This reverts commit f4ab6c9f3c.
Reason for revert: CPU HAL is no longer required because the CPU frequency sysfs files are stable Linux Kernel interfaces and could be read directly from the framework.
Change-Id: I8e992a72e59832801fc0d8087e51efb379d0398f
Change-Id: Ia091bf8f597a25351b5ee33b2c2afc982f175d51
Test: Ran `m; emulator; adb logcat -b all -d > logcat.txt;`
and verified CPU HAL is running without any sepolicy violation.
Bug: 252883241
Bug: 242892591
Test: atest GtsFontHostTestCases
Test: Manually verified the font files can be updated
Change-Id: Ic72fcca734dc7bd20352d760ec43002707e4c47d
We need to separate out the feature flags in use by remote key
provisioning daemon (RKPD). For this, I have set up a new namespace
remote_key_provisioning_native. This change adds the SELinux policies to
make sure appropriate permissions are present when accessing the feature
flag for read/write.
Change-Id: I9e73a623f847a058b6236dd0aa370a7f9a9e6da7
Test: TreeHugger
Add a new selinux type for a system property used to hold metadata about
the time zone setting system property. Although system settings are
world readable, the associated metadata only needs to be readable by the
system server (currently).
Bug: 236612872
Test: treehugger
Change-Id: Iac1bc3301a049534ea5f69edf27cd85443e6a92e
Reduce use of "exported_system_prop" by defining 2 new (currently
identical) "locale_prop" and "timezone_prop" types for the system
properties that are for "global system settings". See the comments in
private/property_contexts for details.
Initially the rights of the new types should be identical to
exported_system_prop but they will be reduced with a follow-up commit to
enable easier rollback / progress to be made on related work.
Bug: 236612872
Test: treehugger
Change-Id: I8d818342023bc462376c091b8a522532ccaf15d3
ro.tuner.lazyhal: system_vendor_config_prop to decide whether the lazy
tuner HAL is enabled.
tuner.server.enable: system_internal_prop to decide whether tuner server
should be enabled.
Bug: 236002754
Test: Check tuner HAL and framework behavior
Change-Id: I6a2ebced0e0261f669e7bda466f46556dedca016
Grant system_server and flags_health_check permission to set the
properties that correspond to vendor system native boot experiments.
Bug: 241730607
Test: Build
Merged-In: Idc2334534c2d42a625b451cfce488d7d7a651036
Change-Id: I3e98f1b05058245cad345061d801ecd8de623109
This is needed for Watchdog to be able to dump InputProcessor HAL.
Watchdog can be triggered locally for testing by patching
InputDispatcher.cpp:
void InputDispatcher::monitor() {
// Acquire and release the lock to ensure that the dispatcher has not deadlocked.
std::unique_lock _l(mLock);
+ std::this_thread::sleep_for(std::chrono::minutes(40));
mLooper->wake();
mDispatcherIsAlive.wait(_l);
Bug: 237322365
Test: adb bugreport (after triggering watchdog)
Change-Id: I746df8be4faaef2a67293d6b1c0cde5fa7810de6
Merged-In: I746df8be4faaef2a67293d6b1c0cde5fa7810de6
Goal is to gain a better handle on who has access to which maps
and to allow (with bpfloader changes to create in one directory
and move into the target directory) per-map selection of
selinux context, while still having reasonable defaults for stuff
pinned directly into the target location.
BPFFS (ie. /sys/fs/bpf) labelling is as follows:
subdirectory selinux context mainline usecase / usable by
/ fs_bpf no (*) core operating system (ie. platform)
/net_private fs_bpf_net_private yes, T+ network_stack
/net_shared fs_bpf_net_shared yes, T+ network_stack & system_server
/netd_readonly fs_bpf_netd_readonly yes, T+ network_stack & system_server & r/o to netd
/netd_shared fs_bpf_netd_shared yes, T+ network_stack & system_server & netd [**]
/tethering fs_bpf_tethering yes, S+ network_stack
/vendor fs_bpf_vendor no, T+ vendor
* initial support for bpf was added back in P,
but things worked differently back then with no bpfloader,
and instead netd doing stuff by hand,
bpfloader with pinning into /sys/fs/bpf was (I believe) added in Q
(and was definitely there in R)
** additionally bpf programs are accesible to netutils_wrapper
for use by iptables xt_bpf extensions
'mainline yes' currently means shipped by the com.android.tethering apex,
but this is really another case of bad naming, as it's really
the 'networking/connectivity/tethering' apex / mainline module.
