  1. Feb 09, 2016
  2. Feb 05, 2016
  3. Jan 28, 2016
  4. Jan 27, 2016
  5. Jan 26, 2016
    • Reduce accessibility of voiceinteraction_service. · aedf2236
      dcashman authored
      The services under this label are not meant to be exposed to all apps.
      Currently only priv_app needs access.
      
      Bug: 26799206
      Change-Id: I07c60752d6ba78f27f90bf5075bcab47eba90b55
    • Allow update_engine to use Binder IPC. · dce317cf
      Tao Bao authored
      Register service with servicemanager and name the context.
      
      avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:servicemanager:s0 tclass=binder
      avc: denied { add } for service=android.os.IUpdateEngine scontext=u:r:update_engine:s0 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager
      
      Also allow priv_app to communicate with update_engine.
      
      avc: denied { find } for service=android.os.IUpdateEngine scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager
      avc: denied { call } for scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:update_engine:s0 tclass=binder
      avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:priv_app:s0 tclass=binder
      
      Change-Id: Ib4498717c1a72f5faab5ea04c636924ee4eb412c
  6. Jan 22, 2016
  7. Dec 08, 2015
  8. Nov 19, 2015
    • grant country_detector_service app_api_service attribute · 9d8728db
      Jeff Vander Stoep authored
      All apps should have access to the country_detector service.
      
      avc:  denied  { find } for service=country_detector pid=1802 uid=1010002 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:country_detector_service:s0 tclass=service_manager
      
      Bug: 25766732
      Change-Id: Ie3f1a801114030dada7ad70c715a62907a2d264f
  9. Nov 18, 2015
    • grant country_detector_service app_api_service attribute · 1e1d65a3
      Jeff Vander Stoep authored
      All apps should have access to the country_detector service.
      
      avc:  denied  { find } for service=country_detector pid=1802 uid=1010002 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:country_detector_service:s0 tclass=service_manager
      
      Bug: 25766732
      Change-Id: Ie3f1a801114030dada7ad70c715a62907a2d264f
  10. Nov 17, 2015
    • grant deviceidle_service app_api_service attribute · 692bdc44
      Jeff Vander Stoep authored
      avc:  denied  { find } for service=deviceidle pid=26116 uid=10007 scontext=u:r:untrusted_app:s0:c512,c768
      tcontext=u:object_r:deviceidle_service:s0 tclass=service_manager
      
      Bug: 25734577
      Change-Id: I3c955e6df2186ad7adb6b599c5b6b802b8ecd8de
  11. Oct 27, 2015
  12. Oct 22, 2015
  13. Oct 19, 2015
    • Policy for priv_app domain · 7f09a945
      Jeff Vander Stoep authored
      Verifier needs access to apk files.
      avc: denied { search } for pid=11905 comm="ackageinstaller" name="vmdl2040420713.tmp" dev="dm-2" ino=13647 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=0
      
      Give bluetooth_manager_service and trust_service the app_api_service
      attribute.
      avc:  denied  { find } for service=bluetooth_manager pid=7916 uid=10058 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:bluetooth_manager_service:s0 tclass=service_manager permissive=0
      avc:  denied  { find } for service=trust pid=25664 uid=10069 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:trust_service:s0 tclass=service_manager permissive=0
      
      Bug: 25066911
      Change-Id: I6be695546f8a951e3329c1ec412936b8637e5835
  14. Oct 17, 2015
    • Give services app_api_service attribute · 734e4d7c
      Jeff Vander Stoep authored
      avc:  denied  { find } for service=network_management pid=4503 uid=10070 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:network_management_service:s0 tclass=service_manager
      avc:  denied  { find } for service=netstats pid=4503 uid=10070 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:netstats_service:s0 tclass=service_manager permissive=0
      
      Bug: 25022496
      Change-Id: Ib6eac76b680fed3eca7e4942c6b0e375f12b6496
  15. Oct 16, 2015
    • grant webviewupdate_service app_api_service attribute · 7813cc8d
      Jeff Vander Stoep authored
      avc:  denied  { find } for service=webviewupdate pid=11399 uid=10070 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:webviewupdate_service:s0 tclass=service_manager permissive=0
      
      Bug: 25018574
      Change-Id: I26a7846d1c80c1ab3842813f4148528030b1106a
  16. Sep 25, 2015
  17. May 20, 2015
  18. Apr 29, 2015
    • Make deviceidle accessible as system_api_service. · 31548db0
      dcashman authored
      deviceidle service should be accessible to all non third-party apps.
      
      Cherry-pick of commit: 7c1dced7
      
      Change-Id: Ia410fe0027f212009cc2abeaabc64c7c87841daa
    • Make deviceidle accessible as system_api_service. · 7c1dced7
      dcashman authored
      deviceidle service should be accessible to all non third-party apps.
      
      Change-Id: Ia410fe0027f212009cc2abeaabc64c7c87841daa
    • Expand access to gatekeeperd. · ab5cf668
      Alex Klyubin authored
      This enables access to gatekeeperd for anybody who invokes Android
      framework APIs. This is necessary because the AndroidKeyStore
      abstraction offered by the framework API occasionally communicates
      with gatekeeperd from the calling process.
      
      (cherry picked from commit effcac7d)
      
      Bug: 20526234
      Change-Id: I450242cd085259b3f82f36f359ee65ff27bebd13
    • Expand access to gatekeeperd. · effcac7d
      Alex Klyubin authored
      This enables access to gatekeeperd for anybody who invokes Android
      framework APIs. This is necessary because the AndroidKeyStore
      abstraction offered by the framework API occasionally communicates
      with gatekeeperd from the calling process.
      
