Use the user policy when running the compatibility tests.
Bug: 74344625
Test: Built policy for many devices. Booted one device.
Test: Delete some compat rules, verify error on userdebug.
Change-Id: Ib2df2dfc06cdf55a839011e9a528e76160a9e436
(cherry picked from commit c148621815)
Verify that the SELabels used in property_contexts correspond to a
real type in the SEPolicy and that this type has the property_type attribute.
Additionally add a check that vendor property_context files do not
duplicate entries in plat property_contexts, and a similar check that
odm property_contexts doesn't duplicate either plat or vendor
property_contexts.
Bug: 74078792
Test: Build property_contexts on bullhead successfully
Test: See failure when using a faulty SELabel in property_contexts
Test: See failure when duplicating label in vendor and plat property_contexts
Change-Id: I4d2338dab68f1c5a8ed110aa7821f0677f61bafb
(cherry picked from commit a15df75ddf)
This allows an optimization that consists in the "perfetto" cmdline
client passing directly the file descriptor for the output trace
to traced (as opposite to having traced streaming back the trace
data to "perfetto" and having that one doing the write() into file).
This reduces sensibly the memory traffic and CPU overhead of traces
with a minor change.
Bug: 73625179
Test: builds + perfetto_integrationtests w/ long_trace.cfg
Change-Id: I81f5a230338ced20dc543fd91c5a0bd0e58725f2
Merged-In: I81f5a230338ced20dc543fd91c5a0bd0e58725f2
(cherry picked from aosp/648831)
The permission to allow system_server to access sys/fs/bpf/ directory
is missing. Add it back so it can get the bpf maps from the bpf_fs.
Test: device boot and no more denial information of system_server try to
searcg in fs_bpf
atest android.net.cts.TrafficStatsTest
Bug: 75285088
Change-Id: I1040cde6c038eccc4e91c69a10b20aa7a18b19f6
(cherry picked from aosp commit f83bbd17b2)
Kernel modules are not permitted to be on /system partition.
That was one of Treble requirements in O:
https://source.android.com/devices/architecture/kernel/modular-kernels#file-locations
Bug: 74069409
Test: pixel/nexus devices don't have LKMs in /system, so this change
shoudl be harmless.
Test: walleye boots without issues from modprobe.
Merged-In: I8b3aeb55aacb3c99e0486224161d09a64bb52cd1
Change-Id: I8b3aeb55aacb3c99e0486224161d09a64bb52cd1
(cherry picked from commit 6ef9f5232e)
ro.config.low_ram should be set on Android Go devices by SoC vendors,
and the value can be read by vendor components.
Bug: 76132948
Bug: 75987246
Test: succeeded building and tested with taimen
Change-Id: I6ac98fa58cf641da4565d6277898fc5e5e6ceca1
Merged-In: I6ac98fa58cf641da4565d6277898fc5e5e6ceca1
(cherry picked from commit 7dd2e025d8)
So that perfprofd can send larger packets to dropbox.
Follow-up of commit 3fa95acb1e.
(cherry picked from commit c9df843773)
Bug: 73175642
Test: m
Test: manual
Merged-In: I88d1f83962243589909ff1ce3d02195e7c494256
Change-Id: I88d1f83962243589909ff1ce3d02195e7c494256
This CL adds the SELinux permissions required to execute
atrace and get userspace tracing events from system services.
This is to enable tracing of events coming from surfaceflinger,
audio HAL, etc.
atrace, when executed, sets a bunch of debug.atrace. properties
and sends an IPC via binder/hwbinder to tell the services to
reload that property.
This CL does NOT affect systrace. In that case (i.e. when
atrace is executed from adb/shell) atrace still runs in
the shell domain and none of those changes apply.
Change-Id: I11b096d5c5c5593f18bce87f06c1a7b1ffa7910e
Merged-In: I11b096d5c5c5593f18bce87f06c1a7b1ffa7910e
Merged-In: Iba195d571aec9579195d79d4970f760e417608c6
Bug: b/73340039
To better record the network traffic stats for each network interface.
We use xt_bpf netfilter module to do the iface stats accounting instead
of the cgroup bpf filter we currently use for per uid stats accounting.
The xt_bpf module will take pinned eBPF program as iptables rule and run
the program when packet pass through the netfilter hook. To setup the
iptables rules. netd need to be able to access bpf filesystem and run the
bpf program at boot time. The program used will still be created and
pinned by the bpfloader process.
Test: With selinux enforced, run "iptables -L -t raw" should show the
xt_bpf related rule present in bw_raw_PREROUTING chain.
