Commit graph

18041 commits

Author SHA1 Message Date
Treehugger Robot
76a1a76b35 Merge "Revert "Temporarily hide denial to fix tests."" 2019-03-27 16:54:12 +00:00
Nick Kralevich
9097360049 Revert "Temporarily hide denial to fix tests."
This reverts commit 94b5fe4af5.

Reason for revert: Obsoleted by https://android-review.googlesource.com/933916

Bug: 129298168
Change-Id: I6b34cfdf76b5094db17ee06831d8a662ea360956
Test: Build.
2019-03-27 13:56:20 +00:00
Yifan Hong
40f1682ba6 Merge changes from topic "lpdumpd"
* changes:
  Add rules for lpdump and lpdumpd
  Allow to getattr kmsg_device
2019-03-26 20:35:36 +00:00
Nick Kralevich
a2b90b5efc Merge "Temporarily hide denial to fix tests." 2019-03-26 20:06:49 +00:00
Nick Kralevich
f3e8dce5d4 Merge "Don't audit audit_access denials to /dev/binder" 2019-03-26 19:51:01 +00:00
Yifan Hong
b9be03d63a Merge "Add super_block_device_type" 2019-03-26 19:30:12 +00:00
Joel Galenson
94b5fe4af5 Temporarily hide denial to fix tests.
This should be removed once the offending code is fixed.

Bug: 129298168
Test: Build.
Change-Id: Ie94a626be777a094fb587f72b3987994e085a23e
2019-03-25 17:37:51 -07:00
Tri Vo
786b973c96 Don't audit audit_access denials to /dev/binder
Without VNDK, libcutils has to probe for /dev/binder access before
reaching ashmemd via binder. Ignore denials generated when probing
/dev/binder.

Bug: 129073672
Test: boot sailfish without denials to /dev/binder
Change-Id: I07ba2e094586df353d54507458e891a3d14c1ca6
2019-03-25 17:23:36 -07:00
Tri Vo
a109fa645c Merge "Allow system_suspend access to /sys/power/wake_[un]lock." 2019-03-25 23:38:09 +00:00
Yifan Hong
e3ee390c6b Add super_block_device_type
This is the type used on super partition block devices.
- On devices launched with DAP, super is already marked
as super_block_device_type.
- On retrofit devices, appropriate block devices must
be marked as super_block_device_type, for example:

    typeattribute system_block_device super_block_device_type;

Bug: 128991918
Test: builds
Change-Id: I7e26d85b577ce08d8dc1574ddc43146d65843d9c
2019-03-25 17:58:10 +00:00
Yifan Hong
18ade868ff Add rules for lpdump and lpdumpd
- lpdump is a binary on the device that talks to lpdumpd
  via binder.

- lpdumpd is a daemon on the device that actually reads
  dynamic partition metadata. Only lpdump can talk to it.

Bug: 126233777
Test: boots (sanity)
Test: lpdump

Change-Id: I0e21f35ac136bcbb0603940364e8117f2d6ac438
2019-03-25 10:14:20 -07:00
Yifan Hong
5d89abde99 Allow to getattr kmsg_device
These denials occur on boot when android_get_control_file also
changes from readlink() to realpath(), because realpath() will
lstat() the given path.

Some other domains (fastbootd, update_engine, etc.) also use
libcutils to write to the kernel log, where android_get_control_file()
is invoked, hence getattr is added to them as well.

04-28 06:15:22.290   618   618 I auditd  : type=1400 audit(0.0:4): avc: denied { getattr } for comm="logd" path="/dev/kmsg" dev="tmpfs" ino=20917 scontext=u:r:logd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
03-20 19:52:23.431   900   900 I auditd  : type=1400 audit(0.0:7): avc: denied { getattr } for comm="android.hardwar" path="/dev/kmsg" dev="tmpfs" ino=20917 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
...
03-20 22:40:42.316     1     1 W init    : type=1400 audit(0.0:33): avc: denied { getattr } for path="/dev/kmsg" dev="tmpfs" ino=21999 scontext=u:r:init:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0

