dmesgd is a daemon that collects kernel memory error reports.
When system_server notices that a kernel error occured, it sets the
dmesgd.start system property to 1, which results in init starting
dmesgd.
Once that happens, dmesgd runs `dmesg` and parses its output to collect
the last error report. That report, together with the headers containing
device- and build-specific information is stored in Dropbox.
Empirically, dmesgd needs the following permissions:
- execute shell (for popen()) and toolbox (for dmesg),
read system_log (for dmesg)
- read /proc/version (to generate headers)
- perform Binder calls to servicemanager and system_server,
find dropbox_service (for dropbox)
- create files in /data/misc/dmesgd (to store persistent state)
Bug: 215095687
Test: run dmesgd on a user device with injected KFENCE bugs
Change-Id: Iff21a2ffd99fc31b89a58ac774299b5e922721ea
simpleperf_boot is the secontext used to run simpleperf from init,
to generate boot-time profiles.
Bug: 214731005
Test: run simpleperf manually
Change-Id: I6f37515681f4963faf84cb1059a8d5845c2fe5a5
This should be read-only and corresponds to apexd.payload_metadata.path
Bug: 191097666
Test: android-sh -c 'setprop apexd.payload_metadata.path'
See permission denied
atest MicrodroidHostTestCases
Change-Id: Ifcb7da1266769895974d4fef86139bad5891a4ec
so that it cannot reveal a system api that requires
READ_PRIVILEGED_PHONE_STATE
Bug: 183410189
Bug: 197722115
Test: adb shell getprop -Z
Change-Id: I65f4121fc300447af7d516676166bc8b0b53b727
Merged-In: I65f4121fc300447af7d516676166bc8b0b53b727
It is a system property that keeps the last CID used by the
virtualizationservice. Although the information is local to the
process, a new system property is justified because the information has
to be kept across multiple runs of the process. A file however is not
desirable because the information shouldn't be persisted.
Bug: 196015427
Test: atest MicrodroidHostTestCases
Change-Id: If8ca4b6ad8d9c8cb3bb33dc9ef45de0ae6481d15
This adds a new property prefix owned by snapuserd, for communicating
when the service is ready to accept connections (snapuserd.ready and
snapuserd.proxy_ready).
This also adds a new socket context. This is a seqpacket socket used to
communicate with a special instance of snapuserd that bridges to the
first-stage daemon.
Bug: 193833730
Test: no denials after OTA applies and boots
Change-Id: Ibad03659eba5c25e205ba00f27d0b4f98585a84b
Additionally, remove the obsolete permission which allows keystore to
register callbacks with statsd. There's no direct communication between
keystore and statsd now.
Ignore-AOSP-First: No mergepath to AOSP.
Bug: 188590587
Test: statsd TestDrive script.
Merged-In: I31d202751ba78bb547822020260a7e366cb8826e
Change-Id: I31d202751ba78bb547822020260a7e366cb8826e
To parse etm data for kernel and kernel modules, add below permissions
to profcollectd:
1. Get kernel start address and module addresses from /proc/kallsyms
and /proc/modules.
2. Get kernel build id from /sys/kernel/notes.
3. Read kernel module files in vendor dir.
Bug: 166559473
Test: run profcollectd.
Change-Id: I2e0b346379271fadc20e720722f7c9a687335ee2
Bug: 182546466
Test: Test with getprop code outside system img
Change-Id: I4817c22ecc0a143ea818e0850fb721cbdf1d5ae5
Signed-off-by: Denny cy Lee <dennycylee@google.com>
This node ID will be used to uniquely and anonymously identify a device
by profcollectd on engineering (userdebug or eng) builds.
Test: build
Change-Id: If01f71c62479d63d4d19aac15da24bc835621e66
* Permits setting the sys.drop_caches property from shell.
* Permits init to read and write to the drop_caches file.
* Can only be set to 3 (drop_caches) and 0 (unset).
Bug: 178647679
Test: flashed user build and set property; no avc denials.
Test: flashed userdebug build and dropped caches w/o root.
