tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
35344 commits 1 branch 0 tags 50 MiB
Commit graph

35344 commits

This branch
This branch
All branches
Author SHA1 Message Date
Treehugger Robot
7e5a5e8b1f Merge "Remove compat test from treble sepolicy tests" am: 8e6b55a13d 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1985246

Change-Id: I9b7cb61dfb0dc823d39c8e35d1fff323675a835d
 2022-02-17 01:46:44 +00:00
Treehugger Robot
8e6b55a13d Merge "Remove compat test from treble sepolicy tests" 2022-02-17 01:26:04 +00:00
Jiakai Zhang
bf58100685 dontaudit denial on the odex file of location provider. 
Bug: 194054685
Test: Presubmits
Change-Id: Ia636f7b32251c3b8cb018fee9216e5968d4e95ff
 2022-02-16 14:12:49 +00:00
Treehugger Robot
bc5dd2e143 Merge "Add ro.boot.microdroid.app_debuggable" am: cb1e4682c8 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1986511

Change-Id: I49ed965517379b6e7be57c2ce7d81cb77ab6e62b
 2022-02-16 13:08:55 +00:00
Treehugger Robot
cb1e4682c8 Merge "Add ro.boot.microdroid.app_debuggable" 2022-02-16 11:56:04 +00:00
Andrew Scull
12bd3d9d2e Remove needless bootloader_prop rule 
Bootloader properties are available to all domains so don't need special
policy rules for microdroid_manager.

Test: atest MicrodroidTests
Change-Id: I0ccf6b28467a47c0f3cf7715b9ff34d01e8ac970
 2022-02-16 09:40:29 +00:00
Andrew Scull
b13117f3ba Add ro.boot.microdroid.app_debuggable 
This property is set in the bootconfig to reflect the debuggability of
the payload app. It is consumed microdroid_manager as a DICE input and
by compos to make choices based on the debuggability, e.g. not doing
test builds in non-debug states.

Bug: 219740340
Test: atest ComposHostTestCases
Test: atest MicrodroidTests
Change-Id: If84710f1fdbab957f5d19ce6ba3daad7e3e65935
 2022-02-16 09:40:27 +00:00
Treehugger Robot
2a17f21086 Merge "Revert^2 "Migrate contexts tests to Android.bp"" am: 8817edcbb4 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1987148

Change-Id: Ia3f3cb136477d4958a652a68389d3f8af9327d26
 2022-02-16 05:02:46 +00:00
Treehugger Robot
8817edcbb4 Merge "Revert^2 "Migrate contexts tests to Android.bp"" 2022-02-16 04:23:47 +00:00
Inseob Kim
73f43ff847 Remove compat test from treble sepolicy tests 
Treble sepolicy tests check whether previous versions are compatible to
ToT sepolicy or not. treble_sepolicy_tests_for_release.mk implements it,
but it also includes a compat test whether ToT sepolicy + {ver} mapping
+ {ver} plat_pub_versioned.cil can be built together or not. We
definitely need such tests, but we already have a test called "compat
test" which does exactly that, and testing it again with Treble sepolicy
tests is just redundant. The only difference between those two is that
Treble sepolicy tests can also test system_ext and product compat files,
which was contributed by a partner.

The ultimate goal here is to migrate *.mk to Soong, thus merging these
two tests (compat, Treble) into one. As we've already migrated the
compat test to Soong, this change removes the compat test part from
treble sepolicy tests. Instead, the compat test will be extended so it
can test system_ext and product compat files too.
prebuilts/api/{ver}/plat_pub_versioned.cil and
prebuilts/api/{ver}/vendor_sepolicy.cil are also removed as they aren't
used anymore: vendor_sepolicy.cil is an empty stub, and
plat_pub_versioned.cil can be built from the prebuilt source files.

Bug: 33691272
Test: m selinux_policy
Change-Id: I72f5ad0e8bbe6a7c0bbcc02f0f902b953df6ff1a
 2022-02-16 04:09:29 +00:00
Inseob Kim
b5e235346e Revert^2 "Migrate contexts tests to Android.bp" 
This reverts commit baa93cc651.

