tequilaOS/platform_system_sepolicy

Author	SHA1	Message	Date
Steven Moreland	5043c02262	Merge "hidl2aidl: conversion of gatekeeper hidl to aidl"	2022-09-21 21:26:01 +00:00
Reema Bajwa	396d34b7c8	Merge "Add SELinux changes for Credential Manager Service in system server Test: Built & Deployed on device locally."	2022-09-21 17:34:09 +00:00
Anna Zhuravleva	2864a66331	Add sepolicy for Health Connect system service. Add selinux policy so the healthconnect system service can be accessed by other processes. Bug: 246961138 Test: build Change-Id: I37e0e7f1a2b4696b18f8876a107c509d2906e850	2022-09-20 17:14:35 +00:00
Pawan Wagh	f73797f50d	Merge "sepolicy : Updating error message with doc link"	2022-09-20 02:06:40 +00:00
Reema Bajwa	5b57bfaf7e	Add SELinux changes for Credential Manager Service in system server Test: Built & Deployed on device locally. Change-Id: I892107ed528e0ca7435aa29a0fa1e6dbf4f225c5	2022-09-19 17:51:06 +00:00
Subrahmanyaman	1d2a3fedcc	hidl2aidl: conversion of gatekeeper hidl to aidl Conversion of the gatekeeper hidl interface to stable aidl interface. Bug: 205760843 Test: run vts -m VtsHalGatekeeperTarget Change-Id: I44f554e711efadcd31de79b543f42c0afb27c23c	2022-09-19 17:43:26 +00:00
Jiyong Park	c4f84bcb37	Don't let ro.log.file_logger.path to be set ro.log.file_logger.path is a system property that liblog uses to determine if file_logger should be used (instead of logd) and what file the logs should be emitted to. It is primarily meant for non-Android environment like Microdroid, and doesn't need to be set in Android. In fact, setting it to a wrong value can break the system logging functionality. This change prevents such a problem by assigning a dedicated property context (log_file_logger_prop) to the property and making it non-writable. (Note that it still has to be readable because liblog reads it and liblog can be loaded in any process) Bug: 222592894 Test: try to set ro.log.file_logger.path Change-Id: Ic6b527327f5bd4ca70a58b6e45f7be382e093318	2022-09-18 23:39:41 +09:00
Treehugger Robot	7c4f837e40	Merge "Microdroid: remove logd and logcat"	2022-09-17 13:03:08 +00:00
Sophie Zheng	baf2379288	Merge "Update prebuilts to fix sepolicy_freeze_test" into android12L-tests-dev am: `a31ea3eb0c` am: `c7b828e56c` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2208095 Change-Id: I1fd7f830a51d7dd504062dd9db82d8f58fd9dcfe Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2022-09-15 23:09:30 +00:00
Florian Mayer	4eb6456501	Update prebuilts to fix sepolicy_freeze_test am: `5de1b2096d` am: `c84be7da03` am: `96b242efa2` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2199642 Change-Id: I8e2b7d566aaa440d563e0166542a3707d9f619ec Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2022-09-15 23:08:21 +00:00
Florian Mayer	7c3e25a3fb	Update prebuilts to fix sepolicy_freeze_test am: `f99eeb6bd9` am: `6f2280dba9` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2201137 Change-Id: I20238a581ac22098c8584bfc10e46e6c8bcbe65c Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2022-09-15 23:06:53 +00:00
Sophie Zheng	c7b828e56c	Merge "Update prebuilts to fix sepolicy_freeze_test" into android12L-tests-dev am: `a31ea3eb0c` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2208095 Change-Id: I25e42e75635e6b5757ae0eba0068827b6e38fe40 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2022-09-15 22:36:57 +00:00
