tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
47880 commits 1 branch 0 tags 50 MiB
Commit graph

468 commits

Author SHA1 Message Date
Seungjae Yoo
f60a1e0b90 Set sepolicy for vmnic in AVF 
Bug: 340376951
Test: Presubmit
Change-Id: I5f48ff4a459805de2f74d160c1b61473c6de0466
 2024-05-20 14:15:22 +09:00
Treehugger Robot
7ea1dd6dd1 Merge "c2: add default1 and default2" into main 2024-04-20 00:07:33 +00:00
Steven Moreland
f877f5dbec c2: add default1 and default2 
This is causing some targets to fail.

Bug: 335897540
Test: N/A
Change-Id: Ia077fc6bee952ff06ed13a555b96a00d6b5216e4
 2024-04-19 22:02:34 +00:00
Inseob Kim
8697fc80fd Add macro for board API level guard 
'starting_at_board_api' macro is added to guard system/sepolicy/public
types and attributes. The macro will work only when compiling vendor/odm
sepolicy. When compiling platform sepolicy (system / system_ext /
product), rules will always be included, regardless of board API level.

Policy authors should guard new public types and attributes with this
macro, similar to LLNDK. The new types and attributes will be exposed
since next vFRC release.

Bug: 330671090
Test: manually build with various board API level, see output
Change-Id: I03c601ce8fe1f77c7608dc488317d20276fd2d47
 2024-04-19 10:33:38 +09:00
Inseob Kim
ff2018fa84 Fix bpfmt 
Bug: N/A
Test: N/A
Flag: NONE trivial format change
Change-Id: I8f6293dcc47a4ead347c4861ba929d4b3042c311
 2024-04-17 09:55:49 +09:00
Inseob Kim
021596b37f Run neverallow tests on build time 
sepolicy_neverallows hasn't been running on `m droid` because of
LOCAL_UNINSTALLED_MODULE := true.

Test: m selinux_policy
Change-Id: Ia7a79723a0f92e659171f50a0829baf83f311661
 2024-04-15 11:08:17 +09:00
Inseob Kim
a9d412d373 Install cil_compat_map module's output 
... so it can be packaged as PackagingSpecs

Bug: 329208946
Test: m aosp_cf_system_x86_64
Change-Id: I6298a3e99e74c38befb3a3565e4c638e1558114d
 2024-04-05 23:45:23 +09:00
Treehugger Robot
210e8b5651 Merge "Adding on_device_intelligence selinux policy to allow system appliations to retrieve this service" into main 2024-03-11 15:21:42 +00:00
sandeepbandaru
600e395339 Adding on_device_intelligence selinux policy to allow system appliations to retrieve this service 
Bug: 316589195
Test: flashed on device and ran service with a demo app
Change-Id: I708d715525dd1c4f3985dfcc1560383d045f1a6f
 2024-03-11 11:33:18 +00:00
Alan Stokes
d02b052624 Merge "Add virtualization_maintenance_service" into main am: d2bc72b7eb 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2967637

Change-Id: Ib5539a82cb00a141c3c4d9877acb7195f853107d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2024-02-22 10:33:00 +00:00
Alan Stokes
38131e7ba8 Add virtualization_maintenance_service 
This is an AIDL service exposed by Virtualization Service to system
server (VirtualizationSystemService).

The implementation is Rust so no fuzzer is required.

I've put this behind the flag on general principle.

Bug: 294177871
Test: atest MicrodroidTests
Change-Id: Ia867fe27fb2e76d9688e4ba650ebf7b3f51ee597
 2024-02-20 17:08:28 +00:00
Treehugger Robot
8dae0dd2db Merge "Support multiple se_flags modules" into main am: f9f826fb30 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2963582

Change-Id: Ie6758c95131388b40c8731151529672e271dc430
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2024-02-19 05:01:22 +00:00
Inseob Kim
bf7f4a4401 Support multiple se_flags modules 
Instead of centralized one se_flags module under system/sepolicy,
additional se_flags modules can be defined anywhere to support defining
downstream branches' own flagging.

