Commit graph

931 commits

Author SHA1 Message Date
Satoshi Niwa
56a5c1c0db Add /system/bin/traced_relay to file_contexts
traced_relay is a service that takes the place of traced
in a guest VM and relays the producer connections to the
host tracing service. (aosp/2646664)

The service requires the same permissions as traced.

Bug: 333835162
Bug: 340402999
Test: Run traced_relay in a guest VM
Change-Id: Ifc7854e0d3ebaf0f9021cf455a2433037525a0bc
2024-06-13 04:17:37 +00:00
Nattharat Jariyanuntanaet
dd2e2ba866 Define UWB snoop log in sepolicy
Bug: 341014812
Test: manual, bugreport attached in the associated bugreport
Change-Id: I6e96663345263f2587d7ae2e73b7007b2bdcd640
2024-05-20 08:42:31 +00:00
Pawan Wagh
b071882d76 Allow system app and update_engine to read OTA from /vendor
Introuducing vendor_boot_ota_file which will be used to allow
reading OTAs from /vendor/boot_otas when BOARD_16K_OTA_MOVE_VENDOR := true
is set. These OTAs will be read from settings app(system_app) and update
engine.

Test: m, m Settings && adb install -r $ANDROID_PRODUCT_OUT/system_ext/priv-app/Settings/Settings.apk
Bug: 335022191
Change-Id: Ie42e0de12694ed74f9a98cd115f72d207f67c834
2024-05-02 01:14:47 +00:00
Ellen Arteca
27b515e70a Add SELinux policy for storage areas
We are adding the ability for apps to create "storage areas", which are
transparently encrypted directories that can only be opened when the
device is unlocked.
This CL makes the required SELinux policy changes.

First, assign the type "system_userdir_file" to the new top-level
directory /data/storage_area (non-recursively).  This is the same type
used by the other top-level directories containing app data, such as
/data/user, and it restricts access to the directory in the desired way.

Second, add new types to represent an app's directory of storage areas,
the storage areas themselves, and their contents:
`storage_area_app_dir`, `storage_area_dir`, and
`storage_area_content_file` respectively.
All are `app_data_file_type`s.
The directory structure and their associated labels is as follows (note
 that they also all get the categories of the user+package):
/data/storage_area/userId/pkgName
		storage_area_app_dir
/data/storage_area/userId/pkgName/storageAreaName
		storage_area_dir
/data/storage_area/userId/pkgName/storageAreaName/myFile.txt
		storage_area_content_file
/data/storage_area/userId/pkgName/storageAreaName/mySubDir
		storage_area_content_file

These new types allow us to restrict how and which processes interact
with storage areas.
The new type for the contents of storage areas allows us to add new,
desirable restrictions that we cannot add to the more general
`app_data_file` type in order to maintain backwards-compatibility,
e.g., we block apps from executing any files in their storage areas.

Third, allow:
-- vold_prepare_subdirs to create and delete
storage areas on behalf of apps, and assign them the SElinux type
`storage_area_dir`
i.e. create directories
/data/storage_area/$userId/$pkgName/$storageAreaName
-- vold to assign encryption policies to storage area directories
-- installd to create an app's directory of storage areas on app
install, and delete them on app uninstall, and assign them the SElinux
type `storage_area_app_dir`,
i.e. directories /data/storage_area/$userId/$pkgName

We also add a new SELinux type to represent the storage area encryption
keys: `storage_area_key_file`.
The keys are created by vold on storage area creation, and deleted
either by vold if an app calls
the `deleteStorageArea` API function explicitly, or by installd on
app uninstall.
These keys are stored in `/data/misc_ce/$userId/storage_area_keys`,
and only installd and vold have access to them.

Bug: 325121608
Test: atest StorageAreaTest
Change-Id: I74805d249f59226fc6963693f682c70949bfad93
2024-04-30 20:26:55 +00:00
William Loh
38b57bcc47 Add policy for /data/app-metadata
Bug: 336618214
Test: manual
Change-Id: If2da435f6622c6bc28a867c9a70e8efafe6524b0
2024-04-25 04:06:45 +00:00
Ted Bauer
ba5998d7a2 Merge "Let system server set permissions on marker file" into main 2024-04-10 21:16:43 +00:00
Ted Bauer
86405531d5 Let system server set permissions on marker file
System server needs to create a file in /metadata/aconfig, and set its
permissions.

