  1. Sep 24, 2019
    • Label /product/lib(64)/* as system_lib_file · 1d833eb6
      Tri Vo authored
      Bug: 138545724
      Test: n/a
      
      (cherry picked from commit 3d58603623dd67b181fb965f437c552428c979bc)
      
      Change-Id: I03c2430778f1112679090bb7aad234c907384ea1
      CRs-Fixed: 2491659
  2. Sep 17, 2019
    • Allow toolbox to rm -rf /data/per_boot · 859f9211
      Paul Crowley authored
      Bug: 140882488
      Test: create files and dirs in /data/per_boot, check they're removed.
      Cherry-Picked-From: 2367ba358f0ec0c0c591e3e2feadabf891f38eef
      Merged-In: Idf0ba09cbe51cbff6a7b2a464c4651a1f7fcf343
      Change-Id: Idf0ba09cbe51cbff6a7b2a464c4651a1f7fcf343
  3. Sep 13, 2019
    • Allow dexoptanalyzer to mmap files with Linux 4.14+ that it can already access. · d8a9a493
      Roland Levillain authored
      SELinux has a separate file mmap permission in 4.14+ kernels. Add this
      to dexoptanalyzer(d) in cases where it could already access files (in
      particular, secondary dex files).
      
      Addresses denials of the form:
      
        avc: denied { map } for […] path="/data/data/[…]" […]
        scontext=u:r:dexoptanalyzer:s0 tcontext=u:object_r:app_data_file:s0
      
      (cherry picked from commit c72b7d17310499f6bd6545e0e509fd603045d329)
      
      Test: Reproduce steps in bug 138683603 on a device with a 4.14+ kernel
            and check the absence of SELinux denials
      Bug: 138683603
      
      Change-Id: Ieba53eb431c0ba3914dcb5e5abdae667bd063555
  4. Aug 22, 2019
    • selinux: Update Q sepolicy prebuilt · 32481828
      Daniel Solomon authored
      Tag gpu_service as app_api_service. This is the corresponding api 29.0
      change to the public service.te from commit aosp/1105058
      (I30a951cd712b0ae4aacd2c4d6d42e74fac5c0707).
      
      Bug: 139685237
      Test: m selinux_policy
      Change-Id: Ia23cdd5f59b40a3e99cae424d9cf41d5e7442631
  5. Aug 13, 2019
    • Allow Traceur to record the suspend_resume trace event · afac97a1
      Carmen Jackson authored
      This should be available in user and userdebug builds.
      
      Bug: 137289935
      Test: Alongside atrace changes, recorded a trace using Traceur and
      verified that the tracepoints were included in the recorded trace in
      both user and userdebug builds.
      
      Change-Id: I6131557bdd0a298be9e75b39759599b189b9b988
      Merged-In: I6131557bdd0a298be9e75b39759599b189b9b988
  6. Jul 16, 2019
  7. Jul 12, 2019
  8. Jul 03, 2019
    • SF: enable device-specific dataspace for color space agnostic surfaces · 39efa501
      Yichi Chen authored
      To reduce the DPU loading in color conversion, we enable device-specific
      dataspace for color space agnostic surfaces. Since the type of surfaces
      usually provide gray-level surfaces to users, it can be acceptable to
      ignore the color conversion on them.
      
      Bug: 134783740
      Bug: 135140940
      Test: Check ScreenDecorOverlays in expected dataspace
      Test: Play HDR video on C2 and check dataspace
      Change-Id: Ief32f0ff3867b2e154fecd6c9ebd6610b0e6ed11
  9. Jun 28, 2019
    • Allow perfetto to access gpu_frequency tracepoint in user · 9bfaa1c4
      Sidath Senanayake authored
      This will allow Perfetto to capture GPU frequency changes
      on the target, which is useful to graphics developers
      using Perfetto to profile graphics HW usage.
      
      This change also updates the private prebuilt at version
      29.0 to match the update.
      
      Bug: 136062452
      Merged-In: Idb7870b2f674f1359ef3b4487dbeff190b394248
      Change-Id: Ib98ba10d96caa199d7030be3a17148045576a80c
  10. Jun 27, 2019
    • Allow rule to let settings access apex files · 9067699d
      Todd Kennedy authored
      In order to show licensing information, we need to read it from
      an asset stored in the .apex file.
      
