Test: builds/boots on Angler. No "granted" messages for the removed
permissions observed in three months of log audits.
Bug: 28760354
Change-Id: I0a6363f094c41392469f438c4399c93ed53fb5ac
avc: granted { use } for pid=3067 comm="SoundPoolThread"
scontext=u:r:drmserver:s0 tcontext=u:r:system_server:s0 tclass=fd
Test: builds/boots on Angler. Adds permissions for all "granted" avc
messages observed in three months of log auditing.
Bug: 28760354
Change-Id: I51f13d7c7d40f479b1241dfcd5d925d28f74926b
As fallout from the corresponding fix in libselinux,
this patch adds the missing services without changing
semantics.
Test: bullhead builds and boots
Bug: 31353148
Change-Id: I21026c9435ffef956a59d61c4903174ac7b1ef95
Grant access to all processes and audit access. The end goal is to
whitelist all access to the interpreter. Several processes including
dex2oat, apps, and zygote were observed using libart, so omit them
from auditing and explicitly grant them access.
Test: Angler builds and boots
Bug: 29795519
Change-Id: I9b93c7dbef5c49b95a18fd26307955d05a1c8e88
This fixes the build error:
=====
libsepol.report_assertion_extended_permissions: neverallowxperm on line 166 of system/sepolicy/domain.te (or line 9201 of policy.conf) violated by
allow dumpstate dumpstate:netlink_tcpdiag_socket { ioctl };
libsepol.check_assertions: 1 neverallow failures occurred
=====
Which is caused, in AOSP and downstream branches, by
I123e5d40955358665800fe3b86cd5f8dbaeb8717.
Test: builds.
Change-Id: I925dec63df7c3a0f731b18093a8ac5c70167c970
Allow hwservicemanager to set properties starting with the prefix
"hwservicemanager."
b/31458381
b/31240290
Test: passing build and runtime tests
Change-Id: Id92e2170f52893bbf236987ee59383df2264952f
Signed-off-by: Iliyan Malchev <malchev@google.com>
Test: builds/boots on Angler. No "granted" messages for the removed
permissions observed in three months of log audits.
Bug: 28760354
Change-Id: I76c2752f806b83a6c21fcb17b6f445368936f61b
Currently, we define 4 hardcoded init services to launch dumpstate with
different command-line options (since dumpstate must be launched by
root):
- bugreport
- bugreportplus
- bugreportwear
- bugreportremote
This approach does not scale well; a better option is to have just one
service, and let the framework pass the extra arguments through a system
property.
BUG: 31649719
Test: manual
Change-Id: I7ebbb7ce6a0fd3588baca6fd76653f87367ed0e5
Build serial is non-user resettable freely available device
identifier. It can be used by ad-netowrks to track the user
across apps which violates the user's privacy.
This change deprecates Build.SERIAL and adds a new Build.getSerial()
API which requires holding the read_phone_state permission.
The Build.SERIAL value is set to "undefined" for apps targeting
high enough SDK and for legacy app the value is still available.
bug:31402365
Change-Id: I6309aa58c8993b3db4fea7b55aae05592408b6e4
In anticipation of fixing a loophole in the Linux kernel that allows
circumventing the execmem permission by using the ptrace interface,
this patch grants execmem permission on debuggable domains to
debuggerd. This will be required for setting software break points
once the kernel has been fixed.
Bug: 31000401
Change-Id: I9b8d5853b643d24b94d36e2adbcb135dbaef8b1e
update_verifier calls bootcontrol HAL to mark the currently booting slot
as successfully booted.
avc: denied { search } for name="block" dev="tmpfs" scontext=u:r:update_verifier:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0
avc: denied { search } for name="block" dev="tmpfs" scontext=u:r:update_verifier:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0
Bug: 29569601
Test: Device boots up with no update_verifier denials and 'bootctl is-slot-marked-successful 0' returns 0.
Change-Id: I1baa7819bc829e3c4b83d7168008a5b06b01cc9f
(cherry picked from commit 23a276a295)
DRM 3rd party application with platform signature
requires the permission.
Bug: 30352348
Change-Id: Idd673506764ae435db1be8cc8c13658541ffa687
Add a macro to make this easier for other processes
as well.
Change-Id: I489d0ce042fe5ef88dc767a6fbdb9b795be91601
(cherry picked from commit c2b9c1561e4bd7ac86d78b44ca7927994e781da0)
(cherry picked from commit 88c5146585)
Allow the otapreopt rename script to read file attributes. This is
being used to print the aggregate artifact size for diagnostic
purposes.
Bug: 30832951
Change-Id: Iee410adf59dcbb74fa4b49edb27d028025cd8bf9
(cherry picked from commit eb717421b1)
The new A/B OTA artifact naming scheme includes the target slot so
that the system is robust with respect to unexpected reboots. This
complicates the renaming code after reboot, so it is moved from the
zygote into a simple script (otapreopt_slot) that is hooked into
the startup sequence in init.
Give the script the subset of the rights that the zygote had so that
it can move the artifacts from /data/ota into /data/dalvik-cache.
Relabeling will be done in the init rc component, so relabeling
rights can be completely removed.
Bug: 25612095
Bug: 28069686
Change-Id: Iad56dc3d78ac759f4f2cce65633cdaf1cab7631b
Needed for legacy VPN access.
Note that ioctl whitelisting only uses the type and command fields
of the ioctl so only the last two bytes are necessary, thus 0x40047438
and 0x7438 are treated the same.
Bug: 30154346
Change-Id: I45bdc77ab666e05707729a114d933900655ba48b
(cherry picked from commit ec4b9d6705)
Vendor apps are usually not preopted, so A/B dexopt should pick
them up. update_engine is not mounting the vendor partition, so
let otapreopt_chroot do the work.
This change gives otapreopt_chroot permission to mount /vendor
into the chroot environment.
Bug: 25612095
Bug: 29498238
Change-Id: I5a77bdb78a8e478ce10f6c1d0f911a8d6686becb
