tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
22476 commits 1 branch 0 tags 50 MiB
Commit graph

22476 commits

This branch
This branch
All branches
Author SHA1 Message Date
Yifan Hong
7143e1c106 Merge "Allow charger to open health passthrough HAL" 
am: 242dbece51

Change-Id: Iefcc02fd4d90589be0cd7803fbb921541cc7a0c9
 2019-11-01 16:53:38 -07:00
Yifan Hong
242dbece51 Merge "Allow charger to open health passthrough HAL" 2019-11-01 23:46:31 +00:00
Peter Collingbourne
330ee2ca22 sepolicy: Allow system_server to use execmem in emulator builds with software rendering. 
In emulator builds without OpenGL passthrough, we use software rendering
via SwiftShader, which requires JIT support. Therefore, we need to allow
system_server to use execmem so that it can run JITed code. These builds
are never shipped to users.

Bug: 142352330
Change-Id: I4d55b5a1b4ebae2fc8198ef66107c22bde41ad7e
 2019-11-01 15:27:29 -07:00
Steven Moreland
416aa29a30 Merge "stable aidl vibrator policy" 
am: a71c74c188

Change-Id: I1b002a203b0c5eb592b78c4d0b3f3e20bf7ed3ac
 2019-11-01 14:34:23 -07:00
Tomasz Wasilczyk
3846fc25f6 Vehicle HAL: allow communication with CAN bus HAL and alternative service naming 
Bug: 143779011
Test: implemented a VHAL service prototype that communicates with VHAL
Change-Id: I8f449510fc638e29a5cb23c0e32f3d87386ba9bc
 2019-11-01 14:21:03 -07:00
Steven Moreland
a71c74c188 Merge "stable aidl vibrator policy" 2019-11-01 21:09:52 +00:00
Chong Zhang
9fef0f7b8b allow mediaserver to access configstore 
am: 0ee3eecbfa

Change-Id: I499932c0a31819389479af4cf3c288092828884f
 2019-11-01 13:26:50 -07:00
Yifan Hong
070d35916f Allow snapshotctl to create ota_metadata_file. 
When snapshotctl merge is called on sys.boot_completed
and /metadata/ota/state does not exist, it now tries
to initialize it by creating one.

Test: no selinux denials on boot
Bug: 143551390
Change-Id: I6ee268270e8f788d90610d7a1a90f252ea9baa3a
 2019-11-01 11:55:54 -07:00
Chong Zhang
0ee3eecbfa allow mediaserver to access configstore 
This is needed to use graphics RenderEngine, creation will
try to access configstore.

bug: 135717526
test: run MediaMetadataRetrieverTest, there shouldn't be any
avc denials in logcat.

Change-Id: Ie26ffe4844edd52684f254e77d9f515550dc82fb
 2019-11-01 10:07:36 -07:00
Yifan Hong
cedb97ee9b Merge "dumpstate: reads ota_metadata_file" 
am: 38c47f1bc0

Change-Id: Ib87cc6f69d2ca88a11c22702d589f966cff325f0
 2019-10-31 18:41:56 -07:00
Treehugger Robot
38c47f1bc0 Merge "dumpstate: reads ota_metadata_file" 2019-11-01 01:34:48 +00:00
David Anderson
d14cbfd082 Merge "Add fastbootd to the sys_rawio whitelist." 
am: 69e3af2d70

Change-Id: I59455428a2c4f89331930ee27289ba6468f934e5
 2019-10-31 13:38:29 -07:00
David Anderson
69e3af2d70 Merge "Add fastbootd to the sys_rawio whitelist." 2019-10-31 20:20:39 +00:00
TreeHugger Robot
fa2e6ea73b Merge "DO NOT MERGE - qt-qpr1-dev-plus-aosp-without-vendor@5915889 into stage-aosp-master" into stage-aosp-master 2019-10-31 18:38:53 +00:00
Ashwini Oruganti
001d3ce97a Merge "Create a separate domain for permissioncontroller" 
am: 9a85143b4d

Change-Id: I80a0fc5942f25838cda666ee126ca60f8602a378
 2019-10-31 09:44:46 -07:00
Ashwini Oruganti
9a85143b4d Merge "Create a separate domain for permissioncontroller" 2019-10-31 16:38:56 +00:00
Tom Cherry
b314448fa9 logpersist is now a shell script, so give it the appropriate permissions 
am: bf2f37325b

Change-Id: I46101555d3df93845c7a967f6a9277026053337f
 2019-10-31 06:58:45 -07:00
Ashwini Oruganti
9bc81125ef Create a separate domain for permissioncontroller 
This creates an SELinux domain for permissioncontroller and moves it out of the
priv_app SELinux domain.

