Commit graph

30050 commits

Author SHA1 Message Date
Suren Baghdasaryan
b7e70b2b68 Merge "sepolicy: Allow lmkd to access bpf map to read GPU allocation statistics" 2021-06-15 01:33:14 +00:00
Treehugger Robot
c72ac915a5 Merge "Add ro.vendor.build.dont_use_vabc to property_contexts" am: 49de475b86
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1734833

Change-Id: Ib6c34eb8219f5a0c0dbba5e0d6d0ca2a52daf769
2021-06-14 18:58:47 +00:00
Treehugger Robot
49de475b86 Merge "Add ro.vendor.build.dont_use_vabc to property_contexts" 2021-06-14 18:37:30 +00:00
Treehugger Robot
9caa97b1f4 Merge "Allow shell to read /vendor/apex/*" am: 05b6365178
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1736393

Change-Id: I174846e9ead4300bc4b4563d393184587c671e01
2021-06-14 13:35:39 +00:00
Treehugger Robot
05b6365178 Merge "Allow shell to read /vendor/apex/*" 2021-06-14 13:20:30 +00:00
Lalit Maganti
a0dc959c9b Merge "sepolicy: add perfetto_producer for platform_app and system_app" am: ebdc2c2ea8
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1733275

Change-Id: Iff63c6af0e02b8a116932334f6d236263eaba3d9
2021-06-14 11:58:37 +00:00
Lalit Maganti
ebdc2c2ea8 Merge "sepolicy: add perfetto_producer for platform_app and system_app" 2021-06-14 11:46:20 +00:00
Treehugger Robot
d8c269b321 Merge "Allow cameraserver to access permission checker" am: 0e1f6a5ddf
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1734253

Change-Id: I89ae9ab6e067e6997e88858dd26f990b5045c371
2021-06-14 06:00:37 +00:00
Treehugger Robot
0e1f6a5ddf Merge "Allow cameraserver to access permission checker" 2021-06-14 05:47:01 +00:00
Jiyong Park
abdc9739fc Allow shell to read /vendor/apex/*
It is used for future xTS tests to read the raw files.

Bug: 190858091
Test: m
Change-Id: If1c7fd92772ff84d92a95fbee74f6c1f8d1cd365
2021-06-14 08:30:43 +09:00
Nikita Ioffe
78e5b7a6b3 Merge "Give adbd and shell read access to /apex/apex-info-list.xml" am: 8f6d68c504
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1734153

Change-Id: Iac2b56b709ace48f381987c56d7783a1e9debc48
2021-06-13 22:06:41 +00:00
Nikita Ioffe
8f6d68c504 Merge "Give adbd and shell read access to /apex/apex-info-list.xml" 2021-06-13 21:41:45 +00:00
Songchun Fan
87b1f6ad2b [sepolicy] allow installd to query apps installed on Incremental File System am: f1a60ca2fe
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1734272

Change-Id: I10d5f61ba54877b462c9261653dc2a7f0c49741b
2021-06-12 10:16:34 +00:00
Svet Ganov
da0c8923f7 Allow cameraserver to access permission checker
Test: No SELinux errors and can access

Change-Id: Id7884e0fde4afc235b097be640ffde45fd067f33
2021-06-12 02:56:00 +00:00
Suren Baghdasaryan
ea2941b84b sepolicy: Allow lmkd to access bpf map to read GPU allocation statistics
Lmkd needs read access to /sys/fs/bpf/map_gpu_mem_gpu_mem_total_map BPF
map to obtain information on GPU memory allocations.

Bug: 189366037
Test: lmkd_unit_test
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I59ded4bc5ec97861e50b4fd1fdd6efb23990b79c
2021-06-11 20:59:53 +00:00
Kelvin Zhang
7ce2af4c23 Add ro.vendor.build.dont_use_vabc to property_contexts
Test: mm
Change-Id: I7d06d0c1d137471a0d7b78678a372b29158f1be7
2021-06-11 10:00:40 -04:00
Songchun Fan
f1a60ca2fe [sepolicy] allow installd to query apps installed on Incremental File System
Addresses denial messages like:
06-10 19:36:56.269  1214  1214 I Binder:1214_5: type=1400 audit(0.0:58): avc: denied { use } for path="/data/incremental/MT_data_app_vmdl199/backing_store/st_2_1/com.unity.megacity-HlbmeQJjThgePchBlByuoQ==" dev="dm-5" ino=10445 scontext=u:r:installd:s0 tcontext=u:r:vold:s0 tclass=fd permissive=1
06-10 19:36:56.516  1214  1214 I Binder:1214_6: type=1400 audit(0.0:59): avc: denied { use } for path="/data/incremental/MT_data_app_vmdl199/backing_store/st_2_1/com.unity.megacity-HlbmeQJjThgePchBlByuoQ==" dev="dm-5" ino=10445 scontext=u:r:installd:s0 tcontext=u:r:vold:s0 tclass=fd permissive=1

BUG: 190699430
Test: manual
Change-Id: Iee4bdb382b6af5bc8cd63fde2c0db5f0b9b4f02b
2021-06-10 13:16:28 -07:00
Nikita Ioffe
681ad260b4 Give adbd and shell read access to /apex/apex-info-list.xml
/apex/apex-info-list.xml is used by ART mainline module, hence it needs
to have CTS test for it. Giving adbd and shell read-only permission
allows us to write host-driven CTS test that pulls
/apex/apex-info-list.xml from the device and inspects its content.

