Jaegeuk Kim
0c79bd6255
Merge "Allow shutdown /data" am: 9ca36ec91b
am: 41e521a784
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2072141
Change-Id: Ifa0403b3ab683731fbf5edeba1d1c73e44513641
Ignore-AOSP-First: this is an automerge
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-25 17:50:13 +00:00
Jaegeuk Kim
3a45ffec11
Allow shutdown /data
...
Bug: 229406072
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: I7bdd9acd2e85311ecb59b3f0eb1f503a93e240ef
2022-04-22 09:34:02 -07:00
Felipe Leme
ba498b48bc
Merge "Allow apps to read system_user_mode_emulation_prop." am: c696791a7f
am: d221f197c2
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2072574
Change-Id: I8e01bac1b7708cee593163c65bb64164059826f0
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-22 16:02:28 +00:00
Felipe Leme
b85242c00f
Allow apps to read system_user_mode_emulation_prop.
...
As it's used by UserManager...
Test: sesearch --allow -s appdomain -t system_user_mode_emulation_prop $ANDROID_PRODUCT_OUT/vendor/etc/selinux/precompiled_sepolicy
Bug: 226643927
Change-Id: I1134a9e0b8ae758e3ebef054b96f9e3237a2401f
2022-04-21 18:49:12 -07:00
Mitch Phillips
a4e951b3bf
Merge "[GWP-ASan] Add sysprop, allow shell and system apps to set it." am: 800e948e61
am: e3256e3d21
am: 41949ce19f
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2040964
Change-Id: I93cc3b9a1ff2fe74bea47ed0e7898daf7fef4a4e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-21 19:18:20 +00:00
Mitch Phillips
800e948e61
Merge "[GWP-ASan] Add sysprop, allow shell and system apps to set it."
2022-04-21 18:12:43 +00:00
Alistair Delva
ce19c41b8f
Merge "Adds GPU sepolicy to support devices with DRM gralloc/rendering"
2022-04-21 04:21:45 +00:00
Eric Biggers
02fbbfda85
Merge "vold.te: stop allowing use of keymaster HAL directly" am: 39b27b87ba
am: 60ac375f3a
am: bbbe7065ff
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2065468
Change-Id: I9608f3e7740358e5bc276596f6f2c793c40aa3b7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-20 19:33:12 +00:00
Treehugger Robot
ab3bbb8f39
Merge "Remove obsolete rule allowing installd to use fsverity ioctls" am: 12399e945e
am: 7fd8710e46
am: 765d9cbd6e
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2065527
Change-Id: I8bb8dcc11ed364acf78ad34bc5e70e09b5f22d45
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-20 06:21:10 +00:00
Eric Biggers
20dcec9d16
Merge "Remove some FDE rules and update comments" am: b83a6d1168
am: fa1f9cb2b8
am: 1eacebf142
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2065887
Change-Id: I98e0e9f1c6131617119aa966bb88d7ec229b1d66
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-20 06:14:22 +00:00
Eric Biggers
bf717e18f1
vold.te: stop allowing use of keymaster HAL directly
...
Since Android 12, vold goes through the keystore daemon instead of using
the keymaster HAL directly. Therefore, the SELinux rules that allow
vold to use the keymaster HAL directly are no longer needed.
Bug: 181910578
Change-Id: I8ecc47530cba82128c869ffd2fed9009dd7d5e05
2022-04-19 21:57:18 +00:00
Treehugger Robot
12399e945e
Merge "Remove obsolete rule allowing installd to use fsverity ioctls"
2022-04-19 20:49:43 +00:00
Jason Macnak
a93398051c
Adds GPU sepolicy to support devices with DRM gralloc/rendering
...
... such as Cuttlefish (Cloud Android virtual device) which has a
DRM virtio-gpu based gralloc and (sometimes) DRM virtio-gpu based
rendering (when forwarding rendering commands to the host machine
with Mesa3D in the guest and virglrenderer on the host).
After this change is submitted, changes such as aosp/1997572 can
be submitted to remove sepolicy that is currently duplicated
across device/google/cuttlefish and device/linaro/dragonboard as
well.
