Commit graph

6032 commits

Author SHA1 Message Date
Tao Bao
51523e59da resolve merge conflicts of 42baca019b to master.
Change-Id: I7fe13cbe563dcd2f286696010f0a5034dfee0202
2016-01-25 21:03:36 -08:00
Tao Bao
42baca019b Merge "Allow update_engine to use Binder IPC."
am: 6899e0a38b

* commit '6899e0a38b14047f561493e87341b72dfbf3fe8a':
  Allow update_engine to use Binder IPC.
2016-01-26 04:52:53 +00:00
Tao Bao
6899e0a38b Merge "Allow update_engine to use Binder IPC." 2016-01-26 04:33:51 +00:00
dcashman
d357760531 Add adbd socket perms to system_server. am: b037a6c94b
am: c37fa20383

* commit 'c37fa2038327c8879e297b6fa9b76ba45ddcf67c':
  Add adbd socket perms to system_server.
2016-01-26 01:44:45 +00:00
dcashman
c37fa20383 Add adbd socket perms to system_server.
am: b037a6c94b

* commit 'b037a6c94b357c9a85d13dde548f5799c592c6ac':
  Add adbd socket perms to system_server.
2016-01-26 01:42:44 +00:00
Tao Bao
dce317cf43 Allow update_engine to use Binder IPC.
Register service with servicemanager and name the context.

avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:servicemanager:s0 tclass=binder
avc: denied { add } for service=android.os.IUpdateEngine scontext=u:r:update_engine:s0 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager

Also allow priv_app to communicate with update_engine.

avc: denied { find } for service=android.os.IUpdateEngine scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager
avc: denied { call } for scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:update_engine:s0 tclass=binder
avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:priv_app:s0 tclass=binder

Change-Id: Ib4498717c1a72f5faab5ea04c636924ee4eb412c
2016-01-25 16:42:38 -08:00
dcashman
b037a6c94b Add adbd socket perms to system_server.
Commit 2fdeab3789 added ability to debug
over adbd for zygote-spawned apps, required by removal of domain_deprecated
from untrusted_app.  This functionality is a core debuggable component
of the android runtime, so it is needed by system_server as well.

Bug: 26458796
Change-Id: I29f5390122b3644449a5c3dcf4db2d0e969f6a9a
2016-01-25 16:09:01 -08:00
Jeff Vander Stoep
dfd82ecbbf app: connect to adbd am: 2fdeab3789
am: 97ebf96aba

* commit '97ebf96aba44f9cf14b975051b240bade5841053':
  app: connect to adbd
2016-01-25 23:29:18 +00:00
Jeff Vander Stoep
97ebf96aba app: connect to adbd
am: 2fdeab3789

* commit '2fdeab3789ec6e5ec6f7424abf41a9aaa73564b0':
  app: connect to adbd
2016-01-25 23:27:33 +00:00
Jeff Vander Stoep
2fdeab3789 app: connect to adbd
Permission to connect to adb was removed from untrusted_app when
the domain_deprecated attribute was removed. Add it back to support
debugging of apps. Grant to all apps as eventually
domain_deprecated will be removed from everything.

Bug: 26458796
Change-Id: I4356e6d011094cdb6829210dd0eec443b21f8496
2016-01-25 15:20:05 -08:00
Jeff Vander Stoep
042d37c3a4 domain: allow dir search in selinuxfs am: 45517a7547
am: cfa5d76fb8

* commit 'cfa5d76fb8c9ec4d68d1664c540ebe2f03e09d49':
  domain: allow dir search in selinuxfs
2016-01-25 18:31:12 +00:00
Jeff Vander Stoep
cfa5d76fb8 domain: allow dir search in selinuxfs
am: 45517a7547

* commit '45517a7547de0a9f0c13b5907c243456ec61bf04':
  domain: allow dir search in selinuxfs
2016-01-25 18:28:59 +00:00
Jeff Vander Stoep
45517a7547 domain: allow dir search in selinuxfs
Domain is already allowed to stat selinuxfs; it also needs
dir search.

