tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
47880 commits 1 branch 0 tags 50 MiB
Commit graph

7976 commits

Author SHA1 Message Date
Treehugger Robot
12665a9787 Merge "Add appcompat override files and contexts to SELinux" into main 2023-10-31 02:29:57 +00:00
Alex Xu
55f133ee5c Merge "Add sepolicy for security_state service." into main am: f82b6897cf 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2803335

Change-Id: Ib3c443cfb4ab4a43f345053348de66182d6b4249
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-10-27 19:47:13 +00:00
Alex Xu
f82b6897cf Merge "Add sepolicy for security_state service." into main 2023-10-27 19:20:58 +00:00
Alice Wang
104626ca99 [avf][rkp] Allow virtualizationservice to register RKP HAL service 
Bug: 274881098
Test: atest MicrodroidHostTests
Change-Id: Ib0953fa49f27719be63bb244071b132bc385dca3
 2023-10-27 09:26:42 +00:00
Kyle Zhang
12c42b5f50 Add system property persist.drm.forcel3.enabled 
Bug: 299987160
Change-Id: Icf945a2bfb7e25225f30630c5d24bf13a8960a01
 2023-10-26 22:16:49 +00:00
Xin Li
67d58f5f39 Merge "Merge android14-tests-dev" into main 2023-10-26 20:11:39 +00:00
Xin Li
522f0a9ef2 Merge android14-tests-dev 
Bug: 263910020
Merged-In: If027337f7e703fe5b80e18ecddeabbac29011c5f
Change-Id: Ic7943d9afe12602f3e4289a7aa6ad0c5d340ed81
 2023-10-26 10:31:12 -07:00
Alex Xu
902a010aaa Add sepolicy for security_state service. 
security_state service manages security state (e.g. SPL) information across partitions, modules, etc.

Bug: 307819014
Test: Manual
Change-Id: I4ebcd8431c11b41f7e210947b32cf64c2adf3901
 2023-10-26 06:11:58 +00:00
David Drysdale
c4ab01baad Add sepolicy for non-secure AuthGraph impl 
Bug: 284470121
Bug: 291228560
Test: hal_implementation_test
Test: VtsAidlAuthGraphSessionTest
Change-Id: I85bf9e0656bab3c96765cc15a5a983aefb6af66d
 2023-10-26 02:00:43 +00:00
Steven Moreland
012b954125 Merge "binderfs neverallows" into main 2023-10-26 00:07:44 +00:00
Steven Moreland
0365329dad binderfs neverallows 
Add neverallow reading these files because this came
up in a review recently, and they contain information
about processes which is important for security, so
we'd like to avoid accidentally granted these
permissions.

Fixes: 306036348
Test: build (is build time change)
Change-Id: I8b8917dacd2a65b809b7b6fb7c1869a3db94156b
 2023-10-25 00:41:25 +00:00
Nate Myren
0e15f2d9c5 Add appcompat override files and contexts to SELinux 
This also allows the zygote to bind mount the system properties

Bug: 291814949
Test: manual
Change-Id: Ie5540faaf3508bc2d244c952904838d56aa67434
 2023-10-23 18:34:12 +00:00
Rhed Jao
ebe1316695 Create sepolicy for allowing system_server rw in /metadata/repair-mode 
Bug: 277561275
Test: ls -all -Z /metadata/repair-mode
Change-Id: Ie27b6ef377bb3503e87fbc5bb2446bc0de396123
 2023-10-23 13:38:38 +11:00
Li Li
0b3f585a63 Allow system server read binderfs stats 
When receiving the binder transaction errors reported by Android
applications, AMS needs a way to verify that information. Currently
Linux kernel doesn't provide such an API. Use binderfs instead until
kernel binder driver adds that functionality in the future.

Bug: 199336863
Test: send binder calls to frozen apps and check logcat
Test: take bugreport and check binder stats logs
Change-Id: I3bab3d4f35616b4a7b99d6ac6dc79fb86e7f28d4
 2023-10-20 13:22:24 -07:00
Eric Biggers
cc5cb431ee Stop granting permissions on keystore_key class 
When keystore was replaced with keystore2 in Android 12, the SELinux
class of keystore keys was changed from keystore_key to keystore2_key.
However, the rules that granted access to keystore_key were never
removed.  This CL removes them, as they are no longer needed.

Don't actually remove the class and its permissions from
private/security_classes and private/access_vectors.  That would break
the build because they're referenced by rules in prebuilts/.

Bug: 171305684
Test: atest CtsKeystoreTestCases
Flag: exempt, removing obsolete code
Change-Id: I35d9ea22c0d069049a892def15a18696c4f287a3
 2023-10-16 22:22:54 +00:00
Vladimir Komsiyski
6e07de8088 Merge "Policy for virtualdevice_native service." into main 2023-10-06 14:20:09 +00:00
Vladimir Komsiyski
31facf0677 Policy for virtualdevice_native service. 
A parallel implementation of certain VDM APIs that need to
be exposed to native framework code.

Similar to package_native_service.

Not meant to be used directly by apps but should still be
available in the client process via the corresponding native
manager (e.g. SensorManager).

Starting the service: ag/24955732
Testing the service: ag/24955733

Bug: 303535376
Change-Id: I90bb4837438de5cb964d0b560585b085cc8eabef
Test: manual
 2023-10-06 12:52:42 +00:00
Steve Muckle
bd24038bb1 Merge "allow writes to /sys/power/sync_on_suspend from init" into main am: a4c440948b 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2771125

Change-Id: I45a1841088438d19052353bab114b2d28006d103
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-10-04 14:05:29 +00:00
Steve Muckle
75603e3ccd allow writes to /sys/power/sync_on_suspend from init 
When suspend.disable_sync_on_suspend is set init must write to
/sys/power/sync_on_suspend.

Bug: 285395636
Change-Id: Ica1b039c3192f08ec84aa07d35c2d0c61e7449c0
 2023-10-04 07:44:33 +00:00
Brian Lindahl
1b32bccc1a Allow for server-side configuration of libstagefright 
Relaxation of SELinux policies to allow users of libstagefright and
MediaCodec to be able to query server-side configurable flags.

Bug: 301372559
Bug: 301250938
Test: run cts -m CtsSecurityHostTestCases
Change-Id: I72670ee42c268dd5747c2411d25959d366dd972c
Merged-In: I95aa6772a40599636d109d6960c2898e44648c9b
 2023-09-27 16:15:23 +00:00
Treehugger Robot
d281acf1b5 Merge "hal_dumpstate service is now AIDL service" into main am: ae071b717b 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2756129

Change-Id: I44fcc2c033df089e86ecd8bda6e5d5d8dd701522
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-09-22 01:51:01 +00:00
Treehugger Robot
ae071b717b Merge "hal_dumpstate service is now AIDL service" into main 2023-09-22 01:16:28 +00:00
Carlos Galo
ecb23b6ccb Merge "system_server: allow access to proc/memhealth/*" into main am: a8e1fe01da 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2754950

Change-Id: Ia3a154eda9673c605505d5440715cbb726f9c26b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-09-20 06:03:53 +00:00
Carlos Galo
a8e1fe01da Merge "system_server: allow access to proc/memhealth/*" into main 2023-09-20 05:04:44 +00:00
Jooyung Han
309065bb5b hal_dumpstate service is now AIDL service 
Bug: 301079572
Test: VtsHalDumpstateTargetTest
Change-Id: I86e80cadcfa51557efad58d854880b9d421e9df9
 2023-09-20 10:53:03 +09:00
Carlos Galo
004cc8c21c system_server: allow access to proc/memhealth/* 
Libmemevents requires read-access to the attribute files exposed by the
memhealth driver.