Reason for revert: amlogic build fixed

Change-Id: I8b046dc810d47a2d87012f02a668873889fce705
 2022-02-16 02:26:11 +00:00
Thiébaud Weksteen
373cf3ba8e Associate hal_service_type with all HAL services 
By default, HAL's services are not accessible by dumpstate. HIDL
implementations were silenced via a dontaudit on hwservice_manager. But
AIDL implementations will trigger a denial, unless authorized via
`dump_hal`. Mark all HAL services with a new attribute
`hal_service_type` so they can be ignored by dumpstate.

Test: m selinux_policy
Bug: 219172252
Change-Id: Ib484368fdeff814d4799792d57a238d6d6e965fd
 2022-02-16 10:49:21 +11:00
Xin Li
9fced2e705 Skip SP2A.220305.012 
Bug: 219523960
Merged-In: Ied609152e6a9ba6d17b70db325ca33f1cb345eb8
Change-Id: Ie743f909429f36f876d16cb2d52b3bed971ef207
 2022-02-14 20:07:30 +00:00
Xin Li
f1f2839e6e Merge "Merge sc-v2-dev-plus-aosp-without-vendor@8084891" into stage-aosp-master 2022-02-14 17:31:17 +00:00
Chris Morin
1d88bf547e Allow dumpstate to create tmpfs files 
dumpstate needs to be able to create tmpfs files for it's upcoming use
of memfd_create.

Test: Generate bugreport
Change-Id: I4ce19635d9b76929b05d85bdba89340e5d5399d1
 2022-02-12 13:52:39 -08:00
Ramji Jiyani
86cfb85d49 Merge "system_dlkm: sepolicy: add system_dlkm_file_type" am: ba8615a186 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1978574

Change-Id: I8c70b7c37e2d5a84b78f4b8862890c4a0d101f1d
 2022-02-11 18:52:59 +00:00
Daniel Norman
17327ac36a Merge "Expose the APEX multi-install props to non-root getprop." am: ea98866236 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1965921

Change-Id: I43a503e66debdf898e7987c9b4ebc9c8709144bb
 2022-02-11 18:52:06 +00:00
Ramji Jiyani
ba8615a186 Merge "system_dlkm: sepolicy: add system_dlkm_file_type" 2022-02-11 18:36:04 +00:00
Daniel Norman
ea98866236 Merge "Expose the APEX multi-install props to non-root getprop." 2022-02-11 18:25:27 +00:00
Xin Li
77c821174e Merge sc-v2-dev-plus-aosp-without-vendor@8084891 
Bug: 214455710
Merged-In: I129b5cb74259c9c028483e84c9b2ac3597c24701
Change-Id: I47ca55be668b9b2aabf86963b65b1403130ab802
 2022-02-11 06:58:07 +00:00
Keith Mok
64a1571f5d Merge "Update SEPolicy apexd for API 32" am: 9984dcb28e 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1976997

Change-Id: I85bd1c4b700b95d17ff25b73779f5fa7f4d2f8bf
 2022-02-11 05:21:22 +00:00
Keith Mok
9984dcb28e Merge "Update SEPolicy apexd for API 32" 2022-02-11 05:03:20 +00:00
Ramji Jiyani
4a556890f9 system_dlkm: sepolicy: add system_dlkm_file_type 
Add new attribute system_dlkm_file_type for
/system_dlkm partition files.

Bug: 218392646
Bug: 200082547
Test: TH
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
Change-Id: I193c3f1270f7a1b1259bc241def3fe51d77396f3
 2022-02-11 04:19:33 +00:00
Treehugger Robot
6fa204250e Merge "Add microdroid sepolicy test support" am: 47b3505fbf 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1978387

Change-Id: I70801b12abc3d614d503c584ff0451a20d87d285
 2022-02-11 00:37:00 +00:00
Treehugger Robot
47b3505fbf Merge "Add microdroid sepolicy test support" 2022-02-11 00:22:27 +00:00
Keith Mok
16c0a350c5 Update SEPolicy apexd for API 32 
The bootchart problem need the selinux policy fix.
But it is missing API 32

Bug: 218729155
Test: Build
Change-Id: Ia011f8bcd52403980c2a6751bb612dd5b770e130
 2022-02-11 00:20:17 +00:00
Florian Mayer
3fc6370375 Merge "[MTE] Add property to specify default MTE mode for apps." am: 94782041d1 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1976994

