| 591308e3bfe14aebeb380e946fa850ef034fed3b |
05-Jun-2018 |
Jaekyun Seok <jaekyun@google.com> |
Fix access denials for Render script props
ro.vendor.graphics.memory and vendor.debug.rs.* are used by Render
script (one of same-process HALs).
So they should be public-readable because Render script can be loaded
from almost everywhere.
Bug: 109653662
Test: succeeded building and tested with taimen
Change-Id: I5c6d6dd2f2406feaec60c965a763215c4a064f52
roperty_contexts
|
| da2016576ae6d4ded0408f632d742a0a1a4b44ab |
23-May-2018 |
Jaekyun Seok <jaekyun@google.com> |
Fix access denials for libEGL props
vendor.debug.egl.changepixelformat and vendor.debug.prerotation.disable
are used by libEGL (one of same-process HALs).
So they should be public-readable because libEGL can be loaded from
almost everywhere.
Bug: 80135368
Test: succeeded building and tested with taimen
Change-Id: I2e9c0809a4868329ab76a94800a144283f523579
Merged-In: I2e9c0809a4868329ab76a94800a144283f523579
(cherry picked from commit 52ca941f7a0235cc07f7df606f36c46e02eeff14)
roperty_contexts
|
| 484b83c96ce47ad06de204702b0b27599c818134 |
22-May-2018 |
Jayachandran C <jayachandranc@google.com> |
sepolicy: cleanup tel_mon_prop as its no more used
Test: Verified connectivity monitor app works without denial
Bug: 79255514
Change-Id: Id8ebac2f3453a8fc175a91d60caad173734aa6cd
roperty.te
adio.te
ild.te
ystem_app.te
|
| 83fc9c19952951de4ffb366cdd6078abad3f7216 |
22-May-2018 |
Thierry Strudel <tstrudel@google.com> |
Merge "Adjust for QCOM BT HAL property name changes" into pi-dev
|
| 35e267a41faf466dc2a447366794e0741ff41a4e |
22-May-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Temporarily whitelisting system domains writing vendor props" into pi-dev
|
| 906e91433b7b849219d859dae6fe71f32d76c842 |
12-May-2018 |
Petri Gynther <pgynther@google.com> |
Adjust for QCOM BT HAL property name changes
Bug: 36513925
Test: Manual Bluetooth test
Change-Id: I492fde56b7f10395869ac32e8d6dd20268ce5230
roperty_contexts
|
| 5cb44010b24e23f7839848c97e575f70113adcab |
21-May-2018 |
Paul Crowley <paulcrowley@google.com> |
Remove device-specific metadata policy that's now in platform.
Bug: 79781913
Test: compiles
Change-Id: Ie632d1a4c44f491415ae9bb2ceb1264f0cfa5096
ile_contexts
|
| bda628fe83f10a29f6293e259c9ddb808c28d68d |
17-May-2018 |
Petri Gynther <pgynther@google.com> |
wahoo: sepolicy: add missing vendor_bluetooth_prop
Add missing vendor_bluetooth_prop:
persist.service.bdroid.snooplog
Usage:
1. vendor/qcom/sdm845/proprietary/bluetooth/
hidl_transport/bt/1.0/default/logger.cpp:
property_get("persist.service.bdroid.snooplog", ...)
2. init.hardware.diag.rc.userdebug:
on property:sys.logger.bluetooth=true
setprop persist.service.bdroid.snooplog true
on property:sys.logger.bluetooth=false
setprop persist.service.bdroid.snooplog false
Bug: 77633703
Test: Manual
Change-Id: I781fe8b8b5937a706eccc55f027255ccebe67a5c
roperty_contexts
|
| b7e3d9f3defac20a0123f9df3052e62c96b31131 |
14-May-2018 |
Ruchi Kandoi <kandoiruchi@google.com> |
Add dontaudit rules for nfc.persist properties
Since NFC has a common vendor library, adding dontaudit rules
for properties which are not used by this product.
type=1400 audit(0.0:35): avc: denied { read } for comm="nfc@1.1-service"
name="u:object_r:default_prop:s0" dev="tmpfs" ino=17612 scontext=u:r:hal_nfc_default:s0
tcontext=u:object_r:default_prop:s0 tclass=file permissive=0
Test: check logcat
Bug: 79417308
Change-Id: If2d0a1d3403851d819305f18c96c18eca35db7a8
al_nfc_default.te
roperty.te
roperty_contexts
|
| 3ee4e77674ecce82dadfcf5c64d87ce6d65a88b0 |
14-May-2018 |
Jiyong Park <jiyong@google.com> |
Temporarily whitelisting system domains writing vendor props
system properties must not be used as a communication channel in between
system and vendor processes. However, there has been no enforcement on
this: system process could write system properties that are owned and
read by vendor processes and vice versa. Such communication should be
done over hwbinder and should be formally specified in HIDL.
Until we finish migrating the existing use cases of sysprops to HIDL,
whitelisting them in system_writes_vendor_properties_violators so that
the violators are clearly tracked.
These violators are allowed only for P, but not for Q.
Bug: 78598545
Test: m -j selinux_policy
Change-Id: I60b12f1232c77ad997c8c87e6d91baa14c626e94
luetooth.te
ameraserver.te
harger.te
atekeeperd.te
ealthd.te
adio.te
urfaceflinger.te
ystem_app.te
ystem_server.te
|
| 9cafa9a1914322c31fd6bb8a672b0650b1a64add |
12-May-2018 |
Joel Galenson <jgalenson@google.com> |
Track nfc SELinux denial.
This should help fix presubmit tests.
Bug: 79617173
Test: Built policy.
Change-Id: Ia6b55c7aa329366bde2390939883fb8f4770eff1
ug_map
|
| 55e9c926f4dd9ab76b7fe4f4942148d76982846b |
12-May-2018 |
Sean Callanan <spyffe@google.com> |
Merge "wahoo: Update sepolicy for LA.UM.6.4.9.C2.07.00.00.386.031" into pi-dev
|
| 3550ada6f73c05e5527449f467e552141d661bb6 |
12-May-2018 |
Sean Callanan <spyffe@google.com> |
wahoo: add bug_map for b/79617173
AU031 graphics drivers introduce SELinux denials for
"vendor_default_prop".
Pending a proper fix, tracking this bug so the new graphics driver
can be merged.
Test: Check that presubmit succeeds.
Bug: 79426077
Change-Id: I775de870c6fae32f35acaa7017192ef12254dd7f
ug_map
|
| 84f819c57f94fe0cbad197750ec262cc8b671d4c |
09-May-2018 |
Sean Callanan <spyffe@google.com> |
wahoo: Update sepolicy for LA.UM.6.4.9.C2.07.00.00.386.031
Bug: 79426077
Test: CTS, PTS pending
Change-Id: Ic5b7c473deec50a8e48c8db0130666093e5562b8
ile_contexts
|
| 28607db79b7495818f9f1ea7a65e9e6d4e77a283 |
11-May-2018 |
Joel Galenson <jgalenson@google.com> |
Track per_proxy SELinux denial.
This should help fix presubmit tests.
Bug: 79541095
Test: Built policy.
Change-Id: Ide4401527cce5473288092a6c44fc446e9c1fc27
(cherry picked from commit 703a55c3a9b40c560e91c7bc3128f8949e48fa14)
ug_map
|
| ed36ecb6ecb0acce8f3223d7c5b0bf75ea883f10 |
03-May-2018 |
Kevin Rocard <krocard@google.com> |
Merge "Whitelist audio vendor property" into pi-dev
|
| a9c681f94fa785c792b068fe958ecaea2b7ddc18 |
02-May-2018 |
Kevin Rocard <krocard@google.com> |
Whitelist audio vendor property
audio.usb.enable.debug is used to dump information of the
audio usb device connected in the vendor implementation.
Bug: 77926553
Test: atest VtsHalAudioV4_0TargetTest
without sepolicy errors
Signed-off-by: Kevin Rocard <krocard@google.com>
Change-Id: Ia36823fab7087c3dd77eade28fe14dc6805a1551
roperty_contexts
|
| 24982f59c6afa8ec3b0d7615cafa09954118ed84 |
02-May-2018 |
android-build-team Robot <android-build-team-robot@google.com> |
Merge "Namespace ssrdump properties with vendor prefix" into pi-dev
|
| 2c67552cfddb01f78b909a3a9ffc79edc18da00a |
26-Apr-2018 |
Joel Galenson <jgalenson@google.com> |
Hide denials caused by race with labeling.
These denials seem to be caused by a race with the process that labels
the files.
Bug: 77635294
Test: Build policy.
Change-Id: Ieed9c2be18a092e92ec90fc8a07fa17c8ec19308
ug_map
endor_init.te
|
| 6c9599d865591172897c37c7c9f69650b8830e44 |
24-Apr-2018 |
Joel Galenson <jgalenson@google.com> |
Allow access to sysfs_timestamp_switch.
We've seen these processes trying to access this file, so allow it.
Note that this is likely why they needed the sysfs_diag permission we
granted earlier.
Bug: 77908806
Test: Build
Change-Id: I60a2dae5a0635156070397242f13695678f1d00e
(cherry picked from commit 2e41f0e3f09f8f7caedca37454d18fe0e8dd9891)
al_gnss_qti.te
ti.te
adio.te
|
| 09e056efe1b4872abb7b9d52fa5617af2bd3a131 |
24-Apr-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Handle radio diag-related denials." into pi-dev
|
| 64f3848f9ed71eb95f74489bc91bce14fc4f1fd9 |
24-Apr-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "sepolicy: Fix denial when dump powerhal" into pi-dev
|
| 731a3272ad5c9b9087b0cca3b696b7b29aad55d1 |
24-Apr-2018 |
Joel Galenson <jgalenson@google.com> |
Handle radio diag-related denials.
This allows the behavior on userdebug and eng builds and hides it on
user builds.
Bug: 77908806
Test: Build policy.
Change-Id: I0d858a94bb1bab6069107209494536a62019788f
(cherry picked from commit e7e22f5e8270b78c14700a77232044224426f278)
adio.te
|
| b296bbf7f09d5b73e5f14abcb1bd5b9668ac0074 |
11-Apr-2018 |
Kelly Rossmoyer <krossmo@google.com> |
Add temp workaround Easel power stats on 2017
While snapshot Easel power data is captured in bugreports via dumpstate,
Easel does not provide low power stats on a recurring basis via
PowerHAL, which is the type of data need to detect the presence and
scope of power drain issues in the field. As a temporary workaround,
this set of changes keeps cumulative counts of the number of times
PowerHAL saw Easel's state (an existing sysfs node) as "on" (state 1)
or "not on" (state 0 or 2), and logs the "on" count as cumulative count
and the "not on" count as cumulative duration.
This does not sufficiently address the long term need for cumulative
stats, since this will just be comprised of essentially random snapshots
of Easel's current state. However, for the known issue already being
investigated, this should be enough to gauge the scope of the issue.
sepolicy updates allow hal_power to search/read the directory/file
containing Easel's current state: /sys/devices/virtual/misc/mnh_sm/state
Bug: 77208137
Bug: 36576572
Test: Installed on taimen, used camera for various functions, used
easel debug commands and properties to force it into different states,
captured a bugreport and verified the content against observed "current
state" values from monitoring the state file while performing similar
camera functions.
Change-Id: Ib1ee92db477d2a6c9d6f293fb4fcc2f753b8335a
al_power_default.te
|
| b11f26963ab6cbe17801acbae9fbffe02b0cfd51 |
18-Apr-2018 |
Tom Cherry <tomcherry@google.com> |
Merge "vendor_init permissions for unencrypted_data_file are now global" into pi-dev
|
| e998016833d78bc8d68abadf3c3b0c3e1ae8207e |
18-Apr-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Apply whitelist of bluetooth_prop and wifi_prop (2/2)" into pi-dev
|
| 811d138338cdc049749487963e48abe55b0b6093 |
17-Apr-2018 |
David Lin <dtwlin@google.com> |
haptics: Implement constant effect for heavy click
This patch implements support for heavy click effect which has the
following UX requirements:
- 8 ms in square wave and full amplitude for Walleye
- 12 ms in square wave and full amplitude for Taimen
Bug: 77863933
Test: manual long press test
Change-Id: Ibc30117fecb234a6b400123e5f18a7c100ae36cb
Signed-off-by: David Lin <dtwlin@google.com>
roperty_contexts
|
| 7ee031af1479090ce759f4af62162380082fb4ba |
17-Apr-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Give access persist.radio access" into pi-dev
|
| 98e3e69245a067d6ccbd48631cb9f7d1fe088861 |
17-Apr-2018 |
Sooraj Sasindran <sasindran@google.com> |
Give access persist.radio access
Give persist.radio access to connectivity monitor
Bug: 73953318
Test: verified that connectivy monitor works
fine
Change-Id: Idbcb87f45f809aa9fef00b8a6f2e191cf7e562f8
on_monitor.te
roperty_contexts
|
| 8010c0b1edaa89436f3fc39b649511cba44a033c |
17-Apr-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Add bug_map entries for bugs we've seen." into pi-dev
|
| 267d8aeabf1cb1a841b7a03002797a0345e56a2a |
16-Apr-2018 |
Joel Galenson <jgalenson@google.com> |
Add bug_map entries for bugs we've seen.
This adds numerous bug_map entries to try to annotate all denials
we've seen.
Bug: 78117980
Test: Build
Change-Id: I78923ebeb8837e09920941450d40504da3924022
(cherry picked from commit e97c886ed97b2474785642f9e8ac56be89e34d38)
ug_map
|
| 4398397246896e27cdf350535133afee458702e1 |
13-Apr-2018 |
Joel Galenson <jgalenson@google.com> |
Allow some denials we have seen.
This addresses the following denials:
avc: denied { module_request } for comm="dnsmasq" kmod="netdev-bt-pan" scontext=u:r:dnsmasq:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
avc: denied { module_request } for comm="allocator@2.0-s" kmod="crypto-heh(aes)" scontext=u:r:hal_graphics_allocator_default:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
avc: denied { module_request } for comm="android.hardwar" kmod="crypto-hmac(sha256)" scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
avc: denied { sigkill } for comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netutils_wrapper:s0 tclass=process permissive=0
avc: denied { sys_module } for comm="android.fg" capability=16 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=capability permissive=0
avc: denied { search } for comm="cnss-daemon" name="net" dev="sysfs" scontext=u:r:wcnss_service:s0 tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0
Bug: 78117980
Test: Build.
Change-Id: I7e201147271a32ea8420406af221aa7678374d78
(cherry picked from commit cd761300c1cc67cb2be3e001b95317e8a865c5fe)
nsmasq.te
al_graphics_allocator_default.te
al_graphics_composer_default.te
etmgrd.te
ystem_server.te
cnss_service.te
|
| ff468bf2b43a1cef9ee4a3ff83364b3e72140544 |
13-Apr-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Suppress hal_wifi_default module loading denials." into pi-dev
|
| 9bca65d293d86357ef1f2e295fe456e89bac485c |
13-Apr-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Handle some diag-related denials." into pi-dev
|
| b19ca9ab95a59e31b3ceff64a03dee790ce432ea |
13-Apr-2018 |
Jie Song <jies@google.com> |
Namespace ssrdump properties with vendor prefix
Bug: 77553553
Change-Id: I5d0f8204f5ab310846deeaf9e91d28fe50cc0ad9
al_bluetooth_default.te
roperty.te
roperty_contexts
amdump_app.te
sr_detector.te
ubsystem_ramdump.te
cnss_filter.te
|
| 659079a8620715434bd97842d9681014ded1a7da |
13-Apr-2018 |
Tom Cherry <tomcherry@google.com> |
vendor_init permissions for unencrypted_data_file are now global
So they can be removed from this device specific policy.
Bug: 77850279
Test: walleye + more restrictions continues to have FBE work
Change-Id: Ib77abd81ae886b40f5a078c379d352a53d865e31
endor_init.te
|
| aa293f7fa90eff91af04bd0df517fbde86d919cd |
12-Apr-2018 |
Joel Galenson <jgalenson@google.com> |
Suppress hal_wifi_default module loading denials.
This suppresses the following denials:
avc: denied { module_request } for comm="android.hardwar" kmod="netdev-wlan0" scontext=u:r:hal_wifi_default:s0 tcontext=u:r:kernel:s0 tclass=system
avc: denied { sys_module } for comm="android.hardwar" capability=16 scontext=u:r:hal_wifi_default:s0 tcontext=u:r:hal_wifi_default:s0 tclass=capability
Bug: 77973826
Test: Boot device.
Change-Id: I2eb4789892172cb119f50084cfe9718d8ead647d
(cherry picked from commit 82ee41e471025be3d4ce161f2b484481b583abde)
al_wifi_default.te
|
| 5d9c327f6ec451b331bb334d79b87b41dec243b7 |
12-Apr-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "hal_tetheroffload: move hwservice mapping to core policy" into pi-dev
|
| 9f5e50beb77773e68fa1ef55f709ee6dd1b1d5bc |
12-Apr-2018 |
Wei Wang <wvw@google.com> |
sepolicy: Fix denial when dump powerhal
Bug: 77919134
Test: Build
Change-Id: Ie49fcc4593c48ad109be45fdce7949b3cd39eeed
al_power_default.te
|
| 8424d3b945ebcc26b7019eb8769bd660fd3ad4fa |
11-Apr-2018 |
Jeff Vander Stoep <jeffv@google.com> |
hal_tetheroffload: move hwservice mapping to core policy
Addresses:
avc: denied { find } for
interface=android.hardware.tetheroffload.config::IOffloadConfig
scontext=u:r:system_server:s0
tcontext=u:object_r:default_android_hwservice:s0
tclass=hwservice_manager
Bug: 77855688
Test: build/boot Sailfish, turn on tethering, no selinux denial
Change-Id: I97cae0928b5311a4da41d19cbd5c863c3137a49f
wservice_contexts
|
| e2be8c24de86b5688cd9fce7c8bdd3ff6fd5b059 |
11-Apr-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Track spurious hal_imrsc selinux denial
Caused by changes in b/77725358.
Track:
avc: denied { read } for comm="ims_rtp_daemon"
name="u:object_r:default_prop:s0" scontext=u:r:hal_imsrtp:s0
context=u:object_r:default_prop:s0 tclass=file
Bug: 77725358
Test: build/boot Taimen
Change-Id: Ic6234905e1694cab4bb8ef385f3dbe5455ef35b6
ug_map
|
| daa6fec44fc33fb2dd5b69b417c898c085cb97f1 |
10-Apr-2018 |
Joel Galenson <jgalenson@google.com> |
Handle some diag-related denials.
This allows the behavior on userdebug and eng builds and hides it on
user builds.
Bug: 77908806
Test: Boot device.
Change-Id: I936f08283bcd03ef88c55b3849f54d2dab5a5d64
(cherry picked from commit 3e3da1baaac981a17c5e40ae7d20110a113d5c63)
al_gnss_qti.te
ti.te
adio.te
|
| 7a12e2e56a76fa8f4ead0184f22f39ae3d1f8e29 |
10-Apr-2018 |
Jaekyun Seok <jaekyun@google.com> |
Correct misspelled "perist." with "persist." (5/5)
Bug: 77725358
Test: succeeded building
Change-Id: I8fbf7a8718f409f87410a7b9b1b45ab122620417
roperty_contexts
|
| 6a9651b762d064260dee2e73fd59707977802b78 |
05-Apr-2018 |
Joel Galenson <jgalenson@google.com> |
Track vendor_init SELinux denial.
This should help fix presubmit tests.
Bug: 77635294
Test: Built policy.
Change-Id: I884ee75106c055aa7eb7af9f373d18e828a9f4e9
(cherry picked from commit 1c81d19b818ca93b64b05ebeced80048da8c3233)
ug_map
|
| 5fb4818d68f7c71fcc5c6950ffc4fbbf3a8354b9 |
09-Apr-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Allow RILD to read xt_qtaguid iface stats on wahoo" into pi-dev
|
| 97121bbe703197bde1752f28b8bbb4f9c519903d |
09-Apr-2018 |
Jaekyun Seok <jaekyun@google.com> |
Apply whitelist of bluetooth_prop and wifi_prop (2/2)
Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: I440603705f5cbf6701c8521873792b9448fa5c7d
luetooth.te
al_bluetooth_default.te
roperty.te
roperty_contexts
ystem_app.te
endor_init.te
cnss_filter.te
|
| d4235d2c5ac7f235595d4c6e5639fedeff6b8db5 |
06-Apr-2018 |
Chenbo Feng <fengc@google.com> |
Allow RILD to read xt_qtaguid iface stats on wahoo
The RILD process on W/T need to get the per iface stats from
proc/net/xt_qtaguid/iface_stat_fmt file. So we have to grant it the
permission since there is no native API for that.
Bug: 68774956
Test: device boot without selinux violation
Change-Id: Ib86916951cb8f340bfef55814ae8c4fef0f51338
ild.te
|
| a60f2873a57992f371967d31ef3305ae7360efd1 |
06-Mar-2018 |
Alan Stokes <alanstokes@google.com> |
Add /sys/kernel/memory_state_time to sysfs_power.
This allows system_server to access it for determining battery stats
(see KernelMemoryBandwidthStats.java).
batterystats-wo: type=1400 audit(0.0:429): avc: denied { read } for name="show_stat" dev="sysfs" ino=48071 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
Bug: 72643420
Bug: 73947096
Test: Policy still builds.
Change-Id: I2a31178f3fb2b5761050896579650a062ea026d2
enfs_contexts
|
| 6452bcd371c06a5c1002ed6bb8d3d5edcdb42c9b |
04-Apr-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "battery cycle counts: backup/restore + update dumpstate" into pi-dev
|
| 138bd6b43874093fbf88933b34d6f7d4b087f86d |
04-Apr-2018 |
Ruchi Kandoi <kandoiruchi@google.com> |
Merge "Add support for NFC 1.1" into pi-dev
|
| fa1279bd6bbab0b2ff07e5079da45a082efd3622 |
04-Apr-2018 |
Thierry Strudel <tstrudel@google.com> |
battery cycle counts: backup/restore + update dumpstate
Tests:
- pts-tradefed run pts -a arm64-v8a -m PtsHardwareInfoHostTestCases
- adb bugreport
- no "avc: denied" on health vendor service
- cycle count stored in /persist/battery/qcom_cycle_counts_bins
Bug: 72776338
Bug: 77498107
Change-Id: Ia1a58441fff511c60278b5d97806655c34aec610
Signed-off-by: Thierry Strudel <tstrudel@google.com>
ile.te
ile_contexts
enfs_contexts
al_dumpstate_impl.te
al_health_default.te
ardware_info_app.te
|
| 0662668209e314a33e5a48824d90e479c9fee689 |
28-Mar-2018 |
Tri Vo <trong@google.com> |
wahoo: Mark proc_* types with proc_type attribute.
Bug: 74182216
Test: build policy
Change-Id: I6e541d0111639a213b80d755adc546f653531103
Merged-In: I6e541d0111639a213b80d755adc546f653531103
(cherry picked from commit ece77653a531cf55f25304964e6c047a641c85da)
ile.te
|
| 4d35724ee40266004a8254e9ba8e94332d70fc2a |
22-Mar-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Add sysfs_type attr to sysfs_irq
Tests in aosp/646548 assert that genfs_contexts labeled filesystems
use the correct attributes such as files in /sys having sysfs_type.
Bug: 74182216
Test: build with aosp/646548 - these are build-time tests.
Change-Id: If82fe17632f0c28e481eb7e831730c6ba22d3877
Merged-In: If82fe17632f0c28e481eb7e831730c6ba22d3877
(cherry picked from commit 4abb3d041332dcb7cd29ad1d38408c57432a5ca9)
ile.te
|
| 847e28f86e226e49bb9253823df9d238bf10e31f |
31-Mar-2018 |
Ruchi Kandoi <kandoiruchi@google.com> |
Add support for NFC 1.1
Supresses the following denials:
denied { add } for interface=vendor.nxp.nxpnfc::INxpNfc pid=5675 scontext=u:r:hal_nfc_default:s0
tcontext=u:object_r:default_android_hwservice:s0 tclass=hwservice_manager permissive=0
denied { find } for interface=vendor.nxp.nxpese::INxpEse pid=5675 scontext=u:r:hal_nfc_default:s0
tcontext=u:object_r:default_android_hwservice:s0 tclass=hwservice_manager permissive=0
Test: Enable/Disable NFC, Tag reading
Bug: 75980364
Change-Id: I337810ff89d61f796cb213cd931a7b665870029e
al_nfc_default.te
wservice.te
wservice_contexts
|
| 436d59a04d5a700f3f28af782a39ff740b22bddf |
31-Mar-2018 |
Edwin Wong <edwinwong@google.com> |
Merge "Rename Widevine HIDL service to v1.1." into pi-dev
|
| e3894648febfd3a9fee500747f06b9f704ba1986 |
22-Mar-2018 |
Edwin Wong <edwinwong@google.com> |
Rename Widevine HIDL service to v1.1.
Widevine HIDL service added new v1.1 media APIs,
the service version is updated to 1.1.
Test: Netflix and Play Movies & TV (streaming and offline playback)
Test: GTS WidevineH264PlaybackTests test
e.g. ANDROID_BUILD_TOP= ./android-gts/toolsefed run gts -m GtsMediaTestCases
--test com.google.android.media.gts.WidevineH264PlaybackTests#testL1With480P30
bug: 69674645
Change-Id: I287d48bf7cef5b3bb30e21b3794cc7422701ca6c
ile_contexts
al_drm_widevine.te
|
| 8fa09289ec18a05b45228639daac40bff2bb2eb1 |
27-Mar-2018 |
Thierry Strudel <tstrudel@google.com> |
sepolicy: add type for persist.vendor.charge.
Bug: 73647497
Change-Id: I169195f97e2fd42c4106723023e523fd70f255e9
Signed-off-by: Thierry Strudel <tstrudel@google.com>
roperty.te
roperty_contexts
endor_init.te
|
| 2003abeffb1932c2c1d4025e3d8ace4cf0afd562 |
28-Mar-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Enable TCPM, pd_engine logs on user build." into pi-dev
|
| e8a3dcb674d9fc597d9c6dbd0156fa69ee9b630b |
20-Mar-2018 |
Jie Song <jies@google.com> |
Add SELinux permissions for vendor usb config
Bug: 74603740
Change-Id: I72adb62f6dc8c85ce265616cb13fc638a131e253
al_usb_impl.te
ogger_app.te
roperty.te
roperty_contexts
|
| d1028fde357c6db935d745b55b53fb6c82e26c8d |
27-Mar-2018 |
Badhri Jagan Sridharan <badhri@google.com> |
Enable TCPM, pd_engine logs on user build.
Bug: 75396562
Test: User build bugreports had tcpm and pd_engine logs
Change-Id: I77fae102202aa66aa14f6a44fd5bcb3a8531790a
al_dumpstate_impl.te
|
| 296546cdc73ca68e9a0dd662fd277efe6638bdce |
24-Mar-2018 |
Ecco Park <eccopark@google.com> |
wifi: create the sys property for wlan driver/firmware
Bug: 76220544
Test:
No denial error found for selinux
Signed-off-by: Ecco Park <eccopark@google.com>
Change-Id: If379812a7c8df7fd84beec6734313459938d540e
ile.te
ile_contexts
enfs_contexts
nit-wlan-sh.te
roperty.te
roperty_contexts
sr_detector.te
|
| 274196bca441761fd5b706fe6908be45d80bb0aa |
22-Mar-2018 |
Jaekyun Seok <jaekyun@google.com> |
Namespace ramdump_prop with vendor prefix (2/7)
debug.ramdump.* and persist.sys.crash_rcu should be renamed to
vendor.debug.ramdump.* and persist.vendor.sys.crash_rcu repectively
because they are vendor-specific properties.
Bug: 74266614
Test: succeeded building and tested with taimen
Change-Id: I4d277207b68000160e101456e110656aa483eb83
roperty.te
roperty_contexts
amdump.te
amdump_app.te
|
| d315a83f14113856746fce9b81eb9d485780bcb1 |
22-Mar-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "wahoo: power: add dumpstate support in Power HAL" into pi-dev
|
| e671f7473c1d63207ef268e48f315c31a16c5103 |
29-Jan-2018 |
Wei Wang <wvw@google.com> |
wahoo: power: add dumpstate support in Power HAL
Test: Capture bugreport and check:
lshal-debug/android.hardware.power@1.2::IPower_default.txt
Bug: 72071908
Change-Id: I0220ce80e69636381d0901c69896b7ce96fde323
al_power_default.te
|
| ab8d91f947944487adcc54ceeb8add84ea971504 |
16-Mar-2018 |
Thierry Strudel <tstrudel@google.com> |
dumpstate: dump SRAM & power supply properties
Bug: 74954924
Change-Id: I4e2ba0efaf453d0f713d8859945e61e5f5d9ed8d
Signed-off-by: Thierry Strudel <tstrudel@google.com>
umpstate.te
ile.te
enfs_contexts
al_dumpstate_impl.te
|
| 8e42ca9426069d06cafc3246e15271eba996e9db |
15-Mar-2018 |
Andrew LeCain <alecain@google.com> |
Add qsee_log to dumpstate
Updating dumpstate to cat /d/tzdbg/qsee_log
Added debugfs_tzdbg selinux security context
Give hal_dumpstate_impl debugfs_tzdbg read permissions
Fixes: 74536221
Test: taimen: adb bugreport, qsee_log in dumpstate_device.txt
Change-Id: If80e665b789125d11a55d2812380aa4b906f10ab
ile.te
enfs_contexts
al_dumpstate_impl.te
|
| 9309dd42afd014cc10576f6b6cd65417e369e994 |
12-Mar-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge changes from topic "bugreport-zero-denials-pi-dev" into pi-dev
* changes:
Remove regex and label the whole directory.
Remove unnecessary permissions.
Grant hal_bootctl permissions for new type.
Ensure taking a bugreport generates no denials.
|
| 1e824c790435aa0da17859e8a9e8395184fde841 |
10-Mar-2018 |
Amruth Ramachandran <amruthr@google.com> |
Merge "ConnectivityMonitor sepolicy update: Add audio_server permission" into pi-dev
|
| e176b1e9d1b8f931d938e87f64a6670706b2667c |
03-Mar-2018 |
Petri Gynther <pgynther@google.com> |
Walleye/Taimen: switch to QCOM BT HAL
The flag definition:
BOARD_USES_SDM845_BLUETOOTH_HAL := true
adds SDM845 Bluetooth components to the build:
vendor/qcom/sdm845/proprietary/bluetooth/hidl_transport/Android.mk
vendor/qcom/sdm845/proprietary/bt/hci_qcomm_init/Android.mk
and removes MSM8998 Bluetooth components from the build:
vendor/qcom/msm8998/prebuilts/grease/target/product/msm8998/Android.mk
vendor/qcom/msm8998/proprietary/proprietary/bt/hci_qcomm_init/Android.mk
Effectively, Walleye/Taimen switch to the same QCOM BT HAL as B1/C1.
Bug: 73968979
Test: Manual build and test with BT A2DP headphones
(cherry picked from commit 7c2dc1679dc6cfc4576a53cf7257c94f654dae2e)
Change-Id: I4d6444932a807e573f6e8d88c6ad4ba4de8f277a
ile_contexts
al_bluetooth_default.te
|
| 43e4bf7ab7cde8b8bde22213b0f73cc61f38c4ba |
08-Mar-2018 |
Amruth Ramachandran <amruthr@google.com> |
ConnectivityMonitor sepolicy update: Add audio_server permission
ConnectivityMonitor requires the current audio route for voice calls.
Error fixed:
auditd : avc: denied { find } for service=media.audio_policy pid=4056
uid=1001 scontext=u:r:con_monitor_app:s0:c233,c259,c512,c768
tcontext=u:object_r:audioserver_service:s0 tclass=service_manager
permissive=0
Bug: 3619416
Change-Id: I6f5c1512a554b2db21768aa36277ada7e57fdf8a
on_monitor.te
|
| c10e253c27f09eea56e9cc670a24a6c76d3eba3a |
06-Mar-2018 |
Joel Galenson <jgalenson@google.com> |
Remove regex and label the whole directory.
This is cleaner, as it allows us to remove a regex and label the
entire directory, and it will hopefully improve performance.
Bug: 74209458
Bug: 74366296
Test: Boot device, verify file labels, and test wifi and camera.
Test: Locally flashed OTA by following go/manual-ab-ota.
Test: Locally tested updated_verifier by following b/74366296#comment8.
Merged-In: I003dc949cf109cc63d75cee9515ef72cb9d0f055
Change-Id: I85f07b2fc8bfb472f25a66e32d3c7d746886535e
(cherry picked from commit 8a70f7ef1d1805a8f79486c10280407354f1230b)
umpstate.te
ile.te
ile_contexts
enfs_contexts
old.te
|
| fd5a749d3bdf3844e869932d09b07e775f398977 |
06-Mar-2018 |
Joel Galenson <jgalenson@google.com> |
Remove unnecessary permissions.
Remove sysfs file permissions and use the generic type for
directories.
Bug:74213358
Test: Flash OTA.
Merged-In: I27a27972f01a273b4eb65d72dd8f2827c1a374af
Change-Id: I27a27972f01a273b4eb65d72dd8f2827c1a374af
(cherry picked from commit 278cab5f371e79b638a71c45bbc8afd523b15d13)
al_bootctl.te
|
| 1b7e98f600a596a5d3a09cc1f369556fdbbf048c |
06-Mar-2018 |
Joel Galenson <jgalenson@google.com> |
Grant hal_bootctl permissions for new type.
Bug: 74213358
Test: Built policy.
Merged-In: Icf523468e06b65095755594a8de68f42c789751c
Change-Id: Icf523468e06b65095755594a8de68f42c789751c
(cherry picked from commit 84e961164e269241eebf4bc78650c796c7d2e502)
al_bootctl.te
|
| f39d286782e6c8259389ef5ecb5cf63fcfe42a4d |
02-Mar-2018 |
Joel Galenson <jgalenson@google.com> |
Ensure taking a bugreport generates no denials.
This commit adds new SELinux permissions and neverallow rules so that
taking a bugreport does not produce any denials.
Bug: 73256908
Test: Captured bugreports and verified that there were no denials.
Merged-In: I84ed2be7438a4202d37ff91cb3846f491de29d70
Change-Id: I84ed2be7438a4202d37ff91cb3846f491de29d70
(cherry picked from commit d7854eb513f1533b0239baa81706b37a327cb529)
umpstate.te
ile.te
ile_contexts
enfs_contexts
al_dumpstate_impl.te
mlog_dump.te
old.te
|
| ba1439d10aad8295d11922087e2f3f6c8c6faac3 |
03-Mar-2018 |
Siqi Lin <siqilin@google.com> |
sepolicy: allow vendor_init to write to /proc/sysrq-trigger
Bug: 73088609
Test: manual - trigger crash from app
Change-Id: I045169d7ea6a38d681dc6826117e505cd20aadd0
endor_init.te
|
| e21d70c4c2402e3b85fbebb2d5cdb55971b49b88 |
01-Mar-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove vendor_firmware_file type" am: 372ca940fa am: 40e63f8870
am: 6288f2168a
Change-Id: I1bbdb6dce6bc92e9927467ee5eb211197bbfab43
|
| 6288f2168ad5a0c51185b43077cdbef9143c2646 |
01-Mar-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove vendor_firmware_file type" am: 372ca940fa
am: 40e63f8870
Change-Id: Ic96bfa59c1bad09bedf9e52b6609c72e4377c723
|
| 40e63f8870669b10dd81771ac7e02db2798a8d1c |
01-Mar-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove vendor_firmware_file type"
am: 372ca940fa
Change-Id: I356475e25b2ef66768a5ce7355e116b5f1e27501
|
| 372ca940fac235839921cdf695e2634ff101bec1 |
01-Mar-2018 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Remove vendor_firmware_file type"
|
| 4ebfe92d376a6e3e6572b99eb86a1eda60feb4f3 |
01-Mar-2018 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "Revert "Remove vendor_firmware_file type"" am: 1f81b8e744 am: b5000a0215
am: 055997d543
Change-Id: I565e6ec33659b1cc4e47c96e94bafd18f5b33011
|
| 055997d543df3265dc443ba66035fe9eacbac1ce |
01-Mar-2018 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "Revert "Remove vendor_firmware_file type"" am: 1f81b8e744
am: b5000a0215
Change-Id: Iceb151d7550645925fb7b122dfff883f974fbd17
|
| 9df9ad04d44662df2d742784a23e1085c54c7388 |
28-Feb-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Remove vendor_firmware_file type
It's causing surfaceflinger denials and does not exist on other
devices. Grant kernel read access to vendor/firmware's new type.
denied { search } for comm="surfaceflinger" name="firmware"
scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:vendor_firmware_file:s0
tclass=dir
denied { read } for comm="surfaceflinger" name="a530_pm4.fw"
scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:vendor_file:s0
tclass=file permissive=0
Test: boot Taimen without denials.
Bug: 68213100
Change-Id: I8b070a0aae59e12391c881cec8a46b6b4dbe1c67
ug_map
ile.te
ile_contexts
ernel.te
urfaceflinger.te
|
| b5000a02153fa32ee85f1f2644235234ffaae3ac |
01-Mar-2018 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "Revert "Remove vendor_firmware_file type""
am: 1f81b8e744
Change-Id: Ifb8189756c229c542170a1a77ede49fbed769717
|
| 1f81b8e7443d1e049d8e18bab57124814a1408de |
01-Mar-2018 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "Revert "Remove vendor_firmware_file type""
|
| a49507adc5d43cc5376874c695d55ae2bb26257b |
01-Mar-2018 |
Jeffrey Vander Stoep <jeffv@google.com> |
Revert "Remove vendor_firmware_file type"
This reverts commit d96b55b88ab9e16b685cd0fff0bd11cce78a614c.
Reason for revert: b/74022074
Bug: 74022074
Change-Id: I84c5345c1a205257e088eccd01d3d93fd30a37c1
ug_map
ile.te
ile_contexts
ernel.te
|
| c0f0dfbfc4fa3abb222025ee8c50f7ed91e34e65 |
28-Feb-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove vendor_firmware_file type" am: d5a9eb456e am: 6497e43931
am: 03df7cb271
Change-Id: Ib6d63077d4e8b86bdeb38ce3a37519748502b842
|
| 03df7cb2719805e24230482494e995f0e283c1bb |
28-Feb-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove vendor_firmware_file type" am: d5a9eb456e
am: 6497e43931
Change-Id: Ic5ddc74850a08f3d3dc09dc3f38cdbb67230bd5d
|
| 6497e43931566c6f4dc5a0c7d5ce48bce22ee18e |
28-Feb-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove vendor_firmware_file type"
am: d5a9eb456e
Change-Id: I5e7196d2d1e55072408b2f1b4a2304ba88cbaf87
|
| d5a9eb456ec86be2853a158ce65abdb8c4098913 |
28-Feb-2018 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Remove vendor_firmware_file type"
|
| d96b55b88ab9e16b685cd0fff0bd11cce78a614c |
28-Feb-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Remove vendor_firmware_file type
It's causing surfaceflinger denials and does not exist on other
devices. Grant kernel read access to vendor/firmware's new type.
denied { search } for comm="surfaceflinger" name="firmware"
scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:vendor_firmware_file:s0
tclass=dir
Test: boot Taimen without denials.
Bug: 68213100
Change-Id: Ib5e1187a09ba59907c29e3de51f7189d25d42b49
ug_map
ile.te
ile_contexts
ernel.te
|
| 65890df658df3af8e72ae354f86c5efeb58b61aa |
27-Feb-2018 |
Joel Galenson <jgalenson@google.com> |
Dontaudit denial caused by race with labeling. am: 77e4c3efe1 am: 22ae0b6b75
am: f3b05bb52b
Change-Id: I339d681817edb849adaa10061bb93227466bb571
|
| f3b05bb52b53d76c04449e5bb66649a17eac159a |
27-Feb-2018 |
Joel Galenson <jgalenson@google.com> |
Dontaudit denial caused by race with labeling. am: 77e4c3efe1
am: 22ae0b6b75
Change-Id: I2d20f53479ff4c5867307225e7bf83741ee8fb4a
|
| 22ae0b6b75d65ebc21e67b72aea63d26acfa1fdd |
27-Feb-2018 |
Joel Galenson <jgalenson@google.com> |
Dontaudit denial caused by race with labeling.
am: 77e4c3efe1
Change-Id: If3329ca7398ed2b47c6687ddc069b04706be201b
|
| 77e4c3efe1edc517f7aaeeb31eab27d73f6ab121 |
26-Feb-2018 |
Joel Galenson <jgalenson@google.com> |
Dontaudit denial caused by race with labeling.
