This reverts commit 640e595a68. The
corresponding code in libcutils was removed, so this is now unneeded.
Bug: 71632076
Test: aosp_sailfish still works
Change-Id: I615bab83e9a83bc14439b8ab90c00d3156b0a7c4
This fixes an incorrect exception in the neverallow rule.
Test: Built policy for all lunch targets.
Change-Id: I283833131c6f1fd741e934de24c838594ac38a18
Finalize Wi-Fi RTT service name per API review.
Note: CL 2 of 2 - removing old entry.
Bug: 65108607
Test: integration tests
Change-Id: Id2b3d91ea2ca578a5834a299275df188c68475da
Finalize Wi-Fi RTT service name per API review.
Note: CL 1 of 2 - adding new entry here, will remove
old entry in next CL.
Bug: 65108607
Test: integration tests
Change-Id: I065ce9d570510180fa8c8f09e1025ac795706405
1) fc_sort is not needed as there is no reason to sort system
properties, so this is removed and replaced with a simply copy
2) Use the new property_info_checker instead of checkfc for
validating property information. This supports exact match
properties and will be extended to verify property schemas in the
future.
Bug: 36001741
Test: verify bullhead's property contexts correct
Test: verify faulty property contexts result in failures
Change-Id: Id9bbf401f385206e6907449a510e3111424ce59e
After offline discussions, we decided that this was the proper
exception to the neverallow rule.
Test: Built policy.
Change-Id: Ic1603bfdd803151ccfb79f90195b83b616acc873
This CL creates a traceur_app domain with userdebug privileges akin to
what shell has with regards to being able to find most services on
device. Previously, traceur was running as shell which was an
unintentional abuse of selinux architecture.
Bug: 68126425
Test: Traceur functions outside of shell user privilege
Change-Id: Ib5090e7e8225ad201b3ec24b506fe2717101d0f1
For consistency with zygote, allow webview_zygote to list directories
in /system.
Test: Boot Taimen. Verify webiew_zygote denials during boot.
Bug: 70857705
Change-Id: I27eb18c377a5240d7430abf301c1c3af61704d59
The system server is responsible for providing the network traffic
stats to Apps and services. Allow it to directly reading the eBPF maps
that stored these information can make the process of getting traffic
stats simplier.
Test: No selinux rule violation of system server reading netd bpf object
Bug: 30950746
Change-Id: I6d9438d1ed7c9bab45a708f5d2a85eb22f5e8170
Add the new classes for eBPF map and program to limit the access to eBPF
object. Add corresponding rules to allow netd module initialize bpf
programs and maps, use the program and read/wirte to eBPF maps.
Test: no bpf sepolicy violations when device boot
Change-Id: I63c35cd60f1972d4fb36ef2408da8d5f2246f7fd
Some necessary sepolicy rule changes for init process to create directory,
mount cgroupv2 module and mount bpf filesystem. Also allow netd to create
and pin bpf object as files and read it back from file under the
directory where bpf filesystem is mounted.
Test: bpf maps show up under /sys/fs/bpf/
Change-Id: I579d04f60d7e20bd800d970cd28cd39fda9d20a0
Removing legacy rules. system_server now depends on Lights HAL (which
has its own domain) instead of /sys/class/leds.
Bug: 70846424
Test: sailfish boots; screen, flashlight work fine.
Change-Id: I6f116a599cab26ae71e45f462b33328bc8d43db5
Vendor-specific app domains depend on the rules in app.te so they
must reside in public policy.
Bug: 70517907
Test: build
Change-Id: If45557a5732a06f78c752779a8182e053beb25a2
Merged-In: If45557a5732a06f78c752779a8182e053beb25a2
(cherry picked from commit 1f4cab8bd4)
CrossProfileAppsService allows apps to do limited cross profile
operations, like checking the caller package is installed in
the specified user. It is similar to LauncherAppsService in some sense.
Merged-In: I26e383a57c32c4dc9b779752b20000b283a5bfdc
Change-Id: I26e383a57c32c4dc9b779752b20000b283a5bfdc
Fix: 67765768
Test: Built with ag/3063260. Can boot and verified those APIs are working.
(cherry picked from commit 6536c9e092)
we are aiming to improve logging performance by having wifi hal
directly write to the flash.
Wifi hal need to be able to create, write, and delete files in
a directory. This will be restricted to userdebug and eng builds only.
Bug: 70170285
Test: compile, run on device
Change-Id: Id0cd317411f4c393d7529aa31b501046d7350edb
Since /odm is an extension of /vendor, libs in /odm should be treated
just like the ones in /vendor.
Bug: 67890517
Test: none as we don't yet have /odm partition.
Change-Id: I5232baef769c7fa8c7641b462cfa1d7537d3cfdf
Bug: 70275668
Test: walleye builds, boots.
This change only expands the existing permissions, so shouldn't regress
runtime behavior.
Change-Id: I36e63f11d78998a88e3f8d1e6913e20762a359af
