Adrian Salido
fdfd0407a4
power: import and enable binderized power hal
...
Bug: 36096835
Test: boot, verify hal is loaded and taking power hints
Change-Id: I75d7ef2f378f6d71de1776f78726be4812bf196f
2017-03-29 21:04:32 -07:00
Jeff Vander Stoep
0f6882d7c2
annotate vendor components that access core data types am: b7606d8693
...
am: a5f3221410
Change-Id: I525fc904d4d1db845a7460bb83b34e4abf121314
2017-03-29 23:44:12 +00:00
Jeff Vander Stoep
a5f3221410
annotate vendor components that access core data types
...
am: b7606d8693
Change-Id: Ic2f5839eb7ae98068663a58ca6f76ec66a3f4907
2017-03-29 23:38:12 +00:00
Max Bires
3dc6317e58
Merge "Adding allows to handle boot and runtime denials" into oc-dev am: 69c0497447
...
am: c6f2f63c43 -s ours
Change-Id: I89963200a61f5c6a437e1a701a6a091c5495d898
2017-03-29 20:39:00 +00:00
Jeff Vander Stoep
b7606d8693
annotate vendor components that access core data types
...
Grant cnd a temporary exemption to a neverallow rule
asserting vendor processes may not access core data types outside
/data/vendor.
Cherry-picked from ead208b3b3
Bug: 34980020
Bug: 36712542
Test: Muskie builds
Change-Id: I68baee81282343b5627b012ff39d2f038fb99054
2017-03-29 13:13:35 -07:00
Max Bires
c6f2f63c43
Merge "Adding allows to handle boot and runtime denials" into oc-dev
...
am: 69c0497447
Change-Id: If34258c497e4ea9a27cd27bdb98f520b35d31842
2017-03-29 20:01:28 +00:00
TreeHugger Robot
69c0497447
Merge "Adding allows to handle boot and runtime denials" into oc-dev
2017-03-29 19:57:16 +00:00
Max Bires
6dd9019412
Adding allows to handle boot and runtime denials
...
Denials dealt with:
denied { search } for pid=811 comm="cnd" name="soc0" dev="sysfs"
ino=49100 scontext=u:r:cnd:s0 tcontext=u:object_r:sysfs_soc:s0
tclass=dir
denied { fsetid } for pid=811 comm="cnd" capability=4
scontext=u:r:cnd:s0 tcontext=u:r:cnd:s0 tclass=capability
denied { chown } for pid=811 comm="cnd" capability=0 scontext=u:r:cnd:s0
tcontext=u:r:cnd:s0 tclass=capability
denied { read write } for pid=794 comm="android.hardwar" name="video3"
dev="tmpfs" ino=10129 scontext=u:r:hal_graphics_composer_default:s0
tcontext=u:object_r:video_device:s0 tclass=chr_file
denied { open } for pid=794 comm="android.hardwar" path="/dev/video3"
dev="tmpfs" ino=10129 scontext=u:r:hal_graphics_composer_default:s0
tcontext=u:object_r:video_device:s0 tclass=chr_file
denied { sendto } for pid=811 comm="cnd" path="/dev/socket/wpa_wlan0"
scontext=u:r:cnd:s0 tcontext=u:r:hal_wifi_supplicant_default:s0
tclass=unix_dgram_socket
denied { sendto } for pid=6516 comm="wpa_supplicant"
path="/data/misc/wifi/sockets/wpa_ctrl_811-1"
scontext=u:r:hal_wifi_supplicant_default:s0 tcontext=u:r:cnd:s0
tclass=unix_dgram_socket
denied { ioctl } for pid=811 comm="cnd" path="socket:[108403]"
dev="sockfs" ino=108403 ioctlcmd=8921 scontext=u:r:cnd:s0
tcontext=u:r:cnd:s0 tclass=udp_socket
denied { create } for pid=811 comm="cnd" scontext=u:r:cnd:s0
tcontext=u:r:cnd:s0 tclass=udp_socket
denied { create } for pid=811 comm="cnd" name="wpa_ctrl_811-1"
scontext=u:r:cnd:s0 tcontext=u:object_r:wpa_socket:s0 tclass=sock_file
denied { add_name } for pid=811 comm="cnd" name="wpa_ctrl_811-1"
scontext=u:r:cnd:s0 tcontext=u:object_r:wpa_socket:s0 tclass=dir
denied { write } for pid=811 comm="cnd" name="sockets" dev="sda45"
