tequilaOS/platform_system_sepolicy

Author	SHA1	Message	Date
Alice Wang	8bbd637329	Revert^4 "[avf][rkp] Allow virtualizationservice to register RKP HAL" am: `e79bbf9cf8` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2828234 Change-Id: Icf926e78100ec48014ca24e6a51b51c5ea93f7c1 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-22 10:03:25 +00:00
Alice Wang	e79bbf9cf8	Revert^4 "[avf][rkp] Allow virtualizationservice to register RKP HAL" Revert submission 2829351-revert-2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT-WYENGHRTXK Reason for revert: Relands the original topic: https://r.android.com/q/topic:%22expose-avf-rkp-hal%22 Changes from the reverted cl aosp/2812455: - The AIDL service type has been renamed from avf_* to hal_* to be consistent with the others. - The new AIDL service type, hal_remotelyprovisionedcomponent_avf_service, for the IRPC/avf service, has been set up with the server/client model for AIDL Hal. The virtualizationservice is declared as server and RKPD is declared as client to access the service instead of raw service permission setup as in the reverted cl. This is aligned with the AIDL Hal configuration recommendation. - Since the existing type for IRPC hal_remotelyprovisionedcomponent is already associated with keymint server/client and has specific permission requirements, and some of the keymint clients might not need the AVF Hal. We decided to create a new AIDL service type instead of reusing the exisiting keymint service type. Reverted changes: /q/submissionid:2829351-revert-2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT-WYENGHRTXK Bug: 312427637 Bug: 310744536 Bug: 299257581 Test: atest MicrodroidHostTests librkp_support_test Change-Id: Id37764b5f98e3c30c0c63601560697cf1c02c0ad	2023-11-22 08:21:27 +00:00
Ahmad Khalil	a6c6bf0889	Add fwk_vibrator_control_service am: `95ee9ea719` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2824730 Change-Id: Ic05d0a548a76ee70c2f8377afe2b3a087355870b Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-21 23:20:27 +00:00
Ahmad Khalil	95ee9ea719	Add fwk_vibrator_control_service Convert vibrator_control to a framework service (fwk_vibrator_control_service) in system_server. Bug: 305961689 Test: N/A Change-Id: I5f3aba2c58a3166593a11034a8d21dfd12311c2e	2023-11-21 20:59:48 +00:00
Matías Hernández	b58ddfddee	Merge "Make color_display app_api_service in addition to system_api_service" into main am: `e2e44c0156` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2841713 Change-Id: I3386f10c848e5acee1a5313bf9c64b8dfc1293ab Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-21 20:18:38 +00:00
Matías Hernández	e2e44c0156	Merge "Make color_display app_api_service in addition to system_api_service" into main	2023-11-21 19:52:44 +00:00
Shikha Panwar	67d30d0d61	Merge "Secretkeeper/Sepolicy: Create required domains" into main am: `2838e84381` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2719356 Change-Id: Ia9c31d6b68999da467613bc25185e0a1123082ab Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-21 18:05:34 +00:00
Shikha Panwar	2838e84381	Merge "Secretkeeper/Sepolicy: Create required domains" into main	2023-11-21 17:56:46 +00:00
Matías Hernández	b8762f78b2	Make color_display app_api_service in addition to system_api_service This makes the service available for CTS tests (specifically NotificationManagerZenTest). Test: m -j Bug: 308673540 Change-Id: I45917abd0c0dd3f2c5365b2780ac3ab5e28f2580	2023-11-21 18:51:56 +01:00
Shikha Panwar	59c970703b	Secretkeeper/Sepolicy: Create required domains Add sepolicies rules for Secretkeeper HAL & nonsecure service implementing the AIDL. Test: atest VtsHalSkTargetTest & check for Selinux denials Bug: 293429085 Change-Id: I907cf326e48e4dc180aa0d30e644416d4936ff78	2023-11-21 12:29:18 +00:00
Thiébaud Weksteen	fa2999a627	Revert^2 "Add permission for VFIO device binding" This reverts commit `c6227550f7`. Reason for revert: Faulty merging paths have been removed Change-Id: Icf56c2e977c5517af63e206a0090159e43dd71eb Merged-In: Ie947adff00d138426d4703cbb8e7a8cd429c2272	2023-11-21 02:18:30 +00:00
Shubang Lu	26e47c1bd9	Merge "Add SE policy for tv_ad_service" into main am: `0d65502e9e` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2831310 Change-Id: Icf09548281fd42d35c3f6878a717424d38a6d4e9 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-20 19:49:58 +00:00
Shubang Lu	0d65502e9e	Merge "Add SE policy for tv_ad_service" into main	2023-11-20 19:08:50 +00:00
Jeongik Cha	e113739003	Merge "declare setupwizard_mode_prop as system_vendor_config_prop" into main am: `bfb5615f52` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2832590 Change-Id: I95e2d32c59af119280a637a7691649729522aff1 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-20 02:02:27 +00:00
Jeongik Cha	bfb5615f52	Merge "declare setupwizard_mode_prop as system_vendor_config_prop" into main	2023-11-20 01:22:22 +00:00
Seungjae Yoo	a43ef400f7	Merge "Introduce vendor_microdroid_file for microdroid vendor image" into main am: `e95f3f5bd3` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2831710 Change-Id: If1708562153d678a7d5a816977a44a0faea368a2 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-17 02:42:39 +00:00
