The root init.rc does "write /proc/cpu/alignment 4", but we don't
actually allow this write in core sepolicy. This seems to be a 32-bit
ARM only proc file.
Noticed when booting 32-bit ARM Cuttlefish.
Bug: 145371497
Change-Id: Ic099395708f7236bcc2fc5c561809a7e129786de
This is needed for the camera service to be able to use
AChoreographer ndk.
Test: adb shell dmesg | audit2allow -p policy
Bug: 200306379
Change-Id: I191760f1cdd0a88c9d140fffd4470e9ae1956c52
This will allow apexd to determine if a staged apex contributes to
classpath or not.
Bug: 187444679
Test: atest ApexTestCases
Test: atest StagedInstallInternalTest
Change-Id: I336001ef1dab3aa45835662eecc02d63645b5980
And microdroid_manager can set it to shut down when verification fails.
Bug: 204073443
Test: MicrodroidHostTestCases
Change-Id: I12ec7c8b832f5d1e382961ce7866502c2cc8a9b8
These are similar to the existing exceptions added for
`hal_uwb_vendor_server`.
Also, added a TODO to remove the older `hal_uwb_vendor` tags once we
migrate to the new T architecture.
Bug: 196225233
Test: Compiles
Change-Id: I2077d409f575a2e46684de4fb92fe3da0cceaf70
The bufferhub daemon policy still remains, since it still needs to be
deleted. However, since the HAL no longer exists, removing policy
related to this.
Bug: 204068144
Test: build only
Change-Id: I96b96c77a39e2ba2024680ebaf3067283d0cfc65
This is not settable by vendor init at the moment, which appears to be a mistake
because it is often used as a board-level configuration.
Change-Id: I7a49d55712e9606446b3e6307627a208657d5da2
Test: adb shell getprop -Z | grep lmk
Bug: 184041905
Make Netlink Interceptor work when SELinux is enforcing
Test: Netlink Interceptor HAL comes up and works
Bug: 194683902
Change-Id: I3afc7ae04eba82f2f6385b66ddd5f4a8310dff88
Remove these SELinux attributes since the apexd and init SELinux policies
no longer rely on these attributes.
The only difference between a previous version of this patch and the
current patch is that the current patch moves these attributes to the
'compat' policy. See also
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1850656.
This patch includes a revert of commit 8b2b951349 ("Restore permission
for shell to list /sys/class/block"). That commit is no longer necessary
since it was a bug fix for the introduction of the sysfs_block type.
Bug: 202520796
Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd && adb -e shell dmesg | grep avc
Change-Id: Id7d32a914e48bc74da63d87ce6a09f11e323c186
Signed-off-by: Bart Van Assche <bvanassche@google.com>
In Microdroid, logcat is started as a daemon process (whose service name
is seriallogging) whose job is to read logs from logd and sends them to
the host side via a virtual console.
The daemon process is controlled by microdroid_manager, so the process
is given write access to ctl.start$seriallogging and also to some
sysprops originated from bootconfig so that it can know if the VM is
configured as debuggable or not.
Bug: 200914564
Test: start microdroid using the vm tool. logcat logs are shown in
stdout.
Change-Id: I79bc6486ae1f84515ad31a09e24d8368fb54bc6d
Some devices might have the ODM partition so set those properties
as well.
Bug: 203720638
Test: Presubmit
Change-Id: I50ee65e21c471f0691f4c1dfc93be8eb1677ad1b
Move type to public so that it can be vendor customized. This
can be necessary if (for example) the gralloc/gpu same-process-HAL
requires additional permissions.
Bug: 199581284
Test: build
Change-Id: I61a5a3ad96112d4293fd4bf6d55f939c974643ce
Revert "Remove the bdev_type and sysfs_block_type SELinux attributes"
Revert "Remove the bdev_type and sysfs_block_type SELinux attributes"
Revert submission 1850578-remove-selinux-bdev-type
Reason for revert: DroidMonitor-triggered revert due to breakage, bug b/203480787
BUG: 203480787
Reverted Changes:
I263bce9c4:Remove the bdev_type and sysfs_block_type SELinux ...
Ibc9039f96:Revert "Add the 'bdev_type' attribute to all block...
Ic6ae83576:Remove the bdev_type and sysfs_block_type SELinux ...
Ie493022a8:Remove the bdev_type and sysfs_block_type SELinux ...
I1f1ca439b:Revert "Add the 'bdev_type' attribute to all block...
I283f8676b:Revert "Add the 'bdev_type' attribute to all block...
I7c5c242c5:Revert "Add the 'bdev_type' attribute to all block...
Id78d8f7dc:Remove the bdev_type and sysfs_block_type SELinux ...
I9c4b2c48b:Remove the bdev_type and sysfs_block_type SELinux ...
I51e9d384a:Remove the bdev_type and sysfs_block_type SELinux ...
I2c414de3b:Remove the sysfs_block_type SELinux attribute
Change-Id: I55609803d530772d507d9dca8ba202a96daf24b7
Some permissions used to make denials, but it seems that it's not the
case anymore.
Bug: 195751698
Test: atest MicrodroidHostTestCases
Change-Id: I3329bb9a6d4d17dc49a2469bae2cf17e6f0e49a9
The existing host-side tests for virtualizationservice will be migrated
to device tests. In order for the self-instrumented test apks be able to
talk to the service, re-introduce the allow rule only for the
non-production builds.
Note that the access to the service is still guarded with the app
permission whose protection level now has the 'development' bit. So,
ordinary apks that are not testing-purpose (i.e. no
android:testOnly="true") can't use the service.
Bug: 203483081
Test: run MicrodroidDemoApp
Change-Id: Ia441fc5ca0a1f076d2e267a26e0df7c11730ec94
