Currently, /system/xbin/su is world executable. Prior to SELinux
enforcement, anyone (including third party apps) could run su.
The su code itself checks to see if the calling UID is root or shell.
Rather than relying on enforcement within the su binary, modify the
binary so it has group=shell, and remove world-execute permission.
This helps avoid some annoying SELinux denial messages as third party
apps call su on userdebug/eng builds.
Change-Id: I61c9231bb7e201d14ee3a5b6fe81b3fa7b12599f
Define a UID to be used by the process responsible for creating shared
RELRO files for the WebView native library, and create a directory owned
by that UID to use to store the files.
Bug: 13005501
Change-Id: I5bbb1e1035405e5534b2681f554fe16f74e3da1a
Automatically assigned as a GID to all apps running under the same
Android profile. Used for exposing to or sharing files with apps
running in a specific profile.
Analogous to AID_SHARED_GID only the sharing is between processes with
the same userId rather than with the same appId.
The name to be displayed for uids/gids with this AID is 'u*_everyone'.
Change-Id: I46efb749f74cb86868c5609a0ce1a6aab2f9e9c9
* Create a new userspace log daemon for handling logging messages.
Original-Change-Id: I75267df16359684490121e6c31cca48614d79856
Signed-off-by: Nick Kralevich <nnk@google.com>
* Merge conflicts
* rename new syslog daemon to logd to prevent confusion with bionic syslog
* replace racy getGroups call with KISS call to client->getGid()
* Timestamps are filed at logging source
* insert entries into list in timestamp order
* Added LogTimeEntry tail filtration handling
* Added region locking around LogWriter list
* separate threads for each writer
* /dev/socket/logd* permissions
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
(cherry picked from commit 3e76e0a497)
Author: Nick Kralevich <nnk@google.com>
Change-Id: Ice88b1412d8f9daa7f9119b2b5aaf684a5e28098
* Create a new userspace log daemon for handling logging messages.
Original-Change-Id: I75267df16359684490121e6c31cca48614d79856
Signed-off-by: Nick Kralevich <nnk@google.com>
* Merge conflicts
* rename new syslog daemon to logd to prevent confusion with bionic syslog
* replace racy getGroups call with KISS call to client->getGid()
* Timestamps are filed at logging source
* insert entries into list in timestamp order
* Added LogTimeEntry tail filtration handling
* Added region locking around LogWriter list
* separate threads for each writer
* /dev/socket/logd* permissions
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Change-Id: Ice88b1412d8f9daa7f9119b2b5aaf684a5e28098
The script that writes the recovery partition after a successful
update of system needs to be made executable. This change also moves
it from /system/etc to /system/bin.
Bug: 12893978
Change-Id: I686e2392a2392515a6859a7381b735de1007b7ea
Add a service called "pre-recovery" which is normally stopped but can
be started by the system server when we want to go into recovery. It
will do any preparation needed (currently needed to handle update
packages that reside on an encrypted /data partition) and then set
sys.powerctl when it's ready to actually reboot.
Bug: 12188746
Change-Id: I894a4cb200395a0f6d7fe643ed4c2ac0a45d2052
See the comment-block at the top of Aarch64Assembler.cpp
for overview on how AArch64 support has been implemented
In addition, this commit contains
[x] AArch64 inline asm versions of gglmul series of
functions and a new unit test bench to test the
functions
[x] Assembly implementations of scanline_col32cb16blend
and scanline_t32cb16blend for AArch64, with unit
test bench
Change-Id: I915cded9e1d39d9a2a70bf8a0394b8a0064d1eb4
Signed-off-by: Ashok Bhat <ashok.bhat@arm.com>
Pixelflinger's code makes assumptions, at certain places,
that pointers can be stored as ints. This patch makes use
of uintptr_t wherever pointers are stored as int or cast
to int.
Change-Id: Ie76f425cbc82ac038a747f77a95bd31774f4a8e8
Signed-off-by: Ashok Bhat <ashok.bhat@arm.com>
The struct in the union with GGLSurface in struct surface_t assumed
that the reserved field, which corresponds to the GGLsizei version
field in the GGLSurface structure (where GGLsizei is define as being
ssize_t in the system/core/include/pixelflinger/pixelflinger.h header
file) is uint32_t. That is appropriate to the 32-bit system but is
not appropriate to the 64-bit system, where ssize_t is 64-bits rather
than 32-bits.
The 32-bit system has also been tested and has no regression
because of this change.
