Commit graph

16067 commits

Author SHA1 Message Date
Jiyong Park
90b21ee4b4 init is a dynamic executable
init is now a dynamic executable. So it has to be able to execute the
dynamic linker (/system/bin/linker) and shared libraries (e.g.,
/system/lib/libc.so). Furthermore, when in recovery mode, the files are
all labeled as rootfs - because the recovery ramdisk does not support
xattr, so files of type rootfs are allowed to be executed.

Do the same for kernel and ueventd because they are executing the init
executable.

Bug: 63673171
Test: `adb reboot recovery; adb devices` shows the device ID
Change-Id: Ic6225bb8e129a00771e1455e259ff28241b70396
2018-06-14 01:56:36 +09:00
padarshr
44ae7c2ccb Add ueventd to mnt_vendor_file neverallow exemption list
Legacy hardware and code still depends on the ueventd helpers to
locate the firmware supported files which are on new mount path
labeled with mnt_vendor_file. For ueventd helper to work we need dir search
and read permission on this new label so moving ueventd to exempted list.

Already ueventd has the vendor_file_type read access.

Bug:110083808

Change-Id: Ia15cc39ecef9e29b4f1f684efdddbeb78b427988
2018-06-13 17:20:34 +05:30
Mark Salyzyn
6b2715cc0d Merge "persist.sys.boot.reason is cleared once read by bootstat"
am: 752bde548f

Change-Id: Ifbd311d8425fcd9caffe61c41400fbbfedb356c7
2018-06-12 14:10:01 -07:00
Treehugger Robot
752bde548f Merge "persist.sys.boot.reason is cleared once read by bootstat" 2018-06-12 19:19:57 +00:00
Steven Moreland
c31109b8bd Make hal_allocator use hal_attribute_hwservice.
am: 9099638815

Change-Id: I8a7bc7088823a3fe0f5f2f9768d95510cab45293
2018-06-11 20:50:26 -07:00
Steven Moreland
9099638815 Make hal_allocator use hal_attribute_hwservice.
If you can get or serve the hal allocator interface,
you should be a hal_allocator_client or
hal_allocator_server.

Bug: 80319537
Test: boot aosp_walleye and (sanity) take photos
Change-Id: Iea14c67c4aa56df7a74ebdb17e99b78b1d3aa105
2018-06-11 14:44:12 -07:00
Neil Fuller
60d79e487b Allow telephony to call system service
The timedetector_service will be called from the
telephony process

Bug: 78217059
Test: build / local testing with a client
Change-Id: I25dfa4daabaa80e6b5e697ad1b1e2f7f72377702
2018-06-11 21:27:17 +01:00
Mark Salyzyn
a1bce77973 persist.sys.boot.reason is cleared once read by bootstat
To ensure a surprise reboot does not take the last boot reason on
face value especially if coming from more than one boot session ago.
We shift and clear the value from persist.sys.boot.reason to
sys.boot.reason.last and establish a correct last reboot reason in
the canonical sys.boot.reason property.  As a result, the power
manager should read the canonical sys.boot.reason for a definitive
result rather than relying on the possibly incorrect values in the
persistent storage.  sys.boot.reason should be a core property as
it represents the canonical boot reason API.

Test: compile
Bug: 86671991
Bug: 63736262
Change-Id: If3742c487d6c0ab69c464f056bf48c786b66a945
2018-06-11 09:30:25 -07:00
Xin Li
9e1bcf3107 Merge pi-dev-plus-aosp-without-vendor into stage-aosp-master
Bug: 79597307
Change-Id: Id75dd160e87f283c9d3efc8878c2c464397edc39
2018-06-08 11:09:27 -07:00
Jiyong Park
bacf36480d adbd is allowed to execute shell in recovery mode
The shell is now available directly in the recovery ramdisk. We no
longer need to mount system.img to /system as the recovery ramdisk is
self-contained. However, there is a problem that every file in the
ramdisk is labeled as rootfs because the ramdisk does not support xattr.

