Nick Kralevich
b2245d6420
Revert "Restore system_server ioctl socket access."
...
am: 58305da980
2016-11-09 01:33:12 +00:00
Nick Kralevich
58305da980
Revert "Restore system_server ioctl socket access."
...
The underlying ioctl denial was fixed in device-specific policy.
It's not needed in core policy.
A search of SELinux denials shows no reported denials, other than the
ones showing up on marlin.
This reverts commit ec3285cde0863ce3e7c7
2016-11-08 12:40:44 -08:00
Nick Kralevich
d62abbeea3
profman/debuggerd: allow libart_file:file r_file_perms
...
am: 364fd19782
2016-11-08 20:08:38 +00:00
Nick Kralevich
364fd19782
profman/debuggerd: allow libart_file:file r_file_perms
...
Addresses the following auditallow spam:
avc: granted { read open } for comm="profman"
path="/system/lib/libart.so" dev="dm-0" ino=1368 scontext=u:r:profman:s0
tcontext=u:object_r:libart_file:s0 tclass=file
avc: granted { read open } for comm="debuggerd64"
path="/system/lib64/libart.so" dev="dm-0" ino=1897
scontext=u:r:debuggerd:s0 tcontext=u:object_r:libart_file:s0 tclass=file
avc: granted { getattr } for comm="debuggerd64"
path="/system/lib64/libart.so" dev="dm-0" ino=1837
scontext=u:r:debuggerd:s0 tcontext=u:object_r:libart_file:s0 tclass=file
Test: Policy compiles. Not a tightening of rules.
Change-Id: I501b0a6a343c61b3ca6283647a18a9a15deddf2a
2016-11-08 09:28:28 -08:00
Polina Bondarenko
458888a7d3
sepolicy: Add policy for thermal HIDL service
...
am: 9785f2addd
2016-11-08 15:13:48 +00:00
Polina Bondarenko
9785f2addd
sepolicy: Add policy for thermal HIDL service
...
Bug: 32022261
Test: manual
Change-Id: I664a3b5c37f6a3a36e4e5beb91b384a9599c83f8
2016-11-08 13:34:31 +01:00
Nick Kralevich
b8b0d3746f
installd: r_dir_file(installd, system_file)
...
am: 68f233648e
2016-11-08 03:25:38 +00:00
Nick Kralevich
68f233648e
installd: r_dir_file(installd, system_file)
...
Allow installd to read through files, directories, and symlinks
on /system. This is needed to support installd using files in
/system/app and /system/priv-app
Addresses the following auditallow spam:
avc: granted { getattr } for comm="installd"
path="/system/app/Bluetooth/lib/arm/libbluetooth_jni.so"
dev="mmcblk0p41" ino=19 scontext=u:r:installd:s0
tcontext=u:object_r:system_file:s0 tclass=lnk_file
avc: granted { getattr } for comm="installd"
path="/system/priv-app/MtpDocumentsProvider/lib/arm64/libappfuse_jni.so"
dev="dm-0" ino=2305 scontext=u:r:installd:s0
tcontext=u:object_r:system_file:s0 tclass=lnk_file
avc: granted { read open } for comm="installd"
path="/system/priv-app/TelephonyProvider" dev="mmcblk0p43" ino=1839
scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=dir
avc: granted { read } for comm="installd" name="Velvet" dev="mmcblk0p43"
ino=1841 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0
tclass=dir
avc: granted { read open } for comm="installd"
path="/system/priv-app/GoogleOneTimeInitializer" dev="mmcblk0p43"
ino=1778 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0
tclass=dir
avc: granted { read open } for comm="installd"
path="/system/app/PlayAutoInstallConfig" dev="mmcblk0p43" ino=112
scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=dir
Test: policy compiles
Change-Id: I5d14ea2cd7d281f949d0651b9723d5b7fae2e1f2
2016-11-07 16:18:38 -08:00
Roshan Pius
fd637d065f
Merge "wpa.te: Add binder permission back"
...
am: b0c375d46d
2016-11-07 23:39:02 +00:00
Treehugger Robot
b0c375d46d
Merge "wpa.te: Add binder permission back"
2016-11-07 23:28:35 +00:00
Roshan Pius
cec44a61ba
wpa.te: Add binder permission back
...
Adding back the binder permission to access keystore from
wpa_supplicant. This was removed by mistake in the previous patch
(commit#: 6caeac) to add hwbinder permissions.
