Commit graph

35393 commits

Author SHA1 Message Date
Treehugger Robot
b289dc4d1d Merge "Grant system_app permission to access cgroup_v2 directories" 2022-02-04 19:26:00 +00:00
Christine Franks
639c48d146 Add uhid_device to system_server
Bug: 217275682
Change-Id: I1ae74868344da290727df2474712b8b6ad2efdd7
Test: n/a
2022-02-04 15:13:43 +00:00
Treehugger Robot
eb03dcc59c Merge "Allow VM clients access to hypervisor capability" am: 391f2b26fc
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1970590

Change-Id: I4de2693ef001b522132f393ffe9c970fa8c652c3
2022-02-04 09:50:49 +00:00
Treehugger Robot
391f2b26fc Merge "Allow VM clients access to hypervisor capability" 2022-02-04 09:37:19 +00:00
Treehugger Robot
713984514c Merge "bluetooth.device.class_of_device should be type string" am: 7b7a42e6cf
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1969420

Change-Id: I6acf3397d7b922943f8ce144e95375bf1a66a001
2022-02-04 01:00:51 +00:00
Treehugger Robot
7b7a42e6cf Merge "bluetooth.device.class_of_device should be type string" 2022-02-04 00:38:52 +00:00
Kevin Han
641d56be3f Merge "Extend visibility of hibernation service for CTS" am: 4d81dc33f8
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1966099

Change-Id: I39ef4366bb10c73dfab63b73599e653ea9d3d288
2022-02-04 00:01:09 +00:00
Kevin Han
4d81dc33f8 Merge "Extend visibility of hibernation service for CTS" 2022-02-03 23:43:03 +00:00
Seth Moore
10ec76f621 Add remotely provisioned key pool se policy am: a75cad0d0a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1969539

Change-Id: If71da72859fb454be505d02c40de2bcbf34bca97
2022-02-03 23:13:55 +00:00
Alan Stokes
3864ea8e4a Allow VM clients access to hypervisor capability
Clients of virtualization service use these properties to
determine whether normal and protected VMs are supported and tailor
their VM requests accordingly.

Bug: 217687661
Test: adb unroot; adb shell getprop | grep ro.boot.hypervisor
Change-Id: Ia1c017c2346217dbc45973cbfb5adbecabedf050
2022-02-03 12:18:11 +00:00
Seth Moore
a75cad0d0a Add remotely provisioned key pool se policy
Keystore now hosts a native binder for the remotely provisioned key
pool, which is used to services such as credstore to lookup remotely
provisioned keys.

Add a new service context and include it in the keystore services.

Add a dependency on this new service for credstore. Also include a
credstore dependency on IRemotelyProvisionedComponent, as it's needed
to make use of the key pool.

Bug: 194696876
Test: CtsIdentityTestCases
Change-Id: I0fa71c5be79922a279eb1056305bbd3e8078116e
2022-02-02 15:07:26 -08:00
Sal Savage
724381a97a bluetooth.device.class_of_device should be type string
Bug: 217452259
Test: Manual, set property in system.prop, build, flash, make sure value
is reflected in getprop | grep bluetooth.device

Change-Id: Id4bfebb4da5bcd64ea4bac8e3c9e9754c96256c6
2022-02-02 14:13:41 -08:00
Bart Van Assche
be3ff9b93a Grant system_app permission to access cgroup_v2 directories
Without this change, the migration of the blkio controller to the cgroup
v2 hierarchy triggers the following denials:

