Commit graph

38881 commits

Author SHA1 Message Date
Sophie Zheng
baf2379288 Merge "Update prebuilts to fix sepolicy_freeze_test" into android12L-tests-dev am: a31ea3eb0c am: c7b828e56c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2208095

Change-Id: I1fd7f830a51d7dd504062dd9db82d8f58fd9dcfe
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-09-15 23:09:30 +00:00
Florian Mayer
4eb6456501 Update prebuilts to fix sepolicy_freeze_test am: 5de1b2096d am: c84be7da03 am: 96b242efa2
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2199642

Change-Id: I8e2b7d566aaa440d563e0166542a3707d9f619ec
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-09-15 23:08:21 +00:00
Florian Mayer
7c3e25a3fb Update prebuilts to fix sepolicy_freeze_test am: f99eeb6bd9 am: 6f2280dba9
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2201137

Change-Id: I20238a581ac22098c8584bfc10e46e6c8bcbe65c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-09-15 23:06:53 +00:00
Sophie Zheng
c7b828e56c Merge "Update prebuilts to fix sepolicy_freeze_test" into android12L-tests-dev am: a31ea3eb0c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2208095

Change-Id: I25e42e75635e6b5757ae0eba0068827b6e38fe40
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-09-15 22:36:57 +00:00
Florian Mayer
96b242efa2 Update prebuilts to fix sepolicy_freeze_test am: 5de1b2096d am: c84be7da03
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2199642

Change-Id: Ie0e54d81155920f8e5a8d98b777c69850066c242
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-09-15 22:36:06 +00:00
Florian Mayer
6f2280dba9 Update prebuilts to fix sepolicy_freeze_test am: f99eeb6bd9
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2201137

Change-Id: I2848699e579daefe2ef542c6f01b81c9471c6a88
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-09-15 22:34:03 +00:00
Treehugger Robot
3ef5831b8d Merge "Add bluetooth LE inquiry scan parameters" 2022-09-14 22:29:10 +00:00
Pawan
0ecf99def5 sepolicy : Recommend fuzzers for new services
Adding soong module and tool to check if there is fuzzer present
for every service in private/service_contexts. Whenever a service is
added, it is recommended to update
$ANDROID_BUILD_TOP/system/sepolicy/soong/build/service_fuzzer_bindings.go
with service name and its corresponding fuzzer.

Test: m
Bug: 242104782
Change-Id: Id9bc45f50bebf464de7c91c7469d4bb6ff153ebd
2022-09-13 18:18:46 +00:00
Xin Li
6b09c56a6a Merge android12L-tests-dev@8941410 am: cba09e2963
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2189100

Change-Id: I8a6bb1872cd6e2d15fff0115d43afc9d5272a5a9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-09-12 18:28:36 +00:00
Katherine Lai
e3398210b8 Add bluetooth LE inquiry scan parameters
Bug: 233119457
Tag: #floss
Test: Manual
Change-Id: I4d0b505b761ad49832ef1d5e5097f6aad7a472e7
2022-09-09 20:48:36 +00:00
Suren Baghdasaryan
2d390e5094 Merge "Add policies for ro.kernel.watermark_scale_factor property" 2022-09-09 16:55:25 +00:00
Treehugger Robot
5384619c62 Merge "Allow reading process info from /proc." 2022-09-09 16:48:05 +00:00
Jiakai Zhang
88e5583eac Allow reading process info from /proc.
This is needed for getting CPU time and wall time spent on subprocesses. Otherwise, the following denials will occur:

09-09 15:11:38.635  6137  6137 I binder:6137_1: type=1400 audit(0.0:185): avc: denied { read } for scontext=u:r:artd:s0 tcontext=u:r:dex2oat:s0 tclass=file permissive=1
09-09 15:11:38.635  6137  6137 I binder:6137_1: type=1400 audit(0.0:185): avc: denied { search } for name="6157" dev="proc" ino=57917 scontext=u:r:artd:s0 tcontext=u:r:dex2oat:s0 tclass=dir permissive=1
09-09 15:11:38.635  6137  6137 I binder:6137_1: type=1400 audit(0.0:185): avc: denied { open } for path="/proc/6157/stat" dev="proc" ino=57954 scontext=u:r:artd:s0 tcontext=u:r:dex2oat:s0 tclass=file permissive=1

Bug: 245380798
Test: -
  1. adb shell pm art optimize-package -m speed -f \
       com.google.android.youtube
  2. See CPU time and wall time in the output. No denial occurred.
Change-Id: I9c8c98a31e1ac0c9431a721938c7a9c5c3ddc42b
2022-09-09 15:13:45 +00:00
Suren Baghdasaryan
9fdb29826f Add policies for ro.kernel.watermark_scale_factor property
New ro.kernel.watermark_scale_factor property is used to store the
original value read from /proc/sys/vm/watermark_scale_factor before
extra_free_kbytes.sh changes it. The original value is necessary to
use the same reference point in case the script is invoked multiple
times. The property is set by init the first time script is invoked
and should never be changed afterwards.

