Andrew Walbran
b52306081a
Merge "Add crosvm domain and give virtmanager and crosvm necessary permissions." am: 3b6a385137
am: 787c8b3320
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1655917
Change-Id: Id4cbc92855d61372af03b05bfc981bb6fc9791f0
2021-04-22 20:44:18 +00:00
Andrew Walbran
787c8b3320
Merge "Add crosvm domain and give virtmanager and crosvm necessary permissions." am: 3b6a385137
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1655917
Change-Id: I6da1e0688f85bf8f9c911e6cd4084e101e7b805d
2021-04-22 20:24:58 +00:00
Andrew Walbran
3b6a385137
Merge "Add crosvm domain and give virtmanager and crosvm necessary permissions."
2021-04-22 18:57:15 +00:00
Treehugger Robot
cf2b67a243
Merge changes from topic "debugfs_neverallow" am: 005ae599cd
am: 95fef2b070
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1668411
Change-Id: Ic618330ba636a47d0b0e198ce97d5d19b00eaf30
2021-04-22 17:20:45 +00:00
Florian Mayer
5ba2d74bcd
Merge "Revert^2 "Build userdebug_plat_sepolicy.cil with Android.bp"" am: 2b525c5ca3
am: f5120b98a6
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1683876
Change-Id: Ic26709244f5334507d57a5dd0a253ae88777014b
2021-04-22 17:10:23 +00:00
Treehugger Robot
95fef2b070
Merge changes from topic "debugfs_neverallow" am: 005ae599cd
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1668411
Change-Id: I90babf42eb8504fb2b0fa269a4e538b557d2328d
2021-04-22 17:03:14 +00:00
Florian Mayer
f5120b98a6
Merge "Revert^2 "Build userdebug_plat_sepolicy.cil with Android.bp"" am: 2b525c5ca3
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1683876
Change-Id: I690561365a51af21a5c1cc1a5bcf368b00304b9f
2021-04-22 17:00:37 +00:00
Treehugger Robot
005ae599cd
Merge changes from topic "debugfs_neverallow"
...
* changes:
Check that tracefs files are labelled as tracefs_type
Exclude vendor_modprobe from debugfs neverallow restrictions
Add neverallows for debugfs access
Add a neverallow for debugfs mounting
2021-04-22 16:41:06 +00:00
Florian Mayer
2b525c5ca3
Merge "Revert^2 "Build userdebug_plat_sepolicy.cil with Android.bp""
2021-04-22 16:40:24 +00:00
Florian Mayer
e10ceab330
Revert^2 "Build userdebug_plat_sepolicy.cil with Android.bp"
...
0177004c7f
Change-Id: I40aa5025d487922decd9909c0d35c9e3a6b8dd61
2021-04-22 16:38:47 +00:00
Treehugger Robot
744817bb06
Merge "Revert "Build userdebug_plat_sepolicy.cil with Android.bp"" am: 714864cc24
am: 66f16a9acc
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1684325
Change-Id: I5b2a0423979bcb386dcb233cdc3fd8491f897640
2021-04-22 15:53:33 +00:00
Treehugger Robot
66f16a9acc
Merge "Revert "Build userdebug_plat_sepolicy.cil with Android.bp"" am: 714864cc24
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1684325
Change-Id: Ib548845a0887bb5266e1f06ddbb342b4d943e15f
2021-04-22 15:35:27 +00:00
Treehugger Robot
714864cc24
Merge "Revert "Build userdebug_plat_sepolicy.cil with Android.bp""
2021-04-22 15:28:06 +00:00
Treehugger Robot
b8d397db9b
Merge "sepolicy: Give access to ahal to flinger standby prop" am: e0646ba15b
am: eba4818e88
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1658623
Change-Id: I83deb0f34d7eb22fa87b00885e72dc5ccc133622
2021-04-22 03:26:47 +00:00
Treehugger Robot
eba4818e88
Merge "sepolicy: Give access to ahal to flinger standby prop" am: e0646ba15b
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1658623
Change-Id: I0836fd09ee17319299413c3544e4765b43c4851f
2021-04-22 02:58:37 +00:00
Treehugger Robot
e0646ba15b
Merge "sepolicy: Give access to ahal to flinger standby prop"
2021-04-22 02:36:46 +00:00
Bowgo Tsai
0177004c7f
Revert "Build userdebug_plat_sepolicy.cil with Android.bp"
...
This reverts commit 57b64bd282.
Because it breaks the usage of boot-debug.img and
vendor_boot-debug.img.
