David Anderson
08a08ab21f
Fix fastbootd denials when using /proc/bootconfig.
...
Bug: 189493387
Test: fastboot flashall on device using bootconfig
Change-Id: Ibfb7c8a2861f61803a449a4b0ec9ed92ded5c4de
2021-06-07 18:40:24 -07:00
Inseob Kim
31db274078
Call SkipInstall before InstallFile
...
InstallFile skips install only if SkipInstall is called before
InstallFile.
Bug: 190442286
Test: build/soong/scripts/build-ndk-prebuilts.sh
Change-Id: Ic497e34816ea5ac23be45e34c242b59bf1a01e28
2021-06-08 10:31:09 +09:00
Inseob Kim
bf48ef246a
Merge "Remove microdroid specific rules and files" am: af2697a452
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1728032
Change-Id: Ibd151eca327f00cc04f85c655631301d7cbe00e2
2021-06-08 01:04:31 +00:00
Tej Singh
8bd5ea7e60
Merge "Make *-apex-info-list.xml readable by shell" am: 6550adcaed
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1729178
Change-Id: I5a04e0a0fa7230f77bfcfc1399fc0528ccfc9210
2021-06-08 01:03:49 +00:00
Inseob Kim
af2697a452
Merge "Remove microdroid specific rules and files"
2021-06-08 00:53:26 +00:00
Tej Singh
6550adcaed
Merge "Make *-apex-info-list.xml readable by shell"
2021-06-08 00:47:33 +00:00
Tej Singh
75385efd27
Make *-apex-info-list.xml readable by shell
...
Enables CTS testing of the bootstrap apexes.
Bug: 186767843
Test: adb shell cat bootstrap-apex-info-list.xml works without root
Change-Id: Icf56d32d296f5a42160dbd9ea90a89c8b4db6aa7
2021-06-07 21:39:34 +00:00
Treehugger Robot
b6f2c42245
Merge "Add a new SF property for setting uclamp.min" am: 6a94b64583
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1729630
Change-Id: I961a5dc9085f2324f961659b8b453b31452dc7bd
2021-06-07 21:15:31 +00:00
Treehugger Robot
6a94b64583
Merge "Add a new SF property for setting uclamp.min"
2021-06-07 20:55:10 +00:00
Nikita Ioffe
14215d4b74
Allow apexd to write to /apex/apex-info-list.xml am: 5b4e13f73f
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1729392
Change-Id: I930d1d27d983d6dbca4089148a3d023905f446e5
2021-06-07 19:08:30 +00:00
Wei Wang
7dc88f080b
Add a new SF property for setting uclamp.min
...
Bug: 190137562
Test: boot and check uclamp.min of SF
Signed-off-by: Wei Wang <wvw@google.com>
Change-Id: I2acca834f6257f5e718413b831b78c487520b0cd
2021-06-07 11:51:56 -07:00
Nikita Ioffe
5b4e13f73f
Allow apexd to write to /apex/apex-info-list.xml
...
After non-staged install apexd needs to update apex-info-list.xml.
Test: m
Bug: 187864524
Bug: 188713178
Change-Id: I78e182c70b5c34b8a763ed41ddd8130fa3e787a6
Merged-In: I78e182c70b5c34b8a763ed41ddd8130fa3e787a6
(cherry picked from commit 894657bea3)
2021-06-07 18:05:16 +01:00
Treehugger Robot
0302d30cb2
Merge "Revert "priv_app: use per-app selinux contexts"" am: c9b4286e05
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1729111
Change-Id: I785693defc9ef5c11531f221f7e468746ddfeba3
2021-06-07 15:30:19 +00:00
Treehugger Robot
c9b4286e05
Merge "Revert "priv_app: use per-app selinux contexts""
2021-06-07 15:09:32 +00:00
Jeff Vander Stoep
538e0d6d0e
Revert "priv_app: use per-app selinux contexts"
...
There's some fragility in how selinux contexts are assigned
to apps with sharedUserId. As a result, some apps which share
a UID can end up in separate selinux domains. This causes bugs
when part of the app has the levelFrom=all categories set, and
other parts only have levelFrom=user resulting in an mls category
mismatch. Until this is fixed, revert back to using levelFrom=user
for priv_app.
This reverts commit 4e7769e040.
Bug: 188141923
Test: com.google.android.gts.devicepolicy.DeviceOwnerTest#testPendingSystemUpdate
Change-Id: Ic4256f9056f2c218ca94628d0707eb893f83fa5a
2021-06-07 14:28:34 +02:00
Inseob Kim
5d269aaa55
Remove microdroid specific rules and files
...
These are moved to packages/modules/Virtualization.
