Hasini Gunasinghe
daa1cec849
Merge "Add sepolicy for non-secure AuthGraph impl" into main
2023-11-01 16:27:51 +00:00
Treehugger Robot
cbe6fed87f
Merge "To allow drm_clear_key_aidl hal to access mediacodec" into main
2023-10-27 18:45:24 +00:00
David Drysdale
c4ab01baad
Add sepolicy for non-secure AuthGraph impl
...
Bug: 284470121
Bug: 291228560
Test: hal_implementation_test
Test: VtsAidlAuthGraphSessionTest
Change-Id: I85bf9e0656bab3c96765cc15a5a983aefb6af66d
2023-10-26 02:00:43 +00:00
Arun Johnson
dae1783848
To allow drm_clear_key_aidl hal to access mediacodec
...
Bug: 305163559
Change-Id: Iad16fd34c0b8f7071b43ae7fc19215319c8c9d82
2023-10-23 17:10:28 +00:00
Changyeon Jo
561930c06b
Update hal_evs_default policy
...
- Allow to access writable graphics properties.
- Allow to perform binder IPC.
Bug: 303581276
Test: m -j selinux_policy
Change-Id: I02c8ccd416172e5f6c17eff6573137dd4a8147c7
2023-10-12 20:31:07 +00:00
Wonsik Kim
a981983e70
C2 AIDL sepolicy update
...
Bug: 251850069
Test: presubmit
Change-Id: Ica39920472de154aa01b8e270297553aedda6782
2023-09-06 14:30:26 -07:00
Yu Shan
df5cd6fe19
Allow remoteaccess V2 and VHAL v2/v3.
...
Test: None
Bug: 297271235
Change-Id: Icc6dbb007c50db6d8adf492726365fdc34a60e78
2023-08-23 17:20:15 -07:00
Kangping Dong
fce4ea7adf
[Thread] add missing ioctl permission for ot_rcp
...
Otherwise, it throws permission denied error:
```
avc: denied { ioctl } for path="/dev/pts/0" dev="devpts" ino=3 ioctlcmd=0x5401 scontext=u:r:ot_rcp:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0
```
Test: locally tested that this can fix the denied issue
Bug: 296969044
Change-Id: Ica28214693794b969138212ddb3d19f0dcc34bcf
2023-08-22 07:46:35 +00:00
Devika Krishnadas
d4908949ef
Merge "Add label for allocator 2 service" into main
2023-07-20 18:36:23 +00:00
Devika Krishnadas
c850a596b9
Add label for allocator 2 service
...
Bug: 287353739
Change-Id: Ia78237361acac4b668d87ec94746e43945f58bbf
Signed-off-by: Devika Krishnadas <kdevika@google.com>
2023-07-19 20:20:52 +00:00
Kiyoung Kim
0c3a3fd799
Label former VNDK-SP libraries in vendor as sphal
...
When VNDK is being deprecated, former VNDK-SP libraries should be loaded
from vendor when system process uses SP-HAL, but this currently fails
because all former VNDK-SP libraries will be marked as vendor library.
This change labels former VNDK-SP libraries installed in the vendor
partition with the same labels as SP-HAL libraries so they can be loaded
from system processes.
Bug: 291673098
Test: aosp_cf boot succeeded with KEEP_VNDK=false build flag.
Change-Id: I2601ae8e7acd5bbd16fdbe6cee078dfcaa1a5aa2
2023-07-19 14:13:06 +09:00
Zhanglong Xia
b2d1fbb7b2
Add sepolicy rules for Thread Network HAL
...
Bug: b/283905423
Test: Build and run the Thread Network stack in Cuttlefish.
Change-Id: I783022c66b80274069f8f3c292d84918f41f8221
2023-06-30 10:56:38 +08:00
Jeff Pu
1e09f2ebf7
Allow hal_fingerprint_default to have pipe read access
...
Bug: 284488745
Test: atest BiometricsE2eTests:BiometricPromptAuthSuccessTest
Change-Id: Ie69193964232b1a6b97877c650182fcdcd5b2cea
2023-06-09 13:56:28 +00:00
Peiyong Lin
54229d8157
Allow graphics_config_writable_prop to be modified.
...
vendor_init needs to set graphics_config_writable_prop, moving it to
system_public_prop.
Bug: b/270994705
Test: atest CtsAngleIntegrationHostTestCases
Test: m && boot
Change-Id: I2f47c1048aad4565cb13d4289b9a018734d18c07
2023-05-04 15:56:33 +00:00
Yu Shan
9eb72464b5
Define sepolicy for ivn HAL.
...
Test: manually verify ivn HAL on gcar_emu.
Bug: 274139217
Change-Id: Ie12dccb723078d83b561c152cc4458e52c0f8090
2023-04-10 17:42:51 -07:00
Changyeon Jo
89380c19c8
Allow EVS HAL to access graphics related properties
...
EVS Display HAL needs to access graphics related properties to configure
a pipeline to render the contents of graphics buffers.
