Age | Commit message | Author |
|
This rule is moved from system public policy to vendor policy
Test: Verified radio works fine and no denials
Bug: 36740743
Change-Id: I2baefddf49194bb5b099e56d7b37623b99b6078f
|
|
Logd was hiding a bunch of these denials. Commit
982ad208b5e4d83f966ee4c10ad4f606417bcda6 in AOSP master fixed this
issue and now we're seeing them. Backport the fix to oc-dev where
these denials are occurring unnoticed.
avc: denied { search } for comm="thermal-engine" name="leds" dev="sysfs"
ino=7453 scontext=u:r:thermal-engine:s0
tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=0
avc: denied { read } for comm="thermal-engine" name="lcd-backlight"
dev="sysfs" ino=12242 scontext=u:r:thermal-engine:s0
tcontext=u:object_r:sysfs_leds:s0 tclass=lnk_file
Bug: 38341453
Test: build and boot bullhead. Denials no longer occur.
Change-Id: I79079659f82a3d97a609d1a7f8009fec2eda1102
|
|
|
|
avc: denied { create } for comm="oid.nexuslogger" name="cfg"
scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:diag_logs:s0:c512,c768 tclass=dir permissive=0
Bug: 37426758
Test: No permission issue with Nexus Logger
Change-Id: Ie596cf210a26e2ab58b7c401cba19a8e0794c5a5
|
|
The socket is used for the fingerprint extension, which is used by
sensor test, engineering, and dynamic configuration for navigation.
Bug: 33707851
Change-Id: Iafbffdde9d31de3c3eecb41bb4f2d001821563ee
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
|
|
Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
record video (slow motion and normal), and check that photos
look fine and videos play back with sound.
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
and that disconnecting the call from either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
make and install CtsMediaTestCases.apk
adb shell am instrument -e size small \
-w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Bug: 34454312
(cherry picked from commit 1267c4c079eb2a796ee5fddc38aca1d26fd694d1)
Merged-In: I70af09ad5662a8b212237d68388b21cecfd625f8
Change-Id: I9cfac8e95a2187c6d5df6d097404063846d8d337
|
|
|
|
Test: lunch bullhead; make vendorimage;
fastboot -w flash vendor vendor.img # on bullhead
Bug: 37186862
Signed-off-by: Ben Fennema <fennema@google.com>
Change-Id: I8dbcbcc12ce5c5db84169894210c5b96e7007024
|
|
Bug: 35850071
Test: CameraDeviceTest#testCameraDeviceStillTemplate,
CameraDeviceTest#testCameraDeviceRecordingTemplate,
CameraDeviceTest#testCameraDevicePreviewTemplate
Change-Id: I2cc0526ab0d9bc7b4263fb7b34134b06ddaa2e4c
|
|
Make sure vendor_file is added everywhere system_file access is granted
to vendor processes. This guarantees non-treble device policy is not
altered (made stricter) in any way after the relabeling.
Bug: 36527360
All tests were run on Bullhead.
Test: Boot and connect to wifi
Test: Run chrome and load websites, play video in youtube, load maps w/
current location, take pictures and record video in camera,
playback recorded video.
Test: Connect to BT headset and ensure audio plays back.
Test: OTA sideload using recovery
Test: CTS SELinuxHostTest pass
Change-Id: I5a28c4a6da2296db312e30686c07e3d27e8963da
Signed-off-by: Sandeep Patil <sspatil@google.com>
|
|
Test: NFC powers up without any denials
Bug: 36645109
Change-Id: Ib33a0042c5d03d2b9ee8a02dac143da9c8c216a9
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
|
|
init-power-sh runs restorecon on sysfs files it is interested in to make
sure they have appropriate labels. Thus, it requires access to
file_contexts.
Bug: 36002414
Test: Boot angler
Change-Id: I33e1d534fc0c4370e348abbbaaedde467a8637dc
Signed-off-by: Sandeep Patil <sspatil@google.com>
|
|
Bug: 36462585
Test: taking picture / video with different modes
Test: Youtube video plays
Test: maps work
Test: Google Play Movies plays
Change-Id: Ia04bd9f0387daaa543fb3e483558a970bdd1392c
|
|
am: b07d0c92a0
Change-Id: Ic614dae01afdb8581489bcfd909eccdb7351d1c4
|
|
am: f80059fa28
Change-Id: Iae9f33062e7e327b9202e175ffd2c7cdf587dfb2
|
|
This is needed for fetching debug info from the wifi driver.
Denials:
03-10 19:16:58.207 452 452 W android.hardwar: type=1400
audit(0.0:319): avc: denied { read } for name="fwdump" dev="proc"
ino=4026547172 scontext=u:r:hal_wifi_default:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=0
03-10 19:16:58.207 452 452 W android.hardwar: type=1400
audit(0.0:320): avc: denied { read } for name="driverdump" dev="proc"
ino=4026547174 scontext=u:r:hal_wifi_default:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=0
03-10 19:16:58.209 452 452 I WifiHAL : handleResponse: Memory Dump
size: 327680
03-10 19:16:58.209 452 452 E WifiHAL : Failed to open
/proc/debug/fwdump file
03-10 19:16:58.209 452 452 V WifiHAL : Successfully removed event
handler for vendor 0x1374
03-10 19:16:58.210 452 452 E WifiHAL : Failed to open
/proc/debugdriver/driverdump file
BUG: 36126608
Test: Device boots up and the denials no longer seen.