Florian Mayer	96b242efa2	Update prebuilts to fix sepolicy_freeze_test am: `5de1b2096d` am: `c84be7da03` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2199642 Change-Id: Ie0e54d81155920f8e5a8d98b777c69850066c242 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2022-09-15 22:36:06 +00:00
Florian Mayer	6f2280dba9	Update prebuilts to fix sepolicy_freeze_test am: `f99eeb6bd9` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2201137 Change-Id: I2848699e579daefe2ef542c6f01b81c9471c6a88 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2022-09-15 22:34:03 +00:00
Pawan	588ebd5e74	sepolicy : Updating error message with doc link Updating error message with aidl fuzzing link. Test: m Bug: 242104782 Change-Id: I96ffc8f55319da6d3acb2deffd4717bfd9727346	2022-09-14 23:34:05 +00:00
Treehugger Robot	3ef5831b8d	Merge "Add bluetooth LE inquiry scan parameters"	2022-09-14 22:29:10 +00:00
Jiyong Park	75e8c1f461	Microdroid: remove logd and logcat Previously in Microdroid, processes send log messages to logd over socket and then logcat ran to hand the message to the host side over the serial console. That has changed. Now, the liblog library which processes use to emit logs directly sends the given message to the serial console. Liblog does this by reading a new system property ro.log.file_logger.path. When this is set, liblog doesn't use the logd logger, but opens the file that the sysprop refers to and writes logs there. This change implments sepolicy side of the story. * logd and logcat types are removed since they no longer are needed. * existing references to those types are removed as well. * a new property type `log_prop` is introduced and the two system properties are labaled as log_prop * all processes have read access to the system properties * all processes have append access to /dev/hvc2 Bug: 222592894 Test: run microdroid, see log is still emitted. Change-Id: I4c4f3f4fd0e7babeab28ddf39471e914445ef4da	2022-09-14 14:27:26 +00:00
Pawan	0ecf99def5	sepolicy : Recommend fuzzers for new services Adding soong module and tool to check if there is fuzzer present for every service in private/service_contexts. Whenever a service is added, its is recommended to update $ANDROID_BUILD_TOP/system/sepolicy/soong/build/service_fuzzer_bindings.go with service name and its corresponding fuzzer. Test: m Bug: 242104782 Change-Id: Id9bc45f50bebf464de7c91c7469d4bb6ff153ebd	2022-09-13 18:18:46 +00:00
Xin Li	6b09c56a6a	Merge android12L-tests-dev@8941410 am: `cba09e2963` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2189100 Change-Id: I8a6bb1872cd6e2d15fff0115d43afc9d5272a5a9 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2022-09-12 18:28:36 +00:00
Katherine Lai	e3398210b8	Add bluetooth LE inquiry scan parameters Bug: 233119457 Tag: #floss Test: Manual Change-Id: I4d0b505b761ad49832ef1d5e5097f6aad7a472e7	2022-09-09 20:48:36 +00:00
Suren Baghdasaryan	2d390e5094	Merge "Add policies for ro.kernel.watermark_scale_factor property"	2022-09-09 16:55:25 +00:00
Treehugger Robot	5384619c62	Merge "Allow reading process info from /proc."	2022-09-09 16:48:05 +00:00
