Age | Commit message | Author |
|
Allow shell users to have permission to update sysfs node
/sys/class/kgsl/kgsl-3d0/perfcounter
Bug: 193434313
Change-Id: Id964c20d49b21a9a21a19d86eed46b9ca4ee9138
|
|
avc: denied { find } for pid=4219 uid=10202
name=vendor.qti.hardware.radio.ims.IImsRadio/imsradio0
scontext=u:r:qtelephony:s0:c202,c256,c512,c768
tcontext=u:object_r:default_android_service:s0
tclass=service_manager
permissive=0
avc: denied { read } for name="wakeup24" dev="sysfs" ino=63576
scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs:s0 tclass=dir
permissive=0
avc: denied { read } for name="wakeup23" dev="sysfs" ino=63561
scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs:s0 tclass=dir
permissive=0
Bug: 215046366
Change-Id: Ia5a1e0647473250ccbab46df4be88a2a6f2f033a
|
|
avc: denied { search } for comm="com.qti.phone"
name="com.qualcomm.qti.telephonyservice" dev="dm-39" ino=2607
scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c154,c256,c512,c768 tclass=dir
permissive=0 app=com.qualcomm.qti.telephonyservice
Bug: 209719286
Change-Id: I70a013563ac53ec725801c7aff77444340b75e3d
|
|
avc: denied { search } for comm="HwBinder:1281_1"
name="5000000.qcom,kgsl-3d0" dev="sysfs" ino=34274
scontext=u:r:cameraserver:s0 tcontext=u:object_r:sysfs_msm_subsys:s0
tclass=dir permissive=0
avc: denied { search } for comm="EvtQ_c2.qti.avc"
name="5000000.qcom,kgsl-3d0" dev="sysfs" ino=34274
scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs_msm_subsys:s0
tclass=dir permissive=0
Bug: 208956148
Change-Id: I9438386217458159446bbe88029384e48c3dda57
|
|
Bug: 219538389
Test: atest GtsMediaTestCases
Change-Id: If8d3d9469592654082edc0004d7802d8da722ee7
Merged-In: If8d3d9469592654082edc0004d7802d8da722ee7
|
|
Bug: 205056467
Merged-In: I83cf7b45d6e4146d112a3bed08a5fd5a4f5089ce
Change-Id: Ib4c2882c506f8c3f35dc2d5616f4986ee30cfdcb
|
|
This reverts commit 2ce2569b3507b20f6f733fcc6dcf79e72c66682d.
Reason for revert: Restore this patch since it was not necessary to revert this patch.
Bug: 202520796
Change-Id: I640160b0c310e67fed6cf1374bf0fdfcbfdd5e1e
|
|
Revert "Revert "Add the 'bdev_type' attribute to all block devic..."
Revert^2 "Add the 'bdev_type' attribute to all block devices"
8a13547df44e5492d5b2c87a97412337c5088786
Change-Id: Ia727348093a068dd07d3168d9d95f63c6dc2aeeb
|
|
Bug: 202520796
Test: Untested.
Change-Id: I9c4b2c48b04c30e835784fc0dd52f11e543320bf
Signed-off-by: Bart Van Assche <bvanassche@google.com>
|
|
Original change: https://googleplex-android-review.googlesource.com/c/device/google/sunfish-sepolicy/+/15957759
Change-Id: Ibafc6339b2427f91b60d7a032a28b5a8f70aa5c4
|
|
Fix sepolicy error:
avc: denied { find } for
interface=vendor.qti.ims.factory::IImsFactory
sid=u:r:hal_rcsservice:s0 pid=10907 scontext=u:r:hal_rcsservice:s0
tcontext=u:object_r:default_android_hwservice:s0
tclass=hwservice_manager permissive=0
Ref: redbull-sepolicy:71ca806a5d6005f18eef94a61fa9edff419dc39c
Bug: 193992611
Change-Id: Ia290227a0bb851608d5e7b2b85bb719a5477c88e
|
|
This patch fixes the following SELinux denial, reported by Treehugger
for patch https://android-review.git.corp.google.com/c/platform/system/apex/+/1782069:
07-29 02:52:54.320 582 582 I auditd : type=1400 audit(0.0:4): avc: denied { getattr } for comm="apexd" path="/dev/block/mmcblk0rpmb" dev="tmpfs" ino=15991 scontext=u:r:apexd:s0
Bug: 194450129
Test: Untested.
