Yu-Ting Tseng
f3e2bf3bc2
Merge "Revert "Revert "SELinux policy changes for uprobe.""" into main am: 7a9e87c4dc
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2762026
Change-Id: I8bc9096be89bea5d84e63e5f040a4ee170171676
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-27 16:26:11 +00:00
Yu-Ting Tseng
7a9e87c4dc
Merge "Revert "Revert "SELinux policy changes for uprobe.""" into main
2023-09-27 15:17:44 +00:00
Yu-Ting Tseng
3e8e8eac08
Revert "Revert "SELinux policy changes for uprobe.""
...
This reverts commit e2bd44d48d.
Reason for revert: 2nd attempt to add the policy change
Test: m selinux_policy
Change-Id: I5b9a102879a65917d496ba2194187ddd2b4545d1
2023-09-25 13:30:34 -07:00
Qais Yousef
2376f09b33
Merge "Revert "SELinux policy changes for uprobe."" into main am: e11729f825
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2759328
Change-Id: I6756e4cf2038bcc8ff67e547ff6368e7dcf8cbc7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-25 09:59:24 +00:00
Qais Yousef
e11729f825
Merge "Revert "SELinux policy changes for uprobe."" into main
2023-09-25 09:24:47 +00:00
Inseob Kim
075c18b495
Remove remaining APEX sepolicy types am: 2f0bcc1b0a
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2761425
Change-Id: Id60354d0340ccd4be990c99b9a58d0eea01e1ebc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-25 09:06:41 +00:00
Inseob Kim
2f0bcc1b0a
Remove remaining APEX sepolicy types
...
Bug: 297794885
Test: boot cuttlefish
Change-Id: I2ff465217adcf1bb0267ea6d487a9a46b6584458
2023-09-25 11:19:44 +09:00
Yu-Ting Tseng
e2bd44d48d
Revert "SELinux policy changes for uprobe."
...
This reverts commit c69343fea9.
Reason for revert: b/301700965
Change-Id: Id858e82398cb6dc65be355ce27f3c9d56f889cfa
2023-09-23 04:13:14 +00:00
Yu-Ting Tseng
4bad805071
Merge "SELinux policy changes for uprobe." into main am: fcc90e8af2
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2645793
Change-Id: I90e001b5dc22282010ea0f29f98c9b079139d759
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-22 20:51:11 +00:00
Yu-Ting Tseng
c69343fea9
SELinux policy changes for uprobe.
...
Test: m selinux_policy
Change-Id: I56565c05b6337ecd5ec20fb11443c13daaef1ad8
2023-09-21 14:50:13 -07:00
Treehugger Robot
bf807744ad
Merge "[service-vm] Adjust sepolicy for running service VM" into main am: 3e4b7bf2ce
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2735894
Change-Id: Ia0868d86d649329f40122b3d51d521bcdd4aa5c6
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-04 17:30:47 +00:00
Treehugger Robot
3e4b7bf2ce
Merge "[service-vm] Adjust sepolicy for running service VM" into main
2023-09-04 17:10:03 +00:00
Alice Wang
40519f79dc
[service-vm] Adjust sepolicy for running service VM
...
Bug: 278858244
Test: Runs the ServiceVmClientApp in VM
Test: atest MicrodroidHostTests
Change-Id: Ia59fe910edc0826aa5866468c27558e9d190b58d
2023-09-04 13:01:53 +00:00
Devin Moore
402260249c
Merge "Moving hwservicemanager and allocator to system_ext" into main am: 424c64de83
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2608419
Change-Id: If98df98c42019a9c8d59798eeabd9818d792d66c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-31 16:22:41 +00:00
Devin Moore
424c64de83
Merge "Moving hwservicemanager and allocator to system_ext" into main
2023-08-31 15:51:14 +00:00
Xin Li
e07dbe0a63
Merge Android U (ab/10368041)
...
Bug: 291102124
Merged-In: Id2cc5dbbafffb4633706e5cc728cb44abd417340
Change-Id: I77e68f17a1273958bcdc32b5a4b6a0ff3ffdfd2a
2023-08-23 17:20:59 -07:00
Alfred Piccioni
ee7e77ba63
Merge "Revert ntfs file context changes" into main
2023-08-23 12:47:58 +00:00
Alfred Piccioni
33ebe0ef1b
Revert ntfs file context changes
...