Bug: 242837506
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I7760484854a41394a2efda9445cff8cb61587514
2022-09-08 19:35:34 +00:00
Alessandra Loro
6ecd2077bc Merge "Drop back-compatibility for hiding ro.debuggable and ro.secure" 2022-09-08 09:51:22 +00:00
Sandro Montanari
f4943f510e Merge "Rename apex_sepolicy-decompiled.cil target" 2022-09-08 08:36:42 +00:00
Sophie Zheng
3c91a33774 Merge "Update prebuilts to fix sepolicy_freeze_test" into android12L-tests-dev am: a31ea3eb0c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2208095

Change-Id: I02d49c1617ec086df8817dbe3c144e9f1d6c1269
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-09-08 00:31:17 +00:00
Sophie Zheng
a31ea3eb0c Merge "Update prebuilts to fix sepolicy_freeze_test" into android12L-tests-dev 2022-09-08 00:14:55 +00:00
Sandro
3f5c18c213 Rename apex_sepolicy-decompiled.cil target
For symmetry with the apex_sepolicy-33.cil target

Bug: 218672709
Test: atest SeamendcHostTest
Change-Id: Iaec6eb4d5186ed0c7e872ef210ff572655e263b6
2022-09-07 15:04:59 +00:00
Sandro Montanari
3b94a3f3bc Revert^2 "Move allow rules of sdk_sandbox to apex policy"
Next attempt at rolling forward aosp/2200430. It appears the
first-stage-init did not create the /dev/selinux folder on GSI
instances, resulting in breakages when selinux.cpp tries to copy files
to that folder.

To verify these changes for b/244793900, follow
gpaste/4922166775644160

Bug: 243923977
Test: atest SeamendcHostTest
Change-Id: I2bc630cfaad697d44053adcfd639a06e3510cc72
2022-09-07 08:22:59 +00:00
sophiez
db3507dffc Update prebuilts to fix sepolicy_freeze_test
Bug: 243820875
Test: refactoring CL. Existing unit tests still pass.

Change-Id: I516aed92ad1c7cb4de796844402b3456dc625f94
2022-09-06 18:08:31 +00:00
Treehugger Robot
090f957d65 Merge "Fix io_uring permission denial for snapuserd" 2022-09-06 17:15:45 +00:00
Kelvin Zhang
aa3ac9fafd Fix io_uring permission denial for snapuserd
Starting with 91a9ab7c94, calling io_uring_setup will need selinux
permission to create anon inodes.

Test: th
Bug: 244785938

Change-Id: I351983fefabe0f6fdaf9272506ea9dd24bc083a9
2022-09-06 17:11:54 +00:00
Kelvin Zhang
d87c1eb663 Merge "Fix selinux denials for fastbootd" 2022-09-06 05:50:57 +00:00
Kelvin Zhang
853085bd65 Fix selinux denials for fastbootd
Test: flash on O6, flash an image using git_master system + mainline
kernel
Bug: 244785938

Change-Id: I1b0e1ea0f1937abd2ad96a606b565812ee8096e1
2022-09-05 17:41:07 +00:00
Samiul Islam
b8650e82db Merge "Revert "Move allow rules of sdk_sandbox to apex policy"" 2022-09-05 11:45:44 +00:00
Sandro Montanari
8cce5b2ffb Revert "Move allow rules of sdk_sandbox to apex policy"
Revert "Add seamendc tests for sdk_sandbox in apex sepolicy"

Revert submission 2201484-sdk_sandbox

Note: this is not a clean revert, I kept the changes in aosp/2199179
and the changes to system/sepolicy/Android.mk. Those changes are already
part of internal, I do not want to put those files out of sync again.

Test: atest SeamendcHostTest
Reason for revert: b/244793900
Reverted Changes:
Ib14b14cbc:Add seamendc tests for sdk_sandbox in apex sepolic...
I27ee933da:Move allow rules of sdk_sandbox to apex policy

Change-Id: If225cdd090248e050d1f0b42f547a4b073bbafc6
2022-09-05 09:39:15 +00:00
Treehugger Robot
1896c039dd Merge "crosvm: dontaudit netlink perms for acpi" 2022-09-02 22:00:45 +00:00
Treehugger Robot
6eecd0a00c Merge "Allow installd delete staging folders." 2022-09-02 22:00:02 +00:00
Steven Moreland
fd59a2d46e crosvm: dontaudit netlink perms for acpi
Currently experiencing these neverallows, but they're intentional.

Fixes: 228077254
Test: N/A
Change-Id: I79f8caaf1695e91d695b8cecbc5f01df09e4e2d2
2022-09-02 20:41:56 +00:00
Alex Buynytskyy
37a0dcbbbc Allow installd delete staging folders.
Apparently readdir uses getattr and skips a folder if denied.

