Sal Savage
a529796057
Update LE Audio profile names to be in line with spec and implementation
...
Bug: 217448211
Test: atest BluetoothInstrumentationTests
Merged-In: If27874ca20be1db032519b2168631c3b651a0522
Change-Id: If27874ca20be1db032519b2168631c3b651a0522
2022-04-22 22:57:56 +00:00
Treehugger Robot
91574cceb9
Merge "Add vibrator and power HALs to Watchdog dumps" am: 2f666d5fc0
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2073787
Change-Id: I26845c612519a78c1963a9245e4ce48b590f07c9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-22 18:01:08 +00:00
Treehugger Robot
2f666d5fc0
Merge "Add vibrator and power HALs to Watchdog dumps"
2022-04-22 17:39:58 +00:00
Inseob Kim
4196403c36
Replace se_filegroup to se_build_files
...
se_build_files is a replacement for se_filegroup module. se_build_files
can be used with the normal Soong convention ":module_name{.tag}" by
implementing android.OutputFileProducer. It's better than implementing
ad-hoc logic across various modules, which is the case for se_filegroup
module.
Test: build and boot
Change-Id: Ic0e34549601eb043145e433055f5a030eaf4347e
2022-04-23 01:47:40 +09:00
Jaegeuk Kim
3a45ffec11
Allow shutdown /data
...
Bug: 229406072
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: I7bdd9acd2e85311ecb59b3f0eb1f503a93e240ef
2022-04-22 09:34:02 -07:00
Felipe Leme
d221f197c2
Merge "Allow apps to read system_user_mode_emulation_prop." am: c696791a7f
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2072574
Change-Id: I4ac97ab72f5ec49087b6dcc3f10efeb34b1ab7bc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-22 15:43:11 +00:00
Felipe Leme
c696791a7f
Merge "Allow apps to read system_user_mode_emulation_prop."
2022-04-22 15:25:13 +00:00
Michael Wright
d5d2f60795
Add vibrator and power HALs to Watchdog dumps
...
Test: adb shell am hang --allow-restart, check Last ANR for stacks
Fixes: 211998169
Change-Id: I7cad1e57caed5eb8a5c0092548362fd0a6b1d98d
2022-04-22 14:32:14 +00:00
Treehugger Robot
3ce006199b
Merge "Add sensor multi-HAL AIDL sepolicy" am: c6275b4b73
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2059451
Change-Id: Ia5c40e34e81f93a44a86ce531bd109c93bab60d0
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-22 06:16:38 +00:00
Treehugger Robot
c6275b4b73
Merge "Add sensor multi-HAL AIDL sepolicy"
2022-04-22 05:58:11 +00:00
Joe Bolinger
97db8c0c4d
Add virtual fingerprint instance to policy. am: 197b314b4b
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2072070
Change-Id: Ic8950a745599d17d61996a797f7f8afbe2af69a1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-22 04:57:23 +00:00
Rick Chen
8cb9f4385d
Add sensor multi-HAL AIDL sepolicy
...
Bug: 228525902
Test: Device can boot to home.
Change-Id: I9d27967213df83b20cb49014317dcfb7afac1880
2022-04-22 01:49:26 +00:00
Felipe Leme
b85242c00f
Allow apps to read system_user_mode_emulation_prop.
...
As it's used by UserManager...
Test: sesearch --allow -s appdomain -t system_user_mode_emulation_prop $ANDROID_PRODUCT_OUT/vendor/etc/selinux/precompiled_sepolicy
Bug: 226643927
Change-Id: I1134a9e0b8ae758e3ebef054b96f9e3237a2401f
2022-04-21 18:49:12 -07:00
Joe Bolinger
197b314b4b
Add virtual fingerprint instance to policy.
...
Bug: 228638448
Change-Id: Id9cd3565d731ba98f18e91c50fc19b6820bf3172
Test: N/A
2022-04-21 22:57:01 +00:00
Mitch Phillips
e3256e3d21
Merge "[GWP-ASan] Add sysprop, allow shell and system apps to set it." am: 800e948e61
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2040964
Change-Id: I1e2b9edd633ef294e1a3b017f8ff0e1f685331ea
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-21 18:32:15 +00:00
Mitch Phillips
800e948e61
Merge "[GWP-ASan] Add sysprop, allow shell and system apps to set it."
