We run it in our domain since it requires fairly minimal access.
Bug: 210472252
Test: atest virtualizationservice_device_test
Test: composd_cmd test-compile
Change-Id: Ia770cd38bda67f79f56549331d3a36d7979a5d5b
We run it in the compos domain, since it doesn't require very much
additional access.
Bug: 189164487
Test: composd_cmd test-compile
Change-Id: I9ef26dd60225505086e45185289e3e03d0a8de8e
If the directory is non-empty when we start we need to delete
everything in it, but didn't have enough access:
avc: denied { getattr } for
path="/data/misc/apexdata/com.android.art/staging/boot-framework.art"
dev="dm-37" ino=57755 scontext=u:r:composd:s0
tcontext=u:object_r:apex_art_staging_data_file:s0 tclass=file
permissive=0
Bug: 205750213
Test: create files in staging/, composd_cmd test-compile
Change-Id: I3a66db7f5fbff82abcf547cb1c2b24e9c53ab158
Because Go command line tooling assumes *_test.go files are tests and
not package sources.
Test: build
Change-Id: Ie332b89140b93c4ea448009cafa2556ef888497c
A new module type se_neverallow_test is added, to migrate
sepolicy_neverallow modules. se_neverallow_test is affected by
SELINUX_IGNORE_NEVERALLOWS.
Bug: 33691272
Test: m selinux_policy
Test: intentionally create neverallow violations and m selinux_policy
Change-Id: I1582353f99f064ff78f3c547a0c13f2b772d54df
Although it's not needed for Treblized devices, some targets are still
requiring it due to PRODUCT_SEPOLICY_SPLIT := false. To mitigate build
breakage, this change revives the sepolicy module.
Bug: 211936491
Test: build/soong/soong_ui.bash --make-mode dist \
TARGET_PRODUCT=bertha_x86_64 ndk_translation_all
Change-Id: Ie64c223db8900967cfb54897f5366ad5ef13d4d9
Because Android.bp is getting bigger and bigger.
Test: build and boot
Test: set OVERRIDE_TARGET_FLATTEN_APEX=true and build
Change-Id: I397ce084bfbc98449d177dd553ff73fdfbdddcaf
For now, contexts modules have been using se_filegroup modules, which
makes the build system logic unnecessarily complex. This change
refactors it to se_build_files modules and normal `android:"path"`
logic.
Test: build and boot
Change-Id: I52e557e2dc8300186869a97fddfd3a74183473f7
sepolicy is a module which outputs precompiled sepolicy and performs
permissive domain check on user builds. se_policy_binary module is
updated so it checks permissive domain in user builds.
sepolicy module is removed since we don't need it anymore. Instead,
precompiled_sepolicy is used.
Bug: 33691272
Test: build
Test: add "permissive adbd;" and build on aosp_arm64-user
Change-Id: I3dcf0c32d2fc1312dfceeee74894c08b38395d19
Because we should ignore neverallow when SELINUX_IGNORE_NEVERALLOWS is
true.
Test: add a fake rule and build with/without SELINUX_IGNORE_NEVERALLOWS
Change-Id: I7811f5cef2243dae5b5de1154a36ab167871dc4f
Credit to Himanshu Agrawal <quic_hagraw@quicinc.com> for this fix.
Like we do with cgroup_v2, we set attribute permission to cgroup
as well.
This is the same fix as
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1927857/
but it applies it to the prebuilts for api 32.0.
Test: On a Go device, which uses cgroup instead of cgroup_v2
Bug: 211037424, 211514318
Change-Id: Ib57c94d72d50317619aa513e9f784582e0c45862
The following files are built with Android.bp:
- vendor_sepolicy.cil
- odm_sepolicy.cil
- prebuilt_sepolicy
Also, prebuilt_policy.mk is removed as it's now redundant.
Bug: 33691272
Test: build and compare artifacts
Test: build with rvc-dev sepolicy
Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
Credit to Himanshu Agrawal <quic_hagraw@quicinc.com> for this fix.
Like we do with cgroup_v2, we set attribute permission to cgroup
as well.
Test: On a Go device, which uses cgroup instead of cgroup_v2
Bug: 209933729
Change-Id: I5d58c9f549d205f1a8bdce6c5fba1cc833f2b492
IR interface is converted to AIDL and this contains the necessary
permissions for the default service to serve the interface.
Test: atest VtsHalIrTargetTest hal_implementation_test
Test: check for permission issues after tests
Bug: 205000342
Change-Id: I8d9d81d957bf6ef3c6d815ce089549f8f5337555
