Skip to content
Snippets Groups Projects
Select Git revision
  • android-7.1.2_r28_klist
  • master default protected
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
40 results
Search by author
  • Any Author
  • Werner Sembach Matombo
  • dex dex dex
2 authors
  1. Mar 28, 2016
    • Daichi Hirono's avatar
      Add mlstrustedobject to appfuse object type. · 4d19f98c
      Daichi Hirono authored 
      To write bytes to appfuse file from priv_app, we need to specify
mlstrustedobject.
The CL fixes the following denial.

type=1400 audit(0.0:77): avc: denied { write } for name="10" dev="fuse" ino=10 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:app_fuse_file:s0 tclass=file permissive=0

BUG=23093747

Change-Id: I9901033bb3349d5def0bd7128db45a1169856dc1
      4d19f98c
  3. Mar 25, 2016
  5. Mar 24, 2016
    • dcashman's avatar
      Move sysfs_thermal to global policy and grant access. · df72abb3
      dcashman authored 
      sysfs_thermal nodes are common enough to warrant an entry in global
policy and the new HardwarePropertiesManagerService exists explicitly to
expose some of this information.

Address the following denials:
avc: denied { search } for name="thermal" dev="sysfs" ino=17509 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=1
avc: denied { read } for name="temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { getattr } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1

(cherry-pick of internal commit: 98eff7c3)

Bug: 27809332
Change-Id: I6f812a7e281e348aa24c76b119e71ed95e1a1d9f
      df72abb3
    • Mark Salyzyn's avatar
      Add recovery_persist & recovery_refresh · 16fe52c9
      Mark Salyzyn authored 
      One time executables. recovery_refresh can be used at any time to
ensure recovery logs in pmsg are re-placed at the end of the FIFO.
recovery_persist takes the recovery logs in pmsg and drops them
into /data/misc/recovery/ directory.

Bug: 27176738
Change-Id: Ife3cf323930fb7a6a5d1704667961f9d42bfc5ac
      16fe52c9
  7. Mar 22, 2016
  9. Mar 21, 2016
  11. Mar 17, 2016
  13. Mar 16, 2016
    • Evgenii Stepanov's avatar
      Add /data/lib64, /data/vendor/lib64 to ASan sepolicy. · dda55908
      Evgenii Stepanov authored 
      This policy takes effect only when building with
SANITIZE_TARGET=address and allows the Zygote to load libraries from
/data. That's where ASan-instrumented copies of system libraries are
located. 32-bit library directories have been added a while back;
this CL extends the same policy to 64-bit directories.

Bug: 25751174

Change-Id: Ieb4701b78db9649ec8563f2962a69db537ae61b3
      dda55908
  15. Mar 14, 2016
    • dcashman's avatar
      Mark batteryproperties service as app_api_service. · 9ed71eff
      dcashman authored 
      Applications do not explicitly request handles to the batteryproperties
service, but the BatteryManager obtains a reference to it and uses it
for its underlying property queries.  Mark it as an app_api_service so
that all applications may use this API.  Also remove the batterypropreg
service label, as this does not appear to be used and may have been a
duplication of batteryproperties.  As a result, remove the
healthd_service type and replace it with a more specific
batteryproperties_service type.

Bug: 27442760
Change-Id: I5c0f9d7992ff2ec64adaeef22356e88fd0e8169c
      9ed71eff
    • dcashman's avatar
      Create sysfs_hwrandom type. · f100b2c4
      dcashman authored 
      HwRngTest needs access to the hwrandom sysfs files, but untrused_app
does not have access to sysfs.  Give these files their own label and
allow the needed read access.

(cherry-pick from internal commit: 85c0f8af)

Bug: 27263241
Change-Id: If572ad0931a534d76e148b688b76687460e99af9
      f100b2c4
  17. Mar 11, 2016
  19. Mar 10, 2016
    • dcashman's avatar
      Allow domains to getattr proc lnk_file. · f4c403d1
      dcashman authored 
      Many permissions were removed from untrusted_app by the removal of
domain_deprecated, including procfs access. procfs file access was restored,
however, but not completely.  Add the ability to getattr to all domains,
so that other domains which lost domain_deprecated may benefit, as they
will likely need it.

Bug: 27249037
Change-Id: Id3f5e6121548b29d739d5e0fa6ccdbc9f0fc29be
      f4c403d1
    • Josh Gao's avatar
      Merge "Allow debuggerd to send SIGKILL." · 07e6b041
      Josh Gao authored
      07e6b041
  21. Mar 09, 2016
  23. Mar 07, 2016
  25. Mar 04, 2016
  27. Mar 03, 2016
    • Stephen Smalley's avatar
      Update netlink socket classes. · d27df960
      Stephen Smalley authored 
      am: 01d95c23

* commit '01d95c23':
  Update netlink socket classes.
      d27df960
    • Stephen Smalley's avatar
      Update netlink socket classes. · 01d95c23
      Stephen Smalley authored 
      
Define new netlink socket security classes introduced by upstream kernel commit
6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 ("selinux: update netlink socket
classes").  This was merged in Linux 4.2 and is therefore only required
for Android kernels based on 4.2 or newer (e.g. the android-4.4 branch
of the kernel/common tree).

Add the new socket classes to socket_class_set.
Add an initial set of allow rules although further refinement
will likely be necessary.  Any allow rule previously written
on :netlink_socket may need to be rewritten or duplicated for
one or more of the more specific classes.  For now, we retain
the existing :netlink_socket rules for compatibility on older kernels.

