Adding two labels: "incfs" for the incremental filesystem and
"incremental_root_file" for file paths /data/incremental/*.
Doc: go/incremental-selinux
Test: manual
Change-Id: I7d45ed1677e3422119b2861dfc7b541945fcb7a2
In order for system_server to report ION allocations in dumpsys meminfo
report it needs access to ION sysfs nodes.
Bug: 138148041
Test: dumpsys meminfo
Change-Id: I8b1efebe8f4b06a3975e96ddd6a8cbcacdb52fb2
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Zygote/Installd now can do the following operations in app data directory:
- Mount on it
- Create directories in it
- Mount directory for each app data, and get/set attributes
Bug: 143937733
Test: No denials at boot
Test: No denials seen when creating mounts
Change-Id: I6e852a5f5182f1abcb3136a3b23ccea69c3328db
Due to Factory OTA client install in product partition but it also declare coredomian in
its sepolicy setting. That will let Factory OTA unable to find a property type could write system property.
But now Factory OTA have a restore NFC wake function need to write system property for communicate with bootloader.
So we need to create a new property type in system framework which could allow Factory OTA client to write system property.
Bug: 145178094
Test: Manual
Change-Id: Ic549cc939893ec67a46bf28a23ebeb9f9b81bd0b
* changes:
Allow audio_server to access soundtrigger_middleware service
Allow soundtrigger_middleware system service
Allow system service to access audio HAL (for soundtrigger)
When an OTA is downloaded, the RecoverySystem can be triggered to store
the user's lock screen knowledge factor in a secure way using the
IRebootEscrow HAL. This will allow the credential encrypted (CE)
storage, keymaster credentials, and possibly others to be unlocked when
the device reboots after an OTA.
Bug: 63928581
Test: make
Test: boot emulator with default implementation
Test: boot Pixel 4 with default implementation
Change-Id: I1f02e7a502478715fd642049da01eb0c01d112f6
This adds a new apex_rollback_data_file type for the snapshots (backups)
of APEX data directories that can be restored in the event of a rollback.
Permission is given for apexd to create files and dirs in those directories
and for vold_prepare_subdirs to create the directories.
See go/apex-data-directories for details.
Bug: 141148175
Test: Built and flashed, checked directory was created with the correct
type.
Change-Id: I94b448dfc096e5702d3e33ace6f9df69f58340fd
This adds a new apex_module_data_file type for the APEX data directories
under /data/misc/apexdata and /data/misc_[de|ce]/<u>/apexdata.
Permission is given for vold to identify which APEXes are present and
create the corresponding directories under apexdata in the ce/de user
directories.
See go/apex-data-directories.
Bug: 141148175
Test: Built & flashed, checked directories were created.
Change-Id: I95591e5fe85fc34f7ed21e2f4a75900ec2cfacfa
Add a domain for derive_sdk which is allowed to set
persist.com.android.sdkext.sdk_info, readable by all
apps (but should only be read by the BCP).
Bug: 137191822
Test: run derive_sdk, getprop persist.com.android.sdkext.sdk_info
Change-Id: I389116f45faad11fa5baa8d617dda30fb9acec7a
Currently linker config locates under /dev, but this makes some problem
in case of using two system partitions using chroot. To match system
image and configuration, linker config better stays under /linkerconfig
Bug: 144966380
Test: m -j passed && tested from cuttlefish
Change-Id: Iea67663442888c410f29f8dd0c44fe49e3fcef94
SLCAN setup requires certain ioctls and read/write operations to
certain tty's. This change allows the HAL to set up SLCAN devices while
complying with SEPolicy.
In addition to adding support for SLCAN, I've also included permissions
for using setsockopt. In order for the CAN HAL receive error frames from
the CAN bus controller, we need to first set the error mask and filter
via setsockopt.
Test: manual
Bug: 144458917
Bug: 144513919
Change-Id: I63a48ad6677a22f05d50d665a81868011c027898
ro.apk_verity.mode was introduced in P on crosshatch. This change
changes the label from default_prop to a new property, apk_verity_prop.
ro.apk_verity.mode is set by vendor_init per build.prop, in order to
honor Treble split. It is also read by system_server and installd
currently.
Test: verify functioning without denials in dmesg
Bug: 142494008
Bug: 144164497
Change-Id: I1f24513d79237091cf30025bb7ca63282e23c739