Test: no denials related to these
Change-Id: I5263dd6b64c06fb092f3461858f57a1a09107429
2019-03-25 10:14:20 -07:00
Przemyslaw Szczepaniak
37f5cb2db0 Merge "Make package_native_service an (ephemeral_)?app_api_service." 2019-03-25 15:49:57 +00:00
Treehugger Robot
db4ac6f02c Merge "Fix mediaserver being denied use of the vold fd" 2019-03-24 23:25:19 +00:00
Joe Onorato
d7148b99cb Merge "Allow incidentd to communicate with clients over pipes." 2019-03-24 22:41:01 +00:00
Joe Onorato
9cc5c09be5 Allow incidentd to communicate with clients over pipes.
Previously we dumped the data into dropbox.  This improves a couple
things:
  - We write into dropbox via the fd, so dropbox doesn't pull from the
    incidentd directory anymore.
  - There is a new API for priv apps to explicitly read incident
    reports. That gives incidentd finer grained control over who can
    read it (specifically, it only allows apps to access the incident
    reports they requested, or were requested for them via statsd,
    instead of getting DUMP and reading whatever they want from
    dropbox).

Test: bit incident_test:* GtsIncidentManagerTestCases:*
Bug: 123543706
Change-Id: I9a323e372c4ff95d91419a61e8a20ea5a3a860a5
2019-03-22 17:04:49 -07:00
Andreas Gampe
30186cf611 Sepolicy: Allow otapreopt access to vendor overlay files
A handful of APKs are vendor overlay files. Allow access.

Test: m
Change-Id: I791fa37a3bcb07729386047f0cda178753af9de5
2019-03-22 12:13:53 -07:00
Andreas Gampe
1a5db599ce Sepolicy: Allow otapreopt to mount logical partitions
Logical partitions are handled through libdm. Allow access to
device-mapper.

Bug: 128867786
Test: m
Change-Id: I6979487b91d24b7309c876f2bdc26a827e2fcd1e
2019-03-22 12:13:05 -07:00
Felka Chang
1eb2669218 Fix mediaserver being denied use of the vold fd
scenario: droid.apps.docs: type=1400 audit(0.0:77): avc: denied {
use } for path="/mnt/appfuse/10028_6/9" dev="fuse" ino=9
scontext=u:r:mediaserver:s0 tcontext=u:r:vold:s0 tclass=fd permissive=0

root cause: DocumentsUI provides ArchiveProvider to browse the entries
in archive files by using StorageManager.openProxyFileDescriptor,
i.e. the file descriptor that comes from the archive entries belongs
to vold. The file descriptor is used by mediaserver, but
mediaserver doesn't have the permission to use the file descriptor.

Fixes: 120491318
Test: build, flash, manual test
Change-Id: Ibaf9a625c7b68c3f1977fcaddd6c7d5419352f93
2019-03-22 22:41:49 +08:00
David Brazdil
c848dee19c Merge "dexoptanalyzer: Allow writing into installd's pipe" 2019-03-22 13:48:58 +00:00
Florian Mayer
3b641a60a2 Merge "Give heapprofd dac_read_search on userdebug." 2019-03-22 10:37:05 +00:00
Treehugger Robot
d125ab8f21 Merge "Allow dumpstate to dump wlan hal log on userbuild" 2019-03-22 07:15:13 +00:00
Alan Stokes
5c378a5374 Clarify priv_app.te.
No semantic changes. Just trying to make this easier to understand:
- Separate out common bundles of services from individual services
  (the naming doesn't make this obvious).
- Comment the common ones.
- Put related binder_call and service_manager:find rules together.

Test: Builds
Change-Id: Iba4a85a464da032e35450abff0febcdcf433df48
2019-03-21 23:52:30 +00:00
Florian Mayer
e922aa38bf Give heapprofd dac_read_search on userdebug.
This is needed because some oat dex files are generated without world
readable permissions. See the bug for details.

We are still constrained by the SELinux rules above.

Bug: 129048073

Change-Id: I84e34f83ceb299ff16b29a78f16c620fc0aa5d68
2019-03-21 17:22:09 +00:00
Treehugger Robot
75e7d2886c Merge "Allow lmkd to setsched kernel threads" 2019-03-21 10:39:36 +00:00
Roger Wang
49f2954275 Allow dumpstate to dump wlan hal log on userbuild
To check issues on user builds, the wlan HAL log
is helpful.

Bug: 122265104
Test: Manually, log collected on user build
Change-Id: I5aa96aa796ca7dfb92e97df3e7be054ff79f6e3d
2019-03-21 12:27:44 +08:00
Wei Wang
eff6ddf668 Allow lmkd to setsched kernel threads
psi monitor sched_setscheduler(kworker->task, SCHED_FIFO, &param) was added into pa/1282597

Bug: 127637796
Test: build
Change-Id: I8f2470fc40bc8d02a7fbbbe186afe580c5f53aa4
2019-03-20 23:06:32 +00:00
David Brazdil
246efa2a24 dexoptanalyzer: Allow writing into installd's pipe
Dexoptanalyzer is getting a new mode to instruct installd on which dex
files it needs to open for itself and dex2oat from class loader context.
The file list is communicated by a pipe from a forked dexoptanalyzer
process to the installd parent. Give dexoptanalyzer permission to write
to installd's pipes.

