tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
15828 commits 1 branch 0 tags 50 MiB
Commit graph

15828 commits

This branch
This branch
All branches
Author SHA1 Message Date
Tom Cherry
68e5088cf3 [automerger skipped] Merge "Finer grained permissions for ctl. properties" am: a5db154ece 
am: 176bc442a4  -s ours

Change-Id: Ibb90d44a81d4ef80cc73c0176e70d4bc1ffb1dfd
 2018-05-24 11:35:31 -07:00
Tom Cherry
176bc442a4 Merge "Finer grained permissions for ctl. properties" 
am: a5db154ece

Change-Id: I35ee29d0db1a7385a1ae7765aca6f4604a180dc2
 2018-05-24 11:24:18 -07:00
Tom Cherry
a5db154ece Merge "Finer grained permissions for ctl. properties" 2018-05-24 16:28:24 +00:00
Joel Galenson
24b6158118 Hide bpfloader sys_admin denials. 
am: d65f26f1b0

Change-Id: I0435b600f5a163089650c02417646109a97e3e56
 2018-05-23 14:28:48 -07:00
Joel Galenson
d65f26f1b0 Hide bpfloader sys_admin denials. 
Bug: 79524845
Test: Boot device and see no denials.
Change-Id: I9316bfd0e3718818a7613a421aedff7da8c87108
 2018-05-23 08:36:40 -07:00
Tri Vo
6f5a6287be Merge "Account for multiple BOARD_PLAT_PUBLIC[PRIVATE]_SEPOLICY_DIR dirs" am: 35c9537b64 
am: c9355c5197

Change-Id: Idf27b945c2f77ac34c2a91c062fa4486941f4cb6
 2018-05-22 16:07:12 -07:00
Tri Vo
c9355c5197 Merge "Account for multiple BOARD_PLAT_PUBLIC[PRIVATE]_SEPOLICY_DIR dirs" 
am: 35c9537b64

Change-Id: I797608d735bf8cf3a554ff4ea9fc391b46d5fe4f
 2018-05-22 16:02:26 -07:00
Treehugger Robot
35c9537b64 Merge "Account for multiple BOARD_PLAT_PUBLIC[PRIVATE]_SEPOLICY_DIR dirs" 2018-05-22 22:50:59 +00:00
Jordan Liu
6c5908a1d0 [automerger skipped] Merge "Setup policy for downloaded apns directory" into pi-dev 
am: 7af4a1f110  -s ours

Change-Id: I01865bcdbf8724dbfc64f90256a86edc4cc0d549
 2018-05-22 14:32:48 -07:00
Niklas Lindgren
751a16186c [automerger skipped] Setup policy for downloaded apns directory 
am: 780cd6df4b  -s ours

Change-Id: I8c11ee2cd6090ecc8a2fa1753c7c8bb14b8394e6
 2018-05-22 14:22:38 -07:00
Jordan Liu
7af4a1f110 Merge "Setup policy for downloaded apns directory" into pi-dev 2018-05-22 21:12:31 +00:00
Tom Cherry
7b8be35ddf Finer grained permissions for ctl. properties 
Currently, permissions for ctl. property apply to each action verb, so
if a domain has permissions for controlling service 'foo', then it can
start, stop, and restart foo.

This change implements finer grainer permissions such that permission
can be given to strictly start a given service, but not stop or
restart it.  This new permission scheme is mandatory for the new
control functions, sigstop_on, sigstop_off, interface_start,
interface_stop, interface_restart.

Bug: 78511553
Test: see appropriate successes and failures based on permissions
Merged-In: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
Change-Id: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
(cherry picked from commit 2208f96e9e)
 2018-05-22 13:47:16 -07:00
Tom Cherry
e21e9e6373 Merge "Finer grained permissions for ctl. properties" into pi-dev 
am: 0e403c8242

Change-Id: I778a16ae2bcc5713ba3ca1c81fd90c97b0a5d64d
 2018-05-22 13:26:42 -07:00
Tom Cherry
0e403c8242 Merge "Finer grained permissions for ctl. properties" into pi-dev 2018-05-22 20:15:07 +00:00
Joel Galenson
7d90706a96 Exclude bug_map from the sepolicy_freeze_test. am: 98f83b67cc 
am: b827679256

Change-Id: I20e21172ecc08125b958712d1da6aa57cec40e95
 2018-05-22 11:30:51 -07:00
Joel Galenson
b827679256 Exclude bug_map from the sepolicy_freeze_test. 
am: 98f83b67cc

Change-Id: Iea6b2fc54f01b06f97d94ac1996b59f816b646f2
 2018-05-22 11:26:18 -07:00
Alan Stokes
491a095435 Remove fixed bug from bug_map. 
am: c8711592ad

Change-Id: Ib622f35e8adb682c5a2b0eef9ae02857d028597c
 2018-05-22 10:52:15 -07:00
Tri Vo
111cdce6ac Account for multiple BOARD_PLAT_PUBLIC[PRIVATE]_SEPOLICY_DIR dirs 
After https://android-review.googlesource.com/688488
BOARD_PLAT_PUBLIC[PRIVATE]_SEPOLICY_DIR can now specify multiple
directories.

