Commit graph

1133 commits

Author SHA1 Message Date
Thiébaud Weksteen
efa4cf8469 Prebuilt updates am: 448968a6d1 am: 084b293596
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2848878

Change-Id: If8cc1dbc910cb2fec2d4996c1a2f8fef602472cc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-29 06:56:58 +00:00
Thiébaud Weksteen
084b293596 Prebuilt updates am: 448968a6d1
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2848878

Change-Id: I991e63e36e9e680edfd21e4a20293ae779caffcb
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-29 06:25:40 +00:00
Thiébaud Weksteen
448968a6d1 Prebuilt updates
Bug: 308058980
Test: m selinux_policy
Change-Id: I23b2265340002b4b9f8d15ad0a8e8324aa0f94e1
2023-11-29 06:01:56 +00:00
Thiébaud Weksteen
fa2999a627 Revert^2 "Add permission for VFIO device binding"
This reverts commit c6227550f7.

Reason for revert: Faulty merging paths have been removed

Change-Id: Icf56c2e977c5517af63e206a0090159e43dd71eb
Merged-In: Ie947adff00d138426d4703cbb8e7a8cd429c2272
2023-11-21 02:18:30 +00:00
Thiébaud Weksteen
90945326cd Revert "Prebuilt updates for aosp/2827450" am: b460885e50 am: c541c1eb80
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2830890

Change-Id: I6d5f197c9cb4a1728e0bd6bc9acf220f05ed05de
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-15 03:34:07 +00:00
Thiébaud Weksteen
c541c1eb80 Revert "Prebuilt updates for aosp/2827450" am: b460885e50
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2830890

Change-Id: Ief55d435dff2e58e463d4498fb3cf5740af8d21d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-15 03:02:23 +00:00
Thiébaud Weksteen
b460885e50 Revert "Prebuilt updates for aosp/2827450"
This reverts commit 74ec7d8343.

Reason for revert: Tests are still failing

Change-Id: Ic7dcd5fb4703cfe476f74835782b99d5848ed738
2023-11-14 23:37:47 +00:00
Sandro Montanari
8dab5407de Prebuilt updates for aosp/2827450 am: 74ec7d8343 am: 20d6a0ec30
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2828198

Change-Id: I7780eb835be7dafc39865ac6446b416c7d96ed77
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-14 18:51:08 +00:00
Sandro Montanari
20d6a0ec30 Prebuilt updates for aosp/2827450 am: 74ec7d8343
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2828198

Change-Id: Idce3a100d6c6db0d90f21142baf1158185bd97e1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-14 18:16:13 +00:00
Sandro Montanari
74ec7d8343 Prebuilt updates for aosp/2827450
Bug: 295861450
Test: presubmits

Merged-In: I3d36a17697623f51618913d16ed4d3ea2ccf923b
Change-Id: I3f031449457a7cf8912b17c3eac4b7aa82710d58
2023-11-14 15:07:54 +00:00
Inseob Kim
c6227550f7 Revert "Add permission for VFIO device binding"
This reverts commit 901385f711.

Reason for revert: breaking build

Change-Id: Ib936ca7c347b657b94bb44692cd0e9ceee5db55a
Merged-In: Ie947adff00d138426d4703cbb8e7a8cd429c2272
2023-11-14 08:41:48 +00:00
Inseob Kim
901385f711 Add permission for VFIO device binding
vfio_handler will bind platform devices to VFIO driver, and then
return a file descriptor containing DTBO. This change adds
permissions needed for that.

Bug: 278008182
Bug: 308058980
Test: adb shell /apex/com.android.virt/bin/vm run-microdroid \
      --devices /sys/bus/platform/devices/16d00000.eh --protected
Change-Id: Ie947adff00d138426d4703cbb8e7a8cd429c2272
Merged-In: Ie947adff00d138426d4703cbb8e7a8cd429c2272
(cherry picked from commit 825056de9a)
2023-11-14 01:56:24 +00:00
Rhed Jao
ebe1316695 Create sepolicy for allowing system_server rw in /metadata/repair-mode
Bug: 277561275
Test: ls -all -Z /metadata/repair-mode
Change-Id: Ie27b6ef377bb3503e87fbc5bb2446bc0de396123
2023-10-23 13:38:38 +11:00
Thiébaud Weksteen
642a37cf31 Update 34.0 prebuilts for gmscore_app am: 26b0676c04 am: f71e64f518 am: f23fbc9242
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/24965007

