Ramji Jiyani
86cfb85d49
Merge "system_dlkm: sepolicy: add system_dlkm_file_type" am: ba8615a186
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1978574
Change-Id: I8c70b7c37e2d5a84b78f4b8862890c4a0d101f1d
2022-02-11 18:52:59 +00:00
Daniel Norman
17327ac36a
Merge "Expose the APEX multi-install props to non-root getprop." am: ea98866236
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1965921
Change-Id: I43a503e66debdf898e7987c9b4ebc9c8709144bb
2022-02-11 18:52:06 +00:00
Ramji Jiyani
ba8615a186
Merge "system_dlkm: sepolicy: add system_dlkm_file_type"
2022-02-11 18:36:04 +00:00
Daniel Norman
ea98866236
Merge "Expose the APEX multi-install props to non-root getprop."
2022-02-11 18:25:27 +00:00
Keith Mok
64a1571f5d
Merge "Update SEPolicy apexd for API 32" am: 9984dcb28e
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1976997
Change-Id: I85bd1c4b700b95d17ff25b73779f5fa7f4d2f8bf
2022-02-11 05:21:22 +00:00
Keith Mok
9984dcb28e
Merge "Update SEPolicy apexd for API 32"
2022-02-11 05:03:20 +00:00
Ramji Jiyani
4a556890f9
system_dlkm: sepolicy: add system_dlkm_file_type
...
Add new attribute system_dlkm_file_type for
/system_dlkm partition files.
Bug: 218392646
Bug: 200082547
Test: TH
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
Change-Id: I193c3f1270f7a1b1259bc241def3fe51d77396f3
2022-02-11 04:19:33 +00:00
Treehugger Robot
6fa204250e
Merge "Add microdroid sepolicy test support" am: 47b3505fbf
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1978387
Change-Id: I70801b12abc3d614d503c584ff0451a20d87d285
2022-02-11 00:37:00 +00:00
Treehugger Robot
47b3505fbf
Merge "Add microdroid sepolicy test support"
2022-02-11 00:22:27 +00:00
Keith Mok
16c0a350c5
Update SEPolicy apexd for API 32
...
The bootchart problem needs the selinux policy fix.
But it is missing API 32
Bug: 218729155
Test: Build
Change-Id: Ia011f8bcd52403980c2a6751bb612dd5b770e130
2022-02-11 00:20:17 +00:00
Florian Mayer
3fc6370375
Merge "[MTE] Add property to specify default MTE mode for apps." am: 94782041d1
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1976994
Change-Id: I32140e8f8e8081a5f91fb09df241ffa8931f5ba6
2022-02-10 23:48:54 +00:00
Florian Mayer
94782041d1
Merge "[MTE] Add property to specify default MTE mode for apps."
2022-02-10 23:38:23 +00:00
Treehugger Robot
5c66bea55b
Merge "dmesgd: sepolicies" am: f07e7c31a4
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1968400
Change-Id: I0afd007ea41fc82aa0887368bc2e84c94bf358d8
2022-02-10 21:04:30 +00:00
Treehugger Robot
33f3804491
Merge changes from topic "revert-1979386-revert-1967140-EVS_sepolicy_updates_T-MBLQTXKQEY-UVTCTRHQWF" am: 48f59f9ec2
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1978173
Change-Id: I82c6ff9bf4bcc3a572013b5afefb0123daaef7a3
2022-02-10 21:03:47 +00:00
Treehugger Robot
f07e7c31a4
Merge "dmesgd: sepolicies"
2022-02-10 21:00:56 +00:00
Treehugger Robot
48f59f9ec2
Merge changes from topic "revert-1979386-revert-1967140-EVS_sepolicy_updates_T-MBLQTXKQEY-UVTCTRHQWF"
...
* changes:
Revert^2 "Updates sepolicy for EVS HAL"
Revert^2 "Adds a sepolicy for EVS manager service"
2022-02-10 20:50:42 +00:00
Kevin Jeon
b476cc1f23
Merge "Make Traceur seapp_context reflect platform status" am: 25dfbfec14
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1962019
Change-Id: I9a8a640707d12580a9144418e64d4868aa56d651
2022-02-10 19:24:58 +00:00
Kevin Jeon
25dfbfec14
Merge "Make Traceur seapp_context reflect platform status"
2022-02-10 19:09:45 +00:00
Kevin Jeon
9118e3a5ca
Make Traceur seapp_context reflect platform status
...
Because Traceur is being signed with the platform key in aosp/1961100,
the platform seinfo identifier is being added to Traceur so that SELinux
will correctly identify it as a platform app.
Bug: 209476712
Test: - Checked that Traceur can still take normal and long traces on
        AOSP userdebug and internal user/userdebug.
      - Checked that the Traceur app is now located in /system/app/
        instead of /system/priv-app/.
Change-Id: Ibe7881d48798e3b71bb40e566fa8243cbb630b04
Merged-In: Ibe7881d48798e3b71bb40e566fa8243cbb630b04
2022-02-10 17:51:28 +00:00
Alexander Potapenko
0a64d100b8
dmesgd: sepolicies
...
dmesgd is a daemon that collects kernel memory error reports.
