tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
33882 commits 1 branch 0 tags 50 MiB
Commit graph

33882 commits

This branch
This branch
All branches
Author SHA1 Message Date
Treehugger Robot
0b2fe7bba9 Merge "Allow reading hypervisor capabilities" am: e335de9aeb 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1974460

Change-Id: I0fd8a7a9f35ed63f78bea52028935705750c0a7a
 2022-02-08 11:54:28 +00:00
Treehugger Robot
e335de9aeb Merge "Allow reading hypervisor capabilities" 2022-02-08 11:49:33 +00:00
Treehugger Robot
46f9d2ebc4 Merge "bpfloader: use kernel logs" am: 2e468b48c5 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1975407

Change-Id: Ica35494fc1df34ebb9ccfd82c2aa1d5e658e4463
 2022-02-08 11:48:26 +00:00
Treehugger Robot
2e468b48c5 Merge "bpfloader: use kernel logs" 2022-02-08 10:51:39 +00:00
Treehugger Robot
5b2f49942b Merge "Allow priv-app to report off body events to keystore." am: d83aba62f6 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1973028

Change-Id: I9b990153f44fb93b4ee09b25e4efb6bd492d7fc0
 2022-02-07 23:57:28 +00:00
Shubang Lu
04a33ef734 Merge "SE policy: rename iapp -> interactive_app" am: 3885ab88c5 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1956658

Change-Id: I6e469662688bb7d91af5c7070063763b49dc0900
 2022-02-07 23:57:01 +00:00
Treehugger Robot
d83aba62f6 Merge "Allow priv-app to report off body events to keystore." 2022-02-07 23:46:05 +00:00
Shubang Lu
3885ab88c5 Merge "SE policy: rename iapp -> interactive_app" 2022-02-07 23:45:28 +00:00
Steven Moreland
233d4aabf6 bpfloader: use kernel logs 
Boots early. logd no workie!

Bug: 210919187
Test: see bpfloader logs
Change-Id: I313f55b0a6e1164fdffeb2d07952988d5e560ae7
 2022-02-07 23:16:55 +00:00
Josh Yang
8be76c8e5c Allow priv-app to report off body events to keystore. 
Bug: 183564407
Test: the selinux error is gone.
Change-Id: I6783528a0ca6c94781b6c12d96ffebbfe8b25594
Merged-In: If40c2883edd39bee8e49e8e958eb12e9b29a0fe0
 2022-02-07 22:42:51 +00:00
Treehugger Robot
2f94a92cdc Merge "Allow microdroid_manager to BLKFLSBUF on the instance disk" am: 03b3b18c70 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1974319

Change-Id: I3065a65bd2c5bb4f780dfac95c9e5143f0990883
 2022-02-07 11:59:23 +00:00
Treehugger Robot
03b3b18c70 Merge "Allow microdroid_manager to BLKFLSBUF on the instance disk" 2022-02-07 11:44:54 +00:00
Alan Stokes
55803ca572 Allow reading hypervisor capabilities 
System server needs to do this to know whether a suitable VM for
CompOS can be created. System server does not need the ability to
actually start a VM, so we don't grant that.

Bug: 218276733
Test: Presubmits
Change-Id: Ibb198ad55819aa924f1bfde68ce5b22c89dca088
 2022-02-07 11:33:18 +00:00
shubang
a1b9f186fb SE policy: rename iapp -> interactive_app 
Bug: 205738783
Test: cuttlefish

Change-Id: I15fd60a2dba79dd5e2a3cf57ed542e5a930680f1
Merged-In: I15fd60a2dba79dd5e2a3cf57ed542e5a930680f1
 2022-02-07 07:54:32 +00:00
Treehugger Robot
7defe78f93 Merge "Implement compat file generator" am: f7a825bc46 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1958842

Change-Id: I9f8cad39e2d14999c1afd1d4e2b1c88994c20a99
 2022-02-07 06:29:06 +00:00
Treehugger Robot
f7a825bc46 Merge "Implement compat file generator" 2022-02-07 06:15:18 +00:00
Jiyong Park
30c416a4bd Allow microdroid_manager to BLKFLSBUF on the instance disk 
Microdroid_manager uses the ioctl to flush data to the block device.

