path: root/init.flo.rc
Age | Commit message | Author
2015-04-02 | am 2f1f01a6: am 1cab44f7: Merge "flo: updates for SELinux" | Nick Kralevich
* commit '2f1f01a66094453fcf14a5a39bcea785a6205054': flo: updates for SELinux
2015-04-01 | flo: updates for SELinux | Nick Kralevich
* Move binaries from /system/etc to /system/bin. That's the proper place for binaries, and avoids having to preface each service entry with /system/bin/sh
* Drop seclabel statements and rely on automatic domain transitions.
* remove call to init.qcom.class_main.sh, which doesn't exist. This gets rid of the following unnecessary errors:
<3>[ 5.286834] init: Warning! Service qcom-c_main-sh needs a SELinux domain defined; please fix!
<5>[ 5.288970] type=1400 audit(1425327865.651:5): avc: denied { execute_no_trans } for pid=191 comm="init" path="/system/bin/sh" dev="mmcblk0p22" ino=341 scontext=u:r:init:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
Fix some other minor policy issues.
Change-Id: Ib47d49b6c239ab7a2ebe6159465deb98b4b8cecb
2015-03-30 | Updated external storage configuration. | Jeff Sharkey
vold now manages external storage in a much more dynamic fashion, so we no longer need to define FUSE daemons or mount points.
Bug: 19993667
Change-Id: I17a468fe37ed6d1f7af8524b93072672c2ec2164
2015-03-28 | delete service asus-dbug-d | Nick Kralevich
SELinux prohibits init from running executable code from /data, so this is a no-op. Also, we don't want to give any package named com.asus.debugger a full root shell. Nexus devices don't ship with such a package, and it's trivial for anyone to create a package by the same name.
Change-Id: I8604eb414c14fca5d873ff4b25105417759b491b
2015-02-01 | am 7f13d056: Merge "remove useless attempt to chmod /system/bin/ip" | Nick Kralevich
* commit '7f13d056dc12502073c7ed1c67d3e432de901200': remove useless attempt to chmod /system/bin/ip
2015-01-31 | remove useless attempt to chmod /system/bin/ip | Nick Kralevich
/system is mounted read-only. It's impossible for init to modify the permissions on /system/bin/ip.
Change-Id: I7c224b7f488a887c5f0997dd1abccf960178ede8
2015-01-31 | am 679a5cd7: Merge "move /data/tombstone creation to system/core" | Nick Kralevich
* commit '679a5cd731b6a3f6a8f519ba0ee7a36f464c0742': move /data/tombstone creation to system/core
2015-01-30 | move /data/tombstone creation to system/core | Nick Kralevich
Bug: https://code.google.com/p/android/issues/detail?id=93207
Change-Id: I40002b072669cee0df0573fb07472cb8bc1dac27
2014-11-21 | Move wifi setup script from main to late_start | Ed Tam
automerge: 346162b
* commit '346162be6d53b6b44f2f58e8d2e323456845e377': Move wifi setup script from main to late_start
2014-11-17 | Move wifi setup script from main to late_start | Ed Tam
Bug: 17358965
Change-Id: I6064aee5aafc8bc5a8dcecab0a57f552f3233bfb
2014-11-01 | am 29a6e24d: am 312ae66f: flo: Disable diag device in normal mode. | Ed Tam
* commit '29a6e24d8e0f02177c42a1322de941758800a49d': flo: Disable diag device in normal mode.
2014-10-31 | flo: Disable diag device in normal mode. | Ed Tam
Remove the diag device when the device is in normal mode.
Bug: 18203257
Change-Id: I878ac648c49ef0940d55d5b6695bac24742847c8
2014-10-03 | am d0e1ea84: am 6a15bd7e: Merge "Label /sys/devices/system/cpu/cpufreq/ondemand and its files." | Nick Kralevich
* commit 'd0e1ea841ce9520f17cf8652d8854278b67c229e': Label /sys/devices/system/cpu/cpufreq/ondemand and its files.