Shubang Lu	98dddde9f0	Add SE policy for tv_ad_service Bug: 303506816 Bug: 311074646 Test: cuttlefish; Change-Id: I5dea6d65cf374392bb9b079dda9aa90fb63a4bbd	2023-11-16 23:10:15 +00:00
Jeongik Cha	6cb91a086e	declare setupwizard_mode_prop as system_vendor_config_prop 1. declare setupwizard_mode_prop for ro.setupwizard.mode 2. that prop could be set during vendor_init, so changed prop type Bug: 310208141 Test: boot and check if there is no sepolicy issue Change-Id: I89246ab2c686db139cad48550b860d69a41106ff	2023-11-17 01:22:37 +09:00
Seungjae Yoo	d2a0892121	Introduce vendor_microdroid_file for microdroid vendor image In AVF, virtualizationmanager checks the selinux label of given disk image for proving whether the given image is edited maliciously. Existing one(vendor_configs_file, /vendor/etc/*) was too wide to use for this purpose. Bug: 285854379 Test: m Change-Id: I6c966c92b238a2262d2eb7f41041ed4c359e9e0a	2023-11-16 16:44:15 +09:00
Inseob Kim	c6227550f7	Revert "Add permission for VFIO device binding" This reverts commit `901385f711`. Reason for revert: breaking build Change-Id: Ib936ca7c347b657b94bb44692cd0e9ceee5db55a Merged-In: Ie947adff00d138426d4703cbb8e7a8cd429c2272	2023-11-14 08:41:48 +00:00
Treehugger Robot	fc06236fcc	Merge "Revert "Revert^2 "[avf][rkp] Allow virtualizationservice to regi..."" into main am: `3f92c1beb3` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2829351 Change-Id: I7a498e1911a666539ae6eeef9fd5040ecf4c34fa Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-14 03:10:27 +00:00
Treehugger Robot	3f92c1beb3	Merge "Revert "Revert^2 "[avf][rkp] Allow virtualizationservice to regi..."" into main	2023-11-14 02:41:56 +00:00
Inseob Kim	901385f711	Add permission for VFIO device binding vfio_handler will bind platform devices to VFIO driver, and then return a file descriptor containing DTBO. This change adds permissions needed for that. Bug: 278008182 Bug: 308058980 Test: adb shell /apex/com.android.virt/bin/vm run-microdroid \ --devices /sys/bus/platform/devices/16d00000.eh --protected Change-Id: Ie947adff00d138426d4703cbb8e7a8cd429c2272 Merged-In: Ie947adff00d138426d4703cbb8e7a8cd429c2272 (cherry picked from commit `825056de9a`)	2023-11-14 01:56:24 +00:00
Alan Stokes	18bcf12fbb	Revert "Revert^2 "[avf][rkp] Allow virtualizationservice to regi..." Revert submission 2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT Reason for revert: SELinux denials: b/310744536 Reverted changes: /q/submissionid:2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT Change-Id: I88b5f03dccb1b4ab906afde7d66853e816cce7f1	2023-11-14 01:40:53 +00:00
Alice Wang	9f1f416b17	Merge "Revert^2 "[avf][rkp] Allow virtualizationservice to register RKP HAL"" into main am: `dd034824b1` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2812455 Change-Id: Ided47a6c565f8153868e717f14a70a5650cc5ff2 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-13 22:11:40 +00:00
Alice Wang	dd034824b1	Merge "Revert^2 "[avf][rkp] Allow virtualizationservice to register RKP HAL"" into main	2023-11-13 21:33:49 +00:00
Kelvin Zhang	2012f906e9	Merge "Allow update_engine to read /proc/filesystems" into main am: `f5877aafe2` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2736859 Change-Id: Ie71f2b1d2a626c43518b0cd94784a3ecbb89af45 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-08 19:24:30 +00:00
Kelvin Zhang	f5877aafe2	Merge "Allow update_engine to read /proc/filesystems" into main	2023-11-08 18:40:26 +00:00
Kelvin Zhang	f7e9111376	Allow update_engine to read /proc/filesystems During OTA install, update_engine needs to read this file to determine if overlayfs is enabled, as OTA requires overlayfs to be disabled. The selinux denial looks like audit(0.0:242): avc: denied { read } for name="filesystems" dev="proc" ino=4026532076 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc_filesystems:s0 tclass=file permissive=0 Bug: 309812002 Test: th Change-Id: I10903ced21e79c90dec45fb40ecd169d98c94e89	2023-11-08 18:40:12 +00:00
Keith Mok	e4fee01bfc	Merge "SEPolicy for AIDL MACSEC HAL" into main am: `4bd043ca67` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2816915 Change-Id: I15f64ed6b9d6de08af90822dc4858e9e6131a8ab Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-07 22:07:35 +00:00
Keith Mok	4bd043ca67	Merge "SEPolicy for AIDL MACSEC HAL" into main	2023-11-07 21:40:41 +00:00
Shashwat Razdan	218266ac57	Changes in SELinux Policy for CSS API Bug: 309657924 Change-Id: If8717cdf4483c3b116053c952b9da1ad4670244a Test: manual verification ($ adb shell service list)	2023-11-07 20:08:46 +00:00
Treehugger Robot	1515bd7382	Merge "add percpu_pagelist_high_fraction type" into main am: `6f789851e9` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2817160 Change-Id: I7c2fa400ca25ca5b0ae3ab78e5aa6e4dc48eac1c Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-07 14:01:22 +00:00
Martin Liu	52aa5039ba	add percpu_pagelist_high_fraction type Bug: 309409009 Test: boot Change-Id: I04db2ab3a95a5427e6d89cf128ed953fdc823107 Signed-off-by: Martin Liu <liumartin@google.com>	2023-11-07 11:36:00 +08:00
