Commit graph

41777 commits

Author SHA1 Message Date
Treehugger Robot
d947550b6f Merge "Remove flatten_apex: property" am: 7f7e8d79a9
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2628996

Change-Id: I89a052032341990256d608d6708b6d1ac8aceda9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-21 05:24:50 +00:00
Treehugger Robot
7f7e8d79a9 Merge "Remove flatten_apex: property" 2023-06-21 04:52:41 +00:00
Hongguang Chen
b34240136c Allow mediatuner to get tuner.server.enable am: 8dd58bffd9
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2631349

Change-Id: I3549a333a811c73948e918c2c98946e66b48d834
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-21 01:19:15 +00:00
Pawan Wagh
9f118c8d62 Add MediaPlayerService fuzzer to bindings
Test: m
Bug: 232439428
Change-Id: I669c427279ce43fa614c68a02a468c3e64002537
2023-06-20 22:50:45 +00:00
Hongguang Chen
8dd58bffd9 Allow mediatuner to get tuner.server.enable
Bug: 287520719
Test: start mediatuner
Change-Id: I582aac593e2419b6cae37522e6493744fe58240a
2023-06-20 17:24:51 +00:00
Brian Lindahl
73c779e5fd Force HALs to explicitly enable legacy method for clearing buffer caches am: 612ab8588f
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2627815

Change-Id: I05655dff7c72d64498eb9c34e026542967f1431d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-20 14:17:12 +00:00
Jooyung Han
804e234ced Remove flatten_apex: property
We no longer have targets using flattened apexes. Flattened apexes will
be removed from the build system.

Bug: 278826656
Test: m
Change-Id: I657e01dbfd2525b07c29a234277062d5ac2fab9f
2023-06-20 15:41:05 +09:00
Brian Lindahl
612ab8588f Force HALs to explicitly enable legacy method for clearing buffer caches
Some HAL implementations can't support setLayerBuffer multiple times to
clear the per-layer buffer caches. Therefore, default this behavior to
disabled, and allow HALs to explicitly enable this behavior to obtain
the necessary memory savings.

Test: play videos with both true and false on both HIDL and AIDL
Bug: 285561686
Change-Id: I928cef25e35cfc5337db4ceb8581bf5926b4fbe3
2023-06-15 14:30:07 -06:00
Nikita Ioffe
4eb36f4615 Merge "Reland "Change the stem name to microdroid_precompiled_s..."" am: d16d7d17e5
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2627369

Change-Id: I56600eae4e2ba33c56a5d4827db882388cdae97a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-15 11:45:31 +00:00
Nikita Ioffe
d16d7d17e5 Merge "Reland "Change the stem name to microdroid_precompiled_s..."" 2023-06-15 10:27:39 +00:00
Dimitry Ivanov
6c61a71e33 Merge "Allow app_zygote to map memfd backed memory as PROT_EXEC" am: c01d3fb36c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2623093

Change-Id: I6e6457337d66ba4e7c5590799c565af05b99e363
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-15 09:51:00 +00:00
Dimitry Ivanov
c01d3fb36c Merge "Allow app_zygote to map memfd backed memory as PROT_EXEC" 2023-06-15 08:44:16 +00:00
Nikita Ioffe
4e6839e677 Reland "Change the stem name to microdroid_precompiled_s..."
Bug: 285855150
Test: presubmit
Change-Id: I3343b7cf22165541f880fd1c88b27b0204c94c4b
2023-06-14 20:31:29 +00:00
Pawan Wagh
b23a691e10 Merge "Revert "Change the stem name to microdroid_precompiled_sepolicy"" am: 899f6c0537
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2626909

Change-Id: I69ec0b39693293176b40fb8f9702b8d001c013d7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-14 18:57:21 +00:00
Pawan Wagh
899f6c0537 Merge "Revert "Change the stem name to microdroid_precompiled_sepolicy"" 2023-06-14 18:40:59 +00:00
Pawan Wagh
8f2923421e Revert "Change the stem name to microdroid_precompiled_sepolicy"
Revert submission 2625691

Reason for revert: b/287283650

Reverted changes: /q/submissionid:2625691

Change-Id: I775d07a388556796d25b4f5d99135d5878489ce8
2023-06-14 18:28:17 +00:00
Pawan Wagh
02c84cec70 Merge "Add update service fuzzer to bindings" am: b4f463824c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2619905

