Add the wifi namespace to sepolicy and allow system_app (Settings) and
wifi_supplicant to manage/use the keys in that namespace
Test: N/A
Bug: 171305388
Change-Id: Ib6af8656b18288a1116c241c2e76d9aea421a889
This change adds the SEPolicy changes required to support the remote
provisioning flow. The notable additions are specifically labeling the
remote provisioning app and giving it access to find the remote
provisioning service which is added in keystore. It also requires
network access in order to communicate to the provisioning servers.
This functionality is extremely narrow to the point that it seems worth
it to define a separate domain for this app, rather than add this in to
the priv_app or platform_app permission files. Since this app also
communicates with the network, it also seems advantageous to limit its
permissions only to what is absolutely necessary to perform its
function.
Test: No denials!
Change-Id: I602c12365a575d914afc91f55e6a9b6aa2e14189
aosp/1574082 added sepolicy for a "vpnmanager" system service
which is being introduced to move code from ConnectivityService
to a new VpnManagerService.
Unfortunately that CL missed the fact that "vpn_management" is
already a service name and present in the public API since R.
Instead of adding another service name, use the existing service
name to lessen confusion. It is difficult to avoid confusion
entirely because there was already a public class called
VpnService when the VpnManager class was added to the public API
surface.
Bug: 173331190
Test: builds, boots, "dumpsys vpn_management" throws no errors
Change-Id: I4ab188ef62592aac167ba1f7b586accc882815e8
Follow the steps: go/android-native-flag-api-manual
Bug: 179099277
Test: m -j
Test: manually verify connection to wifi after flash
Change-Id: Ieb5355d40aec9ed7a42b7ae5b250b696fcf00810
The system server code that backs VPN APIs such as VpnService and
VpnManager currently lives in ConnectivityService and is accessed
via IConnectivityManager.
In S, ConnectivityService is being moved to the tethering
mainline module, but the VPN code is not. So add an new
service (vpnmanager, IVpnManager, VpnManagerService) to support
these APIs.
Service implementation at http://r.android.com/1572982 . That CL
cannot be in a topic with this one because it will conflict in
master and sc-dev.
Bug: 173331190
Test: builds, boots, "dumpsys vpnmanager" throws no errors
Change-Id: Ic09c93cc454ec959a3beda2b09efa74b8db30c27
These permissions are required for dumpstate to read the DMA-BUF sysfs
stats present at /sys/kernel/dmabuf/buffers
Bug: 167709539
Test: adb shell am bug-report
Change-Id: I1c00843775452b7a7aa39b059e1d77d77aed1e9c
This directory is used to store override config, so that they can
persist across reboot.
Test: atest CompatConfigTest
Bug: 145509340
Change-Id: I5e8f2b3093daeccd6c95dff24a8c6c0ff31235ca
And allow access from system apps to vendor libs public only for system.
These files should be marked individually by OEMs. Maintainance
ownership for these libraries is also OEM's responsability.
Similar with vendor_public_libs_file type, this allows for an explicit
labeling of OEM system apps that can access libs from vendor.
Bug: 172526961
Test: build-only change, policy builds
Change-Id: I7d4c8232e0b52e73f373d3347170c87ab2dcce52
For upcoming @SystemApi DomainVerificationManager.
Test: manual, accessing new manager from test app works
Change-Id: Ic73733dce3e9152af9c6f08fb7e460fa5a01ebdf
The updated font files will be stored to /data/fonts/files and
all application will read it for drawing text.
Thus, /data/fonts/files needs to be readable by apps and only writable
by system_server (and init).
Bug: 173517579
Test: atest CtsGraphicsTestCases
Test: Manually done
Change-Id: Ia76b109704f6214eb3f1798e8d21260343eda231
Add selinux policy so the app hibernation system service can be accessed
by other processes/apps.
Bug: 175829330
Test: builds
Change-Id: I96ea9dd977ec007bc11560601554547749b4df03
This is a shared part that all NN HAL users otherwise would have to
define themselves.
Bug: 172922059
Test: m
Test: VtsHalNeuralnetworksTest on master (locally)
Change-Id: I3616d0afbb115bc0feaed00488855646633da915
IncFS in S adds a bunch of new ioctls, and requires the users
to read its features in sysfs directory. This change adds
all the features, maps them into the processes that need to
call into them, and allows any incfs user to query the features
Bug: 170231230
Test: incremental unit tests
Change-Id: Ieea6dca38ae9829230bc17d0c73f50c93c407d35
The interaface now provided by IKeystoreAuthorization AIDL interface was
previously provided by Keystore AIDL interface.
This CL adds policy to allow Keystore2 to register
IKeystoreAuthorization aidl service and to allow service manager to
look up and connect to the service.
Bug: 159475191
Test: Needs to be tested in runtime
Change-Id: I56829a8764e0efe55efdc92b75d7a3d918a20dae