Bug: n/a
Test: build sepolicy
Change-Id: Ie2af81a4f9462cd05352db71fd1e515531d42334
 2018-05-22 09:25:07 -07:00
Joel Galenson
98f83b67cc Exclude bug_map from the sepolicy_freeze_test. 
The bug_map file is only used whitelisting known test failures.  It
needs to change fairly often to fix new failures and it doesn't affect
users, so it shouldn't matter if it diverges from prebuilts.

Test: Enable this test and build with and without different bug_maps.
Change-Id: I9176a6c7e9f7852a0cd7802fd121b1e86b216b22
 2018-05-22 09:22:41 -07:00
Tom Cherry
2208f96e9e Finer grained permissions for ctl. properties 
Currently, permissions for ctl. property apply to each action verb, so
if a domain has permissions for controlling service 'foo', then it can
start, stop, and restart foo.

This change implements finer grainer permissions such that permission
can be given to strictly start a given service, but not stop or
restart it.  This new permission scheme is mandatory for the new
control functions, sigstop_on, sigstop_off, interface_start,
interface_stop, interface_restart.

Bug: 78511553
Test: see appropriate successes and failures based on permissions

Change-Id: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
 2018-05-22 09:13:16 -07:00
Alan Stokes
c8711592ad Remove fixed bug from bug_map. 
Bug: 77816522
Bug: 73947096

Test: Flashed device, no denial seen
Change-Id: Ib2f1fc670c9a76abbb9ff6747fec00fa5bcde5af
(cherry picked from commit 62913dbfd2)
 2018-05-22 08:41:23 -07:00
Tom Cherry
bab2435a06 Merge "neverallow coredomain from writing vendor properties" into pi-dev 
am: e5cc744d18

Change-Id: I66f2965200090a4ded857c6eb9ac6b79ee5b596c
 2018-05-21 22:10:10 -07:00
TreeHugger Robot
e5cc744d18 Merge "neverallow coredomain from writing vendor properties" into pi-dev 2018-05-22 05:04:40 +00:00
Logan Chien
ac05755694 [automerger skipped] Merge "Add ro.vndk.lite to property_contexts" am: 60227ea7c0 
am: 9deac4f8a7  -s ours

Change-Id: I328e81b89e14fcffadec3f034c607182076ac041
 2018-05-21 21:16:52 -07:00
Logan Chien
9deac4f8a7 Merge "Add ro.vndk.lite to property_contexts" 
am: 60227ea7c0

Change-Id: I09c42f8992b912089458e1426f14434d7568b845
 2018-05-21 21:07:38 -07:00
Logan Chien
60227ea7c0 Merge "Add ro.vndk.lite to property_contexts" 2018-05-22 04:04:07 +00:00
Bowgo Tsai
eb2ff1cbdd Merge "ueventd: allow reading kernel cmdline" into pi-dev 
am: fd00fd123d

Change-Id: I9421816a71b08b24f652f61dec994a153354e2df
 2018-05-21 16:28:37 -07:00
Carmen Jackson
59b08ee9ac [automerger skipped] Merge "Add sync and fence tracepoints to user-visible list of tracepoints." am: cfaaa9f42d 
am: 2e22f88dc5  -s ours

Change-Id: I5750ca03dd2851b1a194d129acaa9ac3513c44c1
 2018-05-21 16:21:33 -07:00
Carmen Jackson
2e22f88dc5 Merge "Add sync and fence tracepoints to user-visible list of tracepoints." 
am: cfaaa9f42d

Change-Id: Id15a4518ee6d9a64c815a115e8f68a90e1052626
 2018-05-21 16:15:40 -07:00
TreeHugger Robot
fd00fd123d Merge "ueventd: allow reading kernel cmdline" into pi-dev 2018-05-21 23:14:38 +00:00
Treehugger Robot
cfaaa9f42d Merge "Add sync and fence tracepoints to user-visible list of tracepoints." 2018-05-21 23:09:30 +00:00
Niklas Lindgren
780cd6df4b Setup policy for downloaded apns directory 
apns downloaded will enter a new directory that
TelephonyProvider can access.

