Commit graph

8261 commits

Author SHA1 Message Date
John Reck
22903f0435 Add IAllocator stable-aidl
Test: Builds & boots; no sepolicy errors logged
Bug: 193558894
Change-Id: I11e162310548b67addc032ccc0d499cbf391e7f9
2022-01-18 19:40:26 -05:00
Seth Moore
7e95d22296 Add keystore2 permission to get attestation keys
Contexts must have this permission to fetch remotely provisioned
attestation key blobs. It is expected that only credstore will have
this permission.

Test: manual, build and run cuttlefish
Bug: 194696876
Change-Id: Ieebd552129bc8be6b8831ec2e38eb6bda522b216
2022-01-18 16:17:45 -08:00
John Wu
ce225f8bfb Merge "Add keystore2 LIST permission to system_server" 2022-01-19 00:05:29 +00:00
Victor Hsieh
88d93b984a Remove odrefresh privileges no longer needed for CompOS
Bug: 210998077
Test: m; TH
Change-Id: I4188a52c42ede9fb248b889596b91c965696fb2d
2022-01-18 12:56:27 -08:00
Victor Hsieh
6f6815efde Remove compos_internal_service
Bug: 210998077
Test: m; TH
Change-Id: Id3c7fcab56de5f71b00e21bd53829b2471e07d77
2022-01-18 12:51:55 -08:00
Paul Thomson
4c834adc0a Add additional sepolicy rules for gpuservice
Allow gpuservice to access read/write BPF maps.

Bug: b/213577594
Change-Id: I487754c008a53819715a6bfc5da10182d87de413
2022-01-17 16:34:03 +00:00
Andrew Walbran
a0b12be876 Merge "Allow crosvm to mlock VM memory." 2022-01-17 11:58:08 +00:00
Hungming Chen
7f4a2ab9fe clatd: remove spurious privs
Since the clatd has some code cleanup, these privs are not required
anymore.

Bug: 212345928
Test: manual test
1. Connect to ipv6-only wifi.
2. Try IPv4 traffic.
   $ ping 8.8.8.8

Change-Id: Ib801a190f9c14ee488bc77a43ac59c78c44773ab
2022-01-16 14:28:57 +08:00
Yabin Cui
f17fb4270c Add sepolicy for simpleperf_boot.
simpleperf_boot is the secontext used to run simpleperf from init,
to generate boot-time profiles.

Bug: 214731005
Test: run simpleperf manually
Change-Id: I6f37515681f4963faf84cb1059a8d5845c2fe5a5
2022-01-15 16:12:51 -08:00
Treehugger Robot
e646c94505 Merge "Add sepolicy for logd and logcat services" am: d6a5b604ce am: 47f5daf227 am: 75852fc484
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1948849

Change-Id: I88b72c854112c6ef91cb4c08f997e03bb818fabc
2022-01-14 21:31:45 +00:00
Treehugger Robot
d6a5b604ce Merge "Add sepolicy for logd and logcat services" 2022-01-14 20:44:35 +00:00
Nikita Ioffe
f2814d13d9 Merge "Move allow rules from public/app.te to private/app.te" am: 52e44e8022 am: b5e83ea3cf am: a30e3c50df
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1949596

Change-Id: I20dfbdee289aa328219b1a7f20caad386f6898ff
2022-01-14 18:37:09 +00:00
Nikita Ioffe
52e44e8022 Merge "Move allow rules from public/app.te to private/app.te" 2022-01-14 17:47:29 +00:00
Andrew Walbran
ed82cc82be Allow crosvm to mlock VM memory.
Bug: 204298056
Change-Id: I5b00273ffa37d4c1ea2f26bb40822abd0d094d90
2022-01-14 13:47:05 +00:00
Akilesh Kailash
20cc7e22c7 Merge "New property to control Async I/O for snapuserd" am: 9de6ad61ff am: f3262f89ef am: 5a333c328c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1936919

Change-Id: Iafd1a572298d93c5c050d1a1ccfd2e2cc986f81d
2022-01-14 00:58:34 +00:00
Akilesh Kailash
9de6ad61ff Merge "New property to control Async I/O for snapuserd" 2022-01-14 00:06:23 +00:00
Nikita Ioffe
269e7cfc51 Move allow rules from public/app.te to private/app.te
Allow rules in public/*.te can only reference types defined in
public/*.te files. This can be quite cumbersome in cases a rule needs to
be updated to reference a type that is only defined in private/*.te.

This change moves all the allow rules from public/app.te to
private/app.te to make it possible to reference private types in the
allow rules.

Bug: 211761016
Test: m
Test: presubmit
Change-Id: I0c4a3f1ef568bbfdfb2176869fcd92ee648617fa
Merged-In: I0c4a3f1ef568bbfdfb2176869fcd92ee648617fa
2022-01-13 22:56:14 +00:00
John Wu
cd5cf383f1 Add keystore2 LIST permission to system_server
This is required for listing all key aliases of other APP domains' keys
in order to migrate keys on behalf of the updated app by PMS.

Test: builds
Bug: 211665859
Change-Id: I541fb81e6186288a1e852ce60882651f838e36dc
2022-01-13 14:26:28 -08:00
Wenhao Wang
6a656c0b67 Add sepolicy for logd and logcat services
The logd binder service is on logd side.
The logcat binder service is on system_server side.
These two binder services facilitate the binder RPC
between logd and system_server.

Bug: 197901557
Test: manual
Change-Id: I5f08bbb44a88dc72302331ab11c7d54f94db16ac
2022-01-13 11:38:43 -08:00
Akilesh Kailash
5c5fd255d2 New property to control Async I/O for snapuserd
io_uring_setup() system call requires ipc_lock.

(avc: denied { ipc_lock } for comm="snapuserd" capability=14 scontext=u:r:snapuserd:s0 tcontext=u:r:snapuserd:s0 tclass=capability permissive=0)

Add selinux policy.

Bug: 202784286
Test: OTA tests
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I806714c7ade0a5d4821b061396c9f064ee5ed8b6
2022-01-13 06:27:46 +00:00
Jeremy Meyer
81670747b9 Merge "Add resources_manager_service" am: 0f72360b2f am: bebb429e43 am: 4833a09ba8
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1944288

Change-Id: I87d82d23a76eb297cc797d6a451e97acb27b0f1e
2022-01-12 21:35:19 +00:00
Jeremy Meyer
0f72360b2f Merge "Add resources_manager_service" 2022-01-12 20:41:28 +00:00
Yabin Cui
f09314ba84 Restrict write access to etm sysfs interface. am: 927d7a752b am: f288523c0c am: f8a7b98ff6
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1945414

Change-Id: Ic0d7cb272cd972b85632d071a800d403986c6b1a
2022-01-12 18:51:24 +00:00
Yabin Cui
927d7a752b Restrict write access to etm sysfs interface.
Bug: 213519191
Test: boot device
Change-Id: I40d110baea5593a597efa3c14fd0adecee23fc0f
2022-01-11 14:12:52 -08:00
Jeremy Meyer
d8a3c2b156 Add resources_manager_service
Test: manual, calling the service with `adb shell cmd` works
Bug: 206615535
Change-Id: I8d3b945f6abff352991446e5d88e5a535a7f9ccf
2022-01-10 23:03:42 +00:00
Michael Rosenfeld
f964ce2aeb Merge "Allow the shell to disable charging." am: 30aace3ebe am: bd58116534 am: dea57851db
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1899603

Change-Id: I9a31175cface1004efc6c6c4797533b142395b5a
2022-01-10 22:53:37 +00:00
Florian Mayer
26f18902d4 Merge "[MTE] Allow system_app to write memtag property." am: 11db93a15b am: 4cb849bc8f am: b59cf00842
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1931217

Change-Id: Iddfe8df9b46bb85ddc489cb7ba1f06d7214e2e8e
2022-01-10 22:53:13 +00:00
Michael Rosenfeld
30aace3ebe Merge "Allow the shell to disable charging." 2022-01-10 22:18:49 +00:00
Florian Mayer
11db93a15b Merge "[MTE] Allow system_app to write memtag property." 2022-01-10 21:12:02 +00:00
Michael Rosenfeld
5425c870f9 Allow the shell to disable charging.
Bug: 204184680
Test: manual and through instrumentation
Change-Id: I1fe9b35d51140eccba9c05c956875c512de447b1
2022-01-10 10:36:01 -08:00
Florian Mayer
39f29f758e [MTE] Allow system_app to write memtag property.
Bug: 206895651
Change-Id: I6463965c094b9b3c4f3f70929a09e109ee9c84b9
2022-01-07 11:39:10 -08:00
Treehugger Robot
77297a2015 Merge "Allow VS to run derive_classpath" am: 46680d001f am: a3723d7061 am: 7c16b6a2c7
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1934974

Change-Id: I91d7abce3155575dc5b811c40aa0043a305d8d21
2022-01-07 09:52:35 +00:00
Treehugger Robot
46680d001f Merge "Allow VS to run derive_classpath" 2022-01-07 09:11:08 +00:00
Xinyi Zhou
38da50d9ba Merge "Allow system app to find NearbyManager" am: b6a6ff20ef am: ee85803987 am: 82606f8c6b
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1937217

Change-Id: Ie56ef6e1598d3c733584db6c7c4cda56ffa7f4c5
2022-01-06 20:22:21 +00:00
Xinyi Zhou
b6a6ff20ef Merge "Allow system app to find NearbyManager" 2022-01-06 19:28:05 +00:00
Alan Stokes
3fad86bb8a Allow VS to run derive_classpath
We run it in our domain since it requires fairly minimal access.

Bug: 210472252
Test: atest virtualizationservice_device_test
Test: composd_cmd test-compile
Change-Id: Ia770cd38bda67f79f56549331d3a36d7979a5d5b
2022-01-06 15:58:59 +00:00
Josh Yang
12daae5d79 Merge "Label /data/bootanim with bootanim_data_file." am: 0d721a105f am: 85cb406b59 am: 3e9883668f
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1933017

Change-Id: I0cec046e72cf1f8c331f270425d73c5c385c4819
2022-01-06 04:01:28 +00:00
Josh Yang
0d721a105f Merge "Label /data/bootanim with bootanim_data_file." 2022-01-06 03:17:58 +00:00
Treehugger Robot
f5fb14c0be Merge "Allow untrusted apps to access incidentcompanion" am: f650c54ee1 am: 5e310aa786 am: 9edd7274c4
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1913754

Change-Id: I3fd2066ddd912a8b03c3bc2eb715e050c508837f
2022-01-05 22:08:12 +00:00
Treehugger Robot
f650c54ee1 Merge "Allow untrusted apps to access incidentcompanion" 2022-01-05 21:10:55 +00:00
Xinyi Zhou
e9857ab5cf Allow system app to find NearbyManager
Bug: 189954300
Test: -build, flash, boot
Change-Id: Ia21b10213311b0639f320b559e78963d562f30a3
2022-01-05 11:57:44 -08:00
Lalit Maganti
b549e2d837 sepolicy: add permissions for trace reporting
Bug: 205892741
Change-Id: I1b6b2ebeae99ca6a9725f24564386cea78403c6d
2022-01-04 14:02:20 +00:00
Treehugger Robot
3c03397821 Merge "Allow composd to delete ART staging files" am: 3a7e19c3d4 am: 87e317d603 am: b8386e1027
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1925960

Change-Id: I7a1fdfc7b86f8b3da065f4ce6a6faabf9edc396b
2022-01-04 11:43:29 +00:00
Andrew Walbran
3d0e9e4857 Merge "Add comment explaining why crosvm shouldn't be allowed to open files." am: d020fc05f3 am: 0ae5a68417 am: 9508489a72
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1925961

