tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
41239 commits 1 branch 0 tags 50 MiB
Commit graph

1997 commits

Author SHA1 Message Date
Karthik Mahesh
52e5914ca4 Add sepolicy for ODP system server service. 
Bug: 236174677
Test: build
Change-Id: Ief208b795dd05ddaa406f50a5fa91f46fe52fd71
 2023-02-01 22:27:36 -08:00
Florian Mayer
e17c5905a6 Merge "[MTE] Add memory_safety_native_boot namespace" am: cbeec8f821 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2411338

Change-Id: I68c6e7830b622bcbd6d9f10527378183a53044ae
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-02-01 22:21:23 +00:00
Florian Mayer
cbeec8f821 Merge "[MTE] Add memory_safety_native_boot namespace" 2023-02-01 21:41:45 +00:00
Charles Chen
5317542847 Merge changes from topic "iso_compute" am: b36ecf6caa 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2390967

Change-Id: Ib84377f876f96dfcbac94bcee9a4a9c7cf408eed
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-02-01 18:29:18 +00:00
Charles Chen
b36ecf6caa Merge changes from topic "iso_compute" 
* changes:
  Add isolated_compute_app domain
  Share isolated properties across islolated apps
 2023-02-01 17:33:59 +00:00
Alex Hong
1abf80e5c1 Allow vendor_init to set properties for recovery/fastbootd USB IDs 
Bug: 211547922
Test: SELinuxUncheckedDenialBootTest
Test: Enter recovery/fastbootd mode
      $ lsusb -d 18d1:
Change-Id: Ibee1210c1a70a3165e70f9b3b57e11949e412c97
 2023-02-01 17:49:32 +08:00
Treehugger Robot
a2cb810593 Merge "Add selinux permissions for ro.usb.uvc.enabled" am: 11eb002e83 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2410787

Change-Id: Ie38aa8c6a5be43b53cd72214cd6f4fe16f872407
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-02-01 07:43:58 +00:00
Florian Mayer
94926f51df [MTE] Add memory_safety_native_boot namespace 
Bug: 267234468
Change-Id: I248fdf58a744f0c70a26d6a8f7d4caa0a6ce8edb
 2023-01-31 15:48:40 -08:00
Avichal Rakesh
a12d3103be Add selinux permissions for ro.usb.uvc.enabled 
This CL the selinux rules for the property ro.usb.uvc.enabled which will
be used to toggle UVC Gadget functionality on the Android Device.

Bug: 242344221
Bug: 242344229
Test: Manually tested that the property can only be read at runtime,
      not written to.
Change-Id: I0fd6051666d9554037acc68fa81226503f514a45
 2023-01-31 11:17:50 -08:00
Charles Chen
3d4a6b7474 Add isolated_compute_app domain 
Provides a new domain to enable secure sensitive data processing. This
allows processing of sensitive data, while enforcing necessary privacy
restrictions to prevent the egress of data via network, IPC or file
system.

Bug: 255597123
Test: m &&  manual - sample app with IsolatedProcess=True can use camera
service

Change-Id: I401667dbcf492a1cf8c020a79f8820d61990e72d
 2023-01-31 15:24:55 +00:00
Inseob Kim
1dba2f058a Merge "Add comments on compat files" am: beee8849a6 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2405373

Change-Id: I09be668bc0fe182d1a87c046c1002a865f7b9342
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-01-31 07:32:10 +00:00
Inseob Kim
338f81baac Add comments on compat files 
To prevent further confusion.

Bug: 258029505
Test: manual
Change-Id: Iaa145e4480833a224b1a07fc68adb7d3e8a36e4b
 2023-01-31 09:57:26 +09:00
Yuyang Huang
32788d6842 Blocks untrusted apps to access /dev/socket/mdnsd from U am: cfdea5f4f3 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2388478

Change-Id: I9cee4d4b5d13612b02f63b377d32efae99d3ca67
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-01-20 10:09:07 +00:00
Yuyang Huang
cfdea5f4f3 Blocks untrusted apps to access /dev/socket/mdnsd from U 
The untrusted apps should not directly access /dev/socket/mdnsd since
API level 34 (U). Only adbd and netd should remain to have access to
/dev/socket/mdnsd. For untrusted apps running with API level 33-, they
still have access to /dev/socket/mdnsd for backward compatibility.

