tequilaOS/platform_system_sepolicy

Author	SHA1	Message	Date
Xin Li	81e2126bb3	Merge Android 24Q2 Release (ab/11526283) to aosp-main-future Bug: 337098550 Merged-In: Ic3cbc8e238628955c1e9c44ee60cae4001667533 Change-Id: I04e8aabd8e4c1f6d856eeab541b6a730d3a71e26	2024-05-24 08:33:13 -07:00
Treehugger Robot	07e0507c74	Merge "Revert "Suppress denials for odsign console"" into main am: `c087c0b98c` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3101601 Change-Id: Ifb6d5d5a8024f090006387d6af962184c87427e5 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-05-24 13:38:31 +00:00
Treehugger Robot	c087c0b98c	Merge "Revert "Suppress denials for odsign console"" into main	2024-05-24 13:20:01 +00:00
Alan Stokes	ef8cf12fd5	Revert "Suppress denials for odsign console" This reverts commit `8b80dacadc`. Reason for revert: b/341649167 Bug: 293259827 Change-Id: I25183a11b2c522f475eceeadcde5bcc74c95ba56	2024-05-24 08:56:37 +00:00
Treehugger Robot	c488d0bd8f	Merge "Allow system_server to reopen its own memfd." into main am: `ab0272ccb4` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3094247 Change-Id: Iad3f40b3e52aef2f234e22b0099aabf7ce26742f Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-05-23 14:03:43 +00:00
Treehugger Robot	ab0272ccb4	Merge "Allow system_server to reopen its own memfd." into main	2024-05-23 13:45:23 +00:00
Yakun Xu	d066eaa355	Merge "Thread: allow ot-rcp on user build" into main am: `1838718317` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3099137 Change-Id: I3f7a1b218fd1e916f52539fc8c6e6e542aef207f Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-05-23 08:00:10 +00:00
Yakun Xu	1838718317	Merge "Thread: allow ot-rcp on user build" into main	2024-05-23 07:44:27 +00:00
Yakun Xu	66947c66d6	Thread: allow ot-rcp on user build This commit adds sepolicy on user build so that Thread HAL simulation can run on cuttlefish user builds. Bug: 342154029 Test: presubmit Change-Id: I576f52a1bdf5b0966e73ee93e4b68bed613b0796	2024-05-23 11:22:36 +08:00
Treehugger Robot	9f4c7bc53f	Merge "Update transaction log permissions." into main am: `6f388111e0` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3092992 Change-Id: I3cf12a24653cd8ab3ba51fff8142148c0806758a Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-05-22 19:33:18 +00:00
Treehugger Robot	6f388111e0	Merge "Update transaction log permissions." into main	2024-05-22 19:21:00 +00:00
Ellen Arteca	96da6272a8	Merge "Fix installd not having permission to delete storage area keys" into main am: `19208cb0e3` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3095417 Change-Id: I5714bd938eaa91bfe8e96d13bd407bf2973163f1 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-05-22 17:04:47 +00:00
Ellen Arteca	19208cb0e3	Merge "Fix installd not having permission to delete storage area keys" into main	2024-05-22 17:03:15 +00:00
Dennis Shen	3a33d825f9	selinux: added a new dir /metadata/aconfig/maps, it assumes existing am: `08da1322db` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3092943 Change-Id: I2e155b96b37b9e0021401814f00709246dfb8aa2 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-05-22 16:57:22 +00:00
Jiakai Zhang	7a257541e9	Allow system_server to reopen its own memfd. Bug: 311377497 Test: Run Pre-reboot Dexopt. Change-Id: Ic6e273732a042f0906fad7ffa73a3e45af2adde5	2024-05-22 17:09:06 +01:00
Dennis Shen	08da1322db	selinux: added a new dir /metadata/aconfig/maps, it assumes existing aconfig_storage_metadata_file file type by default Bug: b/312444587 Test: atest aconfigd_test Change-Id: Ic0b8974dc33d4ecc3e46f0f595a6b068a78539ff	2024-05-21 18:47:04 +00:00
