Treehugger Robot
3c03397821
Merge "Allow composd to delete ART staging files" am: 3a7e19c3d4
am: 87e317d603
am: b8386e1027
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1925960
Change-Id: I7a1fdfc7b86f8b3da065f4ce6a6faabf9edc396b
2022-01-04 11:43:29 +00:00
Andrew Walbran
3d0e9e4857
Merge "Add comment explaining why crosvm shouldn't be allowed to open files." am: d020fc05f3
am: 0ae5a68417
am: 9508489a72
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1925961
Change-Id: Ia8cea576cc80d5dbdc00e53f40308143f847c379
2022-01-04 11:43:20 +00:00
Treehugger Robot
3a7e19c3d4
Merge "Allow composd to delete ART staging files"
2022-01-04 11:13:55 +00:00
Andrew Walbran
d020fc05f3
Merge "Add comment explaining why crosvm shouldn't be allowed to open files."
2022-01-04 10:40:23 +00:00
Alan Stokes
ce6e2987de
Allow composd to delete ART staging files
If the directory is non-empty when we start we need to delete
everything in it, but didn't have enough access:
avc: denied { getattr } for
path="/data/misc/apexdata/com.android.art/staging/boot-framework.art"
dev="dm-37" ino=57755 scontext=u:r:composd:s0
tcontext=u:object_r:apex_art_staging_data_file:s0 tclass=file
permissive=0
Bug: 205750213
Test: create files in staging/, composd_cmd test-compile
Change-Id: I3a66db7f5fbff82abcf547cb1c2b24e9c53ab158
2022-01-04 09:14:05 +00:00
Jiyong Park
2ce78c5735
Merge "Allow virtualizationservice to check for PKVM extension" am: 0878ac4c47
am: 32c7795f17
am: d06a7c1749
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1934161
Change-Id: Ic3f7eca0ad39e1d56017314ab29abcc4074c86fa
2022-01-03 09:51:24 +00:00
Jiyong Park
0878ac4c47
Merge "Allow virtualizationservice to check for PKVM extension"
2022-01-03 09:30:05 +00:00
Jiyong Park
2dd48d0400
Allow virtualizationservice to check for PKVM extension
Bug: 210803811
Test: watch TH for all our tests
Change-Id: Iac4528fa2a0dbebeca4504469624f50832689f43
2022-01-03 14:59:58 +09:00
Maciej Żenczykowski
389fc497d0
Merge "[NC#3] clatd: remove raw and packet socket creation privs" am: 0f1b55ee24
am: 7d517a3712
am: b2425a8e56
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1903467
Change-Id: I2b3b6af74e202b53dbf3c9c343b83576511d81bb
2021-12-30 20:06:44 +00:00
Maciej Żenczykowski
0f1b55ee24
Merge "[NC#3] clatd: remove raw and packet socket creation privs"
2021-12-30 19:50:00 +00:00
Inseob Kim
9d7e9a3491
Merge "Allow app to get dck_prop"
2021-12-28 01:55:30 +00:00
Treehugger Robot
8bf0d2c1dc
Merge "Make surface_flinger_native_boot_prop a system_restricted_prop for ADPF" am: 96c5222c94
am: 6cd97931e3
am: be132f1e8a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1931900
Change-Id: If86a0c21131caf2fe880f82ee514e2da969639b6
2021-12-28 01:41:32 +00:00
Treehugger Robot
96c5222c94
Merge "Make surface_flinger_native_boot_prop a system_restricted_prop for ADPF"
2021-12-28 00:54:22 +00:00
Matt Buckley
964c68b02d
Make surface_flinger_native_boot_prop a system_restricted_prop for ADPF
Test: manual
Bug: b/195990840
Change-Id: Icb758c48a1faa8901a1d2c2c442451c42fc3b5b1
2021-12-27 18:24:12 +00:00
Andrew Walbran
8191dc07cc
Add comment explaining why crosvm shouldn't be allowed to open files.
