Treehugger Robot
54873f4d24
Merge "Allow derive_classpath to read /apex." am: 8fa9b428c7
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1662194
Change-Id: I15793824fee6537a1d02a7b7af22ddae3f1c68da
2021-04-06 19:28:44 +00:00
Treehugger Robot
8fa9b428c7
Merge "Allow derive_classpath to read /apex."
2021-04-06 19:06:56 +00:00
Wei Wang
9d42156d64
Merge "Add SEpolicy for HintManagerService" am: a02227bd7a
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1664996
Change-Id: Ifcce2ee8dfb3d83b24934c796f8820697ce8a621
2021-04-06 17:35:50 +00:00
Wei Wang
a02227bd7a
Merge "Add SEpolicy for HintManagerService"
2021-04-06 16:49:26 +00:00
Jenny Ho
42b0191e33
Add support for test_harness property am: e0efb683a7
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1665339
Change-Id: I6555520c2f720c229330ce1bb66662e9d184aeda
2021-04-06 16:02:11 +00:00
Artur Satayev
4c6d3081fd
Allow derive_classpath to read /apex.
...
Individual apexes may contribute jars to BOOTCLASSPATH and friends.
Configuration for these contributions is in /apex/foo/etc/ files that
derive_classpath service reads and processes.
Bug: 180105615
Test: presubmit && DeviceBootTest
Change-Id: I61379e55f2ad55e1c65956b854e5a9b8872c61df
2021-04-06 15:14:19 +01:00
Jenny Ho
e0efb683a7
Add support for test_harness property
...
Bug: 180511460
Signed-off-by: Jenny Ho <hsiufangho@google.com>
Change-Id: I796b29528522a615c8b15b0d7e53bb1903f1d965
2021-04-06 10:21:01 +00:00
Wei Wang
4b98ddfee4
Add SEpolicy for HintManagerService
...
Bug: 158791282
Test: Compiles, boots
Signed-off-by: Wei Wang <wvw@google.com>
Change-Id: I76ad7858076b47990e5ddf3acb880443d0074e42
2021-04-06 00:01:57 -07:00
Yo Chiang
2fc844f5e8
Merge "Add rules for calling ReadDefaultFstab()" am: 0b4677c566
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1645115
Change-Id: I1adffb4e5710871737d7d3c893fa905f4f364c3f
2021-04-06 04:20:12 +00:00
Yo Chiang
0b4677c566
Merge "Add rules for calling ReadDefaultFstab()"
2021-04-06 03:37:58 +00:00
Suren Baghdasaryan
fc675e89fa
Add lmkd. ro.lmk.thrashing_limit_critical property policies am: c461b3b778
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1661301
Change-Id: Ib1aaa0418efae2b85c644d1e1f88be57c3c329f4
2021-04-06 01:36:53 +00:00
Inseob Kim
7dc49db091
Merge "Add plat_vendor tag to se_build_files for microdroid" am: ad82d6d5db
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1664400
Change-Id: I6e482cf42c0c7a2458882fdbe91824ef9a9cc9f7
2021-04-06 01:28:48 +00:00
Suren Baghdasaryan
c461b3b778
Add lmkd. ro.lmk.thrashing_limit_critical property policies
...
Add policies to control ro.lmk.thrashing_limit_critical lmkd property.
Bug: 181778155
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I25eeb84e6e073510e2f516fd38b80c67afe26917
2021-04-06 00:40:56 +00:00
Inseob Kim
ad82d6d5db
Merge "Add plat_vendor tag to se_build_files for microdroid"
2021-04-06 00:38:10 +00:00
Josh Gao
e9a119df6c
Merge "Add neverallow to prevent reading heap dumps." am: d6d8a0fa5e
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1532266
Change-Id: I79be8326c2fae6cfb022750185a03b49d9d8a72a
2021-04-06 00:22:25 +00:00
Josh Gao
269016353b
Merge "Make init.svc.adbd globally readable." am: f15793fa09
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1491136
Change-Id: I5cd6cff83c6e000e92395b60f90b29583c8ede69
2021-04-06 00:21:57 +00:00
Josh Gao
d6d8a0fa5e
Merge "Add neverallow to prevent reading heap dumps."
2021-04-05 23:55:11 +00:00
Josh Gao
f15793fa09
Merge "Make init.svc.adbd globally readable."