Change-Id: I5cd84fd4a18fa0e63e27975f7b3d3e95b99cea58
Signed-off-by: Marcus Oakland <marcus.oakland@arm.com>
* Add healthd charger mode ops
* Check for executable invocation as "charger", set charger mode if so
* Incorporate charger executable as healthd charger mode
Change-Id: I4a44e7a4c3a65ae9be94491f7f498aa48d4f8a84
Changes the FUSE daemon to synthesize an Android-specific set of
filesystem permissions, even when the underlying media storage is
permissionless. This is designed to support several features:
First, apps can access their own files in /Android/data/com.example/
without requiring any external storage permissions. This is enabled
by allowing o+x on parent directories, and assigning the UID owner
based on the directory name (package name). The mapping from package
to appId is parsed from packages.list, which is updated when apps are
added/removed. Changes are observed through inotify. It creates
missing package name directories when requested and valid.
Second, support for separate permissions for photos and audio/video
content on the device through new GIDs which are assigned based on
top-level directory names.
Finally, support for multi-user separation on the same physical media
through new /Android/user/ directory, which will be bind-mounted
into place. It recursively applies the above rules to each secondary
user.
rwxrwx--x root:sdcard_rw /
rwxrwx--- root:sdcard_pics /Pictures
rwxrwx--- root:sdcard_av /Music
rwxrwx--x root:sdcard_rw /Android
rwxrwx--x root:sdcard_rw /Android/data
rwxrwx--- u0_a12:sdcard_rw /Android/data/com.example
rwxrwx--x root:sdcard_rw /Android/obb/
rwxrwx--- u0_a12:sdcard_rw /Android/obb/com.example
rwxrwx--- root:sdcard_all /Android/user
rwxrwx--x root:sdcard_rw /Android/user/10
rwxrwx--- u10_a12:sdcard_rw /Android/user/10/Android/data/com.example
These derived permissions are disabled by default. Switched option
parsing to getopt().
Change-Id: I21bf5d79d13f0f07a6a116122b16395f4f97505b
DBUS had been needed by bluetooth bluz stack. It is not needed after
we replaced bluez stack with bluedroid stack.
bug 6872904
Change-Id: I3fa41c1dd4ac80bc679d5950b3b20c7f6d12265f
Move the responsibility for rebooting the system from the
reboot command to init. Init is in a better position to take
actions to bring the system down cleanly, including making sure
filesystems are mounted read-only.
The only UIDs which can perform an init triggered reboot are
root, system, and shell.
Modify the reboot command so that it calls into init to perform
the reboot. The reboot command no longer requires CAP_SYS_BOOT.
Remove the -n reboot option and code which supports it. Anyone needing
to do an unclean shutdown can just do a 'echo c > /proc/sysrq-trigger'.
Modify adb so that it calls into init to perform a shutdown.
Bug: 8646621
Change-Id: I84c0513acb549720cb0e8c9fcbda0050f5c396f5
Set the CAP_SYS_BOOT filesystem capability on the new reboot
command and keep CAP_SYS_BOOT in adb bounding set so that the
shell user can run it.
Change-Id: I1dd6143445ee2a952254f0452ab6e544318431dd
Make /vendor have the same permissions as /system/vendor for devices
that have a vendor partition.
Bug: 8341435
Change-Id: I077a2caf9da41fc072a4d3e334be28c24b70c7cd
/system/bin/ping no longer requires CAP_NET_RAW, as we're now
using IPPROTO_ICMP. Please see the following for more details:
* http://lwn.net/Articles/443051/
* https://android-review.googlesource.com/52090
* https://android-review.googlesource.com/52072
We can now make ping a normal, unprivileged program.
/system/bin/run-as only requires CAP_SETUID and CAP_SETGID.
Explicitly set the capabilities of this file, and remove
the setuid bit.
This is equivalent to running the following commands:
* chmod 750 /system/bin/run-as
* chown root:shell /system/bin/run-as
* setcap cap_setgid,cap_setuid+ep /system/bin/run-as
Change-Id: I65df858b45e6de4e2190ac9d6d592c06ea9d28cf
For now, remove linux/capability.h . We're haven't started using
capabilities yet, and this file doesn't exist on mac builds.
Change-Id: Id6ec7fdb408bcdfdd538dac65187194c8ee226ff
Modify android_filesystem_config.h and add a capabilities
field. This field can be used to add filesystem capabilities
to a particular file.
Change-Id: If8953a322457ea7275aa6df75660b714e6dc678a
clatd(464xlat) runs as its own UID after it drops root privs
Change-Id: I2392f8127dcd90d16b0f20ff31bcc5aa096db464
Signed-off-by: Daniel Drown <dan-android@drown.org>
It's safe to change the permissions on files in the root partitions;
incremental OTA now knows how to handle this case.
This reverts commit 08c370cc50.
Change-Id: I503bf8ebd037fa9715494c6539e5430eee47acfe
Instead of specifying in init what to mount, and having various hacks in init
itself to deal with encryption, use a filesystem manager library to do the
work, that can also be invoked by vold when mounting an encrypted volume.
Keep all the magic filesystem info an a device specific fstab file.
Change-Id: Ib988f1e4fb0638ba1d5fd98407fa6d8cf862aaca
Elliott Hughes