Contexts must have this permission to fetch remotely provisioned
attestation key blobs. It is expected that only credstore will have
this permission.
Test: manual, build and run cuttlefish
Bug: 194696876
Change-Id: Ieebd552129bc8be6b8831ec2e38eb6bda522b216
Since the clatd has some code cleanup, these privs are not required
anymore.
Bug: 212345928
Test: manual test
1. Connect to ipv6-only wifi.
2. Try IPv4 traffic.
$ ping 8.8.8.8
Change-Id: Ib801a190f9c14ee488bc77a43ac59c78c44773ab
simpleperf_boot is the secontext used to run simpleperf from init,
to generate boot-time profiles.
Bug: 214731005
Test: run simpleperf manually
Change-Id: I6f37515681f4963faf84cb1059a8d5845c2fe5a5
Allow rules in public/*.te can only reference types defined in
public/*.te files. This can be quite cumbersome in cases a rule needs to
be updated to reference a type that is only defined in private/*.te.
This change moves all the allow rules from public/app.te to
private/app.te to make it possible to reference private types in the
allow rules.
Bug: 211761016
Test: m
Test: presubmit
Change-Id: I0c4a3f1ef568bbfdfb2176869fcd92ee648617fa
Merged-In: I0c4a3f1ef568bbfdfb2176869fcd92ee648617fa
This is required for listing all key aliases of other APP domains' keys
in order to migrate keys on behalf of the updated app by PMS.
Test: builds
Bug: 211665859
Change-Id: I541fb81e6186288a1e852ce60882651f838e36dc
The logd binder service is on logd side.
The logcat binder service is on system_server side.
These two binder services facilitate the binder RPC
between logd and system_server.
Bug: 197901557
Test: manual
Change-Id: I5f08bbb44a88dc72302331ab11c7d54f94db16ac
We run it in our domain since it requires fairly minimal access.
Bug: 210472252
Test: atest virtualizationservice_device_test
Test: composd_cmd test-compile
Change-Id: Ia770cd38bda67f79f56549331d3a36d7979a5d5b
If the directory is non-empty when we start we need to delete
everything in it, but didn't have enough access:
avc: denied { getattr } for
path="/data/misc/apexdata/com.android.art/staging/boot-framework.art"
dev="dm-37" ino=57755 scontext=u:r:composd:s0
tcontext=u:object_r:apex_art_staging_data_file:s0 tclass=file
permissive=0
Bug: 205750213
Test: create files in staging/, composd_cmd test-compile
Change-Id: I3a66db7f5fbff82abcf547cb1c2b24e9c53ab158
Credit to Himanshu Agrawal <quic_hagraw@quicinc.com> for this fix.
Like we do with cgroup_v2, we set attribute permission to cgroup
as well.
Test: On a Go device, which uses cgroup instead of cgroup_v2
Bug: 211037424
Change-Id: I5d58c9f549d205f1a8bdce6c5fba1cc833f2b492
Merged-In: I5d58c9f549d205f1a8bdce6c5fba1cc833f2b492
Credit to Himanshu Agrawal <quic_hagraw@quicinc.com> for this fix.
Like we do with cgroup_v2, we set attribute permission to cgroup
as well.
Test: On a Go device, which uses cgroup instead of cgroup_v2
Bug: 209933729
Change-Id: I5d58c9f549d205f1a8bdce6c5fba1cc833f2b492
IR interface is converted to AIDL and this contains the necessary
permissions for the default service to serve the interface.
Test: atest VtsHalIrTargetTest hal_implementation_test
Test: check for permission issues after tests
Bug: 205000342
Change-Id: I8d9d81d957bf6ef3c6d815ce089549f8f5337555
We need to remove any existing files (and the directory) to allow
odrefresh in the VM to re-create them via authfs.
But we don't need, and shouldn't have, any other access to them.
