The code used to look like this, but in commit
4cae28d43c we replaced the generic
regexes to improve performance. Now that we've switched to genfs,
this no longer affects performance, so let's simplify the labeling.
Bug: 62413700
Test: Built, flashed, and booted two devices. Verified that all of
the files have the correct context and that wifi, camera, and traceur
work.
Change-Id: I1a859d17075fa25543ee090cc7a7478391bc45c1
This should slightly improve performance, as file_contexts is slower
than genfs_contexts.
Now that the kernel patch enabling genfs labeling of tracefs has
landed, we can re-enable this.
Bug: 62413700
Test: Built, flashed, and booted two devices. Verified that all of
the files have the correct context and that wifi, camera, and traceur
work.
Change-Id: Ifc1c6ac634b94e060ed1f311049bd37f6fcc8313
Bug: 62706738
Bug: 34133340
Test: Check that uid_time_in_state can't be read from
the shell without root permissions and that
"dumpsys batterystats --checkin| grep ctf" shows frequency
data (system_server was able to read uid_time_in_state)
Change-Id: Ic6a54da4ebcc9e10b0e3af8f14a45d7408e8686e
(cherry picked from commit 4dc88795d0)
A legitimate call to access(2) is generating a denial. Use the
audit_access permission to suppress the denial on just the access()
call.
avc: denied { write } for name="verified_jars"
scontext=u:r:dexoptanalyzer:s0
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
Bug: 62597207
Test: build policy
Test: The following cmd succeeds but no longer generates a denial
adb shell cmd package compile -r bg-dexopt --secondary-dex \
com.google.android.googlequicksearchbox
Change-Id: I7d03df2754c24c039bce11426bf8f317232f5e5f
(cherry picked from commit 575e627081)
This reinstates the selinux changes for the timezone service that
were reverted on oc-dr1-dev and undesirably merged down to master.
This reverts commit 96c619c826.
Test: make
Bug: 31008728
Change-Id: Ief2129c409de09b2782881a6556d918af59badd9
This was marked deprecated in 2014 and removed in 2015, let's remove
the sepolicy now too.
(Originally submitted in commit: 8c60f74dcc)
Bug: 38242876
Test: Builds and boots.
Change-Id: I4caa0dbf77956fcbc61a07897242b951c275b502
Add /dev/kmsg_debug on userdebug devices, to allow crash_dump to log
crashes to dmesg when logd isn't up yet (or is the one crashing).
(Originally committed in a015186fab)
Bug: 36574794
Bug: 62101480
Test: Builds and boots.
Change-Id: I249e11291c58fee77098dec3fd3271ea23363ac9
A legitimate call to access(2) is generating a denial. Use the
audit_access permission to suppress the denial on just the access()
call.
avc: denied { write } for name="verified_jars"
scontext=u:r:dexoptanalyzer:s0
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
Bug: 62597207
Test: build policy
Test: The following cmd succeeds but no longer generates a denial
adb shell cmd package compile -r bg-dexopt --secondary-dex \
com.google.android.googlequicksearchbox
Change-Id: I7d03df2754c24c039bce11426bf8f317232f5e5f
Linux kernel commit da69a5306ab9 ("selinux: support distinctions among all
network address families") triggers a build error if a new address family
is added without defining a corresponding SELinux security class. As a
result, the smc_socket class was added to the kernel to resolve a build
failure as part of merge commit 3051bf36c25d that introduced AF_SMC circa
Linux 4.11. Define this security class and its access vector, add
it to the socket_class_set macro, and exclude it from webview_zygote
like other socket classes.
Test: Policy builds
Change-Id: Idbb8139bb09c6d1c47f1a76bd10f4ce1e9d939cb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
A previous commit reverted us back to using file_contexts
instead of genfs_contexts but did not remove the new
genfs_contexts rules, which caused this problem.
Bug: 62901680
Test: Verified that the errors do not appear and that wifi
and traceur work.
Change-Id: Ic0078dc3a2a9d3d35a10599239fdf9fa478f1e2b