Commit graph

57 commits

Author SHA1 Message Date
Pawan Wagh
b071882d76 Allow system app and update_engine to read OTA from /vendor
Introducing vendor_boot_ota_file which will be used to allow
reading OTAs from /vendor/boot_otas when BOARD_16K_OTA_MOVE_VENDOR := true
is set. These OTAs will be read from settings app (system_app) and update
engine.

Test: m, m Settings && adb install -r $ANDROID_PRODUCT_OUT/system_ext/priv-app/Settings/Settings.apk
Bug: 335022191
Change-Id: Ie42e0de12694ed74f9a98cd115f72d207f67c834
2024-05-02 01:14:47 +00:00
Ellen Arteca
27b515e70a Add SELinux policy for storage areas
We are adding the ability for apps to create "storage areas", which are
transparently encrypted directories that can only be opened when the
device is unlocked.
This CL makes the required SELinux policy changes.

First, assign the type "system_userdir_file" to the new top-level
directory /data/storage_area (non-recursively).  This is the same type
used by the other top-level directories containing app data, such as
/data/user, and it restricts access to the directory in the desired way.

Second, add new types to represent an app's directory of storage areas,
the storage areas themselves, and their contents:
`storage_area_app_dir`, `storage_area_dir`, and
`storage_area_content_file` respectively.
All are `app_data_file_type`s.
The directory structure and their associated labels are as follows (note
that they also all get the categories of the user+package):
/data/storage_area/userId/pkgName
		storage_area_app_dir
/data/storage_area/userId/pkgName/storageAreaName
		storage_area_dir
/data/storage_area/userId/pkgName/storageAreaName/myFile.txt
		storage_area_content_file
/data/storage_area/userId/pkgName/storageAreaName/mySubDir
		storage_area_content_file

These new types allow us to restrict how and which processes interact
with storage areas.
The new type for the contents of storage areas allows us to add new,
desirable restrictions that we cannot add to the more general
`app_data_file` type in order to maintain backwards-compatibility,
e.g., we block apps from executing any files in their storage areas.

Third, allow:
-- vold_prepare_subdirs to create and delete
storage areas on behalf of apps, and assign them the SELinux type
`storage_area_dir`
i.e. create directories
/data/storage_area/$userId/$pkgName/$storageAreaName
-- vold to assign encryption policies to storage area directories
-- installd to create an app's directory of storage areas on app
install, and delete them on app uninstall, and assign them the SELinux
type `storage_area_app_dir`,
i.e. directories /data/storage_area/$userId/$pkgName

We also add a new SELinux type to represent the storage area encryption
keys: `storage_area_key_file`.
The keys are created by vold on storage area creation, and deleted
either by vold if an app calls
the `deleteStorageArea` API function explicitly, or by installd on
app uninstall.
These keys are stored in `/data/misc_ce/$userId/storage_area_keys`,
and only installd and vold have access to them.

Bug: 325121608
Test: atest StorageAreaTest
Change-Id: I74805d249f59226fc6963693f682c70949bfad93
2024-04-30 20:26:55 +00:00
William Loh
38b57bcc47 Add policy for /data/app-metadata
Bug: 336618214
Test: manual
Change-Id: If2da435f6622c6bc28a867c9a70e8efafe6524b0
2024-04-25 04:06:45 +00:00
Ted Bauer
ba5998d7a2 Merge "Let system server set permissions on marker file" into main 2024-04-10 21:16:43 +00:00
Ted Bauer
86405531d5 Let system server set permissions on marker file
System server needs to create a file in /metadata/aconfig, and set its
permissions.

Bug: 328444881
Test: m
Change-Id: I30aa576e46d8963e78ff21ad328160a99bd5d523
2024-04-10 15:26:01 +00:00
Steven Terrell
c5401edfb4 Changes to allow trace redactor to run
Updates to allow profiling module to run new trace_redactor binary.
Allow the trace_redactor binary to read the input trace file and write
the output file.

Bug: 327423523
Test: build/flash and
      atest CtsProfilingModuleTests#testRequestSystemTraceSuccess
Change-Id: Id6684d8a9891e9ed42fe115066e41a89a7e8a097
2024-04-03 23:35:36 +00:00
Jiakai Zhang
4acd07323e Update SELinux policy for Pre-reboot Dexopt.
- Add pm.dexopt.* properties.
- Add rules for running artd in chroot.

