Skip to content
Snippets Groups Projects
  1. Oct 27, 2016
  2. Oct 24, 2016
  3. Oct 21, 2016
  4. Oct 20, 2016
  5. Oct 19, 2016
    • William Roberts's avatar
      check_seapp: correct output on invalid policy file · f7d6bb3f
      William Roberts authored
      
      If in invalid policy file is loaded check_seapp outputs:
      
      Error: Could not lod policy file to db: Success!
      
      The "Success" value is from errno, which is not manipulated
      by libsepol. Also, load should have an a in it!
      
      Hardcode the error message to:
      
      Error: Could not load policy file to db: invalid input file!
      
      Test: That when providing an invalid sepolicy binary, that the output
      message is correct.
      Change-Id: Iaf1f85eeb217d484997ee1367d91d461c1195bf4
      Signed-off-by: default avatarWilliam Roberts <william.c.roberts@intel.com>
      f7d6bb3f
    • Prashant Malani's avatar
      Cleanup and renaming of vibrator HAL sepolicy · 2d9d3e6d
      Prashant Malani authored
      Renaming vibrator sepolicy to remove the version number.
      Also moving the related binder_call() to maintain alphabetical order.
      
      Bug: 32123421
      Change-Id: I2bfa835085519ed10f61ddf74e7e668dd12bda04
      Test: booted, and checked vibrate on keypress on bullhead
      2d9d3e6d
  6. Oct 18, 2016
    • Prashant Malani's avatar
      Add sysfs rule for vibrator in system_server · c86eb96f
      Prashant Malani authored
      Helps fix vibrator HAL open issue
      
      avc: denied { write } for pid=907 comm="system_server" name="enable" dev="sysfs" ino=20423 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_vibrator:s0 tclass=file permissive=0
      
      Bug: 32209928
      Bug: 32225232
      
      Test: m, booted, tested keypad to make sure vibrator works
      Change-Id: I4977c42b7fac0c9503be04b6520487f2d6cbc903
      c86eb96f
  7. Oct 17, 2016
  8. Oct 16, 2016
  9. Oct 15, 2016
    • Jeff Vander Stoep's avatar
      racoon: allow setting options on tun interface · d063d230
      Jeff Vander Stoep authored
      Fixes failure in VPN connection
      
      avc: denied { ioctl } for pid=2870 comm="ip-up-vpn" ioctlcmd=8914
      scontext=u:r:racoon:s0 tcontext=u:r:racoon:s0 tclass=udp_socket
      avc: denied { ioctl } for pid=2870 comm="ip-up-vpn" ioctlcmd=8916
      scontext=u:r:racoon:s0 tcontext=u:r:racoon:s0 tclass=udp_socket
      
      Test: VPN works
      Bug: 32011648
      Change-Id: I28c4dc7ffbf7e35ef582176674c4e9764719a2a9
      d063d230
  10. Oct 14, 2016
  11. Oct 13, 2016
    • Prashant Malani's avatar
      sepolicy: Add policy for vibrator HIDL service · b32b4a11
      Prashant Malani authored
      Fixes the following denials:
      avc: denied { open } for pid=7530 comm="android.hardwar" path="/sys/devices/virtual/timed_output/vibrator/enable" dev="sysfs" ino=20519 scontext=u:r:android_hardware_vibrator_1_0_service:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
      avc: denied { call } for pid=9173 comm="Binder:7735_C" scontext=u:r:system_server:s0 tcontext=u:r:android_hardware_vibrator_1_0_service:s0 tclass=binder permissive=1
      
      Test: m
      Bug: 32021191
      Change-Id: I243a86b449794e3c2f0abf91ddcf405eff548d0c
      b32b4a11
  12. Oct 12, 2016
  13. Oct 11, 2016
  14. Oct 07, 2016
  15. Oct 06, 2016
    • Prashant Malani's avatar
      system_server: Allow hwservicemanager to make binder calls · abb5c72b
      Prashant Malani authored
      Fixes the following denial:
      avc: denied { call } for pid=791 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
      
      Test: Builds, boots, vibrator works on bullhead
      Change-Id: I56a0a86b64f5d46dc490f6f3255009c40e6e3f8f
      abb5c72b
    • dcashman's avatar
      Split general policy into public and private components. · cc39f637
      dcashman authored
      Divide policy into public and private components.  This is the first
      step in splitting the policy creation for platform and non-platform
      policies.  The policy in the public directory will be exported for use
      in non-platform policy creation.  Backwards compatibility with it will
      be achieved by converting the exported policy into attribute-based
      policy when included as part of the non-platform policy and a mapping
      file will be maintained to be included with the platform policy that
      maps exported attributes of previous versions to the current platform
      version.
      