Change-Id: I3221bc020b8400a6a1e9f0ccf556527e39e71146
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-14 18:10:07 +00:00
Pawan Wagh
b4f463824c Merge "Add update service fuzzer to bindings" 2023-06-14 17:33:23 +00:00
Nikita Ioffe
789c5a3430 Merge "Change the stem name to microdroid_precompiled_sepolicy" am: 437f31c328
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2617776

Change-Id: I323e7da1e2a963068e5efbb91fe4372925adaf0f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-14 15:30:48 +00:00
Nikita Ioffe
437f31c328 Merge "Change the stem name to microdroid_precompiled_sepolicy" 2023-06-14 15:20:18 +00:00
dimitry
97f7775743 Allow app_zygote to map memfd backed memory as PROT_EXEC
Binary translation maps these regions to install translated code,
see linked bug for more context.

Bug: http://b/189502716
Test: run cts -m CtsExternalServiceTestCases -t android.externalservice.cts.ExternalServiceTest#testBindExternalServiceWithZygote
      in binary translated environment.
Change-Id: I3bc978b9013e9fc5cf700d1efca769331ec395b0
2023-06-14 12:24:12 +02:00
Eric Biggers
0038d8f822 Merge "Allow vold to rename system_data_file directories" am: 8b703551d8
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2619901

Change-Id: I66f26b92e4b1aad9f086d19249f60aa1d596909b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-13 22:40:36 +00:00
Eric Biggers
8b703551d8 Merge "Allow vold to rename system_data_file directories" 2023-06-13 22:11:39 +00:00
Pawan Wagh
e0f268a982 Merge "Add credstore service fuzzer to bindings" am: 767dc6be06
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2619904

Change-Id: I80ca6ebfadea23dc48a9d018f1efe6adafef5e52
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-13 16:39:25 +00:00
Eric Biggers
95930cf6a7 Allow vold to rename system_data_file directories
To fully close a race condition where processes can access per-user
directories before an encryption policy has been assigned, vold is going
to start creating these directories under temporary names and moving
them into place once fully prepared.  To make this possible, give vold
permission to rename directories with type system_data_file.

Bug: 156305599
Bug: 285239971
Change-Id: Iae2c8f7d2dc343e7d177e6fb2e893ecca1796f7f
2023-06-13 16:22:03 +00:00
Pawan Wagh
767dc6be06 Merge "Add credstore service fuzzer to bindings" 2023-06-13 15:30:53 +00:00
Treehugger Robot
53931795c0 Merge "Allow app_process to link /data/asan/system_ext/lib/*" am: 06d79cdc4e
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2620909

Change-Id: I54cc818c3cbd8318dbd23c7ac57c358803f8ac5a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-12 11:37:15 +00:00
Treehugger Robot
06d79cdc4e Merge "Allow app_process to link /data/asan/system_ext/lib/*" 2023-06-12 10:54:27 +00:00
Jeff Pu
80dec42b4b Merge "Allow hal_fingerprint_default to have pipe read access" am: f19025e663
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2605987

Change-Id: I25ce105f8eeaa2b6199c7e7f017fd6f93620b413
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-09 19:42:10 +00:00
Jeff Pu
f19025e663 Merge "Allow hal_fingerprint_default to have pipe read access" 2023-06-09 19:09:58 +00:00
Jeff Pu
1e09f2ebf7 Allow hal_fingerprint_default to have pipe read access
Bug: 284488745
Test: atest BiometricsE2eTests:BiometricPromptAuthSuccessTest
Change-Id: Ie69193964232b1a6b97877c650182fcdcd5b2cea
2023-06-09 13:56:28 +00:00
Treehugger Robot
0fa23e0be1 Merge "Allow VMs to log to shell pts" am: 550f10eaeb
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2617777

Change-Id: I9737b5d4a1ca946b6aed006dfb5a14dcb472b2b1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-09 09:29:49 +00:00
Treehugger Robot
550f10eaeb Merge "Allow VMs to log to shell pts" 2023-06-09 09:03:29 +00:00
Jooyung Han
cef75edc33 Merge "Allow vendor_overlay_file from vendor apex" am: ad08877b4d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2618632

Change-Id: I762e8a8848868268804b2d9d2012246e5fcc0707
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-09 06:31:34 +00:00
Jooyung Han
ad08877b4d Merge "Allow vendor_overlay_file from vendor apex" 2023-06-09 05:56:20 +00:00
Inseob Kim
20a9d569d2 Add missing properties to microdroid am: deaa8b9f4a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2106044

