Commit graph

21058 commits

Author SHA1 Message Date
Steven Moreland
d181bc2c16 Remove mediacodec_service.
Since this service no longer exists.

Fix: 80317992
Test: TH, codesearch.
Change-Id: I257c8cc3dba657d98f19eb61b36aae147afea393
2019-08-21 01:19:20 +00:00
Steven Moreland
dbfbddbf0e Merge "Add uce service to core policy." into stage-aosp-master 2019-08-19 21:38:00 +00:00
Roland Levillain
2d47c5da94 Allow dexoptanalyzer to mmap files with Linux 4.14+ that it can already access.
am: c72b7d1731

Change-Id: I39667ccca82601ef1afa3d38df0d184c73edc87b
2019-08-19 13:52:23 -07:00
Steven Moreland
92f72cd22d Add uce service to core policy.
This service is requested by AOSP framework, but there is no context for
it defined.

Bug: 136023468
Test: N/A
Change-Id: Ibc5b048aaa1c9eda7b9180caca92cb876c3f6b28
Merged-In: Ibc5b048aaa1c9eda7b9180caca92cb876c3f6b28
(cherry picked from commit 67cb30fabf)
2019-08-19 12:29:39 -07:00
Roland Levillain
c72b7d1731 Allow dexoptanalyzer to mmap files with Linux 4.14+ that it can already access.
SELinux has a separate file mmap permission in 4.14+ kernels. Add this
to dexoptanalyzer(d) in cases where it could already access files (in
particular, secondary dex files).

Addresses denials of the form:

  avc: denied { map } for […] path="/data/data/[…]" […]
  scontext=u:r:dexoptanalyzer:s0 tcontext=u:object_r:app_data_file:s0

Test: Reproduce steps in bug 138683603 on a device with a 4.14+ kernel
      and check the absence of SELinux denials
Bug: 138683603

Change-Id: Ieba53eb431c0ba3914dcb5e5abdae667bd063555
2019-08-16 20:02:32 +01:00
Amy Zhang
3b62596f4f Merge "Tuner Hal 1.0 Enable ITuner service"
am: 3e7429359f

Change-Id: Ic4442460d60d51e97c84ea430830cd12c205e5f6
2019-08-15 13:23:33 -07:00
Amy Zhang
3e7429359f Merge "Tuner Hal 1.0 Enable ITuner service" 2019-08-15 18:04:05 +00:00
Remi NGUYEN VAN
b65731efb8 Merge "Add MAINLINE_SEPOLICY_DEV_CERTIFICATES to keys.conf"
am: 1fc3f318bf

Change-Id: I434639e3c40d5d0f5e3a8218891c7f173a44bd9b
2019-08-15 01:11:27 -07:00
Treehugger Robot
1fc3f318bf Merge "Add MAINLINE_SEPOLICY_DEV_CERTIFICATES to keys.conf" 2019-08-15 07:43:46 +00:00
Xin Li
b08436b805 DO NOT MERGE - Skip qt-dev-plus-aosp-without-vendor (5713463) in stage-aosp-master
Bug: 134405016
Change-Id: I7d7912abeb19a2a3ca8685f72a54837388ca7e84
2019-08-14 11:35:24 -07:00
Amy
89b4bbd4d8 Tuner Hal 1.0 Enable ITuner service
Test: cuttlefish
Bug: 135708935
Change-Id: Ica063458860df45f0e2ab640a2ab35cd4da3da8e
2019-08-14 11:22:09 -07:00
Kiyoung Kim
039549102c Merge changes from topic "use_generated_linkerconfig"
am: aff00188eb

Change-Id: I82225595e27aee8677c94d6a713d6ef5a195e2d7
2019-08-14 02:47:24 -07:00
Kiyoung Kim
98d2042b00 Add more permission for linkerconfig
am: 70e931caba

Change-Id: I734adf5a17214c895a3799cf04bdabb8dbf53039
2019-08-14 02:47:20 -07:00
Kiyoung Kim
aff00188eb Merge changes from topic "use_generated_linkerconfig"
* changes:
  Define sepolicy with property for linker
  Add more permission for linkerconfig
2019-08-14 09:28:23 +00:00
Kiyoung Kim
82c87ede24 Define sepolicy with property for linker
To support linker-specific property, sys.linker.* has been defined as
linker_prop. This will have get_prop access from domain so all binaries
can start with linker using proper property access level.

