Commit graph

45487 commits

Author SHA1 Message Date
Treehugger Robot
91b6feed24 Merge "crash_dump: read bootstrap libs" into main am: 116f36fdf8
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2860733

Change-Id: Ie88318906d183fc271b321b3f8a550739aa4bf1e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-12-06 07:45:44 +00:00
Treehugger Robot
116f36fdf8 Merge "crash_dump: read bootstrap libs" into main 2023-12-06 06:20:14 +00:00
Steven Moreland
91497cc9db crash_dump: read bootstrap libs
Required for nicer stacks for crashes
and ANRs, etc.

Bug: N/A
Test: adb shell am hang, check servicemanager
  section no longer displays warnings now that
  it is dumped by watchdog
Change-Id: I49a93c1fec9c3219c11dc1a82440c7c2a1944010
2023-12-06 01:43:46 +00:00
Marie Matheson
c3c9ebe781 Merge "Allow isolated to read staged apks" into main am: bce6591af7
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2854133

Change-Id: Ia140bce50b51b9218b6ba7dd2dac669cdc7b76f3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-12-05 19:38:40 +00:00
Marie Matheson
bce6591af7 Merge "Allow isolated to read staged apks" into main 2023-12-05 17:57:17 +00:00
Marie Matheson
cf2694bf86 Allow isolated to read staged apks
type=1400 audit(0.0:835): avc: denied { read }
for path="/data/app/vmdl1923101285.tmp/base.apk"
dev="dm-37" ino=29684
scontext=u:r:isolated_app:s0:c512,c768
tcontext=u:object_r:apk_tmp_file:s0 tclass=file
permissive=0

Bug: 308775782
Test: Flashed to device with and without this change, confirmed that this
change allows an isolated process to read already opened staged apk file

Change-Id: I7226bae79344c3b2a5a0f59940dde6d64a8a7ea1
2023-12-05 15:17:19 +00:00
David Drysdale
8d1876b4f6 Allow for ISecretkeeper/default
Test: VtsAidlAuthGraphSessionTest
Bug: 306364873
Change-Id: I788d6cd67c2b6dfa7b5f14bc66444d18e3fd35d3
2023-12-05 14:33:47 +00:00
Jan Sebechlebsky
0959befc45 Allow virtual camera service to find permission_service
Bug: 301023410
Test: atest CtsVirtualDevicesCameraTestCases
Change-Id: I517fa4cdf6c3143eaf8ab9858e13159a7c5a818a
2023-12-05 14:20:39 +01:00
Jooyung Han
157848354e Introduce vendor_apex_metadata_file
A new label for ./apex_manifest.pb and ./ entries in vendor apexes. This
is read-allowed by a few system components which need to read "apex" in
general. For example, linkerconfig needs to read apex_manifest.pb from
all apexes including vendor apexes.

Previously, these entries were labelled as system_file even for vendor
apexes.

Bug: 285075529
Bug: 308058980
Test: m && launch_cvd
Test: atest VendorApexHostTestsCases
Change-Id: Icc234bf604e3cafe6da81d21db744abfaa524dcf
Merged-In: Icc234bf604e3cafe6da81d21db744abfaa524dcf
2023-12-05 15:42:14 +11:00
Alexei Nicoara
c2af2e2ec4 Making sys.boot.reason.last restricted
sys.boot.reason.last needs to be readable by SysUI to correctly display the reason why authentication is required to unlock the phone.

Bug: 299327097
Bug: 308058980
Test: presubmit
Change-Id: I9f83ade92858056609bc665ecb6ce9b93eb051e4
Merged-In: I9f83ade92858056609bc665ecb6ce9b93eb051e4
2023-12-05 14:56:03 +11:00
Steven Moreland
5830ddb1d9 allow watchdog to dump servicemanager
Cmd line: /system/bin/servicemanager
ABI: 'x86_64'