Bug: 210460516
Test: composd_cmd async-odrefresh
Change-Id: Iaafe33934146a6b8dda7c28cc1239c2eed167379
This should be read-only and corresponds to apexd.payload_metadata.path
Bug: 191097666
Test: android-sh -c 'setprop apexd.payload_metadata.path'
See permission denied
atest MicrodroidHostTestCases
Change-Id: Ifcb7da1266769895974d4fef86139bad5891a4ec
Added Bluetooth sysprop to be able to remove calls to
SystemProperty.set in Bluetooth module.
Tag: #feature
Bug: 197210455
Test: set/get sysprop with SystemProperties
Merged-In: I8070a493fa082ddaa16cd793ed25ad99971950c0
Change-Id: Ia390bd8b3bb064fcae252edb6307e26f07bd53e7
Bug: 209713977
Bug: 193467627
Test: local build and manual check.
Signed-off-by: Super Liu <supercjliu@google.com>
Change-Id: Ib1d2d6dcc7d6ddc6243c806a883d9252d7c081af
Previously this was always done by odrefresh. But now we are running
odrefresh in the VM we need to allow FD server to do it as its proxy.
Bug: 209572241
Bug: 209572296
Test: composd_cmd forced-oderefresh
Change-Id: I4bc10d6a3ec73789721a0541f04dd7e3865fe826
Don't need these permission anymore because the raw and packet
socket setup are moved from clatd to netd.
Test: manual test
1. Connect to ipv6-only wifi.
2. Try IPv4 traffic.
$ ping 8.8.8.8
Change-Id: I07d890df2d1b8d9c1736aa5e6dc36add4f46345b
Needed because the raw and packet socket setup are moved from
clatd to netd. Netd pass the configured raw and packet sockets
to clatd. clatd needs the permission to access inherited
objects.
Test: manual test
1. Connect to ipv6-only wifi.
2. Try IPv4 traffic.
$ ping 8.8.8.8
Test:
Change-Id: If6479f815a37f56715d7650c714202fcc1ec466b
Update policy for new system service, used for Apps to present the
toolbar UI.
Bug: 190030331
Bug: 205822301
Test: manual. Can boot to home and get manager successfully.
Change-Id: Iee88681a93ae272a90896ccd2a6b64c26c809e82
Add selinux policy for AIDL Vehicel HAL service.
This CL mostly follows https://android-review.googlesource.com/c/platform/system/sepolicy/+/1541205/.
Test: Manually test on emulator, verify AIDL VHAL service is up and
accessible by client.
Bug: 209718034
Change-Id: Icad92e357dacea681b8539f6ebe6110a8ca8b357
This is the context when health HAL runs in offline
charging mode.
This has the same permissions as the health HAL, but
is also able to do charger specific things.
Also restrict neverallow rules in charger_type.
Test: manual in offline charging mode
Bug: 203246116
Change-Id: I6034853c113dff95b26461153501ad0528d10279
Besides the basic execution that is similar to the (deprecating)
odrefresh case, fd_server also needs to be able to create and change
files in the output directory.
Bug: 205750213
Test: /apex/com.android.compos/bin/composd_cmd forced-odrefresh
# Saw composd started the fd_server and the VM
Change-Id: Ia66015b72c4bd232c623604be326c7d7145c0a38
The FUSE daemon in MediaProvider needs to access the file descriptor of
its pinned BPF program and the maps used to commuicate with the kernel.
Bug: 202785178
Test: adb logcat FuseDaemon:V \*:S (in git_master)
Ignore-AOSP-First: mirroring AOSP for prototyping
Signed-off-by: Alessio Balsini <balsini@google.com>
Change-Id: I99d641658d37fb765ecc5d5c0113962f134ee1ae
composd in responsible to prepare the staging directory for odrefresh
(in the VM) to write the output to. Temporary output should be put in a
staged directory with a temporary apex_art_staging_data_file context.
When a compilation is finished, the files can then be moved to the final
directory with the final context.
Bug: 205750213
Test: No denials
Change-Id: I9444470b31518242c1bb84fc755819d459d21d68
Only ro.zygote is currently used, though we'll need to a few others of
the same property context.
