tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
24457 commits 1 branch 0 tags 50 MiB
Commit graph

24457 commits

This branch
This branch
All branches
Author SHA1 Message Date
Treehugger Robot
49e22cd9ae Merge "Update selinux policy for statsd apex" am: 16e12a5ee3 am: 5d360fc02e am: 23a17b4b5d 
Change-Id: I4e38927a28f7783922da5709e5d64774a2bec6fe
 2020-02-17 10:10:44 +00:00
David Stevens
f746f9c25f Merge commit 'f3187f394915eac633f6803ac0ed34a4455d3a17' into manual_merge_f3187f394915eac633f6803ac0ed34a4455d3a17 
Bug: None
Test: blueline boots and property is build time configurable

Change-Id: Ie7a0f25f7e40a8aaa446033702c5fc0f32f438e0
 2020-02-17 04:28:59 +00:00
Treehugger Robot
6ade1f9380 Merge "snapshotctl: allow to write stats" am: 57ba84c959 am: 67fc52130c 
Change-Id: Ieae13536ae58d5be5a7dfeb23e8829b819ef1f47
 2020-02-16 14:48:32 +00:00
Treehugger Robot
67fc52130c Merge "snapshotctl: allow to write stats" am: 57ba84c959 
Change-Id: I5d58b5864eac3ae6cc653612e2a5e08fe282ae60
 2020-02-16 14:28:08 +00:00
Treehugger Robot
57ba84c959 Merge "snapshotctl: allow to write stats" 2020-02-16 14:14:51 +00:00
Mark Salyzyn
c3eb896930 bootstat: enhance last reboot reason property with file backing am: 79f9ca6789 am: d5c3a11681 
Change-Id: Idfd5cd446ca870f0a633d9471d1c8f666e771cbe
 2020-02-14 23:58:12 +00:00
Mark Salyzyn
d5c3a11681 bootstat: enhance last reboot reason property with file backing am: 79f9ca6789 
Change-Id: I45c0026a8436c0ee7052e311591b06a3f3106f9a
 2020-02-14 23:46:10 +00:00
Maciej Żenczykowski
63920a9f22 Merge "grant bpfloader CAP_CHOWN" am: 1d896ff5e5 am: 66b4be49d7 
Change-Id: I7b6a7b642bf63763fb6f94c3865e5a840d8b24c2
 2020-02-14 21:48:48 +00:00
Maciej Żenczykowski
66b4be49d7 Merge "grant bpfloader CAP_CHOWN" am: 1d896ff5e5 
Change-Id: I9667f3b499b44f4264c8dac9abcff3147044c853
 2020-02-14 21:35:07 +00:00
Mark Salyzyn
79f9ca6789 bootstat: enhance last reboot reason property with file backing 
Helps with support of recovery and rollback boot reason history, by
also using /metadata/bootstat/persist.sys.boot.reason to file the
reboot reason.  For now, label this file metadata_bootstat_file.

Test: manual
Bug: 129007837
Change-Id: Id1d21c404067414847bef14a0c43f70cafe1a3e2
 2020-02-14 13:30:21 -08:00
Maciej Żenczykowski
1d896ff5e5 Merge "grant bpfloader CAP_CHOWN" 2020-02-14 21:19:16 +00:00
Treehugger Robot
875b7a9352 Merge "Allow init to stat the root directory of FUSE filesystems." am: b4d3c575b3 am: cbc02c695a 
Change-Id: I83776a7483b00c1a126e4b3bd5e8320129e60609
 2020-02-14 21:11:32 +00:00
Treehugger Robot
cbc02c695a Merge "Allow init to stat the root directory of FUSE filesystems." am: b4d3c575b3 
Change-Id: I9ba637c13c6334e2563e5584fa5b1b09b04206a3
 2020-02-14 20:56:20 +00:00
Alessio Balsini
59cfa127e2 snapshotctl: allow to write stats 
To send statistics about snapshot merge times, snapshotctl will take
care of packing and sending all the information.
Allow snapshotctl to do so by creating an sepolicy exception.

