tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
47509 commits 1 branch 0 tags 50 MiB
Commit graph

1156 commits

Author SHA1 Message Date
Motomu Utsumi
993e3a6b1e Merge "Add sepolicy config for tethering_u_or_later_native namespace" into udc-dev am: 682b2421d1 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23214698

Change-Id: Ica65b79fe2934516eb115e6330fe65a17194ca1b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-06-02 10:40:19 +00:00
Motomu Utsumi
de2f06a569 Merge "Add sepolicy config for tethering_u_or_later_native namespace" into udc-dev am: 682b2421d1 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23214698

Change-Id: I65906f9aedc8d7f92455c206779792b260c9ad2e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-06-02 10:23:20 +00:00
Motomu Utsumi
682b2421d1 Merge "Add sepolicy config for tethering_u_or_later_native namespace" into udc-dev 2023-06-02 10:22:00 +00:00
Treehugger Robot
5f6cc3ca81 Merge "Set up sepolicy for drmserver64" into udc-dev am: a4e8a5bc6a am: d81c18283e 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23297144

Change-Id: I038996d3769e22048beb187f49ca92dc82a022f8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-06-02 00:59:36 +00:00
Treehugger Robot
d81c18283e Merge "Set up sepolicy for drmserver64" into udc-dev am: a4e8a5bc6a 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23297144

Change-Id: I635d21b95c8fcaea4f63c1fb567f7ebf597f3ac0
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-06-02 00:14:26 +00:00
Treehugger Robot
8a30fb3b9b Merge "Set up sepolicy for drmserver64" into udc-dev am: a4e8a5bc6a 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23297144

Change-Id: I87c9884bf51c394e2248a7923974bd5dcc88cbc5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-06-02 00:13:44 +00:00
Treehugger Robot
a4e8a5bc6a Merge "Set up sepolicy for drmserver64" into udc-dev 2023-06-01 23:22:31 +00:00
SzuWei Lin
90e295c513 Set up sepolicy for drmserver64 
Add drmserver(32|64) for supporting 64-bit only devices. The patch is
for setting up the sepolicy for drmserver(32|64).

Bug: 282603373
Test: make gsi_arm64-user; Check the sepolicy
Ignore-AOSP-First: depend on an internal project
Change-Id: If8451de8120372b085de1977ea8fd1b28e5b9ab0
 2023-06-01 08:41:54 +00:00
Rhed Jao
ae77a1c4cf Merge "Create sepolicy for allowing system_server rw in /metadata/repair-mode" into udc-qpr-dev 2023-06-01 04:55:57 +00:00
Motomu Utsumi
2473262434 Add sepolicy config for tethering_u_or_later_native namespace 
Setup tethering_u_or_later_native namespace

Test: adb shell device_config put tethering_u_or_later_native test 1
Test: Read persist.device_config.tethering_u_or_later_native.test property
Test: from system server and Tethering.apk
Ignore-AOSP-First: topic has CL that updates DeviceConfig
Bug: 281944942
Change-Id: I2862974dc1a15f6768a34763bb9e2bad93eaf4ca
 2023-06-01 00:34:59 +09:00
Gavin Corkery
73a8f6d8c8 Merge "Sync API 34 prebuilts" into udc-dev-plus-aosp 2023-05-31 14:19:48 +00:00
Treehugger Robot
aebdf7bef1 Merge "Allow media server configurable flags to be read from anywhere" into udc-dev am: ed183c86a9 am: 57a4904e2b 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23382984

Change-Id: I68586a62e713009d9304cfeb45fbf19080332cbe
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-30 22:31:05 +00:00
Treehugger Robot
57a4904e2b Merge "Allow media server configurable flags to be read from anywhere" into udc-dev am: ed183c86a9 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23382984

Change-Id: Ie7b61e0f3bf87d97b68a658797542ae4455dc8e3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-30 21:51:18 +00:00
Treehugger Robot
8e448cbbfc Merge "Allow media server configurable flags to be read from anywhere" into udc-dev am: ed183c86a9 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23382984

Change-Id: I222304b6b75c5a92e08689fc8abb319ddefea00f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-30 21:48:19 +00:00
Treehugger Robot
ed183c86a9 Merge "Allow media server configurable flags to be read from anywhere" into udc-dev 2023-05-30 21:11:18 +00:00
Brian Lindahl
3c818406c4 Allow media server configurable flags to be read from anywhere 
The majority of code for media encoding and decoding occurs within the
context of client app processes via linking with libstagefright. This
code needs access to server-configurable flags to configure
codec-related features.

Bug: 234833109
Test: manual test with 'adb shell device_config' commands
Ignore-AOSP-First: cherry pick from AOSP
Change-Id: I95aa6772a40599636d109d6960c2898e44648c9b
 2023-05-26 22:53:40 +00:00
Rhed Jao
52da303807 Create sepolicy for allowing system_server rw in /metadata/repair-mode 
Bug: 277561275
Test: ls -all -Z /metadata/repair-mode
Ignore-AOSP-First: This change targets in udc-qpr-dev. Will cherry-pick
  to AOSP later
Change-Id: Ie27b6ef377bb3503e87fbc5bb2446bc0de396123
 2023-05-25 07:04:17 +00:00
Jin Jeong
99324e0d2f Merge "Revert "Add setupwizard_esim_prop to access ro.setupwizard.esim_..."" into udc-dev am: 7b646790c5 am: f95904e9a7 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23201116

Change-Id: I47923ed8c0650149ffea42838861851eba5292b6
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-24 02:30:02 +00:00
Jin Jeong
63c2056f81 Merge "Revert "Fix selinux denial for setupwizard_esim_prop"" into udc-dev am: a93b7daef3 am: 93252e4871 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23167567

Change-Id: I6bc3151e88da2fdb1c1fa203390f96691734c1b5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-24 02:29:56 +00:00
Jin Jeong
f95904e9a7 Merge "Revert "Add setupwizard_esim_prop to access ro.setupwizard.esim_..."" into udc-dev am: 7b646790c5 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23201116

Change-Id: I0a6bb0acf6dcaeba93658630c6bf53892650ee51
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-24 01:47:07 +00:00
Jin Jeong
93252e4871 Merge "Revert "Fix selinux denial for setupwizard_esim_prop"" into udc-dev am: a93b7daef3 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23167567

