tequilaOS/platform_system_sepolicy

Author	SHA1	Message	Date
Wonsik Kim	cf8ae3a3e4	Merge "mediaswcodec: Allow getprop for aac drc params" into main	2024-01-29 19:25:16 +00:00
Hansen Kurli	59bd48484b	Merge "Remove all sepolicy relating to racoon" into main	2024-01-26 09:48:22 +00:00
Kangping Dong	943f869f1b	Merge "Add sepolicy for the Thread Network property" into main	2024-01-25 09:39:13 +00:00
Kangping Dong	75f527a74e	Merge "[Thread] move ot-daemon socket to /dev/socket/ot-daemon" into main	2024-01-24 10:08:28 +00:00
Jay Thomas Sullivan	4e57c74f29	[ECM] Update SELinux policy for EnhancedConfirmationService EnhancedConfirmationService is a new SystemService. These changes are required before the service will boot. Bug: 321053639 Change-Id: I15a4004ca57deb5c6f8757913c1894ba0ced399d	2024-01-23 23:15:16 +00:00
Kangping Dong	0d6679a410	[Thread] move ot-daemon socket to /dev/socket/ot-daemon On Android, unix sockets are located in /dev/socket/ and managed by init. This commit follows the convention for ot-daemon Bug: 320451788 Test: verified that ot-daemon can create socket /dev/socket/ot-daemon/thread-wpan.sock Change-Id: I6b0fe45602bb54d6d482f5be46ddb5402bea477b	2024-01-23 00:00:01 +08:00
Zhanglong Xia	1d75b43704	Add sepolicy for the Thread Network property This CL adds sepolicy for the system property threadnetwork.country_code. This system property is set by init and be read by the ThreadNetworkService. Bug: b/309357909 Test: Configure the system property in ini.product.rc and check the configured country code via the command `dumpsys thread_network`. Change-Id: I6f067ced24842755f2c5519169ba9a94df17829f	2024-01-15 11:48:20 +08:00
Sungtak Lee	45906c7d9a	Allow hal_codec2_server to read fifo_file from non-isolated apps Bug: 254050314 Test: m Change-Id: I5f645988264523cfae5ffcf299691473be41c2ac	2024-01-13 00:56:39 +00:00
Sungtak Lee	4fe99d06b2	Allow hal_codec2_server to read fifo_file from platform_app Test: m Bug: 254050314 Bug: 319322499 Bug: 319532612 Change-Id: I9c2fd760f4069f7c0b3e7c22ac104da4e1373006	2024-01-11 18:50:56 +00:00
Alex Xu	dc265f5426	Update sepolicy for security_state service to include ephermeral API. security_state service manages security state (e.g. SPL) information across partitions, modules, etc. Bug: 315895055 Test: N/A Change-Id: Iee761f8a33f70e8c6bc03849c021f4e165c6f6db	2024-01-03 20:58:23 +00:00
Alan Stokes	8b4d612fd7	Allow su to access virtualization Use our standard macro for granting all the necessary permissions instead of copying a part of it. Add ioctl access for all clients for Unix stream sockets & pipes; this allows them to be used for stdin/stdout without triggering denials. (Only unpriv_sock_ioctls can be used.) Together this allows a root shell to use `vm run` without getting spurious denials such as: avc: denied { ioctl } for comm="crosvm" path="socket:[835168]" dev="sockfs" ino=835168 ioctlcmd=0x5401 scontext=u:r:crosvm:s0 tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=0 Bug: 316048644 Test: adb root, adb shell /apex/com.android.virt/bin/vm run-microdroid Test: atest MicrodroidTests Change-Id: Ib5186c70714e295a770896cf8b628384f410b94d	2023-12-20 14:55:28 +00:00
