This service is requested by AOSP framework, but there is no context for
it defined.
Bug: 136023468
Test: N/A
Change-Id: Ibc5b048aaa1c9eda7b9180caca92cb876c3f6b28
Merged-In: Ibc5b048aaa1c9eda7b9180caca92cb876c3f6b28
(cherry picked from commit 67cb30fabf)
SELinux has a separate file mmap permission in 4.14+ kernels. Add this
to dexoptanalyzer(d) in cases where it could already access files (in
particular, secondary dex files).
Addresses denials of the form:
avc: denied { map } for […] path="/data/data/[…]" […]
scontext=u:r:dexoptanalyzer:s0 tcontext=u:object_r:app_data_file:s0
Test: Reproduce steps in bug 138683603 on a device with a 4.14+ kernel
and check the absence of SELinux denials
Bug: 138683603
Change-Id: Ieba53eb431c0ba3914dcb5e5abdae667bd063555
To support linker-specific property, sys.linker.* has been defined as
linker_prop. This will have get_prop access from domain so all binaries
can start with linker using proper property access level.
Bug: 138920271
Test: m -j && Confirmed from cuttlefish that get_prop errors are no longer found
Change-Id: Iaf584e0cbdd5bca3d5667e93cf9a6401e757a314
This should be available in user and userdebug builds.
Bug: 137289935
Test: Alongside atrace changes, recorded a trace using Traceur and
verified that the tracepoints were included in the recorded trace in
both user and userdebug builds.
Change-Id: I6131557bdd0a298be9e75b39759599b189b9b988
Additional permission is required for linkerconfig from domain to get
access to ld.config.txt file from linker. This change allows linker to
get /dev/linkerconfig/ld.config.txt
Bug: 138920271
Test: m -j && confirmed from cuttlefish
Change-Id: Id130a072add8ae82840b0b4d9e997e146f502124
This change is part of enabling upcoming platform changes that are
described in the bug linked below.
Bug: 135341433
Test: m
Change-Id: I6ef499b0d5aa403f8eb6699649a201d8cc004bc5
DEFAULT_SYSTEM_DEV_CERTIFICATE is not appropriate as some OEMs may need
to change only the certificates used to generate
plat_mac_permissions.xml for mainline modules.
Test: m, checked output plat_mac_permissions.xml
Bug: 138097611
Bug: 134995443
Change-Id: Ie19130a243db043f432039c54c379f06e60ab6c6
Allow dexoptanalyzer(d) to lock `system_file` files, so that it can
lock `/system/framework/$ISA/*.art` files (which is harmless as these
files live in a read-only partition, but admittedly simplifies the
corresponding logic in ART).
Addresses denials of the form:
avc: denied { lock } for path="/system/framework/arm/boot.art"
dev="dm-0" ino=1330 scontext=u:r:dexoptanalyzer:s0
tcontext=u:object_r:system_file:s0 tclass=file permissive=0 […]
Test: Reproduce steps in bug 138683603 and check the absence of SELinux denials
Bug: 138683603
Change-Id: I8a08822b4908b3b37bd0e450dd1356ed92332327
Used to restrict properties init.svc_debug_pid.*
Bug: 138114550
Test: getprop | grep init.svc_debug_pid only shows results on root
Change-Id: I0c10699deec4c548a2463a934e96b897ddee1678
Used to lazily start AIDL services.
Bug: 138756857
Test: Manual (using mediaextractor as a test service)
Change-Id: Ia1f2c10072e42d8917985c38500be0955f98b8eb
Now that our tools are routed to system_suspend, there is no reason for
system_suspend to write to /sys/power/wake_[un]lock.
Bug: 128923994
Bug: 115946999
Test: boot blueline, no denials from system_suspend
Change-Id: I1097d30c050ce7d88677e07f4aaef07ce78dc958