Jeff Vander Stoep
508cfa70b8
Merge "This change is primarily a revert of 611c3d70a"
...
am: 3bd6a7ab6f
Change-Id: Iedfc834e35dac481cdf49df8917256164f740b1a
2017-11-22 21:26:35 +00:00
Treehugger Robot
3bd6a7ab6f
Merge "This change is primarily a revert of 611c3d70a"
2017-11-22 21:21:13 +00:00
Tom Cherry
99955d9cdf
Merge "Move mkdir /data/nfc/... to rootdir init.rc"
...
am: e3ffe7bffd
Change-Id: I7c32865226dad0393aea804533e8edf1b0fa8d94
2017-11-22 20:03:56 +00:00
Tom Cherry
e3ffe7bffd
Merge "Move mkdir /data/nfc/... to rootdir init.rc"
2017-11-22 19:56:10 +00:00
Jeff Vander Stoep
8d21715fc2
This change is primarily a revert of 611c3d70a
...
Commit 611c3d70a "Move hal_bootctl rules to hal_bootctl_default"
breaks sideloading OTAs. It was introduced to fix a CTS regression
due to overly broad access to the vendor-owned misc_block partition.
The change also did a refactor of permissions for the bootctl HAL.
The fix leaves the one-line CTS fix in place and reverts the rest of
the refactor. This results in no change in permissions for the recovery
process which is already granted access to the misc_block partition in
core policy. "allow recovery dev_type:blk_file rw_file_perms;"
Bug: 69566734
Test: adb sideload ota
Change-Id: I67504482b166e1cf278be213e42bfde2ddfa6e67
2017-11-22 19:18:52 +00:00
Jeffrey Vander Stoep
5dc4c280f7
Merge "Move hal_bootctl rules to hal_bootctl_default"
...
am: cee6d6db58
Change-Id: I608d31eae81625a48e75dd143c13156b4ab5acc9
2017-11-22 04:58:37 +00:00
Jeffrey Vander Stoep
cee6d6db58
Merge "Move hal_bootctl rules to hal_bootctl_default"
2017-11-22 04:55:18 +00:00
Jeff Vander Stoep
611c2d70a0
Move hal_bootctl rules to hal_bootctl_default
...
This more clearly attributes the permissions to the actual domain and
prevents a build breakage when building recovery due to a
userdebug-only neverallow exemption for hal_bootctl.
Bug: 69566734
Test: build user build
Change-Id: I5ed3c04b3709ac7b00234402788f5f1ae88e6f61
2017-11-21 13:34:45 -08:00
Tom Cherry
707978a594
Move mkdir /data/nfc/... to rootdir init.rc
...
These are directories used by the system so they should be created by
the system.
Test: treehugger
Change-Id: Ie0473d53a3ffd476faeb2dcb08497c0554b3b172
2017-11-21 10:29:50 -08:00
Max Bires
b1c7925f39
Adding intermittent taimen denials to bug_map and adding dontaudit
...
am: 8760ea13c8
Change-Id: I65596064dcea4ef10fbed479af37429df1b3d55b
2017-11-20 21:38:30 +00:00
Max Bires
a18b856873
Adding bug map entry for surfaceflinger denial
...
am: 79c6875ae1
Change-Id: I62af409b7d870f2562f8a585468f0c5ce76f6934
2017-11-20 20:18:02 +00:00
Max Bires
2d5b503deb
Adding bug map entries for boot denials
...
am: 6f8f263c64
Change-Id: I63f5b9a494f535b499bc7a6bbb94016e6182b414
2017-11-20 20:17:58 +00:00
Max Bires
2eb295df29
Adding allow rules and bug_map entries to clean up boot on taimen
...
am: bf29a6610c
Change-Id: Id3c3164c7fbbdda81a8a038f87181b2e535bb608
2017-11-20 19:53:53 +00:00
Max Bires
8760ea13c8
Adding intermittent taimen denials to bug_map and adding dontaudit
...
These intermittent denials are making it look like taimen boot tests are
occasionally unhealthy due to untracked denials. This will remove the
failing tests issue.