Adds a sysfs_gpu type (existing replicated sysfs_gpu definitions
across several devices are removed in the attached topic). The
uses of `sysfs_gpu:file` come from Mesa using libdrm's
`drmGetDevices2()` which calls into `drmParsePciDeviceInfo()` to
get vendor id, device id, version etc.
Bug: b/161819018
Test: launch_cvd
Test: launch_cvd --gpu_mode=gfxstream
Change-Id: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
Merged-In: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
2022-04-18 17:30:56 -07:00
Jason Macnak
365024e53f
Adds GPU sepolicy to support devices with DRM gralloc/rendering
...
... such as Cuttlefish (Cloud Android virtual device) which has a
DRM virtio-gpu based gralloc and (sometimes) DRM virtio-gpu based
rendering (when forwarding rendering commands to the host machine
with Mesa3D in the guest and virglrenderer on the host).
After this change is submitted, changes such as aosp/1997572 can
be submitted to remove sepolicy that is currently duplicated
across device/google/cuttlefish and device/linaro/dragonboard as
well.
Adds a sysfs_gpu type (existing replicated sysfs_gpu definitions
across several devices are removed in the attached topic). The
uses of `sysfs_gpu:file` come from Mesa using libdrm's
`drmGetDevices2()` which calls into `drmParsePciDeviceInfo()` to
get vendor id, device id, version etc.
Ignore-AOSP-First: must be submitted in internal as a topic first to
avoid having duplicate definitions of sysfs_gpu
in projects that are only available in internal
Bug: b/161819018
Test: launch_cvd
Test: launch_cvd --gpu_mode=gfxstream
Change-Id: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
Merged-In: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
2022-04-18 12:56:38 -07:00
Eric Biggers
9bf0a0c141
Remove some FDE rules and update comments
...
Now that FDE (Full Disk Encryption) is no longer supported, the SELinux
policy doesn't need to support it. Remove two rules that are no longer
needed. Also update some comments that implied that other rules were
needed only because of FDE support, when actually they are still needed
for other reasons. Finally, fix some outdated documentation links.
Bug: 208476087
Change-Id: I4e03dead91d34fcefdfcdc68d44dd97f433d6eaf
2022-04-15 21:06:51 +00:00
Eric Biggers
7be3e86f48
Remove obsolete rule allowing installd to use fsverity ioctls
...
The code that needed this was removed by https://r.android.com/1977357 .
Bug: 120629632
Change-Id: I771a0f93b28c9b44715c718eaf534a8a65f2ae30
2022-04-15 01:03:28 +00:00
Xinyi Zhou
2c05b69417
Change nearby from system_api_service to app_api_service am: 791567ece6
am: 4bf6ea7727
am: 223c2b078b
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2064652
Change-Id: I2dc8d8ceb3d4e5d82b81d1980579c63ca3ca5fff
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-14 18:23:57 +00:00
Xinyi Zhou
791567ece6
Change nearby from system_api_service to app_api_service
...
This fixes CTS tests where NearbyManager is null because SELinux is
in enforcing mode. Detailed explanation: https://docs.google.com/document/d/1CiGn7Vg6LYwrMFvWonuK3fhNDCG5Sm4uCvefkvqpDcY/edit?usp=sharing
NearbyManager APIs are using BLUETOOTH_PRIVILEDGED permission so only System apps can use them.
Fix: 228273869
Test: -m
Change-Id: I091fbea408cea52e934cb6a3917226fb1b2adbc4
2022-04-13 21:18:47 -07:00
Mitch Phillips
8cd32cd93e
[GWP-ASan] Add sysprop, allow shell and system apps to set it.
...
Bug: 219651032
Test: atest bionic-unit-tests
Change-Id: Ic4804ce0e4f3b6ba8eb8d82aca11b400b45c03dc
2022-04-12 13:20:05 -07:00
Kalesh Singh
ae50165897
Merge changes from topic "mglru-exp" am: 6ba41462d5
am: 65164b314d
am: 0c82758926
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2056411
Change-Id: I319daa2c5e8b58e67eb3f5685dfba87836cf5f20
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-12 14:43:26 +00:00
Kalesh Singh
6ba41462d5
Merge changes from topic "mglru-exp"
...