Long term the plan is to merge a few other networking mainline modules
into it (and maybe give it a saner name...).
The reason for splitting net_private vs tethering is that:
S+ must support 4.9+ kernels and S era bpfloader v0.2+
T+ must support 4.14+ kernels and T beta3 era bpfloader v0.13+
The kernel affects the intelligence of the in-kernel bpf verifier
and the available bpf helper functions. Older kernels have
a tendency to reject programs that newer kernels allow.
/ && /vendor are not shipped via mainline, so only need to work
with the bpfloader that's part of the core os.
Bug: 218408035
Test: TreeHugger, manually on cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I674866ebe32aca4fc851818c1ffcbec12ac4f7d4
(cherry picked from commit 15715aea32)
These will get read by system libraries in arbitrary processes, so it's
a public property with read access by `domain`.
Bug: 235129567
Change-Id: I1ab880626e4efa2affe90165ce94a404b918849d
The feature was superseded by tzdata mainline module(s).
Bug: 148144561
Test: see system/timezone
Test: m selinux_policy
Change-Id: I48d445ac723ae310b8a134371342fc4c0d202300
Merged-In: I48d445ac723ae310b8a134371342fc4c0d202300
This change enables xfrm netlink socket use for the system server,
and the network_stack process. This will be used by IpSecService
to configure SAs, and network stack to monitor counters & replay
bitmaps for monitoring of IPsec tunnels.
Bug: 233392908
Test: Compiled
Change-Id: I25539dc579f21d6288fa962d1fad9b51573f017d
Give system_server and network_stack the same permissions as netd.
This is needed as we are continuously moving code out of netd into
network_stack and system_server.
Test: TH
Bug: 233300834
Change-Id: I9559185081213fdeb33019733654ce95af816d99
Currently, app process can freely execute path at
`/data/misc_ce/0/sdksandbox/<package-name>` since it's labeled as system
file. They can't read or write, but use 403/404
error to figure out if an app is installed or not.
By changing the selinux label of the parent directory:
`/data/misc_ce/0/sdksandbox`, we can restrict app process from executing
inside the directory and avoid the privacy leak.
Sandbox process should only have "search" permission on the new label so
that it can pass through it to its data directory located in
`/data/misc_ce/0/sdksandbox/<package-name>/<per-sdk-dir>`.
Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Test: `adb shell cd /data/misc_ce/0/sdksandbox` gives error
Test: manual test to verify webview still works
Change-Id: Id8771b322d4eb5532eaf719f203ca94035e2a8ed
Merged-In: Id8771b322d4eb5532eaf719f203ca94035e2a8ed
Remove references in sepolicy. Leave a few of the types defined since
they're public and may be used in device-specific policy.
Bug: 211461392
Test: build/boot cuttlefish
Change-Id: I615137b92b82b744628ab9b7959ae5ff28001169
As a follow-up to https://r.android.com/2078213, remove init's write
access to directories with type system_userdir_file or
media_userdir_file. This has been made possible by moving the creation
of /data/user/0 and /data/media/obb to vold.
Bug: 156305599
Change-Id: Ib9f43f2b111518833efe08e8cacd727c75b80266
Creating a per-user encrypted directory such as /data/system_ce/0 and
the subdirectories in it too early has been a recurring bug. Typically,
individual services in system_server are to blame; system_server has
permission to create these directories, and it's easy to write
"mkdirs()" instead of "mkdir()". Such bugs are very bad, as they
prevent these directories from being encrypted, as encryption policies
can only be set on empty directories. Due to recent changes, a factory
reset is now forced in such cases, which helps detect these bugs;
however, it would be much better to prevent them in the first place.
This CL locks down the ability to create these directories to just vold
and init, or to just vold when possible. This is done by assigning new
types to the directories that contain these directories, and then only
allowing the needed domains to write to these parent directories. This
is similar to what https://r.android.com/1117297 did for /data itself.
Three new types are used instead of just one, since these directories
had three different types already (system_data_file, media_rw_data_file,
vendor_data_file), and this allows the policy to be a bit more precise.
