tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
33649 commits 1 branch 0 tags 50 MiB
Commit graph

7824 commits

Author SHA1 Message Date
Jiyong Park
16c1ae3a3d Add use_bionic_libs macro 
... to dedupe rules for allowing access to bootstrap bionic libraries.

Bug: N/A
Test: m
Change-Id: I575487416a356c22f5f06f1713032f11d979d7d4
 2022-01-25 09:47:56 +09:00
Yabin Cui
40d41f7639 Merge "Add sepolicy for simpleperf_boot." 2022-01-25 00:29:09 +00:00
Treehugger Robot
9acd00484b Merge "Fix virtualizationservice denials" 2022-01-25 00:26:11 +00:00
Treehugger Robot
7423beb1bd Merge "Remove system/bin/clatd from clatd_exec" 2022-01-23 13:25:16 +00:00
George Chang
95113bbbed Merge "Add hal_nfc_service" 2022-01-22 01:46:41 +00:00
Sharon Su
0cd7ba7617 Merge "Change in SELinux Policy for wallpaper effects generation API. Test: presubmit tests" 2022-01-22 00:06:00 +00:00
Treehugger Robot
c23930818d Merge "Add sepolicy for IInputProcessor HAL" 2022-01-21 22:45:52 +00:00
Kathy Chen
082263f3bc SELinux policy changes for AmbientContext system API. 
Context about this is on ag/16302285

Test: Ensure no build failures, ensure no SecurityException on boot
Bug: 192476579
Change-Id: If5ba2fa41975acf91c0002a0f301da11eaebd6d2
 2022-01-21 20:12:54 +00:00
Treehugger Robot
158927ed5c Merge "Add selinux policy for new BinaryTransparencyService" 2022-01-21 19:10:31 +00:00
Hungming Chen
740b0669f0 Remove system/bin/clatd from clatd_exec 
Since clatd is shipped by mainline module, remove the following privs
/system/bin/clatd      u:object_r:clatd_exec:s0

Test: build
Change-Id: Id98470fc5e641acc7e5635af02a520d2ed531cd8
 2022-01-21 18:19:05 +00:00
Florian Mayer
06337c4260 Merge "Add policy for command line tool to control MTE boot state." 2022-01-21 18:11:00 +00:00
Treehugger Robot
439f17558c Merge "Allow system_server read and open access to sys/class/net." 2022-01-21 14:47:52 +00:00
Treehugger Robot
f53bb875bb Merge "Add Bluetooth Audio HAL rules" 2022-01-21 14:40:12 +00:00
Alan Stokes
8a881c14bf Fix virtualizationservice denials 
Allow logging to statsd - see
commit 3ffa832c6325bc9640baea66192e4e2c64349bc8.

Allow ioctl on /dev/kvm (allowxperm isn't enough) - see
commit 2dd48d0400.

Ignore spurious errors on /proc/fd/1 when running derive_classpath - see
commit 3fad86bb8a.

This fixes these denials:
avc: denied { write } for name="statsdw" dev="tmpfs" ino=984 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:statsdw_socket:s0 tclass=sock_file permissive=0
avc: denied { ioctl } for path="/dev/kvm" dev="tmpfs" ino=766 ioctlcmd=0xae03 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:kvm_device:s0 tclass=chr_file permissive=0
avc: denied { write } for name="fd" dev="proc" ino=63285 scontext=u:r:virtualizationservice:s0 tcontext=u:r:virtualizationservice:s0 tclass=dir permissive=0

Bug: 209008347
Bug: 210472252
Bug: 210803811
Test: Start VM, don't see denials.
Change-Id: I4c67746c1312553ee1155098ac27fc0d46c6f521
 2022-01-21 13:44:38 +00:00
Treehugger Robot
e939178d89 Merge "clatd: remove spurious privs" 2022-01-21 11:46:55 +00:00
Sharon Su
cedde105ae Change in SELinux Policy for wallpaper effects generation API. 
Test: presubmit tests

Change-Id: I02f9545376534d1570cfa270dfe15c9df6f81d47
 2022-01-21 09:28:49 +00:00
Wayne Ma
27abad0dc8 Allow system_server read and open access to sys/class/net. 
system_server needs search/read/open access to the directory.
This change gives system_server permissions to fetching the
information from sys/class/net.

