tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
43256 commits 1 branch 0 tags 50 MiB
Commit graph

280 commits

Author SHA1 Message Date
Nikita Ioffe
2db2ef7074 Merge "Reland "Change the stem name to microdroid_precompiled_s..."" am: d16d7d17e5 am: 4eb36f4615 am: c41885d19c 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2627369

Change-Id: I71474499b330e978abfd83392a1cfcc02425932c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-06-15 13:14:18 +00:00
Nikita Ioffe
d16d7d17e5 Merge "Reland "Change the stem name to microdroid_precompiled_s..."" 2023-06-15 10:27:39 +00:00
Nikita Ioffe
4e6839e677 Reland "Change the stem name to microdroid_precompiled_s..." 
Bug: 285855150
Test: presubmit
Change-Id: I3343b7cf22165541f880fd1c88b27b0204c94c4b
 2023-06-14 20:31:29 +00:00
Pawan Wagh
bd2b6d181a Merge "Revert "Change the stem name to microdroid_precompiled_sepolicy"" am: 899f6c0537 am: b23a691e10 am: 3d5b12e5e8 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2626909

Change-Id: I38d84ca00f8e30e42b4392ed53509040345e84a2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-06-14 20:05:48 +00:00
Pawan Wagh
899f6c0537 Merge "Revert "Change the stem name to microdroid_precompiled_sepolicy"" 2023-06-14 18:40:59 +00:00
Pawan Wagh
8f2923421e Revert "Change the stem name to microdroid_precompiled_sepolicy" 
Revert submission 2625691

Reason for revert: b/287283650

Reverted changes: /q/submissionid:2625691

Change-Id: I775d07a388556796d25b4f5d99135d5878489ce8
 2023-06-14 18:28:17 +00:00
Nikita Ioffe
714fc2abf1 Merge "Change the stem name to microdroid_precompiled_sepolicy" am: 437f31c328 am: 789c5a3430 am: 2d78078ee0 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2617776

Change-Id: I5f21a403fecf288f36b3f6cbc1234a5834a3c87b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-06-14 16:37:50 +00:00
Nikita Ioffe
437f31c328 Merge "Change the stem name to microdroid_precompiled_sepolicy" 2023-06-14 15:20:18 +00:00
Inseob Kim
367845c850 Add missing properties to microdroid am: deaa8b9f4a am: 20a9d569d2 am: 54ba7286ca 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2106044

Change-Id: If9cedd91479d5ea33bb986dd880d42f11bf8f7ff
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-06-09 06:32:49 +00:00
Inseob Kim
deaa8b9f4a Add missing properties to microdroid 
The main motivation is to reduce log spams.

Bug: 268333203
Test: atest MicrodroidTests MicrodroidHostTestCases
Change-Id: Idffdcd7d543590d8c580b2282098d3abd8214f86
 2023-06-09 11:30:24 +09:00
Nikita Ioffe
31d82c0dcd Change the stem name to microdroid_precompiled_sepolicy 
Bug: 285855150
Test: m
Change-Id: I112ef67a7804f91e2a7c6b0998c8bbb436c57566
 2023-06-08 00:00:06 +01:00
Steven Moreland
0bb95dd4fd Merge "strengthen proc_type neverallows" am: fd92d967ee am: 12523b02c3 am: 79190c4da7 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2599509

Change-Id: I210c48f15715cb5c4f808341d39beefc996e30c7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-24 20:14:29 +00:00
Steven Moreland
fd92d967ee Merge "strengthen proc_type neverallows" 2023-05-24 18:01:14 +00:00
Steven Moreland
8634a88595 strengthen proc_type neverallows 
These were unnecessarily lax. Some additional places
additionally exclude only the generic proc type, but
we don't care about those places.