A significant limitation is that /data/user/0 is currently being created
by init during early boot. Therefore, this CL doesn't help much for
/data/user/0, though it helps a lot for the other directories. As the
next step, I'll try to eliminate the /data/user/0 quirk. Anyway, this
CL is needed regardless of whether we're able to do that.
Test: Booted cuttlefish. Ran 'sm partition disk:253,32 private', then
created and deleted a user. Used 'ls -lZ' to check the relevant
SELinux labels on both internal and adoptable storage. Also did
similar tests on raven, with the addition of going through the
setup wizard and using an app that creates media files. No
relevant SELinux denials seen during any of this.
Bug: 156305599
Change-Id: I1fbdd180f56dd2fe4703763936f5850cef8ab0ba
It will be used by system_server only (i.e., not even Shell) to let
developers change the system user mode (to be headless or full).
Test: sesearch --allow -t system_user_mode_emulation_prop $ANDROID_PRODUCT_OUT/vendor/etc/selinux/precompiled_sepolicy
Bug: 226643927
Change-Id: Iaba42fd56dce0d8d794ef129634df78f9599260f
... such as Cuttlefish (Cloud Android virtual device) which has a
DRM virtio-gpu based gralloc and (sometimes) DRM virtio-gpu based
rendering (when forwarding rendering commands to the host machine
with Mesa3D in the guest and virglrenderer on the host).
After this change is submitted, changes such as aosp/1997572 can
be submitted to removed sepolicy that is currently duplicated
across device/google/cuttlefish and device/linaro/dragonboard as
well.
Adds a sysfs_gpu type (existing replicated sysfs_gpu definitions
across several devices are removed in the attached topic). The
uses of `sysfs_gpu:file` comes from Mesa using libdrm's
`drmGetDevices2()` which calls into `drmParsePciDeviceInfo()` to
get vendor id, device id, version etc.
Bug: b/161819018
Test: launch_cvd
Test: launch_cvd --gpu_mode=gfxstream
Change-Id: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
Merged-In: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
Grant system_server and flags_health_check permission to set the
properties that correspond to vendor system native experiments.
Bug: 226456604
Test: Build
Change-Id: Ib2420cf6eaf1645e7f938db32c93d085dd8950a3
odsign will be writing(metrics) to file
/data/misc/odsign/metrics/odsign-metrics.txt & system_server needs from it.
Test: adb pull /data/misc/odsign/metrics/odsign-metrics.txt after reboot
Bug: 202926606
Change-Id: I020efcee8ca7f5b81f1aa3374bbf2b3a7403186d
This is intended for wm properties related to wmshell/sysui.
Using this context allows sysui to manipulate these properties
in debug builds.
Bug: 219067621
Test: manual
Change-Id: I5808bf92dbba37e9e6da5559f8e0a5fdac016bf3
dmesgd is a daemon that collects kernel memory error reports.
When system_server notices that a kernel error occured, it sets the
dmesgd.start system property to 1, which results in init starting
dmesgd.
Once that happens, dmesgd runs `dmesg` and parses its output to collect
the last error report. That report, together with the headers containing
device- and build-specific information is stored in Dropbox.
Empirically, dmesgd needs the following permissions:
- execute shell (for popen()) and toolbox (for dmesg),
read system_log (for dmesg)
- read /proc/version (to generate headers)
- perform Binder calls to servicemanager and system_server,
find dropbox_service (for dropbox)
- create files in /data/misc/dmesgd (to store persistent state)
Bug: 215095687
Test: run dmesgd on a user device with injected KFENCE bugs
Change-Id: Iff21a2ffd99fc31b89a58ac774299b5e922721ea
Require all domains which can be used for BPF to be marked as
bpfdomain, and add a restriction for these domains to not
be able to use net_raw or net_admin. We want to make sure the
network stack has exclusive access to certain BPF attach
points.
Bug: 140330870
Bug: 162057235
Test: build (compile-time neverallows)
Change-Id: I29100e48a757fdcf600931d5eb42988101275325
This partly reverts fa10a14fac. There we
removed individual labels for various apexdata labels, replacing them
with apex_system_server_data_file.
Unfortunately that doesn't handle upgrade scenarios well, e.g. when
updating system but keeping the old vendor sepolicy. The directories
keep their old labels, and vold_prepare_subdirs is unable to relabel
them as there is no policy to allow it to.
