- Apr 20, 2018
-
-
Paul Crowley authoredBug: 77335096 Test: booted device with metadata encryption and without Change-Id: I5bc5d46deb4e91912725c4887fde0c3a41c9fc91
-
- Apr 17, 2018
-
-
Bookatz authored
Statsd sepolicy hal_health Statsd monitors battery capacity, which requires calls to the health hal. Fixes: 77923174 Bug: 77916472 Test: run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.atom.HostAtomTests#testFullBatteryCapacity Merged-In: I2d6685d4b91d8fbc7422dfdd0b6ed96bbddc0886 Change-Id: I767068c60cff6c1baba615d89186705107531c02
-
- Apr 16, 2018
-
-
Joel Galenson authored
After adding a new user, deleting it, and rebooting, some of the user's data still remained. This adds the SELinux permissions necessary to remove all of the data. It fixes the followign denials: avc: denied { rmdir } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir avc: denied { unlink } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=file Bug: 74866238 Test: Create user, delete user, reboot user, see no denials or leftover data. Change-Id: Ibc43bd2552b388a9708bf781b5ad206f21df62dc (cherry picked from commit 254a872c) -
Joel Galenson authored
This adds numerous bug_map entries to try to annotate all denials we've seen. Bug: 78117980 Test: Build Change-Id: I1da0690e0b4b0a44d673a54123a0b49a0d115a49 (cherry picked from commit f55786cf)
-
Jeff Sharkey authored
We're adding support for OEMs to ship exFAT, which behaves identical to vfat. Some rules have been manually enumerating labels related to these "public" volumes, so unify them all behind "sdcard_type". Test: atest Bug: 67822822 Change-Id: I09157fd1fc666ec5d98082c6e2cefce7c8d3ae56
-
Tri Vo authored
Bug: 64905218 Test: device boots with /mnt/vendor present and selinux label mnt_vendor_file applied correctly. Change-Id: Ib34e2859948019d237cf2fe8f71845ef2533ae27
-
- Apr 13, 2018
-
-
Joel Galenson authored
This should help fix presubmit tests. Bug: 77634061 Test: Built policy. Change-Id: Ib9f15c93b71c2b67f25d4c9f949a5e2b3ce93b9c (cherry picked from commit c6b5a96b)
-
Joel Galenson authored
This addresses the following denials: avc: denied { fowner } for comm="rm" scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:r:vold_prepare_subdirs:s0 tclass=capability avc: denied { getattr } for comm="rm" scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:storaged_data_file:s0 tclass=file avc: denied { relabelfrom } for comm="vold_prepare_su" name="storaged" scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir avc: denied { getattr } for comm="rm" scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=file Bug: 77875245 Test: Boot device. Test: Mislabel directories used by vold_prepare_subdirs, reboot, and ensure it can relabel them without denials. Test: Add user, reboot, delete user, reboot, observe no denials. (cherry picked from commit 855dd5a8562494f78f99e5bd5096f617ac70438f) Merged-In: Id67bc99f151a6ccb9619bbfb7080452956405121 Change-Id: Ic86be1e1afed37602255448e5700811d197403f9 -
Jaekyun Seok authored
Values of the following properties are set by SoC vendors on some devices including Pixels. - persist.bluetooth.a2dp_offload.cap - persist.bluetooth.a2dp_offload.enable - persist.vendor.bluetooth.a2dp_offload.enable - ro.bt.bdaddr_path - wlan.driver.status So they should be whitelisted for compatibility. Bug: 77633703 Test: succeeded building and tested with Pixels Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5 Merged-In: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5 (cherry picked from commit 224921d1)
-
- Apr 11, 2018
-
-
Jeff Vander Stoep authored
Addresses: avc: denied { find } for interface=android.hardware.tetheroffload.config::IOffloadConfig scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_hwservice:s0 tclass=hwservice_manager Bug: 77855688 Test: build/boot Sailfish, turn on tethering, no selinux denial Change-Id: I97cae0928b5311a4da41d19cbd5c863c3137a49f -
Jeff Vander Stoep authored
Addresses: avc: denied { sys_resource } for comm="ip6tables" capability=24 scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netutils_wrapper:s0 tclass=capability Bug: 77905989 Test: build and flash taimen-userdebug Change-Id: Ic5d7c96152b96b55255eeec00b19948f38c1923c
-
- Apr 10, 2018
-
-
- Apr 09, 2018
-
-
Jeff Vander Stoep authored
avc: denied { read } for comm="batterystats-wo" name="show_stat" dev="sysfs" scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file Bug: 77816522 Test: build Change-Id: I50a9bfe1a9e4df9c84cf4b2b4aedbb8f82ac94cd
-
- Apr 06, 2018
-
-
Mikhail Naganov authored
Bug: 73405145 Test: cts-tradefed run cts -m CtsMediaTestCases -t android.media.cts.AudioRecordTest#testRecordNoDataForIdleUids Change-Id: I09bdb74c9ecc317ea090643635ca26165efa423a