Keith Mok	df794b4590	SEPolicy for AIDL MACSEC HAL Bug: 254108688 Test: AIDL MACSEC HAL VTS (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fba6480fa08001a36faf524d0a6952f29d916a6b) Change-Id: I5ccaa24c6b9600713bbc0e4c523822567b64c662	2023-11-03 21:29:48 +00:00
Ahmad Khalil	ac754f9f4e	Merge "Add new vibrator control service to system_server" into main am: `70b7a8c76d` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2810415 Change-Id: I99ee24b82fac6ff833eec1d7bd7b895efa2d9f6a Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-03 14:39:03 +00:00
Ahmad Khalil	70b7a8c76d	Merge "Add new vibrator control service to system_server" into main	2023-11-03 14:03:19 +00:00
Ahmad Khalil	7c22e8b3cd	Add new vibrator control service to system_server Bug: 305961689 Test: N/A Change-Id: Ia4f061d6ae7656fce4c01f5acc2a1314f8ba4ac4	2023-11-03 12:09:04 +00:00
Kyle Zhang	5fddc6a386	Merge "Add system property persist.drm.forcel3.enabled" into main am: `dcf977ac99` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2806495 Change-Id: I9064851c7c19d0a8447869945ca1f5fe1b0d61c1 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-02 17:47:37 +00:00
Kyle Zhang	dcf977ac99	Merge "Add system property persist.drm.forcel3.enabled" into main	2023-11-02 17:16:42 +00:00
Hasini Gunasinghe	2e63cca5d7	Merge "Add sepolicy for non-secure AuthGraph impl" into main am: `daa1cec849` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2786255 Change-Id: I60e60866831801d876bbac7fa4b14134ceef3ca1 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-11-01 17:10:38 +00:00
Hasini Gunasinghe	daa1cec849	Merge "Add sepolicy for non-secure AuthGraph impl" into main	2023-11-01 16:27:51 +00:00
Alice Wang	0407c993d8	Revert^2 "[avf][rkp] Allow virtualizationservice to register RKP HAL" Revert submission 2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ Reason for revert: This change relands the topic https://r.android.com/q/topic:%22expose-avf-rkp-hal%22 The SELinux denial has been fixed in system/sepolicy Reverted changes: /q/submissionid:2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ Bug: 308596709 Bug: 274881098 Change-Id: Ib23ac4680b0f37b760bff043e1f42ce61a58c3e2	2023-10-31 20:06:23 +00:00
Alice Wang	d4a966612b	Merge "Revert "[avf][rkp] Allow virtualizationservice to register RKP H..."" into main am: `072d8fc0db` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2812436 Change-Id: I02e135aa763020746d1687cc2309eb0d22a95a31 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-10-31 15:41:43 +00:00
Alice Wang	072d8fc0db	Merge "Revert "[avf][rkp] Allow virtualizationservice to register RKP H..."" into main	2023-10-31 15:13:01 +00:00
Alice Wang	ece557dc7a	Revert "[avf][rkp] Allow virtualizationservice to register RKP H..." Revert submission 2778549-expose-avf-rkp-hal Reason for revert: SELinux denial avc: denied { find } for pid=3400 uid=10085 name=android.hardware.security.keymint.IRemotelyProvisionedComponent/avf scontext=u:r:rkpdapp:s0:c85,c256,c512,c768 tcontext=u:object_r:avf_remotelyprovisionedcomponent_service:s0 tclass=service_manager permissive=0 Reverted changes: /q/submissionid:2778549-expose-avf-rkp-hal Bug: 308596709 Change-Id: If8e448e745f2701cf00e7757d0a079d8700d43c0	2023-10-31 15:01:18 +00:00
Alice Wang	3df9e4901a	Merge "[avf][rkp] Allow virtualizationservice to register RKP HAL service" into main am: `7109a31496` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2738393 Change-Id: Ic4552c6a6bf2feb76b0918332edafe0612419450 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-10-31 12:56:49 +00:00
Alice Wang	7109a31496	Merge "[avf][rkp] Allow virtualizationservice to register RKP HAL service" into main	2023-10-31 12:21:41 +00:00
Treehugger Robot	d8667e1699	Merge "Add appcompat override files and contexts to SELinux" into main am: `12665a9787` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2786963 Change-Id: I501dd4436deedc3c9756173409ebea079447ad02 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-10-31 02:54:00 +00:00
Treehugger Robot	12665a9787	Merge "Add appcompat override files and contexts to SELinux" into main	2023-10-31 02:29:57 +00:00
Alex Xu	55f133ee5c	Merge "Add sepolicy for security_state service." into main am: `f82b6897cf` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2803335 Change-Id: Ib3c443cfb4ab4a43f345053348de66182d6b4249 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-10-27 19:47:13 +00:00
Alex Xu	f82b6897cf	Merge "Add sepolicy for security_state service." into main	2023-10-27 19:20:58 +00:00
Alice Wang	104626ca99	[avf][rkp] Allow virtualizationservice to register RKP HAL service Bug: 274881098 Test: atest MicrodroidHostTests Change-Id: Ib0953fa49f27719be63bb244071b132bc385dca3	2023-10-27 09:26:42 +00:00
Kyle Zhang	12c42b5f50	Add system property persist.drm.forcel3.enabled Bug: 299987160 Change-Id: Icf945a2bfb7e25225f30630c5d24bf13a8960a01	2023-10-26 22:16:49 +00:00
Xin Li	67d58f5f39	Merge "Merge android14-tests-dev" into main	2023-10-26 20:11:39 +00:00
Xin Li	522f0a9ef2	Merge android14-tests-dev Bug: 263910020 Merged-In: If027337f7e703fe5b80e18ecddeabbac29011c5f Change-Id: Ic7943d9afe12602f3e4289a7aa6ad0c5d340ed81	2023-10-26 10:31:12 -07:00
