Split virtualizationservice policy into rules that should remain with
the global service and rules that now apply to virtmgr - a child process
of the client that runs the VM on its behalf.
The virtualizationservice domain remains responsible for:
* allocating CIDs (access to props)
* creating temporary VM directories (virtualization_data_file, chown)
* receiving tombstones from VMs
* pushing atoms to statsd
* removing memlock rlimit from virtmgr
The new virtualizationmanager domain becomes responsible for:
* executing crosvm
* creating vsock connections, handling callbacks
* preparing APEXes
* pushing ramdumps to tombstoned
* collecting stats for telemetry atoms
The `virtualizationservice_use` macro is changed to allow client domains
to transition to the virtmgr domain upon executing it as their child,
and to allow communication over UDS.
Clients are not allowed to communicate with virtualizationservice via
Binder, only virtmgr is now allowed to do that.
Bug: 250685929
Test: atest -p packages/modules/Virtualization:avf-presubmit
Change-Id: Iefdccd908fc28e5d8c6f4566290e79ed88ade70b
Organize the HDMI packages into CEC, EArc and connection under a common
hdmi package.
Bug: 261729059
Test: atest vts_treble_vintf_framework_test
atest vts_treble_vintf_vendor_test
Change-Id: Ief5bff996028775ea355b392a4028a091fb83b99
This CL adds a new cameraservice type to allow vendor clients of
cameraservice to query and find the stable cameraservice
implementation.
Bug: 243593375
Test: Manually tested that cameraservice can register a vendor facing
instance.
Change-Id: I61499406d4811c898719abcb89c51b4b8a29f4a7
This new service is exposed by system_server and available to all apps.
Bug: 259175720
Test: atest and check the log
Change-Id: I522a3baab1631589bc86fdf706af745bb6cf9f03
Start a new security domain for virtmgr - a child proces of an app that
manages its virtual machines.
Add permissions to auto-transition to the virtmgr domain when the client
fork/execs virtmgr and to communicate over UDS and pipe.
Bug: 250685929
Test: atest -p packages/modules/Virtualization:avf-presubmit
Change-Id: I7624700b263f49264812e9bca6b83a003cc929be
aosp/2291528 should have had the `binder_call` macro in hal_can.te be a
`binder_use` macro instead. This fixes that.
Bug: 170405615
Test: AIDL CAN HAL starts up and configures
Change-Id: I7b18c25afef5a243bf0bba7c77a682f7cff092a3
Otherwise, we will encounter SELinux denials like:
W binder:6200_7: type=1400 audit(0.0:327): avc: denied { read } for name="PrebuiltGmsCoreNext_DynamiteLoader.apk" dev="dm-51" ino=2576 scontext=u:r:artd:s0 tcontext=u:object_r:privapp_data_file:s0:c512,c768 tclass=lnk_file permissive=0
Bug: 262230400
Test: No longer see such SELinux denials.
Change-Id: Iccb97b1973f8efbe859b59e729f7a0194d05ba5e
Overlayfs failed to mount during second stage init because init is
lacking these permissions.
These permissions are asserted by the overlayfs driver during mount
operation, see fs/overlayfs/super.c:ovl_check_rename_whiteout
(https://source.corp.google.com/kernel-upstream/fs/overlayfs/super.c;l=1182;bpv=1;bpt=1)
Bug: 243501054
Test: adb remount && check that overlay is active after reboot
Change-Id: I258646b65a49487e6f22a6742ff59e9a0d57b5c0
As a reminder, per:
https://source.corp.google.com/search?q=p:aosp-master%20file:sepolicy%20-file:prebuilts%20proc_bpf%20file:genfs
we currently have:
aosp-master system/sepolicy/private/genfs_contexts
genfscon proc /sys/kernel/bpf_ u:object_r:proc_bpf:s0
genfscon proc /sys/kernel/unprivileged_bpf_ u:object_r:proc_bpf:s0
genfscon proc /sys/net/core/bpf_ u:object_r:proc_bpf:s0
So the above are the files which will no longer be writable by init.
A cs/ search for p:android$ (/sys/kernel/bpf_|/sys/kernel/unprivileged_bpf_|/sys/net/core/bpf_) file:[.]rc
only finds bpfloader.rc init script as actually doing these writes.
Those writes are removed in:
https://android-review.git.corp.google.com/c/platform/system/bpf/+/2325617
'bpfloader - move sysctl setting from rc to binary'
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I19ccdf293966dd982e1d36836b0b962d99ed7275
There should be no need for this and it fixes a long outstanding TODO.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id1764cbc713addbbda6827fe6c6689e45e8f584c
1. Allow them to be configured by vendor_init.
2. Introduce a new system property
hypervisor.memory_reclaim.supported, which is configured by
vendor_init and accessed only by virtualizationservice, and is not
as widely accessible as the existing hypervisor sysprops.
Bug: 235579465
Test: atest MicrodroidTests
Change-Id: I952432568a6ab351b5cc155ff5eb0cb0dcddf433
With AIDL fastboot, wiping partition will be handled by new service.
Allow hal_fastboot_server to the exception to neverallow rule.
Bug: 260140380
Test: th
Test: fastboot -w
Change-Id: Ic38ad715cb097ccd9c8936bb8e2a04e3e70b3245
Signed-off-by: Sandeep Dhavale <dhavale@google.com>
when recording, the encoders need access to determine if on
a handheld and enable some quality standards.
Bug: 251205971
Test: atest android.media.recorder.cts.MediaRecorderTest
Change-Id: I534a6aa24c188002ab0baab9d891e07db0af81f2
This app talks to the remote provisioning HALs, and therefore requires
access to the tee_device domain.
Bug: 254112668
Test: Manually verify rkpd can run and find remote provisioning hals
Change-Id: I876b0890f3d4e8956406d73e956084b99488ce56
This way we can prevent private types (e.g., sdk_sandbox) from accessing
those properties.
Bug: 210811873
Test: m -j, boot device
Change-Id: Idbcc4928c8d0d433f819d8b114e84a5f09466ad0
Create adaptive haptics system property to store adaptive haptics enable
state.
Bug: 198239103
Test: Verified system property usage
Change-Id: I5d4f0a5c8ec4a5b0ce18bc03a6d30879dd76d58b
Signed-off-by: Chris Paulo <chrispaulo@google.com>
