Commit graph

6420 commits

Author SHA1 Message Date
Satoshi Niwa
e4a575f79b Fix a sepolicy violation error for hal_wifi
set_prop(hal_wifi, wifi_hal_prop) violates a neverallow rule
on PRODUCT_SHIPPING_API_LEVEL=28 b/173611344#comment20

Bug: 173611344
Test: m
Change-Id: I56ff953e196777ffdc7a8ca92bcf788e3431aaac
2020-11-25 10:24:41 +09:00
Suren Baghdasaryan
37f1a137b6 Add rules for per-API level task profiles and cgroup description files
Define access rights to new per-API level task profiles and cgroup
description files under /etc/task_profiles/.

Bug: 172066799
Test: boot with per-API task profiles
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I04c9929fdffe33a9fc82d431a53f47630f9dcfc3
2020-11-23 09:30:26 -08:00
David Anderson
09bb944221 Add sepolicy for starting the snapuserd daemon through init.
Restrict access to controlling snapuserd via ctl properties. Allow
update_engine to control snapuserd, and connect/write to its socket.

update_engine needs this access so it can create the appropriate dm-user
device (which sends queries to snapuserd), which is then used to build
the update snapshot.

This also fixes a bug where /dev/dm-user was not properly labelled. As a
result, snapuserd and update_engine have been granted r_dir_perms to
dm_user_device.

Bug: 168554689
Test: full ota with VABC enabled
Change-Id: I1f65ba9f16a83fe3e8ed41a594421939a256aec0
2020-11-19 21:03:30 +00:00
Inseob Kim
5d6020d9f5 Merge "Add contexts for sqlite debug properties" 2020-11-19 08:34:58 +00:00
Suren Baghdasaryan
d0753735aa Enable read access to cgroups.json from shell
VTS tests require access to cgroups.json system and vendor files. Enable
read access to these files from shell.

Bug: 172868075
Test: vts_processgroup_validate_test
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I16ad13729e10c4e033499351761b163cad7cef34
2020-11-18 18:36:29 +00:00
Inseob Kim
0cef0fe5ac Add contexts for sqlite debug properties
These are read by some apps, but don't have any corresponding property
contexts. This adds a new context as we're going to remove default_prop
access.

Bug: 173360450
Test: no sepolicy denials
Change-Id: I9be28d8e641eb6380d080150bee785a3cc304ef4
2020-11-18 12:14:20 +09:00
Alistair Delva
98825d35cb Allow dumpstate to dump face/fingerprint/gnss HALs
Seen with "adb bugreport" on cuttlefish:

avc: denied { call } for scontext=u:r:dumpstate:s0
  tcontext=u:r:hal_face_default:s0 tclass=binder permissive=0
avc: denied { call } for scontext=u:r:dumpstate:s0
  tcontext=u:r:hal_fingerprint_default:s0 tclass=binder permissive=0
avc: denied { call } for scontext=u:r:dumpstate:s0
  tcontext=u:r:hal_gnss_default:s0 tclass=binder permissive=0

Fix it like aosp/1313514

Bug: 170070222
Change-Id: I1c2d6fc0130ef3ee87662d23de0ee031fb60cbec
2020-11-16 13:52:05 -08:00
Florian Mayer
b23d38c7a0 Merge "userdebug_or_eng: allow traced_perf to read kallsyms." 2020-11-13 10:02:27 +00:00
Alan Stokes
3f686e323c Merge "Exempt app_data_file_type from neverallow rules." 2020-11-13 09:49:55 +00:00
Roshan Pius
e97cb76018 Merge "sepolicy(hal_wifi): Allow wifi HAL to access persist.vendor.debug properties" 2020-11-13 08:11:40 +00:00
Roshan Pius
a5a81002c8 sepolicy(hal_wifi): Allow wifi HAL to access persist.vendor.debug properties
We want to tweak some device params at runtime via shell (alleviates the
need to recompile the HAL for changing device configuration). This will help
us test/teamfood a couple of new features under development.

