591308e3bfe14aebeb380e946fa850ef034fed3b |
05-Jun-2018 |
Jaekyun Seok <jaekyun@google.com> |
Fix access denials for Render script props ro.vendor.graphics.memory and vendor.debug.rs.* are used by Render script (one of same-process HALs). So they should be public-readable because Render script can be loaded from almost everywhere. Bug: 109653662 Test: succeeded building and tested with taimen Change-Id: I5c6d6dd2f2406feaec60c965a763215c4a064f52
roperty_contexts
|
da2016576ae6d4ded0408f632d742a0a1a4b44ab |
23-May-2018 |
Jaekyun Seok <jaekyun@google.com> |
Fix access denials for libEGL props vendor.debug.egl.changepixelformat and vendor.debug.prerotation.disable are used by libEGL (one of same-process HALs). So they should be public-readable because libEGL can be loaded from almost everywhere. Bug: 80135368 Test: succeeded building and tested with taimen Change-Id: I2e9c0809a4868329ab76a94800a144283f523579 Merged-In: I2e9c0809a4868329ab76a94800a144283f523579 (cherry picked from commit 52ca941f7a0235cc07f7df606f36c46e02eeff14)
roperty_contexts
|
484b83c96ce47ad06de204702b0b27599c818134 |
22-May-2018 |
Jayachandran C <jayachandranc@google.com> |
sepolicy: cleanup tel_mon_prop as it's no more used Test: Verified connectivity monitor app works without denial Bug: 79255514 Change-Id: Id8ebac2f3453a8fc175a91d60caad173734aa6cd
roperty.te
adio.te
ild.te
ystem_app.te
|
83fc9c19952951de4ffb366cdd6078abad3f7216 |
22-May-2018 |
Thierry Strudel <tstrudel@google.com> |
Merge "Adjust for QCOM BT HAL property name changes" into pi-dev
|
35e267a41faf466dc2a447366794e0741ff41a4e |
22-May-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Temporarily whitelisting system domains writing vendor props" into pi-dev
|
906e91433b7b849219d859dae6fe71f32d76c842 |
12-May-2018 |
Petri Gynther <pgynther@google.com> |
Adjust for QCOM BT HAL property name changes Bug: 36513925 Test: Manual Bluetooth test Change-Id: I492fde56b7f10395869ac32e8d6dd20268ce5230
roperty_contexts
|
5cb44010b24e23f7839848c97e575f70113adcab |
21-May-2018 |
Paul Crowley <paulcrowley@google.com> |
Remove device-specific metadata policy that's now in platform. Bug: 79781913 Test: compiles Change-Id: Ie632d1a4c44f491415ae9bb2ceb1264f0cfa5096
ile_contexts
|
bda628fe83f10a29f6293e259c9ddb808c28d68d |
17-May-2018 |
Petri Gynther <pgynther@google.com> |
wahoo: sepolicy: add missing vendor_bluetooth_prop Add missing vendor_bluetooth_prop: persist.service.bdroid.snooplog Usage: 1. vendor/qcom/sdm845/proprietary/bluetooth/ hidl_transport/bt/1.0/default/logger.cpp: property_get("persist.service.bdroid.snooplog", ...) 2. init.hardware.diag.rc.userdebug: on property:sys.logger.bluetooth=true setprop persist.service.bdroid.snooplog true on property:sys.logger.bluetooth=false setprop persist.service.bdroid.snooplog false Bug: 77633703 Test: Manual Change-Id: I781fe8b8b5937a706eccc55f027255ccebe67a5c
roperty_contexts
|
b7e3d9f3defac20a0123f9df3052e62c96b31131 |
14-May-2018 |
Ruchi Kandoi <kandoiruchi@google.com> |
Add dontaudit rules for nfc.persist properties Since NFC has a common vendor library, adding dontaudit rules for properties which are not used by this product. type=1400 audit(0.0:35): avc: denied { read } for comm="nfc@1.1-service" name="u:object_r:default_prop:s0" dev="tmpfs" ino=17612 scontext=u:r:hal_nfc_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 Test: check logcat Bug: 79417308 Change-Id: If2d0a1d3403851d819305f18c96c18eca35db7a8
al_nfc_default.te
roperty.te
roperty_contexts
|
3ee4e77674ecce82dadfcf5c64d87ce6d65a88b0 |
14-May-2018 |
Jiyong Park <jiyong@google.com> |
Temporarily whitelisting system domains writing vendor props system properties must not be used as a communication channel in between system and vendor processes. However, there has been no enforcement on this: system process could write system properties that are owned and read by vendor processes and vice versa. Such communication should be done over hwbinder and should be formally specified in HIDL. Until we finish migrating the existing use cases of sysprops to HIDL, whitelisting them in system_writes_vendor_properties_violators so that the violators are clearly tracked. These violators are allowed only for P, but not for Q. Bug: 78598545 Test: m -j selinux_policy Change-Id: I60b12f1232c77ad997c8c87e6d91baa14c626e94
luetooth.te
ameraserver.te
harger.te
atekeeperd.te
ealthd.te
adio.te
urfaceflinger.te
ystem_app.te
ystem_server.te
|
9cafa9a1914322c31fd6bb8a672b0650b1a64add |
12-May-2018 |
Joel Galenson <jgalenson@google.com> |
Track nfc SELinux denial. This should help fix presubmit tests. Bug: 79617173 Test: Built policy. Change-Id: Ia6b55c7aa329366bde2390939883fb8f4770eff1
ug_map
|
55e9c926f4dd9ab76b7fe4f4942148d76982846b |
12-May-2018 |
Sean Callanan <spyffe@google.com> |
Merge "wahoo: Update sepolicy for LA.UM.6.4.9.C2.07.00.00.386.031" into pi-dev
|
3550ada6f73c05e5527449f467e552141d661bb6 |
12-May-2018 |
Sean Callanan <spyffe@google.com> |
wahoo: add bug_map for b/79617173 AU031 graphics drivers introduce SELinux denials for "vendor_default_prop". Pending a proper fix, tracking this bug so the new graphics driver can be merged. Test: Check that presubmit succeeds. Bug: 79426077 Change-Id: I775de870c6fae32f35acaa7017192ef12254dd7f
ug_map
|
84f819c57f94fe0cbad197750ec262cc8b671d4c |
09-May-2018 |
Sean Callanan <spyffe@google.com> |
wahoo: Update sepolicy for LA.UM.6.4.9.C2.07.00.00.386.031 Bug: 79426077 Test: CTS, PTS pending Change-Id: Ic5b7c473deec50a8e48c8db0130666093e5562b8
ile_contexts
|
28607db79b7495818f9f1ea7a65e9e6d4e77a283 |
11-May-2018 |
Joel Galenson <jgalenson@google.com> |
Track per_proxy SELinux denial. This should help fix presubmit tests. Bug: 79541095 Test: Built policy. Change-Id: Ide4401527cce5473288092a6c44fc446e9c1fc27 (cherry picked from commit 703a55c3a9b40c560e91c7bc3128f8949e48fa14)
ug_map
|
ed36ecb6ecb0acce8f3223d7c5b0bf75ea883f10 |
03-May-2018 |
Kevin Rocard <krocard@google.com> |
Merge "Whitelist audio vendor property" into pi-dev
|
a9c681f94fa785c792b068fe958ecaea2b7ddc18 |
02-May-2018 |
Kevin Rocard <krocard@google.com> |
Whitelist audio vendor property audio.usb.enable.debug is used to dump information of the audio usb device connected in the vendor implementation. Bug: 77926553 Test: atest VtsHalAudioV4_0TargetTest without sepolicy errors Signed-off-by: Kevin Rocard <krocard@google.com> Change-Id: Ia36823fab7087c3dd77eade28fe14dc6805a1551
roperty_contexts
|
24982f59c6afa8ec3b0d7615cafa09954118ed84 |
02-May-2018 |
android-build-team Robot <android-build-team-robot@google.com> |
Merge "Namespace ssrdump properties with vendor prefix" into pi-dev
|
2c67552cfddb01f78b909a3a9ffc79edc18da00a |
26-Apr-2018 |
Joel Galenson <jgalenson@google.com> |
Hide denials caused by race with labeling. These denials seem to be caused by a race with the process that labels the files. Bug: 77635294 Test: Build policy. Change-Id: Ieed9c2be18a092e92ec90fc8a07fa17c8ec19308
ug_map
endor_init.te
|
6c9599d865591172897c37c7c9f69650b8830e44 |
24-Apr-2018 |
Joel Galenson <jgalenson@google.com> |
Allow access to sysfs_timestamp_switch. We've seen these processes trying to access this file, so allow it. Note that this is likely why they needed the sysfs_diag permission we granted earlier. Bug: 77908806 Test: Build Change-Id: I60a2dae5a0635156070397242f13695678f1d00e (cherry picked from commit 2e41f0e3f09f8f7caedca37454d18fe0e8dd9891)
al_gnss_qti.te
ti.te
adio.te
|
09e056efe1b4872abb7b9d52fa5617af2bd3a131 |
24-Apr-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Handle radio diag-related denials." into pi-dev
|
64f3848f9ed71eb95f74489bc91bce14fc4f1fd9 |
24-Apr-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "sepolicy: Fix denial when dump powerhal" into pi-dev
|
731a3272ad5c9b9087b0cca3b696b7b29aad55d1 |
24-Apr-2018 |
Joel Galenson <jgalenson@google.com> |
Handle radio diag-related denials. This allows the behavior on userdebug and eng builds and hides it on user builds. Bug: 77908806 Test: Build policy. Change-Id: I0d858a94bb1bab6069107209494536a62019788f (cherry picked from commit e7e22f5e8270b78c14700a77232044224426f278)
adio.te
|
b296bbf7f09d5b73e5f14abcb1bd5b9668ac0074 |
11-Apr-2018 |
Kelly Rossmoyer <krossmo@google.com> |
Add temp workaround Easel power stats on 2017 While snapshot Easel power data is captured in bugreports via dumpstate, Easel does not provide low power stats on a recurring basis via PowerHAL, which is the type of data needed to detect the presence and scope of power drain issues in the field. As a temporary workaround, this set of changes keeps cumulative counts of the number of times PowerHAL saw Easel's state (an existing sysfs node) as "on" (state 1) or "not on" (state 0 or 2), and logs the "on" count as cumulative count and the "not on" count as cumulative duration. This does not sufficiently address the long term need for cumulative stats, since this will just be comprised of essentially random snapshots of Easel's current state. However, for the known issue already being investigated, this should be enough to gauge the scope of the issue. sepolicy updates allow hal_power to search/read the directory/file containing Easel's current state: /sys/devices/virtual/misc/mnh_sm/state Bug: 77208137 Bug: 36576572 Test: Installed on taimen, used camera for various functions, used easel debug commands and properties to force it into different states, captured a bugreport and verified the content against observed "current state" values from monitoring the state file while performing similar camera functions. Change-Id: Ib1ee92db477d2a6c9d6f293fb4fcc2f753b8335a
al_power_default.te
|
b11f26963ab6cbe17801acbae9fbffe02b0cfd51 |
18-Apr-2018 |
Tom Cherry <tomcherry@google.com> |
Merge "vendor_init permissions for unencrypted_data_file are now global" into pi-dev
|
e998016833d78bc8d68abadf3c3b0c3e1ae8207e |
18-Apr-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Apply whitelist of bluetooth_prop and wifi_prop (2/2)" into pi-dev
|
811d138338cdc049749487963e48abe55b0b6093 |
17-Apr-2018 |
David Lin <dtwlin@google.com> |
haptics: Implement constant effect for heavy click This patch implements support for heavy click effect which has the following UX requirements: - 8 ms in square wave and full amplitude for Walleye - 12 ms in square wave and full amplitude for Taimen Bug: 77863933 Test: manual long press test Change-Id: Ibc30117fecb234a6b400123e5f18a7c100ae36cb Signed-off-by: David Lin <dtwlin@google.com>
roperty_contexts
|
7ee031af1479090ce759f4af62162380082fb4ba |
17-Apr-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Give access persist.radio access" into pi-dev
|
98e3e69245a067d6ccbd48631cb9f7d1fe088861 |
17-Apr-2018 |
Sooraj Sasindran <sasindran@google.com> |
Give access persist.radio access Give persist.radio access to connectivity monitor Bug: 73953318 Test: verified that connectivity monitor works fine Change-Id: Idbcb87f45f809aa9fef00b8a6f2e191cf7e562f8
on_monitor.te
roperty_contexts
|
8010c0b1edaa89436f3fc39b649511cba44a033c |
17-Apr-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Add bug_map entries for bugs we've seen." into pi-dev
|
267d8aeabf1cb1a841b7a03002797a0345e56a2a |
16-Apr-2018 |
Joel Galenson <jgalenson@google.com> |
Add bug_map entries for bugs we've seen. This adds numerous bug_map entries to try to annotate all denials we've seen. Bug: 78117980 Test: Build Change-Id: I78923ebeb8837e09920941450d40504da3924022 (cherry picked from commit e97c886ed97b2474785642f9e8ac56be89e34d38)
ug_map
|
4398397246896e27cdf350535133afee458702e1 |
13-Apr-2018 |
Joel Galenson <jgalenson@google.com> |
Allow some denials we have seen. This addresses the following denials: avc: denied { module_request } for comm="dnsmasq" kmod="netdev-bt-pan" scontext=u:r:dnsmasq:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0 avc: denied { module_request } for comm="allocator@2.0-s" kmod="crypto-heh(aes)" scontext=u:r:hal_graphics_allocator_default:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0 avc: denied { module_request } for comm="android.hardwar" kmod="crypto-hmac(sha256)" scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0 avc: denied { sigkill } for comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netutils_wrapper:s0 tclass=process permissive=0 avc: denied { sys_module } for comm="android.fg" capability=16 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=capability permissive=0 avc: denied { search } for comm="cnss-daemon" name="net" dev="sysfs" scontext=u:r:wcnss_service:s0 tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0 Bug: 78117980 Test: Build. Change-Id: I7e201147271a32ea8420406af221aa7678374d78 (cherry picked from commit cd761300c1cc67cb2be3e001b95317e8a865c5fe)
nsmasq.te
al_graphics_allocator_default.te
al_graphics_composer_default.te
etmgrd.te
ystem_server.te
cnss_service.te
|
ff468bf2b43a1cef9ee4a3ff83364b3e72140544 |
13-Apr-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Suppress hal_wifi_default module loading denials." into pi-dev
|
9bca65d293d86357ef1f2e295fe456e89bac485c |
13-Apr-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Handle some diag-related denials." into pi-dev
|
b19ca9ab95a59e31b3ceff64a03dee790ce432ea |
13-Apr-2018 |
Jie Song <jies@google.com> |
Namespace ssrdump properties with vendor prefix Bug: 77553553 Change-Id: I5d0f8204f5ab310846deeaf9e91d28fe50cc0ad9
al_bluetooth_default.te
roperty.te
roperty_contexts
amdump_app.te
sr_detector.te
ubsystem_ramdump.te
cnss_filter.te
|
659079a8620715434bd97842d9681014ded1a7da |
13-Apr-2018 |
Tom Cherry <tomcherry@google.com> |
vendor_init permissions for unencrypted_data_file are now global So they can be removed from this device specific policy. Bug: 77850279 Test: walleye + more restrictions continues to have FBE work Change-Id: Ib77abd81ae886b40f5a078c379d352a53d865e31
endor_init.te
|
aa293f7fa90eff91af04bd0df517fbde86d919cd |
12-Apr-2018 |
Joel Galenson <jgalenson@google.com> |
Suppress hal_wifi_default module loading denials. This suppresses the following denials: avc: denied { module_request } for comm="android.hardwar" kmod="netdev-wlan0" scontext=u:r:hal_wifi_default:s0 tcontext=u:r:kernel:s0 tclass=system avc: denied { sys_module } for comm="android.hardwar" capability=16 scontext=u:r:hal_wifi_default:s0 tcontext=u:r:hal_wifi_default:s0 tclass=capability Bug: 77973826 Test: Boot device. Change-Id: I2eb4789892172cb119f50084cfe9718d8ead647d (cherry picked from commit 82ee41e471025be3d4ce161f2b484481b583abde)
al_wifi_default.te
|
5d9c327f6ec451b331bb334d79b87b41dec243b7 |
12-Apr-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "hal_tetheroffload: move hwservice mapping to core policy" into pi-dev
|
9f5e50beb77773e68fa1ef55f709ee6dd1b1d5bc |
12-Apr-2018 |
Wei Wang <wvw@google.com> |
sepolicy: Fix denial when dump powerhal Bug: 77919134 Test: Build Change-Id: Ie49fcc4593c48ad109be45fdce7949b3cd39eeed
al_power_default.te
|
8424d3b945ebcc26b7019eb8769bd660fd3ad4fa |
11-Apr-2018 |
Jeff Vander Stoep <jeffv@google.com> |
hal_tetheroffload: move hwservice mapping to core policy Addresses: avc: denied { find } for interface=android.hardware.tetheroffload.config::IOffloadConfig scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_hwservice:s0 tclass=hwservice_manager Bug: 77855688 Test: build/boot Sailfish, turn on tethering, no selinux denial Change-Id: I97cae0928b5311a4da41d19cbd5c863c3137a49f
wservice_contexts
|
e2be8c24de86b5688cd9fce7c8bdd3ff6fd5b059 |
11-Apr-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Track spurious hal_imrsc selinux denial Caused by changes in b/77725358. Track: avc: denied { read } for comm="ims_rtp_daemon" name="u:object_r:default_prop:s0" scontext=u:r:hal_imsrtp:s0 context=u:object_r:default_prop:s0 tclass=file Bug: 77725358 Test: build/boot Taimen Change-Id: Ic6234905e1694cab4bb8ef385f3dbe5455ef35b6
ug_map
|
daa6fec44fc33fb2dd5b69b417c898c085cb97f1 |
10-Apr-2018 |
Joel Galenson <jgalenson@google.com> |
Handle some diag-related denials. This allows the behavior on userdebug and eng builds and hides it on user builds. Bug: 77908806 Test: Boot device. Change-Id: I936f08283bcd03ef88c55b3849f54d2dab5a5d64 (cherry picked from commit 3e3da1baaac981a17c5e40ae7d20110a113d5c63)
al_gnss_qti.te
ti.te
adio.te
|
7a12e2e56a76fa8f4ead0184f22f39ae3d1f8e29 |
10-Apr-2018 |
Jaekyun Seok <jaekyun@google.com> |
Correct misspelled "perist." with "persist." (5/5) Bug: 77725358 Test: succeeded building Change-Id: I8fbf7a8718f409f87410a7b9b1b45ab122620417
roperty_contexts
|
6a9651b762d064260dee2e73fd59707977802b78 |
05-Apr-2018 |
Joel Galenson <jgalenson@google.com> |
Track vendor_init SELinux denial. This should help fix presubmit tests. Bug: 77635294 Test: Built policy. Change-Id: I884ee75106c055aa7eb7af9f373d18e828a9f4e9 (cherry picked from commit 1c81d19b818ca93b64b05ebeced80048da8c3233)
ug_map
|
5fb4818d68f7c71fcc5c6950ffc4fbbf3a8354b9 |
09-Apr-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Allow RILD to read xt_qtaguid iface stats on wahoo" into pi-dev
|
97121bbe703197bde1752f28b8bbb4f9c519903d |
09-Apr-2018 |
Jaekyun Seok <jaekyun@google.com> |
Apply whitelist of bluetooth_prop and wifi_prop (2/2) Bug: 77633703 Test: succeeded building and tested with Pixels Change-Id: I440603705f5cbf6701c8521873792b9448fa5c7d
luetooth.te
al_bluetooth_default.te
roperty.te
roperty_contexts
ystem_app.te
endor_init.te
cnss_filter.te
|
d4235d2c5ac7f235595d4c6e5639fedeff6b8db5 |
06-Apr-2018 |
Chenbo Feng <fengc@google.com> |
Allow RILD to read xt_qtaguid iface stats on wahoo The RILD process on W/T needs to get the per iface stats from proc/net/xt_qtaguid/iface_stat_fmt file. So we have to grant it the permission since there is no native API for that. Bug: 68774956 Test: device boot without selinux violation Change-Id: Ib86916951cb8f340bfef55814ae8c4fef0f51338
ild.te
|
a60f2873a57992f371967d31ef3305ae7360efd1 |
06-Mar-2018 |
Alan Stokes <alanstokes@google.com> |
Add /sys/kernel/memory_state_time to sysfs_power. This allows system_server to access it for determining battery stats (see KernelMemoryBandwidthStats.java). batterystats-wo: type=1400 audit(0.0:429): avc: denied { read } for name="show_stat" dev="sysfs" ino=48071 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 Bug: 72643420 Bug: 73947096 Test: Policy still builds. Change-Id: I2a31178f3fb2b5761050896579650a062ea026d2
enfs_contexts
|
6452bcd371c06a5c1002ed6bb8d3d5edcdb42c9b |
04-Apr-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "battery cycle counts: backup/restore + update dumpstate" into pi-dev
|
138bd6b43874093fbf88933b34d6f7d4b087f86d |
04-Apr-2018 |
Ruchi Kandoi <kandoiruchi@google.com> |
Merge "Add support for NFC 1.1" into pi-dev
|
fa1279bd6bbab0b2ff07e5079da45a082efd3622 |
04-Apr-2018 |
Thierry Strudel <tstrudel@google.com> |
battery cycle counts: backup/restore + update dumpstate Tests: - pts-tradefed run pts -a arm64-v8a -m PtsHardwareInfoHostTestCases - adb bugreport - no "avc: denied" on health vendor service - cycle count stored in /persist/battery/qcom_cycle_counts_bins Bug: 72776338 Bug: 77498107 Change-Id: Ia1a58441fff511c60278b5d97806655c34aec610 Signed-off-by: Thierry Strudel <tstrudel@google.com>
ile.te
ile_contexts
enfs_contexts
al_dumpstate_impl.te
al_health_default.te
ardware_info_app.te
|
0662668209e314a33e5a48824d90e479c9fee689 |
28-Mar-2018 |
Tri Vo <trong@google.com> |
wahoo: Mark proc_* types with proc_type attribute. Bug: 74182216 Test: build policy Change-Id: I6e541d0111639a213b80d755adc546f653531103 Merged-In: I6e541d0111639a213b80d755adc546f653531103 (cherry picked from commit ece77653a531cf55f25304964e6c047a641c85da)
ile.te
|
4d35724ee40266004a8254e9ba8e94332d70fc2a |
22-Mar-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Add sysfs_type attr to sysfs_irq Tests in aosp/646548 assert that genfs_contexts labeled filesystems use the correct attributes such as files in /sys having sysfs_type. Bug: 74182216 Test: build with aosp/646548 - these are build-time tests. Change-Id: If82fe17632f0c28e481eb7e831730c6ba22d3877 Merged-In: If82fe17632f0c28e481eb7e831730c6ba22d3877 (cherry picked from commit 4abb3d041332dcb7cd29ad1d38408c57432a5ca9)
ile.te
|
847e28f86e226e49bb9253823df9d238bf10e31f |
31-Mar-2018 |
Ruchi Kandoi <kandoiruchi@google.com> |
Add support for NFC 1.1 Suppresses the following denials: denied { add } for interface=vendor.nxp.nxpnfc::INxpNfc pid=5675 scontext=u:r:hal_nfc_default:s0 tcontext=u:object_r:default_android_hwservice:s0 tclass=hwservice_manager permissive=0 denied { find } for interface=vendor.nxp.nxpese::INxpEse pid=5675 scontext=u:r:hal_nfc_default:s0 tcontext=u:object_r:default_android_hwservice:s0 tclass=hwservice_manager permissive=0 Test: Enable/Disable NFC, Tag reading Bug: 75980364 Change-Id: I337810ff89d61f796cb213cd931a7b665870029e
al_nfc_default.te
wservice.te
wservice_contexts
|
436d59a04d5a700f3f28af782a39ff740b22bddf |
31-Mar-2018 |
Edwin Wong <edwinwong@google.com> |
Merge "Rename Widevine HIDL service to v1.1." into pi-dev
|
e3894648febfd3a9fee500747f06b9f704ba1986 |
22-Mar-2018 |
Edwin Wong <edwinwong@google.com> |
Rename Widevine HIDL service to v1.1. Widevine HIDL service added new v1.1 media APIs, the service version is updated to 1.1. Test: Netflix and Play Movies & TV (streaming and offline playback) Test: GTS WidevineH264PlaybackTests test e.g. ANDROID_BUILD_TOP= ./android-gts/toolsefed run gts -m GtsMediaTestCases --test com.google.android.media.gts.WidevineH264PlaybackTests#testL1With480P30 bug: 69674645 Change-Id: I287d48bf7cef5b3bb30e21b3794cc7422701ca6c
ile_contexts
al_drm_widevine.te
|
8fa09289ec18a05b45228639daac40bff2bb2eb1 |
27-Mar-2018 |
Thierry Strudel <tstrudel@google.com> |
sepolicy: add type for persist.vendor.charge. Bug: 73647497 Change-Id: I169195f97e2fd42c4106723023e523fd70f255e9 Signed-off-by: Thierry Strudel <tstrudel@google.com>
roperty.te
roperty_contexts
endor_init.te
|
2003abeffb1932c2c1d4025e3d8ace4cf0afd562 |
28-Mar-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Enable TCPM, pd_engine logs on user build." into pi-dev
|
e8a3dcb674d9fc597d9c6dbd0156fa69ee9b630b |
20-Mar-2018 |
Jie Song <jies@google.com> |
Add SELinux permissions for vendor usb config Bug: 74603740 Change-Id: I72adb62f6dc8c85ce265616cb13fc638a131e253
al_usb_impl.te
ogger_app.te
roperty.te
roperty_contexts
|
d1028fde357c6db935d745b55b53fb6c82e26c8d |
27-Mar-2018 |
Badhri Jagan Sridharan <badhri@google.com> |
Enable TCPM, pd_engine logs on user build. Bug: 75396562 Test: User build bugreports had tcpm and pd_engine logs Change-Id: I77fae102202aa66aa14f6a44fd5bcb3a8531790a
al_dumpstate_impl.te
|
296546cdc73ca68e9a0dd662fd277efe6638bdce |
24-Mar-2018 |
Ecco Park <eccopark@google.com> |
wifi: create the sys property for wlan driver/firmware Bug: 76220544 Test: No denial error found for selinux Signed-off-by: Ecco Park <eccopark@google.com> Change-Id: If379812a7c8df7fd84beec6734313459938d540e
ile.te
ile_contexts
enfs_contexts
nit-wlan-sh.te
roperty.te
roperty_contexts
sr_detector.te
|
274196bca441761fd5b706fe6908be45d80bb0aa |
22-Mar-2018 |
Jaekyun Seok <jaekyun@google.com> |
Namespace ramdump_prop with vendor prefix (2/7) debug.ramdump.* and persist.sys.crash_rcu should be renamed to vendor.debug.ramdump.* and persist.vendor.sys.crash_rcu respectively because they are vendor-specific properties. Bug: 74266614 Test: succeeded building and tested with taimen Change-Id: I4d277207b68000160e101456e110656aa483eb83
roperty.te
roperty_contexts
amdump.te
amdump_app.te
|
d315a83f14113856746fce9b81eb9d485780bcb1 |
22-Mar-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "wahoo: power: add dumpstate support in Power HAL" into pi-dev
|
e671f7473c1d63207ef268e48f315c31a16c5103 |
29-Jan-2018 |
Wei Wang <wvw@google.com> |
wahoo: power: add dumpstate support in Power HAL Test: Capture bugreport and check: lshal-debug/android.hardware.power@1.2::IPower_default.txt Bug: 72071908 Change-Id: I0220ce80e69636381d0901c69896b7ce96fde323
al_power_default.te
|
ab8d91f947944487adcc54ceeb8add84ea971504 |
16-Mar-2018 |
Thierry Strudel <tstrudel@google.com> |
dumpstate: dump SRAM & power supply properties Bug: 74954924 Change-Id: I4e2ba0efaf453d0f713d8859945e61e5f5d9ed8d Signed-off-by: Thierry Strudel <tstrudel@google.com>
umpstate.te
ile.te
enfs_contexts
al_dumpstate_impl.te
|
8e42ca9426069d06cafc3246e15271eba996e9db |
15-Mar-2018 |
Andrew LeCain <alecain@google.com> |
Add qsee_log to dumpstate Updating dumpstate to cat /d/tzdbg/qsee_log Added debugfs_tzdbg selinux security context Give hal_dumpstate_impl debugfs_tzdbg read permissions Fixes: 74536221 Test: taimen: adb bugreport, qsee_log in dumpstate_device.txt Change-Id: If80e665b789125d11a55d2812380aa4b906f10ab
ile.te
enfs_contexts
al_dumpstate_impl.te
|
9309dd42afd014cc10576f6b6cd65417e369e994 |
12-Mar-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge changes from topic "bugreport-zero-denials-pi-dev" into pi-dev * changes: Remove regex and label the whole directory. Remove unnecessary permissions. Grant hal_bootctl permissions for new type. Ensure taking a bugreport generates no denials.
|
1e824c790435aa0da17859e8a9e8395184fde841 |
10-Mar-2018 |
Amruth Ramachandran <amruthr@google.com> |
Merge "ConnectivityMonitor sepolicy update: Add audio_server permission" into pi-dev
|
e176b1e9d1b8f931d938e87f64a6670706b2667c |
03-Mar-2018 |
Petri Gynther <pgynther@google.com> |
Walleye/Taimen: switch to QCOM BT HAL The flag definition: BOARD_USES_SDM845_BLUETOOTH_HAL := true adds SDM845 Bluetooth components to the build: vendor/qcom/sdm845/proprietary/bluetooth/hidl_transport/Android.mk vendor/qcom/sdm845/proprietary/bt/hci_qcomm_init/Android.mk and removes MSM8998 Bluetooth components from the build: vendor/qcom/msm8998/prebuilts/grease/target/product/msm8998/Android.mk vendor/qcom/msm8998/proprietary/proprietary/bt/hci_qcomm_init/Android.mk Effectively, Walleye/Taimen switch to the same QCOM BT HAL as B1/C1. Bug: 73968979 Test: Manual build and test with BT A2DP headphones (cherry picked from commit 7c2dc1679dc6cfc4576a53cf7257c94f654dae2e) Change-Id: I4d6444932a807e573f6e8d88c6ad4ba4de8f277a
ile_contexts
al_bluetooth_default.te
|
43e4bf7ab7cde8b8bde22213b0f73cc61f38c4ba |
08-Mar-2018 |
Amruth Ramachandran <amruthr@google.com> |
ConnectivityMonitor sepolicy update: Add audio_server permission ConnectivityMonitor requires the current audio route for voice calls. Error fixed: auditd : avc: denied { find } for service=media.audio_policy pid=4056 uid=1001 scontext=u:r:con_monitor_app:s0:c233,c259,c512,c768 tcontext=u:object_r:audioserver_service:s0 tclass=service_manager permissive=0 Bug: 3619416 Change-Id: I6f5c1512a554b2db21768aa36277ada7e57fdf8a
on_monitor.te
|
c10e253c27f09eea56e9cc670a24a6c76d3eba3a |
06-Mar-2018 |
Joel Galenson <jgalenson@google.com> |
Remove regex and label the whole directory. This is cleaner, as it allows us to remove a regex and label the entire directory, and it will hopefully improve performance. Bug: 74209458 Bug: 74366296 Test: Boot device, verify file labels, and test wifi and camera. Test: Locally flashed OTA by following go/manual-ab-ota. Test: Locally tested updated_verifier by following b/74366296#comment8. Merged-In: I003dc949cf109cc63d75cee9515ef72cb9d0f055 Change-Id: I85f07b2fc8bfb472f25a66e32d3c7d746886535e (cherry picked from commit 8a70f7ef1d1805a8f79486c10280407354f1230b)
umpstate.te
ile.te
ile_contexts
enfs_contexts
old.te
|
fd5a749d3bdf3844e869932d09b07e775f398977 |
06-Mar-2018 |
Joel Galenson <jgalenson@google.com> |
Remove unnecessary permissions. Remove sysfs file permissions and use the generic type for directories. Bug:74213358 Test: Flash OTA. Merged-In: I27a27972f01a273b4eb65d72dd8f2827c1a374af Change-Id: I27a27972f01a273b4eb65d72dd8f2827c1a374af (cherry picked from commit 278cab5f371e79b638a71c45bbc8afd523b15d13)
al_bootctl.te
|
1b7e98f600a596a5d3a09cc1f369556fdbbf048c |
06-Mar-2018 |
Joel Galenson <jgalenson@google.com> |
Grant hal_bootctl permissions for new type. Bug: 74213358 Test: Built policy. Merged-In: Icf523468e06b65095755594a8de68f42c789751c Change-Id: Icf523468e06b65095755594a8de68f42c789751c (cherry picked from commit 84e961164e269241eebf4bc78650c796c7d2e502)
al_bootctl.te
|
f39d286782e6c8259389ef5ecb5cf63fcfe42a4d |
02-Mar-2018 |
Joel Galenson <jgalenson@google.com> |
Ensure taking a bugreport generates no denials. This commit adds new SELinux permissions and neverallow rules so that taking a bugreport does not produce any denials. Bug: 73256908 Test: Captured bugreports and verified that there were no denials. Merged-In: I84ed2be7438a4202d37ff91cb3846f491de29d70 Change-Id: I84ed2be7438a4202d37ff91cb3846f491de29d70 (cherry picked from commit d7854eb513f1533b0239baa81706b37a327cb529)
umpstate.te
ile.te
ile_contexts
enfs_contexts
al_dumpstate_impl.te
mlog_dump.te
old.te
|
ba1439d10aad8295d11922087e2f3f6c8c6faac3 |
03-Mar-2018 |
Siqi Lin <siqilin@google.com> |
sepolicy: allow vendor_init to write to /proc/sysrq-trigger Bug: 73088609 Test: manual - trigger crash from app Change-Id: I045169d7ea6a38d681dc6826117e505cd20aadd0
endor_init.te
|
e21d70c4c2402e3b85fbebb2d5cdb55971b49b88 |
01-Mar-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove vendor_firmware_file type" am: 372ca940fa am: 40e63f8870 am: 6288f2168a Change-Id: I1bbdb6dce6bc92e9927467ee5eb211197bbfab43
|
6288f2168ad5a0c51185b43077cdbef9143c2646 |
01-Mar-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove vendor_firmware_file type" am: 372ca940fa am: 40e63f8870 Change-Id: Ic96bfa59c1bad09bedf9e52b6609c72e4377c723
|
40e63f8870669b10dd81771ac7e02db2798a8d1c |
01-Mar-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove vendor_firmware_file type" am: 372ca940fa Change-Id: I356475e25b2ef66768a5ce7355e116b5f1e27501
|
372ca940fac235839921cdf695e2634ff101bec1 |
01-Mar-2018 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Remove vendor_firmware_file type"
|
4ebfe92d376a6e3e6572b99eb86a1eda60feb4f3 |
01-Mar-2018 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "Revert "Remove vendor_firmware_file type"" am: 1f81b8e744 am: b5000a0215 am: 055997d543 Change-Id: I565e6ec33659b1cc4e47c96e94bafd18f5b33011
|
055997d543df3265dc443ba66035fe9eacbac1ce |
01-Mar-2018 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "Revert "Remove vendor_firmware_file type"" am: 1f81b8e744 am: b5000a0215 Change-Id: Iceb151d7550645925fb7b122dfff883f974fbd17
|
9df9ad04d44662df2d742784a23e1085c54c7388 |
28-Feb-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Remove vendor_firmware_file type It's causing surfaceflinger denials and does not exist on other devices. Grant kernel read access to vendor/firmware's new type. denied { search } for comm="surfaceflinger" name="firmware" scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:vendor_firmware_file:s0 tclass=dir denied { read } for comm="surfaceflinger" name="a530_pm4.fw" scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=0 Test: boot Taimen without denials. Bug: 68213100 Change-Id: I8b070a0aae59e12391c881cec8a46b6b4dbe1c67
ug_map
ile.te
ile_contexts
ernel.te
urfaceflinger.te
|
b5000a02153fa32ee85f1f2644235234ffaae3ac |
01-Mar-2018 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "Revert "Remove vendor_firmware_file type"" am: 1f81b8e744 Change-Id: Ifb8189756c229c542170a1a77ede49fbed769717
|
1f81b8e7443d1e049d8e18bab57124814a1408de |
01-Mar-2018 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "Revert "Remove vendor_firmware_file type""
|
a49507adc5d43cc5376874c695d55ae2bb26257b |
01-Mar-2018 |
Jeffrey Vander Stoep <jeffv@google.com> |
Revert "Remove vendor_firmware_file type" This reverts commit d96b55b88ab9e16b685cd0fff0bd11cce78a614c. Reason for revert: b/74022074 Bug: 74022074 Change-Id: I84c5345c1a205257e088eccd01d3d93fd30a37c1
ug_map
ile.te
ile_contexts
ernel.te
|
c0f0dfbfc4fa3abb222025ee8c50f7ed91e34e65 |
28-Feb-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove vendor_firmware_file type" am: d5a9eb456e am: 6497e43931 am: 03df7cb271 Change-Id: Ib6d63077d4e8b86bdeb38ce3a37519748502b842
|
03df7cb2719805e24230482494e995f0e283c1bb |
28-Feb-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove vendor_firmware_file type" am: d5a9eb456e am: 6497e43931 Change-Id: Ic5ddc74850a08f3d3dc09dc3f38cdbb67230bd5d
|
6497e43931566c6f4dc5a0c7d5ce48bce22ee18e |
28-Feb-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove vendor_firmware_file type" am: d5a9eb456e Change-Id: I5e7196d2d1e55072408b2f1b4a2304ba88cbaf87
|
d5a9eb456ec86be2853a158ce65abdb8c4098913 |
28-Feb-2018 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Remove vendor_firmware_file type"
|
d96b55b88ab9e16b685cd0fff0bd11cce78a614c |
28-Feb-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Remove vendor_firmware_file type
It's causing surfaceflinger denials and does not exist on other devices. Grant kernel read access to vendor/firmware's new type.
denied { search } for comm="surfaceflinger" name="firmware" scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:vendor_firmware_file:s0 tclass=dir
Test: boot Taimen without denials.