Change-Id: I04f844254e44c6262d9651554d44bd8c464e0482
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-24 01:47:01 +00:00
Jin Jeong
ae80e8cffa Merge "Revert "Add setupwizard_esim_prop to access ro.setupwizard.esim_..."" into udc-dev am: 7b646790c5 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23201116

Change-Id: I272af89efc194c111a0cb0c3955e2e37ff82b763
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-24 01:42:43 +00:00
Jin Jeong
cec9a99b28 Merge "Revert "Fix selinux denial for setupwizard_esim_prop"" into udc-dev am: a93b7daef3 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23167567

Change-Id: Ia1cc228b66bea6510ca4b649fa9d4c1adfa0900f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-24 01:42:35 +00:00
Jin Jeong
7b646790c5 Merge "Revert "Add setupwizard_esim_prop to access ro.setupwizard.esim_..."" into udc-dev 2023-05-24 01:07:12 +00:00
Jin Jeong
a93b7daef3 Merge "Revert "Fix selinux denial for setupwizard_esim_prop"" into udc-dev 2023-05-24 01:07:12 +00:00
Anoush Khazeni
ad40691149 Merge "Adding a property entry for the assistant volume." into udc-dev am: 1e1a425a9b am: 38b5b0804b 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23214185

Change-Id: I87eccc8ddc7f8ed46991b4159fdf658c06073118
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-22 19:24:33 +00:00
Anoush Khazeni
38b5b0804b Merge "Adding a property entry for the assistant volume." into udc-dev am: 1e1a425a9b 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23214185

Change-Id: I42a23d2afa814d8ddbe331b433084c0f9eafb204
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-22 19:03:15 +00:00
Anoush Khazeni
15875fa311 Merge "Adding a property entry for the assistant volume." into udc-dev am: 1e1a425a9b 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23214185

Change-Id: Ib3a830112f4b6cdd2c3e346443bbdf0fdf324699
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-22 19:00:54 +00:00
Anoush Khazeni
1e1a425a9b Merge "Adding a property entry for the assistant volume." into udc-dev 2023-05-22 18:58:43 +00:00
Gavin Corkery
97fc74e8c6 Sync API 34 prebuilts 
Ignore-AOSP-First: Cherrypick
Test: Manual
Bug: 281843854
Change-Id: I73f79b6566ed3e3d8491db6bed011047d5a650ce
Merged-In: I73f79b6566ed3e3d8491db6bed011047d5a650ce
 2023-05-22 12:09:36 +00:00
Suren Baghdasaryan
248cb36db3 allow modprobe to load modules from /system/lib/modules/ am: 8a6f45d363 am: 67036eb3a7 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23351624

Change-Id: Iedae70c32829c4c7c6de67ea63dc524b2b073a7c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-22 03:51:09 +00:00
Suren Baghdasaryan
67036eb3a7 allow modprobe to load modules from /system/lib/modules/ am: 8a6f45d363 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23351624

Change-Id: I280596a0a0f68e7ef7befd51b5be32527c9c54c0
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-22 02:56:58 +00:00
Suren Baghdasaryan
8a6f45d363 allow modprobe to load modules from /system/lib/modules/ 
This is needed to load GKI leaf modules like zram.ko.

Bug: 279227085
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I8a8205e50aa00686f478aba5336299e03490bbb5
Merged-In: I8a8205e50aa00686f478aba5336299e03490bbb5
 2023-05-19 19:03:17 +00:00
Peiyong Lin
ccfc06a30d Merge "Revert "Add "ro.hardware.egl_legacy" for ANGLE system driver"" into udc-dev am: 8fde7b737b am: a1ff69b2f0 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23338256

Change-Id: Ia10647e6bfdd632c0cb96ea1891a7e78e32e04a4
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-19 11:24:10 +00:00
Peiyong Lin
a1ff69b2f0 Merge "Revert "Add "ro.hardware.egl_legacy" for ANGLE system driver"" into udc-dev am: 8fde7b737b 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23338256

Change-Id: I4dfa3097b465226fb09113fb69783f76e0a2ee62
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-19 10:41:54 +00:00
Peiyong Lin
505ddee411 Merge "Revert "Add "ro.hardware.egl_legacy" for ANGLE system driver"" into udc-dev am: 8fde7b737b 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23338256

Change-Id: I55dc1f86af4d3d05a2910288a77ee08aff1dde05
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-19 10:37:43 +00:00
Peiyong Lin
8fde7b737b Merge "Revert "Add "ro.hardware.egl_legacy" for ANGLE system driver"" into udc-dev 2023-05-19 09:57:00 +00:00
Peiyong Lin
98ec998136 Revert "Add "ro.hardware.egl_legacy" for ANGLE system driver" 
This reverts commit 92251f5d15.

Reason for revert: Remove deferred list functionality now that the shape
of ANGLE shipping form is binaries. Applications on the list are broken
with ANGLE due to the lack of YUV support, this is currently being
worked on.

Ignore-AOSP-First: Cherry-pick revert.
Bug: 280450222
Change-Id: Ied92e6f482fe77e045139b4b0531b1db1a7ffb13
Test: atest CtsAngleIntegrationHostTestCases
 2023-05-19 00:41:17 +00:00
Gavin Corkery
44ef0774ea Merge "Allow apps and SDK sandbox to access each others' open FDs" into udc-dev am: 0461233b7a am: 3438cb6403 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23208520

Change-Id: Ia6fc96b327eff0736b4cdad8d1a9f04a99832a14
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-18 09:07:47 +00:00
Gavin Corkery
3438cb6403 Merge "Allow apps and SDK sandbox to access each others' open FDs" into udc-dev am: 0461233b7a 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23208520

Change-Id: I043ff1c38dc14b2ebc93ee7bfd5905c128d32509
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-18 08:26:18 +00:00
Gavin Corkery
0461233b7a Merge "Allow apps and SDK sandbox to access each others' open FDs" into udc-dev 2023-05-18 07:51:32 +00:00
Anoush Khazeni
87da0af704 Adding a property entry for the assistant volume. 
Ignore-AOSP-First: confidential feature

Adding a system property to be read by AudioService
to override the minimum volume setting for the
assistant stream.

Bug: 277829235
Test: Build only
Change-Id: I08c500c0a3bb040559ca99d1817b7b848deee8c6
 2023-05-17 11:44:26 -07:00
Gavin Corkery
a707712813 Allow apps and SDK sandbox to access each others' open FDs 
An app may wish to pass an open FD for the SDK sandbox
to consume, and vice versa. Neither party will be
permitted to write to the other's open FD.

