This is needed for the camera service to be able to use
AChoreographer ndk.
Test: adb shell dmesg | audit2allow -p policy
Bug: 200306379
Change-Id: I191760f1cdd0a88c9d140fffd4470e9ae1956c52
These are similar to the existing exceptions added for
`hal_uwb_vendor_server`.
Also, added a TODO to remove the older `hal_uwb_vendor` tags once we
migrate to the new T architecture.
Bug: 196225233
Test: Compiles
Change-Id: I2077d409f575a2e46684de4fb92fe3da0cceaf70
The bufferhub daemon policy still remains, since it still needs to be
deleted. However, since the HAL no longer exists, removing policy
related to this.
Bug: 204068144
Test: build only
Change-Id: I96b96c77a39e2ba2024680ebaf3067283d0cfc65
Make Netlink Interceptor work when SELinux is enforcing
Test: Netlink Interceptor HAL comes up and works
Bug: 194683902
Change-Id: I3afc7ae04eba82f2f6385b66ddd5f4a8310dff88
Remove these SELinux attributes since the apexd and init SELinux policies
no longer rely on these attributes.
The only difference between a previous version of this patch and the
current patch is that the current patch moves these attributes to the
'compat' policy. See also
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1850656.
This patch includes a revert of commit 8b2b951349 ("Restore permission
for shell to list /sys/class/block"). That commit is no longer necessary
since it was a bug fix for the introduction of the sysfs_block type.
Bug: 202520796
Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd && adb -e shell dmesg | grep avc
Change-Id: Id7d32a914e48bc74da63d87ce6a09f11e323c186
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Move type to public so that it can be vendor customized. This
can be necessary if (for example) the gralloc/gpu same-process-HAL
requires additional permissions.
Bug: 199581284
Test: build
Change-Id: I61a5a3ad96112d4293fd4bf6d55f939c974643ce
Revert "Remove the bdev_type and sysfs_block_type SELinux attributes"
Revert "Remove the bdev_type and sysfs_block_type SELinux attributes"
Revert submission 1850578-remove-selinux-bdev-type
Reason for revert: DroidMonitor-triggered revert due to breakage, bug b/203480787
BUG: 203480787
Reverted Changes:
I263bce9c4:Remove the bdev_type and sysfs_block_type SELinux ...
Ibc9039f96:Revert "Add the 'bdev_type' attribute to all block...
Ic6ae83576:Remove the bdev_type and sysfs_block_type SELinux ...
Ie493022a8:Remove the bdev_type and sysfs_block_type SELinux ...
I1f1ca439b:Revert "Add the 'bdev_type' attribute to all block...
I283f8676b:Revert "Add the 'bdev_type' attribute to all block...
I7c5c242c5:Revert "Add the 'bdev_type' attribute to all block...
Id78d8f7dc:Remove the bdev_type and sysfs_block_type SELinux ...
I9c4b2c48b:Remove the bdev_type and sysfs_block_type SELinux ...
I51e9d384a:Remove the bdev_type and sysfs_block_type SELinux ...
I2c414de3b:Remove the sysfs_block_type SELinux attribute
Change-Id: I55609803d530772d507d9dca8ba202a96daf24b7
Remove these SELinux attributes since adding these attributes introduces
a depencency from vendor SELinux policies on the generic SELinux policy,
something that is not allowed. This patch includes a revert of commit
8b2b951349 ("Restore permission for shell to list /sys/class/block").
That commit is no longer necessary since it was a bug fix for the
introduction of the sysfs_block type.
Bug: 202520796
Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd
Change-Id: Ic6ae835768212648ca09fd5c83c39180103c3b1b
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Stop using these attributes since these will be removed soon.
Bug: 202520796
Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd
Change-Id: I61dffb482f4e952299156f34be642ae52fcbfeb3
Signed-off-by: Bart Van Assche <bvanassche@google.com>
In virtualized deployments of Android, it can be useful to have
access to a description of the hypervisor/host environment being
used to run the guest OS instance.