Bug: 265364111
Test: Manual test
Change-Id: Id37998fcb9379fda6917782b0eaee29cd3c51525
 2023-01-20 15:25:46 +09:00
Jiakai Zhang
1373154885 Explicitly list "pm.dexopt." sysprops. am: 9bbc1c0e72 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2388479

Change-Id: Ia273f78fc603757969b4678767c2ea3b08f30520
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-01-19 06:27:43 +00:00
Jiakai Zhang
9bbc1c0e72 Explicitly list "pm.dexopt." sysprops. 
Bug: 256639711
Test: m
Change-Id: I5e6bd4fd8ec516a23f4e3a5658a651f04d40412c
 2023-01-19 12:07:25 +08:00
Alistair Delva
4b3d6db075 Merge "Add missing permissions for default bluetooth hal" am: e7fc603518 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2376448

Change-Id: Ib3ddc8e777f012d839e7881b9a383dddc99d67d7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-01-18 22:26:05 +00:00
Alistair Delva
e7fc603518 Merge "Add missing permissions for default bluetooth hal" 2023-01-18 22:16:06 +00:00
Treehugger Robot
e6b7e8aebf Merge "Allow mkfs/fsck for zoned block device" am: 9b69f0de58 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2390134

Change-Id: Ib7a44a32ce2ec9cc66c74b48e1c5566a6f35e349
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-01-18 16:12:04 +00:00
Jaegeuk Kim
b5f16b2392 Allow mkfs/fsck for zoned block device 
Zoned block device will be used along with userdata_block_device
for /data partition.

Bug: 197782466
Change-Id: I777a8b22b99614727086e72520a48dbd8306885b
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
 2023-01-17 17:59:28 -08:00
Lorenzo Colitti
d842a85d44 Merge "Update SEPolicy for Tetheroffload AIDL" am: b8194ca7fb 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2355402

Change-Id: Ie4aad80ff32164a962fa5f140db97be9c51776fe
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-01-18 00:13:12 +00:00
Lorenzo Colitti
b8194ca7fb Merge "Update SEPolicy for Tetheroffload AIDL" 2023-01-18 00:04:51 +00:00
Henri Chataing
9ff3423527 Add missing permissions for default bluetooth hal 
Test: launch_cvd
Bug: 205758693
Change-Id: Ie55352bbe48c5eef281a293bedc5aa057f5dcdad
Merged-In: Ie55352bbe48c5eef281a293bedc5aa057f5dcdad
 2023-01-12 19:02:57 +00:00
Xin Li
0ba8f8934a Merge tm-qpr-dev-plus-aosp-without-vendor@9467136 
Bug: 264720040
Merged-In: Id5f052116834034a9e4fd5c3adf17d3d7ef6610a
Change-Id: I84e152300ba7ece94e47e270eba1d7280a72343a
 2023-01-11 22:47:37 -08:00
Nathalie Le Clair
98e20da831 Merge "HDMI: Refactor HDMI packages" 2023-01-10 17:05:17 +00:00
Bill Yi
15ee6d11bc Merge TQ1A.230105.002 to aosp-master - DO NOT MERGE 
Merged-In: I9acac60411da6eee86246a9e375b35dfb61691d1
Merged-In: If343dba5dae2821fa345135abafb891e85be5574
Change-Id: Ia868a5a11f13d47bf11fbb21b3d5cee12d7c8c99
 2023-01-06 07:13:50 -08:00
Treehugger Robot
5efaa62b95 Merge "EARC: Add Policy for EArc Service" am: 6baccc1d8e am: 1791ca2220 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2320410