Similar (albeit not exactly the same information) is already available
via PackageManager APIs/PackageManager shell command.

Bug: 190185664
Test: m
Test: adb shell cat /apex/apex-info-list.xml
Change-Id: Ib7f2ca79a7493f8cd40d0c419569e85135f6bbda
2021-06-10 19:57:17 +01:00
Michael Ayoubi
0be7c67da0 Add support for hal_uwb
Bug: 187386527
Test: Boot and confirm HAL is up
Signed-off-by: Michael Ayoubi <mayoubi@google.com>
Change-Id: Ia866a9a72b6f2ea5b31de25baefd13c2fd0b9c22
2021-06-10 17:46:23 +00:00
Lalit Maganti
d6ff0c7062 sepolicy: add perfetto_producer for platform_app and system_app
This addresses the following SELinux failure:
trigger_perfett: type=1400 audit(0.0:331): avc: denied { write }
  for name="traced_producer" dev="tmpfs" ino=35064
  scontext=u:r:platform_app:s0:c512,c768
  tcontext=u:object_r:traced_producer_socket:s0
  tclass=sock_file permissive=0 app=com.android.systemui

This is necessary so that, on user builds, system apps like systemui can
trigger Perfetto traces. This is already allowed on userdebug/eng by the
capability in app.te.

In a follow up, we'll probably remove all the perfetto_producer in the
*_app.te and remove the userdebug_or_eng in app.te.

Bug: 190620348
Change-Id: I715979970cde760efdf4497c7cd2a2039ca86c85
2021-06-10 13:16:25 +00:00
Treehugger Robot
56b9d1fd7b Merge "Allow system_server to read /proc/vmstat" am: 03b80a12e4
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1729391

Change-Id: Ib62addb6c8bfebbc2804295996c098d10274a3da
2021-06-10 11:22:29 +00:00
Treehugger Robot
03b80a12e4 Merge "Allow system_server to read /proc/vmstat" 2021-06-10 11:10:30 +00:00
Joanne Chung
a6657178f4 [Sepolicy] Change sepolicy name back to formal name.
The feature is public, so we can change the fake name to the formal name.

Bug: 185550380
Test: build pass and can run service correctly
Merged-In: I956d916077f9a71cdf1df2f0be6f83e6f1f30a98

Change-Id: Idc29942eee6c2fd7658beb69ba62a70397176a66
2021-06-10 11:02:27 +00:00
Andrew Walbran
fe40a14cbd Merge "Allow init to clear VirtualizationService data directory." am: 60f40c02a0
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1724711

Change-Id: Id98b8f9848b699ea75c3f4410cc2cf4499eae497
2021-06-10 09:01:49 +00:00
Andrew Walbran
60f40c02a0 Merge "Allow init to clear VirtualizationService data directory." 2021-06-10 08:48:57 +00:00
Yi Kong
0b34dcbea6 Allow system server to read profcollectd data files am: 953aa5643f
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1730160

Change-Id: I0601b1fe36d9572057edb669506c2ea593ef03ab
2021-06-09 16:38:41 +00:00
Yi Kong
953aa5643f Allow system server to read profcollectd data files
This allows the system server to read the reports for uploading.

Also cleaned up the out of order qemu_hw_prop entry.

Test: manual
Bug: 178561556
Bug: 183487233
Change-Id: I9e5aef9cbcf50fd085dd72900e3ab00a1b6c20a7
2021-06-09 13:01:50 +00:00
Treehugger Robot
132707a3c2 Merge "Add sys.usb.mtp.batchcancel to usb_config_prop" am: c73a91f49d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1728031

Change-Id: Ib02c72e90bd0d3691e8deaf9db7eb1489c408799
2021-06-09 02:14:14 +00:00
Treehugger Robot
c73a91f49d Merge "Add sys.usb.mtp.batchcancel to usb_config_prop" 2021-06-09 01:52:39 +00:00
Yifan Hong
34f017a2d0 Merge "Allow binder services to r/w su:tcp_socket" am: a66a5df13d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1729830

Change-Id: If3c55331bc2faaf65871b6e28752d8ae8949129d
2021-06-08 22:30:46 +00:00
Yifan Hong
a66a5df13d Merge "Allow binder services to r/w su:tcp_socket" 2021-06-08 22:13:23 +00:00
Yifan Hong
be04b091bb Allow binder services to r/w su:tcp_socket
Test: binderHostDeviceTest
Bug: 182914638
Change-Id: I1c8d3b2194bc20bd2bcde566190aa5c73d7e7db9
2021-06-08 10:39:02 -07:00
David Anderson
2291ad9dcd Merge "Fix fastbootd denials when using /proc/bootconfig." am: b0efbee6ed
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1729182