Bug: 185970130
Bug: 185990198
Test: make bootimage_debug
Change-Id: I2c7c4f9954540a9be301b3ed0a6c2f0af2019803
2021-04-22 09:55:21 +08:00
David Massoud
418070b5ac
Merge "Allow traced_probes to read devfreq" am: 47b6227134
am: eeb537fcb8
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1676945
Change-Id: Id1ce2d929b9630ef4a55e8bd0dc4e1e28accea36
2021-04-22 01:12:58 +00:00
David Massoud
eeb537fcb8
Merge "Allow traced_probes to read devfreq" am: 47b6227134
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1676945
Change-Id: I21217e5e095b3113e6d65d006c043be75295a4d1
2021-04-22 00:40:18 +00:00
David Massoud
47b6227134
Merge "Allow traced_probes to read devfreq"
2021-04-22 00:18:35 +00:00
Hridya Valsaraju
fde9b8f069
Check that tracefs files are labelled as tracefs_type
...
Bug: 184381659
Test: make
Change-Id: Iaa4fce9f02d85f2657f2331b68ae5af318d0820f
2021-04-21 14:13:54 -07:00
Hridya Valsaraju
4b6d50dcb4
Exclude vendor_modprobe from debugfs neverallow restrictions
...
vendor_modprobe loads kernel modules which may create files in
debugfs during module_init().
Bug: 179760914
Test: build
Change-Id: I743a81489f469d52f94a88166f8583a7d797db16
2021-04-21 14:13:41 -07:00
Hridya Valsaraju
a0b504a484
Add neverallows for debugfs access
...
Android R launching devices and newer must not ship with debugfs
mounted. For Android S launching devices and newer, debugfs must only be
mounted in userdebug/eng builds by init (for boot time initializations)
and dumpstate (for grabbing debug information from debugfs using the
dumpstate HAL).
This patch adds neverallow statements to prevent other processes
being provided access to debugfs when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS
is set to true.
Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Bug: 184381659
Change-Id: I63a22402cf6b1f57af7ace50000acff3f06a49be
2021-04-21 14:13:22 -07:00
Hridya Valsaraju
1c3d898d87
Add a neverallow for debugfs mounting
...
Android R launching devices and newer must not ship with debugfs
mounted. For Android S launching devices and newer, debugfs must only be
mounted in userdebug/eng builds by init (for boot time initializations)
and dumpstate (for grabbing debug information from debugfs). This patch
adds a neverallow statement that prevents processes other than init
from being provided access to mount debugfs in non-user builds
when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS is set to true.
Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Bug: 184381659
Change-Id: I289f2d25662a78678929e29f83cb31cebd8ca737
2021-04-21 14:13:02 -07:00
Steven Moreland
7b9b618f67
Merge "sepolicy: allow BINDER_ENABLE_ONEWAY_SPAM_DETECTION for all processes" am: 7534762861
am: b1406bc54a
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1679693
Change-Id: Icce71cc00dd9f89a845ae5f6c4e3a92e32f341bb
2021-04-21 17:28:30 +00:00
Steven Moreland
b1406bc54a
Merge "sepolicy: allow BINDER_ENABLE_ONEWAY_SPAM_DETECTION for all processes" am: 7534762861
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1679693
Change-Id: I05b1c968f8446bfa49b42271c7d585a707af2dfd
2021-04-21 16:59:56 +00:00
Steven Moreland
7534762861
Merge "sepolicy: allow BINDER_ENABLE_ONEWAY_SPAM_DETECTION for all processes"
2021-04-21 16:42:26 +00:00
Treehugger Robot
93119b8340
Merge "Make suspend_prop system_vendor_config_prop" am: c78b80667c
am: bed8f2ac24
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1681505
Change-Id: I797e2111023b6433efe0659810e0c5ea7645f65a
2021-04-21 01:13:57 +00:00
Treehugger Robot
bed8f2ac24
Merge "Make suspend_prop system_vendor_config_prop" am: c78b80667c
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1681505
Change-Id: Ie6b1cfa813924da1f8a78ac37a638d6ad9a117b6
2021-04-21 00:52:03 +00:00
Treehugger Robot
c78b80667c
Merge "Make suspend_prop system_vendor_config_prop"
2021-04-21 00:28:12 +00:00
Seth Moore
742361a571
Merge "Enable pull metrics from keystore" am: 84742a3d92
am: ec3d371038
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1674808
Change-Id: Ia33a4523f550764abf075ef8ffd2835d76ac2696
2021-04-20 16:50:20 +00:00
Seth Moore
ec3d371038
Merge "Enable pull metrics from keystore" am: 84742a3d92
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1674808
Change-Id: I4155db143c0b61da16e7f13fcbbe3816fd934f2e
2021-04-20 16:25:35 +00:00
Benjamin Schwartz
c171a1d9b6
Make suspend_prop system_vendor_config_prop
...
