tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
29698 commits 1 branch 0 tags 50 MiB
Commit graph

29698 commits

This branch
This branch
All branches
Author SHA1 Message Date
Treehugger Robot
d8c269b321 Merge "Allow cameraserver to access permission checker" am: 0e1f6a5ddf 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1734253

Change-Id: I89ae9ab6e067e6997e88858dd26f990b5045c371
 2021-06-14 06:00:37 +00:00
Treehugger Robot
0e1f6a5ddf Merge "Allow cameraserver to access permission checker" 2021-06-14 05:47:01 +00:00
Nikita Ioffe
78e5b7a6b3 Merge "Give adbd and shell read access to /apex/apex-info-list.xml" am: 8f6d68c504 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1734153

Change-Id: Iac2b56b709ace48f381987c56d7783a1e9debc48
 2021-06-13 22:06:41 +00:00
Nikita Ioffe
8f6d68c504 Merge "Give adbd and shell read access to /apex/apex-info-list.xml" 2021-06-13 21:41:45 +00:00
Songchun Fan
87b1f6ad2b [sepolicy] allow installd to query apps installed on Incremental File System am: f1a60ca2fe 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1734272

Change-Id: I10d5f61ba54877b462c9261653dc2a7f0c49741b
 2021-06-12 10:16:34 +00:00
Svet Ganov
da0c8923f7 Allow cameraserver to access permission checker 
Test: No SELinux errors and can access

Change-Id: Id7884e0fde4afc235b097be640ffde45fd067f33
 2021-06-12 02:56:00 +00:00
Songchun Fan
f1a60ca2fe [sepolicy] allow installd to query apps installed on Incremental File System 
Addresses denial messages like:
06-10 19:36:56.269  1214  1214 I Binder:1214_5: type=1400 audit(0.0:58): avc: denied { use } for path="/data/incremental/MT_data_app_vmdl199/backing_store/st_2_1/com.unity.megacity-HlbmeQJjThgePchBlByuoQ==" dev="dm-5" ino=10445 scontext=u:r:installd:s0 tcontext=u:r:vold:s0 tclass=fd permissive=1
06-10 19:36:56.516  1214  1214 I Binder:1214_6: type=1400 audit(0.0:59): avc: denied { use } for path="/data/incremental/MT_data_app_vmdl199/backing_store/st_2_1/com.unity.megacity-HlbmeQJjThgePchBlByuoQ==" dev="dm-5" ino=10445 scontext=u:r:installd:s0 tcontext=u:r:vold:s0 tclass=fd permissive=1

BUG: 190699430
Test: manual
Change-Id: Iee4bdb382b6af5bc8cd63fde2c0db5f0b9b4f02b
 2021-06-10 13:16:28 -07:00
Nikita Ioffe
681ad260b4 Give adbd and shell read access to /apex/apex-info-list.xml 
/apex/apex-info-list.xml is used by ART mainline module, hence it needs
to have CTS test for it. Giving adbd and shell read-only permission
allows us to write host-driven CTS test that pull
/apex/apex-info-list.xml from the device and inspects it's content.

Similar (albeit not exactly the same information) is already available
via PackageManager APIs/PackageManager shell command.

Bug: 190185664
Test: m
Test: adb shell cat /apex/apex-info-list.xml
Change-Id: Ib7f2ca79a7493f8cd40d0c419569e85135f6bbda
 2021-06-10 19:57:17 +01:00
Treehugger Robot
56b9d1fd7b Merge "Allow system_server to read /proc/vmstat" am: 03b80a12e4 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1729391

Change-Id: Ib62addb6c8bfebbc2804295996c098d10274a3da
 2021-06-10 11:22:29 +00:00
Treehugger Robot
03b80a12e4 Merge "Allow system_server to read /proc/vmstat" 2021-06-10 11:10:30 +00:00
Andrew Walbran
fe40a14cbd Merge "Allow init to clear VirtualizationService data directory." am: 60f40c02a0 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1724711

Change-Id: Id98b8f9848b699ea75c3f4410cc2cf4499eae497
 2021-06-10 09:01:49 +00:00
Andrew Walbran
60f40c02a0 Merge "Allow init to clear VirtualizationService data directory." 2021-06-10 08:48:57 +00:00
Yi Kong
0b34dcbea6 Allow system server to read profcollectd data files am: 953aa5643f 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1730160

Change-Id: I0601b1fe36d9572057edb669506c2ea593ef03ab
 2021-06-09 16:38:41 +00:00
Yi Kong
953aa5643f Allow system server to read profcollectd data files 
This allows the system server to read the reports for uploading.

also cleaned up the out of order qemu_hw_prop entry.

