GitLab

(cherry picked from commit c2e31a77)

Change-Id: I92218709fa8cdb71c0369aca8fdd7922df45f7d0

* commit 'bf162a2a':
  Revert "Create context for ctl.console"

* commit '1bd407a0':
  Create context for ctl.console

* commit 'eb953648':
  Revert "Create context for ctl.console"

* commit 'a331c593':
  Revert "Revert "SELinux policy changes for re-execing init.""

This reverts commit 525e3747.

Change-Id: I64f72073592f7f7553e763402a40c467c639cfce

This reverts commit bbd56b71.

Change-Id: I3e295f785aa62de3a04b2f201be97dd7ef0c207f

* commit 'bbd56b71':
  Create context for ctl.console

(cherry picked from commit bbd56b71)

Change-Id: I0db435b80678a58cd9a6fbd5d67ba08f8e8d3cd4

Change-Id: I9ba4952230ec1b811b8ec6cd19c0286ee791bf08

* commit '5aac86dc':
  Revert "Revert "SELinux policy changes for re-execing init.""

This reverts commit c450759e.

There was nothing wrong with this change originally --- the companion
change in init was broken.

Bug: http://b/19702273
Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387

* commit '6b82aaeb':
  Revert "SELinux policy changes for re-execing init."

* commit '6d97d9b8':
  Revert "SELinux policy changes for re-execing init."

shamu isn't booting.

This reverts commit 46e832f5.

Change-Id: Ib697745a9a1618061bc72f8fddd7ee88c1ac5eca

* commit 'f17bbab7':
  SELinux policy changes for re-execing init.

* commit 'b1b5e662':
  allow adbd to set sys.usb.ffs.ready

* commit 'ecd57731':
  SELinux policy changes for re-execing init.

* commit 'caefbd71':
  allow adbd to set sys.usb.ffs.ready

Needed for https://android-review.googlesource.com/147730

Change-Id: Iceb87f210e4c5d0f39426cc6c96a216a4644eaa9

Change-Id: I5eca4f1f0f691be7c25e463563e0a4d2ac737448

* commit '268425b7':
  gatekeeperd: use more specific label for /data file

* commit '934cf6ea':
  gatekeeperd: use more specific label for /data file

* commit '479a536a':
  Grant apps write access to returned vfat FDs.

* commit 'e98cda25':
  Grant apps write access to returned vfat FDs.

* commit 'bb0385e2':
  Grant platform apps access to /mnt/media_rw.

Users can pick files from vfat devices through the Storage Access
Framework, which are returned through ParcelFileDescriptors.  Grant
apps write access to those files.  (Direct access to the files on
disk is still controlled through normal filesystem permissions.)

avc: denied { write } for pid=3235 comm="Binder_1" path=2F6D6E742F6D656469615F72772F373243322D303446392F6D656F772F6D79206469722F706963322E706E67 dev="sdb1" ino=87 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:vfat:s0 tclass=file

Bug: 19993667
Change-Id: I24b4d8826f0a35825b2abc63d1cfe851e1c1bfe9

* commit 'c9036fb1':
  Grant platform apps access to /mnt/media_rw.

Raw physical storage devices are mounted by vold under /mnt/media_rw
and then wrapped in a FUSE daemon that presents them under /storage.

Normal apps only have access through /storage, but platform apps
(such as ExternalStorageProvider) often bypass the FUSE daemon for
performance reasons.

avc: denied { search } for pid=6411 comm="Binder_1" name="media_rw" dev="tmpfs" ino=6666 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { write } for pid=3701 comm="Binder_2" name="PANO_20131016_162457.jpg" dev="sda1" ino=127 scontext=u:r:platform_app:s0:c522,c768 tcontext=u:object_r:vfat:s0 tclass=file

Bug: 19993667
Change-Id: I66df236eade3ca25a10749dd43d173ff4628cfad

Use a more specific label for /data/misc/gatekeeper

Rearrange some other rules.

Change-Id: Ib634e52526cf31a8f0a0e6d12bbf0f69dff8f6b5

* commit 'ab2ff479':
  New rules for SID access

* commit '6db824a7':
  New rules for SID access

Change-Id: Ia9df151cc64ad74133db2095a935220ef9f3ea8e

* commit 'f06090af':
  neverallow shell file_type:file link

* commit 'd18f1482':
  su.te: add filesystem dontaudit rule

* commit '490a7a8a':
  neverallow shell file_type:file link