platform_system_sepolicy/private
Alan Stokes bc12bccd8f crosvm doesn't need IPC_LOCK
crosvm calls mlock. It used to need this capability, but now we remove
the rlimit (in Virtualization Manager via Virtualization Service) so
it no longer needs it and in fact is no longer granted it.

(This was previously removed in
commit 88f98d96da, but accidentally
re-introduced in commit 88f98d96dae3fb2616e93969685cbd737c364a0f.)

Bug: 322197421
Test: atest MicrodroidTests
Change-Id: I091170d0cb9b5617584b687e7f24cff153e06c85
2024-01-26 12:03:02 +00:00
compat Merge "Add sepolicy for the Thread Network property" into main 2024-01-25 09:39:13 +00:00
access_vectors Add new keystore2 permission get_last_auth_time. 2023-10-31 20:28:43 +00:00
adbd.te Blocks untrusted apps to access /dev/socket/mdnsd from U 2023-01-20 15:25:46 +09:00
aidl_lazy_test_server.te
apex_test_prepostinstall.te
apexd.te Remove remaining APEX sepolicy types 2023-09-25 11:19:44 +09:00
apexd_derive_classpath.te
app.te Revert "Remove implicit access for isolated_app" 2023-12-07 16:52:28 +01:00
app_neverallows.te Allow system_server access to hidraw devices. 2023-11-30 23:33:55 +00:00
app_zygote.te Add appcompat override files and contexts to SELinux 2023-10-23 18:34:12 +00:00
art_boot.te Give art_boot explicit access to experiment flags. 2023-05-16 16:20:50 +01:00
artd.te Allow artd to reopen its own memfd. 2023-10-13 18:26:56 +00:00
asan_extract.te
atrace.te atrace: don't audit debugfs access 2023-06-07 20:29:47 +00:00
attributes Revert^2 "Introduce sdk_sandbox_audit SELinux domain" 2023-11-17 09:54:33 +00:00
audioserver.te Add SELinux policy for accessing the AudioService 2022-07-27 12:11:50 +00:00
auditctl.te
automotive_display_service.te Revert^2 "Updates sepolicy for EVS HAL" 2022-02-10 17:21:54 +00:00
binderservicedomain.te Stop granting permission to get_state of keystore2 2023-10-16 22:22:57 +00:00
blank_screen.te
blkid.te
blkid_untrusted.te
bluetooth.te Allow Bluetooth stack to read security log sysprop 2022-05-25 21:05:02 +00:00
bluetoothdomain.te
bootanim.te Allow bootanimation to access vendor apex 2023-11-06 18:26:27 +09:00
bootstat.te Making sys.boot.reason.last restricted 2023-09-11 18:29:24 +01:00
boringssl_self_test.te
bpfdomain.te refactor: get_prop(bpfdomain, bpf_progs_loaded_prop) 2023-01-06 10:09:33 +00:00
bpfloader.te sepolicy: allow netutils_wrapper access to fs_bpf_vendor 2024-01-20 23:56:37 +00:00
bufferhubd.te
bug_map Merge "Revert "bug_map selinux test failure"" into main 2023-12-19 14:47:37 +00:00
cameraserver.te Policy for virtual_camera native service 2023-10-13 16:42:11 +02:00
canhalconfigurator.te SEPolicy for AIDL CAN HAL 2022-12-09 11:00:10 -08:00
charger.te
charger_type.te
clatd.te clatd.te - no longer need netlink 2023-03-16 10:53:18 +00:00
compos_fd_server.te Delete more unused policies by CompOS 2022-01-25 08:40:46 -08:00
compos_verify.te Allow compos_verify to write VM logs 2022-06-17 13:41:51 +01:00
composd.te Allow system server to set dynamic ART properties. 2023-03-31 11:46:05 +01:00
