Apps can cause selinux denials by accessing CE storage
and/or external storage. In either case, the selinux denial is
not the cause of the failure, but just a symptom that
storage isn't ready. Many apps handle the failure appropriately.
These denials are not helpful, are not the cause of a problem,
spam the logs, and cause presubmit flakes. Suppress them.
Bug: 145267097
Test: build
Change-Id: If87b9683e5694fced96a81747b1baf85ef6b2124
This denial is generally a sign that apps are attempting to access
encrypted storage before the ACTION_USER_UNLOCKED intent is delivered.
Suppress this denial to prevent logspam.
While gmscore_app is running in permissive mode, there might be other
denials for related actions (that won't show up in enforcing mode after
the first action is denied). This change adds a bug_map entry to track
those denials and prevent presubmit flakes.
Bug: 142672293
Test: Happy builds
Change-Id: Id2f8f8ff5cde40e74be24daa0b1100b91a7a4dbb
This is part of a series of updates to bug_map across all of android
tree.
Bug: 141014771
Test: Generated a denial, verified that the bug id in the dmesg logs
remains unchanged.
Change-Id: I852e8ac38a162cc074232f15d919212548d485bf
Bug: 72472544
This reverts commit 07efe37c5f.
Reason for revert: The selinux denial is no longer reproducible.
Test: Presubmit builds
Change-Id: I79d18743171315401401c1b06b3f97d837bf500f
ART follows the /data/user/0 symlink while loading cache files, leading
to:
avc: denied { getattr } for comm="webview_zygote" path="/data/user/0"
dev="sda35" ino=1310726 scontext=u:r:webview_zygote:s0
tcontext=u:object_r:system_data_file:s0 tclass=lnk_file permissive=0
Allow this access, the same as app and app_zygote do.
Bug: 123246126
Test: DeviceBootTest.SELinuxUncheckedDenialBootTest
Change-Id: I90faa524e15a17b116a6087a779214f2c2142cc2
The underlying issue has been fixed, so this
SELinux denial shouldn't occur anymore.
Bug: 118185801
Test: manual
Change-Id: I5656e341bcb7b554bcd29e00315648eb75ec0a3d
And add neverallow so that it's removed from partner policy if
it was added there due to denials.
Fixes: 124476401
Test: build
Change-Id: I16903ba43f34011a0753b5267c35425dc7145f05
The new codepath for creating the classloader in the webview zygote
triggers an selinux denial; track this until it is fixed.
Bug: 123246126
Test: DeviceBootTest.SELinuxUncheckedDenialBootTest
Merged-In: I6835947e81364b5dd43898199108af7b14d31088
Change-Id: I6835947e81364b5dd43898199108af7b14d31088
The isolated service that do nothing except for both AIDL's basic
skeleton and service binding. It still got the SELinux denied.
This should fix presubmit test.
01-01 00:00:29.196 6121 6121 I auditd : type=1400 audit(0.0:6):
avc: denied { getattr } for comm="convert.service"
path="/data/data/com.android.externalstorage" dev="sda35" ino=655437
scontext=u:r:isolated_app:s0:c0,c256,c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
Test: ag/5681059 ag/5660144
Bug: 120394782
Change-Id: I7838def96da30b88d510dab860ed9779a0d4d5ed
The isolated service that do nothing for AIDL's APIs still got the
SELinux denied. This should fix presubmit test.
01-01 00:00:22.103 5831 5831 I auditd : type=1400 audit(0.0:6): avc:
denied { getattr } for comm="convert.service"
path="/data/data/com.android.providers.media" dev="sda35" ino=1442136
scontext=u:r:isolated_app:s0:c0,c256,c512,c768
tcontext=u:object_r:privapp_data_file:s0:c512,c768 tclass=dir
permissive=0
Test: build
Bug: 119596573
Change-Id: Ie58326ba217ed6ca56ca9933c6664896ac3d327a
The recommended solution is to not access encrypted storage until
after the ACTION_USER_UNLOCKED intent is delivered.
Test: build
Fixes: 72811052
Fixes: 72550646
Change-Id: I80eb743e26047b7864de983c5a46c28b6f753a59
(breaks vendor blobs, will have to be regenerated
after this CL)
This moves mediacodec to vendor so it is replaced with
hal_omx_server. The main benefit of this is that someone
can create their own implementation of mediacodec without
having to alter the one in the tree. mediacodec is still
seccomp enforced by CTS tests.
Fixes: 36375899
Test: (sanity) YouTube
Test: (sanity) camera pics + video
Test: check for denials
Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e
This adds numerous bug_map entries to try to annotate all denials
we've seen.
Bug: 78117980
Test: Build
Change-Id: I1da0690e0b4b0a44d673a54123a0b49a0d115a49
This should fix presubmit tests.
Bug: 74331887
Test: Built policy.
Change-Id: Ie9ef75a7f9eaebf1103e3d2f3b4521e9abaf2fe7
(cherry picked from commit 2995e996b9)
Remove a fixed bug from bug_map.
Bug: 62140539
Test: Built policy.
Change-Id: I2ce9e48de92975b6e37ca4a3a4c53f9478b006ef
(cherry picked from commit f3f93eaf1d)
These denials seem to be caused by a race with the process that labels
the files. While we work on fixing them, hide the denials.
Bug: 68864350
Bug: 70180742
Test: Built policy.
Change-Id: I58a32e38e6384ca55e865e9575dcfe7c46b2ed3c
Remove bugs that have been fixed, re-map duped bugs, and alphabetize
the list.
Test: Booted Walleye and Sailfish, tested wifi and camera, and
observed no new denials.
Change-Id: I94627d532ea13f623fe29cf259dd404bfd850c13
