This is an experimental feature only on userdebug and eng build.
Test: play MP4 file. install & uninstall media update apk.
Bug: 67908547
Change-Id: I513cdbfda962f00079e886b7a42f9928e81f6474
so we can dlopen the libraries that are there
Test: build&run
Merged-Id: Ia1fa1fd65295cffe6c8a3d31db53bd3339a71855
Change-Id: Ia1fa1fd65295cffe6c8a3d31db53bd3339a71855
Add sepolicy rules to grant wificond permission to use SIOCSIFHWADDR
ioctl. This permission is needed to dynamically change MAC address of
the device when connecting to wifi networks.
Bug: 63905794
Test: Verified manually that wificond can dynamically change MAC
address.
Change-Id: If2c6b955b0b792f706d8438e8e2e018c0b4cfc31
And grant appropriate permissions to more granular types.
Bug: 29319732
Bug: 65643247
Test: adb bugreport; no new denials to /proc or /sys files.
Change-Id: Ied99546164e79bfa6148822858c165177d3720a5
Fixing denials that stopped traceur from being able to write to
debugfs_tracing. Also cleaning up general find denials for services that
traceur doesn't have permission to access.
Additionally, labeling /data/local/trace as a trace_data_file in order
to give traceur a UX friendly area to write its traces to now that it
will no longer be a shell user. It will be write/readable by traceur,
and deletable/readable by shell.
Test: Traceur functionality is not being blocked by selinux policy
Bug: 68126425
Change-Id: I201c82975a31094102e90bc81454d3c2a48fae36
These property sets will be long term restricted with
compatible_property but allowing them now eases the transition.
Bug: 62875318
Test: boot marlin without audits for setprop in vendor_init
Change-Id: I25ab565bbf137e382c1dfc3b905b38403645f1d2
system_update service manages system update information: system updater
(priv_app) publishes the pending system update info through the service,
while other apps can read the info accordingly (design doc in
go/pi-ota-platform-api).
This CL adds the service type, and grants priv_app to access the service.
Bug: 67437079
Test: Build and flash marlin image. The system_update service works.
Change-Id: I7a3eaee3ecd3e2e16b410413e917ec603566b375
Adds per-app categories to untrusted app domains and their
app data types. Per-app categories are in addition to the
existing per-user categories.
Apps targeting sdk version 28+ will now have the following
characteristics:
Domain: u:r:untrusted_app:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9]
Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9]
Whereas apps targeting 27- will look like:
Domain: u:r:untrusted_app_27:s0:c[0-9]+,c[0-9]+
Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+
To ensure backwards compatibility with previous SDK versions,
the levelFrom=all now enforces categories by dominance instead of
equality. Apps with per-app and per-user categories will continue
to have selinux permissions (but not necessarily unix permissions)
to access app data with only per-user categories, but apps with only
per-user categories will not be able to access the data of apps with
both per-app and per-user categories.
Bug: 63897054
Test: Boot sailfish, run apps, verify no new selinux denials.
Test: cts-tradefed run cts -m CtsSelinuxTargetSdkCurrentTestCases
Test: cts-tradefed run cts -m CtsSelinuxTargetSdk27TestCases
Test: cts-tradefed run cts -m CtsSelinuxTargetSdk25TestCases
Test: adb sideload an OTA and verify that files are correctly labeled.
Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
Add a new set of sepolicy for the process that only netd use to load
and run ebpf programs. It is the only process that can load eBPF
programs into the kernel and is only used to do that. Add some
neverallow rules regarding which processes have access to bpf objects.
Test: program successfully loaded and pinned at sys/fs/bpf after device
boot. No selinux violation for bpfloader
Bug: 30950746
Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f
Duplicate property names are supported now for prefix and exact
matching.
Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: Ifd9d32eaece7370d69f121e88d5541f7a2e34458
We use this attribute to annotate coredomains that execute vendor code
in a Treble-violating way.
Bug: 62041836
Test: sepolicy builds
Change-Id: Ie6052209b3901eaad8496b8fc9681421d7ee3c1c
If a UID is idle (being in the background for more than
cartain amount of time) it should not be able to use the
camera. If the UID becomes idle we generate an eror and
close the cameras for this UID. If an app in an idle UID
tries to use the camera we immediately generate an error.