Bug: 189165759
Test: boot device and microdroid
Test: atest MicrodroidHostTestCases
Change-Id: I050add7fef56ced4787117f338e7b5d1fda1c193
2021-06-07 19:22:18 +09:00
Calin Juravle
7cf5f0c41e
Allow system_server_startup to read ART config am: cf6a7e9821
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1726492
Change-Id: I170585f6ecc39103f60e62c2ef6e1f9824048505
2021-06-03 19:50:49 +00:00
Calin Juravle
cf6a7e9821
Allow system_server_startup to read ART config
...
Denial:
06-03 14:18:31.491 691 691 I auditd : type=1400 audit(0.0:88): avc:
denied { read } for comm="system_server"
name="u:object_r:device_config_runtime_native_prop:s0" dev="tmpfs"
ino=140 scontext=u:r:system_server_startup:s0
tcontext=u:object_r:device_config_runtime_native_prop:s0 tclass=file
permissive=0
Test: DeviceBootTest.DeviceBootTest#SELinuxUncheckedDenialBootTest
Bug: 181748174
Change-Id: I5e7624e2410e6c533e7ef238a0c3cc38ff6e368a
2021-06-03 08:17:21 -07:00
Calin Juravle
e6bf8c1409
Merge "Enable ART properties modularization" am: c4efcbdc06
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1710967
Change-Id: I40cb9f712f70a78e312e5cd8e0e9ee59088d849a
2021-06-02 14:41:08 +00:00
Treehugger Robot
deacec1387
Merge "Allow adb to pull jar files from /vendor/framework/." am: 7188696c6d
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1724710
Change-Id: I31c08d35b0888ee5dd69d181f853c3939d0f308a
2021-06-02 14:40:32 +00:00
Calin Juravle
c4efcbdc06
Merge "Enable ART properties modularization"
2021-06-02 14:39:36 +00:00
Treehugger Robot
7188696c6d
Merge "Allow adb to pull jar files from /vendor/framework/."
2021-06-02 14:23:50 +00:00
Andrew Walbran
eb21b41c90
Allow init to clear VirtualizationService data directory.
...
Bug: 184131523
Bug: 189725484
Test: mm
Change-Id: Ie4f38266e32c64b52f55da2c6d3fc9e4c1a4c572
2021-06-02 14:05:28 +00:00
Treehugger Robot
ede6e56f73
Merge "Add permissions for microdroid vold and keymint" am: bab54f92e3
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1718975
Change-Id: Iff02b8760c61fcfa366b3cede0f4b223b5e49bdc
2021-06-02 13:30:31 +00:00
satayev
e3571ab94d
Allow adb to pull jar files from /vendor/framework/.
...
Bug: 187823488
Bug: 189417875
Test: atest GtsEdiHostTestCases in sc-dev
Change-Id: I8e1fa1682fb042d995585b4841cff97f32c4a09f
2021-06-02 14:18:56 +01:00
Treehugger Robot
bab54f92e3
Merge "Add permissions for microdroid vold and keymint"
2021-06-02 13:13:21 +00:00
Treehugger Robot
dd539387a5
Merge "uncrypt: allow reading /proc/bootconfig" am: 17a5e930cb
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1723311
Change-Id: I0068f78afd33c85a769545bf1b0d223f900c7fdd
2021-06-02 10:52:28 +00:00
Jooyung Han
b7a9b2bcb3
Merge "Allow microdroid_manager to execute shell, etc." am: f90484c205
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1722692
Change-Id: I8d47e815bb08960f82d42f6bf180851d2d3332b7
2021-06-02 10:52:04 +00:00
Treehugger Robot
17a5e930cb
Merge "uncrypt: allow reading /proc/bootconfig"
2021-06-02 10:35:28 +00:00
Jooyung Han
f90484c205
Merge "Allow microdroid_manager to execute shell, etc."
2021-06-02 10:28:19 +00:00
Thiébaud Weksteen
bc040ed697
Merge "Add tweek@ to OWNERS" am: cf09580dc7
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1723312
Change-Id: I34dd13cff4990ad91b01c5031fcfeca0ef1e75ef
2021-06-02 09:18:36 +00:00
Thiébaud Weksteen
cf09580dc7
Merge "Add tweek@ to OWNERS"
2021-06-02 08:59:04 +00:00
Thiébaud Weksteen
51a115c0fc
Add tweek@ to OWNERS
...
Change-Id: If18014ae5a94de2381ac5f01c4b8583fb04f1f92
2021-06-02 09:22:40 +02:00
Jeff Vander Stoep
e4116b4e44
uncrypt: allow reading /proc/bootconfig
...
It's needed when calling ReadDefaultFstab.