Bug: 138817833
Test: statsd_testdrive
Change-Id: If805a522898cb6c9838779be23df6078f77d0cdc
Signed-off-by: Alessio Balsini <balsini@google.com>
 2020-02-14 20:51:53 +00:00
Treehugger Robot
b4d3c575b3 Merge "Allow init to stat the root directory of FUSE filesystems." 2020-02-14 20:40:28 +00:00
Treehugger Robot
cb085e398f Merge "perfetto: allow producers to supply shared memory" am: 429ce33777 am: 63b0c52392 
Change-Id: I7f5aa7880defd434b69b7981ccfcb18cd19dd468
 2020-02-14 20:28:54 +00:00
Treehugger Robot
63b0c52392 Merge "perfetto: allow producers to supply shared memory" am: 429ce33777 
Change-Id: I231c8ac22c5645e356b7b5ad2c2ca9db6d231f23
 2020-02-14 20:15:51 +00:00
Treehugger Robot
429ce33777 Merge "perfetto: allow producers to supply shared memory" 2020-02-14 19:59:49 +00:00
Songchun Fan
23cb5adc6e Merge changes Ie973be6b,Ie090e085 am: ff40f150e8 am: a403503c57 
Change-Id: I9d06c6f73149786152c637dced2291b5973c1e70
 2020-02-14 18:25:56 +00:00
Songchun Fan
a403503c57 Merge changes Ie973be6b,Ie090e085 am: ff40f150e8 
Change-Id: I027ddb483a7697fa1059f3873ed6eb52ba1f1eb1
 2020-02-14 18:16:13 +00:00
Songchun Fan
ff40f150e8 Merge changes Ie973be6b,Ie090e085 
* changes:
  permissions for incremental control file
  new label for incremental control files
 2020-02-14 18:00:02 +00:00
Paul Crowley
fb9e80d83b Add properties for volume metadata encryption. 
Test: create private volume on Cuttlefish, setting property both ways.
Bug: 147814592
Change-Id: I662204e06dd6831ab98182b679b3cd88e9191681
 2020-02-14 09:55:15 -08:00
Martijn Coenen
a0fa53ead6 Allow init to stat the root directory of FUSE filesystems. 
init has a mount handler that stats mount-points for block devices; on
devices without sdcardfs, that handler will stat the FUSE filesystem,
since we have a bindmount on FUSE to the lower filesystem, which is an
actual block device.

Test: no more denial on cf without sdcardfs
Change-Id: Idb351f5ccba00440f4f8b39616de76336bb81a1b
 2020-02-14 17:17:36 +01:00
George Chang
989fcaae3c Merge "Add sepolicy for persist.nfc_cfg." am: 9cc657e43e am: 4fc2a2396a 
Change-Id: Ic3731f6ea1159a1347f2225f4113a5bfe3f901f1
 2020-02-14 12:12:25 +00:00
George Chang
4fc2a2396a Merge "Add sepolicy for persist.nfc_cfg." am: 9cc657e43e 
Change-Id: I612768a6cc57180aa3bf056128a9f95156009e26
 2020-02-14 11:49:02 +00:00
George Chang
9cc657e43e Merge "Add sepolicy for persist.nfc_cfg." 2020-02-14 11:37:33 +00:00
Treehugger Robot
86a25241c5 Merge "access_vectors: add lockdown class" am: 98d0a95753 am: 9c6a92e0e7 
Change-Id: I1a58cebddd76891473aad1b256046eaa3af59b4c
 2020-02-14 10:48:18 +00:00
Treehugger Robot
9c6a92e0e7 Merge "access_vectors: add lockdown class" am: 98d0a95753 
Change-Id: I91e2e21af1c7a4d5b507927ccfb5a9016fd02ec8
 2020-02-14 10:31:33 +00:00
Treehugger Robot
98d0a95753 Merge "access_vectors: add lockdown class" 2020-02-14 10:18:17 +00:00
Treehugger Robot
23a17b4b5d Merge "Update selinux policy for statsd apex" am: 16e12a5ee3 am: 5d360fc02e 
Change-Id: I224138aa6908ac0898735b4dc27f3df84fe0b13f
 2020-02-14 05:11:26 +00:00
Treehugger Robot
5d360fc02e Merge "Update selinux policy for statsd apex" am: 16e12a5ee3 
Change-Id: I65a8d3cffaf0aec75080ef9fd6cf4b5da94e415d
 2020-02-14 04:59:04 +00:00
Treehugger Robot
16e12a5ee3 Merge "Update selinux policy for statsd apex" 2020-02-14 04:43:51 +00:00
stevensd
f3187f3949 Merge "selinux policy for buffer queue config" am: e3e16a313b am: c8f9abad21 
Change-Id: I8ea094448b9ac72740b68e900b365f9e3a03afcc
 2020-02-14 04:03:31 +00:00
stevensd
c8f9abad21 Merge "selinux policy for buffer queue config" am: e3e16a313b 
Change-Id: Iee1983864bdb008cf0149f9ed59905db6264202d
 2020-02-14 03:09:29 +00:00
stevensd
e3e16a313b Merge "selinux policy for buffer queue config" 2020-02-14 02:54:20 +00:00
Jeffrey Huang
baacdfa48b Update selinux policy for statsd apex 
Bug: 145923087
Test: m -j
Change-Id: I6197e6005d7c6e5c69b42de54f07965798663565
 2020-02-13 15:42:23 -08:00
Etan Cohen
8bd638eae4 Merge "[WIFICOND] Rename service to nl80211" 2020-02-13 22:34:09 +00:00
Songchun Fan
051549cc83 remove incfs genfscon label am: d9b78b4c84 am: b55fd10e0b am: 6262f99b5a 
Change-Id: If020e8520a27c473551bd1d92529d9e4cee44830
 2020-02-13 21:16:04 +00:00
Nick Kralevich
e4686b4d8e access_vectors: add lockdown class 
Needed to support upstream patch
59438b4647