Bug: 142672293
Test: Flashed a device with this build and verified
com.google.android.permissioncontroller runs in the
permissioncontroller_app domain.
Change-Id: Ieb2e4cb806d18aaeb2e5c458e138975d1d5b64fe
 2019-10-30 14:59:12 -07:00
Tom Cherry
bf2f37325b logpersist is now a shell script, so give it the appropriate permissions 
Test: logcatd / logpersist work
Change-Id: Id283e24b0b48ddfa056ff842eecb51ee52b44c5e
 2019-10-30 13:54:35 -07:00
Xin Li
a9fd2e0647 DO NOT MERGE - qt-qpr1-dev-plus-aosp-without-vendor@5915889 into stage-aosp-master 
Bug: 142003500
Change-Id: I8aaa916e42e903adf1d1f26bda5b00e7ef91bfa5
 2019-10-30 11:50:45 -07:00
Roshan Pius
6ac2e87eb5 Merge "sepolicy: Move wifi keystore HAL service to wificond" 
am: 8e9b37da04

Change-Id: I77c7b4f745bdf98e3e840bd13d4b1213a23139f7
 2019-10-29 16:41:55 -07:00
Steven Moreland
d87649c645 stable aidl vibrator policy 
Bug: 141828236
Test: boot, dumpsys -l
Change-Id: Id3fc8724238883116e840794309efbf6c91226c9
 2019-10-29 16:39:55 -07:00
Roshan Pius
8e9b37da04 Merge "sepolicy: Move wifi keystore HAL service to wificond" 2019-10-29 23:09:12 +00:00
Sudheer Shanka
c9d3f222e7 Add a new system service "blob_store". 
Bug: 143559646
Test: manual
Change-Id: Id13566e9efc815f4a6ebb7228a1145aa91d6d526
 2019-10-29 15:34:11 -07:00
Josh Gao
807f15e93d Move adbd to an apex. 
Test: adb shell "su 0 readlink /proc/\`pidof adbd\`/exe"
Change-Id: Ic71e78111a7201b1e5a8eb6b43a1ea689a655cd1
 2019-10-29 14:58:09 -07:00
Yifan Hong
91709db313 dumpstate: reads ota_metadata_file 
Bug: 137757435
Test: bugreport
Change-Id: I72a7d1e01e2f4a050220f77d62e5592a14925e17
 2019-10-29 14:29:54 -07:00
Jeff Vander Stoep
ba14e2f6db Merge "priv_app: supress more snet selinux denial on sysfs" 
am: 1007f1b742

Change-Id: I47b5b12ee443338be3438c4e338f5a7d14760b03
 2019-10-29 03:24:12 -07:00
Treehugger Robot
1007f1b742 Merge "priv_app: supress more snet selinux denial on sysfs" 2019-10-29 10:08:49 +00:00
Paul Crowley
6c8488686f Merge "Replace "flags" property with "options" with same format as fstab" 
am: 6cbb3368df

Change-Id: I8aa0e1bf74cbdf234915aad6c3f93e112b45802d
 2019-10-28 19:22:42 -07:00
Paul Crowley
6cbb3368df Merge "Replace "flags" property with "options" with same format as fstab" 2019-10-29 02:00:36 +00:00
Adam Shih
64085f6f5c Merge "allow vendor to minimize area of module_load" 
am: 9911bd8929

Change-Id: Id66e9910fd60887b414eed88382bc8f6a966b85a
 2019-10-28 18:41:38 -07:00
Adam Shih
9911bd8929 Merge "allow vendor to minimize area of module_load" 2019-10-29 01:29:45 +00:00
Roshan Pius
31f511ae08 sepolicy: Move wifi keystore HAL service to wificond 
Bug: 142969896
Test: Verified connecting to passpoint networks.
Change-Id: Iac72b13e24f45bbf834d698cfcfd0fe9177a80d3
Merged-In: Iac72b13e24f45bbf834d698cfcfd0fe9177a80d3
 2019-10-28 14:06:17 -07:00
Adam Shih
712f0f3cac allow vendor to minimize area of module_load 
Vendor can only do module load in vendor_file, which is a large area.
Changing vendor_file to vendor_file_type allows vendor to use different
labels and restrict it to smaller area.

