tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
41353 commits 1 branch 0 tags 50 MiB
Commit graph

41353 commits

This branch
This branch
All branches
Author SHA1 Message Date
Satoshi Niwa
dcbde45b66 sepolicy: Add apex/com.android.tethering.inprocess-file_contexts am: 80cd0acd64 am: 6fa337fef5 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2504898

Change-Id: I299e97e89c38500e6804589e50c57045443e1fea
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-23 08:03:53 +00:00
Satoshi Niwa
6fa337fef5 sepolicy: Add apex/com.android.tethering.inprocess-file_contexts am: 80cd0acd64 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2504898

Change-Id: I285ec1c77b57652e4ae18b12a93e90000362b21c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-23 07:27:20 +00:00
Satoshi Niwa
80cd0acd64 sepolicy: Add apex/com.android.tethering.inprocess-file_contexts 
Needed when using com.android.tethering.inprocess with
flattened APEX.

Bug: 273821347
Test: trybot
Change-Id: Iae6d9547922575398c634433dc07b2e46fbffd8e
 2023-03-23 12:43:48 +09:00
Thiébaud Weksteen
7ba4801b6e Remove implicit access for isolated_app 
Bug: 265960698
Test: flash, boot and use Chrome; no denials related to isolated_app
Test: crash Chrome using chrome://crash; no new denials from
      isolated_app
Test: atest CtsWebkitTestCases
Change-Id: I0b9e433eb973a5e99741fc88be5e13e9704c9c9e
 2023-03-23 12:59:21 +11:00
Charles Chen
c038c59be9 Merge "Compliance test added for isolated_app_all" am: 3e86cee7c4 am: 3503d2ade9 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2491881

Change-Id: I2a83d707a87dc78cb9b761ee000db729f87b9c66
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-22 23:39:33 +00:00
Charles Chen
3503d2ade9 Merge "Compliance test added for isolated_app_all" am: 3e86cee7c4 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2491881

Change-Id: I9278d595f044acf390aea9b3f9bc8cdf835e8239
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-22 22:40:19 +00:00
Charles Chen
3e86cee7c4 Merge "Compliance test added for isolated_app_all" 2023-03-22 21:55:49 +00:00
Charles Chen
dc184e9aed Compliance test added for isolated_app_all 
Compliance test is added to analyzes all members of isolated_app_all
and only allows them to have specific differences. Currently only
certain targets and classes are permitted based on the usecase of such
member classses. The list could be expanded based on future requirement
of more functionality yet the change won't be huge to ensure the
properties of sandbox.

Bug: 255597123
Test: m && presubmit
Change-Id: Id579223c585759ab5f6fbd531583d002eb2b14a5
 2023-03-22 20:14:11 +00:00
Hector Dearman
7ca04a7e7f Allow traced_probes to subscribe to statsd atoms 
Denials:
SELinux : avc:  denied  { find } for pid=1279 uid=9999 name=stats scontext=u:r:traced_probes:s0 tcontext=u:object_r:stats_service:s0 tclass=service_manager permissive=0
traced_probes: type=1400 audit(0.0:11): avc: denied { call } for scontext=u:r:traced_probes:s0 tcontext=u:r:statsd:s0 tclass=binder permissive=1
traced_probes: type=1400 audit(0.0:12): avc: denied { transfer } for scontext=u:r:traced_probes:s0 tcontext=u:r:statsd:s0 tclass=binder permissive=1
binder:1076_7: type=1400 audit(0.0:13): avc: denied { call } for scontext=u:r:statsd:s0 tcontext=u:r:traced_probes:s0 tclass=binder permissive=1

See go/ww-atom-subscriber-api

Testing steps:
Patch ag/21985690
Run:
$ adb push test/configs/statsd.cfg /data/misc/perfetto-configs/statsd.cfg
$ adb shell perfetto --txt -c /data/misc/perfetto-configs/statsd.cfg -o /data/misc/perfetto-traces/statsd.pb
$ adb pull /data/misc/perfetto-traces/statsd.pb statsd.pb
$ out/linux_clang_debug/traceconv text statsd.pb
Check logcat for denials.

