Treehugger Robot
2379b4582c
Merge "Fix se_policy_conf file output stem" am: 099b15ea2e
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1978386
Change-Id: I7ad40cc5750a49f77ff015d979e140d357c1892d
2022-02-10 03:24:26 +00:00
Treehugger Robot
099b15ea2e
Merge "Fix se_policy_conf file output stem"
2022-02-10 03:08:30 +00:00
Yabin Cui
4906441dc5
Merge "profcollectd: allow to call callbacks registered by system_server." am: c30b45e242
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1973763
Change-Id: Id7138581429d7a7a4d03e8df35cd6d5e6f669490
2022-02-09 18:21:42 +00:00
Yabin Cui
c30b45e242
Merge "profcollectd: allow to call callbacks registered by system_server."
2022-02-09 18:09:59 +00:00
Steven Moreland
4e83d24871
Merge "Allow BPF programs from vendor." am: 2536bf9dac
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1189663
Change-Id: I71bbd8460727eff793dd59d5c5b1d8dcc963fdde
2022-02-09 17:45:41 +00:00
Steven Moreland
2536bf9dac
Merge "Allow BPF programs from vendor."
2022-02-09 17:28:16 +00:00
Inseob Kim
6c5fa54a8b
Fix se_policy_conf file output stem
OutputFileProducer interface has been returning "conf", not the
designated stem.
Test: try including se_policy_conf module as other module's srcs
Change-Id: I17de5e10ed9bd1d45dc9a8b1be11ea6f5290c179
2022-02-09 23:35:43 +09:00
Jayant Chowdhary
4c51fa993e
Merge "System wide sepolicy changes for aidl camera hals." am: b00bf9d282
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1975831
Change-Id: Ie9b95c5b231a014d0123271b5cfd63f20b9519db
2022-02-09 03:23:54 +00:00
Jayant Chowdhary
b00bf9d282
Merge "System wide sepolicy changes for aidl camera hals."
2022-02-09 03:08:37 +00:00
Steven Moreland
c27d24c37c
Allow BPF programs from vendor.
Who needs all those context switches?
bpfloader controls which types of vendor programs can be used.
Bug: 140330870
Bug: 162057235
Test: successfully load bpf programs from vendor
Change-Id: I36e4f6550da33fea5bad509470dfd39f301f13c8
2022-02-08 22:46:54 +00:00
Thiébaud Weksteen
d41e2add90
Merge "Allow policy tests to support space in file names" am: c3ae0ceaee
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1968402
Change-Id: I0b73db62b9b83efd02f65e0bada75695a47a7447
2022-02-08 22:00:19 +00:00
Thiébaud Weksteen
c3ae0ceaee
Merge "Allow policy tests to support space in file names"
2022-02-08 21:48:17 +00:00
Treehugger Robot
5d45c0bc91
Merge "Add rule to allow servicemanager to call the hostapd service." am: 14db21eafa
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1975506
Change-Id: Ic364766d3356c3d0936215f06ab119fd30412ea7
2022-02-08 20:33:59 +00:00
Treehugger Robot
14db21eafa
Merge "Add rule to allow servicemanager to call the hostapd service."
2022-02-08 20:17:15 +00:00
Christine Franks
bdb8275788
Merge "Add uhid_device to system_server" am: c98bde94c4
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1972819
Change-Id: I7faf091b6ac4d6dddafaaf30e035d097ba8dd444
2022-02-08 18:48:19 +00:00
Treehugger Robot
c6530c9486
Merge "Rename property for default MTE mode." am: 0fc6fae857
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1975306
Change-Id: I55a2c07b0d45df1a7ed3d3f03308a123a8812910
2022-02-08 18:41:06 +00:00
Gabriel Biren
d59d96c476
Add rule to allow servicemanager to call
the hostapd service.
Needed in order to allow hostapd to
receive a callback from servicemanager
when the active service count changes.
Bug: 213475388
Test: atest VtsHalHostapdTargetTest
Change-Id: I3a5ec8219d23227fab85325f90d8b4aee6c76973
2022-02-08 18:00:15 +00:00
Christine Franks
c98bde94c4
Merge "Add uhid_device to system_server"
2022-02-08 17:13:32 +00:00
Treehugger Robot
0fc6fae857
Merge "Rename property for default MTE mode."