"servicemanager" sysTid=202
  NOTE: Function names and BuildId information is missing for some frames due
  NOTE: to unreadable libraries. For unwinds of apps, only shared libraries
  NOTE: found under the lib/ directory are readable.
  NOTE: On this device, run setenforce 0 to make the libraries readable.
  NOTE: Unreadable libraries:
  NOTE:   /system/lib64/bootstrap/libc.so
    #00 pc 00000000000babda  /system/lib64/bootstrap/libc.so
    #01 pc 0000000000017819  /system/lib64/libutils.so (android::Looper::pollAll(int, int*, int*, void**)+441) (BuildId: 2ed0ced7383d1676a37aed1236486ac3)
    #02 pc 0000000000011a25  /system/bin/servicemanager (main+1157) (BuildId: 509b83cb97addfa90aaa4ad911c2a3df)
    #03 pc 00000000000547a9  /system/lib64/bootstrap/libc.so

Bug: 314088872
Test: adb shell am hang and check ANRs
Change-Id: I7daf19a3afbd18aa93093fb152f9555022ece88f
2023-12-04 23:24:41 +00:00
Thiébaud Weksteen
57b93a9733 Merge "Fix dumpstate denials related to ot_daemon" into main am: cba619bf60
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2854492

Change-Id: I232a38e79d8311dcbf8b0e0fac48f02d22fb8d5b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-12-03 23:54:34 +00:00
Thiébaud Weksteen
cba619bf60 Merge "Fix dumpstate denials related to ot_daemon" into main 2023-12-03 23:09:01 +00:00
Daniel Norman
4ea95b1730 Merge "Allow system_server access to hidraw devices." into main am: 27bb0c60f6
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2855126

Change-Id: I6afaec68f2dc3f3436c6894d36e30ebcce874642
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-12-01 18:45:33 +00:00
Ted Wang
2ca6c9a46a Merge "Add bluetooth finder hal" into main am: fb82802fc0
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2836616

Change-Id: Ia3824b12b13d2f53c8770076a41c4c0da59fdf3b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-12-01 18:16:59 +00:00
Daniel Norman
27bb0c60f6 Merge "Allow system_server access to hidraw devices." into main 2023-12-01 18:12:02 +00:00
Ted Wang
fb82802fc0 Merge "Add bluetooth finder hal" into main 2023-12-01 17:41:04 +00:00
Andrea Zilio
d7d0bc5b7f Merge "Add pm.archiving.enabled system property" into main am: 1a3e09bdf1
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2852511

Change-Id: Icebf658d13eb7a1e20fae9932fbffe5ffd82e2a1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-12-01 11:38:39 +00:00
Jeff Pu
0a522a3d8f [automerger skipped] Add biometric face virtual hal service am: e0755e0d68 -s ours am: 374f35be24 -s ours
am skip reason: Merged-In I1f61b687be4abe53c62c21769fb57dc9cf9daf45 with SHA-1 fb5d221b27 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2854489

Change-Id: I94e3698227d268eec1f8f0a36b6d71dfc3f3b23f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-12-01 11:38:04 +00:00
Andrea Zilio
1a3e09bdf1 Merge "Add pm.archiving.enabled system property" into main 2023-12-01 10:52:21 +00:00
Jeff Pu
374f35be24 [automerger skipped] Add biometric face virtual hal service am: e0755e0d68 -s ours
am skip reason: Merged-In I1f61b687be4abe53c62c21769fb57dc9cf9daf45 with SHA-1 fb5d221b27 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2854489

Change-Id: Ic29a37f6fd5248c578d334f83322ee9b3ef8133c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-12-01 10:27:29 +00:00
Kangping Dong
e1ee768a97 Fix dumpstate denials related to ot_daemon
Bug: 313794601
Test: atest android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: I5dfa427e3c7ad99ec21392d2f219f14b66dd6256
2023-12-01 13:02:38 +08:00
Jeff Pu
e0755e0d68 Add biometric face virtual hal service
Bug: 228638448
Bug: 313817413
Test: Manually following face virtual hal provisioning procedure
Change-Id: I1f61b687be4abe53c62c21769fb57dc9cf9daf45
Merged-In: I1f61b687be4abe53c62c21769fb57dc9cf9daf45
2023-12-01 03:16:38 +00:00
Daniel Norman
4245d0413b Allow system_server access to hidraw devices.
This allows AccessibilityManagerService in system_server to
interact with a HID-supported Braille Display.

