emulator: move sepolicy to goldfish project
The sepolicies are emulator-specific and are installed in the vendor partition, so move them to the right location. BUG: 110030159 Change-Id: I6acc27a3b787a3fafd9373c84492537185b184c5 Merged-In: I6acc27a3b787a3fafd9373c84492537185b184c5
This commit is contained in:
parent
378da0f328
commit
4abeb75f32
|
@ -77,7 +77,7 @@ BOARD_USES_METADATA_PARTITION := true
|
|||
BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4
|
||||
BOARD_CACHEIMAGE_PARTITION_SIZE := 16777216
|
||||
|
||||
BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
|
||||
BOARD_SEPOLICY_DIRS += device/generic/goldfish/sepolicy/common
|
||||
BOARD_PROPERTY_OVERRIDES_SPLIT_ENABLED := true
|
||||
|
||||
# Android Verified Boot (AVB):
|
||||
|
|
|
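Review bot: The new `BOARD_SEPOLICY_DIRS += device/generic/goldfish/sepolicy/common` line points at a directory in a different project, and nothing in this commit shows the policy that directory holds, so the rules deleted below (for example `allow domain qemu_device:chr_file rw_file_perms;`, `get_prop(domain, qemu_prop)` and the `system_writes_vendor_properties_violators` typeattributes on bootanim, surfaceflinger and zygote) cannot be matched here against what replaces them. The commit description cites only the bug and Change-Id; a reference to the companion goldfish change would let a reviewer confirm the moved rules are identical and that the build does not pick up an empty or stale directory if the two changes land out of order. The same point applies to the other BoardConfig hunks on this page (`@ -94,7 +94,7`, `@ -67,8 +67,8`, `@ -65,8 +65,8` and `@ -61,4 +61,4`). Which of the two BOARD_SEPOLICY_DIRS lines is old and which is new is inferred from the title, since the rendered page has dropped the +/- markers.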
@ -1,8 +0,0 @@
|
|||
alanstokes@google.com
|
||||
bowgotsai@google.com
|
||||
jbires@google.com
|
||||
jeffv@google.com
|
||||
jgalenson@google.com
|
||||
sspatil@google.com
|
||||
tomcherry@google.com
|
||||
trong@google.com
|
|
@ -1 +0,0 @@
|
|||
set_prop(adbd, ctl_mdnsd_prop);
|
|
@ -1 +0,0 @@
|
|||
allow audioserver bootanim:binder call;
|
|
@ -1,9 +0,0 @@
|
|||
allow bootanim self:process execmem;
|
||||
allow bootanim ashmem_device:chr_file execute;
|
||||
#TODO: This can safely be ignored until b/62954877 is fixed
|
||||
dontaudit bootanim system_data_file:dir read;
|
||||
|
||||
allow bootanim graphics_device:chr_file { read ioctl open };
|
||||
|
||||
typeattribute bootanim system_writes_vendor_properties_violators;
|
||||
set_prop(bootanim, qemu_prop)
|
|
@ -1,2 +0,0 @@
|
|||
allow cameraserver system_file:dir { open read };
|
||||
allow cameraserver hal_allocator:fd use;
|
|
@ -1,14 +0,0 @@
|
|||
# Network namespace creation
|
||||
type createns, domain;
|
||||
type createns_exec, exec_type, vendor_file_type, file_type;
|
||||
|
||||
init_daemon_domain(createns)
|
||||
|
||||
allow createns self:capability { sys_admin net_raw setuid setgid };
|
||||
allow createns varrun_file:dir { add_name search write };
|
||||
allow createns varrun_file:file { create mounton open read write };
|
||||
|
||||
#Allow createns itself to be run by init in its own domain
|
||||
domain_auto_trans(goldfish_setup, createns_exec, createns);
|
||||
allow createns goldfish_setup:fd use;
|
||||
|
|
@ -1 +0,0 @@
|
|||
type qemu_device, dev_type, mlstrustedobject;
|
|
@ -1,20 +0,0 @@
|
|||
# DHCP client
|
||||
type dhcpclient, domain;
|
||||
type dhcpclient_exec, exec_type, vendor_file_type, file_type;
|
||||
|
||||
init_daemon_domain(dhcpclient)
|
||||
net_domain(dhcpclient)
|
||||
|
||||
allow dhcpclient execns:fd use;
|
||||
|
||||
set_prop(dhcpclient, net_eth0_prop);
|
||||
allow dhcpclient self:capability { net_admin net_raw };
|
||||
allow dhcpclient self:udp_socket create;
|
||||
allow dhcpclient self:netlink_route_socket { write nlmsg_write };
|
||||
allow dhcpclient varrun_file:dir search;
|
||||
allow dhcpclient self:packet_socket { create bind write read };
|
||||
allowxperm dhcpclient self:udp_socket ioctl { SIOCSIFFLAGS
|
||||
SIOCSIFADDR
|
||||
SIOCSIFNETMASK
|
||||
SIOCSIFMTU
|
||||
SIOCGIFHWADDR };
|
|
@ -1,12 +0,0 @@
|
|||
# DHCP server
|
||||
type dhcpserver, domain;
|
||||
type dhcpserver_exec, exec_type, vendor_file_type, file_type;
|
||||
|
||||
init_daemon_domain(dhcpserver)
|
||||
net_domain(dhcpserver)
|
||||
|
||||
allow dhcpserver execns:fd use;
|
||||
|
||||
get_prop(dhcpserver, net_eth0_prop);
|
||||
allow dhcpserver self:udp_socket { ioctl create setopt bind };
|
||||
allow dhcpserver self:capability { net_raw net_bind_service };
|
|
@ -1,3 +0,0 @@
|
|||
allow domain qemu_device:chr_file rw_file_perms;
|
||||
|
||||
get_prop(domain, qemu_prop)
|
|
@ -1,27 +0,0 @@
|
|||
# Network namespace transitions
|
||||
type execns, domain;
|
||||
type execns_exec, exec_type, vendor_file_type, file_type;
|
||||
|
||||
init_daemon_domain(execns)
|
||||
|
||||
allow execns varrun_file:dir search;
|
||||
allow execns varrun_file:file r_file_perms;
|
||||
allow execns self:capability { sys_admin setuid setgid };
|
||||
allow execns nsfs:file { open read };
|
||||
|
||||
#Allow execns itself to be run by init in its own domain
|
||||
domain_auto_trans(init, execns_exec, execns);
|
||||
|
||||
# Allow dhcpclient to be run by execns in its own domain
|
||||
domain_auto_trans(execns, dhcpclient_exec, dhcpclient);
|
||||
|
||||
# Allow dhcpserver to be run by execns in its own domain
|
||||
domain_auto_trans(execns, dhcpserver_exec, dhcpserver);
|
||||
|
||||
# Allow hostapd_nohidl to be run by execns in its own domain
|
||||
domain_auto_trans(execns, hostapd_nohidl_exec, hostapd_nohidl);
|
||||
|
||||
# Allow execns to read createns proc file to get the namespace file
|
||||
allow execns createns:file read;
|
||||
allow execns createns:dir search;
|
||||
allow execns createns:lnk_file read;
|
|
@ -1,4 +0,0 @@
|
|||
type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
|
||||
type varrun_file, file_type, data_file_type, mlstrustedobject;
|
||||
type mediadrm_vendor_data_file, file_type, data_file_type;
|
||||
type nsfs, fs_type;
|
|
@ -1,47 +0,0 @@
|
|||
# goldfish
|
||||
/dev/block/mtdblock0 u:object_r:system_block_device:s0
|
||||
/dev/block/mtdblock1 u:object_r:userdata_block_device:s0
|
||||
/dev/block/mtdblock2 u:object_r:cache_block_device:s0
|
||||
|
||||
# ranchu
|
||||
/dev/block/vda u:object_r:system_block_device:s0
|
||||
/dev/block/vdb u:object_r:cache_block_device:s0
|
||||
/dev/block/vdc u:object_r:userdata_block_device:s0
|
||||
/dev/block/vdd u:object_r:metadata_block_device:s0
|
||||
/dev/block/vde u:object_r:system_block_device:s0
|
||||
|
||||
/dev/goldfish_pipe u:object_r:qemu_device:s0
|
||||
/dev/goldfish_sync u:object_r:qemu_device:s0
|
||||
/dev/qemu_.* u:object_r:qemu_device:s0
|
||||
/dev/ttyGF[0-9]* u:object_r:serial_device:s0
|
||||
/dev/ttyS2 u:object_r:console_device:s0
|
||||
/vendor/bin/init\.ranchu-core\.sh u:object_r:goldfish_setup_exec:s0
|
||||
/vendor/bin/init\.ranchu-net\.sh u:object_r:goldfish_setup_exec:s0
|
||||
/vendor/bin/init\.wifi\.sh u:object_r:goldfish_setup_exec:s0
|
||||
/vendor/bin/qemu-props u:object_r:qemu_props_exec:s0
|
||||
/vendor/bin/createns u:object_r:createns_exec:s0
|
||||
/vendor/bin/execns u:object_r:execns_exec:s0
|
||||
/vendor/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0
|
||||
/vendor/bin/dhcpclient u:object_r:dhcpclient_exec:s0
|
||||
/vendor/bin/dhcpserver u:object_r:dhcpserver_exec:s0
|
||||
/vendor/bin/hostapd_nohidl u:object_r:hostapd_nohidl_exec:s0
|
||||
|
||||
/vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0
|
||||
|
||||
/vendor/lib(64)?/hw/gralloc\.ranchu\.so u:object_r:same_process_hal_file:s0
|
||||
/vendor/lib(64)?/hw/gralloc\.goldfish\.default\.so u:object_r:same_process_hal_file:s0
|
||||
/vendor/lib(64)?/libEGL_emulation\.so u:object_r:same_process_hal_file:s0
|
||||
/vendor/lib(64)?/libGLESv1_CM_emulation\.so u:object_r:same_process_hal_file:s0
|
||||
/vendor/lib(64)?/libGLESv2_emulation\.so u:object_r:same_process_hal_file:s0
|
||||
/vendor/lib(64)?/libEGL_swiftshader\.so u:object_r:same_process_hal_file:s0
|
||||
/vendor/lib(64)?/libGLESv1_CM_swiftshader\.so u:object_r:same_process_hal_file:s0
|
||||
/vendor/lib(64)?/libGLESv2_swiftshader\.so u:object_r:same_process_hal_file:s0
|
||||
/vendor/lib(64)?/libOpenglSystemCommon\.so u:object_r:same_process_hal_file:s0
|
||||
/vendor/lib(64)?/lib_renderControl_enc\.so u:object_r:same_process_hal_file:s0
|
||||
/vendor/lib(64)?/libGLESv1_enc\.so u:object_r:same_process_hal_file:s0
|
||||
/vendor/lib(64)?/libGLESv2_enc\.so u:object_r:same_process_hal_file:s0
|
||||
|
||||
# data
|
||||
/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
|
||||
/data/vendor/var/run(/.*)? u:object_r:varrun_file:s0
|
||||
|
|
@ -1,20 +0,0 @@
|
|||
# On the emulator, device tree dir is configured to be
|
||||
# /sys/bus/platform/devices/ANDR0001:00/properties/android/ which is a symlink to
|
||||
# /sys/devices/platform/ANDR0001:00/properties/android/
|
||||
genfscon sysfs /devices/platform/ANDR0001:00/properties/android u:object_r:sysfs_dt_firmware_android:s0
|
||||
|
||||
# We expect /sys/class/power_supply/* and everything it links to to be labeled
|
||||
# as sysfs_batteryinfo.
|
||||
genfscon sysfs /devices/platform/GFSH0001:00/power_supply u:object_r:sysfs_batteryinfo:s0
|
||||
|
||||
# /sys/class/rtc
|
||||
genfscon sysfs /devices/pnp0/00:00/rtc u:object_r:sysfs_rtc:s0
|
||||
genfscon sysfs /devices/platform/GFSH0007:00/rtc u:object_r:sysfs_rtc:s0
|
||||
|
||||
# /sys/class/net
|
||||
genfscon sysfs /devices/pci0000:00/0000:00:08.0/virtio5/net u:object_r:sysfs_net:s0
|
||||
genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim0/net u:object_r:sysfs_net:s0
|
||||
genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim1/net u:object_r:sysfs_net:s0
|
||||
|
||||
# /proc/<pid>/ns
|
||||
genfscon nsfs / u:object_r:nsfs:s0
|
|
@ -1,47 +0,0 @@
|
|||
# goldfish-setup service: runs init.goldfish.sh script
|
||||
type goldfish_setup, domain;
|
||||
type goldfish_setup_exec, vendor_file_type, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(goldfish_setup)
|
||||
|
||||
# TODO(b/79502552): Invalid property access from emulator vendor
|
||||
#set_prop(goldfish_setup, debug_prop);
|
||||
allow goldfish_setup self:capability { net_admin net_raw };
|
||||
allow goldfish_setup self:udp_socket { create ioctl };
|
||||
allow goldfish_setup vendor_toolbox_exec:file execute_no_trans;
|
||||
allowxperm goldfish_setup self:udp_socket ioctl priv_sock_ioctls;
|
||||
wakelock_use(goldfish_setup);
|
||||
allow goldfish_setup vendor_shell_exec:file { rx_file_perms };
|
||||
|
||||
# Set system properties to start services
|
||||
set_prop(goldfish_setup, ctl_default_prop);
|
||||
|
||||
# Set up WiFi
|
||||
allow goldfish_setup self:netlink_route_socket { create nlmsg_write setopt bind getattr read write nlmsg_read };
|
||||
allow goldfish_setup self:netlink_generic_socket create_socket_perms_no_ioctl;
|
||||
allow goldfish_setup self:capability { sys_module sys_admin };
|
||||
allow goldfish_setup varrun_file:dir { mounton open read write add_name search remove_name };
|
||||
allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink };
|
||||
allow goldfish_setup execns_exec:file rx_file_perms;
|
||||
allow goldfish_setup proc_net:file rw_file_perms;
|
||||
allow goldfish_setup proc:file r_file_perms;
|
||||
allow goldfish_setup nsfs:file r_file_perms;
|
||||
allow goldfish_setup system_data_file:dir getattr;
|
||||
allow goldfish_setup kernel:system module_request;
|
||||
set_prop(goldfish_setup, qemu_prop);
|
||||
get_prop(goldfish_setup, net_share_prop);
|
||||
# Allow goldfish_setup to run /system/bin/ip and /system/bin/iw
|
||||
allow goldfish_setup system_file:file execute_no_trans;
|
||||
# Allow goldfish_setup to run init.wifi.sh
|
||||
allow goldfish_setup goldfish_setup_exec:file execute_no_trans;
|
||||
#Allow goldfish_setup to run createns in its own domain
|
||||
domain_auto_trans(goldfish_setup, createns_exec, createns);
|
||||
# iw
|
||||
allow goldfish_setup sysfs:file { read open };
|
||||
# iptables
|
||||
allow goldfish_setup system_file:file lock;
|
||||
allow goldfish_setup self:rawip_socket { create getopt setopt };
|
||||
# Allow goldfish_setup to read createns proc file to get the namespace file
|
||||
allow goldfish_setup createns:file { read };
|
||||
allow goldfish_setup createns:dir { search };
|
||||
allow goldfish_setup createns:lnk_file { read };
|
|
@ -1,3 +0,0 @@
|
|||
vndbinder_use(hal_camera_default);
|
||||
allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
|
||||
hal_client_domain(hal_camera_default, hal_graphics_composer)
|
|
@ -1 +0,0 @@
|
|||
vndbinder_use(hal_cas_default);
|
|
@ -1,2 +0,0 @@
|
|||
vndbinder_use(hal_drm_default);
|
||||
hal_client_domain(hal_drm_default, hal_graphics_composer)
|
|
@ -1,14 +0,0 @@
|
|||
# define SELinux domain
|
||||
type hal_drm_widevine, domain;
|
||||
hal_server_domain(hal_drm_widevine, hal_drm)
|
||||
|
||||
type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
|
||||
init_daemon_domain(hal_drm_widevine)
|
||||
|
||||
allow hal_drm mediacodec:fd use;
|
||||
allow hal_drm { appdomain -isolated_app }:fd use;
|
||||
|
||||
vndbinder_use(hal_drm_widevine);
|
||||
hal_client_domain(hal_drm_widevine, hal_graphics_composer);
|
||||
allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
|
||||
allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
|
|
@ -1,5 +0,0 @@
|
|||
# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
|
||||
# hal_fingerprint no longer directly accesses fingerprintd_data_file.
|
||||
typeattribute hal_fingerprint_default data_between_core_and_vendor_violators;
|
||||
allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
|
||||
allow hal_fingerprint_default fingerprintd_data_file:dir rw_dir_perms;
|
|
@ -1,3 +0,0 @@
|
|||
#============= hal_gnss_default ==============
|
||||
allow hal_gnss_default vndbinder_device:chr_file { ioctl open read write };
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
allow hal_graphics_allocator_default graphics_device:dir search;
|
||||
allow hal_graphics_allocator_default graphics_device:chr_file { ioctl open read write };
|
|
@ -1,3 +0,0 @@
|
|||
#============= hal_graphics_composer_default ==============
|
||||
allow hal_graphics_composer_default vndbinder_device:chr_file { ioctl open read write };
|
||||
|
|
@ -1 +0,0 @@
|
|||
allow hal_wifi_default hal_wifi_default:netlink_route_socket { create bind write read nlmsg_read };
|
|
@ -1,2 +0,0 @@
|
|||
# Allow to read /sys/class/power_supply directory
|
||||
allow healthd sysfs:dir r_dir_perms;
|
|
@ -1,16 +0,0 @@
|
|||
type hostapd_nohidl, domain;
|
||||
type hostapd_nohidl_exec, exec_type, vendor_file_type, file_type;
|
||||
|
||||
init_daemon_domain(hostapd_nohidl)
|
||||
net_domain(hostapd_nohidl)
|
||||
|
||||
allow hostapd_nohidl execns:fd use;
|
||||
|
||||
allow hostapd_nohidl self:capability { net_admin net_raw };
|
||||
allow hostapd_nohidl self:netlink_generic_socket { bind create getattr read setopt write };
|
||||
allow hostapd_nohidl self:netlink_route_socket nlmsg_write;
|
||||
allow hostapd_nohidl self:packet_socket { create setopt };
|
||||
allowxperm hostapd_nohidl self:udp_socket ioctl priv_sock_ioctls;
|
||||
|
||||
# hostapd will attempt to search sysfs but it's not needed and will spam the log
|
||||
dontaudit hostapd_nohidl sysfs_net:dir search;
|
|
@ -1,2 +0,0 @@
|
|||
allow init tmpfs:lnk_file create_file_perms;
|
||||
dontaudit init kernel:system module_request;
|
|
@ -1,16 +0,0 @@
|
|||
# IPv6 proxying
|
||||
type ipv6proxy, domain;
|
||||
type ipv6proxy_exec, exec_type, vendor_file_type, file_type;
|
||||
|
||||
init_daemon_domain(ipv6proxy)
|
||||
net_domain(ipv6proxy)
|
||||
|
||||
# Allow ipv6proxy to be run by execns in its own domain
|
||||
domain_auto_trans(execns, ipv6proxy_exec, ipv6proxy);
|
||||
allow ipv6proxy execns:fd use;
|
||||
|
||||
allow ipv6proxy self:capability { sys_admin sys_module net_admin net_raw };
|
||||
allow ipv6proxy self:packet_socket { bind create read };
|
||||
allow ipv6proxy self:netlink_route_socket nlmsg_write;
|
||||
allow ipv6proxy varrun_file:dir search;
|
||||
allowxperm ipv6proxy self:udp_socket ioctl { SIOCSIFFLAGS SIOCGIFHWADDR };
|
|
@ -1,13 +0,0 @@
|
|||
# goldfish logcat service: runs logcat -Q in logpersist domain
|
||||
|
||||
# See global logcat.te/logpersist.te, only set for eng & userdebug,
|
||||
# allow for all builds in a non-conflicting manner.
|
||||
|
||||
domain_auto_trans(init, logcat_exec, logpersist)
|
||||
|
||||
# Read from logd.
|
||||
unix_socket_connect(logpersist, logdr, logd)
|
||||
|
||||
# Write to /dev/ttyS2 and /dev/ttyGF2.
|
||||
allow logpersist serial_device:chr_file { write open };
|
||||
get_prop(logpersist, qemu_cmdline)
|
|
@ -1 +0,0 @@
|
|||
allow mediacodec system_file:dir { open read };
|
|
@ -1,3 +0,0 @@
|
|||
dontaudit netd self:capability sys_module;
|
||||
#TODO: This can safely be ignored until b/62954877 is fixed
|
||||
dontaudit netd kernel:system module_request;
|
|
@ -1,5 +0,0 @@
|
|||
#TODO: b/62908025
|
||||
dontaudit priv_app firstboot_prop:file { getattr open };
|
||||
dontaudit priv_app device:dir { open read };
|
||||
dontaudit priv_app proc_interrupts:file { getattr open read };
|
||||
dontaudit priv_app proc_modules:file { getattr open read };
|
|
@ -1,5 +0,0 @@
|
|||
type qemu_prop, property_type;
|
||||
type qemu_cmdline, property_type;
|
||||
type radio_noril_prop, property_type;
|
||||
type net_eth0_prop, property_type;
|
||||
type net_share_prop, property_type;
|
|
@ -1,8 +0,0 @@
|
|||
qemu. u:object_r:qemu_prop:s0
|
||||
qemu.cmdline u:object_r:qemu_cmdline:s0
|
||||
vendor.qemu u:object_r:qemu_prop:s0
|
||||
ro.emu. u:object_r:qemu_prop:s0
|
||||
ro.emulator. u:object_r:qemu_prop:s0
|
||||
ro.radio.noril u:object_r:radio_noril_prop:s0
|
||||
net.eth0. u:object_r:net_eth0_prop:s0
|
||||
net.shared_net_ip u:object_r:net_share_prop:s0
|
|
@ -1,10 +0,0 @@
|
|||
# qemu-props service: Sets system properties on boot.
|
||||
type qemu_props, domain;
|
||||
type qemu_props_exec, vendor_file_type, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(qemu_props)
|
||||
|
||||
set_prop(qemu_props, qemu_prop)
|
||||
# TODO(b/79502552): Invalid property access from emulator vendor
|
||||
#set_prop(qemu_props, qemu_cmdline)
|
||||
set_prop(qemu_props, qemu_cmdline)
|
|
@ -1,3 +0,0 @@
|
|||
# Allow the radio to read these properties, they only have an SELinux label in
|
||||
# the emulator.
|
||||
get_prop(radio, net_eth0_prop);
|
|
@ -1,3 +0,0 @@
|
|||
# Allow rild to read these properties, they only have an SELinux label in the
|
||||
# emulator.
|
||||
get_prop(rild, net_eth0_prop);
|
|
@ -1 +0,0 @@
|
|||
allow shell serial_device:chr_file rw_file_perms;
|
|
@ -1,5 +0,0 @@
|
|||
allow surfaceflinger self:process execmem;
|
||||
allow surfaceflinger ashmem_device:chr_file execute;
|
||||
|
||||
typeattribute surfaceflinger system_writes_vendor_properties_violators;
|
||||
set_prop(surfaceflinger, qemu_prop)
|
|
@ -1 +0,0 @@
|
|||
get_prop(system_server, radio_noril_prop)
|
|
@ -1 +0,0 @@
|
|||
set_prop(vendor_init, qemu_prop)
|
|
@ -1 +0,0 @@
|
|||
dontaudit vold kernel:system module_request;
|
|
@ -1,5 +0,0 @@
|
|||
typeattribute zygote system_writes_vendor_properties_violators;
|
||||
set_prop(zygote, qemu_prop)
|
||||
# TODO (b/63631799) fix this access
|
||||
# Suppress denials to storage. Webview zygote should not be accessing.
|
||||
dontaudit webview_zygote mnt_expand_file:dir getattr;
|
|
@ -94,7 +94,7 @@ BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4
|
|||
BOARD_CACHEIMAGE_PARTITION_SIZE := 16777216
|
||||
|
||||
BOARD_PROPERTY_OVERRIDES_SPLIT_ENABLED := true
|
||||
BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
|
||||
BOARD_SEPOLICY_DIRS += device/generic/goldfish/sepolicy/common
|
||||
|
||||
# Android Verified Boot (AVB):
|
||||
# Builds a special vbmeta.img that disables AVB verification.
|
||||
|
|
|
@ -67,8 +67,8 @@ BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4
|
|||
BOARD_CACHEIMAGE_PARTITION_SIZE := 16777216
|
||||
|
||||
BOARD_SEPOLICY_DIRS += \
|
||||
build/target/board/generic/sepolicy \
|
||||
build/target/board/generic_x86/sepolicy
|
||||
device/generic/goldfish/sepolicy/common \
|
||||
device/generic/goldfish/sepolicy/x86
|
||||
|
||||
# Android Verified Boot (AVB):
|
||||
# Builds a special vbmeta.img that disables AVB verification.
|
||||
|
|
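Review bot: Replacing `build/target/board/generic_x86/sepolicy` with `device/generic/goldfish/sepolicy/x86` removes the x86-only rules deleted further down this page (`allow installd self:process execmem;`, `allow zygote self:process execmem;`, `allow healthd self:capability sys_nice;`, `allow domain cpuctl_device:dir search;`), presumably from that directory given their position, without showing whether they are re-added on the goldfish side. These grant execmem and sys_nice to core domains from board policy, which is the kind of exception a move is a good moment to re-justify or drop; if they are carried over verbatim, a comment in the goldfish x86 policy naming the emulator reason for each rule would help the next reviewer. The `@ -65,8 +65,8` hunk below makes the same substitution and shares this point.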
|
@ -1,8 +0,0 @@
|
|||
alanstokes@google.com
|
||||
bowgotsai@google.com
|
||||
jbires@google.com
|
||||
jeffv@google.com
|
||||
jgalenson@google.com
|
||||
sspatil@google.com
|
||||
tomcherry@google.com
|
||||
trong@google.com
|
|
@ -1 +0,0 @@
|
|||
allow domain cpuctl_device:dir search;
|
|
@ -1 +0,0 @@
|
|||
allow healthd self:capability sys_nice;
|
|
@ -1 +0,0 @@
|
|||
allow init tmpfs:lnk_file create_file_perms;
|
|
@ -1 +0,0 @@
|
|||
allow installd self:process execmem;
|
|
@ -1,2 +0,0 @@
|
|||
allow zygote self:process execmem;
|
||||
allow zygote self:capability sys_nice;
|
|
@ -65,8 +65,8 @@ BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4
|
|||
BOARD_CACHEIMAGE_PARTITION_SIZE := 16777216
|
||||
|
||||
BOARD_SEPOLICY_DIRS += \
|
||||
build/target/board/generic/sepolicy \
|
||||
build/target/board/generic_x86/sepolicy
|
||||
device/generic/goldfish/sepolicy/common \
|
||||
device/generic/goldfish/sepolicy/x86
|
||||
|
||||
# Android Verified Boot (AVB):
|
||||
# Builds a special vbmeta.img that disables AVB verification.
|
||||
|
|
|
@ -61,4 +61,4 @@ BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4
|
|||
BOARD_FLASH_BLOCK_SIZE := 512
|
||||
TARGET_USERIMAGES_SPARSE_EXT_DISABLED := true
|
||||
|
||||
BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
|
||||
BOARD_SEPOLICY_DIRS += device/generic/goldfish/sepolicy/common
|
||||
|
|