tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
38919 commits 1 branch 0 tags 50 MiB
Commit graph

38919 commits

This branch
This branch
All branches
Author SHA1 Message Date
SzuWei Lin
b540e93de2 Merge "Set up sepolicy for mediaserver64" am: 5d24b9a14d 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2144720

Change-Id: I7a144eb156c3247102f47ce24d707ed882021d24
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-14 00:38:17 +00:00
SzuWei Lin
5d24b9a14d Merge "Set up sepolicy for mediaserver64" 2022-07-14 00:20:03 +00:00
Nikita Ioffe
0fd6e24297 Add apexd.config.loop_wait.attempts sysprop to sepolicy 
Also mark all apexd.config. properties to be apexd_config_prop

Bug: 237955261
Test: m
Change-Id: I93a9e1b450426ebe7cd11c87a9586697dc76a70e
 2022-07-13 12:31:18 +01:00
Inseob Kim
fa4c5bff42 Allow microdroid_manager to stop tombstoned 
If export_tombstones is false, leaving tombstoned running has no
meaning. However, we still can't selectively start tombstoned, because
post-fs-data happens eariler than config parsing. Thus, this change
allows microdroid_manager to stop tombstoned on demand.

Bug: 236588647
Test: atest MicrodroidTests
Change-Id: I813fe667f3394bdd234e204f3d35a27f3a182cb2
 2022-07-13 18:59:50 +09:00
Treehugger Robot
c383817add Merge "Added properties for rebootless apex install" am: be031287e4 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2147819

Change-Id: Iac6f20e59f2924248892657c74525034ce1b3c95
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-13 04:20:59 +00:00
Treehugger Robot
be031287e4 Merge "Added properties for rebootless apex install" 2022-07-13 04:04:20 +00:00
Xin Li
e4d55178d5 DO NOT MERGE - Merge TP1A.220624.013 
Merged-In: Ibb00b7c470a4cb148cfdcfb6b147edde45e49b1a
Change-Id: Id8badc87768f66197ccaf2642f34fb2dc69e23df
 2022-07-11 21:47:46 -07:00
Siarhei Vishniakou
5fc093f370 Allow dumping of InputProcessor HAL am: 889d8aa9a7 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2147322

Change-Id: I35913c59f0c1708ab59676534e964b26a798b9fc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-11 19:26:56 +00:00
Siarhei Vishniakou
889d8aa9a7 Allow dumping of InputProcessor HAL 
In order to see the HAL state in bugreports, we need to allow the HAL to
write to file where the dump is going.

Bug: 237233372
Test: adb shell dumpsys android.hardware.input.processor.IInputProcessor/default
Change-Id: Idf78269e4ee9798c078ac3b7ee4f375515d7aadc
 2022-07-11 18:33:54 +00:00
sandrom
105435e426 Add seamendc binary am: b246b1dc35 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2104345

Change-Id: Ibff2cb00ee19bce4b9ab68909e51564c51cf9f9a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-11 11:30:19 +00:00
sandrom
b246b1dc35 Add seamendc binary 
Bug: 236691128
Test: adb shell seamendc -b <binary_policy> -o <output_policy> <test.cil> <test-redefinitions.cil>

Change-Id: Id51271e89261a2a612cf25e7b56147d5931c76f9
 2022-07-11 09:23:52 +00:00
SzuWei Lin
994195359f Set up sepolicy for mediaserver64 
Add mediaserver(32|64) for supporting 64-bit only devices. The patch is
for setting up the sepolicy for mediaserver(32|64).

