tequilaOS/platform_system_sepolicy

Author	SHA1	Message	Date
Jooyung Han	b6211b88cf	Introduce vendor_apex_metadata_file A new label for ./apex_manifest.pb and ./ entries in vendor apexes. This is read-allowed by a few system components which need to read "apex" in general. For example, linkerconfig needs to read apex_manifest.pb from all apexes including vendor apexes. Previously, these entries were labelled as system_file even for vendor apexes. Bug: 285075529 Test: m && launch_cvd Test: atest VendorApexHostTestsCases Change-Id: Icc234bf604e3cafe6da81d21db744abfaa524dcf	2023-06-05 17:17:51 +09:00
Treehugger Robot	30c25de59d	Merge changes from topic "artsrv-experiment-flag" * changes: Give art_boot explicit access to experiment flags. Allow the ART boot oneshot service to configure ART config properties.	2023-06-01 18:21:50 +00:00
Treehugger Robot	cd69d35a5e	Merge "Add sepolicy for ro.build.ab_update.ab_ota_partitions"	2023-05-25 11:14:40 +00:00
Kelvin Zhang	60456bd47e	Add sepolicy for ro.build.ab_update.ab_ota_partitions Bug: 283042235 Test: th Change-Id: Ie2296b75c91fbeb83cb0f3e61d5013b106fb78d0	2023-05-24 18:26:12 -07:00
Jin Jeong	d7558db004	Merge "Revert "Add setupwizard_esim_prop to access ro.setupwizard.esim_cid_ignore""	2023-05-24 08:21:54 +00:00
Martin Stjernholm	e1ac267ddd	Allow the ART boot oneshot service to configure ART config properties. Test: See commit 2691baf9d4f8086902d46b2e340a6e5464857b90 in art/ (ag/23125728) Bug: 281850017 Change-Id: I14baf55d07ad559294bd3b7d9562230e78201d25 (cherry picked from commit `3d7093fd7b`) Merged-In: I14baf55d07ad559294bd3b7d9562230e78201d25	2023-05-16 16:13:42 +01:00
Jin Jeong	9bd3eedbef	Revert "Add setupwizard_esim_prop to access ro.setupwizard.esim_cid_ignore" This reverts commit `489abecf67`. Reason for revert: b/279988311 we rename the vendor.modem property so we don't need to add the new rules Change-Id: I19d1da02baf8cc4b5182a3410111a0e78831d7f8 Merged-In: I0c2bfe55987949ad52f62e468c84df954f39a4ad	2023-05-15 10:43:05 +00:00
Jin Jeong	27d3cc7483	Merge "Add setupwizard_esim_prop to access ro.setupwizard.esim_cid_ignore"	2023-05-02 08:33:33 +00:00
Jinyoung Jeong	489abecf67	Add setupwizard_esim_prop to access ro.setupwizard.esim_cid_ignore bug: 279548423 Test: http://fusion2/b7c803be-2dca-4195-b91f-6c4939746b5b, http://fusion2/bb76429b-7d84-4e14-b127-8458abb3e2ed Change-Id: I4b190fca2f3825a09d27cfc74e8a528831f4f15b Merged-In: I4b190fca2f3825a09d27cfc74e8a528831f4f15b	2023-05-02 01:24:23 +00:00
Kelvin Zhang	dbe230a193	Allow snapuserd to write log files to /data/misc snapuserd logs are important when OTA failures happen. To make debugging easier, allow snapuserd to persist logs in /data/misc/snapuserd_logs , and capture these logs in bugreport. Bug: 280127810 Change-Id: I49e30fd97ea143e7b9c799b0c746150217d5cbe0	2023-05-01 17:15:17 -07:00
Yuxin Hu	b011ba5ffb	Merge "Add a new system property persist.graphics.egl"	2023-04-13 18:49:26 +00:00
Yuxin Hu	889dd078e9	Add a new system property persist.graphics.egl This new system property will be read and written by a new developer option switch, through gpuservice. Based on the value stored in persis.graphics.egl, we will load different GLES driver. e.g. persist.graphics.egl == $ro.hardware.egl: load native GLES driver persist.graphics.egl == angle: load angle as GLES driver Bug: b/270994705 Test: m; flash and check Pixel 7 boots fine Change-Id: Idec4b947d0c69c52cd798df4f834053bd306cf5f	2023-04-13 04:38:46 +00:00
