tequilaOS/platform_system_sepolicy

Author	SHA1	Message	Date
Daniel Norman	4245d0413b	Allow system_server access to hidraw devices. This allows AccessibilityManagerService in system_server to interact with a HID-supported Braille Display. Bug: 303522222 Test: ls -z /dev/hidraw0 Test: plat_file_contexts_test Test: Open FileInputStream and FileOutputStream on this device path from AccessibilityManagerService (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:67a63cc046769759aa43cf1653f11e57c55cd1db) Merged-In: I2982e907bd2a70c1e4e8161647d6efd65110b99c Change-Id: I2982e907bd2a70c1e4e8161647d6efd65110b99c	2023-11-30 23:33:55 +00:00
Seungjae Yoo	d2a0892121	Introduce vendor_microdroid_file for microdroid vendor image In AVF, virtualizationmanager checks the selinux label of given disk image for proving whether the given image is edited maliciously. Existing one(vendor_configs_file, /vendor/etc/*) was too wide to use for this purpose. Bug: 285854379 Test: m Change-Id: I6c966c92b238a2262d2eb7f41041ed4c359e9e0a	2023-11-16 16:44:15 +09:00
Thiébaud Weksteen	aead1ae441	Document the file_contexts evaluation Remove a duplicate entry with its comment as the sorting logic is not applied since commit `dfa4a48b`. Bug: 299839280 Test: m selinux_policy Change-Id: I4fa556c2ff8f114b56bba7ab32fac1d17373ef8b	2023-11-09 15:23:13 +11:00
Nate Myren	0e15f2d9c5	Add appcompat override files and contexts to SELinux This also allows the zygote to bind mount the system properties Bug: 291814949 Test: manual Change-Id: Ie5540faaf3508bc2d244c952904838d56aa67434	2023-10-23 18:34:12 +00:00
Thiébaud Weksteen	a8bcaec228	Merge changes I3a6f9db9,Ifb4453d0,I33d88b42 into main * changes: Refactor contextsTestModule Fix private/file_contexts entry order checkfc: validate that all rules are matching	2023-10-23 04:06:09 +00:00
Rhed Jao	ebe1316695	Create sepolicy for allowing system_server rw in /metadata/repair-mode Bug: 277561275 Test: ls -all -Z /metadata/repair-mode Change-Id: Ie27b6ef377bb3503e87fbc5bb2446bc0de396123	2023-10-23 13:38:38 +11:00
Thiébaud Weksteen	9c2a967114	Fix private/file_contexts entry order Add test entries for property_service_for_system and virtual_camera. Re-order file_contexts so that /data/vendor/tombstones/wifi and /data/misc/perfetto-traces/bugreport are labelled correctly. Bug: 299839280 Test: checkfc -t ./private/file_contexts ./contexts/plat_file_contexts_test pass Change-Id: Ifb4453d02327b5cf678e6a4cd927b5df0960086b	2023-10-23 10:51:11 +11:00
Treehugger Robot	c5509a8ea0	Merge "Policy for virtual_camera native service" into main	2023-10-18 15:55:42 +00:00
Vadim Caen	f6e88ec70a	Policy for virtual_camera native service Change-Id: Id0c582f9259ffd056b22f111d7e81bc061c2371d	2023-10-13 16:42:11 +02:00
Treehugger Robot	57056e5249	Merge "Fix context for mapping/xx.yy.compat.cil files" into main	2023-10-11 03:18:57 +00:00
Maciej Żenczykowski	834447d058	file_contexts: remove btfloader, add netbpfload btfloader is dead. bpfloader is being split in twain. (it will eventually get it's own context, but for now this works) Test: TreeHugger Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: I7577e777545a0fa77a6467fb425aefc99a6e68d0	2023-10-09 18:46:07 +00:00
Thiébaud Weksteen	6bf1581f1c	Fix context for mapping/xx.yy.compat.cil files The current file_contexts regular expression did not include the .compat part of the policy. Before: # ls -alZ /system/etc/selinux/mapping drwxr-xr-x 2 root root u:object_r:system_file:s0 332 2009-01-01 00:00 . drwxr-xr-x 3 root root u:object_r:system_file:s0 376 2009-01-01 00:00 .. -rw-r--r-- 1 root root u:object_r:sepolicy_file:s0 224062 2009-01-01 00:00 10000.0.cil -rw-r--r-- 1 root root u:object_r:sepolicy_file:s0 112668 2009-01-01 00:00 29.0.cil -rw-r--r-- 1 root root u:object_r:system_file:s0 1003 2009-01-01 00:00 29.0.compat.cil -rw-r--r-- 1 root root