Test: build
Test: no denials to /proc/memhealth/oom_victim_list from libmemevents
Bug: 244232958
Change-Id: I617c75ab874ad948af37d3e345e5202e46781f3f
Signed-off-by: Carlos Galo <carlosgalo@google.com>
 2023-09-20 00:30:13 +00:00
Treehugger Robot
35feb11562 Merge "Revert^3 "Start tracking vendor seapp coredomain violations"" into main am: 531e26d991 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2754249

Change-Id: I9bdf9240ad963a39882c75d76bf69ba2afd69af5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-09-18 06:16:58 +00:00
Treehugger Robot
531e26d991 Merge "Revert^3 "Start tracking vendor seapp coredomain violations"" into main 2023-09-18 05:06:32 +00:00
Inseob Kim
8bc8b75f95 Revert^3 "Start tracking vendor seapp coredomain violations" 
This reverts commit b193c80986.

Reason for revert: Fix is merged

Change-Id: Ia2dcd6584ee763c6da3f3b7fdd9f4710ffde9bfc
 2023-09-18 04:08:19 +00:00
Inseob Kim
76d5f36905 Merge "Revert^2 "Start tracking vendor seapp coredomain violations"" into main am: 5d94d75e38 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2752267

Change-Id: Ic7857eca04d3ad375735f9676b0cf17d1c667849
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-09-15 04:01:08 +00:00
Treehugger Robot
7a921e30f0 Merge "Revert "Start tracking vendor seapp coredomain violations"" into main am: 430c93557f 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2750383

Change-Id: Idb97d60610296a2af52d503a2b7a597beab5498e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-09-15 04:00:27 +00:00
Inseob Kim
5d94d75e38 Merge "Revert^2 "Start tracking vendor seapp coredomain violations"" into main 2023-09-15 03:59:23 +00:00
Inseob Kim
b193c80986 Revert^2 "Start tracking vendor seapp coredomain violations" 
This reverts commit 6ec4e5f048.

Reason for revert: breaking build

Change-Id: If99f309fd8d5dd5b42a871259451c10530e1769d
 2023-09-15 03:58:00 +00:00
Treehugger Robot
430c93557f Merge "Revert "Start tracking vendor seapp coredomain violations"" into main 2023-09-15 03:06:00 +00:00
Inseob Kim
6ec4e5f048 Revert "Start tracking vendor seapp coredomain violations" 
This reverts commit 292f22a33b.

Reason for revert: removed all attribute usages; no need

Change-Id: Iab489f1a94733438ba0c552fb9e3eb354423a156
 2023-09-14 15:57:04 +00:00
Dennis Shen
71f389016f Merge "Update SELinux to allow vendor process access" into main am: b7052688e3 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2746856

Change-Id: I2e20f23460e111cee6c9333480cc5b1644cef32a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-09-12 12:56:06 +00:00
Dennis Shen
b7052688e3 Merge "Update SELinux to allow vendor process access" into main 2023-09-12 12:19:14 +00:00
Dennis Shen
584852eaa7 Update SELinux to allow vendor process access 
Bug: b/298934058, b/295379636
Change-Id: I2521ae27a88d471263ba4bff69947b2ce28b4b4e
 2023-09-11 14:30:29 +00:00
Jeff Pu
2b22cd44e4 Accept binder calls from servicemanger am: 3778cd4765 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2746858

Change-Id: Ie4c08f7b8d88fec9283aa31da9442f556253007a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-09-08 22:06:18 +00:00
Jeff Pu
3778cd4765 Accept binder calls from servicemanger 
Bug: 228638448
Test: Manual
Change-Id: Iaa64d252417ffeda7c07365c5ecd1b517b07314b
 2023-09-08 16:02:05 -04:00
Treehugger Robot
d065d025ed Merge "C2 AIDL sepolicy update" into main am: 8342def00a 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2721424

Change-Id: I096e99c403f513a203040cf97e199392dc794177
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-09-07 19:52:25 +00:00
Wonsik Kim
a981983e70 C2 AIDL sepolicy update 
Bug: 251850069
Test: presubmit
Change-Id: Ica39920472de154aa01b8e270297553aedda6782
 2023-09-06 14:30:26 -07:00
Daeho Jeong
6bac935581 Merge "compress logcat files" into main am: e7a31d52c7 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2726765

Change-Id: I46214a920ef0bd94e42f170e5e370211e8dc7dfc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-08-31 23:04:32 +00:00
Daeho Jeong
e7a31d52c7 Merge "compress logcat files" into main 2023-08-31 22:46:43 +00:00
Thiébaud Weksteen
a0075f40c6 Merge "Update documentation on binderservicedomain" into main am: 69a9189ddf 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2728813

Change-Id: Ic44e49d612ef2fd1eff36068d345cf426e8f11f5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-08-30 00:01:57 +00:00
Thiébaud Weksteen
5c20e61a92 Merge "Grant dumpstate access to artd service" into main am: 9432227844 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2724933

Change-Id: I4734d816e4946470b9368a2972894eedab236808
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-08-30 00:01:20 +00:00
Thiébaud Weksteen
69a9189ddf Merge "Update documentation on binderservicedomain" into main 2023-08-29 23:27:50 +00:00
Xin Li
80690d5086 Merge "Merge Android U (ab/10368041)" into aosp-main-future 2023-08-28 22:13:48 +00:00
Thiébaud Weksteen
5e9b88f739 Update documentation on binderservicedomain 
The binderservicedomain attribute grants further permissions than its
name suggests. Update the documentation to avoid its usage.

Bug: 297785784
Test: build, documentation update only.
Change-Id: I41bc6f32cf4d56bde320261fe221c3653cda945a
 2023-08-28 12:22:17 +10:00
Thiébaud Weksteen
8a250b9099 Grant dumpstate access to artd service 
The artd daemon is not always active. When running, it exposes a binder
service which may be dumped when a bug report is triggered. The current
policy did not fully grant access which resulted in spurious denials if
a bugreport was triggered when the daemon was running.

Test: Run bugreport; observe correct dump of artd service
Bug: 282614147
Bug: 192197221
Change-Id: Ie0986d7716de33ec38ae09cfee14c629f5a414a6
 2023-08-28 10:53:58 +10:00
Daeho Jeong
6ac8e4cf00 compress logcat files 
Change selinux policy to compress logcat files.

Test: check whether logcat files are compressed
Bug: 295175795
Change-Id: Ib120700c6dab4b1d0e29f0e19e55793bfb7a1675
Signed-off-by: Daeho Jeong <daehojeong@google.com>
 2023-08-25 15:02:34 -07:00
Kangping Dong
5e82983ee4 Merge "[Thread] add sepolicy rules for Thread system service" into main 2023-08-24 06:42:08 +00:00
Xin Li
e07dbe0a63 Merge Android U (ab/10368041) 
Bug: 291102124
Merged-In: Id2cc5dbbafffb4633706e5cc728cb44abd417340
Change-Id: I77e68f17a1273958bcdc32b5a4b6a0ff3ffdfd2a
 2023-08-23 17:20:59 -07:00
Kangping Dong
45efca84e5 [Thread] add sepolicy rules for Thread system service 
Add SEPolicy for the ThreadNetworkService
Add Fuzzer exception, thread_network service is java only

FR: b/235016403

Test: build and start thread_network service
bug: 262683651
Change-Id: Ifa2e9500dd535b0b4f2ad9af006b8dddaea900db
 2023-08-23 17:08:58 +08:00
Eric Biggers
448bd57181 Remove all module_request rules 
Starting in Android 11, Android unconditionally disables kernel module
autoloading (https://r.android.com/1254748) in such a way that even the
SELinux permission does not get checked.  Therefore, all the SELinux
rules that allow or dontaudit the module_request permission are no
longer necessary.  Their presence or absence makes no difference.

Bug: 130424539
Test: Booted Cuttlefish, no SELinux denials.
Change-Id: Ib80e3c8af83478ba2c38d3e8a8ae4e1192786b57
 2023-08-22 16:56:04 +00:00
Treehugger Robot
6d6183a709 Merge "Add rules for reading VM DTBO by vfio_handler" into main 2023-08-18 08:56:17 +00:00
Inseob Kim
292f22a33b Start tracking vendor seapp coredomain violations 
As part of Treble, enforce that vendor's seapp_contexts can't label apps
using coredomains. Apps installed to system/system_ext/product should be
labeled with platform side sepolicy.