Bug: 205750213
Test: composd_cmd forced-odrefresh # less SELinux denial
Change-Id: I2efbbc1637142f522a66c47bdd17471c4bde227a
Treble doesn't support T system + O vendor, so removing 26.0 (N) and
27.0 (O) prebuilts and compat files.
Bug: 207815515
Test: build
Change-Id: I98d5972221a8e77f3c45fc48ff50bb2b8eb94275
Steps taken to produce the mapping files:
1. Add prebuilts/api/32.0/plat_pub_versioned.cil from the
/vendor/etc/selinux/plat_pub_versioned.cil file built on sc-v2-dev with
lunch target aosp_arm64-eng. Add prebuilts/api/32.0/vendor_sepolicy.cil
as an empty file.
When adding plat_pub_versioned.cil, leave only type and typeattribute
statements, removing the other statements: allow, neverallow, role, etc.
2. Add new file private/compat/32.0/32.0.cil by doing the following:
- copy /system/etc/selinux/mapping/32.0.cil from sc-v2-dev
aosp_arm64-eng device to private/compat/32.0/32.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 32 sepolicy.
Find all such types using treble_sepolicy_tests_32.0 test.
- for all these types figure out where to map them by looking at
31.0.[ignore.]cil files and add approprite entries to 32.0.[ignore.]cil.
This change also enables treble_sepolicy_tests_32.0 and installs
32.0.cil mapping file onto the device.
Bug: 206330997
Test: m treble_sepolicy_tests_32.0
Test: m 32.0_compat_test
Test: m selinux_policy
Change-Id: I8b2991e64e2f531ce12db7aaacad955e4e8ed687
logd.ready is a system property that logd sets when it is ready to
serve incoming socket requests for reading and writing logs. Clients of
logd (e.g. logcat) can use this to synchronize with logd, otherwise they
may experience a crash due to the refused socket connection to logd when
they are started before logd is ready.
Bug: 206826522
Test: run microdroid. see logcat logs are shown immediately
Change-Id: Iee13485b0f4c2beda9bc8434f514c4e32e119492
Currently BetterBug (privileged app) cannot access the details form
/data/misc/wmtrace.
Test: access a trace from /data/misc/wmtrace/ in betterbug
Change-Id: I4cf864ab4729e85f05df8f9e601a75ff8b92bdc8
Overlayfs product/overlay in init first stage is allowed in AndroidS.
product/overlay directory contains RRO apks, it is plausible to allow
dumpstate to access it since dumpstate will call df command.
Or there will be an avc denial:
01-01 07:09:37.234 13582 13582 W df : type=1400 audit(0.0:1717): avc: denied { getattr } for path="/product/overlay"
dev="overlay" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_overlay_file:s0 tclass=dir permissive=0
Actually, it is more reasonable to set /product/overlay to u:object_r:system_file:s0 since
there already had definiitions releated to /product/overlay
/mnt/scratch/overlay/(system|product)/upper u:object_r:system_file:s0
/(product|system/product)/vendor_overlay/[0-9]+/.* u:object_r:vendor_file:s0
Bug: https://b.corp.google.com/u/0/issues/186342252
Signed-off-by: sunliang <sunliang@oppo.com>
Change-Id: I493fab20b5530c6094bd80767a24f3250d7117a8
Needed because the packet socket setup has been moved from clatd
to netd.
Test: manual test
1. Connect to ipv6-only wifi.
2. Try IPv4 traffic.
$ ping 8.8.8.8
Change-Id: If6c3ba70cd7b3a44a31b8deab088303c22838da8
This seems like an oversight when system_server_startup was
introduced (commit caf42d615d).
Test: Presubmits
Change-Id: Ia371caa8dfc2c250d6ca6f571cf002e25703e793
- Add hal_dumpstate_service AIDL service to hal_dumpstate.te,
service.te
- Add default example hal_dumpstate service to file_contexts,
service_contexts
- Adde hal_dumpstate_service to API level 31 compatibility
ignore list (31.0.ignore.cil)
Bug: 205760700
Test: VtsHalDumpstateTargetTest, dumpstate, dumpstate_test, dumpsys
Change-Id: If49fa16ac5ab1d3a1930bb800d530cbd32c5dec1
Add badge for gsm.operator.iso-country and gsm.sim.operator.iso-country.
