- 18 Aug, 2015 1 commit
-
-
Roozbeh Pournader authored
This reverts commit c761ab30. Bug: 22929087
-
- 04 Aug, 2015 1 commit
-
-
Roozbeh Pournader authored
This is a temporary font profile to get razor and razorg (Nexus 7, 2013 version). It's not tested thoroughly, and should not be used for any other devices. The CONSTRAINED profile removes Bamum, Lisu, Mandaic, Mongolian, New Tai Lue, Syriac, Tibetan, and Vai fonts from razor[g] devices, and switches the CJK fonts to the limited pre-Lollipop fonts. Bug: 22929087 Change-Id: I7edd001adf950fcf787a28c416aada9b449f2197
-
- 12 Jun, 2015 1 commit
-
-
ayongyuth authored
Bug: 21016403 Change-Id: Iaadd805dd5326b810e6dd83c1e509cab48995d9d
-
- 11 Jun, 2015 1 commit
-
-
ayongyuth authored
Bug: 21016403 Change-Id: Iaadd805dd5326b810e6dd83c1e509cab48995d9d
-
- 05 May, 2015 1 commit
-
-
Vineeta Srivastava authored
Change-Id: I35a71883932d9acf33859fdc3ddc1761bc821bd4
-
- 01 Apr, 2015 1 commit
-
-
Stephen Smalley authored
As suggested in the comments on https://android-review.googlesource.com/#/c/141560/ drop BOARD_SEPOLICY_UNION and simplify the build_policy logic. Union all files found under BOARD_SEPOLICY_DIRS. Change-Id: I4214893c999c23631f5456cb1b8edd59771ef13b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
- 06 Feb, 2015 1 commit
-
-
Nick Kralevich authored
Commit 312ae66f (AOSP cherrypick c05a5227) ensures that /dev/diag is always removed on boot on user builds. Allow for it in SELinux policy. Change-Id: Icfe707ea27c54f2961687b63c9722961cb3e6f79
-
- 21 Nov, 2014 2 commits
-
-
Elliott Hughes authored
Change-Id: If44327fc3356a701cf60e7df8e68b7246922fbba
-
Elliott Hughes authored
Change-Id: Ibf51c91241b1bfcefbb48306ad9b7fbd3fd02602
-
- 20 Nov, 2014 1 commit
-
-
Iliyan Malchev authored
b/18402205 External reports: Video playback failing on Flo after upgrade to Lollipop Change-Id: I8569a59f357a0bd689ed5a86da27fcf524a28143 Signed-off-by: Iliyan Malchev <malchev@google.com>
-
- 19 Aug, 2014 2 commits
-
-
Alex Light authored
Change-Id: I0ea9768f801865f95f2774b8377cc8f3d75e30bf (cherry picked from commit 35251f09)
-
Alex Light authored
Bug: 16938924 Change-Id: Iadf3235cbd93375b8c3b89faa07d7d6c42cd6fb0 (cherry picked from commit c8030c7f)
-
- 15 Aug, 2014 1 commit
-
-
Alex Light authored
Change-Id: I0ea9768f801865f95f2774b8377cc8f3d75e30bf
-
- 14 Aug, 2014 1 commit
-
-
Alex Light authored
Bug: 16938924 Change-Id: Iadf3235cbd93375b8c3b89faa07d7d6c42cd6fb0
-
- 17 Jul, 2014 3 commits
-
-
Nick Kralevich authored
Google's internal master has been updated to not use /dev/mem. Update the SELinux rules to allow for this. Keep rmt in permissive for AOSP. The updated userspace / kernel aren't in AOSP, and we don't want to break those users. We'll flip this to enforcing in Google's internal tree. (cherry picked from commit 023162b9) Change-Id: Idcd3952608cac966c045dad3fc8c1dc73311e6e6
-
Nick Kralevich authored
Google's internal master has been updated to not use /dev/mem. Update the SELinux rules to allow for this. Keep rmt in permissive for AOSP. The updated userspace / kernel aren't in AOSP, and we don't want to break those users. We'll flip this to enforcing in Google's internal tree. (cherry picked from commit 023162b9) Change-Id: Ie9de15361c4f283baa912bcd15e3e3c93c897c6a
-
Nick Kralevich authored
Google's internal master has been updated to not use /dev/mem. Update the SELinux rules to allow for this. Keep rmt in permissive for AOSP. The updated userspace / kernel aren't in AOSP, and we don't want to break those users. We'll flip this to enforcing in Google's internal tree. Change-Id: I18fdc7d6c718252e1efe4f1a4dabfc6866c1dc8d
-
- 16 Jun, 2014 3 commits
-
-
Stephen Hines authored
-
Victoria Lease authored
please enjoy your new selection of CJK fonts! Bug: 15569561 Change-Id: Ia9cacbe788e0ebcd4f34e44fc6edad4f621f47f7
-
Stephen Hines authored
-
- 04 Jun, 2014 1 commit
-
-
Stephen Hines authored
This change will necessitate a rebuilt GPU driver: https://android-review.googlesource.com/80951 Change-Id: I61f4098305422021f6f78dc7f3b99e2cc9b4c116
-
- 30 May, 2014 1 commit
-
-
Robert Craig authored
The ppd service which runs the mm-pp-daemon binary appears to no longer be used. The last occurrence of the binary for either flo or deb is with the jss15r and jls36i builds respectively. In fact, current builds report that the ppd service is explicitly being disabled.