Change-Id: I796546dacd3e309ea0b127100560b23856bdbc8e
Signed-off-by: Bart Van Assche <bvanassche@google.com>
|
|
Patch https://android-review.googlesource.com/c/platform/system/sepolicy/+/1783947
("Allow the init and apexd processes to read all block device properties")
associates the sysfs_block_type attribute with the files under
/sys/class/block. SCSI device information needs to be labeled separately
because it exists elsewhere:
# ls -ld /sys/class/block/sda
lrwxrwxrwx 1 root root 0 2021-08-17 14:49 /sys/class/block/sda -> ../../devices/platform/14700000.ufs/host0/target0:0:0/0:0:0:0/block/sda
Hence this patch that associates the sysfs_block_type attribute with SCSI
device information in sysfs.
Bug: 196982345
Test: Untested.
Change-Id: I16746ca6bc55294db83a8aea87f16fe7ad81d97f
Signed-off-by: Bart Van Assche <bvanassche@google.com>
|
|
The following patch iterates over all block devices:
https://android-review.googlesource.com/c/platform/system/core/+/1783847/9
The following patch grants 'init' and 'apexd' permission to iterate over
all block devices:
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1783947
The above SELinux policy change requires adding the 'bdev_type'
attribute to all block devices. Hence this patch.
Bug: 194450129
Test: Untested.
Change-Id: I40776e26f4300859485759b440575d12d779b5a9
Signed-off-by: Bart Van Assche <bvanassche@google.com>
|
|
Bug: 194892738
Test: boot to home with no avc denials
Change-Id: Ie25f87671b5dd80819eff15b362324402dd2c4bd
|
|
Bug: 162370942
Test: build pass
Change-Id: Ib6042e79d74dedae3b07c91769958f58e439f62b
Merged-In: I4c2275e155bd71793d554e5d44d7833d4c4ab9da
|
|
avc: denied { read } for name="android.hardware.graphics
.mapper@4.0-impl-qti-display.so" dev="dm-7"
ino=2012 scontext=u:r:surfaceflinger:s0
tcontext=u:object_r:vendor_file:s0 tclass=file
permissive=0
Bug: 189893985
Change-Id: I4c2275e155bd71793d554e5d44d7833d4c4ab9da
|
|
hal_gnss_qti:
avc: denied { search } for comm="android.hardwar" name="location"
dev="dm-6" ino=341 scontext=u:r:hal_gnss_qti:s0
tcontext=u:object_r:location_data_file:s0 tclass=dir permissive=0
Bug: 191613553
Change-Id: Idc2ff2dab3da8cb0b22ae7ea87370dc2348666eb
|
|
avc: denied { dac_read_search } for comm="tftp_server" capability=2 scontext=u:r:rfs_access:s0 tcontext=u:r:rfs_access:s0 tclass=capability permissive=0
avc: denied { dac_override } for comm="tftp_server" capability=1 scontext=u:r:rfs_access:s0 tcontext=u:r:rfs_access:s0 tclass=capability permissive=0
Bug: 189167816
Change-Id: I738bb1c1699dd6d2e075fb0f822129d65328eb5a
|
|
avc: denied { dac_read_search } for comm="tftp_server" capability=2 scontext=u:r:rfs_access:s0 tcontext=u:r:rfs_access:s0 tclass=capability permissive=0
avc: denied { dac_override } for comm="tftp_server" capability=1 scontext=u:r:rfs_access:s0 tcontext=u:r:rfs_access:s0 tclass=capability permissive=0
Bug: 189167816
Change-Id: Ie694865a835f87c3cdd37418178734ebba24cb99
|
|
1. init_qti_chg_policy sysfs_wakeup:dir read
denied { read } for comm="find" name="wakeup8" dev="sysfs" ino=55134
scontext=u:r:init_qti_chg_policy:s0 tcontext=u:object_r:sysfs_wakeup:s0
tclass=dir permissive=0
init_qti_chg_policy sysfs_iio_devices:dir search
denied { search } for comm="cat" name="devices" dev="sysfs" ino=42746
scontext=u:r:init_qti_chg_policy:s0
tcontext=u:object_r:sysfs_iio_devices:s0 tclass=dir permissive=0
2. cnd default_android_hwservice:hwservice_manager find
denied { find } for
interface=vendor.qti.hardware.mwqemadapter::IMwqemAdapter
