MS_MOVE was used when staging external storage devices, which no
longer occurs. In fact, having a writable tmpfs was masking a vold
bug around moving apps to SD cards.
Bug: 11175082
Change-Id: Ib2d7561c3a0b6fde94f651a496cb0c1f12f88d96
Add sdcard FUSE daemon flag to specify the GID required for a package
to have write access. Normally sdcard_rw, but it will be media_rw
for secondary external storage devices, so DefaultContainerService
can still clean up package directories after uninstall.
Create /mnt/media_rw which is where vold will mount raw secondary
external storage devices before wrapping them in a FUSE instance.
Bug: 10330128, 10330229
Change-Id: I4385c36fd9035cdf56892aaf7b36ef4b81f4418a
I97b3d86a69681330bba549491a2fb39df6cf20ef introduced a separate type
for the adb_keys file. Set the security context of the adb_keys file
accordingly by adding restorecon commands to init.rc.
Change-Id: I30e4d2a1ae223a03eadee58a883c79932fff59fe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Use kernel oom_score_adj interface to make init and children unkillable.
Stop using older, deprecated oom_adj interface.
Use OOM_SCORE_ADJ_MIN to make the processes unkillable (previously the processes
were set to a very low score, but not unkillable).
Change-Id: I680965009585c2a5a580859fb946f2d0caa95d9c
The log_target parameter of android_fork_execvp_ext() is now a
bit field, and multiple targets can be set to log to multiple
places at the same time.
The new target LOG_FILE will log to a file specified by the new
parameter file_path.
Set LOG_FILE and log to a file in /dev (the only writable filesystem
avilable when e2fsck runs) when invoking e2fsck in fs_mgr.
Bug: 10021342
Change-Id: I63baf644cc8c3afccc8345df27a74203b44d0400
Before this change, FUSE lookup() would have the side effect of
creating the directory on behalf of apps. This resulted in most
directories being created just by Settings trying to measure disk
space. Instead, we're switching to have vold do directory creation
when an app doesn't have enough permissions.
Create fs_mkdirs() utility to create all parent directories in a
path as needed. Allow traversal (+x) into /storage directories.
Fix FUSE derived permissions to be case insensitive. Mark well-known
directories as .nomedia when created.
Bug: 10577808, 10330221
Change-Id: I53114f2e63ffbe6de4ba6a72d94a232523231cad
Policy reload is handled by setting the selinux.reload_policy property
and letting the init process perform the actual loading of policy into
the kernel. Thus, there should be no need for the system UID to directly
write to /sys/fs/selinux/load.
Change-Id: I240c5bb2deaee757a2e1e396e14dea9e5d9286f5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
It's a security best practice to carry entropy across reboots.
(see "man 4 random"). Currently, entropy saving and mixing occur
in the system_server, via the EntropyMixer code. Unfortunately, the
EntropyMixer code runs fairly late in the boot process, which means
early boot doesn't have high quality entropy. This has caused security
problems in the past.
Load entropy data as soon as we can in the early boot process, so that
we can get /dev/random / /dev/urandom into a "random" state earlier.
Bug: 9983133
Change-Id: Id4a6f39e9060f30fe7497bd8f8085a9bec851e80
Changing mem cgroups permissions to only be accessible by root and system.
Bug: 10210529
Bug: 10210900
Change-Id: Ib4fff6f49b33013b3629d40ae98a5e2464571b2d
Once userdata is available and decrypted, trigger a policy reload to pick
up any policy update files stored under /data/security.
Change-Id: Ic2b3121c3395429b108c40d1d7f5a3124a5896c5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Restarting ueventd upon policy reloads has reportedly created
stability problems for some users and could cause events to be lost.
Stop restarting ueventd and instead handle policy reloads within ueventd.
Also stops restarting installd upon policy reloads.
Change-Id: Ic7f310d69a7c420e48fbc974000cf4a5b9ab4a3b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ActivityManager can't directly write to extra_free_kbytes because
/proc/sys rejects all chown and chmod syscalls. Proxy the writes
through init by using the sys.sysctl.extra_free_kbytes property.
Bug: 10024467
Change-Id: I441e00478421254355fcafb252bc878166483d4c
- BOOTCLASSPATH now is derived from PRODUCT_BOOT_JARS, which is a product
configuration variable set up by the core build system.
- Moved files from the legacy ALL_PREBUILT to PRODUCT_COPY_FILES in
build/target/product/embedded.mk.