Yu Shan	9eb72464b5	Define sepolicy for ivn HAL. Test: manually verify ivn HAL on gcar_emu. Bug: 274139217 Change-Id: Ie12dccb723078d83b561c152cc4458e52c0f8090	2023-04-10 17:42:51 -07:00
Inseob Kim	1174fcf338	Merge "Remove 28.0 compat support"	2023-04-07 00:52:30 +00:00
Alexander Roederer	cf1ac9a714	Merge "Add persist.sysui.notification.builder_extras_ovrd"	2023-04-03 13:47:09 +00:00
Inseob Kim	d16612cd8a	Remove 28.0 compat support Treble doesn't support U system + P vendor, so removing P (28.0) prebuilts and compat files. Bug: 267692547 Test: build Change-Id: I3734a3d331ba8071d00cc196a2545773ae6a7a60	2023-04-03 15:17:03 +09:00
Treehugger Robot	f784149627	Merge "Use kernel sys/fs/fuse/features/fuse_bpf flag to enable fuse_bpf"	2023-03-31 22:29:31 +00:00
Jiakai Zhang	22fb5c7d24	Allow system server to set dynamic ART properties. This change gives a new type (dalvik_dynamic_config_prop) to some ART properties such as dalvik.vm.dex2oat-cpu-set and adds a new rule to allow system server to set them. Bug: 274530433 Test: Locally added some code to set those properties and saw it being successfull. Change-Id: Ie28602e9039b7647656594ce5c184d29778fa089	2023-03-31 11:46:05 +01:00
Alexander Roederer	829d974505	Add persist.sysui.notification.builder_extras_ovrd Adds persist.sysui.notification.builder_extras_override property and associated permissions, which will be used to flag guard a change in core/...Notification.java. Permissions are limited in scope to avoid unnecessary access. Apps may need to read the flag (because Notification.java is a core library), but setting should only be possible internally (and via debug shell). Test: manual flash+adb setprop/getprop Bug: 169435530 Change-Id: I3f7e2220798d22c90f4326570732a52b0deeb54d	2023-03-29 16:35:39 +00:00
Lakshman Annadorai	124be07e24	Add sepolicy rules for CpuMonitorService. Change-Id: Icda952c148150e4d7824e303d163996679a0f36b Test: m Bug: 242722241	2023-03-27 16:29:09 +00:00
Alan Stokes	a45646c024	Allow CompOS to read VM config properties We want to allow both the VM and ART to contribute to the VM config (e.g. memory size), so define labels for 2 sets of properties and grant the necessary access. Bug: 274102209 Test: builds Change-Id: Iaca1e0704301c9155f44e1859fc5a36198917568	2023-03-23 15:40:14 +00:00
Tri Vo	0099ba37f3	Merge "Remove RemoteProvisioner and remoteprovisioning services"	2023-03-17 17:18:01 +00:00
Tri Vo	4bb2d30701	Remove RemoteProvisioner and remoteprovisioning services Bug: 273325840 Test: keystore2_test Change-Id: I295ccdda5a3d87b568098fdf97b0ca5923e378bf	2023-03-14 15:45:35 -07:00
Paul Lawrence	6b5da95419	Use kernel sys/fs/fuse/features/fuse_bpf flag to enable fuse_bpf Bug: 262887267 Test: ro.fuse.bpf.is_running is true Change-Id: I9c4a54e9ac232e9f35a6be5b3bcc3cc040d64b47	2023-03-01 14:45:57 -08:00
Alice Wang	13e58cf7b1	[dice] Remove all the sepolicy relating the hal service dice am: `5e94b1698c` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2426073 Change-Id: I60664669f08fa3d83dfacb57ebd7da912951ad0a Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-02-24 19:57:23 +00:00
Alice Wang	5e94b1698c	[dice] Remove all the sepolicy relating the hal service dice As the service is not used anywhere for now and in the near future. Bug: 268322533 Test: m Change-Id: I0350f5e7e0d025de8069a9116662fee5ce1d5150	2023-02-24 08:34:26 +00:00
