Commit graph

29461 commits

Author SHA1 Message Date
Nikita Ioffe
8f6d68c504 Merge "Give adbd and shell read access to /apex/apex-info-list.xml" 2021-06-13 21:41:45 +00:00
Songchun Fan
f1a60ca2fe [sepolicy] allow installd to query apps installed on Incremental File System
Addresses denial messages like:
06-10 19:36:56.269  1214  1214 I Binder:1214_5: type=1400 audit(0.0:58): avc: denied { use } for path="/data/incremental/MT_data_app_vmdl199/backing_store/st_2_1/com.unity.megacity-HlbmeQJjThgePchBlByuoQ==" dev="dm-5" ino=10445 scontext=u:r:installd:s0 tcontext=u:r:vold:s0 tclass=fd permissive=1
06-10 19:36:56.516  1214  1214 I Binder:1214_6: type=1400 audit(0.0:59): avc: denied { use } for path="/data/incremental/MT_data_app_vmdl199/backing_store/st_2_1/com.unity.megacity-HlbmeQJjThgePchBlByuoQ==" dev="dm-5" ino=10445 scontext=u:r:installd:s0 tcontext=u:r:vold:s0 tclass=fd permissive=1

BUG: 190699430
Test: manual
Change-Id: Iee4bdb382b6af5bc8cd63fde2c0db5f0b9b4f02b
2021-06-10 13:16:28 -07:00
Nikita Ioffe
681ad260b4 Give adbd and shell read access to /apex/apex-info-list.xml
/apex/apex-info-list.xml is used by ART mainline module, hence it needs
to have CTS test for it. Giving adbd and shell read-only permission
allows us to write host-driven CTS test that pull
/apex/apex-info-list.xml from the device and inspects it's content.

Similar (albeit not exactly the same information) is already available
via PackageManager APIs/PackageManager shell command.

Bug: 190185664
Test: m
Test: adb shell cat /apex/apex-info-list.xml
Change-Id: Ib7f2ca79a7493f8cd40d0c419569e85135f6bbda
2021-06-10 19:57:17 +01:00
Treehugger Robot
03b80a12e4 Merge "Allow system_server to read /proc/vmstat" 2021-06-10 11:10:30 +00:00
Andrew Walbran
60f40c02a0 Merge "Allow init to clear VirtualizationService data directory." 2021-06-10 08:48:57 +00:00
Yi Kong
953aa5643f Allow system server to read profcollectd data files
This allows the system server to read the reports for uploading.

also cleaned up the out of order qemu_hw_prop entry.

Test: manual
Bug: 178561556
Bug: 183487233
Change-Id: I9e5aef9cbcf50fd085dd72900e3ab00a1b6c20a7
2021-06-09 13:01:50 +00:00
Treehugger Robot
c73a91f49d Merge "Add sys.usb.mtp.batchcancel to usb_config_prop" 2021-06-09 01:52:39 +00:00
Yifan Hong
a66a5df13d Merge "Allow binder services to r/w su:tcp_socket" 2021-06-08 22:13:23 +00:00
Yifan Hong
be04b091bb Allow binder services to r/w su:tcp_socket
Test: binderHostDeviceTest
Bug: 182914638
Change-Id: I1c8d3b2194bc20bd2bcde566190aa5c73d7e7db9
2021-06-08 10:39:02 -07:00
David Anderson
b0efbee6ed Merge "Fix fastbootd denials when using /proc/bootconfig." 2021-06-08 16:47:41 +00:00
Ioannis Ilkos
351326b578 Allow system_server to read /proc/vmstat
/proc/vmstat oom_kill counts the number of times __oom_kill_process
was actioned
(https://lore.kernel.org/lkml/149570810989.203600.9492483715840752937.stgit@buzz/)

We want to record this in the context of system_server for tracking
purposes.

Bug: 154233512
Change-Id: I27bcbcd5d839e59a1dca0e87e2f4ae107201654c
Test: build, verify vmstat can be read
2021-06-08 14:24:26 +00:00
Wei Wang
0e139d0a3a Merge "Rename surfaceflinger uclamp.min property" 2021-06-08 05:54:57 +00:00
Ray Chi
07bb5d076a Add sys.usb.mtp.batchcancel to usb_config_prop
Add sys.usb.mtp.batchcancel to usb_config_prop to allow
mediaprovider to read this property.

Bug: 181729410
Test: boot the device, and confirm the property could be read
Change-Id: I44b2d9c36bfa439cdbf8b8a874ead424381e3e50
2021-06-08 02:32:20 +00:00
Wei Wang
4d9438808e Rename surfaceflinger uclamp.min property
Bug: 190137562
Test: boot and check uclamp.min of SF
Signed-off-by: Wei Wang <wvw@google.com>
Change-Id: I058c72012a28cebe09f001688a35fb4c6839e6cc
2021-06-07 18:52:50 -07:00
David Anderson
08a08ab21f Fix fastbootd denials when using /proc/bootconfig.
Bug: 189493387
Test: fastboot flashall on device using bootconfig
Change-Id: Ibfb7c8a2861f61803a449a4b0ec9ed92ded5c4de
2021-06-07 18:40:24 -07:00
Inseob Kim
31db274078 Call SkipInstall before InstallFile
InstallFile skips install only if SkipInstall is called before
InstallFile.

