tequilaOS/platform_system_sepolicy

Author	SHA1	Message	Date
Treehugger Robot	a3a3559743	Merge "tracefs: remove debugfs/tracing rules on release devices" into main	2024-03-05 13:33:02 +00:00
Ryan Savitski	5ee2595e8b	Merge "tracefs: allow using "/sys/kernel/tracing/buffer_percent" on release devices" into main am: `d7a3de50a3` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2976491 Change-Id: I2ca80ec6e19eb00b753b5104995d1ed7f47e7980 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-03-05 12:05:30 +00:00
Kangping Dong	29c440880d	Merge "[Thread] limit ot-daemon socket to ot-ctl" into main am: `564f1296b8` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2984172 Change-Id: I310acdc5860501c6725b91ca33165fb2778af7f7 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-03-05 12:05:18 +00:00
Ryan Savitski	d7a3de50a3	Merge "tracefs: allow using "/sys/kernel/tracing/buffer_percent" on release devices" into main	2024-03-05 12:04:12 +00:00
Daniele Di Proietto	9a997590e1	Add perfetto persistent tracing configuration file Bug: 325622427 Change-Id: Ia77a029dfddfb3108bb6fdd2d3c6d5b4d9909f7b	2024-03-05 11:30:36 +00:00
Kangping Dong	564f1296b8	Merge "[Thread] limit ot-daemon socket to ot-ctl" into main	2024-03-05 11:18:56 +00:00
Matt Buckley	ee100057e0	Merge "Allow apps to access PowerHAL for FMQ" into main am: `19cb4c541f` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2978555 Change-Id: I27a9a5a1012270c305a2727951c3561c2eb56634 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-03-04 22:55:48 +00:00
Matt Buckley	19cb4c541f	Merge "Allow apps to access PowerHAL for FMQ" into main	2024-03-04 22:22:41 +00:00
Stefan Andonian	efd8723a4e	Merge "Enable platform_app to use perfetto/trace_data_file permissions in debug/eng builds." into main am: `79d1388d86` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2924820 Change-Id: I984a94aa4b6267aafc49adaf5ae45c99869080a8 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-03-04 21:26:12 +00:00
Stefan Andonian	79d1388d86	Merge "Enable platform_app to use perfetto/trace_data_file permissions in debug/eng builds." into main	2024-03-04 20:23:11 +00:00
Ján Sebechlebský	449b8ccd88	Merge "Allow virtual camera to use fd's from graphic composer" into main am: `f8ab94fa08` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2977091 Change-Id: I4a49700af6b9798045cf026c06d3cb68913cb596 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-03-04 15:49:46 +00:00
Ján Sebechlebský	f8ab94fa08	Merge "Allow virtual camera to use fd's from graphic composer" into main	2024-03-04 15:20:49 +00:00
Jiakai Zhang	625c4a9543	Allow postinstall script to invoke `pm` shell commands. Bug: 311377497 Change-Id: I46653dcbbe1d1b87b3d370bee80aae2d60998fbe Test: manual - Install an OTA package and see the hook called.	2024-02-29 23:12:32 +00:00
Dennis Shen	1bfa2552ad	Merge "aconfig_storage: setup RO partitions aconfig storage files SELinux policy" into main am: `3041c33c91` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2982791 Change-Id: I3c601bb71699e80fb052b9d5c087fe792ec87f52 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-29 19:32:49 +00:00
Dennis Shen	3041c33c91	Merge "aconfig_storage: setup RO partitions aconfig storage files SELinux policy" into main	2024-02-29 19:03:00 +00:00
Kangping Dong	90495cc79f	[Thread] limit ot-daemon socket to ot-ctl It's better to explicitly disallow access to ot-daemon from other than ot-ctl. Bug: 323502847 Change-Id: Ic46ad4e8f3a1d21bbfc9f4f01e6a692aafcdb815	2024-02-29 23:43:34 +08:00
Dennis Shen	f008c29e47	aconfig_storage: setup RO partitions aconfig storage files SELinux policy system, system_ext, product and vendor partitions have aconfig storage files under /<partition>/etc/aconfig dir. need to grant access to aconfigd. Bug: b/312459182 Test: m and tested with AVD Change-Id: I9750c24ffa26994e4f5deadd9d772e31211a446a	2024-02-29 15:28:48 +00:00
Stefan Andonian	ff413fd7d0	Enable platform_app to use perfetto/trace_data_file permissions in debug/eng builds. This change is to allow SystemUI, a platform_app, to start, stop, and share Perfetto/Winscope traces. Bug: 305049544 Test: Verified everything works on my local device. Change-Id: I8fc35a5a570c2199cfdd95418a6caf0c48111c46	2024-02-28 20:31:44 +00:00
Dennis Shen	154a08ef7e	Merge "aconfigd: create aconfig daemon selinux policy" into main am: `067f7db593` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2976451 Change-Id: Ib86e806430e8decea25e8de9b5f314891561e521 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-28 13:21:35 +00:00
Dennis Shen	067f7db593	Merge "aconfigd: create aconfig daemon selinux policy" into main	2024-02-28 12:31:26 +00:00
Matt Buckley	52c9b3b9a9	Allow apps to access PowerHAL for FMQ This patch allows apps to access PowerHAL FMQ memory to send ADPF messages. Test: n/a Bug: 315894228 Change-Id: I2733955807c40e63b688fcb0624db8acc8f9a139	2024-02-27 16:35:55 -08:00
Florian Mayer	9ceda37b18	Merge "Allow shell and adb to read tombstones" into main am: `9d7d3c4a0e` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2974016 Change-Id: I2fdfb22d91512d081d1760952e23611a1d2e4917 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-26 22:02:00 +00:00