Change-Id: I847ae3fac14c423243f9e113c1ba1a44bd294aa5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-09 05:01:04 +00:00
Weiwei.Zhang
0179ede5a4 Allow app_process to link /data/asan/system_ext/lib/*
app_process couldn't map /data/asan/system_ext/lib/libgpud_sys.so
avc:  denied  { execute } for  path="/data/asan/system_ext/lib/libgpud_sys.so"
dev="dm-43" ino=784 scontext=u:r:zygote:s0 tcontext=u:object_r:system_data_file:s0
tclass=file permissive=0

Bug: 286479817
Test: bootup, app_process can work well with asan enabled.
Change-Id: I577105fe1b0c4cb7fa98ccb33eac0f59a0e645f6
2023-06-09 04:43:52 +00:00
Jooyung Han
7c4f8a87d3 Allow vendor_overlay_file from vendor apex
Path to vendor overlays should be accessible to those processes with
access to vendor_overlay_file. This is okay when overlays are under
/vendor/overlay because vendor_file:dir is accessible from all domains.
However, when a vendor overlay file is served from a vendor apex, then
the mount point of the apex should be allowed explicitly for 'getattr'
and 'search'.

Bug: 285075529
Test: presubmit tests
Change-Id: I393abc76ab7169b65fdee5aefd6da5ed1c6b8586
2023-06-09 13:43:11 +09:00
Inseob Kim
deaa8b9f4a Add missing properties to microdroid
The main motivation is to reduce log spam.

Bug: 268333203
Test: atest MicrodroidTests MicrodroidHostTestCases
Change-Id: Idffdcd7d543590d8c580b2282098d3abd8214f86
2023-06-09 11:30:24 +09:00
Treehugger Robot
e930e1de6b Merge "Allow app_zygote to open vendor_overlay_file from vendor apex" am: 9f254ba368
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2618492

Change-Id: I8bef8ca004f5dce791cdfe83b2308ea495cd6c1a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-09 01:55:30 +00:00
Treehugger Robot
9f254ba368 Merge "Allow app_zygote to open vendor_overlay_file from vendor apex" 2023-06-09 01:06:38 +00:00
Pawan Wagh
21f6f52922 Add update service fuzzer to bindings
Test: m
Bug: 232439428
Change-Id: I9532d1d473d3b053f464df48169dc9b23951a095
2023-06-09 00:01:54 +00:00
Thiébaud Weksteen
e5705ebae0 Merge "Grant signal permission for dumpstate on app_zygote" am: 4ba0198325
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2616609

Change-Id: Ifaaa76353fac36d8e880ae9684fae0de125aff53
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-08 23:57:12 +00:00
Thiébaud Weksteen
4ba0198325 Merge "Grant signal permission for dumpstate on app_zygote" 2023-06-08 23:22:42 +00:00
Jooyung Han
f108164ddf Allow app_zygote to open vendor_overlay_file from vendor apex
To read overlay from vendor apex, app_zygote needs to have access to
vendor_apex_metadata_file:dir with {getattr,search} permissions.

Bug: 286320150
Test: atest
CtsExternalServiceTestCases: android.externalservice.cts.ExternalServiceTest#testBindExternalServiceWithZygote
Change-Id: Icef716e6d238936d04c5813c23042ec4b0e28541
2023-06-09 08:16:16 +09:00
Pawan Wagh
38cfa74af2 Add credstore service fuzzer to bindings
Test: m
Bug: 232439428
Change-Id: Ie47e0e7a479f130935ada52a28d4e26e3bf07041
2023-06-08 21:28:46 +00:00
Treehugger Robot
5ed2584008 Merge "Add wificond service fuzzer to bindings" am: 34814e6d48
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2611796

Change-Id: I809ad3e0d4176ccc5f78bb582af6bdc08d64083c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-08 19:04:58 +00:00
Treehugger Robot
34814e6d48 Merge "Add wificond service fuzzer to bindings" 2023-06-08 18:30:49 +00:00
Treehugger Robot
e300b61a6e Merge "atrace: don't audit debugfs access" am: b61d353551
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2619892

Change-Id: I6e97c5950ed76ff25246bed2977d69ff56891633
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-08 17:41:15 +00:00
Treehugger Robot
b61d353551 Merge "atrace: don't audit debugfs access" 2023-06-08 17:05:47 +00:00