Bug: 321875465
Test: TH
Test: soong test
Change-Id: I6e45c859b7f09e27ba1d60033b0db1424472cb63
 2024-02-16 16:14:40 +09:00
Yisroel Forta
f86fab0d6d Merge "SELinux permissions for ProfilingService" into main am: e510cb8696 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2955343

Change-Id: Id393a7cdbcbb82d767b2457c33daf2c96c5bead7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2024-02-12 14:51:42 +00:00
Yisroel Forta
e510cb8696 Merge "SELinux permissions for ProfilingService" into main 2024-02-12 14:22:31 +00:00
Yisroel Forta
aa9d0bf24c SELinux permissions for ProfilingService 
Test: Presubmit, manually confirm service accessible
Bug: 293957254
Change-Id: I7103be95ff49eb87b4c7164a38a481034d72a9aa
 2024-02-09 19:25:32 +00:00
Jiakai Zhang
59bb9008fd Merge "Update sepolicy for service dexopt_chroot_setup and artd_pre_reboot." into main am: 95d371bcfd 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2939419

Change-Id: I75166873b4baa3d781ebb0b7055f9f42b8a5dd1e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2024-02-09 03:29:50 +00:00
Jiakai Zhang
95d371bcfd Merge "Update sepolicy for service dexopt_chroot_setup and artd_pre_reboot." into main 2024-02-09 02:52:58 +00:00
mrulhania
faaec9dd3a Add SELinux policy for ContentProtectionManagerService am: 9a7700cd46 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2952703

Change-Id: Ib8beac88752e6c4576bc177553c33c82df5b1026
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2024-02-09 00:41:43 +00:00
mrulhania
9a7700cd46 Add SELinux policy for ContentProtectionManagerService 
Bug: 324348549
Test: build
Change-Id: Ieb319ed033d2fdb18cf76107c44cd6357221ecc4
 2024-02-08 19:56:49 +00:00
Jiakai Zhang
817c49f74c Update sepolicy for service dexopt_chroot_setup and artd_pre_reboot. 
Bug: 311377497
Test: manual - Call
  getDexoptChrootSetupServiceRegisterer().waitForService()
Test: manual - Set up a chroot environment and call
  getArtdPreRebootServiceRegisterer().waitForService()
Change-Id: I50b5f7f858dab37f05174cb9787f64303d50d083
 2024-02-08 10:13:27 +08:00
Treehugger Robot
ef4bd550ee Merge "Changes in SELinux Policy for CSS API" into main am: 49a519234b 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2819838

Change-Id: I4cfa495bdeae5c048a6f5bf6b308de21c2e40ca7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2024-02-06 21:05:13 +00:00
Treehugger Robot
49a519234b Merge "Changes in SELinux Policy for CSS API" into main 2024-02-06 20:28:45 +00:00
Dan Shi
f6477f4f03 Merge "Revert "audio: Provide a default implementation of IHalAdapterVe..."" into main am: b230f4f10c 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2944648

Change-Id: I0ebc9160853d628eb184c53ffff580717fca2137
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2024-02-01 22:25:09 +00:00
Dan Shi
b230f4f10c Merge "Revert "audio: Provide a default implementation of IHalAdapterVe..."" into main 2024-02-01 21:57:51 +00:00
Mikhail Naganov
1460db3c7c Merge "audio: Provide a default implementation of IHalAdapterVendorExtension" into main am: c301f8ef3d 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2930452

Change-Id: I78f36755805b4cfc220a92b4b779aa7e8c3a7f44
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2024-02-01 21:44:09 +00:00
Dan Shi
0ad6f6bdd6 Revert "audio: Provide a default implementation of IHalAdapterVe..." 
Revert submission 2929484-fix-b-321651892-ihaladapter