Ignore-AOSP-First: Cherrypick
Test: Manual
Bug: 281843854
Change-Id: I73f79b6566ed3e3d8491db6bed011047d5a650ce
Merged-In: I73f79b6566ed3e3d8491db6bed011047d5a650ce
 2023-05-17 14:28:40 +00:00
Treehugger Robot
49e5ad5cbf Merge "Add canary restrictions for sdk_sandbox" into udc-dev am: 9b7ea76a8d am: 5bc4d481f2 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23153643

Change-Id: Ic91ca234bd0001295465f2347b9dc9310cdb47a5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-13 00:47:18 +00:00
Treehugger Robot
5bc4d481f2 Merge "Add canary restrictions for sdk_sandbox" into udc-dev am: 9b7ea76a8d 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23153643

Change-Id: I9eccd1a4e90831ce2306e15bd7b132cf368fe620
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-13 00:04:15 +00:00
Mugdha Lakhani
d44c51e017 Add canary restrictions for sdk_sandbox 
Add sdk_sandbox_next and apply it if a new input selector,
isSdkSandboxNext, is applied. This is set to true by libselinux
if a flag is set in the seInfo passed to it.

This enables some testers to test out the set of restrictions
we're planning for the next SDK version.
sdk_sandbox_next is not the final set of restrictions of the next SDK
version.

Bug: b/270148964
Test: atest PackageManagerLocalTest SdkSandboxDataIsolationHostTest
SdkSandboxRestrictionsTest
Change-Id: Ie8bad9c1b8f8eb032d13e1822689c78ad3d2c68a
Merged-In: Ie8bad9c1b8f8eb032d13e1822689c78ad3d2c68a
 2023-05-12 20:06:31 +00:00
Mugdha Lakhani
0dde99d720 Add canary restrictions for sdk_sandbox 
Add sdk_sandbox_next and apply it if a new input selector,
isSdkSandboxNext, is applied. This is set to true by libselinux
if a flag is set in the seInfo passed to it.

This enables some testers to test out the set of restrictions
we're planning for the next SDK version.
sdk_sandbox_next is not the final set of restrictions of the next SDK
version.

Bug: b/270148964
Test: atest PackageManagerLocalTest SdkSandboxDataIsolationHostTest
SdkSandboxRestrictionsTest
Change-Id: Ie8bad9c1b8f8eb032d13e1822689c78ad3d2c68a
Merged-In: Ie8bad9c1b8f8eb032d13e1822689c78ad3d2c68a
 2023-05-12 19:05:34 +00:00
Treehugger Robot
4069aa56ef Merge "Grant system_server the permission to create its own profile." into udc-dev am: 62037d3f93 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23201106

Change-Id: Ib54115b1e04cc4342d5c57886c7e220404f9d85b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-12 11:57:21 +00:00
Treehugger Robot
adac570c2d Merge "Grant system_server the permission to create its own profile." into udc-dev am: 62037d3f93 am: 23b4d83e79 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23201106

Change-Id: Icaf1a59866d1e6332852f9885bcb1dad59ec80ac
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-12 11:41:14 +00:00
Martin Stjernholm
693eb182d0 Merge "Allow the ART boot oneshot service to configure ART config properties." into udc-dev am: 4f2b8ce361 am: f82b6d2c1c 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23131204

Change-Id: Ia96628706fd7361d18ab6db209b584a2538e651b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-12 11:40:47 +00:00
Treehugger Robot
23b4d83e79 Merge "Grant system_server the permission to create its own profile." into udc-dev am: 62037d3f93 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23201106

Change-Id: Ie3782edae7942fadf78814e784bf72fd570ca2d0
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-12 11:19:44 +00:00
Treehugger Robot
62037d3f93 Merge "Grant system_server the permission to create its own profile." into udc-dev 2023-05-12 11:11:03 +00:00
Martin Stjernholm
f82b6d2c1c Merge "Allow the ART boot oneshot service to configure ART config properties." into udc-dev am: 4f2b8ce361 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23131204

Change-Id: If7f7a7b10eddf86c6a7501c00263cfe9a4dd011c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-12 10:58:26 +00:00
Martin Stjernholm
5557ec5583 Merge "Allow the ART boot oneshot service to configure ART config properties." into udc-dev am: 4f2b8ce361 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23131204

Change-Id: Idb0edb8c39f038d7d21e8c1c41c486d0b34a5e99
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-12 10:54:04 +00:00
Martin Stjernholm
4f2b8ce361 Merge "Allow the ART boot oneshot service to configure ART config properties." into udc-dev 2023-05-12 10:28:21 +00:00
Jiakai Zhang
bdfc175e1e Grant system_server the permission to create its own profile. 
When ART Service is enabled, the runtime uses a different strategy to
write profiles: it first creates a temp profile file, and then moves it
to the final location, instead of mutating the file in place. This new
strategy requires the permission to create files. While apps have this
permission, unfortunately, system_server didn't. This CL fixes this
problem.

Bug: 282019264
Test: -
  1. Enable boot image profiling
     (https://source.android.com/docs/core/runtime/boot-image-profiles#configuring-devices)
  2. Snapshot the boot image profile
     (adb shell pm snapshot-profile android)
  3. Dump the boot image profile
     (adb shell profman --dump-only --profile-file=/data/misc/profman/android.prof)
  4. See profile data for services.jar
Ignore-AOSP-First: This change requires updating the 34.0 prebuilt,
  which doesn't exist on AOSP. Will cherry-pick to AOSP later.
Change-Id: Ie24a51f2d40d752164ce14725f122c73432d50c9
 2023-05-12 10:51:38 +01:00
Jin Jeong
9627dc5c78 Revert "Fix selinux denial for setupwizard_esim_prop" 
Revert submission 22955599-euicc_selinux_fix2

Reason for revert: b/279988311 we rename the vendor.modem property so we don't need to add the new rules

Reverted changes: /q/submissionid:22955599-euicc_selinux_fix2

Change-Id: I00cac36ac2f2a23d02c99b9ad9df57061d1ae61c
 2023-05-12 04:18:33 +00:00
Jin Jeong
ec4fe33a6a Revert "Add setupwizard_esim_prop to access ro.setupwizard.esim_..." 
Revert submission 22899490-euicc_selinux_fix