Bug: 274695271
Test: m -j selinux_policy
Change-Id: I97a8a3f35f7118325cff9a8ae69485c0f73fe17f
2023-03-23 22:26:42 +00:00
Alice Wang
5e94b1698c
[dice] Remove all the sepolicy relating the hal service dice
...
As the service is not used anywhere for now and in the near future.
Bug: 268322533
Test: m
Change-Id: I0350f5e7e0d025de8069a9116662fee5ce1d5150
2023-02-24 08:34:26 +00:00
Treehugger Robot
22d25dcae4
Merge "Map AIDL Gatekeeper to same policy as HIDL version"
2023-02-14 17:48:17 +00:00
Cody Northrop
e4e43ebad8
Allow camera HAL to read EGL vendor properties
...
Test: TreeHugger
Bug: b/267752967
Change-Id: I174420a3ef1f0059007616b4bee3091a888b1999
2023-02-09 17:55:03 +00:00
David Drysdale
c9529ff336
Map AIDL Gatekeeper to same policy as HIDL version
...
Bug: 268342724
Test: VtsHalGatekeeperTargetTest
Change-Id: Ifa90247753ae558f7bdb70cb4b4e494466cc457b
2023-02-08 18:42:17 +00:00
Alistair Delva
e7fc603518
Merge "Add missing permissions for default bluetooth hal"
2023-01-18 22:16:06 +00:00
Lorenzo Colitti
b8194ca7fb
Merge "Update SEPolicy for Tetheroffload AIDL"
2023-01-18 00:04:51 +00:00
Henri Chataing
9ff3423527
Add missing permissions for default bluetooth hal
...
Test: launch_cvd
Bug: 205758693
Change-Id: Ie55352bbe48c5eef281a293bedc5aa057f5dcdad
Merged-In: Ie55352bbe48c5eef281a293bedc5aa057f5dcdad
2023-01-12 19:02:57 +00:00
Nathalie Le Clair
98e20da831
Merge "HDMI: Refactor HDMI packages"
2023-01-10 17:05:17 +00:00
Treehugger Robot
6baccc1d8e
Merge "EARC: Add Policy for EArc Service"
2023-01-04 03:30:47 +00:00
KH Shi
8ae99b5e5f
Update SEPolicy for Tetheroffload AIDL
...
Bug: b/205762647
Test: m
Change-Id: Iaf87e8a64a4a1af20f54e3c09c31d051acf549a1
2023-01-04 11:28:47 +08:00
Venkatarama Avadhani
5a86d5f3f3
HDMI: Refactor HDMI packages
...
Organize the HDMI packages into CEC, EArc and connection under a common
hdmi package.
Bug: 261729059
Test: atest vts_treble_vintf_framework_test
atest vts_treble_vintf_vendor_test
Change-Id: Ief5bff996028775ea355b392a4028a091fb83b99
2022-12-27 18:15:26 +05:30
Venkatarama Avadhani
0f0861af8f
EARC: Add Policy for EArc Service
...
Test: atest vts_treble_vintf_framework_test
atest vts_treble_vintf_vendor_test
Bug: 240388105
Change-Id: I561f647a68553fa0134f2e1bd65b0f18dd1785f1
2022-12-27 18:11:36 +05:30
Devin Moore
e632fc098a
Allow biometrics hals to talk to the new AIDL sensorservice
...
This is being used in libsensorndkbridge now, so permissions are
required.
Test: atest CtsCameraTestCases && adb logcat | grep avc
Bug: 205764765
Change-Id: Id416cc2f92ba82d4068376a5f4d076137aab086a
2022-12-19 19:51:55 +00:00
Devin Moore
a2765f212f
Allow audio HAL to talk to the new AIDL sensorservice
...
This is being used in libsensorndkbridge now, so permissions are
required.
Test: m
Bug: 205764765
Change-Id: I6b0871bbcdff920d1d9dc9b66ec1236405f90fd8
2022-12-19 19:50:57 +00:00
Devin Moore
2a724dd853
Allow camera to talk to the new AIDL sensorservice
...
This is being used in libsensorndkbridge now, so permissions are
required.
Test: atest CtsCameraTestCases && adb logcat | grep avc
Bug: 205764765
Change-Id: I7a1569b8b4e2a21961f3950fa3947b5e20fc674b
2022-12-19 19:50:31 +00:00
Yu Shan
aa3f997dcc
Merge "Allow wider remote access names."
2022-12-15 01:51:46 +00:00
Mohi Montazer
3bbdd15ece
Merge "SEPolicy updates for camera HAL"
2022-12-13 20:37:59 +00:00
Mohi Montazer
ad059403ad
SEPolicy updates for camera HAL
...
Updates SEPolicy files to give camera HAL permission to access
Android Core Experiment flags.
