Commit graph

41130 commits

Author SHA1 Message Date
Treehugger Robot
e7fc28b43f Merge "Don't run ComposHostTestCases in presubmit" am: 1b382aa8b0
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2506475

Change-Id: I67b0c4763bc1c5dd8ec2d3efbc64c41a40b1641c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-24 12:59:12 +00:00
Treehugger Robot
1b382aa8b0 Merge "Don't run ComposHostTestCases in presubmit" 2023-03-24 12:35:10 +00:00
Thiébaud Weksteen
065a7de2f9 Merge "Remove implicit access for isolated_app" am: 8ac5737d42
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2494689

Change-Id: I8bab40e1f1a034e65bc531a99cbc4db3021f6582
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-24 04:09:19 +00:00
Thiébaud Weksteen
8ac5737d42 Merge "Remove implicit access for isolated_app" 2023-03-24 03:46:00 +00:00
Andy Hung
ea5100f1ad Merge "sepolicy: Add spatial audio configuration properties" am: 2e206f8cc9
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2501016

Change-Id: I61805a44c4f3d91d7921c8d48617915f498247fa
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-24 01:16:44 +00:00
Andy Hung
2e206f8cc9 Merge "sepolicy: Add spatial audio configuration properties" 2023-03-24 00:41:02 +00:00
Alan Stokes
26dcfc5416 Don't run ComposHostTestCases in presubmit
They're flaky on cuttlefish. Move to postsubmit instead.

Bug: 264496291
Test: N/A
Change-Id: I19b0357632be5a89e096fd1d9ce8d47dd865d245
2023-03-23 15:45:24 +00:00
Satoshi Niwa
6fa337fef5 sepolicy: Add apex/com.android.tethering.inprocess-file_contexts am: 80cd0acd64
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2504898

Change-Id: I285ec1c77b57652e4ae18b12a93e90000362b21c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-23 07:27:20 +00:00
Satoshi Niwa
80cd0acd64 sepolicy: Add apex/com.android.tethering.inprocess-file_contexts
Needed when using com.android.tethering.inprocess with
flattened APEX.

Bug: 273821347
Test: trybot
Change-Id: Iae6d9547922575398c634433dc07b2e46fbffd8e
2023-03-23 12:43:48 +09:00
Thiébaud Weksteen
7ba4801b6e Remove implicit access for isolated_app
Bug: 265960698
Test: flash, boot and use Chrome; no denials related to isolated_app
Test: crash Chrome using chrome://crash; no new denials from
      isolated_app
Test: atest CtsWebkitTestCases
Change-Id: I0b9e433eb973a5e99741fc88be5e13e9704c9c9e
2023-03-23 12:59:21 +11:00
Charles Chen
3503d2ade9 Merge "Compliance test added for isolated_app_all" am: 3e86cee7c4
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2491881

Change-Id: I9278d595f044acf390aea9b3f9bc8cdf835e8239
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-22 22:40:19 +00:00
Charles Chen
3e86cee7c4 Merge "Compliance test added for isolated_app_all" 2023-03-22 21:55:49 +00:00
Charles Chen
dc184e9aed Compliance test added for isolated_app_all
Compliance test is added to analyze all members of isolated_app_all
and only allows them to have specific differences. Currently only
certain targets and classes are permitted based on the use case of such
member classes. The list could be expanded based on future requirement
of more functionality yet the change won't be huge to ensure the
properties of sandbox.

Bug: 255597123
Test: m && presubmit
Change-Id: Id579223c585759ab5f6fbd531583d002eb2b14a5
2023-03-22 20:14:11 +00:00
Devin Moore
db5b68a58e Merge "Allow dumpstate to dump /proc/bootconfig" am: 9a3f429b00
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2498305

Change-Id: I3a0a5089a45b972b34698c8fa212b37078b2bee2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-22 17:04:47 +00:00
Devin Moore
9a3f429b00 Merge "Allow dumpstate to dump /proc/bootconfig" 2023-03-22 16:11:44 +00:00
Thiébaud Weksteen
f035715cfd Merge "Remove netd entries in bug_map" am: a5f87e47b6
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2498219

Change-Id: Iceb48f2fd1ba612039e1f105b2ebf0fcf436f54d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-22 08:42:41 +00:00
Thiébaud Weksteen
a5f87e47b6 Merge "Remove netd entries in bug_map" 2023-03-22 08:04:46 +00:00
Thiébaud Weksteen
3eaa53e552 Remove netd entries in bug_map
These have been replaced with a dontaudit rule in netd.te in
commit e49acfa.