Test: Manual test
Bug: 205807505
Ignore-AOSP-First: already merged in AOSP; this is a reland
Change-Id: If4f399cd97b2297094ef9431450f29e0a91e5300
Merged-In: If4f399cd97b2297094ef9431450f29e0a91e5300
Add badge for gsm.operator.iso-country and gsm.sim.operator.iso-country.
Test: Manual test
Bug: 205807505
Change-Id: If4f399cd97b2297094ef9431450f29e0a91e5300
system_ext_userdebug_plat_sepolicy.cil is a copy of
userdebug_plat_sepolicy.cil (debug_ramdisk) that's installed in the
system_ext partition.
The build rule is gated by a BoardConfig variable, so products other
than GSI cannot accidentally install this module.
*Unclean cherry-pick* prebuilts/api/32.0/private/file_contexts is
updated in this change, which is not in the original change.
Bug: 188067818
Test: Flash RQ2A.201207.001 bramble-user with debug ramdisk & flash
gsi_arm64-user from master, device can boot and `adb root` works
Change-Id: I43adc6adad5e08dcc8e106d18fdacef962310883
Merged-In: I43adc6adad5e08dcc8e106d18fdacef962310883
(cherry picked from commit 814f3deb94)
This relaxes the neverallow so that it is possible to write a new
SELinux allow for system_server to read /dev/block/vd*. It still isn't
possible unless a vendor enables it.
Bug: 196965847
Test: m -j
local_test_runner arc.Boot.vm
Change-Id: Idad79284778cf02066ff0b982480082828f24e19
Steps taken to produce the mapping files:
1. Add prebuilts/api/31.0/plat_pub_versioned.cil from the
/vendor/etc/selinux/plat_pub_versioned.cil file built on sc-dev with
lunch target aosp_arm64-eng. Add prebuilts/api/31.0/vendor_sepolicy.cil
as an empty file.
2. Add new file private/compat/31.0/31.0.cil by doing the following:
- copy /system/etc/selinux/mapping/31.0.cil from sc-dev aosp_arm64-eng
device to private/compat/31.0/31.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 31 sepolicy.
Find all such types using treble_sepolicy_tests_31.0 test.
- for all these types figure out where to map them by looking at
30.0.[ignore.]cil files and add approprite entries to 31.0.[ignore.]cil.
This change also enables treble_sepolicy_tests_31.0 and installs
31.0.cil mapping file onto the device.
Bug: 189161483
Bug: 207344718
Test: m treble_sepolicy_tests_31.0
Test: m 31.0_compat_test
Test: m selinux_policy
Change-Id: I6264b9cf77b80543dfea93157b45b864157e2b14
Merged-In: I6264b9cf77b80543dfea93157b45b864157e2b14
(cherry picked from commit 4f20ff73ee)
They are served by the same process but have different clients:
- the main interface is exposed to system server;
- the internal interface is called by odrefresh when spawned by composd.
Test: compos_cmd forced-compile-test
Bug: 199147668
Change-Id: Ie1561b7700cf633d7d5c8df68ff58797a8d8bced
New type added in sepolicy to restrict Vendor defined uuid mapping
config file access to SecureElement.
Bug: b/180639372
Test: Run OMAPI CTS and VTS tests
Change-Id: I81d715fa5d5a72c893c529eb542ce62747afcd03
Label defined for OMAPI Vendor Stable Interface
Bug: b/180639372
Test: Run OMAPI CTS and VTS tests
Change-Id: Ifa67a22c85ffb38cb377a6e347b0e1f18af1d0f8
This is to make the SafetyCenterManager usable in CTS tests.
Test: SafetyCenterManager CTS test in ag/16284943
Bug: 203098016
Change-Id: I28a42da32f1f7f93c45294c7e984e6d1fd2cdd8d
Context about this is on ag/16182563.
