Commit graph

22409 commits

Author SHA1 Message Date
Colin Cross
e84bef4647 Merge "bug_map: track bluetooth storage_stub_file denial" 2019-11-26 18:33:37 +00:00
Colin Cross
b24b629ed3 bug_map: track bluetooth storage_stub_file denial
Bug: 145212474
Test: none
Change-Id: I64e7e73907637e100d59b735c57cc40996044607
2019-11-26 10:31:46 -08:00
markchien
b4eb08da19 Merge "[Tether12] Give network stack permission for tetheroffload"
am: e91bdc73d8

Change-Id: I703bffef2c8cf333fcd01532311cecdbebd8c800
2019-11-26 05:41:52 -08:00
Treehugger Robot
e91bdc73d8 Merge "[Tether12] Give network stack permission for tetheroffload" 2019-11-26 13:34:38 +00:00
Robert Shih
caefd4cdc3 Merge "allow mediaserver to access drm hidl"
am: 487411abab

Change-Id: Ie12aa1b3fe9fa2e38e1c56399b78a7723325fb5a
2019-11-25 17:46:02 -08:00
Robert Shih
487411abab Merge "allow mediaserver to access drm hidl" 2019-11-26 01:36:00 +00:00
Roshan Pius
43af57f547 sepolicy: Add entry for wifi apex mainline module
am: 3fbdcd4380

Change-Id: I385293784511012d8c543e00b67581f78668dee6
2019-11-25 16:24:38 -08:00
David Sehr
fa67ec4126 Revert^2 "SELinux policy for system server JVMTI"
This reverts commit baa06ee2cd.

Reason for revert: Added missing property name in vendor_init.te.

Bug: none
Test: none (other than neverallow checking)
Change-Id: I9e93bf4ea6ca3a4634f8f4cbce2f13c5f410883b
2019-11-25 15:53:52 -08:00
Roshan Pius
3fbdcd4380 sepolicy: Add entry for wifi apex mainline module
Bug: 144722612
Test: Device boots up & connects to wifi networks
Change-Id: If9207075b87dc938926c1fc1432d3b8fe481bc02
2019-11-25 20:51:50 +00:00
Terry Wang
fe5e7f7000 Add apex structure to appsearch module.
This change adds file_contexts for appsearch.

Bug: 144874026
Test: manual
Change-Id: Id8cba2eab3dbaab252eb42095e2ed265446b93c8
2019-11-25 11:30:38 -08:00
Robert Shih
cc8a4d3bf2 allow mediaserver to access drm hidl
Previously mediaserver could only access hidl via mediadrmserver.
Required because mediadrmserver will be removed in R.

Bug: 134787536
Bug: 144731879
Test: MediaPlayerDrmTest
Change-Id: If0ae1453251e88775a43750e24f7dac198294780
2019-11-25 11:24:44 -08:00
Ashwini Oruganti
f1c2a3821e Merge "Create a separate SELinux domain for gmscore"
am: 8f079fb0e2

Change-Id: I0311937da013fd703208f89f784cbf3c037f3740
2019-11-25 09:09:30 -08:00
Ashwini Oruganti
8f079fb0e2 Merge "Create a separate SELinux domain for gmscore" 2019-11-25 16:59:10 +00:00
Dan Willemsen
ebc6276b23 Fix sepolicy_tests on Mac 10.15
am: 1f944107a3

Change-Id: I5eec01713699814ee76f98db6c00e0711a5b2425
2019-11-25 05:45:47 -08:00
Dan Willemsen
1f944107a3 Fix sepolicy_tests on Mac 10.15
This is dlopened by sepolicy_tests, which embeds the python
interpreter built from our tree. That python interpreter links against
the shared version of libc++, so mixing it with this static copy was
causing segfaults on Mac 10.15 (but apparently not elsewhere).

Test: SANITIZE_HOST=address m treble_sepolicy_tests
Test: `m` on Mac 10.15
Change-Id: I31744acd018ea4c980c46a9979bbad17ae1c4f68
2019-11-23 17:45:01 -08:00
Martijn Coenen
6f6f3e04a8 Merge changes Ide8fc07c,Ia1f51db4
am: d1460a1111

Change-Id: Iafec16db4abd3ceb6a2ab398c2c91c0f3c171c39
2019-11-23 01:18:01 -08:00
Martijn Coenen
d1460a1111 Merge changes Ide8fc07c,Ia1f51db4
* changes:
  Allow vold to mount on top of /data/media.
  Revert "Temporarily relax Zygote storage mounting rules."
2019-11-23 09:10:34 +00:00
Benedict Wong
07b24a8c03 Merge "Add file_contexts for com.android.ipsec"
am: bf76bf82e1