This change adds the violators attribute that will be used to mark
violating domains that need to be fixed.

Bug: 280547417
Test: manual
Change-Id: I64f3bb2880bd19e65450ea3d3692d1b424402d92
 2023-08-18 15:24:59 +09:00
Seungjae Yoo
1b2d9de08d Add rules for reading VM DTBO by vfio_handler 
Bug: 291191362
Test: m

Merged-In: I0b38feb30382c5e6876e3e7809ddb5cf9034e4fd
Change-Id: I0b38feb30382c5e6876e3e7809ddb5cf9034e4fd
 2023-08-18 01:17:23 +00:00
Victor Hsieh
1020cada2d Remove shell from neverallow of frp_block_device access 
Since shell doesn't have any frp_block_device rule anyway.

Bug: None
Test: m

Change-Id: I5aeb54969359500f9473bc08cb1fd42e3470b428
 2023-08-16 11:17:31 -07:00
Alfred Piccioni
cbb3ddd15f Revert "Add rules for reading VM DTBO by vfio_handler" 
This reverts commit 70d70e6be4.

Reason for revert: See internal bug for clarification: http://b/291191362

Change-Id: If37670f7d71635314c618f7ac88802bfbc6fa007
 2023-08-14 13:04:00 +00:00
Seungjae Yoo
70d70e6be4 Add rules for reading VM DTBO by vfio_handler 
Bug: 291191362
Test: m

Change-Id: If93ca63324679aa1d65b3bb6bf792f8745184132
 2023-08-14 10:46:44 +09:00
Jooyung Han
c30e7cdce3 Merge "Revert "Allow vold_prepare_subdirs to use apex_service"" into main 2023-08-11 23:23:18 +00:00
Jooyung Han
701a0dab5c Revert "Allow vold_prepare_subdirs to use apex_service" 
Revert submission 2685449-apexdata-dirs

Reason for revert: b/295345486 performance regression.

Reverted changes: /q/submissionid:2685449-apexdata-dirs

Change-Id: Iceb277cd8a291fb008b45310cc03b5df2057f08c
 2023-08-11 15:34:44 +00:00
Jooyung Han
1158a1559e Merge "Allow vold_prepare_subdirs to use apex_service" into main 2023-08-09 06:37:02 +00:00
igorzas
7489e93613 Add RemoteAuthService 
Add SEPolicy for the RemoteAuth Manager/Service
Add Fuzzer exception, remote_auth service is going to be in Java and
Rust only

Design doc: go/remote-auth-manager-fishfood-design

Test: loaded on device.
Bug: 290092977
Change-Id: I4decb29b863170aed5e7c85da9c4b50c0675d3bd
 2023-08-04 17:55:14 +00:00
Jakob Schneider
09916a69c9 Merge "Add SEPolicy for the ArchiveManager/Service." into main 2023-08-04 16:10:01 +00:00
Jakob Schneider
5c5a6af643 Add SEPolicy for the ArchiveManager/Service. 
Test: boots - CTS coming in a future change
Change-Id: Ia42bc21e1523c7b225b7c84c3a3f18dd3ed1a54f
 2023-08-04 14:13:03 +01:00
Kangping Dong
9d965761ca Merge "add sepolicy rules for OT daemon binder service" into main 2023-08-03 14:13:21 +00:00
Kangping Dong
0b3e8c62ee add sepolicy rules for OT daemon binder service 
Bug: 262681784
Change-Id: I3b4d3603709a761ad1410b81c0e5b4e4fc51c43c
 2023-08-03 13:31:53 +08:00
Kelvin Zhang
0e7babefee Merge "Give vold permission to wipe a block device" into main 2023-08-02 23:31:50 +00:00
Kelvin Zhang
2b413622ce Give vold permission to wipe a block device 
During mountFstab call, vold might need to wipe and re-format a device.
See code in system/vold/model/PublicVolume.cpp , PublicVolume::doFormat
Allow IOCTLs such as BLKDISCARDZEROES for wiping.

Test: th
Bug: 279808236
Change-Id: I0bebf850aa45ece6227fa5c3e9c3fdb38164f79e
 2023-08-02 14:27:08 -07:00
Inseob Kim
825056de9a Add permission for VFIO device binding 
vfio_handler will bind platform devices to VFIO driver, and then
return a file descriptor containing DTBO. This change adds
permissions needed for that.

Bug: 278008182
Test: adb shell /apex/com.android.virt/bin/vm run-microdroid \
      --devices /sys/bus/platform/devices/16d00000.eh --protected
Change-Id: Ie947adff00d138426d4703cbb8e7a8cd429c2272
 2023-08-02 15:06:51 +09:00
Jooyung Han
0ce8184bed Allow vold_prepare_subdirs to use apex_service 
to get the list of active APEXes.

Bug: 293949266
Bug: 293546778
Test: CtsPackageSettingHostTestCases
Change-Id: I86f58158b97463206fb76a0c31f29b78874f4c35
 2023-08-01 10:46:03 +00:00
Vadim Caen
d64cf75c48 Policy for virtual_camera 
Adds a policy to run the virtual_camera process which:
 - registers a service implementing the camera HAL
 - registers a service to reveive communicate with virtual cameras via
   system_server

Bug: 253991421
Test: CTS test
android.virtualdevice.cts.VirtualDeviceManagerBasicTest#createDevice_createCamera

Change-Id: I772d176919b8dcd3b73946935ed439207c948f2b
 2023-07-25 19:27:48 +00:00
Zhanglong Xia
b2d1fbb7b2 Add sepolicy rules for Thread Network HAL 
Bug: b/283905423
Test: Build and run the Thread Network stack in Cuttlefish.
Change-Id: I783022c66b80274069f8f3c292d84918f41f8221
 2023-06-30 10:56:38 +08:00
Jay Civelli
a574060586 Add 2 new system properties for Quick Start 
Test: Manually validated that GmsCore can access the properties, but not a test app.
Change-Id: I2fa520dc31b328738f9a5fd1bcfc6632b61ad912
Bug: 280330984
(cherry picked from commit c97b3a244f)
 2023-06-23 10:43:11 +00:00
Steven Moreland
edd361bf2e Merge "Give serial number access to drm hal server not client" am: ca5f06cdb9 am: 659dd24ae5 am: c74231dfa3 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2616969

Change-Id: Id2cc5dbbafffb4633706e5cc728cb44abd417340
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-06-21 23:52:00 +00:00
Steven Moreland
ca5f06cdb9 Merge "Give serial number access to drm hal server not client" 2023-06-21 21:27:09 +00:00
Eric Biggers
9cb04c4dbc Merge "Allow vold to rename system_data_file directories" am: 8b703551d8 am: 0038d8f822 am: 122d3f0d20 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2619901

Change-Id: I372c6c155928c9772f8d9aa8ba9e82affb12d6cb
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-06-14 00:08:32 +00:00
Eric Biggers
8b703551d8 Merge "Allow vold to rename system_data_file directories" 2023-06-13 22:11:39 +00:00
Eric Biggers
95930cf6a7 Allow vold to rename system_data_file directories 
To fully close a race condition where processes can access per-user
directories before an encryption policy has been assigned, vold is going
to start creating these directories under temporary names and moving
them into place once fully prepared.  To make this possible, give vold
permission to rename directories with type system_data_file.

