Commit graph

24 commits

Author SHA1 Message Date
Ryan Savitski
941ba723ba sepolicy: rework perfetto producer/profiler rules for "user" builds
This patch:
* allows for heap and perf profiling of all processes on the system
  (minus undumpable and otherwise incompatible domains). For apps, the
  rest of the platform will still perform checks based on
  profileable/debuggable manifest flags. For native processes, the
  profilers will check that the process runs as an allowlisted UID.
* allows for all apps (=appdomain) to act as perfetto tracing data
  writers (=perfetto_producer) for the ART java heap graph plugin
  (perfetto_hprof).
* allows for system_server to act a perfetto_producer for java heap
  graphs.

Bug: 247858731
Change-Id: I792ec1812d94b4fa9a8688ed74f2f62f6a7f33a6
2023-02-03 15:05:14 +00:00
Florian Mayer
94926f51df [MTE] Add memory_safety_native_boot namespace
Bug: 267234468
Change-Id: I248fdf58a744f0c70a26d6a8f7d4caa0a6ce8edb
2023-01-31 15:48:40 -08:00
Sandro
f7894fc62e Allow sdk_sandbox to read files/directory in /data/local/tmp
The /data/local/tmp directory is used by the CTS tests infrastructure to
store various data, like the list of tests to include/exclude after
failures
http://cs/android-internal/tools/tradefederation/core/test_framework/com/android/tradefed/testtype/AndroidJUnitTest.java;l=333-347;rcl=bbd3902197b7de1a99aef4c22db8e14e4dbf1157

Without this CL, CTS modules that attempt to re-execute failures will
get a '[INSTRUMENTATION_CRASH|SYSTEM_UNDER_TEST_CRASHED]' error.

Test results before/after this CL:
Before: http://ab/I04600010115474754
After: http://ab/I65000010115426482
Note the absence of "Module error" in the second case
https://screenshot.googleplex.com/C6Ui3GdfgQBt8bp
https://screenshot.googleplex.com/BDHKFfKJjnqVYpj

Bug: 261864298
Test: atest CtsBluetoothTestCases --retry-any-failure -- --enable-optional-parameterization --enable-parameterized-modules --module-parameter run_on_sdk_sandbox
Change-Id: Ibbb196f8c0ef1df320885ed8c56f20172f83d583
2022-12-15 10:29:36 +00:00
Sandro
d0553529bb Add auditallow for system properties access from the sdk sandbox
We want to more closely monitor the system properties that the
sdk_sandbox has access to.

Bug: 210811873
Test: adb logcat | grep "r:sdk_sandbox"
Change-Id: I0d590374e931ca41d5451cd7c2de5b02fee619e9
2022-10-11 15:21:08 +00:00
Sandro
692c3ad3b2 Rollback "Move allow rules of sdk_sandbox to apex policy"
Rolling back the changes from aosp/2206999.

Bug: 243923977#comment9
Test: atest SeamendcHostTest
Change-Id: I361811d021523f48f08bab5353ea5e03bc58fbef
2022-09-26 11:49:45 +00:00
Sandro Montanari
3b94a3f3bc Revert^2 "Move allow rules of sdk_sandbox to apex policy"
Next attempt at rolling forward aosp/2200430. It appears the
first-stage-init did not create the /dev/selinux folder on GSI
instances, resulting in breakages when selinux.cpp tries to copy files
to that folder.

To verify these changes for b/244793900, follow
gpaste/4922166775644160

Bug: 243923977
Test: atest SeamendcHostTest
Change-Id: I2bc630cfaad697d44053adcfd639a06e3510cc72
2022-09-07 08:22:59 +00:00
Sandro Montanari
8cce5b2ffb Revert "Move allow rules of sdk_sandbox to apex policy"
Revert "Add seamendc tests for sdk_sandbox in apex sepolicy"

Revert submission 2201484-sdk_sandbox

Note: this is not a clean revert, I kept the changes in aosp/2199179
and the changes to system/sepolicy/Android.mk. Those changes are already
part of internal, I do not want to put those files out of sync again.