Change-Id: I40810d10ef0ae524b427cdb2480139fc80ef0dac
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-10-06 11:01:21 +00:00
Thiébaud Weksteen
f23fbc9242 Update 34.0 prebuilts for gmscore_app am: 26b0676c04 am: f71e64f518
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/24965007

Change-Id: I88db0dd48363b77710701f64e09befa802155de1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-10-06 10:27:06 +00:00
Thiébaud Weksteen
f71e64f518 Update 34.0 prebuilts for gmscore_app am: 26b0676c04
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/24965007

Change-Id: I902e0afc48e14b22f415451386948f3b9eb969d3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-10-06 09:50:55 +00:00
Thiébaud Weksteen
71a0fcaacc Ignore non-API access by gmscore_app am: 9712670bb3 am: 774179cea8 am: bb1c4586e4 am: d2ce0987b3
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/24947462

Change-Id: I085b8c0a5c1a67b23e20f413ac52cd6762e5008d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-10-06 07:19:53 +00:00
Thiébaud Weksteen
26b0676c04 Update 34.0 prebuilts for gmscore_app
Bug: 303768123
Test: m selinux_policy
Ignore-AOSP-First: prebuilts update only
Change-Id: Iab041f3fa8d27f815c8fc1a21934216d1ad40917
2023-10-06 17:53:08 +11:00
Thiébaud Weksteen
ef51878097 Ignore non-API access by gmscore_app am: 9712670bb3 am: 774179cea8 am: bb1c4586e4
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/24947462

Change-Id: Icab1741838c783506698a0a094770bb050ddacf7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-10-06 06:44:45 +00:00
Thiébaud Weksteen
d2ce0987b3 Ignore non-API access by gmscore_app am: 9712670bb3 am: 774179cea8 am: bb1c4586e4
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/24947462

Change-Id: I88efc3f4fc00a051a15d9b6b6bfaaa36a491d9da
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-10-06 06:43:18 +00:00
Thiébaud Weksteen
bb1c4586e4 Ignore non-API access by gmscore_app am: 9712670bb3 am: 774179cea8
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/24947462

Change-Id: Ief2f4832b81e0bb96c82c52efd28c262f58cb732
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-10-06 05:51:00 +00:00
Thiébaud Weksteen
774179cea8 Ignore non-API access by gmscore_app am: 9712670bb3
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/24947462

Change-Id: If6d7b4478bca2860da07fc541f5c9b53f66ff169
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-10-06 05:19:22 +00:00
Thiébaud Weksteen
9712670bb3 Ignore non-API access by gmscore_app
Bug: 303319090
Bug: 303272800
Bug: 303374964
Test: m selinux_policy
Ignore-AOSP-First: merged in aosp already
Change-Id: I0999023b315bd31d70b1908353acebc87182747c
2023-10-06 13:06:27 +11:00
Brian Lindahl
b6caa06fe9 Allow for server-side configuration of libstagefright am: 1b32bccc1a am: 3e8fbf6a4d am: 2a23f0d194
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2762467

Change-Id: I7570fe0cc0e87c0674524a5cf20c73dac257ff93
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-27 23:47:11 +00:00
Brian Lindahl
2a23f0d194 Allow for server-side configuration of libstagefright am: 1b32bccc1a am: 3e8fbf6a4d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2762467

Change-Id: I1685cfb8cac9cd8ffaca1ad78b272ae3db8240eb
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-27 22:37:46 +00:00
Brian Lindahl
3e8fbf6a4d Allow for server-side configuration of libstagefright am: 1b32bccc1a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2762467

Change-Id: I21356699f9d67eed69fcc9a43154d6d66cfe454e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-27 21:33:23 +00:00
Brian Lindahl
1b32bccc1a Allow for server-side configuration of libstagefright
Relaxation of SELinux policies to allow users of libstagefright and
MediaCodec to be able to query server-side configurable flags.

Bug: 301372559
Bug: 301250938
Test: run cts -m CtsSecurityHostTestCases
Change-Id: I72670ee42c268dd5747c2411d25959d366dd972c
Merged-In: I95aa6772a40599636d109d6960c2898e44648c9b
2023-09-27 16:15:23 +00:00
wufei3
d2c42ca105 Add remaining attestation properties to selinux
Add "ro.product.device_for_attestation" and
"ro.product.manufacturer_for_attestation" prop to selinux permissions.

