This allows Incremental Service (part of system_server) to query the
filled blocks of files on Incremental File System.
Test: atest service.incremental_test
BUG: 165799231
Change-Id: Id63f8f325d92fef978a1ad75bd6eaa8aa5e9e68b
This is a new ioctl for configuring loop devices, and is used by apexd.
Bug: 148607611
Bug: 161575393
Test: boot on device with/without LOOP_CONFIGURE
Change-Id: I9ef940c7c9f91eb32a01e68b858169c140d15d0f
Merged-In: I9ef940c7c9f91eb32a01e68b858169c140d15d0f
Keystore logging is migrated to use statsd. Therefore,
keystore needs permission to write to statsd.
Test: Treehugger passes.
Bug: 157664923
Change-Id: If15ee3eb2ae7036dbaccd31525feadb8f54c6162
Merged-In: I2fb61fd7e9732191e6991f199d04b5425b637830
audiocontrol_hal, vehicle_hal and evs_hal were added to dump_util.cpp in
b/148098383. But the corresponding dumpstate.te is not updated to reflect
the changes, causing denials when dumpstate attempts to dump auto hal servers.
This CL updates dumpstate.te to allow dumpstate to access auto hal servers.
Bug: 162537916
Test: sesearch -A -s dumpstate -t hal_audiocontrol_server -p signal sepolicy
Test: sesearch -A -s dumpstate -t hal_vehicle_server -p signal sepolicy
Test: sesearch -A -s dumpstate -t hal_evs_server -p signal sepolicy
Change-Id: If6d6e4d9c547da17817f2668dc4f2a093bddd632
dexoptanalyzer needs read access on the secondary
dex files and on the main apk files in order to successfully evaluate
and optimize them.
Example of denial:
audit(0.0:30): avc: denied { read } for
path="/data/app/~~Zux_isdY0NBkRWPp01oAVg==/com.example.secondaryrepro-wH9zezMSCzIjcKdIMtrw7A==/base.apk"
dev="vdc" ino=40966 scontext=u:r:dexoptanalyzer:s0
tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0
app=com.example.secondaryrepro
Test: adb shell cmd package compile -r bg-dexopt --secondary-dex app
Bug: 160471235
Bug: 160351055
Change-Id: Id0bda5237d3ce1620d4f6ee89595836b4e1f3abf
This needs to be updated to api 30.0 which introduced the system_ext.
Bug: 160314910
Test: build and boot
Change-Id: I08c4aed640467d11482df08613039726e7395be0
Merged-In: I08c4aed640467d11482df08613039726e7395be0
(cherry picked from commit 85a92849c73ae2b28e8a33a2e01bac47cc9f1684)
This needs to be updated to api 30.0 which introduced the system_ext.
Bug: 160314910
Test: build and boot
Change-Id: I08c4aed640467d11482df08613039726e7395be0
CTS runs are being polluted by denial logs from the best-effort isatty (
-> TCGETS ioctl) check done by the perfetto's log formatter.
This patch suppresses the denial.
I believe that what's actually being denied is the ioctl itself, NOT the
TCGETS aspect of it (there is a domain-wide fifo_file TCGETS allowxperms
rule in domain.te:303). But the "dontauditxperm" suppresses the denial
anyway.
Bug: 159988048
Merged-In: Ieee1d7de8b023dd632d0e37afa3a2434cfd1a3a1
Change-Id: Ieee1d7de8b023dd632d0e37afa3a2434cfd1a3a1
(cherry picked from commit 8519c6d316)
This is resolving the combination of ag/11956179 + ag/11956180,
as submitted in rvc-dev. The first change is a CP of a change already in
aosp/master, the second change is new.
The merge therefore contains just the second change as far as the
non-prebuilts are concerned, as well as an update of 30.0 prebuilts
for the combined changes.
Bug: 159988048
Change-Id: Ia35358419207dba7984f30da507f32902967ca62
The non-prebuilt files are already up-to-date, as this change exists in
aosp/master as aosp/1267820.
Bug: 159988048
Merged-In: Ie7780128fcd80a051e809bfc98f21179cb3f0ecc
Change-Id: Ie7780128fcd80a051e809bfc98f21179cb3f0ecc
(cherry picked from commit 2b2cde7592)
Per the bug rvc CTS runs are being polluted by denial logs from the
best-effort isatty ( -> TCGETS ioctl) check done by the perfetto's log
formatter.
This patch suppresses the denial, which is what's proposed for the scope
of rvc.
I believe that what's actually being denied is the ioctl itself, NOT the
TCGETS aspect of it (there is a domain-wide fifo_file TCGETS allowxperms
rule in domain.te:303). But the "dontauditxperm" suppresses the denial
anyway.
Bug: 159988048
Tested: flashed crosshatch-userdebug, verified that CTS is no longer
causing audit logs reported in the bug.
Change-Id: Ieee1d7de8b023dd632d0e37afa3a2434cfd1a3a1
Change 1: when running the "perfetto" binary via "adb shell
perfetto...", ctrl-Cing the host process doesn't propagate the teardown
to the on-device process (which normally should stop the tracing session
immediately). Allow signals adbd->perfetto to resolve.
Change 2: don't print audit logs for a harmless isatty() check on adb
sockets when they're the stderr of a "perfetto" process.
Example denials from the isatty() check (ioctl is TCGETS):
avc: denied { getattr } for path="socket:[244990]" dev="sockfs"
ino=244990 scontext=u:r:perfetto:s0 tcontext=u:r:adbd:s0
tclass=unix_stream_socket permissive=0
avc: denied { ioctl } for path="socket:[244992]" dev="sockfs" ino=244992
ioctlcmd=0x5401 scontext=u:r:perfetto:s0 tcontext=u:r:adbd:s0
tclass=unix_stream_socket permissive=0
Example denial from ctrl-c'ing "adb shell perfetto ...":
avc: denied { signal } for comm=7368656C6C20737663203134343537
scontext=u:r:adbd:s0 tcontext=u:r:perfetto:s0 tclass=process
permissive=0
===
This is a CP of commit 5f1f1b6a7a, with
updated 30.0 prebuilts. Using a new Change-Id since as far as I
understand, the prebuilts should still be merged downstream.
Bug: 159988048
Tested: patched onto an internal branch, then verified that denials are
gone on a flashed crosshatch-userdebug.
Change-Id: Ie7780128fcd80a051e809bfc98f21179cb3f0ecc
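
The denial records quoted in the commit message above can be triaged mechanically, including the hex-encoded comm= field in the signal denial. The parser below is an added example, not part of the commit or of AOSP; its function names and the one-entry ioctl table are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Denial records copied from the commit message above, each joined onto one line.
SAMPLE_DENIALS = [
    'avc: denied { getattr } for path="socket:[244990]" dev="sockfs" ino=244990 '
    'scontext=u:r:perfetto:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=0',
    'avc: denied { ioctl } for path="socket:[244992]" dev="sockfs" ino=244992 ioctlcmd=0x5401 '
    'scontext=u:r:perfetto:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=0',
    'avc: denied { signal } for comm=7368656C6C20737663203134343537 '
    'scontext=u:r:adbd:s0 tcontext=u:r:perfetto:s0 tclass=process permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')
IOCTL_NAMES = {0x5401: 'TCGETS'}  # assumption: only the command named in the commit

def decode_untrusted(raw):
    """Audit quotes safe strings and hex-encodes ones with spaces or control bytes."""
    if raw.startswith('"'):
        return raw.strip('"')
    if HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    return raw

def parse_denial(line):
    """Return the fields needed for triage, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    f = dict(FIELD_RE.findall(m.group(2)))
    rec = {
        'perms': m.group(1).split(),
        'source': f['scontext'].split(':')[2],  # u:r:perfetto:s0 -> perfetto
        'target': f['tcontext'].split(':')[2],
        'tclass': f['tclass'],
    }
    if 'comm' in f:
        rec['comm'] = decode_untrusted(f['comm'])
    if 'ioctlcmd' in f:
        rec['ioctl'] = IOCTL_NAMES.get(int(f['ioctlcmd'], 16), f['ioctlcmd'])
    return rec

def summarize(lines):
    """Group denied permissions by (source domain, target type, class)."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse_denial, lines)):
        groups[rec['source'], rec['target'], rec['tclass']].update(rec['perms'])
    return {key: sorted(perms) for key, perms in groups.items()}
```

Grouping by (source, target, class) keeps the two directions apart: perfetto acting on adbd's socket versus adbd signalling the perfetto process.
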
Bug: 158431662
Test: enable the tracepoint on user build
Change-Id: I61560003c5cc92f2563fb98bdaee9bfd4807f46a
Merged-In: I61560003c5cc92f2563fb98bdaee9bfd4807f46a
Due to AIDL HAL introduction, vendors can publish services
with servicemanager. vendor_service_contexts is labeled as
vendor_service_contexts_file, not nonplat_service_contexts_file.
And pack it to vendor partition.
Bug: 154066722
Test: check file label
Merged-In: Ic74b12e4c8e60079c0872b6c27ab2f018fb43969
Change-Id: Ic74b12e4c8e60079c0872b6c27ab2f018fb43969
Currently system server also has a GPU service. We use that to observe
updatable driver package changes, in order to communicate that
information down to the GPU service, this patch allows system server to
make binder call.
Bug: b/157832445, b/159240322
Test: adb shell dumpsys gpu
Change-Id: I9c32c690707e24a5cfbdfdc62feeea9705321f5b
Merged-In: I9c32c690707e24a5cfbdfdc62feeea9705321f5b
Currently system server also has a GPU service. We use that to observe
updatable driver package changes, in order to communicate that
information down to the GPU service, this patch allows system server to
make binder call.
Bug: b/157832445, b/159240322
Test: adb shell dumpsys gpu
Change-Id: I9c32c690707e24a5cfbdfdc62feeea9705321f5b
This is needed to run update_engine unittests in cuttlefish. In the test,
the directory is mounted as R/W.
Denial:
avc: denied { write } for path="/data/misc/update_engine/tmp/a_img.NqUpaa" dev="dm-4" ino=3048 scontext=u:r:kernel:s0 tcontext=u:object_r:update_engine_data_file:s0 tclass=file permissive=0
strace:
mount("/dev/block/loop26", "/data/local/tmp/.org.chromium.Chromium.3s2KYE", "ext2", 0, "") = -1 EIO (I/O error)
Bug: 157594374
Test: unittests pass
Change-Id: I4658eb60240bd725bac2aef30305747ffe50aeb6
(cherry picked from commit 9f7947348f)