Since apps already should handle these errors it is safe
to apply this policy to all apps to protect user privacy.
Test: Pass - cts-tradefed run cts -m CtsCameraTestCases
Added - CameraTest#testCameraAccessForIdleUid
Change-Id: I9ab3d6ec99764a93638746f18912ed60d299015f
/proc/net/xt_qtaguid is used by apps to track their network data
use. Limit access to just zygote spawned processes - apps and
system_server, omitting access to isolated_app which is not allowed
to create network sockets.
As Android moves to eBPF for app's network data stats, access to
/proc/net/xt_qtaguid will be removed entirely. Segmenting access off
is the first step.
Bug: 68774956
This change also helps further segment and whitelist access to
files in /proc/net and is a step in the lockdown of /proc/net.
Bug: 9496886
Test: boot Taimen. Walk through setup-wizard. Make phone call and
video call. Browse web. Watch youtube. Navigate in maps.
Test: cts-tradefed run cts -m CtsAppSecurityHostTestCases -t \
android.appsecurity.cts.AppSecurityTests
Test: cts-tradefed run cts -m CtsNativeNetTestCases
Test: cts-tradefed run cts -m CtsIncidentHostTestCases -t \
com.android.server.cts.NetstatsIncidentTest
Test: cts-tradefed run cts -m CtsOsTestCases -t \
android.os.cts.StrictModeTest
Test: cts-tradefed run cts -m CtsNetTestCases -t \
android.net.cts.TrafficStatsTest
Test: cts-tradefed run cts -m CtsUsageStatsTestCases -t \
android.app.usage.cts.NetworkUsageStatsTest
Test: vts-tradefed run vts -m VtsQtaguidTest
Change-Id: Idddd318c56b84564142d37b11dcc225a2f2800ea
This CL lists all the exported platform properties in
private/exported_property_contexts.
Additionally accessing core_property_type from vendor components is
restricted.
Instead public_readable_property_type is used to allow vendor components
to read exported platform properties, and accessibility from
vendor_init is also specified explicitly.
Note that whitelisting would be applied only if
PRODUCT_COMPATIBLE_PROPERTY is set on.
Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e
Perfetto is a performance instrumentation and logging framework,
living in AOSP's /external/pefetto.
Perfetto introduces in the system one binary and two daemons
(the binary can specialize in either depending on the cmdline).
1) traced: unprivileged daemon. This is architecturally similar to logd.
It exposes two UNIX sockets:
- /dev/socket/traced_producer : world-accessible, allows to stream
tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS
from traced to each client process, which needs to be able to
mmap it R/W (but not X)
- /dev/socket/traced_consumer : privilege-accessible (only from:
shell, statsd). It allows to configure tracing and read the trace
buffer.
2) traced_probes: privileged daemon. This needs to:
- access tracingfs (/d/tracing) to turn tracing on and off.
- exec atrace
- connect to traced_producer to stream data to traced.
init.rc file:
https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc
Bug: 70942310
Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
This reverts commit 640e595a68. The
corresponding code in libcutils was removed, so this is now unneeded.
Bug: 71632076
Test: aosp_sailfish still works
Change-Id: I615bab83e9a83bc14439b8ab90c00d3156b0a7c4
This fixes an incorrect exception in the neverallow rule.
Test: Built policy for all lunch targets.
Change-Id: I283833131c6f1fd741e934de24c838594ac38a18
After offline discussions, we decided that this was the proper
exception to the neverallow rule.
Test: Built policy.
Change-Id: Ic1603bfdd803151ccfb79f90195b83b616acc873
This CL creates a traceur_app domain with userdebug privileges akin to
what shell has with regards to being able to find most services on
device. Previously, traceur was running as shell which was an
unintentional abuse of selinux architecture.
Bug: 68126425
Test: Traceur functions outside of shell user privilege
Change-Id: Ib5090e7e8225ad201b3ec24b506fe2717101d0f1
Add the new classes for eBPF map and program to limit the access to eBPF
object. Add corresponding rules to allow netd module initialize bpf
programs and maps, use the program and read/wirte to eBPF maps.
Test: no bpf sepolicy violations when device boot
Change-Id: I63c35cd60f1972d4fb36ef2408da8d5f2246f7fd
Some necessary sepolicy rule changes for init process to create directory,
mount cgroupv2 module and mount bpf filesystem. Also allow netd to create
and pin bpf object as files and read it back from file under the
directory where bpf filesystem is mounted.
