* changes:
Separate system_ext_mac_permissions.xml out of system sepolicy.
Separate system_ext_service_contexts out of system sepolicy.
Separate system_ext_property_contexts out of system sepolicy.
Separate system_ext_hwservice_contexts out of system sepolicy.
Separate system_ext_seapp_contexts out of system sepolicy.
Separate system_ext_file_contexts out of system sepolicy.
Separate system_ext_sepolicy.cil out of system sepolicy
Allow the shell domain to use the FS_IOC_GET_ENCRYPTION_POLICY and
FS_IOC_GET_ENCRYPTION_POLICY_EX ioctls so that we can write a CTS test
which checks that the device complies with the CDD requirements to use
appropriate algorithms for file-based encryption.
The information returned by these ioctls is already available in logcat,
but scraping the log for a CTS test seems fragile; I assume that people
would prefer a more robust solution.
For more details see change I9082241066cba82b531e51f9a5aec14526467162
Bug: 111311698
Test: the CTS test works after this change.
Change-Id: Ib9ce6b42fcfb6b546eb80a93ae8d17ac5a433984
Since these libraries were vndk-sp, previously, passthrough HALs were
able to load them. However, now that they have been removed from the
vndk-sp set (these libraries are empty), marking them as
same_process_hal_file so that vendor passthrough implementations that
still link against these empty libraries can still use them.
Bug: 135686713
Test: boot device using these libraries from an sphal (otherwise,
bootloops)
Change-Id: Ic5170eb0fcbb87c82bbea840dcfcb17899eaa899
Also, since fsverity_init has been rewriten in C++, shell execution is no
longer needed.
Test: no denial is generated
Bug: 112038744
Change-Id: I7e409cadd68cb6d5d8557a126a3b9e78063190be
Bug: 137712473
Test: boot crosshatch
Test: Moving product sepolicy to system_ext and checks the file contents in
/system_ext/etc/selinux are identical to previous contents in
/product/etc/selinux.
Change-Id: I434e7f23a1ae7d01d084335783255330329c44e9
Currently system sepolicy can be extended via:
- BOARD_PLAT_PUBLIC_SEPOLICY_DIR
- BOARD_PLAT_PRIVATE_SEPOLICY_DIR
To support having a single shared core system sepolicy, those
customization should be moved to the newly added system_ext partition.
System-ext-specific sepolicy files will be installed into
/system_ext/etc/selinux/*. system_ext_sepolicy.cil is merged into
precompiled_sepolicy at build-time. In case precompiled_sepolicy can't
be used (e.g. system-only-ota), the init will merge this file with
the rest of the sepolicy at runtime.
Bug: 137712473
Test: boot aosp_crosshatch with system_ext_sepolicy.cil
Test: boot aosp_crosshatch without system_ext_sepolicy.cil
Change-Id: I53984e8a973eff15de0653916203020dbabe9c03
This duplicated ashmem device is intended to replace ashmemd.
Ashmem fd has a label of the domain that opens it. Now with ashmemd
removed, ashmem fds can have labels other than "ashmemd", e.g.
"system_server". We add missing permissions to make ashmem fds usable.
Bug: 139855428
Test: boot device
Change-Id: Iec8352567f1e4f171f76db1272935eee59156954
ro.crypto.fde_algorithm
ro.crypto.fde_sector_size
ro.crypto.volume.contents_mode
These properties were not added to sepolicy export2vold. vold can't access
crypto algorithm type when flashing a GSI image and when the properties are in
/vendor/build.prop. This prevents FDE from working.
Bug: 141518844
Change-Id: I234bda439f6be7a2211a194856baf75800396232
Signed-off-by: yuguoxu <yuguoxu@allwinnertech.corp-partner.google.com>
This is the flag for when sepolicy is split. Also removed other
commented-out heuristics around fake-treble. We should aim to remove it
entirely instead.
Fixes: 141348590
Test: build w/ and without adding binder_in_vendor_violators to a vendor
process (and see the expected error there)
Change-Id: I29fb335cc5b5d6e117d93038fe458b8c74acf321
To aid in debugging if there are failures.
Bug: 137267623
Test: add prints to boringssl_self_test and see them
Change-Id: I34b20225514898911b3f476d4517430433eb379e
The 'stdio_to_kmsg' option will print stdout and stderr to
kmsg_debug. This requires init to be able to open kmsg_debug.
