Skip to content
Snippets Groups Projects
Select Git revision
  • android-7.1.2_r28_klist
  • master default protected
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
40 results
Search by author
  • Any Author
  • Werner Sembach Matombo
  • dex dex dex
2 authors
  1. Apr 09, 2016
    • Alex Deymo's avatar
      Allow postinstall_file to be an entrypoint. · ac52f460
      Alex Deymo authored 
      postinstall_file was an exec_type so it could be an entrypoint for the
domain_auto_trans from update_engine domain to postinstall domain. This
patch removes the exec_type from postinstall_file and exempts it from
the neverallow rule to become an entrypoint.

Bug: 28008031
TEST=postinstall_example still runs as the "postinstall" domain on edison-eng.

(cherry picked from commit a9671c6b)

Change-Id: I2e1f61ed42f8549e959edbe047c56513903e8e9c
      ac52f460
  3. Apr 08, 2016
  5. Apr 07, 2016
  7. Apr 06, 2016
    • Ruben Brunk's avatar
      Merge "Update selinux policy for VrManager AIDL." into nyc-dev · 182c4f31
      Ruben Brunk authored
      182c4f31
    • Ruben Brunk's avatar
      Update selinux policy for VrManager AIDL. · 743969ba
      Ruben Brunk authored 
      Bug: 27884853
Change-Id: I097306a324bdc25c5d22868f0342e175ce0dbb9a
      743969ba
    • Daniel Rosenberg's avatar
      Expand bluetooth access to media_rw_data_file for now. · 4a0c8036
      Daniel Rosenberg authored 
      With sdcardfs, we no longer have a separate sdcardd acting as
an intermediate between the outside world and /data/media.
Unless we modify sdcardfs to change contexts, we need these.

Remove this patch if sdcardfs is updated to change the
secontext of fs accesses.

Bug: 28040634

Change-Id: I492c87e9f232c57f43abd09b7864b52847bc3555
      4a0c8036
    • Jeff Sharkey's avatar
      Allow system_server to execute timeout. · 75b25dd1
      Jeff Sharkey authored 
      We've seen evidence that the logcat binary can end up wedged, which
means we can eventually starve system_server for FDs.  To mitigate
this, wrap logcat using the timeout utility to kill and clean up if
it takes too long to exit.

avc: denied { execute } for name="toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { read open } for path="/system/bin/toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { execute_no_trans } for path="/system/bin/toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1

Bug: 27994717, 28021719, 28009200
Change-Id: I76d3c7fe5b37fb9a144a3e5dbcc9150dfea495ee
      75b25dd1
  9. Apr 05, 2016
    • Daniel Rosenberg's avatar
      Allow search/getattr access to media_rw_data_file for now. · b80bdef0
      Daniel Rosenberg authored 
      With sdcardfs, we no longer have a separate sdcardd acting as
an intermediate between the outside world and /data/media.
Unless we modify sdcardfs to change contexts, we need these.
Added for: system_server, dumpstate, and bluetooth

Remove this patch if sdcardfs is updated to change the
secontext of fs accesses.

Bug: 27932396
Change-Id: I294cfe23269b7959586252250f5527f13e60529b
      b80bdef0
  11. Apr 02, 2016
  13. Apr 01, 2016
    • Mark Salyzyn's avatar
      dumpstate: access /data/misc/logd · 3ea709be
      Mark Salyzyn authored 
      (cherry pick from commit 74541338)

Bug: 27965066
Change-Id: Ia0690c544876e209e4c080b0e959f763b731c48a
      3ea709be
    • Nick Kralevich's avatar
      refine /data/misc/logd rules · 8a8770cd
      Nick Kralevich authored 
      (cherry pick from commit 6937aa93)

Followup to 121f5bfd.

Move misc_logd_file neverallow rule from domain.te to logd.te,
since the goal of the neverallow rule is to protect logd / logpersist
files from other processes.

Switch the misc_logd_file neverallow rule from using "rw_file_perms"
to "no_rw_file_perms". The latter covers more cases of file
modifications.