Bug: 311377497
Test: manual - Run Pre-reboot Dexopt and see no denial.
Change-Id: If5ff9b23e99be033f19ab257c90e0f52bf250ccf
2024-03-27 10:53:50 +00:00
Hansen Kurli
78f7da3136 Merge "Sepolicy setup for /data/misc/connectivityblobdb/" into main 2024-03-20 20:27:18 +00:00
Nikita Putikhin
69a21c0167 Add contexts for update_engine_nostats
Should be the same as for update_engine

Test: Boot the VM, make sure the service works.
Test: checkfc -t private/file_contexts contexts/plat_file_contexts_test
Bug: 328227527
Change-Id: I8521716dcf43e5e7c41c4ecd36be128bacbe07b4
2024-03-11 19:24:56 +01:00
Hansen Kurli
64efe2d68f Merge "Remove tests for removed legacy vpns" into main 2024-03-07 05:57:32 +00:00
Alice Ryhl
6b9aa6dc33 kcmdlinectrl: define system property for kcmdlinectrl
This defines the kcmdline_prop context for properties controlled by
kcmdlinectrl, and defines a property called kcmdline.binder for
switching between the Rust and C implementations of the Binder driver.

It is intended that additional kcmdline properties introduced in the
future would share the same kcmdline_prop context.

Test: Verified that setprop/getprop work and that the value is loaded properly at boot
Bug: 326222756
Change-Id: Iea362df98d729ee110b6058c6e5fa6b6ace03d8e
2024-03-06 12:05:24 +00:00
Hansen Kurli
956d235e33 Remove tests for removed legacy vpns
Follow up of aosp/2849357 and aosp/2849358. Tests related to the
removed file_context objects should also be removed

Bug: 161776767
Test: checkfc -t private/file_contexts contexts/plat_file_contexts_test
Change-Id: Id986b739cc81af91aadf8853d685d41ad4238292
2024-03-06 15:47:59 +08:00
Hansen Kurli
0e638112f2 Sepolicy setup for /data/misc/connectivityblobdb/
Create a new folder for connectivity blobs, to be used by
ConnectivityBlobStore for VPN and WIFI to replace legacy
keystore.
System server will need permissions to manage databases in the
folder and system server will create the folder in init.rc.

Bug: 307903113
Test: checkfc -t private/file_contexts contexts/plat_file_contexts_test
Test: build and manual test.
Change-Id: Ib51632af9624d8c3ebf2f752547e162a3fbbb1b0
2024-03-05 19:52:20 +00:00
Daniele Di Proietto
9a997590e1 Add perfetto persistent tracing configuration file
Bug: 325622427
Change-Id: Ia77a029dfddfb3108bb6fdd2d3c6d5b4d9909f7b
2024-03-05 11:30:36 +00:00
Kangping Dong
564f1296b8 Merge "[Thread] limit ot-daemon socket to ot-ctl" into main 2024-03-05 11:18:56 +00:00
Kangping Dong
90495cc79f [Thread] limit ot-daemon socket to ot-ctl
It's better to explicitly disallow access to ot-daemon from other than
ot-ctl.

Bug: 323502847
Change-Id: Ic46ad4e8f3a1d21bbfc9f4f01e6a692aafcdb815
2024-02-29 23:43:34 +08:00
Dennis Shen
f008c29e47 aconfig_storage: setup RO partitions aconfig storage files SELinux
policy

system, system_ext, product and vendor partitions have aconfig storage
files under /<partition>/etc/aconfig dir. Need to grant access to
aconfigd.

Bug: b/312459182
Test: m and tested with AVD
Change-Id: I9750c24ffa26994e4f5deadd9d772e31211a446a
2024-02-29 15:28:48 +00:00
Dennis Shen
2659257c76 aconfigd: create aconfig daemon selinux policy
Bug: b/312444587
Test: m and launch avd
Change-Id: I0156a9dee05139ec84541e0dff2f95285c97cfb9
2024-02-26 19:58:48 +00:00
Steven Moreland
9fca32695a Merge changes from topic "misctrl" into main
* changes:
  misctrl: add a property
  intro misctrl
2024-02-22 18:57:01 +00:00
Yisroel Forta
c5cb5a248d Add context that system server can access and perfetto can save traces to
Give perfetto rw dir and create file permissions for new directory.
Give system server control to read, write, search, unlink files from new directory.