<3>[ 5.023345] init: cannot find '/system/bin/mm-pp-daemon', disabling 'ppd'
Thus, just drop the selinux policy for it. While we're at it, drop the ppd service entries from the init.flo.rc file too.
Change-Id: I5902b6876d5bea33bb65dcaa505fc4ee13a61677
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
-
- 01 Apr, 2014 1 commit
-
-
Doug Zongker authored
All its functionality is now in the default UI. Change-Id: I013f864bae10e3e1e8bee65241d05a8e5529f680
-
- 06 Mar, 2014 1 commit
-
-
Robert Craig authored
Addresses the following denials:
avc: denied { search } for pid=9143 comm="hostapd" name="wifi" dev="mmcblk0p16" ino=12 scontext=u:r:hostapd:s0 tcontext=u:object_r:persist_wifi_file:s0 tclass=dir
avc: denied { getattr } for pid=9143 comm="hostapd" path="/persist/wifi/.macaddr" dev="mmcblk0p16" ino=19 scontext=u:r:hostapd:s0 tcontext=u:object_r:persist_wifi_file:s0 tclass=file
avc: denied { read } for pid=9143 comm="hostapd" name=".macaddr" dev="mmcblk0p16" ino=19 scontext=u:r:hostapd:s0 tcontext=u:object_r:persist_wifi_file:s0 tclass=file
avc: denied { open } for pid=9143 comm="hostapd" name=".macaddr" dev="mmcblk0p16" ino=19 scontext=u:r:hostapd:s0 tcontext=u:object_r:persist_wifi_file:s0 tclass=file
Change-Id: I0e86c92d91601c341c1798f869b935b359c2577a
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
-
- 20 Feb, 2014 2 commits
-
-
Robert Craig authored
Also just remove all specific domain access and instead allow diag_device access for all domains on the userdebug/user builds. Change-Id: I2dc79eb47e05290902af2dfd61a361336ebc8bca Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
-
Robert Craig authored
Allow r/w access to /dev/diag on userdebug/eng builds.
avc: denied { read write } for pid=204 comm="rild" name="diag" dev="tmpfs" ino=8404 scontext=u:r:rild:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
avc: denied { open } for pid=204 comm="rild" name="diag" dev="tmpfs" ino=8404 scontext=u:r:rild:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
Grant radio sockets access to rild.
avc: denied { write } for pid=323 comm="rild" name="qmux_radio" dev="tmpfs" ino=1053 scontext=u:r:rild:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir
avc: denied { write } for pid=323 comm="rild" name="qmux_connect_socket" dev="tmpfs" ino=1309 scontext=u:r:rild:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
avc: denied { connectto } for pid=323 comm="rild" path="/dev/socket/qmux_radio/qmux_connect_socket" scontext=u:r:rild:s0 tcontext=u:r:qmux:s0 tclass=unix_stream_socket
Change-Id: I89f7531fb006bfcae9f97b979fba61f3ed6badde
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
-
- 03 Feb, 2014 1 commit
-
-
Stephen Hines authored
This change will necessitate a rebuilt GPU driver: https://android-review.googlesource.com/80951 Change-Id: I61f4098305422021f6f78dc7f3b99e2cc9b4c116
-
- 18 Dec, 2013 1 commit
-
-
Nick Kralevich authored
Initially unconfined and enforcing. Change-Id: I49be1c53afb1f91836d5e49dbce84c4a0c789478
-
- 12 Dec, 2013 1 commit
-
-
Stephen Smalley authored
Change-Id: I3ce0b4bd25e078698a1c50242aaed414bf5cb517 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
- 25 Nov, 2013 1 commit
-
-
Robert Craig authored
* Make gpu_device a trusted object since all apps can write to the device.