Ellen Arteca	1c7e529242	Fix installd not having permission to delete storage area keys Bug: 325129836 Test: atest StorageAreaTest Change-Id: I6dd1678fe1b184372221b479aaeba17c1ab4788c	2024-05-21 17:58:05 +00:00
Dennis Shen	2e2632b219	Merge "selinux: allow aconfig to read /aepx" into main am: `2f5774f756` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3092562 Change-Id: If0217ac2d3181e58b0c8cf4fbb198ca85dec21a4 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-05-21 14:55:24 +00:00
Dennis Shen	2f5774f756	Merge "selinux: allow aconfig to read /aepx" into main	2024-05-21 14:39:44 +00:00
Thiébaud Weksteen	30591033a7	Merge changes I9b32916e,I7c4771de into main am: `e138fe460b` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3088167 Change-Id: I86722870f9d7c216f633fe36cc01049fb3a4efcb Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-05-21 10:45:14 +00:00
Thiébaud Weksteen	e138fe460b	Merge changes I9b32916e,I7c4771de into main * changes: Define new kernel security classes Symlink microdroid access_vectors and security_classes	2024-05-21 10:26:46 +00:00
Seungjae Yoo	14898c5d0c	Merge "Set sepolicy for vmnic in AVF" into main am: `e5df7418a4` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3084846 Change-Id: Ib7f263aad4bf9297b6491de86fb2dc17fdf992e9 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-05-21 05:01:49 +00:00
Seungjae Yoo	e5df7418a4	Merge "Set sepolicy for vmnic in AVF" into main	2024-05-21 04:40:55 +00:00
Treehugger Robot	bf9aec10fc	Merge "statsd: allow misctl property" into main am: `4fa0ed2bc1` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3086708 Change-Id: If41c1bf9b4f981dd959c0a15025acafec4d4b815 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-05-21 01:55:26 +00:00
Treehugger Robot	4fa0ed2bc1	Merge "statsd: allow misctl property" into main	2024-05-21 01:25:32 +00:00
Inseob Kim	9892ce9cee	Remove 1000000.0 mapping files am: `23c543c0ed` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3093740 Change-Id: I342c70bc77bd718d0152465809cd1f05402ccbb8 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-05-20 06:46:46 +00:00
Seungjae Yoo	f60a1e0b90	Set sepolicy for vmnic in AVF Bug: 340376951 Test: Presubmit Change-Id: I5f48ff4a459805de2f74d160c1b61473c6de0466	2024-05-20 14:15:22 +09:00
Inseob Kim	23c543c0ed	Remove 1000000.0 mapping files It's a workaround for -with-phones branch and redundant now. Test: TH Change-Id: I0ec9e00a8ee1e3c929f33cbba3b8339c7e42b885	2024-05-20 10:23:55 +09:00
Dennis Shen	f6106361f1	selinux: allow aconfig to read /aepx Bug: b/312444587 Test: m and avd Change-Id: I6ac81dd211ad7669952f97f9541c44e14680bec6	2024-05-20 00:44:56 +00:00
Steven Moreland	248f0e069a	Update transaction log permissions. I locked down binderfs in Android V (this release still), but part of it was opened up too much, so transactions restricted to userdebug. transaction_log and failed_transaction_log are not used in AOSP, but they are requested by partners. Bug: 316970771 for transactions Bug: 336711420 for request to open up transaction history logs Test: boot, bugreport, also: :) adb shell ls -Z /dev/binderfs/binder_logs u:object_r:binderfs_logs_transaction_history:s0 failed_transaction_log u:object_r:binderfs_logs_proc:s0 proc u:object_r:binderfs_logs:s0 state u:object_r:binderfs_logs_stats:s0 stats u:object_r:binderfs_logs_transaction_history:s0 transaction_log u:object_r:binderfs_logs_transactions:s0 transactions :) adb shell cat /dev/binderfs/binder_logs/transaction_log 10058502: reply from 6450:8668 to 6766:6766 context binder node 0 handle -1 size 36:0 ret 0/0 l=0 10058503: call from 6766:6766 to 6450:0 context binder node 199747 handle 23 size 116:0 ret 0/0 l=0 10058504: reply from 6450:8668 to 6766:6766 context binder node 0 handle -1 size 12:0 ret 0/0 l=0 10058505: call from 6766:6766 to 6450:0 context binder node 199747 handle 23 size 84:0 ret 0/0 l=0 ... :) adb shell cat /dev/binderfs/binder_logs/failed_transaction_log 26418: reply from 584:1568 to 0:0 context binder node 0 handle -1 size 20:0 ret 29189/0 l=3194 57265: async from 2978:4304 to 3039:0 context binder node 40111 handle 6 size 96:0 ret 29189/-3 l=3465 57269: call from 4437:4613 to 670:0 context binder node 57183 handle 44 size 116:0 ret 29189/-3 l=3465 57288: async from 4252:4450 to 3039:0 context binder node 34895 handle 1 size 92:0 ret 29189/-3 l=3465 ... Change-Id: I73e570dee8e59e76acaf0def615701e0e85e207f	2024-05-17 22:35:55 +00:00
Yakun Xu	8077576872	Merge "Thread: allow ot-rcp to bind a specific netif" into main am: `60f55289f8` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3081323 Change-Id: I833ea7b2e26feeefdf2529d2ab0c716c696cdda5 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-05-17 04:11:55 +00:00
Yakun Xu	60f55289f8	Merge "Thread: allow ot-rcp to bind a specific netif" into main	2024-05-17 03:52:14 +00:00
Thiébaud Weksteen	31533d3c8b	Merge "Grant dumpstate append to app_data_file_type" into main am: `1b85ead322` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3088105 Change-Id: I534f0645532dfa73baf3aa6646f311a2755089d7 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-05-16 23:42:09 +00:00
Thiébaud Weksteen	1b85ead322	Merge "Grant dumpstate append to app_data_file_type" into main	2024-05-16 23:29:39 +00:00
Treehugger Robot	f3e51a6fec	Merge "Adjust policy that allows virtualizationservice to access RKPD" into main am: `ca83352d1b` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3086832 Change-Id: I0ffa6a6ae46e82cffd91cdae6368ea67f1cbee40 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-05-15 16:13:18 +00:00
Jiakai Zhang	085f25ef20	Add a system property namespace for Pre-reboot Dexopt. am: `1a3775bbb8` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3087872 Change-Id: Ic6603cf425be82ca9bc1a36fa12c490649da7a3e Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-05-15 16:12:49 +00:00
Treehugger Robot	ca83352d1b	Merge "Adjust policy that allows virtualizationservice to access RKPD" into main	2024-05-15 16:05:38 +00:00
Alice Wang	f7fc9f921a	Adjust policy that allows virtualizationservice to access RKPD Test: atest AvfRkpdAppIntegrationTests Change-Id: I4f946326af3ce96466bb2c7de1762fbed056ec09	2024-05-15 14:33:36 +00:00
Jiakai Zhang	1a3775bbb8	Add a system property namespace for Pre-reboot Dexopt. We need to maintain the Pre-reboot Dexopt state across system server crashes and restarts, but not across reboots. System properties are suitable for this use case. The state includes whether the job has run and the OTA slot. Bug: 311377497 Change-Id: I527d4ba6064c1600d97ce2efc8be211b9460a8f0 Test: Presubmit	2024-05-15 14:20:22 +00:00
Maciej Żenczykowski	0c4f5d4745	Merge "allow non bpfloader creation of bpf maps" into main am: `6e95ee78e3` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2751710 Change-Id: I7166f37d3638241147982db316e44c271506ab6f Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-05-15 07:54:23 +00:00
Maciej Żenczykowski	6e95ee78e3	Merge "allow non bpfloader creation of bpf maps" into main	2024-05-15 07:37:07 +00:00
