Since clatd is shipped by mainline module, remove the following privs
/system/bin/clatd u:object_r:clatd_exec:s0
Test: build
Change-Id: Id98470fc5e641acc7e5635af02a520d2ed531cd8
microdroid_manager needs to give the measurements to diced and get
per-VM secret from it for encrypting/decrypting the instance disk.
Bug: 214231981
Test: run microdroid
Change-Id: Ia4cab3f40263619e554466433cbb065e70ae0f07
We no longer use keystore, nor do we run dex2oat directly.
But we do now use IDiceNode::derive() to get our CDI_seal for key
derivation.
Bug: 214233409
Bug: 210998077
Test: atest ComposKeyTestCase
Change-Id: Id8ba882e7c250ad0365a7f493801e02cb5a0b700
The two are now started before APEXes are activated. Therefore they need
access to the bootstrap bionic libraries.
file_contexts is also updated because their file names are changed to
avoid the conflict with their non-bootstrap variants.
Bug: 214231981
Test: m
Change-Id: I30fb1422f228b71251d6618dd7f6e4e5422717f8
To generate compat files, we need the following files.
- base_plat_sepolicy: to get all types
- base_plat_pub_policy.cil: to get public types
- {ver}_plat_sepolicy: to get old types
This creates a new dist goal, base-sepolicy-files-for-mapping, to
conveniently generate and gather desired files under out/dist.
Bug: 214336258
Test: build/soong/soong_ui.bash --make-mode dist \
base-sepolicy-files-for-mapping \
TARGET_PRODUCT=aosp_arm64 TARGET_BUILD_VARIANT=userdebug
Change-Id: I2f210ab47be777cd91346d635f75064845821144
system_server needs search/read/open access to the directory.
This change gives system_server permissions to fetching the
information from sys/class/net.
Bug: 202086915
Test: build, flash, boot
Change-Id: I7b245510efbc99427f3491c9234c45c8cc18fea1
This sepolicy is needed so that the vendor can launch a new HAL process,
and then this HAL process could join the servicemanager as an impl for
IInputProcessor. This HAL will be used to contain the previous impl of
InputClassifier and also new features that we are going to add.
Bug: 210158587
Test: use together with a HAL implementation, make sure HAL runs
Change-Id: I476c215ad622ea18b4ce5cba9c07ae3257a65817
As the Fastpair in Mainline Module design, we intend to let OEM to:
* Support Fast Pair initial pairing by setting up its own server to
sync and serve certified Fast Pair devices’ metadata.
* Support Fast Pair subsequent pairing by associating already
paired Fast Pair devices to OEM’s accounts.
We also want to migrate GMS Fast Pair to use this mainline
implementation in the future and let our test signed with "platform"
can access to the NearbyManager.
Therefore, we need to make NearbyManager available as System API.
Bug: 214495869
Test: build, flash, boot, check "nearby_service" available for "privileged apps"
Change-Id: Icda959a33ba61eb39a3b584fc3b7a8b340fba11e
Bug: 197684182
Test: Manually verified that BinaryTransparencyService is correctly
started and running.
Change-Id: I4eaf5698dd2edb428205afcd57c22502d56d2ec2
A new service, SurfaceFlingerAIDL, is added to surfaceflinger during
the process of mirgrating ISurfaceComposer interface to AIDL.
Once migration is complete, this service will be deleted.
Bug: 211037638
Test: screencap
Change-Id: I0e41700b1af1f482cda6a6d6c67b057553485cfd
btfloader is a standalone binary that receives a path to a bpf .o file
from bpfloader, parses & loads the BTF type info from the file, passes
BTF info back to bpfloader & exits. Include it in bpfloader's domain &
grant bpfloader permission to run it.
Bug: 203823368
Test: build & boot, bpfloader successfully executes btfloader
Signed-off-by: Connor O'Brien <connoro@google.com>
Change-Id: Ia08776a90763a8477d9f3e393d5d723b88a3176f
The identity service must be able to return a binder handle to an
IRemotelyProvisionableComponent for remote key provisioning support.
Since the default identity service works with the default keymint
service, allow calling into service manager to get an
IRemotelyProvisionableComponent binder handle.
Bug: 194696876
Test: VtsHalIdentityTargetTest
Change-Id: I01d086a4b38c23a6567fd36bcbb9421ea072caab
Contexts must have this permission to fetch remotely provisioned
attestation key blobs. It is expected that only credstore will have
this permission.
Test: manual, build and run cuttlefish
Bug: 194696876
Change-Id: Ieebd552129bc8be6b8831ec2e38eb6bda522b216
This reverts commit eee72d6cb3d9f5c6001192247861b28cb0787827.
REASON: not needed. See the other CL in the same topic.
Bug: 197358423
Test: m
Change-Id: Ice0813ed9e349e37c83b163e2c21f17bb1105013
Add diced to security_class and access_vectors so it can check its
permissions in side Microdroid.
This was part of commit 2b6c6063ae
outside the VM.
Bug: 214231981
Test: composd_cmd dice
Change-Id: Ia503db183d16a4efcb975f654bb4483df44f51ad
sepolicy_generate_compat will be used to generate compat files for ToT,
based on the mapping file from aosp_arm64-userdebug target of {ver}
source tree. For now, it only supports downloading a mapping file
system/etc/selinux/mapping/{ver}.cil from the Android build server.
Bug: 214336258
Test: sepolicy_generate_compat --branch sc-v2-dev --version 32.0
Change-Id: I48043c71a6866aa385ecd67462f7678561cc5a38
Since the clatd has some code cleanup, these privs are not required
anymore.
Bug: 212345928
Test: manual test
1. Connect to ipv6-only wifi.
2. Try IPv4 traffic.
$ ping 8.8.8.8
Change-Id: Ib801a190f9c14ee488bc77a43ac59c78c44773ab
