tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
47374 commits 1 branch 0 tags 50 MiB
Commit graph

47374 commits

This branch
This branch
All branches
Author SHA1 Message Date
Maciej Żenczykowski
f83e395a4a bpfloader - relax neverallows for map_read/write/prog_run 
There's no way to currently define a new domain with map_read/write
access.

That's clearly desirable for example for vendor use of xt_bpf programs.

I believe that also holds true for prog_load which is checked
at attachment, and will be needed in the future to support things
like vendor tracepoint attachment.

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I6125f3de2f8a8dde0891ddabedfafe35f521e681
 2024-03-13 00:38:45 +00:00
Roland Levillain
b229d824ad Merge "Revert "Check added types/attributes on freeze test too"" into main 2024-03-12 15:35:32 +00:00
Roland Levillain
590bbddbd0 Revert "Check added types/attributes on freeze test too" 
This reverts commit a6a3726ed2.

Reason for revert: Breaks an internal build (see b/329217616)

Bug: 329217616
Bug: 296875906
Change-Id: Iac204a3e7501cd2d0e691f10b5bca88586f315aa
 2024-03-12 15:32:12 +00:00
Treehugger Robot
ed4d6b7929 Merge "Check added types/attributes on freeze test too" into main 2024-03-12 07:38:59 +00:00
Thiébaud Weksteen
8372e1fd71 Merge "Define persist.bootanim.color in platform policy" into main 2024-03-12 05:06:31 +00:00
Inseob Kim
a6a3726ed2 Check added types/attributes on freeze test too 
Without this check, a release build may accidentally include additional
public types and attributes after "freeze".

Also this adds a detailed error message for how to fix.

Bug: 296875906
Test: manual
Change-Id: Iabc6bc8c8616089207acfff8ec4f05445fe7b2b3
 2024-03-12 11:25:14 +09:00
Inseob Kim
d3afbdfffa Merge changes from topic "202404_sepolicy_mapping" into main 
* changes:
  Add 202404 mapping files
  Vendor API level 202404 is now frozen
 2024-03-12 00:10:16 +00:00
Treehugger Robot
17c2c80f7b Merge "sepolicy: Grant hal_bluetooth_server to access udp_socket" into android14-tests-dev am: d7d7463dbc 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2989876

Change-Id: I5153850c98ce0e31fac87416a68a3c15b9d75504
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2024-03-11 22:52:24 +00:00
Treehugger Robot
d7d7463dbc Merge "sepolicy: Grant hal_bluetooth_server to access udp_socket" into android14-tests-dev 2024-03-11 22:13:33 +00:00
Thiébaud Weksteen
e26898d633 [automerger skipped] Grant lockdown integrity to all processes am: 30404a42b8 -s ours am: 3b40904a9d -s ours 
am skip reason: Merged-In If2ad34fbbf2c0d29ac54ab5d1be430623f86f1f7 with SHA-1 c1b65e5d53 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2980251

Change-Id: Ifd4ff576bc75fc28139c5e1d0df36a5ada7ce1dc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2024-03-11 21:25:35 +00:00
Thiébaud Weksteen
3b40904a9d [automerger skipped] Grant lockdown integrity to all processes am: 30404a42b8 -s ours 
am skip reason: Merged-In If2ad34fbbf2c0d29ac54ab5d1be430623f86f1f7 with SHA-1 c1b65e5d53 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2980251

Change-Id: I5a57c156e591a5bed9c65787300c29c342907bf2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2024-03-11 21:01:51 +00:00
Jiakai Zhang
efcc8dbdd7 Merge "Add rules for snapshotctl map/unmap." into main 2024-03-11 16:55:25 +00:00
Treehugger Robot
210e8b5651 Merge "Adding on_device_intelligence selinux policy to allow system appliations to retrieve this service" into main 2024-03-11 15:21:42 +00:00
sandeepbandaru
600e395339 Adding on_device_intelligence selinux policy to allow system appliations to retrieve this service 
Bug: 316589195
Test: flashed on device and ran service with a demo app
Change-Id: I708d715525dd1c4f3985dfcc1560383d045f1a6f
 2024-03-11 11:33:18 +00:00
Jiakai Zhang
b9cf68a2f5 Add rules for snapshotctl map/unmap. 
This change adds rules for system properties "sys.snapshotctl.map" and
"sys.snapshotctl.unmap", for controlling snapshotctl.