Partial revert of:
commit 3e1dc57bf4
commit 30ae427ed0
The current file contexts could break potential implementations of NTFS
by partners in future. I am not rolling back the adjoining
fuseblkd_exec and fuseblkd_untrusted_exec code, because secure
implementations of fuseblk drivers should still endeavour to use the
more compartmentalised policies.
However, as we don't support NTFS officially, we should give
implementors the choice whether to use it or not, even if it will open
the door to potentially less secure implementations.
NTFS Context: http://b/254407246,
https://docs.google.com/document/d/1b5RjdhN2wFFqmLCK0P_chVyiEhiYqNlTn52TFBMNwxk
Bug: 294925212
Test: Builds and boot.
Change-Id: I6d3858517e797b3f7388f9d3f18dd4a11770d5bc
2023-08-23 11:42:20 +00:00
Seigo Nonaka
d570a5c30f
Make font_fallback.xml unreadable
...
Bug: 281769620
Test: atest CtsGraphicsTestCases
Test: atest CtsTextTestCases
Change-Id: I05011c9313fa3818ec50d9884227512ef1b0fda9
2023-08-14 07:46:19 +09:00
Jooyung Han
04462f3010
Merge "Revert^2 "Add /bootstrap-apex"" into main
2023-08-10 02:38:30 +00:00
Jooyung Han
8677587245
Revert^2 "Add /bootstrap-apex"
...
aca291806e
Change-Id: I99d9ba6e804ded5d2fd983e42f143f562c32ce58
2023-08-09 07:05:31 +00:00
Inseob Kim
825056de9a
Add permission for VFIO device binding
...
vfio_handler will bind platform devices to VFIO driver, and then
return a file descriptor containing DTBO. This change adds
permissions needed for that.
Bug: 278008182
Test: adb shell /apex/com.android.virt/bin/vm run-microdroid \
--devices /sys/bus/platform/devices/16d00000.eh --protected
Change-Id: Ie947adff00d138426d4703cbb8e7a8cd429c2272
2023-08-02 15:06:51 +09:00
Jooyung Han
aca291806e
Revert "Add /bootstrap-apex"
...
Revert submission 2666915-share-bootstrap
Reason for revert: b/293949266 vold_prepare_subdirs fails to create apexdata directories.
Reverted changes: /q/submissionid:2666915-share-bootstrap
Change-Id: Idab6db691c1130a1f5d596f5e05783cab7fdde05
2023-08-01 09:06:42 +00:00
Yunkai Lim
486fa9fb0a
Revert "Remove fsverity_init SELinux rules"
...
Revert submission 2662658-fsverity-init-cleanup
Reason for revert: Culprit for test breakage b/293232766
Reverted changes: /q/submissionid:2662658-fsverity-init-cleanup
Change-Id: I941c28e44890edd0e06dcc896fbd5158d34fded3
2023-07-26 06:21:37 +00:00
Lee George Thomas
407e1cf1a4
Label /data/misc/bootanim with bootanim_data_file.
...
/data/bootanim location is changed to /data/misc/bootanim as a follow up
change to aosp/q/topic:"bootanim_data_folder". The label is updated for the new file location.
Bug: 210757252
Test: /data/misc/bootanim is labeled correctly. BootAnimation can access this folder.
Change-Id: I9a54cf0dba470302df4180fb17fb104fb483b23d
2023-07-25 23:33:30 +00:00
Jooyung Han
1c846df3b0
Add /bootstrap-apex
...
It will be used to mount bootstrap APEXes. (with bind-mount to /apex)
Bug: 290148078
Test: atest VendorApexHostTestCases
Change-Id: I1a82af37db368a0eb2bf3a002a47439fb1f8b61d
2023-07-22 20:44:00 +09:00
Eric Biggers
306f510611
Remove fsverity_init SELinux rules
...
Since the fsverity_init binary is being removed, remove the
corresponding SELinux rules too.
