Tej Singh
4ed39a7a6e
Merge "stats_service: only disallow untrusted access" into main am: aebd92592a
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2962926
Change-Id: I8aa5df2f2472046ebc59a76df5bfc3c49a491476
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-15 09:20:12 +00:00
Tej Singh
aebd92592a
Merge "stats_service: only disallow untrusted access" into main
2024-02-15 08:30:19 +00:00
Tej Singh
000b251c7d
stats_service: only disallow untrusted access
...
Allow device-specific domains to access stats_service. All access must
be done over proper APIs (StatsManager, AStatsManager) instead of
accessing the AIDL interfaces directly.
Test: build
Bug: 318788254
Change-Id: I98ddc1900350daf755372be7249f25a462e3242d
2024-02-14 15:07:21 -08:00
Brandon Liu
dbf77ceff6
Merge "Revert "[res] Allow accessing idmap files in all zygotes"" into main am: 37c4c7c500
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2962104
Change-Id: I65b5d1e3048828d13cb63653c965ca54b5af0d3b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-14 21:37:09 +00:00
Brandon Liu
37c4c7c500
Merge "Revert "[res] Allow accessing idmap files in all zygotes"" into main
2024-02-14 20:49:22 +00:00
Patrick Baumann
7ee66a0391
Revert "[res] Allow accessing idmap files in all zygotes"
...
This reverts commit 1195b5eb14.
Reason for revert: b/325161357
Change-Id: I7e6846791020938fb732311105e0f692c648a0f1
2024-02-14 16:24:59 +00:00
Changyeon Jo
31a94f218a
[automerger skipped] [RESTRICT AUTOMERGE] Allow dumpstate to make binder IPC to automotive display service am: d16bdc461f -s ours am: 41f83574eb -s ours
...
am skip reason: skipped by inseob
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2960075
Change-Id: Icc415475c4be9d6024dfdfa02eb70e99760fd6ba
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-14 06:27:24 +00:00
Changyeon Jo
41f83574eb
[automerger skipped] [RESTRICT AUTOMERGE] Allow dumpstate to make binder IPC to automotive display service am: d16bdc461f -s ours
...
am skip reason: skipped by inseob
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2960075
Change-Id: I44f8d2b6ad20f33521b363781a843a5aa1d5cfed
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-14 05:03:04 +00:00
Yurii Zubrytskyi
940443d4df
[res] Allow accessing idmap files in all zygotes am: 1195b5eb14
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2962670
Change-Id: I7eb51708ceca8b3dafdaf9dd65c0595cf801f432
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-14 04:20:01 +00:00
Yurii Zubrytskyi
1195b5eb14
[res] Allow accessing idmap files in all zygotes
...
Resources now cache open idmap fds to speed up the up-to-date
checks, and this requires zygote processes to be able to access
them
Bug: 282215580
Test: atest android.text.cts.EmojiTest
Change-Id: I808be8a5d321a01193e7f76e316f5f64d4235753
2024-02-14 02:04:55 +00:00
Seungjae Yoo
ec2735ac6a
Allow appdomain to read dir and files under vendor_microdroid_file am: 01c4f57431
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2960542
Change-Id: Idd6fae593bbe92fd7b15500aa0ce3c3ff1bb0013
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-14 01:31:41 +00:00
Inseob Kim
ee509ccd48
Merge changes from topic "revert-2954994-revert-2952245-vfrc_as_tot_sepolicy-AMFGMLDWQF-IIRWTIICIK" into main am: d88d8959a8
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2960346
Change-Id: Ifcee813c4dcbbe3ec133737e8532586e71a41f8e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-13 13:55:31 +00:00
Inseob Kim
ed15451e78
Revert^2 "Fix freeze test condition to board api" am: e28eb52f4e
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2960345
Change-Id: Ifbc4f013eea02d908efdce8666057391fc3fcf30
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-13 13:55:25 +00:00
Seungjae Yoo
01c4f57431
Allow appdomain to read dir and files under vendor_microdroid_file
...
