mkdir /data/misc/wifi subdirectories and /data/misc/dhcp is performed
in the various device-specific init*.rc files but seems generic.
Move it to the main init.rc file.
Drop the separate chown for /data/misc/dhcp as this is handled by mkdir
built-in if the directory already exists.
Add a restorecon_recursive /data/misc/wifi/sockets.
Change-Id: I51b09c5e40946673a38732ea9f601b2d047d3b62
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When adbd runs as root, it should transition into the
su domain. This is needed to run the adbd and shell
domains in enforcing on userdebug / eng devices without
breaking developer workflows.
Introduce a new device_banner command line option.
Change-Id: Ib33c0dd2dd6172035230514ac84fcaed2ecf44d6
Otherwise it will be mislabeled on upgrades with existing userdata.
Change-Id: Ibde88d5d692ead45b480bb34cfe0831baeffbf94
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
On a 64-bit system, 64-bit processes will want one path, 32-bit processes
another. The dynamic linker already provides the correct defaults for
native code, and we've coupled the VM and dynamic linker so that
LD_LIBRARY_PATH will be set correctly in any VM during startup if it's not
being manually overridden.
Change-Id: Icbffc0d451dbc242cdfb9267413d8bcac434e108
Use restorecon_recursive to label devices
where the directory and subfiles have
already been built and labeled.
Change-Id: I0dfe1e542fb153ad20adf7b2b1f1c087b4956a12
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
If checkreqprot == 1, SELinux only checks the protection flags passed
by the application, even if the kernel internally adds PROT_EXEC for
READ_IMPLIES_EXEC personality flags. Switch to checkreqprot == 0
to check the final protection flags applied by the kernel.
Change-Id: Ic39242bbbd104fc9a1bcf2cd2ded7ce1aeadfac4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This allows it to be permissive in userdebug/eng builds
but confined/enforcing in user builds.
Change-Id: Ie322eaa0acdbefea2de4e71ae386778c929d042b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The files in zoneinfo changed from system_data_file to
zoneinfo_data_file. Fixup pre-existing files.
Change-Id: Idddbd6c2ecf66cd16b057a9ff288cd586a109949
There is no longer any reason to permit system UID to set enforcing mode.
Change-Id: Ie28beed1ca2b215c71f2847e2390cee1af1713c3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Need the set correct permission for print-tgid option or tracing of
sched can't work on user build.
Change-Id: Ia88aabe58128b911afd78f01c27f7da884ed03f0
Signed-off-by: Carton He <carton.he@marvell.com>
MS_MOVE was used when staging external storage devices, which no
longer occurs. In fact, having a writable tmpfs was masking a vold
bug around moving apps to SD cards.
Bug: 11175082
Change-Id: Ib2d7561c3a0b6fde94f651a496cb0c1f12f88d96
Add sdcard FUSE daemon flag to specify the GID required for a package
to have write access. Normally sdcard_rw, but it will be media_rw
for secondary external storage devices, so DefaultContainerService
can still clean up package directories after uninstall.
Create /mnt/media_rw which is where vold will mount raw secondary
external storage devices before wrapping them in a FUSE instance.
Bug: 10330128, 10330229
Change-Id: I4385c36fd9035cdf56892aaf7b36ef4b81f4418a
I97b3d86a69681330bba549491a2fb39df6cf20ef introduced a separate type
for the adb_keys file. Set the security context of the adb_keys file
accordingly by adding restorecon commands to init.rc.
Change-Id: I30e4d2a1ae223a03eadee58a883c79932fff59fe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The log_target parameter of android_fork_execvp_ext() is now a
bit field, and multiple targets can be set to log to multiple
places at the same time.
The new target LOG_FILE will log to a file specified by the new
parameter file_path.
Set LOG_FILE and log to a file in /dev (the only writable filesystem
avilable when e2fsck runs) when invoking e2fsck in fs_mgr.
Bug: 10021342
Change-Id: I63baf644cc8c3afccc8345df27a74203b44d0400