Change-Id: I7945e5044d54ba6a5f00524512c9153f0229242b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-01-04 04:27:27 +00:00
Treehugger Robot
6baccc1d8e Merge "EARC: Add Policy for EArc Service" 2023-01-04 03:30:47 +00:00
KH Shi
8ae99b5e5f Update SEPolicy for Tetheroffload AIDL 
Bug: b/205762647
Test: m
Change-Id: Iaf87e8a64a4a1af20f54e3c09c31d051acf549a1
 2023-01-04 11:28:47 +08:00
Venkatarama Avadhani
5a86d5f3f3 HDMI: Refactor HDMI packages 
Organize the HDMI packages into CEC, EArc and connection under a common
hdmi package.

Bug: 261729059
Test: atest vts_treble_vintf_framework_test
      atest vts_treble_vintf_vendor_test
Change-Id: Ief5bff996028775ea355b392a4028a091fb83b99
 2022-12-27 18:15:26 +05:30
Venkatarama Avadhani
0f0861af8f EARC: Add Policy for EArc Service 
Test: atest vts_treble_vintf_framework_test
      atest vts_treble_vintf_vendor_test
Bug: 240388105
Change-Id: I561f647a68553fa0134f2e1bd65b0f18dd1785f1
 2022-12-27 18:11:36 +05:30
Calvin Pan
2a53d04c95 Merge "Add grammatical_inflection service" am: f56dfeb2d4 am: ecdc4715bc 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2352743

Change-Id: I8a2a4412d17d6a044e9925ed35a287eb75f04a03
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-12-15 09:04:12 +00:00
Calvin Pan
f56dfeb2d4 Merge "Add grammatical_inflection service" 2022-12-15 07:38:01 +00:00
Avichal Rakesh
062567b1b3 Merge "cameraservice: Add selinux policy for vndk cameraservice." am: 95ecfc2f33 am: 5e5c23595e 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2346843

Change-Id: Ifa44e738457c8e8f3d4365804a87e690cca94da4
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-12-15 00:01:04 +00:00
Avichal Rakesh
95ecfc2f33 Merge "cameraservice: Add selinux policy for vndk cameraservice." 2022-12-14 22:49:47 +00:00
Avichal Rakesh
0febfbd952 cameraservice: Add selinux policy for vndk cameraservice. 
This CL adds a new cameraservice type to allow vendor clients of
cameraservice to query and find the stable cameraservice
implementation.

Bug: 243593375
Test: Manually tested that cameraservice can register a vendor facing
      instance.
Change-Id: I61499406d4811c898719abcb89c51b4b8a29f4a7
 2022-12-14 20:46:43 +00:00
Calvin Pan
a9b1c2299c Add grammatical_inflection service 
This new service is exposed by system_server and available to all apps.

Bug: 259175720
Test: atest and check the log
Change-Id: I522a3baab1631589bc86fdf706af745bb6cf9f03
 2022-12-14 05:22:53 +00:00
Mohi Montazer
da142c0d8b Merge "SEPolicy updates for camera HAL" am: 3bbdd15ece am: c7eba19ef9 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2338242

Change-Id: I6179821368e204896226970fab356577ca3f0699
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-12-13 21:29:50 +00:00
Mohi Montazer
3bbdd15ece Merge "SEPolicy updates for camera HAL" 2022-12-13 20:37:59 +00:00
Treehugger Robot
f97fd45474 Merge "sepolicy: Add Bluetooth AIDL" am: 8cce74d7e0 am: 920af49203 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2238140

Change-Id: Iccc5ae27c6e9c7320ac168e28e239ca6f250847c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-12-13 19:31:30 +00:00
Treehugger Robot
8cce74d7e0 Merge "sepolicy: Add Bluetooth AIDL" 2022-12-13 18:26:03 +00:00
Mohi Montazer
ad059403ad SEPolicy updates for camera HAL 
Updates SEPolicy files to give camera HAL permission to access
Android Core Experiment flags.

