tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
41962 commits 1 branch 0 tags 50 MiB
Commit graph

41962 commits

This branch
This branch
All branches
Author SHA1 Message Date
Vadim Caen
d64cf75c48 Policy for virtual_camera 
Adds a policy to run the virtual_camera process which:
 - registers a service implementing the camera HAL
 - registers a service to reveive communicate with virtual cameras via
   system_server

Bug: 253991421
Test: CTS test
android.virtualdevice.cts.VirtualDeviceManagerBasicTest#createDevice_createCamera

Change-Id: I772d176919b8dcd3b73946935ed439207c948f2b
 2023-07-25 19:27:48 +00:00
Treehugger Robot
9f8e315bc8 Merge "Allow dex2oat access to symlinks in APEXes to find DCLA libs." into main 2023-07-25 15:25:57 +00:00
Martin Stjernholm
502a036436 Allow dex2oat access to symlinks in APEXes to find DCLA libs. 
With the introduction of DCLA (/apex/sharedlibs APEX), .so files can be
symlinked into that APEX, so we need to allow reading symlinks to be
able to link the dex2oat binary successfully.

This fixes "CANNOT LINK EXECUTABLE" errors for dex2oat during OTA
preopting.

Test: Apply an OTA manually and check logs for errors
Bug: 291974157
Change-Id: I9eca91c94e8d33fe618783cea262ea3881957620
 2023-07-25 00:07:27 +01:00
Jooyung Han
1c846df3b0 Add /bootstrap-apex 
It will be used to mount bootstrap APEXes. (with bind-mount to /apex)

Bug: 290148078
Test: atest VendorApexHostTestCases
Change-Id: I1a82af37db368a0eb2bf3a002a47439fb1f8b61d
 2023-07-22 20:44:00 +09:00
Pontus Lidman
1d68b1b2da Merge "Add SELinux config for new SensorFusion property" into main 2023-07-21 20:52:40 +00:00
Pontus Lidman
0af0e71062 Add SELinux config for new SensorFusion property 
Add required SELinux configuration to support the sensor
configuration property:
sensors.aosp_low_power_sensor_fusion.maximum_rate

Test: use getprop to verify presence and readability
of the new property. dumpsys sensorservice to verify
sensor service is picking up the property value.

Change-Id: I96b8fd6ce72d7a5bf69b028802b329b03f261585
 2023-07-21 00:42:24 +00:00
Devika Krishnadas
d4908949ef Merge "Add label for allocator 2 service" into main 2023-07-20 18:36:23 +00:00
Eric Biggers
306f510611 Remove fsverity_init SELinux rules 
Since the fsverity_init binary is being removed, remove the
corresponding SELinux rules too.

For now, keep the rule "allow domain kernel:key search", which existed
to allow the fsverity keyring to be searched.  It turns out to actually
be needed for a bit more than that.  We should be able to replace it
with something more precise, but we need to be careful.

Bug: 290064770
Test: Verified no SELinux denials when booting Cuttlefish
Change-Id: I992b75808284cb8a3c26a84be548390193113668
 2023-07-20 17:57:23 +00:00
Kiyoung Kim
4b6eabed21 Merge "Label former VNDK-SP libraries in vendor as sphal" into main 2023-07-20 01:46:44 +00:00
Lee George Thomas
ae8d169405 Merge "Add SELinux context for a new lmk system property" into main 2023-07-19 22:28:24 +00:00
Devika Krishnadas
c850a596b9 Add label for allocator 2 service 
Bug: 287353739

Change-Id: Ia78237361acac4b668d87ec94746e43945f58bbf
Signed-off-by: Devika Krishnadas <kdevika@google.com>
 2023-07-19 20:20:52 +00:00
Kiyoung Kim
0c3a3fd799 Label former VNDK-SP libraries in vendor as sphal 
When VNDK is being deprecated, former VNDK-SP libraries should be loaded
from vendor when system process uses SP-HAL, but this currently fails
because all former VNDK-SP libraries will be marked as vendor library.
This change labels former VNDK-SP libraries installed in the vendor
partition as same labels with SP-HAL libraries so it can be loaded from
system processes.

Bug: 291673098
Test: aosp_cf boot succeded with KEEP_VNDK=false build flag.
Change-Id: I2601ae8e7acd5bbd16fdbe6cee078dfcaa1a5aa2
 2023-07-19 14:13:06 +09:00
Lee George Thomas
d3f8efa843 Add SELinux context for a new lmk system property 
Add SELinux context for a new lmk system property to add configurability
for delaying psi monitoring until boot completed.

