Treehugger Robot
4c5220c2bc
Merge "Support GKI updates"
2020-08-28 21:24:34 +00:00
Steven Moreland
6ced6ff339
Merge "Remove binder_in_vendor_violators."
2020-08-28 17:04:07 +00:00
Steven Moreland
5c0a0a8190
Remove binder_in_vendor_violators.
It's release blocking if devices specify it. Since none are used
in-tree anymore, no reason to ever use this again.
Bug: 131617943
Test: grepping source/build (which validates this isn't used)
Change-Id: I6f98ab9baed93e11403a10f3a0497c855d3a8695
2020-08-27 00:00:35 +00:00
Gavin Corkery
df9d784e6d
Merge "Selinux policy for new userspace reboot logging dir"
2020-08-26 21:47:19 +00:00
Gavin Corkery
ed62b31812
Selinux policy for new userspace reboot logging dir
Add userspace_reboot_metadata_file, which is written to by init,
and read by system server. System server will also handle the
deletion policy and organization of files within this directory,
so it needs additional permissions.
Test: Builds
Bug: 151820675
Change-Id: Ifbd70a6564e2705e3edf7da6b05486517413b211
2020-08-26 21:00:09 +01:00
Treehugger Robot
e30e8a7cc4
Merge "sepolicy: allow system_server to write to cgroup_v2"
2020-08-26 16:15:22 +00:00
Hiroki Sato
09882d209c
Replace hal_dumpstate with hal_dumpstate_server
After change Ia7437b8297794502d496e9bd9998dddfdcb747ef, some build
targets are broken. This change fixes it.
Bug: 166334688
Test: build
Change-Id: Iaf6ca1ae5c461bd3c5059b27a148c7858679f795
2020-08-26 10:23:05 +00:00
Marco Ballesio
95aa74d6cd
sepolicy: allow system_server to write to cgroup_v2
During boot, system_server will need to write to files under
/sys/fs/cgroup/freezer. Change the cgroup_v2 policy to allow this
operation.
Test: booted device with change, verified that files are properly
accessed.
Bug: 154548692
Change-Id: I2ccc112c8870129cb1b8312023b54268312efcca
2020-08-25 18:12:24 -07:00
Jeff Vander Stoep
21e31aa106
Refer to hal_dumpstate_server in neverallow rules am: 684d25b75a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1409808
Change-Id: I774bc0e8a6f2113b0cfd5033eb19b6261056a667
2020-08-25 16:07:47 +00:00
Jeff Vander Stoep
684d25b75a
Refer to hal_dumpstate_server in neverallow rules
hal_dumpstate gets optimized away by the policy compiler causing
a CTS failure:
neverallow { -init -dumpstate -hal_dumpstate -vendor_init } hal_dumpstate_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
Warning! Type or attribute hal_dumpstate used in neverallow undefined in policy being checked
Fixes: 166168257
Test: build policy
Change-Id: Ia7437b8297794502d496e9bd9998dddfdcb747ef
2020-08-25 11:41:00 +02:00
Treehugger Robot
a7189abd95
Merge "Fix product property type macros" am: dab50ef0a3
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1409727
Change-Id: I2b4df7b5d0e0403345fb560e4f50bde6ee76af5a
2020-08-25 09:40:38 +00:00
Treehugger Robot
dab50ef0a3
Merge "Fix product property type macros"
2020-08-25 08:50:18 +00:00
Inseob Kim
c9610def68
Fix product property type macros
Bug: N/A
Test: build with product_*_prop(...)
Change-Id: Iac906b41ec69023abd41881462f09e268944816b
2020-08-25 16:38:13 +09:00
Benjamin Schwartz
70710e378c
Revert "Create Power Stats AIDL interface" am: 6b5deb1e3f
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1407072
Change-Id: Iaa57ddfce9f477449faadd00cc732a4fe9dd158a
2020-08-21 16:02:50 +00:00
Benjamin Schwartz
6b5deb1e3f
Revert "Create Power Stats AIDL interface"
Revert "Fix sepolicy for con_monitor"
Revert submission 1404976-bs_ps_aidl
Reason for revert: Caused build breakages b/165908363
Reverted Changes:
I17883a16f:Fix sepolicy for con_monitor
Icd029f58a:Create Power Stats AIDL interface
Change-Id: Iab2a7ef6fcef40c59275db37b6fca090b304e9da
2020-08-21 15:35:25 +00:00
Benjamin Schwartz
bab245dde9
Create Power Stats AIDL interface am: ba876ef1b3
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1404976
Change-Id: Ic98ab844c925d9889015bbdaf4095b5d1b6b8e1e
2020-08-21 14:28:37 +00:00
Benjamin Schwartz
ba876ef1b3
Create Power Stats AIDL interface
Bug: 162472196
Test: m
Merged-In: I948ef2959b25d776d3b01985fea5eb695fd4fc1e
(cherry picked from commit 550e376769)
Change-Id: Icd029f58a7babee0ad8249087b76683d104736d5
2020-08-20 23:25:55 +00:00
Songchun Fan
8af2dcd05c
Merge "[selinux] allow system_server to call INCFS_IOC_GET_FILLED_BLOCKS ioctl" am: 1d4f2221cd
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1404978
Change-Id: Id571d508cb5f699f2970d1d53225c106cac8234c
2020-08-20 17:16:43 +00:00
Songchun Fan
1d4f2221cd
Merge "[selinux] allow system_server to call INCFS_IOC_GET_FILLED_BLOCKS ioctl"
2020-08-20 17:07:40 +00:00
Songchun Fan
4be0afbfb7
[selinux] allow system_server to call INCFS_IOC_GET_FILLED_BLOCKS ioctl
This allows Incremental Service (part of system_server) to query the
filled blocks of files on Incremental File System.