Bug: 303522222
Test: ls -z /dev/hidraw0
Test: plat_file_contexts_test
Test: Open FileInputStream and FileOutputStream on this device
      path from AccessibilityManagerService
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:67a63cc046769759aa43cf1653f11e57c55cd1db)
Merged-In: I2982e907bd2a70c1e4e8161647d6efd65110b99c
Change-Id: I2982e907bd2a70c1e4e8161647d6efd65110b99c
2023-11-30 23:33:55 +00:00
Treehugger Robot
419203bea5 Merge "Fix dumpstate denials related to virtual_camera" into main am: d3fe043eb8
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2852613

Change-Id: Ifd5829ddd964479ed7b53320a2470bc8e993138b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-30 22:43:12 +00:00
Treehugger Robot
99cf9a3df5 Merge "Allow hal_codec2_server to read fifo_file" into main am: f6a4cb8115
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2847905

Change-Id: Ia220902299ab47e6f80025527143605fe283c146
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-30 22:42:39 +00:00
Treehugger Robot
d3fe043eb8 Merge "Fix dumpstate denials related to virtual_camera" into main 2023-11-30 22:34:24 +00:00
Treehugger Robot
f6a4cb8115 Merge "Allow hal_codec2_server to read fifo_file" into main 2023-11-30 21:43:42 +00:00
Andrea Zilio
32ab868eac Add pm.archiving.enabled system property
Test: Builds and starts up fine on acloud
Bug: 314160630
Change-Id: I1d90876979bcdb9416bb711f59678a0e640a3e89
2023-11-30 21:14:21 +00:00
Jan Sebechlebsky
de644175a9 Fix dumpstate denials related to virtual_camera
Bug: 313794601
Test: atest android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: Ie5b7c89388190fa927f8c762b2e65557f9d9870b
2023-11-30 10:57:16 +01:00
Sungtak Lee
46c6c0e28e Allow hal_codec2_server to read fifo_file
Test: m
Bug: 254050314
Change-Id: I5b2fc4fade7d9ff05af88044c0c779ac20478851
2023-11-29 22:32:24 +00:00
Alex Xu
2664a80285 Merge "Update sepolicy for security_state service to include public API." into main am: 11f4cc754d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2851545

Change-Id: Id6d8d09b4c9bda0c8d4c1e6538fbb493eff4c5f4
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-29 19:23:56 +00:00
Alex Xu
11f4cc754d Merge "Update sepolicy for security_state service to include public API." into main 2023-11-29 18:31:40 +00:00
Yu-Ting Tseng
de8e7682c0 [automerger skipped] Revert "Revert "SELinux policy changes for uprobe."" am: 086e1f0eaa -s ours am: 09b3def95b -s ours
am skip reason: Merged-In I5b9a102879a65917d496ba2194187ddd2b4545d1 with SHA-1 3e8e8eac08 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2827250

Change-Id: I4cc0c6b114e3b6fc28d1e91a9d12f7341490867b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-29 07:20:27 +00:00
Thiébaud Weksteen
efa4cf8469 Prebuilt updates am: 448968a6d1 am: 084b293596
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2848878

Change-Id: If8cc1dbc910cb2fec2d4996c1a2f8fef602472cc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-29 06:56:58 +00:00
Yu-Ting Tseng
09b3def95b [automerger skipped] Revert "Revert "SELinux policy changes for uprobe."" am: 086e1f0eaa -s ours
am skip reason: Merged-In I5b9a102879a65917d496ba2194187ddd2b4545d1 with SHA-1 3e8e8eac08 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2827250

Change-Id: Ia6fdfbf2e483abdf129f441cd69c330200c96b82
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-29 06:25:54 +00:00
Thiébaud Weksteen
084b293596 Prebuilt updates am: 448968a6d1
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2848878

Change-Id: I991e63e36e9e680edfd21e4a20293ae779caffcb
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-29 06:25:40 +00:00
Yu-Ting Tseng
086e1f0eaa Revert "Revert "SELinux policy changes for uprobe.""
This reverts commit e2bd44d48d.

