Inseob Kim
93d1139bdc
Merge "Add property contexts for vts props" am: 98fe6847bd
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1361757
Change-Id: I6ca056b0816bc4e3465e6c61800746c7071bb9f7
2020-07-16 11:50:50 +00:00
Inseob Kim
98fe6847bd
Merge "Add property contexts for vts props"
2020-07-16 10:24:08 +00:00
Inseob Kim
212e2b621a
Add property contexts for vts props
...
vts_config_prop and vts_status_prop are added to remove exported*_prop.
ro.vts.coverage becomes vts_config_prop, and vts.native_server.on
becomes vts_status_prop.
Bug: 155844385
Test: Run some vts and then getprop, e.g. atest \
VtsHalAudioEffectV4_0TargetTest && adb shell getprop
Test: ro.vts.coverage is read without denials
Change-Id: Ic3532ef0ae7083db8d619d80e2b73249f87981ce
2020-07-16 16:26:17 +09:00
Tom Cherry
f241424f67
Merge "add logd. as logd_prop" am: aed2a79fb5
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1362342
Change-Id: Ifb77b2ff1d8b0069edada00e76b0d0f796a2492e
2020-07-15 23:13:53 +00:00
Tom Cherry
aed2a79fb5
Merge "add logd. as logd_prop"
2020-07-15 22:58:33 +00:00
Calin Juravle
150e00dd75
Fix sepolicy for secondary dex files am: de7244cf23
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1360752
Change-Id: I42e7ae0da2d566c983f706194510ec3b543af925
2020-07-15 18:42:58 +00:00
Calin Juravle
de7244cf23
Fix sepolicy for secondary dex files
...
dexoptanalyzer needs read access on the secondary
dex files and of the main apk files in order to successfully evaluate
and optimize them.
Example of denial:
audit(0.0:30): avc: denied { read } for
path="/data/app/~~Zux_isdY0NBkRWPp01oAVg==/com.example.secondaryrepro-wH9zezMSCzIjcKdIMtrw7A==/base.apk"
dev="vdc" ino=40966 scontext=u:r:dexoptanalyzer:s0
tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0
app=com.example.secondaryrepro
Test: adb shell cmd package compile -r bg-dexopt --secondary-dex app
Bug: 160471235
Bug: 160351055
Change-Id: Id0bda5237d3ce1620d4f6ee89595836b4e1f3abf
2020-07-15 16:43:40 +00:00
Ken Chen
0dbb6abf7d
Merge "Add dontaudit statement to suppress denials" am: 62f0a4d306
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1361756
Change-Id: I87aa4636229f96ff4fe222caa3f4a8c889094474
2020-07-15 08:53:03 +00:00
Wei Wang
2ac2b5956a
Allow thermal tracing in user build am: 926145161a
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1362170
Change-Id: Ic76a4ee2ed1eaaa61be0eee49125898fbd6eb304
2020-07-15 08:46:43 +00:00
Ken Chen
62f0a4d306
Merge "Add dontaudit statement to suppress denials"
2020-07-15 08:42:48 +00:00
Wei Wang
926145161a
Allow thermal tracing in user build
...
Bug: 160818586
Test: Build and check label
Change-Id: I30b13af585daaf9a85f45ab3b41d0b5e060b4bf4
2020-07-14 23:43:09 +00:00
Yifan Hong
2af8530e05
Merge "Correct labels on files / props in vendor_dlkm." am: f74fa29aed
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1311860
Change-Id: I5e3b822947d174f73543c2eaa157fdbd64fd5559
2020-07-14 19:29:01 +00:00
Yifan Hong
f74fa29aed
Merge "Correct labels on files / props in vendor_dlkm."
2020-07-14 19:15:13 +00:00
Tom Cherry
d45249e4a9
add logd. as logd_prop
...
We already have ro.logd. and persist.logd. as logd_prop, but not
logd. so this change adds it. New properties should be read-write by
default so logd. should be preferred to ro.logd.
Test: set logd.buffer_type appropriately.
Change-Id: I51ed19f0093a0302709116944153f37067814d08
2020-07-14 11:08:32 -07:00
Inseob Kim
7606d96a63
Allow charger to read minui properties am: 792219e48d
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1361758
Change-Id: I4c3ef4ef754a71474855718888a9f48bbdae0481
2020-07-14 13:23:35 +00:00
Inseob Kim
792219e48d
Allow charger to read minui properties
...
Failing to read minui properties causes charger crash.
Bug: N/A
Test: enter charger mode with blueline
Change-Id: Ic174cd1116edd510499836ab42675d6fabc63324
2020-07-14 18:06:54 +09:00
Inseob Kim
6755a00ac2
Merge "Add charger related property contexts" am: 1ef68a4852
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1360138
Change-Id: I93d34499c6febaa849744cf1b0a7ba4ec7cc44a6
2020-07-14 07:22:15 +00:00
Inseob Kim
1ef68a4852
Merge "Add charger related property contexts"
2020-07-14 07:07:38 +00:00
Ken Chen
e49acfa33b
Add dontaudit statement to suppress denials
...