2021-04-05 23:47:56 +00:00
Kalesh Singh
ebedb3dd20
Merge "Memtrack Proxy Service Sepolicy" am: ca0e35d633
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1657039
Change-Id: Ida3bcc4d701432d9a3d2c4f15f25869165c64473
2021-04-05 19:44:44 +00:00
Kalesh Singh
ca0e35d633
Merge "Memtrack Proxy Service Sepolicy"
2021-04-05 19:14:11 +00:00
Inseob Kim
39fbcf7c96
Add plat_vendor tag to se_build_files for microdroid
...
plat_vendor tag consists of vendor available policies in system/sepolicy
directory, and is for minimized vendor policies.
Bug: 33691272
Test: boot microdroid
Change-Id: Icb3c1be02ee41b526d7d95f0053e56bf8b34f49d
2021-04-05 09:50:47 +00:00
Christine Franks
c56f32bbbd
Merge "Make uhid_device an mlstrustedobject" am: 2347901495
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1660645
Change-Id: I193e3975ae5218ee8964aa6208d0e02009d814dd
2021-04-02 00:09:47 +00:00
Christine Franks
2347901495
Merge "Make uhid_device an mlstrustedobject"
2021-04-01 23:24:33 +00:00
Alex Hong
4bdc8fa19b
Allow incident to access statsd sockets am: 4d750b56e3
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1662279
Change-Id: I2fb9980c0117b7f96046a9408445a74d052eba99
2021-04-01 19:00:38 +00:00
Alex Hong
4d750b56e3
Allow incident to access statsd sockets
...
For incident section 1116, it runs incident-helper-cmd which executes app_process.
The metrics reporting in app_process currently writes metrics to Statsd.
Now grant the required statsd socket permission.
Bug: 183759310
Test: $ make selinux_policy
Push SELinux modules
$ ./pts-tradefed run pts -m PtsSELinuxTest -t com.google.android.selinux.pts.SELinuxTest#scanBugreport
Change-Id: I7a1ff6a3022414c4da2592a9a215d4b5e5f59ca2
2021-04-01 22:05:22 +08:00
Kalesh Singh
58fdefc953
Memtrack Proxy Service Sepolicy
...
Bug: 177664629
Test: Boot; No avc denials;
Change-Id: Ieae6b1dc446a91aca26fdf1314690ca30b0ed5c5
2021-04-01 00:44:00 -04:00
juanjuan.hou
6a22e37be9
Add sepolicy for installd check sdcardfs usage property
...
We should add sepolicy for installd to get permission to check for external_storage.sdcardfs.enabled before deciding that the system is using sdcardfs.
Test: Run on device not using sdcardfs, but with sdcardfs present in kernel
Bug: 160727529
Bug: 181819712
Change-Id: I79df67789ab003762337ad4e89e46892990d0e60
2021-04-01 03:09:06 +00:00
Christine Franks
225fb93724
Make uhid_device an mlstrustedobject
...
This is intended so apps that are allowed access to uhid_device can pass
the mls constraints.
Bug: 183449317
Test: n/a
Change-Id: I8ca87014ddfd7e9a02a2ac97a13f2c43841ee181
2021-03-31 21:43:33 +00:00
Arun Mirpuri
fa23ae1247
sepolicy: Give access to ahal to flinger standby prop
...
Allow Vendor Audio HAL to update Audio Flinger standby
idle timeout.
Bug: 181967247
Change-Id: I7ae992bde5fdcf81ce2ca7a5a93e5e70aab1b56c
2021-03-31 09:14:39 -07:00
Steven Moreland
6a3aec4f4d
Merge "Remove old binder interface entry for keystore2" am: 0369e8ba9d
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1654452
Change-Id: I11fe9d8281845f14adb2e9447aa4c9b1fa200237
2021-03-30 23:10:21 +00:00
Steven Moreland
0369e8ba9d
Merge "Remove old binder interface entry for keystore2"
2021-03-30 22:24:09 +00:00
Treehugger Robot
b999b35c7a
Merge "Use postinstall file_contexts" am: da7889276f
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1646766
Change-Id: Ia4a358af244df9ab36dcf15aa617eecaf57d2379
2021-03-30 18:27:43 +00:00
Treehugger Robot
da7889276f
Merge "Use postinstall file_contexts"
2021-03-30 18:01:34 +00:00
Treehugger Robot
18987fea97
Merge "crash_dump: suppress denials for files in /proc" am: d64e4f4fd1
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1657732
Change-Id: I5b73bcbc8807e9570842b76afcaf2e3bcac2544c
2021-03-30 14:40:25 +00:00
Treehugger Robot
d64e4f4fd1
Merge "crash_dump: suppress denials for files in /proc"
2021-03-30 14:03:10 +00:00
Jeff Vander Stoep
bd247bc88a
crash_dump: suppress denials for files in /proc
...
