Inseob Kim
c02f7c6cf8
Neverallow domains other than VS from executing VM am: b20cb78404
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1970460
Change-Id: I80f29ae146dd8dae40cbae9be13a4ffe5a05238d
2022-02-07 03:53:41 +00:00
Inseob Kim
b20cb78404
Neverallow domains other than VS from executing VM
...
Bug: 216610937
Test: atest MicrodroidTests
Change-Id: I2ecea6974cb6650f8a7aa8b706ae38e1822805cd
2022-02-07 09:42:21 +09:00
Treehugger Robot
fb52b5754e
Merge "Grant system_app permission to access cgroup_v2 directories" am: b289dc4d1d
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1966048
Change-Id: Ia0fee0a8ac12689bf2bc562b3fdab63a250e3d59
2022-02-04 19:39:02 +00:00
Treehugger Robot
b289dc4d1d
Merge "Grant system_app permission to access cgroup_v2 directories"
2022-02-04 19:26:00 +00:00
Treehugger Robot
eb03dcc59c
Merge "Allow VM clients access to hypervisor capability" am: 391f2b26fc
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1970590
Change-Id: I4de2693ef001b522132f393ffe9c970fa8c652c3
2022-02-04 09:50:49 +00:00
Treehugger Robot
391f2b26fc
Merge "Allow VM clients access to hypervisor capability"
2022-02-04 09:37:19 +00:00
Treehugger Robot
713984514c
Merge "bluetooth.device.class_of_device should be type string" am: 7b7a42e6cf
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1969420
Change-Id: I6acf3397d7b922943f8ce144e95375bf1a66a001
2022-02-04 01:00:51 +00:00
Treehugger Robot
7b7a42e6cf
Merge "bluetooth.device.class_of_device should be type string"
2022-02-04 00:38:52 +00:00
Kevin Han
641d56be3f
Merge "Extend visibility of hibernation service for CTS" am: 4d81dc33f8
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1966099
Change-Id: I39ef4366bb10c73dfab63b73599e653ea9d3d288
2022-02-04 00:01:09 +00:00
Kevin Han
4d81dc33f8
Merge "Extend visibility of hibernation service for CTS"
2022-02-03 23:43:03 +00:00
Seth Moore
10ec76f621
Add remotely provisioned key pool se policy am: a75cad0d0a
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1969539
Change-Id: If71da72859fb454be505d02c40de2bcbf34bca97
2022-02-03 23:13:55 +00:00
Alan Stokes
3864ea8e4a
Allow VM clients access to hypervisor capability
...
Clients of virtualization service use these properties to
determine whether normal and protected VMs are supported and tailor
their VM requests accordingly.
Bug: 217687661
Test: adb unroot; adb shell getprop | grep ro.boot.hypervisor
Change-Id: Ia1c017c2346217dbc45973cbfb5adbecabedf050
2022-02-03 12:18:11 +00:00
Seth Moore
a75cad0d0a
Add remotely provisioned key pool se policy
...
Keystore now hosts a native binder for the remotely provisioned key
pool, which is used by services such as credstore to look up remotely
provisioned keys.
Add a new service context and include it in the keystore services.
Add a dependency on this new service for credstore. Also include a
credstore dependency on IRemotelyProvisionedComponent, as it's needed
to make use of the key pool.
Bug: 194696876
Test: CtsIdentityTestCases
Change-Id: I0fa71c5be79922a279eb1056305bbd3e8078116e
2022-02-02 15:07:26 -08:00
Sal Savage
724381a97a
bluetooth.device.class_of_device should be type string
...
Bug: 217452259
Test: Manual, set property in system.prop, build, flash, make sure value
is reflected in getprop | grep bluetooth.device
Change-Id: Id4bfebb4da5bcd64ea4bac8e3c9e9754c96256c6
2022-02-02 14:13:41 -08:00
Bart Van Assche
be3ff9b93a
Grant system_app permission to access cgroup_v2 directories
...
