30055 commits

Author SHA1 Message Date
Nikita Ioffe
4274f98522 Add neverallow rules around who can mount/unmount /apex
Test: m
Bug: 188002184
Change-Id: I8f46896edbee7b68df6f1e3008ff4141df164e4c
2021-05-13 13:05:58 +01:00
Aaron Huang
0bcca11b72 Add app_api_service to pac_proxy_service
Add app_api_service to pac_proxy_service so that
it can be reached by Cts tests.

Bug: 181745786
Test: CtsNetTestCases:PacProxyManagetTest
Change-Id: I9bf4ff810635aa5b3cbf984b77b547aa96cdd543
2021-05-13 17:28:04 +08:00
Chris Wailes
2e44672a75 Added SELinux context for dalvik.vm.dexopt.thermal-cutoff property
Test: Boot
Bug: 165935246
Change-Id: I266623fab1053ad1e058f041ccbe39880d74b768
2021-05-12 17:23:49 -07:00
Treehugger Robot
611db2ce7c Merge "Add sepolicy for com.android.compos" am: 965cad9626
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1704385

Change-Id: I95e2d6eddbf9471d835b57b8c448522528e36a56
2021-05-12 15:33:11 +00:00
Treehugger Robot
965cad9626 Merge "Add sepolicy for com.android.compos" 2021-05-12 15:19:04 +00:00
P.Adarsh Reddy
07dd59ff14 Adding sepolicy testcase for system_ext and product.
Types defined in system_ext/public or product/public
can be referenced by vendor side so it is important
to make sure functionality is not broken across version
bumps. So we are adding the treble sepolicy test cases
for system_ext and product sepolicy.

Bug: 173571515
Change-Id: Ia45979497029f83b1ae6712d2d26ffab263a7f91
2021-05-12 18:14:26 +05:30
Yo Chiang
e7e3c30c04 Merge "Revert "se_compat_cil: Prepend generated files with a header"" am: bb8d0050d9
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1704766

Change-Id: Ib8e9454f243ceb944af9db9ec346bc1dba0408cc
2021-05-12 05:53:43 +00:00
Yo Chiang
bb8d0050d9 Merge "Revert "se_compat_cil: Prepend generated files with a header"" 2021-05-12 05:35:51 +00:00
Yo Chiang
7c3ecf1356 Revert "se_compat_cil: Prepend generated files with a header"
This reverts commit b44e506223.

Reason for revert: secilc is fixed by aosp/1701846, so the workaround is no longer needed

Bug: 183362912
Test: S GSI on R CF boot test
Change-Id: Ic73c7cea1ebe42b483049cbc29f192e738748894
2021-05-12 01:54:27 +00:00
Shawn Willden
ccb890cff2 Merge "TEMP" am: 4361ef2724
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1700226

Change-Id: Icc47685e0190310af38b87c660125f1c41a30fe7
2021-05-11 23:02:39 +00:00
Shawn Willden
4361ef2724 Merge "TEMP" 2021-05-11 22:53:43 +00:00
Max Bires
2189a1a447 TEMP
Have system server add keystore2 stacktraces for ANR reporting

Test: ANR something
Bug: 184006658
Change-Id: I75892479cb59a8ae79cb9555b731dce479175aff
2021-05-11 22:52:05 +00:00
Victor Hsieh
7b68126421 Add sepolicy for com.android.compos
This is to unblock the apex setup.

There is only a system_file in the context, but we might need more
specific ones later.

Bug: 186126404
Test: m

Change-Id: Icf713c9bb92e7f7402c0b45bd0f1b06e9cb35d2b
2021-05-11 14:07:57 -07:00
JJ Lee
8369aed9cf Add ro.audio.offload_wakelock to audio_config_prop am: dcc9b45e3b
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1699887

Change-Id: I860c25d0ac4043e2e5187081cd479d85183efb33
2021-05-11 13:50:55 +00:00
JJ Lee
dcc9b45e3b Add ro.audio.offload_wakelock to audio_config_prop
Add ro.audio.offload_wakelock to audio_config_prop to allow
AudioFlinger to read this property.