Change-Id: I32140e8f8e8081a5f91fb09df241ffa8931f5ba6
 2022-02-10 23:48:54 +00:00
Florian Mayer
94782041d1 Merge "[MTE] Add property to specify default MTE mode for apps." 2022-02-10 23:38:23 +00:00
Treehugger Robot
5c66bea55b Merge "dmesgd: sepolicies" am: f07e7c31a4 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1968400

Change-Id: I0afd007ea41fc82aa0887368bc2e84c94bf358d8
 2022-02-10 21:04:30 +00:00
Treehugger Robot
33f3804491 Merge changes from topic "revert-1979386-revert-1967140-EVS_sepolicy_updates_T-MBLQTXKQEY-UVTCTRHQWF" am: 48f59f9ec2 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1978173

Change-Id: I82c6ff9bf4bcc3a572013b5afefb0123daaef7a3
 2022-02-10 21:03:47 +00:00
Treehugger Robot
f07e7c31a4 Merge "dmesgd: sepolicies" 2022-02-10 21:00:56 +00:00
Treehugger Robot
48f59f9ec2 Merge changes from topic "revert-1979386-revert-1967140-EVS_sepolicy_updates_T-MBLQTXKQEY-UVTCTRHQWF" 
* changes:
  Revert^2 "Updates sepolicy for EVS HAL"
  Revert^2 "Adds a sepolicy for EVS manager service"
 2022-02-10 20:50:42 +00:00
Kevin Jeon
b476cc1f23 Merge "Make Traceur seapp_context reflect platform status" am: 25dfbfec14 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1962019

Change-Id: I9a8a640707d12580a9144418e64d4868aa56d651
 2022-02-10 19:24:58 +00:00
Kevin Jeon
25dfbfec14 Merge "Make Traceur seapp_context reflect platform status" 2022-02-10 19:09:45 +00:00
Kevin Jeon
9118e3a5ca Make Traceur seapp_context reflect platform status 
Because Traceur is being signed with the platform key in aosp/1961100,
the platform seinfo identifier is being added to Traceur so that SELinux
will correctly identify it as a platform app.

Bug: 209476712
Test: - Checked that Traceur can still take normal and long traces on
        AOSP userdebug and internal user/userdebug.
      - Checked that the Traceur app is now located in /system/app/
	instead of /system/priv-app/.
Change-Id: Ibe7881d48798e3b71bb40e566fa8243cbb630b04
Merged-In: Ibe7881d48798e3b71bb40e566fa8243cbb630b04
 2022-02-10 17:51:28 +00:00
Alexander Potapenko
0a64d100b8 dmesgd: sepolicies 
dmesgd is a daemon that collects kernel memory error reports.

When system_server notices that a kernel error occured, it sets the
dmesgd.start system property to 1, which results in init starting
dmesgd.

Once that happens, dmesgd runs `dmesg` and parses its output to collect
the last error report. That report, together with the headers containing
device- and build-specific information is stored in Dropbox.

Empirically, dmesgd needs the following permissions:
- execute shell (for popen()) and toolbox (for dmesg),
  read system_log (for dmesg)
- read /proc/version (to generate headers)
- perform Binder calls to servicemanager and system_server,
  find dropbox_service (for dropbox)
- create files in /data/misc/dmesgd (to store persistent state)

Bug: 215095687
Test: run dmesgd on a user device with injected KFENCE bugs
Change-Id: Iff21a2ffd99fc31b89a58ac774299b5e922721ea
 2022-02-10 17:42:52 +00:00
Changyeon Jo
eacb1095a8 Revert^2 "Updates sepolicy for EVS HAL" 
418f41ad13

Bug: 216727303
Test: m -j selinux_policy on failed targets reported
      in b/218802298
Change-Id: Iec8fd2a1e9073bf3dc679e308407572a8fcf44d9
 2022-02-10 17:21:54 +00:00
Changyeon Jo
8c12609bce Revert^2 "Adds a sepolicy for EVS manager service" 
0137c98b90

