am skip reason: Merged-In I9c5873181c925c6b8ebb411328d30aa519053acf with SHA-1 4db0e27a50 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2827450
Change-Id: I8cda89bf2c39b3a670d0cd40824bc646212f6865
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Merged-In I9c5873181c925c6b8ebb411328d30aa519053acf with SHA-1 4db0e27a50 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2827450
Change-Id: Ie68f04ce481bdbd71e001b8df3d03e80fc7eb156
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Merged-In Ie947adff00d138426d4703cbb8e7a8cd429c2272 with SHA-1 901385f711 is already in history. Merged-In was found from reverted change.
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2829493
Change-Id: Iae2e8d5cf961bb045a7f636a866d6c893d4abc94
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Merged-In I9c5873181c925c6b8ebb411328d30aa519053acf with SHA-1 4db0e27a50 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2827450
Change-Id: I408f1d5bec2f00214fc0472e1862a3a435cd055f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Merged-In I9c5873181c925c6b8ebb411328d30aa519053acf with SHA-1 4db0e27a50 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2827450
Change-Id: I6886db030bb1e2d8aa0bb3222c11307c0ccdc01d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Merged-In Ie947adff00d138426d4703cbb8e7a8cd429c2272 with SHA-1 825056de9a is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2825716
Change-Id: I46a72a811af7123e87c5ff24cbb52c53b1b7828f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Merged-In Ie947adff00d138426d4703cbb8e7a8cd429c2272 with SHA-1 825056de9a is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2825716
Change-Id: I67fe9d38864e0f87211959b75d41a5f76a9ad031
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Looks like we missed this, and so non-rooted locked devices can't override the persistent sysprops. On Pixel 8 for example, we ship with 'persist.arm64.memtag.system_server=off' by default (from some droidfood carry-overs), and this can't be edited (https://googleprojectzero.blogspot.com/2023/11/first-handset-with-mte-on-market.html).
We should allow these advanced users to set all the MTE properties on the device that they own, and they can already control the non-persistent properties.
Change-Id: Ie495f6f9ad43146a0bfcd5bb291fca3760467370
Test: N/A
Bug: N/A
payload_accessible_device label can be used by microdroid vendor's
file_contexts to allow payloads to access their assigned devices.
Bug: 306313100
Test: put vendor_file_contexts, boot microdroid, see labels
Change-Id: I91aeb3169d14160a2d80587e3eb2e7fde240f804
This adds two macros which can be used in te files and contexts files.
* is_flag_enabled(flag_name, codes)
* is_flag_disabled(flag_name, codes)
Also, flag-guarding requires processing input files before any
validations. The property contexts test and seapp contexts test are
modified a little to handle that.
Bug: 306563735
Test: build with manual guarding
Change-Id: Ia1c6d00b7aab0da3901c19f16d553153aace018c
This will be used to guard sepolicy changes. Also this adds default
modules for se_policy_conf and contexts modules.
Bug: 306563735
Test: build
Change-Id: I9b3460aaca07d325e0f83a1e2bf0e57caa498101
Remove a duplicate entry with its comment as the sorting logic is not
applied since commit dfa4a48b.
Bug: 299839280
Test: m selinux_policy
Change-Id: I4fa556c2ff8f114b56bba7ab32fac1d17373ef8b
During OTA install, update_engine needs to read this file to determine
if overlayfs is enabled, as OTA requires overlayfs to be disabled.
The selinux denial looks like
audit(0.0:242): avc: denied { read } for name="filesystems"
dev="proc" ino=4026532076 scontext=u:r:update_engine:s0
tcontext=u:object_r:proc_filesystems:s0 tclass=file permissive=0
Bug: 309812002
Test: th
Change-Id: I10903ced21e79c90dec45fb40ecd169d98c94e89
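
The denial quoted in the update_engine commit message above can be triaged mechanically. The following is an added example, not part of the commit or of the sepolicy tree: it parses AVC denial lines and merges them into candidate allow rules for review. The function names and the second sample line are assumptions made for illustration, and the output is a review candidate, not the rule the commit itself added.

```python
import re
from collections import defaultdict

# Denial from the commit message above, rejoined onto one line.
PAGE_DENIAL = ('audit(0.0:242): avc: denied { read } for name="filesystems" '
               'dev="proc" ino=4026532076 scontext=u:r:update_engine:s0 '
               'tcontext=u:object_r:proc_filesystems:s0 tclass=file permissive=0')
# Constructed line (not from the page) to show permission merging.
CONSTRUCTED_DENIAL = PAGE_DENIAL.replace("{ read }", "{ open getattr }")

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?')

def context_type(context):
    """Return the type field of a user:role:type:level context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % context)
    return parts[2]

def parse_denial(line):
    """Parse one AVC denial line; return None if the line is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "source": context_type(m.group("scon")),
        "target": context_type(m.group("tcon")),
        "tclass": m.group("tclass"),
        "perms": set(m.group("perms").split()),
        "enforced": m.group("permissive") != "1",  # absent field counts as enforced
    }

def candidate_rules(lines):
    """Merge denials per (source, target, class) into sorted allow rules."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d:
            merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_text))
    return rules
```

Each generated rule still has to be checked against the domain's intended access and existing neverallow rules before it goes into policy.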