Narayan Kamath
01898ea4aa
Revert "Allow system_server to link,relabel and create_dir dalvikcache_data_file."
...
This reverts commit e929ad8b524a7e444008b657adaafff97b5dea79.
bug: 20889739
Change-Id: I6729f4e26041b481f2442a2d8c3dfb42e2d4144a
2015-06-05 13:45:39 +01:00
Narayan Kamath
41f233f465
Allow system_server to link,relabel and create_dir dalvikcache_data_file.
...
Required by the installation flow for split APKs.
bug: 20889739
Change-Id: I3e14335f3bcfe76d1d24d233f53a728a6d90e8a1
2015-06-04 11:07:24 +00:00
Tao Bao
12e8b61bc0
Merge "Allow system server and uncrypt to operate pipe file" into mnc-dev
2015-05-28 21:47:45 +00:00
Tao Bao
70c6dbf06c
Allow system server and uncrypt to operate pipe file
...
System server and uncrypt need to communicate with a named pipe on the
/cache partition. It will be created and deleted by system server.
Bug: 20012567
Bug: 20949086
Change-Id: I9494a67016c23294e803ca39d377ec321537bca0
2015-05-27 17:06:40 -07:00
Jim Miller
83554d2c92
Merge "Selinux: Allow system_server to create fpdata dir." into mnc-dev
2015-05-22 01:42:29 +00:00
Jim Miller
a39b131e9d
Selinux: Allow system_server to create fpdata dir.
...
Fixes avc errors:
avc: denied { relabelto } for name="fpdata" dev="mmcblk0p28" ino=586465 scontext=u:r:system_server:s0 tcontext=u:object_r:fingerprintd_data_file:s0 tclass=dir permissive=0
avc: denied { read } for name="fpdata" dev="mmcblk0p28" ino=586409 scontext=u:r:system_server:s0 tcontext=u:object_r:fingerprintd_data_file:s0 tclass=dir permissive=0
Change-Id: I3ba16af14632d803e09ac1490af9a0b652cba3a6
2015-05-21 17:43:28 -07:00
Chad Brubaker
b3df4389f3
Merge "Rename keystore methods and delete unused permissions" into mnc-dev
2015-05-21 17:26:54 +00:00
Jim Miller
264eb6566a
Add selinux policy for fingerprintd
...
Change-Id: Ibcb714248c28abf21272986facaade376dcbd7ef
2015-05-19 18:28:45 -07:00
dcashman
807d8d0249
Label /dev/rtc0 as rtc_device.
...
Grant access to system_server, as it is used by AlarmManagerService.
(cherry-pick of c7594898db)
Change-Id: I8b5795cb4739bb7fb6b2673d0b1b12be40db7a7f
2015-05-18 14:18:11 -07:00
Chad Brubaker
eaa1a1e975
Rename keystore methods and delete unused permissions
...
Keystore is going through an API cleanup to make names more clear and
remove unclear methods.
(cherry-picked from commit cbc8f79655)
Change-Id: I06354ccd0a9a73fd20168bfce9350c451cfaced3
2015-05-18 12:19:19 -07:00
Chad Brubaker
77a824600b
Add keystore user_changed permission
...
user_changed will be used for state change methods around android user
creation/deletion.
(cherry-picked from commit 520bb816b8)
Change-Id: I295ca9adfc4907b5d7bcf0555f6e5a9a3379635b
2015-05-18 16:26:41 +01:00
Adam Lesinski
3526a6696f
Allow system_server to read/write /proc/uid_cputime/ module
...
Bug: 20182139
Change-Id: I1829a83c7d8e2698715e424a688a2753d65de868
2015-05-13 04:47:32 +00:00
William Roberts
2f5a6a96bd
Replace unix_socket_connect() and explicit property sets with macro
...
A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service
The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.
To correct this, we introduce a new macro:
set_prop(sourcedomain, targetprop)
This macro handles steps 1, 2 and 3.
No difference in sediff is expected.
(cherrypicked from commit 625a3526f1)
Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-07 10:32:06 -07:00
Nick Kralevich
1301f2b64b
am 2a7a4037: am 2234f9ff: gatekeeperd: neverallow non-system_server binder call
...
* commit '2a7a403724370ebe16f05602685a654ca4448d59':
gatekeeperd: neverallow non-system_server binder call
2015-04-10 04:34:58 +00:00
Nick Kralevich
2234f9ff57
gatekeeperd: neverallow non-system_server binder call
...
The current neverallow rule (compile time assertion)
neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find;
asserts that no rule is present which allows processes other than
system_server to ask servicemanager for a gatekeeperd token.
However, if system_server leaks the token to other processes, it may
be possible for those processes to access gatekeeperd directly, bypassing
servicemanager.
Add a neverallow rule to assert that no process other than system_server
is allowed to make binder calls to gatekeeperd. Even if another process
was to manage to get a binder token to gatekeeperd, it would be useless.
Remove binder_service() from gatekeeperd. The original use of the
binder_service() macro was to widely publish a binder service.
If this macro is present and the calling process has a gatekeeperd
binder token, it's implicitly possible for the following processes
to make a binder call to gatekeeperd:
* all app processes
* dumpstate
* system_server
* mediaserver
* surfaceflinger
Removing binder_service revokes this implicit access.
Add explicit access for system_server to make binder calls to
gatekeeperd.
Add explicit access for gatekeeperd to make calls to keystore.
This was implicitly granted via binder_service() before, but now
needs to be explicit.
Change-Id: I23c1573d04ab670a42660d5922b39eecf4265b66
2015-04-09 12:55:38 -07:00
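A simplified model of the two compile-time assertions discussed in the commit message above, as an added example (not AOSP code). The first neverallow is quoted from the message; the second is written in an assumed form because the page does not quote it, and the type sets and both rule lists are constructed from the message's description.

```python
import re

# Constructed, simplified type sets: "domain" stands for every process type,
# "appdomain" for app processes. Real policies define many more types.
ATTRS = {
    "appdomain": {"untrusted_app", "platform_app"},
    "domain": {"untrusted_app", "platform_app", "dumpstate", "mediaserver",
               "surfaceflinger", "system_server", "gatekeeperd", "keystore"},
}

RULE_RE = re.compile(
    r"^(allow|neverallow)\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+):(\S+)"
    r"\s+(\{[^}]*\}|[^\s;]+)\s*;$"
)

def expand(spec, attrs):
    """Expand 'type', 'attribute' or '{ a b -c }' into a set of names."""
    included, excluded = set(), set()
    for tok in spec.strip("{} ").split():
        name = tok.lstrip("-")
        members = attrs.get(name, {name})
        (excluded if tok.startswith("-") else included).update(members)
    return included - excluded

def parse_rule(rule, attrs=ATTRS):
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    kind, src, tgt, cls, perms = m.groups()
    return kind, expand(src, attrs), expand(tgt, attrs), cls, expand(perms, {})

def violations(neverallow, allow_rules, attrs=ATTRS):
    """Return the source types whose allow rules contradict the neverallow."""
    _, n_src, n_tgt, n_cls, n_perms = parse_rule(neverallow, attrs)
    offenders = set()
    for rule in allow_rules:
        _, a_src, a_tgt, a_cls, a_perms = parse_rule(rule, attrs)
        if a_cls == n_cls and a_tgt & n_tgt and a_perms & n_perms:
            offenders |= a_src & n_src
    return sorted(offenders)

# Quoted from the commit message: guards the servicemanager lookup only.
NA_FIND = ("neverallow { domain -gatekeeperd -system_server } "
           "gatekeeper_service:service_manager find;")
# Assumed form of the added assertion: guards the binder call itself.
NA_CALL = "neverallow { domain -system_server } gatekeeperd:binder call;"

# Constructed: the implicit access the message attributes to binder_service().
BEFORE = [
    "allow system_server gatekeeper_service:service_manager find;",
    "allow { appdomain dumpstate system_server mediaserver surfaceflinger } "
    "gatekeeperd:binder call;",
]
# Constructed: explicit grants only, as the message describes.
AFTER = [
    "allow system_server gatekeeper_service:service_manager find;",
    "allow system_server gatekeeperd:binder call;",
    "allow gatekeeperd keystore:binder call;",
]

if __name__ == "__main__":
    print("find assertion, before:", violations(NA_FIND, BEFORE))
    print("call assertion, before:", violations(NA_CALL, BEFORE))
    print("call assertion, after: ", violations(NA_CALL, AFTER))
```

The lookup assertion passes on the old rule set even though five other domains could still call gatekeeperd with a leaked token; only the binder-call assertion reports them.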
dcashman
710c5a2af9
am 29f90b1e: am 7f2bb0c1: Merge "Enforce more specific service access."
...
* commit '29f90b1eb7376b39d94cd5d981a15ff8317a5cdb':
Enforce more specific service access.
2015-04-09 17:47:22 +00:00
dcashman
bd7f5803f9
Enforce more specific service access.
...
Move the remaining services from tmp_system_server_service to appropriate
attributes and remove tmp_system_server and associated logging:
registry
restrictions
rttmanager
scheduling_policy
search
sensorservice
serial
servicediscovery
statusbar
task
textservices
telecom_service
trust_service
uimode
updatelock
usagestats
usb
user
vibrator
voiceinteraction
wallpaper
webviewupdate
wifip2p
wifi
window
Bug: 18106000
Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0
2015-04-09 09:45:54 -07:00
dcashman
2686b6ab80
am 18867dbb: am 03a6f64f: Enforce more specific service access.
...
* commit '18867dbb42f128db00f6c8ee4f05fd098d9eaaa4':
Enforce more specific service access.
2015-04-08 22:07:21 +00:00
Nick Kralevich
746a73c41b
am 2a762352: am 9bef2502: system_server: support hard linking for split APKs
...
* commit '2a762352f34f147cdb83e34bf3591e48a9378425':
system_server: support hard linking for split APKs
2015-04-08 22:07:21 +00:00
dcashman
03a6f64f95
Enforce more specific service access.
...
Move the following services from tmp_system_server_service to appropriate
attributes:
network_management
network_score
notification
package
permission
persistent
power
print
processinfo
procstats
Bug: 18106000
Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c
2015-04-08 20:26:50 +00:00
Nick Kralevich
9bef25026b
system_server: support hard linking for split APKs
...
Commit 85ce2c706e removed hard link
support from create_file_perms, but system_server requires hard
link support for split APKs. Allow it.
Addresses the following denial:
audit(0.0:152): avc: denied { link } for name="base.apk" dev="dm-0" ino=816009 scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0
Steps to reproduce:
1) Find the directory "hellogoogle3.splitapk"
2) adb install-multiple -r hellogoogle3_incremental.apk
3) adb install-multiple -r -p com.google.android.samples.hellogoogle3 native.apk
Expected:
2nd APK installs successfully.
Actual:
2nd APK fails to install.
Change-Id: Ib69fc70dd1c7cd158590db3fd117d6b05acf1cf7
2015-04-08 10:42:30 -07:00
Nick Kralevich
d20c61af72
am 63b07909: am 8a06c077: Allow system_server to collect app heapdumps (debug builds only)
...
* commit '63b0790965be39da4ee1aee13ae1ab029d6d02ae':
Allow system_server to collect app heapdumps (debug builds only)
2015-04-08 01:07:00 +00:00
dcashman
5fd66b3cb8
am 0bc36ada: am 91b7c67d: Enforce more specific service access.
...
* commit '0bc36adada7421b0e8ec05565617b7a8a6cef794':
Enforce more specific service access.
2015-04-08 00:33:51 +00:00
dcashman
6e41435587
am b1a13728: am 3cc6fc5f: Enforce more specific service access.
...
* commit 'b1a137280e6e8f282469f91b0f58df6c95919d18':
Enforce more specific service access.
2015-04-08 00:33:50 +00:00
Nick Kralevich
8a06c07724
Allow system_server to collect app heapdumps (debug builds only)
...
On debuggable builds, system_server can request app heap dumps
by running something similar to the following commands:
% adb shell am set-watch-heap com.android.systemui 1048576
% adb shell dumpsys procstats --start-testing
which will dump the app's heap to /data/system/heapdump. See
framework/base commit b9a5e4ad30c9add140fd13491419ae66e947809d.
Allow this behavior.
Addresses the following denial:
avc: denied { write } for path="/data/system/heapdump/javaheap.bin" dev="dm-0" ino=150747 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
Bug: 20073185
Change-Id: I4b925033a5456867caf2697de6c2d683d0743540
2015-04-07 16:40:44 -07:00
dcashman
91b7c67d16
Enforce more specific service access.
...
Move the following services from tmp_system_server_service to appropriate
attributes:
jobscheduler
launcherapps
location
lock_settings
media_projection
media_router
media_session
mount
netpolicy
netstats
Bug: 18106000
Change-Id: Ia82d475ec41f658851f945173c968f4abf57e7e1
2015-04-07 15:48:58 -07:00
dcashman
3cc6fc5ffb
Enforce more specific service access.
...
Move the following services from tmp_system_server_service to appropriate
attributes:
diskstats
display
dreams
dropbox
ethernet
fingerprint
graphicstats
hardware
hdmi_control
input_method
input_service
Bug: 18106000
Change-Id: Iadd8aab9e78d9d39fb00cf0b5a95fa1927d02095
2015-04-07 12:43:47 -07:00
Fyodor Kupolov
8a439726b9
am 26ef3bbc: am 3af8c9d0: Allow system_server to read oat dir
...
* commit '26ef3bbc8759fb67ad5a71facfdf4f5611621f84':
Allow system_server to read oat dir
2015-04-07 18:44:00 +00:00
dcashman
d0c06a7051
am 86501cde: am d4c78f4b: Enforce more specific service access.
...
* commit '86501cde107f4208b2afb82f2e21647dab70e4ef':
Enforce more specific service access.
2015-04-07 18:05:38 +00:00
Fyodor Kupolov
3af8c9d0ef
Allow system_server to read oat dir
...
Required for PackageManagerService to perform restorecon recursively on a
staging dir.
Addresses the following denial:
avc: denied { open } for name="oat" dev="mmcblk0p28" ino=163027 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir
Bug: 19550105
Bug: 20087446
Change-Id: I0f6ebb79745091ecb4d6d3dbe92f65606b7469da
2015-04-07 10:50:13 -07:00
dcashman
d4c78f4b3f
Enforce more specific service access.
...
Move the following services from tmp_system_server_service to appropriate
attributes:
battery
bluetooth_manager
clipboard
commontime_management
connectivity
content
country_detector
device_policy
deviceidle
Bug: 18106000
Change-Id: I0d0f2a075c0509a783631d88ba453ac13399cdf2
2015-04-07 16:59:38 +00:00
Jeff Sharkey
abef255597
am 8a6ac553: am 73d9c2a9: Initial policy for expanded storage.
...
* commit '8a6ac553b5f64f002177790823d0e15e8ff74030':
Initial policy for expanded storage.
2015-04-07 02:01:43 +00:00
Jeff Sharkey
73d9c2a97b
Initial policy for expanded storage.
...
Expanded storage supports a subset of the features of the internal
data partition. Mirror that policy for consistency. vold is also
granted enough permissions to prepare initial directories.
avc: denied { write } for name="ext" dev="tmpfs" ino=3130 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { add_name } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { create } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { setattr } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=7243 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { mounton } for path="/mnt/ext/57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=7243 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { getattr } for path="/mnt/ext" dev="tmpfs" ino=3130 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { setattr } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=4471 scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
avc: denied { getattr } for path="/mnt/expand/57f8f4bc-abf4-655f-bf67-946fc0f9f25b/media" dev="dm-0" ino=145153 scontext=u:r:vold:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
avc: denied { rmdir } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=6380 scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
avc: denied { create } for name="tmp" scontext=u:r:vold:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1
avc: denied { setattr } for name="tmp" dev="dm-0" ino=72578 scontext=u:r:vold:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1
Bug: 19993667
Change-Id: I73c98b36e7c066f21650a9e16ea82c5a0ef3d6c5
2015-04-06 17:59:44 -07:00
Andres Morales
151a02a9bc
am 258ea8ed: am e207986e: SELinux permissions for gatekeeper TEE proxy
...
* commit '258ea8ed2e199855b4384ce11d7861fb7ae84683':
SELinux permissions for gatekeeper TEE proxy
2015-04-07 00:32:50 +00:00
Andres Morales
e207986ea0
SELinux permissions for gatekeeper TEE proxy
...
sets up:
- execute permissions
- binder permission (system_server->gatekeeper->keystore)
- prevents dumpstate and shell from finding GK binder service
- neverallow rules for prohibited clients
Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e
2015-04-06 16:46:58 -07:00
dcashman
593c1dbd03
am 2e45bba5: am 4cdea7fc: Assign app_api_service attribute to services.
...
* commit '2e45bba5a89348febd99ce0e820a3d4f4f4f5a58':
Assign app_api_service attribute to services.
2015-04-06 23:28:13 +00:00
dcashman
4cdea7fc40
Assign app_api_service attribute to services.
...
Assign the alarm, appwidget, assetatlas, audio, backup and batterystats services
the appropriate service access levels and move into enforcing.
Bug: 18106000
Change-Id: If3210bb25f3076edfdb6eec36ef6521ace1bd8d7
2015-04-06 13:20:41 -07:00
dcashman
ad5720c3e5
am b40dd46a: am b075338d: Assign app_api_service attribute to services.
...
* commit 'b40dd46a6b9dd60817a178ae929566ca471dcd8a':
Assign app_api_service attribute to services.
2015-04-03 22:44:04 +00:00
dcashman
b075338d0e
Assign app_api_service attribute to services.
...
Move accessibility, account, appops and activity services into enforcing with
app_api_service level of access, with additional grants to mediaserver and
isolated app.
Bug: 18106000
Change-Id: I1d5a79b9223026415f1690e8e9325ec4c270e3dd
2015-04-03 14:29:40 -07:00
dcashman
117ba9e2f9
am e83172c5: am 1598b52b: Merge "Remove obsolete system_server auditallow logging."
...
* commit 'e83172c5731a7d9272a3ef0e11c72673134f192b':
Remove obsolete system_server auditallow logging.
2015-04-02 01:39:56 +00:00
dcashman
73c06a9b00
am c8197153: am 59abf4cc: Merge "Record observed service accesses."
...
* commit 'c819715336f06f11b50af521d56998da9e9000de':
Record observed service accesses.
2015-04-02 01:39:55 +00:00
dcashman
513d77b5cb
Remove obsolete system_server auditallow logging.
...
system_server no longer has universal service_manager_type permissions and so no
longer needs the auditallow rules therewith associated.
Change-Id: I1e6584c120f6fc464a4bf6b377d9d7ea90441477
2015-04-01 14:45:45 -07:00
dcashman
8af4e9cb00
Record observed service accesses.
...
Get ready to switch system_server service lookups into enforcing.
Bug: 18106000
Change-Id: Iefd4b2eee6cdd680f5ab423d15cc72a2a30e27cf
2015-04-01 14:30:46 -07:00
Chad Brubaker
6cc74a4745
am 0a913546: am 66cc49c1: Merge "Add keystore add_auth"
...
* commit '0a913546f605fd04824750997996b492643fbe22':
Add keystore add_auth
2015-04-01 18:13:45 +00:00
Chad Brubaker
8927772caa
Add keystore add_auth
...
This is for the new addAuthToken keystore method from
I7f7647d9a36ea453ec6d62fc84087ca8f76e53dd. These tokens will be used to
authorize keymaster operations. The tokens are HMAC'd and so shouldn't
be fakeable but this is still limited to system_server only.
Change-Id: I3ff46b676ecac8a878d3aa0a25ba9a8b0c5e1f47
2015-03-31 13:03:41 -07:00
Jeff Sharkey
cab251ed1e
am 8d6a1000: am f063f461: Updated policy for external storage.
...
* commit '8d6a100067affcea330e97b2294960d32b94ae3d':
Updated policy for external storage.
2015-03-31 00:51:00 +00:00
Jeff Sharkey
f063f461a9
Updated policy for external storage.
...
An upcoming platform release is redesigning how external storage
works. At a high level, vold is taking on a more active role in
managing devices that dynamically appear.
This change also creates further restricted domains for tools doing
low-level access of external storage devices, including sgdisk
and blkid. It also extends sdcardd to be launchable by vold, since
launching by init will eventually go away.
For compatibility, rules required to keep AOSP builds working are
marked with "TODO" to eventually remove.
Slightly relax system_server external storage rules to allow calls
like statfs(). Still neverallow open file descriptors, since they
can cause kernel to kill us.
Here are the relevant violations that this CL is designed to allow:
avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket
avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1
2015-03-30 17:07:42 -07:00
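The avc denials quoted in the commit messages on this page all share one format; as an added example (not part of the commit log or of AOSP), the parser below reduces such lines to de-duplicated candidate allow rules for review, handling multi-permission braces, MLS categories in the source context, and a missing permissive field. The function names are this example's own, and the sample lines are copied from the messages above.

```python
import re
from collections import defaultdict

# Denial lines copied from the commit messages on this page.
SAMPLE = """\
avc: denied { relabelto } for name="fpdata" dev="mmcblk0p28" ino=586465 scontext=u:r:system_server:s0 tcontext=u:object_r:fingerprintd_data_file:s0 tclass=dir permissive=0
avc: denied { read } for name="fpdata" dev="mmcblk0p28" ino=586409 scontext=u:r:system_server:s0 tcontext=u:object_r:fingerprintd_data_file:s0 tclass=dir permissive=0
audit(0.0:152): avc: denied { link } for name="base.apk" dev="dm-0" ino=816009 scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0
avc: denied { open } for name="oat" dev="mmcblk0p28" ino=163027 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir
avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket
avc: denied { write } for path="/data/system/heapdump/javaheap.bin" dev="dm-0" ino=150747 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    """Return the type field of a user:role:type:level[:categories] context."""
    parts = context.split(":")
    if len(parts) < 4:
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]

def parse_denial(line):
    """Parse one denial line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": m.group("perms").split(),
        "source": type_of(fields["scontext"]),
        "target": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "object": fields.get("path") or fields.get("name"),
        "permissive": fields.get("permissive"),  # None when the field is absent
    }

def candidate_rules(text):
    """Merge denials per (source, target, class) into sorted allow rules."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        denial = parse_denial(line)
        if denial:
            key = (denial["source"], denial["target"], denial["tclass"])
            grouped[key].update(denial["perms"])
    rules = []
    for (source, target, tclass), perms in sorted(grouped.items()):
        ordered = sorted(perms)
        perm_text = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {source} {target}:{tclass} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE):
        print(rule)
```

The output is a starting point for review rather than policy to commit as-is: a rule such as the `untrusted_app` write to `system_data_file` covers every object with that label, so a narrower label or rule may be the better fix.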
John Reck
08c224f597
am a8c74889: am ec4008ec: Merge "Add graphicsstats service"
...
* commit 'a8c74889a0349cc896c41fdd360e4661ff0cb742':
Add graphicsstats service
2015-03-30 18:29:43 +00:00
John Reck
e8064afb5e
Add graphicsstats service
...
Change-Id: I156b139b57f46c695ece35b7b26a3087d87b25df
2015-03-27 19:10:58 +00:00
Nick Kralevich
323d741f1c
am a5649f32: am 6ece49c3: Merge "Revert "allow system_server to set kernel scheduling priority""
...
* commit 'a5649f328a0ccf6edf746be3750563e2d3646442':
Revert "allow system_server to set kernel scheduling priority"
2015-03-14 00:31:19 +00:00