Winson Chiu
019037a810
Merge "DO NOT MERGE: Allow idmap1 to read vmdl*.tmp APK install files" into qt-dev
2019-04-25 15:56:18 +00:00
Winson Chiu
4b33d68d35
DO NOT MERGE: Allow idmap1 to read vmdl*.tmp APK install files
...
When upgrading a package, PackageParser acts on the temporary
APK file copied from the install location. This is passed to
idmap, which doesn't have read access because it's missing an
SELinux rule.
This is needed to fix a bug with manifest overlaying on updating
an app, a feature kept alive for Q.
Relevant logs when updating a target:
[ 550.068083] type=1400 audit(1556124408.583:3812): avc: denied { read } for comm="idmap" name="base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[ 550.090115] type=1400 audit(1556124408.583:3812): avc: denied { read } for comm="idmap" name="base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[ 550.092064] type=1400 audit(1556124408.603:3813): avc: denied { open } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[ 550.096202] type=1400 audit(1556124408.603:3813): avc: denied { open } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[ 550.098459] type=1400 audit(1556124408.613:3814): avc: denied { map } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[ 550.101640] type=1400 audit(1556124408.613:3814): avc: denied { map } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[ 550.104239] type=1400 audit(1556124408.613:3815): avc: denied { getattr } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
Bug: 130559507
Test: manual adb push /system/product/app/TestApp.apk with
/system/product/overlay/TestOverlay.apk enabling disabled launcher
Activity in TestApp; adb install -r TestApp.apk keeps enabled state
with changes
Change-Id: Ieeb7fb4f79ae091d0febf42ca358e7ffdfa6c3ff
(cherry picked from commit 7e7291a763)
2019-04-25 11:05:07 +00:00
Ady Abraham
53c096d1aa
Merge "Add new surfaceflinger ro props" into qt-dev
...
am: 58a9b10bb2
Change-Id: I0ba71694212a74f0c9304e8c8270b1cbeae4907f
2019-04-25 02:45:35 -07:00
Inseob Kim
c096bd0506
Merge "Build contexts files with Soong" am: b60155aeac
...
am: 478b4440e5
Change-Id: I3c5824d2436efbc9b681ae5aca0f5543546997da
2019-04-25 00:56:26 -07:00
Inseob Kim
478b4440e5
Merge "Build contexts files with Soong"
...
am: b60155aeac
Change-Id: Ibd2952538a3f587738a951ac135678d4d1d46882
2019-04-25 00:51:26 -07:00
Treehugger Robot
b60155aeac
Merge "Build contexts files with Soong"
2019-04-25 07:46:19 +00:00
Miao Wang
3f0eb7134f
Allow NNAPI HAL services access model files provided by privapp. am: 8c2f4babee
...
am: 381b055fe4
Change-Id: I6cdde48c8448166154d102305628f0bae108cfb1
2019-04-25 00:36:19 -07:00
Miao Wang
381b055fe4
Allow NNAPI HAL services access model files provided by privapp.
...
am: 8c2f4babee
Change-Id: I0ca4f11ddef992bfcac55c5a8fdc1b4b1d83c915
2019-04-25 00:31:12 -07:00
Miao Wang
8c2f4babee
Allow NNAPI HAL services access model files provided by privapp.
...
Bug: 131169221
Test: mm
Change-Id: I1004821bd30e2a0586b14178e352e885cabfc002
(cherry picked from commit aa568e1c79)
2019-04-24 21:15:45 -07:00
Miao Wang
aa568e1c79
Allow NNAPI HAL services access model files provided by privapp.
...
Bug: 131169221
Test: mm
Change-Id: I1004821bd30e2a0586b14178e352e885cabfc002
2019-04-24 21:14:32 -07:00
Luke Huang
91491ed107
Merge "Sepolicy for netutils_wrapper to use binder call" am: 75b25384bb
...
am: a35b8cc42b
Change-Id: Ic567cf288fc4f8362d6580204bc8fb69573a6bf4
2019-04-24 20:27:21 -07:00
Luke Huang
a35b8cc42b
Merge "Sepolicy for netutils_wrapper to use binder call"
...
am: 75b25384bb
Change-Id: Ib1dcfba93b5ba2fad7eec4ac9665e0486f6562be
2019-04-24 20:21:25 -07:00
Luke Huang
75b25384bb
Merge "Sepolicy for netutils_wrapper to use binder call"
2019-04-25 03:09:30 +00:00
Inseob Kim
b554e594ca
Build contexts files with Soong
...
This is to migrate sepolicy Makefiles into Soong. For the first part,
file_contexts, hwservice_contexts, property_contexts, and
service_contexts are migrated. Build-time tests for contexts files are
still in Makefile; they will also be done with Soong after porting the
module sepolicy.
The motivation of migrating is based on generating property_contexts
dynamically: if we were to amend contexts files at build time in the
future, it would be nicer to manage them in Soong. To do that, building
contexts files with Soong can be very helpful.
Bug: 127949646
Bug: 129377144
Test: 1) Build blueline-userdebug, flash, and boot.
Test: 2) Build blueline-userdebug with TARGET_FLATTEN_APEX=true, flash,
and boot.
Test: 3) Build aosp_arm-userdebug.
Change-Id: I576f6f20686f6f2121204f76657274696d652121
2019-04-25 09:59:28 +09:00
Jooyung Han
dd57671b44
Merge "Adding vendor_apex_file for /vendor/apex" am: 91c35aeab6
...
am: 37985b73c4
Change-Id: I9df7fa96c38686fb59d244de243fdf6fd01a7494
2019-04-24 16:57:07 -07:00
Jooyung Han
37985b73c4
Merge "Adding vendor_apex_file for /vendor/apex"
...
am: 91c35aeab6
Change-Id: I64f45f0861ce213a464a8900699e906cdde888cb
2019-04-24 16:52:04 -07:00
Treehugger Robot
91c35aeab6
Merge "Adding vendor_apex_file for /vendor/apex"
2019-04-24 23:32:56 +00:00
TreeHugger Robot
5f30c238ec
Merge "Allow signals to power/thermal HAL from dumpstate" into qt-dev
2019-04-24 20:18:26 +00:00
Winson Chiu
8ef4d78fbb
Merge "Allow idmap1 to read vmdl*.tmp APK install files" am: e4af840db6
...
am: 8d18a3bd51
Change-Id: I968d485072128b4f3263e26f068b8ffa889279b1
2019-04-24 13:16:21 -07:00
Winson Chiu
8d18a3bd51
Merge "Allow idmap1 to read vmdl*.tmp APK install files"
...
am: e4af840db6
Change-Id: I568001cc07d9aa8079ceb665d3d1695d0fcb3302
2019-04-24 13:06:16 -07:00
Treehugger Robot
e4af840db6
Merge "Allow idmap1 to read vmdl*.tmp APK install files"
2019-04-24 19:56:48 +00:00
TreeHugger Robot
58a9b10bb2
Merge "Add new surfaceflinger ro props" into qt-dev
2019-04-24 19:55:07 +00:00
Jooyung Han
ea61d198f2
Adding vendor_apex_file for /vendor/apex
...
apexd needs to read /vendor/apex dir and files in it.
Bug: 131190070
Bug: 123378252
Test: 1. Add apex to /vendor/apex
-> see if boot succeeds with new policy
2. Add flattened apex to /vendor/apex
-> see if only root files are labelled as vendor_apex_file
Change-Id: I37795ab6d659ac82639ba5e34d628fe1b5cdb350
2019-04-25 02:54:14 +09:00
Winson Chiu
7e7291a763
Allow idmap1 to read vmdl*.tmp APK install files
...
When upgrading a package, PackageParser acts on the temporary
APK file copied from the install location. This is passed to
idmap, which doesn't have read access because it's missing an
SELinux rule.
This is needed to fix a bug with manifest overlaying on updating
an app, a feature kept alive for Q.
Relevant logs when updating a target:
[ 550.068083] type=1400 audit(1556124408.583:3812): avc: denied { read } for comm="idmap" name="base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[ 550.090115] type=1400 audit(1556124408.583:3812): avc: denied { read } for comm="idmap" name="base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[ 550.092064] type=1400 audit(1556124408.603:3813): avc: denied { open } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[ 550.096202] type=1400 audit(1556124408.603:3813): avc: denied { open } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[ 550.098459] type=1400 audit(1556124408.613:3814): avc: denied { map } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[ 550.101640] type=1400 audit(1556124408.613:3814): avc: denied { map } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[ 550.104239] type=1400 audit(1556124408.613:3815): avc: denied { getattr } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
Bug: 130559507
Test: manual adb push /system/product/app/TestApp.apk with
/system/product/overlay/TestOverlay.apk enabling disabled launcher
Activity in TestApp; adb install -r TestApp.apk keeps enabled state
with changes
Change-Id: Ieeb7fb4f79ae091d0febf42ca358e7ffdfa6c3ff
2019-04-24 16:48:06 +00:00
Ryan Mitchell
d46c32894d
Merge "Allow zygote to scan static overlays on /oem" into qt-dev
...
am: 5e967d8780
Change-Id: I440e80b6499d12e062c1b7283eb7243475be86a2
2019-04-24 05:08:18 -07:00
TreeHugger Robot
5e967d8780
Merge "Allow zygote to scan static overlays on /oem" into qt-dev
2019-04-24 08:33:39 +00:00
Wei Wang
309aeabccb
Merge "Allow signals to power/thermal HAL from dumpstate" am: e556d33294
...
am: ffd8b90b6e
Change-Id: I3fe3ffe5f9f8ccd14443d38fec902f2ba9e879d4
2019-04-23 23:57:23 -07:00
Wei Wang
ffd8b90b6e
Merge "Allow signals to power/thermal HAL from dumpstate"
...
am: e556d33294
Change-Id: I99ed39a334f5ac4c4949c6df9b72b1678c110045
2019-04-23 23:52:20 -07:00
Sudheer Shanka
29b537127e
Merge "Remove obsolete denials tracking." am: a3c532295b
...
am: efc03d8ef8
Change-Id: I48a4260b0226caa7b3d3181f37f53194a009a51a
2019-04-23 23:47:22 -07:00
Treehugger Robot
e556d33294
Merge "Allow signals to power/thermal HAL from dumpstate"
2019-04-24 06:39:24 +00:00
Sudheer Shanka
efc03d8ef8
Merge "Remove obsolete denials tracking."
...
am: a3c532295b
Change-Id: I927c40141487aa1a651fb910bcdecbeed2d616a9
2019-04-23 23:37:14 -07:00
Treehugger Robot
a3c532295b
Merge "Remove obsolete denials tracking."
2019-04-24 06:30:23 +00:00
Bowgo Tsai
fc98d153c9
[automerger skipped] Merge "Fix denial of /debug_ramdisk/adb_debug.prop" into qt-dev
...
am: e28daa6172
-s ours
am skip reason: change_id I6dd356de989d597828a6e04846b793d611c477fa with SHA1 5a234338c1 is in history
Change-Id: Iee5b73ca1b9b60d28f45b5a2bf1e5d229050dd8b
2019-04-23 19:58:18 -07:00
TreeHugger Robot
e28daa6172
Merge "Fix denial of /debug_ramdisk/adb_debug.prop" into qt-dev
2019-04-24 02:47:19 +00:00
Jack Yu
58329f6536
Add sepolicy for nfc hal v1.2
...
Bug: 130509605
Test: No avc denial log and NFC works with hal v1.2
Change-Id: If54884f76a32705d11f2085f66fe83b9e0354f79
Merged-In: If54884f76a32705d11f2085f66fe83b9e0354f79
(cherry picked from commit a5dde796b5)
2019-04-24 09:58:44 +08:00
Bowgo Tsai
62fb037476
Fix denial of /debug_ramdisk/adb_debug.prop
...
This CL fixes the following SELinux denial, by allowing init to getattr
for tmpfs:file.
audit: type=1400 audit(15464939.926:4): avc: denied { getattr } for
pid=1 comm="init" path="/debug_ramdisk/adb_debug.prop" dev="tmpfs"
ino=25480 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=file
permissive=0
Note: the current sepolicy (before this change) has the following rules
for tmpfs:file:
$ sesearch --allow -t tmpfs -c file $OUT/vendor/etc/selinux/precompiled_sepolicy
allow dex2oat tmpfs:file { read map getattr };
allow init tmpfs:file { read unlink open setattr };
allow postinstall_dexopt tmpfs:file read;
allow profman tmpfs:file { read map };
allow vendor_init tmpfs:file { read map open setattr };
Bug: 126493225
Test: boot a device with debug ramdisk, checks related files are loaded
Change-Id: I6dd356de989d597828a6e04846b793d611c477fa
Merged-In: I6dd356de989d597828a6e04846b793d611c477fa
(cherry picked from commit 5a234338c1)
2019-04-23 23:13:43 +00:00
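Added example (not part of any commit listed here): the idmap and init commit messages above both go from AVC denial records to a missing allow rule, and the init one also checks `sesearch --allow` output for what is already granted. The sketch below does that derivation over log lines abridged from those two messages; the function names are illustrative, and the rules it prints are what the logs imply, not necessarily the text the commits added.

```python
import re
from collections import defaultdict

# Fields of a kernel AVC denial record that matter for writing policy.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=u:r:(?P<src>\w+):\S+\s+"
    r"tcontext=u:(?:object_r|r):(?P<tgt>\w+):\S+\s+tclass=(?P<cls>\w+)", re.S)
# One rule line of `sesearch --allow` output.
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+));")

# Sample input abridged from the two commit messages above.
IDMAP_LOG = """
avc: denied { read } for comm="idmap" name="base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
avc: denied { read } for comm="idmap" name="base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
avc: denied { open } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
avc: denied { map } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
avc: denied { getattr } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
"""
INIT_LOG = 'avc: denied { getattr } for pid=1 comm="init" path="/debug_ramdisk/adb_debug.prop" dev="tmpfs" ino=25480 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0'
INIT_RULES = """
allow dex2oat tmpfs:file { read map getattr };
allow init tmpfs:file { read unlink open setattr };
allow postinstall_dexopt tmpfs:file read;
"""

def denied(log):
    """Map (source, target, class) -> set of denied permissions."""
    need = defaultdict(set)
    for m in AVC_RE.finditer(log):
        need[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return need

def allowed(sesearch_output):
    """Map (source, target, class) -> permissions already granted."""
    have = defaultdict(set)
    for src, tgt, cls, many, one in ALLOW_RE.findall(sesearch_output):
        have[(src, tgt, cls)].update((many or one).split())
    return have

def missing_rules(log, sesearch_output=""):
    """Return allow rules for denied permissions not already granted."""
    have = allowed(sesearch_output)
    rules = []
    for key, perms in sorted(denied(log).items()):
        gap = sorted(perms - have[key])
        if gap:
            rules.append("allow %s %s:%s { %s };" % (*key, " ".join(gap)))
    return rules
```

Repeated records collapse into one rule per (source, target, class) triple, and permissions the existing policy already grants are left out, so only the gap is reported.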
Tao Bao
60d7c03c0a
Merge "Move ro.build.ab_update to vendor property." am: 2952a20565
...
am: 8ee8407cf6
Change-Id: I516073d28bfd8dc84efe833376fe646b4b818d7d
2019-04-23 15:34:52 -07:00
Tao Bao
8ee8407cf6
Merge "Move ro.build.ab_update to vendor property."
...
am: 2952a20565
Change-Id: Id5a07f238de66b561e83d8f0e4cd1f68053b8a89
2019-04-23 15:29:51 -07:00
Tri Vo
030c8b6127
[automerger skipped] Merge "Treble-ize sepolicy for fwk HIDL services." into qt-dev
...
am: 0b0f1cf708
-s ours
am skip reason: change_id I6e87b236bdbdd939fca51fb7255e97635118ed2d with SHA1 1d34b8cc31 is in history
Change-Id: I85e4c7924316c1a2d8c9e79fb06a4e3f9e5d5911
2019-04-23 15:23:23 -07:00
Chenbo Feng
f8ad3ca9fe
[automerger skipped] Merge "Move pf_key socket creation permission to netd" into qt-dev
...
am: 847149180c
-s ours
am skip reason: change_id Id5ca86aa4610e37a2752709ed9cfd4536ea3bfaf with SHA1 3bf0e82198 is in history
Change-Id: I9945e70593282a76c4239692604098b777e3204b
2019-04-23 15:20:46 -07:00
Tao Bao
2952a20565
Merge "Move ro.build.ab_update to vendor property."
2019-04-23 22:16:48 +00:00
Chenbo Feng
112be37442
[automerger skipped] Move pf_key socket creation permission to netd
...
am: 3bf0e82198
-s ours
am skip reason: change_id Id5ca86aa4610e37a2752709ed9cfd4536ea3bfaf with SHA1 8a5539b5f0 is in history
Change-Id: I2382eeb0fed05eee0d55370b467fab6d302f26fa
2019-04-23 15:15:16 -07:00
Tri Vo
0b0f1cf708
Merge "Treble-ize sepolicy for fwk HIDL services." into qt-dev
2019-04-23 22:10:50 +00:00
TreeHugger Robot
847149180c
Merge "Move pf_key socket creation permission to netd" into qt-dev
2019-04-23 21:57:09 +00:00
Wei Wang
addfe4679d
Allow signals to power/thermal HAL from dumpstate
...
Bug: 129711808
Test: Take BR
Change-Id: Ibcb03698a6e2966f4913ddb6e674502bce4df235
2019-04-23 14:22:41 -07:00
Wei Wang
76d93f0ce8
Allow signals to power/thermal HAL from dumpstate
...
Bug: 129711808
Test: Take BR
Change-Id: Ibcb03698a6e2966f4913ddb6e674502bce4df235
2019-04-23 14:21:03 -07:00
Ady Abraham
ff9d4bdd63
Add new surfaceflinger ro props
...
add the new ro properties added to surfaceflinger:
ro.surface_flinger.set_idle_timer_ms
ro.surface_flinger.use_smart_90_for_video
Bug: 131054357
Test: Boot with SELinux enforcing
Change-Id: I887b318a95db200280344a11fcf7deaadafdeca9
2019-04-23 14:17:32 -07:00
Mikhail Naganov
374c044e58
Merge "Allow mediaserver to find "audio" service" am: 1c3b84b00d
...
am: 7660bb4514
Change-Id: Ia80581d495d38908450d029843ab871ff8071675
2019-04-23 10:47:22 -07:00
Bowgo Tsai
9c81edf05f
[automerger skipped] Adding userdebug_plat_sepolicy.cil
...
am: f89ea09308
-s ours
am skip reason: change_id I9df514054a86d63449b3ebfd1afdee2aee649418 with SHA1 e763667ee1 is in history
Change-Id: I7ceb14d9f3f487fe758e725baa541e5dd8d7101d
2019-04-23 10:34:30 -07:00
Bowgo Tsai
d7959076b9
Merge "Fix denial of /debug_ramdisk/adb_debug.prop" am: 98fcefb276
...
am: 65c01163ba
Change-Id: Ie7b5536f2cfa997e8fb34ccb407393da56f959d3
2019-04-23 10:13:58 -07:00