Treehugger Robot
d4ca559187
Merge "Mark ro.kernel properties as deprecated" am: 2678cacb3f
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1676727
Change-Id: Id788a53bd69ee0abbf170135054d773e8791ed8c
2021-04-16 08:59:45 +00:00
Treehugger Robot
2678cacb3f
Merge "Mark ro.kernel properties as deprecated"
2021-04-16 08:48:23 +00:00
Roman Kiryanov
08f51ea1c0
Mark ro.kernel properties as deprecated
...
emulator migrated to `ro.boot`
Bug: 182291166
Test: presubmit
Signed-off-by: Roman Kiryanov <rkir@google.com>
Change-Id: I9cd443801ff7120ebb628acdc811f0eb339a02c9
2021-04-15 22:46:40 -07:00
Treehugger Robot
76fc5c9fa5
Merge "Allow apexd to access a new dev_type: virtual disk" am: 1c996021a5
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1673185
Change-Id: I5cd7128b8b7caeefba9e84dfa82ab2b6e49838d3
2021-04-16 01:22:48 +00:00
Treehugger Robot
1c996021a5
Merge "Allow apexd to access a new dev_type: virtual disk"
2021-04-16 00:54:40 +00:00
Treehugger Robot
4e51d76dce
Merge "Label ro.boot.qemu" am: 6a864fd0b5
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1676731
Change-Id: I5093de78f89b95c43032c39be9e192234f38b481
2021-04-15 10:10:00 +00:00
Orion Hodson
8684e82953
Merge "Add odrefresh_data_file for odrefresh metrics" am: cb0627099e
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1671828
Change-Id: Iab1f924e011fc8d32fe3c69c608846918d7fa209
2021-04-15 10:09:30 +00:00
Treehugger Robot
6a864fd0b5
Merge "Label ro.boot.qemu"
2021-04-15 09:33:17 +00:00
Orion Hodson
cb0627099e
Merge "Add odrefresh_data_file for odrefresh metrics"
2021-04-15 08:51:01 +00:00
Roman Kiryanov
640a58d3c1
Label ro.boot.qemu
...
This is an Android Studio Emulator (aka ranchu)
specific property, it is used for emulator
specific workarounds.
Bug: 182291166
Test: presubmit
Signed-off-by: Roman Kiryanov <rkir@google.com>
Change-Id: I2b8daf7c8ddb05b4082e4229f7b606c6ad4e717e
2021-04-14 23:51:11 -07:00
Treehugger Robot
2933f3aab0
Merge "Build userdebug_plat_sepolicy.cil with Android.bp" am: 8d2bfafcf5
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1673194
Change-Id: Ie09df99a1615906faedf3af14bf3bc6777506bc8
2021-04-15 05:44:25 +00:00
Treehugger Robot
8d2bfafcf5
Merge "Build userdebug_plat_sepolicy.cil with Android.bp"
2021-04-15 05:22:35 +00:00
Yo Chiang
25596272b6
Merge "Allow shell to read default fstab" am: 1bb00f0d81
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1669728
Change-Id: Iec066b8383e6afb856f94b55b91711ff55e4f85e
2021-04-15 03:52:07 +00:00
Yo Chiang
1bb00f0d81
Merge "Allow shell to read default fstab"
2021-04-15 03:34:50 +00:00
Treehugger Robot
97994bab50
Merge "Allow mediaprovider to find the camera server." am: e40879c3b5
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1676687
Change-Id: Ic21f8e35f7389cadb000298447d135fe6bad933f
2021-04-15 03:31:20 +00:00
Treehugger Robot
b46aacdc00
Merge "Add keystore2 namespace for LocksettingsService." am: 955362bfd0
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1676685
Change-Id: I56571d00c89b52eb3a4628bfaffae06808febb0b
2021-04-15 03:30:52 +00:00
Treehugger Robot
e40879c3b5
Merge "Allow mediaprovider to find the camera server."
2021-04-15 03:13:31 +00:00
Treehugger Robot
955362bfd0
Merge "Add keystore2 namespace for LocksettingsService."
2021-04-15 02:53:43 +00:00
Krzysztof Kosiński
a04ecbfd3e
Allow mediaprovider to find the camera server.
...
Fixed SELinux denials when trying to render the camera preview
to a texture in an internal test app. See the bug for additional
information.
Bug: 183749637
Test: Ran the internal test app, doesn't crash anymore.