Bug: 236664614
Test: make gsi_arm64-user; Check the sepolicy
Change-Id: I61c69588b84305b9863a72b5a466d4185f7f1958
 2022-07-11 16:18:55 +08:00
Siarhei Vishniakou
a50b672979 Allow dumpstate to get traces in api 33.0 am: 1579b37a19 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2147164

Change-Id: I04ac37c45b645ef51d0b04f321de743db932f3cb
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-08 16:05:54 +00:00
Inseob Kim
202fe3c2d6 microdroid: Remove redundant dontaudit from shell 
Bug: 238135989
Test: atest MicrodroidHostTestCases
Change-Id: Ia74ee40e952ffc3bf18e1ff890efcff5219ef33a
 2022-07-08 08:56:16 +00:00
Siarhei Vishniakou
1579b37a19 Allow dumpstate to get traces in api 33.0 
In order to debug the HAL getting stuck, dumpstate needs permission to
dump its traces. In this CL, we update the api 33.0 accordingly.

Bug: 237347585
Bug: 237322365
Test: m sepolicy_freeze_test
Change-Id: I5096f52358880e3c10657e5aae9ead1723cc9fa9
Merged-In: I5096f52358880e3c10657e5aae9ead1723cc9fa9
 2022-07-08 06:55:44 +00:00
Jooyung Han
ccfb0ef146 Added properties for rebootless apex install 
When apexd installs an apex without reboot, init also need to do some
work around the installation (e.g. terminating services from the apex
and remove data read from the apex and updating linker configuration
etc)

Apexd sets control properties to unload and load apex and init notifies
the completion with state properties.

These new properties are supposed to be used by apexd/init interaction.

Bug: 232114573
Bug: 232173613
Test: CtsStagedInstallHostTestCases
Test: CtsInitTestCases
Change-Id: I5af6b36310f3c81f1cd55537473e54756541d347
 2022-07-08 12:12:45 +09:00
Android Build Coastguard Worker
6f6029407a Merge cherrypicks of [19149566] into tm-release. 
Change-Id: If83579ef0c9dbe3bfefc10d6af77ec60642b2833
 2022-07-08 00:19:45 +00:00
Jeff Vander Stoep
e1189a7aa7 Allow all Apps to Recv UDP Sockets from SystemServer 
Access to this functionality is gated elsewhere e.g. by
allowing/disallowing access to the service.

Bug: 237512474
Test: IpSecManagerTest
Test: Manual with GMSCore + PPN library
Ignore-AOSP-First: It's a CP of aosp/2143512
Change-Id: Ibb00b7c470a4cb148cfdcfb6b147edde45e49b1a
(cherry picked from commit 6ae09a4609)
Merged-In: Ibb00b7c470a4cb148cfdcfb6b147edde45e49b1a
 2022-07-08 00:19:26 +00:00
Treehugger Robot
163fb597fd Merge "crash_dump: Update prebuilts for API 33" am: 355ecc995e 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2145179

Change-Id: I916144a02848d952d70b6fd25889c4d5ff48084b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-07 16:47:36 +00:00
Treehugger Robot
355ecc995e Merge "crash_dump: Update prebuilts for API 33" 2022-07-07 16:33:48 +00:00
David Brazdil
707cad8692 crash_dump: Update prebuilts for API 33 
Bug: 236672526
Test: n/a
Merged-In: I49571dcfdd9c194101cc929772fa15463609fa8c
Change-Id: I49571dcfdd9c194101cc929772fa15463609fa8c
 2022-07-07 15:17:20 +00:00
Thiébaud Weksteen
5ce2e0e243 Merge "Revert "Remove key migration related changes"" am: febedf5a42 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2147821

Change-Id: Ib0679d31928a4c09300cdfbe0dd03dd08ff084db
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-07 09:01:59 +00:00
Thiébaud Weksteen
febedf5a42 Merge "Revert "Remove key migration related changes"" 2022-07-07 08:43:54 +00:00
Thiébaud Weksteen
f412c13a02 Revert "Remove key migration related changes" 
This reverts commit 65dcdf2921.