Test: atest service.incremental_test
BUG: 165799231
Change-Id: Id63f8f325d92fef978a1ad75bd6eaa8aa5e9e68b
2020-08-20 16:00:00 +00:00
Yo Chiang
3d0ebdc97c
Merge "Add ioctl FS_IOC_GETFLAGS access for gsid" am: 36370e8242
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1403273
Change-Id: I54724cebccf7fa14f3e1ba20ba5bca1ca20d3ccb
2020-08-20 04:42:37 +00:00
Yo Chiang
36370e8242
Merge "Add ioctl FS_IOC_GETFLAGS access for gsid"
2020-08-20 04:09:03 +00:00
Yo Chiang
a5d256282e
Add ioctl FS_IOC_GETFLAGS access for gsid
gsid needs this to check if the underlying F2FS filesystem supports
file pinning.
Bug: 164988795
Test: Install a DSU package on CF
Test: avc denial goes away
Change-Id: Idc2456d7576cf61f6f891c082228c5143378d733
2020-08-19 07:56:17 +00:00
Inseob Kim
b64494b67f
Reland "Add persist.dumpstate.verbose_logging.enabled to system/..." am: 46dd4be366
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1402517
Change-Id: I9fe4eae6ac856d54686bed1f619ef68d03ccadde
2020-08-18 04:52:04 +00:00
Bonian Chen
528843bb9b
Merge "Revert "Add persist.dumpstate.verbose_logging.enabled to system/..."" am: e4d26aef3e
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1403129
Change-Id: I7e05f91fe1bf7ba620bf33f54f2c354176e66e71
2020-08-18 02:33:41 +00:00
Inseob Kim
46dd4be366
Reland "Add persist.dumpstate.verbose_logging.enabled to system/..."
This reverts commit 409c038d3c.
Reason for revert: fixed breakage
Bug: 163759751
Test: lunch sdk; m selinux_policy
Change-Id: I59d170cd3a764209d353d77372387fdc8719ea7f
2020-08-18 11:31:42 +09:00
Bonian Chen
e4d26aef3e
Merge "Revert "Add persist.dumpstate.verbose_logging.enabled to system/...""
2020-08-18 02:21:32 +00:00
Roman Kiryanov
409c038d3c
Revert "Add persist.dumpstate.verbose_logging.enabled to system/..."
Revert submission 1401269-dumpstate-prop
Reason for revert: build break, "Failed to build policydb".
Reverted Changes:
I058100eac:Add persist.dumpstate.verbose_logging.enabled to s...
Ia0656a3cb:Move hal_dumpstate's property from goldfish
Change-Id: I3a49545d3ee69fdae54ad66e44ec28b6cbfb4b87
2020-08-18 01:41:13 +00:00
Treehugger Robot
e21c57db87
Merge "Add persist.dumpstate.verbose_logging.enabled to system/sepolicy" am: 1a25123361
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1401269
Change-Id: I0766a9105c4eb55d0d3954bdd6dfa828da2641eb
2020-08-18 01:11:16 +00:00
Treehugger Robot
1a25123361
Merge "Add persist.dumpstate.verbose_logging.enabled to system/sepolicy"
2020-08-18 01:00:14 +00:00
Roman Kiryanov
dc2f9a86f0
Add persist.dumpstate.verbose_logging.enabled to system/sepolicy
hardware/interfaces/dumpstate/1.1 refers to this property,
so it must be defined in system/sepolicy.
Bug: 163759751
Test: atest VtsHalDumpstateV1_1TargetTest
Signed-off-by: Roman Kiryanov <rkir@google.com>
Change-Id: I058100eacd05e32de56e0ff9de465625a2e71e9c
2020-08-17 16:45:47 -07:00
Marco Ballesio
11f7f38284
sepolicy support for cgroup v2 am: 8f280b0847
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1322006
Change-Id: Ic7157a2cebd629e83f977fa29ae1f8ffbce688db
2020-08-17 19:01:40 +00:00
Marco Ballesio
8f280b0847
sepolicy support for cgroup v2
cgroup v2 is going to be used for freezer v2 support. The cgroup v2 hierarchy
will be mounted by init under /sys/fs/cgroup hence proper access rights
are necessary for sysfs. After mounting, the cgroup v2 kernfs will use
the label cgroup_v2 and system_manager will handle the freezer
Bug: 154548692
Test: verified that files under sysfs and cgroup v2 kernfs are accessed
as required to allow proper functioning for the freezer.
