tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
38299 commits 1 branch 0 tags 50 MiB
Commit graph

38299 commits

This branch
This branch
All branches
Author SHA1 Message Date
Sanjana Sunil
709b339420 Merge "Allow zygote to relabel sdk_sandbox_system_data_file" into tm-dev 2022-05-25 15:06:14 +00:00
Rubin Xu
6f73a02792 Merge "Allow Bluetooth stack to read security log sysprop" am: ab73c8f1c8 am: b7a8225fd8 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2096793

Change-Id: Ia80bbd0c59b6cec578cc46eabc40e6a4c69c6ffe
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-25 12:20:46 +00:00
Rubin Xu
b7a8225fd8 Merge "Allow Bluetooth stack to read security log sysprop" am: ab73c8f1c8 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2096793

Change-Id: Iae1a538a9112569421c87de5ca082e066b6991f2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-25 12:01:57 +00:00
Rubin Xu
ab73c8f1c8 Merge "Allow Bluetooth stack to read security log sysprop" 2022-05-25 11:43:49 +00:00
Treehugger Robot
8e6f91863f Merge "Allow zoned device support in f2fs" am: a98ea3d8cf am: 32d64b7b82 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2103273

Change-Id: I0d7e16bacdf9406d4fe1cb15b71875c8f774aefc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-25 02:05:23 +00:00
Treehugger Robot
0f12b12c8c Merge "Add xfrm netlink permissions for system server" am: f2b91a0199 am: 5cb7ed06e3 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2101798

Change-Id: I6114c0a707d7117711f183ee9ce9a56299af8c99
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-25 02:04:54 +00:00
Treehugger Robot
32d64b7b82 Merge "Allow zoned device support in f2fs" am: a98ea3d8cf 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2103273

Change-Id: I357bb6304b15ebba4038e8f98ba65c0815634a11
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-25 01:46:19 +00:00
Treehugger Robot
a98ea3d8cf Merge "Allow zoned device support in f2fs" 2022-05-25 01:40:24 +00:00
Treehugger Robot
5cb7ed06e3 Merge "Add xfrm netlink permissions for system server" am: f2b91a0199 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2101798

Change-Id: Ia0d409991b1c03c62f6ef8ee930f7a47fae06c46
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-25 01:37:50 +00:00
Treehugger Robot
f2b91a0199 Merge "Add xfrm netlink permissions for system server" 2022-05-25 01:14:25 +00:00
Jaegeuk Kim
b0f5998f1d Allow zoned device support in f2fs 
This patch allows ioctls() to support zoned device.

Bug: 172377740
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: I69b322ceffd45c7e191d3a37e67ac7324c5b7ee2
 2022-05-25 00:33:57 +00:00
Benedict Wong
b25b4bf53f Add xfrm netlink permissions for system server 
This change enables xfrm netlink socket use for the system server,
and the network_stack process. This will be used by IpSecService
to configure SAs, and network stack to monitor counters & replay
bitmaps for monitoring of IPsec tunnels.

Bug: 233392908
Test: Compiled
Change-Id: I25539dc579f21d6288fa962d1fad9b51573f017d
 2022-05-25 00:02:33 +00:00
Treehugger Robot
2a00925335 Merge "Allow sysfs_dm in fsck.f2fs" am: c53f08e3b3 am: 21db6b734f 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2096867

Change-Id: I40166baf11dac05dcf8524aa4e9fb50752b514aa
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-24 20:56:55 +00:00
Treehugger Robot
21db6b734f Merge "Allow sysfs_dm in fsck.f2fs" am: c53f08e3b3 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2096867

Change-Id: I1c1b5dd8a3f39559c634261a3b96a7d488da32e4
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-24 20:27:02 +00:00
Treehugger Robot
c53f08e3b3 Merge "Allow sysfs_dm in fsck.f2fs" 2022-05-24 20:03:57 +00:00
Mohamad Mahmoud
c49d582df6 Allow system_server to read io and cpu pressure data 
Test: tested on device
Bug: b/233036368

