The denial occurs when system_server dynamically loads AOT artifacts at
runtime.
Sample message:
type=1400 audit(0.0:4): avc: denied { execute } for comm="system_server" path="/data/misc/apexdata/com.android.art/dalvik-cache/arm64/system@framework@com.android.location.provider.jar@classes.odex" dev="dm-37" ino=296 scontext=u:r:system_server:s0 tcontext=u:object_r:apex_art_data_file:s0 tclass=file permissive=0
Currently, system_server is only allowed to load AOT artifacts at startup. odrefresh compiles jars in SYSTEMSERVERCLASSPATH, which are supposed to be loaded by system_server at startup. However, com.android.location.provider is a special case that is not only loaded at startup, but also loaded dynamically as a shared library, causing the denial.
Therefore, this denial is currently expected. We need to compile com.android.location.provider so that its AOT artifacts can be picked up at system_server startup, but we cannot allow the artifacts to be loaded dynamically for now because further discussion about its security implications is needed. We will find a long term solution to this, tracked by b/194054685.
Test: Presubmits
Bug: 194054685
Change-Id: I3850ae022840bfe18633ed43fb666f5d88e383f6
This reverts commit dd4b578c25.
Reason for revert: bug_map is only compiled into vendor partition so this doesn't work for GSI.
Change-Id: I653b937495be93a4de288e7df7525fd7504fa0f6
Sample denial message: auditd : type=1400 audit(0.0:104): avc: denied
{ write } for comm="Binder:1830_4" name="tasks" dev="tmpfs" ino=16681
scontext=u:r:installd:s0 tcontext=u:object_r:device:s0 tclass=file
permissive=0
This denial is triggered for completely unrelated changes when installd
runs dex2oat for service-wifi.jar. One theory is that the unrelated
changes caused certain ART metrics (e.g. number of methods/classes/API) to
change so that dex2oat is triggered earlier and the SELinux denial became
caught by the boot test. So add this to bug_map to unblock the unrelated
changes while a kernel fix is to be tracked in b/177187042.
Bug: 177187042
Test: presubmit
Change-Id: I6595b7aa14f73bf967207f1688c8fbd596ee37d1
Denial logging was suppressed in r.android.com/1199618 to de-flake
presubmit tests. Since Android 11, FUSE is enabled for all devices by
default, which is expected to prevent these denials from happening.
This change re-enables logging to check that assumption.
Bug: 145267097
Test: DeviceBootTest#SELinuxUncheckedDenialBootTest
Change-Id: I1e9aa6d1234f2f158ba7a7f6bf8aa8588249eee7
This is not allowed for apps with targetSdkVersion>=Q.
Allow this failure until gmscore fixes.
Bug: 160984921
Test: build
Change-Id: I1e9f2af091b22eef2bc05ae1e571fb45dec05cfe
This is intended to be temporary workaround until the Gboard
developers fix their app.
Addresses
avc: denied { bind } for comm="ThreadPoolForeg"
scontext=u:r:untrusted_app:s0:c166,c256,c512,c768
tcontext=u:r:untrusted_app:s0:c166,c256,c512,c768
tclass=netlink_route_socket permissive=
app=com.google.android.inputmethod.latin
Bug: 155595000
Test: build
Change-Id: I432ac1462329efb4bc118c3967a099833e6eb813
Apps can cause selinux denials by accessing CE storage
and/or external storage. In either case, the selinux denial is
not the cause of the failure, but just a symptom that
storage isn't ready. Many apps handle the failure appropriately.
These denials are not helpful, are not the cause of a problem,
spam the logs, and cause presubmit flakes. Suppress them.
Bug: 145267097
Test: build
Change-Id: If87b9683e5694fced96a81747b1baf85ef6b2124
This denial is generally a sign that apps are attempting to access
encrypted storage before the ACTION_USER_UNLOCKED intent is delivered.
Suppress this denial to prevent logspam.
While gmscore_app is running in permissive mode, there might be other
denials for related actions (that won't show up in enforcing mode after
the first action is denied). This change adds a bug_map entry to track
those denials and prevent presubmit flakes.
Bug: 142672293
Test: Happy builds
Change-Id: Id2f8f8ff5cde40e74be24daa0b1100b91a7a4dbb
This is part of a series of updates to bug_map across all of the Android
tree.
Bug: 141014771
Test: Generated a denial, verified that the bug id in the dmesg logs
remains unchanged.
Change-Id: I852e8ac38a162cc074232f15d919212548d485bf
Bug: 72472544
This reverts commit 07efe37c5f.
Reason for revert: The selinux denial is no longer reproducible.
Test: Presubmit builds
Change-Id: I79d18743171315401401c1b06b3f97d837bf500f
ART follows the /data/user/0 symlink while loading cache files, leading
to:
avc: denied { getattr } for comm="webview_zygote" path="/data/user/0"
dev="sda35" ino=1310726 scontext=u:r:webview_zygote:s0
tcontext=u:object_r:system_data_file:s0 tclass=lnk_file permissive=0
Allow this access, the same as app and app_zygote do.
Bug: 123246126
Test: DeviceBootTest.SELinuxUncheckedDenialBootTest
Change-Id: I90faa524e15a17b116a6087a779214f2c2142cc2
The underlying issue has been fixed, so this
SELinux denial shouldn't occur anymore.
Bug: 118185801
Test: manual
Change-Id: I5656e341bcb7b554bcd29e00315648eb75ec0a3d
And add neverallow so that it's removed from partner policy if
it was added there due to denials.
Fixes: 124476401
Test: build
Change-Id: I16903ba43f34011a0753b5267c35425dc7145f05
The new codepath for creating the classloader in the webview zygote
triggers an selinux denial; track this until it is fixed.
Bug: 123246126
Test: DeviceBootTest.SELinuxUncheckedDenialBootTest
Merged-In: I6835947e81364b5dd43898199108af7b14d31088
Change-Id: I6835947e81364b5dd43898199108af7b14d31088
The isolated service that does nothing except for both the AIDL's basic
skeleton and service binding still gets the SELinux denial.
This should fix the presubmit test.
01-01 00:00:29.196 6121 6121 I auditd : type=1400 audit(0.0:6):
avc: denied { getattr } for comm="convert.service"
path="/data/data/com.android.externalstorage" dev="sda35" ino=655437
scontext=u:r:isolated_app:s0:c0,c256,c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
Test: ag/5681059 ag/5660144
Bug: 120394782
Change-Id: I7838def96da30b88d510dab860ed9779a0d4d5ed
The isolated service that does nothing for the AIDL's APIs still gets the
SELinux denial. This should fix the presubmit test.
01-01 00:00:22.103 5831 5831 I auditd : type=1400 audit(0.0:6): avc:
denied { getattr } for comm="convert.service"
path="/data/data/com.android.providers.media" dev="sda35" ino=1442136
scontext=u:r:isolated_app:s0:c0,c256,c512,c768
tcontext=u:object_r:privapp_data_file:s0:c512,c768 tclass=dir
permissive=0
Test: build
Bug: 119596573
Change-Id: Ie58326ba217ed6ca56ca9933c6664896ac3d327a
The recommended solution is to not access encrypted storage until
after the ACTION_USER_UNLOCKED intent is delivered.
Test: build
Fixes: 72811052
Fixes: 72550646
Change-Id: I80eb743e26047b7864de983c5a46c28b6f753a59
(breaks vendor blobs, will have to be regenerated
after this CL)
This moves mediacodec to vendor so it is replaced with
hal_omx_server. The main benefit of this is that someone
can create their own implementation of mediacodec without
having to alter the one in the tree. mediacodec is still
seccomp enforced by CTS tests.
Fixes: 36375899
Test: (sanity) YouTube
Test: (sanity) camera pics + video
Test: check for denials
Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e
This adds numerous bug_map entries to try to annotate all denials
we've seen.
Bug: 78117980
Test: Build
Change-Id: I1da0690e0b4b0a44d673a54123a0b49a0d115a49
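As an added illustration (not code from the sepolicy project), a small Python triage helper that parses avc denial lines of the kind quoted in the messages above (the isolated_app, webview_zygote and installd ones) and looks each up in an excerpt of bug_map, whose lines have the form `source_type target_type class bug_id`. The bug_map excerpt and the sample denial lines are constructed from denials and bug numbers on this page; ignoring the MLS category suffixes is the helper's own simplification.

```python
import re

# Constructed bug_map excerpt in the file's own line format:
#   <source type> <target type> <class> <bug id>  (pairs taken from the messages above)
BUG_MAP = """
isolated_app app_data_file dir 120394782
isolated_app privapp_data_file dir 119596573
webview_zygote system_data_file lnk_file 123246126
"""

# Constructed single-line copies of three denials quoted above.
SAMPLE_DENIALS = [
    'type=1400 audit(0.0:6): avc: denied { getattr } for comm="convert.service" path="/data/data/com.android.externalstorage" '
    'dev="sda35" ino=655437 scontext=u:r:isolated_app:s0:c0,c256,c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0',
    'avc: denied { getattr } for comm="webview_zygote" path="/data/user/0" dev="sda35" ino=1310726 '
    'scontext=u:r:webview_zygote:s0 tcontext=u:object_r:system_data_file:s0 tclass=lnk_file permissive=0',
    'type=1400 audit(0.0:104): avc: denied { write } for comm="Binder:1830_4" name="tasks" dev="tmpfs" ino=16681 '
    'scontext=u:r:installd:s0 tcontext=u:object_r:device:s0 tclass=file permissive=0',
]

# Only the type component of each context is captured; category suffixes (c0,c256,...) are skipped.
AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+)\} .*?"
    r"scontext=u:r:(?P<src>[a-z0-9_]+):s0\S* .*?"
    r"tcontext=u:(?:r|object_r):(?P<tgt>[a-z0-9_]+):s0\S* "
    r"tclass=(?P<cls>\S+)"
)

def parse_bug_map(text):
    """Return {(source, target, class): bug_id} from bug_map text, skipping blank lines."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            src, tgt, cls, bug = line.split()
            entries[(src, tgt, cls)] = int(bug)
    return entries

def parse_denial(line):
    """Extract (permissions, source type, target type, class) from one avc line, or None."""
    m = AVC_RE.search(line)
    return None if m is None else (m["perms"].split(), m["src"], m["tgt"], m["cls"])

def triage(lines, bug_map):
    """Pair each parsable denial with its bug_map bug id (None if the denial is untracked)."""
    rows = []
    for parsed in filter(None, map(parse_denial, lines)):
        _perms, src, tgt, cls = parsed
        rows.append((src, tgt, cls, bug_map.get((src, tgt, cls))))
    return rows
```

A None in the last column is the case the messages above keep running into: a denial the boot test flags because no bug_map entry annotates it yet.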