This denial seems to be caused by a race with the process that labels
the files. While we work on fixing it, hide the denials.
Bug: 68864350
Test: Built policy.
Change-Id: I3dc7f1a27714d81a42109d46b31b368c36e7fcff
ime_daemon.te
|
| fc86925b41424e2306a2ff8d4f1cba3f5aede793 |
23-Feb-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Upgrade vibrator to HAL 1.2"
|
| 3e8e6599972bf8fd48c832dbd5ba6214e0b2cefc |
29-Jan-2018 |
Michael Wright <michaelwr@google.com> |
Upgrade vibrator to HAL 1.2
Bug: 64184692
Test: build, flash and play with device
Change-Id: I44d82371e6a6d7dc7e05e740aa5f2fdb5c3f8df6
ile_contexts
|
| 4ede3902cb6c7f4c0a6e07ae89be19ac6600acf6 |
15-Feb-2018 |
Naina Nalluri <nainanalluri@google.com> |
Allow ConnectivityMonitor to use radio_service
This change is a result of moving
ConnectivityMonitor app to vendor partition
Fixes below errors:
02-13 15:13:13.620 1000 606 606 E SELinux : avc: denied { find }
for service=isub pid=3878 uid=1001
scontext=u:r:con_monitor_app:s0:c233,c259,c512,c768
tcontext=u:object_r:radio_service:s0
tclass=service_manager permissive=0
Bug: 73381264
Test: Tested on device
Change-Id: If6b22d23d1363c10bda3982bf30e97e35e044c60
on_monitor.te
|
| 0c995dbb15588bccdae265635ddc83842e186648 |
13-Feb-2018 |
Tri Vo <trong@google.com> |
Merge "Add todo to remove system_server access to cpufreq." am: ff77266206 am: 58a948528c
am: 7a1172d4fa
Change-Id: If51a0e9127237bed3798860afd6243e3712ffb32
|
| 7a1172d4fa3681dd2fef6502891782ad61626d4a |
13-Feb-2018 |
Tri Vo <trong@google.com> |
Merge "Add todo to remove system_server access to cpufreq." am: ff77266206
am: 58a948528c
Change-Id: I50635ec98499a45316dad313ca1bb31deee9ce58
|
| 58a948528c29ba24d55efa67c835acf37ce82747 |
13-Feb-2018 |
Tri Vo <trong@google.com> |
Merge "Add todo to remove system_server access to cpufreq."
am: ff77266206
Change-Id: Icae3b4be22b77311fa84aaf91b149b68a2dc1d63
|
| ff772662067f97b61073af68abf738c71d60cc97 |
13-Feb-2018 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Add todo to remove system_server access to cpufreq."
|
| 96a6c4d4fc9f216cad2780bff1fc83b767d680b6 |
08-Feb-2018 |
Tri Vo <trong@google.com> |
Merge "Label /sys/devices/virtual/net from device sepolicy." am: 8c538da276 am: 3b637ed63d
am: b59d49daf3
Change-Id: Ic6611fb824aeb46b22cab0e5250edb6549d7e02d
|
| b59d49daf31165cf6a8998b4e58b4fdfe23d0142 |
08-Feb-2018 |
Tri Vo <trong@google.com> |
Merge "Label /sys/devices/virtual/net from device sepolicy." am: 8c538da276
am: 3b637ed63d
Change-Id: I6b68004cab017a1e267ef01ae5df3108d25d5c1e
|
| 3b637ed63d5a602922e1f0c14b45f4c5e69551f0 |
08-Feb-2018 |
Tri Vo <trong@google.com> |
Merge "Label /sys/devices/virtual/net from device sepolicy."
am: 8c538da276
Change-Id: I79a45b47ed32e337f22d29f8faa31c0783de5993
|
| 8c538da276a21c2b3691bdab84029ad48b281015 |
08-Feb-2018 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Label /sys/devices/virtual/net from device sepolicy."
|
| 8c0ccd43df4b27684cfe6d6ee99a8c020a88e442 |
08-Feb-2018 |
Tri Vo <trong@google.com> |
Add todo to remove system_server access to cpufreq.
Bug: 73123675
Test: n/a
Change-Id: I8174711d2ad80575892149360564c420f07e264a
ystem_server.te
|
| 6ed46ddcd48a3146175a60165359986554d02bd4 |
08-Feb-2018 |
Tri Vo <trong@google.com> |
Merge "Allow BatterySaver access to cpufreq on wahoo." am: e6c6e5ed06 am: ddccabaae2
am: facc4ba606
Change-Id: I607f0192436f1fed5b586b436131f18cdbd02c48
|
| facc4ba606e85ad77f4bb64f8dc9437a87b96184 |
08-Feb-2018 |
Tri Vo <trong@google.com> |
Merge "Allow BatterySaver access to cpufreq on wahoo." am: e6c6e5ed06
am: ddccabaae2
Change-Id: Ifd2f163260d13b22b00f0b0751043612171a9bcd
|
| ddccabaae2d5c9c45bf0f2cd04bfedcc73f71088 |
08-Feb-2018 |
Tri Vo <trong@google.com> |
Merge "Allow BatterySaver access to cpufreq on wahoo."
am: e6c6e5ed06
Change-Id: I1b07b0826b6566feb339b3779ca56c34f949abde
|
| e6c6e5ed0609a13d6fff76e91ffd611afb5dfef4 |
08-Feb-2018 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Allow BatterySaver access to cpufreq on wahoo."
|
| cb798cfa6fcc8f4f3b2b90a04ee4092dd73e61b5 |
07-Feb-2018 |
Tri Vo <trong@google.com> |
Allow BatterySaver access to cpufreq on wahoo.
Bug: 68988722
Test: n/a
Change-Id: I58b502e0f9741f9374a2c079f8fad674639011e6
ystem_server.te
|
| e2e31436c83a317a1d2de4aea295512005598b9b |
07-Feb-2018 |
Tri Vo <trong@google.com> |
Label /sys/devices/virtual/net from device sepolicy.
This is done to preserve backwards compatibility of core policy.
Bug: 72878750
Test: combined wahoo sepolicy is unchanged.
Change-Id: I3e85bb94d1f0364a06f1af0d32c70abfedf4624e
enfs_contexts
|
| 2e9c3537f2e2b18578759e4201edb987f649a4d0 |
02-Feb-2018 |
Edwin Wong <edwinwong@google.com> |
Merge "Add SELinux policy for clearkey HIDL service." am: d08d2a34e1
am: ed1410eea2
Change-Id: Ie5872623bf49fbc1624d3b6b059e1468f37866cf
|
| ed1410eea2a27a9d7bd0c09d4809d99d468e221b |
02-Feb-2018 |
Edwin Wong <edwinwong@google.com> |
Merge "Add SELinux policy for clearkey HIDL service."
am: d08d2a34e1
Change-Id: Ic444b165e8a19bac3f7e609c023df418584251c8
|
| d08d2a34e1e26d942701fe020102322c59b63cc3 |
02-Feb-2018 |
Edwin Wong <edwinwong@google.com> |
Merge "Add SELinux policy for clearkey HIDL service."
|
| ea75afb33efa28a31632f4537fef574aaaf98061 |
02-Feb-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Add SELinux policy for clearkey HIDL service."
|
| ce26b1c561d31c1e2f97f434c169196c4472241d |
02-Feb-2018 |
Steve Pfetsch <spfetsch@google.com> |
Merge "Reflect libegl move in sepolicy"
|
| 358d72f626595048cf50e079d33946b283c3f985 |
01-Feb-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Reflect libegl move in sepolicy
libraries moved from /vendor/lib to /vendor/lib/egl.
Bug: 72814034
Test: spfetsch@ to verify
Change-Id: Ifd3d80053436aed6a42c4a64e113474eb65bbae5
ile_contexts
|
| 6c9b99e10861a7d3dfac0a55ab39670850a3da0e |
31-Jan-2018 |
Edwin Wong <edwinwong@google.com> |
Add SELinux policy for clearkey HIDL service.
Convert clearkey plugin to HIDL to support drm HAL v1.1.
Add SELinux policy for android.hardware.drm@1.1-service.clearkey.
Test: CTS test
ANDROID_BUILD_TOP= ./android-ccts-tradefed run cts-dev
--module CtsMediaTestCases
-t android.media.cts.ClearKeySystemTest#testClearKeyPlaybackCenc
bug: 69635855
Change-Id: I61e9c272c2a2788fd07d5c12921d28c785661b77
ile_contexts
al_drm_clearkey.te
|
| 07d21f461b81f0ee4e9cfe95cb3244f1e9794fbd |
24-Jan-2018 |
Edwin Wong <edwinwong@google.com> |
Add SELinux policy for clearkey HIDL service.
Convert clearkey plugin to HIDL to support drm HAL v1.1.
Add SELinux policy for android.hardware.drm@1.1-service.clearkey.
Test: CTS test
ANDROID_BUILD_TOP= ./android-ccts-tradefed run cts-dev
--module CtsMediaTestCases
-t android.media.cts.ClearKeySystemTest#testClearKeyPlaybackCenc
Merged-In: I61e9c272c2a2788fd07d5c12921d28c785661b77
bug: 69635855
Change-Id: I2b6dad3cbefa210400c0169b497ed58d355b85ab
ile_contexts
al_drm_clearkey.te
|
| aaf57715e155b16fa10d2b6ea504195228301821 |
31-Jan-2018 |
Wei Wang <wvw@google.com> |
Merge "wahoo: VR: Reset setting in runtime crash and add dumpstate support"
|
| 2516638b16b3bf317085c983c6e562516eef6009 |
31-Jan-2018 |
Joel Galenson <jgalenson@google.com> |
Merge "Clean up bug_map." am: 03a16f98d6 am: 01e6d51248
am: cbbcb9e449
Change-Id: Id88c872c66e74cfeecab39fd3d5798a750fcb95d
|
| cbbcb9e4493035e2dc1ea2f0f25f9152887e6103 |
31-Jan-2018 |
Joel Galenson <jgalenson@google.com> |
Merge "Clean up bug_map." am: 03a16f98d6
am: 01e6d51248
Change-Id: Ib5b172548db41828bfabe3f6b02d3523f80b498b
|
| 01e6d51248284dfd88abdc5a7e515038468f6c79 |
31-Jan-2018 |
Joel Galenson <jgalenson@google.com> |
Merge "Clean up bug_map."
am: 03a16f98d6
Change-Id: I2272425fcc8f6964c435dd68687168afd9936a70
|
| 03a16f98d6c87e0cf72374e71e2214245c09fb68 |
31-Jan-2018 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Clean up bug_map."
|
| ad1b1088336435b1a2db95cacf5b0a84c7738f0b |
31-Jan-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Mark ro.qcom.adreno.* as public_vendor_default_prop"
|
| 76b6dbfbc52612ca52e44d95ed6ebda6f200e8f7 |
31-Jan-2018 |
Jaekyun Seok <jaekyun@google.com> |
Mark ro.qcom.adreno.* as public_vendor_default_prop
ro.qcom.adreno.* are used in some of VNDK-SP libs, and so they should be
accessible from system components.
Bug: 72697173
Test: tested with ro.qcom.adreno.qgl.VkApiMinorVersion=1
Change-Id: I307c2013a5424245586509cf250c14cf02a8c1cc
roperty_contexts
|
| 49843e3ab0b6a9264801b2f44ef008a20c85a8e7 |
31-Jan-2018 |
Max Bires <jbires@google.com> |
Merge "Suppressing boot time denial" am: 2fd80081d1 am: 5530470d6f
am: 5c5cf3237a
Change-Id: I3bd2b497893591af69f423f9239ff58a7c756a41
|
| 5c5cf3237a213435ea744063605008baf4e63977 |
31-Jan-2018 |
Max Bires <jbires@google.com> |
Merge "Suppressing boot time denial" am: 2fd80081d1
am: 5530470d6f
Change-Id: I6732940c7aad4189811905ba377040ae4b12dc16
|
| 5530470d6fcd819d646367c85cadba904cf03038 |
31-Jan-2018 |
Max Bires <jbires@google.com> |
Merge "Suppressing boot time denial"
am: 2fd80081d1
Change-Id: If3f606aed83eb1ef81f0bca59007ebeb6b6df905
|
| 2fd80081d17e56decd19073f9b1d5ff299d45c66 |
31-Jan-2018 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Suppressing boot time denial"
|
| 00ef1c1658ade2962d9a405f90345f377a89d75e |
31-Jan-2018 |
Joel Galenson <jgalenson@google.com> |
Clean up bug_map.
Remove fixed bugs.
Test: Booted Walleye, tested wifi and camera, and observed no new
denials.
Change-Id: Iff8d3f9dbd2b881a512aa7d65a0a7c67a4beb509
ug_map
|
| c58ae4e91923b94e285d7a58ade4577392b93a98 |
29-Jan-2018 |
Wei Wang <wvw@google.com> |
wahoo: VR: Reset setting in runtime crash and add dumpstate support
Reset thermal setting after runtime reboot in VR
Reset touch setting after runtime reboot in VR
Add dump support in VR
Test: Kill system_server during VR session and check thermal and touch settings
Test: Capture bugreport and look at:
lshal-debug/android.hardware.vr@1.0::IVr_default.txt
Bug: 72644266
Bug: 72071908
Change-Id: I752c98ec88975a45eda19e72aed24df1a9fef2ba
endor_init.te
|
| 32a6d40bc254321dfa74eb692498795087446d20 |
30-Jan-2018 |
Max Bires <jbires@google.com> |
Suppressing boot time denial
This denial is generated by whichever process first attempts to access
the filesystem, triggering the kernel to go through module loading to
find the correct crypto module to use to decrypt the FS. This dontaudit
will suppress the denial until the underlying problem is fixed
denied { module_request } for comm="BootAnimation"
kmod="crypto-heh(aes)-all" scontext=u:r:bootanim:s0
tcontext=u:r:kernel:s0 tclass=system
Bug: 37205419
Test: bootanim doesn't spawn a module_load denial
Change-Id: I85f1b75c70e87be924c033c9934b87cb90035132
ootanim.te
|
| d449eb488004c3ac10cfb429ef167ada6925b557 |
27-Jan-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Usb Gadget hal implementation for wahoo"
|
| 5bc564b494ed4bb4c5f2ae51f9d1a8a666321caa |
27-Jan-2018 |
Ruchi Kandoi <kandoiruchi@google.com> |
Merge "Disallow NFC vendor library access to nfc_data_file" am: 9704987280 am: e9e717c8aa
am: 45e2e638e0
Change-Id: Icb2b0230646da03e3d606d8bebacfedbe8ef4d5c
|
| 45e2e638e0cd708797593003fd3a59106f722bf0 |
27-Jan-2018 |
Ruchi Kandoi <kandoiruchi@google.com> |
Merge "Disallow NFC vendor library access to nfc_data_file" am: 9704987280
am: e9e717c8aa
Change-Id: I085121f638bfe2c56ae8e557b36013d96d96c7b4
|
| e9e717c8aa9eeae2a9901ff1b11090e398061933 |
27-Jan-2018 |
Ruchi Kandoi <kandoiruchi@google.com> |
Merge "Disallow NFC vendor library access to nfc_data_file"
am: 9704987280
Change-Id: Ia6ed0052ab396c841aee90ce1d433add8e9d8dfc
|
| 9704987280e8044f2aabcbbf96fe167b1a1e4f6e |
26-Jan-2018 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Disallow NFC vendor library access to nfc_data_file"
|
| 5e309b924830644827182e039e915e5ba314a81f |
19-Jan-2018 |
Badhri Jagan Sridharan <Badhri@google.com> |
Usb Gadget hal implementation for wahoo
(cherry-pick of commit: e9af4669659c306a9c9b1a1ae3a1313a7631357d)
Bug: 63669128
Test: Tested USB gadget configurations and verified
that they enumerated.
Change-Id: If0f98697488f6c7cfe335d4c292acebaaba6c20f
ile_contexts
al_usb_default.te
al_usb_impl.te
|
| e81bff1dda1897ea66c5fd6aaeedcb0b070bf6b0 |
26-Jan-2018 |
Badhri Jagan Sridharan <badhri@google.com> |
Merge "DO NOT MERGE :Usb Gadget hal implementation for wahoo"
|
| ecfc861e1e23d024ee5e9125c150fbb1b4ffad6b |
19-Jan-2018 |
Badhri Jagan Sridharan <Badhri@google.com> |
DO NOT MERGE :Usb Gadget hal implementation for wahoo
Bug: 63669128
Test: Tested USB gadget configurations and verified
that they enumerated.
Change-Id: If0f98697488f6c7cfe335d4c292acebaaba6c20f
ile_contexts
al_usb_default.te
al_usb_impl.te
|
| cc136b14f0257edbf0a6e7352c1a554dd1af576c |
25-Jan-2018 |
Miguel de Dios <migueldedios@google.com> |
Merge "Allow hardware_info_app to read from debugfs_ufs."
|
| 2cdbc03bf105ae49b94fffcea2a732e715fc573a |
25-Jan-2018 |
Marissa Wall <marissaw@google.com> |
STOPSHIP: proc.uidcpupower reflector for experiments am: 1437d38b52 am: 33c59636f6
am: 456690f063
Change-Id: I5fab6ed361c6e7bf3a7674565b3eb4d7adb83021
|
| 456690f063b760fb9ac120dba7db727038cced01 |
25-Jan-2018 |
Marissa Wall <marissaw@google.com> |
STOPSHIP: proc.uidcpupower reflector for experiments am: 1437d38b52
am: 33c59636f6
Change-Id: If4076bbc9222b73da5e963075d8fad30d546e7fd
|
| c679517ce16a79fcb7d0f073a989dc991158ef35 |
25-Jan-2018 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "wpa_supplicant: move control sockets to /data/vendor"
|
| 4c05539d6cfbdb38131ea667c411c2da59b8534a |
24-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
wpa_supplicant: move control sockets to /data/vendor
Treble compliance.
Bug: 70228425
Bug: 70393317
Test: complete wifi test in b/70393317
Test: Test wifi on Taimen and Sailfish
Test: verify sockets exist in /data/vendor/wifi/wpa/sockets
Change-Id: I0bfc3a351419f0a03498e79664949f353369bf1b
al_wifi_supplicant_default.te
|
| 0292352f5eac4dbaa84714b24c7b914c4bc4adb0 |
24-Jan-2018 |
Kelly Rossmoyer <krossmo@google.com> |
Low Power Monitor security policies for wahoo
Adds a security policy allowing ConnectivityMonitor to access the new
system property controlling startup of the Low Power Monitor service.
Also adds security policies allowing ConnectivityMonitor to access the
device PowerHAL service, which is used on 2017 devices to obtain low
power operation stats.
Error 1 (related to PowerHAL access):
01-24 11:20:41.444 589 589 E SELinux : avc: denied { find }
for interface=android.hardware.power::IPower pid=3964
scontext=u:r:con_monitor_app:s0:c233,c259,c512,c768
tcontext=u:object_r:hal_power_hwservice:s0 tclass=hwservice_manager
permissive=0
Policy 1:
allow con_monitor_app hal_power_hwservice:hwservice_manager find;
Error 2 (also related to PowerHAL access):
01-24 11:28:37.527 3971 3971 W ectivitymonitor: type=1400
audit(0.0:12): avc: denied { call } for
scontext=u:r:con_monitor_app:s0:c233,c259,c512,c768
tcontext=u:r:hal_power_default:s0 tclass=binder permissive=0
Policy 2:
allow con_monitor_app hal_power_default:binder call;
Error 3 (related to setting system property):
01-24 11:37:41.853 3756 3756 W libc : Unable to set property
"persist.radio.poweranomaly.start" to "disabled": error code: 0x18
01-24 11:37:41.854 3756 3756 D AndroidRuntime: Shutting down VM
--------- beginning of crash
01-24 11:37:41.855 3756 3756 E AndroidRuntime: FATAL EXCEPTION: main
01-24 11:37:41.855 3756 3756 E AndroidRuntime: Process:
com.google.android.connectivitymonitor, PID: 3756
01-24 11:37:41.855 3756 3756 E AndroidRuntime:
java.lang.RuntimeException: Unable to start receiver
com.google.android.connectivitymonitor.GservicesChangeReceiver:
java.lang.RuntimeException: failed to set system property
Policy 3:
persist.radio.lowpowermonitor.start u:object_r:tel_mon_prop:s0
Bug:35955665
Test: All policies taken from audit2allow (see commit text) and tested
before/after policy change to establish correctness.
Change-Id: I02bb85a8fd39f3003c035a1ac8f28622d1f0ecc2
on_monitor.te
roperty_contexts
|
| a43dba2e832a2b53388a476125d62c279c525aa5 |
24-Jan-2018 |
Tom Cherry <tomcherry@google.com> |
Add restricted permissions to vendor_init am: a29b489370 am: 417db4f1d2
am: 60b2608abb
Change-Id: Ie67fcd4598dc8a246bad71567132f890b899f353
|
| 60b2608abb6cea7813c472865359d8e0a07cc070 |
24-Jan-2018 |
Tom Cherry <tomcherry@google.com> |
Add restricted permissions to vendor_init am: a29b489370
am: 417db4f1d2
Change-Id: I901a931e6b51f9d8ac7de2f604ac06ba3031d621
|
| 1437d38b52d32188a8118e67e2501d9887ca4016 |
17-Jan-2018 |
Marissa Wall <marissaw@google.com> |
STOPSHIP: proc.uidcpupower reflector for experiments
Allow the concurrent_*_time to be enable and disabled
for performance experiments on the dogfood population.
This patch and the corresponding kernel patches should
be removed before launch.
proc.uidcpupower=* -> concurrent_*_time enabled
proc.uidcpupower=1 -> concurrent_*_time enabled
proc.uidcpupower=0 -> concurrent_*_time disabled
Test: Run "adb shell setprop proc.uidcpupower 0" and
check that "adb shell cat /proc/uid_cpupower/enable"
returns 0. Repeat the test with 1.
Change-Id: I818e110907b4d24d0d3c4b9ca92b6f2816ba3b1f
endor_init.te
|
| 9244427d036ae2b0891929f0d98ebf211cb01bf0 |
24-Jan-2018 |
Jeffrey Vander Stoep <jeffv@google.com> |
Revert "Remove vendor access to wpa_socket"
This reverts commit 3ef4216053407b8b0d9ff26f622efc2224cbf4c4.
rpius@ says that this can cause some devices to fail to boot.
Reverting and will re-test/resubmit tomorrow.
Change-Id: I48f033516b93d10edc77a277de49a3e21a068930
al_wifi_supplicant_default.te
|
| a29b4893706bdba10477fe569fbb835d0355a71f |
23-Jan-2018 |
Tom Cherry <tomcherry@google.com> |
Add restricted permissions to vendor_init
The core SEPolicy for vendor_init is being restricted to the proper
Treble restrictions. Since this is a legacy device, it is tagged as a
data_between_core_and_vendor_violators and the needed permissions are
added to its device specific vendor_init.te
Bug: 62875318
Test: boot walleye without audits
Change-Id: I13aaa2278e71092d740216d3978dc720afafe8ea
endor_init.te
|
| 3ef4216053407b8b0d9ff26f622efc2224cbf4c4 |
23-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
Remove vendor access to wpa_socket
It violates new restrictions on sharing data between system
and vendor processes.
Bug: 34980020
Test: build (these are build-time tests).
Change-Id: Ie57a7587bb497557e48d0f2940d1fe60f4ee3700
al_wifi_supplicant_default.te
|
| 96b9a25b8e5070cacf9ba6454d964a1a0be54b87 |
19-Jan-2018 |
Jaekyun Seok <jaekyun@google.com> |
Allow vendor_init to set HAL properties
The following properties of bluetooth_prop are set in init scripts.
- persist.service.bdroid.snooplog
- persist.service.bdroid.fwsnoop
- persist.service.bdroid.snooplog
- persist.service.bdroid.fwsnoop
- persist.service.bdroid.soclog
- persist.service.bdroid.soclog
And the following properties of power_prop are set in init scripts.
- vendor.powerhal.state
- vendor.powerhal.audio
Bug: 62875318
Test: tested with walleye
Change-Id: I7cf63bc6ae575150024df3ec7373c750db923ab3
endor_init.te
|
| 7b07955b89b1edc8b46bc7202c3fc79cc63e8da1 |
20-Jan-2018 |
Eino-Ville Talvala <etalvala@google.com> |
hal_camera: Allow traversal of persist/ am: 45c8eedd87 am: e097025bd4
am: 86fd268114
Change-Id: I0f253b8785c95d535c872c8292721cfcf78a661a
|
| 86fd268114ea046e84aff008a512ffaf924cd395 |
20-Jan-2018 |
Eino-Ville Talvala <etalvala@google.com> |
hal_camera: Allow traversal of persist/ am: 45c8eedd87
am: e097025bd4
Change-Id: Ib2e01fae11f206951805c538a91ddb52500784c4
|
| 45c8eedd875839f827fa45d6c93d6e81311290a5 |
20-Jan-2018 |
Eino-Ville Talvala <etalvala@google.com> |
hal_camera: Allow traversal of persist/
Because otherwise access to persist/sensor/ doesn't work
Bug: 70565622
Bug: 63629224
Test: Builds, HAL can open and read a file in /persist/sensor/calibration
Change-Id: I9ce66dcf2856ed99c09b8183c41d00ee07ad2460
al_camera.te
|
| ac4045e0dd54eb0d548554cfd63cf6e42405cec2 |
20-Jan-2018 |
Eino-Ville Talvala <etalvala@google.com> |
hal_camera: Allow access to sensor calibration file am: 32eb479e66 am: 9757888c6c
am: 6d0840ec59
Change-Id: Iea1371f4fb6303f413cf87bbbe08e4e584b6fe52
|
| 6d0840ec5932bdb7e94fc262c133c008d395da1b |
20-Jan-2018 |
Eino-Ville Talvala <etalvala@google.com> |
hal_camera: Allow access to sensor calibration file am: 32eb479e66
am: 9757888c6c
Change-Id: I83397033f80a3beec98cb504ce76bcce0a0b8bef
|
| 32eb479e66702db4c8f73701caca738630919eee |
05-Jan-2018 |
Eino-Ville Talvala <etalvala@google.com> |
hal_camera: Allow access to sensor calibration file
To allow the camera HAL to export lens calibration data measured
for tango_core, it needs access to the same calibration file.
Bug: 70565622
Bug: 63629224
Test: Builds
Change-Id: Ia891dc442e1f01b827ba8533f4d77f26e1f61b3b
al_camera.te
|
| 377efbfdae4b22c42c1835062796e11db8954223 |
19-Jan-2018 |
Jeffrey Vander Stoep <jeffv@google.com> |
Revert "cnss_diag: Track selinux denial" am: 80fc3d69c9 am: 764a4a1f2e
am: 1fe9401ebe
Change-Id: I4a2bccfd0be41ff1d959ff3cee84e34d9fc94cd5
|
| 1fe9401ebe81576797062b95cc184837c4d2a22e |
19-Jan-2018 |
Jeffrey Vander Stoep <jeffv@google.com> |
Revert "cnss_diag: Track selinux denial" am: 80fc3d69c9
am: 764a4a1f2e
Change-Id: I844f0e464ca2f54e14d15f35f43e08d8d69da454
|
| 80fc3d69c9981053dcd78dc7c6640e3de6bc263a |
19-Jan-2018 |
Jeffrey Vander Stoep <jeffv@google.com> |
Revert "cnss_diag: Track selinux denial"
This reverts commit 3102a99db42f5237849e111380d0ffff064ef4b8.
Reason for revert: b/72133934 fixed.
Bug: 72133934
Change-Id: Id02bd53eef55ace0de0fb392ed9054abc94a164e
ug_map
|
| 219ed3fbf3ed30b0a642117c4bd99399222019c7 |
18-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
cnss_diag: Track selinux denial am: 3102a99db4 am: a5fc28a024
am: b44db98766
Change-Id: Ib8bcdcdfacb5d80ba8af72eb95c5b8658aa1a833
|
| b44db9876696b87c4518c9323c5626007406fb19 |
18-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
cnss_diag: Track selinux denial am: 3102a99db4
am: a5fc28a024
Change-Id: Ib8abb6b7cded87825a2fae0ed7a1da33df4d13d5
|
| 3102a99db42f5237849e111380d0ffff064ef4b8 |
18-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
cnss_diag: Track selinux denial
Fix presubmit tests.
Bug: 72133934
Test: build
Change-Id: I72a95bffbaddb4373d761481462b2a0dabf25604
ug_map
|
| 6bee4eb8b6cf7542d2e6c1af718b81be5bf33561 |
18-Jan-2018 |
Roshan Pius <rpius@google.com> |
Merge changes from topic "hostapd_hidl"
* changes:
wahoo(sepolicy): Redefine cnss_diag folder
wahoo(manifest): Add hostapd HIDL interface
hostapd: Remove treble violation exception
|
| d062beeaec4a879cebb5fe794a84ced66e1e0d28 |
18-Jan-2018 |
Michael Butler <butlermichael@google.com> |
Merge "Allow hvx hal to open application fd" am: d66f810d1e am: 8253d4978d
am: c95bc5bfbf
Change-Id: I72b381ae7aa4def19ccb9b1a5f3bf8549e470341
|
| c95bc5bfbfcb9d9068333cb4c45b86887f8da0a7 |
18-Jan-2018 |
Michael Butler <butlermichael@google.com> |
Merge "Allow hvx hal to open application fd" am: d66f810d1e
am: 8253d4978d
Change-Id: I614ba5eee81d7b5ab5183253cee9505c28b02150
|
| d66f810d1ef9c893a19a6164738f7893ecfe1e11 |
17-Jan-2018 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Allow hvx hal to open application fd"
|
| c02f290a1dd4233ee09cb4a45c0a55fe30e22ff9 |
29-Nov-2017 |
Michael Butler <butlermichael@google.com> |
Allow hvx hal to open application fd
Bug: 67478959
Test: mm, vts, cts
Change-Id: I36ffcbc97b1f70dc6e19ec344903c38adc3f2311
(cherry picked from commit fdabd93272ed99d47e10217620eb2659e78db185)
al_neuralnetworks_hvx.te
|
| a50ad59c5e9bd74c2b2dbb7c80bf8add9460cb31 |
17-Jan-2018 |
Jaekyun Seok <jaekyun@google.com> |
Merge "Mark unlabeled vendor properties with vendor_default_prop"
|
| 3ee38634c923664603c219730e23d1cae0d96af1 |
17-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
sepolicy: move denial tracking to core policy am: df8a9ee6c6 am: f69f0ee877
am: 66c93e3e25
Change-Id: I53b1baeb9d94506117904882bd6b9aed2f5d3045
|
| 66c93e3e256b0ec6197e11d1c50bc2b230241562 |
17-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
sepolicy: move denial tracking to core policy am: df8a9ee6c6
am: f69f0ee877
Change-Id: I53c182515c1872e995b25cc746506d5c33334df8
|
| a334daa6c6aa565cc64fd5396ef2f9b126709679 |
17-Jan-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "STOPSHIP: move sys.vdso reflector to allow "user" builds"
|
| 6b106184074c091017417700aaa87bb3fb385821 |
19-Oct-2017 |
Jaekyun Seok <jaekyun@google.com> |
Mark unlabeled vendor properties with vendor_default_prop
For now, unlabeled vendor properties are marked as default_prop which is
one of core_property_type.
This CL will mark them with vendor_default_prop.
Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: I8d4068927f435a0a0732fce86920adc3e7389424
tfwd.te
harger.te
omain.te
al_dumpstate_impl.te
ealthd.te
nit-devstart-sh.te
nit-insmod-sh.te
etmgrd.te
roperty.te
roperty_contexts
adio.te
ild.te
urfaceflinger.te
ystem_app.te
ystem_server.te
endor_init.te
|
| df8a9ee6c6fe467bd067be02530ae3495cbad686 |
17-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
sepolicy: move denial tracking to core policy
Bug: 68864350
Test: build
Change-Id: I28478fd9588023a8c43ee64b087476b8a074a0fd
ug_map
|
| 2bedc05caed4bb4a68695a09c6d7b524a53bb2aa |
17-Jan-2018 |
Edwin Wong <edwinwong@google.com> |
Merge "Move persistent data to /data/vendor." am: a74d5f7707 am: 0db26c191f
am: 25ddee178f
Change-Id: I13d8e04cc48f8313876ff1f174ff922d8de9f849
|
| 25ddee178fb41b77d23b31aeaf3c1ee04dbc4398 |
17-Jan-2018 |
Edwin Wong <edwinwong@google.com> |
Merge "Move persistent data to /data/vendor." am: a74d5f7707
am: 0db26c191f
Change-Id: If8f9aee8d18c08d1759acb2190a22b44317dac46
|
| a74d5f77072e37970f2c5c5771c2d313c8486ba2 |
17-Jan-2018 |
Edwin Wong <edwinwong@google.com> |
Merge "Move persistent data to /data/vendor."
|
| bffc61fb4df0c0831c382818b754ffd972281074 |
17-Jan-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Power: restart PowerHAL if audio HAL died with active low_latency hint"
|
| 15fd9f5fae85cd3aed1853612369c2211c9e2410 |
16-Jan-2018 |
Wei Wang <wvw@google.com> |
Power: restart PowerHAL if audio HAL died with active low_latency hint
Audio low latency which can go parallel with other long-term hints and
there is small change that leaves the powerHAL stuck with the hint for
long time. This CL will require another property to record the state of it.
Bug: 67648152
Test: kill audiohal, audioserver
Change-Id: Ic0017b0c7a27994e7583d7701665b2cd156ca192
roperty_contexts
|
| 0d045dd2c4573183a3d01af62dbdf35b1329aae1 |
16-Jan-2018 |
Mark Salyzyn <salyzyn@google.com> |
STOPSHIP: move sys.vdso reflector to allow "user" builds
Modification of bb267fa16f8a1a13283575a4e89b880cd44a00b2 to
remove restriction to userdebug and eng builds. Rationalization
is the experiment will continue during public beta releases.
Test: manual, bionic-benchmarks --bionic_xml=vdso.xml
Bug: 70518189
Change-Id: I57e5cdc21569dd32377256d3962e1dc03385f7cb
nit.te
|
| 11a106330ed18671807e792fc4254e99459dc86e |
16-Jan-2018 |
Tri Vo <trong@google.com> |
system_executes_vendor_violators: google_camera_app and tango_core am: 6113e178c3 am: b6ef487185
am: 7bb299d9c1
Change-Id: I8c4c61b373258d30062c5d96d7ca840f0c949c63
|
| 7bb299d9c124b2fd645bdbf1cf033faaad77e011 |
16-Jan-2018 |
Tri Vo <trong@google.com> |
system_executes_vendor_violators: google_camera_app and tango_core am: 6113e178c3
am: b6ef487185
Change-Id: I874eb5271c1c2a3e6d89d2fb8e2ee582a3557c25
|
| 6113e178c3cfed5d54a87938d0d9b5fa98e09c03 |
21-Dec-2017 |
Tri Vo <trong@google.com> |
system_executes_vendor_violators: google_camera_app and tango_core
Bug: 62041836
Test: policy builds
No rules were added to google_camera_app and tango_core domains
Change-Id: Ib8605db10d28998ca564bf9f17a1a89a1b76d504
oogle_camera_app.te
ango_core.te
|
| 361214d17c8694220785df89ed87ddf4a48f902e |
17-Dec-2017 |
Edwin Wong <edwinwong@google.com> |
Move persistent data to /data/vendor.
HALs are only allow to access files in /data/vendor starting
in Pi. Change SELinux policy to move data from /data/mediadrm
to /data/vendor/mediadrm.
Test: Play Movies & TV, Netflix
Ensure offline playback works after the move.
bug: 36601695
Change-Id: Ie7ed580036fe0b6113eb4c39210e90dc08478230
ile.te
ile_contexts
al_drm_default.te
al_drm_widevine.te
ove-widevine-data-sh.te
|
| 6a60787a548bf87b9eb01d2c9b8d6ab63fab5fc5 |
13-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
vendor_init: allow reading sys.modem.diag property am: 99e7af062f am: 237efff11c
am: 7b1cfa03c0
Change-Id: I933cf6ceb6c9a26aac2d09b87ef5bbb2e3a595a0
|
| 7b1cfa03c04df661680221df83917c77cc320c89 |
13-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
vendor_init: allow reading sys.modem.diag property am: 99e7af062f
am: 237efff11c
Change-Id: Idf2127daa0138095c5ae2df2de42bdf61861cc63
|
| 99e7af062f2f2f14a2a75aa2a9bf0313079a6121 |
13-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
vendor_init: allow reading sys.modem.diag property
Test: build wahoo policy
Change-Id: Iaa5c1c26a6a41fdb9c33bbad44b461e7bc898f23
endor_init.te
|
| 5cf6d726a8ea293f6f698532db33363a1de16434 |
12-Jan-2018 |
Tri Vo <trong@google.com> |
Merge "Revert "system_executes_vendor_violators: google_camera_app and tango_core""
|
| 840d4a5ea4081c0a819a53b447f22e9f68eea0f9 |
12-Jan-2018 |
Tri Vo <trong@google.com> |
Revert "system_executes_vendor_violators: google_camera_app and tango_core"
This reverts commit f4494825c5fc75203d3a55d5e58110dfd43c1033.
Reason for revert: albacore build broken
Change-Id: I79bccbab740d545261afd8f7f3ffec3be20d0a27
oogle_camera_app.te
ango_core.te
|
| b173ec1a08c033ef1bb89d3c42002c5758c3b460 |
12-Jan-2018 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge changes from topic "storage_health_interface"
* changes:
Create sepolicy for Wahoo health HAL service
Add health service for Wahoo
|
| 13fe0c40565a61d406227265d535d3a5268d5580 |
12-Jan-2018 |
Tri Vo <trong@google.com> |
Merge "system_executes_vendor_violators: google_camera_app and tango_core"
|
| 6ba332939ea0df70cd0a8ff792095cbc2744e60d |
12-Jan-2018 |
Sooraj Sasindran <sasindran@google.com> |
Merge "enable power anomaly detection"
|
| dd69b2ca0c3fc466eaf8321b9f3fc48c66994515 |
20-Dec-2017 |
Hridya Valsaraju <hridya@google.com> |
Create sepolicy for Wahoo health HAL service
Bug: 68388678
Test: vts-tradefed run vts -m VtsHalHealthV2_0
Change-Id: I4d7214c760948bc07cfdf3143526d137718e4f9a
ile_contexts
al_health_default.te
|
| f4494825c5fc75203d3a55d5e58110dfd43c1033 |
21-Dec-2017 |
Tri Vo <trong@google.com> |
system_executes_vendor_violators: google_camera_app and tango_core
Bug: 62041836
Test: policy builds
No rules were added to google_camera_app and tango_core domains
Change-Id: Ib8605db10d28998ca564bf9f17a1a89a1b76d504
oogle_camera_app.te
ango_core.te
|
| 86815f4889cb100a8cace63829e697a3e7c8eba8 |
03-Jan-2018 |
Sooraj Sasindran <sasindran@google.com> |
enable power anomaly detection
Move connectivity monitor sepolicies to specific policy file
Allow Power Anomaly detector to access /data/vendor/radio
Fixes below errors
12-28 18:01:37.294 W/ectivitymonitor( 3619): type=1400 audit(0.0:13):
avc: denied { search } for name="radio" dev="sda13" ino=1835015
scontext=u:r:radio:s0 tcontext=u:object_r:radio_vendor_data_file:s0
tclass=dir permissive=0
12-28 18:15:03.838 W/ectivitymonitor( 3621): type=1400 audit(0.0:18):
avc: denied { read } for name="u:object_r:tel_mon_prop:s0" dev="tmpfs"
ino=9592 scontext=u:r:con_monitor_app:s0:c233,c259,c512,c768
tcontext=u:object_r:tel_mon_prop:s0 tclass=file permissive=0
01-10 19:38:17.399 939 939 W rild : type=1400 audit(0.0:87): avc:
denied { read } for name="u:object_r:tel_mon_prop:s0" dev="tmpfs"
ino=17732 scontext=u:r:rild:s0 tcontext=u:object_r:tel_mon_prop:s0
tclass=file permissive=
add power_anomaly_data.txt to be picked up in bugreport
Test: tested by testing power anomaly detector and connectivity monitor
Bug: 67058502
Change-Id: I8ad45d5e9cedde8f498627f97b35db27dfd2ea28
on_monitor.te
roperty_contexts
ild.te
eapp_contexts
|
| bb267fa16f8a1a13283575a4e89b880cd44a00b2 |
14-Dec-2017 |
Mark Salyzyn <salyzyn@google.com> |
STOPSHIP: sys.vdso reflector for experiments
On userdebug or eng, permit vdso to be enabled or disabled at will to
manage performance experiments on the dogfood population.
ro.debuggable=1 -> permit sys.vdso to maintain an influence over vdso
sys.vdso=false -> 32 and 64 bit vdso disabled
sys.vdso=32 -> 64 bit vdso disabled
sys.vdso=64 -> 32 bit vdso disabled
sys.vdso= -> 32 and 64 bit vdso enabled
NB: sys.vdso set to any other value will default to vdso enabled.