Test: locally ensure traces can be written by perfetto and accessed and deleted by system server
Bug: 293957254
Change-Id: Id015429b48ffffb73e7a71addddd48a22e4740bf
2024-02-21 16:43:57 +00:00
Steven Moreland
b4f42d449b intro misctrl
Generic binary for managing the misc partition.

Bug: 317262681
Test: boot, check bugreport
Change-Id: Ib172d101d68409f2500b507df50b02953c392448
2024-02-20 18:56:05 +00:00
Håkan Kvist
1f915b4b13 label boot animations on oem with bootanim_oem_file
Bootanimation only access boot animation files on oem. Label
these files with bootanim_oem_file and remove oemfs file allow rule.

Also allow mediaserver and app to read this new label as they can access
/oem/media folder.

Bug: 324437684
Test: Confirm that boot animation on oem is shown without violations
Change-Id: I940ccde9391a5daa920f31926d32e68b1de5b7eb
2024-02-16 11:08:30 +01:00
Dennis Shen
6c8210da20 selinux setup for files under /metadata/aconfig dir
1, /metadata/aconfig is the directory that stores aconfig storage
related protobuf files and flag value files boot copy. Grant read
access to everybody. But limit the write access only to init and
aconfig storage service process (to be created later)

2, /metadata/aconfig/flags is the sub directory that stores persistent
aconfig value files. Initially set it up to be accessible by
system_server process only. When aconfig storage service process is
created, will add another permission to storage service process.

Context to why we are hosting flag data on /metadata partition:

Android is adopting trunk stable workflow, flagging and A/B testing is
essential to every platform component. We need some place to host the
flags that are accessible to system processes that start before /data
partition becomes available.

In addition, there has been a long discussion regarding utilizing
/metadata partition for some process data, another example is mainline
modules, we are trying to make them to be able to be mounted earlier,
but cannot due to /data availability.

Bug: 312444587
Test: m
Change-Id: I7e7dae5cf8c4268d71229c770af31b5e9f071428
2024-02-14 17:56:29 +00:00
Dan Shi
b230f4f10c Merge "Revert "audio: Provide a default implementation of IHalAdapterVe..."" into main 2024-02-01 21:57:51 +00:00
Dan Shi
0ad6f6bdd6 Revert "audio: Provide a default implementation of IHalAdapterVe..."
Revert submission 2929484-fix-b-321651892-ihaladapter

Reason for revert: possible cause of b/323385784

Reverted changes: /q/submissionid:2929484-fix-b-321651892-ihaladapter

Change-Id: I9664f8f9dd6eec159be7fbf3b148a12d44cef582
2024-02-01 19:32:34 +00:00
Mikhail Naganov
c301f8ef3d Merge "audio: Provide a default implementation of IHalAdapterVendorExtension" into main 2024-02-01 16:48:06 +00:00
Mikhail Naganov
00c2fedc5a audio: Provide a default implementation of IHalAdapterVendorExtension
This service is used by the audio server for translating
between legacy string KV pairs and AIDL vendor parameters.
It resides on the system_ext partition.

Since it has to be implemented by every SoC vendor, provide
an example implementation. This example service is added
to CF and GSI system_ext. Vendors can use their own names
and policy labels, the only thing that the audio server
depends on is the AIDL interface.

There is no fuzzer for this service because the example
implementation only contains trivial code (interface
methods are stubbed out).

Bug: 321651892
Test: atest audiorouting_tests
Change-Id: I8ab922660a30ffd44772987204ac4a28c1007c66
2024-01-26 15:35:51 -08:00
Youngtae Cha
0d106f832c Merge "Setting up SELinux policy for TelephonyCofnig" into main 2024-01-26 15:37:46 +00:00
Kangping Dong
0d6679a410 [Thread] move ot-daemon socket to /dev/socket/ot-daemon
On Android, unix sockets are located in /dev/socket/ and managed by
init. This commit follows the convention for ot-daemon

Bug: 320451788
Test: verified that ot-daemon can create socket
/dev/socket/ot-daemon/thread-wpan.sock

Change-Id: I6b0fe45602bb54d6d482f5be46ddb5402bea477b
2024-01-23 00:00:01 +08:00
youngtaecha
acbcf8a0ba Setting up SELinux policy for TelephonyCofnig
Bug: 320002105
Test: Build
Change-Id: I9cab4c1fd1f4fe77ca7a1d5e94dc5911debc3a28
2024-01-13 14:59:44 +00:00
Kangping Dong
e21496b105 [Thread] move Thread settings data to APEX data dir
This commit includes two sepolicy changes:
1. change threadnetwork data file to
/data/misc/apexdata/com.android.tethering/threadnetwork
2. use apex_tethering_data_file for files under
   /data/misc/apexdata/com.android.tethering

