Commit graph

45590 commits

Author SHA1 Message Date
Jan Sebechlebsky
6e1795cad0 Allow virtual camera to do binder calls to apps and vice versa.
Virtual camera passes Surface to the app which internally uses binder
to communicate with the other side of buffer queue.

Bug: 301023410
Test: atest VirtualCameraTest
Change-Id: I3ea23532a5077c0b57a6f74c7814b9fdf69829ea
2023-12-06 09:31:17 +01:00
Treehugger Robot
91b6feed24 Merge "crash_dump: read bootstrap libs" into main am: 116f36fdf8
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2860733

Change-Id: Ie88318906d183fc271b321b3f8a550739aa4bf1e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-12-06 07:45:44 +00:00
Treehugger Robot
116f36fdf8 Merge "crash_dump: read bootstrap libs" into main 2023-12-06 06:20:14 +00:00
Steven Moreland
91497cc9db crash_dump: read bootstrap libs
Required for nicer stacks for crashes
and ANRs, etc.

Bug: N/A
Test: adb shell am hang, check servicemanager
  section no longer displays warnings now that
  it is dumped by watchdog
Change-Id: I49a93c1fec9c3219c11dc1a82440c7c2a1944010
2023-12-06 01:43:46 +00:00
Marie Matheson
c3c9ebe781 Merge "Allow isolated to read staged apks" into main am: bce6591af7
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2854133

Change-Id: Ia140bce50b51b9218b6ba7dd2dac669cdc7b76f3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-12-05 19:38:40 +00:00
Marie Matheson
bce6591af7 Merge "Allow isolated to read staged apks" into main 2023-12-05 17:57:17 +00:00
Marie Matheson
cf2694bf86 Allow isolated to read staged apks
type=1400 audit(0.0:835): avc: denied { read }
for path="/data/app/vmdl1923101285.tmp/base.apk"
dev="dm-37" ino=29684
scontext=u:r:isolated_app:s0:c512,c768
tcontext=u:object_r:apk_tmp_file:s0 tclass=file
permissive=0

Bug: 308775782
Test: Flashed to device with and without this change, confirmed that this
change allows an isolated process to read already opened staged apk file

Change-Id: I7226bae79344c3b2a5a0f59940dde6d64a8a7ea1
2023-12-05 15:17:19 +00:00
David Drysdale
8d1876b4f6 Allow for ISecretkeeper/default
Test: VtsAidlAuthGraphSessionTest
Bug: 306364873
Change-Id: I788d6cd67c2b6dfa7b5f14bc66444d18e3fd35d3
2023-12-05 14:33:47 +00:00
Jan Sebechlebsky
0959befc45 Allow virtual camera service to find permission_service
Bug: 301023410
Test: atest CtsVirtualDevicesCameraTestCases
Change-Id: I517fa4cdf6c3143eaf8ab9858e13159a7c5a818a
2023-12-05 14:20:39 +01:00
Jooyung Han
157848354e Introduce vendor_apex_metadata_file
A new label for ./apex_manifest.pb and ./ entries in vendor apexes. This
is read-allowed by a few system components which need to read "apex" in
general. For example, linkerconfig needs to read apex_manifest.pb from
all apexes including vendor apexes.

Previously, these entries were labelled as system_file even for vendor
apexes.

Bug: 285075529
Bug: 308058980
Test: m && launch_cvd
Test: atest VendorApexHostTestsCases
Change-Id: Icc234bf604e3cafe6da81d21db744abfaa524dcf
Merged-In: Icc234bf604e3cafe6da81d21db744abfaa524dcf
2023-12-05 15:42:14 +11:00
Alexei Nicoara
c2af2e2ec4 Making sys.boot.reason.last restricted
sys.boot.reason.last needs to be readable by SysUI to correctly display the reason why authentication is required to unlock the phone.

