1. 06 Apr, 2015 2 commits
      mediaserver: allow loading shared library with text relocation · a2909504
      Nick Kralevich authored
      Bionic commit 8fdb3419a51ffeda64f9c811f22a42edf9c7f633 modified how we
      handle shared libraries with text relocations, which triggered
      an execmod denial when handling /system/vendor/lib/libmmjpeg.so.
      
      Allow the mediaserver process to load shared libraries with text
      relocations.
      
      STEPS TO REPRODUCE:
        1. Flash and factory wipe the device.
        2. Launch Camera.
        3. Capture an image by tapping the shutter button and observe.
        4. Then try to switch to video mode and observe.
      
      OBSERVED RESULTS:
        Shutter button gets disabled on capturing a picture and then
        switching to video mode displays 'Can't connect to camera error'
      
      EXPECTED RESULTS:
        Camera should work without any error.
      
      Addresses the following denial:
      
         avc: denied { execmod } for path="/system/vendor/lib/libmmjpeg.so" dev="mmcblk0p25" ino=1734 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_file:s0 tclass=file
      
      Bug: 20081970
      Bug: 20013628
      Change-Id: Ie98e7316bd124d58ebb1c529acc865074c8851e6
      a2909504
  2. 02 Apr, 2015 2 commits
      camera: allow loading files with text relocations from /system · 54ea7766
      Nick Kralevich authored
      The qcom camera driver needs to load a shared library from /system
      which contains a text relocation. Allow it.
      
      Due to bug 20013628, SELinux policy was inappropriately treating
      an execmod denial as an execmem denial. Move to using a proper
      execmod denial and get rid of execmem.
      
      Addresses the following denial:
        avc: denied { execmod } for pid=208 comm="mm-qcamera-daem" path="/system/vendor/lib/libmmcamera_faceproc.so" dev="mmcblk0p22" ino=1739 scontext=u:r:camera:s0 tcontext=u:object_r:system_file:s0 tclass=file
      
      Bug: 20013628
      Change-Id: I9a1079b5e95390f1aebeeaeceaa0271f58c6b2de
      54ea7766
  3. 01 Apr, 2015 4 commits
      Merge "flo: updates for SELinux" · 1cab44f7
      Nick Kralevich authored
      1cab44f7
      flo: updates for SELinux · fd585834
      Nick Kralevich authored
      * Move binaries from /system/etc to /system/bin. That's the proper
      place for binaries, and avoids having to preface each service entry
      with /system/bin/sh
      
      * Drop seclabel statements and rely on automatic domain transitions.
      
      * Remove the call to init.qcom.class_main.sh, which doesn't exist.
      This gets rid of the following unnecessary errors:
        <3>[    5.286834] init: Warning!  Service qcom-c_main-sh needs a SELinux domain defined; please fix!
        <5>[    5.288970] type=1400 audit(1425327865.651:5): avc:  denied  { execute_no_trans } for  pid=191 comm="init" path="/system/bin/sh" dev="mmcblk0p22" ino=341 scontext=u:r:init:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
      
      Fix some other minor policy issues.
      
      Change-Id: Ib47d49b6c239ab7a2ebe6159465deb98b4b8cecb
      fd585834
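Added example, not code from any commit on this page: a small Python triage script that parses the AVC denial lines quoted in the mediaserver, camera and flo commit messages above into structured records, derives the literal TE allow rule each one maps to, and flags grants such as execmod or execmem that widen the W^X guarantee and deserve review rather than a blanket allow. The sample log text is copied from the three commit messages; the `triage` report and its output format are this example's own construction, and the rules it prints are derived from the denial fields, not the actual diffs of those commits.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the AVC lines quoted verbatim in the three commit
# messages above (mediaserver, camera, and the init warning from the flo commit).
SAMPLE_LOG = """\
avc: denied { execmod } for path="/system/vendor/lib/libmmjpeg.so" dev="mmcblk0p25" ino=1734 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_file:s0 tclass=file
avc: denied { execmod } for pid=208 comm="mm-qcamera-daem" path="/system/vendor/lib/libmmcamera_faceproc.so" dev="mmcblk0p22" ino=1739 scontext=u:r:camera:s0 tcontext=u:object_r:system_file:s0 tclass=file
<5>[    5.288970] type=1400 audit(1425327865.651:5): avc:  denied  { execute_no_trans } for  pid=191 comm="init" path="/system/bin/sh" dev="mmcblk0p22" ino=341 scontext=u:r:init:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
"""

# Tolerates the extra spaces the kernel log prefix introduces ("avc:  denied  {").
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that let a domain execute writable or modified memory; each grant
# of these is a deliberate weakening of W^X and should be reviewed, not pasted.
RISKY_PERMS = {"execmod", "execmem", "execstack", "execheap"}


@dataclass
class Denial:
    perms: tuple
    fields: dict

    def _type(self, key):
        # Contexts look like u:r:mediaserver:s0; the type is the third field.
        return self.fields[key].split(":")[2]

    @property
    def source_type(self):
        return self._type("scontext")

    @property
    def target_type(self):
        return self._type("tcontext")

    @property
    def tclass(self):
        return self.fields["tclass"]

    def is_risky(self):
        return bool(RISKY_PERMS & set(self.perms))

    def allow_rule(self):
        """The literal TE rule that would silence this denial (for review, not blind pasting)."""
        perms = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {perms};"


def parse_denials(text):
    """Extract Denial records from dmesg/logcat text; non-AVC lines are skipped."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        perms = tuple(m.group("perms").split())
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        out.append(Denial(perms, fields))
    return out


def triage(text):
    """Group candidate rules by source domain and flag the domains needing scrutiny."""
    report = {}
    for d in parse_denials(text):
        entry = report.setdefault(d.source_type, {"rules": set(), "risky": False, "paths": set()})
        entry["rules"].add(d.allow_rule())
        entry["risky"] |= d.is_risky()
        if "path" in d.fields:
            entry["paths"].add(d.fields["path"])
    return report


if __name__ == "__main__":
    for domain, entry in triage(SAMPLE_LOG).items():
        flag = "REVIEW" if entry["risky"] else "ok"
        print(f"[{flag}] {domain}: {sorted(entry['paths'])}")
        for rule in sorted(entry["rules"]):
            print("   ", rule)
```

An execmod denial against a system_file target is the symptom of a library built with text relocations (a DT_TEXTREL entry in its dynamic section, visible with `readelf -d lib.so | grep TEXTREL`): the loader must write to a mapped code page and then make it executable again. The cleaner fix is to rebuild the library as position-independent code so no execmod grant is needed; where a vendor binary cannot be rebuilt, labelling that one file with a dedicated type and granting execmod on that type alone keeps the exception from covering every file under system_file.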
      Merge "Drop BOARD_SEPOLICY_UNION." · 37a03a81
      Nick Kralevich authored
      37a03a81
      Drop BOARD_SEPOLICY_UNION. · cc341935
      Stephen Smalley authored
      As suggested in the comments on
      https://android-review.googlesource.com/#/c/141560/

      drop BOARD_SEPOLICY_UNION and simplify the build_policy logic.
      Union all files found under BOARD_SEPOLICY_DIRS.
      
      Change-Id: I4214893c999c23631f5456cb1b8edd59771ef13b
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      cc341935
  4. 28 Mar, 2015 2 commits
      Merge "delete service asus-dbug-d" · b1ea6cb6
      Nick Kralevich authored
      b1ea6cb6
      delete service asus-dbug-d · 71812b97
      Nick Kralevich authored
      SELinux prohibits init from running executable code from
      /data, so this is a no-op.
      
      Also, we don't want to give any package named com.asus.debugger
      a full root shell. Nexus devices don't ship with such a package,
      and it's trivial for anyone to create a package by the same name.
      
      Change-Id: I8604eb414c14fca5d873ff4b25105417759b491b
      71812b97
  5. 28 Feb, 2015 3 commits
  6. 06 Feb, 2015 6 commits
  7. 31 Jan, 2015 4 commits
  8. 30 Jan, 2015 5 commits
  9. 29 Jan, 2015 3 commits
  10. 26 Jan, 2015 3 commits
  11. 22 Jan, 2015 1 commit
  12. 20 Jan, 2015 1 commit
  13. 15 Jan, 2015 2 commits
  14. 14 Jan, 2015 1 commit
  15. 05 Jan, 2015 1 commit