2022-04-21 18:12:43 +00:00
Seth Moore
6252da2cd1
Merge "Allow the remote provisioner app to set rkp_only properties" am: 222e99e26f
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2069269
Change-Id: Ie15a61b54416f9b0b38b7a108e1b76a724dcc505
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-21 17:29:29 +00:00
Seth Moore
222e99e26f
Merge "Allow the remote provisioner app to set rkp_only properties"
2022-04-21 17:23:11 +00:00
Maciej Żenczykowski
25192167a1
Merge "Grants clatd privs since forked by system server" am: 1ebfb867a8
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1951036
Change-Id: Id5a3158b63aa2d0a5e5e0776e0d35e5cd606d077
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-21 14:04:05 +00:00
Maciej Żenczykowski
1ebfb867a8
Merge "Grants clatd privs since forked by system server"
2022-04-21 14:00:23 +00:00
Treehugger Robot
0bd269a7c8
Merge "Track sys_module permission for system_server" am: bd3e8d9520
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2063148
Change-Id: I20f877611275635eff7de29353b09eb82dd1d6ae
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-21 07:38:31 +00:00
Treehugger Robot
bd3e8d9520
Merge "Track sys_module permission for system_server"
2022-04-21 07:20:26 +00:00
Alistair Delva
f54bcca352
Merge "Adds GPU sepolicy to support devices with DRM gralloc/rendering" am: ce19c41b8f
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1999610
Change-Id: I7e7ed07eaaededa0e42c48884be50d5c09a334fc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-21 04:43:58 +00:00
Alistair Delva
ce19c41b8f
Merge "Adds GPU sepolicy to support devices with DRM gralloc/rendering"
2022-04-21 04:21:45 +00:00
Seth Moore
8bfdd82123
Allow the remote provisioner app to set rkp_only properties
...
The properties for rkp_only are no longer read only.
This allows remote provisioner unit tests to enable/disable the remote
provisioning only mode, which is required to fully verify functionality.
Test: RemoteProvisionerUnitTests
Bug: 227306369
Change-Id: I8006712a49c4d0605f6268068414b49714bbd939
2022-04-20 17:15:20 -07:00
Treehugger Robot
a8176be752
Merge "Adds system_user_mode_emulation_prop property." am: 7c9e7bbb11
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2069890
Change-Id: Id0d7a9d11f99b49d8ff68d7e70d4fbbbc972dbb4
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-20 23:12:35 +00:00
Treehugger Robot
7c9e7bbb11
Merge "Adds system_user_mode_emulation_prop property."
2022-04-20 22:51:45 +00:00
Felipe Leme
9a385b2112
Adds system_user_mode_emulation_prop property.
...
It will be used by system_server only (i.e., not even Shell) to let
developers change the system user mode (to be headless or full).
Test: sesearch --allow -t system_user_mode_emulation_prop $ANDROID_PRODUCT_OUT/vendor/etc/selinux/precompiled_sepolicy
Bug: 226643927
Change-Id: Iaba42fd56dce0d8d794ef129634df78f9599260f
2022-04-20 13:28:01 -07:00
Eric Biggers
60ac375f3a
Merge "vold.te: stop allowing use of keymaster HAL directly" am: 39b27b87ba
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2065468
Change-Id: Ifc25cc95d76b9bc8cb05cb2a5ce14b39a402f21a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-20 18:21:47 +00:00
Eric Biggers
39b27b87ba
Merge "vold.te: stop allowing use of keymaster HAL directly"
2022-04-20 17:42:28 +00:00
Shikha Panwar
be9fea3b8b
Merge "Allow microdroid to start tombstone_transmit service" am: 8feef80fab
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2063853
Change-Id: Iea79abd91d9f3ca7dd30755f4a415fb916246ce9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-20 11:17:30 +00:00
Shikha Panwar
8feef80fab
Merge "Allow microdroid to start tombstone_transmit service"
2022-04-20 11:08:23 +00:00
Treehugger Robot
af42eee34c
Merge "crosvm can access data_shell_file on user builds" am: d222ea676b
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2064912
Change-Id: Icb55aca23bde8f9024a6790eb72440e2ed8c0878
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-20 05:47:51 +00:00
Treehugger Robot
e5defcf3d4
Merge "/apex/com.android.art/bin/dex2oat is a symlink, so allow reading it from the shell." am: b87591b7c6
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2063854
Change-Id: Iaee281b32e3100b8cfa1a94119580acbd897602a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-20 05:47:42 +00:00
Treehugger Robot
d222ea676b
Merge "crosvm can access data_shell_file on user builds"
2022-04-20 05:32:32 +00:00
Treehugger Robot
b87591b7c6
Merge "/apex/com.android.art/bin/dex2oat is a symlink, so allow reading it from the shell."
2022-04-20 05:19:16 +00:00
Jiyong Park
cdd5e07956
crosvm can access data_shell_file on user builds
...
Some of our CTS tests require crosvm to have read/write access to
files on /data/local/tmp/virt which is labeled as data_shell_file.
Since CTS tests should pass on user builds, grant the access in user
builds as well.
Note that the open access is still disallowed in user builds.
Bug: 222013014
Test: run cts
Change-Id: I4f93ac64d72cfe63275f04f2c5ea6fb99e9b5874
2022-04-20 08:35:19 +09:00
Eric Biggers
bf717e18f1
vold.te: stop allowing use of keymaster HAL directly
...
