emulator: move sepolicy to goldfish project
The sepolicies are emulator-specific and are installed under the vendor partition; move them to the right location. This CL does not impact real devices, as the SELinux rules are for the emulator only. BUG: 110030159 Change-Id: I6acc27a3b787a3fafd9373c84492537185b184c5 Merged-In: I6acc27a3b787a3fafd9373c84492537185b184c5
parent
941f8e102c
commit
0d749a7a3e
|
@ -77,7 +77,7 @@ BOARD_USES_METADATA_PARTITION := true
|
|||
BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4
|
||||
BOARD_CACHEIMAGE_PARTITION_SIZE := 16777216
|
||||
|
||||
BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
|
||||
BOARD_SEPOLICY_DIRS += device/generic/goldfish/sepolicy/common
|
||||
BOARD_PROPERTY_OVERRIDES_SPLIT_ENABLED := true
|
||||
|
||||
# Android Verified Boot (AVB):
|
||||
|
|
|
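Review bot: The added `BOARD_SEPOLICY_DIRS += device/generic/goldfish/sepolicy/common` line makes this board's SELinux policy depend on a directory in a separate project, and nothing in BoardConfig records that coupling. The types the deleted files declared (for example `qemu_prop`, `qemu_device`, `varrun_file`, `nsfs`) are now defined only there, so a checkout where device/generic/goldfish is not synced to the matching change would likely either fail to compile the policy, if anything still references those types, or build one without the emulator rules if the directory is simply absent. Confirm the goldfish-side change lands together with this one, and add a comment above the line such as `# Emulator SELinux policy lives in device/generic/goldfish/sepolicy; keep that project in sync with this change.` The BoardConfig continues outside the hunk.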
@ -1,4 +0,0 @@
|
|||
jeffv@google.com
|
||||
dcashman@google.com
|
||||
jbires@google.com
|
||||
sspatil@google.com
|
|
@ -1 +0,0 @@
|
|||
set_prop(adbd, ctl_mdnsd_prop);
|
|
@ -1 +0,0 @@
|
|||
allow audioserver bootanim:binder call;
|
|
@ -1,9 +0,0 @@
|
|||
allow bootanim self:process execmem;
|
||||
allow bootanim ashmem_device:chr_file execute;
|
||||
#TODO: This can safely be ignored until b/62954877 is fixed
|
||||
dontaudit bootanim system_data_file:dir read;
|
||||
|
||||
allow bootanim graphics_device:chr_file { read ioctl open };
|
||||
|
||||
typeattribute bootanim system_writes_vendor_properties_violators;
|
||||
set_prop(bootanim, qemu_prop)
|
|
@ -1,2 +0,0 @@
|
|||
allow cameraserver system_file:dir { open read };
|
||||
allow cameraserver hal_allocator:fd use;
|
|
@ -1,14 +0,0 @@
|
|||
# Network namespace creation
|
||||
type createns, domain;
|
||||
type createns_exec, exec_type, vendor_file_type, file_type;
|
||||
|
||||
init_daemon_domain(createns)
|
||||
|
||||
allow createns self:capability { sys_admin net_raw setuid setgid };
|
||||
allow createns varrun_file:dir { add_name search write };
|
||||
allow createns varrun_file:file { create mounton open read write };
|
||||
|
||||
#Allow createns itself to be run by init in its own domain
|
||||
domain_auto_trans(goldfish_setup, createns_exec, createns);
|
||||
allow createns goldfish_setup:fd use;
|
||||
|
|
@ -1 +0,0 @@
|
|||
type qemu_device, dev_type, mlstrustedobject;
|
|
@ -1,20 +0,0 @@
|
|||
# DHCP client
|
||||
type dhcpclient, domain;
|
||||
type dhcpclient_exec, exec_type, vendor_file_type, file_type;
|
||||
|
||||
init_daemon_domain(dhcpclient)
|
||||
net_domain(dhcpclient)
|
||||
|
||||
allow dhcpclient execns:fd use;
|
||||
|
||||
set_prop(dhcpclient, net_eth0_prop);
|
||||
allow dhcpclient self:capability { net_admin net_raw };
|
||||
allow dhcpclient self:udp_socket create;
|
||||
allow dhcpclient self:netlink_route_socket { write nlmsg_write };
|
||||
allow dhcpclient varrun_file:dir search;
|
||||
allow dhcpclient self:packet_socket { create bind write read };
|
||||
allowxperm dhcpclient self:udp_socket ioctl { SIOCSIFFLAGS
|
||||
SIOCSIFADDR
|
||||
SIOCSIFNETMASK
|
||||
SIOCSIFMTU
|
||||
SIOCGIFHWADDR };
|
|
@ -1,12 +0,0 @@
|
|||
# DHCP server
|
||||
type dhcpserver, domain;
|
||||
type dhcpserver_exec, exec_type, vendor_file_type, file_type;
|
||||
|
||||
init_daemon_domain(dhcpserver)
|
||||
net_domain(dhcpserver)
|
||||
|
||||
allow dhcpserver execns:fd use;
|
||||
|
||||
get_prop(dhcpserver, net_eth0_prop);
|
||||
allow dhcpserver self:udp_socket { ioctl create setopt bind };
|
||||
allow dhcpserver self:capability { net_raw net_bind_service };
|
|
@ -1,3 +0,0 @@
|
|||
allow domain qemu_device:chr_file rw_file_perms;
|
||||
|
||||
get_prop(domain, qemu_prop)
|
|
@ -1,27 +0,0 @@
|
|||
# Network namespace transitions
|
||||
type execns, domain;
|
||||
type execns_exec, exec_type, vendor_file_type, file_type;
|
||||
|
||||
init_daemon_domain(execns)
|
||||
|
||||
allow execns varrun_file:dir search;
|
||||
allow execns varrun_file:file r_file_perms;
|
||||
allow execns self:capability { sys_admin setuid setgid };
|
||||
allow execns nsfs:file { open read };
|
||||
|
||||
#Allow execns itself to be run by init in its own domain
|
||||
domain_auto_trans(init, execns_exec, execns);
|
||||
|
||||
# Allow dhcpclient to be run by execns in its own domain
|
||||
domain_auto_trans(execns, dhcpclient_exec, dhcpclient);
|
||||
|
||||
# Allow dhcpserver to be run by execns in its own domain
|
||||
domain_auto_trans(execns, dhcpserver_exec, dhcpserver);
|
||||
|
||||
# Allow hostapd_nohidl to be run by execns in its own domain
|
||||
domain_auto_trans(execns, hostapd_nohidl_exec, hostapd_nohidl);
|
||||
|
||||
# Allow execns to read createns proc file to get the namespace file
|
||||
allow execns createns:file read;
|
||||
allow execns createns:dir search;
|
||||
allow execns createns:lnk_file read;
|
|
@ -1,4 +0,0 @@
|
|||
type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
|
||||
type varrun_file, file_type, data_file_type, mlstrustedobject;
|
||||
type mediadrm_vendor_data_file, file_type, data_file_type;
|
||||
type nsfs, fs_type;
|
|
@ -1,47 +0,0 @@
|
|||
# goldfish
|
||||
/dev/block/mtdblock0 u:object_r:system_block_device:s0
|
||||
/dev/block/mtdblock1 u:object_r:userdata_block_device:s0
|
||||
/dev/block/mtdblock2 u:object_r:cache_block_device:s0
|
||||
|
||||
# ranchu
|
||||
/dev/block/vda u:object_r:system_block_device:s0
|
||||
/dev/block/vdb u:object_r:cache_block_device:s0
|
||||
/dev/block/vdc u:object_r:userdata_block_device:s0
|
||||
/dev/block/vdd u:object_r:metadata_block_device:s0
|
||||
/dev/block/vde u:object_r:system_block_device:s0
|
||||
|
||||
/dev/goldfish_pipe u:object_r:qemu_device:s0
|
||||
/dev/goldfish_sync u:object_r:qemu_device:s0
|
||||
/dev/qemu_.* u:object_r:qemu_device:s0
|
||||
/dev/ttyGF[0-9]* u:object_r:serial_device:s0
|
||||
/dev/ttyS2 u:object_r:console_device:s0
|
||||
/vendor/bin/init\.ranchu-core\.sh u:object_r:goldfish_setup_exec:s0
|
||||
/vendor/bin/init\.ranchu-net\.sh u:object_r:goldfish_setup_exec:s0
|
||||
/vendor/bin/init\.wifi\.sh u:object_r:goldfish_setup_exec:s0
|
||||
/vendor/bin/qemu-props u:object_r:qemu_props_exec:s0
|
||||
/vendor/bin/createns u:object_r:createns_exec:s0
|
||||
/vendor/bin/execns u:object_r:execns_exec:s0
|
||||
/vendor/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0
|
||||
/vendor/bin/dhcpclient u:object_r:dhcpclient_exec:s0
|
||||
/vendor/bin/dhcpserver u:object_r:dhcpserver_exec:s0
|
||||
/vendor/bin/hostapd_nohidl u:object_r:hostapd_nohidl_exec:s0
|
||||
|
||||
/vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0
|
||||
|
||||
/vendor/lib(64)?/hw/gralloc\.ranchu\.so u:object_r:same_process_hal_file:s0
|
||||
/vendor/lib(64)?/hw/gralloc\.goldfish\.default\.so u:object_r:same_process_hal_file:s0
|
||||
/vendor/lib(64)?/libEGL_emulation\.so u:object_r:same_process_hal_file:s0
|
||||
/vendor/lib(64)?/libGLESv1_CM_emulation\.so u:object_r:same_process_hal_file:s0
|
||||
/vendor/lib(64)?/libGLESv2_emulation\.so u:object_r:same_process_hal_file:s0
|
||||
/vendor/lib(64)?/libEGL_swiftshader\.so u:object_r:same_process_hal_file:s0
|
||||
/vendor/lib(64)?/libGLESv1_CM_swiftshader\.so u:object_r:same_process_hal_file:s0
|
||||
/vendor/lib(64)?/libGLESv2_swiftshader\.so u:object_r:same_process_hal_file:s0
|
||||
/vendor/lib(64)?/libOpenglSystemCommon\.so u:object_r:same_process_hal_file:s0
|
||||
/vendor/lib(64)?/lib_renderControl_enc\.so u:object_r:same_process_hal_file:s0
|
||||
/vendor/lib(64)?/libGLESv1_enc\.so u:object_r:same_process_hal_file:s0
|
||||
/vendor/lib(64)?/libGLESv2_enc\.so u:object_r:same_process_hal_file:s0
|
||||
|
||||
# data
|
||||
/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
|
||||
/data/vendor/var/run(/.*)? u:object_r:varrun_file:s0
|
||||
|
|
@ -1,20 +0,0 @@
|
|||
# On the emulator, device tree dir is configured to be
|
||||
# /sys/bus/platform/devices/ANDR0001:00/properties/android/ which is a symlink to
|
||||
# /sys/devices/platform/ANDR0001:00/properties/android/
|
||||
genfscon sysfs /devices/platform/ANDR0001:00/properties/android u:object_r:sysfs_dt_firmware_android:s0
|
||||
|
||||
# We expect /sys/class/power_supply/* and everything it links to to be labeled
|
||||
# as sysfs_batteryinfo.
|
||||
genfscon sysfs /devices/platform/GFSH0001:00/power_supply u:object_r:sysfs_batteryinfo:s0
|
||||
|
||||
# /sys/class/rtc
|
||||
genfscon sysfs /devices/pnp0/00:00/rtc u:object_r:sysfs_rtc:s0
|
||||
genfscon sysfs /devices/platform/GFSH0007:00/rtc u:object_r:sysfs_rtc:s0
|
||||
|
||||
# /sys/class/net
|
||||
genfscon sysfs /devices/pci0000:00/0000:00:08.0/virtio5/net u:object_r:sysfs_net:s0
|
||||
genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim0/net u:object_r:sysfs_net:s0
|
||||
genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim1/net u:object_r:sysfs_net:s0
|
||||
|
||||
# /proc/<pid>/ns
|
||||
genfscon nsfs / u:object_r:nsfs:s0
|
|
@ -1,47 +0,0 @@
|
|||
# goldfish-setup service: runs init.goldfish.sh script
|
||||
type goldfish_setup, domain;
|
||||
type goldfish_setup_exec, vendor_file_type, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(goldfish_setup)
|
||||
|
||||
# TODO(b/79502552): Invalid property access from emulator vendor
|
||||
#set_prop(goldfish_setup, debug_prop);
|
||||
allow goldfish_setup self:capability { net_admin net_raw };
|
||||
allow goldfish_setup self:udp_socket { create ioctl };
|
||||
allow goldfish_setup vendor_toolbox_exec:file execute_no_trans;
|
||||
allowxperm goldfish_setup self:udp_socket ioctl priv_sock_ioctls;
|
||||
wakelock_use(goldfish_setup);
|
||||
allow goldfish_setup vendor_shell_exec:file { rx_file_perms };
|
||||
|
||||
# Set system properties to start services
|
||||
set_prop(goldfish_setup, ctl_default_prop);
|
||||
|
||||
# Set up WiFi
|
||||
allow goldfish_setup self:netlink_route_socket { create nlmsg_write setopt bind getattr read write nlmsg_read };
|
||||
allow goldfish_setup self:netlink_generic_socket create_socket_perms_no_ioctl;
|
||||
allow goldfish_setup self:capability { sys_module sys_admin };
|
||||
allow goldfish_setup varrun_file:dir { mounton open read write add_name search remove_name };
|
||||
allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink };
|
||||
allow goldfish_setup execns_exec:file rx_file_perms;
|
||||
allow goldfish_setup proc_net:file rw_file_perms;
|
||||
allow goldfish_setup proc:file r_file_perms;
|
||||
allow goldfish_setup nsfs:file r_file_perms;
|
||||
allow goldfish_setup system_data_file:dir getattr;
|
||||
allow goldfish_setup kernel:system module_request;
|
||||
set_prop(goldfish_setup, qemu_prop);
|
||||
get_prop(goldfish_setup, net_share_prop);
|
||||
# Allow goldfish_setup to run /system/bin/ip and /system/bin/iw
|
||||
allow goldfish_setup system_file:file execute_no_trans;
|
||||
# Allow goldfish_setup to run init.wifi.sh
|
||||
allow goldfish_setup goldfish_setup_exec:file execute_no_trans;
|
||||
#Allow goldfish_setup to run createns in its own domain
|
||||
domain_auto_trans(goldfish_setup, createns_exec, createns);
|
||||
# iw
|
||||
allow goldfish_setup sysfs:file { read open };
|
||||
# iptables
|
||||
allow goldfish_setup system_file:file lock;
|
||||
allow goldfish_setup self:rawip_socket { create getopt setopt };
|
||||
# Allow goldfish_setup to read createns proc file to get the namespace file
|
||||
allow goldfish_setup createns:file { read };
|
||||
allow goldfish_setup createns:dir { search };
|
||||
allow goldfish_setup createns:lnk_file { read };
|
|
@ -1,3 +0,0 @@
|
|||
vndbinder_use(hal_camera_default);
|
||||
allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
|
||||
hal_client_domain(hal_camera_default, hal_graphics_composer)
|
|
@ -1 +0,0 @@
|
|||
vndbinder_use(hal_cas_default);
|
|
@ -1,2 +0,0 @@
|
|||
vndbinder_use(hal_drm_default);
|
||||
hal_client_domain(hal_drm_default, hal_graphics_composer)
|
|
@ -1,14 +0,0 @@
|
|||
# define SELinux domain
|
||||
type hal_drm_widevine, domain;
|
||||
hal_server_domain(hal_drm_widevine, hal_drm)
|
||||
|
||||
type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
|
||||
init_daemon_domain(hal_drm_widevine)
|
||||
|
||||
allow hal_drm mediacodec:fd use;
|
||||
allow hal_drm { appdomain -isolated_app }:fd use;
|
||||
|
||||
vndbinder_use(hal_drm_widevine);
|
||||
hal_client_domain(hal_drm_widevine, hal_graphics_composer);
|
||||
allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
|
||||
allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
|
|
@ -1,5 +0,0 @@
|
|||
# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
|
||||
# hal_fingerprint no longer directly accesses fingerprintd_data_file.
|
||||
typeattribute hal_fingerprint_default data_between_core_and_vendor_violators;
|
||||
allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
|
||||
allow hal_fingerprint_default fingerprintd_data_file:dir rw_dir_perms;
|
|
@ -1,3 +0,0 @@
|
|||
#============= hal_gnss_default ==============
|
||||
allow hal_gnss_default vndbinder_device:chr_file { ioctl open read write };
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
allow hal_graphics_allocator_default graphics_device:dir search;
|
||||
allow hal_graphics_allocator_default graphics_device:chr_file { ioctl open read write };
|
|
@ -1,3 +0,0 @@
|
|||
#============= hal_graphics_composer_default ==============
|
||||
allow hal_graphics_composer_default vndbinder_device:chr_file { ioctl open read write };
|
||||
|
|
@ -1 +0,0 @@
|
|||
allow hal_wifi_default hal_wifi_default:netlink_route_socket { create bind write read nlmsg_read };
|
|
@ -1,2 +0,0 @@
|
|||
# Allow to read /sys/class/power_supply directory
|
||||
allow healthd sysfs:dir r_dir_perms;
|
|
@ -1,16 +0,0 @@
|
|||
type hostapd_nohidl, domain;
|
||||
type hostapd_nohidl_exec, exec_type, vendor_file_type, file_type;
|
||||
|
||||
init_daemon_domain(hostapd_nohidl)
|
||||
net_domain(hostapd_nohidl)
|
||||
|
||||
allow hostapd_nohidl execns:fd use;
|
||||
|
||||
allow hostapd_nohidl self:capability { net_admin net_raw };
|
||||
allow hostapd_nohidl self:netlink_generic_socket { bind create getattr read setopt write };
|
||||
allow hostapd_nohidl self:netlink_route_socket nlmsg_write;
|
||||
allow hostapd_nohidl self:packet_socket { create setopt };
|
||||
allowxperm hostapd_nohidl self:udp_socket ioctl priv_sock_ioctls;
|
||||
|
||||
# hostapd will attempt to search sysfs but it's not needed and will spam the log
|
||||
dontaudit hostapd_nohidl sysfs_net:dir search;
|
|
@ -1,2 +0,0 @@
|
|||
allow init tmpfs:lnk_file create_file_perms;
|
||||
dontaudit init kernel:system module_request;
|
|
@ -1,16 +0,0 @@
|
|||
# IPv6 proxying
|
||||
type ipv6proxy, domain;
|
||||
type ipv6proxy_exec, exec_type, vendor_file_type, file_type;
|
||||
|
||||
init_daemon_domain(ipv6proxy)
|
||||
net_domain(ipv6proxy)
|
||||
|
||||
# Allow ipv6proxy to be run by execns in its own domain
|
||||
domain_auto_trans(execns, ipv6proxy_exec, ipv6proxy);
|
||||
allow ipv6proxy execns:fd use;
|
||||
|
||||
allow ipv6proxy self:capability { sys_admin sys_module net_admin net_raw };
|
||||
allow ipv6proxy self:packet_socket { bind create read };
|
||||
allow ipv6proxy self:netlink_route_socket nlmsg_write;
|
||||
allow ipv6proxy varrun_file:dir search;
|
||||
allowxperm ipv6proxy self:udp_socket ioctl { SIOCSIFFLAGS SIOCGIFHWADDR };
|
|
@ -1,13 +0,0 @@
|
|||
# goldfish logcat service: runs logcat -Q in logpersist domain
|
||||
|
||||
# See global logcat.te/logpersist.te, only set for eng & userdebug,
|
||||
# allow for all builds in a non-conflicting manner.
|
||||
|
||||
domain_auto_trans(init, logcat_exec, logpersist)
|
||||
|
||||
# Read from logd.
|
||||
unix_socket_connect(logpersist, logdr, logd)
|
||||
|
||||
# Write to /dev/ttyS2 and /dev/ttyGF2.
|
||||
allow logpersist serial_device:chr_file { write open };
|
||||
get_prop(logpersist, qemu_cmdline)
|
|
@ -1 +0,0 @@
|
|||
allow mediacodec system_file:dir { open read };
|
|
@ -1,3 +0,0 @@
|
|||
dontaudit netd self:capability sys_module;
|
||||
#TODO: This can safely be ignored until b/62954877 is fixed
|
||||
dontaudit netd kernel:system module_request;
|
|
@ -1,5 +0,0 @@
|
|||
#TODO: b/62908025
|
||||
dontaudit priv_app firstboot_prop:file { getattr open };
|
||||
dontaudit priv_app device:dir { open read };
|
||||
dontaudit priv_app proc_interrupts:file { getattr open read };
|
||||
dontaudit priv_app proc_modules:file { getattr open read };
|
|
@ -1,5 +0,0 @@
|
|||
type qemu_prop, property_type;
|
||||
type qemu_cmdline, property_type;
|
||||
type radio_noril_prop, property_type;
|
||||
type net_eth0_prop, property_type;
|
||||
type net_share_prop, property_type;
|
|
@ -1,8 +0,0 @@
|
|||
qemu. u:object_r:qemu_prop:s0
|
||||
qemu.cmdline u:object_r:qemu_cmdline:s0
|
||||
vendor.qemu u:object_r:qemu_prop:s0
|
||||
ro.emu. u:object_r:qemu_prop:s0
|
||||
ro.emulator. u:object_r:qemu_prop:s0
|
||||
ro.radio.noril u:object_r:radio_noril_prop:s0
|
||||
net.eth0. u:object_r:net_eth0_prop:s0
|
||||
net.shared_net_ip u:object_r:net_share_prop:s0
|
|
@ -1,10 +0,0 @@
|
|||
# qemu-props service: Sets system properties on boot.
|
||||
type qemu_props, domain;
|
||||
type qemu_props_exec, vendor_file_type, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(qemu_props)
|
||||
|
||||
set_prop(qemu_props, qemu_prop)
|
||||
# TODO(b/79502552): Invalid property access from emulator vendor
|
||||
#set_prop(qemu_props, qemu_cmdline)
|
||||
set_prop(qemu_props, qemu_cmdline)
|
|
@ -1,3 +0,0 @@
|
|||
# Allow the radio to read these properties, they only have an SELinux label in
|
||||
# the emulator.
|
||||
get_prop(radio, net_eth0_prop);
|
|
@ -1,3 +0,0 @@
|
|||
# Allow rild to read these properties, they only have an SELinux label in the
|
||||
# emulator.
|
||||
get_prop(rild, net_eth0_prop);
|
|
@ -1 +0,0 @@
|
|||
allow shell serial_device:chr_file rw_file_perms;
|
|
@ -1,5 +0,0 @@
|
|||
allow surfaceflinger self:process execmem;
|
||||
allow surfaceflinger ashmem_device:chr_file execute;
|
||||
|
||||
typeattribute surfaceflinger system_writes_vendor_properties_violators;
|
||||
set_prop(surfaceflinger, qemu_prop)
|
|
@ -1 +0,0 @@
|
|||
get_prop(system_server, radio_noril_prop)
|
|
@ -1 +0,0 @@
|
|||
set_prop(vendor_init, qemu_prop)
|
|
@ -1 +0,0 @@
|
|||
dontaudit vold kernel:system module_request;
|
|
@ -1,5 +0,0 @@
|
|||
typeattribute zygote system_writes_vendor_properties_violators;
|
||||
set_prop(zygote, qemu_prop)
|
||||
# TODO (b/63631799) fix this access
|
||||
# Suppress denials to storage. Webview zygote should not be accessing.
|
||||
dontaudit webview_zygote mnt_expand_file:dir getattr;
|
|
@ -94,7 +94,7 @@ BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4
|
|||
BOARD_CACHEIMAGE_PARTITION_SIZE := 16777216
|
||||
|
||||
BOARD_PROPERTY_OVERRIDES_SPLIT_ENABLED := true
|
||||
BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
|
||||
BOARD_SEPOLICY_DIRS += device/generic/goldfish/sepolicy/common
|
||||
|
||||
# Android Verified Boot (AVB):
|
||||
# Builds a special vbmeta.img that disables AVB verification.
|
||||
|
|
|
@ -67,8 +67,8 @@ BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4
|
|||
BOARD_CACHEIMAGE_PARTITION_SIZE := 16777216
|
||||
|
||||
BOARD_SEPOLICY_DIRS += \
|
||||
build/target/board/generic/sepolicy \
|
||||
build/target/board/generic_x86/sepolicy
|
||||
device/generic/goldfish/sepolicy/common \
|
||||
device/generic/goldfish/sepolicy/x86
|
||||
|
||||
# Android Verified Boot (AVB):
|
||||
# Builds a special vbmeta.img that disables AVB verification.
|
||||
|
|
|
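Review bot: The new `device/generic/goldfish/sepolicy/x86` entry replaces `build/target/board/generic_x86/sepolicy`, whose contents appear to be the files deleted later in this commit, including `process execmem` for `installd` and `zygote` and `sys_nice` for `healthd` and `zygote`; whether those grants were carried over unchanged, narrowed, or dropped is not visible here. Rules like execmem normally carry a justification, so the goldfish x86 policy should keep a comment naming why x86 emulation needs them, e.g. `# x86 emulator only: <reason execmem is required>`, and since the OWNERS file that required sepolicy-team review is removed from this tree, confirm the destination directory has an equivalent one. The BoardConfig continues outside the hunk.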
@ -1,4 +0,0 @@
|
|||
jeffv@google.com
|
||||
dcashman@google.com
|
||||
jbires@google.com
|
||||
sspatil@google.com
|
|
@ -1 +0,0 @@
|
|||
allow domain cpuctl_device:dir search;
|
|
@ -1 +0,0 @@
|
|||
allow healthd self:capability sys_nice;
|
|
@ -1 +0,0 @@
|
|||
allow init tmpfs:lnk_file create_file_perms;
|
|
@ -1 +0,0 @@
|
|||
allow installd self:process execmem;
|
|
@ -1,2 +0,0 @@
|
|||
allow zygote self:process execmem;
|
||||
allow zygote self:capability sys_nice;
|
|
@ -65,8 +65,8 @@ BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4
|
|||
BOARD_CACHEIMAGE_PARTITION_SIZE := 16777216
|
||||
|
||||
BOARD_SEPOLICY_DIRS += \
|
||||
build/target/board/generic/sepolicy \
|
||||
build/target/board/generic_x86/sepolicy
|
||||
device/generic/goldfish/sepolicy/common \
|
||||
device/generic/goldfish/sepolicy/x86
|
||||
|
||||
# Android Verified Boot (AVB):
|
||||
# Builds a special vbmeta.img that disables AVB verification.
|
||||
|
|
|
@ -61,4 +61,4 @@ BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4
|
|||
BOARD_FLASH_BLOCK_SIZE := 512
|
||||
TARGET_USERIMAGES_SPARSE_EXT_DISABLED := true
|
||||
|
||||
BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
|
||||
BOARD_SEPOLICY_DIRS += device/generic/goldfish/sepolicy/common
|
||||
|
|