Bug: 68213100
Change-Id: Ib5e1187a09ba59907c29e3de51f7189d25d42b49
ug_map
ile.te
ile_contexts
ernel.te
|
65890df658df3af8e72ae354f86c5efeb58b61aa |
27-Feb-2018 |
Joel Galenson <jgalenson@google.com> |
Dontaudit denial caused by race with labeling. am: 77e4c3efe1 am: 22ae0b6b75 am: f3b05bb52b Change-Id: I339d681817edb849adaa10061bb93227466bb571
|
f3b05bb52b53d76c04449e5bb66649a17eac159a |
27-Feb-2018 |
Joel Galenson <jgalenson@google.com> |
Dontaudit denial caused by race with labeling. am: 77e4c3efe1 am: 22ae0b6b75 Change-Id: I2d20f53479ff4c5867307225e7bf83741ee8fb4a
|
22ae0b6b75d65ebc21e67b72aea63d26acfa1fdd |
27-Feb-2018 |
Joel Galenson <jgalenson@google.com> |
Dontaudit denial caused by race with labeling. am: 77e4c3efe1 Change-Id: If3329ca7398ed2b47c6687ddc069b04706be201b
|
77e4c3efe1edc517f7aaeeb31eab27d73f6ab121 |
26-Feb-2018 |
Joel Galenson <jgalenson@google.com> |
Dontaudit denial caused by race with labeling. This denial seems to be caused by a race with the process that labels the files. While we work on fixing it, hide the denials. Bug: 68864350 Test: Built policy. Change-Id: I3dc7f1a27714d81a42109d46b31b368c36e7fcff
ime_daemon.te
|
fc86925b41424e2306a2ff8d4f1cba3f5aede793 |
23-Feb-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Upgrade vibrator to HAL 1.2"
|
3e8e6599972bf8fd48c832dbd5ba6214e0b2cefc |
29-Jan-2018 |
Michael Wright <michaelwr@google.com> |
Upgrade vibrator to HAL 1.2 Bug: 64184692 Test: build, flash and play with device Change-Id: I44d82371e6a6d7dc7e05e740aa5f2fdb5c3f8df6
ile_contexts
|
4ede3902cb6c7f4c0a6e07ae89be19ac6600acf6 |
15-Feb-2018 |
Naina Nalluri <nainanalluri@google.com> |
Allow ConnectivityMonitor to use radio_service
This change is a result of moving ConnectivityMonitor app to vendor partition
Fixes below errors:
02-13 15:13:13.620 1000 606 606 E SELinux : avc: denied { find } for service=isub pid=3878 uid=1001 scontext=u:r:con_monitor_app:s0:c233,c259,c512,c768 tcontext=u:object_r:radio_service:s0 tclass=service_manager permissive=0
Bug: 73381264
Test: Tested on device
Change-Id: If6b22d23d1363c10bda3982bf30e97e35e044c60
on_monitor.te
|
0c995dbb15588bccdae265635ddc83842e186648 |
13-Feb-2018 |
Tri Vo <trong@google.com> |
Merge "Add todo to remove system_server access to cpufreq." am: ff77266206 am: 58a948528c am: 7a1172d4fa Change-Id: If51a0e9127237bed3798860afd6243e3712ffb32
|
7a1172d4fa3681dd2fef6502891782ad61626d4a |
13-Feb-2018 |
Tri Vo <trong@google.com> |
Merge "Add todo to remove system_server access to cpufreq." am: ff77266206 am: 58a948528c Change-Id: I50635ec98499a45316dad313ca1bb31deee9ce58
|
58a948528c29ba24d55efa67c835acf37ce82747 |
13-Feb-2018 |
Tri Vo <trong@google.com> |
Merge "Add todo to remove system_server access to cpufreq." am: ff77266206 Change-Id: Icae3b4be22b77311fa84aaf91b149b68a2dc1d63
|
ff772662067f97b61073af68abf738c71d60cc97 |
13-Feb-2018 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Add todo to remove system_server access to cpufreq."
|
96a6c4d4fc9f216cad2780bff1fc83b767d680b6 |
08-Feb-2018 |
Tri Vo <trong@google.com> |
Merge "Label /sys/devices/virtual/net from device sepolicy." am: 8c538da276 am: 3b637ed63d am: b59d49daf3 Change-Id: Ic6611fb824aeb46b22cab0e5250edb6549d7e02d
|
b59d49daf31165cf6a8998b4e58b4fdfe23d0142 |
08-Feb-2018 |
Tri Vo <trong@google.com> |
Merge "Label /sys/devices/virtual/net from device sepolicy." am: 8c538da276 am: 3b637ed63d Change-Id: I6b68004cab017a1e267ef01ae5df3108d25d5c1e
|
3b637ed63d5a602922e1f0c14b45f4c5e69551f0 |
08-Feb-2018 |
Tri Vo <trong@google.com> |
Merge "Label /sys/devices/virtual/net from device sepolicy." am: 8c538da276 Change-Id: I79a45b47ed32e337f22d29f8faa31c0783de5993
|
8c538da276a21c2b3691bdab84029ad48b281015 |
08-Feb-2018 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Label /sys/devices/virtual/net from device sepolicy."
|
8c0ccd43df4b27684cfe6d6ee99a8c020a88e442 |
08-Feb-2018 |
Tri Vo <trong@google.com> |
Add todo to remove system_server access to cpufreq. Bug: 73123675 Test: n/a Change-Id: I8174711d2ad80575892149360564c420f07e264a
ystem_server.te
|
6ed46ddcd48a3146175a60165359986554d02bd4 |
08-Feb-2018 |
Tri Vo <trong@google.com> |
Merge "Allow BatterySaver access to cpufreq on wahoo." am: e6c6e5ed06 am: ddccabaae2 am: facc4ba606 Change-Id: I607f0192436f1fed5b586b436131f18cdbd02c48
|
facc4ba606e85ad77f4bb64f8dc9437a87b96184 |
08-Feb-2018 |
Tri Vo <trong@google.com> |
Merge "Allow BatterySaver access to cpufreq on wahoo." am: e6c6e5ed06 am: ddccabaae2 Change-Id: Ifd2f163260d13b22b00f0b0751043612171a9bcd
|
ddccabaae2d5c9c45bf0f2cd04bfedcc73f71088 |
08-Feb-2018 |
Tri Vo <trong@google.com> |
Merge "Allow BatterySaver access to cpufreq on wahoo." am: e6c6e5ed06 Change-Id: I1b07b0826b6566feb339b3779ca56c34f949abde
|
e6c6e5ed0609a13d6fff76e91ffd611afb5dfef4 |
08-Feb-2018 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Allow BatterySaver access to cpufreq on wahoo."
|
cb798cfa6fcc8f4f3b2b90a04ee4092dd73e61b5 |
07-Feb-2018 |
Tri Vo <trong@google.com> |
Allow BatterySaver access to cpufreq on wahoo. Bug: 68988722 Test: n/a Change-Id: I58b502e0f9741f9374a2c079f8fad674639011e6
ystem_server.te
|
e2e31436c83a317a1d2de4aea295512005598b9b |
07-Feb-2018 |
Tri Vo <trong@google.com> |
Label /sys/devices/virtual/net from device sepolicy. This is done to preserve backwards compatibility of core policy. Bug: 72878750 Test: combined wahoo sepolicy is unchanged. Change-Id: I3e85bb94d1f0364a06f1af0d32c70abfedf4624e
enfs_contexts
|
2e9c3537f2e2b18578759e4201edb987f649a4d0 |
02-Feb-2018 |
Edwin Wong <edwinwong@google.com> |
Merge "Add SELinux policy for clearkey HIDL service." am: d08d2a34e1 am: ed1410eea2 Change-Id: Ie5872623bf49fbc1624d3b6b059e1468f37866cf
|
ed1410eea2a27a9d7bd0c09d4809d99d468e221b |
02-Feb-2018 |
Edwin Wong <edwinwong@google.com> |
Merge "Add SELinux policy for clearkey HIDL service." am: d08d2a34e1 Change-Id: Ic444b165e8a19bac3f7e609c023df418584251c8
|
d08d2a34e1e26d942701fe020102322c59b63cc3 |
02-Feb-2018 |
Edwin Wong <edwinwong@google.com> |
Merge "Add SELinux policy for clearkey HIDL service."
|
ea75afb33efa28a31632f4537fef574aaaf98061 |
02-Feb-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Add SELinux policy for clearkey HIDL service."
|
ce26b1c561d31c1e2f97f434c169196c4472241d |
02-Feb-2018 |
Steve Pfetsch <spfetsch@google.com> |
Merge "Reflect libegl move in sepolicy"
|
358d72f626595048cf50e079d33946b283c3f985 |
01-Feb-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Reflect libegl move in sepolicy libraries moved from /vendor/lib to /vendor/lib/egl. Bug: 72814034 Test: spfetsch@ to verify Change-Id: Ifd3d80053436aed6a42c4a64e113474eb65bbae5
ile_contexts
|
6c9b99e10861a7d3dfac0a55ab39670850a3da0e |
31-Jan-2018 |
Edwin Wong <edwinwong@google.com> |
Add SELinux policy for clearkey HIDL service. Convert clearkey plugin to HIDL to support drm HAL v1.1. Add SELinux policy for android.hardware.drm@1.1-service.clearkey. Test: CTS test ANDROID_BUILD_TOP= ./android-ccts-tradefed run cts-dev --module CtsMediaTestCases -t android.media.cts.ClearKeySystemTest#testClearKeyPlaybackCenc bug: 69635855 Change-Id: I61e9c272c2a2788fd07d5c12921d28c785661b77
ile_contexts
al_drm_clearkey.te
|
07d21f461b81f0ee4e9cfe95cb3244f1e9794fbd |
24-Jan-2018 |
Edwin Wong <edwinwong@google.com> |
Add SELinux policy for clearkey HIDL service. Convert clearkey plugin to HIDL to support drm HAL v1.1. Add SELinux policy for android.hardware.drm@1.1-service.clearkey. Test: CTS test ANDROID_BUILD_TOP= ./android-ccts-tradefed run cts-dev --module CtsMediaTestCases -t android.media.cts.ClearKeySystemTest#testClearKeyPlaybackCenc Merged-In: I61e9c272c2a2788fd07d5c12921d28c785661b77 bug: 69635855 Change-Id: I2b6dad3cbefa210400c0169b497ed58d355b85ab
ile_contexts
al_drm_clearkey.te
|
aaf57715e155b16fa10d2b6ea504195228301821 |
31-Jan-2018 |
Wei Wang <wvw@google.com> |
Merge "wahoo: VR: Reset setting in runtime crash and add dumpstate support"
|
2516638b16b3bf317085c983c6e562516eef6009 |
31-Jan-2018 |
Joel Galenson <jgalenson@google.com> |
Merge "Clean up bug_map." am: 03a16f98d6 am: 01e6d51248 am: cbbcb9e449 Change-Id: Id88c872c66e74cfeecab39fd3d5798a750fcb95d
|
cbbcb9e4493035e2dc1ea2f0f25f9152887e6103 |
31-Jan-2018 |
Joel Galenson <jgalenson@google.com> |
Merge "Clean up bug_map." am: 03a16f98d6 am: 01e6d51248 Change-Id: Ib5b172548db41828bfabe3f6b02d3523f80b498b
|
01e6d51248284dfd88abdc5a7e515038468f6c79 |
31-Jan-2018 |
Joel Galenson <jgalenson@google.com> |
Merge "Clean up bug_map." am: 03a16f98d6 Change-Id: I2272425fcc8f6964c435dd68687168afd9936a70
|
03a16f98d6c87e0cf72374e71e2214245c09fb68 |
31-Jan-2018 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Clean up bug_map."
|
ad1b1088336435b1a2db95cacf5b0a84c7738f0b |
31-Jan-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Mark ro.qcom.adreno.* as public_vendor_default_prop"
|
76b6dbfbc52612ca52e44d95ed6ebda6f200e8f7 |
31-Jan-2018 |
Jaekyun Seok <jaekyun@google.com> |
Mark ro.qcom.adreno.* as public_vendor_default_prop ro.qcom.adreno.* are used in some of VNDK-SP libs, and so they should be accessible from system components. Bug: 72697173 Test: tested with ro.qcom.adreno.qgl.VkApiMinorVersion=1 Change-Id: I307c2013a5424245586509cf250c14cf02a8c1cc
roperty_contexts
|
49843e3ab0b6a9264801b2f44ef008a20c85a8e7 |
31-Jan-2018 |
Max Bires <jbires@google.com> |
Merge "Suppressing boot time denial" am: 2fd80081d1 am: 5530470d6f am: 5c5cf3237a Change-Id: I3bd2b497893591af69f423f9239ff58a7c756a41
|
5c5cf3237a213435ea744063605008baf4e63977 |
31-Jan-2018 |
Max Bires <jbires@google.com> |
Merge "Suppressing boot time denial" am: 2fd80081d1 am: 5530470d6f Change-Id: I6732940c7aad4189811905ba377040ae4b12dc16
|
5530470d6fcd819d646367c85cadba904cf03038 |
31-Jan-2018 |
Max Bires <jbires@google.com> |
Merge "Suppressing boot time denial" am: 2fd80081d1 Change-Id: If3f606aed83eb1ef81f0bca59007ebeb6b6df905
|
2fd80081d17e56decd19073f9b1d5ff299d45c66 |
31-Jan-2018 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Suppressing boot time denial"
|
00ef1c1658ade2962d9a405f90345f377a89d75e |
31-Jan-2018 |
Joel Galenson <jgalenson@google.com> |
Clean up bug_map. Remove fixed bugs. Test: Booted Walleye, tested wifi and camera, and observed no new denials. Change-Id: Iff8d3f9dbd2b881a512aa7d65a0a7c67a4beb509
ug_map
|
c58ae4e91923b94e285d7a58ade4577392b93a98 |
29-Jan-2018 |
Wei Wang <wvw@google.com> |
wahoo: VR: Reset setting in runtime crash and add dumpstate support
Reset thermal setting after runtime reboot in VR
Reset touch setting after runtime reboot in VR
Add dump support in VR
Test: Kill system_server during VR session and check thermal and touch settings
Test: Capture bugreport and look at: lshal-debug/android.hardware.vr@1.0::IVr_default.txt
Bug: 72644266
Bug: 72071908
Change-Id: I752c98ec88975a45eda19e72aed24df1a9fef2ba
endor_init.te
|
32a6d40bc254321dfa74eb692498795087446d20 |
30-Jan-2018 |
Max Bires <jbires@google.com> |
Suppressing boot time denial
This denial is generated by whichever process first attempts to access the filesystem, triggering the kernel to go through module loading to find the correct crypto module to use to decrypt the FS. This dontaudit will suppress the denial until the underlying problem is fixed
denied { module_request } for comm="BootAnimation" kmod="crypto-heh(aes)-all" scontext=u:r:bootanim:s0 tcontext=u:r:kernel:s0 tclass=system
Bug: 37205419
Test: bootanim doesn't spawn a module_load denial
Change-Id: I85f1b75c70e87be924c033c9934b87cb90035132
ootanim.te
|
d449eb488004c3ac10cfb429ef167ada6925b557 |
27-Jan-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Usb Gadget hal implementation for wahoo"
|
5bc564b494ed4bb4c5f2ae51f9d1a8a666321caa |
27-Jan-2018 |
Ruchi Kandoi <kandoiruchi@google.com> |
Merge "Disallow NFC vendor library access to nfc_data_file" am: 9704987280 am: e9e717c8aa am: 45e2e638e0 Change-Id: Icb2b0230646da03e3d606d8bebacfedbe8ef4d5c
|
45e2e638e0cd708797593003fd3a59106f722bf0 |
27-Jan-2018 |
Ruchi Kandoi <kandoiruchi@google.com> |
Merge "Disallow NFC vendor library access to nfc_data_file" am: 9704987280 am: e9e717c8aa Change-Id: I085121f638bfe2c56ae8e557b36013d96d96c7b4
|
e9e717c8aa9eeae2a9901ff1b11090e398061933 |
27-Jan-2018 |
Ruchi Kandoi <kandoiruchi@google.com> |
Merge "Disallow NFC vendor library access to nfc_data_file" am: 9704987280 Change-Id: Ia6ed0052ab396c841aee90ce1d433add8e9d8dfc
|
9704987280e8044f2aabcbbf96fe167b1a1e4f6e |
26-Jan-2018 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Disallow NFC vendor library access to nfc_data_file"
|
5e309b924830644827182e039e915e5ba314a81f |
19-Jan-2018 |
Badhri Jagan Sridharan <Badhri@google.com> |
Usb Gadget hal implementation for wahoo (cherry-pick of commit: e9af4669659c306a9c9b1a1ae3a1313a7631357d) Bug: 63669128 Test: Tested USB gadget configurations and verified that they enumerated. Change-Id: If0f98697488f6c7cfe335d4c292acebaaba6c20f
ile_contexts
al_usb_default.te
al_usb_impl.te
|
e81bff1dda1897ea66c5fd6aaeedcb0b070bf6b0 |
26-Jan-2018 |
Badhri Jagan Sridharan <badhri@google.com> |
Merge "DO NOT MERGE :Usb Gadget hal implementation for wahoo"
|
ecfc861e1e23d024ee5e9125c150fbb1b4ffad6b |
19-Jan-2018 |
Badhri Jagan Sridharan <Badhri@google.com> |
DO NOT MERGE :Usb Gadget hal implementation for wahoo Bug: 63669128 Test: Tested USB gadget configurations and verified that they enumerated. Change-Id: If0f98697488f6c7cfe335d4c292acebaaba6c20f
ile_contexts
al_usb_default.te
al_usb_impl.te
|
cc136b14f0257edbf0a6e7352c1a554dd1af576c |
25-Jan-2018 |
Miguel de Dios <migueldedios@google.com> |
Merge "Allow hardware_info_app to read from debugfs_ufs."
|
2cdbc03bf105ae49b94fffcea2a732e715fc573a |
25-Jan-2018 |
Marissa Wall <marissaw@google.com> |
STOPSHIP: proc.uidcpupower reflector for experiments am: 1437d38b52 am: 33c59636f6 am: 456690f063 Change-Id: I5fab6ed361c6e7bf3a7674565b3eb4d7adb83021
|
456690f063b760fb9ac120dba7db727038cced01 |
25-Jan-2018 |
Marissa Wall <marissaw@google.com> |
STOPSHIP: proc.uidcpupower reflector for experiments am: 1437d38b52 am: 33c59636f6 Change-Id: If4076bbc9222b73da5e963075d8fad30d546e7fd
|
c679517ce16a79fcb7d0f073a989dc991158ef35 |
25-Jan-2018 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "wpa_supplicant: move control sockets to /data/vendor"
|
4c05539d6cfbdb38131ea667c411c2da59b8534a |
24-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
wpa_supplicant: move control sockets to /data/vendor Treble compliance. Bug: 70228425 Bug: 70393317 Test: complete wifi test in b/70393317 Test: Test wifi on Taimen and Sailfish Test: verify sockets exist in /data/vendor/wifi/wpa/sockets Change-Id: I0bfc3a351419f0a03498e79664949f353369bf1b
al_wifi_supplicant_default.te
|
0292352f5eac4dbaa84714b24c7b914c4bc4adb0 |
24-Jan-2018 |
Kelly Rossmoyer <krossmo@google.com> |
Low Power Monitor security policies for wahoo
Adds a security policy allowing ConnectivityMonitor to access the new system property controlling startup of the Low Power Monitor service. Also adds security policies allowing ConnectivityMonitor to access the device PowerHAL service, which is used on 2017 devices to obtain low power operation stats.
Error 1 (related to PowerHAL access):
01-24 11:20:41.444 589 589 E SELinux : avc: denied { find } for interface=android.hardware.power::IPower pid=3964 scontext=u:r:con_monitor_app:s0:c233,c259,c512,c768 tcontext=u:object_r:hal_power_hwservice:s0 tclass=hwservice_manager permissive=0
Policy 1: allow con_monitor_app hal_power_hwservice:hwservice_manager find;
Error 2 (also related to PowerHAL access):
01-24 11:28:37.527 3971 3971 W ectivitymonitor: type=1400 audit(0.0:12): avc: denied { call } for scontext=u:r:con_monitor_app:s0:c233,c259,c512,c768 tcontext=u:r:hal_power_default:s0 tclass=binder permissive=0
Policy 2: allow con_monitor_app hal_power_default:binder call;
Error 3 (related to setting system property):
01-24 11:37:41.853 3756 3756 W libc : Unable to set property "persist.radio.poweranomaly.start" to "disabled": error code: 0x18
01-24 11:37:41.854 3756 3756 D AndroidRuntime: Shutting down VM
--------- beginning of crash
01-24 11:37:41.855 3756 3756 E AndroidRuntime: FATAL EXCEPTION: main
01-24 11:37:41.855 3756 3756 E AndroidRuntime: Process: com.google.android.connectivitymonitor, PID: 3756
01-24 11:37:41.855 3756 3756 E AndroidRuntime: java.lang.RuntimeException: Unable to start receiver com.google.android.connectivitymonitor.GservicesChangeReceiver: java.lang.RuntimeException: failed to set system property
Policy 3: persist.radio.lowpowermonitor.start u:object_r:tel_mon_prop:s0
Bug:35955665
Test: All policies taken from audit2allow (see commit text) and tested before/after policy change to establish correctness.
Change-Id: I02bb85a8fd39f3003c035a1ac8f28622d1f0ecc2
on_monitor.te
roperty_contexts
|
a43dba2e832a2b53388a476125d62c279c525aa5 |
24-Jan-2018 |
Tom Cherry <tomcherry@google.com> |
Add restricted permissions to vendor_init am: a29b489370 am: 417db4f1d2 am: 60b2608abb Change-Id: Ie67fcd4598dc8a246bad71567132f890b899f353
|
60b2608abb6cea7813c472865359d8e0a07cc070 |
24-Jan-2018 |
Tom Cherry <tomcherry@google.com> |
Add restricted permissions to vendor_init am: a29b489370 am: 417db4f1d2 Change-Id: I901a931e6b51f9d8ac7de2f604ac06ba3031d621
|
1437d38b52d32188a8118e67e2501d9887ca4016 |
17-Jan-2018 |
Marissa Wall <marissaw@google.com> |
STOPSHIP: proc.uidcpupower reflector for experiments
Allow the concurrent_*_time to be enabled and disabled for performance experiments on the dogfood population. This patch and the corresponding kernel patches should be removed before launch.
proc.uidcpupower=* -> concurrent_*_time enabled
proc.uidcpupower=1 -> concurrent_*_time enabled
proc.uidcpupower=0 -> concurrent_*_time disabled
Test: Run "adb shell setprop proc.uidcpupower 0" and check that "adb shell cat /proc/uid_cpupower/enable" returns 0. Repeat the test with 1.
Change-Id: I818e110907b4d24d0d3c4b9ca92b6f2816ba3b1f
endor_init.te
|
9244427d036ae2b0891929f0d98ebf211cb01bf0 |
24-Jan-2018 |
Jeffrey Vander Stoep <jeffv@google.com> |
Revert "Remove vendor access to wpa_socket" This reverts commit 3ef4216053407b8b0d9ff26f622efc2224cbf4c4. rpius@ says that this can cause some devices to fail to boot. Reverting and will re-test/resubmit tomorrow. Change-Id: I48f033516b93d10edc77a277de49a3e21a068930
al_wifi_supplicant_default.te
|
a29b4893706bdba10477fe569fbb835d0355a71f |
23-Jan-2018 |
Tom Cherry <tomcherry@google.com> |
Add restricted permissions to vendor_init The core SEPolicy for vendor_init is being restricted to the proper Treble restrictions. Since this is a legacy device, it is tagged as a data_between_core_and_vendor_violators and the needed permissions are added to its device specific vendor_init.te Bug: 62875318 Test: boot walleye without audits Change-Id: I13aaa2278e71092d740216d3978dc720afafe8ea
endor_init.te
|
3ef4216053407b8b0d9ff26f622efc2224cbf4c4 |
23-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Remove vendor access to wpa_socket It violates new restrictions on sharing data between system and vendor processes. Bug: 34980020 Test: build (these are build-time tests). Change-Id: Ie57a7587bb497557e48d0f2940d1fe60f4ee3700
al_wifi_supplicant_default.te
|
96b9a25b8e5070cacf9ba6454d964a1a0be54b87 |
19-Jan-2018 |
Jaekyun Seok <jaekyun@google.com> |
Allow vendor_init to set HAL properties
The following properties of bluetooth_prop are set in init scripts.
- persist.service.bdroid.snooplog
- persist.service.bdroid.fwsnoop
- persist.service.bdroid.snooplog
- persist.service.bdroid.fwsnoop
- persist.service.bdroid.soclog
- persist.service.bdroid.soclog
And the following properties of power_prop are set in init scripts.
- vendor.powerhal.state
- vendor.powerhal.audio
Bug: 62875318
Test: tested with walleye
Change-Id: I7cf63bc6ae575150024df3ec7373c750db923ab3
endor_init.te
|
7b07955b89b1edc8b46bc7202c3fc79cc63e8da1 |
20-Jan-2018 |
Eino-Ville Talvala <etalvala@google.com> |
hal_camera: Allow traversal of persist/ am: 45c8eedd87 am: e097025bd4 am: 86fd268114 Change-Id: I0f253b8785c95d535c872c8292721cfcf78a661a
|
86fd268114ea046e84aff008a512ffaf924cd395 |
20-Jan-2018 |
Eino-Ville Talvala <etalvala@google.com> |
hal_camera: Allow traversal of persist/ am: 45c8eedd87 am: e097025bd4 Change-Id: Ib2e01fae11f206951805c538a91ddb52500784c4
|
45c8eedd875839f827fa45d6c93d6e81311290a5 |
20-Jan-2018 |
Eino-Ville Talvala <etalvala@google.com> |
hal_camera: Allow traversal of persist/ Because otherwise access to persist/sensor/ doesn't work Bug: 70565622 Bug: 63629224 Test: Builds, HAL can open and read a file in /persist/sensor/calibration Change-Id: I9ce66dcf2856ed99c09b8183c41d00ee07ad2460
al_camera.te
|
ac4045e0dd54eb0d548554cfd63cf6e42405cec2 |
20-Jan-2018 |
Eino-Ville Talvala <etalvala@google.com> |
hal_camera: Allow access to sensor calibration file am: 32eb479e66 am: 9757888c6c am: 6d0840ec59 Change-Id: Iea1371f4fb6303f413cf87bbbe08e4e584b6fe52
|
6d0840ec5932bdb7e94fc262c133c008d395da1b |
20-Jan-2018 |
Eino-Ville Talvala <etalvala@google.com> |
hal_camera: Allow access to sensor calibration file am: 32eb479e66 am: 9757888c6c Change-Id: I83397033f80a3beec98cb504ce76bcce0a0b8bef
|
32eb479e66702db4c8f73701caca738630919eee |
05-Jan-2018 |
Eino-Ville Talvala <etalvala@google.com> |
hal_camera: Allow access to sensor calibration file To allow the camera HAL to export lens calibration data measured for tango_core, it needs access to the same calibration file. Bug: 70565622 Bug: 63629224 Test: Builds Change-Id: Ia891dc442e1f01b827ba8533f4d77f26e1f61b3b
al_camera.te
|
377efbfdae4b22c42c1835062796e11db8954223 |
19-Jan-2018 |
Jeffrey Vander Stoep <jeffv@google.com> |
Revert "cnss_diag: Track selinux denial" am: 80fc3d69c9 am: 764a4a1f2e am: 1fe9401ebe Change-Id: I4a2bccfd0be41ff1d959ff3cee84e34d9fc94cd5
|
1fe9401ebe81576797062b95cc184837c4d2a22e |
19-Jan-2018 |
Jeffrey Vander Stoep <jeffv@google.com> |
Revert "cnss_diag: Track selinux denial" am: 80fc3d69c9 am: 764a4a1f2e Change-Id: I844f0e464ca2f54e14d15f35f43e08d8d69da454
|
80fc3d69c9981053dcd78dc7c6640e3de6bc263a |
19-Jan-2018 |
Jeffrey Vander Stoep <jeffv@google.com> |
Revert "cnss_diag: Track selinux denial" This reverts commit 3102a99db42f5237849e111380d0ffff064ef4b8. Reason for revert: b/72133934 fixed. Bug: 72133934 Change-Id: Id02bd53eef55ace0de0fb392ed9054abc94a164e
ug_map
|
219ed3fbf3ed30b0a642117c4bd99399222019c7 |
18-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
cnss_diag: Track selinux denial am: 3102a99db4 am: a5fc28a024 am: b44db98766 Change-Id: Ib8bcdcdfacb5d80ba8af72eb95c5b8658aa1a833
|
b44db9876696b87c4518c9323c5626007406fb19 |
18-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
cnss_diag: Track selinux denial am: 3102a99db4 am: a5fc28a024 Change-Id: Ib8abb6b7cded87825a2fae0ed7a1da33df4d13d5
|
3102a99db42f5237849e111380d0ffff064ef4b8 |
18-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
cnss_diag: Track selinux denial Fix presubmit tests. Bug: 72133934 Test: build Change-Id: I72a95bffbaddb4373d761481462b2a0dabf25604
ug_map
|
6bee4eb8b6cf7542d2e6c1af718b81be5bf33561 |
18-Jan-2018 |
Roshan Pius <rpius@google.com> |
Merge changes from topic "hostapd_hidl"
* changes:
wahoo(sepolicy): Redefine cnss_diag folder
wahoo(manifest): Add hostapd HIDL interface
hostapd: Remove treble violation exception
|
d062beeaec4a879cebb5fe794a84ced66e1e0d28 |
18-Jan-2018 |
Michael Butler <butlermichael@google.com> |
Merge "Allow hvx hal to open application fd" am: d66f810d1e am: 8253d4978d am: c95bc5bfbf Change-Id: I72b381ae7aa4def19ccb9b1a5f3bf8549e470341
|
c95bc5bfbfcb9d9068333cb4c45b86887f8da0a7 |
18-Jan-2018 |
Michael Butler <butlermichael@google.com> |
Merge "Allow hvx hal to open application fd" am: d66f810d1e am: 8253d4978d Change-Id: I614ba5eee81d7b5ab5183253cee9505c28b02150
|
d66f810d1ef9c893a19a6164738f7893ecfe1e11 |
17-Jan-2018 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Allow hvx hal to open application fd"
|
c02f290a1dd4233ee09cb4a45c0a55fe30e22ff9 |
29-Nov-2017 |
Michael Butler <butlermichael@google.com> |
Allow hvx hal to open application fd Bug: 67478959 Test: mm, vts, cts Change-Id: I36ffcbc97b1f70dc6e19ec344903c38adc3f2311 (cherry picked from commit fdabd93272ed99d47e10217620eb2659e78db185)
al_neuralnetworks_hvx.te
|
a50ad59c5e9bd74c2b2dbb7c80bf8add9460cb31 |
17-Jan-2018 |
Jaekyun Seok <jaekyun@google.com> |
Merge "Mark unlabeled vendor properties with vendor_default_prop"
|
3ee38634c923664603c219730e23d1cae0d96af1 |
17-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
sepolicy: move denial tracking to core policy am: df8a9ee6c6 am: f69f0ee877 am: 66c93e3e25 Change-Id: I53b1baeb9d94506117904882bd6b9aed2f5d3045
|
66c93e3e256b0ec6197e11d1c50bc2b230241562 |
17-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
sepolicy: move denial tracking to core policy am: df8a9ee6c6 am: f69f0ee877 Change-Id: I53c182515c1872e995b25cc746506d5c33334df8
|
a334daa6c6aa565cc64fd5396ef2f9b126709679 |
17-Jan-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "STOPSHIP: move sys.vdso reflector to allow "user" builds"
|
6b106184074c091017417700aaa87bb3fb385821 |
19-Oct-2017 |
Jaekyun Seok <jaekyun@google.com> |
Mark unlabeled vendor properties with vendor_default_prop For now, unlabeled vendor properties are marked as default_prop which is one of core_property_type. This CL will mark them with vendor_default_prop. Bug: 38146102 Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true Change-Id: I8d4068927f435a0a0732fce86920adc3e7389424
tfwd.te
harger.te
omain.te
al_dumpstate_impl.te
ealthd.te
nit-devstart-sh.te
nit-insmod-sh.te
etmgrd.te
roperty.te
roperty_contexts
adio.te
ild.te
urfaceflinger.te
ystem_app.te
ystem_server.te
endor_init.te
|
df8a9ee6c6fe467bd067be02530ae3495cbad686 |
17-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
sepolicy: move denial tracking to core policy Bug: 68864350 Test: build Change-Id: I28478fd9588023a8c43ee64b087476b8a074a0fd
ug_map
|
2bedc05caed4bb4a68695a09c6d7b524a53bb2aa |
17-Jan-2018 |
Edwin Wong <edwinwong@google.com> |
Merge "Move persistent data to /data/vendor." am: a74d5f7707 am: 0db26c191f am: 25ddee178f Change-Id: I13d8e04cc48f8313876ff1f174ff922d8de9f849
|
25ddee178fb41b77d23b31aeaf3c1ee04dbc4398 |
17-Jan-2018 |
Edwin Wong <edwinwong@google.com> |
Merge "Move persistent data to /data/vendor." am: a74d5f7707 am: 0db26c191f Change-Id: If8f9aee8d18c08d1759acb2190a22b44317dac46
|
a74d5f77072e37970f2c5c5771c2d313c8486ba2 |
17-Jan-2018 |
Edwin Wong <edwinwong@google.com> |
Merge "Move persistent data to /data/vendor."