Bug: 190442286
Test: build/soong/scripts/build-ndk-prebuilts.sh
Change-Id: Ic497e34816ea5ac23be45e34c242b59bf1a01e28
2021-06-08 10:31:09 +09:00
Inseob Kim
af2697a452 Merge "Remove microdroid specific rules and files" 2021-06-08 00:53:26 +00:00
Tej Singh
6550adcaed Merge "Make *-apex-info-list.xml readable by shell" 2021-06-08 00:47:33 +00:00
Tej Singh
75385efd27 Make *-apex-info-list.xml readable by shell
Enables CTS testing of the bootstrap apexes.

Bug: 186767843
Test: adb shell cat bootstrap-apex-info-list.xml works without root
Change-Id: Icf56d32d296f5a42160dbd9ea90a89c8b4db6aa7
2021-06-07 21:39:34 +00:00
Treehugger Robot
6a94b64583 Merge "Add a new SF property for setting uclamp.min" 2021-06-07 20:55:10 +00:00
Wei Wang
7dc88f080b Add a new SF property for setting uclamp.min
Bug: 190137562
Test: boot and check uclamp.min of SF
Signed-off-by: Wei Wang <wvw@google.com>
Change-Id: I2acca834f6257f5e718413b831b78c487520b0cd
2021-06-07 11:51:56 -07:00
Nikita Ioffe
5b4e13f73f Allow apexd to write to /apex/apex-info-list.xml
After non-staged install apexd needs to be update apex-info-list.xml.

Test: m
Bug: 187864524
Bug: 188713178
Change-Id: I78e182c70b5c34b8a763ed41ddd8130fa3e787a6
Merged-In: I78e182c70b5c34b8a763ed41ddd8130fa3e787a6
(cherry picked from commit 894657bea3)
2021-06-07 18:05:16 +01:00
Treehugger Robot
c9b4286e05 Merge "Revert "priv_app: use per-app selinux contexts"" 2021-06-07 15:09:32 +00:00
Jeff Vander Stoep
538e0d6d0e Revert "priv_app: use per-app selinux contexts"
There's some fragility in how selinux contexts are assigned
to apps with sharedUserId. As a result, some apps which share
a UID can end up in separate selinux domains. This causes bugs
when part of the app has the levelFrom=all categories set, and
other parts only have levelFrom=user resulting in an mls category
mismatch. Until this is fixed, revert back to using levelFrom=user
for priv_app.

This reverts commit 4e7769e040.
Bug: 188141923
Test: com.google.android.gts.devicepolicy.DeviceOwnerTest#testPendingSystemUpdate

Change-Id: Ic4256f9056f2c218ca94628d0707eb893f83fa5a
2021-06-07 14:28:34 +02:00
Inseob Kim
5d269aaa55 Remove microdroid specific rules and files
These are moved to packages/modules/Virtualization.

Bug: 189165759
Test: boot device and microdroid
Test: atest MicrodroidHostTestCases
Change-Id: I050add7fef56ced4787117f338e7b5d1fda1c193
2021-06-07 19:22:18 +09:00
Calin Juravle
cf6a7e9821 Allow system_server_startup to read ART config
Denial:

06-03 14:18:31.491   691   691 I auditd  : type=1400 audit(0.0:88): avc:
denied { read } for comm="system_server"
name="u:object_r:device_config_runtime_native_prop:s0" dev="tmpfs"
ino=140 scontext=u:r:system_server_startup:s0
tcontext=u:object_r:device_config_runtime_native_prop:s0 tclass=file
permissive=0

Test: DeviceBootTest.DeviceBootTest#SELinuxUncheckedDenialBootTest
Bug: 181748174
Change-Id: I5e7624e2410e6c533e7ef238a0c3cc38ff6e368a
2021-06-03 08:17:21 -07:00
Calin Juravle
c4efcbdc06 Merge "Enable ART properties modularization" 2021-06-02 14:39:36 +00:00
Treehugger Robot
7188696c6d Merge "Allow adb to pull jar files from /vendor/framework/." 2021-06-02 14:23:50 +00:00
Andrew Walbran
eb21b41c90 Allow init to clear VirtualizationService data directory.
Bug: 184131523
Bug: 189725484
Test: mm
Change-Id: Ie4f38266e32c64b52f55da2c6d3fc9e4c1a4c572
2021-06-02 14:05:28 +00:00
satayev
e3571ab94d Allow adb to pull jar files from /vendor/framework/.
Bug: 187823488
Bug: 189417875
Test: atest GtsEdiHostTestCases in sc-dev
Change-Id: I8e1fa1682fb042d995585b4841cff97f32c4a09f
2021-06-02 14:18:56 +01:00
Treehugger Robot
bab54f92e3 Merge "Add permissions for microdroid vold and keymint" 2021-06-02 13:13:21 +00:00
Treehugger Robot
17a5e930cb Merge "uncrypt: allow reading /proc/bootconfig" 2021-06-02 10:35:28 +00:00
Jooyung Han
f90484c205 Merge "Allow microdroid_manager to execute shell, etc." 2021-06-02 10:28:19 +00:00
Thiébaud Weksteen
cf09580dc7 Merge "Add tweek@ to OWNERS" 2021-06-02 08:59:04 +00:00
Thiébaud Weksteen
51a115c0fc Add tweek@ to OWNERS
Change-Id: If18014ae5a94de2381ac5f01c4b8583fb04f1f92
2021-06-02 09:22:40 +02:00
Jeff Vander Stoep
e4116b4e44 uncrypt: allow reading /proc/bootconfig
It's needed when calling ReadDefaultFstab.