Florian Mayer	9d7d3c4a0e	Merge "Allow shell and adb to read tombstones" into main	2024-02-26 21:12:25 +00:00
Dennis Shen	2659257c76	aconfigd: create aconfig daemon selinux policy Bug: b/312444587 Test: m and launch avd Change-Id: I0156a9dee05139ec84541e0dff2f95285c97cfb9	2024-02-26 19:58:48 +00:00
Jan Sebechlebsky	fd7e285504	Allow virtual camera to use fd's from graphic composer This is causing denials in case the fence fd comes from graphic composer. Bug: 301023410 Test: atest CtsCameraTestCases with test virtual camera enabled Change-Id: I14cb26c058342470aa2dc214ab47cc61aa2f3255	2024-02-26 11:55:16 +01:00
Thiébaud Weksteen	66bb617447	Merge "Grant lockdown integrity to all processes" into main am: `1fc3a6f955` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2971071 Change-Id: I21f3e67d0b697a532f65e4e21b8a193accca521a Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-26 00:34:52 +00:00
Jooyung Han	a53593f6fa	Merge "Add input_device.config_file.apex property" into main am: `615aaf5998` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2974852 Change-Id: I08eec3e2cd297b70d84ea92aa07159bd1b70d91e Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-26 00:34:01 +00:00
Thiébaud Weksteen	1fc3a6f955	Merge "Grant lockdown integrity to all processes" into main	2024-02-26 00:11:52 +00:00
Ryan Savitski	ce8959c851	tracefs: remove debugfs/tracing rules on release devices The tracing filesystem used to be mounted on /sys/kernel/debug/tracing, but is nowaways available at /sys/kernel/tracing. Since debugfs itself is no longer mounted on release devices, there is no need for rules that relax specific .../debug/tracing/... files to be available on release devices. Leave them as debugfs_tracing_debug. Not touching other labels such as debugfs_tracing_printk_formats in case there are debug-only tools that grant themselves access to just that label. Might revisit those in a different patch. Bug: 303590268 Change-Id: Ic234c73ac7256117179c4b3eb35da0eac9a50eaa	2024-02-25 19:16:56 +00:00
Ryan Savitski	bdf0a56bf3	tracefs: allow using "/sys/kernel/tracing/buffer_percent" on release devices This is a tracing control file that userspace can read/write an ascii number (e.g. "50"). In turn, it controls the behaviour of blocking read(), splice(), and poll() on the tracing kernel ring buffer fds. A blocked syscall will only be woken up once the kernel fills the buffer past the "buffer_percent" watermark (so 50% -> half-full). We'll be using this file in perfetto's traced_probes, but it should also be safe to expose to other users of the tracing file system (aka debugfs_tracing in sepolicy) on release builds. Added to linux in: https://android.googlesource.com/kernel/common/+/03329f99 Change-Id: Ifcdc73cb0162e8cdadf2e7c16b0215410134ccae	2024-02-25 19:00:07 +00:00
Florian Mayer	6c689e8438	Allow shell and adb to read tombstones tombstones are now openable by these domains: allow adbd tombstone_data_file:dir { getattr ioctl lock open read search watch watch_reads }; allow adbd tombstone_data_file:file { getattr ioctl lock map open read watch watch_reads }; allow dumpstate tombstone_data_file:dir { getattr ioctl lock open read search watch watch_reads }; allow dumpstate tombstone_data_file:file { getattr ioctl lock map open read watch watch_reads }; allow init tombstone_data_file:dir { add_name create getattr ioctl open read relabelfrom relabelto remove_name rmdir search setattr write }; allow init tombstone_data_file:fifo_file { create getattr open read relabelfrom relabelto setattr unlink }; allow init tombstone_data_file:file { create getattr map open read relabelfrom relabelto setattr unlink write }; allow init tombstone_data_file:sock_file { create getattr open read relabelfrom relabelto setattr unlink }; allow shell tombstone_data_file:dir { getattr ioctl lock open read search watch watch_reads }; allow shell tombstone_data_file:file { getattr ioctl lock map open read watch watch_reads }; allow system_server tombstone_data_file:dir { add_name getattr ioctl lock open read remove_name search watch watch_reads write }; allow system_server tombstone_data_file:file { append create getattr ioctl lock map open read rename setattr unlink watch watch_reads write }; allow tombstoned tombstone_data_file:dir { add_name getattr ioctl lock open read remove_name search watch watch_reads write }; allow tombstoned tombstone_data_file:file { append create getattr ioctl link lock map open read rename setattr unlink watch watch_reads write }; Test: adb unroot, ls, cat, adb pull Bug: 312740614 Change-Id: I4a1af4fbdc48c5c5f4b0b33f124cea31af74dd87	2024-02-23 15:44:20 -08:00
Jooyung Han	c6d75293b9	Add input_device.config_file.apex property This new property is to set an apex name when input configuration files are bundled in an apex. libinput checks the new sysprop when loading input configuration. This removes hard-coded apex name (com.android.input.config). Bug: 315080500 Test: adb shell dumpsys input # set "touch.orientationAware = 0" in Touchscreen_0.idc # build/install the input config apex # Observe the Input configuration # "Touch Input Mapper" shows "OrientationAware: false" Change-Id: Ie0bf30bff2ed7f983caa5b893994a5bd2759e192	2024-02-23 14:31:58 +09:00