Bug: 328444881
Test: m
Change-Id: I30aa576e46d8963e78ff21ad328160a99bd5d523
2024-04-10 15:26:01 +00:00
Jared Duke
abf12e1e9b Remove sepolicy for viewcompiler
This tool has been removed, so remove the associated sepolicy config.

Bug: 158121974
Test: m
Change-Id: I7fe3a731fe5680d192bae640b6fc3ccdacbc60d3
2024-04-04 23:23:10 +00:00
Steven Terrell
c5401edfb4 Changes to allow trace redactor to run
Updates to allow profiling module to run new trace_redactor binary.
Allow the trace_redactor binary to read the input trace file and write
the output file.

Bug: 327423523
Test: build/flash and
      atest CtsProfilingModuleTests#testRequestSystemTraceSuccess
Change-Id: Id6684d8a9891e9ed42fe115066e41a89a7e8a097
2024-04-03 23:35:36 +00:00
Jiakai Zhang
4acd07323e Update SELinux policy for Pre-reboot Dexopt.
- Add pm.dexopt.* properties.
- Add rules for running artd in chroot.

Bug: 311377497
Test: manual - Run Pre-reboot Dexopt and see no denial.
Change-Id: If5ff9b23e99be033f19ab257c90e0f52bf250ccf
2024-03-27 10:53:50 +00:00
Hansen Kurli
78f7da3136 Merge "Sepolicy setup for /data/misc/connectivityblobdb/" into main 2024-03-20 20:27:18 +00:00
Nikita Putikhin
69a21c0167 Add contexts for update_engine_nostats
Should be the same as for update_engine

Test: Boot the VM, make sure the service works.
Test: checkfc -t private/file_contexts contexts/plat_file_contexts_test
Bug: 328227527
Change-Id: I8521716dcf43e5e7c41c4ecd36be128bacbe07b4
2024-03-11 19:24:56 +01:00
Alice Ryhl
6b9aa6dc33 kcmdlinectrl: define system property for kcmdlinectrl
This defines the kcmdline_prop context for properties controlled by
kcmdlinectrl, and defines a property called kcmdline.binder for
switching between the Rust and C implementations of the Binder driver.

It is intended that additional kcmdline properties introduced in the
future would share the same kcmdline_prop context.

Test: Verified that setprop/getprop work and that the value is loaded properly at boot
Bug: 326222756
Change-Id: Iea362df98d729ee110b6058c6e5fa6b6ace03d8e
2024-03-06 12:05:24 +00:00
Hansen Kurli
0e638112f2 Sepolicy setup for /data/misc/connectivityblobdb/
Create a new folder for connectivity blobs, to be used by
ConnectivityBlobStore for VPN and WIFI to replace legacy
keystore.
System server will need permissions to manage databases in the
folder and system server will create the folder in init.rc.

Bug: 307903113
Test: checkfc -t private/file_contexts contexts/plat_file_contexts_test
Test: build and manual test.
Change-Id: Ib51632af9624d8c3ebf2f752547e162a3fbbb1b0
2024-03-05 19:52:20 +00:00
Daniele Di Proietto
9a997590e1 Add perfetto persistent tracing configuration file
Bug: 325622427
Change-Id: Ia77a029dfddfb3108bb6fdd2d3c6d5b4d9909f7b
2024-03-05 11:30:36 +00:00
Kangping Dong
564f1296b8 Merge "[Thread] limit ot-daemon socket to ot-ctl" into main 2024-03-05 11:18:56 +00:00
Kangping Dong
90495cc79f [Thread] limit ot-daemon socket to ot-ctl
It's better to explicitly disallow access to ot-daemon from other than
ot-ctl.

Bug: 323502847
Change-Id: Ic46ad4e8f3a1d21bbfc9f4f01e6a692aafcdb815
2024-02-29 23:43:34 +08:00
Dennis Shen
f008c29e47 aconfig_storage: setup RO partitions aconfig storage files SELinux
policy

system, system_ext, product and vendor partitions have aconfig storage
files under /<partition>/etc/aconfig dir. need to grant access to
aconfigd.

