See go/rescue-party-reboot for more context.
One integer will be stored in a file in this
directory, which will be read and then deleted at the
next boot. No userdata is stored.
Test: Write and read from file from PackageWatchdog
Bug: 171951174
Change-Id: I18f59bd9ad324a0513b1184b2f4fe78c592640db
We will link files under /data/apex/active and /data/app to
/data/rollback when enabling rollbacks to avoid copy.
When creating hard links, we have to enusre source and target have the
same label to avoid subtle bugs.
We will assign apk_data_file to *.apk files and
staging_data_file to *.apex files under /data/rollback.
Also allow system_server to link /data/apex/active files.
Bug: 168562373
Test: m
Change-Id: I4be38cc8c84494c4ddfa03e37f2af3958bff5dfb
Revert "Add ability to declare licenses in soong."
Revert submission 1377717-metalics
Reason for revert: This has broken renderscript_mac target for aosp-master, see b/176909442
Reverted Changes:
I26ac54ca9:Define the standard license_kind rules.
I656486070:Export soong license data to make.
If9d661dfc:Export soong license data to make.
I97943de53:Add ability to declare licenses in soong.
Icaff40171:Rough-in license metadata support to make.
Ib8e538bd0:Add variables for notice deps, license kinds etc.
Change-Id: I9af3727fba03f6b40cd6d77c7e259ef4c9b7f29d
Now newer system policy and older vendor policy can be built together by
setting following variables:
- BOARD_SEPOLICY_VERS
- BOARD_REQD_MASK_POLICY (copy of older system/sepolicy/reqd_mask)
- BOARD_PLAT_VENDOR_POLICY (copy of older system/sepolicy/vendor)
- BOARD_(SYSTEM_EXT|PRODUCT)_(PUBLIC|PRIVATE)_PREBUILT_DIRS (copy of
older system_ext and product policies)
Bug: 168159977
Test: try normal build and mixed build
Test: boot and check selinux denials
Change-Id: Ie239580433ffd293fa6891cd665fb5ef83c0a14f
ConnectivityService is going to become mainline and can not
access hidden APIs. Telephony and Settings were both accessing
the hidden API ConnectivityManager#getMobileProvisioningUrl.
Moving #getMobileProvisioningUrl method into telephony means
that there is one less access to a hidden API within the overall
framework since the Connectivity stack never needed this value.
Thus, move getMobileProvisioningUrl parsing to telephony surface
and provide the corresponding sepolicy permission for its access.
The exsting radio_data_file is an app data type and may allow
more permission than necessary. Thus create a new type and give
the necessary read access only.
Bug: 175177794
Test: verify that the radio process could read
/data/misc/radio/provisioning_urls.xml successfully
Change-Id: I191261a57667dc7936c22786d75da971f94710ef
This macro creates the necessary neverallow to assert the
hal_power_stats_{client,server} attribute has exclusive ownership of
the service.
Bug: 176180039
Test: build/TH
Change-Id: I710eadc4c4f4642937aa16a25fe559e1cd3c9224
This macro creates the necessary neverallow to assert the
hal_can_*_{client,server} attribute has exclusive ownership of
the service.
Bug: 176180039
Test: build/TH
Change-Id: I876b50e4184ef787117d5ca67c7fbd522d82687c
This macro creates the necessary neverallow to assert the
hal_audiocontrol_{client,server} attribute has exclusive ownership of
the service.
Bug: 176180039
Test: build/TH
Change-Id: I2046e31f5cf04b560b842a03eafbec597443f15f
Use of StrictMode in framework code running in the app process can
generate a denial:
avc: denied { find } for pid=4050 uid=1037 name=network_management
scontext=u:r:shared_relro:s0:c13,c260,c512,c768
tcontext=u:object_r:network_management_service:s0
tclass=service_manager permissive=0
But the code handles the failure properly so we suppress this.
Bug: 174750397
Test: Manual
Change-Id: I7b334db0dde4365ff19a7cf42a5139f35b5e6512
One of the advantages of the DMA-BUF heaps framework over
ION is that each heap is a separate char device and hence
it is possible to create separate sepolicy permissions to restrict
access to each heap.
In the case of ION, allocation in every heap had to be done through
/dev/ion which meant that there was no away to restrict allocations in
a specific heap.
This patch intends to restrict coredomain access to only approved
categories of vendor heaps. Currently, the only identified category
as per partner feedback is the system-secure heap which is defined
as a heap that allocates from protected memory.
Test: Build, video playback works on CF with ION disabled and
without sepolicy denials
Bug: 175697666
Change-Id: I923d2931c631d05d569e97f6e49145ef71324f3b
Revert "Add android.hardware.memtrack-unstable-ndk_platform"
Revert submission 1518702-memtrack-aidl
Reason for revert: Broken tests and boot time regressions
Reverted Changes:
Ic4dd70e2c:Add android.hardware.memtrack-unstable-ndk_platfor...
Iaf99d0ca4:Add stable aidl memtrack HAL to product packages
Iac54ae2ba:Add stable aidl memtrack hal to vndk list
If310210a3:libmemtrack: Add support for AIDL memtrack HAL
Ib6c634def:Memtrack HAL: Add stable AIDL implementation
I5e1d0e006:Memtrack HAL stable aidl sepolicy
Change-Id: I0c55ee100c7fd8d09a5b188a39b17c95c8a43c39
This service manager is registered by Keystore 2.0 to lookup legacy
wrapper services.
Keystore 2.0 is now written in rust. We have AIDL binding for rust but
no HIDL binding. Keystore 2.0 has to support legacy HIDL based
interfaces. So we implement the AIDL KeyMint interface in terms of the
legacy HIDL Keymaster <= V4.1 devices in C++. This wrapper is linked
into the Keystore 2.0 process but it cannot be called directly but must
be treated like a remote binder instead. However, we cannot register
these wrappers directly, because a) we are not a vendor component, and
b) it would conflict with genuine KeyMint devices on newer devices. So
Instead we register Keystore 2.0 itself as a legacy service provider.
Which it can query itself for the legacy wrappers if it does not find
a genuine KeyMint implementation to connect to.
Bug: 171351607
Test: Keystore 2.0 can register this Service and lookup legacy wrapper
services.
Change-Id: I935f23837721ce126531236f4920dba469a47be4
