Relevant error logs show up when dumpstate do lsof using su identity:
RunCommand("LIST OF OPEN FILES", {"lsof"}, CommandOptions::AS_ROOT);
This is an intended behavior and the log is useless for debugging so I
suppress them.
Bug: 226717429
Test: do bugreport with relevant error gone.
Change-Id: Ide03315c1189ae2cbfe919566e6b97341c5991bb
Thermal Service access needs to be provided to Sdk Sandbox
for Webview to record battery related metrics. We also
provide isolated process access to the file directory for sandbox
so that the renderer process can access it.
Bug: b/226558510
Test: Manual
Change-Id: I1ac14d4df7ab53e567a27086d0418ec612a7686f
wpa_supplicant needs permission to access the Netlink Interceptor HAL.
Bug: 224844967
Test: Modified version of wpa_supplicant can access Netlink Interceptor
Change-Id: I80c6c980b6655beadfaf14535702ad8e96c2befe
commit 7fd8933f0c removed this from host
sepolicy. It's redundant here as well.
Bug: 223596375
Test: Builds
Change-Id: I39d7432c6e31f49de5eb8dca8acc7e9c5d190617
This adds the two top interfaces: IConfig and IModule
to service context, allows the HAL service to call
Binder, and registers the example implementation
service executable.
Bug: 205884982
Test: m
Change-Id: I322e813c96123167ea29b6c25a08ec9677c9b4d1
This isn't really used at the moment, but since the decision was to keep
the capability for future ART change, we should also allow it in CompOS
for consistency.
While I'm on in, rearrange the policy to group mirrored policies
together.
Bug: 209488862
Test: None
Change-Id: Id6afafc42005e711127a1e0831d4dd03e48959eb
This system property is going to be used by vold and MediaProvider to
enable/disable the FUSE-BPF feature in dogfood.
This is a simple way to quickly turn the feature off is breakages are
detected.
Bug: 202785178
Test: adb logcat | grep "FuseDaemon" | grep BPF
Signed-off-by: Alessio Balsini <balsini@google.com>
Change-Id: I65ae60b6a505db52b30232b9e5a504eccaafa1eb
This change adds selinux policies to allow EVS HAL implementations to
use cardisplayproxyd, which implements a stable AIDL version of the
automotive display proxy service interface.
Bug: 170401743
Bug: 217271351
Test: Manually confirm that evs_app renders the camera preview through
cardisplayproxyd
Change-Id: Ia301b782c6c031fe8351bdcda5ce264da6b8aa4d
Relevant error logs show up when dumpstate do lsof using su identity:
RunCommand("LIST OF OPEN FILES", {"lsof"}, CommandOptions::AS_ROOT);
This is an intended behavior and the log is useless for debugging so I
suppress them.
Bug: 225767289
Test: do bugreport with no su related avc errors
Change-Id: I0f322cfc8a461da9ffb17f7493c6bbdc58cce7b6
Init will try restorecon /dev/console, together with /dev, at the second
stage boot.
Bug: 193118220
Test: atest MicrodroidHostTestCases
Change-Id: Ie9796368b54bb0773eabf5ff6feb2b4aa41d0bfa
This is in addition to allowing setting of extended attributes (for project quota IDs) on files and dirs and to enable project ID inheritance through FS_IOC_SETFLAGS
Bug: b/215154615
Test: atest installd/StorageHostTest
Test: atest installd/installd_service_test.cpp
Change-Id: I769ae7ed110175dbb5d511a4345c57057d71ae64
We don't use MLS in Microdroid, so we don't need MLS rules, nor
mlstrusted[subject|object] labels. (We keep one MLS rule to satisfy
checkpolicy.)
A lot of attributes are unused in Microdroid, so we can remove their
declarations and any references to them. (That may not make the
compiled policy smaller, since hopefully they get optimised out
anyway, but it means there is less policy for humans to deal with.)
Remove labels that relate only to apps, which we don't have - MAC
permissions, run-as, seapp_contexts.
In passing, fix a comment snafu in both system & microdroid policy.
Bug: 223596375
Test: Run staged-apex-compile & compos_verify, no denials
Test: atest MicrodroidTests MicrodroidHostTestCases
Change-Id: Ifd3589945a2d8b4c0361e00eec5678795513fd8c
