tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
29037 commits 1 branch 0 tags 50 MiB
Commit graph

29037 commits

This branch
This branch
All branches
Author SHA1 Message Date
Martijn Coenen
b01e0a22a5 Merge "Add external_storage.cross_user.enabled property" 2021-03-08 12:46:23 +00:00
Treehugger Robot
a60ac31fcb Merge "Dontaudit zygote to read and open media_rw_data_file dir" 2021-03-08 11:26:35 +00:00
Jeffrey Vander Stoep
f6f2a79a2a Merge "Give resume_on_reboot key as separate context" 2021-03-08 08:33:16 +00:00
Chun-Wei Wang
75e3fa6ead Merge "Add persist.rollback.is_test (6/n)" 2021-03-06 14:33:38 +00:00
Alexander Potapenko
3d52817da4 Selinux policy for bootreceiver tracing instance 
Create contexts for /sys/kernel/tracing/instances/bootreceiver
Allow read access to files in this dir for system_server.

Bug: 172316664
Bug: 181778620
Test: manual runs with KFENCE enabled
Signed-off-by: Alexander Potapenko <glider@google.com>
Change-Id: I7021a9f32b1392b9afb77294a1fd0a1be232b1f2
 2021-03-05 08:53:39 +01:00
Pavel Grafov
ae69347dbe Merge "Allow wpa_supplicant to access KeyStore2" 2021-03-05 07:03:57 +00:00
Jiyong Park
05a80a5e72 Merge "Fix a build error reguarding build_sepolicy" 2021-03-05 02:32:15 +00:00
Jiyong Park
1e2a1b6e04 Merge "Reland "Build sepolicy files for microdroid_vendor"" 2021-03-05 02:27:40 +00:00
Pavel Grafov
b99c1924af Allow wpa_supplicant to access KeyStore2 
Bug: 171305388
Test: manual
Change-Id: I98134c41a4923bccf06c14858603fe888ec84633
 2021-03-05 00:27:23 +00:00
Tianjie
21ab75279a Give resume_on_reboot key as separate context 
As part of the keystore2 requirement, we give the keys used for
resume on reboot a separate context in keystore. And grant system
server the permission to generate, use and delete it.

Bug: 172780686
Test: resume on reboot works after using keystore2
Change-Id: I6b47625a0864a4aa87b815c6d2009cc19ad151a0
 2021-03-04 12:20:19 -08:00
Ricky Wai
d240d2be77 Dontaudit zygote to read and open media_rw_data_file dir 
Zygote will trigger sdcardfs to read and open media_rw_data_file:dir.
We can safely ignore this message.

Bug: 177248242
Test: Able to boot without selinux warning.
Change-Id: Ie9723ac79547bf857f55fc0e60b461210a4e4557
 2021-03-04 11:08:33 +00:00
Zim
aa1499dd27 Add external_storage.cross_user.enabled property 
This allows the FUSE daemon handle FUSE_LOOKUP requests across user boundaries.

Workaround to support some OEMs for their app cloning feature in R

Bug: 162476851
Bug: 172177780
Test: Manual
Change-Id: Ic1408f413ec3dc4917d3acfda2c5f62f9c16f187
 2021-03-04 08:41:04 +00:00
Wonsik Kim
89bd64cd0d Merge "Revert "Selinux policy for bootreceiver tracing instance"" 2021-03-04 00:44:58 +00:00
Wonsik Kim
08a25e6709 Revert "Selinux policy for bootreceiver tracing instance" 
Revert submission 1572240-kernel_bootreceiver

Reason for revert: DroidMonitor: Potential culprit for Bug 181778620 - verifying through Forrest before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.
Reverted Changes:
Ic1c49a695:init.rc: set up a tracing instance for BootReceive...
I828666ec3:Selinux policy for bootreceiver tracing instance

Change-Id: I9a8da7ae501a4b7c3d6cb5bf365458cfd1bef906
 2021-03-03 22:47:02 +00:00
Jiyong Park
cc9a09953b Fix a build error reguarding build_sepolicy 
build_sepolicy internally uses other tools like checkpolicy and
version_policy. The dependencies are used to be found under
out/host/linux-x86/bin. But that assumption doesn't hold when soong
tried to sandbox command invocations. This change fixes the problem by
setting --android_host_path to the directory where build_sepolicy is
sandboxed and also by adding the internal dependeicies to the `tools`
property so that they are copied to the sandbox directory.

Bug: N/A
Test: choosecombo into aosp_x86_64 and run
m out/soong/.intermediates/system/sepolicy/microdroid_vendor_sepolicy.cil_gen/gen/vendor_sepolicy.cil

Change-Id: I28ae1f9013439f3ca1196b3816e0388ced5246e1
 2021-03-04 00:02:15 +09:00
Jiyong Park
d89564e95d Reland "Build sepolicy files for microdroid_vendor" 
This reverts commit 2c2c1f7c00.

