Treehugger Robot
02ee86e98b
Merge "Add sepolicy for background_install_control service" am: 878ac541e7
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2263542
Change-Id: I7a5d62ff7b3c329f2adcb9dcdf2c602d867d7c27
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-10-24 21:41:53 +00:00
Treehugger Robot
878ac541e7
Merge "Add sepolicy for background_install_control service"
2022-10-24 21:18:14 +00:00
Wenhao Wang
e825ad2a62
Add sepolicy for background_install_control service
...
The background_install_control service is going to detect
background installed apps and provide the list of such apps.
Bug: 244216300
Test: manual
Change-Id: I6500f29ee063da4a3bc18e109260de419dd39218
2022-10-24 11:26:35 -07:00
Reema Bajwa
556771a8f6
Merge "Add app_api_service and ephemeral_app_api to credential_service selinux policy to allow regular apps and instant apps to access credential manager Test: Built & deployed locally Bug: 253155284 Feature Bug: 241268646" am: 7e707248b2
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2260243
Change-Id: I69442233d4bfd4573a1cd86da1421f0f4b24b918
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-10-22 01:06:05 +00:00
Reema Bajwa
7e707248b2
Merge "Add app_api_service and ephemeral_app_api to credential_service selinux policy to allow regular apps and instant apps to access credential manager Test: Built & deployed locally Bug: 253155284 Feature Bug: 241268646"
2022-10-22 00:41:37 +00:00
Arthur Ishiguro
cd563757f9
Merge "Add sepolicy for default Context Hub HAL access to stats service" am: 3002f1afe2
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2260773
Change-Id: I2eee571031f0e8277de66056f779fe9b023e48f8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-10-20 17:05:51 +00:00
Arthur Ishiguro
3002f1afe2
Merge "Add sepolicy for default Context Hub HAL access to stats service"
2022-10-20 16:29:32 +00:00
Treehugger Robot
dddcfee197
Merge changes I9deb367b,I8c88622e,I18747dc6,I4e94db4a am: 8cd5d0b899
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2261556
Change-Id: I8a296f33ea9b1d75bb339b389385afa572b1cd91
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-10-20 04:42:47 +00:00
Treehugger Robot
8cd5d0b899
Merge changes I9deb367b,I8c88622e,I18747dc6,I4e94db4a
...
* changes:
Generate compat files and modules with scripts
Fix wrongly hardcoded version
Remove deprecated distutils dependency
Remove redundant comments
2022-10-20 04:12:45 +00:00
Arthur Ishiguro
ca5474c5cf
Add sepolicy for default Context Hub HAL access to stats service
...
Bug: 254328944
Test: Verify no selinux error through logcat
Change-Id: Iebc7e6c42a99d091dd1afcc5ff0204bd6f3c71e7
2022-10-19 16:49:01 +00:00
Reema Bajwa
d151d63fa0
Add app_api_service and ephemeral_app_api to credential_service selinux policy to allow regular apps and instant apps to access credential manager
...
Test: Built & deployed locally
Bug: 253155284
Feature Bug: 241268646
Change-Id: I6cf6738858bccfbb07f0cf2e92fcbd472b4c56ce
2022-10-19 14:50:46 +00:00
Inseob Kim
f87eb38696
Generate compat files and modules with scripts
...
The steps have been done by hand, which is highly error-prone.
Bug: 207344718
Test: run the script manually
Change-Id: I9deb367b0cbd8d357147f83964bc214cd00266f7
2022-10-19 18:32:01 +09:00
Inseob Kim
bf2a967f1f
Fix wrongly hardcoded version
...
Also removed 10000.0 as there is no 10000.0 in the cil (only 10000_0
exists)
Test: manual
Change-Id: I8c88622e75847388394ba7a0e2e16ceb600ac4f1
2022-10-19 18:31:07 +09:00
Inseob Kim
73172d83ca
Remove deprecated distutils dependency
...
Test: manual
Change-Id: I18747dc6dc47d8e865cadb87dee4a88d1ec32d49
2022-10-19 18:25:23 +09:00
Inseob Kim
0c4a3ed6e9
Remove redundant comments
...
Because compat/Android.bp will be modified by compat generate script.
