Commit graph

43336 commits

Author SHA1 Message Date
Jeff Pu
caaf7885f8 Merge "Allow hal_fingerprint_default to have pipe read access" am: f19025e663 am: 80dec42b4b
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2605987

Change-Id: I8c8f0f266b033ca17114d18fb87cce0fbcd74e74
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-09 20:26:25 +00:00
Jeff Pu
80dec42b4b Merge "Allow hal_fingerprint_default to have pipe read access" am: f19025e663
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2605987

Change-Id: I25ce105f8eeaa2b6199c7e7f017fd6f93620b413
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-09 19:42:10 +00:00
Jeff Pu
f19025e663 Merge "Allow hal_fingerprint_default to have pipe read access" 2023-06-09 19:09:58 +00:00
Jeff Pu
1e09f2ebf7 Allow hal_fingerprint_default to have pipe read access
Bug: 284488745
Test: atest BiometricsE2eTests:BiometricPromptAuthSuccessTest
Change-Id: Ie69193964232b1a6b97877c650182fcdcd5b2cea
2023-06-09 13:56:28 +00:00
Treehugger Robot
409639ad09 Merge "Allow VMs to log to shell pts" am: 550f10eaeb am: 0fa23e0be1 am: c538798bb0
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2617777

Change-Id: I8571475bb6e8484c27dc1c6f21f84377136deb09
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-09 11:01:11 +00:00
Treehugger Robot
c538798bb0 Merge "Allow VMs to log to shell pts" am: 550f10eaeb am: 0fa23e0be1
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2617777

Change-Id: I2eb821ffa291f44e8c4511eee134cf395b381fba
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-09 10:11:13 +00:00
Treehugger Robot
0fa23e0be1 Merge "Allow VMs to log to shell pts" am: 550f10eaeb
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2617777

Change-Id: I9737b5d4a1ca946b6aed006dfb5a14dcb472b2b1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-09 09:29:49 +00:00
Treehugger Robot
550f10eaeb Merge "Allow VMs to log to shell pts" 2023-06-09 09:03:29 +00:00
Jooyung Han
2b60a575e1 Merge "Allow vendor_overlay_file from vendor apex" am: ad08877b4d am: cef75edc33 am: a34197f152
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2618632

Change-Id: If0392eee00457c2e41d3f2c214405c8ca12f9f04
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-09 08:02:14 +00:00
Jooyung Han
a34197f152 Merge "Allow vendor_overlay_file from vendor apex" am: ad08877b4d am: cef75edc33
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2618632

Change-Id: I7263e36b7f522de5d35b634dead192d3f1fa1da2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-09 07:13:03 +00:00
Inseob Kim
367845c850 Add missing properties to microdroid am: deaa8b9f4a am: 20a9d569d2 am: 54ba7286ca
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2106044

Change-Id: If9cedd91479d5ea33bb986dd880d42f11bf8f7ff
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-09 06:32:49 +00:00
Jooyung Han
cef75edc33 Merge "Allow vendor_overlay_file from vendor apex" am: ad08877b4d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2618632

Change-Id: I762e8a8848868268804b2d9d2012246e5fcc0707
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-09 06:31:34 +00:00
Jooyung Han
ad08877b4d Merge "Allow vendor_overlay_file from vendor apex" 2023-06-09 05:56:20 +00:00
Inseob Kim
54ba7286ca Add missing properties to microdroid am: deaa8b9f4a am: 20a9d569d2
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2106044

Change-Id: I65bc5059e70dbd2ae2d7de3c616c913228130b43
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-09 05:43:33 +00:00
Inseob Kim
20a9d569d2 Add missing properties to microdroid am: deaa8b9f4a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2106044

Change-Id: I847ae3fac14c423243f9e113c1ba1a44bd294aa5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-09 05:01:04 +00:00
Weiwei.Zhang
0179ede5a4 Allow app_process to link /data/asan/system_ext/lib/*
app_process couldn't map /data/asan/system_ext/lib/libgpud_sys.so
avc:  denied  { execute } for  path="/data/asan/system_ext/lib/libgpud_sys.so"
dev="dm-43" ino=784 scontext=u:r:zygote:s0 tcontext=u:object_r:system_data_file:s0
tclass=file permissive=0

Bug: 286479817
Test: bootup, app_process can work well with asan enabled.
Change-Id: I577105fe1b0c4cb7fa98ccb33eac0f59a0e645f6
2023-06-09 04:43:52 +00:00
Jooyung Han
7c4f8a87d3 Allow vendor_overlay_file from vendor apex
Path to vendor overlays should be accessible to those processes with
access to vendor_overlay_file. This is okay when overlays are under
/vendor/overlay because vendor_file:dir is accessible from all domains.
However, when a vendor overlay file is served from a vendor apex, then
the mount point of the apex should be allowed explicitly for 'getattr'
and 'search'.

