40514 commits

Author SHA1 Message Date
Miguel Aranda
301f24028d Merge "Add SEPolicy tags for concrypt cacerts." am: 7394ea85d2
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2362479

Change-Id: Iaa0bec8e86431d7fd2df1e544c40dceccde9cfeb
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-21 23:58:15 +00:00
Miguel Aranda
7394ea85d2 Merge "Add SEPolicy tags for concrypt cacerts." 2022-12-21 23:20:38 +00:00
Jiyong Park
2053d9c986 Merge "Add rules for prng_seeder" am: f59f5d2eba
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2364952

Change-Id: I3665fbd4ffa736fc25b3b4ba0d8533af64a85ede
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-21 12:32:40 +00:00
Jiyong Park
f59f5d2eba Merge "Add rules for prng_seeder" 2022-12-21 12:15:32 +00:00
Miguel
f63164a474 Add SEPolicy tags for concrypt cacerts.
Test: booting
Change-Id: I53815eb272fcdff739ba596cc1dd6bcca57c7d12
2022-12-21 06:42:21 +00:00
Treehugger Robot
b839e55d39 Merge "Allow system_server to enable fs-verity." am: 3ca356b7df
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2364635

Change-Id: I5d5f1a9855a087c2fd40756c8657515f4952bb36
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-21 02:14:43 +00:00
Treehugger Robot
3ca356b7df Merge "Allow system_server to enable fs-verity." 2022-12-21 01:24:43 +00:00
Alex Buynytskyy
ff577a00b8 Allow system_server to enable fs-verity.
Bug: 253568736
Test: atest PackageManagerSettingsTests
Change-Id: I2fc59d6441eca95b349aebaa633a15584c7ef744
2022-12-20 15:36:26 -08:00
Devin Moore
9810a58453 Merge changes Id416cc2f,I6b0871bb,I7a1569b8 am: b6066c2261
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2363265

Change-Id: Idf325b75b76bbef130c5d859c4cace9e0bc57ba1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-20 21:02:53 +00:00
Devin Moore
b6066c2261 Merge changes Id416cc2f,I6b0871bb,I7a1569b8
* changes:
  Allow biometrics hals to talk to the new AIDL sensorservice
  Allow audio HAL to talk to the new AIDL sensorservice
  Allow camera to talk to the new AIDL sensorservice
2022-12-20 20:38:02 +00:00
Florian Mayer
05cb03323a Merge "Allow system_server to set arm64 memtag property" am: c7c6d49939
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2361257

Change-Id: I392db9a4c7c1fecc8ad2725cf97f35911533c7a1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-20 19:38:02 +00:00
Florian Mayer
c7c6d49939 Merge "Allow system_server to set arm64 memtag property" 2022-12-20 19:04:03 +00:00
Jiyong Park
02df74af6d Add rules for prng_seeder
The process has exclusive access to /dev/hw_random. It instead
provides a socket (/dev/prng_seeder/socket) which any process can
connect to to get random numbers.

This CL is basically a Microdroid version of aosp/2215051

Bug: 247781653
Test: same as aosp/I0a7e339115a2cf6b819730dcf5f8b189a339c57d
    * Verify prng_seeder daemon is running and has the
      correct label (via ps -Z)
    * Verify prng_seeder socket present and has correct
      label (via ls -Z)
    * Verify no SELinux denials
    * strace a libcrypto process and verify it reads seeding
      data from prng_seeder (e.g. strace bssl rand -hex 1024)
    * strace seeder daemon to observe incoming connections
      (e.g. strace -f -p `pgrep prng_seeder`)

Change-Id: I3483132ead0f5d101b5b3365f78cc36d89528f0e
2022-12-20 22:01:57 +09:00
Nikita Ioffe
315760c133 Merge "Allow microdroid_manager to drop capabilities from its bounding set" am: 682d9917c7
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2361861

Change-Id: Ida90dd9b09d6f4ea76064b75cd048823defabe43
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-20 12:34:51 +00:00
Nikita Ioffe
682d9917c7 Merge "Allow microdroid_manager to drop capabilities from its bounding set" 2022-12-20 12:08:46 +00:00
David Brazdil
b5a4f52de7 Merge "Create virtmgr domain and initial policy" am: 3e61a33df5
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2317789

Change-Id: Idf0ae233e4ddb32038721929d953a5306e957053
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-20 09:01:43 +00:00
David Brazdil
3e61a33df5 Merge "Create virtmgr domain and initial policy" 2022-12-20 08:17:05 +00:00
Treehugger Robot
25dbb36b21 Merge "Add usbd servicemanager permission" am: 9c3f194032
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2361854

Change-Id: I76128d8c0e3255140ca97fa2599c89c9c49dfb07
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-20 04:51:48 +00:00
Treehugger Robot
9c3f194032 Merge "Add usbd servicemanager permission" 2022-12-20 03:56:11 +00:00
Treehugger Robot
f6872e0ea8 Merge "Add SELinux policy for sound dose HAL" am: 62894399c3
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2361860

Change-Id: Iac3d977899859a4411486daeb7f252c2390b9d07
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-19 19:59:00 +00:00
Devin Moore
e632fc098a Allow biometrics hals to talk to the new AIDL sensorservice
This is being used in libsensorndkbridge now, so permissions are
required.

