Split gsi_metadata_file into gsi_metadata_file plus
gsi_public_metadata_file, and add gsi_metadata_file_type attribute.
Files that are okay to be publicly readable are labeled with
gsi_public_metadata_file. Right now only files needed to infer the
device fstab belong to this label.
The difference between gsi_metadata_file and gsi_public_metadata_file is
that gsi_public_metadata_file has relaxed neverallow rules, so processes
that wish to read the fstab can add the respective allow rules to their
policy files.
Allow gsid to restorecon on gsi_metadata_file to fix the file context of
gsi_public_metadata_file.
Bug: 181110285
Test: Build pass
Test: Issue a DSU installation then verify no DSU related denials and
files under /metadata/gsi/ are labeled correctly.
Change-Id: I54a5fe734dd345e28fd8c0874d5fceaf80ab8c11

Address any denials in the log - currently just adding
the virtualization service.
Bug: 183583115
Test: ps -AZ | grep virtmanager
u:r:virtmanager:s0 virtmanager 2453 1 10930880 4544 0 0 S virtmanager
Change-Id: Ie034dcc3b1dbee610c591220358065b8508d81cf

Previously we would mount OTA images with a 'context=...' mount
option. This meant that all selinux contexts were ignored in the ota
image, limiting the usefulness of selinux in this situation. To fix
this the mount has been changed to not overwrite the declared contexts
and the policies have been updated to accurately describe the actions
being performed by an OTA.
Bug: 181182967
Test: Manual OTA of blueline
Merged-In: I5eb53625202479ea7e75c27273531257d041e69d
Change-Id: I5eb53625202479ea7e75c27273531257d041e69d

Add early_boot_ended permission to the keystore2 access vector. This
permission must be checked before allowing calls to earlyBootEnded() on
Keymint devices.
Bug: 181821046
Bug: 181910578
Change-Id: I8860a4424a249455ab540b6c2896e7d836ceb8a3

Bug: 182546466
Test: Test with getprop code outside system img
Change-Id: I4817c22ecc0a143ea818e0850fb721cbdf1d5ae5
Signed-off-by: Denny cy Lee <dennycylee@google.com>

This permission is required to call
IKeystoreMaintenance::onDeviceOffBody.
Test: N/A
Bug: 171305684
Change-Id: Idf2e496dce607d63497b55858652869d85529238

Due to the nature of RemoteProvisioner being an app, there
are many components under the hood of frameworks that make calls out to
standard app available services. This change allows remote_prov_app to
find any service labeled with app_api_service to avoid the brittleness
that has already arisen from generating SELinux denials on boot, and
avoid any potential unintended functionality consequences as a result of
those.
Test: No selinux denials
Change-Id: I95fc4d15a196646deb6b9f6040bac88ee00b2a7f

It was missing when migrating definitions.mk to an Android.bp module.
Test: m selinux_policy on sc-arc
Change-Id: I3c943440295bc9064d50e1a2f9025715c76b539e

These neverallow rules have grown over the years, and there are now some
duplicated rules. For example,
    neverallow scon tcon:tcls ~{ read };
really isn't doing anything due to the
    neverallow scon tcon:tcls *;
banning every action already.
Remove these rules to make them more manageable, and make the follow-up
changes simpler to review.
Bug: 181110285
Test: Build pass
Change-Id: I82f2bbb54436153507b451a61b3075f223522028

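The redundancy described in this commit message (a `neverallow` on a permission set that a broader `neverallow` on the same source, target and class already bans) can be detected mechanically. The script below is an added example, not part of the sepolicy project; it parses a constructed sample of simple `neverallow` rules and treats `*` as the complement of the empty set so that `*`, `~{ ... }` and `{ ... }` forms compare uniformly.

```python
"""Report neverallow rules already implied by a broader rule on the same
source, target and class (added example, not project code)."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the duplicated rules in the commit message.
SAMPLE_POLICY = """
neverallow scon tcon:tcls ~{ read };
neverallow scon tcon:tcls *;
neverallow scon tcon:tcls { write append };
neverallow scon other:tcls write;
"""

RULE_RE = re.compile(r"neverallow\s+(\S+)\s+(\S+?):(\S+)\s+(~?\{[^}]*\}|\S+?)\s*;")

@dataclass(frozen=True)
class Rule:
    text: str
    source: str
    target: str
    tclass: str
    perms: frozenset   # named permissions
    complement: bool   # True: every permission except `perms` is banned

def parse_rules(policy):
    rules = []
    for m in RULE_RE.finditer(policy):
        src, tgt, cls, spec = m.groups()
        if spec == "*":                      # `*` == ~{} (complement of nothing)
            perms, comp = frozenset(), True
        else:
            comp = spec.startswith("~")
            perms = frozenset(spec.lstrip("~").strip("{}").split())
        rules.append(Rule(m.group(0), src, tgt, cls, perms, comp))
    return rules

def covers(broad, narrow):
    """True if every permission banned by `narrow` is also banned by `broad`."""
    if (broad.source, broad.target, broad.tclass) != (narrow.source, narrow.target, narrow.tclass):
        return False
    if narrow.complement:                    # U\narrow ⊆ U\broad  iff  broad ⊆ narrow
        return broad.complement and broad.perms <= narrow.perms
    if broad.complement:                     # finite set inside a complement: no overlap
        return not (narrow.perms & broad.perms)
    return narrow.perms <= broad.perms

def redundant_rules(policy):
    """Return the text of rules made redundant by another rule in `policy`."""
    rules = parse_rules(policy)
    out = []
    for i, r in enumerate(rules):
        for j, other in enumerate(rules):
            # identical duplicates: keep the first occurrence, flag the rest
            if i != j and covers(other, r) and not (covers(r, other) and j > i):
                out.append(r.text)
                break
    return out
```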
We're not doing anything special with device files, so no point
excluding them from the neverallow rules.
Principle of KISS.
Bug: 181110285
Test: Build pass
Change-Id: I0e203665aa2134579d97b580cb9301755edb62b1

Some details here are copied from hal_attribute_hwservice but
no longer make sense here.
Bug: N/A
Test: N/A
Change-Id: Ia4a4d6731b5e5270922d32b7854d36bd726d202b

This node ID will be used to uniquely and anonymously identify a device
by profcollectd on engineering (userdebug or eng) builds.
Test: build
Change-Id: If01f71c62479d63d4d19aac15da24bc835621e66

IKeystoreService is a VINTF stability interface, and keystore2 is now
using this interface correctly from Rust.
Test: m && adb shell start keystore2
Bug: 179907868
Change-Id: I3b583df2fac7e6bca7c1875efb7650f9ea0a548c

qemu.hw.mainkeys exists both in plat_property_contexts and
vendor_property_contexts. This would cause breakage in GSI build
for certain vendors. To fix, add `exact {type}` to make the property
defined in system take precedence.
Bug: 180412668
Signed-off-by: Weilun Du <wdu@google.com>
Change-Id: I1268e6a202d561a1e43f3d71fb38c6000042306b

Data and obbs are already mounted to lowerfs, and we need per-app visibility isolation to mount
on those directories.
Here's the warning if we do not add it.
3094 3094 W main : type=1400 audit(0.0:36): avc: denied { mounton } for path="/storage/emulated/0/Android/obb" dev="dm-5" ino=9206 scontext=u:r:zygote:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=0
Bug: 182997439
Test: No selinux warnings during boot.
Change-Id: Id78d793e70acf0d7699c006e19db6d7fda766bf1

This reverts commit d869d02758.
Reason for revert: fixed breakage
The breakage was due to the difference between plat_sepolicy.conf and
microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with the
se_policy_conf module, so it is synced with plat_sepolicy.conf.
Test: boot microdroid with and without SANITIZE_TARGET=address
Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441

Introduce the convert_storage_key_to_ephemeral permission to the
keystore2_key access vector and give vold permission to use it. This
permission must be checked when a caller wants to get a per-boot
ephemeral key from a long lived wrapped storage key.
Bug: 181806377
Bug: 181910578
Change-Id: I542c084a8fab5153bc98212af64234e62e9ad032

* Permits setting the sys.drop_caches property from shell.
* Permits init to read and write to the drop_caches file.
* Can only be set to 3 (drop_caches) and 0 (unset).
Bug: 178647679
Test: flashed user build and set property; no avc denials.
Test: flashed userdebug build and dropped caches w/o root.
Change-Id: Idcedf83f14f6299fab383f042829d8d548fb4f5d