Bug: 148822198
Test: compiles
Change-Id: I304c1a97c12067dd08d4ceef93702101908012ed
 2020-02-13 13:05:54 -08:00
Songchun Fan
6262f99b5a remove incfs genfscon label am: d9b78b4c84 am: b55fd10e0b 
Change-Id: I2f46b66a5a8872797a5a2cfb189e05c55b4047ce
 2020-02-13 21:02:25 +00:00
Songchun Fan
3922253de9 permissions for incremental control file 
=== for mounting and create file ===

02-12 21:09:41.828   593   593 I Binder:593_2: type=1400 audit(0.0:832): avc: denied { relabelto } for name=".pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.838   593   593 I Binder:593_2: type=1400 audit(0.0:833): avc: denied { read } for name=".pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.838   593   593 I Binder:593_2: type=1400 audit(0.0:834): avc: denied { open } for path="/data/incremental/MT_data_incremental_tmp_1485189518/mount/.pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.838   593   593 I Binder:593_2: type=1400 audit(0.0:835): avc: denied { getattr } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.838   593   593 I Binder:593_2: type=1400 audit(0.0:836): avc: denied { read } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.841  1429  1429 I PackageInstalle: type=1400 audit(0.0:837): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x671e scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1

=== for reading signature from file ===
02-12 21:09:47.931  8972  8972 I android.vending: type=1400 audit(0.0:848): avc: denied { ioctl } for path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending
02-12 21:09:47.994  1429  1429 I AppIntegrityMan: type=1400 audit(0.0:849): avc: denied { ioctl } for path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
02-12 21:09:50.034  8972  8972 I com.android.vending: type=1400 audit(0.0:850): avc: denied { ioctl } for comm=62674578656375746F72202332 path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending
02-12 21:09:52.914  1429  1429 I PackageManager: type=1400 audit(0.0:851): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x671e scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1

=== data loader app reading from log file ===
02-12 22:09:19.741  1417  1417 I Binder:1417_3: type=1400 audit(0.0:654): avc: denied { read } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3131393237303339342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_app:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 22:09:19.741 15903 15903 I Binder:15903_4: type=1400 audit(0.0:655): avc: denied { getattr } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3131393237303339342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_app:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1

Test: manual with incremental installation
BUG: 133435829
Change-Id: Ie973be6bc63faf8fe98c9e684060e9c81d124e6e
 2020-02-13 12:53:36 -08:00
Songchun Fan
b1512f3ab7 new label for incremental control files 
Test: manual with incremental installation
Test: coral:/data/incremental/MT_data_incremental_tmp_1658593565/mount # ls -lZ .pending_reads
Test: -rw-rw-rw- 1 root root u:object_r:incremental_control_file:s0  0 1969-12-31 19:00 .pending_reads
BUG: 133435829
Change-Id: Ie090e085d94c5121bf61237974effecef2dcb180
 2020-02-13 12:52:51 -08:00
Songchun Fan
b55fd10e0b remove incfs genfscon label am: d9b78b4c84 
Change-Id: I78fa1acada138b0f6e038f2b842766d0951c46b7
 2020-02-13 20:50:37 +00:00
Maciej Żenczykowski
1189fac418 grant bpfloader CAP_CHOWN 
so that it can change the uid/gid of pinned bpf progs and maps

Test: build, atest
Bug: 149434314
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1d873c7799e1d9fa5d4bde145e89254dabb75a01
 2020-02-13 20:46:02 +00:00
Andrei Onea
663305dbe2 Add binder cache key for PlatformCompat 
This key is used for invalidating the per-process cache for calls to
PlatformCompat.isChangeEnabledByPackageName and
PlatformCompat.isChangeEnabledByUid.

Bug: 140441727
Test: atest PlatformCompatTest
Test: atest CompatConfigTest
Test: atest CompatChanges
Test: atest PlatformCompatGating
Change-Id: I203ea43c3451bddc0aeb298f5892868969b67fc3
 2020-02-13 17:35:15 +00:00
Songchun Fan
d9b78b4c84 remove incfs genfscon label 
Test: manual with incremental installation
BUG: 133435829
Change-Id: I8b38db18851a5b3baf925be621de3eb0e83efbb4
 2020-02-13 08:44:48 -08:00
David Stevens
3942fe1682 selinux policy for buffer queue config 
Test: boot and check for no policy violations

Change-Id: I1ea2a79b9a45b503dcb061c196c5af1d0ddab653
 2020-02-13 20:11:47 +09:00
Automerger Merge Worker
058a32b858 Merge "property_contexts: add location cache" am: d39a906a25 am: e27c59412d am: 5677813c9a 
Change-Id: I5eec2ff8e8c9e01c068ffe7b473eaf81d32d8048
 2020-02-13 05:08:27 +00:00
Automerger Merge Worker
5677813c9a Merge "property_contexts: add location cache" am: d39a906a25 am: e27c59412d 
Change-Id: I172dd2ee5325c9ef23cc7ada51a82c6a9448501b
 2020-02-13 04:58:18 +00:00
Automerger Merge Worker
e27c59412d Merge "property_contexts: add location cache" am: d39a906a25 
Change-Id: Iee3a29e28721c11f69a32470630cb0c0a8b9b802
 2020-02-13 04:41:01 +00:00