microdroid's domains have been able to read/write any properties. That's
just for convenience while bringing up microdroid. This cleans up such
global permission and grants minimal access.
Bug: 194447534
Test: atest MicrodroidHostTestCases ComposHostTestCases
Test: run microdroid demo app
Change-Id: I09ce1174d4af9c228b788a522a6ab845cafd4505
This reverts commit 7ed2456b45.
Reason for revert: /dev/userspace-panic is discarded (b/188777408#comment13)
Bug: 188777408
Change-Id: I98b0159890ee755ffaefc5533f9c40d54f8f26d2
The pre/post-install hook functionality has been deprecated and removed.
Bug: 172606645
Test: atest ApexTestCases
Test: atest CtsStagedInstallHostTestCases
Change-Id: I8a5f726a0c8f005654d0430b5a4598e416ff9c28
system_ext_userdebug_plat_sepolicy.cil is a copy of
userdebug_plat_sepolicy.cil (debug_ramdisk) that's installed in the
system_ext partition.
The build rule is gated by a BoardConfig variable, so products other
than GSI cannot accidentally install this module.
Bug: 188067818
Test: Flash RQ2A.201207.001 bramble-user with debug ramdisk & flash
gsi_arm64-user from master, device can boot and `adb root` works
Change-Id: I43adc6adad5e08dcc8e106d18fdacef962310883
It is a system property that keeps the last CID used by the
virtualizationservice. Although the information is local to the
process, a new system property is justified because the information has
to be kept across multiple runs of the process. A file however is not
desirable because the information shouldn't be persisted.
Bug: 196015427
Test: atest MicrodroidHostTestCases
Change-Id: If8ca4b6ad8d9c8cb3bb33dc9ef45de0ae6481d15
Also allow odrefresh to run pvm_exec to talk to the CompOS VM.
And I moved the dontaudit & neverallow rules to the bottom while I was here.
Bug: 186126194
Test: adb shell apex/com.android.compos/bin/composd_cmd
Change-Id: I6f06dd6467a8eb59123d06c7179a86d9287e7f2f
Currently, the vold detects the factory reset by checking the
metadata encryption key. This logic is only valid when the
device is not in DSU mode. This CL allows vold to get the DSU
status.
Test: run DSU installation on a Pixel device
Bug: 199222795
Change-Id: Ia6ca3b27afd52347b132d7e2d8be244fb9f15e7d
Instead it gets it from virtualization_service, so this TODO is now
done.
Test: Manually run comps_verify_key
Test: Trigger odsign to run compos_verify_key at boot
Bug: 186126194
Change-Id: I705e7fd43b853a19c928ab76209ec321f10ec2d7
This adds properties necessary to run microdroid to property_contexts,
and then removes default_prop access to all domains except for init, as
init should be able to write all properties.
Bug: 194447534
Test: atest MicrodroidHostTestCases ComposHostTestCases
Change-Id: I2f80c71ce257613b3c3b019a3e988a5a0653d879
fs_mgr::ReadDefaultFstab calls fs_mgr:ReadFstabFromDt() which eventually
calls fs_mgr_get_boot_config_from_bootconfig_source to read boot config.
Therefore bundle permission to read proc_bootconfig. This resolves some
selinux denials for update_engine
Test: th
Change-Id: Ia8bd94eb33a38ccd939577b54910645fec4ccda8
Add what we need to allow composd to run and expose an AIDL service.
Also delete the policy for compsvc; we never access it in the host
now, and the real policy is in microdroid. Retain the compos_exec
type, since it is referenced in the APEX sepolicy.
Bug: 186126194
Test: adb shell cmd -w android.system.composd; no denials.
Change-Id: I5f06b2b01852cdebd2d67009b363ec08b17ce33a
Microdroid_manager needs to pass APEX pubkeys to APEXd. Since the data
is too big for a system property, it creates a file
/apex/vm-payload-metadata so that APEXd reads/uses it.
Bug: 199371341
Test: MicrodroidHostTestCases
Change-Id: Iaf2b4fc08b36610032d9c339f787e5e34994448b