Bug: 77870037
Test: TH
Change-Id: I1fc9996141419ec3a6194f97c4c42062cbeb4754
2023-03-22 10:02:37 +11:00
Andy Hung
03c348df74 sepolicy: Add spatial audio configuration properties
Controls default enable or disable for binaural and transaural.

Test: see bug
Bug: 270980127
Merged-In: I190644e88a520cf13ee2b56066d5afd258460b9e
Change-Id: I190644e88a520cf13ee2b56066d5afd258460b9e
2023-03-21 15:08:27 -07:00
Shikha Panwar
5517c11a15 Merge "Microdroid sepolicy changes to handle crash export" am: 9d34facd25
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2422867

Change-Id: I758d1fe5523d0b8af3c0db3eb4cd35867c4722a0
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-21 18:26:25 +00:00
Shikha Panwar
9d34facd25 Merge "Microdroid sepolicy changes to handle crash export" 2023-03-21 18:14:12 +00:00
Devin Moore
99c0909aae Merge changes I4128f428,I8c796dfe am: ce04629db7
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2494537

Change-Id: I8cde9bb11b8c01f6a187e2dbc8efc3bae24f91fc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-21 16:49:07 +00:00
Devin Moore
19bc295bb1 Allow dumpstate to dump /proc/bootconfig
Test: adb shell dumpstate
Bug: 274528501
Change-Id: I0a4663a742e82d571811cb3fa9c15b8baaeeb847
2023-03-21 16:27:13 +00:00
Devin Moore
ce04629db7 Merge changes I4128f428,I8c796dfe
* changes:
  Add permissions for dumpstate to dump more hals
  Give dumpstate permissions to dump the sensor HAL
2023-03-21 16:05:54 +00:00
David Drysdale
86305146a1 Merge "Don't emit audit logs for dumpstate->keystore" am: 4199df3d48
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2495878

Change-Id: I9e11ab351b06c0330da1afd33dda6e789edfa991
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-21 12:56:47 +00:00
David Drysdale
4199df3d48 Merge "Don't emit audit logs for dumpstate->keystore" 2023-03-21 11:54:58 +00:00
David Drysdale
e1075f7c0c Don't emit audit logs for dumpstate->keystore
aosp/1696825 added the ability for dumpstate to signal Keystore on
debuggable builds, but this means that there will be an audit denial
message on non-debuggable builds.  Suppress this, in particular so that
the test mentioned below can pass on -user builds.

Bug: 269672964
Test: CtsSecurityHostTestCases:android.security.cts.SELinuxHostTest#testNoBugreportDenial
Change-Id: I68a41f6b94d615f80e4d1490ec4159436693dce2
2023-03-21 09:16:47 +00:00
Tri Vo
45734ff4a7 Merge "Remove RemoteProvisioner and remoteprovisioning services" am: 0099ba37f3
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2488295

Change-Id: I2dc33e9abbce089d7333aefcd87705ec51756160
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-17 17:49:49 +00:00
Tri Vo
0099ba37f3 Merge "Remove RemoteProvisioner and remoteprovisioning services" 2023-03-17 17:18:01 +00:00
Alan Stokes
5fed924d3c Merge "Add label for charger property" am: 533c29fe34
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2411334

Change-Id: Ie7896d816dc27422457b45a8d75a998578af0874
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-17 14:43:01 +00:00
Alan Stokes
533c29fe34 Merge "Add label for charger property" 2023-03-17 14:04:28 +00:00
Maciej Żenczykowski
f34d3cae4a Merge "clatd.te - no longer need netlink" am: 47675624b5
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2492264

Change-Id: Idf645b7f8f1fc64c0e73b6204f87f750c4cb115f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-16 23:48:55 +00:00
Maciej Żenczykowski
47675624b5 Merge "clatd.te - no longer need netlink" 2023-03-16 23:18:42 +00:00
Vikram Gaur
507df367fc Add set property permissions to RKPD application. am: 01390087b1
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2491884

Change-Id: I8f5f32b5a9ce2bb0c2d55c78ba53265a54984034
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-16 21:57:00 +00:00
Devin Moore
7c0e17f987 Add permissions for dumpstate to dump more hals
Dumpstate already has permissions to get these services to dump their
stack and they are listed in dump_utils.cpp.

