A new sysprop neverallow rules are mandatory only for devices launching
with R or later. For devices already launched, neverallow rules can be
relaxed with adding following line to BoardConfig.mk:
BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
Bug: 131162102
Test: Set PRODUCT_SHIPPING_API_LEVEL := 30 and try building with
changing some system_public_prop to system_internal_prop
Test: m cts sepolicy_tests
Change-Id: Id978b4d81a8683a57304bb639961105e2d91fa9a
Merged-In: Id978b4d81a8683a57304bb639961105e2d91fa9a
(cherry picked from commit 3be11e7abb)
Error out if we detect that there is a security_classes or
access_vectors file outside of system/sepolicy.
Of course, this test can't enforce any requirements, as it's not part of
CTS. But it can still serve as an early signal.
Fixes: 142153384
Test: add access_vectors to device policy, observe build error
Change-Id: Ib94b7f85e184340de8ec7943c8da88a0af3427e8
This property is used for testing purposes when verifying the
behavior when an OTA occurs. It should be readable by the
system server, and be settable by the shell.
Test: Set property from shell, read with PackageManager
Bug: 140992644
Change-Id: I39ad9b7961208f02fa45011215c2ff5ac03b7380
NetworkStack will need to use netlink_tcpdiag_socket to get tcp
info. In order to support updatability for NetworkStack as it's
a mainline module, get the information from kernel directly to
reduce the dependecy with framework.
Test: Build and test if NetworkStack can get the tcp_info without
SEPolicy exception
Bug: 136162280
Change-Id: I8f584f27d5ece5e97090fb5fafe8c70c5cbbe123
Install mapping files in SYSTEM_EXT_PRIVATE_POLICY and
PRODUCT_PRIVATE_POLICY into /system_ext and /product respectively.
Bug: 141084341
Test: boot taimen
Test: system mapping files are unchanged
Test: create mapping files in device/google/wahoo/sepolicy/ and check
that they are correctly expanded and installed.
Change-Id: I4d251c957b30a16df71eec47c871e24e5fc773a4
We need an APEX module for permission to reliably roll back runtime
permission state, specifically, platform runtime-permissions.xml will
be moved into the data directory of this APEX and be rolled back when
PermissionController is rolled back.
Bug: 136503238
Test: build
Change-Id: Id3ade3f2f7d31f7badf456d438e01ce0eac964eb
This CL addresses the following denial, when vendor_misc_writer tries to
read DT fstab (i.e. device tree fstab) for /misc entry.
avc: denied { search } for comm="misc_writer" name="android" dev="sysfs" ino=17456 scontext=u:r:vendor_misc_writer:s0 tcontext=u:object_r:sysfs_dt_firmware_android:s0 tclass=dir
DT fstab was used for devices shipped prior to Q, for early-mounting
partitions (e.g. /system, /vendor, /product), which has been disallowed
for Q launch devices. vendor_misc_writer is a new module added since Q,
so it doesn't need to worry about the legacy code path; in practice
there's no benefit of putting /misc entry into DT fstab either.
Bug: 134122603
Test: Build and flash taimen with the change that enables
vendor_misc_writer. Check that it no longer gives the above denial
during boot.
Change-Id: Id2fb206706f7cd19a4cde2701e4155bfc03f01b4
Newly added ro.lmk.psi_partial_stall_ms, ro.lmk.psi_complete_stall_ms,
ro.lmk.thrashing_limit and ro.lmk.thrashing_limit_decay should be
configurable by vendors.
Bug: 132642304
Change-Id: Ifd3513c78e75d77be8d7c3594bef48ea27cc80b3
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
This is needed to get Java heap graphs.
Test: flash aosp; profile system_server with setenforce 1
Bug: 136210868
Change-Id: I87dffdf28d09e6ce5f706782422510c615521ab3
APEX modules can be configured with apex_name and file_contexts
properties.
- apex_name overrides the activation point
for example, if apex_name is 'foo', it will be flattened under
/system/apex/foo even if its name is 'bar'.
- file_contexts overrides file_contexts filename
for example, it file_contexts is 'foo',
/system/sepolicy/apex/foo-file_contexts should be used even if its
name is 'bar'.
Previously, file_contexts files for flattened apexes are assumed to have
names like "/system/sepolicy/apex/<apex_name>-file_contexts". But, as
described above, calculating <apex_name> from file entries might be
wrong
Now, it relies on Soong's makevar APEX_FILE_CONTEXTS_INFOS which is list of
<apex_name>:<file_contexts> pairs.
Bug: 123314817
Bug: 142300241
Test: add apex module(foo) with apex_name:bar and file_contexts:baz
Test: OVERRIDE_TARGET_FLATTEN_APEX=true m file_contexts.bin
Test: check intermediate files for file_contexts
Change-Id: I3793c0f01469baaa0ddb1965093a56304a10e99c
zygote now allocates JIT memory using libcutils API (aosp/1135101)
instead of going to /dev/ashmem directly, which requires execute
permissions to ashmem_libcutils_device.
Bug: 134434505
Test: boot crosshatch
Change-Id: I0a54d64bd4656fafd2f03701d7828cfa94c08f04
https://boringssl-review.googlesource.com/c/boringssl/+/38024 will
introduce a feature allowing vendors finer grained control over
BoringSSL's random source by setting a system property.
The property needs to be settable from vendor init and readable by all
processes on the device.
As BoringSSL will be in a mainline module, we need to provide a
non-source code way of allowing vendor customisations.
Bug: 142129238
Test: Observe property is settable from /vendor/default.prop and
readable by non-root, non-vendor processes.
Change-Id: I4c20349f1b2ab2f51ac11ec552b99b1e15b14dd8
Only allow apps targetting < Q and ephemeral apps to open /dev/ashmem.
Ephemeral apps are not distinguishable based on target API. So allow
ephemeral_app to open /dev/ashmem for compatibility reasons.
For sake of simplicity, allow all domains /dev/ashmem permissions other
than "open". Reason being that once we can remove "open" access
everywhere, we can remove the device altogether along with other
permission.
Bug: 134434505
Test: boot crosshatch; browse internet, take picture;
no ashmem_device denials
Change-Id: Ib4dddc47fcafb2697795538cdf055f305fa77799
![](/avatar/ef4a85532a29218c6b19b60e782b0746?size=56 "Harpreet \\"Eli\\" Sangha"){kind=small}