Bug: 138920271
Test: m -j && Confirmed from cuttlefish that get_prop errors are no longer found
Change-Id: Iaf584e0cbdd5bca3d5667e93cf9a6401e757a314
2019-08-14 12:35:15 +09:00
Tri Vo
7e4ef4871e Merge "sepolicy: public links in error messages"
am: 58188e5f42

Change-Id: I412f6f6d5ac9445478b9a50e372467d801271a3a
2019-08-13 16:50:38 -07:00
Tri Vo
58188e5f42 Merge "sepolicy: public links in error messages" 2019-08-13 23:09:33 +00:00
Carmen Jackson
5860205f67 Allow Traceur to record the suspend_resume trace event
am: 1e414b5355

Change-Id: I32de6f61520474f1cb9895e416ba409847082e6d
2019-08-13 01:13:23 -07:00
Carmen Jackson
1e414b5355 Allow Traceur to record the suspend_resume trace event
This should be available in user and userdebug builds.

Bug: 137289935
Test: Alongside atrace changes, recorded a trace using Traceur and
verified that the tracepoints were included in the recorded trace in
both user and userdebug builds.

Change-Id: I6131557bdd0a298be9e75b39759599b189b9b988
2019-08-09 10:56:15 -07:00
Tri Vo
462c9c4382 sepolicy: public links in error messages
Bug: n/a
Test: n/a
Change-Id: Id449fe115fac8bf99c33bf4455a23dd29448f93d
2019-08-09 10:27:48 -07:00
vichang
146fd75622 Merge "Add sepolicy for com.android.i18n module"
am: 35108c95f5

Change-Id: I6c104082f1ad0b1fad63b79bbc9b9624a305927d
2019-08-08 04:25:00 -07:00
vichang
35108c95f5 Merge "Add sepolicy for com.android.i18n module" 2019-08-08 11:06:53 +00:00
Kiyoung Kim
70e931caba Add more permission for linkerconfig
Additional permission is required for linkerconfig from domain to get
access to ld.config.txt file from linker. This change allows linker to
get /dev/linkerconfig/ld.config.txt

Bug: 138920271
Test: m -j && confirmed from cuttlefish
Change-Id: Id130a072add8ae82840b0b4d9e997e146f502124
2019-08-08 17:18:21 +09:00
Zim
cf289bc411 Allow MediaProvider to host FUSE devices.
am: b56cc6fb1f

Change-Id: Id6909432f50669e4450e6c9fa9de8cc1a8164b08
2019-08-07 19:28:53 -07:00
Zim
b56cc6fb1f Allow MediaProvider to host FUSE devices.
This change is part of enabling upcoming platform changes that are
described in the bug linked below.

Bug: 135341433
Test: m
Change-Id: I6ef499b0d5aa403f8eb6699649a201d8cc004bc5
2019-08-07 19:00:15 +01:00
Roland Levillain
3639c5dce7 Merge "Fix lock logspam for dexoptanalyzer."
am: d1936ac945

Change-Id: I6aae107f5234b1647c3822b581e1fd446c77bd99
2019-08-07 04:20:48 -07:00
Roland Levillain
d1936ac945 Merge "Fix lock logspam for dexoptanalyzer." 2019-08-07 10:35:39 +00:00
Remi NGUYEN VAN
bd3ab0278b Add MAINLINE_SEPOLICY_DEV_CERTIFICATES to keys.conf
DEFAULT_SYSTEM_DEV_CERTIFICATE is not appropriate as some OEMs may need
to change only the certificates used to generate
plat_mac_permissions.xml for mainline modules.

Test: m, checked output plat_mac_permissions.xml
Bug: 138097611
Bug: 134995443
Change-Id: Ie19130a243db043f432039c54c379f06e60ab6c6
2019-08-07 18:23:47 +09:00
Yifan Hong
92a0aa60b6 Merge "Allow update_engine to read virtual ab feature flag."
am: bfac74272a

Change-Id: I23968213768ee6fb5f2bab8e6238bee741011c11
2019-08-06 18:22:30 -07:00
Yifan Hong
bfac74272a Merge "Allow update_engine to read virtual ab feature flag." 2019-08-07 01:01:14 +00:00
Jon Spivack
74881bda63 Merge "Allow servicemanager to start processes"
am: 5fa2d8071b

Change-Id: I233ec0b00a442ca435944eac6a50bd22393722b4
2019-08-06 15:04:38 -07:00
Jon Spivack
5fa2d8071b Merge "Allow servicemanager to start processes" 2019-08-06 21:12:07 +00:00
Roland Levillain
47c7f84a20 Fix lock logspam for dexoptanalyzer.
Allow dexoptanalyzer(d) to lock `system_file` files, so that it can
lock `/system/framework/$ISA/*.art` files (which is harmless as these
files live in a read-only partition, but admittedly simplifies the
corresponding logic in ART).

