Suren Baghdasaryan
6988677f22
Allow init to execute extra_free_kbytes.sh script
...
extra_free_kbytes.sh is used by init to set /sys/vm/watermark_scale_factor
value. Allow init to execute extra_free_kbytes.sh and the script to access
/proc/sys/vm/watermark_scale_factor and /proc/sys/vm/extra_free_kbytes
files.
Bug: 109664768
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I55ec07e12a1cc5322cfdd4a48d0bdc607f45d832
2021-08-17 17:02:38 +00:00
Keun young Park
d577958598
allow installd to kill dex2oat and dexoptanalyzer
...
Bug: 179094324
Bug: 156537504
Test: confirm that installd killing those processes are not bringing
selinux violation
Change-Id: Icac3f5acc3d4d398bbe1431bb02140f3fe9cdc45
2021-08-17 09:48:47 -07:00
Rick Yiu
6ea5f2d083
Merge "Move mediaprovider_app to common code" am: 16c9c6a557
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1794168
Change-Id: I5f2b05279f469a609f851cd288b8d088f227f7b0
2021-08-17 08:08:17 +00:00
Rick Yiu
16c9c6a557
Merge "Move mediaprovider_app to common code"
2021-08-17 07:55:03 +00:00
Treehugger Robot
356c5bca06
Merge "Remove obsolete file contexts" am: 49b13bc0f3
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1793090
Change-Id: I3c984521d1ee12d08ff36c8cafccb4b15a680e36
2021-08-17 01:27:29 +00:00
Treehugger Robot
49b13bc0f3
Merge "Remove obsolete file contexts"
2021-08-17 01:15:29 +00:00
Eric Biggers
8b2b951349
Restore permission for shell to list /sys/class/block
...
As a side effect, commit ec50aa5180 ("Allow the init and apexd
processes to read all block device properties") removed permission for
the shell context to list the /sys/class/block directory. There is a
CTS test that relies on this (CtsNativeEncryptionTestCases), so grant
permission to do this again.
Bug: 196521739
Bug: 194450129
Test: Before this change, 'adb shell ls /sys/class/block' fails.
After this change, 'adb shell ls /sys/class/block' succeeds.
Change-Id: I87cb90880f927db1385887b35c84f4dd7f95021b
2021-08-16 10:54:44 -07:00
Bart Van Assche
fdb7f7d542
Merge "Add the 'bdev_type' attribute to all block devices" am: 4dcefe8898
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1795967
Change-Id: Iecc21a8a310f7abdcb18c1f2292cf22ab703dd8c
2021-08-16 16:51:20 +00:00
Bart Van Assche
4dcefe8898
Merge "Add the 'bdev_type' attribute to all block devices"
2021-08-16 16:39:24 +00:00
Victor Hsieh
d229485710
Allow compos to getattr on authfs am: 5f6e4324b3
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1795971
Change-Id: I0aa12633add712e15acf9b3de0cf8b1fb0248653
2021-08-16 16:14:41 +00:00
Xin Li
c62d3d8e87
Merge sc-dev-plus-aosp-without-vendor@7634622
...
Merged-In: Iecfff03962c7c06c87fe4ec630fedb881dfa007f
Change-Id: Ic495f086991eeee833c10d90be0b2b2a9b2da7c0
2021-08-14 06:31:08 +00:00
Victor Hsieh
5f6e4324b3
Allow compos to getattr on authfs
...
Bug: 161471326
Bug: 196635431
Test: ComposTestCase
Change-Id: I3a4073726d31686c8eb945ba9417cb2afe238d79
2021-08-13 15:48:21 -07:00
Bart Van Assche
27ecd60a79
Add the 'bdev_type' attribute to all block devices
...
The following patch iterates over all block devices:
https://android-review.googlesource.com/c/platform/system/core/+/1783847/9
The following patch grants 'init' and 'apexd' permission to iterate over
all block devices:
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1783947
The above SELinux policy change requires to add the 'bdev_type'
attribute to all block devices. Hence this patch.
Bug: 194450129
Test: Untested.