The background is that the Thread daemon (ot_daemon) is merged into the
Tethering mainline module, which means the Tethering module now has
code running in both system_server and the standalone unprivileged
ot_daemon process. To prevent ot_daemon from accessing other
apex_system_server_data_file dirs, here use the specific
apex_tethering_data_file for both Tethering and Thread files (A
subdirectory threadnetwork/ will be created for Thread at runtime). This
is similar to apex_art_data_file and apex_virt_data_file.

Note that a file_contexts rule like
```
/data/misc/apexdata/com\.android\.tethering/threadnetwork(/.*)?  u:object_r:apex_threadnetwork_data_file:s0
```
won't work because the threadnetwork/ subdir doesn't exist before the
sepolicy rules are evaluated.

Bug: 309932508
Test: manually verified that Thread settings file can be written to
      /data/misc/apexdata/com.android.tethering/threadnetwork
Change-Id: I66539865ef388115c8e9b388b43291d8faf1f384
2024-01-03 23:01:24 +08:00
Peter Collingbourne
4912d266e1 Mount /tmp as tmpfs.
/tmp is a volatile temporary storage location for the shell user.
As with /data/local/tmp, it is owned by shell:shell and is chmod 771.

Bug: 311263616
Change-Id: Ice0229d937989b097971d9db434d5589ac2da99a
2023-12-15 16:46:46 -08:00
Yu-Ting Tseng
43cae4ea24 Revert^2 "Update uprobestats SELinux policy"
This reverts commit 5e1d7f1c85.

Reason for revert: retry with a fix to the failed tests

Test: atest art_standalone_oatdump_tests
Change-Id: I28872c643ba4ec07ef41b1f9be86036c592a6e4e
2023-12-14 17:17:18 -08:00
Yu-Ting Tseng
5e1d7f1c85 Revert "Update uprobestats SELinux policy"
This reverts commit a87a13f16c.

Reason for revert: b/316386186

Change-Id: Ia39371ee9d96c1b1fdf71d67abc7765019c4f185
2023-12-14 19:50:49 +00:00
Yu-Ting Tseng
a87a13f16c Update uprobestats SELinux policy
The changes include
- allow binder calls to ActivityManager and NativePackageManager
- allow binder calls from system server
- allow writes of statsd atoms
- allow init to start uprobestats
- permission for uprobestats config files and property
- allow execution of oatdump so it can look up code offsets
- allow scanning /proc.

Test: m selinux_policy
Change-Id: Id1864b7dac3a2c5dcd8736c4932778e36b658ce3
2023-12-13 16:49:23 -08:00
Daniel Norman
4245d0413b Allow system_server access to hidraw devices.
This allows AccessibilityManagerService in system_server to
interact with a HID-supported Braille Display.

Bug: 303522222
Test: ls -z /dev/hidraw0
Test: plat_file_contexts_test
Test: Open FileInputStream and FileOutputStream on this device
      path from AccessibilityManagerService
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:67a63cc046769759aa43cf1653f11e57c55cd1db)
Merged-In: I2982e907bd2a70c1e4e8161647d6efd65110b99c
Change-Id: I2982e907bd2a70c1e4e8161647d6efd65110b99c
2023-11-30 23:33:55 +00:00
Seungjae Yoo
d2a0892121 Introduce vendor_microdroid_file for microdroid vendor image
In AVF, virtualizationmanager checks the selinux label of given disk
image for proving whether the given image is edited maliciously.
Existing one (vendor_configs_file, /vendor/etc/*) was too wide to use for this purpose.

Bug: 285854379
Test: m
Change-Id: I6c966c92b238a2262d2eb7f41041ed4c359e9e0a
2023-11-16 16:44:15 +09:00
Inseob Kim
085f22f82d Add macros to flag-guard te and contexts files
This adds two macros which can be used in te files and contexts files.

* is_flag_enabled(flag_name, codes)
* is_flag_disabled(flag_name, codes)

Also flag-guarding requires to process input files before any
validations. Property contexts test and seapp contexts test are
modified a little to handle that.

