"nonplat" was renamed to "vendor" in Android Pie, but was retained
here for Treble compatibility.
We're now outside of the compatbility window for these devices so
it can safely be removed.
Test: atest treble_sepolicy_tests
Change-Id: Iaa22af41a07b13adb7290f570db7a9d43b6e85cc
The root init.rc does "write /proc/cpu/alignment 4", but we don't
actually allow this write in core sepolicy. This seems to be a 32-bit
ARM only proc file.
Noticed when booting 32-bit ARM Cuttlefish.
Bug: 145371497
Change-Id: Ic099395708f7236bcc2fc5c561809a7e129786de
Make Netlink Interceptor work when SELinux is enforcing
Test: Netlink Interceptor HAL comes up and works
Bug: 194683902
Change-Id: I3afc7ae04eba82f2f6385b66ddd5f4a8310dff88
Remove these SELinux attributes since the apexd and init SELinux policies
no longer rely on these attributes.
The only difference between a previous version of this patch and the
current patch is that the current patch moves these attributes to the
'compat' policy. See also
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1850656.
This patch includes a revert of commit 8b2b951349 ("Restore permission
for shell to list /sys/class/block"). That commit is no longer necessary
since it was a bug fix for the introduction of the sysfs_block type.
Bug: 202520796
Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd && adb -e shell dmesg | grep avc
Change-Id: Id7d32a914e48bc74da63d87ce6a09f11e323c186
Signed-off-by: Bart Van Assche <bvanassche@google.com>
In virtualized deployments of Android, it can be useful to have
access to a description of the hypervisor/host environment being
used to run the guest OS instance.
This is represented by means of a new system property
ro.boot.hypervisor.version, which is meant to convey a
free-form descriptor of the current host/hypervisor version
The property is meant to be provided to Android as androidboot.
by whatever host-specific means are used to supply other boot
properties to the target Android instance. Access could be later
opened to other vendor processes to set if needed for specific
setups where init is not a sufficiently-early stage for
host/guest communication. Such setups are not known at this time.
For a native Android incantation, the property defaults to
being missing
Other properties could later be added to this same namespace
and context if they turn out to be useful in specific scenarios.
Bug: 178749018
Test: build cuttlefish
Change-Id: Id721c14ef1958b525c2866a660dcae8fd176a79d
No new HIDL HAL's are allowed in Android T. UWB HAL converted to
versioned AIDL interface to be compliant.
Bug: 195308730
Test: Compiles
Change-Id: I35cf8edd244baa02778ee8eff46840ae26424869
Since we are now creating an AOSP HAL for uwb. Rename Pixel specific
internal UWB HAL from Android S to hal_uwb_vendor to avoid conflicts
with the AOSP HAL sepolicy rules that are going to be added in
Android T.
Android S Architecture:
|Apps | AOSP API | Vendor Service | Vendor HAL Interface | Vendor HAL
Implementation | Vendor driver/firmware
Android T Architecture:
|Apps | AOSP API | AOSP Service | AOSP HAL Interface | Vendor HAL
Implementation | Vendor driver/firmware
Ignore-AOSP-First: Dependent changes in internal-only projects.
Bug: 195308730
Test: Compiles
Change-Id: I7bf4794232604372134ea299c8e2a6ba14a801d3
Merged-In: I7bf4794232604372134ea299c8e2a6ba14a801d3
(cherry picked from commit 40465250e4)
(cherry picked from commit 27ab309fad)
Since we are now creating an AOSP HAL for uwb. Rename Pixel specific
internal UWB HAL from Android S to hal_uwb_vendor to avoid conflicts
with the AOSP HAL sepolicy rules that are going to be added in
Android T.
Android S Architecture:
|Apps | AOSP API | Vendor Service | Vendor HAL Interface | Vendor HAL
Implementation | Vendor driver/firmware
Android T Architecture:
|Apps | AOSP API | AOSP Service | AOSP HAL Interface | Vendor HAL
Implementation | Vendor driver/firmware
Ignore-AOSP-First: Dependent changes in internal-only projects.
Bug: 195308730
Test: Compiles
Change-Id: I7bf4794232604372134ea299c8e2a6ba14a801d3
Merged-In: I7bf4794232604372134ea299c8e2a6ba14a801d3
extra_free_kbytes.sh is used by init to set /sys/vm/watermark_scale_factor
value. Allow init to execute extra_free_kbytes.sh and the script to access
/proc/sys/vm/watermark_scale_factor and /proc/sys/vm/extra_free_kbytes
files.
Bug: 109664768
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I55ec07e12a1cc5322cfdd4a48d0bdc607f45d832
Addressing b/194450129 requires configuring the I/O scheduler and the
queue depth of loop devices. Doing this in a generic way requires
iterating over the block devices under /sys/class/block and also to
examine the properties of the boot device (/dev/sda). Hence this patch
that allows 'init' and 'apexd' to read the properties of all block
devices. The patch that configures the queue depth is available at
https://android-review.googlesource.com/c/platform/system/core/+/1783847.
Test: Built Android images, installed these on an Android device and verified that modified init and apexd processes do not trigger any SELinux complaints.
Change-Id: Icb62449fe0d21b3790198768a2bb8e808c7b968e
Signed-off-by: Bart Van Assche <bvanassche@google.com>
There can be VM disk images that are specific to the underlying SoC.
e.g. in case where SoC-specific hardware is dedicated to a VM and the VM
needs drivers (or HALs) for the hardware.
Don't prevent crosvm from reading such a SoC-specific VM disk images.
Note that this doesn't actually allow crosvm to do that in AOSP. Such an
allow rule could be added in downstreams where such use cases exist.
Bug: 193605879
Test: m
Change-Id: If19c0b6adae4c91676b142324c2903879548a135
Previously vendor_sched is put under product area which will be replaced
by GSI. To solve it, move it to system/sepolicy.
Bug: 194656257
Test: build pass
Change-Id: Ia0b855e3a876a58b58f79b4fba09293419797b47