Test: manual
Bug: 178561556
Bug: 183487233
Change-Id: I9e5aef9cbcf50fd085dd72900e3ab00a1b6c20a7
 2021-06-09 13:01:50 +00:00
Treehugger Robot
132707a3c2 Merge "Add sys.usb.mtp.batchcancel to usb_config_prop" am: c73a91f49d 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1728031

Change-Id: Ib02c72e90bd0d3691e8deaf9db7eb1489c408799
 2021-06-09 02:14:14 +00:00
Treehugger Robot
c73a91f49d Merge "Add sys.usb.mtp.batchcancel to usb_config_prop" 2021-06-09 01:52:39 +00:00
Yifan Hong
34f017a2d0 Merge "Allow binder services to r/w su:tcp_socket" am: a66a5df13d 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1729830

Change-Id: If3c55331bc2faaf65871b6e28752d8ae8949129d
 2021-06-08 22:30:46 +00:00
Yifan Hong
a66a5df13d Merge "Allow binder services to r/w su:tcp_socket" 2021-06-08 22:13:23 +00:00
Yifan Hong
be04b091bb Allow binder services to r/w su:tcp_socket 
Test: binderHostDeviceTest
Bug: 182914638
Change-Id: I1c8d3b2194bc20bd2bcde566190aa5c73d7e7db9
 2021-06-08 10:39:02 -07:00
David Anderson
2291ad9dcd Merge "Fix fastbootd denials when using /proc/bootconfig." am: b0efbee6ed 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1729182

Change-Id: I524e06fb79b0056497a59257210e337ceed60170
 2021-06-08 17:03:40 +00:00
David Anderson
b0efbee6ed Merge "Fix fastbootd denials when using /proc/bootconfig." 2021-06-08 16:47:41 +00:00
Ioannis Ilkos
351326b578 Allow system_server to read /proc/vmstat 
/proc/vmstat oom_kill counts the number of times __oom_kill_process
was actioned
(https://lore.kernel.org/lkml/149570810989.203600.9492483715840752937.stgit@buzz/)

We want to record this in the context of system_server for tracking
purposes.

Bug: 154233512
Change-Id: I27bcbcd5d839e59a1dca0e87e2f4ae107201654c
Test: build, verify vmstat can be read
 2021-06-08 14:24:26 +00:00
Wei Wang
f362d255a2 Merge "Rename surfaceflinger uclamp.min property" am: 0e139d0a3a 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1729184

Change-Id: I03e8409d231961768a60a273a4cac7010412a371
 2021-06-08 06:15:32 +00:00
Wei Wang
0e139d0a3a Merge "Rename surfaceflinger uclamp.min property" 2021-06-08 05:54:57 +00:00
Inseob Kim
3ed8e90369 Call SkipInstall before InstallFile am: 31db274078 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1730150

Change-Id: I109b5cae8bfac408d73b4834ff95e14019183d10
 2021-06-08 04:33:45 +00:00
Ray Chi
07bb5d076a Add sys.usb.mtp.batchcancel to usb_config_prop 
Add sys.usb.mtp.batchcancel to usb_config_prop to allow
mediaprovider to read this property.

Bug: 181729410
Test: boot the device, and confirm the property could be read
Change-Id: I44b2d9c36bfa439cdbf8b8a874ead424381e3e50
 2021-06-08 02:32:20 +00:00
Wei Wang
4d9438808e Rename surfaceflinger uclamp.min property 
Bug: 190137562
Test: boot and check uclamp.min of SF
Signed-off-by: Wei Wang <wvw@google.com>
Change-Id: I058c72012a28cebe09f001688a35fb4c6839e6cc
 2021-06-07 18:52:50 -07:00
David Anderson
08a08ab21f Fix fastbootd denials when using /proc/bootconfig. 
Bug: 189493387
Test: fastboot flashall on device using bootconfig
Change-Id: Ibfb7c8a2861f61803a449a4b0ec9ed92ded5c4de
 2021-06-07 18:40:24 -07:00
Inseob Kim
31db274078 Call SkipInstall before InstallFile 
InstallFile skips install only if SkipInstall is called before
InstallFile.

Bug: 190442286
Test: build/soong/scripts/build-ndk-prebuilts.sh
Change-Id: Ic497e34816ea5ac23be45e34c242b59bf1a01e28
 2021-06-08 10:31:09 +09:00
Inseob Kim
bf48ef246a Merge "Remove microdroid specific rules and files" am: af2697a452 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1728032

Change-Id: Ibd151eca327f00cc04f85c655631301d7cbe00e2
 2021-06-08 01:04:31 +00:00
Tej Singh
8bd5ea7e60 Merge "Make *-apex-info-list.xml readable by shell" am: 6550adcaed 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1729178

Change-Id: I5a04e0a0fa7230f77bfcfc1399fc0528ccfc9210
 2021-06-08 01:03:49 +00:00
Inseob Kim
af2697a452 Merge "Remove microdroid specific rules and files" 2021-06-08 00:53:26 +00:00
Tej Singh
6550adcaed Merge "Make *-apex-info-list.xml readable by shell" 2021-06-08 00:47:33 +00:00
Tej Singh
75385efd27 Make *-apex-info-list.xml readable by shell 
Enables CTS testing of the bootstrap apexes.