Change-Id: Ia8cea576cc80d5dbdc00e53f40308143f847c379
2022-01-04 11:43:20 +00:00
Treehugger Robot
3a7e19c3d4 Merge "Allow composd to delete ART staging files" 2022-01-04 11:13:55 +00:00
Andrew Walbran
d020fc05f3 Merge "Add comment explaining why crosvm shouldn't be allowed to open files." 2022-01-04 10:40:23 +00:00
Alan Stokes
ce6e2987de Allow composd to delete ART staging files
If the directory is non-empty when we start we need to delete
everything in it, but didn't have enough access:

avc: denied { getattr } for
path="/data/misc/apexdata/com.android.art/staging/boot-framework.art"
dev="dm-37" ino=57755 scontext=u:r:composd:s0
tcontext=u:object_r:apex_art_staging_data_file:s0 tclass=file
permissive=0

Bug: 205750213
Test: create files in staging/, composd_cmd test-compile
Change-Id: I3a66db7f5fbff82abcf547cb1c2b24e9c53ab158
2022-01-04 09:14:05 +00:00
Jiyong Park
2ce78c5735 Merge "Allow virtualizationservice to check for PKVM extension" am: 0878ac4c47 am: 32c7795f17 am: d06a7c1749
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1934161

Change-Id: Ic3f7eca0ad39e1d56017314ab29abcc4074c86fa
2022-01-03 09:51:24 +00:00
Jiyong Park
0878ac4c47 Merge "Allow virtualizationservice to check for PKVM extension" 2022-01-03 09:30:05 +00:00
Jiyong Park
2dd48d0400 Allow virtualizationservice to check for PKVM extension
Bug: 210803811
Test: watch TH for all our tests
Change-Id: Iac4528fa2a0dbebeca4504469624f50832689f43
2022-01-03 14:59:58 +09:00
Maciej Żenczykowski
389fc497d0 Merge "[NC#3] clatd: remove raw and packet socket creation privs" am: 0f1b55ee24 am: 7d517a3712 am: b2425a8e56
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1903467

Change-Id: I2b3b6af74e202b53dbf3c9c343b83576511d81bb
2021-12-30 20:06:44 +00:00
Maciej Żenczykowski
0f1b55ee24 Merge "[NC#3] clatd: remove raw and packet socket creation privs" 2021-12-30 19:50:00 +00:00
Inseob Kim
9d7e9a3491 Merge "Allow app to get dck_prop" 2021-12-28 01:55:30 +00:00
Treehugger Robot
8bf0d2c1dc Merge "Make surface_flinger_native_boot_prop a system_restricted_prop for ADPF" am: 96c5222c94 am: 6cd97931e3 am: be132f1e8a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1931900

Change-Id: If86a0c21131caf2fe880f82ee514e2da969639b6
2021-12-28 01:41:32 +00:00
Treehugger Robot
96c5222c94 Merge "Make surface_flinger_native_boot_prop a system_restricted_prop for ADPF" 2021-12-28 00:54:22 +00:00
Matt Buckley
964c68b02d Make surface_flinger_native_boot_prop a system_restricted_prop for ADPF
Test: manual
Bug: b/195990840
Change-Id: Icb758c48a1faa8901a1d2c2c442451c42fc3b5b1
2021-12-27 18:24:12 +00:00
Andrew Walbran
8191dc07cc Add comment explaining why crosvm shouldn't be allowed to open files.
Bug: 192453819
Test: No code change
Change-Id: Iebaa1db2e8eed81122e64999ef58b728e1bf95cc
2021-12-24 13:13:53 +00:00
Thierry Strudel
aa383c8bd3 Allow app to get dck_prop am: f4e3b06683
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/16530469

Change-Id: I87df425d523b3ed82abf5560cb63543287471222
2021-12-24 06:51:28 +00:00
Thierry Strudel
195149fcf8 Allow app to get dck_prop
Bug: 208742539
Test: gts-tradefed run gts -m GtsDckTestCases --log-level-display DEBUG
Merged-In: Ie3f7c54805b9947fd43fe5118fd4808b4744664d
Signed-off-by: Thierry Strudel <tstrudel@google.com>
Change-Id: Ie3f7c54805b9947fd43fe5118fd4808b4744664d
2021-12-24 06:50:53 +00:00
Thierry Strudel
f4e3b06683 Allow app to get dck_prop
Ignore-AOSP-First: Touches prebuilts/api/32.0/private/app.te
Bug: 208742539
Test: gts-tradefed run gts -m GtsDckTestCases --log-level-display DEBUG
Signed-off-by: Thierry Strudel <tstrudel@google.com>
Change-Id: Ie3f7c54805b9947fd43fe5118fd4808b4744664d
2021-12-24 06:22:31 +00:00
Josh Yang
1d967dd697 Label /data/bootanim with bootanim_data_file.
Bug: 16529906
Test: /data/bootanim is labeled correctly. BootAnimation can access this
folder.

Change-Id: Ic6a438d7a139b4864c4795dcac613cb819a81631
2021-12-23 15:00:31 -08:00
Devin Moore
6026ac4077 Merge "Add policy for new AIDL IR hal" am: 4f85138c08 am: 4e044e5893 am: 570c442620
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1886401

Change-Id: Id1f7af95e63981f4ae420e9ffe8959411dfb6a44
2021-12-22 22:20:10 +00:00
Devin Moore
4f85138c08 Merge "Add policy for new AIDL IR hal" 2021-12-22 21:44:17 +00:00
Hui Wu
82f06faacd Merge "Changes in SELinux Policy for cloudsearch API" am: c66fb7aefc am: 39e16393b7 am: 9f75793c0f
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1927577

Change-Id: I209b092bc400731a61847c5aa3852815888a6a1d
2021-12-17 04:06:19 +00:00
Hui Wu
c66fb7aefc Merge "Changes in SELinux Policy for cloudsearch API" 2021-12-17 03:04:08 +00:00
Treehugger Robot
5fe9254482 Merge "zygote: Add setattr permission to cgroup" am: d831f2a2f5 am: ea5fa49446 am: 334d3c7c85
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1927857

Change-Id: I6c3858322dcac0ab8a738179aea6780e469dc639
2021-12-17 01:13:21 +00:00
Treehugger Robot
d831f2a2f5 Merge "zygote: Add setattr permission to cgroup" 2021-12-17 00:10:25 +00:00
Greg Kaiser
ed71842c6d zygote: Add setattr permission to cgroup
Credit to Himanshu Agrawal <quic_hagraw@quicinc.com> for this fix.

Like we do with cgroup_v2, we set attribute permission to cgroup
as well.

Test: On a Go device, which uses cgroup instead of cgroup_v2
Bug: 211037424
Change-Id: I5d58c9f549d205f1a8bdce6c5fba1cc833f2b492
Merged-In: I5d58c9f549d205f1a8bdce6c5fba1cc833f2b492
2021-12-16 22:55:34 +00:00
Victor Hsieh
19ec555037 Merge "Allow composd to delete odrefresh target files" am: 5601d70743 am: e642210a9a am: 969b41347c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1927358

Change-Id: Id416af36683f735562b74122ee27af9357ced964
2021-12-16 22:40:40 +00:00
Greg Kaiser
f62ef0d798 zygote: Add setattr permission to cgroup
Credit to Himanshu Agrawal <quic_hagraw@quicinc.com> for this fix.

Like we do with cgroup_v2, we set attribute permission to cgroup
as well.

Test: On a Go device, which uses cgroup instead of cgroup_v2
Bug: 209933729
Change-Id: I5d58c9f549d205f1a8bdce6c5fba1cc833f2b492
2021-12-16 14:14:29 -08:00
Victor Hsieh
5601d70743 Merge "Allow composd to delete odrefresh target files" 2021-12-16 21:45:43 +00:00
Treehugger Robot
01aca6282a Merge "Add apexd_payload_metadata_prop" am: a6d6b6aee8 am: a4e0ed83dc am: ebd1ff5b25
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1885013

Change-Id: I04921eee21ea7a5f1020c83ed560dd811d0562d4
2021-12-16 20:46:04 +00:00
Devin Moore
978b9e5d1c Add policy for new AIDL IR hal
IR interface is converted to AIDL and this contains the necessary
permissions for the default service to serve the interface.

Test: atest VtsHalIrTargetTest hal_implementation_test
Test: check for permission issues after tests
Bug: 205000342
Change-Id: I8d9d81d957bf6ef3c6d815ce089549f8f5337555
2021-12-16 20:24:27 +00:00
Hui Wu
f3e29c7066 Changes in SELinux Policy for cloudsearch API
Bug: 210528288
Test: Presubmit Tests

Change-Id: I344d28a95bf7d466620fced9cc85b50bbfcd1947
2021-12-16 19:31:53 +00:00
Alan Stokes
2914610f17 Allow composd to delete odrefresh target files
We need to remove any existing files (and the directory) to allow
odrefresh in the VM to re-create them via authfs.

But we don't need, and shouldn't have, any other access to them.

Bug: 210460516
Test: composd_cmd async-odrefresh
Change-Id: Iaafe33934146a6b8dda7c28cc1239c2eed167379
2021-12-16 16:24:56 +00:00
Ramji Jiyani
dec6b44ee4 Merge "Add selinux context for /system_dlkm" am: e3f20ee1e6 am: aaa5919f26 am: 5efbce0fa1
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1899605

Change-Id: Ia23423b9cc4e45ff8fc65e9b1ac987a945bd5896
2021-12-16 03:39:05 +00:00
Richard Fung
0c7c2679b0 Add apexd_payload_metadata_prop
This should be read-only and corresponds to apexd.payload_metadata.path

Bug: 191097666
Test: android-sh -c 'setprop apexd.payload_metadata.path'
See permission denied
atest MicrodroidHostTestCases

Change-Id: Ifcb7da1266769895974d4fef86139bad5891a4ec
2021-12-16 03:00:06 +00:00
Ramji Jiyani
e3f20ee1e6 Merge "Add selinux context for /system_dlkm" 2021-12-16 02:41:25 +00:00
Etienne Ruffieux
6b40b2a548 Merge "Adding Bluetooth module sysprop" am: ac45ef86f5 am: b24560a1a3 am: 409e13a954
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1924341

Change-Id: I90173e9518b4c9ca9197e943bad3d97fd6604798
2021-12-15 20:33:32 +00:00
Etienne Ruffieux
ac45ef86f5 Merge "Adding Bluetooth module sysprop" 2021-12-15 19:14:41 +00:00
Etienne Ruffieux
9203c915d1 Adding Bluetooth module sysprop
Added Bluetooth sysprop to be able to remove calls to
SystemProperty.set in Bluetooth module.