Bug: 299327097
Bug: 308058980
Test: presubmit
Change-Id: I9f83ade92858056609bc665ecb6ce9b93eb051e4
Merged-In: I9f83ade92858056609bc665ecb6ce9b93eb051e4
2023-12-05 14:56:03 +11:00
Steven Moreland
5830ddb1d9 allow watchdog to dump servicemanager
Cmd line: /system/bin/servicemanager
ABI: 'x86_64'

"servicemanager" sysTid=202
  NOTE: Function names and BuildId information is missing for some frames due
  NOTE: to unreadable libraries. For unwinds of apps, only shared libraries
  NOTE: found under the lib/ directory are readable.
  NOTE: On this device, run setenforce 0 to make the libraries readable.
  NOTE: Unreadable libraries:
  NOTE:   /system/lib64/bootstrap/libc.so
    #00 pc 00000000000babda  /system/lib64/bootstrap/libc.so
    #01 pc 0000000000017819  /system/lib64/libutils.so (android::Looper::pollAll(int, int*, int*, void**)+441) (BuildId: 2ed0ced7383d1676a37aed1236486ac3)
    #02 pc 0000000000011a25  /system/bin/servicemanager (main+1157) (BuildId: 509b83cb97addfa90aaa4ad911c2a3df)
    #03 pc 00000000000547a9  /system/lib64/bootstrap/libc.so

Bug: 314088872
Test: adb shell am hang and check ANRs
Change-Id: I7daf19a3afbd18aa93093fb152f9555022ece88f
2023-12-04 23:24:41 +00:00
Thiébaud Weksteen
57b93a9733 Merge "Fix dumpstate denials related to ot_daemon" into main am: cba619bf60
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2854492

Change-Id: I232a38e79d8311dcbf8b0e0fac48f02d22fb8d5b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-12-03 23:54:34 +00:00
Thiébaud Weksteen
cba619bf60 Merge "Fix dumpstate denials related to ot_daemon" into main 2023-12-03 23:09:01 +00:00
Daniel Norman
4ea95b1730 Merge "Allow system_server access to hidraw devices." into main am: 27bb0c60f6
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2855126

Change-Id: I6afaec68f2dc3f3436c6894d36e30ebcce874642
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-12-01 18:45:33 +00:00
Ted Wang
2ca6c9a46a Merge "Add bluetooth finder hal" into main am: fb82802fc0
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2836616

Change-Id: Ia3824b12b13d2f53c8770076a41c4c0da59fdf3b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-12-01 18:16:59 +00:00
Daniel Norman
27bb0c60f6 Merge "Allow system_server access to hidraw devices." into main 2023-12-01 18:12:02 +00:00
Ted Wang
fb82802fc0 Merge "Add bluetooth finder hal" into main 2023-12-01 17:41:04 +00:00
Andrea Zilio
d7d0bc5b7f Merge "Add pm.archiving.enabled system property" into main am: 1a3e09bdf1
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2852511

Change-Id: Icebf658d13eb7a1e20fae9932fbffe5ffd82e2a1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-12-01 11:38:39 +00:00
Jeff Pu
0a522a3d8f [automerger skipped] Add biometric face virtual hal service am: e0755e0d68 -s ours am: 374f35be24 -s ours
am skip reason: Merged-In I1f61b687be4abe53c62c21769fb57dc9cf9daf45 with SHA-1 fb5d221b27 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2854489

Change-Id: I94e3698227d268eec1f8f0a36b6d71dfc3f3b23f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-12-01 11:38:04 +00:00
Andrea Zilio
1a3e09bdf1 Merge "Add pm.archiving.enabled system property" into main 2023-12-01 10:52:21 +00:00
Jeff Pu
374f35be24 [automerger skipped] Add biometric face virtual hal service am: e0755e0d68 -s ours
am skip reason: Merged-In I1f61b687be4abe53c62c21769fb57dc9cf9daf45 with SHA-1 fb5d221b27 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2854489