Change-Id: Ied90327f97abb771f10ec2efb659bb9090ffa88a
 2022-05-24 17:24:54 +00:00
Sanjana Sunil
898723d045 Allow zygote to relabel sdk_sandbox_system_data_file 
To perform sdk sandbox data isolation, the zygote gets the selinux label
of SDK sandbox storage (e.g. /data/misc_{ce,de}/<user-id>/sdksandbox)
before tmpfs is mounted onto /data/misc_{ce,de} (or other volumes). It
relabels it back once bind mounting of required sandbox data is done.
This change allows for the zygote to perform these operations.

Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Ignore-AOSP-First: Already merged in aosp

Change-Id: Ie8fd1f478fd12141bd6240cee96d0c3da55ba7a0
Merged-In: I28d1709ab4601f0fb1788435453ed19d023dc80b
 2022-05-24 14:11:50 +00:00
Jaegeuk Kim
74a884b23f Allow sysfs_dm in fsck.f2fs 
Commit ea9921f4f5b9 ("f2fs-tools: support zoned device in Android") in
f2fs-tools supports zoned device in Android. When detecting the disk
supports zoned device with proper types, we need to access its sysfs
entry. Note that, we need to check sysfs entries by default for
non-zoned disks in general as well.

If a product doesn't use metadata encryption which sets a device mapper, vendor
selinux needs to allow sysfs entries for raw disks such as sysfs_scsi_devices or
sysfs_devices_block.

avc: denied { search } for comm="fsck.f2fs" name="dm-44" dev="sysfs" ino=82102 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_dm:s0 tclass=dir permissive=0
avc: denied { read } for comm="fsck.f2fs" name="zoned" dev="sysfs" ino=82333 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_dm:s0 tclass=file permissive=0

Bug: 172377740
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: Iaa4dc9826b614b71b928c33ebc207afab96e586a
 2022-05-23 15:05:12 -07:00
Jason Macnak
e902c95f7d Merge "Add gpu_device access to hal_neuralnetworks" am: b947c73850 am: 77e360b673 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2097238

Change-Id: I4c99bd8b3853df5ae819d6378f018ba46cd4ecd6
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-23 20:21:45 +00:00
Jason Macnak
77e360b673 Merge "Add gpu_device access to hal_neuralnetworks" am: b947c73850 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2097238

Change-Id: I620bf349a8c1662a664d1d21fb5326f1904cb7c8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-23 19:42:43 +00:00
Jason Macnak
b947c73850 Merge "Add gpu_device access to hal_neuralnetworks" 2022-05-23 19:20:42 +00:00
Sanjana Sunil
79f75ae826 Merge "Allow zygote to relabel sdk_sandbox_system_data_file" am: 26750b9a0c am: 8f37c1b762 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2101653

Change-Id: Id33dbed2e2a956c4f82054a06148ba0509cc70cb
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-20 22:54:13 +00:00
Sanjana Sunil
8f37c1b762 Merge "Allow zygote to relabel sdk_sandbox_system_data_file" am: 26750b9a0c 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2101653

Change-Id: I0762945569e84d4a9cb6f98553c4e641812955c7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-20 22:34:10 +00:00
Sanjana Sunil
26750b9a0c Merge "Allow zygote to relabel sdk_sandbox_system_data_file" 2022-05-20 21:59:25 +00:00
Treehugger Robot
d21c185410 [automerger skipped] Merge "Remove "@1.0-" from android.system.suspend service's name" am: 488da4d9f2 am: 5600902320 -s ours 
am skip reason: Merged-In I8699daf48599f9dd913821911702408acc650de9 with SHA-1 a405b140f7 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2098077

