Florian Mayer
360ddf5583
[MTE] Add property to specify default MTE mode for apps.
...
Bug: 216305376
Change-Id: I9374c8681510037279deaf3e5ae011e8f9111f17
2022-02-09 22:13:59 +00:00
Christine Franks
c98bde94c4
Merge "Add uhid_device to system_server"
2022-02-08 17:13:32 +00:00
Treehugger Robot
0fc6fae857
Merge "Rename property for default MTE mode."
2022-02-08 16:47:32 +00:00
Treehugger Robot
e335de9aeb
Merge "Allow reading hypervisor capabilities"
2022-02-08 11:49:33 +00:00
Treehugger Robot
2e468b48c5
Merge "bpfloader: use kernel logs"
2022-02-08 10:51:39 +00:00
Treehugger Robot
d83aba62f6
Merge "Allow priv-app to report off body events to keystore."
2022-02-07 23:46:05 +00:00
Steven Moreland
233d4aabf6
bpfloader: use kernel logs
...
Boots early. logd no workie!
Bug: 210919187
Test: see bpfloader logs
Change-Id: I313f55b0a6e1164fdffeb2d07952988d5e560ae7
2022-02-07 23:16:55 +00:00
Josh Yang
8be76c8e5c
Allow priv-app to report off body events to keystore.
...
Bug: 183564407
Test: the selinux error is gone.
Change-Id: I6783528a0ca6c94781b6c12d96ffebbfe8b25594
Merged-In: If40c2883edd39bee8e49e8e958eb12e9b29a0fe0
2022-02-07 22:42:51 +00:00
Florian Mayer
6020c42f2b
Rename property for default MTE mode.
...
This was requested in aosp/1959650.
Change-Id: I96f8771a39606b0934e4455991a6a34aea40235b
2022-02-07 11:27:20 -08:00
Alan Stokes
55803ca572
Allow reading hypervisor capabilities
...
System server needs to do this to know whether a suitable VM for
CompOS can be created. System server does not need the ability to
actually start a VM, so we don't grant that.
Bug: 218276733
Test: Presubmits
Change-Id: Ibb198ad55819aa924f1bfde68ce5b22c89dca088
2022-02-07 11:33:18 +00:00
shubang
a1b9f186fb
SE policy: rename iapp -> interactive_app
...
Bug: 205738783
Test: cuttlefish
Change-Id: I15fd60a2dba79dd5e2a3cf57ed542e5a930680f1
Merged-In: I15fd60a2dba79dd5e2a3cf57ed542e5a930680f1
2022-02-07 07:54:32 +00:00
Inseob Kim
b20cb78404
Neverallow domains other than VS from executing VM
...
Bug: 216610937
Test: atest MicrodroidTests
Change-Id: I2ecea6974cb6650f8a7aa8b706ae38e1822805cd
2022-02-07 09:42:21 +09:00
Treehugger Robot
b289dc4d1d
Merge "Grant system_app permission to access cgroup_v2 directories"
2022-02-04 19:26:00 +00:00
Christine Franks
639c48d146
Add uhid_device to system_server
...
Bug: 217275682
Change-Id: I1ae74868344da290727df2474712b8b6ad2efdd7
Test: n/a
2022-02-04 15:13:43 +00:00
Treehugger Robot
7b7a42e6cf
Merge "bluetooth.device.class_of_device should be type string"
2022-02-04 00:38:52 +00:00
Seth Moore
a75cad0d0a
Add remotely provisioned key pool se policy
...
Keystore now hosts a native binder for the remotely provisioned key
pool, which is used by services such as credstore to look up remotely
provisioned keys.
Add a new service context and include it in the keystore services.
Add a dependency on this new service for credstore. Also include a
credstore dependency on IRemotelyProvisionedComponent, as it's needed
to make use of the key pool.
Bug: 194696876
Test: CtsIdentityTestCases
Change-Id: I0fa71c5be79922a279eb1056305bbd3e8078116e
2022-02-02 15:07:26 -08:00
Sal Savage
724381a97a
bluetooth.device.class_of_device should be type string
...
Bug: 217452259
Test: Manual, set property in system.prop, build, flash, make sure value
is reflected in getprop | grep bluetooth.device
Change-Id: Id4bfebb4da5bcd64ea4bac8e3c9e9754c96256c6
2022-02-02 14:13:41 -08:00
Bart Van Assche
be3ff9b93a
Grant system_app permission to access cgroup_v2 directories
...
