Treehugger Robot
3e4b7bf2ce
Merge "[service-vm] Adjust sepolicy for running service VM" into main
2023-09-04 17:10:03 +00:00
Alice Wang
ec922caf4d
Merge "[avf] Fix warning when running Microdroid" into main am: e1bb7d02e1
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2738394
Change-Id: I8b53bce93064bb86996e25d7cb4437b50b656e7a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-04 15:47:27 +00:00
Alice Wang
e1bb7d02e1
Merge "[avf] Fix warning when running Microdroid" into main
2023-09-04 15:18:49 +00:00
Alice Wang
40519f79dc
[service-vm] Adjust sepolicy for running service VM
...
Bug: 278858244
Test: Runs the ServiceVmClientApp in VM
Test: atest MicrodroidHostTests
Change-Id: Ia59fe910edc0826aa5866468c27558e9d190b58d
2023-09-04 13:01:53 +00:00
Alice Wang
ea51816b10
[avf] Fix warning when running Microdroid
...
This cl fixes the following selinux denial:
09-04 10:15:34.544 3393 3393 W binder:3393_2: type=1400 audit(0.0:17): avc: denied { getattr } for path="socket:[99352]" dev="sockfs" ino=99352 scontext=u:r:virtualizationmanager:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=0
Test: Runs the ServiceVmClientApp
Change-Id: I5f69bc966f8e136dab19d1fdc0bc79190bef5ca5
2023-09-04 12:26:03 +00:00
Jaewan Kim
9a59df6765
Set neverallow for hypervisor test properties am: 796ec5f0cb
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2737173
Change-Id: I15c99f0d82090676138794f83b279a5b6929d628
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-01 10:41:36 +00:00
Jaewan Kim
796ec5f0cb
Set neverallow for hypervisor test properties
...
Bug: 298306391
Change-Id: I754af47d063bb26549cd1793951b09262cadd95a
Test: TH
2023-09-01 07:55:09 +00:00
Jaewan Kim
2c1062e71d
Label hypervisor test properties am: 4183cbb63c
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2733375
Change-Id: I7492da460a14a676a6fcb5c91d134791f94bb66e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-01 06:32:17 +00:00
Jaewan Kim
4183cbb63c
Label hypervisor test properties
...
Bug: 298306391
Change-Id: I160101325989f58ef3403ec5be20895468c2ccbb
Test: TH, atest CustomPvmfwHostTestCases
2023-09-01 02:43:38 +00:00
Inseob Kim
9f976cba9d
Merge "Remove code about mixed sepolicy build" into main am: 726bcb500c
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2733319
Change-Id: I3b3099e72f547e09f1abca1cec1b7c55b6d91593
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-01 01:33:44 +00:00
Pawan Wagh
012b718b48
Merge "Adding ro.product.build.16k_page.enabled to property contexts" into main am: 2eb2d1c80b
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2729879
Change-Id: I555aa4008021ad69c0cda31090a1e90a0db2f417
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-01 01:32:55 +00:00
Inseob Kim
726bcb500c
Merge "Remove code about mixed sepolicy build" into main
2023-09-01 01:06:38 +00:00
Pawan Wagh
2eb2d1c80b
Merge "Adding ro.product.build.16k_page.enabled to property contexts" into main
2023-09-01 00:26:13 +00:00
Daeho Jeong
6bac935581
Merge "compress logcat files" into main am: e7a31d52c7
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2726765
Change-Id: I46214a920ef0bd94e42f170e5e370211e8dc7dfc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-31 23:04:32 +00:00
Kean Mariotti
16ac6cda98
Merge "Allow traceur_app to access winscope traces" into main am: b378302763
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2707733
Change-Id: I45f861fe114fd824e99bcf771c23b3de875f70b1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-31 23:03:55 +00:00
Daeho Jeong
e7a31d52c7
Merge "compress logcat files" into main
2023-08-31 22:46:43 +00:00
Kean Mariotti
b378302763
Merge "Allow traceur_app to access winscope traces" into main
2023-08-31 22:05:35 +00:00
Xin Li
932aba1fa5
Skip UP1A.230905.019
...
Merged-In: Ida8363294bd4fca8b7d93deb3b90ba2c02fd53bc
Change-Id: I6954813c6cb7f8a4244fd9008d1753278990fee2
2023-08-31 14:31:52 -07:00
Pawan Wagh
60cc0b3a39
Adding ro.product.build.16k_page.enabled to property contexts
...
