Commit graph

10375 commits

Author SHA1 Message Date
Jooyung Han
e164e993f6 Merge "Allow apexd to send atoms to statsd via socket" into main 2024-03-15 05:00:51 +00:00
Jooyung Han
a1927afd8a Allow apexd to send atoms to statsd via socket
apexd is going to send atoms (https://cs.android.com/android/platform/superproject/main/+/main:frameworks/proto_logging/stats/atoms/apex/apex_extension_atoms.proto) to statsd.

Bug: 281162849
Test: manual. statsd_testdrive 732 (id for an apexd atom)
Change-Id: Ic0f78ff17e868b2f3fa7e612a0884d5d4fa16eae
2024-03-15 05:00:26 +00:00
Dennis Shen
f879f74d60 Merge "allow system server to search into /metadata/aconfig dir" into main 2024-03-13 13:10:01 +00:00
Treehugger Robot
c3274647b9 Merge "Add ro.lmk.use_psi property policy" into main 2024-03-13 09:06:03 +00:00
Treehugger Robot
ced9b5c164 Merge "bpfloader - relax neverallows for map_read/write/prog_run" into main 2024-03-13 07:24:39 +00:00
Inseob Kim
c35639d615 Sync 202404 prebuilts
Unfortunately 202404 sepolicy changed a little after vendor API freeze.

Bug: 279809333
Test: build
Change-Id: Ib690abbe0cf04cd3bd55b7a82124a284782ed335
2024-03-13 13:18:05 +09:00
Maciej Żenczykowski
f83e395a4a bpfloader - relax neverallows for map_read/write/prog_run
There's no way to currently define a new domain with map_read/write
access.

That's clearly desirable for example for vendor use of xt_bpf programs.

I believe that also holds true for prog_load which is checked
at attachment, and will be needed in the future to support things
like vendor tracepoint attachment.

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I6125f3de2f8a8dde0891ddabedfafe35f521e681
2024-03-13 00:38:45 +00:00
Carlos Galo
005875d7ed Add ro.lmk.use_psi property policy
Add policy to control ro.lmk.use_psi property for lmkd.

Test: m
Bug: 328681151
Change-Id: Ie30d1c62a7f0594961667b3e2d2064be89e91506
Signed-off-by: Carlos Galo <carlosgalo@google.com>
2024-03-12 19:27:16 +00:00
Dennis Shen
662d5e68f1 allow system server to search into /metadata/aconfig dir
Bug: b/312459182
Test: m
Change-Id: I44a2113b53b23a47d30460d0e7120bbeceb3ecbf
2024-03-12 17:43:51 +00:00
Thiébaud Weksteen
8372e1fd71 Merge "Define persist.bootanim.color in platform policy" into main 2024-03-12 05:06:31 +00:00
Inseob Kim
d3afbdfffa Merge changes from topic "202404_sepolicy_mapping" into main
* changes:
  Add 202404 mapping files
  Vendor API level 202404 is now frozen
2024-03-12 00:10:16 +00:00
Jiakai Zhang
efcc8dbdd7 Merge "Add rules for snapshotctl map/unmap." into main 2024-03-11 16:55:25 +00:00
Treehugger Robot
210e8b5651 Merge "Adding on_device_intelligence selinux policy to allow system applications to retrieve this service" into main 2024-03-11 15:21:42 +00:00
sandeepbandaru
600e395339 Adding on_device_intelligence selinux policy to allow system applications to retrieve this service
Bug: 316589195
Test: flashed on device and ran service with a demo app
Change-Id: I708d715525dd1c4f3985dfcc1560383d045f1a6f
2024-03-11 11:33:18 +00:00
Jiakai Zhang
b9cf68a2f5 Add rules for snapshotctl map/unmap.
This change adds rules for system properties "sys.snapshotctl.map" and
"sys.snapshotctl.unmap", for controlling snapshotctl.

This change also adds the missing rules for snapshotctl to perform its
job. Initially, the rules for snapshotctl were added by
http://r.android.com/1126904, for running snapshotctl through init
(http://r.android.com/1123645). However, the trigger was then removed by
http://r.android.com/1239286. Since then, snapshotctl can be only run by
the root shell, in which case it is run in the "su" domain, so the rules
are not tested and therefore get stale over time. To make snapshotctl
function properly when run by init, we need to add the missing rules.

