The type is declared in vendor policy, so the mapping should live
there as well.
Fixes: 185288751
Test: TH
Change-Id: Ia446d7b5eb0444cdbd48d3628f54792d8a6b2786
BINDER_ENABLE_ONEWAY_SPAM_DETECTION is used to enable/disable oneway
spamming detection in binder driver, and can be set per-proc.
Bug: 181190340
Change-Id: Id799b19ee5a74b458e286dc29122c140a047bdad
This allows NNAPI users to pass in model data from the asset folder.
Bug: 184880878
Test: nnapi demo app with model data from asset file
Test: NNAPI benchmark CTS
Change-Id: I79ded4e9f35eb15e1f9f0d91308840e8b318d218
- Add dir read access to /sys/class/devfreq/
- Add file read access to /sys/class/devfreq/$DEVICE/cur_freq
Resolves the following denials:
W traced_probes: type=1400 audit(0.0:8):
avc: denied { read } for name="devfreq" dev="sysfs"
ino=28076 scontext=u:r:traced_probes:s0
tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0
W traced_probes: type=1400 audit(0.0:226):
avc: denied { read } for name="cur_freq" dev="sysfs"
ino=54729 scontext=u:r:traced_probes:s0
tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
See ag/14187061 for device specific sysfs_devfreq_cur labels
Bug: 181850306
Test: ls -Z, record perfetto trace
Change-Id: I23cebb16505313160e14b49e82e24da9b81cad70
This patch adds ro.product.enforce_debugfs_restrictions to
property_contexts. When the property is set to true in non-user builds,
init mounts debugfs in early-init to enable boot-time debugfs
initializations and unmounts it on boot complete. Similarly dumpstate
will mount debugfs to collect information from debugfs during bugreport
collection via the dumpstate HAL and unmount debugfs once done. Doing
so will allow non-user builds to keep debugfs disabled during runtime.
Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS, adb shell am
bugreport
Bug: 184381659
Change-Id: Ib720523c7f94a4f9ce944d46977a3c01ed829414
Add property & property context to configure whether the bootanimation
should be played in a quiescent boot.
Bug: 185118020
Test: Set property through PRODUCT_PRODUCT_PROPERTIES
Test: Read property from bootanimation process
Change-Id: Ib9e88444da7f5e8000d7367199f5230f1e4d26d9
This is an Android Studio Emulator (aka ranchu)
specific property, it is used for emulator
specific workarounds.
Bug: 182291166
Test: presubmit
Signed-off-by: Roman Kiryanov <rkir@google.com>
Change-Id: I2b8daf7c8ddb05b4082e4229f7b606c6ad4e717e
Fixed SELinux denials when trying to render the camera preview
to a texture in an internal test app. See the bug for additional
information.
Bug: 183749637
Test: Ran the internal test app, doesn't crash anymore.
Change-Id: I8fb62be424cd91c46cada55bb23db1624707997d
NetworkStack GTS tests need to get network_watchlist_service and
system_config_service to test their APIs which are used by the
module. But they will be blocked by avc denials when trying to get
these services. Thus, amend networkstack sepolicy so that it can get
these services correctly.
Bug: 185309847
Test: Verify GTS test can get service correctly.
Change-Id: Icb18065e94d0026c3232cebb7d5eb39277fe7552
to ensure the file size is greater than 0, as secilc cannot handle
zero-sized cil files.
Fixes: 185256986
Bug: 183362912
Test: Forrest re-run broken test
Change-Id: Ief3039d38728fbeff67c6e39d6b15bddb006e5f8
Add "ro.camerax.extensions.enabled" vendor-specific property.
Allow public apps to read this property.
Bug: 171572972
Test: Camera CTS
Change-Id: Id5fadedff6baaaebe5306100c2a054e537aa61ed
Allow keystore to call statsd.
Allow statsd to call back to keystore to pull atoms.
Bug: 172013262
Test: atest system/keystore/keystore2
Test: statsd_testdrive 10103
Change-Id: I2d1739e257e95b37cc61f655f98f7a2724df7d76
The su domain is always permissive. Operations which occur in this
domain should never be logged.
Addresses the following denials:
avc: denied { bpf } for comm="bpf_module_test" capability=39
scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=capability2 permissive=1
Bug: 185230825
Test: builds
Change-Id: Id8bd355a9636fb5e9d26ef570c2cf7e4273b08b5
untrusted apps were already granted this policy and we now extend it
to all apps. This allows FileManager apps with the
MANAGE_EXTERNAL_STORAGE permission to access USB OTG volumes mounted
on /mnt/media_rw/<vol>.
This permission access in the framework is implemented by granting
those apps the external_storage gid. And at the same time USB volumes
will be mounted on /mnt/media_rw/<vol> with the external_storage gid.
There is no concern of interfering with FUSE on USB volumes because
they are not FUSE mounted.
For sdcards (non-USB) volumes mounted on /mnt/media_rw/<vol>, those
volumes are mounted with the media_rw gid, so even though they are
FUSE mounted on /storage/<vol>, arbitrary apps cannot access the
/mnt/media_rw path since only the FUSE daemon is granted the media_rw
gid.
Test: Manual
Bug: 182732333
Change-Id: I70a3eb1f60f32d051f44253b0db2c7b852d79ba1