Change-Id: I0b1b01f32cb1c6089ca0319818dbfc559d09452b
2019-11-22 20:10:58 -08:00
Benedict Wong
bf76bf82e1 Merge "Add file_contexts for com.android.ipsec" 2019-11-23 03:45:53 +00:00
Jooyung Han
d7e4075389 Merge "Make file_contexts as "android:path" property"
am: c9e73b87e2

Change-Id: I67730ea8df6764e83ad481a5f473507dc44a7737
2019-11-22 19:45:26 -08:00
Jooyung Han
c9e73b87e2 Merge "Make file_contexts as "android:path" property" 2019-11-23 03:37:33 +00:00
Mathieu Chartier
41337fa284 Merge "Revert "Remove ability to set profilebootimage and profilesystemserver""
am: c075ef38d4

Change-Id: I1f2f8935532715ba77e9a9f2bef11dd8965e5bfa
2019-11-22 15:05:54 -08:00
Mathieu Chartier
c075ef38d4 Merge "Revert "Remove ability to set profilebootimage and profilesystemserver"" 2019-11-22 22:52:45 +00:00
Raman Tenneti
2159cbe2cd Merge "Revert submission"
am: 9f793aff87

Change-Id: I54a74c3b4b6f1d344bd9ac2aef1f3457634f473a
2019-11-22 13:51:53 -08:00
Raman Tenneti
9f793aff87 Merge "Revert submission" 2019-11-22 21:17:29 +00:00
Raman Tenneti
baa06ee2cd Revert submission
Reason for revert: BUG: 145006573

Change-Id: I87f640383ab0fc4005ce31f938e81dcfa6572058
2019-11-22 21:07:49 +00:00
Tomasz Wasilczyk
fadede5a4d Merge "Vehicle HAL: allow communication with CAN bus HAL and alternative service naming"
am: eeb6279953

Change-Id: I7a8431161ed07bcce3d76b1f89b849238ebfa452
2019-11-22 12:54:18 -08:00
Tomasz Wasilczyk
eeb6279953 Merge "Vehicle HAL: allow communication with CAN bus HAL and alternative service naming" 2019-11-22 20:27:23 +00:00
David Sehr
ddb207c7c0 Merge "SELinux policy for system server JVMTI property"
am: c0bb680fee

Change-Id: I46d3fd825f918ac0150de81c18906e4fddbde620
2019-11-22 10:43:56 -08:00
Ashwini Oruganti
c46a7bc759 Create a separate SELinux domain for gmscore
This change creates a gmscore_app domain for gmscore. The domain is
currently in permissive mode (for userdebug and eng builds), while we
observe the SELinux denials generated and update the gmscore_app rules
accordingly.

Bug: 142672293
Test: Flashed a device with this build and verified
com.google.android.gms runs in the gmscore_app domain. Tested different
flows on the Play Store app, e.g., create a new account, log in, update
an app, etc. and verified no new denials were generated.
Change-Id: Ie5cb2026f1427a21f25fde7e5bd00d82e859f9f3
2019-11-22 10:39:19 -08:00
David Sehr
c0bb680fee Merge "SELinux policy for system server JVMTI property" 2019-11-22 18:36:20 +00:00
Roshan Pius
d804a76d03 Revert "sepolicy: Permission changes for new wifi mainline module"
This reverts commit 3aa1c1725e.

Reason for revert: Wifi services no longer plan to be a separate
APK/process for mainline. Will instead become a jar loaded from Apex.

Bug: 144722612
Test: Device boots up & connects to wifi networks
Change-Id: Ifa33dae971dccfd5d14991727e2f27d2398fdc74
2019-11-22 09:49:32 -08:00
Roshan Pius
a483b5df72 Revert "wifi_stack: Move to network_stack process"
This reverts commit 1086c7d71d.

Reason for revert: Wifi services no longer plan to be a separate
APK/process for mainline. Will instead become a jar loaded from Apex.

Bug: 144722612
Test: Device boots up & connects to wifi networks
Change-Id: I69ccc6afbe15db88f516cdc64e13d8cfdb0c743c
2019-11-22 09:48:54 -08:00
Roshan Pius
845b10c3db Revert "sepolicy(wifi): Allow audio service access from wifi"
This reverts commit 386cf9d957.

Reason for revert: Wifi services no longer plan to be a separate
APK/process for mainline. Will instead become a jar loaded from Apex.

Bug: 144722612
Test: Device boots up & connects to wifi networks
Change-Id: Ibb4db9d92c8d9f1170fcc047fa3377eef2acfce6
2019-11-22 09:48:01 -08:00
Martijn Coenen
313cff7687 Allow vold to mount on top of /data/media.
For performance reasons, we want to bind-mount parts of the lower
filesystem on top of /data/media.

