Weilun Du
e2a8a145ec
Revert^2 "Add qemu.hw.mainkeys to system property_contexts"
...
509b35e5d9
Bug: 180412668
Merged-In: I4067bba36613fa41e3c7a085da76cda4784753ad
Change-Id: I4067bba36613fa41e3c7a085da76cda4784753ad
2021-02-17 18:29:59 +00:00
Hasini Gunasinghe
685ca0c888
Keystore 2.0: Add permissions and policy for user manager AIDL.
...
Bug: 176123105
Test: User can set a password and unlock the phone.
Change-Id: I96c033328eb360413e82e82c0c69210dea2ddac9
2021-02-17 08:55:31 -08:00
Treehugger Robot
dff0472cba
Merge "Add /data/misc/a11ytrace folder to store accessibility trace files." am: bdfc2c96ce
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1580634
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: Ibd585373539bc476f2345f283fea6cf53e1a7907
2021-02-17 13:37:09 +00:00
Treehugger Robot
bdfc2c96ce
Merge "Add /data/misc/a11ytrace folder to store accessibility trace files."
2021-02-17 13:02:34 +00:00
Treehugger Robot
b4eb963fe4
Merge "Check vendor_property_contexts namespaces" am: e91790707a
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1532995
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: I47576e9ee3737716a683a092d4f984474b6c3246
2021-02-17 07:47:15 +00:00
Treehugger Robot
e91790707a
Merge "Check vendor_property_contexts namespaces"
2021-02-17 07:12:30 +00:00
Inseob Kim
2bcc045724
Check vendor_property_contexts namespaces
...
For devices launching with Android Q or later, vendor_property_contexts
and odm_property_contexts should only contain vendor and odm properties.
This checks property_contexts files at build time.
To temporarily disable this check, users can set
BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE := true in BoardConfig.mk. But
VTS is still enforced, so users will have to fix the violations anyway.
Bug: 175526482
Test: m vendor_property_contexts after making violations
Change-Id: I99d6fff9033d78e1d276eed2682a2719dab84ae2
2021-02-17 12:41:38 +09:00
Treehugger Robot
1091c5cf7c
Merge "Add CEC HAL 1.1" am: 9c26e0265d
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1588313
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: Id054c116eaea9823f3116e6f3e1401e088f2770b
2021-02-17 00:42:09 +00:00
Treehugger Robot
9c26e0265d
Merge "Add CEC HAL 1.1"
2021-02-17 00:17:54 +00:00
Treehugger Robot
d074d435c8
Merge "Adding SEPolicy for IRemotelyProvisionedComponent" am: 5ace493461
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1569961
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: I4cf7e4a8c094891d374766766434978e2e59e446
2021-02-17 00:10:04 +00:00
Treehugger Robot
5ace493461
Merge "Adding SEPolicy for IRemotelyProvisionedComponent"
2021-02-16 23:48:44 +00:00
Treehugger Robot
cfbb43120d
Merge "Allow third-party apps to access tuner hal fd" am: 01a9e4de24
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1587542
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: I36900a4e59d8e7de6ce8f7cd79e1a7c6f4ca5a2b
2021-02-16 22:56:39 +00:00
Treehugger Robot
01a9e4de24
Merge "Allow third-party apps to access tuner hal fd"
2021-02-16 22:25:18 +00:00
Elliott Hughes
dbcd3b6d9c
Merge "init/ueventd and system_server no longer need access to /dev/hw_random." am: adaf4fe7a9
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1580967
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: I250e585dba494335017001e72fb33fbb399db8b6
2021-02-16 20:40:17 +00:00
Elliott Hughes
adaf4fe7a9
Merge "init/ueventd and system_server no longer need access to /dev/hw_random."
2021-02-16 20:08:39 +00:00
Ram Muthiah
fa10ab3955
Merge "Revert "Add qemu.hw.mainkeys to system property_contexts"" am: 523a649401
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1590671
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: Ibc3afb978c5f79942d6a10b5790172bceb920288
2021-02-16 19:35:42 +00:00
Amy Zhang
db13ae741e
Allow third-party apps to access tuner hal fd
...