Thiébaud Weksteen	6772c50574	Define new kernel security classes Define new classes and access vectors recognised by the kernel. Bug: 340491179 Test: boot and check logs for undefined class or permission Change-Id: I9b32916ea231cf396aa326ed7e08cb14e4eb2c9b	2024-05-15 04:45:20 +00:00
Thiébaud Weksteen	4b79c66714	Symlink microdroid access_vectors and security_classes Symlink the access vectors and classes definitions of microdroid reqd_mask to microdroid platform. These definitions are not yet linked to the generic platform policy. Bug: 340491179 Bug: 215093641 Test: build & TH Change-Id: I7c4771dedfd2f35a7dda7d78bf863cbc0c288e67	2024-05-15 13:47:25 +10:00
Thiébaud Weksteen	76f7261d14	Grant dumpstate append to app_data_file_type dumpstate may be executed by apps in different domains. Notably, a system_app needs to be able to save the output in its own directory. avc: denied { append } for comm="binder:575_1" dev="dm-50" ino=10712 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=file Using the app_data_file_type attribute to capture all the potential app data types. For info, the current Cuttlefish policy has: $ seinfo -x -a app_data_file_type cf_policy attribute app_data_file_type; app_data_file bluetooth_data_file nfc_data_file privapp_data_file radio_data_file sdk_sandbox_data_file shell_data_file storage_area_app_dir storage_area_content_file storage_area_dir system_app_data_file Test: bugreport Change-Id: I7685c1fcdb3896c44fe44008b1b262c3f1e90a01	2024-05-15 10:55:37 +10:00
Steven Moreland	0ae9148a35	statsd: allow misctl property For detecting 16 KB issues. Bug: 332406754 Test: build Change-Id: I27f7044133dad54b91bbab5911b05a6cc254be36	2024-05-14 20:31:11 +00:00
Alan Stokes	c702594172	Suppress denials for odsign console am: `8b80dacadc` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3085865 Change-Id: Id23bd90e60972781e25896dd2a0ee6a8195ec96e Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-05-14 17:42:34 +00:00
Alan Stokes	8b80dacadc	Suppress denials for odsign console When odsign spawns compos_verify it has our stdin/out connected to its console. But none of the VM processes use stdin/out at all; they log to logcat instead. So instead of allowing the access (which immediately leads to the same denials in virtualizationmanager), just suppress the audit logs. Bug: 293259827 Test: Exercise isolated compilation successfully with no denials seen. Change-Id: I454bb2fe106b656a9695511cbf09350402b30bdd	2024-05-14 17:07:35 +01:00
Thiébaud Weksteen	7575d606d5	Collect test names in sepolicy_tests.py am: `70cf2cd6e3` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3084845 Change-Id: I610f574d5ada646ed7bc58c1e48fc3b9e2237b83 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-05-14 06:32:14 +00:00
Thiébaud Weksteen	70cf2cd6e3	Collect test names in sepolicy_tests.py Some entries in Tests were not matching their actual function (e.g., TestSystemTypeViolators instead of TestSystemTypeViolations). Automatically generate the list of tests, based on the 'Test' prefix in their name. Test: sepolicy_tests -h Change-Id: I1865e24c6cc1bfe15f633263897ea7530140c41d	2024-05-14 13:42:13 +10:00
Treehugger Robot	c29897e144	Merge "Allow mounting and unmounting functionfs." into main am: `fff886e374` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3079245 Change-Id: I921561cb97cbbcf8811acea592b1e327170278a1 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-05-09 09:07:45 +00:00

1 2 3 4 5 ...

47880 commits