Reason for revert: possible cause of b/323385784

Reverted changes: /q/submissionid:2929484-fix-b-321651892-ihaladapter

Change-Id: I9664f8f9dd6eec159be7fbf3b148a12d44cef582
 2024-02-01 19:32:34 +00:00
Mikhail Naganov
c301f8ef3d Merge "audio: Provide a default implementation of IHalAdapterVendorExtension" into main 2024-02-01 16:48:06 +00:00
Haining Chen
c269e3acee Merge "Add sepolicy for adaptive auth service" into main am: 2b8ddb7d7c 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2926551

Change-Id: Ib7efb0b61d4a558fc80c7f716988966446cb4ef0
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2024-01-31 20:36:46 +00:00
Xin Li
b96adcf722 Merge Android 24Q1 Release (ab/11220357) 
Bug: 319669529
Merged-In: Ia3c8bcddaed44d4dd03df6d504fecb61d999cbec
Change-Id: Iefabaeb2456a31cd008f6ccb6b4e924c87dc2f65
 2024-01-29 13:06:50 -08:00
Mikhail Naganov
00c2fedc5a audio: Provide a default implementation of IHalAdapterVendorExtension 
This service is used by the audio server for translating
between legacy string KV pairs and AIDL vendor parameters.
It resides on the system_ext partition.

Since it has to be implemented by every SoC vendor, provide
an example implementation. This example service is added
to CF and GSI system_ext. Vendors can use their own names
and policy labels, the only thing that the audio server
depends on is the AIDL interface.

There is no fuzzer for this service because the example
implementation only contains trivial code (interface
methods are stubbed out).

Bug: 321651892
Test: atest audiorouting_tests
Change-Id: I8ab922660a30ffd44772987204ac4a28c1007c66
 2024-01-26 15:35:51 -08:00
Haining Chen
982295a6af Add sepolicy for adaptive auth service 
Bug: 285053096
Test: m -j
Change-Id: I549de0536071ff5622c54e86927b1f20dab9d007
 2024-01-24 15:47:14 -08:00
Jay Thomas Sullivan
4e57c74f29 [ECM] Update SELinux policy for EnhancedConfirmationService 
EnhancedConfirmationService is a new SystemService.

These changes are required before the service will boot.

Bug: 321053639
Change-Id: I15a4004ca57deb5c6f8757913c1894ba0ced399d
 2024-01-23 23:15:16 +00:00
Pawan Wagh
d4205898ec Add statsd service fuzzer to bindings 
Test: m
Bug: 232439428
Change-Id: I7f6a2b8f4f00f38863d7d0d9d12370f23d9d556b
 2024-01-12 22:10:28 +00:00
Treehugger Robot
24d52ac42a Merge "Change sepolicy version format for vFRC" into main 2023-12-22 02:25:15 +00:00
David Drysdale
7e09f9ceef Add the fuzzer for ISecretkeeper/nonsecure 
Test: N/A
Bug: 291228655
Change-Id: Ie67905f0703762198339ff80e9ae8d10b06eba3f
 2023-12-19 09:49:26 +00:00
Inseob Kim
3e34b72f9c Change sepolicy version format for vFRC 
sepolicy versioning is for system <-> vendor compatibility. This changes
sepolicy version format from sdk version (e.g. 34.0) to vendor api
version (e.g. 202404.0).

Bug: 314010177
Test: build and boot
Change-Id: I2422c416b7fb85af64c8c835497bbecd2e10e2ab
 2023-12-19 13:35:38 +09:00
Franklin Abreu Bueno
a3bfb1485e Bluetooth LMP Events: Add Lmp Events Hal 
Bug: 281503650
Change-Id: Ie9fa616d4142c554c30e5b45b625203387edb9a7
 2023-12-13 12:02:33 -08:00
Chienyuan Huang
992ee5d4f1 Merge "Add bluetooth ranging hal" into main am: 6217aedfdb am: 198beb4785 am: 29c7c5e380 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2854391

Change-Id: Ie68a60c7544fc01f912b49b8eea17a573e755c36
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-12-11 23:13:44 +00:00
Chienyuan Huang
2e19c7632e Add bluetooth ranging hal 
Bug: 310941161
Test: make
Change-Id: I9b2bc9d945b016361f44a5600c61ed2795c00622
 2023-12-08 09:37:17 +00:00
David Drysdale
71babc2b44 Merge "Allow for ISecretkeeper/default" into main am: 3f63eead74 am: 98c169553f am: 42207db4cf 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2829790

