Commit graph

10 commits

Author SHA1 Message Date
Jooyung Han
cae2368d2d Set apex. property as "system_restricted"
Since the property is supposed to be used by vendor-side .rc file as
read-only (especially by vendor apex), it should be "system_restricted".

Also allow vendor_init to read the property.

Bug: 232172382
Test: boot cuttlefish (with vendor apex using the property)
Change-Id: I502388e550e0a3c961a51af2e2cf11335a45b992
2022-09-02 18:11:33 +09:00
Andrew Scull
aedd65ac20 Allow vendor_init to read AVF device configs
Bug: 192819132
Test: build
Change-Id: Iefa4d2d2dc0a13a9a6c95779d6ebde5cb2834295
2021-10-08 14:51:30 +00:00
Andrew Walbran
a995e84c18 Add crosvm domain and give virtmanager and crosvm necessary permissions.
Bug: 183583115
Test: make TARGET_KERNEL_USE=5.4 TARGET_VIM3L=true
Change-Id: I566436fa2d27597566014f2a63198a88d6d2dbd6
2021-04-13 09:30:20 +00:00
Josh Gao
0cac6fd17a Let adbd set service.adb.tcp.port.
Commit 67c36884 changed the label of service.adb.tcp.port to allow
vendor init to set it, but accidentally prevented adbd from setting it,
which broke `adb tcpip`.

Bug: http://b/171280882
Test: `adb tcpip`
Change-Id: I154e2f43a4d3b72b27508ce02d66298673939738
2020-11-06 13:08:04 -08:00
Paul Crowley
aed0f76ee9 Root of /data belongs to init (re-landing)
Give /data itself a different label to its contents, to ensure that
only init creates files and directories there.

This change originally landed as aosp/1106014 and was reverted in
aosp/1116238 to fix b/140402208. aosp/1116298 fixes the underlying
problem, and with that we can re-land this change.

Bug: 139190159
Bug: 140402208
Test: aosp boots, logs look good
Change-Id: I1a366c577a0fff307ca366a6844231bcf8afe3bf
2019-09-09 14:42:01 -07:00
Paul Crowley
d98e311952 Revert "Root of /data belongs to init"
This reverts commit 206b6535f1.

Reason for revert: Droidfood is blocked
Bug: 140402208
Change-Id: I1d1eb014747ba5c5bb656342e53b8c4e434878d1
2019-09-06 19:59:17 +00:00
Paul Crowley
206b6535f1 Root of /data belongs to init
Give /data itself a different label to its contents, to ensure that
only init creates files and directories there.

Bug: 139190159
Test: aosp boots, logs look good
Change-Id: I3ee654a928bdab3f5d435ab6ac24040d9bdd9abe
2019-08-29 15:08:21 -07:00
Tom Cherry
9c778045b2 Remove vendor_init from coredomain
vendor_init exists on the system partition, but it is meant to be an
extention of init that runs with vendor permissions for executing
vendor scripts, therefore it is not meant to be in coredomain.

Bug: 62875318
Test: boot walleye
Merged-In: I01af5c9f8b198674b15b90620d02725a6e7c1da6
Change-Id: I01af5c9f8b198674b15b90620d02725a6e7c1da6
2018-01-29 18:07:41 +00:00
Tom Cherry
63492cd625 Copy a dontaudit from init to vendor_init
Copy init's dontaudit for sysfs:dir write; to calm the below denials:

avc:  denied  { write } for  pid=542 comm="init" name="1da4000.ufshc" dev="sysfs" ino=21752 scontext=u:r:vendor_init:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1
avc: denied { write } for pid=542 comm="init" name="1da4000.ufshc" dev="sysfs" ino=21752 scontext=u:r:vendor_init:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1

Bug: 62875318
Test: use pixel + factory reset + vendor_init
Change-Id: I686b51c4f340b3565ea24f00516ebde846be7a89
2017-11-15 14:57:14 -08:00
Tom Cherry
621c24cbab add vendor_init.te
First pass at adding vendor_init.te

Bug: 62875318
Test: boot sailfish with vendor_init
Change-Id: I35cc9be324075d8baae866d6de4166c37fddac68
2017-10-25 09:21:30 -07:00