tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
35342 commits 1 branch 0 tags 50 MiB
Commit graph

35342 commits

This branch
This branch
All branches
Author SHA1 Message Date
Stephane Lee
68e028b731 Merge "Add sepolicies to allow hal_health_default to load BPFs." 2022-03-22 15:29:20 +00:00
Ocean Chen
bcd0bd7976 Correct the definition sequences of sdk_sandbox_service 
It fixs the auto merger conflict

Merged-In: I9fb98e0caee75bdaaa35d11d174004505f236799
Change-Id: I6afc59633ee4f729a86ab5f24c39ebd46d591549
 2022-03-22 06:40:43 +00:00
Yi-yo Chiang
bc3f8b3486 Merge "Add proc_cmdline read permission to read_fstab" 2022-03-22 02:37:15 +00:00
Stephane Lee
52862a32c1 Add sepolicies to allow hal_health_default to load BPFs. 
Bug: 203462310
Test: Ensure that the BPF filter can be loaded
Change-Id: Ib507d4c1718dd56fb336501ed7598de7b44a687b
 2022-03-21 12:54:49 -07:00
Yi-Yo Chiang
f505b3cbc5 Add dynamic_system service properties 
Bug: 225310919
Test: adb shell setprop \
  dynamic_system.data_transfer.shared_memory.size 4096
Test: start a Dynamic System installation and verify the
  shared memory size override is effective.
Change-Id: Id0b29aa9c2332613c07e005b6091ceb824e2f129
 2022-03-21 11:49:01 +08:00
Yi-Yo Chiang
cdd95be894 Add proc_cmdline read permission to read_fstab 
ReadDefaultFstab() calls fs_mgr_get_boot_config() which could read
/proc/bootconfig and /proc/cmdline.

Bug: 225310919
Test: TH presubmit
Change-Id: Ibe66a41d0d74d7b71dc70436af68b7a7eed721b6
 2022-03-20 16:35:19 +08:00
Bram Bonne
b93f26fd89 Move sdk_sandbox sepolicy to AOSP. 
Bug: 224796470
Bug: 203670791
Bug: 204989872
Bug: 211761016
Bug: 217543371
Bug: 217559719
Bug: 215105355
Bug: 220320098
Test: make, ensure device boots

Change-Id: Ia96ae5407f5a83390ce1b610da0d49264e90d7e2
Merged-In: Ib085c49f29dab47268e479fe5266490a66adaa87
Merged-In: I2215ffe74e0fa19ff936e90c08c4ebfd177e5258
Merged-In: I478c9a16032dc1f1286f5295fc080cbe574f09c9
Merged-In: Ibf478466e5d6ab0ee08fca4da3b4bae974a82db0
Merged-In: I5d519605d9fbe80c7b4c9fb6572bc72425f6e90a
Merged-In: I05d2071e023d0de8a93dcd111674f8d8102a21ce
Merged-In: I6572a7a5c46c52c9421d0e9c9fc653ddbd6de145
Merged-In: I1b6d1a778cb658bdfd930b684e4ba0640031b226
Merged-In: I9fb98e0caee75bdaaa35d11d174004505f236799
 2022-03-17 10:22:33 +01:00
Jaegeuk Kim
be66c59171 SELinux policy for /dev/sys/block/by-name/rootdisk 
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: I550dfb5649ccb5ca61ea5abbf730bd84756f047e
 2022-03-16 11:04:39 -07:00
Alan Stokes
7bde36e94e Remove redundant sepolicy 
We don't use MLS in Microdroid, so we don't need MLS rules, nor
mlstrusted[subject|object] labels. (We keep one MLS rule to satisfy
checkpolicy.)

A lot of attributes are unused in Microdroid, so we can remove their
declarations and any references to them. (That may not make the
compiled policy smaller, since hopefully they get optimised out
anyway, but it means there is less policy for humans to deal with.)

Remove labels that relate only to apps, which we don't have - MAC
permissions, run-as, seapp_contexts.

In passing, fix a comment snafu in both system & microdroid policy.

Bug: 223596375
Test: Run staged-apex-compile & compos_verify, no denials
Test: atest MicrodroidTests MicrodroidHostTestCases
Change-Id: Ifd3589945a2d8b4c0361e00eec5678795513fd8c
 2022-03-15 15:43:50 +00:00
Sal Savage
45b7782c2b Merge "Add sepolicy for Battery Service client role sysprop" 2022-03-15 01:31:07 +00:00
Andrew Scull
629e12499a Merge "Define access to AVF chosen node properties" 2022-03-14 17:06:24 +00:00
Andrew Scull
2dba72540c Define access to AVF chosen node properties 
Give microdroid_manager and the DICE HAL access to the AVF chosen node
properties that are used to indicate that the VM is booting in strict
more and that the current boot is provisioning a new VM instance.

