lmkd needs to read /proc/lowmemorykiller to send statslog events in response to
applications being killed.
Bug: 130017100
Change-Id: I929d5a372e1b2f63b7b5ed421f1898ebddaec01c
apexd needs to read /vendor/apex dir and files in it.
Bug: 131190070
Bug: 123378252
Test: 1. Add apex to /vendor/apex
-> see if boot succeeds with new policy
2. Add flattened apex to /vendor/apex
-> see if only root files are labelled as vendor_apex_file
Change-Id: I37795ab6d659ac82639ba5e34d628fe1b5cdb350
Bug: 130734497
Test: m selinux_policy; system_server and statds still have permission
to export HIDL services.
Change-Id: I6e87b236bdbdd939fca51fb7255e97635118ed2d
Merged-In: I6e87b236bdbdd939fca51fb7255e97635118ed2d
(cherry picked from commit 1d34b8cc31)
Bug: 130734497
Test: m selinux_policy; system_server and statds still have permission
to export HIDL services.
Change-Id: I6e87b236bdbdd939fca51fb7255e97635118ed2d
This change allows first-stage init to mount a tmpfs under
/debug_ramdisk to preserve files from the debug ramdisk, for
second-stage init to load sepolicy and property files.
This is to allow adb root on a USER build if the device is unlocked.
Bug: 126493225
Test: boot a device with debug ramdisk, checks related files are loaded
Change-Id: Iad3b84d9bdf5d8e789219126c88701bf969253ef
Merged-In: Iad3b84d9bdf5d8e789219126c88701bf969253ef
(cherry picked from commit 2e86fa0e81)
This change allows first-stage init to mount a tmpfs under
/debug_ramdisk to preserve files from the debug ramdisk, for
second-stage init to load sepolicy and property files.
This is to allow adb root on a USER build if the device is unlocked.
Bug: 126493225
Test: boot a device with debug ramdisk, checks related files are loaded
Change-Id: Iad3b84d9bdf5d8e789219126c88701bf969253ef
During preloading resources, zygote scans the overlay directories of
supported partitions looking for android RROs to apply statically. Zygote
currently is allowed to read overlays in /oem/overlay, but zygote does
not have the search permission to be able to scan /oem.
Without this patch, this denial is logged:
04-04 14:57:40.136 876 876 I auditd : type=1400 audit(0.0:9):
avc: denied { search } for comm="main" name="oem" dev="dm-3" ino=46
scontext=u:r:zygote:s0 tcontext=u:object_r:oemfs:s0 tclass=dir
permissive=0
Bug: 121033532
Test: booting without denials and stat oem succeeds
Change-Id: I661f3e0aff7ec3513870d08ddc122fc359b8f995
During preloading resources, zygote scans the overlay directories of
supported partitions looking for android RROs to apply statically. Zygote
currently is allowed to read overlays in /oem/overlay, but zygote does
not have the search permission to be able to scan /oem.
Without this patch, this denial is logged:
04-04 14:57:40.136 876 876 I auditd : type=1400 audit(0.0:9):
avc: denied { search } for comm="main" name="oem" dev="dm-3" ino=46
scontext=u:r:zygote:s0 tcontext=u:object_r:oemfs:s0 tclass=dir
permissive=0
Bug: 121033532
Test: booting without denials and stat oem succeeds
Change-Id: I661f3e0aff7ec3513870d08ddc122fc359b8f995
This selector is no longer used.
Bug: 123605817
Bug: 111314398
Test: compiles and boots
(cherry picked from commit 795add585c)
Change-Id: I673ce4b6898d58602e553e7cf194bb5eac8361e0
Allow netd to trigger the kernel synchronize rcu with open and close
pf_key socket. This action was previously done by system_server but now
it need to be done by netd instead because there might be race issue
when netd is operating on a map that is cleaned up by system server.
Bug: 126620214
Test: android.app.usage.cts.NetworkUsageStatsTest
android.net.cts.TrafficStatsTest
Change-Id: Id5ca86aa4610e37a2752709ed9cfd4536ea3bfaf
Merged-In: Id5ca86aa4610e37a2752709ed9cfd4536ea3bfaf
(Cherry picked from commit 8a5539b5f0)
ART follows the /data/user/0 symlink while loading cache files, leading
to:
avc: denied { getattr } for comm="webview_zygote" path="/data/user/0"
dev="sda35" ino=1310726 scontext=u:r:webview_zygote:s0
tcontext=u:object_r:system_data_file:s0 tclass=lnk_file permissive=0
Allow this access, the same as app and app_zygote do.
Bug: 123246126
Test: DeviceBootTest.SELinuxUncheckedDenialBootTest
Change-Id: I90faa524e15a17b116a6087a779214f2c2142cc2
(cherry picked from commit d40f7fd9d5)
