Commit graph

47369 commits

Author SHA1 Message Date
Yisroel Forta
f86fab0d6d Merge "SELinux permissions for ProfilingService" into main am: e510cb8696
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2955343

Change-Id: Id393a7cdbcbb82d767b2457c33daf2c96c5bead7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-12 14:51:42 +00:00
Yisroel Forta
e510cb8696 Merge "SELinux permissions for ProfilingService" into main 2024-02-12 14:22:31 +00:00
Håkan Kvist
a0787ed434 remount: allow bootanimation to run animation from oem am: e38af22c5e
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2953101

Change-Id: Iba084fd08b2d1312d39a21970cccc2894a6e9a1c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-12 12:23:27 +00:00
Yisroel Forta
aa9d0bf24c SELinux permissions for ProfilingService
Test: Presubmit, manually confirm service accessible
Bug: 293957254
Change-Id: I7103be95ff49eb87b4c7164a38a481034d72a9aa
2024-02-09 19:25:32 +00:00
Håkan Kvist
e38af22c5e remount: allow bootanimation to run animation from oem
Grant bootanimation all read permissions on oem using
r_dir_file macro instead of specifying individual permissions.

This prevents failure to read the bootanimation on oem if the
partition has been remounted.

After remount, bootanimation will log a violation for the
/oem/media directory when reading an existing file (the boot animation
is still played).
avc:  denied  { read } for  pid=2820 comm="bootanimation" name="media"
   dev="sda75" ino=152 scontext=u:r:bootanim:s0
   tcontext=u:object_r:oemfs:s0 tclass=dir permissive=0

After remount, if modifying/adding file in /oem/media directory,
bootanimation will fail to read the bootanimation zip, now with
violation:
avc:  denied  { read } for  pid=2838 comm="bootanimation" name="media"
   dev="dm-8" ino=70 scontext=u:r:bootanim:s0 tcontext=u:object_r:oemfs:s0
   tclass=dir permissive=0

Bug: 324437684
Test: adb remount
      replace /oem/media/bootanimation.zip with custom animation
      adb reboot
      confirm that expected bootanimation is played
      confirm no selinux violations are seen in logcat
Change-Id: Iaafdeeacaf88d8f5c1214700edc8eec2824b0159
2024-02-09 16:09:05 +01:00
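The two avc lines quoted in the commit above are the raw material for any sepolicy change: they are parsed, the source and target types are pulled out of the contexts, and the permissions are folded into an allow rule, which is then compared with what a macro such as r_dir_file would grant. The following is an added example that walks through that workflow; it is not code from the AOSP sepolicy project or from the commit author. It embeds the denial text from the commit message as constructed input, and the r_dir_perms / r_file_perms sets it uses are the author's reading of system/sepolicy/public/global_macros and te_macros, which should be treated as an assumption and checked against the tree you are building.

```python
"""Turn SELinux AVC denial lines into candidate allow rules and check them
against the r_dir_file macro.

Added example for this commit log, not code from the AOSP sepolicy project.
Input format assumed: logcat/dmesg records of the form
  avc: denied { perms } for pid=... scontext=... tcontext=... tclass=...
possibly wrapped onto indented continuation lines.
"""
import re
from collections import defaultdict

# Constructed input: the two denial records quoted in the bootanimation
# commit message, wrapped exactly as they appear there.
DENIALS = """\
avc:  denied  { read } for  pid=2820 comm="bootanimation" name="media"
   dev="sda75" ino=152 scontext=u:r:bootanim:s0
   tcontext=u:object_r:oemfs:s0 tclass=dir permissive=0
avc:  denied  { read } for  pid=2838 comm="bootanimation" name="media"
   dev="dm-8" ino=70 scontext=u:r:bootanim:s0 tcontext=u:object_r:oemfs:s0
   tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*?)\s*$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed expansion of the AOSP macros (global_macros / te_macros):
#   r_dir_file(src, tgt) -> allow src tgt:dir r_dir_perms;
#                           allow src tgt:{ file lnk_file } r_file_perms;
# Verify these sets against the sepolicy tree you are working in.
R_DIR_PERMS = {"open", "getattr", "read", "search", "ioctl", "lock",
               "watch", "watch_reads"}
R_FILE_PERMS = {"getattr", "open", "read", "ioctl", "lock", "map",
                "watch", "watch_reads"}


def join_wrapped(text):
    """Re-join records whose continuation lines were indented by logcat."""
    records = []
    for line in text.splitlines():
        if line.startswith("avc:"):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def parse_denial(record):
    """Return (source_type, target_type, tclass, perms) for one record."""
    m = AVC_RE.match(record)
    if not m:
        raise ValueError(f"not an AVC denial: {record!r}")
    perms = set(m.group("perms").split())
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    # u:r:bootanim:s0 -> bootanim ; u:object_r:oemfs:s0 -> oemfs
    src = fields["scontext"].split(":")[2]
    tgt = fields["tcontext"].split(":")[2]
    return src, tgt, fields["tclass"], perms


def candidate_rules(text):
    """Merge all denials into one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for rec in join_wrapped(text):
        src, tgt, cls, perms = parse_denial(rec)
        merged[(src, tgt, cls)] |= perms
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in merged.items())


def r_dir_file(src, tgt):
    """The rules r_dir_file(src, tgt) expands to (under the assumed sets)."""
    return [
        f"allow {src} {tgt}:dir {{ {' '.join(sorted(R_DIR_PERMS))} }};",
        f"allow {src} {tgt}:{{ file lnk_file }} "
        f"{{ {' '.join(sorted(R_FILE_PERMS))} }};",
    ]


def covered_by_macro(text):
    """True if every denial in text would be satisfied by r_dir_file."""
    for rec in join_wrapped(text):
        _, _, cls, perms = parse_denial(rec)
        if cls == "dir":
            allowed = R_DIR_PERMS
        elif cls in ("file", "lnk_file"):
            allowed = R_FILE_PERMS
        else:
            allowed = set()
        if not perms <= allowed:
            return False
    return True


if __name__ == "__main__":
    for rule in candidate_rules(DENIALS):
        print(rule)
    print("\n".join(r_dir_file("bootanim", "oemfs")))
    print("covered by r_dir_file:", covered_by_macro(DENIALS))
```

The point of the last function is the one the commit makes: a single `allow bootanim oemfs:dir { read };` would silence the logged denial, but only the macro gives the full read set on dirs, files and symlinks, so a later remount or a new file under /oem/media does not surface the next missing permission one denial at a time.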
Jiakai Zhang
59bb9008fd Merge "Update sepolicy for service dexopt_chroot_setup and artd_pre_reboot." into main am: 95d371bcfd
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2939419

Change-Id: I75166873b4baa3d781ebb0b7055f9f42b8a5dd1e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-09 03:29:50 +00:00
Jiakai Zhang
95d371bcfd Merge "Update sepolicy for service dexopt_chroot_setup and artd_pre_reboot." into main 2024-02-09 02:52:58 +00:00
mrulhania
faaec9dd3a Add SELinux policy for ContentProtectionManagerService am: 9a7700cd46
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2952703

Change-Id: Ib8beac88752e6c4576bc177553c33c82df5b1026
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-09 00:41:43 +00:00
mrulhania
9a7700cd46 Add SELinux policy for ContentProtectionManagerService
Bug: 324348549
Test: build
Change-Id: Ieb319ed033d2fdb18cf76107c44cd6357221ecc4
2024-02-08 19:56:49 +00:00
Ikjoon Jang
b1019e8d42 Merge changes from topic "revert-2952245-vfrc_as_tot_sepolicy-AMFGMLDWQF" into main am: 1c9aa0cb18
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2954993

Change-Id: I881e04fb8c0b6195846f35c37b62ae4b5be0e123
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-08 04:50:50 +00:00
Ikjoon Jang
f0f530be1f Revert "Add 1000000.0 mapping file temporarily" am: 82126e9d77
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2954992

Change-Id: I0b34dc883d9a87e38f6a9932b52cbbd5cf39a7b6
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-08 04:50:47 +00:00
Ikjoon Jang
1c9aa0cb18 Merge changes from topic "revert-2952245-vfrc_as_tot_sepolicy-AMFGMLDWQF" into main
* changes:
  Revert "Fix freeze test condition to board api"
  Revert "Add 1000000.0 mapping file temporarily"
2024-02-08 04:47:21 +00:00
Ikjoon Jang
f3fad1a66b Revert "Fix freeze test condition to board api"
Revert submission 2952245-vfrc_as_tot_sepolicy

Reason for revert: DroidMonitor-triggered revert due to breakage https://android-build.corp.google.com/builds/quarterdeck?branch=git_main&target=mainline_modules_arm64-mainline-userdebug&lkgb=11421838&lkbb=11421957&fkbb=11421841, b/324335916

Reverted changes: /q/submissionid:2952245-vfrc_as_tot_sepolicy

Bug: 324335916
Change-Id: Iada55b1298872ae2f2ff4112726dcbcd089597f1
2024-02-08 04:45:26 +00:00
Ikjoon Jang
82126e9d77 Revert "Add 1000000.0 mapping file temporarily"
Revert submission 2952245-vfrc_as_tot_sepolicy

Reason for revert: DroidMonitor-triggered revert due to breakage https://android-build.corp.google.com/builds/quarterdeck?branch=git_main&target=mainline_modules_arm64-mainline-userdebug&lkgb=11421838&lkbb=11421957&fkbb=11421841, b/324335916

Reverted changes: /q/submissionid:2952245-vfrc_as_tot_sepolicy

Bug: 324335916
Change-Id: I9375f4d467596bc961527216b3f68c0f21016ca3
2024-02-08 02:54:29 +00:00
Jiakai Zhang
817c49f74c Update sepolicy for service dexopt_chroot_setup and artd_pre_reboot.
Bug: 311377497
Test: manual - Call
  getDexoptChrootSetupServiceRegisterer().waitForService()
Test: manual - Set up a chroot environment and call
  getArtdPreRebootServiceRegisterer().waitForService()
Change-Id: I50b5f7f858dab37f05174cb9787f64303d50d083
2024-02-08 10:13:27 +08:00
Jooyung Han
92e41b06dc Merge "Check if ./bin entries are not vendor_file" into main am: 41e786ae48
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2953009

Change-Id: I5fa1c0c34ab2b39e220415ca607d0cc6e87a24d2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-08 01:59:00 +00:00
Jooyung Han
41e786ae48 Merge "Check if ./bin entries are not vendor_file" into main 2024-02-08 01:33:07 +00:00
Inseob Kim
f5394252fe Merge changes from topic "vfrc_as_tot_sepolicy" into main am: 569241f82f
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2912752

Change-Id: I42a8d4ca624df3b6d93dfc95d64712cbb80d728e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-08 01:22:42 +00:00
Inseob Kim
34a3196557 Fix freeze test condition to board api am: 7a235a4d9d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2912751

Change-Id: Iaab712286501ca99607f7543dd891c246c293cbb
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-08 01:22:38 +00:00
Inseob Kim
569241f82f Merge changes from topic "vfrc_as_tot_sepolicy" into main
* changes:
  Add 1000000.0 mapping file temporarily
  Fix freeze test condition to board api
2024-02-08 01:12:47 +00:00
Robert Shih
0f486059b0 Allow dumpsys on user builds
Bug: 320403913
Test: adb shell dumpsys android.hardware.drm.IDrmFactory/clearkey
Change-Id: Ibc8214dac63558b5bbf886b25607f36e293d3e8d
2024-02-07 18:35:51 +00:00
Nikhil Bhanu
c7b99fbf76 Merge "Add property for enabling stereo spatialization" into main am: 67c12aa98d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2951223

Change-Id: Iedb7747a9d0fd1818abc161b2e6d545434c56450
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-07 17:09:10 +00:00
Nikhil Bhanu
67c12aa98d Merge "Add property for enabling stereo spatialization" into main 2024-02-07 16:41:01 +00:00
Jooyung Han
c945a104c0 Check if ./bin entries are not vendor_file
This can detect a common mistake of not labeling binaries in APEX.

Note - we can't simply check if the label has the exec_type attribute
because there are many exceptions.

Bug: 324005965
Test: atest apex_sepolicy_tests_test
Change-Id: Ib643e8b73fac1a3b8851804e58e69b19d32b997d
2024-02-07 16:26:25 +09:00
Treehugger Robot
ef4bd550ee Merge "Changes in SELinux Policy for CSS API" into main am: 49a519234b
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2819838

Change-Id: I4cfa495bdeae5c048a6f5bf6b308de21c2e40ca7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-06 21:05:13 +00:00
Treehugger Robot
49a519234b Merge "Changes in SELinux Policy for CSS API" into main 2024-02-06 20:28:45 +00:00
Nikhil Bhanu
977260767a Add property for enabling stereo spatialization
Bug: 323223919
Test: manual
Change-Id: I49d12bfc878ec63d8fe036880033e1c309961430
2024-02-06 08:52:42 -08:00
Justin Yun
d6a43bcb89 Set ro.llndk.api_level as a system prop am: 385d5099cf
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2952405

Change-Id: I29fca56cdb6fe33c2b302be5859dbe86713aef18
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-06 07:24:46 +00:00
Justin Yun
385d5099cf Set ro.llndk.api_level as a system prop
ro.llndk.api_level is included in system/build.prop.
It must have the system build_prop context instead of the vendor prop.

Bug: 312098788
Test: TH
Change-Id: I223ae2cd56490a2cfd6f6454ad685d23d90d9329
2024-02-06 13:55:52 +09:00
David Dai
ef608892b8 Merge "Allow CAP_SYS_NICE for crosvm" into main am: 8a216be443
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2945565

Change-Id: I5bf6d0890878da75a9ae77566b1f9d1ff6a3fcdb
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-05 23:10:10 +00:00
David Dai
8a216be443 Merge "Allow CAP_SYS_NICE for crosvm" into main 2024-02-05 22:20:13 +00:00
Jooyung Han
786f91880a Merge "Add hal_graphics_mapper_service type" into main am: d4ae4c1165
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2928071

Change-Id: I5de03cbe4546badfabadce7861ef9b757999153f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-05 21:44:48 +00:00
Jooyung Han
d4ae4c1165 Merge "Add hal_graphics_mapper_service type" into main 2024-02-05 21:02:15 +00:00
David Dai
7066a961bd Allow CAP_SYS_NICE for crosvm
Open up CAP_SYS_NICE policies so that crosvm can adjust uclamp on its
vCPU threads to provide a boost in performance.

Bug: 322197421
Test: Booted device and processes that checked that the correct
capabilities are given with no sepolicy denials.

Change-Id: I089bf26caf862c32e85440575800bb095bb9087b
Signed-off-by: David Dai <davidai@google.com>
2024-02-05 11:14:53 -08:00
Alan Stokes
dc589e9e66 Merge "Suppress spurious ipc_lock denials" into main am: e01e8d5595
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2944165

Change-Id: I43a7872c74237b3d7a734a26b4cab2c705ddc3aa
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-05 10:19:30 +00:00
Alan Stokes
e01e8d5595 Merge "Suppress spurious ipc_lock denials" into main 2024-02-05 09:37:52 +00:00
Jooyung Han
952673da5b Add hal_graphics_mapper_service type
This is used for the mapper sphal library, which is defined in VINTF and
queried via servicemanager.

Bug: 317178925
Test: cuttlefish loads mapper.minigbm
Change-Id: Ibddc0239e52065a89c656f885f34835406665009
2024-02-05 18:14:53 +09:00
Nate Myren
ef856207af Remove mounton from app and web zygote
These aren't necessary for app compat overrides

Change-Id: Ie210a6487a80ef4fa618beedef0d957d79c7d38a
Fixes: 319616964
Test: presubmit
2024-02-02 22:29:55 +00:00
Harshit Mahajan
48c1888db7 Merge "Revert^2 "Adding sepolicy rules for CrashRecoveryProperties"" into main am: d02643a3ed
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2943945

Change-Id: I34af98e454e3f87b553c96dd7920d79df6a62853
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-02 17:01:02 +00:00
Harshit Mahajan
d02643a3ed Merge "Revert^2 "Adding sepolicy rules for CrashRecoveryProperties"" into main 2024-02-02 16:24:56 +00:00
Hansen Kurli
00ceacf706 Merge "Remove all sepolicy relating to ppp/mtp." into main am: 34ee0b5da3
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2849358

Change-Id: Ib1e0f836c448abfc872e4e6d93ea5333ff744bcb
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-02 05:34:56 +00:00
Hansen Kurli
34ee0b5da3 Merge "Remove all sepolicy relating to ppp/mtp." into main 2024-02-02 05:16:37 +00:00
Carlos Galo
e7c0b7d7fa Merge "system_server: remove access to proc/memhealth/*" into main am: 878f7f1795
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2945507

Change-Id: Ice66b2aa79d2095a4061ed8455a179b43b633e46
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-02 05:14:08 +00:00
Carlos Galo
878f7f1795 Merge "system_server: remove access to proc/memhealth/*" into main 2024-02-02 04:26:54 +00:00
Peter Lee
038885a77c Modify SELinux rules to allow vold to use the keymaster HAL directly. am: b1c857c824 am: 769bbce026 am: d3db89de5b
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2929772

Change-Id: Ib0af68b1877fd3e4a49fa5ce71b8d57ce1f3645c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-01 23:48:34 +00:00
Carlos Galo
4a9f07fe21 system_server: remove access to proc/memhealth/*
Memhealth driver has been removed from all android kernels.

Test: m
Bug: 315560026
Change-Id: Ia4f91bde3a999a490b42b57abcd521ff9cc94633
Signed-off-by: Carlos Galo <carlosgalo@google.com>
2024-02-01 23:40:25 +00:00
Peter Lee
d3db89de5b Modify SELinux rules to allow vold to use the keymaster HAL directly. am: b1c857c824 am: 769bbce026
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2929772

Change-Id: I6d9e77b0889fad22a6006972a1ba90ecd87fba8f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-01 23:08:23 +00:00
Dan Shi
f6477f4f03 Merge "Revert "audio: Provide a default implementation of IHalAdapterVe..."" into main am: b230f4f10c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2944648

Change-Id: I0ebc9160853d628eb184c53ffff580717fca2137
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-01 22:25:09 +00:00
Peter Lee
769bbce026 Modify SELinux rules to allow vold to use the keymaster HAL directly. am: b1c857c824
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2929772

Change-Id: I89c192fc02b8bb215cc52b8a4091930896595b21
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-01 22:24:27 +00:00
Dan Shi
b230f4f10c Merge "Revert "audio: Provide a default implementation of IHalAdapterVe..."" into main 2024-02-01 21:57:51 +00:00