Treehugger Robot
92018d4150
Merge "Add a sysprop for initiating PHYs in LE create ext connection"
2022-12-14 04:07:33 +00:00
Pomai Ahlo
0824aff623
Merge "[ISap hidl2aidl] Update ISap in sepolicy" am: ab3a546000
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2339122
Change-Id: I549e97f1e4f9662c579f9c4724bbc009a4ab84bd
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-13 20:58:30 +00:00
Mohi Montazer
c7eba19ef9
Merge "SEPolicy updates for camera HAL" am: 3bbdd15ece
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2338242
Change-Id: I62c50e53633bf00dde787fe7fb7f6ee9dc372a1a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-13 20:58:17 +00:00
Treehugger Robot
e68c0a72a9
Merge "Selinux label for /mnt/encryptedstore" am: f1e8772660
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2335488
Change-Id: Icbb8b4bdd4bbf85baf3bf3a474dcb904565220c7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-13 20:57:41 +00:00
Pomai Ahlo
ab3a546000
Merge "[ISap hidl2aidl] Update ISap in sepolicy"
2022-12-13 20:57:24 +00:00
Mohi Montazer
3bbdd15ece
Merge "SEPolicy updates for camera HAL"
2022-12-13 20:37:59 +00:00
Treehugger Robot
f1e8772660
Merge "Selinux label for /mnt/encryptedstore"
2022-12-13 20:16:12 +00:00
Automerger Merge Worker
6bddf9f9e0
Merge "Merge "Add all supported instance names for audio IModule" am: ffae136437" into stage-aosp-master
2022-12-13 19:38:52 +00:00
Treehugger Robot
30f6614f80
Merge "Add all supported instance names for audio IModule" am: ffae136437
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2336911
Change-Id: I2bcffbc78aea12494a0a688baff4891a992aaf67
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-13 19:38:44 +00:00
Treehugger Robot
7ea2e57cb2
Merge "Add all supported instance names for audio IModule" am: ffae136437
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2336911
Change-Id: I898f0faf7b59dfd2b76f898809241138e4e9dcd6
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-13 19:38:42 +00:00
Jiakai Zhang
1afdbf5357
Merge changes Iec586c55,Iccb97b19 am: 9acfabbe12
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2345246
Change-Id: I31409ca70b94ec4ed653429dc1a8954a20e8d060
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-13 19:36:43 +00:00
Treehugger Robot
ffae136437
Merge "Add all supported instance names for audio IModule"
2022-12-13 19:30:00 +00:00
Jiakai Zhang
9acfabbe12
Merge changes Iec586c55,Iccb97b19
...
* changes:
  Allow artd to access files for restorecon.
  Allow artd to read symlinks for secondary dex files.
2022-12-13 19:06:18 +00:00
Treehugger Robot
920af49203
Merge "sepolicy: Add Bluetooth AIDL" am: 8cce74d7e0
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2238140
Change-Id: If43caf1b19a3d0c26567930ad15702c6325ab3a8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-13 18:59:48 +00:00
David Brazdil
5fcfbe49da
Create virtmgr domain and initial policy
...
Start a new security domain for virtmgr - a child process of an app that
manages its virtual machines.
Add permissions to auto-transition to the virtmgr domain when the client
fork/execs virtmgr and to communicate over UDS and pipe.
Bug: 250685929
Test: atest -p packages/modules/Virtualization:avf-presubmit
Change-Id: I7624700b263f49264812e9bca6b83a003cc929be
2022-12-13 18:40:05 +00:00
Treehugger Robot
8cce74d7e0
Merge "sepolicy: Add Bluetooth AIDL"
2022-12-13 18:26:03 +00:00
Mohi Montazer
ad059403ad
SEPolicy updates for camera HAL
...
Updates SEPolicy files to give camera HAL permission to access
Android Core Experiment flags.
Example denials:
11-30 13:08:33.172 1027 1027 W binder:1027_3: type=1400 audit(0.0:7): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=152 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0
11-30 13:08:33.172 1027 1027 W binder:1027_3: type=1400 audit(0.0:8): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=152 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0
11-30 13:08:33.244 1027 1027 W 3AThreadPool: type=1400 audit(0.0:9): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=152 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0
Bug: 259433722
Test: m
Change-Id: I11165b56d7b7e38130698cf86d9739f878580a14
2022-12-13 09:52:04 -08:00
Chris Weir
5bc1652307
binder_call should be binder_use
...
aosp/2291528 should have had the `binder_call` macro in hal_can.te be a
`binder_use` macro instead. This fixes that.
Bug: 170405615
Test: AIDL CAN HAL starts up and configures
Change-Id: I7b18c25afef5a243bf0bba7c77a682f7cff092a3
2022-12-13 17:38:33 +00:00
Jiakai Zhang
d7f811913b
Allow artd to access files for restorecon.
...
