- Sep 26, 2017
-
-
TreeHugger Robot authored
-
Jeff Vander Stoep authored
am: 6b8088ba Change-Id: Id33c3e7f23b84fa10bad8c2ee7bf7c44265acc25
-
- Sep 25, 2017
-
-
Jeff Vander Stoep authored
It's used in CTS neverallow tests. Addresses: Warning! Type or attribute hal_cas_server used in neverallow undefined in policy being checked. Bug: 66910049 Test: build Change-Id: Ia185f266fc1e3cb87c39939fdd45d02efa6c2c94 Merged-In: I1092aff40da9dcf09bd044400bedd1f549eb7e38
-
Jeff Vander Stoep authored
am: 5d8b059f Change-Id: I511ddcdb2f8bec7b52985e25b0c9d4c8d763cf21
-
- Sep 23, 2017
-
-
Jeff Vander Stoep authored
These are no longer necessary as domain_deprecated has been removed in AOSP master. Bug: 66749762 Test: build Merged-In: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a Change-Id: I01878a4410f8cb3c97ff96c67845dfaa7b0051ce
-
- Sep 20, 2017
-
-
Robert Quattlebaum authored
Bug: b/64090883 Change-Id: I566a380db2f8f4d886252eee26181e37a4fb0d61
-
Robert Quattlebaum authored
* changes: RESTRICT AUTOMERGE: lowpan: Add wpantund to SEPolicy RESTRICT AUTOMERGE: lowpan: Added support for LoWPAN Service and android.hardware.lowpan
-
- Sep 19, 2017
-
-
Robert Quattlebaum authored
Bug: b/64399219 Test: Manual Change-Id: I4f6c7e4e3339ae95e43299bf364edff40d07c796
-
Robert Quattlebaum authored
Bug: b/64090883 Bug: b/33073713 Test: Manual Change-Id: I7aa23c31b1fccae56c1a0e0bd4cfe370aeb911dd
-
- Sep 18, 2017
-
-
Peng Xu authored
Added permission related to use of wake lock. Wakelock in sensor HAL is used to gurantee delivery of wake up sensor events before system go back to sleep. Bug: 63995095 Test: QCOM and nanohub sensor hal are able to acquire wakelock successfuly. Change-Id: Id4ac3552e18a1cad252017e3dc9ab3d4be8d4ab9 Merged-In: Id4ac3552e18a1cad252017e3dc9ab3d4be8d4ab9
- Sep 16, 2017
-
-
Jeff Vander Stoep authored
am: aa5f37da Change-Id: I2bf881164990b2517b81d3bf3b6560537dc94636
-
- Sep 15, 2017
-
-
Jeff Vander Stoep authored
Addresses: junit.framework.AssertionFailedError: The following errors were encountered when validating the SELinuxneverallow rule: neverallow { domain -adbd -dumpstate -hal_drm -hal_cas -init -mediadrmserver -recovery -shell -system_server } serialno_prop:file { getattr open read ioctl lock map }; Warning! Type or attribute hal_cas used in neverallow undefined in policy being checked. libsepol.report_failure: neverallow violated by allow mediaextractor serialno_prop:file { ioctl read getattr lock map open }; libsepol.report_failure: neverallow violated by allow mediacodec serialno_prop:file { ioctl read getattr lock map open }; libsepol.report_failure: neverallow violated by allow hal_cas_default serialno_prop:file { ioctl read getattr lock map open }; libsepol.check_assertions: 3 neverallow failures occurred Bug: 65681219 Test: build Change-Id: I2a6445d6372ee4e768cc2cea2140c6de97707a74 Merged-In: I1092aff40da9dcf09bd044400bedd1f549eb7e38
-
- Sep 11, 2017
-
- Sep 01, 2017
-
-
Ray Essick authored
am: 123cf237 Change-Id: Ic6b60c2168b9f5b75cbeaeebee2acd5310df489d
-
Ray Essick authored
-
Jeff Vander Stoep authored
am: 15f9d052 Change-Id: I0c1390ade37884ff86a8089d25c9cce794b31877
-
Robert Benea authored
am: ba4d04e0 Change-Id: I54773febe86aeb79eba33494f5481762f2698584
-
TreeHugger Robot authored
-
TreeHugger Robot authored
-
Steven Moreland authored
am: 60e53837 Change-Id: I43de8298c9dac061ca6fbd81e17fb4b8eed904c3
-
Steven Moreland authored
am: f606a51e Change-Id: Id385d64ac63bee08c1457f0a003718ecb03546ea
-
Steven Moreland authored
am: 9c571765 Change-Id: I6ea1d962cf03ee18102e22d29df59749afc3d5bd
-
Jeff Vander Stoep authored
Allows groups to be mounted at /dev/memcg Addresses: avc: denied { associate } for comm="init" name="memcg" scontext=u:object_r:cgroup:s0 tcontext=u:object_r:tmpfs:s0 tclass=filesystem permissive=0 Bug: 64067152 Test: build Change-Id: Ic8f641e841fe09c8f7fd487ed67cf0ab4860a1cc
-
Robert Benea authored
Currently lmkd is not able to read memcg info. The mem/swap usage info are used by lmkd to ugrade medium pressure events to critical level. Test: tested on gobo Bug: 65180281 Change-Id: I19d0eb53d5e754c176ffeda1b5d07049e6af8570