Bug: 156305599
Bug: 285239971
Change-Id: Iae2c8f7d2dc343e7d177e6fb2e893ecca1796f7f
 2023-06-13 16:22:03 +00:00
Jooyung Han
2b60a575e1 Merge "Allow vendor_overlay_file from vendor apex" am: ad08877b4d am: cef75edc33 am: a34197f152 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2618632

Change-Id: If0392eee00457c2e41d3f2c214405c8ca12f9f04
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-06-09 08:02:14 +00:00
Jooyung Han
7c4f8a87d3 Allow vendor_overlay_file from vendor apex 
Path to vendor overlays should be accessible to those processes with
access to vendor_overlay_file. This is okay when overlays are under
/vendor/overlay because vendor_file:dir is accessible from all domains.
However, when a vendor overlay file is served from a vendor apex, then
the mount point of the apex should be allowed explicitly for 'getattr'
and 'search'.

Bug: 285075529
Test: presubmit tests
Change-Id: I393abc76ab7169b65fdee5aefd6da5ed1c6b8586
 2023-06-09 13:43:11 +09:00
Thiébaud Weksteen
1fb3d3fa7f Merge "Grant signal permission for dumpstate on app_zygote" am: 4ba0198325 am: e5705ebae0 am: 3657ef0c2d 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2616609

Change-Id: Icf1e64e86a1003732068d3512b0442e219cf934d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-06-09 01:33:32 +00:00
Thiébaud Weksteen
4ba0198325 Merge "Grant signal permission for dumpstate on app_zygote" 2023-06-08 23:22:42 +00:00
Jooyung Han
aa33b4a079 Merge "Introduce vendor_apex_metadata_file" am: 94dc202954 am: 1f47660fb4 am: 3f9a296855 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2606717

Change-Id: I98af12c69db65fada6ee659a9066ba14996bd2fc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-06-08 01:58:18 +00:00
David Anderson
ae8817dc1e Allow ueventd to access device-mapper. 
ueventd needs access to device-mapper to fix a race condition in symlink
creation. When device-mapper uevents are received, we historically read
the uuid and name from sysfs. However it turns out sysfs may not be
fully populated at that time. It is more reliable to read this
information directly from device-mapper.

Bug: 286011429
Test: libdm_test, treehugger
(cherry picked from https://android-review.googlesource.com/q/commit:e09c0eee36d58894bb0d30b9af4e33ee7dd7011c)
Merged-In: I36b9b460a0fa76a37950d3672bd21b1c885a5069
Change-Id: I36b9b460a0fa76a37950d3672bd21b1c885a5069

Change-Id: I1197d0051a9ce96b7edd87347b5db266b1643d30
 2023-06-07 08:06:12 -07:00
Robert Shih
1bd70df43b Give serial number access to drm hal server not client 
Bug: 284812208
Change-Id: I489feba47f9eb0d9a4ea483cd55aa3a8bbfd389e
 2023-06-06 08:33:19 +00:00
Thiébaud Weksteen
ae39ba7068 Grant signal permission for dumpstate on app_zygote 
Bug: 282614147
Bug: 238263438
Bug: 238263561
Bug: 238263942
Bug: 264483390
Bug: 279680264
Test: TreeHugger
Change-Id: I8b74fec0ea855e244e218fdeb43a57407fe77388
 2023-06-06 10:29:57 +10:00
Jooyung Han
b6211b88cf Introduce vendor_apex_metadata_file 
A new label for ./apex_manifest.pb and ./ entries in vendor apexes. This
is read-allowed by a few system components which need to read "apex" in
general. For example, linkerconfig needs to read apex_manifest.pb from
all apexes including vendor apexes.

Previously, these entries were labelled as system_file even for vendor
apexes.

Bug: 285075529
Test: m && launch_cvd
Test: atest VendorApexHostTestsCases
Change-Id: Icc234bf604e3cafe6da81d21db744abfaa524dcf
 2023-06-05 17:17:51 +09:00
Brian Lindahl
ccc0033ce2 Move allow rule out of the neverallow section am: abbd8aeefd am: 94a092c7d0 am: 9933bee328 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2611889

Change-Id: I0808bb2bde69adbadfbf9d790736eba2bd86029e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-06-02 02:57:08 +00:00
Brian Lindahl
abbd8aeefd Move allow rule out of the neverallow section 
Resovles comment from aosp/2605806

Bug: 234833109
Test: build
Change-Id: I248613ed2d9a7f26d404df8552c2dfc74694754a
 2023-06-01 12:36:55 -06:00
Treehugger Robot
30c25de59d Merge changes from topic "artsrv-experiment-flag" 
* changes:
  Give art_boot explicit access to experiment flags.
  Allow the ART boot oneshot service to configure ART config properties.
 2023-06-01 18:21:50 +00:00
Brian Lindahl
da80fcc173 Allow media server configurable flags to be read from anywhere am: ffeb680417 am: 7975447205 am: 9d16f70010 am: 35ea33c233 am: 94e54d5eb0 am: 6e6229bb73 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2605806

Bug: 234833109
Test: manual test with 'adb shell device_config' commands
Ignore-AOSP-First: cherry pick from AOSP
Change-Id: I4d9de68549de6f1664711c5da1bed3dfc034a21b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
(cherry picked from commit 1d2f8fa03f)
 2023-05-26 23:49:29 +00:00
Steven Moreland
4f70ae5aa6 Merge "strengthen app_data_file neverallows" am: 46288c6b97 am: 5b0dad1c2a am: 1989332545 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2599511

Change-Id: I61e512562c3db401cdaaed373b97b2dc1580fe20
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-26 20:20:08 +00:00
Steven Moreland
46288c6b97 Merge "strengthen app_data_file neverallows" 2023-05-26 15:32:15 +00:00
Brian Lindahl
35ea33c233 Allow media server configurable flags to be read from anywhere am: ffeb680417 am: 7975447205 am: 9d16f70010 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2605806

Change-Id: I699cab1755fee0c02ff74a62245238d51328b61b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-26 09:01:44 +00:00
Brian Lindahl
ffeb680417 Allow media server configurable flags to be read from anywhere 
The majority of code for media encoding and decoding occurs within the
context of client app processes via linking with libstagefright. This
code needs access to server-configurable flags to configure
codec-related features.

Bug: 234833109
Test: manual test with 'adb shell device_config' commands
Change-Id: I95aa6772a40599636d109d6960c2898e44648c9b
 2023-05-25 20:48:00 -06:00
Treehugger Robot
d3fe5e76f3 Merge "Add sepolicy for ro.build.ab_update.ab_ota_partitions" am: cd69d35a5e am: b7185cb58e am: ed859c9fd8 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2597146

Change-Id: I55e7784d8efbea27201df09ddf08702ddcf810d1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-25 13:06:21 +00:00
Treehugger Robot
cd69d35a5e Merge "Add sepolicy for ro.build.ab_update.ab_ota_partitions" 2023-05-25 11:14:40 +00:00
Treehugger Robot
23e8e00690 Merge "Allow ueventd to read apexd property" am: d16bf50b26 am: 4774a44073 am: f3dfb131e3 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1933081

Change-Id: I5bb9c934dd8bb34f9f209a9153a50942c58351ef
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-25 03:49:14 +00:00
Treehugger Robot
d16bf50b26 Merge "Allow ueventd to read apexd property" 2023-05-25 01:40:11 +00:00
Kelvin Zhang
60456bd47e Add sepolicy for ro.build.ab_update.ab_ota_partitions 
Bug: 283042235
Test: th
Change-Id: Ie2296b75c91fbeb83cb0f3e61d5013b106fb78d0
 2023-05-24 18:26:12 -07:00
Steven Moreland
0bb95dd4fd Merge "strengthen proc_type neverallows" am: fd92d967ee am: 12523b02c3 am: 79190c4da7 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2599509

Change-Id: I210c48f15715cb5c4f808341d39beefc996e30c7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-24 20:14:29 +00:00
Steven Moreland
fd92d967ee Merge "strengthen proc_type neverallows" 2023-05-24 18:01:14 +00:00
Jin Jeong
d7558db004 Merge "Revert "Add setupwizard_esim_prop to access ro.setupwizard.esim_cid_ignore"" 2023-05-24 08:21:54 +00:00
Jin Jeong
ae80e8cffa Merge "Revert "Add setupwizard_esim_prop to access ro.setupwizard.esim_..."" into udc-dev am: 7b646790c5 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23201116

Change-Id: I272af89efc194c111a0cb0c3955e2e37ff82b763
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-24 01:42:43 +00:00
Jin Jeong
7b646790c5 Merge "Revert "Add setupwizard_esim_prop to access ro.setupwizard.esim_..."" into udc-dev 2023-05-24 01:07:12 +00:00
Suchang Woo
6b4c45393b Allow ueventd to read apexd property 
To run external firmware handler, ueventd should wait for apexd activation
by reading 'apexd.status' property.