Test: adb shell bugreport && check bugreport
Bug: 273937310
Change-Id: I4128f4285da2693242aa02fec1bb2928e34cfcbf
2023-03-16 21:19:37 +00:00
Devin Moore
fdaed41d46 Give dumpstate permissions to dump the sensor HAL
Test: adb shell dumpstate && check the bugreport
Bug: 273937310
Change-Id: I8c796dfe5fc1377a9eb14d62eee74f983b6442fc
2023-03-16 20:51:59 +00:00
Vikram Gaur
01390087b1 Add set property permissions to RKPD application.
Test: atest RkpdAppGoogleIntegrationTests
Change-Id: Ib1680319f7299b27aab2cc36cc917a8da35ec216
2023-03-16 18:05:10 +00:00
Maciej Żenczykowski
737ee6ee89 clatd.te - no longer need netlink
After:
  https://android-review.git.corp.google.com/c/platform/external/android-clat/+/2491075
  clatd: remove ipv6 address monitoring

clatd no longer does any netlink.

Test: TreeHugger, ping 1.1.1.1 on ipv6-only network works
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id1c87b926a75c94f3c0ede04effd73c25844fefd
2023-03-16 10:53:18 +00:00
Treehugger Robot
05d1c76bf9 Merge "Allow composd to enable fs-verity to compiled artifacts" am: 15c64f5a21
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2488601

Change-Id: I3c7bcfe68eb5c0fdaf14618ecff76201667ecad1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-15 17:47:01 +00:00
Treehugger Robot
15c64f5a21 Merge "Allow composd to enable fs-verity to compiled artifacts" 2023-03-15 17:04:04 +00:00
Victor Hsieh
a115d49cd6 Allow composd to enable fs-verity to compiled artifacts
Bug: 272587415
Test: com.android.tests.odsign.CompOsSigningHostTest
Change-Id: Icfdf72478481492a18a231e63faac0492a1e4536
2023-03-15 08:14:52 -07:00
Treehugger Robot
eb879ba0b1 Merge "Move cardisplayproxyd to system_ext" am: a5dbf64602
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2486580

Change-Id: I2ef2d356502c5f29c5ecfc873d98afe85da7b430
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-15 06:10:00 +00:00
Treehugger Robot
a5dbf64602 Merge "Move cardisplayproxyd to system_ext" 2023-03-15 05:31:20 +00:00
Nikita Ioffe
b164310273 Merge "Add selinux rules for perfetto daemones" am: 103794c43c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2468440

Change-Id: Ide807183e07b0008c7266e9b96302eb4b85dc8fd
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-14 23:01:43 +00:00
Tri Vo
4bb2d30701 Remove RemoteProvisioner and remoteprovisioning services
Bug: 273325840
Test: keystore2_test
Change-Id: I295ccdda5a3d87b568098fdf97b0ca5923e378bf
2023-03-14 15:45:35 -07:00
Xin Li
ebd51b2c49 [automerger skipped] Merge Android 13 QPR2 am: 8086fce77e -s ours
am skip reason: Merged-In Id5f052116834034a9e4fd5c3adf17d3d7ef6610a with SHA-1 a8b6900a49 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2487130

Change-Id: I87e3a8ec615e2b75a758f6b13befac950ceccd5f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-14 22:32:17 +00:00
Nikita Ioffe
103794c43c Merge "Add selinux rules for perfetto daemones" 2023-03-14 22:06:34 +00:00
Nikita Ioffe
6069e7c8f2 Add selinux rules for perfetto daemones
Note: this is a somewhat minimal set of rules required to be able to
capture traces on Microdroid. After the trace is captured I still see a
bunch of SELinux denials. We might need to add more allow rules in the
follow up changes.

Bug: 249050813
Test: boot Microdroid VM, capture traces with record_android_traces
Change-Id: I62098fb79a8db65706a5bb28c8acce7ff3821f15
2023-03-14 15:07:54 +00:00
Changyeon Jo
fc0b3da21f Move cardisplayproxyd to system_ext
Bug: 218588089
Bug: 273324345
Test: 1. m -j selinux_policy
      2. Build cf_x86_64_auto lunch target.
      3. Launch cvd in the accelerated graphics mode.
      4. Run evs_app and confirm the color bar pattern is shown on the
         display.
         > adb root && adb shell evs_app --test
      6. Do the same on sdk_car_x86_64 lunch target.
Change-Id: I1f570e7d43981ce2f5a7ae0d78ee3d5bfa8c7576
2023-03-14 14:28:28 +00:00
Xin Li
8086fce77e Merge Android 13 QPR2
Bug: 273316506
Merged-In: Id5f052116834034a9e4fd5c3adf17d3d7ef6610a
Change-Id: I8eeb4e5dc1c7257f1b4ae83b8088fb9c2b7d81c0
2023-03-13 23:11:40 -07:00