tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
40263 commits 1 branch 0 tags 50 MiB
Commit graph

40263 commits

This branch
This branch
All branches
Author SHA1 Message Date
Sandro Montanari
94f7b16893 Merge "Move get_prop rules from public/domain.te to private/domain.te" am: de243c1585 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2284275

Change-Id: If637e8ae2123df474c66ae765ef8841e07b8bc15
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-11-16 10:54:35 +00:00
Sandro Montanari
de243c1585 Merge "Move get_prop rules from public/domain.te to private/domain.te" 2022-11-16 10:33:10 +00:00
Treehugger Robot
4b6d1f5ea4 Merge "Add IAllocator-V2" am: 299ee9fb24 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2263543

Change-Id: I7093809290ebe11d245f0429293fa697ddffea56
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-11-15 23:36:39 +00:00
Treehugger Robot
299ee9fb24 Merge "Add IAllocator-V2" 2022-11-15 23:13:42 +00:00
Sandro
bcc04e69fc Move get_prop rules from public/domain.te to private/domain.te 
This way we can prevent private types (e.g., sdk_sandbox) from accessing
those properties.

Bug: 210811873
Test: m -j, boot device
Change-Id: Idbcc4928c8d0d433f819d8b114e84a5f09466ad0
 2022-11-15 17:05:11 +00:00
Seungjae Yoo
3d9b334391 Merge "Allow reading proc file in crosvm process for reading cpu/mem stat in VM" am: b43e1b1c19 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2300539

Change-Id: I0981485fb364b89e3a697d263d8323126ac7837c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-11-15 02:36:10 +00:00
Seungjae Yoo
b43e1b1c19 Merge "Allow reading proc file in crosvm process for reading cpu/mem stat in VM" 2022-11-15 01:47:50 +00:00
Treehugger Robot
80e6a481d8 Merge "Allow microdroid_manager to do stdio_to_kmsg" am: 069b9502b1 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2300540

Change-Id: I9d366d7e6b9ca87d817819394fd48225416bd650
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-11-14 14:20:46 +00:00
Treehugger Robot
069b9502b1 Merge "Allow microdroid_manager to do stdio_to_kmsg" 2022-11-14 13:48:17 +00:00
Treehugger Robot
5bdeb76422 Merge "Add adaptive haptics restricted system property" am: bc37c334e5 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2300027

Change-Id: I5dd21700c9f64d08785855436c4c5eeb2e88a616
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-11-14 11:21:07 +00:00
Treehugger Robot
bc37c334e5 Merge "Add adaptive haptics restricted system property" 2022-11-14 10:52:56 +00:00
Chris Paulo
ad2f883271 Add adaptive haptics restricted system property 
Create adaptive haptics system property to store adaptive haptics enable
state.

Bug: 198239103
Test: Verified system property usage
Change-Id: I5d4f0a5c8ec4a5b0ce18bc03a6d30879dd76d58b
Signed-off-by: Chris Paulo <chrispaulo@google.com>
 2022-11-14 09:20:56 +00:00
Inseob Kim
22c1bff56b Allow microdroid_manager to do stdio_to_kmsg 
To track any possible bugs on microdroid_manager.

Bug: 258760809
Test: intentionally crash microdroid_manager and see console
Change-Id: I6cd24f3129d153159d76115c833a80353aeee42a
 2022-11-14 17:59:08 +09:00
Seungjae Yoo
9f240f2d68 Allow reading proc file in crosvm process for reading cpu/mem stat in VM 
Bug: 257159905
Test: N/A
Change-Id: Ica4da2f7f29be2c4f3f9446040247bee36e42f1a
 2022-11-14 15:24:27 +09:00
Jooyung Han
8a6f0733b8 Merge "Allow dumpstate to read apex-info-list.xml" am: 01e9b4d5d0 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2272967

Change-Id: I52250de8c7570e9cb4be389114d1e62be2f7ee63
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-11-14 02:46:26 +00:00
Jooyung Han
01e9b4d5d0 Merge "Allow dumpstate to read apex-info-list.xml" 2022-11-14 02:23:23 +00:00
Max Bires
361d7632f8 Merge "Allow shell to call IRemotelyProvisionedComponent" am: 37992dce8d 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2243814

Change-Id: I8d7cc835aef5c30d246b9fdadc2afd5ed4ad4cee
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-11-12 01:02:30 +00:00
Max Bires
37992dce8d Merge "Allow shell to call IRemotelyProvisionedComponent" 2022-11-12 00:20:34 +00:00
Treehugger Robot
9ab626ae72 Merge "[rpc_binder] Enable connection with vm_payload_service" am: 5b7cde87cd 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2268827

