tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public
History
Dennis Shen 6c8210da20 selinux setup for files under /metadata/aconfig dir 
1, /metadata/aconfig is the directory that stores aconfig storage
related protobuf files and flag value files boot copy. Grant read
access to everybody. But limit the write access only to init and
aconfig storage service process (to be created later)

2, /metadata/aconfig/flags is the sub directory that stores persistent
aconfig value files.Initially set it up to be accessible by
system_server process only . When aconfig storage service process is
created, will add another permission to storage service process.

Context to why we are hosting flag data on /metadata partition:

Android is adopting trunk stable workflow, flagging and A/B testing is
essential to every platform component. We need some place to host the
flag that are accessible to system processes that starts before /data
partition becomes available.

In addition, there has been a long discussion regarding utilizing
/metadata partition for some process data, another example is mainline
modules, we are trying to make them to be able to be mounted earlier,
but cannot due to /data availability.

Bug: 312444587
Test: m
Change-Id: I7e7dae5cf8c4268d71229c770af31b5e9f071428
2024-02-14 17:56:29 +00:00
..
adbd.te Add shell_test_data_file for /data/local/tests 2020-09-01 11:17:19 -07:00
aidl_lazy_test_server.te
apexd.te Revert "Allow vold_prepare_subdirs to use apex_service" 2023-08-11 15:34:44 +00:00
app.te Allow isolated to read staged apks 2023-12-17 23:46:04 +00:00
app_zygote.te
artd.te Update SELinux policy for app compilation CUJ. 2022-07-29 14:07:52 +00:00
asan_extract.te asan_extract: add system_file_type to asan_extract_exec 2020-05-06 13:25:28 -07:00
atrace.te Make AIDL HAL client attribute an exclusive client. 2020-09-11 00:02:00 +00:00
attributes Revert^4 "[avf][rkp] Allow virtualizationservice to register RKP HAL" 2023-11-22 08:21:27 +00:00
audioserver.te Allow audioserver to access sensorservice 2021-09-08 11:44:11 -07:00
blkid.te
blkid_untrusted.te
bluetooth.te
bootanim.te remount: allow bootanimation to run animation from oem 2024-02-09 16:09:05 +01:00
bootstat.te Enable incidentd access to ro.boot.bootreason 2020-04-22 17:55:18 +00:00
bpfloader.te Allow BPF programs from vendor. 2022-02-08 22:46:54 +00:00
bufferhubd.te
camera_service_server.te
cameraserver.te Policy for virtual_camera 2023-07-25 19:27:48 +00:00
charger.te Add charger_type. 2021-11-05 18:44:04 -07:00
charger_type.te Add charger_type. 2021-11-05 18:44:04 -07:00
charger_vendor.te Add sepolicies to allow hal_health_default to load BPFs. 2022-03-21 12:54:49 -07:00
crash_dump.te Allow crash_dump to read from /data/local/tests. 2021-09-09 14:49:36 -07:00
credstore.te Add get_auth_token permission to allow credstore to call keystore2. 2021-03-12 20:32:06 +00:00
device.te Allow system_server access to hidraw devices. 2023-11-30 23:33:55 +00:00
dhcp.te sepolicy: rules for uid/pid cgroups v2 hierarchy 2021-02-11 23:40:38 +00:00
display_service_server.te
dnsmasq.te Remove all module_request rules 2023-08-22 16:56:04 +00:00
domain.te selinux setup for files under /metadata/aconfig dir 2024-02-14 17:56:29 +00:00
drmserver.te Add fusefs_type for FUSE filesystems 2021-06-28 13:18:46 +02:00
dumpstate.te Secretkeeper/Sepolicy: Create required domains 2023-11-21 12:29:18 +00:00