Test: loading firmware from vendor apex using external firmware handler
Signed-off-by: Suchang Woo <suchang.woo@samsung.com>
Change-Id: Ic2057ab2d014540ce5eeb26bcac35d39294b5dc9
 2023-05-23 14:12:40 +09:00
Steven Moreland
f3722d5a71 strengthen app_data_file neverallows 
There are more types of apps now.

Bug: 281877578
Test: boot
Change-Id: I1918de8610070f6fac0e933d75c656e4ee0cfbdd
 2023-05-23 00:01:27 +00:00
Steven Moreland
8634a88595 strengthen proc_type neverallows 
These were unnecessarily lax. Some additional places
additionally exclude only the generic proc type, but
we don't care about those places.

Bug: 281877578
Test: boot
Change-Id: I9ebf410c12a41888ab1f5ecc21c95c34fc36c0d0
 2023-05-22 22:59:08 +00:00
Steven Moreland
c17369ecc7 Merge "strengthen system_file neverallows" am: 9a184232d7 am: 3bf96325d7 am: 679e6f2992 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2594974

Change-Id: I3417d75fce4e26efa69b7b2a56855b6ccfa15c1f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-19 22:44:35 +00:00
Steven Moreland
9a184232d7 Merge "strengthen system_file neverallows" 2023-05-19 21:37:26 +00:00
David Anderson
465859abb7 Merge "Allow ueventd to access device-mapper." am: 73d18c2bfe am: 5f2482d0dd am: d223637c8a 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2591728

Change-Id: I76ff312e6d37a2abaf5b5144a6d13fcfc9c9421a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-19 21:34:43 +00:00
David Anderson
73d18c2bfe Merge "Allow ueventd to access device-mapper." 2023-05-19 19:43:21 +00:00
Suren Baghdasaryan
8a6f45d363 allow modprobe to load modules from /system/lib/modules/ 
This is needed to load GKI leaf modules like zram.ko.

Bug: 279227085
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I8a8205e50aa00686f478aba5336299e03490bbb5
Merged-In: I8a8205e50aa00686f478aba5336299e03490bbb5
 2023-05-19 19:03:17 +00:00
Suren Baghdasaryan
ed668809d9 Merge "allow modprobe to load modules from /system/lib/modules/" am: f707e8271d am: 7d0a569d8a am: 9b2b2b1d77 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2597157

Change-Id: I24c780640c121fdadc1666bdb27228db32a69131
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-19 17:41:55 +00:00
Suren Baghdasaryan
9c23982a48 allow modprobe to load modules from /system/lib/modules/ 
This is needed to load GKI leaf modules like zram.ko.

Bug: 279227085
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I8a8205e50aa00686f478aba5336299e03490bbb5
 2023-05-18 22:33:26 +00:00
Steven Moreland
9c2a5cf0c9 strengthen system_file neverallows 
no writing to system_file_type is the intention
here, but they only restricted system_file.

this does not touch the untrusted_app lock
neverallow, because it's specific to a single
system_file, and r_file_perms includes 'lock'.

Bug: 281877578
Test: build (neverallow only change)

Change-Id: I6c6078bc27c49e5a88862eaa330638f442dba9ee
 2023-05-18 00:07:25 +00:00
David Anderson
e09c0eee36 Allow ueventd to access device-mapper. 
ueventd needs access to device-mapper to fix a race condition in symlink
creation. When device-mapper uevents are received, we historically read
the uuid and name from sysfs. However it turns out sysfs may not be
fully populated at that time. It is more reliable to read this
information directly from device-mapper.

Bug: 270183812
Test: libdm_test, treehugger
Change-Id: I36b9b460a0fa76a37950d3672bd21b1c885a5069
 2023-05-17 11:07:19 -07:00
Ken Chen
4c32727f4b Allow netd to perform SIGKILL on process dnsmasq am: 099da6da31 am: edd9a20393 am: 0f06a8205c 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2591265

Change-Id: I26cd316e59edbb9692942b18080f1a148797fe95
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-16 18:00:35 +00:00
Martin Stjernholm
e1ac267ddd Allow the ART boot oneshot service to configure ART config properties. 
Test: See commit 2691baf9d4f8086902d46b2e340a6e5464857b90 in art/
      (ag/23125728)
Bug: 281850017
Change-Id: I14baf55d07ad559294bd3b7d9562230e78201d25
(cherry picked from commit 3d7093fd7b)
Merged-In: I14baf55d07ad559294bd3b7d9562230e78201d25
 2023-05-16 16:13:42 +01:00
Ken Chen
099da6da31 Allow netd to perform SIGKILL on process dnsmasq 
In tetherStop(), netd will send SIGKILL to dnsmasq if SIGTERM is failed.
But there is no corresponding sepolicy in netd.te.

Bug: 256784822
Test: atest netd_integration_test:NetdBinderTest#TetherStartStopStatus
      with aosp/2591245 => fail

      atest netd_integration_test:NetdBinderTest#TetherStartStopStatus
      with aosp/2591245 + this commit => pass

Change-Id: I16a19a95c3c8ffb35dcc394b4dc329b20ecb26a3
 2023-05-16 16:36:24 +08:00
Jin Jeong
9bd3eedbef Revert "Add setupwizard_esim_prop to access ro.setupwizard.esim_cid_ignore" 
This reverts commit 489abecf67.

Reason for revert: b/279988311 we rename the vendor.modem property so we don't need to add the new rules

Change-Id: I19d1da02baf8cc4b5182a3410111a0e78831d7f8
Merged-In: I0c2bfe55987949ad52f62e468c84df954f39a4ad
 2023-05-15 10:43:05 +00:00
Martin Stjernholm
5557ec5583 Merge "Allow the ART boot oneshot service to configure ART config properties." into udc-dev am: 4f2b8ce361 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/23131204

Change-Id: Idb0edb8c39f038d7d21e8c1c41c486d0b34a5e99
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-12 10:54:04 +00:00
Jin Jeong
ec4fe33a6a Revert "Add setupwizard_esim_prop to access ro.setupwizard.esim_..." 
Revert submission 22899490-euicc_selinux_fix

Reason for revert: b/279988311 we rename the vendor.modem property so we don't need to add the new rules

Reverted changes: /q/submissionid:22899490-euicc_selinux_fix

Change-Id: I0c2bfe55987949ad52f62e468c84df954f39a4ad
 2023-05-12 04:17:35 +00:00
Martin Stjernholm
3d7093fd7b Allow the ART boot oneshot service to configure ART config properties. 
Test: See commit 2691baf9d4f8086902d46b2e340a6e5464857b90 in art/
      (ag/23125728)
Bug: 281850017
Ignore-AOSP-First: Will cherry-pick to AOSP later
Change-Id: I14baf55d07ad559294bd3b7d9562230e78201d25
 2023-05-11 13:38:57 +01:00
Peiyong Lin
82e2aa6c61 Merge "Allow graphics_config_writable_prop to be modified." into udc-dev 2023-05-05 16:24:26 +00:00
Peiyong Lin
d45f8ed733 Merge "Allow graphics_config_writable_prop to be modified." am: 10c06cea0d am: 1db27fde47 am: e8157979c1 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2574331

Change-Id: I4f3114d5d98dd252a14ae0b6a081f40a4b94e7f8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-04 18:57:52 +00:00
Jay Civelli
8212b528ce Merge "Add 2 new system properties for Quick Start" into udc-dev am: 5fd77a4e68 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/22872879

Change-Id: I4ed8cb09feae9b4f3b8990b82296332d2039d8da
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-04 17:08:35 +00:00
Peiyong Lin
10c06cea0d Merge "Allow graphics_config_writable_prop to be modified." 2023-05-04 17:06:26 +00:00
Jay Civelli
5fd77a4e68 Merge "Add 2 new system properties for Quick Start" into udc-dev 2023-05-04 16:35:59 +00:00
Peiyong Lin
194abd16cb Allow graphics_config_writable_prop to be modified. 
vendor_init needs to set graphics_config_writable_prop, moving it to
system_public_prop.