Bug: 208639280
Test: atest MicrodroidTestApp
Change-Id: Icd708702618850e1f003b16bdc8a1698c45f6442
 2022-02-07 15:13:22 +09:00
Inseob Kim
9eadc83220 Implement compat file generator 
sepolicy_generate_compat is a binary that creates a new compat file when
freezing sepolicy API.

Suppose that we are adding {ver} compat file, after freezing {ver}
sepolicy. Then the workflow would be:

1) copy prebuilts to system/sepolicy/prebuilts/api/{ver}
2) add {ver} to PLATFORM_SEPOLICY_COMPAT_VERSIONS under
   build/make/core/config.mk
3) touch the following three files
  - system/sepolicy/private/compat/{ver}/{ver}.cil
  - system/sepolicy/private/compat/{ver}/{ver}.compat.cil
  - system/sepolicy/private/compat/{ver}/{ver}.ignore.cil
  - system/sepolicy/prebuilts/api/{ver}/vendor_sepolicy.cil
  - system/sepolicy/prebuilts/api/{ver}/plat_pub_versioned.cil
  * This step is to build base compat files, and won't be needed in the
    future.
4) add compat module files (won't be needed in the future)
  - {ver}.cil
  - {ver}.compat.cil
  - {ver}.ignore.cil
  * This step is to build base compat files, and won't be needed in the
    future.
5) run the following command to update above three files:
  $ source build/envsetup.sh && lunch aosp_arm64-userdebug
  $ m sepolicy_generate_compat
  $ sepolicy_generate_compat --branch=(branch_for_ver) \
        --build latest --target-version {ver} \
        --latest-version {ver-1}
6) upload build/make and system/sepolicy changes.

This script still lacks:
- handling of plat_pub_versioned.cil
- test cases
We will tackle such problems with follow-up changes.

Bug: 214336258
Test: manual
Change-Id: I21723a0832e5adadae7c22797c5aba867dc0174e
 2022-02-07 13:06:49 +09:00
Inseob Kim
c02f7c6cf8 Neverallow domains other than VS from executing VM am: b20cb78404 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1970460

Change-Id: I80f29ae146dd8dae40cbae9be13a4ffe5a05238d
 2022-02-07 03:53:41 +00:00
Inseob Kim
b20cb78404 Neverallow domains other than VS from executing VM 
Bug: 216610937
Test: atest MicrodroidTests
Change-Id: I2ecea6974cb6650f8a7aa8b706ae38e1822805cd
 2022-02-07 09:42:21 +09:00
Treehugger Robot
fb52b5754e Merge "Grant system_app permission to access cgroup_v2 directories" am: b289dc4d1d 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1966048

Change-Id: Ia0fee0a8ac12689bf2bc562b3fdab63a250e3d59
 2022-02-04 19:39:02 +00:00
Treehugger Robot
b289dc4d1d Merge "Grant system_app permission to access cgroup_v2 directories" 2022-02-04 19:26:00 +00:00
Treehugger Robot
eb03dcc59c Merge "Allow VM clients access to hypervisor capability" am: 391f2b26fc 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1970590

Change-Id: I4de2693ef001b522132f393ffe9c970fa8c652c3
 2022-02-04 09:50:49 +00:00
Treehugger Robot
391f2b26fc Merge "Allow VM clients access to hypervisor capability" 2022-02-04 09:37:19 +00:00
Treehugger Robot
713984514c Merge "bluetooth.device.class_of_device should be type string" am: 7b7a42e6cf 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1969420

Change-Id: I6acf3397d7b922943f8ce144e95375bf1a66a001
 2022-02-04 01:00:51 +00:00
Treehugger Robot
7b7a42e6cf Merge "bluetooth.device.class_of_device should be type string" 2022-02-04 00:38:52 +00:00
Kevin Han
641d56be3f Merge "Extend visibility of hibernation service for CTS" am: 4d81dc33f8 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1966099