Change-Id: Idfb3f6e77b60dad032d1e306d2f9b58cd5775960
2020-08-17 09:49:10 -07:00
Chris Weir
4d4ae7246a
Merge "Enable CAN HAL Configuration Service" am: f5f23b7e03
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1239831
Change-Id: I738a9b38441a4a25b7b2aad149884207cd4419ae
2020-08-13 16:33:58 +00:00
Chris Weir
f5f23b7e03
Merge "Enable CAN HAL Configuration Service"
2020-08-13 16:18:27 +00:00
Martijn Coenen
df9dc40e9b
Merge "Add policy for LOOP_CONFIGURE ioctl." am: cdecd3ca4c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1396648
Change-Id: Ie44ce55eaad8484ac1bbd019ac452f57a249d9a4
2020-08-12 07:03:40 +00:00
Martijn Coenen
cdecd3ca4c
Merge "Add policy for LOOP_CONFIGURE ioctl."
2020-08-12 06:38:37 +00:00
Treehugger Robot
232c15cb90
Merge "Revert "gmscore_app is attempting to access /dev/ashmem"" am: 5b1f0808b7
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1394238
Change-Id: Id0e4b7fdc6809ba6d0ad9666b0888bdf620c7b9a
2020-08-11 23:23:45 +00:00
Treehugger Robot
5b1f0808b7
Merge "Revert "gmscore_app is attempting to access /dev/ashmem""
2020-08-11 23:04:28 +00:00
Martijn Coenen
47f61db25e
Add policy for LOOP_CONFIGURE ioctl.
This is a new ioctl for configuring loop devices, and is used by apexd.
Bug: 148607611
Bug: 161575393
Test: boot on device with/without LOOP_CONFIGURE
Change-Id: I9ef940c7c9f91eb32a01e68b858169c140d15d0f
Merged-In: I9ef940c7c9f91eb32a01e68b858169c140d15d0f
2020-08-11 13:22:09 +00:00
Treehugger Robot
fab591d17c
Merge "Revert "sepolicy: remove hal_light_severice exception"" am: 05a25295c1
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1396229
Change-Id: I063f6de40640e9d3938700207de205a0fc2ffb27
2020-08-11 08:32:13 +00:00
Treehugger Robot
05a25295c1
Merge "Revert "sepolicy: remove hal_light_severice exception""
2020-08-11 08:15:58 +00:00
Nelson Li
ea973db671
Revert "sepolicy: remove hal_light_severice exception"
This reverts commit e83da12576.
Reason for revert: It causes build break
Bug: 163434807
Change-Id: I756d313c52d243f37294aa57d31c43b0a14bc05f
2020-08-11 05:46:20 +00:00
Treehugger Robot
8f04003ad0
Merge "sepolicy: remove hal_light_severice exception" am: cfa9edcbfd
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1393370
Change-Id: I46d626b09d6def62dde7e6d6a25ec09d230f4bed
2020-08-11 04:30:44 +00:00
Treehugger Robot
cfa9edcbfd
Merge "sepolicy: remove hal_light_severice exception"
2020-08-11 04:11:29 +00:00
Treehugger Robot
6149cc6fcd
Merge "Prepare sepolicy for launching Keystore 2.0 service" am: 8cd90a5d20
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1395528
Change-Id: I34d80e17ee3487bbbc765f6b0fceca68a0cb36d5
2020-08-11 00:44:18 +00:00
Treehugger Robot
8cd90a5d20
Merge "Prepare sepolicy for launching Keystore 2.0 service"
2020-08-11 00:33:47 +00:00
Yifan Hong
8ac37f025f
Support GKI updates
Adds proper file_contexts and domains for pre/postinstall hooks.
Allow the pre/postinstall hooks to communicate with update_engine stable
service.
Bug: 161563386
Test: apply a GKI update
Change-Id: I4437aab8e87ccbe55858150b95f67ec6e445ac1f
2020-08-10 16:10:38 -07:00
Janis Danisevskis
ff98459989
Prepare sepolicy for launching Keystore 2.0 service
This patch labels /system/bin/keystore2 as a keystore executable and
allows keystore to register "system.security.keystore2" with the service
manager.
Bug: 160623310
Test: None
Change-Id: I1812e565438c2b8ae55c8d10bcc8450d27717697
2020-08-10 14:40:20 -07:00
Hridya Valsaraju
efd277f8a7
Revert "gmscore_app is attempting to access /dev/ashmem"
Test: build, boot
Change-Id: Id7bff6db07ab7aa0695e132a9d9ffae4912f401c
2020-08-10 17:07:52 +00:00