Alex Xu	902a010aaa	Add sepolicy for security_state service. security_state service manages security state (e.g. SPL) information across partitions, modules, etc. Bug: 307819014 Test: Manual Change-Id: I4ebcd8431c11b41f7e210947b32cf64c2adf3901	2023-10-26 06:11:58 +00:00
David Drysdale	c4ab01baad	Add sepolicy for non-secure AuthGraph impl Bug: 284470121 Bug: 291228560 Test: hal_implementation_test Test: VtsAidlAuthGraphSessionTest Change-Id: I85bf9e0656bab3c96765cc15a5a983aefb6af66d	2023-10-26 02:00:43 +00:00
Steven Moreland	012b954125	Merge "binderfs neverallows" into main	2023-10-26 00:07:44 +00:00
Steven Moreland	0365329dad	binderfs neverallows Add neverallow reading these files because this came up in a review recently, and they contain information about processes which is important for security, so we'd like to avoid accidentally granted these permissions. Fixes: 306036348 Test: build (is build time change) Change-Id: I8b8917dacd2a65b809b7b6fb7c1869a3db94156b	2023-10-25 00:41:25 +00:00
Nate Myren	0e15f2d9c5	Add appcompat override files and contexts to SELinux This also allows the zygote to bind mount the system properties Bug: 291814949 Test: manual Change-Id: Ie5540faaf3508bc2d244c952904838d56aa67434	2023-10-23 18:34:12 +00:00
Rhed Jao	ebe1316695	Create sepolicy for allowing system_server rw in /metadata/repair-mode Bug: 277561275 Test: ls -all -Z /metadata/repair-mode Change-Id: Ie27b6ef377bb3503e87fbc5bb2446bc0de396123	2023-10-23 13:38:38 +11:00
Li Li	0b3f585a63	Allow system server read binderfs stats When receiving the binder transaction errors reported by Android applications, AMS needs a way to verify that information. Currently Linux kernel doesn't provide such an API. Use binderfs instead until kernel binder driver adds that functionality in the future. Bug: 199336863 Test: send binder calls to frozen apps and check logcat Test: take bugreport and check binder stats logs Change-Id: I3bab3d4f35616b4a7b99d6ac6dc79fb86e7f28d4	2023-10-20 13:22:24 -07:00
Eric Biggers	cc5cb431ee	Stop granting permissions on keystore_key class When keystore was replaced with keystore2 in Android 12, the SELinux class of keystore keys was changed from keystore_key to keystore2_key. However, the rules that granted access to keystore_key were never removed. This CL removes them, as they are no longer needed. Don't actually remove the class and its permissions from private/security_classes and private/access_vectors. That would break the build because they're referenced by rules in prebuilts/. Bug: 171305684 Test: atest CtsKeystoreTestCases Flag: exempt, removing obsolete code Change-Id: I35d9ea22c0d069049a892def15a18696c4f287a3	2023-10-16 22:22:54 +00:00
Vladimir Komsiyski	6e07de8088	Merge "Policy for virtualdevice_native service." into main	2023-10-06 14:20:09 +00:00
Vladimir Komsiyski	31facf0677	Policy for virtualdevice_native service. A parallel implementation of certain VDM APIs that need to be exposed to native framework code. Similar to package_native_service. Not meant to be used directly by apps but should still be available in the client process via the corresponding native manager (e.g. SensorManager). Starting the service: ag/24955732 Testing the service: ag/24955733 Bug: 303535376 Change-Id: I90bb4837438de5cb964d0b560585b085cc8eabef Test: manual	2023-10-06 12:52:42 +00:00
Steve Muckle	bd24038bb1	Merge "allow writes to /sys/power/sync_on_suspend from init" into main am: `a4c440948b` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2771125 Change-Id: I45a1841088438d19052353bab114b2d28006d103 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-10-04 14:05:29 +00:00
Steve Muckle	75603e3ccd	allow writes to /sys/power/sync_on_suspend from init When suspend.disable_sync_on_suspend is set init must write to /sys/power/sync_on_suspend. Bug: 285395636 Change-Id: Ica1b039c3192f08ec84aa07d35c2d0c61e7449c0	2023-10-04 07:44:33 +00:00
Brian Lindahl	1b32bccc1a	Allow for server-side configuration of libstagefright Relaxation of SELinux policies to allow users of libstagefright and MediaCodec to be able to query server-side configurable flags. Bug: 301372559 Bug: 301250938 Test: run cts -m CtsSecurityHostTestCases Change-Id: I72670ee42c268dd5747c2411d25959d366dd972c Merged-In: I95aa6772a40599636d109d6960c2898e44648c9b	2023-09-27 16:15:23 +00:00
Treehugger Robot	d281acf1b5	Merge "hal_dumpstate service is now AIDL service" into main am: `ae071b717b` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2756129 Change-Id: I44fcc2c033df089e86ecd8bda6e5d5d8dd701522 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-09-22 01:51:01 +00:00
Treehugger Robot	ae071b717b	Merge "hal_dumpstate service is now AIDL service" into main	2023-09-22 01:16:28 +00:00
Carlos Galo	ecb23b6ccb	Merge "system_server: allow access to proc/memhealth/*" into main am: `a8e1fe01da` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2754950 Change-Id: Ia3a154eda9673c605505d5440715cbb726f9c26b Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-09-20 06:03:53 +00:00
Carlos Galo	a8e1fe01da	Merge "system_server: allow access to proc/memhealth/*" into main	2023-09-20 05:04:44 +00:00