Bug: 186767843
Test: adb shell cat bootstrap-apex-info-list.xml works without root
Change-Id: Icf56d32d296f5a42160dbd9ea90a89c8b4db6aa7
 2021-06-07 21:39:34 +00:00
Treehugger Robot
b6f2c42245 Merge "Add a new SF property for setting uclamp.min" am: 6a94b64583 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1729630

Change-Id: I961a5dc9085f2324f961659b8b453b31452dc7bd
 2021-06-07 21:15:31 +00:00
Treehugger Robot
6a94b64583 Merge "Add a new SF property for setting uclamp.min" 2021-06-07 20:55:10 +00:00
Nikita Ioffe
14215d4b74 Allow apexd to write to /apex/apex-info-list.xml am: 5b4e13f73f 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1729392

Change-Id: I930d1d27d983d6dbca4089148a3d023905f446e5
 2021-06-07 19:08:30 +00:00
Wei Wang
7dc88f080b Add a new SF property for setting uclamp.min 
Bug: 190137562
Test: boot and check uclamp.min of SF
Signed-off-by: Wei Wang <wvw@google.com>
Change-Id: I2acca834f6257f5e718413b831b78c487520b0cd
 2021-06-07 11:51:56 -07:00
Nikita Ioffe
5b4e13f73f Allow apexd to write to /apex/apex-info-list.xml 
After non-staged install apexd needs to be update apex-info-list.xml.

Test: m
Bug: 187864524
Bug: 188713178
Change-Id: I78e182c70b5c34b8a763ed41ddd8130fa3e787a6
Merged-In: I78e182c70b5c34b8a763ed41ddd8130fa3e787a6
(cherry picked from commit 894657bea3)
 2021-06-07 18:05:16 +01:00
Treehugger Robot
0302d30cb2 Merge "Revert "priv_app: use per-app selinux contexts"" am: c9b4286e05 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1729111

Change-Id: I785693defc9ef5c11531f221f7e468746ddfeba3
 2021-06-07 15:30:19 +00:00
Treehugger Robot
c9b4286e05 Merge "Revert "priv_app: use per-app selinux contexts"" 2021-06-07 15:09:32 +00:00
Jeff Vander Stoep
538e0d6d0e Revert "priv_app: use per-app selinux contexts" 
There's some fragility in how selinux contexts are assigned
to apps with sharedUserId. As a result, some apps which share
a UID can end up in separate selinux domains. This causes bugs
when part of the app has the levelFrom=all categories set, and
other parts only have levelFrom=user resulting in an mls category
mismatch. Until this is fixed, revert back to using levelFrom=user
for priv_app.

This reverts commit 4e7769e040.
Bug: 188141923
Test: com.google.android.gts.devicepolicy.DeviceOwnerTest#testPendingSystemUpdate

Change-Id: Ic4256f9056f2c218ca94628d0707eb893f83fa5a
 2021-06-07 14:28:34 +02:00
Inseob Kim
5d269aaa55 Remove microdroid specific rules and files 
These are moved to packages/modules/Virtualization.

Bug: 189165759
Test: boot device and microdroid
Test: atest MicrodroidHostTestCases
Change-Id: I050add7fef56ced4787117f338e7b5d1fda1c193
 2021-06-07 19:22:18 +09:00
Calin Juravle
7cf5f0c41e Allow system_server_startup to read ART config am: cf6a7e9821 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1726492

Change-Id: I170585f6ecc39103f60e62c2ef6e1f9824048505
 2021-06-03 19:50:49 +00:00
Calin Juravle
cf6a7e9821 Allow system_server_startup to read ART config 
Denial:

06-03 14:18:31.491   691   691 I auditd  : type=1400 audit(0.0:88): avc:
denied { read } for comm="system_server"
name="u:object_r:device_config_runtime_native_prop:s0" dev="tmpfs"
ino=140 scontext=u:r:system_server_startup:s0
tcontext=u:object_r:device_config_runtime_native_prop:s0 tclass=file
permissive=0

Test: DeviceBootTest.DeviceBootTest#SELinuxUncheckedDenialBootTest
Bug: 181748174
Change-Id: I5e7624e2410e6c533e7ef238a0c3cc38ff6e368a
 2021-06-03 08:17:21 -07:00
Calin Juravle
e6bf8c1409 Merge "Enable ART properties modularization" am: c4efcbdc06 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1710967

Change-Id: I40cb9f712f70a78e312e5cd8e0e9ee59088d849a
 2021-06-02 14:41:08 +00:00
Treehugger Robot
deacec1387 Merge "Allow adb to pull jar files from /vendor/framework/." am: 7188696c6d 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1724710

Change-Id: I31c08d35b0888ee5dd69d181f853c3939d0f308a
 2021-06-02 14:40:32 +00:00
Calin Juravle
c4efcbdc06 Merge "Enable ART properties modularization" 2021-06-02 14:39:36 +00:00
Treehugger Robot
7188696c6d Merge "Allow adb to pull jar files from /vendor/framework/." 2021-06-02 14:23:50 +00:00
Andrew Walbran
eb21b41c90 Allow init to clear VirtualizationService data directory. 
Bug: 184131523
Bug: 189725484
Test: mm
Change-Id: Ie4f38266e32c64b52f55da2c6d3fc9e4c1a4c572
 2021-06-02 14:05:28 +00:00