Bug: 72111305
Change-Id: I11efe158d6bd5499df6adf15e8123a76cd67de04
(cherry picked from aosp commit 5c95c16841)
With this attribute it will be easier to reference /proc files.
Bug: 74182216
Test: policy builds
Change-Id: I5b7da508d821e45f122832261a742a201e8fdf2c
(cherry picked from commit 41bf08e592)
This should fix audio on non-Treble devices.
Bug: 75949883
Test: Built policy.
Merged-In: I90a4648aaf975d59be36afd5f62c88a015af10f7
Change-Id: I90a4648aaf975d59be36afd5f62c88a015af10f7
(cherry picked from commit 6e8bfa2d3e)
Bug: 64240127
Test: normal boot and recovery boot a device
Change-Id: I22d29e8476380d19aca1be359e0228ab6bbc3b0f
Merged-In: I22d29e8476380d19aca1be359e0228ab6bbc3b0f
(cherry picked from commit ad6231f546)
Bug: 64240127
Test: normal boot and recovery boot a device
Change-Id: Ibd71219f60644e57370c0293decf11d82f1cb35c
Merged-In: Ibd71219f60644e57370c0293decf11d82f1cb35c
(cherry picked from commit 1f717b1001)
Bug: 64240127
Test: normal boot and recovery boot a device
Change-Id: I087292fb23d05fc17272778d668ac78a721b2593
Merged-In: I087292fb23d05fc17272778d668ac78a721b2593
(cherry picked from commit bae1517a58)
This change adds the support of odm sepolicy customization, which can
be configured through the newly added build varaible:
- BOARD_ODM_SEPOLICY_DIRS += device/${ODM_NAME}/${BOM_NAME}/sepolicy
Also moving precompiled sepolicy to /odm when BOARD_ODM_SEPOLICY_DIRS
is set. On a DUT, precompiled sepolicy on /odm will override the one in
/vendor. This is intentional because /odm is the hardware customization
for /vendor and both should be updated together if desired.
Bug: 64240127
Test: boot a device with /odm partition
Change-Id: Ia8f81a78c88cbfefb3ff19e2ccd2648da6284d09
Merged-In: Ia8f81a78c88cbfefb3ff19e2ccd2648da6284d09
(cherry picked from commit 45457e3a2b)
When extraction exif info, certain file formats may requires
parsing the container. Allow mediaprovider to use extractor
to do the parsing.
bug: 73978990
Test: manually test the scenario in b/73978990 and verify
the Exif is extracted correctly.
Change-Id: I1cd46d793ebc9c38b816a3b63f361967e551d046
(cherry picked from commit 8e3fef3d2c)
persist.sys.usb.usbradio.config can be read in vendor init scripts.
Bug: 75202311
Bug: 74266614
Test: succeeded building and tested on pixels
Change-Id: Ib07a436dd22b4b445fd114cc1d0df7c3e7a21527
Several /odm/* symlinks are added in the following change, to fallback
to /vendor/odm/* when there is no /odm partition on the device.
https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/638159/
This change allows dexopt operations to 'getattr' those symlinks during
OTA.
Bug: 75287236
Test: boot a device
Change-Id: I2710ce5e2c47eb1a3432123ab49f1b6f3dcb4ffe
Merged-In: I2710ce5e2c47eb1a3432123ab49f1b6f3dcb4ffe
(cherry picked from commit 88cd813fe2)
Bug: 74866333
Test: succeeded building and tested with taimen
Change-Id: Id19fec168ab266e386ea4c710a4c5cedfc4df33c
Merged-In: Id19fec168ab266e386ea4c710a4c5cedfc4df33c
(cherry picked from commit 62acbce4a2)
Allow init the ability to relabel recovery block devices. In the case
where we have recovery as a chain partition, due to its presence in
early mount node, init, in first stage itself would require relabel
permissions for the restorecon operation on recovery block device.
Bug: 73642793
Test: On bootup, recovery partition gets the appropriate se-label.
Perform OTA on non-A/B device with recovery as chain partition,
now the recovery partition gets upgraded successfully, now that
it has the correct se-label.
Change-Id: I370c510320e78ab78c9c55573073415b4983d0f6
Merged-In: I370c510320e78ab78c9c55573073415b4983d0f6
(cherry picked from commit bc14ee3cd7)
vendor-init-settable should be allowed to ro.enable_boot_charger_mode so
that SoC vendors can set its default value.
Bug: 74421250
Test: succeeded building and tested with taimen
Change-Id: I2859aab29fefb7882989413a089b0de55142d2f1
Merged-In: I2859aab29fefb7882989413a089b0de55142d2f1
(cherry picked from commit 46bc518c69)