This is represented by means of a new system property
ro.boot.hypervisor.version, which is meant to convey a
free-form descriptor of the current host/hypervisor version
The property is meant to be provided to Android as androidboot.
by whatever host-specific means are used to supply other boot
properties to the target Android instance. Access could be later
opened to other vendor processes to set if needed for specific
setups where init is not a sufficiently-early stage for
host/guest communication. Such setups are not known at this time.
For a native Android incantation, the property defaults to
being missing
Other properties could later be added to this same namespace
and context if they turn out to be useful in specific scenarios.
Bug: 178749018
Test: build cuttlefish
Change-Id: Id721c14ef1958b525c2866a660dcae8fd176a79d
Commit ec50aa5180 ("Allow the init and apexd processes to read all
block device properties") did not include the SELinux type
sysfs_devices_block although it should have included that SELinux
type. Fix this.
Bug: 194726804
Change-Id: Ia299a0a8b28160c634863e15ae66fae8f18a5efb
Signed-off-by: Bart Van Assche <bvanassche@google.com>
fs_mgr::ReadDefaultFstab calls fs_mgr:ReadFstabFromDt() which eventually
calls fs_mgr_get_boot_config_from_bootconfig_source to read boot config.
Therefore bundle permission to read proc_bootconfig. This resolves some
selinux denials for update_engine
Test: th
Change-Id: Ia8bd94eb33a38ccd939577b54910645fec4ccda8
Without this change, any crash from an executable in /data/local/tests
is incomplete. Specifically, function names are missing which makes
the crash nearly useless for debugging.
Bug: 197229540
Test: Used the crasher executable and copied it to /data/local/tests
Test: and verified that running it as root and shell results in
Test: tombstones that have full unwinds with function names.
Change-Id: Ic4862ca6ee9b02132a593ccd5fe26508ed5c8510
Remove access from untrusted apps and instead grant it to platform_app
(but on user builds as well as debug).
Also restrict any app from creating a vsock_socket; using an already
created one is fine.
Bug: 193373841
Test: Microdroid demo app now gets a denial
Test: Rebuild demo with certifcate: platform, adb install, no denial
Change-Id: I7be011e05244767a42d4c56e26de792db4fe599d
This is required for accessing sensor data in audioserver.
Bug: 188502620
Test: log-based verification of sensor data coming through.
Change-Id: I183ce5106401ae7853096e80a8650cc7919e6221
Remove some allow rules for odsign, since it no longer directly
modifies CompOs files. Instead allow it to run compos_verify_key in
its own domain.
Grant compos_verify_key what it needs to access the CompOs files and
start up the VM.
Currently we directly connect to the CompOs VM; that will change once
some in-flight CLs have landed.
As part of this I moved the virtualizationservice_use macro to
te_macros so I can use it here. I also expanded it to include
additional grants needed by any VM client that were previously done
for individual domains (and then deleted those rules as now
redundant).
I also removed the grant of VM access to all apps; instead we allow it
for untrusted apps, on userdebug or eng builds only. (Temporarily at
least.)
Bug: 193603140
Test: Manual - odsign successfully runs the VM at boot when needed.
Change-Id: I62f9ad8c7ea2fb9ef2d468331e26822d08e3c828
No new HIDL HAL's are allowed in Android T. UWB HAL converted to
versioned AIDL interface to be compliant.
Bug: 195308730
Test: Compiles
Change-Id: I35cf8edd244baa02778ee8eff46840ae26424869
Since we are now creating an AOSP HAL for uwb. Rename Pixel specific
internal UWB HAL from Android S to hal_uwb_vendor to avoid conflicts
with the AOSP HAL sepolicy rules that are going to be added in
Android T.
Android S Architecture:
|Apps | AOSP API | Vendor Service | Vendor HAL Interface | Vendor HAL
Implementation | Vendor driver/firmware
Android T Architecture:
|Apps | AOSP API | AOSP Service | AOSP HAL Interface | Vendor HAL
Implementation | Vendor driver/firmware
Ignore-AOSP-First: Dependent changes in internal-only projects.
Bug: 195308730
Test: Compiles
Change-Id: I7bf4794232604372134ea299c8e2a6ba14a801d3
Merged-In: I7bf4794232604372134ea299c8e2a6ba14a801d3
(cherry picked from commit 40465250e4)
(cherry picked from commit 27ab309fad)
Since we are now creating an AOSP HAL for uwb. Rename Pixel specific
internal UWB HAL from Android S to hal_uwb_vendor to avoid conflicts
with the AOSP HAL sepolicy rules that are going to be added in
Android T.
