Fixes the following denials:
avc: denied { getattr } for path="/dev/dma_heap/system" dev="tmpfs"
ino=534 scontext=u:r:mediatranscoding:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file
permissive=0
Bug: 185867872
Test: No more DMA-BUF heap related denials from
CtsMediaTranscodingTestCases
Change-Id: I45b57b45e0db996f08b82618dcd085ba0f7e6ef6

Once b/186727553 is fixed, booting GSI on cuttlefish will no longer load
cuttlefish's system_ext sepolicy. These domains are all private and
hence the permissions are being added to system/sepolicy to avoid
making them public (especially mediatranscoding that was changed from
public to private in Android S).
Test: build, boot
Change-Id: I4a78030015fff147545bb627c9e62afbd0daa9d7

This will make debugging of keystore issues in dogfood populations much
easier than it previously was, as developers will have detailed crash
dump reporting on any issues that do occur.
Bug: 186868271
Bug: 184006658
Test: crash dumps appear if keystore2 explodes
Change-Id: Ifb36cbf96eb063c9290905178b2fdc5934050b99

Extend existing restrictions targeting only apps with API level >= 30 to
all apps.
To be merged when automerge to sc-dev ends.
Bug: 170188668
Test: atest bionic-unit-tests-static
Test: atest NetworkInterfaceTest
Test: Connect to Wi-Fi network
Test: atest CtsSelinuxTargetSdk27TestCases
Test: atest CtsSelinuxTargetSdk28TestCases
Test: atest CtsSelinuxTargetSdk29TestCases
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Change-Id: Ibd6b9f1e23f12320f3bec782cdd7a6837013597a

This allows us to log metrics from traced_probes to statsd
for failures. This is required for implementation of
go/perfetto-failure-stats.
This matches the CL aosp/1690788 which adds the initial logging to
traced_probes.
This solves the following denied message from logcat:
avc: denied { write } for comm="traced_probes" name="statsdw" scontext=u:r:traced_probes:s0 tcontext=u:object_r:statsdw_socket:s0
Bug: 177215620
Change-Id: I1523df818562f839b28061ef88f1910d4745a289
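Added example, not part of these commits or of AOSP: a small parser that turns an avc denial like the two quoted above into the allow rule it implies, so a reviewer can compare it with the rule a change actually adds. The helper names (parse_denial, type_of, to_allow_rule) are hypothetical; the second denial is quoted on this page without a tclass field, so no rule is derived for it.

```python
import re

# The two denials quoted in the commit messages above (first one re-joined).
DENIALS = [
    'avc: denied { getattr } for path="/dev/dma_heap/system" dev="tmpfs" ino=534 '
    'scontext=u:r:mediatranscoding:s0 '
    'tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=0',
    'avc: denied { write } for comm="traced_probes" name="statsdw" '
    'scontext=u:r:traced_probes:s0 tcontext=u:object_r:statsdw_socket:s0',
]

PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line):
    """Return the key=value fields of one avc denial, or None if it is not one."""
    m = PERMS.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    fields['perms'] = m.group(1).split()
    return fields


def type_of(context):
    """Extract the type from a user:role:type:level security context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError(f'malformed context: {context!r}')
    return parts[2]


def to_allow_rule(line):
    """Return (rule, None), or (None, reason) when a needed field is absent."""
    d = parse_denial(line)
    if d is None:
        return None, 'not an avc denial'
    missing = [k for k in ('scontext', 'tcontext', 'tclass') if k not in d]
    if missing:
        return None, 'missing ' + ', '.join(missing)
    perms = d['perms']
    perm_s = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    rule = (f"allow {type_of(d['scontext'])} {type_of(d['tcontext'])}:"
            f"{d['tclass']} {perm_s};")
    return rule, None
```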
I haven't reviewed a single sepolicy change for over a year.
There are plenty of OWNERs who know the current code better.
Test: N/A
Bug: None
Signed-off-by: Sandeep Patil <sspatil@google.com>
Change-Id: I2f8345a0220e0f59ca56fad44768a074c3921f05

plat_sepolicy_vers.txt stores the version of vendor policy. This change
adds sepolicy_vers module to migrate plat_sepolicy_vers.txt to
Android.bp.
- Device's plat_sepolicy_vers: should be BOARD_SEPOLICY_VERS
- Microdroid's plat_sepolicy_vers: should be PLATFORM_SEPOLICY_VERSION
because all microdroid artifacts are bound to platform
Bug: 33691272
Test: boot device && boot microdroid
Change-Id: Ida293e1cb785b44fa1d01543d52d3f8e15b055c2

precompiled_system_ext_and_mapping.sha256 and
precompiled_product_and_mapping.sha256 have been installed, regardless of
existence of system_ext and product policies. This change only installs
such hash files when policy files exist, for consistency.
Bug: 186727553
Test: boot yukawa and see precompiled sepolicy is used
Change-Id: Iaad827cefdbe82e68288cd6cc59b55b5f28c229d

The ABI for system-secure heap was originally created to allow codec2 to
continue allocation in protected heaps by specifying the heap name via
the C2 HAL's ComponentStore interface. This patch makes the ABI
expandable to accommodate multiple heaps both for usage by codec2 as well
as to allow unbinderized SP HALs to allocate in protected heaps.
Bug: 175697666
Test: manual
Change-Id: Ia8c1797c16441e73398c46d8727eee99614a35f1

otadexopt needs to be able to invoke derive_classpath in order to
determine the boot-classpath after the OTA finishes.
Test: manual OTA on blueline
Bug: 186432034
Change-Id: I3ec561fc0aa9de25ae1186f012ef72ba851990d0

Some jars, such as com.android.location.provider.jar, are both on the
system_server classpath and loaded as libraries. If the .oat files are
in the ART apexdata cache (due to being system_server classpath), they
need execute permission to be usable as AOT compiled libraries.
Bug: 184881321
Test: install an updated ART apex, open apps, see no more denials
Change-Id: I89b74dfa047699c568575d99a29c5e74abdef076