We plan on migrating MetricsLogger to write to statsd socket. So we need to
allow zygote, which writes to logd using MetricsLogger, to also be able
to statsd. We also re-locate some sepolicies to write to statsd socket
in their respective policy definitions.
Bug: 110537511
Test: no failure/violations observed
Change-Id: I21fd352a25ed946516f9a45ac3b5e9bf97b059bc
Part of an effort to remove Treble-specifics in the way be build
sepolicy.
Fixes: 64541653
Test: m selinux_policy for aosp_arm64
Change-Id: I9e42c720018674e7d3a6c47e01995401c4e748a7
A default set of options are available, but can override in a fstab
overlay entry with upperdir=, lowerdir= to the same mount point,
workdir=. The default is a valid /mnt/scratch/overlay/
or /cache/overlay/ directory, with .../<mount_point>/upper and
.../<mount_point>/work, associated with each system partition
<mount_point>.
Test: manual
Bug: 109821005
Change-Id: I5662c01fad17d105665be065f6dcd7c3fdc40d95
This property is GMS-specific. It should be set from either /system or /product.
After this change ro.com.google.clientidbase will have default_prop type and
will only be settable from an .rc file.
This property now must be set from system or product images. In case of a
system-only OTA, the old vendor.img might attempt set this property. This will
trigger a denial which is innocuous since the new system.img will correctly set
the property.
Bug: 117348096
Test: walleye can still set ro.com.google.clientidbase
Change-Id: Id0873baecacb4168415b1598c35af1ecbb411e17
system_file_type is an attribute assigned to all files on the /system
partition. Add a compile time test to ensure that the attribute is
assigned to all the relevant types.
Test: code compiles.
Change-Id: I7d69a04a4f04f6269cc408f25527b948756cc079
apexd is a new daemon for managing APEX packages installed
on the device. It hosts a single binder service, "apexservice".
Bug: 112455435
Test: builds, binder service can be registered,
apexes can be accessed, verified and mounted
Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
Isolated apps provide a very strict security guarantee, including the
inability to create networking sockets like TCP / UDP sockets. Add an
SELinux neverallow assertion to test for this and prevent regressions.
Test: policy compiles.
Change-Id: I2618abb17375707eb1048e89faa46f57d33e1df4
New maintenance scheme for mapping files:
Say, V is the current SELinux platform version, then at any point in time we
only maintain (V->V-1) mapping. (V->V-n) map is constructed from top (V->V-n+1)
and bottom (V-n+1->V-n) without changes to previously maintained mapping files.
Caveats:
- 26.0.cil doesn't technically represent 27.0->26.0 map, but rather
current->26.0. We'll fully migrate to the scheme with future releases.
Bug: 67510052
Test: adding new public type only requires changing the latest compat map
Change-Id: Iab5564e887ef2c8004cb493505dd56c6220c61f8
Map proc_qtaguid_ctrl to qtaguid_proc, not qtaguid_device.
Map proc_slabinfo to proc in the correct place.
Test: m selinux_policy
Change-Id: I37c9dfe40bd20924215856b5d4ff7d9b3cbd0417