Test: atest SeamendcHostTest
Reason for revert: b/244793900
Reverted Changes:
Ib14b14cbc:Add seamendc tests for sdk_sandbox in apex sepolic...
I27ee933da:Move allow rules of sdk_sandbox to apex policy

Change-Id: If225cdd090248e050d1f0b42f547a4b073bbafc6
2022-09-05 09:39:15 +00:00
Sandro
084b41748d Move allow rules of sdk_sandbox to apex policy
Third attempt to roll-forward the apex_sepolicy changes from
aosp/2179294 and aosp/2170746.

I was finally able to figure out the likely root cause of the test
breakages in internal b/243971667. The related CL aosp/2199179 is making
the apex_sepolicy files mandatory for all AOSP builds.

Without the apex_sepolicy files, mixed GSI builds in internal using AOSP
as base would not implement the sdk_sandbox rules, causing breakages for
the SdkSandbox components.

Bug: 243923977
Test: atest SeamendcHostTest
Change-Id: I27ee933da6648cca8ff1f37bde388f72b4fe6ad6
2022-09-01 09:11:38 +00:00
Sandro Montanari
38f009ba13 Revert "Move allow rules of sdk_sandbox to apex policy"
Revert "Add seamendc tests for sdk_sandbox in apex sepolicy"

Revert submission 2182195-seamendc

Reason for revert: 243971667
Reverted Changes:
I59fda23d9:Add seamendc tests for sdk_sandbox in apex sepolic...
I4c4800418:Move allow rules of sdk_sandbox to apex policy

Change-Id: Icc3fff21aae23f24f37dbae6276699c56842f9a1
2022-08-29 09:03:18 +00:00
Sandro
3bb7bb2e70 Move allow rules of sdk_sandbox to apex policy
This is a roll-forward of a small chunk of aosp/2170746.
The previous CL was causing test breakages (b/240731742, b/240462388,
b/240463116).

This CL is smaller than the previous one, it only moves allow rules from
the platform policy to the apex policy (I believe the error was caused
by typeattribute rules). I also ran the closest approximation I could
find to the breaking environment, and it appears the tests are passing
https://android-build.googleplex.com/builds/abtd/run/L44100000955891118
https://android-build.googleplex.com/builds/abtd/run/L68000000955937148

Bug: 236691128
Test: atest SeamendcHostTest
Change-Id: I4c480041838c8c14011f099ba8295097fe9212db
2022-08-25 15:48:25 +00:00
Gavin Corkery
5f7432546f Stop auditing sdk_sandbox access to audio_service
This service has valid use cases such as video players and should therefore not be audited.

Change-Id: I3a0cffb34429320a412a7c05220376c0b58e28a3
Test: make
Bug: 211632068
2022-08-15 10:18:50 +00:00
Lokesh Gidra
1269a179ac Revert "Move parts of sdk_sandbox from private to apex policy"
Revert "Add java SeamendcHostTest in cts"

Revert submission 2111065-seamendc

Reason for revert: b/240731742, b/240462388 and b/240463116
Reverted Changes:
I3ce2845f2:Move parts of sdk_sandbox from private to apex pol...
I0c10106e2:Add java SeamendcHostTest in cts

Test: revert cl
Change-Id: If9981796694b22b7cbfe1368cd815889c741e69d
2022-08-03 14:24:04 +00:00
sandrom
e6971f1330 Move parts of sdk_sandbox from private to apex policy
Bug: 236691128
Test: atest SeamendcHostTest

Change-Id: I3ce2845f259afb29b80e2d9b446aa94e64ef8902
2022-07-27 13:39:06 +00:00
Sanjana Sunil
563016314c Allow zygote to relabel sdk_sandbox_system_data_file
To perform sdk sandbox data isolation, the zygote gets the selinux label
of SDK sandbox storage (e.g. /data/misc_{ce,de}/<user-id>/sdksandbox)
before tmpfs is mounted onto /data/misc_{ce,de} (or other volumes). It
relabels it back once bind mounting of required sandbox data is done.
This change allows for the zygote to perform these operations.

Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Change-Id: I28d1709ab4601f0fb1788435453ed19d023dc80b
2022-05-20 11:24:32 +00:00
Mohammad Samiul Islam
d2ffd35cc0 Create a separate label for sandbox root directory
Currently, app process can freely execute path at
`/data/misc_ce/0/sdksandbox/<package-name>` since it's labeled as system
file. They can't read or write, but use 403/404
error to figure out if an app is installed or not.

