Commits · 5bb9ccdb4656a089a7a7c143242530be67935f5b · halo / external_sepolicy

24 Nov, 2014 1 commit
- merge in lmp-mr1-release history after reset to lmp-mr1-dev · 5bb9ccdb
  The Android Automerger authored 10 years ago
  
  5bb9ccdb
20 Nov, 2014 1 commit
- merge in lmp-mr1-release history after reset to lmp-mr1-dev · 4a44f974
  The Android Automerger authored 10 years ago
  
  4a44f974
19 Nov, 2014 3 commits

Accept command-line input for neverallow-check. · 3fa92bed

dcashman authored 10 years ago

Also, divide each sepolicy-analyze function into its own component for simplified
command-line parsing and potentially eventual modularization.
Bug: 18005561

Cherry-pick from: https://android-review.googlesource.com/#/c/111626/

Change-Id: I751a99feffe820308ec58514fdba4cdef184d964

3fa92bed

Merge "allow system_server to set ro.build.fingerprint" into lmp-mr1-dev · db4582a9
Nick Kralevich authored 10 years ago

db4582a9

allow system_server to set ro.build.fingerprint · aaecd1ec

Nick Kralevich authored 10 years ago

Some devices leave "ro.build.fingerprint" undefined at build time,
since they need to build it from the components at runtime.
See https://android.googlesource.com/platform/frameworks/base/+/5568772e8161205b86905d815783505fd3d461d8
for details.

Allow system_server to set ro.build.fingerprint

Addresses the following denial/error:

  avc:  denied  { set } for property=build.fingerprint scontext=u:r:system_server:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
  init: sys_prop: permission denied uid:1000  name:ro.build.fingerprint

Bug: 18188956

(cherry picked from commit c48971f6)

Change-Id: I24bc1b3405f60c9d4e16e5a995e987e54692b6aa

aaecd1ec

13 Nov, 2014 2 commits

Add neverallow checking to sepolicy-analyze. · 3a1eb33b

Stephen Smalley authored 10 years ago


See NEVERALLOW CHECKING in tools/README for documentation.

Depends on change I45b3502ff96b1d093574e1fecff93a582f8d00bd
for libsepol to support reporting all neverallow failures.

Change-Id: I47c16ccb910ac730c092cb3ab977c59cb8197ce0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

3a1eb33b

merge in lmp-mr1-release history after reset to lmp-mr1-dev · 35dcd5a9
The Android Automerger authored 10 years ago

35dcd5a9

12 Nov, 2014 2 commits
- am 6f201ddc: App: add permissions to read symlinks from dalvik cache. · afd27603
  Jeff Hao authored 10 years ago
```
* commit '6f201ddc':
  App: add permissions to read symlinks from dalvik cache.
```
  afd27603
- App: add permissions to read symlinks from dalvik cache. · 6f201ddc
  Jeff Hao authored 10 years ago
```
Bug: 18035729
Change-Id: Ib60f9cd59a7a185ae99761ad29358a735ae2ad26
```
  6f201ddc
11 Nov, 2014 2 commits
- merge in lmp-mr1-release history after reset to lmp-mr1-dev · 72748ca4
  The Android Automerger authored 10 years ago
  
  72748ca4
- am 9f0af9ec: Merge "zygote/dex2oat: Grant additional symlink permissions" into lmp-sprout-dev · 4bd6cf5f
  Jeff Hao authored 10 years ago
```
* commit '9f0af9ec':
  zygote/dex2oat: Grant additional symlink permissions
```
  4bd6cf5f
10 Nov, 2014 5 commits

Merge "zygote/dex2oat: Grant additional symlink permissions" into lmp-sprout-dev · 9f0af9ec
Jeff Hao authored 10 years ago

9f0af9ec
am b7934922: allow run-as to access /data/local/tmp · 5aaa8e86
Nick Kralevich authored 10 years ago
```
* commit 'b7934922':
  allow run-as to access /data/local/tmp
```
5aaa8e86

zygote/dex2oat: Grant additional symlink permissions · 3df12275

Igor Murashkin authored 10 years ago

* zygote needs to be able to symlink from dalvik cache to system
  to avoid having to copy boot.oat
  (when the boot.oat file was built with --compile-pic)
* dex2oat needs to be able to read the symlink in the dalvik cache
  (the one that zygote creates)

(cherry-picked from AOSP master
83c5612e)

Bug: 18035729

(cherry picked from commit f7ccfd00)

Change-Id: I5dca27241f46f481515b96e968fb2bef7866c89b

3df12275

allow run-as to access /data/local/tmp · b7934922

Nick Kralevich authored 10 years ago

Otherwise denials like the following occur:

avc: denied { write } for path="/data/local/tmp/foo" dev="dm-0" ino=325769 scontext=u:r:runas:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
avc: denied { read } for path="/data/local/tmp/foo" dev="dm-0" ino=325769 scontext=u:r:runas:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file

Steps to reproduce:

$ run-as com.google.android.talk id > /data/local/tmp/id.out
$ run-as com.google.android.talk cat < /data/local/tmp/id.out

(cherry picked from commit dd8571aa)

Change-Id: I80bb26e06d932229c286f0389f28ad6868d79100

b7934922

merge in lmp-mr1-release history after reset to lmp-mr1-dev · 5288d29c
The Android Automerger authored 10 years ago

5288d29c

09 Nov, 2014 1 commit
- merge in lmp-mr1-release history after reset to lmp-mr1-dev · 27ee0ab9
  The Android Automerger authored 10 years ago
  
  27ee0ab9
08 Nov, 2014 1 commit
- merge in lmp-mr1-release history after reset to cc132037 · 173cf816
  The Android Automerger authored 10 years ago
  
  173cf816
07 Nov, 2014 3 commits

am 7cd346a7: am 0055ea90: Allow recovery to create device nodes and modify rootfs · cc132037
Nick Kralevich authored 10 years ago
```
* commit '7cd346a7':
  Allow recovery to create device nodes and modify rootfs
```
cc132037
am 0055ea90: Allow recovery to create device nodes and modify rootfs · 7cd346a7
Nick Kralevich authored 10 years ago
```
* commit '0055ea90':
  Allow recovery to create device nodes and modify rootfs
```
7cd346a7

Allow recovery to create device nodes and modify rootfs · 0055ea90

Nick Kralevich authored 10 years ago

tilapia's OTA code for updating the radio image needs to
create files on rootfs and create a character device in /dev.
Add an exception for recovery the the various neverallow rules
blocking this behavior.