Change-Id: I6f4eab7473259aef2c95fa5b943c0889963a5b11
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-20 19:56:27 +00:00
Treehugger Robot
5600902320 Merge "Remove "@1.0-" from android.system.suspend service's name" am: 488da4d9f2 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2098077

Change-Id: Icd38c32849d1e2f90f5025abc98d5ab11010e0b6
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-20 19:24:34 +00:00
Treehugger Robot
488da4d9f2 Merge "Remove "@1.0-" from android.system.suspend service's name" 2022-05-20 18:49:39 +00:00
Samiul Islam
fed8d2ea63 [automerger skipped] Merge "Create a separate label for sandbox root directory" am: 61bd67072c am: 6b309bd4e3 -s ours 
am skip reason: Merged-In Id8771b322d4eb5532eaf719f203ca94035e2a8ed with SHA-1 ef1698a878 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2098133

Change-Id: I6d626adef6cd96b176ed1ab154522de9ba1af47a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-20 13:15:29 +00:00
Samiul Islam
6b309bd4e3 Merge "Create a separate label for sandbox root directory" am: 61bd67072c 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2098133

Change-Id: I667c2888a2c4f82cd3a891c03b273b477ccd79d6
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-20 12:48:30 +00:00
Sanjana Sunil
563016314c Allow zygote to relabel sdk_sandbox_system_data_file 
To perform sdk sandbox data isolation, the zygote gets the selinux label
of SDK sandbox storage (e.g. /data/misc_{ce,de}/<user-id>/sdksandbox)
before tmpfs is mounted onto /data/misc_{ce,de} (or other volumes). It
relabels it back once bind mounting of required sandbox data is done.
This change allows for the zygote to perform these operations.

Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Change-Id: I28d1709ab4601f0fb1788435453ed19d023dc80b
 2022-05-20 11:24:32 +00:00
Samiul Islam
61bd67072c Merge "Create a separate label for sandbox root directory" 2022-05-20 07:21:19 +00:00
Patrick Rohr
ab02397814 Fix system server and network stack netlink permissions 
Give system_server and network_stack the same permissions as netd.
This is needed as we are continuously moving code out of netd into
network_stack and system_server.

Test: TH
Bug: 233300834
Change-Id: I9559185081213fdeb33019733654ce95af816d99
 2022-05-19 22:07:49 -07:00
Thiébaud Weksteen
a6355c36e5 Merge "Ignore access from system_app to sysfs_zram" am: 9b12638488 am: 23fbdc809e 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2097197

Change-Id: Idc115f2e1a51d2c147d65d29c95cf9eeec0e65b5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-20 00:30:05 +00:00
Thiébaud Weksteen
23fbdc809e Merge "Ignore access from system_app to sysfs_zram" am: 9b12638488 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2097197

Change-Id: I66683bc86835345db101e4b4f38a090a11fdbebc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-20 00:01:09 +00:00
Thiébaud Weksteen
9b12638488 Merge "Ignore access from system_app to sysfs_zram" 2022-05-19 23:35:21 +00:00
Nicolas Geoffray
d2992d8dc4 [automerger skipped] sysfs_fs_f2fs for zygote. am: 36c1ef6672 am: c90a5313a7 -s ours 
am skip reason: Merged-In I163c343d8af9c578c840d7c710854fce15c29903 with SHA-1 d68b089d59 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2100138

Change-Id: I93090c62a37a5ccadccb7cb1965c0f661c0e53ff
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-19 18:47:10 +00:00
Nicolas Geoffray
c90a5313a7 sysfs_fs_f2fs for zygote. am: 36c1ef6672 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2100138

Change-Id: I0afc1d81d4d485c88fee6e2d4a99fe3abf93d9da
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-19 18:03:17 +00:00
Nicolas Geoffray
36c1ef6672 sysfs_fs_f2fs for zygote. 
Test: boot
Bug: 223366272

(cherry picked from commit d68b089d59)

Merged-In: I163c343d8af9c578c840d7c710854fce15c29903
Change-Id: Ia67bbe89d61e8badb128d4c13570d8049f91d7a2
 2022-05-19 16:53:41 +01:00
Mohammad Samiul Islam
d2ffd35cc0 Create a separate label for sandbox root directory 
Currently, app process can freely execute path at
`/data/misc_ce/0/sdksandbox/<package-name>` since it's labeled as system
file. They can't read or write, but use 403/404
error to figure out if an app is installed or not.

