- Feb 14, 2017
-
-
Michael Peck authoredam: f54b3622 Change-Id: I0a304ed2b5591e58b0e39b37cb9fb8f392fe663b
-
Michael Peck authored
This new input selector allows phasing in new security policies by giving app developers an opportunity to make any needed compatibility changes before updating each app's targetSdkVersion. When all else is equal, matching entries with higher minTargetSdkVersion= values are preferred over entries with lower minTargetSdkVersion= values. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Change-Id: I14bf4f51dbe26cb9bd3f62ad0b281085441d9806
-
-
Treehugger Robot authored
-
Steven Moreland authored
am: ee2faadc Change-Id: Ic12fe80e16972a172092291058c12dd53c95ee14
-
Treehugger Robot authored
-
Steven Moreland authored
am: d734f151 Change-Id: I600ecaf5fac9401db036a733a7afa186f6de7eb2
-
Steven Moreland authored
-
Paul Lawrence authored
am: ff5784f3 Change-Id: Ieb6e5cc4711add33fbd7b276bbbd362f249fb51e
-
Pawin Vongmasa authored
am: 5b4f15e1 Change-Id: Ic7c0de32ac3970c000062bc35bb0c50254510b3a
-
Treehugger Robot authored
-
Pawin Vongmasa authored
-
- Feb 13, 2017
-
-
Steven Moreland authored
Update shell.te to reflect the fact that hwbinder_user permission is for lshal, not dumpsys. Bug: 33382892 Test: pass Change-Id: I1d298261cea82177436a662afbaa767f00117b16
-
Steven Moreland authored
Bug: 34135607 Test: hals work Merged-In: I6a1f87438bb5b540fce900e9ec5df07d3f4f6bd4 Change-Id: I6a1f87438bb5b540fce900e9ec5df07d3f4f6bd4
-
-
Treehugger Robot authored
-
Nick Kralevich authored
am: 4cae28d4 Change-Id: Ie22e0c2a1c84188666a38dba21129e7547d83fbc
-
Chia-I Wu authored
Bug: 35210697 Test: manual Change-Id: I0e1e8923851f668d5fe6c210f411a8e4ff0470c7
-
Paul Lawrence authored
Don't audit directory writes to sysfs since they cannot succees and therefore cannot be a security issue Bug: 35303861 Test: Make sure denial is no longer shown Change-Id: I1f31d35aa01e28e3eb7371b1a75fc4090ea40464
-
- Feb 12, 2017
-
-
Nick Kralevich authored
On boot, Android runs restorecon on a number of virtual directories, such as /sys and /sys/kernel/debug, to ensure that the SELinux labels are correct. To avoid causing excessive boot time delays, the restorecon code aggressively prunes directories, to avoid recursing down directory trees which will never have a matching SELinux label. See: * https://android-review.googlesource.com/93401 * https://android-review.googlesource.com/109103 The key to this optimization is avoiding unnecessarily broad regular expressions in file_contexts. If an overly broad regex exists, the tree pruning code is ineffective, and the restorecon ends up visiting lots of unnecessary directories. The directory /sys/kernel/debug/tracing contains approximately 4500 files normally, and on debuggable builds, this number can jump to over 9000 files when the processing from wifi-events.rc occurs. For comparison, the entire /sys/kernel/debug tree (excluding /sys/kernel/debug/tracing) only contains approximately 8000 files. The regular expression "/sys/kernel(/debug)?/tracing/(.*)?" ends up matching a significant number of files, which impacts boot performance. Instead of using an overly broad regex, refine the regex so only the files needed have an entry in file_contexts. This list of files is essentially a duplicate of the entries in frameworks/native/cmds/atrace/atrace.rc . This change reduces the restorecon_recursive call for /sys/kernel/debug from approximately 260ms to 40ms, a boot time reduction of approximately 220ms. Bug: 35248779 Test: device boots, no SELinux denials, faster boot. Change-Id: I70f8af102762ec0180546b05fcf014c097135f3e
-
Nick Kralevich authored
am: 6ebcfe47 Change-Id: I6999a1aaf79a559e0477166523ee71cfbfeb3a1b
