Commit message | Author | Age | Files | Lines
* jacinto6evm: sepolicy: Add rules for APPE | Misael Lopez Cruz | 2016-12-05 | 7 | -0/+50
  Add the initial version of the SELinux rules for the Audio Post-Processing Engine based audio.
  Change-Id: If7b940bdd05da75b0e26d53d9102936c5eb8f54e
  Signed-off-by: Misael Lopez Cruz <misael.lopez@ti.com>
* jacinto6evm: sepolicy: initial sepolicy rules for lad daemon | Vishal Mahaveer | 2016-11-30 | 3 | -0/+27
  Initial rules for lad_dra7xx daemon
  Change-Id: I4cff5b47bf978dc87c05bc43926b34899981eefb
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: sepolicy: add rules for cpuset script | Vishal Mahaveer | 2016-09-21 | 2 | -0/+10
  Fix below denials generated for the script we added to support both J6 and J6 Eco cpuset configuration.
  [ 5.956998] init: Warning! Service exec 1 (/system/bin/init.jacinto6evmboard.cpuset.sh) needs a SELinux domain defined; please fix!
  [ 5.978447] type=1400 audit(5.969:3): avc: denied { execute_no_trans } for pid=177 comm="init" path="/system/bin/init.jacinto6evmboard.cpuset.sh" dev="mmcblk0p10" ino=206 scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0
  Change-Id: I36c482e052fc60c9c2d82c7daceae604fcf242d5
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: sepolicy: update pvr module_load permission | Vishal Mahaveer | 2016-09-20 | 1 | -0/+1
  Latest AOSP sepolicy places restriction on where the kernel module file can be loaded from [1]. Adapt pvr sepolicy to this change. There is a change needed in pvr um to move from init_module to finit_module.
  [1] https://android-review.googlesource.com/#/c/214021/3
  Change-Id: I77c938e2772243c559e5e3e5edfc91f17db816d8
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: sepolicy: allow init to delete symlinks on /config | Vishal Mahaveer | 2016-08-22 | 1 | -2/+1
  Cherry-picked from AOSP
  Project: device/google/dragon
  Commit: f8dc614d1bd1105a53194560d05704bf92f4bdea
  Author: Jeff Vander Stoep <jeffv@google.com>
  Change-Id: Ia7ec0b86a523d2d0c8c8f98c00c0eda83fad984f
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: sepolicy: update crda rule for kernel4.4 | Vishal Mahaveer | 2016-06-23 | 1 | -1/+1
  Update socket class name for kernel4.4
  Change-Id: I6a7143e9072371a7748b5007e3a9d2b4a9b41082
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: sepolicy: updates for configFS | Vishal Mahaveer | 2016-06-23 | 3 | -0/+8
  selinux updates for configFS
  Change-Id: If9bfeef4ec8b2ef3293bbb2fedb777cb9839b3f4
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: sepolicy: update block device names | Vishal Mahaveer | 2016-06-07 | 1 | -4/+4
  Update block device names to use "by-name" entries instead of hardcoded partition names.
  Change-Id: Id89063ae01a871949dd538546d5f72be8d0899fd
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: sepolicy: add sync node as gpu_device | Vishal Mahaveer | 2016-03-11 | 1 | -0/+1
  Add /dev/sw_sync as gpu_device.
  Change-Id: I30895a125abea5ace90d6378290b24eb42af9769
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* Revert "jacinto6evm: TEMP: don't audit module_request" | Praneeth Bajjuri | 2016-01-18 | 1 | -2/+0
  This reverts commit cd059a21607e5631ba18332409c867e94f446b4d.
  Kernel 3.14 has the right fix in selinux driver done.
  this patch is now integrated
  commit c037c42d164e186809b43838b8772aa1fe7cc8d5
  author: John Stultz <john.stultz@linaro.org>
  ANDROID: exec_domains: Disable request_module() call for personalities
  Change-Id: I3440cd2dd2ca2cf0d82db4284177e38f1983b521
  Signed-off-by: Praneeth Bajjuri <praneeth@ti.com>
* jacinto6evm: Allow system_server access to rpmsg device | Vishal Mahaveer | 2015-11-04 | 1 | -0/+1
  Allow system server to access rpmsg device.
  Change-Id: Id916392eb7231ab03f5c39430e4fa5dfb515d3f9
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: TEMP: don't audit module_request | Vishal Mahaveer | 2015-10-14 | 1 | -0/+2
  For the time being don't audit module_request denials. There are a lot of module_request denials logged currently with all 32-bit binaries in M. Android introduced this domain in bionic and our kernel does not have a separate 32 bit exec domain defined. This generates a lot of unnecessary module requests for "personality-8".
  Ex:
  [ 6.332380] type=1400 audit(946685140.029:22): avc: denied { module_request } for pid=2025 comm="drmserver" kmod="personality-8" scontext=u:r:drmserver:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1
  Making module_requests dontaudit for the time being till we figure out how to handle this. In kernel version 4.0 and later the exec domain support is completely removed anyways.