So we bring back the legacy labels, in private not public, and add the
rules needed to ensure system_server and vold_prepare_subdirs have the
access they need. All the other access needed is obtained via the
apex_data_file_type attribute.
Bug: 217581286
Test: Reset labels using chcon, reboot, directories are relabeled, no denials
Change-Id: If696882450f2634e382f217dab8f9f3882bff03f
System server needs to do this to know whether a suitable VM for
CompOS can be created. System server does not need the ability to
actually start a VM, so we don't grant that.
Bug: 218276733
Test: Presubmits
Change-Id: Ibb198ad55819aa924f1bfde68ce5b22c89dca088
Allow system_server to trigger the kernel synchronize rcu with open and
close pf_key socket. This action was previously done by netd but now
it need to be done by system_server instead because the handling code in
netd are moved to mainline module which will be loaded by system_server
in JNI mode.
Note: the permission will be removed from netd once all bpf interactions
have moved out of netd.
Bug: 202086915
Test: android.app.usage.cts.NetworkUsageStatsTest
android.net.cts.TrafficStatsTest
Change-Id: I440e0c87193775115a9b9ffb19270c47b01b082e
Should system_server kill zygote on crashes, it will attempt to kill any
process in the same process group. This ensures that no untracked
children are left.
Bug: 216097542
Test: m selinux_policy
Change-Id: Ie16074f76e351d80d9f17be930a731f923f99835
mdns service is a subset of netd-provided services, so it gets
the same treatment as netd_service or dnsresolver_service
Bug: 209894875
Test: built, flashed, booted
Change-Id: I33de769c4fff41e816792a34015a70f89e4b8a8c
system_server needs search/read/open access to the directory.
This change gives system_server permissions to fetching the
information from sys/class/net.
Bug: 202086915
Test: build, flash, boot
Change-Id: I7b245510efbc99427f3491c9234c45c8cc18fea1
This sepolicy is needed so that the vendor can launch a new HAL process,
and then this HAL process could join the servicemanager as an impl for
IInputProcessor. This HAL will be used to contain the previous impl of
InputClassifier and also new features that we are going to add.
Bug: 210158587
Test: use together with a HAL implementation, make sure HAL runs
Change-Id: I476c215ad622ea18b4ce5cba9c07ae3257a65817
This is required for listing all key aliases of other APP domains' keys
in order to migrate keys on behalf of the updated app by PMS.
Test: builds
Bug: 211665859
Change-Id: I541fb81e6186288a1e852ce60882651f838e36dc
The logd binder service is on logd side.
The logcat binder service is on system_server side.
These two binder services facilitate the binder RPC
between logd and system_server.
Bug: 197901557
Test: manual
Change-Id: I5f08bbb44a88dc72302331ab11c7d54f94db16ac
This relaxes the neverallow so that it is possible to write a new
SELinux allow for system_server to read /dev/block/vd*. It still isn't
possible unless a vendor enables it.
Bug: 196965847
Test: m -j
local_test_runner arc.Boot.vm
Change-Id: Idad79284778cf02066ff0b982480082828f24e19
This change adds a permission migrate_any_key that will help the system
server in migrating keys for an app that wants to leave a sharedUserId.
Bug: 179284822
Test: compiles
Change-Id: I2f35a1335092e69f5b3e346e2e27284e1ec595ec
Also allow composd to kill odrefresh (it execs it); this is necessary
for cancel() to work.
Bug: 199147668
Test: manual
Change-Id: I233cac50240130da2f4e99f452697c1162c10c40
Grant system_server and flags_health_check permission to set the
properties that correspond to the AVF experiments.
Bug: 192819132
Test: m
Change-Id: I0e6fa73187abb4412d07ecfd42c1074b8afa5346
This patch adds some ioctls for odex/vdex files.
Bug: 205257122
Test: Manual. Code runs.
Signed-off-by: Ken Bian <kenjc.bian@rock-chips.com>
Change-Id: Ibf7890f0910ed04e0355bef9c0bfb21b406fb7eb
This reverts commit 7ed2456b45.