      Bug: 135183006
      Test: Manual; settings can access apex files stored on /data
      Change-Id: I71fbde6e295d9c890c9b9b0449e5150834a6680e
      Merged-In: I71fbde6e295d9c890c9b9b0449e5150834a6680e
  11. Jun 19, 2019
    • In native coverage builds, allow all domains to access /data/misc/trace · b6582464
      Pirama Arumuga Nainar authored
      Bug: http://b/135139675
      
      Coverage files are written to /data/misc/trace (governed by the
      method_trace_data_file selinux type).  Allow all domains to access
      (create directories, access files) this directory when native coverage
      is enabled (by setting NATIVE_COVERAGE to true) in a userdebug or eng
      build.
      
      Also relax neverallow constraints to allow access to
      method_trace_data_file for native coverage builds.
      
      Test: Build 32-bit cuttlefish with coverage:
                m NATIVE_COVERAGE=true COVERAGE_PATHS="*"
            and verify that there are no selinux denials in kernel log and
            logcat.
      
      Change-Id: I3fe7c77612854b9de7de7a0ddd5cbf44a2f5c21e
      (cherry picked from commit ce9c0c5a5fbd3fda8e1fd102d2bf1ca6afebbdf9)
    • Add rules to dump hal traces · 6d976f4d
      Kevin Chyn authored
      Test: manual
      Bug: 126802513
      
      Change-Id: If037483f305e161a158e30f6322d5e25b7770952
    • Add power stats HAL to ANR list · 8273f191
      Benjamin Schwartz authored
      Bug: 135111122
      Test: Ran "adb shell am hang" and verified that power.stats HAL
      information is in /data/anr/<anr_file>
      Change-Id: I60a6191626a20c737124033e8ad453fa91425e39
  12. Jun 17, 2019
    • Add permission required by libdm_test · 9bb71537
      Hridya Valsaraju authored
      This CL fixes the following denials during libdm_test
      that is part of VTS.
      
      avc: denied { read } for comm="loop1" path=2F6D656D66643A66696C655F32202864656C6574656429
      dev="tmpfs" ino=97742 scontext=u:r:kernel:s0 tcontext=u:object_r:appdomain_tmpfs:s0
      tclass=file permissive=0
      W loop1   : type=1400 audit(0.0:371): avc: denied { read } for
      path=2F6D656D66643A66696C655F32202864656C6574656429 dev="tmpfs" ino=97742 scontext=u:r:kernel:s0
      tcontext=u:object_r:appdomain_tmpfs:s0 tclass=file permissive=0
      
      Bug: 135004816
      Test: adb shell libdm_test
      Change-Id: Ifb6d58ee6f032cdf3952a05667aa8696d6e2a2fa
    • Add persist.sys.theme. · 75182a1e
      Tao Bao authored
      This property will be set by system_server (to indicate the currently
      selected theme for device), and can be accessed by vendor init.rc.
      
      avc:  denied  { read } for property=persist.sys.theme pid=0 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:theme_prop:s0 tclass=file
      
      Bug: 113028175
      Test: Set a vendor init trigger that waits on `persist.sys.theme`. Check
            that the trigger fires without denial.
      Change-Id: Ibb4e392d5059b76059f36f7d11ba82cd65cbe970
  13. Jun 14, 2019
    • system_server_startup: allow SIGCHLD to zygote · e0d9e50c
      Jeff Vander Stoep authored
      avc: denied { sigchld } for comm="main"
      scontext=u:r:system_server_startup:s0 tcontext=u:r:zygote:s0
      tclass=process permissive=0
      
      Test: build
      Bug: 134496658
      Change-Id: I98c106b17ba1740f953c3108bd0fc927c150096f
      (cherry picked from commit 67dc274f87b25b80d507f8ad8263648f5f9a1dd1)
  14. Jun 07, 2019
    • userdebug: support perfetto traces as a section in incident reports · 72f247f5
      Ryan Savitski authored
      This set of patches adds a way for the perfetto command line client to
      save a trace to a hardcoded location,
      /data/misc/perfetto-traces/incident-trace, and call into incidentd to
      start a report, which will include said trace in a new section.
      
      This is not a long-term solution, and is structured to minimize changes
      to perfetto and incidentd. The latter is currently architected in a way
      where it can only pull pre-defined information out of the system, so
      we're resorting to persisting the intermediate results in a hardcoded
      location.
      