Ignore-AOSP-First: Cherry-pick
Bug: b/270994705
Test: atest CtsAngleIntegrationHostTestCases
Test: m && boot
Change-Id: I2f47c1048aad4565cb13d4289b9a018734d18c07
Merged-In: I2f47c1048aad4565cb13d4289b9a018734d18c07
 2023-05-04 16:04:44 +00:00
Peiyong Lin
54229d8157 Allow graphics_config_writable_prop to be modified. 
vendor_init needs to set graphics_config_writable_prop, moving it to
system_public_prop.

Bug: b/270994705
Test: atest CtsAngleIntegrationHostTestCases
Test: m && boot
Change-Id: I2f47c1048aad4565cb13d4289b9a018734d18c07
 2023-05-04 15:56:33 +00:00
Jay Civelli
c97b3a244f Add 2 new system properties for Quick Start 
Test: Manually validated that GmsCore can access the properties, but not a test app.
Ignore-AOSP-First: Change is targeted at Google devices.
Change-Id: I2fa520dc31b328738f9a5fd1bcfc6632b61ad912
Bug: 280330984
 2023-05-03 04:04:15 +00:00
Weilin Xu
812ccd1ce9 Merge "Make broadcastradio_service accessible from CTS" into udc-dev am: 07767709c9 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/22634562

Change-Id: I17d696b5214ae8d8ef8ec3a67b37d28661dd4446
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-02 10:38:49 +00:00
Jin Jeong
27d3cc7483 Merge "Add setupwizard_esim_prop to access ro.setupwizard.esim_cid_ignore" 2023-05-02 08:33:33 +00:00
Treehugger Robot
f39f800139 Merge "Allow snapuserd to write log files to /data/misc" am: 5ab4239bfb am: caced74f2c am: b0cc16407d 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2573077

Change-Id: Iae5fff7a7afdc217852ae2d0e984a5ab9a15677a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-02 07:55:04 +00:00
Weilin Xu
07767709c9 Merge "Make broadcastradio_service accessible from CTS" into udc-dev 2023-05-02 05:05:55 +00:00
Treehugger Robot
fc9f1eb745 Merge "Allow servicemanager to make binder calls to gnss" am: a5915bd166 am: 6d0a80055f am: 4cf33a491f 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2574713

Change-Id: Ia7a43346200637420dd316711f8d474d04574294
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-05-02 04:09:51 +00:00
Treehugger Robot
5ab4239bfb Merge "Allow snapuserd to write log files to /data/misc" 2023-05-02 02:52:58 +00:00
Jinyoung Jeong
489abecf67 Add setupwizard_esim_prop to access ro.setupwizard.esim_cid_ignore 
bug: 279548423
Test:  http://fusion2/b7c803be-2dca-4195-b91f-6c4939746b5b, http://fusion2/bb76429b-7d84-4e14-b127-8458abb3e2ed
Change-Id: I4b190fca2f3825a09d27cfc74e8a528831f4f15b
Merged-In: I4b190fca2f3825a09d27cfc74e8a528831f4f15b
 2023-05-02 01:24:23 +00:00
Kelvin Zhang
dbe230a193 Allow snapuserd to write log files to /data/misc 
snapuserd logs are important when OTA failures happen. To make debugging
easier, allow snapuserd to persist logs in /data/misc/snapuserd_logs ,
and capture these logs in bugreport.

Bug: 280127810
Change-Id: I49e30fd97ea143e7b9c799b0c746150217d5cbe0
 2023-05-01 17:15:17 -07:00
Roman Kiryanov
1f4b85c9f8 Allow servicemanager to make binder calls to gnss 
not device specific

Bug: 274041413
Test: boot emulator
Change-Id: I5a70562865f64a258feefd19042949365197b990
 2023-05-01 14:38:21 -07:00
Jinyoung Jeong
fa95e8c591 Add setupwizard_esim_prop to access ro.setupwizard.esim_cid_ignore 
bug: 279548423
Test:  http://fusion2/b7c803be-2dca-4195-b91f-6c4939746b5b, http://fusion2/bb76429b-7d84-4e14-b127-8458abb3e2ed
Ignore-AOSP-First: will merge in AOSP aosp/2571810
Change-Id: I4b190fca2f3825a09d27cfc74e8a528831f4f15b
 2023-04-28 16:25:26 +00:00
Weilin Xu
85b94c7c49 Make broadcastradio_service accessible from CTS 
When CTS test app tries to get broadcastradio_service from context, it
is considered as untrusted app by sepolicy since broadcastradio_service
is not app_api_service. Made it as app_api_service so that CTS for
broadcastradio can be ran on devices.

Bug: 262191898
Test: atest CtsBroadcastRadioTestCase
Ignore-AOSP-First: fix CTS issue
Change-Id: I0583f549eb5b781ff23f81b2073baa0390009f9e
 2023-04-27 23:40:33 +00:00
Jeff Vander Stoep
f9a774f1ae Disallow watch and watch_reads on apk_data_file for apps 
This can be used as a side channel to observe when an application
is launched.

Gate this restriction on the application's targetSdkVersion to
avoid breaking existing apps. Only apps targeting 34 and above will
see the new restriction.

Remove duplicate permissions from public/shell.te. Shell is
already appdomain, so these permissions are already granted to it.

Ignore-AOSP-First: Security fix
Bug: 231587164
Test: boot device, install/uninstall apps. Observe no new denials.
Test: Run researcher provided PoC. Observe audit messages.
Change-Id: Ic7577884e9d994618a38286a42a8047516548782
 2023-04-25 15:20:45 +02:00
Martin Stjernholm
87143bd904 Revert "Introduce a new sdk_sandbox domain" 
This reverts commit 304962477a.

Reason for revert: b/279565840

Change-Id: I6fc3a102994157ea3da751364f80730f4d0e87f0
 2023-04-25 12:40:37 +00:00
Mugdha Lakhani
304962477a Introduce a new sdk_sandbox domain 
Define the selinux domain to apply to SDK runtime for
targetSdkVersion=34.
The existing sdk_sandbox domain has been renamed to sdk_sandbox_next.
Future CLs will add logic to apply one of these to the SDK runtime
processes on the device, based on a flag.

auditallow block from sdk_sandbox has been removed as we haven't yet
measured the system health impact of adding this. It'll be added to an
audit domain later after we've ruled out negative system health impact.

Bug: 270148964
Test: make and boot the test device, load SDK using test app
Change-Id: I7438fb16c1c5e85e30683e421ce463f9e0b1470d
 2023-04-21 17:26:26 +00:00
Charles Chen
27a8f43fde Fix attribute plurals for isolated_compute_allowed 
Following the naming convention.

Bug: N/A
Test: m
Change-Id: Ie26d67423f9ee484ea91038143ba763ed8f97e2f
 2023-04-20 16:39:39 +00:00
Charles Chen
c8ab3593d0 Move isolated_compute_app to be public 
This will allow vendor customization of isolated_compute_app. New permissions added should be associated with isolated_compute_allowed.

Bug: 274535894
Test: m
Change-Id: I4239228b80544e6f5ca1dd68ae1f44c0176d1bce
 2023-04-20 05:39:29 +00:00
Yuxin Hu
b011ba5ffb Merge "Add a new system property persist.graphics.egl" 2023-04-13 18:49:26 +00:00
Yuxin Hu
889dd078e9 Add a new system property persist.graphics.egl 
This new system property will be read and written
by a new developer option switch, through gpuservice.