Bug: 202086915
Test: build, flash, boot
Change-Id: I7b245510efbc99427f3491c9234c45c8cc18fea1
 2022-01-21 03:20:10 +00:00
Siarhei Vishniakou
c655bece6a Add sepolicy for IInputProcessor HAL 
This sepolicy is needed so that the vendor can launch a new HAL process,
and then this HAL process could join the servicemanager as an impl for
IInputProcessor. This HAL will be used to contain the previous impl of
InputClassifier and also new features that we are going to add.

Bug: 210158587
Test: use together with a HAL implementation, make sure HAL runs
Change-Id: I476c215ad622ea18b4ce5cba9c07ae3257a65817
 2022-01-20 23:40:05 +00:00
Badhri Jagan Sridharan
c887ea3965 Add selinux rules for android.hardware.usb.IUsb AIDL migration 
Covers the rules needed for the default AIDL implementation.

Bug: 200993386
Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
Change-Id: Ib152d12686e225e3c1074295a70c624a5115e9bd
 2022-01-20 23:03:26 +00:00
Treehugger Robot
85387aa219 Merge "Remove odrefresh privileges no longer needed for CompOS" 2022-01-20 20:45:43 +00:00
Florian Mayer
23173455ab Add policy for command line tool to control MTE boot state. 
Bug: 206895651

Change-Id: I2e84193668dcdf24bde1c7e12b3cfd8a03954a16
 2022-01-20 17:30:09 +00:00
John Reck
423f4c7e93 Merge "Add IAllocator stable-aidl" 2022-01-20 17:05:56 +00:00
George Chang
0ddfebb4e1 Add hal_nfc_service 
Bug: 204868826
Test: atest VtsAidlHalNfcTargetTest
Change-Id: If01d1d0a74f5c787805d3744772d40a7aa7db9cb
 2022-01-20 03:48:57 +00:00
Billy Lau
8bb3ed7451 Add selinux policy for new BinaryTransparencyService 
Bug: 197684182

Test: Manually verified that BinaryTransparencyService is correctly
started and running.

Change-Id: I4eaf5698dd2edb428205afcd57c22502d56d2ec2
 2022-01-19 14:45:45 -08:00
Victor Hsieh
2413e27cc6 Merge "Remove compos_internal_service" 2022-01-19 21:53:03 +00:00
Josh Wu
759b4ef0df Add Bluetooth Audio HAL rules 
Test: manual
Bug: 203490261
Change-Id: Ic9994cdb8ed690996d83b46cfefbc228e35d34c3
 2022-01-19 01:32:42 -08:00
John Reck
22903f0435 Add IAllocator stable-aidl 
Test: Builds & boots; no sepolicy errors logged
Bug: 193558894
Change-Id: I11e162310548b67addc032ccc0d499cbf391e7f9
 2022-01-18 19:40:26 -05:00
John Wu
ce225f8bfb Merge "Add keystore2 LIST permission to system_server" 2022-01-19 00:05:29 +00:00
Victor Hsieh
88d93b984a Remove odrefresh privileges no longer needed for CompOS 
Bug: 210998077
Test: m; TH
Change-Id: I4188a52c42ede9fb248b889596b91c965696fb2d
 2022-01-18 12:56:27 -08:00
Victor Hsieh
6f6815efde Remove compos_internal_service 
Bug: 210998077
Test: m; TH
Change-Id: Id3c7fcab56de5f71b00e21bd53829b2471e07d77
 2022-01-18 12:51:55 -08:00
Paul Thomson
4c834adc0a Add additional sepolicy rules for gpuservice 
Allow gpuservice to access read/write BPF maps.

Bug: b/213577594
Change-Id: I487754c008a53819715a6bfc5da10182d87de413
 2022-01-17 16:34:03 +00:00
Andrew Walbran
a0b12be876 Merge "Allow crosvm to mlock VM memory." 2022-01-17 11:58:08 +00:00
Hungming Chen
7f4a2ab9fe clatd: remove spurious privs 
Since the clatd has some code cleanup, these privs are not required
anymore.

Bug: 212345928
Test: manual test
1. Connect to ipv6-only wifi.
2. Try IPv4 traffic.
   $ ping 8.8.8.8

Change-Id: Ib801a190f9c14ee488bc77a43ac59c78c44773ab
 2022-01-16 14:28:57 +08:00
Yabin Cui
f17fb4270c Add sepolicy for simpleperf_boot. 
simpleperf_boot is the secontext used to run simpleperf from init,
to generate boot-time profiles.