Bug: 173044646
Test: Wifi HAL can read persist.vendor.debug.wifi properties.
Change-Id: Iabd07e72aa5f0d97519a37d0ebb1e0a3458b6d06
2020-11-12 18:22:47 -08:00
Inseob Kim
8eae0aa1fb Merge "Add context for ro.product.property_source_order" 2020-11-13 00:49:15 +00:00
Florian Mayer
167407dc47 userdebug_or_eng: allow traced_perf to read kallsyms.
This tracing daemon interfaces with perf_events, and is used for
callstack sampling. Currently, we only handle userspace stacks. We
have the ability to collect kernel frame addresses (as unwound
by the kernel itself), but need /proc/kallsyms to symbolize them.

This patch mirrors what was done for traced_probes (ftrace event
kptr symbolization) in aosp/1455337 - the daemon can set a sysprop
that causes "init" to temporarily relax kptr_restrict, then the daemon
can open and read /proc/kallsyms. After the file is parsed, the
kptr_restrict value is restored.

To reiterate, this is confined to userdebug_or_eng due to the reasons
outlined in go/perfetto-kallsyms.

Bug: 173124818
Change-Id: I9077bbfe6fea3318f4c37947a5c455061ca43d8d
2020-11-12 20:04:40 +00:00
Alan Stokes
668e74f6f4 Exempt app_data_file_type from neverallow rules.
We need to be able to access app data files from core domains such as
installd even for vendor apps. Those file types should not be
core_data_file_type, so we explicitly exempt app_data_file_type as
well as core_data_file_type from the relevant neverallows.

To prevent misuse of the attribute, add a test to check it is not
applied to anything in file_contexts. Exempt the existing violators in
system policy for now.

Test: Builds
Test: Adding a type with just "file_type, data_file_type, app_data_file_type" works
Test: New test successfully catches violators.
Bug: 171795911
Change-Id: I07bf3ec3db615f8b7a33d8235da5e6d8e2508975
2020-11-12 18:08:18 +00:00
Inseob Kim
9985566221 Add context for ro.product.property_source_order
Any partition should be able to write this property with build.prop.
This adds a new context for ro.product.property_source_order so it can
be set from any build.prop, e.g. vendor/build.prop, product/build.prop,
etc.

Bug: 172459064
Test: PRODUCT_VENDOR_PROPERTIES can set this property
Change-Id: Ibf85a4ad02d8454f621428b271e8e298067aa126
2020-11-12 22:21:51 +09:00
Alan Stokes
f8ad33985d Introduce app_data_file_type attribute.
This gives us an easy way for the policy to refer to all existing or
future types used for app private data files in type= assignments in
seapp_contexts.

Apply the label to all the existing types, then refactor rules to use
the new attribute.

This is intended as a pure refactoring, except that:
- Some neverallow rules are extended to cover types they previously
  omitted;
- We allow iorap_inode2filename limited access to shell_data_file and
  nfc_data_file;
- We allow zygote limited access to system_app_data_file.

This mostly reverts the revert in commit
b01e1d97bf, restoring commit
27e0c740f1. Changes to check_seapp to
enforce use of app_data_file_type are omitted, to be included in a
following CL.

Test: Presubmits
Bug: 171795911
Change-Id: I02b31e7b3d5634c94763387284b5a154fe5b71b4
2020-11-11 14:43:36 +00:00
Alex Hong
906c724514 Allow dumpstate to read proc_pid_max and access profcollectd via binder
Now running ps requires the read permission for /proc/sys/kernel/pid_max.
Also, grant the binder_call permission for recently added profcollectd.