Tag: #feature
Bug: 197210455
Test: set/get sysprop with SystemProperties
Merged-In: I8070a493fa082ddaa16cd793ed25ad99971950c0
Change-Id: Ia390bd8b3bb064fcae252edb6307e26f07bd53e7
2021-12-15 13:44:33 +00:00
Treehugger Robot
bd22ea499a Merge "Allow compos_fd_server to create artifacts" am: afc596f8f8 am: 29a90d33cb am: 3ad3f0b50c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1922442

Change-Id: If6cea92ebaccb027cab762722b8fd3351ca73dbe
2021-12-15 12:08:07 +00:00
Treehugger Robot
afc596f8f8 Merge "Allow compos_fd_server to create artifacts" 2021-12-15 11:09:24 +00:00
Treehugger Robot
497884ce80 Merge "Add rule for new gesture_prop." am: ac9f469ff0 am: 29be9a0edf am: f3ece72da2
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1918579

Change-Id: I95521666de397326e70f296aa8abaf71ba77d388
2021-12-15 05:53:21 +00:00
Treehugger Robot
ac9f469ff0 Merge "Add rule for new gesture_prop." 2021-12-15 05:03:42 +00:00
Super Liu
078141a921 Add rule for new gesture_prop.
Bug: 209713977
Bug: 193467627
Test: local build and manual check.
Signed-off-by: Super Liu <supercjliu@google.com>
Change-Id: Ib1d2d6dcc7d6ddc6243c806a883d9252d7c081af
2021-12-15 09:32:01 +08:00
Jeff Vander Stoep
13fb51ea0b Policy for using Apex sepolicy am: bc0fa66cbe am: 00573254ac am: f8dfd28b19
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1907858

Change-Id: Iaa5cbfb4efa17e048fd93167e6da9a77ef20b43e
2021-12-14 19:03:58 +00:00
Alan Stokes
8dc7800578 Allow compos_fd_server to create artifacts
Previously this was always done by odrefresh. But now we are running
odrefresh in the VM we need to allow FD server to do it as its proxy.

Bug: 209572241
Bug: 209572296
Test: composd_cmd forced-oderefresh
Change-Id: I4bc10d6a3ec73789721a0541f04dd7e3865fe826
2021-12-14 16:06:31 +00:00
Jeff Vander Stoep
bc0fa66cbe Policy for using Apex sepolicy
Bug: 199914227
Test: aosp/1910032
Change-Id: I0726facbf0c28c486ef6501718a6013a040e4b0e
2021-12-14 13:54:03 +01:00
Treehugger Robot
9412cfc810 Merge "[NC#2] clatd: allow clatd access raw and packet socket inherited from netd" am: 7c5faaf3d2 am: 8d35437e6a am: f419c0e3a4
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1903466

Change-Id: I12e337664f09b7661ad63f9824f0918a37c7b9de
2021-12-13 09:01:54 +00:00
Treehugger Robot
7c5faaf3d2 Merge "[NC#2] clatd: allow clatd access raw and packet socket inherited from netd" 2021-12-13 08:16:26 +00:00
Treehugger Robot
2880a5cd82 Merge "Add hal_vehicle_service for AIDL VHAL service." am: 885bc3ca66 am: e197d7519c am: 908395f200
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1914197

Change-Id: I255ad9d053d2a217ec03d06b48229d2c337adfd8
2021-12-11 01:58:30 +00:00
Treehugger Robot
885bc3ca66 Merge "Add hal_vehicle_service for AIDL VHAL service." 2021-12-11 00:49:12 +00:00
Hungming Chen
e544438399 [NC#3] clatd: remove raw and packet socket creation privs
Don't need these permission anymore because the raw and packet
socket setup are moved from clatd to netd.

Test: manual test
1. Connect to ipv6-only wifi.
2. Try IPv4 traffic.
   $ ping 8.8.8.8

Change-Id: I07d890df2d1b8d9c1736aa5e6dc36add4f46345b
2021-12-10 20:42:27 +08:00
Hungming Chen
cef08e5d58 [NC#2] clatd: allow clatd access raw and packet socket inherited from netd
Needed because the raw and packet socket setup are moved from
clatd to netd. Netd pass the configured raw and packet sockets
to clatd. clatd needs the permission to access inherited
objects.

Test: manual test
1. Connect to ipv6-only wifi.
2. Try IPv4 traffic.
   $ ping 8.8.8.8

Test:
Change-Id: If6479f815a37f56715d7650c714202fcc1ec466b
2021-12-10 20:42:00 +08:00
Joanne Chung
89a1a242a9 Add rule for new system service am: eed1918f7f am: f9637630c6 am: 025b236f3b
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1891636

Change-Id: I1352ed54f8968e191e25a2a40b291d111d691a89
2021-12-10 09:46:02 +00:00
Joanne Chung
eed1918f7f Add rule for new system service
Update policy for new system service, used for Apps to present the
toolbar UI.

Bug: 190030331
Bug: 205822301
Test: manual. Can boot to home and get manager successfully.

Change-Id: Iee88681a93ae272a90896ccd2a6b64c26c809e82
2021-12-10 13:30:55 +08:00
Treehugger Robot
12ac324619 Merge "[NC#1] netd: allow netd to setup packet socket for clatd" am: f128becfa4 am: 14c5d92e83 am: ac796a4553
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1903465

Change-Id: I265b83cb1e900cbf69a60bd00f79aec731efa621
2021-12-10 05:24:11 +00:00
Treehugger Robot
f128becfa4 Merge "[NC#1] netd: allow netd to setup packet socket for clatd" 2021-12-10 04:33:13 +00:00
Yi-yo Chiang
a01429ce0b Merge "Add system_ext_userdebug_plat_sepolicy.cil for GSI" into sc-v2-dev 2021-12-10 04:05:11 +00:00
Treehugger Robot
e1a8cb87f1 Merge "Add charger_vendor type" am: 0ce3e70c84 am: 9f386d408d am: 246b50221e
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1870393

Change-Id: I4730ed60e8eff5bbf29400a5be15d8c921c32953
2021-12-10 03:17:56 +00:00
Treehugger Robot
0ce3e70c84 Merge "Add charger_vendor type" 2021-12-10 02:16:55 +00:00
Treehugger Robot
bad60fa933 Merge "sepolicy: Fix potential avc denials" am: 69faf0b8d1 am: 0dda08cf20 am: 1a22e0fc5b
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1903290

Change-Id: I1df09ecb1ff7fac41ca0e1965b30b29d828d5741
2021-12-08 08:16:08 +00:00
Yu Shan
78be3081e7 Add hal_vehicle_service for AIDL VHAL service.
Add selinux policy for AIDL Vehicel HAL service.
This CL mostly follows https://android-review.googlesource.com/c/platform/system/sepolicy/+/1541205/.

Test: Manually test on emulator, verify AIDL VHAL service is up and
accessible by client.
Bug: 209718034

Change-Id: Icad92e357dacea681b8539f6ebe6110a8ca8b357
2021-12-07 22:23:50 -08:00
Rick Yiu
8cb0bb81f0 sepolicy: Fix potential avc denials
Bug: 206970384
Test: make selinux_policy pass
Change-Id: I2516987ea609b4328951b519f437405bef7a78d5
2021-12-08 10:24:30 +08:00
Treehugger Robot
7598aae806 Merge changes I81ab0a73,Ia66015b7 am: 9a93d79a92 am: b7b5c14e40 am: 71f5e42ae0
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1908178

Change-Id: Icd9048dfe4b1f8288b95589c3d038de3316f18fe
2021-12-08 01:22:01 +00:00
Yifan Hong
035ce4b7f4 Add charger_vendor type
This is the context when health HAL runs in offline
charging mode.

This has the same permissions as the health HAL, but
is also able to do charger specific things.

Also restrict neverallow rules in charger_type.

Test: manual in offline charging mode
Bug: 203246116
Change-Id: I6034853c113dff95b26461153501ad0528d10279
2021-12-07 16:24:23 -08:00
Jeffrey Huang
d93b2e18c3 Allow untrusted apps to access incidentcompanion
Bug: 206548410
Test: m -j
Change-Id: I93b9e983149ab5b303bc34e3de094c1481c35dc9
2021-12-07 12:20:11 -08:00
Victor Hsieh
90b7b00391 Allow composd to run fd_server
Besides the basic execution that is similar to the (deprecating)
odrefresh case, fd_server also needs to be able to create and change
files in the output directory.

Bug: 205750213
Test: /apex/com.android.compos/bin/composd_cmd forced-odrefresh
      # Saw composd started the fd_server and the VM
Change-Id: Ia66015b72c4bd232c623604be326c7d7145c0a38
2021-12-07 08:07:50 -08:00
Treehugger Robot
e6651d2589 Merge "Allow composd to create odrefresh staging directory" am: edf5fa0091 am: 9cdacff2aa am: 081892a97d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1910491

Change-Id: Ife93def4025b5993c6306ba26c627a808f193232
2021-12-07 01:59:47 +00:00
Alessio Balsini
658439fe02 mediaprovider_app can access BPF resources am: fd3e9d838e am: 27b2b6d8f5 am: 42216b5975
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1907857

Change-Id: I3a798c37a5200f90f55367ccddeb29404c170cb3
2021-12-07 01:19:32 +00:00
Treehugger Robot
edf5fa0091 Merge "Allow composd to create odrefresh staging directory" 2021-12-07 01:07:08 +00:00
Alessio Balsini
fd3e9d838e mediaprovider_app can access BPF resources
The FUSE daemon in MediaProvider needs to access the file descriptor of
its pinned BPF program and the maps used to commuicate with the kernel.

Bug: 202785178
Test: adb logcat FuseDaemon:V \*:S (in git_master)
Ignore-AOSP-First: mirroring AOSP for prototyping
Signed-off-by: Alessio Balsini <balsini@google.com>
Change-Id: I99d641658d37fb765ecc5d5c0113962f134ee1ae
2021-12-06 19:12:55 +00:00
Victor Hsieh
33aa1a3c52 Allow composd to create odrefresh staging directory
composd in responsible to prepare the staging directory for odrefresh
(in the VM) to write the output to. Temporary output should be put in a
staged directory with a temporary apex_art_staging_data_file context.
When a compilation is finished, the files can then be moved to the final
directory with the final context.

Bug: 205750213
Test: No denials

Change-Id: I9444470b31518242c1bb84fc755819d459d21d68
2021-12-06 08:41:31 -08:00
Victor Hsieh
9a2f1760cd Allow composd to read ART's properties am: 1f117c26c6 am: 7b8647e628 am: dac35aea0c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1908176

Change-Id: I24e150c61ae4ada129c3e94f262f37c19f3c5c53
2021-12-03 21:13:19 +00:00
Victor Hsieh
1f117c26c6 Allow composd to read ART's properties
Only ro.zygote is currently used, though we'll need to a few others of
the same property context.

Bug: 205750213
Test: composd_cmd forced-odrefresh # less SELinux denial
Change-Id: I2efbbc1637142f522a66c47bdd17471c4bde227a
2021-12-02 17:58:23 -08:00
Treehugger Robot
471829bb7b Merge "Remove 26.0 and 27.0 compat support" am: 26950bb361 am: f4d3471aac am: cc93d7690f
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1903972

Change-Id: I6608f3a2e3cda124893e42aef86e7c63783b6853
2021-12-02 07:18:15 +00:00
Treehugger Robot
26950bb361 Merge "Remove 26.0 and 27.0 compat support" 2021-12-02 06:26:58 +00:00
Treehugger Robot
20b9fca8e9 Merge "Add logd.ready" am: f5646ff42b am: 9a922c3ce2 am: cfc47ad673
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1895329

Change-Id: Id40bcdff34faf77ccd910f46281a8df4d003c304
2021-12-02 04:24:44 +00:00
Treehugger Robot
f5646ff42b Merge "Add logd.ready" 2021-12-02 03:34:00 +00:00
Inseob Kim
6303d4df9d Merge "Add hal_dumpstate_service to ignore" am: 7182b2e56b am: ae574d77d3 am: f91a52bc59
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1908650

Change-Id: I11fdbe81c2bfc2ab62cc047a44c482ed4c6bc1e8
2021-12-02 01:36:57 +00:00
Inseob Kim
9dc6d70044 Remove 26.0 and 27.0 compat support
Treble doesn't support T system + O vendor, so removing 26.0 (N) and
27.0 (O) prebuilts and compat files.