Based on the value stored in persis.graphics.egl,
we will load different GLES driver.

e.g.
persist.graphics.egl == $ro.hardware.egl: load native GLES driver
persist.graphics.egl == angle: load angle as GLES driver

Bug: b/270994705
Test: m; flash and check Pixel 7 boots fine
Change-Id: Idec4b947d0c69c52cd798df4f834053bd306cf5f
 2023-04-13 04:38:46 +00:00
Yu Shan
9eb72464b5 Define sepolicy for ivn HAL. 
Test: manually verify ivn HAL on gcar_emu.
Bug: 274139217
Change-Id: Ie12dccb723078d83b561c152cc4458e52c0f8090
 2023-04-10 17:42:51 -07:00
Treehugger Robot
f784149627 Merge "Use kernel sys/fs/fuse/features/fuse_bpf flag to enable fuse_bpf" 2023-03-31 22:29:31 +00:00
Jiakai Zhang
326d35c04b Merge "Allow system server to set dynamic ART properties." 2023-03-31 14:02:56 +00:00
Jiakai Zhang
22fb5c7d24 Allow system server to set dynamic ART properties. 
This change gives a new type (dalvik_dynamic_config_prop) to some ART
properties such as dalvik.vm.dex2oat-cpu-set and adds a new rule to
allow system server to set them.

Bug: 274530433
Test: Locally added some code to set those properties and saw it being
  successfull.
Change-Id: Ie28602e9039b7647656594ce5c184d29778fa089
 2023-03-31 11:46:05 +01:00
Steven Moreland
ccbe862858 Merge "Introduce vm_manager_device_type for crosvm" 2023-03-30 15:57:43 +00:00
Elliot Berman
ae5869abf4 Introduce vm_manager_device_type for crosvm 
Introduce hypervisor-generic type for VM managers:
vm_manager_device_type.

Bug: 274758531
Change-Id: I0937e2c717ff973eeb61543bd05a7dcc2e5dc19c
Suggested-by: Steven Moreland <smoreland@google.com>
Signed-off-by: Elliot Berman <quic_eberman@quicinc.com>
 2023-03-29 10:19:06 -07:00
Treehugger Robot
1ab1f7cd01 Merge "Add sepolicy rules for CpuMonitorService." 2023-03-28 21:02:14 +00:00
Steven Moreland
f7fa8ead83 Merge "remove iorapd from sepolicy" 2023-03-28 19:32:32 +00:00
Steven Moreland
c0ce089045 remove iorapd from sepolicy 
It's already marked as removed in:
   ./private/compat/33.0/33.0.cil

Bug: N/A
Test: builds
Change-Id: I1b31f83fb5b210be047edb2896c7b66b58353784
 2023-03-27 20:55:55 +00:00
Lakshman Annadorai
124be07e24 Add sepolicy rules for CpuMonitorService. 
Change-Id: Icda952c148150e4d7824e303d163996679a0f36b
Test: m
Bug: 242722241
 2023-03-27 16:29:09 +00:00
Hector Dearman
c9ff8d010b Merge "Allow traced_probes to subscribe to statsd atoms" 2023-03-27 16:04:42 +00:00
Alan Stokes
a45646c024 Allow CompOS to read VM config properties 
We want to allow both the VM and ART to contribute to the VM config
(e.g. memory size), so define labels for 2 sets of properties and
grant the necessary access.

Bug: 274102209
Test: builds
Change-Id: Iaca1e0704301c9155f44e1859fc5a36198917568
 2023-03-23 15:40:14 +00:00
Hector Dearman
7ca04a7e7f Allow traced_probes to subscribe to statsd atoms 
Denials:
SELinux : avc:  denied  { find } for pid=1279 uid=9999 name=stats scontext=u:r:traced_probes:s0 tcontext=u:object_r:stats_service:s0 tclass=service_manager permissive=0
traced_probes: type=1400 audit(0.0:11): avc: denied { call } for scontext=u:r:traced_probes:s0 tcontext=u:r:statsd:s0 tclass=binder permissive=1
traced_probes: type=1400 audit(0.0:12): avc: denied { transfer } for scontext=u:r:traced_probes:s0 tcontext=u:r:statsd:s0 tclass=binder permissive=1
binder:1076_7: type=1400 audit(0.0:13): avc: denied { call } for scontext=u:r:statsd:s0 tcontext=u:r:traced_probes:s0 tclass=binder permissive=1

See go/ww-atom-subscriber-api

Testing steps:
Patch ag/21985690
Run:
$ adb push test/configs/statsd.cfg /data/misc/perfetto-configs/statsd.cfg
$ adb shell perfetto --txt -c /data/misc/perfetto-configs/statsd.cfg -o /data/misc/perfetto-traces/statsd.pb
$ adb pull /data/misc/perfetto-traces/statsd.pb statsd.pb
$ out/linux_clang_debug/traceconv text statsd.pb
Check logcat for denials.

Test: See above
Bug: 268661096

Change-Id: I58045b55ca8a4aa6f00774cc2d72d7b10a232922
 2023-03-22 19:53:34 +00:00
Devin Moore
9a3f429b00 Merge "Allow dumpstate to dump /proc/bootconfig" 2023-03-22 16:11:44 +00:00
Devin Moore
19bc295bb1 Allow dumpstate to dump /proc/bootconfig 
Test: adb shell dumpstate
Bug: 274528501
Change-Id: I0a4663a742e82d571811cb3fa9c15b8baaeeb847
 2023-03-21 16:27:13 +00:00
Devin Moore
ce04629db7 Merge changes I4128f428,I8c796dfe 
* changes:
  Add permissions for dumpstate to dump more hals
  Give dumpstate permissions to dump the sensor HAL
 2023-03-21 16:05:54 +00:00
Devin Moore
7c0e17f987 Add permissions for dumpstate to dump more hals 
Dumpstate already has permissions to get these services to dump their
stack and they are listed in dump_utils.cpp.

Test: adb shell bugreport && check bugreport
Bug: 273937310
Change-Id: I4128f4285da2693242aa02fec1bb2928e34cfcbf
 2023-03-16 21:19:37 +00:00
Devin Moore
fdaed41d46 Give dumpstate permissions to dump the sensor HAL 
Test: adb shell dumpstate && check the bugreport
Bug: 273937310
Change-Id: I8c796dfe5fc1377a9eb14d62eee74f983b6442fc
 2023-03-16 20:51:59 +00:00
Tri Vo
4bb2d30701 Remove RemoteProvisioner and remoteprovisioning services 
Bug: 273325840
Test: keystore2_test
Change-Id: I295ccdda5a3d87b568098fdf97b0ca5923e378bf
 2023-03-14 15:45:35 -07:00
Ye Jiao
10a639613a Fix SE policy violation of Wi-Fi vendor AIDL service 
Wi-Fi vendor AIDL service uses NDK to register itself to service
manager. AServiceManager_registerLazyService registers an
IClientCallback to service manager. The callback is invoked when there
is a transition between having >= 1 clients and having 0 clients (or
vice versa). Please check IClientCallback.aidl. As a result servicemanager may
make binder call to Wi-Fi vendor AIDL service. Since this is not allowed
per current SE policies, "avc denied" occurred:

servicemanager: type=1400 audit(0.0:248): avc: denied { call } for scontext=u:r:servicemanager:s0 tcontext=u:r:hal_wifi_default:s0 tclass=binder permissive=0

We add SE policy for hal_wifi_default to allow binder call like this.