|
bffc61fb4df0c0831c382818b754ffd972281074 |
17-Jan-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Power: restart PowerHAL if audio HAL died with active low_latency hint"
|
15fd9f5fae85cd3aed1853612369c2211c9e2410 |
16-Jan-2018 |
Wei Wang <wvw@google.com> |
Power: restart PowerHAL if audio HAL died with active low_latency hint Audio low latency which can go parallel with other long-term hints and there is small change that leaves the powerHAL stuck with the hint for long time. This CL will require another property to record the state of it. Bug: 67648152 Test: kill audiohal, audioserver Change-Id: Ic0017b0c7a27994e7583d7701665b2cd156ca192
roperty_contexts
|
0d045dd2c4573183a3d01af62dbdf35b1329aae1 |
16-Jan-2018 |
Mark Salyzyn <salyzyn@google.com> |
STOPSHIP: move sys.vdso reflector to allow "user" builds Modification of bb267fa16f8a1a13283575a4e89b880cd44a00b2 to remove restriction to userdebug and eng builds. Rationalization is the experiment will continue during public beta releases. Test: manual, bionic-benchmarks --bionic_xml=vdso.xml Bug: 70518189 Change-Id: I57e5cdc21569dd32377256d3962e1dc03385f7cb
nit.te
|
11a106330ed18671807e792fc4254e99459dc86e |
16-Jan-2018 |
Tri Vo <trong@google.com> |
system_executes_vendor_violators: google_camera_app and tango_core am: 6113e178c3 am: b6ef487185 am: 7bb299d9c1 Change-Id: I8c4c61b373258d30062c5d96d7ca840f0c949c63
|
7bb299d9c124b2fd645bdbf1cf033faaad77e011 |
16-Jan-2018 |
Tri Vo <trong@google.com> |
system_executes_vendor_violators: google_camera_app and tango_core am: 6113e178c3 am: b6ef487185 Change-Id: I874eb5271c1c2a3e6d89d2fb8e2ee582a3557c25
|
6113e178c3cfed5d54a87938d0d9b5fa98e09c03 |
21-Dec-2017 |
Tri Vo <trong@google.com> |
system_executes_vendor_violators: google_camera_app and tango_core Bug: 62041836 Test: policy builds No rules were added to google_camera_app and tango_core domains Change-Id: Ib8605db10d28998ca564bf9f17a1a89a1b76d504
oogle_camera_app.te
ango_core.te
|
361214d17c8694220785df89ed87ddf4a48f902e |
17-Dec-2017 |
Edwin Wong <edwinwong@google.com> |
Move persistent data to /data/vendor. HALs are only allowed to access files in /data/vendor starting in Pi. Change SELinux policy to move data from /data/mediadrm to /data/vendor/mediadrm. Test: Play Movies & TV, Netflix Ensure offline playback works after the move. bug: 36601695 Change-Id: Ie7ed580036fe0b6113eb4c39210e90dc08478230
ile.te
ile_contexts
al_drm_default.te
al_drm_widevine.te
ove-widevine-data-sh.te
|
6a60787a548bf87b9eb01d2c9b8d6ab63fab5fc5 |
13-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
vendor_init: allow reading sys.modem.diag property am: 99e7af062f am: 237efff11c am: 7b1cfa03c0 Change-Id: I933cf6ceb6c9a26aac2d09b87ef5bbb2e3a595a0
|
7b1cfa03c04df661680221df83917c77cc320c89 |
13-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
vendor_init: allow reading sys.modem.diag property am: 99e7af062f am: 237efff11c Change-Id: Idf2127daa0138095c5ae2df2de42bdf61861cc63
|
99e7af062f2f2f14a2a75aa2a9bf0313079a6121 |
13-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
vendor_init: allow reading sys.modem.diag property Test: build wahoo policy Change-Id: Iaa5c1c26a6a41fdb9c33bbad44b461e7bc898f23
endor_init.te
|
5cf6d726a8ea293f6f698532db33363a1de16434 |
12-Jan-2018 |
Tri Vo <trong@google.com> |
Merge "Revert "system_executes_vendor_violators: google_camera_app and tango_core""
|
840d4a5ea4081c0a819a53b447f22e9f68eea0f9 |
12-Jan-2018 |
Tri Vo <trong@google.com> |
Revert "system_executes_vendor_violators: google_camera_app and tango_core" This reverts commit f4494825c5fc75203d3a55d5e58110dfd43c1033. Reason for revert: albacore build broken Change-Id: I79bccbab740d545261afd8f7f3ffec3be20d0a27
oogle_camera_app.te
ango_core.te
|
b173ec1a08c033ef1bb89d3c42002c5758c3b460 |
12-Jan-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge changes from topic "storage_health_interface"
* changes:
Create sepolicy for Wahoo health HAL service
Add health service for Wahoo
|
13fe0c40565a61d406227265d535d3a5268d5580 |
12-Jan-2018 |
Tri Vo <trong@google.com> |
Merge "system_executes_vendor_violators: google_camera_app and tango_core"
|
6ba332939ea0df70cd0a8ff792095cbc2744e60d |
12-Jan-2018 |
Sooraj Sasindran <sasindran@google.com> |
Merge "enable power anomaly detection"
|
dd69b2ca0c3fc466eaf8321b9f3fc48c66994515 |
20-Dec-2017 |
Hridya Valsaraju <hridya@google.com> |
Create sepolicy for Wahoo health HAL service Bug: 68388678 Test: vts-tradefed run vts -m VtsHalHealthV2_0 Change-Id: I4d7214c760948bc07cfdf3143526d137718e4f9a
ile_contexts
al_health_default.te
|
f4494825c5fc75203d3a55d5e58110dfd43c1033 |
21-Dec-2017 |
Tri Vo <trong@google.com> |
system_executes_vendor_violators: google_camera_app and tango_core Bug: 62041836 Test: policy builds No rules were added to google_camera_app and tango_core domains Change-Id: Ib8605db10d28998ca564bf9f17a1a89a1b76d504
oogle_camera_app.te
ango_core.te
|
86815f4889cb100a8cace63829e697a3e7c8eba8 |
03-Jan-2018 |
Sooraj Sasindran <sasindran@google.com> |
enable power anomaly detection Move connectivity monitor sepolicies to specific policy file Allow Power Anomaly detector to access /data/vendor/radio Fixes below errors 12-28 18:01:37.294 W/ectivitymonitor( 3619): type=1400 audit(0.0:13): avc: denied { search } for name="radio" dev="sda13" ino=1835015 scontext=u:r:radio:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=0 12-28 18:15:03.838 W/ectivitymonitor( 3621): type=1400 audit(0.0:18): avc: denied { read } for name="u:object_r:tel_mon_prop:s0" dev="tmpfs" ino=9592 scontext=u:r:con_monitor_app:s0:c233,c259,c512,c768 tcontext=u:object_r:tel_mon_prop:s0 tclass=file permissive=0 01-10 19:38:17.399 939 939 W rild : type=1400 audit(0.0:87): avc: denied { read } for name="u:object_r:tel_mon_prop:s0" dev="tmpfs" ino=17732 scontext=u:r:rild:s0 tcontext=u:object_r:tel_mon_prop:s0 tclass=file permissive= add power_anomaly_data.txt to be picked up in bugreport Test: tested by testing power anomaly detector and connectivity monitor Bug: 67058502 Change-Id: I8ad45d5e9cedde8f498627f97b35db27dfd2ea28
on_monitor.te
roperty_contexts
ild.te
eapp_contexts
|
bb267fa16f8a1a13283575a4e89b880cd44a00b2 |
14-Dec-2017 |
Mark Salyzyn <salyzyn@google.com> |
STOPSHIP: sys.vdso reflector for experiments On userdebug or eng, permit vdso to be enabled or disabled at will to manage performance experiments on the dogfood population. ro.debuggable=1 -> permit sys.vdso to maintain an influence over vdso sys.vdso=false -> 32 and 64 bit vdso disabled sys.vdso=32 -> 64 bit vdso disabled sys.vdso=64 -> 32 bit vdso disabled sys.vdso= -> 32 and 64 bit vdso enabled NB: sys.vdso set to any other value will default to vdso enabled. Test: manual, bionic-benchmarks --bionic_xml=vdso.xml to confirm. Bug: 70518189 Change-Id: I839feff206a1404f228a5bdf35fb0c392fd8974a
ile.te
ile_contexts
nit.te
|
7a37d573638459c382783f8447123a9dd7a3197d |
05-Jan-2018 |
Roshan Pius <rpius@google.com> |
wahoo(sepolicy): Redefine cnss_diag folder The parent folder /data/vendor/wifi of cnss diag is going to be used by hostapd data file storage. So, rename sepolicy file attribute to limit the path controlled by the cnss_vendor_data_file attribute. Bug: Start softap Test: Compiles Change-Id: I0001199864fed580983f8340645f36fd4e2f69ef
ile_contexts
|
252f00b4aff279aee53e1b633b84e3646606834f |
23-Dec-2017 |
Roshan Pius <rpius@google.com> |
hostapd: Remove treble violation exception Bug: 36646171 Test: Device boots up and able to turn on SoftAp. Change-Id: I8a826d944fc25b08aa9e919ff95f20e34c13346a
ostapd.te
|
1c36565762cbd478e7faf1e16b05f45b4b7a412f |
09-Jan-2018 |
Wei Wang <wvw@google.com> |
wahoo: power: Add hint state into PowerHAL in case of restart PowerHAL should remember the long-lasting hint when it (re)starts, in case it crashed/killed. Also when client crashed, the long-lasting hint should be cancelled. This CL adds a property for PowerHAL to store its long-lasting hint, and uses init to clear the property and restart PowerHAL when client died. Bug: 67648152 Test: kill cameraHAL, powerHAL, system-server Change-Id: I6b2cae3c2228da00bcb97a3befacf9ab045eeba8
al_power_default.te
roperty.te
roperty_contexts
|
c4822cb33291cb4a2ed47e43fd2d2864ae68fda4 |
05-Jan-2018 |
Thierry Strudel <tstrudel@google.com> |
Merge "wahoo: power: switch to libperfmgr for powerhint"
|
445050c9d7a60402001c9248eb5428b579b72370 |
04-Jan-2018 |
Jeff Tinker <jtinker@google.com> |
Merge "Allow widevine drm hal to access allocator hal" am: d1c8174061 am: b8cf647687 am: 7a35cb0518 Change-Id: I8399d17cca55cf7998073a36773dd63641dca609
|
7a35cb0518a07280fbef32be09e48e38fd13c98c |
04-Jan-2018 |
Jeff Tinker <jtinker@google.com> |
Merge "Allow widevine drm hal to access allocator hal" am: d1c8174061 am: b8cf647687 Change-Id: Ic0749608b04347460fbd94d85b65fd159b9d1d55
|
d1c817406186c220ce146322b07d5355eaad9cf6 |
04-Jan-2018 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Allow widevine drm hal to access allocator hal"
|
d7f901b58dd1ea1eb370c1a0f41f3834a87dc6f1 |
01-Jan-2018 |
Wei Wang <wvw@google.com> |
wahoo: power: switch to libperfmgr for powerhint Test: boot and do powerhint Bug: 62041945 Change-Id: I7de1d2bf377fb46162171a084fca3413b1067d3b
ile_contexts
al_camera.te
al_power_default.te
erfd.te
|
9246d7f0dec78d33823ebeeb800c8246edb87b2a |
30-Nov-2017 |
Jeff Tinker <jtinker@google.com> |
Allow widevine drm hal to access allocator hal This fixes failing vts drm tests bug:67675811 Change-Id: Ic489b4cfac383e809f9c1f0503c337dce21a100e
al_drm_widevine.te
|
51c700f3710a3ba32d30be7951792389fe85e3ee |
29-Dec-2017 |
Miguel de Dios <migueldedios@google.com> |
Allow hardware_info_app to read from debugfs_ufs. Add sepolicy for hardware_info_app to read from debugfs_ufs since we need to read /sys/kernel/debug/ufshcd0/dump_health_desc. Change-Id: I86bf99f06bf18a2f7264dd85b745c99433872f35 Bugs: b/70754991 Test: pts-tradefed run pts -m PtsHardwareInfoHostTestCases
ardware_info_app.te
|
63207ac2a75341992b719145ee02c34ffdb7dca2 |
03-Jan-2018 |
Ke Bai <kebai@google.com> |
easel.te: read access to sysfs_thermal am: 401c245984 am: c97b49a5cb am: ad080d19de Change-Id: I46c78592ab1fb828100df97dec67c5e58c885faa
|
ad080d19dec70e0100c8e6cbd973fc309aeb1441 |
03-Jan-2018 |
Ke Bai <kebai@google.com> |
easel.te: read access to sysfs_thermal am: 401c245984 am: c97b49a5cb Change-Id: Ied8a65855553fe6cc8e00980a6b36ff01fa2b94f
|
401c2459842a3d8617bc0b40e3b98dcc6c2d5544 |
22-Dec-2017 |
Ke Bai <kebai@google.com> |
easel.te: read access to sysfs_thermal Bug: b/70857705 Test: manual Change-Id: I539f3cbc9fe69aa0c3f5bbf21599c0a126594188
asel.te
|
27e37c4fe15c0d41db31c2de30e68a7fa74918cd |
30-Dec-2017 |
Tri Vo <trong@google.com> |
Merge "Label sysfs_rtc files." am: ec90390658 am: 3036651d6c am: eee4bf11cb Change-Id: I5cfb2d00561a5147dfb43fe5b6c3f4123509ebfe
|
eee4bf11cb3985fa2333027636a56f1d1d20951b |
30-Dec-2017 |
Tri Vo <trong@google.com> |
Merge "Label sysfs_rtc files." am: ec90390658 am: 3036651d6c Change-Id: I25cfebc7f611bd1ad792015823a41c882428be1e
|
6928c476056abde5090fca3ab3e3a92de2a280ea |
19-Dec-2017 |
Tri Vo <trong@google.com> |
Label sysfs_rtc files. We expect all files under /sys/class/rtc to be labeled sysfs_rtc. /sys/class/rtc/rtc0 is a symlink to /sys/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm8998@0:qcom,pm8998_rtc/rtc/rtc0 Bug: 68018685 Test: walleye boots with no denials to /sys/class/rtc/*. Change-Id: Iacf2b55ae365661be29016729d5517403ff6e9a1
enfs_contexts
|
0db0e4a5618393c0e139a34c574328164a756c1a |
13-Dec-2017 |
Tri Vo <trong@google.com> |
Label vendor sys/*/power_supply/* as sysfs_batteryinfo am: 2a6f537080 am: ef523fdfa3 am: a85b493054 Change-Id: Ie6a33245495aca896ce54d308eff7f443d294d10
|
a85b493054f3af7919a949c0339f68a7e52102e4 |
13-Dec-2017 |
Tri Vo <trong@google.com> |
Label vendor sys/*/power_supply/* as sysfs_batteryinfo am: 2a6f537080 am: ef523fdfa3 Change-Id: I220315745b2186855e00908e95b4d219b16c3407
|
2a6f537080f100e44d097bd8800e348e553ab8a2 |
15-Nov-2017 |
Tri Vo <trong@google.com> |
Label vendor sys/*/power_supply/* as sysfs_batteryinfo thermal-engine access to sysfs_batteryinfo. Bug: 65643247 Bug: 70275668 Test: device boots with no denial to sysfs_batteryinfo or sysfs_msm_subsys. Change-Id: I09fd4057282236edfabc43fd2b4209fcee4e8332
enfs_contexts
hermal-engine.te
|
013ebf1c1c8f4d83bc70a76eeff1de5ae050e15e |
09-Dec-2017 |
Tri Vo <trong@google.com> |
Merge "Label /sys/devices/soc/18800000.qcom,icnss/net" am: 4b90c93c5f am: 5239474f78 am: 33064e3cb9 Change-Id: I56bcbf48183ee034d262a788ab4eafdb4659c172
|
33064e3cb93d50a0e18d6d37c8469102e01e5d91 |
09-Dec-2017 |
Tri Vo <trong@google.com> |
Merge "Label /sys/devices/soc/18800000.qcom,icnss/net" am: 4b90c93c5f am: 5239474f78 Change-Id: I4d10d56f6d65bc8e9ce8b384446b451cf73822d1
|
4b90c93c5fab89280d35b08c341434b2213b01c0 |
09-Dec-2017 |
Tri Vo <trong@google.com> |
Merge "Label /sys/devices/soc/18800000.qcom,icnss/net"
|
a3333a875a16f70b4856df8c6318d2d2868f9a0c |
09-Dec-2017 |
Tri Vo <trong@google.com> |
Label /sys/devices/soc/18800000.qcom,icnss/net The following symlinks are under /sys/class/net: /sys/class/net/p2p0 -> /sys/devices/soc/18800000.qcom,icnss/net/p2p0 /sys/class/net/wlan0 -> /sys/devices/soc/18800000.qcom,icnss/net/wlan0 and we expect everything under /sys/class/net to be labeled sysfs_net. Bug: 65643247 Test: netd_integration_test Test: can browse internet without denials to sysfs_net Change-Id: Ie92ac36b34f86847aaaef2199b9f3aaae05d991b
enfs_contexts
|
d055d6d6b2af5aac0d3edbf4c352a8c0a7178381 |
08-Dec-2017 |
Kevin Chyn <kchyn@google.com> |
Allow Sensors HAL to connect with CHRE Daemon am: 4b55a6ca98 am: 5e0a9f9c62 am: 06b025da27 Change-Id: I7687d3b274346dcc2dbc14328a0c2de0cb412cb9
|
06b025da274ef4caa02aeb5e8597e3a0d45c9715 |
08-Dec-2017 |
Kevin Chyn <kchyn@google.com> |
Allow Sensors HAL to connect with CHRE Daemon am: 4b55a6ca98 am: 5e0a9f9c62 Change-Id: Ic24fcf5e87f0407657b9a0c668d83c0295c48e23
|
c5ffbbba668ab09be4fb721bdf8fc46dc0e48e52 |
08-Dec-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Annotate boot denials am: 65ab5a73f5 am: defba2d3c5 am: 2e806302c7 Change-Id: I86f6411106c54c9c29c83718dd6fbb78eda897f1
|
4b55a6ca98cfc323a74895e50486a0196a27c492 |
07-Dec-2017 |
Kevin Chyn <kchyn@google.com> |
Allow Sensors HAL to connect with CHRE Daemon Bug: 69386746 Test: On master, able to connect to CHRE Daemon without using adb shell setenforce 0 Change-Id: I590e495e4f032d8928ea1aa8264a285e1d424078
al_sensors_default.te
|
2e806302c70ec71cf495d3644c46548743c8c6cb |
07-Dec-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Annotate boot denials am: 65ab5a73f5 am: defba2d3c5 Change-Id: I3f5a6891f97be5a5528ae13932a02b325d8abc82
|
65ab5a73f5ec0da00c924d3b95ed463e885f1216 |
07-Dec-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Annotate boot denials Test: build Bug: 70180742 Bug: 70308329 Change-Id: I16ad0c4b01452a7d7e23d1f467f56501db37329f
ug_map
|
afebe7283e6b66b64d33927b227c06c51f6874fc |
06-Dec-2017 |
Ajay Dudani <adudani@google.com> |
dumpstate: Add battery type to bugreport & fixup sepolicy am: 22f01a2fa0 am: 7164b2c4d4 am: 4abe1f8534 Change-Id: I2fe52705cdfafbbace79c1745134befd4b5d542a
|
c754fc01507d08390df3a17805786bf8f2c7796f |
06-Dec-2017 |
Ajay Dudani <adudani@google.com> |
sepolicy: Allow rpm and wifi power stats in user builds am: 6cbc6d9104 am: 2381f51ba5 am: 440319ac7a Change-Id: Ic0c865d876851670a57eab34a9c87b0b34798a0f
|
4abe1f85341d8bfcfd70013c660bc7586768c117 |
06-Dec-2017 |
Ajay Dudani <adudani@google.com> |
dumpstate: Add battery type to bugreport & fixup sepolicy am: 22f01a2fa0 am: 7164b2c4d4 Change-Id: Ic524793275fc994d3eba32ec16cfb576cf3e45a5
|
440319ac7a2d9abded7b8773a4f71e49333ab9d0 |
06-Dec-2017 |
Ajay Dudani <adudani@google.com> |
sepolicy: Allow rpm and wifi power stats in user builds am: 6cbc6d9104 am: 2381f51ba5 Change-Id: Id921c9a08c4b179cd219be61cb1165cd9c1e2fef
|
7164b2c4d48f9b304a77c421548368edf898c292 |
06-Dec-2017 |
Ajay Dudani <adudani@google.com> |
dumpstate: Add battery type to bugreport & fixup sepolicy am: 22f01a2fa0 Change-Id: Ic0fa85622c4f0cb0ec77e88a39d05b81fd3c1513
|
2381f51ba58c086ed79bc2b24e38e847d3475e20 |
06-Dec-2017 |
Ajay Dudani <adudani@google.com> |
sepolicy: Allow rpm and wifi power stats in user builds am: 6cbc6d9104 Change-Id: I9080f9f54241f5a18e4bf179331c2509c28212ac
|
70e630035c666776593b4258381b2c4351dc3469 |
06-Dec-2017 |
Wei Wang <wvw@google.com> |
Merge "Power: Implement PowerHal 1.2"
|
22f01a2fa0261c5f5601ef500f7516cfc9259933 |
05-Dec-2017 |
Ajay Dudani <adudani@google.com> |
dumpstate: Add battery type to bugreport & fixup sepolicy Add sepolicy for this operation, and update sepolicy to allow collecting batteryinfo in bugreport for user builds. Bug: 70094701, 70094083 Test: Take bugreport, verify battery type is present Change-Id: Id67776301e2ed39a283a08483ac5eb8125aba96b
umpstate.te
enfs_contexts
|
6cbc6d9104e79b8fbda4cdc4bc59b9bcb6435fe8 |
01-Dec-2017 |
Ajay Dudani <adudani@google.com> |
sepolicy: Allow rpm and wifi power stats in user builds In order to enable debugging of power issues on 'user' builds, we need to capture rpm stats and wifi power stats from debugfs. Allow this for user builds. Bug: 69003183 Test: Verify rpm & wifi power stats are present in bugreport Change-Id: If9754137f9331832d055ee39d3fd3d5ec79cfc15
al_power_default.te
ernel.te
|
8ce5e19a671fa91bcb3edaf6da598f415ad1066b |
17-Nov-2017 |
Wei Wang <wvw@google.com> |
Power: Implement PowerHal 1.2 Convert all perfd hints into PowerHAL hints Test: do camera/audio powerhint Bug: 62041945 Change-Id: I82c8ca99b76d70d716eabedb617a126446646b7d
udioserver.te
ile_contexts
al_audio_default.te
|
758c4e7b7c3f6d04faaa8bc47aa779ba712e69b4 |
01-Dec-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "wifi_supplicant: deprecate entropy.bin" am: 5ded7d8a1c am: fb9dbfebcc am: 3c58378dfc Change-Id: Idf9a4fe1bb78ce13afeab7b0cc716aa38a8edbec
|
3c58378dfc8fa13233e6873a6d74ad98ddd37d1d |
01-Dec-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "wifi_supplicant: deprecate entropy.bin" am: 5ded7d8a1c am: fb9dbfebcc Change-Id: I479ba6593c4afe8ea8e464aacee8d23ee829ac13
|
fb9dbfebcc1d41f08ab127c6c432b120133996ca |
01-Dec-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "wifi_supplicant: deprecate entropy.bin" am: 5ded7d8a1c Change-Id: Ifdcf8c25340608bf82f4699609dcebd12c7a9f47
|
5ded7d8a1c70692aa29cd31422bc40e6fdd3c53f |
01-Dec-2017 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "wifi_supplicant: deprecate entropy.bin"
|
0a81570cb9a17c011f87da6677b8c9ba7f449291 |
30-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
wifi_supplicant: deprecate entropy.bin Wpa_supplicant's random pool is not necessary on Android. Randomness is already provided by the entropymixer service which ensures sufficient entropy is maintained across reboots. Commit b410eb1913 'Initialize /dev/urandom earlier in boot' seeds /dev/urandom with that entropy before either wpa_supplicant or hostapd are run. Bug: 34980020 Test: Use wifi and wifi tethering on Taimen Change-Id: Ib5caf362bc939911b357db186a274957d3fbf186
ostapd.te
|
675c6a699bc9762be13bfcd07499c856c01d2655 |
30-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove obsolete /data/ramdump sepolicy" am: 80c738e7ab am: c04078c166 am: 37f085c783 Change-Id: I701e8b7ecdf40c50ff4822f9f63eb5580e9fb84b
|
37f085c783c05088e55add9ab0c28967a95b1c5a |
30-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove obsolete /data/ramdump sepolicy" am: 80c738e7ab am: c04078c166 Change-Id: I87a2cea582800c7f0c00c79fae9fd305401636d9
|
c04078c166a687565821c9a8a4d382a3123137d4 |
30-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove obsolete /data/ramdump sepolicy" am: 80c738e7ab Change-Id: I25bafcbb91501a5495a2cc554d43be67c7b7a4ec
|
80c738e7abf37f22fd21fdca51d124e3298a4838 |
30-Nov-2017 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Remove obsolete /data/ramdump sepolicy"
|
83ce8a5d624033ab939cd652909e0d56942739b1 |
29-Nov-2017 |
Ruchi Kandoi <kandoiruchi@google.com> |
Disallow NFC vendor library access to nfc_data_file Test: NFC enable/disable. No SElinux denials Bug: 36645109 Change-Id: Ib50cbc1dfc4db1a3afea044b9ebf849e26feea8b
al_nfc_default.te
|
b33775465b094234ec01c4856c3e008ea2810a9b |
29-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Remove obsolete /data/ramdump sepolicy No domain has access to this type/location. Test: build Bug: 34980020 Change-Id: Icd7e58a1e8a46f603bfb651a4654ddf020e684a0
ile.te
ile_contexts
|
78395856c9b1d20b22df7c951b76baa1f5e198cf |
28-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
sepolicy: Remove tracking of resolved denial am: d90b6a6589 am: 201fc696bd am: 3264cc9451 Change-Id: I894763c2001407d651ff4c5703c01d95c430911d
|
3264cc9451ea3e1278cbeec55c2e5523f10cfa8c |
28-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
sepolicy: Remove tracking of resolved denial am: d90b6a6589 am: 201fc696bd Change-Id: I4ff76e832f9c4e54ca1a239bc48a6c13f5ca9d42
|
201fc696bda4f2446e6401dec135634a7eafcb8f |
28-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
sepolicy: Remove tracking of resolved denial am: d90b6a6589 Change-Id: I0f3a4750522a6ed4c247c359398b62eddf09afd2
|
81d95c7216c5f6249269f8967c90a3427c52b2a6 |
28-Nov-2017 |
Max Bires <jbires@google.com> |
Removing entry from bug_map that belongs in global policy am: 8dfbc9c280 am: 9be94e1031 Change-Id: I6c2eaa83eab89844c3283644bba91ed36992be97
|
9be94e10316eb6cb3f82f83fd40d403bb9261aec |
28-Nov-2017 |
Max Bires <jbires@google.com> |
Removing entry from bug_map that belongs in global policy am: 8dfbc9c280 Change-Id: I301105abf86b0108554609ccde4585649e6a0479
|
d90b6a65890b2c6d16ad5eb4c49b04b676428632 |
27-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
sepolicy: Remove tracking of resolved denial Bug: 67860826 Test: build Change-Id: I9e7bb8e0af75e499d024228e26abf12ff4418d55
ug_map
|
8dfbc9c280fb78d2fc4a79c324238b3d2989c33d |
01-Nov-2017 |
Max Bires <jbires@google.com> |
Removing entry from bug_map that belongs in global policy Test: entry no longer exists in this file Change-Id: I8b16c772983dfd79a54cd049ba3295cc6cdecd41 (cherry picked from commit d946b273ba44db7c0809a5a256641c25bdfb7644)
ug_map
|
74c2d71feca23c8eb48d7e984bf9af720c16ba71 |
28-Nov-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "wahoo: Change ramdump property names"
|
4dc6659501b4e202f385842d17e490db5cd72fad |
22-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "This change is primarily a revert of 611c3d70a" am: 3bd6a7ab6f am: 508cfa70b8 am: 3764ba8cdb Change-Id: I9cfbf5af90cc519df3d817569d3e480f3d19f252
|
3764ba8cdb0d86b013dbdb4629134dc41aa36b8f |
22-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "This change is primarily a revert of 611c3d70a" am: 3bd6a7ab6f am: 508cfa70b8 Change-Id: Ib0222df8a3a9657d2f075966bce48bb93f000c48
|
508cfa70b8eef59862a2f124346a0f12da5e99d8 |
22-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "This change is primarily a revert of 611c3d70a" am: 3bd6a7ab6f Change-Id: Iedfc834e35dac481cdf49df8917256164f740b1a
|
8d21715fc2357593711546df8999bc9651405a1f |
22-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
This change is primarily a revert of 611c3d70a Commit 611c3d70a "Move hal_bootctl rules to hal_bootctl_default" breaks sideloading OTAs. It was introduced to fix a CTS regression due to overly broad access to the vendor-owned misc_block partition. The change also did a refactor of permissions for the bootctl HAL. The fix leaves the one-line CTS fix in place and reverts the rest of the refactor. This results in no change in permissions for the recovery process which is already granted access to the misc_block partition in core policy. "allow recovery dev_type:blk_file rw_file_perms;" Bug: 69566734 Test: adb sideload ota Change-Id: I67504482b166e1cf278be213e42bfde2ddfa6e67
al_bootctl.te
al_bootctl_default.te
|
a54d493853e680c3600a688474923b21378e369f |
21-Nov-2017 |
Oleg Matcovschi <omatcovschi@google.com> |
wahoo: Change ramdump property names Avoid using vendor names in properties. Change-Id: I1d0bc294584daa6910fc778ada05631440d3e707
roperty_contexts
|
ae7ff6e17720e968e3233a66baa9950ec5667812 |
22-Nov-2017 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "Move hal_bootctl rules to hal_bootctl_default" am: cee6d6db58 am: 5dc4c280f7 am: 9cac94dbaf Change-Id: Ib6522f0e739970a366330bedd390934600a00a3c
|
9cac94dbaf3f7e2e5cabae85c99d79b990d36784 |
22-Nov-2017 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "Move hal_bootctl rules to hal_bootctl_default" am: cee6d6db58 am: 5dc4c280f7 Change-Id: I8f4b6a5f7d654baefe99da94b5dd69a1a8901134
|
5dc4c280f73df46dcf236d1577965666512b68f4 |
22-Nov-2017 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "Move hal_bootctl rules to hal_bootctl_default" am: cee6d6db58 Change-Id: I608d31eae81625a48e75dd143c13156b4ab5acc9
|
cee6d6db5889efe35e3af5bf7e1c74b8475d91de |
22-Nov-2017 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "Move hal_bootctl rules to hal_bootctl_default"
|
611c2d70a06107d22dfee4f3b1eaf29224b64b33 |
21-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Move hal_bootctl rules to hal_bootctl_default This more clearly attributes the permissions to the actual domain and prevents a build breakage when building recovery due to a userdebug-only neverallow exemption for hal_bootctl. Bug: 69566734 Test: build user build Change-Id: I5ed3c04b3709ac7b00234402788f5f1ae88e6f61
al_bootctl.te
al_bootctl_default.te
|
aff5731c449298d00e52c73a69501951783981bd |
20-Nov-2017 |
Max Bires <jbires@google.com> |
Adding intermittent taimen denials to bug_map and adding dontaudit am: 8760ea13c8 am: b1c7925f39 Change-Id: I87acc9a42b31bce78a688d17ccb72bc57f847e44
|
b1c7925f39795cc0ab3d6fa467aa7f4ad834faf4 |
20-Nov-2017 |
Max Bires <jbires@google.com> |
Adding intermittent taimen denials to bug_map and adding dontaudit am: 8760ea13c8 Change-Id: I65596064dcea4ef10fbed479af37429df1b3d55b
|
c34f83ca6eca31a44589ac2dd4caa5712e98ff31 |
20-Nov-2017 |
Max Bires <jbires@google.com> |
Adding bug map entry for surfaceflinger denial am: 79c6875ae1 am: a18b856873 Change-Id: I2136fdfe79376fb2394ab33b1d0e73e647622cb4
|
8ad4301e14a5abce77c17c201d4effdb48eb068d |
20-Nov-2017 |
Max Bires <jbires@google.com> |
Adding bug map entries for boot denials am: 6f8f263c64 am: 2d5b503deb Change-Id: Ie98762bb38cb2865cc2517c25e6b48a9ae174e39
|
a18b856873b43d33fc78d6d9b22473744868ea3f |
20-Nov-2017 |
Max Bires <jbires@google.com> |
Adding bug map entry for surfaceflinger denial am: 79c6875ae1 Change-Id: I62af409b7d870f2562f8a585468f0c5ce76f6934
|
2d5b503deb4d47330c3d5818fb18cd771bebb337 |
20-Nov-2017 |
Max Bires <jbires@google.com> |
Adding bug map entries for boot denials am: 6f8f263c64 Change-Id: I63f5b9a494f535b499bc7a6bbb94016e6182b414
|
8954b7958dacef1ce25173ace6fa256438a4a3a3 |
20-Nov-2017 |
Max Bires <jbires@google.com> |
Adding allow rules and bug_map entries to clean up boot on taimen am: bf29a6610c am: 2eb295df29 Change-Id: I3f9b9453e1717498e76b254fc16d3d988a37d28e
|
2eb295df292393165ab81e5763d10bb6d74044b5 |
20-Nov-2017 |
Max Bires <jbires@google.com> |
Adding allow rules and bug_map entries to clean up boot on taimen am: bf29a6610c Change-Id: Id3c3164c7fbbdda81a8a038f87181b2e535bb608
|
8760ea13c88090cf6f8ff01668667040fcc8ec34 |
03-Nov-2017 |
Max Bires <jbires@google.com> |
Adding intermittent taimen denials to bug_map and adding dontaudit These intermittent denials are making it look like taimen boot tests are occasionally unhealthy due to untracked denials. This will remove the failing tests issue. Bug: 68705274 Test: these intermittent denials are now tracked or properly dontaudit'ed Change-Id: I342cff19d7bde73fee93fd8461c9c0680511e23c Merged-In: I342cff19d7bde73fee93fd8461c9c0680511e23c (cherry picked from commit 552978d27c7c475e0ec6ff982d9e2bb709b7c93f)
ug_map
etutils_wrapper.te
|
79c6875ae1daf9e0fbcf48081b14b0da1358d843 |
24-Oct-2017 |
Max Bires <jbires@google.com> |
Adding bug map entry for surfaceflinger denial Test: the surfaceflinger denial is properly tagged Change-Id: I734aa3880491504c2c7e73236bda11e3cd111384 Merged-In: I734aa3880491504c2c7e73236bda11e3cd111384 (cherry picked from commit cb67b3d17069e21188f1e111fed43035daa61b19)
ug_map
|
6f8f263c64a3700cebdab6da1523fa087fb19cb4 |
19-Oct-2017 |
Max Bires <jbires@google.com> |
Adding bug map entries for boot denials Test: bug metadata is properly attached to relevant denials Change-Id: I20fba3a86104f494131714056b2809ae6a62d416 Merged-In: I20fba3a86104f494131714056b2809ae6a62d416 (cherry picked from commit 6f475be419041f239cb0802d0cc9ab0c829956ed)
ug_map
|
bf29a6610c8d24a98b74b72031652b926f9d691d |
17-Oct-2017 |
Max Bires <jbires@google.com> |
Adding allow rules and bug_map entries to clean up boot on taimen Allow rule denials: denied { ioctl } for pid=863 comm="rild" path="/vendor/radio/qcril_database/qcril.db" dev="dm-1" ino=900 ioctlcmd=f50c scontext=u:r:rild:s0 tcontext=u:object_r:vendor_file:s0 tclass=file denied { read } for pid=1609 comm="batterystats-wo" name="show_stat" dev="sysfs" ino=37781 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file denied { search } for pid=1609 comm="system_server" name="800f000.qcom,spmi" dev="sysfs" ino=19648 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir bug_map denial entries: denied { create } for pid=751 comm="main" name="tasks" scontext=u:r:zygote:s0 tcontext=u:object_r:cgroup:s0 tclass=fil denied { getattr } for pid=1609 comm="system_server" path="/vendor/framework" dev="dm-1" ino=291 scontext=u:r:system_server:s0 tcontext=u:object_r:vendor_framework_file:s0 tclass=dir Test: denials either don't show up or are properly tagged with a bug number Change-Id: Ibf841033ac5480ddb975772840680011cb331a7d Merged-In: Ibf841033ac5480ddb975772840680011cb331a7d (cherry picked from commit 53146f8cc0fcf8fe084105668d6d1d715d63d9cb)
ug_map
enfs_contexts
ild.te
|
bc563cf96a1dce8dfa0ea5efb55801bc770f9b12 |
16-Nov-2017 |
Tom Cherry <tomcherry@google.com> |
Merge "Add vendor_init.te" am: c0959d9ff8 am: c28270b47c am: 3506ef33a3 Change-Id: Ib652a46bee64b02e567642d0c838f5c4f7d9cd54
|
3506ef33a34b75f6c4cff138e3c5e9717ab7ad0f |
16-Nov-2017 |
Tom Cherry <tomcherry@google.com> |
Merge "Add vendor_init.te" am: c0959d9ff8 am: c28270b47c Change-Id: I7543b913805e3c62e3a3ecc6ff6b0e97cc1bf299
|
c28270b47ca445c5e5cc4c74a6f133f61b43f4ea |
16-Nov-2017 |
Tom Cherry <tomcherry@google.com> |
Merge "Add vendor_init.te" am: c0959d9ff8 Change-Id: Id7deaf4d160d31066eca8e0f77ecdfce48dab0c8
|
c0959d9ff8679ef803c1d756f3d21245c1eb0677 |
16-Nov-2017 |
Tom Cherry <tomcherry@google.com> |
Merge "Add vendor_init.te"
|
74d8c3674a626a4a092acc63a7d109f60c1fc531 |
07-Nov-2017 |
Tom Cherry <tomcherry@google.com> |
Add vendor_init.te Update sepolicy for vendor_init. Relevant denials: avc: denied { write } for pid=558 comm="init" name="debug_suspend" dev="debugfs" ino=997 scontext=u:r:vendor_init:s0 tcontext=u:object_r:debugfs_clk:s0 tclass=file permissive=1 avc: denied { module_request } for pid=558 comm="init" kmod="deadline-iosched" scontext=u:r:vendor_init:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1 Bug: 62875318 Test: use walleye + factory reset + vendor_init Change-Id: I2655316be5fbf18120174a11958c43d7ca70b478
endor_init.te
|
5fddf5544d518889f5defa88ac38035921a6b68b |
15-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove dumpstate HAL's access to radio app data" am: dc08a47024 am: 864b27eda6 Change-Id: Icd51489793bbfb79686b7bd5f51589944e617ebf
|
864b27eda6da61f5b17092dab87631cbdaf034cc |
15-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove dumpstate HAL's access to radio app data" am: dc08a47024 Change-Id: I2ead3b84bf4e792a2791ba0877c338f4e07b61eb
|
dc08a4702457670e04300d619f728b69f8464e00 |
15-Nov-2017 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Remove dumpstate HAL's access to radio app data"
|
283fc24c21bdff1ecfa6f2de0b372ec908a92678 |
15-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge changes I23f5d887,I7f65224b am: a3c5fdbfc3 am: 54a4466be9 Change-Id: I67089f62df8e9bb98163ba1931140370e61c86d3
|
54a4466be9a72e6fe173fb1e3847a40dd53b492d |
15-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge changes I23f5d887,I7f65224b am: a3c5fdbfc3 Change-Id: I4367232e00d50c245e6c5034da9ea6d85e28440b
|
a3c5fdbfc36e3666600de7a78a95d53427c3391b |
15-Nov-2017 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge changes I23f5d887,I7f65224b * changes: Remove system_server access to location daemon's data Remove dumpstate's access to modem dump file
|
b93164076a0fbcf78af63e439dc128d08a2d8708 |
20-Oct-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Remove dumpstate HAL's access to radio app data These permissions no longer appear to be needed. Bug: 34980020 Test: adb bugreport, no denials for radio_data_file Change-Id: Id20a3cc87d78ef547811dffe230d13772f1504b0 Merged-In: Id20a3cc87d78ef547811dffe230d13772f1504b0 (cherry picked from commit 97e8a770f6129986202161663edeaa1169e92914)
al_dumpstate_impl.te
|
4c44680ee099543686b3eb6553159530843cfc37 |
20-Oct-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Remove system_server access to location daemon's data These permissions no longer appear to be necessary, and violate Treble separation of system/vendor data. Bug: 34980020 Test: Launch google maps, get current location Change-Id: I23f5d887fdcb400dd027431eabc4e744a08d4ea9 Merged-In: I23f5d887fdcb400dd027431eabc4e744a08d4ea9 (cherry picked from commit 9dccaa56ce67938f60d5c113eeb8ec530ec654a1)
ystem_server.te
|
d6a99d1db8033cfc2d111c48e5a263f3e6d9d180 |
20-Oct-2017 |
Jie Song <jies@google.com> |
Remove dumpstate's access to modem dump file Dumpstate is using the 2nd file descriptor to access dump file Bug: 68044348 Test: Take bugreport, no denial for modem_dump_file and modem log is valid Change-Id: I7f65224bd3cc81258bccc3dbf419e52c1bcaeaa3 Merged-In: I7f65224bd3cc81258bccc3dbf419e52c1bcaeaa3 (cherry picked from commit b51ae72a5d8c47ecaf6465239c747179d3272745)
umpstate.te
|
9ba9e412f62aaffee9e33ed27e6611539d73f862 |
14-Nov-2017 |
Xin Li <delphij@google.com> |
Merge commit '34f7f32ea4cca137547463132f06cb93dc8d04b3' from oc-mr1-dev-plus-aosp-without-vendor into stage-aosp-master Change-Id: I1f549411c9b9219fae6e602569778ae36c511055
|
acdf8ee53a08fc0987bf882e17eb296296c2ce90 |
14-Nov-2017 |
Tao Bao <tbao@google.com> |
Merge "sepolicy: Remove update_verifier.te." am: 14716fc148 am: 2959768511 Change-Id: I8aa6e174e91a1a0120b4e6b0e4109bb1aaf217c0
|
14716fc148ccb72f0c08803374d142736fce0387 |
14-Nov-2017 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "sepolicy: Remove update_verifier.te."