Addresses:
avc: denied { search } for name="/" dev="selinuxfs" ino=1 scontext=u:r:watchdogd:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir

Change-Id: I3e5bb96e905db480a2727038f80315d9544e9c07
2016-01-25 18:18:36 +00:00
Jeffrey Vander Stoep
5c091945c7 Merge "watchdog: remove domain_deprecated" am: c1b0ffcfdc
am: febf92ea52

* commit 'febf92ea529aedf7341b15330a90ad49e4cf544f':
  watchdog: remove domain_deprecated
2016-01-25 17:16:59 +00:00
Jeffrey Vander Stoep
febf92ea52 Merge "watchdog: remove domain_deprecated"
am: c1b0ffcfdc

* commit 'c1b0ffcfdcb331d578eb159b58b871041e49fb90':
  watchdog: remove domain_deprecated
2016-01-25 17:14:11 +00:00
Jeffrey Vander Stoep
c1b0ffcfdc Merge "watchdog: remove domain_deprecated" 2016-01-25 17:09:46 +00:00
Jeff Vander Stoep
1eeaa47eac watchdog: remove domain_deprecated
Change-Id: I60d66da98a8da9cd7a9d0130862242e09b7dccf1
2016-01-25 08:12:21 -08:00
Nick Kralevich
9ed70dc59b app.te: grant /system dir/file/symlink read am: 5c8854abef
am: 2f89f3c1e6

* commit '2f89f3c1e6bcc64c589c5fe56c1064063d769f8d':
  app.te: grant /system dir/file/symlink read
2016-01-23 17:28:44 +00:00
Nick Kralevich
2f89f3c1e6 app.te: grant /system dir/file/symlink read
am: 5c8854abef

* commit '5c8854abef570bf62930902ec6ca6b9df4523458':
  app.te: grant /system dir/file/symlink read
2016-01-23 17:26:53 +00:00
Nick Kralevich
5c8854abef app.te: grant /system dir/file/symlink read
Renderscript needs the ability to read directories on
/system. Allow it and file/symlink read access.

Addresses the following denials:
  RenderScript: Invoking /system/bin/ld.mc with args '/system/bin/ld.mc -shared -nostdlib
    /system/lib64/libcompiler_rt.so -mtriple=aarch64-none-linux-gnueabi
    --library-path=/system/vendor/lib64 --library-path=/system/lib64
    -lRSDriver -lm -lc
    /data/user/0/com.android.rs.test/code_cache/com.android.renderscript.cache/primitives.o
    -o
    /data/user/0/com.android.rs.test/code_cache/com.android.renderscript.cache/librs.primitives.so'
  ld.mc   : type=1400 audit(0.0:1340): avc: denied { read } for name="lib64" dev="mmcblk0p24" ino=212 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
  ld.mc   : type=1400 audit(0.0:1341): avc: denied { read } for name="lib64" dev="mmcblk0p29" ino=1187 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
  RenderScript: Child process "/system/bin/ld.mc" terminated with status 256

Change-Id: I9fb989f66975ed553dbc0c49e9c5b5e5bc45b3c3
2016-01-23 08:41:47 -08:00
dcashman
ee25c98428 Remove domain_deprecated from untrusted_app. am: cbf7ba18db
am: b768bd4642

* commit 'b768bd4642afb99f5ffaad46833e47c785667e3e':
  Remove domain_deprecated from untrusted_app.
2016-01-23 01:04:30 +00:00
dcashman
0503a40570 Temporarily allow untrusted_app to read proc files. am: 2193f766bc
am: d7ff314ada

* commit 'd7ff314adabc5646e77b844335408201811412d9':
  Temporarily allow untrusted_app to read proc files.
2016-01-23 01:04:27 +00:00
dcashman
b768bd4642 Remove domain_deprecated from untrusted_app.
am: cbf7ba18db

* commit 'cbf7ba18db3c607834d3f8d0745dae99f3e2a4ec':
  Remove domain_deprecated from untrusted_app.
2016-01-23 00:03:24 +00:00
dcashman
d7ff314ada Temporarily allow untrusted_app to read proc files.
am: 2193f766bc

* commit '2193f766bc1c7f997906a365238eb80839eb2617':
  Temporarily allow untrusted_app to read proc files.
2016-01-23 00:03:21 +00:00
dcashman
cbf7ba18db Remove domain_deprecated from untrusted_app.
Bug: 22032619
Change-Id: Iaa192f98df3128da5e11ce1fd3cf9d1a597fedf5
2016-01-22 15:51:41 -08:00
dcashman
2193f766bc Temporarily allow untrusted_app to read proc files.
Address the following denial:
01-22 09:15:53.998  5325  5325 W ChildProcessMai: type=1400 audit(0.0:44): avc: denied { read } for name="meminfo" dev="proc" ino=4026535444 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file permissive=0

Change-Id: Id2db5ba09dc9de58e6da7c213d4aa4657c6e655c
2016-01-22 15:49:42 -08:00
James Hawkins
7060411a28 Merge "bootstat: Implement the SELinux policy to allow reading/writing to /data/misc/bootstat." am: 447041a940
am: 701b7d3cae