Test: Ensure no build failures, ensure no SecurityException on boot when
SafetyCenterService is added as boot phase
Bug: 203098016
Change-Id: I4c20980301a3d0f53e6d8cba0b56ae0992833c30
Bug: 202785178
Test: Along with rest of topic, file
/sys/fs/bpf/prog_fuse_media_fuse_media
appears on boot with fuse-bpf in kernel
Merged-In: Ibccdf177c75fef0314c86319be3f0b0f249ce59d
Change-Id: Ibccdf177c75fef0314c86319be3f0b0f249ce59d
This change adds a permission migrate_any_key that will help the system
server in migrating keys for an app that wants to leave a sharedUserId.
Bug: 179284822
Test: compiles
Change-Id: I2f35a1335092e69f5b3e346e2e27284e1ec595ec
Also allow composd to kill odrefresh (it execs it); this is necessary
for cancel() to work.
Bug: 199147668
Test: manual
Change-Id: I233cac50240130da2f4e99f452697c1162c10c40
Revert "Adds multi_install_skip_symbol_files field (default fals..."
Revert submission 1869814-vapex-multi-config
Bug: 206551398
Reason for revert: DroidMonitor-triggered revert due to breakage https://android-build.googleplex.com/builds/tests/view?invocationId=I55600009996329947&testResultId=TR93527797572038984, bug b/206551398
Reverted Changes:
I0cd9d748d:Adds multi_install_skip_symbol_files field (defaul...
I5912a18e3:Demonstrate multi-installed APEXes.
I0e6881e3a:Load persist props before starting apexd.
I932442ade:Adds a new prop context for choosing between multi...
I754ecc3f7:Allow users to choose between multi-installed vend...
Change-Id: I087bfe0dcf8d6ab38d861b82196bac4e9147e8e6
Access denial of Apexd would cause runtime abort and the
bootchart is not working on Android 12:
...
F nativeloader: Error finding namespace of apex: no namespace called com_android_art
F zygote64: runtime.cc:669] Runtime aborting...
F zygote64: runtime.cc:669] Dumping all threads without mutator lock held
F zygote64: runtime.cc:669] All threads:
F zygote64: runtime.cc:669] DALVIK THREADS (1):
F zygote64: runtime.cc:669] "main" prio=10 tid=1 Runnable (still starting up)
F zygote64: runtime.cc:669] | group="" sCount=0 ucsCount=0 flags=0 obj=0x0 self=0xb4000072de0f4010
...
Bug: 205880718
Test: bootchart test.
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Change-Id: Ia7d166605cd0b58849cb44d9a16dc3c73e1d4353
Grant system_server and flags_health_check permission to set the
properties that correspond to the AVF experiments.
Bug: 192819132
Test: m
Change-Id: I0e6fa73187abb4412d07ecfd42c1074b8afa5346
Test: ran on flame with ipv6 only wifi network
Bug: 144642337
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I5610b5e446ed1f2288edb12c665a5bddd69d6dae
This is the selinux changes required to create
StatsBootstrapAtomService, a lightweight proxy service in system server
to allow processes in the bootstrap namespace to log atoms to statsd.
Test: statsbootstrap is successfully published
Bug: 204889815
Change-Id: I5e44f7a65b98b8eebd8da6d35ae6094ce5e177f2
This patch adds some ioctls for odex/vdex files.
Bug: 205257122
Test: Manual. Code runs.
Signed-off-by: Ken Bian <kenjc.bian@rock-chips.com>
Change-Id: Ibf7890f0910ed04e0355bef9c0bfb21b406fb7eb
rss_stat will be throttled using histogram triggers and synthetic trace
events. Add genfs context labels for the synthetic tracefs files.
Bug: 145972256
Test: Check log cat for avc denials
Change-Id: I7e183aa930bb6ee79613d011bed7174d553f9c1a
This is the common type for domains that executes charger's
functionalities, including setting and getting necessary properties,
permissions to maintain the health loop, writing to kernel log, handling
inputs and drawing screens, etc.
Permissions specific to the system charger is not moved.
Also enforce stricter neverallow rules on charger_{status,config}_prop.
