tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
20524 commits 1 branch 0 tags 50 MiB
Commit graph

20524 commits

This branch
This branch
All branches
Author SHA1 Message Date
Anton Hansson
0e2d985d50 resolve merge conflicts of b5b796adcd to qt-dev-plus-aosp 
Test: presubmit
Bug: None
Merged-In: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
Change-Id: I8c40cfba7b06cf3b431528eb94957022278edbbe
 2019-05-01 13:15:22 +01:00
TreeHugger Robot
b5b796adcd Merge "Sepolicy: add dynamic_system_prop" into qt-dev 2019-05-01 10:32:28 +00:00
Jack Yu
b62d8a9b99 [automerger skipped] Merge "Add sepolicy for nfc hal v1.2" into qt-dev 
am: e1757623ee -s ours
am skip reason: change_id If54884f76a32705d11f2085f66fe83b9e0354f79 with SHA1 58329f6536 is in history

Change-Id: Ica971505a9a9f491c629afe698c68e0787afe08a
 2019-04-30 16:44:41 -07:00
Steven Moreland
4584574f06 Merge "Use explicit whitelist for HIDL app neverallows." am: 6acaea456f 
am: 3bd7f13c54

Change-Id: I68c3adcadad9d24fec9cf7341cfb21da1cb21b86
 2019-04-30 15:34:26 -07:00
Steven Moreland
3bd7f13c54 Merge "Use explicit whitelist for HIDL app neverallows." 
am: 6acaea456f

Change-Id: I0500b302e676cf20387917925ddb63838ec73a8a
 2019-04-30 15:29:22 -07:00
Steven Moreland
6acaea456f Merge "Use explicit whitelist for HIDL app neverallows." 2019-04-30 22:16:12 +00:00
Jack Yu
73d44f2f5d [automerger skipped] Add sepolicy for nfc hal v1.2 
am: 58329f6536 -s ours
am skip reason: change_id If54884f76a32705d11f2085f66fe83b9e0354f79 with SHA1 a5dde796b5 is in history

Change-Id: I4762f0ac9a58d9cc54b303ce81b0331b059584b2
 2019-04-30 14:17:11 -07:00
TreeHugger Robot
e1757623ee Merge "Add sepolicy for nfc hal v1.2" into qt-dev 2019-04-30 20:33:35 +00:00
Jim Blackler
e2d75a50f0 lmkd: grant access to /proc/lowmemorykiller am: 3cfad10c04 
am: f560f0b63f

Change-Id: I3fe640306bfd57bdd57618ae260997115bfffb8d
 2019-04-30 03:28:29 -07:00
Jim Blackler
f560f0b63f lmkd: grant access to /proc/lowmemorykiller 
am: 3cfad10c04

Change-Id: Ib4ea7224ded802edf0ac693c6570985e62132ef5
 2019-04-30 03:24:18 -07:00
Carmen Jackson
c67677af46 Merge "Add selinux rule to allow Traceur to enable the traced daemon." into qt-dev 
am: f546fd8ee5

Change-Id: I4bd45ddc4c0884d2b239e891c141daa0fbe8eb08
 2019-04-29 23:06:24 -07:00
Luke Huang
e239131a34 [automerger skipped] Sepolicy for netutils_wrapper to use binder call 
am: 2cdbd3a38c -s ours
am skip reason: change_id I346520c47b74fde5137ad7c777f0a9eca50a06d7 with SHA1 554b334d7b is in history

Change-Id: Ie92fd4b8934e39fec75c54741abc49c5cb65fc9d
 2019-04-29 22:52:46 -07:00
Hung-ying Tyan
dea144c1e5 Sepolicy: add dynamic_system_prop 
and allow shell and system_app (Settings) to set it to enable Dynamic System Update.
Also allow priv_app (user of the API) to read it.

