Treehugger Robot
de453119e2
Merge "Update SELinux policy for app compilation CUJ." am: 9e2f8aa7a1
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2160660
Change-Id: I76e3fa493a483a85fec07fd77f8aba15e4136b49
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-29 17:48:30 +00:00
Treehugger Robot
9e2f8aa7a1
Merge "Update SELinux policy for app compilation CUJ."
2022-07-29 17:22:44 +00:00
Jiakai Zhang
c871c1cc75
Update SELinux policy for app compilation CUJ.
- Adapt installd rules for app compilation.
- Add profman rules for checking the profile before compilation. This is new behavior compared to installd.
Bug: 229268202
Test: -
  1. adb shell pm art optimize-package -m speed-profile -f \
     com.google.android.youtube
  2. See no SELinux denial.
Change-Id: Idfe1ccdb1b27fd275fdf912bc8d005551f89d4fc
2022-07-29 14:07:52 +00:00
Sandro
eca956218e
seamendc: prefetch binary policy in memory before parsing am: 8978204264
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2163942
Change-Id: I57e48f09c3d83e9e57fbfdf85f78312abfe6d640
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-28 15:57:53 +00:00
Sandro
8978204264
seamendc: prefetch binary policy in memory before parsing
This optimization improves the runtime of seamendc by ~6-7ms.
Bug: 236691128
Test: atest seamendc-test && atest SeamendcHostTest
Change-Id: Id1e86a5f51d035fac415a0e6ae05b99b3bd774d4
2022-07-28 14:25:03 +00:00
Vlad Popa
91926a8b64
Merge "Add SELinux policy for accessing the AudioService" am: f503e3e7e2
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2167262
Change-Id: I3a23093dcb121ef347a72a25137618b52ec3af01
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-28 12:48:20 +00:00
Vlad Popa
f503e3e7e2
Merge "Add SELinux policy for accessing the AudioService"
2022-07-28 09:18:03 +00:00
sandrom
dd5b63f702
Move parts of sdk_sandbox from private to apex policy am: e6971f1330
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2111065
Change-Id: I6711e1c15bbfd191ee1a4ad890e372563b873eab
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-27 16:33:05 +00:00
sandrom
e6971f1330
Move parts of sdk_sandbox from private to apex policy
Bug: 236691128
Test: atest SeamendcHostTest
Change-Id: I3ce2845f259afb29b80e2d9b446aa94e64ef8902
2022-07-27 13:39:06 +00:00
Vlad Popa
3fc7d83663
Add SELinux policy for accessing the AudioService
This is used by the playback notification API to get a reference to the
AudioService with the help of the ServiceManager.
Change-Id: I70324cf0579fd029ee9b3a20115bdab9106d24a8
Test: avd/avd_boot_test
Bug: 235521198
2022-07-27 12:11:50 +00:00
Treehugger Robot
b3cf5e6948
Merge "Use dump_hal() macro for HAL services" am: f97d76d210
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2162565
Change-Id: Ic2256293a1379ba457df8e97df93610182d47716
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-27 08:22:13 +00:00
Treehugger Robot
f97d76d210
Merge "Use dump_hal() macro for HAL services"
2022-07-27 08:10:45 +00:00
Thiébaud Weksteen
33263a0869
Use dump_hal() macro for HAL services
Sort the list of services alphabetically.
Test: build & boot bramble
Change-Id: I3dae597ae3780d7ac97bb8aeeeaf964b375cdf5e
2022-07-27 13:13:47 +10:00
Inseob Kim
d6c252b1cb
Merge "Use embedded launcher for python binaries" am: 52ffc6fe2a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2162563
Change-Id: I5231dce4ee5dfb6cf4a236197a3a1e3da7648a01
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-27 00:34:11 +00:00
Inseob Kim
52ffc6fe2a
Merge "Use embedded launcher for python binaries"
2022-07-27 00:10:57 +00:00
Inseob Kim
4912a24447
Use embedded launcher for python binaries
Bug: 239386651
Test: m selinux_policy
Change-Id: Ic267fcfe4c38b51f8cf2469157b7cb57b84ad779
2022-07-26 22:59:04 +09:00
Treehugger Robot
503b01cf7a
Merge "Remove 'vendor_service' neverallows." am: 7e53b6a8af
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2164691
Change-Id: Iba89cd312dcfa86c30175ff9ea79d12108986eee
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-26 12:53:18 +00:00
Treehugger Robot
7e53b6a8af
Merge "Remove 'vendor_service' neverallows."