Reason for revert: /dev/userspace-panic is discarded (b/188777408#comment13)
Bug: 188777408
Change-Id: I98b0159890ee755ffaefc5533f9c40d54f8f26d2
The target device needs to lable the SoC's extcons to sysfs_extcon in
the device's vendor sepolicy to allow the system_server access.
Bug: 152245127
Bug: 193492798
Bug: 193114615
Test: pressubmit and manual
Change-Id: Ib0a90ac5ce2c9437b19d6dc1e0b2cc50fed41dc3
Define type userspace_panic_device and macro userpanic_use for init,
llkd, and system_server to access /dev/userspace_panic - a kernel file
node for userspace processes to request kernel panic.
Bug: 188777408
Change-Id: I1e9d115d85f664aa84bdd6bb4b95bdb48e3aab9a
We ended up with 4 labels for specific APEX files that were all
identical; I've replaced them with a single one
(apex_system_server_data_file).
Additionally I created an attribute to be applied to a "standard" APEX
module data file type that establishes the basics (it can be managed
by vold_prepare_subdirs and apexd), to make it easier to add new such
types - which I'm about to do.
Fix: 189415223
Test: Presubmits
Change-Id: I4406f6680aa8aa0e38afddb2f3ba75f8bfbb8c3c
Keystore2 atoms need to be rounted to statsd via a proxy.
The proxy needs to have this permission in order to pull metrics from
keystore.
Ignore-AOSP-First: No mergepath to AOSP.
Bug: 188590587
Test: Statsd Testdrive script
Change-Id: Ic94f4bb19a08b6300cfd2d3ed09b31d5b7081bfd
Merged-In: Ic94f4bb19a08b6300cfd2d3ed09b31d5b7081bfd
(cherry picked from commit 61d07e7ce0)
Any FUSE filesystem will receive the 'fuse' type when mounted. It is
possible to change this behaviour by specifying the "context=" or
"fscontext=" option in mount().
Because 'fuse' has historically been used only for the emulated storage,
it also received the 'sdcard_type' attribute. Replace the 'sdcard_type'
attribute from 'fuse' with the new 'fusefs_type'. This attribute can be
attached on derived types (such as app_fusefs).
This change:
- Remove the neverallow restriction on this new type. This means any
custom FUSE implementation can be mounted/unmounted (if the correct
allow rule is added). See domain.te.
- Change the attribute of 'fuse' from 'sdcard_type' to 'fusefs_type'.
See file.te.
- Modify all references to 'sdcard_type' to explicitly include 'fuse'
for compatibility reason.
Bug: 177481425
Bug: 190804537
Test: Build and boot aosp_cf_x86_64_phone-userdebug
Change-Id: Id4e410a049f72647accd4c3cf43eaa55e94c318f
This allows the system server to read the reports for uploading.
also cleaned up the out of order qemu_hw_prop entry.
Test: manual
Bug: 178561556
Bug: 183487233
Change-Id: I9e5aef9cbcf50fd085dd72900e3ab00a1b6c20a7
/proc/vmstat oom_kill counts the number of times __oom_kill_process
was actioned
(https://lore.kernel.org/lkml/149570810989.203600.9492483715840752937.stgit@buzz/)
We want to record this in the context of system_server for tracking
purposes.
Bug: 154233512
Change-Id: I27bcbcd5d839e59a1dca0e87e2f4ae107201654c
Test: build, verify vmstat can be read
ART is becoming a module and we need to be able to add new properties
without modifying the non updatable part of the platform:
- convert ART properties to use prefix in the namespace of
[ro].dalvik.vm.
- enable appdomain and coredomain to read device_config properties
that configure ART
Test: boot
Bug: 181748174
Change-Id: Id23ff78474dba947301e1b6243a112b0f5b4a832
This patch adds some ioctls for apk files and allows
shell to query for f2fs features.
Bug: 189169940
Test: Manual. Code runs.
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: Ia8bccf1bf663404b902703326a1853947b64e5ab
This reverts commit e95e0ec0a5.
Now that b/186727553 is fixed, it should be safe to revert this revert.
Test: build
Bug: 184381659
Change-Id: Ibea3882296db880f5cafe4f9efa36d79a183c8a1
Revert submission 1668411
Reason for revert: Suspect for b/186173384
Reverted Changes:
Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t...
I743a81489:Exclude vendor_modprobe from debugfs neverallow re...
