Commits · f74d781138794b1620d5a299708eaae6f46d3fed · CodeLinaro / public-release-test / platform / system / sepolicy

May 14, 2014
- Introduce fwmarkd: a service to set the fwmark of sockets. · f74d7811
  Sreeram Ramachandran authored 10 years ago
```
Change-Id: Ib6198e19dbc306521a26fcecfdf6e8424d163fc9
```
  f74d7811
May 13, 2014

am 71139516: am 2680a8c4: am f78fb4e0: Merge "Make ppp domain enforcing." · f1f467f1
Nick Kralevich authored 10 years ago
```
* commit '71139516':
  Make ppp domain enforcing.
```
f1f467f1
am 623b6361: am 132e56b9: am e3519d6c: Merge "Label /data/.layout_version with its own type." · 6bedc2df
Nick Kralevich authored 10 years ago
```
* commit '623b6361':
  Label /data/.layout_version with its own type.
```
6bedc2df
am 2680a8c4: am f78fb4e0: Merge "Make ppp domain enforcing." · 71139516
Nick Kralevich authored 10 years ago
```
* commit '2680a8c4':
  Make ppp domain enforcing.
```
71139516
am 132e56b9: am e3519d6c: Merge "Label /data/.layout_version with its own type." · 623b6361
Nick Kralevich authored 10 years ago
```
* commit '132e56b9':
  Label /data/.layout_version with its own type.
```
623b6361
am f78fb4e0: Merge "Make ppp domain enforcing." · 2680a8c4
Nick Kralevich authored 10 years ago
```
* commit 'f78fb4e0':
  Make ppp domain enforcing.
```
2680a8c4
am e3519d6c: Merge "Label /data/.layout_version with its own type." · 132e56b9
Nick Kralevich authored 10 years ago
```
* commit 'e3519d6c':
  Label /data/.layout_version with its own type.
```
132e56b9
Merge "Make ppp domain enforcing." · f78fb4e0
Nick Kralevich authored 10 years ago

f78fb4e0
Merge "Label /data/.layout_version with its own type." · e3519d6c
Nick Kralevich authored 10 years ago

e3519d6c

sync internal master to AOSP master. · 8662b7aa

Nick Kralevich authored 10 years ago

The automerger is introducing duplicate rules. Clean them
up and make sure internal master is the same as AOSP master.

Change-Id: If6183947688b2adefbc54f048958221598d8d975

8662b7aa

am : am : am : Merge "Restrict system_server to only... · 523701aa

Nick Kralevich authored 10 years ago

am a914acb1: am 6d439213: am bc36ce13: Merge "Restrict system_server to only the data file types needed."

* commit 'a914acb1':
  Restrict system_server to only the data file types needed.

523701aa

am b372f246: (-s ours) DO NOT MERGE: remove duplicate rules. · 444aebb1
Nick Kralevich authored 10 years ago
```
* commit 'b372f246':
  DO NOT MERGE: remove duplicate rules.
```
444aebb1
am 6d439213: am bc36ce13: Merge "Restrict system_server to only the data file types needed." · a914acb1
Nick Kralevich authored 10 years ago
```
* commit '6d439213':
  Restrict system_server to only the data file types needed.
```
a914acb1
am bc36ce13: Merge "Restrict system_server to only the data file types needed." · 6d439213
Nick Kralevich authored 10 years ago
```
* commit 'bc36ce13':
  Restrict system_server to only the data file types needed.
```
6d439213
Merge "Restrict system_server to only the data file types needed." · bc36ce13
Nick Kralevich authored 10 years ago

bc36ce13
am d733117a: (-s ours) DO NOT MERGE: remove system_server sdcard_type · e15bc6f0
Nick Kralevich authored 10 years ago
```
* commit 'd733117a':
  DO NOT MERGE: remove system_server sdcard_type
```
e15bc6f0

DO NOT MERGE: remove duplicate rules. · b372f246

Nick Kralevich authored 10 years ago

Another removal of duplicate rules, which don't occur in AOSP nor
internal master.

Change-Id: I363b6e8f5b87741ca5d837ab1858603d1bd8fb5b

b372f246

am 8393d4b8: (-s ours) DO NOT MERGE: remove duplicate rules. · 8b19e618
Nick Kralevich authored 10 years ago
```
* commit '8393d4b8':
  DO NOT MERGE: remove duplicate rules.
```
8b19e618

DO NOT MERGE: remove system_server sdcard_type · d733117a

Nick Kralevich authored 10 years ago

klp-modular-dev-plus-aosp has a rule allowing system_server
access to sdcard file descriptors, but this change isn't
in AOSP nor internal master.

This line was removed in https://android-review.googlesource.com/84081 .
Pull the line out from the -plus-aosp tree. DO NOT MERGE because
this change is already in internal master.

