Commits · fa6c3d7c4c9e18bc5d1877db0ed4c8ef833783d2 · CodeLinaro / public-release-test / platform / system / sepolicy

Oct 16, 2017

storaged: move storaged file from DE to CE · fa6c3d7c

Jin Qian authored 7 years ago

Allow vold/system_server to call storaged service

Test: adb shell storaged -u
Bug: 63740245
Change-Id: I88219e32520006db20299468b7a8c7ce0bfa58e0

fa6c3d7c

storaged: add storaged_pri service · 37ab7c09

Jin Qian authored 7 years ago

"storaged" service will be used by external clients, e.g. vold, dumpsys
"storaged_pri" service will only be used by storaged cmdline.

Bug: 63740245
Change-Id: I7a60eb4ce321aced9589bbb8474d2d9e75ab7042

37ab7c09

Oct 09, 2017
- Merge "Remove reboot_data_file." am: f3f194c0 am: 9cac761d am: 17491f6b · eceee125
  Dan Cashman authored 7 years ago
```
am: 33edd896

Change-Id: Iba4aba8833f3543d8e28c5d469667bbeb09b860e
```
  eceee125
- Merge "Remove unnecessary HAL permissions" am: f7196a88 am: 7d610705 am: d874f049 · 7a0ed9bc
  Jeff Vander Stoep authored 7 years ago
```
am: 5dba5b2a

Change-Id: I1f75837ba99e6dd1961a911a9ab072e26d24837d
```
  7a0ed9bc
- Merge "Remove reboot_data_file." am: f3f194c0 am: 9cac761d · 33edd896
  Dan Cashman authored 7 years ago
```
am: 17491f6b

Change-Id: I32dfe7fd082e3d7a60f0787f2c0d559d8ce252c0
```
  33edd896
- Merge "Remove reboot_data_file." am: f3f194c0 · 17491f6b
  Dan Cashman authored 7 years ago
```
am: 9cac761d

Change-Id: If420befeb2ccd04e354debc8408c13edcf97dbd1
```
  17491f6b
- Merge "Remove reboot_data_file." · 9cac761d
  Dan Cashman authored 7 years ago
```
am: f3f194c0

Change-Id: Ifabe0a78658b2c903c8a2face0102b816427e3e2
```
  9cac761d
- Merge "Remove reboot_data_file." · f3f194c0
  Treehugger Robot authored 7 years ago
  
  f3f194c0
- Merge "Remove unnecessary HAL permissions" am: f7196a88 am: 7d610705 · 5dba5b2a
  Jeff Vander Stoep authored 7 years ago
```
am: d874f049

Change-Id: I0f27c558f5394f71a987a1b4b3c8de05e6348841
```
  5dba5b2a
- Merge "Remove unnecessary HAL permissions" am: f7196a88 · d874f049
  Jeff Vander Stoep authored 7 years ago
```
am: 7d610705

Change-Id: I3b770b1fb2bf8efdc45ba85536e2f990e79d99dc
```
  d874f049
- Remove proc label access from kernel domain. am: bc1c5453 am: 24cc484f am: dd517519 · ac4f00ce
  Tri Vo authored 7 years ago
```
am: 0018d9a6

Change-Id: I19aa72d70b6210b6488073d9ab46d96ec674e253
```
  ac4f00ce
- Merge "Remove unnecessary HAL permissions" · 7d610705
  Jeff Vander Stoep authored 7 years ago
```
am: f7196a88

Change-Id: Ib53dab06b2eae107411260d852227211bfb2ff69
```
  7d610705
- Merge "Remove unnecessary HAL permissions" · f7196a88
  Treehugger Robot authored 7 years ago
  
