(cherry picked from commit eb717421b1)
The new A/B OTA artifact naming scheme includes the target slot so
that the system is robust with respect to unexpected reboots. This
complicates the renaming code after reboot, so it is moved from the
zygote into a simple script (otapreopt_slot) that is hooked into
the startup sequence in init.
Give the script the subset of the rights that the zygote had so that
it can move the artifacts from /data/ota into /data/dalvik-cache.
Relabeling will be done in the init rc component, so relabeling
rights can be completely removed.
Bug: 25612095
Bug: 28069686
Change-Id: Iad56dc3d78ac759f4f2cce65633cdaf1cab7631b
(cherry picked from commit 6c3f2831ac)
Allow priv_app, uncrypt, update_engine to access the OTA packages at
/data/ota_package (both A/B and non-A/B). GMSCore (priv_app) checks
the existence of the folder, and downloads the package there if present.
Bug: 28944800
Change-Id: I3c0717861fce7f93b33874a99f6a4a55567612a5
* changes:
Allow wificond to drop privileges after startup
Allow wificond to set interfaces up and down
Allow wificond to clean up wpa_supplicant state
Allow wificond to drop signals on hostapd
Give wificond permission to start/stop init services
Give hostapd permissions to use its control socket
Allow wificond to write wifi component config files
add netlink socket permission for wificond
SEPolicy to start hostapd via init
Allow system_server to call wificond via Binder
Allow wificond to mark interfaces up and down
Separate permissions to set WiFi related properties
Define explicit label for wlan sysfs fwpath
sepolicy: Add permissions for wpa_supplicant binder
sepolicy: add sepolicy binder support for wificond
Sepolicy files for wificond
(cherry picked from commit e8a53dff5b)
With the breakup of mediaserver, distinguishing between
camera_device and video_device is meaningful. Only grant
cameraserver access to camera_device.
Bug: 28359909
Change-Id: I0ae12f87bac8a5c912f0a693d1d56a8d5af7f3f3
While here, remove a lot of extra permissions that we apparently
had because hostapd was inheriting fds from netd.
Bug: 30041118
Test: netd can request init to start/stop hostapd without denials.
Change-Id: Ia777497443a4226a201030eccb9dfc5a40f015dd
(cherry picked from commit 8a6c5f8553)
This sepolicy change allows wificond to run as a daemon.
BUG=28865186
TEST=compile
TEST=compile with ag/1059605
Add wificond to '/target/product/base.mk'
Adb shell ps -A | grep 'wificond'
Change-Id: If1e4a8542ac03e8ae42371d75aa46b90c3d8545d
(cherry picked from commit 4ef44a616e)
A new directory is created in user data partition that contains preloaded
content such as a retail mode demo video and pre-loaded APKs.
The new directory is writable/deletable by system server. It can only be
readable (including directory list) by privileged or platform apps.
Bug: 28855287
Change-Id: I3816cd3a1ed5b9a030965698a66265057214f037
am: ad7a0ad2ce
* commit 'ad7a0ad2ce259de8146fe79c21e5f7fac2569b6f':
sepolicy: add support for devices without cache partition
Change-Id: I0a81cd1aafb01cd722e5cf452cd8dd2e3b136bd4
Adds the rules for /data/cache used for devices which do
not have a cache partition.
Bug: 28747374
Change-Id: I7c749e7692c9b8eab02029bbae5a3c78585030da
Give mount & chroot permissions to otapreopt_chroot related to
postinstall.
Add postinstall_dexopt for otapreopt in the B partition. Allow
the things installd can do for dexopt. Give a few more rights
to dex2oat for postinstall files.
Allow postinstall files to call the system server.
Bug: 25612095
Change-Id: If7407473d50c9414668ff6ef869c2aadd14264e7
(cherry pick from commit 16fe52c90c)
One time executables. recovery_refresh can be used at any time to
ensure recovery logs in pmsg are re-placed at the end of the FIFO.
recovery_persist takes the recovery logs in pmsg and drops them
into /data/misc/recovery/ directory.
Bug: 27176738
Change-Id: Ife3cf323930fb7a6a5d1704667961f9d42bfc5ac
HwRngTest needs access to the hwrandom sysfs files, but untrusted_app
does not have access to sysfs. Give these files their own label and
allow the needed read access.
