Commit graph

37832 commits

Author SHA1 Message Date
Treehugger Robot
24dec744ab Merge "Allow deleting old virtualization files" am: 25a665ded7 am: fd3e4b1a32
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2080182

Change-Id: I6c5dbd3bec4f30b802278d172a51f03ad86500f2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-05-03 13:42:11 +00:00
Treehugger Robot
fd3e4b1a32 Merge "Allow deleting old virtualization files" am: 25a665ded7
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2080182

Change-Id: I9df8a19c96d624be03bb2ff62fde0d71927f006c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-05-03 13:22:40 +00:00
Treehugger Robot
25a665ded7 Merge "Allow deleting old virtualization files"
2022-05-03 09:28:57 +00:00
Treehugger Robot
d7aa0ba939 Merge "[MS82.3] Add sepolicy to access connectivity apex directory" am: 1d79fd5071 am: 470e54c22f
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2069127

Change-Id: I8466efd278cecb7ff9e0c144c2459afe6dfa8885
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-05-03 09:11:46 +00:00
Richard Chang
1b95e83cb0 Merge "Allow vendor services to access vendor_system_native_prop" am: 0b25ca45cf am: 31260126a0
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2083463

Change-Id: I1d3d7b9b69096a76a4c5ff33fc0a806a11f63767
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-05-03 09:11:03 +00:00
Jiyong Park
2e44a773ea [automerger skipped] Allow untrusted app to use virtualizationservice - even on user builds am: 8a5c1598ca am: 1c2f9f14ab -s ours
am skip reason: Merged-In Ie0b1b9801dd7726633f97456a38bc0ea349013db with SHA-1 0dda188cad is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2083946

Change-Id: I1e21f1e3d53975a963f36ff34b14991a1164cb80
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-05-03 09:10:20 +00:00
Treehugger Robot
470e54c22f Merge "[MS82.3] Add sepolicy to access connectivity apex directory" am: 1d79fd5071
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2069127

Change-Id: Iabf13e810cb556e4e370f4b1e372bf5a6a042660
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-05-03 08:45:35 +00:00
Richard Chang
31260126a0 Merge "Allow vendor services to access vendor_system_native_prop" am: 0b25ca45cf
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2083463

Change-Id: Ia1b76616ece8b8a99d48c6fa10cea2aa1f240dc5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-05-03 08:45:14 +00:00
Jiyong Park
1c2f9f14ab Allow untrusted app to use virtualizationservice - even on user builds am: 8a5c1598ca
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2083946

Change-Id: I65c66a87f354425fa4f7ead44f2c2729e893bcef
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-05-03 08:44:50 +00:00
Treehugger Robot
1d79fd5071 Merge "[MS82.3] Add sepolicy to access connectivity apex directory"
2022-05-03 08:00:18 +00:00
Richard Chang
0b25ca45cf Merge "Allow vendor services to access vendor_system_native_prop"
2022-05-03 07:48:51 +00:00
Jiyong Park
ef7ddf7ef1 Allow untrusted app to use virtualizationservice - even on user builds am: 0dda188cad
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/18118024

Change-Id: I18a60c9f61f4681c65ad6448d581873158066e5e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-05-03 05:58:36 +00:00
Jiyong Park
8a5c1598ca Allow untrusted app to use virtualizationservice - even on user builds
This only makes it difficult to run (test/demo) apps using AVF. They
have to be pre-installed on the device which is infeasible on
user-build devices.

Removing the guard so that untrusted apps can use virtualizationservice
even on user builds. Note that the use is still gated by the
MANAGE_VIRTUAL_MACHINE permission, which can be granted only by
pre-installing or explicitly via `adb shell pm grant`. So there's no
risk of 3p apps downloaded from the net having their own VM.

