The label "persist_ss_file" was created for "/mnt/vendor/persist/ss(/.*)?".
But we erroneously didn't assign the label to the path.
This patch fixes the error.
Bug: 173971240
Bug: 173032298
Test: Trusty storage tests
Change-Id: I8e891ebd90ae47ab8a4aad1c2b0a3bbb734174d8
- add selinuxfs:file for AP TCP dump
- allow userdebug or eng
Bug: 188422036
Signed-off-by: Jiyoung <ji_young.bae@samsung.com>
Change-Id: I9502f9f7320ca4ee298b38e40da0ccf11adfba7f
reuse logbuffer_device group as dumpstate hal already has read perms
on this group.
Bug: 188285071
Test: adb bugreport to include a trusty section in dumpstate_board.txt
Change-Id: I623a5d450bdbe2ceef4fe460bf31bfe740d847b2
The priv_apps could register for QOS notifications for its tcp_socket.
This change allows telephony to access the file descriptor for the
tcp_socket so it could double check the source and destination address
of the socket when the QOS indication is received from modem.
This addresses the following SE policy denial
auditd : type=1400 audit(0.0:219): avc: denied { read write } for
comm="ConnectivitySer" path="socket:[98511]" dev="sockfs" ino=98511
scontext=u:r:radio:s0 tcontext=u:r:priv_app:s0:c512,c768 tclass=tcp_socket
permissive=0
Bug: 190580419
Test: Manual
Change-Id: I35d4e1fb06242eb5fcbcb36439a55c11166b149b
In order to access the darwinn metrics library from the google camera
app (product partition), we need to create an SELinux exception for
the related shared library (in vendor) it uses. This CL adds the same_process_hal_file tag to allow this exception.
Bug: 190661153, 151063663
Test: App can load the .so and not crash after this change.
Before: No permission to access namespace.
(https://paste.googleplex.com/6602755121610752)
After: GCA doesn't crash on load.
Change-Id: I8671732184bbbe283c94d1acd3bb1ff397fe651c
Fix the following avc denial:
SELinux : avc: denied { find } for pid=1055 uid=1000 name=android.hardware.power.IPower/default scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:hal_power_service:s0 tclass=service_manager permissive=0
Bug: 185893477
Test: Observe from systrace that the CPU frequency is boosted when
running fingerprint algorithm.
Change-Id: I245058b912ec2af3555154934dbe722b445181a9
Bug: 190331327
Bug: 190331548
Bug: 189895600
Bug: 190331108
Bug: 182524105
Bug: 183935302
Test: build ROM and check if the modules and sepolicy are still there
Change-Id: I40391a239a16c4fe79d58fab209dcbd1a8f25ede
Bug: 189895314
Bug: 171160755
Bug: 171670122
Bug: 180858476
Test: make sure all affected devices' armnn module has the right label
Change-Id: I6ca736f156497738167ba5eea5606a0e654611b9
Test: 1. build selinux and push related files to phone
2. Use ls -Z "file" to check if selinux content of file is
expected
3. P21 camera checklist
Bug: 168654554
Change-Id: Ie757dd3e8adc151c6340e9ca662efbdf0ccb6110
The GPU driver uses vframe-secure for secure allocations, so the
corresponding DMA heap file should be visible to all processes so
use the dmabuf_system_secure_heap_device type instead.
In order for this type to be used, we need to ensure that the HAL
Allocator has access to it, so update hal_graphics_allocator_default.te
Finally, since there are no longer any buffer types associated with the
vframe_heap_device type, remove it.
Bug: 182090311
Test: run cts-dev -m CtsDeqpTestCases --module-arg CtsDeqpTestCases:include-filter:dEQP-VK.protected_memory.stack.stacksize_64 and ensure secure allocations succeed
Test: Play DRM-protected video in ExoPlayer and ensure videos render correctly via MFC->DPU.
Change-Id: Id341e52322a438974d4634a4274a7be2ddb4c9fe
This is needed to allow USB HAL to create multi-config gadget
(ie. rndis + ncm).
Bug: 172793258
Test: built and booted on oriole
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ifb98b23138122ad4e0aeea8dd9c93d7b3e16d3aa
As shannon-rcs has been changed from system app
to non-system app, sepolicy has to be updated.
Bug: 186135775
Bug: 189707387
Test: sanity test
Signed-off-by: jznpark <jzn.park@samsung.com>
Change-Id: I32cce90611c619494136a6b1d01b3fb48330d169