Bug: 192453819
Test: No code change
Change-Id: Iebaa1db2e8eed81122e64999ef58b728e1bf95cc
2021-12-24 13:13:53 +00:00
Thierry Strudel
aa383c8bd3
Allow app to get dck_prop am: f4e3b06683
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/16530469
Change-Id: I87df425d523b3ed82abf5560cb63543287471222
2021-12-24 06:51:28 +00:00
Thierry Strudel
195149fcf8
Allow app to get dck_prop
Bug: 208742539
Test: gts-tradefed run gts -m GtsDckTestCases --log-level-display DEBUG
Merged-In: Ie3f7c54805b9947fd43fe5118fd4808b4744664d
Signed-off-by: Thierry Strudel <tstrudel@google.com>
Change-Id: Ie3f7c54805b9947fd43fe5118fd4808b4744664d
2021-12-24 06:50:53 +00:00
Thierry Strudel
f4e3b06683
Allow app to get dck_prop
Ignore-AOSP-First: Touches prebuilts/api/32.0/private/app.te
Bug: 208742539
Test: gts-tradefed run gts -m GtsDckTestCases --log-level-display DEBUG
Signed-off-by: Thierry Strudel <tstrudel@google.com>
Change-Id: Ie3f7c54805b9947fd43fe5118fd4808b4744664d
2021-12-24 06:22:31 +00:00
Devin Moore
6026ac4077
Merge "Add policy for new AIDL IR hal" am: 4f85138c08
am: 4e044e5893
am: 570c442620
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1886401
Change-Id: Id1f7af95e63981f4ae420e9ffe8959411dfb6a44
2021-12-22 22:20:10 +00:00
Devin Moore
4f85138c08
Merge "Add policy for new AIDL IR hal"
2021-12-22 21:44:17 +00:00
Hui Wu
82f06faacd
Merge "Changes in SELinux Policy for cloudsearch API" am: c66fb7aefc
am: 39e16393b7
am: 9f75793c0f
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1927577
Change-Id: I209b092bc400731a61847c5aa3852815888a6a1d
2021-12-17 04:06:19 +00:00
Hui Wu
c66fb7aefc
Merge "Changes in SELinux Policy for cloudsearch API"
2021-12-17 03:04:08 +00:00
Treehugger Robot
5fe9254482
Merge "zygote: Add setattr permission to cgroup" am: d831f2a2f5
am: ea5fa49446
am: 334d3c7c85
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1927857
Change-Id: I6c3858322dcac0ab8a738179aea6780e469dc639
2021-12-17 01:13:21 +00:00
Treehugger Robot
d831f2a2f5
Merge "zygote: Add setattr permission to cgroup"
2021-12-17 00:10:25 +00:00
Greg Kaiser
ed71842c6d
zygote: Add setattr permission to cgroup
Credit to Himanshu Agrawal <quic_hagraw@quicinc.com> for this fix.
Like we do with cgroup_v2, we set attribute permission to cgroup
as well.
Test: On a Go device, which uses cgroup instead of cgroup_v2
Bug: 211037424
Change-Id: I5d58c9f549d205f1a8bdce6c5fba1cc833f2b492
Merged-In: I5d58c9f549d205f1a8bdce6c5fba1cc833f2b492
2021-12-16 22:55:34 +00:00
Victor Hsieh
19ec555037
Merge "Allow composd to delete odrefresh target files" am: 5601d70743
am: e642210a9a
am: 969b41347c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1927358
Change-Id: Id416af36683f735562b74122ee27af9357ced964
2021-12-16 22:40:40 +00:00
Greg Kaiser
f62ef0d798
zygote: Add setattr permission to cgroup
Credit to Himanshu Agrawal <quic_hagraw@quicinc.com> for this fix.
Like we do with cgroup_v2, we set attribute permission to cgroup
as well.
Test: On a Go device, which uses cgroup instead of cgroup_v2
Bug: 209933729
Change-Id: I5d58c9f549d205f1a8bdce6c5fba1cc833f2b492
2021-12-16 14:14:29 -08:00
Victor Hsieh
5601d70743
Merge "Allow composd to delete odrefresh target files"
2021-12-16 21:45:43 +00:00
Treehugger Robot
01aca6282a
Merge "Add apexd_payload_metadata_prop" am: a6d6b6aee8
am: a4e0ed83dc
am: ebd1ff5b25
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1885013
Change-Id: I04921eee21ea7a5f1020c83ed560dd811d0562d4
2021-12-16 20:46:04 +00:00
Devin Moore
978b9e5d1c
Add policy for new AIDL IR hal
IR interface is converted to AIDL and this contains the necessary
permissions for the default service to serve the interface.
Test: atest VtsHalIrTargetTest hal_implementation_test
Test: check for permission issues after tests
Bug: 205000342
Change-Id: I8d9d81d957bf6ef3c6d815ce089549f8f5337555
2021-12-16 20:24:27 +00:00
Hui Wu
f3e29c7066
Changes in SELinux Policy for cloudsearch API
Bug: 210528288
Test: Presubmit Tests
Change-Id: I344d28a95bf7d466620fced9cc85b50bbfcd1947
2021-12-16 19:31:53 +00:00
Alan Stokes
2914610f17
Allow composd to delete odrefresh target files
We need to remove any existing files (and the directory) to allow
odrefresh in the VM to re-create them via authfs.
But we don't need, and shouldn't have, any other access to them.