Without this change, the migration of the blkio controller to the cgroup
v2 hierarchy triggers the following denials:
01-31 19:00:59.086 4494 4494 I auditd : type=1400 audit(0.0:7): avc: denied { write } for comm=4173796E635461736B202331 name="pid_4494" dev="cgroup2" ino=3545 scontext=u:r:system_app:s0 tcontext=u:object_r:cgroup_v2:s0 tclass=dir permissive=0
01-31 19:00:59.086 4494 4494 I auditd : type=1400 audit(0.0:8): avc: denied { write } for comm=4173796E635461736B202331 name="pid_4494" dev="cgroup2" ino=3545 scontext=u:r:system_app:s0 tcontext=u:object_r:cgroup_v2:s0 tclass=dir permissive=0
01-31 19:00:59.086 4494 4494 I auditd : type=1400 audit(0.0:7): avc: denied { write } for comm=4173796E635461736B202331 name="pid_4494" dev="cgroup2" ino=3545 scontext=u:r:system_app:s0 tcontext=u:object_r:cgroup_v2:s0 tclass=dir permissive=0
01-31 19:00:59.086 4494 4494 I auditd : type=1400 audit(0.0:8): avc: denied { write } for comm=4173796E635461736B202331 name="pid_4494" dev="cgroup2" ino=3545 scontext=u:r:system_app:s0 tcontext=u:object_r:cgroup_v2:s0 tclass=dir permissive=0
Bug: 213617178
Test: Booted Android in the Cuttlefish emulator.
Change-Id: I20f136d5cd58fa4ebabbb5a328fc6001b11110d7
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-02-02 17:37:45 +00:00
Andrew Scull
7e07941d3d
Merge changes I82f0c2ef,I013894de
...
* changes:
Let VirtualizationService access hypervisor properties
Tag new hypervisor properties
2022-02-02 13:54:11 +00:00
Andrew Scull
792b03ddb5
Let VirtualizationService access hypervisor properties
...
VirtualizationService uses the properties to discover hypervisor
capabilities. Allow it access for this purpose.
Bug: 216639283
Test: build
Change-Id: I82f0c2ef30c8fb2eefcac1adf83531dd3917fdb8
2022-02-02 13:53:50 +00:00
Lalit Maganti
fb9d097d03
Merge "sepolicy: Allow system domains to be profiled"
2022-02-02 12:04:38 +00:00
Andrew Walbran
48cf9591f6
Merge "virtualizationservice no longer tries to check for pKVM extension."
2022-02-02 09:08:18 +00:00
Andrew Scull
87ac3c3f80
Tag new hypervisor properties
...
The properties that report hypervisor capabilities are grouped with the
other hypervisor properties for sepolicy.
Bug: 216639283
Test: build
Change-Id: I013894de637bb7e40a450df6439ebbd5cba28c2b
2022-02-01 18:17:10 +00:00
Andrew Walbran
2f27f96022
virtualizationservice no longer tries to check for pKVM extension.
...
This was fixed in https://r.android.com/1963701, as it never worked.
This partially reverts commit 2dd48d0400.
Change-Id: I6e7096e20fd594465fb1574b11d6fecc82f5d82f
2022-02-01 16:37:13 +00:00
Lalit Maganti
bb197bba02
sepolicy: Allow system domains to be profiled
...
Bug: 217368496
Doc: go/field-tracing-t
Change-Id: Ie95c0cc2b1f9e8fa03f6112818936af692edf584
2022-02-01 16:27:26 +00:00
Treehugger Robot
108fdbc5f7
Merge "Adds selinux rules for ICarDisplayProxy service"
2022-01-31 21:52:46 +00:00
Changyeon Jo
66eba13833
Adds selinux rules for ICarDisplayProxy service
...
Bug: 170401743
Test: m -j selinux_policy
Change-Id: Idf3f09d0bcf24de18d6eddb05e51991b4c5edbe8
2022-01-31 19:40:20 +00:00
Thiébaud Weksteen
79ff061802
Merge "Grant getpgid to system_server on zygote"
2022-01-30 21:59:04 +00:00
Huihong Luo
9b82051367
Merge "Migrate screenshot methods to AIDL"
2022-01-29 21:17:18 +00:00
Etienne Ruffieux
f3acf42a4c
Merge "Bluetooth boot time start service"
2022-01-28 20:13:35 +00:00
Treehugger Robot
d3d214482f
Merge "Move pf_key socket creation permission to system_server"
2022-01-28 19:01:36 +00:00
Robert Shih
d70f0af2bf
Merge "Add sepolicy for DRM AIDL HAL"
2022-01-28 18:40:53 +00:00
Ken Chen
1aed006a77
Move pf_key socket creation permission to system_server
...