Change-Id: I959bae6f9590b1867905d46e194c45b0ea4248df
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-08-13 13:54:02 -07:00
Victor Hsieh
9ef8696796
Remove obsolete file contexts
...
Bug: 194474784
Test: can't find "compos_key_main" and "compsvc_worker" in code search
Change-Id: If0959f180f54f798ecd90a12ce71f0570cf14484
2021-08-13 15:03:23 +00:00
Treehugger Robot
79ceed2b7f
Merge "Add MicrodroidHostTestCases to TEST_MAPPING" am: 2cc457c4fb
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1795387
Change-Id: Iad11d57f83984e3d2b270d9cc1adfea1e0a890c2
2021-08-13 04:48:06 +00:00
Treehugger Robot
2cc457c4fb
Merge "Add MicrodroidHostTestCases to TEST_MAPPING"
2021-08-13 04:33:16 +00:00
Inseob Kim
5bc8cb0f5c
Add MicrodroidHostTestCases to TEST_MAPPING
...
Test: presubmit
Change-Id: I9cd6f575f0d7c9764103d09a44a128290bbaf973
2021-08-13 01:19:27 +00:00
Andrew Walbran
9c267b8a5c
Merge "crosvm now takes all files by FD." am: 21d1710c32
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1787994
Change-Id: I2e576cfb95f0fef252695e19d9d0e1140d450f27
2021-08-12 16:37:00 +00:00
Andrew Walbran
21d1710c32
Merge "crosvm now takes all files by FD."
2021-08-12 16:25:50 +00:00
Treehugger Robot
fbf76a07ba
Merge "Define sepolicy for compos and dex2oat" am: 1ca4b5c045
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1793089
Change-Id: Ic63d6b614770a9d28c2fc15cb6c3de8db34959d2
2021-08-12 14:42:55 +00:00
Treehugger Robot
5ba830752b
Merge "Grant authfs_service and authfs CAP_SYS_ADMIN" am: 92d6a4b271
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1793088
Change-Id: I92225e1afd05c5cca9610edc58160d265a8d95f7
2021-08-12 14:42:53 +00:00
Treehugger Robot
1ca4b5c045
Merge "Define sepolicy for compos and dex2oat"
2021-08-12 14:27:09 +00:00
Treehugger Robot
92d6a4b271
Merge "Grant authfs_service and authfs CAP_SYS_ADMIN"
2021-08-12 14:27:09 +00:00
Rick Yiu
bc2fe2d944
Move mediaprovider_app to common code
...
The policy under device folder will be removed for GSI, so move the
policy to common code.
Bug: 196326750
Test: build pass
Change-Id: I9544db1771ba7b94a98913bf892386f95cf919be
2021-08-12 17:04:30 +08:00
Shawn Willden
4b10dac4fc
[automerger skipped] Merge "Revert "Allow vold to deleteAllKeys in Keystore"" into sc-dev am: 9de6c0e94c -s ours
...
am skip reason: Merged-In I2fb0e94db9d35c1f19ca7acb2f541cfb13c23524 with SHA-1 bf29c3a2dc is already in history. Merged-In was found from reverted change.
Reverted change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/15521094
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/15536475
Change-Id: Iecfff03962c7c06c87fe4ec630fedb881dfa007f
2021-08-12 01:31:31 +00:00
Shawn Willden
9de6c0e94c
Merge "Revert "Allow vold to deleteAllKeys in Keystore"" into sc-dev
2021-08-12 01:17:13 +00:00
Android Build Coastguard Worker
4fc2a76b7e
Snap for 7633965 from c0cae7496e to sc-release
...
Change-Id: I32d5f01284c3622f9528d49cbee88049cb9e2a7f
2021-08-12 01:10:17 +00:00
Shawn Willden
4b8112473d
Revert "Allow vold to deleteAllKeys in Keystore"
...