coredomain.te Merge "Flag-guard vfio_handler policies" into main 2023-11-22 07:45:53 +00:00
cppreopts.te
crash_dump.te crash_dump: read bootstrap libs 2023-12-06 01:43:46 +00:00
credstore.te Remove RemoteProvisioner and remoteprovisioning services 2023-03-14 15:45:35 -07:00
crosvm.te crosvm doesn't need IPC_LOCK 2024-01-26 12:03:02 +00:00
derive_classpath.te Introduce vendor_apex_metadata_file 2023-06-05 17:17:51 +09:00
derive_sdk.te Introduce vendor_apex_metadata_file 2023-06-05 17:17:51 +09:00
device_as_webcam.te Add selinux permissions for DeviceAsWebcam Service 2023-02-02 12:26:33 -08:00
dex2oat.te Allow dex2oat access to symlinks in APEXes to find DCLA libs. 2023-07-25 00:07:27 +01:00
dexoptanalyzer.te dontaudit dexoptanalyzer's DM file check on secondary dex files. 2023-01-30 07:56:10 +00:00
dhcp.te
dmesgd.te dmesgd: sepolicies 2022-02-10 17:42:52 +00:00
dnsmasq.te
domain.te Introduce vendor_microdroid_file for microdroid vendor image 2023-11-16 16:44:15 +09:00
drmserver.te
dumpstate.te dumpstate += config_gz permission 2023-12-21 01:22:13 +00:00
ephemeral_app.te strengthen app_data_file neverallows 2023-05-23 00:01:27 +00:00
evsmanagerd.te Revert^2 "Adds a sepolicy for EVS manager service" 2022-02-10 17:21:14 +00:00
extra_free_kbytes.te Add policies for ro.kernel.watermark_scale_factor property 2022-09-08 19:35:34 +00:00
fastbootd.te Allow fastbootd set boottime property 2023-04-28 07:31:11 +00:00
file.te Merge "Rename uprobe_private to uprobestats for BPFs." into main 2024-01-19 18:15:45 +00:00
file_contexts [Thread] move ot-daemon socket to /dev/socket/ot-daemon 2024-01-23 00:00:01 +08:00
file_contexts_asan Allow app_process to link /data/asan/system_ext/lib/* 2023-06-09 04:43:52 +00:00
file_contexts_overlayfs
fingerprintd.te
flags_health_check.te add next_boot_prop SELinux context to store staged sys prop 2023-10-12 16:12:30 +00:00
fs_use
fsck.te
fsck_untrusted.te
fsverity_init.te Remove all module_request rules 2023-08-22 16:56:04 +00:00
fuseblkd.te Adds support for fuseblk binaries. 2023-02-02 15:32:39 +01:00
fuseblkd_untrusted.te Adds support for fuseblk binaries. 2023-02-02 15:32:39 +01:00
fwk_bufferhub.te
gatekeeperd.te
genfs_contexts Rename uprobe_private to uprobestats for BPFs. 2024-01-16 14:02:59 -08:00
gki_apex_prepostinstall.te
gmscore_app.te Stop granting permissions on keystore_key class 2023-10-16 22:22:54 +00:00
gpuservice.te Allow graphics_config_writable_prop to be modified. 2023-05-04 16:04:44 +00:00
gsid.te Allow gsid to create alternative installation directory 2023-04-28 07:06:02 +00:00
hal_allocator_default.te Allow hidl_allocator_default service to set its own prop 2023-12-19 17:05:59 +00:00
hal_lazy_test.te
halclientdomain.te
halserverdomain.te
healthd.te
heapprofd.te strengthen vendor_file neverallows 2023-05-18 00:07:32 +00:00
hidl_lazy_test_server.te
hwservice.te
hwservice_contexts Revert "Add sepolicies for CPU HAL." 2022-11-09 16:47:07 +00:00
hwservicemanager.te Allow service managers access to apex data. 2022-09-23 21:33:58 +00:00
idmap.te
incident.te
incident_helper.te
