Jooyung Han
1f47660fb4
Merge "Introduce vendor_apex_metadata_file" am: 94dc202954
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2606717
Change-Id: If60331ca4fed494c06a2e1d4bffb1ae7a684d342
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-08 00:30:01 +00:00
Jooyung Han
94dc202954
Merge "Introduce vendor_apex_metadata_file"
2023-06-07 23:59:59 +00:00
Steven Moreland
4f8749fb39
Merge "sepolicy: take sepolicy split in .mk" am: 394de71b25
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2608418
Change-Id: I9ae6b75996509cecc2ea272c8af4ef9d63087a69
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-05 23:19:09 +00:00
Steven Moreland
394de71b25
Merge "sepolicy: take sepolicy split in .mk"
2023-06-05 23:08:24 +00:00
Jooyung Han
b6211b88cf
Introduce vendor_apex_metadata_file
...
A new label for ./apex_manifest.pb and ./ entries in vendor apexes. This
is read-allowed by a few system components which need to read "apex" in
general. For example, linkerconfig needs to read apex_manifest.pb from
all apexes including vendor apexes.
Previously, these entries were labelled as system_file even for vendor
apexes.
Bug: 285075529
Test: m && launch_cvd
Test: atest VendorApexHostTestsCases
Change-Id: Icc234bf604e3cafe6da81d21db744abfaa524dcf
2023-06-05 17:17:51 +09:00
Jooyung Han
3d4795888e
Fix apex_sepolicy_tests_test am: 3e592f2eb6
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2614829
Change-Id: I00d9962fc6b941c0c79cbe7af1c5760d5e705077
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-05 03:21:32 +00:00
Jooyung Han
3e592f2eb6
Fix apex_sepolicy_tests_test
...
check_rule() should collect errors and return them. The previous fix was
early returning when there's a successful case.
Bug: 285225556
Test: atest apex_sepolicy_tests_test
Change-Id: I71c207210c565ab280f8794d201c074812b49acb
2023-06-05 01:52:14 +00:00
Steven Moreland
721f5af6a3
sepolicy: take sepolicy split in .mk
...
This value is always set to true in the core build
system. Removing reads of it so we can mark it as
obsolete.
Bug: 257176017
Test: build
Change-Id: Ie7a72496bd4712583944ed833cd4364c5e3c520b
2023-06-02 16:14:17 +00:00
Brian Lindahl
94a092c7d0
Move allow rule out of the neverallow section am: abbd8aeefd
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2611889
Change-Id: I42ef4633a4a99e6cef4ee0099644fc72f5114b44
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-02 01:23:06 +00:00
Treehugger Robot
52322051d2
Merge changes from topic "artsrv-experiment-flag" am: 30c25de59d
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2591925
Change-Id: I49eca7dfe3862ba4c6da27f4cab4c678ae934701
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-01 18:59:29 +00:00
Martin Stjernholm
0508eb7321
Allow the ART boot oneshot service to configure ART config properties. am: e1ac267ddd
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2590148
Change-Id: Ifa49b047d4febfd8c5c7594d8e7a47ab8a171517
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-01 18:59:27 +00:00
Brian Lindahl
abbd8aeefd
Move allow rule out of the neverallow section
...
Resolves comment from aosp/2605806
Bug: 234833109
Test: build
Change-Id: I248613ed2d9a7f26d404df8552c2dfc74694754a
2023-06-01 12:36:55 -06:00
Treehugger Robot
30c25de59d
Merge changes from topic "artsrv-experiment-flag"
...
* changes:
Give art_boot explicit access to experiment flags.
Allow the ART boot oneshot service to configure ART config properties.
2023-06-01 18:21:50 +00:00
Jooyung Han
a7e2e1a229
Merge "Fix apex_sepolicy_tests_test" am: 370d741453
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2606716
Change-Id: Ieeb02885d17d975d006f0ff8dbdbdf43880d3129
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-01 02:48:17 +00:00
Jooyung Han
370d741453
Merge "Fix apex_sepolicy_tests_test"
2023-06-01 02:05:55 +00:00
Pawan Wagh
0e74d4e69e
Add media extractor service fuzzer to bindings am: 7f90d50ae0
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2600804
Change-Id: I93e6bd14348c61ac75adba21f9d9f92567837e16
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-05-31 09:48:31 +00:00
Jooyung Han
61b46b6159
Fix apex_sepolicy_tests_test
...
