Karuna Wadhera
c91f365902
Merge "Untrack keystore SELinux denial on AVF RKP Hal" into main am: e357df7504
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3122031
Change-Id: Ic45ddce19ccc5d3ba42c7c7c4e40e3c883d81351
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-10 19:31:14 +00:00
Karuna Wadhera
e357df7504
Merge "Untrack keystore SELinux denial on AVF RKP Hal" into main
2024-06-10 19:06:35 +00:00
Karuna Wadhera
fb728ac3af
Untrack keystore SELinux denial on AVF RKP Hal
With the dontaudit line in keystore.te commented out on an otherwise clean build, I was unable to see the SELinux denial on boot. So, it seems like this denial may not be occurring anymore and it’s safe to remove the dontaudit line.
Bug: 312427637
Test: manual
Change-Id: Ib8887f0593ea984e3c011b76a81b7bf99cff2a44
2024-06-10 14:32:19 +00:00
Alice Wang
94148a33fe
Merge "Add system property to disable avf remote attestation" into main am: 97091293b7
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3117519
Change-Id: Ia99358fe9e6c4dcacc2814c96268ec47f9884db9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-10 12:09:00 +00:00
Alice Wang
97091293b7
Merge "Add system property to disable avf remote attestation" into main
2024-06-10 11:31:52 +00:00
Alice Wang
3d9ce1a965
Add system property to disable avf remote attestation
Introduce a new system property
avf.remote_attestation.enabled to allow vendors
to disable the feature in vendor init.
Bug: 341598459
Test: enable/disable the feature and check VmAttestationTestApp
Change-Id: I809e4c62a8590822eef70093e33854ab79757835
2024-06-10 09:16:24 +00:00
Treehugger Robot
e6618432f9
Merge "system_app.te: fix misleading comment" into main am: 104099ef21
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3120251
Change-Id: Ia49f4b47e4d08da7195812dd01b7df456c7e9025
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-10 08:24:21 +00:00
Treehugger Robot
104099ef21
Merge "system_app.te: fix misleading comment" into main
2024-06-10 08:03:10 +00:00
Nick Kralevich
c8ac77735e
system_app.te: fix misleading comment
A comment within system_app.te implies that system_apps can read/write
the /data/data directory (and all subdirectories). The comment is
misleading. Fix the comment.
Test: comment only change. No test needed
Change-Id: I51b95f8b55ac89730a866d2a829326b276b11824
2024-06-07 10:20:18 -07:00
Ellen Arteca
949db99e7c
Merge "Modify permissions to move encryption policy assignment to vold_prepare_subdirs" into main am: c628579730
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3095418
Change-Id: I0a019e1b6054825929fadd320036991e3979778c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-06 23:36:22 +00:00
Ellen Arteca
c628579730
Merge "Modify permissions to move encryption policy assignment to vold_prepare_subdirs" into main
2024-06-06 23:16:13 +00:00
Steven Moreland
57061954d2
more vm socket isolation am: 378ed74529
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3114226
Change-Id: Ib8605365b1823611b41183bdfc548c6abc913ec8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-06 18:47:07 +00:00
Ellen Arteca
aa898dc541
Modify permissions to move encryption policy assignment to vold_prepare_subdirs
We have moved the encryption policy assignment from vold to
vold_prepare_subdirs. This CL removes some permissions from vold
over storage areas that are no longer needed due to this change,
and adds some permissions to vold_prepare_subdirs.
Bug: 325129836
Test: atest StorageAreaTest
Change-Id: Ief2a8021ed3524018d001e20eae60f712f485d81
2024-06-06 17:48:43 +00:00
Steven Moreland
378ed74529
more vm socket isolation
Bugs: me
Test: build
Change-Id: Ie34ac041f1234891043098a4decf05ec7a9e6761
2024-06-05 23:45:44 +00:00
Dennis Shen
1f2eea0c7a
Merge "selinux: allow everybody to read flags from RO flag storage file" into main am: 0467d14618
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3112421
Change-Id: I948458b771e030fb4b7ef31f5a5c38a854f7db2f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-04 17:22:58 +00:00
Dennis Shen
0467d14618
Merge "selinux: allow everybody to read flags from RO flag storage file" into main
2024-06-04 17:11:18 +00:00
Dennis Shen
33bc92dab5
selinux: allow everybody to read flags from RO flag storage file
Bug: b/312459182
Test: m and avd
Change-Id: Ie5ce92b299ce2434256c9f963865b9d626b400fa
2024-06-04 15:02:56 +00:00
Treehugger Robot
23ce6a536b
Merge "Allow dexopt_chroot_setup to mount/unmount debugfs." into main am: c6a554f200
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3111559
Change-Id: I130c9ac4848eda54b134faef7f49676017dd9b47
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-04 14:20:41 +00:00
Treehugger Robot
c6a554f200
Merge "Allow dexopt_chroot_setup to mount/unmount debugfs." into main
2024-06-04 13:54:51 +00:00
Treehugger Robot
e0a8a9fa19
Merge "Allow dexopt_chroot_setup to bind-mount dirs for incremental apps." into main am: 8d9a89ed9e
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3111602
Change-Id: I7be81be6650996bf85b9c6bc77368f0b7521353e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-04 13:05:30 +00:00
Jiakai Zhang
413f44d5c4
Allow dexopt_chroot_setup to mount/unmount debugfs.