Bug: 207815515
Test: build
Change-Id: I98d5972221a8e77f3c45fc48ff50bb2b8eb94275
2021-12-02 10:22:10 +09:00
Inseob Kim
a00439e69a Add hal_dumpstate_service to ignore
Bug: 208705795
Test: build
Change-Id: I211e6e0b98c964ba34db5ffd4bcf7a3cf959a8b5
2021-12-02 09:23:06 +09:00
Treehugger Robot
5397c5e66d Merge "Add 32.0 mapping files" am: 6cf460c45e am: b5bf051407 am: 7bab865c6e
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1906312

Change-Id: Id2a2afbf3798fcf786fb105641dbf02d1b3b57d7
2021-12-02 00:01:05 +00:00
Treehugger Robot
6cf460c45e Merge "Add 32.0 mapping files" 2021-12-01 23:10:38 +00:00
Kedar Chitnis
3f32fe230b Merge "Update sepolicy to add dumpstate device service for AIDL HAL" am: bb0315bab9 am: 3591bd6749 am: e09c5cdd49
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1895075

Change-Id: I852de6b372cad65c2efee3bfe0cfaca1c9ad4f8f
2021-12-01 12:59:46 +00:00
Kedar Chitnis
bb0315bab9 Merge "Update sepolicy to add dumpstate device service for AIDL HAL" 2021-12-01 12:16:33 +00:00
Inseob Kim
bee558e4bb Add 32.0 mapping files
Steps taken to produce the mapping files:

1. Add prebuilts/api/32.0/plat_pub_versioned.cil from the
/vendor/etc/selinux/plat_pub_versioned.cil file built on sc-v2-dev with
lunch target aosp_arm64-eng. Add prebuilts/api/32.0/vendor_sepolicy.cil
as an empty file.

When adding plat_pub_versioned.cil, leave only type and typeattribute
statements, removing the other statements: allow, neverallow, role, etc.

2. Add new file private/compat/32.0/32.0.cil by doing the following:
- copy /system/etc/selinux/mapping/32.0.cil from sc-v2-dev
aosp_arm64-eng device to private/compat/32.0/32.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 32 sepolicy.
Find all such types using treble_sepolicy_tests_32.0 test.
- for all these types figure out where to map them by looking at
31.0.[ignore.]cil files and add approprite entries to 32.0.[ignore.]cil.

This change also enables treble_sepolicy_tests_32.0 and installs
32.0.cil mapping file onto the device.

Bug: 206330997
Test: m treble_sepolicy_tests_32.0
Test: m 32.0_compat_test
Test: m selinux_policy
Change-Id: I8b2991e64e2f531ce12db7aaacad955e4e8ed687
2021-12-01 10:58:25 +09:00
Treehugger Robot
e6099835f2 Merge "Restrict system_server_startup domain" am: 825936c473 am: 5607594999 am: 137cf89a16
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1903593

Change-Id: I4807f343da9b75ce9abaf169add70f5e16d3963a
2021-11-30 11:18:54 +00:00
Treehugger Robot
825936c473 Merge "Restrict system_server_startup domain" 2021-11-30 10:29:10 +00:00
Ramji Jiyani
32646fe4c7 Add selinux context for /system_dlkm
Bug: 200082547
Test: Manual
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
Change-Id: I2207e0b3d508f9a97374724e72fd428a0eae480c
2021-11-30 06:20:47 +00:00
Jiyong Park
ff3048349a Add logd.ready
logd.ready is a system property that logd sets when it is ready to
serve incoming socket requests for reading and writing logs. Clients of
logd (e.g. logcat) can use this to synchronize with logd, otherwise they
may experience a crash due to the refused socket connection to logd when
they are started before logd is ready.

Bug: 206826522
Test: run microdroid. see logcat logs are shown immediately
Change-Id: Iee13485b0f4c2beda9bc8434f514c4e32e119492
2021-11-30 15:10:53 +09:00
Inseob Kim
212e65cbe8 Make 31.0 compat files up to date
Bug: 208126864
Test: m selinux_policy 31.0_compat_test treble_sepolicy_tests_31.0
Merged-In: Ic97d17b39f7307ed5af200c97c8c09ca0511c216
Change-Id: I75d139412686ae13dddf5b99c505becc8638558a
2021-11-30 10:13:34 +09:00
Treehugger Robot
fea7cd0639 Merge "Grant BetterBug access ot WM traces attributes" am: 53b6de0642 am: 2c95edf2af am: af4b21ef5b
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1903230

Change-Id: I030d720d48ada6d4c377e193c0bbcf081e4388a0
2021-11-29 19:28:02 +00:00
Treehugger Robot
53b6de0642 Merge "Grant BetterBug access ot WM traces attributes" 2021-11-29 18:38:12 +00:00
Nataniel Borges
6b624a5a0c Grant BetterBug access ot WM traces attributes
Currently BetterBug (privileged app) cannot access the details form
/data/misc/wmtrace.

Test: access a trace from /data/misc/wmtrace/ in betterbug
Change-Id: I4cf864ab4729e85f05df8f9e601a75ff8b92bdc8
2021-11-29 18:22:58 +01:00
Paul Lawrence
4f319f3e0a Merge "Allow bpfloader to read fuse's bpf_prog number" am: 04cddf8af2 am: b669669504 am: 139264aea6
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1894198

Change-Id: Ie0405e68732848529bb6b043b831b3d915a0102e
2021-11-29 16:58:46 +00:00
Paul Lawrence
04cddf8af2 Merge "Allow bpfloader to read fuse's bpf_prog number" 2021-11-29 16:18:42 +00:00
Treehugger Robot
14daffc5e8 Merge "Make 31.0 prebuilts and compat files up to date" am: 906797a9bc am: 7d68e1e458 am: 15dfe5051d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1903979

Change-Id: Iac623c1979233f1b39ab7e024ce204b17040b7f1
2021-11-29 13:53:26 +00:00
Treehugger Robot
906797a9bc Merge "Make 31.0 prebuilts and compat files up to date" 2021-11-29 13:03:45 +00:00
sunliang
514cb3c5af Change the label of /product/overlay to u:object_r:system_file:s0 am: e8d1e97ef2 am: fd0be879cc am: 254815456a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1903975

Change-Id: Iebce589d1c1ace4d2b73101f83db51bb95f1a321
2021-11-29 12:10:41 +00:00
Inseob Kim
5a8afdcfa6 Make 31.0 prebuilts and compat files up to date
Bug: 208126864
Test: m selinux_policy 31.0_compat_test treble_sepolicy_tests_31.0
Change-Id: Ic97d17b39f7307ed5af200c97c8c09ca0511c216
2021-11-29 19:40:59 +09:00
sunliang
e8d1e97ef2 Change the label of /product/overlay to u:object_r:system_file:s0
Overlayfs product/overlay in init first stage is allowed in AndroidS.
product/overlay directory contains RRO apks, it is plausible to allow
dumpstate to access it since dumpstate will call df command.
Or there will be an avc denial:
01-01 07:09:37.234 13582 13582 W df : type=1400 audit(0.0:1717): avc: denied { getattr } for path="/product/overlay"
dev="overlay" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_overlay_file:s0 tclass=dir permissive=0

Actually, it is more reasonable to set /product/overlay to u:object_r:system_file:s0 since
there already had definiitions releated to /product/overlay
/mnt/scratch/overlay/(system|product)/upper u:object_r:system_file:s0
/(product|system/product)/vendor_overlay/[0-9]+/.*          u:object_r:vendor_file:s0

Bug: https://b.corp.google.com/u/0/issues/186342252

Signed-off-by: sunliang <sunliang@oppo.com>
Change-Id: I493fab20b5530c6094bd80767a24f3250d7117a8
2021-11-29 08:24:37 +00:00
Hungming Chen
ffa08bbd21 [NC#1] netd: allow netd to setup packet socket for clatd
Needed because the packet socket setup has been moved from clatd
to netd.

Test: manual test
    1. Connect to ipv6-only wifi.
    2. Try IPv4 traffic.
       $ ping 8.8.8.8
Change-Id: If6c3ba70cd7b3a44a31b8deab088303c22838da8
2021-11-26 20:28:29 +08:00
Alan Stokes
665c295efc Restrict system_server_startup domain
This seems like an oversight when system_server_startup was
introduced (commit caf42d615d).

Test: Presubmits
Change-Id: Ia371caa8dfc2c250d6ca6f571cf002e25703e793
2021-11-26 11:41:51 +00:00
Jiyong Park
a177fa560c Merge "app_data_file is the only app_data_file_type that is allowed for crosvm" am: cc82a6ae89 am: 7dec0b50f6 am: 874c8fb416
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1903450

Change-Id: Ib0f3f03a12c951391c38fd8bc5435203b5ee80da
2021-11-26 06:57:44 +00:00
Jiyong Park
cc82a6ae89 Merge "app_data_file is the only app_data_file_type that is allowed for crosvm" 2021-11-26 06:11:03 +00:00
Jiyong Park
028e722934 app_data_file is the only app_data_file_type that is allowed for crosvm
Bug: 204852957
Test: monitor TH
Change-Id: Ie92aa25336087519661002624b486cb35740cda6
2021-11-26 01:20:20 +09:00
Kedar Chitnis
a465cbc194 Update sepolicy to add dumpstate device service for AIDL HAL
- Add hal_dumpstate_service AIDL service to hal_dumpstate.te,
  service.te
- Add default example hal_dumpstate service to file_contexts,
  service_contexts
- Adde hal_dumpstate_service to API level 31 compatibility
  ignore list (31.0.ignore.cil)

Bug: 205760700
Test: VtsHalDumpstateTargetTest, dumpstate, dumpstate_test, dumpsys
Change-Id: If49fa16ac5ab1d3a1930bb800d530cbd32c5dec1
2021-11-25 07:52:32 +00:00
Navinprashath
e7fae4b66b sepolicy: Add badge for gsm properties
Add badge for gsm.operator.iso-country and gsm.sim.operator.iso-country.

Test: Manual test
Bug: 205807505
Ignore-AOSP-First: already merged in AOSP; this is a reland
Change-Id: If4f399cd97b2297094ef9431450f29e0a91e5300
Merged-In: If4f399cd97b2297094ef9431450f29e0a91e5300
2021-11-25 14:04:56 +08:00
Navinprashath
98e74881cf sepolicy: Add badge for gsm properties am: d35bd44109 am: f924bd13f9 am: c8f99840b8
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1901412

Change-Id: I12da2746152a44f133f4aaca79642f0cd5fca847
2021-11-24 11:59:41 +00:00
Navinprashath
d35bd44109 sepolicy: Add badge for gsm properties
Add badge for gsm.operator.iso-country and gsm.sim.operator.iso-country.

Test: Manual test
Bug: 205807505
Change-Id: If4f399cd97b2297094ef9431450f29e0a91e5300
2021-11-24 16:46:55 +08:00
Yi-Yo Chiang
0b240d0270 Add system_ext_userdebug_plat_sepolicy.cil for GSI
system_ext_userdebug_plat_sepolicy.cil is a copy of
userdebug_plat_sepolicy.cil (debug_ramdisk) that's installed in the
system_ext partition.
The build rule is gated by a BoardConfig variable, so products other
than GSI cannot accidentally install this module.

*Unclean cherry-pick* prebuilts/api/32.0/private/file_contexts is
updated in this change, which is not in the original change.

