Change all uses of the file_contexts file to use the
file_contexts.bin file instead.
Depends on
I75a781100082c23536f70ce3603f7de42408b5ba
I43806d564b83d57f05f5c36c8eba7b1ff4831b04
Id560d093440a2aba99cef28c20133b35feebf950
I15660f4b3e4c5cb8ae0ec1498c74d6fcbb9a0400
Change-Id: Iaf8c4b2e420f610425a07f48db7af32bda3f5b3a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This change supports external/libselinux changes to implement
a PCRE formatted binary file_contexts file.
Change-Id: I75a781100082c23536f70ce3603f7de42408b5ba
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Browser is going away. Browser2 is a tiny, WebView-based browser for
testing purposes. BookmarkProvider will take over the
"com.android.browser;browser" authorities and return empty Cursors for
all queries. See packages/apps/Browser2/README for how to obtain a
regular browser.
BUG:19351071
Change-Id: I8af605ec65a1185923598ba553a98e3fd9b887db
This fixes the issue with the emulator "-shell" option.
Init tries to open the console which is passed through
the kernel androidboot.console property, but fails to
open it because "avc" denies it. Init only has permissions
to open console_device in rw mode. This ensures that
/dev/ttyS2 is properly labeled as console_device.
Replaced tabs with spaces.
Change-Id: I9ef94576799bb724fc22f6be54f12de10ed56768
This commit adds android.hardware.ethernet.xml file for ethernet
permission to PRODUCT_COPY_FILES which will be copied to
/system/etc/permission folder on the target. Reason for adding
this permission file is for enabling the ethernet and having
functional networking until RIL backend support in ranchu is
implemented.
This requires dhcpcd_eth0 service definition in init.ranchu.rc.
Architectures that use goldfish emulator do not need ethernet
support, because networking is provided by RIL.
Change-Id: I7972f80cf78c0fdecf3fde45bf018230bbcefd38
For historical reason, the aosp_* products were named full_*.
We keep the full, full_x86 and full_mips in case some tools still
reference these legacy names; But no reason the have the full_* product
names for the new 64-bit archs.
Change-Id: I240ed0c6ded0ded2d80603bd0c5ff24750999afc
The goldfish-setup service (essentially /system/etc/init.goldfish.sh)
executes the following commands when certain conditions are met:
setprop ro.radio.noril yes
stop ril-daemon
so as to stop the RIL daemon and emulate a WiFi-only device. Both would
fail, though, because goldfish-setup does not have the permissions to
set relevant properties.
This CL modifies the emulator's SELinux policy to grant the necessary
permissions. It is a step towards fixing the ril-daemon-keeps-getting-
killed-and-restarted problem with the new ("ranchu") emulator, which
does not support telephony emulation yet. (The other step is to have
init start goldfish-setup, which will be done in a seperate CL.)
Change-Id: Ice7e7898804b7353ac4a8c49d871b1b2571d7a5f
Signed-off-by: Yu Ning <yu.ning@intel.com>
In goldfish kernel 3.10, the goldfish_tty device instantiates virtual
serial ports as /dev/ttyGF* (e.g. /dev/ttyGF0), not as /dev/ttyS* as in
goldfish kernel 3.4. However, in the emulator's SELinux security policy,
there is no specific security context assigned to /dev/ttyGF*, and the
one inherited from /dev (u:object_r:device:s0) prevents services such as
qemud and goldfish-logcat from reading and writing ttyGF*. Consequently,
qemud terminates abnormally on the classic x86_64 emulator:
init: Service 'qemud' (pid XXX) exited with status 1
Fix this issue by assigning /dev/ttyGF* the same security context as
/dev/ttyS*.
Change-Id: Ia7394dc217bd82f566c4d1b7eda3cc8ce3ac612f
Signed-off-by: Yu Ning <yu.ning@intel.com>
In goldfish kernel 3.10, qemu_pipe has been renamed to goldfish_pipe.
However, in the emulator's SELinux policy, there is no specific security
context assigned to /dev/goldfish_pipe, and the one inherited from /dev
(u:object_r:device:s0) prevents various processes (qemud, qemu-props,
etc.) from reading and writing goldfish_pipe. Consequently, the classic
x86_64 emulator will not boot if GPU emulation is enabled ("-gpu host"),
and does not render the UI correctly if launched with "-gpu off".
Fix this issue by assigning /dev/goldfish_pipe the same security context
as /dev/qemu_pipe.
This CL also benefits the new ("ranchu") emulator, where all supported
ABIs (arm64, mips64, x86 and x86_64) use 3.10-based kernels. Without
this fix, the new emulator boots and works, but there are avc denials
related to goldfish_pipe.
Last but not least, it is now possible to boot the classic x86 emulator
with a 3.10-based kernel instead of the current 3.4-based one, without
disabling SELinux.
Change-Id: Iad979c0ee9d0a410be12b83ac1bef9476b50a6dc
Signed-off-by: Yu Ning <yu.ning@intel.com>
For ART testing, we need:
1) A larger userdata partition. A lot of files end up there as it
is multi-arch.
2) Don't strip prebuilts. Technically we only care about core-libart,
but this is the best high-level change that doesn't impact other
files.
Change-Id: Ic36bfcf80ba50a602752ca0a3031dda89a0f3051
Define BOARD_SEPOLICY_DIRS for the arm64, mips64, and x86_64
emulator targets. As a first cut, simply inherit from the
existing policy directories used for generic and generic_x86.
We may need further board-specific policy added for these targets
but testing will require first enabling SELinux in the relevant
kernel configs.
Change-Id: I7b4459b32298698fc2908cbbdd0e3afadbe5ac24
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
As suggested in the comments on
https://android-review.googlesource.com/#/c/141560/
drop BOARD_SEPOLICY_UNION and simplify the build_policy logic.
Union all files found under BOARD_SEPOLICY_DIRS.
Change-Id: I4214893c999c23631f5456cb1b8edd59771ef13b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
It's obsolete and -- other than a mention in the reference RIL and
another in a shell script that no longer works -- unused.
Change-Id: Ibbf2613778802222865528644c7e59a2d7c68b48
Previously the recovery binary was configured to be installed to the
system.img and then got copied to recovery.img in the recovery.img's
build rule.
With this change, a module, such as the recovery binary, can configure
itself to be installed directly to the recovery.img, just like how other
modules get installed to system.img.
Bug: 19667686
Change-Id: I46b0b4a95cf078a68999db9c0f6635d6a3f5cd86
The extra system space is needed for mips64r6/mips32r6 quick
mode images and the extra userdata is needed to run ART tests.
Change-Id: I96dc1553d950dcf046b57feff10a369e9155bd4d
Nick Kralevich