Change-Id: I0a1b08f75d309a5a1acb5dc1a44212f9d35eaf3e

d733117a

DO NOT MERGE: remove duplicate rules. · 8393d4b8

Nick Kralevich authored 10 years ago

klp-modular-dev-plus-aosp has duplicate SELinux rules in
system_server, which don't appear in AOSP or master. Delete
those duplicate rules, as they just make resolving merge
conflicts more difficult.

Change-Id: I0eaae453b887d08bddf16f963cef4c099fe2e9a6

8393d4b8

am 5892d336: (-s ours) am 3ff8b536: DO NOT MERGE: Fix broken halt while in healthd charger mode · 7d9f05d4
Nick Kralevich authored 10 years ago
```
* commit '5892d336':
  DO NOT MERGE: Fix broken halt while in healthd charger mode
```
7d9f05d4
am aeb3eb7c: resolved conflicts for merge of dfee702c to klp-modular-dev-plus-aosp · 05e22631
Nick Kralevich authored 10 years ago
```
* commit 'aeb3eb7c':
  DO NOT MERGE: Address system_server denials.
```
05e22631
am 3ff8b536: DO NOT MERGE: Fix broken halt while in healthd charger mode · 5892d336
Nick Kralevich authored 10 years ago
```
* commit '3ff8b536':
  DO NOT MERGE: Fix broken halt while in healthd charger mode
```
5892d336
resolved conflicts for merge of dfee702c to klp-modular-dev-plus-aosp · aeb3eb7c
Nick Kralevich authored 10 years ago
```
Change-Id: I20dc8bf1c8861c2152d5aa41f50cd4d44730056b
```
aeb3eb7c

DO NOT MERGE: Fix broken halt while in healthd charger mode · 3ff8b536

Nick Kralevich authored 11 years ago

Reboots/halts aren't working in healthd charger mode. This is
causing high power draw in an unplugged, powered off state.

Steps to reproduce (on Nexus 5):
  Unplug device from USB charger/computer
  Turn device off
  Wait for device to turn off
  Plug in USB cable/charger
  Wait for charge animation (wait for animation, not just lightning bolt, may have to press power button briefly to get animation going)
  Wait for panel to turn off
  Unplug USB cable/charger
  Press power button again, notice screen turns on at some frame in the animation.
  (not important) Each press of the power button advances the animation
  Power on.
  Examine denials from /proc/last_kmsg

Addresses the following denials:

[   24.934809] type=1400 audit(12534308.640:8): avc:  denied  { write } for  pid=130 comm="healthd" name="sysrq-trigger" dev="proc" ino=4026533682 scontext=u:r:healthd:s0 tcontext=u:object_r:proc_sysrq:s0 tclass=file
[   24.935395] type=1400 audit(12534308.640:9): avc:  denied  { sys_boot } for  pid=130 comm="healthd" capability=22  scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability

Bug: 13229119
Bug: 14833575

(cherry picked from commit 9ada894a)

Change-Id: I6175ad9225e847a0a40d558ac65c3544b22803d5

3ff8b536

DO NOT MERGE: Address system_server denials. · dfee702c

Stephen Smalley authored 11 years ago

Label /proc/sysrq-trigger and allow access.
Label /dev/socket/mtpd and allow access.

Resolves denials such as:
avc: denied { getattr } for pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc: denied { call } for pid=1007 comm="Binder_8" scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=binder

avc: denied { write } for pid=1024 comm="watchdog" name="sysrq-trigger" dev="proc" ino=4026533682 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file

avc: denied { write } for pid=11567 comm="LegacyVpnRunner" name="mtpd" dev="tmpfs" ino=36627 scontext=u:r:system_server:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file

avc: denied { ptrace } for pid=10924 comm=5369676E616C2043617463686572 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=process

avc: denied { sigkill } for pid=26077 comm="NativeCrashRepo" scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=process

avc: denied { write } for pid=1024 comm="android.bg" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=netlink_socket

avc: denied { getattr } for pid=473 comm="FinalizerDaemon" path="socket:[11467]" dev="sockfs" ino=11467 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc: denied { getattr } for pid=473 comm="FinalizerDaemon" path="socket:[12076]" dev="sockfs" ino=12076 scontext=u:r:system_server:s0 tcontext=u:r:mediaserv
er:s0 tclass=udp_socket

avc: denied { getopt } for pid=473 comm="FinalizerDaemon" laddr=192.168.159.172 lport=51576 faddr=93.127.173.40 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc: denied { getopt } for pid=473 comm="FinalizerDaemon" lport=15658 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc: denied { read write } for pid=21384 comm="rtsp" path="socket:[443742]"
dev="sockfs" ino=443742 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s
0 tclass=tcp_socket

