Treehugger Robot
10171d408d
Merge "Cleanup ImageInterface.SetImageVariation" into main am: 7c2d9978c1
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3131517
Change-Id: I310ed3c3876ee1018f6318521d924480e9642334
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-14 04:29:12 +00:00
Treehugger Robot
7c2d9978c1
Merge "Cleanup ImageInterface.SetImageVariation" into main
2024-06-14 04:26:52 +00:00
Treehugger Robot
7c9ac69a60
Merge "SELinux: allow gms core write to aconfigd socket" into main am: 3115b03d9e
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3132573
Change-Id: I2ee1d7a39e326cec8d51e23f17339deb5eb3b274
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-14 00:27:51 +00:00
Treehugger Robot
3115b03d9e
Merge "SELinux: allow gms core write to aconfigd socket" into main
2024-06-14 00:22:03 +00:00
Jihoon Kang
8298ae56e6
Cleanup ImageInterface.SetImageVariation
...
This change modifies the interface method of
ImageInterface.SetImageVariation so that the image variation is set
directly at the caller image variation module, instead of passing the
pointer to set the image variation.
Test: m nothing
Change-Id: Ice92b2496dbe9e342edf5542946620ae409f7d4f
2024-06-13 21:47:41 +00:00
Dennis Shen
182b19b51c
SELinux: allow gms core write to aconfigd socket
...
Bug: b/312459182
Test: m
Change-Id: If59a1c8bdf98274b9dac33a2125780a3c43910db
2024-06-13 18:45:49 +00:00
Satoshi Niwa
1649ae652c
Merge "Add /system/bin/traced_relay to file_contexts" into main am: 3c4364447d
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3127574
Change-Id: Id099746839932f72a593173f12429d97057a83d9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-13 08:58:58 +00:00
Satoshi Niwa
3c4364447d
Merge "Add /system/bin/traced_relay to file_contexts" into main
2024-06-13 08:53:29 +00:00
Satoshi Niwa
56a5c1c0db
Add /system/bin/traced_relay to file_contexts
...
traced_relay is a service that takes the place of traced
in a guest VM and relays the producer connections to the
host tracing service. (aosp/2646664)
The service requires the same permissions as traced.
Bug: 333835162
Bug: 340402999
Test: Run traced_relay in a guest VM
Change-Id: Ifc7854e0d3ebaf0f9021cf455a2433037525a0bc
2024-06-13 04:17:37 +00:00
Seungjae Yoo
6a28c726c4
Merge "Grant TUNGETIFF ioctl and revoke SIOCGIFFLAGS ioctl to vmnic" into main am: 5a77925214
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3120132
Change-Id: I0e5ff9a9bb667d43027641cad61da692c0fe7415
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-13 01:44:15 +00:00
Seungjae Yoo
5a77925214
Merge "Grant TUNGETIFF ioctl and revoke SIOCGIFFLAGS ioctl to vmnic" into main
2024-06-13 01:38:54 +00:00
Jeffrey Huang
970d43eaab
Merge "Allow statsd to read file descriptors from any app" into main am: bfcc43e84e
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3107057
Change-Id: I046583d19a6772fbb4f91e27de56a6280dc27e43
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-12 21:33:08 +00:00
Jeffrey Huang
bfcc43e84e
Merge "Allow statsd to read file descriptors from any app" into main
2024-06-12 21:14:37 +00:00
Treehugger Robot
a4ffe3b38d
Merge "Compatibility for vendor_hidraw_device" into main am: 1327971c7c
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3116384
Change-Id: I34fb224ac84cf888527ad166b9ebd6cf13b6c1dc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-11 10:34:00 +00:00
Treehugger Robot
1327971c7c
Merge "Compatibility for vendor_hidraw_device" into main
2024-06-11 10:12:02 +00:00
Seungjae Yoo
a217b1f191
Grant TUNGETIFF ioctl and revoke SIOCGIFFLAGS ioctl to vmnic
...
To delete TAP interface in vmnic, it should retrieve libc::ifreq struct
object from file descriptor of TAP interface, to execute SIOCSIFFLAGS
and TUNSETIFF ioctls.
On the other hand, we can reuse libc::ifreq struct for executing
SIOCSIFFLAGS ioctl constructed for executing TUNSETIFF and TUNSETPERSIST
ioctls. So we don't need to grant SIOCGIFFLAGS ioctl anymore, to get
libc::ifreq struct.