* commit '701b7d3cae0cc2546e85fcfdc706c230713a517a':
  bootstat: Implement the SELinux policy to allow reading/writing to /data/misc/bootstat.
2016-01-22 18:32:26 +00:00
dcashman
67211b022b resolve merge conflicts of 09f01c5f1d to master.
Change-Id: Ia6fa29637a3679836c61800d6a1cbe2917e8c43e
2016-01-22 10:21:19 -08:00
James Hawkins
701b7d3cae Merge "bootstat: Implement the SELinux policy to allow reading/writing to /data/misc/bootstat."
am: 447041a940

* commit '447041a94010974be3ddcb321da4f991c8add3fd':
  bootstat: Implement the SELinux policy to allow reading/writing to /data/misc/bootstat.
2016-01-22 18:10:57 +00:00
dcashman
09f01c5f1d Allow access to /dev/ion and proc_net dir.
am: 8666bf25cf

* commit '8666bf25cf5de7c0bddfe858342dabfeea5ff823':
  Allow access to /dev/ion and proc_net dir.
2016-01-22 18:08:07 +00:00
James Hawkins
447041a940 Merge "bootstat: Implement the SELinux policy to allow reading/writing to /data/misc/bootstat." 2016-01-22 18:05:25 +00:00
dcashman
8666bf25cf Allow access to /dev/ion and proc_net dir.
Address the following:
01-21 13:35:41.147  5896  5896 W ndroid.music:ui: type=1400 audit(0.0:22): avc: denied { read } for name="ion" dev="tmpfs" ino=1237 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=0
01-21 13:35:41.152  5896  5896 E qdmemalloc: open_device: Failed to open ion device - Permission denied
01-21 13:35:41.152  5896  5896 E qdgralloc: Could not mmap handle 0x7f827d7260, fd=55 (Permission denied)
01-21 13:35:41.152  5896  5896 E qdgralloc: gralloc_register_buffer: gralloc_map failed

and

01-22 08:58:47.667  7572  7572 W Thread-23: type=1400 audit(0.0:186): avc: denied { search } for name="xt_qtaguid" dev="proc" ino=4026535741 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=dir permissive=0
01-22 08:58:47.671  7498  7572 I qtaguid : Untagging socket 68 failed errno=-13
01-22 08:58:47.671  7498  7572 W NetworkManagementSocketTagger: untagSocket(68) failed with errno -13

Change-Id: Id4e253879fe0f6daadd04d148a257a10add68d38
2016-01-22 09:29:00 -08:00
James Hawkins
39c198ac6f bootstat: Implement the SELinux policy to allow reading/writing to
/data/misc/bootstat.

BUG: 21724738
Change-Id: I2789f57cc8182af1a7c33672ef82297f32f54e2e
2016-01-22 08:08:37 -08:00
Jeffrey Vander Stoep
0c34837e08 Merge "Allow domains to stat filesystems." am: e1224de04d
am: f6da64bfb3

* commit 'f6da64bfb320878a225ea3ecb288cb8ac8dbd623':
  Allow domains to stat filesystems.
2016-01-22 00:47:35 +00:00
Jeff Vander Stoep
14c17ebd07 vold launched e2fsck must run in fsck domain am: 67d9932c67
am: 32eff0cb0d

* commit '32eff0cb0d4d78752b58b0e05f63c0715666a94e':
  vold launched e2fsck must run in fsck domain
2016-01-22 00:47:30 +00:00
Jeffrey Vander Stoep
f6da64bfb3 Merge "Allow domains to stat filesystems."
am: e1224de04d

* commit 'e1224de04d9c6ea52e753151441cdb378891cf6f':
  Allow domains to stat filesystems.
2016-01-22 00:45:03 +00:00
Jeffrey Vander Stoep
e1224de04d Merge "Allow domains to stat filesystems." 2016-01-22 00:27:50 +00:00
Jeff Vander Stoep
32eff0cb0d vold launched e2fsck must run in fsck domain
am: 67d9932c67

* commit '67d9932c6744885ee0ef3bab61bbae3b8f16de9b':
  vold launched e2fsck must run in fsck domain
2016-01-22 00:17:58 +00:00
Jeffrey Vander Stoep
911292ee13 Merge "fsck: allow e2fsck to stat swap_block_device" am: 792622c383
am: 26164a6331

* commit '26164a6331509d6bc7d192f879af0a9b60bce7a7':
  fsck: allow e2fsck to stat swap_block_device
2016-01-22 00:03:55 +00:00
Jeffrey Vander Stoep
26164a6331 Merge "fsck: allow e2fsck to stat swap_block_device"
am: 792622c383