Change-Id: Ic29a37f6fd5248c578d334f83322ee9b3ef8133c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-12-01 10:27:29 +00:00
Kangping Dong
e1ee768a97 Fix dumpstate denials related to ot_daemon
Bug: 313794601
Test: atest android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: I5dfa427e3c7ad99ec21392d2f219f14b66dd6256
2023-12-01 13:02:38 +08:00
Jeff Pu
e0755e0d68 Add biometric face virtual hal service
Bug: 228638448
Bug: 313817413
Test: Manually following face virtual hal provisioning procedure
Change-Id: I1f61b687be4abe53c62c21769fb57dc9cf9daf45
Merged-In: I1f61b687be4abe53c62c21769fb57dc9cf9daf45
2023-12-01 03:16:38 +00:00
Daniel Norman
4245d0413b Allow system_server access to hidraw devices.
This allows AccessibilityManagerService in system_server to
interact with a HID-supported Braille Display.

Bug: 303522222
Test: ls -z /dev/hidraw0
Test: plat_file_contexts_test
Test: Open FileInputStream and FileOutputStream on this device
      path from AccessibilityManagerService
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:67a63cc046769759aa43cf1653f11e57c55cd1db)
Merged-In: I2982e907bd2a70c1e4e8161647d6efd65110b99c
Change-Id: I2982e907bd2a70c1e4e8161647d6efd65110b99c
2023-11-30 23:33:55 +00:00
Treehugger Robot
419203bea5 Merge "Fix dumpstate denials related to virtual_camera" into main am: d3fe043eb8
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2852613

Change-Id: Ifd5829ddd964479ed7b53320a2470bc8e993138b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-30 22:43:12 +00:00
Treehugger Robot
99cf9a3df5 Merge "Allow hal_codec2_server to read fifo_file" into main am: f6a4cb8115
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2847905

Change-Id: Ia220902299ab47e6f80025527143605fe283c146
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-30 22:42:39 +00:00
Treehugger Robot
d3fe043eb8 Merge "Fix dumpstate denials related to virtual_camera" into main 2023-11-30 22:34:24 +00:00
Treehugger Robot
f6a4cb8115 Merge "Allow hal_codec2_server to read fifo_file" into main 2023-11-30 21:43:42 +00:00
Andrea Zilio
32ab868eac Add pm.archiving.enabled system property
Test: Builds and starts up fine on acloud
Bug: 314160630
Change-Id: I1d90876979bcdb9416bb711f59678a0e640a3e89
2023-11-30 21:14:21 +00:00
Jan Sebechlebsky
de644175a9 Fix dumpstate denials related to virtual_camera
Bug: 313794601
Test: atest android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: Ie5b7c89388190fa927f8c762b2e65557f9d9870b
2023-11-30 10:57:16 +01:00
Sungtak Lee
46c6c0e28e Allow hal_codec2_server to read fifo_file
Test: m
Bug: 254050314
Change-Id: I5b2fc4fade7d9ff05af88044c0c779ac20478851
2023-11-29 22:32:24 +00:00
Alex Xu
2664a80285 Merge "Update sepolicy for security_state service to include public API." into main am: 11f4cc754d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2851545

Change-Id: Id6d8d09b4c9bda0c8d4c1e6538fbb493eff4c5f4
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-29 19:23:56 +00:00
Alex Xu
11f4cc754d Merge "Update sepolicy for security_state service to include public API." into main 2023-11-29 18:31:40 +00:00
Yu-Ting Tseng
de8e7682c0 [automerger skipped] Revert "Revert "SELinux policy changes for uprobe."" am: 086e1f0eaa -s ours am: 09b3def95b -s ours
am skip reason: Merged-In I5b9a102879a65917d496ba2194187ddd2b4545d1 with SHA-1 3e8e8eac08 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2827250

Change-Id: I4cc0c6b114e3b6fc28d1e91a9d12f7341490867b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-29 07:20:27 +00:00
Thiébaud Weksteen
efa4cf8469 Prebuilt updates am: 448968a6d1 am: 084b293596
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2848878

Change-Id: If8cc1dbc910cb2fec2d4996c1a2f8fef602472cc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-29 06:56:58 +00:00
Yu-Ting Tseng
09b3def95b [automerger skipped] Revert "Revert "SELinux policy changes for uprobe."" am: 086e1f0eaa -s ours
am skip reason: Merged-In I5b9a102879a65917d496ba2194187ddd2b4545d1 with SHA-1 3e8e8eac08 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2827250