2014-10-03 | am d0e1ea84: am 6a15bd7e: Merge "Label /sys/devices/system/cpu/cpufreq/ondemand and its files." | Nick Kralevich
* commit 'd0e1ea841ce9520f17cf8652d8854278b67c229e': Label /sys/devices/system/cpu/cpufreq/ondemand and its files.
2014-10-02 | Label /sys/devices/system/cpu/cpufreq/ondemand and its files. | Stephen Smalley
This directory and its files are created in sysfs when the scaling_governor is set to "ondemand" by the init.<board>.rc file. As this occurs after the initial restorecon_recursive("/sys") by init and it does not appear to trigger any uevent notification and thus will not be labeled by ueventd fixup_sys_perms(), we need to explicitly invoke restorecon_recursive on it from the init.<board>.rc file after setting the scaling_governor.
Change-Id: Ia65a85e3156fb963a3ad5ea74d7c248cfe410bb8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-25 | Support Ethernet on flo. | Lorenzo Colitti
Bug: 17626589
Change-Id: I581da1782aaf6008f7014795b0ba970503e6c373
2014-06-12 | Run the charger in the healthd domain. | Stephen Smalley
Current policy assumes that the charger will run in the healthd domain. Add a seclabel entry for the charger service to ensure that it runs in the healthd domain even when the charger is a separate binary.
Change-Id: I3fb6d3cd298dbec15165bf02496b2388a55f4b59
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-30 | am 01902a06: am 45248675: am 7d491eeb: Merge "Drop ppd selinux policy." | Nick Kralevich
* commit '01902a06526bdc737b5c36e917fa5cab70b36763': Drop ppd selinux policy.
2014-05-30 | Drop ppd selinux policy. | Robert Craig
The ppd service which runs the mm-pp-daemon binary appears to no longer be used. The last occurrence of the binary for either flo or deb is with the jss15r and jls36i builds respectively. In fact, current builds report that the ppd service is explicitly being disabled.
<3>[ 5.023345] init: cannot find '/system/bin/mm-pp-daemon', disabling 'ppd'
Thus, just drop the selinux policy for it. While we're at it, drop the ppd service entries from the init.flo.rc file too.
Change-Id: I5902b6876d5bea33bb65dcaa505fc4ee13a61677
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-05-06 | am 03cb58a7: am 4d421514: am c02a6df6: Merge "SELinux: Add system group to thermald to avoid dac_override denial." | Nick Kralevich
* commit '03cb58a7d553b3263ca7f650b95be5ede8e78b9a': SELinux: Add system group to thermald to avoid dac_override denial.
2014-05-06 | SELinux: Add system group to thermald to avoid dac_override denial. | Robert Craig
Change helps resolve the following denial.
avc: denied { dac_override } for pid=441 comm="thermald" capability=1 scontext=u:r:thermald:s0 tcontext=u:r:thermald:s0 tclass=capability
A similar change already exists for the hammerhead policy. Future changes might need to be added here to accommodate additional dac_override denials that might happen beyond this change. Consult hammerhead change Ied2293d9effb1b2d9e043e01c08b5e7be407c868 for some additional insight.
Change-Id: Ica6d657e5c37851b725f0b2bbe6b46d18ceb84bb
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-05-02 | am 966f7e5e: am 59c26859: am 823251b3: Merge "Address new SELinux denial." | Nick Kralevich
* commit '966f7e5ebc3d487a9c4870a7ae28c252380e2b83': Address new SELinux denial.
2014-05-02 | Address new SELinux denial. | Nick Kralevich
system/core commit 75b287b771b302c99797d812122b72f83d2f56f9 fixed /sys/devices/system/cpu/cpu*/cpufreq/scaling_* so that it was properly owned by uid/gid system. That started generating the following SELinux denial:
<4>[ 380.676844] type=1400 audit(1398985976.921:19): avc: denied { dac_override } for pid=2033 comm="mpdecision" capability=1 scontext=u:r:mpdecision:s0 tcontext=u:r:mpdecision:s0 tclass=capability
Add mpdecision to the system group. This stops the DAC override denial by giving mpdecision DAC read/write access.