Test: manual, bionic-benchmarks --bionic_xml=vdso.xml to confirm.
Bug: 70518189
Change-Id: I839feff206a1404f228a5bdf35fb0c392fd8974a
ile.te
ile_contexts
nit.te
|
| 7a37d573638459c382783f8447123a9dd7a3197d |
05-Jan-2018 |
Roshan Pius <rpius@google.com> |
wahoo(sepolicy): Redefine cnss_diag folder
The parent folder /data/vendor/wifi of cnss diag is going to
be used by hostapd data file storage. So, rename sepolicy file attribute
to limit the path controlled by the cnss_vendor_data_file attribute.
Bug: Start softap
Test: Compiles
Change-Id: I0001199864fed580983f8340645f36fd4e2f69ef
ile_contexts
|
| 252f00b4aff279aee53e1b633b84e3646606834f |
23-Dec-2017 |
Roshan Pius <rpius@google.com> |
hostapd: Remove treble violation exception
Bug: 36646171
Test: Device boots up and able to turn on SoftAp.
Change-Id: I8a826d944fc25b08aa9e919ff95f20e34c13346a
ostapd.te
|
| 1c36565762cbd478e7faf1e16b05f45b4b7a412f |
09-Jan-2018 |
Wei Wang <wvw@google.com> |
wahoo: power: Add hint state into PowerHAL in case of restart
PowerHAL should remember the long-lasting hint when it (re)starts,
in case it crashed/killed. Also when clint crashed, the long-lasting
hint should be cancelled.
This CL adds a property for PowerHAL to store its long-lasting hint,
and uses init to clear the property and restart PowerHAL when client
died.
Bug: 67648152
Test: kill cameraHAL, powerHAL, system-server
Change-Id: I6b2cae3c2228da00bcb97a3befacf9ab045eeba8
al_power_default.te
roperty.te
roperty_contexts
|
| c4822cb33291cb4a2ed47e43fd2d2864ae68fda4 |
05-Jan-2018 |
Thierry Strudel <tstrudel@google.com> |
Merge "wahoo: power: switch to libperfmgr for powerhint"
|
| 445050c9d7a60402001c9248eb5428b579b72370 |
04-Jan-2018 |
Jeff Tinker <jtinker@google.com> |
Merge "Allow widevine drm hal to access allocator hal" am: d1c8174061 am: b8cf647687
am: 7a35cb0518
Change-Id: I8399d17cca55cf7998073a36773dd63641dca609
|
| 7a35cb0518a07280fbef32be09e48e38fd13c98c |
04-Jan-2018 |
Jeff Tinker <jtinker@google.com> |
Merge "Allow widevine drm hal to access allocator hal" am: d1c8174061
am: b8cf647687
Change-Id: Ic0749608b04347460fbd94d85b65fd159b9d1d55
|
| d1c817406186c220ce146322b07d5355eaad9cf6 |
04-Jan-2018 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Allow widevine drm hal to access allocator hal"
|
| d7f901b58dd1ea1eb370c1a0f41f3834a87dc6f1 |
01-Jan-2018 |
Wei Wang <wvw@google.com> |
wahoo: power: switch to libperfmgr for powerhint
Test: boot and do powerhint
Bug: 62041945
Change-Id: I7de1d2bf377fb46162171a084fca3413b1067d3b
ile_contexts
al_camera.te
al_power_default.te
erfd.te
|
| 9246d7f0dec78d33823ebeeb800c8246edb87b2a |
30-Nov-2017 |
Jeff Tinker <jtinker@google.com> |
Allow widevine drm hal to access allocator hal
This fixes failing vts drm tests
bug:67675811
Change-Id: Ic489b4cfac383e809f9c1f0503c337dce21a100e
al_drm_widevine.te
|
| 51c700f3710a3ba32d30be7951792389fe85e3ee |
29-Dec-2017 |
Miguel de Dios <migueldedios@google.com> |
Allow hardware_info_app to read from debugfs_ufs.
Add sepolicy for hardware_info_app to read from debugfs_ufs since we
need to read /sys/kernel/debug/ufshcd0/dump_health_desc.
Change-Id: I86bf99f06bf18a2f7264dd85b745c99433872f35
Bugs: b/70754991
Test: pts-tradefed run pts -m PtsHardwareInfoHostTestCases
ardware_info_app.te
|
| 63207ac2a75341992b719145ee02c34ffdb7dca2 |
03-Jan-2018 |
Ke Bai <kebai@google.com> |
easel.te: read access to sysfs_thermal am: 401c245984 am: c97b49a5cb
am: ad080d19de
Change-Id: I46c78592ab1fb828100df97dec67c5e58c885faa
|
| ad080d19dec70e0100c8e6cbd973fc309aeb1441 |
03-Jan-2018 |
Ke Bai <kebai@google.com> |
easel.te: read access to sysfs_thermal am: 401c245984
am: c97b49a5cb
Change-Id: Ied8a65855553fe6cc8e00980a6b36ff01fa2b94f
|
| 401c2459842a3d8617bc0b40e3b98dcc6c2d5544 |
22-Dec-2017 |
Ke Bai <kebai@google.com> |
easel.te: read access to sysfs_thermal
Bug: b/70857705
Test: manual
Change-Id: I539f3cbc9fe69aa0c3f5bbf21599c0a126594188
asel.te
|
| 27e37c4fe15c0d41db31c2de30e68a7fa74918cd |
30-Dec-2017 |
Tri Vo <trong@google.com> |
Merge "Label sysfs_rtc files." am: ec90390658 am: 3036651d6c
am: eee4bf11cb
Change-Id: I5cfb2d00561a5147dfb43fe5b6c3f4123509ebfe
|
| eee4bf11cb3985fa2333027636a56f1d1d20951b |
30-Dec-2017 |
Tri Vo <trong@google.com> |
Merge "Label sysfs_rtc files." am: ec90390658
am: 3036651d6c
Change-Id: I25cfebc7f611bd1ad792015823a41c882428be1e
|
| 6928c476056abde5090fca3ab3e3a92de2a280ea |
19-Dec-2017 |
Tri Vo <trong@google.com> |
Label sysfs_rtc files.
We expect all files under /sys/class/rtc to be labeled sysfs_rtc.
/sys/class/rtc/rtc0 is a symlink to
/sys/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm8998@0:qcom,pm8998_rtc/rtc/rtc0
Bug: 68018685
Test: walleye boots with no denials to /sys/class/rtc/*.
Change-Id: Iacf2b55ae365661be29016729d5517403ff6e9a1
enfs_contexts
|
| 0db0e4a5618393c0e139a34c574328164a756c1a |
13-Dec-2017 |
Tri Vo <trong@google.com> |
Label vendor sys/*/power_supply/* as sysfs_batteryinfo am: 2a6f537080 am: ef523fdfa3
am: a85b493054
Change-Id: Ie6a33245495aca896ce54d308eff7f443d294d10
|
| a85b493054f3af7919a949c0339f68a7e52102e4 |
13-Dec-2017 |
Tri Vo <trong@google.com> |
Label vendor sys/*/power_supply/* as sysfs_batteryinfo am: 2a6f537080
am: ef523fdfa3
Change-Id: I220315745b2186855e00908e95b4d219b16c3407
|
| 2a6f537080f100e44d097bd8800e348e553ab8a2 |
15-Nov-2017 |
Tri Vo <trong@google.com> |
Label vendor sys/*/power_supply/* as sysfs_batteryinfo
thermal-engine access to sysfs_batteryinfo.
Bug: 65643247
Bug: 70275668
Test: device boots with no denial to sysfs_batteryinfo or
sysfs_msm_subsys.
Change-Id: I09fd4057282236edfabc43fd2b4209fcee4e8332
enfs_contexts
hermal-engine.te
|
| 013ebf1c1c8f4d83bc70a76eeff1de5ae050e15e |
09-Dec-2017 |
Tri Vo <trong@google.com> |
Merge "Label /sys/devices/soc/18800000.qcom,icnss/net" am: 4b90c93c5f am: 5239474f78
am: 33064e3cb9
Change-Id: I56bcbf48183ee034d262a788ab4eafdb4659c172
|
| 33064e3cb93d50a0e18d6d37c8469102e01e5d91 |
09-Dec-2017 |
Tri Vo <trong@google.com> |
Merge "Label /sys/devices/soc/18800000.qcom,icnss/net" am: 4b90c93c5f
am: 5239474f78
Change-Id: I4d10d56f6d65bc8e9ce8b384446b451cf73822d1
|
| 4b90c93c5fab89280d35b08c341434b2213b01c0 |
09-Dec-2017 |
Tri Vo <trong@google.com> |
Merge "Label /sys/devices/soc/18800000.qcom,icnss/net"
|
| a3333a875a16f70b4856df8c6318d2d2868f9a0c |
09-Dec-2017 |
Tri Vo <trong@google.com> |
Label /sys/devices/soc/18800000.qcom,icnss/net
The following symlinks are under /sys/class/net:
/sys/class/net/p2p0 -> /sys/devices/soc/18800000.qcom,icnss/net/p2p0
/sys/class/net/wlan0 -> /sys/devices/soc/18800000.qcom,icnss/net/wlan0
and we expect everything under /sys/class/net to be labeled sysfs_net.
Bug: 65643247
Test: netd_integration_test
Test: can browse internet without denials to sysfs_net
Change-Id: Ie92ac36b34f86847aaaef2199b9f3aaae05d991b
enfs_contexts
|
| d055d6d6b2af5aac0d3edbf4c352a8c0a7178381 |
08-Dec-2017 |
Kevin Chyn <kchyn@google.com> |
Allow Sensors HAL to connect with CHRE Daemon am: 4b55a6ca98 am: 5e0a9f9c62
am: 06b025da27
Change-Id: I7687d3b274346dcc2dbc14328a0c2de0cb412cb9
|
| 06b025da274ef4caa02aeb5e8597e3a0d45c9715 |
08-Dec-2017 |
Kevin Chyn <kchyn@google.com> |
Allow Sensors HAL to connect with CHRE Daemon am: 4b55a6ca98
am: 5e0a9f9c62
Change-Id: Ic24fcf5e87f0407657b9a0c668d83c0295c48e23
|
| c5ffbbba668ab09be4fb721bdf8fc46dc0e48e52 |
08-Dec-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Annotate boot denials am: 65ab5a73f5 am: defba2d3c5
am: 2e806302c7
Change-Id: I86f6411106c54c9c29c83718dd6fbb78eda897f1
|
| 4b55a6ca98cfc323a74895e50486a0196a27c492 |
07-Dec-2017 |
Kevin Chyn <kchyn@google.com> |
Allow Sensors HAL to connect with CHRE Daemon
Bug: 69386746
Test: On master, able to connect to CHRE Daemon without
using adb shell setenforce 0
Change-Id: I590e495e4f032d8928ea1aa8264a285e1d424078
al_sensors_default.te
|
| 2e806302c70ec71cf495d3644c46548743c8c6cb |
07-Dec-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Annotate boot denials am: 65ab5a73f5
am: defba2d3c5
Change-Id: I3f5a6891f97be5a5528ae13932a02b325d8abc82
|
| 65ab5a73f5ec0da00c924d3b95ed463e885f1216 |
07-Dec-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Annotate boot denials
Test: build
Bug: 70180742
Bug: 70308329
Change-Id: I16ad0c4b01452a7d7e23d1f467f56501db37329f
ug_map
|
| afebe7283e6b66b64d33927b227c06c51f6874fc |
06-Dec-2017 |
Ajay Dudani <adudani@google.com> |
dumpstate: Add battery type to bugreport & fixup sepolicy am: 22f01a2fa0 am: 7164b2c4d4
am: 4abe1f8534
Change-Id: I2fe52705cdfafbbace79c1745134befd4b5d542a
|
| c754fc01507d08390df3a17805786bf8f2c7796f |
06-Dec-2017 |
Ajay Dudani <adudani@google.com> |
sepolicy: Allow rpm and wifi power stats in user builds am: 6cbc6d9104 am: 2381f51ba5
am: 440319ac7a
Change-Id: Ic0c865d876851670a57eab34a9c87b0b34798a0f
|
| 4abe1f85341d8bfcfd70013c660bc7586768c117 |
06-Dec-2017 |
Ajay Dudani <adudani@google.com> |
dumpstate: Add battery type to bugreport & fixup sepolicy am: 22f01a2fa0
am: 7164b2c4d4
Change-Id: Ic524793275fc994d3eba32ec16cfb576cf3e45a5
|
| 440319ac7a2d9abded7b8773a4f71e49333ab9d0 |
06-Dec-2017 |
Ajay Dudani <adudani@google.com> |
sepolicy: Allow rpm and wifi power stats in user builds am: 6cbc6d9104
am: 2381f51ba5
Change-Id: Id921c9a08c4b179cd219be61cb1165cd9c1e2fef
|
| 7164b2c4d48f9b304a77c421548368edf898c292 |
06-Dec-2017 |
Ajay Dudani <adudani@google.com> |
dumpstate: Add battery type to bugreport & fixup sepolicy
am: 22f01a2fa0
Change-Id: Ic0fa85622c4f0cb0ec77e88a39d05b81fd3c1513
|
| 2381f51ba58c086ed79bc2b24e38e847d3475e20 |
06-Dec-2017 |
Ajay Dudani <adudani@google.com> |
sepolicy: Allow rpm and wifi power stats in user builds
am: 6cbc6d9104
Change-Id: I9080f9f54241f5a18e4bf179331c2509c28212ac
|
| 70e630035c666776593b4258381b2c4351dc3469 |
06-Dec-2017 |
Wei Wang <wvw@google.com> |
Merge "Power: Implement PowerHal 1.2"
|
| 22f01a2fa0261c5f5601ef500f7516cfc9259933 |
05-Dec-2017 |
Ajay Dudani <adudani@google.com> |
dumpstate: Add battery type to bugreport & fixup sepolicy
Add sepolicy for this operation, and update sepolicy to allow
collecting batteryinfo in bugreport for user builds.
Bug: 70094701, 70094083
Test: Take bugreport, verify battery type is present
Change-Id: Id67776301e2ed39a283a08483ac5eb8125aba96b
umpstate.te
enfs_contexts
|
| 6cbc6d9104e79b8fbda4cdc4bc59b9bcb6435fe8 |
01-Dec-2017 |
Ajay Dudani <adudani@google.com> |
sepolicy: Allow rpm and wifi power stats in user builds
In order to enable debugging of power issues on 'user' builds, we need
to capture rpm stats and wifi power stats from debugfs. Allow this
for user builds.
Bug: 69003183
Test: Verify rpm & wifi power stats are present in bugreport
Change-Id: If9754137f9331832d055ee39d3fd3d5ec79cfc15
al_power_default.te
ernel.te
|
| 8ce5e19a671fa91bcb3edaf6da598f415ad1066b |
17-Nov-2017 |
Wei Wang <wvw@google.com> |
Power: Implement PowerHal 1.2
Convert all perfd hints into PowerHAL hints
Test: do camera/audio powerhint
Bug: 62041945
Change-Id: I82c8ca99b76d70d716eabedb617a126446646b7d
udioserver.te
ile_contexts
al_audio_default.te
|
| 758c4e7b7c3f6d04faaa8bc47aa779ba712e69b4 |
01-Dec-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "wifi_supplicant: deprecate entropy.bin" am: 5ded7d8a1c am: fb9dbfebcc
am: 3c58378dfc
Change-Id: Idf9a4fe1bb78ce13afeab7b0cc716aa38a8edbec
|
| 3c58378dfc8fa13233e6873a6d74ad98ddd37d1d |
01-Dec-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "wifi_supplicant: deprecate entropy.bin" am: 5ded7d8a1c
am: fb9dbfebcc
Change-Id: I479ba6593c4afe8ea8e464aacee8d23ee829ac13
|
| fb9dbfebcc1d41f08ab127c6c432b120133996ca |
01-Dec-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "wifi_supplicant: deprecate entropy.bin"
am: 5ded7d8a1c
Change-Id: Ifdcf8c25340608bf82f4699609dcebd12c7a9f47
|
| 5ded7d8a1c70692aa29cd31422bc40e6fdd3c53f |
01-Dec-2017 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "wifi_supplicant: deprecate entropy.bin"
|
| 0a81570cb9a17c011f87da6677b8c9ba7f449291 |
30-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
wifi_supplicant: deprecate entropy.bin
Wpa_supplicant's random pool is not necessary on Android. Randomness
is already provided by the entropymixer service which ensures
sufficient entropy is maintained across reboots. Commit b410eb1913
'Initialize /dev/urandom earlier in boot' seeds /dev/urandom with
that entropy before either wpa_supplicant or hostapd are run.
Bug: 34980020
Test: Use wifi and wifi tethering on Taimen
Change-Id: Ib5caf362bc939911b357db186a274957d3fbf186
ostapd.te
|
| 675c6a699bc9762be13bfcd07499c856c01d2655 |
30-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove obsolete /data/ramdump sepolicy" am: 80c738e7ab am: c04078c166
am: 37f085c783
Change-Id: I701e8b7ecdf40c50ff4822f9f63eb5580e9fb84b
|
| 37f085c783c05088e55add9ab0c28967a95b1c5a |
30-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove obsolete /data/ramdump sepolicy" am: 80c738e7ab
am: c04078c166
Change-Id: I87a2cea582800c7f0c00c79fae9fd305401636d9
|
| c04078c166a687565821c9a8a4d382a3123137d4 |
30-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove obsolete /data/ramdump sepolicy"
am: 80c738e7ab
Change-Id: I25bafcbb91501a5495a2cc554d43be67c7b7a4ec
|
| 80c738e7abf37f22fd21fdca51d124e3298a4838 |
30-Nov-2017 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Remove obsolete /data/ramdump sepolicy"
|
| 83ce8a5d624033ab939cd652909e0d56942739b1 |
29-Nov-2017 |
Ruchi Kandoi <kandoiruchi@google.com> |
Disallow NFC vendor library access to nfc_data_file
Test: NFC enable/disable. No SElinux denials
Bug: 36645109
Change-Id: Ib50cbc1dfc4db1a3afea044b9ebf849e26feea8b
al_nfc_default.te
|
| b33775465b094234ec01c4856c3e008ea2810a9b |
29-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Remove obsolete /data/ramdump sepolicy
No domain has access to this type/location.
Test: build
Bug: 34980020
Change-Id: Icd7e58a1e8a46f603bfb651a4654ddf020e684a0
ile.te
ile_contexts
|
| 78395856c9b1d20b22df7c951b76baa1f5e198cf |
28-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
sepolicy: Remove tracking of resolved denial am: d90b6a6589 am: 201fc696bd
am: 3264cc9451
Change-Id: I894763c2001407d651ff4c5703c01d95c430911d
|
| 3264cc9451ea3e1278cbeec55c2e5523f10cfa8c |
28-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
sepolicy: Remove tracking of resolved denial am: d90b6a6589
am: 201fc696bd
Change-Id: I4ff76e832f9c4e54ca1a239bc48a6c13f5ca9d42
|
| 201fc696bda4f2446e6401dec135634a7eafcb8f |
28-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
sepolicy: Remove tracking of resolved denial
am: d90b6a6589
Change-Id: I0f3a4750522a6ed4c247c359398b62eddf09afd2
|
| 81d95c7216c5f6249269f8967c90a3427c52b2a6 |
28-Nov-2017 |
Max Bires <jbires@google.com> |
Removing entry from bug_map that belongs in global policy am: 8dfbc9c280
am: 9be94e1031
Change-Id: I6c2eaa83eab89844c3283644bba91ed36992be97
|
| 9be94e10316eb6cb3f82f83fd40d403bb9261aec |
28-Nov-2017 |
Max Bires <jbires@google.com> |
Removing entry from bug_map that belongs in global policy
am: 8dfbc9c280
Change-Id: I301105abf86b0108554609ccde4585649e6a0479
|
| d90b6a65890b2c6d16ad5eb4c49b04b676428632 |
27-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
sepolicy: Remove tracking of resolved denial
Bug: 67860826
Test: build
Change-Id: I9e7bb8e0af75e499d024228e26abf12ff4418d55
ug_map
|
| 8dfbc9c280fb78d2fc4a79c324238b3d2989c33d |
01-Nov-2017 |
Max Bires <jbires@google.com> |
Removing entry from bug_map that belongs in global policy
Test: entry no longer exists in this file
Change-Id: I8b16c772983dfd79a54cd049ba3295cc6cdecd41
(cherry picked from commit d946b273ba44db7c0809a5a256641c25bdfb7644)
ug_map
|
| 74c2d71feca23c8eb48d7e984bf9af720c16ba71 |
28-Nov-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "wahoo: Change ramdump property names"
|
| 4dc6659501b4e202f385842d17e490db5cd72fad |
22-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "This change is primarily a revert of 611c3d70a" am: 3bd6a7ab6f am: 508cfa70b8
am: 3764ba8cdb
Change-Id: I9cfbf5af90cc519df3d817569d3e480f3d19f252
|
| 3764ba8cdb0d86b013dbdb4629134dc41aa36b8f |
22-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "This change is primarily a revert of 611c3d70a" am: 3bd6a7ab6f
am: 508cfa70b8
Change-Id: Ib0222df8a3a9657d2f075966bce48bb93f000c48
|
| 508cfa70b8eef59862a2f124346a0f12da5e99d8 |
22-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "This change is primarily a revert of 611c3d70a"
am: 3bd6a7ab6f
Change-Id: Iedfc834e35dac481cdf49df8917256164f740b1a
|
| 8d21715fc2357593711546df8999bc9651405a1f |
22-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
This change is primarily a revert of 611c3d70a
Commit 611c3d70a "Move hal_bootctl rules to hal_bootctl_default"
breaks sideloading OTAs. It was introduced to fix a CTS regression
due to overly broad access to the vendor-owned misc_block partition.
The change also did a refactor of permissions for the bootctl HAL.
The fix leaves the one-line CTS fix in place and reverts the rest of
the refactor. This results in no change in permissions for the recovery
process which is already granted access to the misc_block partion in
core policy. "allow recovery dev_type:blk_file rw_file_perms;"
Bug: 69566734
Test: adb sideload ota
Change-Id: I67504482b166e1cf278be213e42bfde2ddfa6e67
al_bootctl.te
al_bootctl_default.te
|
| a54d493853e680c3600a688474923b21378e369f |
21-Nov-2017 |
Oleg Matcovschi <omatcovschi@google.com> |
wahoo: Change ramdump property names
Avoid using vendor names in properties.
Change-Id: I1d0bc294584daa6910fc778ada05631440d3e707
roperty_contexts
|
| ae7ff6e17720e968e3233a66baa9950ec5667812 |
22-Nov-2017 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "Move hal_bootctl rules to hal_bootctl_default" am: cee6d6db58 am: 5dc4c280f7
am: 9cac94dbaf
Change-Id: Ib6522f0e739970a366330bedd390934600a00a3c
|
| 9cac94dbaf3f7e2e5cabae85c99d79b990d36784 |
22-Nov-2017 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "Move hal_bootctl rules to hal_bootctl_default" am: cee6d6db58
am: 5dc4c280f7
Change-Id: I8f4b6a5f7d654baefe99da94b5dd69a1a8901134
|
| 5dc4c280f73df46dcf236d1577965666512b68f4 |
22-Nov-2017 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "Move hal_bootctl rules to hal_bootctl_default"
am: cee6d6db58
Change-Id: I608d31eae81625a48e75dd143c13156b4ab5acc9
|
| cee6d6db5889efe35e3af5bf7e1c74b8475d91de |
22-Nov-2017 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "Move hal_bootctl rules to hal_bootctl_default"
|
| 611c2d70a06107d22dfee4f3b1eaf29224b64b33 |
21-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Move hal_bootctl rules to hal_bootctl_default
This more clearly attributes the permissions to the actual domain and
prevents a build breakage when building recovery due to a
userdebug-only neverallow exemption for hal_bootctl.
Bug: 69566734
Test: build user build
Change-Id: I5ed3c04b3709ac7b00234402788f5f1ae88e6f61
al_bootctl.te
al_bootctl_default.te
|
| aff5731c449298d00e52c73a69501951783981bd |
20-Nov-2017 |
Max Bires <jbires@google.com> |
Adding intermittent taimen denials to bug_map and adding dontaudit am: 8760ea13c8
am: b1c7925f39
Change-Id: I87acc9a42b31bce78a688d17ccb72bc57f847e44
|
| b1c7925f39795cc0ab3d6fa467aa7f4ad834faf4 |
20-Nov-2017 |
Max Bires <jbires@google.com> |
Adding intermittent taimen denials to bug_map and adding dontaudit
am: 8760ea13c8
Change-Id: I65596064dcea4ef10fbed479af37429df1b3d55b
|
| c34f83ca6eca31a44589ac2dd4caa5712e98ff31 |
20-Nov-2017 |
Max Bires <jbires@google.com> |
Adding bug map entry for surfaceflinger denial am: 79c6875ae1
am: a18b856873
Change-Id: I2136fdfe79376fb2394ab33b1d0e73e647622cb4
|
| 8ad4301e14a5abce77c17c201d4effdb48eb068d |
20-Nov-2017 |
Max Bires <jbires@google.com> |
Adding bug map entries for boot denials am: 6f8f263c64
am: 2d5b503deb
Change-Id: Ie98762bb38cb2865cc2517c25e6b48a9ae174e39
|
| a18b856873b43d33fc78d6d9b22473744868ea3f |
20-Nov-2017 |
Max Bires <jbires@google.com> |
Adding bug map entry for surfaceflinger denial
am: 79c6875ae1
Change-Id: I62af409b7d870f2562f8a585468f0c5ce76f6934
|
| 2d5b503deb4d47330c3d5818fb18cd771bebb337 |
20-Nov-2017 |
Max Bires <jbires@google.com> |
Adding bug map entries for boot denials
am: 6f8f263c64
Change-Id: I63f5b9a494f535b499bc7a6bbb94016e6182b414
|
| 8954b7958dacef1ce25173ace6fa256438a4a3a3 |
20-Nov-2017 |
Max Bires <jbires@google.com> |
Adding allow rules and bug_map entries to clean up boot on taimen am: bf29a6610c
am: 2eb295df29
Change-Id: I3f9b9453e1717498e76b254fc16d3d988a37d28e
|
| 2eb295df292393165ab81e5763d10bb6d74044b5 |
20-Nov-2017 |
Max Bires <jbires@google.com> |
Adding allow rules and bug_map entries to clean up boot on taimen
am: bf29a6610c
Change-Id: Id3c3164c7fbbdda81a8a038f87181b2e535bb608
|
| 8760ea13c88090cf6f8ff01668667040fcc8ec34 |
03-Nov-2017 |
Max Bires <jbires@google.com> |
Adding intermittent taimen denials to bug_map and adding dontaudit
These intermittent denials are making it look like taimen boot tests are
occasionally unhealthy due to untracked denials. This will remove the
failing tests issue.
Bug: 68705274
Test: these intermittent denials are now tracked or properly
dontaudit'ed
Change-Id: I342cff19d7bde73fee93fd8461c9c0680511e23c
Merged-In: I342cff19d7bde73fee93fd8461c9c0680511e23c
(cherry picked from commit 552978d27c7c475e0ec6ff982d9e2bb709b7c93f)
ug_map
etutils_wrapper.te
|
| 79c6875ae1daf9e0fbcf48081b14b0da1358d843 |
24-Oct-2017 |
Max Bires <jbires@google.com> |
Adding bug map entry for surfaceflinger denial
Test: the surfaceflinger denial is properly tagged
Change-Id: I734aa3880491504c2c7e73236bda11e3cd111384
Merged-In: I734aa3880491504c2c7e73236bda11e3cd111384
(cherry picked from commit cb67b3d17069e21188f1e111fed43035daa61b19)
ug_map
|
| 6f8f263c64a3700cebdab6da1523fa087fb19cb4 |
19-Oct-2017 |
Max Bires <jbires@google.com> |
Adding bug map entries for boot denials
Test: bug metadata is properly attached to relevant denials
Change-Id: I20fba3a86104f494131714056b2809ae6a62d416
Merged-In: I20fba3a86104f494131714056b2809ae6a62d416
(cherry picked from commit 6f475be419041f239cb0802d0cc9ab0c829956ed)
ug_map
|
| bf29a6610c8d24a98b74b72031652b926f9d691d |
17-Oct-2017 |
Max Bires <jbires@google.com> |
Adding allow rules and bug_map entries to clean up boot on taimen
Allow rule denials:
denied { ioctl } for pid=863 comm="rild"
path="/vendor/radio/qcril_database/qcril.db" dev="dm-1" ino=900
ioctlcmd=f50c scontext=u:r:rild:s0 tcontext=u:object_r:vendor_file:s0
tclass=file
denied { read } for pid=1609 comm="batterystats-wo" name="show_stat"
dev="sysfs" ino=37781 scontext=u:r:system_server:s0
tcontext=u:object_r:sysfs:s0 tclass=file
denied { search } for pid=1609 comm="system_server"
name="800f000.qcom,spmi" dev="sysfs" ino=19648
scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_msm_subsys:s0
tclass=dir
bug_map denial entries:
denied { create } for pid=751 comm="main" name="tasks"
scontext=u:r:zygote:s0 tcontext=u:object_r:cgroup:s0 tclass=fil
denied { getattr } for pid=1609 comm="system_server"
path="/vendor/framework" dev="dm-1" ino=291
scontext=u:r:system_server:s0
tcontext=u:object_r:vendor_framework_file:s0 tclass=dir
Test: denials either don't show up or are properly tagged with a bug
number
Change-Id: Ibf841033ac5480ddb975772840680011cb331a7d
Merged-In: Ibf841033ac5480ddb975772840680011cb331a7d
(cherry picked from commit 53146f8cc0fcf8fe084105668d6d1d715d63d9cb)
ug_map
enfs_contexts
ild.te
|
| bc563cf96a1dce8dfa0ea5efb55801bc770f9b12 |
16-Nov-2017 |
Tom Cherry <tomcherry@google.com> |
Merge "Add vendor_init.te" am: c0959d9ff8 am: c28270b47c
am: 3506ef33a3
Change-Id: Ib652a46bee64b02e567642d0c838f5c4f7d9cd54
|
| 3506ef33a34b75f6c4cff138e3c5e9717ab7ad0f |
16-Nov-2017 |
Tom Cherry <tomcherry@google.com> |
Merge "Add vendor_init.te" am: c0959d9ff8
am: c28270b47c
Change-Id: I7543b913805e3c62e3a3ecc6ff6b0e97cc1bf299
|
| c28270b47ca445c5e5cc4c74a6f133f61b43f4ea |
16-Nov-2017 |
Tom Cherry <tomcherry@google.com> |
Merge "Add vendor_init.te"
am: c0959d9ff8
Change-Id: Id7deaf4d160d31066eca8e0f77ecdfce48dab0c8
|
| c0959d9ff8679ef803c1d756f3d21245c1eb0677 |
16-Nov-2017 |
Tom Cherry <tomcherry@google.com> |
Merge "Add vendor_init.te"
|
| 74d8c3674a626a4a092acc63a7d109f60c1fc531 |
07-Nov-2017 |
Tom Cherry <tomcherry@google.com> |
Add vendor_init.te
Update sepolicy for vendor_init. Relevant denials:
avc: denied { write } for pid=558 comm="init" name="debug_suspend"
dev="debugfs" ino=997 scontext=u:r:vendor_init:s0
tcontext=u:object_r:debugfs_clk:s0 tclass=file permissive=1
avc: denied { module_request } for pid=558 comm="init"
kmod="deadline-iosched" scontext=u:r:vendor_init:s0
tcontext=u:r:kernel:s0 tclass=system permissive=1
Bug: 62875318
Test: use walleye + factory reset + vendor_init
Change-Id: I2655316be5fbf18120174a11958c43d7ca70b478
endor_init.te
|
| 5fddf5544d518889f5defa88ac38035921a6b68b |
15-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove dumpstate HAL's access to radio app data" am: dc08a47024
am: 864b27eda6
Change-Id: Icd51489793bbfb79686b7bd5f51589944e617ebf
|
| 864b27eda6da61f5b17092dab87631cbdaf034cc |
15-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove dumpstate HAL's access to radio app data"
am: dc08a47024
Change-Id: I2ead3b84bf4e792a2791ba0877c338f4e07b61eb
|
| dc08a4702457670e04300d619f728b69f8464e00 |
15-Nov-2017 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Remove dumpstate HAL's access to radio app data"
|
| 283fc24c21bdff1ecfa6f2de0b372ec908a92678 |
15-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge changes I23f5d887,I7f65224b am: a3c5fdbfc3
am: 54a4466be9
Change-Id: I67089f62df8e9bb98163ba1931140370e61c86d3
|
| 54a4466be9a72e6fe173fb1e3847a40dd53b492d |
15-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge changes I23f5d887,I7f65224b
am: a3c5fdbfc3
Change-Id: I4367232e00d50c245e6c5034da9ea6d85e28440b
|
| a3c5fdbfc36e3666600de7a78a95d53427c3391b |
15-Nov-2017 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge changes I23f5d887,I7f65224b
* changes:
Remove system_server access to location daemon's data
Remove dumpstate's access to modem dump file
|
| b93164076a0fbcf78af63e439dc128d08a2d8708 |
20-Oct-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Remove dumpstate HAL's access to radio app data
These permissions no longer appear to be needed.
Bug: 34980020
Test: adb bugreport, not denials for radio_data_file
Change-Id: Id20a3cc87d78ef547811dffe230d13772f1504b0
Merged-In: Id20a3cc87d78ef547811dffe230d13772f1504b0
(cherry picked from commit 97e8a770f6129986202161663edeaa1169e92914)
al_dumpstate_impl.te
|
| 4c44680ee099543686b3eb6553159530843cfc37 |
20-Oct-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Remove system_server access to location daemon's data
These permissions no longer appear to be necessary, and violate
Treble separation of system/vendor data.
Bug: 34980020
Test: Launch google maps, get current location
Change-Id: I23f5d887fdcb400dd027431eabc4e744a08d4ea9
Merged-In: I23f5d887fdcb400dd027431eabc4e744a08d4ea9
(cherry picked from commit 9dccaa56ce67938f60d5c113eeb8ec530ec654a1)
ystem_server.te
|
| d6a99d1db8033cfc2d111c48e5a263f3e6d9d180 |
20-Oct-2017 |
Jie Song <jies@google.com> |
Remove dumpstate's access to modem dump file
Dumpstate is using the 2nd file descriptor to access dump file
Bug: 68044348
Test: Take bugreport, no denial for modem_dump_file and modem log is
valid
Change-Id: I7f65224bd3cc81258bccc3dbf419e52c1bcaeaa3
Merged-In: I7f65224bd3cc81258bccc3dbf419e52c1bcaeaa3
(cherry picked from commit b51ae72a5d8c47ecaf6465239c747179d3272745)
umpstate.te
|
| 9ba9e412f62aaffee9e33ed27e6611539d73f862 |
14-Nov-2017 |
Xin Li <delphij@google.com> |
Merge commit '34f7f32ea4cca137547463132f06cb93dc8d04b3' from
oc-mr1-dev-plus-aosp-without-vendor into stage-aosp-master
Change-Id: I1f549411c9b9219fae6e602569778ae36c511055
|
| acdf8ee53a08fc0987bf882e17eb296296c2ce90 |
14-Nov-2017 |
Tao Bao <tbao@google.com> |
Merge "sepolicy: Remove update_verifier.te." am: 14716fc148
am: 2959768511
Change-Id: I8aa6e174e91a1a0120b4e6b0e4109bb1aaf217c0
|
| 14716fc148ccb72f0c08803374d142736fce0387 |
14-Nov-2017 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "sepolicy: Remove update_verifier.te."
|
| 3d4c191247f5d429fa9b3382293685c9411b20f4 |
06-Oct-2017 |
Tao Bao <tbao@google.com> |
sepolicy: Remove update_verifier.te.
It has been added into core policy through
https://android-review.googlesource.com/c/platform/system/sepolicy/+/503421.
Bug: 63440407
Test: update_verifier successfully triggers blocks verification and
marks a sucessful boot;
Test: No sysfs_dm related denials on walleye.
Change-Id: I5605af8b10d890489c25f16f82274f828e10e751
(cherry picked from commit e2c0c287fb8fe6b0f33c1a84492c41baaf29c074)
pdate_verifier.te
|
| fc98977517e0bdc06c1eaa68fb37236dec76e156 |
11-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Clean up commented out permissions" am: 64936a0238 am: 0d0c712b4b
am: d9c7badbfe
Change-Id: Ife079289736a78ec567755ee28dc586614fc0cfd
|
| d9c7badbfe900fa0f85a37f0d6b3943a864cc47d |
11-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Clean up commented out permissions" am: 64936a0238
am: 0d0c712b4b
Change-Id: If55d1b556ac29f2cd64c8cdcdab8c6396ca24471
|
| 64936a023898d48299aa5823e7ebcbea7234b6d2 |
11-Nov-2017 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Clean up commented out permissions"
|
| e74598517d1683f9d0cfa81d00abc2fd2baa70d8 |
10-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Clean up commented out permissions
Test: none
Change-Id: I26f4a18ad1141a5d402ddd38505a4cdaee266c4e
al_camera.te
|
| f54f2c98d3885a20d05ebaf739e09ead1b9199e3 |
10-Nov-2017 |
Chenjie Luo <cjluo@google.com> |
Allow easel to read sysfs_easel dir am: 3b8bac308a am: 8d06a43142
am: efcec0f279
Change-Id: I1d115462e9e84bdc27cfbb754a5165167ec78a20
|
| efcec0f27946b0e5b7f30e7a5e03fbbef2f8fffe |
10-Nov-2017 |
Chenjie Luo <cjluo@google.com> |
Allow easel to read sysfs_easel dir am: 3b8bac308a
am: 8d06a43142
Change-Id: I828140da3c5f8da8ffc1ba0a872348196d869520
|
| 3b8bac308adc8442e57028a4d1029542c209d47f |
10-Nov-2017 |
Chenjie Luo <cjluo@google.com> |
Allow easel to read sysfs_easel dir
Test: easelmanagerd_client_example
Change-Id: I494e35e8127cba0bcbfcd9ed68776268dfb42131
asel.te
|
| c8807869f226e90af770b9c4f7647cc9c82c921b |
10-Nov-2017 |
Wei Wang <wvw@google.com> |
Merge "sepolicy: remove perfd usage in mediacodec"
|
| 32a17f0bbbedc43cdc522cbc338c85309be00325 |
10-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Move platform/vendor data violations to device policy am: 98dd9bb659 am: cdfb42f233
am: ef03706701
Change-Id: Ib7b03d039766c82a965080f534a35ebcf7ed2003
|
| ef03706701644f9b55a394a1bb393e7df92b7d88 |
10-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Move platform/vendor data violations to device policy am: 98dd9bb659
am: cdfb42f233
Change-Id: Id5f2f5607bf6050c20916243df4534db0ad9bdeb
|
| 98dd9bb6595c50ea459b0a6b279b0916a6d521ca |
06-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Move platform/vendor data violations to device policy
Sharing data folders by path will be disallowed because it violates
the approved API between platform and vendor components tested by
VTS. Move all violating permissions from core selinux policy to
device specific policy so that we can exempt existing devices from
the ban and enforce it on new devices.