|
3d4c191247f5d429fa9b3382293685c9411b20f4 |
06-Oct-2017 |
Tao Bao <tbao@google.com> |
sepolicy: Remove update_verifier.te. It has been added into core policy through https://android-review.googlesource.com/c/platform/system/sepolicy/+/503421. Bug: 63440407 Test: update_verifier successfully triggers blocks verification and marks a successful boot; Test: No sysfs_dm related denials on walleye. Change-Id: I5605af8b10d890489c25f16f82274f828e10e751 (cherry picked from commit e2c0c287fb8fe6b0f33c1a84492c41baaf29c074)
pdate_verifier.te
|
fc98977517e0bdc06c1eaa68fb37236dec76e156 |
11-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Clean up commented out permissions" am: 64936a0238 am: 0d0c712b4b am: d9c7badbfe Change-Id: Ife079289736a78ec567755ee28dc586614fc0cfd
|
d9c7badbfe900fa0f85a37f0d6b3943a864cc47d |
11-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Clean up commented out permissions" am: 64936a0238 am: 0d0c712b4b Change-Id: If55d1b556ac29f2cd64c8cdcdab8c6396ca24471
|
64936a023898d48299aa5823e7ebcbea7234b6d2 |
11-Nov-2017 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Clean up commented out permissions"
|
e74598517d1683f9d0cfa81d00abc2fd2baa70d8 |
10-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Clean up commented out permissions Test: none Change-Id: I26f4a18ad1141a5d402ddd38505a4cdaee266c4e
al_camera.te
|
f54f2c98d3885a20d05ebaf739e09ead1b9199e3 |
10-Nov-2017 |
Chenjie Luo <cjluo@google.com> |
Allow easel to read sysfs_easel dir am: 3b8bac308a am: 8d06a43142 am: efcec0f279 Change-Id: I1d115462e9e84bdc27cfbb754a5165167ec78a20
|
efcec0f27946b0e5b7f30e7a5e03fbbef2f8fffe |
10-Nov-2017 |
Chenjie Luo <cjluo@google.com> |
Allow easel to read sysfs_easel dir am: 3b8bac308a am: 8d06a43142 Change-Id: I828140da3c5f8da8ffc1ba0a872348196d869520
|
3b8bac308adc8442e57028a4d1029542c209d47f |
10-Nov-2017 |
Chenjie Luo <cjluo@google.com> |
Allow easel to read sysfs_easel dir Test: easelmanagerd_client_example Change-Id: I494e35e8127cba0bcbfcd9ed68776268dfb42131
asel.te
|
c8807869f226e90af770b9c4f7647cc9c82c921b |
10-Nov-2017 |
Wei Wang <wvw@google.com> |
Merge "sepolicy: remove perfd usage in mediacodec"
|
32a17f0bbbedc43cdc522cbc338c85309be00325 |
10-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Move platform/vendor data violations to device policy am: 98dd9bb659 am: cdfb42f233 am: ef03706701 Change-Id: Ib7b03d039766c82a965080f534a35ebcf7ed2003
|
ef03706701644f9b55a394a1bb393e7df92b7d88 |
10-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Move platform/vendor data violations to device policy am: 98dd9bb659 am: cdfb42f233 Change-Id: Id5f2f5607bf6050c20916243df4534db0ad9bdeb
|
98dd9bb6595c50ea459b0a6b279b0916a6d521ca |
06-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Move platform/vendor data violations to device policy Sharing data folders by path will be disallowed because it violates the approved API between platform and vendor components tested by VTS. Move all violating permissions from core selinux policy to device specific policy so that we can exempt existing devices from the ban and enforce it on new devices. Bug: 34980020 Test: Move permissions. Build and test wifi, wifi AP, nfc, fingerprint and Play movies on Marlin. Test: build Taimen Change-Id: I1c2f2acac02266f8d07ff1fc3c69329af0aa2f3d
al_drm_default.te
al_drm_widevine.te
al_fingerprint.te
al_fingerprint_default.te
al_nfc_default.te
al_wifi_supplicant_default.te
ostapd.te
|
1ec29720de80257ee40236a45dc33df314f342fb |
09-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Grant HALs access to diag_device am: 4c1bb0c66e am: c4a8826ab6 am: 24bf7da390 Change-Id: If7c1980a2f54f5b365c645f37bebab6dc36a6f69
|
24bf7da390974227f2954a28d8cd8defc38776b5 |
09-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Grant HALs access to diag_device am: 4c1bb0c66e am: c4a8826ab6 Change-Id: I86781e7ecd7a0aaf3a533d88215729c6065cfc8a
|
6ca3b6af6b655f3a33de8c4ece7a5fbfccd74d7f |
09-Nov-2017 |
Max Bires <jbires@google.com> |
Adding userdebug/eng diag access for following domains am: a72c9eda39 am: b889c22817 Change-Id: I9b80da7f1e605fe50a3f9ebf797223951915555c
|
ae00e38a4e8a1392c63bcf6327b8c0d6266e8bf4 |
09-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
sepolicy: domain: remove world access to /dev/diag am: d683b2f369 am: 454b33c2c6 Change-Id: I28f0e28cebb08a1f9701d1224ccc25b09371cfae
|
4c1bb0c66e150edcdf40375ecebb0190fadce242 |
09-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Grant HALs access to diag_device avc: denied { read write } for comm="imsrcsd" name="diag" dev="tmpfs" ino=9694 scontext=u:r:hal_rcsservice:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file avc: denied { read write } for comm="ims_rtp_daemon" name="diag" dev="tmpfs" ino=9694 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file Bug: 68705274 Test: build Change-Id: I39f21c1e01001ea83d38461b450e42db1d21991d
al_imsrtp.te
al_rcsservice.te
|
9b1fa7dc7e893ea9a87f6ef9465113c227ea078c |
09-Nov-2017 |
Wei Wang <wvw@google.com> |
sepolicy: remove perfd usage in mediacodec VIDEO_DECODE_PLAYBACK_HINT is for interactive governor in HMP kernels Remove the access to it. Bug: 62041945 Test: boot Change-Id: I9454f2707cb380761d8370fa477e6d933dae9d40
ediacodec.te
|
a72c9eda39db602a25bd7a0b6346fb61e1dc861b |
11-Oct-2017 |
Max Bires <jbires@google.com> |
Adding userdebug/eng diag access for following domains World access to diag_device for userdebug/eng builds was revoked due to potential for dangerous use from 3rd party code so this CL grants access back to the domains that requested it. denied { read write } for pid=832 comm="qti" name="diag" dev="tmpfs" ino=9583 scontext=u:r:qti:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file denied { read write } for pid=808 comm="thermal-engine" name="diag" dev="tmpfs" ino=9583 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file denied { read write } for pid=877 comm="cnss_diag" name="diag" dev="tmpfs" ino=9583 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file denied { read write } for pid=816 comm="imsqmidaemon" name="diag" dev="tmpfs" ino=9583 scontext=u:r:ims:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file denied { read write } for pid=753 comm="android.hardwar" name="diag" dev="tmpfs" ino=9583 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file denied { read write } for pid=772 comm="sensors.qcom" name="diag" dev="tmpfs" ino=9583 scontext=u:r:sensors:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file denied { read write } for pid=677 comm="time_daemon" name="diag" dev="tmpfs" ino=9583 scontext=u:r:time_daemon:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file denied { read write } for pid=618 comm="android.hardwar" name="diag" dev="tmpfs" ino=9583 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file denied { read write } for pid=854 comm="rild" name="diag" dev="tmpfs" ino=10642 scontext=u:r:rild:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file denied { read write } for pid=828 comm="netmgrd" name="diag" dev="tmpfs" ino=10642 scontext=u:r:netmgrd:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file denied { read write } for pid=826 comm="cnd" name="diag" dev="tmpfs" ino=10642 scontext=u:r:cnd:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file denied { read write } for pid=1559 comm="iptables-wrappe" path="/dev/diag" dev="tmpfs" ino=17555 scontext=u:r:netutils_wrapper:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file Test: domains that need diag_device access can get access to it Change-Id: I6b2473958d10145ed981c5fbcb2ebd3232fcee0e Merged-In: I6b2473958d10145ed981c5fbcb2ebd3232fcee0e (cherry picked from commit c760b34307f28d8d68ee6b0e03f0d670e3d8eadd)
nd.te
al_graphics_composer_default.te
al_sensors_default.te
ms.te
etmgrd.te
etutils_wrapper.te
ti.te
ild.te
ensors.te
hermal-engine.te
ime_daemon.te
cnss_service.te
|
d9bf00f0fa0c8a588f23abdc4771605aad8a70b5 |
11-Aug-2017 |
Ecco Park <eccopark@google.com> |
sepolicy: change the sepolicy for cnss_diag cnss_diag: type=1400 audit(0.0:65): avc: denied { search } for name="diagchar" dev="sysfs" ino=27415 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:sysfs_diag:s0 tclass=dir permissive=0 audit(1502477202.513:37783): avc: denied { read } for pid=989 comm="cnss_diag" name="timestamp_switch" dev="sysfs" ino=27761 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:sysfs_timestamp_switch:s0 tclass=file permissive=0 Bug:64604240 Change-Id: I1b882b15908241c18d694947b8de11136e6afee2 Merged-In: I1b882b15908241c18d694947b8de11136e6afee2 Signed-off-by: Ecco Park <eccopark@google.com> (cherry picked from commit d024c1334a1900aba407174ade6aa2f196e4fbfc)
cnss_service.te
|
d683b2f369d0f0f34ad570c123753e81600e2169 |
05-Oct-2017 |
Jeff Vander Stoep <jeffv@google.com> |
sepolicy: domain: remove world access to /dev/diag This driver is not safe for general use, particularly for third party apps, even on debug builds. Adding OWNERS file in a subsequent commit to prevent security violations like this from getting checked in. Test: build Change-Id: I245244e924ae247b6fbd48aa033bb71cca6067de Merged-In: I245244e924ae247b6fbd48aa033bb71cca6067de (cherry picked from commit 23ea15a12a5e253241d85f57568bec709e85f98f)
omain.te
|
a887be0f43cedd13c9a603a3e386c45e922864b3 |
09-Nov-2017 |
Chenjie Luo <cjluo@google.com> |
Add easel sepolicy. am: 8843e8e1f9 am: da4568815d am: 76a57dd976 Change-Id: I7425f52d89e7b7a129bb816b378b87e8abfe6a3d
|
76a57dd976d0934015c2d2bfef30bb6f74f91f03 |
09-Nov-2017 |
Chenjie Luo <cjluo@google.com> |
Add easel sepolicy. am: 8843e8e1f9 am: da4568815d Change-Id: Ib6141c1a3a54861f6837be4f797e5f6f086c9144
|
8843e8e1f9805eb9f3d601b12369ed03a1f1306d |
03-Nov-2017 |
Chenjie Luo <cjluo@google.com> |
Add easel sepolicy. Test: easelmanager_client_example Change-Id: Iaed2e346b469ce907f7f1ffe0012d8c5840af385
asel.te
ile_contexts
ndservice.te
ndservice_contexts
|
c0e2cc52a491e866b8c25b967d8cb3f9ce787d41 |
08-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Ban sharing data between platform and vendor processes" am: ea46f456cd am: 69cea20710 Change-Id: Ife37dbec6b32eb41e17ba11d37e683c07ec7c5ba
|
ea46f456cdf55196e60fec0cf6d22bb293142da2 |
08-Nov-2017 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Ban sharing data between platform and vendor processes"
|
87529b3f4bad820b3a607d7b579f99291651c353 |
02-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Ban sharing data between platform and vendor processes Annotate processes that violate the ban including fingerprint and widevine HALs. Bug: 34980020 Test: build Change-Id: I4afa03841e1648d4624e66bbd5ed21d09d357547 Merged-In: I4afa03841e1648d4624e66bbd5ed21d09d357547 (cherry picked from commit 458d1f6a6e5274565976cc93675ce09ef926ed5f)
al_drm_widevine.te
ee.te
|
92fb5015442759b02b471ad86969196e0240c15b |
08-Nov-2017 |
Siyuan Zhou <siyuanzhou@google.com> |
Allowed ssr_setup to access sysfs_msm_subsys for user builds. am: 8da95d2f14 am: e3cbb4ea05 Change-Id: I207a25a58cab36f75637c3c732cf201e641413e9
|
e3cbb4ea055b7675fbe61b4567c144226b9d0fd7 |
08-Nov-2017 |
Siyuan Zhou <siyuanzhou@google.com> |
Allowed ssr_setup to access sysfs_msm_subsys for user builds. am: 8da95d2f14 Change-Id: I39367b46e40c08d42d834e434d305891ab1e6dc8
|
b74d70834b9d7179c133eb0a58f65cc95edd66d3 |
08-Nov-2017 |
Mikhail Naganov <mnaganov@google.com> |
Use /data/vendor/audio for Audio HAL data am: 943161347d am: a91b22865d Change-Id: I4456b90619bc98a0f6e1f9af6eab5beafc66cb5e
|
943161347ddd753f635966dce1260ac9866ffb3c |
08-Nov-2017 |
Mikhail Naganov <mnaganov@google.com> |
Use /data/vendor/audio for Audio HAL data This separates the data of audioserver from the data of the hal_audio. Bug: 35042759 Test: no SELinux denials for hal_audio Change-Id: I2eafed4d8a620507e27cab3a9b84d829d003bcec Merged-In: I1815c5debaa6d6d2076cebf8beb5acd36c6fe891
ile.te
ile_contexts
al_audio_default.te
|
86ca2b44a86b0b765e93f1e73c3e6c7cc473c907 |
08-Nov-2017 |
Tri Vo <trong@google.com> |
Merge "Label /sys/devices/soc/{ c179000.i2c c1b5000.i2c } as sysfs_msm_subsys" am: 2d2cd9670a am: 661aca373a am: fd689130b3 Change-Id: I6ac5aef36a82ad14087eafb441bf3e723f4fa16e
|
fd689130b36a29d8f25af9cfec8541fdcfc596ff |
08-Nov-2017 |
Tri Vo <trong@google.com> |
Merge "Label /sys/devices/soc/{ c179000.i2c c1b5000.i2c } as sysfs_msm_subsys" am: 2d2cd9670a am: 661aca373a Change-Id: Ifa82e09aa8709f20d8478dd8dd39b1662fd910a5
|
8da95d2f1403e8c9fdc10ba20bdf22dd9d9f7c1a |
07-Nov-2017 |
Siyuan Zhou <siyuanzhou@google.com> |
Allowed ssr_setup to access sysfs_msm_subsys for user builds. Allow ssr_setup to access sysfs_msm_subsys and enable subsystem restart properly for user builds. Otherwise, all subsystem issues are translated into kernel panics. BUG: 69001795 Change-Id: I0e3cf53b92f04433d356fdeb1018bb18a9a954a6
sr_setup.te
|
cf5550fe6ad39ae1633f78eff985ec1e44786613 |
07-Nov-2017 |
Tri Vo <trong@google.com> |
Label /sys/devices/soc/{ c179000.i2c c1b5000.i2c } as sysfs_msm_subsys On taimen some of the files under /sys/class/power_supply are symlinks to these dirs. Addresses these denials on taimen: avc: denied { read } for comm="android.hardwar" name="type" dev="sysfs" ino=50110 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 avc: denied { read } for comm="android.hardwar" name="type" dev="sysfs" ino=48182 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 Bug: 68962942 Test: builds, boots, files are correctly labeled. Change-Id: I2b972f4f471b54097354d3e490a02300182a8e9a
enfs_contexts
|
fb167a94c3e0376c287474a08d919eb85931d58b |
07-Nov-2017 |
Mikhail Naganov <mnaganov@google.com> |
Use /data/vendor/audio for Audio HAL data This separates the data of audioserver from the data of the hal_audio. Bug: 35042759 Change-Id: I1815c5debaa6d6d2076cebf8beb5acd36c6fe891 Test: no SELinux denials for hal_audio
ile.te
ile_contexts
al_audio_default.te
|
552978d27c7c475e0ec6ff982d9e2bb709b7c93f |
03-Nov-2017 |
Max Bires <jbires@google.com> |
Adding intermittent taimen denials to bug_map and adding dontaudit These intermittent denials are making it look like taimen boot tests are occasionally unhealthy due to untracked denials. This will remove the failing tests issue. Bug: 68705274 Test: these intermittent denials are now tracked or properly dontaudit'ed Change-Id: I342cff19d7bde73fee93fd8461c9c0680511e23c
ug_map
etutils_wrapper.te
|
9012d7d192071e42cf28802d1929bb5be46d73f1 |
03-Nov-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Ban sharing data between platform and vendor processes"
|
458d1f6a6e5274565976cc93675ce09ef926ed5f |
02-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Ban sharing data between platform and vendor processes Annotate processes that violate the ban including fingerprint and widevine HALs. Bug: 34980020 Test: build Change-Id: I4afa03841e1648d4624e66bbd5ed21d09d357547
al_drm_widevine.te
ee.te
|
d946b273ba44db7c0809a5a256641c25bdfb7644 |
01-Nov-2017 |
Max Bires <jbires@google.com> |
Removing entry from bug_map that belongs in global policy Test: entry no longer exists in this file Change-Id: I8b16c772983dfd79a54cd049ba3295cc6cdecd41
ug_map
|
6063bde2a921c22f644ede1e79323e1b610941bc |
01-Nov-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "radio: remove access to proc label"
|
be7260e7183d75706eb773077f915e0f6906af88 |
01-Nov-2017 |
Tri Vo <trong@google.com> |
radio: remove access to proc label Added appropriate access to proc_cmdline. Bug: 65643247 Test: make/receive phone calls Test: send/receive text messages Test: browse internet on LTE network No denials to 'proc' label are observed during tests. Change-Id: I59710c75dbb1cf9aec7c2de4c0372d3ab372a31e
adio.te
|
8664a03c40e77723305bac5e3bfe8c26885aaad0 |
25-Oct-2017 |
Tri Vo <trong@google.com> |
Health hal: grant access to sysfs_msm_subsys Health hal needs access to this label to read files under /sys/class/power_supply, which are symlinks to qcom-specific files, e.g. /sys/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-02/800f000.qcom,spmi:qcom,pmi8998@2:qcom,qpnp-smb2/power_supply/usb/type Test: boots without health hal denials. Change-Id: I1412241ab7fcacc120dc1a0a67cac7f0867f0f37
al_health_default.te
|
801459dd3b877c3de824382f8d9e2f3017b30471 |
27-Oct-2017 |
Chien-Yu Chen <cychen@google.com> |
Merge "system_app: Set camera property in user builds" into oc-mr1-dev am: a66abec0b9 am: 1061c0df93 Change-Id: If150a2333ef0ef65111fdebc6c79489d98be6379
|
1061c0df93ce4f351f7fbb2e6d6f156439d83d1b |
27-Oct-2017 |
Chien-Yu Chen <cychen@google.com> |
Merge "system_app: Set camera property in user builds" into oc-mr1-dev am: a66abec0b9 Change-Id: Iee93d2ad041554e4e3289850bfda29e8d166a4c9
|
a66abec0b9b7af5acaa47127133417dd9a40452f |
27-Oct-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "system_app: Set camera property in user builds" into oc-mr1-dev
|
f22847be7030f1bc335623d1a039405abe34bb5b |
27-Oct-2017 |
Chien-Yu Chen <cychen@google.com> |
system_app: Set camera property in user builds Allow system app to set camera property in user builds. Test: Settings app Bug: 68346040 Change-Id: Ie183acb88f32f019fdf096b12cba52cecc3e3aee
ystem_app.te
|
cb67b3d17069e21188f1e111fed43035daa61b19 |
24-Oct-2017 |
Max Bires <jbires@google.com> |
Adding bug map entry for surfaceflinger denial Test: the surfaceflinger denial is properly tagged Change-Id: I734aa3880491504c2c7e73236bda11e3cd111384
ug_map
|
02d4201a8b2a4963db5cc787237f8fa574378f97 |
24-Oct-2017 |
Nick Desaulniers <ndesaulniers@google.com> |
wahoo: sepolicy: escape a period Fixes: 68144019 Change-Id: I88318f9c25e1589a9688c595bda00c9510d55ab0
ile_contexts
|
43748c0054c99a02820fa9beabc25644eb8311c8 |
24-Oct-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "wahoo: fingerprint: change HAL binary name"
|
6749bd83aef653ec782520ef971e9dfdcc13f720 |
23-Oct-2017 |
Nick Desaulniers <ndesaulniers@google.com> |
wahoo: fingerprint: change HAL binary name Change the binary name to not be device specific. This allows us not to have multiple init.rc files per device, simplifying code sharing between devices that use the same HAL. Bug: 68144019 Change-Id: Ib81fa673c96a25137ad3dfb673f161243cc55ef4
ile_contexts
|
0b87d6b0cd253c026d805df9657cdbfd15cff707 |
23-Oct-2017 |
Dan Cashman <dcashman@google.com> |
Move dataservice_app to platform policy. am: 03320ccd49 am: 9765f29acb Change-Id: I2196e207fc48228c1426c84d1c92c2e7c168d0ad
|
9765f29acbb2102af806c5ce542168ca2bf5e03d |
23-Oct-2017 |
Dan Cashman <dcashman@google.com> |
Move dataservice_app to platform policy. am: 03320ccd49 Change-Id: I83bd3965001e2a6c9125acd228dcce3123e2dad3
|
dca9f37f0a7e62d3e1c4e94d5e51f95e2a7ed553 |
21-Oct-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Remove dumpstate's access to modem dump file"
|
f9ae2b051113a0b52440d698f953afd712bbe9d1 |
17-Oct-2017 |
Tri Vo <trong@google.com> |
Move device-agnostic netd rules to fwk policy. These were moved from vendor to fwk policy: 1. sysfs_net type declaration 2. labeling of /sys/devices/virtual/net with sysfs_net 3. netd access to sysfs_net Bug: 65643247 Test: can browse internet without netd denials Test: netd_unit_test, netd_integration_test without netd denials Merged-In: I9e6ec7ab24039bc74a7e47f423222334fed8bf3a Change-Id: I9e6ec7ab24039bc74a7e47f423222334fed8bf3a (cherry picked from commit 661dbb6d30798c1acfdbbaff10fba1d489b0f8ef)
ile.te
enfs_contexts
etd.te
|
b51ae72a5d8c47ecaf6465239c747179d3272745 |
20-Oct-2017 |
Jie Song <jies@google.com> |
Remove dumpstate's access to modem dump file Dumpstate is using the 2nd file descriptor to access dump file Bug: 68044348 Test: Take bugreport, no denial for modem_dump_file and modem log is valid Change-Id: I7f65224bd3cc81258bccc3dbf419e52c1bcaeaa3
umpstate.te
|
03320ccd49e5bdcccc44f7b1d17d081e7569624e |
20-Oct-2017 |
Dan Cashman <dcashman@google.com> |
Move dataservice_app to platform policy. Bug: 68012595 Test: Builds. Change-Id: Ibb01d8ba94e271d4d53c2457b27e24cdeb2bb8e2
eapp_contexts
|
97e8a770f6129986202161663edeaa1169e92914 |
20-Oct-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Remove dumpstate HAL's access to radio app data These permissions no longer appear to be needed. Bug: 34980020 Test: adb bugreport, no denials for radio_data_file Change-Id: Id20a3cc87d78ef547811dffe230d13772f1504b0
al_dumpstate_impl.te
|
9dccaa56ce67938f60d5c113eeb8ec530ec654a1 |
20-Oct-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Remove system_server access to location daemon's data These permissions no longer appear to be necessary, and violate Treble separation of system/vendor data. Bug: 34980020 Test: Launch google maps, get current location Change-Id: I23f5d887fdcb400dd027431eabc4e744a08d4ea9
ystem_server.te
|
1945c409cdb8eaca0bcec159c6189a34847f4449 |
17-Oct-2017 |
Tri Vo <trong@google.com> |
Move device-agnostic netd rules to fwk policy. These were moved from vendor to fwk policy: 1. sysfs_net type declaration 2. labeling of /sys/devices/virtual/net with sysfs_net 3. netd access to sysfs_net Bug: 65643247 Test: can browse internet without netd denials Test: netd_unit_test, netd_integration_test without netd denials Merged-In: I9e6ec7ab24039bc74a7e47f423222334fed8bf3a Change-Id: I9e6ec7ab24039bc74a7e47f423222334fed8bf3a (cherry picked from commit 661dbb6d30798c1acfdbbaff10fba1d489b0f8ef)
ile.te
enfs_contexts
etd.te
|
884bb6f40af0c49d234f9e08ccfd98e17f383161 |
19-Oct-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Adding bug map entries for boot denials"
|
6f475be419041f239cb0802d0cc9ab0c829956ed |
19-Oct-2017 |
Max Bires <jbires@google.com> |
Adding bug map entries for boot denials Test: bug metadata is properly attached to relevant denials Change-Id: I20fba3a86104f494131714056b2809ae6a62d416
ug_map
|
10fd6f6cdb54435f293163904e0f39907be1b485 |
19-Oct-2017 |
Tri Vo <trong@google.com> |
Merge "Move device-agnostic netd rules to fwk policy."
|
661dbb6d30798c1acfdbbaff10fba1d489b0f8ef |
17-Oct-2017 |
Tri Vo <trong@google.com> |
Move device-agnostic netd rules to fwk policy. These were moved from vendor to fwk policy: 1. sysfs_net type declaration 2. labeling of /sys/devices/virtual/net with sysfs_net 3. netd access to sysfs_net Bug: 65643247 Test: can browse internet without netd denials Test: netd_unit_test, netd_integration_test without netd denials Change-Id: I9e6ec7ab24039bc74a7e47f423222334fed8bf3a
ile.te
enfs_contexts
etd.te
|
53146f8cc0fcf8fe084105668d6d1d715d63d9cb |
17-Oct-2017 |
Max Bires <jbires@google.com> |
Adding allow rules and bug_map entries to clean up boot on taimen Allow rule denials: denied { ioctl } for pid=863 comm="rild" path="/vendor/radio/qcril_database/qcril.db" dev="dm-1" ino=900 ioctlcmd=f50c scontext=u:r:rild:s0 tcontext=u:object_r:vendor_file:s0 tclass=file denied { read } for pid=1609 comm="batterystats-wo" name="show_stat" dev="sysfs" ino=37781 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file denied { search } for pid=1609 comm="system_server" name="800f000.qcom,spmi" dev="sysfs" ino=19648 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir bug_map denial entries: denied { create } for pid=751 comm="main" name="tasks" scontext=u:r:zygote:s0 tcontext=u:object_r:cgroup:s0 tclass=fil denied { getattr } for pid=1609 comm="system_server" path="/vendor/framework" dev="dm-1" ino=291 scontext=u:r:system_server:s0 tcontext=u:object_r:vendor_framework_file:s0 tclass=dir Test: denials either don't show up or are properly tagged with a bug number Change-Id: Ibf841033ac5480ddb975772840680011cb331a7d
ug_map
enfs_contexts
ild.te
|
365c33bb3705e3c3f41b4ba45535ee9fdd89fc05 |
13-Oct-2017 |
Max Bires <jbires@google.com> |
Adding rw access to diag_device for hal_gnss_qti denied { read write } for pid=751 comm="Loc_hal" name="diag" dev="tmpfs" ino=10674 scontext=u:r:hal_gnss_qti:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file Test: on userdebug/eng builds, hal_gnss_qti can access diag_device without generating denials Change-Id: I571e4a4a470f3550c22a7af3145468baa4e0a155
al_gnss_qti.te
|
80862e8ce49725a64532475bf250992c1c569932 |
11-Oct-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Adding userdebug/eng diag access for following domains"
|
c760b34307f28d8d68ee6b0e03f0d670e3d8eadd |
11-Oct-2017 |
Max Bires <jbires@google.com> |
Adding userdebug/eng diag access for following domains World access to diag_device for userdebug/eng builds was revoked due to potential for dangerous use from 3rd party code so this CL grants access back to the domains that requested it. denied { read write } for pid=832 comm="qti" name="diag" dev="tmpfs" ino=9583 scontext=u:r:qti:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file denied { read write } for pid=808 comm="thermal-engine" name="diag" dev="tmpfs" ino=9583 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file denied { read write } for pid=877 comm="cnss_diag" name="diag" dev="tmpfs" ino=9583 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file denied { read write } for pid=816 comm="imsqmidaemon" name="diag" dev="tmpfs" ino=9583 scontext=u:r:ims:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file denied { read write } for pid=753 comm="android.hardwar" name="diag" dev="tmpfs" ino=9583 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file denied { read write } for pid=772 comm="sensors.qcom" name="diag" dev="tmpfs" ino=9583 scontext=u:r:sensors:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file denied { read write } for pid=677 comm="time_daemon" name="diag" dev="tmpfs" ino=9583 scontext=u:r:time_daemon:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file denied { read write } for pid=618 comm="android.hardwar" name="diag" dev="tmpfs" ino=9583 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file denied { read write } for pid=854 comm="rild" name="diag" dev="tmpfs" ino=10642 scontext=u:r:rild:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file denied { read write } for pid=828 comm="netmgrd" name="diag" dev="tmpfs" ino=10642 scontext=u:r:netmgrd:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file denied { read write } for pid=826 comm="cnd" name="diag" dev="tmpfs" ino=10642 scontext=u:r:cnd:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file denied { read write } for pid=1559 comm="iptables-wrappe" path="/dev/diag" dev="tmpfs" ino=17555 scontext=u:r:netutils_wrapper:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file Test: domains that need diag_device access can get access to it Change-Id: I6b2473958d10145ed981c5fbcb2ebd3232fcee0e
nd.te
al_graphics_composer_default.te
al_sensors_default.te
ms.te
etmgrd.te
etutils_wrapper.te
ti.te
ild.te
ensors.te
hermal-engine.te
ime_daemon.te
cnss_service.te
|
e2c0c287fb8fe6b0f33c1a84492c41baaf29c074 |
06-Oct-2017 |
Tao Bao <tbao@google.com> |
sepolicy: Remove update_verifier.te. It has been added into core policy through https://android-review.googlesource.com/c/platform/system/sepolicy/+/503421. Bug: 63440407 Test: update_verifier successfully triggers blocks verification and marks a successful boot; Test: No sysfs_dm related denials on walleye. Change-Id: I5605af8b10d890489c25f16f82274f828e10e751
pdate_verifier.te
|
23ea15a12a5e253241d85f57568bec709e85f98f |
05-Oct-2017 |
Jeff Vander Stoep <jeffv@google.com> |
sepolicy: domain: remove world access to /dev/diag This driver is not safe for general use, particularly for third party apps, even on debug builds. Adding OWNERS file in a subsequent commit to prevent security violations like this from getting checked in. Test: build Change-Id: I245244e924ae247b6fbd48aa033bb71cca6067de
omain.te
|
4fa2c7c8b842f293f406f654c287271fc9fe41fe |
02-Oct-2017 |
Wei Wang <wvw@google.com> |
Add UFS health information into board specific dumpstate Test: Take bugreport Bug: 66967195 Change-Id: Id635b64f77d4a6fdc1ace2290f89adfdf86514a7 Merged-In: Id635b64f77d4a6fdc1ace2290f89adfdf86514a7 (cherry picked from commit 0db0037ca1a8015e26c45c0d45e9e5f1976a2881)
ile.te
enfs_contexts
al_dumpstate_impl.te
|
0db0037ca1a8015e26c45c0d45e9e5f1976a2881 |
02-Oct-2017 |
Wei Wang <wvw@google.com> |
Add UFS health information into board specific dumpstate Test: Take bugreport Bug: 66967195 Change-Id: Id635b64f77d4a6fdc1ace2290f89adfdf86514a7
ile.te
enfs_contexts
al_dumpstate_impl.te
|
c16eac87679cb20e4779129c85a4e3454c5a8709 |
25-Aug-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Fix build. Remove dup file_contexts label /dev/input(/.*)? u:object_r:input_device:s0 Is now in core policy. Remove from device specific policy. (cherry-pick of commit: 1fa31288a051c763d158fc69fcc280862d77e87b) Bug: 64954704 Test: build Change-Id: Id16dccff58843e619e5197661f7ffabc22c3e213
ile_contexts
|
e3ea723c144562102fcae7b35bb16592e65ba6ae |
26-Sep-2017 |
Ecco Park <eccopark@google.com> |
selinux: add the BT logging permission for Pixel logger [DO NOT MERGE] Denial message: 09-13 18:55:11.249 7554 7577 W libc : Unable to set property "persist.service.bdroid.snooplog" to "true": error code: 0x18 09-13 18:55:11.250 7554 7577 E AndroidRuntime: FATAL EXCEPTION: LoggingService 09-13 18:55:11.250 7554 7577 E AndroidRuntime: Process: com.android.pixellogger, PID: 7554 09-13 18:55:11.250 7554 7577 E AndroidRuntime: java.lang.RuntimeException: failed to set system property 09-13 18:55:11.250 7554 7577 E AndroidRuntime: at android.os.SystemProperties.native_set(Native Method) 09-13 18:55:11.250 7554 7577 E AndroidRuntime: at android.os.SystemProperties.set(SystemProperties.java:171) 09-13 18:55:11.250 7554 7577 E AndroidRuntime: at com.android.pixellogger.data.logger.vendor.qct.ModemLogger$1.onStart(ModemLogger.java:79) 09-13 18:55:11.250 7554 7577 E AndroidRuntime: at com.android.pixellogger.data.logger.vendor.qct.ModemLogger.lambda$startLogging$0$ModemLogger(ModemLogger.java:186) 09-13 18:55:11.250 7554 7577 E AndroidRuntime: at com.android.pixellogger.data.logger.vendor.qct.ModemLogger$$Lambda$0.accept(Unknown Source:6) 09-13 18:55:11.250 7554 7577 E AndroidRuntime: at java.util.HashMap.forEach(HashMap.java:1292) 09-13 18:55:11.250 7554 7577 E AndroidRuntime: at com.android.pixellogger.data.logger.vendor.qct.ModemLogger.startLogging(ModemLogger.java:183) 09-13 18:55:11.250 7554 7577 E AndroidRuntime: at com.android.pixellogger.service.logging.LoggingService$StartLoggingRunnable.run(LoggingService.java:458) 09-13 18:55:11.250 7554 7577 E AndroidRuntime: at android.os.Handler.handleCallback(Handler.java:790) 09-13 18:55:11.250 7554 7577 E AndroidRuntime: at android.os.Handler.dispatchMessage(Handler.java:99) 09-13 18:55:11.250 7554 7577 E AndroidRuntime: at android.os.Looper.loop(Looper.java:164) 09-13 18:55:11.250 7554 7577 E AndroidRuntime: at android.os.HandlerThread.run(HandlerThread.java:65) 09-13 18:55:11.251 1147 2530 W ActivityManager: Force 