Steven Moreland	cfed32d4ff	Merge changes from topic "misctrl" into main am: `9fca32695a` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2966594 Change-Id: Id68b57052b905fd3aab14f17f1eb7e81913d7e05 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-22 19:16:50 +00:00
Steven Moreland	d7c3bf781e	intro misctrl am: `b4f42d449b` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2966593 Change-Id: Ie652cf5516fe3c1042931bb07162f39996180e66 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-22 19:16:46 +00:00
Steven Moreland	9fca32695a	Merge changes from topic "misctrl" into main * changes: misctrl: add a property intro misctrl	2024-02-22 18:57:01 +00:00
Alan Stokes	d02b052624	Merge "Add virtualization_maintenance_service" into main am: `d2bc72b7eb` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2967637 Change-Id: Ib5539a82cb00a141c3c4d9877acb7195f853107d Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-22 10:33:00 +00:00
Alan Stokes	d2bc72b7eb	Merge "Add virtualization_maintenance_service" into main	2024-02-22 09:45:13 +00:00
Treehugger Robot	444ca3ef45	Merge "Reland "[res] Allow accessing idmap files in all zygotes"" into main am: `b4d6657a5c` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2970351 Change-Id: I61de789991aeb6254b9d2f80bff9a65f06c4b533 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-22 09:07:53 +00:00
Treehugger Robot	b4d6657a5c	Merge "Reland "[res] Allow accessing idmap files in all zygotes"" into main	2024-02-22 08:42:02 +00:00
Treehugger Robot	3fbbe8f2ab	Merge "Allow shell/toolbox for all domains" into main am: `b08b54e735` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2968882 Change-Id: I27a83570324b203d1c2eb86adc82dcc5fec1db8e Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-22 06:19:57 +00:00
Treehugger Robot	b08b54e735	Merge "Allow shell/toolbox for all domains" into main	2024-02-22 05:48:44 +00:00
Thiébaud Weksteen	99a4cbcee7	Grant lockdown integrity to all processes The default policy for the "lockdown" access vector on Android was introduced in commit `bcfca1a6`. While the "confidentiality" permission was granted to all processes, the "integrity" was marked as neverallowed. Upstream, the support for that access vector was removed from kernel 5.16 onwards. It was found that the "integrity" permission either does not apply to Android or duplicates other access control (e.g., capabilities sys_admin). Instead of simply removing the neverallow rule, the access is granted to all processes. This will prevent the proliferation of references to this access vector in vendors' policies and ultimately facilitate its removal. Test: presubmit Bug: 285443587 Bug: 269377822 Bug: 319390252 Change-Id: If2ad34fbbf2c0d29ac54ab5d1be430623f86f1f7	2024-02-22 12:20:38 +11:00
Yisroel Forta	dc79d84476	Add context that system server can access and perfetto can save traces to am: `c5cb5a248d` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2965922 Change-Id: I3e286eb5cfb4de9fc80eb8462fb183d67898db98 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-21 22:38:05 +00:00
Steven Moreland	9f41fc081f	misctrl: add a property misctrl can set properties which can be injected into bugreports. Limit visibility of these properties so that no device code can branch based off these properties. Bug: 317262681 Test: bugreport Change-Id: I74f6f240b08b2681540bca262dcc76bcdca9cdad	2024-02-21 18:16:49 +00:00
Yisroel Forta	c5cb5a248d	Add context that system server can access and perfetto can save traces to Give perfetto rw dir and create file permissions for new directory. Give system server control to read, write, search, unlink files from new directory. Test: locally ensure traces can be written by perfetto and accessed and deleted by system server Bug: 293957254 Change-Id: Id015429b48ffffb73e7a71addddd48a22e4740bf	2024-02-21 16:43:57 +00:00
David Drysdale	bd6d03f58b	Allow virtualizationservice to check parent dir am: `a9d70d7ba8` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2967573 Change-Id: I915ec4bc0144cc9a1a9ac20525f48ad1b33af3d7 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-21 11:39:06 +00:00
Jooyung Han	66c5beaecc	Allow shell/toolbox for all domains Bug: 324142245 Test: m (presubmit) Change-Id: If408294d31c66241eca938ee2a681e6a9cf37ee2	2024-02-21 11:13:14 +09:00
Yurii Zubrytskyi	9128735f1f	Reland "[res] Allow accessing idmap files in all zygotes" This reverts commit `7ee66a0391`. Reason for revert: The change is supposed to be a noop, trying it as a separate CL now Change-Id: I0a1befb0015f39596423da7049040de6be18db65	2024-02-20 20:49:37 +00:00
Steven Moreland	b4f42d449b	intro misctrl Generic binary for managing the misc partition. Bug: 317262681 Test: boot, check bugreport Change-Id: Ib172d101d68409f2500b507df50b02953c392448	2024-02-20 18:56:05 +00:00
Alan Stokes	38131e7ba8	Add virtualization_maintenance_service This is an AIDL service exposed by Virtualization Service to system server (VirtualizationSystemService). The implementation is Rust so no fuzzer is required. I've put this behind the flag on general principle. Bug: 294177871 Test: atest MicrodroidTests Change-Id: Ia867fe27fb2e76d9688e4ba650ebf7b3f51ee597	2024-02-20 17:08:28 +00:00
