This is useful for certain tests. Note that it is already possible to
access these files without root via adb pull, since adbd has
access. Shell also already has access to non-updated APEXes on
/system/apex.
Bug: 220918654
Test: adb unroot; pm install --apex /data/apex/decompressed/X.decompressed.apex
Change-Id: I35725499365b297a64c9005c8e45325531d3991d
Sepolicy files for new ConnectivityNative service.
This is a new service implemented in java accessible from
native code. Stable aidl is used to avoid having to manually write
the unparcling code in two different languages. A new service is
required because there is no connectivity service in the system
server that exposes a stable aidl interface.
Bug: 179733303
Change-Id: If2372712a4a8ac7b0631a2195aabc910d1a829cc
These domains already can't transition to crash_dump, but also need to
make sure crash_dump can't be run and pointed at them.
Bug: 218494522
Test: Builds
Change-Id: I76f88faf8ff4c88e85eaf6a8db546dc644a71928
perfetto traced_probes executes atrace with a pipe for stdout/stderr.
That aleady works because atrace can `write` onto traced_probes's pipes.
Now traced_probes needs to invoke atrace at boot time. This revealed a
problem (I'm pretty sure it was an existing problem and it was
completely harmless):
```
02-23 22:00:41.951 605 605 I auditd : type=1400 audit(0.0:94): avc:
denied { getattr } for comm="atrace" path="pipe:[17964]" dev="pipefs"
ino=17964 scontext=u:r:atrace:s0 tcontext=u:r:traced_probes:s0
tclass=fifo_file permissive=0
```
atrace doesn't just need `write` permissions on its
stdout/stderr pipes, it also needs `getattr` permissions (probably
because of [this][1]?)
[1]: https://cs.android.com/android/platform/superproject/+/master:bionic/libc/bionic/libc_init_common.cpp;l=156;drc=7a2386bf89f9bfd4e53eba9304e4239b3fdf0d06)
Bug: 219393750
Change-Id: I53b0f60cdd763863c834a883fbb77664e528dd15
Any virtualization service client should be able to use a pipe for the
VM log fds.
We previously had some support for this in crosvm (but appdomain is
the wrong label), but not for virtualizationservice. Instead I've
centralised it in the virtualizationservice_use macro so it applies to
exactly those things that can start a VM.
I've removed read permission from crosvm; it doesn't seem to be
needed, and logically it shouldn't be.
Test: Patch in https://r.android.com/1997004, see no denials
Change-Id: Ia9cff469c552dd297ed02932e9e91a5a8cc2c13f
CompOS no longer talks directly to DICE (compos_key_helper does). odsign
no longer promotes or deletes instance CompOS files, and the key files
don't exist any more.
Bug: 218494522
Test: Manual; trigger compilation, reboot & watch odsign
Change-Id: Ibc251180122e6e4789b4be5669da3da67517b49c
We would like SurfaceFlinger to be able to create a pipe and provide
the write-end to the graphics composer to dump debug info for dumpsys.
Bug: 220171623
Test: atest VtsHalGraphicsComposer3_TargetTest
Test: adb shell dumpsys SurfaceFlinger
Test: adb shell dumpsys android.hardware.graphics.composer3.IComposer/default
Change-Id: Ie2cbe76fb0d224235a8ea99f68a20e2139e1cc56
Make sure all the permissions are granted to let the HAL do its work
properly.
Bug: 214231981
Test: atest MicrodroidTestApp
Change-Id: I54c633b8163ea313c87856fb0513074a76ac86a1
Add the compos_key_helper domain for the process which has access to
the signing key, make sure it can't be crashdumped. Also extend that
protection to diced & its HAL.
Rename compos_verify_key to compos_verify, because it doesn't verify
keys any more.
Move exec types used by Microdroid to file.te in the host rather than
their own dedicated files.
Bug: 218494522
Test: atest CompOsSigningHostTest CompOsDenialHostTest
Change-Id: I942667355d8ce29b3a9eb093e0b9c4f6ee0df6c1
