Commit graph

32884 commits

Author SHA1 Message Date
Treehugger Robot
44cff45716 Merge "Allow microdroid_manager to write instance.img" am: c5cc2e9730
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1811876

Change-Id: Ie0c61c582b4ab934d213044e2f7719cf6aa4ebff
2021-09-01 09:49:53 +00:00
Treehugger Robot
c5cc2e9730 Merge "Allow microdroid_manager to write instance.img" 2021-09-01 09:38:41 +00:00
Jiyong Park
ee3661ef2b Allow microdroid_manager to write instance.img
Bug: 193504400
Test: atest MicrodroidHostTestCases
Change-Id: Icac8aa7e1badc90d2725c81e3c0f9594b7e18608
2021-08-31 17:14:09 +09:00
Tianjie
ade005f8dd Set context for partition.*.verified.root_digest properties.
This is requested by the partner engineer team to uniquely identify
a partition.

Bug: 197973981
Test: boot the device
Change-Id: Id0393698d730391eb8e438e424e527451f54d4ea
2021-08-30 17:13:51 -07:00
Roshan Pius
d5b3963233 Mark uwb apex data directory as system_server_data_dir am: 0f98b1c6bb
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1813957

Change-Id: I46e8c558d2a6a8ed350911e45045c4972df2e577
2021-08-30 21:27:03 +00:00
Roshan Pius
0f98b1c6bb Mark uwb apex data directory as system_server_data_dir
UWB stack needs to persist state inside its apex directory.

Denial logs:
08-30 19:44:53.670  1635  1635 W queued-work-loo: type=1400 audit(0.0:9):
avc: denied { write } for name="com.android.uwb" dev="dm-40" ino=206
scontext=u:r:system_server:s0 tcontext=u:object_r:apex_module_data_file:s0
tclass=dir permissive=0

Bug: 197963882
Test: Verified shared preferences file creation/write under uwb
apex data directory.

Change-Id: Ic4925822ca7e01cd23aea6805c80720f2a3db9d7
2021-08-30 13:03:08 -07:00
Roshan Pius
fbfb4a8b89 Allow uwb HAL client/server to talk to service manager am: 3015324460
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1811079

Change-Id: Ia652e5350fd0cf86ad8648a04c4d27f50bd06c50
2021-08-28 00:26:44 +00:00
Roshan Pius
3015324460 Allow uwb HAL client/server to talk to service manager
Denial logs:
08-27 21:43:18.716   801   801 W android.hardwar: type=1400 audit(0.0:4): avc:
denied { call } for scontext=u:r:hal_uwb_default:s0 tcontext=u:r:servicemanager:s0
tclass=binder permissive=0

Bug: 195308730
Test: Bootup default UWB HAL implementation on cuttlefish & verify UCI stack
can talk to the HAL.

Change-Id: I493af52513fd5b8f89d1375f80226ffa10c34f48
2021-08-28 00:01:59 +00:00
Ankita Vyas
e0d6c3604f Merge "Add selinux changes for Locale Manager Service" am: 7ac013be94
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1810459

Change-Id: Idd51d097ffd18b7e0f4c47e4e83221d24b787b94
2021-08-27 04:13:38 +00:00
Ankita Vyas
7ac013be94 Merge "Add selinux changes for Locale Manager Service" 2021-08-27 03:59:42 +00:00
Treehugger Robot
209b78ab83 Merge "sepolicy: Change UWB HAL from HIDL to versioned AIDL" am: d7fc7bd30b
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1809163

Change-Id: I423431ce2bee07fd3c2a968f4c59799b17fa71c6
2021-08-27 01:55:54 +00:00
Treehugger Robot
d7fc7bd30b Merge "sepolicy: Change UWB HAL from HIDL to versioned AIDL" 2021-08-27 01:45:00 +00:00
Roshan Pius
7076dfaa4f Merge "sepolicy: Add UWB HAL interface in AOSP" am: ea6c84b560
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1808158

Change-Id: I8168654bf875acbec024e8a2d144cbfb0486ef17
2021-08-27 00:37:05 +00:00
Roshan Pius
cd8333b53a sepolicy: Change UWB HAL from HIDL to versioned AIDL
No new HIDL HALs are allowed in Android T. UWB HAL converted to
versioned AIDL interface to be compliant.