Jooyung Han	309065bb5b	hal_dumpstate service is now AIDL service Bug: 301079572 Test: VtsHalDumpstateTargetTest Change-Id: I86e80cadcfa51557efad58d854880b9d421e9df9	2023-09-20 10:53:03 +09:00
Carlos Galo	004cc8c21c	system_server: allow access to proc/memhealth/* Libmemevents requires read-access to the attribute files exposed by the memhealth driver. Test: build Test: no denials to /proc/memhealth/oom_victim_list from libmemevents Bug: 244232958 Change-Id: I617c75ab874ad948af37d3e345e5202e46781f3f Signed-off-by: Carlos Galo <carlosgalo@google.com>	2023-09-20 00:30:13 +00:00
Treehugger Robot	35feb11562	Merge "Revert^3 "Start tracking vendor seapp coredomain violations"" into main am: `531e26d991` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2754249 Change-Id: I9bdf9240ad963a39882c75d76bf69ba2afd69af5 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-09-18 06:16:58 +00:00
Treehugger Robot	531e26d991	Merge "Revert^3 "Start tracking vendor seapp coredomain violations"" into main	2023-09-18 05:06:32 +00:00
Inseob Kim	8bc8b75f95	Revert^3 "Start tracking vendor seapp coredomain violations" This reverts commit `b193c80986`. Reason for revert: Fix is merged Change-Id: Ia2dcd6584ee763c6da3f3b7fdd9f4710ffde9bfc	2023-09-18 04:08:19 +00:00
Inseob Kim	76d5f36905	Merge "Revert^2 "Start tracking vendor seapp coredomain violations"" into main am: `5d94d75e38` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2752267 Change-Id: Ic7857eca04d3ad375735f9676b0cf17d1c667849 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-09-15 04:01:08 +00:00
Treehugger Robot	7a921e30f0	Merge "Revert "Start tracking vendor seapp coredomain violations"" into main am: `430c93557f` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2750383 Change-Id: Idb97d60610296a2af52d503a2b7a597beab5498e Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-09-15 04:00:27 +00:00
Inseob Kim	5d94d75e38	Merge "Revert^2 "Start tracking vendor seapp coredomain violations"" into main	2023-09-15 03:59:23 +00:00
Inseob Kim	b193c80986	Revert^2 "Start tracking vendor seapp coredomain violations" This reverts commit `6ec4e5f048`. Reason for revert: breaking build Change-Id: If99f309fd8d5dd5b42a871259451c10530e1769d	2023-09-15 03:58:00 +00:00
Treehugger Robot	430c93557f	Merge "Revert "Start tracking vendor seapp coredomain violations"" into main	2023-09-15 03:06:00 +00:00
Inseob Kim	6ec4e5f048	Revert "Start tracking vendor seapp coredomain violations" This reverts commit `292f22a33b`. Reason for revert: removed all attribute usages; no need Change-Id: Iab489f1a94733438ba0c552fb9e3eb354423a156	2023-09-14 15:57:04 +00:00
Dennis Shen	71f389016f	Merge "Update SELinux to allow vendor process access" into main am: `b7052688e3` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2746856 Change-Id: I2e20f23460e111cee6c9333480cc5b1644cef32a Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-09-12 12:56:06 +00:00
Dennis Shen	b7052688e3	Merge "Update SELinux to allow vendor process access" into main	2023-09-12 12:19:14 +00:00
Dennis Shen	584852eaa7	Update SELinux to allow vendor process access Bug: b/298934058, b/295379636 Change-Id: I2521ae27a88d471263ba4bff69947b2ce28b4b4e	2023-09-11 14:30:29 +00:00
Jeff Pu	2b22cd44e4	Accept binder calls from servicemanger am: `3778cd4765` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2746858 Change-Id: Ie4c08f7b8d88fec9283aa31da9442f556253007a Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-09-08 22:06:18 +00:00
Jeff Pu	3778cd4765	Accept binder calls from servicemanger Bug: 228638448 Test: Manual Change-Id: Iaa64d252417ffeda7c07365c5ecd1b517b07314b	2023-09-08 16:02:05 -04:00
Treehugger Robot	d065d025ed	Merge "C2 AIDL sepolicy update" into main am: `8342def00a` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2721424 Change-Id: I096e99c403f513a203040cf97e199392dc794177 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-09-07 19:52:25 +00:00
Wonsik Kim	a981983e70	C2 AIDL sepolicy update Bug: 251850069 Test: presubmit Change-Id: Ica39920472de154aa01b8e270297553aedda6782	2023-09-06 14:30:26 -07:00
Daeho Jeong	6bac935581	Merge "compress logcat files" into main am: `e7a31d52c7` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2726765 Change-Id: I46214a920ef0bd94e42f170e5e370211e8dc7dfc Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-08-31 23:04:32 +00:00
Daeho Jeong	e7a31d52c7	Merge "compress logcat files" into main	2023-08-31 22:46:43 +00:00
Thiébaud Weksteen	a0075f40c6	Merge "Update documentation on binderservicedomain" into main am: `69a9189ddf` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2728813 Change-Id: Ic44e49d612ef2fd1eff36068d345cf426e8f11f5 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-08-30 00:01:57 +00:00
Thiébaud Weksteen	5c20e61a92	Merge "Grant dumpstate access to artd service" into main am: `9432227844` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2724933 Change-Id: I4734d816e4946470b9368a2972894eedab236808 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-08-30 00:01:20 +00:00
Thiébaud Weksteen	69a9189ddf	Merge "Update documentation on binderservicedomain" into main	2023-08-29 23:27:50 +00:00
Xin Li	80690d5086	Merge "Merge Android U (ab/10368041)" into aosp-main-future	2023-08-28 22:13:48 +00:00