A few netd avc denials are observed. Suppress audit messages since they
don't cause a problem.
Bug: 77870037
Test: build, flash, boot
Change-Id: I019c5af62630fcd0a35e22c560b9043bba58f6f1
2020-07-14 09:49:06 +08:00
Alexander Mishkovets
64bd525035
Merge "Define sepolicy for locale filter property" am: abe9923ef5
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1358091
Change-Id: I08a69017b835f15379231f0233953ced210a8734
2020-07-13 16:19:41 +00:00
Alexander Mishkovets
abe9923ef5
Merge "Define sepolicy for locale filter property"
2020-07-13 16:06:00 +00:00
Jeff Vander Stoep
316741a589
gmscore_app is attempting to access /dev/ashmem am: 3e2b91d672
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1361318
Change-Id: Ib22bab5eb94cc33df6e9e6f36d988c56fd485cdf
2020-07-13 14:40:48 +00:00
Jeff Vander Stoep
3e2b91d672
gmscore_app is attempting to access /dev/ashmem
...
This is not allowed for apps with targetSdkVersion>=Q.
Allow this failure until gmscore fixes.
Bug: 160984921
Test: build
Change-Id: I1e9f2af091b22eef2bc05ae1e571fb45dec05cfe
2020-07-13 14:57:52 +02:00
Inseob Kim
ea1296c80e
Merge "Add tombstone_config_prop and move related prop" am: 00a87e48d1
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1355673
Change-Id: I89fb373d6a5aae2bcbd5387aa5b3cce731c96ad4
2020-07-10 11:59:16 +00:00
Inseob Kim
00a87e48d1
Merge "Add tombstone_config_prop and move related prop"
2020-07-10 11:48:05 +00:00
Jeffrey Vander Stoep
f21156625c
Merge "netd: suppress dir write to /system" am: 771376b7e2
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1360317
Change-Id: I5032ec302759cf676d9a643a9937d0fa5f441fb1
2020-07-10 10:00:33 +00:00
Jeffrey Vander Stoep
771376b7e2
Merge "netd: suppress dir write to /system"
2020-07-10 09:47:12 +00:00
Jeff Vander Stoep
f8155a0c34
netd: suppress dir write to /system
...
avc: denied { write } for pid=661
comm="iptables-restor" name="etc" dev="overlay" ino=55668
scontext=u:r:netd:s0 tcontext=u:object_r:system_file:s0 tclass=dir
permissive=0
Occurs after an adb remount and running netd unit tests.
Bug: 160562747
Test: build tests
Change-Id: I4c8ea7ef8d00e214bf0dab1496a6b8dcc449f59e
2020-07-10 09:12:00 +02:00
Inseob Kim
8ef4792f01
Add charger related property contexts
...
ro.enable_boot_charger_mode and sys.boot_from_charger_mode are moved to
new property contexts for charger props to remove exported*_prop.
Bug: 155844385
Test: boot device with ro.enable_boot_charger_mode
Change-Id: I17d195d3c9c002a42125d46a5efcdb890f1c2a5c
2020-07-10 14:15:15 +09:00
Yifan Hong
85aba14765
Correct labels on files / props in vendor_dlkm.
...
All files under vendor_dlkm are tagged vendor_file.
All build props for vendor_dlkm are mapped as build_vendor_prop.
Test: build and
`ls /vendor_dlkm -lZ`
`adb shell getprop -Z | grep vendor_dlkm`
Bug: 154633114
Change-Id: Ie9dc26d948357767fec09aca645606310ad3425c
2020-07-09 15:02:00 -07:00
Alexander Mishkovets
f0be89be1d
Define sepolicy for locale filter property
...
Bug: 154133013
Test: Manual
Change-Id: I28ae279e4fd47553fcf4ab9421944f552490b49f
2020-07-09 20:32:58 +02:00
Inseob Kim
e7a03c3c7d
Merge "Relabel media.recorder.show_manufacturer_and_model" am: 881f8c6b2d
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1355666
Change-Id: I87b3a655d24d151166c1b744f94c35a99d9c057c
2020-07-08 08:30:57 +00:00
Inseob Kim
881f8c6b2d
Merge "Relabel media.recorder.show_manufacturer_and_model"
2020-07-08 08:18:48 +00:00
Inseob Kim
dddf6f561f
Relabel media.recorder.show_manufacturer_and_model
...