Reason for revert: broken internal target 

Change-Id: Idf57285d95f5466dfa3af08230af4c8f9d76326c
 2022-07-07 08:40:23 +00:00
Thiébaud Weksteen
3d242f752a Merge "Remove key migration related changes" am: c3cb5a25e3 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2134299

Change-Id: I79a4e7aeaa3a5f05a40332c1cbff8bda093529f5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-07 04:32:15 +00:00
Thiébaud Weksteen
c3cb5a25e3 Merge "Remove key migration related changes" 2022-07-07 04:13:22 +00:00
Android Build Coastguard Worker
0930ade2ea Merge cherrypicks of [19143810, 19133814] into tm-release. 
Change-Id: I570c7d844c90c1b2bb7cb1086829c93d7a88c665
 2022-07-07 03:05:58 +00:00
Ryan Savitski
e1c2d9941e Revert system app/process profileability on user builds 
Please see bug for context.

This reverts commits:
* 6111f0cfc8
* bb197bba02
* 20d0aca7e6

And updates prebuilts/api/33.0 accordingly.

Bug: 217368496
Tested: redfin-user and barbet-userdebug: build+flash+boot;
        manual test of typical profiling (heap and perf);
        atest CtsPerfettoTestCases.
Change-Id: If7fcf3d5a2fdb1a48dcaf8ef8f97e8375d461e61
Merged-In: If7fcf3d5a2fdb1a48dcaf8ef8f97e8375d461e61
(cherry picked from commit babba5e83b)
(cherry picked from commit c592577fb2)
Merged-In: If7fcf3d5a2fdb1a48dcaf8ef8f97e8375d461e61
 2022-07-07 03:05:00 +00:00
Thiébaud Weksteen
a089864e82 Ignore access to /sys for dumpstate 
avc: denied { read } for name="stat" dev="sysfs" ino=26442
scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file
permissive=0

Bug: 236566714
Test: TH
Change-Id: Id4e781908573607b28782fbb2da7cd553d6826fe
(cherry picked from commit 5e8a384f5a)
Merged-In: Id4e781908573607b28782fbb2da7cd553d6826fe
(cherry picked from commit 2e23fa2c99)
Merged-In: Id4e781908573607b28782fbb2da7cd553d6826fe
 2022-07-07 03:04:54 +00:00
Treehugger Robot
e36b5af694 Merge "Allow dumpstate to get InputProcessor traces" am: 2a3c76f09f 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2147021

Change-Id: I3e975e341d719997c4d1e269e8159534babc62fc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-06 19:14:02 +00:00
Treehugger Robot
2a3c76f09f Merge "Allow dumpstate to get InputProcessor traces" 2022-07-06 18:58:22 +00:00
Mitch Phillips
064be20ec5 Add API level 33 persistent GWP-ASan Sysprop 
Looks like this is needed for TM.

Bug: 236738714
Test: atest bionic-unit-tests && presubmit ag/19136924 PS#3
Change-Id: Ida26db898f2edaddce67ae13a5859115126a18cb
 2022-07-06 16:21:52 +00:00
Siarhei Vishniakou
c982ef878d Allow dumpstate to get InputProcessor traces 
When the InputProcessor HAL is getting dumped, allow the dumpstate
process to trigger the trace collection.

In the future, we will also add a 'dump' facility to this HAL.

Bug: 237347585
Bug: 237322365
Test: adb bugreport
Change-Id: Iecc525c212c1b899962a032df9643bdd8b0dcdb6
 2022-07-06 08:28:50 -07:00
Inseob Kim
3f0ea4ffde Make logd and logcat bootstrappable 
Because we want to collect early kernel logs, before apexd is run.

Bug: 236451404
Test: atest MicrodroidTests
Change-Id: Id84f5b36df00394eb3444fdef5654c6ec0759faf
 2022-07-06 14:51:28 +09:00
Treehugger Robot
dbd0da73ba Merge "Revert system app/process profileability on user builds" am: 829acbee3a 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2142152

Change-Id: Idf3f36723d703f55141b97aaa0605194283d723e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-04 15:56:18 +00:00
Treehugger Robot
829acbee3a Merge "Revert system app/process profileability on user builds" 2022-07-04 15:41:08 +00:00
Treehugger Robot
06f721e8de Merge "Allow all Apps to Recv UDP Sockets from SystemServer" am: c37a39c26d 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2143512

