It's okay for isolated apps to connect to the webview update service to
find out which APK is WebView. This enables isolated renderer processes
to load their code from the WebView APK.
Change-Id: Ia287280a994dbd852b4f630da5548e7b6cf4e08f

Vold needs to be able to query if the directory exists and
eventually to fix permissions and the owner.
Typical error:
W vold : type=1400 audit(0.0:485): avc: denied { getattr }
for path="/data/misc/profiles/cur/11/foreign-dex" dev="dm-2"
ino=343857 scontext=u:r:vold:s0
tcontext=u:object_r:user_profile_foreign_dex_data_file:s0 tclass=dir
permissive=0
Bug: 27517932
Change-Id: Iff10c864634baa97cc814916ee7495b262e0c7eb

It's unlikely we'll get /proc locked down for the N release, so
delete the auditallow to avoid spamming the logs. Mark this
commit as DO NOT MERGE so we can continue to make progress on this
for future Android releases.
Change-Id: Ibf27bc5cb1b23c21e123aae8a4f190560d0ac2dc

Both appdomain and priv_app can set the default ringtones, so the
cache files need to be mlstrustedobject.
avc: denied { write } for path="/data/system_de/0/ringtones/ringtone_cache" dev="mmcblk0p44" ino=1602501 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0
Bug: 27366059
Change-Id: Ib362f58b180a62bd46800083d6c538426f955b10

When using the A/B updater, a device specific hook is sometimes needed
to run after the new partitions are updated but before rebooting into
the new image. This hook is referred to throughout the code as the
"postinstall" step.
This patch creates a new execution domain "postinstall" which
update_engine will use to run said hook. Since the hook needs to run
from the new image (namely, slot "B"), update_engine needs to
temporarily mount this B partition into /postinstall and then run a
program from there.
Since the new program in B runs from the old execution context in A, we
can't rely on the labels set in the xattr in the new filesystem to
enforce the policies baked into the old running image. Instead, when
temporarily mounting the new filesystem in update_engine, we override
all the new file attributes with the new postinstall_file type by
passing "context=u:object_r:postinstall_file:s0" to the mount syscall.
This allows us to set new rules specific to the postinstall environment
that are consistent with the rules in the old system.
Bug: 27177071
TEST=Deployed a payload with a trivial postinstall script to edison-eng.
(cherry picked from commit 6cb2c893b1)
Change-Id: I49a529eecf1ef0524819470876ef7c8c2659c7ef

Define new netlink socket security classes introduced by upstream kernel commit
6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 ("selinux: update netlink socket
classes"). This was merged in Linux 4.2 and is therefore only required
for Android kernels based on 4.2 or newer (e.g. the android-4.4 branch
of the kernel/common tree).
Add the new socket classes to socket_class_set.
Add an initial set of allow rules although further refinement
will likely be necessary. Any allow rule previously written
on :netlink_socket may need to be rewritten or duplicated for
one or more of the more specific classes. For now, we retain
the existing :netlink_socket rules for compatibility on older kernels.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
(cherry picked from commit 01d95c23ab)
Change-Id: Ic00a0d474730cda91ba3bc387e0cc14482f82114

For apps installed in /data (vs the system image), Otapreopt puts
A/B artifacts alongside the regular oat location with a "b" suffix.
Give Otapreopt the right to create and write such files.
Bug: 25612095
Change-Id: Idf3f0959816f49407036cea9b8e684b26c510e80

system_server used to communicate with uncrypt via files (e.g.
/cache/recovery/command and /cache/recovery/uncrypt_status). Since A/B
devices may not have /cache partitions anymore, we switch to communicate
via /dev/socket/uncrypt to allow things like factory reset to keep
working.
Bug: 27176738
Change-Id: I73b6d6f1ecdf16fd4f3600b5e524da06f35b5bca

This is a special profile folder where apps will leave profile markers
for the dex files they load and don't own. System server will read the
markers and decide which apk should be fully compiled instead of
profile-guided compiled.
Apps need only to be able to create (touch) files in this directory.
System server needs only to be able to check whether or not a file with a
given name exists.
Bug: 27334750
Bug: 26080105
Change-Id: I2256e4aba1ec0e5117de6497123223b9a74f404e

Bluetooth uses the tun device for tethering. Allow access.
STEPS TO REPRODUCE:
0. Have two devices to test on, say Device A and Device B
1. On Device A, go to Settings -> Bluetooth.
2. Turn on Bluetooth.
3. Pair it with Device B.
4. Tap on the paired device.
OBSERVED RESULTS:
- Bluetooth share crash is observed with "Bluetooth share has stopped"
error message
- Unable to use Bluetooth tethering due to this issue
EXPECTED RESULTS:
No crash and Bluetooth devices should be able to connect for tethering
Addresses the following denial:
com.android.bluetooth: type=1400 audit(0.0:131): avc: denied { open }
for comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs"
ino=12340 scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0
tclass=chr_file permissive=0
Bug: 27372573
(cherry picked from commit 9a1347eee6)
Change-Id: Ibd16e48c09fe80ebb4f3779214de3b4806c12497

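Several of the commits above each resolve one `avc: denied` line by hand. As an added example that is not part of the sepolicy repository or any of these commits, here is a small Python parser that pulls the fields out of the three denials quoted on this page (re-joined where the log was wrapped), decodes the hex-encoded comm= value, flags the MLS level mismatch that the ringtone commit handled with mlstrustedobject, and builds the audit2allow-style rule for each.

```python
import re
# Denial lines taken from the commit messages above (wrapped ones re-joined).
DENIALS = [
    'W vold : type=1400 audit(0.0:485): avc: denied { getattr } for '
    'path="/data/misc/profiles/cur/11/foreign-dex" dev="dm-2" ino=343857 '
    'scontext=u:r:vold:s0 tcontext=u:object_r:user_profile_foreign_dex_data_file:s0 '
    'tclass=dir permissive=0',
    'avc: denied { write } for path="/data/system_de/0/ringtones/ringtone_cache" '
    'dev="mmcblk0p44" ino=1602501 scontext=u:r:priv_app:s0:c512,c768 '
    'tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0',
    'com.android.bluetooth: type=1400 audit(0.0:131): avc: denied { open } for '
    'comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs" ino=12340 '
    'scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0 '
    'tclass=chr_file permissive=0',
]
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<sctx>\S+)\s+'
    r'tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<perm>[01]))?')
COMM_RE = re.compile(r'\bcomm=(?P<comm>\S+)')

def decode_comm(raw):
    """The kernel hex-encodes comm= when the name holds spaces or control chars, else it is quoted."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode('ascii')
    except ValueError:
        return raw

def parse_denial(line):
    """Return a dict describing one avc denial, or None for a non-matching line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    s, t = m['sctx'].split(':'), m['tctx'].split(':')
    comm = COMM_RE.search(line)
    return {
        'perms': sorted(m['perms'].split()),
        'sdomain': s[2], 'ttype': t[2], 'tclass': m['tclass'],
        'enforced': m['perm'] != '1',
        # Levels differ (s0:c512,c768 vs s0): mlsconstrain rules apply as well, as in the ringtone commit.
        'mls_cross': s[3:] != t[3:],
        'comm': decode_comm(comm['comm']) if comm else None,
    }

def allow_rule(d):
    """audit2allow-style TE rule that would satisfy the denial; review it against the neverallow rules."""
    perms = d['perms'][0] if len(d['perms']) == 1 else '{ %s }' % ' '.join(d['perms'])
    return 'allow %s %s:%s %s;' % (d['sdomain'], d['ttype'], d['tclass'], perms)
```

Running `[allow_rule(parse_denial(l)) for l in DENIALS]` yields the three rules the commits added for vold, priv_app and bluetooth; the priv_app entry also reports mls_cross, the signal that an allow rule alone would not have been enough.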
It's a CTS requirement that all SELinux domains be in
enforcing mode. Add the same assertion to the build system
when targeting user builds.
In particular, this avoids a situation where device integrity
checking is enabled on user builds, but permissive denials
are being generated, causing the device to unexpectedly reboot
into safe mode.
A developer wanting to put an SELinux domain into permissive
mode for userdebug/eng purposes can write the following
in their policy:
userdebug_or_eng(`
permissive foo;
')
Bug: 26902605
Bug: 27313768
(cherry picked from commit bca98efa57)
Change-Id: If6abe1fa70c79a1fccdbdd9ff273d92de7565a73

NetworkTimeUpdateService has been registered as a system service, so that
its dump state can be included into bugreports.
Bug: 23983739
Change-Id: I0d364009ba4630dcfd1d22c647195e33eedaa4e0

Ringtones often live on shared media, which is now encrypted with CE
keys and not available until after the user is unlocked. To improve
the user experience while locked, cache the default ringtone,
notification sound, and alarm sound in a DE storage area.
Also fix bug where wallpaper_file wasn't getting data_file_type.
Bug: 26730753
Change-Id: Ib1f08d03eb734c3dce91daab41601d3ed14f4f0d