avc: denied { ioctl } for pid=599 comm="mke2fs" path="/dev/block/sda13" dev="tmpfs" ino=18975 ioctlcmd=127b scontext=u:r:recovery:s0 tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file
avc: denied { ioctl } for pid=587 comm="mke2fs" path="/dev/block/sda20" dev="tmpfs" ino=17931 ioctlcmd=0x127b scontext=u:r:recovery:s0 tcontext=u:object_r:metadata_block_device:s0 tclass=blk_file
0x127b (BLKPBSZGET) is called by mke2fs that queries physical sector
size. Although the denial is currently non-fatal, as mke2fs falls back
to use logical sector size, it might lead to undesired result in future.
Test: Factory reset on taimen and blueline respectively.
Change-Id: I14fc6593aeae309c79f5eadcffc8158b0a2ab2f6
The network stack needs access to TelephonyManager#getAllCellInfo to
send network conditions broadcasts.
Bug: 122843997
Test: Flashed, verified violation not shown and cell info obtained
properly.
Change-Id: I6ef2858c9a2d1fbbb993164a93bd985e0eee8887
For experiment flag testing, we add a flag netd and have
SEPolicy updates.
Test: add sepolicy, m -j, check GetServerConfigurableFlag function in netd
Bug:122050512
Change-Id: I21c844c277afc358085d80447f16e4c0d4eba5b3
This change installs *_contexts files to the same location on Treble and
non-Treble devices.
This was previously not possible because first stage mount was not
required on all platforms. It is now b/79758715.
Bug: 70851112
Test: m selinux_policy
Change-Id: I8124c59b129aef86d78d2ae4ebcfaecd896032fc
In order to boot into GSI, we need init's second-stage block-device
machinery to relable metadata. This will allow it to format / mount
the block device later
Bug: 121209697
Test: device boots
Change-Id: I4e63151767345976b5667df74530cd69fffcfa89
Signed-off-by: Sandeep Patil <sspatil@google.com>
Grant for icmp_socket for devices with 4.14 or greater kernel, and
rawip_socket for devices with earlier kernels.
Bug: 122572608
Test: build
Change-Id: I1c9d2ce6761dbd2c4db3635600c5f5c335461083
init needs to execute bpfloader as a one-shot service. Add sepolicy for
the same. Also update old rules allowing init to fork/exec bpfloader and
remove rules allowing netd to do so.
Bug: 112334572
Change-Id: Ic242cd507731ed8af3f8e94d4fccc95819831d37
Signed-off-by: Joel Fernandes <joelaf@google.com>
bpfloader needs to load bpf programs with tracepoints in them. The
tracepoint programs are not activated but are just loaded and pinned.
The kernel expects the process doing this to have CAP_SYS_ADMIN. Since
bpfloader was intended to be a 1-shot run and exit process with security
privileges, lets assign it CAP_SYS_ADMIN so that it is able to load the
tracepoint programs.
Bug: 112334572
Change-Id: Icf9b5d95615e69f5c28dc28f021b07f49710c97d
Signed-off-by: Joel Fernandes <joelaf@google.com>
Vendor domains may use net_domain() so it should be moved to public
policy. This will allow removal of permissions such as rawip_socket
in future releases without breaking Treble compatiblity.
Bug: 122572608
Test: build
Change-Id: Id84feb11587d305334cd9dbbc6e4f6f71ffff6f2
The original fs-verity implementation requires CAP_SYS_ADMIN and thus
the actual setup is proxied through installd. Instead, upstream
FS_IOC_ENABLE_VERITY ioctl checks write permission to inode, and thus
can happen in system_server.
Also, replace the old measure ioctl with FS_IOC_SET_VERITY_MEASUREMENT.
Note that although the number is name, they work differently.
Test: set ro.apk_verity.mode=2, in-progress CTS passed without denial
Bug: 112037636
Change-Id: I3e8d14321df8904dfed68b83aae8b3dd99c211ac
There are multiple trusted system components which may be responsible
for creating executable code within an application's home directory.
Renderscript is just one of those trusted components.
Generalize rs_data_file to app_exec_data_file. This label is intended to
be used for any executable code created by trusted components placed
into an application's home directory.
Introduce a typealias statement to ensure files with the previous label
continue to be understood by policy.
This change is effectively a no-op, as it just renames a type, but
neither adds or removes any rules.
Bug: 121375718
Bug: 112357170
Test: cts-tradefed run cts-dev -m CtsRenderscriptTestCases
Change-Id: I17dca5e3e8a1237eb236761862174744fb2196c0
Test: Adding a camera.provider@2.5 to a device works correctly
Merged-In: I516698afedad1294c0af3f4efedb0aed0a141780
Change-Id: I516698afedad1294c0af3f4efedb0aed0a141780
update_engine no longer needs a standalone bspatch executable since [1]
(which first landed into O). And we don't ship /system/bin/bspatch on
device by default.
[1] https://android-review.googlesource.com/c/platform/system/update_engine/+/327365
Test: Verify that /system/bin/bspatch doesn't exist on device.
Test: Trigger an A/B OTA install for aosp_walleye-userdebug:
`m dist`;
`system/update_engine/scripts/update_device.py out/dist/aosp_walleye-ota.zip`.
No update_engine related denial.
Change-Id: Iff578bdb0b1909092dd19feff069755a44d29398
This was a regression in Q, and the file is an implementation of
liblog.
Bug: 113083310
Test: use tags from vendor and see no denials
Change-Id: I726cc1fcfad39afc197b21e431a687a3e4c8ee4a
Add the required permissions for the InputClassifier HAL.
Bug: 62940136
Test: no selinux denials in logcat when HAL is used inside input flinger.
Change-Id: Ibc9b115a83719421d56ecb4bca2fd196ec71fd76
This appears to be the minimum change required to accommodate Traceur
running the detachable Perfetto process.
Bug: 116754732
Test: Started a perfetto trace using --detach and it started
successfully.
Change-Id: I12881ae343389abdcc74af5f11ecbac99b03ef7c
When recording hour-long traces, logcat messages help
to interpret the trace, giving human readable context on what
is happening on the system.
Furthermore this is particularly helpful for startup
debugging thanks to activity manager instrumentation events
(am_on_create_called, am_on_start, ...).
This is only allowed on userdebug/eng builds.
Bug: 122243384
Change-Id: I4dfaebf21107e9853b0bf42403fbab6c3b4d5141
Create the system property ro.gfx.angle.supported that indicates if the
device supports ANGLE. The current planned use of this property is to
allow CTS to validate ANGLE functionality if the device indicates ANGLE
is supported.
Bug: 80239516
Test: Flash the build and verify the property is 'false' for marlin.
Test: Flash the build and verify the property is 'true' for walleye.
Change-Id: I00387db9ade34152f79d75453ea17d5ea7b063cd
The way we build and run CTS expects full_treble_only and
compatible_property_only macros to be applied to whole rules and not be
nested inside other rules.
Fixes: 122601363
Test: corresponding neverallow rule in auto-generated
SELinuxNeverallowRulesTest.java is parsed correctly.
Change-Id: Ibf5187cedca72510fe74c6dc55a75a54a86c02ff