Copied access from the old mediaprovider.te to the new
mediaprovider_app.te.
Test: MediaProvider can create dirs on /mnt/media_rw/<uuid>
Bug: 151981237
Change-Id: Icdb260d2e76a05a15512a5dd00e08f8ae861dce6
sysprop type checker compares a sysprop_library API file and
property_contexts files, and detects if there are any mismatches of
property types. For example, the following snippets are detected.
// foo.sysprop
prop {
prop_name: "ro.foo.bar"
type: Integer
...
}
// property_contexts
ro.foo.bar u:object_r:foo_prop:s0 exact string
"ro.foo.bar" is an Integer in .sysprop file, but it's a string in
property_contexts file.
Bug: 151879375
Test: sysprop_test
Test: run "m PlatformProperties" and see existing mismatches.
Change-Id: Ieb9965d14b8c90cfc730c3d20d95a28ecaabeba4
eng/userdebug rules added for integration testing of hidl_lazy_test,
similar to aidl_lazy_test.
This is required in sepolicy since the test requires defining a service
in an init.rc file, and so there needs to be sepolicy for init to start
this service.
Bug: 148114689
Test: hidl_lazy_test
Change-Id: Id6549cbb89b62d3f6de1ae2690ce95c3e8656f66
Change 1: when running the "perfetto" binary via "adb shell
perfetto...", ctrl-Cing the host process doesn't propagate the teardown
to the on-device process (which normally should stop the tracing session
immediately). Allow signals adbd->perfetto to resolve.
Change 2: don't print audit logs for a harmless isatty() check on adb
sockets when they're the stderr of a "perfetto" process.
Example denials from the isatty() check (ioctl is TCGETS):
avc: denied { getattr } for path="socket:[244990]" dev="sockfs"
ino=244990 scontext=u:r:perfetto:s0 tcontext=u:r:adbd:s0
tclass=unix_stream_socket permissive=0
avc: denied { ioctl } for path="socket:[244992]" dev="sockfs" ino=244992
ioctlcmd=0x5401 scontext=u:r:perfetto:s0 tcontext=u:r:adbd:s0
tclass=unix_stream_socket permissive=0
Example denial from ctrl-c'ing "adb shell perfetto ...":
avc: denied { signal } for comm=7368656C6C20737663203134343537
scontext=u:r:adbd:s0 tcontext=u:r:perfetto:s0 tclass=process
permissive=0
Tested: patched onto an internal branch, then verified that denials are
gone on a flashed crosshatch-userdebug.
Change-Id: I1dbe00ea91e3c3377d6e5eab05ad99620e02b965
(Cherry-picking)
We now only have one system service, called "incremental".
Test: builds
BUG: 150406132
Merged-In: I47643bac5711dcd4291bf4bf1cdcb853a0f51fb4
Change-Id: I6f96d3953611f34cdb52b958dfa95120ae930e35
This completely hides system internal properties (which are meant to be
used only in system) when compiling sepolicy of vendor, product, etc.
Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I4fc060f5973b7483c7f8502c40ef0a61f75ff088
Merged-In: I4fc060f5973b7483c7f8502c40ef0a61f75ff088
(cherry picked from commit c492c06e14)
public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.
Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
Three properties are declared as vendor-init-settable:
ro.media.xml_variant.codecs
ro.media.xml_variant.codecs_performance
ro.media.xml_variant.profiles
media_codecs.xml can now be named
media_codecs${ro.media.xml_variant.codecs}.xml
media_codecs_performance.xml can now be named
media_codecs_performance${ro.media.xml_variant.codecs_performance}.xml
media_profiles_V1_0 can now be named
media_profiles${ro.media.xml_variant.profiles}.xml
Test: Rename "media_codecs.xml" to "media_codecs_test.xml",
set ro.media.xml_variant.codecs to "_test", then
call "stagefright -i".
Test: Rename "media_codecs_performance.xml" to
"media_codecs_performance_test.xml",
set ro.media.xml_variant.codecs_performance to "_test", then
run android.media.cts.VideoDecoderPerfTest.
Test: Rename "media_profiles_V1_0.xml" to "media_profiles_test.xml",
set ro.media.xml_variant.profiles to "_test", then
run vts_mediaProfiles_validate_test.