Bug: 285075529
Test: presubmit tests
Change-Id: I393abc76ab7169b65fdee5aefd6da5ed1c6b8586
2023-06-09 13:43:11 +09:00
Treehugger Robot
96b1043fd3 Merge "Allow app_zygote to open vendor_overlay_file from vendor apex" am: 9f254ba368 am: e930e1de6b am: 260b8ae48d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2618492

Change-Id: Ic1436426d8d5d3fc1488e56065cb58f8f03cc04a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-09 02:46:32 +00:00
Inseob Kim
deaa8b9f4a Add missing properties to microdroid
The main motivation is to reduce log spam.

Bug: 268333203
Test: atest MicrodroidTests MicrodroidHostTestCases
Change-Id: Idffdcd7d543590d8c580b2282098d3abd8214f86
2023-06-09 11:30:24 +09:00
Treehugger Robot
260b8ae48d Merge "Allow app_zygote to open vendor_overlay_file from vendor apex" am: 9f254ba368 am: e930e1de6b
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2618492

Change-Id: I7ba0d0cb62301a4f89a3c2a20fb7997dd5335dc1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-09 02:18:00 +00:00
Treehugger Robot
e930e1de6b Merge "Allow app_zygote to open vendor_overlay_file from vendor apex" am: 9f254ba368
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2618492

Change-Id: I8bef8ca004f5dce791cdfe83b2308ea495cd6c1a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-09 01:55:30 +00:00
Thiébaud Weksteen
1fb3d3fa7f Merge "Grant signal permission for dumpstate on app_zygote" am: 4ba0198325 am: e5705ebae0 am: 3657ef0c2d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2616609

Change-Id: Icf1e64e86a1003732068d3512b0442e219cf934d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-09 01:33:32 +00:00
Treehugger Robot
9f254ba368 Merge "Allow app_zygote to open vendor_overlay_file from vendor apex" 2023-06-09 01:06:38 +00:00
Thiébaud Weksteen
3657ef0c2d Merge "Grant signal permission for dumpstate on app_zygote" am: 4ba0198325 am: e5705ebae0
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2616609

Change-Id: I5cb8d42f9b0c8cda7ed566eecba4e7f16a053155
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-09 00:42:38 +00:00
Pawan Wagh
21f6f52922 Add update service fuzzer to bindings
Test: m
Bug: 232439428
Change-Id: I9532d1d473d3b053f464df48169dc9b23951a095
2023-06-09 00:01:54 +00:00
Thiébaud Weksteen
e5705ebae0 Merge "Grant signal permission for dumpstate on app_zygote" am: 4ba0198325
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2616609

Change-Id: Ifaaa76353fac36d8e880ae9684fae0de125aff53
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-08 23:57:12 +00:00
Thiébaud Weksteen
4ba0198325 Merge "Grant signal permission for dumpstate on app_zygote" 2023-06-08 23:22:42 +00:00
Jooyung Han
f108164ddf Allow app_zygote to open vendor_overlay_file from vendor apex
To read overlay from vendor apex, app_zygote needs to have access to
vendor_apex_metadata_file:dir with {getattr,search} permissions.

Bug: 286320150
Test: atest
CtsExternalServiceTestCases: android.externalservice.cts.ExternalServiceTest#testBindExternalServiceWithZygote
Change-Id: Icef716e6d238936d04c5813c23042ec4b0e28541
2023-06-09 08:16:16 +09:00
Pawan Wagh
38cfa74af2 Add credstore service fuzzer to bindings
Test: m
Bug: 232439428
Change-Id: Ie47e0e7a479f130935ada52a28d4e26e3bf07041
2023-06-08 21:28:46 +00:00
Treehugger Robot
0aff4d4a79 Merge "Add wificond service fuzzer to bindings" am: 34814e6d48 am: 5ed2584008 am: 1e8251cd60
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2611796

Change-Id: Ieca50440bfed78bd54f5550454cf55d4eb0df510
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-08 20:35:22 +00:00
Treehugger Robot
1e8251cd60 Merge "Add wificond service fuzzer to bindings" am: 34814e6d48 am: 5ed2584008
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2611796

Change-Id: I5af014e100162569f46aa0c427a33493424378e5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-08 19:46:41 +00:00
Treehugger Robot
a22340dd13 Merge "atrace: don't audit debugfs access" am: b61d353551 am: e300b61a6e am: c2e67da35c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2619892

Change-Id: I07f7b928e4df05f126b09c82c97fb385b0b08b31
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-08 19:09:40 +00:00
Treehugger Robot
5ed2584008 Merge "Add wificond service fuzzer to bindings" am: 34814e6d48
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2611796