Change-Id: Iae2d9693f83de36f6b6db7d3e173a1858b20ec59
2014-02-28 | am 5293d1ea: am caef0ed9: am 9dbd468d: Merge "Drop restorecons from init.flo.rc file." | Nick Kralevich
* commit '5293d1ea60ff6c23880d0b9cb5d435b3bd430435': Drop restorecons from init.flo.rc file.
2014-02-26 | Drop restorecons from init.flo.rc file. | Robert Craig
Recent changes have obsoleted the need to call restorecon on any of /data files and dirs. This patch drops those restorecons from the file. Also use a global macro where appropriate.
Change-Id: Id3322180cfe431a4065cfd39046711d7ddfd9f31
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-19 | flo: Get rid of ctrl_interface=/data/misc/wifi/sockets | Dmitry Shmidt
Bug: 10893961
Change-Id: I489251a3383039c99ecbdb35347e0e86ccf6d728
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2014-02-12 | Enabled logging of wakeup reasons in the kernel log | Ed Tam
Change-Id: I0217f69a7de1e678e57cb009edff3394ae46fcbe
2014-02-04 | am c87267c8: am a508b397: Merge "Move creation of /data/misc/wifi and /data/misc/dhcp to main init.rc file." | Nick Kralevich
* commit 'c87267c8a95564e0f0181f45f15ca79c3cd51092': Move creation of /data/misc/wifi and /data/misc/dhcp to main init.rc file.
2014-01-29 | Move creation of /data/misc/wifi and /data/misc/dhcp to main init.rc file. | Stephen Smalley
mkdir /data/misc/wifi subdirectories and /data/misc/dhcp is performed in the various device-specific init*.rc files but seems generic. Move it to the main init.rc file.
Change-Id: I51b09c5e40946673a38732ea9f601b2d047d3b62
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-16 | am 2292d800: am 1cac1c2c: am d534d7f1: Merge "Remove /data/app/sensor_ctl_socket on boot." | Nick Kralevich
* commit '2292d8008a591f2950a037289f5c08e0840b846c': Remove /data/app/sensor_ctl_socket on boot.
2014-01-15 | am 741f806c: am 5641db53: am 134c4bc9: Merge "restorecon /data/media and /data/misc/audio." | Nick Kralevich
* commit '741f806c938827eb0a6411f59f77b66f79952919': restorecon /data/media and /data/misc/audio.
2014-01-15 | Remove /data/app/sensor_ctl_socket on boot. | Stephen Smalley
Unix domain sockets need to be unlinked and re-created on each reboot regardless, and removing the old socket left by a prior boot ensures that we do not have a dead socket file in the wrong security context, thereby yielding denials and preventing proper removal and re-creation by the sensors service.
Change-Id: Ibe15768d9ae6955a0358568b11804f0267a1680e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-15 | restorecon /data/media and /data/misc/audio. | Stephen Smalley
Just as with hammerhead. Other files/directories were already addressed for flo.
Change-Id: I90d10e2654d5e52d40a553a9b7db4d8e5989037b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-20 | am e2cf0ad9: am ffcb51c7: am 23ad4374: Merge "Relabel sensors files" | Nick Kralevich
* commit 'e2cf0ad97c78d20fea04a9130ee801b25a251f65': Relabel sensors files
2013-12-18 | Relabel sensors files | Nick Kralevich
In 9d6624a0, /data/misc/sensors and /data/system/sensors were changed from system_data_file to sensors_data_file. /data/nfc was changed from system_data_file to nfc_data_file. However, we forgot to fix up existing files.
