Add selinux policies required for formatting the crypt device.
1. Allow encryptedstore to execute mk2fs.
2. The execution will happen without domain transition - so add
permissions related to formatting the device.
3. Allow encryptedstore to write on /dev/vd device - required to zero
starting bits initially
Test: Run vm with --storage & --storage-size option
Bug: 241541860
Change-Id: I9766e3c67e47a58707beee8b3a156944e3b0a9ce

As servicemanager is removed from microdroid.
Bug: 222479468
Test: atest MicrodroidTests MicrodroidHostTests
Change-Id: Ie39e4b214f297258f3dceecc11fa3d8289af3be4

Since the microdroid.servicemanager has been removed.
Bug: 222479468
Test: atest MicrodroidTests MicrodroidHostTests
Change-Id: I90228ca2d1bc3c66a6967412942e1c3372ed09ca

This cl removes SELinux policies related to
authfs_service / servicemanager communication as authfs_service
now uses rpc binder instead of servicemanager.
Bug: 257260848
Test: atest ComposHostTestCases
Change-Id: I3e3de94a837c95e8f486438cc6a76fea39ffc6f3

Manual testing protocol:
* Verify prng_seeder daemon is running and has the
correct label (via ps -Z)
* Verify prng_seeder socket present and has correct
label (via ls -Z)
* Verify no SELinux denials
* strace a libcrypto process and verify it reads seeding
data from prng_seeder (e.g. strace bssl rand -hex 1024)
* strace seeder daemon to observe incoming connections
(e.g. strace -f -p `pgrep prng_seeder`)
* Kill daemon, observe that init restarts it
* strace again and observe clients now seed from new instance
Bug: 243933553
Test: Manual - see above
Change-Id: I0a7e339115a2cf6b819730dcf5f8b189a339c57d
(cherry picked from commit e6da3b80d1)

When recording, the encoders need access to determine if on
a handheld and enable some quality standards.
Bug: 251205971
Test: atest android.media.recorder.cts.MediaRecorderTest
Change-Id: I534a6aa24c188002ab0baab9d891e07db0af81f2

microdroid_manager has stdio_to_kmsg, so it's good to have the same
permission to microdroid_manager's children for better debuggability.
Bug: 259241719
Test: atest MicrodroidHostTestCases MicrodroidTestApp
Change-Id: Ibaaed365e970e6b9f2d458ccae4d128fd3b84f38

am skip reason: Merged-In Idc011c66dfe71aa6c8dfdbc0b0377d2957571b83 with SHA-1 96268c6622 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2300079
Change-Id: If35e0a373418e1205aba8d87c1b6e6f8169592e5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

This app talks to the remote provisioning HALs, and therefore requires
access to the tee_device domain.
Bug: 254112668
Test: Manually verify rkpd can run and find remote provisioning hals
Change-Id: I876b0890f3d4e8956406d73e956084b99488ce56

encryptedstore is Microdroid's dm-crypt based encryption solution. It
requires access to block device, mapper devices etc.
Test: Run a VM & look for sepolicy denials.
Bug: 241541860
Change-Id: I556f56a184fc7a1ea71d67c3e591cc567dab2431

This way we can prevent private types (e.g., sdk_sandbox) from accessing
those properties.
Bug: 210811873
Test: m -j, boot device
Change-Id: Idbcc4928c8d0d433f819d8b114e84a5f09466ad0

Widevine is now in an APEX. com.android.vending tries to access widevine
apex, which results in a sepolicy error. Modifying sepolicy to allow
com.android.vending to access apex directory.
Bug: 247100406
Test: https://android-build.googleplex.com/builds/abtd/run/L54600000956675013
Change-Id: Ie73411dbe1c35027cb498c2cfa6847515a41d08a

Create adaptive haptics system property to store adaptive haptics enable
state.
Bug: 198239103
Test: Verified system property usage
Change-Id: I5d4f0a5c8ec4a5b0ce18bc03a6d30879dd76d58b
Signed-off-by: Chris Paulo <chrispaulo@google.com>

To track any possible bugs on microdroid_manager.
Bug: 258760809
Test: intentionally crash microdroid_manager and see console
Change-Id: I6cd24f3129d153159d76115c833a80353aeee42a

Cherry-pick note: This contains the original AOSP change plus
an addition to private/compat/32.0/32.0.ignore.cil which
does not _appear_ to be required on AOSP and future releases
but is required for tm-dev. If needed we can add this to
AOSP later.
Bug: 243933553
Test: m sepolicy_freeze_test
Change-Id: Idc011c66dfe71aa6c8dfdbc0b0377d2957571b83
Merged-In: Idc011c66dfe71aa6c8dfdbc0b0377d2957571b83
(cherry picked from commit 96268c6622)