com.android.cronet has never been released and has since been deleted as
Cronet was added to the tethering module.
Test: TH
Bug: 266673389
Change-Id: Ia288d4322c13ba986164a12f4999fea1cd60d529
Split virtualizationservice policy into rules that should remain with
the global service and rules that now apply to virtmgr - a child process
of the client that runs the VM on its behalf.
The virtualizationservice domain remains responsible for:
* allocating CIDs (access to props)
* creating temporary VM directories (virtualization_data_file, chown)
* receiving tombstones from VMs
* pushing atoms to statsd
* removing memlock rlimit from virtmgr
The new virtualizationmanager domain becomes responsible for:
* executing crosvm
* creating vsock connections, handling callbacks
* preparing APEXes
* pushing ramdumps to tombstoned
* collecting stats for telemetry atoms
The `virtualizationservice_use` macro is changed to allow client domains
to transition to the virtmgr domain upon executing it as their child,
and to allow communication over UDS.
Clients are not allowed to communicate with virtualizationservice via
Binder, only virtmgr is now allowed to do that.
Bug: 250685929
Test: atest -p packages/modules/Virtualization:avf-presubmit
Change-Id: Iefdccd908fc28e5d8c6f4566290e79ed88ade70b
Start a new security domain for virtmgr - a child proces of an app that
manages its virtual machines.
Add permissions to auto-transition to the virtmgr domain when the client
fork/execs virtmgr and to communicate over UDS and pipe.
Bug: 250685929
Test: atest -p packages/modules/Virtualization:avf-presubmit
Change-Id: I7624700b263f49264812e9bca6b83a003cc929be
This is a part of changes to bring up Remote Key Provisioning Daemon
module. See packages/modules/RemoteKeyProvisioning for more info.
Change-Id: Iae4e98176491637acb03e2e09b9d8dbc269be616
Test: atest rkpd_client_test
Replicate change
https://android-review.googlesource.com/c/1663786/2/apex/com.android.art-file_contexts
in `apex/com.android.art.debug-file_contexts`.
Test: Patch this commit into a tree that uses `artd` (only internal
ones at the moment) and run the following command on a device
running the Debug ART APEX:
adb shell pm art \
get-optimization-status com.google.android.youtube
Change-Id: If0b10b585778e8b585e76b2a4512a2f23facd22e
- Adapt installd rules for app compilation.
- Add profman rules for checking the profile before compilation. This is new behavior compared to installd.
Bug: 229268202
Test: -
1. adb shell pm art optimize-package -m speed-profile -f \
com.google.android.youtube
2. See no SELinux denial.
Change-Id: Idfe1ccdb1b27fd275fdf912bc8d005551f89d4fc
Also, rename the file_contexts file to match the new BT stack apex name
(com.android.bluetooth)
Test: TH
Bug: 236187653
Bug: 236192423
Ignore-AOSP-First: LSC
Change-Id: Ie610775d397d0a81f83e251ed3b5f73006bfd272
Will not need this in near future.
Fix: 230729916
Test: Build
Change-Id: Iec5049bb2cc16de1d947e07eec0f151182f5a22a
Merged-In: Iec5049bb2cc16de1d947e07eec0f151182f5a22a
Ignore-AOSP-First: cherry-picked from AOSP
Add the compos_key_helper domain for the process which has access to
the signing key, make sure it can't be crashdumped. Also extend that
protection to diced & its HAL.
Rename compos_verify_key to compos_verify, because it doesn't verify
keys any more.
Move exec types used by Microdroid to file.te in the host rather than
their own dedicated files.
Bug: 218494522
Test: atest CompOsSigningHostTest CompOsDenialHostTest
Change-Id: I942667355d8ce29b3a9eb093e0b9c4f6ee0df6c1
clatd binary is starting to be shipped by apex since T+ release
and the shipped clatd is belong to u:object_r:clatd_exec:s0.
Test: manual test
1. Connect to ipv6-only wifi.
2. Make IPv4 traffic.
$ ping 8.8.8.8
Change-Id: I4f6f0944e94e165983a19a5d3c3a117274f6bbac
For now, contexts modules have been using se_filegroup modules, which
makes the build system logic unnecessarily complex. This change
refactors it to se_build_files modules and normal `android:"path"`
logic.
Test: build and boot
Change-Id: I52e557e2dc8300186869a97fddfd3a74183473f7
Test: loaded to an AVD
Bug: b/210728915
Ignore-AOSP-First: this feature is developed in an internal branch
Change-Id: I8a3d1ec25938c84cfe35a36e706e891ce2b9659e
Test: loaded to an AVD
Bug: b/210728915
Ignore-AOSP-First: this feature is developed in an internal branch
Change-Id: I000ec62b5aa8fba1fbf2ac5f65ae5deb3ebe9ff7
composd spawns odrefresh in its usual domain. odrefresh then spawns
fd_server in a different domain, and makes binder calls back to
composd to perform individual compilation steps.
fd_server is fairly generic, and part of the virt APEX, but this
instance is specific to composd (e.g. it has access to ART files), so
I named the domain composd_fd_server.
Bug: 186126194
Test: Run composd_cmd, artifacts generated
Change-Id: I5a431dd00b5b396a67021c618fc6edcfb25aa21b
The pre/post-install hook functionality has been deprecated and removed.
Bug: 172606645
Test: atest ApexTestCases
Test: atest CtsStagedInstallHostTestCases
Change-Id: I8a5f726a0c8f005654d0430b5a4598e416ff9c28
Add what we need to allow composd to run and expose an AIDL service.
Also delete the policy for compsvc; we never access it in the host
now, and the real policy is in microdroid. Retain the compos_exec
type, since it is referenced in the APEX sepolicy.
Bug: 186126194
Test: adb shell cmd -w android.system.composd; no denials.
Change-Id: I5f06b2b01852cdebd2d67009b363ec08b17ce33a
Remove some allow rules for odsign, since it no longer directly
modifies CompOs files. Instead allow it to run compos_verify_key in
its own domain.
Grant compos_verify_key what it needs to access the CompOs files and
start up the VM.
Currently we directly connect to the CompOs VM; that will change once
some in-flight CLs have landed.
As part of this I moved the virtualizationservice_use macro to
te_macros so I can use it here. I also expanded it to include
additional grants needed by any VM client that were previously done
for individual domains (and then deleted those rules as now
redundant).
I also removed the grant of VM access to all apps; instead we allow it
for untrusted apps, on userdebug or eng builds only. (Temporarily at
least.)
Bug: 193603140
Test: Manual - odsign successfully runs the VM at boot when needed.
Change-Id: I62f9ad8c7ea2fb9ef2d468331e26822d08e3c828
It's a test tool which is generally run as root, and will be deleted
eventually. It doesn't need its own label; system_file works fine.
We never actually allowed it anything, nor defined a transition into
the domain.
Bug: 194474784
Test: Device boots, no denials
Test: compos_key_cmd run from root works
Change-Id: If118798086dae2faadeda658bc02b6eb6e6bf606