Bug: 119647479
Bug: 129060539
Test: run the following command on crosshatch-user:
      adb shell setprop persist.sys.fflag.override.settings_dynamic_system 1

Change-Id: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
Merged-In: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
 2019-04-30 05:36:19 +00:00
Paul Crowley
744a2c5ce8 Add /data/vendor_ce/0/facedata alongside its vendor_de relation 
am: 1739bceaab

Change-Id: Id64f3dbe6272ad89e317895b0ee3fb6899002093
 2019-04-29 22:28:44 -07:00
Mikhail Naganov
6e09e481a3 [automerger skipped] Merge "Allow mediaserver to find "audio" service" into qt-dev 
am: 4ac9186958 -s ours
am skip reason: change_id Iaa3651c692fd550f72e7ce6eafbf3386ee07a0c0 with SHA1 afcdbefb43 is in history

Change-Id: I780a18a10b9bedc6f46e05b1fcacea3595d3db5d
 2019-04-29 22:28:05 -07:00
Mikhail Naganov
8ae5f5edc5 [automerger skipped] Allow mediaserver to find "audio" service 
am: afcdbefb43 -s ours
am skip reason: change_id Iaa3651c692fd550f72e7ce6eafbf3386ee07a0c0 with SHA1 dc38720cfb is in history

Change-Id: I6b7f9ae2b3d1790c16c982e6e24540bab8b335ed
 2019-04-29 14:01:28 -07:00
Steven Moreland
68b6f805c9 Use explicit whitelist for HIDL app neverallows. 
There were three separate neverallows here. Simplifying it to one
with only a small number of exceptions.

Bug: 131177459
Bug: 37226359
Test: m sepolicy (checks neverallows)

Change-Id: I93045c9f698f28675c634643a827a1cd513f215e
 2019-04-29 13:11:38 -07:00
Jim Blackler
3cfad10c04 lmkd: grant access to /proc/lowmemorykiller 
lmkd needs to read /proc/lowmemorykiller to send statslog events in response to
applications being killed.

Bug: 130017100
Change-Id: I929d5a372e1b2f63b7b5ed421f1898ebddaec01c
 2019-04-29 10:49:58 +00:00
Carmen Jackson
9b7d527efb Add selinux rule to allow Traceur to enable the traced daemon. am: 2798b5fc93 
am: deeac71a51

Change-Id: I4ef66fab73929dad5ef1f29c2d52a350027e8937
 2019-04-28 17:37:40 -07:00
Carmen Jackson
deeac71a51 Add selinux rule to allow Traceur to enable the traced daemon. 
am: 2798b5fc93

Change-Id: Ibeaccc1a98209301645e2ca4bcc1277e60358d36
 2019-04-28 17:32:34 -07:00
Carmen Jackson
2798b5fc93 Add selinux rule to allow Traceur to enable the traced daemon. 
Bug: 130784724
Test: manual
Change-Id: Ic1903e273f5a136b3e0b14a901a60d8d0a81b211
Merged-In: Ic1903e273f5a136b3e0b14a901a60d8d0a81b211
 2019-04-26 16:18:56 -07:00
Winson Chiu
6a8b5a0fe5 Merge "DO NOT MERGE: Allow idmap1 to read vmdl*.tmp APK install files" into qt-dev 
am: 019037a810

Change-Id: I0cb1e2f2edde71381851dadc576da55339136bb2
 2019-04-26 14:58:58 -07:00
Miao Wang
b21a10db4c Allow NNAPI HAL services access model files provided by privapp. 
am: aa568e1c79

Change-Id: I67c12cd4275ff8a974af67d22dfa565c86a61e06
 2019-04-26 14:58:29 -07:00
Wei Wang
a0442115f0 Merge "Allow signals to power/thermal HAL from dumpstate" into qt-dev 
am: 5f30c238ec

Change-Id: Iab8bc504e4fdf88bd61ca05f29123dcb7c4ad58a
 2019-04-26 14:38:23 -07:00
TreeHugger Robot
f546fd8ee5 Merge "Add selinux rule to allow Traceur to enable the traced daemon." into qt-dev 2019-04-26 19:18:20 +00:00
Carmen Jackson
ac55fe955f Add selinux rule to allow Traceur to enable the traced daemon. 
Bug: 130784724
Test: manual
Change-Id: Ic1903e273f5a136b3e0b14a901a60d8d0a81b211
 2019-04-25 23:59:06 -07:00
Luke Huang
2cdbd3a38c Sepolicy for netutils_wrapper to use binder call 
Bug: 65862741
Test: built, flashed, booted