For now, keep the rule "allow domain kernel:key search", which existed
to allow the fsverity keyring to be searched. It turns out to actually
be needed for a bit more than that. We should be able to replace it
with something more precise, but we need to be careful.
Bug: 290064770
Test: Verified no SELinux denials when booting Cuttlefish
Change-Id: I992b75808284cb8a3c26a84be548390193113668
2023-07-20 17:57:23 +00:00
Kangping Dong
f946b06074
Merge "add sepolicy rules for Thread network" am: aa83af5c3b
am: ff6ae919c2
am: 498a752dd7
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2612795
Change-Id: Iaf8e6d654eb9fbb7d2b2b17ef16468b0eb7f6ce1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-08 14:50:57 +00:00
Yakun Xu
07429e39ee
add sepolicy rules for Thread network
...
bug: 257371610
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0fd52fd521b8167b0ec8836dac3765a16fd6863b )
Merged-In: I2c90639f4baecb010230b3aa60f2f09c0ddd9e4f
Change-Id: I2c90639f4baecb010230b3aa60f2f09c0ddd9e4f
2023-06-07 07:04:19 +00:00
Devin Moore
300e0b54cf
Moving hwservicemanager and allocator to system_ext
...
We want to remove these by default from Android V+ devices and still
allow some devices to add them back. So they are moved to system_ext.
Test: m && launch_cvd # check for hwservicemanager running
Bug: 218588089
Change-Id: I67611c8759b82750de829a38b857b3dffd6da83a
2023-05-31 23:35:42 +00:00
Treehugger Robot
c684d3919a
Merge "Set up sepolicy for drmserver64" am: 8a676d0a4c
am: 4ee23573de
am: cd18eb9883
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2588745
Change-Id: I0a50a888cdcf2a64752c9c2e3bf096306e97936b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-05-25 03:50:01 +00:00
SzuWei Lin
9ea325facc
Set up sepolicy for drmserver64
...
Add drmserver(32|64) for supporting 64-bit only devices. The patch is
for setting up the sepolicy for drmserver(32|64).
Bug: 282603373
Test: make gsi_arm64-user; Check the sepolicy
Change-Id: If8451de8120372b085de1977ea8fd1b28e5b9ab0
Merged-In: If8451de8120372b085de1977ea8fd1b28e5b9ab0
2023-05-17 05:01:28 +00:00
Treehugger Robot
f39f800139
Merge "Allow snapuserd to write log files to /data/misc" am: 5ab4239bfb
am: caced74f2c
am: b0cc16407d
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2573077
Change-Id: Iae5fff7a7afdc217852ae2d0e984a5ab9a15677a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-05-02 07:55:04 +00:00
Kelvin Zhang
dbe230a193
Allow snapuserd to write log files to /data/misc
...
snapuserd logs are important when OTA failures happen. To make debugging
easier, allow snapuserd to persist logs in /data/misc/snapuserd_logs,
and capture these logs in bugreport.
Bug: 280127810
Change-Id: I49e30fd97ea143e7b9c799b0c746150217d5cbe0
2023-05-01 17:15:17 -07:00
Treehugger Robot
68e237aa8c
Merge changes from topic "b268128589" am: d073bd4209
am: cf5963c6a8
am: cfe9c14ada
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2529324
Change-Id: I149c1a56de8f4bd11738832cc18d19aca41c4b6f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-04-18 23:43:59 +00:00
Changyeon Jo
63c301ac62
Revert "Modify the automotive display service file context"
...
This reverts commit edf5420830.
Bug: 268128589
Test: Treehugger
Change-Id: I3961148239831f41423b03d65de0b9b1b4a47724
2023-04-08 00:14:14 +00:00
Changyeon Jo
916ad0da24
Revert "Move cardisplayproxyd to system_ext"
...
This reverts commit fc0b3da21f.