-
Steven Moreland authored
This reverts commit f27bba93. Bug: 65206688 Change-Id: I8e61b77a1abe9543e4fba77defb8062407676fcf
-
Steven Moreland authored
This reverts commit c12c7349. Bug: 65206688 Change-Id: Ia2a04906f8585bf295b8c75e0b3d09490afb5d24
-
Steven Moreland authored
This reverts commit b5dd44b1. Bug: 65206688 Change-Id: I00431ae7834a562e34e8959446d84a0077834091
-
Steven Moreland authored
am: b5dd44b1 Change-Id: I8343f7bd5caa8d51fde608464b4a98e7fd99ae62
-
- Aug 31, 2017
-
-
Steven Moreland authored
screencap domain needs additional permissions for dumpstate to dump screenshots. Test: adb shell cmd activity bug-report Bug: 65206688 Change-Id: I824f345fd90d286454d570576c5888d7719c4c5c
-
Steven Moreland authored
am: c12c7349 Change-Id: I254f296e81225510d909d8bab8e20e648b2d18df
-
Ray Essick authored
relax the sepolicy for media.metrics to allow access to package manager for uid->packagename mapping functionality. Bug: 65027506 Test: read output of 'dumpsys media.metrics' Change-Id: I0d25af16c06dc65154cfda854e28ab70ada097c4
-
Steven Moreland authored
Before screencap was in its own domain, it was able to do this by using all of shell's permissions. The following denials are caused (along with times from running the below test command) when screencap is invoked to write a file onto the sdcard: 08-30 21:03:32.009 4986 4986 I screencap: type=1400 audit(0.0:23): avc: denied { read } for name="primary" dev="tmpfs" ino=19547 scontext=u:r:screencap:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file permissive=1 08-30 21:03:32.009 4986 4986 I screencap: type=1400 audit(0.0:24): avc: denied { search } for name="/" dev="tmpfs" ino=19529 scontext=u:r:screencap:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1 08-30 21:03:32.009 4986 4986 I screencap: type=1400 audit(0.0:25): avc: denied { search } for name="user" dev="tmpfs" ino=19535 scontext=u:r:screencap:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir permissive=1 08-30 21:03:32.009 4986 4986 I screencap: type=1400 audit(0.0:26): avc: denied { read } for name="primary" dev="tmpfs" ino=31198 scontext=u:r:screencap:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=lnk_file permissive=1 08-30 21:03:32.009 4986 4986 I screencap: type=1400 audit(0.0:27): avc: denied { search } for name="/" dev="sdcardfs" ino=1310722 scontext=u:r:screencap:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=1 08-30 21:03:32.009 4986 4986 I screencap: type=1400 audit(0.0:28): avc: denied { write } for name="image.png" dev="sdcardfs" ino=1310764 scontext=u:r:screencap:s0 tcontext=u:object_r:sdcardfs:s0 tclass=file permissive=1 08-30 21:03:32.009 4986 4986 I screencap: type=1400 audit(0.0:29): avc: denied { open } for path="/storage/emulated/0/image.png" dev="sdcardfs" ino=1310764 scontext=u:r:screencap:s0 tcontext=u:object_r:sdcardfs:s0 tclass=file permissive=1 08-30 21:03:32.009 4986 4986 I screencap: type=1400 audit(0.0:30): avc: denied { write open } for path="/data/media/0/image.png" dev="sda45" ino=1310764 scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=1 08-30 21:03:32.582 4990 4990 I screencap: type=1400 audit(0.0:31): avc: denied { execute } for name="sh" dev="dm-0" ino=998 scontext=u:r:screencap:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1 08-30 21:03:32.582 4990 4990 I screencap: type=1400 audit(0.0:32): avc: denied { read open } for path="/system/bin/sh" dev="dm-0" ino=998 scontext=u:r:screencap:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1 08-30 21:03:32.582 4990 4990 I screencap: type=1400 audit(0.0:33): avc: denied { execute_no_trans } for path="/system/bin/sh" dev="dm-0" ino=998 scontext=u:r:screencap:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1 08-30 21:03:32.582 4990 4990 I sh : type=1400 audit(0.0:34): avc: denied { getattr } for path="/system/bin/sh" dev="dm-0" ino=998 scontext=u:r:screencap:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1 08-30 21:03:32.586 4990 4990 I sh : type=1400 audit(0.0:35): avc: denied { ioctl } for path="socket:[57515]" dev="sockfs" ino=57515 ioctlcmd=5401 