Add more neverallow rules covering misc_logd_file directories.

Instead of using not_userdebug_nor_eng(), modify the rules to be
consistent with other highly constrained file types such as
keystore_data_file or vold_data_file. See, for example,
https://android-review.googlesource.com/144768

To see the net effect of this change, you can use the following
command line:

  sesearch --allow -t misc_logd_file -c file,dir,lnk_file \
  out/target/product/bullhead/root/sepolicy

Before this change:

  # userdebug builds
  allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
  allow init misc_logd_file:file { setattr read create write relabelfrom getattr relabelto unlink open };
  allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };
  allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
  allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
  allow shell misc_logd_file:dir { search read lock getattr ioctl open };
  allow shell misc_logd_file:file { read lock ioctl open getattr };

  # user builds
  allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
  allow init misc_logd_file:file relabelto;
  allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };

After this change:

  # userdebug builds
  allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
  allow init misc_logd_file:file { relabelto getattr };
  allow init misc_logd_file:lnk_file relabelto;
  allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
  allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
  allow shell misc_logd_file:dir { search read lock getattr ioctl open };
  allow shell misc_logd_file:file { read lock ioctl open getattr };

  # user builds
  allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
  allow init misc_logd_file:file { relabelto getattr };
  allow init misc_logd_file:lnk_file relabelto;

Change-Id: I0b00215049ad83182f458b4b9e258289c5144479
Bug: 27965066
      8a8770cd
    • Jesse Hall's avatar
      Define gpu_service and allow surfaceflinger to provide it · 59970a4e
      Jesse Hall authored 
      Bug: 26620936 and 27352427
Change-Id: I3d6d2e479d95133693790a97827e45e9dd30bc4a
      59970a4e
    • Jeff Tinker's avatar
      Merge "Allow mediadrmservice to access processinfo" into nyc-dev · a7a174a5
      Jeff Tinker authored
      a7a174a5
  15. Mar 31, 2016
    • Jeff Tinker's avatar
      Allow mediadrmservice to access processinfo · a6ae3312
      Jeff Tinker authored 
      Needed to support session reclaiming

bug: 27916039
Change-Id: I464e6db5b9bc4e83f85cb4623eeca340e1efd603
      a6ae3312
    • Nick Kralevich's avatar
      bootanim: allow /proc/meminfo read · 7a35c136
      Nick Kralevich authored 
      Allow /proc/meminfo to be read by bootanim. Not sure why
it's needed, but harmless enough.

Modify domain_deprecated so it doesn't use r_dir_file().
/proc/meminfo is neither a symlink nor a directory, so it doesn't
make sense to create allow rules for those classes of objects.

Addresses the following denial:

  avc: denied { read } for comm="BootAnimation" name="meminfo" dev="proc"
  ino=4026536593 scontext=u:r:bootanim:s0
  tcontext=u:object_r:proc_meminfo:s0 tclass=file permissive=0

This denial is only showing up on flounder, flounder_lte, or
dragon devices. I'm not sure why.

Change-Id: I0f808bcae47fc2fda512cd147c3b44593835cac5
      7a35c136
    • Daniel Rosenberg's avatar
      Merge "Allow access to media_rw_data_file for now." into nyc-dev · 81d2811c
      Daniel Rosenberg authored
      81d2811c
    • Daniel Rosenberg's avatar
      Allow access to media_rw_data_file for now. · d25d57a3
      Daniel Rosenberg authored 
      With sdcardfs, we no longer have a separate sdcardd acting as
an intermediate between the outside world and /data/media.
Unless we modify sdcardfs to change contexts, we need these.
Added for: adbd, kernel, mediaserver, and shell

Remove this patch if sdcardfs is updated to change the
secontext of fs accesses.

Bug: 27915475
Bug: 27937873

Change-Id: I25edcfc7fb8423b3184db84040bda790a1042724
      d25d57a3
    • Daniel Rosenberg's avatar
      Merge "Allow shell and adbd access to media_rw_data_file for now." into nyc-dev · 0f3c37ae
      Daniel Rosenberg authored
      0f3c37ae
    • Daniel Rosenberg's avatar
      Allow shell and adbd access to media_rw_data_file for now. · bb90999e
      Daniel Rosenberg authored 
      With sdcardfs, we no longer have a separate sdcardd acting as
an intermediate between the outside world and /data/media.
Unless we modify sdcardfs to change contexts, we need these.