Some old devices use debugfs for /sys/kernel/debug.
Bug: 311377497
Change-Id: Ib9958b5cfdd85c37acd27ff6e637efdbd2a068e3
Test: adb shell pm art pr-dexopt-job --test
2024-06-04 12:54:25 +00:00
Treehugger Robot
8d9a89ed9e
Merge "Allow dexopt_chroot_setup to bind-mount dirs for incremental apps." into main
2024-06-04 12:48:49 +00:00
Treehugger Robot
28b66e2893
Merge "testNoBugreportDenials fix on user" into main am: 8ebc2aa055
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3111766
Change-Id: Iaf7772fc912f0a247ac835e32d6eb76deae7a3f5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-04 01:24:39 +00:00
Treehugger Robot
8ebc2aa055
Merge "testNoBugreportDenials fix on user" into main
2024-06-04 01:20:02 +00:00
Jooyung Han
9a441ba91c
Merge "installd renames dirs in /data/app-staging" into main am: 672143fa6a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3111259
Change-Id: I8ec24a3754acfac90b6a417ca6c768c0f8678f18
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-04 01:15:59 +00:00
Jooyung Han
672143fa6a
Merge "installd renames dirs in /data/app-staging" into main
2024-06-04 01:12:49 +00:00
Jiakai Zhang
0a49ac3dbd
Allow dexopt_chroot_setup to bind-mount dirs for incremental apps.
Bug: 311377497
Test: adb shell pm art pr-dexopt-job --test
Change-Id: I8da90876191eadfea77d34c7441d0e4bdb377d31
2024-06-03 20:43:25 +01:00
Steven Moreland
496f08d378
testNoBugreportDenials fix on user
Bug: 343635916
Test: N/A
Change-Id: I2f73cc8429f87e9b7ada8e7c9a3fabcc9eb3d7ee
2024-06-03 19:30:04 +00:00
Daniel Zheng
41c63c394f
Merge "add sepolicy for low mem device configurations" into main am: 2f4324ac5d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3096261
Change-Id: Ie2500bdc8247253f539df4e1a312bb0842af3d0a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-03 19:26:53 +00:00
Daniel Zheng
2f4324ac5d
Merge "add sepolicy for low mem device configurations" into main
2024-06-03 19:17:52 +00:00
Treehugger Robot
22770877f7
Merge "Improve CIL parsing" into main am: da362e9fa9
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3110097
Change-Id: I0db46b765111b07de99052a7deb36350764b7f1b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-03 09:15:10 +00:00
Treehugger Robot
da362e9fa9
Merge "Improve CIL parsing" into main
2024-06-03 09:09:21 +00:00
Treehugger Robot
e70d1b832a
Merge "Allow system_server to kill artd and its subprocesses." into main am: d7f526fd05
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3110061
Change-Id: I4bc46d4c1e4b253db29e8ff2be87aea1086e52a3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-03 08:32:41 +00:00
Treehugger Robot
d7f526fd05
Merge "Allow system_server to kill artd and its subprocesses." into main
2024-06-03 08:27:59 +00:00
Jooyung Han
cb51acc9dc
installd renames dirs in /data/app-staging
before removing a session directory. Hence, it needs more permissions on
staging_data_file.
