Gavin Corkery
b0aae28b41
Add sepolicy for /metadata/watchdog
...
See go/rescue-party-reboot for more context.
One integer will be stored in a file in this
directory, which will be read and then deleted at the
next boot. No userdata is stored.
Test: Write and read from file from PackageWatchdog
Bug: 171951174
Change-Id: I18f59bd9ad324a0513b1184b2f4fe78c592640db
2021-01-07 19:42:56 +00:00
Treehugger Robot
c0d1040d58
Merge "Export ro.vendor.product.cpu.abilist*"
2020-12-10 09:01:40 +00:00
Xin Li
0777adef5e
DO NOT MERGE - Merge Android R QPR1
...
Bug: 172690556
Merged-In: Ibc15a90266d1f30174d6590a157571507e8ee31a
Change-Id: I279c3cc3cfcf8e6c28b3cddf98fee6e47f4b46a5
2020-12-09 17:44:05 -08:00
Chong Zhang
2cbfd01949
add mediatranscoding to apex file context am: 9aed64920f
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1522099
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: Ibc15a90266d1f30174d6590a157571507e8ee31a
2020-12-10 01:01:17 +00:00
Chong Zhang
9aed64920f
add mediatranscoding to apex file context
...
bug: 159172726
Change-Id: I8fbedab2605167af637108d5f564abf6c78c32bd
2020-12-09 14:26:14 -08:00
Treehugger Robot
66ed360b5e
Merge "Update 30.0 prebuilts to latest rvc-dev policy" am: 34d974838e
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1521437
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: I49504f4d757ff4449cf7940f743687d2b2a86e84
2020-12-09 16:45:03 +00:00
Treehugger Robot
34d974838e
Merge "Update 30.0 prebuilts to latest rvc-dev policy"
2020-12-09 16:09:12 +00:00
Treehugger Robot
60e32df155
Merge "Allow PermissionController to find app_api_service and system_api_service." am: a56c9eb016
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1519814
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: I45dad0c44cdcf3d0cdd7e41bf5414d98db651610
2020-12-09 15:55:28 +00:00
Treehugger Robot
a56c9eb016
Merge "Allow PermissionController to find app_api_service and system_api_service."
2020-12-09 15:25:42 +00:00
Treehugger Robot
a801411fef
Merge "drmserver: audit permissions for /data/app" am: 951fc0b044
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1520730
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: I86000c02ee3aad36710db934e046a022e1dd2e52
2020-12-09 13:12:16 +00:00
Treehugger Robot
951fc0b044
Merge "drmserver: audit permissions for /data/app"
2020-12-09 12:38:06 +00:00
Inseob Kim
3b8b4251b7
Update 30.0 prebuilts to latest rvc-dev policy
...
For whatever reason, system/sepolicy/prebuilts/api/30.0 and rvc-dev's
system/sepolicy differ a little. This makes 30.0 prebuilts up-to-date
and also updates plat_pub_versioned.cil, built from aosp_arm64-eng
target on rvc-dev branch.
Bug: 168159977
Test: m selinux_policy
Change-Id: I03e8a40bf021966c32f0926972cc2a483458ce5b
2020-12-09 20:44:38 +09:00
Treehugger Robot
56d552af6d
Merge "system_app: remove adb data loader permissions" am: db87cdf6a8
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1520729
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: I24c9712f07b70e9ecadfc0e4ff46a92157a86938
2020-12-09 11:25:06 +00:00
Hai Zhang
86e10ef55d
Allow PermissionController to find app_api_service and system_api_service.
...
PermissionController is updatable, so we may need to call new APIs in newer versions.
Change-Id: I0a6657ad1f27e1e2fdc320184268966009d3a4fc
2020-12-09 11:10:06 +00:00
Treehugger Robot
db87cdf6a8
Merge "system_app: remove adb data loader permissions"
2020-12-09 10:36:14 +00:00
Jeff Vander Stoep
5e6d60a2a5
drmserver: audit permissions for /data/app
...
We would like to assert that only PackageManager can make
modifications to /data/app. However, I first need to remove
some existing permissions that seem like they are no longer
used (as per jtinker@). Add audit statements to confirm.
Test: build
Change-Id: Ie5ec5199f7e2f862c4d16d8c86b9b0db6fbe481c
2020-12-09 09:16:51 +01:00
Jeff Vander Stoep
07aee66679
system_app: remove adb data loader permissions
...
Per schfan@ these are no longer needed.
Test: build
Change-Id: Idda1d9775fdd38cbd53c3652b567ddfc5beca0a6
2020-12-09 08:58:23 +01:00
Christian Wailes
06e163b290
Merge "Added permissions for new dexopt flags." am: 93e6997181
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1480337
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: I882363b3cf293f5bac811e5d6b2c914935b6031a
2020-12-09 01:22:52 +00:00
Christian Wailes
93e6997181
Merge "Added permissions for new dexopt flags."