-
Florian Mayer authored
This is needed to be able to scan the labels we have permission on. Denial: 04-06 12:52:22.674 874 874 W traced_probes: type=1400 audit(0.0:10314): avc: denied { search } for name="backup" dev="sda45" ino=6422529 scontext=u:r:traced_probes:s0 tcontext=u:object_r:backup_data_file:s0 tclass=dir permissive=0 Bug: 73625480 cherry-picked from aosp/658243 Change-Id: I52f3865952004bfc6fe22c488d768276866f8ae1 Merged-In: I52f3865952004bfc6fe22c488d768276866f8ae1 -
Alan Stokes authored
cgroupfs doesn't allow files to be created, so this can't be needed. Also remove redundant neverallow and dontaudit rules. These are now more broadly handled by domain.te. Bug: 74182216 Test: Denials remain silenced. Change-Id: If7eb0e59f567695d987272a2fd36dbc251516e9f
-
Alan Stokes authored
This allows system_server to access it for determining battery stats (see KernelMemoryBandwidthStats.java). batterystats-wo: type=1400 audit(0.0:429): avc: denied { read } for name="show_stat" dev="sysfs" ino=48071 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 Bug: 72643420 Bug: 73947096 Test: Denial is no longer present. Change-Id: Ibe46aee48eb3f78fa5a9d1f36602c082c33036f7
-
- Apr 05, 2018
-
-
Kweku Adams authored
Bug: 72177715 Test: flash device and check incident output Change-Id: I16c172caec235d985a6767642134fbd5e5c23912 (cherry picked from commit 985db6d8)
-
- Apr 04, 2018
-
-
Jeff Vander Stoep authored
avc: denied { read } for name="ext4" dev="sysfs" ino=32709 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0 b/72749888 avc: denied { read } for name="state" dev="sysfs" ino=51318 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_android_usb:s0 tclass=file permissive=0 b/72749888 Bug: 72749888 Test: build/boot taimen-userdebug. No more logspam Change-Id: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e
-
- Apr 03, 2018
-
-
Nathan Harold authored
Because applications should be able to set the receive timeout on UDP encapsulation sockets, we need to allow setsockopt(). getsockopt() is an obvious allowance as well. Bug: 68689438 Test: compilation Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c
-
- Mar 31, 2018
-
-
yro authored
Bug: 75968642 Test: manual testing to check for sepolicy violation Cherry-picked from aosp/652222 Change-Id: Idc83669feaf9fd17bed26f89dfce33e3f2f5424f
-
- Mar 30, 2018
-
-
Chenbo Feng authored
The netutils_wrapper is a process used by vendor code to update the iptable rules on devices. When it update the rules for a specific chain. The iptable module will reload the whole chain with the new rule. So even the netutils_wrapper do not need to add any rules related to xt_bpf module, it will still reloading the existing iptables rules about xt_bpf module and need pass through the selinux check again when the rules are reloading. So we have to grant it the permission to reuse the pinned program in fs_bpf when it modifies the corresponding iptables chain so the vendor module will not crash anymore. Test: device boot and no more denials from netutils_wrapper Bug: 72111305 Change-Id: I62bdfd922c8194c61b13e2855839aee3f1e349be (cherry picked from aosp commit 2623ebcf)
-
- Mar 29, 2018
-
-
Florian Mayer authored
See also go/perfetto-io-tracing-security. * Grant CAP_DAC_READ_SEARCH to traced_probes. * Allow traced_probes to list selected labels. * Change ext4 and f2fs events to be available on user builds. Bug: 74584014 Cherry-picked from aosp/631805 Change-Id: I891a0209be981d760a828a69e4831e238248ebad Merged-In: I891a0209be981d760a828a69e4831e238248ebad
-
Joel Galenson authored
This allows init to write to it, which it does for atrace. Bug: 72643420 Test: Boot two devices, observe no denials, test atrace. Change-Id: I6810e5dcdfaff176bd944317e66d4fe612ccebed
-
Jeff Vander Stoep authored
Access to these files was removed in Oreo. Enforce that access is not granted by partners via neverallow rule. Also disallow most untrusted app access to net.dns.* properties. Bug: 77225170 Test: system/sepolicy/tools/build_policies.sh Change-Id: I85b634af509203393dd2d9311ab5d30c65f157c1 (cherry picked from commit 886aa54b)
-
Alan Stokes authored
The kernel generates file creation audits when O_CREAT is passed even if the file already exists - which it always does in the cgroup cases. We add neverallow rules to prevent mistakenly allowing unnecessary create access. We also suppress these denials, which just add noise to the log, for the more common culprits. Bug: 72643420 Bug: 74182216 Test: Ran build_policies.sh and checked failures were unrelated. Test: Device still boots, denials gone. Change-Id: I034b41ca70da1e73b81fe90090e656f4a3b542dc
-