In QueryTERule(), scontext argument works like OR-set while the test
rules should treat them as AND-set.
Bug: 285075529
Test: apex_sepolicy_tests_test
Change-Id: Ie33b8dd6bf62db67ad3762835c1500c81d975707
2023-05-31 17:41:28 +09:00
Pawan Wagh
7f90d50ae0
Add media extractor service fuzzer to bindings
...
Test: m
Bug: 232439428
Change-Id: I660c54df153993056668b6774d177072d8eadc3b
2023-05-31 01:19:21 +00:00
Steven Moreland
5b0dad1c2a
Merge "strengthen app_data_file neverallows" am: 46288c6b97
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2599511
Change-Id: I9588b6ca25d90b6faf2e7c6f994e1d0f13423011
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-05-26 16:59:47 +00:00
Steven Moreland
46288c6b97
Merge "strengthen app_data_file neverallows"
2023-05-26 15:32:15 +00:00
Brian Lindahl
7975447205
Allow media server configurable flags to be read from anywhere am: ffeb680417
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2605806
Change-Id: I11ebd0146487c21f95661756da8c780e96ec88dc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-05-26 07:29:31 +00:00
Brian Lindahl
ffeb680417
Allow media server configurable flags to be read from anywhere
...
The majority of code for media encoding and decoding occurs within the
context of client app processes via linking with libstagefright. This
code needs access to server-configurable flags to configure
codec-related features.
Bug: 234833109
Test: manual test with 'adb shell device_config' commands
Change-Id: I95aa6772a40599636d109d6960c2898e44648c9b
2023-05-25 20:48:00 -06:00
Treehugger Robot
b7185cb58e
Merge "Add sepolicy for ro.build.ab_update.ab_ota_partitions" am: cd69d35a5e
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2597146
Change-Id: I62f9713ec4965b709d3ff38d20bad629538281f0
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-05-25 11:38:08 +00:00
Treehugger Robot
cd69d35a5e
Merge "Add sepolicy for ro.build.ab_update.ab_ota_partitions"
2023-05-25 11:14:40 +00:00
Treehugger Robot
4ee23573de
Merge "Set up sepolicy for drmserver64" am: 8a676d0a4c
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2588745
Change-Id: Ie4492ca6077731143c26f3431546503e9491850a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-05-25 02:46:47 +00:00
Treehugger Robot
8a676d0a4c
Merge "Set up sepolicy for drmserver64"
2023-05-25 02:22:45 +00:00
Treehugger Robot
4774a44073
Merge "Allow ueventd to read apexd property" am: d16bf50b26
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1933081
Change-Id: Id718a1c924686618b2154f158b7ab8134fd03b11
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-05-25 02:22:10 +00:00
Treehugger Robot
d16bf50b26
Merge "Allow ueventd to read apexd property"
2023-05-25 01:40:11 +00:00
Kelvin Zhang
60456bd47e
Add sepolicy for ro.build.ab_update.ab_ota_partitions
...