David Drysdale	a9d70d7ba8	Allow virtualizationservice to check parent dir Needed for SQLite database creation Test: boot Cuttlefish, printf debugging Bug: 294177871 Change-Id: I9ec2a8956c501ddea9514ea07a7c89d09b027dd3	2024-02-20 12:04:39 +00:00
David Drysdale	d63c142e10	Allow virtualizationserver->ISecretkeeper am: `3242c6a271` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2967566 Change-Id: I4c11744bb369f0fb72869f7a74f2adda7ec40079 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-20 09:03:00 +00:00
David Drysdale	3242c6a271	Allow virtualizationserver->ISecretkeeper Test: build and run in CF, see connection Change-Id: I2d6f0c3836c4de061a456039ded899b4d3a3e7f5	2024-02-19 15:29:33 +00:00
Inseob Kim	b42fd4cb3d	Merge "label boot animations on oem with bootanim_oem_file" into main am: `d1fada7e61` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2964524 Change-Id: I281fea83a7dc0144e7dc4383a61d7485688808f8 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-19 01:51:41 +00:00
Inseob Kim	d1fada7e61	Merge "label boot animations on oem with bootanim_oem_file" into main	2024-02-19 01:21:00 +00:00
Håkan Kvist	1f915b4b13	label boot animations on oem with bootanim_oem_file Bootanimation only access boot animation files on oem. Label these files with bootanim_oem_file and remove oemfs file allow rule. Also allow mediaserver and app to read this new label as they can access /oem/media folder. Bug: 324437684 Test: Confirm that boot animation on oem is shown without violations Change-Id: I940ccde9391a5daa920f31926d32e68b1de5b7eb	2024-02-16 11:08:30 +01:00
Trevor David Black	db14b179d2	Add fifo_file read access to enable gpuservice within device cts am: `4105da26f9` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2966382 Change-Id: I71db3ebeccff51145f667a2315cc536df058d345 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-16 05:32:10 +00:00
Trevor David Black	4105da26f9	Add fifo_file read access to enable gpuservice within device cts Bug: 299537644 Test: atest -c CtsGraphicsTestCases:VulkanFeaturesTest#testAndroidBaselineProfile2021Support Change-Id: Iab5c4255f01317c197488158ef8cc63fcf0ebb3b	2024-02-15 22:21:30 +00:00
Mikhail Naganov	f5b07ca2a3	Merge "Add ro.audio.ihaladaptervendorextension_enabled property" into main am: `ead55ce93a` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2964162 Change-Id: I623ddbc287c48ec0c7fad5b8f566ee1fc951f9f3 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-15 17:47:17 +00:00
Mikhail Naganov	ead55ce93a	Merge "Add ro.audio.ihaladaptervendorextension_enabled property" into main	2024-02-15 17:08:10 +00:00
Dennis Shen	7254b104f6	Merge "selinux setup for files under /metadata/aconfig dir" into main am: `537a704088` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2960462 Change-Id: I9e170a4fa7293aed2bf9d0818f6ba0c8d558b151 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-15 13:53:00 +00:00
Dennis Shen	537a704088	Merge "selinux setup for files under /metadata/aconfig dir" into main	2024-02-15 13:20:02 +00:00
Tej Singh	4ed39a7a6e	Merge "stats_service: only disallow untrusted access" into main am: `aebd92592a` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2962926 Change-Id: I8aa5df2f2472046ebc59a76df5bfc3c49a491476 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-15 09:20:12 +00:00
Tej Singh	aebd92592a	Merge "stats_service: only disallow untrusted access" into main	2024-02-15 08:30:19 +00:00
Tej Singh	000b251c7d	stats_service: only disallow untrusted access Allow device-specific domains to access stats_service. All access must be done over proper APIs (StatsManager, AStatsManager) instead of accessing the AIDL interfaces directly. Test: build Bug: 318788254 Change-Id: I98ddc1900350daf755372be7249f25a462e3242d	2024-02-14 15:07:21 -08:00
Brandon Liu	dbf77ceff6	Merge "Revert "[res] Allow accessing idmap files in all zygotes"" into main am: `37c4c7c500` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2962104 Change-Id: I65b5d1e3048828d13cb63653c965ca54b5af0d3b Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-14 21:37:09 +00:00
Mikhail Naganov	8b69e5fd48	Add ro.audio.ihaladaptervendorextension_enabled property This property is used by libaudiohal@aidl to detect whether the system_ext partition provides an instance of IHalAdapterVendorExtension. This is a "system internal" property because it belongs to `system_ext`. Bug: 323989070 Test: atest audiorouting_test Ignore-AOSP-First: coupled with Pixel change, will upstream (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:17406cd0a723cb89a03705709ec78d37b3d66042) Merged-In: I81267da070958a70f2f3c4882718cac4600e3476 Change-Id: I81267da070958a70f2f3c4882718cac4600e3476	2024-02-14 18:53:37 +00:00