Change-Id: I8a518536f449e11fcf3c28046c0dbd547063743e
|
|
Fingerprintd was removed in O in favor of fingerprint_hal service.
Bug: 35152091
Change-Id: I5c4eb7a494f6b4716c02d3323561e8b0fb23af3f
|
|
am: cfbd6b4d1d
Change-Id: Idf5a1d772427b4f42598831ebae18c6f1d95d979
|
|
HAL wifi creates a LOWI client for accessing the LOWI server to share
wifi gscan results for location purposes.
Move all "location" access permissions from system_server to hal_wifi
since these were most likely added for the old wifi hal which was loaded
in system_server.
Denials:
03-04 04:20:09.956 4796 4796 I android.hardwar: type=1400
audit(0.0:97): avc: denied { search } for name="location" dev="sda35"
ino=3850313 scontext=u:r:hal_wifi_default:s0
tcontext=u:object_r:location_data_file:s0 tclass=dir permissive=1
03-04 04:20:09.956 4796 4796 I android.hardwar: type=1400
audit(0.0:98): avc: denied { write } for name="location-mq-s"
dev="sda35" ino=3850337 scontext=u:r:hal_wifi_default:s0
tcontext=u:object_r:location_data_file:s0 tclass=sock_file permissive=1
03-04 04:20:09.956 4796 4796 I android.hardwar: type=1400
audit(0.0:99): avc: denied { connectto } for
path="/data/misc/location/mq/location-mq-s"
scontext=u:r:hal_wifi_default:s0 tcontext=u:r:location:s0
tclass=unix_stream_socket permissive=1
Bug: 35959128
Test: Device boots up and able to connect to wifi network.
Denials no longer seen. Previously some wifi HAL calls would take
a long time to complete because it tries to create a LOWI client for
every request and fails.
Change-Id: Ib465d0c97efbb1f1adb7ec0f2d499f46b6111419
|
|
HAL wifi creates a LOWI client for accessing the LOWI server to share
wifi gscan results for location purposes.
Move all "location" access permissions from system_server to hal_wifi
since these were most likely added for the old wifi hal which was loaded
in system_server.
Denials:
03-04 04:20:09.956 4796 4796 I android.hardwar: type=1400
audit(0.0:97): avc: denied { search } for name="location" dev="sda35"
ino=3850313 scontext=u:r:hal_wifi_default:s0
tcontext=u:object_r:location_data_file:s0 tclass=dir permissive=1
03-04 04:20:09.956 4796 4796 I android.hardwar: type=1400
audit(0.0:98): avc: denied { write } for name="location-mq-s"
dev="sda35" ino=3850337 scontext=u:r:hal_wifi_default:s0
tcontext=u:object_r:location_data_file:s0 tclass=sock_file permissive=1
03-04 04:20:09.956 4796 4796 I android.hardwar: type=1400
audit(0.0:99): avc: denied { connectto } for
path="/data/misc/location/mq/location-mq-s"
scontext=u:r:hal_wifi_default:s0 tcontext=u:r:location:s0
tclass=unix_stream_socket permissive=1
Bug: 35959128
Test: Device boots up and able to connect to wifi network.
Denials no longer seen. Previously some wifi HAL calls would take
a long time to complete because it tries to create a LOWI client for
every request and fails.
Change-Id: Ib465d0c97efbb1f1adb7ec0f2d499f46b6111419
|
|
system_server calls the power HAL, which requires access to debugfs_rpm.
Addresses this denial:
denied { read } for name="rpm_stats" dev="debugfs" ino=11376
scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_rpm:s0
tclass=file permissive=0
Test: Built and checked for denials
Change-Id: I1a762dd61496c85ac3b3d2be0467149e040d11b9
Signed-off-by: Connor O'Brien <connoro@google.com>
|
|
This is a follow up to system/sepolicy commit
47174e3b9f8b4c065d4477114cd9a2ee0c31b98e. We can now switch
device-specific policy for Dumpstate HAL from hal_impl_domain (which is
deprecated) to hal_server_domain.
Test: adb bugreport
Test: Take bugreport through system UI
Bug: 34170079
Change-Id: I65ab34fd0397f3268d581c518b37e12d4ea4a1a1
|
|
am: 6d42f11586
Change-Id: I535e541addd2d4e82bf6beb76d5168a5bb876ade
|
|
am: 77459de7b2
Change-Id: Ic88c86fd8c936dfb2f753d498295a20bad72f348
|
|
|
|
6c7f9ad635
am: 552d765488
Change-Id: I43a2845883dd917c6f604ccbdc90931e9f6dd8ad
|
|
am: 6c7f9ad635
Change-Id: I328c5a047f064bb99f2294ce301bd81f7319cc0d
|
|
This moves bluetooth domain policy to do with Bluetooth HAL running
inside that domain into hal_bluetooth. bluetooth domain is now
associated with hal_bluetooth when Bluetooth HAL is in passthrough
mode.