When system_server notices that a kernel error occurred, it sets the
dmesgd.start system property to 1, which results in init starting
dmesgd.
Once that happens, dmesgd runs `dmesg` and parses its output to collect
the last error report. That report, together with the headers containing
device- and build-specific information is stored in Dropbox.
Empirically, dmesgd needs the following permissions:
- execute shell (for popen()) and toolbox (for dmesg),
  read system_log (for dmesg)
- read /proc/version (to generate headers)
- perform Binder calls to servicemanager and system_server,
  find dropbox_service (for dropbox)
- create files in /data/misc/dmesgd (to store persistent state)
Bug: 215095687
Test: run dmesgd on a user device with injected KFENCE bugs
Change-Id: Iff21a2ffd99fc31b89a58ac774299b5e922721ea
2022-02-10 17:42:52 +00:00
Changyeon Jo
eacb1095a8
Revert^2 "Updates sepolicy for EVS HAL"
...
418f41ad13
Bug: 216727303
Test: m -j selinux_policy on failed targets reported
in b/218802298
Change-Id: Iec8fd2a1e9073bf3dc679e308407572a8fcf44d9
2022-02-10 17:21:54 +00:00
Changyeon Jo
8c12609bce
Revert^2 "Adds a sepolicy for EVS manager service"
...
0137c98b90
Bug: 216727303
Test: m -j selinux_policy on failed targets reported
in b/218802298
Change-Id: I2ae2fc85a4055f2cb7d19ff70b120e7b7ff0957d
2022-02-10 17:21:14 +00:00
Treehugger Robot
1d087ac705
Merge "Support legacy apexdata labels" am: 605715d665
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1977066
Change-Id: Id2d5508fb56eae96da5d04fdcb907a410aeb102a
2022-02-10 11:55:44 +00:00
Mohammed Rashidy
aa0cb606c3
Merge changes from topic "revert-1967140-EVS_sepolicy_updates_T-MBLQTXKQEY" am: 7f1eaf1b45
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1979387
Change-Id: I7f5e8791adc7e30a2f7c2da3c0658c2c33b88e4f
2022-02-10 11:55:32 +00:00
Mohammed Rashidy
4d67e0d02b
Revert "Updates sepolicy for EVS HAL" am: 418f41ad13
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1979386
Change-Id: If3080898b802cf7551c01c9425499591b815da6b
2022-02-10 11:55:30 +00:00
Treehugger Robot
605715d665
Merge "Support legacy apexdata labels"
2022-02-10 11:44:11 +00:00
Mohammed Rashidy
7f1eaf1b45
Merge changes from topic "revert-1967140-EVS_sepolicy_updates_T-MBLQTXKQEY"
...
* changes:
Revert "Adds a sepolicy for EVS manager service"
Revert "Updates sepolicy for EVS HAL"
2022-02-10 11:38:40 +00:00
Mohammed Rashidy
0137c98b90
Revert "Adds a sepolicy for EVS manager service"
...
Revert submission 1967140-EVS_sepolicy_updates_T
Reason for revert: triggered revert due to breakage https://android-build.googleplex.com/builds/quarterdeck?branch=git_master&target=cf_x86_64_auto-userdebug&lkgb=8168894&lkbb=8168958&fkbb=8168947 , bug b/218802298
Reverted Changes:
I730d56ab1:Allows hal_evs_default to read directories
I2df8e10f5:Updates sepolicy for EVS HAL
Ie6cb3e269:Adds a sepolicy for EVS manager service
Change-Id: I207c261bcf2c8498d937ab02c499bf709a5f1b15
2022-02-10 10:07:44 +00:00
Mohammed Rashidy
418f41ad13
Revert "Updates sepolicy for EVS HAL"
...
Revert submission 1967140-EVS_sepolicy_updates_T
Reason for revert: triggered revert due to breakage https://android-build.googleplex.com/builds/quarterdeck?branch=git_master&target=cf_x86_64_auto-userdebug&lkgb=8168894&lkbb=8168958&fkbb=8168947 , bug b/218802298
Reverted Changes:
I730d56ab1:Allows hal_evs_default to read directories
I2df8e10f5:Updates sepolicy for EVS HAL
Ie6cb3e269:Adds a sepolicy for EVS manager service
Change-Id: I1cc37b0e56646db61bdb34cb209aefe7376c5a50
2022-02-10 10:07:44 +00:00
Sandro Montanari
d20a77319a
Merge "Allow apexd to write to /metadata/sepolicy" am: 306fca99db
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1965103
Change-Id: I1aecfb46a194d837c62ac3ad14f84f03f5920a9b
2022-02-10 10:01:30 +00:00
Sandro Montanari
306fca99db
Merge "Allow apexd to write to /metadata/sepolicy"
2022-02-10 09:41:34 +00:00
Treehugger Robot
177cf20196
Merge changes from topic "EVS_sepolicy_updates_T" am: 2cedd28cf9
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1967009
Change-Id: I6e25a9c2f0030539b1bbf5892c4fd51f931053b7
2022-02-10 08:12:58 +00:00
Treehugger Robot
2cedd28cf9
Merge changes from topic "EVS_sepolicy_updates_T"
...
