This CL updates hal_evs_default to be sufficient for the defautl EVS HAL
implementation and modifies other services' policies to be able to
communicate with EVS HAL implementations
Bug: 217271351
Test: m -j selinux_policy and Treehugger
Change-Id: I2df8e10f574d62f8b84e0ff0381656ab1b18b52f
Require all domains which can be used for BPF to be marked as
bpfdomain, and add a restriction for these domains to not
be able to use net_raw or net_admin. We want to make sure the
network stack has exclusive access to certain BPF attach
points.
Bug: 140330870
Bug: 162057235
Test: build (compile-time neverallows)
Change-Id: I29100e48a757fdcf600931d5eb42988101275325
Who needs all those context switches?
bpfloader controls which types of vendor programs can be used.
Bug: 140330870
Bug: 162057235
Test: successfully load bpf programs from vendor
Change-Id: I36e4f6550da33fea5bad509470dfd39f301f13c8
System server needs to do this to know whether a suitable VM for
CompOS can be created. System server does not need the ability to
actually start a VM, so we don't grant that.
Bug: 218276733
Test: Presubmits
Change-Id: Ibb198ad55819aa924f1bfde68ce5b22c89dca088
Bug: 213519191
Test: On oriole, profcollectd can call callbacks registered by
Test: ProfcollectForwardingService in system_server.
Change-Id: I8531a6e57e5e5c12033d5e8c7651ccff9a1d976a
Keystore now hosts a native binder for the remotely provisioned key
pool, which is used to services such as credstore to lookup remotely
provisioned keys.
Add a new service context and include it in the keystore services.
Add a dependency on this new service for credstore. Also include a
credstore dependency on IRemotelyProvisionedComponent, as it's needed
to make use of the key pool.
Bug: 194696876
Test: CtsIdentityTestCases
Change-Id: I0fa71c5be79922a279eb1056305bbd3e8078116e
Bug: 217452259
Test: Manual, set property in system.prop, build, flash, make sure value
is reflected in getprop | grep bluetooth.device
Change-Id: Id4bfebb4da5bcd64ea4bac8e3c9e9754c96256c6
VirtualizationService uses the properties to discover hypervisor
capabilities. Allow it access for this purpose.
Bug: 216639283
Test: build
Change-Id: I82f0c2ef30c8fb2eefcac1adf83531dd3917fdb8
The properties that report hypervisor capabilities are grouped with the
other hypervisor properties for sepolicy.
Bug: 216639283
Test: buid
Change-Id: I013894de637bb7e40a450df6439ebbd5cba28c2b
This was fixed in https://r.android.com/1963701, as it never worked.
This partially reverts commit 2dd48d0400.
Change-Id: I6e7096e20fd594465fb1574b11d6fecc82f5d82f
Allow system_server to trigger the kernel synchronize rcu with open and
close pf_key socket. This action was previously done by netd but now
it need to be done by system_server instead because the handling code in
netd are moved to mainline module which will be loaded by system_server
in JNI mode.
Note: the permission will be removed from netd once all bpf interactions
have moved out of netd.
Bug: 202086915
Test: android.app.usage.cts.NetworkUsageStatsTest
android.net.cts.TrafficStatsTest
Change-Id: I440e0c87193775115a9b9ffb19270c47b01b082e
Should system_server kill zygote on crashes, it will attempt to kill any
process in the same process group. This ensures that no untracked
children are left.
Bug: 216097542
Test: m selinux_policy
Change-Id: Ie16074f76e351d80d9f17be930a731f923f99835