This CL adds several recovery-only rules that are required to make the
recovery ramdisk self-contained. Most importantly, adbd is allowed to
domain_trans to shell. Also shell is allowed to execute files of type
rootfs. Finally, the recovery is allowed to mount on tmpfs since it now
mounts system.img to /mnt/system.

Bug: 63673171
Test: `adb reboot recovery; adb devices` shows the device ID
Test: `adb root && adb shell` and then
$ lsof -p `pidof adbd` shows that libm.so, libc.so, etc. are loaded from
the /lib directory.

Change-Id: If21b069aee63541344a5ca8939fb9a46ffef4d3e
2018-06-09 02:23:10 +09:00
Neil Fuller
4a77ea5eb3 Merge "Remove references to common_time / commontime" am: 44b86a3e5e
am: 304857d8be

Change-Id: I9d93260c280e8981a051bc4651a4a4942288acfe
2018-06-07 13:18:23 -07:00
Neil Fuller
304857d8be Merge "Remove references to common_time / commontime"
am: 44b86a3e5e

Change-Id: I37d4b227e898d5989e7c2eab7ef06d0b629066ca
2018-06-07 09:53:01 -07:00
Neil Fuller
44b86a3e5e Merge "Remove references to common_time / commontime" 2018-06-07 15:50:06 +00:00
Steven Moreland
150268e531 Merge "Make hal_configstore consistent." am: a74708966a
am: a4748147d1

Change-Id: I9a371e468c27b2493eee268827b601281e4608a1
2018-06-07 08:23:03 -07:00
Steven Moreland
a4748147d1 Merge "Make hal_configstore consistent."
am: a74708966a

Change-Id: I2903e9407ee1ee0230e4f2da3a902e58701a41f8
2018-06-07 08:18:05 -07:00
Steven Moreland
a74708966a Merge "Make hal_configstore consistent." 2018-06-07 15:10:22 +00:00
Jiyong Park
850c81311c [automerger skipped] Merge "add extended_core_property_type" am: 7d63911ace
am: 19d59696ff  -s ours

Change-Id: Ifb814c8866b5a09778095f57f1edabd3c8d0a1b6
2018-06-07 00:21:58 -07:00
Jiyong Park
19d59696ff Merge "add extended_core_property_type"
am: 7d63911ace

Change-Id: I3b08c8b272945202503d0e242d06c48bb27ac02b
2018-06-07 00:00:41 -07:00
Treehugger Robot
7d63911ace Merge "add extended_core_property_type" 2018-06-07 06:08:48 +00:00
Tri Vo
972e06de59 Mechanism to exclude neverallows from *TS. am: 77c44fc420
am: 66e7d2b063

Change-Id: Idd27b85bc97a79ff434412cbbeee74082907553d
2018-06-06 20:46:43 -07:00
Tri Vo
66e7d2b063 Mechanism to exclude neverallows from *TS.
am: 77c44fc420

Change-Id: Ibb9186cf7476e6b55de760105ea23a569ffbb580
2018-06-06 17:12:07 -07:00
Tri Vo
77c44fc420 Mechanism to exclude neverallows from *TS.
build_test_only is used to denote rules that should not be verified
as part of compliance testing.

Use this macro to exclude neverallow rules which we want to check as
part of build, but not CTS.

Bug: 80499271
Test: SELinuxNeverallowRulesTest on walleye has no more failure of type
"Type or attribute * used in neverallow undefined in policy being checked."
Number of failing test cases is reduced by 142.
Test: policy.conf used to check neverallows at build-time still retains
all neverallow rules.
Change-Id: I5f1b383d9096bb5a7b8c0f1bc008b5dd07419580
2018-06-06 14:51:39 -07:00
Steven Moreland
fdc9f48414 Merge changes from topic "b80319537" am: 0578a39451
am: 337c0969f0

Change-Id: I7d20e245851c049db4217b762acd8b6c71fbfe8c
2018-06-06 13:15:28 -07:00
Jeff Vander Stoep
d1f07835a7 Merge "Deprivilege haiku" am: 59f8e75a5d
am: b204ad930c

Change-Id: I23dd498f88e5d4fbff520defeef5baf7329e9ea4
2018-06-06 13:15:09 -07:00
Steven Moreland
ac88cb6101 Make hal_configstore consistent.
Previously, supposedly, each individual client of configstore
was supposed to add the add_hwservice attribute itself to get
ahold of the specific sub-interface of configstore relevant to
it. However, there is only one configstore interface,
ISurfaceFlingerConfigs.