Bug: 34980020
Test: Move permissions. Build and test wifi, wifi AP, nfc, fingerprint
and Play movies on Marlin.
Test: build Taimen
Change-Id: I1c2f2acac02266f8d07ff1fc3c69329af0aa2f3d
al_drm_default.te
al_drm_widevine.te
al_fingerprint.te
al_fingerprint_default.te
al_nfc_default.te
al_wifi_supplicant_default.te
ostapd.te
|
| 1ec29720de80257ee40236a45dc33df314f342fb |
09-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Grant HALs access to diag_device am: 4c1bb0c66e am: c4a8826ab6
am: 24bf7da390
Change-Id: If7c1980a2f54f5b365c645f37bebab6dc36a6f69
|
| 24bf7da390974227f2954a28d8cd8defc38776b5 |
09-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Grant HALs access to diag_device am: 4c1bb0c66e
am: c4a8826ab6
Change-Id: I86781e7ecd7a0aaf3a533d88215729c6065cfc8a
|
| 6ca3b6af6b655f3a33de8c4ece7a5fbfccd74d7f |
09-Nov-2017 |
Max Bires <jbires@google.com> |
Adding userdebug/eng diag access for following domains am: a72c9eda39
am: b889c22817
Change-Id: I9b80da7f1e605fe50a3f9ebf797223951915555c
|
| ae00e38a4e8a1392c63bcf6327b8c0d6266e8bf4 |
09-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
sepolicy: domain: remove world access to /dev/diag am: d683b2f369
am: 454b33c2c6
Change-Id: I28f0e28cebb08a1f9701d1224ccc25b09371cfae
|
| 4c1bb0c66e150edcdf40375ecebb0190fadce242 |
09-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Grant HALs access to diag_device
avc: denied { read write } for comm="imsrcsd" name="diag"
dev="tmpfs" ino=9694 scontext=u:r:hal_rcsservice:s0
tcontext=u:object_r:diag_device:s0 tclass=chr_file
avc: denied { read write } for comm="ims_rtp_daemon"
name="diag" dev="tmpfs" ino=9694 scontext=u:r:hal_imsrtp:s0
tcontext=u:object_r:diag_device:s0 tclass=chr_file
Bug: 68705274
Test: build
Change-Id: I39f21c1e01001ea83d38461b450e42db1d21991d
al_imsrtp.te
al_rcsservice.te
|
| 9b1fa7dc7e893ea9a87f6ef9465113c227ea078c |
09-Nov-2017 |
Wei Wang <wvw@google.com> |
sepolicy: remove perfd usage in mediacodec
VIDEO_DECODE_PLAYBACK_HINT is for interactive governor in HMP kernels
Remove the access to it.
Bug: 62041945
Test: boot
Change-Id: I9454f2707cb380761d8370fa477e6d933dae9d40
ediacodec.te
|
| a72c9eda39db602a25bd7a0b6346fb61e1dc861b |
11-Oct-2017 |
Max Bires <jbires@google.com> |
Adding userdebug/eng diag access for following domains
World access to diag_device for userdebug/eng builds was revoked due to
potential for dangerous use from 3rd party code so this
CL grants access back to the domains that requested it.
denied { read write } for pid=832 comm="qti" name="diag" dev="tmpfs" ino
=9583 scontext=u:r:qti:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_
file
denied { read write } for pid=808 comm="thermal-engine" name="diag" dev=
"tmpfs" ino=9583 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:diag
_device:s0 tclass=chr_file
denied { read write } for pid=877 comm="cnss_diag" name="diag" dev="tmpf
s" ino=9583 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:diag_devic
e:s0 tclass=chr_file
denied { read write } for pid=816 comm="imsqmidaemon" name="diag" dev="t
mpfs" ino=9583 scontext=u:r:ims:s0 tcontext=u:object_r:diag_device:s0 tc
lass=chr_file
denied { read write } for pid=753 comm="android.hardwar" name="diag" dev
="tmpfs" ino=9583 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_
r:diag_device:s0 tclass=chr_file
denied { read write } for pid=772 comm="sensors.qcom" name="diag" dev="t
mpfs" ino=9583 scontext=u:r:sensors:s0 tcontext=u:object_r:diag_device:s
0 tclass=chr_file
denied { read write } for pid=677 comm="time_daemon" name="diag" dev="tm
pfs" ino=9583 scontext=u:r:time_daemon:s0 tcontext=u:object_r:diag_devic
e:s0 tclass=chr_file
denied { read write } for pid=618 comm="android.hardwar" name="diag" dev
="tmpfs" ino=9583 scontext=u:r:hal_graphics_composer_default:s0 tcontext
=u:object_r:diag_device:s0 tclass=chr_file
denied { read write } for pid=854 comm="rild" name="diag" dev="tmpfs" in
o=10642 scontext=u:r:rild:s0 tcontext=u:object_r:diag_device:s0 tclass=c
hr_file
denied { read write } for pid=828 comm="netmgrd" name="diag" dev="tmpfs"
ino=10642 scontext=u:r:netmgrd:s0 tcontext=u:object_r:diag_device:s0 tcl
ass=chr_file
denied { read write } for pid=826 comm="cnd" name="diag" dev="tmpfs" ino
=10642 scontext=u:r:cnd:s0 tcontext=u:object_r:diag_device:s0 tclass=chr
_file
denied { read write } for pid=1559 comm="iptables-wrappe" path="/dev/dia
g" dev="tmpfs" ino=17555 scontext=u:r:netutils_wrapper:s0 tcontext=u:obj
ect_r:diag_device:s0 tclass=chr_file
Test: domains that need diag_device access can get access to it
Change-Id: I6b2473958d10145ed981c5fbcb2ebd3232fcee0e
Merged-In: I6b2473958d10145ed981c5fbcb2ebd3232fcee0e
(cherry picked from commit c760b34307f28d8d68ee6b0e03f0d670e3d8eadd)
nd.te
al_graphics_composer_default.te
al_sensors_default.te
ms.te
etmgrd.te
etutils_wrapper.te
ti.te
ild.te
ensors.te
hermal-engine.te
ime_daemon.te
cnss_service.te
|
| d9bf00f0fa0c8a588f23abdc4771605aad8a70b5 |
11-Aug-2017 |
Ecco Park <eccopark@google.com> |
sepolicy: change the sepolicy for cnss_diag
cnss_diag: type=1400 audit(0.0:65):
avc: denied { search } for name="diagchar" dev="sysfs" ino=27415
scontext=u:r:wcnss_service:s0 tcontext=u:object_r:sysfs_diag:s0
tclass=dir permissive=0
audit(1502477202.513:37783): avc: denied { read
} for pid=989 comm="cnss_diag" name="timestamp_switch" dev="sysfs"
ino=27761 scontext=u:r:wcnss_service:s0
tcontext=u:object_r:sysfs_timestamp_switch:s0 tclass=file permissive=0
Bug:64604240
Change-Id: I1b882b15908241c18d694947b8de11136e6afee2
Merged-In: I1b882b15908241c18d694947b8de11136e6afee2
Signed-off-by: Ecco Park <eccopark@google.com>
(cherry picked from commit d024c1334a1900aba407174ade6aa2f196e4fbfc)
cnss_service.te
|
| d683b2f369d0f0f34ad570c123753e81600e2169 |
05-Oct-2017 |
Jeff Vander Stoep <jeffv@google.com> |
sepolicy: domain: remove world access to /dev/diag
This driver is not safe for general use, particularly for third party
apps, even on debug builds.
Adding OWNERS file in a subsequent commit to prevent security violations
like this from getting checked in.
Test: build
Change-Id: I245244e924ae247b6fbd48aa033bb71cca6067de
Merged-In: I245244e924ae247b6fbd48aa033bb71cca6067de
(cherry picked from commit 23ea15a12a5e253241d85f57568bec709e85f98f)
omain.te
|
| a887be0f43cedd13c9a603a3e386c45e922864b3 |
09-Nov-2017 |
Chenjie Luo <cjluo@google.com> |
Add easel sepolicy. am: 8843e8e1f9 am: da4568815d
am: 76a57dd976
Change-Id: I7425f52d89e7b7a129bb816b378b87e8abfe6a3d
|
| 76a57dd976d0934015c2d2bfef30bb6f74f91f03 |
09-Nov-2017 |
Chenjie Luo <cjluo@google.com> |
Add easel sepolicy. am: 8843e8e1f9
am: da4568815d
Change-Id: Ib6141c1a3a54861f6837be4f797e5f6f086c9144
|
| 8843e8e1f9805eb9f3d601b12369ed03a1f1306d |
03-Nov-2017 |
Chenjie Luo <cjluo@google.com> |
Add easel sepolicy.
Test: easelmanager_client_example
Change-Id: Iaed2e346b469ce907f7f1ffe0012d8c5840af385
asel.te
ile_contexts
ndservice.te
ndservice_contexts
|
| c0e2cc52a491e866b8c25b967d8cb3f9ce787d41 |
08-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Ban sharing data between platform and vendor processes" am: ea46f456cd
am: 69cea20710
Change-Id: Ife37dbec6b32eb41e17ba11d37e683c07ec7c5ba
|
| ea46f456cdf55196e60fec0cf6d22bb293142da2 |
08-Nov-2017 |
Treehugger Robot <treehugger-gerrit@google.com> |
Merge "Ban sharing data between platform and vendor processes"
|
| 87529b3f4bad820b3a607d7b579f99291651c353 |
02-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Ban sharing data between platform and vendor processes
Annotate processes that violate the ban including fingerprint and
widevine HALs.
Bug: 34980020
Test: build
Change-Id: I4afa03841e1648d4624e66bbd5ed21d09d357547
Merged-In: I4afa03841e1648d4624e66bbd5ed21d09d357547
(cherry picked from commit 458d1f6a6e5274565976cc93675ce09ef926ed5f)
al_drm_widevine.te
ee.te
|
| 92fb5015442759b02b471ad86969196e0240c15b |
08-Nov-2017 |
Siyuan Zhou <siyuanzhou@google.com> |
Allowed ssr_setup to access sysfs_msm_subsys for user builds. am: 8da95d2f14
am: e3cbb4ea05
Change-Id: I207a25a58cab36f75637c3c732cf201e641413e9
|
| e3cbb4ea055b7675fbe61b4567c144226b9d0fd7 |
08-Nov-2017 |
Siyuan Zhou <siyuanzhou@google.com> |
Allowed ssr_setup to access sysfs_msm_subsys for user builds.
am: 8da95d2f14
Change-Id: I39367b46e40c08d42d834e434d305891ab1e6dc8
|
| b74d70834b9d7179c133eb0a58f65cc95edd66d3 |
08-Nov-2017 |
Mikhail Naganov <mnaganov@google.com> |
Use /data/vendor/audio for Audio HAL data am: 943161347d
am: a91b22865d
Change-Id: I4456b90619bc98a0f6e1f9af6eab5beafc66cb5e
|
| 943161347ddd753f635966dce1260ac9866ffb3c |
08-Nov-2017 |
Mikhail Naganov <mnaganov@google.com> |
Use /data/vendor/audio for Audio HAL data
This separates the data of audioserver from the data of the
hal_audio.
Bug: 35042759
Test: no SELinux denials for hal_audio
Change-Id: I2eafed4d8a620507e27cab3a9b84d829d003bcec
Merged-In: I1815c5debaa6d6d2076cebf8beb5acd36c6fe891
ile.te
ile_contexts
al_audio_default.te
|
| 86ca2b44a86b0b765e93f1e73c3e6c7cc473c907 |
08-Nov-2017 |
Tri Vo <trong@google.com> |
Merge "Label /sys/devices/soc/{ c179000.i2c c1b5000.i2c } as sysfs_msm_subsys" am: 2d2cd9670a am: 661aca373a
am: fd689130b3
Change-Id: I6ac5aef36a82ad14087eafb441bf3e723f4fa16e
|
| fd689130b36a29d8f25af9cfec8541fdcfc596ff |
08-Nov-2017 |
Tri Vo <trong@google.com> |
Merge "Label /sys/devices/soc/{ c179000.i2c c1b5000.i2c } as sysfs_msm_subsys" am: 2d2cd9670a
am: 661aca373a
Change-Id: Ifa82e09aa8709f20d8478dd8dd39b1662fd910a5
|
| 8da95d2f1403e8c9fdc10ba20bdf22dd9d9f7c1a |
07-Nov-2017 |
Siyuan Zhou <siyuanzhou@google.com> |
Allowed ssr_setup to access sysfs_msm_subsys for user builds.
Allow ssr_setup to access sysfs_msm_subsys and enable subsystem
restart properly for user builds. Otherwise, all subsystem issues
are translated into kernel panics.
BUG: 69001795
Change-Id: I0e3cf53b92f04433d356fdeb1018bb18a9a954a6
sr_setup.te
|
| cf5550fe6ad39ae1633f78eff985ec1e44786613 |
07-Nov-2017 |
Tri Vo <trong@google.com> |
Label /sys/devices/soc/{ c179000.i2c c1b5000.i2c } as sysfs_msm_subsys
On taimen some of the files under /sys/class/power_supply are symlinks
to these dirs.
Addresses these denials on taimen:
avc: denied { read } for comm="android.hardwar" name="type" dev="sysfs"
ino=50110 scontext=u:r:hal_health_default:s0
tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
avc: denied { read } for comm="android.hardwar" name="type" dev="sysfs"
ino=48182 scontext=u:r:hal_health_default:s0
tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
Bug: 68962942
Test: builds, boots, files are correctly labeled.
Change-Id: I2b972f4f471b54097354d3e490a02300182a8e9a
enfs_contexts
|
| fb167a94c3e0376c287474a08d919eb85931d58b |
07-Nov-2017 |
Mikhail Naganov <mnaganov@google.com> |
Use /data/vendor/audio for Audio HAL data
This separates the data of audioserver from the data of the
hal_audio.
Bug: 35042759
Change-Id: I1815c5debaa6d6d2076cebf8beb5acd36c6fe891
Test: no SELinux denials for hal_audio
ile.te
ile_contexts
al_audio_default.te
|
| 552978d27c7c475e0ec6ff982d9e2bb709b7c93f |
03-Nov-2017 |
Max Bires <jbires@google.com> |
Adding intermittent taimen denials to bug_map and adding dontaudit
These intermittent denials are making it look like taimen boot tests are
occasionally unhealthy due to untracked denials. This will remove the
failing tests issue.
Bug: 68705274
Test: these intermittent denials are now tracked or properly
dontaudit'ed
Change-Id: I342cff19d7bde73fee93fd8461c9c0680511e23c
ug_map
etutils_wrapper.te
|
| 9012d7d192071e42cf28802d1929bb5be46d73f1 |
03-Nov-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Ban sharing data between platform and vendor processes"
|
| 458d1f6a6e5274565976cc93675ce09ef926ed5f |
02-Nov-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Ban sharing data between platform and vendor processes
Annotate processes that violate the ban including fingerprint and
widevine HALs.
Bug: 34980020
Test: build
Change-Id: I4afa03841e1648d4624e66bbd5ed21d09d357547
al_drm_widevine.te
ee.te
|
| d946b273ba44db7c0809a5a256641c25bdfb7644 |
01-Nov-2017 |
Max Bires <jbires@google.com> |
Removing entry from bug_map that belongs in global policy
Test: entry no longer exists in this file
Change-Id: I8b16c772983dfd79a54cd049ba3295cc6cdecd41
ug_map
|
| 6063bde2a921c22f644ede1e79323e1b610941bc |
01-Nov-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "radio: remove access to proc label"
|
| be7260e7183d75706eb773077f915e0f6906af88 |
01-Nov-2017 |
Tri Vo <trong@google.com> |
radio: remove access to proc label
Added appropriate access to proc_cmdline.
Bug: 65643247
Test: make/receive phone calls
Test: send/receive text messages
Test: browse internet on LTE network
No denials to 'proc' label are observed during tests.
Change-Id: I59710c75dbb1cf9aec7c2de4c0372d3ab372a31e
adio.te
|
| 8664a03c40e77723305bac5e3bfe8c26885aaad0 |
25-Oct-2017 |
Tri Vo <trong@google.com> |
Health hal: grant access to sysfs_msm_subsys
Health hal needs access to this label to read files under
/sys/class/power_supply, which are symlink to qcom-specific files, e.g.
/sys/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-02/800f000.qcom,spmi:qcom,pmi8998@2:qcom,qpnp-smb2/power_supply/usb/type
Test: boots without health hal denials.
Change-Id: I1412241ab7fcacc120dc1a0a67cac7f0867f0f37
al_health_default.te
|
| 801459dd3b877c3de824382f8d9e2f3017b30471 |
27-Oct-2017 |
Chien-Yu Chen <cychen@google.com> |
Merge "system_app: Set camera property in user builds" into oc-mr1-dev am: a66abec0b9
am: 1061c0df93
Change-Id: If150a2333ef0ef65111fdebc6c79489d98be6379
|
| 1061c0df93ce4f351f7fbb2e6d6f156439d83d1b |
27-Oct-2017 |
Chien-Yu Chen <cychen@google.com> |
Merge "system_app: Set camera property in user builds" into oc-mr1-dev
am: a66abec0b9
Change-Id: Iee93d2ad041554e4e3289850bfda29e8d166a4c9
|
| a66abec0b9b7af5acaa47127133417dd9a40452f |
27-Oct-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "system_app: Set camera property in user builds" into oc-mr1-dev
|
| f22847be7030f1bc335623d1a039405abe34bb5b |
27-Oct-2017 |
Chien-Yu Chen <cychen@google.com> |
system_app: Set camera property in user builds
Allow system app to set camera property in user builds.
Test: Settings app
Bug: 68346040
Change-Id: Ie183acb88f32f019fdf096b12cba52cecc3e3aee
ystem_app.te
|
| cb67b3d17069e21188f1e111fed43035daa61b19 |
24-Oct-2017 |
Max Bires <jbires@google.com> |
Adding bug map entry for surfaceflinger denial
Test: the surfaceflinger denial is properly tagged
Change-Id: I734aa3880491504c2c7e73236bda11e3cd111384
ug_map
|
| 02d4201a8b2a4963db5cc787237f8fa574378f97 |
24-Oct-2017 |
Nick Desaulniers <ndesaulniers@google.com> |
wahoo: sepolicy: escape a period
Fixes: 68144019
Change-Id: I88318f9c25e1589a9688c595bda00c9510d55ab0
ile_contexts
|
| 43748c0054c99a02820fa9beabc25644eb8311c8 |
24-Oct-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "wahoo: fingerprint: change HAL binary name"
|
| 6749bd83aef653ec782520ef971e9dfdcc13f720 |
23-Oct-2017 |
Nick Desaulniers <ndesaulniers@google.com> |
wahoo: fingerprint: change HAL binary name
Change the binary name to not be device specific. This allows us not to
have multiple init.rc files per device, simplifying code sharing between
devices that use the same HAL.
Bug: 68144019
Change-Id: Ib81fa673c96a25137ad3dfb673f161243cc55ef4
ile_contexts
|
| 0b87d6b0cd253c026d805df9657cdbfd15cff707 |
23-Oct-2017 |
Dan Cashman <dcashman@google.com> |
Move dataservice_app to platform policy. am: 03320ccd49
am: 9765f29acb
Change-Id: I2196e207fc48228c1426c84d1c92c2e7c168d0ad
|
| 9765f29acbb2102af806c5ce542168ca2bf5e03d |
23-Oct-2017 |
Dan Cashman <dcashman@google.com> |
Move dataservice_app to platform policy.
am: 03320ccd49
Change-Id: I83bd3965001e2a6c9125acd228dcce3123e2dad3
|
| dca9f37f0a7e62d3e1c4e94d5e51f95e2a7ed553 |
21-Oct-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Remove dumpstate's access to modem dump file"
|
| f9ae2b051113a0b52440d698f953afd712bbe9d1 |
17-Oct-2017 |
Tri Vo <trong@google.com> |
Move device-agnostic netd rules to fwk policy.
These were moved from vendor to fwk policy:
1. sysfs_net type declaration
2. labeling of /sys/devices/virtual/net with sysfs_net
3. netd access to sysfs_net
Bug: 65643247
Test: can browse internet without netd denials
Test: netd_unit_test, netd_integration_test without netd denials
Merged-In: I9e6ec7ab24039bc74a7e47f423222334fed8bf3a
Change-Id: I9e6ec7ab24039bc74a7e47f423222334fed8bf3a
(cherry picked from commit 661dbb6d30798c1acfdbbaff10fba1d489b0f8ef)
ile.te
enfs_contexts
etd.te
|
| b51ae72a5d8c47ecaf6465239c747179d3272745 |
20-Oct-2017 |
Jie Song <jies@google.com> |
Remove dumpstate's access to modem dump file
Dumpstate is using the 2nd file descriptor to access dump file
Bug: 68044348
Test: Take bugreport, no denial for modem_dump_file and modem log is
valid
Change-Id: I7f65224bd3cc81258bccc3dbf419e52c1bcaeaa3
umpstate.te
|
| 03320ccd49e5bdcccc44f7b1d17d081e7569624e |
20-Oct-2017 |
Dan Cashman <dcashman@google.com> |
Move dataservice_app to platform policy.
Bug: 68012595
Test: Builds.
Change-Id: Ibb01d8ba94e271d4d53c2457b27e24cdeb2bb8e2
eapp_contexts
|
| 97e8a770f6129986202161663edeaa1169e92914 |
20-Oct-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Remove dumpstate HAL's access to radio app data
These permissions no longer appear to be needed.
Bug: 34980020
Test: adb bugreport, not denials for radio_data_file
Change-Id: Id20a3cc87d78ef547811dffe230d13772f1504b0
al_dumpstate_impl.te
|
| 9dccaa56ce67938f60d5c113eeb8ec530ec654a1 |
20-Oct-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Remove system_server access to location daemon's data
These permissions no longer appear to be necessary, and violate
Treble separation of system/vendor data.
Bug: 34980020
Test: Launch google maps, get current location
Change-Id: I23f5d887fdcb400dd027431eabc4e744a08d4ea9
ystem_server.te
|
| 1945c409cdb8eaca0bcec159c6189a34847f4449 |
17-Oct-2017 |
Tri Vo <trong@google.com> |
Move device-agnostic netd rules to fwk policy.
These were moved from vendor to fwk policy:
1. sysfs_net type declaration
2. labeling of /sys/devices/virtual/net with sysfs_net
3. netd access to sysfs_net
Bug: 65643247
Test: can browse internet without netd denials
Test: netd_unit_test, netd_integration_test without netd denials
Merged-In: I9e6ec7ab24039bc74a7e47f423222334fed8bf3a
Change-Id: I9e6ec7ab24039bc74a7e47f423222334fed8bf3a
(cherry picked from commit 661dbb6d30798c1acfdbbaff10fba1d489b0f8ef)
ile.te
enfs_contexts
etd.te
|
| 884bb6f40af0c49d234f9e08ccfd98e17f383161 |
19-Oct-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Adding bug map entries for boot denials"
|
| 6f475be419041f239cb0802d0cc9ab0c829956ed |
19-Oct-2017 |
Max Bires <jbires@google.com> |
Adding bug map entries for boot denials
Test: bug metadata is properly attached to relevant denials
Change-Id: I20fba3a86104f494131714056b2809ae6a62d416
ug_map
|
| 10fd6f6cdb54435f293163904e0f39907be1b485 |
19-Oct-2017 |
Tri Vo <trong@google.com> |
Merge "Move device-agnostic netd rules to fwk policy."
|
| 661dbb6d30798c1acfdbbaff10fba1d489b0f8ef |
17-Oct-2017 |
Tri Vo <trong@google.com> |
Move device-agnostic netd rules to fwk policy.
These were moved from vendor to fwk policy:
1. sysfs_net type declaration
2. labeling of /sys/devices/virtual/net with sysfs_net
3. netd access to sysfs_net
Bug: 65643247
Test: can browse internet without netd denials
Test: netd_unit_test, netd_integration_test without netd denials
Change-Id: I9e6ec7ab24039bc74a7e47f423222334fed8bf3a
ile.te
enfs_contexts
etd.te
|
| 53146f8cc0fcf8fe084105668d6d1d715d63d9cb |
17-Oct-2017 |
Max Bires <jbires@google.com> |
Adding allow rules and bug_map entries to clean up boot on taimen
Allow rule denials:
denied { ioctl } for pid=863 comm="rild"
path="/vendor/radio/qcril_database/qcril.db" dev="dm-1" ino=900
ioctlcmd=f50c scontext=u:r:rild:s0 tcontext=u:object_r:vendor_file:s0
tclass=file
denied { read } for pid=1609 comm="batterystats-wo" name="show_stat"
dev="sysfs" ino=37781 scontext=u:r:system_server:s0
tcontext=u:object_r:sysfs:s0 tclass=file
denied { search } for pid=1609 comm="system_server"
name="800f000.qcom,spmi" dev="sysfs" ino=19648
scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_msm_subsys:s0
tclass=dir
bug_map denial entries:
denied { create } for pid=751 comm="main" name="tasks"
scontext=u:r:zygote:s0 tcontext=u:object_r:cgroup:s0 tclass=fil
denied { getattr } for pid=1609 comm="system_server"
path="/vendor/framework" dev="dm-1" ino=291
scontext=u:r:system_server:s0
tcontext=u:object_r:vendor_framework_file:s0 tclass=dir
Test: denials either don't show up or are properly tagged with a bug
number
Change-Id: Ibf841033ac5480ddb975772840680011cb331a7d
ug_map
enfs_contexts
ild.te
|
| 365c33bb3705e3c3f41b4ba45535ee9fdd89fc05 |
13-Oct-2017 |
Max Bires <jbires@google.com> |
Adding rw access to diag_device for hal_gnss_qti
denied { read write } for pid=751 comm="Loc_hal" name="diag" dev="tmpfs"
ino=10674 scontext=u:r:hal_gnss_qti:s0
tcontext=u:object_r:diag_device:s0 tclass=chr_file
Test: on userdebug/eng builds, hal_gnss_qti can access diag_device
without generating denials
Change-Id: I571e4a4a470f3550c22a7af3145468baa4e0a155
al_gnss_qti.te
|
| 80862e8ce49725a64532475bf250992c1c569932 |
11-Oct-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Adding userdebug/eng diag access for following domains"
|
| c760b34307f28d8d68ee6b0e03f0d670e3d8eadd |
11-Oct-2017 |
Max Bires <jbires@google.com> |
Adding userdebug/eng diag access for following domains
World access to diag_device for userdebug/eng builds was revoked due to
potential for dangerous use from 3rd party code so this
CL grants access back to the domains that requested it.
denied { read write } for pid=832 comm="qti" name="diag" dev="tmpfs" ino
=9583 scontext=u:r:qti:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_
file
denied { read write } for pid=808 comm="thermal-engine" name="diag" dev=
"tmpfs" ino=9583 scontext=u:r:thermal-engine:s0 tcontext=u:object_r:diag
_device:s0 tclass=chr_file
denied { read write } for pid=877 comm="cnss_diag" name="diag" dev="tmpf
s" ino=9583 scontext=u:r:wcnss_service:s0 tcontext=u:object_r:diag_devic
e:s0 tclass=chr_file
denied { read write } for pid=816 comm="imsqmidaemon" name="diag" dev="t
mpfs" ino=9583 scontext=u:r:ims:s0 tcontext=u:object_r:diag_device:s0 tc
lass=chr_file
denied { read write } for pid=753 comm="android.hardwar" name="diag" dev
="tmpfs" ino=9583 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_
r:diag_device:s0 tclass=chr_file
denied { read write } for pid=772 comm="sensors.qcom" name="diag" dev="t
mpfs" ino=9583 scontext=u:r:sensors:s0 tcontext=u:object_r:diag_device:s
0 tclass=chr_file
denied { read write } for pid=677 comm="time_daemon" name="diag" dev="tm
pfs" ino=9583 scontext=u:r:time_daemon:s0 tcontext=u:object_r:diag_devic
e:s0 tclass=chr_file
denied { read write } for pid=618 comm="android.hardwar" name="diag" dev
="tmpfs" ino=9583 scontext=u:r:hal_graphics_composer_default:s0 tcontext
=u:object_r:diag_device:s0 tclass=chr_file
denied { read write } for pid=854 comm="rild" name="diag" dev="tmpfs" in
o=10642 scontext=u:r:rild:s0 tcontext=u:object_r:diag_device:s0 tclass=c
hr_file
denied { read write } for pid=828 comm="netmgrd" name="diag" dev="tmpfs"
ino=10642 scontext=u:r:netmgrd:s0 tcontext=u:object_r:diag_device:s0 tcl
ass=chr_file
denied { read write } for pid=826 comm="cnd" name="diag" dev="tmpfs" ino
=10642 scontext=u:r:cnd:s0 tcontext=u:object_r:diag_device:s0 tclass=chr
_file
denied { read write } for pid=1559 comm="iptables-wrappe" path="/dev/dia
g" dev="tmpfs" ino=17555 scontext=u:r:netutils_wrapper:s0 tcontext=u:obj
ect_r:diag_device:s0 tclass=chr_file
Test: domains that need diag_device access can get access to it
Change-Id: I6b2473958d10145ed981c5fbcb2ebd3232fcee0e
nd.te
al_graphics_composer_default.te
al_sensors_default.te
ms.te
etmgrd.te
etutils_wrapper.te
ti.te
ild.te
ensors.te
hermal-engine.te
ime_daemon.te
cnss_service.te
|
| e2c0c287fb8fe6b0f33c1a84492c41baaf29c074 |
06-Oct-2017 |
Tao Bao <tbao@google.com> |
sepolicy: Remove update_verifier.te.
It has been added into core policy through
https://android-review.googlesource.com/c/platform/system/sepolicy/+/503421.
Bug: 63440407
Test: update_verifier successfully triggers blocks verification and
marks a sucessful boot;
Test: No sysfs_dm related denials on walleye.
Change-Id: I5605af8b10d890489c25f16f82274f828e10e751
pdate_verifier.te
|
| 23ea15a12a5e253241d85f57568bec709e85f98f |
05-Oct-2017 |
Jeff Vander Stoep <jeffv@google.com> |
sepolicy: domain: remove world access to /dev/diag
This driver is not safe for general use, particularly for third party
apps, even on debug builds.
Adding OWNERS file in a subsequent commit to prevent security violations
like this from getting checked in.
Test: build
Change-Id: I245244e924ae247b6fbd48aa033bb71cca6067de
omain.te
|
| 4fa2c7c8b842f293f406f654c287271fc9fe41fe |
02-Oct-2017 |
Wei Wang <wvw@google.com> |
Add UFS health information into board specific dumpstate
Test: Take bugreport
Bug: 66967195
Change-Id: Id635b64f77d4a6fdc1ace2290f89adfdf86514a7
Merged-In: Id635b64f77d4a6fdc1ace2290f89adfdf86514a7
(cherry picked from commit 0db0037ca1a8015e26c45c0d45e9e5f1976a2881)
ile.te
enfs_contexts
al_dumpstate_impl.te
|
| 0db0037ca1a8015e26c45c0d45e9e5f1976a2881 |
02-Oct-2017 |
Wei Wang <wvw@google.com> |
Add UFS health information into board specific dumpstate
Test: Take bugreport
Bug: 66967195
Change-Id: Id635b64f77d4a6fdc1ace2290f89adfdf86514a7
ile.te
enfs_contexts
al_dumpstate_impl.te
|
| c16eac87679cb20e4779129c85a4e3454c5a8709 |
25-Aug-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Fix build. Remove dup file_contexts label
/dev/input(/.*)? u:object_r:input_device:s0
Is now in core policy. Remove from device specific policy.
(cherry-pick of commit: 1fa31288a051c763d158fc69fcc280862d77e87b)
Bug: 64954704
Test: build
Change-Id: Id16dccff58843e619e5197661f7ffabc22c3e213
ile_contexts
|
| e3ea723c144562102fcae7b35bb16592e65ba6ae |
26-Sep-2017 |
Ecco Park <eccopark@google.com> |
selinux: add the BT logging permission for Pixel logger [DO NOT MERGE]
Denial message:
09-13 18:55:11.249 7554 7577 W libc : Unable to set property
"persist.service.bdroid.snooplog" to "true": error code: 0x18
09-13 18:55:11.250 7554 7577 E AndroidRuntime: FATAL EXCEPTION:
LoggingService
09-13 18:55:11.250 7554 7577 E AndroidRuntime: Process:
com.android.pixellogger, PID: 7554
09-13 18:55:11.250 7554 7577 E AndroidRuntime:
java.lang.RuntimeException: failed to set system property
09-13 18:55:11.250 7554 7577 E AndroidRuntime: at
android.os.SystemProperties.native_set(Native Method)
09-13 18:55:11.250 7554 7577 E AndroidRuntime: at
android.os.SystemProperties.set(SystemProperties.java:171)
09-13 18:55:11.250 7554 7577 E AndroidRuntime: at
com.android.pixellogger.data.logger.vendor.qct.ModemLogger$1.onStart(ModemLogger.java:79)
09-13 18:55:11.250 7554 7577 E AndroidRuntime: at
com.android.pixellogger.data.logger.vendor.qct.ModemLogger.lambda$startLogging$0$ModemLogger(ModemLogger.java:186)
09-13 18:55:11.250 7554 7577 E AndroidRuntime: at
com.android.pixellogger.data.logger.vendor.qct.ModemLogger$$Lambda$0.accept(Unknown
Source:6)
09-13 18:55:11.250 7554 7577 E AndroidRuntime: at
java.util.HashMap.forEach(HashMap.java:1292)
09-13 18:55:11.250 7554 7577 E AndroidRuntime: at
com.android.pixellogger.data.logger.vendor.qct.ModemLogger.startLogging(ModemLogger.java:183)
09-13 18:55:11.250 7554 7577 E AndroidRuntime: at
com.android.pixellogger.service.logging.LoggingService$StartLoggingRunnable.run(LoggingService.java:458)
09-13 18:55:11.250 7554 7577 E AndroidRuntime: at
android.os.Handler.handleCallback(Handler.java:790)
09-13 18:55:11.250 7554 7577 E AndroidRuntime: at
android.os.Handler.dispatchMessage(Handler.java:99)
09-13 18:55:11.250 7554 7577 E AndroidRuntime: at
android.os.Looper.loop(Looper.java:164)
09-13 18:55:11.250 7554 7577 E AndroidRuntime: at
android.os.HandlerThread.run(HandlerThread.java:65)
09-13 18:55:11.251 1147 2530 W ActivityManager: Force finishing
activity com.android.pixellogger/.ui.main.MainActivity
09-13 18:55:11.257 1147 1206 I ActivityManager: Showing crash dialog
for package com.android.pixellogger u0
09-13 21:38:45.198 2084 2084 W wcnss_filter: type=1400
audit(0.0:1174):
avc: denied { read } for name="timestamp_switch" dev="sysfs" ino=27539
scontext=u:r:wcnss_filter:s0
tcontext=u:object_r:sysfs_timestamp_switch:s0 tclass=file permissive=0
09-13 21:30:50.451 2031 2031 W wcnss_filter: type=1400
audit(0.0:1390): avc: denied { search } for name="diagchar" dev="sysfs"
ino=27213 scontext=u:r:wcnss_filter:s0 tcontext=u:object_r:sysfs_diag:s0
tclass=dir permissive=0
Bug: 37298084
Change-Id: I793b6ee7d712208b3ae685e3c0de59fd2091b763
Signed-off-by: Ecco Park <eccopark@google.com>
ogger_app.te
roperty.te
roperty_contexts
cnss_filter.te
|
| 4a5ab5dc1fb500ac1b154a56c6f9255fa17d566b |
23-Sep-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Merge "Update ArCore/Tango pem file for userdebug" into oc-mr1-dev am: 5291355c7a
am: c170c4b0fe
Change-Id: I9d017d980396e2f74cc76ac60be3ed73ba987e79
|
| 5291355c7a188e21485bf14f06f3cd72d3d080bd |
23-Sep-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Update ArCore/Tango pem file for userdebug" into oc-mr1-dev
|
| fefa4cf09f846490bb0b6c98ee9184b37d3c7ae3 |
23-Sep-2017 |
Tri Vo <trong@google.com> |
Merge "Ramdump read access to proc/cmdline"
|
| 78c71304f2912d9c8164eb58a5dc39f9d9054dcc |
22-Sep-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Update ArCore/Tango pem file for userdebug
A new test key is assigned for tango core here:
//wireless/android/build_tools/signing/apk_dev_keys/tango_core/tango_core.x509.pem
BUG: 66701538
Test: Tested on walleye with tango mapper
Change-Id: I6cc11309d9c5b341176256eb1fad8bd9bd25c054
erts/tango.x509.pem
|
| 6ce431799ec477cd57a51d41312e1fc580aca3f0 |
21-Sep-2017 |
Tri Vo <trong@google.com> |
Ramdump read access to proc/cmdline
Test: device boots without selinux denials from ramdump
Change-Id: Id4b0dc53295ef26b53d0f7b0e6d65e435743509f
amdump.te
|
| 38acc8772ba3956dc8282f155354d797dbe9656d |
20-Sep-2017 |
Todd Poynor <toddpoynor@google.com> |
sepolicy: move thermal HAL to thermal-engine am: f16a701e6b
am: 201aba5d5e
Change-Id: Id5d15f33560d1a551b4e873369e83510c03b7e3a
|
| 27560dbb58df94641b182094ffdc6c2620402851 |
20-Sep-2017 |
Todd Poynor <toddpoynor@google.com> |
resolve merge conflicts of 84f6876 to master
Namely, de.lete the tmeral service .rc file, which had been modified in
master, but is now obsolete with this change.
Test: It'll be fine, trust me
Change-Id: I39a5b27813dddc96eef3f8a26033163c315e579c
|
| f16a701e6b15ea3af962c354992bdaa1cc52ddb6 |
24-Aug-2017 |
Todd Poynor <toddpoynor@google.com> |
sepolicy: move thermal HAL to thermal-engine
Move standalone Thermal HAL daemon permissions to thermal-engine
Thermal HAL for Qualcomm-based devices is now served by the vendor
daemon for thermal management: thermal-engine.
Bug: 30982366
Test: manual on walleye: audit logs
Change-Id: I95e8dde9825b99c5ad28212f4eb34b774d1759e9
al_thermal_default.te
hermal-engine.te
|
| c447163a838ebfed1a34d8bd03ad37763667fbff |
24-Aug-2017 |
Todd Poynor <toddpoynor@google.com> |
sepolicy: use context thermal_device for thermal driver device file
File /dev/msm_thermal_query is labeled with audio_device context,
which isn't accurate and triggers a neverallow rule when
thermal-engine is modified (in a future commit) to serve the
Thermal HAL. Use thermal_device context like other devices.
