- 06 Apr, 2015 2 commits
-
-
Nick Kralevich authored
-
Nick Kralevich authored
Bionic commit 8fdb3419a51ffeda64f9c811f22a42edf9c7f633 modified how we handle shared libraries with text relocations, which triggered an execmod denial when handling /system/vendor/lib/libmmjpeg.so. Allow the mediaserver process to load shared libraries with text relocations.

STEPS TO REPRODUCE:
1. Flash and Factory wipe the device.
2. Launch Camera.
3. Capture image tapping on shutter button and observe.
4. Then try to switch to video mode and observe.

OBSERVED RESULTS: Shutter button gets disabled on capturing a picture and then switching to video mode displays 'Can't connect to camera error'

EXPECTED RESULTS: Camera should work without any error.

Addresses the following denial:

avc: denied { execmod } for path="/system/vendor/lib/libmmjpeg.so" dev="mmcblk0p25" ino=1734 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_file:s0 tclass=file

Bug: 20081970
Bug: 20013628
Change-Id: Ie98e7316bd124d58ebb1c529acc865074c8851e6
-
- 02 Apr, 2015 2 commits
-
-
Nick Kralevich authored
-
Nick Kralevich authored
the qcom camera driver needs to load a shared library from /system which contains a text relocation. Allow it.

Due to bug 20013628, SELinux policy was inappropriately treating an execmod denial as an execmem denial. Move to using a proper execmod denial and get rid of execmem.

Addresses the following denial:

avc: denied { execmod } for pid=208 comm="mm-qcamera-daem" path="/system/vendor/lib/libmmcamera_faceproc.so" dev="mmcblk0p22" ino=1739 scontext=u:r:camera:s0 tcontext=u:object_r:system_file:s0 tclass=file

Bug: 20013628
Change-Id: I9a1079b5e95390f1aebeeaeceaa0271f58c6b2de
-
- 01 Apr, 2015 4 commits
-
-
Nick Kralevich authored
-
Nick Kralevich authored
* Move binaries from /system/etc to /system/bin. That's the proper place for binaries, and avoids having to preface each service entry with /system/bin/sh
* Drop seclabel statements and rely on automatic domain transitions.
* remove call to init.qcom.class_main.sh, which doesn't exist. This gets rid of the following unnecessary errors:

<3>[ 5.286834] init: Warning! Service qcom-c_main-sh needs a SELinux domain defined; please fix!
<5>[ 5.288970] type=1400 audit(1425327865.651:5): avc: denied { execute_no_trans } for pid=191 comm="init" path="/system/bin/sh" dev="mmcblk0p22" ino=341 scontext=u:r:init:s0 tcontext=u:object_r:shell_exec:s0 tclass=file

Fix some other minor policy issues.

Change-Id: Ib47d49b6c239ab7a2ebe6159465deb98b4b8cecb
-
Nick Kralevich authored
-
Stephen Smalley authored
As suggested in the comments on https://android-review.googlesource.com/#/c/141560/ drop BOARD_SEPOLICY_UNION and simplify the build_policy logic. Union all files found under BOARD_SEPOLICY_DIRS.

Change-Id: I4214893c999c23631f5456cb1b8edd59771ef13b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
- 28 Mar, 2015 2 commits
-
-
Nick Kralevich authored
-
Nick Kralevich authored
SELinux prohibits init from running executable code from /data, so this is a no-op. Also, we don't want to give any package named com.asus.debugger a full root shell. Nexus devices don't ship with such a package, and it's trivial for anyone to create a package by the same name.

Change-Id: I8604eb414c14fca5d873ff4b25105417759b491b
-
- 28 Feb, 2015 3 commits
-
-
Nick Kralevich authored
* commit '8bdf4da7': flo: label boot block device
-
Nick Kralevich authored
-
Nick Kralevich authored
Bug: 19534538
Change-Id: I13856956cb2565682f17e01fd3e2c9bceed8d52a
-
- 06 Feb, 2015 6 commits
-
-
Nick Kralevich authored
* commit '30e972dc': Allow init to rm /dev/diag
-
Nick Kralevich authored
-
Nick Kralevich authored
Commit 312ae66f (AOSP cherrypick c05a5227) ensures that /dev/diag is always removed on boot on user builds. Allow for it in SELinux policy.

Change-Id: Icfe707ea27c54f2961687b63c9722961cb3e6f79
-
Nick Kralevich authored
* commit '1cdcc8f8': flo: Disable diag device in normal mode.
-
Nick Kralevich authored
-
- 31 Jan, 2015 4 commits
-
-
Nick Kralevich authored
* commit '7f13d056': remove useless attempt to chmod /system/bin/ip
-
Nick Kralevich authored
-
Nick Kralevich authored
/system is mounted read-only. It's impossible for init to modify the permissions on /system/bin/ip.

Change-Id: I7c224b7f488a887c5f0997dd1abccf960178ede8
-
Nick Kralevich authored
* commit '679a5cd7': move /data/tombstone creation to system/core
-
- 30 Jan, 2015 5 commits
-
-
Nick Kralevich authored
-
Nick Kralevich authored
Bug: https://code.google.com/p/android/issues/detail?id=93207
Change-Id: I40002b072669cee0df0573fb07472cb8bc1dac27
-
Elliott Hughes authored
* commit 'a155eeba': Add missing includes.
-
Elliott Hughes authored
-
Elliott Hughes authored
Change-Id: If5385cc1af1826f56a55b5374816135d6bc3fc41
-
- 29 Jan, 2015 3 commits
-
-
Elliott Hughes authored
* commit '823c6264': Add missing includes.
-
Elliott Hughes authored
-
Elliott Hughes authored
Change-Id: Ia9c13709218c9b3b7c1f25a16023a1bffaf9fe0d
-
- 26 Jan, 2015 3 commits
-
-
Elliott Hughes authored
* commit '7e7384e4': Add missing <string.h> include.
-
Elliott Hughes authored
-
Elliott Hughes authored
Change-Id: Iec90d46b480f2d08d26d0dde998c6aa164844750
-
- 22 Jan, 2015 1 commit
-
-
Shuzhen Wang authored
* commit 'df7652db': Camera3: Override AE state for front camera during precapture trigger
-
- 20 Jan, 2015 1 commit
-
-
Shuzhen Wang authored
For front camera (YUV sensor), 3A doesn't run, so HAL cannot provide metadata with regard to precapture trigger. Override the result AE state to CONVERGED for a request with precapture trigger.

Bug: 18456128
Change-Id: Iadb9b9d8dbd26fba891337ba2bbfc928c950cb83
-
- 15 Jan, 2015 2 commits
-
-
Nick Kralevich authored
* commit '1a5fb6ed': netmgrd: give explicit read access to /proc/net
-
Nick Kralevich authored
-
- 14 Jan, 2015 1 commit
-
-
Nick Kralevich authored
We plan to remove /proc/net access from domain.te in a future change. Make sure netmgrd doesn't depend on the rules in domain.te.

Bug: 9496886
Change-Id: Idbc9d0140735ef626693923474fa8f6f2a0a02df
-
- 05 Jan, 2015 1 commit
-
-
Brian Carlstrom authored
* commit '7765daf8': Remove obsolete dalvik.gc.type-precise
-