ino=638992 scontext=u:r:cnd:s0 tcontext=u:object_r:wpa_socket:s0
tclass=dir
denied { search } for pid=811 comm="cnd" name="sockets" dev="sda45"
ino=638992 scontext=u:r:cnd:s0 tcontext=u:object_r:wpa_socket:s0
tclass=dir
denied { search } for pid=811 comm="cnd" name="wifi" dev="sda45"
ino=638991 scontext=u:r:cnd:s0 tcontext=u:object_r:wifi_data_file:s0
tclass=dir
denied { write } for pid=1551 comm="HwBinder:790_1" name="perfd"
dev="tmpfs" ino=23062 scontext=u:r:hal_camera_default:s0
tcontext=u:object_r:perfd_socket:s0 tclass=sock_file
denied { write } for pid=810 comm="imsqmidaemon" name="property_service"
dev="tmpfs" ino=18259 scontext=u:r:ims:s0
tcontext=u:object_r:property_socket:s0 tclass=sock_file
denied { connectto } for pid=810 comm="imsqmidaemon"
path="/dev/socket/property_service" scontext=u:r:ims:s0
tcontext=u:r:init:s0 tclass=unix_stream_socket
denied { set } for property=sys.ims.QMI_DAEMON_STATUS pid=810 uid=1000
gid=1001 scontext=u:r:ims:s0 tcontext=u:object_r:system_prop:s0
tclass=property_service
denied { ioctl } for pid=1114 comm="lowi-server" path="socket:[25101]"
dev="sockfs" ino=25101 ioctlcmd=8927 scontext=u:r:location:s0
tcontext=u:r:location:s0 tclass=udp_socket
denied { ioctl } for pid=1114 comm="lowi-server" path="socket:[25101]"
dev="sockfs" ino=25101 ioctlcmd=8be5 scontext=u:r:location:s0
tcontext=u:r:location:s0 tclass=udp_socket
denied { ioctl } for pid=6504 comm="lowi-server" path="socket:[90743]"
dev="sockfs" ino=90743 ioctlcmd=c304 scontext=u:r:location:s0
tcontext=u:r:location:s0 tclass=socket
denied { search } for pid=812 comm="netmgrd" name="soc0" dev="sysfs"
ino=49100 scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs_soc:s0
tclass=dir
denied { read } for pid=3684 comm="csbootstraputil"
name="u:object_r:ims_prop:s0" dev="tmpfs" ino=10082
scontext=u:r:radio:s0 tcontext=u:object_r:ims_prop:s0 tclass=file
denied { open } for pid=3684 comm="csbootstraputil"
path="/dev/__properties__/u:object_r:ims_prop:s0" dev="tmpfs" ino=10082
scontext=u:r:radio:s0 tcontext=u:object_r:ims_prop:s0 tclass=file
denied { getattr } for pid=3684 comm="csbootstraputil"
path="/dev/__properties__/u:object_r:ims_prop:s0" dev="tmpfs" ino=10082
scontext=u:r:radio:s0 tcontext=u:object_r:ims_prop:s0 tclass=file
denied { write } for pid=669 comm="ramdump" name="property_service"
dev="tmpfs" ino=18259 scontext=u:r:ramdump:s0
tcontext=u:object_r:property_socket:s0 tclass=sock_file
denied { connectto } for pid=669 comm="ramdump"
path="/dev/socket/property_service" scontext=u:r:ramdump:s0
tcontext=u:r:init:s0 tclass=unix_stream_socket
denied { set } for property=debug.htc.hrdump pid=669 uid=0 gid=0
scontext=u:r:ramdump:s0 tcontext=u:object_r:debug_prop:s0
tclass=property_service
denied { setattr } for pid=688 comm="tftp_server" name="rfs" dev="sdd3"
ino=17 scontext=u:r:rfs_access:s0 tcontext=u:object_r:persist_file:s0
tclass=dir
denied { search } for pid=931 comm="thermal-engine"
name="0.qcom,rmtfs_sharedmem" dev="sysfs" ino=18392
scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_rmtfs:s0
tclass=dir
Bug: 34784662
Test: The above denials are no longer present
Change-Id: I6977fc0bf94bc68cdbc081ca7771ff6c91cc9805
2017-03-29 17:47:24 +00:00
Jeff Vander Stoep
ead208b3b3
annotate vendor components that access core data types
...