Treehugger Robot	c82b062d97	Merge "Allow dumpstate to read /data/system/shutdown-checkpoints/" am: `863cedfae6` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2422419 Change-Id: I8c47edbc31e2bf7bf0142ed0cb63af32385c6160 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-02-22 11:44:51 +00:00
Treehugger Robot	863cedfae6	Merge "Allow dumpstate to read /data/system/shutdown-checkpoints/"	2023-02-22 10:21:25 +00:00
Ioannis Ilkos	2a73c910d3	Merge "Sysprop for the count of active OOME tracing sessions" am: `300f93bf5a` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2433415 Change-Id: I94c868305fc6c681b01bc86b6f3d9ffaf8fac9d1 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-02-17 18:51:54 +00:00
Ioannis Ilkos	300f93bf5a	Merge "Sysprop for the count of active OOME tracing sessions"	2023-02-17 17:50:59 +00:00
Alfred Piccioni	89cd736d8d	Merge "Adds support for fuseblk binaries." am: `dd4c5fa93b` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2393296 Change-Id: Ic1a8d2a297848430a672826f1780bbb3e976f1be Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-02-17 16:23:38 +00:00
Alfred Piccioni	dd4c5fa93b	Merge "Adds support for fuseblk binaries."	2023-02-17 15:15:31 +00:00
Woody Lin	35541e183f	Allow dumpstate to read /data/system/shutdown-checkpoints/ Bug: 260366497 Bug: 264600011 Test: Take bugreport and check dmesg for avc error Test: Reboot and check shutdown-checkpoints Change-Id: Ifcc7de30ee64e18f78af147cd3da39d7c6dc6f5f	2023-02-16 14:23:33 +08:00
Feiyu Chen	e68fe11b3a	Merge "Add SELinux policy for edgetpu_native device_config prop" am: `b4b757cd83` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2434232 Change-Id: Iba932201fe56697b23f25a7ecb41a2f9829dd48a Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-02-15 03:31:01 +00:00
Feiyu Chen	b4b757cd83	Merge "Add SELinux policy for edgetpu_native device_config prop"	2023-02-15 02:32:22 +00:00
Ioannis Ilkos	8d168e2d8a	Sysprop for the count of active OOME tracing sessions In order for ART code to call perfetto DataSource::Trace() we need to wait for all data source instances to have completed their setup. To do so, we need to know how many of them exist. This introduces a new sysprop traced.oome_heap_session.count, writeable by perfetto traced and readable by apps and system_server that can be used to communicate this. See go/art-oom-heap-dump for more details Test: manual, atest HeapprofdJavaCtsTest Bug: 269246893 Change-Id: Ib8220879a40854f98bc2f550ff2e7ebf3e077756	2023-02-14 15:14:39 +00:00
Pedro Loureiro	14060332c7	Merge "Add SEPolicy for device config service" am: `43b0b8a65c` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2430374 Change-Id: I16624fc06f8cd15de32734e31a47acc504a5dea1 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-02-14 12:16:51 +00:00
Pedro Loureiro	43b0b8a65c	Merge "Add SEPolicy for device config service"	2023-02-14 11:18:41 +00:00
Akilesh Kailash	12e344b7de	Merge "Set sepolicy for ublk control device and block device" am: `a3c0ca4e67` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2433673 Change-Id: Ia1104a335a2932a48bc2f9eecb547c65e13fe334 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-02-14 04:41:42 +00:00
Akilesh Kailash	a3c0ca4e67	Merge "Set sepolicy for ublk control device and block device"	2023-02-14 03:59:06 +00:00
