Treehugger Robot
982f5c6d29
Merge "microdroid: allow microdroid_manager to read AVF debug policy" am: 35a1bb8e32
am: d395216ffc
am: aabbb5c6ca
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2505675
Change-Id: I1f7fb57a0f0476fcec64656a30ef29366f7a2b7f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-27 16:16:58 +00:00
Hector Dearman
c9ff8d010b
Merge "Allow traced_probes to subscribe to statsd atoms"
2023-03-27 16:04:42 +00:00
Andy Hung
87c666527f
[automerger skipped] Merge "sepolicy: Add spatial audio tuning properties." am: bd89baaecf
am: 5a3972f7bc
-s ours
...
am skip reason: Merged-In Ie7e656acbdd3fe101ecbd2cc9dfb6c8a440a6a8b with SHA-1 574369e474 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2504836
Change-Id: I84152780671d288973b8920764626f913893e812
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-27 15:46:37 +00:00
Treehugger Robot
aabbb5c6ca
Merge "microdroid: allow microdroid_manager to read AVF debug policy" am: 35a1bb8e32
am: d395216ffc
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2505675
Change-Id: I112b694b83a92248c6b79ada9cee231583bca5b9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-27 15:46:14 +00:00
Andy Hung
5a3972f7bc
Merge "sepolicy: Add spatial audio tuning properties." am: bd89baaecf
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2504836
Change-Id: Ie06653fcfba7ef4fc6bb258cc29e56a338574318
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-27 15:31:47 +00:00
Andy Hung
bd89baaecf
Merge "sepolicy: Add spatial audio tuning properties."
2023-03-27 15:22:49 +00:00
Treehugger Robot
d395216ffc
Merge "microdroid: allow microdroid_manager to read AVF debug policy" am: 35a1bb8e32
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2505675
Change-Id: Idc96080a11029f2c89d498013f489df0fd4bcc23
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-27 15:16:57 +00:00
Treehugger Robot
35a1bb8e32
Merge "microdroid: allow microdroid_manager to read AVF debug policy"
2023-03-27 14:48:13 +00:00
Nikita Ioffe
4bfda5ba89
Add domain level neverallow to restrict access to ptrace
...
Bug: 271562015
Test: m
Change-Id: I48f9a0fc5e708e15dd103d6ed369c8fe43d70495
2023-03-27 14:45:33 +01:00
Jeffrey Vander Stoep
8c7932d539
Merge "Audit use of watch and watch_reads on apk_data_file" into udc-dev
2023-03-27 12:54:27 +00:00
Jeff Vander Stoep
3fbb177016
Audit use of watch and watch_reads on apk_data_file
...
This can be used as a side channel to observe when an application
is launched.
Ignore-AOSP-First: Security fix
Bug: 231587164
Test: boot device, install/uninstall apps. Observe no new denials.
Test: Run researcher provided PoC. Observe audit messages.
Change-Id: I8434d9e3093ddc3109ac67d0870b7f664fb6f08e
2023-03-27 12:30:15 +02:00
Treehugger Robot
f121440661
Merge "Grant execute on toolbox_exec for isolated_compute_app" am: e105f468d7
am: e968fdb082
am: 249397458d
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2505639
Change-Id: I35eaf087bf64b73507db8afee6f86677a896777b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-27 09:28:04 +00:00
Treehugger Robot
3632ed565e
Merge "Allow CompOS to read VM config properties" am: 42f1cad645
am: 36717942d2
am: 4f957f610c
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2501960
Change-Id: Iaa1eb37cb618d30e9a9396cd3ede75a10ab05c61
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-27 09:27:46 +00:00
Alan Stokes
5f7af06cb8
Remove policy for non-existent devices am: 4f92d5bd99
am: 1d33d118a5
am: cd10974d13
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2506240
Change-Id: Ibe1b923b0168ed58d75539626bb0714c4b65edf3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-27 09:27:33 +00:00
Treehugger Robot
249397458d
Merge "Grant execute on toolbox_exec for isolated_compute_app" am: e105f468d7
am: e968fdb082
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2505639
Change-Id: I8ec3df2cb163bc8422ad44c076abc50d0b5aef96
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-27 08:59:11 +00:00
Treehugger Robot
4f957f610c
Merge "Allow CompOS to read VM config properties" am: 42f1cad645
am: 36717942d2
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2501960
Change-Id: I6ffea9c7f54b7c3f71f4324cb1740322739ba69a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-27 08:58:56 +00:00
Alan Stokes
cd10974d13
Remove policy for non-existent devices am: 4f92d5bd99
am: 1d33d118a5
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2506240
Change-Id: If1742a881b7f0efcc75673ae2ea3c1e5e598180a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-27 08:58:41 +00:00
Treehugger Robot
e968fdb082
Merge "Grant execute on toolbox_exec for isolated_compute_app" am: e105f468d7
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2505639
Change-Id: I33364277c3273aad6887ea1c460c08310fa2a321
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-27 08:32:54 +00:00
Treehugger Robot
36717942d2
Merge "Allow CompOS to read VM config properties" am: 42f1cad645
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2501960
Change-Id: I0b34e1514aea1ea188dfe3cd93f6e4a95eecf0ec
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-27 08:32:39 +00:00
Alan Stokes
1d33d118a5
Remove policy for non-existent devices am: 4f92d5bd99
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2506240
Change-Id: If60fc206454e6d234993aff5abfb8e51cc198bdd
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-27 08:30:58 +00:00
Treehugger Robot
e105f468d7
Merge "Grant execute on toolbox_exec for isolated_compute_app"
2023-03-27 08:03:36 +00:00
Treehugger Robot
42f1cad645
Merge "Allow CompOS to read VM config properties"
2023-03-27 07:58:18 +00:00
Jaewan Kim
867bc33ede
microdroid: allow microdroid_manager to read AVF debug policy
...