Change-Id: Idcedf83f14f6299fab383f042829d8d548fb4f5d
These properties are used to communicate odsign status, and allow init
to evict keys and start zygote at the correct moments in time.
Bug: 165630556
Test: no denials from init/odsign
Change-Id: I813e5c1c93d6f00a251a9cce02d0b74e5372c1ce
This type is used for properties that provides per-device configuration
for apexd behaviour (so far - timeouts for creating/deleting dm device).
Test: builds
Bug: 182296338
Change-Id: Ib815f081d3ab94aa8c941ac68b57ebe661acedb9
This property is many years old and it does not have a property
context associated with it. It is set by the system server (in
particular, ConnectivityService code, in the Tethering module)
and read by init, which does:
on property:net.tcp_def_init_rwnd=*
write /proc/sys/net/ipv4/tcp_default_init_rwnd ${net.tcp_def_init_rwnd}
There is no need to add read access to init because init can read
and write any property.
Test: m
Fix: 170917042
Change-Id: I594b09656a094cd2ef3e4fd9703e46bf7b2edd4c
This property is written by an .rc file - see aosp/1553819 - and
read by the connectivity mainline code in the system server.
Test: m
Bug: 182333299
Change-Id: Ibac622f6a31c075b64387aadb201ad6cdd618ebd
This property is set to true in rollback tests to prevent
fallback-to-copy when enabling rollbacks by hard linking.
This gives us insights into how hard linking fails where
it shouldn't.
Bug: 168562373
Test: m
Change-Id: Iab22954e9b9da21f0c3c26487cda60b8a1293b47
Follow the steps: go/android-native-flag-api-manual
Bug: 179099277
Test: m -j
Test: manually verify connection to wifi after flash
Change-Id: Ieb5355d40aec9ed7a42b7ae5b250b696fcf00810
These flags should be writeable to the shell for both root and non-root
users. They should be readable everywhere, as they're read in libc
during initialization (and there's nothing secret to hide). We just
don't want to allow apps to set these properties.
These properties are non-persistent, are for local developer debugging
only.
Bug: 135772972
Bug: 172365548
Test: `adb shell setprop memtag.123 0` in non-root shell succeeds.
Change-Id: If9ad7123829b0be27c29050f10081d2aecdef670
default_prop has been readable from coredomain and appdomain. It's too
broad, because default_prop is a context for properties which don't have
matching property_contexts entries.
From now on, only coredomain can read default_prop. It's still broad,
but at least random apps can't read default_prop anymore.
Bug: 170590987
Test: SELinux denial boot test for internal devices
Change-Id: Ieed7e60d7e4448705c70e4f1725b2290e4fbcb4a
tests/sepolicy_tests.py has been checking whether the property owner
attributes are mutually exclusive. This is because current policy
language can't express the following snippet:
neverallow domain {
system_property_type && vendor_property_type
}:file no_rw_file_perms;
neverallow domain {
system_property_type && vendor_property_type
}:property_service set;
This uses technical_debt.cil to workaround this.
Bug: 171437654
Test: Try to compile a type having both system_property_type and
vendor_property_type
Change-Id: Ic65f2d00aa0f2fb7f5d78331b0a26e733fcd128e
Restrict access to controlling snapuserd via ctl properties. Allow
update_engine to control snapuserd, and connect/write to its socket.
update_engine needs this access so it can create the appropriate dm-user
device (which sends queries to snapuserd), which is then used to build
the update snapshot.
This also fixes a bug where /dev/dm-user was not properly labelled. As a
result, snapuserd and update_engine have been granted r_dir_perms to
dm_user_device.
Bug: 168554689
Test: full ota with VABC enabled
Change-Id: I1f65ba9f16a83fe3e8ed41a594421939a256aec0
These are read by some apps, but don't have any corresponding property
contexts. This adds a new context as we're going to remove default_prop
access.
Bug: 173360450
Test: no sepolicy denials
Change-Id: I9be28d8e641eb6380d080150bee785a3cc304ef4