As a side effect, commit ec50aa5180 ("Allow the init and apexd
processes to read all block device properties") removed permission for
the shell context to list the /sys/class/block directory. There is a
CTS test that relies on this (CtsNativeEncryptionTestCases), so grant
permission to do this again.
Bug: 196521739
Bug: 194450129
Test: Before this change, 'adb shell ls /sys/class/block' fails.
After this change, 'adb shell ls /sys/class/block' succeeds.
Change-Id: I87cb90880f927db1385887b35c84f4dd7f95021b
Merged-In: I87cb90880f927db1385887b35c84f4dd7f95021b
(cherry picked from commit ff53c4d16e)
As a side effect, commit ec50aa5180 ("Allow the init and apexd
processes to read all block device properties") removed permission for
the shell context to list the /sys/class/block directory. There is a
CTS test that relies on this (CtsNativeEncryptionTestCases), so grant
permission to do this again.
Bug: 196521739
Bug: 194450129
Test: Before this change, 'adb shell ls /sys/class/block' fails.
After this change, 'adb shell ls /sys/class/block' succeeds.
Change-Id: I87cb90880f927db1385887b35c84f4dd7f95021b
Merged-In: I87cb90880f927db1385887b35c84f4dd7f95021b
As a side effect, commit ec50aa5180 ("Allow the init and apexd
processes to read all block device properties") removed permission for
the shell context to list the /sys/class/block directory. There is a
CTS test that relies on this (CtsNativeEncryptionTestCases), so grant
permission to do this again.
Bug: 196521739
Bug: 194450129
Test: Before this change, 'adb shell ls /sys/class/block' fails.
After this change, 'adb shell ls /sys/class/block' succeeds.
Change-Id: I87cb90880f927db1385887b35c84f4dd7f95021b
Add deleteAllKeys to IKeystoreMaintenance and allow vold to call it.
Allow vold to read the property
`ro.crypto.metadata_init_delete_all_keys.enabled`
Bug: 187105270
Test: booted twice on Cuttlefish
Ignore-AOSP-First: no merge path to this branch from AOSP.
Merged-In: I2fb0e94db9d35c1f19ca7acb2f541cfb13c23524
Change-Id: I2fb0e94db9d35c1f19ca7acb2f541cfb13c23524
Add debug property name with phone id.
Bug: 194281028
Test: Build and verified there is no avc denied in the log
Change-Id: Ia7ca93a3390b2f59e894ca7ebce4cae9c0f83d28
Merged-In: Ia7ca93a3390b2f59e894ca7ebce4cae9c0f83d28
Add deleteAllKeys to IKeystoreMaintenance and allow vold to call it.
Allow vold to read the property
`ro.crypto.metadata_init_delete_all_keys.enabled`
Bug: 187105270
Test: booted twice on Cuttlefish
Change-Id: I2fb0e94db9d35c1f19ca7acb2f541cfb13c23524
Addressing b/194450129 requires configuring the I/O scheduler and the
queue depth of loop devices. Doing this in a generic way requires
iterating over the block devices under /sys/class/block and also to
examine the properties of the boot device (/dev/sda). Hence this patch
that allows 'init' and 'apexd' to read the properties of all block
devices. The patch that configures the queue depth is available at
https://android-review.googlesource.com/c/platform/system/core/+/1783847.
Bug: 194450129
Test: Built Android images, installed these on an Android device and verified that modified init and apexd processes do not trigger any SELinux complaints.
Ignore-AOSP-First: This patch is already in AOSP.
Merged-In: Icb62449fe0d21b3790198768a2bb8e808c7b968e
Change-Id: Icb62449fe0d21b3790198768a2bb8e808c7b968e
Signed-off-by: Bart Van Assche <bvanassche@google.com>
The init process configures swapping over zram over a loop device. An
I/O scheduler is associated with the loop device. Tests have shown that
no I/O scheduler works better than the default, mq-deadline. Hence
allow the init process to configure the loop device I/O scheduler.
Without this patch, the following SELinux denials are reported during
boot:
1 1 I auditd : type=1400 audit(0.0:4): avc: denied { read write } for comm="init" name="scheduler" dev="sysfs" ino=78312 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_loop:s0 tclass=file permissive=0
1 1 I auditd : type=1400 audit(0.0:4): avc: denied { read write } for comm="init" name="scheduler" dev="sysfs" ino=78312 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_loop:s0 tclass=file permissive=0
Bug: 194450129
Test: Built Android images and installed these on an Android device.
