Allow system_app to call update engine and update engine
to call callback registered by system app.
Test: m Settings && adb install -r
$ANDROID_PRODUCT_OUT/system_ext/priv-app/Settings/Settings.apk,
Update using 16k dev option.
Bug: 295573133
Change-Id: Ice7e75f86283637ad67a675682ecd0d27038d9e7
Add initial sepolicy for suspend.debug.wakestats_log.enabled
Allow set from init
Allow read by system suspend
Bug: 301657457
Test: manual
Change-Id: I1123e169d69eadb909ed474c0c246a8a45eab2f0
Signed-off-by: Radu Solea <radusolea@google.com>
This commit includes two sepolicy changes:
1. change threadnetwork data file to
/data/misc/apexdata/com.android.tethering/threadnetwork
2. use apex_tethering_data_file for files under
/data/misc/apexdata/com.android.tethering
The background is that the Thread daemon (ot_daemon) is merged into the
Tethering mainline module, which means the the Tehtering module now has
code running in both system_server and the standalone unprivileged
ot_daemon process. To prevent ot_daemon from accessing other
apex_system_server_data_file dirs, here use the specific
apex_tethering_data_file for both Tethering and Thread files (A
subdirectory threadnetwork/ will be created for Thread at runtime). This
is similar to apex_art_data_file and apex_virt_data_file.
Note that a file_contexts rule like
```
/data/misc/apexdata/com\.android\.tethering/threadnetwork(/.*)? u:object_r:apex_threadnetwork_data_file:s0
```
won't work because the threadnetwork/ subdir doesn't exist before the
sepolicy rules are evaluated.
Bug: 309932508
Test: manually verified that Thread settings file can be written to
/data/misc/apexdata/com.android.tethering/threadnetwork
Change-Id: I66539865ef388115c8e9b388b43291d8faf1f384
As virtualizationmanager holds references to IBoundDevice returned by
vfio_handler, virtualizationmanager should also have permission to
binder_call.
Bug: 278008519
Test: boot microdroid with assigned devices
Change-Id: I7b87de099b0731c386666cec215807dc39d8c89c
Post OTA reboot, snapshot-merge threads will be run in the background cgroup so that they don't run on big cores. Hence, use SetTaskProfiles() API to move the thread to the relavant cgroup.
When setting SetTaskProfile API, /dev/cpuset/background/tasks path
is accessed which requires process to be in system group.
Use setgid to move the task to system group.
Bug: 311233916
Test: OTA on Pixel 6 - Verify that merge threads are not run on big
cores
Change-Id: Ie4921910985292b0b05f4ffc70b0d08ad9e4a662
Signed-off-by: Akilesh Kailash <akailash@google.com>
codecs.
This is required to allow Surface originating from
virtual_camera to be used by mediaserver & writen
to by codecs(for example to decode video into the
surface usign MediaPlayer).
Bug: 301023410
Test: Virtual Camera Test app
Change-Id: I2cac88accd4e1777f6c441c012cd0d36579a55e5
Use our standard macro for granting all the necessary permissions
instead of copying a part of it.
Add ioctl access for all clients for Unix stream sockets & pipes; this
allows them to be used for stdin/stdout without triggering
denials. (Only unpriv_sock_ioctls can be used.)
Together this allows a root shell to use `vm run` without getting
spurious denials such as:
avc: denied { ioctl } for comm="crosvm" path="socket:[835168]"
dev="sockfs" ino=835168 ioctlcmd=0x5401 scontext=u:r:crosvm:s0
tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=0
Bug: 316048644
Test: adb root, adb shell /apex/com.android.virt/bin/vm run-microdroid
Test: atest MicrodroidTests
Change-Id: Ib5186c70714e295a770896cf8b628384f410b94d
Allow r_file_perms rather than just open+read, mainly because I saw
this denial:
avc: denied { getattr } for comm="binder:11247_2"
path="/sys/firmware/devicetree/base/avf/guest/common/log"
dev="sysfs" ino=16469 scontext=u:r:virtualizationmanager:s0
tcontext=u:object_r:sysfs_dt_avf:s0 tclass=file permissive=0
Also refactor slightly in microdroid_manager.te.
Test: TH
Change-Id: If2963441b3490a502c293c7a7cdd204d9db7d48a
This prop is read in its .rc file to stop the service. Otherwise,
evertyime the service exits, it is restarted.
We don't want it to be `oneshot` because under normal operation, it
should be restarted if it exits/crashes.
Test: remove kTempHidlSupport && m && launch_cvd
Bug: 218588089
Change-Id: I9a4c61778c244a08ff753689604e79168058dd4c
Being a system_api_service prevents non-privileged apps from getting a reference to WearableSensingManager via Context#getSystemService (it returns null). CTS tests are run as non-privileged apps, so we need this change to properly test the API.
The API methods are protected by a signature|privileged permission. CTS tests can gain this permission by adopting the Shell's permission identity, but it can't get around the SELinux policy.
wearable_sensing_service is mostly modelled after ambient_context_service, which is an app_api_service, so we believe this change is fine from a security's perspective.
Test: A CTS test can get a WearableSensingManager via Context#getSystemService after this change.
Change-Id: I9d854353f48ff7b3fa5a07527bee0bcc83cb6236
/tmp is a volatile temporary storage location for the shell user.
As with /data/local/tmp, it is owned by shell:shell and is chmod 771.
Bug: 311263616
Change-Id: Ice0229d937989b097971d9db434d5589ac2da99a
It ferries SecretManagement messages to/from Sk. Reflect this is
sepolicies.
Test: With topic, check selinux denials
Bug: 291213394
Change-Id: Ia0d25e46232d56c59fb18f8642767bfa2d5ffab1
This reverts commit 5e1d7f1c85.
Reason for revert: retry with a fix to the failed tests
Test: atest art_standalone_oatdump_tests
Change-Id: I28872c643ba4ec07ef41b1f9be86036c592a6e4e
It ferries SecretManagement messages to/from Sk. Reflect this is
sepolicies.
Test: With topic, check selinux denials
Bug: 291213394
Change-Id: I0acc06424eb834d66a85f9d4f6b8b632d95c4190
"adb remount" runs the remount command, which needs to be able to update
bits in the super partition metadata. This change only affects
userdebug_or_eng policy.
Bug: 297923468
Test: adb-remount-test.sh
Change-Id: Ia78d4b0ea942a139c8a4070dc63a0eed218e3e18
It is effectively an oversight that bluetooth has this
but network stack does not.
This prevents the network stack process from (for example)
using timerfd_create with CLOCK_{REAL,BOOT}TIME_ALARM,
without trampolining through parts of the mainline module
which are shipped as part of the system server.
See:
https://man7.org/linux/man-pages/man2/timerfd_create.2.html
Bug: 316171727
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Iba95c80f830784a587fa4df6867a99bcb96ace79