Bug: b/312459182
Test: m and tested with AVD
Change-Id: I9750c24ffa26994e4f5deadd9d772e31211a446a
2024-02-29 15:28:48 +00:00
Dennis Shen
2659257c76 aconfigd: create aconfig daemon selinux policy
Bug: b/312444587
Test: m and launch avd
Change-Id: I0156a9dee05139ec84541e0dff2f95285c97cfb9
2024-02-26 19:58:48 +00:00
Steven Moreland
9fca32695a Merge changes from topic "misctrl" into main
* changes:
  misctrl: add a property
  intro misctrl
2024-02-22 18:57:01 +00:00
Yisroel Forta
c5cb5a248d Add context that system server can access and perfetto can save traces to
Give perfetto rw dir and create file permissions for new directory.
Give system server control to read, write, search, unlink files from new directory.

Test: locally ensure traces can be written by perfetto and accessed and deleted by system server
Bug: 293957254
Change-Id: Id015429b48ffffb73e7a71addddd48a22e4740bf
2024-02-21 16:43:57 +00:00
Steven Moreland
b4f42d449b intro misctrl
Generic binary for managing the misc partition.

Bug: 317262681
Test: boot, check bugreport
Change-Id: Ib172d101d68409f2500b507df50b02953c392448
2024-02-20 18:56:05 +00:00
Håkan Kvist
1f915b4b13 label boot animations on oem with bootanim_oem_file
Bootanimation only access boot animation files on oem. Label
these files with bootanim_oem_file and remove oemfs file allow rule.

Also allow mediaserver and app to read this new label as they can access
/oem/media folder.

Bug: 324437684
Test: Confirm that boot animation on oem is shown without violations
Change-Id: I940ccde9391a5daa920f31926d32e68b1de5b7eb
2024-02-16 11:08:30 +01:00
Dennis Shen
6c8210da20 selinux setup for files under /metadata/aconfig dir
1, /metadata/aconfig is the directory that stores aconfig storage
related protobuf files and flag value files boot copy. Grant read
access to everybody. But limit the write access only to init and
aconfig storage service process (to be created later)

2, /metadata/aconfig/flags is the sub directory that stores persistent
aconfig value files.Initially set it up to be accessible by
system_server process only . When aconfig storage service process is
created, will add another permission to storage service process.

Context to why we are hosting flag data on /metadata partition:

Android is adopting trunk stable workflow, flagging and A/B testing is
essential to every platform component. We need some place to host the
flag that are accessible to system processes that starts before /data
partition becomes available.

In addition, there has been a long discussion regarding utilizing
/metadata partition for some process data, another example is mainline
modules, we are trying to make them to be able to be mounted earlier,
but cannot due to /data availability.

Bug: 312444587
Test: m
Change-Id: I7e7dae5cf8c4268d71229c770af31b5e9f071428
2024-02-14 17:56:29 +00:00
Hansen Kurli
34ee0b5da3 Merge "Remove all sepolicy relating to ppp/mtp." into main 2024-02-02 05:16:37 +00:00
Dan Shi
b230f4f10c Merge "Revert "audio: Provide a default implementation of IHalAdapterVe..."" into main 2024-02-01 21:57:51 +00:00
Dan Shi
0ad6f6bdd6 Revert "audio: Provide a default implementation of IHalAdapterVe..."
Revert submission 2929484-fix-b-321651892-ihaladapter

Reason for revert: possible cause of b/323385784

Reverted changes: /q/submissionid:2929484-fix-b-321651892-ihaladapter

Change-Id: I9664f8f9dd6eec159be7fbf3b148a12d44cef582
2024-02-01 19:32:34 +00:00
Mikhail Naganov
c301f8ef3d Merge "audio: Provide a default implementation of IHalAdapterVendorExtension" into main 2024-02-01 16:48:06 +00:00
Hansen Kurli
ff6cb347be Remove all sepolicy relating to ppp/mtp.
Legacy VPNs are removed, including the usage of mtpd/pppd.
Only the type ppp and mtp remain as there are usages elsewhere.