Bug: 283042235
Test: th
Change-Id: Ie2296b75c91fbeb83cb0f3e61d5013b106fb78d0
2023-05-24 18:26:12 -07:00
Pawan Wagh
cf26f9e29b
Merge "Add media metrics aidl fuzzer to bindings" am: 144cad1b19
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2601825
Change-Id: Ibe6ec501030cd0999d307a0c3709c46325c6ca9f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-05-24 23:39:51 +00:00
Pawan Wagh
144cad1b19
Merge "Add media metrics aidl fuzzer to bindings"
2023-05-24 23:01:42 +00:00
Treehugger Robot
863fea7e62
Merge "strengthen debugfs neverallows" am: 4f36bd15ac
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2599510
Change-Id: Iebd1d30d6fd58a68f369d2d25c55038bab32acdc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-05-24 21:22:44 +00:00
Treehugger Robot
4f36bd15ac
Merge "strengthen debugfs neverallows"
2023-05-24 20:30:34 +00:00
Steven Moreland
12523b02c3
Merge "strengthen proc_type neverallows" am: fd92d967ee
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2599509
Change-Id: Id85e2319971b1be4924dc68b6becfb1c6ceac901
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-05-24 18:41:12 +00:00
Steven Moreland
fd92d967ee
Merge "strengthen proc_type neverallows"
2023-05-24 18:01:14 +00:00
Jin Jeong
8da5ffe780
Merge "Revert "Fix selinux denial for setupwizard_esim_prop"" am: f21abea1b7
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2602191
Change-Id: I5e659ea7ac65f4680cd7702e24236aabcd01bc3a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-05-24 09:12:46 +00:00
Jin Jeong
ce817552f5
Merge "Revert "Add setupwizard_esim_prop to access ro.setupwizard.esim_cid_ignore"" am: d7558db004
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2588746
Change-Id: Ic4796f40dfb4e24a726aba37377d2bd6e9e95809
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-05-24 09:12:43 +00:00
Jin Jeong
f21abea1b7
Merge "Revert "Fix selinux denial for setupwizard_esim_prop""
2023-05-24 08:21:54 +00:00
Jin Jeong
d7558db004
Merge "Revert "Add setupwizard_esim_prop to access ro.setupwizard.esim_cid_ignore""
2023-05-24 08:21:54 +00:00
Jin Jeong
0a9cd6f0e7
Revert "Fix selinux denial for setupwizard_esim_prop"
...
This reverts commit 3bb2411564.
Reason for revert: b/279988311 we rename the vendor.modem property so we don't need to add the new rules
Change-Id: I4a3ed3c4f00e9bee88608e7d393ded204d922ee2
Merged-In: I00cac36ac2f2a23d02c99b9ad9df57061d1ae61c
2023-05-24 07:08:05 +00:00
Pawan Wagh
d25d64796d
Add media metrics aidl fuzzer to bindings
...
Test: m
Bug: 232439428
Change-Id: I6c645bf89fdded1dffdba8d40889eeb20b0734e1
2023-05-23 22:55:15 +00:00
Suchang Woo
6b4c45393b
Allow ueventd to read apexd property
...
To run external firmware handler, ueventd should wait for apexd activation
by reading 'apexd.status' property.
Test: loading firmware from vendor apex using external firmware handler
Signed-off-by: Suchang Woo <suchang.woo@samsung.com>
Change-Id: Ic2057ab2d014540ce5eeb26bcac35d39294b5dc9
2023-05-23 14:12:40 +09:00
Steven Moreland
0109e51f62
Merge "strengthen vendor_file neverallows" am: e1b3e925c6
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2594975
Change-Id: I364f7f30f34e4dd28085e8ce53b37c1ea282a126
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-05-23 00:38:11 +00:00
Steven Moreland
f3722d5a71
strengthen app_data_file neverallows
...
There are more types of apps now.
Bug: 281877578
Test: boot
Change-Id: I1918de8610070f6fac0e933d75c656e4ee0cfbdd
2023-05-23 00:01:27 +00:00
Steven Moreland
e1b3e925c6
Merge "strengthen vendor_file neverallows"
2023-05-22 23:56:11 +00:00
Steven Moreland
b56bf68763
strengthen debugfs neverallows
...
The comments here suggest they intended to put stronger
rules in place.
Bug: 281877578
Test: boot
Change-Id: I4c837c2e0f86f648c212fa7915275cd75319e663
2023-05-22 23:02:24 +00:00
Steven Moreland
8634a88595
strengthen proc_type neverallows
...
These were unnecessarily lax. Some additional places
additionally exclude only the generic proc type, but
we don't care about those places.
Bug: 281877578
Test: boot
Change-Id: I9ebf410c12a41888ab1f5ecc21c95c34fc36c0d0
2023-05-22 22:59:08 +00:00
Treehugger Robot
ff97fdff7e
Merge "Parallelize singleton execution." am: bcb0e13831
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2593085
Change-Id: I18a98d9c720e8a5c4b98a8dccd878e3dd55158bd
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-05-22 17:11:27 +00:00
Treehugger Robot
bcb0e13831
Merge "Parallelize singleton execution."
2023-05-22 16:40:16 +00:00
Steven Moreland
3bf96325d7
Merge "strengthen system_file neverallows" am: 9a184232d7
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2594974
Change-Id: Icdba587658c91e27f35f6862869c45d1f74ddec9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-05-19 21:57:55 +00:00