e2fs.te Give vold permission to wipe a block device 2023-08-02 14:27:08 -07:00
ephemeral_app.te
evsmanagerd.te Revert^2 "Adds a sepolicy for EVS manager service" 2022-02-10 17:21:14 +00:00
extra_free_kbytes.te Allow init to execute extra_free_kbytes.sh script 2021-08-17 17:02:38 +00:00
fastbootd.te Remove all module_request rules 2023-08-22 16:56:04 +00:00
file.te selinux setup for files under /metadata/aconfig dir 2024-02-14 17:56:29 +00:00
fingerprintd.te Stop granting permissions on keystore_key class 2023-10-16 22:22:54 +00:00
flags_health_check.te Move system property rules to private 2020-03-18 16:46:04 +00:00
fsck.te Allow mkfs/fsck for zoned block device 2023-01-17 17:59:28 -08:00
fsck_untrusted.te Adds support for fuseblk binaries. 2023-02-02 15:32:39 +01:00
gatekeeperd.te Stop granting permissions on keystore_key class 2023-10-16 22:22:54 +00:00
global_macros
gmscore_app.te
gpuservice.te
hal_allocator.te
hal_atrace.te
hal_audio.te Allow STHAL to read model params from system 2023-02-22 03:27:29 +00:00
hal_audiocontrol.te hal_audiocontrol: use hal_attribute_service 2020-12-23 01:26:58 +00:00
hal_authgraph.te Add sepolicy for non-secure AuthGraph impl 2023-10-26 02:00:43 +00:00
hal_authsecret.te Add sepolicy for authsecret AIDL HAL 2021-01-12 06:01:22 +00:00
hal_bluetooth.te sepolicy: Add Bluetooth AIDL 2022-12-02 13:08:26 -08:00
hal_bootctl.te Add proper permission for AIDL bootcontrol server 2022-06-22 13:38:01 -07:00
hal_broadcastradio.te Applying new IBroadcastRadio AIDL 2022-09-21 23:17:20 +00:00
hal_camera.te System wide sepolicy changes for aidl camera hals. 2022-02-08 09:37:17 +00:00
hal_can.te binder_call should be binder_use 2022-12-13 17:38:33 +00:00
hal_cas.te Allow CAS AIDL sample HAL 2022-10-12 19:42:20 +05:30
hal_codec2.te Allow hal_codec2_server to read fifo_file from non-isolated apps 2024-01-13 00:56:39 +00:00
hal_configstore.te Merge "Adds support for fuseblk binaries." 2023-02-17 15:15:31 +00:00
hal_confirmationui.te hidl2aidl: sepolicy changes for confirmationui aidl 2022-09-23 19:00:15 +00:00
hal_contexthub.te Context Hub stable AIDL sepolicy 2021-08-10 22:06:43 +00:00
hal_drm.te Add system property persist.drm.forcel3.enabled 2023-10-26 22:16:49 +00:00
hal_dumpstate.te hal_dumpstate service is now AIDL service 2023-09-20 10:53:03 +09:00
hal_evs.te Revert^2 "Updates sepolicy for EVS HAL" 2022-02-10 17:21:54 +00:00
hal_face.te Accept binder calls from servicemanger 2023-09-08 16:02:05 -04:00
hal_fastboot.te Fastboot AIDL Sepolicy changes 2022-11-09 22:21:27 +00:00
hal_fingerprint.te Allow servicemanager to make binder call to hal_fingerprint 2023-02-09 22:02:29 +00:00
hal_gatekeeper.te hidl2aidl: conversion of gatekeeper hidl to aidl 2022-09-19 17:43:26 +00:00
hal_gnss.te Allow servicemanager to make binder calls to gnss 2023-05-01 14:38:21 -07:00
hal_graphics_allocator.te Add hal_graphics_mapper_service type 2024-02-05 18:14:53 +09:00
hal_graphics_composer.te Adds GPU sepolicy to support devices with DRM gralloc/rendering 2022-04-18 17:30:56 -07:00
hal_health.te Add search in bpf directory for bpfdomains 2022-03-21 17:31:17 -07:00
hal_health_storage.te Allow health storage HAL to read default fstab 2021-04-15 12:44:24 +08:00
hal_identity.te Make AIDL HAL client attribute an exclusive client. 2020-09-11 00:02:00 +00:00
hal_input_classifier.te
hal_input_processor.te Allow dumping of InputProcessor HAL 2022-07-11 18:33:54 +00:00
