tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
37519 commits 1 branch 0 tags 50 MiB
Commit graph

37519 commits

This branch
This branch
All branches
Author SHA1 Message Date
Bram Bonné
6c71ebdc64 Merge "Restrict sandbox access to drmservice" am: 11b691844f am: dabf511c2e am: 6af1a00c41 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2038304

Change-Id: Ibf0c435ef45c8bb66338e959284f3cc79bd20a0d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-03-25 09:03:57 +00:00
Bram Bonné
6af1a00c41 Merge "Restrict sandbox access to drmservice" am: 11b691844f am: dabf511c2e 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2038304

Change-Id: I1fd9c39ae89432b3267d2fb4296078f8bdd9e4ea
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-03-25 08:42:08 +00:00
Bram Bonné
dabf511c2e Merge "Restrict sandbox access to drmservice" am: 11b691844f 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2038304

Change-Id: I54b7b5180669a55e581208839a6cb5b5150e4eac
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-03-25 08:25:49 +00:00
Bram Bonné
11b691844f Merge "Restrict sandbox access to drmservice" 2022-03-25 08:07:24 +00:00
Treehugger Robot
0809b5e7e9 Merge "microdroid: dont audit access to event-log-tags" am: c2b73ca1b2 am: 99462a5894 am: 15edd98f16 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2032564

Change-Id: Ia4bd6af6a4ea7da21b5374b1f3f775f8839d1753
Signed-off-by: Automerger Merge Worker
 2022-03-24 23:11:15 +00:00
Treehugger Robot
15edd98f16 Merge "microdroid: dont audit access to event-log-tags" am: c2b73ca1b2 am: 99462a5894 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2032564

Change-Id: I57bf4dd588f5f1c3237a320ae3bf8693316b9e7a
Signed-off-by: Automerger Merge Worker
 2022-03-24 22:49:41 +00:00
Treehugger Robot
99462a5894 Merge "microdroid: dont audit access to event-log-tags" am: c2b73ca1b2 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2032564

Change-Id: I6c3eade3f964aacea6a05c5cd9d343f0abb304ec
Signed-off-by: Automerger Merge Worker
 2022-03-24 22:34:42 +00:00
Treehugger Robot
c2b73ca1b2 Merge "microdroid: dont audit access to event-log-tags" 2022-03-24 22:16:47 +00:00
Victor Hsieh
1059b9ad19 Merge "Allow odrefresh to use userfaultfd" am: e82248bcb0 am: 73dbe7b5e8 am: 9b23dcb4af 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2040965

Change-Id: I1f0a568116ac7309d6bc90938c227fa97d05ec48
 2022-03-24 16:44:42 +00:00
Victor Hsieh
9b23dcb4af Merge "Allow odrefresh to use userfaultfd" am: e82248bcb0 am: 73dbe7b5e8 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2040965

Change-Id: I0a5e28e7b207e2008024f2f219d35f394cee665a
 2022-03-24 15:57:54 +00:00
Victor Hsieh
73dbe7b5e8 Merge "Allow odrefresh to use userfaultfd" am: e82248bcb0 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2040965

Change-Id: I1a571ae2eda151b3dbc037fbe1d1a2f11d004eb9
 2022-03-24 15:30:56 +00:00
Alan Stokes
243c96cabf Remove redundant neverallow am: f69f5a6512 am: e9ef3f1f1e am: 6df330038b 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2041703

Change-Id: I76ebd3b60720a6e5fc92fe5e3707f761b4ca06fc
 2022-03-24 15:16:14 +00:00
Victor Hsieh
e82248bcb0 Merge "Allow odrefresh to use userfaultfd" 2022-03-24 15:15:17 +00:00
Alan Stokes
6df330038b Remove redundant neverallow am: f69f5a6512 am: e9ef3f1f1e 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2041703

Change-Id: Iddc6f3aefc50590dc42147e01f14261817ab25c6
 2022-03-24 15:02:00 +00:00
Alan Stokes
e9ef3f1f1e Remove redundant neverallow am: f69f5a6512 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2041703

Change-Id: Ia730da91bf826bfe4465a9e287ee2db07781991a
 2022-03-24 14:32:22 +00:00
Bram Bonne
85dfe313e5 Restrict sandbox access to drmservice 
Bug: 226390597
Test: atest SdkSandboxRestrictionsTest

Change-Id: I49b55d66f1cdc1e8d65e3419460615822c3c3ef3
 2022-03-24 14:09:46 +01:00
Treehugger Robot
c97d76e491 Merge "Remove media crash neverallow exception." am: 34f4ca820f am: a5003227d3 am: a7b911daf6 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2027103

Change-Id: I1635dcb6ffd32050fa9f18f3f0163f4dda2d86b2
 2022-03-24 12:21:29 +00:00
Treehugger Robot
a7b911daf6 Merge "Remove media crash neverallow exception." am: 34f4ca820f am: a5003227d3 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2027103

Change-Id: I6608b57c17c3f82cb5e99d8d00ac6280ba23b409
 2022-03-24 12:06:59 +00:00
Alan Stokes
f69f5a6512 Remove redundant neverallow 
commit 7fd8933f0c removed this from host
sepolicy. It's redundant here as well.

