During mountFstab call, vold might need to wipe and re-format a device.
See code in system/vold/model/PublicVolume.cpp, PublicVolume::doFormat
Allow IOCTLs such as BLKDISCARDZEROES for wiping.
Test: th
Bug: 279808236
Change-Id: I0bebf850aa45ece6227fa5c3e9c3fdb38164f79e
These issues pop up on occasion, and are very hard to diagnose. Since
renderscript is deprecated, we shouldn't be seeing any new problems with
it, but there isn't pressure to fix these issues as renderscript should
go away on its own eventually.
Fixes: 291211299
Test: Boot, no audit statements.
Change-Id: I9d595520ecabea562b8e9d4b113bb18db101219a
/data/bootanim location is changed to /data/misc/bootanim as a follow up
change to aosp/q/topic:"bootanim_data_folder". The label is updated for the new file location.
Bug: 210757252
Test: /data/misc/bootanim is labeled correctly. BootAnimation can access this folder.
Change-Id: I9a54cf0dba470302df4180fb17fb104fb483b23d
Adds a policy to run the virtual_camera process which:
- registers a service implementing the camera HAL
- registers a service to receive communicate with virtual cameras via
system_server
Bug: 253991421
Test: CTS test
android.virtualdevice.cts.VirtualDeviceManagerBasicTest#createDevice_createCamera
Change-Id: I772d176919b8dcd3b73946935ed439207c948f2b
With the introduction of DCLA (/apex/sharedlibs APEX), .so files can be
symlinked into that APEX, so we need to allow reading symlinks to be
able to link the dex2oat binary successfully.
This fixes "CANNOT LINK EXECUTABLE" errors for dex2oat during OTA
preopting.
Test: Apply an OTA manually and check logs for errors
Bug: 291974157
Change-Id: I9eca91c94e8d33fe618783cea262ea3881957620
It will be used to mount bootstrap APEXes. (with bind-mount to /apex)
Bug: 290148078
Test: atest VendorApexHostTestCases
Change-Id: I1a82af37db368a0eb2bf3a002a47439fb1f8b61d
Add required SELinux configuration to support the sensor
configuration property:
sensors.aosp_low_power_sensor_fusion.maximum_rate
Test: use getprop to verify presence and readability
of the new property. dumpsys sensorservice to verify
sensor service is picking up the property value.
Change-Id: I96b8fd6ce72d7a5bf69b028802b329b03f261585
Since the fsverity_init binary is being removed, remove the
corresponding SELinux rules too.
For now, keep the rule "allow domain kernel:key search", which existed
to allow the fsverity keyring to be searched. It turns out to actually
be needed for a bit more than that. We should be able to replace it
with something more precise, but we need to be careful.
Bug: 290064770
Test: Verified no SELinux denials when booting Cuttlefish
Change-Id: I992b75808284cb8a3c26a84be548390193113668
Add SELinux context for a new lmk system property to add configurability
for delaying psi monitoring until boot completed.
Bug: 288566858
Test: Build, boot and verified logs for avc denial logs.
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6a80da52aa35a942e064c19fd31c01145d965688)
Merged-In: I7ba35f0ee5aad8f917e01c7586f04d11ed078633
Change-Id: I7ba35f0ee5aad8f917e01c7586f04d11ed078633
Give lpdump read (but not write) access to /metadata/ota so it can call
SnapshotManager::Dump for diagnostics.
Bug: 291083311
Test: lpdump
Change-Id: I732bcebcd809449c86254ea23785dc2c692bedd5
On a 32-bit GSI image, when the webview launches, the system crashes because
system_server does not have the SELinux permission to create cgroup dirs.
Only the 32-bit GSI image has this issue; the 64-bit one does not.
Bug: 288190486
Test: flash 32-bit GSI image and boot to check whether webview crash
Change-Id: I60fe69087ddbf97b5ebba62bf151626f9422c43c
Test: Manually validated that GmsCore can access the properties, but not a test app.
Change-Id: I2fa520dc31b328738f9a5fd1bcfc6632b61ad912
Bug: 280330984
(cherry picked from commit c97b3a244f)
The enable_rkpd property is no longer needed. This change removes the
vestigial property.
Test: Successful build
Change-Id: I810d5a21cbe01b43a37244959e21febd0880be59
Some HAL implementations can't support setLayerBuffer multiple times to
clear the per-layer buffer caches. Therefore, default this behavior to
disabled, and allow HALs to explicitly enable this behavior to obtain
the necessary memory savings.
Test: play videos with both true and false on both HIDL and AIDL
Bug: 285561686
Change-Id: I928cef25e35cfc5337db4ceb8581bf5926b4fbe3
Binary translation maps these regions to install translated code,
see linked bug for more context.
Bug: http://b/189502716
Test: run cts -m CtsExternalServiceTestCases -t android.externalservice.cts.ExternalServiceTest#testBindExternalServiceWithZygote
in binary translated environment.
Change-Id: I3bc978b9013e9fc5cf700d1efca769331ec395b0
app_process couldn't map /data/asan/system_ext/lib/libgpud_sys.so
avc: denied { execute } for path="/data/asan/system_ext/lib/libgpud_sys.so"
dev="dm-43" ino=784 scontext=u:r:zygote:s0 tcontext=u:object_r:system_data_file:s0
tclass=file permissive=0
Bug: 286479817
Test: bootup, app_process can work well with asan enabled.
Change-Id: I577105fe1b0c4cb7fa98ccb33eac0f59a0e645f6
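
As an added example (not part of the commit above or of AOSP), the denial quoted in that message can be parsed into structured fields, which is how a "boot, no denials" check like the ones in these Test: lines can be scripted. The function names and the sample log are constructed for illustration; the regex assumes each record ends with a permissive= field.

```python
import re
from collections import defaultdict

# Constructed sample: the denial quoted in the commit message (wrapped over
# three lines, as on the page) followed by one unrelated, made-up log line.
SAMPLE_LOG = """\
avc: denied { execute } for path="/data/asan/system_ext/lib/libgpud_sys.so"
dev="dm-43" ino=784 scontext=u:r:zygote:s0 tcontext=u:object_r:system_data_file:s0
tclass=file permissive=0
init: starting service 'example'...
"""

# DOTALL lets one record span wrapped lines; it ends at its permissive= field.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+"
    r"(?P<rest>.*?permissive=[01])", re.DOTALL)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Return one dict per AVC record found in text."""
    records = []
    for m in AVC_RE.finditer(text):
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # malformed or truncated record
        records.append({
            "result": m.group("result"),
            "perms": m.group("perms").split(),
            "source": fields["scontext"].split(":")[2],  # u:r:<domain>:s0
            "target": fields["tcontext"].split(":")[2],  # u:object_r:<type>:s0
            "tclass": fields["tclass"],
            "path": fields.get("path"),
            "enforced": fields["permissive"] == "0",
        })
    return records

def summarize(records):
    """Group enforced denials by (source domain, target type, class)."""
    groups = defaultdict(set)
    for r in records:
        if r["result"] == "denied" and r["enforced"]:
            groups[(r["source"], r["target"], r["tclass"])].update(r["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}

if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(parse_avc(SAMPLE_LOG)).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```
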
Path to vendor overlays should be accessible to those processes with
access to vendor_overlay_file. This is okay when overlays are under
/vendor/overlay because vendor_file:dir is accessible from all domains.
However, when a vendor overlay file is served from a vendor apex, then
the mount point of the apex should be allowed explicitly for 'getattr'
and 'search'.
Bug: 285075529
Test: presubmit tests
Change-Id: I393abc76ab7169b65fdee5aefd6da5ed1c6b8586
To read overlay from vendor apex, app_zygote needs to have access to
vendor_apex_metadata_file:dir with {getattr,search} permissions.
Bug: 286320150
Test: atest
CtsExternalServiceTestCases: android.externalservice.cts.ExternalServiceTest#testBindExternalServiceWithZygote
Change-Id: Icef716e6d238936d04c5813c23042ec4b0e28541