Test: See above
Bug: 268661096

Change-Id: I58045b55ca8a4aa6f00774cc2d72d7b10a232922
 2023-03-22 19:53:34 +00:00
Devin Moore
caabc471f4 Merge "Allow dumpstate to dump /proc/bootconfig" am: 9a3f429b00 am: db5b68a58e 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2498305

Change-Id: Id31e8f6410f3f41aa30bfe6ba7625fac3469c347
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-22 17:48:30 +00:00
Devin Moore
db5b68a58e Merge "Allow dumpstate to dump /proc/bootconfig" am: 9a3f429b00 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2498305

Change-Id: I3a0a5089a45b972b34698c8fa212b37078b2bee2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-22 17:04:47 +00:00
Devin Moore
9a3f429b00 Merge "Allow dumpstate to dump /proc/bootconfig" 2023-03-22 16:11:44 +00:00
Andy Hung
64a1d36e3d Merge "sepolicy: Add spatial audio configuration properties" into tm-qpr-dev am: 816d7372d3 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/22142639

Change-Id: I0f164623b16f992ca90a10c07d86781934b29775
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-22 12:55:52 +00:00
Thiébaud Weksteen
141b573253 Merge "Remove netd entries in bug_map" am: a5f87e47b6 am: f035715cfd 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2498219

Change-Id: I7ad738767924840b12866e181562e8cc8eac5126
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-22 09:17:18 +00:00
Thiébaud Weksteen
f035715cfd Merge "Remove netd entries in bug_map" am: a5f87e47b6 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2498219

Change-Id: Iceb48f2fd1ba612039e1f105b2ebf0fcf436f54d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-22 08:42:41 +00:00
Thiébaud Weksteen
a5f87e47b6 Merge "Remove netd entries in bug_map" 2023-03-22 08:04:46 +00:00
Thiébaud Weksteen
3eaa53e552 Remove netd entries in bug_map 
These have been replaced with a dontaudit rule in netd.te in
commit e49acfa.

Bug: 77870037
Test: TH
Change-Id: I1fc9996141419ec3a6194f97c4c42062cbeb4754
 2023-03-22 10:02:37 +11:00
Andy Hung
03c348df74 sepolicy: Add spatial audio configuration properties 
Controls default enable or disable for binaural and transaural.

Test: see bug
Bug: 270980127
Merged-In: I190644e88a520cf13ee2b56066d5afd258460b9e
Change-Id: I190644e88a520cf13ee2b56066d5afd258460b9e
 2023-03-21 15:08:27 -07:00
Shikha Panwar
71e6ad2e2b Merge "Microdroid sepolicy changes to handle crash export" am: 9d34facd25 am: 5517c11a15 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2422867

Change-Id: I23cdd6a88b3b7d579adbf421e6ddf8743ca37786
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-21 18:50:08 +00:00
Shikha Panwar
5517c11a15 Merge "Microdroid sepolicy changes to handle crash export" am: 9d34facd25 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2422867

Change-Id: I758d1fe5523d0b8af3c0db3eb4cd35867c4722a0
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-21 18:26:25 +00:00
Shikha Panwar
9d34facd25 Merge "Microdroid sepolicy changes to handle crash export" 2023-03-21 18:14:12 +00:00
Devin Moore
5b38a8187b Merge changes I4128f428,I8c796dfe am: ce04629db7 am: 99c0909aae 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2494537

Change-Id: Iefc2d4bdc9160c349d8a5c68c73e894d5ad25f8d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-21 18:04:03 +00:00
Andy Hung
816d7372d3 Merge "sepolicy: Add spatial audio configuration properties" into tm-qpr-dev 2023-03-21 17:53:50 +00:00
Devin Moore
99c0909aae Merge changes I4128f428,I8c796dfe am: ce04629db7 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2494537

