Commit graph

44019 commits

Vadim Caen
45f1ecee7a Allow system_server to communicate with virtual_camera
and consistently name service and process as "virtual_camera" (with
underscore)

Test: Cts VirtalCameraTest
Bug: 270352264
Change-Id: I2c6c0c03aab47aa1795cbda19af25e6661a0bf4a
2023-11-14 15:27:57 +01:00
Treehugger Robot
e84d547758 Merge "Added entries for audioflinger and audiopolicy aidl fuzzer" into main 2023-11-09 05:30:49 +00:00
Maciej Żenczykowski
899fdae61f Merge "system_server dontaudit key_socket getopt" into main 2023-11-08 20:21:38 +00:00
Kelvin Zhang
f5877aafe2 Merge "Allow update_engine to read /proc/filesystems" into main 2023-11-08 18:40:26 +00:00
Kelvin Zhang
f7e9111376 Allow update_engine to read /proc/filesystems
During OTA install, update_engine needs to read this file to determine
if overlayfs is enabled, as OTA requires overlayfs to be disabled.

The selinux denial looks like

audit(0.0:242): avc:  denied  { read } for  name="filesystems"
dev="proc" ino=4026532076 scontext=u:r:update_engine:s0
tcontext=u:object_r:proc_filesystems:s0 tclass=file permissive=0

Bug: 309812002
Test: th
Change-Id: I10903ced21e79c90dec45fb40ecd169d98c94e89
2023-11-08 18:40:12 +00:00
Maciej Żenczykowski
70be64b77c system_server dontaudit key_socket getopt
11-08 07:52:43.776 1469 1469 I auditd : type=1400 audit(0.0:4): avc: denied { getopt } for comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=key_socket permissive=0
11-08 07:52:44.360 1469 1469 I auditd : type=1400 audit(0.0:5): avc: denied { getopt } for comm="NetworkStats" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=key_socket permissive=0
11-08 07:52:44.508 1469 1469 I auditd : type=1400 audit(0.0:7): avc: denied { getopt } for comm="android.bg" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=key_socket permissive=0

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I6799c6fcfed0454f32607150320c0ed12301071c
2023-11-08 08:28:16 +00:00
Treehugger Robot
2ac4d112b8 Merge "Allow bootanimation to access vendor apex" into main 2023-11-08 06:30:38 +00:00
Keith Mok
4bd043ca67 Merge "SEPolicy for AIDL MACSEC HAL" into main 2023-11-07 21:40:41 +00:00
Treehugger Robot
6f789851e9 Merge "add percpu_pagelist_high_fraction type" into main 2023-11-07 13:30:15 +00:00
Martin Liu
52aa5039ba add percpu_pagelist_high_fraction type
Bug: 309409009
Test: boot
Change-Id: I04db2ab3a95a5427e6d89cf128ed953fdc823107
Signed-off-by: Martin Liu <liumartin@google.com>
2023-11-07 11:36:00 +08:00
Sebastian Pickl
c6132a2ae7 bugmap selinux failure
Bug: 308043377
Change-Id: Ieb5f41be6b73bf8d6f07e2ae7fab4dd671adf9a0
2023-11-06 12:39:11 +00:00
Jooyung Han
87889b6af2 Allow bootanimation to access vendor apex
Bootanimation needs access to EGL/GLES libraries. When they are in a
vendor apex, it should be able to read its mount point at least.

Bug: 205618237
Test: launch CF and check logcat # bootanimation works with EGL
Change-Id: I6f0727916dd8f69fbfc02bb33ff27c9f11ec9388
2023-11-06 18:26:27 +09:00
Sebastian Pickl
c6c36a4130 Merge "bugmap selinux failure" into main 2023-11-06 08:47:38 +00:00
Treehugger Robot
41f36eda49 Merge "Revert^2 "Use Soong-processed files for file_contexts.bin"" into main 2023-11-06 02:20:59 +00:00
Keith Mok
df794b4590 SEPolicy for AIDL MACSEC HAL
Bug: 254108688
Test: AIDL MACSEC HAL VTS
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fba6480fa08001a36faf524d0a6952f29d916a6b)
Change-Id: I5ccaa24c6b9600713bbc0e4c523822567b64c662
2023-11-03 21:29:48 +00:00
Ahmad Khalil
70b7a8c76d Merge "Add new vibrator control service to system_server" into main 2023-11-03 14:03:19 +00:00
Sebastian Pickl
6aa75739d5 bugmap selinux failure
Bug: 308043377
Change-Id: I880567e2756b1605b7bf692f75dc20f50013bb25
2023-11-03 12:58:13 +00:00
Ahmad Khalil
7c22e8b3cd Add new vibrator control service to system_server
Bug: 305961689
Test: N/A
Change-Id: Ia4f061d6ae7656fce4c01f5acc2a1314f8ba4ac4
2023-11-03 12:09:04 +00:00
Inseob Kim
8ecc1b8372 Revert^2 "Use Soong-processed files for file_contexts.bin"
This reverts commit 32a83de069.

Reason for revert: fixed breakage, relanding

Change-Id: I3f9e4258418dd60acca4cda90ad34a2116689a0f
2023-11-03 06:02:30 +00:00
Treehugger Robot
0057599d35 Merge "Don't fc_sort on platform file contexts" into main 2023-11-03 03:40:20 +00:00
Sebastian Pickl
fe4b397451 Merge "bug_map selinux test failure" into main 2023-11-02 22:09:05 +00:00
James Willcox
f70225771d Merge "Add new keystore2 permission get_last_auth_time." into main 2023-11-02 21:09:20 +00:00
Kyle Zhang
dcf977ac99 Merge "Add system property persist.drm.forcel3.enabled" into main 2023-11-02 17:16:42 +00:00
Sebastian Pickl
7a8028bbb4 bug_map selinux test failure
Bug: 308043377
Change-Id: Idca147ac558d68d09d69844fdb382d0ad90d0261
2023-11-02 15:29:28 +00:00
Victor Hsieh
807cd72034 Merge "Allow system_server to read sepolicy from sysfs" into main 2023-11-02 14:47:30 +00:00
Inseob Kim
dfa4a48b1c Don't fc_sort on platform file contexts
Sorting algorithm of fc_sort is not perfect and often causes unexpected
behaviors. We are moving from fc_sort to manual ordering of platform
file_contexts files.

In addition, this sets remove_comment as true by default, as fc_sort has
been removing comments / empty lines.

Bug: 299839280
Test: TH
Change-Id: Ic8a02b64fc70481234467a470506580d2e6efd94
2023-11-02 17:30:39 +09:00
Victor Hsieh
5d102ffeb1 Allow system_server to read sepolicy from sysfs
Bug: 308471499
Test: let system server hash the policy
Change-Id: I8fc171e25636698d787be029c00471e0768f4c7a
2023-11-01 15:02:53 -07:00
Hasini Gunasinghe
daa1cec849 Merge "Add sepolicy for non-secure AuthGraph impl" into main 2023-11-01 16:27:51 +00:00
James Willcox
038f859db2 Add new keystore2 permission get_last_auth_time.
This is checked when getting the time of last successful authentication
from keystore2. The auth_service is the only expected caller.

Bug: 303839446
Test: manual
Change-Id: Idf222e69c0553a7be94206b519a95a4006e69507
2023-10-31 20:28:43 +00:00
Alice Wang
072d8fc0db Merge "Revert "[avf][rkp] Allow virtualizationservice to register RKP H..."" into main 2023-10-31 15:13:01 +00:00
Alice Wang
ece557dc7a Revert "[avf][rkp] Allow virtualizationservice to register RKP H..."
Revert submission 2778549-expose-avf-rkp-hal

Reason for revert: SELinux denial
avc:  denied  { find } for pid=3400 uid=10085 name=android.hardware.security.keymint.IRemotelyProvisionedComponent/avf scontext=u:r:rkpdapp:s0:c85,c256,c512,c768 tcontext=u:object_r:avf_remotelyprovisionedcomponent_service:s0 tclass=service_manager permissive=0


Reverted changes: /q/submissionid:2778549-expose-avf-rkp-hal

Bug: 308596709
Change-Id: If8e448e745f2701cf00e7757d0a079d8700d43c0
2023-10-31 15:01:18 +00:00
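The avc records quoted in three of the commits above (update_engine reading /proc/filesystems, system_server on its own key_socket, and rkpdapp's service_manager find that triggered the revert) all have the same shape: a permission set in braces, then key=value fields including scontext, tcontext and tclass. The Python below is an added example, not code from the sepolicy project: it parses such lines into source type, target type, class and permissions, and renders the candidate TE rule as either allow or dontaudit, using the self keyword when a domain acts on its own type. The first three sample lines are copied from the commit messages on this page; the fourth is a constructed non-avc auditd line included to show that unrelated records are skipped. Which rule (if any) belongs in policy is a separate decision, and the page shows all three outcomes: an allow for update_engine, a dontaudit for system_server, and a revert of the change that caused the rkpdapp denial.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Lines 1-3 are copied from the commit messages on this page; line 4 is a
# constructed non-avc audit record (not from the page) to exercise skipping.
SAMPLE_LINES = [
    'audit(0.0:242): avc:  denied  { read } for  name="filesystems" '
    'dev="proc" ino=4026532076 scontext=u:r:update_engine:s0 '
    'tcontext=u:object_r:proc_filesystems:s0 tclass=file permissive=0',
    '11-08 07:52:43.776 1469 1469 I auditd : type=1400 audit(0.0:4): avc: '
    'denied { getopt } for comm="system_server" scontext=u:r:system_server:s0 '
    'tcontext=u:r:system_server:s0 tclass=key_socket permissive=0',
    'avc:  denied  { find } for pid=3400 uid=10085 '
    'name=android.hardware.security.keymint.IRemotelyProvisionedComponent/avf '
    'scontext=u:r:rkpdapp:s0:c85,c256,c512,c768 '
    'tcontext=u:object_r:avf_remotelyprovisionedcomponent_service:s0 '
    'tclass=service_manager permissive=0',
    '11-08 07:52:44.000 1469 1469 I auditd : type=1300 audit(0.0:5): '
    'arch=c00000b7 syscall=208',
]

# "avc: denied { perm ... } for key=value ..." with flexible whitespace.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values may be quoted ("filesystems") or bare (u:r:x:s0).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    perms: Tuple[str, ...]
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool        # True: the access was logged but actually allowed
    fields: Dict[str, str]  # remaining pairs: comm, name, pid, uid, dev, ino...

    @staticmethod
    def _type_of(ctx: str) -> str:
        # Android security contexts are user:role:type[:sensitivity[:cats]]
        return ctx.split(':')[2]

    @property
    def source_type(self) -> str:
        return self._type_of(self.scontext)

    @property
    def target_type(self) -> str:
        return self._type_of(self.tcontext)


def parse_denial(line: str) -> Optional[Denial]:
    """Return a Denial for an avc denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    try:
        scontext = fields.pop('scontext')
        tcontext = fields.pop('tcontext')
        tclass = fields.pop('tclass')
    except KeyError:
        return None  # malformed record: cannot build a rule without these
    permissive = fields.pop('permissive', '0') == '1'
    perms = tuple(sorted(m.group('perms').split()))
    return Denial(perms, scontext, tcontext, tclass, permissive, fields)


def parse_all(lines: Iterable[str]) -> List[Denial]:
    return [d for d in map(parse_denial, lines) if d is not None]


def to_rule(d: Denial, kind: str = 'allow') -> str:
    """Render the TE rule that would cover this denial (allow or dontaudit)."""
    if kind not in ('allow', 'dontaudit'):
        raise ValueError(f'unsupported rule kind: {kind}')
    # A domain touching an object of its own type is written with 'self'.
    target = 'self' if d.source_type == d.target_type else d.target_type
    perms = d.perms[0] if len(d.perms) == 1 else '{ ' + ' '.join(d.perms) + ' }'
    return f'{kind} {d.source_type} {target}:{d.tclass} {perms};'


if __name__ == '__main__':
    for d in parse_all(SAMPLE_LINES):
        who = d.fields.get('comm') or d.fields.get('pid', '?')
        print(f'# {who}: {d.source_type} -> {d.target_type} ({d.tclass})')
        print(to_rule(d))
        print(to_rule(d, 'dontaudit'))
```

Running the script prints, for each of the three page denials, the allow form and the dontaudit form side by side; the choice between them (or between either and reverting the caller, as happened for rkpdapp) is the policy author's, not the parser's.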
Alice Wang
7109a31496 Merge "[avf][rkp] Allow virtualizationservice to register RKP HAL service" into main 2023-10-31 12:21:41 +00:00
Treehugger Robot
adbef0cf37 Merge "Revert "Suppress a denial on VM boot"" into main 2023-10-31 02:29:57 +00:00
Treehugger Robot
12665a9787 Merge "Add appcompat override files and contexts to SELinux" into main 2023-10-31 02:29:57 +00:00
Alex Xu
f82b6897cf Merge "Add sepolicy for security_state service." into main 2023-10-27 19:20:58 +00:00
Treehugger Robot
cbe6fed87f Merge "To allow drm_clear_key_aidl hal to access mediacodec" into main 2023-10-27 18:45:24 +00:00
Alice Wang
104626ca99 [avf][rkp] Allow virtualizationservice to register RKP HAL service
Bug: 274881098
Test: atest MicrodroidHostTests
Change-Id: Ib0953fa49f27719be63bb244071b132bc385dca3
2023-10-27 09:26:42 +00:00
Inseob Kim
45b3123bf0 Merge "Revert "Use Soong-processed files for file_contexts.bin"" into main 2023-10-27 04:18:21 +00:00
Bob Yang
32a83de069 Revert "Use Soong-processed files for file_contexts.bin"
This reverts commit d1401b7a2f.

Reason for revert: DroidMonitor-triggered revert due to breakage, bug 308055894

Change-Id: Ic22a37a6d32662344da80fb28751e8c34803a82e
2023-10-27 04:17:02 +00:00
Treehugger Robot
521d9385ee Merge "Add sepolicy to allow OT daemon to write to statsd" into main 2023-10-27 03:16:16 +00:00
Treehugger Robot
3bd20095a5 Merge "Use Soong-processed files for file_contexts.bin" into main 2023-10-27 00:42:16 +00:00
Kyle Zhang
12c42b5f50 Add system property persist.drm.forcel3.enabled
Bug: 299987160
Change-Id: Icf945a2bfb7e25225f30630c5d24bf13a8960a01
2023-10-26 22:16:49 +00:00
Xin Li
67d58f5f39 Merge "Merge android14-tests-dev" into main 2023-10-26 20:11:39 +00:00
Xin Li
522f0a9ef2 Merge android14-tests-dev
Bug: 263910020
Merged-In: If027337f7e703fe5b80e18ecddeabbac29011c5f
Change-Id: Ic7943d9afe12602f3e4289a7aa6ad0c5d340ed81
2023-10-26 10:31:12 -07:00
Sandro Montanari
4db0e27a50 Introduce sdk_sandbox_audit SELinux domain
Bug: 295861450
Test: atest CtsSdkSandboxInprocessTests and adb shell ps -Z
Change-Id: I9c5873181c925c6b8ebb411328d30aa519053acf
2023-10-26 08:50:26 +00:00
Alex Xu
902a010aaa Add sepolicy for security_state service.
security_state service manages security state (e.g. SPL) information across partitions, modules, etc.

Bug: 307819014
Test: Manual
Change-Id: I4ebcd8431c11b41f7e210947b32cf64c2adf3901
2023-10-26 06:11:58 +00:00
Tony Zhou
4ed6a0d834 Add sepolicy to allow OT daemon to write to statsd
Bug: 230565248

Test: push data to statsd_testdrive and it works now

Change-Id: I48c3affdd1fbd62df5b8eaff9908c5f3bbeda4d8
2023-10-26 05:47:01 +00:00
David Drysdale
c4ab01baad Add sepolicy for non-secure AuthGraph impl
Bug: 284470121
Bug: 291228560
Test: hal_implementation_test
Test: VtsAidlAuthGraphSessionTest
Change-Id: I85bf9e0656bab3c96765cc15a5a983aefb6af66d
2023-10-26 02:00:43 +00:00
Steven Moreland
012b954125 Merge "binderfs neverallows" into main 2023-10-26 00:07:44 +00:00
Inseob Kim
d1401b7a2f Use Soong-processed files for file_contexts.bin
This should be no-op but will be useful when we implement Trunk Stable
aware contexts. Also this removes complexity from Android.mk.

Bug: 306563735
Test: build
Change-Id: Ie7e2c2c8c1e813af0ea617a2e29589b660c1bdaf
2023-10-25 23:51:44 +09:00