This change also adds the missing rules for snapshotctl to perform its
job. Initially, the rules for snapshotctl were added by
http://r.android.com/1126904, for running snapshotctl through init
(http://r.android.com/1123645). However, the trigger was then removed by
http://r.android.com/1239286. Since then, snapshotctl can be only run by
the root shell, in which case it is run in the "su" domain, so the rules
are not tested and therefore get stale over time. To make snapshotctl
function properly when run by init, we need to add the missing rules.

Bug: 311377497
Test: adb shell setprop sys.snapshotctl.map requested
Test: adb shell setprop sys.snapshotctl.unmap requested
Change-Id: I304be6e1825a6768f757d74b3365c4d759b9d07e
 2024-03-11 11:18:50 +00:00
Inseob Kim
f038c8f1ac Add 202404 mapping files 
Bug: 327954176
Test: m treble_sepolicy_tests_202404
Test: m 202404_compat_test
Test: m selinux_policy
Change-Id: I6bdcbff305c0cc998bdd809006feb02e0609784d
 2024-03-11 16:38:02 +09:00
Devin Moore
1f93d9bca5 Vendor API level 202404 is now frozen 
Bug: 279809333
Test: build
Change-Id: If6ef4c3b02d06212923e757fb68aa74e38c68db3
(cherry picked from commit 39dd515546)
 2024-03-11 14:30:35 +09:00
Alan Stokes
55ae799b21 Allow adbd to read file_contexts 
Denials for this can cause local test failures.

The access is harmless, and is allowed in the host, so we also allow
it in the guest. And adbd does have a legitimate use for the access.

Bug: 328753027
Test: atest MicrodroidHostTests
      Run repeatedly on my test device
Change-Id: Ic2e991122527ae9a22babb417ad90f2ceb8d15fc
 2024-03-08 16:47:06 +00:00
Thiébaud Weksteen
935206e8ab Define persist.bootanim.color in platform policy 
These properties are defined by the platform (see BootAnimation.cpp).

Test: m
Bug: 321088135
Ignore-AOSP-First: sync policy internally first
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:88995803f60b6df725747e658734a779043d6674)
Merged-In: I429b807deda5cfd3cf7db1512b97d25769f18086
Change-Id: I429b807deda5cfd3cf7db1512b97d25769f18086
 2024-03-08 01:26:49 +00:00
Xin Li
489766292a Merge "Merge Android 14 QPR2 to AOSP main" into main 2024-03-07 06:10:53 +00:00
Hansen Kurli
64efe2d68f Merge "Remove tests for removed legacy vpns" into main 2024-03-07 05:57:32 +00:00
Treehugger Robot
7c6a7c0486 Merge "Allow dumpsys on user builds" into main 2024-03-07 00:03:35 +00:00
Xin Li
dea482ea8b Merge Android 14 QPR2 to AOSP main 
Bug: 319669529
Merged-In: I7bf682d11afd9cd8dbb5717afc0dba0c9e25a1a7
Change-Id: I995e7189c4fac90e8adfb21481ee87c35ca83788
 2024-03-06 09:30:17 -08:00
Alice Ryhl
56f464fcc9 Merge "kcmdlinectrl: define system property for kcmdlinectrl" into main 2024-03-06 15:28:16 +00:00
Steven Moreland
0f1df85994 Merge "OWNERS cleanup" into main 2024-03-06 14:13:56 +00:00
Steven Moreland
c826453ca2 OWNERS cleanup 
Bug: N/A
Test: N/A
Change-Id: I3e4bc8a5bc4dddb0bad25d5b9cb7ad1f84e8f041
 2024-03-06 12:47:46 +00:00
Alice Ryhl
6b9aa6dc33 kcmdlinectrl: define system property for kcmdlinectrl 
This defines the kcmdline_prop context for properties controlled by
kcmdlinectrl, and defines a property called kcmdline.binder for
switching between the Rust and C implementations of the Binder driver.

