Policy reload is handled by setting the selinux.reload_policy property
and letting the init process perform the actual loading of policy into
the kernel. Thus, there should be no need for the system UID to directly
write to /sys/fs/selinux/load.
Change-Id: I240c5bb2deaee757a2e1e396e14dea9e5d9286f5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
It's a security best practice to carry entropy across reboots.
(see "man 4 random"). Currently, entropy saving and mixing occur
in the system_server, via the EntropyMixer code. Unfortunately, the
EntropyMixer code runs fairly late in the boot process, which means
early boot doesn't have high quality entropy. This has caused security
problems in the past.
Load entropy data as soon as we can in the early boot process, so that
we can get /dev/random / /dev/urandom into a "random" state earlier.
Bug: 9983133
Change-Id: Id4a6f39e9060f30fe7497bd8f8085a9bec851e80
Changing mem cgroups permissions to only be accessible by root and system.
Bug: 10210529
Bug: 10210900
Change-Id: Ib4fff6f49b33013b3629d40ae98a5e2464571b2d
Once userdata is available and decrypted, trigger a policy reload to pick
up any policy update files stored under /data/security.
Change-Id: Ic2b3121c3395429b108c40d1d7f5a3124a5896c5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Restarting ueventd upon policy reloads has reportedly created
stability problems for some users and could cause events to be lost.
Stop restarting ueventd and instead handle policy reloads within ueventd.
Also stops restarting installd upon policy reloads.
Change-Id: Ic7f310d69a7c420e48fbc974000cf4a5b9ab4a3b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ActivityManager can't directly write to extra_free_kbytes because
/proc/sys rejects all chown and chmod syscalls. Proxy the writes
through init by using the sys.sysctl.extra_free_kbytes property.
Bug: 10024467
Change-Id: I441e00478421254355fcafb252bc878166483d4c
- BOOTCLASSPATH now is derived from PRODUCT_BOOT_JARS, which is a product
configuration variable set up by the core build system.
- Moved files from the legacy ALL_PREBUILT to PRODUCT_COPY_FILES in
build/target/product/embedded.mk.
Bug: 9990214
Change-Id: I98bac36c1ca8c779dda572a0a5e0a22b7e4c4a7a
Add /system/framework/webviewchromium.jar to BOOTCLASSPATH. This jar
contains the implementation classes for the new WebView. It has been
processed with jarjar to ensure that it doesn't define any classes
outside of com.android.
Change-Id: If65913638df0088f4dd7d62a087750b90038a7fb
This commit sets up the system property which is actually used by the
Connectivity Service
(frameworks/base/services/java/com/android/server/ConnectivityService.java).
It fixes an (obsolete?) convention where the dns was affected directly by
the interface (i.e. "net.eth0.dns1=10.0.2.3"), which causes the Android
Emulator (goldfish) to ignore this value, and effectively have no DNS
resolving at all.
An immediate fix can be either add reference to net.eth%s.dns%s in the
ConnectivityService and possibly on the dhcp code as well which would be
bloated, or just stick to the apparant new convention.
I chose the latter as a one line fix which gets the job done.
Change-Id: Id4364129e9a82c1f48403068a837aca54de07944
This helps to ensure that when a new system image is installed,
old userdata policy isn't applied over the top of it.
Bug: 8841348
Change-Id: I135af32250aa62979763e775842ce0af3c8b6f9f