sid=u:r:cnd:s0 pid=1224 scontext=u:r:cnd:s0
tcontext=u:object_r:default_android_hwservice:s0
tclass=hwservice_manager permissive=0
3. rild default_android_hwservice:hwservice_manager find
denied { find } for
interface=vendor.qti.hardware.radio.internal.deviceinfo::IDeviceInfo
sid=u:r:rild:s0 pid=1424 scontext=u:r:rild:s0
tcontext=u:object_r:default_android_hwservice:s0
tclass=hwservice_manager permissive=0
4. sensors sensors_vendor_data_file:dir search
denied { search } for name="sensors" dev="dm-6" ino=262
scontext=u:r:sensors:s0
tcontext=u:object_r:sensors_vendor_data_file:s0 tclass=dir
permissive=0
5. qtelephony default_android_hwservice:hwservice_manager find
denied { find } for
interface=vendor.qti.hardware.radio.internal.deviceinfo::IDeviceInfo
sid=u:r:qtelephony:s0:c32,c257,c512,c768 pid=4377
scontext=u:r:qtelephony:s0:c32,c257,c512,c768
tcontext=u:object_r:default_android_hwservice:s0
tclass=hwservice_manager permissive=0
6. hvdcp
denied { write } for name="kmsg" dev="tmpfs" ino=26341 scontext=u:r:hvdcp:s0
tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
Bug: 188064567
Change-Id: Ib5e59796a56d6cb39fa1d482599d93903431ab2a
|
|
Bug: 185598142
Bug: 182255618
Change-Id: Idba839ead12334815e0fc989981050f128096cb9
|
|
init: Could not start service 'keymaster-4-1' as part of class 'early_hal':
File /vendor/bin/hw/android.hardware.keymaster@4.1-service-qti(labeled "u:object_r:vendor_file:s0")
has incorrect label or no domain transition from u:r:init:s0 to another SELinux domain defined.
reference to qcom/lito/platform/vendor/qcom/sepolicy_vndr:fefbf6b185221bb37b24ae8eea74862a97389650
cherry-pick from 6903a0fa10f95bec2d05608a20b2d6164177846d
Bug: 185598142
Bug: 178358917
Change-Id: I77c6a6cda6b2772d4ff81a3bb6a0fc819cc47f49
|
|
Original change: https://android-review.googlesource.com/c/device/google/sunfish-sepolicy/+/1708166
Change-Id: I6b238f58c7eb0d721437e7c6b9553e29d85e3d3f
|
|
05-12 13:18:16.449 1095 1095 I auditd : type=1400 audit(0.0:7): avc: denied { getattr } for comm="pd-mapper" path="/dev/kmsg" dev="tmpfs" ino=17807 scontext=u:r:vendor_pd_mapper:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
Bug: 177335164
Test: boot to home with no avc error
Change-Id: Ia076cca5a5335063edc31990fca7a51fedf117b7
|
|
1. com.qualcomm.qti.telephonyservice
{ read } for comm="elephonyservice"
name="u:object_r:vendor_radio_prop:s0" dev="tmpfs" ino=25322
scontext=u:r:platform_app:s0:c512,
c768 tcontext=u:object_r:vendor_radio_prop:s0 tclass=file
permissive=0 app=com.qualcomm.qti.telephonyservice
Ref: qcom/lito/device/qcom/sepolicy/+/2824781c (CRs-Fixed: 2809413)
2. vendor.qti.hardware.radio.ims.IImsRadio/default
avc: denied { find } for pid=2718 uid=10252
name=vendor.qti.hardware.radio.ims.IImsRadio/default
scontext=u:r:qtelephony:s0:c252,c256,c512,c768
tcontext=u:object_r:default_android_service:s0 tclass=service_manager
permissive=0
Bug: 185560630
Bug: 185954927
Change-Id: Ibe935872b7a35ccdc8c2eb8eaea942ec91527abf
|
|
Sign with default key
Test: manually, connect to wifi, reboot and check logcat, no new error
message after applying the patch
adb logcat |egrep "Hardware|System.err"
Bug: 162295589
Signed-off-by: Denny cy Lee <dennycylee@google.com>
Change-Id: Iafb8f978981a03020974804f121f04aec7bf334f
Merged-in: Iafb8f978981a03020974804f121f04aec7bf334f
|
|
netmgrd vendor_default_prop:property_service set
avc: denied { set } for property=persist.vendor.data.offload_ko_load
pid=1213 uid=1001 gid=1001
