ART follows the /data/user/0 symlink while loading cache files, leading
to:
avc: denied { getattr } for comm="webview_zygote" path="/data/user/0"
dev="sda35" ino=1310726 scontext=u:r:webview_zygote:s0
tcontext=u:object_r:system_data_file:s0 tclass=lnk_file permissive=0
Allow this access, the same as app and app_zygote do.
Bug: 123246126
Test: DeviceBootTest.SELinuxUncheckedDenialBootTest
Change-Id: I90faa524e15a17b116a6087a779214f2c2142cc2
The underlying issue has been fixed, so this
SELinux denial shouldn't occur anymore.
Bug: 118185801
Test: manual
Change-Id: I5656e341bcb7b554bcd29e00315648eb75ec0a3d
And add neverallow so that it's removed from partner policy if
it was added there due to denials.
Fixes: 124476401
Test: build
Change-Id: I16903ba43f34011a0753b5267c35425dc7145f05
The new codepath for creating the classloader in the webview zygote
triggers an selinux denial; track this until it is fixed.
Bug: 123246126
Test: DeviceBootTest.SELinuxUncheckedDenialBootTest
Merged-In: I6835947e81364b5dd43898199108af7b14d31088
Change-Id: I6835947e81364b5dd43898199108af7b14d31088
The isolated service that do nothing except for both AIDL's basic
skeleton and service binding. It still got the SELinux denied.
This should fix presubmit test.
01-01 00:00:29.196 6121 6121 I auditd : type=1400 audit(0.0:6):
avc: denied { getattr } for comm="convert.service"
path="/data/data/com.android.externalstorage" dev="sda35" ino=655437
scontext=u:r:isolated_app:s0:c0,c256,c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
Test: ag/5681059 ag/5660144
Bug: 120394782
Change-Id: I7838def96da30b88d510dab860ed9779a0d4d5ed
The isolated service that do nothing for AIDL's APIs still got the
SELinux denied. This should fix presubmit test.
01-01 00:00:22.103 5831 5831 I auditd : type=1400 audit(0.0:6): avc:
denied { getattr } for comm="convert.service"
path="/data/data/com.android.providers.media" dev="sda35" ino=1442136
scontext=u:r:isolated_app:s0:c0,c256,c512,c768
tcontext=u:object_r:privapp_data_file:s0:c512,c768 tclass=dir
permissive=0
Test: build
Bug: 119596573
Change-Id: Ie58326ba217ed6ca56ca9933c6664896ac3d327a
The recommended solution is to not access encrypted storage until
after the ACTION_USER_UNLOCKED intent is delivered.
Test: build
Fixes: 72811052
Fixes: 72550646
Change-Id: I80eb743e26047b7864de983c5a46c28b6f753a59
(breaks vendor blobs, will have to be regenerated
after this CL)
This moves mediacodec to vendor so it is replaced with
hal_omx_server. The main benefit of this is that someone
can create their own implementation of mediacodec without
having to alter the one in the tree. mediacodec is still
seccomp enforced by CTS tests.
Fixes: 36375899
Test: (sanity) YouTube
Test: (sanity) camera pics + video
Test: check for denials
Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e
This adds numerous bug_map entries to try to annotate all denials
we've seen.
Bug: 78117980
Test: Build
Change-Id: I1da0690e0b4b0a44d673a54123a0b49a0d115a49
This should fix presubmit tests.
Bug: 74331887
Test: Built policy.
Change-Id: Ie9ef75a7f9eaebf1103e3d2f3b4521e9abaf2fe7
(cherry picked from commit 2995e996b9)
Remove a fixed bug from bug_map.
Bug: 62140539
Test: Built policy.
Change-Id: I2ce9e48de92975b6e37ca4a3a4c53f9478b006ef
(cherry picked from commit f3f93eaf1d)
These denials seem to be caused by a race with the process that labels
the files. While we work on fixing them, hide the denials.
Bug: 68864350
Bug: 70180742
Test: Built policy.
Change-Id: I58a32e38e6384ca55e865e9575dcfe7c46b2ed3c
Remove bugs that have been fixed, re-map duped bugs, and alphabetize
the list.
Test: Booted Walleye and Sailfish, tested wifi and camera, and
observed no new denials.
Change-Id: I94627d532ea13f623fe29cf259dd404bfd850c13
We are occasionally seeing the following SELinux denial:
avc: denied { read } for comm="idmap" path="/proc/947/mounts" scontext=u:r:idmap:s0 tcontext=u:r:installd:s0 tclass=file
This commit suppresses that exact denial.
We believe this is occurring when idmap is forked from installd, which is reading its mounts file in another thread.
Bug: 72444813
Test: Boot Walleye and test wifi and camera.
Change-Id: I3440e4b00c7e5a708b562a93b304aa726b6a3ab9
There is a race condition between when /data is mounted
and when processes attempt to access it. Attempting to access
/data before it's mounted causes an selinux denial. Attribute
these denials to a bug.
07-04 23:48:53.646 503 503 I auditd : type=1400 audit(0.0:7): avc:
denied { search } for comm="surfaceflinger" name="/" dev="sda35" ino=2
scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:unlabeled:s0
tclass=dir permissive=0
07-15 17:41:18.100 582 582 I auditd : type=1400 audit(0.0:4): avc:
denied { search } for comm="BootAnimation" name="/" dev="sda35" ino=2
scontext=u:r:bootanim:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
permissive=0
Bug: 68864350
Test: build
Change-Id: I07f751d54b854bdc72f3e5166442a5e21b3a9bf5
These denials should not be allowed. Adding a bug number to the
denial properly attributes them to a bug.
Bug: 69197466
avc: denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability
Bug: 62140539
avc: denied { open }
path="/data/system_de/0/spblob/17a358cf8dff62ea.weaver"
scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0
tclass=file
avc: denied { unlink } for name="17a358cf8dff62ea.weaver"
scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0
tclass=file
Bug: 69175449
avc: denied { read } for name="pipe-max-size" dev="proc"
scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file
Test: build
Change-Id: I62dc26a9076ab90ea4d4ce1f22e9b195f33ade16
This denial should not be allowed. Add bug information to the denial
to give context.
Bug: 63801215
Test: build
Change-Id: I3dc5ce6a5aa1c6bf74c6fd13cab082c7f263c4e8
