Allow everyone to look for keys in the fsverity keyring. This is
required to access fsverity-protected files, at all.
This set of permissions is analogous to allowances for the fscrypt
keyring and keys.
Bug: 125474642
Test: m
Test: manual
Change-Id: I6e8c13272cdd76d9940d950e9dabecdb210691b1
This CL add new label for files created by fsverity.
Bug: 112038861
Test: ls -Z /proc/sys/fs/verity/require_signatures.
Change-Id: I8e49ad9a43282bc608449eb0db4ea78617c4ee9a
Init needs to be aware of the policy version defined in sepolicy
for on-device compilation.
Bug: 124499219
Test: build and boot a device. Try both precompiled and on-device
compiled policy.
Change-Id: Iba861aeb4566405aedcbe3c2bad48e1e50126370
With the CLs in the same topic, it's being built as a dynamically linked
executable. And this applies to normal boot (including charger mode) and
recovery mode both.
/system/bin/charger under normal boot will be labeled as charger_exec,
which has the attribute of system_file_type.
The file in recovery image will still be labeled as rootfs. So we keep
the domain_trans rule for rootfs file, but allowing for recovery mode
only.
Bug: 73660730
Test: Boot into charger mode on taimen. Check that charger UI works.
Test: Boot into recovery mode. Check that charger process works.
Change-Id: I062d81c346578cdfce1cc2dce18c829387a1fdbc
If kernel is built with CONFIG_TRANSPARENT_HUGEPAGE optimization,
libjemalloc5 will attempt to read
/sys/kernel/mm/transparent_hugepage/enabled and hit an SELinux denial.
Various denials similiar to the following are seen on cuttlefish:
avc: denied { open } for comm="surfaceflinger"
path="/sys/kernel/mm/transparent_hugepage/enabled" dev="sysfs" ino=776
scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file
permissive=1
Bug: 28053261
Test: boot cuttlefish without above denials.
Change-Id: Ic33f12d31aacc42d662a8c5c297fbb5f84d4deea
Remove unnecessary rules which will be added from 28.0.cil automatically
by the build process.
Bug: 111308141
Test: builds
Change-Id: I02064785cac1ed6d8b4e462604a1b8db10c1a25a
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Update copy-paste comment header. Fix file access to the right
type.
Follow-up to commit 1845b406fc.
Bug 125474642
Test: m
Test: boot
Change-Id: I33bfef51c78ca581063c0f950e1837546d013050
Changed the system properties to enum. The valid modes
are "default", "legacy", and "AP-assisted".
Test: Manual
Bug: 126218288
Change-Id: Ib70ed8606e845ca29453013a400b377647e15490
Allows power rail data to be logged in the trace, allowing
high fidelity attribution of battery power use.
Matching feature CL: aosp/891533
SELinux denials that lead to this:
avc: denied { call } for scontext=u:r:traced_probes:s0 tcontext=u:r:hal_power_stats_default:s0 tclass=binder
Test: checked data in a trace
Bug: 122584217
Change-Id: I7e0f4e825be3f54bc78d91da1cb85c2f61465a44
Lmkd needs read access to /proc/pressure/memory, proc/pressure/cpu
and proc/pressure/io nodes to read current psi levels.
Lmkd needs write access to /proc/pressure/memory to set psi monitor
triggers.
Bug: 111308141
Test: modified lmkd to use PSI and tested using lmkd_unit_test
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Merged-In: I9efd60c7fbb89cc08938fa5119b13d794813b52b
Change-Id: I9efd60c7fbb89cc08938fa5119b13d794813b52b
This is for Non-AB ota update recovery partition on GMS Express 2.0 project.
recovery partition update via /vendor/bin/install-recovery.sh from /vendor/etc/recovery.img
Bug: 124277294
Test: builds and test GOTA.
Change-Id: I97521c03a881bd0427e5d02836220ee2c0db7650
Add ART boot integrity check domain. Give it rights to run
fsverity and delete boot classpath artifacts.
Bug 125474642
Test: m
Test: boot
Change-Id: I933add9b1895ed85c43ec712ced6ffe8f820c7ec
Third parameter of a property_context entry should be "exact" if the
entry is for a single property, not a prefix.
And the type of each entry should be the fourth parameter.
Bug: 112386364
Test: m -j
Change-Id: I2ed31c9fd7c7424e3a6a51d44b4e85413ae316b7