Bug: 170070222
Change-Id: I5bc0f89a0538091de40647777ff6bf47f47dc066
2020-11-10 09:53:41 +00:00
Josh Gao
1fcd3d9e8c Merge "Let adbd set service.adb.tcp.port." 2020-11-10 00:32:25 +00:00
Hai Zhang
a97a3665fb Add TCSETSF to unpriv_tty_ioctls.
This allows calling tcsetattr() with TCSAFLUSH, in addition to TCSANOW
and TCSADRAIN.

Fixes: 172740382
Test: manual
Change-Id: Idd2e9e0db2e0210df515f46d9d0323c6b517dd39
2020-11-09 00:19:01 +00:00
Josh Gao
0cac6fd17a Let adbd set service.adb.tcp.port.
Commit 67c36884 changed the label of service.adb.tcp.port to allow
vendor init to set it, but accidentally prevented adbd from setting it,
which broke `adb tcpip`.

Bug: http://b/171280882
Test: `adb tcpip`
Change-Id: I154e2f43a4d3b72b27508ce02d66298673939738
2020-11-06 13:08:04 -08:00
Michael Sun
dd92be8271 Merge "Update to support split SystemSuspend AIDL interfaces" 2020-11-06 17:35:58 +00:00
Florian Mayer
12376168b4 New type for printk_formats, allow traced_probes.
Test: ls -lZ /sys/kernel/tracing/printk_formats
      [...] u:object_r:debugfs_tracing_printk_formats:s0 [...]

Test: setenforce 0;
      runcon u:r:system_server:s0 cat /sys/kernel/tracing/printk_formats
      logcat complains about /sys/kernel/tracing/printk_formats

Test: setenforce 0;
      runcon u:r:traced_probes:s0 cat /sys/kernel/tracing/printk_formats
      logcat does not complain about /sys/kernel/tracing/printk_formats

(need to setenforce 0, because otherwise the exec of ls is denied).

Bug: 70292203
Change-Id: I15ddef686f979c59daaba5263fa99aca3cd139e5
2020-11-05 12:55:50 +00:00
Michael Sun
6445f190e8 Update to support split SystemSuspend AIDL interfaces
The suspend_control_aidl_interface is updated, renamed, and split
into android.system.suspend.control and
android.system.suspend.control.internal. This resulted in two suspend
services; update sepolicy to support this change.

Test: m
Bug: 171598743
Change-Id: I695bde405672af834fe662242347e62079f2e25f
2020-11-02 23:54:21 +00:00
Hayden Gomes
0b5171df39 Merge "Adding support for AIDL AudioControl HAL" 2020-10-30 14:21:10 +00:00
Hayden Gomes
bf08517f2c Adding support for AIDL AudioControl HAL
Bug: 170335834
Test: built and ran without sepolicy issues
Change-Id: Ia25b82aaf676fd2bd37e60bc0d2960f398fa3c90
2020-10-29 10:56:23 -07:00
Alan Stokes
8e307e0847 Merge "Make kmsg_device mlstrustedobject." 2020-10-28 11:20:20 +00:00
Alan Stokes
a0518b7fdb Make kmsg_device mlstrustedobject.
Few domains are granted access to this, but they should have access
from any user.

Also add some neverallows to prevent misuse.

Bug: 170622707
Test: presubmits
Change-Id: Iacbe7b0525604f2339f8bf31c105af738bc3cd75
2020-10-28 09:41:07 +00:00
David Anderson
45ac6e8400 Merge "Add sepolicy for dm-user devices and the snapuserd daemon." 2020-10-27 16:39:14 +00:00
David Anderson
fe30369efb Add sepolicy for dm-user devices and the snapuserd daemon.
dm-user is a new device-mapper module, providing a FUSE-like service for
block devices. It creates control nodes as misc devices under
/dev/dm-user/. Make sure these nodes get a unique selabel.

snapuserd is a daemon for servicing requests from dm-user. It is a
low-level component of Virtual A/B updates, and provides the bridge
between dm-snapshot and the new COW format. For this reason it needs
read/write access to device-mapper devices.

