Skip to content
Snippets Groups Projects
Select Git revision
  • android-7.1.2_r28_klist
  • master default protected
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
40 results
Search by author
  • Any Author
  • Werner Sembach Matombo
  • dex dex dex
2 authors
  1. Dec 10, 2016
    • Nick Kralevich's avatar
      remove more domain_deprecated · 6a259ccd
      Nick Kralevich authored 
      Test: no denials showing up in log collection
Test: device boots
Bug: 28760354
Change-Id: I089cfcf486464952fcbb52cce9f6152caf662c23
      6a259ccd
  3. Oct 06, 2016
    • dcashman's avatar
      Split general policy into public and private components. · cc39f637
      dcashman authored 
      Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
      cc39f637
  5. Feb 04, 2016
    • Jeff Sharkey's avatar
      Allow 'vdc' to be invoked with logwrapper. · 3ade7cef
      Jeff Sharkey authored 
      Currently vdc emits logs to stderr, which makes sense for command
line invocations, but when exec'ed they're silently dropped unless
the caller uses logwrapper.

avc: denied { read write } for path="/dev/pts/2" dev="devpts" ino=5 scontext=u:r:vdc:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0

Bug: 25796509
Change-Id: Ib92e0a7f580b1934a9853a83684f95b24bdc355c
      3ade7cef
  7. Nov 03, 2015
    • Jeff Vander Stoep's avatar
      Create attribute for moving perms out of domain · d22987b4
      Jeff Vander Stoep authored 
      Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
      d22987b4
  9. Jun 25, 2014
    • Nick Kralevich's avatar
      dumpstate: transition into vdc domain · c0d14767
      Nick Kralevich authored 
      dumpstate uses vdc to collect asec lists and do a vold dump.
Force a transition into the vdc domain when this occurs.

Addresses the following denial:

  <4>[ 1099.623572] type=1400 audit(1403716545.565:7): avc: denied { execute } for pid=6987 comm="dumpstate" name="vdc" dev="mmcblk0p8" ino=222 scontext=u:r:dumpstate:s0 tcontext=u:object_r:vdc_exec:s0 tclass=file permissive=0

Change-Id: I4bd9f3ad83480f8c9f9843ffe136295c582f96fe
      c0d14767
  11. Jun 21, 2014
    • Nick Kralevich's avatar
      Create vdc domain · bf8a37b8
      Nick Kralevich authored 
      The init.rc one-shot services "defaultcrypto" and "encrypt" call
out to the /system/bin/vdc command line to ask vold to perform
encryption operations. Create a new domain for these one-shot
services. Allow the vdc domain to talk to vold.

Change-Id: I73dc2ee4cc265bc16056b27307c254254940fd9f
      bf8a37b8