The label also needs to be applied in case of the new 2-level deep
app-data directories.
Bug: 149396179
Bug: 148844589
Test: atest AdoptableHostTest
Change-Id: I0f6f41df54e6f74696039b41b4a0c7e5aae1fd84
This reverts commit 34240604aa.
Reason for revert: Droidcop: Potential culprit for Bug149218822- verifying through Forrest before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.
Change-Id: Iaba9f6e9125ac456a5787b1fcbb67d68c91c5f42
This adds the type and permissions for dumping and appending prereboot
information.
Bug: 145203410
Test: Didn't see denials while dumping and appending prereboot info.
Change-Id: Ic08408b9bebc3648a7668ed8475f96a5302635fa
This properties are used to compute UserspaceRebootAtom and are going to
be written by system_server. Also removed now unused
userspace_reboot_prop.
Test: builds
Bug: 148767783
Change-Id: Iee44b4ca9f5d3913ac71b2ac6959c232f060f0ed
This binder call is needed because we want to migrate
libstatspull to use StatsManagerService instead of Statsd
The binder call to statsd can be removed after the migration.
Test: m -j
Bug: 148641240
Change-Id: Id1387a2cbe74ba8d84f4973c6e4d17c5e0b88009
The binder's methods are protected by signature
permissions (LOG_COMPAT_CHANGE, READ_COMPAT_CHANGE_CONFIG and
OVERRIDE_COMPAT_CHANGE_CONFIG).
This is a re-landing of https://r.android.com/1210143, which was
reverted due to http://b/142942524. The actual fix was done in
http://ag/10234812.
Bug: 142650523
Test: atest PlatformCompatGatingTest
Change-Id: Ibddac8933ea58d44457a5d80b540347e796ebe71
adbd started calling shutdown and waiting for EOF before closing
sockets in commit 74b7ec72, because closing a TCP socket while you have
pending data to read is specified to send a TCP RST to the other end,
which can result in data that we've written into the socket to be
prematurely thrown away on the other end. Not being able to do so on a
Unix domain socket is benign, aside from the denial showing up in the
log.
Fixes the following selinux denial when installing a package:
avc: denied { shutdown } for scontext=u:r:adbd:s0 tcontext=u:r:shell:s0 tclass=unix_stream_socket permissive=0
Test: manual
Change-Id: I266092a8323ac02bfe96738a8f4a8021f3a10387
This binder call is needed because we want to migrate
libstatspull to use StatsManagerService instead of Statsd
The binder call to statsd can be removed after the migration.
Test: m -j
Bug: 148641240
Change-Id: If6cf7eb77aa229751c44e5291d49f05177dbb8dd
Only write snapshotctl_log_data_file for userdebug_or_eng.
Test: boot, still see log
Bug: 148818798
Change-Id: I03e979efd65e3992bd8ef30e6408768a14aa1de2
This is a domain for the MediaProvider mainline module. The
MediaProvider process is responsible for managing external storage, and
as such should be able to have full read/write access to it. It also
hosts a FUSE filesystem that allows other apps to access said storage in
a safe way. Finally, it needs to call some ioctl's to set project quota
on the lower filesystem correctly.
Bug: 141595441
Test: builds, mediaprovider module gets the correct domain
Change-Id: I0d705148774a1bbb59c927e267a484cb5c44f548
Setting files and dirs under /data/incremental as apk_data_file, so that
they will have the same permissions as the ones under /data/app.
Current layout of the dirs:
1. /data/incremental/[random]/mount -> holds data files (such as base.apk) and
control files (such as .cmd). Its subdirectory is first bind-mounted to
/data/incremental/tmp/[random], eventually bind-mounted to
/data/app/~~[randomA]/[packageName]-[randomB].
2. /data/incremental/[random]/backing_mount -> hold incfs backing image.
3. /data/incremental/tmp/[random] -> holds temporary mountpoints (bind-mount targets)
during app installation.
Test: manual
Change-Id: Ia5016db2fa2c7bad1e6611d59625731795eb9efc
In order to track time in state data using eBPF, system_server needs
to be able to attach BPF programs to tracepoints, which involves:
- calling perf_event_open and the PERF_EVENT_IOC_SET_BPF ioctl
- running BPF programs
- reading tracepoint ids from tracefs
Grant system_server the necessary permissions for these tasks
Test: modify system_server to try to attach programs; check for
denials
Bug: 138317993
Change-Id: I07dafd325a9c57d53767a09d4ca7b0fb2dd2d328
Signed-off-by: Connor O'Brien <connoro@google.com>
Revert "Add new permissions to test"
Revert submission 1210143-platformcompat-permissions
Reason for revert: http://b/142942524
Reverted Changes:
I3601b12d5: Add new permissions to test
I65d425aac: Make platform_compat discoverable everywhere
I1c8cbb656: Add permissions for using PlatformCompat methods
Change-Id: I356c1d1c4d1213eea6e5585b23faa40722b1a01a
webview_zygote inherits tmpfs files from zygote and needs to stat
them after fork.
Bug: 138851227
Test: run walleye_jitzygote config, fork webview_zygote.
Change-Id: I092b942c0426f3f5731536ae9f2f5886a9196d3d
As apexd now has dac_override, it should also have dac_read_search to
avoid spurious denials.
Bug: 141148175
Test: Build, run apex installation, check denials.
Change-Id: I179c05b36ae0fe62d943ca59ee7f8158507f1f10
This allows apexd to execute "cp" to perform snapshot and
restore operations.
Other rules for this were added in aosp/1217340, but this one was
missed.
Bug: 141148175
Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeSys
Change-Id: Ia529ede468578bfadc87e049a2c0ab4f87e1c43d
4eae75c9d4
Reason for revert: This undoes the previous reversion, which was made to fix b/148282665.
Change-Id: I70d6e60a0468abea19f5efd7fde10207a251cf61