Skip to content
Snippets Groups Projects
Select Git revision
  • android-7.1.2_r28_klist
  • master default protected
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
40 results
Search by author
  • Any Author
  • Werner Sembach Matombo
  • dex dex dex
2 authors
  1. May 22, 2018
  3. May 09, 2018
  5. Apr 30, 2018
  7. Apr 13, 2018
    • Wale Ogunwale's avatar
      Finalizing P SDK · 49b79029
      Wale Ogunwale authored 
      Bug: 77588754
Test: builds
Change-Id: I61ceb438cd532584847ddd55c0eeaefebdcfa51c
      49b79029
  9. Apr 09, 2018
    • Jeff Vander Stoep's avatar
      whitelist test failure that bypassed presubmit · 2ccd99a5
      Jeff Vander Stoep authored 
      avc: denied { read } for comm="batterystats-wo" name="show_stat" dev="sysfs"
scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file

Bug: 77816522
Test: build
Change-Id: I50a9bfe1a9e4df9c84cf4b2b4aedbb8f82ac94cd
      2ccd99a5
  11. Apr 04, 2018
    • Jeff Vander Stoep's avatar
      priv_app: remove more logspam · 558cdf1e
      Jeff Vander Stoep authored 
      avc: denied { read } for name="ext4" dev="sysfs" ino=32709
scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0
tclass=dir permissive=0 b/72749888
avc: denied { read } for name="state" dev="sysfs" ino=51318
scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:sysfs_android_usb:s0 tclass=file permissive=0
b/72749888

Bug: 72749888
Test: build/boot taimen-userdebug. No more logspam
Change-Id: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e
      558cdf1e
  13. Mar 26, 2018
    • Jeff Vander Stoep's avatar
      crashdump: cleanup logs · cc0304cf
      Jeff Vander Stoep authored 
      Suppress WAI denials from crashdump.

Test: build/flash Taimen. Verify no new denials.
Bug: 68319037
Change-Id: If39d057cb020def7afe89fd95e049e45cce2ae16
      cc0304cf
  15. Mar 07, 2018
    • Joel Galenson's avatar
      Clean up bug_map. · f3f93eaf
      Joel Galenson authored 
      Remove a fixed bug from bug_map.

Bug: 62140539
Test: Built policy.
Change-Id: I2ce9e48de92975b6e37ca4a3a4c53f9478b006ef
      f3f93eaf
    • Joel Galenson's avatar
      Track platform_app SELinux denial. · 2995e996
      Joel Galenson authored 
      This should fix presubmit tests.

Bug: 74331887
Test: Built policy.
Change-Id: Ie9ef75a7f9eaebf1103e3d2f3b4521e9abaf2fe7
      2995e996
  17. Feb 28, 2018
    • Jeff Vander Stoep's avatar
      system_server: grant read access to vendor/framework · 9e33565c
      Jeff Vander Stoep authored 
      avc: denied { getattr } for path="/vendor/framework"
scontext=u:r:system_server:s0 tcontext=u:object_r:vendor_framework_file:s0
tclass=dir

Bug: 68826235
Test: boot Taimen, verify denials no longer occur.
Change-Id: Id4b311fd423342c8d6399c3b724417aff9d1cd88
      9e33565c
  19. Feb 27, 2018
    • Joel Galenson's avatar
      Clean up bug_map. · 40c112c8
      Joel Galenson authored 
      Remove a fixed bug from bug_map.

Bug: 73068008
Test: Built policy.
Change-Id: Id0072788953cb6b939a11caace0158da7799f540
      40c112c8
  21. Feb 15, 2018
    • Joel Galenson's avatar
      Dontaudit denials caused by race with labeling. · f7ec4138
      Joel Galenson authored 
      These denials seem to be caused by a race with the process that labels
the files.  While we work on fixing them, hide the denials.

Bug: 68864350
Bug: 70180742
Test: Built policy.
Change-Id: I58a32e38e6384ca55e865e9575dcfe7c46b2ed3c
      f7ec4138
  23. Feb 12, 2018
  25. Feb 09, 2018
  27. Feb 08, 2018
  29. Feb 07, 2018
  31. Feb 02, 2018
  33. Feb 01, 2018
  35. Jan 31, 2018
  37. Jan 30, 2018
    • Joel Galenson's avatar
      Clean up bug_map. · 26ccebd7
      Joel Galenson authored 
      Remove bugs that have been fixed, re-map duped bugs, and alphabetize
the list.

Test: Booted Walleye and Sailfish, tested wifi and camera, and
observed no new denials.

Change-Id: I94627d532ea13f623fe29cf259dd404bfd850c13
      26ccebd7
  39. Jan 29, 2018
    • Joel Galenson's avatar
      Track usbd SELinux denial. · 07efe37c
      Joel Galenson authored 
      This should fix presubmit tests.

