Commit 9a5992336e changed the label of
/data/vendor_de. Unfortunately some devices with very old tz applets
store fingerprint configuration directly in /data/vendor_de.
Since we do not have source code access and we cannot modify/hex patch
the tz applet because it is signed, use the existing
data_between_core_and_vendor_violators attribute to make fingerprint
work again on these devices.
Test: m
Change-Id: Ibb78f837ff808fc5e15c4b790105c07f4501a08b

* ATV can't use the newer mobile method for ADB over Wi-Fi
as Ethernet is a massive use case for us, and that implementation
refuses to play nicely with any interface but Wi-Fi.
* Therefore, to avoid having to carry the crappy intermediate prop
solutions in device/lineage/atv, relax this, as it's still a
system namespace and still a limited context that is allowed to
set the property.
Change-Id: Id87ebae6d0552bb8b9faac3114dca42128eaf5b0

Hostside test needs to check existence of /proc/device-tree/avf/guest
to check whether AVF debug policy is installed.
Bug: 345118393
Test: Verified manually on tangorpro-user
(cherry picked from https://android-review.googlesource.com/q/commit:168e04da79db850714afd018a6e88da983c89579)
Merged-In: I33d6bd1bd7c5513395f162e2bcbbfd15c1b80bcd
Change-Id: I33d6bd1bd7c5513395f162e2bcbbfd15c1b80bcd

This reverts commit 70e6e885ae.
Reason for revert: <Potential culprit for b/347203579 - verifying through ABTD before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.>
Change-Id: I28064a2f38114d4e91356828576bfb3b9030b977

traced_relay is a service that takes the place of traced
in a guest VM and relays the producer connections to the
host tracing service. (aosp/2646664)
The service requires the same permissions as traced.
Bug: 333835162
Bug: 340402999
Test: Run traced_relay in a guest VM
Change-Id: Ifc7854e0d3ebaf0f9021cf455a2433037525a0bc

To delete TAP interface in vmnic, it should retrieve libc::ifreq struct
object from file descriptor of TAP interface, to execute SIOCSIFFLAGS
and TUNSETIFF ioctls.
On the other hand, we can reuse libc::ifreq struct for executing
SIOCSIFFLAGS ioctl constructed for executing TUNSETIFF and TUNSETPERSIST
ioctls. So we don't need to grant SIOCGIFFLAGS ioctl anymore, to get
libc::ifreq struct.
Bug: 340376951
Test: Presubmit
Change-Id: I448c8ca5366c0e27d5d5fe09bcb366c5f23650ac

With the dontaudit line in keystore.te commented out on an otherwise clean build, I was unable to see the SELinux denial on boot. So, it seems like this denial may not be occurring anymore and it’s safe to remove the dontaudit line.
Bug: 312427637
Test: manual
Change-Id: Ib8887f0593ea984e3c011b76a81b7bf99cff2a44

Older vendor policy may apply the label vendor_hidraw_device to the
HID device.
From 202404 we use the new label hidraw_device for this.
Fix the compatibility rules to allow new system policy to work with
older vendor policy by adding specific compat logic.
Note that the original 34.0 system policy didn't mention hidraw_device
at all, so the more normal compatibility mechanisms don't really work.
Bug: 340923653
Test: Builds, boots, no new denials
Change-Id: I358118b217c82b5f8111f3e05d35aa16c464b941

Introduce a new system property
avf.remote_attestation.enabled to allow vendors
to disable the feature in vendor init.
Bug: 341598459
Test: enable/disable the feature and check VmAttestationTestApp
Change-Id: I809e4c62a8590822eef70093e33854ab79757835

A comment within system_app.te implies that system_apps can read/write
the /data/data directory (and all subdirectories). The comment is
misleading. Fix the comment.
Test: comment only change. No test needed
Change-Id: I51b95f8b55ac89730a866d2a829326b276b11824

We have moved the encryption policy assignment from vold to
vold_prepare_subdirs. This CL removes some permissions from vold
over storage areas that are no longer needed due to this change,
and adds some permissions to vold_prepare_subdirs.
Bug: 325129836
Test: atest StorageAreaTest
Change-Id: Ief2a8021ed3524018d001e20eae60f712f485d81