Commit graph

48232 commits

Author SHA1 Message Date
Treehugger Robot
9bb8a3a971 Merge "Compatibility for vendor_hidraw_device" into main am: 1327971c7c am: a4ffe3b38d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3116384

Change-Id: I1e09ffd0459dc0bf97276b25370320c7760d8ce8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-11 10:50:31 +00:00
Treehugger Robot
a4ffe3b38d Merge "Compatibility for vendor_hidraw_device" into main am: 1327971c7c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3116384

Change-Id: I34fb224ac84cf888527ad166b9ebd6cf13b6c1dc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-11 10:34:00 +00:00
Treehugger Robot
1327971c7c Merge "Compatibility for vendor_hidraw_device" into main 2024-06-11 10:12:02 +00:00
Karuna Wadhera
69ca37c200 Merge "Untrack keystore SELinux denial on AVF RKP Hal" into main am: e357df7504 am: c91f365902
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3122031

Change-Id: Ie185c21765ed4a8086a33fd0775d7c2bbf0a8aa2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-10 19:46:49 +00:00
Karuna Wadhera
c91f365902 Merge "Untrack keystore SELinux denial on AVF RKP Hal" into main am: e357df7504
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3122031

Change-Id: Ic45ddce19ccc5d3ba42c7c7c4e40e3c883d81351
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-10 19:31:14 +00:00
Karuna Wadhera
e357df7504 Merge "Untrack keystore SELinux denial on AVF RKP Hal" into main 2024-06-10 19:06:35 +00:00
Zi Wang
d82f51dc1d Merge changes Ib9972bcd,I87d18451 into main am: f5f05c1f9f am: 2baa88a1b4
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3118318

Change-Id: I3cac14a251f6e62e61d88fc739fb02515098fa5d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-10 17:33:39 +00:00
Zi Wang
2baa88a1b4 Merge changes Ib9972bcd,I87d18451 into main am: f5f05c1f9f
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3118318

Change-Id: I39d4edc62894f10149fcc382058934d5d26f0681
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-10 16:53:54 +00:00
Zi Wang
f5f05c1f9f Merge changes Ib9972bcd,I87d18451 into main
* changes:
  Use OutputFilesProvider on certain module types
  Use OutputFilesProvider on certain module types
2024-06-10 16:33:43 +00:00
Karuna Wadhera
fb728ac3af Untrack keystore SELinux denial on AVF RKP Hal
With the dontaudit line in keystore.te commented out on an otherwise clean build, I was unable to see the SELinux denial on boot. So, it seems like this denial may not be occurring anymore and it’s safe to remove the dontaudit line.

Bug: 312427637
Test: manual
Change-Id: Ib8887f0593ea984e3c011b76a81b7bf99cff2a44
2024-06-10 14:32:19 +00:00
Alan Stokes
8a6bb3ef84 Compatibility for vendor_hidraw_device
Older vendor policy may apply the label vendor_hidraw_device to the
HID device.

From 202404 we use the new label hidraw_device for this.

Fix the compatibility rules to allow new system policy to work with
older vendor policy by adding specific compat logic.

Note that the original 34.0 system policy didn't mention hidraw_device
at all, so the more normal compatibility mechanisms don't really work.

Bug: 340923653
Test: Builds, boots, no new denials
Change-Id: I358118b217c82b5f8111f3e05d35aa16c464b941
2024-06-10 14:59:04 +01:00
Alice Wang
d1ea1ff475 Merge "Add system property to disable avf remote attestation" into main am: 97091293b7 am: 94148a33fe
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3117519

Change-Id: I5029668ac2293d8a270a2b5bed869836cc837cb8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-10 12:23:25 +00:00
Alice Wang
94148a33fe Merge "Add system property to disable avf remote attestation" into main am: 97091293b7
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3117519

Change-Id: Ia99358fe9e6c4dcacc2814c96268ec47f9884db9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-10 12:09:00 +00:00
Alice Wang
97091293b7 Merge "Add system property to disable avf remote attestation" into main 2024-06-10 11:31:52 +00:00
Alice Wang
3d9ce1a965 Add system property to disable avf remote attestation
Introduce a new system property
avf.remote_attestation.enabled to allow vendors
to disable the feature in vendor init.