Crash_dump may not have access to files in /proc that are passed
across exec(). Rather than let these cause test failures, suppress
them.
Fixes: 183575981
Test: build
Change-Id: I285dc84ef8a43a8f5a34538143c6506c70540b03
2021-03-30 12:05:46 +02:00
Treehugger Robot
b830444372
Merge "Migrate microdroid genrules to selinux module" am: 702b357796
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1653927
Change-Id: I20d008b6e9759db98a25a4352b5cf9a3151522d6
2021-03-30 07:11:22 +00:00
Martijn Coenen
03aaee138c
Merge "Allow apps to read apex_art_data_file:dir" am: 932949ef0f
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1655218
Change-Id: Id7565d734c699ea2f402350e77d9faa97c530e91
2021-03-30 07:09:41 +00:00
Treehugger Robot
702b357796
Merge "Migrate microdroid genrules to selinux module"
2021-03-30 06:45:19 +00:00
Martijn Coenen
932949ef0f
Merge "Allow apps to read apex_art_data_file:dir"
2021-03-30 06:39:58 +00:00
Inseob Kim
50375ce708
Migrate microdroid genrules to selinux module
...
Bug: 33691272
Test: boot microdroid, see selinux works
Change-Id: Ic360604edb1b75e94d06a7961ea60ea46a34aa68
2021-03-30 13:14:27 +09:00
Colin Cross
5c115a943e
Merge "Fix missing dependency in sepolicy mapping file rules" am: fde2fdb0b4
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1656091
Change-Id: Id522cea2a6544ce6b2a6d7188de02d7e1f7ebf75
2021-03-30 00:14:13 +00:00
Colin Cross
fde2fdb0b4
Merge "Fix missing dependency in sepolicy mapping file rules"
2021-03-29 23:38:58 +00:00
Stephen Crane
31f4eae342
Remove old binder interface entry for keystore2
...
Now that keystore2 is a VNDK stable interface, we need to remove the
legacy unqualified interface from the keystore service context.
Test: Compile, boot, and ensure no SELinux violations for keystore2 service
Change-Id: I770c08eae9690b0dc0e2bae86c9ef72f9540d2f4
2021-03-29 21:40:38 +00:00
Steven Moreland
a5018de37c
Merge "Add IKeystoreService interface to keystore_service" am: 2d2f8af278
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1627399
Change-Id: Id0c2cf233cffaf94d52035ffae166ee2f0ca9bd1
2021-03-29 17:41:26 +00:00
Colin Cross
c8aa1bba0b
Fix missing dependency in sepolicy mapping file rules
...
The system_ext_mapping_cil_$(ver) and product_mapping_cil_$(ver) rules
use build_sepolicy, but are missing a dependency on the tool.
Bug: 183865297
Test: forrest
Change-Id: Ic4e860ccf3e7a3cd06bc5c6fe947717fadb164f5
2021-03-29 10:03:29 -07:00
Steven Moreland
2d2f8af278
Merge "Add IKeystoreService interface to keystore_service"
2021-03-29 17:02:31 +00:00
Martijn Coenen
4825e8662d
Allow apps to read apex_art_data_file:dir
...
This should be ok since apps are already allowed to read the contained
files; the dir is iterated by tests to ensure that all files are signed
correctly.
Bug: 165630556
Test: new test passes
Change-Id: Ib6c298f2b267839a802c17288230a8151a1eec86
2021-03-29 13:51:47 +02:00
Jeffrey Vander Stoep
49c5eeb4bd
Merge "virtmanager: add selinux domain" am: 48740d0d6b
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1654408
Change-Id: I64250f9d49582a07927ae75b827f6ecbd20af03e
2021-03-29 08:03:05 +00:00
Inseob Kim
f3766f6b13
Merge "Allow adbd to use vsock_socket" am: 4d8f634987
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1626224
Change-Id: I0ba18b2573566672dcb53d73a5603a184d7f65dd
2021-03-29 08:02:23 +00:00