I63a22402c:Add neverallows for debugfs access
I289f2d256:Add a neverallow for debugfs mounting
Change-Id: I9b7d43ac7e2ead2d175b265e97c749570c95e075
Every process needs to be able to determine the IncFS features
to choose the most efficient APIs to call
Bug: 184357957
Test: build + atest PackageManagerShellCommandTest
Change-Id: Ia84e3fecfd7be1209af076452cc27cc68aefd80d
Android R launching devices and newer must not ship with debugfs
mounted. For Android S launching devices and newer, debugfs must only be
mounted in userdebug/eng builds by init(for boot time initializations)
and dumpstate(for grabbing debug information from debugfs using the
dumpstate HAL).
This patch adds neverallow statements to prevent othe processes
being provided access to debugfs when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS
is set to true.
Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Bug: 184381659
Change-Id: I63a22402cf6b1f57af7ace50000acff3f06a49be
Metrics are written to /data/misc/odrefresh by odrefresh during early
boot, then native code in ART system_server initialization passes them
to statsd and deletes the metrics files. This hand-off is necessary
because statsd does not start until after odsign and odrefresh have run.
Bug: 169925964
Test: manual
Change-Id: I8054519a714907819886dd6e5e78f3b5796d0898
ART runtime will be using userfaultfd for a new heap compaction
algorithm. After enabling userfaultfd in android kernels (with SELinux
support), the feature needs policy that allows { create ioctl read }
operations on userfaultfd file descriptors.
Bug: 160737021
Test: Manually tested by exercising userfaultfd ops in ART
Change-Id: I9ccb7fa9c25f91915639302715f6197d42ef988e
This property is many years old and it does not have a property
context associated with it. It is set by the system server (in
particular, ConnectivityService code, in the Tethering module)
and read by init, which does:
on property:net.tcp_def_init_rwnd=*
write /proc/sys/net/ipv4/tcp_default_init_rwnd ${net.tcp_def_init_rwnd}
There is no need to add read access to init because init can read
and write any property.
Test: m
Fix: 170917042
Change-Id: I594b09656a094cd2ef3e4fd9703e46bf7b2edd4c
This property is written by an .rc file - see aosp/1553819 - and
read by the connectivity mainline code in the system server.
Test: m
Bug: 182333299
Change-Id: Ibac622f6a31c075b64387aadb201ad6cdd618ebd
The persistent data block is protected by a copy-on-write scratchpad when
running a Dynamic System Update (DSU). The copy-on-write scratchpad
uses a backing file for write operations. This CL adds permissions
to write the backing file for the PersistentDataBlockService.
Bug: 175852148
Test: gsi_tool install & vts_kernel_net_tests
Change-Id: Id0efe407e707fc382679c0eee249af52f877f5d2
Create contexts for /sys/kernel/tracing/instances/bootreceiver
Allow read access to files in this dir for system_server.
Bug: 172316664
Bug: 181778620
Test: manual runs with KFENCE enabled
Signed-off-by: Alexander Potapenko <glider@google.com>
Change-Id: I7021a9f32b1392b9afb77294a1fd0a1be232b1f2
As part of the keystore2 requirement, we give the keys used for
resume on reboot a separate context in keystore. And grant system
server the permission to generate, use and delete it.
Bug: 172780686
Test: resume on reboot works after using keystore2
Change-Id: I6b47625a0864a4aa87b815c6d2009cc19ad151a0
Revert submission 1572240-kernel_bootreceiver
Reason for revert: DroidMonitor: Potential culprit for Bug 181778620 - verifying through Forrest before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.
Reverted Changes:
Ic1c49a695:init.rc: set up a tracing instance for BootReceive...
I828666ec3:Selinux policy for bootreceiver tracing instance
Change-Id: I9a8da7ae501a4b7c3d6cb5bf365458cfd1bef906
Create contexts for /sys/kernel/tracing/instances/bootreceiver
Allow read access to files in this dir for system_server.
Bug: 172316664
Test: manual runs with KFENCE enabled
Signed-off-by: Alexander Potapenko <glider@google.com>
Change-Id: I828666ec3154aadf138cfa552832a66ad8f4a201
We no longer use this sysprop-based interface for communication between
Traceur and Perfetto, this change removes the associated policy.
