- 24 Apr, 2015 10 commits
-
-
Elliott Hughes authored
* commit '5aac86dc': Revert "Revert "SELinux policy changes for re-execing init.""
-
Elliott Hughes authored
This reverts commit c450759e. There was nothing wrong with this change originally --- the companion change in init was broken.

Bug: http://b/19702273
Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387
-
Nick Kralevich authored
* commit '6d97d9b8': Revert "SELinux policy changes for re-execing init."
-
Nick Kralevich authored
-
Nick Kralevich authored
shamu isn't booting.

This reverts commit 46e832f5.

Change-Id: Ib697745a9a1618061bc72f8fddd7ee88c1ac5eca
-
Elliott Hughes authored
* commit 'ecd57731': SELinux policy changes for re-execing init.
-
Nick Kralevich authored
* commit 'caefbd71': allow adbd to set sys.usb.ffs.ready
-
Elliott Hughes authored
-
Nick Kralevich authored
Needed for https://android-review.googlesource.com/147730

Change-Id: Iceb87f210e4c5d0f39426cc6c96a216a4644eaa9
-
Elliott Hughes authored
Change-Id: I5eca4f1f0f691be7c25e463563e0a4d2ac737448
-
- 20 Apr, 2015 2 commits
-
-
Nick Kralevich authored
* commit '934cf6ea': gatekeeperd: use more specific label for /data file
-
Nick Kralevich authored
-
- 18 Apr, 2015 5 commits
-
-
Jeff Sharkey authored
* commit 'e98cda25': Grant apps write access to returned vfat FDs.
-
Jeff Sharkey authored
Users can pick files from vfat devices through the Storage Access Framework, which are returned through ParcelFileDescriptors. Grant apps write access to those files. (Direct access to the files on disk is still controlled through normal filesystem permissions.)

avc: denied { write } for pid=3235 comm="Binder_1" path=2F6D6E742F6D656469615F72772F373243322D303446392F6D656F772F6D79206469722F706963322E706E67 dev="sdb1" ino=87 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:vfat:s0 tclass=file

Bug: 19993667
Change-Id: I24b4d8826f0a35825b2abc63d1cfe851e1c1bfe9
-
Jeff Sharkey authored
* commit 'c9036fb1': Grant platform apps access to /mnt/media_rw.
-
Jeff Sharkey authored
Raw physical storage devices are mounted by vold under /mnt/media_rw and then wrapped in a FUSE daemon that presents them under /storage. Normal apps only have access through /storage, but platform apps (such as ExternalStorageProvider) often bypass the FUSE daemon for performance reasons.

avc: denied { search } for pid=6411 comm="Binder_1" name="media_rw" dev="tmpfs" ino=6666 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { write } for pid=3701 comm="Binder_2" name="PANO_20131016_162457.jpg" dev="sda1" ino=127 scontext=u:r:platform_app:s0:c522,c768 tcontext=u:object_r:vfat:s0 tclass=file

Bug: 19993667
Change-Id: I66df236eade3ca25a10749dd43d173ff4628cfad
-
Nick Kralevich authored
Use a more specific label for /data/misc/gatekeeper

Rearrange some other rules.

Change-Id: Ib634e52526cf31a8f0a0e6d12bbf0f69dff8f6b5
-
- 17 Apr, 2015 3 commits
-
-
Andres Morales authored
* commit '6db824a7': New rules for SID access
-
Andres Morales authored
-
Andres Morales authored
Change-Id: Ia9df151cc64ad74133db2095a935220ef9f3ea8e
-
- 16 Apr, 2015 5 commits
-
-
Nick Kralevich authored
* commit '490a7a8a': neverallow shell file_type:file link
-
Nick Kralevich authored
* commit '85416e06': su.te: add filesystem dontaudit rule
-
Nick Kralevich authored
-
Nick Kralevich authored
Change-Id: I77ce4331d70edebcecc753b2e67ffab1de3ae98e
-
Nick Kralevich authored
Addresses su denials which occur when mounting filesystems not defined by policy. Addresses denials similar to:

avc: denied { mount } for pid=12361 comm="mount" name="/" dev="binfmt_misc" ino=1 scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem permissive=1

Change-Id: Ifa0d7c781152f9ebdda9534ac3a04da151f8d78e
-
- 14 Apr, 2015 2 commits
-
-
dcashman authored
Change-Id: Ie19ac00f2e96836667e8a5c18fafeaf6b6eadb25
- 13 Apr, 2015 4 commits
-
-
Andres Morales authored
* commit 'dd156fc3': Allow gatekeeperd to use keystore
-
Andres Morales authored
needs to call addAuthToken

Change-Id: If519df61448f19dfafab254668c17eea6c161ea4
-
Neil Fuller authored
* commit '4127a4c8': Add rules for /system/bin/tzdatacheck
-
Neil Fuller authored
-
- 12 Apr, 2015 3 commits
-
-
Jeff Sharkey authored
* commit '5e5b0065': Allow sdcard daemon to run above expanded storage.
-
Jeff Sharkey authored
-
Jeff Sharkey authored
We have a /media directory on expanded storage that behaves just like internal storage, and has a FUSE daemon running above it.

avc: denied { search } for name="expand" dev="tmpfs" ino=3130 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0

Bug: 19993667
Change-Id: I771ecb8f2808c48ccf4139ac9cfc2a48a2332fec
-
- 11 Apr, 2015 2 commits
-
-
Nick Kralevich authored
* commit 'fdc56c5f': genfs_contexts: provide a label for binfmt_misc
-
Nick Kralevich authored
Provide a default label for binfmt_misc. This is not used by the core policy, although it may be used in device specific policy.

Bug: 20152930
Change-Id: Id51d69333bfeda40720d0e65e1539fab0b6e1e95
-
- 10 Apr, 2015 4 commits
-
-
Jeff Sharkey authored
* commit 'e32c7b2e': Allow installd to move around private app data.
-
Jeff Sharkey authored
-
Nick Kralevich authored
* commit '50d50621': Revert "Exclude isolated_app from ptrace self."
-
Nick Kralevich authored
Google Breakpad (crash reporter for Chrome) relies on ptrace functionality. Without the ability to ptrace, the crash reporter tool is broken.

Addresses the following denial:

type=1400 audit(1428619926.939:1181): avc: denied { ptrace } for pid=10077 comm="CrRendererMain" scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:r:isolated_app:s0:c512,c768 tclass=process permissive=0

This reverts commit e9623d8f.

Bug: 20150694
Bug: https://code.google.com/p/chromium/issues/detail?id=475270
Change-Id: I1727c6a93f10ea6db877687a8f81ec789f9e501f
-