ro.secure and ro.debuggable system properties are not intended
to be visible via Android SDK. This change blocks untrusted
apps from reading these properties.
Test: n/a for cherry-pick
Ignore-AOSP-First: cherry-pick for tm-qpr-dev
Bug: 193912100
Bug: 265874811
Change-Id: I40ac5d43da5778b5fa863b559c28e8d72961f831
Merged-In: I40ac5d43da5778b5fa863b559c28e8d72961f831
Cherry-pick note: This contains the original AOSP change plus
an addition to private/compat/32.0/32.0.ignore.cil which
does not _appear_ to be required on AOSP and future releases
but is required for tm-dev. If needed we can add this to
AOSP later.
Bug: 243933553
Test: m sepolicy_freeze_test
Change-Id: Idc011c66dfe71aa6c8dfdbc0b0377d2957571b83
Merged-In: Idc011c66dfe71aa6c8dfdbc0b0377d2957571b83
(cherry picked from commit 96268c6622)
Goal is to gain a better handle on who has access to which maps
and to allow (with bpfloader changes to create in one directory
and move into the target directory) per-map selection of
selinux context, while still having reasonable defaults for stuff
pinned directly into the target location.
BPFFS (ie. /sys/fs/bpf) labelling is as follows:
subdirectory selinux context mainline usecase / usable by
/ fs_bpf no (*) core operating system (ie. platform)
/net_private fs_bpf_net_private yes, T+ network_stack
/net_shared fs_bpf_net_shared yes, T+ network_stack & system_server
/netd_readonly fs_bpf_netd_readonly yes, T+ network_stack & system_server & r/o to netd
/netd_shared fs_bpf_netd_shared yes, T+ network_stack & system_server & netd [**]
/tethering fs_bpf_tethering yes, S+ network_stack
/vendor fs_bpf_vendor no, T+ vendor
* initial support for bpf was added back in P,
but things worked differently back then with no bpfloader,
and instead netd doing stuff by hand,
bpfloader with pinning into /sys/fs/bpf was (I believe) added in Q
(and was definitely there in R)
** additionally bpf programs are accesible to netutils_wrapper
for use by iptables xt_bpf extensions
'mainline yes' currently means shipped by the com.android.tethering apex,
but this is really another case of bad naming, as it's really
the 'networking/connectivity/tethering' apex / mainline module.
Long term the plan is to merge a few other networking mainline modules
into it (and maybe give it a saner name...).
The reason for splitting net_private vs tethering is that:
S+ must support 4.9+ kernels and S era bpfloader v0.2+
T+ must support 4.14+ kernels and T beta3 era bpfloader v0.13+
The kernel affects the intelligence of the in-kernel bpf verifier
and the available bpf helper functions. Older kernels have
a tendency to reject programs that newer kernels allow.
/ && /vendor are not shipped via mainline, so only need to work
with the bpfloader that's part of the core os.
Ignore-AOSP-First: will be cherrypicked from tm-dev to aosp/master
Bug: 218408035
Test: TreeHugger, manually on cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I674866ebe32aca4fc851818c1ffcbec12ac4f7d4
This change allows remote_prov_app to find mediametrics. This is a
permission that all apps have. It is now needed for remote_prov_app due
to a new feature related to provisioning Widevine through the MediaDrm
framework.
Ignore-AOSP-First: Need to cherry pick to TM-dev
Bug: 235491155
Test: no selinux denials related to remote_prov_app
Change-Id: Id3057b036486288358a9a84100fe808eb56df5fe
This is required for testing new ethernet APIs in T.
This change is not identical to the corresponding AOSP change
because it also needs to update the T prebuilts.
Test: TH
Bug: 171872016
Merged-In: I1e6024d7d649be50aa2321543b289f81fcdfc483
(cherry picked from commit 02b55354bd)
Change-Id: I1d620bcd9b3d02c6acb45636bb862f40282f636d
This change enables xfrm netlink socket use for the system server,
and the network_stack process. This will be used by IpSecService
to configure SAs, and network stack to monitor counters & replay
bitmaps for monitoring of IPsec tunnels.