Bug: 30982366
Test: manual on walleye: logcat messages for device open OK
Change-Id: I62b995f90d034ddd4f80378d197d9206e2f96748
evice.te
ile_contexts
hermal-engine.te
|
| cd6f8d52a4a5591ae5223ca9fcaf30c2d5c0fb8a |
20-Sep-2017 |
Wei Wang <wvw@google.com> |
Merge "dumpstate: Add UFS debug output to dumpstate_board.txt" into oc-mr1-dev
|
| c29a09d4412630dd6cdbfe6b549c3e93184b10b8 |
20-Sep-2017 |
Petri Gynther <pgynther@google.com> |
resolve merge conflicts of b8bc815 to master
Change-Id: Ia152696bc3028aa711cb579af96b4fae6e194101
|
| 5e02a58ecb8e6c1fb95bc90ad431091dd2fc0325 |
19-Sep-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "dumpstate: Add UFS debug output to dumpstate_board.txt"
|
| 8fd5d9eb86c1ec73b1541dbdd3877fc0169f05d5 |
19-Sep-2017 |
Wei Wang <wvw@google.com> |
dumpstate: Add UFS debug output to dumpstate_board.txt
Bug: 65848498
Test: adb bugreport
Change-Id: I0df04fdabf085341ba679ffedf06dcdea407e322
(cherry picked from commit 383c58d861e790b6144086052e1778c26e4f0b4d)
al_dumpstate_impl.te
|
| 50ecd957e65b2dce2e9286ab7f5ad1e6f2ac700b |
15-Sep-2017 |
Petri Gynther <pgynther@google.com> |
Bluetooth sepolicy: Move BT dumps to /data/vendor/ssrdump
1. Move BT dumps to /data/vendor/ssrdump
2. Don't allow wcnss_filter to read /data/vendor/ssrdump
3. Allow wcnss_filter to set SSR properties
Bug: 37298084
Bug: 65402355
Change-Id: I39afdd00df86957dcec77b905344f9d131b1a44a
cnss_filter.te
|
| 383c58d861e790b6144086052e1778c26e4f0b4d |
19-Sep-2017 |
Wei Wang <wvw@google.com> |
dumpstate: Add UFS debug output to dumpstate_board.txt
Bug: 65848498
Test: adb bugreport
Change-Id: I0df04fdabf085341ba679ffedf06dcdea407e322
al_dumpstate_impl.te
|
| 0c7da9766bd829a90dc153d44aa7e7e1f8b89e69 |
19-Sep-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Add 'vendor.' prefix to a vendor daemon name"
|
| 98a67963fba19d795339f7ab350414c999dd8c3b |
14-Sep-2017 |
Ecco Park <eccopark@google.com> |
selinux: add the BT logging permission for Pixel logger
Denial message:
09-13 18:55:11.249 7554 7577 W libc : Unable to set property
"persist.service.bdroid.snooplog" to "true": error code: 0x18
09-13 18:55:11.250 7554 7577 E AndroidRuntime: FATAL EXCEPTION:
LoggingService
09-13 18:55:11.250 7554 7577 E AndroidRuntime: Process:
com.android.pixellogger, PID: 7554
09-13 18:55:11.250 7554 7577 E AndroidRuntime:
java.lang.RuntimeException: failed to set system property
09-13 18:55:11.250 7554 7577 E AndroidRuntime: at
android.os.SystemProperties.native_set(Native Method)
09-13 18:55:11.250 7554 7577 E AndroidRuntime: at
android.os.SystemProperties.set(SystemProperties.java:171)
09-13 18:55:11.250 7554 7577 E AndroidRuntime: at
com.android.pixellogger.data.logger.vendor.qct.ModemLogger$1.onStart(ModemLogger.java:79)
09-13 18:55:11.250 7554 7577 E AndroidRuntime: at
com.android.pixellogger.data.logger.vendor.qct.ModemLogger.lambda$startLogging$0$ModemLogger(ModemLogger.java:186)
09-13 18:55:11.250 7554 7577 E AndroidRuntime: at
com.android.pixellogger.data.logger.vendor.qct.ModemLogger$$Lambda$0.accept(Unknown
Source:6)
09-13 18:55:11.250 7554 7577 E AndroidRuntime: at
java.util.HashMap.forEach(HashMap.java:1292)
09-13 18:55:11.250 7554 7577 E AndroidRuntime: at
com.android.pixellogger.data.logger.vendor.qct.ModemLogger.startLogging(ModemLogger.java:183)
09-13 18:55:11.250 7554 7577 E AndroidRuntime: at
com.android.pixellogger.service.logging.LoggingService$StartLoggingRunnable.run(LoggingService.java:458)
09-13 18:55:11.250 7554 7577 E AndroidRuntime: at
android.os.Handler.handleCallback(Handler.java:790)
09-13 18:55:11.250 7554 7577 E AndroidRuntime: at
android.os.Handler.dispatchMessage(Handler.java:99)
09-13 18:55:11.250 7554 7577 E AndroidRuntime: at
android.os.Looper.loop(Looper.java:164)
09-13 18:55:11.250 7554 7577 E AndroidRuntime: at
android.os.HandlerThread.run(HandlerThread.java:65)
09-13 18:55:11.251 1147 2530 W ActivityManager: Force finishing
activity com.android.pixellogger/.ui.main.MainActivity
09-13 18:55:11.257 1147 1206 I ActivityManager: Showing crash dialog
for package com.android.pixellogger u0
09-13 21:38:45.198 2084 2084 W wcnss_filter: type=1400 audit(0.0:1174):
avc: denied { read } for name="timestamp_switch" dev="sysfs" ino=27539
scontext=u:r:wcnss_filter:s0 tcontext=u:object_r:sysfs_timestamp_switch:s0 tclass=file permissive=0
09-13 21:30:50.451 2031 2031 W wcnss_filter: type=1400
audit(0.0:1390): avc: denied { search } for name="diagchar" dev="sysfs"
ino=27213 scontext=u:r:wcnss_filter:s0 tcontext=u:object_r:sysfs_diag:s0
tclass=dir permissive=0
Change-Id: Ia05996c1b6e0969ef6df6ea142271f76445b90e1
Signed-off-by: Ecco Park <eccopark@google.com>
ogger_app.te
roperty.te
roperty_contexts
cnss_filter.te
|
| 491d56144b5d3a4192533867fe889f97eb4e2fbd |
14-Sep-2017 |
Jaekyun Seok <jaekyun@google.com> |
Add 'vendor.' prefix to a vendor daemon name
To prevent property name collisions between properties of system and
vendor, 'vendor.' prefix must be added to a vendor HAL service name.
You can see the details in http://go/treble-sysprop-compatibility.
Test: succeeded building and tested on a walleye device
Bug: 36796459
Change-Id: I519603b13978567b51dbb2bcb866aa088a1646e4
roperty_contexts
|
| a3bb8e636f6cad35aa505c017fb721052edf873c |
08-Sep-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "camera HAL is a client of configstore" into oc-mr1-dev am: 211f213136
am: b540750757
Change-Id: I2367dc94597a7a54979de369fa3e742bc2b5d034
|
| 5372e457d47e7de41c34fc9b276fe8dadbf7df61 |
08-Sep-2017 |
Jeff Vander Stoep <jeffv@google.com> |
camera HAL is a client of configstore
Addresses:
avc: denied { find } for
interface=android.hardware.configstore::ISurfaceFlingerConfigs pid=817
scontext=u:r:hal_camera_default:s0
tcontext=u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
tclass=hwservice_manager permissive=0
Bug: 65454046
Test: camera app
Change-Id: I84b92e5809b89b7f755322d485b92f5e7175a06a
al_camera_default.te
|
| 81fbfee4435db1a2b67a82e6a7bd34c1c8efe68b |
06-Sep-2017 |
Ecco Park <eccopark@google.com> |
Merge "selinux: change the package name for pixel logger"
|
| 3a4b93f2ddf81c7f7a1364ceb20389a31cc695e8 |
02-Sep-2017 |
Maggie White <maggiewhite@google.com> |
Merge "Add easel debug output to dumpstate_board.txt" into oc-mr1-dev am: 6ada147166
am: 16bdff7be4
Change-Id: Ic45760fc58fcc49eea9edc870ed65242236a69ef
|
| 0f1c9a667dc5c8ea635f17ef5d16f4db695fe4b5 |
01-Sep-2017 |
Maggie White <maggiewhite@google.com> |
Add easel debug output to dumpstate_board.txt
Bug: 64975902
Change-Id: I6354c1f19d38611cd2c2edf149d35355f6ce99a7
Test: adb bugreport
Signed-off-by: Maggie White <maggiewhite@google.com>
enfs_contexts
al_dumpstate_impl.te
|
| e64c0a5e56ebfe68f18408ac15a1f33e7a200a14 |
29-Aug-2017 |
Ecco Park <eccopark@google.com> |
selinux: change the package name for pixel logger
Bug: 64000290
Change-Id: I2c90fe2ce1ef92b3585f8f930f20065808e62054
Signed-off-by: Ecco Park <eccopark@google.com>
eapp_contexts
|
| 78e962a5a49e03ff9a8328a3580ca8d63e10be90 |
31-Aug-2017 |
Chia-kai Liang <ckliang@google.com> |
Merge "Add camera HAL to be client of thermal HAL." into oc-mr1-dev am: 0c3aeadab9
am: 54d177d0dd
Change-Id: Icb90da50490a75ec2fe283437ebc2e019fc3d313
|
| e9627865a76de0ef3419c19714158a6be1802cac |
31-Aug-2017 |
Chia-Kai Liang <ckliang@google.com> |
Add camera HAL to be client of thermal HAL.
Test: Run and build locally with ag/2824593
Bug: 65099590
Change-Id: I4a52b6fc083875c005633cd56d93b125ed720c35
al_camera_default.te
|
| fe2ee6937a14c52a13d7ce08826ed17d27cd13e4 |
25-Aug-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove dup file_contexts label" into oc-mr1-dev am: 45d69d4b0a
am: 5360de7d22
Change-Id: I2ee54ea57c7b2d9ee2d76b6615ae38b9a4d72e51
|
| 45d69d4b0aefe62d696d65ff694b8d77b61bec09 |
25-Aug-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Remove dup file_contexts label" into oc-mr1-dev
|
| 1fa31288a051c763d158fc69fcc280862d77e87b |
25-Aug-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Remove dup file_contexts label
/dev/input(/.*)? u:object_r:input_device:s0
Is now in core policy. Remove from device specific policy.
Bug: 64954704
Test: build
Change-Id: Id16dccff58843e619e5197661f7ffabc22c3e213
ile_contexts
|
| bdf21e39c6d178fb29d7ef098e19720253dd4348 |
17-Aug-2017 |
Ecco Park <eccopark@google.com> |
Merge "sepolicy: change the sepolicy for cnss_diag" into oc-mr1-dev am: 6627e394f7
am: bd78911e02
Change-Id: Ic4cfa741400fb6963229e6606030e33ef7b4899e
|
| d024c1334a1900aba407174ade6aa2f196e4fbfc |
11-Aug-2017 |
Ecco Park <eccopark@google.com> |
sepolicy: change the sepolicy for cnss_diag
cnss_diag: type=1400 audit(0.0:65):
avc: denied { search } for name="diagchar" dev="sysfs" ino=27415
scontext=u:r:wcnss_service:s0 tcontext=u:object_r:sysfs_diag:s0
tclass=dir permissive=0
audit(1502477202.513:37783): avc: denied { read
} for pid=989 comm="cnss_diag" name="timestamp_switch" dev="sysfs"
ino=27761 scontext=u:r:wcnss_service:s0
tcontext=u:object_r:sysfs_timestamp_switch:s0 tclass=file permissive=0
Bug:64604240
Change-Id: I1b882b15908241c18d694947b8de11136e6afee2
Signed-off-by: Ecco Park <eccopark@google.com>
cnss_service.te
|
| e05d5dc4338af029295bed8b8163409f5ae08296 |
09-Aug-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Merge "sepolicy: Rename com.google.arcore to com.google.ar.core" into oc-dr1-dev am: 2bfa33e92d am: 05cae99117
am: 532b3f9a84
Change-Id: I51e0ef6b8ba0e6403c0753fa7f28fdd85c7f95ca
|
| 532b3f9a849e33e224d2f8d22f4c990616e75263 |
09-Aug-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Merge "sepolicy: Rename com.google.arcore to com.google.ar.core" into oc-dr1-dev am: 2bfa33e92d
am: 05cae99117
Change-Id: I554299a6dae8ec76503d390094c632d0d3167f87
|
| 8943e0d693cb8cf0ef6cf7b89c2166fd95916e1f |
09-Aug-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Merge "sepolicy: Rename com.google.arcore to com.google.ar.core" into oc-dr1-dev
am: 2bfa33e92d
Change-Id: Icfabe5a0eb1bc0a653fce0791afa240048c0d32e
|
| 2bfa33e92d7ad09d9338f6c6b74dd643dd6c20b4 |
09-Aug-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "sepolicy: Rename com.google.arcore to com.google.ar.core" into oc-dr1-dev
|
| a7e7e139ed9cfbcb7922079a0f816cc8a605889a |
03-Aug-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
sepolicy: Rename com.google.arcore to com.google.ar.core
Rename com.google.arcore to com.google.ar.core and add
arcore app keys
BUG=64121848
Test: Basic sanity
Change-Id: I7e0d6b3072da1b20177e43071598742d24b3bb5b
erts/arcore.x509.pem
erts/arcore_release.x509.pem
erts/arcore_userdev.x509.pem
eys.conf
ac_permissions.xml
eapp_contexts
|
| dd113869ca52d80baab80e161c291ca3279c6f1a |
08-Aug-2017 |
Steve Pfetsch <spfetsch@google.com> |
Merge "sepolicy: move ftm4 sepolicy" into oc-dr1-dev am: 16be8f0958 am: 8e092f89f8
am: 96479f7272
Change-Id: I5920b94c99a1dfca3fd510ba8224e9d074c304b1
|
| 8e092f89f89c189020ce0d0a2571ddb244e38c17 |
08-Aug-2017 |
Steve Pfetsch <spfetsch@google.com> |
Merge "sepolicy: move ftm4 sepolicy" into oc-dr1-dev
am: 16be8f0958
Change-Id: I6e5cd8676e7927d071e0b85ddd517940391f5e6b
|
| 16be8f095853d6ce0eb1d452bc285d04f2872a9c |
08-Aug-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "sepolicy: move ftm4 sepolicy" into oc-dr1-dev
|
| bbef3fd93a98957ff43a996d616f125f4c38f685 |
06-Aug-2017 |
Steve Pfetsch <spfetsch@google.com> |
sepolicy: move ftm4 sepolicy
Bug: 63911898
Change-Id: I738c4fa6cb441b51294dd8add412984505c285c9
enfs_contexts
|
| 4cd3660cd2627b67820d2081ade904503af58796 |
04-Aug-2017 |
Pankaj Kanwar <pkanwar@google.com> |
Merge "Revert "Allow collection of Bluetooth firmware dumps in bugreports (1/3)"" into oc-dr1-dev am: a29b03b81b am: 19649add1a
am: 011afa170a
Change-Id: I4eb3992f55959559ba990c56ac41aa4e5bf46608
|
| 19649add1a495905c62383e0ecff4dbb33aa9721 |
04-Aug-2017 |
Pankaj Kanwar <pkanwar@google.com> |
Merge "Revert "Allow collection of Bluetooth firmware dumps in bugreports (1/3)"" into oc-dr1-dev
am: a29b03b81b
Change-Id: Ifd2fdae72c1d49850d4e0d7edadf119aa60dd3ac
|
| a29b03b81b4e736dc0d429504ea29bc0afac07eb |
04-Aug-2017 |
Pankaj Kanwar <pkanwar@google.com> |
Merge "Revert "Allow collection of Bluetooth firmware dumps in bugreports (1/3)"" into oc-dr1-dev
|
| a17279baf42afe44d7fccf7c556b1d4f0dac1ff9 |
03-Aug-2017 |
Maggie White <maggiewhite@google.com> |
Merge "Add sysfs thermal permissions for dumpstate" into oc-mr1-dev am: 402a71e033
am: 7d85be6fd4
Change-Id: I17add7010f6a10a49935bbc4d735373580d3de70
|
| 17cc9388e71c44dc760e0633651153275e439746 |
03-Aug-2017 |
Pankaj Kanwar <pkanwar@google.com> |
Revert "Allow collection of Bluetooth firmware dumps in bugreports (1/3)"
This reverts commit a89c11643c311e3c9e8acf3bb2987d486ec7e2c7.
Change-Id: Ibbea725145de40ca23844a00946c373ffd40453d
cnss_filter.te
|
| 553fe6e9946548b3767c2f0e10be7c411ce95ab2 |
02-Aug-2017 |
Maggie White <maggiewhite@google.com> |
Add sysfs thermal permissions for dumpstate
Dumpstate currently cannot print temperature readings because it doesn't
have permissions to read thermal sensor values via sysfs. This commit
adds read permissions for sysfs_thermal.
Test: adb bugreport
Bug: 63602647
Change-Id: I20066adbb52b532eeb22e6992b0c0eca1c40cd5d
ile_contexts
enfs_contexts
al_dumpstate_impl.te
|
| 4c682f0f4b52216317b2ccfe9b23e46e11ce7d88 |
02-Aug-2017 |
Steve Pfetsch <spfetsch@google.com> |
wahoo: toggle special touch mode when VR mode is active am: fee56b7311 am: 3d5484c358
am: eb1e5e8aaa
Change-Id: I5c86b269672d5aa2e8b7e68bf1b7efb5e1babacd
|
| 3d5484c358c10b8a780a716cb7f5d28fa6004129 |
02-Aug-2017 |
Steve Pfetsch <spfetsch@google.com> |
wahoo: toggle special touch mode when VR mode is active
am: fee56b7311
Change-Id: I1d6b85772063d43c63ac472aca3583a1a0c5b070
|
| fee56b731150fe4ee2dbf434e8327da48f8fa940 |
02-Aug-2017 |
Steve Pfetsch <spfetsch@google.com> |
wahoo: toggle special touch mode when VR mode is active
Bug: 37515573
Change-Id: I5b741323f97f7d4713636a1688f50c9459d2764f
al_vr.te
|
| 7b6ff9bc564e809e9c5e8bafb12c755380b1b35a |
01-Aug-2017 |
Maggie White <maggiewhite@google.com> |
Add sysfs thermal permissions for dumpstate
Dumpstate currently cannot print temperature readings because it doesn't
have permissions to read thermal sensor values via sysfs. This commit
adds read permissions for sysfs_thermal.
Test: adb bugreport
Bug: 63602647
Change-Id: I21dd6f7bcaabaff722c8847b0958c725d661f489
ile_contexts
enfs_contexts
al_dumpstate_impl.te
|
| da3e1efaff008a3690c88a7d1f0aaf695b5b45d3 |
01-Aug-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Merge "sepolicy: Add com.google.arcore as alias to com.google.tango" into oc-dr1-dev am: 7386cd87a7 am: b542783136
am: 7d8c32f5b6
Change-Id: Ifceccfa4777b4cfd2bbc0d1e1f9ac87dbf56ecd3
|
| 7d8c32f5b642a8ef31865021c66855429594df1f |
01-Aug-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Merge "sepolicy: Add com.google.arcore as alias to com.google.tango" into oc-dr1-dev am: 7386cd87a7
am: b542783136
Change-Id: I18201a2d742a73a76345a53f56af738234934f0f
|
| 9f37253b87c128ebe0b17edf67b19c68debb14b5 |
01-Aug-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Merge "sepolicy: Add com.google.arcore as alias to com.google.tango" into oc-dr1-dev
am: 7386cd87a7
Change-Id: Ic5bd22ed62678049044a43e32d4958077f09b552
|
| 7386cd87a78c56a691d3e7a458c437aca86f03a7 |
01-Aug-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "sepolicy: Add com.google.arcore as alias to com.google.tango" into oc-dr1-dev
|
| dca818984bdebad12daf2a3e74f2db7c7cc605f6 |
01-Aug-2017 |
Trevor Bunker <trevorbunker@google.com> |
Merge "sepolicy: allow camera HAL more access to easelcomm" into oc-dr1-dev am: 6ec569f9c8 am: 3ede8061ac
am: fae76eacc5
Change-Id: I3a136275bafb566a909d887174a15dee7bdec023
|
| fae76eacc56f3895015bc71efc0d14dd5c0cfd16 |
01-Aug-2017 |
Trevor Bunker <trevorbunker@google.com> |
Merge "sepolicy: allow camera HAL more access to easelcomm" into oc-dr1-dev am: 6ec569f9c8
am: 3ede8061ac
Change-Id: I75b45779af3cc36ed04bfaf95eaf5ef979fb915f
|
| 628af13fb51fd4c7bf3e374480dc28ccb5d86a6b |
01-Aug-2017 |
Trevor Bunker <trevorbunker@google.com> |
Merge "sepolicy: allow camera HAL more access to easelcomm" into oc-dr1-dev
am: 6ec569f9c8
Change-Id: I7c609a72695dd554e8bd6c04bc42e704ad17625b
|
| 6ec569f9c8138e5b0c2f54705d58acc681bb3e21 |
01-Aug-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "sepolicy: allow camera HAL more access to easelcomm" into oc-dr1-dev
|
| 5c511ef077c32078f695f3001c4b366159292a76 |
31-Jul-2017 |
John Dias <joaodias@google.com> |
Merge "irqbalance: add msm_irqbalance to wahoo" into oc-dr1-dev am: ac85d615c5 am: 1ba48537ec
am: 52605a47f9
Change-Id: Ifc09c0d5bb08be0d3036f0b8ab8636a62e2a6815
|
| 52605a47f908f5732d8c8eca1399b33dd509b713 |
31-Jul-2017 |
John Dias <joaodias@google.com> |
Merge "irqbalance: add msm_irqbalance to wahoo" into oc-dr1-dev am: ac85d615c5
am: 1ba48537ec
Change-Id: I1875c0d10594064b703df1aa46d169e201ff49c8
|
| 05c78bfff990075d1a7b3255683a3baf73f96d74 |
31-Jul-2017 |
John Dias <joaodias@google.com> |
Merge "irqbalance: add msm_irqbalance to wahoo" into oc-dr1-dev
am: ac85d615c5
Change-Id: Ia5d8541b579a3784dcc40608c9152469d5fef32b
|
| ac85d615c5280e756c1740079d84c92384490d45 |
31-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "irqbalance: add msm_irqbalance to wahoo" into oc-dr1-dev
|
| 4b440c49bbad354c23508e132ad85ddd1fdf7c1f |
31-Jul-2017 |
Niranjan Pendharkar <npendhar@codeaurora.org> |
Merge "allow netmgrd to use INetd hal" into oc-dr1-dev am: ff61a6fa2c am: a241fefe3c
am: d77b41ee8d
Change-Id: Iba3e6cfa21e816646ccbd86ddac9f58284931824
|
| d77b41ee8d830f5bb706aa65b717d1724047774e |
31-Jul-2017 |
Niranjan Pendharkar <npendhar@codeaurora.org> |
Merge "allow netmgrd to use INetd hal" into oc-dr1-dev am: ff61a6fa2c
am: a241fefe3c
Change-Id: I124002803022db7356e093608da745803d92efde
|
| 469fef653e4dfadfa482b1013b5c0031ad4f9ad9 |
31-Jul-2017 |
Niranjan Pendharkar <npendhar@codeaurora.org> |
Merge "allow netmgrd to use INetd hal" into oc-dr1-dev
am: ff61a6fa2c
Change-Id: I6234d766d0028a84570053f3fc25e37052f74b1f
|
| ff61a6fa2cb25175256c81f22ccb747aaf5057e0 |
31-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "allow netmgrd to use INetd hal" into oc-dr1-dev
|
| 2b7671248921c31bf47de0ea2c505b08ce62c7c9 |
31-Jul-2017 |
Trevor Bunker <trevorbunker@google.com> |
sepolicy: allow camera HAL more access to easelcomm
Fixes denial:
denied { getattr } for path="/dev/easelcomm-client" dev="tmpfs"
ino=17584 scontext=u:r:hal_camera_default:s0
tcontext=u:object_r:easel_device:s0 tclass=chr_file permissive=0
Bug: 64115673
Test: Camera CTS
Change-Id: I2fdbd0b82b1057cb3cdd4a53af008332f250d53a
al_camera.te
|
| 1a78d72187c86fae0229ff49a7bec6e6bf1f1444 |
25-Jul-2017 |
John Dias <joaodias@google.com> |
irqbalance: add msm_irqbalance to wahoo
Bug: 63632610
Test: boot, verify that irqs are pinned
Change-Id: I9a2132523f59b8a0a91c846174ce259b1d0f1e7f
ile.te
ile_contexts
enfs_contexts
rqbalance.te
old.te
|
| d4432f0f9ec2ea43a560d1fd8ee1674449f75228 |
30-Jul-2017 |
Martijn Coenen <maco@google.com> |
Merge "Remove service_contexts." into oc-dr1-dev am: da1c0f3d9d am: dd180bf480
am: 6b87e495e3
Change-Id: I03852ca29bee19f88ba316b3d538cfac816f0fff
|
| dd180bf480726f66024f875e32b30fc71e9b45e2 |
30-Jul-2017 |
Martijn Coenen <maco@google.com> |
Merge "Remove service_contexts." into oc-dr1-dev
am: da1c0f3d9d
Change-Id: I2c0ae2ad090f81c548445fbeaac62cfe03e123f0
|
| da1c0f3d9da42569ba68cd1a84440ac9210ca0c2 |
30-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Remove service_contexts." into oc-dr1-dev
|
| af72448ad3d268ac30bf63eec54d40b73daa2212 |
29-Jul-2017 |
Brian Duddie <bduddie@google.com> |
Merge "Allow sensors HAL/daemon to read diag timestamp switch" into oc-dr1-dev am: f93a0d3c94 am: 7bb0fe2119
am: 079386a079
Change-Id: Ic41c5d6c8249f88ee44764819cae572354c12cc4
|
| 5e594ab2dea6c21d6631a5a448300cc5775bc5bf |
29-Jul-2017 |
Stuart Scott <stuartscott@google.com> |
Merge "Add SEPolicy for collecting battery counters" into oc-dr1-dev am: 77f8984cf8 am: 386ccc968e
am: 8205c337a1
Change-Id: I92111bc7151e639fd630dbe522270cd2a0359177
|
| 079386a079ac8dd116d0062e66e4ff425463c5af |
28-Jul-2017 |
Brian Duddie <bduddie@google.com> |
Merge "Allow sensors HAL/daemon to read diag timestamp switch" into oc-dr1-dev am: f93a0d3c94
am: 7bb0fe2119
Change-Id: I54174ed059c80d2161b27eba0cb6b681f24dc09b
|
| 8205c337a1e1891507ff28575e95d20b20bd3dce |
28-Jul-2017 |
Stuart Scott <stuartscott@google.com> |
Merge "Add SEPolicy for collecting battery counters" into oc-dr1-dev am: 77f8984cf8
am: 386ccc968e
Change-Id: Ia24433cd32c5db853664e08c25874f87966e2995
|
| 8e5bcd308273e00077c2fbbe363af45363dfcd60 |
28-Jul-2017 |
Brian Duddie <bduddie@google.com> |
Merge "Allow sensors HAL/daemon to read diag timestamp switch" into oc-dr1-dev
am: f93a0d3c94
Change-Id: I232463123a370f464757160f1452ac770d36ac9e
|
| d8835f54a50829b2bbf0f785de3a5912f797995c |
28-Jul-2017 |
Stuart Scott <stuartscott@google.com> |
Merge "Add SEPolicy for collecting battery counters" into oc-dr1-dev
am: 77f8984cf8
Change-Id: I1cf18014ed3f77e8b3fc9870cd5ffb378fbda676
|
| 7b7530c0e6c33ae6fec28aa13c8d7909f710f800 |
27-Jul-2017 |
Niranjan Pendharkar <npendhar@codeaurora.org> |
allow netmgrd to use INetd hal
Remove permissions to read /data/misc/* (netd pid file).
Allow netmgrd to become client of INetd HAL.
Test: no denials
Bug:36682246
Change-Id: If7a120a74ced3e63eed6baea288e814a7a0e177e
etmgrd.te
|
| f93a0d3c949515de62566bbd6168d0dfd2b4d0fb |
28-Jul-2017 |
Brian Duddie <bduddie@google.com> |
Merge "Allow sensors HAL/daemon to read diag timestamp switch" into oc-dr1-dev
|
| 5cfbf95977d29e00756ca9fff135fa91d13460a7 |
28-Jul-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
sepolicy: Add com.google.arcore as alias to com.google.tango
ARSDK adds a wrapper package with prefix com.google.arcore
BUG=64121848
Test: Basic sanity
Change-Id: Icce80ec416516f3ac11110aa9618929289936084
eys.conf
eapp_contexts
|
| 77f8984cf8e8022255e6bd9b1fb30617e9a90c7e |
28-Jul-2017 |
Stuart Scott <stuartscott@google.com> |
Merge "Add SEPolicy for collecting battery counters" into oc-dr1-dev
|
| 3ef8701698d42edd0bb14d89c8900be2feccc757 |
28-Jul-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Merge "Add untrusted_app permissions to tango_core.te" into oc-mr1-dev am: 76690815ce
am: 757ba1c8cb
Change-Id: I8a7eb1ce550f272ecb1b9954d3297cbdc0be661a
|
| 76690815ce3508776578f929a0e89b62871b558b |
28-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Add untrusted_app permissions to tango_core.te" into oc-mr1-dev
|
| 27a28b2bfc5afc3f71d167945fc96cb4d19f49b2 |
28-Jul-2017 |
Brian Duddie <bduddie@google.com> |
Allow sensors HAL/daemon to read diag timestamp switch
Allow the sensors daemon and HAL to read the sysfs node that controls
the timestamp source to use when creating diag (QXDM/Pixel Logger) log
packets.
Denials:
avc: denied { search } for pid=758 comm=504F5349582074696D65722030
name="diagchar" dev="sysfs" ino=27415
scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_diag:s0
tclass=dir permissive=1
avc: denied { read } for pid=758 comm=504F5349582074696D65722030
name="timestamp_switch" dev="sysfs" ino=27741
scontext=u:r:hal_sensors_default:s0
tcontext=u:object_r:sysfs_timestamp_switch:s0 tclass=file permissive=1
avc: denied { open } for pid=758 comm=504F5349582074696D65722030
path="/sys/module/diagchar/parameters/timestamp_switch" dev="sysfs"
ino=27741 scontext=u:r:hal_sensors_default:s0
tcontext=u:object_r:sysfs_timestamp_switch:s0 tclass=file permissive=1
avc: denied { search } for pid=774 comm="sensors.qcom" name="diagchar"
dev="sysfs" ino=27415 scontext=u:r:sensors:s0
tcontext=u:object_r:sysfs_diag:s0 tclass=dir permissive=1
avc: denied { read } for pid=774 comm="sensors.qcom"
name="timestamp_switch" dev="sysfs" ino=27741 scontext=u:r:sensors:s0
tcontext=u:object_r:sysfs_timestamp_switch:s0 tclass=file permissive=1
avc: denied { open } for pid=774 comm="sensors.qcom"
path="/sys/module/diagchar/parameters/timestamp_switch" dev="sysfs"
ino=27741 scontext=u:r:sensors:s0
tcontext=u:object_r:sysfs_timestamp_switch:s0 tclass=file permissive=1
Bug: 64124346
Test: enable Pixel Logger, monitor logcat/dmesg and confirm no SELinux
denials or permission denied error messages
Change-Id: I4f23be62e3d30674e57a0a8acfc33cc02fddbd9b
al_sensors_default.te
ensors.te
|
| cac92e14f03eccc05ff16be5d4b9e370622608ba |
28-Jul-2017 |
Martijn Coenen <maco@google.com> |
Remove service_contexts.
These are binder services that are no longer served
from vendor processes, so they don't belong here.
"rcs" is still served, but from a system process,
so move it to private/service_contexts instead.
Bug: 36866029
Test: build, boot wahoo
Change-Id: I13364dcb7bc5734c1e0830360ec7d2ceb0312827
adio.te
ervice.te
ervice_contexts
|
| 4deb3410152c434bf21adf8eb4fa7723b3b3105f |
30-Jun-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Add untrusted_app permissions to tango_core.te
tango_core domain should be allowed to do everything the untrusted_app
domain can. Otherwise we're likely to hit further issues in the future.
BUG=63167163
Test: Tested TangoVerifier
Change-Id: I14f627230ab4de94c8f05af338ebb50561a242b8
ile_contexts
ango_core.te
|
| e1c91d450a843d29cc1cfe4821a2b7d88394fe5d |
25-Jul-2017 |
Stuart Scott <stuartscott@google.com> |
Add SEPolicy for collecting battery counters
Bug: 63841211
Test: pts-tradefed run pts -m PtsHardwareInfo
Change-Id: I59f25fed1775eddb6f91c68b74f04b41b5777095
ile.te
enfs_contexts
ardware_info_app.te
|
| 8d90e98b8209fd3b3dfd5ef4b7f79453c45058f5 |
27-Jul-2017 |
Sandeep Patil <sspatil@google.com> |
Merge "file_context: make libadsprpc a same_process_hal_file .. again." into oc-dr1-dev am: a99fb8d7ce am: e72cf27eed
am: fe34e97b2a
Change-Id: I90f976e3d97c4d47d889f4635f7f6d1344ac931b
|
| fe34e97b2a2776b18cdfd3199374937c4ab191bd |
27-Jul-2017 |
Sandeep Patil <sspatil@google.com> |
Merge "file_context: make libadsprpc a same_process_hal_file .. again." into oc-dr1-dev am: a99fb8d7ce
am: e72cf27eed
Change-Id: I5f54f73d293d7aa93af60225d6193bfe2dd08d9e
|
| 06d1a12a6dd1317623175b03517d9e081e53d9b4 |
27-Jul-2017 |
Sandeep Patil <sspatil@google.com> |
Merge "file_context: make libadsprpc a same_process_hal_file .. again." into oc-dr1-dev
am: a99fb8d7ce
Change-Id: I71b49450f3eb3db6ad66131bda7fabe91143845e
|
| a99fb8d7ce00faf7fd551951bc94832839709e6f |
27-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "file_context: make libadsprpc a same_process_hal_file .. again." into oc-dr1-dev
|
| 987d43b896f33d57326557a2c43f137e5a7a95cd |
26-Jul-2017 |
Yueyao Zhu <yueyao@google.com> |
Merge changes from topic 'b38352281' into oc-dr1-dev am: f0c9faf9f1 am: f9fa833e8c
am: 3f749464fe
Change-Id: Id21148df16970c689702700dfa80863b14fbf880
|
| f9fa833e8cfb8fe778833788d3e8cb7a63d3e803 |
26-Jul-2017 |
Yueyao Zhu <yueyao@google.com> |
Merge changes from topic 'b38352281' into oc-dr1-dev
am: f0c9faf9f1
Change-Id: I5fe3d8af3369a51a5178ed6ebb4337542b892f9f
|
| f0c9faf9f15d04ac0da841f1b405bc4393107c87 |
26-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge changes from topic 'b38352281' into oc-dr1-dev
* changes:
USB: HAL: enable auto suspend for USB headsets
sepolicy: allow USB hal to access sysfs_usb_device nodes
USB: HAL: run as user root, group root system
|
| f2e4aea41a8c63716503c453989947a6fd313ec5 |
26-Jul-2017 |
Pat Tjin <pattjin@google.com> |
Merge "sepolicy: Add aes block device to A/B OTA" into oc-dr1-dev am: 476f136f60 am: e11e9e06c7
am: 6089b218bb
Change-Id: I44d7266b8021a16a6da1ece1cd30529730b78a28
|
| 6089b218bb70c72d465326e3a33133e10d557491 |
26-Jul-2017 |
Pat Tjin <pattjin@google.com> |
Merge "sepolicy: Add aes block device to A/B OTA" into oc-dr1-dev am: 476f136f60
am: e11e9e06c7
Change-Id: I039074c8449035422d7c5a2965d9efcabdfa90ca
|
| f5d88f92d9d9afdd926b08e2073bc95aa6e07d0a |
26-Jul-2017 |
Pat Tjin <pattjin@google.com> |
Merge "sepolicy: Add aes block device to A/B OTA" into oc-dr1-dev
am: 476f136f60
Change-Id: I94a333920c6ec2855e26b245672668a6eb1d8f30
|
| 476f136f60ef5c567e18ab471f689c842fffc847 |
26-Jul-2017 |
Pat Tjin <pattjin@google.com> |
Merge "sepolicy: Add aes block device to A/B OTA" into oc-dr1-dev
|
| 7361627b1b7a1da02e7fd78c73b06205b4fbe108 |
26-Jul-2017 |
Patrick Tjin <pattjin@google.com> |
sepolicy: Add aes block device to A/B OTA
Bug: 64061369
Bug: 37554629
Change-Id: I172a17761fc20ede9175c881f9b35e76e09fc339
ile_contexts
|
| d097cd474314bc4fa764fe127fa5ec0ac369e5b8 |
26-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "allow radio app to read /proc/cmdline"
|
| 56aed06febea7d7356bb98564ffb0c3836b66ee6 |
26-Jul-2017 |
Sandeep Patil <sspatil@google.com> |
file_context: make libadsprpc a same_process_hal_file .. again.
The library is made vendor public, so it needs to be accessible to all
domains (not only the google camera app as it is currently done). This
also led to 'JniStaticTest#test_linker_namespaces failure' CTS failure.
Fix it by making libadsprpc.so a 'same_process_hal_file' again.
Bug: 63677132
Test: Build
Change-Id: I81d6379b7b540397319bc5e3839aecb6d8b4d2c7
Signed-off-by: Sandeep Patil <sspatil@google.com>
ile_contexts
|
| f58d6097cade0ca618251cf41fdce13ba4250f9e |
26-Jul-2017 |
Ajay Dudani <adudani@google.com> |
Merge "dumpstate: Add battery cycle count to bugreport" into oc-dr1-dev am: 6149ab3aea
am: d65d4b0800
Change-Id: I7ccd4018d0584e131ce2221d0abaa598e59262f5
|
| 41e3ae16eaa541dbc4763f72d41a370ebc1ff705 |
26-Jul-2017 |
Ajay Dudani <adudani@google.com> |
Merge "dumpstate: Add battery cycle count to bugreport" into oc-dr1-dev
am: 6149ab3aea
Change-Id: Ieeb2b19523ca775ef70758759786d58236ed38c0
|
| 6149ab3aeaec7c9dda2b90f15396d7b3fcb3b9e3 |
26-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "dumpstate: Add battery cycle count to bugreport" into oc-dr1-dev
|
| 38ef8d70821d18607ddf508a2da6117559597db6 |
26-Jul-2017 |
Ajay Dudani <adudani@google.com> |
dumpstate: Add battery cycle count to bugreport
Bug: 63841211
Test: Verify cycle count metrics are present in bugreport
Change-Id: I7c6a3af3ef687c99f88de5ee1c4d7433b618772e
al_dumpstate_impl.te
|
| 18b0387a49752b17e5db7e5567a4660d21dc9a24 |
26-Jul-2017 |
Jeff Vander Stoep <jeffv@google.com> |
allow radio app to read /proc/cmdline
avc: granted { read open } for comm="main" path="/proc/cmdline"
dev="proc" ino=4026532072 scontext=u:r:radio:s0
tcontext=u:object_r:proc:s0 tclass=filea
Bug: 28760354
Test: build
Change-Id: Iaa51560d84725b99375f9eb3bd47bd6fd490703d
adio.te
|
| 7670cc65b2d433e11ba292f236813a26e471b113 |
25-Jul-2017 |
Michael Butler <butlermichael@google.com> |
Merge "Walleye configuration for the initial Android Neural Networks upload." into oc-mr1-dev
|
| 6812ee4cd123b3d3d68520c38d8417537bc7c478 |
30-Jun-2017 |
Michael Butler <butlermichael@google.com> |
Walleye configuration for the initial Android Neural Networks upload.
Uploads the HIDL hvx service and sepolicy.
Bug: 63905942
Test: mma -j40
Change-Id: Ie5508c6ade5a16897b7b786a71bf1825423f4deb
(cherry picked from commit 49e5e88a7dc584afd02d74fb97053043516f489c)
ile_contexts
al_neuralnetworks_hvx.te
|
| ea79876e7930bc2bf213177ce102b02d2cdce28b |
25-Jul-2017 |
Jeff Tinker <jtinker@google.com> |
Merge "Fix selinux denial in hal_drm_widevine" into oc-dr1-dev
am: 261e1f7eb3
Change-Id: I0cc7240eb90ac698ad1b1285a6d04665786d3904
|
| 261e1f7eb31b0fa7ae88bf61676c896c7343306f |
25-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Fix selinux denial in hal_drm_widevine" into oc-dr1-dev
|
| f5a99531535a1bf372c1c40d9695af0eb1532ae1 |
29-Jun-2017 |
Yueyao Zhu <yueyao@google.com> |
sepolicy: allow USB hal to access sysfs_usb_device nodes
Allow the USB hal to read directories and read/write usb devcie
sysfs files.