Bug: 341598459
Test: enable/disable the feature and check VmAttestationTestApp
Change-Id: I809e4c62a8590822eef70093e33854ab79757835
2024-06-10 09:16:24 +00:00
Treehugger Robot
29adc9967c Merge "system_app.te: fix misleading comment" into main am: 104099ef21 am: e6618432f9
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3120251

Change-Id: Iea1ca65f32ea08665dd9c6d991601c69cd5373b5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-10 09:03:15 +00:00
Treehugger Robot
e6618432f9 Merge "system_app.te: fix misleading comment" into main am: 104099ef21
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3120251

Change-Id: Ia49f4b47e4d08da7195812dd01b7df456c7e9025
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-10 08:24:21 +00:00
Treehugger Robot
104099ef21 Merge "system_app.te: fix misleading comment" into main 2024-06-10 08:03:10 +00:00
Nick Kralevich
c8ac77735e system_app.te: fix misleading comment
A comment within system_app.te implies that system_apps can read/write
the /data/data directory (and all subdirectories). The comment is
misleading. Fix the comment.

Test: comment only change. No test needed
Change-Id: I51b95f8b55ac89730a866d2a829326b276b11824
2024-06-07 10:20:18 -07:00
Ellen Arteca
90474bb471 Merge "Modify permissions to move encryption policy assignment to vold_prepare_subdirs" into main am: c628579730 am: 949db99e7c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3095418

Change-Id: I2c856547883f86a7833d36b8e1deaf7e92ed175b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-06 23:51:14 +00:00
Ellen Arteca
949db99e7c Merge "Modify permissions to move encryption policy assignment to vold_prepare_subdirs" into main am: c628579730
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3095418

Change-Id: I0a019e1b6054825929fadd320036991e3979778c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-06 23:36:22 +00:00
Ellen Arteca
c628579730 Merge "Modify permissions to move encryption policy assignment to vold_prepare_subdirs" into main 2024-06-06 23:16:13 +00:00
mrziwang
dc268a72fb Use OutputFilesProvider on certain module types
se_build_files, se_cil_compat_map and sepolicy_vers will be using
OutputFilesProvider for output files inter-module-communication.

Test: CI
Bug: 339477385
Change-Id: Ib9972bcdea4850508cb9070903af53973bff9f66
2024-06-06 14:42:10 -07:00
Steven Moreland
5db4cf2605 more vm socket isolation am: 378ed74529 am: 57061954d2
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3114226

Change-Id: If484cab984486b6c884d0ce53a8b460cdcd009e1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-06 19:06:28 +00:00
Steven Moreland
57061954d2 more vm socket isolation am: 378ed74529
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3114226

Change-Id: Ib8605365b1823611b41183bdfc548c6abc913ec8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-06 18:47:07 +00:00
mrziwang
cb3f550b59 Use OutputFilesProvider on certain module types
The module types below no longer implement OutputFileProducer, but
use OutputFilesProvider for output files inter-module-communication.

se_policy_conf
se_policy_cil
se_policy_binary
se_compat_cil
se_versioned_policy

Test: CI
Bug: 339477385
Change-Id: I87d1845162f91065acd7d2f6c27fd7583cc8b5e0
2024-06-06 10:49:47 -07:00
Ellen Arteca
aa898dc541 Modify permissions to move encryption policy assignment to vold_prepare_subdirs
We have moved the encryption policy assignment from vold to
vold_prepare_subdirs. This CL removes some permissions from vold
over storage areas that are no longer needed due to this change,
and adds some permissions to vold_prepare_subdirs.

Bug: 325129836
Test: atest StorageAreaTest
Change-Id: Ief2a8021ed3524018d001e20eae60f712f485d81
2024-06-06 17:48:43 +00:00
Steven Moreland
378ed74529 more vm socket isolation
Bugs: me
Test: build
Change-Id: Ie34ac041f1234891043098a4decf05ec7a9e6761
2024-06-05 23:45:44 +00:00
Dennis Shen
01574fa210 Merge "selinux: allow everybody to read flags from RO flag storage file" into main am: 0467d14618 am: 1f2eea0c7a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3112421

Change-Id: Ifd062c82caa79b9a71268bfffbf33d99b9d6b915
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-04 17:37:11 +00:00
Dennis Shen
1f2eea0c7a Merge "selinux: allow everybody to read flags from RO flag storage file" into main am: 0467d14618
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3112421

Change-Id: I948458b771e030fb4b7ef31f5a5c38a854f7db2f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-04 17:22:58 +00:00
Dennis Shen
0467d14618 Merge "selinux: allow everybody to read flags from RO flag storage file" into main 2024-06-04 17:11:18 +00:00
Dennis Shen
33bc92dab5 selinux: allow everybody to read flags from RO flag storage file
Bug: b/312459182
Test: m and avd
Change-Id: Ie5ce92b299ce2434256c9f963865b9d626b400fa
2024-06-04 15:02:56 +00:00
Treehugger Robot
91154f4719 Merge "Allow dexopt_chroot_setup to mount/unmount debugfs." into main am: c6a554f200 am: 23ce6a536b
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3111559