Without this change, the migration of the blkio controller to the cgroup
v2 hierarchy triggers the following denials:
01-31 19:00:59.086 4494 4494 I auditd : type=1400 audit(0.0:7): avc: denied { write } for comm=4173796E635461736B202331 name="pid_4494" dev="cgroup2" ino=3545 scontext=u:r:system_app:s0 tcontext=u:object_r:cgroup_v2:s0 tclass=dir permissive=0
01-31 19:00:59.086 4494 4494 I auditd : type=1400 audit(0.0:8): avc: denied { write } for comm=4173796E635461736B202331 name="pid_4494" dev="cgroup2" ino=3545 scontext=u:r:system_app:s0 tcontext=u:object_r:cgroup_v2:s0 tclass=dir permissive=0
01-31 19:00:59.086 4494 4494 I auditd : type=1400 audit(0.0:7): avc: denied { write } for comm=4173796E635461736B202331 name="pid_4494" dev="cgroup2" ino=3545 scontext=u:r:system_app:s0 tcontext=u:object_r:cgroup_v2:s0 tclass=dir permissive=0
01-31 19:00:59.086 4494 4494 I auditd : type=1400 audit(0.0:8): avc: denied { write } for comm=4173796E635461736B202331 name="pid_4494" dev="cgroup2" ino=3545 scontext=u:r:system_app:s0 tcontext=u:object_r:cgroup_v2:s0 tclass=dir permissive=0
Bug: 213617178
Test: Booted Android in the Cuttlefish emulator.
Change-Id: I20f136d5cd58fa4ebabbb5a328fc6001b11110d7
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-02-02 17:37:45 +00:00
Andrew Scull
e1a1607e1b
Merge changes I82f0c2ef,I013894de am: 7e07941d3d
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1966617
Change-Id: Ia20dfb636599a2e0ab2d46efd8df46c9dcc3f8d8
2022-02-02 14:13:55 +00:00
Andrew Scull
7e07941d3d
Merge changes I82f0c2ef,I013894de
...
* changes:
Let VirtualizationService access hypervisor properties
Tag new hypervisor properties
2022-02-02 13:54:11 +00:00
Andrew Scull
792b03ddb5
Let VirtualizationService access hypervisor properties
...
VirtualizationService uses the properties to discover hypervisor
capabilities. Allow it access for this purpose.
Bug: 216639283
Test: build
Change-Id: I82f0c2ef30c8fb2eefcac1adf83531dd3917fdb8
2022-02-02 13:53:50 +00:00
Lalit Maganti
139cce7cc7
Merge "sepolicy: Allow system domains to be profiled" am: fb9d097d03
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1966610
Change-Id: I53c4ae3c26dcc5579391e7a9319c939e75086a70
2022-02-02 12:21:46 +00:00
Lalit Maganti
fb9d097d03
Merge "sepolicy: Allow system domains to be profiled"
2022-02-02 12:04:38 +00:00
Andrew Walbran
7e78484d39
Merge "virtualizationservice no longer tries to check for pKVM extension." am: 48cf9591f6
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1965102
Change-Id: I901ae736b9e79507248f78def350af7ba21534d3
2022-02-02 09:25:26 +00:00
Andrew Walbran
48cf9591f6
Merge "virtualizationservice no longer tries to check for pKVM extension."
2022-02-02 09:08:18 +00:00
Roopa Sattiraju
dd862e57ee
Changing sepolicy file to the right apex name am: 89556c69df
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1967166
Change-Id: Ib38c787a25ced135ff427eb7345247f1e239dcc4
2022-02-02 05:34:27 +00:00
Roopa Sattiraju
89556c69df
Changing sepolicy file to the right apex name
...
Bug: 216476895
Test: Compile
Change-Id: I31a5534bad0f5c01ee163f109fa5dd0b54835ea8
2022-02-01 15:59:30 -08:00
Andrew Scull
87ac3c3f80
Tag new hypervisor properties
...
The properties that report hypervisor capabilities are grouped with the
other hypervisor properties for sepolicy.
Bug: 216639283
Test: build
Change-Id: I013894de637bb7e40a450df6439ebbd5cba28c2b
2022-02-01 18:17:10 +00:00
Andrew Walbran
2f27f96022
virtualizationservice no longer tries to check for pKVM extension.
...
This was fixed in https://r.android.com/1963701 , as it never worked.
This partially reverts commit 2dd48d0400.
Change-Id: I6e7096e20fd594465fb1574b11d6fecc82f5d82f
2022-02-01 16:37:13 +00:00
Lalit Maganti
bb197bba02
sepolicy: Allow system domains to be profiled
...
Bug: 217368496
Doc: go/field-tracing-t
Change-Id: Ie95c0cc2b1f9e8fa03f6112818936af692edf584
2022-02-01 16:27:26 +00:00
Andrew Scull
50094d86cf
Merge "Allow the microdroid app to use diced" am: 4bbfaa6a2d
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1965106
Change-Id: Ic340f816742ca2ad713521012a7d42279b660f99
2022-02-01 13:39:02 +00:00
Andrew Scull
4bbfaa6a2d
Merge "Allow the microdroid app to use diced"
2022-02-01 13:23:20 +00:00
Treehugger Robot
8a96be8df9
Merge "Adds selinux rules for ICarDisplayProxy service" am: 108fdbc5f7
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1965562
Change-Id: I4954e05e2c8e7ce34f09120c137102fe134d1227
2022-01-31 22:09:21 +00:00
Treehugger Robot
108fdbc5f7
Merge "Adds selinux rules for ICarDisplayProxy service"
2022-01-31 21:52:46 +00:00
Changyeon Jo
66eba13833
Adds selinux rules for ICarDisplayProxy service
...