Bug: 223596375
Test: Builds
Change-Id: I39d7432c6e31f49de5eb8dca8acc7e9c5d190617
 2022-03-24 11:56:20 +00:00
Treehugger Robot
a5003227d3 Merge "Remove media crash neverallow exception." am: 34f4ca820f 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2027103

Change-Id: I9a079ac63a7145d0cd2699d351886dc56fd64b7e
 2022-03-24 11:43:51 +00:00
Treehugger Robot
34f4ca820f Merge "Remove media crash neverallow exception." 2022-03-24 11:22:39 +00:00
Alessio Balsini
371dd6a90c FUSE-BPF: vold and MediaProvider access to ro.fuse.bpf.enabled am: bf729fdcf6 am: 193b5f9e72 am: 2d2cc2c0c2 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2039324

Change-Id: Ied6af0356e66dd27043b407a82922796494cc8a9
 2022-03-24 11:09:26 +00:00
Alessio Balsini
2d2cc2c0c2 FUSE-BPF: vold and MediaProvider access to ro.fuse.bpf.enabled am: bf729fdcf6 am: 193b5f9e72 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2039324

Change-Id: I7491aa07ea7c94b1b47d389dae9f4e8bffd40a2e
 2022-03-24 10:37:38 +00:00
Alessio Balsini
193b5f9e72 FUSE-BPF: vold and MediaProvider access to ro.fuse.bpf.enabled am: bf729fdcf6 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2039324

Change-Id: If4f9481d6600cbadff7d12a949041f998db97d01
 2022-03-24 09:59:41 +00:00
Victor Hsieh
6c874fb295 Allow odrefresh to use userfaultfd 
This isn't really used at the moment, but since the decision was to keep
the capability for future ART change, we should also allow it in CompOS
for consistency.

While I'm on in, rearrange the policy to group mirrored policies
together.

Bug: 209488862
Test: None
Change-Id: Id6afafc42005e711127a1e0831d4dd03e48959eb
 2022-03-23 17:21:22 -07:00
Alessio Balsini
bf729fdcf6 FUSE-BPF: vold and MediaProvider access to ro.fuse.bpf.enabled 
This system property is going to be used by vold and MediaProvider to
enable/disable the FUSE-BPF feature in dogfood.
This is a simple way to quickly turn the feature off is breakages are
detected.

Bug: 202785178
Test: adb logcat | grep "FuseDaemon" | grep BPF
Signed-off-by: Alessio Balsini <balsini@google.com>
Change-Id: I65ae60b6a505db52b30232b9e5a504eccaafa1eb
 2022-03-23 20:58:32 +00:00
Oleg Matcovschi
f21542906d microdroid: dont audit access to event-log-tags 
Bug: 225223271
Test: run microdroid, confirm no denial messages
Signed-off-by: Oleg Matcovschi <omatcovschi@google.com>
Change-Id: I505402c5ff886c18c06133825f9a7ced84c17c1f
 2022-03-23 08:55:19 -07:00
Gary Jian
1527fda402 Merge "Allow system_app to access radio_config system properties" am: ee0b51e099 am: c19e667cbd am: b3c40d2a23 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2024724

Change-Id: Ia43175b3e4073a065c7ea7515216f5a1cc8e202d
 2022-03-23 06:56:18 +00:00
Gary Jian
b3c40d2a23 Merge "Allow system_app to access radio_config system properties" am: ee0b51e099 am: c19e667cbd 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2024724

Change-Id: Iae4a861267716bfd6cf72adb0c05ee071b682d2c
 2022-03-23 06:34:56 +00:00
Gary Jian
c19e667cbd Merge "Allow system_app to access radio_config system properties" am: ee0b51e099 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2024724

Change-Id: I8e7596c9cd89ce43023820b1decc9a0b68d6d602
 2022-03-23 06:11:42 +00:00
Adam Shih
f3c203bd9f Merge "suppress su behavior when running lsof" am: 92f87ac0b9 am: 052730e12c am: f7de4bd498 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2038023

Change-Id: I6613f2d8da09ecbbe49052d95f1cb31837e0156b
 2022-03-23 05:52:50 +00:00
Gary Jian
ee0b51e099 Merge "Allow system_app to access radio_config system properties" 2022-03-23 05:46:22 +00:00
Adam Shih
f7de4bd498 Merge "suppress su behavior when running lsof" am: 92f87ac0b9 am: 052730e12c 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2038023