Marie Matheson	7b73ec2605	Allow isolated to read staged apks type=1400 audit(0.0:835): avc: denied { read } for path="/data/app/vmdl1923101285.tmp/base.apk" dev="dm-37" ino=29684 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=0 Bug: 308775782 Bug: 316442990 Test: Flashed to device with and without this change, confirmed that this change allows an isolated process to read already opened staged apk file (cherry picked from https://android-review.googlesource.com/q/commit:cf2694bf863fc31ac5862b92bb9258136de57932) Merged-In: I7226bae79344c3b2a5a0f59940dde6d64a8a7ea1 Change-Id: I7226bae79344c3b2a5a0f59940dde6d64a8a7ea1	2023-12-17 23:46:04 +00:00
Peter Collingbourne	4912d266e1	Mount /tmp as tmpfs. /tmp is a volatile temporary storage location for the shell user. As with /data/local/tmp, it is owned by shell:shell and is chmod 771. Bug: 311263616 Change-Id: Ice0229d937989b097971d9db434d5589ac2da99a	2023-12-15 16:46:46 -08:00
Brian Lindahl	46668eaca7	Merge "Allow for server-side configuration of libstagefright" into android14-tests-dev	2023-12-13 06:00:07 +00:00
Harish Mahendrakar	57a351c136	mediaswcodec: Allow getprop for aac drc params Bug: 280783314 Test: adb shell setprop <drc properties> Test: stagefright -a /sdcard/aac.mp4 and check drc params Change-Id: I6ae0b09ecbaa7c52d30e9dcb46cfe36e849bf877	2023-12-12 15:39:55 +00:00
Brian Lindahl	660e460e8c	Allow for server-side configuration of libstagefright Relaxation of SELinux policies to allow users of libstagefright and MediaCodec to be able to query server-side configurable flags. Bug: 301372559 Bug: 301250938 Bug: 308043377 Fixes: 308043377 Test: run cts -m CtsSecurityHostTestCases Change-Id: I72670ee42c268dd5747c2411d25959d366dd972c Merged-In: I95aa6772a40599636d109d6960c2898e44648c9b (cherry picked from commit `1b32bccc1a`)	2023-12-11 23:02:32 +00:00
Treehugger Robot	aa35fe3f97	Merge "Allow hal_codec2_server to read fifo_file from untrusted_app_all" into main am: `b52c0719d0` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2862780 Change-Id: I74a4ed4b44ac0d26482a33b329ea94337691daa5 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-12-07 23:44:58 +00:00
Treehugger Robot	b52c0719d0	Merge "Allow hal_codec2_server to read fifo_file from untrusted_app_all" into main	2023-12-07 23:10:50 +00:00
Sungtak Lee	cc2a7ddd66	Allow hal_codec2_server to read fifo_file from untrusted_app_all Test: m Bug: 254050314 Change-Id: I6f7968dd63258e3f5496205f70af180d71fd9517	2023-12-07 21:23:12 +00:00
David Drysdale	98c169553f	Merge "Allow for ISecretkeeper/default" into main am: `3f63eead74` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2829790 Change-Id: Ieb11eab2afcf05d9cde00938b9afe3350b53f769 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-12-06 11:21:07 +00:00
David Drysdale	3f63eead74	Merge "Allow for ISecretkeeper/default" into main	2023-12-06 11:12:33 +00:00
Marie Matheson	c3c9ebe781	Merge "Allow isolated to read staged apks" into main am: `bce6591af7` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2854133 Change-Id: Ia140bce50b51b9218b6ba7dd2dac669cdc7b76f3 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-12-05 19:38:40 +00:00
Marie Matheson	bce6591af7	Merge "Allow isolated to read staged apks" into main	2023-12-05 17:57:17 +00:00
Marie Matheson	cf2694bf86	Allow isolated to read staged apks type=1400 audit(0.0:835): avc: denied { read } for path="/data/app/vmdl1923101285.tmp/base.apk" dev="dm-37" ino=29684 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=0 Bug: 308775782 Test: Flashed to device with and without this change, confirmed that this change allows an isolated process to read already opened staged apk file Change-Id: I7226bae79344c3b2a5a0f59940dde6d64a8a7ea1	2023-12-05 15:17:19 +00:00