Test: atest CtsCameraTestCases && adb logcat | grep avc
Bug: 205764765
Change-Id: Id416cc2f92ba82d4068376a5f4d076137aab086a
2022-12-19 19:51:55 +00:00
Devin Moore
a2765f212f Allow audio HAL to talk to the new AIDL sensorservice
This is being used in libsensorndkbridge now, so permissions are
required.

Test: m
Bug: 205764765
Change-Id: I6b0871bbcdff920d1d9dc9b66ec1236405f90fd8
2022-12-19 19:50:57 +00:00
Devin Moore
2a724dd853 Allow camera to talk to the new AIDL sensorservice
This is being used in libsensorndkbridge now, so permissions are
required.

Test: atest CtsCameraTestCases && adb logcat | grep avc
Bug: 205764765
Change-Id: I7a1569b8b4e2a21961f3950fa3947b5e20fc674b
2022-12-19 19:50:31 +00:00
Treehugger Robot
62894399c3 Merge "Add SELinux policy for sound dose HAL" 2022-12-19 19:07:32 +00:00
Ricky Niu
6da445b0c8 Add usbd servicemanager permission
[   46.850950][  T561] type=1400 audit(1670831200.996:262): avc: denied { call } for comm="usbd" scontext=u:r:usbd:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1

Bug: 263070284
Test: error message disappears
Signed-off-by: Ricky Niu <rickyniu@google.com>
Change-Id: I5d0c309238b0454198b7e24d91bfc57829a8bfc1
2022-12-19 16:16:17 +08:00
Nikita Ioffe
f8ece0f19e Allow microdroid_manager to drop capabilities from its bounding set
In the other change in the same topic microdroid_manager starts to drop
the capabilities before execve'ing the payload binary.

Test: m
Bug: 243633980
Change-Id: Ia70d15db413c822b174a708dedfa5557c8abde65
2022-12-17 02:36:49 +00:00
Florian Mayer
152f832904 Allow system_server to set arm64 memtag property
Bug: 262763327
Bug: 244290023
Test: atest MtePolicyTest on user build
Test: manually with TestDPC
Change-Id: If1ed257fede6fa424604eed9775eb3a3b8365afe
2022-12-16 16:58:36 -08:00
Vlad Popa
48dd5f7ac4 Add SELinux policy for sound dose HAL
Note that this HAL is meant only as a workaround until the OEMs
switch to the AIDL audio HAL.

Test: bluejay-userdebug
Bug: 257937004
Change-Id: Id01da9606f73354a01a94aace8a8966a09038fda
2022-12-16 21:42:06 +01:00
Treehugger Robot
f1aa72efbd Merge "Remove dalvik.vm.usejitprofiles system property." am: a0f59cffe2
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2327464

Change-Id: I7804258d2646116d8073f9c0ef6b1cd94b9405a9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-16 19:25:03 +00:00
Treehugger Robot
a0f59cffe2 Merge "Remove dalvik.vm.usejitprofiles system property." 2022-12-16 18:51:08 +00:00
Vikram Gaur
24a4882a1d Merge "Fix permission issue for widevine mediaservices." am: ebe25efd66
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2357882

Change-Id: Icd54cd9fadaa0bdfc3634a271a1587112bdd74e1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-15 20:03:22 +00:00
Vikram Gaur
ebe25efd66 Merge "Fix permission issue for widevine mediaservices." 2022-12-15 19:13:12 +00:00
Vikram Gaur
91f5c53adf Fix permission issue for widevine mediaservices.
Widevine provisioning was causing SELinux policy issues since we need to
provision Widevine through MediaDrm framework.

