Bug: 130734497
Test: m selinux_policy; system_server and statds still have permission
to export HIDL services.
Change-Id: I6e87b236bdbdd939fca51fb7255e97635118ed2d
This change allows first-stage init to mount a tmpfs under
/debug_ramdisk to preserve files from the debug ramdisk, for
second-stage init to load sepolicy and property files.
This is to allow adb root on a USER build if the device is unlocked.
Bug: 126493225
Test: boot a device with debug ramdisk, checks related files are loaded
Change-Id: Iad3b84d9bdf5d8e789219126c88701bf969253ef
During preloading resources, zygote scans the overlay directories of
supported partitions looking for android RROs to apply statically. Zygote
currently is allowed to read overlays in /oem/overlay, but zygote does
not have the search permission to be able to scan /oem.
Without this patch, this denial is logged:
04-04 14:57:40.136 876 876 I auditd : type=1400 audit(0.0:9):
avc: denied { search } for comm="main" name="oem" dev="dm-3" ino=46
scontext=u:r:zygote:s0 tcontext=u:object_r:oemfs:s0 tclass=dir
permissive=0
Bug: 121033532
Test: booting without denials and stat oem succeeds
Change-Id: I661f3e0aff7ec3513870d08ddc122fc359b8f995
This selector is no longer used.
Bug: 123605817
Bug: 111314398
Test: compiles and boots
(cherry picked from commit 795add585c)
Change-Id: I673ce4b6898d58602e553e7cf194bb5eac8361e0
ART follows the /data/user/0 symlink while loading cache files, leading
to:
avc: denied { getattr } for comm="webview_zygote" path="/data/user/0"
dev="sda35" ino=1310726 scontext=u:r:webview_zygote:s0
tcontext=u:object_r:system_data_file:s0 tclass=lnk_file permissive=0
Allow this access, the same as app and app_zygote do.
Bug: 123246126
Test: DeviceBootTest.SELinuxUncheckedDenialBootTest
Change-Id: I90faa524e15a17b116a6087a779214f2c2142cc2
(cherry picked from commit d40f7fd9d5)
"This symlink was suppose to have been removed in the Gingerbread
time frame, but lives on."
https://android.googlesource.com/platform/system/core/+/d2f0a2c%5E!/
Apps targeting R+ must NOT use that symlink.
For older apps we allow core init.rc to create
/mnt/sdcard -> /storage/self/primary symlink.
Bug: 129497117
Test: boot device, /mnt/sdcard still around.
Change-Id: I6ecd1928c0f598792d9badbf6616e3acc0450b0d
Allow netd to trigger the kernel synchronize rcu with open and close
pf_key socket. This action was previously done by system_server but now
it need to be done by netd instead because there might be race issue
when netd is operating on a map that is cleaned up by system server.
Bug: 126620214
Test: android.app.usage.cts.NetworkUsageStatsTest
android.net.cts.TrafficStatsTest
Change-Id: Id5ca86aa4610e37a2752709ed9cfd4536ea3bfaf
ART follows the /data/user/0 symlink while loading cache files, leading
to:
avc: denied { getattr } for comm="webview_zygote" path="/data/user/0"
dev="sda35" ino=1310726 scontext=u:r:webview_zygote:s0
tcontext=u:object_r:system_data_file:s0 tclass=lnk_file permissive=0
Allow this access, the same as app and app_zygote do.
Bug: 123246126
Test: DeviceBootTest.SELinuxUncheckedDenialBootTest
Change-Id: I90faa524e15a17b116a6087a779214f2c2142cc2
The bootstrap bionic (/system/lib/bootstrap/*) are only to the early
processes that are executed before the bionic libraries become available
via the runtime APEX. Allowing them to other processes is not needed and
sometimes causes a problem like b/123183824.
Bug: 123183824
Test: device boots to the UI
Test: atest CtsJniTestCases:android.jni.cts.JniStaticTest#test_linker_namespaces
Merged-In: Id7bba2e8ed1c9faf6aa85dbbdd89add04826b160
Change-Id: Id7bba2e8ed1c9faf6aa85dbbdd89add04826b160
(cherry picked from commit a0f998e6de)
The bootstrap bionic (/system/lib/bootstrap/*) are only to the early
processes that are executed before the bionic libraries become available
via the runtime APEX. Allowing them to other processes is not needed and
sometimes causes a problem like b/123183824.
Bug: 123183824
Test: device boots to the UI
Test: atest CtsJniTestCases:android.jni.cts.JniStaticTest#test_linker_namespaces
Change-Id: Id7bba2e8ed1c9faf6aa85dbbdd89add04826b160
While the directory is not present anymore in Q, it has been shipped on
Q Beta 2 and the absence of such label might cause issues to devices
with pending installs which receive an OTA > Beta 2.
Bug: 130184133
Test: m
Merged-In: Ie3e77eebd2e7fd7b3a6a940d189cbc2bb386dc0e
Change-Id: Ie3e77eebd2e7fd7b3a6a940d189cbc2bb386dc0e
/system/bin/auditctl is executed by init to set the kernel audit
throttling rate limit. Grant the rules necessary for this to happen.
Test: compiles and boots
Test: Perform an operation which generates lots of SELinux denials,
and count how many occur before and after the time period.
Bug: 118815957
(cherry picked from commit 622ab8a2ba)
Change-Id: Ie5b4852fa217462557fce192c764305893968454