Reason for revert: b/279988311 we rename the vendor.modem property so we don't need to add the new rules

Reverted changes: /q/submissionid:22899490-euicc_selinux_fix

Change-Id: I0c2bfe55987949ad52f62e468c84df954f39a4ad
 2023-05-12 04:17:35 +00:00
Treehugger Robot
740bba657c Merge "Allow camera service to access "ro.camera.disableJpegR" property" into udc-dev am: 1d32d9af19 am: 5fa5ae78d2 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23148868

Change-Id: I02ca17e1a5a127d6af49a5ef98b4eeac6166a0d0
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-11 19:07:25 +00:00
Treehugger Robot
5b5bd68861 Merge "Allow camera service to access "ro.camera.disableJpegR" property" into udc-dev am: 1d32d9af19 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23148868

Change-Id: Ic37531e3493098a6d935eb27aef6a4d50591177b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-11 18:44:07 +00:00
Treehugger Robot
5fa5ae78d2 Merge "Allow camera service to access "ro.camera.disableJpegR" property" into udc-dev am: 1d32d9af19 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23148868

Change-Id: I4cbc1cc0319b022f0eb6710e2c3e9c3865b2191d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-11 18:42:05 +00:00
Treehugger Robot
1d32d9af19 Merge "Allow camera service to access "ro.camera.disableJpegR" property" into udc-dev 2023-05-11 18:12:35 +00:00
Mugdha Lakhani
1a87c7750d Merge "Create sdk_sandbox_all." into udc-dev am: f21942129a am: 47899e2afb 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23061001

Change-Id: I338b999f90b6b873288c2ed905e28a2ef10fa134
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-11 15:29:28 +00:00
Mugdha Lakhani
47899e2afb Merge "Create sdk_sandbox_all." into udc-dev am: f21942129a 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23061001

Change-Id: Ib2ad91d15d7a5ceb79729a6a4bef2a13aa0286f2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-11 14:47:54 +00:00
Martin Stjernholm
3d7093fd7b Allow the ART boot oneshot service to configure ART config properties. 
Test: See commit 2691baf9d4f8086902d46b2e340a6e5464857b90 in art/
      (ag/23125728)
Bug: 281850017
Ignore-AOSP-First: Will cherry-pick to AOSP later
Change-Id: I14baf55d07ad559294bd3b7d9562230e78201d25
 2023-05-11 13:38:57 +01:00
Emilian Peev
9e505e2ee7 Allow camera service to access "ro.camera.disableJpegR" property 
Additionally enable access to 'ro.camera.enableCompositeAPI0JpegR'

Ignore-AOSP-First: Cherrypick
Bug: 262265296
Test: Manual using adb shell dumpsys media.camera with
property enabled and disabled

Change-Id: I8ae75d06eb7f2a5fff03fb9f8ffda94079f287e7
 2023-05-10 16:44:19 -07:00
Mugdha Lakhani
9304b8a6cc Create sdk_sandbox_all. 
Rename sdk_sandbox to sdk_sandbox_34.
Additionally, Extract out parts of sdk_sandbox_34 to
sdk_sandbox_all.te that will be shared with all sdk_sandbox domains.

Bug: b/270148964
Test: atest PackageManagerLocalTest SdkSandboxDataIsolationHostTest
SdkSandboxRestrictionsTest

Change-Id: I36e0c8795148de83c81dfe12559452812aa2b25e
Merged-In: I36e0c8795148de83c81dfe12559452812aa2b25e
 2023-05-10 17:54:07 +00:00
Treehugger Robot
9515104698 Merge "Relax sdk sandbox sepolicy." into udc-dev am: 2079ab2f28 am: c76e2b4b91 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23061000

Change-Id: I91e80cb857886bdb37604ae5b615736e70c9d2f0
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-10 11:28:04 +00:00
Treehugger Robot
c76e2b4b91 Merge "Relax sdk sandbox sepolicy." into udc-dev am: 2079ab2f28 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23061000

Change-Id: I4377e8617fd1e9d97a0b28f88536ace2b9a4b12b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-10 10:47:16 +00:00
Treehugger Robot
2079ab2f28 Merge "Relax sdk sandbox sepolicy." into udc-dev 2023-05-10 09:51:25 +00:00
Gavin Corkery
5e22766f47 Merge "Allow mediaprovider and mediaserver to read sdk_sandbox_data_file" into udc-dev am: fefe81b685 am: 868227b663 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/21931719

Change-Id: I14bb602b1de39f74034026ae190c6df84920af7b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-09 16:57:39 +00:00
Gavin Corkery
868227b663 Merge "Allow mediaprovider and mediaserver to read sdk_sandbox_data_file" into udc-dev am: fefe81b685 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/21931719

Change-Id: Ia024858f4192ebeccfe6b86b16aafa19cd31b6ad
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-09 16:18:25 +00:00
Gavin Corkery
28db930df3 Merge "Allow mediaprovider and mediaserver to read sdk_sandbox_data_file" into udc-dev am: fefe81b685 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/21931719

Change-Id: I057951e491c883dfd3beb784d76a920246f349ae
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-09 16:13:54 +00:00
Gavin Corkery
fefe81b685 Merge "Allow mediaprovider and mediaserver to read sdk_sandbox_data_file" into udc-dev 2023-05-09 15:41:32 +00:00
Gavin Corkery
10417857ea Allow mediaprovider and mediaserver to read sdk_sandbox_data_file 
Context: go/videoview-local-sandbox. This change is required to
play local files in a VideoView in the SDK sandbox.

Ignore-AOSP-First: Cherrypick

Test: Manual steps described in doc
Bug: 266592086
Change-Id: I940609d5dff4fc73d0376489646488c7b96eebb8
 2023-05-09 13:10:01 +00:00
Peiyong Lin
3f1f851297 Allow graphics_config_writable_prop to be modified. 
vendor_init needs to set graphics_config_writable_prop, moving it to
system_public_prop.

Ignore-AOSP-First: Cherry-pick
Bug: b/270994705
Test: atest CtsAngleIntegrationHostTestCases
Test: m && boot
Change-Id: I2f47c1048aad4565cb13d4289b9a018734d18c07
(cherry picked from commit 194abd16cb)
 2023-05-08 00:25:29 +00:00
Mugdha Lakhani
30cf7bbf28 Relax sdk sandbox sepolicy. 
auditallow block from sdk_sandbox has been removed as we haven't yet
measured the system health impact of adding this. It'll be added to an
audit domain later after we've ruled out negative system health impact.