scontext=u:r:screencap:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=1 08-30 21:03:32.586 4990 4990 I sh : type=1400 audit(0.0:36): avc: denied { getattr } for path="socket:[57515]" dev="sockfs" ino=57515 scontext=u:r:screencap:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=1 08-30 21:03:32.589 4991 4991 I sh : type=1400 audit(0.0:37): avc: denied { execute_no_trans } for path="/system/bin/am" dev="dm-0" ino=1178 scontext=u:r:screencap:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 08-30 21:03:32.739 4992 4992 I cmd : type=1400 audit(0.0:38): avc: denied { call } for scontext=u:r:screencap:s0 tcontext=u:r:system_server:s0 tclass=binder permissive=1 08-30 21:03:32.739 4992 4992 I cmd : type=1400 audit(0.0:39): avc: denied { use } for path="/dev/null" dev="tmpfs" ino=19514 scontext=u:r:system_server:s0 tcontext=u:r:screencap:s0 tclass=fd permissive=1 08-30 21:03:32.739 4992 4992 I cmd : type=1400 audit(0.0:40): avc: denied { transfer } for scontext=u:r:screencap:s0 tcontext=u:r:system_server:s0 tclass=binder permissive=1 08-30 21:03:32.741 575 575 E SELinux : avc: denied { find } for service=activity pid=4992 uid=2000 scontext=u:r:screencap:s0 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=1 08-30 21:03:32.749 837 837 I Binder:837_9: type=1400 audit(0.0:41): avc: denied { call } for scontext=u:r:system_server:s0 tcontext=u:r:screencap:s0 tclass=binder permissive=1 If /data/media/ is deleted, the following denials also occur: 08-31 00:45:45.966 8899 8899 I screencap: type=1400 audit(0.0:43): avc: denied { search } for name="0" dev="sda45" ino=1310728 scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1 08-31 00:45:45.966 8899 8899 I screencap: type=1400 audit(0.0:44): avc: denied { read open } for path="/data/media/0" dev="sda45" ino=1310728 scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1 08-31 00:45:45.966 8899 8899 I screencap: type=1400 audit(0.0:48): avc: denied { write } for name="0" dev="sda45" ino=1310728 scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1 08-31 00:45:45.966 8899 8899 I screencap: type=1400 audit(0.0:49): avc: denied { add_name } for name="image.png" scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1 08-31 00:45:45.966 8899 8899 I screencap: type=1400 audit(0.0:50): avc: denied { create } for name="image.png" scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=1 08-31 00:45:45.966 8899 8899 I screencap: type=1400 audit(0.0:51): avc: denied { setattr } for name="image.png" dev="sda45" ino=1310764 scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=1 08-31 00:45:45.966 8899 8899 I screencap: type=1400 audit(0.0:53): avc: denied { write open } for path="/data/media/0/image.png" dev="sda45" ino=1310764 scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=1 08-31 01:04:29.741 6625 6625 W screencap: type=1400 audit(0.0:23): avc: denied { write } for name="0" dev="sdcardfs" ino=655364 scontext=u:r:screencap:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=0 Test: adb shell screencap -p /sdcard/phone.png Bug: 65206688 Change-Id: I808429b25fa3118fef7931050ab757c9bcd61881
-
- Aug 29, 2017
-
-
Martijn Coenen authored
am: 4d3df312 Change-Id: Ia5490934824eb2ff4c99d6143b3e15012f4dc82e
-
TreeHugger Robot authored
-
Tomasz Wasilczyk authored
am: 4f6e5b98 Change-Id: I9b9142f1bc2a467c365481f4f34b5a308b93de5d
-
Tomasz Wasilczyk authored
-
Jeff Vander Stoep authored
am: e14d6a98 Change-Id: Ie5fcb6dcdcc67f13907fa404fe9124a6e9113326
-
TreeHugger Robot authored
-
Jeff Vander Stoep authored
This is needed to retain app's previous access to /sys/devices/system/cpu. When these files were previously labeled in file_contexts, symlinks were labeled as sysfs_devices_system_cpu. When labeling was moved to genfs_contexts symlinks all have the default sysfs label. avc: denied { getattr } for comm="main" path="/sys/devices/system/cpu/cpu0/cpufreq" dev="sysfs" ino=41897 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=lnk_file permissive=0 Change-Id: Idaa565390bca13d3819e147fcea4214956c0f589 Bug: 64270911 Test: build aosp_marlin (cherry picked from commit 8d021a94)
-