tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
45450 commits 1 branch 0 tags 50 MiB
Commit graph

45450 commits

This branch
This branch
All branches
Author SHA1 Message Date
Brian Lindahl
0027546b06 Merge "Revert "bugmap selinux failure"" into main 2023-12-18 14:29:22 +00:00
Treehugger Robot
f336eec750 Merge "traced_probes: allow perfetto to read /proc/pressure entries" into main 2023-12-15 23:06:32 +00:00
Jared Duke
8db0b2be1e traced_probes: allow perfetto to read /proc/pressure entries 
Allow perfetto to read /proc/pressure/* entries for cpu/io/memory.

Test: Capture perfetto psi traces manually
Bug: 315152880
Change-Id: I08c3d3eca39ee65eb3f93d609a8ef7cf9c25f6a0
 2023-12-15 19:15:57 +00:00
Yu-Ting Tseng
4de7a537b0 Merge "Revert^2 "Update uprobestats SELinux policy"" into main 2023-12-15 18:02:57 +00:00
Jiakai Zhang
32c47c94be Merge "Allow watchdog to dump artd." into main 2023-12-15 15:27:26 +00:00
Treehugger Robot
c45d9f8263 Merge "Revert^2 "virtualizationmanager is a client of secretkeeper"" into main 2023-12-15 12:37:43 +00:00
Shikha Panwar
c9b992126c Revert^2 "virtualizationmanager is a client of secretkeeper" 
It ferries SecretManagement messages to/from Sk. Reflect this is
sepolicies.

Test: With topic, check selinux denials
Bug: 291213394
Change-Id: Ia0d25e46232d56c59fb18f8642767bfa2d5ffab1
 2023-12-15 11:23:54 +00:00
Treehugger Robot
d5f372ff3c Merge "Add lmk pressure_after_kill_min_score prop" into main 2023-12-15 06:27:08 +00:00
Treehugger Robot
28b5f9afd4 Merge "Allow remount to update the super partition." into main 2023-12-15 01:43:49 +00:00
Yu-Ting Tseng
43cae4ea24 Revert^2 "Update uprobestats SELinux policy" 
This reverts commit 5e1d7f1c85.

Reason for revert: retry with a fix to the failed tests

Test: atest art_standalone_oatdump_tests
Change-Id: I28872c643ba4ec07ef41b1f9be86036c592a6e4e
 2023-12-14 17:17:18 -08:00
Matt Stephenson
531cdc930f Add lmk pressure_after_kill_min_score prop 
Add ro.lmk.pressure_after_kill_min_score property to config.

Test: pressure_after_kill_min_score applies if SELinux is enabled
Bug: 316242513
Change-Id: Ie974fb3eddc0c1bc5c28b2c11d516b152c390396
 2023-12-14 23:36:56 +00:00
Inseob Kim
8a0d6d1f17 [automerger skipped] Remove vfio_handler entry am: 4a14ebeb3e -s ours 
am skip reason: Merged-In I5559dfca1a29852b65481c95f37edc9977ee9d7d with SHA-1 094e8e81a2 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2875635

Change-Id: I48daef2abbfaff2790f13f759b9d2402a2e6ba68
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-12-14 23:10:08 +00:00
Shikha Panwar
322d4efbcf Merge "Revert "virtualizationmanager is a client of secretkeeper"" into main 2023-12-14 22:04:24 +00:00
Yu-Ting Tseng
675247f370 Merge "Revert "Update uprobestats SELinux policy"" into main 2023-12-14 21:00:06 +00:00
Trevor Black
dcef23db69 Revert "virtualizationmanager is a client of secretkeeper" 
Revert submission 2705357-sk_vm

Reason for revert: DroidMonitor-triggered revert due to breakage https://android-build.corp.google.com/builds/quarterdeck?branch=git_aosp-main-with-phones&target=aosp_oriole-trunk_staging-userdebug&lkgb=11221468&lkbb=11221626&fkbb=11221480

Reverted changes: /q/submissionid:2705357-sk_vm

Bug: 316391577
Change-Id: Ibc92e4b2c578cdf210e873d82af0f413d6a37dc0
 2023-12-14 20:29:33 +00:00
Yu-Ting Tseng
5e1d7f1c85 Revert "Update uprobestats SELinux policy" 
This reverts commit a87a13f16c.

Reason for revert: b/316386186

Change-Id: Ia39371ee9d96c1b1fdf71d67abc7765019c4f185
 2023-12-14 19:50:49 +00:00
Shikha Panwar
751837e26e Merge "virtualizationmanager is a client of secretkeeper" into main 2023-12-14 19:44:12 +00:00
Shikha Panwar
e6c5f205e0 virtualizationmanager is a client of secretkeeper 
It ferries SecretManagement messages to/from Sk. Reflect this is
sepolicies.