Thiébaud Weksteen	5e9b88f739	Update documentation on binderservicedomain The binderservicedomain attribute grants further permissions than its name suggests. Update the documentation to avoid its usage. Bug: 297785784 Test: build, documentation update only. Change-Id: I41bc6f32cf4d56bde320261fe221c3653cda945a	2023-08-28 12:22:17 +10:00
Thiébaud Weksteen	8a250b9099	Grant dumpstate access to artd service The artd daemon is not always active. When running, it exposes a binder service which may be dumped when a bug report is triggered. The current policy did not fully grant access which resulted in spurious denials if a bugreport was triggered when the daemon was running. Test: Run bugreport; observe correct dump of artd service Bug: 282614147 Bug: 192197221 Change-Id: Ie0986d7716de33ec38ae09cfee14c629f5a414a6	2023-08-28 10:53:58 +10:00
Daeho Jeong	6ac8e4cf00	compress logcat files Change selinux policy to compress logcat files. Test: check whether logcat files are compressed Bug: 295175795 Change-Id: Ib120700c6dab4b1d0e29f0e19e55793bfb7a1675 Signed-off-by: Daeho Jeong <daehojeong@google.com>	2023-08-25 15:02:34 -07:00
Kangping Dong	5e82983ee4	Merge "[Thread] add sepolicy rules for Thread system service" into main	2023-08-24 06:42:08 +00:00
Xin Li	e07dbe0a63	Merge Android U (ab/10368041) Bug: 291102124 Merged-In: Id2cc5dbbafffb4633706e5cc728cb44abd417340 Change-Id: I77e68f17a1273958bcdc32b5a4b6a0ff3ffdfd2a	2023-08-23 17:20:59 -07:00
Kangping Dong	45efca84e5	[Thread] add sepolicy rules for Thread system service Add SEPolicy for the ThreadNetworkService Add Fuzzer exception, thread_network service is java only FR: b/235016403 Test: build and start thread_network service bug: 262683651 Change-Id: Ifa2e9500dd535b0b4f2ad9af006b8dddaea900db	2023-08-23 17:08:58 +08:00
Eric Biggers	448bd57181	Remove all module_request rules Starting in Android 11, Android unconditionally disables kernel module autoloading (https://r.android.com/1254748) in such a way that even the SELinux permission does not get checked. Therefore, all the SELinux rules that allow or dontaudit the module_request permission are no longer necessary. Their presence or absence makes no difference. Bug: 130424539 Test: Booted Cuttlefish, no SELinux denials. Change-Id: Ib80e3c8af83478ba2c38d3e8a8ae4e1192786b57	2023-08-22 16:56:04 +00:00
Treehugger Robot	6d6183a709	Merge "Add rules for reading VM DTBO by vfio_handler" into main	2023-08-18 08:56:17 +00:00
Inseob Kim	292f22a33b	Start tracking vendor seapp coredomain violations As part of Treble, enforce that vendor's seapp_contexts can't label apps using coredomains. Apps installed to system/system_ext/product should be labeled with platform side sepolicy. This change adds the violators attribute that will be used to mark violating domains that need to be fixed. Bug: 280547417 Test: manual Change-Id: I64f3bb2880bd19e65450ea3d3692d1b424402d92	2023-08-18 15:24:59 +09:00
Seungjae Yoo	1b2d9de08d	Add rules for reading VM DTBO by vfio_handler Bug: 291191362 Test: m Merged-In: I0b38feb30382c5e6876e3e7809ddb5cf9034e4fd Change-Id: I0b38feb30382c5e6876e3e7809ddb5cf9034e4fd	2023-08-18 01:17:23 +00:00
Victor Hsieh	1020cada2d	Remove shell from neverallow of frp_block_device access Since shell doesn't have any frp_block_device rule anyway. Bug: None Test: m Change-Id: I5aeb54969359500f9473bc08cb1fd42e3470b428	2023-08-16 11:17:31 -07:00
Alfred Piccioni	cbb3ddd15f	Revert "Add rules for reading VM DTBO by vfio_handler" This reverts commit `70d70e6be4`. Reason for revert: See internal bug for clarification: http://b/291191362 Change-Id: If37670f7d71635314c618f7ac88802bfbc6fa007	2023-08-14 13:04:00 +00:00
Seungjae Yoo	70d70e6be4	Add rules for reading VM DTBO by vfio_handler Bug: 291191362 Test: m Change-Id: If93ca63324679aa1d65b3bb6bf792f8745184132	2023-08-14 10:46:44 +09:00
Jooyung Han	c30e7cdce3	Merge "Revert "Allow vold_prepare_subdirs to use apex_service"" into main	2023-08-11 23:23:18 +00:00
Jooyung Han	701a0dab5c	Revert "Allow vold_prepare_subdirs to use apex_service" Revert submission 2685449-apexdata-dirs Reason for revert: b/295345486 performance regression. Reverted changes: /q/submissionid:2685449-apexdata-dirs Change-Id: Iceb277cd8a291fb008b45310cc03b5df2057f08c	2023-08-11 15:34:44 +00:00
Jooyung Han	1158a1559e	Merge "Allow vold_prepare_subdirs to use apex_service" into main	2023-08-09 06:37:02 +00:00
igorzas	7489e93613	Add RemoteAuthService Add SEPolicy for the RemoteAuth Manager/Service Add Fuzzer exception, remote_auth service is going to be in Java and Rust only Design doc: go/remote-auth-manager-fishfood-design Test: loaded on device. Bug: 290092977 Change-Id: I4decb29b863170aed5e7c85da9c4b50c0675d3bd	2023-08-04 17:55:14 +00:00
Jakob Schneider	09916a69c9	Merge "Add SEPolicy for the ArchiveManager/Service." into main	2023-08-04 16:10:01 +00:00
Jakob Schneider	5c5a6af643	Add SEPolicy for the ArchiveManager/Service. Test: boots - CTS coming in a future change Change-Id: Ia42bc21e1523c7b225b7c84c3a3f18dd3ed1a54f	2023-08-04 14:13:03 +01:00
Kangping Dong	9d965761ca	Merge "add sepolicy rules for OT daemon binder service" into main	2023-08-03 14:13:21 +00:00