Bug: b/270148964
Test: atest PackageManagerLocalTest SdkSandboxDataIsolationHostTest
SdkSandboxRestrictionsTest
Change-Id: Ic4ce690e82b09ed176495f3b55be6069ffc074ac
Merged-In: Ic4ce690e82b09ed176495f3b55be6069ffc074ac
 2023-05-06 19:25:40 +00:00
Peiyong Lin
bceecf2bd0 Merge "Allow graphics_config_writable_prop to be modified." into udc-dev am: 82e2aa6c61 am: 747e54326e 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/22993902

Change-Id: Ibf257e1ffbcbb0ae1df14ce7c2393138999a8145
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-05 17:07:17 +00:00
Peiyong Lin
747e54326e Merge "Allow graphics_config_writable_prop to be modified." into udc-dev am: 82e2aa6c61 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/22993902

Change-Id: I0546c4468dfbfb017c3c288c83883f99e5cb8c7b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-05 16:54:26 +00:00
Peiyong Lin
82e2aa6c61 Merge "Allow graphics_config_writable_prop to be modified." into udc-dev 2023-05-05 16:24:26 +00:00
Treehugger Robot
568be11492 Merge "Add neverallow rules to protect SDK's private data" into udc-dev am: b7146a9e58 am: e114c652a0 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/22907484

Change-Id: I3c16dfe139609be098ebc781aecc8dbe332bafdf
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-05 16:03:38 +00:00
Treehugger Robot
e114c652a0 Merge "Add neverallow rules to protect SDK's private data" into udc-dev am: b7146a9e58 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/22907484

Change-Id: I245c4c12dff2028abfe1c7a3002c3a3b5e7b4e47
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-05 15:22:00 +00:00
Treehugger Robot
b7146a9e58 Merge "Add neverallow rules to protect SDK's private data" into udc-dev 2023-05-05 14:38:12 +00:00
Howard Chen
f0de156722 Merge "Allow gsid to create alternative installation directory" into udc-qpr-dev 2023-05-05 03:08:06 +00:00
Jay Civelli
ec3e029174 Merge "Add 2 new system properties for Quick Start" into udc-dev am: 5fd77a4e68 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/22872879

Change-Id: I4da2eaa71f26a8a632e6749290bf94facb1237c5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-04 17:13:08 +00:00
Jay Civelli
8212b528ce Merge "Add 2 new system properties for Quick Start" into udc-dev am: 5fd77a4e68 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/22872879

Change-Id: I4ed8cb09feae9b4f3b8990b82296332d2039d8da
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-04 17:08:35 +00:00
Mugdha Lakhani
2d9b9f2b31 Add neverallow rules to protect SDK's private data 
SDK's data should not be accessible directly by other domains, including
system server. Added neverallow to ensure that.

Bug: b/279885689
Test: make and boot device
Change-Id: If6a6b4d43f297ec2aa27434dd26f6c88d0d8bcf2
Merged-In:  If6a6b4d43f297ec2aa27434dd26f6c88d0d8bcf2
 2023-05-04 16:38:40 +00:00
Jay Civelli
5fd77a4e68 Merge "Add 2 new system properties for Quick Start" into udc-dev 2023-05-04 16:35:59 +00:00
Peiyong Lin
194abd16cb Allow graphics_config_writable_prop to be modified. 
vendor_init needs to set graphics_config_writable_prop, moving it to
system_public_prop.

Ignore-AOSP-First: Cherry-pick
Bug: b/270994705
Test: atest CtsAngleIntegrationHostTestCases
Test: m && boot
Change-Id: I2f47c1048aad4565cb13d4289b9a018734d18c07
Merged-In: I2f47c1048aad4565cb13d4289b9a018734d18c07
 2023-05-04 16:04:44 +00:00
Howard Chen
de62e955e3 Allow gsid to create alternative installation directory 
Bug: 275484855
Test: adb shell gsi_tool install -n -w \
  --gsi-size $(du -b system.raw|cut -f1) \
  --install-dir /data/gsi/oem --userdata-size 8589934592 < system.raw
Change-Id: I46aa48fafec2f3845fa1a5139afb8c03db6b0d4e
 2023-05-04 13:52:44 +08:00
Jay Civelli
c97b3a244f Add 2 new system properties for Quick Start 
Test: Manually validated that GmsCore can access the properties, but not a test app.
Ignore-AOSP-First: Change is targeted at Google devices.
Change-Id: I2fa520dc31b328738f9a5fd1bcfc6632b61ad912
Bug: 280330984
 2023-05-03 04:04:15 +00:00
Kalesh Singh
f11e0af5c6 Merge "16k: Add sepolicy for max page size prop" into udc-dev am: ad3183676c 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/22935830

Change-Id: Ie0232a428d0ecbea5c10de26206bb4f7bc64d3af
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-02 16:45:55 +00:00
Kalesh Singh
ad3183676c Merge "16k: Add sepolicy for max page size prop" into udc-dev 2023-05-02 16:11:59 +00:00
Jinyoung Jeong
8eaded4bc4 Fix selinux denial for setupwizard_esim_prop am: e52a8f2a47 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/22955599

Change-Id: I5a52a063ffaba2f4063ff2865172e6bc85bafd1f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-02 14:57:35 +00:00
Jinyoung Jeong
e52a8f2a47 Fix selinux denial for setupwizard_esim_prop 
Bug: 280336861
Test: no denial logs found
Ignore-AOSP-First: will merge in AOSP aosp/2573840
Change-Id: Ieedf8343f55f047b3fd33cc1cd2c759400dce2b4
 2023-05-02 10:40:07 +00:00
Weilin Xu
c3a887cee6 Merge "Make broadcastradio_service accessible from CTS" into udc-dev am: 07767709c9 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/22634562

Change-Id: I43c6be19b771098bda3c9b84d96b72b754c4c7aa
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-02 10:26:08 +00:00
Weilin Xu
07767709c9 Merge "Make broadcastradio_service accessible from CTS" into udc-dev 2023-05-02 05:05:55 +00:00
Treehugger Robot
f46c87d2d1 Merge "Allow fastbootd set boottime property" into udc-d1-dev 2023-05-02 04:54:37 +00:00
Jayden Kim
5462a6501b Merge "Add sepolicy for new bluetooth le radio path loss compensation sysprops" into udc-dev 2023-05-02 01:01:14 +00:00
Kalesh Singh
58cefa04ab 16k: Add sepolicy for max page size prop 
Devices can select their max supported with PRODUCT_MAX_PAGE_SIZE_SUPPORTED.
This is exposed as ro.product.cpu.pagesize.max to VTS tests.

