This patch decreases userdata image size due to partition size
changes in u-boot[1].
from project https://android.googlesource.com/platform/external/u-boot
commit: 528920f94ef22f9e5cf183cc193246e01280c65e
Signed-off-by: Mykhailo Sopiha <mykhailo.sopiha@linaro.org>
Signed-off-by: Praneeth Bajjuri <praneeth@ti.com>

Signed-off-by: Mykhailo Sopiha <mykhailo.sopiha@linaro.org>

Allow ueventd to request the kernel to load modules
Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>
Acked-by: Praneeth Bajjuri <praneeth@ti.com>

This reverts commit 1f229f1307e374b2d7e2a6041b5ffdf4441ff305.
Now that we have proper sepolicy rule in place and touchscreen works fine,
let's enable dynamic kernel module loading again (instead of loading the
modules on init).
Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>
Signed-off-by: Praneeth Bajjuri <praneeth@ti.com>

Allow ueventd daemon to load modules in response to modalias events.
This patch makes dynamic kernel module loading work in 'enforcing' mode.
Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>

Signed-off-by: Hongmei Gou <a0271529@ti.com>

Disable a routine way of booting up the wificond service.
Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>

Allow system_server to update timerslack_ns for hal_audio_default.
The patch is based on commit [1] and ensures the elimination of the SELinux
warning during audio/video playback:
avc: denied { write } for pid=321 comm="Binder:321_6"
name="timerslack_ns" dev="proc" ino=21459 scontext=u:r:system_server:s0
tcontext=u:r:hal_audio_default:s0 tclass=file permissive=0
[1] https://android-review.googlesource.com/c/platform/system/sepolicy/+/647420
Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>

Mark /system/lib/vndk-sp/hw path as 'sp-hal' namespace.
This patch fixes SELinux messages like:
avc: denied { open } for pid=222 comm="HwBinder:222_5"
path="/system/lib/vndk-sp/hw" dev="mmcblk1p10" ino=799
scontext=u:r:mediacodec:s0 tcontext=u:object_r:system_file:s0 tclass=dir
permissive=1
Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>
Acked-by: Mykhailo Sopiha <mykhailo.sopiha@linaro.org>

Associate the proc_net filesystem with the proc filesystem.
This patch fixes the following SELinux message:
avc: denied { associate } for pid=141 comm="Binder:141_2"
name="globalAlert" scontext=u:object_r:proc_net:s0
tcontext=u:object_r:proc:s0 tclass=filesystem permissive=1
Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>

Allow access for memtrack to sync device file.
This patch fixes the following SELinux message:
avc: denied { map } for pid=169 comm="android.hardwar"
path="/dev/pvrsrvkm" dev="tmpfs" ino=9924
scontext=u:r:hal_memtrack_default:s0 tcontext=u:object_r:gpu_device:s0
tclass=chr_file permissive=1
Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>

Allow system_server to load input device configurations.
This patch fixes the following SELinux message:
avc: denied { map } for pid=326 comm="InputReader"
path="/vendor/usr/idc/pixcir_tangoc.idc" dev="mmcblk1p11" ino=14
scontext=u:r:system_server:s0 tcontext=u:object_r:vendor_file:s0
tclass=file permissive=1
Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>

These are not available anymore, drop them.
Signed-off-by: Andrew F. Davis <afd@ti.com>

This file is empty and not needed anymore.
Signed-off-by: Andrew F. Davis <afd@ti.com>

This patch removes all wifi configuration parameters.
Fixes monkeytest wifi-related nullpointer dereferences.
Signed-off-by: Mykhailo Sopiha <mykhailo.sopiha@linaro.org>

This reverts commit 4a0699e373861e9f8967eb4e42256e54b84bc64d.
System error with a report "Internal problem with your device".
This could be due to missing treble /sepolicy fixes on o-mr1 too.
Kernel module (touchscreen) needs to be initialized late on o-mr1.
So reverting for now. Re-enable the feature when all the needed fixes
for udev dynamic module loading are identified.
Signed-off-by: Praneeth Bajjuri <praneeth@ti.com>

This patch allows selinux enforced board to boot up. For this some
vendor libs are marked as Same-Process HAL.
Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>

android.hardware.cas@1.0-service communicates to other vendor
components via /dev/vndbinder.
(/hardware/interfaces/cas/1.0/default/service.cpp):
android::ProcessState::initWithDriver("/dev/vndbinder");
At bootup SELinux shows message:
avc: denied { open } for pid=165 comm="android.hardwar"
path="/dev/vndbinder" dev="tmpfs" ino=5362
scontext=u:r:hal_cas_default:s0 tcontext=u:object_r:vndbinder_device:s0
tclass=chr_file permissive=1
A rule was added that allows the vndbinder to be used by the
conditional access system.

The hwcomposer module uses the kernel messages interface
(NETLINK_KOBJECT_UEVENT) (hardware/ti/dra7xx/hwcomposer/hwc.cc):
uevent_init();
...
The sepolicy that allows operations with the uevent socket was added.
Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>

android.hardware.graphics.composer@2.1-service communicates to other
vendor components via /dev/vndbinder.
(/hardware/interfaces/graphics/composer/2.1/default/service.cpp):
android::ProcessState::initWithDriver("/dev/vndbinder");
At bootup SELinux shows message:
avc: denied { open } for pid=169 comm="android.hardwar"
path="/dev/vndbinder" dev="tmpfs" ino=5362 ioctlcmd=0x6209
scontext=u:r:hal_graphics_composer_default:s0
tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
A rule was added that allows the vndbinder to be used by
graphics.composer@1.0-service.
Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>

The 'netd' daemon requires access to /proc/net items, for example [1]:
asprintf(&fname, "/proc/net/xt_quota/%s", quotaName);
fp = fopen(fname, "we");
Rules were added for manipulations with the /proc/net filesystem.
[1] system/netd/server/BandwidthController.cpp
Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>

Generic init.rc contains the commands for write operations to /proc and
/sys, for example:
write /proc/sys/kernel/sysrq 0
write /sys/class/leds/vibrator/trigger "transient"
but generic sepolicies don't contain the corresponding rules.
The permissions for access to /proc and /sys were added.
Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>

Generic init.rc contains the commands for creating cgroup nodes, for
example:
mkdir /dev/memcg 0700 root system
mount cgroup none /dev/memcg memory
but generic sepolicies don't contain the corresponding rules.
Also generic zygote .rc files contain commands for writing PIDs to the
process list in cgroup nodes. These commands can require the creating
permission.
The creating permissions for the 'init' and 'zygote' processes were added.
Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>

SELinux was generating warnings about vndservicemanager attempts to
gain access to the event tags storage (/dev/event-log-tags) for the map
action. That used to happen once during the boot process as a consequence
of the initialisation of the selinux handler in module
frameworks/native/cmds/servicemanager/service_manager.c:
sehandle = selinux_android_vendor_service_context_handle();
In the context of this initialisation the selinux_log function is executed,
which causes a call to /dev/event-log-tags. Unwinding the subsequent calls
leads to the __write_to_log_daemon function in module
system/core/liblog/logger_write.c. This function contains the code which
interacts with EventTagMap data. As a result this code runs in the
vndservicemanager context.
A sepolicy dontaudit for vndservicemanager for the map action is generated.
Change-Id: I21cc555a44731b9734d09eff63eda447de2df366
Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>

init.rc contains a write instruction for managing the alignment:
write /proc/cpu/alignment 4
As a result SELinux generates warnings:
avc: denied { write } for pid=1 comm="init" name="alignment" dev="proc"
ino=4026532139 scontext=u:r:init:s0 tcontext=u:object_r:proc:s0
tclass=file permissive=1
avc: denied { open } for pid=1 comm="init" path="/proc/cpu/alignment"
dev="proc" ino=4026532139 scontext=u:r:init:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1
The generated policy allows write access for 'init' to
/proc/cpu/alignment
Change-Id: I0b94aa79d94722393f2ed9d5f5e158c13f657dd4
Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>
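The two denials quoted in the commit message above can be turned into a candidate rule mechanically. The Python below is an added example, not code from this commit or the project's policy; `SAMPLE_LOG` is constructed from the lines in the message and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials quoted in the commit message above,
# wrapped across lines the way the message wraps them.
SAMPLE_LOG = '''avc: denied { write } for pid=1 comm="init" name="alignment" dev="proc"
ino=4026532139 scontext=u:r:init:s0 tcontext=u:object_r:proc:s0
tclass=file permissive=1
avc: denied { open } for pid=1 comm="init" path="/proc/cpu/alignment"
dev="proc" ino=4026532139 scontext=u:r:init:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1
'''

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_records(text):
    """Re-join wrapped lines; a new record starts at each 'avc:' marker."""
    records = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if "avc:" in line or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_denial(record):
    """Return (source type, target type, class, perms, permissive) or None."""
    m = PERMS_RE.search(record)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(record)}
    try:
        # A context is user:role:type:level; policy rules name the type.
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        return (source, target, fields["tclass"], m.group(1).split(),
                fields.get("permissive") == "1")
    except (AttributeError, KeyError, IndexError):
        return None  # not a complete denial record

def candidate_rules(text):
    """Merge denials per (source, target, class) into candidate allow rules."""
    merged = defaultdict(set)
    for parsed in map(parse_denial, split_records(text)):
        if parsed:
            merged[parsed[:3]].update(parsed[3])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]
```

The candidate names the generic `proc` type rather than a path, so it covers more than /proc/cpu/alignment. The revert further down this log shows libsepol rejecting rules such as `init proc:dir { write add_name }` under neverallow, so generated candidates need review before they go into policy.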

android.hardware.drm@1.0-service communicates to other vendor
components via /dev/vndbinder.
(hardware\interfaces\drm\1.0\default\service.cpp):
android::ProcessState::initWithDriver("/dev/vndbinder");
At bootup SELinux shows message:
avc: denied { read } for comm="android.hardwar" name="vndbinder"
dev="tmpfs" ino=5320 scontext=u:r:hal_drm_default:s0
tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=0
A rule was added that allows the vndbinder to be used by drm@1.0-service.
Change-Id: I81974cd4d4bfdf482bddd11bad5aaf6d9ba6435c
Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>

Add rule for 'healthd' daemon for access to wake_alarm.
Change-Id: I4258e66503693f2d7500f1f86e7360c08a607b66
Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>

This commit disables audit for dac_read_search for the following domains:
- init
- vold
- zygote
- installd
- lmkd
These processes already have 'dac_override' capability with greater
permissions. Also the presence of both capabilities in kernel 4.14+
causes warnings with dac_read_search denials, but access is allowed
anyway.
Change-Id: Ifb35fc83267201a51a0f1565ec98132d2e439728
Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>

This patch switches default framework compatibility
matrix to legacy. It is done to turn off the gatekeeper
as a mandatory hal when treble is on.
Signed-off-by: Mykhailo Sopiha <mykhailo.sopiha@linaro.org>
Acked-by: Praneeth Bajjuri <praneeth@ti.com>

This patch sets ro.treble.enabled option to true, configures build and allows
board to boot to UI. For the above, the following was done:
- Enabled FULL_TREBLE and vndk support in device.mk
- Enforced VINTF manifest as part of treble requirements
- Added compatibility matrix to match device manifest and pass prebuild checks
- Added missing services for compatibility matrix
- Changed raw copying of device manifest with core build variable
- Extended device manifest with missing hals
Change-Id: Id08af9a66d95bdf8496ce793eeef6060c519802c
Signed-off-by: Mykhailo Sopiha <mykhailo.sopiha@linaro.org>
Acked-by: Praneeth Bajjuri <praneeth@ti.com>

Signed-off-by: Andrew F. Davis <afd@ti.com>
Acked-by: Praneeth Bajjuri <praneeth@ti.com>

Kernel disabled support of legacy lvl7
(both on 32 and 64 bit boards) hwbinder API due to aosp updates.
That is why hwbinder API lvl 8 only is used for both
32 and 64 bit platforms since that update.
Need to enable TARGET_USES_64_BIT_BINDER to fix binder protocol
mismatch and opening errors.
Signed-off-by: Mykhailo Sopiha <mykhailo.sopiha@linaro.org>
Signed-off-by: Praneeth Bajjuri <praneeth@ti.com>

Removing vpetest from list of product packages for installation.
Change-Id: I83ffa53afd914a759cc211a543374b81cd1cd1cb
Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>
Acked-by: Andrew F. Davis <afd@ti.com>
[praneeth@ti.com: minor edit: whitespace error]
Signed-off-by: Praneeth Bajjuri <praneeth@ti.com>

During CTS execution the maximum available heap was reached.
This commit expands max heap by changing dalvik-heap.mk
This fixes OOM errors during CTS full test plan execution.
Change-Id: I9aaf9327081eb6a3fad870517b9d657deab2b201
Signed-off-by: Mykhailo Sopiha <mykhailo.sopiha@linaro.org>

Signed-off-by: Hongmei Gou <a0271529@ti.com>
Reviewed-by: Sam Protsenko <semen.protsenko@linaro.org>

This reverts commit c9981037c95dfcfaeedc2b20445545291754bef0.
This causes build failure on android master and further needs
investigation
libsepol.report_failure: neverallow on system/sepolicy/public/domain.te violated by
allow zygote cgroup:file { create };
init cgroup:file { create };
init proc:dir { write add_name };
init sysfs:dir { add_name };
zygote zygote:capability { dac_read_search };
installd installd:capability { dac_read_search };
init init:capability { dac_read_search };
vold vold:capability { dac_read_search };
surfaceflinger surfaceflinger:capability { dac_override };
libsepol.check_assertions: 9 neverallow failures occurred
Error while expanding policy
Signed-off-by: Praneeth Bajjuri <praneeth@ti.com>

add vndk_package and libunwind as this is needed for
aosp master build
Change-Id: I027877d3401ae1bcca97d1397fd3894d17a00fdb
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
[praneeth@ti.com: cherry-pick to ti android baseline]
Signed-off-by: Praneeth Bajjuri <praneeth@ti.com>

This is more in line with other vendors who use clickwrap archives
to store binaries that extract into vendor/ based directories.
Signed-off-by: Andrew F. Davis <afd@ti.com>

None of the supported platforms, AM572x EVM, AM57xx IDK, nor BeagleBoard
X15 have on-board WiFi. Remove these definitions that incorrectly declare
we have a WL12xx module.
Signed-off-by: Andrew F. Davis <afd@ti.com>

We do not use Launcher2 anymore, remove these unused
configuration overlays.
Signed-off-by: Andrew F. Davis <afd@ti.com>

remove pru eth and icss support inherited during previous android
version.
This should be added back when all of the applicable changes are ready.
Signed-off-by: Praneeth Bajjuri <praneeth@ti.com>

remove IPU2 M4 FW packaging and build from am57xevm android
sdk
Signed-off-by: Praneeth Bajjuri <praneeth@ti.com>

remove LDC 3001 touch controller support as this is not present on
am57xevm platform variants.
Signed-off-by: Praneeth Bajjuri <praneeth@ti.com>

cleanup:
remove inapplicable selinux policy for APPE service (doesn't exist anymore).
Signed-off-by: Praneeth Bajjuri <praneeth@ti.com>

remove 2D Blitter GC320 module initialization from init
Signed-off-by: Praneeth Bajjuri <praneeth@ti.com>

remove cmem service and associated service and selinux policy,
as this is not applicable for targeted am57xevm
android sdk.
Signed-off-by: Praneeth Bajjuri <praneeth@ti.com>

On am57xevm we hold a dummy wake lock via init*.rc.
Add sepolicy rule to cover this.
Change-Id: Ibc7117daede874edd7b9e959fdfacd7815a21842
Signed-off-by: Vishal Mahaveer <vishalm@ti.com>
[praneeth@ti.com: cherry-pick to device/ti/am57xevm and minor
commitmsg update]
Signed-off-by: Praneeth Bajjuri <praneeth@ti.com>

The "DUCATI" video accelerators are not currently supported. Remove
their definition here.
Signed-off-by: Andrew F. Davis <afd@ti.com>
Signed-off-by: Praneeth Bajjuri <praneeth@ti.com>

Update SELinux policies for Android boot process.
Android can boot to UI in enforced mode. Further
Android working logs should be captured and checked
for SE warnings. Policies should be updated due to
new warnings appearing in logs.
Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>

Turn off all BT components from device config.
Signed-off-by: Mykhailo Sopiha <mykhailo.sopiha@linaro.org>