See aosp/2681476 for more details.
Bug: 285185747
Test: Call installd from a local client, no denial
Change-Id: Ie3fa45aceb8a6e61123d477bd994d964a3ae6529
Add SEPolicy for the RemoteAuth Manager/Service
Add Fuzzer exception, remote_auth service is going to be in Java and
Rust only
Design doc: go/remote-auth-manager-fishfood-design
Test: loaded on device.
Bug: 290092977
Change-Id: I4decb29b863170aed5e7c85da9c4b50c0675d3bd
During mountFstab call, vold might need to wipe and re-format a device.
See code in system/vold/model/PublicVolume.cpp , PublicVolume::doFormat
Allow IOCTLs such as BLKDISCARDZEROES for wiping.
Test: th
Bug: 279808236
Change-Id: I0bebf850aa45ece6227fa5c3e9c3fdb38164f79e
On 32 bit gsi img, when the webview launch, system will crash, due to
system_server cgroup not have the selinux permission that setattr of file.
Bug:288190486
Test: flash 32-bit GSI image and boot to check whether webview crash
Change-Id: Ibe136965d7c47c6240a8e4464e4580fe7bd7eccc
So far, it has been labeled as default_prop because there was no entry
for the sysprop in property_context. As a result, it couldn't be set by
vendor_init.
Fixing that by correctly labeling it. build_config_prop is defined as
`system_vendor_config_prop` which vendor_init can set.
Bug: 250125146
Test: adb root && adb shell ro.property_service.async_persist_write 1
adb shell getprop -Z ro.property_service.async_persist_write
shows [ro.property_service.async_persist_write]: [u:object_r:build_config_prop:s0]
Change-Id: Ib30c708c8c2693892503a8f0d590541984c2667b
to get the list of active APEXes.
Bug: 293949266
Bug: 293546778
Test: CtsPackageSettingHostTestCases
Change-Id: I86f58158b97463206fb76a0c31f29b78874f4c35
While searching the policy I came across some ancient TODOs, which can
now be done.
Bug: 186396070
Test: atest MicrodroidTests MicrodroidHostTests
Test: Manually run vm_shell start-microdroid
Change-Id: I21b9f992394b637399cc074dca8339e3167cf5af
These issues pop up on ocassion, and are very hard to diagnose. Since
renderscript is deprecated, we shouldn't be seeing any new problems with
it, but there isn't pressure to fix these issues as renderscript should
go away on it's own eventually.
Fixes: 291211299
Test: Boot, no audit statements.
Change-Id: I9d595520ecabea562b8e9d4b113bb18db101219a
/data/bootanim location is changed to /data/misc/bootanim as a follow up
change to aosp/q/topic:"bootanim_data_folder". The label is updated for the new file location.
Bug: 210757252
Test: /data/misc/bootanim is labeled correctly. BootAnimation can access this folder.
Change-Id: I9a54cf0dba470302df4180fb17fb104fb483b23d
Adds a policy to run the virtual_camera process which:
- registers a service implementing the camera HAL
- registers a service to reveive communicate with virtual cameras via
system_server
Bug: 253991421
Test: CTS test
android.virtualdevice.cts.VirtualDeviceManagerBasicTest#createDevice_createCamera
Change-Id: I772d176919b8dcd3b73946935ed439207c948f2b
With the introduction of DCLA (/apex/sharedlibs APEX), .so files can be
symlinked into that APEX, so we need to allow reading symlinks to be
able to link the dex2oat binary successfully.
This fixes "CANNOT LINK EXECUTABLE" errors for dex2oat during OTA
preopting.
Test: Apply an OTA manually and check logs for errors
Bug: 291974157
Change-Id: I9eca91c94e8d33fe618783cea262ea3881957620
It will be used to mount bootstrap APEXes. (with bind-mount to /apex)
Bug: 290148078
Test: atest VendorApexHostTestCases
Change-Id: I1a82af37db368a0eb2bf3a002a47439fb1f8b61d
Add required SELinux configuration to support the sensor
configuration property:
sensors.aosp_low_power_sensor_fusion.maximum_rate
Test: use getprop to verify presence and readability
of the new property. dumpsys sensorservice to verify
sensor service is picking up the property value.
Change-Id: I96b8fd6ce72d7a5bf69b028802b329b03f261585
Since the fsverity_init binary is being removed, remove the
corresponding SELinux rules too.
For now, keep the rule "allow domain kernel:key search", which existed
to allow the fsverity keyring to be searched. It turns out to actually
be needed for a bit more than that. We should be able to replace it
with something more precise, but we need to be careful.
Bug: 290064770
Test: Verified no SELinux denials when booting Cuttlefish
Change-Id: I992b75808284cb8a3c26a84be548390193113668
When VNDK is being deprecated, former VNDK-SP libraries should be loaded
from vendor when system process uses SP-HAL, but this currently fails
because all former VNDK-SP libraries will be marked as vendor library.
This change labels former VNDK-SP libraries installed in the vendor
partition as same labels with SP-HAL libraries so it can be loaded from
system processes.
Bug: 291673098
Test: aosp_cf boot succeded with KEEP_VNDK=false build flag.
Change-Id: I2601ae8e7acd5bbd16fdbe6cee078dfcaa1a5aa2