Bug: 306563735
Test: build with manual guarding
Change-Id: Ia1c6d00b7aab0da3901c19f16d553153aace018c
2023-11-09 16:05:17 +09:00
Inseob Kim
dfa4a48b1c Don't fc_sort on platform file contexts
Sorting algorithm of fc_sort is not perfect and often causes unexpected
behaviors. We are moving from fc_sort to manual ordering of platform
file_contexts files.

In addition, this sets remove_comment as true by default, as fc_sort has
been removing comments / empty lines.

Bug: 299839280
Test: TH
Change-Id: Ic8a02b64fc70481234467a470506580d2e6efd94
2023-11-02 17:30:39 +09:00
Nate Myren
0e15f2d9c5 Add appcompat override files and contexts to SELinux
This also allows the zygote to bind mount the system properties

Bug: 291814949
Test: manual
Change-Id: Ie5540faaf3508bc2d244c952904838d56aa67434
2023-10-23 18:34:12 +00:00
Thiébaud Weksteen
3a102a13f3 Validate private/file_contexts against plat_file_contexts_test
This tests the original private/file_contexts and not the built version
(as it may contain the overlay files or asan entries). This ensures that
all the rules in the base files are used.

Another test will be later added to validate the built version (but
without requiring that all rules are used).

Bug: 299839280
Test: mm
Change-Id: I5efdde3c7f5211472cd9a0cf8def243aef640825
2023-10-23 16:10:28 +11:00
Thiébaud Weksteen
29104da749 Add test entries for /metadata/repair-mode
Bug: 299839280
Test: mm
Change-Id: I2df9a3d65d622149ea9d5df9d4a6ff1e20071cae
2023-10-23 16:10:28 +11:00
Thiébaud Weksteen
9c2a967114 Fix private/file_contexts entry order
Add test entries for property_service_for_system and virtual_camera.

Re-order file_contexts so that /data/vendor/tombstones/wifi and
/data/misc/perfetto-traces/bugreport are labelled correctly.

Bug: 299839280
Test: checkfc -t ./private/file_contexts ./contexts/plat_file_contexts_test pass
Change-Id: Ifb4453d02327b5cf678e6a4cd927b5df0960086b
2023-10-23 10:51:11 +11:00
Inseob Kim
6c6aa01ae4 Remove code about mixed sepolicy build
There is no one actively using mixed sepolicy build, and it made
sepolicy codes too complicated. As we are deprecating mixed build,
removing such code for cleanup.

Bug: 298305798
Test: boot cuttlefish
Change-Id: I8beedd5a281fa957532deecb857da4e1bb66992a
2023-08-31 16:54:17 +09:00
Jooyung Han
804e234ced Remove flatten_apex: property
We no longer have targets using flattened apexes. Flattened apexes will
be removed from the build system.

Bug: 278826656
Test: m
Change-Id: I657e01dbfd2525b07c29a234277062d5ac2fab9f
2023-06-20 15:41:05 +09:00
Inseob Kim
3bb2033eb1 Add odm_service_contexts module
Bug: 240609481
Test: build and boot
Change-Id: I5412b4a190d30490cad1bf2b9de1afd16085eb26
2022-10-24 20:41:45 +09:00
Pawan
0ecf99def5 sepolicy : Recommend fuzzers for new services
Adding soong module and tool to check if there is fuzzer present
for every service in private/service_contexts. Whenever a service is
added, it is recommended to update
$ANDROID_BUILD_TOP/system/sepolicy/soong/build/service_fuzzer_bindings.go
with service name and its corresponding fuzzer.

Test: m
Bug: 242104782
Change-Id: Id9bc45f50bebf464de7c91c7469d4bb6ff153ebd
2022-09-13 18:18:46 +00:00
Inseob Kim
79fdbeb1ce Reorganize Android.bp files and modules
Test: build and boot
Change-Id: Id8a1a2faecf37de81b91e2669f6afa4cbe91443c
2022-08-17 09:50:22 +09:00
Inseob Kim
c7596c4e61 Build vndservice_contexts with Android.bp
Bug: 33691272
Test: boot a device which uses vndservice_contexts
Change-Id: I28c36b74d4176954099f3b7e80a4869b7c44640f
2022-03-02 17:26:44 +09:00
Inseob Kim
61257ca545 Move sepolicy_test to Android.bp
Bug: 33691272
Test: m selinux_policy triggers sepolicy_test
Change-Id: I1618c2a35b3ce9d747db3955788427dc422fd532
2022-03-02 17:25:52 +09:00