hal_ir.te Add policy for new AIDL IR hal 2021-12-16 20:24:27 +00:00
hal_ivn.te Define sepolicy for ivn HAL. 2023-04-10 17:42:51 -07:00
hal_keymaster.te
hal_keymint.te Limit special file permissions to the keymint server domain 2022-11-03 05:30:01 +00:00
hal_light.te Make AIDL HAL client attribute an exclusive client. 2020-09-11 00:02:00 +00:00
hal_lowpan.te
hal_macsec.te SEPolicy for AIDL MACSEC HAL 2023-11-03 21:29:48 +00:00
hal_memtrack.te Reland: Memtrack HAL stable aidl sepolicy 2020-12-22 16:08:53 -05:00
hal_neuralnetworks.te Add gpu_device access to hal_neuralnetworks 2022-05-12 21:01:45 +00:00
hal_neverallows.te Merge "sepolicy: Grant hal_bluetooth_server to access tcp sockets" into main 2024-02-01 10:07:34 +00:00
hal_nfc.te Add hal_nfc_service 2022-01-20 03:48:57 +00:00
hal_nlinterceptor.te Give Netlink Interceptor route_socket perms 2021-12-01 04:08:19 +00:00
hal_oemlock.te Add sepolicy for oemlock aidl HAL 2021-01-11 05:57:17 +00:00
hal_omx.te Allow binder services to r/w su:tcp_socket 2021-06-08 10:39:02 -07:00
hal_power.te Make AIDL HAL client attribute an exclusive client. 2020-09-11 00:02:00 +00:00
hal_power_stats.te sepolicy: allow hal_power_stats_client to access IPowerStats AIDL 2021-03-08 22:19:47 +00:00
hal_rebootescrow.te Make AIDL HAL client attribute an exclusive client. 2020-09-11 00:02:00 +00:00
hal_remoteaccess.te Create selinux policy for remoteaccess HAL. 2022-09-20 18:09:49 -07:00
hal_remotelyprovisionedcomponent_avf.te Revert^4 "[avf][rkp] Allow virtualizationservice to register RKP HAL" 2023-11-22 08:21:27 +00:00
hal_secretkeeper.te Allow for ISecretkeeper/default 2023-12-05 14:33:47 +00:00
hal_secure_element.te sepolicy for SE HAL 2022-11-15 22:41:09 +00:00
hal_sensors.te Sensors stable AIDL HAL sepolicy 2021-10-15 17:39:56 +00:00
hal_telephony.te Remove all module_request rules 2023-08-22 16:56:04 +00:00
hal_tetheroffload.te Update SEPolicy for Tetheroffload AIDL 2023-01-04 11:28:47 +08:00
hal_thermal.te Update SEPolicy for Thermal AIDL 2022-10-05 00:55:20 +00:00
hal_threadnetwork.te Add sepolicy rules for Thread Network HAL 2023-06-30 10:56:38 +08:00
hal_tv_cec.te
hal_tv_hdmi_cec.te HDMI: Refactor HDMI packages 2022-12-27 18:15:26 +05:30
hal_tv_hdmi_connection.te HDMI: Refactor HDMI packages 2022-12-27 18:15:26 +05:30
hal_tv_hdmi_earc.te HDMI: Refactor HDMI packages 2022-12-27 18:15:26 +05:30
hal_tv_input.te TV Input HAL 2.0 sepolicy 2022-08-25 14:31:49 -07:00
hal_tv_tuner.te Allow Tuner AIDL sample HAL. 2021-07-26 11:35:18 -07:00
hal_usb.te Add selinux rules for android.hardware.usb.IUsb AIDL migration 2022-01-20 23:03:26 +00:00
hal_usb_gadget.te Add selinux permissions for ro.usb.uvc.enabled 2023-01-31 11:17:50 -08:00
hal_uwb.te Allow uwb HAL client/server to talk to service manager 2021-08-28 00:01:59 +00:00
hal_vehicle.te Add hal_vehicle_service for AIDL VHAL service. 2021-12-07 22:23:50 -08:00
hal_vibrator.te Add fwk_vibrator_control_service 2023-11-21 20:59:48 +00:00
hal_vr.te
hal_weaver.te Add sepolicy for weaver aidl HAL service 2021-01-22 06:34:41 +00:00
hal_wifi.te Fix SE policy violation of Wi-Fi vendor AIDL service 2023-03-03 02:10:50 +00:00
hal_wifi_hostapd.te Add rule to allow servicemanager to call 2022-02-08 18:00:15 +00:00
hal_wifi_supplicant.te Remove all module_request rules 2023-08-22 16:56:04 +00:00
healthd.te Remove healthd. 2021-10-20 18:47:41 -07:00
