am skip reason: Change-Id Idf0ba09cbe51cbff6a7b2a464c4651a1f7fcf343 with SHA-1 2367ba358f is in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1146877
Change-Id: Ic21917c6dfa1e578bd4bc2fcf963884954e37d5f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Merged-In Ic587df21390f6ca553bf6be9ba77685f8c048ebf with SHA-1 2eb0396cb4 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1427751
Change-Id: I306e70904bfa556ab3b566e721dce6d76f1f5ae3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Change-Id Idf0ba09cbe51cbff6a7b2a464c4651a1f7fcf343 with SHA-1 2367ba358f is in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1146877
Change-Id: If9941d8c57ad0444a72ab8a78b371cc980f83484
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Merged-In Ic587df21390f6ca553bf6be9ba77685f8c048ebf with SHA-1 2eb0396cb4 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1427751
Change-Id: Ib5e6e86ccfd91f391663b1058751e264e7edf5e6
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This CL partially cherry-picks ag/18156623 to
update prebuilts. Other parts are already included by
aosp/2069127.
Test: m
Bug: 230289468
Change-Id: If52dea348c01113fe1504eb7e51f6780f0ed4a11
As a follow-up to https://r.android.com/2078213, remove init's write
access to directories with type system_userdir_file or
media_userdir_file. This has been made possible by moving the creation
of /data/user/0 and /data/media/obb to vold.
Bug: 156305599
Change-Id: Ib9f43f2b111518833efe08e8cacd727c75b80266
All domains using libbinder need access to this new ioctl in order to
pull precise information upon failed binder operations.
Bug: 28321379
Tested: clients can now use the ioctl through libbinder
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Change-Id: I8d6e5ca6b133b934855a7545cc1a9786e2c4ad65
init should use subcontext (vendor_init) for actions/services from
/{vendor, odm} partitions. However, when configs are from vendor APEXes,
init can't tell whether the APEXes are from /{vendor, odm} just by
looking at the config file paths.
Instead, init can look up /apex/apex-info-list.xml for APEXes
preinstalled paths to tell APEXes' original partition.
Bug: 232021354
Test: atest CtsBluetoothTestCases
(Cuttlefish has BT HAL APEX in /vendor)
Change-Id: I8cb5d9eb3970790499ef1eb1ee00851591a42e98
Creating a per-user encrypted directory such as /data/system_ce/0 and
the subdirectories in it too early has been a recurring bug. Typically,
individual services in system_server are to blame; system_server has
permission to create these directories, and it's easy to write
"mkdirs()" instead of "mkdir()". Such bugs are very bad, as they
prevent these directories from being encrypted, as encryption policies
can only be set on empty directories. Due to recent changes, a factory
reset is now forced in such cases, which helps detect these bugs;
however, it would be much better to prevent them in the first place.
This CL locks down the ability to create these directories to just vold
and init, or to just vold when possible. This is done by assigning new
types to the directories that contain these directories, and then only
allowing the needed domains to write to these parent directories. This
is similar to what https://r.android.com/1117297 did for /data itself.
Three new types are used instead of just one, since these directories
had three different types already (system_data_file, media_rw_data_file,
vendor_data_file), and this allows the policy to be a bit more precise.
A significant limitation is that /data/user/0 is currently being created
by init during early boot. Therefore, this CL doesn't help much for
/data/user/0, though it helps a lot for the other directories. As the
next step, I'll try to eliminate the /data/user/0 quirk. Anyway, this
CL is needed regardless of whether we're able to do that.
Test: Booted cuttlefish. Ran 'sm partition disk:253,32 private', then
created and deleted a user. Used 'ls -lZ' to check the relevant
SELinux labels on both internal and adoptable storage. Also did
similar tests on raven, with the addition of going through the
setup wizard and using an app that creates media files. No
relevant SELinux denials seen during any of this.
Bug: 156305599
Change-Id: I1fbdd180f56dd2fe4703763936f5850cef8ab0ba
Add a property to be read by system_server's AudioService that
indicates whether the spatializer effect can use head tracking.
If true, head tracking functionality will be initialized and
the corresponding APIs will be active.
