Commit message | Author | Age | Files | Lines
* Remove fixed bug from bug_map. | Alan Stokes | 2018-04-18 | 1 | -1/+0
  Bug: 77816522
  Bug: 73947096
  Test: Flashed device, no denial seen
  Change-Id: Ib2f1fc670c9a76abbb9ff6747fec00fa5bcde5af
* Add bug_map entries for bugs we've seen. | Joel Galenson | 2018-04-16 | 1 | -0/+35
  This adds numerous bug_map entries to try to annotate all denials we've seen.
  Bug: 78117980
  Test: Build
  Change-Id: I1da0690e0b4b0a44d673a54123a0b49a0d115a49
* whitelist test failure that bypassed presubmit | Jeff Vander Stoep | 2018-04-13 | 1 | -0/+1
  avc: denied { read } for comm="batterystats-wo" name="show_stat" dev="sysfs" scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file
  Bug: 77816522
  Test: build
  Change-Id: I50a9bfe1a9e4df9c84cf4b2b4aedbb8f82ac94cd
  (cherry picked from commit 2ccd99a53a2efd0a62c0b2f2e2f8944cfd98891f)
* priv_app: remove more logspam | Jeff Vander Stoep | 2018-04-10 | 1 | -2/+0
  avc: denied { read } for name="ext4" dev="sysfs" ino=32709 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0 b/72749888
  avc: denied { read } for name="state" dev="sysfs" ino=51318 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_android_usb:s0 tclass=file permissive=0 b/72749888
  Bug: 72749888
  Test: build/boot taimen-userdebug. No more logspam
  Change-Id: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e
  Merged-In: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e
  (cherry picked from commit 558cdf1e9925ca7b1420569abab677090d3d9528)
* Track storaged SELinux denial. | Joel Galenson | 2018-04-05 | 1 | -0/+1
  This should help fix presubmit tests.
  Bug: 77634061
  Test: Built policy.
  Change-Id: Ib9f15c93b71c2b67f25d4c9f949a5e2b3ce93b9c
* crashdump: cleanup logs | Jeff Vander Stoep | 2018-03-26 | 1 | -5/+0
  Suppress WAI denials from crashdump.
  Test: build/flash Taimen. Verify no new denials.
  Bug: 68319037
  Change-Id: If39d057cb020def7afe89fd95e049e45cce2ae16
  (cherry picked from commit cc0304cfc2ca307595108bb8ccafeb363e0103a0)
* Track platform_app SELinux denial. | Joel Galenson | 2018-03-07 | 1 | -0/+1
  This should fix presubmit tests.
  Bug: 74331887
  Test: Built policy.
  Change-Id: Ie9ef75a7f9eaebf1103e3d2f3b4521e9abaf2fe7
  (cherry picked from commit 2995e996b99a18246a184041ce6ccc2d0ab52131)
* Clean up bug_map. | Joel Galenson | 2018-03-07 | 1 | -1/+0
  Remove a fixed bug from bug_map.
  Bug: 62140539
  Test: Built policy.
  Change-Id: I2ce9e48de92975b6e37ca4a3a4c53f9478b006ef
  (cherry picked from commit f3f93eaf1d0ec7df3327d1376e3d7170e45c54f2)
* system_server: grant read access to vendor/framework | Jeff Vander Stoep | 2018-02-28 | 1 | -1/+0
  avc: denied { getattr } for path="/vendor/framework" scontext=u:r:system_server:s0 tcontext=u:object_r:vendor_framework_file:s0 tclass=dir
  Bug: 68826235
  Test: boot Taimen, verify denials no longer occur.
  Change-Id: Id4b311fd423342c8d6399c3b724417aff9d1cd88
* Clean up bug_map. | Joel Galenson | 2018-02-27 | 1 | -1/+0
  Remove a fixed bug from bug_map.
  Bug: 73068008
  Test: Built policy.