* changes:
Add sepolicy for Multi-Gen LRU sysfs control
Add sepolicy for mglru_native flag namespace
2022-04-12 13:48:48 +00:00
Kalesh Singh
98f63495b2
Add sepolicy for Multi-Gen LRU sysfs control
...
init is allowed to enable/disable MG-LRU.
Bug: 227651406
Bug: 228525049
Test: setprop persist.device_config.mglru_native.lru_gen_config
Test: verify no avc denials in logcat
Change-Id: I20223f3628cb6909c3fd2eb2b821ff2d52202dd2
2022-04-08 13:37:50 -07:00
Lorenzo Colitti
ce493bd00d
Merge "Connectivity Native AIDL interface Sepolicy" am: bf8af42bf5
am: 5ef1893f50
am: 4d7cd06a40
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1943988
Change-Id: I330642784c6fddd6949a55156d1fa6b198425a4a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-01 22:36:20 +00:00
Lorenzo Colitti
bf8af42bf5
Merge "Connectivity Native AIDL interface Sepolicy"
2022-04-01 21:46:37 +00:00
Neha Pattan
1838513cca
Merge "Sepolicy changes for adding new system service for AdServices." am: dcb324bdb3
am: e5d6614096
am: c5c329718a
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2046744
Change-Id: I6f1d6ee7b30e7d6a5f26282268b4a56fa57cb873
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-01 19:33:33 +00:00
Neha Pattan
dcb324bdb3
Merge "Sepolicy changes for adding new system service for AdServices."
2022-04-01 18:38:07 +00:00
Andy Yu
1055581f7a
Merge "Add label and permission for game_mode_intervention.list" am: 6a10d563ea
am: e4e8932d22
am: 7c187abfea
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2045643
Change-Id: Iad6e7ea44a3c98823c7121e554764b64130cb620
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-03-30 20:27:27 +00:00
Andy Yu
6a10d563ea
Merge "Add label and permission for game_mode_intervention.list"
2022-03-30 19:35:59 +00:00
Andy Yu
8337d04202
Add label and permission for game_mode_intervention.list
...
Bug: 219543620
Doc: go/game-dashboard-information-to-perfetto
Test: TBD
Change-Id: Ic6622aadef05e22c95d4ba739beed0e6fa1f3a38
2022-03-29 14:12:14 -07:00
Adam Shih
7357fdc82d
Merge "suppress su behavior when running lsof" am: 8296a542fe
am: 213d717fc4
am: 19863ea4df
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2044870
Change-Id: Ia4ec5d797c84663f5d772d170236173756f6f151
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-03-29 06:25:03 +00:00
Neha Pattan
64ef8be1de
Sepolicy changes for adding new system service for AdServices.
...
Test: build
Bug: 216375107
Change-Id: I238ac3f8966ce05768aef17bd05217a9772cf2f3
2022-03-28 19:26:50 +00:00
Adam Shih
ae4dbf54d8
suppress su behavior when running lsof
...
Relevant error logs show up when dumpstate does lsof using su identity:
RunCommand("LIST OF OPEN FILES", {"lsof"}, CommandOptions::AS_ROOT);
This is an intended behavior and the log is useless for debugging so I
suppress them.
Bug: 226717429
Test: do bugreport with relevant error gone.