Denials in logs:
11-03 14:37:54.831 9011 9011 I auditd : type=1400 audit(0.0:1490):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:54.831 9011 9011 W wpa_supplicant: type=1400
audit(0.0:1490): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:55.838 9011 9011 I ServiceManager: Waiting for service
android.security.keystore...
11-03 14:37:55.834 9011 9011 I auditd : type=1400 audit(0.0:1491):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:55.834 9011 9011 W wpa_supplicant: type=1400
audit(0.0:1491): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:56.838 9011 9011 I ServiceManager: Waiting for service
android.security.keystore...
11-03 14:37:56.834 9011 9011 I auditd : type=1400 audit(0.0:1492):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:56.834 9011 9011 W wpa_supplicant: type=1400
audit(0.0:1492): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:57.839 9011 9011 I ServiceManager: Waiting for service
android.security.keystore...
11-03 14:37:57.834 9011 9011 I auditd : type=1400 audit(0.0:1493):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:57.834 9011 9011 W wpa_supplicant: type=1400
audit(0.0:1493): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
Bug: 32655747
Test: Compiles. Will send for integration testing.
Change-Id: Ic57a5bf0e6ea15770efc0d09f68d04b2db9ec1b8
2016-11-07 12:51:07 -08:00
Etan Cohen
2143eab887
Merge "[NAN-AWARE] Remove NAN service"
...
am: 0182a87dab
2016-11-06 22:01:22 +00:00
Etan Cohen
0182a87dab
Merge "[NAN-AWARE] Remove NAN service"
2016-11-06 21:56:05 +00:00
Etan Cohen
66502077a9
Merge "[NAN-AWARE] Add Aware service"
...
am: 8da9cd640b
2016-11-05 04:06:07 +00:00
Etan Cohen
8da9cd640b
Merge "[NAN-AWARE] Add Aware service"
2016-11-05 04:00:40 +00:00
Etan Cohen
43b96aaf12
[NAN-AWARE] Remove NAN service
...
Finish NAN -> Aware rename process. Removes old NAN service.
Bug: 32263750
Test: device boots and all Wi-Fi unit-tests pass
Change-Id: I2f0d9595efea2494b56074752194e7a6e66070f2
2016-11-04 13:38:14 -07:00
Etan Cohen
44527cb970
[NAN-AWARE] Add Aware service
...
Add Aware service - new name for NAN. But do not remove NAN
yet. Enables smooth transition.
Bug: 32263750
Test: device boots and all Wi-Fi unit-tests pass
Change-Id: Ieb9f1ebf1d2f31ee27f228562b4601023da5282d
2016-11-04 13:37:17 -07:00
dcashman
84992ead69
Restore system_server ioctl socket access.
...
am: ec3285cde0
2016-11-04 05:16:16 +00:00
dcashman
ec3285cde0
Restore system_server ioctl socket access.
...
Bug: 32290392
Test: Builds.
Change-Id: I46e8af202b41131cfc9bb280f04a214859c9b0de
2016-11-03 19:36:11 -07:00
Ruchi Kandoi
bd85244dbc
hal_memtrack: Add sepolicy for memtrack service.
...
am: 0a924a6e1a
2016-11-04 00:16:28 +00:00
Ruchi Kandoi
77a862665c
hal_power: Add sepolicy for power service.
...
am: 3c30c4e2db
2016-11-04 00:16:26 +00:00
Ruchi Kandoi
0a924a6e1a
hal_memtrack: Add sepolicy for memtrack service.
...
Bug: 31180823
Test: reduced sepolicy errors
Change-Id: Ibfba2efa903adec340e37abec2afb3b94a262678
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
2016-11-03 13:05:48 -07:00
Ruchi Kandoi
3c30c4e2db
hal_power: Add sepolicy for power service.
...
Bug: 31177288
Test: reduced sepolicy errors
Change-Id: I29556276ee14c341ac8f472875e6b69f903851ff
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
2016-11-03 13:01:48 -07:00
Steven Moreland
cdd1bd76fa
Sepolicy for light hal.
...
am: 1ec710c8ff
2016-11-01 23:40:27 +00:00
Steven Moreland
1ec710c8ff
Sepolicy for light hal.
...
Bug: 32022100
Test: end to end
Change-Id: I5dd9b64c98a5c549fdaf9e47d5a92fa6963370c7
2016-11-01 21:30:51 +00:00
Dianne Hackborn
33619e31de
Allow new settings system service.
...
am: 11877133ba
2016-11-01 21:30:34 +00:00
Felipe Leme
517a9ed1e3
Merge "Added permissions for the dumpstate service."