Merged-In: I346520c47b74fde5137ad7c777f0a9eca50a06d7
(cherry picked from commit 554b334d7b)

Change-Id: I0a03b88369bd2eca6593d252c4dff3ce7745b6cc
 2019-04-26 02:46:39 +00:00
Paul Crowley
1739bceaab Add /data/vendor_ce/0/facedata alongside its vendor_de relation 
Bug: 131084614
Test: Modify vold_prepare_subdirs to match and test on Crosshatch.
Change-Id: Id5402e6b5da3f1e5549f49f8273dd9f052c348d7
 2019-04-25 19:26:32 +00:00
TreeHugger Robot
4ac9186958 Merge "Allow mediaserver to find "audio" service" into qt-dev 2019-04-25 18:01:02 +00:00
Winson Chiu
019037a810 Merge "DO NOT MERGE: Allow idmap1 to read vmdl*.tmp APK install files" into qt-dev 2019-04-25 15:56:18 +00:00
Winson Chiu
4b33d68d35 DO NOT MERGE: Allow idmap1 to read vmdl*.tmp APK install files 
When upgrading a package, PackageParser acts on the temporary
APK file copied from the install location. This is passed to
idmap, which doesn't have read access because it's missing an
SELinux rule.

This is needed to fix a bug with manifest overlaying on updating
an app, a feature kept alive for Q.

Relevant logs when updating a target:
[  550.068083] type=1400 audit(1556124408.583:3812): avc: denied { read } for comm="idmap" name="base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[  550.090115] type=1400 audit(1556124408.583:3812): avc: denied { read } for comm="idmap" name="base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[  550.092064] type=1400 audit(1556124408.603:3813): avc: denied { open } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[  550.096202] type=1400 audit(1556124408.603:3813): avc: denied { open } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[  550.098459] type=1400 audit(1556124408.613:3814): avc: denied { map } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[  550.101640] type=1400 audit(1556124408.613:3814): avc: denied { map } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[  550.104239] type=1400 audit(1556124408.613:3815): avc: denied { getattr } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1

Bug: 130559507

Test: manual adb push /system/product/app/TestApp.apk with
/system/product/overlay/TestOverlay.apk enabling disabled launcher
Activity in TestApp; adb install -r TestApp.apk keeps enabled state
with changes

Change-Id: Ieeb7fb4f79ae091d0febf42ca358e7ffdfa6c3ff
(cherry picked from commit 7e7291a763)
 2019-04-25 11:05:07 +00:00
Ady Abraham
53c096d1aa Merge "Add new surfaceflinger ro props" into qt-dev 
am: 58a9b10bb2

Change-Id: I0ba71694212a74f0c9304e8c8270b1cbeae4907f
 2019-04-25 02:45:35 -07:00
Inseob Kim
c096bd0506 Merge "Build contexts files with Soong" am: b60155aeac 
am: 478b4440e5

Change-Id: I3c5824d2436efbc9b681ae5aca0f5543546997da
 2019-04-25 00:56:26 -07:00
Inseob Kim
478b4440e5 Merge "Build contexts files with Soong" 
am: b60155aeac

Change-Id: Ibd2952538a3f587738a951ac135678d4d1d46882
 2019-04-25 00:51:26 -07:00
Treehugger Robot
b60155aeac Merge "Build contexts files with Soong" 2019-04-25 07:46:19 +00:00
Miao Wang
3f0eb7134f Allow NNAPI HAL services access model files provided by privapp. am: 8c2f4babee 
am: 381b055fe4

Change-Id: I6cdde48c8448166154d102305628f0bae108cfb1
 2019-04-25 00:36:19 -07:00
Miao Wang
381b055fe4 Allow NNAPI HAL services access model files provided by privapp. 
am: 8c2f4babee

