This can detect a common mistake of not labeling binaries in APEX.
Note - we can't simply check if the lable has exec_type attribute
because there're many exceptions.
Bug: 324005965
Test: atest apex_sepolicy_tests_test
Change-Id: Ib643e8b73fac1a3b8851804e58e69b19d32b997d
ro.llndk.api_level is included in system/build.prop.
It must have the system build_prop context instead of the vendor prop.
Bug: 312098788
Test: TH
Change-Id: I223ae2cd56490a2cfd6f6454ad685d23d90d9329
Open up CAP_SYS_NICE policies so that crosvm can adjust uclamp on its
vCPU threads to provide a boost in performance.
Bug: 322197421
Test: Booted device and processes that checked that the correct
capabilites are given with no sepolicy denials.
Change-Id: I089bf26caf862c32e85440575800bb095bb9087b
Signed-off-by: David Dai <davidai@google.com>
This is used for mapper sphal library which is defined in VINTF and
queried via servicemanager.
Bug: 317178925
Test: cuttlefish loads mapper.minigbm
Change-Id: Ibddc0239e52065a89c656f885f34835406665009
Memhealth driver has been removed from all android kernels.
Test: m
Bug: 315560026
Change-Id: Ia4f91bde3a999a490b42b57abcd521ff9cc94633
Signed-off-by: Carlos Galo <carlosgalo@google.com>
Revert submission 2929484-fix-b-321651892-ihaladapter
Reason for revert: possible cause of b/323385784
Reverted changes: /q/submissionid:2929484-fix-b-321651892-ihaladapter
Change-Id: I9664f8f9dd6eec159be7fbf3b148a12d44cef582
am skip reason: Merged-In I1f61b687be4abe53c62c21769fb57dc9cf9daf45 with SHA-1 fb5d221b27 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2935110
Change-Id: Ia809efc5132a240185d8f954215aaaa5ff40cf2f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
When running a VM from a root shell (e.g. via vm_shell), we see
frequent ipc_lock denials:
avc: denied { ipc_lock } for comm="crosvm" capability=14
scontext=u:r:crosvm:s0 tcontext=u:r:crosvm:s0 tclass=capability
permissive=0
These don't appear for non-root crosvm, and don't prevent the VM from
working. Suppress them to reduce log spam.
Test: Run vm_shell
Change-Id: I3b68ca9e3f15709a1f0fce285ba8916419ee82e8
Description:
Since the Android N project uses Keymaster 1.5 and added full disk encryption support in vold when upgrading to Android T, the SELinux rules need to allow vold to use the keymaster HAL directly.
Bug: 319506037
Change-Id: Ib21c59156a6de0c2b148e33de2fe8efb3606e697
Although /proc/device-tree is symlink to /sys/firmware/devicetree/base,
/proc/device-tree is the stable API but the absolute path may be
changed in the future.
Bug: 322465386
Test: atest CustomPvmfwHostTestCases
Change-Id: I81cbe8a4dddbac97e4fb94e6684d2a91127f3378
Restricting that properties can only be written by platform and module.
It will be read and written from init and sytem_server.
Bug: b/289203818
Test: m
Change-Id: Ie6b44d1222ec1a9fbfc9b90e0455588f9defe848
This change updates neverallow list to allow accessing udp
sockets from hal_bluetooth_server.
Bug: 305104428
Change-Id: Ic1d80c7cb1aa62969b541ee30686afd57ec51fb0
This change updates neverallow list to allow accessing tcp
sockets from hal_bluetooth_server.
Bug: 305104428
Change-Id: I609380108ccd7b73ed251dd006caa0849bf6c53c
Legacy VPNs are removed, including the usage of mtpd/pppd.
Only the type ppp and mtp remain as there are usages elsewhere.
Bug: 161776767
Test: m, presubmit
Change-Id: I556b0daa55f9ea7bf844f6a52d10dda02e324ee0
This service is used by the audio server for translating
between legacy string KV pairs and AIDL vendor parameters.
It resides on the system_ext partition.
Since it has to be implemented by every SoC vendor, provide
an example implementation. This example service is added
to CF and GSI system_ext. Vendors can use their own names
and policy labels, the only thing that the audio server
depends on is the AIDL interface.
There is no fuzzer for this service because the example
implementation only contains trivial code (interface
methods are stubbed out).
Bug: 321651892
Test: atest audiorouting_tests
Change-Id: I8ab922660a30ffd44772987204ac4a28c1007c66
crosvm calls mlock. It used to need this capability, but now we remove
the rlimit (in Virtualization Manager via Virtualization Service) so
it no longer needs it and in fact is no longer granted it.
(This was previously removed in
commit 88f98d96da, but accidentally
re-introduced in commit 88f98d96dae3fb2616e93969685cbd737c364a0f.)
Bug: 322197421
Test: atest MicrodroidTests
Change-Id: I091170d0cb9b5617584b687e7f24cff153e06c85
