tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
38899 commits 1 branch 0 tags 50 MiB
Commit graph

38899 commits

This branch
This branch
All branches
Author SHA1 Message Date
Thiébaud Weksteen
7700bb7f95 Merge "Remove dumpstate from exception for hal_attribute_service" am: b478c02402 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2171082

Change-Id: Ic45b67c9ff104b859c5d4ce2c66e4395644a18e6
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-08-02 22:30:02 +00:00
Thiébaud Weksteen
b478c02402 Merge "Remove dumpstate from exception for hal_attribute_service" 2022-08-02 21:59:04 +00:00
Treehugger Robot
e558e909d4 Merge "Add sepolicy for bluetooth.core.gap.le.conn.min.limit sysprop" am: bc2ecffff5 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2170423

Change-Id: Ifd6b084143f9ec0ab0fe5a4eabbb276977ca5d03
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-08-02 19:32:04 +00:00
Treehugger Robot
bc2ecffff5 Merge "Add sepolicy for bluetooth.core.gap.le.conn.min.limit sysprop" 2022-08-02 18:58:46 +00:00
Max Bires
da19b45a14 Remove inapplicable comment. 
There don't seem to be any security issues raised by allowing crash dump
to access keystore. More specifically, all key material is encrypted by
KeyMint anyways in the absolute worst case, so even if key exposure
occurred, there would be no harm.

Fixes: 186868271
Test: The comment is gone.
Change-Id: Ib09fc8e1eaa3f1a0876139e175dc28be9e0d4a4a
 2022-08-02 11:01:25 -07:00
Sandro
3505cba8f8 Add missing definition to definitions.cil am: d40a70403c 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2171608

Change-Id: I86abb36147c7c074aa7adfb7aca60128f1d2c63b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-08-02 13:03:13 +00:00
Sandro
d40a70403c Add missing definition to definitions.cil 
The servicemanager_prop type was added in aosp/2161201

Bug: 2111065
Test: atest SeamendcHostTest
Change-Id: I0f0efe215845f6f1d1d54bc03243950eb5cb71ed
 2022-08-02 09:53:22 +00:00
Steven Moreland
5c587349fd Merge "Fully prepare vendor_service removal." am: 46138cca6a 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2140049

Change-Id: Ib5f07ce54608fcb325c0ba5cc1402ab25e13c3fa
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-08-01 23:35:20 +00:00
Steven Moreland
46138cca6a Merge "Fully prepare vendor_service removal." 2022-08-01 23:20:05 +00:00
Roland Levillain
ddac3b9b82 Reconcile file_contexts files for Release and Debug ART APEXes. am: 4e8dbdf63e 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2168184

Change-Id: Iac97b16658722eb52b32ea86e0fc30767538b85d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-08-01 13:20:27 +00:00
Roland Levillain
4e8dbdf63e Reconcile file_contexts files for Release and Debug ART APEXes. 
Replicate change
https://android-review.googlesource.com/c/1663786/2/apex/com.android.art-file_contexts
in `apex/com.android.art.debug-file_contexts`.

Test: Patch this commit into a tree that uses `artd` (only internal
      ones at the moment) and run the following command on a device
      running the Debug ART APEX:
        adb shell pm art \
          get-optimization-status com.google.android.youtube
Change-Id: If0b10b585778e8b585e76b2a4512a2f23facd22e
 2022-08-01 09:13:46 +01:00
Thiébaud Weksteen
b18a9d9b65 Remove dumpstate from exception for hal_attribute_service 
Bug: 240362192
Test: TH
Change-Id: Ifb54a4467c56bc8aee49ac928f84d83863c0a2b9
 2022-08-01 11:34:09 +10:00
Steven Moreland
99d79a5737 Merge "servicemanager started property" am: 560a947de8 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2161201

Change-Id: I37959f094a56b64a0e61141e8dca613a7294322d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-29 18:48:10 +00:00
Dorin Drimus
1c3cf830d9 Add sepolicy for bluetooth.core.gap.le.conn.min.limit sysprop 
Bug: 240709612
Change-Id: I893f5ec04a8abb4ecf724e9e179d0295a681b82b
Test: N/A, CL only adds the sysprop API sepolicy
 2022-07-29 18:45:52 +00:00
Steven Moreland
560a947de8 Merge "servicemanager started property" 2022-07-29 18:30:14 +00:00
Treehugger Robot
de453119e2 Merge "Update SELinux policy for app compilation CUJ." am: 9e2f8aa7a1 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2160660

Change-Id: I76e3fa493a483a85fec07fd77f8aba15e4136b49
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-29 17:48:30 +00:00
Treehugger Robot
9e2f8aa7a1 Merge "Update SELinux policy for app compilation CUJ." 2022-07-29 17:22:44 +00:00
Jiakai Zhang
c871c1cc75 Update SELinux policy for app compilation CUJ. 
- Adapt installd rules for app compilation.

