Vendors should be able to specify additional cgroups and task profiles
without changing system files. Add access rules for /vendor/etc/cgroups.json
and /vendor/etc/task_profiles.json files which will augment cgroups and
task profiles specified in /etc/cgroups.json and /etc/task_profiles.json
system files. As with system files /vendor/etc/cgroups.json is readable
only by init process. task_profiles.json is readable by any process that
uses cgroups.
Bug: 124960615
Change-Id: I12fcff0159b4e7935ce15cc19ae36230da0524fc
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
We are only interested in removing "open" access from apps, so leave
apps with (rw_file_perms - open) permissions to /dev/ashmem
Bug: 126627315
Test: emulator boots without denials to /dev/ashmem
Change-Id: I7f03fad5e4e82aebd1b6272e4956b16f86043637
Add art_apex_postinstall domain that is allowed to move
precreated AoT artifacts from /data/ota.
Bug: 125474642
Test: m
Change-Id: Id674e202737155a4ee31187f096d1dd655001fdd
gsid is started lazily to reduce memory pressure. It can be started
either via gsi_tool (invoked by adb shell), or by DynamicAndroidService
via system_server.
Bug: 126622385
Test: no denials running "gsi_tool status"
Change-Id: I90a5f3f28fe4f294fb60e7c87a62e76716fbd5c0
Add art_apex_preinstall domain that is allowed to create AoT
artifacts in /data/ota.
Bug: 125474642
Test: m
Change-Id: Ia091d8df34c4be4f84c2052d3c333a0e36bcb036
Fixes: 126604492
Test: Build userdebug and user.
Test: Test
android.cts.security.SELinuxNeverallowRulesTest#testNeverallowRules129
on userdebug.
Change-Id: I0716e566570114878842644339401331513bae22
This can not be done from the system server as there are native API that
do not go through it (aaudio, opensles).
Test: adb shell dumpsys media.audio_policy | grep -i 'Package manager'
Bug: 111453086
Signed-off-by: Kevin Rocard <krocard@google.com>
Change-Id: I0a4021f76b5937c6191859892fefaaf47b77967f
Apps are no longer allowed open access to /dev/ashmem, unless they
target API level < Q.
Bug: 113362644
Test: device boots, Chrome, instant apps work
Change-Id: I1cff08f26159fbf48a42afa7cfa08eafa1936f42
System suspend service is not a HAL, so avoid using HAL-specific macros
and attributes.
Use system_suspend_server attribute for ISystemSuspend.hal permissions.
Use system_suspend type directly for internal .aidl interface
permissions.
Bug: 126259100
Test: m selinux_policy
Test: blueline boots; wakelocks can still be acquired; device suspends
if left alone.
Change-Id: Ie811e7da46023705c93ff4d76d15709a56706714
In preparation for additions that should be private-only, move the
types to private. Both have to be moved as they are dependent.
Bug: 125474642
Test: m
Change-Id: I6a76eba41b036bc6fb83588adbe9d63767d3e159
In preparation for moving other components to private, so that
private-only components can stay private.
Bug: 125474642
Test: m
Change-Id: Iff1ecabc4f45051d06e062b3338a117c09b39ff9
In some scenarios (native watchdog finding a regression, apexd failing
to mount apexes), a rollback of apexd will be triggered which requires
device reboot.
Bug: 123622800
Test: manually triggered apexd rollback and verified it reboots phone
Change-Id: I4c5d785a69dd56a63348c75c1897601749db9bc5
The dl.exec_linker* tests verify that the linker can invoked on an
executable. That feature still works, but not with the default
shell user, which is required for the CTS bionic tests.
Addresses the following denial:
audit(0.0:5493): avc: denied { execute_no_trans } for path="/bionic/bin/linker64" dev="loop3" ino=25 scontext=u:r:shell:s0 tcontext=u:object_r:system_linker_exec:s0 tclass=file permissive=0
Bug: 124789393
Test: compiles
Change-Id: I77772b2136fae97174eeba6542906c0802fce990
In order to support deleting session files after a staged session reaches
a final state, installd will need to delete the session directories from
/data/staging.
Bug: 123624108
Test: triggered 2 flows in which a staged session reaches a final state
and made sure installd can delete the session files
Change-Id: I76a7d4252d1e033791f67f268cf941672c5e6a3a
In preparation for additions that should be private-only, move
the neverallows to domain's private part.
Bug: 125474642
Test: m
Change-Id: I7def500221701500956fc0b6948afc58aba5234e
The ro.surface_flinger.display_primary* properties are added to
property_contexts. Because these properties are located in vendor
partition, but surfaceflinger service which use these properties
is in the system partition.
Bug: 124531214
Test: m -j && boot test
Change-Id: If90c4bc75796d8966bbf3ee2e3bab39145395800
Needed for the bionic stdlib.getloadavg test.
Access to /proc/loadavg was inadvertantly removed when a new label was
assigned to that file in system/sepolicy commit
8c2323d3f9.
Addresses the following denial:
CtsBionicTestCa: type=1400 audit(0.0:188192): avc: denied { read } for name="loadavg" dev="proc" ino=4026531959 scontext=u:r:shell:s0 tcontext=u:object_r:proc_loadavg:s0 tclass=file permissive=0
Bug: 124024827
Test: compiles
Change-Id: Iadb5c98cb96f69ddc9418a64720370adae1bb51f