Change-Id: I524e06fb79b0056497a59257210e337ceed60170
2021-06-08 17:03:40 +00:00
David Anderson
b0efbee6ed Merge "Fix fastbootd denials when using /proc/bootconfig." 2021-06-08 16:47:41 +00:00
Ioannis Ilkos
351326b578 Allow system_server to read /proc/vmstat
/proc/vmstat oom_kill counts the number of times __oom_kill_process
was actioned
(https://lore.kernel.org/lkml/149570810989.203600.9492483715840752937.stgit@buzz/)

We want to record this in the context of system_server for tracking
purposes.

Bug: 154233512
Change-Id: I27bcbcd5d839e59a1dca0e87e2f4ae107201654c
Test: build, verify vmstat can be read
2021-06-08 14:24:26 +00:00
Ricky Wai
f07dcee430 Isolate app profile ref data
Due to aosp/1708274, ref data directory is now world accessible.
We need to fix ref data directory so that it does not leak app
visibility information.

Bug: 189787375
Test: AppDataIsolationTests
Change-Id: I4170bbe2eed672c765ee6a28bbc29ab683f67a0a
2021-06-08 12:19:46 +01:00
Wei Wang
f362d255a2 Merge "Rename surfaceflinger uclamp.min property" am: 0e139d0a3a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1729184

Change-Id: I03e8409d231961768a60a273a4cac7010412a371
2021-06-08 06:15:32 +00:00
Wei Wang
0e139d0a3a Merge "Rename surfaceflinger uclamp.min property" 2021-06-08 05:54:57 +00:00
Inseob Kim
3ed8e90369 Call SkipInstall before InstallFile am: 31db274078
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1730150

Change-Id: I109b5cae8bfac408d73b4834ff95e14019183d10
2021-06-08 04:33:45 +00:00
Ray Chi
07bb5d076a Add sys.usb.mtp.batchcancel to usb_config_prop
Add sys.usb.mtp.batchcancel to usb_config_prop to allow
mediaprovider to read this property.

Bug: 181729410
Test: boot the device, and confirm the property could be read
Change-Id: I44b2d9c36bfa439cdbf8b8a874ead424381e3e50
2021-06-08 02:32:20 +00:00
Wei Wang
4d9438808e Rename surfaceflinger uclamp.min property
Bug: 190137562
Test: boot and check uclamp.min of SF
Signed-off-by: Wei Wang <wvw@google.com>
Change-Id: I058c72012a28cebe09f001688a35fb4c6839e6cc
2021-06-07 18:52:50 -07:00
David Anderson
08a08ab21f Fix fastbootd denials when using /proc/bootconfig.
Bug: 189493387
Test: fastboot flashall on device using bootconfig
Change-Id: Ibfb7c8a2861f61803a449a4b0ec9ed92ded5c4de
2021-06-07 18:40:24 -07:00
Inseob Kim
31db274078 Call SkipInstall before InstallFile
InstallFile skips install only if SkipInstall is called before
InstallFile.

Bug: 190442286
Test: build/soong/scripts/build-ndk-prebuilts.sh
Change-Id: Ic497e34816ea5ac23be45e34c242b59bf1a01e28
2021-06-08 10:31:09 +09:00
Inseob Kim
bf48ef246a Merge "Remove microdroid specific rules and files" am: af2697a452
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1728032

Change-Id: Ibd151eca327f00cc04f85c655631301d7cbe00e2
2021-06-08 01:04:31 +00:00
Tej Singh
8bd5ea7e60 Merge "Make *-apex-info-list.xml readable by shell" am: 6550adcaed
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1729178

Change-Id: I5a04e0a0fa7230f77bfcfc1399fc0528ccfc9210
2021-06-08 01:03:49 +00:00
Inseob Kim
af2697a452 Merge "Remove microdroid specific rules and files" 2021-06-08 00:53:26 +00:00
Tej Singh
6550adcaed Merge "Make *-apex-info-list.xml readable by shell" 2021-06-08 00:47:33 +00:00
Tej Singh
75385efd27 Make *-apex-info-list.xml readable by shell
Enables CTS testing of the bootstrap apexes.

Bug: 186767843
Test: adb shell cat bootstrap-apex-info-list.xml works without root
Change-Id: Icf56d32d296f5a42160dbd9ea90a89c8b4db6aa7
2021-06-07 21:39:34 +00:00
Treehugger Robot
b6f2c42245 Merge "Add a new SF property for setting uclamp.min" am: 6a94b64583
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1729630

Change-Id: I961a5dc9085f2324f961659b8b453b31452dc7bd
2021-06-07 21:15:31 +00:00
Treehugger Robot
6a94b64583 Merge "Add a new SF property for setting uclamp.min" 2021-06-07 20:55:10 +00:00