Bug: 221051866
Bug: 217376291
Test: atest MicrodroidTests
Change-Id: Ie8451fc80671557086f8d825ad01600f9cb4557a
 2022-03-14 11:38:45 +00:00
Inseob Kim
aaf65c2d65 Merge changes Iace4a45c,I007d3bab 
* changes:
  microdroid: Set mls_cats to 1
  Add mls_cats property to se_policy_conf
 2022-03-14 04:59:27 +00:00
Treehugger Robot
2c905846fa Merge "system_dlkm: allow dumpstate/bugreport to getattr" 2022-03-13 22:22:54 +00:00
Sal Savage
73fdf668af Add sepolicy for Battery Service client role sysprop 
Bug: 224176587
Test: Build, this change only defines the sysprop policy
Change-Id: I27fe872955e45e241948e966b3b10834cfd36135
 2022-03-12 15:10:48 -08:00
Ramji Jiyani
3b59a537fc system_dlkm: allow dumpstate/bugreport to getattr 
Bug: 223332748
Bug: 223755339
Test: atest SELinuxHostTest#testNoBugreportDenials
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
Change-Id: Ic0bd8f641cd47cc13df8ec9384e44a7e22e1431e
 2022-03-11 21:21:57 +00:00
Frank
711fee7dd0 Add file contexts for OnDevicePersonalization. 
Test: build
Change-Id: I7fc206f06ca1dad52772211abef50407437a79dc
 2022-03-11 08:31:41 +00:00
Robert Shih
b40bf2faff Merge "clearkey aidl file_contexts: update path regex" 2022-03-10 19:17:07 +00:00
Lokesh Gidra
f8d3a6b9a1 Merge "Add userfaultfd selinux policy for app_zygote" 2022-03-10 15:16:34 +00:00
Lokesh Gidra
b016e51150 Add userfaultfd selinux policy for app_zygote 
Like zygote, webview_zygote, add userfaultfd policy for app_zygote as
well.

Bug: 160737021
Test: manual (use userfaultfd in an app-zygote)
Change-Id: I42f558c5b646bb0bd83b81fddfb608567f95c811
 2022-03-09 21:50:52 -08:00
Carlos Llamas
82a5ceb80c Merge "sepolicy: allow access to binderfs feature files" 2022-03-10 05:14:52 +00:00
Inseob Kim
35e87367b8 microdroid: Set mls_cats to 1 
Because MLS isn't really used in microdroid, setting it to 1 may help
improve performance a bit.

Bug: 223596384
Test: atest MicrodroidTests
Change-Id: Iace4a45ccda98e34fbf82b16ff2096a53b543132
 2022-03-10 13:16:13 +09:00
Inseob Kim
6e384f3a4b Add mls_cats property to se_policy_conf 
To support overriding mls_num_cats for devices which don't need MLS

Bug: 223596384
Test: build
Change-Id: I007d3bab51e0aa67b14c2af1e92bee1d644ef4c7
 2022-03-10 13:15:05 +09:00
Robert Shih
ec7f4244e8 clearkey aidl file_contexts: update path regex 
Bug: 221078453
Change-Id: Ic7c0e5a68554f254afb7fbe886fce106c34056ff
 2022-03-09 22:57:12 +00:00
Victor Hsieh
e29df1ec4a Merge "Allow dex2oat to use userfaultfd in microdroid" 2022-03-09 17:48:05 +00:00
Carlos Llamas
75821321c7 sepolicy: allow access to binderfs feature files 
The binder driver now advertises the features it supports through
individual files under /dev/binderfs/features/*. Let all domains have
access to these files to determine how to interact with the driver.

Bug: 191910201
Tested: clients are able to read feature files via libbinder
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Change-Id: Ice5de9efee74e571ef0a23ce093af162fc3b276e
 2022-03-09 08:55:10 -08:00
Alan Stokes
b02ac32420 Allow piping VM failure reason 
Allow crosvm to write a VM failure reason to virtualizationservice via the pipe provided.

Fixes this denial: avc: denied { write } for path="pipe:[95872]"
dev="pipefs" ino=95872 scontext=u:r:crosvm:s0
tcontext=u:r:virtualizationservice:s0 tclass=fifo_file

Bug: 220071963
Test: Run VM, no denial.
Change-Id: I3beedc5e715aa33209d3df0cae05f45f31e79e66
 2022-03-09 14:32:50 +00:00
Shikha Malhotra
2df2acd1e8 Merge "Adding more permission for selinux to some attributes and flags" 2022-03-09 08:19:09 +00:00
Victor Hsieh
2a017b61a6 Allow dex2oat to use userfaultfd in microdroid 
Bug: 209488862
Test: Follow instructions in b/209488862#comment12, compilation can
      only succeed with this patch
Change-Id: I6475a1be0db635de96b9f8fdbf9dd3a76c3a759b
 2022-03-08 22:29:43 +00:00
Xin Li
631f68045e Merge "Merge Android 12L" 2022-03-08 06:53:24 +00:00
Evan Rosky
bd4cd1ac70 Merge "Add a persist.wm.debug property type and associated permissions" 2022-03-08 01:42:55 +00:00
Christopher Morin
e65a7b3e2b Merge "Allow dumpstate to create tmpfs files" 2022-03-08 00:34:42 +00:00
Xin Li
6875b8a827 Merge Android 12L 
Bug: 222710654
Merged-In: Ia6c46f2de07731b0e423da6bb32a27b8c1bbe171
Change-Id: Ia65e634d559b9ddc3eb9d4dccec9b9358648dddb
 2022-03-08 00:21:27 +00:00
Evan Rosky
5cfdf2bd6e Add a persist.wm.debug property type and associated permissions 
This is intended for wm properties related to wmshell/sysui.
Using this context allows sysui to manipulate these properties
in debug builds.