01-31 19:00:59.086  4494  4494 I auditd  : type=1400 audit(0.0:7): avc: denied { write } for comm=4173796E635461736B202331 name="pid_4494" dev="cgroup2" ino=3545 scontext=u:r:system_app:s0 tcontext=u:object_r:cgroup_v2:s0 tclass=dir permissive=0
01-31 19:00:59.086  4494  4494 I auditd  : type=1400 audit(0.0:8): avc: denied { write } for comm=4173796E635461736B202331 name="pid_4494" dev="cgroup2" ino=3545 scontext=u:r:system_app:s0 tcontext=u:object_r:cgroup_v2:s0 tclass=dir permissive=0
01-31 19:00:59.086  4494  4494 I auditd  : type=1400 audit(0.0:7): avc: denied { write } for comm=4173796E635461736B202331 name="pid_4494" dev="cgroup2" ino=3545 scontext=u:r:system_app:s0 tcontext=u:object_r:cgroup_v2:s0 tclass=dir permissive=0
01-31 19:00:59.086  4494  4494 I auditd  : type=1400 audit(0.0:8): avc: denied { write } for comm=4173796E635461736B202331 name="pid_4494" dev="cgroup2" ino=3545 scontext=u:r:system_app:s0 tcontext=u:object_r:cgroup_v2:s0 tclass=dir permissive=0

Bug: 213617178
Test: Booted Android in the Cuttlefish emulator.
Change-Id: I20f136d5cd58fa4ebabbb5a328fc6001b11110d7
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-02-02 17:37:45 +00:00
Andrew Scull
e1a1607e1b Merge changes I82f0c2ef,I013894de am: 7e07941d3d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1966617

Change-Id: Ia20dfb636599a2e0ab2d46efd8df46c9dcc3f8d8
2022-02-02 14:13:55 +00:00
Jonas 5 Persson
aa9d421655 Allow policy tests to support space in file names
Though libsepol supports it since selinux commit 644c5bbb,
test code couldn't handle whitespace in file name in policy
database.

Solved by splitting string once from left and then once
from right to avoid split of whitespace in file name.

Minimal reproducing example:
$ echo '(genfscon sysfs "/s/p a/ce" (USER ROLE TYPE ((SENS) (SENS))))' > s.cil
$ secilc -m -o s.db external/selinux/secilc/test/minimum.cil s.cil
$ searchpolicy --libpath out/host/linux-x86/lib64/libsepolwrap.so -sX --allow s.db
Traceback (most recent call last):
  File "/tmp/Soong.python_ra9it1nk/searchpolicy.py", line 52, in <module>
    pol = policy.Policy(args.policy, None, args.libpath)
  File "/tmp/Soong.python_ra9it1nk/policy.py", line 460, in __init__
    self.__InitGenfsCon()
  File "/tmp/Soong.python_ra9it1nk/policy.py", line 419, in __InitGenfsCon
    self.__GenfsDictAdd(self.__GenfsDict, buf.value.decode("ascii"))
  File "/tmp/Soong.python_ra9it1nk/policy.py", line 399, in __GenfsDictAdd
    fs, path, context = buf.split(" ")
ValueError: too many values to unpack (expected 3)

Test: manual, as described above
Test: cts SELinuxHostTest with spaces in a genfscon path
Change-Id: I7c74292513a63819ee7dc03ab4977ce9363589a4
2022-02-02 15:12:43 +01:00
Andrew Scull
7e07941d3d Merge changes I82f0c2ef,I013894de
* changes:
  Let VirtualizationService access hypervisor properties
  Tag new hypervisor properties
2022-02-02 13:54:11 +00:00
Andrew Scull
792b03ddb5 Let VirtualizationService access hypervisor properties
VirtualizationService uses the properties to discover hypervisor
capabilities. Allow it access for this purpose.