Android S Architecture:
|Apps | AOSP API | Vendor Service | Vendor HAL Interface | Vendor HAL
Implementation | Vendor driver/firmware
Android T Architecture:
|Apps | AOSP API | AOSP Service | AOSP HAL Interface | Vendor HAL
Implementation | Vendor driver/firmware
Ignore-AOSP-First: Dependent changes in internal-only projects.
Bug: 195308730
Test: Compiles
Change-Id: I7bf4794232604372134ea299c8e2a6ba14a801d3
Merged-In: I7bf4794232604372134ea299c8e2a6ba14a801d3
extra_free_kbytes.sh is used by init to set /sys/vm/watermark_scale_factor
value. Allow init to execute extra_free_kbytes.sh and the script to access
/proc/sys/vm/watermark_scale_factor and /proc/sys/vm/extra_free_kbytes
files.
Bug: 109664768
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I55ec07e12a1cc5322cfdd4a48d0bdc607f45d832
Bug: 179094324
Bug: 156537504
Test: confirm that installd killing those processes are not brininging
selinux violation
Change-Id: Icac3f5acc3d4d398bbe1431bb02140f3fe9cdc45
As a side effect, commit ec50aa5180 ("Allow the init and apexd
processes to read all block device properties") removed permission for
the shell context to list the /sys/class/block directory. There is a
CTS test that relies on this (CtsNativeEncryptionTestCases), so grant
permission to do this again.
Bug: 196521739
Bug: 194450129
Test: Before this change, 'adb shell ls /sys/class/block' fails.
After this change, 'adb shell ls /sys/class/block' succeeds.
Change-Id: I87cb90880f927db1385887b35c84f4dd7f95021b
Addressing b/194450129 requires configuring the I/O scheduler and the
queue depth of loop devices. Doing this in a generic way requires
iterating over the block devices under /sys/class/block and also to
examine the properties of the boot device (/dev/sda). Hence this patch
that allows 'init' and 'apexd' to read the properties of all block
devices. The patch that configures the queue depth is available at
https://android-review.googlesource.com/c/platform/system/core/+/1783847.
Test: Built Android images, installed these on an Android device and verified that modified init and apexd processes do not trigger any SELinux complaints.
Change-Id: Icb62449fe0d21b3790198768a2bb8e808c7b968e
Signed-off-by: Bart Van Assche <bvanassche@google.com>
There can be VM disk images that are specific to the underlying SoC.
e.g. in case where SoC-specific hardware is dedicated to a VM and the VM
needs drivers (or HALs) for the hardware.
Don't prevent crosvm from reading such a SoC-specific VM disk images.
Note that this doesn't actually allow crosvm to do that in AOSP. Such an
allow rule could be added in downstreams where such use cases exist.
Bug: 193605879
Test: m
Change-Id: If19c0b6adae4c91676b142324c2903879548a135
crash_dump need to read process uptime
which need to be calc by minus the system uptime
Bug: 193159611
Bug: 183575981
Test: manual
Change-Id: I9f071007f31b8101d2d67db19b5d2b2835e6c5a4
Previously vendor_sched is put under product area which will be replaced
by GSI. To solve it, move it to system/sepolicy.
Bug: 194656257
Test: build pass
Change-Id: Ia0b855e3a876a58b58f79b4fba09293419797b47
This adds a new property prefix owned by snapuserd, for communicating
when the service is ready to accept connections (snapuserd.ready and
snapuserd.proxy_ready).
This also adds a new socket context. This is a seqpacket socket used to
communicate with a special instance of snapuserd that bridges to the
first-stage daemon.
Bug: 193833730
Test: no denials after OTA applies and boots
Change-Id: Ibad03659eba5c25e205ba00f27d0b4f98585a84b
The test for the services has been running with selinux disabled. To
turn selinux on, required rules are allowed.
Below is the summary of the added rules.
