Commit graph

10462 commits

Author SHA1 Message Date
Dennis Shen
62f4363b39 selinux: allow system server access aconfigd socket
During storage migration, we need to route aconfig flag write requests
from settingsprovider to aconfig storage daemon via aconfigd unix domain
socket.

Bug: b/312444587
Test: m and avd
Change-Id: I051d1ed42bf51f2ebd90cbd590237cd9213f0bde
2024-05-02 18:20:25 +00:00
Martin Liu
13f4811f5e Allow vendor init to access compaction_proactiveness
Bug: 330670954
Test: boot
Change-Id: Id274910e84d36cb662cea45d3b701c5fecada327
Merged-In: Id274910e84d36cb662cea45d3b701c5fecada327
Signed-off-by: Martin Liu <liumartin@google.com>
2024-04-23 11:18:28 +00:00
Treehugger Robot
7ea1dd6dd1 Merge "c2: add default1 and default2" into main 2024-04-20 00:07:33 +00:00
Steven Moreland
f877f5dbec c2: add default1 and default2
This is causing some targets to fail.

Bug: 335897540
Test: N/A
Change-Id: Ia077fc6bee952ff06ed13a555b96a00d6b5216e4
2024-04-19 22:02:34 +00:00
Song Chun Fan
38f029ee7b Merge "Remove the usage of the pm.archiving.enabled system property" into main 2024-04-19 16:55:52 +00:00
Song Chun Fan
015429cc84 Remove the usage of the pm.archiving.enabled system property
This property is no long used.

BUG: 331165939
FIXES: 331165939
Change-Id: Ifaa8c14e8452a5ebf32c3fe39d7953fe7c16d543
2024-04-18 20:15:49 +00:00
Treehugger Robot
4b94b1f5d0 Merge "Fix selinux denial when running adb shell cmd virtual_camera commands" into main 2024-04-16 12:18:35 +00:00
Inseob Kim
edf58243dd Add debugfs permission to 29.0 and 30.0 compat cil
Since Android S, we started to enforce the debugfs restrictions. However,
GSI had it turned off (PRODUCT_SET_DEBUGFS_RESTRICTIONS := false) in order
to support pre-S vendor images.

This has an undesirable side effect that the restriction is turned off even
for S+ vendors.

This CL fixes it by

1) re-enabling the restriction for GSI and

2) manually adding the debugfs permissions only to the compat cil for the
pre-S (29 and 30) vendors, effectively turning the restriction off for
them.

Bug: 330671086
Test: build
Test: run neverallow CTS
Change-Id: I5cd554b1b9f729a540e6b0f2aa0662091b691f0c
2024-04-16 01:24:41 +00:00
Jan Sebechlebsky
7f271ce061 Fix selinux denial when running adb shell cmd virtual_camera commands
Bug: 333889277
Test: forrest
Change-Id: I195125b907f56e9a50d13e3ca4c28a1cfcc257b1
2024-04-15 08:30:53 +00:00
Shrinidhi Hegde
1f24c3788d Merge "Adding a new property" into main 2024-04-12 14:30:23 +00:00
Shrinidhi Hegde
24aba1e127 Adding a new property
Adding a property to store time at which reboot was triggered from
native watchdog.

Test: manual
Bug: 291137901
Change-Id: Ied48c3690d0481fd8b08c9789cbfcb205759876c
2024-04-11 15:27:52 +00:00
Treehugger Robot
949b5d7e4e Merge "Revert^2 "Add pm.archiving.enabled system property"" into main 2024-04-11 03:34:52 +00:00
Inseob Kim
e972e936da Revert^2 "Add pm.archiving.enabled system property"
This reverts commit 840041d5d2.

Reason for revert: 202404 prebuilts must not be changed since freeze.

Change-Id: I320fde8de611ad4ae1546f4ce754871a0646dcc4
2024-04-11 00:56:13 +00:00
Treehugger Robot
808a734c09 Merge "Revert "Add pm.archiving.enabled system property"" into main 2024-04-11 00:12:11 +00:00
Treehugger Robot
64a23c81f3 Merge "add compaction_proactiveness type" into main 2024-04-10 23:24:33 +00:00
Ted Bauer
ba5998d7a2 Merge "Let system server set permissions on marker file" into main 2024-04-10 21:16:43 +00:00
Song Chun Fan
840041d5d2 Revert "Add pm.archiving.enabled system property"
This reverts commit 32ab868eac.