Add the required sepolicy labels for the new property.

Bug: 277360995
Test: atest -c vendor_elf_alignment_test -s <serial>
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
(cherry picked from https://android-review.googlesource.com/q/commit:0a66ea359f6751741f8100a9d934ae8d2e53d120)
Merged-In: Ibe01e301dbcc3392201dffd3bba845700ee2a5e8
Change-Id: Ibe01e301dbcc3392201dffd3bba845700ee2a5e8
 2023-05-01 09:13:39 -07:00
Evgenii Stepanov
f666700fa9 Merge "Relax sepolicy for device_config_runtime_native_*." into udc-dev 2023-04-30 18:29:18 +00:00
Evgenii Stepanov
11ce6894e8 Relax sepolicy for device_config_runtime_native_*. 
This change allows vendor init scripts to react to the MTE bootloader
override device_config. It extends the domain for runtime_native and
runtime_native_boot configs from "all apps", which is already very
permissive, to "everything".

Ignore-AOSP-First: UpsideDownCake/34 does not exist in AOSP
Bug: 239832365
Test: none
Change-Id: I66aa1492f929f43f937b4ab0780f7753c1f4b92e
 2023-04-28 14:37:18 -07:00
Jayden Kim
0e228763e1 Add sepolicy for new bluetooth le radio path loss compensation sysprops 
Bug: 277676657
Test: make -j; atest BluetoothInstrumentationTests
Change-Id: I94f8d9d18b9c4659703edb773dd29870430e40b7
Ignore-AOSP-First: This is a cherry-pick from AOSP
 2023-04-28 16:31:09 +00:00
Jinyoung Jeong
fa95e8c591 Add setupwizard_esim_prop to access ro.setupwizard.esim_cid_ignore 
bug: 279548423
Test:  http://fusion2/b7c803be-2dca-4195-b91f-6c4939746b5b, http://fusion2/bb76429b-7d84-4e14-b127-8458abb3e2ed
Ignore-AOSP-First: will merge in AOSP aosp/2571810
Change-Id: I4b190fca2f3825a09d27cfc74e8a528831f4f15b
 2023-04-28 16:25:26 +00:00
Wilson Sung
97af7582a1 Allow fastbootd set boottime property 
Bug: 264489957
Test: flash and no related avc error
Change-Id: Ia9a6d4918aa78e6b3e7df39496d786921192c8af
Ignore-AOSP-First: master need the prebuilt upadte
Signed-off-by: Wilson Sung <wilsonsung@google.com>
 2023-04-28 08:12:50 +00:00
Weilin Xu
85b94c7c49 Make broadcastradio_service accessible from CTS 
When CTS test app tries to get broadcastradio_service from context, it
is considered as untrusted app by sepolicy since broadcastradio_service
is not app_api_service. Made it as app_api_service so that CTS for
broadcastradio can be ran on devices.

Bug: 262191898
Test: atest CtsBroadcastRadioTestCase
Ignore-AOSP-First: fix CTS issue
Change-Id: I0583f549eb5b781ff23f81b2073baa0390009f9e
 2023-04-27 23:40:33 +00:00
Parth Sane
f6f4205d50 Merge "Add SysProp to set the number of threads in Apexd bootstrap" into udc-dev 2023-04-26 12:31:14 +00:00
Parth Sane
daf8bbe7e4 Add SysProp to set the number of threads in Apexd bootstrap 
Test: Manual. Tested on device
Bug: 265019048
Change-Id: I1d559b4398c2e91f50da48dc6d5ccbef63fb9d18
(cherry picked from commit e8a2001086)
Ignore-AOSP-First: This is a cherry-pick from AOSP
 2023-04-25 17:40:39 +00:00
Jeff Vander Stoep
f9a774f1ae Disallow watch and watch_reads on apk_data_file for apps 
This can be used as a side channel to observe when an application
is launched.

Gate this restriction on the application's targetSdkVersion to
avoid breaking existing apps. Only apps targeting 34 and above will
see the new restriction.

Remove duplicate permissions from public/shell.te. Shell is
already appdomain, so these permissions are already granted to it.

Ignore-AOSP-First: Security fix
Bug: 231587164
Test: boot device, install/uninstall apps. Observe no new denials.
Test: Run researcher provided PoC. Observe audit messages.
Change-Id: Ic7577884e9d994618a38286a42a8047516548782
 2023-04-25 15:20:45 +02:00
Alex Buynytskyy
9c6c988bad UpsideDownCake/34 is now REL 
Ignore-AOSP-First: UpsideDownCake Finalization
Bug: 275409981
Test: build
Change-Id: I15bf3817a8a6867d52f7963a04a69e543a9801e9
Merged-In: I15bf3817a8a6867d52f7963a04a69e543a9801e9
 2023-04-21 19:36:02 +00:00
Inseob Kim
d781909856 Merge "Remove 28.0 compat support" am: 1174fcf338 am: 9cf125cb34 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2519755

Change-Id: Idc225a85b5b95d770e6367bc2d0c606225c5b8a4
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-04-07 02:00:23 +00:00
Inseob Kim
d16612cd8a Remove 28.0 compat support 
Treble doesn't support U system + P vendor, so removing P (28.0)
prebuilts and compat files.

