Ueventd is now granted write access to all files in /sys
in core policy.
avc: denied { write } for pid=790 comm="ueventd" name="uevent"
dev="sysfs" ino=52014 scontext=u:r:ueventd:s0
tcontext=u:object_r:sysfs_usb_device:s0 tclass=file
Bug: 63147833
Test: build
Change-Id: I61f742a6151fe37ec99654bda6074f055a84a163

This is used to persist RFC 7217 stable secrets across device reboots.
For now this is device-specific; in future releases it will be moved
to public sepolicy.
Bug: 17613910
Test: stable_secret is generated on first use and persists across reboots
Test: "adb shell getprop persist.netd.stable_secret" doesn't work after "adb unroot"
Change-Id: I0a609c724799a15b1926e62534c16810d34f2275

- Hook up Encoder hint with CameraHal
- Remove dead code for EAS kernel for decoder hint and camera preview
This CL will enable powerhint for CameraHal to cap Big CPU
Cluster max freq to 1.958 GHz.
Bug: 38000354
Bug: 62354242
Bug: 63039461
Test: Build and test camera preview on
Change-Id: I13e93915499f6cc83335b72ab2076d90bc9edfcc

Bug: 62837579
Test: place test files in /persist/elabel, check that they are copied to /data/misc/elabel on boot
Change-Id: Id29e7c7c01ed54bf4d2f488cfa6dba51046bc5bf
Merged-In: Id29e7c7c01ed54bf4d2f488cfa6dba51046bc5bf

Allow init to copy elabel data from /persist/elabel to
/data/misc/elabel. Allow settings app to access elabel data
from /data/misc/elabel.
Bug: 62837579
Change-Id: Ie2241abe8c2384a537b001a90830a3f42c566748
Merged-In: Ie2241abe8c2384a537b001a90830a3f42c566748

Wahoo's sepolicy is changed and merged to add Marlin permissions
based on compliance test needs. Marlin's sepolicy can be
found at device/google/marlin/sepolicy/hal_gnss_default.te
Bug: 37409476
Test: Boots with no avc denials or crashes. GNSS incl. post XTRA
delete runs well with no denials.
Change-Id: Id51197120d142850fe0d7c97f747818e23c178f8

avc: denied { read } for pid=694 comm="update_verifier" name="block" dev="sysfs" ino=27770 scontext=u:r:update_verifier:s0 tcontext=u:object_r:sysfs:s0 tclass=dir
avc: denied { read } for pid=719 comm="update_verifier" name="name" dev="sysfs" ino=51336 scontext=u:r:update_verifier:s0 tcontext=u:object_r:sysfs:s0 tclass=file
update_verifier reads /sys/block/dm-X/dm/name to find the device-mapper
entries for system and vendor partitions.
Also remove the unneeded "block_device:dir r_dir_perms" permission.
Bug: 63146601
Test: As follows.
a) Set up /data/ota_package/care_map.txt.
b) Reset the slot boot-successful flag with fastboot set_active.
c) Boot the device and check update_verifier successfully verifies
the blocks.
Change-Id: I581136249e93ec2d4bd9ceda316590ee31148643

Also clean up sepolicy files that were using /data/vendor, as they are not
needed and /data is not ready by the time we start time_daemon
Bug: 62184939
Test: walleye boot with correct time in airplane mode
Change-Id: Ic7b025a8c795092a1dd4b1ab1d7497d1440c0a4b

Add an entry to init.hardware.rc to create /data/vendor/sensors at
startup, and sepolicy entries that allow the sensors daemon to create
files in that directory. These will be used to persist runtime
calibration across reboot, but not across factory reset.
denied { getattr } for pid=14080 comm="sensors.qcom"
path="/data/vendor/sensors/cal.txt" dev="sda45" ino=2179116
scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0
tclass=file permissive=1
denied { write } for pid=14113 comm="sensors.qcom" name="vendor"
dev="sda45" ino=2179073 scontext=u:r:sensors:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
denied { add_name } for pid=14113 comm="sensors.qcom" name="sensors"
scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0
tclass=dir permissive=1
denied { create } for pid=14113 comm="sensors.qcom" name="sensors"
scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0
tclass=dir permissive=1
denied { create } for pid=14113 comm="sensors.qcom" name="cal.bin"
scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0
tclass=file permissive=1
denied { write open } for pid=14113 comm="sensors.qcom"
path="/data/vendor/sensors/cal.bin" dev="sda45" ino=2179115
scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0
tclass=file permissive=1
denied { read } for pid=14113 comm="sensors.qcom"
path="/data/vendor/sensors/cal.txt" dev="sda45" ino=2179116
scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0
tclass=file permissive=1
denied { getattr } for pid=14113 comm="sensors.qcom"
path="/data/vendor/sensors/cal.txt" dev="sda45" ino=2179116
scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0
tclass=file permissive=1
Bug: 38425697
Test: confirm folder is created on boot, and calibration files are
created, updated, and read successfully by sensors daemon
Change-Id: Ie23cafe4f43b3335e07cf0d13dde0c5d06b69f80
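Added example, not part of the commit or the project's policy: an audit2allow-style summarizer run over the denials quoted above. It groups them into candidate allow rules and flags targets such as system_data_file, where labelling the new directory with its own type is the narrower fix. The BROAD_TYPES set and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Denials quoted in the commit message above, with wrapped lines rejoined.
DENIALS = """\
denied { getattr } for pid=14080 comm="sensors.qcom" path="/data/vendor/sensors/cal.txt" dev="sda45" ino=2179116 scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
denied { write } for pid=14113 comm="sensors.qcom" name="vendor" dev="sda45" ino=2179073 scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
denied { add_name } for pid=14113 comm="sensors.qcom" name="sensors" scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
denied { create } for pid=14113 comm="sensors.qcom" name="cal.bin" scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
denied { write open } for pid=14113 comm="sensors.qcom" path="/data/vendor/sensors/cal.bin" dev="sda45" ino=2179115 scontext=u:r:sensors:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
"""

# Assumption of this example: types too broad to grant access on directly.
BROAD_TYPES = {"system_data_file", "sysfs"}

AVC_RE = re.compile(
    r"denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\w+)"
)

def summarize(log):
    """Group denials by (source domain, target type, class) -> set of perms."""
    rules = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return dict(rules)

def render(rules):
    """Emit candidate allow rules; mark the ones that target a broad type."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        note = "  # broad type: label the path instead" if tgt in BROAD_TYPES else ""
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};{note}")
    return out

if __name__ == "__main__":
    print("\n".join(render(summarize(DENIALS))))
```
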
Also add tetheroffload HALs to the manifest.
Bug: 29337859
Bug: 32163131
Test: adb shell getenforce
Enforcing
adb shell dumpsys connectivity tethering
Tethering:
...
Log:
...
06-28 11:46:58.841 - SET master tether settings: ON
06-28 11:46:58.857 - [OffloadController] tethering offload started
And logs show some signs of happiness:
06-28 11:46:58.853 816 947 I IPAHALService: IPACM was provided two FDs (18, 19)
06-28 11:46:58.853 1200 1571 I zygote64: Looking for service android.hardware.tetheroffload.control@1.0::IOffloadControl/default
Change-Id: I40e23c1863901330dfe59e2ea196314c5c7bb52a
(cherry picked from commit c6ecb207d7032bf43e9b39941ff7e47dd127e361)

Wahoo's sepolicy is changed to mirror Marlin's. Marlin's sepolicy can be
found at device/google/marlin/sepolicy/hal_gnss_default.te
BUG: 37409476
Change-Id: Id6f49defd70923c56da2dfd68f55cf3dfc2e62fc

Move policy from global file to device specific file
Bug: 62908056
Change-Id: I72557ca5120df8cdea59e843cd20f9cf676b5e01
Merged-In: I20f0cc40276ef434fae1e4390c10765a4c9fd909

Reading time from /data/system/time is not used on Wahoo.
denied { read } for pid=619 comm="BootAnimation::" name="system"
scontext=u:r:bootanim:s0 tcontext=u:object_r:system_data_file:s0
tclass=dir
Bug: 62954877
Test: build policy
Change-Id: I0d5bc69797f7a11ca4e612c00228e87dd48942c7