David Anderson
55967665b4
Add sepolicy for the new Virtual A/B feature flag.
...
ro.virtual_ab.compression.enabled is the flag gating Virtual A/B
compression-related features.
Bug: 168257347
Test: adb shell getprop
Change-Id: Ied0bda0f3ea963e9d4010adf36ed0dfaf0b97d1c
2020-09-22 13:02:00 -07:00
Chris Gross
12c0b247ad
Only require compat mapping files if they exist.
...
Call build_policy when determining which compat mapping files should be
included for a given partition.
Bug: 168637766
Test: Built aosp_bonito-userdebug and saw that the compat mapping files
in product/etc/sepolicy/mapping were no longer present.
Test: Added a test 30.0.cil file to bonito's product private compat
directory and saw that it was present at product/etc/sepolicy/mapping.
Change-Id: I83cc28a159b24c0a2c0717dae461983250ab6c25
2020-09-22 11:55:40 -07:00
Aleks Rozman
a1ba5a9f5a
Revert "Add GNSS AIDL interfaces (system/sepolicy)"
...
This reverts commit d5f59b1b77.
Reason for revert: b/169150373
Change-Id: I3d5e20400ea8ee0e9ae439497245c09a13aaa716
2020-09-22 18:25:48 +00:00
Collin Fijalkovich
1d09d895c5
Merge "Cleanup mechanism for enabling perfetto daemon." am: cf792edcbd
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1321886
Change-Id: Ia5cab5b3f7fc020b62be28433763d2ce64820055
2020-09-22 17:57:42 +00:00
Collin Fijalkovich
cf792edcbd
Merge "Cleanup mechanism for enabling perfetto daemon."
2020-09-22 17:41:16 +00:00
John Stultz
17460d2111
sepolicy: mediaserver.te: Add read permission to dmabuf_system_heap_device am: 83ae7e71f9
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1431706
Change-Id: Ifa8885fb5ffd267c139228facf0cff3cc598b67a
2020-09-22 17:36:16 +00:00
Alan Stokes
f41d4d72de
Remove app_data_file:dir access from dexoptanalyzer.
...
It only accesses already-open file handles since b/67111829, so has no
need for any access to the directories, not even search access.
Fixes: 161960094
Bug: 141677108
Test: boot, install app
Test: cmd package force-dex-opt <package>
Test: cmd package bg-dexopt-job
Test: No denials seen.
Change-Id: I23dca1f038351be759dd16dff18d16d158604c3c
2020-09-22 15:54:02 +01:00
John Stultz
83ae7e71f9
sepolicy: mediaserver.te: Add read permission to dmabuf_system_heap_device
...
Following Hridya's patches, I found one more place where
dmabuf system heap access is needed in order to play back video
without ION
Audit error:
09-22 05:34:36.545 478 478 W NPDecoder-CL: type=1400 audit(0.0:65): avc: denied { read } for name="system" dev="tmpfs" ino=631 scontext=u:r:mediaserver:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=0
Signed-off-by: John Stultz <john.stultz@linaro.org>
Change-Id: I016a260b936a343a29f0e3bbb565b52bbcb0133a
2020-09-22 05:35:37 +00:00
Treehugger Robot
4185424048
Merge "Add ro.cdma.home.operator. properties" am: 9ce62543d8
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1429867
Change-Id: I20195f7fb0701372dbcc2077b07ae10d89498e02
2020-09-22 02:50:14 +00:00
Kelvin Zhang
3e8d768463
Merge "Grant gmscore permission to read virtual ab properties" am: 995b11d3be
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1423368
Change-Id: I9de9437ac781eb5a9aa1e6ca1bd70890ee4e0e0a
2020-09-22 02:49:44 +00:00
Treehugger Robot
9ce62543d8
Merge "Add ro.cdma.home.operator. properties"
2020-09-22 02:24:42 +00:00
Kelvin Zhang
995b11d3be
Merge "Grant gmscore permission to read virtual ab properties"
2020-09-22 01:56:29 +00:00
Steven Moreland
d704bb61f6
Merge "Clarify comments on 3rd party app attributes." am: ab6d3eb06c
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1430051
Change-Id: I06ed91428a7983918d81956986f69dc2cb80b3f5
2020-09-21 23:08:12 +00:00
Steven Moreland
ab6d3eb06c
Merge "Clarify comments on 3rd party app attributes."
2020-09-21 22:28:50 +00:00
Yu-Han Yang
08cd49a47a
Merge "Add GNSS AIDL interfaces (system/sepolicy)" am: 7c7b41715e
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1428936
Change-Id: I644e66575fa6545fbc1268a135526a5fd9f3d74a
2020-09-21 21:12:37 +00:00
Yu-Han Yang
7c7b41715e
Merge "Add GNSS AIDL interfaces (system/sepolicy)"
2020-09-21 20:24:37 +00:00
Treehugger Robot
1de718747b
Merge changes If936c556,Ief48165c am: 714e134b25
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1425994
Change-Id: I370a76b2d5f5e5f61fa3ce2d7a4deb5de944bd59
2020-09-21 18:29:20 +00:00
Treehugger Robot
714e134b25
Merge changes If936c556,Ief48165c
...
