To remove bad context names "exported*_prop"
Bug: 155844385
Test: boot and see no denials
Change-Id: Icd30be64355699618735d4012461835eca8cd651
Merged-In: Icd30be64355699618735d4012461835eca8cd651
(cherry picked from commit 37c2d4d0c9)
(cherry picked from commit 3b66e9b9f8)

The rule "get_prop(coredomain, vts_status_prop)" is duplicated by
mistake. It's already in coredomain.te, and it should be deleted from
app.te
Bug: N/A
Test: m selinux_policy
Change-Id: I816c8da74940fc6ccdd50fe377aa54eae36237b4

vts_config_prop and vts_status_prop are added to remove exported*_prop.
ro.vts.coverage becomes vts_config_prop, and vts.native_server.on
becomes vts_status_prop.
Bug: 155844385
Test: Run some vts and then getprop, e.g. atest \
VtsHalAudioEffectV4_0TargetTest && adb shell getprop
Test: ro.vts.coverage is read without denials
Change-Id: Ic3532ef0ae7083db8d619d80e2b73249f87981ce

dexoptanalyzer needs read access on the secondary
dex files and of the main apk files in order to successfully evaluate
and optimize them.
Example of denial:
audit(0.0:30): avc: denied { read } for
path="/data/app/~~Zux_isdY0NBkRWPp01oAVg==/com.example.secondaryrepro-wH9zezMSCzIjcKdIMtrw7A==/base.apk"
dev="vdc" ino=40966 scontext=u:r:dexoptanalyzer:s0
tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0
app=com.example.secondaryrepro
Test: adb shell cmd package compile -r bg-dexopt --secondary-dex app
Bug: 160471235
Bug: 160351055
Change-Id: Id0bda5237d3ce1620d4f6ee89595836b4e1f3abf
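Added example, not part of the commit or of the AOSP tree: a small parser that splits the dexoptanalyzer denial quoted above into its source type, target type, class and permissions, and formats a candidate allow rule for review. The function names are hypothetical, and the rule it prints is derived only from the denial text, not taken from the actual policy change.

```python
import re

# The denial quoted in the commit message above, joined onto one line.
PAGE_DENIAL = (
    'audit(0.0:30): avc: denied { read } for '
    'path="/data/app/~~Zux_isdY0NBkRWPp01oAVg==/'
    'com.example.secondaryrepro-wH9zezMSCzIjcKdIMtrw7A==/base.apk" '
    'dev="vdc" ino=40966 scontext=u:r:dexoptanalyzer:s0 '
    'tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0 '
    'app=com.example.secondaryrepro'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None  # truncated record: do not guess at missing fields
    return {
        'result': m.group(1),
        'perms': m.group(2).split(),
        # A context is user:role:type:level; the level may itself contain ':'.
        'source': fields['scontext'].split(':', 3)[2],
        'target': fields['tcontext'].split(':', 3)[2],
        'tclass': fields['tclass'],
        'enforced': fields.get('permissive') == '0',
        'path': fields.get('path'),
    }


def candidate_rule(rec):
    """Format the denial as an allow rule for a reviewer to accept or reject."""
    perms = rec['perms']
    body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {rec['source']} {rec['target']}:{rec['tclass']} {body};"


if __name__ == '__main__':
    rec = parse_avc(PAGE_DENIAL)
    print(rec)
    print(candidate_rule(rec))
```

A rule produced this way is only a starting point for review: whether the access should be allowed, narrowed or suppressed is a policy decision the denial itself cannot answer.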
We already have ro.logd. and persist.logd. as logd_prop, but not
logd. so this change adds it. New properties should be read-write by
default so logd. should be preferred to ro.logd.
Test: set logd.buffer_type appropriately.
Change-Id: I51ed19f0093a0302709116944153f37067814d08

A few netd avc denials are observed. Suppress audit messages since they
don't cause a problem.
Bug: 77870037
Test: build, flash, boot
Change-Id: I019c5af62630fcd0a35e22c560b9043bba58f6f1

This is not allowed for apps with targetSdkVersion>=Q.
Allow this failure until gmscore fixes.
Bug: 160984921
Test: build
Change-Id: I1e9f2af091b22eef2bc05ae1e571fb45dec05cfe

ro.enable_boot_charger_mode and sys.boot_from_charger_mode are moved to
new property contexts for charger props to remove exported*_prop.
Bug: 155844385
Test: boot device with ro.enable_boot_charger_mode
Change-Id: I17d195d3c9c002a42125d46a5efcdb890f1c2a5c

All files under vendor_dlkm are tagged vendor_file.
All build props for vendor_dlkm are mapped as build_vendor_prop.
Test: build and
`ls /vendor_dlkm -lZ`
`adb shell getprop -Z | grep vendor_dlkm`
Bug: 154633114
Change-Id: Ie9dc26d948357767fec09aca645606310ad3425c

tombstoned.max_tombstone_coun becomes tombstone_config_prop to remove
exported*_default_prop
Bug: 155844385
Test: tombstoned is running and logcat shows no denials
Change-Id: I57bebb5766d790dc52d40a6d106f480e0e34fa4e

keyguard.no_require_sim becomes keyguard_config_prop to remove
exported*_default_prop
Bug: 155844385
Test: boot and see no denials
Change-Id: Icffa88b650a1d35d8c1cd29f89daf0644a79ddd3

apexd runs in two separate mount namespaces: bootstrap & default.
To support a separate apex-info-list.xml for each mount namespace, apexd
needs to emit a separate .xml file according to the mount namespace and
then bind-mount it to apex-info-list.xml file.
Bug: 158964569
Test: m & boot
nsenter -m/proc/1/ns/mnt -- ls -lZ /apex/apex-info-list.xml
nsenter -m/proc/2/ns/mnt -- ls -lZ /apex/apex-info-list.xml
=> shows the label apex_info_file correctly
Change-Id: I25c7445da570755ec489edee38b0c6af5685724b

This needs to be updated to api 30.0 which introduced the system_ext.
Bug: 160314910
Test: build and boot
Change-Id: I08c4aed640467d11482df08613039726e7395be0

This does not yet list all the required capabilities for profcollectd,
but it at least allows the service to start under permissive mode.
Bug: 79161490
Test: start profcollectd
Change-Id: I92c6192fa9b31840b2aba26f83a6dc9f9e835030

CTS runs are being polluted by denial logs from the best-effort isatty
(-> TCGETS ioctl) check done by perfetto's log formatter.
This patch suppresses the denial.
I believe that what's actually being denied is the ioctl itself, NOT the
TCGETS aspect of it (there is a domain-wide fifo_file TCGETS allowxperms
rule in domain.te:303). But the "dontauditxerms" suppresses the denial
anyway.
Bug: 159988048
Merged-In: Ieee1d7de8b023dd632d0e37afa3a2434cfd1a3a1
Change-Id: Ieee1d7de8b023dd632d0e37afa3a2434cfd1a3a1
(cherry picked from commit 8519c6d316)

The non-prebuilt files are already up-to-date, as this change exists in
aosp/master as aosp/1267820.
Bug: 159988048
Merged-In: Ie7780128fcd80a051e809bfc98f21179cb3f0ecc
Change-Id: Ie7780128fcd80a051e809bfc98f21179cb3f0ecc
(cherry picked from commit 2b2cde7592)

There is a desire to ensure that modprobe as a service can log to
kmesg to help triage issues, so add support for the -s or --syslog
flag to do so.
Bug: 159424228
Bug: 151950334
Test: use modprobe as a service to load modules, check logs
Change-Id: I884995f364b0fc604861797eb90d7225a372f864