Example denials:
11-30 13:08:33.172  1027  1027 W binder:1027_3: type=1400 audit(0.0:7): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=152 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0
11-30 13:08:33.172  1027  1027 W binder:1027_3: type=1400 audit(0.0:8): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=152 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0
11-30 13:08:33.244  1027  1027 W 3AThreadPool:  type=1400 audit(0.0:9): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=152 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0

Bug: 259433722
Test: m
Change-Id: I11165b56d7b7e38130698cf86d9739f878580a14
 2022-12-13 09:52:04 -08:00
Treehugger Robot
f2183a72f4 Merge "Deprecate proc_fs_verity from API 33" am: 63b666d403 am: 2e61576bb0 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2334064

Change-Id: Ib2cf6c73645c285f8b07f4e18c25d2d562cb465b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-12-13 03:18:10 +00:00
Treehugger Robot
63b666d403 Merge "Deprecate proc_fs_verity from API 33" 2022-12-13 02:01:30 +00:00
Chris Weir
448cfc4fb0 Merge "SEPolicy for AIDL CAN HAL" am: caf905ff3c am: e640405f81 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2291528

Change-Id: I183f80e365e87aff1b5b5b21b59137b99984a8bd
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-12-10 01:17:51 +00:00
Chris Weir
caf905ff3c Merge "SEPolicy for AIDL CAN HAL" 2022-12-09 22:09:12 +00:00
Chris Weir
eee59458c2 SEPolicy for AIDL CAN HAL 
CAN HAL moving to AIDL, SEPolicy will need to be adjusted.

Bug: 170405615
Test: AIDL CAN HAL VTS
Change-Id: I0d238d38aebb5895ae27fcb52cf43cd481327421
 2022-12-09 11:00:10 -08:00
Victor Hsieh
90fa43e395 Deprecate proc_fs_verity from API 33 
Bug: 249158715
Test: lunch aosp_cf_x86_64_phone-eng; m
Test: TH
Change-Id: I29e4e0a4beb44b0ba66a4dd14266d04dae588df2
 2022-12-08 13:15:27 -08:00
Treehugger Robot
e3df03bc24 Merge "Add permissions for remote_provisioning service" am: 61d823f9c7 am: aeaf422fe5 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2263548

Change-Id: I3f9a414795d52f29fb436d80b9beb2911fda34a0
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-12-07 18:36:16 +00:00
Seth Moore
3accea479a Add permissions for remote_provisioning service 
Bug: 254112668
Test: manual + presubmit
Change-Id: I54d56c34ad4a8199b8aa005742faf9e1e12583c3
 2022-12-06 08:46:20 -08:00
Myles Watson
671a0c3bda sepolicy: Add Bluetooth AIDL 
Bug: 205758693
Test: manual - boot local image with Cuttlefish
Change-Id: Ic0c5408d83f8c352b72f79e9024212c7ff0c84c1
 2022-12-02 13:08:26 -08:00
Steven Moreland
48b2b2e79b Merge "sepolicy for SE HAL" am: c3802445d0 am: ab6bb503e9 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2285333

Change-Id: I2f259455750223b84731cd14b37671e5759373db
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-11-29 23:33:05 +00:00
Steven Moreland
c3802445d0 Merge "sepolicy for SE HAL" 2022-11-29 22:30:40 +00:00
Keir Fraser
901a778340 Merge "Adjust policy for hypervisor system properties" am: 255de93341 am: 6aea0833a1 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2314862

Change-Id: I3510f7513fe450c21099fa9cdac6606f5726fb34
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-11-24 13:40:18 +00:00
Keir Fraser
84bb5eeccb Adjust policy for hypervisor system properties 
1. Allow them to be configured by vendor_init.
2. Introduce a new system property
   hypervisor.memory_reclaim.supported, which is configured by
   vendor_init and accessed only by virtualizationservice, and is not
   as widely accessible as the existing hypervisor sysprops.

