Automerger Merge Worker
4d83a33d41
Merge "Reland: Rework platform version to hide codenames." am: d21ecebb27
...
Change-Id: Ib58bd7a62f077e4efae7a6b40cba38507de52f47
2020-02-10 16:22:30 +00:00
Treehugger Robot
d21ecebb27
Merge "Reland: Rework platform version to hide codenames."
2020-02-10 15:58:38 +00:00
Automerger Merge Worker
49e3bbdb1d
Merge "Add sepolicy for persist.nfc" am: 036eb2518d
...
Change-Id: I9394631e48401963ded6851257dada8bdc45311d
2020-02-10 11:27:26 +00:00
Treehugger Robot
036eb2518d
Merge "Add sepolicy for persist.nfc"
2020-02-10 11:15:36 +00:00
Automerger Merge Worker
814d38a94c
Merge "Move some properties to system_vendor_config_prop" am: 219137d6ca
...
Change-Id: Ic24749fb024fe713c7d2f5b63239e8e570fb31e3
2020-02-09 01:59:19 +00:00
Treehugger Robot
219137d6ca
Merge "Move some properties to system_vendor_config_prop"
2020-02-09 01:38:26 +00:00
Automerger Merge Worker
a97d499ebd
Merge "Remove "ro." prefix from sdk extension props" am: 88ab8e9c75
...
Change-Id: Iecf51b1e22a4fef84274eb723bc2d2fdb66513e9
2020-02-08 11:43:59 +00:00
Anton Hansson
88ab8e9c75
Merge "Remove "ro." prefix from sdk extension props"
2020-02-08 11:26:57 +00:00
Inseob Kim
2597b513b3
Move some properties to system_vendor_config_prop
...
system_vendor_config_prop defines a property context which can only be
set from vendor_init. It is one of the most used patterns of system
properties. This migrates some properties to help readability and
security.
Bug: 148125056
Test: system/sepolicy/build_policies.sh
Change-Id: I6b53ef520331b32417ad59f4daa04bdfc077f682
2020-02-08 08:34:17 +09:00
Automerger Merge Worker
09162ab186
Merge "Add macros for vendor_init writeonce properties" am: d832c69a94
...
Change-Id: I0f8d9f54170905023d799084bd7790f679eeedaf
2020-02-07 22:36:39 +00:00
Treehugger Robot
d832c69a94
Merge "Add macros for vendor_init writeonce properties"
2020-02-07 22:17:42 +00:00
Automerger Merge Worker
8c020eec71
Merge "selinux rules for loading incremental module" am: 3cf7d1b5ee
...
Change-Id: I7007b6fd0a63010334ae5079ecd0866101b82ecf
2020-02-07 19:50:37 +00:00
Songchun Fan
3cf7d1b5ee
Merge "selinux rules for loading incremental module"
2020-02-07 19:33:08 +00:00
Anton Hansson
3c7cc7a896
Remove "ro." prefix from sdk extension props
...
It needs to be reset during userspace reboot, so isn't
readonly.
Bug: 148668435
Test: presubmit
Change-Id: If6b5f15eb7ade143a939c815bf8787659ceeb951
2020-02-07 19:04:06 +00:00
Automerger Merge Worker
eaf6255fff
Merge "Add TEST_MAPPING for pre-submit tests" am: 571dbd9e58
...
Change-Id: I1066d87b9916399012f6febe6492ac3b1f249db6
2020-02-07 18:55:19 +00:00
Treehugger Robot
571dbd9e58
Merge "Add TEST_MAPPING for pre-submit tests"
2020-02-07 18:36:09 +00:00
Automerger Merge Worker
6820031087
Merge "GpuService binder call StatsManagerService" am: 53114d6184
...
Change-Id: Ie3937b46a5ada0dafb5021c1bf532db267eeb777
2020-02-07 18:18:05 +00:00
Automerger Merge Worker
eeefd23830
Merge "Allow system server to add StatsHal" am: aac4b2f8c0
...
Change-Id: I67718c87e2c9e526b1de6a6b6977ce6cf7c1803e
2020-02-07 18:17:50 +00:00
Tim Murray
541ab34a0c
property_contexts: add cache for getDisplayInfo.
...