Bug: 231080171
Test: run MicrodroidDemoApp on a user build
Merged-In: Ie0b1b9801dd7726633f97456a38bc0ea349013db
Change-Id: Ie0b1b9801dd7726633f97456a38bc0ea349013db
2022-05-03 14:38:28 +09:00
Treehugger Robot
3ac98ee208 Merge "Allow microdroid_manager to set dev.bootcomplete" am: 0d66aff97f am: 97569d867d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2084003

Change-Id: I389c6de99d38e17b501cf6a98e0ad27cd3ba2657
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-05-03 05:24:25 +00:00
Treehugger Robot
a45377df52 Merge changes from topic "33.0_sepolicy_mapping_file" am: 4410dab4de am: 9c142ddafc
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2083164

Change-Id: I1cda80d8cb93269f944ab913f9bf916f29e74a5e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-05-03 05:23:57 +00:00
Yurii Zubrytskyi
dbeebda0fa platform/system/sepolicy - SEPolicy Prebuilts for Tiramisu am: 9d9c730f1c am: ac14146a95
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2083163

Change-Id: I80b96eae8b7af2bd872f2245c63862dc6a1ae439
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-05-03 05:23:52 +00:00
Treehugger Robot
97569d867d Merge "Allow microdroid_manager to set dev.bootcomplete" am: 0d66aff97f
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2084003

Change-Id: Ia5154c7c853f195507272f94ce54a6961343c85d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-05-03 05:22:28 +00:00
Richard Chang
af8fac1c56 Allow vendor services to access vendor_system_native_prop
Bug: 226456604
Test: Build
Change-Id: Icc11b9bf06fd0fb8069388ca5a32e8aedf1743a8
2022-05-03 04:19:07 +00:00
Treehugger Robot
0d66aff97f Merge "Allow microdroid_manager to set dev.bootcomplete"
2022-05-03 02:43:35 +00:00
Treehugger Robot
9c142ddafc Merge changes from topic "33.0_sepolicy_mapping_file" am: 4410dab4de
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2083164

Change-Id: Ib87df883bca1c7a81cf9270609f888769418d971
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-05-03 02:21:52 +00:00
Yurii Zubrytskyi
ac14146a95 platform/system/sepolicy - SEPolicy Prebuilts for Tiramisu am: 9d9c730f1c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2083163

Change-Id: I82afd93fc40e78a7ea4026c591e8bbaff320ec9b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-05-03 02:21:49 +00:00
Treehugger Robot
4410dab4de Merge changes from topic "33.0_sepolicy_mapping_file"
* changes:
  Add 33.0 mapping files
  platform/system/sepolicy - SEPolicy Prebuilts for Tiramisu
2022-05-03 00:32:17 +00:00
TreeHugger Robot
cf03e40221 Merge "Allow deleting old virtualization files" into tm-dev am: e8d8d4cb89
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/17983437

Change-Id: I172b3c74b108a7fe9a3142d58e81541d498dbb95
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-05-02 21:26:46 +00:00
Treehugger Robot
26a1ecf3c4 Merge "Add "ro.hardware.egl_legacy" for ANGLE system driver" am: fe1ad47b3b am: 4a0b80879a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2078298

Change-Id: I8f3a24dfef0715a5a9ea7b86a9ca4928850c78b3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-05-02 19:25:09 +00:00
Yu Shan
e4ddf119a1 Allow vehicle_binding_util to access AIDL VHAL. am: d5af7b7cea am: 565699bc61
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2082539

Change-Id: I0154b6776d80d0876d7a935af1c8024e521462be
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-05-02 19:24:57 +00:00
Eric Biggers
cffbd065d7 Merge "zygote.te: clean up and tighten app data isolation rules" am: a77c2963e9 am: cf064c32a1
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2078007

Change-Id: Ic4a68cfd4f7e110ac5f185514ce42da234540622
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-05-02 19:24:48 +00:00
Treehugger Robot
4a0b80879a Merge "Add "ro.hardware.egl_legacy" for ANGLE system driver" am: fe1ad47b3b
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2078298

Change-Id: Ie03cf3b98f9f295f57fcd012dcc94c8abb0e1108
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-05-02 18:59:27 +00:00
Yu Shan
565699bc61 Allow vehicle_binding_util to access AIDL VHAL. am: d5af7b7cea
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2082539

Change-Id: If60eb04fc41df3ce30212bb0763590f2b69f4edd
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-05-02 18:58:42 +00:00
Eric Biggers
cf064c32a1 Merge "zygote.te: clean up and tighten app data isolation rules" am: a77c2963e9
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2078007

Change-Id: Ia6806138f6c09c885a61f98799828e4fd3477690
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-05-02 18:57:58 +00:00
Treehugger Robot
fe1ad47b3b Merge "Add "ro.hardware.egl_legacy" for ANGLE system driver"
2022-05-02 18:41:39 +00:00
Victor Hsieh
a62b3ff58a Allow microdroid_manager to set dev.bootcomplete
... and shell to get the same property for testing.

