tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
45451 commits 1 branch 0 tags 50 MiB
Commit graph

614 commits

Author SHA1 Message Date
Jeff Pu
3c79af1f7c Face Virtual HAL lockout support 
Bug: 294254230
Test: atest android.hardware.biometrics.face.FakeLockoutTrackerTest
Change-Id: If7fb024b2ab5d017f5255edf484c487f5406bb9b
 2023-12-19 13:28:25 -05:00
Avichal Rakesh
728e475da0 Allow more AIDL Camera Provider versions 
The current sepolicy only allows V1 of AIDL CameraProvider
services. This CL updates the regex to allow for future
versions as well.

Bug: 314912354
Test: Verified by vendor
Change-Id: I80351a8bb7c2538c4ad1e0d418ea7a718d60be05
 2023-12-12 09:37:28 -08:00
Chienyuan Huang
2e19c7632e Add bluetooth ranging hal 
Bug: 310941161
Test: make
Change-Id: I9b2bc9d945b016361f44a5600c61ed2795c00622
 2023-12-08 09:37:17 +00:00
kuanyuhuang
8826540b4b Add bluetooth finder service sepolicy 
Bug: 314360499
Test: atest vts_treble_vintf_vendor_test
Change-Id: Ie15b2bfcd488b215d197be685a4a7571aff639e5
 2023-12-07 00:51:43 +00:00
Shikha Panwar
2838e84381 Merge "Secretkeeper/Sepolicy: Create required domains" into main 2023-11-21 17:56:46 +00:00
Shikha Panwar
59c970703b Secretkeeper/Sepolicy: Create required domains 
Add sepolicies rules for Secretkeeper HAL & nonsecure service
implementing the AIDL.

Test: atest VtsHalSkTargetTest & check for Selinux denials
Bug: 293429085
Change-Id: I907cf326e48e4dc180aa0d30e644416d4936ff78
 2023-11-21 12:29:18 +00:00
Kiyoung Kim
6149e5238f Correct path of android.hidl.memory@1.0-impl.so 
Current sepolicy expects the library located under /vendor/lib(64), but
the actual location of the library is /vendor/lib(64)/hw, as it defines
relative path 'hw'. This change corrects location of
android.hidl.memory@1.0-impl.so, so it can be labeled with
same_process_hal_file as expected.

Bug: 311298012
Test: Failing test passed over ABTD
Change-Id: Ib84dbde0742716d399f04ce8ec11a0c4f24be8b0
 2023-11-17 09:41:40 +09:00
Keith Mok
df794b4590 SEPolicy for AIDL MACSEC HAL 
Bug: 254108688
Test: AIDL MACSEC HAL VTS
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fba6480fa08001a36faf524d0a6952f29d916a6b)
Change-Id: I5ccaa24c6b9600713bbc0e4c523822567b64c662
 2023-11-03 21:29:48 +00:00
Hasini Gunasinghe
daa1cec849 Merge "Add sepolicy for non-secure AuthGraph impl" into main 2023-11-01 16:27:51 +00:00
Treehugger Robot
cbe6fed87f Merge "To allow drm_clear_key_aidl hal to access mediacodec" into main 2023-10-27 18:45:24 +00:00
David Drysdale
c4ab01baad Add sepolicy for non-secure AuthGraph impl 
Bug: 284470121
Bug: 291228560
Test: hal_implementation_test
Test: VtsAidlAuthGraphSessionTest
Change-Id: I85bf9e0656bab3c96765cc15a5a983aefb6af66d
 2023-10-26 02:00:43 +00:00
Arun Johnson
dae1783848 To allow drm_clear_key_aidl hal to access mediacodec 
Bug: 305163559
Change-Id: Iad16fd34c0b8f7071b43ae7fc19215319c8c9d82
 2023-10-23 17:10:28 +00:00
Changyeon Jo
561930c06b Update hal_evs_default policy 
- Allow to access writable graphics properties.
- Allow to perform binder IPC.

Bug: 303581276
Test: m -j selinux_policy
Change-Id: I02c8ccd416172e5f6c17eff6573137dd4a8147c7
 2023-10-12 20:31:07 +00:00
Wonsik Kim
a981983e70 C2 AIDL sepolicy update 
Bug: 251850069
Test: presubmit
Change-Id: Ica39920472de154aa01b8e270297553aedda6782
 2023-09-06 14:30:26 -07:00
Yu Shan
df5cd6fe19 Allow remoteaccess V2 and VHAL v2/v3. 
Test: None
Bug: 297271235
Change-Id: Icc6dbb007c50db6d8adf492726365fdc34a60e78
 2023-08-23 17:20:15 -07:00
Kangping Dong
fce4ea7adf [Thread] add missing ioctl permission for ot_rcp 
Otherwise, it throws permission denied error:
```
avc:  denied  { ioctl } for  path="/dev/pts/0" dev="devpts" ino=3 ioctlcmd=0x5401 scontext=u:r:ot_rcp:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0
```