Bug: 340376951
Test: Presubmit
Change-Id: I448c8ca5366c0e27d5d5fe09bcb366c5f23650ac
2024-06-11 13:27:36 +09:00
Karuna Wadhera
c91f365902
Merge "Untrack keystore SELinux denial on AVF RKP Hal" into main am: e357df7504
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3122031
Change-Id: Ic45ddce19ccc5d3ba42c7c7c4e40e3c883d81351
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-10 19:31:14 +00:00
Karuna Wadhera
e357df7504
Merge "Untrack keystore SELinux denial on AVF RKP Hal" into main
2024-06-10 19:06:35 +00:00
Zi Wang
2baa88a1b4
Merge changes Ib9972bcd,I87d18451 into main am: f5f05c1f9f
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3118318
Change-Id: I39d4edc62894f10149fcc382058934d5d26f0681
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-10 16:53:54 +00:00
Zi Wang
f5f05c1f9f
Merge changes Ib9972bcd,I87d18451 into main
...
* changes:
Use OutputFilesProvider on certain module types
Use OutputFilesProvider on certain module types
2024-06-10 16:33:43 +00:00
Karuna Wadhera
fb728ac3af
Untrack keystore SELinux denial on AVF RKP Hal
...
With the dontaudit line in keystore.te commented out on an otherwise clean build, I was unable to see the SELinux denial on boot. So, it seems like this denial may not be occurring anymore and it’s safe to remove the dontaudit line.
Bug: 312427637
Test: manual
Change-Id: Ib8887f0593ea984e3c011b76a81b7bf99cff2a44
2024-06-10 14:32:19 +00:00
Alan Stokes
8a6bb3ef84
Compatibility for vendor_hidraw_device
...
Older vendor policy may apply the label vendor_hidraw_device to the
HID device.
From 202404 we use the new label hidraw_device for this.
Fix the compatibility rules to allow new system policy to work with
older vendor policy by adding specific compat logic.
Note that the original 34.0 system policy didn't mention hidraw_device
at all, so the more normal compatibility mechanisms don't really work.
Bug: 340923653
Test: Builds, boots, no new denials
Change-Id: I358118b217c82b5f8111f3e05d35aa16c464b941
2024-06-10 14:59:04 +01:00
Alice Wang
94148a33fe
Merge "Add system property to disable avf remote attestation" into main am: 97091293b7
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3117519
Change-Id: Ia99358fe9e6c4dcacc2814c96268ec47f9884db9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-10 12:09:00 +00:00
Alice Wang
97091293b7
Merge "Add system property to disable avf remote attestation" into main
2024-06-10 11:31:52 +00:00
Alice Wang
3d9ce1a965
Add system property to disable avf remote attestation
...
Introduce a new system property
avf.remote_attestation.enabled to allow vendors
to disable the feature in vendor init.
Bug: 341598459
Test: enable/disable the feature and check VmAttestationTestApp
Change-Id: I809e4c62a8590822eef70093e33854ab79757835
2024-06-10 09:16:24 +00:00
Treehugger Robot
e6618432f9
Merge "system_app.te: fix misleading comment" into main am: 104099ef21
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3120251
Change-Id: Ia49f4b47e4d08da7195812dd01b7df456c7e9025
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-10 08:24:21 +00:00
Treehugger Robot
104099ef21
Merge "system_app.te: fix misleading comment" into main
2024-06-10 08:03:10 +00:00
Nick Kralevich
c8ac77735e
system_app.te: fix misleading comment
...
A comment within system_app.te implies that system_apps can read/write
the /data/data directory (and all subdirectories). The comment is
misleading. Fix the comment.
Test: comment only change. No test needed
Change-Id: I51b95f8b55ac89730a866d2a829326b276b11824
2024-06-07 10:20:18 -07:00
Ellen Arteca
949db99e7c
Merge "Modify permissions to move encryption policy assignment to vold_prepare_subdirs" into main am: c628579730
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3095418
Change-Id: I0a019e1b6054825929fadd320036991e3979778c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-06 23:36:22 +00:00
Ellen Arteca
c628579730
Merge "Modify permissions to move encryption policy assignment to vold_prepare_subdirs" into main
2024-06-06 23:16:13 +00:00
mrziwang
dc268a72fb
Use OutputFilesProvider on certain module types
...
se_build_files, se_cil_compat_map and sepolicy_vers will be using
OutputFilesProvider for output files inter-module-communication.
Test: CI
Bug: 339477385
Change-Id: Ib9972bcdea4850508cb9070903af53973bff9f66
2024-06-06 14:42:10 -07:00
Steven Moreland
57061954d2
more vm socket isolation am: 378ed74529
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3114226
Change-Id: Ib8605365b1823611b41183bdfc548c6abc913ec8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-06 18:47:07 +00:00
Jeffrey Huang
288cbd7409
Allow statsd to read file descriptors from any app
...