Bug: 216639283
Test: build
Change-Id: I82f0c2ef30c8fb2eefcac1adf83531dd3917fdb8
2022-02-02 13:53:50 +00:00
Lalit Maganti
139cce7cc7 Merge "sepolicy: Allow system domains to be profiled" am: fb9d097d03
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1966610

Change-Id: I53c4ae3c26dcc5579391e7a9319c939e75086a70
2022-02-02 12:21:46 +00:00
Lalit Maganti
fb9d097d03 Merge "sepolicy: Allow system domains to be profiled" 2022-02-02 12:04:38 +00:00
Andrew Walbran
7e78484d39 Merge "virtualizationservice no longer tries to check for pKVM extension." am: 48cf9591f6
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1965102

Change-Id: I901ae736b9e79507248f78def350af7ba21534d3
2022-02-02 09:25:26 +00:00
Andrew Walbran
48cf9591f6 Merge "virtualizationservice no longer tries to check for pKVM extension." 2022-02-02 09:08:18 +00:00
Roopa Sattiraju
dd862e57ee Changing sepolicy file to the right apex name am: 89556c69df
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1967166

Change-Id: Ib38c787a25ced135ff427eb7345247f1e239dcc4
2022-02-02 05:34:27 +00:00
Roopa Sattiraju
89556c69df Changing sepolicy file to the right apex name
Bug: 216476895
Test: Compile
Change-Id: I31a5534bad0f5c01ee163f109fa5dd0b54835ea8
2022-02-01 15:59:30 -08:00
Andrew Scull
87ac3c3f80 Tag new hypervisor properties
The properties that report hypervisor capabilities are grouped with the
other hypervisor properties for sepolicy.

Bug: 216639283
Test: buid
Change-Id: I013894de637bb7e40a450df6439ebbd5cba28c2b
2022-02-01 18:17:10 +00:00
Andrew Walbran
2f27f96022 virtualizationservice no longer tries to check for pKVM extension.
This was fixed in https://r.android.com/1963701, as it never worked.
This partially reverts commit 2dd48d0400.

Change-Id: I6e7096e20fd594465fb1574b11d6fecc82f5d82f
2022-02-01 16:37:13 +00:00
Lalit Maganti
bb197bba02 sepolicy: Allow system domains to be profiled
Bug: 217368496
Doc: go/field-tracing-t
Change-Id: Ie95c0cc2b1f9e8fa03f6112818936af692edf584
2022-02-01 16:27:26 +00:00
Andrew Scull
50094d86cf Merge "Allow the microdroid app to use diced" am: 4bbfaa6a2d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1965106

Change-Id: Ic340f816742ca2ad713521012a7d42279b660f99
2022-02-01 13:39:02 +00:00
Andrew Scull
4bbfaa6a2d Merge "Allow the microdroid app to use diced" 2022-02-01 13:23:20 +00:00
Treehugger Robot
8a96be8df9 Merge "Adds selinux rules for ICarDisplayProxy service" am: 108fdbc5f7
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1965562

Change-Id: I4954e05e2c8e7ce34f09120c137102fe134d1227
2022-01-31 22:09:21 +00:00
Treehugger Robot
108fdbc5f7 Merge "Adds selinux rules for ICarDisplayProxy service" 2022-01-31 21:52:46 +00:00
Changyeon Jo
66eba13833 Adds selinux rules for ICarDisplayProxy service
Bug: 170401743
Test: m -j selinux_policy
Change-Id: Idf3f09d0bcf24de18d6eddb05e51991b4c5edbe8
2022-01-31 19:40:20 +00:00
Treehugger Robot
d2eabdb5a0 Merge "Build precompiled_sepolicy.apex_sepolicy.sha256" am: d0120eb4ac
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1965099

Change-Id: Ica7c23a256f9ee99c2f4a19cc00b4f0496297f84
2022-01-31 09:29:38 +00:00
Treehugger Robot
d0120eb4ac Merge "Build precompiled_sepolicy.apex_sepolicy.sha256" 2022-01-31 09:11:05 +00:00
Andrew Scull
248e8a998f Allow the microdroid app to use diced
Bug: 214231981
Test: atest MicrodroidTestApp
Change-Id: I9672d678c7b698d15a0efa8dab567dbc2696ca81
2022-01-30 22:42:38 +00:00
Thiébaud Weksteen
0603b86049 Merge "Split sepolicy_neverallow rule" am: 080a201dee
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1962379