Fixes: 189509028
Test: build
Change-Id: I0d4bac7f2e3a25faa921c8d77cbf92f7808f0ab7
2021-06-02 08:46:59 +02:00
Jooyung Han
55393cc42b Allow microdroid_manager to execute shell, etc.
Microdroid_manager should execute a command passed via a VM payload
config. Ideally, the spawned process should be in a dedicated domain
which has the right set of permissions.

For now, it is allowed to execute shell/toybox for testing/debuging. And
also it is allowed to access fusefs to load a library or a config file.

Bug: 189301496
Test: MicrodroidHostTestCases
Change-Id: I7872514b40a9e23bbbed2b3e1ccd322f4e9cf832
2021-06-02 09:54:12 +09:00
Jooyung Han
d470ed7b47 Add rules for microdroid_manager
Microdroid_manager is an executable in microdroid. It's role is to manage tasks
in microdroid and communicate with host's virtualizationservice.

To execute a task in microdroid, microdroid_manager should
- read "metadata" partition
- read VM payload config
- exec a command

Bug: 189301496
Test: atest MicrodroidHostTestCases
Change-Id: Iabbe0d3c8832f00df5c545e6b13fc55afa820b33
2021-06-02 09:50:54 +09:00
Calin Juravle
0b2ca6c22c Enable ART properties modularization
ART is becoming a module and we need to be able to add new properties
without modifying the non updatable part of the platform:

- convert ART properties to use prefix in the namespace of
[ro].dalvik.vm.
- enable appdomain and coredomain to read device_config properties
that configure ART

Test: boot
Bug: 181748174
Change-Id: Id23ff78474dba947301e1b6243a112b0f5b4a832
2021-06-01 16:14:55 -07:00
Todd Kennedy
7e7b6ab054 Merge "sepolicy: allow to play f2fs-compression for apk files" 2021-06-01 14:37:41 +00:00
Inseob Kim
91889d3d6c Add permissions for microdroid vold and keymint
vold uses tune2fs and e2fsck.

Bug: 185767624
Test: boot microdroid
Change-Id: Ie10448c444f80aae9a1d34a6f7f32ffeac03c608
2021-06-01 20:32:42 +09:00
Tianjie Xu
3b71803647 Merge "Add ro.vendor.build.fingerprint_has_digest to property context" 2021-06-01 04:31:07 +00:00
Jaegeuk Kim
1a15808dc0 sepolicy: allow to play f2fs-compression for apk files
This patch adds some ioctls for apk files and allows
shell to query for f2fs features.

Bug: 189169940
Test: Manual. Code runs.
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: Ia8bccf1bf663404b902703326a1853947b64e5ab
2021-05-27 20:31:17 -07:00
Alexander Dorokhine
73854e626d Merge "Allow the appsearch apex access to the apexdata misc_ce dir." 2021-05-27 20:39:03 +00:00
Michael Ayoubi
880e0ee101 Merge "Change dck properties to int" 2021-05-27 00:35:30 +00:00
Andrew Walbran
04e6256c94 Merge "Rename VirtManager to VirtualizationService." 2021-05-26 21:43:54 +00:00
Tianjie
8428a105b4 Add ro.vendor.build.fingerprint_has_digest to property context
This property indicates if the new fingerprint format is in use.
It's read by VTS to put the correct fingerprint in test report.

Bug: 188824341
Test: boot the device, check build prop
Change-Id: I2694d613e8d91d355506a4c7aaad4bdc191a800a
2021-05-26 11:21:24 -07:00
Alexander Dorokhine
0b2553a32b Allow the appsearch apex access to the apexdata misc_ce dir.
Bug: 177685938
Test: AppSearchSessionCtsTest
Change-Id: I727860a02cb9e612ce6c322662d418cddc2ff358
2021-05-26 09:47:19 -07:00
Michael Ayoubi
c14bc7ef3c Change dck properties to int
Change dck r2/r3 properties to wcc levels.

Bug: 186488185
Test: Confirm GMSCore access

Signed-off-by: Michael Ayoubi <mayoubi@google.com>
Change-Id: I9aab231d3e4bb7bd696e26652b9215d91d07b8b3
2021-05-26 15:04:02 +00:00
Treehugger Robot
b8c6055b6f Merge "Allow mke2fs to format virtual block devices in microdroid" 2021-05-26 00:03:08 +00:00