Cody Northrop
b2d861307f
Merge "Add EGL blobcache multifile properties" am: 1f1705917e
am: 2008915bf8
am: 1ba4d0db97
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2402875
Change-Id: I9cf31f31fba6a8b3f85dea4a4902be5d4f6a170e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-02 22:10:50 +00:00
Sumit Bhagwani
8bf2a56e26
Non app processes shouldn't be able to peek checkin data am: 7602d0f348
am: 3241672e80
am: 72c84139b2
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2417613
Change-Id: I9cfc59650c2bab7c88757befd4a944970005af60
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-02 21:49:25 +00:00
Alex Hong
4e8fb27bfa
Merge changes from topic "fix_missing_set_denials" am: e79c506fe4
am: 41d99a9951
am: f842449fc4
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2410790
Change-Id: I7f4ff3221f5289ef2a069b533586c2be9bc60a7e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-02 21:47:43 +00:00
Alex Hong
0eecd559e3
Allow vendor_init to set properties for recovery/fastbootd USB IDs am: 1abf80e5c1
am: 255a5ae441
am: 503875252d
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2388472
Change-Id: Idbff984eb4f60d3faf773c3be0916789050a625c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-02 21:47:41 +00:00
Karthik Mahesh
4ccdb766a4
Merge "Add sepolicy for ODP system server service." am: 4fd76147c4
am: 4fc055b5cd
am: 5fe0aaca94
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2402876
Change-Id: I8af698adfffd3b336217f9ae4f9d3fa8b87f3e22
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-02 21:47:26 +00:00
Charles Chen
04506d797b
Merge "Creates mapping from isolated apps to isolated_compute_app" am: 3d629cdb5d
am: 42564316e9
am: 707c2aef33
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2406772
Change-Id: I640235a8b86ee336086da5155ee7caf821b8fd69
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-02 21:46:49 +00:00
Cody Northrop
1ba4d0db97
Merge "Add EGL blobcache multifile properties" am: 1f1705917e
am: 2008915bf8
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2402875
Change-Id: I2a68c7d279917ad9cbc8b12e63ec38014dd6c0bd
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-02 21:36:52 +00:00
Girish
1b57ad1f1f
Allow communication between mediaserver & statsd am: f9ef01a285
am: 82eb62f34d
am: bf9f60c879
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2411339
Change-Id: Icb15720334642e842c089b6a9486c1a034aa1a7a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-02 21:33:17 +00:00
Cody Northrop
2008915bf8
Merge "Add EGL blobcache multifile properties" am: 1f1705917e
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2402875
Change-Id: I73b5c4786e2cff76b395914857ed6630850ebb9e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-02 21:15:51 +00:00
Cody Northrop
1f1705917e
Merge "Add EGL blobcache multifile properties"
2023-02-02 20:55:50 +00:00
Sumit Bhagwani
72c84139b2
Non app processes shouldn't be able to peek checkin data am: 7602d0f348
am: 3241672e80
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2417613
Change-Id: I733f370b12535d13146c73c399fb2344b3800f6b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-02 20:52:55 +00:00
Alex Hong
f842449fc4
Merge changes from topic "fix_missing_set_denials" am: e79c506fe4
am: 41d99a9951
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2410790
Change-Id: Ica8787cf5dde278d5e37ea0b5bea2d25b6bf0be1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-02 20:52:21 +00:00
Alex Hong
503875252d
Allow vendor_init to set properties for recovery/fastbootd USB IDs am: 1abf80e5c1
am: 255a5ae441
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2388472
Change-Id: Ide9df79d10e439350fa909a0c343463809ac9990
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-02 20:52:16 +00:00
Karthik Mahesh
5fe0aaca94
Merge "Add sepolicy for ODP system server service." am: 4fd76147c4
am: 4fc055b5cd
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2402876
Change-Id: I541ffd2bcfd826849d92996b86946fb49d26bf9d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-02 20:51:46 +00:00
Charles Chen
707c2aef33
Merge "Creates mapping from isolated apps to isolated_compute_app" am: 3d629cdb5d
am: 42564316e9
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2406772
Change-Id: I8b41b7ccbeacca731f3cb06abd79c6b2701136bc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-02 20:51:23 +00:00
Girish
bf9f60c879
Allow communication between mediaserver & statsd am: f9ef01a285
am: 82eb62f34d
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2411339
Change-Id: Idb17a524851b00c0fa11b31e7ea26928271f089c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-02 20:50:49 +00:00
Avichal Rakesh
e2cb0f2813
Prevent non-system apps from reading ro.usb.uvc.enabled
...
ro.usb.uvc.enabled should not be readable from apps that can't or
shouldn't act on UVC support. This means all non-system apps. This CL
adds an explicit neverallow rule to prevent all appdomains (except
system_app and device_as_webcam).