* crosvm can read the composite disk files and other files (APKs,
APEXes) that serve as backing store of the composite disks.
* virtualizationservice has access to several binder services
- permission_service: to check Android permission
- apexd: to get apex files list (this will be removed eventually)
* Both have read access to shell_data_file (/data/local/tmp/...) for
testing purpose. This is not allowed for the user build.
* virtualizationservice has access to the pseudo terminal opened by adbd
so that it can write output to the terminal when the 'vm' tool is
invoked in shell.
Bug: 168588769
Test: /apex/com.android.virt/bin/vm run-app --log /dev/null
/data/local/tmp/virt/MicrodroidDemoApp.apk
/data/local/tmp/virt/MicrodroidDemoApp.apk.idsig
/data/local/tmp/virt/instance.img
assets/vm_config.json
without disabling selinux.
Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
Allow system_suspend to server the suspend AIDL hal service.
Bug: 170260236
Test: Check logcat for supend avc denials
Change-Id: Ie4c07e2e8d75fd4b12e55db15511060e09be59cf
We've got a SELinux warning in kernel-5.10 when "File Transfer" (MTP)
has been enabled by user.
Error log:
avc: denied { ioctl } for pid=5521 comm="MtpServer" path="/dev/usb-ffs/mtp/ep1" dev="functionfs" ino=102677 ioctlcmd=0x67e7 scontext=u:r:mediaprovider:s0:c512,c768 tcontext=u:object_r:functionfs:s0 tclass=file permissive=0
Repeat steps:
1. Connect the phone to PC with USB cable.
2. Select "File Transfer" (MTP) in "USB Preferences" Menu.
3. Selinux warning will arise after "File Transfer" has been enabled by user
due to an IOCTL access to /dev/usb-ffs/mtp/ep1.
Solution:
To solve this warning, add a sepolicy to allow this type of IOCTL is required.
Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
Change-Id: Id340fb98062b3cee239343f3800f6dfceadeb572
Bug: 193473440
We ended up with 4 labels for specific APEX files that were all
identical; I've replaced them with a single one
(apex_system_server_data_file).
Additionally I created an attribute to be applied to a "standard" APEX
module data file type that establishes the basics (it can be managed
by vold_prepare_subdirs and apexd), to make it easier to add new such
types - which I'm about to do.
Fix: 189415223
Test: Presubmits
Change-Id: I4406f6680aa8aa0e38afddb2f3ba75f8bfbb8c3c
Keystore2 atoms need to be rounted to statsd via a proxy.
The proxy needs to have this permission in order to pull metrics from
keystore.
Ignore-AOSP-First: No mergepath to AOSP.
Bug: 188590587
Test: Statsd Testdrive script
Change-Id: Ic94f4bb19a08b6300cfd2d3ed09b31d5b7081bfd
Merged-In: Ic94f4bb19a08b6300cfd2d3ed09b31d5b7081bfd
(cherry picked from commit 61d07e7ce0)
In ApexTestCases, a temp file in /data/local/tmp is used via a loop
device, which requires the kernel to read it.
This is only allowed in userdebug/eng.
Bug: 192259606
Test: ApexTestCases
Change-Id: Ic7d3e67a8a3e818b43b7caead9053d82cbcbccf7
Enforce new requirements on app with targetSdkVersion=32 including:
- No RTM_GETNEIGH on netlink route sockets.
- No RTM_GETNEIGHTBL on netlink route sockets.
Bug: 171572148
Test: atest NetworkInterfaceTest
Test: atest bionic-unit-tests-static
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Change-Id: I32ebb407b8dde1c872f53a1bc3c1ec20b9a5cb49
Any FUSE filesystem will receive the 'fuse' type when mounted. It is
possible to change this behaviour by specifying the "context=" or
"fscontext=" option in mount().
Because 'fuse' has historically been used only for the emulated storage,
it also received the 'sdcard_type' attribute. Replace the 'sdcard_type'
attribute from 'fuse' with the new 'fusefs_type'. This attribute can be
attached on derived types (such as app_fusefs).
This change:
- Remove the neverallow restriction on this new type. This means any
custom FUSE implementation can be mounted/unmounted (if the correct
allow rule is added). See domain.te.
