In microdroid, apexd activates apexes which are passed as a virtual disk
to share apexes with host Android.
Bug: 184605708
Test: apexd running in microdroid can read /dev/block/vdb2
when a disk image is passed to crosvm via --disk= option.
Change-Id: Ie27774868a0e0befb4c42cff795d1531b042654c
Previously we would mount OTA images with a 'context=...' mount
option. This meant that all selinux contexts were ignored in the ota
image, limiting the usefulness of selinux in this situation. To fix
this the mount has been changed to not overwrite the declared contexts
and the policies have been updated to accurately describe the actions
being performed by an OTA.
Bug: 181182967
Test: Manual OTA of blueline
Merged-In: I5eb53625202479ea7e75c27273531257d041e69d
Change-Id: I5eb53625202479ea7e75c27273531257d041e69d
This type is used for properties that provides per-device configuration
for apexd behaviour (so far - timeouts for creating/deleting dm device).
Test: builds
Bug: 182296338
Change-Id: Ib815f081d3ab94aa8c941ac68b57ebe661acedb9
Now that we have proper API using which update_engine can ask apexd to
reserve space, we no longer need to allow update_engine access to
directories at /data/apex.
Instead, apexd should get those permission.
Bug: 172911822
Test: atest ApexHandlerAndroidTest
Change-Id: I3a575eead0ac2fef69e275077e5862e721dc0fbf
We have created a new directory called /data/apex/decompressed. All
files under this directory will have staging_data_file label, but
the directory itself needs to have apex_data_file label. This is
because apexd needs to write inside this directory and we don't want
to give apexd write access to staging_data_file label.
When a file is written under this directory, it gets its parent's label.
So we need to restore the proper labeling. Hence, we are allowing apexd
labeling permissions.
Bug: 172911820
Test: atest ApexCompressionTests#testCompressedApexIsActivated
Change-Id: I0a910fa5591b2aace70804701545eb4ac510ec24
odrefresh is the process responsible for checking and creating ART
compilation artifacts that live in the ART APEX data
directory (/data/misc/apexdata/com.android.art).
There are two types of change here:
1) enabling odrefresh to run dex2oat and write updated boot class path
and system server AOT artifacts into the ART APEX data directory.
2) enabling the zygote and assorted diagnostic tools to use the
updated AOT artifacts.
odrefresh uses two file contexts: apex_art_data_file and
apex_art_staging_data_file. When odrefresh invokes dex2oat, the
generated files have the apex_art_staging_data_file label (which allows
writing). odrefresh then moves these files from the staging area to
their installation area and gives them the apex_art_data_file label.
Bug: 160683548
Test: adb root && adb shell /apex/com.android.art/bin/odrefresh
Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
Earlier changes removed the scripts for ART APEX pre- and post-install
hooks (I39de908ebe52f06f19781dc024ede619802a3196) and the associated
boot integrity checks (I61b8f4b09a8f6695975ea1267e5f5c88f64a371f), but
did not cleanup the SELinux policy.
Bug: 7456955
Test: Successful build and boot
Test: adb install com.android.art.debug && adb reboot
Change-Id: I1580dbc1c083438bc251a09994c28107570c48c5
This is a new ioctl for configuring loop devices, and is used by apexd.
Bug: 148607611
Bug: 161575393
Test: boot on device with/without LOOP_CONFIGURE
Change-Id: I9ef940c7c9f91eb32a01e68b858169c140d15d0f
Merged-In: I9ef940c7c9f91eb32a01e68b858169c140d15d0f
Adds proper file_contexts and domains for pre/postinstall hooks.
Allow the pre/postinstall hooks to communicate with update_engine stable
service.
Bug: 161563386
Test: apply a GKI update
Change-Id: I4437aab8e87ccbe55858150b95f67ec6e445ac1f
apexd runs in two separate mount namespaces: bootstrap & default.
To support separate apex-info-list.xml for each mount namespaces, apexd
needs to emit separate .xml file according to the mount namespace and
then bind-mount it to apex-info-list.xml file.
Bug: 158964569
Test: m & boot
nsenter -m/proc/1/ns/mnt -- ls -lZ /apex/apex-info-list.xml
nsenter -m/proc/2/ns/mnt -- ls -lZ /apex/apex-info-list.xml
=> shows the label apex_info_file correctly
Change-Id: I25c7445da570755ec489edee38b0c6af5685724b
/apex/apex-info-file.xml is labeled as apex_info_file. It is
created/written by apexd once by apexd, and can be read by zygote and
system_server. The content of the file is essentially the same as the
return value of getAllPackages() call to apexd.