Bug: 226474336
Test: atest android.media.audio.cts.SpatializerTest
Change-Id: Id8f574ecd2303034a29da58615018586b68bf55d
The compliance tests rely on this.
Bug: 230660133
Test: run MicrodroidHostTests on a user build
Merged-In: Ic061632d80285182ec2ae7d31f3527948702cf32
Change-Id: Ic061632d80285182ec2ae7d31f3527948702cf32
This only makes it difficult to run (test/demo) apps using AVF. They
have to be pre-installed on the device which is infeasible on
user-build devices.
Removing the guard so that untrusted apps can use virtualizationservice
even on user builds. Note that the use is still gated by the
MANAGE_VIRTUAL_MACHINE permission, which can be granted only by
pre-installing or explicitly via `adb shell pm grant`. So there's no
risk of 3p apps downloaded from the net having its own VM.
Bug: 231080171
Test: run MicrodroidDemoApp on a user build
Merged-In: Ie0b1b9801dd7726633f97456a38bc0ea349013db
Change-Id: Ie0b1b9801dd7726633f97456a38bc0ea349013db
Steps taken to produce the mapping files:
0. Add 33.0 prebuilts to prebuilts/api/33.0/.
1. Add the following Android.bp modules.
33.0.board.compat.map
33.0.board.compat.cil
33.0.board.ignore.map
plat_33.0.cil
system_ext_33.0.cil
product_33.0.cil
33.0.ignore.cil
system_ext_33.0.ignore.cil
product_33.0.ignore.cil
33.0.compat.cil
system_ext_33.0.compat.cil
2. Touch the following three files.
private/compat/33.0/33.0.cil
private/compat/33.0/33.0.compat.cil
private/compat/33.0/33.0.ignore.cil
3. Add 33.0 to PLATFORM_SEPOLICY_COMPAT_VERSIONS on
build/make/core/config.mk. Note that we don't update
sepolicy_major_vers to 33, but just update compat versions.
4. Run the following command.
$ source build/make/rbesetup.sh && lunch aosp_arm64-userdebug
$ m sepolicy_generate_compat
$ sepolicy_generate_compat --branch=tm-dev \
--build latest --target-version 33.0 \
--latest-version 32.0
This change also enables treble_sepolicy_tests_33.0 and installs
33.0.cil mapping file onto the device.
Test: m treble_sepolicy_tests_33.0
Test: m 33.0_compat_test
Test: m slinux_policy
Change-Id: Ie969ff0372ff1268776165cee5cb5b07d303453c
This supports the ability to switch between ANGLE and a legacy GLES
driver in cases when transitioning from a legacy GLES driver to ANGLE
as the system driver. With ANGLE as the GLES system driver, the
platform needs a way to identify the legacy GLES driver, so that it
can be used for particular applications.
Test: CtsAngleDeveloperOptionHostTest
Bug: 224558229
Change-Id: I359b37daa96eb6f8424bde530bb1ac79affd1b04
Allow init to use toolbox to rm -rf stale files under /data/misc/virtualizationservice.
Bug: 230056726
Test: Create fake stale dir+file, see them deleted
Change-Id: I4a31e437344974597fc5280d898f23780a820f16
(cherry picked from commit 8e06fb4109)
Group together the rules for setting up app data isolation and get all
the comments up-to-date. Also remove some parts that aren't needed:
- 'allow zygote mnt_expand_file:dir mounton;' -- not needed. It might
have been thought that this was needed for mounting tmpfs on
/mnt/expand/$volume/user{,_de}, but those have type system_data_file.
- 'allow zygote mnt_expand_file:dir relabelto;' -- not needed, as
nothing is ever relabeled to this type.
- 'allow zygote media_rw_data_file:dir getattr;' -- not needed to create
bind mounts. The similar rules for user_profile_* don't include this.
- 'allow zygote mirror_data_file:dir r_dir_perms;' -- tighten to just
the required search permission.
- 'allow zygote system_data_file:dir getattr;' -- redundant with 'allow
zygote system_data_file:dir r_dir_perms;', and not needed for the
stated reason of "Get inode of directories for app data isolation".
Test: booted Cuttlefish, no denials seen.
Change-Id: Id77b8c81625fd785a5d0d88c37d7c85b8fff7244
