Commit graph

38685 commits

Author SHA1 Message Date
Treehugger Robot
22f508a58e Merge "Don't disallow vendor app hal_service_type" am: 9617447817
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2153808

Change-Id: Ica4bf13a474751efe61c5073165390a15d394338
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-19 18:39:53 +00:00
Treehugger Robot
9617447817 Merge "Don't disallow vendor app hal_service_type" 2022-07-19 18:18:45 +00:00
Maciej Żenczykowski
e65c35282a allow bpfloader to create symbolic links in /sys/fs/bpf am: d5098f99a9
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2154891

Change-Id: I3d282bde16f20a11d341b43640960a9c38b54645
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-19 07:36:43 +00:00
Maciej Żenczykowski
d5098f99a9 allow bpfloader to create symbolic links in /sys/fs/bpf
(this is to allow /sys/fs/bpf/tethering -> net_shared/tethering
 for InProcessTethering, ie. Android Go devices)

Bug: 190523685
Bug: 236925089
Test: TreeHugger, manually on aosp_cf_x86_go_phone-userdebug
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ifa52429f958b0af80f91af6bfb064c1cdf9cd070
2022-07-18 05:14:44 -07:00
Steven Moreland
0ce7b3c92a Don't disallow vendor app hal_service_type
Currently, vendor_service is excluded from this neverallow
for the same reason. However, the current plan is to remove
vendor_service. Since some vendor HAL services are not
marked as hal_service_type, this part of the change needs
to be submitted independently in order to clean them up.

Bug: 237115222
Test: build
Change-Id: I7893184c4d1011881b721d0b851e07c17f73732b
2022-07-15 19:44:21 +00:00
Jooyung Han
507b641085 Merge "Allow (hw)servicemanager use bootstrap bionic" am: 8fe0b28bf1
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2152734

Change-Id: Ie004a6d7c7e284baf4cf20f057a91cbe649ce6e9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-15 00:34:25 +00:00
Jooyung Han
8fe0b28bf1 Merge "Allow (hw)servicemanager use bootstrap bionic" 2022-07-15 00:12:55 +00:00
Treehugger Robot
3b61b61c5a Merge "Allow system_server to signal InputProcessor HAL" am: 674d3e7822
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2152242

Change-Id: I8156dd48981a76ed08e68ed548b4cdd47b92e89c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-14 23:25:46 +00:00
Treehugger Robot
674d3e7822 Merge "Allow system_server to signal InputProcessor HAL" 2022-07-14 23:06:38 +00:00
Siarhei Vishniakou
4cb2d3c13d Allow system_server to signal InputProcessor HAL
This is needed for Watchdog to be able to dump InputProcessor HAL.
Watchdog can be triggered locally for testing by patching
InputDispatcher.cpp:

 void InputDispatcher::monitor() {
     // Acquire and release the lock to ensure that the dispatcher has not deadlocked.
     std::unique_lock _l(mLock);
+    std::this_thread::sleep_for(std::chrono::minutes(40));
     mLooper->wake();
     mDispatcherIsAlive.wait(_l);
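Review bot: the added sleep_for line in InputDispatcher::monitor() sits after "std::unique_lock _l(mLock);", so mLock stays held for the full 40 minutes. A short comment on the "+" line saying it is a local-only watchdog trigger would keep the snippet from being mistaken for part of this change. If the snippet is meant to be applied as-is, it also needs <chrono> and <thread> to be included in InputDispatcher.cpp where they are not already.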

Bug: 237322365
Test: adb bugreport (after triggering watchdog)
Change-Id: I746df8be4faaef2a67293d6b1c0cde5fa7810de6
Merged-In: I746df8be4faaef2a67293d6b1c0cde5fa7810de6
2022-07-14 22:05:07 +00:00
Inseob Kim
992bfbcd27 Merge "Allow microdroid_manager to stop tombstoned" am: 9dd70bc942
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2152733

Change-Id: I82db292f1e72f5fceed4f60f845e065e0873bef5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-14 16:27:47 +00:00
Inseob Kim
9dd70bc942 Merge "Allow microdroid_manager to stop tombstoned" 2022-07-14 16:09:23 +00:00
Nikita Ioffe
fb3df6dc4a Merge "Add apexd.config.loop_wait.attempts sysprop to sepolicy" am: 5dd9e3a320
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2152793

Change-Id: I6161cbd8f80aa3a2cb17c2af364ee6df9d5354f3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-14 10:34:05 +00:00
Nikita Ioffe
5dd9e3a320 Merge "Add apexd.config.loop_wait.attempts sysprop to sepolicy" 2022-07-14 10:15:56 +00:00
Jooyung Han
133ca4ea6b Allow (hw)servicemanager use bootstrap bionic
Bug: 237672865
Test: m && boot
Change-Id: I436cf97c4c8e852e36cd1faa9da646c9f8a4d0a4
2022-07-14 11:31:03 +09:00
Inseob Kim
1b570bde90 Merge changes from topics "microdroid_early_kernel_log", "no_logcat_on_microdroid_tests" am: 2bcdf84b6c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2147820

Change-Id: I41cb1bccb4c06b9c6cd78003d73e55925acef521
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-14 01:35:58 +00:00
Inseob Kim
f1c1db1eff Make logd and logcat bootstrappable am: 3f0ea4ffde
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2145763

Change-Id: Ia09f809f9395f46eaec61b5f7c02060e846fbec3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-14 01:35:52 +00:00
Inseob Kim
2bcdf84b6c Merge changes from topics "microdroid_early_kernel_log", "no_logcat_on_microdroid_tests"
* changes:
  microdroid: Remove redundant dontaudit from shell
  Make logd and logcat bootstrappable
2022-07-14 01:19:32 +00:00
SzuWei Lin
b540e93de2 Merge "Set up sepolicy for mediaserver64" am: 5d24b9a14d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2144720

Change-Id: I7a144eb156c3247102f47ce24d707ed882021d24
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-14 00:38:17 +00:00
SzuWei Lin
5d24b9a14d Merge "Set up sepolicy for mediaserver64" 2022-07-14 00:20:03 +00:00
Nikita Ioffe
0fd6e24297 Add apexd.config.loop_wait.attempts sysprop to sepolicy
Also mark all apexd.config. properties to be apexd_config_prop

Bug: 237955261
Test: m
Change-Id: I93a9e1b450426ebe7cd11c87a9586697dc76a70e
2022-07-13 12:31:18 +01:00
Inseob Kim
fa4c5bff42 Allow microdroid_manager to stop tombstoned
If export_tombstones is false, leaving tombstoned running has no
meaning. However, we still can't selectively start tombstoned, because
post-fs-data happens earlier than config parsing. Thus, this change
allows microdroid_manager to stop tombstoned on demand.

Bug: 236588647
Test: atest MicrodroidTests
Change-Id: I813fe667f3394bdd234e204f3d35a27f3a182cb2
2022-07-13 18:59:50 +09:00
Treehugger Robot
c383817add Merge "Added properties for rebootless apex install" am: be031287e4
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2147819

Change-Id: Iac6f20e59f2924248892657c74525034ce1b3c95
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-13 04:20:59 +00:00
Treehugger Robot
be031287e4 Merge "Added properties for rebootless apex install" 2022-07-13 04:04:20 +00:00
Xin Li
e4d55178d5 DO NOT MERGE - Merge TP1A.220624.013
Merged-In: Ibb00b7c470a4cb148cfdcfb6b147edde45e49b1a
Change-Id: Id8badc87768f66197ccaf2642f34fb2dc69e23df
2022-07-11 21:47:46 -07:00
Siarhei Vishniakou
5fc093f370 Allow dumping of InputProcessor HAL am: 889d8aa9a7
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2147322

Change-Id: I35913c59f0c1708ab59676534e964b26a798b9fc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-11 19:26:56 +00:00
Siarhei Vishniakou
889d8aa9a7 Allow dumping of InputProcessor HAL
In order to see the HAL state in bugreports, we need to allow the HAL to
write to the file where the dump is going.

Bug: 237233372
Test: adb shell dumpsys android.hardware.input.processor.IInputProcessor/default
Change-Id: Idf78269e4ee9798c078ac3b7ee4f375515d7aadc
2022-07-11 18:33:54 +00:00
sandrom
105435e426 Add seamendc binary am: b246b1dc35
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2104345

Change-Id: Ibff2cb00ee19bce4b9ab68909e51564c51cf9f9a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-11 11:30:19 +00:00
sandrom
b246b1dc35 Add seamendc binary
Bug: 236691128
Test: adb shell seamendc -b <binary_policy> -o <output_policy> <test.cil> <test-redefinitions.cil>

Change-Id: Id51271e89261a2a612cf25e7b56147d5931c76f9
2022-07-11 09:23:52 +00:00
SzuWei Lin
994195359f Set up sepolicy for mediaserver64
Add mediaserver(32|64) for supporting 64-bit only devices. The patch is
for setting up the sepolicy for mediaserver(32|64).

Bug: 236664614
Test: make gsi_arm64-user; Check the sepolicy
Change-Id: I61c69588b84305b9863a72b5a466d4185f7f1958
2022-07-11 16:18:55 +08:00
Siarhei Vishniakou
a50b672979 Allow dumpstate to get traces in api 33.0 am: 1579b37a19
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2147164

Change-Id: I04ac37c45b645ef51d0b04f321de743db932f3cb
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-08 16:05:54 +00:00
Inseob Kim
202fe3c2d6 microdroid: Remove redundant dontaudit from shell
Bug: 238135989
Test: atest MicrodroidHostTestCases
Change-Id: Ia74ee40e952ffc3bf18e1ff890efcff5219ef33a
2022-07-08 08:56:16 +00:00
Siarhei Vishniakou
1579b37a19 Allow dumpstate to get traces in api 33.0
In order to debug the HAL getting stuck, dumpstate needs permission to
dump its traces. In this CL, we update the api 33.0 accordingly.

Bug: 237347585
Bug: 237322365
Test: m sepolicy_freeze_test
Change-Id: I5096f52358880e3c10657e5aae9ead1723cc9fa9
Merged-In: I5096f52358880e3c10657e5aae9ead1723cc9fa9
2022-07-08 06:55:44 +00:00
Jooyung Han
ccfb0ef146 Added properties for rebootless apex install
When apexd installs an apex without reboot, init also needs to do some
work around the installation (e.g. terminating services from the apex,
removing data read from the apex, updating linker configuration,
etc.).

Apexd sets control properties to unload and load apex and init notifies
the completion with state properties.

These new properties are supposed to be used by apexd/init interaction.

Bug: 232114573
Bug: 232173613
Test: CtsStagedInstallHostTestCases
Test: CtsInitTestCases
Change-Id: I5af6b36310f3c81f1cd55537473e54756541d347
2022-07-08 12:12:45 +09:00
Android Build Coastguard Worker
6f6029407a Merge cherrypicks of [19149566] into tm-release.
Change-Id: If83579ef0c9dbe3bfefc10d6af77ec60642b2833
2022-07-08 00:19:45 +00:00
Jeff Vander Stoep
e1189a7aa7 Allow all Apps to Recv UDP Sockets from SystemServer
Access to this functionality is gated elsewhere e.g. by
allowing/disallowing access to the service.

Bug: 237512474
Test: IpSecManagerTest
Test: Manual with GMSCore + PPN library
Ignore-AOSP-First: It's a CP of aosp/2143512
Change-Id: Ibb00b7c470a4cb148cfdcfb6b147edde45e49b1a
(cherry picked from commit 6ae09a4609)
Merged-In: Ibb00b7c470a4cb148cfdcfb6b147edde45e49b1a
2022-07-08 00:19:26 +00:00
Treehugger Robot
163fb597fd Merge "crash_dump: Update prebuilts for API 33" am: 355ecc995e
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2145179

Change-Id: I916144a02848d952d70b6fd25889c4d5ff48084b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-07 16:47:36 +00:00
Treehugger Robot
355ecc995e Merge "crash_dump: Update prebuilts for API 33" 2022-07-07 16:33:48 +00:00
David Brazdil
707cad8692 crash_dump: Update prebuilts for API 33
Bug: 236672526
Test: n/a
Merged-In: I49571dcfdd9c194101cc929772fa15463609fa8c
Change-Id: I49571dcfdd9c194101cc929772fa15463609fa8c
2022-07-07 15:17:20 +00:00
Thiébaud Weksteen
5ce2e0e243 Merge "Revert "Remove key migration related changes"" am: febedf5a42
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2147821

Change-Id: Ib0679d31928a4c09300cdfbe0dd03dd08ff084db
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-07 09:01:59 +00:00
Thiébaud Weksteen
febedf5a42 Merge "Revert "Remove key migration related changes"" 2022-07-07 08:43:54 +00:00
Thiébaud Weksteen
f412c13a02 Revert "Remove key migration related changes"
This reverts commit 65dcdf2921.

Reason for revert: broken internal target 

Change-Id: Idf57285d95f5466dfa3af08230af4c8f9d76326c
2022-07-07 08:40:23 +00:00
Thiébaud Weksteen
3d242f752a Merge "Remove key migration related changes" am: c3cb5a25e3
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2134299

Change-Id: I79a4e7aeaa3a5f05a40332c1cbff8bda093529f5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-07 04:32:15 +00:00
Thiébaud Weksteen
c3cb5a25e3 Merge "Remove key migration related changes" 2022-07-07 04:13:22 +00:00
Android Build Coastguard Worker
0930ade2ea Merge cherrypicks of [19143810, 19133814] into tm-release.
Change-Id: I570c7d844c90c1b2bb7cb1086829c93d7a88c665
2022-07-07 03:05:58 +00:00
Ryan Savitski
e1c2d9941e Revert system app/process profileability on user builds
Please see bug for context.

This reverts commits:
* 6111f0cfc8
* bb197bba02
* 20d0aca7e6

And updates prebuilts/api/33.0 accordingly.

Bug: 217368496
Tested: redfin-user and barbet-userdebug: build+flash+boot;
        manual test of typical profiling (heap and perf);
        atest CtsPerfettoTestCases.
Change-Id: If7fcf3d5a2fdb1a48dcaf8ef8f97e8375d461e61
Merged-In: If7fcf3d5a2fdb1a48dcaf8ef8f97e8375d461e61
(cherry picked from commit babba5e83b)
(cherry picked from commit c592577fb2)
Merged-In: If7fcf3d5a2fdb1a48dcaf8ef8f97e8375d461e61
2022-07-07 03:05:00 +00:00
Thiébaud Weksteen
a089864e82 Ignore access to /sys for dumpstate
avc: denied { read } for name="stat" dev="sysfs" ino=26442
scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file
permissive=0

Bug: 236566714
Test: TH
Change-Id: Id4e781908573607b28782fbb2da7cd553d6826fe
(cherry picked from commit 5e8a384f5a)
Merged-In: Id4e781908573607b28782fbb2da7cd553d6826fe
(cherry picked from commit 2e23fa2c99)
Merged-In: Id4e781908573607b28782fbb2da7cd553d6826fe
2022-07-07 03:04:54 +00:00
Treehugger Robot
e36b5af694 Merge "Allow dumpstate to get InputProcessor traces" am: 2a3c76f09f
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2147021

Change-Id: I3e975e341d719997c4d1e269e8159534babc62fc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-06 19:14:02 +00:00
Treehugger Robot
2a3c76f09f Merge "Allow dumpstate to get InputProcessor traces" 2022-07-06 18:58:22 +00:00
Siarhei Vishniakou
c982ef878d Allow dumpstate to get InputProcessor traces
When the InputProcessor HAL is getting dumped, allow the dumpstate
process to trigger the trace collection.

In the future, we will also add a 'dump' facility to this HAL.

Bug: 237347585
Bug: 237322365
Test: adb bugreport
Change-Id: Iecc525c212c1b899962a032df9643bdd8b0dcdb6
2022-07-06 08:28:50 -07:00