Jiakai Zhang	88e5583eac	Allow reading process info from /proc. This is needed for getting CPU time and wall time spent on subprocesses. Otherwise, the following denials will occur: 09-09 15:11:38.635 6137 6137 I binder:6137_1: type=1400 audit(0.0:185): avc: denied { read } for scontext=u:r:artd:s0 tcontext=u:r:dex2oat:s0 tclass=file permissive=1 09-09 15:11:38.635 6137 6137 I binder:6137_1: type=1400 audit(0.0:185): avc: denied { search } for name="6157" dev="proc" ino=57917 scontext=u:r:artd:s0 tcontext=u:r:dex2oat:s0 tclass=dir permissive=1 09-09 15:11:38.635 6137 6137 I binder:6137_1: type=1400 audit(0.0:185): avc: denied { open } for path="/proc/6157/stat" dev="proc" ino=57954 scontext=u:r:artd:s0 tcontext=u:r:dex2oat:s0 tclass=file permissive=1 Bug: 245380798 Test: - 1. adb shell pm art optimize-package -m speed -f \ com.google.android.youtube 2. See CPU time and wall time in the output. No denial occured. Change-Id: I9c8c98a31e1ac0c9431a721938c7a9c5c3ddc42b	2022-09-09 15:13:45 +00:00
Suren Baghdasaryan	9fdb29826f	Add policies for ro.kernel.watermark_scale_factor property New ro.kernel.watermark_scale_factor property is used to store the original value read from /proc/sys/vm/watermark_scale_factor before extra_free_kbytes.sh changes it. The original value is necessary to use the same reference point in case the script is invoked multiple times. The property is set by init the first time script is invoked and should never be changed afterwards. Bug: 242837506 Signed-off-by: Suren Baghdasaryan <surenb@google.com> Change-Id: I7760484854a41394a2efda9445cff8cb61587514	2022-09-08 19:35:34 +00:00
Alessandra Loro	6ecd2077bc	Merge "Drop back-compatibility for hiding ro.debuggable and ro.secure"	2022-09-08 09:51:22 +00:00
Sandro Montanari	f4943f510e	Merge "Rename apex_sepolicy-decompiled.cil target"	2022-09-08 08:36:42 +00:00
Sophie Zheng	3c91a33774	Merge "Update prebuilts to fix sepolicy_freeze_test" into android12L-tests-dev am: `a31ea3eb0c` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2208095 Change-Id: I02d49c1617ec086df8817dbe3c144e9f1d6c1269 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2022-09-08 00:31:17 +00:00
Sophie Zheng	a31ea3eb0c	Merge "Update prebuilts to fix sepolicy_freeze_test" into android12L-tests-dev	2022-09-08 00:14:55 +00:00
Sandro	3f5c18c213	Rename apex_sepolicy-decompiled.cil target For symmetry with the apex_sepolicy-33.cil target Bug: 218672709 Test: atest SeamendcHostTest Change-Id: Iaec6eb4d5186ed0c7e872ef210ff572655e263b6	2022-09-07 15:04:59 +00:00
Sandro Montanari	3b94a3f3bc	Revert^2 "Move allow rules of sdk_sandbox to apex policy" Next attempt at rolling forward aosp/2200430. It appears the first-stage-init did not create the /dev/selinux folder on GSI instances, resulting in breakages when selinux.cpp tries to copy files to that folder. To verify these changes for b/244793900, follow gpaste/4922166775644160 Bug: 243923977 Test: atest SeamendcHostTest Change-Id: I2bc630cfaad697d44053adcfd639a06e3510cc72	2022-09-07 08:22:59 +00:00
sophiez	db3507dffc	Update prebuilts to fix sepolicy_freeze_test Bug: 243820875 Test: refactoring CL. Existing unit tests still pass. Change-Id: I516aed92ad1c7cb4de796844402b3456dc625f94	2022-09-06 18:08:31 +00:00
Treehugger Robot	090f957d65	Merge "Fix io_uring permission denial for snapuserd"	2022-09-06 17:15:45 +00:00
Kelvin Zhang	aa3ac9fafd	Fix io_uring permission denial for snapuserd Starting with `91a9ab7c94` , calling io_uring_setup will need selinux permission to create anon inodes. Test: th Bug: 244785938 Change-Id: I351983fefabe0f6fdaf9272506ea9dd24bc083a9	2022-09-06 17:11:54 +00:00
Kelvin Zhang	d87c1eb663	Merge "Fix selinux denials for fastbootd"	2022-09-06 05:50:57 +00:00