The fd shared here is the fast message queue descriptor of the Tuner
Filter MQ or DVR MQ, sent from the Tuner HAL HIDL interface to Tuner Service.
Tuner service would convert the hidl mq descriptor into an aidl one, which is then
passed to the Tuner JNI. Tuner JNI would read/write data into fmq
through the shared fd when the third-party app calls corresponding APIs.
The fd won't be exposed through SDK APIs.
The same fd won't be shared among apps. Each app only has access to
their own Tuner java instance through Tuner SDK, and read/write their
own Filter/Dvr.
Test: atest TunerDvrTest#testDvrPlayback
Bug: 159067322
Bug: 174500129
Bug: 171378420
Bug: 158868205
Change-Id: I34c113a092673f8ea9bcb7428b5562101c4d35ec
2021-02-16 11:17:49 -08:00
Ram Muthiah
523a649401
Merge "Revert "Add qemu.hw.mainkeys to system property_contexts""
2021-02-16 19:05:10 +00:00
Ram Muthiah
509b35e5d9
Revert "Add qemu.hw.mainkeys to system property_contexts"
...
Revert submission 1582845-qemu-prop
Reason for revert: aosp_hawk-userdebug is broken on an RVC branch
Reverted Changes:
Idfc2bffa5:Add qemu.hw.mainkeys to system property_contexts
If013ff33f:Remove qemu.hw.mainkeys from vendor_qemu_prop
Bug: 180412668
Change-Id: I335afb931eaeb019f66e3feedea80b0c8888f7a3
2021-02-16 18:58:10 +00:00
Hongming Jin
58f83415ea
Add /data/misc/a11ytrace folder to store accessibility trace files.
...
Bug: 157601519
Test: adb shell cmd accessibility start-trace
adb shell cmd accessibility stop-trace
Change-Id: Id4224cee800fe3e10f33794c96048366a0bf09bb
2021-02-16 09:35:09 -08:00
Weilun Du
baf97e40f9
Merge "Add qemu.hw.mainkeys to system property_contexts" am: 23bb01756e
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1582845
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: I7eb61f01903b343c1cf2a210ffe6f7bae3034922
2021-02-16 17:22:58 +00:00
Nick Chalko
81a4dd40d6
Add sepolicy swcodec native flag namespace.
...
Test: add sepolicy, build, check GetServerConfigurableFlag function
Bug: 179286276
Change-Id: Ia16d110900251b3fb3e3959d73524c8814199270
2021-02-16 09:22:16 -08:00
Weilun Du
23bb01756e
Merge "Add qemu.hw.mainkeys to system property_contexts"
2021-02-16 16:44:00 +00:00
Max Bires
d2a9e6e630
Adding SEPolicy for IRemotelyProvisionedComponent
...
This SEPolicy change allows the hal_keymint domain to add
hal_remotelyprovisionedcomponent_service to hwservice_manager.
Test: The Keymint HAL can successfully start an instance of
IRemotelyProvisionedComponent
Change-Id: I15f34daf319e8de5b656bfacb8d050950bf8f250
2021-02-15 20:48:45 -08:00
Gavin Corkery
cd3bb575ab
Add sepolicy for scheduling module data directories
...
Test: Manually test writing and reading files
Bug: 161353402
Change-Id: Ifbc0e4db0ec51f6565a0f52df06b1d148577b788
2021-02-15 22:31:27 +00:00
Maciej Żenczykowski
fd596bf799
Merge "apply 'fs_bpf_tethering' label to /sys/fs/bpf/tethering" am: c281113ea8
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1566557
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: Iec1e9556373de5508097bf9a9264455238728353
2021-02-15 12:52:33 +00:00
Galia Peycheva
efff2e4789
Merge "Add blur sysprop to sepolicy" am: 7959b6eb1b
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1585067
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: I5a046f94f8233ffdaf5cb6fef3a1952393448ad3
2021-02-15 12:51:58 +00:00
Maciej Żenczykowski
c281113ea8
Merge "apply 'fs_bpf_tethering' label to /sys/fs/bpf/tethering"
2021-02-15 12:21:54 +00:00
Galia Peycheva
7959b6eb1b
Merge "Add blur sysprop to sepolicy"
2021-02-15 12:20:29 +00:00
Marvin Ramin
90c2c856ae
Add CEC HAL 1.1
...