Bug: 207344718
Test: N/A
Change-Id: I4e94db4a9aab492d7fd6df97fad7bfe80756260c
2022-10-19 18:22:48 +09:00
Treehugger Robot
67f9821aa4
Merge "Add policies for new services HDMI and HDMICEC" am: 4a5c2dee68
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2223061
Change-Id: I40f635565583adb88a98fb2304eacb04adc8dab2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-10-19 03:31:09 +00:00
Treehugger Robot
4a5c2dee68
Merge "Add policies for new services HDMI and HDMICEC"
2022-10-19 02:58:03 +00:00
Steven Moreland
2b39859d1a
Merge "servicemanager: kernel log perms" am: 586703a90c
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2120755
Change-Id: I64241a470ee02206e7513f0d9bd9b5f827ee1ab6
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-10-18 20:27:45 +00:00
Steven Moreland
586703a90c
Merge "servicemanager: kernel log perms"
2022-10-18 20:06:41 +00:00
Steven Moreland
5c3f315771
servicemanager: kernel log perms
...
Bug: 210919187
Fixes: 235390578
Test: boot (logs still only show up sometimes)
Change-Id: I16b9814260103ce550836655d0409d43b8850ea0
2022-10-17 21:30:50 +00:00
Pawan Wagh
ed30ef1e1e
Merge "Revert "Revert "Updating exisiting fuzzers in fuzzer bindings""" am: 59f3e11574
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2255140
Change-Id: I6ebe139f6d4dcd524eb409fb4ab07bc20940af82
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-10-17 16:52:45 +00:00
Pawan Wagh
59f3e11574
Merge "Revert "Revert "Updating exisiting fuzzers in fuzzer bindings"""
2022-10-17 16:21:46 +00:00
Hunsuk Choi
40e6ec320b
Merge "Add IRadioIms and IImsMedia context" am: 0c00096874
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2252878
Change-Id: Iffe9f97bf14f9e8e051d0c7000ea54f21d0c5d20
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-10-17 06:46:26 +00:00
Hunsuk Choi
0c00096874
Merge "Add IRadioIms and IImsMedia context"
2022-10-17 06:13:01 +00:00
Treehugger Robot
6a520d6622
Merge "Add selinux policy to register remote access HAL." am: 184064cd13
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2242819
Change-Id: I107d43afa110e509f097f0dbdb923d2589cacfd7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-10-15 03:50:05 +00:00
Treehugger Robot
184064cd13
Merge "Add selinux policy to register remote access HAL."
2022-10-15 03:13:07 +00:00
Pawan Wagh
fe3d48f3fb
Revert "Revert "Updating exisiting fuzzers in fuzzer bindings""
...
This reverts commit e3245a40df.
Reason for revert: Check for missing dependency is added now. It should fix builds on master-art branch.
Bug: 253648584
Change-Id: I1ecd4521a1038ace711a4abeb0964b764ad5bc94
2022-10-14 18:51:34 +00:00
Pawan Wagh
d1c05f92bb
Merge "sepolicy : check if missing dependencies are allowed" am: 093c870e67
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2253074
Change-Id: Idda66a62e55b9d1a575ccf243317594259d33f4c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-10-14 18:37:34 +00:00
Rob Seymour
7aaf88d74f
Merge "Allow service managers access to apex data." am: 9833c60b35
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2168782
Change-Id: Ic07e1e7fed18781c587c99d451738f034650475e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-10-14 18:36:49 +00:00
Pawan Wagh
093c870e67
Merge "sepolicy : check if missing dependencies are allowed"
2022-10-14 18:04:55 +00:00
Rob Seymour
9833c60b35
Merge "Allow service managers access to apex data."
2022-10-14 18:04:46 +00:00
Keir Fraser
267c488ccb
Allow microdroid_manager to create a ZRAM swap device am: 5cbe30c386
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2251456
Change-Id: I46d954514c634529237991387de94bbbed176eaf
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-10-13 15:50:13 +00:00
Keir Fraser
5cbe30c386
Allow microdroid_manager to create a ZRAM swap device
...
Bug: 238284600
Test: Start a VM, confirm swap is available
Change-Id: I5b6050fabd652d9c15584afa0bfdc10b33401dd1
2022-10-13 14:22:15 +00:00
Hunsuk Choi
24abed20f5
Add IRadioIms and IImsMedia context
...
