The GPU driver uses vframe-secure for secure allocations, so the
corresponding DMA heap file should be visible to all processes, so
use the dmabuf_system_secure_heap_device type instead.
In order for this type to be used, we need to ensure that the HAL
Allocator has access to it, so update hal_graphics_allocator_default.te.
Finally, since there are no longer any buffer types associated with the
vframe_heap_device type, remove it.
Bug: 182090311
Test: run cts-dev -m CtsDeqpTestCases --module-arg CtsDeqpTestCases:include-filter:dEQP-VK.protected_memory.stack.stacksize_64 and ensure secure allocations succeed
Test: Play DRM-protected video in ExoPlayer and ensure videos render correctly via MFC->DPU.
Change-Id: Id341e52322a438974d4634a4274a7be2ddb4c9fe
edgetpu_service was split into two in a previous change:
edgetpu_service and edgetpu_vendor_service, where the new
vendor service is for vendor clients, and the old service keeps
serving app clients.
This change updated the SELinux policy to rename the edgetpu_service
into edgetpu_app_service to make the purpose clearer.
Bug: 188463446
Test: Oriole + GCA
Change-Id: I3a133319edc84fc02ef211934d0542575580da14
GPU nnhal needed a file update when upgrading to the 1.3 revision;
modify this so the device uses all the 1.2 rules.
Fixes: 187981206
Test: make sure hal starts
Change-Id: Ie1054fc092f1aa459cd36b6eb0f0a1a5cc032dbc
and logbuffer_btuart device node
* add sepolicy rules to let bthal access bluetooth kernel device
nodes dev/logbuffer_btlpm and dev/logbuffer_tty16 in engineer
or user debug build
Bug: 177794127
Test: Manually
Change-Id: I5253719df82ca7ef8e64cbd3f2b0ff6d3f088edc
To comply with the GSI compliance test, this change
splits the compiler part of the edgetpu_service into a
separate edgetpu_vendor_service under vendor.
The edgetpu_service is located under /system_ext/ and used
to be connected by both applications and vendor clients.
With this change, vendor clients could talk to the vendor
part of this service directly without having to cross
the system and vendor boundary.
Applications will still talk to the system_ext one, which
will forward the requests to the vendor service.
Bug: 185432427
Test: tested on Oriole + GCA.
Change-Id: I1ee47946f1fc3694d5f8b5325c192d6bd720a76e
Vendor kernel modules were moved to /vendor_dlkm/lib/modules. Let's
remove the old directory /vendor/lib/modules from file_contexts.
Bug: 185184472
Bug: 186777291
Change-Id: I38f1b25cb2d73a804f1cdb113edc9b11f8e516f7
Provide necessary permissions to run usf_reg_edit from bugreport.
Bug: 187081112
Test: Run "adb bugreport <zip>" and verify it contains the output
from "usf_reg_edit save -".
Change-Id: Iade132d93105d461d51273d19fe570d48cce46fe
This reverts commit a346a7fa34.
Let's move back to wildcards for kernel modules. This better supports
kernel pre-submit testing and local kernel development where the script
build.sh from the kernel repo is used to create the vendor_dlkm partition
image. With build.sh, the path to a .ko file includes the kernel
version as well as additional directory components like "extra/" that
describe where in the kernel source key the module is located. Example:
/vendor_dlkm/lib/modules/5.10.33-g2f01cf4c7282-dirty/extra/ftm5.ko
Bug: 185184472
Bug: 186777291
Change-Id: I32f85dae7ca60d9063ad6c63f21ffdaecbb66039
Fix the following avc denial:
avc: denied { module_load } for comm="insmod" path="/vendor_dlkm/lib/modules/cl_dsp.ko" dev="overlay" ino=41 scontext=u:r:init-insmod-sh:s0 tcontext=u:object_r:vendor_file:s0 tclass=system permissive=1
Bug: 184610991
Test: Full built. Check if the avc denial was gone.
Signed-off-by: Tai Kuo <taikuo@google.com>
Change-Id: Ic41ea6a6add818bfdf95e71e20df77b9e06db6c1
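When triaging a denial like the one quoted in the commit message above, it helps to split the line into source type, target type, class and permission before deciding how to handle it. The following is an added example, not code from the commit or the project; the function names are hypothetical, and the rule it prints is only the literal allow statement implied by the denial, not the change this commit made.

```python
import re

# Denial line quoted verbatim from the commit message above.
SAMPLE = ('avc: denied { module_load } for comm="insmod" '
          'path="/vendor_dlkm/lib/modules/cl_dsp.ko" dev="overlay" ino=41 '
          'scontext=u:r:init-insmod-sh:s0 tcontext=u:object_r:vendor_file:s0 '
          'tclass=system permissive=1')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(ctx):
    # A context is user:role:type:level; the level may itself contain colons.
    parts = ctx.split(":", 3)
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Return the fields of an 'avc: denied' line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= kv.keys():
        return None
    return {
        "perms": m.group("perms").split(),
        "source": type_of(kv["scontext"]),
        "target": type_of(kv["tcontext"]),
        "tclass": kv["tclass"],
        "comm": kv.get("comm"),
        "path": kv.get("path"),
        # permissive=1 means the access was logged but not blocked.
        "enforced": kv.get("permissive") == "0",
    }

def candidate_rule(d):
    """Render the literal allow rule the denial corresponds to.
    Whether to grant it or relabel the target is a policy decision."""
    perms = d["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {d['source']} {d['target']}:{d['tclass']} {p};"

if __name__ == "__main__":
    denial = parse_avc(SAMPLE)
    print(denial)
    print(candidate_rule(denial))
```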
Secure persistent storage has been moved to persist root.
The corresponding paths in the SELinux policy have to be updated.
Bug: 173971240
Bug: 173032298
Test: Trusty storage tests
Change-Id: I0e7756f3b4d5c6be705a87e1d7d80247df1ec4bb
Bug: 168013500
Test: Check that abox and rpmbd are not in ROM anywhere in oriole, raven user,
userdebug and factory ROM
Change-Id: Ie091a1036ba6c25a3c7f0ef0b8f69cc9fc4e306a
In order for AGI to work, it needs to dlopen the libgpudataproducer.so
shared object.
Bug: 185127179
Bug: 175593589
Change-Id: I9ad9c587f10e0fd6e27c4743c1d4cb85c896c41d
Copy selinux policy for tcp dump binary from previous Pixel to support
TCP logging on P21 through PixelLogger.
Bug: 184777243
Test: Check PixelLogger TCP dump works.
Change-Id: Id958c8a3e6375a7aae569d6fc94deb9f8072b57b