Bug: 268128589
Test: Treehugger
Change-Id: I562b78d2f7550ee9e15be049f9db3fd1eeb491d8
2023-04-08 00:13:59 +00:00
Treehugger Robot
a6a5b67a6f
Merge "Move cardisplayproxyd to system_ext" am: a5dbf64602
am: eb879ba0b1
am: e8776c20b6
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2486580
Change-Id: Ic8d2d952a6e1ada0c799d9279824f7333de844b7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-15 07:21:48 +00:00
Changyeon Jo
fc0b3da21f
Move cardisplayproxyd to system_ext
...
Bug: 218588089
Bug: 273324345
Test: 1. m -j selinux_policy
2. Build cf_x86_64_auto lunch target.
3. Launch cvd in the accelerated graphics mode.
4. Run evs_app and confirm the color bar pattern is shown on the
display.
> adb root && adb shell evs_app --test
6. Do the same on sdk_car_x86_64 lunch target.
Change-Id: I1f570e7d43981ce2f5a7ae0d78ee3d5bfa8c7576
2023-03-14 14:28:28 +00:00
Alice Wang
4a8ab250c8
[dice] Remove all the sepolicy relating the hal service dice am: 5e94b1698c
am: 13e58cf7b1
am: a9a8c0cb93
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2426073
Change-Id: Ia58829024a4eec19239f71fb93aa01649f08b192
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-24 21:23:06 +00:00
Alice Wang
5e94b1698c
[dice] Remove all the sepolicy relating the hal service dice
...
As the service is not used anywhere for now and in the near future.
Bug: 268322533
Test: m
Change-Id: I0350f5e7e0d025de8069a9116662fee5ce1d5150
2023-02-24 08:34:26 +00:00
Treehugger Robot
ad165b80c0
Merge "Allow dumpstate to read /data/system/shutdown-checkpoints/" am: 863cedfae6
am: c82b062d97
am: c1b762046b
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2422419
Change-Id: Idd7e706e1b8655fcdba53374a996a079187cf52c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-22 14:10:12 +00:00
Treehugger Robot
863cedfae6
Merge "Allow dumpstate to read /data/system/shutdown-checkpoints/"
2023-02-22 10:21:25 +00:00
Alfred Piccioni
700b8d2ced
Merge "Adds support for fuseblk binaries." am: dd4c5fa93b
am: 89cd736d8d
am: 14de90550b
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2393296
Change-Id: Ie06c83f0f628e4aba4f84e9fd948fc4c64743b5d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-17 18:36:24 +00:00
Alfred Piccioni
dd4c5fa93b
Merge "Adds support for fuseblk binaries."
2023-02-17 15:15:31 +00:00
Woody Lin
35541e183f
Allow dumpstate to read /data/system/shutdown-checkpoints/
...
Bug: 260366497
Bug: 264600011
Test: Take bugreport and check dmesg for avc error
Test: Reboot and check shutdown-checkpoints
Change-Id: Ifcc7de30ee64e18f78af147cd3da39d7c6dc6f5f
2023-02-16 14:23:33 +08:00
Akilesh Kailash
959a886b33
Merge "Set sepolicy for ublk control device and block device" am: a3c0ca4e67
am: 12e344b7de
am: 782a9dd2d1
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2433673
Change-Id: I6bb7907b4904e5bcd9ce45a789efaae001509f52
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-14 06:28:18 +00:00
Akilesh Kailash
a3c0ca4e67
Merge "Set sepolicy for ublk control device and block device"
2023-02-14 03:59:06 +00:00
Jeffrey Huang
5c1b962965
Merge "Restrict system server from reading statsd data" am: 01fd5eb907
am: e53a5b25b6
am: 6788ed4f1c
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2410783
Change-Id: Ie7c7bc680c96aab593f115303a9c1b85664877ed
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-14 00:51:35 +00:00
Akilesh Kailash
63a21044f2
Set sepolicy for ublk control device and block device
...
ublk-control device: /dev/ublk-control
ublk-block device: /dev/block/ublkbN where N is 0,1,2..
Bug: 269144965
Test: Verify sepolicy changes through kernel logs when user-space daemon
communicates with ublk driver
Change-Id: I10de557566e3c0628ea72fbbda4cff21e7cda68f
Signed-off-by: Akilesh Kailash <akailash@google.com>
2023-02-13 16:30:40 -08:00