This gives us an easy way for the policy to refer to all existing or
future types used for app private data files in type= assignments in
seapp_contexts.
Apply the label to all the existing types, then refactor rules to use
the new attribute.
This is intended as a pure refactoring, except that:
- Some neverallow rules are extended to cover types they previously
omitted;
- We allow iorap_inode2filename limited access to shell_data_file and
nfc_data_file;
- We allow zygote limited access to system_app_data_file.
Also extend check_seapp to check that all types specified in
seapp_contexts files have the attribute, to ensure that the neverallow
rules apply to them. As a small bonus, also verify that domain and
type values are actually types not attributes.
Test: Presubmits
Test: Manual: specify an invalid type, build breaks.
Bug: 171795911
Change-Id: Iab6018af449dab3b407824e635dc62e3d81e07c9
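The check described in this commit (every type= in seapp_contexts carries the app-data-file attribute, and domain=/type= values are types rather than attributes), as an added Python illustration that is not the check_seapp tool itself; the attribute name app_data_file_type, the type and attribute sets, and the seapp_contexts excerpt are constructed for the example.

```python
import re

# Constructed policy knowledge (assumed, not taken from a real policy):
# known types, known attributes, and the types carrying the attribute
# that the commit introduces (assumed name: app_data_file_type).
POLICY_TYPES = {"untrusted_app", "platform_app", "app_data_file",
                "system_app_data_file", "shell_data_file", "bluetooth_data_file"}
POLICY_ATTRIBUTES = {"appdomain", "app_data_file_type", "domain"}
APP_DATA_FILE_TYPES = {"app_data_file", "system_app_data_file", "shell_data_file"}


def parse_seapp_line(line):
    """Return {key: value} for one seapp_contexts entry, or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    return dict(re.findall(r"(\w+)=(\S+)", line))


def check_seapp_contexts(text):
    """Return a list of error strings; an empty list means the file passes."""
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_seapp_line(raw)
        if entry is None:
            continue
        # domain= and type= must name types, not attributes (the "small bonus" check).
        for key in ("domain", "type"):
            value = entry.get(key)
            if value is None:
                continue
            if value in POLICY_ATTRIBUTES:
                errors.append(f"line {lineno}: {key}={value} is an attribute, not a type")
            elif value not in POLICY_TYPES:
                errors.append(f"line {lineno}: {key}={value} is not a known type")
        # Every type= value must carry the attribute so the neverallow rules cover it.
        t = entry.get("type")
        if t in POLICY_TYPES and t not in APP_DATA_FILE_TYPES:
            errors.append(f"line {lineno}: type={t} lacks the app_data_file_type attribute")
    return errors


# Constructed seapp_contexts excerpt: lines 4 and 5 are deliberately wrong.
SAMPLE = """\
# constructed seapp_contexts excerpt
user=_app domain=untrusted_app type=app_data_file levelFrom=user
user=system domain=platform_app type=system_app_data_file
user=_app seinfo=platform domain=appdomain type=app_data_file
user=bluetooth domain=platform_app type=bluetooth_data_file
"""

if __name__ == "__main__":
    for err in check_seapp_contexts(SAMPLE):
        print(err)
```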
This allows calling tcsetattr() with TCSAFLUSH, in addition to TCSANOW
and TCSADRAIN.
Fixes: 172740382
Test: manual
Change-Id: Idd2e9e0db2e0210df515f46d9d0323c6b517dd39
Commit 67c36884 changed the label of service.adb.tcp.port to allow
vendor init to set it, but accidentally prevented adbd from setting it,
which broke `adb tcpip`.
Bug: http://b/171280882
Test: `adb tcpip`
Change-Id: I154e2f43a4d3b72b27508ce02d66298673939738
Currently default_prop is readable by coredomain and appdomain. That's
too broad, and we are going to restrict the access so every property
should be added to property_contexts.
This adds some missing properties to property_contexts. Newly added
property contexts are:
- wrap.*: used by zygote to give arguments. It's assigned as
zygote_wrap_prop, and will be readable from coredomain.
- partition.{mount_name}.verified: used by dm-verity. It's assigned as
verity_status_prop, and will only be accessible from init.
- (ro.)?setupwizard.*: used by setup wizard. It's assigned as
setupwizard_prop, and will be readable from coredomain.
Other properties, such as ro.gfx.*, media.stagefright.*,
ro.storage_manager.* are also added to existing contexts.
Bug: 170590987
Test: boot crosshatch and see no denials
Change-Id: Ife9d69a62ee8bd7395a70cd104271898c8a72540
Test: ls -lZ /sys/kernel/tracing/printk_formats
[...] u:object_r:debugfs_tracing_printk_formats:s0 [...]
Test: setenforce 0;
runcon u:r:system_server:s0 cat /sys/kernel/tracing/printk_formats
logcat complains about /sys/kernel/tracing/printk_formats
Test: setenforce 0;
runcon u:r:traced_probes:s0 cat /sys/kernel/tracing/printk_formats
logcat does not complain about /sys/kernel/tracing/printk_formats
(need to setenforce 0, because otherwise the exec of ls is denied).
Bug: 70292203
Change-Id: I15ddef686f979c59daaba5263fa99aca3cd139e5
ro.actionable_compatible_property.enabled and ro.treble.enabled are in
system/build.prop, so they are assigned as build_prop. The other added
properties are introduced by build/make/core/sysprop.mk.
Bug: 170590987
Test: boot and see default_prop
Change-Id: I2ec1df99985ca81d27e657750eb8895fe4b85b35
Merged-In: I2ec1df99985ca81d27e657750eb8895fe4b85b35
Since many files can correspond to the same error, it can be hard to see
which file is causing the error for an attribute
Example, here I couldn't find which file was 'vendor_file':
The following types on / must be associated with the "no_fs_type"
attribute: vendor_file
corresponding to files: /cache/overlay/oem/upper
Bug: 154851797
Test: see above example
Change-Id: Ic96536da3ce55ccc5f600579b9f6b1b4f56fc93d
The suspend_control_aidl_interface is updated, renamed, and split
into android.system.suspend.control and
android.system.suspend.control.internal. This resulted in two suspend
services; update sepolicy to support this change.
Test: m
Bug: 171598743
Change-Id: I695bde405672af834fe662242347e62079f2e25f
This is required for ART's Checker tests, which are part of
(host-driven) ART run-tests, and will also be required to run ART
run-tests via TradeFed in AOT-compilation modes in the future.
Test: Run `atest art-run-test-004-checker-UnsafeTest18` with
https://android-review.googlesource.com/c/platform/tools/tradefederation/+/1484277
merged in, on a device where `adb` commands are not run as root
Bug: 162408889
Bug: 147812905
Change-Id: I3e4824bf15bdbad1ddf26601f871feec11313ecc
Adds missing partitions to Treble sepolicy tests, and makes exceptions
explicit.
Bug: 154851797
Test: build runs this test
Change-Id: I93f3e633981383d3d215d3a850f6ade12c910415
During first-stage init we spawn a daemon (snapuserd) to interact with
the dm-user kernel module. Immediately after sepolicy is loaded, we
launch the daemon again with the correct privileges, and kill the
original one.
In order for init to do this, it needs to be able to open and write to
the snapuserd socket (which is connected to the "correct" daemon), as
well as call flock() on /metadata/ota, which is how libsnapshot ensures
exclusive access to Virtual A/B snapshots.
Bug: 168259959
Test: no denials with Virtual A/B Compression enabled
Change-Id: Ic7fc78ca1a17673b878766e0f4dfe0265c1be768
These files are required by CTS tests.
Bug: 168540056
Bug: 170202980
Test: ApexSignatureVerificationTest
Change-Id: Ia88517d55003b67efaa94f500e3619bcacc91d80
Few domains are granted access to this, but they should have access
from any user.
Also add some neverallows to prevent misuse.
Bug: 170622707
Test: presubmits
Change-Id: Iacbe7b0525604f2339f8bf31c105af738bc3cd75
This reverts commit 6c99a6781c.
Reason for revert: build breaks on build test
Bug: 171847597
Test: None
Change-Id: I7d3556aa0f06684b43f80f09e4c8194c6c44336c
dm-user is a new device-mapper module, providing a FUSE-like service for
block devices. It creates control nodes as misc devices under
/dev/dm-user/. Make sure these nodes get a unique selabel.
snapuserd is a daemon for servicing requests from dm-user. It is a
low-level component of Virtual A/B updates, and provides the bridge
between dm-snapshot and the new COW format. For this reason it needs
read/write access to device-mapper devices.
Bug: 168259959
Test: ctl.start snapuserd, no denials
vts_libsnapshot_test, no denials
Change-Id: I36858a23941767f6127d6fbb9e6755c68b91ad31
Devices launched with S must use the new variable naming
scheme introduced in If8188feb365eb9e500f2270241fa190a20e9de01
"Android.mk: Support SYSTEM_EXT* sepolicy".
The old variable name
`BOARD_PLAT_{PUBLIC,PRIVATE}_SEPOLICY_DIR` no longer
accurately reflects its usage and as such is deprecated.
Test: `make selinux_policy` with PRODUCT_SHIPPING_API_LEVEL=26
`BOARD_PLAT_{PUBLIC,PRIVATE}_SEPOLICY_DIR` set,
observe additions in `$(TARGET_COPY_OUT_SYSTEM_EXT)/etc/selinux`
Test: `make selinux_policy` with PRODUCT_SHIPPING_API_LEVEL=31
`BOARD_PLAT_{PUBLIC,PRIVATE}_SEPOLICY_DIR` set,
observe error
Signed-off-by: Felix Elsner <google@ix5.org>
Change-Id: Ic4d1164be611836f6aa697fbf1cb1f1c73a3cd39
This property controls the minimal timing window that triggers init
process fatal abort, when the zygote service crashes repeatedly in it.
Bug: 146818493
Change-Id: Ibd371be0daf6510df8b4d1a1f12f0aab8d6392c7
Add proc_net rules into prebuilts/api/30.0/public/file.te to fix build
errors
After applying AOSP/1468206, TH complains about a build error:
Files system/sepolicy/prebuilts/api/30.0/public/file.te and
system/sepolicy/public/file.te differ
Bug: 145579144
Bug: 170265025
Test: build pass and reboot to check avc message in bugreport
Change-Id: I2085366b345c044e1b69f726809100fa43336c34
This CL allows the traced_probes service to temporarily
lower kptr_restrict and read /proc/kallsyms.
This is allowed only on userdebug/eng builds.
The lowering of kptr_restrict is done via an init
property because the kernel checks that the kptr_restrict
writer is CAP_SYS_ADMIN, regardless of the /proc file ACLs [1].
[1] 4cbffc461e/kernel/sysctl.c (L2254)
Bug: 136133013
Design doc: go/perfetto-kallsyms
Test: perfetto_integrationtests --gtest_filter=PerfettoTest.KernelAddressSymbolization in r.android.com/1454882
Change-Id: Ic06e7a9a74c0f3e42fa63f7f41decc385c9fea2c