Bug: 281877578
Test: boot
Change-Id: I9ebf410c12a41888ab1f5ecc21c95c34fc36c0d0
 2023-05-22 22:59:08 +00:00
David Anderson
465859abb7 Merge "Allow ueventd to access device-mapper." am: 73d18c2bfe am: 5f2482d0dd am: d223637c8a 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2591728

Change-Id: I76ff312e6d37a2abaf5b5144a6d13fcfc9c9421a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-19 21:34:43 +00:00
David Anderson
e09c0eee36 Allow ueventd to access device-mapper. 
ueventd needs access to device-mapper to fix a race condition in symlink
creation. When device-mapper uevents are received, we historically read
the uuid and name from sysfs. However it turns out sysfs may not be
fully populated at that time. It is more reliable to read this
information directly from device-mapper.

Bug: 270183812
Test: libdm_test, treehugger
Change-Id: I36b9b460a0fa76a37950d3672bd21b1c885a5069
 2023-05-17 11:07:19 -07:00
Treehugger Robot
e0339e83fd Merge "Fix dalvik property attribute for Microdroid" am: f850317561 am: 2325d5b92f am: d63c987ca2 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2519481

Change-Id: Ibbaa84dc3ffc65db06e22ea8c2de7e9aa3cde916
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-04-05 11:01:49 +00:00
Alan Stokes
f85f298b2f Fix dalvik property attribute for Microdroid 
Commit 22fb5c7d24 migrated from property
types to attributes in some Microdroid rules, but omitted to
associated the attribute with the relevant types. So we fix that.

Bug: 274530433
Bug: 275469579
Bug: 276895565
Test: Will schedule a test run
Change-Id: I11194be9d1e352fa456c24a3b5784c18ccc03a69
 2023-04-04 15:29:40 +01:00
Jiakai Zhang
2d0d80ae7f Merge "Allow system server to set dynamic ART properties." am: 326d35c04b am: 1502d1e604 am: afd4aee92d 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2513825

Change-Id: Ibe28079aa1641ee7503d2de375eb41b1c4b81e45
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-31 15:37:27 +00:00
Jiakai Zhang
22fb5c7d24 Allow system server to set dynamic ART properties. 
This change gives a new type (dalvik_dynamic_config_prop) to some ART
properties such as dalvik.vm.dex2oat-cpu-set and adds a new rule to
allow system server to set them.

Bug: 274530433
Test: Locally added some code to set those properties and saw it being
  successfull.
Change-Id: Ie28602e9039b7647656594ce5c184d29778fa089
 2023-03-31 11:46:05 +01:00
Nikita Ioffe
8c6c971b75 Merge "Add domain level neverallow to restrict access to ptrace" am: 1b4e9393d3 am: 41d6edd0e7 am: e63a597a47 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2505897

Change-Id: I9a6eb11e53ee60de60db6e6fc7fd9349c03f9540
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-29 13:05:22 +00:00
Nikita Ioffe
1b4e9393d3 Merge "Add domain level neverallow to restrict access to ptrace" 2023-03-29 11:46:26 +00:00
Treehugger Robot
982f5c6d29 Merge "microdroid: allow microdroid_manager to read AVF debug policy" am: 35a1bb8e32 am: d395216ffc am: aabbb5c6ca 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2505675

Change-Id: I1f7fb57a0f0476fcec64656a30ef29366f7a2b7f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-27 16:16:58 +00:00
Treehugger Robot
35a1bb8e32 Merge "microdroid: allow microdroid_manager to read AVF debug policy" 2023-03-27 14:48:13 +00:00
Nikita Ioffe
4bfda5ba89 Add domain level neverallow to restrict access to ptrace 
Bug: 271562015
Test: m
Change-Id: I48f9a0fc5e708e15dd103d6ed369c8fe43d70495
 2023-03-27 14:45:33 +01:00
Alan Stokes
5f7af06cb8 Remove policy for non-existent devices am: 4f92d5bd99 am: 1d33d118a5 am: cd10974d13 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2506240

Change-Id: Ibe1b923b0168ed58d75539626bb0714c4b65edf3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-27 09:27:33 +00:00
Jaewan Kim
867bc33ede microdroid: allow microdroid_manager to read AVF debug policy 
Bug: 272752814
Test: atest on devices without AVF debug policy
Change-Id: I3fdbdd49f0e775b4b054328dc25c5f2ba1f9712f
 2023-03-27 03:52:27 +00:00
Alan Stokes
4f92d5bd99 Remove policy for non-existent devices 
We still had policy for devices which do not currently exist in
Microdroid. Remove the unused types and all references to them in the
policy, since they have no effect and just bloat the policy.

