This CL updates hal_evs_default to be sufficient for the defautl EVS HAL
implementation and modifies other services' policies to be able to
communicate with EVS HAL implementations
Bug: 217271351
Test: m -j selinux_policy and Treehugger
Change-Id: I2df8e10f574d62f8b84e0ff0381656ab1b18b52f
Revert submission 1956689-add rkp to identity-default
Reason for revert: Broke git-master. Will resubmit later.
Reverted Changes:
I96dcf3027:Add remote key provisioning to the IC HAL
Id686ac33a:Add dependency on keymint cpp lib
Ib368a2a00:Log to logd in the default identity service
I7d2906de0:Refactor IC support for RKP
Iae0f14f1c:Fix formatting of identity credential aidl
I01d086a4b:Allow default identity service to call keymint
Change-Id: I22a9e9bf8b7edc3d6b635b3e4a07a2efc4ff087a
This sepolicy is needed so that the vendor can launch a new HAL process,
and then this HAL process could join the servicemanager as an impl for
IInputProcessor. This HAL will be used to contain the previous impl of
InputClassifier and also new features that we are going to add.
Bug: 210158587
Test: use together with a HAL implementation, make sure HAL runs
Change-Id: I476c215ad622ea18b4ce5cba9c07ae3257a65817
The identity service must be able to return a binder handle to an
IRemotelyProvisionableComponent for remote key provisioning support.
Since the default identity service works with the default keymint
service, allow calling into service manager to get an
IRemotelyProvisionableComponent binder handle.
Bug: 194696876
Test: VtsHalIdentityTargetTest
Change-Id: I01d086a4b38c23a6567fd36bcbb9421ea072caab
IR interface is converted to AIDL and this contains the necessary
permissions for the default service to serve the interface.
Test: atest VtsHalIrTargetTest hal_implementation_test
Test: check for permission issues after tests
Bug: 205000342
Change-Id: I8d9d81d957bf6ef3c6d815ce089549f8f5337555
Add selinux policy for AIDL Vehicel HAL service.
This CL mostly follows https://android-review.googlesource.com/c/platform/system/sepolicy/+/1541205/.
Test: Manually test on emulator, verify AIDL VHAL service is up and
accessible by client.
Bug: 209718034
Change-Id: Icad92e357dacea681b8539f6ebe6110a8ca8b357
This is the context when health HAL runs in offline
charging mode.
This has the same permissions as the health HAL, but
is also able to do charger specific things.
Also restrict neverallow rules in charger_type.
Test: manual in offline charging mode
Bug: 203246116
Change-Id: I6034853c113dff95b26461153501ad0528d10279
- Add hal_dumpstate_service AIDL service to hal_dumpstate.te,
service.te
- Add default example hal_dumpstate service to file_contexts,
service_contexts
- Adde hal_dumpstate_service to API level 31 compatibility
ignore list (31.0.ignore.cil)
Bug: 205760700
Test: VtsHalDumpstateTargetTest, dumpstate, dumpstate_test, dumpsys
Change-Id: If49fa16ac5ab1d3a1930bb800d530cbd32c5dec1
This reverts commit 231c04b2b9.
Now that b/186727553 is fixed, it should be safe to revert this revert.
Test: build
Bug: 184381659
Change-Id: If26ba23df19e9854a121bbcf10a027c738006515
Revert submission 1668411
Reason for revert: Suspect for b/186173384
Reverted Changes:
Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t...
I743a81489:Exclude vendor_modprobe from debugfs neverallow re...
I63a22402c:Add neverallows for debugfs access
I289f2d256:Add a neverallow for debugfs mounting
Change-Id: I04f8bfdc0e5fe8d2f7d6596ed7b840332d611485
vendor_modprobe loads kernel modules which may create files in
debugfs during module_init().
Bug: 179760914
Test: build
Change-Id: I743a81489f469d52f94a88166f8583a7d797db16
The type is declared in vendor policy, so the mapping should live
there as well.
Fixes: 185288751
Test: TH
Change-Id: Ia446d7b5eb0444cdbd48d3628f54792d8a6b2786
Grant ReadDefaultFstab() callers
allow scontext { metadata_file gsi_metadata_file_type }:dir search;
allow scontext gsi_public_metadata_file:file r_file_perms;
so they can search / read DSU metadata files.
The DSU metadata files are required to deduce the correct fstab.
Also tighten the neverallow rules in gsid.te.
Bug: 181110285
Test: Build pass, presubmit test
Test: Boot and check avc denials
Test: Boot with DSU and check avc denials
Change-Id: Ie464b9a8f7a89f9cf8f4e217dad1322ba3ad0633
Test: Rebuild, execute and run atest VtsAidlSharedSecretTargetTest and atest VtsAidlSecureClockTargetTest.
Bug: b/171844725, b/168673523.
Change-Id: I8b81ec12c45566d31edcd117e41fd559df32c37d
mediacodec currently only has permissions to allocate from ION heaps.
The following permission is required for it to allocate from the
DMA-BUF system heap via the the codec2 allocator.
It resolves the following denial in the sdk_gphone_x86_64-userdebug
target:
01-08 22:43:48.712 337 337 I auditd : type=1400 audit(0.0:6): avc:
denied { getattr } for comm="android.hardwar"
path="/dev/dma_heap/system-uncached" dev="tmpfs" ino=311
scontext=u:r:mediacodec:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file
permissive=0
Bug: 170887642
Test: make and boot
Change-Id: I5503ed6ffa47a84f614792de866ddafbec0cdcda