Test: services with stdio_to_kmsg can print to kmsg_debug
Change-Id: I63f0af8f079f7327c1224aa9e46f19d6549d875b
This is part of a series of updates to bug_map across all of android
tree.
Bug: 141014771
Test: Generated a denial, verified that the bug id in the dmesg logs
remains unchanged.
Change-Id: I852e8ac38a162cc074232f15d919212548d485bf
applypatch (called by install_recovery) used to back up the source
partition to /cache when installing the recovery image on non-A/B
devices. The change from the same topic drops the backup behavior.
The access to /cache was also the reason for having dac_override_allowed
(applypatch runs as root:root, while /cache is owned by system:cache
with 0770).
Bug: 68319577
Test: Invoke the code that installs recovery image; check that recovery
is installed successfully without denials.
Change-Id: I0533ba82260d0adb23b328e6eef8bd6dda3d0439
This introduces some attributes that can be used to restrict access to
exported properties so that one can easily check from which the
properties can be accessed, and that OEMs can extend their own exported
properties.
Bug: 71814576
Bug: 131162102
Test: boot aosp_cf_x86_phone-userdebug
Test: logcat | grep "avc: "
Change-Id: I6f988ec1cb94fa64563ca6cb91b7702da5d604e3
Allow dumpsys to dump process information for bug reports.
Test: build
Test: adb bugreport
Bug: 140541614
Change-Id: Ia361e8c8de2cc5f798e746dffcf067393fd6bcae
This new apex is a VNDK APEX which is going to replace /system/lib/vndk
libraries.
Bug: 134357236
Bug: 139772411
Test: m com.android.vndk
Change-Id: I9bdda5bc7862917a196b894cc562e0351db76c52
The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
when init is executing other binaries. The use of LD_PRELOAD for init spawned
services is generally considered a no-no, as it injects libraries which the
binary was not expecting. This is especially problematic for APEXes. The use
of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
code into a process which wasn't expecting that code, with potentially
unexpected side effects.
Test: compiles
Bug: 140789528
Change-Id: Ia781ec7318e700cddfd52df97c504b771f413504
This exception is needed for overriding gated changes in tests.
Bug: 140367850
Test: http://aosp/1113771
Change-Id: I2a76f92fe06c1c759a537dea7539a8899f02b15e
This reverts commit a9b718a1ed.
Reason for revert: No longer be necessary after
http://r.android.com/1120246 lands as this causes BoringSSL to only write
flag files if a particular environment variable is set, and this variable
will only be set for the self test binaries which have permission to
write to /dev/boringssl.
Bug: 140918050
Test: Manually observed audit log after change
Change-Id: I851f4aea991d91c67b64535829eea5b9594a3e2c
Bug: 136592946
Bug: 138261472
Test: Ran with the patch applied, confirmed surface flinger can access
the system property.
Change-Id: I259a488399c5e698de384322852ea81ea1a96e7d
Merged-In: I259a488399c5e698de384322852ea81ea1a96e7d
Binaries other than boringssl_self_test_exec are not allowed
to create marker files /dev/boringssl/selftest/[hash].
Right now, some processes still attempt to because:
- Some binaries run so early during early-init that
boringssl_self_test{32,64} hasn't had a chance to
run yet, so the marker file doesn't exist yet, so
the unprivileged process attempts to create it.
- Some binaries statically link libcrypto so their
[hash] is different from that used by
boringssl_self_test{32,64}.
There's some ongoing work to stop those binaries even
attempting to create the marker files but it's not a
big deal if they do. Similarly, there is ongoing work
to minimize or eliminate static linking of this library.
For now, this CL turns off audit logs for this behavior
since it is harmless (a cosmetic issue) and in order to
not hold up the bulk of the logic being submitted.
Bug: 137267623
Test: Treehugger
Change-Id: I3de664c5959efd130f761764fe63515795ea9b98
app_zygote used by for example Google Chrome needs access
to at least search /oem partition.
Google chrome version: 76.0.3809.132 is running in app_zygote
and the following access is blocked by selinux causing Chrome
to hang.
avc: denied { search } for pid=813 comm="d.chrome_zygote"
name="/" dev="sda42" ino=2 scontext=u:r:app_zygote:s0:c214,c256,c512,c768
tcontext=u:object_r:oemfs:s0 tclass=dir permissive=0 ppid=798
pcomm="d.chrome_zygote" pgid=798 pgcomm="d.chrome_zygote"
Change-Id: Idcce1a5ad1a8be3d7bd057c12ec477baa9669235