Bug: 230774156
Test: atest MicrodroidTestCase
Change-Id: Iaf04072c2b394d44ef1253fd048d5ccf757a8b89
2022-05-02 10:33:49 -07:00
Inseob Kim
4ae05118c1 Add 33.0 mapping files
Steps taken to produce the mapping files:

0. Add 33.0 prebuilts to prebuilts/api/33.0/.

1. Add the following Android.bp modules.

    33.0.board.compat.map
    33.0.board.compat.cil
    33.0.board.ignore.map
    plat_33.0.cil
    system_ext_33.0.cil
    product_33.0.cil
    33.0.ignore.cil
    system_ext_33.0.ignore.cil
    product_33.0.ignore.cil
    33.0.compat.cil
    system_ext_33.0.compat.cil

2. Touch the following three files.

    private/compat/33.0/33.0.cil
    private/compat/33.0/33.0.compat.cil
    private/compat/33.0/33.0.ignore.cil

3. Add 33.0 to PLATFORM_SEPOLICY_COMPAT_VERSIONS on
build/make/core/config.mk. Note that we don't update
sepolicy_major_vers to 33, but just update compat versions.

4. Run the following command.

    $ source build/make/rbesetup.sh && lunch aosp_arm64-userdebug
    $ m sepolicy_generate_compat
    $ sepolicy_generate_compat --branch=tm-dev \
        --build latest --target-version 33.0 \
        --latest-version 32.0

This change also enables treble_sepolicy_tests_33.0 and installs
33.0.cil mapping file onto the device.

Test: m treble_sepolicy_tests_33.0
Test: m 33.0_compat_test
Test: m slinux_policy
Change-Id: Ie969ff0372ff1268776165cee5cb5b07d303453c
2022-05-02 14:12:28 +09:00
Yurii Zubrytskyi
9d9c730f1c platform/system/sepolicy - SEPolicy Prebuilts for Tiramisu
Bug: 225745567
Test: Build
Change-Id: I49fb91c7a60fb1e871bdf3553d978bb16c476fd7
Merged-In: I49fb91c7a60fb1e871bdf3553d978bb16c476fd7
(cherry picked from commit f9a00364c8)
2022-05-02 13:24:45 +09:00
Jiyong Park
0dda188cad Allow untrusted app to use virtualizationservice - even on user builds
This only makes it difficult to run (test/demo) apps using AVF. They
have to be pre-installed on the device which is infeasible on
user-build devices.

Removing the guard so that untrusted apps can use virtualizationservice
even on user builds. Note that the use is still gated by the
MANAGE_VIRTUAL_MACHINE permission, which can be granted only by
pre-installing or explicitly via `adb shell pm grant`. So there's no
risk of 3p apps downloaded from the net having their own VM.

Ignore-AOSP-First: will cherry-pick to AOSP

Bug: 231080171
Test: run MicrodroidDemoApp on a user build
Change-Id: Ie0b1b9801dd7726633f97456a38bc0ea349013db
2022-05-02 13:00:06 +09:00
Ian Elliott
92251f5d15 Add "ro.hardware.egl_legacy" for ANGLE system driver
This supports the ability to switch between ANGLE and a legacy GLES
driver in cases when transitioning from a legacy GLES driver to ANGLE
as the system driver.  With ANGLE as the GLES system driver, the
platform needs a way to identify the legacy GLES driver, so that it
can be used for particular applications.

Test: CtsAngleDeveloperOptionHostTest
Bug: 224558229
Change-Id: I359b37daa96eb6f8424bde530bb1ac79affd1b04
2022-04-29 18:35:16 -06:00
Yu Shan
d5af7b7cea Allow vehicle_binding_util to access AIDL VHAL.
AIDL service requires binder_use not hwbinder_use.

Test: None
Bug: None
Change-Id: Ic2245c4b1961cc3a5bbd61a1cb6134d92b8752c1
2022-04-29 16:39:03 -07:00
Alan Stokes
c88f0efe3e Allow deleting old virtualization files
Allow init to use toolbox to rm -rf stale files under /data/misc/virtualizationservice.