Test: locally tested that this can fix the denied issue
Bug: 296969044
Change-Id: Ica28214693794b969138212ddb3d19f0dcc34bcf
 2023-08-22 07:46:35 +00:00
Devika Krishnadas
d4908949ef Merge "Add label for allocator 2 service" into main 2023-07-20 18:36:23 +00:00
Devika Krishnadas
c850a596b9 Add label for allocator 2 service 
Bug: 287353739

Change-Id: Ia78237361acac4b668d87ec94746e43945f58bbf
Signed-off-by: Devika Krishnadas <kdevika@google.com>
 2023-07-19 20:20:52 +00:00
Kiyoung Kim
0c3a3fd799 Label former VNDK-SP libraries in vendor as sphal 
When VNDK is being deprecated, former VNDK-SP libraries should be loaded
from vendor when system process uses SP-HAL, but this currently fails
because all former VNDK-SP libraries will be marked as vendor library.
This change labels former VNDK-SP libraries installed in the vendor
partition as same labels with SP-HAL libraries so it can be loaded from
system processes.

Bug: 291673098
Test: aosp_cf boot succeded with KEEP_VNDK=false build flag.
Change-Id: I2601ae8e7acd5bbd16fdbe6cee078dfcaa1a5aa2
 2023-07-19 14:13:06 +09:00
Zhanglong Xia
b2d1fbb7b2 Add sepolicy rules for Thread Network HAL 
Bug: b/283905423
Test: Build and run the Thread Network stack in Cuttlefish.
Change-Id: I783022c66b80274069f8f3c292d84918f41f8221
 2023-06-30 10:56:38 +08:00
Jeff Pu
1e09f2ebf7 Allow hal_fingerprint_default to have pipe read access 
Bug: 284488745
Test: atest BiometricsE2eTests:BiometricPromptAuthSuccessTest
Change-Id: Ie69193964232b1a6b97877c650182fcdcd5b2cea
 2023-06-09 13:56:28 +00:00
Peiyong Lin
54229d8157 Allow graphics_config_writable_prop to be modified. 
vendor_init needs to set graphics_config_writable_prop, moving it to
system_public_prop.

Bug: b/270994705
Test: atest CtsAngleIntegrationHostTestCases
Test: m && boot
Change-Id: I2f47c1048aad4565cb13d4289b9a018734d18c07
 2023-05-04 15:56:33 +00:00
Yu Shan
9eb72464b5 Define sepolicy for ivn HAL. 
Test: manually verify ivn HAL on gcar_emu.
Bug: 274139217
Change-Id: Ie12dccb723078d83b561c152cc4458e52c0f8090
 2023-04-10 17:42:51 -07:00
Changyeon Jo
89380c19c8 Allow EVS HAL to access graphics related properties 
EVS Display HAL needs to access graphics related properties to configure
a pipeline to render the contents of graphics buffers.

Bug: 274695271
Test: m -j selinux_policy
Change-Id: I97a8a3f35f7118325cff9a8ae69485c0f73fe17f
 2023-03-23 22:26:42 +00:00
Alice Wang
5e94b1698c [dice] Remove all the sepolicy relating the hal service dice 
As the service is not used anywhere for now and in the near future.

Bug: 268322533
Test: m
Change-Id: I0350f5e7e0d025de8069a9116662fee5ce1d5150
 2023-02-24 08:34:26 +00:00
Treehugger Robot
22d25dcae4 Merge "Map AIDL Gatekeeper to same policy as HIDL version" 2023-02-14 17:48:17 +00:00
Cody Northrop
e4e43ebad8 Allow camera HAL to read EGL vendor properties 
Test: TreeHugger
Bug: b/267752967
Change-Id: I174420a3ef1f0059007616b4bee3091a888b1999
 2023-02-09 17:55:03 +00:00
David Drysdale
c9529ff336 Map AIDL Gatekeeper to same policy as HIDL version 
Bug: 268342724
Test: VtsHalGatekeeperTargetTest
Change-Id: Ifa90247753ae558f7bdb70cb4b4e494466cc457b
 2023-02-08 18:42:17 +00:00
Alistair Delva
e7fc603518 Merge "Add missing permissions for default bluetooth hal" 2023-01-18 22:16:06 +00:00
Lorenzo Colitti
b8194ca7fb Merge "Update SEPolicy for Tetheroffload AIDL" 2023-01-18 00:04:51 +00:00
Henri Chataing
9ff3423527 Add missing permissions for default bluetooth hal 
Test: launch_cvd
Bug: 205758693
Change-Id: Ie55352bbe48c5eef281a293bedc5aa057f5dcdad
Merged-In: Ie55352bbe48c5eef281a293bedc5aa057f5dcdad
 2023-01-12 19:02:57 +00:00
Nathalie Le Clair
98e20da831 Merge "HDMI: Refactor HDMI packages" 2023-01-10 17:05:17 +00:00
Treehugger Robot
6baccc1d8e Merge "EARC: Add Policy for EArc Service" 2023-01-04 03:30:47 +00:00
KH Shi
8ae99b5e5f Update SEPolicy for Tetheroffload AIDL 
Bug: b/205762647
Test: m
Change-Id: Iaf87e8a64a4a1af20f54e3c09c31d051acf549a1
 2023-01-04 11:28:47 +08:00
Venkatarama Avadhani
5a86d5f3f3 HDMI: Refactor HDMI packages 
Organize the HDMI packages into CEC, EArc and connection under a common
hdmi package.