Otherwise, we will get SELinux denials like:
W binder:5750_1: type=1400 audit(0.0:133): avc: denied { read } for name="plat_file_contexts" dev="dm-1" ino=979 scontext=u:r:artd:s0 tcontext=u:object_r:file_contexts_file:s0 tclass=file permissive=0
W binder:5750_1: type=1400 audit(0.0:134): avc: denied { read } for name="system_ext_file_contexts" dev="dm-3" ino=92 scontext=u:r:artd:s0 tcontext=u:object_r:file_contexts_file:s0 tclass=file permissive=0
Bug: 262230400
Test: No longer see such SELinux denials.
Change-Id: Iec586c554fa2dc33f0a428321bada484add620ed
2022-12-13 16:03:22 +00:00
Treehugger Robot
b7ca038df4
Merge "Add ro.fuse.bpf.is_running" am: 71ed34c341
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2346802
Change-Id: Ieaaf08642cd5da03eb57936f4ecf2ee881b17ad2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-13 15:56:11 +00:00
Treehugger Robot
71ed34c341
Merge "Add ro.fuse.bpf.is_running"
2022-12-13 15:22:48 +00:00
Jiakai Zhang
6834597a41
Allow artd to read symlinks for secondary dex files.
...
Otherwise, we will encounter SELinux denials like:
W binder:6200_7: type=1400 audit(0.0:327): avc: denied { read } for name="PrebuiltGmsCoreNext_DynamiteLoader.apk" dev="dm-51" ino=2576 scontext=u:r:artd:s0 tcontext=u:object_r:privapp_data_file:s0:c512,c768 tclass=lnk_file permissive=0
Bug: 262230400
Test: No longer see such SELinux denials.
Change-Id: Iccb97b1973f8efbe859b59e729f7a0194d05ba5e
2022-12-13 14:49:20 +00:00
Treehugger Robot
e5c6d9bae8
Merge "Don't crash_dump crosvm" am: bc9ce78119
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2338047
Change-Id: If2cb11d6a99ff311e46efdd68a9fc40c29c6f314
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-13 13:20:56 +00:00
Treehugger Robot
bc9ce78119
Merge "Don't crash_dump crosvm"
2022-12-13 12:48:11 +00:00
Alan Stokes
6ed1bd9dee
Don't crash_dump crosvm
...
Parts of its memory map are donated to guest VMs, which crashes the
kernel when it tries to touch them.
Ideally we would fix crash_dump to skip over such memory, but in
the meantime this would avoid the kernel crash.
Bug: 236672526
Bug: 238324526
Bug: 260707149
Test: Builds
Change-Id: I6c1eb2d49263ccc391101c588e2a3e87c3f17301
2022-12-13 09:27:52 +00:00
Yi-Yo Chiang
d59c75884d
overlayfs: Rules for mounting overlays from second stage init
...
Overlayfs failed to mount during second stage init because init is
lacking these permissions.
These permissions are asserted by the overlayfs driver during mount
operation, see fs/overlayfs/super.c:ovl_check_rename_whiteout
(https://source.corp.google.com/kernel-upstream/fs/overlayfs/super.c;l=1182;bpv=1;bpt=1)
Bug: 243501054
Test: adb remount && check that overlay is active after reboot
Change-Id: I258646b65a49487e6f22a6742ff59e9a0d57b5c0
2022-12-13 15:53:10 +08:00
Vikram Gaur
c25e37bf4d
Merge "Add Google specific module for RKPD for sepolicy." am: aa4667290b
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2341511
Change-Id: I5c0b036e297556eaa4475197e0bf63053d50ab96
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-13 07:04:51 +00:00
Vikram Gaur
aa4667290b
Merge "Add Google specific module for RKPD for sepolicy."
2022-12-13 06:45:32 +00:00
Jaewan Kim
a4bb5477a2
Merge "Allow crosvm to open test artifacts in shell_data_file" am: 730c1cdd59
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2331903
Change-Id: I4fa6b53a7102d7f20e5ad3f9d263536edd561eff
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-13 02:46:57 +00:00
Treehugger Robot
2e61576bb0
Merge "Deprecate proc_fs_verity from API 33" am: 63b666d403
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2334064
Change-Id: I33d759dbff9a82229cf0de566b097a76af17ab73
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-13 02:46:18 +00:00
Jaewan Kim
730c1cdd59
Merge "Allow crosvm to open test artifacts in shell_data_file"
2022-12-13 02:17:02 +00:00
Treehugger Robot
63b666d403
Merge "Deprecate proc_fs_verity from API 33"
2022-12-13 02:01:30 +00:00
Ying Hsu
4a7cc656ff
Add a sysprop for initiating PHYs in LE create ext connection
...
This patch adds a sysprop to configure whether LE 1M PHY is the
only one used as initiating PHY in a LE Extended Create Connection
request.
Bug: 260677740
Tag: #floss
Test: Manual test - pairing with BLE mouse
Change-Id: I33dbf4093390015a17bffb25eed841d2cc2ad20a
2022-12-13 01:54:41 +00:00
Mikhail Naganov
2293f5eb0b
Add all supported instance names for audio IModule
...
