Commit graph

29509 commits

Author SHA1 Message Date
Treehugger Robot
d09072122e Merge "Revert^4 "Build userdebug_plat_sepolicy.cil with Android.bp"" am: 351331b015
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1690571

Change-Id: Iefc0db838c8e40ba46336df0577bc86c604e7588
2021-05-03 00:13:50 +00:00
Treehugger Robot
351331b015 Merge "Revert^4 "Build userdebug_plat_sepolicy.cil with Android.bp"" 2021-05-02 23:54:40 +00:00
Shawn Willden
a4b0853bbc Merge "Allowing userdebug/eng builds crash dump access to ks" am: bdc4f744da
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1692507

Change-Id: Ib330b362e96a5f1a8a0dd1abe6dc9856fca847d0
2021-04-30 22:45:16 +00:00
Shawn Willden
bdc4f744da Merge "Allowing userdebug/eng builds crash dump access to ks" 2021-04-30 22:19:04 +00:00
Max Bires
f09391624a Allowing userdebug/eng builds crash dump access to ks
This will make debugging of keystore issues in dogfood populations much
easier than it previously was, as developers will have detailed crash
dump reporting on any issues that do occur.

Bug: 186868271
Bug: 184006658
Test: crash dumps appear if keystore2 explodes
Change-Id: Ifb36cbf96eb063c9290905178b2fdc5934050b99
2021-04-30 18:50:54 +00:00
Songchun Fan
94242d39fb [sepolicy] allow system_server to ioctl INCFS_IOC_GET_LAST_READ_ERROR am: 979a1f8f34
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1690659

Change-Id: I5d7a81ccc2a7530214d626fb208b2e07bb5229c0
2021-04-30 17:01:56 +00:00
Songchun Fan
979a1f8f34 [sepolicy] allow system_server to ioctl INCFS_IOC_GET_LAST_READ_ERROR
Solves the denial message like:

04-30 03:54:46.972 21944 21944 I Binder:21944_17: type=1400 audit(0.0:502): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F6170705F766D646C3133352F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x6727 scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1

BUG: 184844615
Test: manual
Change-Id: I3ef32613de348bca1d58cddf4ec1296d4828b51a
2021-04-30 16:46:06 +00:00
Orion Hodson
35a5d563d3 Merge "app_zygote.te: allow reading and searching the ART module dalvik-cache" am: 86e3ac05e6
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1689848

Change-Id: I250f797e134539f49ad71d76b630d6e10935227a
2021-04-30 14:51:08 +00:00
Orion Hodson
86e3ac05e6 Merge "app_zygote.te: allow reading and searching the ART module dalvik-cache" 2021-04-30 14:22:10 +00:00
Nicolas Geoffray
1f12fa3a57 Merge "Allow dex2oat to read /apex/apex-info-list.xml" am: 24878f8816
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1689846

Change-Id: I22b28297cc86f7dea888a0e23b29813b855bf566
2021-04-30 08:57:29 +00:00
Nicolas Geoffray
24878f8816 Merge "Allow dex2oat to read /apex/apex-info-list.xml" 2021-04-30 08:42:31 +00:00
Inseob Kim
6cc75f4587 Revert^4 "Build userdebug_plat_sepolicy.cil with Android.bp"
This reverts commit a46d61cd3f.

Reason for revert: fixed debug_ramdisk partition problem

Change-Id: If2350f115f5ff74ee50dac4e5a87c4d171067282
2021-04-30 14:53:25 +09:00
Inseob Kim
89ba18411f Merge "Add precompiled hash only when policy exists" am: 785ac2bf1a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1690570

Change-Id: I9ab235cb7a22ec54086f31431cc7fed3acef4fcf
2021-04-30 01:50:04 +00:00
Inseob Kim
785ac2bf1a Merge "Add precompiled hash only when policy exists" 2021-04-30 01:14:15 +00:00
Inseob Kim
abb6c23670 Merge "Add sepolicy_vers for plat_sepolicy_vers.txt" am: c96bd38275
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1690574

Change-Id: I762da1e220be6e3a8109bdc19702db3f90c46b2a
2021-04-30 00:51:59 +00:00
Inseob Kim
c96bd38275 Merge "Add sepolicy_vers for plat_sepolicy_vers.txt" 2021-04-30 00:26:53 +00:00
Sandeep Patil
79db932195 OWNERS: Remove myself from owners am: 04eec64bd9
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1690653

Change-Id: I44bf0c90652aa15832a6deb6acce645ec7d43812
2021-04-29 23:43:51 +00:00
Sandeep Patil
04eec64bd9 OWNERS: Remove myself from owners
I haven't reviewed a single sepolicy change for over a year.
There are plenty of OWNERs who know the current code better.