Bug: 72472544
Test: Built policy.
Change-Id: I01f0fe3dc759db66005e26d15395893d494c4bb7
      07efe37c
  41. Jan 28, 2018
  43. Jan 25, 2018
    • Joel Galenson's avatar
      Track crash_dump selinux denial. · 6e705357
      Joel Galenson authored 
      This should fix presubmit tests.

Bug: 72507494
Test: Built policy.
Change-Id: I56944d92232c7a715f0c88c13e24f65316805c39
      6e705357
    • Joel Galenson's avatar
      Suppress denials from idmap reading installd's files. · b050dccd
      Joel Galenson authored 
      We are occasionally seeing the following SELinux denial:

avc: denied { read } for comm="idmap" path="/proc/947/mounts" scontext=u:r:idmap:s0 tcontext=u:r:installd:s0 tclass=file

This commit suppresses that exact denial.

We believe this is occurring when idmap is forked from installd, which is reading its mounts file in another thread.

Bug: 72444813
Test: Boot Walleye and test wifi and camera.
Change-Id: I3440e4b00c7e5a708b562a93b304aa726b6a3ab9
      b050dccd
    • Joel Galenson's avatar
      Track idmap selinux denial. · 7b1e9a5f
      Joel Galenson authored 
      This should fix presubmit tests.

Bug: 72444813
Test: Built policy.
Change-Id: I5b8661b34c9417cd95cb0d6b688443dcbe0d1c0b
      7b1e9a5f
  45. Jan 17, 2018
    • Jeff Vander Stoep's avatar
      Annotate denials · 1e1a3f7c
      Jeff Vander Stoep authored 
      There is a race condition between when /data is mounted
and when processes attempt to access it. Attempting to access
/data before it's mounted causes an selinux denial. Attribute
these denials to a bug.

07-04 23:48:53.646   503   503 I auditd  : type=1400 audit(0.0:7): avc:
denied { search } for comm="surfaceflinger" name="/" dev="sda35" ino=2
scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:unlabeled:s0
tclass=dir permissive=0
07-15 17:41:18.100   582   582 I auditd  : type=1400 audit(0.0:4): avc:
denied { search } for comm="BootAnimation" name="/" dev="sda35" ino=2
scontext=u:r:bootanim:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
permissive=0

Bug: 68864350
Test: build
Change-Id: I07f751d54b854bdc72f3e5166442a5e21b3a9bf5
      1e1a3f7c
  47. Jan 10, 2018
  49. Nov 29, 2017
    • Jeff Vander Stoep's avatar
      Fix bug map entry · 53950b65
      Jeff Vander Stoep authored 
      Tclass was omitted for two entries.

Bug: 69928154
Bug: 69366875
Test: build
Change-Id: Ie12c240b84e365110516bcd786b98dc37295fdb9
      53950b65
  51. Nov 21, 2017
  53. Nov 14, 2017
    • Jeff Vander Stoep's avatar
      Add tracking bugs to crash_dump denials · 41401f47
      Jeff Vander Stoep authored 
      avc: denied { search } for name="com.sf.activity" dev="sda35"
ino=1444147 scontext=u:r:crash_dump:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
avc: denied { search } for comm="crash_dump64"
name="com.android.bluetooth" dev="sda13" ino=1442292
scontext=u:r:crash_dump:s0 tcontext=u:object_r:bluetooth_data_file:s0
tclass=dir
avc: denied { search } for comm="crash_dump64" name="overlay" dev="dm-1"
ino=938 scontext=u:r:crash_dump:s0
tcontext=u:object_r:vendor_overlay_file:s0 tclass=dir permissive=0

Bug: 68705274
Bug: 68319037
Test: build
Change-Id: I44075ac6bf6447d863373c97ba10eadf59d2d22f
      41401f47
  55. Nov 13, 2017
    • Jeff Vander Stoep's avatar
      Add tracking bugs to denials · 29666d12
      Jeff Vander Stoep authored 
      These denials should not be allowed. Adding a bug number to the
denial properly attributes them to a bug.

Bug: 69197466
avc: denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability

Bug: 62140539
avc: denied { open }
path="/data/system_de/0/spblob/17a358cf8dff62ea.weaver"
scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0
tclass=file
avc: denied { unlink } for name="17a358cf8dff62ea.weaver"
scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0
tclass=file

Bug: 69175449
avc: denied { read } for name="pipe-max-size" dev="proc"
scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file

Test: build
Change-Id: I62dc26a9076ab90ea4d4ce1f22e9b195f33ade16
      29666d12
  57. Oct 13, 2017