Bug: 311377497
Test: adb shell setprop sys.snapshotctl.map requested
Test: adb shell setprop sys.snapshotctl.unmap requested
Change-Id: I304be6e1825a6768f757d74b3365c4d759b9d07e
2024-03-11 11:18:50 +00:00
Inseob Kim
f038c8f1ac Add 202404 mapping files
Bug: 327954176
Test: m treble_sepolicy_tests_202404
Test: m 202404_compat_test
Test: m selinux_policy
Change-Id: I6bdcbff305c0cc998bdd809006feb02e0609784d
2024-03-11 16:38:02 +09:00
Thiébaud Weksteen
935206e8ab Define persist.bootanim.color in platform policy
These properties are defined by the platform (see BootAnimation.cpp).

Test: m
Bug: 321088135
Ignore-AOSP-First: sync policy internally first
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:88995803f60b6df725747e658734a779043d6674)
Merged-In: I429b807deda5cfd3cf7db1512b97d25769f18086
Change-Id: I429b807deda5cfd3cf7db1512b97d25769f18086
2024-03-08 01:26:49 +00:00
Xin Li
489766292a Merge "Merge Android 14 QPR2 to AOSP main" into main 2024-03-07 06:10:53 +00:00
Alice Ryhl
56f464fcc9 Merge "kcmdlinectrl: define system property for kcmdlinectrl" into main 2024-03-06 15:28:16 +00:00
Alice Ryhl
6b9aa6dc33 kcmdlinectrl: define system property for kcmdlinectrl
This defines the kcmdline_prop context for properties controlled by
kcmdlinectrl, and defines a property called kcmdline.binder for
switching between the Rust and C implementations of the Binder driver.

It is intended that additional kcmdline properties introduced in the
future would share the same kcmdline_prop context.

Test: Verified that setprop/getprop work and that the value is loaded properly at boot
Bug: 326222756
Change-Id: Iea362df98d729ee110b6058c6e5fa6b6ace03d8e
2024-03-06 12:05:24 +00:00
Treehugger Robot
157fa3fc22 Merge "Allow postinstall script to invoke pm shell commands." into main 2024-03-06 11:12:49 +00:00
Daniele Di Proietto
113f34aab8 Merge "Add perfetto persistent tracing configuration file" into main am: edfb82499e
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2967564

Change-Id: I7bf682d11afd9cd8dbb5717afc0dba0c9e25a1a7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-03-05 14:37:14 +00:00
Daniele Di Proietto
edfb82499e Merge "Add perfetto persistent tracing configuration file" into main 2024-03-05 14:25:23 +00:00
Treehugger Robot
fbd5ca646f Merge "tracefs: remove debugfs/tracing rules on release devices" into main am: a3a3559743
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2973489

Change-Id: Ib81b790347f8cbba93e08df9dee3ae5d52ea49c2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-03-05 14:15:27 +00:00
Treehugger Robot
a3a3559743 Merge "tracefs: remove debugfs/tracing rules on release devices" into main 2024-03-05 13:33:02 +00:00
Ryan Savitski
5ee2595e8b Merge "tracefs: allow using "/sys/kernel/tracing/buffer_percent" on release devices" into main am: d7a3de50a3
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2976491

Change-Id: I2ca80ec6e19eb00b753b5104995d1ed7f47e7980
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-03-05 12:05:30 +00:00
Kangping Dong
29c440880d Merge "[Thread] limit ot-daemon socket to ot-ctl" into main am: 564f1296b8
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2984172

Change-Id: I310acdc5860501c6725b91ca33165fb2778af7f7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-03-05 12:05:18 +00:00
Ryan Savitski
d7a3de50a3 Merge "tracefs: allow using "/sys/kernel/tracing/buffer_percent" on release devices" into main 2024-03-05 12:04:12 +00:00
Daniele Di Proietto
9a997590e1 Add perfetto persistent tracing configuration file
Bug: 325622427
Change-Id: Ia77a029dfddfb3108bb6fdd2d3c6d5b4d9909f7b
2024-03-05 11:30:36 +00:00
Kangping Dong
564f1296b8 Merge "[Thread] limit ot-daemon socket to ot-ctl" into main 2024-03-05 11:18:56 +00:00
Matt Buckley
ee100057e0 Merge "Allow apps to access PowerHAL for FMQ" into main am: 19cb4c541f
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2978555

Change-Id: I27a9a5a1012270c305a2727951c3561c2eb56634
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-03-04 22:55:48 +00:00
Matt Buckley
19cb4c541f Merge "Allow apps to access PowerHAL for FMQ" into main 2024-03-04 22:22:41 +00:00
Stefan Andonian
efd8723a4e Merge "Enable platform_app to use perfetto/trace_data_file permissions in debug/eng builds." into main am: 79d1388d86
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2924820