  Change-Id: Ia50df94edb7609f29f4d866d49ce58d8a593df1f
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: allow init to create symlinks | Vishal Mahaveer | 2015-10-12 | 1 | -0/+2
  Allow init to create /mnt/sdcard symlink
  Change-Id: I0c385dbdc66f525875dab763ab49393331a8c877
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: add types for block devices | Vishal Mahaveer | 2015-10-12 | 1 | -0/+6
  Add types for block device partitions defined in fstab.
  Change-Id: I72310678e17ce11e4dfc55d534cae59f2e699278
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: define sync graphics node | Vishal Mahaveer | 2015-09-18 | 1 | -0/+1
  Define sync dev node as gpu_device
  Change-Id: I6870b8ea5b75c3e3b512fe6ad770d4c15bda5ec0
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: ignore devtmpfs warnings | Vishal Mahaveer | 2015-09-16 | 1 | -0/+5
  Our kernel has kdevtmpfs enabled for test purpose, but the denial reported by SELinux does not affect Android. Adding a rule to suppress those denial logs.
  Change-Id: I57a320409e62abe934b0fba3815466dd0d2c5911
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: suppress netd denials | Vishal Mahaveer | 2015-07-28 | 1 | -0/+4
  These denials are seen with WLAN and are not harmful. Ignore them.
  Change-Id: I62a0143fa750abfd8840e67b854d55f558695ec9
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: allow system_server to access rtc0 | Vishal Mahaveer | 2015-07-27 | 3 | -0/+5
  Address following denials during network time update
  [ 31.969050] type=1400 audit(1438006232.316:5): avc: denied { read write } for pid=2618 comm="NetworkTimeUpda" name="rtc0" dev="tmpfs" ino=528 scontext= u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
  [ 31.993488] type=1400 audit(1438006232.316:6): avc: denied { open } for pid=2618 comm="NetworkTimeUpda" path="/dev/rtc0" dev="tmpfs" ino=528 scontext= u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
  [ 32.015360] type=1400 audit(1438006232.316:7): avc: denied { ioctl } for pid=2618 comm="NetworkTimeUpda" path="/dev/rtc0" dev="tmpfs" ino=528 ioctlcmd= 700a scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
  Change-Id: Ib1e80bd6f3be0fd6d52c9c986d33df787b628fd3
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: fix uim domain definition | Vishal Mahaveer | 2015-07-20 | 1 | -0/+2
  Fix for the below log seen with Bluetooth service
  [ 5.775481] init: Warning! Service uim needs a SELinux domain defined; please fix!
  Change-Id: I8b32ba158e2d9b8092372d3713ef41a58b4a2951
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: add rule for camera scan | Vishal Mahaveer | 2015-07-15 | 1 | -0/+3
  Allow camera hal to scan for video devices.
  Change-Id: I08cd422ddc4e0165b1d3e883f968ec70d533d069
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: add rule for mediaserver/rpmsg | Vishal Mahaveer | 2015-07-13 | 2 | -0/+4
  Add sepolicy rules for mediaserver/rpmsg
  Change-Id: I070f4a1acbb0af6961083483c33b899b9d023ac8
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: add rules for crda | Vishal Mahaveer | 2015-07-13 | 1 | -0/+3
  crda is executed via ueventd rules from kernel. Add rules for the same.
  Change-Id: I8058e0279ca6d77709bca362e12eaceaefb42715
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: add rule for insmod from init.rc | Vishal Mahaveer | 2015-07-13 | 1 | -0/+2
  Add rule for loading modules via init.rc file. We load WLAN and CMEM modules via init.rc
  Change-Id: I7303c7e4b1804965d19be1e2debf9a42a636faae
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: fix typo in bluetooth device name | Vishal Mahaveer | 2015-07-10 | 1 | -1/+1
  Fix typo in bluetooth device name of SELinux policy
  Change-Id: I4d67d08a287bf1eb8a3006303e2313675626ffe9
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: add initial policies for graphics | Vishal Mahaveer | 2015-07-10 | 2 | -0/+19
  Add policies for graphics binaries and device. Reference for pvr taken from device/asus/fugu project
  Change-Id: I8dba7b622096cdff8b609a9973a9e960b06b572c
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: add rule for console | Vishal Mahaveer | 2015-07-10 | 1 | -0/+3
  Update sepolicy rule for console device used in J6 EVM.
  Change-Id: Ie7c4aee44a8a1fc63b89c535a85f78ce21101972
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: remove old policy | Vishal Mahaveer | 2015-07-10 | 1 | -1/+0
  This rule was cherry-picked in KitKat days, no longer needed for Lollipop.
  Change-Id: Ib34caf05532affb7f2f48fecbe542d98df2fc8c7
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: add rule for bluetooth device | Vishal Mahaveer | 2015-07-10 | 3 | -0/+4
  Add SELinux policy for bluetooth device
  Change-Id: I3d0117a4658aeaa061e1bef458d909b235d51500
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
* jacinto6evm: SELinux: initial policy for enabling enforcing mode | Vishal Mahaveer | 2014-07-21 | 1 | -0/+1
  With this change we are able to boot with enforcing mode. The rule added for healthd in this patch is taken from AOSP master. When we switch to next Android version, this policy could be removed.
  Change-Id: I8a87e1e4084c0186ae76b8b6f0cb87baf6e2ecf3
  Signed-off-by: Vishal Mahaveer <vishalm@ti.com>