E init : Do not have permissions to set 'persist.vendor.ssr.restart_level' to 'ALL_ENABLE' in property file '/vendor/build.prop': SELinux permission check failed
Signed-off-by: pix106 <sbordenave@gmail.com>
Energy aware feature control was previously done through debugfs,
which will be deprecated, so move the control to sysctl. Added
permission for it, and removed the one unused.
[ 1.460128] audit: type=1400 audit(2753763.033:8): avc: denied { write } for pid=537 comm="init" name="energy_aware" dev="proc" ino=21663 scontext=u:r:vendor_init:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0
10-05 16:49:18.933 820 820 W NodeLooperThrea: type=1400 audit(0.0:1097): avc: denied { write } for name="energy_aware" dev="proc" ino=66567 scontext=u:r:hal_power_default:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0
10-05 17:00:15.726 822 822 W NodeLooperThrea: type=1400 audit(0.0:262): avc: denied { open } for path="/proc/sys/kernel/energy_aware" dev="proc" ino=51228 scontext=u:r:hal_power_default:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0
Bug: 141333728
Test: function works as expected
Change-Id: I2b4eda73bfa34824244e21d804b48eee49a71eae
Signed-off-by: clarencelol <clarencekuiek@icloud.com>
Signed-off-by: pix106 <sbordenave@gmail.com>
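
Added example (not part of the commit or of the device tree): a small Python parser that groups the three denials quoted in the commit message above by source type, target type and class, and prints one candidate rule per group. The GENERIC_TYPES set and the advice in the emitted comment are assumptions of this example, not something the commit states.

```python
import re
from collections import defaultdict

# Sample input: the three denial lines quoted in the commit message above.
SAMPLE_LOG = """\
[ 1.460128] audit: type=1400 audit(2753763.033:8): avc: denied { write } for pid=537 comm="init" name="energy_aware" dev="proc" ino=21663 scontext=u:r:vendor_init:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0
10-05 16:49:18.933 820 820 W NodeLooperThrea: type=1400 audit(0.0:1097): avc: denied { write } for name="energy_aware" dev="proc" ino=66567 scontext=u:r:hal_power_default:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0
10-05 17:00:15.726 822 822 W NodeLooperThrea: type=1400 audit(0.0:262): avc: denied { open } for path="/proc/sys/kernel/energy_aware" dev="proc" ino=51228 scontext=u:r:hal_power_default:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption for this example: target types too broad to grant write access on.
GENERIC_TYPES = {"proc", "sysfs", "device", "system_data_file"}

def parse_denial(line):
    """Return a dict for one 'avc: denied' line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or malformed record
    fields["perms"] = set(m.group(1).split())
    # Contexts are user:role:type:level; the type is the third component.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields

def summarize(log_text):
    """Merge denials by (source type, target type, class)."""
    merged = defaultdict(lambda: {"perms": set(), "objects": set()})
    for d in filter(None, map(parse_denial, log_text.splitlines())):
        entry = merged[(d["stype"], d["ttype"], d["tclass"])]
        entry["perms"] |= d["perms"]
        entry["objects"].add(d.get("path") or d.get("name", "?"))
    return dict(merged)

def report(log_text):
    """One candidate rule per group, flagged when the target type is generic."""
    lines = []
    for (src, tgt, cls), e in sorted(summarize(log_text).items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(e['perms']))} }};"
        if tgt in GENERIC_TYPES:
            rule += "  # generic type: give the object its own label instead"
        lines.append(rule)
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Both groups target the generic proc type, which is why the script flags them rather than presenting the allow rules as ready to merge.
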
Google moved apex sessions directory from /data/apex/sessions to
/metadata/apex/sessions after commit:
"Move apex sessions directory to /metadata"
36cf4bbac6
Devices with a mounted metadata partition will have the needed
directories set up by system/core/rootdir/init.rc. Xiaomi devices
on sm6125 do not have a metadata partition out of the box, so things
like "Google Play system update" will fail to install the update.
Therefore, create a dummy directory under /data/vendor/metadata_apex
and symlink it to /metadata/apex.
The reason why the old /data/apex/sessions directory is not used
for the symlink is that apexd will call migrateSessionsDirIfNeeded()
to recursively copy things from the old directory to the new one.
Creating the symlink from /data/apex/sessions may result in
unintended behaviors.
Signed-off-by: OdSazib <odsazib@gmail.com>
The restorecon_recursive directive in init is only applied if the
file_contexts file changed between builds, but not necessarily if any
file or folder inside /mnt/vendor/persist/ has changed.
The restorecon code checks whether an xattr named
"security.sehash" contains a string that matches the current
combined hashes of the SELinux context files and skips restoring labels
if there is a match, see
https://android.googlesource.com/platform/external/selinux/+/refs/tags/android-9.0.0_r35/libselinux/src/android/android_platform.c#1546
Force wiping that xattr so that restorecon always runs since it's not
very expensive (there are currently only about 50 files on /persist).
The restorecon is needed to fix issues such as wrong stock labels on
/mnt/vendor/persist/sensors/:
sensors_persist_file -> persist_sensors_file
Change-Id: Ic0cd848836ee550499d9236f56ed6e939e35f01e
The core SEPolicy for vendor_init is being restricted to the proper
Treble restrictions. Since this is a legacy device, it is tagged as a
data_between_core_and_vendor_violators and the needed permissions are
added to its device specific vendor_init.te.
Bug: 62875318
Test: boot walleye without audits
Change-Id: I13aaa2278e71092d740216d3978dc720afafe8ea
Signed-off-by: Subhajeet Muhuri <kenny3fcb@gmail.com>
Move vendor policy to vendor and add a place for system extensions.
Also add such an extension: a labeling of the qti.ims.ext service.
Bug: 38151691
Bug: 62041272
Test: Policy binary identical before and after, except plat_service_contexts
has new service added.
Change-Id: Ie4e8527649787dcf2391b326daa80cf1c9bd9d2f
Change-Id: I1493c4c8876c4446a1de46b39942098bf49c79f8