finishing activity com.android.pixellogger/.ui.main.MainActivity 09-13 18:55:11.257 1147 1206 I ActivityManager: Showing crash dialog for package com.android.pixellogger u0 09-13 21:38:45.198 2084 2084 W wcnss_filter: type=1400 audit(0.0:1174): avc: denied { read } for name="timestamp_switch" dev="sysfs" ino=27539 scontext=u:r:wcnss_filter:s0 tcontext=u:object_r:sysfs_timestamp_switch:s0 tclass=file permissive=0 09-13 21:30:50.451 2031 2031 W wcnss_filter: type=1400 audit(0.0:1390): avc: denied { search } for name="diagchar" dev="sysfs" ino=27213 scontext=u:r:wcnss_filter:s0 tcontext=u:object_r:sysfs_diag:s0 tclass=dir permissive=0 Bug: 37298084 Change-Id: I793b6ee7d712208b3ae685e3c0de59fd2091b763 Signed-off-by: Ecco Park <eccopark@google.com>
ogger_app.te
roperty.te
roperty_contexts
cnss_filter.te
|
4a5ab5dc1fb500ac1b154a56c6f9255fa17d566b |
23-Sep-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Merge "Update ArCore/Tango pem file for userdebug" into oc-mr1-dev am: 5291355c7a am: c170c4b0fe Change-Id: I9d017d980396e2f74cc76ac60be3ed73ba987e79
|
5291355c7a188e21485bf14f06f3cd72d3d080bd |
23-Sep-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Update ArCore/Tango pem file for userdebug" into oc-mr1-dev
|
fefa4cf09f846490bb0b6c98ee9184b37d3c7ae3 |
23-Sep-2017 |
Tri Vo <trong@google.com> |
Merge "Ramdump read access to proc/cmdline"
|
78c71304f2912d9c8164eb58a5dc39f9d9054dcc |
22-Sep-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Update ArCore/Tango pem file for userdebug A new test key is assigned for tango core here: //wireless/android/build_tools/signing/apk_dev_keys/tango_core/tango_core.x509.pem BUG: 66701538 Test: Tested on walleye with tango mapper Change-Id: I6cc11309d9c5b341176256eb1fad8bd9bd25c054
erts/tango.x509.pem
|
6ce431799ec477cd57a51d41312e1fc580aca3f0 |
21-Sep-2017 |
Tri Vo <trong@google.com> |
Ramdump read access to proc/cmdline Test: device boots without selinux denials from ramdump Change-Id: Id4b0dc53295ef26b53d0f7b0e6d65e435743509f
amdump.te
|
38acc8772ba3956dc8282f155354d797dbe9656d |
20-Sep-2017 |
Todd Poynor <toddpoynor@google.com> |
sepolicy: move thermal HAL to thermal-engine am: f16a701e6b am: 201aba5d5e Change-Id: Id5d15f33560d1a551b4e873369e83510c03b7e3a
|
27560dbb58df94641b182094ffdc6c2620402851 |
20-Sep-2017 |
Todd Poynor <toddpoynor@google.com> |
resolve merge conflicts of 84f6876 to master Namely, delete the thermal service .rc file, which had been modified in master, but is now obsolete with this change. Test: It'll be fine, trust me Change-Id: I39a5b27813dddc96eef3f8a26033163c315e579c
|
f16a701e6b15ea3af962c354992bdaa1cc52ddb6 |
24-Aug-2017 |
Todd Poynor <toddpoynor@google.com> |
sepolicy: move thermal HAL to thermal-engine Move standalone Thermal HAL daemon permissions to thermal-engine Thermal HAL for Qualcomm-based devices is now served by the vendor daemon for thermal management: thermal-engine. Bug: 30982366 Test: manual on walleye: audit logs Change-Id: I95e8dde9825b99c5ad28212f4eb34b774d1759e9
al_thermal_default.te
hermal-engine.te
|
c447163a838ebfed1a34d8bd03ad37763667fbff |
24-Aug-2017 |
Todd Poynor <toddpoynor@google.com> |
sepolicy: use context thermal_device for thermal driver device file File /dev/msm_thermal_query is labeled with audio_device context, which isn't accurate and triggers a neverallow rule when thermal-engine is modified (in a future commit) to serve the Thermal HAL. Use thermal_device context like other devices. Bug: 30982366 Test: manual on walleye: logcat messages for device open OK Change-Id: I62b995f90d034ddd4f80378d197d9206e2f96748
evice.te
ile_contexts
hermal-engine.te
|
cd6f8d52a4a5591ae5223ca9fcaf30c2d5c0fb8a |
20-Sep-2017 |
Wei Wang <wvw@google.com> |
Merge "dumpstate: Add UFS debug output to dumpstate_board.txt" into oc-mr1-dev
|
c29a09d4412630dd6cdbfe6b549c3e93184b10b8 |
20-Sep-2017 |
Petri Gynther <pgynther@google.com> |
resolve merge conflicts of b8bc815 to master Change-Id: Ia152696bc3028aa711cb579af96b4fae6e194101
|
5e02a58ecb8e6c1fb95bc90ad431091dd2fc0325 |
19-Sep-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "dumpstate: Add UFS debug output to dumpstate_board.txt"
|
8fd5d9eb86c1ec73b1541dbdd3877fc0169f05d5 |
19-Sep-2017 |
Wei Wang <wvw@google.com> |
dumpstate: Add UFS debug output to dumpstate_board.txt Bug: 65848498 Test: adb bugreport Change-Id: I0df04fdabf085341ba679ffedf06dcdea407e322 (cherry picked from commit 383c58d861e790b6144086052e1778c26e4f0b4d)
al_dumpstate_impl.te
|
50ecd957e65b2dce2e9286ab7f5ad1e6f2ac700b |
15-Sep-2017 |
Petri Gynther <pgynther@google.com> |
Bluetooth sepolicy: Move BT dumps to /data/vendor/ssrdump 1. Move BT dumps to /data/vendor/ssrdump 2. Don't allow wcnss_filter to read /data/vendor/ssrdump 3. Allow wcnss_filter to set SSR properties Bug: 37298084 Bug: 65402355 Change-Id: I39afdd00df86957dcec77b905344f9d131b1a44a
cnss_filter.te
|
383c58d861e790b6144086052e1778c26e4f0b4d |
19-Sep-2017 |
Wei Wang <wvw@google.com> |
dumpstate: Add UFS debug output to dumpstate_board.txt Bug: 65848498 Test: adb bugreport Change-Id: I0df04fdabf085341ba679ffedf06dcdea407e322
al_dumpstate_impl.te
|
0c7da9766bd829a90dc153d44aa7e7e1f8b89e69 |
19-Sep-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Add 'vendor.' prefix to a vendor daemon name"
|
98a67963fba19d795339f7ab350414c999dd8c3b |
14-Sep-2017 |
Ecco Park <eccopark@google.com> |
selinux: add the BT logging permission for Pixel logger Denial message: 09-13 18:55:11.249 7554 7577 W libc : Unable to set property "persist.service.bdroid.snooplog" to "true": error code: 0x18 09-13 18:55:11.250 7554 7577 E AndroidRuntime: FATAL EXCEPTION: LoggingService 09-13 18:55:11.250 7554 7577 E AndroidRuntime: Process: com.android.pixellogger, PID: 7554 09-13 18:55:11.250 7554 7577 E AndroidRuntime: java.lang.RuntimeException: failed to set system property 09-13 18:55:11.250 7554 7577 E AndroidRuntime: at android.os.SystemProperties.native_set(Native Method) 09-13 18:55:11.250 7554 7577 E AndroidRuntime: at android.os.SystemProperties.set(SystemProperties.java:171) 09-13 18:55:11.250 7554 7577 E AndroidRuntime: at com.android.pixellogger.data.logger.vendor.qct.ModemLogger$1.onStart(ModemLogger.java:79) 09-13 18:55:11.250 7554 7577 E AndroidRuntime: at com.android.pixellogger.data.logger.vendor.qct.ModemLogger.lambda$startLogging$0$ModemLogger(ModemLogger.java:186) 09-13 18:55:11.250 7554 7577 E AndroidRuntime: at com.android.pixellogger.data.logger.vendor.qct.ModemLogger$$Lambda$0.accept(Unknown Source:6) 09-13 18:55:11.250 7554 7577 E AndroidRuntime: at java.util.HashMap.forEach(HashMap.java:1292) 09-13 18:55:11.250 7554 7577 E AndroidRuntime: at com.android.pixellogger.data.logger.vendor.qct.ModemLogger.startLogging(ModemLogger.java:183) 09-13 18:55:11.250 7554 7577 E AndroidRuntime: at com.android.pixellogger.service.logging.LoggingService$StartLoggingRunnable.run(LoggingService.java:458) 09-13 18:55:11.250 7554 7577 E AndroidRuntime: at android.os.Handler.handleCallback(Handler.java:790) 09-13 18:55:11.250 7554 7577 E AndroidRuntime: at android.os.Handler.dispatchMessage(Handler.java:99) 09-13 18:55:11.250 7554 7577 E AndroidRuntime: at android.os.Looper.loop(Looper.java:164) 09-13 18:55:11.250 7554 7577 E AndroidRuntime: at android.os.HandlerThread.run(HandlerThread.java:65) 09-13 18:55:11.251 1147 2530 W ActivityManager: Force finishing activity 
com.android.pixellogger/.ui.main.MainActivity 09-13 18:55:11.257 1147 1206 I ActivityManager: Showing crash dialog for package com.android.pixellogger u0 09-13 21:38:45.198 2084 2084 W wcnss_filter: type=1400 audit(0.0:1174): avc: denied { read } for name="timestamp_switch" dev="sysfs" ino=27539 scontext=u:r:wcnss_filter:s0 tcontext=u:object_r:sysfs_timestamp_switch:s0 tclass=file permissive=0 09-13 21:30:50.451 2031 2031 W wcnss_filter: type=1400 audit(0.0:1390): avc: denied { search } for name="diagchar" dev="sysfs" ino=27213 scontext=u:r:wcnss_filter:s0 tcontext=u:object_r:sysfs_diag:s0 tclass=dir permissive=0 Change-Id: Ia05996c1b6e0969ef6df6ea142271f76445b90e1 Signed-off-by: Ecco Park <eccopark@google.com>
ogger_app.te
roperty.te
roperty_contexts
cnss_filter.te
|
491d56144b5d3a4192533867fe889f97eb4e2fbd |
14-Sep-2017 |
Jaekyun Seok <jaekyun@google.com> |
Add 'vendor.' prefix to a vendor daemon name To prevent property name collisions between properties of system and vendor, 'vendor.' prefix must be added to a vendor HAL service name. You can see the details in http://go/treble-sysprop-compatibility. Test: succeeded building and tested on a walleye device Bug: 36796459 Change-Id: I519603b13978567b51dbb2bcb866aa088a1646e4
roperty_contexts
|
a3bb8e636f6cad35aa505c017fb721052edf873c |
08-Sep-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "camera HAL is a client of configstore" into oc-mr1-dev am: 211f213136 am: b540750757 Change-Id: I2367dc94597a7a54979de369fa3e742bc2b5d034
|
5372e457d47e7de41c34fc9b276fe8dadbf7df61 |
08-Sep-2017 |
Jeff Vander Stoep <jeffv@google.com> |
camera HAL is a client of configstore Addresses: avc: denied { find } for interface=android.hardware.configstore::ISurfaceFlingerConfigs pid=817 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0 tclass=hwservice_manager permissive=0 Bug: 65454046 Test: camera app Change-Id: I84b92e5809b89b7f755322d485b92f5e7175a06a
al_camera_default.te
|
81fbfee4435db1a2b67a82e6a7bd34c1c8efe68b |
06-Sep-2017 |
Ecco Park <eccopark@google.com> |
Merge "selinux: change the package name for pixel logger"
|
3a4b93f2ddf81c7f7a1364ceb20389a31cc695e8 |
02-Sep-2017 |
Maggie White <maggiewhite@google.com> |
Merge "Add easel debug output to dumpstate_board.txt" into oc-mr1-dev am: 6ada147166 am: 16bdff7be4 Change-Id: Ic45760fc58fcc49eea9edc870ed65242236a69ef
|
0f1c9a667dc5c8ea635f17ef5d16f4db695fe4b5 |
01-Sep-2017 |
Maggie White <maggiewhite@google.com> |
Add easel debug output to dumpstate_board.txt Bug: 64975902 Change-Id: I6354c1f19d38611cd2c2edf149d35355f6ce99a7 Test: adb bugreport Signed-off-by: Maggie White <maggiewhite@google.com>
enfs_contexts
al_dumpstate_impl.te
|
e64c0a5e56ebfe68f18408ac15a1f33e7a200a14 |
29-Aug-2017 |
Ecco Park <eccopark@google.com> |
selinux: change the package name for pixel logger Bug: 64000290 Change-Id: I2c90fe2ce1ef92b3585f8f930f20065808e62054 Signed-off-by: Ecco Park <eccopark@google.com>
eapp_contexts
|
78e962a5a49e03ff9a8328a3580ca8d63e10be90 |
31-Aug-2017 |
Chia-kai Liang <ckliang@google.com> |
Merge "Add camera HAL to be client of thermal HAL." into oc-mr1-dev am: 0c3aeadab9 am: 54d177d0dd Change-Id: Icb90da50490a75ec2fe283437ebc2e019fc3d313
|
e9627865a76de0ef3419c19714158a6be1802cac |
31-Aug-2017 |
Chia-Kai Liang <ckliang@google.com> |
Add camera HAL to be client of thermal HAL. Test: Run and build locally with ag/2824593 Bug: 65099590 Change-Id: I4a52b6fc083875c005633cd56d93b125ed720c35
al_camera_default.te
|
fe2ee6937a14c52a13d7ce08826ed17d27cd13e4 |
25-Aug-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove dup file_contexts label" into oc-mr1-dev am: 45d69d4b0a am: 5360de7d22 Change-Id: I2ee54ea57c7b2d9ee2d76b6615ae38b9a4d72e51
|
45d69d4b0aefe62d696d65ff694b8d77b61bec09 |
25-Aug-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Remove dup file_contexts label" into oc-mr1-dev
|
1fa31288a051c763d158fc69fcc280862d77e87b |
25-Aug-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Remove dup file_contexts label /dev/input(/.*)? u:object_r:input_device:s0 Is now in core policy. Remove from device specific policy. Bug: 64954704 Test: build Change-Id: Id16dccff58843e619e5197661f7ffabc22c3e213
ile_contexts
|
bdf21e39c6d178fb29d7ef098e19720253dd4348 |
17-Aug-2017 |
Ecco Park <eccopark@google.com> |
Merge "sepolicy: change the sepolicy for cnss_diag" into oc-mr1-dev am: 6627e394f7 am: bd78911e02 Change-Id: Ic4cfa741400fb6963229e6606030e33ef7b4899e
|
d024c1334a1900aba407174ade6aa2f196e4fbfc |
11-Aug-2017 |
Ecco Park <eccopark@google.com> |
sepolicy: change the sepolicy for cnss_diag cnss_diag: type=1400 audit(0.0:65): avc: denied { search } for name="diagchar" dev="sysfs" ino=27415 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:sysfs_diag:s0 tclass=dir permissive=0 audit(1502477202.513:37783): avc: denied { read } for pid=989 comm="cnss_diag" name="timestamp_switch" dev="sysfs" ino=27761 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:sysfs_timestamp_switch:s0 tclass=file permissive=0 Bug:64604240 Change-Id: I1b882b15908241c18d694947b8de11136e6afee2 Signed-off-by: Ecco Park <eccopark@google.com>
cnss_service.te
|
e05d5dc4338af029295bed8b8163409f5ae08296 |
09-Aug-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Merge "sepolicy: Rename com.google.arcore to com.google.ar.core" into oc-dr1-dev am: 2bfa33e92d am: 05cae99117 am: 532b3f9a84 Change-Id: I51e0ef6b8ba0e6403c0753fa7f28fdd85c7f95ca
|
532b3f9a849e33e224d2f8d22f4c990616e75263 |
09-Aug-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Merge "sepolicy: Rename com.google.arcore to com.google.ar.core" into oc-dr1-dev am: 2bfa33e92d am: 05cae99117 Change-Id: I554299a6dae8ec76503d390094c632d0d3167f87
|
8943e0d693cb8cf0ef6cf7b89c2166fd95916e1f |
09-Aug-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Merge "sepolicy: Rename com.google.arcore to com.google.ar.core" into oc-dr1-dev am: 2bfa33e92d Change-Id: Icfabe5a0eb1bc0a653fce0791afa240048c0d32e
|
2bfa33e92d7ad09d9338f6c6b74dd643dd6c20b4 |
09-Aug-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "sepolicy: Rename com.google.arcore to com.google.ar.core" into oc-dr1-dev
|
a7e7e139ed9cfbcb7922079a0f816cc8a605889a |
03-Aug-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
sepolicy: Rename com.google.arcore to com.google.ar.core Rename com.google.arcore to com.google.ar.core and add arcore app keys BUG=64121848 Test: Basic sanity Change-Id: I7e0d6b3072da1b20177e43071598742d24b3bb5b
erts/arcore.x509.pem
erts/arcore_release.x509.pem
erts/arcore_userdev.x509.pem
eys.conf
ac_permissions.xml
eapp_contexts
|
dd113869ca52d80baab80e161c291ca3279c6f1a |
08-Aug-2017 |
Steve Pfetsch <spfetsch@google.com> |
Merge "sepolicy: move ftm4 sepolicy" into oc-dr1-dev am: 16be8f0958 am: 8e092f89f8 am: 96479f7272 Change-Id: I5920b94c99a1dfca3fd510ba8224e9d074c304b1
|
8e092f89f89c189020ce0d0a2571ddb244e38c17 |
08-Aug-2017 |
Steve Pfetsch <spfetsch@google.com> |
Merge "sepolicy: move ftm4 sepolicy" into oc-dr1-dev am: 16be8f0958 Change-Id: I6e5cd8676e7927d071e0b85ddd517940391f5e6b
|
16be8f095853d6ce0eb1d452bc285d04f2872a9c |
08-Aug-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "sepolicy: move ftm4 sepolicy" into oc-dr1-dev
|
bbef3fd93a98957ff43a996d616f125f4c38f685 |
06-Aug-2017 |
Steve Pfetsch <spfetsch@google.com> |
sepolicy: move ftm4 sepolicy Bug: 63911898 Change-Id: I738c4fa6cb441b51294dd8add412984505c285c9
enfs_contexts
|
4cd3660cd2627b67820d2081ade904503af58796 |
04-Aug-2017 |
Pankaj Kanwar <pkanwar@google.com> |
Merge "Revert "Allow collection of Bluetooth firmware dumps in bugreports (1/3)"" into oc-dr1-dev am: a29b03b81b am: 19649add1a am: 011afa170a Change-Id: I4eb3992f55959559ba990c56ac41aa4e5bf46608
|
19649add1a495905c62383e0ecff4dbb33aa9721 |
04-Aug-2017 |
Pankaj Kanwar <pkanwar@google.com> |
Merge "Revert "Allow collection of Bluetooth firmware dumps in bugreports (1/3)"" into oc-dr1-dev am: a29b03b81b Change-Id: Ifd2fdae72c1d49850d4e0d7edadf119aa60dd3ac
|
a29b03b81b4e736dc0d429504ea29bc0afac07eb |
04-Aug-2017 |
Pankaj Kanwar <pkanwar@google.com> |
Merge "Revert "Allow collection of Bluetooth firmware dumps in bugreports (1/3)"" into oc-dr1-dev
|
a17279baf42afe44d7fccf7c556b1d4f0dac1ff9 |
03-Aug-2017 |
Maggie White <maggiewhite@google.com> |
Merge "Add sysfs thermal permissions for dumpstate" into oc-mr1-dev am: 402a71e033 am: 7d85be6fd4 Change-Id: I17add7010f6a10a49935bbc4d735373580d3de70
|
17cc9388e71c44dc760e0633651153275e439746 |
03-Aug-2017 |
Pankaj Kanwar <pkanwar@google.com> |
Revert "Allow collection of Bluetooth firmware dumps in bugreports (1/3)" This reverts commit a89c11643c311e3c9e8acf3bb2987d486ec7e2c7. Change-Id: Ibbea725145de40ca23844a00946c373ffd40453d
cnss_filter.te
|
553fe6e9946548b3767c2f0e10be7c411ce95ab2 |
02-Aug-2017 |
Maggie White <maggiewhite@google.com> |
Add sysfs thermal permissions for dumpstate Dumpstate currently cannot print temperature readings because it doesn't have permissions to read thermal sensor values via sysfs. This commit adds read permissions for sysfs_thermal. Test: adb bugreport Bug: 63602647 Change-Id: I20066adbb52b532eeb22e6992b0c0eca1c40cd5d
ile_contexts
enfs_contexts
al_dumpstate_impl.te
|
4c682f0f4b52216317b2ccfe9b23e46e11ce7d88 |
02-Aug-2017 |
Steve Pfetsch <spfetsch@google.com> |
wahoo: toggle special touch mode when VR mode is active am: fee56b7311 am: 3d5484c358 am: eb1e5e8aaa Change-Id: I5c86b269672d5aa2e8b7e68bf1b7efb5e1babacd
|
3d5484c358c10b8a780a716cb7f5d28fa6004129 |
02-Aug-2017 |
Steve Pfetsch <spfetsch@google.com> |
wahoo: toggle special touch mode when VR mode is active am: fee56b7311 Change-Id: I1d6b85772063d43c63ac472aca3583a1a0c5b070
|
fee56b731150fe4ee2dbf434e8327da48f8fa940 |
02-Aug-2017 |
Steve Pfetsch <spfetsch@google.com> |
wahoo: toggle special touch mode when VR mode is active Bug: 37515573 Change-Id: I5b741323f97f7d4713636a1688f50c9459d2764f
al_vr.te
|
7b6ff9bc564e809e9c5e8bafb12c755380b1b35a |
01-Aug-2017 |
Maggie White <maggiewhite@google.com> |
Add sysfs thermal permissions for dumpstate Dumpstate currently cannot print temperature readings because it doesn't have permissions to read thermal sensor values via sysfs. This commit adds read permissions for sysfs_thermal. Test: adb bugreport Bug: 63602647 Change-Id: I21dd6f7bcaabaff722c8847b0958c725d661f489
ile_contexts
enfs_contexts
al_dumpstate_impl.te
|
da3e1efaff008a3690c88a7d1f0aaf695b5b45d3 |
01-Aug-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Merge "sepolicy: Add com.google.arcore as alias to com.google.tango" into oc-dr1-dev am: 7386cd87a7 am: b542783136 am: 7d8c32f5b6 Change-Id: Ifceccfa4777b4cfd2bbc0d1e1f9ac87dbf56ecd3
|
7d8c32f5b642a8ef31865021c66855429594df1f |
01-Aug-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Merge "sepolicy: Add com.google.arcore as alias to com.google.tango" into oc-dr1-dev am: 7386cd87a7 am: b542783136 Change-Id: I18201a2d742a73a76345a53f56af738234934f0f
|
9f37253b87c128ebe0b17edf67b19c68debb14b5 |
01-Aug-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Merge "sepolicy: Add com.google.arcore as alias to com.google.tango" into oc-dr1-dev am: 7386cd87a7 Change-Id: Ic5bd22ed62678049044a43e32d4958077f09b552
|
7386cd87a78c56a691d3e7a458c437aca86f03a7 |
01-Aug-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "sepolicy: Add com.google.arcore as alias to com.google.tango" into oc-dr1-dev
|
dca818984bdebad12daf2a3e74f2db7c7cc605f6 |
01-Aug-2017 |
Trevor Bunker <trevorbunker@google.com> |
Merge "sepolicy: allow camera HAL more access to easelcomm" into oc-dr1-dev am: 6ec569f9c8 am: 3ede8061ac am: fae76eacc5 Change-Id: I3a136275bafb566a909d887174a15dee7bdec023
|
fae76eacc56f3895015bc71efc0d14dd5c0cfd16 |
01-Aug-2017 |
Trevor Bunker <trevorbunker@google.com> |
Merge "sepolicy: allow camera HAL more access to easelcomm" into oc-dr1-dev am: 6ec569f9c8 am: 3ede8061ac Change-Id: I75b45779af3cc36ed04bfaf95eaf5ef979fb915f
|
628af13fb51fd4c7bf3e374480dc28ccb5d86a6b |
01-Aug-2017 |
Trevor Bunker <trevorbunker@google.com> |
Merge "sepolicy: allow camera HAL more access to easelcomm" into oc-dr1-dev am: 6ec569f9c8 Change-Id: I7c609a72695dd554e8bd6c04bc42e704ad17625b
|
6ec569f9c8138e5b0c2f54705d58acc681bb3e21 |
01-Aug-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "sepolicy: allow camera HAL more access to easelcomm" into oc-dr1-dev
|
5c511ef077c32078f695f3001c4b366159292a76 |
31-Jul-2017 |
John Dias <joaodias@google.com> |
Merge "irqbalance: add msm_irqbalance to wahoo" into oc-dr1-dev am: ac85d615c5 am: 1ba48537ec am: 52605a47f9 Change-Id: Ifc09c0d5bb08be0d3036f0b8ab8636a62e2a6815
|
52605a47f908f5732d8c8eca1399b33dd509b713 |
31-Jul-2017 |
John Dias <joaodias@google.com> |
Merge "irqbalance: add msm_irqbalance to wahoo" into oc-dr1-dev am: ac85d615c5 am: 1ba48537ec Change-Id: I1875c0d10594064b703df1aa46d169e201ff49c8
|
05c78bfff990075d1a7b3255683a3baf73f96d74 |
31-Jul-2017 |
John Dias <joaodias@google.com> |
Merge "irqbalance: add msm_irqbalance to wahoo" into oc-dr1-dev am: ac85d615c5 Change-Id: Ia5d8541b579a3784dcc40608c9152469d5fef32b
|
ac85d615c5280e756c1740079d84c92384490d45 |
31-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "irqbalance: add msm_irqbalance to wahoo" into oc-dr1-dev
|
4b440c49bbad354c23508e132ad85ddd1fdf7c1f |
31-Jul-2017 |
Niranjan Pendharkar <npendhar@codeaurora.org> |
Merge "allow netmgrd to use INetd hal" into oc-dr1-dev am: ff61a6fa2c am: a241fefe3c am: d77b41ee8d Change-Id: Iba3e6cfa21e816646ccbd86ddac9f58284931824
|
d77b41ee8d830f5bb706aa65b717d1724047774e |
31-Jul-2017 |
Niranjan Pendharkar <npendhar@codeaurora.org> |
Merge "allow netmgrd to use INetd hal" into oc-dr1-dev am: ff61a6fa2c am: a241fefe3c Change-Id: I124002803022db7356e093608da745803d92efde
|
469fef653e4dfadfa482b1013b5c0031ad4f9ad9 |
31-Jul-2017 |
Niranjan Pendharkar <npendhar@codeaurora.org> |
Merge "allow netmgrd to use INetd hal" into oc-dr1-dev am: ff61a6fa2c Change-Id: I6234d766d0028a84570053f3fc25e37052f74b1f
|
ff61a6fa2cb25175256c81f22ccb747aaf5057e0 |
31-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "allow netmgrd to use INetd hal" into oc-dr1-dev
|
2b7671248921c31bf47de0ea2c505b08ce62c7c9 |
31-Jul-2017 |
Trevor Bunker <trevorbunker@google.com> |
sepolicy: allow camera HAL more access to easelcomm Fixes denial: denied { getattr } for path="/dev/easelcomm-client" dev="tmpfs" ino=17584 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:easel_device:s0 tclass=chr_file permissive=0 Bug: 64115673 Test: Camera CTS Change-Id: I2fdbd0b82b1057cb3cdd4a53af008332f250d53a
al_camera.te
|
1a78d72187c86fae0229ff49a7bec6e6bf1f1444 |
25-Jul-2017 |
John Dias <joaodias@google.com> |
irqbalance: add msm_irqbalance to wahoo Bug: 63632610 Test: boot, verify that irqs are pinned Change-Id: I9a2132523f59b8a0a91c846174ce259b1d0f1e7f
ile.te
ile_contexts
enfs_contexts
rqbalance.te
old.te
|
d4432f0f9ec2ea43a560d1fd8ee1674449f75228 |
30-Jul-2017 |
Martijn Coenen <maco@google.com> |
Merge "Remove service_contexts." into oc-dr1-dev am: da1c0f3d9d am: dd180bf480 am: 6b87e495e3 Change-Id: I03852ca29bee19f88ba316b3d538cfac816f0fff
|
dd180bf480726f66024f875e32b30fc71e9b45e2 |
30-Jul-2017 |
Martijn Coenen <maco@google.com> |
Merge "Remove service_contexts." into oc-dr1-dev am: da1c0f3d9d Change-Id: I2c0ae2ad090f81c548445fbeaac62cfe03e123f0
|
da1c0f3d9da42569ba68cd1a84440ac9210ca0c2 |
30-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Remove service_contexts." into oc-dr1-dev
|
af72448ad3d268ac30bf63eec54d40b73daa2212 |
29-Jul-2017 |
Brian Duddie <bduddie@google.com> |
Merge "Allow sensors HAL/daemon to read diag timestamp switch" into oc-dr1-dev am: f93a0d3c94 am: 7bb0fe2119 am: 079386a079 Change-Id: Ic41c5d6c8249f88ee44764819cae572354c12cc4
|
5e594ab2dea6c21d6631a5a448300cc5775bc5bf |
29-Jul-2017 |
Stuart Scott <stuartscott@google.com> |
Merge "Add SEPolicy for collecting battery counters" into oc-dr1-dev am: 77f8984cf8 am: 386ccc968e am: 8205c337a1 Change-Id: I92111bc7151e639fd630dbe522270cd2a0359177
|
079386a079ac8dd116d0062e66e4ff425463c5af |
28-Jul-2017 |
Brian Duddie <bduddie@google.com> |
Merge "Allow sensors HAL/daemon to read diag timestamp switch" into oc-dr1-dev am: f93a0d3c94 am: 7bb0fe2119 Change-Id: I54174ed059c80d2161b27eba0cb6b681f24dc09b
|
8205c337a1e1891507ff28575e95d20b20bd3dce |
28-Jul-2017 |
Stuart Scott <stuartscott@google.com> |
Merge "Add SEPolicy for collecting battery counters" into oc-dr1-dev am: 77f8984cf8 am: 386ccc968e Change-Id: Ia24433cd32c5db853664e08c25874f87966e2995
|
8e5bcd308273e00077c2fbbe363af45363dfcd60 |
28-Jul-2017 |
Brian Duddie <bduddie@google.com> |
Merge "Allow sensors HAL/daemon to read diag timestamp switch" into oc-dr1-dev am: f93a0d3c94 Change-Id: I232463123a370f464757160f1452ac770d36ac9e
|
d8835f54a50829b2bbf0f785de3a5912f797995c |
28-Jul-2017 |
Stuart Scott <stuartscott@google.com> |
Merge "Add SEPolicy for collecting battery counters" into oc-dr1-dev am: 77f8984cf8 Change-Id: I1cf18014ed3f77e8b3fc9870cd5ffb378fbda676
|
7b7530c0e6c33ae6fec28aa13c8d7909f710f800 |
27-Jul-2017 |
Niranjan Pendharkar <npendhar@codeaurora.org> |
allow netmgrd to use INetd hal Remove permissions to read /data/misc/* (netd pid file). Allow netmgrd to become client of INetd HAL. Test: no denials Bug:36682246 Change-Id: If7a120a74ced3e63eed6baea288e814a7a0e177e
etmgrd.te
|
f93a0d3c949515de62566bbd6168d0dfd2b4d0fb |
28-Jul-2017 |
Brian Duddie <bduddie@google.com> |
Merge "Allow sensors HAL/daemon to read diag timestamp switch" into oc-dr1-dev
|
5cfbf95977d29e00756ca9fff135fa91d13460a7 |
28-Jul-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
sepolicy: Add com.google.arcore as alias to com.google.tango ARSDK adds a wrapper package with prefix com.google.arcore BUG=64121848 Test: Basic sanity Change-Id: Icce80ec416516f3ac11110aa9618929289936084
eys.conf
eapp_contexts
|
77f8984cf8e8022255e6bd9b1fb30617e9a90c7e |
28-Jul-2017 |
Stuart Scott <stuartscott@google.com> |
Merge "Add SEPolicy for collecting battery counters" into oc-dr1-dev
|
3ef8701698d42edd0bb14d89c8900be2feccc757 |
28-Jul-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Merge "Add untrusted_app permissions to tango_core.te" into oc-mr1-dev am: 76690815ce am: 757ba1c8cb Change-Id: I8a7eb1ce550f272ecb1b9954d3297cbdc0be661a
|
76690815ce3508776578f929a0e89b62871b558b |
28-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Add untrusted_app permissions to tango_core.te" into oc-mr1-dev
|
27a28b2bfc5afc3f71d167945fc96cb4d19f49b2 |
28-Jul-2017 |
Brian Duddie <bduddie@google.com> |
Allow sensors HAL/daemon to read diag timestamp switch Allow the sensors daemon and HAL to read the sysfs node that controls the timestamp source to use when creating diag (QXDM/Pixel Logger) log packets. Denials: avc: denied { search } for pid=758 comm=504F5349582074696D65722030 name="diagchar" dev="sysfs" ino=27415 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_diag:s0 tclass=dir permissive=1 avc: denied { read } for pid=758 comm=504F5349582074696D65722030 name="timestamp_switch" dev="sysfs" ino=27741 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_timestamp_switch:s0 tclass=file permissive=1 avc: denied { open } for pid=758 comm=504F5349582074696D65722030 path="/sys/module/diagchar/parameters/timestamp_switch" dev="sysfs" ino=27741 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_timestamp_switch:s0 tclass=file permissive=1 avc: denied { search } for pid=774 comm="sensors.qcom" name="diagchar" dev="sysfs" ino=27415 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs_diag:s0 tclass=dir permissive=1 avc: denied { read } for pid=774 comm="sensors.qcom" name="timestamp_switch" dev="sysfs" ino=27741 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs_timestamp_switch:s0 tclass=file permissive=1 avc: denied { open } for pid=774 comm="sensors.qcom" path="/sys/module/diagchar/parameters/timestamp_switch" dev="sysfs" ino=27741 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs_timestamp_switch:s0 tclass=file permissive=1 Bug: 64124346 Test: enable Pixel Logger, monitor logcat/dmesg and confirm no SELinux denials or permission denied error messages Change-Id: I4f23be62e3d30674e57a0a8acfc33cc02fddbd9b
al_sensors_default.te
ensors.te
|
cac92e14f03eccc05ff16be5d4b9e370622608ba |
28-Jul-2017 |
Martijn Coenen <maco@google.com> |
Remove service_contexts. These are binder services that are no longer served from vendor processes, so they don't belong here. "rcs" is still served, but from a system process, so move it to private/service_contexts instead. Bug: 36866029 Test: build, boot wahoo Change-Id: I13364dcb7bc5734c1e0830360ec7d2ceb0312827
adio.te
ervice.te
ervice_contexts
|
4deb3410152c434bf21adf8eb4fa7723b3b3105f |
30-Jun-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Add untrusted_app permissions to tango_core.te tango_core domain should be allowed to do everything the untrusted_app domain can. Otherwise we're likely to hit further issues in the future. BUG=63167163 Test: Tested TangoVerifier Change-Id: I14f627230ab4de94c8f05af338ebb50561a242b8
ile_contexts
ango_core.te
|
e1c91d450a843d29cc1cfe4821a2b7d88394fe5d |
25-Jul-2017 |
Stuart Scott <stuartscott@google.com> |
Add SEPolicy for collecting battery counters Bug: 63841211 Test: pts-tradefed run pts -m PtsHardwareInfo Change-Id: I59f25fed1775eddb6f91c68b74f04b41b5777095
ile.te
enfs_contexts
ardware_info_app.te
|
8d90e98b8209fd3b3dfd5ef4b7f79453c45058f5 |
27-Jul-2017 |
Sandeep Patil <sspatil@google.com> |
Merge "file_context: make libadsprpc a same_process_hal_file .. again." into oc-dr1-dev am: a99fb8d7ce am: e72cf27eed am: fe34e97b2a Change-Id: I90f976e3d97c4d47d889f4635f7f6d1344ac931b
|
fe34e97b2a2776b18cdfd3199374937c4ab191bd |
27-Jul-2017 |
Sandeep Patil <sspatil@google.com> |
Merge "file_context: make libadsprpc a same_process_hal_file .. again." into oc-dr1-dev am: a99fb8d7ce am: e72cf27eed Change-Id: I5f54f73d293d7aa93af60225d6193bfe2dd08d9e
|
06d1a12a6dd1317623175b03517d9e081e53d9b4 |
27-Jul-2017 |
Sandeep Patil <sspatil@google.com> |
Merge "file_context: make libadsprpc a same_process_hal_file .. again." into oc-dr1-dev am: a99fb8d7ce Change-Id: I71b49450f3eb3db6ad66131bda7fabe91143845e
|
a99fb8d7ce00faf7fd551951bc94832839709e6f |
27-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "file_context: make libadsprpc a same_process_hal_file .. again." into oc-dr1-dev
|
987d43b896f33d57326557a2c43f137e5a7a95cd |
26-Jul-2017 |
Yueyao Zhu <yueyao@google.com> |
Merge changes from topic 'b38352281' into oc-dr1-dev am: f0c9faf9f1 am: f9fa833e8c am: 3f749464fe Change-Id: Id21148df16970c689702700dfa80863b14fbf880
