tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
38808 commits 1 branch 0 tags 50 MiB
Commit graph

38808 commits

This branch
This branch
All branches
Author SHA1 Message Date
SzuWei Lin
994195359f Set up sepolicy for mediaserver64 
Add mediaserver(32|64) for supporting 64-bit only devices. The patch is
for setting up the sepolicy for mediaserver(32|64).

Bug: 236664614
Test: make gsi_arm64-user; Check the sepolicy
Change-Id: I61c69588b84305b9863a72b5a466d4185f7f1958
 2022-07-11 16:18:55 +08:00
Siarhei Vishniakou
a50b672979 Allow dumpstate to get traces in api 33.0 am: 1579b37a19 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2147164

Change-Id: I04ac37c45b645ef51d0b04f321de743db932f3cb
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-08 16:05:54 +00:00
Inseob Kim
202fe3c2d6 microdroid: Remove redundant dontaudit from shell 
Bug: 238135989
Test: atest MicrodroidHostTestCases
Change-Id: Ia74ee40e952ffc3bf18e1ff890efcff5219ef33a
 2022-07-08 08:56:16 +00:00
Siarhei Vishniakou
1579b37a19 Allow dumpstate to get traces in api 33.0 
In order to debug the HAL getting stuck, dumpstate needs permission to
dump its traces. In this CL, we update the api 33.0 accordingly.

Bug: 237347585
Bug: 237322365
Test: m sepolicy_freeze_test
Change-Id: I5096f52358880e3c10657e5aae9ead1723cc9fa9
Merged-In: I5096f52358880e3c10657e5aae9ead1723cc9fa9
 2022-07-08 06:55:44 +00:00
Jooyung Han
ccfb0ef146 Added properties for rebootless apex install 
When apexd installs an apex without reboot, init also need to do some
work around the installation (e.g. terminating services from the apex
and remove data read from the apex and updating linker configuration
etc)

Apexd sets control properties to unload and load apex and init notifies
the completion with state properties.

These new properties are supposed to be used by apexd/init interaction.

Bug: 232114573
Bug: 232173613
Test: CtsStagedInstallHostTestCases
Test: CtsInitTestCases
Change-Id: I5af6b36310f3c81f1cd55537473e54756541d347
 2022-07-08 12:12:45 +09:00
Android Build Coastguard Worker
6f6029407a Merge cherrypicks of [19149566] into tm-release. 
Change-Id: If83579ef0c9dbe3bfefc10d6af77ec60642b2833
 2022-07-08 00:19:45 +00:00
Jeff Vander Stoep
e1189a7aa7 Allow all Apps to Recv UDP Sockets from SystemServer 
Access to this functionality is gated elsewhere e.g. by
allowing/disallowing access to the service.

Bug: 237512474
Test: IpSecManagerTest
Test: Manual with GMSCore + PPN library
Ignore-AOSP-First: It's a CP of aosp/2143512
Change-Id: Ibb00b7c470a4cb148cfdcfb6b147edde45e49b1a
(cherry picked from commit 6ae09a4609)
Merged-In: Ibb00b7c470a4cb148cfdcfb6b147edde45e49b1a
 2022-07-08 00:19:26 +00:00
Treehugger Robot
163fb597fd Merge "crash_dump: Update prebuilts for API 33" am: 355ecc995e 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2145179

Change-Id: I916144a02848d952d70b6fd25889c4d5ff48084b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-07 16:47:36 +00:00
Treehugger Robot
355ecc995e Merge "crash_dump: Update prebuilts for API 33" 2022-07-07 16:33:48 +00:00
David Brazdil
707cad8692 crash_dump: Update prebuilts for API 33 
Bug: 236672526
Test: n/a
Merged-In: I49571dcfdd9c194101cc929772fa15463609fa8c
Change-Id: I49571dcfdd9c194101cc929772fa15463609fa8c
 2022-07-07 15:17:20 +00:00
Thiébaud Weksteen
5ce2e0e243 Merge "Revert "Remove key migration related changes"" am: febedf5a42 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2147821

Change-Id: Ib0679d31928a4c09300cdfbe0dd03dd08ff084db
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-07 09:01:59 +00:00
Thiébaud Weksteen
febedf5a42 Merge "Revert "Remove key migration related changes"" 2022-07-07 08:43:54 +00:00
Thiébaud Weksteen
f412c13a02 Revert "Remove key migration related changes" 
This reverts commit 65dcdf2921.