Reason for revert: no longer needed

Change-Id: I2ce46773503d39f843038fca3bb8527eb5bb53eb
BUG: 331165939
2024-04-10 17:39:43 +00:00
Ted Bauer
86405531d5 Let system server set permissions on marker file
System server needs to create a file in /metadata/aconfig, and set its
permissions.

Bug: 328444881
Test: m
Change-Id: I30aa576e46d8963e78ff21ad328160a99bd5d523
2024-04-10 15:26:01 +00:00
Martin Liu
f7396914b0 add compaction_proactiveness type
Bug: 332916849
Test: boot
Change-Id: I41c0da22ed5ad738c75fb00e2ac8a22c35dff2d3
Signed-off-by: Martin Liu <liumartin@google.com>
2024-04-10 13:48:15 +00:00
Vikram Gaur
d51e54db82 Merge "Add remote_provisioning.connect_timeout_millis as sysprop" into main 2024-04-09 23:55:00 +00:00
Vikram Gaur
3999879dde Add remote_provisioning.connect_timeout_millis as sysprop
Allow some services to control connection_timeout for testing purposes.

Test: atest RkpdAppUnitTests
Change-Id: Id70ed60c4f67e8f7910870a0b28a2b409fe97f62
2024-04-09 22:20:48 +00:00
Treehugger Robot
5752116370 Merge "Introduce vmlauncher_app domain" into main 2024-04-09 14:04:38 +00:00
Jeongik Cha
77a3ca6b4c Introduce vmlauncher_app domain
Bug: 333485208
Test: check display
Change-Id: I64c09f09615e89cf24398c01b8f87b0136be0a7f
2024-04-09 22:01:06 +09:00
Treehugger Robot
015384b110 Merge "Fix docs in seapp_contexts to point to right file" into main 2024-04-09 07:53:17 +00:00
Nikolay Elenkov
c9d42b5533 Merge "Allow system_server to call ISecretKeeper.deleteAll()" into main 2024-04-09 01:59:35 +00:00
Ellen Arteca
3315a90858 Fix docs in seapp_contexts to point to right file
Fixes a typo in the docs of seapp_contexts: previously they
referenced the wrong file for the order in which input selectors
are compared.

Change-Id: I5e7ca126cdc8b557d5e590eb863bdf4300ec1a18
2024-04-09 01:32:41 +00:00
Treehugger Robot
bc71c77f94 Merge "Remove sepolicy for viewcompiler" into main 2024-04-06 00:14:25 +00:00
Suren Baghdasaryan
dcd387eedb Merge "lmkd: Add ro.lmkd.swap_compression_ratio property policies" into main 2024-04-05 04:38:11 +00:00
Jeongik Cha
bc287fb76a Merge "Sepolicy for crosvm to show display" into main 2024-04-05 03:31:18 +00:00
Suren Baghdasaryan
5a528b4e93 lmkd: Add ro.lmkd.swap_compression_ratio property policies
Add policies to control ro.lmkd.swap_compression_ratio lmkd property.

Test: m
Bug: 285854307
Bug: 327561101
Change-Id: I68eccd2a5a0198248c2c9703f0d1b3bf685aa543
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2024-04-04 23:27:17 +00:00
Jared Duke
abf12e1e9b Remove sepolicy for viewcompiler
This tool has been removed, so remove the associated sepolicy config.

Bug: 158121974
Test: m
Change-Id: I7fe3a731fe5680d192bae640b6fc3ccdacbc60d3
2024-04-04 23:23:10 +00:00
Steven Terrell
996a899051 Merge "Changes to allow trace redactor to run" into main 2024-04-04 15:08:37 +00:00
Jeongik Cha
f09f43c4fd Sepolicy for crosvm to show display
They are under RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES

Bug: 331708504
Test: check if the display shows
Change-Id: I06859493c995e384e1f30554a6a12b9cd3636f30
2024-04-04 16:52:33 +09:00
Steven Terrell
c5401edfb4 Changes to allow trace redactor to run
Updates to allow profiling module to run new trace_redactor binary.
Allow the trace_redactor binary to read the input trace file and write
the output file.

Bug: 327423523
Test: build/flash and
      atest CtsProfilingModuleTests#testRequestSystemTraceSuccess
Change-Id: Id6684d8a9891e9ed42fe115066e41a89a7e8a097
2024-04-03 23:35:36 +00:00
Devin Moore
dfc018f886 Merge "Allow system_server to read binderfs state file" into main 2024-04-02 22:04:34 +00:00
Devin Moore
9645657201 Allow system_server to read binderfs state file
This is for more information on binder threads during ANRs.