2020-12-09 00:00:26 +00:00
Maciej Żenczykowski
afd4d49733
Allow network_stack to synchronize the kernel rcu am: 5a7e49e525
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1516277
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: I19840b4bafacb69561cec658b5a076988e4c4dc7
2020-12-08 22:47:33 +00:00
Maciej Żenczykowski
5a7e49e525
Allow network_stack to synchronize the kernel rcu
...
via opening/closing a PF_KEY socket (this mirrors netd's privs)
Bug: 173167302
Test: m
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ia2c2cb52c4ec9149db29dc86a7927e3432bd2b9b
2020-12-08 14:49:20 +00:00
Adam Shih
9c9386d68d
never allow untrusted apps accessing debugfs_tracing am: 2543715187
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1513758
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: I28a14b4f551938725684dcd1153c48fc67d3da53
2020-12-08 02:26:32 +00:00
Chris Wailes
4540efcf73
Added permissions for new dexopt flags.
...
Bug: 173137187
Test: build
Merged-In: Iad1d23277915e1dbf655b0f2820320f15462ab33
Change-Id: Iad1d23277915e1dbf655b0f2820320f15462ab33
2020-12-07 16:15:24 -08:00
Adam Shih
2543715187
never allow untrusted apps accessing debugfs_tracing
...
debugfs_tracing can only be accessed by tracing tools provided by the
platform.
Bug: 172028429
Test: boot with no relevant log showing up
Change-Id: I412dd51a1b268061c5a972488b8bc4a0ee456601
2020-12-07 16:33:59 +08:00
Hai Zhang
6ac5499355
Add SELinux policy for legacy permission service. am: 04db97a72d
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1518957
Change-Id: I049bf9c591c539f698ba4cf7a172a2b7a0439ea4
2020-12-06 01:12:29 +00:00
Hai Zhang
04db97a72d
Add SELinux policy for legacy permission service.
...
The updatable and non-updatable permission manager cannot share one
AIDL, so we need to create a new system service for the non-updatable
legacy one, and add the SELinux policy for it.
Bug: 158736025
Test: presubmit
Change-Id: Ief8da6335e5bfb17d915d707cf48f4a43332f6ae
2020-12-04 14:43:33 -08:00
Dmitri Plotnikov
682fa8c22b
Merge "Add sched_process_free to debugfs_tracing label" am: 5d23015a3d
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1517343
Change-Id: I13e85a4ccc056e0d1aca0c7d9f2afbeff03b1ea5
2020-12-04 19:20:05 +00:00
Dmitri Plotnikov
5d23015a3d
Merge "Add sched_process_free to debugfs_tracing label"
2020-12-04 18:05:11 +00:00
Jonglin Lee
8ef765aa93
Merge "Revert "sepolicy: rules for uid/pid cgroups v2 hierarchy"" am: 7ce5e714e5
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1516549
Change-Id: Id114a507f1c9ad1059c39ce4121d7330e72fe14c
2020-12-04 05:09:02 +00:00
Jonglin Lee
7ce5e714e5
Merge "Revert "sepolicy: rules for uid/pid cgroups v2 hierarchy""
2020-12-04 04:47:39 +00:00
Jonglin Lee
51c04ac27b
Revert "sepolicy: rules for uid/pid cgroups v2 hierarchy"
...
Revert submission 1511692-cgroup v2 uid/pid hierarchy
Reason for revert: Causing intermittent cgroup kernel panics
Reverted Changes:
I80c2a069b:sepolicy: rules for uid/pid cgroups v2 hierarchy
I73f3e767d:libprocessgroup: uid/pid hierarchy for cgroup v2
Bug: 174776875
Change-Id: I63a03bb43d87c9aa564b1436a45fd5ec023aac87
Test: Locally reverted and booted 100 times without kernel panic
2020-12-04 03:12:59 +00:00
Kevin Chyn
83418f088b
Merge "Add SEPolicy for fingerprint2.2 example HAL" am: 9e8896ee4b
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1516278
Change-Id: I8f23e1a57418999cc3156a5f37057febebf3f203
2020-12-04 01:24:03 +00:00
Kevin Chyn
9e8896ee4b
Merge "Add SEPolicy for fingerprint2.2 example HAL"
2020-12-04 01:17:07 +00:00
Kiyoung Kim
39afa48eab
Merge "Support linkerconfig in Runtime APEX" am: 34395349f8
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1512755
Change-Id: Icfe8b0ddf01d345b23b51004a3bb4911b5b3f3fa
2020-12-04 01:12:26 +00:00
Kiyoung Kim
34395349f8
Merge "Support linkerconfig in Runtime APEX"
2020-12-04 01:00:06 +00:00
Treehugger Robot
2bfabf0b3f
Merge "Use intermediates for sepolicy contexts tests" am: 88eb862ab4
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1516485
Change-Id: I1d2671baa08a503eeb897df518b58dae4cb3cc09
2020-12-04 00:50:57 +00:00
Dmitri Plotnikov
c2d6e7e978
Add sched_process_free to debugfs_tracing label
...