From this point onward, the configstore hal is to be thought of
as specifically relating to surface flinger. Other properties
may be added as other attributes/packages.

For instance, if we want a configstore entry for 'IFooConfig',
then we would add the configuration to one of the following
packages:
- android.hardware.foo@X.Y (to the interface itself)
- android.hardware.foo.config@X.Y (to a configuration of the interface)
- android.hardware.configstore.foo@X.Y (as a sub-interface of configstore)

and then it could be associated with the sepolicy attributes
(respectively):
- hal_foo
- hal_foo_config (or just hal_foo if they are 1-1)
- hal_configstore_foo

The specific pattern to be followed is irrelevant to this CL
and subject to future discussion, the point being that we're going
to have a separate sepolicy attribute (and package, although this
isn't strictly necessary) for each separate domain's configuration.

Fixes: 109806245
Test: boot walleye, check for denials
Change-Id: If661e3fca012017a6c854fe3f02df4b779d514df
2018-06-06 13:01:17 -07:00
Steven Moreland
337c0969f0 Merge changes from topic "b80319537"
am: 0578a39451

Change-Id: I8a96c42221a241c761bdfa3d1b98dbdfd6b0dae3
2018-06-06 12:04:05 -07:00
Jeff Vander Stoep
b204ad930c Merge "Deprivilege haiku"
am: 59f8e75a5d

Change-Id: I0a45a6b5bd657c1c76668704a2283316deada6d1
2018-06-06 12:03:43 -07:00
Treehugger Robot
0578a39451 Merge changes from topic "b80319537"
* changes:
  hal_attribute_hwservice_client drop '_client'
  hal_attribute_hwservice_client += add_hwservice
2018-06-06 18:25:00 +00:00
Treehugger Robot
59f8e75a5d Merge "Deprivilege haiku" 2018-06-06 17:18:07 +00:00
Steven Moreland
9234e00daf hal_attribute_hwservice_client drop '_client'
Since this attribute just associates a hal_attribute
with a given hwservice in the standard way.

Bug: 80319537
Test: boot + sanity + test for denials
Change-Id: I545de165515387317e6920ce8f5e8c491f9ab24e
2018-06-06 09:30:18 -07:00
Steven Moreland
343e24a1be hal_attribute_hwservice_client += add_hwservice
For sanity, this makes 'hal_attribute_hwservice_client'
be associated with a specific hwservice thus making things
consistent.

After this change, only configstore, hal_allocator, and the
fwk_* services are inconsistent with all other HALs.

Bug: 80319537
Test: boot device, sanity tests, check for denials
Change-Id: Ibffc65c9567a429e07a3dc4dd41117738459dc2a
2018-06-06 09:25:52 -07:00
Neil Fuller
c9fa040d1c Remove references to common_time / commontime
This change removes references to the common time management
service.

Bug: 80462439
Test: build / boot
Merged-In: I2c8fca44fe05e3a35f5580d23e23a4c033075613
Change-Id: I2c8fca44fe05e3a35f5580d23e23a4c033075613
2018-06-06 17:02:44 +01:00
Jiyong Park
4e7545c44d resolve merge conflicts of 430b4b8294 to pi-dev-plus-aosp
BUG: None
Test: I solemnly swear I tested this conflict resolution.
Change-Id: I54259100d731eef267f34cc12d0cbc9e200143ac
2018-06-06 13:15:28 +09:00
Joel Galenson
f41d85ca64 Merge "Allow ephemeral_app to execute system_file." into pi-dev
am: 398f72e3fd