This patch updates the prebuilts, in addition to the changes to the
master source.
Bug: 233392908
Test: Compiled
Merged-In: I25539dc579f21d6288fa962d1fad9b51573f017d
(cherry picked from commit b25b4bf53f)
Change-Id: I25539dc579f21d6288fa962d1fad9b51573f017d
Give system_server and network_stack the same permissions as netd.
This is needed as we are continuously moving code out of netd into
network_stack and system_server.
This change is not identical to the corresponding AOSP change
because it also needs to update the T prebuilts.
Test: TH
Bug: 233300834
Change-Id: I9559185081213fdeb33019733654ce95af816d99
(cherry picked from commit ab02397814)
Merged-In: I9559185081213fdeb33019733654ce95af816d99
Adding a new system property that will act as a toggle
enabling/disabling the framework changes that were submitted to prevent
leaked animators.
Bug: 233391022
Test: manual.
Ignore-AOSP-First: planning to commit to tm-dev then cherry-pick over to
AOSP later.
Change-Id: I57225feb50a3f3b4ac8c39998c47f263ae211b66
Bluetooth stack needs to read persist.logd.security and
ro.organization_owned sysprop (via __android_log_security())
to control security logging for Bluetooth events.
Bug: 232283779
Test: manual
Change-Id: Ic8162cd4a4436981a15acea6ac75079081790525
(cherry picked from commit a274858e3b)
Merged-In: Ic8162cd4a4436981a15acea6ac75079081790525
To perform sdk sandbox data isolation, the zygote gets the selinux label
of SDK sandbox storage (e.g. /data/misc_{ce,de}/<user-id>/sdksandbox)
before tmpfs is mounted onto /data/misc_{ce,de} (or other volumes). It
relabels it back once bind mounting of required sandbox data is done.
This change allows for the zygote to perform these operations.
Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Ignore-AOSP-First: Already merged in aosp
Change-Id: Ie8fd1f478fd12141bd6240cee96d0c3da55ba7a0
Merged-In: I28d1709ab4601f0fb1788435453ed19d023dc80b
Let vendor_init can react Vendor System Native Experiment
changes via persist.device_config.vendor_system_native.* properties.
Ignore-AOSP-First: Will cherry-pick
Bug: 223685902
Test: Build and check no avc denied messages in dmesg
Change-Id: If69d1dab02d6c36cdb1f6e668887f8afe03e5b0e
Currently, app process can freely execute path at
`/data/misc_ce/0/sdksandbox/<package-name>` since it's labeled as system
file. They can't read or write, but use 403/404
error to figure out if an app is installed or not.
By changing the selinux label of the parent directory:
`/data/misc_ce/0/sdksandbox`, we can restrict app process from executing
inside the directory and avoid the privacy leak.
Sandbox process should only have "search" permission on the new label so
that it can pass through it to its data directory located in
`/data/misc_ce/0/sdksandbox/<package-name>/<per-sdk-dir>`.
Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Test: `adb shell cd /data/misc_ce/0/sdksandbox` gives error
Test: manual test to verify webview still works
Ignore-AOSP-First: Test is missing in AOSP. Will cherry-pick to AOSP
once merged here.
Change-Id: Id8771b322d4eb5532eaf719f203ca94035e2a8ed
Bug: 231579544
Test: see allowlisted system properties in the VM
Ignore-AOSP-First: Cherry-pick from AOSP
Change-Id: Idb263087639e4677e437ac2fcd2726ee71547f48
Merged-In: Idb263087639e4677e437ac2fcd2726ee71547f48
We might want to change this in later android versions.
Ignore-AOSP-First: Already merged via aosp/2051365
Bug: b/228159127
Bug: b/227745962
Bug: b/229251344
Test: Manual
Change-Id: I8f425cc9f2759a29bdd2e6218ad0a1c40750e4f5
Merged-In: I8f425cc9f2759a29bdd2e6218ad0a1c40750e4f5
Merged-In: I2e308ca9ce58e71ac9d7d9b0fa515bdf2f5dfa1f
(cherry picked from commit 13bdca21d5)
(cherry picked from commit ce2b6da673)