Reason for revert: 2nd attempt to add the policy change

Bug: 308058980
Test: m selinux_policy
Change-Id: I5b9a102879a65917d496ba2194187ddd2b4545d1
Merged-In: I5b9a102879a65917d496ba2194187ddd2b4545d1
2023-11-29 06:12:36 +00:00
Thiébaud Weksteen
448968a6d1 Prebuilt updates
Bug: 308058980
Test: m selinux_policy
Change-Id: I23b2265340002b4b9f8d15ad0a8e8324aa0f94e1
2023-11-29 06:01:56 +00:00
Alex Xu
c4fb354a37 Update sepolicy for security_state service to include public API.
security_state service manages security state (e.g. SPL) information across partitions, modules, etc.

Bug: 307819014
Test: Manual
Change-Id: I70c5d24b19cc457215d329b03ce2fd696c765905
2023-11-29 01:23:59 +00:00
Treehugger Robot
4d7c8deb40 Merge "Label wifi.interface." into main am: e22500d7b9
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2845878

Change-Id: Ic5b53487a40b2b1b82f91598da3c03355c6b9023
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-28 10:58:50 +00:00
Treehugger Robot
e22500d7b9 Merge "Label wifi.interface." into main 2023-11-28 10:20:23 +00:00
Seungjae Yoo
d60c51cbe4 vendor_microdroid_file shouldn't be overwrited am: ed25d9436d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2846873

Change-Id: I8617f2cad23e811d32502f5130321c1213fe4f73
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-28 04:48:33 +00:00
Seungjae Yoo
ed25d9436d vendor_microdroid_file shouldn't be overwrited
If a malicious process in the host overwrites the microdroid vendor image,
unexpected behavior could happen.

Bug: 285854379
Test: adb shell /apex/com.android.virt/bin/vm run-microdroid --vendor /vendor/etc/avf/microdroid/microdroid_vendor.img

Change-Id: I18ce5112b75b2793c85bb59c137715beb602a5f3
2023-11-28 11:20:18 +09:00
LuK1337
0372255af1 Label wifi.interface.
This lets us override AIDL WiFi HAL interfaces.

Bug: 313385486
Change-Id: I3bb0c274f5fb6f709d09b67deff2df7229e04369
2023-11-27 18:00:55 +00:00
Thiébaud Weksteen
dfd11d7740 Merge "Ignore access to /proc/pagetypeinfo for Settings" into main am: 8c225b0c73
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2845233

Change-Id: Id803459af1bd32bd32d5b4e83a98de2202e55e2f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-23 23:49:40 +00:00
Thiébaud Weksteen
8c225b0c73 Merge "Ignore access to /proc/pagetypeinfo for Settings" into main 2023-11-23 22:55:54 +00:00
Max Bires
268cffde84 Remove deprecated enable_rkpd property am: f019332f6d am: 6d82dbcdbb
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2843933

Change-Id: I84371a77842a2531ea317e74a607572dbe8e5f2e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-23 20:43:34 +00:00
Max Bires
6d82dbcdbb Remove deprecated enable_rkpd property am: f019332f6d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2843933

Change-Id: I5ffe70fa49fbb66326e5d46bc1959b65596b0073
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-23 20:11:50 +00:00
Thiébaud Weksteen
bdc7214f85 Ignore access to /proc/pagetypeinfo for Settings
avc:  denied  { read } for  comm="pool-3-thread-6" name="pagetypeinfo"
dev="proc" ino=4026531857 scontext=u:r:system_app:s0
tcontext=u:object_r:proc_pagetypeinfo:s0 tclass=file permissive=0

Bug: 312375728
Test: m selinux_policy
Change-Id: Ic2946e181d3a0af65a6ebe093ef7f257c75a1c22
2023-11-23 10:40:07 +11:00