Bug: 343243378
Test: m -j
Change-Id: I11d7e0222bec3c02e200b9f675939261738d0390
2024-06-06 11:12:09 -07:00
mrziwang
cb3f550b59
Use OutputFilesProvider on certain module types
...
The module types below no longer implement OutputFileProducer, but
use OutputFilesProvider for output files inter-module-communication.
se_policy_conf
se_policy_cil
se_policy_binary
se_compat_cil
se_versioned_policy
Test: CI
Bug: 339477385
Change-Id: I87d1845162f91065acd7d2f6c27fd7583cc8b5e0
2024-06-06 10:49:47 -07:00
Ellen Arteca
aa898dc541
Modify permissions to move encryption policy assignment to vold_prepare_subdirs
...
We have moved the encryption policy assignment from vold to
vold_prepare_subdirs. This CL removes some permissions from vold
over storage areas that are no longer needed due to this change,
and adds some permissions to vold_prepare_subdirs.
Bug: 325129836
Test: atest StorageAreaTest
Change-Id: Ief2a8021ed3524018d001e20eae60f712f485d81
2024-06-06 17:48:43 +00:00
Steven Moreland
378ed74529
more vm socket isolation
...
Bugs: me
Test: build
Change-Id: Ie34ac041f1234891043098a4decf05ec7a9e6761
2024-06-05 23:45:44 +00:00
Dennis Shen
1f2eea0c7a
Merge "selinux: allow everybody to read flags from RO flag storage file" into main am: 0467d14618
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3112421
Change-Id: I948458b771e030fb4b7ef31f5a5c38a854f7db2f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-04 17:22:58 +00:00
Dennis Shen
0467d14618
Merge "selinux: allow everybody to read flags from RO flag storage file" into main
2024-06-04 17:11:18 +00:00
Dennis Shen
33bc92dab5
selinux: allow everybody to read flags from RO flag storage file
...
Bug: b/312459182
Test: m and avd
Change-Id: Ie5ce92b299ce2434256c9f963865b9d626b400fa
2024-06-04 15:02:56 +00:00
Treehugger Robot
23ce6a536b
Merge "Allow dexopt_chroot_setup to mount/unmount debugfs." into main am: c6a554f200
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3111559
Change-Id: I130c9ac4848eda54b134faef7f49676017dd9b47
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-04 14:20:41 +00:00
Treehugger Robot
c6a554f200
Merge "Allow dexopt_chroot_setup to mount/unmount debugfs." into main
2024-06-04 13:54:51 +00:00
Treehugger Robot
e0a8a9fa19
Merge "Allow dexopt_chroot_setup to bind-mount dirs for incremental apps." into main am: 8d9a89ed9e
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3111602
Change-Id: I7be81be6650996bf85b9c6bc77368f0b7521353e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-04 13:05:30 +00:00
Jiakai Zhang
413f44d5c4
Allow dexopt_chroot_setup to mount/unmount debugfs.
...
Some old devices use debugfs for /sys/kernel/debug.
Bug: 311377497
Change-Id: Ib9958b5cfdd85c37acd27ff6e637efdbd2a068e3
Test: adb shell pm art pr-dexopt-job --test
2024-06-04 12:54:25 +00:00
Treehugger Robot
8d9a89ed9e
Merge "Allow dexopt_chroot_setup to bind-mount dirs for incremental apps." into main
2024-06-04 12:48:49 +00:00
Treehugger Robot
28b66e2893
Merge "testNoBugreportDenials fix on user" into main am: 8ebc2aa055
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3111766
Change-Id: Iaf7772fc912f0a247ac835e32d6eb76deae7a3f5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-04 01:24:39 +00:00
Treehugger Robot
8ebc2aa055
Merge "testNoBugreportDenials fix on user" into main
2024-06-04 01:20:02 +00:00
Jooyung Han
9a441ba91c
Merge "installd renames dirs in /data/app-staging" into main am: 672143fa6a
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3111259
Change-Id: I8ec24a3754acfac90b6a417ca6c768c0f8678f18
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-04 01:15:59 +00:00
Jooyung Han
672143fa6a
Merge "installd renames dirs in /data/app-staging" into main
2024-06-04 01:12:49 +00:00
Jiakai Zhang
0a49ac3dbd
Allow dexopt_chroot_setup to bind-mount dirs for incremental apps.
...
Bug: 311377497
Test: adb shell pm art pr-dexopt-job --test
Change-Id: I8da90876191eadfea77d34c7441d0e4bdb377d31
2024-06-03 20:43:25 +01:00
Steven Moreland
496f08d378
testNoBugreportDenials fix on user
...
Bug: 343635916
Test: N/A
Change-Id: I2f73cc8429f87e9b7ada8e7c9a3fabcc9eb3d7ee
2024-06-03 19:30:04 +00:00