Bug: 272752814
Test: atest on devices without AVF debug policy
Change-Id: I3fdbdd49f0e775b4b054328dc25c5f2ba1f9712f
2023-03-27 03:52:27 +00:00
Thiébaud Weksteen
e9ac9ce0f3
Grant execute on toolbox_exec for isolated_compute_app
...
In commit 7ba4801, the execute permission for all isolated_app was
removed. Grant access to isolated_compute_app which requires it.
The new treble test TestIsolatedAttributeConsistency is updated to
capture the new permission. See b/275263760.
Bug: 265960698
Bug: 275024392
Bug: 275263760
Test: atest CtsVoiceInteractionTestCases:android.voiceinteraction.cts.VoiceInteractionServiceTest
Change-Id: Ide27a7e351e8f53b0f5b1ad918a508d04ef515a1
2023-03-27 12:44:03 +11:00
Alan Stokes
4f92d5bd99
Remove policy for non-existent devices
...
We still had policy for devices which do not currently exist in
Microdroid. Remove the unused types and all references to them in the
policy, since they have no effect and just bloat the policy.
While I'm here, delete all the bug_map entries. We don't use the
bug_map in Microdroid, and this is just an outdated snapshot from host
policy.
Bug: 274752167
Test: atest MicrodroidTests
Test: composd-cmd test-compile
Change-Id: I3ab90f8e3517c41eff0052a0c8f6610fa35ccdcb
2023-03-24 18:13:18 +00:00
Treehugger Robot
66cb4aa928
Merge "Don't run ComposHostTestCases in presubmit" am: 1b382aa8b0
am: e7fc28b43f
am: e21262c1a9
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2506475
Change-Id: I4bd3c33063b9909369b16ffa6fbd90a6ace5ab62
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-24 13:57:42 +00:00
Treehugger Robot
e21262c1a9
Merge "Don't run ComposHostTestCases in presubmit" am: 1b382aa8b0
am: e7fc28b43f
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2506475
Change-Id: I83b62401ed89a5cc89f8589c8a7ed3ff5b0a288b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-24 13:27:46 +00:00
Treehugger Robot
e7fc28b43f
Merge "Don't run ComposHostTestCases in presubmit" am: 1b382aa8b0
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2506475
Change-Id: I67b0c4763bc1c5dd8ec2d3efbc64c41a40b1641c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-24 12:59:12 +00:00
Treehugger Robot
1b382aa8b0
Merge "Don't run ComposHostTestCases in presubmit"
2023-03-24 12:35:10 +00:00
Thiébaud Weksteen
c3f9e415d9
Merge "Remove implicit access for isolated_app" am: 8ac5737d42
am: 065a7de2f9
am: e9fa1b60a1
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2494689
Change-Id: I29b4ace8388b325375eb3a0e261b2cd0a8973982
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-24 04:53:02 +00:00
Andy Hung
3f71b6c9ad
sepolicy: Add spatial audio tuning properties. am: 574369e474
am: 789c2937a5
...
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/22241161
Change-Id: I77da89be388992dbf5030a51edcb8d2108867b1a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-24 04:52:52 +00:00
Thiébaud Weksteen
e9fa1b60a1
Merge "Remove implicit access for isolated_app" am: 8ac5737d42
am: 065a7de2f9
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2494689
Change-Id: I0be0c322a5cefa55a8119e3bc8ca568805ce5f05
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-24 04:36:43 +00:00
Andy Hung
789c2937a5
sepolicy: Add spatial audio tuning properties. am: 574369e474
...
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/22241161
Change-Id: I00a6e7937068ee8a3006223ba6d320c90a73321e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-24 04:22:53 +00:00
Thiébaud Weksteen
065a7de2f9
Merge "Remove implicit access for isolated_app" am: 8ac5737d42
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2494689
Change-Id: I8bab40e1f1a034e65bc531a99cbc4db3021f6582
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-24 04:09:19 +00:00
Andy Hung
16a79f885d
sepolicy: Add spatial audio tuning properties.
...
audio.spatializer.pose_predictor_type
audio.spatializer.prediction_duration_ms
Test: compiles
Test: adb shell setprop with invalid enum fails.