Bug: 154823184
Test: m
Merged-In: Ic6af79ddebf465b389d9dcb5fd569d3a786423b2
(cherry picked from commit f1de4c02cc)
Change-Id: Ic6af79ddebf465b389d9dcb5fd569d3a786423b2
public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.
Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
As apexd now has dac_override, it should also have dac_read_search to
avoid spurious denials.
Bug: 141148175
Test: Build, run apex installation, check denials.
Change-Id: I179c05b36ae0fe62d943ca59ee7f8158507f1f10
This allows apexd to execute "cp" to perform snapshot and
restore operations.
Other rules for this were added in aosp/1217340, but this one was
missed.
Bug: 141148175
Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeSys
Change-Id: Ia529ede468578bfadc87e049a2c0ab4f87e1c43d
This adds rules required for apexd to perform snapshot and restore
of the new apex data directories.
See go/apex-data-directories for more information on the feature.
See the chain of CLs up to ag/10169468 for the implementation of
snapshot and restore.
Bug: 141148175
Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeSys
Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeUser
Test: atest StagedRollbackTest#testRollbackApexDataDirectories_Ce
Change-Id: I1756bbc1d80cad7cf9c2cebcee9bee6bc261728c
This adds a new apex_rollback_data_file type for the snapshots (backups)
of APEX data directories that can be restored in the event of a rollback.
Permission is given for apexd to create files and dirs in those directories
and for vold_prepare_subdirs to create the directories.
See go/apex-data-directories for details.
Bug: 141148175
Test: Built and flashed, checked directory was created with the correct
type.
Change-Id: I94b448dfc096e5702d3e33ace6f9df69f58340fd
This adds a new apex_module_data_file type for the APEX data directories
under /data/misc/apexdata and /data/misc_[de|ce]/<u>/apexdata.
Permission is given for vold to identify which APEXes are present and
create the corresponding directories under apexdata in the ce/de user
directories.
See go/apex-data-directories.
Bug: 141148175
Test: Built & flashed, checked directories were created.
Change-Id: I95591e5fe85fc34f7ed21e2f4a75900ec2cfacfa
apexd stops itself when it finds that it is running on a device with
flattened APEXes (i.e. ro.apex.updatable = false).
Bug: 133907211
Test: launch sdk_phone_x86_64
adb logcat -d | grep apexd | wc -l
returns 3
Change-Id: I7fa161b069aa34adb028194b55f367fe740a0cfc
apexd needs to read /vendor/apex dir and files in it.
Bug: 131190070
Bug: 123378252
Test: 1. Add apex to /vendor/apex
-> see if boot succeeds with new policy
2. Add flattened apex to /vendor/apex
-> see if only root files are labelled as vendor_apex_file
Change-Id: I37795ab6d659ac82639ba5e34d628fe1b5cdb350
The bootstrap bionic (/system/lib/bootstrap/*) are only to the early
processes that are executed before the bionic libraries become available
via the runtime APEX. Allowing them to other processes is not needed and
sometimes causes a problem like b/123183824.
Bug: 123183824
Test: device boots to the UI
Test: atest CtsJniTestCases:android.jni.cts.JniStaticTest#test_linker_namespaces
Change-Id: Id7bba2e8ed1c9faf6aa85dbbdd89add04826b160
We no longer have /system/etc/security/apex/* as the public keys are all
bundled in APEXes. Removing the selinux label and policies for it.
Bug: 936942
Test: device is bootable
Change-Id: I6b6144a8d15910d1ba8584a0778244ed398dc615
This is an area that apexd can use to store session metadata, which
won't be rolled back with filesystem checkpointing.
Bug: 126740531
Test: builds
Change-Id: I5abbc500dc1b92aa46830829be76e7a4381eef91
This is needed in cases SELinux labels are restored under /data/apex by
an external process calling restorecon. In normal condition files under
/data/apex/active retain the label staging_data_file used at their
original creation by StagingManager. However, we observed that the label
might be changed to apex_data_file, which we were able to reproduce by
running restorecon.
Explicitly mark files under /data/apex/active and /data/apex/backup as
staging_data_file.
This CL also remove some stale rules being addressed since.
Test: ran restorecon on files in /data/apex/active, attempted installing
a new apex which triggered the violation when files are linked to
/data/apex/backup. With this CL, the operation succeeds.