David Drysdale	8d1876b4f6	Allow for ISecretkeeper/default Test: VtsAidlAuthGraphSessionTest Bug: 306364873 Change-Id: I788d6cd67c2b6dfa7b5f14bc66444d18e3fd35d3	2023-12-05 14:33:47 +00:00
Jooyung Han	157848354e	Introduce vendor_apex_metadata_file A new label for ./apex_manifest.pb and ./ entries in vendor apexes. This is read-allowed by a few system components which need to read "apex" in general. For example, linkerconfig needs to read apex_manifest.pb from all apexes including vendor apexes. Previously, these entries were labelled as system_file even for vendor apexes. Bug: 285075529 Bug: 308058980 Test: m && launch_cvd Test: atest VendorApexHostTestsCases Change-Id: Icc234bf604e3cafe6da81d21db744abfaa524dcf Merged-In: Icc234bf604e3cafe6da81d21db744abfaa524dcf	2023-12-05 15:42:14 +11:00
Daniel Norman	4ea95b1730	Merge "Allow system_server access to hidraw devices." into main am: `27bb0c60f6` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2855126 Change-Id: I6afaec68f2dc3f3436c6894d36e30ebcce874642 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-12-01 18:45:33 +00:00
Daniel Norman	27bb0c60f6	Merge "Allow system_server access to hidraw devices." into main	2023-12-01 18:12:02 +00:00
Andrea Zilio	d7d0bc5b7f	Merge "Add pm.archiving.enabled system property" into main am: `1a3e09bdf1` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2852511 Change-Id: Icebf658d13eb7a1e20fae9932fbffe5ffd82e2a1 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-12-01 11:38:39 +00:00
Andrea Zilio	1a3e09bdf1	Merge "Add pm.archiving.enabled system property" into main	2023-12-01 10:52:21 +00:00
Daniel Norman	4245d0413b	Allow system_server access to hidraw devices. This allows AccessibilityManagerService in system_server to interact with a HID-supported Braille Display. Bug: 303522222 Test: ls -z /dev/hidraw0 Test: plat_file_contexts_test Test: Open FileInputStream and FileOutputStream on this device path from AccessibilityManagerService (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:67a63cc046769759aa43cf1653f11e57c55cd1db) Merged-In: I2982e907bd2a70c1e4e8161647d6efd65110b99c Change-Id: I2982e907bd2a70c1e4e8161647d6efd65110b99c	2023-11-30 23:33:55 +00:00
Treehugger Robot	99cf9a3df5	Merge "Allow hal_codec2_server to read fifo_file" into main am: `f6a4cb8115` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2847905 Change-Id: Ia220902299ab47e6f80025527143605fe283c146 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-30 22:42:39 +00:00
Treehugger Robot	f6a4cb8115	Merge "Allow hal_codec2_server to read fifo_file" into main	2023-11-30 21:43:42 +00:00
Andrea Zilio	32ab868eac	Add pm.archiving.enabled system property Test: Builds and starts up fine on acloud Bug: 314160630 Change-Id: I1d90876979bcdb9416bb711f59678a0e640a3e89	2023-11-30 21:14:21 +00:00
Sungtak Lee	46c6c0e28e	Allow hal_codec2_server to read fifo_file Test: m Bug: 254050314 Change-Id: I5b2fc4fade7d9ff05af88044c0c779ac20478851	2023-11-29 22:32:24 +00:00
Alex Xu	2664a80285	Merge "Update sepolicy for security_state service to include public API." into main am: `11f4cc754d` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2851545 Change-Id: Id6d8d09b4c9bda0c8d4c1e6538fbb493eff4c5f4 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-29 19:23:56 +00:00
Alex Xu	c4fb354a37	Update sepolicy for security_state service to include public API. security_state service manages security state (e.g. SPL) information across partitions, modules, etc. Bug: 307819014 Test: Manual Change-Id: I70c5d24b19cc457215d329b03ce2fd696c765905	2023-11-29 01:23:59 +00:00