To remove exported*_default_prop
Bug: 155844385
Test: capture video
Test: atest writerTest
Change-Id: I74223c8daa44acf0aba33bff31cfe21f6242f941
2020-07-08 15:32:57 +09:00
Treehugger Robot
3764f14ae6
Merge "simplify neverallowxperm for tun_device" am: f1d02d4230
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1355676
Change-Id: I1ef916ea4c7ea5152ca6df1e0d6dc1c16dd4cf46
2020-07-08 04:46:48 +00:00
Treehugger Robot
f1d02d4230
Merge "simplify neverallowxperm for tun_device"
2020-07-08 04:33:34 +00:00
Inseob Kim
703c99cfae
Merge "Add keyguard_config_prop for keyguard property" am: d702d3fae1
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1355669
Change-Id: I2bd84bef0b255245bbb48f4e6f2003363f71e9f3
2020-07-08 03:33:57 +00:00
Inseob Kim
d702d3fae1
Merge "Add keyguard_config_prop for keyguard property"
2020-07-08 03:22:12 +00:00
Maciej Żenczykowski
e346fbc044
simplify neverallowxperm for tun_device
...
Test: builds, atest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ia92fc0b9a805763779a13cad6ad3137c9327ca61
2020-07-07 18:41:56 -07:00
Treehugger Robot
f5d09cc2a8
Merge "Add export of ro.hdmi.cec_device_types" am: 1786098e96
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1311554
Change-Id: I6636cfce9847dc5d7032b75c2aa463836f551466
2020-07-07 22:08:17 +00:00
Treehugger Robot
1786098e96
Merge "Add export of ro.hdmi.cec_device_types"
2020-07-07 21:51:53 +00:00
Treehugger Robot
2312be1814
Merge "Update prebuilt/seapp_contexts" am: 7b4027a826
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1356843
Change-Id: I3ea26a93ebb8a83b566c85bfc1d8113717cb0444
2020-07-07 20:31:52 +00:00
Treehugger Robot
7b4027a826
Merge "Update prebuilt/seapp_contexts"
2020-07-07 20:09:18 +00:00
Ashwini Oruganti
a9ab9362d4
Update prebuilt/seapp_contexts
...
The seinfo=platform bit seems to have been missed in a previous update.
Test: builds
Change-Id: I0d8faeb8ca1ed326ab958e5da329288b91719206
2020-07-07 11:48:26 -07:00
Paul Crowley
a05c24d464
Merge "Uncrypt: Allow uncrypt to write on ota_package_file." am: 42f9a5337a
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1344636
Change-Id: I7b32605e427c1930bafafe00ec7b9c9640424780
2020-07-07 15:37:41 +00:00
Paul Crowley
42f9a5337a
Merge "Uncrypt: Allow uncrypt to write on ota_package_file."
2020-07-07 15:27:29 +00:00
Inseob Kim
14a71fb162
Add tombstone_config_prop and move related prop
...
tombstoned.max_tombstone_coun becomes tombstone_config_prop to remove
exported*_default_prop
Bug: 155844385
Test: tombstoned is running and logcat shows no denials
Change-Id: I57bebb5766d790dc52d40a6d106f480e0e34fa4e
2020-07-07 14:17:40 +09:00
Inseob Kim
04f435ca52
Add keyguard_config_prop for keyguard property
...
keyguard.no_require_sim becomes keyguard_config_prop to remove
exported*_default_prop
Bug: 155844385
Test: boot and see no denials
Change-Id: Icffa88b650a1d35d8c1cd29f89daf0644a79ddd3
2020-07-07 12:46:24 +09:00
P.Adarsh Reddy
916bd874d6
Uncrypt: Allow uncrypt to write on ota_package_file.
...
This adds a sepolicy rule to allow the uncrypt module to write
on OTA zip (for f2fs_pin_file functionality).
Also, add a few dontaudit rules to suppress harmless denials.
Denials:
I uncrypt : type=1400 audit(0.0:177): avc: denied { write } for name="update.zip" dev="dm-10" ino=7727 scontext=u:r:uncrypt:s0 tcontext=u:object_r:ota_package_file:s0 tclass=file permissive=0
I uncrypt : type=1400 audit(0.0:175): avc: denied { search } for name="/" dev="sda9" ino=2 scontext=u:r:uncrypt:s0 tcontext=u:object_r:metadata_file:s0 tclass=dir permissive=0
I uncrypt : type=1400 audit(0.0:176): avc: denied { search } for name="gsi" dev="sda9" ino=19 scontext=u:r:uncrypt:s0 tcontext=u:object_r:gsi_metadata_file:s0 tclass=dir permissive=0
Bug: 158070965
Change-Id: I473c5ee218c32b481040ef85caca907a48aadee6
2020-07-07 00:03:11 +00:00
Nicolas Geoffray
aca20df682
Fix sepolicy of ART module. am: 612ce87b51
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1355562
Change-Id: Ibc78ca0e69ab3c7f782afdb9078a90a60ddc7563
2020-07-06 18:42:13 +00:00