Bug: 188067818
Test: Flash RQ2A.201207.001 bramble-user with debug ramdisk & flash
  gsi_arm64-user from master, device can boot and `adb root` works
Change-Id: I43adc6adad5e08dcc8e106d18fdacef962310883
Merged-In: I43adc6adad5e08dcc8e106d18fdacef962310883
(cherry picked from commit 814f3deb94)
2021-11-24 14:43:03 +08:00
Jack Yu
256bb6d01c Merge changes from topic "OMAPI_VNTF" am: b25774f53c am: 55cd3d5260 am: 9c4918ca8d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1897109

Change-Id: I71bf639469f71051409a39fc4729ac69e6b1291c
2021-11-23 05:41:56 +00:00
Jack Yu
b25774f53c Merge changes from topic "OMAPI_VNTF"
* changes:
  Added sepolicy rule for vendor uuid mapping config
  Support for OMAPI Vendor stable interface
2021-11-23 04:54:02 +00:00
Richard Fung
636a591f9c Merge "Support reading block apexes from system_server" am: 6d3bc08dbb am: 4ead13bfc9 am: 4412c7d16f
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1899604

Change-Id: I1d50c4ce6f15acebcafd0bde19461cd5c46a7408
2021-11-23 04:06:30 +00:00
Richard Fung
6d3bc08dbb Merge "Support reading block apexes from system_server" 2021-11-23 03:19:05 +00:00
Richard Fung
d34435c257 Support reading block apexes from system_server
This relaxes the neverallow so that it is possible to write a new
SELinux allow for system_server to read /dev/block/vd*. It still isn't
possible unless a vendor enables it.

Bug: 196965847
Test: m -j
local_test_runner arc.Boot.vm

Change-Id: Idad79284778cf02066ff0b982480082828f24e19
2021-11-22 21:18:54 +00:00
Akilesh Kailash
fb1cf1f0c1 Merge "New property to control virtual a/b user-space snapshots" am: b295d44694 am: ec750298c3 am: 328ce9cccb
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1885106

Change-Id: Ib77dd526257fa5b399adeaccd3cc412e916a36c6
2021-11-22 20:59:46 +00:00
Akilesh Kailash
b295d44694 Merge "New property to control virtual a/b user-space snapshots" 2021-11-22 20:16:06 +00:00
Treehugger Robot
cb8e5617b2 Merge "Mark safety_center_service as app_api_service in SELinux Policy." am: 441be957ca am: db3248e228 am: addafb6515
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1899011

Change-Id: I74a8268dfb9f230241110a5985c07ea88b27586d
2021-11-22 13:32:51 +00:00
Treehugger Robot
441be957ca Merge "Mark safety_center_service as app_api_service in SELinux Policy." 2021-11-22 12:54:32 +00:00
Inseob Kim
451eeed439 Add 31.0 mapping files
Steps taken to produce the mapping files:

1. Add prebuilts/api/31.0/plat_pub_versioned.cil from the
/vendor/etc/selinux/plat_pub_versioned.cil file built on sc-dev with
lunch target aosp_arm64-eng. Add prebuilts/api/31.0/vendor_sepolicy.cil
as an empty file.

2. Add new file private/compat/31.0/31.0.cil by doing the following:
- copy /system/etc/selinux/mapping/31.0.cil from sc-dev aosp_arm64-eng
device to private/compat/31.0/31.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 31 sepolicy.
Find all such types using treble_sepolicy_tests_31.0 test.
- for all these types figure out where to map them by looking at
30.0.[ignore.]cil files and add approprite entries to 31.0.[ignore.]cil.

This change also enables treble_sepolicy_tests_31.0 and installs
31.0.cil mapping file onto the device.

Bug: 189161483
Bug: 207344718
Test: m treble_sepolicy_tests_31.0
Test: m 31.0_compat_test
Test: m selinux_policy
Change-Id: I6264b9cf77b80543dfea93157b45b864157e2b14
Merged-In: I6264b9cf77b80543dfea93157b45b864157e2b14
(cherry picked from commit 4f20ff73ee)
2021-11-22 12:11:07 +00:00
Treehugger Robot
f619dc9cc5 Merge "Split composd's service in two" am: 6d485dfd89 am: c995fd7ac3 am: 3ecbd02bf9
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1897594

Change-Id: I8c054f8ea596cd147149651c0616b32b3f5978e7
2021-11-22 11:52:47 +00:00
Treehugger Robot
6d485dfd89 Merge "Split composd's service in two" 2021-11-22 11:19:40 +00:00
Alan Stokes
8788f7afe2 Split composd's service in two
They are served by the same process but have different clients:
- the main interface is exposed to system server;
- the internal interface is called by odrefresh when spawned by composd.

Test: compos_cmd forced-compile-test
Bug: 199147668
Change-Id: Ie1561b7700cf633d7d5c8df68ff58797a8d8bced
2021-11-22 09:36:45 +00:00
Treehugger Robot
fec2a2166f Merge "recovery init domain_trans to health HAL." am: d6c57bb99d am: 5d0c815440 am: 49675e8a82
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1893225

Change-Id: Iea81757ee48aba67f1d1ed10b61a621e7afbb075
2021-11-20 02:31:48 +00:00
Rajesh Nyamagoud
ce542660c9 Added sepolicy rule for vendor uuid mapping config
New type added in sepolicy to restrict Vendor defined uuid mapping
config file access to SecureElement.

Bug: b/180639372
Test: Run OMAPI CTS and VTS tests
Change-Id: I81d715fa5d5a72c893c529eb542ce62747afcd03
2021-11-20 01:08:11 +00:00
Rajesh Nyamagoud
453dcf6752 Support for OMAPI Vendor stable interface
Label defined for OMAPI Vendor Stable Interface

Bug: b/180639372
Test: Run OMAPI CTS and VTS tests
Change-Id: Ifa67a22c85ffb38cb377a6e347b0e1f18af1d0f8
2021-11-20 01:05:07 +00:00
Elliot Sisteron
6703102c79 Mark safety_center_service as app_api_service in SELinux Policy.
This is to make the SafetyCenterManager usable in CTS tests.
Test: SafetyCenterManager CTS test in ag/16284943
Bug: 203098016

Change-Id: I28a42da32f1f7f93c45294c7e984e6d1fd2cdd8d
2021-11-20 00:14:50 +00:00
Akilesh Kailash
8a9ec2a496 New property to control virtual a/b user-space snapshots
Bug: 193863443
Test: OTA on pixel
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I89e5d105071c2529c9ceb661c04588ff88ffdd76
2021-11-19 23:35:32 +00:00
Treehugger Robot
d6c57bb99d Merge "recovery init domain_trans to health HAL." 2021-11-19 21:25:33 +00:00
Elliot Sisteron
04b94a68d0 SELinux policy changes for SafetyCenter APIs. am: 67cedde1fe am: 1e50a0757d am: 752ac29b40
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1897505

Change-Id: I23683c633511d58ad3484ce21a89474524f79874
2021-11-19 16:52:16 +00:00
Elliot Sisteron
67cedde1fe SELinux policy changes for SafetyCenter APIs.
Context about this is on ag/16182563.

Test: Ensure no build failures, ensure no SecurityException on boot when
SafetyCenterService is added as boot phase
Bug: 203098016

Change-Id: I4c20980301a3d0f53e6d8cba0b56ae0992833c30
2021-11-19 14:32:11 +00:00
Yifan Hong
705db2b7e8 recovery init domain_trans to health HAL.
Test: run health HAL in recovery
Bug: 177269435
Bug: 170338625
Change-Id: Iac800463d4d29c56466a6671929a51139ca3fde7
2021-11-18 18:16:09 -08:00
Paul Lawrence
e3e26b7bea Allow bpfloader to read fuse's bpf_prog number
Bug: 202785178
Test: Along with rest of topic, file
/sys/fs/bpf/prog_fuse_media_fuse_media
appears on boot with fuse-bpf in kernel

Merged-In: Ibccdf177c75fef0314c86319be3f0b0f249ce59d
Change-Id: Ibccdf177c75fef0314c86319be3f0b0f249ce59d
2021-11-19 01:43:58 +00:00
Treehugger Robot
3b5dd9e542 Merge "Sepolicy for StatsBootstrapAtomService" am: b8f39c49f5 am: ad9ebec821 am: eb4e7c5aeb
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1885105

Change-Id: Ic0a86828349a7136cb2401538465cc4b9eeed8c9
2021-11-19 00:22:12 +00:00
Treehugger Robot
b8f39c49f5 Merge "Sepolicy for StatsBootstrapAtomService" 2021-11-18 23:25:21 +00:00
Treehugger Robot
9242d55513 Merge "Allow system server to access composd." am: c1ebd11f2c am: 5446b99782 am: 60f40b146d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1892440

Change-Id: I3d35edec6323a54afcf716115803e19514513d48
2021-11-18 13:41:32 +00:00
Treehugger Robot
c1ebd11f2c Merge "Allow system server to access composd." 2021-11-18 13:03:01 +00:00
Yifan Hong
2d0724d76f Add recovery service_contexts files. am: d6b2901748 am: 546678089a am: a22b1f5d79
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1891582

Change-Id: If501cab99ec8d3bbd1d5f8a62516da60c4fdbaf5
2021-11-18 05:34:45 +00:00
Yifan Hong
546678089a Add recovery service_contexts files. am: d6b2901748
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1891582

Change-Id: If557854b35b9ab49176add91938d0aee4d2b61f3
2021-11-18 05:01:37 +00:00
Yifan Hong
28f9b97646 Merge changes from topic "servicemanager-recovery"
* changes:
  servicemanager: recovery write to kmsg.
  Add recovery service_contexts files.
2021-11-18 04:39:15 +00:00
Treehugger Robot
ed61968975 Merge changes I74797b13,I5d0b06e3 am: 1b0415fcb0 am: e58de1b17a am: 22c1952033
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1887529

Change-Id: Ibbcae1d31e72b1b2bff44c87d554d31a0f00d7ad
2021-11-18 00:47:47 +00:00
Treehugger Robot
1b0415fcb0 Merge changes I74797b13,I5d0b06e3
* changes:
  Dice HAL: Add policy for dice HAL.
  Diced: Add policy for diced the DICE daemon.
2021-11-17 23:56:14 +00:00
Daniel Norman
7fdcce2f15 Merge "Revert "Revert "Adds a new prop context for choosing between mul..."" am: 0dd5118c74 am: a8570d7e9c am: 8d50c9d1a9
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1894203

Change-Id: I7291a7bf46690584bba8a0963399423e51947eee
2021-11-17 21:48:20 +00:00
Janis Danisevskis
bc7a33ece9 Dice HAL: Add policy for dice HAL.
And allow diced to talk to the dice HAL.

Bug: 198197213
Test: N/A
Change-Id: I74797b13656b38b50d7cd28a4c4c6ec4c8d1d1aa
2021-11-17 13:36:18 -08:00
Janis Danisevskis
2b6c6063ae Diced: Add policy for diced the DICE daemon.
Bug: 198197213
Test: N/A
Change-Id: I5d0b06e3cd0c594cff6120856ca3bb4f7c1dd98d
2021-11-17 13:36:18 -08:00
Daniel Norman
0dd5118c74 Merge "Revert "Revert "Adds a new prop context for choosing between mul..."" 2021-11-17 21:24:28 +00:00
Ashwini Oruganti
1ba0deb013 Merge "Define and add the migrate_any_key permission to system_server" am: ed7ebb867e am: 362701c156 am: e6bc568653
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1892955

Change-Id: I0f1c60c53bd14c205dbd5d71482bcebd287ec103
2021-11-17 19:00:31 +00:00
Ashwini Oruganti
ed7ebb867e Merge "Define and add the migrate_any_key permission to system_server" 2021-11-17 17:55:13 +00:00
Alan Stokes
9f0d24c590 Merge "Add type and mapping for /metadata/sepolicy" am: ca83dcce15 am: a1cd519e25 am: 811be459f9
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1895135

Change-Id: I9aa6a7d76960c48f22f1c3164dc52c5f40ce68fd
2021-11-17 14:52:53 +00:00
Alan Stokes
ca83dcce15 Merge "Add type and mapping for /metadata/sepolicy" 2021-11-17 14:11:14 +00:00
Jeff Vander Stoep
5aa5e5e845 Add type and mapping for /metadata/sepolicy
Test: make -j; launch_cvd; adb shell ls -laZ /metadata
Bug: 199914227
Change-Id: I573af0949d92f401589238dab8c3e9fbe2ee7efe
2021-11-17 10:45:24 +00:00
Yifan Hong
d6b2901748 Add recovery service_contexts files.
This allows binder services to run in recovery.

