The properties for rkp_only are no longer read only.
This allows remote provisioner unit tests to enable/disable the remote
provisioning only mode, which is required to fully verify functionality.
Test: RemoteProvisionerUnitTests
Bug: 227306369
Change-Id: I8006712a49c4d0605f6268068414b49714bbd939
It will be used by system_server only (i.e., not even Shell) to let
developers change the system user mode (to be headless or full).
Test: sesearch --allow -t system_user_mode_emulation_prop $ANDROID_PRODUCT_OUT/vendor/etc/selinux/precompiled_sepolicy
Bug: 226643927
Change-Id: Iaba42fd56dce0d8d794ef129634df78f9599260f
Some of our CTS tests require that crosvm to have read/write access to
files on /data/local/tmp/virt which is labeled as data_shell_file.
Since CTS tests should pass on user builds, grant the access in user
builds as well.
Note that the open access is still disallowed in user builds.
Bug: 222013014
Test: run cts
Change-Id: I4f93ac64d72cfe63275f04f2c5ea6fb99e9b5874
... such as Cuttlefish (Cloud Android virtual device) which has a
DRM virtio-gpu based gralloc and (sometimes) DRM virtio-gpu based
rendering (when forwarding rendering commands to the host machine
with Mesa3D in the guest and virglrenderer on the host).
After this change is submitted, changes such as aosp/1997572 can
be submitted to removed sepolicy that is currently duplicated
across device/google/cuttlefish and device/linaro/dragonboard as
well.
Adds a sysfs_gpu type (existing replicated sysfs_gpu definitions
across several devices are removed in the attached topic). The
uses of `sysfs_gpu:file` comes from Mesa using libdrm's
`drmGetDevices2()` which calls into `drmParsePciDeviceInfo()` to
get vendor id, device id, version etc.
Bug: b/161819018
Test: launch_cvd
Test: launch_cvd --gpu_mode=gfxstream
Change-Id: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
Merged-In: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
Now that FDE (Full Disk Encryption) is no longer supported, the SELinux
policy doesn't need to support it. Remove two rules that are no longer
needed. Also update some comments that implied that other rules were
needed only because of FDE support, when actually they are still needed
for other reasons. Finally, fix some outdated documentation links.
Bug: 208476087
Change-Id: I4e03dead91d34fcefdfcdc68d44dd97f433d6eaf
from the shell.
This fixes a regression from https://r.android.com/1921457, so that
dex2oat without a path can still be run from the adb shell. That CL
removed the symlink from /system/bin, which means the shell finds it in
/apex/com.android.art/bin instead, and hence it needs to be covered by
this sepolicy.
Test: adb unroot && adb shell dex2oat
Bug: 218986148
Bug: 124106384
Change-Id: Ic52b30e0974829b5e5cde5106e6c4eec9f61eec6
This is a key system process for certain performance investigations, so
allow perfetto profiling of its native heap and general callstack
sampling. This is already allowed on debuggable builds via domain.te.
In addition to the sepolicy, the profiler itself does checks on whether
to allow profiling. At the time of writing, profiling requests coming
from "shell" for surfaceflinger will be disallowed (as it is a native
process running as "system"). However profiling requests coming from the
platform via "statsd" will be allowed.
Bug: 217368496
Tested: profiled surfaceflinger on local internal/master sargo-user build
Change-Id: Ib092064ea911aed08d981adc823cd871fc271a96
Grant system_server and flags_health_check permission to set the
properties that correspond to vendor system native experiments.
Bug: 226456604
Test: Build
Change-Id: Ib2420cf6eaf1645e7f938db32c93d085dd8950a3
Partners reported an OTA failure caused by selinux denial. GMSCore is
trying to call setattr()/rmdir() on /data/ota_package. Give GMSCore
proper permissions to do so.
Test: th
Bug: 227422503
Change-Id: Ic64ce88e137976149813888a0d6d2910fda359e7
odsign will be writing(metrics) to file
/data/misc/odsign/metrics/odsign-metrics.txt & system_server needs from it.
Test: adb pull /data/misc/odsign/metrics/odsign-metrics.txt after reboot
Bug: 202926606
Change-Id: I020efcee8ca7f5b81f1aa3374bbf2b3a7403186d
For Guest: tombstone_tranmit needs permissions for:
1. keeping track of files being written on /data/tombstones.
2. creating vsock socket to talk to virtualizationservice (to forward
these tombstones)
These permissions will be similar to tombstone_tarnsmit on cuttlefish
(device/google/cuttlefish/guest/monitoring/tombstone_transmit/tombstone_transmit.cpp)
For Host (virtualizationservice) needs:
1. permission to connect to tombstoned.
2. permission to use fd belonging to tombstoned.
3. append and related permissions on tombstone_data file.
Test: Tested by crashing a process in guest (started using microdroid
demo)
Change-Id: Ifd0728d792bda98ba139f18fa9406494a714879d
An example app in this domain is com.android.settings.
This was an accidental omission from https://r.android.com/1966610.
Context and rationale remain the same as for that patch, please see the
bug.
Tested: both traced_perf and heapprofd successfully profiled the
settings app with the right additional profileability permissions on a
user build (beta candidate).
Bug: 217368496
Change-Id: Id8a9e16dab7774f8840cdd6b74d59f70584b5156
These properties are used to inform keystore2 and the RemoteProvisioner
app how they should behave in the system in the event that RKP keys are
exhausted. The usual behavior in a hybrid system is not to take any
action and fallback to the factory provisioned key if key attestation is
requested and no remotely provisioned keys are available.
However, there are instances where this could happen on a device that
was intended to be RKP only, in which case the system needs to know that
it should go ahead and attempt to remotely provision new certificates or
throw an error in the case where none are available.
Test: New properties are accessible from the two domains
Change-Id: I8d6c9e650566499bf08cfda2f71c64d5c2b26fd6