Bug: 235579465
Test: atest MicrodroidTests
Change-Id: I952432568a6ab351b5cc155ff5eb0cb0dcddf433
 2022-11-24 10:23:58 +00:00
Devin Moore
34ef290b1e Merge "Add sepolicy for new AIDL sensorservice" am: 45d8baf70d am: dce4fb0d63 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2292579

Change-Id: I8ecdfc673b39f53f2d21990c18066cf1016ad92c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-11-18 20:04:23 +00:00
Devin Moore
45d8baf70d Merge "Add sepolicy for new AIDL sensorservice" 2022-11-18 19:21:47 +00:00
Seth Moore
2cface3262 Merge "Add new appdomain for RKPD mainline app" am: dcef71f890 am: 121ad0534e 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2276971

Change-Id: I2f63a743771dd01b732a4bfe53e2de4ef856271c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-11-17 16:23:09 +00:00
Seth Moore
dcef71f890 Merge "Add new appdomain for RKPD mainline app" 2022-11-17 15:45:18 +00:00
Seth Moore
71fa94edae Add new appdomain for RKPD mainline app 
This app talks to the remote provisioning HALs, and therefore requires
access to the tee_device domain.

Bug: 254112668
Test: Manually verify rkpd can run and find remote provisioning hals
Change-Id: I876b0890f3d4e8956406d73e956084b99488ce56
 2022-11-16 12:55:31 -08:00
Chris Paulo
d22ef9a1ae system/sepolicy: Update prebuilts for adaptive haptics system prop am: 272f84ebb5 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/20469962

Change-Id: I45394ed8306e8654034bbcb201bde437bab2744d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-11-16 20:52:17 +00:00
Chris Paulo
272f84ebb5 system/sepolicy: Update prebuilts for adaptive haptics system prop 
Update prebuilts and api compat for the adaptive haptics restricted
system property.

Bug: 198239103
Test: Verified functionality
Ignore-AOSP-First: Prebuilts on top of aosp/2300027
Change-Id: I2e299053cc2ebdb5d69aa8d3551e602609daaeaf
Signed-off-by: Chris Paulo <chrispaulo@google.com>
 2022-11-16 17:12:30 +00:00
Steven Moreland
4c6586817a sepolicy for SE HAL 
Bug: 205762050
Test: N/A
Change-Id: I76cd5ebc4d0e456a3e4f1aa22f5a932fb21f6a23
 2022-11-15 22:41:09 +00:00
Pete Bentley
1ce5ed5d46 Update sepolicy prebuilts for PRNG seeder changes. 
Cherry-pick note: This contains the original AOSP change plus
an addition to private/compat/32.0/32.0.ignore.cil which
does not _appear_ to be required on AOSP and future releases
but is required for tm-dev.  If needed we can add this to
AOSP later.

Bug: 243933553
Test: m sepolicy_freeze_test
Change-Id: Idc011c66dfe71aa6c8dfdbc0b0377d2957571b83
Merged-In: Idc011c66dfe71aa6c8dfdbc0b0377d2957571b83
(cherry picked from commit 96268c6622)
(cherry picked from commit ff0cf6f2a8)
Merged-In: Idc011c66dfe71aa6c8dfdbc0b0377d2957571b83
 2022-11-15 01:50:27 +00:00
Devin Moore
e714ba95ed Add sepolicy for new AIDL sensorservice 
Test: boot cuttlefish and check for avc denials
Bug: 205764765
Change-Id: Ie9d02b43250ca3c5f642b2d87d2a5b532a9b5195
 2022-11-14 17:26:24 +00:00
Chris Paulo
ad2f883271 Add adaptive haptics restricted system property 
Create adaptive haptics system property to store adaptive haptics enable
state.