* commit '792622c383928df03617ef472b15453dde8ace93':
  fsck: allow e2fsck to stat swap_block_device
2016-01-21 23:49:18 +00:00
Jeff Vander Stoep
67d9932c67 vold launched e2fsck must run in fsck domain
Bug: 22821100
Change-Id: I549abfd31f7286ad50be3adeadaf559816c0ee38
2016-01-21 23:33:32 +00:00
Jeffrey Vander Stoep
792622c383 Merge "fsck: allow e2fsck to stat swap_block_device" 2016-01-21 23:26:27 +00:00
dcashman
fcea726390 Allow domains to stat filesystems.
Address the following denials:
01-21 12:44:53.704  4595  4595 W ndroid.calendar: type=1400 audit(0.0:21): avc: denied { getattr } for name="/" dev="dm-0" ino=2 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0
01-21 12:45:23.177  5544  5544 W roid.music:main: type=1400 audit(0.0:46): avc: denied { getattr } for name="/" dev="rootfs" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=0
7618 W .android.chrome: type=1400 audit(0.0:413): avc: denied { getattr } for path="/" dev="rootfs" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0

01-21 12:44:53.709  4595  4595 D AndroidRuntime: Shutting down VM
01-21 12:44:53.727  4595  4595 E AndroidRuntime: FATAL EXCEPTION: main
01-21 12:44:53.727  4595  4595 E AndroidRuntime: Process: com.google.android.calendar, PID: 4595
01-21 12:44:53.727  4595  4595 E AndroidRuntime: java.lang.RuntimeException: Unable to get provider com.google.android.syncadapters.calendar.timely.TimelyProvider: java.lang.IllegalArgumentException: Invalid path: /data
01-21 12:44:53.727  4595  4595 E AndroidRuntime: 	at android.app.ActivityThread.installProvider(ActivityThread.java:5550)
...

Change-Id: I0e9d65438d031e19c9abc5dca8969ed4356437a0
2016-01-21 15:18:39 -08:00
Jeff Vander Stoep
d644f26066 fsck: allow e2fsck to stat swap_block_device
In libext2fs ext2fs_check_mount_point() calls is_swap_device() to
verify that a device is swap before setting the EXT2_MF_SWAP mount
flag.

Addresses:
avc: denied { getattr } for path="/dev/block/zram0" dev="tmpfs" ino=9951
scontext=u:r:fsck:s0 tcontext=u:object_r:swap_block_device:s0 tclass=blk_file

Bug: 22821100
Change-Id: Ic7a1b6f83b34a40bf4bd35a1564300c58ca27089
2016-01-21 14:43:36 -08:00
Jeffrey Vander Stoep
9b16fbb99e Merge "vold: allow execute cp and rm" am: 352e63546f
am: 0bbe2ffff9

* commit '0bbe2ffff92d0eaa2e13d0dbc96a66fdbc84bcf6':
  vold: allow execute cp and rm
2016-01-21 20:15:15 +00:00
Jeffrey Vander Stoep
0bbe2ffff9 Merge "vold: allow execute cp and rm"
am: 352e63546f

* commit '352e63546f4786d5774a67a30a1de5afc224584b':
  vold: allow execute cp and rm
2016-01-21 20:13:25 +00:00
Jeffrey Vander Stoep
352e63546f Merge "vold: allow execute cp and rm" 2016-01-21 20:07:53 +00:00
Jeff Vander Stoep
d1f8f731ea vold: allow execute cp and rm
Used in system/vold/MoveTask.cpp

Addresses:
avc: denied { execute } for name="toolbox" dev="mmcblk0p29" ino=359 scontext=u:r:vold:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { read open } for path="/system/bin/toolbox" dev="mmcblk0p29" ino=359 scontext=u:r:vold:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { execute_no_trans } for path="/system/bin/toolbox" dev="mmcblk0p29" ino=359 scontext=u:r:vold:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1

Change-Id: I2eb6288aaed510ae5be0f3605088ace6b865ef83
2016-01-21 11:02:02 -08:00
Jeffrey Vander Stoep
0f10bd0acb Merge "system_app: remove perms to write to system_data_file" am: db634aa0ac
am: c199f0a6a4

* commit 'c199f0a6a4b1819b7f7d43cc76b1d62860e9fa66':
  system_app: remove perms to write to system_data_file
2016-01-21 18:59:56 +00:00
Jeffrey Vander Stoep
c199f0a6a4 Merge "system_app: remove perms to write to system_data_file"
am: db634aa0ac

* commit 'db634aa0acb5c3671d15923102c573778f61d855':
  system_app: remove perms to write to system_data_file
2016-01-21 18:55:49 +00:00