u:object_r:sepolicy_file:s0 125916 2009-01-01 00:00 30.0.cil -rw-r--r-- 1 root root u:object_r:system_file:s0 1059 2009-01-01 00:00 30.0.compat.cil After: # ls -alZ /system/etc/selinux/mapping drwxr-xr-x 2 root root u:object_r:system_file:s0 332 2023-10-06 03:40 . drwxr-xr-x 3 root root u:object_r:system_file:s0 376 2023-10-06 03:40 .. -rw-r--r-- 1 root root u:object_r:sepolicy_file:s0 224062 2023-10-04 22:58 10000.0.cil -rw-r--r-- 1 root root u:object_r:sepolicy_file:s0 112668 2023-10-04 22:58 29.0.cil -rw-r--r-- 1 root root u:object_r:sepolicy_file:s0 1003 2023-09-06 01:51 29.0.compat.cil -rw-r--r-- 1 root root u:object_r:sepolicy_file:s0 125916 2023-10-04 22:58 30.0.cil -rw-r--r-- 1 root root u:object_r:sepolicy_file:s0 1059 2023-09-06 01:51 30.0.compat.cil Test: boot cf & inspect new labels Bug: 299839280 Change-Id: Ic833ccf59a6c75b0757df9de6e3fed0992839c74	2023-10-06 15:20:35 +11:00
Yu-Ting Tseng	f3e2bf3bc2	Merge "Revert "Revert "SELinux policy changes for uprobe.""" into main am: `7a9e87c4dc` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2762026 Change-Id: I8bc9096be89bea5d84e63e5f040a4ee170171676 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-09-27 16:26:11 +00:00
Yu-Ting Tseng	7a9e87c4dc	Merge "Revert "Revert "SELinux policy changes for uprobe.""" into main	2023-09-27 15:17:44 +00:00
Yu-Ting Tseng	3e8e8eac08	Revert "Revert "SELinux policy changes for uprobe."" This reverts commit `e2bd44d48d`. Reason for revert: 2nd attempt to add the policy change Test: m selinux_policy Change-Id: I5b9a102879a65917d496ba2194187ddd2b4545d1	2023-09-25 13:30:34 -07:00
Qais Yousef	2376f09b33	Merge "Revert "SELinux policy changes for uprobe."" into main am: `e11729f825` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2759328 Change-Id: I6756e4cf2038bcc8ff67e547ff6368e7dcf8cbc7 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-09-25 09:59:24 +00:00
Qais Yousef	e11729f825	Merge "Revert "SELinux policy changes for uprobe."" into main	2023-09-25 09:24:47 +00:00
Inseob Kim	075c18b495	Remove remaining APEX sepolicy types am: `2f0bcc1b0a` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2761425 Change-Id: Id60354d0340ccd4be990c99b9a58d0eea01e1ebc Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-09-25 09:06:41 +00:00
Inseob Kim	2f0bcc1b0a	Remove remaining APEX sepolicy types Bug: 297794885 Test: boot cuttlefish Change-Id: I2ff465217adcf1bb0267ea6d487a9a46b6584458	2023-09-25 11:19:44 +09:00
Yu-Ting Tseng	e2bd44d48d	Revert "SELinux policy changes for uprobe." This reverts commit `c69343fea9`. Reason for revert: b/301700965 Change-Id: Id858e82398cb6dc65be355ce27f3c9d56f889cfa	2023-09-23 04:13:14 +00:00
Yu-Ting Tseng	4bad805071	Merge "SELinux policy changes for uprobe." into main am: `fcc90e8af2` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2645793 Change-Id: I90e001b5dc22282010ea0f29f98c9b079139d759 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-09-22 20:51:11 +00:00
Yu-Ting Tseng	c69343fea9	SELinux policy changes for uprobe. Test: m selinux_policy Change-Id: I56565c05b6337ecd5ec20fb11443c13daaef1ad8	2023-09-21 14:50:13 -07:00
Treehugger Robot	bf807744ad	Merge "[service-vm] Adjust sepolicy for running service VM" into main am: `3e4b7bf2ce` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2735894 Change-Id: Ia0868d86d649329f40122b3d51d521bcdd4aa5c6 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-09-04 17:30:47 +00:00
Treehugger Robot	3e4b7bf2ce	Merge "[service-vm] Adjust sepolicy for running service VM" into main	2023-09-04 17:10:03 +00:00
Alice Wang	40519f79dc	[service-vm] Adjust sepolicy for running service VM Bug: 278858244 Test: Runs the ServiceVmClientApp in VM Test: atest MicrodroidHostTests Change-Id: Ia59fe910edc0826aa5866468c27558e9d190b58d	2023-09-04 13:01:53 +00:00
