Notes:
- Added face hal domain, context and file types for the default
SELinux policy.
- Please see aosp/q/topic:"Face+Authentication"
Bug: 80155388
Test: Built successfully.
Change-Id: I2e02cf6df009c5ca476dfd842b493c6b76b7712a
Also giving statsd permission to access it. This change copies the internal sepolicy to AOSP.
Bug: 111185513
Bug: 120551881
Test: make
Change-Id: I7e0386777e05580299caf9b97cb7804459f1a9d0
Bug: 116732452
Test: No sepolicy violations observed with this change
(cherry picked from commit I1958182dd8ecc496625da2a2a834f71f5d43e7bb)
Change-Id: Ib386767d8acfacf9fedafd9a79dd555ce233f41c
...to reflect that the HAL operates on storage devices,
not filesystem.
Bug: 111655771
Test: compiles
Change-Id: Ibb0572cb1878359e5944aa6711331f0c7993ba6e
Merged-In: Ibb0572cb1878359e5944aa6711331f0c7993ba6e
This hwservice isn't registered with hwservicemanager but rather passed
to the thermal hal, so it doesn't need sepolicy associated with it to
do so.
Test: manual: boot, inspect logs
Test: VtsHalThermalV1_1TargetTest
Bug: 109802374
Change-Id: Ifb727572bf8eebddc58deba6c0ce513008e01861
Merged-In: Ifb727572bf8eebddc58deba6c0ce513008e01861
* Note on cherry-pick: Some of the dependent changes are not in AOSP.
In order to keep hostapd running correctly in AOSP, I've modified this
change to only include policy additions.
Change sepolicy permissions to now classify hostapd as a HAL exposing
HIDL interface.
Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd:
12-27 23:40:55.913 4952 4952 W hostapd : type=1400 audit(0.0:19): avc:
denied { write } for name="hostapd" dev="sda13" ino=4587601
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
01-02 19:07:16.938 5791 5791 W hostapd : type=1400 audit(0.0:31): avc:
denied { search } for name="net" dev="sysfs" ino=30521
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0
Bug: 36646171
Test: Device boots up and able to turn on SoftAp.
Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947
Merged-In: Ibacfcc938deab40096b54b8d0e608d53ca91b947
(cherry picked from commit 5bca3e860d)
Add rule to allow Binder call from Bluetooth process to Bluetooth
audio HIDL interface running in audio HAL service process.
Bug: 72242910
Test: Manual; TestTracker/148125
Change-Id: I1981a78bece10b8e516f218d3edde8b77943d130
(cherry picked from commit e8cfac90e8)
Add rule to allow Binder call from Bluetooth process to Bluetooth
audio HIDL interface running in audio HAL service process.
Bug: 63932139
Bug: 72242910
Test: Manual; TestTracker/148125
Change-Id: I1981a78bece10b8e516f218d3edde8b77943d130
(cherry picked from commit e8cfac90e8)
Bug: 64131518
Test: Compile and flash the device, check whether service vendor.radio-config-hal-1-0 starts
Change-Id: Id728658b4acdda87748259b74e6b7438f6283ea5
This hidl service provides information about vsync and hotplug
to vendor services which is required by at least some camera
hal implementations.
Test: VtsFwkDisplayServiceV1_0TargetTest
Test: no denials
Bug: 38311538
Change-Id: I64f0321e2832facf987057f0d48940e269d8e2d9
This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.
Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
record video (slow motion and normal), and check that photos
look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
make and install CtsMediaTestCases.apk
adb shell am instrument -e size small \
-w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
fingerprint
Test: Apply OTA update:
Make some visible change, e.g., rename Settings app.
make otatools && \
make dist
Ensure device has network connectivity
ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494f1)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
This adds restrictions on which domains can register this HwBinder
service with hwservicemanager and which domains can obtain tokens for
this service from hwservicemanager.
Test: Use Google Camera app to take HDR+ photo, conventional photo,
record video with sound, record slow motion video with sound.
Check that the photos display correctly and that videos play
back fine and with sound. Check that there are no SELinux
denials to do with camera.
Bug: 34454312
Change-Id: Icfaeed917423510d9f97d18b013775596883ff64
hwservicemanager can check hwservice_contexts files
both from the framework and vendor partitions.
Initially, have a wildcard '*' in hwservice_contexts
that maps to a label that can be added/found from
domain. This needs to be removed when the proper policy
is in place.
Also, grant su/shell access to hwservicemanager list
operations, so tools like 'lshal' continue to work.
Bug: 34454312
Test: Marlin boots
Change-Id: I3a02d97a82458692b528d85c1b8e78b6f82ea1bc
