vendor_modprobe loads kernel modules which may create files in
debugfs during module_init().
Bug: 179760914
Test: build
Change-Id: I743a81489f469d52f94a88166f8583a7d797db16
Android R launching devices and newer must not ship with debugfs
mounted. For Android S launching devices and newer, debugfs must only be
mounted in userdebug/eng builds by init(for boot time initializations)
and dumpstate(for grabbing debug information from debugfs using the
dumpstate HAL).
This patch adds neverallow statements to prevent othe processes
being provided access to debugfs when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS
is set to true.
Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Bug: 184381659
Change-Id: I63a22402cf6b1f57af7ace50000acff3f06a49be
Android R launching devices and newer must not ship with debugfs
mounted. For Android S launching devices and newer, debugfs must only be
mounted in userdebug/eng builds by init(for boot time initializations)
and dumpstate(for grabbing debug information from debugfs). This patch
adds a neverallow statement that prevents processes other than init
from being provided access to mount debugfs in non-user builds
when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS is set to true.
Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Bug: 184381659
Change-Id: I289f2d25662a78678929e29f83cb31cebd8ca737
The type is declared in vendor policy, so the mapping should live
there as well.
Fixes: 185288751
Test: TH
Change-Id: Ia446d7b5eb0444cdbd48d3628f54792d8a6b2786
This patch adds ro.product.enforce_debugfs_restrictions to
property_contexts. When the property is set to true in non-user builds,
init mounts debugfs in early-init to enable boot-time debugfs
initializations and unmounts it on boot complete. Similarly dumpstate
will mount debugfs to collect information from debugfs during bugreport
collection via the dumpstate HAL and unmount debugfs once done. Doing
so will allow non-user builds to keep debugfs disabled during runtime.
Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS, adb shell am
bugreport
Bug: 184381659
Change-Id: Ib720523c7f94a4f9ce944d46977a3c01ed829414
This is an Android Studio Emulator (aka ranchu)
specific property, it is used for emulator
specific workarounds.
Bug: 182291166
Test: presubmit
Signed-off-by: Roman Kiryanov <rkir@google.com>
Change-Id: I2b8daf7c8ddb05b4082e4229f7b606c6ad4e717e
Fixed SELinux denials when trying to render the camera preview
to a texture in an internal test app. See the bug for additional
information.
Bug: 183749637
Test: Ran the internal test app, doesn't crash anymore.
Change-Id: I8fb62be424cd91c46cada55bb23db1624707997d
NetworkStack GTS tests need get network_watchlist_service and
system_config_service to test their APIs which are used by
module. But it will block by avc denied when trying to get
these services. Thus, amend networkstack sepolicy that can get
these services correctly.
Bug: 185309847
Test: Verify GTS test can get service correctly.
Change-Id: Icb18065e94d0026c3232cebb7d5eb39277fe7552
Add "ro.camerax.extensions.enabled" vendor-specific property.
Allow public apps to read this property.
Bug: 171572972
Test: Camera CTS
Change-Id: Id5fadedff6baaaebe5306100c2a054e537aa61ed
Allow keystore to call statsd.
Allow statsd to call back to keystore to pull atoms.
Bug: 172013262
Test: atest system/keystore/keystore2
Test: statsd_testdrive 10103
Change-Id: I2d1739e257e95b37cc61f655f98f7a2724df7d76
untrusted apps were already granted this policy and we now extend it
to all apps. This allows FileManager apps with the
MANAGE_EXTERNAL_STORAGE permisssion to access USB OTG volumes mounted
on /mnt/media_rw/<vol>.
This permission access in the framework is implemented by granting
those apps the external_storage gid. And at the same time USB volumes
will be mounted on /mnt/media_rw/<vol> with the external_storage gid.
There is no concern of interferring with FUSE on USB volumes because
they are not FUSE mounted.
For sdcards (non-USB) volumes mounted on /mnt/media_rw/<vol>, those
volumes are mounted with the media_rw gid, so even though they are
FUSE mounted on /storage/<vol>, arbitrary apps cannot access the
/mnt/media_rw path since only the FUSE daemon is granted the media_rw
gid.
Test: Manual
Bug: 182732333
Change-Id: I70a3eb1f60f32d051f44253b0db2c7b852d79ba1
In microdroid, apexd activates apexes which are passed as a virtual disk
to share apexes with host Android.
Bug: 184605708
Test: apexd running in microdroid can read /dev/block/vdb2
when a disk image is passed to crosvm via --disk= option.
Change-Id: Ie27774868a0e0befb4c42cff795d1531b042654c
This service will intercept all UwbManager API calls and then perform
necessary permission checks before forwarding the call to the vendor
UWB service. Adding sepolicy permissions for exposing the service that
handles all public API's.
Bug: 183904955
Test: atest android.uwb.cts.UwbManagerTest
Change-Id: Icce4d2f586926421c06e8902a91533002c380b8d
Metrics are written to /data/misc/odrefresh by odrefresh during early
boot, then native code in ART system_server initialization passes them
to statsd and deletes the metrics files. This hand-off is necessary
because statsd does not start until after odsign and odrefresh have run.
Bug: 169925964
Test: manual
Change-Id: I8054519a714907819886dd6e5e78f3b5796d0898
This reverts commit cdf7b0f374.
Reason for revert: libmemtrack now uses a memtrackproxy_service, which allows app access
Change-Id: Id3858a0b813b822fc17f77e14d46525942048066
To parse etm data for kernel and kernel modules, add below permissions
to profcollectd:
1. Get kernel start address and module addresses from /proc/kallsyms
and /proc/modules.
2. Get kernel build id from /sys/kernel/notes.
3. Read kernel module files in vendor dir.
Bug: 166559473
Test: run profcollectd.
Change-Id: I2e0b346379271fadc20e720722f7c9a687335ee2