  Change-Id: Id0072788953cb6b939a11caace0158da7799f540
* Dontaudit denials caused by race with labeling. | Joel Galenson | 2018-02-14 | 1 | -4/+0
  These denials seem to be caused by a race with the process that labels the files. While we work on fixing them, hide the denials.
  Bug: 68864350
  Bug: 70180742
  Test: Built policy.
  Change-Id: I58a32e38e6384ca55e865e9575dcfe7c46b2ed3c
* Track crash_dump selinux denial. | Joel Galenson | 2018-02-12 | 1 | -0/+1
  This should fix presubmit tests.
  Bug: 68319037
  Test: Built policy.
  Change-Id: I0c3bc08c9b114e7a3737cdb3005fb59b2df47d55
* Track untrusted_app SELinux denial. | Joel Galenson | 2018-02-09 | 1 | -0/+1
  This should fix presubmit tests.
  Bug: 72550646
  Test: Built policy.
  Change-Id: Ib17d2a5e1635ff661d39d14169652f88b7a6e4f5
* Track system_server SELinux denial. | Joel Galenson | 2018-02-08 | 1 | -0/+1
  This should fix presubmit tests.
  Bug: 73128755
  Test: Built policy.
  Change-Id: Ie389de04360090594e627e629a59a60092dda6ca
* Track priv_app SELinux denial. | Joel Galenson | 2018-02-07 | 1 | -0/+1
  This should fix presubmit tests.
  Bug: 73068008
  Test: Built policy.
  Change-Id: Ib27fbad2803eb86ff12526f0ae42eb35917ce59b
* Track priv_app SELinux denial. | Joel Galenson | 2018-02-02 | 1 | -0/+1
  This should fix presubmit tests.
  Bug: 72749888
  Test: Built policy.
  Change-Id: Ie55127f1b570832c03878d1c697262239ac14003
* Track priv_app SELinux denial. | Joel Galenson | 2018-02-01 | 1 | -0/+1
  This should fix presubmit tests.
  Bug: 72811052
  Test: Built policy.
  Change-Id: Ifcfe71c717a3b1e59cd1810c7f9be588d48c99a5
* Track priv_app SELinux denial. | Joel Galenson | 2018-01-31 | 1 | -0/+1
  This should fix presubmit tests.
  Bug: 72749888
  Test: Built policy.
  Change-Id: I588bba52d26bcc7d93ebb16e28458d9125f73108
* Clean up bug_map. | Joel Galenson | 2018-01-30 | 1 | -7/+5
  Remove bugs that have been fixed, re-map duped bugs, and alphabetize the list.
  Test: Booted Walleye and Sailfish, tested wifi and camera, and observed no new denials.
  Change-Id: I94627d532ea13f623fe29cf259dd404bfd850c13
* Track usbd SELinux denial. | Joel Galenson | 2018-01-29 | 1 | -0/+1
  This should fix presubmit tests.
  Bug: 72472544
  Test: Built policy.
  Change-Id: I01f0fe3dc759db66005e26d15395893d494c4bb7
* Track untrusted_app SELinux denial. | Joel Galenson | 2018-01-28 | 1 | -0/+1
  This should fix presubmit tests.
  Bug: 72550646
  Test: Built policy.
  Change-Id: I51345468b7e74771bfa2958efc45a2a839c50283
* Track crash_dump selinux denial. | Joel Galenson | 2018-01-25 | 1 | -0/+1
  This should fix presubmit tests.
  Bug: 72507494
  Test: Built policy.
  Change-Id: I56944d92232c7a715f0c88c13e24f65316805c39
* Suppress denials from idmap reading installd's files. | Joel Galenson | 2018-01-25 | 1 | -1/+0
  We are occasionally seeing the following SELinux denial:
  avc: denied { read } for comm="idmap" path="/proc/947/mounts" scontext=u:r:idmap:s0 tcontext=u:r:installd:s0 tclass=file
  This commit suppresses that exact denial. We believe this is occurring when idmap is forked from installd, which is reading its mounts file in another thread.
  Bug: 72444813
  Test: Boot Walleye and test wifi and camera.