Bug:294190893
Test: atest CtsKeystoreTestCases:android.keystore.cts.DeviceOwnerKeyManagementTest#testAllVariationsOfDeviceIdAttestation

Signed-off-by: wufei3 <wufei3@xiaomi.corp-partner.google.com>
(cherry picked from https://android-review.googlesource.com/q/commit:50a326d04af16a2c566f8e98726ad31e900955a1)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:258bdd7d6cf4110d51622903b833ec100965b43e)
Merged-In: I71ee17ab59838680199acc9a7c209deba756f603
Change-Id: I71ee17ab59838680199acc9a7c209deba756f603
2023-09-08 18:16:22 +00:00
Treehugger Robot
c836bdb702 Merge "Use prebuilts for compat test if prebuilts exist" into main am: 6952d2f612 am: 8d022b888c am: 11d5dd1de3 am: 7e45e06d5b
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2746580

Change-Id: I772b3412b14bc9ba69f8a98f77ddba0548a7729e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-08 06:50:59 +00:00
Treehugger Robot
7e45e06d5b Merge "Use prebuilts for compat test if prebuilts exist" into main am: 6952d2f612 am: 8d022b888c am: 11d5dd1de3
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2746580

Change-Id: If59fceb48ced4fd37f3c672e48d847e8effc26b3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-08 06:13:26 +00:00
Treehugger Robot
8d022b888c Merge "Use prebuilts for compat test if prebuilts exist" into main am: 6952d2f612
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2746580

Change-Id: I920639164d6e304b50046a17506be2972ee1199f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-08 05:18:40 +00:00
Inseob Kim
2aac33597d Use prebuilts for compat test if prebuilts exist
system/sepolicy should support both REL build and ToT build. That means
that system/sepolicy and prebuilts may differ. As the frozen sepolicy is
what vendor sepolicy uses, we need to use prebuilts to run Treble
compat test.

Bug: 296875906
Test: m selinux_policy on REL
Change-Id: I4b290266ba87e3f011d640bec133fc88359ea52f
2023-09-08 10:44:49 +09:00
Treehugger Robot
3149017ddb Merge changes Ia2c07331,I93f0d222 into main am: f476f5c8f1 am: 31406c242e am: 0f0286303f am: 332e63bee5
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2742356

Change-Id: I057521eaa91d120a5131ec0a86d8b43de6889f0a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-07 10:43:34 +00:00
Treehugger Robot
332e63bee5 Merge changes Ia2c07331,I93f0d222 into main am: f476f5c8f1 am: 31406c242e am: 0f0286303f
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2742356

Change-Id: If45b9540924a95c8d91255920f565f51fa99dc9e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-07 10:05:57 +00:00
Treehugger Robot
31406c242e Merge changes Ia2c07331,I93f0d222 into main am: f476f5c8f1
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2742356

Change-Id: If3a6af8553b6d645653ae38e898c3770b7dab868
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-07 09:14:47 +00:00
Inseob Kim
0d49b9bc28 Use only public cil files for Treble compat test
Rationale for this change:

1) Vendors use only public files, so we should be able to use only
   public cil files for compatibility test.
2) treble_sepolicy_tests_for_release.mk is too complex, because it
   requires compiled sepolicy. Reducing the complexity will help migrate
   into REL build.
3) This fixes a tiny bug of treble_sepolicy_tests that it can't catch
   public types being moved to private types, and then removed. 29.0.cil
   and 30.0.cil change contains such missing public types.

Bug: 296875906
Test: m selinux_policy (with/without intentional breakage)
Change-Id: Ia2c0733176df898f268b5680195da25b588b09c7
2023-09-07 16:35:08 +09:00
Inseob Kim
5d7423ff3d Build prebuilt policy with Soong
... and remove redundant Makefile codes. This also updates commit hook
as we now only use Soong to build sepolicy.

Bug: 296875906
Test: m selinux_policy
Change-Id: I93f0d222a0c10e31c51c9380780a8927c47d62b1
2023-09-07 16:32:30 +09:00
Treehugger Robot
6c5dbcc0f5 Merge "Relax freeze_test to check only compatibility" into main am: b316f8bf95 am: d1710c749b am: a05b914242 am: f64415ac50
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2737118

Change-Id: Ib391ca3a54b164945f61045b89bb798dbc03833e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-05 08:39:44 +00:00
Treehugger Robot
f64415ac50 Merge "Relax freeze_test to check only compatibility" into main am: b316f8bf95 am: d1710c749b am: a05b914242
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2737118