Bug: 195308730
Test: Compiles
Change-Id: I35cf8edd244baa02778ee8eff46840ae26424869
2021-08-27 00:28:56 +00:00
Roshan Pius
ea6c84b560 Merge "sepolicy: Add UWB HAL interface in AOSP" 2021-08-27 00:25:17 +00:00
Treehugger Robot
b99ff7ee1b [automerger skipped] Merge "sepolicy: Rename hal_uwb -> hal_uwb_vendor" am: 0e88c8807f -s ours
am skip reason: Merged-In I7bf4794232604372134ea299c8e2a6ba14a801d3 with SHA-1 37ee61f663 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1808157

Change-Id: I91c8a1ba4b33a915380d3dc6d358ebe0642cdd76
2021-08-26 16:02:27 +00:00
Treehugger Robot
0e88c8807f Merge "sepolicy: Rename hal_uwb -> hal_uwb_vendor" 2021-08-26 15:51:45 +00:00
Ankita
623ece0386 Add selinux changes for Locale Manager Service
Test: build and booted device

Bug: 194094788

Change-Id: Ic3c1f135985a5003ed07a8da9dbd7a3f8b61ae71
2021-08-26 14:33:24 +00:00
Roshan Pius
37ee61f663 sepolicy: Rename hal_uwb -> hal_uwb_vendor
Since we are now creating an AOSP HAL for uwb, rename Pixel-specific
internal UWB HAL from Android S to hal_uwb_vendor to avoid conflicts
with the AOSP HAL sepolicy rules that are going to be added in
Android T.

Android S Architecture:
|Apps | AOSP API | Vendor Service | Vendor HAL Interface | Vendor HAL
Implementation | Vendor driver/firmware

Android T Architecture:
|Apps | AOSP API | AOSP Service | AOSP HAL Interface | Vendor HAL
Implementation | Vendor driver/firmware

Ignore-AOSP-First: Dependent changes in internal-only projects.

Bug: 195308730
Test: Compiles
Change-Id: I7bf4794232604372134ea299c8e2a6ba14a801d3
Merged-In: I7bf4794232604372134ea299c8e2a6ba14a801d3
(cherry picked from commit 40465250e4)
(cherry picked from commit 27ab309fad)
2021-08-26 05:20:39 +00:00
Treehugger Robot
28515dd083 Merge "sepolicy: Add new crypto type ro.crypto.type=managed" am: aedbe31acb
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1802147

Change-Id: I0e8e1faed5cc0cb92a4cae6debeb6d67a7430049
2021-08-26 04:51:40 +00:00
Treehugger Robot
aedbe31acb Merge "sepolicy: Add new crypto type ro.crypto.type=managed" 2021-08-26 04:37:37 +00:00
Treehugger Robot
43a5bb124a Merge "Allow Bluetooth to access system config" am: 2ce33d50bc
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1804066

Change-Id: I812dd99f043b63ddf8405bc19a76b78b58c95305
2021-08-25 13:52:20 +00:00
Treehugger Robot
2ce33d50bc Merge "Allow Bluetooth to access system config" 2021-08-25 13:40:12 +00:00
wescande
4b6a6aa861 Allow Bluetooth to access system config
The removal of the getSystemConfigEnabledProfilesForPackage
hidden API for the mainline project triggered a SEDenial:
```
avc: denied { read } for comm="droid.bluetooth" name="u:object_r:incremental_prop:s0" dev="tmpfs" ino=20229 scontext=u:r:bluetooth:s0 tcontext=u:object_r:incremental_prop:s0 tclass=file permissive=0
avc: denied { open } for comm="droid.bluetooth" path="/dev/__properties__/u:object_r:incremental_prop:s0" dev="tmpfs" ino=180 scontext=u:r:bluetooth:s0 tcontext=u:object_r:incremental_prop:s0 tclass=file permissive=0
avc: denied { getattr } for comm="droid.bluetooth" path="/dev/__properties__/u:object_r:incremental_prop:s0" dev="tmpfs" ino=180 scontext=u:r:bluetooth:s0 tcontext=u:object_r:incremental_prop:s0 tclass=file permissive=0
avc: denied { map } for comm="droid.bluetooth" path="/dev/__properties__/u:object_r:incremental_prop:s0" dev="tmpfs" ino=180 scontext=u:r:bluetooth:s0 tcontext=u:object_r:incremental_prop:s0 tclass=file permissive=0

avc: denied { read } for comm="droid.bluetooth" name="filesystems" dev="proc" ino=4026532079 scontext=u:r:bluetooth:s0 tcontext=u:object_r:proc_filesystems:s0 tclass=file permissive=0
avc: denied { open } for comm="droid.bluetooth" path="/proc/filesystems" dev="proc" ino=4026532079 scontext=u:r:bluetooth:s0 tcontext=u:object_r:proc_filesystems:s0 tclass=file permissive=0
avc: denied { getattr } for comm="droid.bluetooth" path="/proc/filesystems" dev="proc" ino=4026532079 scontext=u:r:bluetooth:s0 tcontext=u:object_r:proc_filesystems:s0 tclass=file permissive=0
```

Bug: 190440540
Test: Manual
Tag: #refactor
Change-Id: I86c77e540d783a4286a15cdf66b083aae1a55589
2021-08-25 12:33:00 +00:00
Roshan Pius
8a5370c5e4 sepolicy: Add UWB HAL interface in AOSP
Adding sepolicy rules for the AOSP HAL interface.