Bug: 185810834
Test: adb shell getprop suspend.short_suspend_threshold_millis
Change-Id: I270057e5f81b220b7168573b516dd102650f11e1
2021-04-20 09:13:02 -07:00
Seth Moore
84742a3d92
Merge "Enable pull metrics from keystore"
2021-04-20 16:00:46 +00:00
Treehugger Robot
b48d208ee6
Merge "Move install_recovery.sh file_contexts mapping" am: 98dc738b57
am: 79d27196fd
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1679446
Change-Id: I8a9355a53d2400a478571af91720154a65cbdb6e
2021-04-20 12:01:04 +00:00
Treehugger Robot
79d27196fd
Merge "Move install_recovery.sh file_contexts mapping" am: 98dc738b57
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1679446
Change-Id: Ie3ff271da90697aba7d928debcd23f1aa7dc969e
2021-04-20 11:36:53 +00:00
Treehugger Robot
98dc738b57
Merge "Move install_recovery.sh file_contexts mapping"
2021-04-20 11:18:35 +00:00
Jeff Vander Stoep
bf49a89ba5
Move install_recovery.sh file_contexts mapping
...
The type is declared in vendor policy, so the mapping should live
there as well.
Fixes: 185288751
Test: TH
Change-Id: Ia446d7b5eb0444cdbd48d3628f54792d8a6b2786
2021-04-20 11:32:24 +02:00
Treehugger Robot
efb6c0b1b6
Merge "Add a property to enable runtime debugfs restrictions in non-user builds" am: f5ec134342
am: b9f8fd42d5
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1663701
Change-Id: I75845c2c10cccbdb6f79ff48334850496532d0b6
2021-04-20 06:57:04 +00:00
Treehugger Robot
b9f8fd42d5
Merge "Add a property to enable runtime debugfs restrictions in non-user builds" am: f5ec134342
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1663701
Change-Id: I06fff5f3ea60bfde9dc7b3230b780f3498cb5b6b
2021-04-20 06:32:21 +00:00
Hang Lu
a251b7ed65
sepolicy: allow BINDER_ENABLE_ONEWAY_SPAM_DETECTION for all processes
...
BINDER_ENABLE_ONEWAY_SPAM_DETECTION is used to enable/disable oneway
spamming detection in binder driver, and can be set per-proc.
Bug: 181190340
Change-Id: Id799b19ee5a74b458e286dc29122c140a047bdad
2021-04-20 14:07:56 +08:00
Treehugger Robot
f5ec134342
Merge "Add a property to enable runtime debugfs restrictions in non-user builds"
2021-04-20 06:07:53 +00:00
Yo Chiang
b21fd0b819
Merge "Allow health storage HAL to read default fstab" am: 9c66e3dfa3
am: 305a726d77
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1673195
Change-Id: If4d3cb014c3973e5b1732218f0d42b3ba66d5749
2021-04-20 03:31:39 +00:00
Yo Chiang
305a726d77
Merge "Allow health storage HAL to read default fstab" am: 9c66e3dfa3
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1673195
Change-Id: I5e7574fe8b901d9cfc750a071bca8f816b2b4d8d
2021-04-20 03:11:20 +00:00
Yo Chiang
9c66e3dfa3
Merge "Allow health storage HAL to read default fstab"
2021-04-20 02:36:06 +00:00
Treehugger Robot
82d927bad8
Merge "Add permission checker service" am: 644639584b
am: e8a381e3e4
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1678585
Change-Id: If6646467c8c6e9de283cad80f6bc1d26801479f8
2021-04-19 19:13:11 +00:00
Treehugger Robot
e8a381e3e4
Merge "Add permission checker service" am: 644639584b
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1678585
Change-Id: I3085296e62a6358ca4f66b541c896c6d9b929c8a
2021-04-19 18:42:45 +00:00
Treehugger Robot
644639584b
Merge "Add permission checker service"
2021-04-19 16:54:46 +00:00
Treehugger Robot
7782083c8a
Merge "Add existing ro.hdmi sysprops to sepolicy" am: e2133c2f3a
am: 0f0dc9dd42
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1675522
Change-Id: I5a1bf654c99ea8f9c2ce18a572a19add2ab070b2
2021-04-19 09:19:27 +00:00
Treehugger Robot
0f0dc9dd42
Merge "Add existing ro.hdmi sysprops to sepolicy" am: e2133c2f3a
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1675522
Change-Id: Ibeb5db36cf6deff1d5cc4e810ce336de5cc4584f
2021-04-19 08:56:12 +00:00