Grant cnd a temporary exemption to a neverallow rule
asserting vendor processes may not access core data types outside
/data/vendor.
Bug: 34980020
Bug: 36712542
Test: Muskie builds
Change-Id: I68baee81282343b5627b012ff39d2f038fb99054
2017-03-29 08:10:29 -07:00
Jeff Vander Stoep
83256ce993
Mark vendor components that access core data types am: 5182fda3a2
...
am: 3a3c8bdf06
Change-Id: Ibce7df17a968ba488762ab35ecfc5a5e28834922
2017-03-29 14:14:10 +00:00
Jeff Vander Stoep
3a3c8bdf06
Mark vendor components that access core data types
...
am: 5182fda3a2
Change-Id: Ie31c7698cc2ec1e5b32f44691e5c1cc80c56cb0d
2017-03-29 14:12:11 +00:00
Brian Carlstrom
921b1fdad0
Set wahoo default log size to 1M on userdebug/eng builds
...
Test: m -j32
Bug: 36703476
Change-Id: Ia2a8ef5777ede9ce3dbc4c27fb095c905b69ca62
2017-03-29 05:01:46 +00:00
Ruchi Kandoi
50cc0a03c2
Merge "Remove libnfc-nxp.conf"
2017-03-29 01:21:32 +00:00
Max Bires
4e841d2abc
Merge "Removing allow rule."
2017-03-28 23:03:52 +00:00
Max Bires
6a6d8a7e80
Removing allow rule.
...
Allow rule was triggering a neverallow, missed due to a bug.
Test: The device builds
Change-Id: Ie79d15c294d798a0ed65ef4705636dc63576a76d
2017-03-28 16:00:38 -07:00
TreeHugger Robot
6b44fe98ee
Merge "The IUsb interface uses "default" service name"
2017-03-28 22:50:05 +00:00
Ruchi Kandoi
4fd68ab1ff
Remove libnfc-nxp.conf
...
The config files are device specific in terms of the
clock the NFC controller uses.
Test: NFC is enabled on both the devices
Bug: 36163226
Change-Id: I805e4581216d673741777a1aea5baa16d5c96f99
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
2017-03-28 22:43:32 +00:00
Connor O'Brien
314713bf96
Merge "Add binderized memtrack HAL service"
2017-03-28 22:24:27 +00:00
Badhri Jagan Sridharan
dfc1cbd1d9
The IUsb interface uses "default" service name
...
By default, it is expected that the service does not rename itself
unless there is more than one service exposed by the interface. This
CL changes the usb hal service name back to "default" instead of
"usb_hal".
Bug: 36097487
Test: Manually tested role swap and UI behavior
Change-Id: I4a0aa4423c80cd893c578bc58b9276956daba732
2017-03-28 14:28:16 -07:00
Jeff Vander Stoep
5182fda3a2
Mark vendor components that access core data types
...
Grant these components a temporary exemption to a neverallow rule
asserting vendor processes may not access core data types outside
/data/vendor.
Bug: 34980020
Test: Build and boot Muskie.