Change-Id: I5bed312ebf4fb1dbf4a582e8db42528e0a300da7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-05 08:02:22 +00:00
Treehugger Robot
d1710c749b Merge "Relax freeze_test to check only compatibility" into main am: b316f8bf95
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2737118

Change-Id: I575c28928e4c5690fc1b87ee09938cf0ed451476
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-09-05 07:06:46 +00:00
Inseob Kim
36d9d39e6e Relax freeze_test to check only compatibility
For now, freeze_test compares prebuilts against sources with diff, to
ensure that sources are identical to prebuilts. However, it could be the
case that the branch should be able to build both REL and ToT. In that
case, changes to the sources are inevitable and the freeze test will
fail.

To fix the issue, freeze_test will now only check compatibility. To be
specific, it will check if any public types or attributes are removed.
Contexts files and neverallow rules are not checked, but they may be
added later. Also to support the new freeze_test:

- build_files module is changed to use glob (because REL version won't
  be in compat versions list)
- plat_pub_policy modules are added under prebuilts/api (because
  freeze_test needs that)

Bug: 296875906
Test: m selinux_policy
Change-Id: I39c40992965b98664facea3b760d9d6be1f6b87e
2023-09-05 03:37:18 +00:00
Xin Li
e07dbe0a63 Merge Android U (ab/10368041)
Bug: 291102124
Merged-In: Id2cc5dbbafffb4633706e5cc728cb44abd417340
Change-Id: I77e68f17a1273958bcdc32b5a4b6a0ff3ffdfd2a
2023-08-23 17:20:59 -07:00
Alfred Piccioni
967f1d0e6c Merge "Revert ntfs file context changes" into main am: ee7e77ba63 am: 600d05a08e am: 9bbd7edcf6 am: 22061e8600
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2722017

Change-Id: Ic527ba04b7775ec4bf6c2bfd4da7e9c4eaac1cdf
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-23 15:16:37 +00:00
Alfred Piccioni
22061e8600 Merge "Revert ntfs file context changes" into main am: ee7e77ba63 am: 600d05a08e am: 9bbd7edcf6
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2722017

Change-Id: I7641a1121a60d12e80450a10457c270f69e380da
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-23 14:48:04 +00:00
Alfred Piccioni
9bbd7edcf6 Merge "Revert ntfs file context changes" into main am: ee7e77ba63 am: 600d05a08e
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2722017

Change-Id: Ia3d350cd854fbfc01a366ab09bfb0ce8669998c3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-23 14:10:23 +00:00
Alfred Piccioni
ee7e77ba63 Merge "Revert ntfs file context changes" into main
2023-08-23 12:47:58 +00:00
Alfred Piccioni
33ebe0ef1b Revert ntfs file context changes
Partial revert of:

commit 3e1dc57bf4

commit 30ae427ed0

The current file contexts could break potential implementations of NTFS
by partners in future. I am not rolling back the adjoining
fuseblkd_exec and fuseblkd_untrusted_exec code, because secure
implementations of fuseblk drivers should still endeavour to use the
more compartmentalised policies.

However, as we don't support NTFS officially, we should give
implementors the choice whether to use it or not, even if it will open
the door to potentially less secure implementations.

NTFS Context: http://b/254407246,
https://docs.google.com/document/d/1b5RjdhN2wFFqmLCK0P_chVyiEhiYqNlTn52TFBMNwxk

Bug: 294925212
Test: Builds and boot.
Change-Id: I6d3858517e797b3f7388f9d3f18dd4a11770d5bc
2023-08-23 11:42:20 +00:00
Eran Messeri
ddec51fad5 Merge "Add remaining attestation properties to selinux" into main am: 8330358c5d am: 5a8860b497 am: a8eec02d3b am: b7bcae1e0e
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2712213

Change-Id: I9e4270cef438e6d973ad9b708f9f02e83a62ef8d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-21 15:55:52 +00:00
Eran Messeri
b7bcae1e0e Merge "Add remaining attestation properties to selinux" into main am: 8330358c5d am: 5a8860b497 am: a8eec02d3b
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2712213

Change-Id: I659ef6503c7954d6e12eb097f304c29590f07cc5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-21 15:31:38 +00:00
Eran Messeri
a8eec02d3b Merge "Add remaining attestation properties to selinux" into main am: 8330358c5d am: 5a8860b497
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2712213

Change-Id: I5db3db3eb622f17647d6ca3294c4348bd2dd4c20
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-21 14:57:57 +00:00