David Anderson
23b5027d30
Merge "Allow update_engine to inotify_add_watch dm-user device nodes."
2022-07-22 20:15:05 +00:00
Matt Buckley
110d394660
Merge "Add ro.surface_flinger.enable_adpf_cpu_hint sysprop to sepolicy" am: ae7e3756ba
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2161459
Change-Id: I3e088f0c56907c6829f18ac9af6f61a7e42102bd
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-22 05:35:27 +00:00
Matt Buckley
ae7e3756ba
Merge "Add ro.surface_flinger.enable_adpf_cpu_hint sysprop to sepolicy"
2022-07-22 05:17:27 +00:00
Matt Buckley
1b23789dfe
Add ro.surface_flinger.enable_adpf_cpu_hint sysprop to sepolicy
...
Add new sysprop to control adpf cpu hints for surfaceflinger
Bug: b/195990840
Test: n/a
Change-Id: I5460e4668a2d69af194649ec076489de22caa348
2022-07-21 23:00:15 +00:00
David Anderson
b7bb3d0071
Allow update_engine to inotify_add_watch dm-user device nodes.
...
inotify_add_watch requires read permissions and these were only granted
to the /dev/block/dm-user directory, not the device nodes.
Denial: avc: denied { read } for pid=1918 comm="update_engine" name="product_b-user-cow" dev="tmpfs" ino=162 scontext=u:r:update_engine:s0 tcontext=u:object_r:dm_user_device:s0 tclass=chr_file permissive=0
Bug: 238572067
Test: apply OTA
Change-Id: I3fa7c9600873f4a2638fd140287511005f5aac1d
2022-07-21 12:47:46 -07:00
Thiébaud Weksteen
19710d032e
Merge "Remove key migration related changes" am: c5a3726e58
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2160358
Change-Id: I64b2b63672c8482216d9515718bd5b64de26c6dd
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-21 03:27:36 +00:00
Thiébaud Weksteen
c5a3726e58
Merge "Remove key migration related changes"
2022-07-21 01:20:53 +00:00
Katherine Lai
45ce880b05
Merge "Add bluetooth classic sysprops" am: 963596866a
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2154517
Change-Id: I58363adb52d3cfa93fb86ef8ee24f95e41b55d60
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-20 20:56:52 +00:00
Katherine Lai
963596866a
Merge "Add bluetooth classic sysprops"
2022-07-20 20:38:43 +00:00
David Anderson
568fd1f0ad
Allow kernel to write to shell_data_file loop devices in userdebug builds.
...
Tests around Virtual A/B, DSUs, remount etc need to create loop devices
and write to them, which requires the kernel domain to have file write
access. However there are very few contexts where this is allowed, and
most are for testing. These testing locations are not consistently
available (eg, /data/nativetest does not always exist).
We already allow readonly loop devices in /data/local/tmp for testing
purposes, so this adds write support as well (userdebug/eng only).
Bug: 218976943
Test: fiemap_image_test
Change-Id: Ic83ff5ef57241215240228ecaee3d9d07ff31d8e
2022-07-20 11:43:20 -07:00
John Wu
e5010a22a6
Remove key migration related changes
...
Migrating keys across UIDs is no longer required
Test: m
Bug: 228999189
Change-Id: I33e85635a4fe82bf1f98a9bfcf505a1067b4ed91
2022-07-20 15:19:37 +10:00
Treehugger Robot
c181aeb9b2
Merge "seamendc: fix potential double-free" am: bfc800dfc0
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2151753
Change-Id: Iec83624fe740af3ff28c093f70792039bb4d0da5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-20 02:02:59 +00:00
Treehugger Robot
bfc800dfc0
Merge "seamendc: fix potential double-free"
2022-07-20 01:50:47 +00:00
Inseob Kim
5cd2aa4f71
Merge "Remove dependency to distutils" am: 68e178a727
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2158116
Change-Id: I00b6456c5c4974f0a5f9a9393c51437dc7422b9c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-20 01:03:11 +00:00
Inseob Kim
68e178a727
Merge "Remove dependency to distutils"
2022-07-20 00:56:59 +00:00
Treehugger Robot
05c141c35a
Merge "Lexicographically sort perms in rules output of searchpolicy.py" am: dfbf4f38b6
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2159196
Change-Id: Idd0c9121de53f9673a831957415e436cd6744027
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-20 00:54:35 +00:00
Treehugger Robot
dfbf4f38b6
Merge "Lexicographically sort perms in rules output of searchpolicy.py"
2022-07-20 00:35:26 +00:00
Treehugger Robot
22f508a58e
Merge "Don't disallow vendor app hal_service_type" am: 9617447817
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2153808
Change-Id: Ica4bf13a474751efe61c5073165390a15d394338
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-19 18:39:53 +00:00
Treehugger Robot
9617447817
Merge "Don't disallow vendor app hal_service_type"
2022-07-19 18:18:45 +00:00
George Burgess IV
3f0bbd132d
seamendc: fix potential double-free
...
