base repository: GrapheneOS/platform_system_sepolicy
base: 15-qpr2
head repository: MaximilianGaedig/platform_system_sepolicy
compare: 11

Commits on Jul 2, 2020

  1. Snap for 6649874 from 9b70a2c to rvc-qpr1-release

    Change-Id: I46b1abbab762e507c2597ff71fd9851935c93a55
    android-build-team Robot committed Jul 2, 2020
    88da915

Commits on Jul 7, 2020

  1. Snap for 6659731 from b258c98 to rvc-qpr1-release

    Change-Id: I519503f53b69d961b2c35b2f0b3932a4937a715c
    android-build-team Robot committed Jul 7, 2020
    f9c56d0

Commits on Jul 11, 2020

  1. Snap for 6672721 from 6ec36ff to rvc-qpr1-release

    Change-Id: If033855bed21bc91af9f5463a54530a403ad7428
    android-build-team Robot committed Jul 11, 2020
    11787c5

Commits on Jul 14, 2020

  1. Snap for 6680110 from 6f5797a to rvc-qpr1-release

    Change-Id: I113529076189614dd3265ee04a977dac40e7fc9b
    android-build-team Robot committed Jul 14, 2020
    259cb0a

Commits on Jul 17, 2020

  1. Snap for 6689685 from e30b4b6 to rvc-qpr1-release

    Change-Id: I6b10279efe1b5f840a16aeb41b703883638cc1ca
    android-build-team Robot committed Jul 17, 2020
    e4a0ed6

Commits on Jul 23, 2020

  1. Snap for 6703926 from 0bee120 to rvc-qpr1-release

    Change-Id: Id30fef085c4667f6b7f60514a31517334fe38d7e
    android-build-team Robot committed Jul 23, 2020
    7028de1

Commits on Jul 29, 2020

  1. Snap for 6720487 from 88b86a7 to rvc-qpr1-release

    Change-Id: Iff1d3b3ff6bb9aefb5ac0586da56799f23f1df21
    android-build-team Robot committed Jul 29, 2020
    6c87df6

Commits on Aug 4, 2020

  1. Snap for 6736586 from df3b4ea to rvc-qpr1-release

    Change-Id: I2dfdd0141a1d05961dc060a440d2191b33d8f600
    android-build-team Robot committed Aug 4, 2020
    0f0954c

Commits on Aug 11, 2020

  1. Snap for 6755001 from 112a122 to rvc-qpr1-release

    Change-Id: Ic843d6d636513bb0d54e43f3576242710091daac
    android-build-team Robot committed Aug 11, 2020
    d7bcf17

Commits on Aug 13, 2020

  1. Snap for 6761348 from 202b346 to rvc-qpr1-release

    Change-Id: Ib93d202e73cccde7872b55c79d75636bbed0836d
    android-build-team Robot committed Aug 13, 2020
    5c1b607

Commits on Aug 18, 2020

  1. Snap for 6773961 from 8f6b03c to rvc-qpr1-release

    Change-Id: I1e092ba109f3cd79bf24753cf7c4609d7edb36ad
    android-build-team Robot committed Aug 18, 2020
    ade4da5

Commits on Aug 20, 2020

  1. Snap for 6780056 from f1ecf7a to rvc-qpr1-release

    Change-Id: I045091af2bf60f662a1c354f83a26d8344a8af9a
    android-build-team Robot committed Aug 20, 2020
    6b5c41b

Commits on Aug 28, 2020

  1. Snap for 6799200 from e756e98 to rvc-qpr1-release

    Change-Id: I9328059a0f6a69bdfc1c8ac5fbb998d93a178d5b
    android-build-team Robot committed Aug 28, 2020
    318517a

Commits on Sep 7, 2020

  1. Snap for 6818149 from a59853f to rvc-qpr1-release

    Change-Id: I6668e51362cb0b854187f0d1e3a6d8d52fcc3c76
    android-build-team Robot committed Sep 7, 2020
    945dbd9

Commits on Sep 8, 2020

  1. Snap for 6820514 from 2e4d149 to rvc-qpr1-release

    Change-Id: I04a26c37a797ff400016e17eb04365224127d8a1
    android-build-team Robot committed Sep 8, 2020
    2128462

Commits on Sep 9, 2020

  1. Snap for 6823548 from 6ee8dcd to rvc-qpr1-release

    Change-Id: I75f8c30e4d4eb8f0b7229772e8b1a0aa3395acfa
    android-build-team Robot committed Sep 9, 2020
    c864b4c

Commits on Sep 18, 2020

  1. Snap for 6847696 from 63322ae to rvc-qpr1-release

    Change-Id: I4661f61f56a7ce98f222d255efc8900fdecaf65f
    android-build-team Robot committed Sep 18, 2020
    31e0945

Commits on Dec 8, 2020

  1. sepolicy: Add sdcard_posix_contextmount_type attribute

    * Since we can't use contextmount_type for sdcard_posix
      due to contextmount_type being read only by design we
      need to declare our own attribute to bypass relabelto
      neverallow. That way we can mount external ext4/f2fs
      SD with sdcard_posix context and write permissions.
    
    Test: m -j selinux_policy
    Change-Id: I0dfe49cc0b34dfcce2840198843bde1272cbc61c
    luk1337 authored and Michael Bestas committed Dec 8, 2020
    c65d07c
  2. sepolicy: whitelist recovery from node creation neverallow

    Change-Id: If91584e58f3709c0b18eaf9ee12a0c057716f9f3
    aleasto authored and Michael Bestas committed Dec 8, 2020
    c032133
  3. Only require compat mapping files if they exist.

    Call build_policy when determining which compat mapping files should be
    included for a given partition.
    
    Bug: 168637766
    Test: Built aosp_bonito-userdebug and saw that the compat mapping files
    in product/etc/sepolicy/mapping were no longer present.
    Test: Added a test 30.0.cil file to bonito's product private compat
    directory and saw that it was present at product/etc/sepolicy/mapping.
    
    Change-Id: I83cc28a159b24c0a2c0717dae461983250ab6c25
    Chris Gross authored and Michael Bestas committed Dec 8, 2020
    bb4d016
  4. sepolicy: Allow recovery to alter /

    This is needed for /etc/fstab, /adb_keys and volmgr
    
    Change-Id: I53332a57ce7879d7ba63c4ea3e27add01f5a3a90
    Gabriele M authored and Michael Bestas committed Dec 8, 2020
    2741936

Commits on Dec 12, 2020

  1. Fix storaged access to /sys/block/mmcblk0/stat after 48027a0

    * Commit "storaged: remove access to sysfs_type" denied the storaged
      daemon access to the sysfs node it needed to do its work.
    * It also didn't provide any means necessary for adding the necessary
      rules at a device level, since its sepolicy is private.
    * Here we define a new sysfs_disk_stat security label, which device
      maintainers are supposed to add to their genfs_contexts file. This is
      similar to how hal_health_default and sysfs_batteryinfo is handled.
    * What prevents the genfs_contexts from being added here directly is
      that in a typical vendor implementation, these sysfs files are
      actually symlinks and not a single, unified path SELinux-wise.
    
    Change-Id: I13ca09cf2458b22ffb6c70b8a353e891e810c606
    Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
    vladimiroltean authored and bgcngm committed Dec 12, 2020
    2814cfc
  2. sepolicy: Treat proc-based DT fstab the same and sys-based

    * Older devices have a DT fstab in proc, so we need to expand our
      policy to make this first-class like the fancy, new, sys devices
    
    Change-Id: I3cfed1e8e9fdf8665f1348fa07fa42d4f37873e9
    haggertk authored and bgcngm committed Dec 12, 2020
    31f3ea2
  3. Allow init to write to /proc/cpu/alignment

    * AOSP init.rc attempts to write to /proc/cpu/alignment, but
      following 84e181b, general access to procfs nodes is prohibited.
    * Add an appropriate type, genfscon, and allow to permit this
      action.
    
    Change-Id: I31ad8eaa6ebb6dd57d1b9c4395cb22cdd0d7b3d3
    (cherry picked from commit 6213f5041a6e9242b2a23c8cc85d0d76cbc1fc45)
    haggertk authored and bgcngm committed Dec 12, 2020
    faa2181

Commits on Mar 2, 2021

  1. Merge tag 'android-11.0.0_r32' into staging/lineage-18.1_merge-android-11.0.0_r32
    
    Android 11.0.0 Release 32 (RQ2A.210305.006)
    
    * tag 'android-11.0.0_r32':
      Track another instance of b/77870037
      Merge "Expand the scope of sepolicy_freeze_test" am: 8fea06a am: c3aaa34 am: 3d9c929
    
    Change-Id: Ic895d44df78914e5fcea4270fdd7da00bb4a516b
    haggertk committed Mar 2, 2021
    f351416

Commits on Mar 21, 2021

  1. Allow dumpstate to get thermal and power hal debug info

    Bug: 156710131
    Bug: 170070222
    Test: tested in userdebug with dumpstate.unroot set to true
    Change-Id: Iabd636f109e719753fdd650f05e1a7af835c49d7
    Signed-off-by: TeYuan Wang <kamewang@google.com>
    (cherry picked from commit 900c723)
    ramshell68 authored and Michael Bestas committed Mar 21, 2021
    8baeefa
  2. Allow dumpstate to dump hal_light

    Bug: 162594434
    Bug: 170070222
    Test: atest android.security.cts.SELinuxHostTest#testNoBugreportDenials
    Signed-off-by: Roman Kiryanov <rkir@google.com>
    Change-Id: I440b5627abe0127324679fcb54bc52a68c44bea4
    (cherry picked from commit 83b88d5)
    Roman Kiryanov authored and Michael Bestas committed Mar 21, 2021
    73da57f
  3. Add ro.cdma.home.operator. properties

    vendor_init writes ro.cdma.home.operator. properties, and framework
    codes reads the properties. This adds them to telephony_config_prop to
    explicitly allow it.
    
    Bug: 157958356
    Bug: 173683489
    Test: boot
    Change-Id: I3bd515bd7adcc01ec268e4d2b5a6a2f1fbca7deb
    (cherry picked from commit 18cbb77)
    iskim517 authored and Michael Bestas committed Mar 21, 2021
    46d058f
  4. Add ro.cpuvulkan.version to property_contexts

    Bug: 173683489
    Test: vts_treble_sys_prop_test
    Test: VulkanTest
    Change-Id: I4d78ed5de6640c4342c4f6c2362976577007a681
    (cherry picked from commit f1a7f16)
    iskim517 authored and Michael Bestas committed Mar 21, 2021
    5a9e45a
  5. Sepolicy for dumsys suspend_control in bugreport

    Bug: 155836352
    Test: adb shell am bug-report && check logcat for denials
    Change-Id: I8b65ea7c798121679bf27ce667c787a8dcbf5aae
    (cherry picked from commit 215751a)
    Kalesh Singh authored and Michael Bestas committed Mar 21, 2021
    996e744
  6. Export ro.vendor.product.cpu.abilist*

    Bug: 173452246
    Test: Read these properties from system_server
    Change-Id: I26b8bbe153d55a2761ecc304a490a03a27156667
    szuweilin authored and Michael Bestas committed Mar 21, 2021
    95da6f3

Commits on Apr 9, 2021

  1. disable unused gmscore_app domain

    Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
    thestinger authored and randomhydrosol committed Apr 9, 2021
    8cc89f9
  2. allow system to use persist.keyguard.camera

    Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
    inthewaves authored and randomhydrosol committed Apr 9, 2021
    f74daa0
  3. label protected_{fifos,regular} as proc_security

    This is needed for init to override the default values.
    
    Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
    thestinger authored and randomhydrosol committed Apr 9, 2021
    c79f3d4
  4. drop support for preloads_copy

    Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
    thestinger authored and randomhydrosol committed Apr 9, 2021
    167745d
  5. remove priv_app app_data_file execute

    Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
    thestinger authored and randomhydrosol committed Apr 9, 2021
    8cc9cf9
  6. remove healthd ashmem execute

    Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
    thestinger authored and randomhydrosol committed Apr 9, 2021
    58ccf25
  7. auditallow app execmem

    Moving back towards an exception system.
    
    Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
    thestinger authored and randomhydrosol committed Apr 9, 2021
    668b83d
  8. auditallow app ashmem execute

    Moving back towards an exception system.
    
    Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
    thestinger authored and randomhydrosol committed Apr 9, 2021
    7a73e2c
  9. add base system seinfo for shared/release keys

    Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
    Change-Id: Ic7ecf8a49805772741a4bb6537466a3f1b7b2d5f
    thestinger authored and randomhydrosol committed Apr 9, 2021
    471e493
  10. split out untrusted base app domains

    Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
    Change-Id: I107b8365c938f03b7d98fefa01763cee6732eb57
    renlord authored and randomhydrosol committed Apr 9, 2021
    d135986
  11. split base isolated app

    Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
    renlord authored and randomhydrosol committed Apr 9, 2021
    f4c9505
  12. remove base system app execmod

    Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
    renlord authored and randomhydrosol committed Apr 9, 2021
    1c743bd
  13. remove base system app execmem

    GrapheneOS doesn't use the ART JIT compiler.
    
    Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
    renlord authored and randomhydrosol committed Apr 9, 2021
    5f5750b
  14. remove base app app_data_file execute_no_trans

    Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
    thestinger authored and randomhydrosol committed Apr 9, 2021
    bddf5f5
  15. remove base system app app_data_file execute

    Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
    renlord authored and randomhydrosol committed Apr 9, 2021
    366d68e
  16. remove base system app ashmem execute

    Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
    renlord authored and randomhydrosol committed Apr 9, 2021
    9f2650b
  17. auditallow app tmpfs execute

    Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
    thestinger authored and randomhydrosol committed Apr 9, 2021
    f862ca4
  18. remove base system app tmpfs execute

    Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
    thestinger authored and randomhydrosol committed Apr 9, 2021
    1b70770
  19. auditallow apk_data_file execute

    For libraries, apps should be migrating to the more modern approach of
    storing them in the apk uncompressed and mapping them directly from it.
    
    This is the most modern approach available for executables and is better
    than using app data, but ideally it wouldn't be done. For now, audit use
    of `execute_no_trans` anyway while this is given more thought.
    
    Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
    thestinger authored and randomhydrosol committed Apr 9, 2021
    eab1c9a
Showing with 1,420 additions and 325 deletions.
  1. +13 −4 Android.mk
  2. +5 −2 prebuilts/api/28.0/plat_pub_versioned.cil
  3. +1 −1 prebuilts/api/28.0/vendor_sepolicy.cil
  4. +2 −0 prebuilts/api/29.0/plat_pub_versioned.cil
  5. +1 −0 prebuilts/api/29.0/private/compat/26.0/26.0.ignore.cil
  6. +1 −0 prebuilts/api/29.0/private/compat/27.0/27.0.ignore.cil
  7. +1 −0 prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
  8. +5 −0 prebuilts/api/29.0/private/storaged.te
  9. +1 −0 prebuilts/api/29.0/public/file.te
  10. +20 −2 prebuilts/api/30.0/private/app_neverallows.te
  11. +3 −9 prebuilts/api/30.0/private/app_zygote.te
  12. +1 −0 prebuilts/api/30.0/private/compat/26.0/26.0.cil
  13. +8 −0 prebuilts/api/30.0/private/compat/26.0/26.0.ignore.cil
  14. +1 −0 prebuilts/api/30.0/private/compat/27.0/27.0.cil
  15. +8 −0 prebuilts/api/30.0/private/compat/27.0/27.0.ignore.cil
  16. +2 −0 prebuilts/api/30.0/private/compat/28.0/28.0.cil
  17. +8 −0 prebuilts/api/30.0/private/compat/28.0/28.0.ignore.cil
  18. +2 −0 prebuilts/api/30.0/private/compat/29.0/29.0.cil
  19. +9 −0 prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
  20. +1 −1 prebuilts/api/30.0/private/domain.te
  21. +12 −0 prebuilts/api/30.0/private/ephemeral_app.te
  22. +0 −1 prebuilts/api/30.0/private/file_contexts
  23. +6 −0 prebuilts/api/30.0/private/genfs_contexts
  24. +12 −0 prebuilts/api/30.0/private/isolated_app.te
  25. +152 −0 prebuilts/api/30.0/private/isolated_base_app.te
  26. +10 −0 prebuilts/api/30.0/private/mac_permissions.xml
  27. +1 −0 prebuilts/api/30.0/private/platform_app.te
  28. +0 −18 prebuilts/api/30.0/private/preloads_copy.te
  29. +0 −15 prebuilts/api/30.0/private/priv_app.te
  30. +5 −0 prebuilts/api/30.0/private/property_contexts
  31. +20 −7 prebuilts/api/30.0/private/seapp_contexts
  32. +5 −0 prebuilts/api/30.0/private/storaged.te
  33. +0 −5 prebuilts/api/30.0/private/system_server.te
  34. +0 −16 prebuilts/api/30.0/private/system_server_startup.te
  35. +4 −0 prebuilts/api/30.0/private/system_suspend.te
  36. +15 −15 prebuilts/api/30.0/private/technical_debt.cil
  37. +19 −0 prebuilts/api/30.0/private/untrusted_app.te
  38. +19 −0 prebuilts/api/30.0/private/untrusted_app_25.te
  39. +19 −0 prebuilts/api/30.0/private/untrusted_app_27.te
  40. +19 −0 prebuilts/api/30.0/private/untrusted_app_29.te
  41. +0 −6 prebuilts/api/30.0/private/untrusted_app_all.te
  42. +16 −0 prebuilts/api/30.0/private/untrusted_base_app.te
  43. +43 −0 prebuilts/api/30.0/private/untrusted_base_app_25.te
  44. +32 −0 prebuilts/api/30.0/private/untrusted_base_app_27.te
  45. +19 −0 prebuilts/api/30.0/private/untrusted_base_app_29.te
  46. +17 −0 prebuilts/api/30.0/private/updater_app.te
  47. +3 −9 prebuilts/api/30.0/private/webview_zygote.te
  48. +3 −4 prebuilts/api/30.0/private/zygote.te
  49. +38 −40 prebuilts/api/30.0/public/app.te
  50. +3 −0 prebuilts/api/30.0/public/attributes
  51. +9 −5 prebuilts/api/30.0/public/domain.te
  52. +5 −0 prebuilts/api/30.0/public/dumpstate.te
  53. +4 −0 prebuilts/api/30.0/public/file.te
  54. +1 −1 prebuilts/api/30.0/public/hal_camera.te
  55. +1 −1 prebuilts/api/30.0/public/hal_drm.te
  56. +1 −1 prebuilts/api/30.0/public/hal_omx.te
  57. +1 −1 prebuilts/api/30.0/public/hal_sensors.te
  58. +0 −1 prebuilts/api/30.0/public/healthd.te
  59. +6 −0 prebuilts/api/30.0/public/init.te
  60. +9 −0 prebuilts/api/30.0/public/isolated_base_app.te
  61. +7 −0 prebuilts/api/30.0/public/property_contexts
  62. +1 −1 prebuilts/api/30.0/public/te_macros
  63. +3 −0 prebuilts/api/30.0/public/ueventd.te
  64. +3 −0 prebuilts/api/30.0/public/uncrypt.te
  65. +19 −0 prebuilts/api/30.0/public/untrusted_base_app.te
  66. +19 −0 prebuilts/api/30.0/public/untrusted_base_app_25.te
  67. +19 −0 prebuilts/api/30.0/public/untrusted_base_app_27.te
  68. +19 −0 prebuilts/api/30.0/public/untrusted_base_app_29.te
  69. +1 −0 prebuilts/api/30.0/public/update_engine.te
  70. +3 −0 prebuilts/api/30.0/public/update_engine_common.te
  71. +5 −0 prebuilts/api/30.0/public/updater_app.te
  72. +3 −0 prebuilts/api/30.0/public/vold.te
  73. +20 −2 private/app_neverallows.te
  74. +3 −9 private/app_zygote.te
  75. +1 −0 private/compat/26.0/26.0.cil
  76. +8 −0 private/compat/26.0/26.0.ignore.cil
  77. +1 −0 private/compat/27.0/27.0.cil
  78. +8 −0 private/compat/27.0/27.0.ignore.cil
  79. +2 −0 private/compat/28.0/28.0.cil
  80. +8 −0 private/compat/28.0/28.0.ignore.cil
  81. +2 −0 private/compat/29.0/29.0.cil
  82. +9 −0 private/compat/29.0/29.0.ignore.cil
  83. +1 −1 private/domain.te
  84. +12 −0 private/ephemeral_app.te
  85. +0 −1 private/file_contexts
  86. +6 −0 private/genfs_contexts
  87. +12 −0 private/isolated_app.te
  88. +152 −0 private/isolated_base_app.te
  89. +10 −0 private/mac_permissions.xml
  90. +1 −0 private/platform_app.te
  91. +0 −18 private/preloads_copy.te
  92. +0 −15 private/priv_app.te
  93. +5 −0 private/property_contexts
  94. +20 −7 private/seapp_contexts
  95. +5 −0 private/storaged.te
  96. +0 −5 private/system_server.te
  97. +0 −16 private/system_server_startup.te
  98. +4 −0 private/system_suspend.te
  99. +15 −15 private/technical_debt.cil
  100. +19 −0 private/untrusted_app.te
  101. +19 −0 private/untrusted_app_25.te
  102. +19 −0 private/untrusted_app_27.te
  103. +19 −0 private/untrusted_app_29.te
  104. +0 −6 private/untrusted_app_all.te
  105. +16 −0 private/untrusted_base_app.te
  106. +43 −0 private/untrusted_base_app_25.te
  107. +32 −0 private/untrusted_base_app_27.te
  108. +19 −0 private/untrusted_base_app_29.te
  109. +17 −0 private/updater_app.te
  110. +3 −9 private/webview_zygote.te
  111. +3 −4 private/zygote.te
  112. +38 −40 public/app.te
  113. +3 −0 public/attributes
  114. +9 −5 public/domain.te
  115. +5 −0 public/dumpstate.te
  116. +4 −0 public/file.te
  117. +1 −1 public/hal_camera.te
  118. +1 −1 public/hal_drm.te
  119. +1 −1 public/hal_omx.te
  120. +1 −1 public/hal_sensors.te
  121. +0 −1 public/healthd.te
  122. +6 −0 public/init.te
  123. +9 −0 public/isolated_base_app.te
  124. +7 −0 public/property_contexts
  125. +1 −1 public/te_macros
  126. +3 −0 public/ueventd.te
  127. +3 −0 public/uncrypt.te
  128. +19 −0 public/untrusted_base_app.te
  129. +19 −0 public/untrusted_base_app_25.te
  130. +19 −0 public/untrusted_base_app_27.te
  131. +19 −0 public/untrusted_base_app_29.te
  132. +1 −0 public/update_engine.te
  133. +3 −0 public/update_engine_common.te
  134. +5 −0 public/updater_app.te
  135. +3 −0 public/vold.te
  136. +2 −0 tests/treble_sepolicy_tests.py
17 changes: 13 additions & 4 deletions Android.mk
@@ -149,6 +149,9 @@ sepolicy_build_files := security_classes \
genfs_contexts \
port_contexts

sepolicy_compat_files := $(foreach ver, $(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
$(addprefix compat/$(ver)/, $(addsuffix .cil, $(ver))))

# Security classes and permissions defined outside of system/sepolicy.
security_class_extension_files := $(call build_policy, security_classes access_vectors, \
$(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
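Review bot: `sepolicy_compat_files` is introduced between `sepolicy_build_files` and the security-class extension block with no comment, and nothing in the assignment says that its entries are relative paths of the form compat/<ver>/<ver>.cil intended to be resolved per partition through `build_policy`. A one-line comment above it, in the style of the "Security classes and permissions defined outside of system/sepolicy." comment that follows, would make the intent clear to the next reader.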
@@ -379,8 +382,11 @@ endif

ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
LOCAL_REQUIRED_MODULES += \
system_ext_mapping_file \
$(addprefix system_ext_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
system_ext_mapping_file

system_ext_compat_files := $(call build_policy, $(sepolicy_compat_files), $(SYSTEM_EXT_PRIVATE_POLICY))

LOCAL_REQUIRED_MODULES += $(addprefix system_ext_, $(notdir $(system_ext_compat_files)))

endif
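Review bot: in the HAS_SYSTEM_EXT_PUBLIC_SEPOLICY block the compat mapping modules change from a requirement for every entry of PLATFORM_SEPOLICY_COMPAT_VERSIONS to whatever `build_policy` finds under SYSTEM_EXT_PRIVATE_POLICY, so a mapping file that is missing by mistake now drops out of LOCAL_REQUIRED_MODULES without a build error. If that is the intended trade-off, state it in a comment next to `system_ext_compat_files`. Also consider wrapping the `$(notdir ...)` result in `$(sort ...)`, because if SYSTEM_EXT_PRIVATE_POLICY lists more than one directory and two of them carry a file for the same version, the same module name is appended twice.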

@@ -405,8 +411,11 @@ endif

ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
LOCAL_REQUIRED_MODULES += \
product_mapping_file \
$(addprefix product_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
product_mapping_file

product_compat_files := $(call build_policy, $(sepolicy_compat_files), $(PRODUCT_PRIVATE_POLICY))

LOCAL_REQUIRED_MODULES += $(addprefix product_, $(notdir $(product_compat_files)))

endif
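Review bot: `product_compat_files` repeats the system_ext logic line for line, and like `system_ext_compat_files` it is a file-scope make variable assigned with `:=` inside the `ifdef` and never cleared, so its value stays visible to everything parsed after this block. Suggest resetting both after use (`product_compat_files :=`) and, since the two blocks differ only in the prefix and the policy directory variable, factoring them into one helper that takes those two values as arguments.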

7 changes: 5 additions & 2 deletions prebuilts/api/28.0/plat_pub_versioned.cil
Original file line number Diff line number Diff line change
@@ -4,7 +4,7 @@
(typeattribute domain)
(typeattributeset domain (adbd_28_0 audioserver_28_0 blkid_28_0 blkid_untrusted_28_0 bluetooth_28_0 bootanim_28_0 bootstat_28_0 bufferhubd_28_0 cameraserver_28_0 charger_28_0 clatd_28_0 cppreopts_28_0 crash_dump_28_0 dex2oat_28_0 dhcp_28_0 dnsmasq_28_0 drmserver_28_0 dumpstate_28_0 e2fs_28_0 ephemeral_app_28_0 fingerprintd_28_0 fsck_28_0 fsck_untrusted_28_0 gatekeeperd_28_0 healthd_28_0 hwservicemanager_28_0 idmap_28_0 incident_28_0 incident_helper_28_0 incidentd_28_0 init_28_0 inputflinger_28_0 install_recovery_28_0 installd_28_0 isolated_app_28_0 kernel_28_0 keystore_28_0 lmkd_28_0 logd_28_0 logpersist_28_0 mdnsd_28_0 mediacodec_28_0 mediadrmserver_28_0 mediaextractor_28_0 mediametrics_28_0 mediaprovider_28_0 mediaserver_28_0 modprobe_28_0 mtp_28_0 netd_28_0 netutils_wrapper_28_0 nfc_28_0 otapreopt_chroot_28_0 otapreopt_slot_28_0 performanced_28_0 perfprofd_28_0 platform_app_28_0 postinstall_28_0 postinstall_dexopt_28_0 ppp_28_0 preopt2cachename_28_0 priv_app_28_0 profman_28_0 racoon_28_0 radio_28_0 recovery_28_0 recovery_persist_28_0 recovery_refresh_28_0 runas_28_0 sdcardd_28_0 secure_element_28_0 servicemanager_28_0 sgdisk_28_0 shared_relro_28_0 shell_28_0 slideshow_28_0 su_28_0 surfaceflinger_28_0 system_app_28_0 system_server_28_0 tee_28_0 thermalserviced_28_0 tombstoned_28_0 toolbox_28_0 traced_probes_28_0 traceur_app_28_0 tzdatacheck_28_0 ueventd_28_0 uncrypt_28_0 untrusted_app_28_0 untrusted_app_27_28_0 untrusted_app_25_28_0 untrusted_v2_app_28_0 update_engine_28_0 update_verifier_28_0 usbd_28_0 vdc_28_0 vendor_init_28_0 vendor_shell_28_0 virtual_touchpad_28_0 vndservicemanager_28_0 vold_28_0 vold_prepare_subdirs_28_0 vr_hwc_28_0 watchdogd_28_0 webview_zygote_28_0 wificond_28_0 wpantund_28_0 zygote_28_0))
(typeattribute fs_type)
(typeattributeset fs_type (device_28_0 labeledfs_28_0 pipefs_28_0 sockfs_28_0 rootfs_28_0 proc_28_0 proc_security_28_0 proc_drop_caches_28_0 proc_overcommit_memory_28_0 proc_min_free_order_shift_28_0 usermodehelper_28_0 sysfs_usermodehelper_28_0 qtaguid_proc_28_0 proc_qtaguid_stat_28_0 proc_bluetooth_writable_28_0 proc_abi_28_0 proc_asound_28_0 proc_buddyinfo_28_0 proc_cmdline_28_0 proc_cpuinfo_28_0 proc_dirty_28_0 proc_diskstats_28_0 proc_extra_free_kbytes_28_0 proc_filesystems_28_0 proc_hostname_28_0 proc_hung_task_28_0 proc_interrupts_28_0 proc_iomem_28_0 proc_kmsg_28_0 proc_loadavg_28_0 proc_max_map_count_28_0 proc_meminfo_28_0 proc_misc_28_0 proc_modules_28_0 proc_mounts_28_0 proc_net_28_0 proc_page_cluster_28_0 proc_pagetypeinfo_28_0 proc_panic_28_0 proc_perf_28_0 proc_pid_max_28_0 proc_pipe_conf_28_0 proc_random_28_0 proc_sched_28_0 proc_stat_28_0 proc_swaps_28_0 proc_sysrq_28_0 proc_timer_28_0 proc_tty_drivers_28_0 proc_uid_cputime_showstat_28_0 proc_uid_cputime_removeuid_28_0 proc_uid_io_stats_28_0 proc_uid_procstat_set_28_0 proc_uid_time_in_state_28_0 proc_uid_concurrent_active_time_28_0 proc_uid_concurrent_policy_time_28_0 proc_uid_cpupower_28_0 proc_uptime_28_0 proc_version_28_0 proc_vmallocinfo_28_0 proc_vmstat_28_0 proc_zoneinfo_28_0 selinuxfs_28_0 cgroup_28_0 cgroup_bpf_28_0 sysfs_28_0 sysfs_android_usb_28_0 sysfs_uio_28_0 sysfs_batteryinfo_28_0 sysfs_bluetooth_writable_28_0 sysfs_dm_28_0 sysfs_dt_firmware_android_28_0 sysfs_ipv4_28_0 sysfs_kernel_notes_28_0 sysfs_leds_28_0 sysfs_hwrandom_28_0 sysfs_nfc_power_writable_28_0 sysfs_wake_lock_28_0 sysfs_mac_address_28_0 sysfs_net_28_0 sysfs_power_28_0 sysfs_rtc_28_0 sysfs_switch_28_0 sysfs_usb_28_0 sysfs_wakeup_reasons_28_0 sysfs_fs_ext4_features_28_0 fs_bpf_28_0 configfs_28_0 sysfs_devices_system_cpu_28_0 sysfs_lowmemorykiller_28_0 sysfs_wlan_fwpath_28_0 sysfs_vibrator_28_0 sysfs_thermal_28_0 sysfs_zram_28_0 sysfs_zram_uevent_28_0 inotify_28_0 devpts_28_0 tmpfs_28_0 shm_28_0 mqueue_28_0 fuse_28_0 
sdcardfs_28_0 vfat_28_0 exfat_28_0 debugfs_28_0 debugfs_mmc_28_0 debugfs_trace_marker_28_0 debugfs_tracing_28_0 debugfs_tracing_debug_28_0 debugfs_tracing_instances_28_0 debugfs_wakeup_sources_28_0 debugfs_wifi_tracing_28_0 pstorefs_28_0 functionfs_28_0 oemfs_28_0 usbfs_28_0 binfmt_miscfs_28_0 app_fusefs_28_0))
(typeattributeset fs_type (device_28_0 labeledfs_28_0 pipefs_28_0 sockfs_28_0 rootfs_28_0 proc_28_0 proc_security_28_0 proc_drop_caches_28_0 proc_overcommit_memory_28_0 proc_min_free_order_shift_28_0 usermodehelper_28_0 sysfs_usermodehelper_28_0 qtaguid_proc_28_0 proc_qtaguid_stat_28_0 proc_bluetooth_writable_28_0 proc_abi_28_0 proc_asound_28_0 proc_buddyinfo_28_0 proc_cmdline_28_0 proc_cpuinfo_28_0 proc_deny_new_usb_28_0 proc_dirty_28_0 proc_diskstats_28_0 proc_extra_free_kbytes_28_0 proc_filesystems_28_0 proc_hostname_28_0 proc_hung_task_28_0 proc_interrupts_28_0 proc_iomem_28_0 proc_kmsg_28_0 proc_loadavg_28_0 proc_max_map_count_28_0 proc_meminfo_28_0 proc_misc_28_0 proc_modules_28_0 proc_mounts_28_0 proc_net_28_0 proc_page_cluster_28_0 proc_pagetypeinfo_28_0 proc_panic_28_0 proc_perf_28_0 proc_pid_max_28_0 proc_pipe_conf_28_0 proc_random_28_0 proc_sched_28_0 proc_stat_28_0 proc_swaps_28_0 proc_sysrq_28_0 proc_timer_28_0 proc_tty_drivers_28_0 proc_uid_cputime_showstat_28_0 proc_uid_cputime_removeuid_28_0 proc_uid_io_stats_28_0 proc_uid_procstat_set_28_0 proc_uid_time_in_state_28_0 proc_uid_concurrent_active_time_28_0 proc_uid_concurrent_policy_time_28_0 proc_uid_cpupower_28_0 proc_uptime_28_0 proc_version_28_0 proc_vmallocinfo_28_0 proc_vmstat_28_0 proc_zoneinfo_28_0 selinuxfs_28_0 cgroup_28_0 cgroup_bpf_28_0 sysfs_28_0 sysfs_android_usb_28_0 sysfs_uio_28_0 sysfs_batteryinfo_28_0 sysfs_bluetooth_writable_28_0 sysfs_dm_28_0 sysfs_dt_firmware_android_28_0 sysfs_ipv4_28_0 sysfs_kernel_notes_28_0 sysfs_leds_28_0 sysfs_hwrandom_28_0 sysfs_nfc_power_writable_28_0 sysfs_wake_lock_28_0 sysfs_mac_address_28_0 sysfs_net_28_0 sysfs_power_28_0 sysfs_rtc_28_0 sysfs_switch_28_0 sysfs_usb_28_0 sysfs_wakeup_reasons_28_0 sysfs_fs_ext4_features_28_0 fs_bpf_28_0 configfs_28_0 sysfs_devices_system_cpu_28_0 sysfs_lowmemorykiller_28_0 sysfs_wlan_fwpath_28_0 sysfs_vibrator_28_0 sysfs_thermal_28_0 sysfs_zram_28_0 sysfs_zram_uevent_28_0 inotify_28_0 devpts_28_0 tmpfs_28_0 shm_28_0 
mqueue_28_0 fuse_28_0 sdcardfs_28_0 vfat_28_0 exfat_28_0 debugfs_28_0 debugfs_mmc_28_0 debugfs_trace_marker_28_0 debugfs_tracing_28_0 debugfs_tracing_debug_28_0 debugfs_tracing_instances_28_0 debugfs_wakeup_sources_28_0 debugfs_wifi_tracing_28_0 pstorefs_28_0 functionfs_28_0 oemfs_28_0 usbfs_28_0 binfmt_miscfs_28_0 app_fusefs_28_0))
(typeattribute contextmount_type)
(typeattributeset contextmount_type (oemfs_28_0 app_fusefs_28_0))
(typeattribute file_type)
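Review bot: the only change to the `fs_type` set is the insertion of `proc_deny_new_usb_28_0` after `proc_cpuinfo_28_0`, but because the whole `typeattributeset` sits on one line the diff shows the full list twice and the single new token is easy to miss. The commit that carries this should name the new type in its message and say why a file under prebuilts/api/28.0 is being edited by hand, so a reviewer can confirm that this one-token insertion is the entire change to the line.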
@@ -21,7 +21,7 @@
(typeattributeset vendor_file_type (vendor_hal_file_28_0 vendor_file_28_0 vendor_app_file_28_0 vendor_configs_file_28_0 same_process_hal_file_28_0 vndk_sp_file_28_0 vendor_framework_file_28_0 vendor_overlay_file_28_0 mediacodec_exec_28_0 vendor_shell_exec_28_0 vendor_toolbox_exec_28_0))
(typeattribute proc_type)
(expandtypeattribute (proc_type) false)
(typeattributeset proc_type (proc_28_0 proc_security_28_0 proc_drop_caches_28_0 proc_overcommit_memory_28_0 proc_min_free_order_shift_28_0 usermodehelper_28_0 qtaguid_proc_28_0 proc_qtaguid_stat_28_0 proc_bluetooth_writable_28_0 proc_abi_28_0 proc_asound_28_0 proc_buddyinfo_28_0 proc_cmdline_28_0 proc_cpuinfo_28_0 proc_dirty_28_0 proc_diskstats_28_0 proc_extra_free_kbytes_28_0 proc_filesystems_28_0 proc_hostname_28_0 proc_hung_task_28_0 proc_interrupts_28_0 proc_iomem_28_0 proc_kmsg_28_0 proc_loadavg_28_0 proc_max_map_count_28_0 proc_meminfo_28_0 proc_misc_28_0 proc_modules_28_0 proc_mounts_28_0 proc_net_28_0 proc_page_cluster_28_0 proc_pagetypeinfo_28_0 proc_panic_28_0 proc_perf_28_0 proc_pid_max_28_0 proc_pipe_conf_28_0 proc_random_28_0 proc_sched_28_0 proc_stat_28_0 proc_swaps_28_0 proc_sysrq_28_0 proc_timer_28_0 proc_tty_drivers_28_0 proc_uid_cputime_showstat_28_0 proc_uid_cputime_removeuid_28_0 proc_uid_io_stats_28_0 proc_uid_procstat_set_28_0 proc_uid_time_in_state_28_0 proc_uid_concurrent_active_time_28_0 proc_uid_concurrent_policy_time_28_0 proc_uid_cpupower_28_0 proc_uptime_28_0 proc_version_28_0 proc_vmallocinfo_28_0 proc_vmstat_28_0 proc_zoneinfo_28_0))
(typeattributeset proc_type (proc_28_0 proc_security_28_0 proc_drop_caches_28_0 proc_overcommit_memory_28_0 proc_min_free_order_shift_28_0 usermodehelper_28_0 qtaguid_proc_28_0 proc_qtaguid_stat_28_0 proc_bluetooth_writable_28_0 proc_abi_28_0 proc_asound_28_0 proc_buddyinfo_28_0 proc_cmdline_28_0 proc_cpuinfo_28_0 proc_deny_new_usb_28_0 proc_dirty_28_0 proc_diskstats_28_0 proc_extra_free_kbytes_28_0 proc_filesystems_28_0 proc_hostname_28_0 proc_hung_task_28_0 proc_interrupts_28_0 proc_iomem_28_0 proc_kmsg_28_0 proc_loadavg_28_0 proc_max_map_count_28_0 proc_meminfo_28_0 proc_misc_28_0 proc_modules_28_0 proc_mounts_28_0 proc_net_28_0 proc_page_cluster_28_0 proc_pagetypeinfo_28_0 proc_panic_28_0 proc_perf_28_0 proc_pid_max_28_0 proc_pipe_conf_28_0 proc_random_28_0 proc_sched_28_0 proc_stat_28_0 proc_swaps_28_0 proc_sysrq_28_0 proc_timer_28_0 proc_tty_drivers_28_0 proc_uid_cputime_showstat_28_0 proc_uid_cputime_removeuid_28_0 proc_uid_io_stats_28_0 proc_uid_procstat_set_28_0 proc_uid_time_in_state_28_0 proc_uid_concurrent_active_time_28_0 proc_uid_concurrent_policy_time_28_0 proc_uid_cpupower_28_0 proc_uptime_28_0 proc_version_28_0 proc_vmallocinfo_28_0 proc_vmstat_28_0 proc_zoneinfo_28_0))
(typeattribute sysfs_type)
(typeattributeset sysfs_type (sysfs_usermodehelper_28_0 sysfs_28_0 sysfs_android_usb_28_0 sysfs_uio_28_0 sysfs_batteryinfo_28_0 sysfs_bluetooth_writable_28_0 sysfs_dm_28_0 sysfs_dt_firmware_android_28_0 sysfs_ipv4_28_0 sysfs_kernel_notes_28_0 sysfs_leds_28_0 sysfs_hwrandom_28_0 sysfs_nfc_power_writable_28_0 sysfs_wake_lock_28_0 sysfs_mac_address_28_0 sysfs_net_28_0 sysfs_power_28_0 sysfs_rtc_28_0 sysfs_switch_28_0 sysfs_usb_28_0 sysfs_wakeup_reasons_28_0 sysfs_fs_ext4_features_28_0 sysfs_devices_system_cpu_28_0 sysfs_lowmemorykiller_28_0 sysfs_wlan_fwpath_28_0 sysfs_vibrator_28_0 sysfs_thermal_28_0 sysfs_zram_28_0 sysfs_zram_uevent_28_0))
(typeattribute debugfs_type)
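Review bot: `proc_deny_new_usb_28_0` is added to `proc_type` here and to `fs_type` in the previous hunk, and these two hand-edited lists have to agree with the attributes given where the type is declared. Please check that the declaration in public/file.te (listed in this comparison with +4 −0) assigns the same two attributes, so this prebuilt does not diverge from the policy it is meant to mirror.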
@@ -856,6 +856,9 @@
(type proc_cpuinfo)
(typeattribute proc_cpuinfo_28_0)
(roletype object_r proc_cpuinfo_28_0)
(type proc_deny_new_usb)
(typeattribute proc_deny_new_usb_28_0)
(roletype object_r proc_deny_new_usb_28_0)
(type proc_dirty)
(typeattribute proc_dirty_28_0)
(roletype object_r proc_dirty_28_0)
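Review bot: the new `proc_deny_new_usb` declaration follows the same three-line pattern as its neighbours `proc_cpuinfo` and `proc_dirty`, but nothing in this file labels a /proc node with the type or maps `proc_deny_new_usb_28_0` to the current type. Confirm that the genfs_contexts and private/compat/28.0/28.0.cil changes listed in this comparison contain the matching `genfscon` entry and mapping, and reference them in the commit message so the three pieces can be reviewed together.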