Bug: 274849680
Merged-In: Ie7e656acbdd3fe101ecbd2cc9dfb6c8a440a6a8b
Change-Id: Ie7e656acbdd3fe101ecbd2cc9dfb6c8a440a6a8b
2023-03-23 20:56:59 -07:00
Thiébaud Weksteen
8ac5737d42
Merge "Remove implicit access for isolated_app"
2023-03-24 03:46:00 +00:00
Andy Hung
943d0bd852
[automerger skipped] Merge "sepolicy: Add spatial audio configuration properties" am: 2e206f8cc9
am: ea5100f1ad
-s ours am: 19a6c09576
-s ours
...
am skip reason: Merged-In I190644e88a520cf13ee2b56066d5afd258460b9e with SHA-1 3b7b6c3b30 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2501016
Change-Id: Iac6625585152738bdd1a37251096d194b3f0604f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-24 01:42:56 +00:00
Andy Hung
19a6c09576
[automerger skipped] Merge "sepolicy: Add spatial audio configuration properties" am: 2e206f8cc9
am: ea5100f1ad
-s ours
...
am skip reason: Merged-In I190644e88a520cf13ee2b56066d5afd258460b9e with SHA-1 3b7b6c3b30 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2501016
Change-Id: Ib913959a4c3ed95e2e689dce8bb5c7c28493caf8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-24 01:40:18 +00:00
Andy Hung
ea5100f1ad
Merge "sepolicy: Add spatial audio configuration properties" am: 2e206f8cc9
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2501016
Change-Id: I61805a44c4f3d91d7921c8d48617915f498247fa
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-24 01:16:44 +00:00
Andy Hung
574369e474
sepolicy: Add spatial audio tuning properties.
...
audio.spatializer.pose_predictor_type
audio.spatializer.prediction_duration_ms
Ignore-AOSP-First: will land in AOSP later.
Test: compiles
Test: adb shell setprop with invalid enum fails.
Bug: 274849680
Change-Id: Ie7e656acbdd3fe101ecbd2cc9dfb6c8a440a6a8b
2023-03-23 18:01:42 -07:00
Andy Hung
2e206f8cc9
Merge "sepolicy: Add spatial audio configuration properties"
2023-03-24 00:41:02 +00:00
Changyeon Jo
89380c19c8
Allow EVS HAL to access graphics related properties
...
EVS Display HAL needs to access graphics related properties to configure
a pipeline to render the contents of graphics buffers.
Bug: 274695271
Test: m -j selinux_policy
Change-Id: I97a8a3f35f7118325cff9a8ae69485c0f73fe17f
2023-03-23 22:26:42 +00:00
Alan Stokes
26dcfc5416
Don't run ComposHostTestCases in presubmit
...
They're flaky on cuttlefish. Move to postsubmit instead.
Bug: 264496291
Test: N/A
Change-Id: I19b0357632be5a89e096fd1d9ce8d47dd865d245
2023-03-23 15:45:24 +00:00
Alan Stokes
a45646c024
Allow CompOS to read VM config properties
...
We want to allow both the VM and ART to contribute to the VM config
(e.g. memory size), so define labels for 2 sets of properties and
grant the necessary access.
Bug: 274102209
Test: builds
Change-Id: Iaca1e0704301c9155f44e1859fc5a36198917568
2023-03-23 15:40:14 +00:00
Satoshi Niwa
6c32aa519c
sepolicy: Add apex/com.android.tethering.inprocess-file_contexts am: 80cd0acd64
am: 6fa337fef5
am: dcbde45b66
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2504898
Change-Id: I3cddfbef5290c5898ebd218a258f4571370bb4ea
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-23 08:42:12 +00:00
Satoshi Niwa
dcbde45b66
sepolicy: Add apex/com.android.tethering.inprocess-file_contexts am: 80cd0acd64
am: 6fa337fef5
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2504898
Change-Id: I299e97e89c38500e6804589e50c57045443e1fea
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-23 08:03:53 +00:00
Satoshi Niwa
6fa337fef5
sepolicy: Add apex/com.android.tethering.inprocess-file_contexts am: 80cd0acd64
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2504898
Change-Id: I285ec1c77b57652e4ae18b12a93e90000362b21c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-23 07:27:20 +00:00
Satoshi Niwa
80cd0acd64
sepolicy: Add apex/com.android.tethering.inprocess-file_contexts
...
Needed when using com.android.tethering.inprocess with
flattened APEX.
Bug: 273821347
Test: trybot
Change-Id: Iae6d9547922575398c634433dc07b2e46fbffd8e
2023-03-23 12:43:48 +09:00
Thiébaud Weksteen
7ba4801b6e
Remove implicit access for isolated_app
...
Bug: 265960698
Test: flash, boot and use Chrome; no denials related to isolated_app
Test: crash Chrome using chrome://crash; no new denials from
isolated_app
Test: atest CtsWebkitTestCases
Change-Id: I0b9e433eb973a5e99741fc88be5e13e9704c9c9e
2023-03-23 12:59:21 +11:00
Charles Chen
693c4352d9
Merge "Compliance test added for isolated_app_all" am: 3e86cee7c4
am: 3503d2ade9
am: c038c59be9
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2491881
Change-Id: Id41394d840c47aa14d50f461da52fe2e9dca5bbe
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-23 00:37:47 +00:00