Bug: 142102953
Change-Id: I407a0a327fcc8e799bb4079b11048a497565be48
This grants default access to the new GNSS subsystem for Linux to the
GNSS HAL default implementation. The GNSS subsystem creates character
devices similar to ttys but without much unneeded complexity. The GNSS
device class is specific to location use cases.
Bug: 151670529
Change-Id: I03b27aa5bbfdf600eb830de1c8748aacb9bf4663
CAN HAL needs access to /sys/devices to search for USB serial numbers
for SocketCAN devices and for USB serial devices.
Bug: 142654031
Test: Manual + VTS
Change-Id: I3d9bff94f8d8f936f7d859c01b9ff920fcbc5130
This property type represents properties used in CTS tests of userspace
reboot. For example, test.userspace_reboot.requested property which is
used to check that userspace reboot was successful and didn't result in
full reboot, e.g.:
* before test setprop test.userspace_reboot.requested 1
* adb reboot userspace
* wait for boot to complete
* verify that value of test.userspace_reboot.requested is still 1
Test: adb shell setprop test.userspace_reboot.requested 1
Bug: 150901232
Change-Id: I45d187f386149cec08318ea8545ab864b5810ca8
Merged-In: I45d187f386149cec08318ea8545ab864b5810ca8
(cherry picked from commit 3bd53a9cee)
Add a vendor-specified system property to allow GPU fallback composition to occur at a lower resolution than the display mode resolution. This is required on platforms like TVs which have, for example, 2k GPUs but 4k capabilities, or 4k GPUs but 8k capabilities.
Bug: 144574809
Test: Tested with sysprop disabled, and tested backport in Android Q with sysprop enabled. Unable to test on Android R due to device issues.
Change-Id: Ife63c21a6e959d16e796d57956dd7dda2f5d383e
Originally public/property_contexts was introduced to create a whitelist
of system properties which can be accessed from vendor, and to be used
from VTS to ensure that the whitelist isn't modified. But it doesn't fit
well on sepolicy public/private split as the split isn't for stability,
but for letting vendor compile their sepolicy with public types. Also it
doesn't make sense only to check the whitelist on VTS, because platform
internal ones must also be unchanged.
This commit merges public/property_contexts into private as before. This
gives consistency with other context files such as file_contexts which
are already containing entries for vendor but are only defined in
private. This also simplifies property_contexts as there will be only one
property_contexts file. Another benefit is that VTS will check all
entries defined by system, not only exported ones.
Bug: 150331497
Test: m && run VtsTrebleSysProp manually
Change-Id: Ib9429e27b645ef21a36946fbaea069a718c3c6eb
Merged-In: Ib9429e27b645ef21a36946fbaea069a718c3c6eb
(cherry picked from commit 31391fa78e)
The previous attempt (aosp/1225417) had a missing piece: while we
allowed traced to use the shared memory, we haven't allowed it to use
the file descriptors in the producers' domains. Since the shared memory
is being transferred as an fd (obtained from memfd_create), the service
ends up hitting a denial (see below for an example).
We ended up missing the general case as we only tested with the shell
domain at the time, and traced is already allowed to use shell's fds for
other reasons.
To reiterate, the tracing service treats producers as inherently
untrusted/adversarial, so its implementation should never attempt to use
a file descriptor that isn't otherwise validated (such as checking seals
for the memfds).
Example denial from a chromium apk that is exercising this path:
traced : type=1400 audit(0.0:80): avc: denied { use } for
path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429
dev="tmpfs" ino=151536 scontext=u:r:traced:s0
tcontext=u:r:untrusted_app_29:s0:c136,c256,c512,c768 tclass=fd
permissive=0
(deobfuscated path in the denial: /memfd:perfetto_shmem (deleted))
Tested: experimental chromium apk no longer crashes when trying to hand
over shared memory to traced
Bug: 148841422
Change-Id: I7390fb174e2083ba7693c3160da44b4cfa7b1c8b
See discussion in aosp/1233645. There was a concern about this
filesystem automounting when enabled, so this change adds sepolicy to
preemptively lock it down.
I'm not confident it actually automounts. If it does, it'll land in
/sys/kernel/security, which is also protected with the sysfs policy.
Test: Builds
Bug: 148102533
Change-Id: I78a246a5c18953f2471f84367ab383afb2742908
