Now that the selinux policy has been split between the system and
vendor partitions the aosp_arm64_ab build variant no longer
depends on the marlin selinux policy to work on marlin and sailfish.
Test: build and flash aosp_arm64_ab system.img on marlin and sailfish
Change-Id: I7681207284d783ffca1acccf44dbb159ea3b521c
By setting BOARD_PROPERTY_OVERRIDES_SPLIT_ENABLED on aosp_arm64_ab
the device specific properties like ro.product.board
are hosted in /vendor/build.prop.
Test: build and flash aosp_arm64_ab system.img on sailfish and marlin.
Change-Id: I8062ff81221a3026626736b012ceaf99d8ca2d12
aosp_arm64_ab is added as a product to build a generic system image for
all devices with ARM64 and A/B ready partitions. For now, it only
supports sailfish/marlin devices because the following items are not yet
split.
- fstab
- overlays
- sepolicy
Bug: 35653062
Test: build and flash it to sailfish (or marlin)
$ source build/envsetup.sh; choosecombo 1 sailfish userdebug
$ ENABLE_EARLY_MOUNT=true ENABLE_TREBLE=true m -j 80
$ fastboot flashall
(For now, the two ENABLE_* are required to install *.rc and *.prop
files into vendor partition. This restriction will be removed in the
future.)
$ source build/envsetup.sh; choosecombo 1 aosp_arm64_ab userdebug
$ m -j 80 systemimage
$ fastboot flash system out/target/product/generic_arm64_ab/system.img
$ fastboot -w reboot
Change-Id: Ia91163f2d51e90a488c9451cba23242887ea82ba
BUG: 34861221
Test: build and run sdk_google_phone_x86_64 with emulator
and check radio logcat to make sure it does not complain
about the 32bit library system/lib/libreference-ril.so
being used. Also check the kernel message to make sure
rild is launched properly
Change-Id: I6cbd5abcf64bec9a504066a43fefc55fa698a864
The goldfish_setup shell script needs the ability to set the interface
address via ifconfig. This requires SIOCSIFADDR plus other ioctl
permissions, therefore allow the set of priv_sock_ioctls permissions.
Addresses the following denial that stops internet access via browser:
avc: denied { ioctl } for pid=712 comm="ifconfig" path="socket:[1825]"
dev="sockfs" ino=1825 ioctlcmd=8916 scontext=u:r:goldfish_setup:s0
tcontext=u:r:goldfish_setup:s0 tclass=udp_socket permissive=0
Test: With update can access internet via browser.
Change-Id: I77a52c0b72bb0ebe9451f45c346a399c1f61672d
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
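Added example, not part of the commit log or of AOSP: a small parser that turns the avc denial lines quoted in these commit messages into candidate policy rules for review, and decodes ioctlcmd against a few linux/sockios.h values (8916 is the SIOCSIFADDR named above). The function names and the allowxperm suggestion are assumptions of this example; the commit itself allows the priv_sock_ioctls set.

```python
import re

# A few interface ioctl numbers from linux/sockios.h, used to decode ioctlcmd=.
SOCK_IOCTLS = {0x8913: "SIOCGIFFLAGS", 0x8914: "SIOCSIFFLAGS",
               0x8915: "SIOCGIFADDR", 0x8916: "SIOCSIFADDR",
               0x891b: "SIOCGIFNETMASK", 0x891c: "SIOCSIFNETMASK"}

# Denial lines copied from the commit messages in this log (re-joined onto one line each).
DENIALS = [
    'avc: denied { ioctl } for pid=712 comm="ifconfig" path="socket:[1825]" '
    'dev="sockfs" ino=1825 ioctlcmd=8916 scontext=u:r:goldfish_setup:s0 '
    'tcontext=u:r:goldfish_setup:s0 tclass=udp_socket permissive=0',
    'avc: denied { getattr } for pid=1220 comm="init.goldfish.s" '
    'path="/system/bin/sh" dev="vda" ino=442 scontext=u:r:goldfish_setup:s0 '
    'tcontext=u:object_r:shell_exec:s0 tclass=file permissive=0',
    'init: avc: denied { set } for property=opengles.version '
    'scontext=u:r:qemu_props:s0 tcontext=u:object_r:default_prop:s0 '
    'tclass=property_service',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denial(line):
    """Return the key=value fields of one denial plus its permission list."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    fields["perms"] = m.group(1).split()
    return fields

def candidate_rules(line):
    """Narrowest rule(s) matching the denial; a starting point for review only."""
    d = parse_denial(line)
    if d is None:
        return []
    # An SELinux context is user:role:type:level; rules are written on the type.
    src = d["scontext"].split(":")[2]
    tgt = d["tcontext"].split(":")[2]
    tgt = "self" if tgt == src else tgt
    perms = d["perms"]
    perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    rules = [f"allow {src} {tgt}:{d['tclass']} {perm};"]
    if "ioctlcmd" in d:  # logged in hex, with or without a 0x prefix
        cmd = int(d["ioctlcmd"], 16)
        name = SOCK_IOCTLS.get(cmd, "unknown")
        rules.append(f"allowxperm {src} {tgt}:{d['tclass']} ioctl 0x{cmd:04x}; # {name}")
    return rules
```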
Following change disabled preopt for system apps when doing eng build:
4df565786a
Build: Only preopt boot images in eng builds
As a middle way between full preopt/high performance/long builds,
and no preopt/low performance/fast turnaround, preopt only the
boot image in eng builds.
I4a2692f3ce84823cd40c6b7d672fd73257739ef8
This works well for devices, but first boot on emulator takes 10+mins.
Bypass the change by forcing preopt inside the BoardConfig.
Change-Id: I58d100cd65d2a09b644a90d91261102aab31fcbb
On mips64r6 cpus, the preferred zero-emulation-overhead 32-bit arch
variant is mips32r6. Mips32r1 and mips32r2 software runs but with
frequent op-emulation traps to the kernel. Android NDK had support
for mips32r6 prebuilt binaries in release r10 but lacked STL binaries
in r11 and omits all mips32r6 prebuilts in r13.
To keep mips64 buildable using just aosp sources, switch to using the
slower mips32r2 variant as its 2nd cpu arch. This applies only to the
aosp copy of Android. Imgtec's redistribution of Android releases will
instead use mips32r6 as the 2nd cpu arch, using a privately-maintained
prebuilts/ndk that includes all needed mips32r6 libraries.
The standard 32-bit Mips build on aosp uses mips32r2 as its native ABI.
That also runs mips32r1 apps built by NDK and mips32r1 android STL
components built by NDK. Similarly, the 2nd arch for mips64r6 will
use mips32r2 itself but runs fine with mips32r1 apps and components.
Change-Id: I65c3fa9a3e5427be12955b902e6ec965de85e608
Setting EXTENDED_FONT_FOOTPRINT has been a no-op for a while, since
no one reads it anymore. Also do the same for naver-fonts, which had
also become a no-op.
Bug: 21785576
Change-Id: I3818adcbba11398024b82c2f22fe2d545b55418d
The goldfish_setup shell script needs the ability to execute
the shell script interpreter. Allow it.
Addresses the following denial:
avc: denied { getattr } for pid=1220 comm="init.goldfish.s"
path="/system/bin/sh" dev="vda" ino=442 scontext=u:r:goldfish_setup:s0
tcontext=u:object_r:shell_exec:s0 tclass=file permissive=0
(cherrypicked from commit 501c88c029)
Bug: 28941573
Change-Id: I22d26e90f107c8d801229354a5e0513c37e6c31d
The goldfish_setup shell script needs the ability to execute
the shell script interpreter. Allow it.
Addresses the following denial:
avc: denied { getattr } for pid=1220 comm="init.goldfish.s"
path="/system/bin/sh" dev="vda" ino=442 scontext=u:r:goldfish_setup:s0
tcontext=u:object_r:shell_exec:s0 tclass=file permissive=0
Bug: 28941573
Change-Id: I22d26e90f107c8d801229354a5e0513c37e6c31d
The current 32-bit configuration for generic x86_64 targets inherits some
variables (SSE4 support) from the 64-bit configuration, and overrides
the make variables used for other configurations (SSSE3). Ideally, these
would be using different variables, but until then, unify the
configuration for x86_64 targets so that everything is consistent.
Bug: 28694691
Change-Id: I47e67299d4c632e7491d7e73dc0fc6480ef08006
am: 94f576d
* commit '94f576d18cb61e672bcc849a324eab244dd4f3f8':
Fix emulator specific SELinux denials related to qemu.gles
Change-Id: Iba1c077238ec1c41434c87e8ac96467a081383fc
This type is never used in core policy, only by emulators.
Move the definition of this type to where it's used.
Bug: 28221393
Change-Id: I38dbc12dbe9813f323d4bcd5f07679db57b2fd4a
Support TARGET_2ND_ARCH as the binary translation arch.
See target/board/generic_x86_arm/BoardConfig.mk and
target/product/aosp_x86_arm.mk as example for the setup.
In BoardConfig, use the TARGET_2ND_ARCH/etc. variables to set up the
binary translation arch;
Set "TARGET_TRANSLATE_2ND_ARCH := true" to tell the build system it's
not a typical 64-bit multilib configuration.
In product makefile, use "PRODUCT_PACKAGES += libfoo_<2nd_arch>" to
install the TARGET_2ND_ARCH libraries. This also pulls in any dependency
libraries.
By default we don't install any TARGET_2ND_ARCH modules, unless it's
pulled in by PRODUCT_PACKAGES.
Bug: 27526885
Change-Id: I0578e9c80da0532d2fa886a8fcdb140bbc703009
(cherry-pick from commit 277e75a488)
This is to allow surfaceflinger to always load vendor provided
egl libraries first and fall back to software renderer, and then
set the qemu.gles to correct value reflecting what libraries
are actually used.
bug: 27273457
Change-Id: Ifaca31aa2e562f50baa41fd228df9836bc3b1667
Use global default USE_CLANG_PLATFORM_BUILD set in core/envsetup.mk,
or user provided environment variable USE_CLANG_PLATFORM_BUILD.
BUG: 26102335
Change-Id: I7e12219a60f36bb44797bb028b4a5873a67c9210
Currently, properties that begin with "ro." are special cased to skip
over the "ro." part of the prefix before matching with entries in
property_contexts. A change to init is removing this special case and
therefore, the "ro." prefixes must be explicitly added to
property_contexts.
Bug 26425619
Change-Id: I735eb9fc208eeec284cda8d778db946eeec24192
This commit fixes the avc denied issues in the emulators:
- goldfish_setup is granted for network access
- netd dontaudit for sys_module
- qemu_prop is granted domain for get_prop
The critical issue was that SELinux denied reading the lcd_density property
by SurfaceFlinger via qemu_prop and this commit fixes it.
Change-Id: I633d96f4d2ee6659f18482a53e21f816abde2a5f
Signed-off-by: Miroslav Tisma <miroslav.tisma@imgtec.com>
This change fixes issue b/25613506
The predefined, fixed system image partition size is failing
to fit content for NYC release MIPS64 images. This change
increases the system image size for all boards to 1.5GB
(up from 1.25GB) to make sure that the system image sizes are
uniform across all virtual boards, and fit new content.
Change-Id: Id9808ad5318cd2390fc666ac35b0f9cd32870993
These boot properties are used by android wear emulator to configure
round and chin shaped devices.
Bug: 23324757
Change-Id: I812da02d771bba0ffc63b14459c7de7cbdeed142
Addresses the following denial:
init: avc: denied { set } for property=opengles.version scontext=u:r:qemu_props:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
Bug: 25148690
Change-Id: I4b197eeabfe37e794104e4e686e9e388b5bc3e0c
https://android-review.googlesource.com/175922 removed all uses
of system_server execmem and neverallowed it. The x86 emulator policy
inappropriately includes this rule. Delete it.
Fixes the following build breakage:
libsepol.report_failure: neverallow on line 473 of external/sepolicy/system_server.te (or line 12452 of policy.conf) violated by allow system_server system_server:process { execmem };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
Change-Id: I7fbfaa0a09e8f4e8a372d2f1a64bbe58d5302204
When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage. However, only domains that were previously allowed the
ability to exec /system files would have been able to do this prior to the
introduction of the toolbox domain. Remove the rule from domain.te and add
rules to all domains that are already allowed execute_no_trans to system_file.
Requires coordination with device-specific policy changes with the same Change-Id.
Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>