to ensure the file size is greater than 0, as secilc cannot handle
zero-sized cil files.
Fixes: 185256986
Bug: 183362912
Test: Forrest re-run broken test
Change-Id: Ief3039d38728fbeff67c6e39d6b15bddb006e5f8

Add "ro.camerax.extensions.enabled" vendor-specific property.
Allow public apps to read this property.
Bug: 171572972
Test: Camera CTS
Change-Id: Id5fadedff6baaaebe5306100c2a054e537aa61ed

The su domain is always permissive. Operations which occur in this
domain should never be logged.
Addresses the following denials:
avc: denied { bpf } for comm="bpf_module_test" capability=39
scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=capability2 permissive=1
Bug: 185230825
Test: builds
Change-Id: Id8bd355a9636fb5e9d26ef570c2cf7e4273b08b5

untrusted apps were already granted this policy and we now extend it
to all apps. This allows FileManager apps with the
MANAGE_EXTERNAL_STORAGE permission to access USB OTG volumes mounted
on /mnt/media_rw/<vol>.
This permission access in the framework is implemented by granting
those apps the external_storage gid. And at the same time USB volumes
will be mounted on /mnt/media_rw/<vol> with the external_storage gid.
There is no concern of interfering with FUSE on USB volumes because
they are not FUSE mounted.
For sdcards (non-USB) volumes mounted on /mnt/media_rw/<vol>, those
volumes are mounted with the media_rw gid, so even though they are
FUSE mounted on /storage/<vol>, arbitrary apps cannot access the
/mnt/media_rw path since only the FUSE daemon is granted the media_rw
gid.
Test: Manual
Bug: 182732333
Change-Id: I70a3eb1f60f32d051f44253b0db2c7b852d79ba1

Use the new se_compat_cil module type to install compatibility cil
files.
Bug: 183362912
Test: Presubmit; Noop in terms of build artifact.
Change-Id: I5275e9ce524185ce2d228133763456df43834093

Installs backwards compatibility cil files.
Bug: 183362912
Test: Presubmit
Test: Add a $(ver).compat.cil under SYSTEM_EXT_PRIVATE_SEPOLICY_DIR and
verify the file is installed under /system_ext/etc/selinux/mapping/
Change-Id: I5e2c6b8dfa8df431edfe96f29daae463b130367f

These are the system_ext counterpart of $(ver).compat.cil. They would
contain device specific compat rules that complement $(ver).compat.cil,
which are the platform specific compat rules.
Bug: 183362912
Test: Add a $(ver).compat.cil under SYSTEM_EXT_PRIVATE_SEPOLICY_DIR and
verify the file is installed under /system_ext/etc/selinux/mapping/
Change-Id: I2fb9b10bb3bcf112e33f504964fb705e3b63782b

This service will intercept all UwbManager API calls and then perform
necessary permission checks before forwarding the call to the vendor
UWB service. Adding sepolicy permissions for exposing the service that
handles all public APIs.
Bug: 183904955
Test: atest android.uwb.cts.UwbManagerTest
Change-Id: Icce4d2f586926421c06e8902a91533002c380b8d

This reverts commit cdf7b0f374.
Reason for revert: libmemtrack now uses a memtrackproxy_service, which allows app access
Change-Id: Id3858a0b813b822fc17f77e14d46525942048066

To parse etm data for kernel and kernel modules, add below permissions
to profcollectd:
1. Get kernel start address and module addresses from /proc/kallsyms
and /proc/modules.
2. Get kernel build id from /sys/kernel/notes.
3. Read kernel module files in vendor dir.
Bug: 166559473
Test: run profcollectd.
Change-Id: I2e0b346379271fadc20e720722f7c9a687335ee2

When a bug causes us to leak a file descriptor or resource in the OTA
path, it can cause unremovable device-mapper devices. The companion CL
in this topic attempts to diagnose such problems by performing a quick
scan for things depending on an unremovable block device: mounts, loop
devices, and other device-mapper nodes.
To detect mounts it would normally be enough to scan /proc/mounts, but
with MNT_DETACH the filesystem may still be mounted but not visible to
update_engine. This is exactly what happened in b/184715543.
To scan for such cases, we look for /sys/fs/ext4/<name> or
/sys/fs/f2fs/<name> where <name> is the block device. To make this work,
we grant update_engine r_dir_perms to sysfs and sysfs_f2fs_dir. It
doesn't actually need to read the contents of any files, the presence of
the inode is good enough.
Bug: N/A
Test: manual test
Change-Id: Ib085c9c814180b360e2170135011261bbb7e35b6

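An added example, not update_engine's own code, of the scan this commit describes: it checks /proc/mounts, looks for the /sys/fs/ext4/<name> and /sys/fs/f2fs/<name> directories that a lazily unmounted filesystem leaves behind, and also inspects loop devices' backing files and /sys/block/<dev>/holders, all against a constructed sysfs fixture. The names find_blockers, demo, dm-3/dm-4/loop0 and /postinstall are assumptions made for the example.

```python
import os
import tempfile

# Hypothetical helper, not update_engine's own code: report what still pins
# a block device such as a device-mapper node ("dm-3"). sysfs and /proc/mounts
# are parameters so the same logic runs against the constructed fixture below.
def find_blockers(dev, sysfs="/sys", proc_mounts="/proc/mounts"):
    found = {}
    # 1. Mounts still visible: match the source column of /proc/mounts.
    with open(proc_mounts) as f:
        rows = [line.split() for line in f]
    mountpoints = [cols[1] for cols in rows if len(cols) > 1 and cols[0].endswith("/" + dev)]
    if mountpoints:
        found["mounts"] = mountpoints
    # 2. A lazily unmounted (MNT_DETACH) filesystem drops out of /proc/mounts
    #    but keeps /sys/fs/<fstype>/<dev> until it is really gone; the
    #    directory's presence is the signal, no file content is read.
    for fstype in ("ext4", "f2fs"):
        if os.path.isdir(os.path.join(sysfs, "fs", fstype, dev)):
            found.setdefault("detached_mounts", []).append(fstype)
    # 3. Loop devices whose backing file lives on one of those mounts.
    block = os.path.join(sysfs, "block")
    for entry in (sorted(os.listdir(block)) if os.path.isdir(block) else []):
        backing = os.path.join(block, entry, "loop", "backing_file")
        if entry.startswith("loop") and os.path.isfile(backing):
            with open(backing) as f:
                path = f.read().strip()
            if any(path.startswith(m.rstrip("/") + "/") for m in mountpoints):
                found.setdefault("loop_devices", []).append(entry)
    # 4. Other block devices stacked on top of it, e.g. another dm node.
    holders = os.path.join(block, dev, "holders")
    if os.path.isdir(holders) and os.listdir(holders):
        found["holders"] = sorted(os.listdir(holders))
    return found

# Constructed fixture (not a real device): dm-3 was lazily unmounted and has
# dm-4 stacked on it; dm-2 is still mounted and backs loop0's image file.
def demo():
    root = tempfile.mkdtemp()
    sysfs = os.path.join(root, "sys")
    os.makedirs(os.path.join(sysfs, "fs", "ext4", "dm-3"))
    os.makedirs(os.path.join(sysfs, "block", "dm-3", "holders", "dm-4"))
    os.makedirs(os.path.join(sysfs, "block", "loop0", "loop"))
    with open(os.path.join(sysfs, "block", "loop0", "loop", "backing_file"), "w") as f:
        f.write("/postinstall/payload.img\n")
    mounts = os.path.join(root, "mounts")
    with open(mounts, "w") as f:
        f.write("/dev/block/dm-2 /postinstall ext4 ro 0 0\n")
    return find_blockers("dm-3", sysfs, mounts), find_blockers("dm-2", sysfs, mounts)
```

Run against a real device the defaults point at the live /sys and /proc/mounts, which is where a dm node that refuses to go away would show up as a detached mount or a holder.
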
Vold needs to be able to search for keystore2 and keystore2 maintenance
services, and call methods provided by those services.
Bug: 181910578
Change-Id: I6e336c3bfaabe158b850dc175b6c9a942dd717be

Allow mm_events to periodically arm the mm_events
perfetto trace config if mm_events is enabled.
Bug: 183037386
Test: boot; setprop persist.mm_events.enabled true; No avc denials
Change-Id: Ia9760001e7fb591f18e3e816a63281167a658c74

ro.board.api_level shows the current vendor api level under GRF.
It can be manually defined by setting BOARD_API_LEVEL. Unless
BOARD_API_LEVEL is defined, the ro.board.api_level property will be
defined automatically based on BOARD_SHIPPING_API_LEVEL and
PLATFORM_SDK_VERSION.
Bug: 176950752
Test: getprop ro.board.api_level
Change-Id: I03eeec8d8206abdd0565423d1b6a507d86d9b168

Individual apexes may contribute jars to BOOTCLASSPATH and friends.
Configuration for these contributions are in /apex/foo/etc/ files that
derive_classpath service reads and processes.
Bug: 180105615
Test: presubmit && DeviceBootTest
Change-Id: I61379e55f2ad55e1c65956b854e5a9b8872c61df