Bug: 38352281
Change-Id: Ia3a9a19ed7a607eb190d54cdbc3686e69f6db4f3
al_usb_default.te
|
| aeb6458cefdad7e600d05b440e546362446262f7 |
24-Jul-2017 |
Jeff Tinker <jtinker@google.com> |
Fix selinux denial in hal_drm_widevine
Test: manual verification of playback using
ExoPlayer on GTS HDCP and secure video path
playback. Also tested Play Movies and
verified it is using L1.
bug:63992308
Change-Id: I93ac76243ccb2872a1107f1995b8235ec5a348dd
al_drm_widevine.te
|
| 447cd41642ce6316d4e76ad351e9b8b5bc248302 |
25-Jul-2017 |
Steve Pfetsch <spfetsch@google.com> |
Merge "Add touch sensor readings to Dumpstate" into oc-dr1-dev
am: c31d2f638f
Change-Id: Ief85e3a6be632d6b42c442f15206db3dc1e40d99
|
| c31d2f638fb5c1310fcd96fcbfa012df04434b6b |
25-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Add touch sensor readings to Dumpstate" into oc-dr1-dev
|
| 71dc781941f17863d61a3cb4d58074dec4d50cfe |
20-Jul-2017 |
Steve Pfetsch <spfetsch@google.com> |
Add touch sensor readings to Dumpstate
Bug: 63854271
Change-Id: Ibaa42bd977acdd0e68e4fc76db77a0c6023dc2a9
al_dumpstate_impl.te
|
| db58fb583bdef7257d4be020da58978c02024032 |
24-Jul-2017 |
Max Bires <jbires@google.com> |
Merge "Removing TODO upon bug resolution and fixing boot denial" into oc-dr1-dev
am: 182cbac7e0
Change-Id: Ifde40ae7d48ae45b457fa603adeb0ee0e1315ede
|
| 182cbac7e03da69425c150689194ea4be8ff88ca |
24-Jul-2017 |
Max Bires <jbires@google.com> |
Merge "Removing TODO upon bug resolution and fixing boot denial" into oc-dr1-dev
|
| ebbf1fa5c7d5eeca6710b43612409ab869c87483 |
24-Jul-2017 |
Max Bires <jbires@google.com> |
Merge "Fixing a perfd denial on bootup" into oc-dr1-dev
am: 28a893290d
Change-Id: Ic5a8747790f0136e77e3c7525e23992a7df53b9d
|
| 28a893290d6e66f1b10af5a06b2ea290b406c533 |
24-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Fixing a perfd denial on bootup" into oc-dr1-dev
|
| 360c1974e186fa5f5ac6de68ec22b87b59d174f1 |
29-Jun-2017 |
Max Bires <jbires@google.com> |
Fixing a perfd denial on bootup
denied { read } for pid=834 comm="perfd" name="clkscale_enable"
dev="sysfs" ino=37814 scontext=u:r:perfd:s0 tcontext=u:object_r:sysfs:s0
tclass=file
Test: no perfd denials on boot
Bug: 63944830
Change-Id: I08cd03725ae412ae985dcdf0b943003872a97b67
ile.te
enfs_contexts
erfd.te
|
| 4370d6cae1712757818a30ab929f9332b4d3a080 |
22-Jul-2017 |
Brian Duddie <bduddie@google.com> |
Merge "Allow sensors daemon to read hardware version files" into oc-dr1-dev am: cb6458173f
am: 4f143f3a93
Change-Id: I59ddfb29c5e8afe331af8ea635d1939b2a00f080
|
| 5bd122d85e0c2ec2f7f98e4ce0de5e6b59374845 |
22-Jul-2017 |
Brian Duddie <bduddie@google.com> |
Merge "Allow sensors daemon to read hardware version files" into oc-dr1-dev
am: cb6458173f
Change-Id: I6961aaa64e89ba95c57525c52ef3d25b64f53a4e
|
| a92bd32a1dcc939091df4cbe13a4d1c077734784 |
21-Jul-2017 |
Max Bires <jbires@google.com> |
Removing TODO upon bug resolution and fixing boot denial
denied { read } for pid=708 comm="vold" name="/" dev="sda4" ino=2
scontext=u:r:vold:s0 tcontext=u:object_r:persist_file:s0 tclass=dir
Bug: 35810138
Test: Above denial no longer appears on boot, vold works under enforcing
Change-Id: I78add787fa732e0cf20a3e205f866554d17d0e18
old.te
|
| 61ca0ffdae5b38138b54f46c49e621ac10d79194 |
21-Jul-2017 |
Brian Duddie <bduddie@google.com> |
Merge "Run sensors daemon as system user instead of root" into oc-dr1-dev am: 5cf711293d
am: 4da01c8741
Change-Id: I656b0363b0b23bd448eb021835acd27b3a8cda60
|
| a8986eb259403a9a211c662f0fca6c0437c1d115 |
21-Jul-2017 |
Brian Duddie <bduddie@google.com> |
Merge "Run sensors daemon as system user instead of root" into oc-dr1-dev
am: 5cf711293d
Change-Id: Ibaa42c4a1c4a1a7158dc76100f7894b37fcd6cc0
|
| b5e50bed86cead7a4eb34127994461122f26395b |
19-Jul-2017 |
Brian Duddie <bduddie@google.com> |
Allow sensors daemon to read hardware version files
Permit the sensors daemon to read files in /sys/devices/soc0, which is
used to identify the hardware revision it is running on, so it can
properly handle registry variations.
Addresses these denials (and more which would occur if only the blocked
operations were permitted):
type=1400 audit(2017551.030:4): avc: denied { getattr } for pid=805
comm="sensors.qcom" path="/sys/devices/soc0/hw_platform" dev="sysfs"
ino=50525 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs_soc:s0
tclass=file permissive=0
Bug: 63857630
Bug: 63901499
Test: confirm denials do not appear on boot, sanity check all sensors
provide data, run sensors CTS
Change-Id: I2ba59a21b22d09af03226d5993d80e1d868bf607
ensors.te
|
| b04b13e9768f4a12eb659411d81dc81871a3c03e |
19-Jul-2017 |
Brian Duddie <bduddie@google.com> |
Run sensors daemon as system user instead of root
Grant capabilities and change file permissions to allow the sensors.qcom
daemon to start up as the system user/group, rather than running as
root.
Fixes: 63775281
Test: monitor logcat after reboot, confirm no file open errors. Run
QSensorTest, confirm all sensors provide sane data. Confirm that
IMU calibration can read + write its saved settings. Run sensors CTS.
Change-Id: Ib80ea21900d6af6cd34c82c4a63f50c7e0ac18ff
ensors.te
|
| 06b97200f621360a71c73e33837390d1e4708bf6 |
21-Jul-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Merge "tango_core.te: Allow shell data file access to tango" into oc-dr1-dev
am: 220b681c4c
Change-Id: I246c8856dd592039ac8bc646538d40c9fe87515f
|
| 220b681c4c9428695456777dd1f51b73d49ec326 |
21-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "tango_core.te: Allow shell data file access to tango" into oc-dr1-dev
|
| b05203e0d1f8bedf13aab7878b0c190e00cb6201 |
21-Jul-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "sensors: address selinux denial" into oc-dr1-dev
am: 144a1962a9
Change-Id: I7998b510f934b14e940c400285f9a2161a37d776
|
| 144a1962a95bec1196db835afdd1a6afc7aea155 |
21-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "sensors: address selinux denial" into oc-dr1-dev
|
| 6935ce7f07ec08494db91e6f133e3df871290963 |
21-Jul-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
tango_core.te: Allow shell data file access to tango
avc: denied { search } for name="tmp" dev="sda45" ino=6782978
scontext=u:r:tango_core:s0:c512,c768
tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1
avc: denied { read } for name="includes.txt" dev="sda45" ino=6782980
scontext=u:r:tango_core:s0:c512,c768
tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1
avc: denied { open } for path="/data/local/tmp/ajur/includes.txt"
dev="sda45" ino=6782980 scontext=u:r:tango_core:s0:c512,c768
tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1
BUG=63124901
Test: Tested tango cts
Change-Id: Idb6f1f37070652922924f7f948e7c05d4609f010
ango_core.te
|
| 0c64a4f1abed86c1146c55cb17e80db49860e044 |
21-Jul-2017 |
Siqi Lin <siqilin@google.com> |
Merge changes Id97d7cdf,I8743a2bb into oc-dr1-dev
am: fc754502a7
Change-Id: I9d7efde780cebdd7b90a6d93bbb5836dd3cd139e
|
| fc754502a7057a88094f16a5bbe560bc809be8e4 |
21-Jul-2017 |
Siqi Lin <siqilin@google.com> |
Merge changes Id97d7cdf,I8743a2bb into oc-dr1-dev
* changes:
Allow init.power.sh to change printk console_suspend
Remove no_console_suspend=1 from kernel command line
|
| d209d46ba1dd86fb0c17a5210d97980c15b25b69 |
20-Jul-2017 |
Jeff Vander Stoep <jeffv@google.com> |
sensors: address selinux denial
avc: denied { search } for name="soc0" dev="sysfs" ino=49978
scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=dir
permissive=0
Bug: 63901499
Test: build and boot. Verify denial no longer occurs
Change-Id: I623b742ec68552921685d18f986ca32d71c090a8
ensors.te
|
| c196ac979277e76e2ad0bc4fb8e0d76179a09db7 |
20-Jul-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "label persist partition and grant e2fsck access" into oc-dr1-dev
am: de5bf7bd6f
Change-Id: I69b90912e03944dce10b7e19a556ad4d7fca74c5
|
| de5bf7bd6ffc6dc133cf1f95fe05af953729c272 |
20-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "label persist partition and grant e2fsck access" into oc-dr1-dev
|
| 2e0ef591c3405bc5bfc42ecf354c2028c1728dda |
20-Jul-2017 |
Siqi Lin <siqilin@google.com> |
Allow init.power.sh to change printk console_suspend
Bug: 63856769
Test: boot with serial console enabled / disabled
Change-Id: Id97d7cdf6e3093f2b6caaa2c7cd9bfa64a282a98
ile.te
enfs_contexts
nit_power.te
|
| 05c1a7083a9497be4ff2b6c9dd9ab12deaab1e62 |
20-Jul-2017 |
Jeff Vander Stoep <jeffv@google.com> |
label persist partition and grant e2fsck access
avc: denied { read write } for p)9 cgLe=�2bs`+" name<�sda `V=
945(qcg text=u:r:Frck:s0tbkntdpt=u:lb
Bug: 63874026
Test: build and flash, verify no new denials
Change-Id: I4aba660643323f2401963addd73bf674509f8ee0
evice.te
ile_contexts
sck.te
nit.te
|
| 7cbea8ea82daff7f492c8aeda018839a813b1d5d |
20-Jul-2017 |
Jayachandran C <jayachandranc@google.com> |
AU293 drop rebase for IMS and radio related changes
am: 9882d1d7a6
Change-Id: Iba4690a386d97b281769f48b38b1354c13fb6a1e
|
| 9882d1d7a6e52cff80f0f35f472725433d9e9488 |
19-Jul-2017 |
Jayachandran C <jayachandranc@google.com> |
AU293 drop rebase for IMS and radio related changes
1) Explicitly specify uid, gid and groups needed for cnd Add
CAP_BLOCK_SUSPEND
2) Move sys.ims properties to vendor.ims
3) Remove imscmservice from init as its not used on Pixel
Bug: 63850865
Bug: 63804057
Change-Id: Ie8f0eefa96a21605a63ae5a73e59270866704ed7
nd.te
roperty_contexts
|
| 9a6d0c71dd1989190b645a4125ae993941b165ea |
20-Jul-2017 |
Wei Wang <wvw@google.com> |
Merge "THERMAL HAL API 1.0 impl for Wahoo" into oc-dr1-dev am: 4e102dfdcb
am: 842e224d44
Change-Id: I4a0d4c55aecedaf1100799429b59a44c47ce49f4
|
| 4e102dfdcbe0b49253b20a62e32e54e7f7a9b454 |
20-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "THERMAL HAL API 1.0 impl for Wahoo" into oc-dr1-dev
|
| a81f5612fe78242b93318f4297c721babea14ed9 |
15-Jul-2017 |
Wei Wang <wvw@google.com> |
THERMAL HAL API 1.0 impl for Wahoo
Thermal HAL 1.0 implementation for wahoo
Bug: 36458508
Test: VtsHalThermalV1_0TargetTest pass
Test: Check thermalHAL log
Signed-off-by: Wei Wang <wvw@google.com>
Change-Id: I88831aec5c388269cb78f8cbd966ecae55f1cff2
ile_contexts
|
| b05fb1bb1ecdeee1af2a34c59234eebf4c309917 |
18-Jul-2017 |
Jie Song <jies@google.com> |
Add SELinux rules for MDS app
Bug: 63147021
Test: Verify app can run and access diag interface
Change-Id: I6aaadd5af6508aee8229968636e4f76c8c957d5e
(cherry picked from commit a48092ad06ab09a14d62ec50f8e73baaef1b6e23)
ds_app.te
eapp_contexts
|
| 5693bda225a52190f80f39135cf01a4f7d00c580 |
18-Jul-2017 |
Thierry Strudel <tstrudel@google.com> |
Merge "add atfwd service and related policy." into oc-dr1-dev am: ac31ae9116
am: 8e0c005989
Change-Id: Ifb836c554e63201a0590e966e19e1d53c4312f2a
|
| ac31ae91162ab86217982acd4c2775d6a2aa09c4 |
18-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "add atfwd service and related policy." into oc-dr1-dev
|
| a48092ad06ab09a14d62ec50f8e73baaef1b6e23 |
18-Jul-2017 |
Jie Song <jies@google.com> |
Add SELinux rules for MDS app
Bug: 63147021
Test: Verify app can run and access diag interface
Change-Id: I6aaadd5af6508aee8229968636e4f76c8c957d5e
ds_app.te
eapp_contexts
|
| 4143733bfea9760ece3e7893586e9ca4f897a7ec |
18-Jul-2017 |
Jean-Michel Trivi <jmtrivi@google.com> |
Merge "Revert "Add SELinux rules for MDS app" fix build"
|
| 572162ff885f6f8a3fe02054f53bed8a43d20443 |
17-Jul-2017 |
Jean-Michel Trivi <jmtrivi@google.com> |
Revert "Add SELinux rules for MDS app" fix build
This reverts commit 312763bb36f27a27d75756d0118d016b41af5d77.
Change-Id: I7f857cbb1d4442139be7a71d6cd58fb4e19861e2
ds_app.te
eapp_contexts
|
| 71beb08cae1f60236498d84e9adcc333ccafae52 |
17-Jul-2017 |
Jie Song <jies@google.com> |
Merge "Add SELinux rules for MDS app"
|
| 9a01b66d986aa9740b80ca6ed51067e9b8253463 |
17-Jul-2017 |
Wei Wang <wvw@google.com> |
Merge "Restore Camera to perfd communication" into oc-dr1-dev am: 096c529776
am: 9e73e499ed
Change-Id: Id1a6b402b6a3fcfeb3b3544fe2ee88c36d6f05a1
|
| 6871dd4a7dcae842c84b3458a64dbee8e198b362 |
14-Jul-2017 |
Wei Wang <wvw@google.com> |
Restore Camera to perfd communication
Bug: 63633407
Test: Build
Change-Id: I395e487d1fe0463cfa6034cf7194ffdeb4ad31ca
al_camera.te
|
| ede38fa2140976b986130e54f3f52c76a08f4ca8 |
14-Jul-2017 |
Sunny Kapdi <sunnyk@qca.qualcomm.com> |
Bluetooth: Allow wakelock access to wcnss_filter am: 0c2b5e803d
am: 2a9d518a64
Change-Id: Ic06104ddb8b3fa1b0cc2478df8873f281b648318
|
| 312763bb36f27a27d75756d0118d016b41af5d77 |
30-Jun-2017 |
Jie Song <jies@google.com> |
Add SELinux rules for MDS app
Bug: 63147021
Test: Verify app can run and access diag interface
Change-Id: Icd5e1aee2532ccd1cb6e6ccc1d43578c808d1e9d
ds_app.te
eapp_contexts
|
| 0c2b5e803d9655007d664937b179e36c37178956 |
14-Jul-2017 |
Sunny Kapdi <sunnyk@qca.qualcomm.com> |
Bluetooth: Allow wakelock access to wcnss_filter
Bluetooth driver needs to hold a wakelock while receiving
packets from the UART to make sure that no bytes are lost.
Test: Bluetooth on/off
Bug: 63628397
Change-Id: I8cd6a13921cdc2777c64b0624f544a9548292522
cnss_filter.te
|
| c09b928dd2ca26a22314730dc9524ee310d6860a |
24-May-2017 |
Thierry Strudel <tstrudel@google.com> |
add atfwd service and related policy.
Bug: 37168913
Test: No more atfwd errors at boot
Change-Id: I8b05bbc33c8d393a9dcaabf4fd554fdfab126989
Signed-off-by: Thierry Strudel <tstrudel@google.com>
(cherry picked from commit a75d65362c8baef5c66e97c79d2840b00ce21bfe)
tfwd.te
ile_contexts
wservice.te
wservice_contexts
roperty.te
roperty_contexts
telephony.te
eapp_contexts
|
| fd55a2b54e0cb920834d02cd1ad073f67031b850 |
13-Jul-2017 |
Ajay Panicker <apanicke@google.com> |
Merge "Allow collection of Bluetooth firmware dumps in bugreports (1/3)" into oc-dr1-dev am: 74d7e77ea5
am: e51c7c2b87
Change-Id: Ifa297f85cb45e3374929f89762176a47f9be0b2f
|
| 74d7e77ea5fb1c2f3448eb78c5aee1ecabb01627 |
13-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Allow collection of Bluetooth firmware dumps in bugreports (1/3)" into oc-dr1-dev
|
| 6c2db41df223bc513688a6a390c80b779713b9ee |
13-Jul-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Merge "tango_core.te: Allow audioserver and mediaserver find" into oc-dr1-dev am: fb037a5a96
am: 5a8ea222b2
Change-Id: I6ac66d4a0f1833a0a971ced8ac13817591a7941a
|
| fb037a5a963233d17f2b4560b06dbcee8bb0a319 |
12-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "tango_core.te: Allow audioserver and mediaserver find" into oc-dr1-dev
|
| ea1be3d4e4e9ccac9c4ada94083aef1222e06f89 |
12-Jul-2017 |
Wei Wang <wvw@google.com> |
Merge "remove cameraHAL to perfd interface" into oc-dr1-dev am: 7a7af08804
am: 622eef10f9
Change-Id: I29fbce422cba62490dd2bb302123b30a9b8b9e66
|
| 7a7af0880427a0ffdfc529486b29a43d3edb2a73 |
12-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "remove cameraHAL to perfd interface" into oc-dr1-dev
|
| 5e53c868afa4e582cb071549582091ea7747e876 |
11-Jul-2017 |
Wei Wang <wvw@google.com> |
remove cameraHAL to perfd interface
This CL removed cameraHAL to perfd interface
Also changed some powerHAL logging level
Bug: 63589458
Test: Build
Change-Id: I4725f45b22bf3a3787dc5d77fc9c6b22a66a21aa
al_camera.te
|
| a89c11643c311e3c9e8acf3bb2987d486ec7e2c7 |
12-Jul-2017 |
Ajay Panicker <apanicke@google.com> |
Allow collection of Bluetooth firmware dumps in bugreports (1/3)
This patch is temporary and should be removed once the bug is resolved
Bug: 63390057
Test: Force a hci_timeout and collect a bugreport
Change-Id: I29d3f19462c152e785eec0291f06ed4c004b623f
cnss_filter.te
|
| cd95edc556fb05bf2f981c2a5272650a65d6fc47 |
12-Jul-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "ueventd: remove redundant rules" into oc-dr1-dev am: 6544bd52b8
am: c0ac85d203
Change-Id: If5584814d0e273a93a3ae15b9786bb30ab7aaa13
|
| 6544bd52b86c7ff71f2389bb5b00b67dd88c3881 |
12-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "ueventd: remove redundant rules" into oc-dr1-dev
|
| 3bcf11716c89d174d16305c15504299628143e1d |
11-Jul-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
tango_core.te: Allow audioserver and mediaserver find
Denial log:
avc: denied { find } for service=media.audio_flinger pid=12405
uid=10142 scontext=u:r:tango_core:s0:c512,c768
tcontext=u:object_r:audioserver_service:s0 tclass=service_manager
permissive=0
avc: denied { find } for service=media.player pid=4881 uid=10131
scontext=u:r:tango_core:s0:c512,c768
tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
permissive=1
BUG=63115272
Test: Basic sanity
Change-Id: I88fb12e89d75eab6b69c5f2ec453e18c05fd6f6c
ango_core.te
|
| bceae15bb476784516648e632851c0ebee1bb4a3 |
11-Jul-2017 |
Michael Wright <michaelwr@google.com> |
Allow system_server to load input device configurations am: 2f3b0f2af3
am: c4674ecac3
Change-Id: I819ef5ca50786dbeaf54652e9faa9ed7fb85a49f
|
| 33e9c267ca0dabaf14ab8f4918cbce3fa463dba5 |
11-Jul-2017 |
Jeff Vander Stoep <jeffv@google.com> |
ueventd: remove redundant rules
Ueventd is now granted write access to all files in /sys
in core policy.
avc: denied { write } for pid=790 comm="ueventd" name="uevent"
dev="sysfs" ino=52014 scontext=u:r:ueventd:s0
tcontext=u:object_r:sysfs_usb_device:s0 tclass=file
Bug: 63147833
Test: build
Change-Id: I61f742a6151fe37ec99654bda6074f055a84a163
eventd.te
|
| 2f3b0f2af38eb4d71cd5164188f34d952c5bffd7 |
10-Jul-2017 |
Michael Wright <michaelwr@google.com> |
Allow system_server to load input device configurations
Test: flash and use PointerLocation to observe size
Bug: 62871286
Change-Id: I5588b7b1a4d948446b0e1e9e8d5b32c9aabc1e42
ile.te
ile_contexts
ystem_server.te
|
| 4003048411a46d991552218a5166d34695f0830c |
11-Jul-2017 |
Wei Wang <wvw@google.com> |
Merge "Enable Encoder hint for camera powersaving" into oc-dr1-dev am: b02fb17265
am: e25b3d87e6
Change-Id: Ieed3669295aad97411953ed15e6fce4b3b73605c
|
| 3b189d337fd50ebe0f9c3db645ecb95dc6a8d091 |
06-Jun-2017 |
Wei Wang <wvw@google.com> |
Enable Encoder hint for camera powersaving
- Hook up Encoder hint with CameraHal
- Remove dead code for EAS kernel for decoder hint and camera preview
This CL will enable powerhint for CameraHal to cap Big CPU
Cluster max freq to 1.958 Ghz.
Bug: 38000354
Bug: 62354242
Bug: 63039461
Test: Build and test camera preview on
Change-Id: I13e93915499f6cc83335b72ab2076d90bc9edfcc
al_camera_default.te
|
| 76fc679ae5f5ad676b1322ffa047108b5e657906 |
07-Jul-2017 |
Tao Bao <tbao@google.com> |
Merge "Grant update_verifier sysfs access." into oc-dr1-dev am: 81cec4011b
am: 3b74e2075a
Change-Id: Icb2d9369c1b152087a2adf1da8a18af72a9619cf
|
| 81cec4011b01231becd1b92098f0fff131b6bc3a |
07-Jul-2017 |
Tao Bao <tbao@google.com> |
Merge "Grant update_verifier sysfs access." into oc-dr1-dev
|
| 8014ac1c9ab762ed3e985998b7fca58b88edd6df |
07-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge changes from topic 'elabel' into oc-dr1-dev
* changes:
Add copy from /persist/elabel to /data/misc/elabel
Add permissions for elabel data access
|
| 4402ccfb27661a973cbd34505ea8f0df20d42b69 |
05-Jul-2017 |
Patrick Tjin <pattjin@google.com> |
Add copy from /persist/elabel to /data/misc/elabel
Bug: 62837579
Test: place test files in /persist/elabel, check that they are copied to /data/misc/elabel on boot
Change-Id: Id29e7c7c01ed54bf4d2f488cfa6dba51046bc5bf
Merged-In: Id29e7c7c01ed54bf4d2f488cfa6dba51046bc5bf
ile.te
ile_contexts
nit_elabel.te
|
| 0e1346c32c3841d2703eec83ed02b9db7e1ddbdc |
27-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Add permissions for elabel data access
Allow init to copy elabel data from /persist/elabel to
/data/misc/elabel. Allow settings app to access elabel data
from /data/misc/elabel.
Bug: 62837579
Change-Id: Ie2241abe8c2384a537b001a90830a3f42c566748
Merged-In: Ie2241abe8c2384a537b001a90830a3f42c566748
ile.te
ile_contexts
ystem_app.te
|
| d1ed4a4fb84a64f19b0e3f49cd9014be8ac34968 |
05-Jul-2017 |
Patrick Tjin <pattjin@google.com> |
Add copy from /persist/elabel to /data/misc/elabel
Bug: 62837579
Test: place test files in /persist/elabel, check that they are copied to /data/misc/elabel on boot
Change-Id: Id29e7c7c01ed54bf4d2f488cfa6dba51046bc5bf
ile.te
ile_contexts
nit_elabel.te
|
| cbb788099a458fdea0e1aea3edabd1e9286d02ed |
27-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Add permissions for elabel data access
Allow init to copy elabel data from /persist/elabel to
/data/misc/elabel. Allow settings app to access elabel data
from /data/misc/elabel.
Bug: 62837579
Change-Id: Ie2241abe8c2384a537b001a90830a3f42c566748
ile.te
ile_contexts
ystem_app.te
|
| e7bc54085ddd52c57aaf1d3aefc1a899c693dfdb |
07-Jul-2017 |
Siddharth Ray <siddharthr@google.com> |
Merge "Wahoo sepolicy changes" into oc-dr1-dev am: 271fd0c603
am: 07b52a0836
Change-Id: I6ef9e15eded25bd5f4201219d5a5675787e6f6d5
|
| 271fd0c60347903d6ee0081d99d0b58b2389ea24 |
07-Jul-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Wahoo sepolicy changes" into oc-dr1-dev
|
| 078daa1c8b60f7bc7b9c299421e8604e3132fae8 |
26-Jun-2017 |
Siddharth Ray <siddharthr@google.com> |
Wahoo sepolicy changes
Wahoo's sepolicy is changed merged to add Marlin permissions
based on compliance test needs. Marlin's sepolicy can be
found at device/google/marlin/sepolicy/hal_gnss_default.te
Bug: 37409476
Test: Boots with no avc denials or crashes. GNSS incl. post XTRA
delete runs well with no denials.
Change-Id: Id51197120d142850fe0d7c97f747818e23c178f8
al_gnss_qti.te
ocation.te
|
| 13c6400e11fd253f6615f1ceb7e3f8090bfcf1c4 |
30-Jun-2017 |
Tao Bao <tbao@google.com> |
Grant update_verifier sysfs access.
avc: denied { read } for pid=694 comm="update_verifier" name="block" dev="sysfs" ino=27770 scontext=u:r:update_verifier:s0 tcontext=u:object_r:sysfs:s0 tclass=dir
avc: denied { read } for pid=719 comm="update_verifier" name="name" dev="sysfs" ino=51336 scontext=u:r:update_verifier:s0 tcontext=u:object_r:sysfs:s0 tclass=file
update_verifier reads /sys/block/dm-X/dm/name to find the device-mapper
entries for system and vendor partitions.
Also remove the unneeded "block_device:dir r_dir_perms" permission.
Bug: 63146601
Test: As follows.
a) Set up /data/ota_package/care_map.txt.
b) Reset the slot boot-successful flag with fastboot set_active.
c) Boot the device and check update_verifier successfully verifies
the blocks.
Change-Id: I581136249e93ec2d4bd9ceda316590ee31148643
pdate_verifier.te
|
| b5fc48231acf4f43c1ef1b866c433301fe4c41ca |
06-Jul-2017 |
Jayachandran C <jayachandranc@google.com> |
Merge changes I45a49628,Icf764bf3 into oc-dr1-dev am: f5ed4d3d87
am: 68067a79df
Change-Id: I31ab45c1d1c6c7adfd70fdc400f359fcba540f72
|
| 06f2fdfb7e2d21a41dc1d59d6adb91f0d55fbddd |
06-Jul-2017 |
Jayachandran C <jayachandranc@google.com> |
Fix netmgrd crash recovery denials
This change fixes the following denials
auditd : type=1400 audit(0.0:30032): avc: denied { unlink } for
comm="netmgrd" name="netmgr_connect_socket" dev="tmpfs" ino=31621
scontext=u:r:netmgrd:s0 tcontext=u:object_r:netmgrd_socket:s0
tclass=sock_file permissive=0
auditd : type=1400 audit(0.0:35887): avc: denied { search } for
comm="netmgrd" name="diagchar" dev="sysfs" ino=26926
scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs_diag:s0 tclass=dir
permissive=0
Test: Force crashed netmgrd and validated data working
Bug: 63360347
Change-Id: I45a49628b486cb264e07037cfa8397e381f72a00
etmgrd.te
|
| 28511cb3df9d63809be5fdf9095cce57050016dd |
22-Jun-2017 |
Sunmeet Gill <sgill@codeaurora.org> |
sepolicy: Separate system partition sepolicy and hal macros from vendor partition
Test: VoLTE, VT & VoWiFi on Vzw and T-Mobile SIM cards
Bug: 62574674
Change-Id: Icf764bf353bbdfb7831f5ea8528414a271525c63
ataservice_app.te
wservice.te
adio.te
ervice.te
ervice_contexts
|
| b8527780e1a784878ee4cc58e01cce0a0f2e1ebd |
01-Jul-2017 |
Sunny Kapdi <sunnyk@qca.qualcomm.com> |
Enable bt wcnss_filter to collect crash dumps am: f128f5c538
am: 338bf393d4
Change-Id: I8342f796f21ec2f7d193280effa957c9d95fb4d6
|
| f128f5c538e37212e0bc762b12f9ae02470bb346 |
29-Jun-2017 |
Sunny Kapdi <sunnyk@qca.qualcomm.com> |
Enable bt wcnss_filter to collect crash dumps
Bug: 37298084
Change-Id: Id67e4faf27ea6d59fdbcc2affcd1f2e6eb2ba3dd
cnss_filter.te
|
| bcf6cc2aa4b08b742bd62fe903f0125d831f48ec |
01-Jul-2017 |
Roopesh Rajashekharaiah Nataraja <roopeshr@codeaurora.org> |
Add policies to remove System UID from time service am: 739f448717
am: 3e582a9a33
Change-Id: Idf150de4e4736cb06acb2226f3fd3ee8a90ef148
|
| 4673c0b45c8d33185f0973f7973bf1281348a10d |
01-Jul-2017 |
Wei Wang <wvw@google.com> |
Merge commit 'cc4f752ee88a9c0839d50b6db8f8f5387dd3e2d7' into manual_merge_cc4f752
Bug: 62184939
Test: build
Change-Id: Ied320cd2d2ab59c152869a03b11223cef5b87d16
|
| 739f4487173e10cab0263d8dfbad44c34373d5bd |
30-Jun-2017 |
Roopesh Rajashekharaiah Nataraja <roopeshr@codeaurora.org> |
Add policies to remove System UID from time service
Bug: 62785008
Change-Id: I85cdaa618da7beddce88d4b67bd1b9d08c0a9c00
eapp_contexts
imeservice_app.te
|
| 454fc3e786ce50669fd6d5a0a374298a95344472 |
30-Jun-2017 |
Wei Wang <wvw@google.com> |
wahoo: time_daemon: use /persist to store offset to RTC
Also cleanup sepolicy files that was using /data/vendor as they are not
needed and /data is not ready by the time we start time_daemon
Bug: 62184939
Test: walleye boot with correct time in airplane mode
Change-Id: Ic7b025a8c795092a1dd4b1ab1d7497d1440c0a4b
ile.te
ile_contexts
ime_daemon.te
|
| 84ed0c73b0626b51c190e7b6be3670441e88d031 |
01-Jul-2017 |
Arnd Geis <arndg@google.com> |
Merge "Add permission to search the kernel's keychain"
|
| ef189c8a9f5657d0b4c24be82c4ce845ff716fea |
30-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Allow qseecomd to write to persist_data am: aaaafebf1c
am: 923b456e6b
Change-Id: Ie02047e3d31515ce409cea353e985db797f92e04
|
| aaaafebf1c6b1d86ca31dfea04d9e1de8620363e |
30-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Allow qseecomd to write to persist_data
Needed for drm.
avc: denied { read } for comm="qseecomd" name="/" dev="sdd3" ino=2
scontext=u:r:tee:s0 tcontext=u:object_r:persist_file:s0 tclass=dir
avc: denied { open } for comm="qseecomd" path="/persist" dev="sdd3"
scontext=u:r:tee:s0 tcontext=u:object_r:persist_file:s0 tclass=dir
avc: denied { write } for comm="qseecomd" name="widevine" dev="sdd3"
ino=97 scontext=u:r:tee:s0 tcontext=u:object_r:persist_data_file:s0
tclass=dir
avc: denied { add_name } for comm="qseecomd" scontext=u:r:tee:s0
tcontext=u:object_r:persist_data_file:s0 tclass=dir permissive=1
avc: denied { create } for comm="qseecomd scontext=u:r:tee:s0
tcontext=u:object_r:persist_data_file:s0 tclass=file permissive=1
avc: denied { write } for comm="qseecomd" scontext=u:r:tee:s0
tcontext=u:object_r:persist_data_file:s0
tclass=file permissive=1:persist_file:s0 tclass=dir permissive=1
avc: denied { open } scontext=u:r:tee:s0
tcontext=u:object_r:persist_file:s0 tclass=dir permissive=1
avc: denied { write } for comm="qseecomd" name="widevine"
scontext=u:r:tee:s0 tcontext=u:object_r:persist_data_file:s0
tclass=dir permissive=1
avc: denied { add_name } for comm="qseecomd" scontext=u:r:tee:s0
tcontext=u:object_r:persist_data_file:s0 tclass=dir permissive=1
avc: denied { create } for comm="qseecomd" scontext=u:r:tee:s0
tcontext=u:object_r:persist_data_file:s0 tclass=file permissive=1
avc: denied { write } scontext=u:r:tee:s0
tcontext=u:object_r:persist_data_file:s0 tclass=file permissive=1
Bug: 63051358
Test: build
Change-Id: I28bd0cd816720a85fc840890a74929939366de6d
ee.te
|
| 8f446c77e042134eb4e4ebe20ffceeb302157ae6 |
30-Jun-2017 |
Brian Duddie <bduddie@google.com> |
Allow sensors daemon to create vendor data files am: ee8cd6b127
am: cda862e28c
Change-Id: I8797dba967d01e8e1a0bcb2729c82d4a8cdf8cb3
|
| 64b292e70be793dce504be820b7904189e4d2204 |
29-Jun-2017 |
Arnd Geis <arndg@google.com> |
Add permission to search the kernel's keychain
The public key used for Easel firmware signing is stored in
the system trusted keychain. This grants access to search for
the key.
Bug: b/62846087
Change-Id: Ie44f70ed923fc563f0f73f5dd4c701b532610d22
Signed-off-by: Arnd Geis <arndg@google.com>
aselservice_app.te
|
| ee8cd6b127fc1563d27a656cfa5647674b7790e4 |
24-Jun-2017 |
Brian Duddie <bduddie@google.com> |
Allow sensors daemon to create vendor data files
Add an entry to init.hardware.rc to create /data/vendor/sensors at
startup, and sepolicy entries that allow the sensors daemon to create
files in that directory. These will be used to persist runtime
calibration across reboot, but not across factory reset.
denied { getattr } for pid=14080 comm="sensors.qcom"
path="/data/vendor/sensors/cal.txt" dev="sda45" ino=2179116
scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0
tclass=file permissive=1
denied { write } for pid=14113 comm="sensors.qcom" name="vendor"
dev="sda45" ino=2179073 scontext=u:r:sensors:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
denied { add_name } for pid=14113 comm="sensors.qcom" name="sensors"
scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0
tclass=dir permissive=1
denied { create } for pid=14113 comm="sensors.qcom" name="sensors"
scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0
tclass=dir permissive=1
denied { create } for pid=14113 comm="sensors.qcom" name="cal.bin"
scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0
tclass=file permissive=1
denied { write open } for pid=14113 comm="sensors.qcom"
path="/data/vendor/sensors/cal.bin" dev="sda45" ino=2179115
scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0
tclass=file permissive=1
denied { read } for pid=14113 comm="sensors.qcom"
path="/data/vendor/sensors/cal.txt" dev="sda45" ino=2179116
scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0
tclass=file permissive=1
denied { getattr } for pid=14113 comm="sensors.qcom"
path="/data/vendor/sensors/cal.txt" dev="sda45" ino=2179116
scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0
tclass=file permissive=1
Bug: 38425697
Test: confirm folder is created on boot, and calibration files are
created, updated, and read successfully by sensors daemon
Change-Id: Ie23cafe4f43b3335e07cf0d13dde0c5d06b69f80
ile.te
ile_contexts
ensors.te
|
| c934f5afca204d1c37a2a8e646e858940d94b621 |
30-Jun-2017 |
Ecco Park <eccopark@google.com> |
Merge "Remove vendor_executes_system_violator attribute" into oc-dr1-dev am: 53c92f3bb8
am: 754a4de7f1
Change-Id: Ib132771a2a89f2a3dc1611db9cf6138a4790fa34
|
| 53c92f3bb8f5ba439c187c74ea241a5004d1dae7 |
30-Jun-2017 |
Ecco Park <eccopark@google.com> |
Merge "Remove vendor_executes_system_violator attribute" into oc-dr1-dev
|
| c272f35b8bc34842d15fa21f4ef749acee7d7cd0 |
29-Jun-2017 |
Subhani Shaik <subhanis@codeaurora.org> |
Remove vendor_executes_system_violator attribute
Bug: 62385687
Test: No svc denial error, wifi is working fine.
Change-Id: I47cad9cab9b2e60ccf4b692daae7042b44804b05
cnss_service.te
|
| 109a495a39abc7028a2f3c6860488906c6bfe584 |
29-Jun-2017 |
Chong Zhang <chz@google.com> |
Merge "cas: add CAS HAL and allow it to use vndbinder"
|
| 04832f20d7cc78ce16e65f7a8a5a91c509413e3b |
28-Jun-2017 |
Chong Zhang <chz@google.com> |
cas: add CAS HAL and allow it to use vndbinder
bug: 22804304
bug: 63129142
Change-Id: Iea70c6626d99c4404632fcf9685ec9993f776ca4
al_cas_default.te
|
| ba83bc9f7be8398eca89ff13e43490a4cb038e5f |
29-Jun-2017 |
Ed Tam <etam@google.com> |
Merge "Revert "Wahoo sepolicy changes"" into oc-dr1-dev am: 1fe3fbbda7
am: ffa39747e8
Change-Id: I5d4477b200708a524aae30000fcbaed123ff5436
|
| 1fe3fbbda7e745e6bc8e9ef6143187a8b654b066 |
29-Jun-2017 |
Ed Tam <etam@google.com> |
Merge "Revert "Wahoo sepolicy changes"" into oc-dr1-dev
|
| 7d05a3ba897de04ebfb120de03dba083ed67d99c |
29-Jun-2017 |
Ed Tam <etam@google.com> |
Revert "Wahoo sepolicy changes"
This reverts commit eb6f000bffa01aa340f2821c27563d4a02f98188.
