Prevents this build error:
mkuserimg_mke2fs.py ERROR: Failed to run e2fsdroid_cmd: set_selinux_xattr: No such file or directory searching for label "/firmware"
Change-Id: Ia58a78edb01e21724ceedd64c2f5a0ae23018ff3
Some QCOM devices require sysfs to trigger boot/init which are blocking
the init process.
[ 7.453205] init: Command 'write /sys/kernel/boot_adsp/boot 1' action=post-fs-data (/init.angler.rc:166) returned 0 took 271.936ms.
This CL is to put those slow to start devices in a
separate service and wait for the service to be done later on.
Bug: 32712851
Test: On device
Change-Id: Idd4e965f122cbc8421b443a41573d363112dfa50
I have backported enough kernel stuff to align our implementation
with android-3.10.
Use ~500MB disk, 4 compression streams, lz4 compression.
Change-Id: I82ee5c43aefb732ee603bdf1ae190e5e9936e660
This moves cameraserver domain policy to do with Camera HAL running
inside that domain into hal_camera. cameraserver is now associated
with hal_camera.
Test: Taking photod and recording videos using Google Camera works
Bug: 34170079
Change-Id: I3031f1cdeebe0773f765adffa8c0bd617ab2cebd
(cherry picked from commit 15f5ee011a51e9e7574d1ecb1b82658281d294be)
Grant access to qualcomm camera daemon.
Bug: 28359909
Change-Id: I92520b4c9fe5d94a6c191f40963fec6b6ed1acb4
Remove the ioctl permission for most socket types. For others, such as
tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist
that individual domains may extend (except where neverallowed like
untrusted_app). Enforce via a neverallowxperm rule.
Change-Id: I7573fdb24f9c53ad169bce2aeab1baac8b2a11ea
Move device specific policy to a local device_domain_deprecated attribute
to focus effort on core policy.
Bug: 28760354
Change-Id: Id08cc74a3a2c7b8ff242b3c6f26bd514e6855a48
camera_device didn't really offer much in terms of control considering
that most domains that need camera_device, also need video_device and
vice versa.
Thus, drop camera_device from the policy.
Change-Id: Ib7773985ba3b93537702b113a2deb5d2f6f3c7ef
perfprofd was generating warnings when being built that
it was using the deprecated unix_socket_connect() macro
to access the init property subsystem.
To correct this, change this to use the newer set_prop()
macro.
Change-Id: I622c554b0238ffbc00b40a966558df684be750d4
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage. However, only domains that were previously allowed the
ability to exec /system files would have been able to do this prior to the
introduction of the toolbox domain. Remove the rule from domain.te and add
rules to all domains that are already allowed execute_no_trans to system_file.
Requires coordination with device-specific policy changes with the same Change-Id.
Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>