Change-Id: Ib41908cbbf800bc1f3c2c4f639ab11c4b900d638
2018-06-05 21:07:16 -07:00
Tom Cherry
430b4b8294 Merge "neverallow coredomain from writing vendor properties"
am: e5616f0d24

Change-Id: I7768020d6a664b5e863775059a472d6b583d684a
2018-06-05 21:05:38 -07:00
Treehugger Robot
e5616f0d24 Merge "neverallow coredomain from writing vendor properties" 2018-06-06 03:54:11 +00:00
TreeHugger Robot
398f72e3fd Merge "Allow ephemeral_app to execute system_file." into pi-dev 2018-06-06 03:31:50 +00:00
Tri Vo
986f9ef5f3 Merge "Revert "Remove neverallow coredomain to set vendor prop."" into pi-dev
am: c75bef086f

Change-Id: If12976c0cd028c2e4cb35323019d953221998f30
2018-06-05 19:48:45 -07:00
Tri Vo
c75bef086f Merge "Revert "Remove neverallow coredomain to set vendor prop."" into pi-dev 2018-06-06 02:07:50 +00:00
Joel Galenson
f2afca7cf0 Allow ephemeral_app to execute system_file.
Bug: 109653662
Test: Build policy.
Change-Id: I6c71a8bc24d7a144b801d16f1bcad31fb8f2aba5
2018-06-05 17:56:30 -07:00
Steven Moreland
d02807110f [automerger skipped] Merge "Add context for ro.boot.product.hardware.sku." am: 8169f6b6ae
am: fdb8ba5dc5  -s ours

Change-Id: I7036d9b9083052cebba94905c9acb38f1f8b99d8
2018-06-05 15:34:12 -07:00
Jeff Vander Stoep
7a5c3aef17 [automerger skipped] Merge "ephemeral_app: disallow access to qtaguid files" into pi-dev
am: c0ee12ea82  -s ours

Change-Id: Ib0b4b3a62b29bcede49b202f1be3fdb814696026
2018-06-05 15:01:13 -07:00
Steven Moreland
fdb8ba5dc5 Merge "Add context for ro.boot.product.hardware.sku."
am: 8169f6b6ae

Change-Id: Ibad32696a84290e0a8745c1ecfaaeac0e710392f
2018-06-05 14:54:33 -07:00
TreeHugger Robot
c0ee12ea82 Merge "ephemeral_app: disallow access to qtaguid files" into pi-dev 2018-06-05 21:14:18 +00:00
Steven Moreland
8169f6b6ae Merge "Add context for ro.boot.product.hardware.sku." 2018-06-05 21:08:41 +00:00
Wale Ogunwale
dcf42c11f4 Merge "Added sepolicy for activity_task service" am: 2b7fbbe917
am: 93c6a36b07

Change-Id: If0038600c1fe4c97f55b3a09038586546ab1647c
2018-06-05 09:17:45 -07:00
Wale Ogunwale
93c6a36b07 Merge "Added sepolicy for activity_task service"
am: 2b7fbbe917

Change-Id: I6a9301aa288cdea401a16b5e51d815d3488f5a79
2018-06-05 09:13:21 -07:00
Treehugger Robot
2b7fbbe917 Merge "Added sepolicy for activity_task service" 2018-06-05 16:02:51 +00:00
Steven Moreland
68e58a474b Merge "Find hal_foo_hwservice -> you are hal_foo_client." am: 58f4c6f01b
am: 0b783e875a

Change-Id: I6d760e257df73b8bf065563c9a1949cd8edca54a
2018-06-05 08:33:57 -07:00
Steven Moreland
0b783e875a Merge "Find hal_foo_hwservice -> you are hal_foo_client."
am: 58f4c6f01b

Change-Id: I4e0467ba1c655be90eefc65dc3ebc96822aaa960
2018-06-05 08:30:19 -07:00