This is useful for tools like dumpsys, so that they work on all services
equally as well. Also, so that there is no difference with the regular
service manager.
Bug: 150579832
Test: 'adb shell /vendor/bin/dumpsys -l' shows 'manager'
Test: denial is no longer present:
03-05 12:23:47.346 221 221 E SELinux : avc: denied { add } for pid=221 uid=1000 name=manager scontext=u:r:vndservicemanager:s0 tcontext=u:object_r:service_manager_vndservice:s0 tclass=service_manager permissive=0
Change-Id: Id6126e8277462a2c4d5f6022ab67a4bacaa3241e
For system prop flags from DeviceConfig namespace "Configuration".
Test: Build and run on local device
Bug: 149420506
Change-Id: If4196b4bf231e7c52f98b92cc0031a08dad06120
This fixes a bug introduced in aosp/1143430 where the permission
should have been included for the newly introduced
ashmem_libcutils_device type.
Test: Build
Bug: 150193534
Change-Id: I5b1ed8d9548f9dab4ad9373f98e21614c07c3d38
* allow shell to enable/disable the daemon via a sysprop
* don't audit signals, as some denials are expected
* exclude zygote from the profileable set of targets on debug builds.
I've not caught any crashes in practice, but believe there's a
possibility that the zygote forks while holding a non-whitelisted fd
due to the signal handler.
Change-Id: Ib237d4edfb40b200a3bd52e6341f13c4777de3f1
This is driven by 3 things:
- netd no longer needs setattr, since this is now done by bpfloader
- nothing should ever unpin maps or programs
- generic cleanups and additional neverallows
Test: build, atest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I881cc8bf9fe062aaff709727406c5a51fc363c8e
This is to allow adding the Tuner Resource Manager as a system service
Test: cuttlefish
Bug: 147380513
Change-Id: I3f61f2542c7fd934bb69dde08079f830196e2344
Adds a context for telephony related cache properties and changes
the bluetooth and system_server properties to match off of prefix
instead of exact string matches.
Test: Flashed phone with PowerManager caches enabled and verified
that the phone boots.
Change-Id: I9110192a12bb6222e49a8fb6b266d6067ef2ea92
service.adb.tls.port contains the adbd tcp port running the TLS server.
persist.sys.adb.wifi tells adbd when to enable the TLS server.
Bug: 149348431
Bug: 111434128
Test: Enable wireless debugging, check if TLS port information is
displayed in the Developer options > Wireless debuggging.
Change-Id: I5b5c5a3d064bc003f41386ede9051609fefec53e
The credstore service is a system service which backs the
android.security.identity.* Framework APIs. It essentially calls into
the Identity Credential HAL while providing persistent storage for
credentials.
Bug: 111446262
Test: atest android.security.identity.cts
Test: VtsHalIdentityTargetTest
Test: android.hardware.identity-support-lib-test
Change-Id: I5cd9a6ae810e764326355c0842e88c490f214c60
This is needed to run update_engine unittests in cuttlefish. In the test,
the directory is mounted as R/W.
Denial:
avc: denied { write } for path="/data/misc/update_engine/tmp/a_img.NqUpaa" dev="dm-4" ino=3048 scontext=u:r:kernel:s0 tcontext=u:object_r:update_engine_data_file:s0 tclass=file permissive=0
strace:
mount("/dev/block/loop26", "/data/local/tmp/.org.chromium.Chromium.3s2KYE", "ext2", 0, "") = -1 EIO (I/O error)
Test: unittests pass
Change-Id: I4658eb60240bd725bac2aef30305747ffe50aeb6
sys.linker property was defined to enable / disable generate linker
configuration, but the property has been removed. Remove sys.linker
property definition as it is no longer in use
Bug: 149335054
Test: m -j passed && cuttlefish worked without sepolicy error
Change-Id: Iacb2d561317d0920f93104717ce4f4bb424cc095
Merged-In: Iacb2d561317d0920f93104717ce4f4bb424cc095
Helps with support of recovery and rollback boot reason history, by
also using /metadata/bootstat/persist.sys.boot.reason to file the
reboot reason. For now, label this file metadata_bootstat_file.
Test: manual
Bug: 129007837
Change-Id: Id1d21c404067414847bef14a0c43f70cafe1a3e2
init has a mount handler that stats mount-points for block devices; on
devices without sdcardfs, that handler will stat the FUSE filesystem,
since we have a bindmount on FUSE to the lower filesystem, which is an
actual block device.
Test: no more denial on cf without sdcardfs
Change-Id: Idb351f5ccba00440f4f8b39616de76336bb81a1b
This key is used for invalidating the per-process cache for calls to
PlatformCompat.isChangeEnabledByPackageName and
PlatformCompat.isChangeEnabledByUid.
Bug: 140441727
Test: atest PlatformCompatTest
Test: atest CompatConfigTest
Test: atest CompatChanges
Test: atest PlatformCompatGating
Change-Id: I203ea43c3451bddc0aeb298f5892868969b67fc3
Define two property_context.
1. vendor_socket_hook_prop - for ro.vendor.redirect_socket_calls. The
property set once in vendor_init context. It's evaluated at process
start time and is cannot change at runtime on a given device. The set
permission is restricted to vendor_init. The read permission is
unrestricted.
2. socket_hook_prop - for net.redirect_socket_calls.hooked. The
property can be changed by System Server at runtime. It's evaluated when
shimmed socket functions is called. The set permission is restricted to
System Server. The read permission is unrestricted.
Bug: Bug: 141611769
Test: System Server can set net.redirect_socket_calls.hooked
libnetd_client can read both properties
libnetd_client can't set both properties
Change-Id: Ic42269539923e6930cc0ee3df8ba032797212395