Bug: 112669193
Change-Id: Ib4136e9b9f4993a5b7e02aade8f5c5e300a7793c
Add art_apex_postinstall domain that is allowed to move
precreated AoT artifacts from /data/ota.
Bug: 125474642
Test: m
Change-Id: Id674e202737155a4ee31187f096d1dd655001fdd
Add art_apex_preinstall domain that is allowed to create AoT
artifacts in /data/ota.
Bug: 125474642
Test: m
Change-Id: Ia091d8df34c4be4f84c2052d3c333a0e36bcb036
In some scenarios (native watchdog finding a regression, apexd failing
to mount apexes), a rollback of apexd will be triggered which requires
device reboot.
Bug: 123622800
Test: manually triggered apexd rollback and verified it reboots phone
Change-Id: I4c5d785a69dd56a63348c75c1897601749db9bc5
In order to support rollback for apex files, apexd will need to unlink
previously active apex files in /data/apex/active folder. Those files
are hardlinked from /data/staging/session_XXXX which means that they
have staging_data_file:file SELinux fields.
I double checked that this change won't allow apexd to unlink files in
/data/staging/session_XXXX folders, because it will lack write access,
logcat contains following entries:
avc: denied { write } for name="session_305119585" dev="sda13" ino=5496838 scontext=u:r:apexd:s0 tcontext=u:object_r:staging_data_file:s0 tclass=dir permissive=0
Bug: 122339211
Test: verified that apexd can't unlink files in /data/staging/session_XXXX
Change-Id: Iddef724c3d73269c97d9fa12a05a276fad189ea9
Different devices can have /sys/* labeled differently. This allows
apexd, to traverse /sys directory tree agnostic of device-specific
labeling.
Bug: 122876102
Test: m selinux_policy
Change-Id: I08f2eb2242913e3a7d532d36a452cf111fd4e4c4
Give apexd permission to execute sh.
Add userdebug_or_eng domains and rules for the test
APEX for pre- and post-install.
Bug: 119260955
Bug: 119261380
Test: atest apexservice_test
Change-Id: I0c4a5e35e096101a53c9d1f212d2db2e63728267
Allow apexd to log to the kernel log. This aids in low-level
diagnostics, when adb is not available.
Test: m
Change-Id: Ib8f286bd917b34f5e8992b37ab230313a4820bf9
For consistency with APKs, signature verification is performed
in the system_server. This includes checking that the signature of
an updated install matches the signature of the active package that
it updates. For this, it requires search access to /data/apex and
read access to the files under that directory.
Test: m
Change-Id: Ia073adb8892886e4767fa5529e95c110b9cbff1b
Test: basic workflow between apexd and PackageManager tested with
changes being developed.
Bug: 118865310
Change-Id: I1ae866f33e9b22493585e108c4fd45400493c7ac
To configure read-ahead on loop devices, eg.
/sys/devices/virtual/block/loop0/queue/read_ahead_kb
Bug: 120776455
Test: configuring read-ahead on loop devices works from apexd
Change-Id: Ib25372358e8ca62fa634daf286e4b64e635fac58
To work around a kernel bug where pages that are read before changing
the loop device offset are not invalidated correctly.
Bug: 120853401
Test: apexd mounts APEX files on gphone_sdk_x86_64
Change-Id: I89f23f8f9d472e599f053553b73cc0618dcb3747
Currently, when an APEX is staged, apexd moves the file from
/data/app/vmdl*.tmp directory to /data/apex. However, the original file
is labeled with apk_tmp_file and is not readable from apexd.
We plan to resolve this issue by moving the file content via file
descriptor in between the package manager and apexd.
However, until the plan is implemented, temporarily allow apexd to
relabel the file to apex_data_file that is readable to it. This unblocks
the end-to-end test for APEX.
Bug: 112669193
Test: adb install --apex system/apex/apexd/apexd_testdata/test.apex
adb reboot; adb root; adb shell; cmd apexservice getActivePackages
The test APEX is activated
Change-Id: Ib9d4f5c699261f1fa1e6d557731767ee4d7168f9
In earlier kernel versions (<4.0), the loopback driver issues
requests from a kernel thread. Therefore, the kernel needs access
to APEX file descriptors and data files (which are loopback
mounted).
Bug: 119220815
Test: mounting works on sailfish
Change-Id: I75b2bade41c64cf6fa6040d9c2f5489a206e04c6