Reason for revert: broken internal target 

Change-Id: Idf57285d95f5466dfa3af08230af4c8f9d76326c
 2022-07-07 08:40:23 +00:00
Thiébaud Weksteen
3d242f752a Merge "Remove key migration related changes" am: c3cb5a25e3 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2134299

Change-Id: I79a4e7aeaa3a5f05a40332c1cbff8bda093529f5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-07 04:32:15 +00:00
Thiébaud Weksteen
c3cb5a25e3 Merge "Remove key migration related changes" 2022-07-07 04:13:22 +00:00
Android Build Coastguard Worker
0930ade2ea Merge cherrypicks of [19143810, 19133814] into tm-release. 
Change-Id: I570c7d844c90c1b2bb7cb1086829c93d7a88c665
 2022-07-07 03:05:58 +00:00
Ryan Savitski
e1c2d9941e Revert system app/process profileability on user builds 
Please see bug for context.

This reverts commits:
* 6111f0cfc8
* bb197bba02
* 20d0aca7e6

And updates prebuilts/api/33.0 accordingly.

Bug: 217368496
Tested: redfin-user and barbet-userdebug: build+flash+boot;
        manual test of typical profiling (heap and perf);
        atest CtsPerfettoTestCases.
Change-Id: If7fcf3d5a2fdb1a48dcaf8ef8f97e8375d461e61
Merged-In: If7fcf3d5a2fdb1a48dcaf8ef8f97e8375d461e61
(cherry picked from commit babba5e83b)
(cherry picked from commit c592577fb2)
Merged-In: If7fcf3d5a2fdb1a48dcaf8ef8f97e8375d461e61
 2022-07-07 03:05:00 +00:00
Thiébaud Weksteen
a089864e82 Ignore access to /sys for dumpstate 
avc: denied { read } for name="stat" dev="sysfs" ino=26442
scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file
permissive=0

Bug: 236566714
Test: TH
Change-Id: Id4e781908573607b28782fbb2da7cd553d6826fe
(cherry picked from commit 5e8a384f5a)
Merged-In: Id4e781908573607b28782fbb2da7cd553d6826fe
(cherry picked from commit 2e23fa2c99)
Merged-In: Id4e781908573607b28782fbb2da7cd553d6826fe
 2022-07-07 03:04:54 +00:00
Treehugger Robot
e36b5af694 Merge "Allow dumpstate to get InputProcessor traces" am: 2a3c76f09f 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2147021

Change-Id: I3e975e341d719997c4d1e269e8159534babc62fc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-06 19:14:02 +00:00
Treehugger Robot
2a3c76f09f Merge "Allow dumpstate to get InputProcessor traces" 2022-07-06 18:58:22 +00:00
Mitch Phillips
064be20ec5 Add API level 33 persistent GWP-ASan Sysprop 
Looks like this is needed for TM.

Bug: 236738714
Test: atest bionic-unit-tests && presubmit ag/19136924 PS#3
Change-Id: Ida26db898f2edaddce67ae13a5859115126a18cb
 2022-07-06 16:21:52 +00:00
Siarhei Vishniakou
c982ef878d Allow dumpstate to get InputProcessor traces 
When the InputProcessor HAL is getting dumped, allow the dumpstate
process to trigger the trace collection.

In the future, we will also add a 'dump' facility to this HAL.

