Thiébaud Weksteen
cf09580dc7
Merge "Add tweek@ to OWNERS"
2021-06-02 08:59:04 +00:00
Thiébaud Weksteen
51a115c0fc
Add tweek@ to OWNERS
...
Change-Id: If18014ae5a94de2381ac5f01c4b8583fb04f1f92
2021-06-02 09:22:40 +02:00
Jeff Vander Stoep
e4116b4e44
uncrypt: allow reading /proc/bootconfig
...
It's needed when calling ReadDefaultFstab.
Fixes: 189509028
Test: build
Change-Id: I0d4bac7f2e3a25faa921c8d77cbf92f7808f0ab7
2021-06-02 08:46:59 +02:00
Jooyung Han
9562d7083e
Add rules for microdroid_manager am: d470ed7b47
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1720671
Change-Id: Id2955bad90a74ce35598ccc04a57872dea7cdc53
2021-06-02 01:56:03 +00:00
Jooyung Han
55393cc42b
Allow microdroid_manager to execute shell, etc.
...
Microdroid_manager should execute a command passed via a VM payload
config. Ideally, the spawned process should be in a dedicated domain
which has the right set of permissions.
For now, it is allowed to execute shell/toybox for testing/debugging. And
also it is allowed to access fusefs to load a library or a config file.
Bug: 189301496
Test: MicrodroidHostTestCases
Change-Id: I7872514b40a9e23bbbed2b3e1ccd322f4e9cf832
2021-06-02 09:54:12 +09:00
Jooyung Han
d470ed7b47
Add rules for microdroid_manager
...
Microdroid_manager is an executable in microdroid. Its role is to manage tasks
in microdroid and communicate with host's virtualizationservice.
To execute a task in microdroid, microdroid_manager should
- read "metadata" partition
- read VM payload config
- exec a command
Bug: 189301496
Test: atest MicrodroidHostTestCases
Change-Id: Iabbe0d3c8832f00df5c545e6b13fc55afa820b33
2021-06-02 09:50:54 +09:00
Calin Juravle
0b2ca6c22c
Enable ART properties modularization
...
ART is becoming a module and we need to be able to add new properties
without modifying the non updatable part of the platform:
- convert ART properties to use prefix in the namespace of
[ro].dalvik.vm.
- enable appdomain and coredomain to read device_config properties
that configure ART
Test: boot
Bug: 181748174
Change-Id: Id23ff78474dba947301e1b6243a112b0f5b4a832
2021-06-01 16:14:55 -07:00
Todd Kennedy
87674f0532
Merge "sepolicy: allow to play f2fs-compression for apk files" am: 7e7b6ab054
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1719991
Change-Id: I5c7436ac0348f511e774f95adc2f2140b905dea1
2021-06-01 15:04:40 +00:00
Todd Kennedy
7e7b6ab054
Merge "sepolicy: allow to play f2fs-compression for apk files"
2021-06-01 14:37:41 +00:00
Inseob Kim
91889d3d6c
Add permissions for microdroid vold and keymint
...
vold uses tune2fs and e2fsck.
Bug: 185767624
Test: boot microdroid
Change-Id: Ie10448c444f80aae9a1d34a6f7f32ffeac03c608
2021-06-01 20:32:42 +09:00
Tianjie Xu
8a58939f11
Merge "Add ro.vendor.build.fingerprint_has_digest to property context" am: 3b71803647
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1717076
Change-Id: I98e4bd4d51b3ed468b6a0f2f74ae0a6d912e74ad
2021-06-01 04:46:16 +00:00
Tianjie Xu
3b71803647
Merge "Add ro.vendor.build.fingerprint_has_digest to property context"
2021-06-01 04:31:07 +00:00
Jaegeuk Kim
1a15808dc0
sepolicy: allow to play f2fs-compression for apk files
...
This patch adds some ioctls for apk files and allows
shell to query for f2fs features.
Bug: 189169940
Test: Manual. Code runs.
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: Ia8bccf1bf663404b902703326a1853947b64e5ab
2021-05-27 20:31:17 -07:00
Alexander Dorokhine
9eeb72826c
Merge "Allow the appsearch apex access to the apexdata misc_ce dir." am: 73854e626d
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1715470
Change-Id: I83643659cd918f9570ae6a827e6ef65f80eb3b87
2021-05-27 21:08:10 +00:00
Alexander Dorokhine
73854e626d
Merge "Allow the appsearch apex access to the apexdata misc_ce dir."