It is intended that additional kcmdline properties introduced in the
future would share the same kcmdline_prop context.

Test: Verified that setprop/getprop work and that the value is loaded properly at boot
Bug: 326222756
Change-Id: Iea362df98d729ee110b6058c6e5fa6b6ace03d8e
 2024-03-06 12:05:24 +00:00
Treehugger Robot
157fa3fc22 Merge "Allow postinstall script to invoke pm shell commands." into main 2024-03-06 11:12:49 +00:00
Hansen Kurli
956d235e33 Remove tests for removed legacy vpns 
Follow up of aosp/2849357 and aosp/2849358. Tests related to the
removed file_context objects should also be removed

Bug: 161776767
Test: checkfc -t private/file_contexts contexts/plat_file_contexts_test
Change-Id: Id986b739cc81af91aadf8853d685d41ad4238292
 2024-03-06 15:47:59 +08:00
Jooyung Han
c6d23b47d8 Merge "Relax neverallows for vendor to use /system/bin/sh" into android14-tests-dev am: a1260cfa21 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2988072

Change-Id: If21747c23ef463345f1f2e19e0c389e084b2fd90
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2024-03-06 06:58:55 +00:00
Treehugger Robot
02d52b60d4 [automerger skipped] Merge "Grant lockdown integrity to all processes" into android14-tests-dev am: 9dba1b8892 -s ours 
am skip reason: Merged-In If2ad34fbbf2c0d29ac54ab5d1be430623f86f1f7 with SHA-1 99a4cbcee7 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2983718

Change-Id: Id6e863be8adeb1f2c35b31ac7336d8b3b0cd800d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2024-03-06 06:58:44 +00:00
Thiébaud Weksteen
27d142fe16 [automerger skipped] Grant lockdown integrity to all processes am: c1b65e5d53 -s ours 
am skip reason: Merged-In If2ad34fbbf2c0d29ac54ab5d1be430623f86f1f7 with SHA-1 99a4cbcee7 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2983718

Change-Id: I9f31a1c6be5825173d96e45f417332262cbaef84
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2024-03-06 06:58:40 +00:00
Jooyung Han
a1260cfa21 Merge "Relax neverallows for vendor to use /system/bin/sh" into android14-tests-dev 2024-03-06 06:18:53 +00:00
Treehugger Robot
9dba1b8892 Merge "Grant lockdown integrity to all processes" into android14-tests-dev 2024-03-06 06:18:07 +00:00
Yanfei Zhou
f89aad81a5 sepolicy: Grant hal_bluetooth_server to access udp_socket 
This change updates neverallow list to allow accessing udp
sockets from hal_bluetooth_server.

Bug: 305104428
Bug: 328147587
Change-Id: Ic1d80c7cb1aa62969b541ee30686afd57ec51fb0
(cherry picked from commit 3a739f9bed)
 2024-03-06 01:28:15 +00:00
Daniele Di Proietto
113f34aab8 Merge "Add perfetto persistent tracing configuration file" into main am: edfb82499e 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2967564

Change-Id: I7bf682d11afd9cd8dbb5717afc0dba0c9e25a1a7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2024-03-05 14:37:14 +00:00
Daniele Di Proietto
edfb82499e Merge "Add perfetto persistent tracing configuration file" into main 2024-03-05 14:25:23 +00:00
Treehugger Robot
fbd5ca646f Merge "tracefs: remove debugfs/tracing rules on release devices" into main am: a3a3559743 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2973489

