* Added new kernel GID named "wakelock" (AID_WAKELOCK = 3010)
* Changed the group access for /sys/power/wake_lock and
/sys/power/wake_unlock from "system" to "wakelock"
* Added "wakelock" to the list of groups for the healthd process/service
Bug: 25864142
Change-Id: Ieabee9964cccec3107971a361a43aa9805164aa9
If /sys/kernel/debug is present, make sure it has all the appropriate
SELinux labels.
Labeling of /sys/kernel/debug depends on kernel support
added in commit https://android-review.googlesource.com/122130
This patch depends on an external/sepolicy change with the
same Change-Id as this patch.
Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d
update_verifier verifies the updated partitions and marks the current
slot as having booted successfully. It needs to be triggered prior to
the start of the framework, otherwise it won't be able to fall back to
the old system without a data wipe.
Bug: 26039641
Change-Id: I6fd183cdd3dfcc72feff2a896368158875b28591
Add the following mount options to the /proc filesystem:
hidepid=2,gid=3009
This change blocks /proc access unless you're in group 3009
(aka AID_READPROC).
Please see
https://github.com/torvalds/linux/blob/master/Documentation/filesystems/proc.txt
for documentation on the hidepid option.
hidepid=2 is preferred over hidepid=1 since it leaks less information
and doesn't generate SELinux ptrace denials when trying to access
/proc without being in the proper group.
Add AID_READPROC to processes which need to access /proc entries for
other UIDs.
Bug: 23310674
Change-Id: I22bb55ff7b80ff722945e224845215196f09dafa
3.18 has a warning in dmesg that appears when the parent cpuset's cpus
and mems are changed to something other than what the child has. Reorder
init.rc to prevent this warning from appearing.
bug 24941443
Change-Id: I49d8394063b23dce03222dcc9ddccdc32bb97ea2
Don't allow the accidental triggering of sysrq functionality
from the keyboard. The only expected use of sysrq functionality
is via /proc/sysrq-trigger
Please see https://www.kernel.org/doc/Documentation/sysrq.txt for
additional information on /proc/sys/kernel/sysrq
Bug: 13435961
Change-Id: I60dc92a4b2b4706e8fa34a6cead9abd449f7375f
Ensure that /data/misc/update_engine exists since it will be referenced
by selinux policy.
Bug: 23186405
Change-Id: I96e4ff341086da6474ef7f7c934f1f35bffc1439
Move uncrypt from /init.rc to /system/etc/init/uncrypt.rc using the
LOCAL_INIT_RC mechanism
Bug 23186545
Change-Id: Ibd838dd1d250c0e6536e44b69f11fb5ed42ba10b
init.trace.rc will be renamed to atrace.rc and use the LOCAL_INIT_RC
mechanism to be included on /system appropriately.
Bug 23186545
Change-Id: I55c37d3ff98c9ac10e6c1a713fadc7eb37346195
This CL adds a new init script init.usb.configfs.rc
to add generic configfs commands. Setting
sys.usb.configfs in init.usb.{hardware}.rc
enables executing commands in this script
Bug=23633457
Change-Id: Iaae844a7957d6c9bf510648aaff86d56aa0c6243
This is used for app launches (and maybe other high priority tasks
in the future). It's to be set to whatever cores should be used
for short term high-priority tasks.
bug 21915482
Change-Id: Id0ab0499146c09e860b97f4cb8095834cb12dd50
Services definitions for core services are now bundled with the source
for the service itself in the form of <service name>.rc. These
individual .rc files are now located in /system/init/... and are
parsed when the system partition is mounted.
Bug: 23186545
Change-Id: Ia1b73af8d005633aa4252d603892064d7804163d
We have a bunch of magic that mounts the correct view of storage
access based on the runtime permissions of an app, but we forgot to
protect the real underlying data sources; oops.
This series of changes just bumps the directory heirarchy one level
to give us /mnt/runtime which we can mask off as 0700 to prevent
people from jumping to the exposed internals.
Also add CTS tests to verify that we're protecting access to
internal mount points like this.
Bug: 22964288
Change-Id: I32068e63a3362b37e8ebca1418f900bb8537b498
This CL adds a trigger and a service so that Systrace can be used
for tracing events during boot.
persist.debug.atrace.boottrace property is used for switching on
and off tracing during boot. /data/misc/boottrace/categories
file is used for specifying the categories to be traced.
These property and file are rewritten by Systrace when the newly
added option --boot is specified.
Here is an example of tracing events of am and wm catetories
during boot.
$ external/chromium-trace/systrace am wm --boot
This command will cause the device to reboot. Once the device has
booted up, the trace report is created by hitting Ctrl+C.
As written in readme.txt, this mechanism relies on persistent
property, so tracing events that are emitted before that are not
recorded. This is enough for tracing events after zygote is
launched though.
This only works on userdebug or eng build for security reason.
BUG: 21739901
Change-Id: I03f2963d77a678f47eab5e3e29fc7e91bc9ca3a4
Pavlin Radoslavov