This property will be used to set 16k dev options on device.
This will be a product-specific property and will be added on
specific devices.
Test: m, booted device with PRODUCT_16K_DEVELOPER_OPTION ON/OFF and
verified option visibility.
Bug: 297922563
Change-Id: I2be5e7236eb8259ef6d5893e70712a5c89aaad52
2023-08-31 20:30:04 +00:00
Devin Moore
402260249c
Merge "Moving hwservicemanager and allocator to system_ext" into main am: 424c64de83
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2608419
Change-Id: If98df98c42019a9c8d59798eeabd9818d792d66c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-31 16:22:41 +00:00
Devin Moore
424c64de83
Merge "Moving hwservicemanager and allocator to system_ext" into main
2023-08-31 15:51:14 +00:00
Inseob Kim
6c6aa01ae4
Remove code about mixed sepolicy build
...
There is no one actively using mixed sepolicy build, and it made
sepolicy codes too complicated. As we are deprecating mixed build,
removing such code for cleanup.
Bug: 298305798
Test: boot cuttlefish
Change-Id: I8beedd5a281fa957532deecb857da4e1bb66992a
2023-08-31 16:54:17 +09:00
Thiébaud Weksteen
9547e81612
Remove SeamendcHostTest from TEST_MAPPING
...
Bug: 297794885
Test: TH
Change-Id: I9f508b1cab5a8e386457cc645b2ef7d0897b8692
2023-08-31 14:20:59 +10:00
Treehugger Robot
f8843de0a4
Merge "Allow VS to read vendor cfg for assignable devices" into main am: 40c32c1b91
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2731197
Change-Id: Ida567a00d9b348280b7178ca64b874258398c231
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-30 16:47:22 +00:00
Treehugger Robot
40c32c1b91
Merge "Allow VS to read vendor cfg for assignable devices" into main
2023-08-30 16:14:34 +00:00
Inseob Kim
d61618bcb6
Allow VS to read vendor cfg for assignable devices
...
Bug: 297313212
Test: add /vendor/etc/avf/assignable_devices.xml and run vm info
Change-Id: I602be057b118ac68a59e6c4f5f7fce17685cd7ae
2023-08-30 14:14:51 +09:00
Treehugger Robot
2458174b02
Merge "Reland "Make coredomain violation as a build error"" into main am: b30f713bd4
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2732533
Change-Id: Ifa69bc61aee19db55d3ac3aa4eff43756c0c1cdc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-30 02:24:25 +00:00
Treehugger Robot
b30f713bd4
Merge "Reland "Make coredomain violation as a build error"" into main
2023-08-30 01:47:46 +00:00
Inseob Kim
e65098d4a7
Reland "Make coredomain violation as a build error"
...
This reverts commit 3bda1c9761.
Reason for revert: The fix ag/24590089 is verified with ABTD and merged
Change-Id: I17124df1ddfd52cbd2a17b1a90e0f332eb4e41f9
2023-08-30 00:24:06 +00:00
Samuel Wu
7cbdd09938
Merge "Revert "Make coredomain violation as a build error"" into main am: 0bbc9270e0
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2731478
Change-Id: Ie5265feaf89d3351c5959d6404b9fcef1b1455b6
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-30 00:02:29 +00:00
Thiébaud Weksteen
a0075f40c6
Merge "Update documentation on binderservicedomain" into main am: 69a9189ddf
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2728813
Change-Id: Ic44e49d612ef2fd1eff36068d345cf426e8f11f5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-30 00:01:57 +00:00
Thiébaud Weksteen
5c20e61a92
Merge "Grant dumpstate access to artd service" into main am: 9432227844
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2724933
Change-Id: I4734d816e4946470b9368a2972894eedab236808
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-30 00:01:20 +00:00
Samuel Wu
0bbc9270e0
Merge "Revert "Make coredomain violation as a build error"" into main
2023-08-29 23:41:19 +00:00
Samuel Wu
3bda1c9761
Revert "Make coredomain violation as a build error"
...
This reverts commit 9289cf6fa7.