Test: presubmits
Change-Id: Ia9d070309e84599ed614bbf5ba35eed558f4d463
2022-12-15 17:14:04 +00:00
Sandro
50b3258e72 Allow sdk_sandbox to read files/directory in /data/local/tmp am: f7894fc62e
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2346004

Change-Id: I2151fc7adbf56d64139d432a89c4f166575974c4
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-15 16:18:25 +00:00
Sandro
f7894fc62e Allow sdk_sandbox to read files/directory in /data/local/tmp
The /data/local/tmp directory is used by the CTS tests infrastructure to
store various data, like the list of tests to include/exclude after
failures
http://cs/android-internal/tools/tradefederation/core/test_framework/com/android/tradefed/testtype/AndroidJUnitTest.java;l=333-347;rcl=bbd3902197b7de1a99aef4c22db8e14e4dbf1157

Without this CL, CTS modules that attempt to re-execute failures will
get a '[INSTRUMENTATION_CRASH|SYSTEM_UNDER_TEST_CRASHED]' error.

Test results before/after this CL:
Before: http://ab/I04600010115474754
After: http://ab/I65000010115426482
Note the absence of "Module error" in the second case
https://screenshot.googleplex.com/C6Ui3GdfgQBt8bp
https://screenshot.googleplex.com/BDHKFfKJjnqVYpj

Bug: 261864298
Test: atest CtsBluetoothTestCases --retry-any-failure -- --enable-optional-parameterization --enable-parameterized-modules --module-parameter run_on_sdk_sandbox
Change-Id: Ibbb196f8c0ef1df320885ed8c56f20172f83d583
2022-12-15 10:29:36 +00:00
Calvin Pan
ecdc4715bc Merge "Add grammatical_inflection service" am: f56dfeb2d4
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2352743

Change-Id: Id395bbf82119e19bb0af5a24c03c74ba1653aef2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-15 08:33:34 +00:00
Calvin Pan
f56dfeb2d4 Merge "Add grammatical_inflection service" 2022-12-15 07:38:01 +00:00
Yu Shan
eb528ca882 Merge "Allow wider remote access names." am: aa3f997dcc
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2320744

Change-Id: Ia6b61d1510f8038c97296c4fa4177a964ae87a8a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-15 02:43:32 +00:00
Yu Shan
aa3f997dcc Merge "Allow wider remote access names." 2022-12-15 01:51:46 +00:00
Avichal Rakesh
5e5c23595e Merge "cameraservice: Add selinux policy for vndk cameraservice." am: 95ecfc2f33
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2346843

Change-Id: I4e185ca35ead0c03abf04c3304fa836804a78308
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-14 23:29:49 +00:00
Avichal Rakesh
95ecfc2f33 Merge "cameraservice: Add selinux policy for vndk cameraservice." 2022-12-14 22:49:47 +00:00
Avichal Rakesh
0febfbd952 cameraservice: Add selinux policy for vndk cameraservice.
This CL adds a new cameraservice type to allow vendor clients of
cameraservice to query and find the stable cameraservice
implementation.

Bug: 243593375
Test: Manually tested that cameraservice can register a vendor facing
      instance.
Change-Id: I61499406d4811c898719abcb89c51b4b8a29f4a7
2022-12-14 20:46:43 +00:00
Treehugger Robot
3e7c437abc Merge "Add more zipfuse mount done props" am: 3997a8fff0
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2335486

Change-Id: I93a814e53363df46c67e593b4bacbf3918b16760
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-14 11:16:56 +00:00
Treehugger Robot
3997a8fff0 Merge "Add more zipfuse mount done props" 2022-12-14 10:51:40 +00:00
Yi-yo Chiang
6dd7125da7 Merge "overlayfs: Rules for mounting overlays from second stage init" am: 3419d11207
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2346222

Change-Id: I396b32b9ef6faab3d5020afac09410786a68282b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-14 07:35:18 +00:00
Yi-yo Chiang
3419d11207 Merge "overlayfs: Rules for mounting overlays from second stage init" 2022-12-14 07:18:06 +00:00
Calvin Pan
a9b1c2299c Add grammatical_inflection service
This new service is exposed by system_server and available to all apps.

Bug: 259175720
Test: atest and check the log
Change-Id: I522a3baab1631589bc86fdf706af745bb6cf9f03
2022-12-14 05:22:53 +00:00
Chris Weir
00a22a3888 Merge "binder_call should be binder_use" am: bdd2fe9a26
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2344838

Change-Id: If5644076ac8bddb55502ae445fd3da7986d39c9b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-14 05:04:06 +00:00
Chris Weir
bdd2fe9a26 Merge "binder_call should be binder_use" 2022-12-14 04:46:22 +00:00
Treehugger Robot
16d0242532 Merge "Add a sysprop for initiating PHYs in LE create ext connection" am: 92018d4150
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2335542

Change-Id: I4a6d59a519b40d44a169fce1743d7664c0aa58e2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-14 04:27:29 +00:00