Reason for revert: reland with a forward fix
Test: m on aosp_x86_64

Change-Id: I5c89ebeda88ca65286dff1e64841c2ada8634d34
 2021-03-04 00:02:04 +09:00
Adrian Roos
4357d55deb Merge "Revert "Build sepolicy files for microdroid_vendor"" 2021-03-03 14:54:04 +00:00
Adrian Roos
2c2c1f7c00 Revert "Build sepolicy files for microdroid_vendor" 
Revert submission 1609095-microdroid_vendor

Reason for revert: Breaks aosp_x86_64-userdebug build
Reverted Changes:
I82a66a00a:Add microdroid_vendor
I88eec6e1f:Build sepolicy files for microdroid_vendor

Bug: 180986662
Fixes: 181756343
Change-Id: Ie390d17ee99bae83fb98baaa3c3a1ca8d95c3919
 2021-03-03 14:02:56 +00:00
Jiyong Park
0b2fa0ec0e Merge "Build sepolicy files for microdroid_vendor" 2021-03-03 12:40:56 +00:00
Maciej Żenczykowski
5bca6989b4 Merge "grant bpfloader NET_ADMIN capability" 2021-03-03 12:16:26 +00:00
JW Wang
0f8cf04965 Add persist.rollback.is_test (6/n) 
This property is set to true in rollback tests to prevent
fallback-to-copy when enabling rollbacks by hard linking.

This gives us insights into how hard linking fails where
it shouldn't.

Bug: 168562373
Test: m
Change-Id: Iab22954e9b9da21f0c3c26487cda60b8a1293b47
 2021-03-03 10:34:06 +08:00
Amy Zhang
2125c53867 Merge "Allow TunerService to find and call native Package Manager Service" am: ab04edc49f 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1612687

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: Idfbc2001e84fd1e6e46b38cc849db60dfc341a7c
 2021-03-02 23:01:12 +00:00
Amy Zhang
ab04edc49f Merge "Allow TunerService to find and call native Package Manager Service" 2021-03-02 22:40:01 +00:00
Alexander Potapenko
34bc3c9383 Selinux policy for bootreceiver tracing instance am: 31251aa6ec 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1572220

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I1a423b814f87334cd6e28ceb8077409beaaac7ce
 2021-03-02 22:26:30 +00:00
Yi Kong
142ee65100 Merge "Allow profcollectd to search bootstrap bionic libs dir" am: f2dc35baf3 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1612899

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I6d4db005cd86794a408d5651ecd962811253ac3b
 2021-03-02 20:15:50 +00:00
Orion Hodson
76f8dbcddb Merge "odrefresh.te: use create_rw_perms for apex_art_data_file:file" am: 0fdd1f9f37 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1612135

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I4133ad3858f5f07f21d4c6deafa4b3b7aded4fd5
 2021-03-02 20:00:27 +00:00
Alexander Potapenko
31251aa6ec Selinux policy for bootreceiver tracing instance 
Create contexts for /sys/kernel/tracing/instances/bootreceiver
Allow read access to files in this dir for system_server.

Bug: 172316664
Test: manual runs with KFENCE enabled
Signed-off-by: Alexander Potapenko <glider@google.com>
Change-Id: I828666ec3154aadf138cfa552832a66ad8f4a201
 2021-03-02 16:53:12 +01:00
Yi Kong
f2dc35baf3 Merge "Allow profcollectd to search bootstrap bionic libs dir" 2021-03-02 12:41:16 +00:00
Yi Kong
fb621a4322 Allow profcollectd to search bootstrap bionic libs dir 
This is required in addition to reading files under the dir, so that
profcollectd can generate profiles for them.

Test: presubmit
Bug: 166559473
Change-Id: Ic46acab3cfc01c549e2f3ba5e765cb2c4ac8a197
 2021-03-02 12:39:44 +00:00
Orion Hodson
0fdd1f9f37 Merge "odrefresh.te: use create_rw_perms for apex_art_data_file:file" 2021-03-02 12:03:21 +00:00
Maciej Żenczykowski
94c30686cf grant bpfloader NET_ADMIN capability 
This is required for it to be able to create DEVMAP/DEVMAP_HASH maps.