Test: Toggle Bluetooth off and on
Test: Pair with another Android, and transfer a file to that Android
over Bluetooth
Test: Pair with a Bluetooth speaker, play music through that speaker
over Bluetooth
Bug: 34170079
Change-Id: Ibfff5d4d6e86f085cf3323282768ebc5de2c1baa
|
|
This moves cameraserver domain policy to do with Camera HAL running
inside that domain into hal_camera. cameraserver is now associated
with hal_camera.
Test: Taking photos and recording videos using Google Camera works
Bug: 34170079
Change-Id: I3031f1cdeebe0773f765adffa8c0bd617ab2cebd
|
|
4d17283f57 am: 85d2d09e49
am: e9ea8ce476
Change-Id: I2def7e2bc7a2216c4fd518c9fd290f6f84c69f09
|
|
am: 85d2d09e49
Change-Id: I0d98b3edc14e48e8de810ab9f1a78a78acbe520c
|
|
audioserver is a client of Audio HAL and thus we can now remove the
rules from audioserver which are induced by Audio HAL running there
in-process.
Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: Ic0d82f8fce6ee1ccdcf07ce3b52fb71e4964a5b1
|
|
The binary was moved from /system/ to /vendor/
Update the hard-coded paths to match.
Bug: 35373416
Test: Bluetooth starts on boot
ls -laZ /vendor/bin/wcnss_filter shows u:object_r:wcnss_filter_exec:s0
Change-Id: I1577f954aa80a4cd090f2339476fc56919d1e0c9
|
|
Test: No change to policy according to sesearch.
Test: "sepolicy-analyze <sepolicy file> attribute haldomain" now also
lists hal_dumpstate_impl
Bug: 34180936
Change-Id: I5e3bd3c9436d3dbaa74bf56bbad3eefa599752d3
|
|
Test: enroll, unlock, navigation. Boot with no errors related to fingerprint
Bug: 33199080
Change-Id: Ib0a746d58852db686cd7779db3fa80465eaa9d34
|
|
Bug: 31982882
Test: bug report runs on device
Change-Id: Ic14a3f325c41f064eb45d7584cd286d283cb51bf
|
|
b2b3c7e03b am: 6958469d97
am: 01a068c8d8
Change-Id: I6299ed26dbe4bc5de069272fa2b3a301f463a26b
|
|
b2b3c7e03b
am: 6958469d97
Change-Id: Ia274b4ec02ac634dc6f346124362c7532fce495e
|
|
system/sepolicy change in this topic removes access to
Bluetooth-related system properties from arbitrary SELinux domains.
wcnss_filter daemon needs the access and thus this commit explicitly
grants the access.
Test: Bluetooth pairing and data transfer works
Bug: 33700679
Change-Id: I0a1341c3a078a984962ed4a06a7e9deaa38bfd6f
|
|
am: cff2f31cc4
Change-Id: I2c675d89df38774dc25e1e24a0d9ddc6981b469d
|
|
am: c957da36e5
Change-Id: If1a9bb819b402bf65d73b03c64747ee4b48b63e0
|
|
The rules in audioserver are in fact for the hal code
which runs as hal_audio in binderized hal mode.
Bug: 33818663
Change-Id: I0c8a12575eb8571f9af6e796b6f92f27e41d0e32
|
|
am: e5b2dbab1a
Change-Id: I570ea2c2848690273560d2f4b8e751ff805e3e38
|
|
am: dc14c70176
Change-Id: I9a898955becc235837811bcaf3cfd7e02c9c281d
|
|
- includes fingerprint build option
- add sepolicy for SW20.6
Bug: 33251689
Change-Id: I1ec2df4375a06374af465484a264e594d5f61fb8
|
|
Some QCOM devices require sysfs to trigger boot/init which are blocking
the init process.
[ 7.453205] init: Command 'write /sys/kernel/boot_adsp/boot 1' action=post-fs-data (/init.angler.rc:166) returned 0 took 271.936ms.
This CL is to put those slow to start devices in a
separate service and wait for the service to be done later on.
Bug: 32712851
Test: On device
Change-Id: Idd4e965f122cbc8421b443a41573d363112dfa50
|
|
1efb675333 am: bfe562839b
am: f1e1d2767b
Change-Id: Ic3705dde42eeb00363d4f7ca4344e87dad5d4b24
|
|
1efb675333
am: bfe562839b
Change-Id: I5ca0b8126fd75320aae109e7111f6634d503a0d6
|
|
avc: denied { ioctl } for pid=3112 path="socket:[29649]" dev="sockfs" ino=29649 ioctlcmd=c302 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=socket
avc: denied { ioctl } for pid=3112 path="socket:[29647]" dev="sockfs" ino=29647 ioctlcmd=c304 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=socket
Change-Id: I5018a24464b1160a496e6782284dc8a844b8a114
|
|
am: 0c641cbbf6
Change-Id: Ic4eefec3dc071d8cf75ea076e3dead1095622c6c
|