Update contexts to include CEC HAL v1.1
Bug: 169121290
Test: make
Change-Id: Ia28afad7d9963886b0d4286436e2024cdd93c8d4
2021-02-15 09:36:55 +01:00
Treehugger Robot
cec7de1859
Merge changes from topic "uid_pid with recovery mode" am: cbf08f8cc7
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1587544
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: Ibffd60cdad4211d0d95f5068b1457161ff0a34d6
2021-02-13 21:52:06 +00:00
Marco Ballesio
9afaef844b
sepolicy: rules for uid/pid cgroups v2 hierarchy am: aa4ce95c6f
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1585406
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: Icd7136331223fa9f4a215ce07330da173ba61db0
2021-02-13 21:51:47 +00:00
Treehugger Robot
cbf08f8cc7
Merge changes from topic "uid_pid with recovery mode"
...
* changes:
sepolicy: grant system_server process group creation rights
sepolicy: rules for uid/pid cgroups v2 hierarchy
2021-02-13 21:32:31 +00:00
Marco Ballesio
98a5e60592
sepolicy: grant system_server process group creation rights
...
system_server must be allowed to create process groups on behalf of
processes spawned by the app zygote
Bug: 62435375
Bug: 168907513
Test: verified that webview processes are migrated in their own process
group
Change-Id: Icd9cd53b759a79fe4dc46f7ffabc0cf248e6e4b8
2021-02-12 15:16:18 -08:00
Elliott Hughes
5aaf7f3461
init/ueventd and system_server no longer need access to /dev/hw_random.
...
We let the kernel worry about that now.
Bug: http://b/179086242
Test: treehugger
Change-Id: I51bdfaf7488717cc4e4c642261e31d1801cfba68
2021-02-12 09:33:22 -08:00
Pavel Grafov
7934b50f03
Allow wificond access wifi keys in KeyStore2
...
Bug: 171305388
Test: manual
Change-Id: If2ce168e1415c28259d5fa2ad9d2b409bd977756
2021-02-12 15:58:57 +00:00
Mohammad Islam
3663ec7d1e
Merge "Allow apexd to relabel files in /data/apex/decompressed" am: 1a2a3bd369
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1561696
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: If4af5950e9a44a123331a2e94c3695d7a072c411
2021-02-12 10:50:06 +00:00
Mohammad Islam
1a2a3bd369
Merge "Allow apexd to relabel files in /data/apex/decompressed"
2021-02-12 10:16:55 +00:00
Treehugger Robot
cf5f18538e
Merge "The SE Policies to incorporate ISecureClock and ISharedSecret services along with IKeyMintDevice service into default keymint HAL Server. Test: Rebuild, execute and run atest VtsAidlSharedSecretTargetTest and atest VtsAidlSecureClockTargetTest. Bug: b/171844725, b/168673523." am: 98e48ac6b4
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1562770
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: I0589e6bcbdde95f1d465ee5ec4d591ed96287f47
2021-02-12 04:47:46 +00:00
Shubang Lu
fd40534a40
Merge "Add SE policy for media_metrics" am: a19f9d2455
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1580990
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: I7f1fbabf3dd22beebd91654d046e9b3fff4b67c3
2021-02-12 04:46:21 +00:00
Treehugger Robot
98e48ac6b4
Merge "The SE Policies to incorporate ISecureClock and ISharedSecret services along with IKeyMintDevice service into default keymint HAL Server. Test: Rebuild, execute and run atest VtsAidlSharedSecretTargetTest and atest VtsAidlSecureClockTargetTest. Bug: b/171844725, b/168673523."