...
am: ae9d3c0c31
2016-11-01 21:18:49 +00:00
Dianne Hackborn
11877133ba
Allow new settings system service.
...
Test: N/A
Change-Id: Ib3c85118bf752152f5ca75ec13371073fc2873cc
2016-11-01 21:16:56 +00:00
Treehugger Robot
ae9d3c0c31
Merge "Added permissions for the dumpstate service."
2016-11-01 21:13:31 +00:00
Jorge Lucangeli Obes
52dd15a0c1
Merge "init: Allow SETPCAP for dropping bounding set."
...
am: 02c8383521
2016-11-01 20:28:16 +00:00
Treehugger Robot
02c8383521
Merge "init: Allow SETPCAP for dropping bounding set."
2016-11-01 20:23:14 +00:00
Jorge Lucangeli Obes
847bfa4ab2
init: Allow SETPCAP for dropping bounding set.
...
This is required for https://android-review.googlesource.com/#/c/295748
so that init can drop the capability bounding set for services.
Bug: 32438163
Test: With 295748 and a test service using ambient capabilities.
Change-Id: I57788517cfe2ef0e7a2f1dfab94d0cb967ede065
2016-11-01 14:32:13 -04:00
Felipe Leme
b5f5931e8c
Added permissions for the dumpstate service.
...
- Allow dumpstate to create the dumpservice service.
- Allow System Server and Shell to find that service.
- Don't allow anyone else to create that service.
- Don't allow anyone else to find that service.
BUG: 31636879
Test: manual verification
Change-Id: I642fe873560a2b123e6bafde645467d45a5f5711
2016-11-01 10:43:25 -07:00
Nick Kralevich
a9aac6a9bf
Merge "system_server: allow appendable file descriptors"
...
am: 184851a212
2016-10-31 15:55:34 +00:00
Nick Kralevich
fa418650d2
Merge "Get rid of more auditallow spam"
...
am: 82b9182ef3
2016-10-31 15:55:22 +00:00
Treehugger Robot
184851a212
Merge "system_server: allow appendable file descriptors"
2016-10-31 15:45:38 +00:00
Treehugger Robot
82b9182ef3
Merge "Get rid of more auditallow spam"
2016-10-31 15:43:42 +00:00
Nick Kralevich
74b8425929
kernel.te: tighten entrypoint / execute_no_trans neverallow
...
am: 02cfce49ae
2016-10-31 15:22:50 +00:00
Nick Kralevich
02cfce49ae
kernel.te: tighten entrypoint / execute_no_trans neverallow
...
The kernel domain exists solely on boot, and is used by kernel threads.
Because of the way the system starts, there is never an entrypoint for
that domain, not even a file on rootfs. So tighten up the neverallow
restriction.
Remove an obsolete comment. The *.rc files no longer have a setcon
statement, and the transition from the kernel domain to init occurs
because init re-execs itself. The statement no longer applies.
Test: bullhead policy compiles.
Change-Id: Ibe75f3d25804453507dbb05c7a07bba1d37a1c7b
2016-10-30 18:46:44 -07:00
Nick Kralevich
8044129f42
system_server: allow appendable file descriptors
...
system_server is currently allowed write (but not open) access to
various app file descriptor types, to allow it to perform write
operations on file descriptors passed to it from Android processes.
However, system_server was not allowed to handle file descriptors
open only for append operations.
Write operations are a superset of that allowed by appendable
operations, so it makes no sense to deny system_server the use of
appendable file descriptors. Allow it for app data types, as well as a
few other types (for robustness).
Addresses the following denial generated when adb bugreport is run:
type=1400 audit(0.0:12): avc: denied { append } for
path="/data/user_de/0/com.android.shell/files/bugreports/bugreport-MASTER-2016-10-29-08-13-50-dumpstate_log-6214.txt"
dev="dm-2" ino=384984 scontext=u:r:system_server:s0
tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0
Bug: 32246161
Test: policy compiles
Test: No more append denials when running adb shell am bug-report --progress
Change-Id: Ia4e81cb0b3c3580fa9130952eedaed9cab3e8487
2016-10-29 08:20:56 -07:00
Nick Kralevich
2c8ea36ad8
Get rid of more auditallow spam
...
