For now, the command for apkdmverity and zipfuse is hard-coded in the
init script file. To support passing extra APKs, microdroid_manager
needs to parse the vm config, and then manually run apkdmverity and
zipfuse with appropriate parameters.
Bug: 205224817
Test: atest MicrodroidHostTestCases ComposHostTestCases
Change-Id: I482b548b2a414f3b5136cea199d551cc88402caf
VTS for Netlink Interceptor needs access to netlink_route_socket, and
other services routing traffic to Netlink Interceptor may as well.
Bug: 201467304
Test: VtsHalNetlinkInterceptorV1_0Test
Change-Id: Ic52e54f1eec7175154d2e89e307740071b1ba168
Steps taken to produce the mapping files:
1. Add prebuilts/api/32.0/plat_pub_versioned.cil from the
/vendor/etc/selinux/plat_pub_versioned.cil file built on sc-v2-dev with
lunch target aosp_arm64-eng. Add prebuilts/api/32.0/vendor_sepolicy.cil
as an empty file.
When adding plat_pub_versioned.cil, leave only type and typeattribute
statements, removing the other statements: allow, neverallow, role, etc.
2. Add new file private/compat/32.0/32.0.cil by doing the following:
- copy /system/etc/selinux/mapping/32.0.cil from sc-v2-dev
aosp_arm64-eng device to private/compat/32.0/32.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 32 sepolicy.
Find all such types using treble_sepolicy_tests_32.0 test.
- for all these types figure out where to map them by looking at
31.0.[ignore.]cil files and add approprite entries to 32.0.[ignore.]cil.
This change also enables treble_sepolicy_tests_32.0 and installs
32.0.cil mapping file onto the device.
Bug: 206330997
Test: m treble_sepolicy_tests_32.0
Test: m 32.0_compat_test
Test: m selinux_policy
Change-Id: I8b2991e64e2f531ce12db7aaacad955e4e8ed687
On non-A/B devices, recovery needs to check if battery
is okay before applying the update. This requires
talking to the AIDL health HAL if the device uses
AIDL health HAL.
Test: manually calling GetBatteryInfo and check for denials
Bug: 170338625
Bug: 177269435
Change-Id: Ia89353cfff023376a4176c0582312bdcab00b5e6
logd.ready is a system property that logd sets when it is ready to
serve incoming socket requests for reading and writing logs. Clients of
logd (e.g. logcat) can use this to synchronize with logd, otherwise they
may experience a crash due to the refused socket connection to logd when
they are started before logd is ready.
Bug: 206826522
Test: run microdroid. see logcat logs are shown immediately
Change-Id: Iee13485b0f4c2beda9bc8434f514c4e32e119492
Currently BetterBug (privileged app) cannot access the details form
/data/misc/wmtrace.
Test: access a trace from /data/misc/wmtrace/ in betterbug
Change-Id: I4cf864ab4729e85f05df8f9e601a75ff8b92bdc8
Overlayfs product/overlay in init first stage is allowed in AndroidS.
product/overlay directory contains RRO apks, it is plausible to allow
dumpstate to access it since dumpstate will call df command.
Or there will be an avc denial:
01-01 07:09:37.234 13582 13582 W df : type=1400 audit(0.0:1717): avc: denied { getattr } for path="/product/overlay"
dev="overlay" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_overlay_file:s0 tclass=dir permissive=0
Actually, it is more reasonable to set /product/overlay to u:object_r:system_file:s0 since
there already had definiitions releated to /product/overlay
/mnt/scratch/overlay/(system|product)/upper u:object_r:system_file:s0
/(product|system/product)/vendor_overlay/[0-9]+/.* u:object_r:vendor_file:s0
Bug: https://b.corp.google.com/u/0/issues/186342252
Signed-off-by: sunliang <sunliang@oppo.com>
Change-Id: I493fab20b5530c6094bd80767a24f3250d7117a8
Needed because the packet socket setup has been moved from clatd
to netd.
Test: manual test
1. Connect to ipv6-only wifi.
2. Try IPv4 traffic.
$ ping 8.8.8.8
Change-Id: If6c3ba70cd7b3a44a31b8deab088303c22838da8
This seems like an oversight when system_server_startup was
introduced (commit caf42d615d).
Test: Presubmits
Change-Id: Ia371caa8dfc2c250d6ca6f571cf002e25703e793
- Add hal_dumpstate_service AIDL service to hal_dumpstate.te,
service.te
- Add default example hal_dumpstate service to file_contexts,
service_contexts
- Adde hal_dumpstate_service to API level 31 compatibility
ignore list (31.0.ignore.cil)
Bug: 205760700
Test: VtsHalDumpstateTargetTest, dumpstate, dumpstate_test, dumpsys
Change-Id: If49fa16ac5ab1d3a1930bb800d530cbd32c5dec1
Clean up fc_sort to facilitate the migration to Python3. Use PEP8 for
naming scheme.
Test: atest --host fc_sort_test
Bug: 200119288
Change-Id: Ia2c40a850a48ec75e995d5233b5abaae10917a89
Add badge for gsm.operator.iso-country and gsm.sim.operator.iso-country.
Test: Manual test
Bug: 205807505
Change-Id: If4f399cd97b2297094ef9431450f29e0a91e5300
This relaxes the neverallow so that it is possible to write a new
SELinux allow for system_server to read /dev/block/vd*. It still isn't
possible unless a vendor enables it.
Bug: 196965847
Test: m -j
local_test_runner arc.Boot.vm
Change-Id: Idad79284778cf02066ff0b982480082828f24e19
They are served by the same process but have different clients:
- the main interface is exposed to system server;
- the internal interface is called by odrefresh when spawned by composd.
Test: compos_cmd forced-compile-test
Bug: 199147668
Change-Id: Ie1561b7700cf633d7d5c8df68ff58797a8d8bced
New type added in sepolicy to restrict Vendor defined uuid mapping
config file access to SecureElement.
Bug: b/180639372
Test: Run OMAPI CTS and VTS tests
Change-Id: I81d715fa5d5a72c893c529eb542ce62747afcd03
Label defined for OMAPI Vendor Stable Interface
Bug: b/180639372
Test: Run OMAPI CTS and VTS tests
Change-Id: Ifa67a22c85ffb38cb377a6e347b0e1f18af1d0f8
This is to make the SafetyCenterManager usable in CTS tests.
Test: SafetyCenterManager CTS test in ag/16284943
Bug: 203098016
Change-Id: I28a42da32f1f7f93c45294c7e984e6d1fd2cdd8d
