This is needed to load GKI leaf modules like zram.ko.
Bug: 279227085
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I8a8205e50aa00686f478aba5336299e03490bbb5
Merged-In: I8a8205e50aa00686f478aba5336299e03490bbb5
This reverts commit 92251f5d15.
Reason for revert: Remove deferred list functionality now that the shape
of ANGLE shipping form is binaries. Applications on the list are broken
with ANGLE due to the lack of YUV support, this is currently being
worked on.
Ignore-AOSP-First: Cherry-pick revert.
Bug: 280450222
Change-Id: Ied92e6f482fe77e045139b4b0531b1db1a7ffb13
Test: atest CtsAngleIntegrationHostTestCases
Ignore-AOSP-First: confidential feature
Adding a system property to be read by AudioService
to override the minimum volume setting for the
assistant stream.
Bug: 277829235
Test: Build only
Change-Id: I08c500c0a3bb040559ca99d1817b7b848deee8c6
An app may wish to pass an open FD for the SDK sandbox
to consume, and vice versa. Neither party will be
permitted to write to the other's open FD.
Ignore-AOSP-First: Cherrypick
Test: Manual
Bug: 281843854
Change-Id: I73f79b6566ed3e3d8491db6bed011047d5a650ce
Merged-In: I73f79b6566ed3e3d8491db6bed011047d5a650ce
Add sdk_sandbox_next and apply it if a new input selector,
isSdkSandboxNext, is applied. This is set to true by libselinux
if a flag is set in the seInfo passed to it.
This enables some testers to test out the set of restrictions
we're planning for the next SDK version.
sdk_sandbox_next is not the final set of restrictions of the next SDK
version.
Bug: b/270148964
Test: atest PackageManagerLocalTest SdkSandboxDataIsolationHostTest
SdkSandboxRestrictionsTest
Change-Id: Ie8bad9c1b8f8eb032d13e1822689c78ad3d2c68a
Merged-In: Ie8bad9c1b8f8eb032d13e1822689c78ad3d2c68a
When ART Service is enabled, the runtime uses a different strategy to
write profiles: it first creates a temp profile file, and then moves it
to the final location, instead of mutating the file in place. This new
strategy requires the permission to create files. While apps have this
permission, unfortunately, system_server didn't. This CL fixes this
problem.
Bug: 282019264
Test: -
1. Enable boot image profiling
(https://source.android.com/docs/core/runtime/boot-image-profiles#configuring-devices)
2. Snapshot the boot image profile
(adb shell pm snapshot-profile android)
3. Dump the boot image profile
(adb shell profman --dump-only --profile-file=/data/misc/profman/android.prof)
4. See profile data for services.jar
Ignore-AOSP-First: This change requires updating the 34.0 prebuilt,
which doesn't exist on AOSP. Will cherry-pick to AOSP later.
Change-Id: Ie24a51f2d40d752164ce14725f122c73432d50c9
Revert submission 22955599-euicc_selinux_fix2
Reason for revert: b/279988311 we rename the vendor.modem property so we don't need to add the new rules
Reverted changes: /q/submissionid:22955599-euicc_selinux_fix2
Change-Id: I00cac36ac2f2a23d02c99b9ad9df57061d1ae61c
Revert submission 22899490-euicc_selinux_fix
Reason for revert: b/279988311 we rename the vendor.modem property so we don't need to add the new rules
Reverted changes: /q/submissionid:22899490-euicc_selinux_fix
Change-Id: I0c2bfe55987949ad52f62e468c84df954f39a4ad
Test: See commit 2691baf9d4f8086902d46b2e340a6e5464857b90 in art/
(ag/23125728)
Bug: 281850017
Ignore-AOSP-First: Will cherry-pick to AOSP later
Change-Id: I14baf55d07ad559294bd3b7d9562230e78201d25
Rename sdk_sandbox to sdk_sandbox_34.
Additionally, Extract out parts of sdk_sandbox_34 to
sdk_sandbox_all.te that will be shared with all sdk_sandbox domains.
Bug: b/270148964
Test: atest PackageManagerLocalTest SdkSandboxDataIsolationHostTest
SdkSandboxRestrictionsTest
Change-Id: I36e0c8795148de83c81dfe12559452812aa2b25e
Merged-In: I36e0c8795148de83c81dfe12559452812aa2b25e
Context: go/videoview-local-sandbox. This change is required to
play local files in a VideoView in the SDK sandbox.
Ignore-AOSP-First: Cherrypick
Test: Manual steps described in doc
Bug: 266592086
Change-Id: I940609d5dff4fc73d0376489646488c7b96eebb8
auditallow block from sdk_sandbox has been removed as we haven't yet
measured the system health impact of adding this. It'll be added to an
audit domain later after we've ruled out negative system health impact.
Bug: b/270148964
Test: atest PackageManagerLocalTest SdkSandboxDataIsolationHostTest
SdkSandboxRestrictionsTest
Change-Id: Ic4ce690e82b09ed176495f3b55be6069ffc074ac
Merged-In: Ic4ce690e82b09ed176495f3b55be6069ffc074ac
SDK's data should not be accessible directly by other domains, including
system server. Added neverallow to ensure that.
Bug: b/279885689
Test: make and boot device
Change-Id: If6a6b4d43f297ec2aa27434dd26f6c88d0d8bcf2
Merged-In: If6a6b4d43f297ec2aa27434dd26f6c88d0d8bcf2