* changes:
Add permissions required for new DMA-BUF heap allocator
Define a new selinux label for DMABUF system heap
2020-09-21 17:59:16 +00:00
Kelvin Zhang
84105de0ef
Grant gmscore permission to read virtual ab properties
...
Bug: 168059475
Test: Serve an update over gmscore
Change-Id: Iefd88f4189b50ee68ee09bcb5a20556ba4ea3e1a
2020-09-21 10:27:20 -04:00
Inseob Kim
18cbb77b5c
Add ro.cdma.home.operator. properties
...
vendor_init writes ro.cdma.home.operator. properties, and framework
code reads the properties. This adds them to telephony_config_prop to
explicitly allow it.
Bug: 157958356
Test: boot
Change-Id: I3bd515bd7adcc01ec268e4d2b5a6a2f1fbca7deb
2020-09-21 12:59:11 +09:00
Jooyung Han
368f352a65
Allow ueventd to read apex mount directories. am: 68c1986c21
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1429857
Change-Id: I3a3df195c6c980f9904da2c36277868b2cfb8cb9
2020-09-19 23:18:51 +00:00
Jooyung Han
68c1986c21
Allow ueventd to read apex mount directories.
...
ueventd now scans /apex/*/firmware/ directories to find firmwares.
Bug: 167942098
Test: loading firmware from vibrator apex (sunfish)
Change-Id: I76e32e3c290fa07307377bc6fbea41c1783e40a6
2020-09-18 15:21:37 +09:00
Yu-Han Yang
d5f59b1b77
Add GNSS AIDL interfaces (system/sepolicy)
...
Bug: 159467682
Test: on cuttlefish
Change-Id: Iae7ceefe985096bcf9140e2a3592aade7ad70407
2020-09-17 13:31:29 -07:00
Steven Moreland
826b92fe34
Clarify comments on 3rd party app attributes.
...
Certain classes of 3rd party apps aren't untrusted_app_domain, but
some comments surrounding this are either outdated or wrong.
Bug: 168753404
Test: N/A
Change-Id: I019c16e26a3778536132f22c37fbea5ae7781af4
2020-09-17 17:15:26 +00:00
Marco Ballesio
c6f93be51b
Merge "sepolicy: allow system server for BINDER_GET_FROZEN_INFO" am: 7be9e9e372
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1426049
Change-Id: I95d9f703df8b5f76b0b64fb0407f8833d9d3c0d2
2020-09-17 16:24:20 +00:00
Marco Ballesio
7be9e9e372
Merge "sepolicy: allow system server for BINDER_GET_FROZEN_INFO"
2020-09-17 15:54:46 +00:00
Treehugger Robot
02a2899f22
Merge "Add media.resource_observer to service contexts" am: e0e91016e9
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1429368
Change-Id: I02e740543e79b10a47110af6e3a0d201ce44d817
2020-09-17 13:39:22 +00:00
Treehugger Robot
e0e91016e9
Merge "Add media.resource_observer to service contexts"
2020-09-17 12:41:04 +00:00
Steven Moreland
f8162a1801
Merge "Remove thermalcallback_hwservice." am: 9a4c8d3043
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1428935
Change-Id: I25a56b45bbce73d60885bf993cf7bef208f577a2
2020-09-17 01:03:32 +00:00
Steven Moreland
9a4c8d3043
Merge "Remove thermalcallback_hwservice."
2020-09-17 00:37:28 +00:00
Chong Zhang
cc09dc79c5
Add media.resource_observer to service contexts
...
bug: 168307955
bug: 154733526
Change-Id: I0099688d1c5f151a715f4bdb7b1c2108492a8b72
2020-09-16 16:47:10 -07:00
Yifan Hong
9a3d8f47cf
Merge "Revert "Add modules partition"" am: b8e0f11986
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1427712
Change-Id: Ibc2ef9fe0706742f3be8465037c7e0220e03d1eb
2020-09-16 23:23:13 +00:00
Yifan Hong
b8e0f11986
Merge "Revert "Add modules partition""
2020-09-16 22:45:55 +00:00
Steven Moreland
19deb1f856
Remove thermalcallback_hwservice.
...
There is no need for this type to be declared because it is never
registered with hwservicemanager.
This has been removed in the past but it seems it didn't automerge.
Bug: 109802374
Test: N/A
Change-Id: Id9bbc5762b6dcc8066c8543cb93db937cc4fc858
2020-09-16 21:57:05 +00:00
Steven Moreland
b5487800d4
Merge "Make AIDL HAL client attribute an exclusive client." am: 3c0939f08e
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1425011
Change-Id: Ib8d3a7e0caeda7753c1144d81bdd6732e34bbc88
2020-09-16 20:56:43 +00:00
Steven Moreland
3c0939f08e
Merge "Make AIDL HAL client attribute an exclusive client."