Allow system_server to trigger the kernel synchronize rcu with open and
close pf_key socket. This action was previously done by netd but now
it needs to be done by system_server instead because the handling code in
netd is moved to a mainline module which will be loaded by system_server
in JNI mode.
Note: the permission will be removed from netd once all bpf interactions
have moved out of netd.
Bug: 202086915
Test: android.app.usage.cts.NetworkUsageStatsTest
android.net.cts.TrafficStatsTest
Change-Id: I440e0c87193775115a9b9ffb19270c47b01b082e
2022-01-28 17:12:51 +01:00
Etienne Ruffieux
cdd0c11743
Bluetooth boot time start service
...
Added new sysprops to retrieve Bluetooth configs
Tag: #feature
Test: manual
Bug: 216497194
Change-Id: I94c771f87fdeb5497b81d2098193b4cd230654b6
2022-01-28 14:44:15 +00:00
Lalit Maganti
34fb0d8933
Merge "sepolicy: add permissions for trace reporting"
2022-01-28 12:15:57 +00:00
Thiébaud Weksteen
6390b3f090
Grant getpgid to system_server on zygote
...
Should system_server kill zygote on crashes, it will attempt to kill any
process in the same process group. This ensures that no untracked
children are left.
Bug: 216097542
Test: m selinux_policy
Change-Id: Ie16074f76e351d80d9f17be930a731f923f99835
2022-01-28 13:47:20 +11:00
Treehugger Robot
27416257f3
Merge "Changes in SELinux Policy for cloudsearch API naming"
2022-01-28 01:45:02 +00:00
Hui Wu
42d24fd59d
Changes in SELinux Policy for cloudsearch API naming
...
Bug: 216507592
Test: Presubmit Tests
Change-Id: I5aa647d146cfea0b44efb4c247d9856e0666ea86
2022-01-27 13:42:17 -08:00
Robert Shih
4968374205
Add sepolicy for DRM AIDL HAL
...
Bug: 208486736
Test: atest VtsAidlHalDrmTargetTest
Change-Id: Ia2b1488a564d94384d183d30291fbf5a6d2df4ab
2022-01-27 01:51:05 -08:00
Sal Savage
568662f953
Add sepolicy for new bluetooth device/profile sysprops
...
Bug: 215225542
Test: make -j; atest BluetoothInstrumentationTests
Change-Id: Ia532eca413a778b46ea392586d7affc2fd43b90b
2022-01-26 13:09:17 -08:00
Treehugger Robot
6003019fa8
Merge "Move mtectrl to private"
2022-01-26 09:30:59 +00:00
Inseob Kim
3bd63cc206
Move mtectrl to private
...
Because mtectrl is a system internal domain, and we don't need to expose
the type to vendor.
Test: build and boot
Change-Id: Idb5c4a4c6f175e338722971944bf08ba99835476
2022-01-26 08:59:55 +09:00
Florian Mayer
0f30f3d8ff
Merge "[mte] add property to globally enable mte."
2022-01-25 23:59:01 +00:00
Treehugger Robot
fabaac131a
Merge "Delete more unused policies by CompOS"
2022-01-25 20:54:41 +00:00
Florian Mayer
be3197c996
[mte] add property to globally enable mte.
...
Bug: 216305376
Change-Id: I25d0b3c9d0e7e6bba14eedf9b833c5e07786ec71
2022-01-25 17:21:58 +00:00
Victor Hsieh
ea38d6925d
Delete more unused policies by CompOS
...
Bug: 205750213
Test: TH
Change-Id: Ie08465e8801a74d61f85715e85a856293c4232d5
2022-01-25 08:40:46 -08:00
Etienne Ruffieux
0a19dbdcd3
Merge "Added new context declaration for Bluetooth configs"
2022-01-25 14:00:08 +00:00
Seth Moore
883c50c443
Merge "Add keystore2 permission to get attestation keys"
2022-01-25 13:11:34 +00:00
Treehugger Robot
d9befdb685
Merge "Add use_bionic_libs macro"
2022-01-25 04:37:07 +00:00
Paul Hu
415a2f9b58
Merge "Add sepolicy for mdns service"
2022-01-25 02:35:42 +00:00