Dennis Shen	6c8210da20	selinux setup for files under /metadata/aconfig dir 1, /metadata/aconfig is the directory that stores aconfig storage related protobuf files and flag value files boot copy. Grant read access to everybody. But limit the write access only to init and aconfig storage service process (to be created later) 2, /metadata/aconfig/flags is the sub directory that stores persistent aconfig value files.Initially set it up to be accessible by system_server process only . When aconfig storage service process is created, will add another permission to storage service process. Context to why we are hosting flag data on /metadata partition: Android is adopting trunk stable workflow, flagging and A/B testing is essential to every platform component. We need some place to host the flag that are accessible to system processes that starts before /data partition becomes available. In addition, there has been a long discussion regarding utilizing /metadata partition for some process data, another example is mainline modules, we are trying to make them to be able to be mounted earlier, but cannot due to /data availability. Bug: 312444587 Test: m Change-Id: I7e7dae5cf8c4268d71229c770af31b5e9f071428	2024-02-14 17:56:29 +00:00
Patrick Baumann	7ee66a0391	Revert "[res] Allow accessing idmap files in all zygotes" This reverts commit `1195b5eb14`. Reason for revert: b/325161357 Change-Id: I7e6846791020938fb732311105e0f692c648a0f1	2024-02-14 16:24:59 +00:00
Yurii Zubrytskyi	940443d4df	[res] Allow accessing idmap files in all zygotes am: `1195b5eb14` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2962670 Change-Id: I7eb51708ceca8b3dafdaf9dd65c0595cf801f432 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-14 04:20:01 +00:00
Yurii Zubrytskyi	1195b5eb14	[res] Allow accessing idmap files in all zygotes Resources now cache open idmap fds to speed up the up-to-date checks, and this requires zygote processes to be able to access them Bug: 282215580 Test: atest android.text.cts.EmojiTest Change-Id: I808be8a5d321a01193e7f76e316f5f64d4235753	2024-02-14 02:04:55 +00:00
Seungjae Yoo	ec2735ac6a	Allow appdomain to read dir and files under vendor_microdroid_file am: `01c4f57431` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2960542 Change-Id: Idd6fae593bbe92fd7b15500aa0ce3c3ff1bb0013 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-14 01:31:41 +00:00
Seungjae Yoo	01c4f57431	Allow appdomain to read dir and files under vendor_microdroid_file For testing purpose, now we need to use microdroid vendor image for the production due to vendor hashtree digest value comes from the bootloader. In the past, we've used distinguished image file for testing purpose, but we can't now. Bug: 323768068 Test: atest MicrodroidTests#bootsWithVendorPartition Test: atest MicrodroidBenchmarks#testMicrodroidDebugBootTime_withVendorPartition Change-Id: Ic58e51466da0273cf27219d9228f33000e0ecb88	2024-02-13 05:44:15 +00:00
Treehugger Robot	5ce39158f3	Merge "Add rules for Perfetto to be used from system_server" into main am: `f80a830b32` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2958867 Change-Id: Ie3a299620a9aa99c92bde99bd27ea72fdade9a69 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-12 20:59:08 +00:00
Nate Myren	0980c27aef	Merge "Remove mounton from app and web zygote" into main am: `a8f2bbf7c2` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2947925 Change-Id: I4143393154c2850cd4891420d0dc0eddcca0e3ab Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-12 20:58:29 +00:00
Treehugger Robot	f80a830b32	Merge "Add rules for Perfetto to be used from system_server" into main	2024-02-12 20:51:16 +00:00
Nate Myren	a8f2bbf7c2	Merge "Remove mounton from app and web zygote" into main	2024-02-12 20:13:33 +00:00
Carmen Jackson	28b811df1c	Add rules for Perfetto to be used from system_server This includes rules for starting Perfetto as well as rules for communicating over stdio between Perfetto and system_server. Bug: 293957254 Test: Presubmit & tested in conjunction with internal change Change-Id: I7e4c044a6a2afb48c33d65cc421e797d77aacc12	2024-02-12 18:33:32 +00:00
Carlos Galo	34b93f22b7	lmkd: Add ro.lmkd.direct_reclaim_threshold_ms property policies Add policies to control ro.lmkd.direct_reclaim_threshold_ms lmkd property. Test: m Bug: 244232958 Change-Id: Ic2438a17569ef12925c45ee2f15a05449c77f205 Signed-off-by: Carlos Galo <carlosgalo@google.com>	2024-02-12 09:37:00 -08:00
Yisroel Forta	f86fab0d6d	Merge "SELinux permissions for ProfilingService" into main am: `e510cb8696` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2955343 Change-Id: Id393a7cdbcbb82d767b2457c33daf2c96c5bead7 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-12 14:51:42 +00:00
Yisroel Forta	e510cb8696	Merge "SELinux permissions for ProfilingService" into main	2024-02-12 14:22:31 +00:00
Yisroel Forta	aa9d0bf24c	SELinux permissions for ProfilingService Test: Presubmit, manually confirm service accessible Bug: 293957254 Change-Id: I7103be95ff49eb87b4c7164a38a481034d72a9aa	2024-02-09 19:25:32 +00:00
Jiakai Zhang	59bb9008fd	Merge "Update sepolicy for service dexopt_chroot_setup and artd_pre_reboot." into main am: `95d371bcfd` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2939419 Change-Id: I75166873b4baa3d781ebb0b7055f9f42b8a5dd1e Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-09 03:29:50 +00:00
Jiakai Zhang	95d371bcfd	Merge "Update sepolicy for service dexopt_chroot_setup and artd_pre_reboot." into main	2024-02-09 02:52:58 +00:00
mrulhania	faaec9dd3a	Add SELinux policy for ContentProtectionManagerService am: `9a7700cd46` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2952703 Change-Id: Ib8beac88752e6c4576bc177553c33c82df5b1026 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-09 00:41:43 +00:00