2022-07-26 12:34:31 +00:00
Steven Moreland
7d2abdfce2
Remove 'vendor_service' neverallows.
In preparation for removing 'vendor_service'.
Bug: 237115222
Test: build
Change-Id: I607eecfd3346906b9843ee028945eeb3c3586733
2022-07-25 22:20:02 +00:00
Treehugger Robot
08ebdc9892
Merge "Allow kernel to write to shell_data_file loop devices in userdebug builds." am: 5f3149434c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2161336
Change-Id: Ia9d566090914d0f8786c900d0ca22b6d4d3bd97e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-23 03:59:40 +00:00
Treehugger Robot
5f3149434c
Merge "Allow kernel to write to shell_data_file loop devices in userdebug builds."
2022-07-23 03:18:58 +00:00
David Anderson
e7cd1ef0be
Merge "Allow update_engine to inotify_add_watch dm-user device nodes." am: 23b5027d30
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2163416
Change-Id: Ifc9cfb1cec491584e3239ce1344f50c266192333
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-22 20:33:22 +00:00
David Anderson
23b5027d30
Merge "Allow update_engine to inotify_add_watch dm-user device nodes."
2022-07-22 20:15:05 +00:00
Matt Buckley
110d394660
Merge "Add ro.surface_flinger.enable_adpf_cpu_hint sysprop to sepolicy" am: ae7e3756ba
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2161459
Change-Id: I3e088f0c56907c6829f18ac9af6f61a7e42102bd
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-22 05:35:27 +00:00
Matt Buckley
ae7e3756ba
Merge "Add ro.surface_flinger.enable_adpf_cpu_hint sysprop to sepolicy"
2022-07-22 05:17:27 +00:00
Matt Buckley
1b23789dfe
Add ro.surface_flinger.enable_adpf_cpu_hint sysprop to sepolicy
Add new sysprop to control adpf cpu hints for surfaceflinger
Bug: b/195990840
Test: n/a
Change-Id: I5460e4668a2d69af194649ec076489de22caa348
2022-07-21 23:00:15 +00:00
David Anderson
b7bb3d0071
Allow update_engine to inotify_add_watch dm-user device nodes.
inotify_add_watch requires read permissions and these were only granted
to the /dev/block/dm-user directory, not the device nodes.
Denial: avc: denied { read } for pid=1918 comm="update_engine" name="product_b-user-cow" dev="tmpfs" ino=162 scontext=u:r:update_engine:s0 tcontext=u:object_r:dm_user_device:s0 tclass=chr_file permissive=0
Bug: 238572067
Test: apply OTA
Change-Id: I3fa7c9600873f4a2638fd140287511005f5aac1d
2022-07-21 12:47:46 -07:00
Thiébaud Weksteen
19710d032e
Merge "Remove key migration related changes" am: c5a3726e58
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2160358
Change-Id: I64b2b63672c8482216d9515718bd5b64de26c6dd
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-21 03:27:36 +00:00
Thiébaud Weksteen
c5a3726e58
Merge "Remove key migration related changes"
2022-07-21 01:20:53 +00:00
Katherine Lai
45ce880b05
Merge "Add bluetooth classic sysprops" am: 963596866a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2154517
Change-Id: I58363adb52d3cfa93fb86ef8ee24f95e41b55d60
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-20 20:56:52 +00:00
Katherine Lai
963596866a
Merge "Add bluetooth classic sysprops"
2022-07-20 20:38:43 +00:00
David Anderson
568fd1f0ad
Allow kernel to write to shell_data_file loop devices in userdebug builds.
Tests around Virtual A/B, DSUs, remount etc need to create loop devices
and write to them, which requires the kernel domain to have file write
access. However there are very few contexts where this is allowed, and
most are for testing. These testing locations are not consistently
available (eg, /data/nativetest does not always exist).
We already allow readonly loop devices in /data/local/tmp for testing
purposes, so this adds write support as well (userdebug/eng only).