Bug: 242344221
Bug: 242344229
Test: Build passes, manually confirmed that non-system apps cannot
access the property
Change-Id: I1a40c3c3cb10cebfc9ddb791a06f26fcc9342ed9
2023-02-02 12:26:33 -08:00
Avichal Rakesh
e0929241a1
Add selinux permissions for DeviceAsWebcam Service
...
DeviceAsWebcam is a new service that turns an android device into a
webcam. It requires access to all services that a
regular app needs access to, and it requires read/write permission to
/dev/video* nodes which is how the linux kernel mounts the UVC gadget.
Bug: 242344221
Bug: 242344229
Test: Manually tested that the service can access all the nodes it
needs, and no selinux exceptions are reported for the service
when running.
Change-Id: I45c5df105f5b0c31dd6a733f50eb764479d18e9f
2023-02-02 12:26:33 -08:00
Sumit Bhagwani
3241672e80
Non app processes shouldn't be able to peek checkin data am: 7602d0f348
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2417613
Change-Id: Iab7cebd106f5b6b7217ad81449705ed6f92e89c7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-02 20:12:29 +00:00
Sumit Bhagwani
7602d0f348
Non app processes shouldn't be able to peek checkin data
...
Change-Id: I1df0ce47ae9d08f66689f82e21656cbdd70d7f25
Test: Manually built the change and flashed the device.
Bug: 197636740
2023-02-02 17:51:51 +00:00
Alex Hong
41d99a9951
Merge changes from topic "fix_missing_set_denials" am: e79c506fe4
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2410790
Change-Id: I24358b23b958974800af032577f7b6758e0f05c8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-02 14:23:14 +00:00
Alex Hong
255a5ae441
Allow vendor_init to set properties for recovery/fastbootd USB IDs am: 1abf80e5c1
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2388472
Change-Id: I01ea3a4ebb6d5111941e61f8a7e41bbff2d83a3c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-02 14:23:10 +00:00
Alex Hong
e79c506fe4
Merge changes from topic "fix_missing_set_denials"
...
* changes:
Add build properties for attestation feature
Allow vendor_init to set properties for recovery/fastbootd USB IDs
2023-02-02 14:04:36 +00:00
Alan Stokes
8b40e907f4
Allow dex2oat access to relevant properties
...
I noticed a bunch of denials in the logs like this:
avc: denied { read } for pid=187 comm="dex2oat64"
name="u:object_r:device_config_runtime_native_boot_prop:s0"
dev="tmpfs" ino=76 scontext=u:r:dex2oat:s0
tcontext=u:object_r:device_config_runtime_native_boot_prop:s0
tclass=file permissive=0
But we actually want to be able to access these properties.
Bug: 264496291
Test: atest android.compos.test.ComposTestCase#testOdrefreshSpeed
Change-Id: I6ce8ee74a1024a9ddd6ef91e73111d68da878899
2023-02-02 11:46:12 +00:00
Alex Hong
4c23abb282
Add build properties for attestation feature
...
The properties for attestation are configured in build.prop files and
used by frameworks Build.java.
Allow vendor_init to set these properties and allow Zygote to access
them.
Bug: 211547922
Test: SELinuxUncheckedDenialBootTest
Change-Id: I5666524a9708c6fefe113ad4109b8a344405ad57
2023-02-02 18:52:35 +08:00
Karthik Mahesh
4fc055b5cd
Merge "Add sepolicy for ODP system server service." am: 4fd76147c4
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2402876
Change-Id: I0aea8a5cc639ad2bd70b59148dfc2c463827497a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-02 10:39:26 +00:00
Charles Chen
42564316e9
Merge "Creates mapping from isolated apps to isolated_compute_app" am: 3d629cdb5d
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2406772
Change-Id: I81a41abc9d44515edda23215935338d0d3d49599
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-02 10:39:13 +00:00
Girish
82eb62f34d
Allow communication between mediaserver & statsd am: f9ef01a285
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2411339
Change-Id: I412e1f68e38c7b4b5f2133ce5164128d72944bb5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-02 10:38:38 +00:00
Karthik Mahesh
4fd76147c4
Merge "Add sepolicy for ODP system server service."
2023-02-02 08:21:46 +00:00
Karthik Mahesh
52e5914ca4
Add sepolicy for ODP system server service.
...
Bug: 236174677
Test: build
Change-Id: Ief208b795dd05ddaa406f50a5fa91f46fe52fd71
2023-02-01 22:27:36 -08:00
Charles Chen
3d629cdb5d
Merge "Creates mapping from isolated apps to isolated_compute_app"
2023-02-02 05:41:22 +00:00
Florian Mayer
7e40fefc0e
Merge "[MTE] Add memory_safety_native_boot namespace" am: cbeec8f821
am: e17c5905a6
am: 95da9e5052
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2411338
Change-Id: Iae60d2cbc2c74097b91b6bc8e5a5b680a151ce6e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-02 00:01:46 +00:00
Florian Mayer
95da9e5052
Merge "[MTE] Add memory_safety_native_boot namespace" am: cbeec8f821
am: e17c5905a6
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2411338
Change-Id: Ia56afdd9a7cedde6f2efea7069d4fddaadf31e2e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-01 23:02:12 +00:00
Girish
f9ef01a285
Allow communication between mediaserver & statsd
...