Test: adb shell am hang
Bug: 316970771
Change-Id: I905c8b605540aabb7463cb0e1b3a9a8b07f8d5cb
2024-03-29 00:30:19 +00:00
Treehugger Robot
350ddbb9dc Merge "Make enable_16k_pages_prop readable by vendor" into main 2024-03-28 03:26:30 +00:00
Inseob Kim
5769fd90f2 Merge "Minimize public policy" into main 2024-03-28 01:14:45 +00:00
Inseob Kim
75806ef3c5 Minimize public policy
Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.

Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
           <(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
      to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
2024-03-28 00:33:46 +00:00
Kelvin Zhang
b9a6b9ac11 Make enable_16k_pages_prop readable by vendor
Vendor_init needs to read this property to process event triggers
depending on ro.product.build.16k_page.enabled .

Test: th
Bug: 319335586
Change-Id: I4f52073fbd2a138d84162710c925f65cc705c356
2024-03-27 14:23:16 -07:00
Kyle Zhang
71a8c6a244 Add drm_hal_server to system_server signal list
Bug: 327704353
Change-Id: I2ce7833508d85dea46902ccabb536005f7bf54fb
2024-03-27 18:39:08 +00:00
Jiakai Zhang
e98c6d2b38 Merge "Update SELinux policy for Pre-reboot Dexopt." into main 2024-03-27 13:16:27 +00:00
Jiakai Zhang
4acd07323e Update SELinux policy for Pre-reboot Dexopt.
- Add pm.dexopt.* properties.
- Add rules for running artd in chroot.

Bug: 311377497
Test: manual - Run Pre-reboot Dexopt and see no denial.
Change-Id: If5ff9b23e99be033f19ab257c90e0f52bf250ccf
2024-03-27 10:53:50 +00:00
Nikolay Elenkov
b68becbeb7 Allow system_server to call ISecretKeeper.deleteAll()
This allows RecoverySystem to destroy all secretkeeper secrets before
rebooting into recovery, thus ensuring that secrets are unrecoverable
even if data wipe in recovery is interrupted or skipped.

Bug: 324321147
Test: Manual - System -> Reset options -> Erase all data.
Test: Hold VolDown key to interrupt reboot and stop at bootloader
screen.
Test: fastboot oem bcd wipe command && fastboot oem bcd wipe recovery
Test: fastboot reboot
est: Device reboots into recovery and prompts to factory reset:
Test: 'Cannot load Android system. Your data may be corrupt. ...

Change-Id: Ia0c9e4ecf839590ecbb478836efcd00bbeea5f47
2024-03-27 05:57:22 +00:00
Nikolay Elenkov
b584704c28 Merge "Allow system_server to call IKeystoreMaintenance.deleteAllKeys()" into main 2024-03-27 05:55:38 +00:00
Treehugger Robot
0e5b64af14 Merge "lmkd: Add ro.lmkd.direct_reclaim_threshold_ms property policies" into main 2024-03-26 20:19:50 +00:00
Ted Bauer
a2b17ab856 Make system_aconfig_storage_file domain-readable
Read access to this file is needed by any process that reads flags.
For now, exclude access to vendors.

Bug: 328444881
Test: m
Change-Id: I1899d2a0c61a6286fc285a532244730ad1e4a0fc
2024-03-26 13:54:58 +00:00
Nikolay Elenkov
3941b68743 Allow system_server to call IKeystoreMaintenance.deleteAllKeys()
This allows RecoverySystem to destroy all synthetic blob protector keys
and make FBE-encrypted data unrecoverable even if data wipe in recovery
is interrupted or skipped.

Bug: 324321147
Test: Manual - System -> Reset options -> Erase all data.
Test: Hold VolDown key to interrupt reboot and stop at bootloader
screen.
Test: fastboot oem bcd wipe command && fastboot oem bcd wipe recovery
Test: fastboot reboot
Test: Device reboots into recovery and prompts to factory reset:
Test: 'Cannot load Android system. Your data may be corrupt. ...

Change-Id: I5be2f9e8314d36448994f4f14ff585ded7095c8c
2024-03-25 05:10:08 +00:00
Treehugger Robot
78dbd5ea7b Merge "allow aconfigd to mmap test storage files" into main 2024-03-22 00:43:54 +00:00
Dennis Shen
328f91120f allow aconfigd to mmap test storage files
Bug: b/312459182
Test: atest aconfigd_test
Change-Id: Ia4ee6606e3e8721e4ed22c63ac7046f9511be2b9
2024-03-21 18:59:53 +00:00