heapprofd.te
hwservice.te Revert "Add sepolicies for CPU HAL." 2022-11-09 16:47:07 +00:00
hwservicemanager.te Move system property rules to private 2020-03-18 16:46:04 +00:00
idmap.te Remove the last traces of idmap (replaced by idmap2) 2022-06-10 12:58:21 +02:00
incident.te
incident_helper.te
incidentd.te
init.te Mount /tmp as tmpfs. 2023-12-15 16:46:46 -08:00
inputflinger.te sepolicy: rules for uid/pid cgroups v2 hierarchy 2021-02-11 23:40:38 +00:00
installd.te Allow vendor_overlay_file from vendor apex 2023-06-09 13:43:11 +09:00
ioctl_defines Allow vold to use FS_IOC_GET_ENCRYPTION_KEY_STATUS 2023-02-23 00:49:42 +00:00
ioctl_macros sepolicy: allow new BINDER_GET_EXTENDED_ERROR ioctl 2022-05-10 04:20:09 +00:00
isolated_app.te
isolated_compute_app.te Move isolated_compute_app to be public 2023-04-20 05:39:29 +00:00
kernel.te Allow kernel to write to shell_data_file loop devices in userdebug builds. 2022-07-20 11:43:20 -07:00
keystore.te Remove RemoteProvisioner and remoteprovisioning services 2023-03-14 15:45:35 -07:00
keystore_keys.te Keystore 2.0: Add wifi namespace to sepolicy. 2021-02-09 08:28:45 -08:00
llkd.te
lmkd.te sepolicy: rules for uid/pid cgroups v2 hierarchy 2021-02-11 23:40:38 +00:00
logd.te Merge "strengthen app_data_file neverallows" 2023-05-26 15:32:15 +00:00
logpersist.te compress logcat files 2023-08-25 15:02:34 -07:00
mdnsd.te
mediadrmserver.te
mediaextractor.te Remove TZUvA feature. 2022-06-13 11:45:50 +00:00
mediametrics.te Allow binder services to r/w su:tcp_socket 2021-06-08 10:39:02 -07:00
mediaprovider.te
mediaserver.te Allow communication between mediaserver & statsd 2023-02-01 22:33:28 +00:00
mediaswcodec.te mediaswcodec: Allow getprop for aac drc params 2023-12-12 15:39:55 +00:00
mediatranscoding.te Move mediatranscoding type to public 2021-10-21 09:10:45 +02:00
modprobe.te allow modprobe to load modules from /system/lib/modules/ 2023-05-19 19:03:17 +00:00
mtp.te Remove all sepolicy relating to ppp/mtp. 2024-01-30 17:46:49 +08:00
net.te Blocks untrusted apps to access /dev/socket/mdnsd from U 2023-01-20 15:25:46 +09:00
netd.te Remove all module_request rules 2023-08-22 16:56:04 +00:00
netutils_wrapper.te
network_stack.te
neverallow_macros
nfc.te
otapreopt_chroot.te Use postinstall file_contexts 2021-03-25 00:01:25 +00:00
perfetto.te
performanced.te sepolicy: rules for uid/pid cgroups v2 hierarchy 2021-02-11 23:40:38 +00:00
platform_app.te
postinstall.te
ppp.te Remove all sepolicy relating to ppp/mtp. 2024-01-30 17:46:49 +08:00
priv_app.te
prng_seeder.te Add SEPolicy for PRNG seeder daemon. 2022-11-21 09:32:48 +11:00
profman.te strengthen app_data_file neverallows 2023-05-23 00:01:27 +00:00
property.te Add sepolicy for the Thread Network property 2024-01-15 11:48:20 +08:00
radio.te Add new selinux type for radio process 2020-12-24 15:11:15 +08:00
recovery.te recovery/fastbootd: allow to talk to health HAL. 2021-12-07 16:22:53 -08:00
recovery_persist.te Merge "strengthen app_data_file neverallows" 2023-05-26 15:32:15 +00:00
recovery_refresh.te Merge "strengthen app_data_file neverallows" 2023-05-26 15:32:15 +00:00
remote_provisioning_service_server.te Add permissions for remote_provisioning service 2022-12-06 08:46:20 -08:00
rkpd_app.te Add new appdomain for RKPD mainline app 2022-11-16 12:55:31 -08:00
roles
rootdisk_sysdev.te SELinux policy for /dev/sys/block/by-name/rootdisk 2022-03-16 11:04:39 -07:00