Pawin Vongmasa authored
Test: Builds Bug: 64121714 Bug: 31973802 Change-Id: Id37be8726a8bb297e35bca494964fdbcc48c6a73
-
- Mar 28, 2018
-
-
Yi Jin authored
Bug: 73354384 Test: manual Change-Id: I4fa630624cc247275e11965471461502f451edf4
-
Joel Galenson authored
These denials occur fairly often, causing some logspam. Bug: 77225170 Test: Boot device. Change-Id: Icd73a992aee44007d0873743f706758f9a19a112
-
Jaekyun Seok authored
A default value of persist.radio.multisim.config can be set by SoC vendors, and so vendor-init-settable should be allowed to it. Bug: 73871799 Test: succeeded building and tested with taimen Change-Id: Ie62b91e7e3d7e05425b742838417f1cab7b3fed4 Merged-In: Ie62b91e7e3d7e05425b742838417f1cab7b3fed4 (cherry picked from commit ac8c6e3d)
-
Andreas Gampe authored
Give statsd rights to connect to perfprofd in userdebug. (cherry picked from commit 488030ee) Bug: 73175642 Test: mmma system/extras/perfprofd Merged-In: Idea0a6b757d1b16ec2e6c8719e24900f1e5518fd Change-Id: Idea0a6b757d1b16ec2e6c8719e24900f1e5518fd
-
- Mar 26, 2018
-
-
Jeff Vander Stoep authored
Suppress WAI denials from crashdump. Test: build/flash Taimen. Verify no new denials. Bug: 68319037 Change-Id: If39d057cb020def7afe89fd95e049e45cce2ae16
-
Primiano Tucci authored
This allows an optimization that consists in the "perfetto" cmdline client passing directly the file descriptor for the output trace to traced (as opposite to having traced streaming back the trace data to "perfetto" and having that one doing the write() into file). This reduces sensibly the memory traffic and CPU overhead of traces with a minor change. Bug: 73625179 Test: builds + perfetto_integrationtests w/ long_trace.cfg Change-Id: I81f5a230338ced20dc543fd91c5a0bd0e58725f2 Merged-In: I81f5a230338ced20dc543fd91c5a0bd0e58725f2 (cherry picked from aosp/648831)
-
- Mar 24, 2018
-
-
Chenbo Feng authored
The permission to allow system_server to access sys/fs/bpf/ directory is missing. Add it back so it can get the bpf maps from the bpf_fs. Test: device boot and no more denial information of system_server try to searcg in fs_bpf atest android.net.cts.TrafficStatsTest Bug: 75285088 Change-Id: I1040cde6c038eccc4e91c69a10b20aa7a18b19f6 (cherry picked from aosp commit f83bbd17)
-
- Mar 23, 2018
-
-
Andreas Gampe authored
So that perfprofd can send larger packets to dropbox. Follow-up of commit 3fa95acb. (cherry picked from commit c9df8437) Bug: 73175642 Test: m Test: manual Merged-In: I88d1f83962243589909ff1ce3d02195e7c494256 Change-Id: I88d1f83962243589909ff1ce3d02195e7c494256
-
- Mar 22, 2018
-
-
Mikhail Naganov authored
Based on the following audit message: type=1400 audit(1521738979.005:385): avc: denied { write } for pid=1269 comm="Binder:1269_B" name="timerslack_ns" dev="proc" ino=254190 scontext=u:r:system_server:s0 tcontext=u:r:hal_audio_default:s0 tclass=file permissive=1 Bug: 74110604 Test: adb shell dmesg | grep hal_audio_default Change-Id: I4c2e787588eb9d223d5e50e1bc8f67876de97c2e -
Primiano Tucci authored
This CL adds the SELinux permissions required to execute atrace and get userspace tracing events from system services. This is to enable tracing of events coming from surfaceflinger, audio HAL, etc. atrace, when executed, sets a bunch of debug.atrace. properties and sends an IPC via binder/hwbinder to tell the services to reload that property. This CL does NOT affect systrace. In that case (i.e. when atrace is executed from adb/shell) atrace still runs in the shell domain and none of those changes apply. Change-Id: I11b096d5c5c5593f18bce87f06c1a7b1ffa7910e Merged-In: I11b096d5c5c5593f18bce87f06c1a7b1ffa7910e Merged-In: Iba195d571aec9579195d79d4970f760e417608c6 Bug: b/73340039
-
- Mar 21, 2018
-
-
Chenbo Feng authored
To better record the network traffic stats for each network interface. We use xt_bpf netfilter module to do the iface stats accounting instead of the cgroup bpf filter we currently use for per uid stats accounting. The xt_bpf module will take pinned eBPF program as iptables rule and run the program when packet pass through the netfilter hook. To setup the iptables rules. netd need to be able to access bpf filesystem and run the bpf program at boot time. The program used will still be created and pinned by the bpfloader process. Test: With selinux enforced, run "iptables -L -t raw" should show the xt_bpf related rule present in bw_raw_PREROUTING chain. Bug: 72111305 Change-Id: I11efe158d6bd5499df6adf15e8123a76cd67de04 (cherry picked from aosp commit 5c95c168)
-
Fyodor Kupolov authored
Test: manual Bug: 75318418 Merged-In: I700c1b8b613dba1c99f4fbffdd905c0052c1b2e7 Change-Id: I700c1b8b613dba1c99f4fbffdd905c0052c1b2e7
-
- Mar 20, 2018
-
-