Reason for revert: Causing runtime restarts
Bug: 63123125
Change-Id: I3f4752c7ff29f52957f28b0f0c84de2c11a06f40
al_gnss_qti.te
ocation.te
e_macros
|
| a00866e92889cfaff45da4ce44553fab7b2f3dfb |
29-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "declare ipacm as the tetheroffload HAL" into oc-dr1-dev am: 730070f3d2
am: 247f148001
Change-Id: I3d3ecfdb06596de4c0dfe46c4cf87e230f868aef
|
| 730070f3d2c06ed4c297026705431ab7ca964d52 |
29-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "declare ipacm as the tetheroffload HAL" into oc-dr1-dev
|
| 5c5eb9de3ab91db937d0669fa3e8517337f62fbe |
21-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
declare ipacm as the tetheroffload HAL
Also add tetheroffload HALs to the manifest.
Bug: 29337859
Bug: 32163131
Test: adb shell getenforce
Enforcing
adb shell dumpsys connectivity tethering
Tethering:
...
Log:
...
06-28 11:46:58.841 - SET master tether settings: ON
06-28 11:46:58.857 - [OffloadController] tethering offload started
And logs show some signs of happiness:
06-28 11:46:58.853 816 947 I IPAHALService: IPACM was provided two FDs (18, 19)
06-28 11:46:58.853 1200 1571 I zygote64: Looking for service android.hardware.tetheroffload.control@1.0::IOffloadControl/default
Change-Id: I40e23c1863901330dfe59e2ea196314c5c7bb52a
(cherry picked from commit c6ecb207d7032bf43e9b39941ff7e47dd127e361)
ile.te
ile_contexts
al_tetheroffload_default.te
wservice.te
wservice_contexts
pacm.te
|
| 53cf0a5ca75c81798a9c7e49c13d5be709593a95 |
29-Jun-2017 |
Siddharth Ray <siddharthr@google.com> |
Wahoo sepolicy changes am: eb6f000bff
am: 5a13cd31ee
Change-Id: I5643b3d7e202b1c1b367e0b9415d6a090d78252c
|
| eb6f000bffa01aa340f2821c27563d4a02f98188 |
26-Jun-2017 |
Siddharth Ray <siddharthr@google.com> |
Wahoo sepolicy changes
Wahoo's sepolicy is changed to mirror Marlin's. Marlin's sepolicy can be
found at device/google/marlin/sepolicy/hal_gnss_default.te
BUG: 37409476
Change-Id: Id6f49defd70923c56da2dfd68f55cf3dfc2e62fc
al_gnss_qti.te
ocation.te
e_macros
|
| 638cc1653548d73a0f161c51c36e5164d486a4c0 |
28-Jun-2017 |
Thierry Strudel <tstrudel@google.com> |
Merge "Allow init_ese to run grep" into oc-dr1-dev
|
| 647c0c5ecf214eab54f43dd6eeea9ad755ff4ef6 |
28-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Clean up denials" into oc-dr1-dev am: eb3cbfb47b
am: ab287969ab
Change-Id: I350d45ae3c8ccc36b4335aa6136997a893bb8073
|
| eb3cbfb47bdd2ee0a408d165240ad96fb09bd943 |
28-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Clean up denials" into oc-dr1-dev
|
| 98bc1a88acf5083e4ed56dd5c8583397adb3fe71 |
26-Jun-2017 |
Paul Crowley <paulcrowley@google.com> |
Allow init_ese to run grep
Bug: 62586642
Test: selinux denial on grep no longer seen.
Change-Id: I61847f5a5f460fc8efef5a772eae3a0559634b40
(cherry picked from commit 1478bd41b46bd700954a08cab816918bff6c40c3)
nit_ese.te
|
| 561262edd03037fbc77060ba49335c3a8661c2b1 |
27-Jun-2017 |
Eino-Ville Talvala <etalvala@google.com> |
Merge "Allow network access to google_camera_app domain" into oc-dr1-dev am: 2d5372cfb9
am: 89767f71f0
Change-Id: I9f8694b14cc630f9bb22e93e08405c18dc288ced
|
| a63fd3aadb6464a314cabd18eb4ee78ea6161c50 |
27-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Clean up denials
avc: denied { search } for name="/" scontext=u:r:kernel:s0
tcontext=u:object_r:persist_file:s0 tclass=dir
avc: denied { search } for name="ipc_logging" dev="debugfs"
scontext=u:r:kernel:s0 tcontext=u:object_r:debugfs_ipc:s0
tclass=dir
avc: denied { sys_module } scontext=u:r:netd:s0
tcontext=u:r:netd:s0 tclass=capability
Bug: 35197529
Test: build, verify denials no longer occur.
Change-Id: Ibe18ca05f2d80343624d08116b83b5287239c01a
ernel.te
etd.te
|
| 2d5372cfb993c9c9b1805cff6e975d095059898f |
27-Jun-2017 |
Eino-Ville Talvala <etalvala@google.com> |
Merge "Allow network access to google_camera_app domain" into oc-dr1-dev
|
| 5b8694076555e9834caf84722eab73ff19fb4d6c |
27-Jun-2017 |
Jie Song <jies@google.com> |
Merge "Add folder and SELinux rules for subsystem ramdump" into oc-dr1-dev am: 486dc6acd7
am: 5345d61beb
Change-Id: Ibdfe89e0c5a512b96af900cdbec56719ad0c3af7
|
| 486dc6acd784d9a387f6399e13da639ce2894381 |
27-Jun-2017 |
Jie Song <jies@google.com> |
Merge "Add folder and SELinux rules for subsystem ramdump" into oc-dr1-dev
|
| 153afe88d3a5f484d3016736239b1ffcb5be800f |
27-Jun-2017 |
Eino-Ville Talvala <etalvala@google.com> |
Allow network access to google_camera_app domain
Test: New features in app that use the network function as expected
Bug: 63058578
Bug: 62848290
Change-Id: I129a57e2837f180e722bef4a3a05756acb150c0f
oogle_camera_app.te
|
| cbaa3b68841db433fa06c80d7f5c8e0915fb8589 |
27-Jun-2017 |
Jie Song <jies@google.com> |
Add folder and SELinux rules for subsystem ramdump
1. Move subsystem ramdump to ssrdump
2. Fix denials on sysfs
Bug: 62257616
Test: Modem ramdump in new folder
Change-Id: I5c77ec42a0967140d04b616ede9b02e6272f3442
ile_contexts
sr_detector.te
|
| e51b1aaf6acd1bcfe17629b69e2ca6f39e504146 |
27-Jun-2017 |
Paul Crowley <paulcrowley@google.com> |
Merge "Allow init_ese to run grep"
|
| 1478bd41b46bd700954a08cab816918bff6c40c3 |
26-Jun-2017 |
Paul Crowley <paulcrowley@google.com> |
Allow init_ese to run grep
Bug: 62586642
Test: selinux denial on grep no longer seen.
Change-Id: I61847f5a5f460fc8efef5a772eae3a0559634b40
nit_ese.te
|
| adb9d3909686836d3859b5828ac1839bf186150d |
26-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "bootanim: suppress selinux denial" into oc-dr1-dev am: dfc34ea32b
am: 8516d69995
Change-Id: I269e925a854f894d6b1241b43f7b48dafb55daa5
|
| dfc34ea32b2dbf523c61386ee748bc2ad6c9abd3 |
26-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "bootanim: suppress selinux denial" into oc-dr1-dev
|
| 3ecc3b29133903546eda5d22adc560adad24e1db |
26-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
bootanim: suppress selinux denial
Reading time from /data/system/time is not used on Wahoo.
denied { read } for pid=619 comm="BootAnimation::" name="system"
scontext=u:r:bootanim:s0 tcontext=u:object_r:system_data_file:s0
tclass=dir
Bug: 62954877
Test: build policy
Change-Id: I0d5bc69797f7a11ca4e612c00228e87dd48942c7
ootanim.te
|
| 4dac4ed66f8466b4fc3b95504f0e66ef1d2fdb55 |
26-Jun-2017 |
Thierry Strudel <tstrudel@google.com> |
Merge "Move file labeling to genfs_contexts." into oc-dr1-dev
|
| 36d6d16d191e3b8d2acd23b9866d9df64b4dc6b1 |
24-Jun-2017 |
Max Bires <jbires@google.com> |
Merge "Removing keystore policy due to bug resolution" into oc-dr1-dev am: 86c23203fc
am: 87266096d6
Change-Id: Ic0eab54c29f88c9650a43297f2c75bb42568e609
|
| 86c23203fca3b2f23268f62ce42e4aa88407a2af |
24-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Removing keystore policy due to bug resolution" into oc-dr1-dev
|
| e643104592b34242723bc1de1ed6df1adcc80bb4 |
24-Jun-2017 |
Erik Staats <estaats@google.com> |
Merge "Add sys.slpi.firmware.version property." into oc-dr1-dev am: 3d5523ed0f
am: ee061af02a
Change-Id: I863762912e8a5507f59196737d6f11fa5f52d765
|
| 3d5523ed0f3ef022ee384fdf367bb39ec314342e |
24-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Add sys.slpi.firmware.version property." into oc-dr1-dev
|
| 003321109fb9b04b9c5e608f8c0975a4e62336ed |
23-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Allow init to relabel ab_block lnk_files" into oc-dr1-dev am: b2be8cb917
am: 469d934489
Change-Id: I521d13492bdb636633159babb5ad749ef7fcc599
|
| b2be8cb917d32dc7cd7b00ba48e1bf88230f332d |
23-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Allow init to relabel ab_block lnk_files" into oc-dr1-dev
|
| 44f090269150d0aba886f298912f390890c9f8db |
21-Jun-2017 |
Erik Staats <estaats@google.com> |
Add sys.slpi.firmware.version property.
Bug: 38240024
Test: Verified value of sys.spli.firmware.version property. See details in
testing done comment in
https://googleplex-android-review.git.corp.google.com/2442584 .
Change-Id: Ief04cbfac4efd71c8ff22057fc286645fbadf44d
nit-devstart-sh.te
|
| 63013293d8b02d3fcc709928752312436f290ea2 |
23-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Allow init to relabel ab_block lnk_files
avc: denied { relabelto } for name="dtbo_a" dev="tmpfs"
scontext=u:r:init:s0 tcontext=u:object_r:ab_block_device:s0
tclass=lnk_file permissive=0
avc: denied { relabelto } for name="boot_a" dev="tmpfs"
scontext=u:r:init:s0 tcontext=u:object_r:boot_block_device:s0
tclass=lnk_file permissive=0
Bug: 35197529
Test: build and flash. Verify link files have correct label.
Change-Id: I2e718e8e06af70d73b0c5076ffc99d5fa7013fd9
nit.te
|
| 026415e14d5447d7e2ac5b9d55cca41168d0b637 |
23-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Suppress netutils_wrapper module denials" into oc-dr1-dev am: 32f9c6131d
am: f59e5934e1
Change-Id: Ie942aae79e8b30517bb800cd1e7e221b08059806
|
| ac2a8e0fd7a406caf1ff3a0d8a87a40e94873b47 |
23-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Narrow down tftp_server's access to /persist" into oc-dr1-dev am: 30038f8184
am: 618cd63a44
Change-Id: I92e1a98dbda85eab892cce092e02e1be4af4c39b
|
| 32f9c6131d0fc40b2f51602543b0721ab270c6e6 |
23-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Suppress netutils_wrapper module denials" into oc-dr1-dev
|
| 30038f8184822ef6a777c1c4553fadb1d5b92367 |
23-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Narrow down tftp_server's access to /persist" into oc-dr1-dev
|
| 247695bd704943b3a816cca40d319da47a472bc1 |
23-Jun-2017 |
Stuart Scott <stuartscott@google.com> |
Add missing SE Policies for Hardware Info Testing am: 7c5a76860a
am: a2593b5bb4
Change-Id: I6a1cb3ef92013d054c6a45ff47df62a31b9d821e
|
| 24e2048bacce9887ea5d52e9be0096a890e23657 |
21-Jun-2017 |
Joel Galenson <jgalenson@google.com> |
Move file labeling to genfs_contexts.
This should improve performance, as file_contexts is slower
than genfs_contexts.
Bug: 62413700, 62852219
Test: Built, flashed, and booted. Verified that all of the
files have the correct context. Verified that wifi,
cellular, camera, and GPS work.
Change-Id: I5b3c91c00486c0f741e9a015fb1602885612896d
(cherry picked from commit cdd9829be89802fee63d9d5d1d381f1d84847d47)
ile_contexts
enfs_contexts
|
| 7c5a76860a1d557bf5e7b35496d47f4801ea984f |
15-Jun-2017 |
Stuart Scott <stuartscott@google.com> |
Add missing SE Policies for Hardware Info Testing
Bug: 35668291
Test: pts-tradefed run singleCommand pts
Change-Id: If50b00ea6fc11884c3aad6969b8821046916335a
ile.te
enfs_contexts
ardware_info_app.te
eapp_contexts
eventd.te
old.te
|
| 02a94ce7cfbe9e0b3e227ec057dd0d6631f55204 |
22-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Suppress netutils_wrapper module denials
Netutils does not need to load kernel modules. Ignore.
Bug: 35197529
Test: build policy
Change-Id: I14f79ddfd47f3b6eb8461a0b351808bed09a5a30
etutils_wrapper.te
|
| 24c1a1f556220e83a45c805a34d10b591925253e |
22-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Narrow down tftp_server's access to /persist
avc: denied { dac_override } scontext=u:r:rfs_access:s0
econtext=u:r:rfs_access:s0 tclass=capability
Bug: 62074287
Bug: 38214174
Test: build and boot device. No denials in the logs related to
/persist/rfs or /persist/hlos_rfs. All files have correct label.
Change-Id: Ic63d1684af2d2b3a1ea75a3aacf2ab2a5ebe36a2
ile.te
ile_contexts
fs_access.te
|
| fb2d6e2b902a4f3a6e1509d38f49c4d6c21a491d |
22-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Merge "Allow radio to set telephony monitor property on userdebug builds" into oc-dr1-dev am: c1319b7c73
am: 37a567ecb8
Change-Id: I1bb0b86adda5caf2b60b70417fdfdf2da830f76b
|
| c1319b7c732039f264e8e28d65a3dad6c1768f17 |
22-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Allow radio to set telephony monitor property on userdebug builds" into oc-dr1-dev
|
| 4632db7d7deb22a875aec205abcfb3fba94050bc |
22-Jun-2017 |
Max Bires <jbires@google.com> |
Merge "Removing binder_call's from system_server" into oc-dr1-dev am: 192d8c3411
am: 2b59ebd5bf
Change-Id: I5668c429d3f7a6bdf2dcc6ebd8ba53f9e99332a1
|
| 192d8c3411dc13030d8ff93342bd236a6c744bd7 |
22-Jun-2017 |
Max Bires <jbires@google.com> |
Merge "Removing binder_call's from system_server" into oc-dr1-dev
|
| cc44df863d622ed6b41f96eb7b3d152f0d090532 |
22-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Add WiFi Statistics to Bugreport to Wahoo" into oc-dr1-dev
|
| 6fa748ff45614a450a2b442bb9fa46b40849d213 |
22-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Allow radio to set telephony monitor property on userdebug builds
This is need to fix the following denial
selinux: avc: denied { set } for property=persist.radio.enable_tel_mon
pid=9378 uid=1001 gid=1001 scontext=u:r:radio:s0 tcontext=u:object_r:
tel_mon_prop:s0 tclass=property_service permissive=0
Test: Verifed no telephony monitor crash at power up
Bug: 62870818
Change-Id: If72bb39552d38c5498094170fd27ca6cda6efa2b
adio.te
|
| 19c0576fd8c59cdc2deaa9ac9ca670ec35352b85 |
22-Jun-2017 |
Adrian Salido <salidoa@google.com> |
Merge "power: remove interaction lock when idle" into oc-dr1-dev am: d5c6e693b9
am: 41fdbdb846
Change-Id: Id7063de214590ced5109322ce2efc05a6e579666
|
| d5c6e693b9e38a8c207e5c046efa030b075f4239 |
22-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "power: remove interaction lock when idle" into oc-dr1-dev
|
| 585ac7d71a1e2f7886ea4e65ec87a026addf9130 |
22-Jun-2017 |
Jayachandran Chinnakkannu <jayachandranc@google.com> |
Merge "Change radio back to enforce mode" into oc-dr1-dev am: 385acb4ef6
am: 6406a1719e
Change-Id: Id9a73bfd30b43feaef78f5bcdaff4d93e932d83c
|
| 2f3ed5304c20bcdb3067f7ea1834156780e8e86c |
22-Jun-2017 |
Jayachandran Chinnakkannu <jayachandranc@google.com> |
Merge "Move /data/misc/radio to /data/vendor/radio as per treble rules" into oc-dr1-dev am: 24c0b637f0
am: 0b9fc0bebd
Change-Id: Ica653c122a310202f53afcfbe5a4cdd64ebe46bc
|
| 385acb4ef6ae57245d141054d861b014628da6cd |
22-Jun-2017 |
Jayachandran Chinnakkannu <jayachandranc@google.com> |
Merge "Change radio back to enforce mode" into oc-dr1-dev
|
| 24c0b637f03cbd35007728a6cea1a49138d393ee |
22-Jun-2017 |
Jayachandran Chinnakkannu <jayachandranc@google.com> |
Merge "Move /data/misc/radio to /data/vendor/radio as per treble rules" into oc-dr1-dev
|
| 668cac2f4c50fe9e375f7917700127f309671b7e |
19-May-2017 |
Adrian Salido <salidoa@google.com> |
power: remove interaction lock when idle
Allows earlier interaction lock release by polling on display updates to
stop happening (becomes idle) for a programmable amount of time.
Bug: 62110101
Test: Ran UiBench, didn't see regressions
susbset of tests - avg-jank:
testInflatingListViewFling: 0.09
testTrivialListViewFling: 0.15
Change-Id: I83c0fc75a3d7ca5bf76910ebbaeddb69343a7ee2
al_power_default.te
|
| 6d6b5ec090985ac8c3b68e9430996cbd6b98c879 |
22-Jun-2017 |
Ahmed ElArabawy <arabawy@google.com> |
Merge "Add WiFi Statistics to Bugreport to Wahoo"
|
| 5e53707061206ca7013d6fac9e4031562b1c9122 |
21-Jun-2017 |
Max Bires <jbires@google.com> |
Removing binder_call's from system_server
They no longer appear to be in use, no denials are seen from
system_server after removal
Bug: 34784662
Bug: 36867326
Test: system_server functions normally
Change-Id: Ifca772bc60bd67b14fe695737a7fc563810cd592
ystem_server.te
|
| 4e94c457cd77be54a44ccd016d0c9a682f7dc158 |
17-Jun-2017 |
Ahmed ElArabawy <arabawy@google.com> |
Add WiFi Statistics to Bugreport to Wahoo
This commit adds some statistics from debugfs to bugreport
this includes the files:
/d/wlan0/power_stats
/d/wlan0/ll_stats
/d/icnss/stats
Bug: 62290986
Test: adb bugreport and inspect the required statistics
Change-Id: Ib65b98935a043542283a645f9760e02ff6935db3
Signed-off-by: Ahmed ElArabawy <arabawy@google.com>
ile.te
enfs_contexts
al_dumpstate_impl.te
|
| 67c420df271c88dac01f96b3e0e0cf868da60234 |
21-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Move folio_daemon to system in sepolicy" into oc-dr1-dev am: 56b07ec982
am: 98f85a6ff8
Change-Id: I50a7e0dc8600feed1e332732b24e301b3a16926d
|
| 56b07ec98243d39bdec6711f1a58362b74bee021 |
21-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Move folio_daemon to system in sepolicy" into oc-dr1-dev
|
| adb9d4722c7a8cb7921f3809330d51d632e26812 |
21-Jun-2017 |
Max Bires <jbires@google.com> |
Removing keystore policy due to bug resolution
Bug: 35810138
Test: keystore works properly
Change-Id: I18cb878df60dc57c7fd921629952f4287c934bb9
eystore.te
|
| d60c59ea430e688613e63f084c39d4d65b423cf2 |
21-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Move folio_daemon to system in sepolicy
Remove Treble violations.
Bug: 36867326
Bug: 62387246
Test: loaded on taimen, checked dmesg, and tested daemon with magnet
Change-Id: I4662b41206b94cae6ac9843b5dc7e1452003c63c
ile_contexts
olio_daemon.te
ystem_server.te
|
| eff97a240f214520f3437ca55ca996e86438900d |
21-Jun-2017 |
Thierry Strudel <tstrudel@google.com> |
Merge "Revert "Move file labeling to genfs_contexts."" into oc-dr1-dev
|
| 81ec1ced6ebce722cc9bfebaa89cab059f8c9082 |
21-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Fix incorrect SELinux rule."
|
| 5084c6ba71a48204c67919d44cf453bd0f9aa48f |
21-Jun-2017 |
Thierry Strudel <tstrudel@google.com> |
Revert "Move file labeling to genfs_contexts."
This reverts commit c29e60806b2648882ea371e9217effd841ac7090.
Bug: 62852219
Change-Id: If212c1fea86ee929b6234ed48892ab6065da0173
ile_contexts
enfs_contexts
|
| 3a002c8b68de42668bb8e40d7804e4c4cda655b6 |
21-Jun-2017 |
Thierry Strudel <tstrudel@google.com> |
Merge "Move file labeling to genfs_contexts." into oc-dr1-dev
|
| 97c71e3f91a96981ab93b415c1561006e69ebe15 |
21-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Change radio back to enforce mode
Test: Basic telephony sanity
Bug: 38261780
Change-Id: Ia862e093f3d32500269fb732a5fe6e7e2ca36f41
adio.te
|
| 86b6fcc8a6fdef2551c76b683d257605b6c54a22 |
20-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Move /data/misc/radio to /data/vendor/radio as per treble rules
1) Modify the sepolicy to use /data/vendor partition to hold
vendor radio data.
2) Modify Dumpstate to access /data/vendor for logging.
Test: Basic telephony sanity with radio enforce mode
Bug: 36736902
Bug: 36717606
Change-Id: I1f8f1026189c1262cfe0af251451e0efcc98c7f7
ile_contexts
nit_radio.te
ild.te
mlog_dump.te
|
| 9c2c09f4d7d265353e69eafc2c5113c7474cb5dc |
21-Jun-2017 |
Max Bires <jbires@google.com> |
Merge "Fixing denials blocking SFS and widevine" into oc-dr1-dev am: a05b888385
am: e11f6c6b94
Change-Id: Ifd2282dcf41cb89ed4c8a596d62933298dce525e
|
| a05b8883851744226710cd71c12bf6b095a659b2 |
21-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Fixing denials blocking SFS and widevine" into oc-dr1-dev
|
| 68e562a6b51be309fbd0b246a5eee300277e65a7 |
21-Jun-2017 |
Sandeep Patil <sspatil@google.com> |
Merge "rild: remove rules to allow socket usage between rild and radio" into oc-dr1-dev am: 427d3ced01
am: 8b9050fda0
Change-Id: I7398c1a205c418c55eb47f7b0a185d57432ea3c5
|
| 427d3ced01c6976091ffb70826edde4d2b47ae3f |
21-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "rild: remove rules to allow socket usage between rild and radio" into oc-dr1-dev
|
| c29e60806b2648882ea371e9217effd841ac7090 |
08-Jun-2017 |
Joel Galenson <jgalenson@google.com> |
Move file labeling to genfs_contexts.
This should improve performance, as file_contexts is slower
than genfs_contexts.
Bug: 62413700
Test: Built, flashed, and booted. Verified that all of the
files have the correct context.
Change-Id: I40035d396fe344ade6b665ef0c314e36ef9c8bf8
(cherry picked from commit cdd9829be89802fee63d9d5d1d381f1d84847d47)
ile_contexts
enfs_contexts
|
| 5a3c3b6993c02e325f5ac5793016e41711968c8c |
21-Jun-2017 |
Arnd Geis <arndg@google.com> |
Create SELinux domain for easelservice app am: 0745d1bc52
am: 2ae3d1fd10
Change-Id: I2374b16960fa4a8138c5a932e7dc2c51bc798e98
|
| b9facbcd955fed0bd86e12e98e9c1d2de702958a |
20-Jun-2017 |
Joel Galenson <jgalenson@google.com> |
Fix incorrect SELinux rule.
Bug: 62413700
Test: Verified that the file has the correct rule.
Change-Id: I55a45952ae0d8de16dc03ddbf455a0bd1f657490
enfs_contexts
|
| 841c4ad431d5098d9711f43a2892fdfb370fea9a |
17-Jun-2017 |
Ahmed ElArabawy <arabawy@google.com> |
Add WiFi Statistics to Bugreport to Wahoo
This commit adds some statistics from debugfs to bugreport
this includes the files:
/d/wlan0/power_stats
/d/wlan0/ll_stats
/d/icnss/stats
Bug: 62290986
Test: adb bugreport and inspect the required statistics
Merged-In: Ib65b98935a043542283a645f9760e02ff6935db3
Change-Id: Ib65b98935a043542283a645f9760e02ff6935db3
Signed-off-by: Ahmed ElArabawy <arabawy@google.com>
ile.te
enfs_contexts
al_dumpstate_impl.te
|
| 7d452f093f2d3d2957267fd2c9f90368a7fd3c0d |
20-Jun-2017 |
Sandeep Patil <sspatil@google.com> |
rild: remove rules to allow socket usage between rild and radio
This eventually also removes the socket_between_core_and_vendor
attribute added to rild for the same
Bug: 36718031
Bug: 62343727
Test: Build and boot walleye
Change-Id: Ib4808579742942b663d2e93c1527057f54f869cf
Signed-off-by: Sandeep Patil <sspatil@google.com>
ild.te
|
| 0469656a6a323019b9972eeabed243d3ba3944da |
15-Jun-2017 |
Max Bires <jbires@google.com> |
Fixing denials blocking SFS and widevine
Details in bug b/62391689
Bug: 62391689
Bug: 62686689
Test: Attestation works
Change-Id: I0f9fe50537db5d8218331ecc7bd6cce60969a7bf
ile.te
ile_contexts
ee.te
|
| 0745d1bc52c16511700f4c53245b0c876ae68f16 |
19-Jun-2017 |
Arnd Geis <arndg@google.com> |
Create SELinux domain for easelservice app
- Add domain for Easel firmware update app
- Add app cert
- Add access permission to mnh driver
- Add access permission to app_api_service
- Add access permission to surfaceflinger service
Bug: b/38212365
Change-Id: I62e813a126d10b6d70854163635e564c161e9305
Signed-off-by: Arnd Geis <arndg@google.com>
erts/easel.x509.pem
aselservice_app.te
eys.conf
ac_permissions.xml
eapp_contexts
|
| 425a893cc4ee0d410d17e0edd234e67393395331 |
20-Jun-2017 |
Max Bires <jbires@google.com> |
Merge "Fixing some radio/ueventd/tee denials" into oc-dr1-dev am: 8e782a5db0
am: d25091363f
Change-Id: Ie50e47898be07155628762058e6895a137c9ccc3
|
| 8e782a5db0c05a073b2995d63dc6f5fd7ed3c457 |
20-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Fixing some radio/ueventd/tee denials" into oc-dr1-dev
|
| 905abb7c601b4b6627bc6971ee835463d4bb3180 |
20-Jun-2017 |
Andrew Chant <achant@google.com> |
Merge "Add USB device descriptors to bug report." into oc-dr1-dev
|
| 3b19e99148131fa1d4f76fe6bf066d6cf5f89916 |
12-Jun-2017 |
Andrew Chant <achant@google.com> |
Add USB device descriptors to bug report.
Reports product, version, and first 48 bytes of
descriptors.
Test: Took bugreports with and without USB device attached.
With no USB Device:
------ USB Device Descriptors (/vendor/bin/sh -c cd
/sys/bus/usb/devices/1-1 && cat product && cat bcdDevice; cat
descriptors | od -t x1 -w16 -N96) ------
0000000
With USB Device:
------ USB Device Descriptors (/vendor/bin/sh -c cd
/sys/bus/usb/devices/1-1 && cat product && cat bcdDevice; cat
descriptors | od -t x1 -w16 -N96) ------
Mir
0200
0000000 12 01 00 02 00 00 00 40 d1 18 25 50 00 02 03 01
0000020 02 01 09 02 1f 01 04 01 04 a0 32 09 04 00 00 01
0000040 01 01 00 05 0a 24 01 00 01 83 00 02 01 02 0c 24
0000060 02 01 01 02 00 02 03 00 00 00 0d 24 06 03 01 02
0000100 01 00 02 00 02 00 00 09 24 03 02 01 01 01 04 00
0000120 0c 24 02 22 01 02 00 02 03 00 00 18 0d 24 06 23
0000140
Bug: 38327094
Change-Id: I05cb5f6f3895b43b55ab4b1f434bb5b206b3bf4c
Merged-In: I05cb5f6f3895b43b55ab4b1f434bb5b206b3bf4c
ile.te
ile_contexts
al_dumpstate_impl.te
|
| d6bf24251e9bfd28b4c6b24484a2f1fe48455321 |
01-Jun-2017 |
Max Bires <jbires@google.com> |
Fixing some radio/ueventd/tee denials
denied { write } for pid=559 comm="ueventd" name="uevent" dev="sysfs"
ino=53168 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_usb_c:s0
tclass=file
denied { open } for pid=7321 comm="elephonymonitor"
path="/dev/__properties__/u:object_r:tel_mon_prop:s0" dev="tmpfs"
ino=18893 scontext=u:r:radio:s0 tcontext=u:object_r:tel_mon_prop:s0
tclass=file
denied { set } for property=rcs.publish.status pid=4829 uid=1001
gid=1001 scontext=u:r:radio:s0 tcontext=u:object_r:default_prop:s0
tclass=property_service
denied { set } for property=persist.radio.enable_tel_mon pid=10182
uid=1001 gid=1001 scontext=u:r:radio:s0
tcontext=u:object_r:tel_mon_prop:s0 tclass=property_service
Bug: 34784662
Test: These denials no longer appear during phone operation
Change-Id: I0f38e4f7e937c79d60eb2d4c607bcb62694f973b
roperty_contexts
eventd.te
|
| 21756abc654c31fb799652a969b9394fe9999b68 |
20-Jun-2017 |
Andrew Chant <achant@google.com> |
Merge "Add USB device descriptors to bug report."
|
| f184f76ba188b38d67898c6a9495d57e4aa47b82 |
20-Jun-2017 |
Martijn Coenen <maco@google.com> |
Merge "Remove binder_in_vendor_violators from wcnss." into oc-dr1-dev am: 87c358793f
am: 83ae8180ac
Change-Id: I34cf727b65f7255bf50c1e5e1abfc7d5f7d6be73
|
| 87c358793ff61c128f1fd8dc944a382260c7f1fa |
20-Jun-2017 |
Martijn Coenen <maco@google.com> |
Merge "Remove binder_in_vendor_violators from wcnss." into oc-dr1-dev
|
| 29029eda1883b84984d4c8437d99b54ef8215a55 |
20-Jun-2017 |
Sandeep Patil <sspatil@google.com> |
Merge "netmgrd: remove vendor_executes_system_violator" into oc-dr1-dev am: 3e9bd98c90
am: 6497c518e5
Change-Id: I7a9d818d62c3a3edd7fc3152a8954d089fcfdf39
|
| 3e9bd98c907409ef081033e43fb3452a4d97b611 |
20-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "netmgrd: remove vendor_executes_system_violator" into oc-dr1-dev
|
| e1c75faa4a9b2b4904f0ceef428841fde5e15118 |
20-Jun-2017 |
Sandeep Patil <sspatil@google.com> |
Merge "init_ese: use vendor shell and toybox in ese script" into oc-dr1-dev am: 3266111d28
am: c4b67a6f2f
Change-Id: I2a51b998928b027029b3ba63c07cf4bfc60a5f0a
|
| b96e98c9535b24430edcaf8f293c196874a9b415 |
12-Jun-2017 |
Andrew Chant <achant@google.com> |
Add USB device descriptors to bug report.
Reports product, version, and first 48 bytes of
descriptors.
Test: Took bugreports with and without USB device attached.
With no USB Device:
------ USB Device Descriptors (/vendor/bin/sh -c cd
/sys/bus/usb/devices/1-1 && cat product && cat bcdDevice; cat
descriptors | od -t x1 -w16 -N96) ------
0000000
With USB Device:
------ USB Device Descriptors (/vendor/bin/sh -c cd
/sys/bus/usb/devices/1-1 && cat product && cat bcdDevice; cat
descriptors | od -t x1 -w16 -N96) ------
Mir
0200
0000000 12 01 00 02 00 00 00 40 d1 18 25 50 00 02 03 01
0000020 02 01 09 02 1f 01 04 01 04 a0 32 09 04 00 00 01
0000040 01 01 00 05 0a 24 01 00 01 83 00 02 01 02 0c 24
0000060 02 01 01 02 00 02 03 00 00 00 0d 24 06 03 01 02
0000100 01 00 02 00 02 00 00 09 24 03 02 01 01 01 04 00
0000120 0c 24 02 22 01 02 00 02 03 00 00 18 0d 24 06 23
0000140
Bug: 38327094
Change-Id: I05cb5f6f3895b43b55ab4b1f434bb5b206b3bf4c
ile.te
enfs_contexts
al_dumpstate_impl.te
|
| 3266111d2831590f54c76c13fc940b78f9a5592d |
20-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "init_ese: use vendor shell and toybox in ese script" into oc-dr1-dev
|
| 76dc25b2075e91d21b6f590671b84fb5438ac3b0 |
20-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Merge "Remove system_server policy to communicate with netmgrd over sockets" into oc-dr1-dev am: dffb51f4c0
am: 2c345df645
Change-Id: I793ca5a816e59141d2ee8b5a3aad384f1c5ec500
|
| 6a840da33dcc4fac15d71701f0ce7dcf4e69cedf |
20-Jun-2017 |
Amit Mahajan <amitmahajan@google.com> |
Merge "Remove binder rules for rild to communicate with audioserver." into oc-dr1-dev am: 8c27f611c2
am: 56bfffada8
Change-Id: I19942dce61f33698e4b9f0f6d88e7be3453acfb8
|
| dffb51f4c0ab30c9634f290c76c9a9038a9b1d58 |
20-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Remove system_server policy to communicate with netmgrd over sockets" into oc-dr1-dev
|
| 8c27f611c2c8d5a268f5f1912fd4a4de387a778a |
20-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Remove binder rules for rild to communicate with audioserver." into oc-dr1-dev
|
| 67c279ab87e98de53180d8462fab86b7e98a90fd |
20-Jun-2017 |
Sandeep Patil <sspatil@google.com> |
Merge "wahoo: Make vendor script use vendor shell and vendor toybox" into oc-dr1-dev am: 0aecfea175
am: 4c97fd83d2
Change-Id: I1cd414d797a6f547c548eb046f304102dc6c8ecd
|
| 79325b70135cdad9c9883d2adefe4ad29f13dd26 |
20-Jun-2017 |
Eino-Ville Talvala <etalvala@google.com> |
Merge "GoogleCamera: Remove redundant persist.camera.* access" into oc-dr1-dev am: 39b781b6ef
am: 5650f08112
Change-Id: I01e7085780801a78f1b8333309aaff102be3afee
|
| 073f57addc3b91615c2eb78470ce78ba4e8ea125 |
20-Jun-2017 |
Steve Pfetsch <spfetsch@google.com> |
Merge "wahoo: dumpstate: add touch firmware versions to dumpstate" into oc-dr1-dev am: 8ba1d8c88a
am: 8232779736
Change-Id: Iedfd1bcb24d79f69333cff511321b6b0e93136d7
|
| 55d1b0499240a8506738006feb7af7a266e889d5 |
20-Jun-2017 |
Steven Moreland <smoreland@google.com> |
Merge "Remove socket violators from passthrough mode." into oc-dr1-dev am: eba35a7659
am: 11c321b326
Change-Id: Iedba491df389a09903b0180c2558c45eb27c9d07
|
| 3c5dd51dfd59eb990600c8e0fce06199f3289699 |
20-Jun-2017 |
Max Bires <jbires@google.com> |
Merge "Fixing sepolicy to allow sensors to create necessary files" into oc-dr1-dev am: 9449862bbc
am: f87a36e1c9
Change-Id: I8c34de22477e8a6fa04a8761d6e1417453ddc66d
|
| adcf25a5128bf5b3383462b29cedc3965021dc35 |
20-Jun-2017 |
Sandeep Patil <sspatil@google.com> |
netmgrd: remove vendor_executes_system_violator
netmgrd needed this because if libudsutil depending on /system
executable. That has now change to point to /vendor copies of tyobox
utilities. So, remove the violator attribute and add permission to use
vendor_toolbox for netmgrd domain.
Bug: 37364044
Bug: 62385687
Test: Build and boot walleye and observe no denials for netmgrd
Change-Id: I54adc23bbb7f59e209fd5ad797fa6c46995adc29
Signed-off-by: Sandeep Patil <sspatil@google.com>
etmgrd.te
|
| 79430f1a6e92b580c0c4d5556662c87959a03de0 |
20-Jun-2017 |
Martijn Coenen <maco@google.com> |
Remove binder_in_vendor_violators from wcnss.
Bug: 36651714
Test: builds
Change-Id: Ib12f6e891bfc8b2d8ba818392f7cdc0a13b8ab4f
cnss_service.te
|
| f15fe5de4b2683d75c3fe58f3043320292e614de |
20-Jun-2017 |
Sandeep Patil <sspatil@google.com> |
init_ese: use vendor shell and toybox in ese script
Bug: 38447496
Bug: 37364044
Bug: 37914554
Test: Build and boot walleye
Test: No denials for init_ese requireing access for /data (b/t37914554)
Change-Id: Ifce97fd50c4d2b0f49460ff37bcc01a281a6c700
Signed-off-by: Sandeep Patil <sspatil@google.com>
nit_ese.te
|
| 0aecfea1758fcd8febfc4bef6e53b37c02fe4851 |
20-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "wahoo: Make vendor script use vendor shell and vendor toybox" into oc-dr1-dev
|
| 4ccd3d226fa7cd897bc5ee8fb17f41f7a5108adf |
19-Jun-2017 |
Amit Mahajan <amitmahajan@google.com> |
Remove binder rules for rild to communicate with audioserver.
Test: Basicy telephony sanity
Bug: 36565056
Change-Id: Ie315ca7b23d0ab64773de1d850b9b412d84b2557
udioserver.te
ild.te
|
| 39b781b6ef9091c79a205de485f24e4245b95c74 |
19-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "GoogleCamera: Remove redundant persist.camera.* access" into oc-dr1-dev
|
| acd002580663f1dcea3af96d17cf500c514b6bac |
19-Jun-2017 |
Thierry Strudel <tstrudel@google.com> |
Merge commit 'd49c28813760c1aeee43f222e68ed0e939ed8e7d' into HEAD
Change-Id: Ib9cac8693b967d075f2a7c1cc21d5feea37bbcb9
|
| 8ba1d8c88ae4c72ef4afd1b03e38ee74604bfcaf |
19-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "wahoo: dumpstate: add touch firmware versions to dumpstate" into oc-dr1-dev
|
| eba35a7659514f8e0f027f40d3076ab94811d9a6 |
19-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Remove socket violators from passthrough mode." into oc-dr1-dev
|
| 9449862bbc3679f432d0caea91ffcd77506096d7 |
19-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Fixing sepolicy to allow sensors to create necessary files" into oc-dr1-dev
|
| 4a2b3affdafb5d7f05b03ac61335c1dd77aa7feb |
19-Jun-2017 |
Sandeep Patil <sspatil@google.com> |
wahoo: Make vendor script use vendor shell and vendor toybox
This also enables us to remove the vendor_executes_system_violator
attribute from all the vendor scripts launched from init.
Bug: 37914554
Test: Build and boot and ensure all services exited with status 0.
Change-Id: If692b17b45f91ff128608c3f6e9524847c1af69f
Signed-off-by: Sandeep Patil <sspatil@google.com>
nit-devstart-sh.te
nit-insmod-sh.te
nit-ipastart-sh.te
nit_power.te
nit_radio.te
|
| 3db6f8685173943ea7090a976d23bff4275412c0 |
08-Jun-2017 |
Steven Moreland <smoreland@google.com> |
Remove socket violators from passthrough mode.