Test: build them
Bug: 170338625
Change-Id: If8580c3fc1b3add87178365c58288126e61345b4
2021-11-16 20:54:17 -08:00
Daniel Norman
2f8ce0d9c1 Revert "Revert "Adds a new prop context for choosing between mul..."
Revert "Revert "Adds multi_install_skip_symbol_files field (defa..."

Revert submission 1893459-revert-1869814-vapex-multi-config-VKODFOVCWY

Reason for revert: Fix-forward in https://r.android.com/1894088
Reverted Changes:
I087bfe0dc:Revert "Adds a new prop context for choosing betwe...
I27a498506:Revert "Load persist props before starting apexd."...
Ib5344edc0:Revert "Allow users to choose between multi-instal...
If09bf590e:Revert "Adds multi_install_skip_symbol_files field...
I905dac14c:Revert "Demonstrate multi-installed APEXes."

Change-Id: I03fb124d4e7044f236539a132816fd96cb814775
2021-11-16 20:28:29 +00:00
Ashwini Oruganti
41843731cc Define and add the migrate_any_key permission to system_server
This change adds a permission migrate_any_key that will help the system
server in migrating keys for an app that wants to leave a sharedUserId.

Bug: 179284822
Test: compiles
Change-Id: I2f35a1335092e69f5b3e346e2e27284e1ec595ec
2021-11-16 10:18:19 -08:00
Treehugger Robot
edf285ba5a Merge "Add camera.disable_preview_scheduler property" am: a594876cfe am: 1b4714c8e8 am: 1d36f66a48
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1887227

Change-Id: I1141daf446b8205621adb8d8e92a33c8b5850b5f
2021-11-16 15:55:54 +00:00
Treehugger Robot
a594876cfe Merge "Add camera.disable_preview_scheduler property" 2021-11-16 15:16:25 +00:00
Owen Kim
29e1bf186a Merge "Revert "Adds a new prop context for choosing between multi-insta..."" am: 95d7aaa339 am: a6bd8d83f0 am: 755dee1782
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1893458

Change-Id: I49c519594590927e560fc3cdf5b0f0e2e397cd0f
2021-11-16 09:34:00 +00:00
Alan Stokes
9112c9aa6d Allow system server to access composd.
Also allow composd to kill odrefresh (it execs it); this is necessary
for cancel() to work.

Bug: 199147668
Test: manual
Change-Id: I233cac50240130da2f4e99f452697c1162c10c40
2021-11-16 09:29:58 +00:00
Owen Kim
95d7aaa339 Merge "Revert "Adds a new prop context for choosing between multi-insta..."" 2021-11-16 08:39:27 +00:00
Owen Kim
780cd02d52 Revert "Adds a new prop context for choosing between multi-insta..."
Revert "Adds multi_install_skip_symbol_files field (default fals..."

Revert submission 1869814-vapex-multi-config

Bug: 206551398
Reason for revert: DroidMonitor-triggered revert due to breakage https://android-build.googleplex.com/builds/tests/view?invocationId=I55600009996329947&testResultId=TR93527797572038984, bug b/206551398
Reverted Changes:
I0cd9d748d:Adds multi_install_skip_symbol_files field (defaul...
I5912a18e3:Demonstrate multi-installed APEXes.
I0e6881e3a:Load persist props before starting apexd.
I932442ade:Adds a new prop context for choosing between multi...
I754ecc3f7:Allow users to choose between multi-installed vend...

Change-Id: I087bfe0dcf8d6ab38d861b82196bac4e9147e8e6
2021-11-16 07:08:15 +00:00
Daniel Norman
bdb51edfe3 Merge "Adds a new prop context for choosing between multi-installed APEXes." am: 8e276eae6b am: d6746bd67a am: bee9f24f08
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1869814

Change-Id: I65f054653bd0337cd9f3348b9a160c19315ce4a2
2021-11-16 01:31:11 +00:00
Daniel Norman
8e276eae6b Merge "Adds a new prop context for choosing between multi-installed APEXes." 2021-11-16 00:45:32 +00:00
Jiyong Park
949dc6d24b Merge "Fix bootchart on android12" am: 5d0397047d am: e646809295 am: a7d1c52585
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1888457

Change-Id: If61c3311772455516323a6f93a9e00f42dfc1e08
2021-11-15 07:42:35 +00:00
Jiyong Park
5d0397047d Merge "Fix bootchart on android12" 2021-11-15 07:04:06 +00:00
Daniel Norman
6b0049dcf0 Adds a new prop context for choosing between multi-installed APEXes.
Bug: 199290365
Test: see https://r.android.com/1872018
Change-Id: I932442adefc7ad10d7cd81e61e95efd41f8cf379
2021-11-11 19:11:11 +00:00
Maciej Żenczykowski
b08a6e4cf0 introduce new 'proc_bpf' for bpf related sysctls am: 3702f3385e am: 127f77ff8c am: aed3c394e8 am: 0b4cec93d8
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1888379

Change-Id: I9b9384c43d193ee46ca247ecb7fc843df6e5e115
2021-11-11 13:18:54 +00:00
Maciej Żenczykowski
3702f3385e introduce new 'proc_bpf' for bpf related sysctls
What to tag chosen based on output of:
  find /proc 2>/dev/null | egrep bpf
on a 5.10 kernel.

Tagged with prefixes to be more likely not require changes in the future

  $ adb root
  $ adb shell 'ls -lZ /proc/sys/net/core/bpf_* /proc/sys/kernel/*bpf*'

Before:
  -rw-r--r-- 1 root root u:object_r:proc:s0      0 2021-11-11 02:11 /proc/sys/kernel/bpf_stats_enabled
  -rw-r--r-- 1 root root u:object_r:proc:s0      0 2021-11-11 02:11 /proc/sys/kernel/unprivileged_bpf_disabled
  -rw-r--r-- 1 root root u:object_r:proc_net:s0  0 2021-11-11 02:11 /proc/sys/net/core/bpf_jit_enable
  -rw------- 1 root root u:object_r:proc_net:s0  0 2021-11-11 02:11 /proc/sys/net/core/bpf_jit_harden
  -rw------- 1 root root u:object_r:proc_net:s0  0 2021-11-11 02:11 /proc/sys/net/core/bpf_jit_kallsyms
  -rw------- 1 root root u:object_r:proc_net:s0  0 2021-11-11 02:11 /proc/sys/net/core/bpf_jit_limit

After:
  -rw-r--r-- 1 root root u:object_r:proc_bpf:s0  0 2021-11-11 02:08 /proc/sys/kernel/bpf_stats_enabled
  -rw-r--r-- 1 root root u:object_r:proc_bpf:s0  0 2021-11-11 02:08 /proc/sys/kernel/unprivileged_bpf_disabled
  -rw-r--r-- 1 root root u:object_r:proc_bpf:s0  0 2021-11-11 02:08 /proc/sys/net/core/bpf_jit_enable
  -rw------- 1 root root u:object_r:proc_bpf:s0  0 2021-11-11 02:08 /proc/sys/net/core/bpf_jit_harden
  -rw------- 1 root root u:object_r:proc_bpf:s0  0 2021-11-11 02:08 /proc/sys/net/core/bpf_jit_kallsyms
  -rw------- 1 root root u:object_r:proc_bpf:s0  0 2021-11-11 02:08 /proc/sys/net/core/bpf_jit_limit

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I46ea81ff42d3b915cf7a96735dc2636d9808ead6
2021-11-11 02:54:21 -08:00
Ji Luo
d338d0ef55 Fix bootchart on android12
Access denial of Apexd would cause runtime abort and the
bootchart is not working on Android 12:
  ...
  F nativeloader: Error finding namespace of apex: no namespace called com_android_art
  F zygote64: runtime.cc:669] Runtime aborting...
  F zygote64: runtime.cc:669] Dumping all threads without mutator lock held
  F zygote64: runtime.cc:669] All threads:
  F zygote64: runtime.cc:669] DALVIK THREADS (1):
  F zygote64: runtime.cc:669] "main" prio=10 tid=1 Runnable (still starting up)
  F zygote64: runtime.cc:669]   | group="" sCount=0 ucsCount=0 flags=0 obj=0x0 self=0xb4000072de0f4010
  ...

Bug: 205880718
Test: bootchart test.

Signed-off-by: Ji Luo <ji.luo@nxp.com>
Change-Id: Ia7d166605cd0b58849cb44d9a16dc3c73e1d4353
2021-11-11 16:53:24 +08:00
David Brazdil
f0b05fb88c Merge "Allow control of AVF experiments" am: f7d7c22115 am: 2322e6d63d am: 56e948959a am: dd97ff8b89
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1875377

Change-Id: Ic30ca518b8eff2ecfed2a2e9e37f51b8d09674c9
2021-11-10 21:50:38 +00:00
Jaegeuk Kim
c304030cf0 Merge "sepolicy: allow to play f2fs-compression for odex/vdex files" am: 6065b053ff am: 4e964bf2b8 am: 39b360df2f am: 8af7cf410d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1883728

Change-Id: I49aff528fcb749d3165ad339b7340000cdb07136
2021-11-10 21:16:06 +00:00
David Brazdil
f7d7c22115 Merge "Allow control of AVF experiments" 2021-11-10 20:42:25 +00:00
Shuzhen Wang
73be025636 Add camera.disable_preview_scheduler property
Test: Build and boot
Bug: 200306379
Change-Id: I7d0b40de33a2d19c88322eacefe9d7342d55a6f4
2021-11-10 12:22:57 -08:00
Jaegeuk Kim
6065b053ff Merge "sepolicy: allow to play f2fs-compression for odex/vdex files" 2021-11-10 19:56:57 +00:00
Andrew Scull
d7bed7733e Allow control of AVF experiments
Grant system_server and flags_health_check permission to set the
properties that correspond to the AVF experiments.

Bug: 192819132
Test: m
Change-Id: I0e6fa73187abb4412d07ecfd42c1074b8afa5346
2021-11-10 10:42:47 +00:00
Maciej Żenczykowski
4ec89372ba Merge "remove spurious clat selinux privs" am: d43e99bed1 am: 85a1557fd2 am: c7601254e3 am: d3ba540041
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1322108

Change-Id: I8a3be1167e605a7ee7abdf5f3264de7fab985045
2021-11-10 04:41:45 +00:00
Maciej Żenczykowski
d43e99bed1 Merge "remove spurious clat selinux privs" 2021-11-10 03:46:52 +00:00
Yifan Hong
e298ede30b Merge "Add charger_type." am: 4b326c0d3f am: 53b4269ce8 am: d0ee3b0bed am: 5ecebfa046
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1870071

Change-Id: Ib397ce4374ace6501cd11418674f5070842a1555
2021-11-10 01:30:57 +00:00
Yifan Hong
4b326c0d3f Merge "Add charger_type." 2021-11-10 00:06:55 +00:00
Maciej Żenczykowski
e397503f80 remove spurious clat selinux privs
Test: ran on flame with ipv6 only wifi network
Bug: 144642337
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I5610b5e446ed1f2288edb12c665a5bddd69d6dae
2021-11-09 19:26:13 +00:00
Kalesh Singh
01b5b44d67 Merge "sepolicy: Allow creating synthetic trace events" am: 9e6dcd74fc am: 5c3c020bbf am: 4862013e38 am: 466cb7f796
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1881642

Change-Id: I53d865fa9faa6ada449d6c4529e80f4d702413b2
2021-11-09 15:50:24 +00:00
Kalesh Singh
9e6dcd74fc Merge "sepolicy: Allow creating synthetic trace events" 2021-11-09 14:26:19 +00:00
Sarah Chin
72798396a1 Merge "Sepolicy for IRadio modules" am: 0185fc6e12 am: 703e69e517 am: 45849ee180 am: 1214fbd0bb
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1883570

Change-Id: I74d10019470cf4f54ade158284d92b690b8dc67d
2021-11-09 10:05:17 +00:00
Sarah Chin
0185fc6e12 Merge "Sepolicy for IRadio modules" 2021-11-09 08:39:34 +00:00
Tej Singh
980ea0bed3 Sepolicy for StatsBootstrapAtomService
This is the selinux changes required to create
StatsBootstrapAtomService, a lightweight proxy service in system server
to allow processes in the bootstrap namespace to log atoms to statsd.