Change-Id: I1e536fb7c09a3a2907d06db8304279551a6de81e
2017-03-28 14:17:44 -07:00
TreeHugger Robot
7a95e0d0d1
Merge "Adding allows to handle boot and runtime denials"
2017-03-28 21:13:23 +00:00
TreeHugger Robot
ab1e608280
Merge "time_daemon: No longer on device so remove sepolicy"
2017-03-28 17:26:35 +00:00
TreeHugger Robot
626d542203
Merge "Annotate violators of "no sockets between core and vendor" rule"
2017-03-28 00:04:55 +00:00
TreeHugger Robot
23a96c7cb2
Merge "USB HAL: type-c hal for muskie/walleye"
2017-03-27 23:51:16 +00:00
Steven Moreland
d556b43cd0
Merge "liblight: remove button light."
2017-03-27 23:25:30 +00:00
Thierry Strudel
d5dfd2260c
init.hardware.rc: move out non common part
...
Change-Id: If2a580c53da0554748c22afded341c3ea98c6288
Signed-off-by: Thierry Strudel <tstrudel@google.com>
2017-03-27 23:07:24 +00:00
Max Bires
10bb91bd69
Adding allows to handle boot and runtime denials
...
Denials dealt with:
denied { read } for pid=1174 comm="BootAnimation::" name="system"
dev="sda45" ino=3407873 scontext=u:r:bootanim:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir
denied { search } for pid=811 comm="cnd" name="soc0" dev="sysfs"
ino=49100 scontext=u:r:cnd:s0 tcontext=u:object_r:sysfs_soc:s0
tclass=dir
denied { fsetid } for pid=811 comm="cnd" capability=4
scontext=u:r:cnd:s0 tcontext=u:r:cnd:s0 tclass=capability
denied { chown } for pid=811 comm="cnd" capability=0 scontext=u:r:cnd:s0
tcontext=u:r:cnd:s0 tclass=capability
denied { read write } for pid=794 comm="android.hardwar" name="video3"
dev="tmpfs" ino=10129 scontext=u:r:hal_graphics_composer_default:s0
tcontext=u:object_r:video_device:s0 tclass=chr_file
denied { open } for pid=794 comm="android.hardwar" path="/dev/video3"
dev="tmpfs" ino=10129 scontext=u:r:hal_graphics_composer_default:s0
tcontext=u:object_r:video_device:s0 tclass=chr_file
denied { sendto } for pid=811 comm="cnd" path="/dev/socket/wpa_wlan0"
scontext=u:r:cnd:s0 tcontext=u:r:hal_wifi_supplicant_default:s0
tclass=unix_dgram_socket
denied { sendto } for pid=6516 comm="wpa_supplicant"
path="/data/misc/wifi/sockets/wpa_ctrl_811-1"
scontext=u:r:hal_wifi_supplicant_default:s0 tcontext=u:r:cnd:s0
tclass=unix_dgram_socket
denied { ioctl } for pid=811 comm="cnd" path="socket:[108403]"
dev="sockfs" ino=108403 ioctlcmd=8921 scontext=u:r:cnd:s0
tcontext=u:r:cnd:s0 tclass=udp_socket
denied { create } for pid=811 comm="cnd" scontext=u:r:cnd:s0
tcontext=u:r:cnd:s0 tclass=udp_socket
denied { create } for pid=811 comm="cnd" name="wpa_ctrl_811-1"
scontext=u:r:cnd:s0 tcontext=u:object_r:wpa_socket:s0 tclass=sock_file
denied { add_name } for pid=811 comm="cnd" name="wpa_ctrl_811-1"
scontext=u:r:cnd:s0 tcontext=u:object_r:wpa_socket:s0 tclass=dir
denied { write } for pid=811 comm="cnd" name="sockets" dev="sda45"
ino=638992 scontext=u:r:cnd:s0 tcontext=u:object_r:wpa_socket:s0
tclass=dir
denied { search } for pid=811 comm="cnd" name="sockets" dev="sda45"
ino=638992 scontext=u:r:cnd:s0 tcontext=u:object_r:wpa_socket:s0
tclass=dir
denied { search } for pid=811 comm="cnd" name="wifi" dev="sda45"