denied { write } for pid=3460 comm="ense_free.menus" name="kgsl-3d0" dev="tmpfs" ino=7606 scontext=u:r:untrusted_app:s0:c92,c256 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
* Drop dead type mpdecision_device.
* Create policy for mm-pp-daemon and keep it permissive. Address the following initial denials.
denied { write } for pid=220 comm="mm-pp-daemon" name="property_service" dev="tmpfs" ino=7289 scontext=u:r:ppd:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file
denied { connectto } for pid=220 comm="mm-pp-daemon" path="/dev/socket/property_service" scontext=u:r:ppd:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket
denied { read write } for pid=220 comm="mm-pp-daemon" name="fb0" dev="tmpfs" ino=8523 scontext=u:r:ppd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file
denied { open } for pid=220 comm="mm-pp-daemon" name="fb0" dev="tmpfs" ino=8523 scontext=u:r:ppd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file
denied { ioctl } for pid=220 comm="mm-pp-daemon" path="/dev/graphics/fb0" dev="tmpfs" ino=8523 scontext=u:r:ppd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file
* Add kickstart_exec labels for kickstart binaries that are used by deb devices.
* Add tee policy. Label /data/misc/playready and allow tee access.
denied { write } for pid=259 comm="qseecomd" name="misc" dev="mmcblk0p30" ino=635233 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
denied { read } for pid=232 comm="qseecomd" name="/" dev="mmcblk0p30" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
denied { create } for pid=306 comm="qseecomd" name="playready" scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
denied { search } for pid=282 comm="qseecomd" name="playready" dev="mmcblk0p30" ino=635262 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
denied { read } for pid=282 comm="qseecomd" name="playready" dev="mmcblk0p30" ino=635262 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
denied { write } for pid=265 comm="qseecomd" name="playready" dev="mmcblk0p30" ino=635262 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
denied { create } for pid=252 comm="qseecomd" name="tzdrm.log" scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=file
denied { read write open } for pid=271 comm="qseecomd" name="tzdrm.log" dev="mmcblk0p30" ino=635264 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=file
* Give surfaceflinger access to /dev/socket/pps and allow access to certain sysfs nodes.
denied { write } for pid=181 comm="surfaceflinger" name="pps" dev="tmpfs" ino=7958 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:ppd_socket:s0 tclass=sock_file
denied { write } for pid=182 comm="surfaceflinger" name="hpd" dev="sysfs" ino=9639 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file
Change-Id: Ia7a5c63365593af7ac5adc207b27fad113b01dd3
-
- 15 Nov, 2013 1 commit
-
-
Robert Craig authored
Bring policy over from the mako board which has a lot of similar domains and services. mako is also a Qualcomm board which allows a lot of that policy to be directly brought over and applied. Included in this are some radio specific pieces. Though not directly applicable to flo, the deb board inherits this policy. Change-Id: I6b294c7dc830189c08f1f981a239234a2c3f577f
-
- 14 Nov, 2013 3 commits
-
-
Robert Craig authored
Labeling nodes with appropriate types doesn't introduce any new denials to the mix. This list largely addresses the Qualcomm specific nodes. Various nodes are labeled with radio specific types. Since the deb build inherits from this flo policy, it is a good idea to include them. Change-Id: Ia55a80af027c8bde933d45c41f4ed287f01adb2e
-
Robert Craig authored
Created a new label and addressed the following denials.