rs.te
rss_hwm_reset.te
runas.te
runas_app.te
scheduler_service_server.te
sdcardd.te Add fusefs_type for FUSE filesystems 2021-06-28 13:18:46 +02:00
secure_element.te
sensor_service_server.te
service.te Merge "SELinux permissions for ProfilingService" into main 2024-02-12 14:22:31 +00:00
servicemanager.te servicemanager: kernel log perms 2022-10-17 21:30:50 +00:00
sgdisk.te Allow sgdisk to use BLKPBSZGET ioctl 2020-05-17 12:32:44 -07:00
shared_relro.te Make shared_relro policy private. 2021-01-05 09:48:10 +00:00
shell.te Disallow watch and watch_reads on apk_data_file for apps 2023-04-25 15:20:45 +02:00
simpleperf.te
simpleperf_app_runner.te simpleperf_app_runner: move rules to private. 2021-06-30 17:24:05 -07:00
slideshow.te
stats_service_server.te Stats: new sepolicy for the AIDL service 2021-02-10 23:48:35 +00:00
statsd.te Allow traced_probes to subscribe to statsd atoms 2023-03-22 19:53:34 +00:00
su.te Secretkeeper/Sepolicy: Create required domains 2023-11-21 12:29:18 +00:00
surfaceflinger.te
system_app.te
system_server.te Allow the shell to disable charging. 2022-01-10 10:36:01 -08:00
system_suspend_internal_server.te sepolicy: Create new attribute to serve ISuspendControlServiceInternal 2021-02-25 18:04:04 +08:00
system_suspend_server.te
te_macros Allow su to access virtualization 2023-12-20 14:55:28 +00:00
tee.te
tombstoned.te
toolbox.te Restrict creating per-user encrypted directories 2022-05-05 04:12:46 +00:00
traced.te Iorapd and friends have been removed 2022-05-18 12:07:39 +02:00
traced_perf.te
traced_probes.te
traceur_app.te Iorapd and friends have been removed 2022-05-18 12:07:39 +02:00
ueventd.te Allow ueventd to access device-mapper. 2023-06-07 08:06:12 -07:00
uncrypt.te uncrypt: allow reading /proc/bootconfig 2021-06-03 21:29:57 +02:00
untrusted_app.te Blocks untrusted apps to access /dev/socket/mdnsd from U 2023-01-20 15:25:46 +09:00
update_engine.te Allow update_engine to read /proc/filesystems 2023-11-08 18:40:12 +00:00
update_engine_common.te Allow update_engine to inotify_add_watch dm-user device nodes. 2022-07-21 12:47:46 -07:00
update_verifier.te Move system property rules to private 2020-03-18 16:46:04 +00:00
usbd.te Add usbd servicemanager permission 2022-12-19 16:16:17 +08:00
userdata_sysdev.te sepolicy: Add label to userdata file node 2021-02-19 07:45:02 +08:00
vdc.te Remove some FDE rules and update comments 2022-04-15 21:06:51 +00:00
vendor_init.te selinux setup for files under /metadata/aconfig dir 2024-02-14 17:56:29 +00:00
vendor_misc_writer.te Add rules for calling ReadDefaultFstab() 2021-03-29 15:23:29 +08:00
vendor_modprobe.te Revert "Revert "Exclude vendor_modprobe from debugfs neverallow restrictions"" 2021-05-04 22:07:08 -07:00
vendor_shell.te sepolicy(hal_wifi): Allow wifi HAL to access persist.vendor.debug properties 2020-11-12 18:22:47 -08:00
vendor_toolbox.te Update language to comply with Android's inclusive language guidance 2020-07-31 12:28:11 -06:00
virtual_touchpad.te
vndservice.te Allow vndservicemanager to self-register. 2020-03-06 16:35:52 -08:00
vndservicemanager.te
vold.te Modify SELinux rules to allow vold to use the keymaster HAL directly. am: b1c857c824 am: 769bbce026 2024-02-01 23:08:23 +00:00
vold_prepare_subdirs.te
watchdogd.te
webview_zygote.te
wificond.te Stop granting permissions on keystore_key class 2023-10-16 22:22:54 +00:00
zygote.te