ino=638991 scontext=u:r:cnd:s0 tcontext=u:object_r:wifi_data_file:s0
tclass=dir
denied { write } for pid=1551 comm="HwBinder:790_1" name="perfd"
dev="tmpfs" ino=23062 scontext=u:r:hal_camera_default:s0
tcontext=u:object_r:perfd_socket:s0 tclass=sock_file
denied { write } for pid=810 comm="imsqmidaemon" name="property_service"
dev="tmpfs" ino=18259 scontext=u:r:ims:s0
tcontext=u:object_r:property_socket:s0 tclass=sock_file
denied { connectto } for pid=810 comm="imsqmidaemon"
path="/dev/socket/property_service" scontext=u:r:ims:s0
tcontext=u:r:init:s0 tclass=unix_stream_socket
denied { set } for property=sys.ims.QMI_DAEMON_STATUS pid=810 uid=1000
gid=1001 scontext=u:r:ims:s0 tcontext=u:object_r:system_prop:s0
tclass=property_service
denied { ioctl } for pid=1114 comm="lowi-server" path="socket:[25101]"
dev="sockfs" ino=25101 ioctlcmd=8927 scontext=u:r:location:s0
tcontext=u:r:location:s0 tclass=udp_socket
denied { ioctl } for pid=1114 comm="lowi-server" path="socket:[25101]"
dev="sockfs" ino=25101 ioctlcmd=8be5 scontext=u:r:location:s0
tcontext=u:r:location:s0 tclass=udp_socket
denied { ioctl } for pid=6504 comm="lowi-server" path="socket:[90743]"
dev="sockfs" ino=90743 ioctlcmd=c304 scontext=u:r:location:s0
tcontext=u:r:location:s0 tclass=socket
denied { search } for pid=812 comm="netmgrd" name="soc0" dev="sysfs"
ino=49100 scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs_soc:s0
tclass=dir
denied { read } for pid=3684 comm="csbootstraputil"
name="u:object_r:ims_prop:s0" dev="tmpfs" ino=10082
scontext=u:r:radio:s0 tcontext=u:object_r:ims_prop:s0 tclass=file
denied { open } for pid=3684 comm="csbootstraputil"
path="/dev/__properties__/u:object_r:ims_prop:s0" dev="tmpfs" ino=10082
scontext=u:r:radio:s0 tcontext=u:object_r:ims_prop:s0 tclass=file
denied { getattr } for pid=3684 comm="csbootstraputil"
path="/dev/__properties__/u:object_r:ims_prop:s0" dev="tmpfs" ino=10082
scontext=u:r:radio:s0 tcontext=u:object_r:ims_prop:s0 tclass=file
denied { write } for pid=669 comm="ramdump" name="property_service"
dev="tmpfs" ino=18259 scontext=u:r:ramdump:s0
tcontext=u:object_r:property_socket:s0 tclass=sock_file
denied { connectto } for pid=669 comm="ramdump"
path="/dev/socket/property_service" scontext=u:r:ramdump:s0
tcontext=u:r:init:s0 tclass=unix_stream_socket
denied { set } for property=debug.htc.hrdump pid=669 uid=0 gid=0
scontext=u:r:ramdump:s0 tcontext=u:object_r:debug_prop:s0
tclass=property_service
denied { setattr } for pid=688 comm="tftp_server" name="rfs" dev="sdd3"
ino=17 scontext=u:r:rfs_access:s0 tcontext=u:object_r:persist_file:s0
tclass=dir
denied { search } for pid=931 comm="thermal-engine"
name="0.qcom,rmtfs_sharedmem" dev="sysfs" ino=18392
scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_rmtfs:s0
tclass=dir
Bug: 34784662
Test: The above denials are no longer present
Change-Id: I6977fc0bf94bc68cdbc081ca7771ff6c91cc9805
2017-03-27 20:48:52 +00:00
TreeHugger Robot
5287e34b38
Merge "Add SchedTune configuration"
2017-03-27 20:40:49 +00:00
Badhri Jagan Sridharan
1cf5094895
USB HAL: type-c hal for muskie/walleye
...