Test: bpf maps show up under /sys/fs/bpf/
Change-Id: I579d04f60d7e20bd800d970cd28cd39fda9d20a0
Vendor-specific app domains depend on the rules in app.te so they
must reside in public policy.
Bug: 70517907
Test: build
Change-Id: If45557a5732a06f78c752779a8182e053beb25a2
Merged-In: If45557a5732a06f78c752779a8182e053beb25a2
(cherry picked from commit 1f4cab8bd4)
CrossProfileAppsService allows apps to do limited cross profile
operations, like checking the caller package is installed in
the specified user. It is similar to LauncherAppsService in some sense.
Merged-In: I26e383a57c32c4dc9b779752b20000b283a5bfdc
Change-Id: I26e383a57c32c4dc9b779752b20000b283a5bfdc
Fix: 67765768
Test: Built with ag/3063260. Can boot and verified those APIs are working.
(cherry picked from commit 6536c9e092)
Vendor-specific app domains depend on the rules in app.te so they
must reside in public policy.
Bug: 70517907
Test: build
Change-Id: If45557a5732a06f78c752779a8182e053beb25a2
we are aiming to improve logging performance by having wifi hal
directly write to the flash.
Wifi hal need to be able to create, write, and delete files in
a directory. This will be restricted to userdebug and eng builds only.
Bug: 70170285
Test: compile, run on device
Change-Id: Id0cd317411f4c393d7529aa31b501046d7350edb
Many processes including third party apps are expected to
access /proc/net/xt_qtaguid/stats. Give this file a new label
to avoid spamming the logs and temporarily grant read access to
all processes.
Read-only permission is adequate for all processes based on unix
permissions.
sailfish:/ # ls -laZ /proc/net/xt_qtaguid/stats
-r--r--r-- 1 root net_bw_stats u:object_r:proc_net_xt_qtaguid_stats:s0 stats
Bug: 9496886
Bug: 68016944
Bug: 70722355
Test: Build/flash Sailfish. Browse in Chrome and watch videos in youtube.
No "denied" or "granted" selinux messages observed in the logs.
Change-Id: I29f1ee806c8149988b9b93a950790d14754927ef
Bug: 70275668
Test: walleye builds, boots.
This change only expands the existing permissions, so shouldn't regress
runtime behavior.
Change-Id: I36e63f11d78998a88e3f8d1e6913e20762a359af
Allow init to create a serialized property_info file and allow all
processes to read it.
Bug: 36001741
Test: boot bullhead, walleye using property_info
Change-Id: Ie51d4c0f0221b128dd087029c811fda15b4d7093
Do not let apps read uid_concurrent_active_time and
uid_concurrent_policy_time.
b/68399339
Test: Check that they can't be read from the shell
without root permissions and system_server was able
to read them
Change-Id: I6f09ef608607cb9f4084ba403a1e7254b8c49a06
This will allow bionic cts test to list network interfaces in
/sys/class/net.
Bug: 70537905
Test: adb shell /data/nativetest/bionic-unit-tests/bionic-unit-tests
--gtest_filter=ifaddrs.getifaddrs_interfaces
Change-Id: Ie07425fc54f9101e911962142824697e64d2bc45
Commit b8b4f5d6 'Clean up old file-based OTA SELinux rules' removed
many permissions from recovery, a few of which are still required.
Restore these.
[ 2918.409108] type=1400 audit(2327427.540:159): avc: denied
{ search } for pid=339 comm="recovery" name="/" dev="mmcblk0p38"
ino=2 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0
tclass=dir permissive=0
[ 2586.563071] E:Failed to mount / create /cache/recovery: Permission
denied
[ 2586.780320] E:Can't open /cache/recovery/log: Permission denied
[ 2586.850399] E:Can't open /cache/recovery/last_log: Permission
denied
[ 2586.918979] E:Can't open /cache/recovery/last_install: Permission
denied
[ 54.035867] type=1400 audit(59206654.526:12): avc: denied { chown }
for pid=330 comm="recovery" capability=0 scontext=u:r:recovery:s0
tcontext=u:r:recovery:s0 tclass=capability permissive=0a
Bug: 70350029
Test: xunchang to test
Change-Id: I46ab049b8eb600b44c84a61777fade150cadd197
We rely on vendors to label all dependencies of healthd/charger under
/sys/class/power_supply with sysfs_batteryinfo type.
