Commit graph

880 commits

Author SHA1 Message Date
Akilesh Kailash
fc9647264a Merge "Suppress permissive audit messages post OTA reboot" am: 9f7ab3c0cf
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2166090

Change-Id: I476e1687df7cbb231bd69d8d8ca8125cf82b3cca
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-10-11 21:27:48 +00:00
Akilesh Kailash
1044702704 Suppress permissive audit messages post OTA reboot
For post-OTA boot, we run a userspace block device daemon to mount /system.
However, if we let the daemon run while loading sepolicy, it would spam permissive audits.
Since sepolicy is still not enforced yet, we can suppress these
audit messages.

Bug: 240321741
Test: Full OTA on pixel
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I0af484f95b6a1deb41498d67de82afd3c6bb29b6
2022-10-10 21:58:41 +00:00
Xin Li
a563c2c4f4 Merge tm-qpr-dev-plus-aosp-without-vendor@9129937
Bug: 248070379
Merged-In: I7e89cfb4fb8a1ce845eaea64a33dbaad6bff9969
Change-Id: I5279b8730d4d19cd1f0ec9c4b107030e4e41b36a
2022-10-06 12:03:38 -07:00
Pete Bentley
96268c6622 Update sepolicy prebuilts for PRNG seeder changes.
Bug: 243933553
Test: m sepolicy_freeze_test
Change-Id: Idc011c66dfe71aa6c8dfdbc0b0377d2957571b83
2022-10-04 14:29:12 +01:00
Sophie Zheng
abc474594b Merge "Update prebuilts to fix sepolicy_freeze_test" into android12L-tests-dev am: a31ea3eb0c am: 3c91a33774 am: 4a8cf4e8df am: 34e786791c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2208095

Change-Id: I3e8461a08ef5b86ef9053849a638a9f7755021e8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-09-08 02:19:06 +00:00
Sophie Zheng
34e786791c Merge "Update prebuilts to fix sepolicy_freeze_test" into android12L-tests-dev am: a31ea3eb0c am: 3c91a33774 am: 4a8cf4e8df
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2208095

Change-Id: Ica46641f62037a01dc3e36042f5aaebee0e737b6
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-09-08 01:46:23 +00:00
Sophie Zheng
3c91a33774 Merge "Update prebuilts to fix sepolicy_freeze_test" into android12L-tests-dev am: a31ea3eb0c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2208095

Change-Id: I02d49c1617ec086df8817dbe3c144e9f1d6c1269
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-09-08 00:31:17 +00:00
Sophie Zheng
a31ea3eb0c Merge "Update prebuilts to fix sepolicy_freeze_test" into android12L-tests-dev 2022-09-08 00:14:55 +00:00
sophiez
db3507dffc Update prebuilts to fix sepolicy_freeze_test
Bug: 243820875
Test: refactoring CL. Existing unit tests still pass.

Change-Id: I516aed92ad1c7cb4de796844402b3456dc625f94
2022-09-06 18:08:31 +00:00
Florian Mayer
ee660b4a69 Update prebuilts to fix sepolicy_freeze_test am: f99eeb6bd9 am: 87337a27b5 am: d15dedd668 am: c3780e81c6
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2201137

Change-Id: Idd5fc1eed208a4ae5bd44404cedb37bde262861b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-09-01 01:02:53 +00:00
Florian Mayer
c3780e81c6 Update prebuilts to fix sepolicy_freeze_test am: f99eeb6bd9 am: 87337a27b5 am: d15dedd668
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2201137

Change-Id: I47880f4d23f3a3ab5f11c307bb8dcfd2abd9ffa6
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-09-01 00:09:51 +00:00
Florian Mayer
87337a27b5 Update prebuilts to fix sepolicy_freeze_test am: f99eeb6bd9
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2201137

Change-Id: I42b988dfdb0cf41f7851d1b7793a72073fe6006c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-08-31 23:10:47 +00:00
Florian Mayer
f99eeb6bd9 Update prebuilts to fix sepolicy_freeze_test
Bug: 243820875
Change-Id: I99c09ff00c1b47e9bc4e8175c9b3e34c7851d25d
2022-08-30 13:18:45 -07:00
Richard Chang
10cc361403 Merge "sepolicy: allow vendor system native boot experiments property" am: 6d5bb236da am: 3d45f3fd2f am: 87a84115df
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2183135

Change-Id: I265b7072089cbcb9c364041697160603fb56ee55
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-08-17 07:43:49 +00:00
Richard Chang
87a84115df Merge "sepolicy: allow vendor system native boot experiments property" am: 6d5bb236da am: 3d45f3fd2f
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2183135

Change-Id: I6b145993e76f79042da49d9ae8a9254ba3576856
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-08-17 07:24:34 +00:00
Richard Chang
6d5bb236da Merge "sepolicy: allow vendor system native boot experiments property" 2022-08-17 06:29:30 +00:00
Richard Chang
74334efa4b sepolicy: allow vendor system native boot experiments property
Grant system_server and flags_health_check permission to set the
properties that correspond to vendor system native boot experiments.

Bug: 241730607
Test: Build
Merged-In: Idc2334534c2d42a625b451cfce488d7d7a651036
Change-Id: I3e98f1b05058245cad345061d801ecd8de623109
2022-08-11 08:03:42 +00:00
Treehugger Robot
a79cfaeb4d Merge "Add API level 33 persistent GWP-ASan Sysprop" am: 1d538e9b22 am: 0930d82c76 am: 5e00816491
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2147179

Change-Id: I6086a1574ecae94a6c809b76d95eec57d8d0144a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-08-03 06:30:11 +00:00
Treehugger Robot
5e00816491 Merge "Add API level 33 persistent GWP-ASan Sysprop" am: 1d538e9b22 am: 0930d82c76
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2147179

Change-Id: I698bf3ff8ac4f913777c4a820a377ac9752cac0f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-08-03 05:39:12 +00:00
Treehugger Robot
0930d82c76 Merge "Add API level 33 persistent GWP-ASan Sysprop" am: 1d538e9b22
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2147179

Change-Id: Iff91be573efa4b3b37a2256a334daa66018f35d0
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-08-03 05:11:02 +00:00
Treehugger Robot
1d538e9b22 Merge "Add API level 33 persistent GWP-ASan Sysprop" 2022-08-03 04:41:57 +00:00
Siarhei Vishniakou
a4fb5a7890 Allow system_server to signal InputProcessor HAL am: a445318b8f
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/19283101

Change-Id: I4cace6896b99170a07b7bb07f414aa4844f68833
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-14 19:37:52 +00:00
Siarhei Vishniakou
a445318b8f Allow system_server to signal InputProcessor HAL
This is needed for Watchdog to be able to dump InputProcessor HAL.
Watchdog can be triggered locally for testing by patching
InputDispatcher.cpp:

 void InputDispatcher::monitor() {
     // Acquire and release the lock to ensure that the dispatcher has not deadlocked.
     std::unique_lock _l(mLock);
+    std::this_thread::sleep_for(std::chrono::minutes(40));
     mLooper->wake();
     mDispatcherIsAlive.wait(_l);
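
Review bot: the `std::this_thread::sleep_for(std::chrono::minutes(40))` added on the `+` line runs while `_l` still holds `mLock`, so the stall covers anything else waiting on that lock, not only `monitor()`. That suits a local Watchdog trigger, but it is worth stating next to the snippet that it must stay out of the submitted change, and that `<chrono>` and `<thread>` need to be included if the file does not already pull them in.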

Ignore-AOSP-First: under review in aosp/2152242

Bug: 237322365
Test: adb bugreport (after triggering watchdog)
Change-Id: I746df8be4faaef2a67293d6b1c0cde5fa7810de6
2022-07-13 22:04:41 +00:00
Xin Li
e4d55178d5 DO NOT MERGE - Merge TP1A.220624.013
Merged-In: Ibb00b7c470a4cb148cfdcfb6b147edde45e49b1a
Change-Id: Id8badc87768f66197ccaf2642f34fb2dc69e23df
2022-07-11 21:47:46 -07:00
Siarhei Vishniakou
a50b672979 Allow dumpstate to get traces in api 33.0 am: 1579b37a19
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2147164

Change-Id: I04ac37c45b645ef51d0b04f321de743db932f3cb
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-08 16:05:54 +00:00
Siarhei Vishniakou
1579b37a19 Allow dumpstate to get traces in api 33.0
In order to debug the HAL getting stuck, dumpstate needs permission to
dump its traces. In this CL, we update the api 33.0 accordingly.

Bug: 237347585
Bug: 237322365
Test: m sepolicy_freeze_test
Change-Id: I5096f52358880e3c10657e5aae9ead1723cc9fa9
Merged-In: I5096f52358880e3c10657e5aae9ead1723cc9fa9
2022-07-08 06:55:44 +00:00
Jeff Vander Stoep
e1189a7aa7 Allow all Apps to Recv UDP Sockets from SystemServer
Access to this functionality is gated elsewhere e.g. by
allowing/disallowing access to the service.

Bug: 237512474
Test: IpSecManagerTest
Test: Manual with GMSCore + PPN library
Ignore-AOSP-First: It's a CP of aosp/2143512
Change-Id: Ibb00b7c470a4cb148cfdcfb6b147edde45e49b1a
(cherry picked from commit 6ae09a4609)
Merged-In: Ibb00b7c470a4cb148cfdcfb6b147edde45e49b1a
2022-07-08 00:19:26 +00:00
Rubin Xu
0b1c137ee5 Merge "Allow all Apps to Recv UDP Sockets from SystemServer" into tm-dev am: 8fc9b04967
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/19149566

Change-Id: I2f3629ae4456919e295c20ca1896501121b1d012
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-07 21:21:22 +00:00
Rubin Xu
8fc9b04967 Merge "Allow all Apps to Recv UDP Sockets from SystemServer" into tm-dev 2022-07-07 21:00:53 +00:00
Treehugger Robot
163fb597fd Merge "crash_dump: Update prebuilts for API 33" am: 355ecc995e
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2145179

Change-Id: I916144a02848d952d70b6fd25889c4d5ff48084b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-07 16:47:36 +00:00
Treehugger Robot
355ecc995e Merge "crash_dump: Update prebuilts for API 33" 2022-07-07 16:33:48 +00:00
Siarhei Vishniakou
c2d9ef9725 Allow dumpstate to get traces in api 33.0 am: 36f28f9de8
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/19204839

Change-Id: Ib14492671e68e45bcb1ac055d71c654de4c040a4
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-07 15:42:33 +00:00
TreeHugger Robot
a90cda370b Merge changes from topic "cherrypicker-L08700000955388658:N69000001277965825" into tm-d1-dev
* changes:
  Allow dumpstate to get InputProcessor traces
  Allow dumpstate to get traces in api 33.0
2022-07-07 15:18:39 +00:00
David Brazdil
707cad8692 crash_dump: Update prebuilts for API 33
Bug: 236672526
Test: n/a
Merged-In: I49571dcfdd9c194101cc929772fa15463609fa8c
Change-Id: I49571dcfdd9c194101cc929772fa15463609fa8c
2022-07-07 15:17:20 +00:00
David Brazdil
6f1ddc0653 crash_dump: Update prebuilts for API 33 am: 49465870fa
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/19200797

Change-Id: I6cde1f4f5a28d8c048acaab1901b985d09f74178
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-07 12:51:17 +00:00
David Brazdil
49465870fa crash_dump: Update prebuilts for API 33
Bug: 236672526
Test: n/a
Ignore-AOSP-First: Will update AOSP after this has landed.
Change-Id: I49571dcfdd9c194101cc929772fa15463609fa8c
2022-07-07 09:11:40 +00:00
Siarhei Vishniakou
36f28f9de8 Allow dumpstate to get traces in api 33.0
In order to debug the HAL getting stuck, dumpstate needs permission to
dump its traces. In this CL, we update the api 33.0 accordingly.

Ignore-AOSP-First: under review in aosp/2147164

Bug: 237347585
Bug: 237322365
Test: m sepolicy_freeze_test
Change-Id: I5096f52358880e3c10657e5aae9ead1723cc9fa9
2022-07-07 06:05:18 +00:00
Ryan Savitski
e1c2d9941e Revert system app/process profileability on user builds
Please see bug for context.

This reverts commits:
* 6111f0cfc8
* bb197bba02
* 20d0aca7e6

And updates prebuilts/api/33.0 accordingly.

Bug: 217368496
Tested: redfin-user and barbet-userdebug: build+flash+boot;
        manual test of typical profiling (heap and perf);
        atest CtsPerfettoTestCases.
Change-Id: If7fcf3d5a2fdb1a48dcaf8ef8f97e8375d461e61
Merged-In: If7fcf3d5a2fdb1a48dcaf8ef8f97e8375d461e61
(cherry picked from commit babba5e83b)
(cherry picked from commit c592577fb2)
Merged-In: If7fcf3d5a2fdb1a48dcaf8ef8f97e8375d461e61
2022-07-07 03:05:00 +00:00
Thiébaud Weksteen
a089864e82 Ignore access to /sys for dumpstate
avc: denied { read } for name="stat" dev="sysfs" ino=26442
scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file
permissive=0

Bug: 236566714
Test: TH
Change-Id: Id4e781908573607b28782fbb2da7cd553d6826fe
(cherry picked from commit 5e8a384f5a)
Merged-In: Id4e781908573607b28782fbb2da7cd553d6826fe
(cherry picked from commit 2e23fa2c99)
Merged-In: Id4e781908573607b28782fbb2da7cd553d6826fe
2022-07-07 03:04:54 +00:00
Mitch Phillips
064be20ec5 Add API level 33 persistent GWP-ASan Sysprop
Looks like this is needed for TM.

Bug: 236738714
Test: atest bionic-unit-tests && presubmit ag/19136924 PS#3
Change-Id: Ida26db898f2edaddce67ae13a5859115126a18cb
2022-07-06 16:21:52 +00:00
Ryan Savitski
c592577fb2 Revert system app/process profileability on user builds
Please see bug for context.

This reverts commits:
* 6111f0cfc8
* bb197bba02
* 20d0aca7e6

And updates prebuilts/api/33.0 accordingly.

Bug: 217368496
Tested: redfin-user and barbet-userdebug: build+flash+boot;
        manual test of typical profiling (heap and perf);
        atest CtsPerfettoTestCases.
Change-Id: If7fcf3d5a2fdb1a48dcaf8ef8f97e8375d461e61
Merged-In: If7fcf3d5a2fdb1a48dcaf8ef8f97e8375d461e61
(cherry picked from commit babba5e83b)
2022-07-06 13:24:53 +00:00
Treehugger Robot
dbd0da73ba Merge "Revert system app/process profileability on user builds" am: 829acbee3a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2142152

Change-Id: Idf3f36723d703f55141b97aaa0605194283d723e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-04 15:56:18 +00:00
Treehugger Robot
829acbee3a Merge "Revert system app/process profileability on user builds" 2022-07-04 15:41:08 +00:00
Treehugger Robot
06f721e8de Merge "Allow all Apps to Recv UDP Sockets from SystemServer" am: c37a39c26d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2143512

Change-Id: I214835a158c7851bb5971fe0fcf90cb1d8fb7fc2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-04 08:30:12 +00:00
Thiébaud Weksteen
2e23fa2c99 Ignore access to /sys for dumpstate
avc: denied { read } for name="stat" dev="sysfs" ino=26442
scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file
permissive=0

Bug: 236566714
Test: TH
Change-Id: Id4e781908573607b28782fbb2da7cd553d6826fe
(cherry picked from commit 5e8a384f5a)
Merged-In: Id4e781908573607b28782fbb2da7cd553d6826fe
2022-07-04 11:24:42 +10:00
Ryan Savitski
babba5e83b Revert system app/process profileability on user builds
Please see bug for context.

This reverts commits:
* 6111f0cfc8
* bb197bba02
* 20d0aca7e6

And updates prebuilts/api/33.0 accordingly.

Bug: 217368496
Tested: builds successfully (barbet-userdebug)
Change-Id: If7fcf3d5a2fdb1a48dcaf8ef8f97e8375d461e61
2022-07-01 12:41:01 +00:00
Jeff Vander Stoep
6ae09a4609 Allow all Apps to Recv UDP Sockets from SystemServer
Access to this functionality is gated elsewhere e.g. by
allowing/disallowing access to the service.

Bug: 237512474
Test: IpSecManagerTest
Test: Manual with GMSCore + PPN library
Ignore-AOSP-First: It's a CP of aosp/2143512
Change-Id: Ibb00b7c470a4cb148cfdcfb6b147edde45e49b1a
2022-07-01 12:43:16 +01:00
Jeff Vander Stoep
7295721417 Allow all Apps to Recv UDP Sockets from SystemServer
Access to this functionality is gated elsewhere e.g. by
allowing/disallowing access to the service.

Bug: 237512474
Test: IpSecManagerTest
Test: Manual with GMSCore + PPN library
Change-Id: Ibb00b7c470a4cb148cfdcfb6b147edde45e49b1a
2022-07-01 12:41:28 +01:00
Maciej Żenczykowski
5c8461a277 much more fine-grained bpf selinux privs for networking mainline am: 15715aea32
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/19039305

Change-Id: I0a8443a02956251a9d5da3bd582f711d0999fd08
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-06-23 11:15:50 +00:00
Treehugger Robot
18d8be2994 Merge changes I036e4853,I55e03a3c,Ic98c6fc6 am: 0235cbf4b9 am: 1999548d9d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2134419

Change-Id: I2b2f1ca424a44bad40b7748e429db57bfd1f9af1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-06-23 02:19:26 +00:00