Bug: 79948106
Test: Manual
Change-Id: I1e7660adf020dc7052da94dfa03fd58d0386ac55
Merged-In: I1e7660adf020dc7052da94dfa03fd58d0386ac55
 2018-05-21 15:58:16 -07:00
Jordan Liu
05497ede82 Merge "Setup policy for downloaded apns directory" am: fdb38fa6d0 
am: a968e32d7c

Change-Id: Ia7aa0f73ef36ec9c8f992a8e1412585ab54a10be
 2018-05-21 14:49:22 -07:00
Jordan Liu
a968e32d7c Merge "Setup policy for downloaded apns directory" 
am: fdb38fa6d0

Change-Id: I2304c445ffa2192609570f08c8214ea9fa33dd6c
 2018-05-21 14:21:14 -07:00
Carmen Jackson
e22f04c975 Add sync and fence tracepoints to user-visible list of tracepoints. 
The 'sync' tracepoint was updated to be 'fence' in kernel 4.9, so this
change also adds that one to the list.

Bug: 79935503
Test: Took a trace using 'sync' in user mode and saw the tracepoints
being saved.

Change-Id: I793c6f54cd9364f33853983f8c5dfb28b98c2708
Merged-In: I793c6f54cd9364f33853983f8c5dfb28b98c2708
 2018-05-21 14:18:46 -07:00
Carmen Jackson
8640cffa1e Merge "Add sync and fence tracepoints to user-visible list of tracepoints." into pi-dev 
am: 09648d9ae3

Change-Id: I1821400703aa5dc41a485d3430946345978045c0
 2018-05-21 14:12:20 -07:00
TreeHugger Robot
09648d9ae3 Merge "Add sync and fence tracepoints to user-visible list of tracepoints." into pi-dev 2018-05-21 21:06:39 +00:00
Carmen Jackson
f47f0c3869 Add sync and fence tracepoints to user-visible list of tracepoints. 
The 'sync' tracepoint was updated to be 'fence' in kernel 4.9, so this
change also adds that one to the list.

Bug: 79935503
Test: Took a trace using 'sync' in user mode and saw the tracepoints
being saved.

Change-Id: I793c6f54cd9364f33853983f8c5dfb28b98c2708
 2018-05-21 12:18:18 -07:00
Jordan Liu
fdb38fa6d0 Merge "Setup policy for downloaded apns directory" 2018-05-21 19:06:54 +00:00
Paul Crowley
c9e9b326d0 Merge "Move more metadata policy from device to here" into pi-dev 
am: 5252ad93e2

Change-Id: I591f253f82a91b1e953f46ff2c29e48e4929665b
 2018-05-21 10:46:45 -07:00
TreeHugger Robot
5252ad93e2 Merge "Move more metadata policy from device to here" into pi-dev 2018-05-21 17:36:12 +00:00
Tri Vo
87cd58bb33 Merge "audioserver: add access to wake locks." am: 7710647a65 
am: 68760afb6c

Change-Id: I7695e7d5f20eda1820ff31663f74c72613f62c82
 2018-05-21 10:33:12 -07:00
Tri Vo
68760afb6c Merge "audioserver: add access to wake locks." 
am: 7710647a65

Change-Id: Ia731204c3bb8b47d4740eb08b10a4d5be757788d
 2018-05-21 10:24:48 -07:00
Niklas Lindgren
f3626f3a86 Setup policy for downloaded apns directory 
apns downloaded will enter a new directory that
TelephonyProvider can access.

Bug: 79948106
Test: Manual
Change-Id: I1e7660adf020dc7052da94dfa03fd58d0386ac55
 2018-05-21 18:45:50 +02:00
Tri Vo
7710647a65 Merge "audioserver: add access to wake locks." 2018-05-21 16:28:10 +00:00
Bowgo Tsai
282fc3e48e ueventd: allow reading kernel cmdline 
This is needed when ueventd needs to read device tree files
(/proc/device-tree). Prior to acccess, it tries to read
"androidboot.android_dt_dir" from kernel cmdline for a custom
Android DT path.

Bug: 78613232
Test: boot a device without unknown SELinux denials
Change-Id: Iff9c882b4fcad5e384757a1e42e4a1d1259bb574
(cherry picked from commit 98ef2abb12)
 2018-05-21 09:55:41 +08:00
Frank Salim
956b93623a Merge "Add ro.hardware.keystore_desede" into pi-dev 
am: a0f9509908

Change-Id: I8fed87b5514516d2dcb8d1796ee42ca081ee490d
 2018-05-18 16:04:36 -07:00
Frank Salim
a0f9509908 Merge "Add ro.hardware.keystore_desede" into pi-dev 2018-05-18 22:49:00 +00:00
Paul Crowley
bb3ba3e5d9 Move more metadata policy from device to here 
Test: booted metadata-encrypted device
Bug: 79781913
Change-Id: Ib4cb4a04145e5619994083da055f06fe7ae0137a
 2018-05-18 14:12:40 -07:00
Frank Salim
6fe4ef7e8c Add ro.hardware.keystore_desede 
This allows Android Keystore to statically register support for 3DES
during zygote initialization based on the device's support for hardware
backed 3DES keys.

Bug: b/79986680
Test: keystore CTS
Change-Id: Ic9a6653cdd623a3ab10e0efbcdb37c437e6c59b9
 2018-05-18 18:25:44 +00:00