Ignore-AOSP-First: This patch is already in AOSP.
Merged-In: I0af0a92c53bb1f68b57f6814c431a7f03d8ea967
Change-Id: I0af0a92c53bb1f68b57f6814c431a7f03d8ea967
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Addressing b/194450129 requires configuring the I/O scheduler and the
queue depth of loop devices. Doing this in a generic way requires
iterating over the block devices under /sys/class/block and also to
examine the properties of the boot device (/dev/sda). Hence this patch
that allows 'init' and 'apexd' to read the properties of all block
devices. The patch that configures the queue depth is available at
https://android-review.googlesource.com/c/platform/system/core/+/1783847.
Test: Built Android images, installed these on an Android device and verified that modified init and apexd processes do not trigger any SELinux complaints.
Change-Id: Icb62449fe0d21b3790198768a2bb8e808c7b968e
Signed-off-by: Bart Van Assche <bvanassche@google.com>
The shell context can invoke app_process (ART runtime), which in turn
reads odsign_prop to determine whether we determined that the generated
artifacts are valid. Since this was denied until now, app processes
invoked through shell would fall back to JIT Zygote. This is probably
fine, but since fixing the denial is really simple (and not risky), this
option might be preferred over adding it to the bug map.
Bug: 194630189
Test: `adb shell sm` no longer generates a denial
Change-Id: Ia7c10aec53731e5fabd05f036b12e10d63878a30
The init process configures swapping over zram over a loop device. An
I/O scheduler is associated with the loop device. Tests have shown that
no I/O scheduler works better than the default, mq-deadline. Hence
allow the init process to configure the loop device I/O scheduler.
Without this patch, the following SELinux denials are reported during
boot:
1 1 I auditd : type=1400 audit(0.0:4): avc: denied { read write } for comm="init" name="scheduler" dev="sysfs" ino=78312 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_loop:s0 tclass=file permissive=0
1 1 I auditd : type=1400 audit(0.0:4): avc: denied { read write } for comm="init" name="scheduler" dev="sysfs" ino=78312 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_loop:s0 tclass=file permissive=0
Bug: 194450129
Test: Built Android images and installed these on an Android device.
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Change-Id: I0af0a92c53bb1f68b57f6814c431a7f03d8ea967
Previously vendor_sched is put under product area which will be replaced
by GSI. To solve it, move it to system/sepolicy.
Bug: 194656257
Test: build pass
Change-Id: I15801c0db0a8643cac2a2fc1f004db6fb21050dc
Merged-In: Ia0b855e3a876a58b58f79b4fba09293419797b47
Carve out a label for the property, and allow odsign to set it.
Bug: 194334176
Test: no denials
Change-Id: I9dafefabc27c679ed9f36e617e824f44f3b16bbd
Merged-In: I9dafefabc27c679ed9f36e617e824f44f3b16bbd
The denial occurs when system_server dynamically loads AOT artifacts at
runtime.
Sample message:
type=1400 audit(0.0:4): avc: denied { execute } for comm="system_server" path="/data/misc/apexdata/com.android.art/dalvik-cache/arm64/system@framework@com.android.location.provider.jar@classes.odex" dev="dm-37" ino=296 scontext=u:r:system_server:s0 tcontext=u:object_r:apex_art_data_file:s0 tclass=file permissive=0
Currently, system_server is only allowed to load AOT artifacts at startup. odrefresh compiles jars in SYSTEMSERVERCLASSPATH, which are supposed to be loaded by system_server at startup. However, com.android.location.provider is a special case that is not only loaded at startup, but also loaded dynamically as a shared library, causing the denial.
Therefore, this denial is currently expected. We need to compile com.android.location.provider so that its AOT artifacts can be picked up at system_server startup, but we cannot allow the artifacts to be loaded dynamically for now because further discussion about its security implications is needed. We will find a long term solution to this, tracked by b/194054685.
Test: Presubmits
Bug: 194054685
Change-Id: I3850ae022840bfe18633ed43fb666f5d88e383f6
Allows dexopt to read odsign verification status and use on-device
generated artifacts when dexopting after an OTA.
(cherry pick from change 5fcce9ded3)
Bug: 194069492
Ignore-AOSP-First: cherry pick of https://r.android.com/1771328
Test: manually apply ota, see no denials for reading property
Merged-In: I97acfc17ffd9291d1a81906c75039f01624dff0f
Change-Id: I05453570add7365e1c094d3ea316d53d7c52023a
Allows dexopt to read odsign verification status and use on-device
generated artifacts when dexopting after an OTA.