Bug: 198239103
Test: Verified system property usage
Change-Id: I5d4f0a5c8ec4a5b0ce18bc03a6d30879dd76d58b
Signed-off-by: Chris Paulo <chrispaulo@google.com>
 2022-11-14 09:20:56 +00:00
Sandeep Dhavale
d64fb55474 Merge "Fastboot AIDL Sepolicy changes" 2022-11-10 18:29:00 +00:00
Sandeep Dhavale
f0ea953e60 Fastboot AIDL Sepolicy changes 
Bug: 205760652
Test: Build & flash
Change-Id: I2709c5cc2ca859481aac6fecbc99fe30a52a668b
Signed-off-by: Sandeep Dhavale <dhavale@google.com>
 2022-11-09 22:21:27 +00:00
Lakshman Annadorai
4d277b7baa Revert "Add sepolicies for CPU HAL." 
This reverts commit f4ab6c9f3c.

Reason for revert: CPU HAL is no longer required because the CPU frequency sysfs files are stable Linux Kernel interfaces and could be read directly from the framework.

Change-Id: I8e992a72e59832801fc0d8087e51efb379d0398f
 2022-11-09 16:47:07 +00:00
Lakshman Annadorai
f4ab6c9f3c Add sepolicies for CPU HAL. 
Change-Id: Ia091bf8f597a25351b5ee33b2c2afc982f175d51
Test: Ran `m; emulator; adb logcat -b all -d > logcat.txt;`
      and verified CPU HAL is running without any sepolicy violation.
Bug: 252883241
 2022-11-04 18:13:00 +00:00
Alfred Piccioni
3e1dc57bf4 Add NTFS support in sepolicy. 
This CR, when paired with a functional NTFS implementation and the
corresponding vold updates, will allow NTFS USB drives to be mounted
on Android.

Bug: 254407246

Test: Extensive testing with NTFS USB drives.
Change-Id: I259882854ac40783f6d1cf511e8313b1d5a04eef
 2022-11-03 16:02:51 +01:00
Andrew Scull
2c818d9b32 Merge "Revert "Allow vendors to set remote_prov_prop properties"" 2022-11-01 13:11:03 +00:00
Andrew Scull
edba76d514 Revert "Allow vendors to set remote_prov_prop properties" 
This reverts commit a87c7be419.

Reason for revert: I was mistaken and this isn't a property that the vendor should set, but the OEM should override from the product partition. That doesn't require sepolicy changes.

Bug: 256109167
Change-Id: Idebfb623dce960b2b595386ade1e4c4b92a6e402
 2022-10-31 18:27:29 +00:00
Andrew Scull
c347dc28fa Merge "Allow vendors to set remote_prov_prop properties" 2022-10-28 11:35:49 +00:00
Andrew Scull
a87c7be419 Allow vendors to set remote_prov_prop properties 
Vendors should be able to set the `remote_provisioning.tee.rkp_only` and
`remote_provisioning.strongbox.rkp_only` properties via
PRODUCT_VENDOR_PROPERTIES so grant `vendor_init` the permission to set
them.

The property wasn't able to use `system_vendor_config_prop()` as
`remote_prov_app` has tests which override the properties.

Bug: 256109167
Test: manual test setting the property from device.mk for cuttlefish
Change-Id: I174315b9c0b53929f6a11849efd20bf846f8ca29
 2022-10-28 10:07:54 +00:00
Treehugger Robot
e6a43ec4c9 Merge "Add selinux rules for android.hardware.usb.gadget.IUsbGadget AIDL migration" 2022-10-27 14:03:48 +00:00
Ricky Niu
fc1463c164 Add selinux rules for android.hardware.usb.gadget.IUsbGadget AIDL migration 
Covers the rules needed for the default AIDL implementation.

10-26 10:22:42.408   448   448 I auditd  : type=1400 audit(0.0:95): avc: denied { read } for comm="android.hardwar" name="interrupts" dev="proc" ino=4026531995 scontext=u:r:hal_usb_gadget_default:s0 tcontext=u:object_r:proc_interrupts:s0 tclass=file permissive=0

Bug: 218791946
Test: reboot and check if AIDL service is running.