Reason for revert:
DroidMonitor-triggered revert due to breakage https://android-build.corp.google.com/builds/quarterdeck?branch=git_main&target=cf_x86_64_auto-trunk_staging-userdebug&lkgb=10733608&lkbb=10733914&fkbb=10733779 , bug b/298102197
Bug: 298102197
Change-Id: Ia68dc64d3a7b02195e72d1c85ae8c9280fa665cc
2023-08-29 23:40:24 +00:00
Thiébaud Weksteen
69a9189ddf
Merge "Update documentation on binderservicedomain" into main
2023-08-29 23:27:50 +00:00
Thiébaud Weksteen
9432227844
Merge "Grant dumpstate access to artd service" into main
2023-08-29 23:20:27 +00:00
Inseob Kim
dd24cf4fd9
Make coredomain violation as a build error am: 9289cf6fa7
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2727854
Change-Id: I70ffe3baddaa297680389e8aa7d79b74649bf553
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-29 01:56:48 +00:00
Inseob Kim
da15aa9d1b
Use board api level for seapp coredomain check am: 06518b14f7
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2727834
Change-Id: Ia96fef6b3b70fbe0743efc0cedf6e6767ba584d8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-29 01:56:08 +00:00
Inseob Kim
9289cf6fa7
Make coredomain violation as a build error
...
Also add how to fix the violations.
Bug: 280547417
Test: m selinux_policy with violations
Change-Id: Icdce73bf0c3b3d98297606958e45e5dd9192f8a0
2023-08-29 01:15:14 +00:00
Xin Li
80690d5086
Merge "Merge Android U (ab/10368041)" into aosp-main-future
2023-08-28 22:13:48 +00:00
Thiébaud Weksteen
5e9b88f739
Update documentation on binderservicedomain
...
The binderservicedomain attribute grants further permissions than its
name suggests. Update the documentation to avoid its usage.
Bug: 297785784
Test: build, documentation update only.
Change-Id: I41bc6f32cf4d56bde320261fe221c3653cda945a
2023-08-28 12:22:17 +10:00
Thiébaud Weksteen
8a250b9099
Grant dumpstate access to artd service
...
The artd daemon is not always active. When running, it exposes a binder
service which may be dumped when a bug report is triggered. The current
policy did not fully grant access which resulted in spurious denials if
a bugreport was triggered when the daemon was running.
Test: Run bugreport; observe correct dump of artd service
Bug: 282614147
Bug: 192197221
Change-Id: Ie0986d7716de33ec38ae09cfee14c629f5a414a6
2023-08-28 10:53:58 +10:00
Daeho Jeong
6ac8e4cf00
compress logcat files
...
Change selinux policy to compress logcat files.
Test: check whether logcat files are compressed
Bug: 295175795
Change-Id: Ib120700c6dab4b1d0e29f0e19e55793bfb7a1675
Signed-off-by: Daeho Jeong <daehojeong@google.com>
2023-08-25 15:02:34 -07:00
Inseob Kim
06518b14f7
Use board api level for seapp coredomain check
...
Rather than PRODUCT_SHIPPING_API_LEVEL, use board api level
(BOARD_API_LEVEL or BOARD_SHIPPING_API_LEVEL) to determine whether we
check coredomain violations or not.
Bug: 280547417
Test: see build command of vendor_seapp_contexts
Change-Id: I20859d6054ab85f464b29631bdfd55ade3e78f53
2023-08-25 21:20:08 +09:00
Yu Shan
cd8ea1198a
Merge "Allow remoteaccess V2 and VHAL v2/v3." into main am: 3734f169ca
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2724738
Change-Id: I8b34fa8fb0a40cc791b863fb4644eec73b4b4488
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-24 18:03:53 +00:00
Yu Shan
3734f169ca
Merge "Allow remoteaccess V2 and VHAL v2/v3." into main
2023-08-24 17:39:08 +00:00
Treehugger Robot
7b6714e90e
Merge "Policy changes for running payloads not as root" into main am: 33a68d6284
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2721955
Change-Id: I4710c3102fd200d8e4dc4e0b013ee25932e50188
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-24 08:57:34 +00:00
Treehugger Robot
270c33f986
Merge "Allow init to access user mode helpers" into main am: 171a6fbca2
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2724013
Change-Id: If0c73ef112601385917c9e0b52b5aa88570100bf
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-24 08:56:17 +00:00
Treehugger Robot
33a68d6284
Merge "Policy changes for running payloads not as root" into main
2023-08-24 08:07:21 +00:00
Treehugger Robot
171a6fbca2
Merge "Allow init to access user mode helpers" into main
2023-08-24 08:06:42 +00:00