Bug: 194069492
Test: manually apply ota, see no denials for reading property
Change-Id: I97acfc17ffd9291d1a81906c75039f01624dff0f
This service was renamed in
commit 8aaf796f980f21a8acda73180a876095b960fc28
after the mapping files were originally created in
commit 4f20ff73ee.
Bug: 191304621
Test: Merge redfin_vf_s T-based system with S-based vendor.
Change-Id: I3430f13a3438c06c6cb469a35a80390f83b1c0b4
ro.lmk.filecache_min_kb property allows vendors to specify min filecache
size in KB that should be reached after thrashing is detected.
Bug: 193293513
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I927f4a1c81db3f284353fe4ab93bf454acff69b7
Merged-In: I927f4a1c81db3f284353fe4ab93bf454acff69b7
Additionally, remove the obsolete permission which allows keystore to
register callbacks with statsd. There's no direct communication between
keystore and statsd now.
Ignore-AOSP-First: Resolving merge conflicts.
Bug: 188590587
Test: statsd TestDrive script.
Merged-In: I31d202751ba78bb547822020260a7e366cb8826e
Change-Id: I31d202751ba78bb547822020260a7e366cb8826e
Additionally, remove the obsolete permission which allows keystore to
register callbacks with statsd. There's no direct communication between
keystore and statsd now.
Ignore-AOSP-First: No mergepath to AOSP.
Bug: 188590587
Test: statsd TestDrive script.
Merged-In: I31d202751ba78bb547822020260a7e366cb8826e
Change-Id: I31d202751ba78bb547822020260a7e366cb8826e
Additionally, remove the obsolete permission which allows keystore to
register callbacks with statsd. There's no direct communication between
keystore and statsd now.
Ignore-AOSP-First: No mergepath to AOSP.
Bug: 188590587
Test: statsd TestDrive script.
Merged-In: I31d202751ba78bb547822020260a7e366cb8826e
Change-Id: I31d202751ba78bb547822020260a7e366cb8826e
app_zygote inherits tmpfs files from zygote, and needs to be able to
stat them after fork.
Bug: 192634726
Bug: 192572973
Bug: 119800099
Test: forrest
Ignore-AOSP-First: cherry pick of https://r.android.com/1753279
Change-Id: I6ddf433dbbf4a894fcb6d35c0cb723444d360e47
Keystore2 atoms need to be rounted to statsd via a proxy.
The proxy needs to have this permission in order to pull metrics from
keystore.
Ignore-AOSP-First: No mergepath to AOSP.
Bug: 188590587
Test: Statsd Testdrive script
Change-Id: Ic94f4bb19a08b6300cfd2d3ed09b31d5b7081bfd
Merged-In: Ic94f4bb19a08b6300cfd2d3ed09b31d5b7081bfd
(cherry picked from commit 61d07e7ce0)
These denials were found in the logs of a test failure that entered
recovery mode.
Recovery uses libfs_mgr which reads /proc/bootconfig.
Test: Boot device into recovery and check for "avd: denied" logs
Bug: 191904998
Bug: 191737840
Ignore-AOSP-First: Merged-In not used to allow the change in prebuilts to merge
Change-Id: I96ae514cfd68856717e143d295f2838a7d0eff14
Bug: 187386527
Test: Boot and confirm HAL is up
Signed-off-by: Michael Ayoubi <mayoubi@google.com>
Change-Id: I2abf108f2504997b06c0269f905608d8063cb3b4
Merged-In: I2abf108f2504997b06c0269f905608d8063cb3b4
Bug: 187386527
Test: Boot and confirm HAL is up
Signed-off-by: Michael Ayoubi <mayoubi@google.com>
Change-Id: I2abf108f2504997b06c0269f905608d8063cb3b4
Merged-In: I2abf108f2504997b06c0269f905608d8063cb3b4
This change adds a neverallow rule in traced.te to limit the processes
that can find tracingproxy_service, the context for TracingServiceProxy.
I wanted to avoid moving the tracingproxy_service definition to public,
so there were a few services that are exempted from this neverallow
rule.
Bug: 191391382
Test: Manually verified that with this change, along with the other
change in this topic, I see no errors when taking a bugreport while a
Traceur trace is running and the expected trace is included in the
generated bugreport.