  f7196a88
- Remove unnecessary HAL permissions · 89d77187
  Jeff Vander Stoep authored 7 years ago
```
Comments indicate that these permissions are used to access already
open FDs. However, getattr of a directory is clearly not necessary
for that, search of system_data_file is already granted to domain
and following symlinks is clearly not needed for reading an already
open FD.

Bug: 34980020
Test: boot marlin. Test drm with google play movies, no related
    denials
Test: cts-tradefed run cts -m CtsMediaTestCases -t \
    android.media.cts.MediaCasTest
    5/6 tests fail with no related selinux denials. The same 5/6
    also fail in selinux permissive mode.
Change-Id: Ib4b9a1e18bdc479d656b2d64917bbc0358515525
```
  89d77187
- Remove proc label access from kernel domain. am: bc1c5453 am: 24cc484f · 0018d9a6
  Tri Vo authored 7 years ago
```
am: dd517519

Change-Id: I3f8f953b16879d4b4e826412f3d23096cefee1a2
```
  0018d9a6
- Remove proc label access from kernel domain. am: bc1c5453 · dd517519
  Tri Vo authored 7 years ago
```
am: 24cc484f

Change-Id: Ibc0c3ef801f0ec115530e5ff4e8f5ba8b88cd4ef
```
  dd517519
- Remove proc label access from kernel domain. · 24cc484f
  Tri Vo authored 7 years ago
```
am: bc1c5453

Change-Id: I7c59d28fb32d5785a88e3678ea85a0ae43003302
```
  24cc484f
- Remove reboot_data_file. · 76d0e418
  Dan Cashman authored 7 years ago
```
Bug: 64687998
Test: Builds.
Change-Id: I7a5b65d34382b8b76e55c523811a0f17dd9c1051
```
  76d0e418
- Remove proc label access from kernel domain. · bc1c5453
  Tri Vo authored 7 years ago
```
Bug: 65643247
Test: sailfish boots, can take pictures, use browser without denials
form kernel domain.
Change-Id: I4fc0555f0b65fc5537e0b2765142b384ed0560c8
```
  bc1c5453
Oct 08, 2017
- Merge "Allow redeclaring typeattributes" am: dcee57b8 am: 7242f168 am: a08b925a · affbeb8f
  Jeffrey Vander Stoep authored 7 years ago
```
am: 5b322d4e

Change-Id: Ie584e64322009a53672cc39b671090c4523889ef
```
  affbeb8f
- Merge "Allow redeclaring typeattributes" am: dcee57b8 am: 7242f168 · 5b322d4e
  Jeffrey Vander Stoep authored 7 years ago
```
am: a08b925a

Change-Id: Iadeb02947c4aefd1821b8e3294ad9fd801f8b0c1
```
  5b322d4e
- Merge "Allow redeclaring typeattributes" am: dcee57b8 · a08b925a
  Jeffrey Vander Stoep authored 7 years ago
```
am: 7242f168

Change-Id: Iaf37d2a4391f64fb76f1a2a51aa9077ba81be224
```
  a08b925a
- Merge "Allow redeclaring typeattributes" · 7242f168
  Jeffrey Vander Stoep authored 7 years ago
```
am: dcee57b8

Change-Id: I99ec6c055c8f6f04be90a4710ae278ba676f741d
```
  7242f168
- Merge "Allow redeclaring typeattributes" · dcee57b8
  Jeffrey Vander Stoep authored 7 years ago
  
  dcee57b8
Oct 07, 2017

Merge "mediaextractor: ensure no direct open()s" am: e22e99a6 am: ea17be60 am: cbb0543d · d7f018fc
Nick Kralevich authored 7 years ago
```
am: 6eef5589

Change-Id: Ia61c0391c0584336bfdbe9df6f63a49275799ab3
```
d7f018fc
Merge "mediaextractor: ensure no direct open()s" am: e22e99a6 am: ea17be60 · 6eef5589
Nick Kralevich authored 7 years ago
```
am: cbb0543d

Change-Id: Ibf8ee8c6da1fbb3358179044c99861905751884c
```
6eef5589
Merge "mediaextractor: ensure no direct open()s" am: e22e99a6 · cbb0543d
Nick Kralevich authored 7 years ago
```
am: ea17be60

Change-Id: I04573b201588661a98b682224624bb804ec688db
```
cbb0543d
Merge "mediaextractor: ensure no direct open()s" · ea17be60
Nick Kralevich authored 7 years ago
```
am: e22e99a6

Change-Id: I7e345f52865c834bada137d773cbcd869825946c
```
ea17be60
Merge "mediaextractor: ensure no direct open()s" · e22e99a6
Treehugger Robot authored 7 years ago

e22e99a6

Merge "Revert "Ensure /sys restrictions for isolated_apps"" am: am:... · 1d1d78cc