Test: N/A
Bug: None

Signed-off-by: Sandeep Patil <sspatil@google.com>
Change-Id: I2f8345a0220e0f59ca56fad44768a074c3921f05
2021-04-29 14:25:08 -07:00
Oleg Matcovschi
14512b19a6 Merge "sepolicy: add ro.product.vendor_dlkm coverage" am: 102883c1e0
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1690648

Change-Id: I3bac584f2d6d3d9e49a4d6db6481ce5d6974ec1b
2021-04-29 19:25:43 +00:00
Oleg Matcovschi
102883c1e0 Merge "sepolicy: add ro.product.vendor_dlkm coverage" 2021-04-29 18:32:11 +00:00
Oleg Matcovschi
db8fa96ac6 sepolicy: add ro.product.vendor_dlkm coverage
Bug: 186747827
Signed-off-by: Oleg Matcovschi <omatcovschi@google.com>
Change-Id: I51801feeaf67537e6628cf34b4b7425b075f711b
2021-04-29 08:38:17 -07:00
Orion Hodson
90d3351ad1 app_zygote.te: allow reading and searching the ART module dalvik-cache
Fix: 185637711
Test: SELinux denials gone for chrome_zygote
Change-Id: I31ba5d5b4fa8cb002814809a533bf2b2dc465c99
2021-04-29 15:29:12 +00:00
Inseob Kim
1c056b1ad0 Add sepolicy_vers for plat_sepolicy_vers.txt
plat_sepolicy_vers.txt stores the version of vendor policy. This change
adds sepolicy_vers module to migrate plat_sepolicy_vers.txt to
Android.bp.

- Device's plat_sepolicy_vers: should be BOARD_SEPOLICY_VERS
- Microdroid's plat_sepolicy_vers: should be PLATFORM_SEPOLICY_VERSION
  because all microdroid artifacts are bound to platform

Bug: 33691272
Test: boot device && boot microdroid
Change-Id: Ida293e1cb785b44fa1d01543d52d3f8e15b055c2
2021-04-30 00:17:39 +09:00
Treehugger Robot
b31a754011 Merge "app.te: enable mapping ART apexdata cache executable" am: d82e1e4214
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1688390

Change-Id: Ic451f32d09714efaeb70792f72f3e7305b4af5cf
2021-04-29 14:15:45 +00:00
Treehugger Robot
d82e1e4214 Merge "app.te: enable mapping ART apexdata cache executable" 2021-04-29 14:02:34 +00:00
Inseob Kim
a76c0c8540 Add precompiled hash only when policy exists
precompiled_system_ext_and_mapping.sha256 and
precompiled_product_and_mapping.sha256 have been installed, regardless of
existence of system_ext and product policies. This change only installs
such hash files when policy files exist, for consistency.

Bug: 186727553
Test: boot yukawa and see precompiled sepolicy is used
Change-Id: Iaad827cefdbe82e68288cd6cc59b55b5f28c229d
2021-04-29 19:45:50 +09:00
Nicolas Geoffray
75de97b2e4 Merge "Allow boot animation to update boot status." am: 82bf10a79c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1687883

Change-Id: Ib5c44be9666d94e09187f7eafa2fe94c6fd0526e
2021-04-29 08:49:24 +00:00
Nicolas Geoffray
82bf10a79c Merge "Allow boot animation to update boot status." 2021-04-29 07:53:05 +00:00
Treehugger Robot
85647c642b Merge "Add support for invoking derive_classpath from otadexopt" am: 59e8007be0
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1687094

Change-Id: I1a763ec4c6e9d9457b72ad5b0ef090b3629e75e1
2021-04-28 19:34:16 +00:00
Christian Wailes
b9502c818f Merge "Add SELinux properties for artd" am: 6553a8dbe6
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1663786

Change-Id: I7ae15288c3a672ae73ed1d2ce6598d481dd66c62
2021-04-28 19:21:59 +00:00
Treehugger Robot
59e8007be0 Merge "Add support for invoking derive_classpath from otadexopt" 2021-04-28 17:44:31 +00:00
Christian Wailes
6553a8dbe6 Merge "Add SELinux properties for artd" 2021-04-28 16:41:09 +00:00
Xusong Wang
7dfd4783bc Merge "Allow NN HAL service to read files from apk data files" am: c5bae6f802
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1679971

Change-Id: I074eb4d1252917bf0681fc91da22f21c7ee87bb0
2021-04-28 15:43:24 +00:00
Xusong Wang
c5bae6f802 Merge "Allow NN HAL service to read files from apk data files" 2021-04-28 15:09:42 +00:00
Nicolas Geoffray
6a311471a6 Allow boot animation to update boot status.
This CL was missed from the topic:
https://android-review.googlesource.com/q/topic:bootanim-percent