Fixes: 189509028
Test: build
Change-Id: I0d4bac7f2e3a25faa921c8d77cbf92f7808f0ab7
2021-06-02 08:46:59 +02:00
Jooyung Han
9562d7083e
Add rules for microdroid_manager am: d470ed7b47
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1720671
Change-Id: Id2955bad90a74ce35598ccc04a57872dea7cdc53
2021-06-02 01:56:03 +00:00
Jooyung Han
55393cc42b
Allow microdroid_manager to execute shell, etc.
...
Microdroid_manager should execute a command passed via a VM payload
config. Ideally, the spawned process should be in a dedicated domain
which has the right set of permissions.
For now, it is allowed to execute shell/toybox for testing/debugging. And
also it is allowed to access fusefs to load a library or a config file.
Bug: 189301496
Test: MicrodroidHostTestCases
Change-Id: I7872514b40a9e23bbbed2b3e1ccd322f4e9cf832
2021-06-02 09:54:12 +09:00
Jooyung Han
d470ed7b47
Add rules for microdroid_manager
...
Microdroid_manager is an executable in microdroid. Its role is to manage tasks
in microdroid and communicate with host's virtualizationservice.
To execute a task in microdroid, microdroid_manager should
- read "metadata" partition
- read VM payload config
- exec a command
Bug: 189301496
Test: atest MicrodroidHostTestCases
Change-Id: Iabbe0d3c8832f00df5c545e6b13fc55afa820b33
2021-06-02 09:50:54 +09:00
Calin Juravle
0b2ca6c22c
Enable ART properties modularization
...
ART is becoming a module and we need to be able to add new properties
without modifying the non updatable part of the platform:
- convert ART properties to use prefix in the namespace of
  [ro].dalvik.vm.
- enable appdomain and coredomain to read device_config properties
  that configure ART
Test: boot
Bug: 181748174
Change-Id: Id23ff78474dba947301e1b6243a112b0f5b4a832
2021-06-01 16:14:55 -07:00
Todd Kennedy
87674f0532
Merge "sepolicy: allow to play f2fs-compression for apk files" am: 7e7b6ab054
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1719991
Change-Id: I5c7436ac0348f511e774f95adc2f2140b905dea1
2021-06-01 15:04:40 +00:00
Todd Kennedy
7e7b6ab054
Merge "sepolicy: allow to play f2fs-compression for apk files"
2021-06-01 14:37:41 +00:00
Inseob Kim
91889d3d6c
Add permissions for microdroid vold and keymint
...
vold uses tune2fs and e2fsck.
Bug: 185767624
Test: boot microdroid
Change-Id: Ie10448c444f80aae9a1d34a6f7f32ffeac03c608
2021-06-01 20:32:42 +09:00
Tianjie Xu
8a58939f11
Merge "Add ro.vendor.build.fingerprint_has_digest to property context" am: 3b71803647
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1717076
Change-Id: I98e4bd4d51b3ed468b6a0f2f74ae0a6d912e74ad
2021-06-01 04:46:16 +00:00
Tianjie Xu
3b71803647
Merge "Add ro.vendor.build.fingerprint_has_digest to property context"
2021-06-01 04:31:07 +00:00
Jaegeuk Kim
1a15808dc0
sepolicy: allow to play f2fs-compression for apk files
...
This patch adds some ioctls for apk files and allows
shell to query for f2fs features.
Bug: 189169940
Test: Manual. Code runs.
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: Ia8bccf1bf663404b902703326a1853947b64e5ab
2021-05-27 20:31:17 -07:00
Alexander Dorokhine
9eeb72826c
Merge "Allow the appsearch apex access to the apexdata misc_ce dir." am: 73854e626d
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1715470
Change-Id: I83643659cd918f9570ae6a827e6ef65f80eb3b87
2021-05-27 21:08:10 +00:00
Alexander Dorokhine
73854e626d
Merge "Allow the appsearch apex access to the apexdata misc_ce dir."
2021-05-27 20:39:03 +00:00
Michael Ayoubi
98c9e96324
Merge "Change dck properties to int" am: 880e0ee101
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1718111
Change-Id: Ia950113f257197d4a97ae55b044cf4f9f2ece92b
2021-05-27 01:01:30 +00:00
Michael Ayoubi
880e0ee101
Merge "Change dck properties to int"
2021-05-27 00:35:30 +00:00
Andrew Walbran
899b1fe7d7
Merge "Rename VirtManager to VirtualizationService." am: 04e6256c94
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1715889
Change-Id: I661248e3d0ae4b5cec3b8765fcd4cf7a4ae7c952
2021-05-26 21:58:36 +00:00
Andrew Walbran
04e6256c94
Merge "Rename VirtManager to VirtualizationService."
2021-05-26 21:43:54 +00:00