System server needs to do this to know whether a suitable VM for
CompOS can be created. System server does not need the ability to
actually start a VM, so we don't grant that.
Bug: 218276733
Test: Presubmits
Change-Id: Ibb198ad55819aa924f1bfde68ce5b22c89dca088
Microdroid_manager uses the ioctl to flush data to the block device.
Bug: 208639280
Test: atest MicrodroidTestApp
Change-Id: Icd708702618850e1f003b16bdc8a1698c45f6442
sepolicy_generate_compat is a binary that creates a new compat file when
freezing sepolicy API.
Suppose that we are adding {ver} compat file, after freezing {ver}
sepolicy. Then the workflow would be:
1) copy prebuilts to system/sepolicy/prebuilts/api/{ver}
2) add {ver} to PLATFORM_SEPOLICY_COMPAT_VERSIONS under
build/make/core/config.mk
3) touch the following three files
- system/sepolicy/private/compat/{ver}/{ver}.cil
- system/sepolicy/private/compat/{ver}/{ver}.compat.cil
- system/sepolicy/private/compat/{ver}/{ver}.ignore.cil
- system/sepolicy/prebuilts/api/{ver}/vendor_sepolicy.cil
- system/sepolicy/prebuilts/api/{ver}/plat_pub_versioned.cil
* This step is to build base compat files, and won't be needed in the
future.
4) add compat module files (won't be needed in the future)
- {ver}.cil
- {ver}.compat.cil
- {ver}.ignore.cil
* This step is to build base compat files, and won't be needed in the
future.
5) run the following command to update above three files:
$ source build/envsetup.sh && lunch aosp_arm64-userdebug
$ m sepolicy_generate_compat
$ sepolicy_generate_compat --branch=(branch_for_ver) \
--build latest --target-version {ver} \
--latest-version {ver-1}
6) upload build/make and system/sepolicy changes.
This script still lacks:
- handling of plat_pub_versioned.cil
- test cases
We will tackle such problems with follow-up changes.
Bug: 214336258
Test: manual
Change-Id: I21723a0832e5adadae7c22797c5aba867dc0174e
Clients of virtualization service use these properties to
determine whether normal and protected VMs are supported and tailor
their VM requests accordingly.
Bug: 217687661
Test: adb unroot; adb shell getprop | grep ro.boot.hypervisor
Change-Id: Ia1c017c2346217dbc45973cbfb5adbecabedf050
Keystore now hosts a native binder for the remotely provisioned key
pool, which is used to services such as credstore to lookup remotely
provisioned keys.
Add a new service context and include it in the keystore services.
Add a dependency on this new service for credstore. Also include a
credstore dependency on IRemotelyProvisionedComponent, as it's needed
to make use of the key pool.
Bug: 194696876
Test: CtsIdentityTestCases
Change-Id: I0fa71c5be79922a279eb1056305bbd3e8078116e
Bug: 217452259
Test: Manual, set property in system.prop, build, flash, make sure value
is reflected in getprop | grep bluetooth.device
Change-Id: Id4bfebb4da5bcd64ea4bac8e3c9e9754c96256c6
Though libsepol supports it since selinux commit 644c5bbb,
test code couldn't handle whitespace in file name in policy
database.
Solved by splitting string once from left and then once
from right to avoid split of whitespace in file name.
Minimal reproducing example:
$ echo '(genfscon sysfs "/s/p a/ce" (USER ROLE TYPE ((SENS) (SENS))))' > s.cil
$ secilc -m -o s.db external/selinux/secilc/test/minimum.cil s.cil
$ searchpolicy --libpath out/host/linux-x86/lib64/libsepolwrap.so -sX --allow s.db
Traceback (most recent call last):
File "/tmp/Soong.python_ra9it1nk/searchpolicy.py", line 52, in <module>
pol = policy.Policy(args.policy, None, args.libpath)
File "/tmp/Soong.python_ra9it1nk/policy.py", line 460, in __init__
self.__InitGenfsCon()
File "/tmp/Soong.python_ra9it1nk/policy.py", line 419, in __InitGenfsCon
self.__GenfsDictAdd(self.__GenfsDict, buf.value.decode("ascii"))
File "/tmp/Soong.python_ra9it1nk/policy.py", line 399, in __GenfsDictAdd
fs, path, context = buf.split(" ")
ValueError: too many values to unpack (expected 3)
Test: manual, as described above
Test: cts SELinuxHostTest with spaces in a genfscon path
Change-Id: I7c74292513a63819ee7dc03ab4977ce9363589a4
VirtualizationService uses the properties to discover hypervisor
capabilities. Allow it access for this purpose.
Bug: 216639283
Test: build
Change-Id: I82f0c2ef30c8fb2eefcac1adf83531dd3917fdb8