Signed-off-by: Ricky Niu <rickyniu@google.com>
Change-Id: I8bdab3a682398f3c7e825a8894f45af2a9b6c199
 2022-10-27 15:42:56 +08:00
Gabriel Biren
b7e21bcfe7 Merge "Add SeLinux policy for WiFi Vendor HAL AIDL service." 2022-10-25 17:03:10 +00:00
Henry Fang
0c3f615602 Merge "Allow CAS AIDL sample HAL" 2022-10-25 16:38:20 +00:00
Gabriel Biren
e310ef8163 Add SeLinux policy for WiFi Vendor HAL AIDL service. 
Bug: 205044134
Test: Manual - reboot phone and check if AIDL
      service is running.
Change-Id: I242e6ef860d2defdb0ab0a3d649b2a4e3f0de5a6
 2022-10-19 16:34:56 +00:00
Shraddha Basantwani
bacf949002 Allow CAS AIDL sample HAL 
Bug: 230377377, 227673974
Test: manual
Change-Id: Ied6822d8114404b85dbed56ae4806de1bfb43e54
 2022-10-12 19:42:20 +05:30
Venkatarama Avadhani
38ff3b4115 Add policies for new services HDMI and HDMICEC 
Test: atest vts_treble_vintf_framework_test
      atest vts_treble_vintf_vendor_test
Change-Id: Ic2c0525368218e207be236d073a3fe736151c43f
 2022-10-10 15:40:42 +05:30
Peiyong Lin
33e03e09b4 Merge "Update SEPolicy for Thermal AIDL" 2022-10-07 04:00:17 +00:00
Peiyong Lin
4a5d0f13c4 Update SEPolicy for Thermal AIDL 
Bug: b/205762943
Test: build and boot
Change-Id: I301b85dafbf8fbb1c4be388aa0291e22f4717c99
 2022-10-05 00:55:20 +00:00
Pete Bentley
ff0cf6f2a8 Update sepolicy prebuilts for PRNG seeder changes. 
Cherry-pick note: This contains the original AOSP change plus
an addition to private/compat/32.0/32.0.ignore.cil which
does not _appear_ to be required on AOSP and future releases
but is required for tm-dev.  If needed we can add this to
AOSP later.

Bug: 243933553
Test: m sepolicy_freeze_test
Change-Id: Idc011c66dfe71aa6c8dfdbc0b0377d2957571b83
Merged-In: Idc011c66dfe71aa6c8dfdbc0b0377d2957571b83
(cherry picked from commit 96268c6622)
 2022-10-04 15:02:53 +01:00
Steven Moreland
07c5387324 Merge "hidl2aidl: sepolicy changes for confirmationui aidl" 2022-10-03 19:10:31 +00:00
Neil Fuller
b9f8aad52c Merge changes I20b40cbe,Iac1bc330,I8d818342 
* changes:
  Limit processes that can change settings sysprops
  Add new type for system settings metadata
  Reduce use of exported_system_prop
 2022-09-27 23:01:26 +00:00
Neil Fuller
bbb00fa4cf Add new type for system settings metadata 
Add a new selinux type for a system property used to hold metadata about
the time zone setting system property. Although system settings are
world readable, the associated metadata only needs to be readable by the
system server (currently).

Bug: 236612872
Test: treehugger
Change-Id: Iac1bc3301a049534ea5f69edf27cd85443e6a92e
 2022-09-27 16:06:57 +00:00
Neil Fuller
0c4d8fff64 Reduce use of exported_system_prop 
Reduce use of "exported_system_prop" by defining 2 new (currently
identical) "locale_prop" and "timezone_prop" types for the system
properties that are for "global system settings". See the comments in
private/property_contexts for details.