For testing purposes, we now need to use the microdroid vendor image for
production because the vendor hashtree digest value comes from the
bootloader. In the past, we used a distinguished image file for testing
purposes, but we can't now.
Bug: 323768068
Test: atest MicrodroidTests#bootsWithVendorPartition
Test: atest MicrodroidBenchmarks#testMicrodroidDebugBootTime_withVendorPartition
Change-Id: Ic58e51466da0273cf27219d9228f33000e0ecb88
2024-02-13 05:44:15 +00:00
Changyeon Jo
d16bdc461f
[RESTRICT AUTOMERGE] Allow dumpstate to make binder IPC to automotive display service
...
Bug: 280837170
Bug: 313360015
Test: atest android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: I8239ba23bb60b95e7dd07a4c8a99167f1e08192b
(cherry picked from commit 152a2f1755)
2024-02-13 05:16:32 +00:00
Inseob Kim
d88d8959a8
Merge changes from topic "revert-2954994-revert-2952245-vfrc_as_tot_sepolicy-AMFGMLDWQF-IIRWTIICIK" into main
...
* changes:
Revert^2 "Add 1000000.0 mapping file temporarily"
Revert^2 "Fix freeze test condition to board api"
2024-02-13 04:02:36 +00:00
Inseob Kim
e28eb52f4e
Revert^2 "Fix freeze test condition to board api"
...
f3fad1a66b
Change-Id: I19b36342de003a32a2c76fb513382f1b34cf5a7e
2024-02-13 02:19:48 +00:00
Inseob Kim
e41e95e0ea
Revert^2 "Add 1000000.0 mapping file temporarily"
...
82126e9d77
Change-Id: Ia2ef237d9918532f24cd00688ae2bc15196123e9
2024-02-13 02:19:24 +00:00
Treehugger Robot
5ce39158f3
Merge "Add rules for Perfetto to be used from system_server" into main am: f80a830b32
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2958867
Change-Id: Ie3a299620a9aa99c92bde99bd27ea72fdade9a69
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-12 20:59:08 +00:00
Nate Myren
0980c27aef
Merge "Remove mounton from app and web zygote" into main am: a8f2bbf7c2
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2947925
Change-Id: I4143393154c2850cd4891420d0dc0eddcca0e3ab
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-12 20:58:29 +00:00
Treehugger Robot
f80a830b32
Merge "Add rules for Perfetto to be used from system_server" into main
2024-02-12 20:51:16 +00:00
Nate Myren
a8f2bbf7c2
Merge "Remove mounton from app and web zygote" into main
2024-02-12 20:13:33 +00:00
Carmen Jackson
28b811df1c
Add rules for Perfetto to be used from system_server
...
This includes rules for starting Perfetto as well as rules for
communicating over stdio between Perfetto and system_server.
Bug: 293957254
Test: Presubmit & tested in conjunction with internal change
Change-Id: I7e4c044a6a2afb48c33d65cc421e797d77aacc12
2024-02-12 18:33:32 +00:00
Yisroel Forta
f86fab0d6d
Merge "SELinux permissions for ProfilingService" into main am: e510cb8696
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2955343
Change-Id: Id393a7cdbcbb82d767b2457c33daf2c96c5bead7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-12 14:51:42 +00:00
Yisroel Forta
e510cb8696
Merge "SELinux permissions for ProfilingService" into main
2024-02-12 14:22:31 +00:00
Håkan Kvist
a0787ed434
remount: allow bootanimation to run animation from oem am: e38af22c5e
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2953101
Change-Id: Iba084fd08b2d1312d39a21970cccc2894a6e9a1c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-12 12:23:27 +00:00
Yisroel Forta
aa9d0bf24c
SELinux permissions for ProfilingService
...
Test: Presubmit, manually confirm service accessible
Bug: 293957254
Change-Id: I7103be95ff49eb87b4c7164a38a481034d72a9aa
2024-02-09 19:25:32 +00:00
Håkan Kvist
e38af22c5e
remount: allow bootanimation to run animation from oem
...