Change-Id: I8fb62be424cd91c46cada55bb23db1624707997d
2021-04-14 18:41:28 -07:00
Treehugger Robot
38dbf9f085
Merge "traced: move traced_tmpfs to public policy" am: f40c8b67ca
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1675826
Change-Id: I363092c5d7b68b965ba295be1a53779dcbb1c5d2
2021-04-15 00:33:40 +00:00
Treehugger Robot
f40c8b67ca
Merge "traced: move traced_tmpfs to public policy"
2021-04-14 23:40:03 +00:00
Janis Danisevskis
79d167704e
Add keystore2 namespace for LocksettingsService.
...
Bug: 184664830
Test: N/A
Change-Id: Ie04186eddaae689b968690b2bb0d3692c81ac645
2021-04-14 16:03:13 -07:00
Jeff Vander Stoep
16ebb161eb
traced: move traced_tmpfs to public policy
...
Allow the perfetto_producer macro to be used in device-specific
policy.
Bug: 185379881
Test: TH
Change-Id: I6932ff91a3ed095b5edce4076bdfd8607e925c6e
2021-04-14 22:18:41 +02:00
Michael Butler
34ae962fc6
Merge "Allow binder to send signals to hal_neuralnetworks_service" am: 19ae37f4ef
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1674541
Change-Id: Idc704b37335e60c286fced17129f74e2ab72de16
2021-04-14 20:14:28 +00:00
Michael Butler
19ae37f4ef
Merge "Allow binder to send signals to hal_neuralnetworks_service"
2021-04-14 19:35:08 +00:00
Emilian Peev
1d1e424ac6
Merge "Define vendor side property "ro.camerax.extensions.enabled"" am: 87a3f24857
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1504131
Change-Id: I692728b89c9315e7190486f89597d626e2b2c88d
2021-04-14 16:32:42 +00:00
Emilian Peev
87a3f24857
Merge "Define vendor side property "ro.camerax.extensions.enabled""
2021-04-14 16:20:16 +00:00
Treehugger Robot
13eb54a4e4
Merge "OWNERS: add inseob@google.com" am: 539440d228
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1674607
Change-Id: I8b4a98bd4336ed0be2585c18c71b60e9c176e011
2021-04-14 16:10:51 +00:00
Treehugger Robot
539440d228
Merge "OWNERS: add inseob@google.com"
2021-04-14 15:27:58 +00:00
Yo Chiang
caa0b4dceb
Merge "se_compat_cil: Prepend generated files with a header" am: 466964d401
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1673192
Change-Id: I6dcef0079e14d8ac7c979ad16c7a47dae77bb9c7
2021-04-14 08:57:19 +00:00
Yo Chiang
466964d401
Merge "se_compat_cil: Prepend generated files with a header"
2021-04-14 08:30:38 +00:00
Yi-Yo Chiang
b44e506223
se_compat_cil: Prepend generated files with a header
...
to ensure the file size is greater than 0, as secilc cannot handle
zero-sized cil files.
Fixes: 185256986
Bug: 183362912
Test: Forrest re-run broken test
Change-Id: Ief3039d38728fbeff67c6e39d6b15bddb006e5f8
2021-04-14 07:41:23 +00:00
Jeff Vander Stoep
4b5ed6453a
OWNERS: add inseob@google.com
...
For ownership of system properties and microdroid policy.
Test: n/a
Change-Id: I8b729d0c6b9445b37d94858ae803db7db5eb9ff7
2021-04-14 09:37:35 +02:00
Yo Chiang
e48dbd82ff
Merge "Remove references to BOARD_PLAT_{PUBLIC,PRIVATE}_SEPOLICY_DIR" am: 86a8275378
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1671536
Change-Id: I464910b25aa9409978bed1964126979b0bd42b6d
2021-04-14 07:33:31 +00:00
Yo Chiang
86a8275378
Merge "Remove references to BOARD_PLAT_{PUBLIC,PRIVATE}_SEPOLICY_DIR"
2021-04-14 06:55:59 +00:00
Inseob Kim
57b64bd282
Build userdebug_plat_sepolicy.cil with Android.bp
...
