Remove some allow rules for odsign, since it no longer directly
modifies CompOs files. Instead allow it to run compos_verify_key in
its own domain.
Grant compos_verify_key what it needs to access the CompOs files and
start up the VM.
Currently we directly connect to the CompOs VM; that will change once
some in-flight CLs have landed.
As part of this I moved the virtualizationservice_use macro to
te_macros so I can use it here. I also expanded it to include
additional grants needed by any VM client that were previously done
for individual domains (and then deleted those rules as now
redundant).
I also removed the grant of VM access to all apps; instead we allow it
for untrusted apps, on userdebug or eng builds only. (Temporarily at
least.)
Bug: 193603140
Test: Manual - odsign successfully runs the VM at boot when needed.
Change-Id: I62f9ad8c7ea2fb9ef2d468331e26822d08e3c828
It's a test tool which is generally run as root, and will be deleted
eventually. It doesn't need its own label; system_file works fine.
We never actually allowed it anything, nor defined a transition into
the domain.
Bug: 194474784
Test: Device boots, no denials
Test: compos_key_cmd run from root works
Change-Id: If118798086dae2faadeda658bc02b6eb6e6bf606
This is to unblock the apex setup.
There is only a system_file in the context, but we might need more
specific ones later.
Bug: 186126404
Test: m
Change-Id: Icf713c9bb92e7f7402c0b45bd0f1b06e9cb35d2b
Address any denials in the log - currently just adding
the virtualization service.
Bug: 183583115
Test: ps -AZ | grep virtmanager
u: r:virtmanager:s0 virtmanager 2453 1 10930880 4544 0 0 S virtmanager
Change-Id: Ie034dcc3b1dbee610c591220358065b8508d81cf
Revert submission 1602413-derive_classpath
Bug: 180105615
Fix: 183079517
Reason for revert: SELinux failure leading to *CLASSPATH variables not being set in all builds
Reverted Changes:
I6e3c64e7a:Introduce derive_classpath service.
I60c539a8f:Exec_start derive_classpath on post-fs-data.
I4150de69f:Introduce derive_classpath.
Change-Id: I17e2cd062d8fddc40250d00f02e40237ad62bd6a
The service generates /data/system/environ/classpath with values for
BOOTCLASSPATH, SYSTEMSERVERCLASSPATH, and DEX2OATCLASSPATH to be
exported by init.
See go/updatable-classpath for more details.
Bug: 180105615
Test: manual
Change-Id: I4150de69f7d39f685a202eb4f86c27b661f808dc
odrefresh is the process responsible for checking and creating ART
compilation artifacts that live in the ART APEX data
directory (/data/misc/apexdata/com.android.art).
There are two types of change here:
1) enabling odrefresh to run dex2oat and write updated boot class path
and system server AOT artifacts into the ART APEX data directory.
2) enabling the zygote and assorted diagnostic tools to use the
updated AOT artifacts.
odrefresh uses two file contexts: apex_art_data_file and
apex_art_staging_data_file. When odrefresh invokes dex2oat, the
generated files have the apex_art_staging_data_file label (which allows
writing). odrefresh then moves these files from the staging area to
their installation area and gives them the apex_art_data_file label.
Bug: 160683548
Test: adb root && adb shell /apex/com.android.art/bin/odrefresh
Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
com.android.virt is an APEX for virtual machine monitors like crosvm.
The APEX currently empty and isn't updatable.
Bug: 174633082
Test: m com.android.virt
Change-Id: I8acc8e147aadb1701dc65f6950b61701131f89d2
Add additional sepolicy so linkerconfig in Runtime APEX can be executed
from init.
Bug: 165769179
Test: Cuttlefish boot succeeded
Change-Id: Ic08157ce4c6a084db29f427cf9f5ad2cb12e50dd
The new geotz module has files that need to be readable by the system
process.
Bug: 172546738
Test: build / boot
Change-Id: I4b9867fa1f738b0fabdf5b72e9e73282f1bd9cbc
Earlier changes removed the scripts for ART APEX pre- and post-install
hooks (I39de908ebe52f06f19781dc024ede619802a3196) and the associated
boot integrity checks (I61b8f4b09a8f6695975ea1267e5f5c88f64a371f), but
did not cleanup the SELinux policy.
Bug: 7456955
Test: Successful build and boot
Test: adb install com.android.art.debug && adb reboot
Change-Id: I1580dbc1c083438bc251a09994c28107570c48c5
Adds proper file_contexts and domains for pre/postinstall hooks.
Allow the pre/postinstall hooks to communicate with update_engine stable
service.
Bug: 161563386
Test: apply a GKI update
Change-Id: I4437aab8e87ccbe55858150b95f67ec6e445ac1f
The change was reverted due to a cause unrelated to sepolicy change.
It was submitted in https://r.android.com/1283724.
Now, submit this independent of the topic.
Bug: 138994281
Test: device boots
Change-Id: I9943abb814a8043f66545e7db5225adbd62d19d2
Revert "Make com_android_i18n namespace visible"
Revert submission 1299494-i18nApex
Reason for revert: Breaking aosp_x86-eng on aosp-master
Reverted Changes:
I30fc3735b:Move ICU from ART APEX to i18n APEX
Icb7e98b5c:Calling @IntraCoreApi from core-icu4j should not c...
Ic7de63fe3:Move core-icu4j into I18n APEX
I65b97bdba:Make com_android_i18n namespace visible
Ia4c83bc15:Move v8 and libpac into i18n APEX
I10e6d4948:Move core-icu4j into i18n APEX
I8d989cad7:Move ICU from ART APEX into i18n APEX
I72216ca12:Move ICU into i18n APEX
Ief9dace85:Add shared library into i18n APEX and add the requ...
I7d97a10ba:Move libpac into i18n APEX
I90fff9c55:Move ICU from ART APEX into i18n APEX
Change-Id: I863878038af1290611b441f7f9190494cf0851b8
Add a filegroup for extservices so that it can be shared between the main
extservices apex and the one used for testing.
Bug: 138589409
Test: Manually
Change-Id: I2cca8a583b2aa72c8c29a32dd839fe599300b40f
It follows examples of other APEX to make file_contexts of cronet
module as "android:path" property
Bug: 146416755
Test: atest cronet_e2e_tests
Test: atest CronetApiTest
Change-Id: I0608eb4bb43cee50f49217f19fb53f297fbf5ead
Merged-In: I0608eb4bb43cee50f49217f19fb53f297fbf5ead
The module is getting renamed, so rename all the policy
relating to it at the same time.
Bug: 137191822
Test: presubmit
Change-Id: Ia9d966ca9884ce068bd96cf5734e4a459158c85b
Merged-In: Ia9d966ca9884ce068bd96cf5734e4a459158c85b
(cherry picked from commit 6505573c36)
Add a filegroup for telephony so that it can be shared between the main
telephony apex and the one used for testing.
Bug: 145232009
Test: atest telephony_e2e_tests
Change-Id: I5e20d7b7fc30d2c28de8f339c7b4722e1e438e17