Bug: 68705274
Test: these intermittent denials are now tracked or properly
dontaudit'ed
Change-Id: I342cff19d7bde73fee93fd8461c9c0680511e23c
Merged-In: I342cff19d7bde73fee93fd8461c9c0680511e23c
(cherry picked from commit 552978d27c)
2017-11-20 19:01:58 +00:00
Max Bires
79c6875ae1
Adding bug map entry for surfaceflinger denial
...
Test: the surfaceflinger denial is properly tagged
Change-Id: I734aa3880491504c2c7e73236bda11e3cd111384
Merged-In: I734aa3880491504c2c7e73236bda11e3cd111384
(cherry picked from commit cb67b3d170)
2017-11-20 19:01:53 +00:00
Max Bires
6f8f263c64
Adding bug map entries for boot denials
...
Test: bug metadata is properly attached to relevant denials
Change-Id: I20fba3a86104f494131714056b2809ae6a62d416
Merged-In: I20fba3a86104f494131714056b2809ae6a62d416
(cherry picked from commit 6f475be419)
2017-11-20 19:01:47 +00:00
Max Bires
bf29a6610c
Adding allow rules and bug_map entries to clean up boot on taimen
...
Allow rule denials:
denied { ioctl } for pid=863 comm="rild"
path="/vendor/radio/qcril_database/qcril.db" dev="dm-1" ino=900
ioctlcmd=f50c scontext=u:r:rild:s0 tcontext=u:object_r:vendor_file:s0
tclass=file
denied { read } for pid=1609 comm="batterystats-wo" name="show_stat"
dev="sysfs" ino=37781 scontext=u:r:system_server:s0
tcontext=u:object_r:sysfs:s0 tclass=file
denied { search } for pid=1609 comm="system_server"
name="800f000.qcom,spmi" dev="sysfs" ino=19648
scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_msm_subsys:s0
tclass=dir
bug_map denial entries:
denied { create } for pid=751 comm="main" name="tasks"
scontext=u:r:zygote:s0 tcontext=u:object_r:cgroup:s0 tclass=fil
denied { getattr } for pid=1609 comm="system_server"
path="/vendor/framework" dev="dm-1" ino=291
scontext=u:r:system_server:s0
tcontext=u:object_r:vendor_framework_file:s0 tclass=dir
Test: denials either don't show up or are properly tagged with a bug
number
Change-Id: Ibf841033ac5480ddb975772840680011cb331a7d
Merged-In: Ibf841033ac5480ddb975772840680011cb331a7d
(cherry picked from commit 53146f8cc0)
2017-11-20 18:46:26 +00:00
Ruchi Kandoi
4886cb6b08
Use nfc_nci.msm8998 instead of nfc_nci.$(TARGET_BOARD_PLATFORM)
...
am: c2283035e2
Change-Id: If56d7587dc442ba66f288b544e839735b84ee502
2017-11-17 00:09:14 +00:00
Ruchi Kandoi
c2283035e2
Use nfc_nci.msm8998 instead of nfc_nci.$(TARGET_BOARD_PLATFORM)
...
Fixes: 69413085
Fixes: 69414641
Test: Make clean; make and flash.
Change-Id: I0edeb196ab28ff44cade1611e181eeedd42f79c3
2017-11-16 13:08:01 -08:00
Tom Cherry
c28270b47c
Merge "Add vendor_init.te"
...
am: c0959d9ff8
Change-Id: Id7deaf4d160d31066eca8e0f77ecdfce48dab0c8
2017-11-16 17:38:16 +00:00
Tom Cherry
c0959d9ff8
Merge "Add vendor_init.te"
2017-11-16 17:34:51 +00:00
Tom Cherry
74d8c3674a
Add vendor_init.te
...
Update sepolicy for vendor_init. Relevant denials:
avc: denied { write } for pid=558 comm="init" name="debug_suspend"
dev="debugfs" ino=997 scontext=u:r:vendor_init:s0
tcontext=u:object_r:debugfs_clk:s0 tclass=file permissive=1
avc: denied { module_request } for pid=558 comm="init"
kmod="deadline-iosched" scontext=u:r:vendor_init:s0
tcontext=u:r:kernel:s0 tclass=system permissive=1
Bug: 62875318
Test: use walleye + factory reset + vendor_init
Change-Id: I2655316be5fbf18120174a11958c43d7ca70b478
2017-11-15 16:00:29 -08:00
Ruchi Kandoi
fcf8b9124b
Merge "Add the correct NFC HAL library."