Change-Id: I8cde9bb11b8c01f6a187e2dbc8efc3bae24f91fc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-21 16:49:07 +00:00
Devin Moore
19bc295bb1 Allow dumpstate to dump /proc/bootconfig 
Test: adb shell dumpstate
Bug: 274528501
Change-Id: I0a4663a742e82d571811cb3fa9c15b8baaeeb847
 2023-03-21 16:27:13 +00:00
Devin Moore
ce04629db7 Merge changes I4128f428,I8c796dfe 
* changes:
  Add permissions for dumpstate to dump more hals
  Give dumpstate permissions to dump the sensor HAL
 2023-03-21 16:05:54 +00:00
David Drysdale
6777609a64 Merge "Don't emit audit logs for dumpstate->keystore" am: 4199df3d48 am: 86305146a1 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2495878

Change-Id: I2d82b5b2e5c7724b728307ad26dac2df4be25861
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-21 13:33:09 +00:00
David Drysdale
86305146a1 Merge "Don't emit audit logs for dumpstate->keystore" am: 4199df3d48 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2495878

Change-Id: I9e11ab351b06c0330da1afd33dda6e789edfa991
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-21 12:56:47 +00:00
David Drysdale
4199df3d48 Merge "Don't emit audit logs for dumpstate->keystore" 2023-03-21 11:54:58 +00:00
David Drysdale
e1075f7c0c Don't emit audit logs for dumpstate->keystore 
aosp/1696825 added the ability for dumpstate to signal Keystore on
debuggable builds, but this means that there will be an audit denial
message on non-debuggable builds.  Suppress this, in particular so that
the test mentioned below can pass on -user builds.

Bug: 269672964
Test: CtsSecurityHostTestCases:android.security.cts.SELinuxHostTest#testNoBugreportDenial
Change-Id: I68a41f6b94d615f80e4d1490ec4159436693dce2
 2023-03-21 09:16:47 +00:00
Ioannis Ilkos
865d0883ac Merge changes from topic "tm-qpr-oome-perfetto" into tm-qpr-dev am: 37883b47f8 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/21986580

Change-Id: I66f23e61f789b8a18f44f6a68af9f399e9d06be0
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-20 11:02:24 +00:00
Ioannis Ilkos
59ff4cbc51 [automerger skipped] Fix incorrect domain used in system_server.te am: 900d221a1f -s ours 
am skip reason: Merged-In I78d5fa62a2e112d3bf363b8d96348a645ef4caaa with SHA-1 0e978ba9f1 is already in history

Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/21986579

Change-Id: I200e0aa430f6ef4272ba4f8a22eb5ce50da49b10
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-20 11:02:22 +00:00
Ioannis Ilkos
ad1c3e4200 Merge changes from topic "tm-qpr-syssrv-perfetto" into tm-qpr-dev am: a6494f6163 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/21986577

Change-Id: I37e9725ed27177234f34357ebacd27e1c648dfec
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-20 11:01:53 +00:00
Ryan Savitski
fce5dfad47 [automerger skipped] tm-qpr backport: allow perfetto profiling of system_server and sys/platform apps am: b2fecc3954 -s ours 
am skip reason: Merged-In I792ec1812d94b4fa9a8688ed74f2f62f6a7f33a6 with SHA-1 941ba723ba is already in history

Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/21986575

Change-Id: I60f5522549eed817778718cc34a1d09226be25b7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-20 11:01:48 +00:00
Ioannis Ilkos
37883b47f8 Merge changes from topic "tm-qpr-oome-perfetto" into tm-qpr-dev 
* changes:
  update api=33 sepolicy prebuilts for perfetto oome heap dumps
  Fix incorrect domain used in system_server.te
  Sysprop for the count of active OOME tracing sessions
 2023-03-20 10:35:12 +00:00
Ioannis Ilkos
a6494f6163 Merge changes from topic "tm-qpr-syssrv-perfetto" into tm-qpr-dev 
* changes:
  update api=33 sepolicy prebuilts for perfetto profiling of system_server and sys/platform apps
  tm-qpr backport: allow perfetto profiling of system_server and sys/platform apps
 2023-03-20 10:31:50 +00:00
Andy Hung
3b7b6c3b30 sepolicy: Add spatial audio configuration properties 
Controls default enable or disable for binaural and transaural.

