07af2808d5 (b/239632964) added
security policy support for /system_ext/bin/convert_to_ext4.sh.
This shell script converts f2fs filesystems into ext4 filesystems
on debuggable builds (userdebug or eng) only. Ever since 2022,
the security policy for this shell script has been in permissive
mode, meaning no SELinux rules were being enforced.
# convert-to-ext4-sh.te
permissive convert-to-ext4-sh;
In the intervening 2 years, there has been no attempt to move
this domain into enforcing mode. And by now, this script has
likely served its purpose, by converting f2fs /persist filesystems
on engineering builds to ext4, and is probably no longer needed.
This change eliminates the use of the unenforced convert-to-ext4-sh
security domain, preferring instead to use the "su" security domain.
Like convert-to-ext4-sh, the su security domain enforces no rules
on debuggable builds, and is equivalent to traditional root on
desktop Linux systems, or running /system/xbin/su. This change
eliminates unnecessary technical complexity, and unblocks other
hardening changes, such as WIP commit
https://android-review.googlesource.com/c/platform/system/sepolicy/+/3308856
Moving from one permissive domain ("convert-to-ext4-sh") to another
permissive domain ("su") should be a no-op from a security and
functionality perspective.
Test: compiles and builds, passes treehugger.
Bug: 239632964
Change-Id: Ifd628310a923926d1a57b568c7703cb857f0871b
The change also labeled files under /data/vendor/chre/ to grant
required access.
Test: compilation
Bug: 248615564
Change-Id: Ia96b7a592523e7b5e64acb8cb7ae4f0f1fc3a78b
remove mediacodec_samsung sepolicy in legacy path since we will include it from gs-common.
Bug: 318793681
Test: build pass, camera record, youtube
Change-Id: I08a9ce89155324b0ac749bde4a9d205585a57320
Signed-off-by: wenchangliu <wenchangliu@google.com>
Bug: 305120274
Test: Compile pass. Flash the build to WHI_PRO devices and no sensor
related avc denied log.
Change-Id: I48d959d439565e9c31ce83812bf29b6d8025c35b
Signed-off-by: Rick Chen <rickctchen@google.com>
Bug: 264490014
Test: 1. Enable tcpdump_logger always-on function
2. Dump bugreport
3. Pull dumpstate_board.bin and chagne it to zip
4. Unzip dumpstate_board.zip and check if tcpdump files
are there.
Change-Id: Ic804a3a4739ec5a9604320cb8e0fdae91b8429c1
Bug: 264490014
Test: 1. Enable tcpdump_logger always-on function
2. Dump bugreport
3. Pull dumpstate_board.bin and chagne it to zip
4. Unzip dumpstate_board.zip and check if tcpdump files
are there.
Change-Id: I0eb9352e349ae8f06e469e953f137b00204f1c3b
The CMA dump is common feature for pixel devices so move
it to gs-common.
Bug: 276901078
Test: dumpstate_board.txt on adb bugreport includes the info
Change-Id: I3997e27e3037f013338de5bc36687c63338769aa
Signed-off-by: Minchan Kim <minchan@google.com>
Allowing the ModemService write access to the sysfs attribute
cp_temp which is used to update the thermal zones.
Test: Verified sysfs attribute security labels
Bug: 267485434
Change-Id: I0915969bfa6354e1884088476fc59cd8027bd2f1
Signed-off-by: Mahesh Kallelil <kallelil@google.com>
The sepolicy must be self-contained without including wirelss_charger to
avoid build break in AOSP
Bug: 263830018
Change-Id: Ib3e36c9bb4b3048ce97592c3f68260035a32239d
Signed-off-by: Ken Yang <yangken@google.com>
Mitigation Logger logs battery related information for 1 second when it
is triggered by under voltage or over current interrupts. Information
collected is to help debug system brownout.
Bug: 228383769
Test: Boot and Test
Change-Id: Ia13f6b16dd35803873f20514c21a95ed8dd20a55
Signed-off-by: George Lee <geolee@google.com>
Creating a mechanism to save some USF stat history to device and pipe it
to bugreports. Granting permissions so that this can work.
Bug: 242320914
Test: Stats save and are visible in a bugreport.
Change-Id: Ie08fce80e79bd564ea58dab66ce8f0d9892d7020
Bug: 215271971
Test: no sepolicy for hardware info
Change-Id: Ic887e59878352fa5784a172af0453f3bb881e1f2
Signed-off-by: Denny cy Lee <dennycylee@google.com>
Bug: 235050913
Test: no Permission denied while accessing the file node
Signed-off-by: Jack Wu <wjack@google.com>
Change-Id: I7de0a374e1c98f4e9bbf36e39cb0131b0e9ffebc
Mitigation Logger logs battery related information for 1 second when it
is triggered by under voltage or over current interrupts. Information
collected is to help debug system brownout.
Bug: 228383769
Test: Boot and Test
Signed-off-by: George Lee <geolee@google.com>
Change-Id: I9ac873d03d57d9a6db8d9233f25c8fabdfc399a5
... as it has moved to system/sepolicy.
Bug: b/161819018
Test: presubmit
Change-Id: I107f92617bea56590b5af351341cc1c3b2844360
Merged-In: I107f92617bea56590b5af351341cc1c3b2844360