2022-02-08 16:47:32 +00:00
Treehugger Robot
0b2fe7bba9
Merge "Allow reading hypervisor capabilities" am: e335de9aeb
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1974460
Change-Id: I0fd8a7a9f35ed63f78bea52028935705750c0a7a
2022-02-08 11:54:28 +00:00
Treehugger Robot
e335de9aeb
Merge "Allow reading hypervisor capabilities"
2022-02-08 11:49:33 +00:00
Treehugger Robot
46f9d2ebc4
Merge "bpfloader: use kernel logs" am: 2e468b48c5
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1975407
Change-Id: Ica35494fc1df34ebb9ccfd82c2aa1d5e658e4463
2022-02-08 11:48:26 +00:00
Treehugger Robot
2e468b48c5
Merge "bpfloader: use kernel logs"
2022-02-08 10:51:39 +00:00
Jayant Chowdhary
e3019be3db
System wide sepolicy changes for aidl camera hals.
Bug: 196432585
Test: Camera CTS
Change-Id: I0ec0158c9cf82937d6c00841448e6e42f6ff4bb0
Signed-off-by: Jayant Chowdhary <jchowdhary@google.com>
2022-02-08 09:37:17 +00:00
Treehugger Robot
5b2f49942b
Merge "Allow priv-app to report off body events to keystore." am: d83aba62f6
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1973028
Change-Id: I9b990153f44fb93b4ee09b25e4efb6bd492d7fc0
2022-02-07 23:57:28 +00:00
Shubang Lu
04a33ef734
Merge "SE policy: rename iapp -> interactive_app" am: 3885ab88c5
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1956658
Change-Id: I6e469662688bb7d91af5c7070063763b49dc0900
2022-02-07 23:57:01 +00:00
Treehugger Robot
d83aba62f6
Merge "Allow priv-app to report off body events to keystore."
2022-02-07 23:46:05 +00:00
Shubang Lu
3885ab88c5
Merge "SE policy: rename iapp -> interactive_app"
2022-02-07 23:45:28 +00:00
Steven Moreland
233d4aabf6
bpfloader: use kernel logs
Boots early. logd no workie!
Bug: 210919187
Test: see bpfloader logs
Change-Id: I313f55b0a6e1164fdffeb2d07952988d5e560ae7
2022-02-07 23:16:55 +00:00
Josh Yang
8be76c8e5c
Allow priv-app to report off body events to keystore.
Bug: 183564407
Test: the selinux error is gone.
Change-Id: I6783528a0ca6c94781b6c12d96ffebbfe8b25594
Merged-In: If40c2883edd39bee8e49e8e958eb12e9b29a0fe0
2022-02-07 22:42:51 +00:00
Florian Mayer
6020c42f2b
Rename property for default MTE mode.
This was requested in aosp/1959650.
Change-Id: I96f8771a39606b0934e4455991a6a34aea40235b
2022-02-07 11:27:20 -08:00
Treehugger Robot
2f94a92cdc
Merge "Allow microdroid_manager to BLKFLSBUF on the instance disk" am: 03b3b18c70
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1974319
Change-Id: I3065a65bd2c5bb4f780dfac95c9e5143f0990883
2022-02-07 11:59:23 +00:00
Treehugger Robot
03b3b18c70
Merge "Allow microdroid_manager to BLKFLSBUF on the instance disk"
2022-02-07 11:44:54 +00:00
Alan Stokes
55803ca572
Allow reading hypervisor capabilities
System server needs to do this to know whether a suitable VM for
CompOS can be created. System server does not need the ability to
actually start a VM, so we don't grant that.
Bug: 218276733
Test: Presubmits
Change-Id: Ibb198ad55819aa924f1bfde68ce5b22c89dca088
2022-02-07 11:33:18 +00:00
shubang
a1b9f186fb
SE policy: rename iapp -> interactive_app
Bug: 205738783
Test: cuttlefish
Change-Id: I15fd60a2dba79dd5e2a3cf57ed542e5a930680f1
Merged-In: I15fd60a2dba79dd5e2a3cf57ed542e5a930680f1
2022-02-07 07:54:32 +00:00
Treehugger Robot
7defe78f93
Merge "Implement compat file generator" am: f7a825bc46
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1958842
Change-Id: I9f8cad39e2d14999c1afd1d4e2b1c88994c20a99
2022-02-07 06:29:06 +00:00
Treehugger Robot
f7a825bc46
Merge "Implement compat file generator"
2022-02-07 06:15:18 +00:00
Jiyong Park
30c416a4bd
Allow microdroid_manager to BLKFLSBUF on the instance disk
Microdroid_manager uses the ioctl to flush data to the block device.