If we don't set `buff = NULL` after it's freed by this loop, a later
iteration over the loop where e.g., `stat` fails will call
`free(buff)` again.
Bug: 206470603
Test: TreeHugger
Change-Id: Ic19195adb7398fe2f8ab682ed451f24463872562
2022-07-19 17:31:52 +00:00
Sandro
6e7e003344
Lexicographically sort perms in rules output of searchpolicy.py
...
Bug: 238394904
Test: atest seamendc-test && atest CtsSecurityHostTestCases
Change-Id: I841e7d5cf3616d692dcd5b749544268bcbab76c2
2022-07-19 13:56:30 +00:00
Maciej Żenczykowski
e65c35282a
allow bpfloader to create symbolic links in /sys/fs/bpf am: d5098f99a9
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2154891
Change-Id: I3d282bde16f20a11d341b43640960a9c38b54645
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-19 07:36:43 +00:00
Inseob Kim
3a9ac6f10a
Remove dependency to distutils
...
Because distutils is deprecated since Python 3.10.
Test: atest android.security.cts.SELinuxHostTest
Change-Id: I29d390dcfbeaa65b2c868bbc8648835c644e3d18
2022-07-19 14:27:36 +09:00
Katherine Lai
9bddb0d32f
Add bluetooth classic sysprops
...
Added new sysprops to configure classic link supervision timeout,
page/inquiry scan activity, and page timeout
Bug: 233119719
Tag: #floss
Tag: #feature
Test: Manual
Change-Id: I92c598f97ca37486c208c7e37ad0d194f6f0b8b2
2022-07-18 20:55:20 +00:00
Maciej Żenczykowski
d5098f99a9
allow bpfloader to create symbolic links in /sys/fs/bpf
...
(this is to allow /sys/fs/bpf/tethering -> net_shared/tethering
for InProcessTethering, ie. Android Go devices)
Bug: 190523685
Bug: 236925089
Test: TreeHugger, manually on aosp_cf_x86_go_phone-userdebug
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ifa52429f958b0af80f91af6bfb064c1cdf9cd070
2022-07-18 05:14:44 -07:00
Steven Moreland
0ce7b3c92a
Don't disallow vendor app hal_service_type
...
Currently, vendor_service is excluded from this neverallow
for the same reason. However, the current plan is to remove
vendor_service. Since some vendor HAL services are not
marked as hal_service_type, this part of the change needs
to be submitted independently in order to clean them up.
Bug: 237115222
Test: build
Change-Id: I7893184c4d1011881b721d0b851e07c17f73732b
2022-07-15 19:44:21 +00:00
Jooyung Han
507b641085
Merge "Allow (hw)servicemanager use bootstrap bionic" am: 8fe0b28bf1
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2152734
Change-Id: Ie004a6d7c7e284baf4cf20f057a91cbe649ce6e9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-15 00:34:25 +00:00
Jooyung Han
8fe0b28bf1
Merge "Allow (hw)servicemanager use bootstrap bionic"
2022-07-15 00:12:55 +00:00
Treehugger Robot
3b61b61c5a
Merge "Allow system_server to signal InputProcessor HAL" am: 674d3e7822
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2152242
Change-Id: I8156dd48981a76ed08e68ed548b4cdd47b92e89c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-14 23:25:46 +00:00
Treehugger Robot
674d3e7822
Merge "Allow system_server to signal InputProcessor HAL"
2022-07-14 23:06:38 +00:00
Siarhei Vishniakou
4cb2d3c13d
Allow system_server to signal InputProcessor HAL
...
This is needed for Watchdog to be able to dump InputProcessor HAL.
Watchdog can be triggered locally for testing by patching
InputDispatcher.cpp:
void InputDispatcher::monitor() {
// Acquire and release the lock to ensure that the dispatcher has not deadlocked.
std::unique_lock _l(mLock);
+ std::this_thread::sleep_for(std::chrono::minutes(40));
mLooper->wake();
mDispatcherIsAlive.wait(_l);
Bug: 237322365
Test: adb bugreport (after triggering watchdog)
Change-Id: I746df8be4faaef2a67293d6b1c0cde5fa7810de6
Merged-In: I746df8be4faaef2a67293d6b1c0cde5fa7810de6
2022-07-14 22:05:07 +00:00
Inseob Kim
992bfbcd27
Merge "Allow microdroid_manager to stop tombstoned" am: 9dd70bc942
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2152733
Change-Id: I82db292f1e72f5fceed4f60f845e065e0873bef5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-14 16:27:47 +00:00
Inseob Kim
9dd70bc942
Merge "Allow microdroid_manager to stop tombstoned"
2022-07-14 16:09:23 +00:00
Nikita Ioffe
fb3df6dc4a
Merge "Add apexd.config.loop_wait.attempts sysprop to sepolicy" am: 5dd9e3a320
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2152793
Change-Id: I6161cbd8f80aa3a2cb17c2af364ee6df9d5354f3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-14 10:34:05 +00:00
Nikita Ioffe
5dd9e3a320
Merge "Add apexd.config.loop_wait.attempts sysprop to sepolicy"
2022-07-14 10:15:56 +00:00
Jooyung Han
133ca4ea6b
Allow (hw)servicemanager use bootstrap bionic
...