|
f9fa833e8cfb8fe778833788d3e8cb7a63d3e803 |
26-Jul-2017 |
Yueyao Zhu <yueyao@google.com> |
Merge changes from topic 'b38352281' into oc-dr1-dev am: f0c9faf9f1 Change-Id: I5fe3d8af3369a51a5178ed6ebb4337542b892f9f
|
f0c9faf9f15d04ac0da841f1b405bc4393107c87 |
26-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge changes from topic 'b38352281' into oc-dr1-dev * changes: USB: HAL: enable auto suspend for USB headsets sepolicy: allow USB hal to access sysfs_usb_device nodes USB: HAL: run as user root, group root system
|
f2e4aea41a8c63716503c453989947a6fd313ec5 |
26-Jul-2017 |
Pat Tjin <pattjin@google.com> |
Merge "sepolicy: Add aes block device to A/B OTA" into oc-dr1-dev am: 476f136f60 am: e11e9e06c7 am: 6089b218bb Change-Id: I44d7266b8021a16a6da1ece1cd30529730b78a28
|
6089b218bb70c72d465326e3a33133e10d557491 |
26-Jul-2017 |
Pat Tjin <pattjin@google.com> |
Merge "sepolicy: Add aes block device to A/B OTA" into oc-dr1-dev am: 476f136f60 am: e11e9e06c7 Change-Id: I039074c8449035422d7c5a2965d9efcabdfa90ca
|
f5d88f92d9d9afdd926b08e2073bc95aa6e07d0a |
26-Jul-2017 |
Pat Tjin <pattjin@google.com> |
Merge "sepolicy: Add aes block device to A/B OTA" into oc-dr1-dev am: 476f136f60 Change-Id: I94a333920c6ec2855e26b245672668a6eb1d8f30
|
476f136f60ef5c567e18ab471f689c842fffc847 |
26-Jul-2017 |
Pat Tjin <pattjin@google.com> |
Merge "sepolicy: Add aes block device to A/B OTA" into oc-dr1-dev
|
7361627b1b7a1da02e7fd78c73b06205b4fbe108 |
26-Jul-2017 |
Patrick Tjin <pattjin@google.com> |
sepolicy: Add aes block device to A/B OTA Bug: 64061369 Bug: 37554629 Change-Id: I172a17761fc20ede9175c881f9b35e76e09fc339
ile_contexts
|
d097cd474314bc4fa764fe127fa5ec0ac369e5b8 |
26-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "allow radio app to read /proc/cmdline"
|
56aed06febea7d7356bb98564ffb0c3836b66ee6 |
26-Jul-2017 |
Sandeep Patil <sspatil@google.com> |
file_context: make libadsprpc a same_process_hal_file .. again. The library is made vendor public, so it needs to be accessible to all domains (not only the google camera app as it is currently done). This also led to 'JniStaticTest#test_linker_namespaces failure' CTS failure. Fix it by making libadsprpc.so a 'same_process_hal_file' again. Bug: 63677132 Test: Build Change-Id: I81d6379b7b540397319bc5e3839aecb6d8b4d2c7 Signed-off-by: Sandeep Patil <sspatil@google.com>
ile_contexts
|
f58d6097cade0ca618251cf41fdce13ba4250f9e |
26-Jul-2017 |
Ajay Dudani <adudani@google.com> |
Merge "dumpstate: Add battery cycle count to bugreport" into oc-dr1-dev am: 6149ab3aea am: d65d4b0800 Change-Id: I7ccd4018d0584e131ce2221d0abaa598e59262f5
|
41e3ae16eaa541dbc4763f72d41a370ebc1ff705 |
26-Jul-2017 |
Ajay Dudani <adudani@google.com> |
Merge "dumpstate: Add battery cycle count to bugreport" into oc-dr1-dev am: 6149ab3aea Change-Id: Ieeb2b19523ca775ef70758759786d58236ed38c0
|
6149ab3aeaec7c9dda2b90f15396d7b3fcb3b9e3 |
26-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "dumpstate: Add battery cycle count to bugreport" into oc-dr1-dev
|
38ef8d70821d18607ddf508a2da6117559597db6 |
26-Jul-2017 |
Ajay Dudani <adudani@google.com> |
dumpstate: Add battery cycle count to bugreport Bug: 63841211 Test: Verify cycle count metrics are present in bugreport Change-Id: I7c6a3af3ef687c99f88de5ee1c4d7433b618772e
al_dumpstate_impl.te
|
18b0387a49752b17e5db7e5567a4660d21dc9a24 |
26-Jul-2017 |
Jeff Vander Stoep <jeffv@google.com> |
allow radio app to read /proc/cmdline avc: granted { read open } for comm="main" path="/proc/cmdline" dev="proc" ino=4026532072 scontext=u:r:radio:s0 tcontext=u:object_r:proc:s0 tclass=filea Bug: 28760354 Test: build Change-Id: Iaa51560d84725b99375f9eb3bd47bd6fd490703d
adio.te
|
7670cc65b2d433e11ba292f236813a26e471b113 |
25-Jul-2017 |
Michael Butler <butlermichael@google.com> |
Merge "Walleye configuration for the initial Android Neural Networks upload." into oc-mr1-dev
|
6812ee4cd123b3d3d68520c38d8417537bc7c478 |
30-Jun-2017 |
Michael Butler <butlermichael@google.com> |
Walleye configuration for the initial Android Neural Networks upload. Uploads the HIDL hvx service and sepolicy. Bug: 63905942 Test: mma -j40 Change-Id: Ie5508c6ade5a16897b7b786a71bf1825423f4deb (cherry picked from commit 49e5e88a7dc584afd02d74fb97053043516f489c)
ile_contexts
al_neuralnetworks_hvx.te
|
ea79876e7930bc2bf213177ce102b02d2cdce28b |
25-Jul-2017 |
Jeff Tinker <jtinker@google.com> |
Merge "Fix selinux denial in hal_drm_widevine" into oc-dr1-dev am: 261e1f7eb3 Change-Id: I0cc7240eb90ac698ad1b1285a6d04665786d3904
|
261e1f7eb31b0fa7ae88bf61676c896c7343306f |
25-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Fix selinux denial in hal_drm_widevine" into oc-dr1-dev
|
f5a99531535a1bf372c1c40d9695af0eb1532ae1 |
29-Jun-2017 |
Yueyao Zhu <yueyao@google.com> |
sepolicy: allow USB hal to access sysfs_usb_device nodes Allow the USB hal to read directories and read/write usb device sysfs files. Bug: 38352281 Change-Id: Ia3a9a19ed7a607eb190d54cdbc3686e69f6db4f3
al_usb_default.te
|
aeb6458cefdad7e600d05b440e546362446262f7 |
24-Jul-2017 |
Jeff Tinker <jtinker@google.com> |
Fix selinux denial in hal_drm_widevine Test: manual verification of playback using ExoPlayer on GTS HDCP and secure video path playback. Also tested Play Movies and verified it is using L1. bug:63992308 Change-Id: I93ac76243ccb2872a1107f1995b8235ec5a348dd
al_drm_widevine.te
|
447cd41642ce6316d4e76ad351e9b8b5bc248302 |
25-Jul-2017 |
Steve Pfetsch <spfetsch@google.com> |
Merge "Add touch sensor readings to Dumpstate" into oc-dr1-dev am: c31d2f638f Change-Id: Ief85e3a6be632d6b42c442f15206db3dc1e40d99
|
c31d2f638fb5c1310fcd96fcbfa012df04434b6b |
25-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Add touch sensor readings to Dumpstate" into oc-dr1-dev
|
71dc781941f17863d61a3cb4d58074dec4d50cfe |
20-Jul-2017 |
Steve Pfetsch <spfetsch@google.com> |
Add touch sensor readings to Dumpstate Bug: 63854271 Change-Id: Ibaa42bd977acdd0e68e4fc76db77a0c6023dc2a9
al_dumpstate_impl.te
|
db58fb583bdef7257d4be020da58978c02024032 |
24-Jul-2017 |
Max Bires <jbires@google.com> |
Merge "Removing TODO upon bug resolution and fixing boot denial" into oc-dr1-dev am: 182cbac7e0 Change-Id: Ifde40ae7d48ae45b457fa603adeb0ee0e1315ede
|
182cbac7e03da69425c150689194ea4be8ff88ca |
24-Jul-2017 |
Max Bires <jbires@google.com> |
Merge "Removing TODO upon bug resolution and fixing boot denial" into oc-dr1-dev
|
ebbf1fa5c7d5eeca6710b43612409ab869c87483 |
24-Jul-2017 |
Max Bires <jbires@google.com> |
Merge "Fixing a perfd denial on bootup" into oc-dr1-dev am: 28a893290d Change-Id: Ic5a8747790f0136e77e3c7525e23992a7df53b9d
|
28a893290d6e66f1b10af5a06b2ea290b406c533 |
24-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Fixing a perfd denial on bootup" into oc-dr1-dev
|
360c1974e186fa5f5ac6de68ec22b87b59d174f1 |
29-Jun-2017 |
Max Bires <jbires@google.com> |
Fixing a perfd denial on bootup denied { read } for pid=834 comm="perfd" name="clkscale_enable" dev="sysfs" ino=37814 scontext=u:r:perfd:s0 tcontext=u:object_r:sysfs:s0 tclass=file Test: no perfd denials on boot Bug: 63944830 Change-Id: I08cd03725ae412ae985dcdf0b943003872a97b67
ile.te
enfs_contexts
erfd.te
|
4370d6cae1712757818a30ab929f9332b4d3a080 |
22-Jul-2017 |
Brian Duddie <bduddie@google.com> |
Merge "Allow sensors daemon to read hardware version files" into oc-dr1-dev am: cb6458173f am: 4f143f3a93 Change-Id: I59ddfb29c5e8afe331af8ea635d1939b2a00f080
|
5bd122d85e0c2ec2f7f98e4ce0de5e6b59374845 |
22-Jul-2017 |
Brian Duddie <bduddie@google.com> |
Merge "Allow sensors daemon to read hardware version files" into oc-dr1-dev am: cb6458173f Change-Id: I6961aaa64e89ba95c57525c52ef3d25b64f53a4e
|
a92bd32a1dcc939091df4cbe13a4d1c077734784 |
21-Jul-2017 |
Max Bires <jbires@google.com> |
Removing TODO upon bug resolution and fixing boot denial denied { read } for pid=708 comm="vold" name="/" dev="sda4" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:persist_file:s0 tclass=dir Bug: 35810138 Test: Above denial no longer appears on boot, vold works under enforcing Change-Id: I78add787fa732e0cf20a3e205f866554d17d0e18
old.te
|
61ca0ffdae5b38138b54f46c49e621ac10d79194 |
21-Jul-2017 |
Brian Duddie <bduddie@google.com> |
Merge "Run sensors daemon as system user instead of root" into oc-dr1-dev am: 5cf711293d am: 4da01c8741 Change-Id: I656b0363b0b23bd448eb021835acd27b3a8cda60
|
a8986eb259403a9a211c662f0fca6c0437c1d115 |
21-Jul-2017 |
Brian Duddie <bduddie@google.com> |
Merge "Run sensors daemon as system user instead of root" into oc-dr1-dev am: 5cf711293d Change-Id: Ibaa42c4a1c4a1a7158dc76100f7894b37fcd6cc0
|
b5e50bed86cead7a4eb34127994461122f26395b |
19-Jul-2017 |
Brian Duddie <bduddie@google.com> |
Allow sensors daemon to read hardware version files Permit the sensors daemon to read files in /sys/devices/soc0, which is used to identify the hardware revision it is running on, so it can properly handle registry variations. Addresses these denials (and more which would occur if only the blocked operations were permitted): type=1400 audit(2017551.030:4): avc: denied { getattr } for pid=805 comm="sensors.qcom" path="/sys/devices/soc0/hw_platform" dev="sysfs" ino=50525 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=file permissive=0 Bug: 63857630 Bug: 63901499 Test: confirm denials do not appear on boot, sanity check all sensors provide data, run sensors CTS Change-Id: I2ba59a21b22d09af03226d5993d80e1d868bf607
ensors.te
|
b04b13e9768f4a12eb659411d81dc81871a3c03e |
19-Jul-2017 |
Brian Duddie <bduddie@google.com> |
Run sensors daemon as system user instead of root Grant capabilities and change file permissions to allow the sensors.qcom daemon to start up as the system user/group, rather than running as root. Fixes: 63775281 Test: monitor logcat after reboot, confirm no file open errors. Run QSensorTest, confirm all sensors provide sane data. Confirm that IMU calibration can read + write its saved settings. Run sensors CTS. Change-Id: Ib80ea21900d6af6cd34c82c4a63f50c7e0ac18ff
ensors.te
|
06b97200f621360a71c73e33837390d1e4708bf6 |
21-Jul-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Merge "tango_core.te: Allow shell data file access to tango" into oc-dr1-dev am: 220b681c4c Change-Id: I246c8856dd592039ac8bc646538d40c9fe87515f
|
220b681c4c9428695456777dd1f51b73d49ec326 |
21-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "tango_core.te: Allow shell data file access to tango" into oc-dr1-dev
|
b05203e0d1f8bedf13aab7878b0c190e00cb6201 |
21-Jul-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "sensors: address selinux denial" into oc-dr1-dev am: 144a1962a9 Change-Id: I7998b510f934b14e940c400285f9a2161a37d776
|
144a1962a95bec1196db835afdd1a6afc7aea155 |
21-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "sensors: address selinux denial" into oc-dr1-dev
|
6935ce7f07ec08494db91e6f133e3df871290963 |
21-Jul-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
tango_core.te: Allow shell data file access to tango avc: denied { search } for name="tmp" dev="sda45" ino=6782978 scontext=u:r:tango_core:s0:c512,c768 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1 avc: denied { read } for name="includes.txt" dev="sda45" ino=6782980 scontext=u:r:tango_core:s0:c512,c768 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1 avc: denied { open } for path="/data/local/tmp/ajur/includes.txt" dev="sda45" ino=6782980 scontext=u:r:tango_core:s0:c512,c768 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1 BUG=63124901 Test: Tested tango cts Change-Id: Idb6f1f37070652922924f7f948e7c05d4609f010
ango_core.te
|
0c64a4f1abed86c1146c55cb17e80db49860e044 |
21-Jul-2017 |
Siqi Lin <siqilin@google.com> |
Merge changes Id97d7cdf,I8743a2bb into oc-dr1-dev am: fc754502a7 Change-Id: I9d7efde780cebdd7b90a6d93bbb5836dd3cd139e
|
fc754502a7057a88094f16a5bbe560bc809be8e4 |
21-Jul-2017 |
Siqi Lin <siqilin@google.com> |
Merge changes Id97d7cdf,I8743a2bb into oc-dr1-dev * changes: Allow init.power.sh to change printk console_suspend Remove no_console_suspend=1 from kernel command line
|
d209d46ba1dd86fb0c17a5210d97980c15b25b69 |
20-Jul-2017 |
Jeff Vander Stoep <jeffv@google.com> |
sensors: address selinux denial avc: denied { search } for name="soc0" dev="sysfs" ino=49978 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=dir permissive=0 Bug: 63901499 Test: build and boot. Verify denial no longer occurs Change-Id: I623b742ec68552921685d18f986ca32d71c090a8
ensors.te
|
c196ac979277e76e2ad0bc4fb8e0d76179a09db7 |
20-Jul-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "label persist partition and grant e2fsck access" into oc-dr1-dev am: de5bf7bd6f Change-Id: I69b90912e03944dce10b7e19a556ad4d7fca74c5
|
de5bf7bd6ffc6dc133cf1f95fe05af953729c272 |
20-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "label persist partition and grant e2fsck access" into oc-dr1-dev
|
2e0ef591c3405bc5bfc42ecf354c2028c1728dda |
20-Jul-2017 |
Siqi Lin <siqilin@google.com> |
Allow init.power.sh to change printk console_suspend Bug: 63856769 Test: boot with serial console enabled / disabled Change-Id: Id97d7cdf6e3093f2b6caaa2c7cd9bfa64a282a98
ile.te
enfs_contexts
nit_power.te
|
05c1a7083a9497be4ff2b6c9dd9ab12deaab1e62 |
20-Jul-2017 |
Jeff Vander Stoep <jeffv@google.com> |
label persist partition and grant e2fsck access avc: denied { read write } for p)9 cgLe=2bs`+" name<sda `V= 945(qcg text=u:r:Frck:s0tbkntdpt=u:lb Bug: 63874026 Test: build and flash, verify no new denials Change-Id: I4aba660643323f2401963addd73bf674509f8ee0
evice.te
ile_contexts
sck.te
nit.te
|
7cbea8ea82daff7f492c8aeda018839a813b1d5d |
20-Jul-2017 |
Jayachandran C <jayachandranc@google.com> |
AU293 drop rebase for IMS and radio related changes am: 9882d1d7a6 Change-Id: Iba4690a386d97b281769f48b38b1354c13fb6a1e
|
9882d1d7a6e52cff80f0f35f472725433d9e9488 |
19-Jul-2017 |
Jayachandran C <jayachandranc@google.com> |
AU293 drop rebase for IMS and radio related changes 1) Explicitly specify uid, gid and groups needed for cnd Add CAP_BLOCK_SUSPEND 2) Move sys.ims properties to vendor.ims 3) Remove imscmservice from init as it's not used on Pixel Bug: 63850865 Bug: 63804057 Change-Id: Ie8f0eefa96a21605a63ae5a73e59270866704ed7
nd.te
roperty_contexts
|
9a6d0c71dd1989190b645a4125ae993941b165ea |
20-Jul-2017 |
Wei Wang <wvw@google.com> |
Merge "THERMAL HAL API 1.0 impl for Wahoo" into oc-dr1-dev am: 4e102dfdcb am: 842e224d44 Change-Id: I4a0d4c55aecedaf1100799429b59a44c47ce49f4
|
4e102dfdcbe0b49253b20a62e32e54e7f7a9b454 |
20-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "THERMAL HAL API 1.0 impl for Wahoo" into oc-dr1-dev
|
a81f5612fe78242b93318f4297c721babea14ed9 |
15-Jul-2017 |
Wei Wang <wvw@google.com> |
THERMAL HAL API 1.0 impl for Wahoo Thermal HAL 1.0 implementation for wahoo Bug: 36458508 Test: VtsHalThermalV1_0TargetTest pass Test: Check thermalHAL log Signed-off-by: Wei Wang <wvw@google.com> Change-Id: I88831aec5c388269cb78f8cbd966ecae55f1cff2
ile_contexts
|
b05fb1bb1ecdeee1af2a34c59234eebf4c309917 |
18-Jul-2017 |
Jie Song <jies@google.com> |
Add SELinux rules for MDS app Bug: 63147021 Test: Verify app can run and access diag interface Change-Id: I6aaadd5af6508aee8229968636e4f76c8c957d5e (cherry picked from commit a48092ad06ab09a14d62ec50f8e73baaef1b6e23)
ds_app.te
eapp_contexts
|
5693bda225a52190f80f39135cf01a4f7d00c580 |
18-Jul-2017 |
Thierry Strudel <tstrudel@google.com> |
Merge "add atfwd service and related policy." into oc-dr1-dev am: ac31ae9116 am: 8e0c005989 Change-Id: Ifb836c554e63201a0590e966e19e1d53c4312f2a
|
ac31ae91162ab86217982acd4c2775d6a2aa09c4 |
18-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "add atfwd service and related policy." into oc-dr1-dev
|
a48092ad06ab09a14d62ec50f8e73baaef1b6e23 |
18-Jul-2017 |
Jie Song <jies@google.com> |
Add SELinux rules for MDS app Bug: 63147021 Test: Verify app can run and access diag interface Change-Id: I6aaadd5af6508aee8229968636e4f76c8c957d5e
ds_app.te
eapp_contexts
|
4143733bfea9760ece3e7893586e9ca4f897a7ec |
18-Jul-2017 |
Jean-Michel Trivi <jmtrivi@google.com> |
Merge "Revert "Add SELinux rules for MDS app" fix build"
|
572162ff885f6f8a3fe02054f53bed8a43d20443 |
17-Jul-2017 |
Jean-Michel Trivi <jmtrivi@google.com> |
Revert "Add SELinux rules for MDS app" fix build This reverts commit 312763bb36f27a27d75756d0118d016b41af5d77. Change-Id: I7f857cbb1d4442139be7a71d6cd58fb4e19861e2
ds_app.te
eapp_contexts
|
71beb08cae1f60236498d84e9adcc333ccafae52 |
17-Jul-2017 |
Jie Song <jies@google.com> |
Merge "Add SELinux rules for MDS app"
|
9a01b66d986aa9740b80ca6ed51067e9b8253463 |
17-Jul-2017 |
Wei Wang <wvw@google.com> |
Merge "Restore Camera to perfd communication" into oc-dr1-dev am: 096c529776 am: 9e73e499ed Change-Id: Id1a6b402b6a3fcfeb3b3544fe2ee88c36d6f05a1
|
6871dd4a7dcae842c84b3458a64dbee8e198b362 |
14-Jul-2017 |
Wei Wang <wvw@google.com> |
Restore Camera to perfd communication Bug: 63633407 Test: Build Change-Id: I395e487d1fe0463cfa6034cf7194ffdeb4ad31ca
al_camera.te
|
ede38fa2140976b986130e54f3f52c76a08f4ca8 |
14-Jul-2017 |
Sunny Kapdi <sunnyk@qca.qualcomm.com> |
Bluetooth: Allow wakelock access to wcnss_filter am: 0c2b5e803d am: 2a9d518a64 Change-Id: Ic06104ddb8b3fa1b0cc2478df8873f281b648318
|
312763bb36f27a27d75756d0118d016b41af5d77 |
30-Jun-2017 |
Jie Song <jies@google.com> |
Add SELinux rules for MDS app Bug: 63147021 Test: Verify app can run and access diag interface Change-Id: Icd5e1aee2532ccd1cb6e6ccc1d43578c808d1e9d
ds_app.te
eapp_contexts
|
0c2b5e803d9655007d664937b179e36c37178956 |
14-Jul-2017 |
Sunny Kapdi <sunnyk@qca.qualcomm.com> |
Bluetooth: Allow wakelock access to wcnss_filter Bluetooth driver needs to hold a wakelock while receiving packets from the UART to make sure that no bytes are lost. Test: Bluetooth on/off Bug: 63628397 Change-Id: I8cd6a13921cdc2777c64b0624f544a9548292522
cnss_filter.te
|
c09b928dd2ca26a22314730dc9524ee310d6860a |
24-May-2017 |
Thierry Strudel <tstrudel@google.com> |
add atfwd service and related policy. Bug: 37168913 Test: No more atfwd errors at boot Change-Id: I8b05bbc33c8d393a9dcaabf4fd554fdfab126989 Signed-off-by: Thierry Strudel <tstrudel@google.com> (cherry picked from commit a75d65362c8baef5c66e97c79d2840b00ce21bfe)
tfwd.te
ile_contexts
wservice.te
wservice_contexts
roperty.te
roperty_contexts
telephony.te
eapp_contexts
|
fd55a2b54e0cb920834d02cd1ad073f67031b850 |
13-Jul-2017 |
Ajay Panicker <apanicke@google.com> |
Merge "Allow collection of Bluetooth firmware dumps in bugreports (1/3)" into oc-dr1-dev am: 74d7e77ea5 am: e51c7c2b87 Change-Id: Ifa297f85cb45e3374929f89762176a47f9be0b2f
|
74d7e77ea5fb1c2f3448eb78c5aee1ecabb01627 |
13-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Allow collection of Bluetooth firmware dumps in bugreports (1/3)" into oc-dr1-dev
|
6c2db41df223bc513688a6a390c80b779713b9ee |
13-Jul-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Merge "tango_core.te: Allow audioserver and mediaserver find" into oc-dr1-dev am: fb037a5a96 am: 5a8ea222b2 Change-Id: I6ac66d4a0f1833a0a971ced8ac13817591a7941a
|
fb037a5a963233d17f2b4560b06dbcee8bb0a319 |
12-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "tango_core.te: Allow audioserver and mediaserver find" into oc-dr1-dev
|
ea1be3d4e4e9ccac9c4ada94083aef1222e06f89 |
12-Jul-2017 |
Wei Wang <wvw@google.com> |
Merge "remove cameraHAL to perfd interface" into oc-dr1-dev am: 7a7af08804 am: 622eef10f9 Change-Id: I29fbce422cba62490dd2bb302123b30a9b8b9e66
|
7a7af0880427a0ffdfc529486b29a43d3edb2a73 |
12-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "remove cameraHAL to perfd interface" into oc-dr1-dev
|
5e53c868afa4e582cb071549582091ea7747e876 |
11-Jul-2017 |
Wei Wang <wvw@google.com> |
remove cameraHAL to perfd interface This CL removed cameraHAL to perfd interface Also changed some powerHAL logging level Bug: 63589458 Test: Build Change-Id: I4725f45b22bf3a3787dc5d77fc9c6b22a66a21aa
al_camera.te
|
a89c11643c311e3c9e8acf3bb2987d486ec7e2c7 |
12-Jul-2017 |
Ajay Panicker <apanicke@google.com> |
Allow collection of Bluetooth firmware dumps in bugreports (1/3) This patch is temporary and should be removed once the bug is resolved Bug: 63390057 Test: Force a hci_timeout and collect a bugreport Change-Id: I29d3f19462c152e785eec0291f06ed4c004b623f
cnss_filter.te
|
cd95edc556fb05bf2f981c2a5272650a65d6fc47 |
12-Jul-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "ueventd: remove redundant rules" into oc-dr1-dev am: 6544bd52b8 am: c0ac85d203 Change-Id: If5584814d0e273a93a3ae15b9786bb30ab7aaa13
|
6544bd52b86c7ff71f2389bb5b00b67dd88c3881 |
12-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "ueventd: remove redundant rules" into oc-dr1-dev
|
3bcf11716c89d174d16305c15504299628143e1d |
11-Jul-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
tango_core.te: Allow audioserver and mediaserver find Denial log: avc: denied { find } for service=media.audio_flinger pid=12405 uid=10142 scontext=u:r:tango_core:s0:c512,c768 tcontext=u:object_r:audioserver_service:s0 tclass=service_manager permissive=0 avc: denied { find } for service=media.player pid=4881 uid=10131 scontext=u:r:tango_core:s0:c512,c768 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager permissive=1 BUG=63115272 Test: Basic sanity Change-Id: I88fb12e89d75eab6b69c5f2ec453e18c05fd6f6c
ango_core.te
|
bceae15bb476784516648e632851c0ebee1bb4a3 |
11-Jul-2017 |
Michael Wright <michaelwr@google.com> |
Allow system_server to load input device configurations am: 2f3b0f2af3 am: c4674ecac3 Change-Id: I819ef5ca50786dbeaf54652e9faa9ed7fb85a49f
|
33e9c267ca0dabaf14ab8f4918cbce3fa463dba5 |
11-Jul-2017 |
Jeff Vander Stoep <jeffv@google.com> |
ueventd: remove redundant rules Ueventd is now granted write access to all files in /sys in core policy. avc: denied { write } for pid=790 comm="ueventd" name="uevent" dev="sysfs" ino=52014 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_usb_device:s0 tclass=file Bug: 63147833 Test: build Change-Id: I61f742a6151fe37ec99654bda6074f055a84a163
eventd.te
|
2f3b0f2af38eb4d71cd5164188f34d952c5bffd7 |
10-Jul-2017 |
Michael Wright <michaelwr@google.com> |
Allow system_server to load input device configurations Test: flash and use PointerLocation to observe size Bug: 62871286 Change-Id: I5588b7b1a4d948446b0e1e9e8d5b32c9aabc1e42
ile.te
ile_contexts
ystem_server.te
|
4003048411a46d991552218a5166d34695f0830c |
11-Jul-2017 |
Wei Wang <wvw@google.com> |
Merge "Enable Encoder hint for camera powersaving" into oc-dr1-dev am: b02fb17265 am: e25b3d87e6 Change-Id: Ieed3669295aad97411953ed15e6fce4b3b73605c
|
3b189d337fd50ebe0f9c3db645ecb95dc6a8d091 |
06-Jun-2017 |
Wei Wang <wvw@google.com> |
Enable Encoder hint for camera powersaving - Hook up Encoder hint with CameraHal - Remove dead code for EAS kernel for decoder hint and camera preview This CL will enable powerhint for CameraHal to cap Big CPU Cluster max freq to 1.958 Ghz. Bug: 38000354 Bug: 62354242 Bug: 63039461 Test: Build and test camera preview on Change-Id: I13e93915499f6cc83335b72ab2076d90bc9edfcc
al_camera_default.te
|
76fc679ae5f5ad676b1322ffa047108b5e657906 |
07-Jul-2017 |
Tao Bao <tbao@google.com> |
Merge "Grant update_verifier sysfs access." into oc-dr1-dev am: 81cec4011b am: 3b74e2075a Change-Id: Icb2d9369c1b152087a2adf1da8a18af72a9619cf
|
81cec4011b01231becd1b92098f0fff131b6bc3a |
07-Jul-2017 |
Tao Bao <tbao@google.com> |
Merge "Grant update_verifier sysfs access." into oc-dr1-dev
|
8014ac1c9ab762ed3e985998b7fca58b88edd6df |
07-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge changes from topic 'elabel' into oc-dr1-dev * changes: Add copy from /persist/elabel to /data/misc/elabel Add permissions for elabel data access
|
4402ccfb27661a973cbd34505ea8f0df20d42b69 |
05-Jul-2017 |
Patrick Tjin <pattjin@google.com> |
Add copy from /persist/elabel to /data/misc/elabel Bug: 62837579 Test: place test files in /persist/elabel, check that they are copied to /data/misc/elabel on boot Change-Id: Id29e7c7c01ed54bf4d2f488cfa6dba51046bc5bf Merged-In: Id29e7c7c01ed54bf4d2f488cfa6dba51046bc5bf
ile.te
ile_contexts
nit_elabel.te
|
0e1346c32c3841d2703eec83ed02b9db7e1ddbdc |
27-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Add permissions for elabel data access Allow init to copy elabel data from /persist/elabel to /data/misc/elabel. Allow settings app to access elabel data from /data/misc/elabel. Bug: 62837579 Change-Id: Ie2241abe8c2384a537b001a90830a3f42c566748 Merged-In: Ie2241abe8c2384a537b001a90830a3f42c566748
ile.te
ile_contexts
ystem_app.te
|
d1ed4a4fb84a64f19b0e3f49cd9014be8ac34968 |
05-Jul-2017 |
Patrick Tjin <pattjin@google.com> |
Add copy from /persist/elabel to /data/misc/elabel Bug: 62837579 Test: place test files in /persist/elabel, check that they are copied to /data/misc/elabel on boot Change-Id: Id29e7c7c01ed54bf4d2f488cfa6dba51046bc5bf
ile.te
ile_contexts
nit_elabel.te
|
cbb788099a458fdea0e1aea3edabd1e9286d02ed |
27-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Add permissions for elabel data access Allow init to copy elabel data from /persist/elabel to /data/misc/elabel. Allow settings app to access elabel data from /data/misc/elabel. Bug: 62837579 Change-Id: Ie2241abe8c2384a537b001a90830a3f42c566748
ile.te
ile_contexts
ystem_app.te
|
e7bc54085ddd52c57aaf1d3aefc1a899c693dfdb |
07-Jul-2017 |
Siddharth Ray <siddharthr@google.com> |
Merge "Wahoo sepolicy changes" into oc-dr1-dev am: 271fd0c603 am: 07b52a0836 Change-Id: I6ef9e15eded25bd5f4201219d5a5675787e6f6d5
|
271fd0c60347903d6ee0081d99d0b58b2389ea24 |
07-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Wahoo sepolicy changes" into oc-dr1-dev
|
078daa1c8b60f7bc7b9c299421e8604e3132fae8 |
26-Jun-2017 |
Siddharth Ray <siddharthr@google.com> |
Wahoo sepolicy changes Wahoo's sepolicy is changed merged to add Marlin permissions based on compliance test needs. Marlin's sepolicy can be found at device/google/marlin/sepolicy/hal_gnss_default.te Bug: 37409476 Test: Boots with no avc denials or crashes. GNSS incl. post XTRA delete runs well with no denials. Change-Id: Id51197120d142850fe0d7c97f747818e23c178f8
al_gnss_qti.te
ocation.te
|
13c6400e11fd253f6615f1ceb7e3f8090bfcf1c4 |
30-Jun-2017 |
Tao Bao <tbao@google.com> |
Grant update_verifier sysfs access. avc: denied { read } for pid=694 comm="update_verifier" name="block" dev="sysfs" ino=27770 scontext=u:r:update_verifier:s0 tcontext=u:object_r:sysfs:s0 tclass=dir avc: denied { read } for pid=719 comm="update_verifier" name="name" dev="sysfs" ino=51336 scontext=u:r:update_verifier:s0 tcontext=u:object_r:sysfs:s0 tclass=file update_verifier reads /sys/block/dm-X/dm/name to find the device-mapper entries for system and vendor partitions. Also remove the unneeded "block_device:dir r_dir_perms" permission. Bug: 63146601 Test: As follows. a) Set up /data/ota_package/care_map.txt. b) Reset the slot boot-successful flag with fastboot set_active. c) Boot the device and check update_verifier successfully verifies the blocks. Change-Id: I581136249e93ec2d4bd9ceda316590ee31148643
pdate_verifier.te
|
b5fc48231acf4f43c1ef1b866c433301fe4c41ca |
06-Jul-2017 |
Jayachandran C <jayachandranc@google.com> |
Merge changes I45a49628,Icf764bf3 into oc-dr1-dev am: f5ed4d3d87 am: 68067a79df Change-Id: I31ab45c1d1c6c7adfd70fdc400f359fcba540f72
|
06f2fdfb7e2d21a41dc1d59d6adb91f0d55fbddd |
06-Jul-2017 |
Jayachandran C <jayachandranc@google.com> |
Fix netmgrd crash recovery denials This change fixes the following denials auditd : type=1400 audit(0.0:30032): avc: denied { unlink } for comm="netmgrd" name="netmgr_connect_socket" dev="tmpfs" ino=31621 scontext=u:r:netmgrd:s0 tcontext=u:object_r:netmgrd_socket:s0 tclass=sock_file permissive=0 auditd : type=1400 audit(0.0:35887): avc: denied { search } for comm="netmgrd" name="diagchar" dev="sysfs" ino=26926 scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs_diag:s0 tclass=dir permissive=0 Test: Force crashed netmgrd and validated data working Bug: 63360347 Change-Id: I45a49628b486cb264e07037cfa8397e381f72a00
etmgrd.te
|
28511cb3df9d63809be5fdf9095cce57050016dd |
22-Jun-2017 |
Sunmeet Gill <sgill@codeaurora.org> |
sepolicy: Separate system partition sepolicy and hal macros from vendor partition Test: VoLTE, VT & VoWiFi on Vzw and T-Mobile SIM cards Bug: 62574674 Change-Id: Icf764bf353bbdfb7831f5ea8528414a271525c63
ataservice_app.te
wservice.te
adio.te
ervice.te
ervice_contexts
|
b8527780e1a784878ee4cc58e01cce0a0f2e1ebd |
01-Jul-2017 |
Sunny Kapdi <sunnyk@qca.qualcomm.com> |
Enable bt wcnss_filter to collect crash dumps am: f128f5c538 am: 338bf393d4 Change-Id: I8342f796f21ec2f7d193280effa957c9d95fb4d6
|
f128f5c538e37212e0bc762b12f9ae02470bb346 |
29-Jun-2017 |
Sunny Kapdi <sunnyk@qca.qualcomm.com> |
Enable bt wcnss_filter to collect crash dumps Bug: 37298084 Change-Id: Id67e4faf27ea6d59fdbcc2affcd1f2e6eb2ba3dd
cnss_filter.te
|
bcf6cc2aa4b08b742bd62fe903f0125d831f48ec |
01-Jul-2017 |
Roopesh Rajashekharaiah Nataraja <roopeshr@codeaurora.org> |
Add policies to remove System UID from time service am: 739f448717 am: 3e582a9a33 Change-Id: Idf150de4e4736cb06acb2226f3fd3ee8a90ef148
|
4673c0b45c8d33185f0973f7973bf1281348a10d |
01-Jul-2017 |
Wei Wang <wvw@google.com> |
Merge commit 'cc4f752ee88a9c0839d50b6db8f8f5387dd3e2d7' into manual_merge_cc4f752 Bug: 62184939 Test: build Change-Id: Ied320cd2d2ab59c152869a03b11223cef5b87d16
|
739f4487173e10cab0263d8dfbad44c34373d5bd |
30-Jun-2017 |
Roopesh Rajashekharaiah Nataraja <roopeshr@codeaurora.org> |
Add policies to remove System UID from time service Bug: 62785008 Change-Id: I85cdaa618da7beddce88d4b67bd1b9d08c0a9c00
eapp_contexts
imeservice_app.te
|
454fc3e786ce50669fd6d5a0a374298a95344472 |
30-Jun-2017 |
Wei Wang <wvw@google.com> |
wahoo: time_daemon: use /persist to store offset to RTC Also cleanup sepolicy files that were using /data/vendor as they are not needed and /data is not ready by the time we start time_daemon Bug: 62184939 Test: walleye boot with correct time in airplane mode Change-Id: Ic7b025a8c795092a1dd4b1ab1d7497d1440c0a4b
ile.te
ile_contexts
ime_daemon.te
|
84ed0c73b0626b51c190e7b6be3670441e88d031 |
01-Jul-2017 |
Arnd Geis <arndg@google.com> |
Merge "Add permission to search the kernel's keychain"
|
ef189c8a9f5657d0b4c24be82c4ce845ff716fea |
30-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Allow qseecomd to write to persist_data am: aaaafebf1c am: 923b456e6b Change-Id: Ie02047e3d31515ce409cea353e985db797f92e04