Bug: 178789331
Test: build pass, property can be successfully set and read
Signed-off-by: JJ Lee <leejj@google.com>
Change-Id: I4650e03eb0a406b7531c08001adcfebe822bd75b
2021-05-10 14:36:15 +08:00
Xin Li
93958bf847 [automerger skipped] DO NOT MERGE - Mark RQ2A.210105.001 as merged. am: 945c456807 -s ours
am skip reason: Merged-In Ifbb111dbee0429d8aaea4688c0390ee80e25cb22 with SHA-1 a96cb4d339 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1699299

Change-Id: Ie2704cfe5b6670051340f02284851934e7392fcb
2021-05-08 01:48:59 +00:00
Xin Li
945c456807 DO NOT MERGE - Mark RQ2A.210105.001 as merged.
Bug: 180401296
Merged-In: Ifbb111dbee0429d8aaea4688c0390ee80e25cb22
Change-Id: I8f6ea01c2aba66ed72afb27f3b21aa1daf83a432
2021-05-07 14:32:31 -07:00
Vova Sharaienko
0fa219044b Merge "Stats: Marked service as app_api_service" am: ad8cf2fe1b
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1698879

Change-Id: Ia25fba01be2714781c796661c45b1325c8f823dd
2021-05-07 16:29:16 +00:00
Vova Sharaienko
ad8cf2fe1b Merge "Stats: Marked service as app_api_service" 2021-05-07 16:05:57 +00:00
Inseob Kim
bbe881263a Merge "Migrate precompiled sepolicy hashes to Android.bp" am: 5f831c37f9
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1697248

Change-Id: I1bcdd8cd91f5288656dd7a22a3095fd930d2f056
2021-05-07 00:29:09 +00:00
Inseob Kim
5f831c37f9 Merge "Migrate precompiled sepolicy hashes to Android.bp" 2021-05-06 23:59:18 +00:00
David Anderson
8b039a7b43 Merge "Allow fastbootd to mount /metadata in recovery." am: deef325f8f
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1674731

Change-Id: Ie7dd9a29f2455c81b8d0fc452d670b67895f89e7
2021-05-06 23:22:59 +00:00
Vova Sharaienko
a96cb4d339 Stats: Marked service as app_api_service
Marked the fwk_stats_service service as app_api_service so that
it can be reached by apps (also means that it's stable)

Bug: 185789914
Test: Build, flash, boot & and logcat | grep "SELinux"
Change-Id: Ifbb111dbee0429d8aaea4688c0390ee80e25cb22
2021-05-06 22:03:47 +00:00
David Anderson
deef325f8f Merge "Allow fastbootd to mount /metadata in recovery." 2021-05-06 17:34:08 +00:00
Treehugger Robot
a1b84ce3c5 Merge "Add profile saver properties to selinux rules" am: 9395fb4b78
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1697662

Change-Id: I8797b7f26eb6bd2acaf7212f2db25abca1c357df
2021-05-06 16:15:19 +00:00
Treehugger Robot
9395fb4b78 Merge "Add profile saver properties to selinux rules" 2021-05-06 16:01:15 +00:00
Inseob Kim
731182a4a1 Migrate precompiled sepolicy hashes to Android.bp
Bug: 33691272
Test: build with odm and build without odm
Test: boot and see precompiled sepolicy used
Change-Id: Id84cca38f81ba3ecf7480d41a704085c7fff8b87
2021-05-06 11:44:37 +00:00
Nathalie Le Clair
f9b4893515 Merge "Add existing ro.hdmi sysprop to sepolicy" am: ce32e9bcdb
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1697046

Change-Id: I4179035032e8a166f7706a891a2a29971cf494c7
2021-05-06 06:52:02 +00:00
Nathalie Le Clair
ce32e9bcdb Merge "Add existing ro.hdmi sysprop to sepolicy" 2021-05-06 06:30:30 +00:00
Calin Juravle
4e3599e2f9 Add profile saver properties to selinux rules
Test: manual

Bug: 184714236
Bug: 185979271
Change-Id: I5135e182ba26150cd917ded72d2af72c1c5b15a1
2021-05-05 17:12:22 -07:00
David Anderson
018004d9d1 Allow fastbootd to mount /metadata in recovery.
It is important that fastbootd is able to mount /metadata in recovery, in
order to check whether Virtual A/B snapshots are present. This is
enabled on userdebug builds, but currently fails on user builds.

Fixes:

        audit: type=1400 audit(7258310.023:24): avc:  denied  { mount } for pid=511 comm="fastbootd" name="/" dev="sda15" ino=2 scontext=u:r:fastbootd:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0

Bug: 181097763
Test: fastboot flash on user build
Change-Id: I1abeeaa3109e08755a1ba44623a46b12d9bfdedc
2021-05-05 16:37:56 -07:00
Hridya Valsaraju
c62ed986ed Merge "Allow multiple heaps to use the system-secure vendor heap category" am: b99176333a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1690064

Change-Id: I7a28be44805de9924d45ffc04b89076f60847597
2021-05-05 20:30:37 +00:00
Hridya Valsaraju
b99176333a Merge "Allow multiple heaps to use the system-secure vendor heap category" 2021-05-05 20:10:50 +00:00
Hridya Valsaraju
09665a69c3 Merge changes If26ba23d,Ibea38822 am: f35c70b0dd
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1696318