2021-05-27 20:39:03 +00:00
Michael Ayoubi
98c9e96324
Merge "Change dck properties to int" am: 880e0ee101
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1718111
Change-Id: Ia950113f257197d4a97ae55b044cf4f9f2ece92b
2021-05-27 01:01:30 +00:00
Michael Ayoubi
880e0ee101
Merge "Change dck properties to int"
2021-05-27 00:35:30 +00:00
Andrew Walbran
899b1fe7d7
Merge "Rename VirtManager to VirtualizationService." am: 04e6256c94
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1715889
Change-Id: I661248e3d0ae4b5cec3b8765fcd4cf7a4ae7c952
2021-05-26 21:58:36 +00:00
Andrew Walbran
04e6256c94
Merge "Rename VirtManager to VirtualizationService."
2021-05-26 21:43:54 +00:00
Tianjie
8428a105b4
Add ro.vendor.build.fingerprint_has_digest to property context
...
This property indicates if the new fingerprint format is in use.
It's read by VTS to put the correct fingerprint in test report.
Bug: 188824341
Test: boot the device, check build prop
Change-Id: I2694d613e8d91d355506a4c7aaad4bdc191a800a
2021-05-26 11:21:24 -07:00
Alexander Dorokhine
0b2553a32b
Allow the appsearch apex access to the apexdata misc_ce dir.
...
Bug: 177685938
Test: AppSearchSessionCtsTest
Change-Id: I727860a02cb9e612ce6c322662d418cddc2ff358
2021-05-26 09:47:19 -07:00
Michael Ayoubi
c14bc7ef3c
Change dck properties to int
...
Change dck r2/r3 properties to wcc levels.
Bug: 186488185
Test: Confirm GMSCore access
Signed-off-by: Michael Ayoubi <mayoubi@google.com>
Change-Id: I9aab231d3e4bb7bd696e26652b9215d91d07b8b3
2021-05-26 15:04:02 +00:00
Treehugger Robot
3a4ca4e4fe
Merge "Allow mke2fs to format virtual block devices in microdroid" am: b8c6055b6f
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1717690
Change-Id: I800caab1d2a660771a3bff8710a2bb828facba81
2021-05-26 00:21:16 +00:00
Treehugger Robot
b8c6055b6f
Merge "Allow mke2fs to format virtual block devices in microdroid"
2021-05-26 00:03:08 +00:00
Jiyong Park
e1bfe4332f
Allow mke2fs to format virtual block devices in microdroid
...
Bug: 185767624
Test: atest MicrodroidHostTestCases
Change-Id: I324064a8b58eb07a34f5724f36865865156d0db5
2021-05-26 00:40:24 +09:00
Treehugger Robot
1e7b6902d7
Merge "sepolicy: add f2fs ioctls" am: 3040e15baa
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1717550
Change-Id: I12c95f262858470187e264f6a1642dee6b18e4e3
2021-05-25 14:35:49 +00:00
Jiyong Park
70f99c0e9f
Add rules for microdroid_launcher am: 6645ad3b1f
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1716573
Change-Id: I333a782b597e757e4d653ec27ecff9935d10b36a
2021-05-25 14:33:42 +00:00
Treehugger Robot
3040e15baa
Merge "sepolicy: add f2fs ioctls"
2021-05-25 14:30:03 +00:00
Jiyong Park
5fbb412638
Allow zipfuse to mount /dev/vd* on /mnt/apk am: cf1eb370d8
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1708094
Change-Id: Ic660ef4b234815b17985058ea220a167b5b260d6
2021-05-25 12:57:07 +00:00
Jaegeuk Kim
da1d8a3ce6
sepolicy: add f2fs ioctls
...
This cleans up ioctl definitions.
Bug: 189169940
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: I8cf2daa11911ef2fb817e125fcfc4f8ad91af0ed
2021-05-25 05:54:14 -07:00
Jiyong Park
6645ad3b1f
Add rules for microdroid_launcher
...
Microdroid_launcher is an executable in microdroid. Its role is to load
a shared library in an APK that is shared from the host Android and
execute it by calling an entry point (android_native_main) in it.
For now, it is executed from shell, but will eventually be executed from
a binder service (which also is running in microdroid) called
microdroid_manager.
Bug: 188513012
Test: atest MicrodroidHostTestCases
Change-Id: I150a958c1ed0e3e960f4b4b577e808e54e898644
2021-05-25 17:22:01 +09:00
Jiyong Park
cf1eb370d8
Allow zipfuse to mount /dev/vd* on /mnt/apk
...
zipfuse is a FUSE implementation that runs in microdroid. In the virtual
machine, it reads a block device (/dev/vd* via the symlink
/dev/block/by-name/microdroid-apk) whose content is read from an apk
in the host side. Then it makes the entries in the zip file (apk is
also a zip) as regular files in the virtual machine.
Note that the filesystem is mounted as default 'fuse:filesystem' because
it's mounted without the `fcontext` option, which is due to the libfuse
library we are importing from crosvm (b/188400186).