Change-Id: I8634bc117809192e33ca9f69db66b171c7dc5183
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-04 14:35:26 +00:00
Treehugger Robot
23ce6a536b Merge "Allow dexopt_chroot_setup to mount/unmount debugfs." into main am: c6a554f200
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3111559

Change-Id: I130c9ac4848eda54b134faef7f49676017dd9b47
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-04 14:20:41 +00:00
Treehugger Robot
c6a554f200 Merge "Allow dexopt_chroot_setup to mount/unmount debugfs." into main 2024-06-04 13:54:51 +00:00
Treehugger Robot
c91caadd2c Merge "Allow dexopt_chroot_setup to bind-mount dirs for incremental apps." into main am: 8d9a89ed9e am: e0a8a9fa19
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3111602

Change-Id: I6affce30b2b5e137d121e1c2c5a8a4305494bdaf
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-04 13:20:20 +00:00
Treehugger Robot
e0a8a9fa19 Merge "Allow dexopt_chroot_setup to bind-mount dirs for incremental apps." into main am: 8d9a89ed9e
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3111602

Change-Id: I7be81be6650996bf85b9c6bc77368f0b7521353e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-04 13:05:30 +00:00
Jiakai Zhang
413f44d5c4 Allow dexopt_chroot_setup to mount/unmount debugfs.
Some old devices use debugfs for /sys/kernel/debug.

Bug: 311377497
Change-Id: Ib9958b5cfdd85c37acd27ff6e637efdbd2a068e3
Test: adb shell pm art pr-dexopt-job --test
2024-06-04 12:54:25 +00:00
Treehugger Robot
8d9a89ed9e Merge "Allow dexopt_chroot_setup to bind-mount dirs for incremental apps." into main 2024-06-04 12:48:49 +00:00
Treehugger Robot
80d78ae979 Merge "testNoBugreportDenials fix on user" into main am: 8ebc2aa055 am: 28b66e2893
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3111766

Change-Id: I3e29af5398bff8c12422bbe8b289b127b5d034c5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-04 01:32:46 +00:00
Treehugger Robot
28b66e2893 Merge "testNoBugreportDenials fix on user" into main am: 8ebc2aa055
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3111766

Change-Id: Iaf7772fc912f0a247ac835e32d6eb76deae7a3f5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-04 01:24:39 +00:00
Jooyung Han
b103d9dfe0 Merge "installd renames dirs in /data/app-staging" into main am: 672143fa6a am: 9a441ba91c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3111259

Change-Id: Ied1053d8182aecfc4562ea917294437ca3d46fc2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-04 01:24:04 +00:00
Treehugger Robot
8ebc2aa055 Merge "testNoBugreportDenials fix on user" into main 2024-06-04 01:20:02 +00:00
Jooyung Han
9a441ba91c Merge "installd renames dirs in /data/app-staging" into main am: 672143fa6a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3111259

Change-Id: I8ec24a3754acfac90b6a417ca6c768c0f8678f18
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-04 01:15:59 +00:00
Jooyung Han
672143fa6a Merge "installd renames dirs in /data/app-staging" into main 2024-06-04 01:12:49 +00:00
Jiakai Zhang
0a49ac3dbd Allow dexopt_chroot_setup to bind-mount dirs for incremental apps.
Bug: 311377497
Test: adb shell pm art pr-dexopt-job --test
Change-Id: I8da90876191eadfea77d34c7441d0e4bdb377d31
2024-06-03 20:43:25 +01:00
Daniel Zheng
037108359f Merge "add sepolicy for low mem device configurations" into main am: 2f4324ac5d am: 41c63c394f
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3096261

Change-Id: I254d7217ee0aa6c3780d639296872b462590841f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-03 19:33:32 +00:00
Steven Moreland
496f08d378 testNoBugreportDenials fix on user
Bug: 343635916
Test: N/A
Change-Id: I2f73cc8429f87e9b7ada8e7c9a3fabcc9eb3d7ee
2024-06-03 19:30:04 +00:00
Daniel Zheng
41c63c394f Merge "add sepolicy for low mem device configurations" into main am: 2f4324ac5d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3096261

Change-Id: Ie2500bdc8247253f539df4e1a312bb0842af3d0a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-03 19:26:53 +00:00
Daniel Zheng
2f4324ac5d Merge "add sepolicy for low mem device configurations" into main 2024-06-03 19:17:52 +00:00