While I'm here, delete all the bug_map entries. We don't use the
bug_map in Microdroid, and this is just an outdated snapshot from host
policy.

Bug: 274752167
Test: atest MicrodroidTests
Test: composd-cmd test-compile
Change-Id: I3ab90f8e3517c41eff0052a0c8f6610fa35ccdcb
 2023-03-24 18:13:18 +00:00
Shikha Panwar
590598e469 Merge "Microdroid sepolicy changes to handle crash export" am: 9d34facd25 am: 5517c11a15 am: 71e6ad2e2b 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2422867

Change-Id: I894f06542bae2d29228bcbae1b687357628eabe1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-21 19:05:14 +00:00
Shikha Panwar
9d34facd25 Merge "Microdroid sepolicy changes to handle crash export" 2023-03-21 18:14:12 +00:00
Nikita Ioffe
7955a327ee Merge "Add selinux rules for perfetto daemones" am: 103794c43c am: b164310273 am: ca0aad6185 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2468440

Change-Id: Ib606ac7f86ec4cc5c8328cf3aa83dd97f16d5695
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-15 00:29:33 +00:00
Nikita Ioffe
6069e7c8f2 Add selinux rules for perfetto daemones 
Note: this is a somewhat minimal set of rules required to be able to
capture traces on Microdroid. After the trace is captured I still see a
bunch of SELinux denials. We might need to add more allow rules in the
follow up changes.

Bug: 249050813
Test: boot Microdroid VM, capture traces with record_android_traces
Change-Id: I62098fb79a8db65706a5bb28c8acce7ff3821f15
 2023-03-14 15:07:54 +00:00
Shikha Panwar
cf5d5051ff Microdroid sepolicy changes to handle crash export 
Change1# Add property export_tombstones.enabled - This is set by
microdroid_manager to indicate that tombstones in Microdroid be exported
out to host. This read by crash_dump (specifically tombstone_handler).

Change2# allow crash_dump to create/connect/write on vsock.

Change3# Deleting rules/domain related to tombstoned &
tombstone_transmit in Microdroid.

Test: atest MicrodroidHostTests#testTombstonesAreGeneratedUponUserspaceCrash
Test: Look for selinux denials in log
Bug: 243494912
Change-Id: Ibd607eb11202d492bcb0c4ba40a6888683420fb9
 2023-03-09 16:01:35 +00:00
Jaewan Kim
49b8fa9d49 Merge "microdroid: allow init_debug_policy.sh to handle AVF debug policy" am: 11feefd839 am: 7a942187a1 am: 154e678fe8 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2439933

Change-Id: If8e75c9cfa8ff597549a84708a9b90411561ccfa
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-07 12:06:49 +00:00
Jaewan Kim
11feefd839 Merge "microdroid: allow init_debug_policy.sh to handle AVF debug policy" 2023-03-07 10:23:51 +00:00
Jaewan Kim
dc8ce5f8dc microdroid: allow init_debug_policy.sh to handle AVF debug policy 
Test: Boot microdroid with no issue
Bug: 2437372
Change-Id: I485228864cce58922e7e3b3eed4b9bd1c5cce306
 2023-03-07 08:27:34 +09:00
Alice Wang
4a8ab250c8 [dice] Remove all the sepolicy relating the hal service dice am: 5e94b1698c am: 13e58cf7b1 am: a9a8c0cb93 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2426073

Change-Id: Ia58829024a4eec19239f71fb93aa01649f08b192
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-02-24 21:23:06 +00:00
Alice Wang
5e94b1698c [dice] Remove all the sepolicy relating the hal service dice 
As the service is not used anywhere for now and in the near future.

