Skip to content
Snippets Groups Projects
Select Git revision
  • 93f99cb1d940b83b076d7a1a4619c811f8029716
  • master default protected
  • android-7.1.2_r28_klist
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
41 results

Android.mk

  • Jeff Vander Stoep's avatar
    74434848
    Grant additional permissions for ASAN builds · 74434848
    Jeff Vander Stoep authored
    ASAN builds may require additional permissions to launch processes
    with ASAN wrappers. In this case, system_server needs permission to
    execute /system/bin/sh.
    
    Create with_asan() macro which can be used exclusively on debug
    builds. Note this means that ASAN builds with these additional
    permission will not pass the security portion of CTS - like any
    other debug build.
    
    Addresses:
    avc: denied { execute } for name="sh" dev="dm-0" ino=571
    scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0
    tclass=file
    
    Test: lunch aosp_marlin-userdebug;
          cd system/sepolicy; mm SANITIZE_TARGET=address;
          Verify permissions granted using with_asan() are granted.
    Test: lunch aosp_marlin-userdebug;
          cd system/sepolicy; mm;
          Verify permissions granted using with_asan() are not granted.
    Test: lunch aosp_marlin-user;
          cd system/sepolicy; mm SANITIZE_TARGET=address;
          Verify permissions granted using with_asan() are not granted.
    Bug: 36138508
    Change-Id: I6e39ada4bacd71687a593023f16b45bc16cd7ef8
    74434848
    History
    Grant additional permissions for ASAN builds
    Jeff Vander Stoep authored
    ASAN builds may require additional permissions to launch processes
    with ASAN wrappers. In this case, system_server needs permission to
    execute /system/bin/sh.
    
    Create with_asan() macro which can be used exclusively on debug
    builds. Note this means that ASAN builds with these additional
    permission will not pass the security portion of CTS - like any
    other debug build.
    
    Addresses:
    avc: denied { execute } for name="sh" dev="dm-0" ino=571
    scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0
    tclass=file
    
    Test: lunch aosp_marlin-userdebug;
          cd system/sepolicy; mm SANITIZE_TARGET=address;
          Verify permissions granted using with_asan() are granted.
    Test: lunch aosp_marlin-userdebug;
          cd system/sepolicy; mm;
          Verify permissions granted using with_asan() are not granted.
    Test: lunch aosp_marlin-user;
          cd system/sepolicy; mm SANITIZE_TARGET=address;
          Verify permissions granted using with_asan() are not granted.
    Bug: 36138508
    Change-Id: I6e39ada4bacd71687a593023f16b45bc16cd7ef8