Bug: 244638667
Test: adb root; adb shell mkdir -p
/data/app-staging/session_917335144/lib; adb reboot; adb logcat | grep
session_917335144, check if the folder was removed

Change-Id: I39de49c77d3bf3428d75f0cf4d4c603ea7e03ed5
2022-09-02 13:16:24 -07:00
Treehugger Robot
455ae8adca Merge "Allow init to launch BootControlHAL in recovery" 2022-09-02 19:25:28 +00:00
Treehugger Robot
33a74d6881 Merge "Allow system_server to obtain verity root hash for install files." 2022-09-02 18:08:04 +00:00
Kelvin Zhang
19a5785522 Allow init to launch BootControlHAL in recovery
Test: install OTA with data wipe, reboot
Bug: 227536004
Change-Id: I3b76b054e67dcaee83ad330f9fcbcbd98bb6f1f7
2022-09-02 17:50:10 +00:00
Treehugger Robot
d7dfa043ab Merge "Rename migrate_legacy_obb_data.sh" 2022-09-02 17:38:43 +00:00
Alex Buynytskyy
aad4ae8a74 Allow system_server to obtain verity root hash for install files.
Bug: 160605420
Test: atest ChecksumsTest, check for selinux denials
Change-Id: I33b60d86317c37ef58a1be691d6a90dfef637db1
2022-09-02 09:30:21 -07:00
Treehugger Robot
3047b2ca12 Merge "Set apex. property as "system_restricted"" 2022-09-02 12:46:03 +00:00
Sandro Montanari
536babd22b Merge "Move allow rules of sdk_sandbox to apex policy" 2022-09-02 09:29:06 +00:00
Jooyung Han
cae2368d2d Set apex. property as "system_restricted"
Since the property is supposed to be used by vendor-side .rc file as
read-only (especially by vendor apex), it should be "system_restricted".

Also allow vendor_init to read the property.

Bug: 232172382
Test: boot cuttlefish (with vendor apex using the property)
Change-Id: I502388e550e0a3c961a51af2e2cf11335a45b992
2022-09-02 18:11:33 +09:00
Jooyung Han
ba80cd59a7 Merge changes from topics "apex-ready-prop", "apex-update-prop"
* changes:
  Modified sepolicy for new apex ready prop
  Remove init.apex.<apex-name>.load/unload property
2022-09-02 06:46:54 +00:00
Cole Faust
a60a34cd79 Rename migrate_legacy_obb_data.sh
See other cl in this topic for more information.

Bug: 198619163
Test: adb root; adb shell /system/bin/migrate_legacy_obb_data; adb logcat | grep obb shows "migrate_legacy_obb_data: No legacy obb data to migrate."
Change-Id: Ic2fb4183f80b36463f279b818e90c203e9a51422
2022-09-01 18:11:56 -07:00
Deyao Ren
7848d3a437 Modified sepolicy for new apex ready prop
Bug: 232172382
Test: atest ApexTestCases
Change-Id: I2947b2c9b1d983bdbc410e67509508f73efff1f4
2022-09-01 22:20:10 +00:00
Deyao Ren
3fab00fab2 Remove init.apex.<apex-name>.load/unload property
Bug: 240533726
Test: atest CtsInitTestCases ApexTestCases
Change-Id: Ibe4d1c199157397a747bb87918848917a24f0535
2022-09-01 16:24:55 +00:00
Sandro
084b41748d Move allow rules of sdk_sandbox to apex policy
Third attempt to roll-forward the apex_sepolicy changes from
aosp/2179294 and aosp/2170746.

I was finally able to figure out the likely root cause of the test
breakages in internal b/243971667. The related CL aosp/2199179 is making
the apex_sepolicy files mandatory for all AOSP builds.

Without the apex_sepolicy files, mixed GSI builds in internal using AOSP
as base would not implement the sdk_sandbox rules, causing breakages for
the SdkSandbox components.

Bug: 243923977
Test: atest SeamendcHostTest
Change-Id: I27ee933da6648cca8ff1f37bde388f72b4fe6ad6
2022-09-01 09:11:38 +00:00
Treehugger Robot
7bd59df9b7 Merge "Make sure only VS can access its data files" 2022-09-01 08:40:00 +00:00
Florian Mayer
2f2efbee52 Update prebuilts to fix sepolicy_freeze_test am: 5de1b2096d am: c84be7da03
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2199642

Change-Id: I7d4086acc6e13df2d0ab7f2ac423634ea7be2b84
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-08-31 23:11:00 +00:00
Florian Mayer
87337a27b5 Update prebuilts to fix sepolicy_freeze_test am: f99eeb6bd9
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2201137

Change-Id: I42b988dfdb0cf41f7851d1b7793a72073fe6006c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-08-31 23:10:47 +00:00
Florian Mayer
c84be7da03 Update prebuilts to fix sepolicy_freeze_test am: 5de1b2096d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2199642

Change-Id: If6ed12e01659cb56b5b56d2f92f6c68b2d626880
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-08-31 23:10:38 +00:00
Alan Stokes
991087cb24 Make sure only VS can access its data files
Bug: 237054515
Test: Builds
Change-Id: Id207bfc3639254e63b00e2a9ac9780ab83a013ff
2022-08-31 17:39:59 +01:00
Alice Wang
c60552839b Merge "Allow getopt to eliminate warnings in MicrodroidBenchmarks tests" 2022-08-31 15:18:44 +00:00