Bug: 267692547
Test: build
Change-Id: I3734a3d331ba8071d00cc196a2545773ae6a7a60
 2023-04-03 15:17:03 +09:00
Andy Hung
bd89baaecf Merge "sepolicy: Add spatial audio tuning properties." 2023-03-27 15:22:49 +00:00
Andy Hung
789c2937a5 sepolicy: Add spatial audio tuning properties. am: 574369e474 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/22241161

Change-Id: I00a6e7937068ee8a3006223ba6d320c90a73321e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-24 04:22:53 +00:00
Andy Hung
16a79f885d sepolicy: Add spatial audio tuning properties. 
audio.spatializer.pose_predictor_type
audio.spatializer.prediction_duration_ms

Test: compiles
Test: adb shell setprop with invalid enum fails.
Bug: 274849680
Merged-In: Ie7e656acbdd3fe101ecbd2cc9dfb6c8a440a6a8b
Change-Id: Ie7e656acbdd3fe101ecbd2cc9dfb6c8a440a6a8b
 2023-03-23 20:56:59 -07:00
Andy Hung
574369e474 sepolicy: Add spatial audio tuning properties. 
audio.spatializer.pose_predictor_type
audio.spatializer.prediction_duration_ms

Ignore-AOSP-First: will land in AOSP later.
Test: compiles
Test: adb shell setprop with invalid enum fails.
Bug: 274849680
Change-Id: Ie7e656acbdd3fe101ecbd2cc9dfb6c8a440a6a8b
 2023-03-23 18:01:42 -07:00
Andy Hung
64a1d36e3d Merge "sepolicy: Add spatial audio configuration properties" into tm-qpr-dev am: 816d7372d3 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/22142639

Change-Id: I0f164623b16f992ca90a10c07d86781934b29775
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-22 12:55:52 +00:00
Andy Hung
03c348df74 sepolicy: Add spatial audio configuration properties 
Controls default enable or disable for binaural and transaural.

Test: see bug
Bug: 270980127
Merged-In: I190644e88a520cf13ee2b56066d5afd258460b9e
Change-Id: I190644e88a520cf13ee2b56066d5afd258460b9e
 2023-03-21 15:08:27 -07:00
Andy Hung
816d7372d3 Merge "sepolicy: Add spatial audio configuration properties" into tm-qpr-dev 2023-03-21 17:53:50 +00:00
Ioannis Ilkos
865d0883ac Merge changes from topic "tm-qpr-oome-perfetto" into tm-qpr-dev am: 37883b47f8 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/21986580

Change-Id: I66f23e61f789b8a18f44f6a68af9f399e9d06be0
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-20 11:02:24 +00:00
Ioannis Ilkos
ad1c3e4200 Merge changes from topic "tm-qpr-syssrv-perfetto" into tm-qpr-dev am: a6494f6163 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/21986577

Change-Id: I37e9725ed27177234f34357ebacd27e1c648dfec
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-20 11:01:53 +00:00
Ioannis Ilkos
37883b47f8 Merge changes from topic "tm-qpr-oome-perfetto" into tm-qpr-dev 
* changes:
  update api=33 sepolicy prebuilts for perfetto oome heap dumps
  Fix incorrect domain used in system_server.te
  Sysprop for the count of active OOME tracing sessions
 2023-03-20 10:35:12 +00:00
Ioannis Ilkos
a6494f6163 Merge changes from topic "tm-qpr-syssrv-perfetto" into tm-qpr-dev 
* changes:
  update api=33 sepolicy prebuilts for perfetto profiling of system_server and sys/platform apps
  tm-qpr backport: allow perfetto profiling of system_server and sys/platform apps
 2023-03-20 10:31:50 +00:00
Andy Hung
3b7b6c3b30 sepolicy: Add spatial audio configuration properties 
Controls default enable or disable for binaural and transaural.

Ignore-AOSP-First: will land in AOSP afterwards
Test: see bug
Bug: 270980127
Change-Id: I190644e88a520cf13ee2b56066d5afd258460b9e
 2023-03-17 14:58:36 -07:00
Nathan Huckleberry
7878f968fe Allow vold to use FS_IOC_GET_ENCRYPTION_KEY_STATUS am: 7bedb9d1a0 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/21649283

Change-Id: I553546da822bb3880b3b325382409f63f5e47b85
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-17 00:26:48 +00:00
Ioannis Ilkos
c3fa8c0d82 update api=33 sepolicy prebuilts for perfetto oome heap dumps 
Bug: 272719059
Ignore-AOSP-First: tm-qpr-dev backports
Change-Id: I7e0703ce8fb8fb46217f67046c19fb71653bc86e
 2023-03-13 17:48:46 +00:00
Ryan Savitski
be99ac546a update api=33 sepolicy prebuilts for perfetto profiling of system_server and sys/platform apps 
Bug: 272719059
Ignore-AOSP-First: tm-qpr-dev backports
Change-Id: Iadee4b1a04d032e901b58bc76a0b658782fe027f
 2023-03-13 17:14:04 +00:00
Nathan Huckleberry
7bedb9d1a0 Allow vold to use FS_IOC_GET_ENCRYPTION_KEY_STATUS 
This ioctl can be used to avoid a race condition between key
reinstallation and busy files clean up.

Test: Trigger busy file clean-up and ensure that the ioctl succeeds
Bug: 140762419

Change-Id: I153c2e7b2d5eb39e0f217c9ef8b9dceba2a5a487
(cherry picked from commit ffb9f8855a)
Ignore-AOSP-First: Prebuilts needed to be updated when cherry-picking.
 2023-03-10 18:58:42 +00:00
David Duarte
1d17625658 Update prebuilt to add bluetooth_prop to system_server sepolicy. am: c9530bbdfd 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/21359400

Change-Id: Idadf25b8631d21ab7eaa3834c500419253a7edb9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-02-15 07:23:13 +00:00
David Duarte
c9530bbdfd Update prebuilt to add bluetooth_prop to system_server sepolicy. 
Ignore-AOSP-First: Update after cherry-pick from AOSP
Fix: 268537356
Test: None
Change-Id: I72ad993e73b31045ce529e108b143e890955a167
 2023-02-10 00:27:32 +00:00
Hongwei Wang
95f1221fc1 Allow platform_app:systemui to write protolog file 
This is enabled on debuggable builds only, includes
- Grant mlstrustedobject typeattribute to wm_trace_data_file
- Grant platform_app (like systemui) the write access to
  wm_trace_data_file

Bug: 251513116
Test: adb shell dumpsys activity service SystemUIService \
      WMShell protolog [start | stop]
Ignore-AOSP-First: cherry-pick of aosp/2397593
Merged-In: I9f77f8995e4bf671616ce6c49eeb93720e31430e
Change-Id: I9f77f8995e4bf671616ce6c49eeb93720e31430e
 2023-02-08 18:30:30 +00:00
Hongwei Wang
7476ab79ff Merge "Allow platform_app:systemui to write protolog file" am: f4979adab7 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2397593

Change-Id: Id077867308be1b610fd4b12ed50e87908bd5e8d2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-01-31 20:58:01 +00:00
Alessandra Loro
bad245a5e2 Hide ro.debuggable and ro.secure from ephemeral and isolated applications am: 09effc0d78 am: 968d385d37 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2402006