Test: getDisplayInfo works
Bug: 140788621
Change-Id: I131b9b34b9d2814ab2b2f95e5cef3635a67765e2
2020-02-07 10:07:01 -08:00
Jeffrey Huang
53114d6184
Merge "GpuService binder call StatsManagerService"
2020-02-07 18:03:26 +00:00
Jeffrey Huang
aac4b2f8c0
Merge "Allow system server to add StatsHal"
2020-02-07 18:03:04 +00:00
Songchun Fan
99d9374760
selinux rules for loading incremental module
...
Defining incremental file system driver module, allowing vold to load
and read it.
=== Denial messages ===
02-04 16:48:29.193 595 595 I Binder:595_4: type=1400 audit(0.0:507): avc: denied { read } for name="incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=file permissive=1
02-04 16:48:29.193 595 595 I Binder:595_4: type=1400 audit(0.0:508): avc: denied { open } for path="/vendor/lib/modules/incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=file permissive=1
02-04 16:48:29.193 595 595 I Binder:595_4: type=1400 audit(0.0:509): avc: denied { sys_module } for capability=16 scontext=u:r:vold:s0 tcontext=u:r:vold:s0 tclass=capability permissive=1
02-04 16:48:29.193 595 595 I Binder:595_4: type=1400 audit(0.0:510): avc: denied { module_load } for path="/vendor/lib/modules/incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=system permissive=1
Test: manual
BUG: 147371381
Change-Id: I5bf4e28c28736b4332e7a81c344ce97ac7278ffb
2020-02-07 09:52:34 -08:00
Songchun Fan
020e3ab035
selinux rules for apk files installed with Incremental
...
Apk files installed with Incremental are actually stored under the
/data/incremental directory.
Since files under /data/incremental are labeled as apk_file_data, we
need additional permissions to enable an apk installation.
Denial messages:
=== vold ===
02-04 14:22:45.756 599 599 I Binder:599_3: type=1400 audit(0.0:607): avc: denied { read } for name="mount" dev="dm-5" ino=894 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
02-04 14:22:45.756 599 599 I Binder:599_3: type=1400 audit(0.0:608): avc: denied { open } for path="/data/incremental/data_incremental_tmp_792314038/mount" dev="dm-5" ino=894 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
02-04 14:22:45.760 599 599 I Binder:599_3: type=1400 audit(0.0:609): avc: denied { mounton } for path="/data/incremental/data_incremental_tmp_792314038/mount" dev="dm-5" ino=894 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
02-04 14:22:45.766 1431 1431 I PackageInstalle: type=1400 audit(0.0:620): avc: denied { read write open } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/.index/f5c14952f6dde3b4a77a94e45388c012" dev="dm-5" ino=897 scontext=u:r:vold:s0
02-04 14:22:45.923 1431 1431 I PackageManager: type=1400 audit(0.0:637): avc: denied { write } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/st_5_0" dev="dm-5" ino=896 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
02-04 14:22:47.326 8839 8839 I android.vending: type=1400 audit(0.0:658): avc: denied { read write open } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/st_6_1/flipboard.app-KPIT2MBSpQYWG-USITOftw==/base.apk" dev="dm-5" ino=899 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending
02-04 14:22:45.780 599 599 I Binder:599_3: type=1400 audit(0.0:623): avc: denied { getattr } for path="/data/app/vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1
02-04 14:22:45.780 599 599 I Binder:599_3: type=1400 audit(0.0:624): avc: denied { read } for name="vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1
02-04 14:22:45.780 599 599 I Binder:599_3: type=1400 audit(0.0:625): avc: denied { open } for path="/data/app/vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1
02-04 14:22:45.780 599 599 I Binder:599_3: type=1400 audit(0.0:627): avc: denied { mounton } for path="/data/app/vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1
02-04 15:32:02.386 591 591 I Binder:591_4: type=1400 audit(0.0:537): avc: denied { search } for name="incremental" dev="dm-5" ino=120 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
=== system_app ===
02-04 14:22:45.793 5064 5064 I Binder:5064_1: type=1400 audit(0.0:633): avc: denied { write } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/st_5_0/base.apk" dev="dm-5" ino=899 scontext=u:r:system_app:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
Test: manual
BUG: 133435829
Change-Id: I70f25a6e63dd2be87ccbe9fb9e9d50fa64d88c36
2020-02-07 16:34:42 +00:00
Automerger Merge Worker
2f146b705b
Merge "Allow vold FS_IOC_{GET|SET}FLAGS ioctl." am: e7c8f0425d
...