By changing the selinux label of the parent directory:
`/data/misc_ce/0/sdksandbox`, we can restrict app process from executing
inside the directory and avoid the privacy leak.

Sandbox process should only have "search" permission on the new label so
that it can pass through it to its data directory located in
`/data/misc_ce/0/sdksandbox/<package-name>/<per-sdk-dir>`.

Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Test: `adb shell cd /data/misc_ce/0/sdksandbox` gives error
Test: manual test to verify webview still works
Change-Id: Id8771b322d4eb5532eaf719f203ca94035e2a8ed
Merged-In: Id8771b322d4eb5532eaf719f203ca94035e2a8ed
2022-05-19 16:01:15 +01:00
Shiwangi Shah
0a6c81f6ce Merge "Add access to hardware_properties and linker" 2022-05-03 19:27:55 +00:00
Treehugger Robot
8594b156af Merge "Prevent sandbox executing from sdk_sandbox_data_file" 2022-04-28 06:28:08 +00:00
Shiwangi Shah
13bdca21d5 Add access to hardware_properties and linker
We might want to change this in later android versions.

Bug: b/228159127
Bug: b/227745962
Test: Manual
Change-Id: I8f425cc9f2759a29bdd2e6218ad0a1c40750e4f5
2022-04-27 15:13:27 +00:00
Shiwangi Shah
48b2b33844 Add ephemeral service access to sdk sandbox
Add some services ephemeral service has access to.
We will steadily restrict this list further based on
testing and requirements for rubidium.

Test: Manual
Bug: b/227745962
Bug: b/227581095

Change-Id: If7bcb8b8de62d408bd4af848b43abca853c93758
2022-04-27 09:21:02 +00:00
Bram Bonne
078b43cd40 Prevent sandbox executing from sdk_sandbox_data_file
Bug: 215105355
Test: make
Change-Id: I73c6a0d5034f194bf7149336fdac1db51a2b151d
2022-04-25 13:28:52 +02:00
Treehugger Robot
ae1844e593 Merge "Add ThermalService and file access to SdkSandbox" 2022-03-25 18:24:13 +00:00
Shiwangi Shah
155d318876 Add ThermalService and file access to SdkSandbox
Thermal Service access needs to be provided to Sdk Sandbox
for Webview to record battery related metrics. We also
provide isolated process access to the file directory for sandbox
so that the renderer process can access it.

Bug: b/226558510
Test: Manual
Change-Id: I1ac14d4df7ab53e567a27086d0418ec612a7686f
2022-03-25 12:20:07 +00:00
Bram Bonne
85dfe313e5 Restrict sandbox access to drmservice
Bug: 226390597
Test: atest SdkSandboxRestrictionsTest

Change-Id: I49b55d66f1cdc1e8d65e3419460615822c3c3ef3
2022-03-24 14:09:46 +01:00
Bram Bonne
b93f26fd89 Move sdk_sandbox sepolicy to AOSP.
Bug: 224796470
Bug: 203670791
Bug: 204989872
Bug: 211761016
Bug: 217543371
Bug: 217559719
Bug: 215105355
Bug: 220320098
Test: make, ensure device boots

Change-Id: Ia96ae5407f5a83390ce1b610da0d49264e90d7e2
Merged-In: Ib085c49f29dab47268e479fe5266490a66adaa87
Merged-In: I2215ffe74e0fa19ff936e90c08c4ebfd177e5258
Merged-In: I478c9a16032dc1f1286f5295fc080cbe574f09c9
Merged-In: Ibf478466e5d6ab0ee08fca4da3b4bae974a82db0
Merged-In: I5d519605d9fbe80c7b4c9fb6572bc72425f6e90a
Merged-In: I05d2071e023d0de8a93dcd111674f8d8102a21ce
Merged-In: I6572a7a5c46c52c9421d0e9c9fc653ddbd6de145
Merged-In: I1b6d1a778cb658bdfd930b684e4ba0640031b226
Merged-In: I9fb98e0caee75bdaaa35d11d174004505f236799
2022-03-17 10:22:33 +01:00