Change-Id: I2a95f2f80f90de603a2029ec1d7026876c883137
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-01-27 20:07:43 +00:00
Alessandra Loro
968d385d37 Hide ro.debuggable and ro.secure from ephemeral and isolated applications am: 09effc0d78 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2402006

Change-Id: I068d5585305d8715d8ff081869d785fb07dedb4a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-01-27 19:23:38 +00:00
Alessandra Loro
09effc0d78 Hide ro.debuggable and ro.secure from ephemeral and isolated applications 
Bug: 193912100
Bug: 265874811
Test: N/A

Ignore-AOSP-First: cherry-pick for tm-qpr
Change-Id: I916c9795d96e4a4a453f9aed5e380f11981804e9
Merged-In: I916c9795d96e4a4a453f9aed5e380f11981804e9
 2023-01-26 16:56:40 +00:00
Kalesh Singh
eb1a50003c suspend: Allow access to /sys/power/wake_[un]lock 
This is needed to prevent autosuspend when the framework is restarting
See: go/no-suspend-deadlocks

Bug: 255898234
Bug: 265513788
Bug: 266077359
Test: Check logcat for avc denials
Change-Id: I6313e28d0f2e4bc553881fcc3742dc74ca319b44
Merged-In: I6313e28d0f2e4bc553881fcc3742dc74ca319b44
 2023-01-25 16:39:05 -08:00
Alessandra Loro
d4858ae25a Drop back-compatibility for hiding ro.debuggable and ro.secure am: c6aec92b7c am: 60673b7437 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2399373

Change-Id: I5c4220e15342bbe9d1442107661f5c78cfc5fd1b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-01-25 19:34:16 +00:00
Alessandra Loro
6b354f6a92 Disallow untrusted apps to read ro.debuggable and ro.secure am: 0d68fc3525 am: ea182aa198 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2399372

Change-Id: I7b2c1ade72e3d8aeb52f6034e56990cf3abbea6c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-01-25 19:34:14 +00:00
Pete Bentley
e3adcf5f10 Update sepolicy prebuilts for PRNG seeder changes. am: e635929f6f am: ea49ed9381 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2300079

Change-Id: I34bbb44dee5120f30d74d9c2a0cc463afb1705ed
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-01-25 19:30:22 +00:00
Alessandra Loro
60673b7437 Drop back-compatibility for hiding ro.debuggable and ro.secure am: c6aec92b7c 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2399373

Change-Id: Ib75355b064ebabe725f48accc0605f662fd28fb0
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-01-25 18:46:53 +00:00
Alessandra Loro
ea182aa198 Disallow untrusted apps to read ro.debuggable and ro.secure am: 0d68fc3525 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2399372

Change-Id: I3a4319a2431fab9ae492a606d431370674bf44a6
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-01-25 18:46:51 +00:00
Pete Bentley
ea49ed9381 Update sepolicy prebuilts for PRNG seeder changes. am: e635929f6f 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2300079

Change-Id: I0df17dc2b6a0e341365e6484c8a855c5d8c68adc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-01-25 18:38:20 +00:00
Hongwei Wang
9372026ad2 Allow platform_app:systemui to write protolog file 
This is enabled on debuggable builds only, includes
- Grant mlstrustedsubject typeattribute to wm_trace_data_file
- Grant platform_app (like systemui) the write access to
  wm_trace_data_file

Bug: 251513116
Test: adb shell dumpsys activity service SystemUIService \
      WMShell protolog [start | stop]
Change-Id: I9f77f8995e4bf671616ce6c49eeb93720e31430e
 2023-01-24 16:30:57 -08:00
Alessandra Loro
c6aec92b7c Drop back-compatibility for hiding ro.debuggable and ro.secure 
Ignore-AOSP-First: cherry-pick for tm-qpr-dev
Bug: 193912100
Bug: 265874811
Test: N/A for cherry-pick
Change-Id: I47f2ddc4fa87bf6c8f872d2679348b2eecddcaad
Merged-In: I47f2ddc4fa87bf6c8f872d2679348b2eecddcaad
 2023-01-23 12:06:37 +00:00
Alessandra Loro
0d68fc3525 Disallow untrusted apps to read ro.debuggable and ro.secure 
ro.secure and ro.debuggable system properties are not intended
to be visible via Android SDK. This change blocks untrusted
apps from reading these properties.

Test: n/a  for cherry-pick
Ignore-AOSP-First: cherry-pick for tm-qpr-dev
Bug: 193912100
Bug: 265874811
Change-Id: I40ac5d43da5778b5fa863b559c28e8d72961f831
Merged-In: I40ac5d43da5778b5fa863b559c28e8d72961f831
 2023-01-23 12:06:14 +00:00
Samip Garg
d6b358c112 Snap tm-dev to android13-tests-dev am: 5f2509a85a am: afc97a7c5e 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/20514546

Change-Id: I15bbe1635d1d5d3b2436cbef2e5fa5e9e5f54f55
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-01-16 04:00:08 +00:00
Samip Garg
afc97a7c5e Snap tm-dev to android13-tests-dev am: 5f2509a85a 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/20514546

Change-Id: I612593c17d4e88d8e8671f0c4ecc33914771f1a1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-01-11 15:14:48 +00:00
Kalesh Singh
3316353002 Merge "Allow update_verifier to connect to snapuserd daemon" into tm-qpr-dev 2023-01-10 17:08:09 +00:00
Akilesh Kailash
abeeb42d0f Allow update_verifier to connect to snapuserd daemon 
Bug: 193863442
Bug: 261913544
Test: OTA
Signed-off-by: Akilesh Kailash <akailash@google.com>
Merged-In: I10cb900466078930c9124fc381ba2adfc50ffcd4
Change-Id: I10cb900466078930c9124fc381ba2adfc50ffcd4
 2023-01-09 13:19:20 -08:00
Bill Yi
15ee6d11bc Merge TQ1A.230105.002 to aosp-master - DO NOT MERGE 
Merged-In: I9acac60411da6eee86246a9e375b35dfb61691d1
Merged-In: If343dba5dae2821fa345135abafb891e85be5574
Change-Id: Ia868a5a11f13d47bf11fbb21b3d5cee12d7c8c99
 2023-01-06 07:13:50 -08:00