app_zygote inherits tmpfs files from zygote, and needs to be able to
stat them after fork.
Bug: 192634726
Bug: 192572973
Bug: 119800099
Test: manually configure JIT zygote and run
atest \
CtsExternalServiceTestCases:\
android.externalservice.cts.ExternalServiceTest\
#testBindExternalServiceWithZygote
Change-Id: I401808c984edd4e3e4ef335f6a75cecc5cf69eca
As part of PhotoPicker, we will be playing the video. To allow video
playback, allow AudioServer `find` access for mediaprovider_app.
Bug: 169737802
Test: Verified that video playback works in PhotoPicker
Change-Id: Ie5acb77b2f446ee8af6cf384fd5a66bf64a15752
These have never been used in AOSP. Looking at ~10,000 Android
build images confirms that these are not used elsewhere within
the Android ecosystem.
Bug: 192532348
Test: build (failures here would be at build-time)
Change-Id: I787b14b531df31fbb9995156eb2e84719b7c90da
So simpleperf can profile these apps when they are marked to be
profileable/debuggable.
Bug: 192404394
Test: build and run simpleperf to profile com.android.systemui.
Change-Id: Ia2defe725a8fafbcb6c2d20e771b343d8822ccbc
Keystore2 atoms need to be rounted to statsd via a proxy.
The proxy needs to have this permission in order to pull metrics from
keystore.
Ignore-AOSP-First: No mergepath to AOSP.
Bug: 188590587
Test: Statsd Testdrive script
Change-Id: Ic94f4bb19a08b6300cfd2d3ed09b31d5b7081bfd
Merged-In: Ic94f4bb19a08b6300cfd2d3ed09b31d5b7081bfd
(cherry picked from commit 61d07e7ce0)
In ApexTestCases, a temp file in /data/local/tmp is used via a loop
device, which requires the kernel to read it.
This is only allowed in userdebug/eng.
Bug: 192259606
Test: ApexTestCases
Change-Id: Ic7d3e67a8a3e818b43b7caead9053d82cbcbccf7
Before otapreopt_script was indirectly interacting with otadexopt binder
service via `shell cmd otadexopt` interface, but now the interaction is
moved to otapreopt_chroot binary to reduce amount of times we need to
run this binary.
For more context see: aosp/1750143.
Test: m
Bug: 190223331
Change-Id: Ib32cbbbf8f3bd9b5c1b696e39f776631ae60d712
Enforce new requirements on app with targetSdkVersion=32 including:
- No RTM_GETNEIGH on netlink route sockets.
- No RTM_GETNEIGHTBL on netlink route sockets.
Bug: 171572148
Test: atest NetworkInterfaceTest
Test: atest bionic-unit-tests-static
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Change-Id: I32ebb407b8dde1c872f53a1bc3c1ec20b9a5cb49
Adds required context for 'vehicle_binding_util' to 'vold' interactions.
The vehicle_binding_util actually fork/execvp vdc.
And vdc will call vold to set the binding seed value.
Test: manual 'make'
Bug: 157501579
Change-Id: I5194c9cd0f5a910b1309b547aabf66bb9c397738
Any FUSE filesystem will receive the 'fuse' type when mounted. It is
possible to change this behaviour by specifying the "context=" or
"fscontext=" option in mount().
Because 'fuse' has historically been used only for the emulated storage,
it also received the 'sdcard_type' attribute. Replace the 'sdcard_type'
attribute from 'fuse' with the new 'fusefs_type'. This attribute can be
attached on derived types (such as app_fusefs).
This change:
- Remove the neverallow restriction on this new type. This means any
custom FUSE implementation can be mounted/unmounted (if the correct
allow rule is added). See domain.te.
- Change the attribute of 'fuse' from 'sdcard_type' to 'fusefs_type'.
See file.te.
- Modify all references to 'sdcard_type' to explicitly include 'fuse'
for compatibility reason.
Bug: 177481425
Bug: 190804537
Test: Build and boot aosp_cf_x86_64_phone-userdebug
Change-Id: Id4e410a049f72647accd4c3cf43eaa55e94c318f
Bug: 187386527
Test: Boot and confirm HAL is up
Signed-off-by: Michael Ayoubi <mayoubi@google.com>
Change-Id: I2abf108f2504997b06c0269f905608d8063cb3b4
Merged-In: I2abf108f2504997b06c0269f905608d8063cb3b4
This change adds a neverallow rule in traced.te to limit the processes
that can find tracingproxy_service, the context for TracingServiceProxy.
I wanted to avoid moving the tracingproxy_service definition to public,
so there were a few services that are exempted from this neverallow
rule.
Bug: 191391382
Test: Manually verified that with this change, along with the other
change in this topic, I see no errors when taking a bugreport while a
Traceur trace is running.
Change-Id: I8658df0db92ae9cf4fefe2eebb4d6d9a5349ea89
These denials were found in the logs of a test failure that entered
recovery mode.
Recovery uses libfs_mgr which reads /proc/bootconfig.
Test: Boot device into recovery and check for "avd: denied" logs
Bug: 191904998
Bug: 191737840
Change-Id: I96ae514cfd68856717e143d295f2838a7d0eff14
