Commit graph

352 commits

Author SHA1 Message Date
Nick Kralevich
7da1b68236 generic_x86: delete system_server execmem
https://android-review.googlesource.com/175922 removed all uses
of system_server execmem and neverallowed it. The x86 emulator policy
inappropriately includes this rule. Delete it.

Fixes the following build breakage:

  libsepol.report_failure: neverallow on line 473 of external/sepolicy/system_server.te (or line 12452 of policy.conf) violated by allow system_server system_server:process { execmem };
  libsepol.check_assertions: 1 neverallow failures occurred
  Error while expanding policy

Change-Id: I7fbfaa0a09e8f4e8a372d2f1a64bbe58d5302204
2015-10-15 02:37:40 -07:00
Nick Kralevich
64e4d8a211 am 35a075db: am 36d91b53: Merge "Only allow toolbox exec where /system exec was already allowed."
* commit '35a075db60bc5553b57ef3311b9643d3b04ea7da':
  Only allow toolbox exec where /system exec was already allowed.
2015-08-25 22:53:03 +00:00
Stephen Smalley
75770de701 Only allow toolbox exec where /system exec was already allowed.
When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage.  However, only domains that were previously allowed the
ability to exec /system files would have been able to do this prior to the
introduction of the toolbox domain.  Remove the rule from domain.te and add
rules to all domains that are already allowed execute_no_trans to system_file.
Requires coordination with device-specific policy changes with the same Change-Id.

Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-08-25 11:46:12 -04:00
Konstantinos Menychtas
8694cf75b6 am 956e4693: Increasing MIPS emulator system image size and user-data image size
* commit '956e469327b1da4b635f20795ed48f6c36ba10d6':
  Increasing MIPS emulator system image size and user-data image size
2015-08-19 01:40:09 +00:00
Konstantinos Menychtas
956e469327 Increasing MIPS emulator system image size and user-data image size
Size increase taken as a precaution against recent build breakage
due to lack of space on a number of targets (e.g. x86, ARM64).
System and user-data image sizes set to match currently most common
setup for the emulator: system image: 1.25gb, user-data image 700mb.

Change-Id: I7118eb26dd78f5fa9e4f0006e15c8d47dee8e28c
2015-08-18 17:34:09 +00:00
Ian Pedowitz
c3bc0b112c resolved conflicts for merge of e5a63158 to mnc-dev-plus-aosp
Change-Id: Ifcbf55d0f4a158602867c01546f4c0f7e668697f
2015-08-11 15:06:29 -07:00
Ian Pedowitz
4e0d34c7c7 Increasing arm(64)? emulator partition sizes to 1.5GB
Bug: 23093319
Change-Id: I5e493ef4715cee96ae6ab40d6415f5330075fad6
2015-08-11 12:53:39 -07:00
Ian Pedowitz
c08c3507be am 073f74d9: Merge "Increasing x86 emulator system partition size" into mnc-dev
* commit '073f74d90853b39de32308fa3eeab9aa8998bd69':
  Increasing x86 emulator system partition size
2015-08-11 19:18:43 +00:00
Ian Pedowitz
5394e8bd12 Increasing x86 emulator system partition size
Seems sdk_google_phone_x86 is building larger than 750MB

Bug: 23093319
Change-Id: Ib3ddbbb96a9dcea02eb6da7362ac0142bdfae4de
2015-08-11 03:39:34 +00:00
Ying Wang
9e7d6d152b am 86162e64: am b1c0a86f: Merge "Bump generic_arm64 system partition size to 1200 MB."
* commit '86162e6439e8035494b187efbf138d9cabae92fb':
  Bump generic_arm64 system partition size to 1200 MB.
2015-07-27 19:17:51 +00:00
Ying Wang
97ba885a7b Bump generic_arm64 system partition size to 1200 MB.
Change-Id: I31740673829e578d7fc0edd895868bf1f21cfe15
2015-07-27 11:01:50 -07:00
Nick Kralevich
385457dc31 am 4a5f5a7b: am a972891f: Merge "file_contexts: Label /dev/ttyS2 as console_device"
* commit '4a5f5a7b15e27ed159e2398c77de1de7f9fd4da9':
  file_contexts: Label /dev/ttyS2 as console_device
2015-07-16 19:19:20 +00:00
Miodrag Dinic
df2620ada4 file_contexts: Label /dev/ttyS2 as console_device
This fixes the issue with the emulator "-shell" option.
Init tries to open the console which is passed through
the kernel androidboot.console property, but fails to
open it because "avc" denies it. Init only has permissions
to open console_device in rw mode. This ensures that
/dev/ttyS2 is properly labeled as console_device.

Replaced tabs with spaces.

Change-Id: I9ef94576799bb724fc22f6be54f12de10ed56768
2015-07-16 20:36:07 +02:00
dcashman
e7733e55f6 am 2a3a2dc3: Merge "Allow init to create /mnt/sdcard symlink." into mnc-dev
* commit '2a3a2dc33c7e5cbd9da95ece2eec0c100e9fbc14':
  Allow init to create /mnt/sdcard symlink.
2015-07-06 16:06:06 +00:00
dcashman
19eeccdaf2 Allow init to create /mnt/sdcard symlink.
Addresses the following denial:
avc:  denied  { create } for  pid=1 comm="init" name="sdcard" scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0

Bug: 22084499
Change-Id: Icffef8330d07b00f36fda11374e39e0df7181ca3
2015-07-01 09:14:18 -07:00
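As an added illustration, not code from the AOSP tree or from any commit above, of the two policy checks these commits deal with: turning an avc denial such as the one quoted in this commit into a candidate allow rule, and refusing that rule when it would trip a neverallow like the system_server execmem rule that broke the build earlier in this log. The denial lines and the neverallow table are constructed samples, and the rule output is simplified (one allow line per denial, no macros).

```python
import re

# Constructed sample log lines: the lnk_file denial quoted in the commit
# above, plus a constructed execmem denial for system_server.
SAMPLE_DENIALS = [
    'avc:  denied  { create } for  pid=1 comm="init" name="sdcard" '
    'scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0',
    'avc:  denied  { execmem } for  pid=612 comm="system_server" '
    'scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=process permissive=0',
]

# Constructed neverallow table mirroring the system_server.te rule that the
# build failure above reports: (source, target, class, forbidden perms).
NEVERALLOWS = [("system_server", "system_server", "process", {"execmem"})]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def domain_of(ctx):
    # u:r:init:s0 -> init ; u:object_r:tmpfs:s0 -> tmpfs (third field is the type)
    return ctx.split(":")[2]

def parse_denial(line):
    """Extract perms, source type, target type and class; None if not an avc line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "source": domain_of(m.group("scontext")),
        "target": domain_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }

def allow_rule(d):
    perms = " ".join(sorted(d["perms"]))
    return f'allow {d["source"]} {d["target"]}:{d["tclass"]} {{ {perms} }};'

def violates_neverallow(d, neverallows=NEVERALLOWS):
    # Same source/target/class and any overlapping permission means libsepol
    # would reject the resulting policy at build time.
    return any(src == d["source"] and tgt == d["target"] and cls == d["tclass"]
               and d["perms"] & perms
               for src, tgt, cls, perms in neverallows)

def triage(lines, neverallows=NEVERALLOWS):
    """Return (candidate rule, blocked-by-neverallow) for each parsable denial."""
    out = []
    for line in lines:
        d = parse_denial(line)
        if d is not None:
            out.append((allow_rule(d), violates_neverallow(d, neverallows)))
    return out

if __name__ == "__main__":
    for rule, blocked in triage(SAMPLE_DENIALS):
        print(("BLOCKED by neverallow: " if blocked else "candidate: ") + rule)
```

A blocked rule is the signal to fix the requesting domain (as the execmem commit did by deleting the grant) rather than to add the allow.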
Mark Salyzyn
31f116de07 am 70749857: am 9ec84792: Merge "goldfish: rename goldfish_logcat.te to logd.te"
* commit '70749857595a100bf9e8f009767030812101d365':
  goldfish: rename goldfish_logcat.te to logd.te
2015-06-03 18:36:22 +00:00
Mark Salyzyn
9f8e1e1c7d goldfish: rename goldfish_logcat.te to logd.te
(cherrypicked from commit fd8c30177c)

Bug: 19608716
Change-Id: I5c76648a4bcbbb15a033465e8af66b12af6e0a18
2015-06-03 10:48:35 -07:00
Mark Salyzyn
94871b94ef goldfish: logcat -Q in logd domain
Deal with a build failure in conflict with cl/152105

(cherrypicked from commit 1cc7735ffa)

Bug: 19608716
Change-Id: I1078046db3b159c1baf0a22435c3e777424453a1
2015-06-03 10:47:34 -07:00
Mark Salyzyn
86997b8809 am defa1737: am b37ac46b: Merge "goldfish: logcat -Q in logd domain"
* commit 'defa1737973575e3be2dce415c68c6b13fb4fbd0':
  goldfish: logcat -Q in logd domain
2015-06-03 17:43:28 +00:00
Mark Salyzyn
fd8c30177c goldfish: rename goldfish_logcat.te to logd.te
Bug: 19608716
Change-Id: I5c76648a4bcbbb15a033465e8af66b12af6e0a18
2015-06-03 09:00:14 -07:00
Mark Salyzyn
1cc7735ffa goldfish: logcat -Q in logd domain
Deal with a build failure in conflict with cl/152105

Bug: 19608716
Change-Id: I1078046db3b159c1baf0a22435c3e777424453a1
2015-06-03 07:52:21 -07:00
bohu
4abbca83a9 am a2eccba1: Bump x86_64 system image size to fix build
* commit 'a2eccba17f2d9f0c6df1885c6a96987f23f0a390':
  Bump x86_64 system image size to fix build
2015-05-26 18:11:40 +00:00
bohu
a2eccba17f Bump x86_64 system image size to fix build
Bumped from 1G to 1.25G

Change-Id: I8d04166c43c792030f346cbe6ba9d6889b31359b
2015-05-26 10:40:36 -07:00
Yu Ning
0f54ada1cd Allow goldfish-setup to put the emulator in WiFi-only mode
The goldfish-setup service (essentially /system/etc/init.goldfish.sh)
executes the following commands when certain conditions are met:

 setprop ro.radio.noril yes
 stop ril-daemon

so as to stop the RIL daemon and emulate a WiFi-only device. Both would
fail, though, because goldfish-setup does not have the permissions to
set relevant properties.

This CL modifies the emulator's SELinux policy to grant the necessary
permissions. It is a step towards fixing the ril-daemon-keeps-getting-
killed-and-restarted problem with the new ("ranchu") emulator, which
does not support telephony emulation yet. (The other step is to have
init start goldfish-setup, which will be done in a separate CL.)

(cherrypicked from commit 33dca8090f)

Change-Id: Ice7e7898804b7353ac4a8c49d871b1b2571d7a5f
Signed-off-by: Yu Ning <yu.ning@intel.com>
2015-05-18 19:46:18 -07:00
William Roberts
c434f71bd8 Update device to use set_prop() macro
(cherrypicked from commit cccc901639)

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-18 19:20:03 -07:00
Nick Kralevich
e4ed2db2f5 am 8da1acf8: am c3b58d4a: Merge "Allow goldfish-setup to put the emulator in WiFi-only mode"
* commit '8da1acf8b702665ce7891799cdbc86499533cc54':
  Allow goldfish-setup to put the emulator in WiFi-only mode
2015-05-19 00:50:05 +00:00
Yu Ning
33dca8090f Allow goldfish-setup to put the emulator in WiFi-only mode
The goldfish-setup service (essentially /system/etc/init.goldfish.sh)
executes the following commands when certain conditions are met:

 setprop ro.radio.noril yes
 stop ril-daemon

so as to stop the RIL daemon and emulate a WiFi-only device. Both would
fail, though, because goldfish-setup does not have the permissions to
set relevant properties.

This CL modifies the emulator's SELinux policy to grant the necessary
permissions. It is a step towards fixing the ril-daemon-keeps-getting-
killed-and-restarted problem with the new ("ranchu") emulator, which
does not support telephony emulation yet. (The other step is to have
init start goldfish-setup, which will be done in a separate CL.)

Change-Id: Ice7e7898804b7353ac4a8c49d871b1b2571d7a5f
Signed-off-by: Yu Ning <yu.ning@intel.com>
2015-05-19 08:22:41 +08:00
Nick Kralevich
ae7c835923 am 7b6e1ba2: am 94b4f9a5: Merge "Label /dev/ttyGF* as serial_device"
* commit '7b6e1ba2fa4edb757ff9e1c08deee9edf06fc1cc':
  Label /dev/ttyGF* as serial_device
2015-05-18 17:12:33 +00:00
Yu Ning
e9ec053e99 Label /dev/ttyGF* as serial_device
In goldfish kernel 3.10, the goldfish_tty device instantiates virtual
serial ports as /dev/ttyGF* (e.g. /dev/ttyGF0), not as /dev/ttyS* as in
goldfish kernel 3.4. However, in the emulator's SELinux security policy,
there is no specific security context assigned to /dev/ttyGF*, and the
one inherited from /dev (u:object_r:device:s0) prevents services such as
qemud and goldfish-logcat from reading and writing ttyGF*. Consequently,
qemud terminates abnormally on the classic x86_64 emulator:

 init: Service 'qemud' (pid XXX) exited with status 1

Fix this issue by assigning /dev/ttyGF* the same security context as
/dev/ttyS*.

(cherrypicked from commit 4783467922)

Change-Id: Ia7394dc217bd82f566c4d1b7eda3cc8ce3ac612f
Signed-off-by: Yu Ning <yu.ning@intel.com>
2015-05-18 09:55:07 -07:00
Yu Ning
4783467922 Label /dev/ttyGF* as serial_device
In goldfish kernel 3.10, the goldfish_tty device instantiates virtual
serial ports as /dev/ttyGF* (e.g. /dev/ttyGF0), not as /dev/ttyS* as in
goldfish kernel 3.4. However, in the emulator's SELinux security policy,
there is no specific security context assigned to /dev/ttyGF*, and the
one inherited from /dev (u:object_r:device:s0) prevents services such as
qemud and goldfish-logcat from reading and writing ttyGF*. Consequently,
qemud terminates abnormally on the classic x86_64 emulator:

 init: Service 'qemud' (pid XXX) exited with status 1

Fix this issue by assigning /dev/ttyGF* the same security context as
/dev/ttyS*.

Change-Id: Ia7394dc217bd82f566c4d1b7eda3cc8ce3ac612f
Signed-off-by: Yu Ning <yu.ning@intel.com>
2015-05-18 17:19:08 +08:00
Nick Kralevich
05c3f7cee1 am 53df3d67: am e89b6f5d: Merge "Update device to use set_prop() macro"
* commit '53df3d67b22b70dff841b41603945d1ae4221246':
  Update device to use set_prop() macro
2015-05-15 19:46:52 +00:00
Nick Kralevich
e89b6f5df1 Merge "Update device to use set_prop() macro"
2015-05-15 19:26:56 +00:00
Nick Kralevich
b00d6937cd am 45d8cf5a: am cea991d7: Merge "Label /dev/goldfish_pipe as qemu_device"
* commit '45d8cf5aafd3108c861dadfa85e1177714fee4ae':
  Label /dev/goldfish_pipe as qemu_device
2015-05-15 16:45:04 +00:00
Yu Ning
b23b5cc4a4 Label /dev/goldfish_pipe as qemu_device
In goldfish kernel 3.10, qemu_pipe has been renamed to goldfish_pipe.
However, in the emulator's SELinux policy, there is no specific security
context assigned to /dev/goldfish_pipe, and the one inherited from /dev
(u:object_r:device:s0) prevents various processes (qemud, qemu-props,
etc.) from reading and writing goldfish_pipe. Consequently, the classic
x86_64 emulator will not boot if GPU emulation is enabled ("-gpu host"),
and does not render the UI correctly if launched with "-gpu off".

Fix this issue by assigning /dev/goldfish_pipe the same security context
as /dev/qemu_pipe.

This CL also benefits the new ("ranchu") emulator, where all supported
ABIs (arm64, mips64, x86 and x86_64) use 3.10-based kernels. Without
this fix, the new emulator boots and works, but there are avc denials
related to goldfish_pipe.

Last but not least, it is now possible to boot the classic x86 emulator
with a 3.10-based kernel instead of the current 3.4-based one, without
disabling SELinux.

(cherry-pick of commit: a5053e6b35)

Change-Id: I52e75c94d3ae3758cbbf5bc0e1d84254fdf5c6cb
Signed-off-by: Yu Ning <yu.ning@intel.com>
2015-05-15 07:44:28 -07:00
Yu Ning
a5053e6b35 Label /dev/goldfish_pipe as qemu_device
In goldfish kernel 3.10, qemu_pipe has been renamed to goldfish_pipe.
However, in the emulator's SELinux policy, there is no specific security
context assigned to /dev/goldfish_pipe, and the one inherited from /dev
(u:object_r:device:s0) prevents various processes (qemud, qemu-props,
etc.) from reading and writing goldfish_pipe. Consequently, the classic
x86_64 emulator will not boot if GPU emulation is enabled ("-gpu host"),
and does not render the UI correctly if launched with "-gpu off".

Fix this issue by assigning /dev/goldfish_pipe the same security context
as /dev/qemu_pipe.

This CL also benefits the new ("ranchu") emulator, where all supported
ABIs (arm64, mips64, x86 and x86_64) use 3.10-based kernels. Without
this fix, the new emulator boots and works, but there are avc denials
related to goldfish_pipe.

Last but not least, it is now possible to boot the classic x86 emulator
with a 3.10-based kernel instead of the current 3.4-based one, without
disabling SELinux.

Change-Id: Iad979c0ee9d0a410be12b83ac1bef9476b50a6dc
Signed-off-by: Yu Ning <yu.ning@intel.com>
2015-05-15 16:30:57 +08:00
William Roberts
cccc901639 Update device to use set_prop() macro
Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-12 20:44:37 -07:00
Stephen Smalley
901d792cbf Define BOARD_SEPOLICY_DIRS for 64-bit emulators.
Define BOARD_SEPOLICY_DIRS for the arm64, mips64, and x86_64
emulator targets.  As a first cut, simply inherit from the
existing policy directories used for generic and generic_x86.
We may need further board-specific policy added for these targets
but testing will require first enabling SELinux in the relevant
kernel configs.

(cherrypicked from commit 21ebc213bb)

Change-Id: I7b4459b32298698fc2908cbbdd0e3afadbe5ac24
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-05-11 10:46:51 -07:00
Andreas Gampe
d9e855cd70 am 2e286f46: am afec6236: Merge "Build: Update Mips64 generic build for ART"
* commit '2e286f467b1d156c7ccc741f2c28d3a37cf78a3f':
  Build: Update Mips64 generic build for ART
2015-05-07 16:26:32 +00:00
Andreas Gampe
13761c43c4 Build: Update Mips64 generic build for ART
For ART testing, we need:

1) A larger userdata partition. A lot of files end up there as it
is multi-arch.

2) Don't strip prebuilts. Technically we only care about core-libart,
but this is the best high-level change that doesn't impact other
files.

Change-Id: Ic36bfcf80ba50a602752ca0a3031dda89a0f3051
2015-05-06 21:00:44 -07:00
Nick Kralevich
c665eb9547 am 13d8654f: am 37ddcad5: Merge "Define BOARD_SEPOLICY_DIRS for 64-bit emulators."
* commit '13d8654ffedfd86733feb4712b26a9e24a4ed90d':
  Define BOARD_SEPOLICY_DIRS for 64-bit emulators.
2015-04-29 19:20:41 +00:00
Stephen Smalley
21ebc213bb Define BOARD_SEPOLICY_DIRS for 64-bit emulators.
Define BOARD_SEPOLICY_DIRS for the arm64, mips64, and x86_64
emulator targets.  As a first cut, simply inherit from the
existing policy directories used for generic and generic_x86.
We may need further board-specific policy added for these targets
but testing will require first enabling SELinux in the relevant
kernel configs.

Change-Id: I7b4459b32298698fc2908cbbdd0e3afadbe5ac24
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-29 09:55:08 -04:00
bohu
22f1bc5db2 Bump sdk arm system image size to 750M
To fix broken build of arm system images.

Change-Id: I960dbb2a5a895557499fcf38655cd8907e768ef9
(cherry picked from commit 9f42be14b8)
2015-04-27 19:59:57 +00:00
Nick Kralevich
9160c60f13 am 4e94ed11: am 2d47488e: Merge "Drop BOARD_SEPOLICY_UNION."
* commit '4e94ed11855e56ed498a2e7e83e312d5b691c5b9':
  Drop BOARD_SEPOLICY_UNION.
2015-04-01 18:05:29 +00:00
Stephen Smalley
5699c6cf90 Drop BOARD_SEPOLICY_UNION.
As suggested in the comments on
https://android-review.googlesource.com/#/c/141560/
drop BOARD_SEPOLICY_UNION and simplify the build_policy logic.
Union all files found under BOARD_SEPOLICY_DIRS.

Change-Id: I4214893c999c23631f5456cb1b8edd59771ef13b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-01 10:33:24 -04:00
Ying Wang
383cc39285 am 62086971: am d64b853a: Merge "Bump generic_mips64 system partition size."
* commit '62086971c0616c325fd80ef172de1478ade52fbc':
  Bump generic_mips64 system partition size.
2015-03-31 00:19:24 +00:00
Duane Sand
e53cf413e1 Bump generic_mips64 system partition size.
Fix broken mips64 build via 20% increase.

Change-Id: Ie30418c6fc7cf8810139abe53537ef8259a49a2f
2015-03-30 17:02:00 -07:00
Ying Wang
8200eff9a3 am 00391a43: am 082184e7: Merge "Bump generic_arm64 system partition size."
* commit '00391a43166a4271ad2471adffb75849be1984a8':
  Bump generic_arm64 system partition size.
2015-03-20 20:41:09 +00:00
Ying Wang
6c194cb0c5 Bump generic_arm64 system partition size.
Change-Id: Ic53fdaa0143ee2c0cce5a2f750da4c52adc6fdb9
2015-03-20 13:29:10 -07:00
Ying Wang
daeaa57a4e am b9583756: am 8e52e15d: Merge "Bump generic_mips system partition size."
* commit 'b9583756eecda3dbad41b83fcba51ef7c07ac907':
  Bump generic_mips system partition size.
2015-03-20 17:10:51 +00:00
Ying Wang
779e9cc806 Bump generic_mips system partition size.
Change-Id: Ieb3becc3ddc1efa19c6e6d34b4a31c0440d3479d
2015-03-20 09:18:33 -07:00