This is to remove bad context name "exported3_system_prop".
- persist.sys.device_provisioned -> provisioned_prop
- sys.retaildemo.enabled -> retaildemo_prop
Bug: 154885206
Test: boot device and see no denials
Change-Id: Ia19a19d93d0689deb56d66fe0b039ace44e4836f
The IPv6 link-local address is used to avoid exposing the device outside
of the network segment.
BUG: 155198345
Test: manual test.
Change-Id: I0ce8c12de9976c01e57a6433c7fb50235e907dc5
For whatever reason sys.usb.config* has been labeled as
system_radio_prop, which doesn't make sense. Changing context name as
usb_prop. For the same reason exported_system_radio_prop is also
renamed to usb-related names.
Bug: 71814576
Bug: 154885206
Test: m selinux_policy
Change-Id: If30bc620dbeac926a8b9bcde908357fda739a6c1
Merged-In: If30bc620dbeac926a8b9bcde908357fda739a6c1
(cherry picked from commit 44fbcdb677)
It was used within external/ims to save its internal state. Removing it
from property_contexts as it's deleted now (aosp/1209267).
Bug: 152471138
Test: N/A
Change-Id: I1451390aada3dfff6c147de585cc316c5307c0b4
For whatever reason sys.usb.config* has been labeled as
system_radio_prop, which doesn't make sense. Changing context name as
usb_prop. For the same reason exported_system_radio_prop is also
renamed to usb-related names.
Bug: 71814576
Bug: 154885206
Test: m selinux_policy
Change-Id: If30bc620dbeac926a8b9bcde908357fda739a6c1
persist.sys.dalvik.vm.lib.2 is moved to a new context
dalvik_runtime_prop from bad context name.
Bug: 154885206
Test: boot device and see logcat
Change-Id: I9dea95105c266088d5f071bf2d890048f0999b0b
This is an experimental property on Q and isn't needed anymore.
Exempt-From-Owner-Approval: cherry-pick
Bug: 154885206
Test: N/A
Change-Id: I80415edc002345849b375e07fdf5783cf60c2446
Merged-In: I80415edc002345849b375e07fdf5783cf60c2446
(cherry picked from commit 7b59ae50e6)
[already merged in master and AOSP]
Make ro.incremental.enable a vendor-specific property. Allow
system_server and vold to read this property.
Test: manual
BUG: 155212902
Merged-In: I8ff8837af635fa8e7b5bb02e5f6de5ac15b5023b
Change-Id: Id432390023de232deb4cc4d0ff3fb73904093b60
[cherry-picking]
Make ro.incremental.enable a vendor-specific property. Allow
system_server and vold to read this property.
Test: manual
BUG: 155212902
Change-Id: I8ff8837af635fa8e7b5bb02e5f6de5ac15b5023b
Merged-In: I8ff8837af635fa8e7b5bb02e5f6de5ac15b5023b
[Will cherry-pick to AOSP]
Make ro.incremental.enable a vendor-specific property. Allow
system_server and vold to read this property.
Test: manual
BUG: 155212902
Change-Id: I8ff8837af635fa8e7b5bb02e5f6de5ac15b5023b
Merged-In: I8ff8837af635fa8e7b5bb02e5f6de5ac15b5023b
Cleaning up exported*_system_prop and moving surfaceflinger properties
to new property contexts.
Bug: 152468529
Bug: 154885206
Test: boot cf_x86 and crosshatch
Change-Id: I7f8a684e9cbabce2f55a5292d7b2283ac0716cd9
These comments were added when public/property_contexts was introduced.
The main purpose was to categorize exported properties by accessibility
from vendor. Removing the comments as these are now obsolete and cause
confusion.
Bug: 71814576
Test: N/A
Change-Id: Ibc1c8eefcd68c79b90df82d227fe03f2c09da3a3
Assigning a new context boot_status_prop for the following two properties:
- sys.boot_completed
- dev.bootcomplete
Bug: 154885206
Test: boot cf_x86 and crosshatch, see no denials
Change-Id: Ieadabf90a9a1b54b52a1283bd648c11c95d558dd
Merged-In: Ieadabf90a9a1b54b52a1283bd648c11c95d558dd
(cherry picked from commit 2973c96055)
Assigning a new context boot_status_prop for the following two properties:
- sys.boot_completed
- dev.bootcomplete
Bug: 154885206
Test: boot cf_x86 and crosshatch, see no denials
Change-Id: Ieadabf90a9a1b54b52a1283bd648c11c95d558dd
This prop allows vendors to specify whether their devices
have basic eBPF compatibility (ie. Linux kernel 4.9 with P VINTF).
Make it exported_default_prop because the shared library
libbpf_android is used in a lot of places.
See: https://r.android.com/1261922
Bug: 151753987
Signed-off-by: Felix <google@ix5.org>
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ifd9af558d84ea1619a6af7fce81b700fdfb22b9f
This is to clean up bad name "exported_dalvik_prop"
Bug: 154465224
Test: sepolicy_tests
Test: treble_sepolicy_tests 26.0 ~ 29.0
Change-Id: Ie5e738b5985c1db1bca7a857971d8490a7980b5b
The following properties are used in AudioService:
ro.config.alarm_vol_default
ro.config.alarm_vol_steps
ro.config.media_vol_default
ro.config.system_vol_default
ro.config.system_vol_steps
ro.config.vc_call_vol_default
Test: properties can be set from vendor with PRODUCT_COMPATIBLE_PROPERTY_OVERRIDE := true
Change-Id: Ib90103173989fcb0723f3d8465df3cd03334cc53
This property controls how much userspace reboot watchdog will wait for
userspace reboot to start before falling back to hard reboot.
Test: builds
Bug: 152803929
Change-Id: I6955e8c94708e7e4161e4f334b03c052d42c0f9f
Merged-In: I6955e8c94708e7e4161e4f334b03c052d42c0f9f
(cherry picked from commit 7947d580e3)
This property controls how much userspace reboot watchdog will wait for
userspace reboot to start before falling back to hard reboot.
Test: builds
Bug: 152803929
Change-Id: I6955e8c94708e7e4161e4f334b03c052d42c0f9f
Defined a new signal intended to allow the system to reboot
the audio/soundtrigger HAL process.
Fixes: 153461865
Test: See main change in topic
Change-Id: I1e4a770670bb1274fa6a23cd0641f2554d4679f7
Merged-In: I1e4a770670bb1274fa6a23cd0641f2554d4679f7
Defined a new signal intended to allow the system to reboot
the audio/soundtrigger HAL process.
Fixes: 153461865
Test: See main change in topic
Change-Id: I1e4a770670bb1274fa6a23cd0641f2554d4679f7
Bug: 150761030
Test: setting to 1 in device/google/cuttlefish/shared/device.mk
causes "default-key: Not enough arguments" as expected.
Change-Id: I73262efff0be15f0295d23168049ed9e3721a7f7
Three properties are declared as vendor-init-settable:
ro.media.xml_variant.codecs
ro.media.xml_variant.codecs_performance
ro.media.xml_variant.profiles
media_codecs.xml can now be named
media_codecs${ro.media.xml_variant.codecs}.xml
media_codecs_performance.xml can now be named
media_codecs_performance${ro.media.xml_variant.codecs_performance}.xml
media_profiles_V1_0 can now be named
media_profiles${ro.media.xml_variant.profiles}.xml
Test: Rename "media_codecs.xml" to "media_codecs_test.xml",
set ro.media.xml_variant.codecs to "_test", then
call "stagefright -i".
Test: Rename "media_codecs_performance.xml" to
"media_codecs_performance_test.xml",
set ro.media.xml_variant.codecs_performance to "_test", then
run android.media.cts.VideoDecoderPerfTest.
Test: Rename "media_profiles_V1_0.xml" to "media_profiles_test.xml",
set ro.media.xml_variant.profiles to "_test", then
run vts_mediaProfiles_validate_test.
Bug: 142102953
Change-Id: I407a0a327fcc8e799bb4079b11048a497565be48
This property type represents properties used in CTS tests of userspace
reboot. For example, test.userspace_reboot.requested property which is
used to check that userspace reboot was successful and didn't result in
full reboot, e.g.:
* before test setprop test.userspace_reboot.requested 1
* adb reboot userspace
* wait for boot to complete
* verify that value of test.userspace_reboot.requested is still 1
Test: adb shell setprop test.userspace_reboot.requested 1
Bug: 150901232
Change-Id: I45d187f386149cec08318ea8545ab864b5810ca8
Merged-In: I45d187f386149cec08318ea8545ab864b5810ca8
(cherry picked from commit 3bd53a9cee)
This property type represents properties used in CTS tests of userspace
reboot. For example, test.userspace_reboot.requested property which is
used to check that userspace reboot was successful and didn't result in
full reboot, e.g.:
* before test setprop test.userspace_reboot.requested 1
* adb reboot userspace
* wait for boot to complete
* verify that value of test.userspace_reboot.requested is still 1
Test: adb shell setprop test.userspace_reboot.requested 1
Bug: 150901232
Change-Id: I45d187f386149cec08318ea8545ab864b5810ca8
Add a vendor-specified system property to allow GPU fallback composition to occur at a lower resolution than the display mode resolution. This is required on platforms like TVs which have, for example, 2k GPUs but 4k capabilities, or 4k GPUs but 8k capabilities.
Bug: 144574809
Test: Tested with sysprop disabled, and tested backport in Android Q with sysprop enabled. Unable to test on Android R due to device issues.
Change-Id: Ife63c21a6e959d16e796d57956dd7dda2f5d383e
Originally public/property_contexts was introduced to create a whitelist
of system properties which can be accessed from vendor, and to be used
from VTS to ensure that the whitelist isn't modified. But it doesn't fit
well on sepolicy public/private split as the split isn't for stability,
but for letting vendor compile their sepolicy with public types. Also it
doesn't make sense only to check the whitelist on VTS, because platform
internal ones must also be unchanged.
This commit merges public/property_contexts into private as before. This
gives consistency with other context files such as file_contexts which
are already containing entries for vendor but are only defined in
private. This also simplifies property_contexts as there will be only one
property_contexts file. Another benefit is that VTS will check all
entries defined by system, not only exported ones.
Bug: 150331497
Test: m && run VtsTrebleSysProp manually
Change-Id: Ib9429e27b645ef21a36946fbaea069a718c3c6eb
Merged-In: Ib9429e27b645ef21a36946fbaea069a718c3c6eb
(cherry picked from commit 31391fa78e)
For system prop flags from DeviceConfig namespace "Configuration".
Test: Build and run on local device
Bug: 149420506
Change-Id: If4196b4bf231e7c52f98b92cc0031a08dad06120
Merged-In: If4196b4bf231e7c52f98b92cc0031a08dad06120
* allow shell to enable/disable the daemon via a sysprop
* don't audit signals, as some denials are expected
* exclude zygote from the profileable set of targets on debug builds.
I've not caught any crashes in practice, but believe there's a
possibility that the zygote forks while holding a non-whitelisted fd
due to the signal handler.
Bug: 144281346
Merged-In: Ib237d4edfb40b200a3bd52e6341f13c4777de3f1
Change-Id: Ib237d4edfb40b200a3bd52e6341f13c4777de3f1
(cherry picked from commit 008465e5ec)
For system prop flags from DeviceConfig namespace "Configuration".
Test: Build and run on local device
Bug: 149420506
Change-Id: If4196b4bf231e7c52f98b92cc0031a08dad06120
* allow shell to enable/disable the daemon via a sysprop
* don't audit signals, as some denials are expected
* exclude zygote from the profileable set of targets on debug builds.
I've not caught any crashes in practice, but believe there's a
possibility that the zygote forks while holding a non-whitelisted fd
due to the signal handler.
Change-Id: Ib237d4edfb40b200a3bd52e6341f13c4777de3f1
service.adb.tls.port contains the adbd tcp port running the TLS server.
persist.sys.adb.wifi tells adbd when to enable the TLS server.
Bug: 149348431
Bug: 111434128
Test: Enable wireless debugging, check if TLS port information is
displayed in the Developer options > Wireless debugging.
Change-Id: I5b5c5a3d064bc003f41386ede9051609fefec53e
This is renamed to ro.organization_owned to cover the extended
usage now that there is a new management mode for fully-managed
organization owned devices: organization-owned managed profile.
A device is considered fully-managed if there is a device owner
or an organization-owned managed profile.
Bug: 148437300
Test: atest FrameworksServicesTests:DevicePolicyManagerTest
Test: atest FrameworksServicesTests:SecurityEventTest
Test: atest FrameworksCoreTests:EventLogTest
Test: atest com.android.cts.devicepolicy.DeviceOwnerTest#testSecurityLoggingWithSingleUser
Test: atest com.android.cts.devicepolicy.DeviceOwnerTest#testSecurityLoggingWithTwoUsers
Test: atest com.android.cts.devicepolicy.DeviceOwnerTest#testSecurityLoggingEnabledLogged
Change-Id: Ic3288fe343d3b51c59f08678e114fe9a81cb39a4
sys.linker property was defined to enable / disable generating linker
configuration, but the property has been removed. Remove sys.linker
property definition as it is no longer in use.
Bug: 149335054
Test: m -j passed && cuttlefish worked without sepolicy error
Change-Id: Iacb2d561317d0920f93104717ce4f4bb424cc095
Merged-In: Iacb2d561317d0920f93104717ce4f4bb424cc095
Add a new nfc_cfg persist property for nfc features
Bug: 142626304
Test: set property and load target files.
Change-Id: I853c97e8113dbcf729cf59ad45895402b0c82b3e
This reverts commit 34240604aa.
Reason for revert: Droidcop: Potential culprit for Bug149218822- verifying through Forrest before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.
Change-Id: Iaba9f6e9125ac456a5787b1fcbb67d68c91c5f42
These properties are used to compute UserspaceRebootAtom and are going to
be written by system_server. Also removed now unused
userspace_reboot_prop.
Test: builds
Bug: 148767783
Change-Id: Iee44b4ca9f5d3913ac71b2ac6959c232f060f0ed
Written exclusively by init. Made it readable by shell for CTS, and for
easier platform debugging.
Bug: 137092007
Change-Id: Ia5b056117502c272bc7169661069d0c8020695e2
Add a new nfc persist property for nfc features
Bug: 148056494
Test: set property and load target files.
Change-Id: Iad5ffea125a457eb1af3d56f2f3cabfb273d5218
The module is getting renamed, so rename all the policy
relating to it at the same time.
Bug: 137191822
Test: presubmit
Change-Id: Ia9d966ca9884ce068bd96cf5734e4a459158c85b
Merged-In: Ia9d966ca9884ce068bd96cf5734e4a459158c85b
(cherry picked from commit 6505573c36)
* These properties are used by the wifi hal and it works as expected on
devices with compatible property. However, on devices without
compatible property, these properties are labeled as "default_prop"
because public/property_contexts is not used. Thus they can't be set
by the hal.
* To tackle the problem, label them as "wifi_prop" in
private/property_contexts which also works on devices without compatible
property. The label will be overridden later by
public/property_contexts rules if they exist.
Change-Id: If8b8bd5bea64f2ea08864cc62f6dc405cb394e00
Add a domain for derive_sdk which is allowed to set
persist.com.android.sdkext.sdk_info, readable by all
apps (but should only be read by the BCP).
Bug: 137191822
Test: run derive_sdk, getprop persist.com.android.sdkext.sdk_info
Change-Id: I389116f45faad11fa5baa8d617dda30fb9acec7a
This reverts commit baa06ee2cd.
Reason for revert: Added missing property name in vendor_init.te.
Bug: none
Test: none (other than neverallow checking)
Change-Id: I9e93bf4ea6ca3a4634f8f4cbce2f13c5f410883b
Add the SELinux policy to implement a no-write persistent property
controlling whether to launch a JVMTI agent in the system server.
Bug: none
Test: none (other than the neverallow)
Change-Id: Ic70ee5b05c5507b4159ef4c825a360be47bc02b0
By default sys.init.userspace_reboot.* properties are internal to
/system partition. Only exception is
sys.init.userspace_reboot.in_progress which signals to all native
services (including vendor ones) that userspace reboot is happening,
hence it should be a system_public_prop.
Only init should be allowed to set userspace reboot related properties.
Bug: 135984674
Test: builds
Test: adb reboot userspace
Change-Id: Ibb04965be2d5bf6e81b34569aaaa1014ff61e0d3
The property is set to inform kernel to do a warm_reset on the next
reboot. This is useful to persist the logs to debug device boot
failures. More details in http://go/rvc-ota-persist-logs.
The property is set to 1 by update_engine after an OTA. And it's set to
0 by update_verifier or vold after we mark the current slot boot
successful.
The property is read by vendor_init. And according to its value,
vendor_init writes a particular sysfs file to schedule a warm reset
on the following reboot.
Without the new context, the denial message says:
[ 13.423163] audit: type=1107 audit(1746393.166:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { read } for property=ota.warm_reset pid=0 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0'
[ 23.096497] init: Unable to set property 'OTA.warm_reset' from uid:0 gid:2001 pid:841: SELinux permission check failed
[ 23.096574] type=1107 audit(1573768000.668:42): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=OTA.warm_reset pid=841 uid=0 gid=2001 scontext=u:r:update_verifier:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=0'
[ 23.108430] update_verifier: Failed to reset the warm reset flag
Bug: 143489994
Test: check the property can be set by update_engine, and read by vendor_init
Change-Id: I87c12a53a138b72ecfed3ab6a4d846c20f5a8484
This property is used for testing purposes when verifying the
behavior when an OTA occurs. It should be readable by the
system server, and be settable by the shell.
Test: Set property from shell, read with PackageManager
Bug: 140992644
Change-Id: I39ad9b7961208f02fa45011215c2ff5ac03b7380
To support linker-specific property, sys.linker.* has been defined as
linker_prop. This will have get_prop access from domain so all binaries
can start with linker using proper property access level.
Bug: 138920271
Test: m -j && Confirmed from cuttlefish that get_prop errors are no longer found
Change-Id: Iaf584e0cbdd5bca3d5667e93cf9a6401e757a314
Used to restrict properties init.svc_debug_pid.*
Bug: 138114550
Test: getprop | grep init.svc_debug_pid only shows results on root
Change-Id: I0c10699deec4c548a2463a934e96b897ddee1678
Allow charger to read system properties with this prefix
so that charger's behavior is controlled by runtime.
Test: run offline charging on walleye
Bug: 124118169
Change-Id: I4266b2d043a5323b4adbd1636ada46b7e08ca667
http://aosp/678384 changed property format
Fixes: 137695210
Test: inject timeout and take BR see dumpstate restarted
Change-Id: Ie24e2d42e92410a935ca4c9364b476d72aa459f3
Ueventd can't set properties currently, but this is an artificial
limitation, since ueventd communicates to init that it has finished
cold boot via a file, and init polls this file instead of returning to
the epoll loop, where properties are handled.
A related change replaces that file with a property and thus frees
ueventd to be able to set properties. This change creates the
cold_boot_done property type for this property and gives only ueventd
permissions to set it.
Bug: 62301678
Test: boot, check that properties are set
Change-Id: I40843b423b192ea841db6a82f648e5bab9738e0e
This property will be set by system_server (to indicate the currently
selected theme for device), and can be accessed by vendor init.rc.
avc: denied { read } for property=persist.sys.theme pid=0 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:theme_prop:s0 tclass=file
Bug: 113028175
Test: Set a vendor init trigger that waits on `persist.sys.theme`. Check
that the trigger fires without denial.
Change-Id: Ia85b1a8dfc118efdbb9337ca017c8fb7958dc386
Merged-In: Ibb4e392d5059b76059f36f7d11ba82cd65cbe970
(cherry picked from commit 75182a1ea6)
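The denials quoted in the ota.warm_reset and persist.sys.theme commit messages above can be triaged mechanically. The following is an added example, not code from AOSP or from these commits: it parses property AVC denials and separates properties that still fall under default_prop (no dedicated context yet) from properties that are labelled but lack access for the requesting domain. The function names and the wording of the findings are assumptions made for illustration; the log lines are copied from this page with kernel timestamps dropped.

```python
import re

# Log lines copied from the commit messages on this page (kernel timestamps
# dropped). The non-AVC init line is kept to show that it is skipped.
SAMPLE_LOG = """\
audit: type=1107 audit(1746393.166:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { read } for property=ota.warm_reset pid=0 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0'
init: Unable to set property 'OTA.warm_reset' from uid:0 gid:2001 pid:841: SELinux permission check failed
type=1107 audit(1573768000.668:42): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=OTA.warm_reset pid=841 uid=0 gid=2001 scontext=u:r:update_verifier:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=0'
avc: denied { read } for property=persist.sys.theme pid=0 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:theme_prop:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def selinux_type(context):
    """Return the type field of a user:role:type:level context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_property_denials(text):
    """Extract AVC denials that name a property; other lines are ignored."""
    denials = []
    for line in text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue
        fields = {k: v.strip("'\"") for k, v in KV_RE.findall(match.group("rest"))}
        if "property" not in fields:
            continue  # an AVC denial, but not about a property
        denials.append({
            "property": fields["property"],
            "perms": match.group("perms").split(),
            "source": selinux_type(fields.get("scontext", "")),
            "target": selinux_type(fields.get("tcontext", "")),
            "tclass": fields.get("tclass", ""),
        })
    return denials


def triage(denials):
    """Group denials per property and say what kind of policy gap each one is.

    Property names are case-sensitive, so ota.warm_reset and OTA.warm_reset
    are reported as two separate properties.
    """
    report = {}
    for d in denials:
        if d["target"] == "default_prop":
            finding = "unlabelled: needs its own property_contexts entry"
        else:
            finding = "labelled: review access for the source domain"
        entry = report.setdefault(
            d["property"],
            {"finding": finding, "target": d["target"], "access": set()},
        )
        for perm in d["perms"]:
            entry["access"].add((d["source"], perm, d["tclass"]))
    return report


if __name__ == "__main__":
    for prop, entry in sorted(triage(parse_property_denials(SAMPLE_LOG)).items()):
        print(f"{prop} [{entry['target']}] {entry['finding']}")
        for source, perm, tclass in sorted(entry["access"]):
            print(f"    {source} was denied {{ {perm} }} on class {tclass}")
```
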
apexd stops itself when it finds that it is running on a device with
flattened APEXes (i.e. ro.apex.updatable = false).
Bug: 133907211
Test: launch sdk_phone_x86_64
adb logcat -d | grep apexd | wc -l
returns 3
Change-Id: I7fa161b069aa34adb028194b55f367fe740a0cfc
and allow shell and system_app (Settings) to set it to enable Dynamic System Update.
Also allow priv_app (user of the API) to read it.
Bug: 119647479
Bug: 129060539
Test: run the following command on crosshatch-user:
adb shell setprop persist.sys.fflag.override.settings_dynamic_system 1
Change-Id: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
Merged-In: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
Property is NNAPI client-readable and writeable only by init/build.prop.
Bug: 129666983
Bug: 120483623
Test: flashed crosshatch/Cts tests for NNAPI
Change-Id: Ic4c0f176440610a2c54c078863f3d5382323cc65
- lpdump is a binary on the device that talks to lpdumpd
via binder.
- lpdumpd is a daemon on the device that actually reads
dynamic partition metadata. Only lpdump can talk to it.
Bug: 126233777
Test: boots (sanity)
Test: lpdump
Change-Id: I0e21f35ac136bcbb0603940364e8117f2d6ac438
gsid is started lazily to reduce memory pressure. It can be started
either via gsi_tool (invoked by adb shell), or by DynamicAndroidService
via system_server.
Bug: 126622385
Test: no denials running "gsi_tool status"
Change-Id: I90a5f3f28fe4f294fb60e7c87a62e76716fbd5c0
This CL allows traced to set the
sys.traceur.trace_end_signal property at the end
of the tracer. In turn that property notifies
the Traceur app.
This is to allow Traceur to be killed during
a long-trace and avoid wasting resources making
it a persistent service.
See aosp/886616 for the matching traceur change.
Test: manual
Bug: 116754732
Change-Id: I89e2f02b3f973813ce8ff3507d397a06502f84c1
Some runtime properties require reboots and should be in the
native_boot namespace instead of native.
Bug: 120794191
Bug: 123524494
Test: set a property and ensure it can be read in AndroidRuntime.cpp
Change-Id: I1d1e984dcba26dd04d34a7d30fc63e1b75a8a311
The convention for native properties is to use _native suffix.
Bug: 123524494
Bug: 120794191
Test: set a property and ensure it can be read in AndroidRuntime.cpp
Change-Id: I69feab9be78f24d812b8f953d3ec06a5d8d18f15
Bug: 120794191
Bug: 123524494
Test: set a property and ensure it can be read in AndroidRuntime.cpp
Change-Id: Ib37102f35e9987d3d9baff83c45571a5d632ad50
Whitelist the persistent system properties that will be used as
flags in activity manager experiments.
Bug: 120794810
Test: m, flash, test getting flag value in ActivityManagerService.java
Change-Id: I90a10bc87d6db3a64347b62fd02e6f0b12ac9fa8
For input experiments that are enabled at boot time, allow system_server
to read and write the device config flags.
Bug: 120794829
Test: presubmit
Change-Id: I0f075a7579c593d4e07c3e31be529e34554068a6
For experiment flag testing, we add a flag netd and have
SEPolicy updates.
Test: add sepolicy, m -j, check GetServerConfigurableFlag function in netd
Bug: 122050512
Change-Id: I21c844c277afc358085d80447f16e4c0d4eba5b3
This is analogous to what Perfetto does with persist.traced.enable.
Test: m
Test: flash walleye
Test: setprop persist.heapprofd.enable 1
setprop persist.heapprofd.enable 0
Change-Id: I997272ef8c6fe078aca2388ed0cf2ecc3de612a5
This is world-readable so it can be checked in libc's process init.
Test: m
Test: flash sailfish
Bug: 117821125
Change-Id: Iac7317ceb75b5ad9cfb9adabdf16929263fa8a9d
device_config_flags_health_check_prop is used for enabling/disabling
program flags_health_check which is executed during device booting.
"1" means enabling health check actions in flags_health_check, other
values mean flags_health_check will not perform any action.
Test: build succeeded & manual test
Change-Id: I93739dc5d155e057d72d08fd13097eb63c1193b5
apexd_prop is also defined in private/property_contexts in order to make
the type exist even when PRODUCT_COMPATIBLE_PROPERTY is false (i.e.,
Pixel 1).
Bug: 119220815
Test: m plat_property_contexts for sailfish
the built plat_property_contexts has apexd_prop defined
Change-Id: I9ef71410533c1f64fc6a3112cfcb199d23aaf3db
Historically, vendor-init-actionable was created since the various
property_contexts files were not yet available when init parses its
scripts. Since then, the property_contexts files are now always
available when init parses its scripts, so we can collapse these two
categories.
Specifically, this change ensures that all of the properties in the
previous 'stable_properties.h' file in init, which contained the
vendor-init-actionable properties, are able to be read by init
according to SEPolicy.
Bug: 71814576
Test: vendor_init fails to use non-readable properties as a trigger
Test: vendor_init successfully uses readable properties as a trigger
Change-Id: Ic6d9919b6047f3076a1a19fc26295c6a77aca627
llkd needs the ptrace capabilities and dac override to monitor for
live lock conditions on the stack dumps.
Test: compile
Bug: 33808187
Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126
Allow lmkd write access to sys.lmk. properties to be able to set
sys.lmk.minfree_levels.
Bug: 111521182
Test: getprop sys.lmk.minfree_levels returns value set by lmkd
Change-Id: I86ff11d75917966857d3a76876a56799bb92a5ad
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
This change makes it such that only init can start adbd directly. It
also introduces new rules for ctl.{start,stop,restart} properties such
that only usbd and recovery (and su, since it's permissive) can directly
ask init to start adbd.
Bug: 64720460
Test: adbd still runs
Test: /data/nativetest64/adbd_test/adbd_test
Test: python system/core/adb/test_adb.py
Test: "USB debugging" in System Settings still starts/stops adbd
Test: Recovery menu still makes the device show as "recovery" in adb
devices
Test: "Apply update from ADB" in recovery menu still works
Change-Id: Iafcda8aa44e85129afcc958036b472d856fa1192
This adds a label for system properties that will affect system-wide
time / time detection logic.
The first example will be something like:
persist.time.detection_impl_version
Bug: 78217059
Test: build
Change-Id: I46044f1e28170760001da9acf2496a1e3037e48a
To ensure a surprise reboot does not take the last boot reason at
face value especially if coming from more than one boot session ago.
We shift and clear the value from persist.sys.boot.reason to
sys.boot.reason.last and establish a correct last reboot reason in
the canonical sys.boot.reason property. As a result, the power
manager should read the canonical sys.boot.reason for a definitive
result rather than relying on the possibly incorrect values in the
persistent storage. sys.boot.reason should be a core property as
it represents the canonical boot reason API.
Test: compile
Bug: 86671991
Bug: 63736262
Change-Id: If3742c487d6c0ab69c464f056bf48c786b66a945
Currently, permissions for ctl. property apply to each action verb, so
if a domain has permissions for controlling service 'foo', then it can
start, stop, and restart foo.
This change implements finer-grained permissions such that permission
can be given to strictly start a given service, but not stop or
restart it. This new permission scheme is mandatory for the new
control functions, sigstop_on, sigstop_off, interface_start,
interface_stop, interface_restart.
Bug: 78511553
Test: see appropriate successes and failures based on permissions
Merged-In: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
Change-Id: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
(cherry picked from commit 2208f96e9e)
Bug: 77489941
Test: simulate delay in dumpstate HAL and get BR, see below from dumpstate_log.txt
dumpstateBoard timed out after 10s, killing dumpstate vendor HAL
dumpstateBoard failed: Status(EX_TRANSACTION_FAILED): 'DEAD_OBJECT: '
Change-Id: I90ed5cb8fe8da8ad21ae77676433936cb12d9d04
(cherry picked from commit 60d1767459)
com.android.server.power.PowerManagerServiceTest#testGetLastShutdownReasonInternal due to "RuntimeException: failed to set system property"
W/roidJUnitRunner: type=1400 audit(0.0:6): avc: denied { write } for name="property_service" dev="tmpfs" ino=13178 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
W/libc : Unable to set property "test.sys.boot.reason" to "shutdown,thermal": connection failed; errno=13 (Permission denied)
Had to use precise property definition as com.android.phone accesses
test properties as well.
Test: compile
Bug: 78245377
Change-Id: I2cc810846f8615f2a2fae8e0d4f41de585b7abd7
com.android.server.power.PowerManagerServiceTest#testGetLastShutdownReasonInternal due to "RuntimeException: failed to set system property"
W/roidJUnitRunner: type=1400 audit(0.0:6): avc: denied { write } for name="property_service" dev="tmpfs" ino=13178 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
W/libc : Unable to set property "test.sys.boot.reason" to "shutdown,thermal": connection failed; errno=13 (Permission denied)
Test: compile
Bug: 78245377
Change-Id: Id21436d281bab27823969a9f7e92318d70b5a2d6
This is to fix the CTS failures given by the bugs below where devices
on which traced is not enabled by default cause test failures.
Bug: 78215159
Bug: 78347829
Change-Id: Ib0f6a1cdb770528dbbeb857368534ff5040e464e
This reverts commit 6f2040f873.
Reason for revert: not needed anymore after ag/3773705
This was meant to allow system_server toggling the property on/off.
Later we realized that we needed a separate property for that
(see discussion in b/76077784) and system server happens to
have already permissions to write to sys.* properties even without
this CL.
Reverting because at this point this creates just unnecessary clutter.
Change-Id: Ia73d000aad3c4288a5652047dfe10896e231b0b1
Test: perfetto_integrationtests
Bug: 76077784
To enable/disable the traced and traced_probes daemons remotely we would
like system server to be able to set persist.traced.enable.
See also ag/3736001.
Denial:
selinux: avc: denied { set } for
property=persist.traced.enable
pid=1606 uid=1000 gid=1000
scontext=u:r:system_server:s0
tcontext=u:object_r:default_prop:s0 tclass=property_service
permissive=0\x0a
Run:
$ adb shell 'ps -A | grep traced'
Should see traced.
$ adb shell 'settings put global sys_traced 0'
$ adb shell 'ps -A | grep traced'
Should no longer see traced.
Test: See above.
Change-Id: I245b7df3853cabeb0e75db41fb4facaa178ab8f1
Since /odm is an extension of /vendor, its default property contexts
should be consistent with ones of /vendor.
Bug: 36796459
Test: tested on wahoo devices
Change-Id: Ia67ebe81e9c7102aab35a34f14738ed9a24811d3
Duplicate property names are supported now for prefix and exact
matching.
Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: Ifd9d32eaece7370d69f121e88d5541f7a2e34458
This CL lists all the exported platform properties in
private/exported_property_contexts.
Additionally accessing core_property_type from vendor components is
restricted.
Instead public_readable_property_type is used to allow vendor components
to read exported platform properties, and accessibility from
vendor_init is also specified explicitly.
Note that whitelisting would be applied only if
PRODUCT_COMPATIBLE_PROPERTY is set on.
Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e
This reverts commit 248b6dc644.
Reason for revert: The dashboard complains that devices don't boot after this revert.
Change-Id: I6a4648b64b096cbaa97c67aae6bc38b76d54cb48
This reverts commit d1cf3a4056.
Reason for revert: It breaks CTS b/69309298 and other platform tests which read pm.dexopt properties.
Change-Id: I5c7cde041113e9c19bb23218edd99f699fcf4a06
Switch from /data/misc/reboot/last_reboot_reason to persistent
Android property persist.sys.boot.reason for indicating why the
device is rebooted or shutdown.
Introduce protection for all boot reason properties
Protect the following properties with these labels
ro.boot.bootreason u:object_r:bootloader_boot_reason_prop:s0
sys.boot.reason u:object_r:sys_boot_reason_prop:s0
persist.sys.boot.reason u:object_r:last_boot_reason_prop:s0
Setup the current as-need access rules for each.
ToDo: Remove u:object_r:reboot_data_file after internal fixes.
Test: system/core/bootstat/boot_reason_test.sh
Bug: 64687998
Change-Id: I3771c73933e8ae2d94aee936c7a38b6282611b80
This change must only be submitted when device-specific policies
have been reverted.
This reverts commit 07e631d2e0.
Bug: 17613910
Test: builds
Change-Id: Ie33e293107bf1eba2498f2422d941544c76b8cad
Merged-In: I356c39a5dc955b3d7c28d8c7baf2887a17beb272
This change did not make it into core sepolicy in time for O.
The revert allows devices to define these selinux policies in
vendor-specific sepolicy instead of core sepolicy. It is
necessary because:
1. It is too late to change property_contexts in O.
2. Adding the netd_stable_secret prop to vendor sepolicy results
in a duplicate definition error at compile time.
3. Defining a new vendor-specific context (such as
net_stable_secret_vendor_prop) and applying it to
persist.netd.stable_secret results in the device not booting
due to attempting to apply two different contexts to the same
property.
Lack of the sepolicy no longer breaks wifi connectivity now that
IpManager no longer considers failure to set the stable secret to
be a fatal error.
Once all interested devices have adopted the vendor sepolicy,
this policy can safely be reinstated by reverting said vendor
sepolicies in internal master.
This reverts commit abb1ba6532.
Bug: 17613910
Test: bullhead builds, boots, connects to wifi
Change-Id: Idffcf78491171c54bca9f93cb920eab9b1c47709
This is used to persist RFC 7217 stable secrets across device reboots.
First submit caused a merge conflict. This revision replaces netd_prop
with a more unique name netd_stable_secret_prop.
Test: as follows
- Manually tested that stable_secret is generated on first use and
persists until reset of user data partition (factory reset).
- Tested that "adb shell getprop" was denied access to
persist.netd.stable_secret after running "adb unroot".
Bug: 17613910
Change-Id: I0a609c724799a15b1926e62534c16810d34f2275
This broke the build on master. See b/17613910#comment17
for details.
This reverts commit ef1fd98b6a.
Change-Id: I11f7d463061a9b6340c11827135586266e26f016
This is used to persist RFC 7217 stable secrets across device reboots.
Test: as follows
- Manually tested that stable_secret is generated on first use and
persists until reset of user data partition (factory reset).
- Tested that "adb shell getprop" was denied access to
persist.netd.stable_secret after running "adb unroot".
Bug: 17613910
Change-Id: I4dad00fb189d697aceaffae49ad63987c7e45054
Add selinux policies for init script and shell script to unzip a tar
containing ASAN libraries on boot.
Bug: 36458146
Test: m && m SANITIZE_TARGET=address
Test: manual (build steps for tar missing)
Change-Id: I5c3cb233aae93ee9985431090af902b0e3c1b0a7
(cherry picked from commit 0b74305011)
Merged-In: I5c3cb233aae93ee9985431090af902b0e3c1b0a7
- compared to ro.boottime, this one does not pass time info
bug: 35178781
bug: 34274385
Test: reboot
Change-Id: I6a7bf636a3f201653e2890751d5fa210274c9ede
Move net.dns* from net_radio_prop to the newly created label
net_dns_prop. This allows finer grain control over this specific
property.
Prior to this change, this property was readable to all SELinux domains,
and writable by the following SELinux domains:
* system_server
* system_app (apps which run as UID=system)
* netmgrd
* radio
This change:
1) Removes read access to this property to everyone EXCEPT untrusted_app
and system_server.
2) Limits write access to system_server.
In particular, this change removes read access to priv_apps. Any
priv_app which ships with the system should not be reading this
property.
Bug: 34115651
Test: Device boots, wifi turns on, no problems browsing the internet
Change-Id: I8a32e98c4f573d634485c4feac91baa35d021d38
- Added set_prop to shell so that you can set it from shell.
- Added set_prop to system_app so that it can be updated in settings.
Bug: 34256441
Test: can update prop from Settings and shell. nfc and lights work with
ag/1833821 with persist.hal.binderization set to on and off. There are
no additional selinux denials.
Change-Id: I883ca489093c1d56b2efa725c58e6e3f3b81c3aa
This removes access to Bluetooth system properties from arbitrary
SELinux domains. Access remains granted to init, bluetooth, and
system_app domains. neverallow rules / CTS enforce that access is not
granted to Zygote and processes spawned from Zygote except for
system_app and bluetooth.
The reason is that some of these properties may leak persistent
identifiers not resettable by the user.
Test: Bluetooth pairing and data transfer works
Bug: 33700679
Change-Id: Icdcb3927a423c4011a62942340a498cc1b302472
ro.runtime.firstboot system property is only used internally by
system_server to distinguish between first start after boot from
consecutive starts (for example, this happens when full-disk
encryption is enabled). The value of the property is a
millisecond-precise timestamp which can help track an individual
device. Thus apps should not have access to this property.
Test: Device boots fine, reading ro.runtime.firstboot from an app results in an error and SELinux denial.
Bug: 33700679
Change-Id: I4c3c26a35c5dd840bced3a3e53d071f45317f63c
This restricts access to ro.serialno and ro.boot.serialno, the two
system properties which contain the device's serial number, to a
select few SELinux domains which need the access. In particular, this
removes access to these properties from Android apps. Apps can access
the serial number via the public android.os.Build API. System
properties are not public API for apps.
The reason for the restriction is that serial number is a globally
unique identifier which cannot be reset by the user. Thus, it can be
used as a super-cookie by apps. Apps need to wean themselves off of
identifiers not resettable by the user.
Test: Set up fresh GMS device, install some apps via Play, update some apps, use Chrome
Test: Access the device via ADB (ADBD exposes serial number)
Test: Enable MTP over USB, use mtp-detect to confirm that serial number is reported in MTP DeviceInfo
Bug: 31402365
Bug: 33700679
Change-Id: I4713133b8d78dbc63d8272503e80cd2ffd63a2a7
system/core commit 331cf2fb7c16b5b25064f8d2f00284105a9b413f created a
number of new properties of the form:
[ro.boottime.init]: [5294587604]
[ro.boottime.InputEventFind]: [10278767840]
[ro.boottime.adbd]: [8359267180]
...
These properties were assigned the default_prop SELinux label because a
better label did not exist. Properties labeled with the default_prop
label are readable to any SELinux domain, which is overly broad.
bullhead:/ $ getprop -Z ro.boottime.adbd
u:object_r:default_prop:s0
Instead, create a new label for the ro.boottime.* properties so we can
apply more fine grain read access control to these properties.
bullhead:/ $ getprop -Z ro.boottime.adbd
u:object_r:boottime_prop:s0
New SELinux property labels have minimal permissions by default. As a
result, after this change, ro.boottime.* properties will only be
readable to system_server, bootstat, init (because it manages the property
space), and "adb root" (because no SELinux permissions are enforced there).
Additional read access can be granted as-needed.
This is part of a larger effort to implement fine-grain access control
on the properties managed by init.
Test: Device boots and no SELinux denials on boot.
Change-Id: Ibf981cb81898f4356fdc5c1b6f15dd93c0d6d84d
Allow the system_server to change. Allow the zygote to read it as well.
Test: Have system_server set a property
Change-Id: Ie90eec8b733fa7193861026a3a6e0fb0ba5d5318
Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.
Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.
Test: Tested by building policy and running on device.
Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c