Grant system_server and flags_health_check permission to set the
properties that correspond to the AVF experiments.
Bug: 192819132
Test: m
Change-Id: I0e6fa73187abb4412d07ecfd42c1074b8afa5346
Test: ran on flame with ipv6 only wifi network
Bug: 144642337
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I5610b5e446ed1f2288edb12c665a5bddd69d6dae
This patch adds some ioctls for odex/vdex files.
Bug: 205257122
Test: Manual. Code runs.
Signed-off-by: Ken Bian <kenjc.bian@rock-chips.com>
Change-Id: Ibf7890f0910ed04e0355bef9c0bfb21b406fb7eb
rss_stat will be throttled using histogram triggers and synthetic trace
events. Add genfs context labels for the synthetic tracefs files.
Bug: 145972256
Test: Check log cat for avc denials
Change-Id: I7e183aa930bb6ee79613d011bed7174d553f9c1a
This is the common type for domains that executes charger's
functionalities, including setting and getting necessary properties,
permissions to maintain the health loop, writing to kernel log, handling
inputs and drawing screens, etc.
Permissions specific to the system charger is not moved.
Also enforce stricter neverallow rules on charger_{status,config}_prop.
For charger_config_prop, only init / vendor_init can set.
For charger_status_prop, only init / vendor_init / charger / health HAL
can set.
For both, only init / vendor_init / charger / dumpstate / health HAL
can get.
(Health HAL is determined by the intersection of charger_type and
hal_health_server.)
A follow up CL will be added to add charger_type to hal_health_default,
the default domain for health HAL servers. Vendors may add charger_type
to their domains that serves the health AIDL HAL as well.
Test: manual
Bug: 203246116
Change-Id: I0e99b6b68d381b7f73306d93ee4f8c5c8abdf026
"nonplat" was renamed to "vendor" in Android Pie, but was retained
here for Treble compatibility.
We're now outside of the compatbility window for these devices so
it can safely be removed.
Test: atest treble_sepolicy_tests
Change-Id: Iaa22af41a07b13adb7290f570db7a9d43b6e85cc
There's nothing special in the Custom method supplied, replace it
with normal AndroidMkEntries fields.
Bug: 204136549
Test: m checkbuild
Change-Id: I624005d2ee313aaa60397749b0726e393a842618
The software KeyMint implementation used by km_compat needs to read the
vendor security patch level.
Bug: 189973657
Test: Android S GSI starts on rvc-vendor based devices.
Also keystore2_km_compat_tests
Change-Id: I405d6a2b30fa2780321a3e209035c8f8283f5365
* init_daemon_domain because clean_scratch_files is executed by init
* gsid related plumbing for libfs_mgr_binder
Bug: 204836146
Test: Presubmit
Change-Id: Idd7eacd577f538d194252174ab1e3d8396f08fb1
The root init.rc does "write /proc/cpu/alignment 4", but we don't
actually allow this write in core sepolicy. This seems to be a 32-bit
ARM only proc file.
Noticed when booting 32-bit ARM Cuttlefish.
Bug: 145371497
Change-Id: Ic099395708f7236bcc2fc5c561809a7e129786de
Similar to Cuttlefish, Microdroid now has three virtio-console devices.
Bug: 200914564
Test: run MidrodroidDemoApp
Change-Id: I86f9e6298ca0fdccfc2186989126cdd18812caef
Stop using these SELinux attributes since the apexd and init SELinux
policies no longer rely on these attributes.
The difference between the previous versions of this patch and the
current patch is that the current patch does not remove any SELinux
attributes. See also
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1850656.
See also
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1862919.
This patch includes a revert of commit 8b2b951349 ("Restore permission
for shell to list /sys/class/block"). That commit is no longer necessary
since it was a bug fix for the introduction of the sysfs_block type.
Bug: 202520796
Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd
Change-Id: I73e1133af8146c154af95d4b96132e49dbec730c
Signed-off-by: Bart Van Assche <bvanassche@google.com>