Bug: 143338171
Change-Id: If8e0c088f2d49b7fbffff062dcae3b4084016b03
 2019-10-28 09:26:48 +00:00
Xin Li
c84aeab5ba [automerger skipped] Merge Coral/Flame into AOSP master 
am: dbdad5d989 -s ours
am skip reason: change_id Ie0eb4dfb17e3f64a9f375306a85d9eb58c8ab424 with SHA1 5daea7332d is in history

Change-Id: I7e344e79840207cf74b1ec03ad296ac0ffcfe430
 2019-10-26 22:25:47 -07:00
David Anderson
74affd1403 Add fastbootd to the sys_rawio whitelist. 
A similar problem was previously encountered with the boot control HAL
in bug 118011561. The HAL may need access to emmc to implement
set_active commands.

fastbootd uses the boot control HAL in passthru mode when in recovery,
so by extension, it needs this exception as well.

Bug: 140367894
Test: fastbootd can use sys_rawio
Change-Id: I1040e314a58eae8a516a2e999e9d4e2aa51786e7
 2019-10-25 22:32:32 +00:00
Xin Li
dbdad5d989 Merge Coral/Flame into AOSP master 
Bug: 141248619
Change-Id: I421ad141f2a1bbda2b2a2d7610aa8305b0ecd03a
Merged-In: Ie0eb4dfb17e3f64a9f375306a85d9eb58c8ab424
 2019-10-25 10:28:41 -07:00
Jeff Vander Stoep
90bd1de368 priv_app: supress more snet selinux denial on sysfs 
Bug: 143294492
Test: build
Change-Id: I55c9baf7f55d9ab36bf1509ca466e0747c49567d
 2019-10-25 11:28:40 +02:00
Paul Crowley
dddf492468 Replace "flags" property with "options" with same format as fstab 
Bug: 143307095
Test: Set override, check policy is as expected with sm set-virtual-disk

Change-Id: I78b36295141db43ae3e910c654696d3e36a24734
 2019-10-24 23:26:02 -07:00
Yifan Hong
22da872625 Merge "Give dumpstate access to gsid." 
am: 175a317083

Change-Id: Id4c2362d6f165ff054146569e576458fbace7b01
 2019-10-24 17:55:31 -07:00
Yifan Hong
175a317083 Merge "Give dumpstate access to gsid." 2019-10-25 00:34:15 +00:00
Yifan Hong
5daea7332d Merge "Add health 2.1 HAL" 
am: ba48222bc7

Change-Id: Ie0eb4dfb17e3f64a9f375306a85d9eb58c8ab424
 2019-10-23 18:30:34 -07:00
Yifan Hong
ba48222bc7 Merge "Add health 2.1 HAL" 2019-10-24 01:03:09 +00:00
Igor Murashkin
fb035ca15e Merge "sepolicy: Add iorap_prefetcherd rules" 
am: 91e58ac87b

Change-Id: I0555da9b952836983cd55d0f8204437acfe8edf2
 2019-10-23 11:10:37 -07:00
Treehugger Robot
91e58ac87b Merge "sepolicy: Add iorap_prefetcherd rules" 2019-10-23 17:46:42 +00:00
Steven Moreland
a756a73b3d Merge "Service context for servicemanager." 
am: 3057643aef

Change-Id: I20b88ff67fe91b4ccb63bfee2173595ff4ab194c
 2019-10-23 10:16:20 -07:00
Steven Moreland
3057643aef Merge "Service context for servicemanager." 2019-10-23 17:02:08 +00:00
Joel Galenson
8f8c5e314e Cleanup: use binder_call macro. 
am: 4321551734

Change-Id: Idd69abe372db4851ebccb5e5cd9e7b845f4e163c
 2019-10-23 07:53:31 -07:00
Joel Galenson
4321551734 Cleanup: use binder_call macro. 
Test: Compile.
Change-Id: Ic05ed96f50d5139b12a28565a0dc697476874a22
 2019-10-22 13:08:10 -07:00
Igor Murashkin
9f74a428c4 sepolicy: Add iorap_prefetcherd rules 
/system/bin/iorapd fork+execs into /system/bin/iorap_prefetcherd during
startup

See also go/android-iorap-security for the design doc

Bug: 137403231
Change-Id: Ie8949c7927a98e0ab757bc46230c589b5a496360
 2019-10-22 12:45:46 -07:00