      Bug: 20526234
      Change-Id: I3362ba07d1a7e5f1c47fe7e9ba6aec5ac3fec747
  19. Apr 09, 2015
    • Make persistent_data_block_service a system_api_service. · 53212794
      dcashman authored
      Settings needs to be able to access it when opening developer options.
      
      Address the following denial:
      avc:  denied  { find } for service=persistent_data_block scontext=u:r:system_app:s0 tcontext=u:object_r:persistent_data_block_service:s0 tclass=service_manager
      
      Bug: 20131472
      Change-Id: I85e2334a92d5b8e23d0a75312c9b4b5bf6aadb0b
    • Make backup service app_api_service. · 9378ceaf
      dcashman authored
      Backup service needs to be accessible to all apps to notify the system when
      something changes which is being backed-up.
      
      Bug: 18106000
      Change-Id: I8f34cca64299960fa45afc8d09110123eb79338b
    • Enforce more specific service access. · bd7f5803
      dcashman authored
      Move the remaining services from tmp_system_server_service to appropriate
      attributes and remove tmp_system_server and associated logging:
      
      registry
      restrictions
      rttmanager
      scheduling_policy
      search
      sensorservice
      serial
      servicediscovery
      statusbar
      task
      textservices
      telecom_service
      trust_service
      uimode
      updatelock
      usagestats
      usb
      user
      vibrator
      voiceinteraction
      wallpaper
      webviewupdate
      wifip2p
      wifi
      window
      
      Bug: 18106000
      Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0
  20. Apr 08, 2015
    • Enforce more specific service access. · 03a6f64f
      dcashman authored
      Move the following services from tmp_system_server_service to appropriate
      attributes:
      
      network_management
      network_score
      notification
      package
      permission
      persistent
      power
      print
      processinfo
      procstats
      
      Bug: 18106000
      Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c
  21. Apr 07, 2015
    • Enforce more specific service access. · 91b7c67d
      dcashman authored
      Move the following services from tmp_system_server_service to appropriate
      attributes:
      
      jobscheduler
      launcherapps
      location
      lock_settings
      media_projection
      media_router
      media_session
      mount
      netpolicy
      netstats
      
      Bug: 18106000
      Change-Id: Ia82d475ec41f658851f945173c968f4abf57e7e1
    • Enforce more specific service access. · 3cc6fc5f
      dcashman authored
      Move the following services from tmp_system_server_service to appropriate
      attributes:
      
      diskstats
      display
      dreams
      dropbox
      ethernet
      fingerprint
      graphicstats
      hardware
      hdmi_control
      input_method
      input_service
      
      Bug: 18106000
      Change-Id: Iadd8aab9e78d9d39fb00cf0b5a95fa1927d02095
    • Enforce more specific service access. · d4c78f4b
      dcashman authored
      Move the following services from tmp_system_server_service to appropriate
      attributes:
      
      battery
      bluetooth_manager
      clipboard
      commontime_management
      connectivity
      content
      country_detector
      device_policy
      deviceidle
      
      Bug: 18106000
      Change-Id: I0d0f2a075c0509a783631d88ba453ac13399cdf2
  22. Apr 06, 2015
    • SELinux permissions for gatekeeper TEE proxy · e207986e
      Andres Morales authored
      sets up:
      - execute permissions
      - binder permission (system_server->gatekeeper->keystore)
      - prevents dumpstate and shell from finding GK binder service
      - neverallow rules for prohibited clients
      
      Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e
    • Assign app_api_service attribute to services. · 4cdea7fc
      dcashman authored
      Assign the alarm, appwidget, assetatlas, audio, backup and batterystats services
      the appropriate service access levels and move into enforcing.
      
      Bug: 18106000
      Change-Id: If3210bb25f3076edfdb6eec36ef6521ace1bd8d7
  23. Apr 03, 2015
    • Assign app_api_service attribute to services. · b075338d
      dcashman authored
      Move accessibility, account, appops and activity services into enforcing with
      app_api_service level of access, with additional grants to mediaserver and
      isolated app.
      
      Bug: 18106000
      Change-Id: I1d5a79b9223026415f1690e8e9325ec4c270e3dd
    • Add system_api_service and app_api_service attributes. · d12993f0
      dcashman authored
      System services differ in designed access level.  Add attributes reflecting this
      distinction and label services appropriately.  Begin moving access to the newly
      labeled services by removing them from tmp_system_server_service into the newly
      made system_server_service attribute.  Reflect the move of system_server_service
      from a type to an attribute by removing access to system_server_service where
      appropriate.
      
      Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b
  24. Mar 27, 2015
  25. Mar 19, 2015
  26. Jan 29, 2015
  27. Jan 14, 2015
    • Make system_server_service an attribute. · 4a89cdfa
      dcashman authored
      Temporarily give every system_server_service its own
      domain in preparation for splitting it and identifying
      special services or classes of services.
      
      Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
  28. Jul 01, 2014
    • Add imms service and system_app_service type. · b1ec3dfa
      Riley Spahn authored
      Map imms to system_app_service in service_contexts and add
      the system_app_service type and allow system_app to add the
      system_app_service.
      
      Bug: 16005467
      Change-Id: I06ca75e2602f083297ed44960767df2e78991140