Bug: 208639280
Test: atest MicrodroidTestApp
Change-Id: Icd708702618850e1f003b16bdc8a1698c45f6442
2022-02-07 15:13:22 +09:00
Inseob Kim
9eadc83220
Implement compat file generator
sepolicy_generate_compat is a binary that creates a new compat file when
freezing sepolicy API.
Suppose that we are adding {ver} compat file, after freezing {ver}
sepolicy. Then the workflow would be:
1) copy prebuilts to system/sepolicy/prebuilts/api/{ver}
2) add {ver} to PLATFORM_SEPOLICY_COMPAT_VERSIONS under
   build/make/core/config.mk
3) touch the following three files
   - system/sepolicy/private/compat/{ver}/{ver}.cil
   - system/sepolicy/private/compat/{ver}/{ver}.compat.cil
   - system/sepolicy/private/compat/{ver}/{ver}.ignore.cil
   - system/sepolicy/prebuilts/api/{ver}/vendor_sepolicy.cil
   - system/sepolicy/prebuilts/api/{ver}/plat_pub_versioned.cil
   * This step is to build base compat files, and won't be needed in the
     future.
4) add compat module files (won't be needed in the future)
   - {ver}.cil
   - {ver}.compat.cil
   - {ver}.ignore.cil
   * This step is to build base compat files, and won't be needed in the
     future.
5) run the following command to update above three files:
   $ source build/envsetup.sh && lunch aosp_arm64-userdebug
   $ m sepolicy_generate_compat
   $ sepolicy_generate_compat --branch=(branch_for_ver) \
       --build latest --target-version {ver} \
       --latest-version {ver-1}
6) upload build/make and system/sepolicy changes.
This script still lacks:
- handling of plat_pub_versioned.cil
- test cases
We will tackle such problems with follow-up changes.
Bug: 214336258
Test: manual
Change-Id: I21723a0832e5adadae7c22797c5aba867dc0174e
2022-02-07 13:06:49 +09:00
Inseob Kim
c02f7c6cf8
Neverallow domains other than VS from executing VM am: b20cb78404
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1970460
Change-Id: I80f29ae146dd8dae40cbae9be13a4ffe5a05238d
2022-02-07 03:53:41 +00:00
Inseob Kim
b20cb78404
Neverallow domains other than VS from executing VM
Bug: 216610937
Test: atest MicrodroidTests
Change-Id: I2ecea6974cb6650f8a7aa8b706ae38e1822805cd
2022-02-07 09:42:21 +09:00
Yabin Cui
c1fdafdb6c
profcollectd: allow to call callbacks registered by system_server.
Bug: 213519191
Test: On oriole, profcollectd can call callbacks registered by
Test: ProfcollectForwardingService in system_server.
Change-Id: I8531a6e57e5e5c12033d5e8c7651ccff9a1d976a
2022-02-05 12:59:11 -08:00
Treehugger Robot
fb52b5754e
Merge "Grant system_app permission to access cgroup_v2 directories" am: b289dc4d1d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1966048
Change-Id: Ia0fee0a8ac12689bf2bc562b3fdab63a250e3d59
2022-02-04 19:39:02 +00:00
Treehugger Robot
b289dc4d1d
Merge "Grant system_app permission to access cgroup_v2 directories"
2022-02-04 19:26:00 +00:00
Christine Franks
639c48d146
Add uhid_device to system_server
Bug: 217275682
Change-Id: I1ae74868344da290727df2474712b8b6ad2efdd7
Test: n/a
2022-02-04 15:13:43 +00:00
Treehugger Robot
eb03dcc59c
Merge "Allow VM clients access to hypervisor capability" am: 391f2b26fc
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1970590
Change-Id: I4de2693ef001b522132f393ffe9c970fa8c652c3
2022-02-04 09:50:49 +00:00
Treehugger Robot
391f2b26fc
Merge "Allow VM clients access to hypervisor capability"
2022-02-04 09:37:19 +00:00
Treehugger Robot
713984514c
Merge "bluetooth.device.class_of_device should be type string" am: 7b7a42e6cf
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1969420
Change-Id: I6acf3397d7b922943f8ce144e95375bf1a66a001
2022-02-04 01:00:51 +00:00
Treehugger Robot
7b7a42e6cf
Merge "bluetooth.device.class_of_device should be type string"
2022-02-04 00:38:52 +00:00
Kevin Han
641d56be3f
Merge "Extend visibility of hibernation service for CTS" am: 4d81dc33f8
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1966099
Change-Id: I39ef4366bb10c73dfab63b73599e653ea9d3d288
2022-02-04 00:01:09 +00:00