Hansen Kurli	1aac0c51a0	Remove all sepolicy relating to racoon Legacy VPNs are removed, including the usage of racoon. Bug: 161776767 Test: m Change-Id: I8211b3f00cc0213b1c89b269857adc7c21b97efb	2023-11-28 14:16:07 +08:00
Seungjae Yoo	d60c51cbe4	vendor_microdroid_file shouldn't be overwrited am: `ed25d9436d` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2846873 Change-Id: I8617f2cad23e811d32502f5130321c1213fe4f73 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-28 04:48:33 +00:00
Seungjae Yoo	ed25d9436d	vendor_microdroid_file shouldn't be overwrited If malicious process in the host overwrites microdroid vendor image, unexpected behavior could be happened. Bug: 285854379 Test: adb shell /apex/com.android.virt/bin/vm run-microdroid --vendor /vendor/etc/avf/microdroid/microdroid_vendor.img Change-Id: I18ce5112b75b2793c85bb59c137715beb602a5f3	2023-11-28 11:20:18 +09:00
Alice Wang	8bbd637329	Revert^4 "[avf][rkp] Allow virtualizationservice to register RKP HAL" am: `e79bbf9cf8` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2828234 Change-Id: Icf926e78100ec48014ca24e6a51b51c5ea93f7c1 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-22 10:03:25 +00:00
Alice Wang	e79bbf9cf8	Revert^4 "[avf][rkp] Allow virtualizationservice to register RKP HAL" Revert submission 2829351-revert-2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT-WYENGHRTXK Reason for revert: Relands the original topic: https://r.android.com/q/topic:%22expose-avf-rkp-hal%22 Changes from the reverted cl aosp/2812455: - The AIDL service type has been renamed from avf_* to hal_* to be consistent with the others. - The new AIDL service type, hal_remotelyprovisionedcomponent_avf_service, for the IRPC/avf service, has been set up with the server/client model for AIDL Hal. The virtualizationservice is declared as server and RKPD is declared as client to access the service instead of raw service permission setup as in the reverted cl. This is aligned with the AIDL Hal configuration recommendation. - Since the existing type for IRPC hal_remotelyprovisionedcomponent is already associated with keymint server/client and has specific permission requirements, and some of the keymint clients might not need the AVF Hal. We decided to create a new AIDL service type instead of reusing the exisiting keymint service type. Reverted changes: /q/submissionid:2829351-revert-2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT-WYENGHRTXK Bug: 312427637 Bug: 310744536 Bug: 299257581 Test: atest MicrodroidHostTests librkp_support_test Change-Id: Id37764b5f98e3c30c0c63601560697cf1c02c0ad	2023-11-22 08:21:27 +00:00
Ahmad Khalil	a6c6bf0889	Add fwk_vibrator_control_service am: `95ee9ea719` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2824730 Change-Id: Ic05d0a548a76ee70c2f8377afe2b3a087355870b Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-21 23:20:27 +00:00
Ahmad Khalil	95ee9ea719	Add fwk_vibrator_control_service Convert vibrator_control to a framework service (fwk_vibrator_control_service) in system_server. Bug: 305961689 Test: N/A Change-Id: I5f3aba2c58a3166593a11034a8d21dfd12311c2e	2023-11-21 20:59:48 +00:00
Matías Hernández	b58ddfddee	Merge "Make color_display app_api_service in addition to system_api_service" into main am: `e2e44c0156` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2841713 Change-Id: I3386f10c848e5acee1a5313bf9c64b8dfc1293ab Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-21 20:18:38 +00:00