Since Android 12, vold goes through the keystore daemon instead of using
the keymaster HAL directly. Therefore, the SELinux rules that allow
vold to use the keymaster HAL directly are no longer needed.
Bug: 181910578
Change-Id: I8ecc47530cba82128c869ffd2fed9009dd7d5e05
2022-04-19 21:57:18 +00:00
Treehugger Robot
7fd8710e46
Merge "Remove obsolete rule allowing installd to use fsverity ioctls" am: 12399e945e
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2065527
Change-Id: I972ea99ec473463f77ee1f85cec32ccf1ca5923c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-19 21:11:16 +00:00
Treehugger Robot
12399e945e
Merge "Remove obsolete rule allowing installd to use fsverity ioctls"
2022-04-19 20:49:43 +00:00
Eric Biggers
fa1f9cb2b8
Merge "Remove some FDE rules and update comments" am: b83a6d1168
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2065887
Change-Id: Ib41b61ff06a839653c3608708be382ea0ca65e49
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-19 17:03:35 +00:00
Eric Biggers
b83a6d1168
Merge "Remove some FDE rules and update comments"
2022-04-19 16:47:27 +00:00
Treehugger Robot
672b6a1776
Merge "apkdmverity: use LOOP_CONFIGURE" am: 10ea55472c
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2063894
Change-Id: I8d0da7af0c1365566c3f81c3c1d4b547ce994bfe
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-19 06:01:44 +00:00
Treehugger Robot
10ea55472c
Merge "apkdmverity: use LOOP_CONFIGURE"
2022-04-19 05:43:56 +00:00
Jason Macnak
a93398051c
Adds GPU sepolicy to support devices with DRM gralloc/rendering
...
... such as Cuttlefish (Cloud Android virtual device) which has a
DRM virtio-gpu based gralloc and (sometimes) DRM virtio-gpu based
rendering (when forwarding rendering commands to the host machine
with Mesa3D in the guest and virglrenderer on the host).
After this change is submitted, changes such as aosp/1997572 can
be submitted to remove sepolicy that is currently duplicated
across device/google/cuttlefish and device/linaro/dragonboard as
well.
Adds a sysfs_gpu type (existing replicated sysfs_gpu definitions
across several devices are removed in the attached topic). The
uses of `sysfs_gpu:file` come from Mesa using libdrm's
`drmGetDevices2()` which calls into `drmParsePciDeviceInfo()` to
get vendor id, device id, version etc.
Bug: b/161819018
Test: launch_cvd
Test: launch_cvd --gpu_mode=gfxstream
Change-Id: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
Merged-In: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
2022-04-18 17:30:56 -07:00
Xin Li
753b87fbc5
Empty merge of sc-v2-dev-plus-aosp-without-vendor@8433047
...
Bug: 226662282
Merged-In: Ic64ce88e137976149813888a0d6d2910fda359e7
Change-Id: Id90adb99bf00db32bdd14e20d0ffd02424da5ef0
2022-04-18 20:43:42 +00:00
Roshan Pius
0bad2ae587
sepolicy: Allow uwb module access to CE directories for UWB am: 47bddcd065
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2065410
Change-Id: Ie9402b41ea605b158cf02e0e833c7b1eda22337b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-16 02:27:15 +00:00
Jooyung Han
0b3d56d35f
apkdmverity: use LOOP_CONFIGURE
...
LOOP_CONFIGURE is more efficient than LOOP_SET_FD/SET_STATUS64.
apkdmverity has used the latter because LOOP_CONFIGURE didn't work for
loop-mounting IDSIG file.
apkdmverity can use LOOP_CONFIGURE and enabling DIRECT_IO only when
necessary.
Bug: 191344832
Test: atest MicrodroidTestApp
Change-Id: I9503f17a689e2447acee1f6ef9c2aac53cf3c457
2022-04-16 00:07:39 +00:00
Eric Biggers
9bf0a0c141
Remove some FDE rules and update comments
...
Now that FDE (Full Disk Encryption) is no longer supported, the SELinux
policy doesn't need to support it. Remove two rules that are no longer
needed. Also update some comments that implied that other rules were
needed only because of FDE support, when actually they are still needed
for other reasons. Finally, fix some outdated documentation links.
Bug: 208476087
Change-Id: I4e03dead91d34fcefdfcdc68d44dd97f433d6eaf
2022-04-15 21:06:51 +00:00
Roshan Pius
47bddcd065
sepolicy: Allow uwb module access to CE directories for UWB
...
Denial logs:
04-15 17:02:48.616 1811 1811 W binder:1811_6: type=1400 audit(0.0:7): avc: denied { write } for name="com.android.uwb" dev="dm-41" ino=6916 scontext=u:r:system_server:s0 tcontext=u:object_r:apex_module_data_file:s0 tclass=dir permissive=0
Bug: 229410097
Change-Id: I86df5f20dda483aa0579a55e1b040c277906db1b
Test: Manual tests
2022-04-15 20:37:24 +00:00