This only makes it difficult to run (test/demo) apps using AVF. They
have to be pre-installed on the device which is infeasible on
user-build devices.
Removing the guard so that untrusted apps can use virtualizationservice
even on user builds. Note that the use is still gated by the
MANAGE_VIRTUAL_MACHINE permission, which can be granted only by
pre-installing or explicitly via `adb shell pm grant`. So there's no
risk of 3p apps downloaded from the net having its own VM.
Bug: 231080171
Test: run MicrodroidDemoApp on a user build
Merged-In: Ie0b1b9801dd7726633f97456a38bc0ea349013db
Change-Id: Ie0b1b9801dd7726633f97456a38bc0ea349013db
Steps taken to produce the mapping files:
0. Add 33.0 prebuilts to prebuilts/api/33.0/.
1. Add the following Android.bp modules.
33.0.board.compat.map
33.0.board.compat.cil
33.0.board.ignore.map
plat_33.0.cil
system_ext_33.0.cil
product_33.0.cil
33.0.ignore.cil
system_ext_33.0.ignore.cil
product_33.0.ignore.cil
33.0.compat.cil
system_ext_33.0.compat.cil
2. Touch the following three files.
private/compat/33.0/33.0.cil
private/compat/33.0/33.0.compat.cil
private/compat/33.0/33.0.ignore.cil
3. Add 33.0 to PLATFORM_SEPOLICY_COMPAT_VERSIONS on
build/make/core/config.mk. Note that we don't update
sepolicy_major_vers to 33, but just update compat versions.
4. Run the following command.
$ source build/make/rbesetup.sh && lunch aosp_arm64-userdebug
$ m sepolicy_generate_compat
$ sepolicy_generate_compat --branch=tm-dev \
--build latest --target-version 33.0 \
--latest-version 32.0
This change also enables treble_sepolicy_tests_33.0 and installs
33.0.cil mapping file onto the device.
Test: m treble_sepolicy_tests_33.0
Test: m 33.0_compat_test
Test: m slinux_policy
Change-Id: Ie969ff0372ff1268776165cee5cb5b07d303453c
This supports the ability to switch between ANGLE and a legacy GLES
driver in cases when transitioning from a legacy GLES driver to ANGLE
as the system driver. With ANGLE as the GLES system driver, the
platform needs a way to identify the legacy GLES driver, so that it
can be used for particular applications.
Test: CtsAngleDeveloperOptionHostTest
Bug: 224558229
Change-Id: I359b37daa96eb6f8424bde530bb1ac79affd1b04
Allow init to use toolbox to rm -rf stale files under /data/misc/virtualizationservice.
Bug: 230056726
Test: Create fake stale dir+file, see them deleted
Change-Id: I4a31e437344974597fc5280d898f23780a820f16
(cherry picked from commit 8e06fb4109)
Group together the rules for setting up app data isolation and get all
the comments up-to-date. Also remove some parts that aren't needed:
- 'allow zygote mnt_expand_file:dir mounton;' -- not needed. It might
have been thought that this was needed for mounting tmpfs on
/mnt/expand/$volume/user{,_de}, but those have type system_data_file.
- 'allow zygote mnt_expand_file:dir relabelto;' -- not needed, as
nothing is ever relabeled to this type.
- 'allow zygote media_rw_data_file:dir getattr;' -- not needed to create
bind mounts. The similar rules for user_profile_* don't include this.
- 'allow zygote mirror_data_file:dir r_dir_perms;' -- tighten to just
the required search permission.
- 'allow zygote system_data_file:dir getattr;' -- redundant with 'allow
zygote system_data_file:dir r_dir_perms;', and not needed for the
stated reason of "Get inode of directories for app data isolation".
Test: booted Cuttlefish, no denials seen.
Change-Id: Id77b8c81625fd785a5d0d88c37d7c85b8fff7244
Add some services ephemeral service has access to.
We will steadily restrict this list further based on
testing and requirements for rubidium.