Bug: 161776767
Test: m, presubmit
Change-Id: I556b0daa55f9ea7bf844f6a52d10dda02e324ee0
2024-01-30 17:46:49 +08:00
Mikhail Naganov
00c2fedc5a audio: Provide a default implementation of IHalAdapterVendorExtension
This service is used by the audio server for translating
between legacy string KV pairs and AIDL vendor parameters.
It resides on the system_ext partition.

Since it has to be implemented by every SoC vendor, provide
an example implementation. This example service is added
to CF and GSI system_ext. Vendors can use their own names
and policy labels, the only thing that the audio server
depends on is the AIDL interface.

There is no fuzzer for this service because the example
implementation only contains trivial code (interface
methods are stubbed out).

Bug: 321651892
Test: atest audiorouting_tests
Change-Id: I8ab922660a30ffd44772987204ac4a28c1007c66
2024-01-26 15:35:51 -08:00
Youngtae Cha
0d106f832c Merge "Setting up SELinux policy for TelephonyCofnig" into main 2024-01-26 15:37:46 +00:00
Hansen Kurli
59bd48484b Merge "Remove all sepolicy relating to racoon" into main 2024-01-26 09:48:22 +00:00
Kangping Dong
0d6679a410 [Thread] move ot-daemon socket to /dev/socket/ot-daemon
On Android, unix sockets are located in /dev/socket/ and managed by
init. This commit follows the convention for ot-daemon

Bug: 320451788
Test: verified that ot-daemon can create socket
/dev/socket/ot-daemon/thread-wpan.sock

Change-Id: I6b0fe45602bb54d6d482f5be46ddb5402bea477b
2024-01-23 00:00:01 +08:00
youngtaecha
acbcf8a0ba Setting up SELinux policy for TelephonyCofnig
Bug: 320002105
Test: Build
Change-Id: I9cab4c1fd1f4fe77ca7a1d5e94dc5911debc3a28
2024-01-13 14:59:44 +00:00
Kangping Dong
e21496b105 [Thread] move Thread settings data to APEX data dir
This commit includes two sepolicy changes:
1. change threadnetwork data file to
/data/misc/apexdata/com.android.tethering/threadnetwork
2. use apex_tethering_data_file for files under
   /data/misc/apexdata/com.android.tethering

The background is that the Thread daemon (ot_daemon) is merged into the
Tethering mainline module, which means the the Tehtering module now has
code running in both system_server and the standalone unprivileged
ot_daemon process. To prevent ot_daemon from accessing other
apex_system_server_data_file dirs, here use the specific
apex_tethering_data_file for both Tethering and Thread files (A
subdirectory threadnetwork/ will be created for Thread at runtime). This
is similar to apex_art_data_file and apex_virt_data_file.

Note that a file_contexts rule like
```
/data/misc/apexdata/com\.android\.tethering/threadnetwork(/.*)?  u:object_r:apex_threadnetwork_data_file:s0
```
won't work because the threadnetwork/ subdir doesn't exist before the
sepolicy rules are evaluated.

Bug: 309932508
Test: manually verified that Thread settings file can be written to
      /data/misc/apexdata/com.android.tethering/threadnetwork
Change-Id: I66539865ef388115c8e9b388b43291d8faf1f384
2024-01-03 23:01:24 +08:00
Peter Collingbourne
4912d266e1 Mount /tmp as tmpfs.
/tmp is a volatile temporary storage location for the shell user.
As with /data/local/tmp, it is owned by shell:shell and is chmod 771.

Bug: 311263616
Change-Id: Ice0229d937989b097971d9db434d5589ac2da99a
2023-12-15 16:46:46 -08:00
Yu-Ting Tseng
43cae4ea24 Revert^2 "Update uprobestats SELinux policy"
This reverts commit 5e1d7f1c85.

Reason for revert: retry with a fix to the failed tests

Test: atest art_standalone_oatdump_tests
Change-Id: I28872c643ba4ec07ef41b1f9be86036c592a6e4e
2023-12-14 17:17:18 -08:00
Yu-Ting Tseng
5e1d7f1c85 Revert "Update uprobestats SELinux policy"
This reverts commit a87a13f16c.

