and allow shell and system_app (Settings) to set it to enable Dynamic System Update.
Also allow priv_app (user of the API) to read it.
Bug: 119647479
Bug: 129060539
Test: run the following command on crosshatch-user:
adb shell setprop persist.sys.fflag.override.settings_dynamic_system 1
Change-Id: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
Merged-In: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
add the new ro properties added to surfaceflinger:
ro.surface_flinger.set_idle_timer_ms
ro.surface_flinger.use_smart_90_for_video
Bug: 131054357
Test: Boot with SELinux enforcing
Change-Id: I887b318a95db200280344a11fcf7deaadafdeca9
Bug: 130734497
Test: m selinux_policy; system_server and statds still have permission
to export HIDL services.
Change-Id: I6e87b236bdbdd939fca51fb7255e97635118ed2d
Merged-In: I6e87b236bdbdd939fca51fb7255e97635118ed2d
(cherry picked from commit 1d34b8cc31)
The bootstrap bionic (/system/lib/bootstrap/*) are only to the early
processes that are executed before the bionic libraries become available
via the runtime APEX. Allowing them to other processes is not needed and
sometimes causes a problem like b/123183824.
Bug: 123183824
Test: device boots to the UI
Test: atest CtsJniTestCases:android.jni.cts.JniStaticTest#test_linker_namespaces
Merged-In: Id7bba2e8ed1c9faf6aa85dbbdd89add04826b160
Change-Id: Id7bba2e8ed1c9faf6aa85dbbdd89add04826b160
(cherry picked from commit a0f998e6de)
This is needed for bugreport to include ANR trace for the process.
Bug: 128878895
Test: adb bugreport
Change-Id: I92e6952b03ffb047e9fb75b0e44024f2623debb3
We no longer have /system/etc/security/apex/* as the public keys are all
bundled in APEXes. Removing the selinux label and policies for it.
Bug: 936942
Test: device is bootable
Change-Id: I6b6144a8d15910d1ba8584a0778244ed398dc615
Property is NNAPI client-readable and writeable only by init/build.prop.
Bug: 129666983
Bug: 120483623
Test: flashed crosshatch/Cts tests for NNAPI
Change-Id: Ic4c0f176440610a2c54c078863f3d5382323cc65
Denial:
libc : Unable to set property "wifi.active_interface" to "wlan0":
error code: 0x18
Bug: 129506593
Test: Verified that the denial is no longer seen in the logs
Change-Id: Ia345f5df1446e7ba3a44d6e8299bdc1f5f6ad9c8
Since ipmemorystore service has been moved to network stack from
system service, also should revert the relevant sepolicy which is
corresponding to the previous configuration.
Bug: 128392280
Test: atest FrameworksNetTests NetworkStackTests
Change-Id: I1ae09696e620b246f817db71e7b71c32aae9be05
This allows init to tune some f2fs knobs like cp_interval.
Bug: 127511432
Change-Id: I9353444578cb47bc7965cd7b068954a8270c5391
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Not every device can support GPU protected contents, add a sysprop to allow
configuration.
BUG: 35315015
Test: N/A
Change-Id: I59f1b3ea81db742bc4d0b5a22e82de7385a726b7
Need ability for system components to access psi memory pressure file.
Add required permissions for system_server and init to access
/proc/pressure/memory file.
Bug: 129476847
Test: system_server can read /proc/pressure/memory
Change-Id: I10ce4f4fe0e3618fa77539e93246d0aae933082c
Signed-off-by: Tim Murray <timmurray@google.com>
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Domains that access super_block_device should instead
access super_block_device_type, which includes appropriate
block devices for retrofit DAP devices.
Test: boots (sanity)
Test: manual OTA
Bug: 128991918
Change-Id: Ie025b1e3c17e82330042aaa4a3e2e4a02ec1265b
To install GSIs on external storage (such as sdcards), gsid needs some
additional privileges:
- proc_cmdline and device-tree access to call ReadDefaultFstab().
This is ultimately used to check whether system's dm-verity has
check_at_most_once enabled, which is disallowed with sdcards.
- vfat read/write access to write files to the sdcard. Note that
adopted sdcards are not supported here.
- read access to the sdcard block device. To enable this without
providing access to vold_block_device, a new sdcard_block_device
label was added. Devices must apply this label appropriately to
enable gsid access.
- FIBMAP access for VFAT filesystems, as they do not support FIEMAP.
This only appears to work by granting SYS_RAWIO.
Bug: 126230649
Test: adb shell su root gsi_tool install --install_dir=/mnt/media_rw/...
works without setenforce 0
Change-Id: I88d8d83e5f61d4c0490f912f226fe1fe38cd60ab
fsverity_init is a new shell script that uses mini-keyctl for the actual
key loading. Given the plan to implement keyctl in toybox, we label
mini-keyctl as u:object_r:toolbox_exec:s0.
This gives us two benefits:
- Better compatibility to keyctl(1), which doesn't have "dadd"
- Pave the way to specify key's security labels, since keyctl(1)
doesn't support, and we want to avoid adding incompatible option.
Test: Boot without SELinux denial
Test: After boot, see the key in /product loaded
Bug: 128607724
Change-Id: Iebd7c9b3c7aa99ad56f74f557700fd85ec58e9d0
