Commit graph

108 commits

Author SHA1 Message Date
Mitch Phillips
26477ab5a0 Merge "Allow permissive MTE to be set by non-root users" into main 2024-03-19 19:06:13 +00:00
Dennis Shen
89a2c6988a update aconfigd selinux policy
For aconfigd test, for atest to work, the shell domain needs to be able
to connect to aconfigd_socket. In addition, aconfigd needs to be able to
access the test storage files as shell_data_file. All these policies are
only needed for userdebug_or_eng build.

Bug: 312459182
Test: m, launch avd, atest, then audit2allow, no avc denials found
Change-Id: Ifb369f7e0000dfe35305fe976e330fa516ff440c
2024-03-19 12:24:23 +00:00
Mitch Phillips
98b3e4bfd3 Allow permissive MTE to be set by non-root users
Found when making the tests for permissive MTE, which are part of the
CTS test suite because I really, really don't want to fork hundreds of
lines of Java glue. But, CTS tests aren't supposed to only run on rooted
devices (even though there's examples of this in the tree already).

I think either way, ideologically, we should allow non-root users to
enable permissive MTE. This would be useful for a person who wants to
dogfood MTE with all apps on, but use a retail build. I can think of at
least a few researchers that would probably find this useful.

Bug: 328793166
Test: adb unroot && adb shell setprop persist.sys.mte.permissive 1
Change-Id: Ie905e23c9600986cb436e1cc7490e28678710696
2024-03-15 16:26:31 +01:00
Alice Ryhl
6b9aa6dc33 kcmdlinectrl: define system property for kcmdlinectrl
This defines the kcmdline_prop context for properties controlled by
kcmdlinectrl, and defines a property called kcmdline.binder for
switching between the Rust and C implementations of the Binder driver.

It is intended that additional kcmdline properties introduced in the
future would share the same kcmdline_prop context.

Test: Verified that setprop/getprop work and that the value is loaded properly at boot
Bug: 326222756
Change-Id: Iea362df98d729ee110b6058c6e5fa6b6ace03d8e
2024-03-06 12:05:24 +00:00
Florian Mayer
6c689e8438 Allow shell and adb to read tombstones
tombstones are now openable by these domains:

allow adbd tombstone_data_file:dir { getattr ioctl lock open read search watch watch_reads };
allow adbd tombstone_data_file:file { getattr ioctl lock map open read watch watch_reads };
allow dumpstate tombstone_data_file:dir { getattr ioctl lock open read search watch watch_reads };
allow dumpstate tombstone_data_file:file { getattr ioctl lock map open read watch watch_reads };
allow init tombstone_data_file:dir { add_name create getattr ioctl open read relabelfrom relabelto remove_name rmdir search setattr write };
allow init tombstone_data_file:fifo_file { create getattr open read relabelfrom relabelto setattr unlink };
allow init tombstone_data_file:file { create getattr map open read relabelfrom relabelto setattr unlink write };
allow init tombstone_data_file:sock_file { create getattr open read relabelfrom relabelto setattr unlink };
allow shell tombstone_data_file:dir { getattr ioctl lock open read search watch watch_reads };
allow shell tombstone_data_file:file { getattr ioctl lock map open read watch watch_reads };
allow system_server tombstone_data_file:dir { add_name getattr ioctl lock open read remove_name search watch watch_reads write };
allow system_server tombstone_data_file:file { append create getattr ioctl lock map open read rename setattr unlink watch watch_reads write };
allow tombstoned tombstone_data_file:dir { add_name getattr ioctl lock open read remove_name search watch watch_reads write };
allow tombstoned tombstone_data_file:file { append create getattr ioctl link lock map open read rename setattr unlink watch watch_reads write };

Test: adb unroot, ls, cat, adb pull
Bug: 312740614
Change-Id: I4a1af4fbdc48c5c5f4b0b33f124cea31af74dd87
2024-02-23 15:44:20 -08:00
Yu-Ting Tseng
43cae4ea24 Revert^2 "Update uprobestats SELinux policy"
This reverts commit 5e1d7f1c85.

Reason for revert: retry with a fix to the failed tests

Test: atest art_standalone_oatdump_tests
Change-Id: I28872c643ba4ec07ef41b1f9be86036c592a6e4e
2023-12-14 17:17:18 -08:00
Treehugger Robot
40552f0902 Merge "Allow shell to set persist.logd.audit.rate" into main 2023-11-21 08:56:43 +00:00
Seungjae Yoo
d2a0892121 Introduce vendor_microdroid_file for microdroid vendor image
In AVF, virtualizationmanager checks the selinux label of given disk
image for proving whether the given image is edited maliciously.
Existing one(vendor_configs_file, /vendor/etc/*) was too wide to use for this purpose.