Change-Id: I61c61388ced4732463b59abbb3d2c05570c0158a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-11-11 23:03:06 +00:00
Treehugger Robot
5b7cde87cd Merge "[rpc_binder] Enable connection with vm_payload_service" 2022-11-11 22:36:38 +00:00
Jooyung Han
1802a16336 Allow dumpstate to read apex-info-list.xml 
Bug: 254486775
Test: sesearch --allow -s dumpstate -t apex_info_file policy
Change-Id: I52cc2ed2fcb0cf969009e323300741169d8e6d8a
 2022-11-11 11:30:20 +09:00
Jeff Pu
a2b1ea0619 Merge "Add properties for virtual fingerprint HAL" am: 1c92a1262e 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2297757

Change-Id: If62dc426be2af5b619814c39228d2da7c7b05fca
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-11-11 00:04:09 +00:00
Jeff Pu
1c92a1262e Merge "Add properties for virtual fingerprint HAL" 2022-11-10 23:29:29 +00:00
Tri Vo
25d9631df4 Merge "Allow KeyMint HAL to read serialno" am: 9f4f08291b 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2292580

Change-Id: Ic74f100cade1f1fa2779c9ba1cd288c3c808ce9b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-11-10 20:54:52 +00:00
Tri Vo
9f4f08291b Merge "Allow KeyMint HAL to read serialno" 2022-11-10 20:41:55 +00:00
Sandeep Dhavale
99c5e1cd9a Merge "Fastboot AIDL Sepolicy changes" am: d64fb55474 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2293917

Change-Id: I4578b89653f430bc6c95c6102dc7e5d6f90c667b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-11-10 18:55:34 +00:00
Treehugger Robot
98cc203f06 Merge "Use CAP_SYS_RESOURCE instead of CAP_IPC_LOCK for crosvm" am: c041485773 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2276846

Change-Id: Ifbc7486a0b2c82c6903157b948615c21546f8daa
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-11-10 18:54:51 +00:00
Sandeep Dhavale
d64fb55474 Merge "Fastboot AIDL Sepolicy changes" 2022-11-10 18:29:00 +00:00
Treehugger Robot
c041485773 Merge "Use CAP_SYS_RESOURCE instead of CAP_IPC_LOCK for crosvm" 2022-11-10 18:24:04 +00:00
David Brazdil
88f98d96da Use CAP_SYS_RESOURCE instead of CAP_IPC_LOCK for crosvm 
Instead of giving CAP_IPC_LOCK to crosvm, give virtualizationservice
CAP_SYS_RESOURCE so it can modify the rlimit_memlock of itself and its
children. This is done in preparation for running crosvm as a child
process of the requestor, in which case it will not have the option to
use CAP_IPC_LOCK anymore, but it also allows us to set an upper bound on
the amount of pinnable memory if necessary.

Bug: 204298056
Bug: 245727626
Test: atest MicrodroidTestApp
Change-Id: Ic7f161fe4232440a0dd9924d971f22fc053d973b
 2022-11-10 16:18:35 +00:00
Jeff Pu
be8ede8c35 Add properties for virtual fingerprint HAL 
Bug: 228638448
Test: N/A
Change-Id: I58bfe2dd7f359b00203a1d10351ccdc5001bb166
 2022-11-10 09:50:16 -05:00
Alice Wang
a818fa2ee2 [rpc_binder] Enable connection with vm_payload_service 
Bug: 222479468
Test: atest MicrodroidTests
Change-Id: I85d4d2e2272143b0a1b044c307792feffde4cdf6
 2022-11-10 08:00:36 +00:00
Sandeep Dhavale
f0ea953e60 Fastboot AIDL Sepolicy changes 
Bug: 205760652
Test: Build & flash
Change-Id: I2709c5cc2ca859481aac6fecbc99fe30a52a668b
Signed-off-by: Sandeep Dhavale <dhavale@google.com>
 2022-11-09 22:21:27 +00:00
Lakshman Annadorai
4faf2db7bc Merge "Revert "Add sepolicies for CPU HAL."" am: 9691a41b0a 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2295597

Change-Id: I96e21bc963b9061e60993cd3b2d79b1761287dc2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-11-09 21:36:54 +00:00
Lakshman Annadorai
9691a41b0a Merge "Revert "Add sepolicies for CPU HAL."" 2022-11-09 20:57:15 +00:00
Max Bires
4d3dcd64d3 Allow shell to call IRemotelyProvisionedComponent 
This change gives the shell process the needed permissions to call the
rkp_factory_extraction_tool without also granting the ability to access
the KeyMint HAL service.