Bug: 65643247
Bug: 32659667
Test: boots without denials from healthd, to sysfs_batteryinfo or to
sysfs_msm_subsys.
Test: charging with device turned off works without /sys denials.
Change-Id: I893f309ecad8a0caf7d0b81f5f945725907255c2
Until simpleperf does not optimistically try /data/local/tmp for
tmp storage, silence the denials.
Bug: 70232908
Test: m
Test: manual
Change-Id: Icbc230dbfbfa6493b4e494185c536a10e3b0ae7b
Now that creating a symlink automatically sets its context,
init needs permission to create this file.
Bug: 69965807
Test: Booted device and tested wifi and camera.
Change-Id: I41f5ca8f4d877312c9b2a909001fe9cd80c3d458
Remove a number of SELinux rules which were required to support file
based OTA. After this, we can have a much stronger assertion that files
on /system are immutable. Tighten up the neverallow rules at the same
time.
Bug: 35853185
Bug: 15575013
Bug: 69664758
Test: adb reboot recovery && adb sideload [file]
Change-Id: I22aa208859b8478a2a90e1ed1c0f0d6b62a6664e
Sharing data folders by path will be disallowed because it violates
the approved API between platform and vendor components tested by
VTS. Move all violating permissions from core selinux policy to
device specific policy so that we can exempt existing devices from
the ban and enforce it on new devices.
Bug: 34980020
Test: Move permissions. Build and test wifi, wifi AP, nfc, fingerprint
and Play movies on Marlin and Taimen.
Test: build on Angler, Bullhead, Dragon, Fugu, Marlin, Walleye
(cherry picked from commit ba2130a882)
Change-Id: Iaedbbe31237822cf3348209028bba45ad85465f8
Self sideload OTA installation is aborted in #PPR1.171122.001.
Likely cause is the removal of the file-based OTA rules. Revert
the change while I investigate.
This reverts commit 7388575591.
Bug: 35853185
Bug: 69664758
Bug: 15575013
Change-Id: I65ca3bad7251f06df33eae8b2d4bcfada93ae9b8
Commit 7688161 "hal_*_(client|server) => hal(client|server)domain"
added neverallow rules on hal_*_client attributes while simultaneously
expanding these attribute which causes them to fail CTS neverallow
tests. Remove these neverallow rules as they do not impose specific
security properties that we want to enforce.
Modify Other neverallow failures which were imposed on hal_foo
attributes and should have been enforced on hal_foo_server attributes
instead.
Bug: 69566734
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
android.cts.security.SELinuxNeverallowRulesTest
CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed
remaining failure appears to be caused by b/68133473
Test: build taimen-user/userdebug
Change-Id: I619e71529e078235ed30dc06c60e6e448310fdbc
Remove a number of SELinux rules which were required to support file
based OTA. After this, we can have a much stronger assertion that files
on /system are immutable. Tighten up the neverallow rules at the same
time.
Bug: 35853185
Bug: 15575013
Test: adb reboot recovery && adb sideload [file]
Change-Id: I4238d17808bed6a81f47e14eb1797496c07642e2
This reverts commit ed876a5e96.
Fixes user builds.
libsepol.report_failure: neverallow on line 513 of system/sepolicy/public/domain.te (or line 9149 of policy.conf) violated by allow update_verifier misc_block_device:blk_file { ioctl read write lock append open };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
Bug: 69566734
Test: build taimen-user
Change-Id: I969b7539dce547f020918ddc3e17208fc98385c4
Commit 7688161 "hal_*_(client|server) => hal(client|server)domain"
added neverallow rules on hal_*_client attributes while simultaneously
expanding these attribute which causes them to fail CTS neverallow
tests. Remove these neverallow rules as they do not impose specific
security properties that we want to enforce.
Modify Other neverallow failures which were imposed on hal_foo
attributes and should have been enforced on hal_foo_server attributes
instead.
Bug: 69566734
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
android.cts.security.SELinuxNeverallowRulesTest
CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed
remaining failure appears to be caused by b/68133473
Change-Id: I83dcb33c3a057f126428f88a90b95f3f129d9f0e
