Add ro.build.ab_update.gki.prevent_downgrade_{version,spl} for
update_engine to determine whether downgrade in kernel version or SPL is
considered an error or not.
Bug: 162623577
Test: update_engine_unittest
Test: apply OTA
Change-Id: If602924d50a2d5cfb3c256b82491c413a9d39f9d
BINDER_FREEZE is used to block ipc transactions to frozen processes, so
only system_server must be allowed to use it.
Bug: 143717177
Test: manually verified that attempts to use BINDER_FREEZE by processes
other
than system_server receive a sepolicy denial
Test: verified that system_server can enable/disable the freezer in
binder
Change-Id: I0fae3585c6ec409809e8085c1cc9862be4755889
Add a domain for /data/local/tests which will be used by atest
to execute tests on devices as shell or root.
Bug: 138450837
Test: atest binderVendorDoubleLoadTest memunreachable_unit_test memunreachable_binder_test
Change-Id: Ia34314bd9430e21c8b3304ac079e3d9b5705e19c
`gsid` may receive a FIFO if invoked via `gsi_tool`.
For the `su root` case, allow `gsid` to read `shell` FIFO.
For the `adb root` case, allow `gsid` to read `su` FIFO.
Move `gsi_tool` related allow rules to userdebug and
eng build only, because these are development features
that require root permission, thus shouldn't be shipped
on a user build.
Bug: 166589508
Test: adb unroot && gzip -c system.raw | adb shell "zcat | su root gsi_tool install ..."
Test: adb root && gzip -c system.raw | adb shell "zcat | gsi_tool install ..."
Change-Id: I779e4d49eb57240b1a5422139d7683dbac0da988
We need to add an exception for a private type, it can only be
recognised if these are private policies.
Bug: 79161490
Test: TreeHugger
Change-Id: Icc902389e545f1ff4c92d2ab81c0617a3439f466
/dev/zero is inherited from apexd. This is required for
sh to start.
Bug: 126787589
Bug: 161563386
Test: apply GKI update
Change-Id: I8624996c129872b26d4c17242cb911b5e948d9bd
It's release blocking if devices specify it. Since none are used
in-tree anymore, no reason to every use this again.
Bug: 131617943
Test: grepping source/build (which validates this isn't used)
Change-Id: I6f98ab9baed93e11403a10f3a0497c855d3a8695
Add userspace_reboot_metadata_file, which is written to by init,
and read by system server. System server will also handle the
deletion policy and organization of files within this directory,
so it needs additional permissions.
Test: Builds
Bug: 151820675
Change-Id: Ifbd70a6564e2705e3edf7da6b05486517413b211
After change Ia7437b8297794502d496e9bd9998dddfdcb747ef, some build
targets are broken. This change fixes it.
Bug: 166334688
Test: build
Change-Id: Iaf6ca1ae5c461bd3c5059b27a148c7858679f795
During boot, system_server will need to write to files under
/sys/fs/cgroup/freezer. Change the cgroup_v2 policy to allow this
operation.
Test: booted device with change, verified that files are properly
accessed.
Bug: 154548692
Change-Id: I2ccc112c8870129cb1b8312023b54268312efcca
This allows Incremental Service (part of system_server) to query the
filled blocks of files on Incremental File System.
Test: atest service.incremental_test
BUG: 165799231
Change-Id: Id63f8f325d92fef978a1ad75bd6eaa8aa5e9e68b
gsid needs this to check if the underlying F2FS filesystem supports
file pinning.
Bug: 164988795
Test: Install a DSU package on CF
Test: avc denial goes away
Change-Id: Idc2456d7576cf61f6f891c082228c5143378d733
hardware/interfaces/dumpstate/1.1 refers to this property,
so it must be defined in system/sepolicy.
Bug: 163759751
Test: atest VtsHalDumpstateV1_1TargetTest
Signed-off-by: Roman Kiryanov <rkir@google.com>
Change-Id: I058100eacd05e32de56e0ff9de465625a2e71e9c
cgroup v2 is going to be used for freezer v2 support. The cgroup v2 hiearchy
will be mounted by init under /sys/fs/cgroup hence proper access rights
are necessary for sysfs. After mounting, the cgroup v2 kernfs will use
the label cgroup_v2 and system_manager will handle the freezer
Bug: 154548692
Test: verified that files undes sysfs and cgroup v2 kernfs are accessed
as required to allow proper functioning for the freezer.
Change-Id: Idfb3f6e77b60dad032d1e306d2f9b58cd5775960