2021-02-12 02:42:35 +00:00
Shubang Lu
a19f9d2455
Merge "Add SE policy for media_metrics"
2021-02-12 02:00:32 +00:00
Maciej Żenczykowski
d68cb48e90
apply 'fs_bpf_tethering' label to /sys/fs/bpf/tethering
...
We want to label /sys/fs/bpf/tethering/... with a new label distinct
from /sys/fs/bpf, as this will allow locking down the programs/maps
tighter than is currently possible with the existing system.
These programs and maps are provided via the tethering mainline module,
and as such their number, names, key/value types, etc. are all prone to
be changed by a tethering mainline module update.
Test: atest, TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ifc4108d76a1106a936b941a3dda1abc5a65c05b0
2021-02-11 17:45:06 -08:00
Treehugger Robot
099e2f1a09
Merge "Allow dumpsys meminfo to print out DMA-BUF statistics" am: 83d6f96fdc
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1582856
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: Id76c925e6f3a36fca52962d75c8a4f5b8907ac76
2021-02-12 00:28:10 +00:00
Treehugger Robot
83d6f96fdc
Merge "Allow dumpsys meminfo to print out DMA-BUF statistics"
2021-02-11 23:48:04 +00:00
Marco Ballesio
aa4ce95c6f
sepolicy: rules for uid/pid cgroups v2 hierarchy
...
Bug: 168907513
Test: verified the correct working of the v2 uid/pid hierarchy in normal
and recovery modes
This reverts commit aa8bb3a29b.
Change-Id: Ib344d500ea49b86e862e223ab58a16601eebef47
2021-02-11 23:40:38 +00:00
shubang
2210767054
Add SE policy for media_metrics
...
Test: CTS;
Change-Id: Ib9382f2513d8fd0e6812d0157c710d0ad5817231
2021-02-11 18:38:07 +00:00
Hridya Valsaraju
0001dee765
Allow dumpsys meminfo to print out DMA-BUF statistics
...
These permissions fix the following denials:
avc: denied { read } for name="buffers" dev="sysfs" ino=3267
scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_dmabuf_stats:s0
tclass=dir permissive=1
avc: denied { open } for path="/sys/kernel/dmabuf/buffers" dev="sysfs"
ino=3267 scontext=u:r:system_server:s0
tcontext=u:object_r:sysfs_dmabuf_stats:s0 tclass=dir permissive=1
avc: denied { read } for name="size" dev="sysfs"
ino=30556 scontext=u:r:system_server:s0
tcontext=u:object_r:sysfs_dmabuf_stats:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/kernel/dmabuf/buffers/41673/size" dev="sysfs"
ino=30556 scontext=u:r:system_server:s0
tcontext=u:object_r:sysfs_dmabuf_stats:s0 tclass=file permissive=1
avc: denied { getattr } for path="/sys/kernel/dmabuf/buffers/41673/size" dev="sysfs"
ino=30556 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_dmabuf_stats:s0
tclass=file permissive=1
avc: denied { read } for name="dma_heap" dev="tmpfs" ino=344
scontext=u:r:system_server:s0 tcontext=u:object_r:dmabuf_heap_device:s0
tclass=dir permissive=1
avc: denied { open } for path="/dev/dma_heap" dev="tmpfs" ino=344
scontext=u:r:system_server:s0 tcontext=u:object_r:dmabuf_heap_device:s0
tclass=dir permissive=1
Test: adb shell dumpsys meminfo
Bug: 167709539
Change-Id: Ifa43fd16369d5da1db16e45ff0e189da0c975b75
2021-02-11 10:04:26 -08:00
Galia Peycheva
201414cff6
Add blur sysprop to sepolicy
...
Bug: 170378891
Test: m
Change-Id: I6876e3bfe9dfdf066bfa54334555fdab5b3598d5
2021-02-11 17:32:30 +00:00
Weilun Du
180a277d67
Add qemu.hw.mainkeys to system property_contexts
...
Bug: 178143857
Signed-off-by: Weilun Du <wdu@google.com>
Change-Id: Idfc2bffa52016d1e880974bb193025400e90a538
2021-02-11 04:18:54 +00:00