Test: With topic, check selinux denials
Bug: 291213394
Change-Id: I0acc06424eb834d66a85f9d4f6b8b632d95c4190
 2023-12-14 17:05:16 +00:00
Yu-Ting Tseng
ef639990c7 Merge "Update uprobestats SELinux policy" into main 2023-12-14 17:03:35 +00:00
Inseob Kim
4a14ebeb3e Remove vfio_handler entry 
Bug: 313817413
Test: TH
Change-Id: I2f68b85f3b91e687eb1f885023d374869d0a7ce5
Merged-In: I5559dfca1a29852b65481c95f37edc9977ee9d7d
 2023-12-14 18:06:19 +09:00
Yu-Ting Tseng
a87a13f16c Update uprobestats SELinux policy 
The changes include
- allow binder calls to ActivityManager and NativePackageManager
- allow binder calls from system server
- allow writes of statsd atoms
- allow init to start uprobestats
- permission for uprobestats config files and propery
- allow execution of oatdump so it can look up code offsets
- allow scanning /proc.

Test: m selinux_policy
Change-Id: Id1864b7dac3a2c5dcd8736c4932778e36b658ce3
 2023-12-13 16:49:23 -08:00
Treehugger Robot
cc90a2a0c6 Merge "sepolicy: grant network_stack CAP_WAKE_ALARM" into main 2023-12-13 20:55:37 +00:00
David Anderson
17fbd9c607 Allow remount to update the super partition. 
"adb remount" runs the remount command, which needs to be able to update
bits in the super partition metadata. This change only affects
userdebug_or_eng policy.

Bug: 297923468
Test: adb-remount-test.sh
Change-Id: Ia78d4b0ea942a139c8a4070dc63a0eed218e3e18
 2023-12-13 12:09:30 -08:00
Maciej Żenczykowski
fd0efeb043 sepolicy: grant network_stack CAP_WAKE_ALARM 
It is effectively an oversight that bluetooth has this
but network stack does not.

This prevents the network stack process from (for example)
using timerfd_create with CLOCK_{REAL,BOOT}TIME_ALARM,
without trampolining through parts of the mainline module
which are shipped as part of the system server.

See:
  https://man7.org/linux/man-pages/man2/timerfd_create.2.html

Bug: 316171727
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Iba95c80f830784a587fa4df6867a99bcb96ace79
 2023-12-13 18:52:51 +00:00
Brian Lindahl
89312a1bfc Revert "bugmap selinux failure" 
This reverts commit c6132a2ae7.

Reason for revert: Fixed via aosp/2869455

Bug: 308043377
Change-Id: Iaa42e34bc08e2ce056b0c624fe5665ff026bc654
 2023-12-13 16:13:47 +00:00
Brian Lindahl
623646c3b6 [automerger skipped] Merge "Allow for server-side configuration of libstagefright" into android14-tests-dev am: 46668eaca7 -s ours 
am skip reason: Merged-In I95aa6772a40599636d109d6960c2898e44648c9b with SHA-1 ffeb680417 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2869455

Change-Id: Ic3f9aa6bb7aa559e391448fa5198b8f73df9af28
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-12-13 06:23:26 +00:00
Brian Lindahl
8b33232c76 [automerger skipped] Allow for server-side configuration of libstagefright am: 660e460e8c -s ours 
am skip reason: Merged-In I95aa6772a40599636d109d6960c2898e44648c9b with SHA-1 ffeb680417 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2869455

Change-Id: Ia9cdc30aacb17db751fd42a957c8787270d1ae2f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-12-13 06:23:22 +00:00
Brian Lindahl
46668eaca7 Merge "Allow for server-side configuration of libstagefright" into android14-tests-dev 2023-12-13 06:00:07 +00:00
Andrea Zilio
65af65df10 Allow pm.archiving.enabled to be read by priv apps. 
Test: Presubmit
Bug: 314160630
Change-Id: Ibf844ce8a44244d0791490ae6c5df91039f4e9a7
 2023-12-12 23:55:49 +00:00
Avichal Rakesh
728e475da0 Allow more AIDL Camera Provider versions 
The current sepolicy only allows V1 of AIDL CameraProvider
services. This CL updates the regex to allow for future
versions as well.

Bug: 314912354
Test: Verified by vendor
Change-Id: I80351a8bb7c2538c4ad1e0d418ea7a718d60be05
 2023-12-12 09:37:28 -08:00
Jiakai Zhang
ac3d139e24 Allow watchdog to dump artd. 
Bug: 314171605
Change-Id: Iabb2da390dfe68e9993e0dc7023297afd51a8b3c
Test: Presubmit
 2023-12-12 13:22:16 +00:00
Thiébaud Weksteen
405e221ae3 Merge "Revert "Remove implicit access for isolated_app"" into main 2023-12-12 01:04:50 +00:00
Treehugger Robot
4e2c7e05d8 [automerger skipped] Merge "Introduce vendor_apex_metadata_file" into android14-tests-dev am: 5732cf8282 -s ours 
am skip reason: Merged-In Icc234bf604e3cafe6da81d21db744abfaa524dcf with SHA-1 b6211b88cf is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2858826

