This is the service offered by Keystore 2.0 to provide APC service to
application. It was formerly part of the IKeystoreService interface.
Not it is an interface in ints own right.
Test: Keystore 2.0 can register the apc service interface.
Apps can lookup and call this interface.
Bug: 159341464
Change-Id: I058adf0021d9b89f4eac7534e366c29071f0f98b
- Update policy for new system service, used for Launcher/Apps to
fetch and render search results in their UI.
Bug: 162234997
Test: manual verification ($ adb shell service list)
Reference CL: aosp/831251
Change-Id: If3ae22aa2ad1d13aeac3dfefc5244db4b1734d96
The updatable and non-updatable permission manager cannot share one
AIDL, so we need to create a new system service for the non-updatable
legacy one, and add the SELinux policy for it.
Bug: 158736025
Test: presubmit
Change-Id: Ief8da6335e5bfb17d915d707cf48f4a43332f6ae
Define access rights to new per-API level task profiles and cgroup
description files under /etc/task_profiles/.
Bug: 172066799
Test: boot with per-API task profiles
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I04c9929fdffe33a9fc82d431a53f47630f9dcfc3
One day we won't need this mechanism any more & can remove all traces
of it.
Bug: 141677108
Test: builds
Change-Id: I95525a163ab4f19d8ca411c02a3c06498c6777ef
Restrict access to controlling snapuserd via ctl properties. Allow
update_engine to control snapuserd, and connect/write to its socket.
update_engine needs this access so it can create the appropriate dm-user
device (which sends queries to snapuserd), which is then used to build
the update snapshot.
This also fixes a bug where /dev/dm-user was not properly labelled. As a
result, snapuserd and update_engine have been granted r_dir_perms to
dm_user_device.
Bug: 168554689
Test: full ota with VABC enabled
Change-Id: I1f65ba9f16a83fe3e8ed41a594421939a256aec0
These are read by some apps, but don't have any corresponding property
contexts. This adds a new context as we're going to remove default_prop
access.
Bug: 173360450
Test: no sepolicy denials
Change-Id: I9be28d8e641eb6380d080150bee785a3cc304ef4
We no longer allow apps with mlstrustedsubject access to app_data_file
or privapp_data_file. For compatibility we grant access to all apps on
vendor images for SDK <= 30, whether mlstrustedsubject or not. (The
ones that are not already have access, but that is harmless.)
Additionally we have started adding categories to system_data_file
etc. We treat these older vendor apps as trusted for those types only.
The result is that apps on older vendor images still have all the
access they used to but no new access.
We add a neverallow to prevent the compatibility attribute being
abused.
Test: builds
Change-Id: I10a885b6a122292f1163961b4a3cf3ddcf6230ad
We want to tweak some device params at runtime via shell (alleviates the
need to recompile HAL for changing device configuration). This will help
us test/teamfood couple of new features under development.
Bug: 173044646
Test: Wifi HAL can read persist.vendor.debug.wifi properties.
Change-Id: Iabd07e72aa5f0d97519a37d0ebb1e0a3458b6d06
Any partitions should be able to write this property with build.prop.
This adds a new context for ro.product.property_source_order so it can
be set from any build.prop, e.g. vendor/build.prop, product/build.prop,
etc.
Bug: 172459064
Test: PRODUCT_VENDOR_PROPERTIES can set this property
Change-Id: Ibf85a4ad02d8454f621428b271e8e298067aa126
Currently default_prop is readable by coredomain and appdomain. That's
too broad, and we are going to restrict the access so every property
should be added to property_contexts.
This adds some missing properties to property_contexts. Newly added
property contexts are:
- wrap.*: used by zygote to give arguments. It's assigned as
zygote_wrap_prop, and will be readable from coredomain.
- partition.{mount_name}.verified: used by dm-verity. It's assigned as
vertiy_status_prop, and will only be accessible from init.
- (ro.)?setupwizard.*: used by setup wizard. It's assigned as
setupwizard_prop, and will be readable from coredomain.
Other properties, such as ro.gfx.*, media.stagefright.*,
ro.storage_manager.* are also added to existing contexts.
Bug: 170590987
Test: boot crosshatch and see no denials
Change-Id: Ife9d69a62ee8bd7395a70cd104271898c8a72540
Test: ls -lZ /sys/kernel/tracing/printk_formats
[...] u:object_r:debugfs_tracing_printk_formats:s0 [...]
Test: setenforce 0;
runcon u:r:system_server:s0 cat /sys/kernel/tracing/printk_formats
logcat complains about /sys/kernel/tracing/printk_formats
Test: setenforce 0;
runcon u:r:traced_probes:s0 cat /sys/kernel/tracing/printk_formats
logcat does not complain about /sys/kernel/tracing/printk_formats
(need to setenforce 0, because otherwise the exec of ls is denied).