Reason for revert: b/316386186

Change-Id: Ia39371ee9d96c1b1fdf71d67abc7765019c4f185
2023-12-14 19:50:49 +00:00
Yu-Ting Tseng
a87a13f16c Update uprobestats SELinux policy
The changes include
- allow binder calls to ActivityManager and NativePackageManager
- allow binder calls from system server
- allow writes of statsd atoms
- allow init to start uprobestats
- permission for uprobestats config files and propery
- allow execution of oatdump so it can look up code offsets
- allow scanning /proc.

Test: m selinux_policy
Change-Id: Id1864b7dac3a2c5dcd8736c4932778e36b658ce3
2023-12-13 16:49:23 -08:00
Daniel Norman
4245d0413b Allow system_server access to hidraw devices.
This allows AccessibilityManagerService in system_server to
interact with a HID-supported Braille Display.

Bug: 303522222
Test: ls -z /dev/hidraw0
Test: plat_file_contexts_test
Test: Open FileInputStream and FileOutputStream on this device
      path from AccessibilityManagerService
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:67a63cc046769759aa43cf1653f11e57c55cd1db)
Merged-In: I2982e907bd2a70c1e4e8161647d6efd65110b99c
Change-Id: I2982e907bd2a70c1e4e8161647d6efd65110b99c
2023-11-30 23:33:55 +00:00
Hansen Kurli
1aac0c51a0 Remove all sepolicy relating to racoon
Legacy VPNs are removed, including the usage of racoon.

Bug: 161776767
Test: m
Change-Id: I8211b3f00cc0213b1c89b269857adc7c21b97efb
2023-11-28 14:16:07 +08:00
Seungjae Yoo
d2a0892121 Introduce vendor_microdroid_file for microdroid vendor image
In AVF, virtualizationmanager checks the selinux label of given disk
image for proving whether the given image is edited maliciously.
Existing one(vendor_configs_file, /vendor/etc/*) was too wide to use for this purpose.

Bug: 285854379
Test: m
Change-Id: I6c966c92b238a2262d2eb7f41041ed4c359e9e0a
2023-11-16 16:44:15 +09:00
Thiébaud Weksteen
aead1ae441 Document the file_contexts evaluation
Remove a duplicate entry with its comment as the sorting logic is not
applied since commit dfa4a48b.

Bug: 299839280
Test: m selinux_policy
Change-Id: I4fa556c2ff8f114b56bba7ab32fac1d17373ef8b
2023-11-09 15:23:13 +11:00
Nate Myren
0e15f2d9c5 Add appcompat override files and contexts to SELinux
This also allows the zygote to bind mount the system properties

Bug: 291814949
Test: manual
Change-Id: Ie5540faaf3508bc2d244c952904838d56aa67434
2023-10-23 18:34:12 +00:00
Thiébaud Weksteen
a8bcaec228 Merge changes I3a6f9db9,Ifb4453d0,I33d88b42 into main
* changes:
  Refactor contextsTestModule
  Fix private/file_contexts entry order
  checkfc: validate that all rules are matching
2023-10-23 04:06:09 +00:00
Rhed Jao
ebe1316695 Create sepolicy for allowing system_server rw in /metadata/repair-mode
Bug: 277561275
Test: ls -all -Z /metadata/repair-mode
Change-Id: Ie27b6ef377bb3503e87fbc5bb2446bc0de396123
2023-10-23 13:38:38 +11:00
Thiébaud Weksteen
9c2a967114 Fix private/file_contexts entry order
Add test entries for property_service_for_system and virtual_camera.

Re-order file_contexts so that /data/vendor/tombstones/wifi and
/data/misc/perfetto-traces/bugreport are labelled correctly.

Bug: 299839280
Test: checkfc -t ./private/file_contexts ./contexts/plat_file_contexts_test pass
Change-Id: Ifb4453d02327b5cf678e6a4cd927b5df0960086b
2023-10-23 10:51:11 +11:00
Treehugger Robot
c5509a8ea0 Merge "Policy for virtual_camera native service" into main 2023-10-18 15:55:42 +00:00
Vadim Caen
f6e88ec70a Policy for virtual_camera native service
Change-Id: Id0c582f9259ffd056b22f111d7e81bc061c2371d
2023-10-13 16:42:11 +02:00
Treehugger Robot
57056e5249 Merge "Fix context for mapping/xx.yy.compat.cil files" into main 2023-10-11 03:18:57 +00:00