Matías Hernández	e2e44c0156	Merge "Make color_display app_api_service in addition to system_api_service" into main	2023-11-21 19:52:44 +00:00
Shikha Panwar	67d30d0d61	Merge "Secretkeeper/Sepolicy: Create required domains" into main am: `2838e84381` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2719356 Change-Id: Ia9c31d6b68999da467613bc25185e0a1123082ab Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-21 18:05:34 +00:00
Shikha Panwar	2838e84381	Merge "Secretkeeper/Sepolicy: Create required domains" into main	2023-11-21 17:56:46 +00:00
Matías Hernández	b8762f78b2	Make color_display app_api_service in addition to system_api_service This makes the service available for CTS tests (specifically NotificationManagerZenTest). Test: m -j Bug: 308673540 Change-Id: I45917abd0c0dd3f2c5365b2780ac3ab5e28f2580	2023-11-21 18:51:56 +01:00
Shikha Panwar	59c970703b	Secretkeeper/Sepolicy: Create required domains Add sepolicies rules for Secretkeeper HAL & nonsecure service implementing the AIDL. Test: atest VtsHalSkTargetTest & check for Selinux denials Bug: 293429085 Change-Id: I907cf326e48e4dc180aa0d30e644416d4936ff78	2023-11-21 12:29:18 +00:00
Thiébaud Weksteen	fa2999a627	Revert^2 "Add permission for VFIO device binding" This reverts commit `c6227550f7`. Reason for revert: Faulty merging paths have been removed Change-Id: Icf56c2e977c5517af63e206a0090159e43dd71eb Merged-In: Ie947adff00d138426d4703cbb8e7a8cd429c2272	2023-11-21 02:18:30 +00:00
Shubang Lu	26e47c1bd9	Merge "Add SE policy for tv_ad_service" into main am: `0d65502e9e` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2831310 Change-Id: Icf09548281fd42d35c3f6878a717424d38a6d4e9 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-20 19:49:58 +00:00
Shubang Lu	0d65502e9e	Merge "Add SE policy for tv_ad_service" into main	2023-11-20 19:08:50 +00:00
Jeongik Cha	e113739003	Merge "declare setupwizard_mode_prop as system_vendor_config_prop" into main am: `bfb5615f52` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2832590 Change-Id: I95e2d32c59af119280a637a7691649729522aff1 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-20 02:02:27 +00:00
Jeongik Cha	bfb5615f52	Merge "declare setupwizard_mode_prop as system_vendor_config_prop" into main	2023-11-20 01:22:22 +00:00
Seungjae Yoo	a43ef400f7	Merge "Introduce vendor_microdroid_file for microdroid vendor image" into main am: `e95f3f5bd3` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2831710 Change-Id: If1708562153d678a7d5a816977a44a0faea368a2 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-17 02:42:39 +00:00
Shubang Lu	98dddde9f0	Add SE policy for tv_ad_service Bug: 303506816 Bug: 311074646 Test: cuttlefish; Change-Id: I5dea6d65cf374392bb9b079dda9aa90fb63a4bbd	2023-11-16 23:10:15 +00:00
Jeongik Cha	6cb91a086e	declare setupwizard_mode_prop as system_vendor_config_prop 1. declare setupwizard_mode_prop for ro.setupwizard.mode 2. that prop could be set during vendor_init, so changed prop type Bug: 310208141 Test: boot and check if there is no sepolicy issue Change-Id: I89246ab2c686db139cad48550b860d69a41106ff	2023-11-17 01:22:37 +09:00
Seungjae Yoo	d2a0892121	Introduce vendor_microdroid_file for microdroid vendor image In AVF, virtualizationmanager checks the selinux label of given disk image for proving whether the given image is edited maliciously. Existing one(vendor_configs_file, /vendor/etc/*) was too wide to use for this purpose. Bug: 285854379 Test: m Change-Id: I6c966c92b238a2262d2eb7f41041ed4c359e9e0a	2023-11-16 16:44:15 +09:00
