This sets up a selinux domain (notify_traceur) that can be called from
init and has the permissions to run the activitymanager script.
Bug: 116754134
Test: manual
Change-Id: Ia371bafe5d3d354efdf8cd29365cd74ed3e5cdfd
Chrome Crashpad uses the the dynamic linker to load native executables
from an APK (b/112050209, crbug.com/928422)
Addresses the following denial:
avc: denied { execute_no_trans } for comm="Chrome_IOThread" path="/bionic/bin/linker" dev="loop5" ino=24 scontext=u:r:untrusted_app_27:s0:c106,c256,c512,c768 tcontext=u:object_r:system_linker_exec:s0 tclass=file permissive=0 app=com.android.chrome
Test: compiles and builds.
Change-Id: I14f80592a74c36754c28313e94399258b2c42170
Will be used to forcefully turn on memfd if device supports it.
Currently used only for debugging.
Change-Id: I46a1b7169677ea552d4b092e7501da587c42ba1a
Signed-off-by: Joel Fernandes <joelaf@google.com>
We're investigating a bug where vold gets wedged, and we need to
collect ANR stack traces from it to debug further.
avc: denied { signal } for comm="watchdog" scontext=u:r:system_server:s0 tcontext=u:r:vold:s0 tclass=process permissive=0
avc: denied { ptrace } for scontext=u:r:crash_dump:s0 tcontext=u:r:vold:s0 tclass=process permissive=0
Bug: 122090837
Test: manual
Change-Id: I738e63717715189b9ae2317472f671e3563afaa9
Allow traced to read the format file for the print event on user.
This does not allow traced to enable any event it could not already
as the events under /d/tracing/events/ftrace/ are special and are
always enabled. Being able to read the format file means we don't have
to speculate on the id and layout of the print event.
Bug: 122471587
Test: atest CtsPerfettoTestCases:PerfettoTest#TestFtraceFlush
Change-Id: I39379f2fa13ab80bf3d14e244066c2ba1bd4d11b
This CL introduces allows traced to set the
sys.traceur.trace_end_signal property at the end
of the tracer. In turn that property notifies the
the Traceur app.
This is to allowing Traceur to be killed during
a long-trace and avoid wasting resources making
it a persistent service.
See aosp/886616 for the matching traceur change.
Test: manual
Bug: 116754732
Change-Id: I89e2f02b3f973813ce8ff3507d397a06502f84c1
In order to offload application tcp socket’s keepalive
message, system server must know if application's socket
is idle with no data in send/receive queues. Allow
system_server to use ioctl on all tcp sockets.
Bug: 114151147
Test: -build, flash, boot
Change-Id: I3f5a0e06bc22f8a64ae6180db48df2a31106c511
In order to support rollback for apex files, apexd will need to unlink
previously active apex files in /data/apex/active folder. Those files
are hardlinked from /data/staging/session_XXXX which means that they
have staging_data_file:file SELinux fields.
I double checked that this change won't allow apexd to unlink files in
/data/staging/session_XXXX folders, because it will lack write access,
logcat contains following entries:
avc: denied { write } for name="session_305119585" dev="sda13" ino=5496838 scontext=u:r:apexd:s0 tcontext=u:object_r:staging_data_file:s0 tclass=dir permissive=0
Bug: 122339211
Test: verified that apexd can't unlink files in /data/staging/session_XXXX
Change-Id: Iddef724c3d73269c97d9fa12a05a276fad189ea9
all_untrusted_apps apart from untrusted_app_{25, 27} and mediaprovider
are now expected to go to ashmemd for /dev/ashmem fds.
Give coredomain access to ashmemd, because ashmemd is the default way
for coredomain to get a /dev/ashmem fd.
Bug: 113362644
Test: device boots, ashmemd running
Test: Chrome app works
Test: "lsof /system/lib64/libashmemd_client.so" shows
libashmemd_client.so being loaded into apps.
Change-Id: I279448c3104c5d08a1fefe31730488924ce1b37a
Add some missing fields, document undocumented fields, update
precedence rules, and attempt to give slightly more context.
Test: Builds
Change-Id: Id106ebe3aa6c18697db82a775cc54ed07b6c1a57
