This fixes the issue with the emulator "-shell" option.
Init tries to open the console which is passed through
the kernel androidboot.console property, but fails to
open it because "avc" denies it. Init only has permissions
to open console_device in rw mode. This ensures that
/dev/ttyS2 is properly labeled as console_device.
Replaced tabs with spaces.
Change-Id: I9ef94576799bb724fc22f6be54f12de10ed56768

The goldfish-setup service (essentially /system/etc/init.goldfish.sh)
executes the following commands when certain conditions are met:

    setprop ro.radio.noril yes
    stop ril-daemon

so as to stop the RIL daemon and emulate a WiFi-only device. Both would
fail, though, because goldfish-setup does not have the permissions to
set relevant properties.
This CL modifies the emulator's SELinux policy to grant the necessary
permissions. It is a step towards fixing the ril-daemon-keeps-getting-
killed-and-restarted problem with the new ("ranchu") emulator, which
does not support telephony emulation yet. (The other step is to have
init start goldfish-setup, which will be done in a separate CL.)
Change-Id: Ice7e7898804b7353ac4a8c49d871b1b2571d7a5f
Signed-off-by: Yu Ning <yu.ning@intel.com>

In goldfish kernel 3.10, the goldfish_tty device instantiates virtual
serial ports as /dev/ttyGF* (e.g. /dev/ttyGF0), not as /dev/ttyS* as in
goldfish kernel 3.4. However, in the emulator's SELinux security policy,
there is no specific security context assigned to /dev/ttyGF*, and the
one inherited from /dev (u:object_r:device:s0) prevents services such as
qemud and goldfish-logcat from reading and writing ttyGF*. Consequently,
qemud terminates abnormally on the classic x86_64 emulator:

    init: Service 'qemud' (pid XXX) exited with status 1

Fix this issue by assigning /dev/ttyGF* the same security context as
/dev/ttyS*.
Change-Id: Ia7394dc217bd82f566c4d1b7eda3cc8ce3ac612f
Signed-off-by: Yu Ning <yu.ning@intel.com>

In goldfish kernel 3.10, qemu_pipe has been renamed to goldfish_pipe.
However, in the emulator's SELinux policy, there is no specific security
context assigned to /dev/goldfish_pipe, and the one inherited from /dev
(u:object_r:device:s0) prevents various processes (qemud, qemu-props,
etc.) from reading and writing goldfish_pipe. Consequently, the classic
x86_64 emulator will not boot if GPU emulation is enabled ("-gpu host"),
and does not render the UI correctly if launched with "-gpu off".
Fix this issue by assigning /dev/goldfish_pipe the same security context
as /dev/qemu_pipe.
This CL also benefits the new ("ranchu") emulator, where all supported
ABIs (arm64, mips64, x86 and x86_64) use 3.10-based kernels. Without
this fix, the new emulator boots and works, but there are avc denials
related to goldfish_pipe.
Last but not least, it is now possible to boot the classic x86 emulator
with a 3.10-based kernel instead of the current 3.4-based one, without
disabling SELinux.
Change-Id: Iad979c0ee9d0a410be12b83ac1bef9476b50a6dc
Signed-off-by: Yu Ning <yu.ning@intel.com>
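
The labeling gap described in the two commit messages above (/dev/ttyGF* and /dev/goldfish_pipe), as an added example that is not part of these changes or of the AOSP tree: a simplified Python model of file_contexts lookup showing why an unlisted node falls back to u:object_r:device:s0 and how one added entry relabels it. The entries are constructed, serial_device and qemu_device are assumed type names, and the model ignores the file-type field; it also covers the literal /dev/ttyS2 entry from the first commit.

```python
import re

# Constructed file_contexts entries, not the project's actual file.
# serial_device and qemu_device are assumed type names; device:s0 and
# console_device are the labels named in the commit messages.
BEFORE = """
/dev/ttyS2        u:object_r:console_device:s0
/dev(/.*)?        u:object_r:device:s0
/dev/ttyS[0-9]*   u:object_r:serial_device:s0
/dev/qemu_pipe    u:object_r:qemu_device:s0
"""
AFTER = BEFORE + """
/dev/ttyGF[0-9]*    u:object_r:serial_device:s0
/dev/goldfish_pipe  u:object_r:qemu_device:s0
"""

META = set(".^$?*+|[({\\")  # characters that make a spec a regex


def parse(text):
    """Return (pattern, context) specs ordered the way libselinux sorts them:
    regex specs first, literal specs last, file order kept within each group."""
    specs = [tuple(line.split()[:2]) for line in text.splitlines()
             if line.strip() and not line.lstrip().startswith("#")]
    regex = [s for s in specs if META & set(s[0])]
    literal = [s for s in specs if not META & set(s[0])]
    return regex + literal


def lookup(specs, path):
    """Search from the end so the last matching spec wins; patterns are anchored."""
    for pattern, context in reversed(specs):
        if re.fullmatch(pattern, path):
            return context
    return None


def relabeled(before, after, paths):
    """Map each path whose context differs between two policies to (old, new)."""
    b, a = parse(before), parse(after)
    return {p: (lookup(b, p), lookup(a, p))
            for p in paths if lookup(b, p) != lookup(a, p)}


if __name__ == "__main__":
    nodes = ["/dev/ttyS0", "/dev/ttyS2", "/dev/ttyGF0", "/dev/goldfish_pipe"]
    for path, (old, new) in relabeled(BEFORE, AFTER, nodes).items():
        print(f"{path}: {old} -> {new}")
```

Running relabeled() over the device nodes a kernel update introduces is a quick way to spot nodes that would silently inherit the generic /dev label.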

For ART testing, we need:
1) A larger userdata partition. A lot of files end up there as it
   is multi-arch.
2) Don't strip prebuilts. Technically we only care about core-libart,
   but this is the best high-level change that doesn't impact other
   files.
Change-Id: Ic36bfcf80ba50a602752ca0a3031dda89a0f3051

Define BOARD_SEPOLICY_DIRS for the arm64, mips64, and x86_64
emulator targets. As a first cut, simply inherit from the
existing policy directories used for generic and generic_x86.
We may need further board-specific policy added for these targets
but testing will require first enabling SELinux in the relevant
kernel configs.
Change-Id: I7b4459b32298698fc2908cbbdd0e3afadbe5ac24
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

As suggested in the comments on
https://android-review.googlesource.com/#/c/141560/
drop BOARD_SEPOLICY_UNION and simplify the build_policy logic.
Union all files found under BOARD_SEPOLICY_DIRS.
Change-Id: I4214893c999c23631f5456cb1b8edd59771ef13b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

The extra system space is needed for mips64r6/mips32r6 quick
mode images and the extra userdata is needed to run ART tests.
Change-Id: I96dc1553d950dcf046b57feff10a369e9155bd4d

This was only needed for platform builds, and was removed in the gap between
armv5 being removed and being added back again for tapas builds. Otherwise it
would have been removed back then.
(I suspect that we don't need the system.prop file in here, either, but I
don't really know how to test that.)
Change-Id: I212ff7b3568b5d5ff3cc66150ec7c4fa0b8cac92

When building a generic arm 32-bit target, we also want to include
support for the ranchu board model for the updated Android emulator
based on recent upstream QEMU.
Since the emulator.mk file is included by both the generic and
generic_arm64 targets and already defines a PRODUCT_COPY_FILES and
PRODUCT_PACKAGES, move duplicate entries from
target/board/generic*/device.mk to target/product/emulator.mk.
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Change-Id: I7922ec0c4097776a185dbb245301d760ff332386

Switch the qemud domain from unconfined_domain() to
permissive_or_unconfined() so that we can start collecting and
addressing denials in -userdebug/-eng builds.
Also allow access to the serial device.
Change-Id: I9c7a6ddc8c2e64bfc6c5bb896eed1729ab205d60
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This assigns block device types as per device/generic/goldfish/fstab.goldfish.
Eliminates (permissive) avc: denied messages for fsck.
Change-Id: Ia72bdfb16975f051548b6b2c0636e4f907295789
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Allow apps running with any level to write to it.
Change-Id: I8fca1f377e14c624db5273bdacf8400addc6210d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>