Change-Id: I984a94aa4b6267aafc49adaf5ae45c99869080a8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-03-04 21:26:12 +00:00
Stefan Andonian
79d1388d86 Merge "Enable platform_app to use perfetto/trace_data_file permissions in debug/eng builds." into main 2024-03-04 20:23:11 +00:00
Ján Sebechlebský
449b8ccd88 Merge "Allow virtual camera to use fd's from graphic composer" into main am: f8ab94fa08
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2977091

Change-Id: I4a49700af6b9798045cf026c06d3cb68913cb596
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-03-04 15:49:46 +00:00
Ján Sebechlebský
f8ab94fa08 Merge "Allow virtual camera to use fd's from graphic composer" into main 2024-03-04 15:20:49 +00:00
Jiakai Zhang
625c4a9543 Allow postinstall script to invoke pm shell commands.
Bug: 311377497
Change-Id: I46653dcbbe1d1b87b3d370bee80aae2d60998fbe
Test: manual - Install an OTA package and see the hook called.
2024-02-29 23:12:32 +00:00
Dennis Shen
1bfa2552ad Merge "aconfig_storage: setup RO partitions aconfig storage files SELinux policy" into main am: 3041c33c91
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2982791

Change-Id: I3c601bb71699e80fb052b9d5c087fe792ec87f52
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-29 19:32:49 +00:00
Dennis Shen
3041c33c91 Merge "aconfig_storage: setup RO partitions aconfig storage files SELinux policy" into main 2024-02-29 19:03:00 +00:00
Kangping Dong
90495cc79f [Thread] limit ot-daemon socket to ot-ctl
It's better to explicitly disallow access to ot-daemon from other than
ot-ctl.

Bug: 323502847
Change-Id: Ic46ad4e8f3a1d21bbfc9f4f01e6a692aafcdb815
2024-02-29 23:43:34 +08:00
Dennis Shen
f008c29e47 aconfig_storage: setup RO partitions aconfig storage files SELinux
policy

system, system_ext, product and vendor partitions have aconfig storage
files under /<partition>/etc/aconfig dir. Need to grant access to
aconfigd.

Bug: b/312459182
Test: m and tested with AVD
Change-Id: I9750c24ffa26994e4f5deadd9d772e31211a446a
2024-02-29 15:28:48 +00:00
Stefan Andonian
ff413fd7d0 Enable platform_app to use perfetto/trace_data_file permissions in
debug/eng builds.

This change is to allow SystemUI, a platform_app, to start, stop,
and share Perfetto/Winscope traces.

Bug: 305049544
Test: Verified everything works on my local device.
Change-Id: I8fc35a5a570c2199cfdd95418a6caf0c48111c46
2024-02-28 20:31:44 +00:00
Dennis Shen
154a08ef7e Merge "aconfigd: create aconfig daemon selinux policy" into main am: 067f7db593
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2976451

Change-Id: Ib86e806430e8decea25e8de9b5f314891561e521
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-28 13:21:35 +00:00
Dennis Shen
067f7db593 Merge "aconfigd: create aconfig daemon selinux policy" into main 2024-02-28 12:31:26 +00:00
Matt Buckley
52c9b3b9a9 Allow apps to access PowerHAL for FMQ
This patch allows apps to access PowerHAL FMQ memory to send ADPF
messages.

Test: n/a
Bug: 315894228
Change-Id: I2733955807c40e63b688fcb0624db8acc8f9a139
2024-02-27 16:35:55 -08:00
Florian Mayer
9ceda37b18 Merge "Allow shell and adb to read tombstones" into main am: 9d7d3c4a0e
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2974016

Change-Id: I2fdfb22d91512d081d1760952e23611a1d2e4917
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-26 22:02:00 +00:00
Florian Mayer
9d7d3c4a0e Merge "Allow shell and adb to read tombstones" into main 2024-02-26 21:12:25 +00:00
Dennis Shen
2659257c76 aconfigd: create aconfig daemon selinux policy
Bug: b/312444587
Test: m and launch avd
Change-Id: I0156a9dee05139ec84541e0dff2f95285c97cfb9
2024-02-26 19:58:48 +00:00
Jan Sebechlebsky
fd7e285504 Allow virtual camera to use fd's from graphic composer
This is causing denials in case the fence fd comes from
graphic composer.

Bug: 301023410
Test: atest CtsCameraTestCases with test virtual camera enabled
Change-Id: I14cb26c058342470aa2dc214ab47cc61aa2f3255
2024-02-26 11:55:16 +01:00
Thiébaud Weksteen
66bb617447 Merge "Grant lockdown integrity to all processes" into main am: 1fc3a6f955
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2971071

Change-Id: I21f3e67d0b697a532f65e4e21b8a193accca521a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-26 00:34:52 +00:00