- Jan 20, 2018
-
-
Badhri Jagan Sridharan authoredSepolicy for the usb daemon. (ag/3373886/) Bug: 63669128 Test: Checked for avc denial messages. Change-Id: I6e2a4ccf597750c47e1ea90c4d43581de4afa4af
-
Tri Vo authored
Bug: 65643247 Test: manual Test: browse internet Test: take a picture Change-Id: I9faff44b7a025c7422404d777113e40842ea26dd
-
Treehugger Robot authored
-
- Jan 19, 2018
-
-
Tao Bao authored
system_update service manages system update information: system updater (priv_app) publishes the pending system update info through the service, while other apps can read the info accordingly (design doc in go/pi-ota-platform-api). This CL adds the service type, and grants priv_app to access the service. Bug: 67437079 Test: Build and flash marlin image. The system_update service works. Change-Id: I7a3eaee3ecd3e2e16b410413e917ec603566b375
-
Yifan Hong authored
-
Daniel Rosenberg authored
Test: esdfs should be mountable and usable with selinux on Bug: 63876697 Change-Id: I7a1d96d3f0d0a6dbc1c98f0c4a96264938011b5e
-
Treehugger Robot authored
-
Treehugger Robot authored
-
Treehugger Robot authored
-
Treehugger Robot authored
-
Yifan Hong authored
Test: boots Test: hwservicemanager can read these files Bug: 36790901 Change-Id: I0431a7f166face993c1d14b6209c9b502a506e09
-
Badhri Jagan Sridharan authored
Bug: 63669128 Test: Checked for avc denail messages. Change-Id: I057b3cf9ccc945cb943b9cf60fc9cd6c023eddda Merged-In: I057b3cf9ccc945cb943b9cf60fc9cd6c023eddda
-
Tri Vo authored
-
Treehugger Robot authored
-
Treehugger Robot authored
-
Jaekyun Seok authored
-
Treehugger Robot authored
-
Steven Moreland authored
Bug: 70846424 Test: neverallow not tripped Change-Id: I9e351ee906162a594930b5ab300facb5fe807f13
-
Yifan Hong authored
Test: charger mode correctly shuts off when unplugged Change-Id: I06a7ffad67beb9f6d9642c4f53c35067b0dc2b3d Fixes: 71328882
-
- Jan 18, 2018
-
-
Treehugger Robot authored
-
Jaekyun Seok authored
Bug: 72154054 Test: tested with walleye Change-Id: I35271c6044946c4ec639409c914d54247cfb9f79
-
Tri Vo authored
Bug: 65643247 Test: builds, the change doesn't affect runtime behavior. Change-Id: I621a8006db7074f124cb16a12662c768bb31e465
-
Tri Vo authored
-
Treehugger Robot authored
-
Pavel Grafov authored
This is needed to allow system apps to know whether security logging is enabled, so that they can in this case log additional audit events. Test: logged a security event from locally modified KeyChain app. Bug: 70886042 Change-Id: I9e18d59d72f40510f81d1840e4ac76a654cf6cbd
-
Jeff Vander Stoep authored
avc: denied { read } scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:proc_version:s0 tclass=file avc: denied { read } scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:wifi_prop:s0 tclass=file avc: denied { read } scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:net_dns_prop:s0 tclass=file Bug: 72151306 Test: build Change-Id: I4b658ccd128746356f635ca7955385a89609eea1 -
Jaekyun Seok authored
Since /odm is an extension of /vendor, its default property contexts should be consistent with ones of /vendor. Bug: 36796459 Test: tested on wahoo devices Change-Id: Ia67ebe81e9c7102aab35a34f14738ed9a24811d3
-
Treehugger Robot authored
-
Tri Vo authored
Bug: 62041836 Test: policies for internal devices build successfully Change-Id: I6856c0ab9975210efd5b4bed17c103ba3364d1ab
-
- Jan 17, 2018
-
-
Tri Vo authored
-
Chenbo Feng authored
Add a new set of sepolicy for the process that only netd use to load and run ebpf programs. It is the only process that can load eBPF programs into the kernel and is only used to do that. Add some neverallow rules regarding which processes have access to bpf objects. Test: program successfully loaded and pinned at sys/fs/bpf after device boot. No selinux violation for bpfloader Bug: 30950746 Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f
-
Tri Vo authored
CpuFrequency.java seems to be the only thing that depends on /sys/devices/system/cpu in system_server. And according to b/68988722#comment15, that dependency is not exercised. Bug: 68988722 Test: walleye boots without denials to sysfs_devices_system_cpu Change-Id: If777b716bf74188581327b7f5aa709f5d88aad2d
-
Tri Vo authored
Bug: 62041836 Test: sailfish sepolicy builds Change-Id: Iad865fea852ab134dd848688e8870bc71f99788d
-
Andy Hung authored
Test: adb bugreport Bug: 71483452 Change-Id: Ibd98702c1f757f17ada61a906ae4e0ec750aac79
-
Yang Ni authored
-
Jeffrey Vander Stoep authored
-
Treehugger Robot authored
-
Svet Ganov authored
If a UID is in an idle state we don't allow recording to protect user's privacy. If the UID is in an idle state we allow recording but report empty data (all zeros in the byte array) and once the process goes in an active state we report the real mic data. This avoids the race between the app being notified aboout its lifecycle and the audio system being notified about the state of a UID. Test: Added - AudioRecordTest#testRecordNoDataForIdleUids Passing - cts-tradefed run cts-dev -m CtsMediaTestCases -t android.media.cts.AudioRecordTest bug:63938985 Change-Id: I8c044e588bac4182efcdc08197925fddf593a717 -
Treehugger Robot authored
-
Jeff Vander Stoep authored
There is a race condition between when /data is mounted and when processes attempt to access it. Attempting to access /data before it's mounted causes an selinux denial. Attribute these denials to a bug. 07-04 23:48:53.646 503 503 I auditd : type=1400 audit(0.0:7): avc: denied { search } for comm="surfaceflinger" name="/" dev="sda35" ino=2 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0 07-15 17:41:18.100 582 582 I auditd : type=1400 audit(0.0:4): avc: denied { search } for comm="BootAnimation" name="/" dev="sda35" ino=2 scontext=u:r:bootanim:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0 Bug: 68864350 Test: build Change-Id: I07f751d54b854bdc72f3e5166442a5e21b3a9bf5
-