scontext=u:r:netmgrd:s0 tcontext=u:object_r:vendor_default_prop:s0
tclass=property_service permissive=0
Bug: 175076226
Bug: 171353985
Bug: 183061600
Change-Id: Id7e03e22046eb9306f7b0bb6d7c7f56f44ffbbf7
|
|
Bug: 180401296
Merged-In: I6de871f2a9107c4a8438139af720a86e3e760756
Change-Id: I646cf656401a6e71345c4faf7f89ab8d0d1b822b
|
|
Sign with default key
Test: manually, connect to wifi, reboot and check logcat, no new error
message after applying the patch
adb logcat |egrep "Hardware|System.err"
Bug: 162295589
Signed-off-by: Denny cy Lee <dennycylee@google.com>
Change-Id: Iafb8f978981a03020974804f121f04aec7bf334f
|
|
which obviates the need for:
allow secure_ui_service_app activity_service:service_manager find;
allow secure_ui_service_app surfaceflinger_service:service_manager find;
allow secure_ui_service_app telecom_service:service_manager find;
allow secure_ui_service_app thermal_service:service_manager find;
allow secure_ui_service_app trust_service:service_manager find;
because they all are app_api_service's
This should also fix:
auditd : avc: denied { find } for pid=4625 uid=10140 name=tethering scontext=u:r:secure_ui_service_app:s0:c140,c256,c512,c768 tcontext=u:object_r:tethering_service:s0 tclass=service_manager
which would require:
allow secure_ui_service_app tethering_service:service_manager find;
but again, tethering_service is an app_api_service
See system/sepolicy/public/service.te:
type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
Test: TreeHugger
Bug: 179337939
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I9bb9f2a580ac615a552f7bac97e478bf086243f6
Merged-In: I9bb9f2a580ac615a552f7bac97e478bf086243f6
|
|
which obviates the need for:
allow secure_ui_service_app activity_service:service_manager find;
allow secure_ui_service_app surfaceflinger_service:service_manager find;
allow secure_ui_service_app telecom_service:service_manager find;
allow secure_ui_service_app thermal_service:service_manager find;
allow secure_ui_service_app trust_service:service_manager find;
because they all are app_api_service's
This should also fix:
auditd : avc: denied { find } for pid=4625 uid=10140 name=tethering scontext=u:r:secure_ui_service_app:s0:c140,c256,c512,c768 tcontext=u:object_r:tethering_service:s0 tclass=service_manager
which would require:
allow secure_ui_service_app tethering_service:service_manager find;
but again, tethering_service is an app_api_service
See system/sepolicy/public/service.te:
type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
Test: TreeHugger
Bug: 179337939
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I9bb9f2a580ac615a552f7bac97e478bf086243f6
|
|
63b44261e6
Original change: https://android-review.googlesource.com/c/device/google/sunfish-sepolicy/+/1549455
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: Ied00a6733d75fbedbdeb0e3ebed3ae6aa8eb2f28
|
|
Original change: https://android-review.googlesource.com/c/device/google/sunfish-sepolicy/+/1549455
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: I9ba2b63b43cf32a64ad9c70f9f49c2303c224805
|
|
avc: denied { set } for property=persist.vendor.sys.ssr.restart_level pid=5997 uid=10304 gid=10304 scontext=u:r:logger_app:s0:c48,c257,c512,c768 tcontext=u:object_r:vendor_ssr_prop:s0 tclass=property_service
avc: denied { set } for property=vendor.sys.ssr.refresh.config pid=5997 uid=10304 gid=10304 scontext=u:r:logger_app:s0:c48,c257,c512,c768 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service
Bug: 175176951