...
am: 15ab496b31
Change-Id: I523745a2c1f214f193828e9d5a4a6d6c28fab348
2017-11-15 23:49:16 +00:00
Treehugger Robot
15ab496b31
Merge "Add the correct NFC HAL library."
2017-11-15 23:44:50 +00:00
Jeff Vander Stoep
864b27eda6
Merge "Remove dumpstate HAL's access to radio app data"
...
am: dc08a47024
Change-Id: I2ead3b84bf4e792a2791ba0877c338f4e07b61eb
2017-11-15 22:14:35 +00:00
Treehugger Robot
dc08a47024
Merge "Remove dumpstate HAL's access to radio app data"
2017-11-15 22:07:22 +00:00
Ruchi Kandoi
2e5f03b821
Add the correct NFC HAL library.
...
NXP HAL library has a board platform suffix instead of product target.
Test: HAL library loaded correctly on boot
Change-Id: I6d794987140e604853945c2b3d29320a2e4a23a9
2017-11-15 13:48:43 -08:00
Jeff Vander Stoep
54a4466be9
Merge changes I23f5d887,I7f65224b
...
am: a3c5fdbfc3
Change-Id: I4367232e00d50c245e6c5034da9ea6d85e28440b
2017-11-15 21:47:08 +00:00
Treehugger Robot
a3c5fdbfc3
Merge changes I23f5d887,I7f65224b
...
* changes:
Remove system_server access to location daemon's data
Remove dumpstate's access to modem dump file
2017-11-15 21:35:03 +00:00
Jeff Vander Stoep
b93164076a
Remove dumpstate HAL's access to radio app data
...
These permissions no longer appear to be needed.
Bug: 34980020
Test: adb bugreport, no denials for radio_data_file
Change-Id: Id20a3cc87d78ef547811dffe230d13772f1504b0
Merged-In: Id20a3cc87d78ef547811dffe230d13772f1504b0
(cherry picked from commit 97e8a770f6)
2017-11-15 12:55:38 -08:00
Jeff Vander Stoep
4c44680ee0
Remove system_server access to location daemon's data
...
These permissions no longer appear to be necessary, and violate
Treble separation of system/vendor data.
Bug: 34980020
Test: Launch google maps, get current location
Change-Id: I23f5d887fdcb400dd027431eabc4e744a08d4ea9
Merged-In: I23f5d887fdcb400dd027431eabc4e744a08d4ea9
(cherry picked from commit 9dccaa56ce)
2017-11-15 12:26:56 -08:00
Jie Song
d6a99d1db8
Remove dumpstate's access to modem dump file
...
Dumpstate is using the 2nd file descriptor to access dump file
Bug: 68044348
Test: Take bugreport, no denial for modem_dump_file and modem log is
valid
Change-Id: I7f65224bd3cc81258bccc3dbf419e52c1bcaeaa3
Merged-In: I7f65224bd3cc81258bccc3dbf419e52c1bcaeaa3
(cherry picked from commit b51ae72a5d)
2017-11-15 12:25:12 -08:00
Jiyong Park
1ec57889cf
DO NOT MERGE ANYWHERE Temporarily disable VNDK restriction for wahoo
...
am: 632d1b2cbf -s ours
Change-Id: I8a60633dcda83e9769281ee24cfcba578bdf2873
2017-11-15 01:27:39 +00:00
Xin Li
9ba9e412f6
Merge commit '34f7f32ea4cca137547463132f06cb93dc8d04b3' from
...
oc-mr1-dev-plus-aosp-without-vendor into stage-aosp-master
Change-Id: I1f549411c9b9219fae6e602569778ae36c511055
2017-11-14 11:49:25 -08:00
Jiyong Park
632d1b2cbf
DO NOT MERGE ANYWHERE Temporarily disable VNDK restriction for wahoo
...