Test: statsbootstrap is successfully published
Bug: 204889815
Change-Id: I5e44f7a65b98b8eebd8da6d35ae6094ce5e177f2
2021-11-08 23:28:21 -08:00
Ken
851c11b2cb sepolicy: allow to play f2fs-compression for odex/vdex files
This patch adds some ioctls for odex/vdex files.

Bug: 205257122
Test: Manual. Code runs.
Signed-off-by: Ken Bian <kenjc.bian@rock-chips.com>
Change-Id: Ibf7890f0910ed04e0355bef9c0bfb21b406fb7eb
2021-11-09 03:13:46 +00:00
Kalesh Singh
fab8e1c1cc sepolicy: Allow creating synthetic trace events
rss_stat will be throttled using histogram triggers and synthetic trace
events. Add genfs context labels for the synthetic tracefs files.

Bug: 145972256
Test: Check log cat for avc denials
Change-Id: I7e183aa930bb6ee79613d011bed7174d553f9c1a
2021-11-08 09:13:51 -08:00
Yi-Yo Chiang
37f868f131 Merge "Add remount.te to allow adb remount-related operations" am: 635f273be5 am: a60b99fef5 am: ebcd21ec37 am: 65fa67a250
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1878144

Change-Id: I064a06365c9db3ddc54ae8ccb91d639e185b35c9
2021-11-08 07:43:20 +00:00
Yi-Yo Chiang
635f273be5 Merge "Add remount.te to allow adb remount-related operations" 2021-11-08 06:43:36 +00:00
Yifan Hong
4238b0e15d Add charger_type.
This is the common type for domains that executes charger's
functionalities, including setting and getting necessary properties,
permissions to maintain the health loop, writing to kernel log, handling
inputs and drawing screens, etc.

Permissions specific to the system charger is not moved.

Also enforce stricter neverallow rules on charger_{status,config}_prop.

For charger_config_prop, only init / vendor_init can set.
For charger_status_prop, only init / vendor_init / charger / health HAL
  can set.
For both, only init / vendor_init / charger / dumpstate / health HAL
  can get.

(Health HAL is determined by the intersection of charger_type and
hal_health_server.)

A follow up CL will be added to add charger_type to hal_health_default,
the default domain for health HAL servers. Vendors may add charger_type
to their domains that serves the health AIDL HAL as well.

Test: manual
Bug: 203246116
Change-Id: I0e99b6b68d381b7f73306d93ee4f8c5c8abdf026
2021-11-05 18:44:04 -07:00
Sarah Chin
e3dfbdb52d Sepolicy for IRadio modules
Test: build and flash
Bug: 198331673
Change-Id: I06513050252874400bcd81fb5735d6790f6e2ac1
2021-11-05 17:00:28 -07:00
Bart Van Assche
0d0b0d667c Merge "Stop using the bdev_type and sysfs_block_type SELinux attributes" am: 5e016c1721 am: df2c2457dc am: 46cbeedd02 am: 89a0a01910
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1875763

Change-Id: Id1950132fb6268e2fa44f6af53c30add15e6df89
2021-11-05 21:38:56 +00:00
Bart Van Assche
5e016c1721 Merge "Stop using the bdev_type and sysfs_block_type SELinux attributes" 2021-11-05 20:36:02 +00:00
Treehugger Robot
a3b021024d Merge "Remove references to nonplat sepolicy" am: 37919f5b87 am: 012a7d8166 am: 91850c27fb am: 61682bd7da
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1882149

Change-Id: I940432d7a42159aeda789f738b288945e46a361c
2021-11-05 16:16:45 +00:00
Treehugger Robot
37919f5b87 Merge "Remove references to nonplat sepolicy" 2021-11-05 15:25:54 +00:00
Jeff Vander Stoep
f098071ac7 Remove references to nonplat sepolicy
"nonplat" was renamed to "vendor" in Android Pie, but was retained
here for Treble compatibility.

We're now outside of the compatbility window for these devices so
it can safely be removed.

Test: atest treble_sepolicy_tests
Change-Id: Iaa22af41a07b13adb7290f570db7a9d43b6e85cc
2021-11-05 15:07:57 +01:00
Yi-Yo Chiang
ae670cc301 Merge "gsid: Allow reading the size of super block device" am: 92eeceafd3 am: 04b0095861 am: c5ba3e32b6 am: d44b25c751
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1879536

Change-Id: I44b713b110700b96049226309d7c557f0d34bfd7
2021-11-04 10:54:08 +00:00
Yi-Yo Chiang
92eeceafd3 Merge "gsid: Allow reading the size of super block device" 2021-11-04 09:06:01 +00:00
Treehugger Robot
4b01084cab Merge "Grant permission for mediatranscoding hal_allocator for GSI image" am: c791b0f1ca am: ae3a974604 am: 25756c9f09 am: 797e77e332
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1874094

Change-Id: I2b0ba3677e67feda92da1ac2e690f3642a4747df
2021-11-04 00:19:10 +00:00
Treehugger Robot
c791b0f1ca Merge "Grant permission for mediatranscoding hal_allocator for GSI image" 2021-11-03 23:21:34 +00:00
Serik Beketayev
67fc343b0e [IRadioConfig] Applying new IRadioConfig AIDL am: 1862a52750 am: bb2ef83dcb am: db1fcf0f66 am: 6229fb8e9c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1879936

Change-Id: I2ce3cdcf8d710882bc1e07fcaf010ca4e8ae9374
2021-11-03 18:18:19 +00:00
Serik Beketayev
1862a52750 [IRadioConfig] Applying new IRadioConfig AIDL
Bug: 198332054
Test: m -j
Change-Id: I7558a7488c41aac6cd9cae1f0ccf777045909f85
2021-11-03 09:18:49 -07:00
Gabriel Biren
f06cc37d10 Add SeLinux policy for supplicant AIDL service. am: 4a0673e369 am: 9229edf01d am: 9961b167c1 am: 1a9729ea1c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1845631

Change-Id: I0a8974b6812c2fff7ac7ab1d3ce709e987797c2a
2021-11-03 15:51:44 +00:00
Yi-Yo Chiang
ae736f91cb gsid: Allow reading the size of super block device
Bug: 204963821
Test: Presubmit
Change-Id: Ic079a8a557af676c8cda2f1d4ed972b72d86e2ed
2021-11-03 20:42:48 +08:00
Gabriel Biren
4a0673e369 Add SeLinux policy for supplicant AIDL service.
Bug: 196235436
Test: Manual - connect to WiFi
Change-Id: I613a2e7eac620543872a1af7ed477b8d36713b45
2021-11-02 22:24:39 +00:00
Yabin Cui
9119543a23 Merge "Add persist properties for app profiling itself." am: c1a51d1400 am: 4d053aa5b6 am: eb0ea30ebb am: 76bc699869
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1877597

Change-Id: I1cbf9ece16af9306a5f581db8005d841c1031284
2021-11-02 20:19:33 +00:00
Chris Weir
10dea2d98e Merge "SEPolicy for Netlink Interceptor" am: 07fcb348fa am: d93b30412c am: edeca7b9c2 am: 6fb43d86b4
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1845629

Change-Id: I08edb857f18a9035755dfafb935164da41e3eebc
2021-11-02 19:27:08 +00:00
Yabin Cui
c1a51d1400 Merge "Add persist properties for app profiling itself." 2021-11-02 19:03:37 +00:00
Chris Weir
07fcb348fa Merge "SEPolicy for Netlink Interceptor" 2021-11-02 18:02:45 +00:00
Yi-Yo Chiang
8638a44a2d Add remount.te to allow adb remount-related operations
* init_daemon_domain because clean_scratch_files is executed by init
* gsid related plumbing for libfs_mgr_binder

Bug: 204836146
Test: Presubmit
Change-Id: Idd7eacd577f538d194252174ab1e3d8396f08fb1
2021-11-02 22:10:05 +08:00
Jooyung Han
4a3b291642 Merge "remove unnecessary right from virtualizationservice" am: effe33f20d am: 3728a2fe9a am: a1072d3195 am: cd84829900
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1878083

Change-Id: Id7ac83b5e188a1684dd614749e94322c80315720
2021-11-02 10:43:26 +00:00
Mohammad Islam
ac980b28c4 Merge "Allow apexd to call derive_classpath binary" am: 15a5b178fe am: 10e5730c40 am: 0c5bd5448e am: 8fd5a997ca
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1849427

Change-Id: I233f6e67551af70fa593a78bda1cc33703c6f6c5
2021-11-02 10:34:41 +00:00
Jooyung Han
effe33f20d Merge "remove unnecessary right from virtualizationservice" 2021-11-02 09:10:25 +00:00
Mohammad Islam
15a5b178fe Merge "Allow apexd to call derive_classpath binary" 2021-11-02 08:51:01 +00:00
Jooyung Han
33b21f0c91 remove unnecessary right from virtualizationservice
Bug: n/a
Test: MicrodroidTestCases
Change-Id: I14580d89d03dd90498f665913d00484ff643ee6a
2021-11-02 16:01:04 +09:00
Treehugger Robot
a6e5a53a98 Merge "Allow init to write to /proc/cpu/alignment" am: 54bd8438b1 am: c9c4f7fab2 am: 44b7ff808f am: f1be036c13
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1874738

Change-Id: I01cd3b6566312c7bc171c0ea420585435130cce0
2021-11-01 23:45:05 +00:00
Yabin Cui
ee7f40a2a2 Add persist properties for app profiling itself.
Bug: 204601121
Test: build and boot.
Change-Id: If731c77dd6f2b587178b4f6b8a908df2d96e5d9a
2021-11-01 16:42:08 -07:00
Treehugger Robot
54bd8438b1 Merge "Allow init to write to /proc/cpu/alignment" 2021-11-01 22:33:09 +00:00
Alistair Delva
6092d633b0 Allow init to write to /proc/cpu/alignment
The root init.rc does "write /proc/cpu/alignment 4", but we don't
actually allow this write in core sepolicy. This seems to be a 32-bit
ARM only proc file.

Noticed when booting 32-bit ARM Cuttlefish.

Bug: 145371497
Change-Id: Ic099395708f7236bcc2fc5c561809a7e129786de
2021-11-01 10:17:26 -07:00
Bart Van Assche
4374a1fd83 Stop using the bdev_type and sysfs_block_type SELinux attributes
Stop using these SELinux attributes since the apexd and init SELinux
policies no longer rely on these attributes.

The difference between the previous versions of this patch and the
current patch is that the current patch does not remove any SELinux
attributes. See also
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1850656.
See also
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1862919.

