"This symlink was suppose to have been removed in the Gingerbread
time frame, but lives on."
https://android.googlesource.com/platform/system/core/+/d2f0a2c%5E!/
Apps targeting R+ must NOT use that symlink.
For older apps we allow core init.rc to create
/mnt/sdcard -> /storage/self/primary symlink.
Bug: 129497117
Test: boot device, /mnt/sdcard still around.
Change-Id: I6ecd1928c0f598792d9badbf6616e3acc0450b0d
Allow netd to trigger the kernel synchronize rcu with open and close
pf_key socket. This action was previously done by system_server but now
it need to be done by netd instead because there might be race issue
when netd is operating on a map that is cleaned up by system server.
Bug: 126620214
Test: android.app.usage.cts.NetworkUsageStatsTest
android.net.cts.TrafficStatsTest
Change-Id: Id5ca86aa4610e37a2752709ed9cfd4536ea3bfaf
ART follows the /data/user/0 symlink while loading cache files, leading
to:
avc: denied { getattr } for comm="webview_zygote" path="/data/user/0"
dev="sda35" ino=1310726 scontext=u:r:webview_zygote:s0
tcontext=u:object_r:system_data_file:s0 tclass=lnk_file permissive=0
Allow this access, the same as app and app_zygote do.
Bug: 123246126
Test: DeviceBootTest.SELinuxUncheckedDenialBootTest
Change-Id: I90faa524e15a17b116a6087a779214f2c2142cc2
The bootstrap bionic (/system/lib/bootstrap/*) are only to the early
processes that are executed before the bionic libraries become available
via the runtime APEX. Allowing them to other processes is not needed and
sometimes causes a problem like b/123183824.
Bug: 123183824
Test: device boots to the UI
Test: atest CtsJniTestCases:android.jni.cts.JniStaticTest#test_linker_namespaces
Change-Id: Id7bba2e8ed1c9faf6aa85dbbdd89add04826b160
While the directory is not present anymore in Q, it has been shipped on
Q Beta 2 and the absence of such label might cause issues to devices
with pending installs which receive an OTA > Beta 2.
Bug: 130184133
Test: m
Merged-In: Ie3e77eebd2e7fd7b3a6a940d189cbc2bb386dc0e
Change-Id: Ie3e77eebd2e7fd7b3a6a940d189cbc2bb386dc0e
/system/bin/auditctl is executed by init to set the kernel audit
throttling rate limit. Grant the rules necessary for this to happen.
Test: compiles and boots
Test: Perform an operation which generates lots of SELinux denials,
and count how many occur before and after the time period.
Bug: 118815957
Change-Id: Id9df65497d1172ab7c2e84ff6a43722f11c61620
This change allows the perfetto cmdline client to access
the (unprivileged) producer socket of traced, with the
intent of triggering finalization of already running traces
(see b/130135730). Matching change: aosp/932138
Note that:
- perfetto cmdline can already access the consumer socket
(to start tracing sessions).
- The producer socket is already exposed to most domains,
including unprivileged apps.
Bug: 130135730
Bug: 128966650
Change-Id: Id9106279584798e6689102085fa46a0b7ecb1ba7
We no longer have /system/etc/security/apex/* as the public keys are all
bundled in APEXes. Removing the selinux label and policies for it.
Bug: 936942
Test: device is bootable
Change-Id: I6b6144a8d15910d1ba8584a0778244ed398dc615
Allow renderscript to use file descriptors created by ephemeral apps.
This is needed to support renderscript execution by ephemeral apps.
Steps to reproduce:
atest com.google.android.pm.gts.PackageManagerHostTest#testRenderScriptLoading
Expected:
Test passes
Actual:
03-26 03:33:45.373 4607 4607 F linker : CANNOT LINK EXECUTABLE "/system/bin/bcc": can't enable GNU RELRO protection for "": Permission denied
03-26 03:33:45.373 4566 4600 E RenderScript: Child process "/system/bin/bcc" terminated with status 256
03-26 03:33:45.373 4566 4600 E RenderScript: bcc: FAILS to compile 'init_test'
03-26 03:33:45.374 4566 4596 E TestRunner: failed: testRenderScriptLoading(com.google.android.gts.packagemanager.InstantAppTestCases)
03-26 03:33:45.375 4566 4596 E TestRunner: ----- begin exception -----
03-26 03:33:45.375 4566 4596 E TestRunner: java.lang.AssertionError: Instant App should be able to access RenderScript APIs.
03-26 03:33:45.375 4566 4596 E TestRunner: at org.junit.Assert.fail(Assert.java:88)
03-26 03:33:45.375 4566 4596 E TestRunner: at com.google.android.gts.packagemanager.InstantAppTestCases.testRenderScriptLoading(InstantAppTestCases.java:338)
03-26 03:33:45.375 4566 4596 E TestRunner: at java.lang.reflect.Method.invoke(Native Method)
03-26 03:33:45.375 4566 4596 E TestRunner: at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
Additional notes: Confusingly ephemeral_app is not part of untrusted_app_all,
but it is part of all_untrusted_apps, which is used for neverallow
assertions.
Bug: 129356700
Test: atest com.google.android.pm.gts.PackageManagerHostTest#testRenderScriptLoading
Change-Id: I47781012b9fd2cd1d03a3d50bed0c693bcf9ec7b
Property is NNAPI client-readable and writeable only by init/build.prop.
Bug: 129666983
Bug: 120483623
Test: flashed crosshatch/Cts tests for NNAPI
Change-Id: Ic4c0f176440610a2c54c078863f3d5382323cc65
Since ipmemorystore service has been moved to network stack from
system service, also should revert the relevant sepolicy which is
corresponding to the previous configuration.
Bug: 128392280
Test: atest FrameworksNetTests NetworkStackTests
Change-Id: I1ae09696e620b246f817db71e7b71c32aae9be05
Addresses spurious denials caused by users of netutils_wrapper which
open files in /sys without O_CLOEXEC.
avc: denied { read } for comm="iptables-wrappe"
dev="sysfs" ino=47786 scontext=u:r:netutils_wrapper:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file
Test: build
Change-Id: I1c1f82428555be6a9798a189420dd85a9db107f7
Need ability for system components to access psi memory pressure file.
Add required permissions for system_server and init to access
/proc/pressure/memory file.
Bug: 129476847
Test: system_server can read /proc/pressure/memory
Change-Id: I10ce4f4fe0e3618fa77539e93246d0aae933082c
Signed-off-by: Tim Murray <timmurray@google.com>
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Domains that access super_block_device should instead
access super_block_device_type, which includes appropriate
block devices for retrofit DAP devices.
Test: boots (sanity)
Test: manual OTA
Bug: 128991918
Change-Id: Ie025b1e3c17e82330042aaa4a3e2e4a02ec1265b
To install GSIs on external storage (such as sdcards), gsid needs some
additional privileges:
- proc_cmdline and device-tree access to call ReadDefaultFstab().
This is ultimately used to check whether system's dm-verity has
check_at_most_once enabled, which is disallowed with sdcards.
- vfat read/write access to write files to the sdcard. Note that
adopted sdcards are not supported here.
- read access to the sdcard block device. To enable this without
providing access to vold_block_device, a new sdcard_block_device
label was added. Devices must apply this label appropriately to
enable gsid access.
- FIBMAP access for VFAT filesystems, as they do not support FIEMAP.
This only appears to work by granting SYS_RAWIO.
Bug: 126230649
Test: adb shell su root gsi_tool install --install_dir=/mnt/media_rw/...
works without setenforce 0
Change-Id: I88d8d83e5f61d4c0490f912f226fe1fe38cd60ab