Addresses the following sensors denials:
<5>[ 103.234466] type=1400 audit(1387408621.036:26): avc: denied { setattr } for pid=4833 comm="sensors.qcom" name="debug" dev="mmcblk0p31" ino=188441 scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
<5>[ 103.254089] type=1400 audit(1387408621.066:27): avc: denied { append } for pid=4833 comm="sensors.qcom" name="error_log" dev="mmcblk0p31" ino=188442 scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
<5>[ 103.273681] type=1400 audit(1387408621.086:28): avc: denied { open } for pid=4833 comm="sensors.qcom" name="error_log" dev="mmcblk0p31" ino=188442 scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
<5>[ 103.293914] type=1400 audit(1387408621.106:29): avc: denied { read } for pid=4833 comm="sensors.qcom" name="debug" dev="mmcblk0p31" ino=188441 scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
<5>[ 103.313537] type=1400 audit(1387408621.126:30): avc: denied { open } for pid=4833 comm="sensors.qcom" name="debug" dev="mmcblk0p31" ino=188441 scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
nfc denials:
<5>[ 579.726409] type=1400 audit(1387410509.432:35): avc: denied { write } for pid=1257 comm=4173796E635461736B202331 name="nfc" dev="mmcblk0p31" ino=253953 scontext=u:r:nfc:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
<5>[ 579.746185] type=1400 audit(1387410509.452:36): avc: denied { add_name } for pid=1257 comm=4173796E635461736B202331 name="halStorage.bin4" scontext=u:r:nfc:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
<5>[ 579.765014] type=1400 audit(1387410509.472:37): avc: denied { create } for pid=1257 comm=4173796E635461736B202331 name="halStorage.bin4" scontext=u:r:nfc:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
<5>[ 579.783477] type=1400 audit(1387410509.492:38): avc: denied { write } for pid=1257 comm=4173796E635461736B202331 name="halStorage.bin4" dev="mmcblk0p31" ino=253956 scontext=u:r:nfc:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
Change-Id: I4a1824ecb4c339d849b0a25c331d53be70837994
2013-11-25 | am 965bf8c2: am 19128041: Merge "SELinux policy updates." | Nick Kralevich
* commit '965bf8c2eae4ab2c1597c85ba690815e8dd27a0d': SELinux policy updates.
2013-11-25 | SELinux policy updates. | Robert Craig
* Make gpu_device a trusted object since all apps can write to the device.
denied { write } for pid=3460 comm="ense_free.menus" name="kgsl-3d0" dev="tmpfs" ino=7606 scontext=u:r:untrusted_app:s0:c92,c256 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
* Drop dead type mpdecision_device.
* Create policy for mm-pp-daemon and keep it permissive. Address the following initial denials.
denied { write } for pid=220 comm="mm-pp-daemon" name="property_service" dev="tmpfs" ino=7289 scontext=u:r:ppd:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file
denied { connectto } for pid=220 comm="mm-pp-daemon" path="/dev/socket/property_service" scontext=u:r:ppd:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket
denied { read write } for pid=220 comm="mm-pp-daemon" name="fb0" dev="tmpfs" ino=8523 scontext=u:r:ppd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file
denied { open } for pid=220 comm="mm-pp-daemon" name="fb0" dev="tmpfs" ino=8523 scontext=u:r:ppd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file
denied { ioctl } for pid=220 comm="mm-pp-daemon" path="/dev/graphics/fb0" dev="tmpfs" ino=8523 scontext=u:r:ppd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file
* Add kickstart_exec labels for kickstart binaries that are used by deb devices.
