Zoned block device will be used along with userdata_block_device
for /data partition.
Bug: 197782466
Change-Id: I777a8b22b99614727086e72520a48dbd8306885b
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Bug: 262230400
Test: -
1. Remove the "oat" directory of an app.
2. Dexopt the app using ART Service.
3. See no SELinux denials.
Change-Id: I717073b0172083d73a1b84e5c2bea59076663b2f
We use this as a namespace of all system properties used by ART Service.
As ART Service is in the updatable ART module, we need to be able to add
new properties.
Bug: 256639711
Test: Presubmit
Change-Id: Idcee583abccef9c0807699122074eb26927ca57b
Commit 2d736569e716b5c143f296ae124bcfed9630a4d2 improved the logging
in virtualization service by attempting to get the real path from
/proc/self/fd/N for various files.
However, CompOS stores its log files in a directory
(/data/misc/apexdata/...) which VS has no access to, triggering an
SELinux denial:
avc: denied { search } for name="apexdata"
scontext=u:r:virtualizationmanager:s0
tcontext=u:object_r:apex_module_data_file:s0 tclass=dir
Suppress this denial, since it causes no harm (we just don't log the
real path).
Bug: 264496291
Bug: 251751405
Test: composd_cmd test-compile;
see no denials
Change-Id: Ia55e593c0c0735b8f3085a964f0c789c177375f2
Based on:
cs/p:aosp-master -file:prebuilts/ get_prop.*bpf_progs_loaded_prop
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: If07026b1ea5753a82401a62349c494b4cbf699b6
Split virtualizationservice policy into rules that should remain with
the global service and rules that now apply to virtmgr - a child process
of the client that runs the VM on its behalf.
The virtualizationservice domain remains responsible for:
* allocating CIDs (access to props)
* creating temporary VM directories (virtualization_data_file, chown)
* receiving tombstones from VMs
* pushing atoms to statsd
* removing memlock rlimit from virtmgr
The new virtualizationmanager domain becomes responsible for:
* executing crosvm
* creating vsock connections, handling callbacks
* preparing APEXes
* pushing ramdumps to tombstoned
* collecting stats for telemetry atoms
The `virtualizationservice_use` macro is changed to allow client domains
to transition to the virtmgr domain upon executing it as their child,
and to allow communication over UDS.
Clients are not allowed to communicate with virtualizationservice via
Binder, only virtmgr is now allowed to do that.
Bug: 250685929
Test: atest -p packages/modules/Virtualization:avf-presubmit
Change-Id: Iefdccd908fc28e5d8c6f4566290e79ed88ade70b
Before this change, system_server only has write access. We want read
access the directory so that we can check if it has the right
permissions before we write to it.
Bug: 262230400
Test: No longer see SELinux denials on that directory.
Change-Id: Ic26b2a170031c4f14423b8b1f1a8564d64f532ae
This is required during OTA. File will be removed
once OTA update is completed.
Bug: 262407519
Test: OTA on Pixel
Change-Id: I8922ebaaa89f9075fe47d2b74f61071b657850f0
Signed-off-by: Akilesh Kailash <akailash@google.com>
Organize the HDMI packages into CEC, EArc and connection under a common
hdmi package.
Bug: 261729059
Test: atest vts_treble_vintf_framework_test
atest vts_treble_vintf_vendor_test
Change-Id: Ief5bff996028775ea355b392a4028a091fb83b99
It is started very early before linker namespaces are configured, thus
making it a bootstrap process.
Bug: 263398430
Test: watch boottime benchmark
Change-Id: I60411601a6be78f8401e43d136b567615002797c
* changes:
Allow biometrics hals to talk to the new AIDL sensorservice
Allow audio HAL to talk to the new AIDL sensorservice
Allow camera to talk to the new AIDL sensorservice
The process has the exclusive access to /dev/hw_random. It instead opens
provides a socket (/dev/prng_seeder/socket) which any process can
connect to to get random numbers.
This CL is basically a Microdroid version of aosp/2215051
Bug: 247781653
Test: same as aosp/I0a7e339115a2cf6b819730dcf5f8b189a339c57d
* Verify prng_seeder daemon is running and has the
correct label (via ps -Z)
* Verify prng_seeder socket present and has correct
label (via ls -Z)
* Verify no SELinux denials
* strace a libcrypto process and verify it reads seeding
data from prng_seeder (e.g. strace bssl rand -hex 1024)
* strace seeder daemon to observe incoming connections
(e.g. strace -f -p `pgrep prng_seeder`)
Change-Id: I3483132ead0f5d101b5b3365f78cc36d89528f0e