|
aaaafebf1c6b1d86ca31dfea04d9e1de8620363e |
30-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Allow qseecomd to write to persist_data Needed for drm. avc: denied { read } for comm="qseecomd" name="/" dev="sdd3" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:persist_file:s0 tclass=dir avc: denied { open } for comm="qseecomd" path="/persist" dev="sdd3" scontext=u:r:tee:s0 tcontext=u:object_r:persist_file:s0 tclass=dir avc: denied { write } for comm="qseecomd" name="widevine" dev="sdd3" ino=97 scontext=u:r:tee:s0 tcontext=u:object_r:persist_data_file:s0 tclass=dir avc: denied { add_name } for comm="qseecomd" scontext=u:r:tee:s0 tcontext=u:object_r:persist_data_file:s0 tclass=dir permissive=1 avc: denied { create } for comm="qseecomd scontext=u:r:tee:s0 tcontext=u:object_r:persist_data_file:s0 tclass=file permissive=1 avc: denied { write } for comm="qseecomd" scontext=u:r:tee:s0 tcontext=u:object_r:persist_data_file:s0 tclass=file permissive=1:persist_file:s0 tclass=dir permissive=1 avc: denied { open } scontext=u:r:tee:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=1 avc: denied { write } for comm="qseecomd" name="widevine" scontext=u:r:tee:s0 tcontext=u:object_r:persist_data_file:s0 tclass=dir permissive=1 avc: denied { add_name } for comm="qseecomd" scontext=u:r:tee:s0 tcontext=u:object_r:persist_data_file:s0 tclass=dir permissive=1 avc: denied { create } for comm="qseecomd" scontext=u:r:tee:s0 tcontext=u:object_r:persist_data_file:s0 tclass=file permissive=1 avc: denied { write } scontext=u:r:tee:s0 tcontext=u:object_r:persist_data_file:s0 tclass=file permissive=1 Bug: 63051358 Test: build Change-Id: I28bd0cd816720a85fc840890a74929939366de6d
ee.te
|
8f446c77e042134eb4e4ebe20ffceeb302157ae6 |
30-Jun-2017 |
Brian Duddie <bduddie@google.com> |
Allow sensors daemon to create vendor data files am: ee8cd6b127 am: cda862e28c Change-Id: I8797dba967d01e8e1a0bcb2729c82d4a8cdf8cb3
|
64b292e70be793dce504be820b7904189e4d2204 |
29-Jun-2017 |
Arnd Geis <arndg@google.com> |
Add permission to search the kernel's keychain The public key used for Easel firmware signing is stored in the system trusted keychain. This grants access to search for the key. Bug: b/62846087 Change-Id: Ie44f70ed923fc563f0f73f5dd4c701b532610d22 Signed-off-by: Arnd Geis <arndg@google.com>
aselservice_app.te
|
ee8cd6b127fc1563d27a656cfa5647674b7790e4 |
24-Jun-2017 |
Brian Duddie <bduddie@google.com> |
Allow sensors daemon to create vendor data files Add an entry to init.hardware.rc to create /data/vendor/sensors at startup, and sepolicy entries that allow the sensors daemon to create files in that directory. These will be used to persist runtime calibration across reboot, but not across factory reset. denied { getattr } for pid=14080 comm="sensors.qcom" path="/data/vendor/sensors/cal.txt" dev="sda45" ino=2179116 scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1 denied { write } for pid=14113 comm="sensors.qcom" name="vendor" dev="sda45" ino=2179073 scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1 denied { add_name } for pid=14113 comm="sensors.qcom" name="sensors" scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1 denied { create } for pid=14113 comm="sensors.qcom" name="sensors" scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1 denied { create } for pid=14113 comm="sensors.qcom" name="cal.bin" scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1 denied { write open } for pid=14113 comm="sensors.qcom" path="/data/vendor/sensors/cal.bin" dev="sda45" ino=2179115 scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1 denied { read } for pid=14113 comm="sensors.qcom" path="/data/vendor/sensors/cal.txt" dev="sda45" ino=2179116 scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1 denied { getattr } for pid=14113 comm="sensors.qcom" path="/data/vendor/sensors/cal.txt" dev="sda45" ino=2179116 scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1 Bug: 38425697 Test: confirm folder is created on boot, and calibration files are created, updated, and read successfully by sensors daemon Change-Id: Ie23cafe4f43b3335e07cf0d13dde0c5d06b69f80
ile.te
ile_contexts
ensors.te
|
c934f5afca204d1c37a2a8e646e858940d94b621 |
30-Jun-2017 |
Ecco Park <eccopark@google.com> |
Merge "Remove vendor_executes_system_violator attribute" into oc-dr1-dev am: 53c92f3bb8 am: 754a4de7f1 Change-Id: Ib132771a2a89f2a3dc1611db9cf6138a4790fa34
|
53c92f3bb8f5ba439c187c74ea241a5004d1dae7 |
30-Jun-2017 |
Ecco Park <eccopark@google.com> |
Merge "Remove vendor_executes_system_violator attribute" into oc-dr1-dev
|
c272f35b8bc34842d15fa21f4ef749acee7d7cd0 |
29-Jun-2017 |
Subhani Shaik <subhanis@codeaurora.org> |
Remove vendor_executes_system_violator attribute Bug: 62385687 Test: No svc denial error, wifi is working fine. Change-Id: I47cad9cab9b2e60ccf4b692daae7042b44804b05
cnss_service.te
|
109a495a39abc7028a2f3c6860488906c6bfe584 |
29-Jun-2017 |
Chong Zhang <chz@google.com> |
Merge "cas: add CAS HAL and allow it to use vndbinder"
|
04832f20d7cc78ce16e65f7a8a5a91c509413e3b |
28-Jun-2017 |
Chong Zhang <chz@google.com> |
cas: add CAS HAL and allow it to use vndbinder bug: 22804304 bug: 63129142 Change-Id: Iea70c6626d99c4404632fcf9685ec9993f776ca4
al_cas_default.te
|
ba83bc9f7be8398eca89ff13e43490a4cb038e5f |
29-Jun-2017 |
Ed Tam <etam@google.com> |
Merge "Revert "Wahoo sepolicy changes"" into oc-dr1-dev am: 1fe3fbbda7 am: ffa39747e8 Change-Id: I5d4477b200708a524aae30000fcbaed123ff5436
|
1fe3fbbda7e745e6bc8e9ef6143187a8b654b066 |
29-Jun-2017 |
Ed Tam <etam@google.com> |
Merge "Revert "Wahoo sepolicy changes"" into oc-dr1-dev
|
7d05a3ba897de04ebfb120de03dba083ed67d99c |
29-Jun-2017 |
Ed Tam <etam@google.com> |
Revert "Wahoo sepolicy changes" This reverts commit eb6f000bffa01aa340f2821c27563d4a02f98188. Reason for revert: Causing runtime restarts Bug: 63123125 Change-Id: I3f4752c7ff29f52957f28b0f0c84de2c11a06f40
al_gnss_qti.te
ocation.te
e_macros
|
a00866e92889cfaff45da4ce44553fab7b2f3dfb |
29-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "declare ipacm as the tetheroffload HAL" into oc-dr1-dev am: 730070f3d2 am: 247f148001 Change-Id: I3d3ecfdb06596de4c0dfe46c4cf87e230f868aef
|
730070f3d2c06ed4c297026705431ab7ca964d52 |
29-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "declare ipacm as the tetheroffload HAL" into oc-dr1-dev
|
5c5eb9de3ab91db937d0669fa3e8517337f62fbe |
21-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
declare ipacm as the tetheroffload HAL Also add tetheroffload HALs to the manifest. Bug: 29337859 Bug: 32163131 Test: adb shell getenforce Enforcing adb shell dumpsys connectivity tethering Tethering: ... Log: ... 06-28 11:46:58.841 - SET master tether settings: ON 06-28 11:46:58.857 - [OffloadController] tethering offload started And logs show some signs of happiness: 06-28 11:46:58.853 816 947 I IPAHALService: IPACM was provided two FDs (18, 19) 06-28 11:46:58.853 1200 1571 I zygote64: Looking for service android.hardware.tetheroffload.control@1.0::IOffloadControl/default Change-Id: I40e23c1863901330dfe59e2ea196314c5c7bb52a (cherry picked from commit c6ecb207d7032bf43e9b39941ff7e47dd127e361)
ile.te
ile_contexts
al_tetheroffload_default.te
wservice.te
wservice_contexts
pacm.te
|
53cf0a5ca75c81798a9c7e49c13d5be709593a95 |
29-Jun-2017 |
Siddharth Ray <siddharthr@google.com> |
Wahoo sepolicy changes am: eb6f000bff am: 5a13cd31ee Change-Id: I5643b3d7e202b1c1b367e0b9415d6a090d78252c
|
eb6f000bffa01aa340f2821c27563d4a02f98188 |
26-Jun-2017 |
Siddharth Ray <siddharthr@google.com> |
Wahoo sepolicy changes Wahoo's sepolicy is changed to mirror Marlin's. Marlin's sepolicy can be found at device/google/marlin/sepolicy/hal_gnss_default.te BUG: 37409476 Change-Id: Id6f49defd70923c56da2dfd68f55cf3dfc2e62fc
al_gnss_qti.te
ocation.te
e_macros
|
638cc1653548d73a0f161c51c36e5164d486a4c0 |
28-Jun-2017 |
Thierry Strudel <tstrudel@google.com> |
Merge "Allow init_ese to run grep" into oc-dr1-dev
|
647c0c5ecf214eab54f43dd6eeea9ad755ff4ef6 |
28-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Clean up denials" into oc-dr1-dev am: eb3cbfb47b am: ab287969ab Change-Id: I350d45ae3c8ccc36b4335aa6136997a893bb8073
|
eb3cbfb47bdd2ee0a408d165240ad96fb09bd943 |
28-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Clean up denials" into oc-dr1-dev
|
98bc1a88acf5083e4ed56dd5c8583397adb3fe71 |
26-Jun-2017 |
Paul Crowley <paulcrowley@google.com> |
Allow init_ese to run grep Bug: 62586642 Test: selinux denial on grep no longer seen. Change-Id: I61847f5a5f460fc8efef5a772eae3a0559634b40 (cherry picked from commit 1478bd41b46bd700954a08cab816918bff6c40c3)
nit_ese.te
|
561262edd03037fbc77060ba49335c3a8661c2b1 |
27-Jun-2017 |
Eino-Ville Talvala <etalvala@google.com> |
Merge "Allow network access to google_camera_app domain" into oc-dr1-dev am: 2d5372cfb9 am: 89767f71f0 Change-Id: I9f8694b14cc630f9bb22e93e08405c18dc288ced
|
a63fd3aadb6464a314cabd18eb4ee78ea6161c50 |
27-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Clean up denials avc: denied { search } for name="/" scontext=u:r:kernel:s0 tcontext=u:object_r:persist_file:s0 tclass=dir avc: denied { search } for name="ipc_logging" dev="debugfs" scontext=u:r:kernel:s0 tcontext=u:object_r:debugfs_ipc:s0 tclass=dir avc: denied { sys_module } scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=capability Bug: 35197529 Test: build, verify denials no longer occur. Change-Id: Ibe18ca05f2d80343624d08116b83b5287239c01a
ernel.te
etd.te
|
2d5372cfb993c9c9b1805cff6e975d095059898f |
27-Jun-2017 |
Eino-Ville Talvala <etalvala@google.com> |
Merge "Allow network access to google_camera_app domain" into oc-dr1-dev
|
5b8694076555e9834caf84722eab73ff19fb4d6c |
27-Jun-2017 |
Jie Song <jies@google.com> |
Merge "Add folder and SELinux rules for subsystem ramdump" into oc-dr1-dev am: 486dc6acd7 am: 5345d61beb Change-Id: Ibdfe89e0c5a512b96af900cdbec56719ad0c3af7
|
486dc6acd784d9a387f6399e13da639ce2894381 |
27-Jun-2017 |
Jie Song <jies@google.com> |
Merge "Add folder and SELinux rules for subsystem ramdump" into oc-dr1-dev
|
153afe88d3a5f484d3016736239b1ffcb5be800f |
27-Jun-2017 |
Eino-Ville Talvala <etalvala@google.com> |
Allow network access to google_camera_app domain Test: New features in app that use the network function as expected Bug: 63058578 Bug: 62848290 Change-Id: I129a57e2837f180e722bef4a3a05756acb150c0f
oogle_camera_app.te
|
cbaa3b68841db433fa06c80d7f5c8e0915fb8589 |
27-Jun-2017 |
Jie Song <jies@google.com> |
Add folder and SELinux rules for subsystem ramdump 1. Move subsystem ramdump to ssrdump 2. Fix denials on sysfs Bug: 62257616 Test: Modem ramdump in new folder Change-Id: I5c77ec42a0967140d04b616ede9b02e6272f3442
ile_contexts
sr_detector.te
|
e51b1aaf6acd1bcfe17629b69e2ca6f39e504146 |
27-Jun-2017 |
Paul Crowley <paulcrowley@google.com> |
Merge "Allow init_ese to run grep"
|
1478bd41b46bd700954a08cab816918bff6c40c3 |
26-Jun-2017 |
Paul Crowley <paulcrowley@google.com> |
Allow init_ese to run grep Bug: 62586642 Test: selinux denial on grep no longer seen. Change-Id: I61847f5a5f460fc8efef5a772eae3a0559634b40
nit_ese.te
|
adb9d3909686836d3859b5828ac1839bf186150d |
26-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "bootanim: suppress selinux denial" into oc-dr1-dev am: dfc34ea32b am: 8516d69995 Change-Id: I269e925a854f894d6b1241b43f7b48dafb55daa5
|
dfc34ea32b2dbf523c61386ee748bc2ad6c9abd3 |
26-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "bootanim: suppress selinux denial" into oc-dr1-dev
|
3ecc3b29133903546eda5d22adc560adad24e1db |
26-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
bootanim: suppress selinux denial Reading time from /data/system/time is not used on Wahoo. denied { read } for pid=619 comm="BootAnimation::" name="system" scontext=u:r:bootanim:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir Bug: 62954877 Test: build policy Change-Id: I0d5bc69797f7a11ca4e612c00228e87dd48942c7
ootanim.te
|
4dac4ed66f8466b4fc3b95504f0e66ef1d2fdb55 |
26-Jun-2017 |
Thierry Strudel <tstrudel@google.com> |
Merge "Move file labeling to genfs_contexts." into oc-dr1-dev
|
36d6d16d191e3b8d2acd23b9866d9df64b4dc6b1 |
24-Jun-2017 |
Max Bires <jbires@google.com> |
Merge "Removing keystore policy due to bug resolution" into oc-dr1-dev am: 86c23203fc am: 87266096d6 Change-Id: Ic0eab54c29f88c9650a43297f2c75bb42568e609
|
86c23203fca3b2f23268f62ce42e4aa88407a2af |
24-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Removing keystore policy due to bug resolution" into oc-dr1-dev
|
e643104592b34242723bc1de1ed6df1adcc80bb4 |
24-Jun-2017 |
Erik Staats <estaats@google.com> |
Merge "Add sys.slpi.firmware.version property." into oc-dr1-dev am: 3d5523ed0f am: ee061af02a Change-Id: I863762912e8a5507f59196737d6f11fa5f52d765
|
3d5523ed0f3ef022ee384fdf367bb39ec314342e |
24-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Add sys.slpi.firmware.version property." into oc-dr1-dev
|
003321109fb9b04b9c5e608f8c0975a4e62336ed |
23-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Allow init to relabel ab_block lnk_files" into oc-dr1-dev am: b2be8cb917 am: 469d934489 Change-Id: I521d13492bdb636633159babb5ad749ef7fcc599
|
b2be8cb917d32dc7cd7b00ba48e1bf88230f332d |
23-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Allow init to relabel ab_block lnk_files" into oc-dr1-dev
|
44f090269150d0aba886f298912f390890c9f8db |
21-Jun-2017 |
Erik Staats <estaats@google.com> |
Add sys.slpi.firmware.version property. Bug: 38240024 Test: Verified value of sys.spli.firmware.version property. See details in testing done comment in https://googleplex-android-review.git.corp.google.com/2442584 . Change-Id: Ief04cbfac4efd71c8ff22057fc286645fbadf44d
nit-devstart-sh.te
|
63013293d8b02d3fcc709928752312436f290ea2 |
23-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Allow init to relabel ab_block lnk_files avc: denied { relabelto } for name="dtbo_a" dev="tmpfs" scontext=u:r:init:s0 tcontext=u:object_r:ab_block_device:s0 tclass=lnk_file permissive=0 avc: denied { relabelto } for name="boot_a" dev="tmpfs" scontext=u:r:init:s0 tcontext=u:object_r:boot_block_device:s0 tclass=lnk_file permissive=0 Bug: 35197529 Test: build and flash. Verify link files have correct label. Change-Id: I2e718e8e06af70d73b0c5076ffc99d5fa7013fd9
nit.te
|
026415e14d5447d7e2ac5b9d55cca41168d0b637 |
23-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Suppress netutils_wrapper module denials" into oc-dr1-dev am: 32f9c6131d am: f59e5934e1 Change-Id: Ie942aae79e8b30517bb800cd1e7e221b08059806
|
ac2a8e0fd7a406caf1ff3a0d8a87a40e94873b47 |
23-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Narrow down tftp_server's access to /persist" into oc-dr1-dev am: 30038f8184 am: 618cd63a44 Change-Id: I92e1a98dbda85eab892cce092e02e1be4af4c39b
|
32f9c6131d0fc40b2f51602543b0721ab270c6e6 |
23-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Suppress netutils_wrapper module denials" into oc-dr1-dev
|
30038f8184822ef6a777c1c4553fadb1d5b92367 |
23-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Narrow down tftp_server's access to /persist" into oc-dr1-dev
|
247695bd704943b3a816cca40d319da47a472bc1 |
23-Jun-2017 |
Stuart Scott <stuartscott@google.com> |
Add missing SE Policies for Hardware Info Testing am: 7c5a76860a am: a2593b5bb4 Change-Id: I6a1cb3ef92013d054c6a45ff47df62a31b9d821e
|
24e2048bacce9887ea5d52e9be0096a890e23657 |
21-Jun-2017 |
Joel Galenson <jgalenson@google.com> |
Move file labeling to genfs_contexts. This should improve performance, as file_contexts is slower than genfs_contexts. Bug: 62413700, 62852219 Test: Built, flashed, and booted. Verified that all of the files have the correct context. Verified that wifi, cellular, camera, and GPS work. Change-Id: I5b3c91c00486c0f741e9a015fb1602885612896d (cherry picked from commit cdd9829be89802fee63d9d5d1d381f1d84847d47)
ile_contexts
enfs_contexts
|
7c5a76860a1d557bf5e7b35496d47f4801ea984f |
15-Jun-2017 |
Stuart Scott <stuartscott@google.com> |
Add missing SE Policies for Hardware Info Testing Bug: 35668291 Test: pts-tradefed run singleCommand pts Change-Id: If50b00ea6fc11884c3aad6969b8821046916335a
ile.te
enfs_contexts
ardware_info_app.te
eapp_contexts
eventd.te
old.te
|
02a94ce7cfbe9e0b3e227ec057dd0d6631f55204 |
22-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Suppress netutils_wrapper module denials Netutils does not need to load kernel modules. Ignore. Bug: 35197529 Test: build policy Change-Id: I14f79ddfd47f3b6eb8461a0b351808bed09a5a30
etutils_wrapper.te
|
24c1a1f556220e83a45c805a34d10b591925253e |
22-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Narrow down tftp_server's access to /persist avc: denied { dac_override } scontext=u:r:rfs_access:s0 econtext=u:r:rfs_access:s0 tclass=capability Bug: 62074287 Bug: 38214174 Test: build and boot device. No denials in the logs related to /persist/rfs or /persist/hlos_rfs. All files have correct label. Change-Id: Ic63d1684af2d2b3a1ea75a3aacf2ab2a5ebe36a2
ile.te
ile_contexts
fs_access.te
|
fb2d6e2b902a4f3a6e1509d38f49c4d6c21a491d |
22-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Merge "Allow radio to set telephony monitor property on userdebug builds" into oc-dr1-dev am: c1319b7c73 am: 37a567ecb8 Change-Id: I1bb0b86adda5caf2b60b70417fdfdf2da830f76b
|
c1319b7c732039f264e8e28d65a3dad6c1768f17 |
22-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Allow radio to set telephony monitor property on userdebug builds" into oc-dr1-dev
|
4632db7d7deb22a875aec205abcfb3fba94050bc |
22-Jun-2017 |
Max Bires <jbires@google.com> |
Merge "Removing binder_call's from system_server" into oc-dr1-dev am: 192d8c3411 am: 2b59ebd5bf Change-Id: I5668c429d3f7a6bdf2dcc6ebd8ba53f9e99332a1
|
192d8c3411dc13030d8ff93342bd236a6c744bd7 |
22-Jun-2017 |
Max Bires <jbires@google.com> |
Merge "Removing binder_call's from system_server" into oc-dr1-dev
|
cc44df863d622ed6b41f96eb7b3d152f0d090532 |
22-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Add WiFi Statistics to Bugreport to Wahoo" into oc-dr1-dev
|
6fa748ff45614a450a2b442bb9fa46b40849d213 |
22-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Allow radio to set telephony monitor property on userdebug builds This is needed to fix the following denial selinux: avc: denied { set } for property=persist.radio.enable_tel_mon pid=9378 uid=1001 gid=1001 scontext=u:r:radio:s0 tcontext=u:object_r: tel_mon_prop:s0 tclass=property_service permissive=0 Test: Verified no telephony monitor crash at power up Bug: 62870818 Change-Id: If72bb39552d38c5498094170fd27ca6cda6efa2b
adio.te
|
19c0576fd8c59cdc2deaa9ac9ca670ec35352b85 |
22-Jun-2017 |
Adrian Salido <salidoa@google.com> |
Merge "power: remove interaction lock when idle" into oc-dr1-dev am: d5c6e693b9 am: 41fdbdb846 Change-Id: Id7063de214590ced5109322ce2efc05a6e579666
|
d5c6e693b9e38a8c207e5c046efa030b075f4239 |
22-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "power: remove interaction lock when idle" into oc-dr1-dev
|
585ac7d71a1e2f7886ea4e65ec87a026addf9130 |
22-Jun-2017 |
Jayachandran Chinnakkannu <jayachandranc@google.com> |
Merge "Change radio back to enforce mode" into oc-dr1-dev am: 385acb4ef6 am: 6406a1719e Change-Id: Id9a73bfd30b43feaef78f5bcdaff4d93e932d83c
|
2f3ed5304c20bcdb3067f7ea1834156780e8e86c |
22-Jun-2017 |
Jayachandran Chinnakkannu <jayachandranc@google.com> |
Merge "Move /data/misc/radio to /data/vendor/radio as per treble rules" into oc-dr1-dev am: 24c0b637f0 am: 0b9fc0bebd Change-Id: Ica653c122a310202f53afcfbe5a4cdd64ebe46bc
|
385acb4ef6ae57245d141054d861b014628da6cd |
22-Jun-2017 |
Jayachandran Chinnakkannu <jayachandranc@google.com> |
Merge "Change radio back to enforce mode" into oc-dr1-dev
|
24c0b637f03cbd35007728a6cea1a49138d393ee |
22-Jun-2017 |
Jayachandran Chinnakkannu <jayachandranc@google.com> |
Merge "Move /data/misc/radio to /data/vendor/radio as per treble rules" into oc-dr1-dev
|
668cac2f4c50fe9e375f7917700127f309671b7e |
19-May-2017 |
Adrian Salido <salidoa@google.com> |
power: remove interaction lock when idle Allows earlier interaction lock release by polling on display updates to stop happening (becomes idle) for a programmable amount of time. Bug: 62110101 Test: Ran UiBench, didn't see regressions subset of tests - avg-jank: testInflatingListViewFling: 0.09 testTrivialListViewFling: 0.15 Change-Id: I83c0fc75a3d7ca5bf76910ebbaeddb69343a7ee2
al_power_default.te
|
6d6b5ec090985ac8c3b68e9430996cbd6b98c879 |
22-Jun-2017 |
Ahmed ElArabawy <arabawy@google.com> |
Merge "Add WiFi Statistics to Bugreport to Wahoo"
|
5e53707061206ca7013d6fac9e4031562b1c9122 |
21-Jun-2017 |
Max Bires <jbires@google.com> |
Removing binder_call's from system_server They no longer appear to be in use, no denials are seen from system_server after removal Bug: 34784662 Bug: 36867326 Test: system_server functions normally Change-Id: Ifca772bc60bd67b14fe695737a7fc563810cd592
ystem_server.te
|
4e94c457cd77be54a44ccd016d0c9a682f7dc158 |
17-Jun-2017 |
Ahmed ElArabawy <arabawy@google.com> |
Add WiFi Statistics to Bugreport to Wahoo This commit adds some statistics from debugfs to bugreport. This includes the files: /d/wlan0/power_stats /d/wlan0/ll_stats /d/icnss/stats Bug: 62290986 Test: adb bugreport and inspect the required statistics Change-Id: Ib65b98935a043542283a645f9760e02ff6935db3 Signed-off-by: Ahmed ElArabawy <arabawy@google.com>
ile.te
enfs_contexts
al_dumpstate_impl.te
|
67c420df271c88dac01f96b3e0e0cf868da60234 |
21-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Move folio_daemon to system in sepolicy" into oc-dr1-dev am: 56b07ec982 am: 98f85a6ff8 Change-Id: I50a7e0dc8600feed1e332732b24e301b3a16926d
|
56b07ec98243d39bdec6711f1a58362b74bee021 |
21-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Move folio_daemon to system in sepolicy" into oc-dr1-dev
|
adb9d4722c7a8cb7921f3809330d51d632e26812 |
21-Jun-2017 |
Max Bires <jbires@google.com> |
Removing keystore policy due to bug resolution Bug: 35810138 Test: keystore works properly Change-Id: I18cb878df60dc57c7fd921629952f4287c934bb9
eystore.te
|
d60c59ea430e688613e63f084c39d4d65b423cf2 |
21-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Move folio_daemon to system in sepolicy Remove Treble violations. Bug: 36867326 Bug: 62387246 Test: loaded on taimen, checked dmesg, and tested daemon with magnet Change-Id: I4662b41206b94cae6ac9843b5dc7e1452003c63c
ile_contexts
olio_daemon.te
ystem_server.te
|
eff97a240f214520f3437ca55ca996e86438900d |
21-Jun-2017 |
Thierry Strudel <tstrudel@google.com> |
Merge "Revert "Move file labeling to genfs_contexts."" into oc-dr1-dev
|
81ec1ced6ebce722cc9bfebaa89cab059f8c9082 |
21-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Fix incorrect SELinux rule."
|
5084c6ba71a48204c67919d44cf453bd0f9aa48f |
21-Jun-2017 |
Thierry Strudel <tstrudel@google.com> |
Revert "Move file labeling to genfs_contexts." This reverts commit c29e60806b2648882ea371e9217effd841ac7090. Bug: 62852219 Change-Id: If212c1fea86ee929b6234ed48892ab6065da0173
ile_contexts
enfs_contexts
|
3a002c8b68de42668bb8e40d7804e4c4cda655b6 |
21-Jun-2017 |
Thierry Strudel <tstrudel@google.com> |
Merge "Move file labeling to genfs_contexts." into oc-dr1-dev
|
97c71e3f91a96981ab93b415c1561006e69ebe15 |
21-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Change radio back to enforce mode Test: Basic telephony sanity Bug: 38261780 Change-Id: Ia862e093f3d32500269fb732a5fe6e7e2ca36f41
adio.te
|
86b6fcc8a6fdef2551c76b683d257605b6c54a22 |
20-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Move /data/misc/radio to /data/vendor/radio as per treble rules 1) Modify the sepolicy to use /data/vendor partition to hold vendor radio data. 2) Modify Dumpstate to access /data/vendor for logging. Test: Basic telephony sanity with radio enforce mode Bug: 36736902 Bug: 36717606 Change-Id: I1f8f1026189c1262cfe0af251451e0efcc98c7f7
ile_contexts
nit_radio.te
ild.te
mlog_dump.te
|
9c2c09f4d7d265353e69eafc2c5113c7474cb5dc |
21-Jun-2017 |
Max Bires <jbires@google.com> |
Merge "Fixing denials blocking SFS and widevine" into oc-dr1-dev am: a05b888385 am: e11f6c6b94 Change-Id: Ifd2282dcf41cb89ed4c8a596d62933298dce525e
|
a05b8883851744226710cd71c12bf6b095a659b2 |
21-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Fixing denials blocking SFS and widevine" into oc-dr1-dev
|
68e562a6b51be309fbd0b246a5eee300277e65a7 |
21-Jun-2017 |
Sandeep Patil <sspatil@google.com> |
Merge "rild: remove rules to allow socket usage between rild and radio" into oc-dr1-dev am: 427d3ced01 am: 8b9050fda0 Change-Id: I7398c1a205c418c55eb47f7b0a185d57432ea3c5
|
427d3ced01c6976091ffb70826edde4d2b47ae3f |
21-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "rild: remove rules to allow socket usage between rild and radio" into oc-dr1-dev
|
c29e60806b2648882ea371e9217effd841ac7090 |
08-Jun-2017 |
Joel Galenson <jgalenson@google.com> |
Move file labeling to genfs_contexts. This should improve performance, as file_contexts is slower than genfs_contexts. Bug: 62413700 Test: Built, flashed, and booted. Verified that all of the files have the correct context. Change-Id: I40035d396fe344ade6b665ef0c314e36ef9c8bf8 (cherry picked from commit cdd9829be89802fee63d9d5d1d381f1d84847d47)
ile_contexts
enfs_contexts
|
5a3c3b6993c02e325f5ac5793016e41711968c8c |
21-Jun-2017 |
Arnd Geis <arndg@google.com> |
Create SELinux domain for easelservice app am: 0745d1bc52 am: 2ae3d1fd10 Change-Id: I2374b16960fa4a8138c5a932e7dc2c51bc798e98
|
b9facbcd955fed0bd86e12e98e9c1d2de702958a |
20-Jun-2017 |
Joel Galenson <jgalenson@google.com> |
Fix incorrect SELinux rule. Bug: 62413700 Test: Verified that the file has the correct rule. Change-Id: I55a45952ae0d8de16dc03ddbf455a0bd1f657490
enfs_contexts
|
841c4ad431d5098d9711f43a2892fdfb370fea9a |
17-Jun-2017 |
Ahmed ElArabawy <arabawy@google.com> |
Add WiFi Statistics to Bugreport to Wahoo This commit adds some statistics from debugfs to bugreport. This includes the files: /d/wlan0/power_stats /d/wlan0/ll_stats /d/icnss/stats Bug: 62290986 Test: adb bugreport and inspect the required statistics Merged-In: Ib65b98935a043542283a645f9760e02ff6935db3 Change-Id: Ib65b98935a043542283a645f9760e02ff6935db3 Signed-off-by: Ahmed ElArabawy <arabawy@google.com>
ile.te
enfs_contexts
al_dumpstate_impl.te
|
7d452f093f2d3d2957267fd2c9f90368a7fd3c0d |
20-Jun-2017 |
Sandeep Patil <sspatil@google.com> |
rild: remove rules to allow socket usage between rild and radio This eventually also removes the socket_between_core_and_vendor attribute added to rild for the same Bug: 36718031 Bug: 62343727 Test: Build and boot walleye Change-Id: Ib4808579742942b663d2e93c1527057f54f869cf Signed-off-by: Sandeep Patil <sspatil@google.com>
ild.te
|
0469656a6a323019b9972eeabed243d3ba3944da |
15-Jun-2017 |
Max Bires <jbires@google.com> |
Fixing denials blocking SFS and widevine Details in bug b/62391689 Bug: 62391689 Bug: 62686689 Test: Attestation works Change-Id: I0f9fe50537db5d8218331ecc7bd6cce60969a7bf
ile.te
ile_contexts
ee.te
|
0745d1bc52c16511700f4c53245b0c876ae68f16 |
19-Jun-2017 |
Arnd Geis <arndg@google.com> |
Create SELinux domain for easelservice app - Add domain for Easel firmware update app - Add app cert - Add access permission to mnh driver - Add access permission to app_api_service - Add access permission to surfaceflinger service Bug: b/38212365 Change-Id: I62e813a126d10b6d70854163635e564c161e9305 Signed-off-by: Arnd Geis <arndg@google.com>
erts/easel.x509.pem
aselservice_app.te
eys.conf
ac_permissions.xml
eapp_contexts
|
425a893cc4ee0d410d17e0edd234e67393395331 |
20-Jun-2017 |
Max Bires <jbires@google.com> |
Merge "Fixing some radio/ueventd/tee denials" into oc-dr1-dev am: 8e782a5db0 am: d25091363f Change-Id: Ie50e47898be07155628762058e6895a137c9ccc3
|
8e782a5db0c05a073b2995d63dc6f5fd7ed3c457 |
20-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Fixing some radio/ueventd/tee denials" into oc-dr1-dev
|
905abb7c601b4b6627bc6971ee835463d4bb3180 |
20-Jun-2017 |
Andrew Chant <achant@google.com> |
Merge "Add USB device descriptors to bug report." into oc-dr1-dev
|
3b19e99148131fa1d4f76fe6bf066d6cf5f89916 |
12-Jun-2017 |
Andrew Chant <achant@google.com> |
Add USB device descriptors to bug report. Reports product, version, and first 48 bytes of descriptors. Test: Took bugreports with and without USB device attached. With no USB Device: ------ USB Device Descriptors (/vendor/bin/sh -c cd /sys/bus/usb/devices/1-1 && cat product && cat bcdDevice; cat descriptors | od -t x1 -w16 -N96) ------ 0000000 With USB Device: ------ USB Device Descriptors (/vendor/bin/sh -c cd /sys/bus/usb/devices/1-1 && cat product && cat bcdDevice; cat descriptors | od -t x1 -w16 -N96) ------ Mir 0200 0000000 12 01 00 02 00 00 00 40 d1 18 25 50 00 02 03 01 0000020 02 01 09 02 1f 01 04 01 04 a0 32 09 04 00 00 01 0000040 01 01 00 05 0a 24 01 00 01 83 00 02 01 02 0c 24 0000060 02 01 01 02 00 02 03 00 00 00 0d 24 06 03 01 02 0000100 01 00 02 00 02 00 00 09 24 03 02 01 01 01 04 00 0000120 0c 24 02 22 01 02 00 02 03 00 00 18 0d 24 06 23 0000140 Bug: 38327094 Change-Id: I05cb5f6f3895b43b55ab4b1f434bb5b206b3bf4c Merged-In: I05cb5f6f3895b43b55ab4b1f434bb5b206b3bf4c
ile.te
ile_contexts
al_dumpstate_impl.te
|
d6bf24251e9bfd28b4c6b24484a2f1fe48455321 |
01-Jun-2017 |
Max Bires <jbires@google.com> |
Fixing some radio/ueventd/tee denials denied { write } for pid=559 comm="ueventd" name="uevent" dev="sysfs" ino=53168 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_usb_c:s0 tclass=file denied { open } for pid=7321 comm="elephonymonitor" path="/dev/__properties__/u:object_r:tel_mon_prop:s0" dev="tmpfs" ino=18893 scontext=u:r:radio:s0 tcontext=u:object_r:tel_mon_prop:s0 tclass=file denied { set } for property=rcs.publish.status pid=4829 uid=1001 gid=1001 scontext=u:r:radio:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service denied { set } for property=persist.radio.enable_tel_mon pid=10182 uid=1001 gid=1001 scontext=u:r:radio:s0 tcontext=u:object_r:tel_mon_prop:s0 tclass=property_service Bug: 34784662 Test: These denials no longer appear during phone operation Change-Id: I0f38e4f7e937c79d60eb2d4c607bcb62694f973b
roperty_contexts
eventd.te
|
21756abc654c31fb799652a969b9394fe9999b68 |
20-Jun-2017 |
Andrew Chant <achant@google.com> |
Merge "Add USB device descriptors to bug report."