Change-Id: I214835a158c7851bb5971fe0fcf90cb1d8fb7fc2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-04 08:30:12 +00:00
Treehugger Robot
c37a39c26d Merge "Allow all Apps to Recv UDP Sockets from SystemServer" 2022-07-04 08:21:47 +00:00
Treehugger Robot
400465d53a Merge "selinux: allow bpfloader bpffs_type:file getattr" am: e6bd93d6b6 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2143115

Change-Id: I7af7bc511f0b4373e07d34a70fafc475fb44fd6c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-04 08:21:10 +00:00
Treehugger Robot
e6bd93d6b6 Merge "selinux: allow bpfloader bpffs_type:file getattr" 2022-07-04 07:51:45 +00:00
David Brazdil
9a394805ac crash_dump: Remove permission to dump crosvm am: 28b34f1bca 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2143613

Change-Id: Ie6e57d2bf703384593c037d72de843586cb4dc33
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-07-04 07:45:09 +00:00
Maciej Żenczykowski
1fcf7c8e7e selinux: allow bpfloader bpffs_type:file getattr 
(to be able to stat() nodes in /sys/fs/bpf)

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ic71ebea683844a8d5ac0b542da815bae2816973a
 2022-07-02 02:02:51 -07:00
David Brazdil
28b34f1bca crash_dump: Remove permission to dump crosvm 
A crosvm instance running a protected VM contains a memory mapping of
the VM's protected memory. crash_dump can trigger a kernel panic if it
attaches to such crosvm instance and tries to dump this memory region.

Until we have a means of excluding only the protected memory from
crash_dump, prevent crash_dump from dumping crosvm completely by taking
away its SELinux permission to ptrace crosvm.

Bug: 236672526
Test: run 'killall -s SIGSEGV crosvm' while running crosvm
Change-Id: I6672746c479183cc2bbe3dce625e5b5ebcf6d822
 2022-07-01 17:30:54 +01:00
Ryan Savitski
babba5e83b Revert system app/process profileability on user builds 
Please see bug for context.

This reverts commits:
* 6111f0cfc8
* bb197bba02
* 20d0aca7e6

And updates prebuilts/api/33.0 accordingly.

Bug: 217368496
Tested: builds successfully (barbet-userdebug)
Change-Id: If7fcf3d5a2fdb1a48dcaf8ef8f97e8375d461e61
 2022-07-01 12:41:01 +00:00
Jeff Vander Stoep
7295721417 Allow all Apps to Recv UDP Sockets from SystemServer 
Access to this functionality is gated elsewhere e.g. by
allowing/disallowing access to the service.

Bug: 237512474
Test: IpSecManagerTest
Test: Manual with GMSCore + PPN library
Change-Id: Ibb00b7c470a4cb148cfdcfb6b147edde45e49b1a
 2022-07-01 12:41:28 +01:00
Xin Li
03efcb5695 Merge "Merge tm-dev-plus-aosp-without-vendor@8763363" into stage-aosp-master 2022-06-29 21:21:45 +00:00
Mitch Phillips
c854d0d9da Merge "Add persistent gwp-asan sysprops" am: 038018e113 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2133021

Change-Id: Ia47cb44e9340eaaae9f22d98a1c00fc98bb26650
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
 2022-06-29 21:17:11 +00:00
Mitch Phillips
038018e113 Merge "Add persistent gwp-asan sysprops" 2022-06-29 20:56:56 +00:00
Siim Sammul
252a0502c8 Allow creating /data/tombstones files by system_server. 
Needed for ag/18773746

Bug: 225173288
Test: atest ErrorsTest +  manual
Change-Id: I31bab12a59babd9a197cfb03d2417b926e60af84
 2022-06-29 15:07:01 +00:00
Xin Li
b347e9fd52 Merge tm-dev-plus-aosp-without-vendor@8763363 
Bug: 236760014
Merged-In: I036e48530e37f7213a21b250b858a37fba3e663b
Change-Id: Ic7d4432aea1d37546d342df3e2157b9dc8207770
 2022-06-27 23:40:18 +00:00