Addresses denials of the form:

  avc: denied { lock } for path="/system/framework/arm/boot.art"
  dev="dm-0" ino=1330 scontext=u:r:dexoptanalyzer:s0
  tcontext=u:object_r:system_file:s0 tclass=file permissive=0 […]

Test: Reproduce steps in bug 138683603 and check the absence of SELinux denials
Bug: 138683603
Change-Id: I8a08822b4908b3b37bd0e450dd1356ed92332327
2019-08-06 14:51:01 +01:00
Yifan Hong
20010d199b Allow update_engine to read virtual ab feature flag.
Test: adb shell getprop -Z [the two flags]
Bug: 135752105

Change-Id: I3e0372e969ea0161787c32560a8c40fed2953619
2019-08-05 14:32:15 -07:00
Daniel Norman
ee5547dca8 Merge "Adds new policy for init_svc_debug_prop."
am: 95c9b61d3c

Change-Id: I866f58e08fd58226d209f15e8ea341cbd5c53261
2019-08-02 15:21:59 -07:00
Daniel Norman
95c9b61d3c Merge "Adds new policy for init_svc_debug_prop." 2019-08-02 21:51:17 +00:00
Tri Vo
a2da94ca2b Merge "system_suspend: remove /sys/power/wake_lock permissions"
am: 1e5524eb30

Change-Id: I243275e535d93887263ca4d93dd2e0e01d9c669c
2019-08-02 11:26:39 -07:00
Tri Vo
1e5524eb30 Merge "system_suspend: remove /sys/power/wake_lock permissions" 2019-08-02 17:44:04 +00:00
Daniel Norman
4eca819483 Adds new policy for init_svc_debug_prop.
Used to restrict properties init.svc_debug_pid.*

Bug: 138114550
Test: getprop | grep init.svc_debug_pid  only shows results on root
Change-Id: I0c10699deec4c548a2463a934e96b897ddee1678
2019-08-02 10:27:15 -07:00
Tri Vo
f517b7a5fd Merge "Label /product/lib(64)/* as system_lib_file"
am: 2765c29bef

Change-Id: I82ba26300d444ab3a31b4fd7f0ac5907d8da7060
2019-08-02 00:28:10 -07:00
Treehugger Robot
2765c29bef Merge "Label /product/lib(64)/* as system_lib_file" 2019-08-02 07:01:39 +00:00
Tomasz Wasilczyk
0540154021 SEPolicy rules for CAN bus HAL
am: 602b30302a

Change-Id: I5ae916b8f4c3d6038c48a522df1efc2ce8fc3d39
2019-08-01 19:34:47 -07:00
Jon Spivack
839e3db7c7 Allow servicemanager to start processes
Used to lazily start AIDL services.

Bug: 138756857
Test: Manual (using mediaextractor as a test service)
Change-Id: Ia1f2c10072e42d8917985c38500be0955f98b8eb
2019-08-02 00:23:16 +00:00
Tomasz Wasilczyk
602b30302a SEPolicy rules for CAN bus HAL
Bug: 135918744
Test: VTS (separate new change)
Change-Id: Idd3ca882e3bd36b95a5412bdfbf6fe9d6e911ba9
2019-08-01 10:24:00 -07:00
Changyeon Jo
c90bc366e6 Update sepolicy for EVS v1.x
am: 5ee628f0ce

Change-Id: I3aa2c140f2ab37a604ab70221926d15c25822bef
2019-07-30 19:57:29 -07:00
Changyeon Jo
5ee628f0ce Update sepolicy for EVS v1.x
Modify vendor file context and hal_evs_server policy to enable EVS v1.1
service.

Change-Id: I1e717b3209200300005c3fa7f91423589505a41c
Signed-off-by: Changyeon Jo <changyeon@google.com>
2019-07-30 13:22:03 -07:00
Tri Vo
3d58603623 Label /product/lib(64)/* as system_lib_file
Bug: 138545724
Test: n/a
Change-Id: Ic707229a04c2484503154110c45f4acb5ff61bd5
2019-07-29 12:39:10 -07:00
Tri Vo
5a5266e74c system_suspend: remove /sys/power/wake_lock permissions
Now that our tools are routed to system_suspend, there is no reason for
system_suspend to write to /sys/power/wake_[un]lock.

Bug: 128923994
Bug: 115946999
Test: boot blueline, no denials from system_suspend
Change-Id: I1097d30c050ce7d88677e07f4aaef07ce78dc958
2019-07-26 11:13:05 -07:00
Victor Chang
422d86ae03 Add sepolicy for com.android.i18n module
Bug: 137009149
Test: device boots
Change-Id: Ib6afa4437f1a844ade9a35e5d23e816e02edba35
2019-07-26 17:34:02 +01:00
Greg Hartman
a550160b92 Allow vendor to configure lmkd properties
am: 626114424f

Change-Id: I90510b01562d9c5cb291a0e75ae0b82db839e954
2019-07-26 07:10:35 -07:00