- Apr 05, 2017
-
-
Howard Chen authored
This change extends the recovery mode modprobe sepolicy to support loadable kernel modules in normal mode by using the statement below in init.rc:

    exec u:r:modprobe:s0 -- /system/bin/modprobe \
        -d /vendor/lib/modules mod

Bug: b/35653245
Test: sailfish with local built kernel and LKM enabled
Change-Id: I827e2ce387c899db3e0e179da92e79c75d61f5ae
-
- Apr 04, 2017
-
-
Treehugger Robot authored
-
Tianjie Xu authored
-
Treehugger Robot authored
-
Tianjie Xu authored
Currently update_verifier only verifies the blocks when dm-verity is in 'enforcing' mode; and dm-verity will reboot the device upon detection of errors. However, sometimes the verity mode is not guaranteed to be correct. When mode is 'eio' for example, dm-verity will not trigger a reboot but rather fail the read. So update_verifier needs to take the responsibility to reboot the device. Otherwise the device will continue to boot without setting the flag "isSlotMarkedSuccessful".

Denial message:
update_verifier: type=1400 audit(0.0:18): avc: denied { write } for name="property_service" dev="tmpfs" ino=14678 scontext=u:r:update_verifier:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0

Bug: 36260064
Test: powerctl property sets successfully
Change-Id: I7431f87e2d61be1425397732aebb369d4ad4c26c
-
Steven Moreland authored
Test: works on internal marlin
Bug: 34274385
Change-Id: Idd35e5cdccb595b4e5994eb1d78fdeece0aec0a6
-
- Apr 03, 2017
-
-
Mark Salyzyn authored
logcatd is the same as logcat, except that the -L flag, if supplied, runs once, then the command re-runs itself without the -L flag with the same argument set. By introducing a logcatd daemon executable we can solve the problem of the longish reads from pstore that sometimes occur when the system is excessively busy spinning in a foreground task starving this daemon as we absorb the delay in an init service, rather than in an init exec. This would not have been efficiently possible without the introduction of liblogcat.

Test: gTest logcat-unit-tests
Test: Manual check logpersist operations
Bug: 28788401
Bug: 30041146
Bug: 30612424
Bug: 35326290
Change-Id: I3454bad666c66663f59ae03bcd72e0fe8426bb0a
-
- Mar 31, 2017
-
-
Daniel Cashman authored
am: cb6f8f02 Change-Id: I47b6a0362f268ba1a599ab2354f72357fc7b79cc
-
Daniel Cashman authored
-
Tom Cherry authored
am: 6b92e26a Change-Id: Ie76aa1f95e72b6183c13be4f9dc86481a2d63077
-
Vishwath Mohan authored
am: a2e9664c Change-Id: I184d353b6ca0c8e5b712da11b4de777e04a5b79f
-
Tom Cherry authored
-
Treehugger Robot authored
-
Dan Cashman authored
sepolicy-analyze allows users to see all types that have a given attribute, but not the reverse case: all attributes of a given type. Add a '--reverse' option which enables this, but keeps the previous interface.

Usage:
    sepolicy-analyze sepolicy attribute -r init

Bug: 36508258
Test: Build and run against current policy.
Change-Id: Ice6893cf7aa2ec4706a7411645a8e0a8a3ad01eb
-
Treehugger Robot authored
-
- Mar 30, 2017
-
-
Jin Qian authored
Test: adb kill-server && adb shell dumpsys storaged
Bug: 36492915
Change-Id: I3a1a2ad2f016ddd5770d585cae82c8be69001df9
-
Myles Watson authored
am: 02d9d21d Change-Id: I29861f9cc52001f2968c2313f48031dd01afe8c7
-
Tom Cherry authored
Init is no longer calling vdc with logwrapper, so it must take care of logging to kmsg directly.

Change-Id: I529f5a95e19c08ef75e0da9a02bae1cb7187eec0

avc: denied { write } for pid=367 comm="vdc" name="kmsg" dev="tmpfs" ino=11056 scontext=u:r:vdc:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0

Test: observe vdc logging in kmsg on boot and stderr on normal usage
Change-Id: Ie3678509d360f19b95cb03aeea75f29843728203
-
Myles Watson authored
Devices that store their BT MAC address in /data/misc/bluedroid/ need to find another place for that file.

