Transfers access permissions into the system policy which
would otherwise be setup on a per-device basis in exactly
the same recurring way.
For surfacefliner it avoids errors when it
(via its dependent graphics libraries) tries to allocate
memory from the protected heap, e.g. when operating on a
Vulkan device with protected memory support.
Bug: 235618476
Change-Id: I7f9a176c067ead2f3bd38b8c34fc55fa39d87655
This way, remote provisioner can decide to noop when rkpd is
enabled.
Test: RemoteProvisionerUnitTests
Change-Id: I9c300360dc08c6d70431b83e1db714941d8caca1
This property contains the server name for the remote provisioning
service, if any, used by the device.
Test: RkpdAppUnitTests
Change-Id: Iad7805fe6da1ce89a9311d5caf7c9c651af2d16d
Zoned block device will be used along with userdata_block_device
for /data partition.
Bug: 197782466
Change-Id: I777a8b22b99614727086e72520a48dbd8306885b
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Bug: 262230400
Test: -
1. Remove the "oat" directory of an app.
2. Dexopt the app using ART Service.
3. See no SELinux denials.
Change-Id: I717073b0172083d73a1b84e5c2bea59076663b2f
We use this as a namespace of all system properties used by ART Service.
As ART Service is in the updatable ART module, we need to be able to add
new properties.
Bug: 256639711
Test: Presubmit
Change-Id: Idcee583abccef9c0807699122074eb26927ca57b
The automotive display service is moved to /system_ext partition.
Bug: 246656948
Test: Build selinux policy for aosp_cf_x86_64_only_auto target.
> lunch aosp_cf_x86_64_only_auto-userdebug
> m -j selinux_policy
Change-Id: If822e54aa99053c1aaee9f41d067860ea965c2f2
Commit 2d736569e716b5c143f296ae124bcfed9630a4d2 improved the logging
in virtualization service by attempting to get the real path from
/proc/self/fd/N for various files.
However, CompOS stores its log files in a directory
(/data/misc/apexdata/...) which VS has no access to, triggering an
SELinux denial:
avc: denied { search } for name="apexdata"
scontext=u:r:virtualizationmanager:s0
tcontext=u:object_r:apex_module_data_file:s0 tclass=dir
Suppress this denial, since it causes no harm (we just don't log the
real path).
Bug: 264496291
Bug: 251751405
Test: composd_cmd test-compile;
see no denials
Change-Id: Ia55e593c0c0735b8f3085a964f0c789c177375f2
Based on:
cs/p:aosp-master -file:prebuilts/ get_prop.*bpf_progs_loaded_prop
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: If07026b1ea5753a82401a62349c494b4cbf699b6
Split virtualizationservice policy into rules that should remain with
the global service and rules that now apply to virtmgr - a child process
of the client that runs the VM on its behalf.
The virtualizationservice domain remains responsible for:
* allocating CIDs (access to props)
* creating temporary VM directories (virtualization_data_file, chown)
* receiving tombstones from VMs
* pushing atoms to statsd
* removing memlock rlimit from virtmgr
The new virtualizationmanager domain becomes responsible for:
* executing crosvm
* creating vsock connections, handling callbacks
* preparing APEXes
* pushing ramdumps to tombstoned
* collecting stats for telemetry atoms
The `virtualizationservice_use` macro is changed to allow client domains
to transition to the virtmgr domain upon executing it as their child,
and to allow communication over UDS.
Clients are not allowed to communicate with virtualizationservice via
Binder, only virtmgr is now allowed to do that.
Bug: 250685929
Test: atest -p packages/modules/Virtualization:avf-presubmit
Change-Id: Iefdccd908fc28e5d8c6f4566290e79ed88ade70b
Before this change, system_server only has write access. We want read
access the directory so that we can check if it has the right
permissions before we write to it.
Bug: 262230400
Test: No longer see SELinux denials on that directory.
Change-Id: Ic26b2a170031c4f14423b8b1f1a8564d64f532ae
This is required during OTA. File will be removed
once OTA update is completed.
Bug: 262407519
Test: OTA on Pixel
Change-Id: I8922ebaaa89f9075fe47d2b74f61071b657850f0
Signed-off-by: Akilesh Kailash <akailash@google.com>
Organize the HDMI packages into CEC, EArc and connection under a common
hdmi package.
Bug: 261729059
Test: atest vts_treble_vintf_framework_test
atest vts_treble_vintf_vendor_test
Change-Id: Ief5bff996028775ea355b392a4028a091fb83b99