Bug: 9990214
Change-Id: I98bac36c1ca8c779dda572a0a5e0a22b7e4c4a7a
Add /system/framework/webviewchromium.jar to BOOTCLASSPATH. This jar
contains the implementation classes for the new WebView. It has been
processed with jarjar to ensure that it doesn't define any classes
outside of com.android.
Change-Id: If65913638df0088f4dd7d62a087750b90038a7fb
This commit sets up the system property which is actually used by the
Connectivity Service
(frameworks/base/services/java/com/android/server/ConnectivityService.java).
It fixes an (obsolete?) convention where the dns was affected directly by
the interface (i.e. "net.eth0.dns1=10.0.2.3"), which causes the Android
Emulator (goldfish) to ignore this value, and effectively have no DNS
resolving at all.
An immediate fix can be either add reference to net.eth%s.dns%s in the
ConnectivityService and possibly on the dhcp code as well which would be
bloated, or just stick to the apparant new convention.
I chose the latter as a one line fix which gets the job done.
Change-Id: Id4364129e9a82c1f48403068a837aca54de07944
This helps to ensure that when a new system image is installed,
old userdata policy isn't applied over the top of it.
Bug: 8841348
Change-Id: I135af32250aa62979763e775842ce0af3c8b6f9f
This forces a policy reload + fixcon to deal with dynamically
delivered policy changing labels on device nodes.
It's implemented as a new keyword in init.
Bug: 8702843
Change-Id: I803cf1ecf6ff8318ce25dcc5cda4f292adc9738c
DBUS had been needed by bluetooth bluz stack. It is not needed after
we replaced bluez stack with bluedroid stack.
bug 6872904
Change-Id: I3fa41c1dd4ac80bc679d5950b3b20c7f6d12265f
Move the responsibility for rebooting the system from the
reboot command to init. Init is in a better position to take
actions to bring the system down cleanly, including making sure
filesystems are mounted read-only.
The only UIDs which can perform an init triggered reboot are
root, system, and shell.
Modify the reboot command so that it calls into init to perform
the reboot. The reboot command no longer requires CAP_SYS_BOOT.
Remove the -n reboot option and code which supports it. Anyone needing
to do an unclean shutdown can just do a 'echo c > /proc/sysrq-trigger'.
Modify adb so that it calls into init to perform a shutdown.
Bug: 8646621
Change-Id: I84c0513acb549720cb0e8c9fcbda0050f5c396f5
Adding a new location for policy files under
/data, the new location is /data/security. The
new location is used before attempting to use
any other location.
This requires a new directory to be created by
the init script and an update to the location of
the property_contexts file for property service.
Change-Id: I955a722ac3e51fa6c1b97201b8bdef3f601cf09d
Adding a new location for policy files under
/data, the new location is /data/security. The
new location is used before attempting to use
any other location.
This requires a new directory to be created by
the init script and an update to the location of
the property_contexts file for property service.
Change-Id: I955a722ac3e51fa6c1b97201b8bdef3f601cf09d
goldfish is ported to linux-3.4 and have capability to run atrace.
But can't run atrace yet because debugfs is not mounted on boot time.
Change-Id: I0ce23bde3b8d1b2a88d4238272123e3ab8cb6970
Signed-off-by: Young-Ho Cha <ganadist@gmail.com>
Allow userspace programs to create IPPROTO_ICMP sockets.
This socket type allows an unprivileged program to safely
send ICMP_ECHO messages and receive the corresponding
ICMP_ECHOREPLY messages, without relying on raw sockets or
setuid programs.
Please see http://lwn.net/Articles/443051/ for details.
In particular, this allows us to use a version of ping
which doesn't have any capabilities
(https://android-review.googlesource.com/52072).
In addition, this allows us to safely implement an IPv4 ICMP
based version of InetAddress.isReachable()
(https://code.google.com/p/android/issues/detail?id=20106)
Change-Id: I876718151efa8219c4f34f573e35e21256fe2316
This can cause init to be stucked in a loop in very rare cases where
persist.sys.usb.config is set to "none" (because the "setprop
sys.usb.config none" action is added twice to the action list).
The original issue on encrypted devices has been fixed differently
by change # I350c5aab986f8ca86b95f316398d03012553e581
This reverts commit 80828af3de.
Change-Id: Id0a7af8dd861c8d10b80a13b540c8a339b432007
This will help get rid of android_aid.h in the kernel.
The group of the proc entries will be used in place of the default
values picked up by the xt_qtaguid netfilter module
(AID_NET_BW_STATS, AID_NET_BW_ACCT).
This change has no effect until the matching kernel changes are submitted.