Bug: 126674985
Test: atest installd_dexopt_test
Change-Id: Ic415e2dc543099d26681103c9d368c941d21b49a
2019-03-20 15:37:12 +00:00
Roland Levillain
f52fefe5ee Merge "Allow otapreopt_chroot to use a flattened Runtime APEX package." 2019-03-20 10:38:57 +00:00
Tri Vo
8730aeb2e9 Allow system_suspend access to /sys/power/wake_[un]lock.
Bug: 128923994
Test: boot taimen, no denials when writing to /sys/power/wake_[un]lock
Change-Id: Ib9ade5e532f906d2228642dfa5f52f609e559199
2019-03-19 21:34:49 -07:00
Cheney Ni
e55a74bdff Add rules for accessing the related bluetooth_audio_hal_prop
This change allows the audio and Bluetooth daemons that include
HALs to access the bluetooth_audio_hal_prop. This property is
used to force-disable the new BluetoothAudio HAL.
  - persist.bluetooth.bluetooth_audio_hal.disabled

Bug: 128825244
Test: audio HAL can access the property
Change-Id: I87a8ba57cfbcd7d3e4548aa96bc915d0cc6b2b74
2019-03-20 03:12:25 +00:00
Treehugger Robot
2456c37021 Merge "Fix memory leaks" 2019-03-20 01:14:58 +00:00
Jeffrey Vander Stoep
9331374113 Merge "Android.bp: set sepolicy version for use by init" 2019-03-19 21:44:59 +00:00
George Burgess IV
bf2f927019 Fix memory leaks
This CL fixes leaks of the policy that we're building up. The analyzer
only caught the leaks on the error path, but I assume that
`check_assertions` does nothing to free the object that it's handed.

Analyzer warnings:

system/sepolicy/tools/sepolicy-analyze/neverallow.c:439:9: warning:
Potential leak of memory pointed to by 'avrule'
[clang-analyzer-unix.Malloc]

system/sepolicy/tools/sepolicy-analyze/neverallow.c:439:9: warning:
Potential leak of memory pointed to by 'neverallows'
[clang-analyzer-unix.Malloc]

Bug: None
Test: Treehugger; reran the analyzer
Change-Id: I79a0c34e8b53d33a1f01497337590eab660ad3ec
2019-03-19 12:10:51 -07:00
Andreas Gampe
08450264ae Sepolicy: Allow zygote to pick up dalvikcache artifacts
Allow the zygote to pick up integrity-checked boot classpath
artifacts from the dalvik cache.

Bug: 125474642
Test: m
Test: manual
Merged-In: I45d760c981c55a52bd0b22c79a9cba4868a09528
Change-Id: I45d760c981c55a52bd0b22c79a9cba4868a09528
2019-03-19 10:36:12 -07:00
Andreas Gampe
e72ec6bfd3 Sepolicy: Allow system_server_startup to load dalvikcache artifacts
Allow the startup domain to pick up integrity-checked artifacts
from the dalvik-cache. The corresponding framework code will
only load the system server classpath.

Bug: 128688902
Test: m
Test: manual
Merged-In: Ib37f8d7c39431e2792eeb4dac1cd732307519827
Change-Id: Ib37f8d7c39431e2792eeb4dac1cd732307519827
2019-03-19 10:36:03 -07:00
Przemyslaw Szczepaniak
8b2ad2c978 Make package_native_service an (ephemeral_)?app_api_service.
This is required for accessing package_native_service
in libneuralnetworks.so for NNAPI Vendor Extension checks.

package_service is (ephemeral_)?app_api_service, native
one is a subset of it.

Bug: 120483623
Test: NeuralNetworksTest_FibonacciExtension
Change-Id: I9fa2c9aa263724d2256bbf26de19d6b357c82f9b
2019-03-19 16:37:45 +00:00
Nicolas Geoffray
e668732936 Merge "Allow init to set dalvik.vm.boot-image." 2019-03-19 15:00:41 +00:00
Roland Levillain
66f40a8b2d Allow otapreopt_chroot to use a flattened Runtime APEX package.
- Allow (again) `otapreopt` (running as `postinstall_dexopt`) to
  execute `dex2oat` from `/postinstall` -- this is for the case where
  it is located in a flattened Runtime APEX in
  `/postinstall/system/apex`.
- Allow `dex2oat` to read directories under `/postinstall`.
- Allow `otapreopt_chroot` to unmount flattened APEX packages under
  `/postinstall/system/apex` (which are bind-mounted in
  `/postinstall/apex`).

Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 127543974
Bug: 123684826
Bug: 113373927
Change-Id: Ie023ee5c64989ea071e1683f31073a70c93cac18
2019-03-19 14:44:22 +00:00
Xiao Ma
87b6d4018d Merge "Allow the network stack to access its own data files." 2019-03-19 13:21:12 +00:00
Jeff Vander Stoep
60bb29fcdf crash_dump: suppress devpts denials
The following denial caused a presubmit failure:
06-15 15:16:24.176   956   956 I auditd  : type=1400 audit(0.0:4): avc:
denied { read write } for comm="crash_dump64" path="/dev/pts/3"
dev="devpts" ino=6 scontext=u:r:crash_dump:s0
tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0

Suppress these denials. They are not needed by crash_dump and are only
caused by the default behavior of sharing FDs across exec.

Test: build
Change-Id: I183f7a54e6b807fdf46b04d67dd4b819d4f0e507
2019-03-19 04:05:51 +00:00
Xiao Ma
c06f0f602a Allow the network stack to access its own data files.
After moving the IpMemoryStore service to the network stack module (aosp/906907),
the following untracked SELinux denials are observed on boot.

W id.networkstack: type=1400 audit(0.0:63): avc: denied { write } for
name="com.android.networkstack" dev="sda13" ino=704810
scontext=u:r:network_stack:s0:c49,c260,c512,c768
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

Add radio_data_file type for network stack user configuration and
relevant permission to allow access to its data, as the network stack
is a privileged app.

Test: m -j passed
Change-Id: I6eab528714df6a17aae0cb546dcc3ad4bb21deea
2019-03-19 11:42:11 +09:00
Nicolas Geoffray
45963b59ae Allow init to set dalvik.vm.boot-image.
Test: m
Bug: 119800099
Change-Id: Idb4d4c6005e4ff271c1b5940bd39b655b674a0bb
2019-03-18 21:40:19 +00:00
Alex Salo
a1ce292dbb Add selinux setting for attention
Bug: 126472144
Test: adb shell dumpsys attention
Change-Id: Ie421b719c8fc0414ee664055aa5d007c081edf17
2019-03-18 21:00:35 +00:00
Andreas Gampe
2db55f184e Merge changes I15bd76e5,I5572c3b0
* changes:
  Sepolicy: Allow otapreopt_chroot to find linker
  Sepolicy: Move otapreopt_chroot to private
2019-03-18 21:00:04 +00:00
Treehugger Robot
118f0bf1fb Merge "fastboot: fs_mgr: overlay: suppress noise" 2019-03-18 20:51:59 +00:00
Andreas Gampe
3c581e2064 Sepolicy: Allow otapreopt_chroot to find linker
The linker is behind a symlink. Allow reading and following it.

Bug: 128840749
Test: m
Test: manual a/b ota
Test: DexoptOtaTests
Change-Id: I15bd76e517ab3cebf13ebd42ff6e5dae42364c83
2019-03-18 10:55:32 -07:00
Andreas Gampe
d6fdcefaa8 Sepolicy: Move otapreopt_chroot to private
Move complete domain to private/. Move referencing parts in domain
and kernel to private.

Bug: 128840749
Test: m
Change-Id: I5572c3b04e41141c8f4db62b1361e2b392a5e2da
2019-03-18 10:54:42 -07:00
Treehugger Robot
ac9cd71fed Merge "Sepolicy: Fix comment on apexd:fd use" 2019-03-16 23:50:32 +00:00
Mark Salyzyn
86f0e54dfa fastboot: fs_mgr: overlay: suppress noise
Suppress noise associated with test mounting scratch partition.

Add internal fs_mgr_is_ext4 and fs_mgr_is_f2fs to get a heads-up on
mount failures and thus bypass trying.  Resolve all the avc
complaints associated with overlay handling, including these new
operations.

Test: adb-remount-test.sh
Bug: 109821005
Change-Id: Ieb1f8c19ced930b6fe2d1791ef710ce528da7e37
2019-03-15 13:25:11 -07:00