For charger_config_prop, only init / vendor_init can set.
For charger_status_prop, only init / vendor_init / charger / health HAL
can set.
For both, only init / vendor_init / charger / dumpstate / health HAL
can get.
(Health HAL is determined by the intersection of charger_type and
hal_health_server.)
A follow up CL will be added to add charger_type to hal_health_default,
the default domain for health HAL servers. Vendors may add charger_type
to their domains that serves the health AIDL HAL as well.
Test: manual
Bug: 203246116
Change-Id: I0e99b6b68d381b7f73306d93ee4f8c5c8abdf026
"nonplat" was renamed to "vendor" in Android Pie, but was retained
here for Treble compatibility.
We're now outside of the compatbility window for these devices so
it can safely be removed.
Test: atest treble_sepolicy_tests
Change-Id: Iaa22af41a07b13adb7290f570db7a9d43b6e85cc
* init_daemon_domain because clean_scratch_files is executed by init
* gsid related plumbing for libfs_mgr_binder
Bug: 204836146
Test: Presubmit
Change-Id: Idd7eacd577f538d194252174ab1e3d8396f08fb1
The root init.rc does "write /proc/cpu/alignment 4", but we don't
actually allow this write in core sepolicy. This seems to be a 32-bit
ARM only proc file.
Noticed when booting 32-bit ARM Cuttlefish.
Bug: 145371497
Change-Id: Ic099395708f7236bcc2fc5c561809a7e129786de
Stop using these SELinux attributes since the apexd and init SELinux
policies no longer rely on these attributes.
The difference between the previous versions of this patch and the
current patch is that the current patch does not remove any SELinux
attributes. See also
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1850656.
See also
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1862919.
This patch includes a revert of commit 8b2b951349 ("Restore permission
for shell to list /sys/class/block"). That commit is no longer necessary
since it was a bug fix for the introduction of the sysfs_block type.
Bug: 202520796
Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd
Change-Id: I73e1133af8146c154af95d4b96132e49dbec730c
Signed-off-by: Bart Van Assche <bvanassche@google.com>
This will allow apexd to determine if a staged apex contributes to
classpath or not.
Bug: 187444679
Test: atest ApexTestCases
Test: atest StagedInstallInternalTest
Change-Id: I336001ef1dab3aa45835662eecc02d63645b5980
The bufferhub daemon policy still remains, since it still needs to be
deleted. However, since the HAL no longer exists, removing policy
related to this.
Bug: 204068144
Test: build only
Change-Id: I96b96c77a39e2ba2024680ebaf3067283d0cfc65
This is not settable by vendor init at the moment, which appears to be a mistake
because it is often used as a board-level configuration.
Change-Id: I7a49d55712e9606446b3e6307627a208657d5da2
Test: adb shell getprop -Z | grep lmk
Bug: 184041905
Make Netlink Interceptor work when SELinux is enforcing
Test: Netlink Interceptor HAL comes up and works
Bug: 194683902
Change-Id: I3afc7ae04eba82f2f6385b66ddd5f4a8310dff88
Remove these SELinux attributes since the apexd and init SELinux policies
no longer rely on these attributes.
The only difference between a previous version of this patch and the
current patch is that the current patch moves these attributes to the
'compat' policy. See also
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1850656.
This patch includes a revert of commit 8b2b951349 ("Restore permission
for shell to list /sys/class/block"). That commit is no longer necessary
since it was a bug fix for the introduction of the sysfs_block type.
Bug: 202520796
Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd && adb -e shell dmesg | grep avc
Change-Id: Id7d32a914e48bc74da63d87ce6a09f11e323c186
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Some devices might have the ODM partition so set those properties
as well.
Bug: 203720638
Test: Presubmit
Change-Id: I50ee65e21c471f0691f4c1dfc93be8eb1677ad1b
Move type to public so that it can be vendor customized. This
can be necessary if (for example) the gralloc/gpu same-process-HAL
requires additional permissions.
Bug: 199581284
Test: build
Change-Id: I61a5a3ad96112d4293fd4bf6d55f939c974643ce