Bug: 288566858
Test: Build, boot and verified logs for avc denial logs.
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6a80da52aa35a942e064c19fd31c01145d965688)
Merged-In: I7ba35f0ee5aad8f917e01c7586f04d11ed078633

Change-Id: I7ba35f0ee5aad8f917e01c7586f04d11ed078633
 2023-07-17 13:59:14 -07:00
David Anderson
f08664825b Merge "Allow lpdumpd to read Virtual A/B diagnostics." into main 2023-07-17 16:55:14 +00:00
Inseob Kim
9d6ce199be Fix seapp_contexts documentation 
Bug: 291528964
Test: N/A; documentation change
Change-Id: I00986c5ace94ed3ee91f3c90300966b0a006bcd5
 2023-07-17 19:53:25 +09:00
David Anderson
e6ad1f2e4c Allow lpdumpd to read Virtual A/B diagnostics. 
Give lpdump read (but not write) access to /metadata/ota so it can call
SnapshotManager::Dump for diagnostics.

Bug: 291083311
Test: lpdump
Change-Id: I732bcebcd809449c86254ea23785dc2c692bedd5
 2023-07-14 09:08:56 -07:00
Kangping Dong
49fa8f5fe6 rename otbr-agent to ot-daemon 
Rename to better align with our long-term vision on Android

Bug: 288202515
Change-Id: I1b7e39950d39ec781e46c6c0e1b38ad837b9ce4e
 2023-07-04 18:56:37 +08:00
Treehugger Robot
7788174e66 Merge "webview: add cgroup dir create permission" 2023-07-03 09:52:58 +00:00
Zhanglong Xia
87c6069fe1 Merge "Add sepolicy rules for Thread Network HAL" 2023-07-01 00:12:41 +00:00
Zhanglong Xia
b2d1fbb7b2 Add sepolicy rules for Thread Network HAL 
Bug: b/283905423
Test: Build and run the Thread Network stack in Cuttlefish.
Change-Id: I783022c66b80274069f8f3c292d84918f41f8221
 2023-06-30 10:56:38 +08:00
Jiyong Park
bd1be6c554 Allow microdroid_payload to read /dev/console 
The first serial device of the VM can be made bi-directional. When it is
used as an output device, it's via /dev/kmsg. microdroid_payload already
has a write access to it. When it is used as an input device, it's via
/dev/console. Grant microdroid_payload read access to the device.

Bug: 263360203
Test: atest MicrodroidTestApp:com.android.microdroid.test.MicrodroidTests#testConsoleInputSupported
Change-Id: Ief039d06ffbddee1e254d662a6c1f321a607d5f5
 2023-06-29 19:03:34 +09:00
Wanhong Jiang
d18e345b8f webview: add cgroup dir create permission 
On 32 bit gsi img, when the webview launch, system will crash, due to
system_server not have the selinux permission of cgroup dir create.
Only 32 bit gsi img has this issue, 64 bit not have.

Bug: 288190486
Test: flash 32-bit GSI image and boot to check whether webview crash

Change-Id: I60fe69087ddbf97b5ebba62bf151626f9422c43c
 2023-06-28 18:35:53 +08:00
Max Bires
bc792606dc Merge "Remove deprecated enable_rkpd property" 2023-06-27 00:14:29 +00:00
Xin Li
372f5cd14e Merge "Merge Android 13 QPR3" 2023-06-26 22:29:53 +00:00
Dave Mankoff
665cad0d2c SE Linux perimissions for Feature Flags Service 
Bug: 279054964
Test: build && flash
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a1f8ca3cd3c4861a06c5042148aab6623a563651)
Merged-In: I5fffaccba61e218496ac82ccf9ba308cf9892868
Change-Id: I5fffaccba61e218496ac82ccf9ba308cf9892868
 2023-06-26 13:42:45 +00:00
Treehugger Robot
35a6d49c02 Merge changes from topic "34.0_sepolicy_mapping" 
* changes:
  Add 34.0 mapping files
  Add 2 new system properties for Quick Start
  SEPolicy Prebuilts for 34.0
 2023-06-26 12:04:42 +00:00
Treehugger Robot
289fe96dc8 Merge "Add MediaPlayerService fuzzer to bindings" 2023-06-23 17:35:27 +00:00
Inseob Kim
78fd639cac Add 34.0 mapping files 
Bug: 288517951
Test: m treble_sepolicy_tests_34.0
Test: m 34.0_compat_test
Test: m selinux_policy
Change-Id: I5c20439dd2c7e5a8d739b8ea9a97e5060ce3cec4
 2023-06-23 10:43:17 +00:00
Jay Civelli
a574060586 Add 2 new system properties for Quick Start 
Test: Manually validated that GmsCore can access the properties, but not a test app.
Change-Id: I2fa520dc31b328738f9a5fd1bcfc6632b61ad912
Bug: 280330984
(cherry picked from commit c97b3a244f)
 2023-06-23 10:43:11 +00:00
Inseob Kim
34ad1d0bc1 SEPolicy Prebuilts for 34.0 
Bug: 288517951
Test: build
Change-Id: I682e553ec8090281ded447780be41a8ea222b084
Merged-In: I15bf3817a8a6867d52f7963a04a69e543a9801e9
 2023-06-23 10:23:59 +00:00
Max Bires
8a74ff2e2d Remove deprecated enable_rkpd property 
The enable_rkpd property is no longer needed. This change removes the
vestigial property.