Grant bootanimation all read permissions on oem using
r_dir_file macro instead of specifying individual permissions.
This prevents failure to read the bootanimation on oem if
partition has been remounted.
After remount, bootanimation will log a violation for the
/oem/media directory when reading an existing file (boot animation
is still played).
avc: denied { read } for pid=2820 comm="bootanimation" name="media"
dev="sda75" ino=152 scontext=u:r:bootanim:s0
tcontext=u:object_r:oemfs:s0 tclass=dir permissive=0
After remount, if modifying/adding file in /oem/media directory,
bootanimation will fail to read the bootanimation zip, now with
violation:
avc: denied { read } for pid=2838 comm="bootanimation" name="media"
dev="dm-8" ino=70 scontext=u:r:bootanim:s0 tcontext=u:object_r:oemfs:s0
tclass=dir permissive=0
Bug: 324437684
Test: adb remount
replace /oem/media/bootanimation.zip with custom animation
adb reboot
confirm that expected bootanimation is played
confirm no selinux violations are seen in logcat
Change-Id: Iaafdeeacaf88d8f5c1214700edc8eec2824b0159
2024-02-09 16:09:05 +01:00
Jiakai Zhang
59bb9008fd
Merge "Update sepolicy for service dexopt_chroot_setup and artd_pre_reboot." into main am: 95d371bcfd
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2939419
Change-Id: I75166873b4baa3d781ebb0b7055f9f42b8a5dd1e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-09 03:29:50 +00:00
Jiakai Zhang
95d371bcfd
Merge "Update sepolicy for service dexopt_chroot_setup and artd_pre_reboot." into main
2024-02-09 02:52:58 +00:00
mrulhania
faaec9dd3a
Add SELinux policy for ContentProtectionManagerService am: 9a7700cd46
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2952703
Change-Id: Ib8beac88752e6c4576bc177553c33c82df5b1026
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-09 00:41:43 +00:00
mrulhania
9a7700cd46
Add SELinux policy for ContentProtectionManagerService
...
Bug: 324348549
Test: build
Change-Id: Ieb319ed033d2fdb18cf76107c44cd6357221ecc4
2024-02-08 19:56:49 +00:00
Ikjoon Jang
b1019e8d42
Merge changes from topic "revert-2952245-vfrc_as_tot_sepolicy-AMFGMLDWQF" into main am: 1c9aa0cb18
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2954993
Change-Id: I881e04fb8c0b6195846f35c37b62ae4b5be0e123
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-08 04:50:50 +00:00
Ikjoon Jang
f0f530be1f
Revert "Add 1000000.0 mapping file temporarily" am: 82126e9d77
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2954992
Change-Id: I0b34dc883d9a87e38f6a9932b52cbbd5cf39a7b6
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-08 04:50:47 +00:00
Ikjoon Jang
1c9aa0cb18
Merge changes from topic "revert-2952245-vfrc_as_tot_sepolicy-AMFGMLDWQF" into main
...
* changes:
Revert "Fix freeze test condition to board api"
Revert "Add 1000000.0 mapping file temporarily"
2024-02-08 04:47:21 +00:00
Ikjoon Jang
f3fad1a66b
Revert "Fix freeze test condition to board api"
...
Revert submission 2952245-vfrc_as_tot_sepolicy
Reason for revert: DroidMonitor-triggered revert due to breakage https://android-build.corp.google.com/builds/quarterdeck?branch=git_main&target=mainline_modules_arm64-mainline-userdebug&lkgb=11421838&lkbb=11421957&fkbb=11421841 , b/324335916
Reverted changes: /q/submissionid:2952245-vfrc_as_tot_sepolicy
Bug: 324335916
Change-Id: Iada55b1298872ae2f2ff4112726dcbcd089597f1
2024-02-08 04:45:26 +00:00
Ikjoon Jang
82126e9d77
Revert "Add 1000000.0 mapping file temporarily"
...