(cherry-pick from internal commit: 85c0f8affa)
Bug: 27263241
Change-Id: If572ad0931a534d76e148b688b76687460e99af9
HwRngTest needs access to the hwrandom sysfs files, but untrusted_app
does not have access to sysfs. Give these files their own label and
allow the needed read access.
Bug: 27263241
Change-Id: I718ba485e9e6627bac6e579f746658d85134b24b
... and client apps to read them.
A full path looks like this:
/data/system_ce/[user-id]/shortcut_service/bitmaps/[creator-app-package]/[timestamp].png
System server will:
- Create/delete the directories.
- Write/remove PNG files in them.
- Open the PNG files and return file descriptors to client apps
Client apps will:
- Receive file descriptors and read from them.
Bug: 27548047
Change-Id: I3d9ac6ab0c92b2953b84c3c5aabe1f653e6bea6b
When using the A/B updater, a device specific hook is sometimes needed
to run after the new partitions are updated but before rebooting into
the new image. This hook is referred to throughout the code as the
"postinstall" step.
This patch creates a new execution domain "postinstall" which
update_engine will use to run said hook. Since the hook needs to run
from the new image (namely, slot "B"), update_engine needs to
temporarily mount this B partition into /postinstall and then run a
program from there.
Since the new program in B runs from the old execution context in A, we
can't rely on the labels set in the xattr in the new filesystem to
enforce the policies baked into the old running image. Instead, when
temporarily mounting the new filesystem in update_engine, we override
all the new file attributes with the new postinstall_file type by
passing "context=u:object_r:postinstall_file:s0" to the mount syscall.
This allows us to set new rules specific to the postinstall environment
that are consistent with the rules in the old system.
Bug: 27177071
TEST=Deployed a payload with a trivial postinstall script to edison-eng.
(cherry picked from commit 6cb2c893b1)
Change-Id: I49a529eecf1ef0524819470876ef7c8c2659c7ef
When using the A/B updater, a device specific hook is sometimes needed
to run after the new partitions are updated but before rebooting into
the new image. This hook is referred to throughout the code as the
"postinstall" step.
This patch creates a new execution domain "postinstall" which
update_engine will use to run said hook. Since the hook needs to run
from the new image (namely, slot "B"), update_engine needs to
temporarily mount this B partition into /postinstall and then run a
program from there.
Since the new program in B runs from the old execution context in A, we
can't rely on the labels set in the xattr in the new filesystem to
enforce the policies baked into the old running image. Instead, when
temporarily mounting the new filesystem in update_engine, we override
all the new file attributes with the new postinstall_file type by
passing "context=u:object_r:postinstall_file:s0" to the mount syscall.
This allows us to set new rules specific to the postinstall environment
that are consistent with the rules in the old system.
Bug: 27177071
TEST=Deployed a payload with a trivial postinstall script to edison-eng.
Change-Id: Ib06fab92afb45edaec3c9c9872304dc9386151b4
system_server used to communicate with uncrypt via files (e.g.
/cache/recovery/command and /cache/recovery/uncrypt_status). Since A/B
devices may not have /cache partitions anymore, we switch to communicate
via /dev/socket/uncrypt to allow things like factory reset to keep
working.
Bug: 27176738
Change-Id: I73b6d6f1ecdf16fd4f3600b5e524da06f35b5bca
This is a special profile folder where apps will leave profile markers
for the dex files they load and don't own. System server will read the
markers and decide which apk should be fully compiled instead of
profile-guided compiled.
Apps need only to be able to create (touch) files in this directory.
System server needs only to be able to check whether or not a file with a
given name exists.
Bug: 27334750
Bug: 26080105
Change-Id: I2256e4aba1ec0e5117de6497123223b9a74f404e
Ringtones often live on shared media, which is now encrypted with CE
keys and not available until after the user is unlocked. To improve
the user experience while locked, cache the default ringtone,
notification sound, and alarm sound in a DE storage area.
Also fix bug where wallpaper_file wasn't getting data_file_type.
Bug: 26730753
Change-Id: Ib1f08d03eb734c3dce91daab41601d3ed14f4f0d
Part of media security hardening
This is an intermediate step toward moving
mediadrm to a new service separate from mediaserver.
This first step allows mediadrmservice to run based
on the system property media.mediadrmservice.enable
so it can be selectively enabled on devices that
support using native_handles for secure buffers.
bug: 22990512
Change-Id: I2208c1e87a6bd8d5bfaed06b1fdcb0509c11cff2