Ignore-AOSP-First: Dependent changes in internal-only projects.

Bug: 195308730
Test: Compiles
Change-Id: I56302b570a749f7d72b6fe8f4f4a8767ea4785c1
Merged-In: I56302b570a749f7d72b6fe8f4f4a8767ea4785c1
2021-08-24 20:10:21 -07:00
Roshan Pius
65e938e539 sepolicy: Rename hal_uwb -> hal_uwb_vendor
Since we are now creating an AOSP HAL for uwb, rename Pixel-specific
internal UWB HAL from Android S to hal_uwb_vendor to avoid conflicts
with the AOSP HAL sepolicy rules that are going to be added in
Android T.

Android S Architecture:
|Apps | AOSP API | Vendor Service | Vendor HAL Interface | Vendor HAL
Implementation | Vendor driver/firmware

Android T Architecture:
|Apps | AOSP API | AOSP Service | AOSP HAL Interface | Vendor HAL
Implementation | Vendor driver/firmware

Ignore-AOSP-First: Dependent changes in internal-only projects.

Bug: 195308730
Test: Compiles
Change-Id: I7bf4794232604372134ea299c8e2a6ba14a801d3
Merged-In: I7bf4794232604372134ea299c8e2a6ba14a801d3
2021-08-24 20:10:06 -07:00
Satoshi Niwa
dd9d2871d8 sepolicy: Add new crypto type ro.crypto.type=managed
This type is used when device encryption is managed by the host system.
(e.g. ARC++)
Please see b/136127632#comment10 for the reason why we introduce this.

Bug: 169207445
Test: m
Change-Id: I8c4eaa57389e591b2c520b59bb95408d43daf22c
2021-08-25 10:40:57 +09:00
Treehugger Robot
c71412f25d Merge "Add /dev/vsock permissions to microdroid" am: 037a21ba15
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1803958

Change-Id: Ifaa515ed48f079c80469b19ec94d43fd4dacfc1f
2021-08-24 23:50:22 +00:00
Treehugger Robot
037a21ba15 Merge "Add /dev/vsock permissions to microdroid" 2021-08-24 23:35:34 +00:00
Treehugger Robot
8f2d97beef Merge "Remove unnecessary privileges from dex2oat in VM" am: 56c495fca8
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1803110

Change-Id: I81244f58870f6eafedd5be3bfa10ed020854cd66
2021-08-24 20:40:01 +00:00
Treehugger Robot
56c495fca8 Merge "Remove unnecessary privileges from dex2oat in VM" 2021-08-24 20:23:09 +00:00
Inseob Kim
2e0fb00f22 Add /dev/vsock permissions to microdroid
microdroid_manager needs to know its own CID until the full RPC binder
support is landed.

Bug: 191845268
Test: run MicrodroidDemoApp
Test: atest MicrodroidHostTestCases
Change-Id: I8f6c667f0827d1089baa21417c2b0ba382d94d26
2021-08-24 14:23:18 +09:00
Keith Mok
e3ace79b18 Merge "Revert "crash_dump: supress denials for files in /proc"" am: 97935f4898
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1789807

Change-Id: Ic2f8920b0c49fb19e70184395da7afb7e55d1f8e
2021-08-23 16:27:48 +00:00
Keith Mok
97935f4898 Merge "Revert "crash_dump: supress denials for files in /proc"" 2021-08-23 16:15:20 +00:00
Android Build Coastguard Worker
c444292203 Merge cherrypicks of [15633344, 15633345, 15633457, 15633423, 15633424, 15633425, 15633095, 15633401, 15632569, 15633426, 15633427, 15633402, 15633346, 15633347, 15633403, 15633458] into sc-release
Change-Id: Ifba61ca3ac9c60d426b3e24d096b8064102bf954
2021-08-20 00:34:44 +00:00
Orion Hodson
51bd92505b odrefresh: add permission to sigkill child processes
(cherry picked from commit 522bcbe9e6)
Ignore-AOSP-First: cherry-pick from aosp
Bug: 177432913
Bug: 196969404
Test: manually decrease odrefresh compilation timeout, no avc denied
Change-Id: I7dec0a3d82c82b5dea4b5f3f38d9170bb1f40840
(cherry picked from commit 86477d7933)
2021-08-20 00:34:06 +00:00
Victor Hsieh
dedb4909c3 Remove unnecessary privileges from dex2oat in VM
With a change in dex2oat to avoid opening /proc/self/fd, this change
removes open and a few other privileges from dex2oat.

