A number of things have changed, such as how the linkerconfig is
managed. Update permissions to reflect the changes.
Bug: 181182967
Test: Manual OTA of cuttlefish
Change-Id: I32207eb7c5653969e5cef4830e18f8c8fb330026
It needs to read parameters that have been moved from /proc/cmdline
to /proc/bootconfig
Test: boot Cuttlefish with 5.10 and 4.19 kernels
Bug: 173815685
Change-Id: I437b76634b7c8e779e32b68cd3043d02f4228be5
Create contexts for /sys/kernel/tracing/instances/bootreceiver
Allow read access to files in this dir for system_server.
Bug: 172316664
Bug: 181778620
Test: manual runs with KFENCE enabled
Signed-off-by: Alexander Potapenko <glider@google.com>
Change-Id: I7021a9f32b1392b9afb77294a1fd0a1be232b1f2
As part of the keystore2 requirement, we give the keys used for
resume on reboot a separate context in keystore. And grant system
server the permission to generate, use and delete it.
Bug: 172780686
Test: resume on reboot works after using keystore2
Change-Id: I6b47625a0864a4aa87b815c6d2009cc19ad151a0
Now that we have proper API using which update_engine can ask apexd to
reserve space, we no longer need to allow update_engine access to
directories at /data/apex.
Instead, apexd should get those permission.
Bug: 172911822
Test: atest ApexHandlerAndroidTest
Change-Id: I3a575eead0ac2fef69e275077e5862e721dc0fbf
Zygote will trigger sdcardfs to read and open media_rw_data_file:dir.
We can safely ignore this message.
Bug: 177248242
Test: Able to boot without selinux warning.
Change-Id: Ie9723ac79547bf857f55fc0e60b461210a4e4557
This allows the FUSE daemon handle FUSE_LOOKUP requests across user boundaries.
Workaround to support some OEMs for their app cloning feature in R
Bug: 162476851
Bug: 172177780
Test: Manual
Change-Id: Ic1408f413ec3dc4917d3acfda2c5f62f9c16f187
Revert submission 1572240-kernel_bootreceiver
Reason for revert: DroidMonitor: Potential culprit for Bug 181778620 - verifying through Forrest before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.
Reverted Changes:
Ic1c49a695:init.rc: set up a tracing instance for BootReceive...
I828666ec3:Selinux policy for bootreceiver tracing instance
Change-Id: I9a8da7ae501a4b7c3d6cb5bf365458cfd1bef906
build_sepolicy internally uses other tools like checkpolicy and
version_policy. The dependencies are used to be found under
out/host/linux-x86/bin. But that assumption doesn't hold when soong
tried to sandbox command invocations. This change fixes the problem by
setting --android_host_path to the directory where build_sepolicy is
sandboxed and also by adding the internal dependeicies to the `tools`
property so that they are copied to the sandbox directory.
Bug: N/A
Test: choosecombo into aosp_x86_64 and run
m out/soong/.intermediates/system/sepolicy/microdroid_vendor_sepolicy.cil_gen/gen/vendor_sepolicy.cil
Change-Id: I28ae1f9013439f3ca1196b3816e0388ced5246e1
This reverts commit 2c2c1f7c00.
Reason for revert: reland with a forward fix
Test: m on aosp_x86_64
Change-Id: I5c89ebeda88ca65286dff1e64841c2ada8634d34
The policies allow system server to register a pac_proxy_service.
Bug: 177035719
Test: FrameworksNetTests
Change-Id: Idf64dc6e491f5bce66dcab2dbf15823c8d0c2403
This property is set to true in rollback tests to prevent
fallback-to-copy when enabling rollbacks by hard linking.
This gives us insights into how hard linking fails where
it shouldn't.
Bug: 168562373
Test: m
Change-Id: Iab22954e9b9da21f0c3c26487cda60b8a1293b47
Create contexts for /sys/kernel/tracing/instances/bootreceiver
Allow read access to files in this dir for system_server.
Bug: 172316664
Test: manual runs with KFENCE enabled
Signed-off-by: Alexander Potapenko <glider@google.com>
Change-Id: I828666ec3154aadf138cfa552832a66ad8f4a201
This is required in addition to reading files under the dir, so that
profcollectd can generate profiles for them.
Test: presubmit
Bug: 166559473
Change-Id: Ic46acab3cfc01c549e2f3ba5e765cb2c4ac8a197
This is required for it to be able to create DEVMAP/DEVMAP_HASH maps.
See kernel source code in kernel/bpf/devmap.c:
static struct bpf_map *dev_map_alloc(union bpf_attr *attr) {
...
if (!capable(CAP_NET_ADMIN)) return ERR_PTR(-EPERM);
Test: atest, TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I2fc5b1541133859857fc9baa7564965f240c842a
odrefresh should setattr on generated artifacts. This is apparent now
that it is now launched from init which sets a restrictive umask on
forked processes.
Bug: 181397437
Test: manually apply ART APEX update
Change-Id: I8e30c1ef1e42b3b68b3c07e860abb4dc2728e275
