- Jun 21, 2017
-
-
Dan Cashman authored
This reverts commit 3e307a4d. Test: Builds - neverallow change only. Bug: 62806062 Change-Id: Id3aa1b425cf48fc8586890c9850a74594584922d
-
Dan Cashman authored
am: e51e6131 Change-Id: I153a14af008e52fbe6677007e0e1ad4e472be3da
-
Dan Cashman authored
am: 11dcf197 Change-Id: I96b2af315b4c35ddd47315f3ca4a9b098eab1d59
-
Dan Cashman authored
am: 317c4171 Change-Id: I418cc929f8e0a698220e0b8b1c51314ef9ea52a8
-
Dan Cashman authored
am: 044d2072 Change-Id: Ia6f8a806adae230df50f8d06edcf4ba9d2ae4352
-
Dan Cashman authored
am: 3e307a4d Change-Id: Ic144d924948d7b8e73939806d761d27337dbebef
-
Dan Cashman authored
am: 3e307a4d Change-Id: I90e567c8138fa75bf792af181890d0af627b6f48
-
Dan Cashman authored
Same-process HALs are forbidden except for very specific HALs that have been provided and whitelisted by AOSP. As a result, a vendor extension HAL may have a need to be accessed by untrusted_app. This is still discouraged, and the existing AOSP hwservices are still forbidden, but remove the blanket prohibition. Also indicate that this is temporary, and that partners should expect to get exceptions to the rule into AOSP in the future. Bug: 62806062 Test: neverallow-only change builds. Verify new attribute is in policy. Change-Id: I6d3e659147d509a3503c2c9e0b6bb9016cc75832
-
- Jun 20, 2017
-
-
-
-
-
-
-
-
Yabin Cui authored
This is to Allow commands like `adb shell run-as ...`. Bug: http://b/62358246 Test: run commands manually. Change-Id: I7bb6c79a6e27ff1224a80c6ddeffb7f27f492bb2 (cherry picked from commit 1847a38b)
-
-
-
-
-
TreeHugger Robot authored
-
- Jun 19, 2017
-
-
TreeHugger Robot authored
-
Yabin Cui authored
run-as uses file descriptor created by adbd when running `adb shell -t run-as xxx`. It produces audit warnings like below: [ 2036.555371] c1 509 type=1400 audit(1497910817.864:238): avc: granted { use } for pid=4945 comm="run-as" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:runas:s0 tcontext=u:r:adbd:s0 tclass=fd Bug: http://b/62358246 Test: test manually that the warning disappears. Change-Id: I19023ac876e03ce2afe18982fe753b07e4c876bb -
TreeHugger Robot authored
-
Tom Cherry authored
am: ac178672 Change-Id: I1c7919c78b60997a5ead95e8efa604069cbc61d3
-
Tom Cherry authored
am: 0e6a3d87 Change-Id: I3af30f8f65918e273f634a9aa120c5cbeefd3a65
-
Joel Galenson authored
An earlier commit moved tracefs file labels from file_contexts to tracefs. But this requires a kernel patch that is not present on all devices, so let's revert it until that is merged. Bug: 62485981 Test: Built, flashed, and booted two devices. Verified that the files have the correct context. Verified that traceur works. Change-Id: I8ee3ea9864f73a92943cdbc550131d4a71b842ba
-
Tom Cherry authored
-
Jin Qian authored
recovery exec /system/bin/{mke2fs,e2fsdroid} to format userdata Bug: 35219933 Change-Id: I77e75c2dc55d4bea7984707f27bc215de186c4d1 -
Dan Cashman authored
More changes went into oc-dev after the freeze-date. Reflect them. Bug: 37896931 Test: prebuilts - none. Change-Id: I3300751ea7362d5d96b327138544be65eb9fc483
-
Tom Cherry authored
In libprocessgroup, we want to only send signals once to processes, particularly for SIGTERM. We must send the signal both to all processes within a POSIX process group and a cgroup. To ensure that we do not duplicate the signals being sent, we check the processes in the cgroup to see if they're in the POSIX process groups that we're killing. If they are, we skip sending a second signal. This requires getpgid permissions, hence this SELinux change. avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1 avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1 avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1 avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1 avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1 avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1 avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1 avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1 Bug: 37853905 Bug: 62418791 Test: Boot, kill zygote, reboot Change-Id: Ib6c265dbaac8833c47145ae28fb6594ca8545570 (cherry picked from commit c59eb4d8)
-
- Jun 16, 2017
-
-
Jeff Vander Stoep authored
am: 3c7156b5 Change-Id: I20743966a8eedb8a5168356d6af3907234431e31
-
Daniel Rosenberg authored
am: 581069bf Change-Id: I58f7e0c44e68908101cb874789994885ed9a15e9
-
Daniel Rosenberg authored
am: 77ea7ccb Change-Id: I6ce8f52e97f0198cf712a60fd6af1e77090ec338
-
Jeff Vander Stoep authored
am: 1468f85f Change-Id: Idd803017a8087ac9e9221c0ca6ac5893391db6de
-
Daniel Rosenberg authored
am: 29713c8d Change-Id: I7089b62f8c54e24af47263325e085f092231f29d
-
TreeHugger Robot authored
-
Daniel Rosenberg authored
am: 39c4f76b Change-Id: I54b821fa20f428eaad1c8ab934a7e479664a6038
-
Daniel Rosenberg authored
am: 58d0d1e4 Change-Id: I1a2207be3509ec5bc7797b906e15da16099190ad
-
Daniel Rosenberg authored
am: 58d0d1e4 Change-Id: Ia53beb365c39d501c9d6cd53a4cb72dec14b610b
-
TreeHugger Robot authored
-