Devin Moore	402260249c	Merge "Moving hwservicemanager and allocator to system_ext" into main am: `424c64de83` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2608419 Change-Id: If98df98c42019a9c8d59798eeabd9818d792d66c Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-08-31 16:22:41 +00:00
Devin Moore	424c64de83	Merge "Moving hwservicemanager and allocator to system_ext" into main	2023-08-31 15:51:14 +00:00
Xin Li	e07dbe0a63	Merge Android U (ab/10368041) Bug: 291102124 Merged-In: Id2cc5dbbafffb4633706e5cc728cb44abd417340 Change-Id: I77e68f17a1273958bcdc32b5a4b6a0ff3ffdfd2a	2023-08-23 17:20:59 -07:00
Alfred Piccioni	ee7e77ba63	Merge "Revert ntfs file context changes" into main	2023-08-23 12:47:58 +00:00
Alfred Piccioni	33ebe0ef1b	Revert ntfs file context changes Partial revert of: commit `3e1dc57bf4` commit `30ae427ed0` The current file contexts could break potential implementations of NTFS by partners in future. I am not rolling back the adjoining fuseblkd_exec andfuseblkd_untrusted_exec code, because secure implementations of fuseblk drivers should still endeavour to use the more compartmentalised policies. However, as we don't support NTFS officially, we should give implementors the choices whether to use it or not, even if it will open the door to potentially less secure implementations. NTFS Context: http://b/254407246, https://docs.google.com/document/d/1b5RjdhN2wFFqmLCK0P_chVyiEhiYqNlTn52TFBMNwxk Bug: 294925212 Test: Builds and boot. Change-Id: I6d3858517e797b3f7388f9d3f18dd4a11770d5bc	2023-08-23 11:42:20 +00:00
Seigo Nonaka	d570a5c30f	Make font_fallback.xml unreadable Bug: 281769620 Test: atest CtsGraphicsTestCases Test: atest CtsTextTestCases Change-Id: I05011c9313fa3818ec50d9884227512ef1b0fda9	2023-08-14 07:46:19 +09:00
Jooyung Han	04462f3010	Merge "Revert^2 "Add /bootstrap-apex"" into main	2023-08-10 02:38:30 +00:00
Jooyung Han	8677587245	Revert^2 "Add /bootstrap-apex" `aca291806e` Change-Id: I99d9ba6e804ded5d2fd983e42f143f562c32ce58	2023-08-09 07:05:31 +00:00
Inseob Kim	825056de9a	Add permission for VFIO device binding vfio_handler will bind platform devices to VFIO driver, and then return a file descriptor containing DTBO. This change adds permissions needed for that. Bug: 278008182 Test: adb shell /apex/com.android.virt/bin/vm run-microdroid \ --devices /sys/bus/platform/devices/16d00000.eh --protected Change-Id: Ie947adff00d138426d4703cbb8e7a8cd429c2272	2023-08-02 15:06:51 +09:00
Jooyung Han	aca291806e	Revert "Add /bootstrap-apex" Revert submission 2666915-share-bootstrap Reason for revert: b/293949266 vold_prepare_subdirs fails to create apexdata directories. Reverted changes: /q/submissionid:2666915-share-bootstrap Change-Id: Idab6db691c1130a1f5d596f5e05783cab7fdde05	2023-08-01 09:06:42 +00:00
Yunkai Lim	486fa9fb0a	Revert "Remove fsverity_init SELinux rules" Revert submission 2662658-fsverity-init-cleanup Reason for revert: Culprit for test breakage b/293232766 Reverted changes: /q/submissionid:2662658-fsverity-init-cleanup Change-Id: I941c28e44890edd0e06dcc896fbd5158d34fded3	2023-07-26 06:21:37 +00:00
Lee George Thomas	407e1cf1a4	Label /data/misc/bootanim with bootanim_data_file. /data/bootanim location is changed to /data/misc/bootanim as a follow up change to aosp/q/topic:"bootanim_data_folder". The label is updated for the new file location. Bug: 210757252 Test: /data/misc/bootanim is labeled correctly. BootAnimation can access this folder. Change-Id: I9a54cf0dba470302df4180fb17fb104fb483b23d	2023-07-25 23:33:30 +00:00
Jooyung Han	1c846df3b0	Add /bootstrap-apex It will be used to mount bootstrap APEXes. (with bind-mount to /apex) Bug: 290148078 Test: atest VendorApexHostTestCases Change-Id: I1a82af37db368a0eb2bf3a002a47439fb1f8b61d	2023-07-22 20:44:00 +09:00