Test: atest TraceurUiTests
Bug: 179923899
Change-Id: Ic59d866d3c75a3f804f6c19a703d6d10560c627a
Revert submission 1582845-qemu-prop
Reason for revert: aosp_hawk-userdebug is broken on an RVC branch
Reverted Changes:
Idfc2bffa5:Add qemu.hw.mainkeys to system property_contexts
If013ff33f:Remove qemu.hw.mainkeys from vendor_qemu_prop
Bug: 180412668
Change-Id: I335afb931eaeb019f66e3feedea80b0c8888f7a3
system_server must be allowed to create process groups in behalf of
processes spawned by the app zygote
Bug: 62435375
Bug: 168907513
Test: verified that webview processes are migrated in their own process
group
Change-Id: Icd9cd53b759a79fe4dc46f7ffabc0cf248e6e4b8
Bug: 168907513
Test: verified the correct working of the v2 uid/pid hierarchy in normal
and recovery modes
This reverts commit aa8bb3a29b.
Change-Id: Ib344d500ea49b86e862e223ab58a16601eebef47
Recently, WatchDog gained the ability to query AIDL HAL PIDs in order to
amend ANR reports. However, since this was tested on cuttlefish (and
b/65201432 means that system_server is permissive), the denial was not
enforced, and broke ANRs in the dogfood population.
Fixes: 179753319
Test: simulate hanging w/ 'adb shell am hang', and the following denial
no longer occurs:
02-10 00:50:05.719 200 200 E SELinux : avc: denied { list } for
pid=575 uid=1000 name=service_manager scontext=u:r:system_server:s0
tcontext=u:r:servicemanager:s0 tclass=service_manager permissive=1
Change-Id: I210527ad7492b155d7cf08c7d67894ef602d37a6
This is needed because Wifi module needs to import and
generate keys and it runs in system_server.
Also, remove "grant" from system_app and system_server
since there is no need to grant any keys.
Test: Create an enterprise wifi config with EAP-TLS
Bug: 171305388
Change-Id: I50c25f2fe52e968c8cdf1ea20d110f9f052699db
a54bed6907
Bug: 151660495
Test: verified proper boot in regular mode and proper working of adb in
recovery
Change-Id: Id70d27a6162af6ede94661005d80a2a780057089
Follow the steps: go/android-native-flag-api-manual
Bug: 179099277
Test: m -j
Test: manually verify connection to wifi after flash
Change-Id: Ieb5355d40aec9ed7a42b7ae5b250b696fcf00810
This directory is used to store override config, so that they can
persist across reboot.
Test: atest CompatConfigTest
Bug: 145509340
Change-Id: I5e8f2b3093daeccd6c95dff24a8c6c0ff31235ca
The updated font files will be stored to /data/fonts/files and
all application will read it for drawing text.
Thus, /data/fonts/files needs to be readable by apps and only writable
by system_server (and init).
Bug: 173517579
Test: atest CtsGraphicsTestCases
Test: Manually done
Change-Id: Ia76b109704f6214eb3f1798e8d21260343eda231
This change gives system_server read permissions to SurfaceFlinger in
order to pin it with PinnerService.
Bug: 176197656
Test: adb shell dumpsys pinner
/system/bin/surfaceflinger was successfully pinned.
Change-Id: Ic845eebe298ec2d602b86003c07889f37fc44159
IncFS in S adds a bunch of new ioctls, and requires the users
to read its features in sysfs directory. This change adds
all the features, maps them into the processes that need to
call into them, and allows any incfs user to query the features
Bug: 170231230
Test: incremental unit tests
Change-Id: Ieea6dca38ae9829230bc17d0c73f50c93c407d35
To support multi-client resume on reboot, the recovery system
service want to query the active boot slot on the next boot; and
abort the reboot if the active slot is different from clients'
expectation.
Denial:
SELinux : avc: denied { find } for interface=android.hardware.boot::IBootControl
sid=u:r:system_server:s0 pid=1700 scontext=u:r:system_server:s0
tcontext=u:object_r:hal_bootctl_hwservice:s0 tclass=hwservice_manager permissive=1
Bug: 173808057
Test: adb shell cmd recovery reboot-and-apply ota reason
Change-Id: I6a303d8dcbae89a2287d96ae3116109e2a43bbd6