Bug: 237347585
Bug: 237322365
Test: adb bugreport
Change-Id: Iecc525c212c1b899962a032df9643bdd8b0dcdb6
 2022-07-06 08:28:50 -07:00
Inseob Kim
3f0ea4ffde Make logd and logcat bootstrappable 
Because we want to collect early kernel logs, before apexd is run.

Bug: 236451404
Test: atest MicrodroidTests
Change-Id: Id84f5b36df00394eb3444fdef5654c6ec0759faf
 2022-07-06 14:51:28 +09:00
Treehugger Robot
dbd0da73ba Merge "Revert system app/process profileability on user builds" am: 829acbee3a 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2142152

Change-Id: Idf3f36723d703f55141b97aaa0605194283d723e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-04 15:56:18 +00:00
Treehugger Robot
829acbee3a Merge "Revert system app/process profileability on user builds" 2022-07-04 15:41:08 +00:00
Treehugger Robot
06f721e8de Merge "Allow all Apps to Recv UDP Sockets from SystemServer" am: c37a39c26d 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2143512

Change-Id: I214835a158c7851bb5971fe0fcf90cb1d8fb7fc2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-04 08:30:12 +00:00
Treehugger Robot
c37a39c26d Merge "Allow all Apps to Recv UDP Sockets from SystemServer" 2022-07-04 08:21:47 +00:00
Treehugger Robot
400465d53a Merge "selinux: allow bpfloader bpffs_type:file getattr" am: e6bd93d6b6 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2143115

Change-Id: I7af7bc511f0b4373e07d34a70fafc475fb44fd6c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-04 08:21:10 +00:00
Treehugger Robot
e6bd93d6b6 Merge "selinux: allow bpfloader bpffs_type:file getattr" 2022-07-04 07:51:45 +00:00
David Brazdil
9a394805ac crash_dump: Remove permission to dump crosvm am: 28b34f1bca 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2143613

Change-Id: Ie6e57d2bf703384593c037d72de843586cb4dc33
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-04 07:45:09 +00:00
Maciej Żenczykowski
1fcf7c8e7e selinux: allow bpfloader bpffs_type:file getattr 
(to be able to stat() nodes in /sys/fs/bpf)

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ic71ebea683844a8d5ac0b542da815bae2816973a
 2022-07-02 02:02:51 -07:00
David Brazdil
28b34f1bca crash_dump: Remove permission to dump crosvm 
A crosvm instance running a protected VM contains a memory mapping of
the VM's protected memory. crash_dump can trigger a kernel panic if it
attaches to such crosvm instance and tries to dump this memory region.

Until we have a means of excluding only the protected memory from
crash_dump, prevent crash_dump from dumping crosvm completely by taking
away its SELinux permission to ptrace crosvm.

Bug: 236672526
Test: run 'killall -s SIGSEGV crosvm' while running crosvm
Change-Id: I6672746c479183cc2bbe3dce625e5b5ebcf6d822
 2022-07-01 17:30:54 +01:00
Ryan Savitski
babba5e83b Revert system app/process profileability on user builds 
Please see bug for context.

This reverts commits:
* 6111f0cfc8
* bb197bba02
* 20d0aca7e6

And updates prebuilts/api/33.0 accordingly.

Bug: 217368496
Tested: builds successfully (barbet-userdebug)
Change-Id: If7fcf3d5a2fdb1a48dcaf8ef8f97e8375d461e61
 2022-07-01 12:41:01 +00:00
Jeff Vander Stoep
7295721417 Allow all Apps to Recv UDP Sockets from SystemServer 
Access to this functionality is gated elsewhere e.g. by
allowing/disallowing access to the service.