Change-Id: I0ca4f11ddef992bfcac55c5a8fdc1b4b1d83c915
 2019-04-25 00:31:12 -07:00
Miao Wang
8c2f4babee Allow NNAPI HAL services access model files provided by privapp. 
Bug: 131169221
Test: mm
Change-Id: I1004821bd30e2a0586b14178e352e885cabfc002
(cherry picked from commit aa568e1c79)
 2019-04-24 21:15:45 -07:00
Miao Wang
aa568e1c79 Allow NNAPI HAL services access model files provided by privapp. 
Bug: 131169221
Test: mm
Change-Id: I1004821bd30e2a0586b14178e352e885cabfc002
 2019-04-24 21:14:32 -07:00
Luke Huang
91491ed107 Merge "Sepolicy for netutils_wrapper to use binder call" am: 75b25384bb 
am: a35b8cc42b

Change-Id: Ic567cf288fc4f8362d6580204bc8fb69573a6bf4
 2019-04-24 20:27:21 -07:00
Luke Huang
a35b8cc42b Merge "Sepolicy for netutils_wrapper to use binder call" 
am: 75b25384bb

Change-Id: Ib1dcfba93b5ba2fad7eec4ac9665e0486f6562be
 2019-04-24 20:21:25 -07:00
Luke Huang
75b25384bb Merge "Sepolicy for netutils_wrapper to use binder call" 2019-04-25 03:09:30 +00:00
Inseob Kim
b554e594ca Build contexts files with Soong 
This is to migrate sepolicy Makefiles into Soong. For the first part,
file_contexts, hwservice_contexts, property_contexts, and
service_contexts are migrated. Build-time tests for contexts files are
still in Makefile; they will also be done with Soong after porting the
module sepolicy.

The motivation of migrating is based on generating property_contexts
dynamically: if we were to amend contexts files at build time in the
future, it would be nicer to manage them in Soong. To do that, building
contexts files with Soong can be very helpful.

Bug: 127949646
Bug: 129377144
Test: 1) Build blueline-userdebug, flash, and boot.
Test: 2) Build blueline-userdebug with TARGET_FLATTEN_APEX=true, flash,
and boot.
Test: 3) Build aosp_arm-userdebug.

Change-Id: I576f6f20686f6f2121204f76657274696d652121
 2019-04-25 09:59:28 +09:00
Jooyung Han
dd57671b44 Merge "Adding vendor_apex_file for /vendor/apex" am: 91c35aeab6 
am: 37985b73c4

Change-Id: I9df7fa96c38686fb59d244de243fdf6fd01a7494
 2019-04-24 16:57:07 -07:00
Jooyung Han
37985b73c4 Merge "Adding vendor_apex_file for /vendor/apex" 
am: 91c35aeab6

Change-Id: I64f45f0861ce213a464a8900699e906cdde888cb
 2019-04-24 16:52:04 -07:00
Treehugger Robot
91c35aeab6 Merge "Adding vendor_apex_file for /vendor/apex" 2019-04-24 23:32:56 +00:00
TreeHugger Robot
5f30c238ec Merge "Allow signals to power/thermal HAL from dumpstate" into qt-dev 2019-04-24 20:18:26 +00:00
Winson Chiu
8ef4d78fbb Merge "Allow idmap1 to read vmdl*.tmp APK install files" am: e4af840db6 
am: 8d18a3bd51

Change-Id: I968d485072128b4f3263e26f068b8ffa889279b1
 2019-04-24 13:16:21 -07:00
Winson Chiu
8d18a3bd51 Merge "Allow idmap1 to read vmdl*.tmp APK install files" 
am: e4af840db6

Change-Id: I568001cc07d9aa8079ceb665d3d1695d0fcb3302
 2019-04-24 13:06:16 -07:00
Treehugger Robot
e4af840db6 Merge "Allow idmap1 to read vmdl*.tmp APK install files" 2019-04-24 19:56:48 +00:00