* Add tee policy. Label /data/misc/playready and allow tee access.
denied { write } for pid=259 comm="qseecomd" name="misc" dev="mmcblk0p30" ino=635233 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
denied { read } for pid=232 comm="qseecomd" name="/" dev="mmcblk0p30" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
denied { create } for pid=306 comm="qseecomd" name="playready" scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
denied { search } for pid=282 comm="qseecomd" name="playready" dev="mmcblk0p30" ino=635262 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
denied { read } for pid=282 comm="qseecomd" name="playready" dev="mmcblk0p30" ino=635262 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
denied { write } for pid=265 comm="qseecomd" name="playready" dev="mmcblk0p30" ino=635262 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
denied { create } for pid=252 comm="qseecomd" name="tzdrm.log" scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=file
denied { read write open } for pid=271 comm="qseecomd" name="tzdrm.log" dev="mmcblk0p30" ino=635264 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=file
* Give surfaceflinger access to /dev/socket/pps and allow access to certain sysfs nodes.
denied { write } for pid=181 comm="surfaceflinger" name="pps" dev="tmpfs" ino=7958 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:ppd_socket:s0 tclass=sock_file
denied { write } for pid=182 comm="surfaceflinger" name="hpd" dev="sysfs" ino=9639 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file
Change-Id: Ia7a5c63365593af7ac5adc207b27fad113b01dd3
2013-11-23 | am 5f1df086: am e43c3f5a: am 3dd91d02: Merge "Add to selinux policy." | Nick Kralevich
* commit '5f1df0863503b9a9aa465b10b5045ad3aa59de81': Add to selinux policy.
2013-11-22 | am 3dd91d02: Merge "Add to selinux policy." | Nick Kralevich
* commit '3dd91d0298097d990ff37ddc6885fe63d819eae2': Add to selinux policy.
2013-11-22 | Merge commit 'e741348065428222edfd3486180e1778ffb489d6' into HEAD | The Android Open Source Project
2013-11-15 | Add to selinux policy. | Robert Craig
Bring policy over from the mako board which has a lot of similar domains and services. mako is also a Qualcomm board which allows a lot of that policy to be directly brought over and applied. Included in this are some radio specific pieces. Though not directly applicable to flo, the deb board inherits this policy.
Change-Id: I6b294c7dc830189c08f1f981a239234a2c3f577f
2013-11-14 | am 844ca906: am adf59eed: am 409b90f8: Merge "Avoid logwrapper calls" | Nick Kralevich
* commit '844ca90669666dea9791994bf1e1fe2874157a7a': Avoid logwrapper calls
2013-11-14 | am adf59eed: am 409b90f8: Merge "Avoid logwrapper calls" | Nick Kralevich
* commit 'adf59eed02d281b43926e62d8cb250c5e84789e9': Avoid logwrapper calls
2013-11-14 | am 409b90f8: Merge "Avoid logwrapper calls" | Nick Kralevich
* commit '409b90f8507b9c967b2e443b72a9df9d45654fd8': Avoid logwrapper calls
2013-11-14 | Merge "Avoid logwrapper calls" | Nick Kralevich
2013-11-14 | am 4318e8bb: am 32c5e2e0: am 4cae6946: Merge "Drop incorrect param for socket creation." | Nick Kralevich
* commit '4318e8bb332c462f013051c7364bf9e607041e2b': Drop incorrect param for socket creation.
2013-11-14 | am 32c5e2e0: am 4cae6946: Merge "Drop incorrect param for socket creation." | Nick Kralevich
* commit '32c5e2e06578d8c0f8d6d771537143346d4976f3': Drop incorrect param for socket creation.
2013-11-14 | am 4cae6946: Merge "Drop incorrect param for socket creation." | Nick Kralevich
* commit '4cae69465c8cce60a00b6d9f00dd58e38b52f132': Drop incorrect param for socket creation.
2013-11-14 | Drop incorrect param for socket creation. | Robert Craig
The socket line in the service stanza doesn't support multiple groups. Adding multiple listed groups will conflict with setting the security context if used.
Change-Id: I4a9e91e6bd5e2d2997789af990f7e5315522dcaa
2013-11-13 | Avoid logwrapper calls | Robert Craig
Logwrapper is useful for debugging, but isn't intended to be kept on for production devices. Remove it.
Change-Id: I11c5aaf0cec65e162fcf9a6cc1785f3bc1ed17c1