avc: denied { read write } for pid=21384 comm="rtsp" path="socket:[444842]" dev="sockfs" ino=444842 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc: denied { setopt } for pid=1326 comm="Binder_9" lport=16216 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc: denied { setopt } for pid=1676 comm="Binder_6" laddr=192.168.156.130 lport=51044 faddr=74.125.214.81 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc: denied { getattr } for pid=10915 comm="system_server" path="/dev/mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc: denied { read } for pid=10915 comm="system_server" name="mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc: denied { unlink } for pid=14866 comm="system_server" name="wallpaper" dev="mmcblk0p9" ino=285715 scontext=u:r:system_server:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file

avc: denied { getattr } for pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc: denied { getopt } for pid=32300 comm="Binder_1" laddr=::ffff:127.0.0.1 lport=4939 faddr=::ffff:127.0.0.1 fport=53318 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc: denied { read write } for pid=10840 comm="pool-17-thread-" path="socket:[205990]" dev="sockfs" ino=205990 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc: denied { write } for pid=20817 comm="dumpsys" path="/mnt/shell/emulated/0/aupt-output/bugreport-2014-02-22-11-17-16.txt.tmp" dev="fuse" ino=3100784040 scontext=u:r:system_server:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file

Bug: 14833575

Change-Id: I23425b4ef1552ff31486d0a52ee2c69d6236691d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

dfee702c

am 24f18d69: am 1a1abe51: am f67e0ef3: Merge "Revisit kernel setenforce" · fc00a2b8
Nick Kralevich authored 10 years ago
```
* commit '24f18d69':
  Revisit kernel setenforce
```
fc00a2b8
am d0313c12: am 24247d18: am 4fc25052: Merge "Allow ppp to inherit/use mtp unix datagram socket." · 697dd7d6
Nick Kralevich authored 10 years ago
```
* commit 'd0313c12':
  Allow ppp to inherit/use mtp unix datagram socket.
```
697dd7d6
am 1a1abe51: am f67e0ef3: Merge "Revisit kernel setenforce" · 24f18d69
Nick Kralevich authored 10 years ago
```
* commit '1a1abe51':
  Revisit kernel setenforce
```
24f18d69
am 24247d18: am 4fc25052: Merge "Allow ppp to inherit/use mtp unix datagram socket." · d0313c12
Nick Kralevich authored 10 years ago
```
* commit '24247d18':
  Allow ppp to inherit/use mtp unix datagram socket.
```
d0313c12
am f67e0ef3: Merge "Revisit kernel setenforce" · 1a1abe51
Nick Kralevich authored 10 years ago
```
* commit 'f67e0ef3':
  Revisit kernel setenforce
```
1a1abe51
am 4fc25052: Merge "Allow ppp to inherit/use mtp unix datagram socket." · 24247d18
Nick Kralevich authored 10 years ago
```
* commit '4fc25052':
  Allow ppp to inherit/use mtp unix datagram socket.
```
24247d18
Merge "Revisit kernel setenforce" · f67e0ef3
Nick Kralevich authored 10 years ago

f67e0ef3
Merge "Allow ppp to inherit/use mtp unix datagram socket." · 4fc25052
Nick Kralevich authored 10 years ago

4fc25052
am e83bbd7a: am 87bf6de9: am efc72991: Allow mediaserver to use app-created pipes. · 69dbe866
Stephen Smalley authored 10 years ago
```
* commit 'e83bbd7a':
  Allow mediaserver to use app-created pipes.
```
69dbe866
am 87bf6de9: am efc72991: Allow mediaserver to use app-created pipes. · e83bbd7a
Stephen Smalley authored 10 years ago
```
* commit '87bf6de9':
  Allow mediaserver to use app-created pipes.
```
e83bbd7a
am efc72991: Allow mediaserver to use app-created pipes. · 87bf6de9
Stephen Smalley authored 10 years ago
```
* commit 'efc72991':
  Allow mediaserver to use app-created pipes.
```
87bf6de9

Make ppp domain enforcing. · 70110728

Stephen Smalley authored 10 years ago


Change-Id: If6b85fbb2332f7a03b603f2d46bd2f73c778ecf9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

70110728

Allow ppp to inherit/use mtp unix datagram socket. · b3007650

Stephen Smalley authored 10 years ago

Resolves denials such as:
avc: denied { read write } for path="socket:[33571]" dev="sockfs" ino=33571 scontext=u:r:ppp:s0 tcontext=u:r:mtp:s0 tclass=unix_dgram_socket

Change-Id: Icb1ee00d8513179039bfb738647f49480e836f25
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

b3007650

Allow mediaserver to use app-created pipes. · efc72991

Stephen Smalley authored 10 years ago

Resolves denials such as:
avc: denied { getattr } for path="pipe:[167684]" dev="pipefs" ino=167684 scontext=u:r:mediaserver:s0 tcontext=u:r:untrusted_app:s0 tclass=fifo_file

Change-Id: I1120c8b130a592e40992c5233650345640a23a87
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

efc72991