Bug: 34274385
Bug: 34784662
Test: neverallows not tripped
Test: bluetooth audio works
Test: no denials seen related to wcnss<->bluetooth sockets
Change-Id: Ie966130e5fd15b94bf8ce0e339eb632e7bf5e71e
luetooth.te
al_camera.te
ocation.te
erfd.te
cnss_filter.te
|
| 69bdf39fd594c15fcf099f8e5fb1a734943275d4 |
01-Jun-2017 |
Roopesh Rajashekharaiah Nataraja <roopeshr@codeaurora.org> |
Ensure treble compliance for time-service
- Use /data/vendor/time instead of /data/time
- Use /persist/time instead of /persist
- Allow vendor to vendor socket communication
Bug: 62184939
Bug: 62256376
Change-Id: Ia1c27cf3dfa393abcbf860249da8e7669c359ad9
ile.te
ile_contexts
eapp_contexts
ystem_app.te
ime_daemon.te
imeservice_app.te
|
| 321cee7e61ba6853c3f2c8528415be163a35bc79 |
27-May-2017 |
Steve Pfetsch <spfetsch@google.com> |
wahoo: dumpstate: add touch firmware versions to dumpstate
Bug: 38207199
Change-Id: I2b21f92f64847286a34d7d52a932bd1f825fe000
ile.te
enfs_contexts
al_dumpstate_impl.te
|
| da38591af2b2eab5f59c51d568f19726567d02a1 |
19-Jun-2017 |
Max Bires <jbires@google.com> |
Fixing sepolicy to allow sensors to create necessary files
denied { create } for name="sns.reg" scontext=u:r:sensors:s0
tcontext=u:object_r:persist_sensors_file:s0 tclass=file
Bug: 62555317
Test: sensors can create sns.reg file if missing
Change-Id: I7a9a8e8f42408641a0efce0e02617305e4bc6331
ensors.te
|
| 46f5dcbd693f33d06ed488435dc7719e0ebf9e87 |
19-Jun-2017 |
Eino-Ville Talvala <etalvala@google.com> |
Allow Hexagon DSP access to GoogleCamera application am: 9da8401acb
am: b66c8ab754
Change-Id: I18ae00b37e8b64e5da9119dd143ded5169b2956f
|
| e4f65f1aad9ddbefd70c9ec2ee08ec352772e14f |
19-Jun-2017 |
Eino-Ville Talvala <etalvala@google.com> |
GoogleCamera: Remove redundant persist.camera.* access
All apps already get this access, so no reason to repeat that
Test: Manually verify GoogleCamera can still access persist.camera.*
Bug: 62712071
Change-Id: I913f89b467514047d8e7079449148a4f6a3536aa
oogle_camera_app.te
|
| 9ed7bea713820fca44a01dbb85adf93603e184d0 |
19-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Remove system_server policy to communicate with netmgrd over sockets
system_server no longer communicates with netmgrd over sockets
Test: Basic Telephony and GPS sanity and no new denials
Bug: 36626250
Change-Id: I7468504372a98a422e1eaaf63b8d1462b40c96a5
ystem_server.te
|
| 9da8401acba47d463d8f122525be7d26f686901e |
15-Jun-2017 |
Eino-Ville Talvala <etalvala@google.com> |
Allow Hexagon DSP access to GoogleCamera application
- Add custom domain for GoogleCamera, with QDSP access
- Add app cert for Google apps
- Add new hexagon_halide_file type, apply it to two critical DSP
libraries, and grant GoogleCamera access to them.
- Also allow tango_core access to hexagon_halide_file
- Remove /vendor/lib/libhalide_hexagon_host from
same_process_hal_file, it's not used by anything currently.
- Move access to persist.camera.* properties to the generic app domain
Test: GoogleCamera able to use Hexagon for HDR+
Bug: 62712071
Bug: 62341955
Change-Id: I2c49c35d9f90d07b148a2f27d0f8128f99b55b6c
pp.te
erts/app.x509.pem
ile.te
ile_contexts
oogle_camera_app.te
eys.conf
ac_permissions.xml
eapp_contexts
ango_core.te
ntrusted_app.te
|
| c9400f3e432afde1c3a72ae1d459e64a6a681e8e |
17-Jun-2017 |
Naveen Kalla <mrnaveen@google.com> |
Merge "Set system time early to get more accurate timezones" into oc-dr1-dev am: 4aa311afe0
am: d4ce900486
Change-Id: I63c85eee64beb837464e2c9e39d5505aa537d3f5
|
| 4aa311afe03fb5a3bec22611c40f0f7520515dde |
17-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Set system time early to get more accurate timezones" into oc-dr1-dev
|
| 8a0136e3320dbb80dd5c08df58c9758cfb1abb65 |
17-Jun-2017 |
David Lin <dtwlin@google.com> |
sepolicy: allow ueventd to load calibration file on /persist am: f9f9c80b7a
am: 09b2069949
Change-Id: Ied415c9480ecf77006c4d3ba072f14dc95fb13f8
|
| 404eeb6eb190393aae805ba5c09504154aa506ae |
17-Jun-2017 |
Thierry Strudel <tstrudel@google.com> |
Merge commit '208239c104fc478a0dc91916f0dfda88332ab043' into HEAD
Change-Id: I7b4fad0b3350112647dd046994d3a6d527b37674
|
| f9f9c80b7a8b1f22d3c6541ad5be5b1f010589f8 |
16-Jun-2017 |
David Lin <dtwlin@google.com> |
sepolicy: allow ueventd to load calibration file on /persist
This patch adds the sepolicy to allow ueventd to load a calibration file
via a symlink on /vendor/firmware pointing to a file on /persist.
Bug: 62683712
Test: audio sanity test
Change-Id: Id16c947578b8860186a25e01ab64131d640a3004
Signed-off-by: David Lin <dtwlin@google.com>
ernel.te
eventd.te
|
| 1b5fe2a540617ccb880b23195a540c5070e1a2d3 |
17-Jun-2017 |
Thierry Strudel <tstrudel@google.com> |
Merge changes from topic 'merge-msm8998-AU210' into oc-dr1-dev
* changes:
netmgrd: Change binary location to netutils
Introduce cne server and apiservice hal
Update IMS and radio SE policies based on AU 194 drop
Adding contexts and allows for time_daemon
|
| 08c750584a35fdf3440c179145bc65e7ff724b34 |
17-Jun-2017 |
Thierry Strudel <tstrudel@google.com> |
Merge "suppress spurious module loading denials" into oc-dr1-dev am: 77199d72f8
am: 88fc340aef
Change-Id: I70355a12f16b79648ac78aea689652b32ced6c3e
|
| 77199d72f8a1c9b3ac4857462f074e02024a49a6 |
17-Jun-2017 |
Thierry Strudel <tstrudel@google.com> |
Merge "suppress spurious module loading denials" into oc-dr1-dev
|
| 76b781690b2bf90fae18107b79cfeb75e6bb4736 |
16-Jun-2017 |
Ecco Park <eccopark@google.com> |
Merge "wifi: add the read permission for /proc/ath_pktlog/cld" into oc-dr1-dev am: 1cbbad1f55
am: 1cd92c77c1
Change-Id: I68da9521428bdacf214240e6e9cc253917174814
|
| 1cbbad1f558c4160e1d6a01432dc70ca7734f832 |
16-Jun-2017 |
Ecco Park <eccopark@google.com> |
Merge "wifi: add the read permission for /proc/ath_pktlog/cld" into oc-dr1-dev
|
| ca38bc851d51a5046629d4d5863e51f93edeaaa1 |
16-Jun-2017 |
Ecco Park <eccopark@google.com> |
wifi: add the read permission for /proc/ath_pktlog/cld
Error:
type=1400 audit(1497566325.222:1870): avc: denied { read
} for pid=963 comm="cnss_diag" name="cld" dev="proc" ino=4026533982
scontext=u:r:wcnss_service:s0 tcontext=u:object_r:proc:s0 tclass=file
permissive=0
Bug: 36823983
Change-Id: Ie231bedccfc75d020e7a467d9b87b0e44e46fad2
Signed-off-by: Ecco Park <eccopark@google.com>
enfs_contexts
cnss_service.te
|
| b771c2152cf330f4c8a450a4d7dc9990ce6c6036 |
16-Jun-2017 |
Thierry Strudel <tstrudel@google.com> |
Merge "Add tangomapper and tango cts to tango_core SE context" into oc-dr1-dev am: 4c80a57708
am: 46ec57a762
Change-Id: I77fd6b5e1202d034044be03eae82b90103df4aba
|
| 4c80a57708f4176c6b0d95230a27a8e1c1c018fd |
16-Jun-2017 |
Thierry Strudel <tstrudel@google.com> |
Merge "Add tangomapper and tango cts to tango_core SE context" into oc-dr1-dev
|
| 664f2d4397e174ccc9fd6f5935515104d58d9a15 |
31-May-2017 |
Subash Abhinov Kasiviswanathan <subashab@codeaurora.org> |
netmgrd: Change binary location to netutils
Generic system partition binaries are no accessible on latest
versions of AOSP. As a result, use the netutils wrapper equivalents
of ip[6]tables, ip and tc. Fix the following denials -
type=1400 audit(1495499715.886:76): avc: denied { use } for pid=1370
comm="tc-wrapper-1.0" path="pipe:[28029]" dev="pipefs" ino=28029
scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netmgrd:s0 tclass=fd
permissive=0
type=1400 audit(159.269:260): avc: denied { write } for pid=1612
comm="ndc-wrapper-1.0" path="pipe:[30233]" dev="pipefs" ino=30233
scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netmgrd:s0
tclass=fifo_file permissive=0
type=1400 audit(159.269:267): avc: denied { read } for pid=1612
comm="ndc-wrapper-1.0" path="pipe:[30809]" dev="pipefs" ino=30809
scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netmgrd:s0
tclass=fifo_file permissive=0
type=1400 audit(10632.149:134): avc: denied { read write } for
pid=1523 comm="ndc-wrapper-1.0" path="socket:[28342]" dev="sockfs"
ino=28342 scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netmgrd:s0
tclass=netlink_socket permissive=0
type=1400 audit(3510988.283:134): avc: denied { module_request } for
pid=773 comm="netmgrd" kmod="netdev-rmnet_ipa0"
scontext=u:r:netmgrd:s0 tcontext=u:r:kernel:s0 tclass=system
permissive=0
type=1400 audit(1496866410.453:216): avc: denied { read } for
pid=810 comm="netmgrd" name="timestamp_switch" dev="sysfs" ino=27263
scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs_timestamp_switch:s0
tclass=file permissive=0
type=1400 audit(1496882073.170:67506) avc: denied { open } for pid=822
comm="netmgrd" path="/sys/module/diagchar/parameters/timestamp_switch"
dev="sysfs" ino=27263 scontext=u:r:netmgrd:s0
tcontext=u:object_r:sysfs_timestamp_switch:s0 tclass=file permissive=0
audit(1496448874.298:224) avc: denied { read write } for pid=3976
comm="iptables-wrappe" path="socket:[35109]" dev="sockfs" ino=35109
scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netmgrd:s0
tclass=tcp_socket permissive=1
audit(1496448785.385:139) avc: denied { getattr } for pid=1709
comm="ndc" path="pipe:[31264]" dev="pipefs" ino=31264
scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netmgrd:s0
tclass=fifo_file permissive=1
CRs-Fixed: 2054108
Test: Verified that the LTE data and WiFi calling works
Bug: 62258789
Change-Id: I91e663ab35369f75d33ef4788c87bde14605f6b9
etmgrd.te
etutils_wrapper.te
|
| 25591f24ea7fcc2e3de8f5d9637557d47b759b73 |
07-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Update IMS and radio SE policies based on AU 194 drop
Permissive to enforce for ims and cnd domains
Introduce new CNE HIDL service
Remove CNE talking to cnd via socket and move to HIDL
Allow IMS to access sysfs data and diag files
Allow radio to access telephony monitor property
Bug: 38043081
Change-Id: I1775d6aea4de9843fdbedd06ebd71ec213f38189
nd.te
ataservice_app.te
ile.te
ile_contexts
al_imsrtp.te
al_rcsservice.te
wservice.te
wservice_contexts
ms.te
adio.te
|
| b7c0dc9aaf1c7495436e6cbfa81a5b9c37def09a |
24-May-2017 |
Max Bires <jbires@google.com> |
Adding contexts and allows for time_daemon
denied { write } for pid=741 comm="time_daemon" name="time" dev="sda10"
ino=335873 scontext=u:r:time_daemon:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir
denied { search } for pid=825 comm="time_daemon" name="time" dev="sda10"
ino=335873 scontext=u:r:time_daemon:s0
tcontext=u:object_r:time_data_file:s0 tclass=dir
denied { create } for pid=894 comm="time_daemon" name="ats_13"
scontext=u:r:time_daemon:s0 tcontext=u:object_r:time_data_file:s0
tclass=file
denied { create } for pid=820 comm="time_daemon" name="ats_13"
scontext=u:r:time_daemon:s0 tcontext=u:object_r:persist_file:s0
tclass=file
denied { search } for pid=834 comm="time_daemon" name="time" dev="sda4"
ino=23 scontext=u:r:time_daemon:s0
tcontext=u:object_r:persist_time_file:s0 tclass=dir
denied { write } for pid=865 comm="time_daemon" name="time" dev="sda4"
ino=23 scontext=u:r:time_daemon:s0
tcontext=u:object_r:persist_time_file:s0 tclass=dir
Bug: 34784662
Bug: 38415848
Test: time works
Change-Id: I4e859761f32bb0e203e1047f5c491602efcc43b0
(cherry picked from commit 59425a13e653a2250c1fbc4aca494e56ddc69f6b)
ile.te
ile_contexts
ime_daemon.te
|
| d58873547f34afab05fef02510408d6912cfb8e9 |
16-Jun-2017 |
Jayachandran Chinnakkannu <jayachandranc@google.com> |
Merge "Update IMS and radio SE policies based on AU 194 drop"
|
| 7df1deb2e838ca2d83a6a5d67d43a8e8dc442a9d |
16-Jun-2017 |
Wyatt Riley <wyattriley@google.com> |
Merge "Fix denials for xtra-daemon file creation" into oc-dr1-dev am: daa2ff2508
am: c9a67c785a
Change-Id: I3d71be6141de80017fa4415a41353aa9d49abf43
|
| 78f825b340c4e3ec9ff0e38c10fb4c49ac2f64ed |
16-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Remove treble violations from sepolicy" into oc-dr1-dev am: ef7dedbfe8
am: 1ce4d6043b
Change-Id: Ic8f1625914fc124ce2a37f4a329f8ca1176701f6
|
| daa2ff2508630022275fb5a3673deeba897e916c |
16-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Fix denials for xtra-daemon file creation" into oc-dr1-dev
|
| ef7dedbfe825ddcab237f513008f01bb2fd3c719 |
16-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Remove treble violations from sepolicy" into oc-dr1-dev
|
| 2284c8495a0a920de517f1d21e2c0c30be231e67 |
15-Jun-2017 |
Naveen Kalla <mrnaveen@google.com> |
Set system time early to get more accurate timezones
Zygote reads the system time and caches the timezone information.
So start time_daemon early so that it can set the time before
zygote starts up and reads the time.
Bug: 62473512
Test: Manual: Check adb logs to ensure Zygote starts after system
time is set.
Change-Id: I98fca37928e1822614f9fcb39869e664453a2c3e
roperty.te
roperty_contexts
ime_daemon.te
|
| 05ded31dd6fa6c230a030d9bbcc27385f44f3316 |
07-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Update IMS and radio SE policies based on AU 194 drop
Permissive to enforce for ims and cnd domains
Introduce new CNE HIDL service
Remove CNE talking to cnd via socket and move to HIDL
Allow IMS to access sysfs data and diag files
Allow radio to access telephony monitor property
Bug: 38043081
Change-Id: I1775d6aea4de9843fdbedd06ebd71ec213f38189
nd.te
ataservice_app.te
ile.te
enfs_contexts
al_imsrtp.te
al_rcsservice.te
wservice.te
wservice_contexts
ms.te
adio.te
|
| a287c3bb29068dc1264ddeb4f61e0f3a5559d204 |
16-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
suppress spurious module loading denials
We only load modules during boot, on only by a single script:
init.insmod.sh
Other denials are caused by code we don't rely on that
automatically looks for modules.
Bug: 34784662
Test: build policy
Change-Id: Iccdbe52582e9960f49ecb4ba9b472cf792e48fe6
nit.te
ernel.te
ocation.te
etd.te
etmgrd.te
urfaceflinger.te
|
| e84735870c7b4307b3d11a6778ba6c24f6c599af |
14-Jun-2017 |
Ranjith Kagathi Ananda <ranjithkagathi@google.com> |
Add tangomapper and tango cts to tango_core SE context
* Add com.google.tango.* to tango_core SE context
* Replace the key.pem used for tango apps for userbuild.
Use a release key instead of dummy key
* Resolve denials for tango_core:
avc: denied { search } for name="/" dev="sdd3" ino=2
scontext=u:r:tango_core:s0:c512,c768 tcontext=u:object_r:persist_file:s0
tclass=dir permissive=0
avc: denied { search } for name="sensors" dev="sdd3" ino=16
scontext=u:r:tango_core:s0:c512,c768
tcontext=u:object_r:persist_sensors_file:s0 tclass=dir permissive=0
avc: denied { getattr } for
path="/persist/sensors/calibration/calibration.xml" dev="sdd3" ino=38
scontext=u:r:tango_core:s0:c512,c768
tcontext=u:object_r:persist_sensors_file:s0 tclass=file permissive=1
avc: denied { open } for
path="/persist/sensors/calibration/calibration.xml" dev="sdd3" ino=38
scontext=u:r:tango_core:s0:c512,c768
tcontext=u:object_r:persist_sensors_file:s0 tclass=file permissive=1
avc: denied { read } for name="calibration.xml" dev="sdd3" ino=38
scontext=u:r:tango_core:s0:c512,c768
tcontext=u:object_r:persist_sensors_file:s0 tclass=file permissive=0
BUG=62581695
Test: Tested on walleye
Change-Id: Ifac77c8190e59d88c9f1a65ab451e7e060742082
erts/tango_dummy.x509.pem
erts/tango_userdev.x509.pem
eys.conf
eapp_contexts
ango_core.te
|
| fc83072eedf7c9ab3a5b1cf8d7bb899f30fd6875 |
16-Jun-2017 |
Wyatt Riley <wyattriley@google.com> |
Fix denials for xtra-daemon file creation
avc: denied { create } for name="xtra.sqlite" scontext=u:r:location:s0
tcontext=u:object_r:location_data_file:s0 tclass=file permissive=0
avc: denied { create } for name="nvparam.sqlite" scontext=u:r:location:s0
tcontext=u:object_r:location_data_file:s0 tclass=file permissive=0
avc: denied { create } for name="pcid.data" scontext=u:r:location:s0
tcontext=u:object_r:location_data_file:s0 tclass=file permissive=0
Thinner version of
https://partner-android-review.googlesource.com/#/c/840686/
Aligns with marlin
Bug: 62603830
Test: Build, run GPS, check denials
Change-Id: I8b0f11b73c09513a4c19232cfde03b378b93f8f3
ocation.te
|
| e3f80d1ba820b1e924d1d85a363ca5778c8cfb13 |
15-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Add domain for widevine HAL am: bbc467932d
am: 47206e4cd2
Change-Id: I6c3fe3fca8151042e0cb99d6931ffd91e46baf35
|
| d8ec0483f7b746e33f41262f83beeeabac34e51f |
15-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "supress spurious firmware_file denial" into oc-dr1-dev am: 115b724ccd
am: c3267453bf
Change-Id: I9b75a64b90d0c424420c6f1d54ecfdb55ce41afd
|
| bbc467932d74c7abf8c365f940d0e2f5e5907192 |
15-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Add domain for widevine HAL
Address:
[ 14.701366] init: service drm-widevine-hal-1-0 does not have a
SELinux domain defined
avc: denied { ioctl } scontext=u:r:hal_drm_widevine:s0
tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file
avc: denied { open } scontext=u:r:hal_drm_widevine:s0
tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file
avc: denied { read write } scontext=u:r:hal_drm_widevine:s0
tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file
Bug: 62075360
Test: built and booted xyz_test-userdebug
Test: added account and watched video on Play movies. Listened
to songs on Play Music
Change-Id: Id219da343b1268a7492b50f870334a1e7dc151d5
ile_contexts
al_drm_widevine.te
|
| 115b724ccda9703af403bac6b0af9d620cded972 |
15-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "supress spurious firmware_file denial" into oc-dr1-dev
|
| 97f996a846ba9fa18807e50963a61abf430950ed |
15-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
supress spurious firmware_file denial
avc: denied { search } comm="cnss-daemon" scontext=u:r:wcnss_service:s0
tcontext=u:object_r:firmware_file:s0 tclass=dir
Test: build policy
Bug: 34784662
Change-Id: Ic89abbfdb2b36cb35c5a7f14abb21c9464b60561
cnss_service.te
|
| 614394c2560de6b51223a29e2c0af493aa896e85 |
15-Jun-2017 |
Max Bires <jbires@google.com> |
Merge "Fixing hal_imsrtp timestamp read issue" into oc-dr1-dev am: e6ee6b54ff
am: df875c2c50
Change-Id: Ic2467994ca6db8ae67c9b30cd2c18f27a630dc6d
|
| da1ebb7d92a0a0df586536186a772cbf3109211a |
15-Jun-2017 |
Jeff Vander Stoep <jeffv@google.com> |
Remove treble violations from sepolicy
Bug: 36570300
Bug: 36570130
Test: build and boot device
Change-Id: I248a31048a867a4e8a4a0c756936e9371d16d320
er_mgr.te
er_proxy.te
|
| e6ee6b54ff3d2f45b6b23c19aa7f05a193863c42 |
15-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Fixing hal_imsrtp timestamp read issue" into oc-dr1-dev
|
| 970e75349d3c5bee884c5f3c1e4282f0c617ff15 |
15-Jun-2017 |
Max Bires <jbires@google.com> |
Merge "Fixing a sensors issue" into oc-dr1-dev am: 2d85910d9f
am: 8ed58a21a3
Change-Id: I42449c7ef485dd27cf47d36b759beddd88116e99
|
| 2d85910d9f4cd4d051b30653fb71106e7bf58c4d |
15-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Fixing a sensors issue" into oc-dr1-dev
|
| 242b0a3be6cb0b7383cf07a801e01f9857f8c526 |
14-Jun-2017 |
Sandeep Patil <sspatil@google.com> |
rild: add radio to rild socket rule temporarily am: 9e75e0ed2c
am: 0e32d679d4
Change-Id: I03cacad9073fbce53348815520a53fd2b0e3c42a
|
| 9e75e0ed2c9f10fd2c6f03cf9b9dc431186d778d |
14-Jun-2017 |
Sandeep Patil <sspatil@google.com> |
rild: add radio to rild socket rule temporarily
The rule is added to ensure we dont break the radio to
rild communication once we remove the same rule from platform's
sepolicy for treble devices. This change MUST be reverted along with
the change to use HIDL between radio and rild domains.
Bug: 62616897
Bug: 62343727
Test: Build and boot.
Change-Id: I846389257bf9d40bac55299c24d2cf07c74e9092
Signed-off-by: Sandeep Patil <sspatil@google.com>
ild.te
|
| 187628ed876ba0d012b4d609f0cb90547d972e1e |
14-Jun-2017 |
Max Bires <jbires@google.com> |
Fixing a sensors issue
denial:
denied { write } for pid=7720 comm="sensors.qcom" name="sensors"
dev="sdd3" ino=16 scontext=u:r:sensors:s0
tcontext=u:object_r:persist_sensors_file:s0 tclass=dir
Bug: 62555317
Bug: 34784662
Test: sensors domain works properly
Change-Id: Ibb41c6c699282383e80a4cb80784ccc544787d71
ensors.te
|
| 59733a30d17e40ea03d93788f3d0c552fb7bf335 |
13-Jun-2017 |
Max Bires <jbires@google.com> |
Fixing hal_imsrtp timestamp read issue
denied { read } for pid=1148 comm="ims_rtp_daemon"
name="timestamp_switch" dev="sysfs" ino=27258 scontext=u:r:hal_imsrtp:s0
tcontext=u:object_r:sysfs_timestamp_switch:s0 tclass=file
Bug: 34784662
Test: this denial no longer appears
Change-Id: I7760173500d8b9c5abbc3eeded1ffba04c49988f
al_imsrtp.te
|
| a348c4c4d5df16b291044ccaf1ff61df8ada354a |
13-Jun-2017 |
Pankaj Kanwar <pkanwar@google.com> |
Merge "move ipacm to vendor and sepolicy definitions" into oc-dr1-dev am: b9bf282710
am: 5a03e1aa77
Change-Id: I9b0050215487920fe0d6b12fefc9e98a034c8e7d
|
| b9bf282710b0b8302c620d226f555308ca307084 |
13-Jun-2017 |
Pankaj Kanwar <pkanwar@google.com> |
Merge "move ipacm to vendor and sepolicy definitions" into oc-dr1-dev
|
| b95e3ee58a3bd44f4df53abe522b02170fc473df |
13-Jun-2017 |
Steve Pfetsch <spfetsch@google.com> |
Merge "wahoo: Fix display calibration data denial" into oc-dr1-dev am: 9e70df5937
am: 3ea314d610
Change-Id: I7cbf7b81c5947f83f21475c314d8afd75c435ba1
|
| 9e70df59378c5c728e1a073c86693f9342723574 |
13-Jun-2017 |
Steve Pfetsch <spfetsch@google.com> |
Merge "wahoo: Fix display calibration data denial" into oc-dr1-dev
|
| 9f91e3f6b85c51a0b543c0e2a40f29e294d3a4cc |
13-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Move netmgr logging path to /data/vendor as per treble rules am: 7723ec091e
am: efb0711844
Change-Id: Ifefd4b984d2d082781710d419bef068300872955
|
| 253cdd58b59aedaed665289cb4f6f844badb3243 |
10-Jun-2017 |
Niranjan Pendharkar <npendhar@codeaurora.org> |
move ipacm to vendor and sepolicy definitions
add ipacm/offload related definitions to init and sepolicies
CP from Partner.
Bug: 34361337
Test: manual
Change-Id: I7264a500b4c0db82dad4d8b6c3768787693106f9
ile.te
ile_contexts
wservice.te
wservice_contexts
pacm.te
|
| 7723ec091e03e53c36abdbd2f6bc58e50116d41a |
11-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Move netmgr logging path to /data/vendor as per treble rules
Netmgr logging path changed from /data/misc to /data/vendor
Test: Verified bugreport collecting netmgr logs
Bug: 62504502
Change-Id: Iba7f585597e30d8dfedae5bb2a73a759aeb0c737
ile_contexts
|
| 01e9ca7837ae1d84743467bd1c192044655f3535 |
13-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "system_app: Allow setting camera property"
|
| f0512363b2f0d06ac905c7089ce63c70dda6c572 |
13-Jun-2017 |
Stuart Scott <stuartscott@google.com> |
Merge "Add Wahoo SELinux Policy" into oc-dr1-dev am: e138c4bd57
am: 33d65e915c
Change-Id: Id1bdaa4abfdc282e45a2bd2ee14ac4c9e4596b55
|
| e138c4bd5770b40cb144fee3270516d582e0ff8c |
13-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Add Wahoo SELinux Policy" into oc-dr1-dev
|
| 3cae7d39daaa4bfd2827b9acae725c104366dc6e |
08-Jun-2017 |
Naseer Ahmed <naseer@codeaurora.org> |
wahoo: Fix display calibration data denial
Bug: 62434319
Change-Id: Iefbeb15e42490234ae8c0d4c0eb5f7d59fa2b9d6
al_graphics_composer_default.te
|
| 59425a13e653a2250c1fbc4aca494e56ddc69f6b |
24-May-2017 |
Max Bires <jbires@google.com> |
Adding contexts and allows for time_daemon
denied { write } for pid=741 comm="time_daemon" name="time" dev="sda10"
ino=335873 scontext=u:r:time_daemon:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir
denied { search } for pid=825 comm="time_daemon" name="time" dev="sda10"
ino=335873 scontext=u:r:time_daemon:s0
tcontext=u:object_r:time_data_file:s0 tclass=dir
denied { create } for pid=894 comm="time_daemon" name="ats_13"
scontext=u:r:time_daemon:s0 tcontext=u:object_r:time_data_file:s0
tclass=file
denied { create } for pid=820 comm="time_daemon" name="ats_13"
scontext=u:r:time_daemon:s0 tcontext=u:object_r:persist_file:s0
tclass=file
denied { search } for pid=834 comm="time_daemon" name="time" dev="sda4"
ino=23 scontext=u:r:time_daemon:s0
tcontext=u:object_r:persist_time_file:s0 tclass=dir
denied { write } for pid=865 comm="time_daemon" name="time" dev="sda4"
ino=23 scontext=u:r:time_daemon:s0
tcontext=u:object_r:persist_time_file:s0 tclass=dir
Bug: 34784662
Bug: 38415848
Test: time works
Change-Id: I4e859761f32bb0e203e1047f5c491602efcc43b0
ile.te
ile_contexts
ime_daemon.te
|
| ba5920aee298ecfa06a0c39b35f7926c75411e0f |
10-Jun-2017 |
Amit Mahajan <amitmahajan@google.com> |
Merge "Adjust TODO bug numbers." into oc-dr1-dev am: 797f28481a
am: 547b522c81
Change-Id: I8107524a1b44974f13572929ec722b536479242b
|
| 5c8829c92a95ad18500f2bc53f8df7344e90fe80 |
26-May-2017 |
Stuart Scott <stuartscott@google.com> |
Add Wahoo SELinux Policy
Bug: 35668291
Test: pts-tradefed run singleCommand pts -m PtsHardwareInfoDeviceTestCases
Change-Id: Idfe0b0f68d4d2fa3c496bc66a4310182dcbc4f95
ardware_info_app.te
eapp_contexts
|
| b2a8e34a847be942fa574c8b6fe7b06e1978e726 |
09-Jun-2017 |
Amit Mahajan <amitmahajan@google.com> |
Adjust TODO bug numbers.
Test: none
Bug: 36613472
Bug: 36443535
Change-Id: I05fcab8784b30862b07eab304da63925000de719
ild.te
|
| 352d54af8856588799772488c3c9ee8fe4d37cf0 |
09-Jun-2017 |
Joel Galenson <jgalenson@google.com> |
Merge "Move file labeling to genfs_contexts."
|
| cdd9829be89802fee63d9d5d1d381f1d84847d47 |
08-Jun-2017 |
Joel Galenson <jgalenson@google.com> |
Move file labeling to genfs_contexts.
This should improve performance, as file_contexts is slower than
genfs_contexts.
Bug: 62413700
Test: Built, flashed, and booted Muskie. Verified that some of the
files have the correct context.
Change-Id: I40035d396fe344ade6b665ef0c314e36ef9c8bf8
ile_contexts
enfs_contexts
|
| 30faf26836c237ea95d63d7b76415b0c6019ac9e |
08-Jun-2017 |
Nick Desaulniers <ndesaulniers@google.com> |
Merge "wahoo: sepolicy: remove libbinder rules for fingerprint" into oc-dr1-dev
|
| 5363d06f07a7ae4370bd2f9787d0b07d42c924ed |
08-Jun-2017 |
Nick Desaulniers <ndesaulniers@google.com> |
wahoo: sepolicy: remove libbinder rules for fingerprint
Libbinder is just needed for dev/debug tools. SELinux can be disabled
for those.
Test: enroll fingerprints, apply patch, can still authenticate/navigate
Change-Id: Ifa29bdb5cc393ed0c8e894ef76c0d4b5c58847e2
Fixes: 36686751
Bug: 37755263
al_fingerprint.te
al_fingerprint_default.te
|
| 1b59b229c59b8d5f83538b0867f6fc38ede850ac |
30-May-2017 |
Naseer Ahmed <naseer@codeaurora.org> |
wahoo: Add support for display debug data
* Saves display debugfs data in /data/vendor/display
* Update the dumpstate xlog to print the saved data
Bug: 38496103
Change-Id: Ibc3bd97657b9faa74894ad50b01f373403871c94
Author: Naseer Ahmed <naseer@codeaurora.org>
Date: Tue May 30 17:51:24 2017 -0400
ile.te
ile_contexts
al_dumpstate_impl.te
al_graphics_composer_default.te
|
| e59d10875c320eee0c325ae4503bee1b81639e7c |
07-Jun-2017 |
Jayachandran Chinnakkannu <jayachandranc@google.com> |
Merge "Allow radio to find uce service"
|
| df94ed10145925c4c69423938bad7e7ac02812c5 |
07-Jun-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Add soc serial number to bugreport"
|
| e5332594abf6952da2061f25dfed2b54bf36f8fb |
31-May-2017 |
Chien-Yu Chen <cychen@google.com> |
system_app: Allow setting camera property
Allow system app to set camera property on userdebug and
eng devices, which is needed by CameraHalHdrplusPreferenceController.
Test: System app
Bug: 62108454
Change-Id: Id21973f7ade737917f567d47953075fc9e500617
ystem_app.te
|
| bc0c83e66e1dd9417f8ca459c80e3a12fa451628 |
07-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Allow radio to find uce service
This fixes the following denials
avc: denied { find } for service=uce pid=2729 uid=1001
scontext=u:r:radio:s0 tcontext=u:object_r:uce_service:s0
tclass=service_manager permissive=1
Bug: 37434935
Change-Id: I0bc3f74fdfbdc25759c38edbe1289fdfd68443f2
adio.te
|
| 4179f3921c209178e75378c4268cb7b5ef77cfe1 |
22-May-2017 |
Dante Russo <drusso@codeaurora.org> |
Move location files from /data/ to /data/vendor/
Runtime files and sockets used by location modules
are moved to vendor partiion from /data/misc/location
to /data/vendor/location
And additional SE policy
CRs-fixed: 2046657
Bug: 38137902
Test: Build, boot, GPS works, XTRA works, no new avc denials
Change-Id: If56a053ff3c478473c08aeef079d119b5b8847d7
ile_contexts
al_gnss_qti.te
ocation.te
|
| e758626c5de1dcffe06b99f4eae2608e9bcecc03 |
06-Jun-2017 |
Ahmed ElArabawy <arabawy@google.com> |
Merge "Re-introduce of POWER HAL API 1.1 impl for Wahoo"
|
| e2ac78d27f9e66b44b2c22d7c18b581e3a2ab025 |
01-Jun-2017 |
David Lin <dtwlin@google.com> |
haptics: implements vibrator 1.1 HAL
Obtain tick/click effect duration from system property and implement the
new perform 1.1 function for supporting tick effect.
Bug: 62176703
Test: VtsHalVibratorV1_1TargetTest
Change-Id: Icbd50c2e7d05fd520aeda4511ba95151dde2a5ed
Signed-off-by: David Lin <dtwlin@google.com>
ile_contexts
|
| f3e845ce21adf40b4caa8982447b0bf99eeeee81 |
24-May-2017 |
Ahmed ElArabawy <arabawy@google.com> |
Re-introduce of POWER HAL API 1.1 impl for Wahoo
Power HAL 1.1 support for wahoo based devices was initially introduced in CL
ag/2098359
However, this caused a regression in application startup times due
to a bug in passing parameters for power hints on application launch
Hence, that CL was reverted in CL ag/2270791
This commit brings back the support of the Power Hal 1.1
to wahoo based devices. This includes the changes of the original CL
as will as a fix for the app startup time regression
The fix is similar to that in ag/1767023 (done for power HAL 1.0 default
implementation)
where a NULL is passed to the powerHint function when the passed data is
Zero
(instead of passing a pointer to the data). This enable the App Launch
power hints to work properly
The commit has been tested not to cause that regression
Bug: 62040325
Test: Performance Tests along with other tests
Change-Id: I29ce38b2de92c2b9ad878b0076288b689695b8a0
Signed-off-by: Ahmed ElArabawy <arabawy@google.com>
ile_contexts
enfs_contexts
al_power_default.te
al_wifi_default.te
ernel.te
|
| d6864b43a3c68d62dfe87d5635dec690843ac208 |
03-Jun-2017 |
Jayachandran Chinnakkannu <jayachandranc@google.com> |
Merge "Remove net_raw capability from ims"
|
| 6030720f1e805749a377382726d859728bdb972e |
02-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Fix radio logs not included in bugreport
Made hal_dumpstate_impl to use vendor executables as per treble guidelines
Test: Bugreport and verified radio logs included and no new denials
Bug: 62291820
Change-Id: I4f9f46cd76600e4b083ee6de5c52d495cc17729b
al_dumpstate_impl.te
|
| 132939e57986a946fa230c3c3ae71b2d3f4795fd |
03-Jun-2017 |
Ajay Dudani <adudani@google.com> |
Add soc serial number to bugreport
Test: Verified serial number is present in bugreport
Bug: 62305405
Change-Id: Ie06f1a93af1fd3006d57a46c9e6e5fad85433fe1
al_dumpstate_impl.te
|
| b726f55f53c011a6195d6d9f230d873e3fbe92db |
02-Jun-2017 |
Jayachandran C <jayachandranc@google.com> |
Remove net_raw capability from ims
net_raw was added to make IMS registration work in enforced mode
Currently ims is in permissive mode so any denials will not block
the functionality or lab testing
This change will enable QC to catch denials and fix in their prebuilts
Test: Basic telephony sanity
Bug: 37652052
Change-Id: I942a267464b83f60ef6274e47f1ae6a493230c1f
ms.te
|
| 051bcb37133dba600512654a87dc1371f40191b2 |
02-Jun-2017 |
Dan Cashman <dcashman@google.com> |
Add BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIR
Move vendor policy to vendor and add a place for system extensions.
Also add such an extension: a labeling of the qti.ims.ext service.
Bug: 38151691
Bug: 62041272
Test: Policy binary identical before and after, except plat_service_contexts
has new service added.
Change-Id: Ie4e8527649787dcf2391b326daa80cf1c9bd9d2f
dsprpcd.te
udioserver.te
luetooth.te
ootanim.te
ameraserver.te
erts/tango.x509.pem
erts/tango_dummy.x509.pem
erts/tango_release.x509.pem
hre.te
nd.te
ataservice_app.te
evice.te
omain.te
umpstate.te
sed.te
ile.te
ile_contexts
olio_daemon.te
atekeeperd.te
enfs_contexts
al_audio_default.te
al_bluetooth_default.te
al_bootctl.te
al_camera.te
al_camera_default.te
al_contexthub.te
al_drm_default.te
al_dumpstate_impl.te
al_fingerprint.te
al_fingerprint_default.te
al_gatekeeper.te
al_gatekeeper_qti.te
al_gnss_qti.te
al_graphics_composer_default.te
al_imsrtp.te
al_keymaster_qti.te
al_light.te
al_light_default.te
al_memtrack_default.te
al_nfc_default.te
al_oemlock_default.te
al_power_default.te
al_rcsservice.te
al_sensors_default.te
al_thermal_default.te
al_usb_default.te
al_vibrator_default.te
al_vr.te
al_wifi_default.te
al_wifi_offload_default.te
wservice.te
wservice_contexts
ms.te
nit-devstart-sh.te
nit-insmod-sh.te
nit-ipastart-sh.te
nit.te
nit_ese.te
nit_power.te
nit_radio.te
octl_defines
octl_macros
rsc_util.te
ernel.te
eys.conf
eystore.te
ocation.te
ogger_app.te
ac_permissions.xml
ediacodec.te
ediaextractor.te
etd.te
etmgrd.te
d_services.te
er_mgr.te
er_proxy.te
erfd.te
latform_app.te
ort-bridge.te
roperty.te
roperty_contexts
logd.te
muxd.te
ti.te
adio.te
amdump.te
amdump_app.te
fs_access.te
ild.te
mt_storage.te
eapp_contexts
ensors.te
ervice.te
ervice_contexts
hell.te
mlog_dump.te
sr_detector.te
sr_diag.te
sr_setup.te
ubsystem_ramdump.te
urfaceflinger.te
ystem_app.te
ystem_server.te
ango_core.te
ee.te
hermal-engine.te
ime_daemon.te
eventd.te
ntrusted_app.te
pdate_engine_common.te
pdate_verifier.te
ndservice.te
ndservice_contexts
old.te
cnss_filter.te
cnss_service.te
|