2020-09-16 20:32:47 +00:00
Hridya Valsaraju
a0e1be0fd3
Add permissions required for new DMA-BUF heap allocator
...
avc: denied { read } for comm=4E444B204D65646961436F6465635F name="system" dev="tmpfs" ino=379 scontext=u:r:system_server:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm=4E444B204D65646961436F6465635F path="/dev/dma_heap/system" dev="tmpfs" ino=379 scontext=u:r:system_server:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
avc: denied { read } for comm="HwBinder:413_3" name="system" dev="tmpfs" ino=379 scontext=u:r:mediaswcodec:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=0
avc: denied { ioctl } for comm=4E444B204D65646961436F6465635F path="/dev/dma_heap/system" dev="tmpfs" ino=379 ioctlcmd=0x4800 scontext=u:r:system_server:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
avc: denied { read } for comm=4E444B204D65646961436F6465635F name="system" dev="tmpfs" ino=379 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=0 app=com.android.systemui
it(0.0:83): avc: denied { read } for comm=4E444B204D65646961436F6465635F name="system" dev="tmpfs" ino=379 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=0 app=com.android.systemui
Test: video playback without denials with DMA-BUF heaps enabled
Bug: 168333162
Change-Id: If936c5561ebf891e4b687a2c18760d16e0d31275
2020-09-16 13:21:50 -07:00
Bram Bonné
e40bc723c1
Merge "Re-audit SELinux denials for external storage." am: bcf2a6cf80
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1424791
Change-Id: I73d23b4b250476d542eb71923d8707ccb41ef632
2020-09-16 12:18:37 +00:00
Bram Bonné
bcf2a6cf80
Merge "Re-audit SELinux denials for external storage."
2020-09-16 11:13:29 +00:00
Treehugger Robot
f462d946af
Merge "Set expandattribute false for property attributes" am: c5bb4e5744
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1427748
Change-Id: I4529eb30b0538153721ad7fd1f32652cef4e4286
2020-09-16 02:27:42 +00:00
Treehugger Robot
c5bb4e5744
Merge "Set expandattribute false for property attributes"
2020-09-16 02:03:52 +00:00
Yifan Hong
38a901df56
Revert "Add modules partition"
...
Revert submission 1413808-modules_partition
Reason for revert: modules partition no longer needed
Reverted Changes:
Iceafebd85:Add modules partition
I2fa96199a:rootdir: Add modules directory
Ie397b9ec6:Add modules partition.
I4200d0cf5:fastboot: add modules partition
Bug: 163543381
Change-Id: I613d4efa346b217e0131b14424bc340ad643e1d6
2020-09-15 19:08:24 +00:00
Benjamin Schwartz
7fb5037d5a
Merge "Create Power Stats AIDL interface" am: dc505c51ea
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1425013
Change-Id: Idb234570e23bbadcd740debf1b805ebd2bb7d97c
2020-09-15 17:34:34 +00:00
Benjamin Schwartz
dc505c51ea
Merge "Create Power Stats AIDL interface"
2020-09-15 16:39:36 +00:00
Inseob Kim
2eb0396cb4
Set expandattribute false for property attributes
...
To prevent these from being optimized away.
Bug: 161083890
Test: m selinux_policy
Change-Id: Ic587df21390f6ca553bf6be9ba77685f8c048ebf
2020-09-15 12:22:44 +09:00
Neil Fuller
cce6cc701e
Add location_time_zone_manager_service am: dbc1ccac14
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1426890
Change-Id: I8e9bc5948a4f6204823a37f483e2e20ecee5483d
2020-09-14 18:32:50 +00:00
Neil Fuller
dbc1ccac14
Add location_time_zone_manager_service
...
The LocationTimeZoneManagerService is being added as a "true" service so
that it can be invoked by a shell command (i.e. adb shell cmd). This
also means it will be dumped as part of dumpsys.
Test: Build only
Bug: 149014708
Change-Id: Ie60c4bea3af27a89b88ed753f9cf6e74aab04cd3
2020-09-14 15:19:02 +01:00
Marco Ballesio
9e7e3fd55f
sepolicy: allow system server for BINDER_GET_FROZEN_INFO
...
The new ioctl allows system server to verify the state of a frozen
binder interface before unfreezing a process.
Bug: 143717177
Test: verified ActivityManager could access the ioctl
Change-Id: Id9d90d072ce997ed20faa918ec68f1110e2bac8f
2020-09-11 15:41:31 -07:00
Hridya Valsaraju
a7cd26e664
Define a new selinux label for DMABUF system heap
...
Define the label dmabuf_system_heap_device for /dev/dma_heap/system.
This is the default DMA-BUF heap that Codec2 will use once ION is
deprecated.
Test: video playback without denials with DMA-BUF heaps enabled
Bug: 168333162
Change-Id: Ief48165cd804bde00e1881a693b5eb44a45b633b
2020-09-11 14:27:41 -07:00
Benjamin Schwartz
4e9bdf1c19
[automerger skipped] Merge "Define power.battery_input.suspended property" am: e3055f979c -s ours
...
am skip reason: Change-Id I4692d84d5c137d11c6f648d15083614e707fdd07 with SHA-1 8cad90e5f9 is in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1425409
Change-Id: I734f7fbaa460c3393b9a3e6f7d3f23eca5fb06df
2020-09-11 16:49:21 +00:00