Change-Id: Ib81b790347f8cbba93e08df9dee3ae5d52ea49c2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2024-03-05 14:15:27 +00:00
Treehugger Robot
a3a3559743 Merge "tracefs: remove debugfs/tracing rules on release devices" into main 2024-03-05 13:33:02 +00:00
Ryan Savitski
5ee2595e8b Merge "tracefs: allow using "/sys/kernel/tracing/buffer_percent" on release devices" into main am: d7a3de50a3 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2976491

Change-Id: I2ca80ec6e19eb00b753b5104995d1ed7f47e7980
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2024-03-05 12:05:30 +00:00
Kangping Dong
29c440880d Merge "[Thread] limit ot-daemon socket to ot-ctl" into main am: 564f1296b8 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2984172

Change-Id: I310acdc5860501c6725b91ca33165fb2778af7f7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2024-03-05 12:05:18 +00:00
Ryan Savitski
d7a3de50a3 Merge "tracefs: allow using "/sys/kernel/tracing/buffer_percent" on release devices" into main 2024-03-05 12:04:12 +00:00
Daniele Di Proietto
9a997590e1 Add perfetto persistent tracing configuration file 
Bug: 325622427
Change-Id: Ia77a029dfddfb3108bb6fdd2d3c6d5b4d9909f7b
 2024-03-05 11:30:36 +00:00
Kangping Dong
564f1296b8 Merge "[Thread] limit ot-daemon socket to ot-ctl" into main 2024-03-05 11:18:56 +00:00
Jooyung Han
6ece857f4f Relax neverallows for vendor to use /system/bin/sh 
Since 202404, vendor components will use /system/bin/sh for system(3),
popen(3), etc.

Bug: 324142245
Test: system("readlink /proc/$$/exe") in vendor HALs
Change-Id: I521499678e87a7d0216a276e014888867f495803
(cherry picked from commit f0ba322926)
 2024-03-05 19:09:05 +09:00
Maciej Żenczykowski
45686712d0 [automerger skipped] Merge "sepolicy: allow netutils_wrapper access to fs_bpf_vendor" into android14-tests-dev am: 4e02fed10f -s ours am: 4e3c63263f -s ours 
am skip reason: Merged-In I7ff8a0319bec2f3a57c7ce48939b13b2fca182de with SHA-1 37ca69e5c8 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2978635

Change-Id: I8f3e6e956b3481c98c42f7119a84e6a7b6e00967
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2024-03-05 08:29:57 +00:00
Maciej Żenczykowski
fc3aae7693 [automerger skipped] sepolicy: allow netutils_wrapper access to fs_bpf_vendor am: a4208e9f10 -s ours am: 405115efd7 -s ours 
am skip reason: Merged-In I7ff8a0319bec2f3a57c7ce48939b13b2fca182de with SHA-1 37ca69e5c8 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2978635

Change-Id: I98965df2edfec7ca4c17b420b29f243524f6996f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2024-03-05 08:29:54 +00:00
Maciej Żenczykowski
4e3c63263f [automerger skipped] Merge "sepolicy: allow netutils_wrapper access to fs_bpf_vendor" into android14-tests-dev am: 4e02fed10f -s ours 
am skip reason: Merged-In I7ff8a0319bec2f3a57c7ce48939b13b2fca182de with SHA-1 37ca69e5c8 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2978635

Change-Id: I325e645ddeeb165617ff7ee2199f0751b56fee76
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2024-03-05 07:47:28 +00:00
Maciej Żenczykowski
405115efd7 [automerger skipped] sepolicy: allow netutils_wrapper access to fs_bpf_vendor am: a4208e9f10 -s ours 
am skip reason: Merged-In I7ff8a0319bec2f3a57c7ce48939b13b2fca182de with SHA-1 37ca69e5c8 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2978635

Change-Id: If132bed3272ba8445ba3c9ba131ddc4b5926d7cc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2024-03-05 07:47:24 +00:00
Maciej Żenczykowski
4e02fed10f Merge "sepolicy: allow netutils_wrapper access to fs_bpf_vendor" into android14-tests-dev 2024-03-05 07:14:51 +00:00