|
f184f76ba188b38d67898c6a9495d57e4aa47b82 |
20-Jun-2017 |
Martijn Coenen <maco@google.com> |
Merge "Remove binder_in_vendor_violators from wcnss." into oc-dr1-dev am: 87c358793f am: 83ae8180ac Change-Id: I34cf727b65f7255bf50c1e5e1abfc7d5f7d6be73
|
87c358793ff61c128f1fd8dc944a382260c7f1fa |
20-Jun-2017 |
Martijn Coenen <maco@google.com> |
Merge "Remove binder_in_vendor_violators from wcnss." into oc-dr1-dev
|
29029eda1883b84984d4c8437d99b54ef8215a55 |
20-Jun-2017 |
Sandeep Patil <sspatil@google.com> |
Merge "netmgrd: remove vendor_executes_system_violator" into oc-dr1-dev am: 3e9bd98c90 am: 6497c518e5 Change-Id: I7a9d818d62c3a3edd7fc3152a8954d089fcfdf39
|
3e9bd98c907409ef081033e43fb3452a4d97b611 |
20-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "netmgrd: remove vendor_executes_system_violator" into oc-dr1-dev
|
e1c75faa4a9b2b4904f0ceef428841fde5e15118 |
20-Jun-2017 |
Sandeep Patil <sspatil@google.com> |
Merge "init_ese: use vendor shell and toybox in ese script" into oc-dr1-dev am: 3266111d28 am: c4b67a6f2f Change-Id: I2a51b998928b027029b3ba63c07cf4bfc60a5f0a
|
b96e98c9535b24430edcaf8f293c196874a9b415 |
12-Jun-2017 |
Andrew Chant <achant@google.com> |
Add USB device descriptors to bug report. Reports product, version, and first 48 bytes of descriptors. Test: Took bugreports with and without USB device attached. With no USB Device: ------ USB Device Descriptors (/vendor/bin/sh -c cd /sys/bus/usb/devices/1-1 && cat product && cat bcdDevice; cat descriptors | od -t x1 -w16 -N96) ------ 0000000 With USB Device: ------ USB Device Descriptors (/vendor/bin/sh -c cd /sys/bus/usb/devices/1-1 && cat product && cat bcdDevice; cat descriptors | od -t x1 -w16 -N96) ------ Mir 0200 0000000 12 01 00 02 00 00 00 40 d1 18 25 50 00 02 03 01 0000020 02 01 09 02 1f 01 04 01 04 a0 32 09 04 00 00 01 0000040 01 01 00 05 0a 24 01 00 01 83 00 02 01 02 0c 24 0000060 02 01 01 02 00 02 03 00 00 00 0d 24 06 03 01 02 0000100 01 00 02 00 02 00 00 09 24 03 02 01 01 01 04 00 0000120 0c 24 02 22 01 02 00 02 03 00 00 18 0d 24 06 23 0000140 Bug: 38327094 Change-Id: I05cb5f6f3895b43b55ab4b1f434bb5b206b3bf4c
ile.te
enfs_contexts
al_dumpstate_impl.te
|
3266111d2831590f54c76c13fc940b78f9a5592d |
20-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "init_ese: use vendor shell and toybox in ese script" into oc-dr1-dev
|
76dc25b2075e91d21b6f590671b84fb5438ac3b0 |
20-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Merge "Remove system_server policy to communicate with netmgrd over sockets" into oc-dr1-dev am: dffb51f4c0 am: 2c345df645 Change-Id: I793ca5a816e59141d2ee8b5a3aad384f1c5ec500
|
6a840da33dcc4fac15d71701f0ce7dcf4e69cedf |
20-Jun-2017 |
Amit Mahajan <amitmahajan@google.com> |
Merge "Remove binder rules for rild to communicate with audioserver." into oc-dr1-dev am: 8c27f611c2 am: 56bfffada8 Change-Id: I19942dce61f33698e4b9f0f6d88e7be3453acfb8
|
dffb51f4c0ab30c9634f290c76c9a9038a9b1d58 |
20-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Remove system_server policy to communicate with netmgrd over sockets" into oc-dr1-dev
|
8c27f611c2c8d5a268f5f1912fd4a4de387a778a |
20-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Remove binder rules for rild to communicate with audioserver." into oc-dr1-dev
|
67c279ab87e98de53180d8462fab86b7e98a90fd |
20-Jun-2017 |
Sandeep Patil <sspatil@google.com> |
Merge "wahoo: Make vendor script use vendor shell and vendor toybox" into oc-dr1-dev am: 0aecfea175 am: 4c97fd83d2 Change-Id: I1cd414d797a6f547c548eb046f304102dc6c8ecd
|
79325b70135cdad9c9883d2adefe4ad29f13dd26 |
20-Jun-2017 |
Eino-Ville Talvala <etalvala@google.com> |
Merge "GoogleCamera: Remove redundant persist.camera.* access" into oc-dr1-dev am: 39b781b6ef am: 5650f08112 Change-Id: I01e7085780801a78f1b8333309aaff102be3afee
|
073f57addc3b91615c2eb78470ce78ba4e8ea125 |
20-Jun-2017 |
Steve Pfetsch <spfetsch@google.com> |
Merge "wahoo: dumpstate: add touch firmware versions to dumpstate" into oc-dr1-dev am: 8ba1d8c88a am: 8232779736 Change-Id: Iedfd1bcb24d79f69333cff511321b6b0e93136d7
|
55d1b0499240a8506738006feb7af7a266e889d5 |
20-Jun-2017 |
Steven Moreland <smoreland@google.com> |
Merge "Remove socket violators from passthrough mode." into oc-dr1-dev am: eba35a7659 am: 11c321b326 Change-Id: Iedba491df389a09903b0180c2558c45eb27c9d07
|
3c5dd51dfd59eb990600c8e0fce06199f3289699 |
20-Jun-2017 |
Max Bires <jbires@google.com> |
Merge "Fixing sepolicy to allow sensors to create necessary files" into oc-dr1-dev am: 9449862bbc am: f87a36e1c9 Change-Id: I8c34de22477e8a6fa04a8761d6e1417453ddc66d
|
adcf25a5128bf5b3383462b29cedc3965021dc35 |
20-Jun-2017 |
Sandeep Patil <sspatil@google.com> |
netmgrd: remove vendor_executes_system_violator netmgrd needed this because of libudsutil depending on /system executable. That has now changed to point to /vendor copies of toybox utilities. So, remove the violator attribute and add permission to use vendor_toolbox for netmgrd domain. Bug: 37364044 Bug: 62385687 Test: Build and boot walleye and observe no denials for netmgrd Change-Id: I54adc23bbb7f59e209fd5ad797fa6c46995adc29 Signed-off-by: Sandeep Patil <sspatil@google.com>
etmgrd.te
|
79430f1a6e92b580c0c4d5556662c87959a03de0 |
20-Jun-2017 |
Martijn Coenen <maco@google.com> |
Remove binder_in_vendor_violators from wcnss. Bug: 36651714 Test: builds Change-Id: Ib12f6e891bfc8b2d8ba818392f7cdc0a13b8ab4f
cnss_service.te
|
f15fe5de4b2683d75c3fe58f3043320292e614de |
20-Jun-2017 |
Sandeep Patil <sspatil@google.com> |
init_ese: use vendor shell and toybox in ese script Bug: 38447496 Bug: 37364044 Bug: 37914554 Test: Build and boot walleye Test: No denials for init_ese requiring access for /data (b/t37914554) Change-Id: Ifce97fd50c4d2b0f49460ff37bcc01a281a6c700 Signed-off-by: Sandeep Patil <sspatil@google.com>
nit_ese.te
|
0aecfea1758fcd8febfc4bef6e53b37c02fe4851 |
20-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "wahoo: Make vendor script use vendor shell and vendor toybox" into oc-dr1-dev
|
4ccd3d226fa7cd897bc5ee8fb17f41f7a5108adf |
19-Jun-2017 |
Amit Mahajan <amitmahajan@google.com> |
Remove binder rules for rild to communicate with audioserver. Test: Basic telephony sanity Bug: 36565056 Change-Id: Ie315ca7b23d0ab64773de1d850b9b412d84b2557
udioserver.te
ild.te
|
39b781b6ef9091c79a205de485f24e4245b95c74 |
19-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "GoogleCamera: Remove redundant persist.camera.* access" into oc-dr1-dev
|
acd002580663f1dcea3af96d17cf500c514b6bac |
19-Jun-2017 |
Thierry Strudel <tstrudel@google.com> |
Merge commit 'd49c28813760c1aeee43f222e68ed0e939ed8e7d' into HEAD Change-Id: Ib9cac8693b967d075f2a7c1cc21d5feea37bbcb9
|
8ba1d8c88ae4c72ef4afd1b03e38ee74604bfcaf |
19-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "wahoo: dumpstate: add touch firmware versions to dumpstate" into oc-dr1-dev
|
eba35a7659514f8e0f027f40d3076ab94811d9a6 |
19-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Remove socket violators from passthrough mode." into oc-dr1-dev
|
9449862bbc3679f432d0caea91ffcd77506096d7 |
19-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Fixing sepolicy to allow sensors to create necessary files" into oc-dr1-dev
|
4a2b3affdafb5d7f05b03ac61335c1dd77aa7feb |
19-Jun-2017 |
Sandeep Patil <sspatil@google.com> |
wahoo: Make vendor script use vendor shell and vendor toybox This also enables us to remove the vendor_executes_system_violator attribute from all the vendor scripts launched from init. Bug: 37914554 Test: Build and boot and ensure all services exited with status 0. Change-Id: If692b17b45f91ff128608c3f6e9524847c1af69f Signed-off-by: Sandeep Patil <sspatil@google.com>
nit-devstart-sh.te
nit-insmod-sh.te
nit-ipastart-sh.te
nit_power.te
nit_radio.te
|
3db6f8685173943ea7090a976d23bff4275412c0 |
08-Jun-2017 |
Steven Moreland <smoreland@google.com> |
Remove socket violators from passthrough mode. Bug: 34274385 Bug: 34784662 Test: neverallows not tripped Test: bluetooth audio works Test: no denials seen related to wcnss<->bluetooth sockets Change-Id: Ie966130e5fd15b94bf8ce0e339eb632e7bf5e71e
luetooth.te
al_camera.te
ocation.te
erfd.te
cnss_filter.te
|
69bdf39fd594c15fcf099f8e5fb1a734943275d4 |
01-Jun-2017 |
Roopesh Rajashekharaiah Nataraja <roopeshr@codeaurora.org> |
Ensure treble compliance for time-service - Use /data/vendor/time instead of /data/time - Use /persist/time instead of /persist - Allow vendor to vendor socket communication Bug: 62184939 Bug: 62256376 Change-Id: Ia1c27cf3dfa393abcbf860249da8e7669c359ad9
ile.te
ile_contexts
eapp_contexts
ystem_app.te
ime_daemon.te
imeservice_app.te
|
321cee7e61ba6853c3f2c8528415be163a35bc79 |
27-May-2017 |
Steve Pfetsch <spfetsch@google.com> |
wahoo: dumpstate: add touch firmware versions to dumpstate Bug: 38207199 Change-Id: I2b21f92f64847286a34d7d52a932bd1f825fe000
ile.te
enfs_contexts
al_dumpstate_impl.te
|
da38591af2b2eab5f59c51d568f19726567d02a1 |
19-Jun-2017 |
Max Bires <jbires@google.com> |
Fixing sepolicy to allow sensors to create necessary files denied { create } for name="sns.reg" scontext=u:r:sensors:s0 tcontext=u:object_r:persist_sensors_file:s0 tclass=file Bug: 62555317 Test: sensors can create sns.reg file if missing Change-Id: I7a9a8e8f42408641a0efce0e02617305e4bc6331
ensors.te
|
46f5dcbd693f33d06ed488435dc7719e0ebf9e87 |
19-Jun-2017 |
Eino-Ville Talvala <etalvala@google.com> |
Allow Hexagon DSP access to GoogleCamera application am: 9da8401acb am: b66c8ab754 Change-Id: I18ae00b37e8b64e5da9119dd143ded5169b2956f
|
e4f65f1aad9ddbefd70c9ec2ee08ec352772e14f |
19-Jun-2017 |
Eino-Ville Talvala <etalvala@google.com> |
GoogleCamera: Remove redundant persist.camera.* access All apps already get this access, so no reason to repeat that Test: Manually verify GoogleCamera can still access persist.camera.* Bug: 62712071 Change-Id: I913f89b467514047d8e7079449148a4f6a3536aa
oogle_camera_app.te
|
9ed7bea713820fca44a01dbb85adf93603e184d0 |
19-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Remove system_server policy to communicate with netmgrd over sockets system_server no longer communicates with netmgrd over sockets Test: Basic Telephony and GPS sanity and no new denials Bug: 36626250 Change-Id: I7468504372a98a422e1eaaf63b8d1462b40c96a5
ystem_server.te
|
9da8401acba47d463d8f122525be7d26f686901e |
15-Jun-2017 |
Eino-Ville Talvala <etalvala@google.com> |
Allow Hexagon DSP access to GoogleCamera application - Add custom domain for GoogleCamera, with QDSP access - Add app cert for Google apps - Add new hexagon_halide_file type, apply it to two critical DSP libraries, and grant GoogleCamera access to them. - Also allow tango_core access to hexagon_halide_file - Remove /vendor/lib/libhalide_hexagon_host from same_process_hal_file, it's not used by anything currently. - Move access to persist.camera.* properties to the generic app domain Test: GoogleCamera able to use Hexagon for HDR+ Bug: 62712071 Bug: 62341955 Change-Id: I2c49c35d9f90d07b148a2f27d0f8128f99b55b6c
pp.te
erts/app.x509.pem
ile.te
ile_contexts
oogle_camera_app.te
eys.conf
ac_permissions.xml
eapp_contexts
ango_core.te
ntrusted_app.te
|
c9400f3e432afde1c3a72ae1d459e64a6a681e8e |
17-Jun-2017 |
Naveen Kalla <mrnaveen@google.com> |
Merge "Set system time early to get more accurate timezones" into oc-dr1-dev am: 4aa311afe0 am: d4ce900486 Change-Id: I63c85eee64beb837464e2c9e39d5505aa537d3f5
|
4aa311afe03fb5a3bec22611c40f0f7520515dde |
17-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Set system time early to get more accurate timezones" into oc-dr1-dev
|
8a0136e3320dbb80dd5c08df58c9758cfb1abb65 |
17-Jun-2017 |
David Lin <dtwlin@google.com> |
sepolicy: allow ueventd to load calibration file on /persist am: f9f9c80b7a am: 09b2069949 Change-Id: Ied415c9480ecf77006c4d3ba072f14dc95fb13f8
|
404eeb6eb190393aae805ba5c09504154aa506ae |
17-Jun-2017 |
Thierry Strudel <tstrudel@google.com> |
Merge commit '208239c104fc478a0dc91916f0dfda88332ab043' into HEAD Change-Id: I7b4fad0b3350112647dd046994d3a6d527b37674
|
f9f9c80b7a8b1f22d3c6541ad5be5b1f010589f8 |
16-Jun-2017 |
David Lin <dtwlin@google.com> |
sepolicy: allow ueventd to load calibration file on /persist This patch adds the sepolicy to allow ueventd to load a calibration file via a symlink on /vendor/firmware pointing to a file on /persist. Bug: 62683712 Test: audio sanity test Change-Id: Id16c947578b8860186a25e01ab64131d640a3004 Signed-off-by: David Lin <dtwlin@google.com>
ernel.te
eventd.te
|
1b5fe2a540617ccb880b23195a540c5070e1a2d3 |
17-Jun-2017 |
Thierry Strudel <tstrudel@google.com> |
Merge changes from topic 'merge-msm8998-AU210' into oc-dr1-dev * changes: netmgrd: Change binary location to netutils Introduce cne server and apiservice hal Update IMS and radio SE policies based on AU 194 drop Adding contexts and allows for time_daemon
|
08c750584a35fdf3440c179145bc65e7ff724b34 |
17-Jun-2017 |
Thierry Strudel <tstrudel@google.com> |
Merge "suppress spurious module loading denials" into oc-dr1-dev am: 77199d72f8 am: 88fc340aef Change-Id: I70355a12f16b79648ac78aea689652b32ced6c3e
|
77199d72f8a1c9b3ac4857462f074e02024a49a6 |
17-Jun-2017 |
Thierry Strudel <tstrudel@google.com> |
Merge "suppress spurious module loading denials" into oc-dr1-dev
|
76b781690b2bf90fae18107b79cfeb75e6bb4736 |
16-Jun-2017 |
Ecco Park <eccopark@google.com> |
Merge "wifi: add the read permission for /proc/ath_pktlog/cld" into oc-dr1-dev am: 1cbbad1f55 am: 1cd92c77c1 Change-Id: I68da9521428bdacf214240e6e9cc253917174814
|
1cbbad1f558c4160e1d6a01432dc70ca7734f832 |
16-Jun-2017 |
Ecco Park <eccopark@google.com> |
Merge "wifi: add the read permission for /proc/ath_pktlog/cld" into oc-dr1-dev
|
ca38bc851d51a5046629d4d5863e51f93edeaaa1 |
16-Jun-2017 |
Ecco Park <eccopark@google.com> |
wifi: add the read permission for /proc/ath_pktlog/cld Error: type=1400 audit(1497566325.222:1870): avc: denied { read } for pid=963 comm="cnss_diag" name="cld" dev="proc" ino=4026533982 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0 Bug: 36823983 Change-Id: Ie231bedccfc75d020e7a467d9b87b0e44e46fad2 Signed-off-by: Ecco Park <eccopark@google.com>
enfs_contexts
cnss_service.te
|
b771c2152cf330f4c8a450a4d7dc9990ce6c6036 |
16-Jun-2017 |
Thierry Strudel <tstrudel@google.com> |
Merge "Add tangomapper and tango cts to tango_core SE context" into oc-dr1-dev am: 4c80a57708 am: 46ec57a762 Change-Id: I77fd6b5e1202d034044be03eae82b90103df4aba
|
4c80a57708f4176c6b0d95230a27a8e1c1c018fd |
16-Jun-2017 |
Thierry Strudel <tstrudel@google.com> |
Merge "Add tangomapper and tango cts to tango_core SE context" into oc-dr1-dev
|
664f2d4397e174ccc9fd6f5935515104d58d9a15 |
31-May-2017 |
Subash Abhinov Kasiviswanathan <subashab@codeaurora.org> |
netmgrd: Change binary location to netutils Generic system partition binaries are not accessible on latest versions of AOSP. As a result, use the netutils wrapper equivalents of ip[6]tables, ip and tc. Fix the following denials - type=1400 audit(1495499715.886:76): avc: denied { use } for pid=1370 comm="tc-wrapper-1.0" path="pipe:[28029]" dev="pipefs" ino=28029 scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netmgrd:s0 tclass=fd permissive=0 type=1400 audit(159.269:260): avc: denied { write } for pid=1612 comm="ndc-wrapper-1.0" path="pipe:[30233]" dev="pipefs" ino=30233 scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netmgrd:s0 tclass=fifo_file permissive=0 type=1400 audit(159.269:267): avc: denied { read } for pid=1612 comm="ndc-wrapper-1.0" path="pipe:[30809]" dev="pipefs" ino=30809 scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netmgrd:s0 tclass=fifo_file permissive=0 type=1400 audit(10632.149:134): avc: denied { read write } for pid=1523 comm="ndc-wrapper-1.0" path="socket:[28342]" dev="sockfs" ino=28342 scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netmgrd:s0 tclass=netlink_socket permissive=0 type=1400 audit(3510988.283:134): avc: denied { module_request } for pid=773 comm="netmgrd" kmod="netdev-rmnet_ipa0" scontext=u:r:netmgrd:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0 type=1400 audit(1496866410.453:216): avc: denied { read } for pid=810 comm="netmgrd" name="timestamp_switch" dev="sysfs" ino=27263 scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs_timestamp_switch:s0 tclass=file permissive=0 type=1400 audit(1496882073.170:67506) avc: denied { open } for pid=822 comm="netmgrd" path="/sys/module/diagchar/parameters/timestamp_switch" dev="sysfs" ino=27263 scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs_timestamp_switch:s0 tclass=file permissive=0 audit(1496448874.298:224) avc: denied { read write } for pid=3976 comm="iptables-wrappe" path="socket:[35109]" dev="sockfs" ino=35109 scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netmgrd:s0 tclass=tcp_socket permissive=1 audit(1496448785.385:139) avc: denied { getattr } for pid=1709 comm="ndc" path="pipe:[31264]" dev="pipefs" ino=31264 scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netmgrd:s0 tclass=fifo_file permissive=1 CRs-Fixed: 2054108 Test: Verified that the LTE data and WiFi calling works Bug: 62258789 Change-Id: I91e663ab35369f75d33ef4788c87bde14605f6b9
etmgrd.te
etutils_wrapper.te
|
25591f24ea7fcc2e3de8f5d9637557d47b759b73 |
07-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Update IMS and radio SE policies based on AU 194 drop Permissive to enforce for ims and cnd domains Introduce new CNE HIDL service Remove CNE talking to cnd via socket and move to HIDL Allow IMS to access sysfs data and diag files Allow radio to access telephony monitor property Bug: 38043081 Change-Id: I1775d6aea4de9843fdbedd06ebd71ec213f38189
nd.te
ataservice_app.te
ile.te
ile_contexts
al_imsrtp.te
al_rcsservice.te
wservice.te
wservice_contexts
ms.te
adio.te
|
b7c0dc9aaf1c7495436e6cbfa81a5b9c37def09a |
24-May-2017 |
Max Bires <jbires@google.com> |
Adding contexts and allows for time_daemon denied { write } for pid=741 comm="time_daemon" name="time" dev="sda10" ino=335873 scontext=u:r:time_daemon:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir denied { search } for pid=825 comm="time_daemon" name="time" dev="sda10" ino=335873 scontext=u:r:time_daemon:s0 tcontext=u:object_r:time_data_file:s0 tclass=dir denied { create } for pid=894 comm="time_daemon" name="ats_13" scontext=u:r:time_daemon:s0 tcontext=u:object_r:time_data_file:s0 tclass=file denied { create } for pid=820 comm="time_daemon" name="ats_13" scontext=u:r:time_daemon:s0 tcontext=u:object_r:persist_file:s0 tclass=file denied { search } for pid=834 comm="time_daemon" name="time" dev="sda4" ino=23 scontext=u:r:time_daemon:s0 tcontext=u:object_r:persist_time_file:s0 tclass=dir denied { write } for pid=865 comm="time_daemon" name="time" dev="sda4" ino=23 scontext=u:r:time_daemon:s0 tcontext=u:object_r:persist_time_file:s0 tclass=dir Bug: 34784662 Bug: 38415848 Test: time works Change-Id: I4e859761f32bb0e203e1047f5c491602efcc43b0 (cherry picked from commit 59425a13e653a2250c1fbc4aca494e56ddc69f6b)
ile.te
ile_contexts
ime_daemon.te
|
d58873547f34afab05fef02510408d6912cfb8e9 |
16-Jun-2017 |
Jayachandran Chinnakkannu <jayachandranc@google.com> |
Merge "Update IMS and radio SE policies based on AU 194 drop"
|
7df1deb2e838ca2d83a6a5d67d43a8e8dc442a9d |
16-Jun-2017 |
Wyatt Riley <wyattriley@google.com> |
Merge "Fix denials for xtra-daemon file creation" into oc-dr1-dev am: daa2ff2508 am: c9a67c785a Change-Id: I3d71be6141de80017fa4415a41353aa9d49abf43
|
78f825b340c4e3ec9ff0e38c10fb4c49ac2f64ed |
16-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove treble violations from sepolicy" into oc-dr1-dev am: ef7dedbfe8 am: 1ce4d6043b Change-Id: Ic8f1625914fc124ce2a37f4a329f8ca1176701f6
|
daa2ff2508630022275fb5a3673deeba897e916c |
16-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Fix denials for xtra-daemon file creation" into oc-dr1-dev
|
ef7dedbfe825ddcab237f513008f01bb2fd3c719 |
16-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Remove treble violations from sepolicy" into oc-dr1-dev
|
2284c8495a0a920de517f1d21e2c0c30be231e67 |
15-Jun-2017 |
Naveen Kalla <mrnaveen@google.com> |
Set system time early to get more accurate timezones Zygote reads the system time and caches the timezone information. So start time_daemon early so that it can set the time before zygote starts up and reads the time. Bug: 62473512 Test: Manual: Check adb logs to ensure Zygote starts after system time is set. Change-Id: I98fca37928e1822614f9fcb39869e664453a2c3e
roperty.te
roperty_contexts
ime_daemon.te
|
05ded31dd6fa6c230a030d9bbcc27385f44f3316 |
07-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Update IMS and radio SE policies based on AU 194 drop Permissive to enforce for ims and cnd domains Introduce new CNE HIDL service Remove CNE talking to cnd via socket and move to HIDL Allow IMS to access sysfs data and diag files Allow radio to access telephony monitor property Bug: 38043081 Change-Id: I1775d6aea4de9843fdbedd06ebd71ec213f38189
nd.te
ataservice_app.te
ile.te
enfs_contexts
al_imsrtp.te
al_rcsservice.te
wservice.te
wservice_contexts
ms.te
adio.te
|
a287c3bb29068dc1264ddeb4f61e0f3a5559d204 |
16-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
suppress spurious module loading denials We only load modules during boot, and only by a single script: init.insmod.sh Other denials are caused by code we don't rely on that automatically looks for modules. Bug: 34784662 Test: build policy Change-Id: Iccdbe52582e9960f49ecb4ba9b472cf792e48fe6
nit.te
ernel.te
ocation.te
etd.te
etmgrd.te
urfaceflinger.te
|
e84735870c7b4307b3d11a6778ba6c24f6c599af |
14-Jun-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Add tangomapper and tango cts to tango_core SE context * Add com.google.tango.* to tango_core SE context * Replace the key.pem used for tango apps for userbuild. Use a release key instead of dummy key * Resolve denials for tango_core: avc: denied { search } for name="/" dev="sdd3" ino=2 scontext=u:r:tango_core:s0:c512,c768 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=0 avc: denied { search } for name="sensors" dev="sdd3" ino=16 scontext=u:r:tango_core:s0:c512,c768 tcontext=u:object_r:persist_sensors_file:s0 tclass=dir permissive=0 avc: denied { getattr } for path="/persist/sensors/calibration/calibration.xml" dev="sdd3" ino=38 scontext=u:r:tango_core:s0:c512,c768 tcontext=u:object_r:persist_sensors_file:s0 tclass=file permissive=1 avc: denied { open } for path="/persist/sensors/calibration/calibration.xml" dev="sdd3" ino=38 scontext=u:r:tango_core:s0:c512,c768 tcontext=u:object_r:persist_sensors_file:s0 tclass=file permissive=1 avc: denied { read } for name="calibration.xml" dev="sdd3" ino=38 scontext=u:r:tango_core:s0:c512,c768 tcontext=u:object_r:persist_sensors_file:s0 tclass=file permissive=0 BUG=62581695 Test: Tested on walleye Change-Id: Ifac77c8190e59d88c9f1a65ab451e7e060742082
erts/tango_dummy.x509.pem
erts/tango_userdev.x509.pem
eys.conf
eapp_contexts
ango_core.te
|
fc83072eedf7c9ab3a5b1cf8d7bb899f30fd6875 |
16-Jun-2017 |
Wyatt Riley <wyattriley@google.com> |
Fix denials for xtra-daemon file creation avc: denied { create } for name="xtra.sqlite" scontext=u:r:location:s0 tcontext=u:object_r:location_data_file:s0 tclass=file permissive=0 avc: denied { create } for name="nvparam.sqlite" scontext=u:r:location:s0 tcontext=u:object_r:location_data_file:s0 tclass=file permissive=0 avc: denied { create } for name="pcid.data" scontext=u:r:location:s0 tcontext=u:object_r:location_data_file:s0 tclass=file permissive=0 Thinner version of https://partner-android-review.googlesource.com/#/c/840686/ Aligns with marlin Bug: 62603830 Test: Build, run GPS, check denials Change-Id: I8b0f11b73c09513a4c19232cfde03b378b93f8f3
ocation.te
|
e3f80d1ba820b1e924d1d85a363ca5778c8cfb13 |
15-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Add domain for widevine HAL am: bbc467932d am: 47206e4cd2 Change-Id: I6c3fe3fca8151042e0cb99d6931ffd91e46baf35
|
d8ec0483f7b746e33f41262f83beeeabac34e51f |
15-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "suppress spurious firmware_file denial" into oc-dr1-dev am: 115b724ccd am: c3267453bf Change-Id: I9b75a64b90d0c424420c6f1d54ecfdb55ce41afd
|
bbc467932d74c7abf8c365f940d0e2f5e5907192 |
15-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Add domain for widevine HAL Address: [ 14.701366] init: service drm-widevine-hal-1-0 does not have a SELinux domain defined avc: denied { ioctl } scontext=u:r:hal_drm_widevine:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file avc: denied { open } scontext=u:r:hal_drm_widevine:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file avc: denied { read write } scontext=u:r:hal_drm_widevine:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file Bug: 62075360 Test: built and booted xyz_test-userdebug Test: added account and watched video on Play movies. Listened to songs on Play Music Change-Id: Id219da343b1268a7492b50f870334a1e7dc151d5
ile_contexts
al_drm_widevine.te
|
115b724ccda9703af403bac6b0af9d620cded972 |
15-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "suppress spurious firmware_file denial" into oc-dr1-dev
|
97f996a846ba9fa18807e50963a61abf430950ed |
15-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
suppress spurious firmware_file denial avc: denied { search } comm="cnss-daemon" scontext=u:r:wcnss_service:s0 tcontext=u:object_r:firmware_file:s0 tclass=dir Test: build policy Bug: 34784662 Change-Id: Ic89abbfdb2b36cb35c5a7f14abb21c9464b60561
cnss_service.te
|
614394c2560de6b51223a29e2c0af493aa896e85 |
15-Jun-2017 |
Max Bires <jbires@google.com> |
Merge "Fixing hal_imsrtp timestamp read issue" into oc-dr1-dev am: e6ee6b54ff am: df875c2c50 Change-Id: Ic2467994ca6db8ae67c9b30cd2c18f27a630dc6d
|
da1ebb7d92a0a0df586536186a772cbf3109211a |
15-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Remove treble violations from sepolicy Bug: 36570300 Bug: 36570130 Test: build and boot device Change-Id: I248a31048a867a4e8a4a0c756936e9371d16d320
er_mgr.te
er_proxy.te
|
e6ee6b54ff3d2f45b6b23c19aa7f05a193863c42 |
15-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Fixing hal_imsrtp timestamp read issue" into oc-dr1-dev
|
970e75349d3c5bee884c5f3c1e4282f0c617ff15 |
15-Jun-2017 |
Max Bires <jbires@google.com> |
Merge "Fixing a sensors issue" into oc-dr1-dev am: 2d85910d9f am: 8ed58a21a3 Change-Id: I42449c7ef485dd27cf47d36b759beddd88116e99
|
2d85910d9f4cd4d051b30653fb71106e7bf58c4d |
15-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Fixing a sensors issue" into oc-dr1-dev
|
242b0a3be6cb0b7383cf07a801e01f9857f8c526 |
14-Jun-2017 |
Sandeep Patil <sspatil@google.com> |
rild: add radio to rild socket rule temporarily am: 9e75e0ed2c am: 0e32d679d4 Change-Id: I03cacad9073fbce53348815520a53fd2b0e3c42a
|
9e75e0ed2c9f10fd2c6f03cf9b9dc431186d778d |
14-Jun-2017 |
Sandeep Patil <sspatil@google.com> |
rild: add radio to rild socket rule temporarily The rule is added to ensure we don't break the radio to rild communication once we remove the same rule from platform's sepolicy for treble devices. This change MUST be reverted along with the change to use HIDL between radio and rild domains. Bug: 62616897 Bug: 62343727 Test: Build and boot. Change-Id: I846389257bf9d40bac55299c24d2cf07c74e9092 Signed-off-by: Sandeep Patil <sspatil@google.com>
ild.te
|
187628ed876ba0d012b4d609f0cb90547d972e1e |
14-Jun-2017 |
Max Bires <jbires@google.com> |
Fixing a sensors issue denial: denied { write } for pid=7720 comm="sensors.qcom" name="sensors" dev="sdd3" ino=16 scontext=u:r:sensors:s0 tcontext=u:object_r:persist_sensors_file:s0 tclass=dir Bug: 62555317 Bug: 34784662 Test: sensors domain works properly Change-Id: Ibb41c6c699282383e80a4cb80784ccc544787d71
ensors.te
|
59733a30d17e40ea03d93788f3d0c552fb7bf335 |
13-Jun-2017 |
Max Bires <jbires@google.com> |
Fixing hal_imsrtp timestamp read issue denied { read } for pid=1148 comm="ims_rtp_daemon" name="timestamp_switch" dev="sysfs" ino=27258 scontext=u:r:hal_imsrtp:s0 tcontext=u:object_r:sysfs_timestamp_switch:s0 tclass=file Bug: 34784662 Test: this denial no longer appears Change-Id: I7760173500d8b9c5abbc3eeded1ffba04c49988f
al_imsrtp.te
|
a348c4c4d5df16b291044ccaf1ff61df8ada354a |
13-Jun-2017 |
Pankaj Kanwar <pkanwar@google.com> |
Merge "move ipacm to vendor and sepolicy definitions" into oc-dr1-dev am: b9bf282710 am: 5a03e1aa77 Change-Id: I9b0050215487920fe0d6b12fefc9e98a034c8e7d
|
b9bf282710b0b8302c620d226f555308ca307084 |
13-Jun-2017 |
Pankaj Kanwar <pkanwar@google.com> |
Merge "move ipacm to vendor and sepolicy definitions" into oc-dr1-dev
|
b95e3ee58a3bd44f4df53abe522b02170fc473df |
13-Jun-2017 |
Steve Pfetsch <spfetsch@google.com> |
Merge "wahoo: Fix display calibration data denial" into oc-dr1-dev am: 9e70df5937 am: 3ea314d610 Change-Id: I7cbf7b81c5947f83f21475c314d8afd75c435ba1
|
9e70df59378c5c728e1a073c86693f9342723574 |
13-Jun-2017 |
Steve Pfetsch <spfetsch@google.com> |
Merge "wahoo: Fix display calibration data denial" into oc-dr1-dev
|
9f91e3f6b85c51a0b543c0e2a40f29e294d3a4cc |
13-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Move netmgr logging path to /data/vendor as per treble rules am: 7723ec091e am: efb0711844 Change-Id: Ifefd4b984d2d082781710d419bef068300872955
|
253cdd58b59aedaed665289cb4f6f844badb3243 |
10-Jun-2017 |
Niranjan Pendharkar <npendhar@codeaurora.org> |
move ipacm to vendor and sepolicy definitions add ipacm/offload related definitions to init and sepolicies CP from Partner. Bug: 34361337 Test: manual Change-Id: I7264a500b4c0db82dad4d8b6c3768787693106f9
ile.te
ile_contexts
wservice.te
wservice_contexts
pacm.te
|
7723ec091e03e53c36abdbd2f6bc58e50116d41a |
11-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Move netmgr logging path to /data/vendor as per treble rules Netmgr logging path changed from /data/misc to /data/vendor Test: Verified bugreport collecting netmgr logs Bug: 62504502 Change-Id: Iba7f585597e30d8dfedae5bb2a73a759aeb0c737
ile_contexts
|
01e9ca7837ae1d84743467bd1c192044655f3535 |
13-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "system_app: Allow setting camera property"
|
f0512363b2f0d06ac905c7089ce63c70dda6c572 |
13-Jun-2017 |
Stuart Scott <stuartscott@google.com> |
Merge "Add Wahoo SELinux Policy" into oc-dr1-dev am: e138c4bd57 am: 33d65e915c Change-Id: Id1bdaa4abfdc282e45a2bd2ee14ac4c9e4596b55
|
e138c4bd5770b40cb144fee3270516d582e0ff8c |
13-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Add Wahoo SELinux Policy" into oc-dr1-dev
|
3cae7d39daaa4bfd2827b9acae725c104366dc6e |
08-Jun-2017 |
Naseer Ahmed <naseer@codeaurora.org> |
wahoo: Fix display calibration data denial Bug: 62434319 Change-Id: Iefbeb15e42490234ae8c0d4c0eb5f7d59fa2b9d6
al_graphics_composer_default.te
|
59425a13e653a2250c1fbc4aca494e56ddc69f6b |
24-May-2017 |
Max Bires <jbires@google.com> |
Adding contexts and allows for time_daemon denied { write } for pid=741 comm="time_daemon" name="time" dev="sda10" ino=335873 scontext=u:r:time_daemon:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir denied { search } for pid=825 comm="time_daemon" name="time" dev="sda10" ino=335873 scontext=u:r:time_daemon:s0 tcontext=u:object_r:time_data_file:s0 tclass=dir denied { create } for pid=894 comm="time_daemon" name="ats_13" scontext=u:r:time_daemon:s0 tcontext=u:object_r:time_data_file:s0 tclass=file denied { create } for pid=820 comm="time_daemon" name="ats_13" scontext=u:r:time_daemon:s0 tcontext=u:object_r:persist_file:s0 tclass=file denied { search } for pid=834 comm="time_daemon" name="time" dev="sda4" ino=23 scontext=u:r:time_daemon:s0 tcontext=u:object_r:persist_time_file:s0 tclass=dir denied { write } for pid=865 comm="time_daemon" name="time" dev="sda4" ino=23 scontext=u:r:time_daemon:s0 tcontext=u:object_r:persist_time_file:s0 tclass=dir Bug: 34784662 Bug: 38415848 Test: time works Change-Id: I4e859761f32bb0e203e1047f5c491602efcc43b0
ile.te
ile_contexts
ime_daemon.te
|
ba5920aee298ecfa06a0c39b35f7926c75411e0f |
10-Jun-2017 |
Amit Mahajan <amitmahajan@google.com> |
Merge "Adjust TODO bug numbers." into oc-dr1-dev am: 797f28481a am: 547b522c81 Change-Id: I8107524a1b44974f13572929ec722b536479242b
|
5c8829c92a95ad18500f2bc53f8df7344e90fe80 |
26-May-2017 |
Stuart Scott <stuartscott@google.com> |
Add Wahoo SELinux Policy Bug: 35668291 Test: pts-tradefed run singleCommand pts -m PtsHardwareInfoDeviceTestCases Change-Id: Idfe0b0f68d4d2fa3c496bc66a4310182dcbc4f95
ardware_info_app.te
eapp_contexts
|
b2a8e34a847be942fa574c8b6fe7b06e1978e726 |
09-Jun-2017 |
Amit Mahajan <amitmahajan@google.com> |
Adjust TODO bug numbers. Test: none Bug: 36613472 Bug: 36443535 Change-Id: I05fcab8784b30862b07eab304da63925000de719
ild.te
|
352d54af8856588799772488c3c9ee8fe4d37cf0 |
09-Jun-2017 |
Joel Galenson <jgalenson@google.com> |
Merge "Move file labeling to genfs_contexts."
|
cdd9829be89802fee63d9d5d1d381f1d84847d47 |
08-Jun-2017 |
Joel Galenson <jgalenson@google.com> |
Move file labeling to genfs_contexts. This should improve performance, as file_contexts is slower than genfs_contexts. Bug: 62413700 Test: Built, flashed, and booted Muskie. Verified that some of the files have the correct context. Change-Id: I40035d396fe344ade6b665ef0c314e36ef9c8bf8
ile_contexts
enfs_contexts
|
30faf26836c237ea95d63d7b76415b0c6019ac9e |
08-Jun-2017 |
Nick Desaulniers <ndesaulniers@google.com> |
Merge "wahoo: sepolicy: remove libbinder rules for fingerprint" into oc-dr1-dev
|
5363d06f07a7ae4370bd2f9787d0b07d42c924ed |
08-Jun-2017 |
Nick Desaulniers <ndesaulniers@google.com> |
wahoo: sepolicy: remove libbinder rules for fingerprint Libbinder is just needed for dev/debug tools. SELinux can be disabled for those. Test: enroll fingerprints, apply patch, can still authenticate/navigate Change-Id: Ifa29bdb5cc393ed0c8e894ef76c0d4b5c58847e2 Fixes: 36686751 Bug: 37755263
al_fingerprint.te
al_fingerprint_default.te
|
1b59b229c59b8d5f83538b0867f6fc38ede850ac |
30-May-2017 |
Naseer Ahmed <naseer@codeaurora.org> |
wahoo: Add support for display debug data * Saves display debugfs data in /data/vendor/display * Update the dumpstate xlog to print the saved data Bug: 38496103 Change-Id: Ibc3bd97657b9faa74894ad50b01f373403871c94 Author: Naseer Ahmed <naseer@codeaurora.org> Date: Tue May 30 17:51:24 2017 -0400
ile.te
ile_contexts
al_dumpstate_impl.te
al_graphics_composer_default.te
|
e59d10875c320eee0c325ae4503bee1b81639e7c |
07-Jun-2017 |
Jayachandran Chinnakkannu <jayachandranc@google.com> |
Merge "Allow radio to find uce service"
|
df94ed10145925c4c69423938bad7e7ac02812c5 |
07-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Add soc serial number to bugreport"
|
e5332594abf6952da2061f25dfed2b54bf36f8fb |
31-May-2017 |
Chien-Yu Chen <cychen@google.com> |
system_app: Allow setting camera property Allow system app to set camera property on userdebug and eng devices, which is needed by CameraHalHdrplusPreferenceController. Test: System app Bug: 62108454 Change-Id: Id21973f7ade737917f567d47953075fc9e500617
ystem_app.te
|
bc0c83e66e1dd9417f8ca459c80e3a12fa451628 |
07-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Allow radio to find uce service This fixes the following denials avc: denied { find } for service=uce pid=2729 uid=1001 scontext=u:r:radio:s0 tcontext=u:object_r:uce_service:s0 tclass=service_manager permissive=1 Bug: 37434935 Change-Id: I0bc3f74fdfbdc25759c38edbe1289fdfd68443f2
adio.te
|
4179f3921c209178e75378c4268cb7b5ef77cfe1 |
22-May-2017 |
Dante Russo <drusso@codeaurora.org> |
Move location files from /data/ to /data/vendor/ Runtime files and sockets used by location modules are moved to vendor partition from /data/misc/location to /data/vendor/location And additional SE policy CRs-fixed: 2046657 Bug: 38137902 Test: Build, boot, GPS works, XTRA works, no new avc denials Change-Id: If56a053ff3c478473c08aeef079d119b5b8847d7
ile_contexts
al_gnss_qti.te
ocation.te
|
e758626c5de1dcffe06b99f4eae2608e9bcecc03 |
06-Jun-2017 |
Ahmed ElArabawy <arabawy@google.com> |
Merge "Re-introduce of POWER HAL API 1.1 impl for Wahoo"
|
e2ac78d27f9e66b44b2c22d7c18b581e3a2ab025 |
01-Jun-2017 |
David Lin <dtwlin@google.com> |
haptics: implements vibrator 1.1 HAL Obtain tick/click effect duration from system property and implement the new perform 1.1 function for supporting tick effect. Bug: 62176703 Test: VtsHalVibratorV1_1TargetTest Change-Id: Icbd50c2e7d05fd520aeda4511ba95151dde2a5ed Signed-off-by: David Lin <dtwlin@google.com>
ile_contexts
|
f3e845ce21adf40b4caa8982447b0bf99eeeee81 |
24-May-2017 |
Ahmed ElArabawy <arabawy@google.com> |
Re-introduce of POWER HAL API 1.1 impl for Wahoo Power HAL 1.1 support for wahoo based devices was initially introduced in CL ag/2098359 However, this caused a regression in application startup times due to a bug in passing parameters for power hints on application launch Hence, that CL was reverted in CL ag/2270791 This commit brings back the support of the Power Hal 1.1 to wahoo based devices. This includes the changes of the original CL as well as a fix for the app startup time regression The fix is similar to that in ag/1767023 (done for power HAL 1.0 default implementation) where a NULL is passed to the powerHint function when the passed data is Zero (instead of passing a pointer to the data). This enables the App Launch power hints to work properly The commit has been tested not to cause that regression Bug: 62040325 Test: Performance Tests along with other tests Change-Id: I29ce38b2de92c2b9ad878b0076288b689695b8a0 Signed-off-by: Ahmed ElArabawy <arabawy@google.com>
ile_contexts
enfs_contexts
al_power_default.te
al_wifi_default.te
ernel.te
|
d6864b43a3c68d62dfe87d5635dec690843ac208 |
03-Jun-2017 |
Jayachandran Chinnakkannu <jayachandranc@google.com> |
Merge "Remove net_raw capability from ims"
|
6030720f1e805749a377382726d859728bdb972e |
02-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Fix radio logs not included in bugreport Made hal_dumpstate_impl to use vendor executables as per treble guidelines Test: Bugreport and verified radio logs included and no new denials Bug: 62291820 Change-Id: I4f9f46cd76600e4b083ee6de5c52d495cc17729b
al_dumpstate_impl.te
|
132939e57986a946fa230c3c3ae71b2d3f4795fd |
03-Jun-2017 |
Ajay Dudani <adudani@google.com> |
Add soc serial number to bugreport Test: Verified serial number is present in bugreport Bug: 62305405 Change-Id: Ie06f1a93af1fd3006d57a46c9e6e5fad85433fe1
al_dumpstate_impl.te
|
b726f55f53c011a6195d6d9f230d873e3fbe92db |
02-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Remove net_raw capability from ims net_raw was added to make IMS registration work in enforced mode Currently ims is in permissive mode so any denials will not block the functionality or lab testing This change will enable QC to catch denials and fix in their prebuilts Test: Basic telephony sanity Bug: 37652052 Change-Id: I942a267464b83f60ef6274e47f1ae6a493230c1f
ms.te
|
051bcb37133dba600512654a87dc1371f40191b2 |
02-Jun-2017 |
Dan Cashman <dcashman@google.com> |
Add BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIR Move vendor policy to vendor and add a place for system extensions. Also add such an extension: a labeling of the qti.ims.ext service. Bug: 38151691 Bug: 62041272 Test: Policy binary identical before and after, except plat_service_contexts has new service added. Change-Id: Ie4e8527649787dcf2391b326daa80cf1c9bd9d2f
dsprpcd.te
udioserver.te
luetooth.te
ootanim.te
ameraserver.te
erts/tango.x509.pem
erts/tango_dummy.x509.pem
erts/tango_release.x509.pem
hre.te
nd.te
ataservice_app.te
evice.te
omain.te
umpstate.te
sed.te
ile.te
ile_contexts
olio_daemon.te
atekeeperd.te
enfs_contexts
al_audio_default.te
al_bluetooth_default.te
al_bootctl.te
al_camera.te
al_camera_default.te
al_contexthub.te
al_drm_default.te
al_dumpstate_impl.te
al_fingerprint.te
al_fingerprint_default.te
al_gatekeeper.te
al_gatekeeper_qti.te
al_gnss_qti.te
al_graphics_composer_default.te
al_imsrtp.te
al_keymaster_qti.te
al_light.te
al_light_default.te
al_memtrack_default.te
al_nfc_default.te
al_oemlock_default.te
al_power_default.te
al_rcsservice.te
al_sensors_default.te
al_thermal_default.te
al_usb_default.te
al_vibrator_default.te
al_vr.te
al_wifi_default.te
al_wifi_offload_default.te
wservice.te
wservice_contexts
ms.te
nit-devstart-sh.te
nit-insmod-sh.te
nit-ipastart-sh.te
nit.te
nit_ese.te
nit_power.te
nit_radio.te
octl_defines
octl_macros
rsc_util.te
ernel.te
eys.conf
eystore.te
ocation.te
ogger_app.te
ac_permissions.xml
ediacodec.te
ediaextractor.te
etd.te
etmgrd.te
d_services.te
er_mgr.te
er_proxy.te
erfd.te
latform_app.te
ort-bridge.te
roperty.te
roperty_contexts
logd.te
muxd.te
ti.te
adio.te
amdump.te
amdump_app.te
fs_access.te
ild.te
mt_storage.te
eapp_contexts
ensors.te
ervice.te
ervice_contexts
hell.te
mlog_dump.te
sr_detector.te
sr_diag.te
sr_setup.te
ubsystem_ramdump.te
urfaceflinger.te
ystem_app.te
ystem_server.te
ango_core.te
ee.te
hermal-engine.te
ime_daemon.te
eventd.te
ntrusted_app.te
pdate_engine_common.te
pdate_verifier.te
ndservice.te
ndservice_contexts
old.te
cnss_filter.te
cnss_service.te
|