Akilesh Kailash	63a21044f2	Set sepolicy for ublk control device and block device ublk-control device: /dev/ublk-control ublk-block device: /dev/block/ublkbN where N is 0,1,2.. Bug: 269144965 Test: Verify sepolicy changes through kernel logs when user-space daemon communicates with ublk driver Change-Id: I10de557566e3c0628ea72fbbda4cff21e7cda68f Signed-off-by: Akilesh Kailash <akailash@google.com>	2023-02-13 16:30:40 -08:00
Jeffrey Huang	e53a5b25b6	Merge "Restrict system server from reading statsd data" am: `01fd5eb907` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2410783 Change-Id: I18a4d57758865141a9e0b6f479ff5aabf8db0ece Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-02-13 23:07:21 +00:00
Jeffrey Huang	01fd5eb907	Merge "Restrict system server from reading statsd data"	2023-02-13 22:37:09 +00:00
feiyuchen	70e1942fb3	Add SELinux policy for edgetpu_native device_config prop The new android property namespace will store the configurations which are set on the server side and read by the EdgeTpu HAL. Notes: * This CL is similar to nnapi_native CL: https://android-review.git.corp.google.com/c/platform/system/sepolicy/+/1844919 * The read permission of EdgeTpu HAL will be added in another internal CL. Test: mm Bug: 243553703 Bug: 246401730 Change-Id: I5705f679148b313d919f334c51e31f7645aca82a	2023-02-13 21:55:57 +00:00
Pedro Loureiro	58847ab171	Add SEPolicy for device config service A new mainline module that will have the device config logic requires a new service (device_config_updatable). Bug: 252703257 Test: manual because logic that launches service is behind flag Change-Id: I4ffba0c7d2afc44af8438b7d84d836e42388bd7d	2023-02-13 09:37:12 +00:00
Brian Julian	e346f2fe80	Merge "Backports sepolicy for AltitudeService to T." am: `f388934ffe` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2406792 Change-Id: I8cd9387e7b27e032e38b23a531a710a8801c6a5b Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-02-08 18:51:22 +00:00
Brian Julian	32b0a39d27	Backports sepolicy for AltitudeService to T. Test: VtsHalAltitudeServiceTargetTest Bug: 265013616 Change-Id: I8eb6af8b9350e0d021ef781eb9f3776b4adf3b7f Merged-In: I8eb6af8b9350e0d021ef781eb9f3776b4adf3b7f	2023-02-07 19:38:17 +00:00
Jeffrey Huang	fcf5a91e00	Restrict system server from reading statsd data Bug: 267367423 Test: m -j Change-Id: I0628142c2380cf568643f864ae211fbf5380550c	2023-02-06 18:29:21 -08:00
Treehugger Robot	d1c26af880	Merge "Add selinux permissions for DeviceAsWebcam Service" am: `870b368ec5` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2410788 Change-Id: I4f2f7feac7862ff525e1ebf15c7ee1f036ca9fb3 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2023-02-03 02:00:29 +00:00
Avichal Rakesh	e0929241a1	Add selinux permissions for DeviceAsWebcam Service DeviceAsWebcam is a new service that turns an android device into a webcam. It requires access to all services that a regular app needs access to, and it requires read/write permission to /dev/video* nodes which is how the linux kernel mounts the UVC gadget. Bug: 242344221 Bug: 242344229 Test: Manually tested that the service can access all the nodes it needs, and no selinux exceptions are reported for the service when running. Change-Id: I45c5df105f5b0c31dd6a733f50eb764479d18e9f	2023-02-02 12:26:33 -08:00

1 2 3 4 5 ...

2004 commits