Since some vendors will have firmware in mount points in
/mnt/vendor/..., we extend the ueventd script language to allow
specifying the firmware directories.
Also, move the existing 4 directories to ueventd.rc as a primary user
of this mechanism.
Bug: 111337229
Test: boot sailfish; firmwares load
Change-Id: I0854b0b786ad761e40d2332312c637610432fce2
/ should not have any character/block devices, so might as well pass in
the nodev flag.
Bug: 73255020
Test: aosp_sailfish still boots
Test: sailfish:/ # find / -xdev -a \( -type b -o -type c -o -type p -o -type s \)
sailfish:/ #
Test: rootfs on / type rootfs (rw,seclabel)
/dev/root on / type ext4 (ro,seclabel,nodevrelatime)
Change-Id: Ia73e04b53a47506892d9d3cb61b471b81bb72dc3
When security.perf_harden is disabled through adb, use some debug
system properties to set profiling limits in the kernel, including
cpu percentage, memory, and max sample rate.
Bug: 110706031
Test: boot hikey960 and manually set system properties to make
Test: sure it works.
Change-Id: I44c0adf3a000bb393905233f2a097c97b5fe91ec
Path of product partitoin can be set as /product or /system/product
whether generate extra product partition or not.
Substitute %PRODUCT% to relevant path to know linker which path should
search and permit.
Bug: 110286945
Test: m -j # Check /system/etc/ld.config.$(PLATFORM_VNDK_VERSION).txt
Change-Id: I6ca177d0c9c5af00ad821879fece40848331fc8d
As linker doesn't resolve paths in permitted paths, /system/product
variants should be added to support devices having product partition
under /system.
Bug: 110286945
Test: m -j succeeds on taimen and libraries under /system can dlopen
libraries under /system/product/apps
Change-Id: Icd102d44511702e4ec66c07a367b59c3d9700a44
adbd has been built as a static executable since the same binary was
copied to the recovery partition where shared library is not supported.
However, since we now support shared library in the recovery partition,
adbd is built as a dynamic executable.
In addition, the dependency from adbd to libdebuggerd_handler is removed
as debuggerd is handled by the dynamic linker.
A few more modules in /system/core are marked as recovery_available:
true as they are transitive dependencies of the dynamic linker.
This change also includes ld.config.recovery.txt which is the linker
config file for the recovery mode. It is installed to /etc/ld.config.txt
and contains linker namespace config for the dynamic binaries under
/sbin.
Bug: 63673171
Test: `adb reboot recovery; adb devices` shows the device ID
Test: Select 'mount /system' in the recovery mode, then `adb shell`.
$ lsof -p `pidof adbd` shows that libm.so, libc.so, etc. are loaded from
the /lib directory.
Change-Id: I363d5a787863f1677ee40afb5d5841321ddaae77
downloaded apns-conf.xml will be stored in the folder
/data/misc/apns/ to make sure TelephonyProvider gets
access.
Bug: 79948106
Test: Manual
Change-Id: I4ba0596fa6523c0eb96328dbe46ead02587bd9b8
Product-specific libraries in /product/lib can be exposed to Android
apps by adding the list of the libs into
/product/etc/public.libraries-<companyname>.txt. The libs MUST be named
as lib<name>.<companyname>.so.
Bug: 73095206
Test: with taimen
mma -j and runtest.sh. The libs are all loaded in system, but not in
vendor. After reinstalling app using adb -r and reopening app, only
libraries listed in .txt are loaded
Change-Id: I7c386813c72a7b225a7f244b6c5fec4ac0660fd3
Previously on Android Things, we used a vendor public.libraries.txt
file. This cl enables us to tag our library correctly.
Bug: 78226207
Test: test app works
Change-Id: I9e69717e5968a903e84f59c1d889c8e4cf9bcc35
Ensure dropbox has the new dropbox_data_file label.
Bug: 31681871
Test: ls -dZ /data/system/dropbox
u:object_r:dropbox_data_file:s0 /data/system/dropbox
Change-Id: Ia67646f4a789155e20650c33fe4412cae7f930d2
Changes to init's behavior during early mount:
1. Mounting of tmpfs on /mnt is moved from init stage to early mount.
2. init creates /mnt/vendor used to mount vendor partitions.
3. If a device tree fstab entry for early mount specifies a mount point
under /mnt/vendor e.g. /mnt/vendor/foo, init will create
/mnt/vendor/foo mount point.
Bug: 64905218
Test: change dt fstab entry to mount persist to /mnt/vendor/persist;
mount point is created correctly, and partition is mounted in early
mount. See go/pag/1069774
Test: device boots with /mnt/vendor and previous contents of /mnt present,
and selinux label "mnt_vendor_file" is applied correctly.
Test: cts-tradefed run commandAndExit cts --skip-all-system-status-check
--primary-abi-only --skip-preconditions -m CtsAppSecurityHostTestCases
-t android.appsecurity.cts.PermissionsHostTest
Change-Id: I3739130739eadf508355c7f2531366fcaed74175
Merged-In: I3739130739eadf508355c7f2531366fcaed74175
(cherry picked from commit b511475664)
Changes to init's behavior during early mount:
1. Mounting of tmpfs on /mnt is moved from init stage to early mount.
2. init creates /mnt/vendor used to mount vendor partitions.
3. If a device tree fstab entry for early mount specifies a mount point
under /mnt/vendor e.g. /mnt/vendor/foo, init will create
/mnt/vendor/foo mount point.
