- Apr 12, 2018
-
-
TreeHugger Robot authored
-
TreeHugger Robot authored
-
- Apr 11, 2018
-
-
Jaekyun Seok authored
Bug: 75987246 Test: succeeded builing and tested with taimen Change-Id: I2d8bc91c305e665ed9c69459e51204117afb3eee
-
Jeff Vander Stoep authored
Addresses: avc: denied { find } for interface=android.hardware.tetheroffload.config::IOffloadConfig scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_hwservice:s0 tclass=hwservice_manager Bug: 77855688 Test: build/boot Sailfish, turn on tethering, no selinux denial Change-Id: I97cae0928b5311a4da41d19cbd5c863c3137a49f -
TreeHugger Robot authored
-
TreeHugger Robot authored
-
Jeff Vander Stoep authored
Addresses: avc: denied { sys_resource } for comm="ip6tables" capability=24 scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netutils_wrapper:s0 tclass=capability Bug: 77905989 Test: build and flash taimen-userdebug Change-Id: Ic5d7c96152b96b55255eeec00b19948f38c1923c -
Joel Galenson authored
We have seen crash_dump denials for radio_data_file, shared_relro_file, shell_data_file, and vendor_app_file. This commit widens an existing dontaudit to include them as well as others that we might see. Bug: 77908066 Test: Boot device. Change-Id: I9ad2a2dafa8e73b13c08d0cc6886274a7c0e3bac (cherry picked from commit a3b3bdbb)
-
Joel Galenson authored
We often see the following denials: avc: denied { sys_rawio } for comm="update_engine" capability=17 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0 avc: denied { sys_rawio } for comm="boot@1.0-servic" capability=17 scontext=u:r:hal_bootctl_default:s0 tcontext=u:r:hal_bootctl_default:s0 tclass=capability permissive=0 These are benign, so we are hiding them. Bug: 37778617 Test: Boot device. Change-Id: Iac196653933d79aa9cdeef7670076f0efc97b44a (cherry picked from commit bf4afae1)
-
- Apr 10, 2018
-
-
- Apr 09, 2018
-
-
Jeff Vander Stoep authored
avc: denied { read } for comm="batterystats-wo" name="show_stat" dev="sysfs" scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file Bug: 77816522 Test: build Change-Id: I50a9bfe1a9e4df9c84cf4b2b4aedbb8f82ac94cd -
Alan Stokes authored
-
Alan Stokes authored
-
- Apr 07, 2018
-
-
TreeHugger Robot authored
-
- Apr 06, 2018
-
-
Mikhail Naganov authored
Bug: 73405145 Test: cts-tradefed run cts -m CtsMediaTestCases -t android.media.cts.AudioRecordTest#testRecordNoDataForIdleUids Change-Id: I09bdb74c9ecc317ea090643635ca26165efa423a
-
Yifan Hong authored
-
Yifan Hong authored
This is originally allowed in healthd but the permission was not transfered to health HAL. A typical health HAL implementation is likely to write battery info to kernel logs. Test: device has battery kernel logs with health HAL but without healthd Bug: 77661605 Change-Id: Ib3b5d3fe6bdb3df2a240c85f9d27b863153805d2 -
Florian Mayer authored
This is needed to be able to scan the labels we have permission on. Denial: 04-06 12:52:22.674 874 874 W traced_probes: type=1400 audit(0.0:10314): avc: denied { search } for name="backup" dev="sda45" ino=6422529 scontext=u:r:traced_probes:s0 tcontext=u:object_r:backup_data_file:s0 tclass=dir permissive=0 Bug: 73625480 cherry-picked from aosp/658243 Change-Id: I52f3865952004bfc6fe22c488d768276866f8ae1 Merged-In: I52f3865952004bfc6fe22c488d768276866f8ae1 -
Alan Stokes authored
cgroupfs doesn't allow files to be created, so this can't be needed. Also remove redundant neverallow and dontaudit rules. These are now more broadly handled by domain.te. Bug: 74182216 Test: Denials remain silenced. Change-Id: If7eb0e59f567695d987272a2fd36dbc251516e9f
-
Alan Stokes authored
This allows system_server to access it for determining battery stats (see KernelMemoryBandwidthStats.java). batterystats-wo: type=1400 audit(0.0:429): avc: denied { read } for name="show_stat" dev="sysfs" ino=48071 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 Bug: 72643420 Bug: 73947096 Test: Denial is no longer present. Change-Id: Ibe46aee48eb3f78fa5a9d1f36602c082c33036f7
-