mrulhania	9a7700cd46	Add SELinux policy for ContentProtectionManagerService Bug: 324348549 Test: build Change-Id: Ieb319ed033d2fdb18cf76107c44cd6357221ecc4	2024-02-08 19:56:49 +00:00
Jiakai Zhang	817c49f74c	Update sepolicy for service dexopt_chroot_setup and artd_pre_reboot. Bug: 311377497 Test: manual - Call getDexoptChrootSetupServiceRegisterer().waitForService() Test: manual - Set up a chroot environment and call getArtdPreRebootServiceRegisterer().waitForService() Change-Id: I50b5f7f858dab37f05174cb9787f64303d50d083	2024-02-08 10:13:27 +08:00
Nikhil Bhanu	c7b99fbf76	Merge "Add property for enabling stereo spatialization" into main am: `67c12aa98d` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2951223 Change-Id: Iedb7747a9d0fd1818abc161b2e6d545434c56450 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-07 17:09:10 +00:00
Nikhil Bhanu	67c12aa98d	Merge "Add property for enabling stereo spatialization" into main	2024-02-07 16:41:01 +00:00
Treehugger Robot	ef4bd550ee	Merge "Changes in SELinux Policy for CSS API" into main am: `49a519234b` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2819838 Change-Id: I4cfa495bdeae5c048a6f5bf6b308de21c2e40ca7 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-06 21:05:13 +00:00
Treehugger Robot	49a519234b	Merge "Changes in SELinux Policy for CSS API" into main	2024-02-06 20:28:45 +00:00
Nikhil Bhanu	977260767a	Add property for enabling stereo spatialization Bug: 323223919 Test: manual Change-Id: I49d12bfc878ec63d8fe036880033e1c309961430	2024-02-06 08:52:42 -08:00
Justin Yun	d6a43bcb89	Set ro.llndk.api_level as a system prop am: `385d5099cf` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2952405 Change-Id: I29fca56cdb6fe33c2b302be5859dbe86713aef18 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-06 07:24:46 +00:00
Justin Yun	385d5099cf	Set ro.llndk.api_level as a system prop ro.llndk.api_level is included in system/build.prop. It must have the system build_prop context instead of the vendor prop. Bug: 312098788 Test: TH Change-Id: I223ae2cd56490a2cfd6f6454ad685d23d90d9329	2024-02-06 13:55:52 +09:00
David Dai	ef608892b8	Merge "Allow CAP_SYS_NICE for crosvm" into main am: `8a216be443` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2945565 Change-Id: I5bf6d0890878da75a9ae77566b1f9d1ff6a3fcdb Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-05 23:10:10 +00:00
David Dai	8a216be443	Merge "Allow CAP_SYS_NICE for crosvm" into main	2024-02-05 22:20:13 +00:00
Jooyung Han	786f91880a	Merge "Add hal_graphics_mapper_service type" into main am: `d4ae4c1165` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2928071 Change-Id: I5de03cbe4546badfabadce7861ef9b757999153f Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-05 21:44:48 +00:00
Jooyung Han	d4ae4c1165	Merge "Add hal_graphics_mapper_service type" into main	2024-02-05 21:02:15 +00:00
David Dai	7066a961bd	Allow CAP_SYS_NICE for crosvm Open up CAP_SYS_NICE policies so that crosvm can adjust uclamp on its vCPU threads to provide a boost in performance. Bug: 322197421 Test: Booted device and processes that checked that the correct capabilites are given with no sepolicy denials. Change-Id: I089bf26caf862c32e85440575800bb095bb9087b Signed-off-by: David Dai <davidai@google.com>	2024-02-05 11:14:53 -08:00
Alan Stokes	dc589e9e66	Merge "Suppress spurious ipc_lock denials" into main am: `e01e8d5595` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2944165 Change-Id: I43a7872c74237b3d7a734a26b4cab2c705ddc3aa Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-05 10:19:30 +00:00
Alan Stokes	e01e8d5595	Merge "Suppress spurious ipc_lock denials" into main	2024-02-05 09:37:52 +00:00
Jooyung Han	952673da5b	Add hal_graphics_mapper_service type This is used for mapper sphal library which is defined in VINTF and queried via servicemanager. Bug: 317178925 Test: cuttlefish loads mapper.minigbm Change-Id: Ibddc0239e52065a89c656f885f34835406665009	2024-02-05 18:14:53 +09:00
Nate Myren	ef856207af	Remove mounton from app and web zygote These aren't necessary for app compat overrides Change-Id: Ie210a6487a80ef4fa618beedef0d957d79c7d38a Fixes: 319616964 Test: presubmit	2024-02-02 22:29:55 +00:00
Harshit Mahajan	48c1888db7	Merge "Revert^2 "Adding sepolicy rules for CrashRecoveryProperties"" into main am: `d02643a3ed` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2943945 Change-Id: I34af98e454e3f87b553c96dd7920d79df6a62853 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-02 17:01:02 +00:00
Harshit Mahajan	d02643a3ed	Merge "Revert^2 "Adding sepolicy rules for CrashRecoveryProperties"" into main	2024-02-02 16:24:56 +00:00
Hansen Kurli	00ceacf706	Merge "Remove all sepolicy relating to ppp/mtp." into main am: `34ee0b5da3` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2849358 Change-Id: Ib1e0f836c448abfc872e4e6d93ea5333ff744bcb Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-02 05:34:56 +00:00
Hansen Kurli	34ee0b5da3	Merge "Remove all sepolicy relating to ppp/mtp." into main	2024-02-02 05:16:37 +00:00