Bug: 33691272
Test: build and see $OUT/debug_ramdisk
Change-Id: I7994857a3dd4e54f2c2d35ff8e362ecae93ea7a2
2021-04-14 15:54:26 +09:00
Roshan Pius
4b47c80944
Merge "Uwb: Create a new Uwb system service" am: 0b8eafb54b
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1673587
Change-Id: I2f834534410b9b65e78b30f5131128f3bab04e1b
2021-04-14 01:46:18 +00:00
Roshan Pius
0b8eafb54b
Merge "Uwb: Create a new Uwb system service"
2021-04-14 00:52:10 +00:00
Emilian Peev
a974640390
Define vendor side property "ro.camerax.extensions.enabled"
...
Add "ro.camerax.extensions.enabled" vendor-specific property.
Allow public apps to read this property.
Bug: 171572972
Test: Camera CTS
Change-Id: Id5fadedff6baaaebe5306100c2a054e537aa61ed
2021-04-13 16:42:10 -07:00
Michael Butler
581fafffd3
Allow binder to send signals to hal_neuralnetworks_service
...
Bug: 170696939
Test: mma
Change-Id: Ic960f81854f5d9c913d09adcfba9782bc94c3c2b
2021-04-13 16:27:19 -07:00
Zimuzo Ezeozue
22e8e5cc88
Merge "Allow appdomain sepolicy search access to /mnt/media_rw" am: a62ecbdf51
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1669925
Change-Id: I60a9c103e228b09d634f9c4734b6ee42812e0a3e
2021-04-13 23:24:02 +00:00
Zimuzo Ezeozue
a62ecbdf51
Merge "Allow appdomain sepolicy search access to /mnt/media_rw"
2021-04-13 22:49:51 +00:00
Alistair Delva
7a157d03d2
Merge "Suppress some su capability2 related denials" am: 5bbeaa39d8
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1673589
Change-Id: I0fa5af7973399ccc3884f8f43ab64c4de29399cb
2021-04-13 21:31:01 +00:00
Alistair Delva
5bbeaa39d8
Merge "Suppress some su capability2 related denials"
2021-04-13 20:03:53 +00:00
Alistair Delva
124c77140d
Suppress some su capability2 related denials
...
The su domain is always permissive. Operations which occur in this
domain should never be logged.
Addresses the following denials:
avc: denied { bpf } for comm="bpf_module_test" capability=39
scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=capability2 permissive=1
Bug: 185230825
Test: builds
Change-Id: Id8bd355a9636fb5e9d26ef570c2cf7e4273b08b5
2021-04-13 08:24:14 -07:00
Zim
b61bcc87ed
Allow appdomain sepolicy search access to /mnt/media_rw
...
untrusted apps were already granted this policy and we now extend it
to all apps. This allows FileManager apps with the
MANAGE_EXTERNAL_STORAGE permission to access USB OTG volumes mounted
on /mnt/media_rw/<vol>.
This permission access in the framework is implemented by granting
those apps the external_storage gid. And at the same time USB volumes
will be mounted on /mnt/media_rw/<vol> with the external_storage gid.
There is no concern of interfering with FUSE on USB volumes because
they are not FUSE mounted.
For sdcards (non-USB) volumes mounted on /mnt/media_rw/<vol>, those
volumes are mounted with the media_rw gid, so even though they are
FUSE mounted on /storage/<vol>, arbitrary apps cannot access the
/mnt/media_rw path since only the FUSE daemon is granted the media_rw
gid.
Test: Manual
Bug: 182732333
Change-Id: I70a3eb1f60f32d051f44253b0db2c7b852d79ba1
2021-04-13 14:56:44 +00:00
Nikita Ioffe
03af761bfd
Merge "Allow adbd to pull apexes from /data/apex/active" am: 2bac3f308d
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1673267
Change-Id: I59d4e479964edbcf2bf28d5435913d75fd2117f9
2021-04-13 12:01:33 +00:00
Nikita Ioffe
2bac3f308d
Merge "Allow adbd to pull apexes from /data/apex/active"
2021-04-13 11:12:14 +00:00
Maciej Żenczykowski
34a8d23a61
Merge "network_stack - dontaudit getopt on key_socket" am: 755faacde2
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1671965
Change-Id: Icdbaad8fd88f4014a9d7e76a2557acbd88f09d2e
2021-04-13 09:48:07 +00:00
Yo Chiang
8c171f34f9
Merge changes I5275e9ce,I2fb9b10b am: ac94a46634
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1673186
Change-Id: Id2cecbdfa432b8cb2537fa7f1ad19a6ec60e32ef
2021-04-13 09:47:25 +00:00