Change-Id: Iaa5cf554b34902865b0a5c7f09a9c198d97354a3
2022-01-30 22:23:39 +00:00
Thiébaud Weksteen
080a201dee Merge "Split sepolicy_neverallow rule" 2022-01-30 22:16:35 +00:00
Thiébaud Weksteen
5dec00e247 Merge "Grant getpgid to system_server on zygote" am: 79ff061802
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1963561

Change-Id: Ie4afeda8caebf6cbd4be30a0b772715d8c3dc3e2
2022-01-30 22:14:58 +00:00
Thiébaud Weksteen
79ff061802 Merge "Grant getpgid to system_server on zygote" 2022-01-30 21:59:04 +00:00
Huihong Luo
270ddf48d0 Merge "Migrate screenshot methods to AIDL" am: 9b82051367
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1954716

Change-Id: I67bfa6d8d94bcb2406fcdb3e6bf99fa4630af55c
2022-01-29 21:35:33 +00:00
Huihong Luo
9b82051367 Merge "Migrate screenshot methods to AIDL" 2022-01-29 21:17:18 +00:00
Kevin Han
4ef3178e8c Extend visibility of hibernation service for CTS
Expand the visibility of the app hibernation service so that CTS can
actually test the APIs.

Bug: 216383448
Test: atest AppHibernationIntegrationTest
Change-Id: Ibde79c9b7e2d863a7c8f4f311ec008cd72962d45
2022-01-28 18:48:56 -08:00
Daniel Norman
2d1c5129d9 Expose the APEX multi-install props to non-root getprop.
Used for *TS testing to ensure that user devices do not multi-install
APEXes.

Bug: 216852347
Test: (non root) getprop | grep ro.boot.vendor.apex
Change-Id: Ibc670fefbf89c4a4c1fa5d2ab9d7784c04946690
2022-01-28 16:16:12 -08:00
Android Build Coastguard Worker
44c1ccff68 Merge cherrypicks of [16745824] into sc-v2-release.
Change-Id: Id6133d5ad3443aa91bb82f285194986abbe16b7f
2022-01-28 22:50:42 +00:00
Zim
c38b81ce4f Allow MediaProvider to access the media metrics service
This allows MediaProvider call certain MediaCodec APIs

Also update prebuilts for API 32.

Test: atest TranscodeTest
Bug: 190422448
Merged-In: Ied609152e6a9ba6d17b70db325ca33f1cb345eb8
Change-Id: Ied609152e6a9ba6d17b70db325ca33f1cb345eb8
(cherry picked from commit 57401bc71f)
Merged-In:Ied609152e6a9ba6d17b70db325ca33f1cb345eb8
2022-01-28 22:46:54 +00:00
Etienne Ruffieux
ecac410d40 Merge "Bluetooth boot time start service" am: f3acf42a4c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1965101

Change-Id: I116996cf7b5e1d9b94b8f76119fb91d2eaf52a9b
2022-01-28 20:26:41 +00:00
Etienne Ruffieux
f3acf42a4c Merge "Bluetooth boot time start service" 2022-01-28 20:13:35 +00:00
Treehugger Robot
6093f3febf Merge "Move pf_key socket creation permission to system_server" am: d3d214482f
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1964902

Change-Id: I5a17509a858aa1fd7b068943a5cfd457518ddb27
2022-01-28 19:07:14 +00:00
Treehugger Robot
d3d214482f Merge "Move pf_key socket creation permission to system_server" 2022-01-28 19:01:36 +00:00
Robert Shih
0de1ba742a Merge "Add sepolicy for DRM AIDL HAL" am: d70f0af2bf
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1918837

Change-Id: I34ff7ea1a6cbb6e8f0c11759b4ceb7366b8e2992
2022-01-28 19:01:02 +00:00
Robert Shih
d70f0af2bf Merge "Add sepolicy for DRM AIDL HAL" 2022-01-28 18:40:53 +00:00