(cherry picked from commit 6e9cb8fd79)
Strip off trailing / then /system and then add back the appropriate
config directory. This fixes an issue with reading vendor, oem or odm
partitions.
Test: manual build successfully interprets all etc/fs_config_* files.
Test: manual incremental build successfully interprets all etc/fs_config_* files.
Bug: 36071012
Change-Id: Iba363f0731bb8d15e595bb45c56db97722edabc2
(cherry picked from commit a9403f0db8)
private/fs_config.h is required in order to build an independent
test that requires internal binary knowledge of the
etc/fs_config_(files|dirs) files.
Test: compile
Bug: 36071012
Change-Id: I268bcfdbb6d45b7bf6040cbf307a4e34812f5fef
Add reading of vendor file-system config files
/odm/etc/fs_config_dirs and /odm/etc/fs_config_files.
Order of interpretation (for dirs and files respectively):
- /system/etc/fs_config_dirs or /system/etc/fs_config_files
- /vendor/etc/fs_config_dirs or /vendor/etc/fs_config_files
- /oem/etc/fs_config_dirs or /oem/etc/fs_config_files
- /odm/etc/fs_config_dirs or /odm/etc/fs_config_files
- internal android_dirs[] or android_files[] structures.
No restrictions are placed on the odm file-system config files,
although the developer is advised to restrict the scope to the /odm
file-system since the intent is to provide support only for
customized portions of odm.img.
Test: full build and install smoke test and inspection
Bug: 36071012
Change-Id: Ic3afb5bb4ea20b15bd5df728be9f16045bf5b039
Anyone who can read this file can call flock(..., LOCK_EX) on it,
thereby blocking any future iptables commands from running.
Restrict it to user AID_RADIO, which includes device-specific
network management daemons, and group root.
Bug: 36108349
Test: see https://android-review.googlesource.com/#/c/348939/
Change-Id: I4dae4b5a835fabdc1a61a330e0446b39651f8156
Add reading of vendor file-system config files
/oem/etc/fs_config_dirs and /oem/etc/fs_config_files.
Order of interpretation (for dirs and files respectively):
- /system/etc/fs_config_dirs or /system/etc/fs_config_files
- /vendor/etc/fs_config_dirs or /vendor/etc/fs_config_files
- /oem/etc/fs_config_dirs or /oem/etc/fs_config_files
- internal android_dirs[] or android_files[] structures.
No restrictions are placed on the oem file-system config files,
although the developer is advised to restrict the scope to the /oem
file-system since the intent is to provide support only for
customized portions of oem.img.
Test: full build and install smoke test and inspection
Bug: 36071012
Change-Id: I56f3fed5efa44d622a9a110937dbc949083d44ae
Add reading of vendor file-system config files
/vendor/etc/fs_config_dirs and /vendor/etc/fs_config_files.
Order of interpretation (for dirs and files respectively):
- /system/etc/fs_config_dirs or /system/etc/fs_config_files
- /vendor/etc/fs_config_dirs or /vendor/etc/fs_config_files
- internal android_dirs[] or android_files[] structures.
No restrictions are placed on the vendor file-system config files,
although the developer is advised to restrict the scope to the /vendor
file-system since the intent is to provide support only for
customized portions of vendor.img.
Test: full build and install smoke test and inspection
Bug: 36071012
Change-Id: I4077bd6afcda2ee16189b2eb3c322af15205bbb9
Sort android_files[] first by requirements, grouping, specificity and
finally by alphanumeric order.
Test: full build and install smoke test and inspection
Bug: 36071012
Change-Id: I92c4090eac0067e0327ac7c8dde229747893d585
Sort android_dirs[] first by requirements, grouping, specificity and
finally by alphanumeric order.
Test: full build and install smoke test and inspection
Bug: 36071012
Change-Id: Iff579600b05d7b2a0b9fc7d9e9d897e0bb69aebd
Comply with clang-format. Adjust some comments.
Test: full build and install smoke test and inspection
Bug: 36071012
Change-Id: I459a08b4dc4333ab3d75207621a27587849386a5
Move hostapd to /vendor/bin/ because it's only used by WIFI HAL.
Bug: 34236942
Bug: 34237659
Test: Hotspot works fine. Integration test.
Change-Id: I8d9f51ed85a0614bf0141461dabeddae094ad4e0
Bug: 35328775
Test: works in both binderized and passthrough modes
Merged-In: I61f1ff6b777089d7aad5184c0aee4f653897b32e
Change-Id: I61f1ff6b777089d7aad5184c0aee4f653897b32e
There's no reason for SELinux policy compiler to be accessible by
anybode other than root.
Test: Device boots -- secilc isn't used yet anyway
Bug: 31363362
Change-Id: I26cf34f1412b8dd471f79271c491b473617a6df6
CAP_SYS_PTRACE is needed to ptrace processes that have capabilities
greater than their bounding set. Eventually, this will still be an
improvement, because we can ptrace attach, and then turn on a seccomp
filter that blocks further attaches.
Bug: http://b/34694637
Test: debuggerd `pidof system_server`
Change-Id: I4b9da164ec1fbb5060fdba590e886ac24b6a0785
The following files will be loaded additionally.
- /odm/default.prop and /vendor/default.prop for default props.
- /odm/build.prop for build props.
The props files must follow the following priority order.
- /default.prop > /odm/default.prop > /vendor/default.prop
- /system/build.prop > /odm/build.prop > /vendor/buid.prop
Test: tested default/build prop files with enabling early mount, but
didn't test files of odm partition because odm partition doesn't
exist now.
Bug: 34116668
Change-Id: I946d076dae38f2288865dd986fb16d801d4abcc0
Remove debuggerd in favor of a helper process that gets execed by
crashing processes.
Bug: http://b/30705528
Test: debuggerd_test
Change-Id: I9906c69473989cbf7fe5ea6cccf9a9c563d75906
Enforce that the only API for reading properties is through the property
server, not by reading the (system|vendor|rootfs) *.prop files.
Test: Device boots and no property errors.
Change-Id: Ibb6ed4e74a80cac00010c707d7574f8e92fc6448
Add CAP_SYSLOG, CAP_AUDIT_CONTROL and CAP_SETGID, set
uid and gid to AID_LOGD, and permissions user and group
read and execute only.
Fix up indents for in table for clarity.
Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests
Manually inspect owner and group for /system/bin/logd
Bug: 32450474
Change-Id: I5183ab200dbcd13efb0727cb91db5b12018ae804
The webview_zygote is a non-root zygote process that creates isolated_app
children for rendering web content. It needs:
- CAP_SETUID and CAP_SETGID to change the UID of the new child process.
- CAP_SETPCAP to clear the capability bounding set after forking.
Test: m
Test: angler boots
Bug: 21643067
Change-Id: I986fa04be54e812f5dd2afa14e5d2d3e474e2b10
Add netlink permissions for the new wifi HAL daemon name.
Bug: 31821133
Test: Compiled and ensured that the permission denials are no longer
present in logs.
Change-Id: If939df4760d9f7e85f0f134617d3a79030e09347
Mark Salyzyn