incidentd.te Let incidentd read the wakeup_sources debugfs node for userdebug/eng builds 2023-09-20 14:06:21 -07:00
init.te Revert "Suppress a denial on VM boot" 2023-10-20 19:14:26 +00:00
initial_sid_contexts
initial_sids
inputflinger.te
installd.te Allow installd to enable fs-verity on app's file 2023-08-07 11:08:34 -07:00
isolated_app.te sepolicy: rework perfetto producer/profiler rules for "user" builds 2023-02-03 15:05:14 +00:00
isolated_app_all.te Allow isolated to read staged apks 2023-12-05 15:17:19 +00:00
isolated_compute_app.te C2 AIDL sepolicy update 2023-09-06 14:30:26 -07:00
iw.te
kernel.te Remove remaining APEX sepolicy types 2023-09-25 11:19:44 +09:00
keys.conf sepolicy(nfc): Changing selinux policy for signed NFC APK 2024-01-19 10:22:56 -08:00
keystore.te Revert^4 "[avf][rkp] Allow virtualizationservice to register RKP HAL" 2023-11-22 08:21:27 +00:00
keystore2_key_contexts Stop granting permissions on keystore_key class 2023-10-16 22:22:54 +00:00
keystore_keys.te
linkerconfig.te Introduce vendor_apex_metadata_file 2023-06-05 17:17:51 +09:00
llkd.te [dice] Remove all the sepolicy relating the hal service dice 2023-02-24 08:34:26 +00:00
lmkd.te Add search in bpf directory for bpfdomains 2022-03-21 17:31:17 -07:00
logd.te
logpersist.te
lpdumpd.te Allow lpdumpd to read Virtual A/B diagnostics. 2023-07-14 09:08:56 -07:00
mac_permissions.xml sepolicy(nfc): Changing selinux policy for signed NFC APK 2024-01-19 10:22:56 -08:00
mdnsd.te
mediadrmserver.te
mediaextractor.te
mediametrics.te
mediaprovider.te
mediaprovider_app.te Allow apps and SDK sandbox to access each others' open FDs 2023-05-17 14:28:40 +00:00
mediaserver.te Allow binder calls between virtual_camera / mediaserver & 2023-12-27 17:26:52 +01:00
mediaswcodec.te
mediatranscoding.te Adds GPU sepolicy to support devices with DRM gralloc/rendering 2022-04-18 17:30:56 -07:00
mediatuner.te Allow mediatuner to get tuner.server.enable 2023-06-20 17:24:51 +00:00
migrate_legacy_obb_data.te
mls
mls_decl
mls_macros
mlstrustedsubject.te Update SELinux policy to allow artd to perform secondary dex compilation 2022-10-24 16:07:01 +01:00
mm_events.te
modprobe.te
mtectrl.te [MTE] ignore mtectrl selinux error for device tree. 2022-09-29 22:53:58 +00:00
mtp.te
net.te Create sdk_sandbox_all. 2023-05-10 17:54:07 +00:00
netd.te sepolicy: allow netutils_wrapper access to fs_bpf_vendor 2024-01-20 23:56:37 +00:00
netutils_wrapper.te sepolicy: allow netutils_wrapper access to fs_bpf_vendor 2024-01-20 23:56:37 +00:00
network_stack.te sepolicy: grant network_stack CAP_WAKE_ALARM 2023-12-13 18:52:51 +00:00
nfc.te
odrefresh.te
odsign.te Revert "Remove fsverity_init SELinux rules" 2023-07-26 06:21:37 +00:00
ot_daemon.te [Thread] move ot-daemon socket to /dev/socket/ot-daemon 2024-01-23 00:00:01 +08:00
otapreopt_chroot.te Allow otapreopt_chroot to use stdin and stdout pipes. 2023-08-07 21:21:20 +01:00
otapreopt_slot.te
perfetto.te Allow perfetto to write into perfetto_traces_bugreport_data_file 2023-03-28 11:34:58 +00:00
performanced.te
permissioncontroller_app.te
platform_app.te Making sys.boot.reason.last restricted 2023-09-11 18:29:24 +01:00