Bug: 137890172
Test: No denials when mounting
Change-Id: Ide8fc07cdeb6a6816585af1582bee69bc68043af
2019-11-22 16:02:07 +01:00
Martijn Coenen
357eb193e9 Revert "Temporarily relax Zygote storage mounting rules."
This reverts commit 9f02b30a72.

This is no longer needed, because we never shipped app storage
sandboxes.

Bug: 130812417
Test: builds
Change-Id: Ia1f51db4904742d2ef15222f2350c67af0dd4a28
2019-11-22 16:02:07 +01:00
Ashwini Oruganti
2db9a09a0e Merge "Update permissioncontroller_app domain rules"
am: a227509173

Change-Id: I062e6a6860612daaab4e4b611ad5e058e8c28c1d
2019-11-21 18:45:47 -08:00
Ashwini Oruganti
a227509173 Merge "Update permissioncontroller_app domain rules" 2019-11-22 01:10:02 +00:00
David Sehr
38f6e59bd6 SELinux policy for system server JVMTI property
Add the SELinux policy to implement a no-write persistent property
controlling whether to launch a JVMTI agent in the system server.

Bug: none
Test: none (other than the neverallow)
Change-Id: Ic70ee5b05c5507b4159ef4c825a360be47bc02b0
2019-11-21 15:50:37 -08:00
Shawn Willden
e44ba58615 Merge "Add Keymaster 4.1"
am: 88554af5c0

Change-Id: I294334172d832bf149ecb56a803b091ed7e42853
2019-11-21 14:53:38 -08:00
Victor Hsieh
136110cace Merge "Revert "sepolicy: dontaudit cap_sys_admin on userdebug/eng""
am: b7098cb480

Change-Id: I21add0130c82e64a45ace0da9393c857c0d28b0c
2019-11-21 14:46:14 -08:00
Treehugger Robot
88554af5c0 Merge "Add Keymaster 4.1" 2019-11-21 22:41:49 +00:00
Treehugger Robot
b7098cb480 Merge "Revert "sepolicy: dontaudit cap_sys_admin on userdebug/eng"" 2019-11-21 22:27:37 +00:00
Ashwini Oruganti
5064189c23 Update permissioncontroller_app domain rules
This adds permissions for content_capture_service,
incidentcompanion_service, media_session_service, and telecom_service.
These were observed via sedenials on dogfood builds.

Bug: 142672293
Bug: 144677148
Test: Green builds, no more denials show up for these services.
Change-Id: Ifd93c54fb3ca3f0da781cd2038217a29e812a40f
2019-11-21 12:59:33 -08:00
Ashwini Oruganti
7d94fd3d6a PermissionController goes to the permissioncontroller_app domain
am: 288c14f137

Change-Id: I2f95baac42201cbd7a78753634ed539a41372dc9
2019-11-21 12:23:36 -08:00
Victor Hsieh
7a4064c5ee Revert "sepolicy: dontaudit cap_sys_admin on userdebug/eng"
Reason for revert: Kernel fix has been backported to coral kernel.

Bug: 132323675
Change-Id: Ie797e5cf212b15c6fff34d2a096ac96de31ce627
2019-11-21 18:37:52 +00:00
Ashwini Oruganti
288c14f137 PermissionController goes to the permissioncontroller_app domain
This change adds a rule for com.android.permissioncontroller to run in
the previously defined permissioncontroller_app.
com.android.permissioncontroller would require similar permissions to
com.google.android.permissioncontroller.

Bug: 142672293
Test: Green builds
Change-Id: I92e7175526380c0711f52fafe8d1f8d9531d07f8
2019-11-21 09:48:01 -08:00
Stan Rokita
16d522871d Add sensors multihal support in file_contexts regex
Bug: 144722764
Test: N/A
Change-Id: Ic595d9c21639bdf2874dc6734344ff1a41767399
2019-11-21 08:57:58 -08:00
markchien
e9bb9a4c98 [Tether12] Give network stack permission for tetheroffload
Tethering module would run in network stack process. Add network_stack
as client of tetheroffload hidl and give it permission to create and share
netlink_netfilter_sockets

Bug: 144320246
Test: -build, flash, boot
      -OFF/ON hotspot

Change-Id: Id961fd4af0d30f902eb0115aa15db612aaa8bb91
2019-11-21 12:58:31 +08:00
Ashwini Oruganti
746421b932 Merge "Revert "Don't run permissioncontroller_app in permissive mode""
am: 82eca37afa

Change-Id: Ic45f8ab133b4d4a781506dc1a0a5751a32a2d528
2019-11-20 20:27:41 -08:00