See kernel source code in kernel/bpf/devmap.c:
  static struct bpf_map *dev_map_alloc(union bpf_attr *attr) {
    ...
    if (!capable(CAP_NET_ADMIN)) return ERR_PTR(-EPERM);

Test: atest, TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I2fc5b1541133859857fc9baa7564965f240c842a
 2021-03-01 23:40:08 -08:00
Adam Shih
543a3f9e34 Merge "Suppress error log coming from libfstab operation" am: 286fa14bae 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1607898

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I3d53fe6438e738723043259a82d97f5b3d244442
 2021-03-02 02:05:02 +00:00
Treehugger Robot
13a35a72f0 Merge "Transcoding: Allow media transcoding to log metrics to statsd" am: 581ddde15a 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1611294

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I265d8f283a6c651679895709a17a4b843cf12259
 2021-03-02 02:04:08 +00:00
Adam Shih
286fa14bae Merge "Suppress error log coming from libfstab operation" 2021-03-02 01:20:33 +00:00
Treehugger Robot
581ddde15a Merge "Transcoding: Allow media transcoding to log metrics to statsd" 2021-03-02 01:17:23 +00:00
Amy Zhang
bd2e154e23 Allow TunerService to find and call native Package Manager Service 
Test: local tested on Cuttlefish
Bug: 181350336
Change-Id: If5df4593a17bd0a3b21bb44b54c305f79660c663
 2021-03-01 16:48:02 -08:00
Linus Nilsson
ba1ba35a19 Transcoding: Allow media transcoding to log metrics to statsd 
Bug: 179274112
Test: Used statsd_testdrive to verify that metrics reach statsd
Change-Id: Ia63b522f7898e86dffe629bd41d76934c95b8aee
 2021-03-01 15:09:14 -08:00
Orion Hodson
46c2aad205 odrefresh.te: use create_rw_perms for apex_art_data_file:file 
odrefresh should setattr on generated artifacts. This is apparent now
that it is now launched from init which sets a restrictive umask on
forked processes.

Bug: 181397437
Test: manually apply ART APEX update
Change-Id: I8e30c1ef1e42b3b68b3c07e860abb4dc2728e275
 2021-03-01 15:33:31 +00:00
Evan Severson
2804dc2e09 Merge "Allow cameraserver to use package manager native" am: 6c6d467ffd 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1599913

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I14d22fb6078b217bd19638e0f45cec4ad32be29c
 2021-02-28 02:09:07 +00:00
Evan Severson
6c6d467ffd Merge "Allow cameraserver to use package manager native" 2021-02-28 01:28:44 +00:00
Paul Crowley
5f47f7a2bb Merge "init sets keystore.boot_level, keystore reads" am: 28befc841c 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1600565

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I2da5dfa8c8874f8dbc21006541951652a0585b8f
 2021-02-27 07:25:36 +00:00
Paul Crowley
28befc841c Merge "init sets keystore.boot_level, keystore reads" 2021-02-27 05:05:50 +00:00
Kalesh Singh
c20eb9dca6 Merge "gmscore_app: Don't audit memtrack hal denials" am: 144e5d7e9b 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1609855

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I3f684c751c8580b784aec133f8759b2745c36bb5
 2021-02-27 01:00:33 +00:00
Kalesh Singh
144e5d7e9b Merge "gmscore_app: Don't audit memtrack hal denials" 2021-02-27 00:08:21 +00:00
Kalesh Singh
cdf7b0f374 gmscore_app: Don't audit memtrack hal denials 
Bug: b/177664629
Test: Check logcat for no memtrack denial on boot
Change-Id: I3b6644d2374c97e7f4a0f90aa2c596e0a870d00f
 2021-02-26 16:12:47 -05:00
Evan Severson
5fa543a26b Allow cameraserver to use package manager native 
Test: Mnaual
Bug: 162549680
Change-Id: I77681bf2e21ab8bf5ab24e683bb2eed50c4c53ce
 2021-02-26 12:42:56 -08:00
Janis Danisevskis
99590f81c5 Merge "Keystore 2.0: Add policy for vpnprofilestore" am: ffdbf4370a 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1569720

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I5c356b9d2ab917b7f11c3ff72340eedb7161e377
 2021-02-26 20:08:22 +00:00
Janis Danisevskis
ffdbf4370a Merge "Keystore 2.0: Add policy for vpnprofilestore" 2021-02-26 19:20:39 +00:00
Jiyong Park
db7a475f65 Build sepolicy files for microdroid_vendor 
microdroid_vendor is the vendor.img for microdroid. We need
microdroid_vendor.img and sepolicy files in it because init demands the
files during the boot process. Since microdroid_vendor.img is a Soong
module, the sepolicy files in it should be built with Soong as well.

Note that, these Soong modules are configured only for microdroid. In
the future, we will generalize this so that ordinary Android can use
the Soong-build sepolicy files.

Bug: 180986662
Test: m microdroid_vendor
Change-Id: I88eec6e1fbf687301366d5c814265131c8d3fdbb
 2021-02-26 21:52:13 +09:00
Darren Hsu
f62ce658ba sepolicy: Create new attribute to serve ISuspendControlServiceInternal am: 70ae5f4c34 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1608013

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: Iea337bf2c5a33ed1e8e37b4c4e6fc2ba2045f9c9
 2021-02-26 09:28:22 +00:00