Change-Id: I39ef4366bb10c73dfab63b73599e653ea9d3d288
 2022-02-04 00:01:09 +00:00
Kevin Han
4d81dc33f8 Merge "Extend visibility of hibernation service for CTS" 2022-02-03 23:43:03 +00:00
Seth Moore
10ec76f621 Add remotely provisioned key pool se policy am: a75cad0d0a 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1969539

Change-Id: If71da72859fb454be505d02c40de2bcbf34bca97
 2022-02-03 23:13:55 +00:00
Alan Stokes
3864ea8e4a Allow VM clients access to hypervisor capability 
Clients of virtualization service use these properties to
determine whether normal and protected VMs are supported and tailor
their VM requests accordingly.

Bug: 217687661
Test: adb unroot; adb shell getprop | grep ro.boot.hypervisor
Change-Id: Ia1c017c2346217dbc45973cbfb5adbecabedf050
 2022-02-03 12:18:11 +00:00
Seth Moore
a75cad0d0a Add remotely provisioned key pool se policy 
Keystore now hosts a native binder for the remotely provisioned key
pool, which is used to services such as credstore to lookup remotely
provisioned keys.

Add a new service context and include it in the keystore services.

Add a dependency on this new service for credstore. Also include a
credstore dependency on IRemotelyProvisionedComponent, as it's needed
to make use of the key pool.

Bug: 194696876
Test: CtsIdentityTestCases
Change-Id: I0fa71c5be79922a279eb1056305bbd3e8078116e
 2022-02-02 15:07:26 -08:00
Sal Savage
724381a97a bluetooth.device.class_of_device should be type string 
Bug: 217452259
Test: Manual, set property in system.prop, build, flash, make sure value
is reflected in getprop | grep bluetooth.device

Change-Id: Id4bfebb4da5bcd64ea4bac8e3c9e9754c96256c6
 2022-02-02 14:13:41 -08:00
Bart Van Assche
be3ff9b93a Grant system_app permission to access cgroup_v2 directories 
Without this change, the migration of the blkio controller to the cgroup
v2 hierarchy triggers the following denials:

01-31 19:00:59.086  4494  4494 I auditd  : type=1400 audit(0.0:7): avc: denied { write } for comm=4173796E635461736B202331 name="pid_4494" dev="cgroup2" ino=3545 scontext=u:r:system_app:s0 tcontext=u:object_r:cgroup_v2:s0 tclass=dir permissive=0
01-31 19:00:59.086  4494  4494 I auditd  : type=1400 audit(0.0:8): avc: denied { write } for comm=4173796E635461736B202331 name="pid_4494" dev="cgroup2" ino=3545 scontext=u:r:system_app:s0 tcontext=u:object_r:cgroup_v2:s0 tclass=dir permissive=0
01-31 19:00:59.086  4494  4494 I auditd  : type=1400 audit(0.0:7): avc: denied { write } for comm=4173796E635461736B202331 name="pid_4494" dev="cgroup2" ino=3545 scontext=u:r:system_app:s0 tcontext=u:object_r:cgroup_v2:s0 tclass=dir permissive=0
01-31 19:00:59.086  4494  4494 I auditd  : type=1400 audit(0.0:8): avc: denied { write } for comm=4173796E635461736B202331 name="pid_4494" dev="cgroup2" ino=3545 scontext=u:r:system_app:s0 tcontext=u:object_r:cgroup_v2:s0 tclass=dir permissive=0

Bug: 213617178
Test: Booted Android in the Cuttlefish emulator.
Change-Id: I20f136d5cd58fa4ebabbb5a328fc6001b11110d7
Signed-off-by: Bart Van Assche <bvanassche@google.com>
 2022-02-02 17:37:45 +00:00
Andrew Scull
e1a1607e1b Merge changes I82f0c2ef,I013894de am: 7e07941d3d 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1966617

Change-Id: Ia20dfb636599a2e0ab2d46efd8df46c9dcc3f8d8
 2022-02-02 14:13:55 +00:00
Andrew Scull
7e07941d3d Merge changes I82f0c2ef,I013894de 
* changes:
  Let VirtualizationService access hypervisor properties
  Tag new hypervisor properties
 2022-02-02 13:54:11 +00:00
Andrew Scull
792b03ddb5 Let VirtualizationService access hypervisor properties 
VirtualizationService uses the properties to discover hypervisor
capabilities. Allow it access for this purpose.