To run the tool from a shell accessible folder, push
rkp_factory_extraction_tool to /data/local/tmp with:

adb push out/target/product/<path/to/tool>/rkp_factory_extraction_tool \
/data/local/tmp

Test: the tool can be executed in SELinux enforcing mode
Change-Id: Idebebffa9bb405d527ab37c17030db3999efe3d1
 2022-11-09 12:42:28 -08:00
Lakshman Annadorai
4d277b7baa Revert "Add sepolicies for CPU HAL." 
This reverts commit f4ab6c9f3c.

Reason for revert: CPU HAL is no longer required because the CPU frequency sysfs files are stable Linux Kernel interfaces and could be read directly from the framework.

Change-Id: I8e992a72e59832801fc0d8087e51efb379d0398f
 2022-11-09 16:47:07 +00:00
Treehugger Robot
27d3469e44 Merge "Grant permission for mediatranscoding hal_allocator for OMX platforms" am: 3dfa40c621 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1966579

Change-Id: I5e27b9e9f1e876dd9c2ccf69d167c0d49be94ebf
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-11-09 04:18:00 +00:00
Treehugger Robot
3dfa40c621 Merge "Grant permission for mediatranscoding hal_allocator for OMX platforms" 2022-11-09 03:23:48 +00:00
Changyeon Jo
6f62240be5 Allow dumpstate to signal evsmanagerd am: 0dd6bc0c5e 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2291525

Change-Id: I9f62fa606825ae3b3c4e226b28c62f6071ef8e19
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-11-08 22:44:23 +00:00
Tri Vo
6ac74e8051 Allow KeyMint HAL to read serialno 
Test: VtsAidlKeyMintTargetTest
Change-Id: Ifb1c55b73f869b531dbef600df03fb95cd343cd0
 2022-11-08 10:50:57 -08:00
Changyeon Jo
0dd6bc0c5e Allow dumpstate to signal evsmanagerd 
This CL allows dumpstate to signal evsmanagerd, which is another
android.hardware.automotive.evs.IEvsEnumerator implementation, to dump
its stack.

Fix: 243335867
Test: atest android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: I37b4cf0ae45f8196f92088cf07a2b45c44f50ee8
 2022-11-08 12:53:50 +00:00
Lakshman Annadorai
167d75b748 Add sepolicies for CPU HAL. am: f4ab6c9f3c 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2254815

Change-Id: I652d85dd55578831d7fc76bd58e4f54dd4f659b9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-11-04 20:56:59 +00:00
Lakshman Annadorai
f4ab6c9f3c Add sepolicies for CPU HAL. 
Change-Id: Ia091bf8f597a25351b5ee33b2c2afc982f175d51
Test: Ran `m; emulator; adb logcat -b all -d > logcat.txt;`
      and verified CPU HAL is running without any sepolicy violation.
Bug: 252883241
 2022-11-04 18:13:00 +00:00
Sandro
3933c831d1 Move get_prop rules from public/app.te to private/app.te am: 080c579d47 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2284274

Change-Id: Ic426aa01747fc5998f2c016105e95651db283025
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-11-04 13:23:00 +00:00
Alfred Piccioni
8662c71db1 Merge "Add NTFS support in sepolicy." am: 8a909eb966 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2284273

Change-Id: Ibc1a5d932bd16e3424d4a0d324910a20442b77f8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-11-04 10:04:21 +00:00
Sandro
080c579d47 Move get_prop rules from public/app.te to private/app.te 
This way we can prevent private types (e.g., sdk_sandbox) from accessing
those properties.

Bug: 210811873
Test: m -j, boot device
Change-Id: I55e3a4b76cabb6f47cee0972e6bad30565f0db7a
 2022-11-04 09:34:22 +00:00
Alfred Piccioni
8a909eb966 Merge "Add NTFS support in sepolicy." 2022-11-04 09:22:51 +00:00
Yi-yo Chiang
a4a30aeb02 Merge "remount: Allow 'shell' to run 'remount_exec' domain" am: b888a092b5 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2280988

Change-Id: I16d80ea0500c5705faf72f3cfb94f0ab2819f0df
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-11-04 05:10:10 +00:00
Yi-yo Chiang
b888a092b5 Merge "remount: Allow 'shell' to run 'remount_exec' domain" 2022-11-04 04:44:00 +00:00