Kelvin Zhang	853085bd65	Fix selinux denials for fastbootd Test: flash on O6, flash an image using git_master system + mainline kernel Bug: 244785938 Change-Id: I1b0e1ea0f1937abd2ad96a606b565812ee8096e1	2022-09-05 17:41:07 +00:00
Samiul Islam	b8650e82db	Merge "Revert "Move allow rules of sdk_sandbox to apex policy""	2022-09-05 11:45:44 +00:00
Sandro Montanari	8cce5b2ffb	Revert "Move allow rules of sdk_sandbox to apex policy" Revert "Add seamendc tests for sdk_sandbox in apex sepolicy" Revert submission 2201484-sdk_sandbox Note: this is not a clean revert, I kept the changes in aosp/2199179 and the changes to system/sepolicy/Android.mk. Those changes are already part of internal, I do not want to put those files out of sync again. Test: atest SeamendcHostTest Reason for revert: b/244793900 Reverted Changes: Ib14b14cbc:Add seamendc tests for sdk_sandbox in apex sepolic... I27ee933da:Move allow rules of sdk_sandbox to apex policy Change-Id: If225cdd090248e050d1f0b42f547a4b073bbafc6	2022-09-05 09:39:15 +00:00
Treehugger Robot	1896c039dd	Merge "crosvm: dontaudit netlink perms for acpi"	2022-09-02 22:00:45 +00:00
Treehugger Robot	6eecd0a00c	Merge "Allow installd delete staging folders."	2022-09-02 22:00:02 +00:00
Steven Moreland	fd59a2d46e	crosvm: dontaudit netlink perms for acpi Currently experiencing these neverallows, but they're intentional. Fixes: 228077254 Test: N/A Change-Id: I79f8caaf1695e91d695b8cecbc5f01df09e4e2d2	2022-09-02 20:41:56 +00:00
Alex Buynytskyy	37a0dcbbbc	Allow installd delete staging folders. Apparently readdir uses getattr and skips a folder if denied. Bug: 244638667 Test: adb root; adb shell mkdir -p /data/app-staging/session_917335144/lib; adb reboot; adb logcat \| grep session_917335144, check if the folder was removed Change-Id: I39de49c77d3bf3428d75f0cf4d4c603ea7e03ed5	2022-09-02 13:16:24 -07:00
Treehugger Robot	455ae8adca	Merge "Allow init to launch BootControlHAL in recovery"	2022-09-02 19:25:28 +00:00
Treehugger Robot	33a74d6881	Merge "Allow system_server to obtain verity root hash for install files."	2022-09-02 18:08:04 +00:00
Kelvin Zhang	19a5785522	Allow init to launch BootControlHAL in recovery Test: install OTA with data wipe, reboot Bug: 227536004 Change-Id: I3b76b054e67dcaee83ad330f9fcbcbd98bb6f1f7	2022-09-02 17:50:10 +00:00
Treehugger Robot	d7dfa043ab	Merge "Rename migrate_legacy_obb_data.sh"	2022-09-02 17:38:43 +00:00
Alex Buynytskyy	aad4ae8a74	Allow system_server to obtain verity root hash for install files. Bug: 160605420 Test: atest ChecksumsTest, check for selinux denials Change-Id: I33b60d86317c37ef58a1be691d6a90dfef637db1	2022-09-02 09:30:21 -07:00
Treehugger Robot	3047b2ca12	Merge "Set apex. property as "system_restricted""	2022-09-02 12:46:03 +00:00
Sandro Montanari	536babd22b	Merge "Move allow rules of sdk_sandbox to apex policy"	2022-09-02 09:29:06 +00:00
Jooyung Han	cae2368d2d	Set apex. property as "system_restricted" Since the property is supposed to be used by vendor-side .rc file as read-only (especially by vendor apex), it should be "system_restricted". Also allow vendor_init to read the property. Bug: 232172382 Test: boot cuttlefish (with vendor apex using the property) Change-Id: I502388e550e0a3c961a51af2e2cf11335a45b992	2022-09-02 18:11:33 +09:00
Jooyung Han	ba80cd59a7	Merge changes from topics "apex-ready-prop", "apex-update-prop" * changes: Modifed sepolicy for new apex ready prop Remove init.apex.<apex-name>.load/unload property	2022-09-02 06:46:54 +00:00

1 2 3 4 5 ...

38891 commits