Bug: 216639283
Test: build
Change-Id: I82f0c2ef30c8fb2eefcac1adf83531dd3917fdb8
 2022-02-02 13:53:50 +00:00
Lalit Maganti
139cce7cc7 Merge "sepolicy: Allow system domains to be profiled" am: fb9d097d03 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1966610

Change-Id: I53c4ae3c26dcc5579391e7a9319c939e75086a70
 2022-02-02 12:21:46 +00:00
Lalit Maganti
fb9d097d03 Merge "sepolicy: Allow system domains to be profiled" 2022-02-02 12:04:38 +00:00
Andrew Walbran
7e78484d39 Merge "virtualizationservice no longer tries to check for pKVM extension." am: 48cf9591f6 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1965102

Change-Id: I901ae736b9e79507248f78def350af7ba21534d3
 2022-02-02 09:25:26 +00:00
Andrew Walbran
48cf9591f6 Merge "virtualizationservice no longer tries to check for pKVM extension." 2022-02-02 09:08:18 +00:00
Roopa Sattiraju
dd862e57ee Changing sepolicy file to the right apex name am: 89556c69df 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1967166

Change-Id: Ib38c787a25ced135ff427eb7345247f1e239dcc4
 2022-02-02 05:34:27 +00:00
Roopa Sattiraju
89556c69df Changing sepolicy file to the right apex name 
Bug: 216476895
Test: Compile
Change-Id: I31a5534bad0f5c01ee163f109fa5dd0b54835ea8
 2022-02-01 15:59:30 -08:00
Andrew Scull
87ac3c3f80 Tag new hypervisor properties 
The properties that report hypervisor capabilities are grouped with the
other hypervisor properties for sepolicy.

Bug: 216639283
Test: buid
Change-Id: I013894de637bb7e40a450df6439ebbd5cba28c2b
 2022-02-01 18:17:10 +00:00
Andrew Walbran
2f27f96022 virtualizationservice no longer tries to check for pKVM extension. 
This was fixed in https://r.android.com/1963701, as it never worked.
This partially reverts commit 2dd48d0400.

Change-Id: I6e7096e20fd594465fb1574b11d6fecc82f5d82f
 2022-02-01 16:37:13 +00:00
Lalit Maganti
bb197bba02 sepolicy: Allow system domains to be profiled 
Bug: 217368496
Doc: go/field-tracing-t
Change-Id: Ie95c0cc2b1f9e8fa03f6112818936af692edf584
 2022-02-01 16:27:26 +00:00
Andrew Scull
50094d86cf Merge "Allow the microdroid app to use diced" am: 4bbfaa6a2d 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1965106

Change-Id: Ic340f816742ca2ad713521012a7d42279b660f99
 2022-02-01 13:39:02 +00:00
Andrew Scull
4bbfaa6a2d Merge "Allow the microdroid app to use diced" 2022-02-01 13:23:20 +00:00
Treehugger Robot
8a96be8df9 Merge "Adds selinux rules for ICarDisplayProxy service" am: 108fdbc5f7 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1965562

Change-Id: I4954e05e2c8e7ce34f09120c137102fe134d1227
 2022-01-31 22:09:21 +00:00
Treehugger Robot
108fdbc5f7 Merge "Adds selinux rules for ICarDisplayProxy service" 2022-01-31 21:52:46 +00:00
Changyeon Jo
66eba13833 Adds selinux rules for ICarDisplayProxy service 
Bug: 170401743
Test: m -j selinux_policy
Change-Id: Idf3f09d0bcf24de18d6eddb05e51991b4c5edbe8
 2022-01-31 19:40:20 +00:00