Bug: 210460516
Test: composd_cmd async-odrefresh
Change-Id: Iaafe33934146a6b8dda7c28cc1239c2eed167379
2021-12-16 16:24:56 +00:00
Ramji Jiyani
dec6b44ee4
Merge "Add selinux context for /system_dlkm" am: e3f20ee1e6
am: aaa5919f26
am: 5efbce0fa1
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1899605
Change-Id: Ia23423b9cc4e45ff8fc65e9b1ac987a945bd5896
2021-12-16 03:39:05 +00:00
Richard Fung
0c7c2679b0
Add apexd_payload_metadata_prop
This should be read-only and corresponds to apexd.payload_metadata.path
Bug: 191097666
Test: android-sh -c 'setprop apexd.payload_metadata.path'
See permission denied
atest MicrodroidHostTestCases
Change-Id: Ifcb7da1266769895974d4fef86139bad5891a4ec
2021-12-16 03:00:06 +00:00
Ramji Jiyani
e3f20ee1e6
Merge "Add selinux context for /system_dlkm"
2021-12-16 02:41:25 +00:00
Etienne Ruffieux
6b40b2a548
Merge "Adding Bluetooth module sysprop" am: ac45ef86f5
am: b24560a1a3
am: 409e13a954
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1924341
Change-Id: I90173e9518b4c9ca9197e943bad3d97fd6604798
2021-12-15 20:33:32 +00:00
Etienne Ruffieux
ac45ef86f5
Merge "Adding Bluetooth module sysprop"
2021-12-15 19:14:41 +00:00
Etienne Ruffieux
9203c915d1
Adding Bluetooth module sysprop
Added Bluetooth sysprop to be able to remove calls to
SystemProperty.set in Bluetooth module.
Tag: #feature
Bug: 197210455
Test: set/get sysprop with SystemProperties
Merged-In: I8070a493fa082ddaa16cd793ed25ad99971950c0
Change-Id: Ia390bd8b3bb064fcae252edb6307e26f07bd53e7
2021-12-15 13:44:33 +00:00
Treehugger Robot
bd22ea499a
Merge "Allow compos_fd_server to create artifacts" am: afc596f8f8
am: 29a90d33cb
am: 3ad3f0b50c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1922442
Change-Id: If6cea92ebaccb027cab762722b8fd3351ca73dbe
2021-12-15 12:08:07 +00:00
Treehugger Robot
afc596f8f8
Merge "Allow compos_fd_server to create artifacts"
2021-12-15 11:09:24 +00:00
Treehugger Robot
497884ce80
Merge "Add rule for new gesture_prop." am: ac9f469ff0
am: 29be9a0edf
am: f3ece72da2
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1918579
Change-Id: I95521666de397326e70f296aa8abaf71ba77d388
2021-12-15 05:53:21 +00:00
Treehugger Robot
ac9f469ff0
Merge "Add rule for new gesture_prop."
2021-12-15 05:03:42 +00:00
Super Liu
078141a921
Add rule for new gesture_prop.
Bug: 209713977
Bug: 193467627
Test: local build and manual check.
Signed-off-by: Super Liu <supercjliu@google.com>
Change-Id: Ib1d2d6dcc7d6ddc6243c806a883d9252d7c081af
2021-12-15 09:32:01 +08:00
Jeff Vander Stoep
13fb51ea0b
Policy for using Apex sepolicy am: bc0fa66cbe
am: 00573254ac
am: f8dfd28b19
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1907858
Change-Id: Iaa5cbfb4efa17e048fd93167e6da9a77ef20b43e
2021-12-14 19:03:58 +00:00
Alan Stokes
8dc7800578
Allow compos_fd_server to create artifacts
Previously this was always done by odrefresh. But now we are running
odrefresh in the VM we need to allow FD server to do it as its proxy.
Bug: 209572241
Bug: 209572296
Test: composd_cmd forced-oderefresh
Change-Id: I4bc10d6a3ec73789721a0541f04dd7e3865fe826
2021-12-14 16:06:31 +00:00
Jeff Vander Stoep
bc0fa66cbe
Policy for using Apex sepolicy
Bug: 199914227
Test: aosp/1910032
Change-Id: I0726facbf0c28c486ef6501718a6013a040e4b0e
2021-12-14 13:54:03 +01:00
Treehugger Robot
9412cfc810
Merge "[NC#2] clatd: allow clatd access raw and packet socket inherited from netd" am: 7c5faaf3d2
am: 8d35437e6a
am: f419c0e3a4
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1903466
Change-Id: I12e337664f09b7661ad63f9824f0918a37c7b9de
2021-12-13 09:01:54 +00:00
Treehugger Robot
7c5faaf3d2
Merge "[NC#2] clatd: allow clatd access raw and packet socket inherited from netd"
2021-12-13 08:16:26 +00:00
Treehugger Robot
2880a5cd82
Merge "Add hal_vehicle_service for AIDL VHAL service." am: 885bc3ca66
am: e197d7519c
am: 908395f200
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1914197
Change-Id: I255ad9d053d2a217ec03d06b48229d2c337adfd8
2021-12-11 01:58:30 +00:00
Treehugger Robot
885bc3ca66
Merge "Add hal_vehicle_service for AIDL VHAL service."
2021-12-11 00:49:12 +00:00