Change-Id: Ide03315c1189ae2cbfe919566e6b97341c5991bb
2022-03-28 05:55:41 +00:00
Mikhail Naganov
d08f5c240f
Merge "Add AIDL audio HAL service to SEPolicy" am: 1704f61dcf
am: ba497daa6c
am: 3cb68e23a1
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2040968
Change-Id: Ice3516fe2dc57fd35c0b2c67b8cf9e397e2d3018
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-03-25 23:24:33 +00:00
Mikhail Naganov
1704f61dcf
Merge "Add AIDL audio HAL service to SEPolicy"
2022-03-25 22:23:40 +00:00
Treehugger Robot
ba6b6196ff
Merge "Add search in bpf directory for bpfdomains" am: d796c9eb6c
am: 383b9f8467
am: ffb744699e
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2034669
Change-Id: I9f0fe5f591f8195b96eb84a570507760581c2af8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-03-25 21:23:39 +00:00
Treehugger Robot
d796c9eb6c
Merge "Add search in bpf directory for bpfdomains"
2022-03-25 20:32:15 +00:00
Treehugger Robot
c97d76e491
Merge "Remove media crash neverallow exception." am: 34f4ca820f
am: a5003227d3
am: a7b911daf6
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2027103
Change-Id: I1635dcb6ffd32050fa9f18f3f0163f4dda2d86b2
2022-03-24 12:21:29 +00:00
Treehugger Robot
34f4ca820f
Merge "Remove media crash neverallow exception."
2022-03-24 11:22:39 +00:00
Mikhail Naganov
676da7273f
Add AIDL audio HAL service to SEPolicy
...
This adds the two top interfaces: IConfig and IModule
to service context, allows the HAL service to call
Binder, and registers the example implementation
service executable.
Bug: 205884982
Test: m
Change-Id: I322e813c96123167ea29b6c25a08ec9677c9b4d1
2022-03-24 01:39:29 +00:00
Gary Jian
1527fda402
Merge "Allow system_app to access radio_config system properties" am: ee0b51e099
am: c19e667cbd
am: b3c40d2a23
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2024724
Change-Id: Ia43175b3e4073a065c7ea7515216f5a1cc8e202d
2022-03-23 06:56:18 +00:00
Adam Shih
f3c203bd9f
Merge "suppress su behavior when running lsof" am: 92f87ac0b9
am: 052730e12c
am: f7de4bd498
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2038023
Change-Id: I6613f2d8da09ecbbe49052d95f1cb31837e0156b
2022-03-23 05:52:50 +00:00
Gary Jian
ee0b51e099
Merge "Allow system_app to access radio_config system properties"
2022-03-23 05:46:22 +00:00
Treehugger Robot
5f8eb928e9
Merge "Allow init to relabelto console_device" am: 3a8977155c
am: 5cc5fc4d31
am: aecb8dbfb6
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2035646
Change-Id: Ie53faddd95bdd5aa268d83f2cb31cf701d535710
2022-03-23 05:18:51 +00:00
Adam Shih
92f87ac0b9
Merge "suppress su behavior when running lsof"
2022-03-23 05:03:02 +00:00
Treehugger Robot
3a8977155c
Merge "Allow init to relabelto console_device"
2022-03-23 04:29:53 +00:00
Adam Shih
643d2439c2
suppress su behavior when running lsof
...
Relevant error logs show up when dumpstate does lsof using su identity:
RunCommand("LIST OF OPEN FILES", {"lsof"}, CommandOptions::AS_ROOT);
This is an intended behavior and the log is useless for debugging so I
suppress them.
Bug: 225767289
Test: do bugreport with no su related avc errors
Change-Id: I0f322cfc8a461da9ffb17f7493c6bbdc58cce7b6
2022-03-23 10:52:00 +08:00
Ocean Chen
7eae0544a4
Merge "Add persist.device_config.storage_native_boot.smart_idle_maint_enabled property policies" am: b299b79473
am: eeeb06a4ee
am: 1739c39853
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2030532
Change-Id: Ib7cf6da50ce19e543e10cd4c76be28f2190d5798
2022-03-23 02:47:01 +00:00
Ocean Chen
b299b79473
Merge "Add persist.device_config.storage_native_boot.smart_idle_maint_enabled property policies"
2022-03-23 01:51:08 +00:00
Shikha Malhotra
3a0a549d44
Merge "Added permission to allow for ioctl to be added to install_data_file" am: b00341ad1e
am: 9e7c0e6ead
am: 14218bf4d3
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2030123
Change-Id: I02c2e50b2cc02dc5107643bb07d564dc3f214f25
2022-03-22 17:05:46 +00:00
Shikha Malhotra
b00341ad1e
Merge "Added permission to allow for ioctl to be added to install_data_file"
2022-03-22 16:32:40 +00:00