Change-Id: I809ad3e0d4176ccc5f78bb582af6bdc08d64083c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-08 19:04:58 +00:00
Treehugger Robot
34814e6d48 Merge "Add wificond service fuzzer to bindings" 2023-06-08 18:30:49 +00:00
Treehugger Robot
c2e67da35c Merge "atrace: don't audit debugfs access" am: b61d353551 am: e300b61a6e
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2619892

Change-Id: I065b87dcd4ccfe950f718ac65f1b0d70432c4fb5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-08 18:21:41 +00:00
Treehugger Robot
e300b61a6e Merge "atrace: don't audit debugfs access" am: b61d353551
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2619892

Change-Id: I6e97c5950ed76ff25246bed2977d69ff56891633
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-08 17:41:15 +00:00
Treehugger Robot
b61d353551 Merge "atrace: don't audit debugfs access" 2023-06-08 17:05:47 +00:00
Treehugger Robot
b7a7080b60 Merge "Switch rkpd to levelFrom=all" am: 243575199b am: 21ce192314 am: e741666f3d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2617614

Change-Id: I015cc8187d81427b5c7b0f3f0cf710e0d6d3be35
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-08 16:57:09 +00:00
David Anderson
758b620b46 [automerger skipped] Allow ueventd to access device-mapper. am: ae8817dc1e -s ours
am skip reason: Merged-In I36b9b460a0fa76a37950d3672bd21b1c885a5069 with SHA-1 e09c0eee36 is already in history

Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23598602

Change-Id: I4d5c31561131673e9c3bc11f865de10d1dacb421
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-08 16:11:42 +00:00
Treehugger Robot
e741666f3d Merge "Switch rkpd to levelFrom=all" am: 243575199b am: 21ce192314
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2617614

Change-Id: I2ddcaf5ac6be7b6ee76ad681e63b4ff2f6fb0566
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-08 16:10:25 +00:00
Treehugger Robot
21ce192314 Merge "Switch rkpd to levelFrom=all" am: 243575199b
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2617614

Change-Id: I3dac79b1cb82541aa9e892c14d3d78757552c673
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-08 15:32:37 +00:00
Treehugger Robot
243575199b Merge "Switch rkpd to levelFrom=all" 2023-06-08 14:57:35 +00:00
Kangping Dong
f946b06074 Merge "add sepolicy rules for Thread network" am: aa83af5c3b am: ff6ae919c2 am: 498a752dd7
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2612795

Change-Id: Iaf8e6d654eb9fbb7d2b2b17ef16468b0eb7f6ce1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-08 14:50:57 +00:00
Kangping Dong
498a752dd7 Merge "add sepolicy rules for Thread network" am: aa83af5c3b am: ff6ae919c2
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2612795

Change-Id: Iedf1f13dc9e9e80187e9ca7e4d1ef137b19655e2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-08 13:43:13 +00:00
Kangping Dong
ff6ae919c2 Merge "add sepolicy rules for Thread network" am: aa83af5c3b
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2612795

Change-Id: Ice94d8ee77ed007ef0aa234ce1886c9bf564e24e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-08 13:04:47 +00:00
Alan Stokes
6d019be31f Allow VMs to log to shell pts
If we run a VM from an adb shell, e.g. via `vm run`, then we would
like to get the VM console & log sent to the shell console.

That doesn't work unless virtualization manager & crosvm can write to
devpts.

Bug: 286355623
Test: Manual: adb shell, /apex/com.android.virt/bin/vm run-microdroid --debug full
Change-Id: I01b233bc6ad5fba8f333f379af62a03806ae8949
2023-06-08 13:47:38 +01:00
Kangping Dong
aa83af5c3b Merge "add sepolicy rules for Thread network" 2023-06-08 12:23:00 +00:00
Alan Stokes
12de184d37 Switch rkpd to levelFrom=all
Defense in depth: ensure no other app can access rkpd data files.

Test: Presubmits.
Change-Id: Id3ca9829eadf19fb50da8d0a7414706121871633
2023-06-08 11:24:56 +01:00
Jooyung Han
e7c910010f Allow webview_zygote to "search" vendor apex dirs am: f91152af55 am: 5f37382487 am: 1d19ac74c7
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2620249

Change-Id: I74834401af747aa3460620a208d1f77cbe03e098
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-08 08:53:30 +00:00
Jooyung Han
1d19ac74c7 Allow webview_zygote to "search" vendor apex dirs am: f91152af55 am: 5f37382487
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2620249

Change-Id: I8ae5a9b382b9c0f20734d791ac589cbf34e0cc75
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-08 08:04:54 +00:00