Bug: 261729059
Test: atest vts_treble_vintf_framework_test
      atest vts_treble_vintf_vendor_test
Change-Id: Ief5bff996028775ea355b392a4028a091fb83b99
 2022-12-27 18:15:26 +05:30
Venkatarama Avadhani
0f0861af8f EARC: Add Policy for EArc Service 
Test: atest vts_treble_vintf_framework_test
      atest vts_treble_vintf_vendor_test
Bug: 240388105
Change-Id: I561f647a68553fa0134f2e1bd65b0f18dd1785f1
 2022-12-27 18:11:36 +05:30
Devin Moore
e632fc098a Allow biometrics hals to talk to the new AIDL sensorservice 
This is being used in libsensorndkbridge now, so permissions are
required.

Test: atest CtsCameraTestCases && adb logcat | grep avc
Bug: 205764765
Change-Id: Id416cc2f92ba82d4068376a5f4d076137aab086a
 2022-12-19 19:51:55 +00:00
Devin Moore
a2765f212f Allow audio HAL to talk to the new AIDL sensorservice 
This is being used in libsensorndkbridge now, so permissions are
required.

Test: m
Bug: 205764765
Change-Id: I6b0871bbcdff920d1d9dc9b66ec1236405f90fd8
 2022-12-19 19:50:57 +00:00
Devin Moore
2a724dd853 Allow camera to talk to the new AIDL sensorservice 
This is being used in libsensorndkbridge now, so permissions are
required.

Test: atest CtsCameraTestCases && adb logcat | grep avc
Bug: 205764765
Change-Id: I7a1569b8b4e2a21961f3950fa3947b5e20fc674b
 2022-12-19 19:50:31 +00:00
Yu Shan
aa3f997dcc Merge "Allow wider remote access names." 2022-12-15 01:51:46 +00:00
Mohi Montazer
3bbdd15ece Merge "SEPolicy updates for camera HAL" 2022-12-13 20:37:59 +00:00
Mohi Montazer
ad059403ad SEPolicy updates for camera HAL 
Updates SEPolicy files to give camera HAL permission to access
Android Core Experiment flags.

Example denials:
11-30 13:08:33.172  1027  1027 W binder:1027_3: type=1400 audit(0.0:7): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=152 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0
11-30 13:08:33.172  1027  1027 W binder:1027_3: type=1400 audit(0.0:8): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=152 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0
11-30 13:08:33.244  1027  1027 W 3AThreadPool:  type=1400 audit(0.0:9): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=152 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0

Bug: 259433722
Test: m
Change-Id: I11165b56d7b7e38130698cf86d9739f878580a14
 2022-12-13 09:52:04 -08:00
Chris Weir
800a2c9f66 Merge "Add permissions to allow iface up/down" 2022-12-13 00:18:00 +00:00
Chris Weir
1bcbc0b667 Add permissions to allow iface up/down 
I need SIOCGIFFLAGS and SIOCSIFFLAGS in order to bring up/down
interfaces with AIDL CAN HAL.

Bug: 260592449
Test: CAN HAL can bring up interfaces
Change-Id: I67edaa857cffdf3c3fc9f3b17aad5879e09c6385
 2022-12-12 14:30:15 -08:00
Chris Weir
caf905ff3c Merge "SEPolicy for AIDL CAN HAL" 2022-12-09 22:09:12 +00:00
Chris Weir
eee59458c2 SEPolicy for AIDL CAN HAL 
CAN HAL moving to AIDL, SEPolicy will need to be adjusted.

Bug: 170405615
Test: AIDL CAN HAL VTS
Change-Id: I0d238d38aebb5895ae27fcb52cf43cd481327421
 2022-12-09 11:00:10 -08:00
Gabriel Biren
52b5ff67b9 Update file_contexts for WiFi Vendor HAL 
AIDL service.

Bug: 205044134
Test: Manual test - check that AIDL service
      starts successfully on Cuttlefish
Change-Id: If6dbb20ca982b998485257e212aa4aa82749d23d
 2022-12-05 23:53:30 +00:00
Yu Shan
96c3b41113 Allow wider remote access names. 
Test: local test @v1-tcu-test-service.
Bug: 254547153
Change-Id: I82ed9e9e439913602e26042e357b5fa33338ef97
 2022-11-30 17:07:49 -08:00
Steven Moreland
c3802445d0 Merge "sepolicy for SE HAL" 2022-11-29 22:30:40 +00:00
Treehugger Robot
299ee9fb24 Merge "Add IAllocator-V2" 2022-11-15 23:13:42 +00:00