Bug: 270511173
Test: manually build and test, check logs for avc denied

Change-Id: Ia6fcf5fc1cafff0381fc9857805bdc61cc838c1e
 2023-03-03 02:10:50 +00:00
Paul Lawrence
6b5da95419 Use kernel sys/fs/fuse/features/fuse_bpf flag to enable fuse_bpf 
Bug: 262887267
Test: ro.fuse.bpf.is_running is true
Change-Id: I9c4a54e9ac232e9f35a6be5b3bcc3cc040d64b47
 2023-03-01 14:45:57 -08:00
Neil Fuller
05f8ebe1db Allow timedetector_service access 4 ephemeral apps 
Allow timedetector_service access for ephemeral apps.

The service call behind currentNetworkTimeClock() moved from
AlarmManager to TimeDetector.

Before this change, alarm_service is accessible by ephemeral apps but
timedetector_service is not. After this change, timedetector_service is
accessible by ephemeral apps, unbreaking the call.

The breakage was not previously noticed because the test involved does
not run in the ephemeral case because of restrictions around what test
infra can do in the ephemeral case. A recent test refactor tests the
method in a different way, revealing the issue.

Bug: 270788539
Test: run cts -m CtsOsTestCases -t android.os.cts.SystemClockNetworkTimeTest#testCurrentNetworkTimeClock
Change-Id: Iafdfb9f13d473bcc65c4e60733e57f1d25c511ab
 2023-02-28 10:11:28 +00:00
Alice Wang
5e94b1698c [dice] Remove all the sepolicy relating the hal service dice 
As the service is not used anywhere for now and in the near future.

Bug: 268322533
Test: m
Change-Id: I0350f5e7e0d025de8069a9116662fee5ce1d5150
 2023-02-24 08:34:26 +00:00
Nathan Huckleberry
ffb9f8855a Allow vold to use FS_IOC_GET_ENCRYPTION_KEY_STATUS 
This ioctl can be used to avoid a race condition between key
reinstallation and busy files clean up.

Test: Trigger busy file clean-up and ensure that the ioctl succeeds
Bug: 140762419

Change-Id: I153c2e7b2d5eb39e0f217c9ef8b9dceba2a5a487
 2023-02-23 00:49:42 +00:00
Atneya Nair
b2ad5b058b Merge "Allow STHAL to read model params from system" 2023-02-22 18:11:28 +00:00
Treehugger Robot
863cedfae6 Merge "Allow dumpstate to read /data/system/shutdown-checkpoints/" 2023-02-22 10:21:25 +00:00
Atneya Nair
f3096dc93d Allow STHAL to read model params from system 
Test: Compiles
Bug: 269544793
Change-Id: I3ea576c6ef092b27f602b047497e5c01fe36e057
 2023-02-22 03:27:29 +00:00
Ioannis Ilkos
300f93bf5a Merge "Sysprop for the count of active OOME tracing sessions" 2023-02-17 17:50:59 +00:00
Alfred Piccioni
dd4c5fa93b Merge "Adds support for fuseblk binaries." 2023-02-17 15:15:31 +00:00
Woody Lin
35541e183f Allow dumpstate to read /data/system/shutdown-checkpoints/ 
Bug: 260366497
Bug: 264600011
Test: Take bugreport and check dmesg for avc error
Test: Reboot and check shutdown-checkpoints
Change-Id: Ifcc7de30ee64e18f78af147cd3da39d7c6dc6f5f
 2023-02-16 14:23:33 +08:00
Treehugger Robot
8faa679c9a Merge "Allow to format zoned device w/o dm-default-key" 2023-02-16 00:58:24 +00:00
Feiyu Chen
b4b757cd83 Merge "Add SELinux policy for edgetpu_native device_config prop" 2023-02-15 02:32:22 +00:00
Ioannis Ilkos
8d168e2d8a Sysprop for the count of active OOME tracing sessions 
In order for ART code to call perfetto DataSource::Trace() we need to
wait for all data source instances to have completed their setup. To do
so, we need to know how many of them exist.

This introduces a new sysprop traced.oome_heap_session.count, writeable
by perfetto traced and readable by apps and system_server that can be
used to communicate this.

See go/art-oom-heap-dump for more details

Test: manual, atest HeapprofdJavaCtsTest
Bug: 269246893
Change-Id: Ib8220879a40854f98bc2f550ff2e7ebf3e077756
 2023-02-14 15:14:39 +00:00
Pedro Loureiro
43b0b8a65c Merge "Add SEPolicy for device config service" 2023-02-14 11:18:41 +00:00
Akilesh Kailash
a3c0ca4e67 Merge "Set sepolicy for ublk control device and block device" 2023-02-14 03:59:06 +00:00
Akilesh Kailash
63a21044f2 Set sepolicy for ublk control device and block device 
ublk-control device: /dev/ublk-control
ublk-block device: /dev/block/ublkbN where N is 0,1,2..

Bug: 269144965
Test: Verify sepolicy changes through kernel logs when user-space daemon
communicates with ublk driver

Change-Id: I10de557566e3c0628ea72fbbda4cff21e7cda68f
Signed-off-by: Akilesh Kailash <akailash@google.com>
 2023-02-13 16:30:40 -08:00
Jeffrey Huang
01fd5eb907 Merge "Restrict system server from reading statsd data" 2023-02-13 22:37:09 +00:00
feiyuchen
70e1942fb3 Add SELinux policy for edgetpu_native device_config prop 
The new android property namespace will store the configurations which are set on the server side and read by the EdgeTpu HAL.

Notes:
* This CL is similar to nnapi_native CL: https://android-review.git.corp.google.com/c/platform/system/sepolicy/+/1844919
* The read permission of EdgeTpu HAL will be added in another internal CL.

Test: mm
Bug: 243553703
Bug: 246401730
Change-Id: I5705f679148b313d919f334c51e31f7645aca82a
 2023-02-13 21:55:57 +00:00
Jaegeuk Kim
38c89acec4 Allow to format zoned device w/o dm-default-key 
Bug: 197782466
Change-Id: Id8afd1afef61303087ca54f4d4bb109efa98e381
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
 2023-02-13 10:37:11 -08:00
Pedro Loureiro
58847ab171 Add SEPolicy for device config service 
A new mainline module that will have the device config logic requires a new service (device_config_updatable).

Bug: 252703257

Test: manual because logic that launches service is behind flag

Change-Id: I4ffba0c7d2afc44af8438b7d84d836e42388bd7d
 2023-02-13 09:37:12 +00:00
Jeff Pu
22adabc37e Merge "Allow servicemanager to make binder call to hal_fingerprint" 2023-02-10 13:35:32 +00:00
Thiébaud Weksteen
f0e86adfc3 Merge "Ignore fusefs_type access for su" 2023-02-09 22:46:54 +00:00
Jeff Pu
0e6dce0ae9 Allow servicemanager to make binder call to hal_fingerprint 
Bug: 263519851
Test: boot Cuttlefish with lazy virtual fingerprint HAL
Change-Id: I8cef9d1c55065561786718aad589cf4dd327ff66
 2023-02-09 22:02:29 +00:00
Thiébaud Weksteen
3714d72a64 Ignore fusefs_type access for su 
Similarly to fs_type, fusefs_type accesses are ignored. It may be
triggered by tradefed when listing mounted points.

Bug: 177481425
Bug: 240632971
Bug: 239090033
Bug: 238971088
Bug: 238932200
Bug: 239085619
Test: presubmit boot tests
Change-Id: Ic96140d6bf2673d0de6c934581b3766f911780b6
 2023-02-09 12:45:14 +11:00
Brian Julian
f388934ffe Merge "Backports sepolicy for AltitudeService to T." 2023-02-08 18:28:25 +00:00
Ryan Savitski
b9a365a35f Merge "sepolicy: rework perfetto producer/profiler rules for "user" builds" 2023-02-08 17:23:44 +00:00
Brian Julian
32b0a39d27 Backports sepolicy for AltitudeService to T. 
Test: VtsHalAltitudeServiceTargetTest
Bug: 265013616
Change-Id: I8eb6af8b9350e0d021ef781eb9f3776b4adf3b7f
Merged-In: I8eb6af8b9350e0d021ef781eb9f3776b4adf3b7f
 2023-02-07 19:38:17 +00:00