Bug: 343165326
Test: atest CtsStagedInstallHostTestCases:com.android.tests.stagedinstall.host.StagedInstallTest#testRebootlessUpdate_unsignedPayload_fails
Change-Id: Ic94c74d4ef896129491cee39098f43f33793851f
2024-06-03 14:24:46 +09:00
Mu-Le Lee
397d1c59bc
Merge "Sepolicy for crosvm to play audio with aaudio" into main am: 12d84e2484
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3046213
Change-Id: I367c968a615df84904a36d17b26ebc193d133318
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-01 01:35:12 +00:00
Mu-Le Lee
12d84e2484
Merge "Sepolicy for crosvm to play audio with aaudio" into main
2024-06-01 01:28:10 +00:00
Treehugger Robot
d2f10fceac
Merge "lmkd: Adding io_uring support" into main am: 5bad7a2683
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3038159
Change-Id: Id2753b2043ef7a92c57be1c6a1b74d0259f39ac4
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-01 00:18:59 +00:00
Treehugger Robot
5bad7a2683
Merge "lmkd: Adding io_uring support" into main
2024-06-01 00:14:11 +00:00
Jiakai Zhang
03f9866873
Allow system_server to kill artd and its subprocesses.
This is to make sure that no process is accessing files in chroot when
we tear down chroot.
Bug: 311377497
Test: Set a very short timeout for `ensureNoProcessInDir` and run
Pre-reboot Dexopt.
Change-Id: I5c60497c73a9d56068e47840ffd4a0f0a550c250
2024-05-31 19:06:12 +01:00
Jiakai Zhang
c61adf777c
Merge "Allow system_server to read from postinstall scripts through STDIN." into main am: ca2f3851af
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3110098
Change-Id: I9a04c0d7dead2b17e905c73b4a3939eb848fd423
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-05-31 14:47:35 +00:00
Jiakai Zhang
ca2f3851af
Merge "Allow system_server to read from postinstall scripts through STDIN." into main
2024-05-31 14:43:51 +00:00
Alan Stokes
13b4208c6d
Compatibility for vendor_hidraw_device am: e65ff877d2
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3108097
Change-Id: I39c65cd16fe202a60d4283439e5dd786096ffe38
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-05-31 13:17:39 +00:00
Jiakai Zhang
92768f7a41
Allow system_server to read from postinstall scripts through STDIN.
Bug: 311377497
Test: -
1. system/update_engine/scripts/update_device.py out/dist/aosp_cf_x86_64_phone-ota-*.zip
2. Wait for update_engine to enter the postinstall stage.
3. adb shell update_engine_client --cancel
Change-Id: Ib0cbfc7b97d5ec24700ca71099e3a47af579fc8a
2024-05-31 12:26:43 +01:00
Alan Stokes
39507ae44e
Improve CIL parsing
treble_sepolicy_tests gets very confused by parentheses in comments.
Fix the search for the opening parenthesis of a statement to skip
comments.
And then update a comment that was intended to use parentheses to
actually do so. (Without the parser change, this fails horribly.)
Test: Build
Change-Id: I1e36136e97dd9b8190add29b7f2155a08ea87d80
2024-05-31 12:24:38 +01:00
Alan Stokes
e65ff877d2
Compatibility for vendor_hidraw_device
Older vendor policy may apply the label vendor_hidraw_device to the
HID device.
From Android V we use the new label hidraw_device for this.
Fix the compatibility rules to allow new system policy to work with
older vendor policy:
- Add vendor_hidraw_device for devices that don't have it (duplicate
definitions are ignored when we compile CIL).
- Add compatibility mapping so that rules for hidraw_device also
apply to vendor_hidraw_device on devices with older vendor.
Bug: 340923653
Test: Builds, boots, no new denials
Change-Id: I3ffc44be2c98be137303263f569515103c4996b8
2024-05-31 12:22:57 +01:00
Kelvin Zhang
96b770c9e2
Revert^2 "Add ro.fstype.data to indicate fs type of /data" am: 7babcdb8d8
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3109577
Change-Id: Ie7da6f4c8ed26d1c7584a650f9749856560cd14c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-05-30 21:27:28 +00:00
Kelvin Zhang
7babcdb8d8
Revert^2 "Add ro.fstype.data to indicate fs type of /data"
d6c52fdbd0
Change-Id: I160dadeb63db41618f37c66114518b49befc9d1a
2024-05-30 12:16:42 -07:00
Treehugger Robot
e6d64bc165
Merge "Define UWB snoop log in sepolicy" into main am: f1956206fc
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3088485
Change-Id: Ib05f56a88885b19256d3679dc628f338c6e9cae2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-05-30 18:03:58 +00:00
Treehugger Robot
f1956206fc
Merge "Define UWB snoop log in sepolicy" into main
2024-05-30 17:58:47 +00:00