Bug: 219067621
Test: manual
Change-Id: I5808bf92dbba37e9e6da5559f8e0a5fdac016bf3
 2022-03-07 19:44:59 +00:00
Treehugger Robot
071a0a1d17 Merge "Allow EVS HAL to access data from surfaceflinger" am: b774b141dc 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2010133

Change-Id: Ia6c46f2de07731b0e423da6bb32a27b8c1bbe171
 2022-03-07 17:57:06 +00:00
Treehugger Robot
b774b141dc Merge "Allow EVS HAL to access data from surfaceflinger" 2022-03-07 17:31:17 +00:00
Michael Eastwood
b7c5fe9d56 Allow vendor domain to communicate with traced. am: 670b38baa9 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2009117

Change-Id: I87a0933db89b416a50072fbad8f21884f327d554
 2022-03-07 15:55:11 +00:00
Changyeon Jo
8c4ebe21f5 Allow EVS HAL to access data from surfaceflinger 
Bug: 216727303
Test: m -j selinux_policy
Change-Id: Id89a99372e334c87cd1c80c06b5b695e5c8d69e6
 2022-03-07 15:42:17 +00:00
Michael Eastwood
670b38baa9 Allow vendor domain to communicate with traced. 
This is necessary for vendor code to be able to send trace packets to
Perfetto, which we are doing as part of an effort to provide more
detailed profiling of some vendor code.

Bug: 222684359
Test: (with downstream policy updates) m selinux_policy
Change-Id: I5ab1c04290f69e391d66a76c262d75cadb794f8d
 2022-03-04 08:30:29 -08:00
Bob Badour
bad80e1490 Move comment to license_note am: 97bef10ca6 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2008274

Change-Id: I728a46cbcb6466a466a38dcc24edb8fabd556fef
 2022-03-04 08:30:09 +00:00
Bob Badour
97bef10ca6 Move comment to license_note 
Comments not preserved during refresh.

Test: m nothing
Change-Id: Ifb0356ca49796b89446a50918bae95069b9c5fb4
 2022-03-03 14:58:45 -08:00
Inseob Kim
9acadc754d Merge changes from topic "sepolicy_test" am: 4891dbefad 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2000471

Change-Id: I865886016a9e02c6d53ff775c8b87746dae69a4a
 2022-03-03 04:29:57 +00:00
Inseob Kim
4891dbefad Merge changes from topic "sepolicy_test" 
* changes:
  Build vndservice_contexts with Android.bp
  Move sepolicy_test to Android.bp
 2022-03-03 04:02:25 +00:00
Inseob Kim
c7596c4e61 Build vndservice_contexts with Android.bp 
Bug: 33691272
Test: boot a device which uses vndservice_contexts
Change-Id: I28c36b74d4176954099f3b7e80a4869b7c44640f
 2022-03-02 17:26:44 +09:00
Inseob Kim
61257ca545 Move sepolicy_test to Android.bp 
Bug: 33691272
Test: m selinux_policy triggers sepolicy_test
Change-Id: I1618c2a35b3ce9d747db3955788427dc422fd532
 2022-03-02 17:25:52 +09:00
sandrom
6bfe9b9115 Allow apexd to enable fsverity on /metadata am: 6446490287 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1979766

Change-Id: I8bed12a4fe8145d50edf9b2425f1bf97d3b21772
 2022-03-02 08:21:21 +00:00
sandrom
6446490287 Allow apexd to enable fsverity on /metadata 
Bug: 218672709
Test: manual tests

Change-Id: Idaead3ecd3f3488512908febbdc368e184b7bca9
 2022-03-01 16:33:55 +00:00
Thiébaud Weksteen
3886aa5237 Merge "Remove bug_map for hal_wifi_default" am: 8ce2e156d0 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2001830

Change-Id: I1e1a6e65af7e4b4cfd4db5f5a6af3f66b970e793
 2022-03-01 09:40:38 +00:00
Thiébaud Weksteen
8ce2e156d0 Merge "Remove bug_map for hal_wifi_default" 2022-03-01 09:06:30 +00:00
Thiébaud Weksteen
b8abcadd5b Remove bug_map for hal_wifi_default 
Bug: 220258444
Test: build & boot cuttlefish
Change-Id: I3b5c0ad1b9cbdca5f86e7615d243192163b99aaf
 2022-02-28 14:30:22 +11:00