- Add profman rules for checking the profile before compilation. This is new behavior compared to installd.

Bug: 229268202
Test: -
  1. adb shell pm art optimize-package -m speed-profile -f \
       com.google.android.youtube
  2. See no SELinux denial.
Change-Id: Idfe1ccdb1b27fd275fdf912bc8d005551f89d4fc
 2022-07-29 14:07:52 +00:00
Steven Moreland
fd1eb68337 servicemanager started property 
If something starts before servicemanager does,
intelligently wait for servicemanager to start rather
than sleeping for 1s.

Bug: 239382640
Test: boot
Change-Id: If0380c3a1fce937b0939cd6137fcb25f3e47d14c
 2022-07-28 17:09:14 +00:00
Sandro
eca956218e seamendc: prefetch binary policy in memory before parsing am: 8978204264 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2163942

Change-Id: I57e48f09c3d83e9e57fbfdf85f78312abfe6d640
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-28 15:57:53 +00:00
Sandro
8978204264 seamendc: prefetch binary policy in memory before parsing 
This optimization improves the runtime of seamendc by ~6-7ms.

Bug: 236691128
Test: atest seamendc-test && atest SeamendcHostTest
Change-Id: Id1e86a5f51d035fac415a0e6ae05b99b3bd774d4
 2022-07-28 14:25:03 +00:00
Vlad Popa
91926a8b64 Merge "Add SELinux policy for accessing the AudioService" am: f503e3e7e2 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2167262

Change-Id: I3a23093dcb121ef347a72a25137618b52ec3af01
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-28 12:48:20 +00:00
Vlad Popa
f503e3e7e2 Merge "Add SELinux policy for accessing the AudioService" 2022-07-28 09:18:03 +00:00
sandrom
dd5b63f702 Move parts of sdk_sandbox from private to apex policy am: e6971f1330 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2111065

Change-Id: I6711e1c15bbfd191ee1a4ad890e372563b873eab
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-27 16:33:05 +00:00
sandrom
e6971f1330 Move parts of sdk_sandbox from private to apex policy 
Bug: 236691128
Test: atest SeamendcHostTest

Change-Id: I3ce2845f259afb29b80e2d9b446aa94e64ef8902
 2022-07-27 13:39:06 +00:00
Vlad Popa
3fc7d83663 Add SELinux policy for accessing the AudioService 
This is used by the playback notification API to get a reference to the
AudioService with the help of the ServiceManager.

Change-Id: I70324cf0579fd029ee9b3a20115bdab9106d24a8
Test: avd/avd_boot_test
Bug: 235521198
 2022-07-27 12:11:50 +00:00
Treehugger Robot
b3cf5e6948 Merge "Use dump_hal() macro for HAL services" am: f97d76d210 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2162565

Change-Id: Ic2256293a1379ba457df8e97df93610182d47716
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-27 08:22:13 +00:00
Treehugger Robot
f97d76d210 Merge "Use dump_hal() macro for HAL services" 2022-07-27 08:10:45 +00:00
Thiébaud Weksteen
33263a0869 Use dump_hal() macro for HAL services 
Sort the list of services alphabetically.

Test: build & boot bramble
Change-Id: I3dae597ae3780d7ac97bb8aeeeaf964b375cdf5e
 2022-07-27 13:13:47 +10:00
Inseob Kim
d6c252b1cb Merge "Use embedded launcher for python binaries" am: 52ffc6fe2a 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2162563

Change-Id: I5231dce4ee5dfb6cf4a236197a3a1e3da7648a01
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-27 00:34:11 +00:00
Inseob Kim
52ffc6fe2a Merge "Use embedded launcher for python binaries" 2022-07-27 00:10:57 +00:00
Inseob Kim
4912a24447 Use embedded launcher for python binaries 
Bug: 239386651
Test: m selinux_policy
Change-Id: Ic267fcfe4c38b51f8cf2469157b7cb57b84ad779
 2022-07-26 22:59:04 +09:00
Treehugger Robot
503b01cf7a Merge "Remove 'vendor_service' neverallows." am: 7e53b6a8af 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2164691

Change-Id: Iba89cd312dcfa86c30175ff9ea79d12108986eee
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-26 12:53:18 +00:00
Treehugger Robot
7e53b6a8af Merge "Remove 'vendor_service' neverallows." 2022-07-26 12:34:31 +00:00
Steven Moreland
ffaa4e883f remove vendor_service 
Now that all users are cleaned up, this is unused.