Test: update ART module, see animation go to 100%
Bug: 184881321
Change-Id: I59706718af11751a7e1f4b5ab1ff2793f554fb19
2021-04-28 15:17:09 +01:00
Nicolas Geoffray
78f0250077 Allow dex2oat to read /apex/apex-info-list.xml
Test: ART tests
Bug: 182465342
Change-Id: Ied9f41d59795fa72b9806c71241ae0c9bc05ce48
2021-04-28 13:37:27 +01:00
Midas Chien
fca308fbdf Add a sysprop to set display update imminent timeout am: 3c24ea1793
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1688265

Change-Id: Ib241e58bda3208dd2c886722b9061f4d35e02e9c
2021-04-28 06:58:00 +00:00
Chris Wailes
467d8a80ea Add SELinux properties for artd
Test: boot device and check for artd process
Change-Id: I2a161701102ecbde3e293af0346d1db0b11d4aab
2021-04-27 14:49:13 -07:00
Alex Light
8393a05fee Add support for invoking derive_classpath from otadexopt
otadexopt needs to be able to invoke derive_classpath in order to
determine the boot-classpath after the OTA finishes.

Test: manual OTA on blueline
Bug: 186432034
Change-Id: I3ec561fc0aa9de25ae1186f012ef72ba851990d0
2021-04-27 14:31:54 -07:00
Orion Hodson
13ee65392e app.te: enable mapping ART apexdata cache executable
Some jars, such as com.android.location.provider.jar, are both on the
system_server classpath and loaded as libraries. If the .oat files are
in the ART apexdata cache (due to being system_server classpath), they
need execute permission to be usable as AOT compiled libraries.

Bug: 184881321
Test: install an updated ART apex, open apps, see no more denials
Change-Id: I89b74dfa047699c568575d99a29c5e74abdef076
2021-04-27 16:41:23 +01:00
Midas Chien
3c24ea1793 Add a sysprop to set display update imminent timeout
Adding 'ro.surface_flinger.display_update_imminent_timeout_ms' to set
timeout for rate limit display update imminent notifications.

Bug: 164411401
Change-Id: I90a00fe7f8df3aa505f08081d096fd83b3342f59
2021-04-27 20:45:29 +08:00
Treehugger Robot
5fc200133c Merge "[incfs] Allow everyone read the IncFS sysfs features" am: 98914119ae
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1683348

Change-Id: Ib74b71af500a1751407697b658a30cd1f06635fe
2021-04-26 22:48:30 +00:00
Treehugger Robot
98914119ae Merge "[incfs] Allow everyone read the IncFS sysfs features" 2021-04-26 22:19:37 +00:00
Treehugger Robot
e85d0ef89c Merge "Fix permissions for vold.post_fs_data_done" am: 206d6d80a1
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1684054

Change-Id: Ie7b4b792d06130a9d2b9b1121a2b1c6cb487d90c
2021-04-26 20:58:55 +00:00
Treehugger Robot
206d6d80a1 Merge "Fix permissions for vold.post_fs_data_done" 2021-04-26 20:36:34 +00:00
Eric Biggers
040ce199b2 Fix permissions for vold.post_fs_data_done
The system property "vold.post_fs_data_done" is used by init and vold to
communicate with each other in order to set up FDE on devices that use
FDE.  It needs to be gettable and settable by vold, and settable by init
and vendor_init.  This was the case in Android 11 and earlier; however,
the change
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1277447
("Rename exported and exported2 vold prop") broke this by giving this
property the type "vold_config_prop", which made it no longer settable
by vold.

Since none of the existing property types appear to be appropriate for
this particular property, define a new type "vold_post_fs_data_prop" and
grant the needed domains permission to get/set it.

This is one of a set of changes that is needed to get FDE working again
so that devices that launched with FDE can be upgraded to Android 12.

Bug: 186165644
Test: Tested FDE on Cuttlefish
Change-Id: I2fd8af0091f8b921ec37381ad3b85a156d074566
2021-04-26 12:43:05 -07:00
Hridya Valsaraju
b4fe53980f Merge changes from topic "revert-1668411-MWQWEZISXF" am: 7362f58895
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1685768

Change-Id: I70943f02d4d3d7d915e5c820db872519c9766e06
2021-04-23 22:26:18 +00:00
Hridya Valsaraju
7362f58895 Merge changes from topic "revert-1668411-MWQWEZISXF"
* changes:
  Revert "Add a neverallow for debugfs mounting"
  Revert "Add neverallows for debugfs access"
  Revert "Exclude vendor_modprobe from debugfs neverallow restrictions"
  Revert "Check that tracefs files are labelled as tracefs_type"
2021-04-23 22:06:31 +00:00
Robert Horvath
03070a86ec Merge "Add bootanim property context, ro.bootanim.quiescent.enabled property" am: dbfe4809ba
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1676224

Change-Id: I54ee8a4383490b5e05ed5dda46676bb3e0db145b
2021-04-23 17:06:58 +00:00
Robert Horvath
dbfe4809ba Merge "Add bootanim property context, ro.bootanim.quiescent.enabled property" 2021-04-23 16:45:32 +00:00