Bug: 70292203
Change-Id: I15ddef686f979c59daaba5263fa99aca3cd139e5
The suspend_control_aidl_interface is updated, renamed, and splitted
into android.system.suspend.control and
android.system.suspend.control.internal. This resulted in two suspend
services, update sepolicy to support this change.
Test: m
Bug: 171598743
Change-Id: I695bde405672af834fe662242347e62079f2e25f
dm-user is a new device-mapper module, providing a FUSE-like service for
block devices. It creates control nodes as misc devices under
/dev/dm-user/. Make sure these nodes get a unique selabel.
snapuserd is a daemon for servicing requests from dm-user. It is a
low-level component of Virtual A/B updates, and provides the bridge
betewen dm-snapshot and the new COW format. For this reason it needs
read/write access to device-mapper devices.
Bug: 168259959
Test: ctl.start snapuserd, no denials
vts_libsnapshot_test, no denials
Change-Id: I36858a23941767f6127d6fbb9e6755c68b91ad31
This property controls the minimal timing window that triggers init
process fatal abort, when the zygote service crashes repeatedly in it.
Bug: 146818493
Change-Id: Ibd371be0daf6510df8b4d1a1f12f0aab8d6392c7
This CL allows the traced_probes service to temporarily
lower kptr_restrict and read /proc/kallsyms.
This is allowed only on userdebug/eng builds.
The lowering of kptr_restrict is done via an init
property because the kernel checks that the kptr_restrict
writer is CAP_SYS_ADMIN, regardless of the /proc file ACLs [1].
[1] 4cbffc461e/kernel/sysctl.c (L2254)
Bug: 136133013
Design doc: go/perfetto-kallsyms
Test: perfetto_integrationtests --gtest_filter=PerfettoTest.KernelAddressSymbolization in r.android.com/1454882
Change-Id: Ic06e7a9a74c0f3e42fa63f7f41decc385c9fea2c
It will be used to dump system_server data that is not associated
with any service.
Test: adb shell dumpsys system_server
Bug: 163921395
Change-Id: I5719f7cd3a9022dc0ab12a3b3b22487e2b4866e0
This re-alignes aosp and internal master to avoid
conflicts when uploading CLs upstream.
Bug: 170126760
Change-Id: I9c087e70998cd529b71dec7428641c4bfef10d31
This is to support the addition of the device state manager service and
its associated binder service.
Test: Manual - Modify policy and verify binder service can be published.
Fixes: 170034199
Change-Id: Id63cb1db3ee80ec699e98443457c113d6be809fe
This patch adds the requisite permissions for the VcnManagementService.
Bug: 163431877
Test: Compiles, boots, FrameworksNetTests passes
Change-Id: I6e03ee798027b28f67d60c6e4280fb3410ec94c4
The framework_watchdog_config_prop properties control framework watchdog
configurations to handle watchdog timeout loop. The properties are
written only by vendor_init.
More details and background: go/break-sys-watchdog-loop
Bug: 141948707
Change-Id: I6c0da5fdafba8165e79d0f04e0a82874f605a06d
/boot/etc/build.prop is a file available at first_stage_init to
be moved into /second_stage_resources.
The file is only read by first_stage_init before SELinux is
initialized. No other domains are allowed to read it.
Test: build aosp_hawk
Test: boot and getprop
Bug: 170364317
Change-Id: I0f8e3acc3cbe6d0bae639d2372e1423acfc683c7
In addition, allow shell to read this property.
Test: getprop -Z
Test: cts-tradefed run cts -m CtsGestureTestCases
and check /sdcard/device-info-files/PropertyDeviceInfo.deviceinfo.json
Bug: 169169031
Change-Id: Ib71b01bac326354696e159129f9dea4c2e918c51
This will allow SystemServer to add the new vibrator manager service.
Bug: 166586119
Test: manually build and install on test device
Change-Id: I496f46e2f5482aaa7bfba31d6c6b2967486941cc
Denial when not listed in priv_app.te:
E SELinux : avc: denied { find } for pid=3213 uid=10170 name=music_recognition scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:music_recognition_service:s0 tclass=service_manager permissive=0
Bug: 158194857
Test: patched and tested on internal master
Change-Id: I30e9ea79a57d9c353b732b629bd5a829c89bbcb0
Add ro.build.ab_update.gki.prevent_downgrade_{version,spl} for
update_engine to determine whether downgrade in kernel version or SPL is
considered an error or not.
Bug: 162623577
Test: update_engine_unittest
Test: apply OTA
Change-Id: If602924d50a2d5cfb3c256b82491c413a9d39f9d
There is no need for this type to be declared because it is never
registered with hwservicemanager.
This has been removed in the past but it seems it didn't automerge.
Bug: 109802374
Test: N/A
Change-Id: Id9bbc5762b6dcc8066c8543cb93db937cc4fc858
The LocationTimeZoneManagerService is being added as a "true" service so
that it can be invoked by a shell command (i.e. adb shell cmd). This
also means it will be dumped as part of dumpsys.