Revert submission 2952245-vfrc_as_tot_sepolicy
Reason for revert: DroidMonitor-triggered revert due to breakage https://android-build.corp.google.com/builds/quarterdeck?branch=git_main&target=mainline_modules_arm64-mainline-userdebug&lkgb=11421838&lkbb=11421957&fkbb=11421841 , b/324335916
Reverted changes: /q/submissionid:2952245-vfrc_as_tot_sepolicy
Bug: 324335916
Change-Id: I9375f4d467596bc961527216b3f68c0f21016ca3
2024-02-08 02:54:29 +00:00
Jiakai Zhang
817c49f74c
Update sepolicy for service dexopt_chroot_setup and artd_pre_reboot.
...
Bug: 311377497
Test: manual - Call
getDexoptChrootSetupServiceRegisterer().waitForService()
Test: manual - Set up a chroot environment and call
getArtdPreRebootServiceRegisterer().waitForService()
Change-Id: I50b5f7f858dab37f05174cb9787f64303d50d083
2024-02-08 10:13:27 +08:00
Jooyung Han
92e41b06dc
Merge "Check if ./bin entries are not vendor_file" into main am: 41e786ae48
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2953009
Change-Id: I5fa1c0c34ab2b39e220415ca607d0cc6e87a24d2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-08 01:59:00 +00:00
Jooyung Han
41e786ae48
Merge "Check if ./bin entries are not vendor_file" into main
2024-02-08 01:33:07 +00:00
Inseob Kim
f5394252fe
Merge changes from topic "vfrc_as_tot_sepolicy" into main am: 569241f82f
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2912752
Change-Id: I42a8d4ca624df3b6d93dfc95d64712cbb80d728e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-08 01:22:42 +00:00
Inseob Kim
34a3196557
Fix freeze test condition to board api am: 7a235a4d9d
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2912751
Change-Id: Iaab712286501ca99607f7543dd891c246c293cbb
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-08 01:22:38 +00:00
Inseob Kim
569241f82f
Merge changes from topic "vfrc_as_tot_sepolicy" into main
...
* changes:
Add 1000000.0 mapping file temporarily
Fix freeze test condition to board api
2024-02-08 01:12:47 +00:00
Nikhil Bhanu
c7b99fbf76
Merge "Add property for enabling stereo spatialization" into main am: 67c12aa98d
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2951223
Change-Id: Iedb7747a9d0fd1818abc161b2e6d545434c56450
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-07 17:09:10 +00:00
Nikhil Bhanu
67c12aa98d
Merge "Add property for enabling stereo spatialization" into main
2024-02-07 16:41:01 +00:00
Jooyung Han
c945a104c0
Check if ./bin entries are not vendor_file
...
This can detect a common mistake of not labeling binaries in APEX.
Note - we can't simply check if the label has the exec_type attribute
because there are many exceptions.
Bug: 324005965
Test: atest apex_sepolicy_tests_test
Change-Id: Ib643e8b73fac1a3b8851804e58e69b19d32b997d
2024-02-07 16:26:25 +09:00
Treehugger Robot
ef4bd550ee
Merge "Changes in SELinux Policy for CSS API" into main am: 49a519234b
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2819838
Change-Id: I4cfa495bdeae5c048a6f5bf6b308de21c2e40ca7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-06 21:05:13 +00:00
Treehugger Robot
49a519234b
Merge "Changes in SELinux Policy for CSS API" into main
2024-02-06 20:28:45 +00:00
Nikhil Bhanu
977260767a
Add property for enabling stereo spatialization
...
Bug: 323223919
Test: manual
Change-Id: I49d12bfc878ec63d8fe036880033e1c309961430
2024-02-06 08:52:42 -08:00
Justin Yun
d6a43bcb89
Set ro.llndk.api_level as a system prop am: 385d5099cf
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2952405
Change-Id: I29fca56cdb6fe33c2b302be5859dbe86713aef18
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-06 07:24:46 +00:00