Change-Id: I28d0b1b08baac43a53fe5a1ff0f67b788d51dc74
Merged-In: I8658df0db92ae9cf4fefe2eebb4d6d9a5349ea89
Fixes: 191919967
Test: triggered bug on cf by running
m dist && python3 system/update_engine/scripts/update_device.py out/dist/cf_x86_64_phone-ota-eng.dariofreni.zip
Change-Id: I7a3abfdecd2d2276a291ab6c1ffe9a7d3f5fd60a
Merged-In: I7a3abfdecd2d2276a291ab6c1ffe9a7d3f5fd60a
Ignore-AOSP-first: this branch is not merging aosp changes anymore.
The primary goal is to have an ashmem region shared between the main app
process in Chrome (=Browser Process) and the app zygote. It can only be
passed from the App Zygote, since there is no communication in the other
direction. Passing of the file descriptor should happen by:
(A) inheriting via fork(2)
(B) using binder IPC
Currently ashmem FDs are sufficiently allowed to be mmap(2)-ed in all
Chrome processes. The mode of mapping (read-only, read-write etc.) is
controlled by the settings of the region itself, not by sepolicy.
This change additionally allows an FD created in the app zygote to be
passed to the 'untrusted_app' domain.
Note: This change allows *any* FD, not just an ashmem one to be passed.
This is on purpose: in the future we will likely want to return to the
memfd story. Other usecases (pipes, sockets) might appear.
The app zygote preload takes the responsibility not to share
capabilities in the form of FDs unintentionally with other app
processes.
Historical note: we tried to enable this for memfd (using additional
rules), but it required a 'write' permission when sending an FD. Reasons
for that are still puzzling, and there seems to be no easy workaround
for it. Decision: use ashmem.
Bug: 184808875
Test: Manual: Build and install Chrome (trichrome_chrome_google_bundle)
from [1]. Make sure FileDescriptorAllowlist allows the FD, like
[2]. Reach a NewTabPage, click on a suggested page, observe no
errors related to binder transactions and selinux violations.
[1] A change in Chrome to create an ashmem region during app zygote
preload and pass it to the browser process:
https://crrev.com/c/2752872/29
[2] Allowlist change in review:
https://android-review.googlesource.com/c/platform/frameworks/base/+/1739393
(Alternatively: Remove gOpenFdTable checks in ForkCommon() in
com_android_internal_os_Zygote.cpp)
Change-Id: Ide085f472c8fb6ae76ab0b094319d6924552fc02
Ignore-AOSP-First: in addition to changes in AOSP, copied to prebuilts
This change adds a neverallow rule in traced.te to limit the processes
that can find tracingproxy_service, the context for TracingServiceProxy.
I wanted to avoid moving the tracingproxy_service definition to public,
so there were a few services that are exempted from this neverallow
rule.
Bug: 191391382
Test: Manually verified that with this change, along with the other
change in this topic, I see no errors when taking a bugreport while a
Traceur trace is running.
Change-Id: I8658df0db92ae9cf4fefe2eebb4d6d9a5349ea89
Bug: 187386527
Test: Boot and confirm HAL is up
Signed-off-by: Michael Ayoubi <mayoubi@google.com>
Change-Id: Ia866a9a72b6f2ea5b31de25baefd13c2fd0b9c22
Merged-In: Ia866a9a72b6f2ea5b31de25baefd13c2fd0b9c22
Add a permission to use the graphics allocator.
Bug: 191094033
Test: Build a target and run the service after enforcing selinux
Ignore-AOSP-First: aosp won't auto merge to sc-dev
Change-Id: I52b6851bb95565c92fc4774a2de1f0791e6fdd23
Align the chagnes in aosp/1729396
Bug: 189787375
Test: AppDataIsolationTests
Ignore-AOSP-First: aosp won't auto merge to sc-dev
Change-Id: Ibf915e23e7db9c333e87cad75604d8251404092e
These properties allow to vendors to provide their
own camera2 extensions service. The properties
must be accesible to any android app that wishes
to use camera2 extensions.
Bug: 183533362
Change-Id: I94c7ac336b3103355124830320787472f0d2a8b6
Merged-In: I94c7ac336b3103355124830320787472f0d2a8b6
apexd needs to call the following two ioctls:
* FS_COMPR_FL - to check if fs supports compression.
* F2FS_IOC_RELEASE_COMPRESS_BLOCKS - to release compressed blocks.
Bug: 188859167
Test: m
Change-Id: Ia105d3dbcd64286cc33d1e996b2d2b85c09eae7a
Merged-In: Ia105d3dbcd64286cc33d1e996b2d2b85c09eae7a
(cherry picked from commit a12ba8a439)