Inseob Kim	c6227550f7	Revert "Add permission for VFIO device binding" This reverts commit `901385f711`. Reason for revert: breaking build Change-Id: Ib936ca7c347b657b94bb44692cd0e9ceee5db55a Merged-In: Ie947adff00d138426d4703cbb8e7a8cd429c2272	2023-11-14 08:41:48 +00:00
Treehugger Robot	fc06236fcc	Merge "Revert "Revert^2 "[avf][rkp] Allow virtualizationservice to regi..."" into main am: `3f92c1beb3` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2829351 Change-Id: I7a498e1911a666539ae6eeef9fd5040ecf4c34fa Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-14 03:10:27 +00:00
Treehugger Robot	3f92c1beb3	Merge "Revert "Revert^2 "[avf][rkp] Allow virtualizationservice to regi..."" into main	2023-11-14 02:41:56 +00:00
Inseob Kim	901385f711	Add permission for VFIO device binding vfio_handler will bind platform devices to VFIO driver, and then return a file descriptor containing DTBO. This change adds permissions needed for that. Bug: 278008182 Bug: 308058980 Test: adb shell /apex/com.android.virt/bin/vm run-microdroid \ --devices /sys/bus/platform/devices/16d00000.eh --protected Change-Id: Ie947adff00d138426d4703cbb8e7a8cd429c2272 Merged-In: Ie947adff00d138426d4703cbb8e7a8cd429c2272 (cherry picked from commit `825056de9a`)	2023-11-14 01:56:24 +00:00
Alan Stokes	18bcf12fbb	Revert "Revert^2 "[avf][rkp] Allow virtualizationservice to regi..." Revert submission 2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT Reason for revert: SELinux denials: b/310744536 Reverted changes: /q/submissionid:2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT Change-Id: I88b5f03dccb1b4ab906afde7d66853e816cce7f1	2023-11-14 01:40:53 +00:00
Alice Wang	9f1f416b17	Merge "Revert^2 "[avf][rkp] Allow virtualizationservice to register RKP HAL"" into main am: `dd034824b1` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2812455 Change-Id: Ided47a6c565f8153868e717f14a70a5650cc5ff2 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-13 22:11:40 +00:00
Alice Wang	dd034824b1	Merge "Revert^2 "[avf][rkp] Allow virtualizationservice to register RKP HAL"" into main	2023-11-13 21:33:49 +00:00
Kelvin Zhang	2012f906e9	Merge "Allow update_engine to read /proc/filesystems" into main am: `f5877aafe2` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2736859 Change-Id: Ie71f2b1d2a626c43518b0cd94784a3ecbb89af45 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-08 19:24:30 +00:00
Kelvin Zhang	f5877aafe2	Merge "Allow update_engine to read /proc/filesystems" into main	2023-11-08 18:40:26 +00:00
Kelvin Zhang	f7e9111376	Allow update_engine to read /proc/filesystems During OTA install, update_engine needs to read this file to determine if overlayfs is enabled, as OTA requires overlayfs to be disabled. The selinux denial looks like audit(0.0:242): avc: denied { read } for name="filesystems" dev="proc" ino=4026532076 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc_filesystems:s0 tclass=file permissive=0 Bug: 309812002 Test: th Change-Id: I10903ced21e79c90dec45fb40ecd169d98c94e89	2023-11-08 18:40:12 +00:00
Keith Mok	e4fee01bfc	Merge "SEPolicy for AIDL MACSEC HAL" into main am: `4bd043ca67` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2816915 Change-Id: I15f64ed6b9d6de08af90822dc4858e9e6131a8ab Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-07 22:07:35 +00:00
Keith Mok	4bd043ca67	Merge "SEPolicy for AIDL MACSEC HAL" into main	2023-11-07 21:40:41 +00:00
