Although /proc/device-tree is symlink to /sys/firmware/devicetree/base,
/proc/device-tree is the stable API but the absolute path may be
changed in the future.
Bug: 322465386
Test: atest CustomPvmfwHostTestCases
Change-Id: I81cbe8a4dddbac97e4fb94e6684d2a91127f3378
crosvm calls mlock. It used to need this capability, but now we remove
the rlimit (in Virtualization Manager via Virtualization Service) so
it no longer needs it and in fact is no longer granted it.
(This was previously removed in
commit 88f98d96da, but accidentally
re-introduced in commit 88f98d96dae3fb2616e93969685cbd737c364a0f.)
Bug: 322197421
Test: atest MicrodroidTests
Change-Id: I091170d0cb9b5617584b687e7f24cff153e06c85
Set up minimal file_contexts for the com.android.webview.bootstrap APEX.
Bug: 318717084
Test: m com.android.webview.bootstrap
Change-Id: Id707617447dc44111891446eea442b31b7ff1b57
EnhancedConfirmationService is a new SystemService.
These changes are required before the service will boot.
Bug: 321053639
Change-Id: I15a4004ca57deb5c6f8757913c1894ba0ced399d
On Android, unix sockets are located in /dev/socket/ and managed by
init. This commit follows the convention for ot-daemon
Bug: 320451788
Test: verified that ot-daemon can create socket
/dev/socket/ot-daemon/thread-wpan.sock
Change-Id: I6b0fe45602bb54d6d482f5be46ddb5402bea477b
This is needed to allow vendor xt_bpf programs.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I7ff8a0319bec2f3a57c7ce48939b13b2fca182de
NFC stack is becoming an unbundled apex which embeds the existing NFC
APK. Unbundling requires the apex & apk to be signed by non-platform
certificates, hence adding new seapp_contexts rule for the NFC stack.
The old rule is also left behing to support `-next` config builds where
we are still using the platform signed NFC APK.
Ignore-AOSP-First: All of the NFC mainline work is only present in
internal master. Will cherry-pick this CL once we cherry-pick all its
dependencies.
Bug: 320583956
Test: Bootup test with signed NFC APK (within NFC apex)
Merged-In: I1d4d6370cce558c8dcc0ec73a7ce47c2b5495a33
Change-Id: I1d4d6370cce558c8dcc0ec73a7ce47c2b5495a33
There will not be separate private/public BPF directories. All BPFs will
be under a uprobestats/ directory.
Bug: 296108553
Test: m selinux_policy
Change-Id: I00934cb14ead44c457ccee6957763dc01370dac6
This CL adds sepolicy for the system property
threadnetwork.country_code. This system property
is set by init and be read by the ThreadNetworkService.
Bug: b/309357909
Test: Configure the system property in ini.product.rc and
check the configured country code via the command
`dumpsys thread_network`.
Change-Id: I6f067ced24842755f2c5519169ba9a94df17829f
Allow system_app to call update engine and update engine
to call callback registered by system app.
Test: m Settings && adb install -r
$ANDROID_PRODUCT_OUT/system_ext/priv-app/Settings/Settings.apk,
Update using 16k dev option.
Bug: 295573133
Change-Id: Ice7e75f86283637ad67a675682ecd0d27038d9e7
am skip reason: Merged-In Ie495f6f9ad43146a0bfcd5bb291fca3760467370 with SHA-1 980c33614e is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2895200
Change-Id: If342c7411a202b239631bf90ac5083223bfe6656
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Add initial sepolicy for suspend.debug.wakestats_log.enabled
Allow set from init
Allow read by system suspend
Bug: 301657457
Test: manual
Change-Id: I1123e169d69eadb909ed474c0c246a8a45eab2f0
Signed-off-by: Radu Solea <radusolea@google.com>
security_state service manages security state (e.g. SPL) information across partitions, modules, etc.
Bug: 315895055
Test: N/A
Change-Id: Iee761f8a33f70e8c6bc03849c021f4e165c6f6db
This commit includes two sepolicy changes:
1. change threadnetwork data file to
/data/misc/apexdata/com.android.tethering/threadnetwork
2. use apex_tethering_data_file for files under
/data/misc/apexdata/com.android.tethering
The background is that the Thread daemon (ot_daemon) is merged into the
Tethering mainline module, which means the the Tehtering module now has
code running in both system_server and the standalone unprivileged
ot_daemon process. To prevent ot_daemon from accessing other
apex_system_server_data_file dirs, here use the specific
apex_tethering_data_file for both Tethering and Thread files (A
subdirectory threadnetwork/ will be created for Thread at runtime). This
is similar to apex_art_data_file and apex_virt_data_file.
Note that a file_contexts rule like
```
/data/misc/apexdata/com\.android\.tethering/threadnetwork(/.*)? u:object_r:apex_threadnetwork_data_file:s0
```
won't work because the threadnetwork/ subdir doesn't exist before the
sepolicy rules are evaluated.
Bug: 309932508
Test: manually verified that Thread settings file can be written to
/data/misc/apexdata/com.android.tethering/threadnetwork
Change-Id: I66539865ef388115c8e9b388b43291d8faf1f384
Looks like we missed this, and so non-rooted locked devices can't override the persistent sysprops. On Pixel 8 for example, we ship with 'persist.arm64.memtag.system_server=off' by default (from some droidfood carry-overs), and this can't be edited (https://googleprojectzero.blogspot.com/2023/11/first-handset-with-mte-on-market.html).
We should allow these advanced users to set all the MTE properties on the device that they own, and they can already control the non-persistent properties.
Test: N/A
Bug: N/A
(cherry picked from https://android-review.googlesource.com/q/commit:980c33614e691dde070b59bc746bd252b6edb189)
Merged-In: Ie495f6f9ad43146a0bfcd5bb291fca3760467370
Change-Id: Ie495f6f9ad43146a0bfcd5bb291fca3760467370
Bug: 309888546