Bug: 216727303
Test: m -j selinux_policy on failed targets reported
      in b/218802298
Change-Id: I2ae2fc85a4055f2cb7d19ff70b120e7b7ff0957d
 2022-02-10 17:21:14 +00:00
Treehugger Robot
1d087ac705 Merge "Support legacy apexdata labels" am: 605715d665 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1977066

Change-Id: Id2d5508fb56eae96da5d04fdcb907a410aeb102a
 2022-02-10 11:55:44 +00:00
Mohammed Rashidy
aa0cb606c3 Merge changes from topic "revert-1967140-EVS_sepolicy_updates_T-MBLQTXKQEY" am: 7f1eaf1b45 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1979387

Change-Id: I7f5e8791adc7e30a2f7c2da3c0658c2c33b88e4f
 2022-02-10 11:55:32 +00:00
Mohammed Rashidy
4d67e0d02b Revert "Updates sepolicy for EVS HAL" am: 418f41ad13 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1979386

Change-Id: If3080898b802cf7551c01c9425499591b815da6b
 2022-02-10 11:55:30 +00:00
Treehugger Robot
605715d665 Merge "Support legacy apexdata labels" 2022-02-10 11:44:11 +00:00
Mohammed Rashidy
7f1eaf1b45 Merge changes from topic "revert-1967140-EVS_sepolicy_updates_T-MBLQTXKQEY" 
* changes:
  Revert "Adds a sepolicy for EVS manager service"
  Revert "Updates sepolicy for EVS HAL"
 2022-02-10 11:38:40 +00:00
Mohammed Rashidy
0137c98b90 Revert "Adds a sepolicy for EVS manager service" 
Revert submission 1967140-EVS_sepolicy_updates_T

Reason for revert: triggered revert due to breakage https://android-build.googleplex.com/builds/quarterdeck?branch=git_master&target=cf_x86_64_auto-userdebug&lkgb=8168894&lkbb=8168958&fkbb=8168947, bug b/218802298
Reverted Changes:
I730d56ab1:Allows hal_evs_default to read directories
I2df8e10f5:Updates sepolicy for EVS HAL
Ie6cb3e269:Adds a sepolicy for EVS manager service

Change-Id: I207c261bcf2c8498d937ab02c499bf709a5f1b15
 2022-02-10 10:07:44 +00:00
Mohammed Rashidy
418f41ad13 Revert "Updates sepolicy for EVS HAL" 
Revert submission 1967140-EVS_sepolicy_updates_T

Reason for revert: triggered revert due to breakage https://android-build.googleplex.com/builds/quarterdeck?branch=git_master&target=cf_x86_64_auto-userdebug&lkgb=8168894&lkbb=8168958&fkbb=8168947, bug b/218802298
Reverted Changes:
I730d56ab1:Allows hal_evs_default to read directories
I2df8e10f5:Updates sepolicy for EVS HAL
Ie6cb3e269:Adds a sepolicy for EVS manager service

Change-Id: I1cc37b0e56646db61bdb34cb209aefe7376c5a50
 2022-02-10 10:07:44 +00:00
Sandro Montanari
d20a77319a Merge "Allow apexd to write to /metadata/sepolicy" am: 306fca99db 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1965103

Change-Id: I1aecfb46a194d837c62ac3ad14f84f03f5920a9b
 2022-02-10 10:01:30 +00:00
Sandro Montanari
306fca99db Merge "Allow apexd to write to /metadata/sepolicy" 2022-02-10 09:41:34 +00:00
Treehugger Robot
177cf20196 Merge changes from topic "EVS_sepolicy_updates_T" am: 2cedd28cf9 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1967009

Change-Id: I6e25a9c2f0030539b1bbf5892c4fd51f931053b7
 2022-02-10 08:12:58 +00:00
Treehugger Robot
2cedd28cf9 Merge changes from topic "EVS_sepolicy_updates_T" 
* changes:
  Updates sepolicy for EVS HAL
  Adds a sepolicy for EVS manager service
 2022-02-10 08:02:04 +00:00
Maciej Żenczykowski
960f03e7e6 Merge "bpfdomain: attribute for domain which can use BPF" am: 337e6b1e1c 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1978573

Change-Id: I4dfb42eedfec394488dea73910f11b23f08cfb92
 2022-02-10 07:25:40 +00:00