Bug: 214731005
Test: run simpleperf manually
Change-Id: I6f37515681f4963faf84cb1059a8d5845c2fe5a5
 2022-01-15 16:12:51 -08:00
Treehugger Robot
d6a5b604ce Merge "Add sepolicy for logd and logcat services" 2022-01-14 20:44:35 +00:00
Nikita Ioffe
52e44e8022 Merge "Move allow rules from public/app.te to private/app.te" 2022-01-14 17:47:29 +00:00
Andrew Walbran
ed82cc82be Allow crosvm to mlock VM memory. 
Bug: 204298056
Change-Id: I5b00273ffa37d4c1ea2f26bb40822abd0d094d90
 2022-01-14 13:47:05 +00:00
Akilesh Kailash
9de6ad61ff Merge "New property to control Async I/O for snapuserd" 2022-01-14 00:06:23 +00:00
Nikita Ioffe
269e7cfc51 Move allow rules from public/app.te to private/app.te 
Allow rules in public/*.te can only reference types defined in
public/*.te files. This can be quite cumbersome in cases a rule needs to
be updated to reference a type that is only defined in private/*.te.

This change moves all the allow rules from public/app.te to
private/app.te to make it possible to reference private types in the
allow rules.

Bug: 211761016
Test: m
Test: presubmit
Change-Id: I0c4a3f1ef568bbfdfb2176869fcd92ee648617fa
Merged-In: I0c4a3f1ef568bbfdfb2176869fcd92ee648617fa
 2022-01-13 22:56:14 +00:00
John Wu
cd5cf383f1 Add keystore2 LIST permission to system_server 
This is required for listing all key aliases of other APP domains' keys
in order to migrate keys on behalf of the updated app by PMS.

Test: builds
Bug: 211665859
Change-Id: I541fb81e6186288a1e852ce60882651f838e36dc
 2022-01-13 14:26:28 -08:00
Wenhao Wang
6a656c0b67 Add sepolicy for logd and logcat services 
The logd binder service is on logd side.
The logcat binder service is on system_server side.
These two binder services facilitate the binder RPC
between logd and system_server.

Bug: 197901557
Test: manual
Change-Id: I5f08bbb44a88dc72302331ab11c7d54f94db16ac
 2022-01-13 11:38:43 -08:00
Akilesh Kailash
5c5fd255d2 New property to control Async I/O for snapuserd 
io_uring_setup() system call requires ipc_lock.

(avc: denied { ipc_lock } for comm="snapuserd" capability=14 scontext=u:r:snapuserd:s0 tcontext=u:r:snapuserd:s0 tclass=capability permissive=0)

Add selinux policy.

Bug: 202784286
Test: OTA tests
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I806714c7ade0a5d4821b061396c9f064ee5ed8b6
 2022-01-13 06:27:46 +00:00
Jeremy Meyer
0f72360b2f Merge "Add resources_manager_service" 2022-01-12 20:41:28 +00:00
Yabin Cui
927d7a752b Restrict write access to etm sysfs interface. 
Bug: 213519191
Test: boot device
Change-Id: I40d110baea5593a597efa3c14fd0adecee23fc0f
 2022-01-11 14:12:52 -08:00
Jeremy Meyer
d8a3c2b156 Add resources_manager_service 
Test: manual, calling the service with `adb shell cmd` works
Bug: 206615535
Change-Id: I8d3b945f6abff352991446e5d88e5a535a7f9ccf
 2022-01-10 23:03:42 +00:00
Michael Rosenfeld
30aace3ebe Merge "Allow the shell to disable charging." 2022-01-10 22:18:49 +00:00
Florian Mayer
11db93a15b Merge "[MTE] Allow system_app to write memtag property." 2022-01-10 21:12:02 +00:00
Michael Rosenfeld
5425c870f9 Allow the shell to disable charging. 
Bug: 204184680
Test: manual and through instrumentation
Change-Id: I1fe9b35d51140eccba9c05c956875c512de447b1
 2022-01-10 10:36:01 -08:00
Florian Mayer
39f29f758e [MTE] Allow system_app to write memtag property. 
Bug: 206895651
Change-Id: I6463965c094b9b3c4f3f70929a09e109ee9c84b9
 2022-01-07 11:39:10 -08:00
Treehugger Robot
46680d001f Merge "Allow VS to run derive_classpath" 2022-01-07 09:11:08 +00:00