Bug: 168259959
Test: ctl.start snapuserd, no denials
      vts_libsnapshot_test, no denials
Change-Id: I36858a23941767f6127d6fbb9e6755c68b91ad31
2020-10-26 23:23:01 -07:00
Woody Lin
8633462d85 Add zygote.critical_window.minute property
This property controls the minimal timing window that triggers an init
process fatal abort when the zygote service crashes repeatedly within it.

Bug: 146818493
Change-Id: Ibd371be0daf6510df8b4d1a1f12f0aab8d6392c7
2020-10-27 01:33:49 +08:00
Yo Chiang
6273186e0f Merge "Allow gsid to find and binder-call vold" 2020-10-26 05:27:36 +00:00
Yo Chiang
453c55057b Merge "Add secdiscard policies for vold_metadata_file" 2020-10-26 05:27:36 +00:00
Primiano Tucci
f1fa1b9114 Merge "Allow tracing service to access kallsyms on userdebug" 2020-10-23 18:03:30 +00:00
Primiano Tucci
cd452300a7 Allow tracing service to access kallsyms on userdebug
This CL allows the traced_probes service to temporarily
lower kptr_restrict and read /proc/kallsyms.
This is allowed only on userdebug/eng builds.
The lowering of kptr_restrict is done via an init
property because the kernel checks that the kptr_restrict
writer is CAP_SYS_ADMIN, regardless of the /proc file ACLs [1].

[1] 4cbffc461e/kernel/sysctl.c (L2254)

Bug: 136133013
Design doc: go/perfetto-kallsyms
Test: perfetto_integrationtests --gtest_filter=PerfettoTest.KernelAddressSymbolization in r.android.com/1454882

Change-Id: Ic06e7a9a74c0f3e42fa63f7f41decc385c9fea2c
2020-10-23 14:03:08 +01:00
Yo Chiang
ffe786ebd7 Allow gsid to find and binder-call vold
Bug: 168571434
Test: 1. Install a DSU system.
  2. Boot the DSU system and reboot back to the host system.
  3. Wipe the DSU installation.
  4. DSU metadata key dir /metadata/vold/metadata_encryption/dsu/dsu is
     destroyed.
Change-Id: I229a02abb7bd1f070bb078bdaf89fb27cc4bfa47
2020-10-23 20:30:00 +08:00
Steven Moreland
7c794ba51d Merge "untrusted_apps: AIDL vendor service parity w/ HIDL" 2020-10-22 23:08:09 +00:00
Steven Moreland
a43e26e3f2 untrusted_apps: AIDL vendor service parity w/ HIDL
Before, we completely disallowed any untrusted app from accessing a service
operated by vendor. However, sometimes this is needed in order to
implement platform APIs. So now, vendor services which aren't explicitly
marked as 'protected_service' (like protected_hwservice in HIDL) are
blocked from being used by apps. This gives everyone a mechanism for
apps to directly access vendor services, when appropriate.

For instance:

                        VINTF
                          |
        vendor.img/etc    |   system.img/etc
                          |
 (vendor HAL) <----AIDL---|--> (public lib   <-- loaded by app
                          |     or platform
                          |     component)
                          |
                          |

Fixes: 163478173
Test: neverallow compiles
Change-Id: Ie2ccbff4691eafdd226e66bd9f1544be1091ae11
2020-10-21 22:33:42 +00:00
Treehugger Robot
c1eb80e302 Merge "init: allow LOOP_GET_STATUS ioctl on loop device" 2020-10-21 19:03:38 +00:00
Jeff Vander Stoep
2442019061 init: allow LOOP_GET_STATUS ioctl on loop device
This is needed here:
https://android.googlesource.com/platform/system/core/+/refs/heads/master/init/builtins.cpp#494