Nick Kralevich authored 7 years ago

Merge "Revert "Ensure /sys restrictions for isolated_apps"" am: 3e60e38a am: 89185f5a am: 3f5bc502
am: 0011fd40

Change-Id: I24fcec7bb6943864173194a64ef7027cd52533a6

1d1d78cc

Merge "Revert "Ensure /sys restrictions for isolated_apps"" am: 3e60e38a am: 89185f5a · 0011fd40
Nick Kralevich authored 7 years ago
```
am: 3f5bc502

Change-Id: I0c442961eab964595ad072ec1a4308a4cc2c6888
```
0011fd40
Merge "Revert "Ensure /sys restrictions for isolated_apps"" am: 3e60e38a · 3f5bc502
Nick Kralevich authored 7 years ago
```
am: 89185f5a

Change-Id: Ifb9d247867381de088801abddcd16ea61201afbe
```
3f5bc502
Merge "Revert "Ensure /sys restrictions for isolated_apps"" · 89185f5a
Nick Kralevich authored 7 years ago
```
am: 3e60e38a

Change-Id: I08ed6727590cac42f6440f2462041368fc4544e2
```
89185f5a
Merge "Revert "Ensure /sys restrictions for isolated_apps"" · 3e60e38a
Nick Kralevich authored 7 years ago

3e60e38a

Revert "Ensure /sys restrictions for isolated_apps" · ae48ecbd

Nick Kralevich authored 7 years ago

Bullhead and dragon are broken. Revert until I can fix
those builds.

Dragon:

libsepol.report_failure: neverallow on line 113 of system/sepolicy/private/isolated_app.te (or line 26264 of policy.conf) violated by allow isolated_app sysfs_socinfo:file { ioctl read lock open };

Bullhead:

libsepol.report_failure: neverallow on line 113 of system/sepolicy/private/isolated_app.te (or line 26283 of policy.conf) violated by allow isolated_app sysfs_power_management:file { ioctl read lock open };
libsepol.report_failure: neverallow on line 113 of system/sepolicy/private/isolated_app.te (or line 26283 of policy.conf) violated by allow isolated_app sysfs_socinfo:file { ioctl read lock open };
libsepol.report_failure: neverallow on line 113 of system/sepolicy/private/isolated_app.te (or line 26283 of policy.conf) violated by allow isolated_app sysfs_thermal:file { ioctl read lock open };
libsepol.check_assertions: 3 neverallow failures occurred

This reverts commit 579366a0.

Change-Id: I1ea4824e226c06628769898299f2e322060d0d06
Test: policy compiles.

ae48ecbd

Merge "Ensure /sys restrictions for isolated_apps" am: eb1ae188 am: a2cf96bc am: 1e6ca6fa · bf8ab686
Nick Kralevich authored 7 years ago
```
am: 91f41549

Change-Id: Ibf551367a0a6393ddf45c1e347e011a8a24627d4
```
bf8ab686
Merge "Ensure /sys restrictions for isolated_apps" am: eb1ae188 am: a2cf96bc · 91f41549
Nick Kralevich authored 7 years ago
```
am: 1e6ca6fa

Change-Id: Ic4bac09bef9e3b42115e9bf0b173831c75ee9938
```
91f41549
Merge "Ensure /sys restrictions for isolated_apps" am: eb1ae188 · 1e6ca6fa
Nick Kralevich authored 7 years ago
```
am: a2cf96bc

Change-Id: I88c0a9aed3834af405b4666d04c6203c145f8214
```
1e6ca6fa
Merge "Ensure /sys restrictions for isolated_apps" · a2cf96bc
Nick Kralevich authored 7 years ago
```
am: eb1ae188

Change-Id: I9f8a35d86fefecc0485cf57bc2e2cf876d770fc9
```
a2cf96bc
Merge "Ensure /sys restrictions for isolated_apps" · eb1ae188
Treehugger Robot authored 7 years ago

eb1ae188