Eric Biggers	306f510611	Remove fsverity_init SELinux rules Since the fsverity_init binary is being removed, remove the corresponding SELinux rules too. For now, keep the rule "allow domain kernel:key search", which existed to allow the fsverity keyring to be searched. It turns out to actually be needed for a bit more than that. We should be able to replace it with something more precise, but we need to be careful. Bug: 290064770 Test: Verified no SELinux denials when booting Cuttlefish Change-Id: I992b75808284cb8a3c26a84be548390193113668	2023-07-20 17:57:23 +00:00
Kangping Dong	f946b06074	Merge "add sepolicy rules for Thread network" am: `aa83af5c3b` am: `ff6ae919c2` am: `498a752dd7` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2612795 Change-Id: Iaf8e6d654eb9fbb7d2b2b17ef16468b0eb7f6ce1 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-06-08 14:50:57 +00:00
Yakun Xu	07429e39ee	add sepolicy rules for Thread network bug: 257371610 (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0fd52fd521b8167b0ec8836dac3765a16fd6863b) Merged-In: I2c90639f4baecb010230b3aa60f2f09c0ddd9e4f Change-Id: I2c90639f4baecb010230b3aa60f2f09c0ddd9e4f	2023-06-07 07:04:19 +00:00
Devin Moore	300e0b54cf	Moving hwservicemanager and allocator to system_ext We want to remove these by default from Android V+ devices and still allow some devices to add them back. So they are moved to system_ext. Test: m && launch_cvd # check for hwservicemanager running Bug: 218588089 Change-Id: I67611c8759b82750de829a38b857b3dffd6da83a	2023-05-31 23:35:42 +00:00
Treehugger Robot	c684d3919a	Merge "Set up sepolicy for drmserver64" am: `8a676d0a4c` am: `4ee23573de` am: `cd18eb9883` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2588745 Change-Id: I0a50a888cdcf2a64752c9c2e3bf096306e97936b Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-05-25 03:50:01 +00:00
SzuWei Lin	9ea325facc	Set up sepolicy for drmserver64 Add drmserver(32\|64) for supporting 64-bit only devices. The patch is for setting up the sepolicy for drmserver(32\|64). Bug: 282603373 Test: make gsi_arm64-user; Check the sepolicy Change-Id: If8451de8120372b085de1977ea8fd1b28e5b9ab0 Merged-In: If8451de8120372b085de1977ea8fd1b28e5b9ab0	2023-05-17 05:01:28 +00:00
Treehugger Robot	f39f800139	Merge "Allow snapuserd to write log files to /data/misc" am: `5ab4239bfb` am: `caced74f2c` am: `b0cc16407d` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2573077 Change-Id: Iae5fff7a7afdc217852ae2d0e984a5ab9a15677a Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-05-02 07:55:04 +00:00
Kelvin Zhang	dbe230a193	Allow snapuserd to write log files to /data/misc snapuserd logs are important when OTA failures happen. To make debugging easier, allow snapuserd to persist logs in /data/misc/snapuserd_logs , and capture these logs in bugreport. Bug: 280127810 Change-Id: I49e30fd97ea143e7b9c799b0c746150217d5cbe0	2023-05-01 17:15:17 -07:00
Treehugger Robot	68e237aa8c	Merge changes from topic "b268128589" am: `d073bd4209` am: `cf5963c6a8` am: `cfe9c14ada` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2529324 Change-Id: I149c1a56de8f4bd11738832cc18d19aca41c4b6f Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-04-18 23:43:59 +00:00
Changyeon Jo	63c301ac62	Revert "Modify the automotive display service file context" This reverts commit `edf5420830`. Bug: 268128589 Test: Treehugger Change-Id: I3961148239831f41423b03d65de0b9b1b4a47724	2023-04-08 00:14:14 +00:00
Changyeon Jo	916ad0da24	Revert "Move cardisplayproxyd to system_ext" This reverts commit `fc0b3da21f`. Bug: 268128589 Test: Treehugger Change-Id: I562b78d2f7550ee9e15be049f9db3fd1eeb491d8	2023-04-08 00:13:59 +00:00
Treehugger Robot	a6a5b67a6f	Merge "Move cardisplayproxyd to system_ext" am: `a5dbf64602` am: `eb879ba0b1` am: `e8776c20b6` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2486580 Change-Id: Ic8d2d952a6e1ada0c799d9279824f7333de844b7 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-03-15 07:21:48 +00:00

1 2 3 4 5 ...

891 commits