-
- Feb 11, 2017
-
-
Nick Kralevich authored
Use the default filesystem label from genfs_contexts for the directory /sys/kernel/debug/tracing and /sys/kernel/tracing, instead of explicitly attempting to relabel it. There are three cases we need to consider: 1) Old-style tracing functionality is on debugfs 2) tracing functionality is on tracefs, but mounted under debugfs 3) tracefs is mounted at /sys/kernel/tracing For #1, the label on /sys/kernel/debug/tracing will be debugfs, and all processes are allowed debugfs:dir search, so having the label be debugfs instead of debugfs_tracing will not result in any permission change. For #2, the label on /sys/kernel/debug/tracing will be debugfs_tracing, which is the same as it is today. The empty directory /sys/kernel/tracing wlll retain the sysfs label, avoiding the denial below. For #3, /sys/kernel/debug/tracing won't exist, and /sys/kernel/tracing will have the debugfs_tracing label, where processes are allowed search access. Addresses the following denial: avc: denied { associate } for pid=1 comm="init" name="tracing" dev="sysfs" ino=95 scontext=u:object_r:debugfs_tracing:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem permissive=0 Bug: 31856701 Bug: 35197529 Test: no denials on boot Change-Id: I7233ea92c6987b8edfce9c2f1d77eb25c7df820f -
Pawin Vongmasa authored
Bug: 31399200 Test: Compiles Change-Id: Ifb347a985df5deb85426a54c435c4a9c0248cb57
-
Craig Donner authored
am: 3651bae6 Change-Id: Idbda0045c91888051350d77765d17f85d12d4046
-
Treehugger Robot authored
-
Craig Donner authored
There is only a single systemapi at the moment that is callable, and it is protected by a signature/preinstalled permission. (cherry picked from commit I778864afc9d02f8b2bfcf6b92a9f975ee87c4724) Bug: 35059826,33297721 Test: manually on a marlin Change-Id: I3789ce8238f5a52ead8f466dfa3045fbcef1958e
-
- Feb 10, 2017
-
-
Jeff Vander Stoep authored
am: e6ff034a Change-Id: I0cadd202cfa6f898df7ef4f8c128a91b4ff31675
-
Treehugger Robot authored
-
Nick Kralevich authored
am: d4f93469 Change-Id: Idc8dc4fb33c8c10f2398c01af22d29635e16e0d9
-
Jeff Vander Stoep authored
am: f5f0c596 Change-Id: Iec73c9ac8ad891b7054f2e15b6b5d7afc3950064
-
Treehugger Robot authored
-
Treehugger Robot authored
-
Nick Kralevich authored
am: b2513f98 Change-Id: I67af386f16cb643f3bb13c993c76728bc42d8516
-
Treehugger Robot authored
* changes: init.te: remove domain_deprecated Remove logspam
-
Jeff Vander Stoep authored
Addresses avc: denied { find } for service=vrmanager pid=472 uid=1000 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:vr_manager_service:s0 tclass=service_manager Test: Marlin builds and boots. Denial no longer observed. Bug: 35258608 Bug: 35197529 Change-Id: I480dff3fdaf01f71e29e96f08350f705c6a23bba -
-
Jeff Vander Stoep authored
avc: denied { read } for name="modalias" dev="sysfs" ino=17624 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file Test: Marlin builds and boots without this denial. Bug: 35197529 Change-Id: I3b64db571ac10c843f3765ed557ceac07bc6580e -
Treehugger Robot authored
-
Nick Kralevich authored
Make the policy smaller and less noisy on user builds by suppressing auditallow rules. Bug: 28760354 Test: policy compiles and device boots. No obvious problems. Change-Id: Iddf6f12f8ce8838e84b09b2f9f3f0c8b700543f5
-
Nick Kralevich authored
auditallows have been in place for a while, and no obvious denials. Remove domain_deprecated from init.te While I'm here, clean up the formatting of the lines in domain_deprecated.te. Bug: 28760354 Test: policy compiles and device boots. No obvious problems. Change-Id: Ia12e77c3e25990957abf15744e083eed9ffbb056
-