This patch includes a revert of commit 8b2b951349 ("Restore permission
for shell to list /sys/class/block").  That commit is no longer necessary
since it was a bug fix for the introduction of the sysfs_block type.

Bug: 202520796
Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd
Change-Id: I73e1133af8146c154af95d4b96132e49dbec730c
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-10-29 15:22:09 -07:00
Shubang Lu
65d709e7f0 Merge "Add SE policy for tv_iapp" am: 69a7983d31 am: 6dcca98eac am: 0befb376c5 am: 537eae743a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1867710

Change-Id: I1b8ee267c2609353cad52129e4ca03b44b3ac406
2021-10-29 20:51:06 +00:00
Shubang Lu
69a7983d31 Merge "Add SE policy for tv_iapp" 2021-10-29 19:44:18 +00:00
Yabin Cui
c256926233 Merge "Revert "Revert "allow simpleperf to profile more app types.""" am: d6ab03f8d0 am: d67a8be8cd am: e13957f864 am: f9a9d72e90
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1872134

Change-Id: I456894f20cee2650672fa48e410d28f3db03af45
2021-10-29 18:00:15 +00:00
Jeffrey Huang
331c371eb3 Merge "Allow statsd to write to priv app FDs" am: 47ff63e60e am: 6a13e5bbce am: 6c4251d006 am: 2855cfa52a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1786611

Change-Id: I501f87b00c53efcde3df09d00c9cce8139b61995
2021-10-29 17:33:25 +00:00
Yabin Cui
d6ab03f8d0 Merge "Revert "Revert "allow simpleperf to profile more app types.""" 2021-10-29 16:28:59 +00:00
Jeffrey Huang
47ff63e60e Merge "Allow statsd to write to priv app FDs" 2021-10-29 16:06:33 +00:00
Steven Moreland
6e9f47f5de Merge "Remove bufferhub HAL policy." am: f15d7e3ff5 am: 569c2a67cc am: d1b2eab8a3 am: 49249f7b53
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1872133

Change-Id: I8cf08b0460bedbc32defe4d7f4664c5cbb7cddaa
2021-10-28 22:17:44 +00:00
Steven Moreland
f15d7e3ff5 Merge "Remove bufferhub HAL policy." 2021-10-28 21:12:45 +00:00
Jeffrey Huang
5d5e539bbf Allow statsd to write to priv app FDs
Bug: 160810755
Test: manual
Change-Id: Idc033ca206855424affa04351f946dda42d087a8
2021-10-28 13:07:19 -07:00
brycelee
887bc57334 Merge "Revert "Remove the bdev_type and sysfs_block_type SELinux attributes"" am: 1a6fbe3dfe am: 773e881fe8 am: c6738e359e am: 3a981f0f4e
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1873981

Change-Id: I9c20e672ad79831d3a56cd834cb113ec8bd588c9
2021-10-28 19:41:21 +00:00
brycelee
1a6fbe3dfe Merge "Revert "Remove the bdev_type and sysfs_block_type SELinux attributes"" 2021-10-28 18:31:01 +00:00
Bart Van Assche
e3cfa9e1d3 Revert "Remove the bdev_type and sysfs_block_type SELinux attributes"
This reverts commit 63930d3850.

Reason for revert: Broken build (https://android-build.googleplex.com/builds/submitted/7863094/aosp_raven-userdebug/latest/view/logs/error.log)

Change-Id: I1742d69d471e9b00359a2e7e654aa752513990df
2021-10-28 18:03:49 +00:00
Bart Van Assche
f3c3c05d72 Merge "Remove the bdev_type and sysfs_block_type SELinux attributes" am: 187ffea5b8 am: 81f861e9fc am: b602e2e510 am: 27c8e3fabc
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1862919

Change-Id: I2bc03021167e7d8e35f4bf92fe54f09271323597
2021-10-28 17:53:33 +00:00
Kilyoung Shin
1578320fa7 Grant permission for mediatranscoding hal_allocator for GSI image
Bug: 203839961
Test: run cts -m CtsMediaTranscodingTestCases -t
android.media.mediatranscoding.cts.MediaTranscodingManagerTest#testAddingClientUids

Signed-off-by: Kilyoung Shin <gilbert.shin@samsung.com>
Change-Id: If44653f436d4e5dcbd040af24f03b09ae8e7ac05
2021-10-28 17:46:57 +00:00
Bart Van Assche
187ffea5b8 Merge "Remove the bdev_type and sysfs_block_type SELinux attributes" 2021-10-28 16:45:54 +00:00
Samiul Islam
9237163c26 Allow apexd to call derive_classpath binary
This will allow apexd to determine if a staged apex contributes to
classpath or not.

Bug: 187444679
Test: atest ApexTestCases
Test: atest StagedInstallInternalTest
Change-Id: I336001ef1dab3aa45835662eecc02d63645b5980
2021-10-28 16:27:09 +01:00
Treehugger Robot
ae198a288a Merge "Add the property context for ro.lmk.use_minfree_levels" am: b754ebe4d9 am: 4b144d6a21 am: f4abed157b am: a718092cd3
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1871573

Change-Id: I66ade200fbbc916629e18e6bceef1ae0e22773e3
2021-10-28 01:33:02 +00:00
Yabin Cui
3696a20b11 Revert "Revert "allow simpleperf to profile more app types.""
This reverts commit dd2079d7f0.

Bug: 199086135
Test: run simpleperf to record systemui.
Change-Id: Ibc6017d53a9835a2f8ff5409c825c0d70ef23e25
2021-10-27 11:05:01 -07:00
Steven Moreland
cc7de177ec Remove bufferhub HAL policy.
The bufferhub daemon policy still remains, since it still needs to be
deleted. However, since the HAL no longer exists, removing policy
related to this.

Bug: 204068144
Test: build only
Change-Id: I96b96c77a39e2ba2024680ebaf3067283d0cfc65
2021-10-27 10:54:45 -07:00
Robin Lee
0b0dd684e7 Add the property context for ro.lmk.use_minfree_levels
This is not settable by vendor init at the moment, which appears to be a mistake
because it is often used as a board-level configuration.

Change-Id: I7a49d55712e9606446b3e6307627a208657d5da2
Test: adb shell getprop -Z | grep lmk
Bug: 184041905
2021-10-27 13:17:54 +00:00
Yifan Hong
20694c593e Add health AIDL HAL. am: 388bbbccb3 am: c0451e34e9 am: ecbbe81647 am: 156e621273
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1865954

Change-Id: Ic96248d6c2574985a0e29607d75d771e2fbca6cf
2021-10-27 06:35:18 +00:00
Yifan Hong
388bbbccb3 Add health AIDL HAL.
Test: pass
Bug: 177269435
Change-Id: I755d5158715b38a89a28af753ad4c27cdfa93546
2021-10-26 19:34:34 -07:00
Chris Weir
4ac3d74a70 SEPolicy for Netlink Interceptor
Make Netlink Interceptor work when SELinux is enforcing

Test: Netlink Interceptor HAL comes up and works
Bug: 194683902
Change-Id: I3afc7ae04eba82f2f6385b66ddd5f4a8310dff88
2021-10-26 10:03:14 -07:00
Bart Van Assche
63930d3850 Remove the bdev_type and sysfs_block_type SELinux attributes
Remove these SELinux attributes since the apexd and init SELinux policies
no longer rely on these attributes.

The only difference between a previous version of this patch and the
current patch is that the current patch moves these attributes to the
'compat' policy. See also
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1850656.

This patch includes a revert of commit 8b2b951349 ("Restore permission
for shell to list /sys/class/block"). That commit is no longer necessary
since it was a bug fix for the introduction of the sysfs_block type.

Bug: 202520796
Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd && adb -e shell dmesg | grep avc
Change-Id: Id7d32a914e48bc74da63d87ce6a09f11e323c186
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-10-25 16:26:07 -07:00
shubang
9fa7dc9c7b Add SE policy for tv_iapp
Bug: 203730671
Test: cuttlefish;
Change-Id: I533f2004343aafe5660e4018e73111880dfa647f
2021-10-22 00:02:05 -07:00
Yifan Hong
9cb30538a7 Merge "Remove healthd." am: 48732e041c am: a0f7f4c30a am: aae18739b5 am: 562cde497b
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1865953

Change-Id: Icc8e02c7ffebbe47cf70f4d0658d4f2eb72c0c46
2021-10-22 00:58:01 +00:00
Yifan Hong
48732e041c Merge "Remove healthd." 2021-10-22 00:06:39 +00:00
Treehugger Robot
88d8ddfc92 Merge "Move mediatranscoding type to public" am: 5b1dc1693a am: ff87e8825b am: 00de344da1 am: f727139298
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1866453

Change-Id: Ia38ab23acc57fccdac4d98badd3ce40a8c9e3870
2021-10-21 12:01:09 +00:00
Bowgo Tsai
7a7e88bddc Set context for partition.odm.verified[.*] properties. am: ef1f630c69 am: b986f376ce am: 44d3ea4ae9 am: 992f7fbe90
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1864479

Change-Id: I1107a7515d4db25a25f4537053700a88c177c8f9
2021-10-21 11:22:34 +00:00
Treehugger Robot
5b1dc1693a Merge "Move mediatranscoding type to public" 2021-10-21 11:06:22 +00:00
Bowgo Tsai
ef1f630c69 Set context for partition.odm.verified[.*] properties.
Some devices might have the ODM partition so set those properties
as well.

Bug: 203720638
Test: Presubmit
Change-Id: I50ee65e21c471f0691f4c1dfc93be8eb1677ad1b
2021-10-21 16:38:06 +08:00
Jeff Vander Stoep
1b2a0b4dab Move mediatranscoding type to public
Move type to public so that it can be vendor customized. This
can be necessary if (for example) the gralloc/gpu same-process-HAL
requires additional permissions.

Bug: 199581284
Test: build
Change-Id: I61a5a3ad96112d4293fd4bf6d55f939c974643ce
2021-10-21 09:10:45 +02:00
Yifan Hong
aabea20d89 Remove healthd.
Test: pass
Bug: 203245871
Change-Id: I4eb0b4333d7fde2096c4c75b7655baf897900005
2021-10-20 18:47:41 -07:00
Ady Abraham
71b0300e4a Composer stable AIDL HAL sepolicy am: 7ed18e6d66 am: 5ffad8d9dc am: 1854578f75 am: 4c07b5561b
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1863914

Change-Id: I1319dc8dbef58b49bd1d25bc41fe8afda7f50a18
2021-10-20 05:57:42 +00:00
Ady Abraham
3a24ede36f Remove vrflinger am: df28371462 am: 05553287d1 am: 15fca4224b am: 1b9f2a662c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1863913

Change-Id: Ic2a878cf1442467be05f1535acf7e9a875777b18
2021-10-20 05:57:39 +00:00
Ady Abraham
7ed18e6d66 Composer stable AIDL HAL sepolicy
Test: build + presubmit
Bug: 198690444
Change-Id: I6a26823c4ad363d137526c96580b05363d0ac894
2021-10-20 02:58:20 +00:00
Ady Abraham
df28371462 Remove vrflinger
Not used anymore.

Test: build + presubmit
Bug: 170681929
Change-Id: I3ac9b842f89acf620e9f08516e44977d83064f2f
2021-10-20 02:02:57 +00:00
Michał Brzeziński
59bde4dd30 Merge "Revert "Remove the bdev_type and sysfs_block_type SELinux attributes"" am: 04e3a05fde am: f397a21ab0 am: 87a048be81 am: adc7f5e015
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1862217

Change-Id: I6b9d768b825c2d2a827c734451ce300c4fbc6fb3
2021-10-19 14:23:05 +00:00