* For system server
denied { read write } for pid=800 comm="ndroid.systemui" name="kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { open } for pid=800 comm="ndroid.systemui" name="kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { ioctl } for pid=800 comm="ndroid.systemui" path="/dev/kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
* For surfaceflinger
denied { ioctl } for pid=286 comm="SurfaceFlinger" path="/dev/kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { read write } for pid=286 comm="SurfaceFlinger" path="/dev/kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:device:s0 tclass=chr_file
* For app domains
denied { read write } for pid=800 comm="ndroid.systemui" name="kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { open } for pid=800 comm="ndroid.systemui" name="kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { ioctl } for pid=800 comm="ndroid.systemui" path="/dev/kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
Change-Id: I417bbd12fbdc17cd3d1110dcf3bff73dd5e385a4
-
Nick Kralevich authored
00739e3d14f2f1ea9240037283c3edd836d2aa2f in external/sepolicy moved ueventd into enforcing. This broke wifi on flo/deb. Fix it. This addresses the following denials:
<5>[ 219.755523] type=1400 audit(1384456650.969:107): avc: denied { search } for pid=2868 comm="ueventd" name="wifi" dev="mmcblk0p30" ino=637740 scontext=u:r:ueventd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=dir
<5>[ 219.755706] type=1400 audit(1384456650.969:108): avc: denied { read } for pid=2868 comm="ueventd" name="WCNSS_qcom_cfg.ini" dev="mmcblk0p30" ino=637747 scontext=u:r:ueventd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=file
<5>[ 219.755889] type=1400 audit(1384456650.969:109): avc: denied { open } for pid=2868 comm="ueventd" name="WCNSS_qcom_cfg.ini" dev="mmcblk0p30" ino=637747 scontext=u:r:ueventd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=file
<5>[ 219.756134] type=1400 audit(1384456650.969:110): avc: denied { getattr } for pid=2868 comm="ueventd" path="/data/misc/wifi/WCNSS_qcom_cfg.ini" dev="mmcblk0p30" ino=637747 scontext=u:r:ueventd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=file
Bug: 11688129
Change-Id: Ice0d3432010cfbbce88dd0ede013af3b2297d3d6
-
- 08 Nov, 2013 1 commit
-
-
Nick Kralevich authored
Don't run rmt in init's domain. /system/bin/rmt_storage is a qualcomm specific daemon responsible for servicing modem filesystem requests. It doesn't make sense to run rmt_storage in init's domain, as doing so prevents us from fine tuning its policy. Keep the domain in permissive mode right now until we address the following denials:
<5>[ 7.497467] type=1400 audit(1383939680.983:5): avc: denied { read write } for pid=193 comm="rmt_storage" name="mem" dev="tmpfs" ino=4010 scontext=u:r:rmt:s0 tcontext=u:object_r:kmem_device:s0 tclass=chr_file
<5>[ 7.497741] type=1400 audit(1383939680.983:6): avc: denied { open } for pid=193 comm="rmt_storage" name="mem" dev="tmpfs" ino=4010 scontext=u:r:rmt:s0 tcontext=u:object_r:kmem_device:s0 tclass=chr_file
We still need to get a better understanding of what rmt_storage does and what rules should be applied to it.
Change-Id: I45d03fb93870f1b4bb64215f5dcd9a2a443f5566
-
- 06 Nov, 2013 1 commit
-
-
Nick Kralevich authored
Otherwise keystore in enforcing is broken. Bug: 11518274 Change-Id: I10ead7cabe794d1752a8cba4dc3193217aad7805
-
- 07 Oct, 2013 1 commit
-
-
Jamie Gennis authored
Bug: 10624956 Change-Id: If0908918defb54ac7101586636ced55d4f411e17
-
- 06 Sep, 2013 2 commits
-
-
Iliyan Malchev authored
b/10429994 Change-Id: Ia03f3a7628448afb8b115a898a3373f95e1dcbd0 Signed-off-by: Iliyan Malchev <malchev@google.com>
-
Iliyan Malchev authored
b/10429994 Change-Id: Ia03f3a7628448afb8b115a898a3373f95e1dcbd0 Signed-off-by: Iliyan Malchev <malchev@google.com>
-
- 10 Jul, 2013 1 commit
-
-
Iliyan Malchev authored
Change-Id: I584c414d27477937e59bbf64114d513cc1988c69 Signed-off-by: Iliyan Malchev <malchev@google.com>
-