DEFAULT_SYSTEM_DEV_CERTIFICATE is not appropriate as some OEMs may need
to change only the certificates used to generate
plat_mac_permissions.xml for mainline modules.
Test: m, checked output plat_mac_permissions.xml
Bug: 138097611
Bug: 134995443
Change-Id: Ie19130a243db043f432039c54c379f06e60ab6c6
Allow dexoptanalyzer(d) to lock `system_file` files, so that it can
lock `/system/framework/$ISA/*.art` files (which is harmless as these
files live in a read-only partition, but admittedly simplifies the
corresponding logic in ART).
Addresses denials of the form:
avc: denied { lock } for path="/system/framework/arm/boot.art"
dev="dm-0" ino=1330 scontext=u:r:dexoptanalyzer:s0
tcontext=u:object_r:system_file:s0 tclass=file permissive=0 […]
Test: Reproduce steps in bug 138683603 and check the absence of SELinux denials
Bug: 138683603
Change-Id: I8a08822b4908b3b37bd0e450dd1356ed92332327
Used to restrict properties init.svc_debug_pid.*
Bug: 138114550
Test: getprop | grep init.svc_debug_pid only shows results on root
Change-Id: I0c10699deec4c548a2463a934e96b897ddee1678
Used to lazily start AIDL services.
Bug: 138756857
Test: Manual (using mediaextractor as a test service)
Change-Id: Ia1f2c10072e42d8917985c38500be0955f98b8eb
Now that our tools are routed to system_suspend, there is no reason for
system_suspend to write to /sys/power/wake_[un]lock.
Bug: 128923994
Bug: 115946999
Test: boot blueline, no denials from system_suspend
Change-Id: I1097d30c050ce7d88677e07f4aaef07ce78dc958
LinkerConfig generator runs from early init, so if there is any warning
/ error then logs can be only found from kernel log. To enable kernel
logging from linkerconfig, specific policy should be added.
Test: m -j && Tested from Cuttlefish
Change-Id: I6c49d7693e0334ae8550891b72bcb04e37c16d89
Allow charger to read system properties with this prefix
so that charger's behavior is controlled by runtime.
Test: run offline charging on walleye
Bug: 124118169
Change-Id: I4266b2d043a5323b4adbd1636ada46b7e08ca667
In b/73062966, we add new AID ranges for each partition that doesn't
yet have them (system, system_ext, odm, product). We also add group
and passwd files to these partitions to be able to map these AIDs into
human readable user and group names, and vice versa.
All processes should be able to read all users and groups. We divide
the ranges into non-overlapping regions for each partition and we
namespace the names with the partition name as a prefix.
Allow domain r_file_perms to
/(system|product|system_ext)/etc/(group|passwd).
Vendor and odm passwd and group files already have this access, since
/(vendor|odm)/etc/* is already domain readable.
Example contents:
blueline:/ $ cat /system/etc/passwd
system_tom::6050:6050::/:/bin/sh
blueline:/ $ cat /product/etc/passwd
product_tom::7013:7013::/:/bin/sh
Bug: 73062966
Test: tree-hugger selinux denial during boot test
Change-Id: Ib4dc31778e95e952174e1365497feaf93dca7156
http://aosp/678384 changed property format
Fixes: 137695210
Test: inject timeout and take BR see dumpstate restarted
Change-Id: Ie24e2d42e92410a935ca4c9364b476d72aa459f3