Bug: 170401743
Test: m -j selinux_policy
Change-Id: Idf3f09d0bcf24de18d6eddb05e51991b4c5edbe8
2022-01-31 19:40:20 +00:00
Treehugger Robot
d2eabdb5a0
Merge "Build precompiled_sepolicy.apex_sepolicy.sha256" am: d0120eb4ac
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1965099
Change-Id: Ica7c23a256f9ee99c2f4a19cc00b4f0496297f84
2022-01-31 09:29:38 +00:00
Treehugger Robot
d0120eb4ac
Merge "Build precompiled_sepolicy.apex_sepolicy.sha256"
2022-01-31 09:11:05 +00:00
Andrew Scull
248e8a998f
Allow the microdroid app to use diced
...
Bug: 214231981
Test: atest MicrodroidTestApp
Change-Id: I9672d678c7b698d15a0efa8dab567dbc2696ca81
2022-01-30 22:42:38 +00:00
Thiébaud Weksteen
0603b86049
Merge "Split sepolicy_neverallow rule" am: 080a201dee
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1962379
Change-Id: Iaa5cf554b34902865b0a5c7f09a9c198d97354a3
2022-01-30 22:23:39 +00:00
Thiébaud Weksteen
080a201dee
Merge "Split sepolicy_neverallow rule"
2022-01-30 22:16:35 +00:00
Thiébaud Weksteen
5dec00e247
Merge "Grant getpgid to system_server on zygote" am: 79ff061802
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1963561
Change-Id: Ie4afeda8caebf6cbd4be30a0b772715d8c3dc3e2
2022-01-30 22:14:58 +00:00
Thiébaud Weksteen
79ff061802
Merge "Grant getpgid to system_server on zygote"
2022-01-30 21:59:04 +00:00
Huihong Luo
270ddf48d0
Merge "Migrate screenshot methods to AIDL" am: 9b82051367
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1954716
Change-Id: I67bfa6d8d94bcb2406fcdb3e6bf99fa4630af55c
2022-01-29 21:35:33 +00:00
Huihong Luo
9b82051367
Merge "Migrate screenshot methods to AIDL"
2022-01-29 21:17:18 +00:00
Kevin Han
4ef3178e8c
Extend visibility of hibernation service for CTS
...
Expand the visibility of the app hibernation service so that CTS can
actually test the APIs.
Bug: 216383448
Test: atest AppHibernationIntegrationTest
Change-Id: Ibde79c9b7e2d863a7c8f4f311ec008cd72962d45
2022-01-28 18:48:56 -08:00
Etienne Ruffieux
ecac410d40
Merge "Bluetooth boot time start service" am: f3acf42a4c
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1965101
Change-Id: I116996cf7b5e1d9b94b8f76119fb91d2eaf52a9b
2022-01-28 20:26:41 +00:00
Etienne Ruffieux
f3acf42a4c
Merge "Bluetooth boot time start service"
2022-01-28 20:13:35 +00:00
Treehugger Robot
6093f3febf
Merge "Move pf_key socket creation permission to system_server" am: d3d214482f
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1964902
Change-Id: I5a17509a858aa1fd7b068943a5cfd457518ddb27
2022-01-28 19:07:14 +00:00
Treehugger Robot
d3d214482f
Merge "Move pf_key socket creation permission to system_server"
2022-01-28 19:01:36 +00:00
Robert Shih
0de1ba742a
Merge "Add sepolicy for DRM AIDL HAL" am: d70f0af2bf
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1918837
Change-Id: I34ff7ea1a6cbb6e8f0c11759b4ceb7366b8e2992
2022-01-28 19:01:02 +00:00
Robert Shih
d70f0af2bf
Merge "Add sepolicy for DRM AIDL HAL"
2022-01-28 18:40:53 +00:00
Treehugger Robot
5c5fef071a
Merge "Touch up microdroid sepolicy after removing keystore" am: ae1acbe12d
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1965100
Change-Id: I6184c30e97b95a4e92157e209e0bf6058c9403a8
2022-01-28 18:07:47 +00:00
Treehugger Robot
ae1acbe12d
Merge "Touch up microdroid sepolicy after removing keystore"
2022-01-28 17:53:34 +00:00