Carlos Galo	e7c0b7d7fa	Merge "system_server: remove access to proc/memhealth/*" into main am: `878f7f1795` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2945507 Change-Id: Ice66b2aa79d2095a4061ed8455a179b43b633e46 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-02 05:14:08 +00:00
Carlos Galo	878f7f1795	Merge "system_server: remove access to proc/memhealth/*" into main	2024-02-02 04:26:54 +00:00
Carlos Galo	4a9f07fe21	system_server: remove access to proc/memhealth/* Memhealth driver has been removed from all android kernels. Test: m Bug: 315560026 Change-Id: Ia4f91bde3a999a490b42b57abcd521ff9cc94633 Signed-off-by: Carlos Galo <carlosgalo@google.com>	2024-02-01 23:40:25 +00:00
Dan Shi	f6477f4f03	Merge "Revert "audio: Provide a default implementation of IHalAdapterVe..."" into main am: `b230f4f10c` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2944648 Change-Id: I0ebc9160853d628eb184c53ffff580717fca2137 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-01 22:25:09 +00:00
Dan Shi	b230f4f10c	Merge "Revert "audio: Provide a default implementation of IHalAdapterVe..."" into main	2024-02-01 21:57:51 +00:00
Yuyang Huang	05001e214b	Merge "Add system property bluetooth.sco.managed_by_audio" into main am: `ec4196e1b7` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2929416 Change-Id: If0d4c79a9e81856eee0233d573fe08a02daa283f Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-01 21:50:00 +00:00
Mikhail Naganov	1460db3c7c	Merge "audio: Provide a default implementation of IHalAdapterVendorExtension" into main am: `c301f8ef3d` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2930452 Change-Id: I78f36755805b4cfc220a92b4b779aa7e8c3a7f44 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-01 21:44:09 +00:00
Yuyang Huang	ec4196e1b7	Merge "Add system property bluetooth.sco.managed_by_audio" into main	2024-02-01 21:32:46 +00:00
Bubble Fang	484e50f68b	Merge "Revert "Adding sepolicy rules for CrashRecoveryProperties"" into main am: `e12fc98b59` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2943267 Change-Id: Iee5d52063db352425c217e3dc809ad9af017037c Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-01 21:29:51 +00:00
Treehugger Robot	f610ab2296	Merge "Use /proc/device-tree for reading AVF DT" into main am: `bb1c62ca16` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2938000 Change-Id: If0b9b806b163a26fcde5e2a2925d5421b25aad0f Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-01 21:27:01 +00:00
Harshit Mahajan	af573353d3	Merge "Adding sepolicy rules for CrashRecoveryProperties" into main am: `fedcb415a7` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2931990 Change-Id: I79bfa1189aaa4406021d86101e4ac1ec4605c1fd Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-02-01 21:26:19 +00:00
Dan Shi	0ad6f6bdd6	Revert "audio: Provide a default implementation of IHalAdapterVe..." Revert submission 2929484-fix-b-321651892-ihaladapter Reason for revert: possible cause of b/323385784 Reverted changes: /q/submissionid:2929484-fix-b-321651892-ihaladapter Change-Id: I9664f8f9dd6eec159be7fbf3b148a12d44cef582	2024-02-01 19:32:34 +00:00
Alan Stokes	aeab04ffcd	Suppress spurious ipc_lock denials When running a VM from a root shell (e.g. via vm_shell), we see frequent ipc_lock denials: avc: denied { ipc_lock } for comm="crosvm" capability=14 scontext=u:r:crosvm:s0 tcontext=u:r:crosvm:s0 tclass=capability permissive=0 These don't appear for non-root crosvm, and don't prevent the VM from working. Suppress them to reduce log spam. Test: Run vm_shell Change-Id: I3b68ca9e3f15709a1f0fce285ba8916419ee82e8	2024-02-01 17:01:20 +00:00
Mikhail Naganov	c301f8ef3d	Merge "audio: Provide a default implementation of IHalAdapterVendorExtension" into main	2024-02-01 16:48:06 +00:00
Harshit Mahajan	7740a47b34	Revert^2 "Adding sepolicy rules for CrashRecoveryProperties" This reverts commit `f76b3cf07a`. Reason for revert: This part is not causing failures Change-Id: I3c01877f7473f35552e43433c069664276a99067	2024-02-01 13:00:46 +00:00
Bubble Fang	e12fc98b59	Merge "Revert "Adding sepolicy rules for CrashRecoveryProperties"" into main	2024-02-01 08:44:38 +00:00
Bubble Fang	f76b3cf07a	Revert "Adding sepolicy rules for CrashRecoveryProperties" Revert submission 2931990-cr-sysprop Reason for revert: Causing CTS fail at b/323272250 b/323278067 b/323284822 Reverted changes: /q/submissionid:2931990-cr-sysprop Change-Id: I41c3804cb5b6e0aff0cc8e90995d0e65888c7988	2024-02-01 06:42:28 +00:00
Treehugger Robot	bb1c62ca16	Merge "Use /proc/device-tree for reading AVF DT" into main	2024-02-01 03:21:18 +00:00
Jaewan Kim	2141ad5877	Use /proc/device-tree for reading AVF DT Although /proc/device-tree is symlink to /sys/firmware/devicetree/base, /proc/device-tree is the stable API but the absolute path may be changed in the future. Bug: 322465386 Test: atest CustomPvmfwHostTestCases Change-Id: I81cbe8a4dddbac97e4fb94e6684d2a91127f3378	2024-02-01 01:53:59 +00:00
Harshit Mahajan	fedcb415a7	Merge "Adding sepolicy rules for CrashRecoveryProperties" into main	2024-02-01 00:59:34 +00:00
Haining Chen	c269e3acee	Merge "Add sepolicy for adaptive auth service" into main am: `2b8ddb7d7c` Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2926551 Change-Id: Ib7efb0b61d4a558fc80c7f716988966446cb4ef0 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-01-31 20:36:46 +00:00