* changes:
Updates sepolicy for EVS HAL
Adds a sepolicy for EVS manager service
2022-02-10 08:02:04 +00:00
Maciej Żenczykowski
960f03e7e6
Merge "bpfdomain: attribute for domain which can use BPF" am: 337e6b1e1c
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1978573
Change-Id: I4dfb42eedfec394488dea73910f11b23f08cfb92
2022-02-10 07:25:40 +00:00
Maciej Żenczykowski
337e6b1e1c
Merge "bpfdomain: attribute for domain which can use BPF"
2022-02-10 07:08:22 +00:00
Treehugger Robot
2379b4582c
Merge "Fix se_policy_conf file output stem" am: 099b15ea2e
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1978386
Change-Id: I7ad40cc5750a49f77ff015d979e140d357c1892d
2022-02-10 03:24:26 +00:00
Treehugger Robot
099b15ea2e
Merge "Fix se_policy_conf file output stem"
2022-02-10 03:08:30 +00:00
Changyeon Jo
a083d7a8d8
Updates sepolicy for EVS HAL
...
This CL updates hal_evs_default to be sufficient for the default EVS HAL
implementation and modifies other services' policies to be able to
communicate with EVS HAL implementations
Bug: 217271351
Test: m -j selinux_policy and Treehugger
Change-Id: I2df8e10f574d62f8b84e0ff0381656ab1b18b52f
2022-02-10 01:42:59 +00:00
Changyeon Jo
5c3bc58163
Adds a sepolicy for EVS manager service
...
Bug: 170401743
Bug: 216727303
Test: m -j selinux_policy and TreeHugger
Change-Id: Ie6cb3e269fc46a61b56ca93efd69fbc447da0e3d
2022-02-10 01:42:21 +00:00
Steven Moreland
6598175e06
bpfdomain: attribute for domain which can use BPF
...
Require all domains which can be used for BPF to be marked as
bpfdomain, and add a restriction for these domains to not
be able to use net_raw or net_admin. We want to make sure the
network stack has exclusive access to certain BPF attach
points.
Bug: 140330870
Bug: 162057235
Test: build (compile-time neverallows)
Change-Id: I29100e48a757fdcf600931d5eb42988101275325
2022-02-10 00:34:50 +00:00
Florian Mayer
360ddf5583
[MTE] Add property to specify default MTE mode for apps.
...
Bug: 216305376
Change-Id: I9374c8681510037279deaf3e5ae011e8f9111f17
2022-02-09 22:13:59 +00:00
Yabin Cui
4906441dc5
Merge "profcollectd: allow to call callbacks registered by system_server." am: c30b45e242
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1973763
Change-Id: Id7138581429d7a7a4d03e8df35cd6d5e6f669490
2022-02-09 18:21:42 +00:00
Yabin Cui
c30b45e242
Merge "profcollectd: allow to call callbacks registered by system_server."
2022-02-09 18:09:59 +00:00
Steven Moreland
4e83d24871
Merge "Allow BPF programs from vendor." am: 2536bf9dac
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1189663
Change-Id: I71bbd8460727eff793dd59d5c5b1d8dcc963fdde
2022-02-09 17:45:41 +00:00
Steven Moreland
2536bf9dac
Merge "Allow BPF programs from vendor."
2022-02-09 17:28:16 +00:00
sandrom
e9a5e7ca6c
Allow apexd to write to /metadata/sepolicy
...
Test: manual tests
Bug: 218672709
Change-Id: I91e173cc41bca0f8fd62d5a783e514f6bbb0e214
2022-02-09 15:11:06 +00:00
Inseob Kim
74caef3591
Add microdroid sepolicy test support
...
MicrodroidHostTestCases will pull the VM's sepolicy and check it against
system/sepolicy/microdroid's neverallow rules, using sepolicy-analyze
tool.
Bug: 218461215
Test: atest MicrodroidHostTestCases
Change-Id: I62a69053996b71d69dd2bf6b7eabc8b701095477
2022-02-09 23:35:44 +09:00
Inseob Kim
6c5fa54a8b
Fix se_policy_conf file output stem
...
OutputFileProducer interface has been returning "conf", not the
designated stem.
Test: try including se_policy_conf module as other module's srcs
Change-Id: I17de5e10ed9bd1d45dc9a8b1be11ea6f5290c179
2022-02-09 23:35:43 +09:00
Jayant Chowdhary
4c51fa993e
Merge "System wide sepolicy changes for aidl camera hals." am: b00bf9d282
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1975831
Change-Id: Ie9b95c5b231a014d0123271b5cfd63f20b9519db
2022-02-09 03:23:54 +00:00
Jayant Chowdhary
b00bf9d282
Merge "System wide sepolicy changes for aidl camera hals."
2022-02-09 03:08:37 +00:00