Kangping Dong	0b3e8c62ee	add sepolicy rules for OT daemon binder service Bug: 262681784 Change-Id: I3b4d3603709a761ad1410b81c0e5b4e4fc51c43c	2023-08-03 13:31:53 +08:00
Kelvin Zhang	0e7babefee	Merge "Give vold permission to wipe a block device" into main	2023-08-02 23:31:50 +00:00
Kelvin Zhang	2b413622ce	Give vold permission to wipe a block device During mountFstab call, vold might need to wipe and re-format a device. See code in system/vold/model/PublicVolume.cpp , PublicVolume::doFormat Allow IOCTLs such as BLKDISCARDZEROES for wiping. Test: th Bug: 279808236 Change-Id: I0bebf850aa45ece6227fa5c3e9c3fdb38164f79e	2023-08-02 14:27:08 -07:00
Inseob Kim	825056de9a	Add permission for VFIO device binding vfio_handler will bind platform devices to VFIO driver, and then return a file descriptor containing DTBO. This change adds permissions needed for that. Bug: 278008182 Test: adb shell /apex/com.android.virt/bin/vm run-microdroid \ --devices /sys/bus/platform/devices/16d00000.eh --protected Change-Id: Ie947adff00d138426d4703cbb8e7a8cd429c2272	2023-08-02 15:06:51 +09:00
Jooyung Han	0ce8184bed	Allow vold_prepare_subdirs to use apex_service to get the list of active APEXes. Bug: 293949266 Bug: 293546778 Test: CtsPackageSettingHostTestCases Change-Id: I86f58158b97463206fb76a0c31f29b78874f4c35	2023-08-01 10:46:03 +00:00
Vadim Caen	d64cf75c48	Policy for virtual_camera Adds a policy to run the virtual_camera process which: - registers a service implementing the camera HAL - registers a service to reveive communicate with virtual cameras via system_server Bug: 253991421 Test: CTS test android.virtualdevice.cts.VirtualDeviceManagerBasicTest#createDevice_createCamera Change-Id: I772d176919b8dcd3b73946935ed439207c948f2b	2023-07-25 19:27:48 +00:00
Zhanglong Xia	b2d1fbb7b2	Add sepolicy rules for Thread Network HAL Bug: b/283905423 Test: Build and run the Thread Network stack in Cuttlefish. Change-Id: I783022c66b80274069f8f3c292d84918f41f8221	2023-06-30 10:56:38 +08:00
Jay Civelli	a574060586	Add 2 new system properties for Quick Start Test: Manually validated that GmsCore can access the properties, but not a test app. Change-Id: I2fa520dc31b328738f9a5fd1bcfc6632b61ad912 Bug: 280330984 (cherry picked from commit `c97b3a244f`)	2023-06-23 10:43:11 +00:00
Steven Moreland	edd361bf2e	Merge "Give serial number access to drm hal server not client" am: `ca5f06cdb9` am: `659dd24ae5` am: `c74231dfa3` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2616969 Change-Id: Id2cc5dbbafffb4633706e5cc728cb44abd417340 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-06-21 23:52:00 +00:00
Steven Moreland	ca5f06cdb9	Merge "Give serial number access to drm hal server not client"	2023-06-21 21:27:09 +00:00
Eric Biggers	9cb04c4dbc	Merge "Allow vold to rename system_data_file directories" am: `8b703551d8` am: `0038d8f822` am: `122d3f0d20` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2619901 Change-Id: I372c6c155928c9772f8d9aa8ba9e82affb12d6cb Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-06-14 00:08:32 +00:00
Eric Biggers	8b703551d8	Merge "Allow vold to rename system_data_file directories"	2023-06-13 22:11:39 +00:00
Eric Biggers	95930cf6a7	Allow vold to rename system_data_file directories To fully close a race condition where processes can access per-user directories before an encryption policy has been assigned, vold is going to start creating these directories under temporary names and moving them into place once fully prepared. To make this possible, give vold permission to rename directories with type system_data_file. Bug: 156305599 Bug: 285239971 Change-Id: Iae2c8f7d2dc343e7d177e6fb2e893ecca1796f7f	2023-06-13 16:22:03 +00:00
Jooyung Han	2b60a575e1	Merge "Allow vendor_overlay_file from vendor apex" am: `ad08877b4d` am: `cef75edc33` am: `a34197f152` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2618632 Change-Id: If0392eee00457c2e41d3f2c214405c8ca12f9f04 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-06-09 08:02:14 +00:00
Jooyung Han	7c4f8a87d3	Allow vendor_overlay_file from vendor apex Path to vendor overlays should be accessible to those processes with access to vendor_overlay_file. This is okay when overlays are under /vendor/overlay because vendor_file:dir is accessible from all domains. However, when a vendor overlay file is served from a vendor apex, then the mount point of the apex should be allowed explicitly for 'getattr' and 'search'. Bug: 285075529 Test: presubmit tests Change-Id: I393abc76ab7169b65fdee5aefd6da5ed1c6b8586	2023-06-09 13:43:11 +09:00
Thiébaud Weksteen	1fb3d3fa7f	Merge "Grant signal permission for dumpstate on app_zygote" am: `4ba0198325` am: `e5705ebae0` am: `3657ef0c2d` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2616609 Change-Id: Icf1e64e86a1003732068d3512b0442e219cf934d Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-06-09 01:33:32 +00:00
Thiébaud Weksteen	4ba0198325	Merge "Grant signal permission for dumpstate on app_zygote"	2023-06-08 23:22:42 +00:00
Jooyung Han	aa33b4a079	Merge "Introduce vendor_apex_metadata_file" am: `94dc202954` am: `1f47660fb4` am: `3f9a296855` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2606717 Change-Id: I98af12c69db65fada6ee659a9066ba14996bd2fc Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-06-08 01:58:18 +00:00