- Change the attribute of 'fuse' from 'sdcard_type' to 'fusefs_type'.
See file.te.
- Modify all references to 'sdcard_type' to explicitly include 'fuse'
for compatibility reason.
Bug: 177481425
Bug: 190804537
Test: Build and boot aosp_cf_x86_64_phone-userdebug
Change-Id: Id4e410a049f72647accd4c3cf43eaa55e94c318f
Bug: 187386527
Test: Boot and confirm HAL is up
Signed-off-by: Michael Ayoubi <mayoubi@google.com>
Change-Id: I2abf108f2504997b06c0269f905608d8063cb3b4
Merged-In: I2abf108f2504997b06c0269f905608d8063cb3b4
Bug: 187386527
Test: Boot and confirm HAL is up
Signed-off-by: Michael Ayoubi <mayoubi@google.com>
Change-Id: I2abf108f2504997b06c0269f905608d8063cb3b4
Merged-In: I2abf108f2504997b06c0269f905608d8063cb3b4
The primary goal is to have an ashmem region shared between the main app
process in Chrome (=Browser Process) and the app zygote. It can only be
passed from the App Zygote, since there is no communication in the other
direction. Passing of the file descriptor should happen by:
(A) inheriting via fork(2)
(B) using binder IPC
Currently ashmem FDs are sufficiently allowed to be mmap(2)-ed in all
Chrome processes. The mode of mapping (read-only, read-write etc.) is
controlled by the settings of the region itself, not by sepolicy.
This change additionally allows an FD created in the app zygote to be
passed to the 'untrusted_app' domain.
Note: This change allows *any* FD, not just an ashmem one to be passed.
This is on purpose: in the future we will likely want to return to the
memfd story. Other usecases (pipes, sockets) might appear.
The app zygote preload takes the responsibility not to share
capabilities in the form of FDs unintentionally with other app
processes.
Historical note: we tried to enable this for memfd (using additional
rules), but it required a 'write' permission when sending an FD. Reasons
for that are still puzzling, and there seems to be no easy workaround
for it. Decision: use ashmem.
Bug: 184808875
Test: Manual: Build and install Chrome (trichrome_chrome_google_bundle)
from [1]. Make sure FileDescriptorAllowlist allows the FD, like
[2]. Reach a NewTabPage, click on a suggested page, observe no
errors related to binder transactions and selinux violations.
[1] A change in Chrome to create an ashmem region during app zygote
preload and pass it to the browser process:
https://crrev.com/c/2752872/29
[2] Allowlist change in review:
https://android-review.googlesource.com/c/platform/frameworks/base/+/1739393
(Alternatively: Remove gOpenFdTable checks in ForkCommon() in
com_android_internal_os_Zygote.cpp)
Change-Id: Ide085f472c8fb6ae76ab0b094319d6924552fc02
Ignore-AOSP-First: in addition to changes in AOSP, copied to prebuilts
Bug: 187386527
Test: Boot and confirm HAL is up
Signed-off-by: Michael Ayoubi <mayoubi@google.com>
Change-Id: Ia866a9a72b6f2ea5b31de25baefd13c2fd0b9c22
Merged-In: Ia866a9a72b6f2ea5b31de25baefd13c2fd0b9c22
These properties allow to vendors to provide their
own camera2 extensions service. The properties
must be accesible to any android app that wishes
to use camera2 extensions.
Bug: 183533362
Change-Id: I94c7ac336b3103355124830320787472f0d2a8b6
Merged-In: I94c7ac336b3103355124830320787472f0d2a8b6
These properties allow to vendors to provide their
own camera2 extensions service. The properties
must be accesible to any android app that wishes
to use camera2 extensions.
Change-Id: I94c7ac336b3103355124830320787472f0d2a8b6
The primary goal is to have an ashmem region shared between the main app
process in Chrome (=Browser Process) and the app zygote. It can only be
passed from the App Zygote, since there is no communication in the other
direction. Passing of the file descriptor should happen by:
(A) inheriting via fork(2)
(B) using binder IPC
Currently ashmem FDs are sufficiently allowed to be mmap(2)-ed in all
Chrome processes. The mode of mapping (read-only, read-write etc.) is
controlled by the settings of the region itself, not by sepolicy.