- Apr 05, 2018
-
-
Kweku Adams authored
Bug: 72177715 Test: flash device and check incident output Change-Id: I16c172caec235d985a6767642134fbd5e5c23912 (cherry picked from commit 985db6d8)
-
- Apr 04, 2018
-
-
Jeff Vander Stoep authored
avc: denied { read } for name="ext4" dev="sysfs" ino=32709 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0 b/72749888 avc: denied { read } for name="state" dev="sysfs" ino=51318 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_android_usb:s0 tclass=file permissive=0 b/72749888 Bug: 72749888 Test: build/boot taimen-userdebug. No more logspam Change-Id: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e -
TreeHugger Robot authored
-
TreeHugger Robot authored
-
Tri Vo authored
* changes: Test that /proc files have proc_type attribute. Assert types labeled in genfs_contexts have correct attributes
-
- Apr 03, 2018
-
-
-
Jeff Vander Stoep authored
Types in sysfs should have the sysfs_type attribute, types in debugfs and tracefs should have the debugfs_type attribute. TODO: Test that files in procfs have the proc_type attribute. TODO: Assert these tests in CTS. Bug: 74182216 Test: build - these are build-time tests. Change-Id: Icf0ff2a26c05f94da421ba23df0b92d8eef906bf Merged-In: Icf0ff2a26c05f94da421ba23df0b92d8eef906bf (cherry picked from commit 1b828444)
-
Nathan Harold authored
Because applications should be able to set the receive timeout on UDP encapsulation sockets, we need to allow setsockopt(). getsockopt() is an obvious allowance as well. Bug: 68689438 Test: compilation Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c
-
TreeHugger Robot authored
-
TreeHugger Robot authored
-
Jeff Tinker authored
Change-Id: Id7823a3130443107beb4d97426807a6395cf6930 related-to-bug:74607984 test:adb bugreport and check for drm trace dumps
-
TreeHugger Robot authored
-
- Apr 02, 2018
-
-
Jaekyun Seok authored
A default value of persist.sys.sf.native_mode could be set by SoC partners in some devices including some pixels. So it should have vendor_init_settable accessibility. Bug: 74266614 Test: succeeded building and tested with a pixel device with PRODUCT_COMPATIBLE_PROPERTY_OVERRIDE=true. Change-Id: I5d7a029f82505983d21dc722541fb55761a8714d Merged-In: I5d7a029f82505983d21dc722541fb55761a8714d (cherry picked from commit 0dc35873)
-
Andreas Gampe authored
Update for debugfs labeling changes. Update for simpleperf behavior with stack traces (temp file). (cherry picked from commit c8fe29ff) Bug: 73175642 Test: m Test: manual - run profiling, look for logs Merged-In: Ie000a00ef56cc603f498d48d89001f566c03b661 Change-Id: Ie000a00ef56cc603f498d48d89001f566c03b661
-
TreeHugger Robot authored
-
Jiyong Park authored
This reverts commit 942500b9. Bug: 75287236 Test: boot a device Merged-In: If81a2d2a46979ffbd536bb95528c3b4ebe3483df Change-Id: If81a2d2a46979ffbd536bb95528c3b4ebe3483df (cherry picked from commit a6d9d6b6)
-
- Mar 31, 2018
-
-
yro authored
Bug: 75968642 Test: manual testing to check for sepolicy violation Cherry-picked from aosp/652222 Change-Id: Idc83669feaf9fd17bed26f89dfce33e3f2f5424f
-
- Mar 30, 2018
-
-
TreeHugger Robot authored
-
TreeHugger Robot authored
-
Chenbo Feng authored
The netutils_wrapper is a process used by vendor code to update the iptable rules on devices. When it update the rules for a specific chain. The iptable module will reload the whole chain with the new rule. So even the netutils_wrapper do not need to add any rules related to xt_bpf module, it will still reloading the existing iptables rules about xt_bpf module and need pass through the selinux check again when the rules are reloading. So we have to grant it the permission to reuse the pinned program in fs_bpf when it modifies the corresponding iptables chain so the vendor module will not crash anymore. Test: device boot and no more denials from netutils_wrapper Bug: 72111305 Change-Id: I62bdfd922c8194c61b13e2855839aee3f1e349be (cherry picked from aosp commit 2623ebcf)
-