Change-Id: I564f5d4dc351fd29a90f2a22fe9ce74174eede76
 2022-03-23 05:40:50 +00:00
Treehugger Robot
5f8eb928e9 Merge "Allow init to relabelto console_device" am: 3a8977155c am: 5cc5fc4d31 am: aecb8dbfb6 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2035646

Change-Id: Ie53faddd95bdd5aa268d83f2cb31cf701d535710
 2022-03-23 05:18:51 +00:00
Adam Shih
052730e12c Merge "suppress su behavior when running lsof" am: 92f87ac0b9 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2038023

Change-Id: I000d26e3d3a9369e29ba46cf90311ba55c663fef
 2022-03-23 05:18:50 +00:00
Adam Shih
92f87ac0b9 Merge "suppress su behavior when running lsof" 2022-03-23 05:03:02 +00:00
Treehugger Robot
aecb8dbfb6 Merge "Allow init to relabelto console_device" am: 3a8977155c am: 5cc5fc4d31 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2035646

Change-Id: I2c5bd5b07e1f193842ec3c3118a3770f740b7bd7
 2022-03-23 04:59:26 +00:00
Treehugger Robot
5cc5fc4d31 Merge "Allow init to relabelto console_device" am: 3a8977155c 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2035646

Change-Id: I74eaa4c1b4c8ffe21f787b2938069431705d510c
 2022-03-23 04:45:55 +00:00
Treehugger Robot
3a8977155c Merge "Allow init to relabelto console_device" 2022-03-23 04:29:53 +00:00
Adam Shih
643d2439c2 suppress su behavior when running lsof 
Relevant error logs show up when dumpstate do lsof using su identity:
RunCommand("LIST OF OPEN FILES", {"lsof"}, CommandOptions::AS_ROOT);

This is an intended behavior and the log is useless for debugging so I
suppress them.

Bug: 225767289
Test: do bugreport with no su related avc errors
Change-Id: I0f322cfc8a461da9ffb17f7493c6bbdc58cce7b6
 2022-03-23 10:52:00 +08:00
Ocean Chen
7eae0544a4 Merge "Add persist.device_config.storage_native_boot.smart_idle_maint_enabled property policies" am: b299b79473 am: eeeb06a4ee am: 1739c39853 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2030532

Change-Id: Ib7cf6da50ce19e543e10cd4c76be28f2190d5798
 2022-03-23 02:47:01 +00:00
Ocean Chen
1739c39853 Merge "Add persist.device_config.storage_native_boot.smart_idle_maint_enabled property policies" am: b299b79473 am: eeeb06a4ee 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2030532

Change-Id: I230a9da68bacead198ed5472c427d9af3f2bfe30
 2022-03-23 02:26:52 +00:00
Ocean Chen
eeeb06a4ee Merge "Add persist.device_config.storage_native_boot.smart_idle_maint_enabled property policies" am: b299b79473 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2030532

Change-Id: I197ee43a6564cdd513476f4e9b79ecb8543d56ce
 2022-03-23 02:10:59 +00:00
Ocean Chen
b299b79473 Merge "Add persist.device_config.storage_native_boot.smart_idle_maint_enabled property policies" 2022-03-23 01:51:08 +00:00
Shikha Malhotra
3a0a549d44 Merge "Added permission to allow for ioctl to be added to install_data_file" am: b00341ad1e am: 9e7c0e6ead am: 14218bf4d3 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2030123

Change-Id: I02c2e50b2cc02dc5107643bb07d564dc3f214f25
 2022-03-22 17:05:46 +00:00
Shikha Malhotra
14218bf4d3 Merge "Added permission to allow for ioctl to be added to install_data_file" am: b00341ad1e am: 9e7c0e6ead 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2030123

Change-Id: I891a7c2bbd6b8869464ebe8055421c79f5b75fac
 2022-03-22 17:04:53 +00:00
Shikha Malhotra
9e7c0e6ead Merge "Added permission to allow for ioctl to be added to install_data_file" am: b00341ad1e 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2030123

Change-Id: I8628f7536336d1cad320c19d5802e04d86f50268
 2022-03-22 16:49:24 +00:00
Shikha Malhotra
b00341ad1e Merge "Added permission to allow for ioctl to be added to install_data_file" 2022-03-22 16:32:40 +00:00
Stephane Lee
a499a7a280 Merge "Add sepolicies to allow hal_health_default to load BPFs." am: 68e028b731 am: affee5160d am: 7529345cfd 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2020276

Change-Id: I4265c46b275c8ad9d859b80f877f5173b23bd534
 2022-03-22 16:11:51 +00:00
Stephane Lee
7529345cfd Merge "Add sepolicies to allow hal_health_default to load BPFs." am: 68e028b731 am: affee5160d 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2020276

Change-Id: I8a26a9e2ac4e71548cad0990e0a13a5d44ff652e
 2022-03-22 16:00:38 +00:00