Bug: 169279846
Test: atest bpf-time-in-state-tests
Test: verified that the time-in-state BPF prog still loads into
the kernel with no errors and gets attached without errors
Change-Id: If74632ae6f72e0371fea844d4ba7bef9260d1bdb
2020-12-03 16:47:30 -08:00
Treehugger Robot
88eb862ab4
Merge "Use intermediates for sepolicy contexts tests"
2020-12-04 00:17:49 +00:00
Colin Cross
b67df1f259
Use intermediates for sepolicy contexts tests
...
Using the installed locations for the sepolicy contexts tests
causes checkbuilds to incorrectly install the files, and races
with the packaging rules to cause them to be non-deterministically
included in the final NOTICE files or images. Use the intermediates
location instead.
Fixes: 174692639
Test: mmma system/sepolicy
Change-Id: Iea6869583b634f6018915934a1576fc283c106b2
2020-12-03 14:06:19 -08:00
Colin Cross
54c6e65216
Merge "Follow argument changes to RuleBuilder" am: 5fcbc0c472
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1501252
Change-Id: I7003545a68e432813f19d6bf9d1aebc7b4724496
2020-12-03 20:16:10 +00:00
Colin Cross
5fcbc0c472
Merge "Follow argument changes to RuleBuilder"
2020-12-03 20:07:30 +00:00
Nick Moukhine
56e271a5bc
Amend sepolicy for music recognition service am: 63edb71f15
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1516159
Change-Id: I5f579d9cc38ddfc5905c75d2c21947863267bea7
2020-12-03 14:34:28 +00:00
Nick Moukhine
63edb71f15
Amend sepolicy for music recognition service
...
Denial in cts tests prior to this change:
E/SELinux: avc: denied { find } for pid=20252 uid=10295 name=music_recognition scontext=u:r:untrusted_app:s0:c39,c257,c512,c768 tcontext=u:object_r:music_recognition_service:s0 tclass=service_manager permissive=0
Bug: 158194857
Test: patched and verified on internal master
Change-Id: Ia3ad66b12f8410b9be30941f2681f1bf4e50337e
2020-12-03 12:12:05 +01:00
Alistair Delva
3359155b2f
Fix pid_max denials from dumpstate, incidentd am: 2bbf1cea1e
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1513499
Change-Id: I27dd8ce6151810e481e04f1b829f55c18e3c2c62
2020-12-03 10:12:47 +00:00
Kevin Chyn
a492bf048d
Add SEPolicy for fingerprint2.2 example HAL
...
Bug: 172957689
Test: atest CtsBiometricsTestCases
Change-Id: I0de92a880e4ca04765da3e3184e5ad0382dc958a
2020-12-03 01:11:30 -08:00
Xin Li
77ec098a0a
Merge "Merge rvc-qpr-dev-plus-aosp-without-vendor@6881855" into stage-aosp-master
2020-12-03 03:19:15 +00:00
Alistair Delva
2bbf1cea1e
Fix pid_max denials from dumpstate, incidentd
...
The dumpstate and incidentd contexts may call on to toybox tools like
"ps" and "top" which are now reading /proc/sys/kernel/pid_max.
Fixes denials like:
avc: denied { read } for comm="top" name="pid_max" dev="proc" ino=125433
scontext=u:r:incidentd:s0 tcontext=u:object_r:proc_pid_max:s0
tclass=file permissive=0
avc: denied { read } for comm="ps" name="pid_max" dev="proc" ino=125433
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_pid_max:s0
tclass=file permissive=0
avc: denied { read } for comm="ps" name="pid_max" dev="proc" ino=125433
scontext=u:r:incidentd:s0 tcontext=u:object_r:proc_pid_max:s0
tclass=file permissive=0
Bug: 171070708
Bug: 172703374
Bug: 174618269
Change-Id: Ief5662c6d484e966bd1ba7134eddfabb3f7ad0e4
2020-12-02 16:05:01 -08:00
Treehugger Robot
621ca4b0bb
Merge "sepolicy: rules for uid/pid cgroups v2 hierarchy" am: b18b39486f
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1511581
Change-Id: Id9b2de18a4ad4109b09dc538c0f234280ff6daf9
2020-12-02 20:38:41 +00:00
Treehugger Robot
b18b39486f
Merge "sepolicy: rules for uid/pid cgroups v2 hierarchy"
2020-12-02 19:50:11 +00:00
Treehugger Robot
430ef349d5
Merge "Allow network_stack to update eBPF map" am: 77dd325871
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1510914
Change-Id: I1086e5a7439fc9e58c0697b2710a1343ba7670d5
2020-12-02 08:57:34 +00:00