policy_capabilities
port_contexts
postinstall.te
postinstall_dexopt.te Allow vendor_overlay_file from vendor apex 2023-06-09 13:43:11 +09:00
ppp.te
preloads_copy.te
preopt2cachename.te
priv_app.te Allow pm.archiving.enabled to be read by priv apps. 2023-12-12 23:55:49 +00:00
prng_seeder.te Add SEPolicy for PRNG seeder daemon. 2022-11-15 01:50:22 +00:00
profcollectd.te profcollectd: allow to request wakelock from system_suspend. 2022-02-17 10:20:08 -08:00
profman.te Allow profman to read from memfd created by artd. 2023-10-12 13:48:00 +00:00
property.te Add sepolicy for suspend.debug.wakestats_log.enabled 2024-01-04 15:45:39 -08:00
property_contexts Merge "Add sepolicy for the Thread Network property" into main 2024-01-25 09:39:13 +00:00
racoon.te
radio.te
recovery.te
recovery_persist.te
recovery_refresh.te
remount.te Allow remount to update the super partition. 2023-12-13 12:09:30 -08:00
rkpd.te Add SELinux policies for remote_key_provisioning_native namespace. 2022-09-29 21:32:58 +00:00
rkpd_app.te Revert^4 "[avf][rkp] Allow virtualizationservice to register RKP HAL" 2023-11-22 08:21:27 +00:00
roles_decl
rs.te Add dontaudit for rs fd usage 2023-07-26 12:12:41 +02:00
rss_hwm_reset.te
runas.te
runas_app.te Don't audit shell_test_data_file for runas_app 2023-08-03 21:28:21 +00:00
sdcardd.te
sdk_sandbox_34.te Revert^2 "Introduce sdk_sandbox_audit SELinux domain" 2023-11-17 09:54:33 +00:00
sdk_sandbox_all.te strengthen app_data_file neverallows 2023-05-23 00:01:27 +00:00
sdk_sandbox_audit.te Revert^2 "Introduce sdk_sandbox_audit SELinux domain" 2023-11-17 09:54:33 +00:00
sdk_sandbox_current.te Revert^2 "Introduce sdk_sandbox_audit SELinux domain" 2023-11-17 09:54:33 +00:00
sdk_sandbox_next.te Add canary restrictions for sdk_sandbox 2023-05-12 20:06:31 +00:00
seapp_contexts sepolicy(nfc): Changing selinux policy for signed NFC APK 2024-01-19 10:22:56 -08:00
secure_element.te
security_classes Add SELinux Policy For io_uring 2023-01-27 11:44:59 -05:00
service.te Update wearable_sensing_service to app_api_service 2023-12-18 22:02:06 +00:00
service_contexts [ECM] Update SELinux policy for EnhancedConfirmationService 2024-01-23 23:15:16 +00:00
servicemanager.te Allow service managers access to apex data. 2022-09-23 21:33:58 +00:00
sgdisk.te
shared_relro.te
shell.te Revert^2 "Update uprobestats SELinux policy" 2023-12-14 17:17:18 -08:00
simpleperf.te
simpleperf_app_runner.te
simpleperf_boot.te
slideshow.te
snapshotctl.te
snapuserd.te snapuserd: sepolicy for setting task-profiles 2023-12-29 23:02:17 +00:00
stats.te Allow traced_probes to subscribe to statsd atoms 2023-03-22 19:53:34 +00:00
statsd.te Revert^2 "Update uprobestats SELinux policy" 2023-12-14 17:17:18 -08:00
storaged.te
su.te Allow su to access virtualization 2023-12-20 14:55:28 +00:00
surfaceflinger.te Revert "sepolicy: allow surfaceflinger to read device_config_aconfig_flags_prop" 2023-09-13 17:11:11 +00:00
system_app.te Merge "Allow binder calls from system app to update engine" into main 2024-01-12 19:42:36 +00:00