Ignore-AOSP-First: will land in AOSP afterwards
Test: see bug
Bug: 270980127
Change-Id: I190644e88a520cf13ee2b56066d5afd258460b9e
 2023-03-17 14:58:36 -07:00
Tri Vo
ddc3df3035 Merge "Remove RemoteProvisioner and remoteprovisioning services" am: 0099ba37f3 am: 45734ff4a7 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2488295

Change-Id: Iffabeb7cb8cdc23b53dc6cf42743e1da44c20554
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-17 18:26:13 +00:00
Tri Vo
45734ff4a7 Merge "Remove RemoteProvisioner and remoteprovisioning services" am: 0099ba37f3 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2488295

Change-Id: I2dc33e9abbce089d7333aefcd87705ec51756160
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-17 17:49:49 +00:00
Tri Vo
0099ba37f3 Merge "Remove RemoteProvisioner and remoteprovisioning services" 2023-03-17 17:18:01 +00:00
Alan Stokes
2ff7e61834 Merge "Add label for charger property" am: 533c29fe34 am: 5fed924d3c 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2411334

Change-Id: I6ceb34cef286a430b85d14d159f98a5a7ed67700
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-17 15:19:33 +00:00
Alan Stokes
5fed924d3c Merge "Add label for charger property" am: 533c29fe34 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2411334

Change-Id: Ie7896d816dc27422457b45a8d75a998578af0874
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-17 14:43:01 +00:00
Alan Stokes
533c29fe34 Merge "Add label for charger property" 2023-03-17 14:04:28 +00:00
Nathan Huckleberry
7878f968fe Allow vold to use FS_IOC_GET_ENCRYPTION_KEY_STATUS am: 7bedb9d1a0 
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/21649283

Change-Id: I553546da822bb3880b3b325382409f63f5e47b85
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-17 00:26:48 +00:00
Maciej Żenczykowski
6ce3db1f77 Merge "clatd.te - no longer need netlink" am: 47675624b5 am: f34d3cae4a 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2492264

Change-Id: I837a42ac145d73b669d537677563e6847d3a054a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-17 00:25:36 +00:00
Maciej Żenczykowski
f34d3cae4a Merge "clatd.te - no longer need netlink" am: 47675624b5 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2492264

Change-Id: Idf645b7f8f1fc64c0e73b6204f87f750c4cb115f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-16 23:48:55 +00:00
Maciej Żenczykowski
47675624b5 Merge "clatd.te - no longer need netlink" 2023-03-16 23:18:42 +00:00
Vikram Gaur
a6c082cb8c Add set property permissions to RKPD application. am: 01390087b1 am: 507df367fc 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2491884

Change-Id: I7b856bc5724c0ebc9389c57ad8c59c1bba0f8d93
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-16 22:33:46 +00:00
Vikram Gaur
507df367fc Add set property permissions to RKPD application. am: 01390087b1 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2491884

Change-Id: I8f5f32b5a9ce2bb0c2d55c78ba53265a54984034
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2023-03-16 21:57:00 +00:00
Devin Moore
7c0e17f987 Add permissions for dumpstate to dump more hals 
Dumpstate already has permissions to get these services to dump their
stack and they are listed in dump_utils.cpp.

Test: adb shell bugreport && check bugreport
Bug: 273937310
Change-Id: I4128f4285da2693242aa02fec1bb2928e34cfcbf
 2023-03-16 21:19:37 +00:00