Addresses the following audit messages:
[ 7.984957] type=1400 audit(33873666.610:40): avc: granted { getattr
} for pid=1 comm="init" name="system@framework@boot-ext.art" dev="dm-2"
ino=106324 scontext=u:r:init:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file
[ 65.528068] type=1400 audit(1477751916.508:96): avc: granted { search
} for pid=6330 comm="main" name="/" dev="cgroup" ino=12428
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir
[ 65.530425] type=1400 audit(1477751916.508:97): avc: granted { search
} for pid=6330 comm="main" name="/" dev="cgroup" ino=12428
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir
[ 65.530487] type=1400 audit(1477751916.508:98): avc: granted { open }
for pid=6330 comm="main" path="/dev/cpuctl/tasks" dev="cgroup" ino=12429
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file
[ 65.530800] type=1400 audit(1477751916.508:98): avc: granted { open }
for pid=6330 comm="main" path="/dev/cpuctl/tasks" dev="cgroup" ino=12429
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file
[ 65.530842] type=1400 audit(1477751916.508:99): avc: granted { search
} for pid=6330 comm="main" name="/" dev="cgroup" ino=12428
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir
[ 65.531138] type=1400 audit(1477751916.508:99): avc: granted { search
} for pid=6330 comm="main" name="/" dev="cgroup" ino=12428
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir
[ 65.531176] type=1400 audit(1477751916.508:100): avc: granted {
search } for pid=6330 comm="main" name="bg_non_interactive" dev="cgroup"
ino=12444 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0
tclass=dir
[ 65.531465] type=1400 audit(1477751916.508:100): avc: granted {
search } for pid=6330 comm="main" name="bg_non_interactive" dev="cgroup"
ino=12444 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0
tclass=dir
[ 65.531502] type=1400 audit(1477751916.508:101): avc: granted { open
} for pid=6330 comm="main" path="/dev/cpuctl/bg_non_interactive/tasks"
dev="cgroup" ino=12445 scontext=u:r:dumpstate:s0
tcontext=u:object_r:cgroup:s0 tclass=file
[ 65.531789] type=1400 audit(1477751916.508:101): avc: granted { open
} for pid=6330 comm="main" path="/dev/cpuctl/bg_non_interactive/tasks"
dev="cgroup" ino=12445 scontext=u:r:dumpstate:s0
tcontext=u:object_r:cgroup:s0 tclass=file
[ 65.531827] type=1400 audit(1477751916.508:102): avc: granted {
search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12459
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir
[ 65.713056] type=1400 audit(1477751916.508:102): avc: granted {
search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12459
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir
Bug: 32246161
Test: policy compiles
Test: dumpstate no longer generates the audit messages above.
Change-Id: Id5afe2ebeb24f8a7407aac1a0a09806b1521b0e4
2016-10-29 08:15:08 -07:00
Roshan Pius
a70008f691
Merge changes I5bbbcad3,Ifa4630ed
...
am: ece327292c
2016-10-28 23:43:18 +00:00
Roshan Pius
e1d1b3dc07
wifi_hal: Rename to 'hal_wifi'
...
am: 8224596a32
2016-10-28 23:43:17 +00:00
Roshan Pius
35ac63bab2
wpa: Add permissions for hwbinder
...
am: 6caeac7b47
2016-10-28 23:43:15 +00:00
Treehugger Robot
ece327292c
Merge changes I5bbbcad3,Ifa4630ed
...
* changes:
wifi_hal: Rename to 'hal_wifi'
wpa: Add permissions for hwbinder
2016-10-28 23:36:21 +00:00
Nick Kralevich
6f2f72c2b1
Get rid of auditallow spam.
...
am: 79a08e13bd
2016-10-28 20:50:31 +00:00
Nick Kralevich
79a08e13bd
Get rid of auditallow spam.
...