Change-Id: I346a95817e986e43498d92ce93bc12ec73c09fb2
2021-05-05 18:03:03 +00:00
Hridya Valsaraju
f35c70b0dd Merge changes If26ba23d,Ibea38822
* changes:
  Revert "Revert "Exclude vendor_modprobe from debugfs neverallow restrictions""
  Revert "Revert "Add neverallows for debugfs access""
2021-05-05 17:31:35 +00:00
Eric Biggers
37aa32c945 Merge "Allow dumpstate to signal keystore to dump its stack" am: 740f9b72fa
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1696825

Change-Id: I3391485b9cb9682f44996972075c03795392b42b
2021-05-05 16:40:23 +00:00
Eric Biggers
740f9b72fa Merge "Allow dumpstate to signal keystore to dump its stack" 2021-05-05 16:16:15 +00:00
Songchun Fan
5ba48ae269 [sepolicy] allow system server to read incfs metrics from sysfs am: 633f7ca868
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1696320

Change-Id: I618b434f52fbfcbda3a1707d7aebfd71c9f22f82
2021-05-05 15:19:51 +00:00
Nathalie Le Clair
f696109b23 Add existing ro.hdmi sysprop to sepolicy
Bug: 186998799
Test: make
Change-Id: If99e3c029b992cea5b4af1b4f062d3b19e601df9
2021-05-05 09:06:09 +02:00
Songchun Fan
633f7ca868 [sepolicy] allow system server to read incfs metrics from sysfs
Address denial messages like:

05-05 05:02:21.480  1597  1597 W Binder:1597_12: type=1400 audit(0.0:140): avc: denied { read } for name="reads_delayed_min" dev="sysfs" ino=107358 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0

BUG: 184844615
Test: atest android.cts.statsdatom.incremental.AppErrorAtomTests#testAppCrashOnIncremental
Change-Id: I201e27e48a08f99f41a030e06c6f22518294e056
2021-05-04 22:56:41 -07:00
Hridya Valsaraju
498318cc65 Revert "Revert "Exclude vendor_modprobe from debugfs neverallow restrictions""
This reverts commit 231c04b2b9.

Now that b/186727553 is fixed, it should be safe to revert this revert.

Test: build
Bug: 184381659
Change-Id: If26ba23df19e9854a121bbcf10a027c738006515
2021-05-04 22:07:08 -07:00
Hridya Valsaraju
23f9f51fcd Revert "Revert "Add neverallows for debugfs access""
This reverts commit e95e0ec0a5.

Now that b/186727553 is fixed, it should be safe to revert this revert.

Test: build
Bug: 184381659
Change-Id: Ibea3882296db880f5cafe4f9efa36d79a183c8a1
2021-05-04 22:06:46 -07:00
Eric Biggers
f9519a6d3f Allow dumpstate to signal keystore to dump its stack
This is needed to debug hangs in keystore2.

Restricted to debuggable builds for now.

Bug: 186879912
Test: 'adb bugreport', then find the stack traces for keystore2 in the
      "VM TRACES JUST NOW" section of the main bugreport file.
Change-Id: I4434cab7e79cb4aae8bbb2e3a8abff02e0073c13
2021-05-04 21:09:35 -07:00
Lalit Maganti
d9a988406d Merge "sepolicy: allow traced_probes to access statsd socket" am: 6c03124c3c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1690876

Change-Id: If39869f0c15b0ccf9290ac82447afbb9c24fcd29
2021-05-04 19:20:09 +00:00
Lalit Maganti
6c03124c3c Merge "sepolicy: allow traced_probes to access statsd socket" 2021-05-04 19:04:45 +00:00
Treehugger Robot
5e0fb52f82 Merge "Revert "Revert "Add a neverallow for debugfs mounting""" am: 22c7415dbf
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1687093

Change-Id: I619758508171fcc1e4e66fc4091581367167ac6c
2021-05-04 17:12:10 +00:00
Treehugger Robot
22c7415dbf Merge "Revert "Revert "Add a neverallow for debugfs mounting""" 2021-05-04 16:58:40 +00:00
Alex Hong
1a7f964293 Label the odm_dlkm properties in "odm_dlkm/etc/build.prop" am: ec6d12f2bf
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1695585

Change-Id: I03f747d72f3cf3b313f0b78aed742dfe059a5efa
2021-05-04 09:58:49 +00:00
Alex Hong
ec6d12f2bf Label the odm_dlkm properties in "odm_dlkm/etc/build.prop"
Test: make selinux_policy
Bug: 185920634
Change-Id: I09eec15a8a2e2b2f64075f148b414bf89f8ebcd6
2021-05-04 16:06:50 +08:00
Hridya Valsaraju
8ad5c9319a Give mediatranscoding access to the DMA-BUF system heap am: 15f0f9234c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1688819

Change-Id: Ied7cc51f02d6c1cfb0cad4a6cc4ee200f6269df0
2021-05-04 06:48:09 +00:00