Change-Id: I5040b30edd2d374538490a080feda96dd4bae5bf
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      01d95c23
  29. Mar 02, 2016
    • Alex Deymo's avatar
      New postinstall domain and rules to run post-install program. · 6cb2c893
      Alex Deymo authored 
      When using the A/B updater, a device specific hook is sometimes needed
to run after the new partitions are updated but before rebooting into
the new image. This hook is referred to throughout the code as the
"postinstall" step.

This patch creates a new execution domain "postinstall" which
update_engine will use to run said hook. Since the hook needs to run
from the new image (namelly, slot "B"), update_engine needs to
temporarly mount this B partition into /postinstall and then run a
program from there.

Since the new program in B runs from the old execution context in A, we
can't rely on the labels set in the xattr in the new filesystem to
enforce the policies baked into the old running image. Instead, when
temporarily mounting the new filesystem in update_engine, we override
all the new file attributes with the new postinstall_file type by
passing "context=u:object_r:postinstall_file:s0" to the mount syscall.
This allows us to set new rules specific to the postinstall environment
that are consistent with the rules in the old system.

Bug: 27177071
TEST=Deployed a payload with a trivial postinstall script to edison-eng.

Change-Id: Ib06fab92afb45edaec3c9c9872304dc9386151b4
      6cb2c893
    • Nick Kralevich's avatar
      suppress unnecessary makefile output · 1274aa15
      Nick Kralevich authored 
      am: 6ef10bd4

* commit '6ef10bd4':
  suppress unnecessary makefile output
      1274aa15
  31. Mar 01, 2016
    • Nick Kralevich's avatar
      suppress unnecessary makefile output · 6ef10bd4
      Nick Kralevich authored 
      checkpolicy spits out a bunch of unnecessary lines during normal
operation, which bloat the logs and hide other more important
warnings. Suppress the normal output.

SELinux compile time errors are printed to stderr, and are
uneffected by this change.

Change-Id: I07f2cbe8afcd14abf1c025355a169b5214ed5c6e
      6ef10bd4
  33. Feb 29, 2016
    • Nick Kralevich's avatar
      Allow bluetooth access to the tun device. · 087601e0
      Nick Kralevich authored 
      am: 9a1347ee

* commit '9a1347ee':
  Allow bluetooth access to the tun device.
      087601e0
    • Nick Kralevich's avatar
      Allow bluetooth access to the tun device. · 9a1347ee
      Nick Kralevich authored 
      Bluetooth uses the tun device for tethering. Allow access.

  STEPS TO REPRODUCE:
  0. Have two devices to test on, say Device A and Device B
  1. On Device A, Go to settings ->Bluetooth .
  2. Turn on the Bluetooth .
  3. Pair it with device B
  4. Tap on the paired device

  OBSERVED RESULTS:
  -Bluetooth share crash is observed with "Bluetooth share has stopped"
  error message
  -Unable to use Bluetooth tethering due to this issue

  EXPECTED RESULTS:
  No crash and Bluetooth devices should be able to connect for tethering

Addresses the following denial:

com.android.bluetooth: type=1400 audit(0.0:131): avc: denied { open }
for comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs"
ino=12340 scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0
tclass=chr_file permissive=0

Bug: 27372573
Change-Id: I07724d8d68ffcdda691f1179787a4f40a0ab1c73
      9a1347ee
  35. Feb 27, 2016
    • Nick Kralevich's avatar
      Don\'t allow permissive SELinux domains on user builds. · 0551e9e8
      Nick Kralevich authored 
      am: bca98efa

* commit 'bca98efa':
  Don't allow permissive SELinux domains on user builds.
      0551e9e8
    • Nick Kralevich's avatar
      Don't allow permissive SELinux domains on user builds. · bca98efa
      Nick Kralevich authored 
      It's a CTS requirement that all SELinux domains be in
enforcing mode. Add the same assertion to the build system
when targeting user builds.

In particular, this avoids a situation where device integrity
checking is enabled on user builds, but permissive denials
are being generated, causing the device to unexpectedly reboot
into safe mode.

A developer wanting to put an SELinux domain into permissive
mode for userdebug/eng purposes can write the following
in their policy:

  userdebug_or_eng(`
    permissive foo;
  ')

Bug: 26902605
Bug: 27313768
Change-Id: Ic0971d9e96a28f2a98f9d56a547661d24fb81a21
      bca98efa
  37. Feb 24, 2016
  39. Feb 23, 2016
  41. Feb 22, 2016
    • Tao Bao's avatar
      Add recovery service. · fe06f87e
      Tao Bao authored 
      am: 65b5fde9

* commit '65b5fde9':
  Add recovery service.
      fe06f87e
    • Tao Bao's avatar
      Add recovery service. · 65b5fde9
      Tao Bao authored 
      RecoverySystemService is separated from PowerManagerService as a
dedicated system service to handle recovery related requests (such as
invoking uncrypt to uncrypt an OTA package on /data or to set up /
clear the bootloader control block (i.e. /misc) and etc).

The matching CL in frameworks/base is in:
  Change-Id: Ic606fcf5b31c54ce54f0ab12c1768fef0fa64560.

Bug: 26830925
Change-Id: Iee0583c458f784bfa422d0f7af5d1f2681d9609e
      65b5fde9
  43. Feb 19, 2016