In normal Android, libsnapshot interacts with libfiemap over binder (via
IGsid). There is no binder in recovery, so instead, we directly link to
the library and therefore need appropriate sepolicy changes.
Bug: 139154945
Test: no denials in recovery or fastbootd
Change-Id: I356d7b5b906ac198e6f32c4d0cdd206c97faeb84
Looking at go/sedenials, we're fairly confident that this domain has all
the necessary permissions. This change enforces all the defined rules
for the permissioncontroller_app domain and unsets the permissive mode.
Bug: 142672293
Test: Build successfully, flashed a phone and basic usage of Permission Manager seemed to work well.
Change-Id: I3fb9cfaa216ddbd865b56e72124374eb1c75dea8
/sys/class/wakeup/wakeupN can point to an arbitrary path in sysfs. Add
"search" permission for path resolution.
Bug: 144095608
Test: m selinux_policy
Change-Id: I033d15b4ca56656f144189f5c2b1b885f30155a3
create a single com.android.cellbroadcast apex to pack two apks
together: com.android.cellbroadcastreceiver and
com.android.cellbroadcastservice.
Bug: 135956699
Test: m com.android.cellbroadcast && adb install
com.android.cellbroadcast
Change-Id: Ib3f4447e1215f3dbff2ed019d4e15f3cea062920
incident report contains similar data as in a bugreport, but in proto
format. Currently ro.serialno is not captured due to selinux settings.
Test: adb shell incident -p LOCAL 1000
Bug: 143372261
Change-Id: I6a89308c1347fba2ce4f7b469f9a02b119d4aeb7
com.android.ipsec will be shipped as a mainline module in APEX
format. A file_contexts is required for building an APEX.
Bug: 143905344
Test: Built and installed apex on device
Change-Id: I9f9a6190886181e9e4254ea2a984d338fda533da
Android is moving away from debugfs. Information from /d/wakeup_sources
and /d/suspend_stats is now also exposed in sysfs under
/sys/class/wakeup/* and /sys/power/suspend_stats/* respectively:
https://lkml.org/lkml/2019/7/31/1349https://lkml.org/lkml/2019/8/6/1275
Allow SystemSuspend to read those sysfs nodes.
One caveat is that /sys/class/wakeup/wakeupN can be a symlink to a
device-specific location. In this case, device sepolicy should label
that the files appropriately. This is similar to how device policy
applies "sysfs_net" and "sysfs_batteryinfo" labels.
Bug: 144095608
Bug: 129087298
Test: boot cuttlefish; system_suspend is able to read
/sys/power/suspend_stats/* and /sys/class/wakeup/*
Change-Id: I350c88a271c0f422d0557aeb5e05e1537dc97bc9
init should register native services with lmkd so that they can be killed
when necessary. Allow init to communicate with lmkd over dedicated socket
the same way AMS does. Allow lmkd to kill and manipulate native processes
that were registered with lmkd.
Bug: 129011369
Test: boot and verify native service registration
Test: verify lmkd can kill registered native processes using lmkd_unit_test
Change-Id: Idfc814bd08115c548e97f11a6bdb006790cbb4ed
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Relax the requirement to have both seinfo and name specified for
privapps. The original reason for requiring both was because, normally,
a package can only be uniquely specified by both name and signature,
otherwise package squatting could occur. However, privapps are
pre-installed, so the concerns about the potential for package squatting
are eliminated. This change will drastically simplify sepolicy
configuration for priv-apps.
Bug: 142672293
Test: Flashed a device with this build and verified
com.google.android.permissioncontroller still runs in the
permissioncontroller_app domain.
Change-Id: I5bb2bf84b9db616c4492bd1402550821c70fdd07
Allow audioserver to signal audio HAL processes and
generate tombstones in case of watchdog restart.
Bug: 141528385
Test: Force watchdog and verify tombstone creation
Change-Id: I39bb4a63aa93efab68baad3890b8f49fc5f79ead
Add some rules based on the SELinux denials observed.
Bug: 143905061
Bug: 142672293
Test: Green builds, no more denials for the 7 services added.
Change-Id: I27e4634cb1df03166e734f6c12c8cb9147568d72
System_server will read this property to determine if it should
expect the lmkd sends notification to it on low memory kills.
Bug: 136036078
Test: atest CtsAppExitTestCases:ActivityManagerAppExitInfoTest
Change-Id: Iff90f7d28dc7417994f5906333d58fb18cb4a04c