Fixes the following SELinux messages when running adb bugreport:
avc: granted { read } for name="libart.so" dev="dm-0" ino=1886
scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file
avc: granted { read open } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file
avc: granted { getattr } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file
avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file
avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file
avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file
avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file
avc: granted { read execute } for path="/system/lib64/libart.so"
dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0
tcontext=u:object_r:libart_file:s0 tclass=file
avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file
avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file
avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir
avc: granted { getattr } for path="/data/dalvik-cache/arm64" dev="dm-2"
ino=106290 scontext=u:r:dumpstate:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir
avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir
avc: granted { search } for name="arm64" dev="dm-2" ino=106290
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir
avc: granted { getattr } for
path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2"
ino=106318 scontext=u:r:dumpstate:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file
avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir
avc: granted { search } for name="arm64" dev="dm-2" ino=106290
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir
avc: granted { read } for name="system@framework@boot.art" dev="dm-2"
ino=106318 scontext=u:r:dumpstate:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file
avc: granted { read open } for
path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2"
ino=106318 scontext=u:r:dumpstate:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file
avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir
[ 169.349480] type=1400 audit(1477679159.734:129): avc: granted { read
} for pid=6413 comm="main" name="ipv6_route" dev="proc" ino=4026535947
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.350030] type=1400 audit(1477679159.734:130): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route"
dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.350361] type=1400 audit(1477679159.734:130): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route"
dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.350399] type=1400 audit(1477679159.734:131): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route"
dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.350963] type=1400 audit(1477679159.734:131): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route"
dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.351002] type=1400 audit(1477679159.734:132): avc: granted { read
} for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.351330] type=1400 audit(1477679159.734:132): avc: granted { read
} for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.351366] type=1400 audit(1477679159.734:133): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.351861] type=1400 audit(1477679159.734:133): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.351910] type=1400 audit(1477679159.734:134): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.353105] type=1400 audit(1477679159.734:134): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.353186] type=1400 audit(1477679159.734:135): avc: granted { read
} for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.353594] type=1400 audit(1477679159.734:135): avc: granted { read
} for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.353636] type=1400 audit(1477679159.734:136): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.354230] type=1400 audit(1477679159.734:136): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.354437] type=1400 audit(1477679159.734:137): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.395359] type=1400 audit(1477679159.734:137): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file
Test: policy compiles
Test: adb bugreport runs without auditallow messages above.
Bug: 32246161
Change-Id: Ie0ab2ed3c6babc1f93d3b8ae47c92dd905ebc93a
2016-10-28 11:46:00 -07:00
Roshan Pius
8224596a32
wifi_hal: Rename to 'hal_wifi'
...
Renaming the wifi HIDL implementation to 'hal_wifi' from 'wifi_hal_legacy'
to conform with HIDL style guide.
Denials:
01-01 21:55:23.896 2865 2865 I android.hardware.wifi@1.0-service:
wifi_hal_legacy is starting up...
01-01 21:55:23.898 2865 2865 W android.hardware.wifi@1.0-service:
/odm/lib64/hw/ does not exit.
01-01 21:55:23.899 2865 2865 F android.hardware.wifi@1.0-service:
service.cpp:59] Check failed: service->registerAsService("wifi") ==
android::NO_ERROR (service->registerAsService("wifi")=-2147483646,
android::NO_ERROR=0) Failed to register wifi HAL
01-01 21:55:23.899 2865 2865 F libc : Fatal signal 6 (SIGABRT),
code -6 in tid 2865 (android.hardwar)
01-01 21:55:23.901 377 377 W : debuggerd: handling request:
pid=2865 uid=2000 gid=2000 tid=2865
01-01 21:55:23.907 2867 2867 E : debuggerd: Unable to connect
to activity manager (connect failed: Connection refused)
01-01 21:55:23.908 2867 2867 F DEBUG : *** *** *** *** *** *** ***
*** *** *** *** *** *** *** *** ***
01-01 21:55:23.908 2867 2867 F DEBUG : Build fingerprint:
'Android/aosp_angler/angler:7.0/NYC/rpius10031052:userdebug/test-keys'
01-01 21:55:23.908 2867 2867 F DEBUG : Revision: '0'
01-01 21:55:23.908 2867 2867 F DEBUG : ABI: 'arm64'
01-01 21:55:23.908 2867 2867 F DEBUG : pid: 2865, tid: 2865, name:
android.hardwar >>> /system/bin/hw/android.hardware.wifi@1.0-service
<<<
01-01 21:55:23.909 2867 2867 F DEBUG : signal 6 (SIGABRT), code -6
(SI_TKILL), fault addr --------
01-01 21:55:23.910 2867 2867 F DEBUG : Abort message:
'service.cpp:59] Check failed: service->registerAsService("wifi") ==
android::NO_ERROR (service->registerAsService("wifi")=-2147483646,
android::NO_ERROR=0) Failed to register wifi HAL'
Bug: 31821133
Test: Compiled and ensured that the selinux denials are no longer
present in logs.
Change-Id: I5bbbcad307e9bb9e59fff87e2926751b3aecc813
2016-10-28 09:00:31 -07:00
William Roberts
14742b0f92
Merge "domain: neverallow on setfcap"
...
am: e112faeaa8
2016-10-28 00:03:22 +00:00
Treehugger Robot
e112faeaa8
Merge "domain: neverallow on setfcap"
2016-10-27 23:45:58 +00:00