Shashwat Razdan	218266ac57	Changes in SELinux Policy for CSS API Bug: 309657924 Change-Id: If8717cdf4483c3b116053c952b9da1ad4670244a Test: manual verification ($ adb shell service list)	2023-11-07 20:08:46 +00:00
Treehugger Robot	1515bd7382	Merge "add percpu_pagelist_high_fraction type" into main am: `6f789851e9` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2817160 Change-Id: I7c2fa400ca25ca5b0ae3ab78e5aa6e4dc48eac1c Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-07 14:01:22 +00:00
Martin Liu	52aa5039ba	add percpu_pagelist_high_fraction type Bug: 309409009 Test: boot Change-Id: I04db2ab3a95a5427e6d89cf128ed953fdc823107 Signed-off-by: Martin Liu <liumartin@google.com>	2023-11-07 11:36:00 +08:00
Keith Mok	df794b4590	SEPolicy for AIDL MACSEC HAL Bug: 254108688 Test: AIDL MACSEC HAL VTS (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fba6480fa08001a36faf524d0a6952f29d916a6b) Change-Id: I5ccaa24c6b9600713bbc0e4c523822567b64c662	2023-11-03 21:29:48 +00:00
Ahmad Khalil	ac754f9f4e	Merge "Add new vibrator control service to system_server" into main am: `70b7a8c76d` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2810415 Change-Id: I99ee24b82fac6ff833eec1d7bd7b895efa2d9f6a Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-03 14:39:03 +00:00
Ahmad Khalil	70b7a8c76d	Merge "Add new vibrator control service to system_server" into main	2023-11-03 14:03:19 +00:00
Ahmad Khalil	7c22e8b3cd	Add new vibrator control service to system_server Bug: 305961689 Test: N/A Change-Id: Ia4f061d6ae7656fce4c01f5acc2a1314f8ba4ac4	2023-11-03 12:09:04 +00:00
Kyle Zhang	5fddc6a386	Merge "Add system property persist.drm.forcel3.enabled" into main am: `dcf977ac99` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2806495 Change-Id: I9064851c7c19d0a8447869945ca1f5fe1b0d61c1 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-02 17:47:37 +00:00
Kyle Zhang	dcf977ac99	Merge "Add system property persist.drm.forcel3.enabled" into main	2023-11-02 17:16:42 +00:00
Hasini Gunasinghe	2e63cca5d7	Merge "Add sepolicy for non-secure AuthGraph impl" into main am: `daa1cec849` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2786255 Change-Id: I60e60866831801d876bbac7fa4b14134ceef3ca1 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-01 17:10:38 +00:00
Hasini Gunasinghe	daa1cec849	Merge "Add sepolicy for non-secure AuthGraph impl" into main	2023-11-01 16:27:51 +00:00
Alice Wang	0407c993d8	Revert^2 "[avf][rkp] Allow virtualizationservice to register RKP HAL" Revert submission 2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ Reason for revert: This change relands the topic https://r.android.com/q/topic:%22expose-avf-rkp-hal%22 The SELinux denial has been fixed in system/sepolicy Reverted changes: /q/submissionid:2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ Bug: 308596709 Bug: 274881098 Change-Id: Ib23ac4680b0f37b760bff043e1f42ce61a58c3e2	2023-10-31 20:06:23 +00:00
Alice Wang	d4a966612b	Merge "Revert "[avf][rkp] Allow virtualizationservice to register RKP H..."" into main am: `072d8fc0db` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2812436 Change-Id: I02e135aa763020746d1687cc2309eb0d22a95a31 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-10-31 15:41:43 +00:00
Alice Wang	072d8fc0db	Merge "Revert "[avf][rkp] Allow virtualizationservice to register RKP H..."" into main	2023-10-31 15:13:01 +00:00