Change-Id: I4a0fc14faaf4fed2e58488a868968a4a89207ea0
|
|
Bug: 168680634
Test: make
Change-Id: I76e709f96f557abe60cb95aa6d1226e97c177456
|
|
Bug: 172690556
Merged-In: Iafe7161ff9fe501b0e457ef636b4520e002f1061
Change-Id: I0cf5db73ab06fe0f4aa65c1dc0dd75e0769d21d0
|
|
74c4e39472 am: 56074dced0
Original change: https://android-review.googlesource.com/c/device/google/sunfish-sepolicy/+/1487336
Change-Id: I6c8e34cb113fc943066898cfc49cebed06420376
|
|
74c4e39472
Original change: https://android-review.googlesource.com/c/device/google/sunfish-sepolicy/+/1487336
Change-Id: I093a6fe01abefca29a63cb9217173871096cb4b0
|
|
10-27 18:44:47.296 1912 1912 I auditd : type=1400 audit(0.0:4): avc: denied { call } for comm="Binder:1912_2" scontext=u:r:vendor_per_mgr:s0 tcontext=u:r:rild:s0 tclass=binder permissive=0
Bug: 171838844
Test: boot with no avc error showing up
Change-Id: I78d1838211ad7f4b73c375328741c5e462876ec2
|
|
6a7687ed4f am: f255d7f54f am: d98684c7c1
Original change: https://android-review.googlesource.com/c/device/google/sunfish-sepolicy/+/1479779
Change-Id: Ie185479e1ce5e548cfb220c4d8f0a4d0ca5395ea
|
|
6a7687ed4f am: f255d7f54f
Original change: https://android-review.googlesource.com/c/device/google/sunfish-sepolicy/+/1479779
Change-Id: I111d90692de892b7d0c4fb68d282e195c37c0408
|
|
Original change: https://googleplex-android-review.googlesource.com/c/device/google/sunfish-sepolicy/+/12932515
Change-Id: Ic4ca9e80c96780d9a68b3fad9dce6deef18cee45
|
|
1. Add node /dev/qce.
2. Allow hal_drm_widevine r/w qce_device
3. Allow tee access for secure UI to work
Test: GtsMediaTestCases
Bug: 136317881
Bug: 165071964
Change-Id: If9e71f1415ec79154ccd582d033b0881f0d321cb
Merged-In: If9e71f1415ec79154ccd582d033b0881f0d321cb
(cherry picked from commit e8aaab33deffd4f8f9112e8058489d530e0b724c)
|
|
The property is to define the buffer size in ADM
(Audio Data Manager) and it might lead to glitches
or extra latency if it is not configured properly.
Bug: 160107932
Change-Id: I67e833edb9b7bbd6327297a5c4e86498d2a920f7
Signed-off-by: JJ Lee <leejj@google.com>
|
|
06e776346f am: ef90193359
Original change: https://android-review.googlesource.com/c/device/google/sunfish-sepolicy/+/1471903
Change-Id: Ib7af735cc44c837a99254a765df0ce38fdb2159c
|
|
06e776346f
Original change: https://android-review.googlesource.com/c/device/google/sunfish-sepolicy/+/1471903
Change-Id: I370e768dff1bb3f50df4c6819bf2a48317eb5db3
|
|
(This is the same as https://r.android.com/1458479, for
crosshatch-sepolicy, but with minor modifications due to different
base policy - e.g. time_daemon is already mlstrustedsubject here. I've
checked again that these changes should be safe with the local
sepolicy and updated the explanation below. I also removed an obsolete
TODO.)
Set levelFrom=user or levelFrom=all explicitly on the apps that were
implicitly using levelFrom=none before. This provides better isolation
for app data files and unblocks future policy changes.
These changes should be safe even if the apps create files with
their new level:
- ssr_detector_app has write access to system_app_data_file and
cgroup, but they are mlstrustedobject.
- data_service_app has write access to radio_data_file, but it is
mlstrustedobject.
- ril_config_service_app has write access to vendor_radio_data_file,
but it is mlstrustedobject.
- timeservice_app connects to time_daemon:unix_stream_socket, but it
is mlstrustedsubject.
Test: presubmits
Bug: 170622707
Change-Id: I4b291c03797e623540ee66c3de034d3e9da29996
|
|
|