      This will introduce at most two more linked files at the same time.
      
      Bug: 130543265
      Bug: 134706389
      Tested: manually on crosshatch-userdebug
      Merged-In: I2aa27e25f0209b3a5cdf5d550d0312693932b808
      Change-Id: I2aa27e25f0209b3a5cdf5d550d0312693932b808
      (cherry picked from commit ce3a33ff182ce49cf91091cea553a3003d2c20f6)
  15. May 29, 2019
  16. May 28, 2019
  17. May 23, 2019
    • Allows StatsCompanionService to pipe data to statsd. · d0482ba4
      Max Dashouk authored
      Bug: 132444397
      Test: manually tested with ag/7555609
      
      Change-Id: I9e5f0a9d501a6728af3f27241300b3bb5c5c2123
      Merged-In: I9e5f0a9d501a6728af3f27241300b3bb5c5c2123
      (cherry picked from commit febfa8f22dc829c32ed493969afc43378e327ecf)
    • Fix selinux denials when applying updates in recovery. · 115aafa7
      David Anderson authored
      These lines are copied from update_engine.te, and are needed to update
      dynamic partitions in recovery.
      
      Bug: 132943965
      Test: sideload OTA on cuttlefish
      Change-Id: Id03a658aac69b8d20fa7bb758530a4469c75cf9c
      Merged-In: Id03a658aac69b8d20fa7bb758530a4469c75cf9c
    • sepolicy: Add policy for migrate_legacy_obb_data.sh · 0574e4cd
      Narayan Kamath authored
      .. and let installd execute it. Required to migrate legacy obb contents
      
      Bug: 129167772
      Test: make
      
      Change-Id: I35d35016680379e3a9363408704ee890a78a9748
    • Properly define hal_codec2 and related policies · 609c243d
      Pawin Vongmasa authored
      Test: make cts -j123 && cts-tradefed run cts-dev -m \
      CtsMediaTestCases --compatibility:module-arg \
      CtsMediaTestCases:include-annotation:\
      android.platform.test.annotations.RequiresDevice
      
      Bug: 131677974
      Change-Id: I59c3d225499a8c53c2ed9f3bd677ff3d7423990b
  18. May 22, 2019
  19. May 21, 2019
    • Allow init to set context for super_block_device · 6d66c021
      Hridya Valsaraju authored
      Fixes the following denial during boot:
      
      [    1.358156] selinux: SELinux: Could not set context for
      /dev/block/platform/soc/1d84000.ufshc/by-name/super:  Permission denied\x0a
      [    1.358275] audit: type=1400 audit(951562.676:7):
      avc:  denied  { relabelto } for  pid=1 comm="init" name="super"
      dev="tmpfs" ino=17657 scontext=u:r:init:s0 tcontext=u:object_r:super_block_device:s0
      tclass=lnk_file permissive=0
      
      Bug: 124410201
      Test: make
      Change-Id: Ib6752b8a6ae4211ba8c0a7417295b8144a2fed67
      Merged-In: Ib6752b8a6ae4211ba8c0a7417295b8144a2fed67
    • Add vendor_misc_writer change to API 29 prebuilts. · e6188741
      Tao Bao authored
      This is a matching change for commit 8f39cce7 ("Add
      vendor_misc_writer."), which updates the prebuilts for API 29.
      
      Bug: 132906936
      Test: Build crosshatch that includes misc_writer module. Invoke
            /vendor/bin/misc_writer to write data to /misc.
      Change-Id: Id12a1ed45c8cef6e4039a9dda6a1fb41f9e014de
    • Add persist.sys.device_provisioned change to API 29 prebuilts. · ab8db099
      Tao Bao authored
      This is a matching change for commit 97d45619 ("Set
      persist.sys.device_provisioned vendor-init-readable."), which updates
      the prebuilts for API 29.
      
      Bug: 131702833
      Bug: 132906936
      Test: Set an init trigger that waits on `persist.sys.device_provisioned`.
            Check that there's no longer a denial.
      Change-Id: I2cea3d000b7faa471fa524dcd7a3d4843ae5960f
    • selinux: Allow dumpstate send signals to vold · f7c3d19d
      Nikita Ioffe authored
      Test: adb bugreport
      Test: verified vold stacktrace is present in bugreport
      Bug: 132344997
      Change-Id: I0ebf7f171d854b9aaf894ccb8c7a5f68f18e692b
  20. May 20, 2019
  21. May 19, 2019
    • atrace: debug: allow notifying camera HAL of a change in sysprops · 37f06624
      Ryan Savitski authored
      Similar to aosp/961857, but enables the logging of atrace events from
      the camera HAL (primarily HIDL interactions, but also a couple of ION
      events).
      