Bug: 237512474
Test: IpSecManagerTest
Test: Manual with GMSCore + PPN library
Change-Id: Ibb00b7c470a4cb148cfdcfb6b147edde45e49b1a
 2022-07-01 12:41:28 +01:00
Xin Li
03efcb5695 Merge "Merge tm-dev-plus-aosp-without-vendor@8763363" into stage-aosp-master 2022-06-29 21:21:45 +00:00
Mitch Phillips
c854d0d9da Merge "Add persistent gwp-asan sysprops" am: 038018e113 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2133021

Change-Id: Ia47cb44e9340eaaae9f22d98a1c00fc98bb26650
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-06-29 21:17:11 +00:00
Mitch Phillips
038018e113 Merge "Add persistent gwp-asan sysprops" 2022-06-29 20:56:56 +00:00
Siim Sammul
252a0502c8 Allow creating /data/tombstones files by system_server. 
Needed for ag/18773746

Bug: 225173288
Test: atest ErrorsTest +  manual
Change-Id: I31bab12a59babd9a197cfb03d2417b926e60af84
 2022-06-29 15:07:01 +00:00
Xin Li
b347e9fd52 Merge tm-dev-plus-aosp-without-vendor@8763363 
Bug: 236760014
Merged-In: I036e48530e37f7213a21b250b858a37fba3e663b
Change-Id: Ic7d4432aea1d37546d342df3e2157b9dc8207770
 2022-06-27 23:40:18 +00:00
John Wu
65dcdf2921 Remove key migration related changes 
Migrating keys across UIDs is no longer required

Test: m
Bug: 228999189
Change-Id: Icdecbdb3997f9c5b3d470578b1d61e580a1c3537
 2022-06-26 01:04:02 +10:00
David Anderson
3336ac363a Merge "Allow fastbootd to execute dmesg in userdebug builds." am: af348da192 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2133985

Change-Id: I38795a9bc3740d90fd97238a08d4d073393cfba0
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-06-24 21:31:47 +00:00
David Anderson
af348da192 Merge "Allow fastbootd to execute dmesg in userdebug builds." 2022-06-24 21:10:55 +00:00
Kelvin Zhang
ff5e433e62 Merge "Add proper permission for AIDL bootcontrol server" am: f70d708544 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2120294

Change-Id: Iea95394148eb531d9ad926e3c7eb17cb71c596f7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-06-24 19:16:46 +00:00
Thiébaud Weksteen
3fcaeeaea8 Merge "Ignore access to /sys for dumpstate" am: 091943f99d 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2133439

Change-Id: I7b19bdd7a17784b040ab97f2307c3dcdcea7f1c7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-06-24 19:14:22 +00:00
Maciej Żenczykowski
e440dc50aa Merge "much more finegrained bpf selinux privs for networking mainline" am: afa8ca689f 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2103424

Change-Id: I4614099b6dc746efa27e6509944948fd435de59d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-06-24 19:08:30 +00:00
Almaz Mingaleev
0097f5158e Merge "Remove TZUvA feature." am: 0e70ea793f 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/953400

Change-Id: If35376848195ebd0ecd834630598cf7312eb3ee2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-06-24 19:07:34 +00:00
Kelvin Zhang
f70d708544 Merge "Add proper permission for AIDL bootcontrol server" 2022-06-23 23:44:39 +00:00
Android Build Coastguard Worker
3372b4eda9 Snap for 8762204 from 15715aea32 to tm-release 
Change-Id: I58217a97c2bbbb4dd03e9d3ff0a0accbf66f43c4
 2022-06-23 23:29:11 +00:00
Mitch Phillips
add13f0783 Add persistent gwp-asan sysprops 
Like the non-persistent variants, should be settable by shell without
root to allow external developer use on locked bootloaders.

Bug: 236738714
Test: atest bionic-unit-tests
Change-Id: Id9fc4abe491f560134267b06dd53c2dacca9422d
 2022-06-23 11:11:35 -07:00
Thiébaud Weksteen
091943f99d Merge "Ignore access to /sys for dumpstate" 2022-06-23 13:22:45 +00:00