Alice Wang	ece557dc7a	Revert "[avf][rkp] Allow virtualizationservice to register RKP H..." Revert submission 2778549-expose-avf-rkp-hal Reason for revert: SELinux denial avc: denied { find } for pid=3400 uid=10085 name=android.hardware.security.keymint.IRemotelyProvisionedComponent/avf scontext=u:r:rkpdapp:s0:c85,c256,c512,c768 tcontext=u:object_r:avf_remotelyprovisionedcomponent_service:s0 tclass=service_manager permissive=0 Reverted changes: /q/submissionid:2778549-expose-avf-rkp-hal Bug: 308596709 Change-Id: If8e448e745f2701cf00e7757d0a079d8700d43c0	2023-10-31 15:01:18 +00:00
Alice Wang	3df9e4901a	Merge "[avf][rkp] Allow virtualizationservice to register RKP HAL service" into main am: `7109a31496` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2738393 Change-Id: Ic4552c6a6bf2feb76b0918332edafe0612419450 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-10-31 12:56:49 +00:00
Alice Wang	7109a31496	Merge "[avf][rkp] Allow virtualizationservice to register RKP HAL service" into main	2023-10-31 12:21:41 +00:00
Treehugger Robot	d8667e1699	Merge "Add appcompat override files and contexts to SELinux" into main am: `12665a9787` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2786963 Change-Id: I501dd4436deedc3c9756173409ebea079447ad02 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-10-31 02:54:00 +00:00
Treehugger Robot	12665a9787	Merge "Add appcompat override files and contexts to SELinux" into main	2023-10-31 02:29:57 +00:00
Alex Xu	55f133ee5c	Merge "Add sepolicy for security_state service." into main am: `f82b6897cf` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2803335 Change-Id: Ib3c443cfb4ab4a43f345053348de66182d6b4249 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-10-27 19:47:13 +00:00
Alex Xu	f82b6897cf	Merge "Add sepolicy for security_state service." into main	2023-10-27 19:20:58 +00:00
Alice Wang	104626ca99	[avf][rkp] Allow virtualizationservice to register RKP HAL service Bug: 274881098 Test: atest MicrodroidHostTests Change-Id: Ib0953fa49f27719be63bb244071b132bc385dca3	2023-10-27 09:26:42 +00:00
Kyle Zhang	12c42b5f50	Add system property persist.drm.forcel3.enabled Bug: 299987160 Change-Id: Icf945a2bfb7e25225f30630c5d24bf13a8960a01	2023-10-26 22:16:49 +00:00
Xin Li	67d58f5f39	Merge "Merge android14-tests-dev" into main	2023-10-26 20:11:39 +00:00
Xin Li	522f0a9ef2	Merge android14-tests-dev Bug: 263910020 Merged-In: If027337f7e703fe5b80e18ecddeabbac29011c5f Change-Id: Ic7943d9afe12602f3e4289a7aa6ad0c5d340ed81	2023-10-26 10:31:12 -07:00
Alex Xu	902a010aaa	Add sepolicy for security_state service. security_state service manages security state (e.g. SPL) information across partitions, modules, etc. Bug: 307819014 Test: Manual Change-Id: I4ebcd8431c11b41f7e210947b32cf64c2adf3901	2023-10-26 06:11:58 +00:00
David Drysdale	c4ab01baad	Add sepolicy for non-secure AuthGraph impl Bug: 284470121 Bug: 291228560 Test: hal_implementation_test Test: VtsAidlAuthGraphSessionTest Change-Id: I85bf9e0656bab3c96765cc15a5a983aefb6af66d	2023-10-26 02:00:43 +00:00
Steven Moreland	012b954125	Merge "binderfs neverallows" into main	2023-10-26 00:07:44 +00:00
Steven Moreland	0365329dad	binderfs neverallows Add neverallow reading these files because this came up in a review recently, and they contain information about processes which is important for security, so we'd like to avoid accidentally granted these permissions. Fixes: 306036348 Test: build (is build time change) Change-Id: I8b8917dacd2a65b809b7b6fb7c1869a3db94156b	2023-10-25 00:41:25 +00:00

1 2 3 4 5 ...

7965 commits