Bug: 18281224
Change-Id: I5c57afe0a10b4598fea17f9c5c833bd39551907e

0055ea90

06 Nov, 2014 1 commit
- merge in lmp-mr1-release history after reset to f457e57d · 3fc87d6a
  The Android Automerger authored 10 years ago
  
  3fc87d6a
05 Nov, 2014 3 commits

am 7adc8cfe: Allow adbd to write to /data/adb · f457e57d
Nick Kralevich authored 10 years ago
```
* commit '7adc8cfe':
  Allow adbd to write to /data/adb
```
f457e57d

Allow adbd to write to /data/adb · 7adc8cfe

Nick Kralevich authored 10 years ago

adbd writes debugging information to /data/adb
when persist.adb.trace_mask is set. Allow it.

Bug: https://code.google.com/p/android/issues/detail?id=72895

(cherry picked from commit 973877db)

Change-Id: Ida2e0257c97941ab33ccdab59eb2cde95dca344f

7adc8cfe

merge in lmp-mr1-release history after reset to 71e9a7c4 · d401fe58
The Android Automerger authored 10 years ago

d401fe58

04 Nov, 2014 1 commit
- merge in lmp-mr1-release history after reset to 71e9a7c4 · 6751974b
  The Android Automerger authored 10 years ago
  
  6751974b
03 Nov, 2014 2 commits
- Allow radio access to netd_pid file. · 71e9a7c4
  Robert Greenwalt authored 10 years ago
```
They need to see when it changes so they know when netd bounces.

bug:18069270
Change-Id: I954cf43ff02f1d352015f128ef88b659e6d0f95a
```
  71e9a7c4
- merge in lmp-mr1-release history after reset to d7e004eb · ad53b1aa
  The Android Automerger authored 10 years ago
  
  ad53b1aa
02 Nov, 2014 1 commit
- merge in lmp-mr1-release history after reset to d7e004eb · 27dd0584
  The Android Automerger authored 10 years ago
  
  27dd0584
01 Nov, 2014 1 commit
- merge in lmp-mr1-release history after reset to d7e004eb · 0333e0ac
  The Android Automerger authored 10 years ago
  
  0333e0ac
31 Oct, 2014 2 commits

allow coredump functionality · d7e004eb
Nick Kralevich authored 10 years ago
```
Change-Id: I7993698ac96f21db0039681275280dbd43ff61ba
```
d7e004eb

zygote/dex2oat: Grant additional symlink permissions · f7ccfd00

Igor Murashkin authored 10 years ago

* zygote needs to be able to symlink from dalvik cache to system
  to avoid having to copy boot.oat
  (when the boot.oat file was built with --compile-pic)
* dex2oat needs to be able to read the symlink in the dalvik cache
  (the one that zygote creates)

(cherry-picked from AOSP master
83c5612e)

Bug: 18035729
Change-Id: Ie1acad81a0fd8b2f24e1f3f07a06e6fdb548be62

f7ccfd00

30 Oct, 2014 1 commit
- merge in lmp-mr1-release history after reset to 491c5368 · 1ad53fdb
  The Android Automerger authored 10 years ago
  
  1ad53fdb
29 Oct, 2014 1 commit
- merge in lmp-mr1-release history after reset to 491c5368 · 21d5c888
  The Android Automerger authored 10 years ago
  
  21d5c888
28 Oct, 2014 1 commit
- merge in lmp-mr1-release history after reset to 491c5368 · 1a54e3ce
  The Android Automerger authored 10 years ago
  
  1a54e3ce
27 Oct, 2014 1 commit
- merge in lmp-mr1-release history after reset to 491c5368 · 6c46a984
  The Android Automerger authored 10 years ago
  
  6c46a984
26 Oct, 2014 1 commit
- merge in lmp-mr1-release history after reset to 491c5368 · bcdf5298
  The Android Automerger authored 10 years ago
  
  bcdf5298
25 Oct, 2014 1 commit
- merge in lmp-mr1-release history after reset to 491c5368 · 7bea116e
  The Android Automerger authored 10 years ago
  
  7bea116e
24 Oct, 2014 2 commits

am 2d1650f4: allow system_server to set kernel scheduling priority · 491c5368
Nick Kralevich authored 10 years ago
```
* commit '2d1650f4':
  allow system_server to set kernel scheduling priority
```
491c5368

allow system_server to set kernel scheduling priority · 2d1650f4

Nick Kralevich authored 10 years ago

Addresses the following denial:

  avc: denied { setsched } for comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:kernel:s0 tclass=process permissive=0

It's not clear why system_server is adjusting the scheduling priority
of kernel processes (ps -Z | grep kernel). For now, allow the operation,
although this is likely a kernel bug.

Maybe fix bug 18085992.

Bug: 18085992
Change-Id: Ic10a4da63a2c392d90084eb1106bc5b42f95b855

2d1650f4