Test: Manual
Bug: b/227745962
Bug: b/227581095
Change-Id: If7bcb8b8de62d408bd4af848b43abca853c93758
This reverts commit d338d0ef55.
Reason for revert: The original problem was due to failing to switch mount namespace when bootchart is on (see b/229983560) but this doesn't fix it but only suppresses the symptom. aosp/2073287 fixes the original problem.
Change-Id: I6538de37872e718291e78b591a1ae43e83f7a3e3
The properties for rkp_only are no longer read only.
This allows remote provisioner unit tests to enable/disable the remote
provisioning only mode, which is required to fully verify functionality.
Test: RemoteProvisionerUnitTests
Bug: 227306369
Change-Id: I8006712a49c4d0605f6268068414b49714bbd939
It will be used by system_server only (i.e., not even Shell) to let
developers change the system user mode (to be headless or full).
Test: sesearch --allow -t system_user_mode_emulation_prop $ANDROID_PRODUCT_OUT/vendor/etc/selinux/precompiled_sepolicy
Bug: 226643927
Change-Id: Iaba42fd56dce0d8d794ef129634df78f9599260f
Some of our CTS tests require that crosvm to have read/write access to
files on /data/local/tmp/virt which is labeled as data_shell_file.
Since CTS tests should pass on user builds, grant the access in user
builds as well.
Note that the open access is still disallowed in user builds.
Bug: 222013014
Test: run cts
Change-Id: I4f93ac64d72cfe63275f04f2c5ea6fb99e9b5874
... such as Cuttlefish (Cloud Android virtual device) which has a
DRM virtio-gpu based gralloc and (sometimes) DRM virtio-gpu based
rendering (when forwarding rendering commands to the host machine
with Mesa3D in the guest and virglrenderer on the host).
After this change is submitted, changes such as aosp/1997572 can
be submitted to removed sepolicy that is currently duplicated
across device/google/cuttlefish and device/linaro/dragonboard as
well.
Adds a sysfs_gpu type (existing replicated sysfs_gpu definitions
across several devices are removed in the attached topic). The
uses of `sysfs_gpu:file` comes from Mesa using libdrm's
`drmGetDevices2()` which calls into `drmParsePciDeviceInfo()` to
get vendor id, device id, version etc.
Bug: b/161819018
Test: launch_cvd
Test: launch_cvd --gpu_mode=gfxstream
Change-Id: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
Merged-In: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
Now that FDE (Full Disk Encryption) is no longer supported, the SELinux
policy doesn't need to support it. Remove two rules that are no longer
needed. Also update some comments that implied that other rules were
needed only because of FDE support, when actually they are still needed
for other reasons. Finally, fix some outdated documentation links.
Bug: 208476087
Change-Id: I4e03dead91d34fcefdfcdc68d44dd97f433d6eaf
from the shell.
This fixes a regression from https://r.android.com/1921457, so that
dex2oat without a path can still be run from the adb shell. That CL
removed the symlink from /system/bin, which means the shell finds it in
/apex/com.android.art/bin instead, and hence it needs to be covered by
this sepolicy.
Test: adb unroot && adb shell dex2oat
Bug: 218986148
Bug: 124106384
Change-Id: Ic52b30e0974829b5e5cde5106e6c4eec9f61eec6
This is a key system process for certain performance investigations, so
allow perfetto profiling of its native heap and general callstack
sampling. This is already allowed on debuggable builds via domain.te.
In addition to the sepolicy, the profiler itself does checks on whether
to allow profiling. At the time of writing, profiling requests coming
from "shell" for surfaceflinger will be disallowed (as it is a native
process running as "system"). However profiling requests coming from the
platform via "statsd" will be allowed.
Bug: 217368496
Tested: profiled surfaceflinger on local internal/master sargo-user build
Change-Id: Ib092064ea911aed08d981adc823cd871fc271a96
Grant system_server and flags_health_check permission to set the
properties that correspond to vendor system native experiments.
Bug: 226456604
Test: Build
Change-Id: Ib2420cf6eaf1645e7f938db32c93d085dd8950a3