Bug: 237672865
Test: m && boot
Change-Id: I436cf97c4c8e852e36cd1faa9da646c9f8a4d0a4
2022-07-14 11:31:03 +09:00
Inseob Kim
1b570bde90
Merge changes from topics "microdroid_early_kernel_log", "no_logcat_on_microdroid_tests" am: 2bcdf84b6c
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2147820
Change-Id: I41cb1bccb4c06b9c6cd78003d73e55925acef521
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-14 01:35:58 +00:00
Inseob Kim
f1c1db1eff
Make logd and logcat bootstrappable am: 3f0ea4ffde
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2145763
Change-Id: Ia09f809f9395f46eaec61b5f7c02060e846fbec3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-14 01:35:52 +00:00
Inseob Kim
2bcdf84b6c
Merge changes from topics "microdroid_early_kernel_log", "no_logcat_on_microdroid_tests"
...
* changes:
microdroid: Remove redundant dontaudit from shell
Make logd and logcat bootstrappable
2022-07-14 01:19:32 +00:00
SzuWei Lin
b540e93de2
Merge "Set up sepolicy for mediaserver64" am: 5d24b9a14d
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2144720
Change-Id: I7a144eb156c3247102f47ce24d707ed882021d24
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-14 00:38:17 +00:00
SzuWei Lin
5d24b9a14d
Merge "Set up sepolicy for mediaserver64"
2022-07-14 00:20:03 +00:00
Nikita Ioffe
0fd6e24297
Add apexd.config.loop_wait.attempts sysprop to sepolicy
...
Also mark all apexd.config. properties to be apexd_config_prop
Bug: 237955261
Test: m
Change-Id: I93a9e1b450426ebe7cd11c87a9586697dc76a70e
2022-07-13 12:31:18 +01:00
Inseob Kim
fa4c5bff42
Allow microdroid_manager to stop tombstoned
...
If export_tombstones is false, leaving tombstoned running has no
meaning. However, we still can't selectively start tombstoned, because
post-fs-data happens earlier than config parsing. Thus, this change
allows microdroid_manager to stop tombstoned on demand.
Bug: 236588647
Test: atest MicrodroidTests
Change-Id: I813fe667f3394bdd234e204f3d35a27f3a182cb2
2022-07-13 18:59:50 +09:00
Treehugger Robot
c383817add
Merge "Added properties for rebootless apex install" am: be031287e4
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2147819
Change-Id: Iac6f20e59f2924248892657c74525034ce1b3c95
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-13 04:20:59 +00:00
Treehugger Robot
be031287e4
Merge "Added properties for rebootless apex install"
2022-07-13 04:04:20 +00:00
Xin Li
e4d55178d5
DO NOT MERGE - Merge TP1A.220624.013
...
Merged-In: Ibb00b7c470a4cb148cfdcfb6b147edde45e49b1a
Change-Id: Id8badc87768f66197ccaf2642f34fb2dc69e23df
2022-07-11 21:47:46 -07:00
Siarhei Vishniakou
5fc093f370
Allow dumping of InputProcessor HAL am: 889d8aa9a7
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2147322
Change-Id: I35913c59f0c1708ab59676534e964b26a798b9fc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-11 19:26:56 +00:00
Siarhei Vishniakou
889d8aa9a7
Allow dumping of InputProcessor HAL
...
In order to see the HAL state in bugreports, we need to allow the HAL to
write to file where the dump is going.
Bug: 237233372
Test: adb shell dumpsys android.hardware.input.processor.IInputProcessor/default
Change-Id: Idf78269e4ee9798c078ac3b7ee4f375515d7aadc
2022-07-11 18:33:54 +00:00
sandrom
105435e426
Add seamendc binary am: b246b1dc35
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2104345
Change-Id: Ibff2cb00ee19bce4b9ab68909e51564c51cf9f9a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-11 11:30:19 +00:00
sandrom
b246b1dc35
Add seamendc binary
...
Bug: 236691128
Test: adb shell seamendc -b <binary_policy> -o <output_policy> <test.cil> <test-redefinitions.cil>
Change-Id: Id51271e89261a2a612cf25e7b56147d5931c76f9
2022-07-11 09:23:52 +00:00