Bug: 68710251
Test: aosp_walleye, aosp_taimen boots to the UI
Change-Id: I2decd5c12b45b574ec80226cde7e4b234d0d23f1
2017-11-14 17:01:10 +09:00
Lennart Wieboldt
155dbc92ae
wohoo: remove cpuset foreground boost
...
am: 150af4c811
Change-Id: I5ea9a2a329cc0ed29fe1ee36520315282ed25a19
2017-11-14 05:37:04 +00:00
Lennart Wieboldt
150af4c811
wohoo: remove cpuset foreground boost
...
Cpuset foreground boost is departed since
https://android.googlesource.com/platform/frameworks/base/+/a712d4058f6f85268838
Change-Id: Iab1834dbb8cce15480b5e11968bcfff7cc80177e
Signed-off-by: Lennart Wieboldt <lennart.1997@gmx.de>
2017-11-14 05:33:39 +00:00
Tao Bao
2959768511
Merge "sepolicy: Remove update_verifier.te."
...
am: 14716fc148
Change-Id: I20feab09fc6bd12f5632bcf6adfc280000f39542
2017-11-14 03:13:25 +00:00
Treehugger Robot
14716fc148
Merge "sepolicy: Remove update_verifier.te."
2017-11-14 03:05:16 +00:00
Tao Bao
3d4c191247
sepolicy: Remove update_verifier.te.
...
It has been added into core policy through
https://android-review.googlesource.com/c/platform/system/sepolicy/+/503421 .
Bug: 63440407
Test: update_verifier successfully triggers blocks verification and
marks a successful boot;
Test: No sysfs_dm related denials on walleye.
Change-Id: I5605af8b10d890489c25f16f82274f828e10e751
(cherry picked from commit e2c0c287fb)
2017-11-13 13:28:14 -08:00
Lennart Wieboldt
08424a84df
wahoo: remove LOCAL_CLANG := true
...
am: 8f4072e87a
Change-Id: I81725f6dcca41b4d1b316239b48d1f9f56e364a5
2017-11-13 19:54:23 +00:00
Lennart Wieboldt
6b3695f00b
wahoo: remove departed ENABLE_CPUSETS flag
...
am: eaa1a041ec
Change-Id: I6a8c9b09eb3f5b6b9b0d9cfb64f41f6546b380be
2017-11-13 19:41:27 +00:00
Lennart Wieboldt
8f4072e87a
wahoo: remove LOCAL_CLANG := true
...
Clang is the default compiler since nougat.
Change-Id: I565e25f9f688a979eac41de0eee4a88b24099098
Signed-off-by: Lennart Wieboldt <lennart.1997@gmx.de>
2017-11-13 18:00:37 +00:00
Lennart Wieboldt
eaa1a041ec
wahoo: remove departed ENABLE_CPUSETS flag
...
It's a runtime check now so we don't need the build time variable anymore.
The behaviour changed with this commit:
391ab069b1
Change-Id: I41f88455a9a303a6a07cb5bce33b43578c25a5d0
Signed-off-by: Lennart Wieboldt <lennart.1997@gmx.de>
2017-11-13 18:35:43 +01:00
Jeff Vander Stoep
0d0c712b4b
Merge "Clean up commented out permissions"
...
am: 64936a0238
Change-Id: I469eaaea6cb78a000a7450442378fca12de73fd7
2017-11-11 00:39:00 +00:00
Treehugger Robot
64936a0238
Merge "Clean up commented out permissions"
2017-11-11 00:32:22 +00:00
Jeff Vander Stoep
e74598517d
Clean up commented out permissions
...
Test: none
Change-Id: I26f4a18ad1141a5d402ddd38505a4cdaee266c4e
2017-11-10 14:54:10 -08:00
Chenjie Luo
8d06a43142
Allow easel to read sysfs_easel dir
...
am: 3b8bac308a
Change-Id: Ic5ea9299202a141d28d070f3c420387effef86c2
2017-11-10 20:03:40 +00:00
Chenjie Luo
3b8bac308a
Allow easel to read sysfs_easel dir
...
Test: easelmanagerd_client_example
Change-Id: I494e35e8127cba0bcbfcd9ed68776268dfb42131
2017-11-10 10:03:19 -08:00
Jeff Vander Stoep
cdfb42f233
Move platform/vendor data violations to device policy
...
am: 98dd9bb659
Change-Id: Ibf51767859153a0016ef74b896233835011cfcdb
2017-11-10 16:28:56 +00:00