system_server.te Enable system server to read pm.archiving.enabled system property, as system server will need this check to have the archiving feature during testing. 2024-01-26 01:50:27 +00:00
system_server_startup.te
system_suspend.te Add sepolicy for suspend.debug.wakestats_log.enabled 2024-01-04 15:45:39 -08:00
technical_debt.cil Create sdk_sandbox_all. 2023-05-10 17:54:07 +00:00
tombstoned.te
toolbox.te Dontaudit chmod of virtualizationsevice_data_file 2022-06-15 17:25:20 +01:00
traced.te Allow Perfetto's traced daemon to set debug sysprops 2023-05-10 10:44:20 -04:00
traced_perf.te strengthen app_data_file neverallows 2023-05-23 00:01:27 +00:00
traced_probes.te traced_probes: allow perfetto to read /proc/pressure entries 2023-12-15 19:15:57 +00:00
traceur_app.te Allow traceur_app to access winscope traces 2023-08-21 07:13:42 +00:00
ueventd.te
uncrypt.te
untrusted_app.te Blocks untrusted apps to access /dev/socket/mdnsd from U 2023-01-20 15:25:46 +09:00
untrusted_app_25.te Disallow watch and watch_reads on apk_data_file for apps 2023-04-25 15:20:45 +02:00
untrusted_app_27.te Disallow watch and watch_reads on apk_data_file for apps 2023-04-25 15:20:45 +02:00
untrusted_app_29.te Disallow watch and watch_reads on apk_data_file for apps 2023-04-25 15:20:45 +02:00
untrusted_app_30.te Disallow watch and watch_reads on apk_data_file for apps 2023-04-25 15:20:45 +02:00
untrusted_app_32.te Disallow watch and watch_reads on apk_data_file for apps 2023-04-25 15:20:45 +02:00
untrusted_app_all.te sepolicy: rework perfetto producer/profiler rules for "user" builds 2023-02-03 15:05:14 +00:00
update_engine.te Allow binder calls from system app to update engine 2024-01-05 21:25:40 +00:00
update_engine_common.te
update_verifier.te Allow update_verifier to connect to snapuserd daemon 2023-01-09 13:19:20 -08:00
uprobestats.te Merge "Rename uprobe_private to uprobestats for BPFs." into main 2024-01-19 18:15:45 +00:00
usbd.te
users
vdc.te
vehicle_binding_util.te Revert "Revert "Allow vehicle_binding_util to access AIDL VHAL. am: d5af7b7cea am: 565699bc61 am: e4ddf119a1 am: 54e7d19e1d am: 3686a43f8f"" 2022-05-11 18:14:06 +00:00
vendor_init.te Introduce vm_manager_device_type for crosvm 2023-03-29 10:19:06 -07:00
vfio_handler.te Flag-guard vfio_handler policies 2023-11-22 05:28:20 +00:00
viewcompiler.te
virtual_camera.te Allow binder calls between virtual_camera / mediaserver & 2023-12-27 17:26:52 +01:00
virtual_touchpad.te
virtualizationmanager.te Fix denial due to vfio_handler's IBoundDevice 2024-01-03 09:35:43 +09:00
virtualizationservice.te [attestation] Allow virtualizationservice to retrieve keys 2024-01-19 14:54:05 +00:00
vold.te Give vold permission to wipe a block device 2023-08-02 14:27:08 -07:00
vold_prepare_subdirs.te Revert "Allow vold_prepare_subdirs to use apex_service" 2023-08-11 15:34:44 +00:00
vzwomatrigger_app.te
wait_for_keymaster.te
watchdogd.te
webview_zygote.te Add appcompat override files and contexts to SELinux 2023-10-23 18:34:12 +00:00
wificond.te
zygote.te Add appcompat override files and contexts to SELinux 2023-10-23 18:34:12 +00:00