When SELinux is in enforcing mode, any process executed by
init must have a domain transition defined. See
https://android-review.googlesource.com/108640 for details. This
prevents an executable spawned by init from remaining in init's
(very powerful) SELinux domain.
However, this is only enforced when SELinux is in enforcing mode.
During new device bringup, it's common to run an Android device
in globally permissive mode. In globally permissive mode, SELinux
denials are logged only, but otherwise ignored. If appropriate
SELinux domain transitions are not defined from init to init spawned
processes, this could cause misleading SELinux denials attributed
to init instead of the child process.
To help address these misleading denials, modify init to not spawn
processes unless a domain transition is defined. This essentially
enforces the rules in https://android-review.googlesource.com/108640
on both permissive and enforcing kernels.
While I'm here, change some "freecon()" calls to "free()", with the
long term goal of deleting freecon() entirely.
Change-Id: I3ef3a372bb85df61a3f6234cb1113cc25fc6506a
We need to have partition.*.verified properties even when bootloader
is managing dm-verity mode, because we may have failed to set up the
verified partition and need a property to indicate this.
This means we still need to run fs_mgr_update_verity_state and walk
through all the partitions to verify the device mapper status, just
without updating verity mode.
Bug: 22489805
Change-Id: Iaf28185adb8b80e5452447e54e1f4e4417a34168
In isolatedProcess, the app_code_cache_dir is not needed
for native bridge. This commit allows native bridge to work
without a code cache in isolatedProcess.
Change-Id: I8580268d5ec6ca8d44e4500c3fafe10408e1e0d3
Signed-off-by: jgu21 <jinghui.gu@intel.com>
If the first read when dumping memory returns no data, skip ahead to
the next page boundary and try and read from there. This fixes a case
where the address at which to start dumping memory is unreadable, but
crosses back into readable memory.
Bug: 22234753
Change-Id: Ie28d5c027013577ca06f5396aba498366a3b6749
One of my build aliases doesn't play nice with USE_MINGW=1, so my build lied to me. Will revert until I fix it up.
This reverts commit 459df8f3a1.
Change-Id: I7905c5ae5ee85fb2d228ce63d81c79f140998c18
Upstream clang has a new diagnostic, '-Wmismatched-new-delete' to
generate a warning (that becomes an error with -Werror) when delete is
used to deallocate pointers created with 'new[]'. This patch fixes
'delete's that trigger this warning/error.
Change-Id: I7551e856b4b13bfae4cb78b5664d8652322683cf
Apparently there are two classes of this warning in clang.
-Wformat-security is only emitted for cases of
`func(nonliteral_fmt_string)` (no args), and -Wformat-nonliteral is
emitted for cases *with* arguments. For whatever reason, the latter
isn't included in -Wextra and must be manually enabled.
To make this more easily portable to Windows, move the existing
gnu_printf/__printf__ decision into base/macros.h as ATTRIBUTE_FORMAT.
Change-Id: I3b0990e1d1f0a2e9c13b32f5cd60478946cb5fc6
Folders in the root directory are now created during the build,
as we may be building without a ramdisk, and when we do that,
the root directory will be read-only. With those changes,
these mkdirs will never need to run.
Change-Id: I49c63e8bfc71d28e3f938ed41f81d108359fa57a
When the ramdisk is built into the system image, we need to create
those folders during the build.
Change-Id: I40881940c75e379d7599dc1f743b35fbc7cc66e8
system.img may contain the root directory as well. In that case, we
need to create some folders init.rc would during the build.
Change-Id: I157ccbebf36bee9916f3f584551704ec481ae1d1
Use debug.debuggerd.wait_for_gdb being set to non-zero to
determine if debuggerd should stop and wait for someone to
attach gdb to the crashing process.
Bug: 22233908
Change-Id: Id55a1572b479a70d395b7270392ce6fb70dbfdca
We improved gdbclient to make the process simpler, but didn't update
debuggerd to match.
Bug: http://b/22233857
Change-Id: If4137943f567a9e566a3ac7f485c9b1eab2c68e9
Prior to the documentation told users to pass 0 in as
the first argument to write messages, when they should
be outting in their local-id. It is now corrected.
Change-Id: Ia2c6c84f95383baa5ca471493a29a39e5173b604
Signed-off-by: Derrick Bonafilia <dbonafilia@google.com>
The debuggerd code sometimes calls _LOG(..., logtype::ERROR, ...)
and sometimes ALOGE(). Standardize on ALOGE since the _LOG message
will wind up in the tombstone in weird places, but using ALOGE
will wind up in the logcat portion of the tombstone.
Bug: 21467089
Change-Id: Ie893f5e91d45b48ef3f5864c3a714e60ac848fb3
It's easier for people to debug, and side-steps the problem that errno
values differ between architectures.
Bug: http://b/17458391
Change-Id: I1db9b2cbb653839d3936b91e37e5cff02671318a
Linking against both libziparchive-host and libz-host results in
libz loaded twice (because it is also linked statically in
libziparchive).
Change-Id: Ib34eef60200a702c2d7fbca3589b324992e78eab
since the struct is now used for other purposes. Also add some
comparator functions to the struct to simplify zip_archive.cc.
This is a follow-up CL for f1d3d3b247.
Bug: 21957428
Change-Id: I60d4171eeacc561d59226d946e9eb5f9c96d80cf
so that PackageManagerService can iterate over files with a
specific file extension like ".so".
(cherry picked from commit a4a80693d9)
Bug: 21957428
Change-Id: I36ba3c33a8b366a65f67cb6d156067c5caca1151
Quick low-risk to resolve possible hash table corruption.
Resolved an unlikely path memory leak.
ToDo: replace lock with nested lock so no lock
helpers are required.
Bug: 22068332
Change-Id: I303ab06608502c7d61d42f111a9c43366f184d0c