Bug: 268322533
Test: m
Change-Id: I0350f5e7e0d025de8069a9116662fee5ce1d5150
 2023-02-24 08:34:26 +00:00
Treehugger Robot
697cadd955 Merge "Allow dex2oat access to relevant properties" am: ce230383ae am: 6fb804af4e am: ae7f49678b 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2412099

Change-Id: I5c3357387272f738f4930a7c281e609e28828dc6
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-02-03 10:17:04 +00:00
Treehugger Robot
ce230383ae Merge "Allow dex2oat access to relevant properties" 2023-02-03 08:57:34 +00:00
Alan Stokes
8b40e907f4 Allow dex2oat access to relevant properties 
I noticed a bunch of denials in the logs like this:

avc: denied { read } for pid=187 comm="dex2oat64"
name="u:object_r:device_config_runtime_native_boot_prop:s0"
dev="tmpfs" ino=76 scontext=u:r:dex2oat:s0
tcontext=u:object_r:device_config_runtime_native_boot_prop:s0
tclass=file permissive=0

But we actually want to be able to access these properties.

Bug: 264496291
Test: atest android.compos.test.ComposTestCase#testOdrefreshSpeed
Change-Id: I6ce8ee74a1024a9ddd6ef91e73111d68da878899
 2023-02-02 11:46:12 +00:00
Shikha Panwar
20830f7568 Merge "Allow MM to open/syncfs/close encryptedstore dir" am: 2d91b6fc97 am: db1018c3ff am: b13ccd0a35 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2376232

Change-Id: I7d7de50a1427279ac32bb0b05c8b51dfa8de25f3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-02-01 12:35:13 +00:00
Shikha Panwar
2d91b6fc97 Merge "Allow MM to open/syncfs/close encryptedstore dir" 2023-02-01 11:13:01 +00:00
Inseob Kim
416338ac16 Add property_service_for_system on microdroid 
Bug: 262237198
Test: boot microdroid
Ignore-AOSP-First: Security fix
Change-Id: I6ddeff2962f723abc10e25f768e7507fd620e274
 2023-01-30 12:42:50 +09:00
Alan Stokes
7e754a1c56 Remove references to asan_extract 
This type doesn't exist in Microdroid.

Bug: 266871002
Test: m SANITIZE_TARGET=address com.android.virt
Change-Id: I2ca6db9669eafc4037bbf87bdcff60935893d93f
 2023-01-27 10:42:45 +00:00
Inseob Kim
ebc4742480 microdroid: Add prop to wait for /data/tombstones 
Bug: 266470759
Test: atest MicrodroidHostTestCases MicrodroidTestApp
Change-Id: Ie9992e105e57f1088a6016f0179c7dc3d285a7ed
 2023-01-26 22:16:28 +09:00
Inseob Kim
ef0328cf94 Add tombstone_transmit init property to microdroid 
Bug: 265594221
Test: atest MicrodroidHostTestCases
Change-Id: I5138e91cd53821fa9ab26e17e19123e55f89ae63
 2023-01-20 17:37:47 +09:00
Shikha Panwar
992245d1b2 Allow MM to open/syncfs/close encryptedstore dir 
Microdroid Manager needs these permissions to sync the encryptedstore
filesystem.

Test: Builds
Test: Check selinux denials in logs
Change-Id: Iee020ae653f5d42af086ca91068e3df52c992305
 2023-01-06 08:57:02 +00:00
Jiyong Park
bce697f3c5 Merge "prng_seeder is a bootstrap process in microdroid" 2022-12-23 03:31:18 +00:00
Jiyong Park
c4cf20a146 prng_seeder is a bootstrap process in microdroid 
It is started very early before linker namespaces are configured, thus
making it a bootstrap process.

Bug: 263398430
Test: watch boottime benchmark
Change-Id: I60411601a6be78f8401e43d136b567615002797c
 2022-12-22 10:24:26 +09:00