Bug: 216387835
Test: build & flash
Change-Id: I7eb3a45e1b13ca702e6bab7e152c4b4722ceccdd
(cherry picked from commit 26a4cc08701586459e1042604a204f6485c27d08)
Merged-In: I7eb3a45e1b13ca702e6bab7e152c4b4722ceccdd
2022-10-13 06:17:30 +00:00
Treehugger Robot
1989e9a3a7
Merge "Fix too-broad allows granted to domain" am: c3b7489ee5
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2251313
Change-Id: I83e9ebd22b900a0ca494e49e9f17f35a8c08a785
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-10-13 06:08:00 +00:00
Treehugger Robot
c3b7489ee5
Merge "Fix too-broad allows granted to domain"
2022-10-13 05:37:13 +00:00
Inseob Kim
4e141f6241
Fix too-broad allows granted to domain
...
These were wrongly added to microdroid policy during bring-up. The
permissions should be restricted to select domains.
Bug: 248478536
Test: atest MicrodroidTests MicrodroidHostTestCases
Change-Id: I9cd94728e84dfd4d69e1bc8e979d204d9d9afbd1
2022-10-13 13:14:29 +09:00
Pawan Wagh
54eebadb3e
sepolicy : check if missing dependencies are allowed
...
Panic only if missing dependencies are not allowed while checking
fuzzer bindings. This fix should breakages on branches like master-art
where SOONG_ALLOW_MISSING_DEPENDENCIES is set.
Bug: 246590424
Test: m
Change-Id: I0f908f27de5f761495848f461c7d479117f9feda
2022-10-12 22:32:58 +00:00
Sandro Montanari
de9c6f353f
Merge "Add auditallow for system properties access from the sdk sandbox" am: 9a8980aed5
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2238862
Change-Id: Icabeb208446566922793f286a002c539b0266b12
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-10-12 09:49:51 +00:00
Sandro Montanari
9a8980aed5
Merge "Add auditallow for system properties access from the sdk sandbox"
2022-10-12 09:27:01 +00:00
Steven Moreland
c0f62b10f4
Merge "crosvm: socket getopt" am: dda67f95f0
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2247973
Change-Id: Idd949a6c386ce9cbcc09417f9cef02a8ec39abf2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-10-12 00:23:47 +00:00
Steven Moreland
dda67f95f0
Merge "crosvm: socket getopt"
2022-10-11 23:57:52 +00:00
Akilesh Kailash
fc9647264a
Merge "Supress permissive audit messages post OTA reboot" am: 9f7ab3c0cf
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2166090
Change-Id: I476e1687df7cbb231bd69d8d8ca8125cf82b3cca
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-10-11 21:27:48 +00:00
Akilesh Kailash
9f7ab3c0cf
Merge "Supress permissive audit messages post OTA reboot"
2022-10-11 21:04:42 +00:00
Xin Li
16c7779256
Merge "Merge tm-qpr-dev-plus-aosp-without-vendor@9129937" into stage-aosp-master
2022-10-11 17:39:01 +00:00
Sandro
d0553529bb
Add auditallow for system properties access from the sdk sandbox
...
We want to more closely monitor the system properties that the
sdk_sandbox has access to.
Bug: 210811873
Test: adb logcat | grep "r:sdk_sandbox"
Change-Id: I0d590374e931ca41d5451cd7c2de5b02fee619e9
2022-10-11 15:21:08 +00:00
Seungjae Yoo
ce05fa40cb
Allow reading some files in /proc by microdroid_manager am: 3ad46dcaa4
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2238394
Change-Id: If027df48e3b5efdaa2cfecd0b8b79ddc4a54e304
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-10-11 04:03:01 +00:00
Seungjae Yoo
3ad46dcaa4
Allow reading some files in /proc by microdroid_manager
...
Bug: 236253808
Test: N/A
Change-Id: I5e5062335ace5c511aab2216c3745a2c8aa1204e
2022-10-11 10:30:03 +09:00
Steven Moreland
34f6b26719
crosvm: socket getopt
...
Required in latest merge.
Bug: 250998415
Test: atest MicrodroidTestApp
Change-Id: I2888636bc5ed69c7908862cdb2ff48da37231a51
2022-10-11 01:13:29 +00:00
Akilesh Kailash
1044702704
Supress permissive audit messages post OTA reboot
...
For post-OTA boot, we run a userspace block device daemon to mount /system.
However if we let the daemon run while loading sepolicy, it would spam permissive audits.
Since sepolicy is still not enforced yet, we can suppress these
audit messages.
Bug: 240321741
Test: Full OTA on pixel
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I0af484f95b6a1deb41498d67de82afd3c6bb29b6
2022-10-10 21:58:41 +00:00