Test: Build only
Bug: 149014708
Change-Id: Ie60c4bea3af27a89b88ed753f9cf6e74aab04cd3
Define the label dmabuf_system_heap_device for /dev/dma_heap/system.
This the default DMA-BUF heap that Codec2 will use one ION is
deprecated.
Test: video playback without denials with DMA-BUF heaps enabled
Bug: 168333162
Change-Id: Ief48165cd804bde00e1881a693b5eb44a45b633b
Bug: 167636754
Test: on a device that has triggers configured for this property
Test: adb shell setprop power.battery_input.suspended true to disable charging
Test: adb shell setprop power.battery_input.suspended false to reenable charging
Merged-In: I79209530d5355a59a1cb7a61c629339cd62f8eb1
Merged-In: I4692d84d5c137d11c6f648d15083614e707fdd07
Change-Id: I7a20c0d561a21fa958cf71c499604d70efdbe979
Bug: 167636754
Test: on a device that has triggers configured for this property
Test: adb shell setprop power.battery_input.suspended true to disable charging
Test: adb shell setprop power.battery_input.suspended false to reenable charging
Merged-In: I79209530d5355a59a1cb7a61c629339cd62f8eb1
Merged-In: I4692d84d5c137d11c6f648d15083614e707fdd07
Change-Id: I4692d84d5c137d11c6f648d15083614e707fdd07
Add updateable_module_file that describes all files under /modules. If
more directories (e.g. /modules/apex etc.) are added in the future,
separate labels should be applied to them.
Bug: 163543381
Test: on CF check /proc/mounts
Change-Id: Iceafebd85a2ffa47a73dce70d268d8a6fb5a5103
Add a domain for /data/local/tests which will be used by atest
to execute tests on devices as shell or root.
Bug: 138450837
Test: atest binderVendorDoubleLoadTest memunreachable_unit_test memunreachable_binder_test
Change-Id: Ia34314bd9430e21c8b3304ac079e3d9b5705e19c
It's release blocking if devices specify it. Since none are used
in-tree anymore, no reason to every use this again.
Bug: 131617943
Test: grepping source/build (which validates this isn't used)
Change-Id: I6f98ab9baed93e11403a10f3a0497c855d3a8695
Add userspace_reboot_metadata_file, which is written to by init,
and read by system server. System server will also handle the
deletion policy and organization of files within this directory,
so it needs additional permissions.
Test: Builds
Bug: 151820675
Change-Id: Ifbd70a6564e2705e3edf7da6b05486517413b211
hardware/interfaces/dumpstate/1.1 refers to this property,
so it must be defined in system/sepolicy.
Bug: 163759751
Test: atest VtsHalDumpstateV1_1TargetTest
Signed-off-by: Roman Kiryanov <rkir@google.com>
Change-Id: I058100eacd05e32de56e0ff9de465625a2e71e9c
cgroup v2 is going to be used for freezer v2 support. The cgroup v2 hiearchy
will be mounted by init under /sys/fs/cgroup hence proper access rights
are necessary for sysfs. After mounting, the cgroup v2 kernfs will use
the label cgroup_v2 and system_manager will handle the freezer
Bug: 154548692
Test: verified that files undes sysfs and cgroup v2 kernfs are accessed
as required to allow proper functioning for the freezer.
Change-Id: Idfb3f6e77b60dad032d1e306d2f9b58cd5775960
Adds proper file_contexts and domains for pre/postinstall hooks.
Allow the pre/postinstall hooks to communicate with update_engine stable
service.
Bug: 161563386
Test: apply a GKI update
Change-Id: I4437aab8e87ccbe55858150b95f67ec6e445ac1f
We add a new back end for SELinux based keystore2_key namespaces.
This patch adds the rump policy and build system infrastructure
for installing keystore2_key context files on the target devices.
Bug: 158500146
Bug: 159466840
Test: None
Change-Id: I423c9e68ad259926e4a315d052dfda97fa502106
Merged-In: I423c9e68ad259926e4a315d052dfda97fa502106
The context name exported3_radio_prop is ambiguous and does not reflect
the usage and role of the properties. This changes its name to
radio_control_prop.
Some downstream branches are still using exported3_radio_prop, so
get_prop(domain, radio_control_prop) is added to avoid regression. It's
just a workaround and to be removed soon, after all exported3_radio_prop
are cleaned up.
Bug: 162214733
Test: boot a device with a sim and see basic functions work
Change-Id: If5fe3be7c64b36435c4ad0dc9a8089077295d502
Merged-In: If5fe3be7c64b36435c4ad0dc9a8089077295d502
This is the stable AIDL binder interface that update_engine exposes in
addition to update_engine_service.
Test: run update_engine
Bug: 160996544
Change-Id: I28ba11810844373d48c8c203f79e98150f932942
