Currently BetterBug (privileged app) cannot access the details from
/data/misc/wmtrace.
Test: access a trace from /data/misc/wmtrace/ in betterbug
Change-Id: I4cf864ab4729e85f05df8f9e601a75ff8b92bdc8
Overlayfs product/overlay in init first stage is allowed in AndroidS.
The product/overlay directory contains RRO apks, so it is plausible to allow
dumpstate to access it, since dumpstate will call the df command.
Otherwise there will be an avc denial:
01-01 07:09:37.234 13582 13582 W df : type=1400 audit(0.0:1717): avc: denied { getattr } for path="/product/overlay"
dev="overlay" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_overlay_file:s0 tclass=dir permissive=0
Actually, it is more reasonable to set /product/overlay to u:object_r:system_file:s0 since
there are already definitions related to /product/overlay:
/mnt/scratch/overlay/(system|product)/upper u:object_r:system_file:s0
/(product|system/product)/vendor_overlay/[0-9]+/.* u:object_r:vendor_file:s0
Bug: https://b.corp.google.com/u/0/issues/186342252
Signed-off-by: sunliang <sunliang@oppo.com>
Change-Id: I493fab20b5530c6094bd80767a24f3250d7117a8
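As an added illustration (not part of the commit above or of AOSP), this Python sketch parses the avc denial quoted in that commit message into its fields and derives the allow rule the denial corresponds to, which is the rule a reviewer weighs against relabeling the path instead. The function names and the rejoined `SAMPLE_LOG` constant are assumptions made for the example.

```python
import re
from collections import defaultdict

# The denial quoted in the commit message, rejoined onto one line.
SAMPLE_LOG = (
    '01-01 07:09:37.234 13582 13582 W df : type=1400 audit(0.0:1717): '
    'avc: denied { getattr } for path="/product/overlay" dev="overlay" ino=2 '
    'scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_overlay_file:s0 '
    'tclass=dir permissive=0\n'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """SELinux contexts are user:role:type:level; return the type field."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Return the denial's fields as a dict, or None if this is not a usable denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None  # truncated record: not enough to name a rule
    fields['perms'] = m.group('perms').split()
    fields['source_type'] = context_type(fields['scontext'])
    fields['target_type'] = context_type(fields['tcontext'])
    if not fields['source_type'] or not fields['target_type']:
        return None
    return fields


def candidate_rules(log_text):
    """Merge denials per (source, target, class) into allow-rule strings for review."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            grouped[(d['source_type'], d['target_type'], d['tclass'])].update(d['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perm_text = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_text = '{ ' + perm_text + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return rules


if __name__ == '__main__':
    print('\n'.join(candidate_rules(SAMPLE_LOG)))
```

The derived rule is only a candidate: the commit message above argues for changing the label of /product/overlay rather than granting dumpstate access to the existing type.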
This seems like an oversight when system_server_startup was
introduced (commit caf42d615d).
Test: Presubmits
Change-Id: Ia371caa8dfc2c250d6ca6f571cf002e25703e793
Clean up fc_sort to facilitate the migration to Python3. Use PEP8 for
naming scheme.
Test: atest --host fc_sort_test
Bug: 200119288
Change-Id: Ia2c40a850a48ec75e995d5233b5abaae10917a89
Add badge for gsm.operator.iso-country and gsm.sim.operator.iso-country.
Test: Manual test
Bug: 205807505
Change-Id: If4f399cd97b2297094ef9431450f29e0a91e5300
This relaxes the neverallow so that it is possible to write a new
SELinux allow for system_server to read /dev/block/vd*. It still isn't
possible unless a vendor enables it.
Bug: 196965847
Test: m -j
local_test_runner arc.Boot.vm
Change-Id: Idad79284778cf02066ff0b982480082828f24e19
They are served by the same process but have different clients:
- the main interface is exposed to system server;
- the internal interface is called by odrefresh when spawned by composd.
Test: compos_cmd forced-compile-test
Bug: 199147668
Change-Id: Ie1561b7700cf633d7d5c8df68ff58797a8d8bced
New type added in sepolicy to restrict Vendor defined uuid mapping
config file access to SecureElement.
Bug: b/180639372
Test: Run OMAPI CTS and VTS tests
Change-Id: I81d715fa5d5a72c893c529eb542ce62747afcd03
Label defined for OMAPI Vendor Stable Interface
Bug: b/180639372
Test: Run OMAPI CTS and VTS tests
Change-Id: Ifa67a22c85ffb38cb377a6e347b0e1f18af1d0f8
This is to make the SafetyCenterManager usable in CTS tests.
Test: SafetyCenterManager CTS test in ag/16284943
Bug: 203098016
Change-Id: I28a42da32f1f7f93c45294c7e984e6d1fd2cdd8d
Context about this is on ag/16182563.
Test: Ensure no build failures, ensure no SecurityException on boot when
SafetyCenterService is added as boot phase
Bug: 203098016
Change-Id: I4c20980301a3d0f53e6d8cba0b56ae0992833c30
1. Split plat_property_contexts, plat_file_contexts, and
plat_service_contexts so they can be included by the
CtsSecurityHostTestCases module.
2. Add temporary seapp_contexts Soong module, which is needed by the
CtsSecurityHostTestCases, and makefile_goal is an interim solution before
migrating both of them to Soong.
Bug: 194096505
Test: m CtsSecurityHostTestCases
Change-Id: I99ba55b1a89f196b3c8504e623b65960a9262165
Bug: 202785178
Test: Along with rest of topic, file
/sys/fs/bpf/prog_fuse_media_fuse_media
appears on boot with fuse-bpf in kernel
Merged-In: Ibccdf177c75fef0314c86319be3f0b0f249ce59d
Change-Id: Ibccdf177c75fef0314c86319be3f0b0f249ce59d
Revert "Convert security/Android.mk to Android.bp"
Revert "Add seapp_contexts to allowlist of makefile goal"
Revert submission 1795972-Convert security/Android.mk to Android.bp
Reason for revert: http://b/206976319 Broken build 7928060 on aosp-master on sdk_arm64-sdk
Reverted Changes:
I0e0e7f677:Split property and file contexts modules
I5596d6f00:Add seapp_contexts to allowlist of makefile goal
If685e5ccc:Convert security/Android.mk to Android.bp
Change-Id: Ibbca0a17886d15b3fd7ecaf974a06df7107fd9aa
This change adds a permission migrate_any_key that will help the system
server in migrating keys for an app that wants to leave a sharedUserId.
Bug: 179284822
Test: compiles
Change-Id: I2f35a1335092e69f5b3e346e2e27284e1ec595ec
Also allow composd to kill odrefresh (it execs it); this is necessary
for cancel() to work.
Bug: 199147668
Test: manual
Change-Id: I233cac50240130da2f4e99f452697c1162c10c40