Bug: 170934466
Test: TH
Change-Id: I8e6d06cae42d68182e9cca29723f0b16ff413b7c
2020-10-21 11:22:58 +02:00
Treehugger Robot
cc9cfa92c1 Merge "Add SEpolicy for VcnManagementService" 2020-10-21 00:54:35 +00:00
Treehugger Robot
21961caeff Merge "Enforce sysprop owner" 2020-10-21 00:26:34 +00:00
Maciej Żenczykowski
159c6e13dc public/file.te: add 'allow proc_net proc:filesystem associate'
Per http://cs/aosp-master/system/sepolicy/private/genfs_contexts?l=21

  genfscon proc /net u:object_r:proc_net:s0

/proc/net/... portion of proc should be 'proc_net' not the default of 'proc'

For example on a bonito:
  $ adbb shell ls -alZd /proc /proc/net/xt_quota
  dr-xr-xr-x 757 root root u:object_r:proc:s0      0 1969-12-31 16:00 /proc
  dr-xr-xr-x   2 root root u:object_r:proc_net:s0  0 2020-10-20 11:02 /proc/net/xt_quota

This already mostly works, but occasionally on 4.19 devices we see
(apparently spurious) denials (my gut feeling is kernel behaviour
changed and/or is racy):

[   37.434457] type=1400 audit(1574821413.359:2102): avc: denied { associate } for comm="Binder:762_1" name="globalAlert" scontext=u:object_r:proc_net:s0 tcontext=u:object_r:proc:s0 tclass=filesystem permissive=1

Presumably caused by a binder rpc into netd:
  http://cs/aosp-master/system/netd/server/BandwidthController.cpp?l=635&rcl=cdd79f13c670605819333de2d7b67d7f8a42210c

Things seem to work anyway, presumably because eventually it does somehow
get set to 'proc_net' anyway...

This patch will allow the removal of:
    allow proc_net proc:filesystem { associate };
and
    dontaudit proc_net proc:filesystem associate;
from device specific configs.

Bug: 145579144
Bug: 170265025
Test: treehugger will
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I46294d8b1526e846a5eddb350adf51c76634b8f1
2020-10-20 18:25:39 +00:00
Treehugger Robot
913868c19d Merge "Added system_server_dumper service." 2020-10-20 17:46:13 +00:00
Treehugger Robot
766ad4462a Merge "Revert "Prevent isolated_app from searching system_data_file."" 2020-10-20 10:06:54 +00:00
Felipe Leme
e418956ae3 Added system_server_dumper service.
It will be used to dump system_server data that is not associated
with any service.

Test: adb shell dumpsys system_server
Bug: 163921395

Change-Id: I5719f7cd3a9022dc0ab12a3b3b22487e2b4866e0
2020-10-19 21:27:06 -07:00
Inseob Kim
afc09932f6 Enforce sysprop owner
Every property should have an appropriate owner attribute, which can be
one of: system_property_type, product_property_type, or
vendor_property_type. This will be enforced for devices launching with S
or later. Devices launching with R or earlier can relax this by setting the
following under BoardConfig.mk:

BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true

Bug: 131162102
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I7914ef1b7463c9ec00812b9720094531fd63f0c7
2020-10-19 05:07:05 +00:00
Treehugger Robot
d06cdd66d5 Merge "Allow people service to publish apis" 2020-10-16 22:46:28 +00:00
Treehugger Robot
b178fe826c Merge changes from topic "ramdisk_timestamp_runtime_load"
* changes:
  Add ro.bootimage.* property contexts
  Add /second_stage_resources tmpfs.
2020-10-16 19:23:08 +00:00
Julia Reynolds
859e5a3093 Allow people service to publish apis
Test: IPeopleManager.Stub.asInterface(ServiceManager.getService(Context.PEOPLE_SERVICE)) is
not null when called from another process
Bug: 169783793

Change-Id: I280568955c50f9deef0a35ad1b9864ffc0a82db4
2020-10-16 19:22:33 +00:00
Jack Yu
dd5c5d7960 Merge "Add sepolicy to allow read/write nfc snoop log data" 2020-10-16 07:56:10 +00:00