Bug: 188388851
Test: atest MicrodroidHostTestCases
Change-Id: Ide9bac88088535f4f335f2725fa929d23015e6e1
2021-05-25 14:10:55 +09:00
Michael Ayoubi
64c125adc0
Merge "Add DCK eligibility properties" am: 20af5f1e4e
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1715931
Change-Id: I2f1baab0809fd92a5af04f1fedd6f46ec96eefc3
2021-05-25 01:22:54 +00:00
Michael Ayoubi
20af5f1e4e
Merge "Add DCK eligibility properties"
2021-05-25 01:06:03 +00:00
Calin Juravle
49c9420233
Merge "Add SELinux context for pm.dexopt.cmdline property" am: 11c6d45e7c
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1710948
Change-Id: I8e088de62fd83b020e0a9883aed29d1ef05b5ab9
2021-05-24 15:26:23 +00:00
Calin Juravle
11c6d45e7c
Merge "Add SELinux context for pm.dexopt.cmdline property"
2021-05-24 15:06:35 +00:00
Michael Ayoubi
77c10eff1e
Add DCK eligibility properties
...
Bug: 186488185
Test: Confirm GMSCore access
Change-Id: I20baf5c9ae9fbebc9e43d2798401ad49776fb74a
2021-05-21 23:31:09 +00:00
Calin Juravle
aca5d73453
Add SELinux context for pm.dexopt.cmdline property
...
Test: boot
Bug: 188655918
Change-Id: I4e5bd0e0c72adc76017f15c35df5c373fb2bf220
2021-05-21 14:48:14 +00:00
Andrew Walbran
4b80a3fc3d
Rename VirtManager to VirtualizationService.
...
Bug: 188042280
Test: atest VirtualizationTestCases
Change-Id: Ia46a0dda923cb30382cbcba64aeb569685041d2b
2021-05-21 14:47:30 +00:00
Thiébaud Weksteen
d759ecfefb
Merge "Add transfer permission to wait_for_keymaster" am: a1be68e451
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1713992
Change-Id: Ice21ef09f4d7975368b0accfa1237bc3d0496265
2021-05-21 13:42:21 +00:00
Thiébaud Weksteen
a1be68e451
Merge "Add transfer permission to wait_for_keymaster"
2021-05-21 13:27:11 +00:00
Andrew Walbran
9efb8f8f53
Merge "Set sepolicy for VirtualizationService data directory and mk_cdisk." am: e6e25ba2f9
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1714239
Change-Id: I51683c4af56c6648b9b3cec66fbfa9efaa117f1f
2021-05-21 09:51:35 +00:00
Andrew Walbran
e6e25ba2f9
Merge "Set sepolicy for VirtualizationService data directory and mk_cdisk."
2021-05-21 09:33:31 +00:00
Thiébaud Weksteen
eb353bc228
Add transfer permission to wait_for_keymaster
...
Bug: 188809569
Test: m sepolicy
Change-Id: I79ead2fdf258f824ef9b0bf13c8179a6b819ccd7
2021-05-21 09:18:08 +02:00
Treehugger Robot
c556d4662d
Merge "Fix product policy in prebuilt_policy.mk" am: cdce724b57
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1714048
Change-Id: I0be8ee15832c440e06a3ac8cb14dd55b4c244344
2021-05-21 01:48:52 +00:00
Treehugger Robot
cdce724b57
Merge "Fix product policy in prebuilt_policy.mk"
2021-05-21 01:23:41 +00:00
Svet Ganov
15f5651570
Allow mediaserver/audioserver to access permission checker service am: 365c57f338
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1714769
Change-Id: Ibe6580a2543bb99ecc600a394d64a73f4ca4c092
2021-05-20 21:28:47 +00:00
Svet Ganov
365c57f338
Allow mediaserver/audioserver to access permission checker service
...
bug: 158792096
Test: atest CtsMediaTestCases
atest CtsPermissionTestCases
atest CtsPermission2TestCases
atest CtsPermission3TestCases
atest CtsPermission4TestCases
Change-Id: I392c87f0a85a09d891bceaaefeae1b3f9acff55a
2021-05-20 19:07:29 +00:00
Andrew Walbran
654c5b0ea8
Set sepolicy for VirtualizationService data directory and mk_cdisk.
...
Bug: 184131523
Test: atest VirtualizationTestCases
Test: flashed on VIM3L and ran microdroid manually
Change-Id: I6d1b69b63debf44431cd542a0ee85748fcc4191b
2021-05-20 15:00:49 +00:00
Inseob Kim
4769d842fc
Fix product policy in prebuilt_policy.mk
...
This was not caught because the test happened on a device without
product policies.
Bug: 180035144
Test: set BOARD_SEPOLICY_VERS and build
Change-Id: Iac53af2f03f8c2eb054216c10337e2476114b9a2
2021-05-20 10:18:58 +00:00