Steps taken to produce the mapping files:
1. Add prebuilts/api/29.0/[plat_pub_versioned.cil|vendor_sepolicy.cil]
plat_pub_versioned.cil contains all public attributes and types from Q
Leave vendor_sepolicy.cil is empty.
2. Add new file private/compat/29.0/29.0.cil by doing the following:
- copy /system/etc/selinux/mapping/29.0.cil from pi-dev aosp_arm64-eng
device to private/compat/29.0/29.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 29 sepolicy.
Find all such types using treble_sepolicy_tests_29.0 test.
- for all these types figure out where to map them by looking at
28.0.[ignore.]cil files and add approprite entries to 29.0.[ignore.]cil.
This change also enables treble_sepolicy_tests_29.0 and installs
29.0.cil mapping file onto the device.
Bug: 133155528
Bug: 133196056
Test: m treble_sepolicy_tests_29.0
Test: m 29.0_compat_test
Test: m selinux_policy
Change-Id: I59f6251e9baa6527a358dec024e9fae62388db2b
I took current AOSP policy as base, then removed sepolicy so that the
set of type and attributes was a subset of types and attributes in Q
sepolicy, with exception of those that have not yet been cleand up in
current AOSP:
mediaswcodec_server
netd_socket
mediaextractor_update_service
thermalserviced
thermalserviced_exec
Bug: 133196056
Test: n/a
Change-Id: I2cbe749777684146114c89e1e6fc3f07400c0ae5
These lines are copied from update_engine.te, and are needed to update
dynamic partitions in recovery.
Bug: 132943965
Test: sideload OTA on cuttlefish
Change-Id: Id03a658aac69b8d20fa7bb758530a4469c75cf9c
Merged-In: Id03a658aac69b8d20fa7bb758530a4469c75cf9c
* changes:
Add vendor_misc_writer change to API 29 prebuilts.
Add vendor_misc_writer.
Add persist.sys.device_provisioned change to API 29 prebuilts.
Set persist.sys.device_provisioned vendor-init-readable.
This is a matching change for commit 8f39cce73a ("Add
vendor_misc_writer."), which updates the prebuilts for API 29.
Bug: 132906936
Test: Build crosshatch that includes misc_writer module. Invoke
/vendor/bin/misc_writer to write data to /misc.
Change-Id: Id12a1ed45c8cef6e4039a9dda6a1fb41f9e014de
This is a matching change for commit 97d4561941 ("Set
persist.sys.device_provisioned vendor-init-readable."), which updates
the prebuilts for API 29.
Bug: 131702833
Bug: 132906936
Test: Set an init trigger that waits on `persist.sys.device_provisioned`.
Check that there's no longer a denial.
Change-Id: I2cea3d000b7faa471fa524dcd7a3d4843ae5960f
Similar to aosp/961857, but enables the logging of atrace events from
the camera HAL (primarily HIDL interactions, but also a couple of ION
events).
Keeping it confined to userdebug_or_eng. Longer-term planning belongs on
b/78136428.
Not adding fwk_camera_hwservice, as it is a HIDL interface to
cameraserver (which is already covered above).
Plus slight reorganization of existing atrace.te contents, and donaudits
to reduce logspam from denials (including pre-existing ones that were
hitting the rate limiter).
Specific denials addressed (listing HALs, finding camera HAL, notifying it):
05-15 18:07:19.684 618 618 E SELinux : avc: denied { list } for scontext=u:r:atrace:s0 tcontext=u:r:hwservicemanager:s0 tclass=hwservice_manager permissive=1
05-15 18:07:19.701 618 618 E SELinux : avc: denied { find } for interface=android.hardware.camera.provider::ICameraProvider sid=u:r:atrace:s0 pid=10137 scontext=u:r:atrace:s0 tcontext=u:object_r:hal_camera_hwservice:s0 tclass=hwservice_manager permissive=1
05-15 18:07:19.698 10137 10137 I atrace : type=1400 audit(0.0:273): avc: denied { call } for scontext=u:r:atrace:s0 tcontext=u:r:hal_camera_default:s0 tclass=binder permissive=1
Bug: 130543265
Tested: flashed blueline-userdebug, took a trace with perfetto, confirmed HIDL atrace slices present in camera hal trace.
Merged-In: I0f8ce989355603e41d6c05c3de07e7dd615555eb
Change-Id: I0f8ce989355603e41d6c05c3de07e7dd615555eb
(cherry picked from commit 19459a3802)
This allows the atrace cmd to notify cameraserver (the host of
media.camera service) that the set of tracing-related system properties
have changed. This allows the cameraserver to notice that it might need
to enable its trace events.
The atrace cmd has the necessary permission when running as shell, but
not when it is running as the "atrace" domain (notably when exec'd by
perfetto's traced_probes).
We're adding cameraserver to the whitelist as it contains important
events for investigating the camera stack.
Example denial:
05-14 22:29:43.501 8648 8648 W atrace : type=1400 audit(0.0:389): avc: denied { call } for scontext=u:r:atrace:s0 tcontext=u:r:cameraserver:s0 tclass=binder permissive=0
Tested: flashed blueline-userdebug, captured a perfetto trace with "camera" atrace category, confirmed that userspace atrace events are included in the trace.
Bug: 130543265
Merged-In: Ifd3fd5fd3a737c7618960343b9f89d3bf7141c94
Change-Id: Ifd3fd5fd3a737c7618960343b9f89d3bf7141c94
(cherry picked from commit 232295e8db)