Bug: 36097487
Test: Manually tested role swap and UI behavior
Change-Id: I5ce520da521e0714001b60164ac850dddbd644c3
2017-03-27 20:18:35 +00:00
TreeHugger Robot
abd026d8e5
Merge "Enable partitions on loop devices."
2017-03-27 19:50:34 +00:00
TreeHugger Robot
ccfe224b18
Merge "Add SIP feature to makefile"
2017-03-27 19:33:48 +00:00
Connor O'Brien
a202169318
Add binderized memtrack HAL service
...
Test: Boots and passes memtrack VTS with no memtrack-related SELinux
denials; dumpsys meminfo reports reasonable values for graphics memory
usage.
Bug: 36097468
Change-Id: I878bf682a74d479011e0435a427551ec606d032f
Signed-off-by: Connor O'Brien <connoro@google.com>
2017-03-27 11:53:48 -07:00
Jeff Sharkey
485715094f
Enable partitions on loop devices.
...
This is used by the new "virtual disk" feature used by vold to help
debug and test storage code on devices without physical media.
Bug: 34903607
Test: builds, boots
Change-Id: Ifb7653a2100ef40a83b2c663c5dd3114d4b05ab6
2017-03-27 12:05:44 -06:00
TreeHugger Robot
67db39201a
Merge "Set up adb in recovery mode"
2017-03-27 16:50:37 +00:00
Alex Klyubin
6b6e6bc3f4
Annotate violators of "no sockets between core and vendor" rule
...
These vendor domains communicate with core domains over sockets,
which is not permitted. This commit thus temporarily associates these
domains with the socket_between_core_and_vendor_violators attribute, which
permits this banned behavior to continue for now. This is a temporary
workaround. The fix is to fix these domains to not communicate with
core domains over sockets.
NOTE: Some of the domains on the list are there for a benign reason:
passthrough HALs. Core domains which host passthrough HAL
implementations may initiate socket connections to vendor domains and
this is completely permitted. I could've whitelisted all HAL client
domains in the neverallow rules (using halclientdomain attribute) but
this increases the risk of not noticing banned communications from
these domains. Thus, as a workaround until we stop using passthrough
HALs (b/34274385), I added the affected vendor domains to the list of
exemptions.
Test: mmm system/sepolicy
Bug: 36577153
Change-Id: I4b1c0dd92b000cd802dfc2eed003ac8e4d7c6000
2017-03-25 15:56:26 -07:00
TreeHugger Robot
e80b60c317
Merge "set_os_desc use to 1 for functions where diag is enabled"
2017-03-25 01:25:12 +00:00
Andres Oportus
cb3ed63677
Add SchedTune configuration
...
Bug: 36367381
Test: Boot and check stune configuration effect on sysfs
Change-Id: I838c31d164684a5d88550c92284b65bb50f2ed56
Signed-off-by: Andres Oportus <andresoportus@google.com>
2017-03-24 17:46:33 -07:00
John Dias
cc89b85d81
Merge "Change the firmware image search path to /vendor/firmware"
2017-03-24 23:15:29 +00:00
Badhri Jagan Sridharan
b23fe6bedc
Merge "usb.rc: separate out common usb scripts"
2017-03-24 23:03:59 +00:00
Badhri Jagan Sridharan
f5d7ba5d43
set_os_desc use to 1 for functions where diag is enabled
...
Test: Manually verify modem overlay functions for usbradio bootmode
Bug: 31947358
Change-Id: I433ca7a574b9535fc0fe470f7d4a5dec169ba683
2017-03-24 15:45:14 -07:00
Hall Liu
e696ee5edf
Add SIP feature to makefile
...