Change-Id: I3c177e7b5caf9c59300eba6bd4a976634b333674
On encrypted devices, persistent properties are loaded after the device
is decrypted. To properly change sys.usb.config to its persistent value,
it must first be set to "none" and then to ${persist.sys.usb.config}.
Bug: 7678835
Change-Id: I4f91245cedc04e3178ce9cee21390f5b657733c9
This is necessary for some HWC hals to be able to communicate with
secure side to grant protected access to hardware owned by the
hwc. This is necessary on some architectures to grant access to
secure buffers to overlay/csc hardware
Change-Id: I4e4becba5b4a80310ce8932edea5d0d046fa9b00
Signed-off-by: Dima Zavin <dima@android.com>
When vold mounts things in /mnt/secure/staging, it expects to MS_MOVE
those mountpoints when vetting is finished. However, the kernel
doesn't allow MS_MOVE when the source is shared to child namespaces.
To work around this, create a tmpfs at /mnt/secure and mark it as
private (not shared). Verified that vold can now successfully move
from the staging area.
Bug: 7094858
Change-Id: I5e05b1005c63efa277935c9bbd18cbf3ffdd47a3
Define /storage as top-level concept, so that we enforce permissions
uniformly. Moves external storage paths from headers to per-device
environment variables. Added missing mount flags, and we no longer
have adb-specific external storage.
Bug: 6925012
Change-Id: Ic7ca953be2f552d3f0ec9e69f89fef751daa1b29
Also remove mount() from adb, since it can come online long before
data partition is ready. Set EXTERNAL_STORAGE environment variable
to point to owner for backwards compatibility.
Bug: 7005701
Change-Id: I63444f6636624eb7ad89f053daa289663424639e
Remount rootfs as recursively shared, so that mount changes are
propagated into child namespaces. Mount external storage for access
from adb.
Clean multi-user dependencies for use in Dalvik. Also define
external storage paths.
Bug: 6925012
Change-Id: I375de581a63f4f36667894c56a34a9dd45361e8f
To support runtime policy management, add support for reloading
policy from /data/system. This can be triggered by setting the
selinux.loadpolicy property to 1, whether from init.rc after
mounting /data or from the system_server (e.g. upon invocation of
a new device admin API for provisioning policy). ueventd and
installd are restarted upon policy reloads to pick up the new
policy configurations relevant to their operation.
Change-Id: I97479aecef8cec23b32f60e09cc778cc5520b691
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
chown /proc/last_kmsg to user system group log during init, and
chmod it to readable only by user and group.
Bug: 6925227
Change-Id: I645b6a2d4fecc01a2bd4b7fa7ed6aae3ef638cb9
Set the security context for the init process.
Restore the security contexts of /cache and /data in case they were reset.
Specify the security context for services launched from the rootfs since
we cannot label their executables.
If on the emulator, set a policy boolean and restore the context of
/sys/qemu_trace to allow accesses not normally permitted on a device.
Change-Id: I166ffc267e8e0543732e7118eb0fd4b031efac3b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This device is required by libdrm for GPUs like IvyBridge.
Change-Id: I0ac47056a9cec2100f3e6eaa5591571fe6bbc145
Signed-off-by: Lukasz Anaczkowski <lukasz.anaczkowski@intel.com>
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This change adds init.rc steps to:
* allow kernel tracing to be enabled via adb
* allow a limited set of kernel trace events to be enabled via adb
* allow the kernel trace to be read via adb
* allow all users to write to the kernel trace from userland
Bug: 6513400
Change-Id: Ic3c189b5697aa5edf88d2f507c932971bed6caff
With this change, the audio rr/fifo threads will just run in
the fg cgroup.
Also, the RR budget for the apps fg/bg threads has been bumped
to 80%. Ideally, the bg budget would be much smaller but there
are legacy libraries that seem to be very sensitive to this so
for now keep it at this value.
Bug: 6528015
Change-Id: I08f295e7ba195a449b96cd79d954b0529cee8636
Signed-off-by: Dima Zavin <dima@android.com>
GPS on yakju puts SCHED_RR threads in the fg and bg groups, and
is unhappy with 0.1% limits. Increase the limits to 10%.
Change-Id: I971c9b0a815890d41694b965fdd2b023937a4411
rt_runtime_us=0 can cause deadlocks if a SCHED_FIFO/SCHED_RR thread
is moved into the wrong cgroup.
Change-Id: I4633392fb529039dff6ba5d3a6b672e0de9fc2d9
Jianzheng Zhou