Test: Successful build
Change-Id: I810d5a21cbe01b43a37244959e21febd0880be59
 2023-06-21 16:33:42 -07:00
Xin Li
4f5ba7ca8d Merge Android 13 QPR3 
Bug: 275386652
Merged-In: I89a052032341990256d608d6708b6d1ac8aceda9
Change-Id: Ifa06cf00a9afba89d0d31c865dc5fde9bf1c05e6
 2023-06-21 15:16:15 -07:00
Steven Moreland
ca5f06cdb9 Merge "Give serial number access to drm hal server not client" 2023-06-21 21:27:09 +00:00
Treehugger Robot
d947550b6f Merge "Remove flatten_apex: property" am: 7f7e8d79a9 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2628996

Change-Id: I89a052032341990256d608d6708b6d1ac8aceda9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-06-21 05:24:50 +00:00
Treehugger Robot
7f7e8d79a9 Merge "Remove flatten_apex: property" 2023-06-21 04:52:41 +00:00
Hongguang Chen
b34240136c Allow mediatuner to get tuner.server.enable am: 8dd58bffd9 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2631349

Change-Id: I3549a333a811c73948e918c2c98946e66b48d834
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-06-21 01:19:15 +00:00
Pawan Wagh
9f118c8d62 Add MediaPlayerService fuzzer to bindings 
Test: m
Bug: 232439428
Change-Id: I669c427279ce43fa614c68a02a468c3e64002537
 2023-06-20 22:50:45 +00:00
Hongguang Chen
8dd58bffd9 Allow mediatuner to get tuner.server.enable 
Bug: 287520719
Test: start mediatuner
Change-Id: I582aac593e2419b6cae37522e6493744fe58240a
 2023-06-20 17:24:51 +00:00
Brian Lindahl
73c779e5fd Force HALs to explicitly enable legacy method for clearing buffer caches am: 612ab8588f 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2627815

Change-Id: I05655dff7c72d64498eb9c34e026542967f1431d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-06-20 14:17:12 +00:00
Jooyung Han
804e234ced Remove flatten_apex: property 
We no longer have targets using flattened apexes. Flattened apexes will
be removed from the build system.

Bug: 278826656
Test: m
Change-Id: I657e01dbfd2525b07c29a234277062d5ac2fab9f
 2023-06-20 15:41:05 +09:00
Brian Lindahl
612ab8588f Force HALs to explicitly enable legacy method for clearing buffer caches 
Some HAL implementations can't support setLayerBuffer multiple times to
clear the per-layer buffer caches. Therefore, default this behavior to
disabled, and allow HALs to explcitily enable this behavior to obtain
the necessary memory savings.

Test: play videos with both true and false on both HIDL and AIDL
Bug: 285561686
Change-Id: I928cef25e35cfc5337db4ceb8581bf5926b4fbe3
 2023-06-15 14:30:07 -06:00
Nikita Ioffe
4eb36f4615 Merge "Reland "Change the stem name to microdroid_precompiled_s..."" am: d16d7d17e5 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2627369

Change-Id: I56600eae4e2ba33c56a5d4827db882388cdae97a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-06-15 11:45:31 +00:00
Nikita Ioffe
d16d7d17e5 Merge "Reland "Change the stem name to microdroid_precompiled_s..."" 2023-06-15 10:27:39 +00:00
Dimitry Ivanov
6c61a71e33 Merge "Allow app_zygote to map memfd backed memeory as PROT_EXEC" am: c01d3fb36c 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2623093

Change-Id: I6e6457337d66ba4e7c5590799c565af05b99e363
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-06-15 09:51:00 +00:00
Dimitry Ivanov
c01d3fb36c Merge "Allow app_zygote to map memfd backed memeory as PROT_EXEC" 2023-06-15 08:44:16 +00:00
Nikita Ioffe
4e6839e677 Reland "Change the stem name to microdroid_precompiled_s..." 
Bug: 285855150
Test: presubmit
Change-Id: I3343b7cf22165541f880fd1c88b27b0204c94c4b
 2023-06-14 20:31:29 +00:00
Pawan Wagh
b23a691e10 Merge "Revert "Change the stem name to microdroid_precompiled_sepolicy"" am: 899f6c0537 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2626909

Change-Id: I69ec0b39693293176b40fb8f9702b8d001c013d7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-06-14 18:57:21 +00:00
Pawan Wagh
899f6c0537 Merge "Revert "Change the stem name to microdroid_precompiled_sepolicy"" 2023-06-14 18:40:59 +00:00
Pawan Wagh
8f2923421e Revert "Change the stem name to microdroid_precompiled_sepolicy" 
Revert submission 2625691

Reason for revert: b/287283650

Reverted changes: /q/submissionid:2625691

Change-Id: I775d07a388556796d25b4f5d99135d5878489ce8
 2023-06-14 18:28:17 +00:00
Pawan Wagh
02c84cec70 Merge "Add update service fuzzer to bindings" am: b4f463824c 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2619905

Change-Id: I3221bc020b8400a6a1e9f0ccf556527e39e71146
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-06-14 18:10:07 +00:00