Skip to content
Snippets Groups Projects
Select Git revision
  • android-7.1.2_r28_klist
  • master default protected
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
40 results
Search by author
  • Any Author
  • Werner Sembach Matombo
  • dex dex dex
2 authors
  1. Jul 16, 2014
    • Colin Cross's avatar
      lmkd: allow removing cgroups and setting self to SCHED_FIFO · 2203fda5
      Colin Cross authored 
      Addresses the following selinux denials:
type=1400 audit(1405383429.107:22): avc: denied { remove_name } for pid=137 comm="lmkd" name="uid_10060" dev="cgroup" ino=18368 scontext=u:r:lmkd:s0 tcontext=u:object_r:cgroup:s0 tclass=dir permissive=0
type=1400 audit(1405383794.109:6): avc: denied { sys_nice } for pid=1619 comm="lmkd" capability=23 scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability permissive=0

(cherry picked from commit 53297318)

Change-Id: I7b6e5a396bf345c4768defd7b39af2435631a35b
      2203fda5
  3. Jul 15, 2014
    • Nick Kralevich's avatar
      Tweak rules for su domain. · caf347b5
      Nick Kralevich authored 
      1) Remove explicit allow statements. Since su is in permmissive,
there's no need to ever specify allow statements for su.

2) Remove unconfined_domain(su). Su is already permissive, so there's
no need to join the unconfined domain, and it just makes getting
rid of unconfined more difficult.

3) Put su into app_domain(). This addresses, in a roundabout sorta
way, the following denial:

  type=1400 audit(0.0:4): avc: denied { setsched } for scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=process permissive=0

which comes up while testing media processes as root. We already put
the shell user into this domain, so adding su to this domain ensures
other processes can communicate consistently with su spawned processes.

Bug: 16261280
Bug: 16298582

(cherry picked from commit 213bb45b)

Change-Id: If9c3483184ecdf871efee394c0b696e30f61d15d
      caf347b5
    • Riley Spahn's avatar
      Add access control for each service_manager action. · 344fc109
      Riley Spahn authored 
      Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

(cherry picked from commit b8511e0d)

Change-Id: I980d4a8acf6a0c6e99a3a7905961eb5564b1be15
      344fc109
    • Nick Kralevich's avatar
      fix system_server dex2oat exec · 10370f5f
      Nick Kralevich authored 
      Addresses the following denial:

  W/system_server( 2697): type=1400 audit(0.0:9): avc: denied { execute } for name="dex2oat" dev="mmcblk0p31" ino=118 scontext=u:r:system_server:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file permissive=0

Bug: 16317188
Change-Id: I168842b3e281efcb0632049632ed3817c2025e4d
      10370f5f
    • Ed Heyl's avatar
      reconcile aosp (c103da87) after branching. Please do not merge. · 8ee37b4f
      Ed Heyl authored 
      Change-Id: Ic9dde806a30d3e7b9c4a066f247a9207fe9b94b4
      8ee37b4f
    • Ed Heyl's avatar
      reconcile aosp (3a8c5dc0) after branching. Please do not merge. · 81839dfb
      Ed Heyl authored 
      Change-Id: Ic8ee83ed6ffef02bddd17e1175416fc2481db7b2
      81839dfb
    • Ed Heyl's avatar
      reconcile aosp (a7c04dcd) after branching. Please do not merge. · 7563a6f1
      Ed Heyl authored 
      Change-Id: I35be7a7df73325fba921b8a354659b2b2a3e06e7
      7563a6f1
    • Ed Heyl's avatar
      reconcile aosp (4da3bb14) after branching. Please do not merge. · e9c90bdd
      Ed Heyl authored 
      Change-Id: Idcd252e39b2c4829201c93b6c99cf368adcb405e
      e9c90bdd
  5. Jul 14, 2014
    • Nick Kralevich's avatar
      DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true · 2aa727e3
      Nick Kralevich authored 
      Force any experimental SELinux domains (ones tagged with
"permissive_or_unconfined") into unconfined. This flag is
intended to be flipped when we're preparing a release,
to eliminate inconsistencies between user and userdebug devices,
and to ensure that we're enforcing a minimal set of rules for all
SELinux domains.

Without this change, our user builds will behave differently than
userdebug builds, complicating testing.

Change-Id: I52fd5fbe30a7f52f1143f176915ce55fb6a33f87
      2aa727e3
  7. Jul 11, 2014
  9. Jul 10, 2014
  11. Jul 09, 2014
    • Jeff Sharkey's avatar
      Let DCS read staged APK clusters. · d3356826
      Jeff Sharkey authored 
      DCS is DefaultContainerService.

avc: denied { getattr } for path="/data/app/vmdl2.tmp"
    dev="mmcblk0p28" ino=162910 scontext=u:r:platform_app:s0
    tcontext=u:object_r:apk_tmp_file:s0 tclass=dir

Bug: 14975160
Change-Id: Ifca9afb4e74ebbfbeb8c01e1e9ea65f5b55e9375
      d3356826