Initially the rights of the new types should be identical to
exported_system_prop but they will be reduced with a follow-up commit to
enable easier rollback / progress to be made on related work.

Bug: 236612872
Test: treehugger
Change-Id: I8d818342023bc462376c091b8a522532ccaf15d3
 2022-09-27 16:05:54 +00:00
Subrahmanyaman
745efb4ced hidl2aidl: sepolicy changes for confirmationui aidl 
Sepolicy changes for confirmationui while converting from hidl
to aidl.

Bug: b/205760172
Test: run vts -m VtsHalConfirmationUIV1_0Target
Change-Id: Ib21038fd89789755b978489f5293725b221d86c4
 2022-09-23 19:00:15 +00:00
Amos Bianchi
3189fafa2a Add sepolicy for new module. 
Bug: b/241442337
Test: TH
Change-Id: Ia58e2d4b205638509545a0a2c356cd68862beb1f
 2022-09-23 10:40:47 -07:00
Pete Bentley
e6da3b80d1 Add SEPolicy for PRNG seeder daemon. 
Manual testing protocol:
* Verify prng_seeder daemon is running and has the
  correct label (via ps -Z)
* Verify prng_seeder socket present and has correct
  label (via ls -Z)
* Verify no SELinux denials
* strace a libcrypto process and verify it reads seeding
  data from prng_seeder (e.g. strace bssl rand -hex 1024)
* strace seeder daemon to observe incoming connections
  (e.g. strace -f -p `pgrep prng_seeder`)
* Kill daemon, observe that init restarts it
* strace again and observe clients now seed from new instance

Bug: 243933553
Test: Manual - see above
Change-Id: I0a7e339115a2cf6b819730dcf5f8b189a339c57d
 2022-09-22 15:13:20 +00:00
Yu Shan
e799e9284c Merge "Create selinux policy for remoteaccess HAL." 2022-09-22 01:17:00 +00:00
Weilin Xu
52546635b2 Applying new IBroadcastRadio AIDL 
Update Sepolicy for AIDL broadcast radio HAL. Ignore
fuzzer default AIDL implementation for now.

Bug: 170336130
Test: m -j
Change-Id: Ie55c08c6a721de1f8dc40acc81de68565f99f7d7
 2022-09-21 23:17:20 +00:00
Steven Moreland
5043c02262 Merge "hidl2aidl: conversion of gatekeeper hidl to aidl" 2022-09-21 21:26:01 +00:00
Reema Bajwa
396d34b7c8 Merge "Add SELinux changes for Credential Manager Service in system server Test: Built & Deployed on device locally." 2022-09-21 17:34:09 +00:00
Yu Shan
05a7389aa9 Create selinux policy for remoteaccess HAL. 
Will add fuzzer once the service is implemented.

Test: Run remoteaccess HAL on gcar_emu. Verify the service is running.
Bug: 241483300
Change-Id: I01b31a88414536ddd90f9098f422ae43a48cf726
 2022-09-20 18:09:49 -07:00
Anna Zhuravleva
2864a66331 Add sepolicy for Health Connect system service. 
Add selinux policy so the healthconnect system service
can be accessed by other processes.

Bug: 246961138
Test: build
Change-Id: I37e0e7f1a2b4696b18f8876a107c509d2906e850
 2022-09-20 17:14:35 +00:00
Reema Bajwa
5b57bfaf7e Add SELinux changes for Credential Manager Service in system server 
Test: Built & Deployed on device locally.

Change-Id: I892107ed528e0ca7435aa29a0fa1e6dbf4f225c5
 2022-09-19 17:51:06 +00:00
Subrahmanyaman
1d2a3fedcc hidl2aidl: conversion of gatekeeper hidl to aidl 
Conversion of the gatekeeper hidl interface to stable aidl interface.

Bug: 205760843
Test: run vts -m VtsHalGatekeeperTarget
Change-Id: I44f554e711efadcd31de79b543f42c0afb27c23c
 2022-09-19 17:43:26 +00:00