tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
29113 commits 1 branch 0 tags 50 MiB
Commit graph

11 commits

Author SHA1 Message Date
Hai Zhang
86e10ef55d Allow PermissonController to find app_api_service and system_api_service. 
PermissionController is updatable, so we may need to call new APIs in newer versions.

Change-Id: I0a6657ad1f27e1e2fdc320184268966009d3a4fc
 2020-12-09 11:10:06 +00:00
Hai Zhang
04db97a72d Add SELinux policy for legacy permission service. 
The updatable and non-updatable permission manager cannot share one
AIDL, so we need to create a new system service for the non-updatable
legacy one, and add the SELinux policy for it.

Bug: 158736025
Test: presubmit
Change-Id: Ief8da6335e5bfb17d915d707cf48f4a43332f6ae
 2020-12-04 14:43:33 -08:00
Evan Severson
1d69ca740e Allow permission controller to use radio service 
Test: Observe denial go away
Bug: 153997991
Change-Id: I9a11e226867a5d68f2490f5143963cc66bd09538
 2020-05-08 23:49:06 +00:00
Ashwini Oruganti
7d54f0367f Don't run permissioncontroller_app in permissive mode 
Looking at go/sedenials, we're fairly confident that this domain has all
the necessary permissions. This change enforces all the defined rules
for the permissioncontroller_app domain and unsets the permissive mode.
Bug: 142672293
Test: Green builds, no new selinux denials.
Change-Id: Idaaf2f7aa88b2981f9fab2f74350a934fe415d71
 2020-01-06 09:41:22 -08:00
Ashwini Oruganti
6570d6d3c7 permissioncontroller_app: add a rule for IProxyService_service 
Noticed denials in go/sedenials. This permission is currently granted to
priv_app via app_api_service.

Bug: 142672293
Test: TH
Change-Id: I9834044b2ba13b12694e88ae5cec8eb5c38c658c
 2019-12-26 15:34:00 -08:00
Ashwini Oruganti
73e1229c96 Allow PermissionController app to to request and collect incident reports 
This change adds rules related to incidentd and incident_service.

Bug: 142672293
Test: TH
Change-Id: I578ad5f1d893b9f640983d44eed770d0933ebf60
 2019-12-09 16:38:20 -08:00
Ashwini Oruganti
5064189c23 Update permissioncontroller_app domain rules 
This adds permissions for content_capture_service,
incidentcompanion_service, media_session_service, and telecom_service.
These were observed via sedenials on dogfood builds.

Bug: 142672293
Bug: 144677148
Test: Green builds, no more denials show up for these services.
Change-Id: Ifd93c54fb3ca3f0da781cd2038217a29e812a40f
 2019-11-21 12:59:33 -08:00
Ashwini Oruganti
6f795f3dc6 Revert "Don't run permissioncontroller_app in permissive mode" 
This reverts commit 9076b9c541.

This is breaking incidentcompanion_service and preventing taking bug
reports from work profile.

Bug: 144677148
Bug: 142672293
Test: Green builds.
Change-Id: I7a82522a5bb21c05fbabd3f3f1c05d4a8c6ca8f4
 2019-11-20 22:47:22 +00:00
Ashwini Oruganti
9076b9c541 Don't run permissioncontroller_app in permissive mode 
Looking at go/sedenials, we're fairly confident that this domain has all
the necessary permissions. This change enforces all the defined rules
for the permissioncontroller_app domain and unsets the permissive mode.
Bug: 142672293
Test: Build successfully, flashed a phone and basic usage of Permission Manager seemed to work well.

Change-Id: I3fb9cfaa216ddbd865b56e72124374eb1c75dea8
 2019-11-13 16:37:49 -08:00
Ashwini Oruganti
c557ca61dd Update permissioncontroller_app domain rules 
Add some rules based on the SELinux denials observed.

Bug: 143905061
Bug: 142672293
Test: Green builds, no more denials for the 7 services added.
Change-Id: I27e4634cb1df03166e734f6c12c8cb9147568d72
 2019-11-04 16:03:54 -08:00
Ashwini Oruganti
9bc81125ef Create a separate domain for permissioncontroller 
This creates an SELinux domain for permissioncontroller and moves it out of the
priv_app SELinux domain.

Bug: 142672293
Test: Flashed a device with this build and verified
com.google.android.permissioncontroller runs in the
permissioncontroller_app domain.
Change-Id: Ieb2e4cb806d18aaeb2e5c458e138975d1d5b64fe
 2019-10-30 14:59:12 -07:00