      Keeping it confined to userdebug_or_eng. Longer-term planning belongs on
      b/78136428.
      
      Not adding fwk_camera_hwservice, as it is a HIDL interface to
      cameraserver (which is already covered above).
      
      Plus slight reorganization of existing atrace.te contents, and dontaudits
      to reduce logspam from denials (including pre-existing ones that were
      hitting the rate limiter).
      
      Specific denials addressed (listing HALs, finding camera HAL, notifying it):
      05-15 18:07:19.684   618   618 E SELinux : avc:  denied  { list } for  scontext=u:r:atrace:s0 tcontext=u:r:hwservicemanager:s0 tclass=hwservice_manager permissive=1
      05-15 18:07:19.701   618   618 E SELinux : avc:  denied  { find } for interface=android.hardware.camera.provider::ICameraProvider sid=u:r:atrace:s0 pid=10137 scontext=u:r:atrace:s0 tcontext=u:object_r:hal_camera_hwservice:s0 tclass=hwservice_manager permissive=1
      05-15 18:07:19.698 10137 10137 I atrace  : type=1400 audit(0.0:273): avc: denied { call } for scontext=u:r:atrace:s0 tcontext=u:r:hal_camera_default:s0 tclass=binder permissive=1
      
      Bug: 130543265
      Tested: flashed blueline-userdebug, took a trace with perfetto, confirmed HIDL atrace slices present in camera hal trace.
      Merged-In: I0f8ce989355603e41d6c05c3de07e7dd615555eb
      Change-Id: I0f8ce989355603e41d6c05c3de07e7dd615555eb
      (cherry picked from commit 19459a38026f89e266a07cbed88a586f95830ca5)
  22. May 16, 2019
    • Add ro.surface_flinger.set_touch_timer_ms to sepolicy · a6ba39bd
      Ady Abraham authored
      Test: set ro.surface_flinger.set_touch_timer_ms from init
      Bug: 131906818
      Change-Id: If489ae4ac993984305f764fb172014f42c41df67
    • atrace.te: allow notifying cameraserver of a change in sysprops · fb897428
      Ryan Savitski authored
      This allows the atrace cmd to notify cameraserver (the host of
      media.camera service) that the set of tracing-related system properties
      have changed. This allows the cameraserver to notice that it might need
      to enable its trace events.
      
      The atrace cmd has the necessary permission when running as shell, but
      not when it is running as the "atrace" domain (notably when exec'd by
      perfetto's traced_probes).
      
      We're adding cameraserver to the whitelist as it contains important
      events for investigating the camera stack.
      
      Example denial:
      05-14 22:29:43.501  8648  8648 W atrace  : type=1400 audit(0.0:389): avc: denied { call } for scontext=u:r:atrace:s0 tcontext=u:r:cameraserver:s0 tclass=binder permissive=0
      
      Tested: flashed blueline-userdebug, captured a perfetto trace with "camera" atrace category, confirmed that userspace atrace events are included in the trace.
      Bug: 130543265
      Merged-In: Ifd3fd5fd3a737c7618960343b9f89d3bf7141c94
      Change-Id: Ifd3fd5fd3a737c7618960343b9f89d3bf7141c94
      (cherry picked from commit 232295e8dbb25017676e8a68daabc4457addbe31)
  23. May 15, 2019
    • DO NOT SUBMIT: SEPolicy Prebuilts for Q · 869e4905
      Ian Pedowitz authored
      This is a hacked version of ag/7282335 as qt-release is behind qt-dev
      
      Bug: 129943426
      Test: Build
      Change-Id: I5863d433668b90a641d07fdbcd30ed82b28c9c1a
      (cherry picked from commit 8d411adea3eba1e943e45e104113f4efbc3d5d65)
    • SEPolicy Prebuilts for Q · 94b73725
      Ian Pedowitz authored
      Bug: 129943426
      Test: Build
      Change-Id: I3e091652fa8d1757b1f71f7559186d5b32f000d5