Change-Id: I558dab015373373ce5abbb6f6297fdffba0e3736
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-12-12 00:16:27 +00:00
Jooyung Han
061d75cad3 [automerger skipped] Introduce vendor_apex_metadata_file am: 157848354e -s ours 
am skip reason: Merged-In Icc234bf604e3cafe6da81d21db744abfaa524dcf with SHA-1 b6211b88cf is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2858826

Change-Id: I2d1181c0f222583cf1b347386259d1290e87aa20
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-12-12 00:16:22 +00:00
Treehugger Robot
5732cf8282 Merge "Introduce vendor_apex_metadata_file" into android14-tests-dev 2023-12-11 23:48:39 +00:00
Brian Lindahl
660e460e8c Allow for server-side configuration of libstagefright 
Relaxation of SELinux policies to allow users of libstagefright and
MediaCodec to be able to query server-side configurable flags.

Bug: 301372559
Bug: 301250938
Bug: 308043377
Fixes: 308043377
Test: run cts -m CtsSecurityHostTestCases
Change-Id: I72670ee42c268dd5747c2411d25959d366dd972c
Merged-In: I95aa6772a40599636d109d6960c2898e44648c9b
(cherry picked from commit 1b32bccc1a)
 2023-12-11 23:02:32 +00:00
Chienyuan Huang
6217aedfdb Merge "Add bluetooth ranging hal" into main 2023-12-11 03:43:57 +00:00
Xin Li
aaacfe9a2d Merge Android 14 QPR1 
Merged-In: If116a0f8b55113aff404eebb11d93bc378a0a5e2
Bug: 315507370
Change-Id: I55a1ee9d97d29e67df8f95cfe67c4f71a99e5d58
 2023-12-08 13:14:39 -08:00
Chienyuan Huang
2e19c7632e Add bluetooth ranging hal 
Bug: 310941161
Test: make
Change-Id: I9b2bc9d945b016361f44a5600c61ed2795c00622
 2023-12-08 09:37:17 +00:00
Andy Yu
41a77fd0be Merge "SEPolicy: Add game sysprop read access for system_app" into main am: 34820408dd 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2862783

Change-Id: If116a0f8b55113aff404eebb11d93bc378a0a5e2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-12-08 02:31:02 +00:00
Andy Yu
34820408dd Merge "SEPolicy: Add game sysprop read access for system_app" into main 2023-12-08 02:00:41 +00:00
Andy Yu
43c7ab0688 SEPolicy: Add game sysprop read access for system_app 
To allow Settings application to read game default
frame rate system properties, adding access to system_app

game_manager_config_prop includes
"persist.graphics.game_default_frame_rate.enabled" for
toggling the system UI toggle, which is updated in
GameManagerService. This will only be read in Settings to
determine if the toggle is on or off.

Bug: 286084594
Test: m; boot;
Change-Id: I3d5795a8a462c25eeae90aade6eaf08c06f540c3
 2023-12-07 16:59:30 -08:00
Treehugger Robot
aa35fe3f97 Merge "Allow hal_codec2_server to read fifo_file from untrusted_app_all" into main am: b52c0719d0 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2862780

Change-Id: I74a4ed4b44ac0d26482a33b329ea94337691daa5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-12-07 23:44:58 +00:00
Treehugger Robot
b52c0719d0 Merge "Allow hal_codec2_server to read fifo_file from untrusted_app_all" into main 2023-12-07 23:10:50 +00:00
Sungtak Lee
cc2a7ddd66 Allow hal_codec2_server to read fifo_file from untrusted_app_all 
Test: m
Bug: 254050314
Change-Id: I6f7968dd63258e3f5496205f70af180d71fd9517
 2023-12-07 21:23:12 +00:00
Steven Moreland
bd2c72b393 Merge "allow watchdog to dump servicemanager" into main am: 073b71671c 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2858185

Change-Id: I3c209624087bbe691554c97cd0e48fcebabe3b58
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-12-07 18:33:19 +00:00
Steven Moreland
073b71671c Merge "allow watchdog to dump servicemanager" into main 2023-12-07 18:08:08 +00:00
Jeffrey Vander Stoep
b6c262c238 Revert "Remove implicit access for isolated_app" 
This reverts commit 7ba4801b6e.

Reason for revert: b/315295188

Change-Id: Ib4a4d68763f68bc1cebe6528ce4b81188f35ba49
Test: build and run on Cuttlefish. Verify that isolated_app denials go away.
 2023-12-07 16:52:28 +01:00
Tom Huang
76ab19469f Merge "Add bluetooth finder service sepolicy" into main am: 226f837c4d 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2863825

Change-Id: Icf1fbce87dc07904e825e75a6243398c4f4b7305
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-12-07 05:16:45 +00:00
Tom Huang
226f837c4d Merge "Add bluetooth finder service sepolicy" into main 2023-12-07 04:15:37 +00:00