Example denials:
```
11-30 13:08:33.172 1027 1027 W binder:1027_3: type=1400 audit(0.0:7): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=152 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0
11-30 13:08:33.172 1027 1027 W binder:1027_3: type=1400 audit(0.0:8): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=152 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0
11-30 13:08:33.244 1027 1027 W 3AThreadPool: type=1400 audit(0.0:9): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=152 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0
```
Bug: 259433722
Test: m
Change-Id: I11165b56d7b7e38130698cf86d9739f878580a14
2022-12-13 09:52:04 -08:00
Chris Weir
800a2c9f66
Merge "Add permissions to allow iface up/down"
2022-12-13 00:18:00 +00:00
Chris Weir
1bcbc0b667
Add permissions to allow iface up/down
...
I need SIOCGIFFLAGS and SIOCSIFFLAGS in order to bring up/down
interfaces with AIDL CAN HAL.
Bug: 260592449
Test: CAN HAL can bring up interfaces
Change-Id: I67edaa857cffdf3c3fc9f3b17aad5879e09c6385
2022-12-12 14:30:15 -08:00
Chris Weir
caf905ff3c
Merge "SEPolicy for AIDL CAN HAL"
2022-12-09 22:09:12 +00:00
Chris Weir
eee59458c2
SEPolicy for AIDL CAN HAL
...
CAN HAL moving to AIDL, SEPolicy will need to be adjusted.
Bug: 170405615
Test: AIDL CAN HAL VTS
Change-Id: I0d238d38aebb5895ae27fcb52cf43cd481327421
2022-12-09 11:00:10 -08:00
Gabriel Biren
52b5ff67b9
Update file_contexts for WiFi Vendor HAL
...
AIDL service.
Bug: 205044134
Test: Manual test - check that AIDL service
starts successfully on Cuttlefish
Change-Id: If6dbb20ca982b998485257e212aa4aa82749d23d
2022-12-05 23:53:30 +00:00
Yu Shan
96c3b41113
Allow wider remote access names.
...
Test: local test @v1-tcu-test-service.
Bug: 254547153
Change-Id: I82ed9e9e439913602e26042e357b5fa33338ef97
2022-11-30 17:07:49 -08:00
Steven Moreland
c3802445d0
Merge "sepolicy for SE HAL"
2022-11-29 22:30:40 +00:00
Treehugger Robot
299ee9fb24
Merge "Add IAllocator-V2"
2022-11-15 23:13:42 +00:00
Steven Moreland
4c6586817a
sepolicy for SE HAL
...
Bug: 205762050
Test: N/A
Change-Id: I76cd5ebc4d0e456a3e4f1aa22f5a932fb21f6a23
2022-11-15 22:41:09 +00:00
Sandeep Dhavale
d64fb55474
Merge "Fastboot AIDL Sepolicy changes"
2022-11-10 18:29:00 +00:00
Sandeep Dhavale
f0ea953e60
Fastboot AIDL Sepolicy changes
...
Bug: 205760652
Test: Build & flash
Change-Id: I2709c5cc2ca859481aac6fecbc99fe30a52a668b
Signed-off-by: Sandeep Dhavale <dhavale@google.com>
2022-11-09 22:21:27 +00:00
Lakshman Annadorai
4d277b7baa
Revert "Add sepolicies for CPU HAL."
...
This reverts commit f4ab6c9f3c.
Reason for revert: CPU HAL is no longer required because the CPU frequency sysfs files are stable Linux Kernel interfaces and could be read directly from the framework.
Change-Id: I8e992a72e59832801fc0d8087e51efb379d0398f
2022-11-09 16:47:07 +00:00
Lakshman Annadorai
f4ab6c9f3c
Add sepolicies for CPU HAL.
...
Change-Id: Ia091bf8f597a25351b5ee33b2c2afc982f175d51
Test: Ran `m; emulator; adb logcat -b all -d > logcat.txt;`
and verified CPU HAL is running without any sepolicy violation.
Bug: 252883241
2022-11-04 18:13:00 +00:00
John Reck
5e20f62f8e
Add IAllocator-V2
...
Test: build & boot
Change-Id: I970585e4ba593f7d72d5ff14423920b38c9d57af
2022-11-01 15:19:03 -04:00
Treehugger Robot
e6a43ec4c9
Merge "Add selinux rules for android.hardware.usb.gadget.IUsbGadget AIDL migration"
2022-10-27 14:03:48 +00:00
Ricky Niu
fc1463c164
Add selinux rules for android.hardware.usb.gadget.IUsbGadget AIDL migration
...
Covers the rules needed for the default AIDL implementation.
```
10-26 10:22:42.408 448 448 I auditd : type=1400 audit(0.0:95): avc: denied { read } for comm="android.hardwar" name="interrupts" dev="proc" ino=4026531995 scontext=u:r:hal_usb_gadget_default:s0 tcontext=u:object_r:proc_interrupts:s0 tclass=file permissive=0
```
Bug: 218791946
Test: reboot and check if AIDL service is running.
Signed-off-by: Ricky Niu <rickyniu@google.com>
Change-Id: I8bdab3a682398f3c7e825a8894f45af2a9b6c199
2022-10-27 15:42:56 +08:00