This change additionally allows an FD created in the app zygote to be
passed to the 'untrusted_app' domain.
Note: This change allows *any* FD, not just an ashmem one to be passed.
This is on purpose: in the future we will likely want to return to the
memfd story. Other usecases (pipes, sockets) might appear.
The app zygote preload takes the responsibility not to share
capabilities in the form of FDs unintentionally with other app
processes.
Historical note: we tried to enable this for memfd (using additional
rules), but it required a 'write' permission when sending an FD. Reasons
for that are still puzzling, and there seems to be no easy workaround
for it. Decision: use ashmem.
Bug: 184808875
Test: Manual: Build and install Chrome (trichrome_chrome_google_bundle)
from [1]. Make sure FileDescriptorAllowlist allows the FD, like
[2]. Reach a NewTabPage, click on a suggested page, observe no
errors related to binder transactions and selinux violations.
[1] A change in Chrome to create an ashmem region during app zygote
preload and pass it to the browser process:
https://crrev.com/c/2752872/29
[2] Allowlist change in review:
https://android-review.googlesource.com/c/platform/frameworks/base/+/1739393
(Alternatively: Remove gOpenFdTable checks in ForkCommon() in
com_android_internal_os_Zygote.cpp)
Change-Id: Ide085f472c8fb6ae76ab0b094319d6924552fc02
Add app_api_service to pac_proxy_service so that
it can be reach by Cts tests.
Ignore-AOSP-First: this is cherry-pick and add a change in
prebuilts/api/31.0 which is a path doesn't exist in AOSP
Bug: 181745786
Test: build, CtsNetTestCases:PacProxyManagetTest
Change-Id: I9bf4ff810635aa5b3cbf984b77b547aa96cdd543
Apps should be able to share their private files over binder,
including system_app.
Bug: 188869889
Test: go to setting ==> system ==> multi-users ==> tap icon to change
profile photo with camera
Change-Id: I3dc732f727b9b697c9a73f6089392690109ae035
Merged-In: I3dc732f727b9b697c9a73f6089392690109ae035
Apps should be able to share their private files over binder,
including system_app.
Bug: 188869889
Test: go to setting ==> system ==> multi-users ==> tap icon to change
profile photo with camera
Change-Id: I3dc732f727b9b697c9a73f6089392690109ae035
Keystore2 atoms need to be rounted to statsd via a proxy.
The proxy needs to have this permission in order to pull metrics from
keystore.
Ignore-AOSP-First: No mergepath to AOSP.
Bug: 188590587
Test: Statsd Testdrive script
Change-Id: Ic94f4bb19a08b6300cfd2d3ed09b31d5b7081bfd
Bug: 187386527
Test: Boot and confirm HAL is up
Signed-off-by: Michael Ayoubi <mayoubi@google.com>
Change-Id: Ia866a9a72b6f2ea5b31de25baefd13c2fd0b9c22
Allow system_app to set and get system property persist.nfc..
Bug: 187083201
Test: access persist.nfc.debug_enabled
Change-Id: Ia952f83d6206be458bcb56a9c4d44bc3e6db5e73
The feature is public, we can change the fake name to formal name.
Bug: 185550380
Test: build pass and can run service correctly
Merged-In: I956d916077f9a71cdf1df2f0be6f83e6f1f30a98
Change-Id: Idc29942eee6c2fd7658beb69ba62a70397176a66
These are moved to packages/modules/Virtualization.
Bug: 189165759
Test: boot device and microdroid
Test: atest MicrodroidHostTestCases
Change-Id: I050add7fef56ced4787117f338e7b5d1fda1c193
ART is becoming a module and we need to be able to add new properties
without modifying the non updatable part of the platform:
- convert ART properties to use prefix in the namespace of
[ro].dalvik.vm.
- enable appdomain and coredomain to read device_config properties
that configure ART
(cherry picked from commit 0b2ca6c22c)
Test: boot
Bug: 181748174
Merged-In: Id23ff78474dba947301e1b6243a112b0f5b4a832
Change-Id: Id23ff78474dba947301e1b6243a112b0f5b4a832