In AIDL, there is no 'factory' interface for retrieving
modules, instead each module is registered individually
with the ServiceManager.
Bug: 205884982
Test: atest VtsHalAudioCoreTargetTest
Change-Id: I55cdae0640171379cda33de1534a8dc887583197
2022-12-13 01:17:46 +00:00
Paul Lawrence
b39cbc0856
Add ro.fuse.bpf.is_running
...
is_running flag signals to tests whether fuse-bpf is running
Test: Builds, runs, ro.fuse.bpf.is_running is correct, fuse-bpf works
Bug: 202785178
Change-Id: I0b02e20ab8eb340733de1138889c8f618f7a17fa
2022-12-12 17:08:13 -08:00
Chris Weir
affeb27854
Merge "Add permissions to allow iface up/down" am: 800a2c9f66
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2337704
Change-Id: I94e792fe126635083de056a7561d4b0e2a9d5194
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-13 01:05:40 +00:00
Chris Weir
800a2c9f66
Merge "Add permissions to allow iface up/down"
2022-12-13 00:18:00 +00:00
Chris Weir
1bcbc0b667
Add permissions to allow iface up/down
...
I need SIOCGIFFLAGS and SIOCSIFFLAGS in order to bring up/down
interfaces with AIDL CAN HAL.
Bug: 260592449
Test: CAN HAL can bring up interfaces
Change-Id: I67edaa857cffdf3c3fc9f3b17aad5879e09c6385
2022-12-12 14:30:15 -08:00
Akilesh Kailash
25f93bebf8
Merge "Virtual_ab: Add property to control batch writes" am: 64711e9de5
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2319231
Change-Id: Ied9880d6fe1e8c3e29693e5a6f2e804ba7b11d62
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-12 17:03:30 +00:00
Jiakai Zhang
36dc423a33
Merge "Allow artd to access primary dex'es in external and vendor partitions." am: 7269c1bfe9
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2345244
Change-Id: I4a54353c80cb8708d4ca5d494651031fbf58b312
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-12 17:02:46 +00:00
Akilesh Kailash
64711e9de5
Merge "Virtual_ab: Add property to control batch writes"
2022-12-12 16:39:00 +00:00
Jiakai Zhang
7269c1bfe9
Merge "Allow artd to access primary dex'es in external and vendor partitions."
2022-12-12 16:32:37 +00:00
Jiakai Zhang
5e531051b6
Allow artd to access primary dex'es in external and vendor partitions.
...
Otherwise, we will get SELinux denials like:
W binder:6098_5: type=1400 audit(0.0:138): avc: denied { search } for name="framework" dev="dm-6" ino=478 scontext=u:r:artd:s0 tcontext=u:object_r:vendor_framework_file:s0 tclass=dir permissive=0
Bug: 262230400
Test: No longer see such SELinux denials.
Change-Id: Ic31fdabb16341c51466531c88ca040698331b248
2022-12-12 14:28:40 +00:00
Seungjae Yoo
dcd7053835
Merge "Cleanup ro.boot.microdroid.app_debuggable" am: 2ca7ebd8a2
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2337083
Change-Id: I1b97d2756311f8bfd739f685d354a444e4755b78
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-12 00:52:59 +00:00
Seungjae Yoo
2ca7ebd8a2
Merge "Cleanup ro.boot.microdroid.app_debuggable"
2022-12-12 00:16:58 +00:00
Akilesh Kailash
5fa04f20f5
Virtual_ab: Add property to control batch writes
...
Bug: 254188450
Test: OTA
Change-Id: I43c35859e98e449a45164b4d55db43b63ddbaba8
Signed-off-by: Akilesh Kailash <akailash@google.com>
2022-12-11 16:14:47 +00:00
Vikram Gaur
d7a1aaf108
Add Google specific module for RKPD for sepolicy.
...
Google is added to the package names to differentiate the Google
specific modules from AOSP modules. This causes RKPD Google module to
not get proper permissions since we permit only AOSP module currently.
Test: Tested on Pixel 7 device
Change-Id: Ia7c39ef85cedf20f705c27a5944b6f87f786cc1b
2022-12-11 09:49:08 +00:00
Treehugger Robot
b8d9f90195
Merge "Remove netdomain from Microdroid" am: d838f6443e
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2329716
Change-Id: I766fea3d336f3c825fa58d2b048bf94acab0cb72
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-10 07:28:07 +00:00
Treehugger Robot
d838f6443e
Merge "Remove netdomain from Microdroid"
2022-12-10 06:57:54 +00:00
Jaewan Kim
7b843d4ebf
Allow crosvm to open test artifacts in shell_data_file
...
Test: Try to open /data/local/tmp/a from crosvm
Bug: 260802656, Bug: 243672257
Change-Id: I90e2fe892f1028ea5add91a41389e2f7e812f988
2022-12-10 11:34:42 +09:00