Haining Chen	2b8ddb7d7c	Merge "Add sepolicy for adaptive auth service" into main	2024-01-31 19:58:26 +00:00
Yuyang Huang	d367ea8e6a	Add system property bluetooth.sco.managed_by_audio Bug: 294134504 Test: m . Change-Id: Ieab490d5a508beb6440751b8a0ac28b0e3e2c1bb	2024-01-31 18:10:18 +00:00
Harshit Mahajan	3e37acd48f	Adding sepolicy rules for CrashRecoveryProperties Restricting that properties can only be written by platform and module. It will be read and written from init and sytem_server. Bug: b/289203818 Test: m Change-Id: Ie6b44d1222ec1a9fbfc9b90e0455588f9defe848	2024-01-31 12:52:10 +00:00
Hansen Kurli	ff6cb347be	Remove all sepolicy relating to ppp/mtp. Legacy VPNs are removed, including the usage of mtpd/pppd. Only the type ppp and mtp remain as there are usages elsewhere. Bug: 161776767 Test: m, presubmit Change-Id: I556b0daa55f9ea7bf844f6a52d10dda02e324ee0	2024-01-30 17:46:49 +08:00
Xin Li	b96adcf722	Merge Android 24Q1 Release (ab/11220357) Bug: 319669529 Merged-In: Ia3c8bcddaed44d4dd03df6d504fecb61d999cbec Change-Id: Iefabaeb2456a31cd008f6ccb6b4e924c87dc2f65	2024-01-29 13:06:50 -08:00
Alan Stokes	31b6d34f6b	Merge "crosvm doesn't need IPC_LOCK" into main	2024-01-29 09:19:43 +00:00
Treehugger Robot	14d7483a93	Merge "Allow system_server to find hal_bluetooth with service_manager" into main	2024-01-29 08:48:23 +00:00
Ted Wang	fb2d929c48	Allow system_server to find hal_bluetooth with service_manager Bug: 322731389 Test: make and check if there is avc denied. Change-Id: Ifb0fef383c42e7b6045dfa4ff9240ef2315be2f1	2024-01-29 07:31:57 +00:00
Mikhail Naganov	00c2fedc5a	audio: Provide a default implementation of IHalAdapterVendorExtension This service is used by the audio server for translating between legacy string KV pairs and AIDL vendor parameters. It resides on the system_ext partition. Since it has to be implemented by every SoC vendor, provide an example implementation. This example service is added to CF and GSI system_ext. Vendors can use their own names and policy labels, the only thing that the audio server depends on is the AIDL interface. There is no fuzzer for this service because the example implementation only contains trivial code (interface methods are stubbed out). Bug: 321651892 Test: atest audiorouting_tests Change-Id: I8ab922660a30ffd44772987204ac4a28c1007c66	2024-01-26 15:35:51 -08:00
Youngtae Cha	0d106f832c	Merge "Setting up SELinux policy for TelephonyCofnig" into main	2024-01-26 15:37:46 +00:00
Alan Stokes	bc12bccd8f	crosvm doesn't need IPC_LOCK crosvm calls mlock. It used to need this capability, but now we remove the rlimit (in Virtualization Manager via Virtualization Service) so it no longer needs it and in fact is no longer granted it. (This was previously removed in commit `88f98d96da`, but accidentally re-introduced in commit 88f98d96dae3fb2616e93969685cbd737c364a0f.) Bug: 322197421 Test: atest MicrodroidTests Change-Id: I091170d0cb9b5617584b687e7f24cff153e06c85	2024-01-26 12:03:02 +00:00
Hansen Kurli	59bd48484b	Merge "Remove all sepolicy relating to racoon" into main	2024-01-26 09:48:22 +00:00
Andrea Zilio	410b2ae5fd	Enable system server to read pm.archiving.enabled system property, as system server will need this check to have the archiving feature during testing. Change-Id: Ia75f3ea0570075e9600548e24e42f17a783187ba Bug: 321730881 Test: Presubmit	2024-01-26 01:50:27 +00:00
Kangping Dong	943f869f1b	Merge "Add sepolicy for the Thread Network property" into main	2024-01-25 09:39:13 +00:00
Haining Chen	982295a6af	Add sepolicy for adaptive auth service Bug: 285053096 Test: m -j Change-Id: I549de0536071ff5622c54e86927b1f20dab9d007	2024-01-24 15:47:14 -08:00
Kangping Dong	75f527a74e	Merge "[Thread] move ot-daemon socket to /dev/socket/ot-daemon" into main	2024-01-24 10:08:28 +00:00
Jay Sullivan	895bf9d99c	Merge "[ECM] Update SELinux policy for EnhancedConfirmationService" into main	2024-01-23 23:19:40 +00:00
Jay Thomas Sullivan	4e57c74f29	[ECM] Update SELinux policy for EnhancedConfirmationService EnhancedConfirmationService is a new SystemService. These changes are required before the service will boot. Bug: 321053639 Change-Id: I15a4004ca57deb5c6f8757913c1894ba0ced399d	2024-01-23 23:15:16 +00:00
Roshan Pius	d41b0a66fe	Merge "sepolicy(nfc): Changing selinux policy for signed NFC APK" into main	2024-01-22 22:45:48 +00:00
Kangping Dong	0d6679a410	[Thread] move ot-daemon socket to /dev/socket/ot-daemon On Android, unix sockets are located in /dev/socket/ and managed by init. This commit follows the convention for ot-daemon Bug: 320451788 Test: verified that ot-daemon can create socket /dev/socket/ot-daemon/thread-wpan.sock Change-Id: I6b0fe45602bb54d6d482f5be46ddb5402bea477b	2024-01-23 00:00:01 +08:00
Maciej Żenczykowski	37ca69e5c8	sepolicy: allow netutils_wrapper access to fs_bpf_vendor This is needed to allow vendor xt_bpf programs. Test: TreeHugger Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: I7ff8a0319bec2f3a57c7ce48939b13b2fca182de	2024-01-20 23:56:37 +00:00
Alice Wang	7a3d15416e	Merge "[attestation] Allow virtualizationservice to retrieve keys" into main	2024-01-20 12:19:21 +00:00

1 2 3 4 5 ...

10452 commits