Change-Id: I88d91fc14a268bcad16a0c5b99ace5e006ad54a5
2020-02-07 10:43:41 +00:00
Martijn Coenen
e7c8f0425d
Merge "Allow vold FS_IOC_{GET|SET}FLAGS ioctl."
2020-02-07 10:29:14 +00:00
Automerger Merge Worker
b504189120
Merge "sepolicy: rename use_smart_90_for_video -> use_content_detection_for_refresh_rate" am: 3d44d91d0b
...
Change-Id: I0892aba0f22011f86bba6a6c2251cd3129ee9038
2020-02-07 03:30:36 +00:00
Treehugger Robot
3d44d91d0b
Merge "sepolicy: rename use_smart_90_for_video -> use_content_detection_for_refresh_rate"
2020-02-07 03:11:52 +00:00
Jerry Chang
5594f307c8
sepolicy: new prereboot_data_file type
...
This adds the type and permissions for dumping and appending prereboot
information.
Bug: 145203410
Test: Didn't see denials while dumping and appending prereboot info.
Change-Id: Ic08408b9bebc3648a7668ed8475f96a5302635fa
2020-02-07 10:22:47 +08:00
Nikita Ioffe
44f5ffca15
Add userspace_reboot_log_prop
...
These properties are used to compute UserspaceRebootAtom and are going to
be written by system_server. Also removed now unused
userspace_reboot_prop.
Test: builds
Bug: 148767783
Change-Id: Iee44b4ca9f5d3913ac71b2ac6959c232f060f0ed
2020-02-07 01:57:55 +00:00
Jeffrey Huang
b481e320a1
GpuService binder call StatsManagerService
...
This binder call is needed because we want to migrate
libstatspull to use StatsManagerService instead of Statsd.
The binder call to statsd can be removed after the migration.
Test: m -j
Bug: 148641240
Change-Id: Id1387a2cbe74ba8d84f4973c6e4d17c5e0b88009
2020-02-06 11:54:33 -08:00
Ady Abraham
5e81162741
sepolicy: rename use_smart_90_for_video -> use_content_detection_for_refresh_rate
...
Add a new entry for use_content_detection_for_refresh_rate that will
eventually replace the deprecated use_smart_90_for_video
Change-Id: Iffe83fe0c7620f661228452495a02922f9662406
Test: play video and observe refresh rate
2020-02-06 19:23:52 +00:00
Martijn Coenen
127f5e863c
Allow vold FS_IOC_{GET|SET}FLAGS ioctl.
...
To enable quota project ID inheritance.
Bug: 146419093
Test: no denials
Change-Id: If9c616acc5010d513d1e7ccda0915cdb26272b8c
2020-02-06 18:08:36 +00:00
Inseob Kim
33994bba81
Add macros for vendor_init writeonce properties
...
There are a lot of properties which are meant to be set once by
vendor_init. Most of them are configuration properties from vendor. This
introduces a macro to define such properties, which can help readability
and better security than using plain system_public_prop.
Bug: 148125056
Test: manual
Change-Id: I8b68e635d42119bafd1d22cba7957f583822ac7b
2020-02-07 03:03:43 +09:00
Ashwini Oruganti
9301818539
Add TEST_MAPPING for pre-submit tests
...
Run SELinuxHostTest whenever a change is made.
Filtering the tests to the ones that check that priv-apps are running in
their own domains.
Bug: 143172058
Test: Running "atest" in system/sepolicy runs SELinuxHostTest
Change-Id: If17642400129e97eb3bf2f631e784f92826adb9a
2020-02-06 09:57:03 -08:00
Automerger Merge Worker
20d98449ac
Merge "Make platform_compat discoverable everywhere" am: c79be18ddd
...
Change-Id: Idfa1540dd171d6ada539f06cc50bb1f11b1fc82a
2020-02-06 13:51:30 +00:00
Andrei-Valentin Onea
c79be18ddd
Merge "Make platform_compat discoverable everywhere"
2020-02-06 13:40:34 +00:00
Automerger Merge Worker
c22738a787
Merge "Don't audit dumpstate reading /mnt/user, /mnt/installer." am: 55b7ccd989
...