Bug: 36602160
Test: Restart Bluetooth, check for selinux denials/files in /data/misc
Change-Id: Ib8d610f201a8c35f95b464c24857c6639205bc66
Merged-In: Ib8d610f201a8c35f95b464c24857c6639205bc66
-
Vishwath Mohan authored
This CL changes the policy for ASAN files on-disk to support the changes made by the following CLs -
https://android-review.googlesource.com/#/c/359087/
https://android-review.googlesource.com/#/c/359389/

which refactor the on-disk layout of sanitized libraries in the following manner -
/data/lib* --> /data/asan/system/lib*
/data/vendor/* --> /data/asan/vendor/*

There are a couple of advantages to this, including better isolation from other components, and more transparent linker renaming and SELinux policies.

Bug: 36574794
Bug: 36674745
Test: m -j40 && SANITIZE_TARGET="address" m -j40 and the device boots. All sanitized libraries are correctly located in /data/asan/*, and have the right SELinux permissions.
Change-Id: Ib08e360cecc8d77754a768a9af0f7db35d6921a9
-
- Mar 29, 2017
-
-
Nathan Harold authored
am: 32815389 Change-Id: Id6cc5e3c1dc6b098f893b566dcbf09fc29973162
-
Nathan Harold authored
am: 7eb3dd3b Change-Id: Iafaa3fd315533c4cb49847d927d2c7cbae71bb51
-
Treehugger Robot authored
* changes:
  Add IpSecService SEPolicy
  Update Common NetD SEPolicy to allow Netlink XFRM
-
- Mar 28, 2017
-
-
Treehugger Robot authored
- Mar 27, 2017
-
-
Jeff Vander Stoep authored
am: 915c0070 Change-Id: I6899ca877d1ccf0a3d475fd34cfffc00eacdf23d
-
Treehugger Robot authored
-
Steven Moreland authored
am: 5a9410cf Change-Id: I4cf02d403a045bce6da96939406a886197f5a1a5
-
Treehugger Robot authored
-
- Mar 26, 2017
-
-
Jeff Sharkey authored
am: 3f724c95 Change-Id: Ia390c3537b7efe897154380ee836dbb7ac0ed742
-
Jeff Sharkey authored
This is a special file that can be mounted as a loopback device to exercise adoptable storage code on devices that don't have valid physical media. For example, they may only support storage media through a USB OTG port that is being used for an adb connection.

avc: denied { read } for path="/data/misc/vold/virtual_disk" dev="sda35" ino=508695 scontext=u:r:kernel:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0

Bug: 34903607
Change-Id: I84721ec0e9495189a7d850461875df1839826212
-
Jeff Vander Stoep authored
Moves selinux policy build decisions to system/sepolicy/Android.mk. This is done because the PRODUCT_FULL_TREBLE variable isn't available in embedded.mk and TARGET_SANITIZE isn't available to dependencies of init.

Test: Build/boot Bullhead PRODUCT_FULL_TREBLE=false
Test: Build/boot Marlin PRODUCT_FULL_TREBLE=true
Test: Build Marlin TARGET_SANITIZE=address. Verify asan rules are included in policy output.
Bug: 36138508
Change-Id: I20a25ffdfbe2b28e7e0f3e090a4df321e85e1235
-
Jeff Sharkey authored
am: 2224f30a Change-Id: I184272269fed360807e41a1cac1fe099477685e6
-
Jeff Sharkey authored
-
Steven Moreland authored
am: 133d5298 Change-Id: I934f58768bd30de9c62d33e83b6a1b60f0d0fb9b
-
Treehugger Robot authored
-
Jeff Sharkey authored
Per loop(4), this device is the preferred way of allocating new loop devices since Linux 3.1.

avc: denied { read write } for name="loop-control" dev="tmpfs" ino=15221 scontext=u:r:vold:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0

Bug: 34903607
Change-Id: I1f5f62cf0a1c24c6f6453100004812af4b8e1503
-
William Roberts authored
am: 5d0c2e41 Change-Id: I30a0587f8bb4a99a97ddce7d989302f9a89a02af
-
- Mar 25, 2017
-
-
William Roberts authored
secilc is being used without -f which is causing a file_contexts file to be generated in the root of the tree where the build tools run:

$ stat $T/file_contexts
  File: 'file_contexts'
  Size: 0  Blocks: 0  IO Block: 4096  regular empty file
Device: fc00h/64512d  Inode: 5508958  Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/wcrobert)  Gid: ( 1000/wcrobert)
Access: 2017-03-23 11:23:41.691538047 -0700
Modify: 2017-03-23 11:23:41.691538047 -0700
Change: 2017-03-23 11:23:41.691538047 -0700

Test: remove $T/file_contexts, touch a policy file and make sepolicy, ensure file is not regenerated. Also, ensure hikey builds and boots.
Change-Id: I0d15338a540dba0194c65a1436647c7d38fe3c79
Signed-off-by: William Roberts <william.c.roberts@intel.com>
-