Add some services ephemeral service has access to.
We will steadily restrict this list further based on
testing and requirements for rubidium.
Test: Manual
Bug: b/227745962
Bug: b/227581095
Change-Id: If7bcb8b8de62d408bd4af848b43abca853c93758
These ioctls don't need to be allowed, as they'd only be needed to set
project quota IDs. But this is only done by other domains (installd,
vold, and mediaprovider_app). Probably it was originally planned for an
init script to run 'chattr -p ID', but this didn't end up happening.
This is a basically revert of commit 4de3228c46 ("Allow toolbox to set
project quota IDs.") (https://r.android.com/1224007).
Also remove an outdated comment at the top of the file.
Test: booted Cuttlefish, no denials seen.
Change-Id: If61179a35f419c6cbfcf1432a86b2c1375db71ed
se_build_files is a replacement for se_filegroup module. se_build_files
can be used with the normal Soong convention ":module_name{.tag}" by
implementing android.OutputFileProducer. It's better than implementing
ad-hoc logics across various modules, which is the case for se_filegroup
module.
Test: build and boot
Change-Id: Ic0e34549601eb043145e433055f5a030eaf4347e
The properties for rkp_only are no longer read only.
This allows remote provisioner unit tests to enable/disable the remote
provisioning only mode, which is required to fully verify functionality.
Test: RemoteProvisionerUnitTests
Bug: 227306369
Change-Id: I8006712a49c4d0605f6268068414b49714bbd939
It will be used by system_server only (i.e., not even Shell) to let
developers change the system user mode (to be headless or full).
Test: sesearch --allow -t system_user_mode_emulation_prop $ANDROID_PRODUCT_OUT/vendor/etc/selinux/precompiled_sepolicy
Bug: 226643927
Change-Id: Iaba42fd56dce0d8d794ef129634df78f9599260f
Some of our CTS tests require that crosvm to have read/write access to
files on /data/local/tmp/virt which is labeled as data_shell_file.
Since CTS tests should pass on user builds, grant the access in user
builds as well.
Note that the open access is still disallowed in user builds.
Bug: 222013014
Test: run cts
Change-Id: I4f93ac64d72cfe63275f04f2c5ea6fb99e9b5874
Since Android 12, vold goes through the keystore daemon instead of using
the keymaster HAL directly. Therefore, the SELinux rules that allow
vold to use the keymaster HAL directly are no longer needed.
Bug: 181910578
Change-Id: I8ecc47530cba82128c869ffd2fed9009dd7d5e05
... such as Cuttlefish (Cloud Android virtual device) which has a
DRM virtio-gpu based gralloc and (sometimes) DRM virtio-gpu based
rendering (when forwarding rendering commands to the host machine
with Mesa3D in the guest and virglrenderer on the host).
After this change is submitted, changes such as aosp/1997572 can
be submitted to removed sepolicy that is currently duplicated
across device/google/cuttlefish and device/linaro/dragonboard as
well.
Adds a sysfs_gpu type (existing replicated sysfs_gpu definitions
across several devices are removed in the attached topic). The
uses of `sysfs_gpu:file` comes from Mesa using libdrm's
`drmGetDevices2()` which calls into `drmParsePciDeviceInfo()` to
get vendor id, device id, version etc.
Bug: b/161819018
Test: launch_cvd
Test: launch_cvd --gpu_mode=gfxstream
Change-Id: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
Merged-In: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
LOOP_CONFIGURE is more efficient than LOOP_SET_FD/SET_STATUS64.
apkdmverity has used the latter because LOOP_CONFIGURE didn't work for
loop-mounting IDSIG file.
apkdmverity can use LOOP_CONFIGURE and enabling DIRECT_IO only when
necessary.
Bug: 191344832
Test: atest MicrodroidTestApp
Change-Id: I9503f17a689e2447acee1f6ef9c2aac53cf3c457
Now that FDE (Full Disk Encryption) is no longer supported, the SELinux
policy doesn't need to support it. Remove two rules that are no longer
needed. Also update some comments that implied that other rules were
needed only because of FDE support, when actually they are still needed
for other reasons. Finally, fix some outdated documentation links.
Bug: 208476087
Change-Id: I4e03dead91d34fcefdfcdc68d44dd97f433d6eaf
from the shell.
This fixes a regression from https://r.android.com/1921457, so that
dex2oat without a path can still be run from the adb shell. That CL
removed the symlink from /system/bin, which means the shell finds it in
/apex/com.android.art/bin instead, and hence it needs to be covered by
this sepolicy.
Test: adb unroot && adb shell dex2oat
Bug: 218986148
Bug: 124106384
Change-Id: Ic52b30e0974829b5e5cde5106e6c4eec9f61eec6
This is a key system process for certain performance investigations, so
allow perfetto profiling of its native heap and general callstack
sampling. This is already allowed on debuggable builds via domain.te.
In addition to the sepolicy, the profiler itself does checks on whether
to allow profiling. At the time of writing, profiling requests coming
from "shell" for surfaceflinger will be disallowed (as it is a native
process running as "system"). However profiling requests coming from the
platform via "statsd" will be allowed.
Bug: 217368496
Tested: profiled surfaceflinger on local internal/master sargo-user build
Change-Id: Ib092064ea911aed08d981adc823cd871fc271a96
Grant system_server and flags_health_check permission to set the
properties that correspond to vendor system native experiments.
Bug: 226456604
Test: Build
Change-Id: Ib2420cf6eaf1645e7f938db32c93d085dd8950a3