  Change-Id: I3440e4b00c7e5a708b562a93b304aa726b6a3ab9
* Track idmap selinux denial. | Joel Galenson | 2018-01-24 | 1 | -0/+1
  This should fix presubmit tests.
  Bug: 72444813
  Test: Built policy.
  Change-Id: I5b8661b34c9417cd95cb0d6b688443dcbe0d1c0b
* Annotate denials | Jeff Vander Stoep | 2018-01-16 | 1 | -0/+4
  There is a race condition between when /data is mounted and when processes attempt to access it. Attempting to access /data before it's mounted causes an selinux denial. Attribute these denials to a bug.
  07-04 23:48:53.646 503 503 I auditd : type=1400 audit(0.0:7): avc: denied { search } for comm="surfaceflinger" name="/" dev="sda35" ino=2 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0
  07-15 17:41:18.100 582 582 I auditd : type=1400 audit(0.0:4): avc: denied { search } for comm="BootAnimation" name="/" dev="sda35" ino=2 scontext=u:r:bootanim:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0
  Bug: 68864350
  Test: build
  Change-Id: I07f751d54b854bdc72f3e5166442a5e21b3a9bf5
* statsd: annotate boot denials | Jeff Vander Stoep | 2018-01-10 | 1 | -0/+1
  Point logspam to its owner.
  Bug: 71537285
  Test: build
  Change-Id: I9db561ee6f2857214b7945b312e6d303630724ea
* Fix bug map entry | Jeff Vander Stoep | 2017-11-29 | 1 | -2/+2
  Tclass was omitted for two entries.
  Bug: 69928154
  Bug: 69366875
  Test: build
  Change-Id: Ie12c240b84e365110516bcd786b98dc37295fdb9
* Remove tracking bugs that have been resolved | Jeff Vander Stoep | 2017-11-21 | 1 | -2/+0
  Bug: 69175449
  Bug: 69197466
  Test: build
  Change-Id: I11e46b65449cb6f451ecab8d4dff9adc162fe115
* Add tracking bugs to crash_dump denials | Jeff Vander Stoep | 2017-11-14 | 1 | -0/+3
  avc: denied { search } for name="com.sf.activity" dev="sda35" ino=1444147 scontext=u:r:crash_dump:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
  avc: denied { search } for comm="crash_dump64" name="com.android.bluetooth" dev="sda13" ino=1442292 scontext=u:r:crash_dump:s0 tcontext=u:object_r:bluetooth_data_file:s0 tclass=dir
  avc: denied { search } for comm="crash_dump64" name="overlay" dev="dm-1" ino=938 scontext=u:r:crash_dump:s0 tcontext=u:object_r:vendor_overlay_file:s0 tclass=dir permissive=0
  Bug: 68705274
  Bug: 68319037
  Test: build
  Change-Id: I44075ac6bf6447d863373c97ba10eadf59d2d22f
* Add tracking bugs to denials | Jeff Vander Stoep | 2017-11-13 | 1 | -0/+4
  These denials should not be allowed. Adding a bug number to the denial properly attributes them to a bug.
  Bug: 69197466
  avc: denied { fsetid } for comm="update_engine" capability=4 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability
  Bug: 62140539
  avc: denied { open } path="/data/system_de/0/spblob/17a358cf8dff62ea.weaver" scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
  avc: denied { unlink } for name="17a358cf8dff62ea.weaver" scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
  Bug: 69175449
  avc: denied { read } for name="pipe-max-size" dev="proc" scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file
  Test: build
  Change-Id: I62dc26a9076ab90ea4d4ce1f22e9b195f33ade16
* Track priv_app firstboot_prop denial | Jeff Vander Stoep | 2017-10-13 | 1 | -0/+1
  This denial should not be allowed. Add bug information to the denial to give context.
  Bug: 63801215
  Test: build
  Change-Id: I3dc5ce6a5aa1c6bf74c6fd13cab082c7f263c4e8