David Anderson	ae8817dc1e	Allow ueventd to access device-mapper. ueventd needs access to device-mapper to fix a race condition in symlink creation. When device-mapper uevents are received, we historically read the uuid and name from sysfs. However it turns out sysfs may not be fully populated at that time. It is more reliable to read this information directly from device-mapper. Bug: 286011429 Test: libdm_test, treehugger (cherry picked from https://android-review.googlesource.com/q/commit:e09c0eee36d58894bb0d30b9af4e33ee7dd7011c) Merged-In: I36b9b460a0fa76a37950d3672bd21b1c885a5069 Change-Id: I36b9b460a0fa76a37950d3672bd21b1c885a5069 Change-Id: I1197d0051a9ce96b7edd87347b5db266b1643d30	2023-06-07 08:06:12 -07:00
Robert Shih	1bd70df43b	Give serial number access to drm hal server not client Bug: 284812208 Change-Id: I489feba47f9eb0d9a4ea483cd55aa3a8bbfd389e	2023-06-06 08:33:19 +00:00
Thiébaud Weksteen	ae39ba7068	Grant signal permission for dumpstate on app_zygote Bug: 282614147 Bug: 238263438 Bug: 238263561 Bug: 238263942 Bug: 264483390 Bug: 279680264 Test: TreeHugger Change-Id: I8b74fec0ea855e244e218fdeb43a57407fe77388	2023-06-06 10:29:57 +10:00
Jooyung Han	b6211b88cf	Introduce vendor_apex_metadata_file A new label for ./apex_manifest.pb and ./ entries in vendor apexes. This is read-allowed by a few system components which need to read "apex" in general. For example, linkerconfig needs to read apex_manifest.pb from all apexes including vendor apexes. Previously, these entries were labelled as system_file even for vendor apexes. Bug: 285075529 Test: m && launch_cvd Test: atest VendorApexHostTestsCases Change-Id: Icc234bf604e3cafe6da81d21db744abfaa524dcf	2023-06-05 17:17:51 +09:00
Brian Lindahl	ccc0033ce2	Move allow rule out of the neverallow section am: `abbd8aeefd` am: `94a092c7d0` am: `9933bee328` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2611889 Change-Id: I0808bb2bde69adbadfbf9d790736eba2bd86029e Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-06-02 02:57:08 +00:00
Brian Lindahl	abbd8aeefd	Move allow rule out of the neverallow section Resovles comment from aosp/2605806 Bug: 234833109 Test: build Change-Id: I248613ed2d9a7f26d404df8552c2dfc74694754a	2023-06-01 12:36:55 -06:00
Treehugger Robot	30c25de59d	Merge changes from topic "artsrv-experiment-flag" * changes: Give art_boot explicit access to experiment flags. Allow the ART boot oneshot service to configure ART config properties.	2023-06-01 18:21:50 +00:00
Brian Lindahl	da80fcc173	Allow media server configurable flags to be read from anywhere am: `ffeb680417` am: `7975447205` am: `9d16f70010` am: `35ea33c233` am: `94e54d5eb0` am: `6e6229bb73` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2605806 Bug: 234833109 Test: manual test with 'adb shell device_config' commands Ignore-AOSP-First: cherry pick from AOSP Change-Id: I4d9de68549de6f1664711c5da1bed3dfc034a21b Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> (cherry picked from commit `1d2f8fa03f`)	2023-05-26 23:49:29 +00:00
Steven Moreland	4f70ae5aa6	Merge "strengthen app_data_file neverallows" am: `46288c6b97` am: `5b0dad1c2a` am: `1989332545` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2599511 Change-Id: I61e512562c3db401cdaaed373b97b2dc1580fe20 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-05-26 20:20:08 +00:00
Steven Moreland	46288c6b97	Merge "strengthen app_data_file neverallows"	2023-05-26 15:32:15 +00:00
Brian Lindahl	35ea33c233	Allow media server configurable flags to be read from anywhere am: `ffeb680417` am: `7975447205` am: `9d16f70010` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2605806 Change-Id: I699cab1755fee0c02ff74a62245238d51328b61b Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-05-26 09:01:44 +00:00
Brian Lindahl	ffeb680417	Allow media server configurable flags to be read from anywhere The majority of code for media encoding and decoding occurs within the context of client app processes via linking with libstagefright. This code needs access to server-configurable flags to configure codec-related features. Bug: 234833109 Test: manual test with 'adb shell device_config' commands Change-Id: I95aa6772a40599636d109d6960c2898e44648c9b	2023-05-25 20:48:00 -06:00
Treehugger Robot	d3fe5e76f3	Merge "Add sepolicy for ro.build.ab_update.ab_ota_partitions" am: `cd69d35a5e` am: `b7185cb58e` am: `ed859c9fd8` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2597146 Change-Id: I55e7784d8efbea27201df09ddf08702ddcf810d1 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-05-25 13:06:21 +00:00
Treehugger Robot	cd69d35a5e	Merge "Add sepolicy for ro.build.ab_update.ab_ota_partitions"	2023-05-25 11:14:40 +00:00
Treehugger Robot	23e8e00690	Merge "Allow ueventd to read apexd property" am: `d16bf50b26` am: `4774a44073` am: `f3dfb131e3` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1933081 Change-Id: I5bb9c934dd8bb34f9f209a9153a50942c58351ef Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-05-25 03:49:14 +00:00

1 2 3 4 5 ...

7975 commits