Change-Id: Ia6fdfbf2e483abdf129f441cd69c330200c96b82
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-29 06:25:54 +00:00
Thiébaud Weksteen
084b293596 Prebuilt updates am: 448968a6d1
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2848878

Change-Id: I991e63e36e9e680edfd21e4a20293ae779caffcb
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-29 06:25:40 +00:00
Yu-Ting Tseng
086e1f0eaa Revert "Revert "SELinux policy changes for uprobe.""
This reverts commit e2bd44d48d.

Reason for revert: 2nd attempt to add the policy change

Bug: 308058980
Test: m selinux_policy
Change-Id: I5b9a102879a65917d496ba2194187ddd2b4545d1
Merged-In: I5b9a102879a65917d496ba2194187ddd2b4545d1
2023-11-29 06:12:36 +00:00
Thiébaud Weksteen
448968a6d1 Prebuilt updates
Bug: 308058980
Test: m selinux_policy
Change-Id: I23b2265340002b4b9f8d15ad0a8e8324aa0f94e1
2023-11-29 06:01:56 +00:00
Alex Xu
c4fb354a37 Update sepolicy for security_state service to include public API.
security_state service manages security state (e.g. SPL) information across partitions, modules, etc.

Bug: 307819014
Test: Manual
Change-Id: I70c5d24b19cc457215d329b03ce2fd696c765905
2023-11-29 01:23:59 +00:00
Treehugger Robot
4d7c8deb40 Merge "Label wifi.interface." into main am: e22500d7b9
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2845878

Change-Id: Ic5b53487a40b2b1b82f91598da3c03355c6b9023
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-28 10:58:50 +00:00
Treehugger Robot
e22500d7b9 Merge "Label wifi.interface." into main 2023-11-28 10:20:23 +00:00
Hansen Kurli
1aac0c51a0 Remove all sepolicy relating to racoon
Legacy VPNs are removed, including the usage of racoon.

Bug: 161776767
Test: m
Change-Id: I8211b3f00cc0213b1c89b269857adc7c21b97efb
2023-11-28 14:16:07 +08:00
Seungjae Yoo
d60c51cbe4 vendor_microdroid_file shouldn't be overwrited am: ed25d9436d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2846873

Change-Id: I8617f2cad23e811d32502f5130321c1213fe4f73
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-28 04:48:33 +00:00
Seungjae Yoo
ed25d9436d vendor_microdroid_file shouldn't be overwrited
If a malicious process in the host overwrites the microdroid vendor image,
unexpected behavior could happen.

Bug: 285854379
Test: adb shell /apex/com.android.virt/bin/vm run-microdroid --vendor /vendor/etc/avf/microdroid/microdroid_vendor.img

Change-Id: I18ce5112b75b2793c85bb59c137715beb602a5f3
2023-11-28 11:20:18 +09:00
LuK1337
0372255af1 Label wifi.interface.
This lets us override AIDL WiFi HAL interfaces.

Bug: 313385486
Change-Id: I3bb0c274f5fb6f709d09b67deff2df7229e04369
2023-11-27 18:00:55 +00:00
Thiébaud Weksteen
dfd11d7740 Merge "Ignore access to /proc/pagetypeinfo for Settings" into main am: 8c225b0c73
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2845233

Change-Id: Id803459af1bd32bd32d5b4e83a98de2202e55e2f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-23 23:49:40 +00:00
Thiébaud Weksteen
8c225b0c73 Merge "Ignore access to /proc/pagetypeinfo for Settings" into main 2023-11-23 22:55:54 +00:00
Max Bires
268cffde84 Remove deprecated enable_rkpd property am: f019332f6d am: 6d82dbcdbb
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2843933

Change-Id: I84371a77842a2531ea317e74a607572dbe8e5f2e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-23 20:43:34 +00:00