Bug: 218976943
Test: fiemap_image_test
Change-Id: Ic83ff5ef57241215240228ecaee3d9d07ff31d8e
2022-07-20 11:43:20 -07:00
John Wu
e5010a22a6
Remove key migration related changes
Migrating keys across UIDs is no longer required
Test: m
Bug: 228999189
Change-Id: I33e85635a4fe82bf1f98a9bfcf505a1067b4ed91
2022-07-20 15:19:37 +10:00
Treehugger Robot
c181aeb9b2
Merge "seamendc: fix potential double-free" am: bfc800dfc0
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2151753
Change-Id: Iec83624fe740af3ff28c093f70792039bb4d0da5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-20 02:02:59 +00:00
Treehugger Robot
bfc800dfc0
Merge "seamendc: fix potential double-free"
2022-07-20 01:50:47 +00:00
Inseob Kim
5cd2aa4f71
Merge "Remove dependency to distutils" am: 68e178a727
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2158116
Change-Id: I00b6456c5c4974f0a5f9a9393c51437dc7422b9c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-20 01:03:11 +00:00
Inseob Kim
68e178a727
Merge "Remove dependency to distutils"
2022-07-20 00:56:59 +00:00
Treehugger Robot
05c141c35a
Merge "Lexicographically sort perms in rules output of searchpolicy.py" am: dfbf4f38b6
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2159196
Change-Id: Idd0c9121de53f9673a831957415e436cd6744027
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-20 00:54:35 +00:00
Treehugger Robot
dfbf4f38b6
Merge "Lexicographically sort perms in rules output of searchpolicy.py"
2022-07-20 00:35:26 +00:00
Treehugger Robot
22f508a58e
Merge "Don't disallow vendor app hal_service_type" am: 9617447817
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2153808
Change-Id: Ica4bf13a474751efe61c5073165390a15d394338
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-19 18:39:53 +00:00
Treehugger Robot
9617447817
Merge "Don't disallow vendor app hal_service_type"
2022-07-19 18:18:45 +00:00
George Burgess IV
3f0bbd132d
seamendc: fix potential double-free
If we don't set `buff = NULL` after it's freed by this loop, a later
iteration over the loop where e.g., `stat` fails will call
`free(buff)` again.
Bug: 206470603
Test: TreeHugger
Change-Id: Ic19195adb7398fe2f8ab682ed451f24463872562
2022-07-19 17:31:52 +00:00
Sandro
6e7e003344
Lexicographically sort perms in rules output of searchpolicy.py
Bug: 238394904
Test: atest seamendc-test && atest CtsSecurityHostTestCases
Change-Id: I841e7d5cf3616d692dcd5b749544268bcbab76c2
2022-07-19 13:56:30 +00:00
Maciej Żenczykowski
e65c35282a
allow bpfloader to create symbolic links in /sys/fs/bpf am: d5098f99a9
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2154891
Change-Id: I3d282bde16f20a11d341b43640960a9c38b54645
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-19 07:36:43 +00:00
Inseob Kim
3a9ac6f10a
Remove dependency to distutils
Because distutils is deprecated since Python 3.10.
Test: atest android.security.cts.SELinuxHostTest
Change-Id: I29d390dcfbeaa65b2c868bbc8648835c644e3d18
2022-07-19 14:27:36 +09:00
Katherine Lai
9bddb0d32f
Add bluetooth classic sysprops
Added new sysprops to configure classic link supervision timeout,
page/inquiry scan activity, and page timeout
Bug: 233119719
Tag: #floss
Tag: #feature
Test: Manual
Change-Id: I92c598f97ca37486c208c7e37ad0d194f6f0b8b2
2022-07-18 20:55:20 +00:00
Maciej Żenczykowski
d5098f99a9
allow bpfloader to create symbolic links in /sys/fs/bpf
(this is to allow /sys/fs/bpf/tethering -> net_shared/tethering
for InProcessTethering, ie. Android Go devices)
Bug: 190523685
Bug: 236925089
Test: TreeHugger, manually on aosp_cf_x86_go_phone-userdebug
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ifa52429f958b0af80f91af6bfb064c1cdf9cd070
2022-07-18 05:14:44 -07:00
Steven Moreland
0ce7b3c92a
Don't disallow vendor app hal_service_type
Currently, vendor_service is excluded from this neverallow
for the same reason. However, the current plan is to remove
vendor_service. Since some vendor HAL services are not
marked as hal_service_type, this part of the change needs
to be submitted independently in order to clean them up.
Bug: 237115222
Test: build
Change-Id: I7893184c4d1011881b721d0b851e07c17f73732b
2022-07-15 19:44:21 +00:00
Jooyung Han
507b641085
Merge "Allow (hw)servicemanager use bootstrap bionic" am: 8fe0b28bf1
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2152734
Change-Id: Ie004a6d7c7e284baf4cf20f057a91cbe649ce6e9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-15 00:34:25 +00:00
Jooyung Han
8fe0b28bf1
Merge "Allow (hw)servicemanager use bootstrap bionic"
2022-07-15 00:12:55 +00:00