Bug: 196404749
Test: ComposHostTestCases
Change-Id: I822c7ef3886a1cde8601e71afa2eb79973cd573c
2021-08-19 14:01:59 -07:00
Android Build Coastguard Worker
5e88614793 Merge cherrypicks of [15617994, 15618969, 15618970, 15617995, 15618032, 15618033, 15618190, 15620097, 15618565, 15620098, 15617967, 15619902, 15620257, 15619392] into sc-release
Change-Id: I93eb084990631cfbc74aab8c513af84c3de0ef9d
2021-08-19 03:22:21 +00:00
Eric Biggers
0fc214e291 Restore permission for shell to list /sys/class/block
As a side effect, commit ec50aa5180 ("Allow the init and apexd
processes to read all block device properties") removed permission for
the shell context to list the /sys/class/block directory.  There is a
CTS test that relies on this (CtsNativeEncryptionTestCases), so grant
permission to do this again.

Bug: 196521739
Bug: 194450129
Test: Before this change, 'adb shell ls /sys/class/block' fails.
      After this change, 'adb shell ls /sys/class/block' succeeds.
Change-Id: I87cb90880f927db1385887b35c84f4dd7f95021b
Merged-In: I87cb90880f927db1385887b35c84f4dd7f95021b
(cherry picked from commit ff53c4d16e)
2021-08-19 03:22:01 +00:00
Orion Hodson
716a987065 Merge "odrefresh: add permission to sigkill child processes" am: 26d95ebaab
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1798214

Change-Id: Id1cc74aa030b6e1a3543b75dd474e666f4a55042
2021-08-18 10:38:44 +00:00
Orion Hodson
26d95ebaab Merge "odrefresh: add permission to sigkill child processes" 2021-08-18 10:24:37 +00:00
Suren Baghdasaryan
a3152de04d Merge "Allow init to execute extra_free_kbytes.sh script" am: ce8e066761
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1782248

Change-Id: I53559bd04d3e65dec4ee2187636677e91ededc27
2021-08-17 19:24:23 +00:00
Suren Baghdasaryan
ce8e066761 Merge "Allow init to execute extra_free_kbytes.sh script" 2021-08-17 19:17:59 +00:00
Eric Biggers
2b7e9943d9 Merge "Restore permission for shell to list /sys/class/block" am: cc0f64416f
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1797007

Change-Id: I60b12f2a7cb088b8e648149d9356f9b00f97adbe
2021-08-17 19:17:07 +00:00
Eric Biggers
cc0f64416f Merge "Restore permission for shell to list /sys/class/block" 2021-08-17 18:22:55 +00:00
Xin Li
92b6511572 Merge "Merge sc-dev-plus-aosp-without-vendor@7634622" into stage-aosp-master 2021-08-17 18:14:48 +00:00
Orion Hodson
522bcbe9e6 odrefresh: add permission to sigkill child processes
Bug: 177432913
Bug: 196969404
Test: manually decrease odrefresh compilation timeout, no avc denied
Change-Id: Ic89dcdb64974ac00c83504d876a94d8b5c6b2a29
2021-08-17 19:08:08 +01:00
Suren Baghdasaryan
6988677f22 Allow init to execute extra_free_kbytes.sh script
extra_free_kbytes.sh is used by init to set /sys/vm/watermark_scale_factor
value. Allow init to execute extra_free_kbytes.sh and the script to access
/proc/sys/vm/watermark_scale_factor and /proc/sys/vm/extra_free_kbytes
files.

Bug: 109664768
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I55ec07e12a1cc5322cfdd4a48d0bdc607f45d832
2021-08-17 17:02:38 +00:00
Keun young Park
d577958598 allow installd to kill dex2oat and dexoptanalyzer
Bug: 179094324
Bug: 156537504

Test: confirm that installd killing those processes is not bringing
      selinux violation
Change-Id: Icac3f5acc3d4d398bbe1431bb02140f3fe9cdc45
2021-08-17 09:48:47 -07:00
Rick Yiu
6ea5f2d083 Merge "Move mediaprovider_app to common code" am: 16c9c6a557
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1794168

Change-Id: I5f2b05279f469a609f851cd288b8d088f227f7b0
2021-08-17 08:08:17 +00:00