Bug: 64905218
Test: change dt fstab entry to mount persist to /mnt/vendor/persist;
mount point is created correctly, and partition is mounted in early
mount. See go/pag/1069774
Test: device boots with /mnt/vendor and previous contents of /mnt present,
and selinux label "mnt_vendor_file" is applied correctly.
Test: cts-tradefed run commandAndExit cts --skip-all-system-status-check
--primary-abi-only --skip-preconditions -m CtsAppSecurityHostTestCases
-t android.appsecurity.cts.PermissionsHostTest
Change-Id: I3739130739eadf508355c7f2531366fcaed74175
Set F() capability set and 'drop' lmkd from AID_ROOT to AID_LMKD uid
and from AID_ROOT to AID_LMKD and AID_SYSTEM gid.
/dev/memcg/memory.pressure defaults to root.root mode 0000, set it up
as root.system mode 0040 to allow lmkd read access.
Instrument failure to set SCHED_FIFO.
Annotate access points that require elevated capabilities.
Test: check /proc/`pidof lmkd`/status for capability set
Test: lmkd_unit_test
Bug: 77650566
Change-Id: I986081a0434cf6e842b63a55726380205b30a3ea
Need a larger tmpfs to stop crashes
Need to run start-zygote after mounting the real data
Test: Cherry-pick ag/3898232. System boots, can set pattern, system
reboots. Wifi works at all points.
Bug: 76452634
Change-Id: Id24241db940d352fd3bcdef594b5358854c6f71d
Split healthd section from init.rc into its own. This allows
healthd.rc to be excluded from the build when healthd is excluded.
Test: builds
Test: exclude healthd from build, healthd.rc is not installed
Bug: 77541952
Change-Id: I1c055f14c5862631f359fd0029289da8f43af063
This commit adds a wildcard linker namespace link between the "vndk"
namespace and the "sphal" namespace of the system processes. This is
created for VNDK-SP-Ext to load vendor libs in "sphal" namespace.
Bug: 77249955
Test: lunch aosp_walleye-userdebug && make -j8 # runs unit tests
Test: lunch aosp_sailfish-userdebug && make -j8 # runs unit tests
Test: Create a VNDK-SP-Ext, link to vendor libs, and run it.
Change-Id: I71b0fb604a84272156aa119130c272f891847008
Merged-In: I71b0fb604a84272156aa119130c272f891847008
(cherry picked from commit fbaf9767b51891491903521c24b0d4a1ec1c87e8)
This commit adds a wildcard linker namespace link between the "vndk"
namespace and the "sphal" namespace of the system processes. This is
created for VNDK-SP-Ext to load vendor libs in "sphal" namespace.
Bug: 77249955
Test: lunch aosp_walleye-userdebug && make -j8 # runs unit tests
Test: lunch aosp_sailfish-userdebug && make -j8 # runs unit tests
Test: Create a VNDK-SP-Ext, link to vendor libs, and run it.
Change-Id: I71b0fb604a84272156aa119130c272f891847008
With the usb control fd changes, there
is no longer a need to wait for this
property to trigger before starting the
connection.
Bug: 72877174
Test: switch config to mtp/ptp
Change-Id: Ib29419e7948025be3f3295106cad18943d314f0b
This change increases the default expiration length of an SA to 1h. The
IPsec API expects that SPIs are allocated indefinitely, but potential
for instability requires that these get cleaned up automatically. As
such, the duration was chosen as a sane, but long timeout value.
Bug: 72316671
Test: Added CTS tests to enforce this behavior
Merged-In: I47aef9cea4a09da253b2ec048a8797af5fa25529
Change-Id: I47aef9cea4a09da253b2ec048a8797af5fa25529
(cherry picked from commit 00308f8554)
There has been no section in the linker config file for the binaries
under /postinstall. As a result, the binaries were run with the legacy
default config where /vendor/lib and /odm/lib are added to the search
paths. This is causing selinux denials as the binaries for OTA are not
allowed to access /vendor/lib or /odm/lib, but the dynamic linker calls
realpath(3) on the paths to canonicalize them.
Fixing the issue by letting /postinstall/* binaries to run with a
dedicated linker namespace config, where /vendor/lib and /odm/lib are
not added to the search paths. Not having the paths is okay because
he OTA binaries should not have dependency to the libs there.
Bug: 75287236
Test: do the OTA, selinux denials on postinstall_file is not shown
Test: above test should pass on wahoo, marlin and pre-treble devices
Merged-In: I49c11a0929002adfef667890c0a375c2b41054f4
Change-Id: I49c11a0929002adfef667890c0a375c2b41054f4
(cherry picked from commit d7e6cb27b6)
There has been no section in the linker config file for the binaries
under /postinstall. As a result, the binaries were run with the legacy
default config where /vendor/lib and /odm/lib are added to the search
paths. This is causing selinux denials as the binaries for OTA are not
allowed to access /vendor/lib or /odm/lib, but the dynamic linker calls
realpath(3) on the paths to canonicalize them.
Fixing the issue by letting /postinstall/* binaries to run with a
dedicated linker namespace config, where /vendor/lib and /odm/lib are
not added to the search paths. Not having the paths is okay because
he OTA binaries should not have dependency to the libs there.
Bug: 75287236
Test: do the OTA, selinux denials on postinstall_file is not shown
Test: above test should pass on wahoo, marlin and pre-treble devices
Change-Id: I49c11a0929002adfef667890c0a375c2b41054f4