      Eventually we would like to create a clear interface between the
      platform and non-platform device components so that the exported policy,
      and the need for attributes is minimal.  For now, almost all types and
      avrules are left in public.
      
      Test: Tested by building policy and running on device.
      
      Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
      cc39f637
    • Andreas Gampe's avatar
      Sepolicy: Ignore otapreopt_chroot setsched denial · f1eabc56
      Andreas Gampe authored
      Ignore, as it's a side effect of mounting /vendor.
      
      Bug: 31116514
      Change-Id: If94a27a26181e40de5c5e60f5446de9ce2ccdba0
      (cherry picked from commit 0f81e066)
      f1eabc56
  16. Oct 05, 2016
  17. Oct 03, 2016
    • Jeff Vander Stoep's avatar
      app: audit usage of ion ioctls · 96a85d12
      Jeff Vander Stoep authored
      Test: builds and boots on Bullhead with no selinux audit messages.
      
      Bug: 29795149
      Bug: 30400942
      Change-Id: I93295424a03488234b233d5e2f86d3bf329e53fd
      96a85d12
  18. Oct 02, 2016
  19. Oct 01, 2016
  20. Sep 30, 2016
    • Janis Danisevskis's avatar
      fix lax service context lookup (II) · d6033b41
      Janis Danisevskis authored
      As fallout from the corresponding fix in libselinux,
      this patch adds the missing services without changing
      semantics.
      
      Test: bullhead builds and boots
      
      Bug: 31353148
      Change-Id: I21026c9435ffef956a59d61c4903174ac7b1ef95
      d6033b41
    • Janis Danisevskis's avatar
      fix lax service context lookup · 3e463294
      Janis Danisevskis authored
      Inform checkfc about new service label backend.
      
      Test: bullhead builds
      
      Bug: 31353148
      Change-Id: I499da36108e67483a4f9a18fd8cc7c8f13419abd
      3e463294
  21. Sep 28, 2016
    • Iliyan Malchev's avatar
      add policy for android.hardware.nfc@1.0-service · b8df90a2
      Iliyan Malchev authored
      
      android.hardware.nfc@1.0-service is the generic binderized
      HIDL package implementation of android.hardware.nfc@1.0
      
      Denials:
      avc: denied { read write } for pid=432 comm="android.hardwar"
      name="pn548" dev="tmpfs" ino=10228
      scontext=u:r:android_hardware_nfc_1_0_service:s0
      tcontext=u:object_r:nfc_device:s0 tclass=chr_file
      
      avc: denied { search } for pid=443 comm="Binder:430_1" name="nfc"
      dev="dm-0" ino=670433 scontext=u:r:android_hardware_nfc_1_0_service:s0
      tcontext=u:object_r:nfc_data_file:s0 tclass=dir
      
      Test: pass
      
      Change-Id: Id022b8d1706253ef65a37406c74ff883e12415b2
      Signed-off-by: default avatarIliyan Malchev <malchev@google.com>
      b8df90a2
  22. Sep 27, 2016
    • Treehugger Robot's avatar
      Merge "Audit access to libart" · 6552138b
      Treehugger Robot authored
      6552138b
    • Jeff Vander Stoep's avatar
      Audit access to libart · 88cef4df
      Jeff Vander Stoep authored
      Grant access to all processes and audit access. The end goal is to
      whitelist all access to the interpreter. Several processes including
      dex2oat, apps, and zygote were observed using libart, so omit them
      from auditing and explicitly grant them access.
      
      Test: Angler builds and boots
      
      Bug: 29795519
      Change-Id: I9b93c7dbef5c49b95a18fd26307955d05a1c8e88
      88cef4df
Loading