Change-Id: I27acef348359e3d2fe1aadcd339dfd27db2d2355
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-12-06 12:44:04 +00:00
David Drysdale
8d1876b4f6 Allow for ISecretkeeper/default 
Test: VtsAidlAuthGraphSessionTest
Bug: 306364873
Change-Id: I788d6cd67c2b6dfa7b5f14bc66444d18e3fd35d3
 2023-12-05 14:33:47 +00:00
Ted Wang
4792dd12ce Merge "Add bluetooth finder hal" into main am: fb82802fc0 am: 2ca6c9a46a am: 8fe9f4da45 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2836616

Change-Id: I383c9a5ccb2b5ec204224054b8e6d8cbb40c0e01
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-12-01 19:23:10 +00:00
Ted Wang
fb82802fc0 Merge "Add bluetooth finder hal" into main 2023-12-01 17:41:04 +00:00
Ján Sebechlebský
7820573474 Merge "Revert^2 "Add fuzzer for "virtual_camera" service"" into main 2023-11-22 10:29:10 +00:00
Alice Wang
7652b9104f Revert^4 "[avf][rkp] Allow virtualizationservice to register RKP HAL" am: e79bbf9cf8 am: d6a81a15f1 am: b76b119dfc 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2828234

Change-Id: I3253cb79cd16f11534640e18ff5ad3bbea354944
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-11-22 10:17:41 +00:00
Ján Sebechlebský
5a01f3d5b7 Revert^2 "Add fuzzer for "virtual_camera" service" 
This reverts commit b701c8d098.

Reason for revert: aosp/2824498 merged

Change-Id: Ie885405d6998c0997f3fba9f3968195ec3022a37
 2023-11-22 09:12:55 +00:00
Alice Wang
e79bbf9cf8 Revert^4 "[avf][rkp] Allow virtualizationservice to register RKP HAL" 
Revert submission 2829351-revert-2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT-WYENGHRTXK

Reason for revert: Relands the original topic:
https://r.android.com/q/topic:%22expose-avf-rkp-hal%22

Changes from the reverted cl aosp/2812455:
 - The AIDL service type has been renamed from avf_* to hal_* to be
   consistent with the others.

 - The new AIDL service type, hal_remotelyprovisionedcomponent_avf_service,
   for the IRPC/avf service, has been set up with the server/client model
   for AIDL Hal. The virtualizationservice is declared as server and
   RKPD is declared as client to access the service instead of raw
   service permission setup as in the reverted cl. This is aligned
   with the AIDL Hal configuration recommendation.

 - Since the existing type for IRPC hal_remotelyprovisionedcomponent is
   already associated with keymint server/client and has specific
   permission requirements, and some of the keymint clients might not
   need the AVF Hal. We decided to create a new AIDL service type
   instead of reusing the exisiting keymint service type.

Reverted changes: /q/submissionid:2829351-revert-2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT-WYENGHRTXK

Bug: 312427637
Bug: 310744536
Bug: 299257581
Test: atest MicrodroidHostTests librkp_support_test
Change-Id: Id37764b5f98e3c30c0c63601560697cf1c02c0ad
 2023-11-22 08:21:27 +00:00
Ján Sebechlebský
e5c69d1279 Merge changes I0ca68d6c,Ie621f896 into main am: d97e6b1d70 am: 5c1d248fd0 am: 98c2d64a81 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2837616

Change-Id: Ia4804c51a283b680c0d605abde24d43023ed5ce2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-11-22 07:39:27 +00:00
Ján Sebechlebský
d97e6b1d70 Merge changes I0ca68d6c,Ie621f896 into main 
* changes:
  Allow virtual camera service to access gpu.
  Revert^2 "Allow system_server to communicate with virtual_camera"
 2023-11-22 06:58:18 +00:00