Revert submission 15521094-vold-deleteAllKeys
Reason for revert: Causes infinite loop in Trusty KeyMint
Reverted Changes:
I9c5c54714:Detect factory reset and deleteAllKeys
I2fb0e94db:Allow vold to deleteAllKeys in Keystore
Id23f25c69:Add deleteAllKeys to IKeystoreMaintenance
Ife779307d:Enable deleteAllKeys from vold
I4312b9a11:Enable deleteAllKeys from vold
Bug: 187105270
Change-Id: I1ed68dd9ee9a6f14152307d610af0b16dd3219ac
2021-08-12 01:08:37 +00:00
Paul Crowley
e051412aa2
[automerger skipped] Merge "Allow vold to deleteAllKeys in Keystore" into sc-dev am: c0cae7496e -s ours
...
am skip reason: Merged-In I2fb0e94db9d35c1f19ca7acb2f541cfb13c23524 with SHA-1 bf29c3a2dc is already in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/15521094
Change-Id: If49495f579284de0faa3db309cf5ee42201844d8
2021-08-11 22:00:38 +00:00
Paul Crowley
c0cae7496e
Merge "Allow vold to deleteAllKeys in Keystore" into sc-dev
2021-08-11 21:41:17 +00:00
Paul Crowley
cb00759831
Merge "Allow vold to deleteAllKeys in Keystore" am: d46569c261 am: 66b0b41923
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1789529
Change-Id: I03d240d980763f3a84971f185f207204bac2602d
2021-08-11 18:13:25 +00:00
Paul Crowley
66b0b41923
Merge "Allow vold to deleteAllKeys in Keystore" am: d46569c261
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1789529
Change-Id: Ic84e3e702be8f7930a5a8000670cad97aba00265
2021-08-11 17:52:00 +00:00
Victor Hsieh
aa987aaa2d
Define sepolicy for compos and dex2oat
...
Bug: 194474784
Test: ComposTestCase # with debug disabled
Change-Id: I2a53df337356fc8e299837358da2a5a88c9c20d3
2021-08-11 10:42:19 -07:00
Paul Crowley
d46569c261
Merge "Allow vold to deleteAllKeys in Keystore"
2021-08-11 17:39:55 +00:00
Paul Crowley
4a664e8d5d
Allow vold to deleteAllKeys in Keystore
...
Add deleteAllKeys to IKeystoreMaintenance and allow vold to call it.
Allow vold to read the property
`ro.crypto.metadata_init_delete_all_keys.enabled`
Bug: 187105270
Test: booted twice on Cuttlefish
Ignore-AOSP-First: no merge path to this branch from AOSP.
Merged-In: I2fb0e94db9d35c1f19ca7acb2f541cfb13c23524
Change-Id: I2fb0e94db9d35c1f19ca7acb2f541cfb13c23524
2021-08-11 10:16:28 -07:00
Bart Van Assche
8aecb6aa91
[automerger skipped] Allow the init and apexd processes to read all block device properties am: db5e6c2424 -s ours
...
am skip reason: Merged-In Icb62449fe0d21b3790198768a2bb8e808c7b968e with SHA-1 ec50aa5180 is already in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/15515665
Change-Id: I84036326da850aff4d3aedb78eeeee86a914ccdd
2021-08-11 17:09:11 +00:00
Bart Van Assche
a43ec1646f
[automerger skipped] init.te: Allow init to modify the properties of loop devices am: 052995e65e -s ours
...
am skip reason: Merged-In I0af0a92c53bb1f68b57f6814c431a7f03d8ea967 with SHA-1 9059e215dc is already in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/15515664
Change-Id: Id426d3b3fdf669f3815a9f0d4c9b3e8d1ae49dbd
2021-08-11 17:09:06 +00:00
Victor Hsieh
5f7c02328c
Grant authfs_service and authfs CAP_SYS_ADMIN
...
CAP_SYS_ADMIN is required to mount a filesystem (currently in authfs, a
child process of authfs_service). It seems the parent also needs to be
allowed.