Change-Id: Ie00ede70277839dfaeb291ee21825fab99bfc134
2020-02-06 12:42:27 +00:00
Martijn Coenen
55b7ccd989
Merge "Don't audit dumpstate reading /mnt/user, /mnt/installer."
2020-02-06 12:37:24 +00:00
Automerger Merge Worker
0bbe440a69
Merge "net_dns_prop: neverallow most access" am: 9788ca1738
...
Change-Id: If7272632fd3e7162b37ac1530ec49fd49f028b0c
2020-02-06 12:34:42 +00:00
Dianne Hackborn
c2f74ac6ae
Reland: Rework platform version to hide codenames.
...
The public platform version no longer can be a codename, it is
always the most recently released platform. A new build property
and API provides either the official version or the current codename
as appropriate. This will avoid breaking apps that look at the
platform version while development is under a codename.
Bug: 143175463
Test: manual
(cherry picked from commit afa84c96ac)
Merged-In: I257ca42672e4712841c90b0608202c846bda628c
Change-Id: If8c91986afe682902787145dae4c0a3b9a2aa8d1
2020-02-06 12:31:25 +00:00
Jeffrey Vander Stoep
9788ca1738
Merge "net_dns_prop: neverallow most access"
2020-02-06 12:16:22 +00:00
Andrei Onea
25b39acefe
Make platform_compat discoverable everywhere
...
The binder's methods are protected by signature
permissions (LOG_COMPAT_CHANGE, READ_COMPAT_CHANGE_CONFIG and
OVERRIDE_COMPAT_CHANGE_CONFIG).
This is a re-landing of https://r.android.com/1210143 , which was
reverted due to http://b/142942524 . The actual fix was done in
http://ag/10234812 .
Bug: 142650523
Test: atest PlatformCompatGatingTest
Change-Id: Ibddac8933ea58d44457a5d80b540347e796ebe71
2020-02-06 12:11:37 +00:00
Martijn Coenen
722026676b
Don't audit dumpstate reading /mnt/user, /mnt/installer.
...
Dumpstate runs 'df', which in turn tries to get attributes on all
mounted filesystems. We don't care much for stats on /mnt/user, since
it's simply a mapping of /data. /mnt/installer is simply a bind mount of
/mnt/user, and we don't need to show that in df either.
Bug: 148761246
Test: atest
CtsSecurityHostTestCases:android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: Ie71b9cde08eb08bd3a7a3e2659ea71c61ca5ab3b
2020-02-06 09:44:24 +00:00
Automerger Merge Worker
557f360d29
Merge "sepolicy: Relabel wifi. properties as wifi_prop" am: 15d70fec33
...
Change-Id: I496b18dadf830a96e6e6a27e14a985b784707a5a
2020-02-06 03:06:08 +00:00
Treehugger Robot
15d70fec33
Merge "sepolicy: Relabel wifi. properties as wifi_prop"
2020-02-06 02:53:51 +00:00
Automerger Merge Worker
49f6767ac7
Merge "adbd should be able to shutdown shell:unix_stream_socket" am: ca3d3dfa70
...
Change-Id: I5fbc449b0d6f463aaa4e4b0e22638cc684b811b3
2020-02-06 02:30:57 +00:00
Treehugger Robot
ca3d3dfa70
Merge "adbd should be able to shutdown shell:unix_stream_socket"
2020-02-06 02:17:31 +00:00
Automerger Merge Worker
74f0d2e626
Merge "Add filegroup for extservices file context" am: f9e9eabea5
...
Change-Id: I7988f26f5741c78273b8dd05da8194e5ca301c35
2020-02-06 02:11:51 +00:00
Treehugger Robot
f9e9eabea5
Merge "Add filegroup for extservices file context"
2020-02-06 02:06:41 +00:00
Automerger Merge Worker
8312d3a4f3
Merge "Surfaceflinger binder call StatsManagerService" am: f8ddb83890
...
Change-Id: I08f1b3a9cb50e4981489274d3cd780bebdf93262
2020-02-06 02:03:09 +00:00