Bug: 265488359
Test: atest cts/tests/media/misc/src/android/media/misc/cts/ResourceManagerTest.java
Change-Id: I34bcdc3c403093af90a0e09b18842d7b872c0392
2023-02-01 22:33:28 +00:00
Florian Mayer
e17c5905a6
Merge "[MTE] Add memory_safety_native_boot namespace" am: cbeec8f821
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2411338
Change-Id: I68c6e7830b622bcbd6d9f10527378183a53044ae
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-01 22:21:23 +00:00
Florian Mayer
cbeec8f821
Merge "[MTE] Add memory_safety_native_boot namespace"
2023-02-01 21:41:45 +00:00
Charles Chen
12b3014623
Merge "Update seapp_contexts with isIsolatedComputeApp selector" am: eb1290f511
am: cbd5aa73ff
am: 0e848232ec
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2390135
Change-Id: I742ed5d1761b9531ac41a5b84177265ef4671854
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-01 21:32:12 +00:00
Charles Chen
ebe6578818
Merge changes from topic "iso_compute" am: b36ecf6caa
am: 5317542847
am: 368eb993eb
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2390967
Change-Id: I2f2a635d2de69535f6c2623328f6cc95754c1831
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-01 21:27:29 +00:00
Charles Chen
0e848232ec
Merge "Update seapp_contexts with isIsolatedComputeApp selector" am: eb1290f511
am: cbd5aa73ff
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2390135
Change-Id: Ib84aeb3868306bbd00f2ae4fd62f28a08dd49424
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-01 20:46:25 +00:00
Charles Chen
368eb993eb
Merge changes from topic "iso_compute" am: b36ecf6caa
am: 5317542847
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2390967
Change-Id: If4ccd26c1d57febb427c84817407a1edd4b33c30
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-01 20:45:18 +00:00
Charles Chen
bc965c900a
Creates mapping from isolated apps to isolated_compute_app
...
Provides mapping using the isIsolatedComputeApp to enable certain
isolated process running in such domain with more hardware
acceleration.
Bug: 267494028
Test: m && atest --host libselinux_test with change on android_unittest.cpp
Change-Id: I9ff341de69e0ad15cb7764276e0c726d54261b84
2023-02-01 18:41:09 +00:00
Charles Chen
cbd5aa73ff
Merge "Update seapp_contexts with isIsolatedComputeApp selector" am: eb1290f511
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2390135
Change-Id: I1145c5ed3b4fd9736c7636ad921a6235045a4f93
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-01 18:29:29 +00:00
Charles Chen
5317542847
Merge changes from topic "iso_compute" am: b36ecf6caa
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2390967
Change-Id: Ib84377f876f96dfcbac94bcee9a4a9c7cf408eed
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-01 18:29:18 +00:00
Charles Chen
eb1290f511
Merge "Update seapp_contexts with isIsolatedComputeApp selector"
2023-02-01 17:34:48 +00:00
Charles Chen
b36ecf6caa
Merge changes from topic "iso_compute"
...
* changes:
Add isolated_compute_app domain
Share isolated properties across isolated apps
2023-02-01 17:33:59 +00:00
Shikha Panwar
20830f7568
Merge "Allow MM to open/syncfs/close encryptedstore dir" am: 2d91b6fc97
am: db1018c3ff
am: b13ccd0a35
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2376232
Change-Id: I7d7de50a1427279ac32bb0b05c8b51dfa8de25f3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-01 12:35:13 +00:00
Shikha Panwar
b13ccd0a35
Merge "Allow MM to open/syncfs/close encryptedstore dir" am: 2d91b6fc97
am: db1018c3ff
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2376232
Change-Id: Icf72af4fd2ea51f12b0a9f5168362714a4d37eec
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-01 11:51:59 +00:00
Shikha Panwar
db1018c3ff
Merge "Allow MM to open/syncfs/close encryptedstore dir" am: 2d91b6fc97
...
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2376232
Change-Id: I8f9efbe0770db9346c131159c465b8e6ab88e4c5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-02-01 11:17:22 +00:00
Shikha Panwar
2d91b6fc97
Merge "Allow MM to open/syncfs/close encryptedstore dir"
2023-02-01 11:13:01 +00:00
Alex Hong
1abf80e5c1
Allow vendor_init to set properties for recovery/fastbootd USB IDs
...
Bug: 211547922
Test: SELinuxUncheckedDenialBootTest
Test: Enter recovery/fastbootd mode
$ lsusb -d 18d1:
Change-Id: Ibee1210c1a70a3165e70f9b3b57e11949e412c97
2023-02-01 17:49:32 +08:00