Bug: 194474784
Test: Use the service (from compsvc), no longer seeing the denials
Change-Id: I122734ee9f11899af4d7b647bc3049e4dbdad09e
2021-08-11 15:48:14 +00:00
Treehugger Robot
866963a32d
Merge "sepolicy: Add supporting for property name with phone id" am: d456d11251 am: ed9f1e9225
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1790287
Change-Id: I9651f6973b09d4b8d15838c303def18bc51170bd
2021-08-11 09:26:02 +00:00
Treehugger Robot
ed9f1e9225
Merge "sepolicy: Add supporting for property name with phone id" am: d456d11251
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1790287
Change-Id: I38fb169796b0be2cc3b45d49ae2f2755154dc936
2021-08-11 09:12:47 +00:00
Treehugger Robot
d456d11251
Merge "sepolicy: Add supporting for property name with phone id"
2021-08-11 09:03:40 +00:00
EdenSu
8d82a8f10b
sepolicy: Add supporting for property name with phone id
...
Add debug property name with phone id.
Bug: 194281028
Test: Build and verified there is no avc denied in the log
Change-Id: Ia7ca93a3390b2f59e894ca7ebce4cae9c0f83d28
2021-08-11 13:57:54 +08:00
Paul Crowley
bf29c3a2dc
Allow vold to deleteAllKeys in Keystore
...
Add deleteAllKeys to IKeystoreMaintenance and allow vold to call it.
Allow vold to read the property
`ro.crypto.metadata_init_delete_all_keys.enabled`
Bug: 187105270
Test: booted twice on Cuttlefish
Change-Id: I2fb0e94db9d35c1f19ca7acb2f541cfb13c23524
2021-08-10 21:51:09 -07:00
Arthur Ishiguro
cfa6d86d50
Context Hub stable AIDL sepolicy am: e1ced2f4d8 am: 779c996ebd
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1792668
Change-Id: Icdfb36f33e59953f6f13eb9901803ff61d2d4c90
2021-08-11 03:28:18 +00:00
Arthur Ishiguro
779c996ebd
Context Hub stable AIDL sepolicy am: e1ced2f4d8
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1792668
Change-Id: Icfbad01e3e47cadc0d4e76680d466645bb53df2e
2021-08-11 03:10:23 +00:00
Arthur Ishiguro
e1ced2f4d8
Context Hub stable AIDL sepolicy
...
Bug: 194285834
Test: TreeHugger
Change-Id: I88675f7f61821619abbff87fa5ee321836745324
2021-08-10 22:06:43 +00:00
Victor Hsieh
20b6cc8307
Allow authfs_service to add itself to service manager am: a70e6052c2 am: 18e91ef6c4
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1792168
Change-Id: Iee39c98c6bb7b13a0f3683c07d0b2a9eb9ca7306
2021-08-10 19:53:54 +00:00
Victor Hsieh
18e91ef6c4
Allow authfs_service to add itself to service manager am: a70e6052c2
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1792168
Change-Id: I7d29662ba6cb8f0dd3d2d7293406ba6ebd301af4
2021-08-10 19:38:38 +00:00
Victor Hsieh
a70e6052c2
Allow authfs_service to add itself to service manager
...
Fixes: 196018177
Test: atest MicrodroidHostTestCases
Change-Id: Ib47b8bf5d5d683e7f163e8f69d8a06ffe8f2675b
2021-08-10 10:55:54 -07:00
Bart Van Assche
db5e6c2424
Allow the init and apexd processes to read all block device properties
...
Addressing b/194450129 requires configuring the I/O scheduler and the
queue depth of loop devices. Doing this in a generic way requires
iterating over the block devices under /sys/class/block and also to
examine the properties of the boot device (/dev/sda). Hence this patch
that allows 'init' and 'apexd' to read the properties of all block
devices. The patch that configures the queue depth is available at
https://android-review.googlesource.com/c/platform/system/core/+/1783847 .
Bug: 194450129
Test: Built Android images, installed these on an Android device and verified that modified init and apexd processes do not trigger any SELinux complaints.
Ignore-AOSP-First: This patch is already in AOSP.
Merged-In: Icb62449fe0d21b3790198768a2bb8e808c7b968e
Change-Id: Icb62449fe0d21b3790198768a2bb8e808c7b968e
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-08-10 09:30:27 -07:00