Remove this patch if sdcardfs is updated to change the
secontext of fs accesses.

Bug: 27925072
Change-Id: I3ad37c0f12836249c83042bdc1111b6360f22b3c
      bb90999e
  17. Mar 30, 2016
  19. Mar 29, 2016
    • Daichi Hirono's avatar
      Add mlstrustedobject to appfuse object type. · f19fb0c9
      Daichi Hirono authored 
      To write bytes to appfuse file from priv_app, we need to specify
mlstrustedobject.
The CL fixes the following denial.

type=1400 audit(0.0:77): avc: denied { write } for name="10" dev="fuse" ino=10 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:app_fuse_file:s0 tclass=file permissive=0

BUG=23093747

(cherry picked from commit 4d19f98c)

Change-Id: I9901033bb3349d5def0bd7128db45a1169856dc1
      f19fb0c9
  21. Mar 28, 2016
    • Calin Juravle's avatar
      Give dex2oat getattr rights on profiles · f51c0548
      Calin Juravle authored 
      Similar to profman, dex2oat does more checks on profiles now.
It needs to be able to do stat to test for existance and non-emptiness.

03-28 10:41:06.667  8611  8611 W dex2oat : type=1400 audit(0.0:129):
avc: denied { getattr } for
path="/data/misc/profiles/ref/com.google.android.apps.magazines/primary.prof"
dev="dm-0" ino=636928 scontext=u:r:dex2oat:s0
tcontext=u:object_r:user_profile_data_file:s0 tclass=file permissive=0

Bug: 27860201
Change-Id: I3a7cb396596ae28a375ea98224ada29f093f475e
      f51c0548
    • Calin Juravle's avatar
      Give profman getattr rights on profiles. · 070f5625
      Calin Juravle authored 
      We do a bit more work checks in the runtime for the profiles and call
stat on the files to see if they exists and their are not empty.

SElinux error
[  297.842210] type=1400 audit(1459106986.097:7): avc: denied { getattr
} for pid=4504 comm="profman"
path="/data/misc/profiles/cur/0/com.google.android.youtube/primary.prof"
dev="dm-1" ino=636936 scontext=u:r:profman:s0
tcontext=u:object_r:user_profile_data_file:s0:c512,c768 tclass=file
permissive=0

Bug: 27860201
Change-Id: Ic97882e6057a4b5c3a16089b9b99b64bc1a3cd98
      070f5625
  23. Mar 25, 2016
  25. Mar 24, 2016
    • Mark Salyzyn's avatar
      Merge "Add recovery_persist & recovery_refresh" into nyc-dev · 6705526d
      Mark Salyzyn authored
      6705526d
    • Mark Salyzyn's avatar
      Add recovery_persist & recovery_refresh · 05806470
      Mark Salyzyn authored 
      (cherry pick from commit 16fe52c9)

One time executables. recovery_refresh can be used at any time to
ensure recovery logs in pmsg are re-placed at the end of the FIFO.
recovery_persist takes the recovery logs in pmsg and drops them
into /data/misc/recovery/ directory.

Bug: 27176738
Change-Id: Ife3cf323930fb7a6a5d1704667961f9d42bfc5ac
      05806470
    • dcashman's avatar
      Move sysfs_thermal to global policy and grant access. · 98eff7c3
      dcashman authored 
      sysfs_thermal nodes are common enough to warrant an entry in global
policy and the new HardwarePropertiesManagerService exists explicitly to
expose some of this information.

Address the following denials:
avc: denied { search } for name="thermal" dev="sysfs" ino=17509 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=1
avc: denied { read } for name="temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { getattr } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1

Bug: 27809332
Change-Id: I2dbc737971bf37d197adf0d5ff07cb611199300d
      98eff7c3