Bug: 230056726
Test: Create fake stale dir+file, see them deleted
Change-Id: I4a31e437344974597fc5280d898f23780a820f16
(cherry picked from commit 8e06fb4109)
2022-04-29 10:56:34 +00:00
TreeHugger Robot
e8d8d4cb89 Merge "Allow deleting old virtualization files" into tm-dev
2022-04-29 08:09:25 +00:00
Eric Biggers
a77c2963e9 Merge "zygote.te: clean up and tighten app data isolation rules"
2022-04-28 17:51:53 +00:00
Treehugger Robot
086bcf57db Merge "Revert "Fix bootchart on android12"" am: 4fe6bd16f3 am: 57cd703d00
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2075861

Change-Id: If0bde253716827ddbf0ea5d212a40077ef19a6c9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-28 17:08:39 +00:00
Treehugger Robot
57cd703d00 Merge "Revert "Fix bootchart on android12"" am: 4fe6bd16f3
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2075861

Change-Id: I33318773873ec9c65c411f8ca17c09317d266538
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-28 16:38:35 +00:00
Treehugger Robot
4fe6bd16f3 Merge "Revert "Fix bootchart on android12""
2022-04-28 15:52:46 +00:00
Alan Stokes
8e06fb4109 Allow deleting old virtualization files
Allow init to use toolbox to rm -rf stale files under /data/misc/virtualizationservice.

Bug: 230056726
Test: Create fake stale dir+file, see them deleted
Ignore-AOSP-First: Needed in T, will CP to aosp
Change-Id: I4a31e437344974597fc5280d898f23780a820f16
2022-04-28 10:58:43 +01:00
Treehugger Robot
53e47a50b5 Merge "Prevent sandbox executing from sdk_sandbox_data_file" am: 8594b156af am: 1e4a761436
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2074904

Change-Id: I82c73d4949d5e369e08c0d37bc7636ee68ea9656
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-28 08:19:10 +00:00
Treehugger Robot
1e4a761436 Merge "Prevent sandbox executing from sdk_sandbox_data_file" am: 8594b156af
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2074904

Change-Id: I48719514d3666d4177aa18643b0e4af7f1f34a41
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-28 07:33:07 +00:00
Treehugger Robot
8594b156af Merge "Prevent sandbox executing from sdk_sandbox_data_file"
2022-04-28 06:28:08 +00:00
Eric Biggers
9f07ea5442 zygote.te: clean up and tighten app data isolation rules
Group together the rules for setting up app data isolation and get all
the comments up-to-date.  Also remove some parts that aren't needed:

- 'allow zygote mnt_expand_file:dir mounton;' -- not needed.  It might
  have been thought that this was needed for mounting tmpfs on
  /mnt/expand/$volume/user{,_de}, but those have type system_data_file.

- 'allow zygote mnt_expand_file:dir relabelto;' -- not needed, as
  nothing is ever relabeled to this type.

- 'allow zygote media_rw_data_file:dir getattr;' -- not needed to create
  bind mounts.  The similar rules for user_profile_* don't include this.

- 'allow zygote mirror_data_file:dir r_dir_perms;' -- tighten to just
  the required search permission.

- 'allow zygote system_data_file:dir getattr;' -- redundant with 'allow
  zygote system_data_file:dir r_dir_perms;', and not needed for the
  stated reason of "Get inode of directories for app data isolation".

Test: booted Cuttlefish, no denials seen.
Change-Id: Id77b8c81625fd785a5d0d88c37d7c85b8fff7244
2022-04-27 21:59:27 +00:00
Eric Biggers
39b18f6963 Merge "toolbox.te: remove unneeded FS_IOC_FS[GS]ETXATTR permission" am: 74e65cb878 am: 4cc45b3537
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2077301

Change-Id: Ida13a7a627603ffdcdc6b7f1770a92ff04e17e26
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-27 20:27:50 +00:00
Eric Biggers
4cc45b3537 Merge "toolbox.te: remove unneeded FS_IOC_FS[GS]ETXATTR permission" am: 74e65cb878
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2077301

Change-Id: Ia5b75b1be2a09d5872b12eb3f0208382c436cb8a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-27 19:59:43 +00:00
Eric Biggers
74e65cb878 Merge "toolbox.te: remove unneeded FS_IOC_FS[GS]ETXATTR permission"
2022-04-27 19:24:57 +00:00