Add a domain for derive_sdk which is allowed to set
persist.com.android.sdkext.sdk_info, readable by all
apps (but should only be read by the BCP).
Bug: 137191822
Test: run derive_sdk, getprop persist.com.android.sdkext.sdk_info
Change-Id: I389116f45faad11fa5baa8d617dda30fb9acec7a
Currently linker config locates under /dev, but this makes some problem
in case of using two system partitions using chroot. To match system
image and configuration, linker config better stays under /linkerconfig
Bug: 144966380
Test: m -j passed && tested from cuttlefish
Change-Id: Iea67663442888c410f29f8dd0c44fe49e3fcef94
PackageManager tries to scan /apex (apex_mnt_dir) for flattened apexes.
Previously, because /apex was blindly bind-mounted to /system/apex for
"flattened" apexes, the label for /apex is the same as /system/apex,
which is oaky for system_server to handle it.
But to support flattened apexes from other partitions such as /vendor or
/system_ext, every apex should be mounted under /apex individually,
which leaves the se-label of /apex unchanged (apex_mnt_dir).
Bug: 144732372
Test: boot with flattened apexes
see if there are errors "denied system_server with apex_mnt_dir"
Change-Id: I81bd6ab152770c3c569b22274a6caa026615303e
SLCAN setup requires certain ioctls and read/write operations to
certain tty's. This change allows the HAL to set up SLCAN devices while
complying with SEPolicy.
In addition to adding support for SLCAN, I've also included permissions
for using setsockopt. In order for the CAN HAL receive error frames from
the CAN bus controller, we need to first set the error mask and filter
via setsockopt.
Test: manual
Bug: 144458917
Bug: 144513919
Change-Id: I63a48ad6677a22f05d50d665a81868011c027898
Init.rc requires to limit max discard to avoid long latencies.
Change-Id: Idf3b295ac15efd5edf979ca896fdf826b9fc3c99
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
We've moved GMS core to its own domain, and this permission should no
longer be applied to the broader priv_app domain.
Before we delete the rule, we are auditing it to see if any other
privapps need it.
Bug: 142672293
Test: TH
Change-Id: I29c29739f4c3caf5d24361b69adc584047da0ef0
Based on guidance from the Mainline team, we're placing the
MediaProvider APK inside a new APEX, as this will allow us to
move MediaStore.java inside the module boundary in a future CL.
Bug: 144247087
Test: manual
Change-Id: I88f6f2e598d9611e8b92143504e4328d93671cab
We need this permission now that GMS core runs in its own domain and not
in the priv_app domain.
Bug: 145379440
Bug: 142672293
Test: TH
Change-Id: Idc4bf6863ba767d287c218c07d0eb5aebbe50f91
ro.apk_verity.mode was introduced in P on crosshatch. This change
changes the label from default_prop to a new property, apk_verity_prop.
ro.apk_verity.mode is set by vendor_init per build.prop, in order to
honor Treble split. It is also read by system_server and installd
currently.
Test: verify functioning without denials in dmesg
Bug: 142494008
Bug: 144164497
Change-Id: I1f24513d79237091cf30025bb7ca63282e23c739
init and dumpstate should be able to access all properties, but they are
in coredomain, so neverallow rules for vendor properties should be
changed in order to avoid conflicts.
Bug: 145339613
Test: add vendor_internal_prop manually and build.
Change-Id: If582870f855e4444f8ac0d091696c0c7fd833791
This change enforces all the defined rules for the vzwomatrigger_app
domain and unsets permissive mode. There have not been any new denials
in the past weeks for this domain (source: go/sedenials), and hence this
domain appears to not need any new permissions.
Bug: 142672293
Test: Green builds
Change-Id: I588b4e3038a3e8188d97183a592f9023a95dd3a8
VTS and CTS-on-GSI report the device's ro.odm.build.version.incremental
or ro.vendor.build.version.incremental. The properties need to be
readable without root privilege.
Test: adb shell getprop ro.odm.build.version.incremental
Bug: 145255132
Change-Id: Ibb71185888cce022cb3a9be3e6fb2199d5f438d9
It follows examples of other APEX to make file_contexts of ipsec
module as "android:path" property
Bug: 143192273
Test: atest ipsec_e2e_tests
Change-Id: Idbba1f964aad7e54077ac77250f9cfd6a6b5049e
* changes:
Revert "sepolicy: Permission changes for new wifi mainline module"
Revert "wifi_stack: Move to network_stack process"
Revert "sepolicy(wifi): Allow audio service access from wifi"
![](/avatar/ef4a85532a29218c6b19b60e782b0746?size=56 "Harpreet \\"Eli\\" Sangha"){kind=small}
