Remove access from untrusted apps and instead grant it to platform_app
(but on user builds as well as debug).
Also restrict any app from creating a vsock_socket; using an already
created one is fine.
Bug: 193373841
Test: Microdroid demo app now gets a denial
Test: Rebuild demo with certifcate: platform, adb install, no denial
Change-Id: I7be011e05244767a42d4c56e26de792db4fe599d
No new HIDL HAL's are allowed in Android T. UWB HAL converted to
versioned AIDL interface to be compliant.
Bug: 195308730
Test: Compiles
Change-Id: I35cf8edd244baa02778ee8eff46840ae26424869
The test for the services has been running with selinux disabled. To
turn selinux on, required rules are allowed.
Below is the summary of the added rules.
* crosvm can read the composite disk files and other files (APKs,
APEXes) that serve as backing store of the composite disks.
* virtualizationservice has access to several binder services
- permission_service: to check Android permission
- apexd: to get apex files list (this will be removed eventually)
* Both have read access to shell_data_file (/data/local/tmp/...) for
testing purpose. This is not allowed for the user build.
* virtualizationservice has access to the pseudo terminal opened by adbd
so that it can write output to the terminal when the 'vm' tool is
invoked in shell.
Bug: 168588769
Test: /apex/com.android.virt/bin/vm run-app --log /dev/null
/data/local/tmp/virt/MicrodroidDemoApp.apk
/data/local/tmp/virt/MicrodroidDemoApp.apk.idsig
/data/local/tmp/virt/instance.img
assets/vm_config.json
without disabling selinux.
Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
Allow system_suspend to server the suspend AIDL hal service.
Bug: 170260236
Test: Check logcat for supend avc denials
Change-Id: Ie4c07e2e8d75fd4b12e55db15511060e09be59cf
Keystore2 atoms need to be rounted to statsd via a proxy.
The proxy needs to have this permission in order to pull metrics from
keystore.
Ignore-AOSP-First: No mergepath to AOSP.
Bug: 188590587
Test: Statsd Testdrive script
Change-Id: Ic94f4bb19a08b6300cfd2d3ed09b31d5b7081bfd
Merged-In: Ic94f4bb19a08b6300cfd2d3ed09b31d5b7081bfd
(cherry picked from commit 61d07e7ce0)
Add app_api_service to pac_proxy_service so that
it can be reach by Cts tests.
Ignore-AOSP-First: this is cherry-pick and add a change in
prebuilts/api/31.0 which is a path doesn't exist in AOSP
Bug: 181745786
Test: build, CtsNetTestCases:PacProxyManagetTest
Change-Id: I9bf4ff810635aa5b3cbf984b77b547aa96cdd543
Keystore2 atoms need to be rounted to statsd via a proxy.
The proxy needs to have this permission in order to pull metrics from
keystore.
Ignore-AOSP-First: No mergepath to AOSP.
Bug: 188590587
Test: Statsd Testdrive script
Change-Id: Ic94f4bb19a08b6300cfd2d3ed09b31d5b7081bfd
The feature is public, we can change the fake name to formal name.
Bug: 185550380
Test: build pass and can run service correctly
Merged-In: I956d916077f9a71cdf1df2f0be6f83e6f1f30a98
Change-Id: Idc29942eee6c2fd7658beb69ba62a70397176a66
Add app_api_service to pac_proxy_service so that
it can be reach by Cts tests.
Bug: 181745786
Test: CtsNetTestCases:PacProxyManagetTest
Change-Id: I9bf4ff810635aa5b3cbf984b77b547aa96cdd543
Marked the fwk_stats_service service as app_api_service so that
it can be reached by apps (also means that it's stable)
Bug: 185789914
Test: Build, flash, boot & and logcat | grep "SELinux"
Change-Id: Ifbb111dbee0429d8aaea4688c0390ee80e25cb22
We use a fake name to prevent feature leak, we should change it back
before API freeze.
We will update the AOSP when our feature is public released.
Bug: 181179744
Test: build pass and can run service correctly
Ignore-AOSP-First: to prevent new feature leak.
Test: atest CtsTranslationTestCases
Change-Id: I956d916077f9a71cdf1df2f0be6f83e6f1f30a98
This service will intercept all UwbManager API calls and then perform
necessary permission checks before forwarding the call to the vendor
UWB service. Adding sepolicy permissions for exposing the service that
handles all public API's.
Bug: 183904955
Test: atest android.uwb.cts.UwbManagerTest
Change-Id: Icce4d2f586926421c06e8902a91533002c380b8d