Change-Id: I9feee40d1defce93e4fc7bec997f8fe8af745424
Test: manual
Fixes: 36454749
2017-03-24 15:05:34 -07:00
Alex Klyubin
c0d916e7c5
wcnss_service is using Binder services. sad
...
Test: mmm system/sepolicy
Bug: 36599434
Change-Id: I6d49f5eac823f5ba0a45ab6e548e76e7fc9d2b66
2017-03-24 14:51:42 -07:00
TreeHugger Robot
dec94fbf9b
Merge "Adding rules and contexts for following denials"
2017-03-24 21:25:50 +00:00
Alex Klyubin
feaee1da05
Merge "Annotate violators of "no Binder in vendor" rule"
2017-03-24 21:13:20 +00:00
Badhri Jagan Sridharan
ba9132eaf9
Set up adb in recovery mode
...
The default commands in the init script for recovery mode do not
cover configfs. This CL adds support for them.
Test: tested adb devices on recovery
Bug: 36516174
Change-Id: I5e9a82bd6d5514a842410d57b6e896302339ea09
2017-03-24 11:44:43 -07:00
Badhri Jagan Sridharan
7a7be27f91
usb.rc: separate out common usb scripts
...
The root directory will now contain init.muskie.usb.rc, which would
be included into target specific files.
Change-Id: I9334ae4c1a7b48ac08faca4d8a267fa68e512141
2017-03-24 11:44:19 -07:00
Max Bires
3608be21ba
Merge "Adding context and allows to handle boot denials"
2017-03-24 16:12:17 +00:00
Alex Klyubin
ba3d873cf8
Annotate violators of "no Binder in vendor" rule
...
These vendor domains use Binder, which is not permitted. This commit
thus temporarily associates these domains with the
binder_in_vendor_violators attribute, which permits the domains to use
Binder. This is a temporary workaround. The fix is to fix these domains
to not use Binder.
Test: mmm system/sepolicy
Bug: 35870313
Change-Id: I2bc329387bfdcc250a59f5d92419b4349e49c0cf
2017-03-24 08:40:00 -07:00
Trevor Bunker
7f5f979b95
Adding rules and contexts for following denials
...
denied { read } for pid=774 comm="android.hardwar" name="mnh_sm"
dev="tmpfs" ino=20667 scontext=u:r:hal_camera_default:s0
tcontext=u:object_r:device:s0 tclass=chr_file
denied { open } for pid=774 comm="android.hardwar" path="/dev/mnh_sm"
dev="tmpfs" ino=20667 scontext=u:r:hal_camera_default:s0
tcontext=u:object_r:device:s0 tclass=chr_file
denied { ioctl } for pid=774 comm="android.hardwar" path="/dev/mnh_sm"
dev="tmpfs" ino=20667 ioctlcmd=5401 scontext=u:r:hal_camera_default:s0
tcontext=u:object_r:device:s0 tclass=chr_file
denied { read write } for pid=774 comm="android.hardwar"
name="easelcomm-client" dev="tmpfs" ino=20570
scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:device:s0
tclass=chr_file
denied { open } for pid=774 comm="android.hardwar"
path="/dev/easelcomm-client" dev="tmpfs" ino=20570
scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:device:s0
tclass=chr_file
denied { ioctl } for pid=4319 comm="android.hardwar"
path="/dev/easelcomm-client" dev="tmpfs" ino=20570 ioctlcmd=ea02
scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:device:s0
tclass=chr_file
Test: manual flash, check kernel log to make sure denials were gone
Bug: 36584629
Change-Id: I978f700d6a15e0e485a319c070f10a7fbe73bcbb
Signed-off-by: Trevor Bunker <trevorbunker@google.com>
2017-03-24 07:58:14 -07:00
Jeff Vander Stoep
2212dbb325
time_daemon: No longer on device so remove sepolicy
...
Test: verify that /vendor/bin/time_daemon no longer exists on device
Test: Policy builds.
Bug: 34980020
Change-Id: I54714e42ed3c33f7ea22135e42429d7dbf454dca
2017-03-23 15:29:04 -07:00