By changing the selinux label of the parent directory:
`/data/misc_ce/0/sdksandbox`, we can restrict app process from executing
inside the directory and avoid the privacy leak.

Sandbox process should only have "search" permission on the new label so
that it can pass through it to its data directory located in
`/data/misc_ce/0/sdksandbox/<package-name>/<per-sdk-dir>`.

Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Test: `adb shell cd /data/misc_ce/0/sdksandbox` gives error
Test: manual test to verify webview still works
Change-Id: Id8771b322d4eb5532eaf719f203ca94035e2a8ed
Merged-In: Id8771b322d4eb5532eaf719f203ca94035e2a8ed
 2022-05-19 16:01:15 +01:00
Nicolas Geoffray
e8d4a6077b Merge "sysfs_fs_f2fs for zygote." into tm-dev am: 5c8171c478 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/18437090

Change-Id: I873b65d3fa0a409d4010e0c09e8f1f78296eeb7a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-19 14:10:06 +00:00
Nicolas Geoffray
5c8171c478 Merge "sysfs_fs_f2fs for zygote." into tm-dev 2022-05-19 13:39:17 +00:00
Samiul Islam
d8ffd4cdd8 Merge "Create a separate label for sandbox root directory" into tm-dev am: 7accd9ad70 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/18344445

Change-Id: I07313fb72cd13e9ae2ab24e1b72e0b211f353468
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-19 13:24:36 +00:00
Samiul Islam
7accd9ad70 Merge "Create a separate label for sandbox root directory" into tm-dev 2022-05-19 13:11:37 +00:00
Treehugger Robot
3e78ff7f5d Merge "Iorapd and friends have been removed" am: f6fefa9d61 am: 74607b608e 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2098987

Change-Id: I6582ca6634d76a54e73900d76b9f3534cb04c192
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-19 09:57:40 +00:00
Treehugger Robot
74607b608e Merge "Iorapd and friends have been removed" am: f6fefa9d61 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2098987

Change-Id: Id85646ccfd9c972671e48a4c3e71df6be492c38b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-19 09:29:41 +00:00
Treehugger Robot
f6fefa9d61 Merge "Iorapd and friends have been removed" 2022-05-19 08:58:37 +00:00
Treehugger Robot
bb8bab1ff1 [automerger skipped] Merge "Allow vendor_init to read device config vendor_system_native properties" am: 1fa1ef4e0d am: 3b660a7982 -s ours 
am skip reason: Merged-In If69d1dab02d6c36cdb1f6e668887f8afe03e5b0e with SHA-1 5eca1a0bf7 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2099111

Change-Id: Ic1f6d7329886b0d81f8856b8c5a4f79c973ecdfc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-19 08:54:02 +00:00
Treehugger Robot
3b660a7982 Merge "Allow vendor_init to read device config vendor_system_native properties" am: 1fa1ef4e0d 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2099111

Change-Id: I73fbfddbc4658b8aafca11645f114d3a4111e4d1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-19 08:34:15 +00:00
Treehugger Robot
1fa1ef4e0d Merge "Allow vendor_init to read device config vendor_system_native properties" 2022-05-19 08:05:16 +00:00
TreeHugger Robot
7467534c2c Merge "Allow vendor_init to read device config vendor_system_native properties" into tm-dev am: 3669484abd 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/18400350

Change-Id: Ife1dbb50f5c07a1ee12bd9ec327dfe73e2cbeeaf
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-05-19 07:55:22 +00:00