Bug: 237115222
Test: build
Change-Id: I22a303194bb760a40dac0e306895c348c5ce7b7a
 2022-07-25 22:21:40 +00:00
Steven Moreland
e6b2acbfc4 Fully prepare vendor_service removal. 
Removes all references to vendor_service in policy except the
definition of this type, which also needs to be removed by
clients.

We don't need this because interface type shouldn't be associated
with where they are served. We can serve HALs from anywhere if they are
implemented in software.

Bug: 237115222
Test: builds
Change-Id: If370a904af81e015e7e1f7a408c4bfde2ebff9a4
 2022-07-25 22:20:16 +00:00
Steven Moreland
7d2abdfce2 Remove 'vendor_service' neverallows. 
In preparation for removing 'vendor_service'.

Bug: 237115222
Test: build
Change-Id: I607eecfd3346906b9843ee028945eeb3c3586733
 2022-07-25 22:20:02 +00:00
Inseob Kim
42d563bb62 Remove dependency to distutils 
Because distutils is deprecated since Python 3.10.

Bug: 239631627
Test: atest android.security.cts.SELinuxHostTest
Change-Id: I29d390dcfbeaa65b2c868bbc8648835c644e3d18
(cherry picked from commit 3a9ac6f10a)
Merged-In: I29d390dcfbeaa65b2c868bbc8648835c644e3d18
 2022-07-25 07:31:33 +00:00
Treehugger Robot
08ebdc9892 Merge "Allow kernel to write to shell_data_file loop devices in userdebug builds." am: 5f3149434c 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2161336

Change-Id: Ia9d566090914d0f8786c900d0ca22b6d4d3bd97e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-23 03:59:40 +00:00
Treehugger Robot
5f3149434c Merge "Allow kernel to write to shell_data_file loop devices in userdebug builds." 2022-07-23 03:18:58 +00:00
David Anderson
e7cd1ef0be Merge "Allow update_engine to inotify_add_watch dm-user device nodes." am: 23b5027d30 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2163416

Change-Id: Ifc9cfb1cec491584e3239ce1344f50c266192333
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-22 20:33:22 +00:00
David Anderson
23b5027d30 Merge "Allow update_engine to inotify_add_watch dm-user device nodes." 2022-07-22 20:15:05 +00:00
Matt Buckley
110d394660 Merge "Add ro.surface_flinger.enable_adpf_cpu_hint sysprop to sepolicy" am: ae7e3756ba 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2161459

Change-Id: I3e088f0c56907c6829f18ac9af6f61a7e42102bd
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-22 05:35:27 +00:00
Matt Buckley
ae7e3756ba Merge "Add ro.surface_flinger.enable_adpf_cpu_hint sysprop to sepolicy" 2022-07-22 05:17:27 +00:00
Matt Buckley
1b23789dfe Add ro.surface_flinger.enable_adpf_cpu_hint sysprop to sepolicy 
Add new sysprop to control adpf cpu hints for surfaceflinger

Bug: b/195990840
Test: n/a
Change-Id: I5460e4668a2d69af194649ec076489de22caa348
 2022-07-21 23:00:15 +00:00
David Anderson
b7bb3d0071 Allow update_engine to inotify_add_watch dm-user device nodes. 
inotify_add_watch requires read permissions and these were only granted
to the /dev/block/dm-user directory, not the device nodes.

Denial: avc:  denied  { read } for  pid=1918 comm="update_engine" name="product_b-user-cow" dev="tmpfs" ino=162 scontext=u:r:update_engine:s0 tcontext=u:object_r:dm_user_device:s0 tclass=chr_file permissive=0

Bug: 238572067
Test: apply OTA
Change-Id: I3fa7c9600873f4a2638fd140287511005f5aac1d
 2022-07-21 12:47:46 -07:00
Thiébaud Weksteen
19710d032e Merge "Remove key migration related changes" am: c5a3726e58 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2160358

Change-Id: I64b2b63672c8482216d9515718bd5b64de26c6dd
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-21 03:27:36 +00:00
Thiébaud Weksteen
c5a3726e58 Merge "Remove key migration related changes" 2022-07-21 01:20:53 +00:00
Katherine Lai
45ce880b05 Merge "Add bluetooth classic sysprops" am: 963596866a 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2154517

Change-Id: I58363adb52d3cfa93fb86ef8ee24f95e41b55d60
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-20 20:56:52 +00:00
Katherine Lai
963596866a Merge "Add bluetooth classic sysprops" 2022-07-20 20:38:43 +00:00