Bug: 285854379
Test: m
Change-Id: I6c966c92b238a2262d2eb7f41041ed4c359e9e0a
2023-11-16 16:44:15 +09:00
Snild Dolkow
ef0f3692d7 Allow shell to set persist.logd.audit.rate
This can be useful, for both platform and app developers, when there
are lots of SELinux violations.

The property is only read by init, so no get_prop macros are needed.

Bug: 304313777
Test: set, `for x in $(seq 100); do ls /cache; done`, observe logs
Reference: Ib5352dcf3a85836ae5544c9feeb5222c97c50ecd
Change-Id: Ib23c008ed89e078a20ae136ba97e853f699e2050
2023-11-13 10:42:23 +01:00
Wilson Sung
679b7cb04a Allow shell access to attestation properties
The properties for attestation are congifured in build.prop files and
used by frameworks Build.java.
Allow app to access them from 'adb shell am'

Bug: 296168846
Test: m selinux_policy
Change-Id: Ie749cf5d621c03c21aa538f96a06d21680a61569
2023-09-12 11:33:14 +08:00
Alexander Roederer
49b818497f Merge "persist.sysui.notification.ranking_update_ashmem" 2023-06-08 00:58:04 +00:00
Alexander Roederer
584a862df6 persist.sysui.notification.ranking_update_ashmem
Adds persist.syui.notification.ranking_update_ashmem property and
associated permissions, which will be used to flag guard a change in
core/...NotificationRankingUpdate.java.

Permissions are limited in scope to avoid unnecessary access.
Apps may need to read the flag (because NotificationRankingUpdate.java
is a core library), but setting should only be possible internally (and
via debug shell).

Test: manual flash+adb setprop/getprop
Bug: 249848655
Change-Id: I661644893714661d8c8b5553c943fa17d08c000c
2023-06-07 22:31:00 +00:00
Jooyung Han
b6211b88cf Introduce vendor_apex_metadata_file
A new label for ./apex_manifest.pb and ./ entries in vendor apexes. This
is read-allowed by a few system components which need to read "apex" in
general. For example, linkerconfig needs to read apex_manifest.pb from
all apexes including vendor apexes.

Previously, these entries were labelled as system_file even for vendor
apexes.

Bug: 285075529
Test: m && launch_cvd
Test: atest VendorApexHostTestsCases
Change-Id: Icc234bf604e3cafe6da81d21db744abfaa524dcf
2023-06-05 17:17:51 +09:00
Alexander Roederer
829d974505 Add persist.sysui.notification.builder_extras_ovrd
Adds persist.sysui.notification.builder_extras_override property
and associated permissions, which will be used to flag guard
a change in core/...Notification.java.

Permissions are limited in scope to avoid unnecessary access.
Apps may need to read the flag (because Notification.java
is a core library), but setting should only be possible
internally (and via debug shell).

Test: manual flash+adb setprop/getprop
Bug: 169435530
Change-Id: I3f7e2220798d22c90f4326570732a52b0deeb54d
2023-03-29 16:35:39 +00:00
Seth Moore
d3bd68607e Allow shell to change RKP properties
This way, we can change things like the RKP hostname or enablement
from the shell for tests.

Bug: 265196434
Test: manual (adb shell setprop ...)
Change-Id: Ib853eaf29b395705eba57d241df064152220457e
2023-02-24 13:33:36 -08:00
Max Bires
37992dce8d Merge "Allow shell to call IRemotelyProvisionedComponent" 2022-11-12 00:20:34 +00:00
Max Bires
4d3dcd64d3 Allow shell to call IRemotelyProvisionedComponent
This change gives the shell process the needed permissions to call the
rkp_factory_extraction_tool without also granting the ability to access
the KeyMint HAL service.

To run the tool from a shell accessible folder, push
rkp_factory_extraction_tool to /data/local/tmp with:

adb push out/target/product/<path/to/tool>/rkp_factory_extraction_tool \
/data/local/tmp

Test: the tool can be executed in SELinux enforcing mode
Change-Id: Idebebffa9bb405d527ab37c17030db3999efe3d1
2022-11-09 12:42:28 -08:00
Yi-Yo Chiang
686d77913d remount: Allow 'shell' to run 'remount_exec' domain
The domain of 'remount' used to be 'system_file', which is
read-executable by 'shell'. However when I submitted aosp/1878144, the
domain of 'remount' became 'remount_exec', and I forgot to allow
'shell' to read-execute the new 'remount_exec' domain.
This makes `adb remount` w/o root to produce sub-par error message:
  $ adb remount [-h]
  /system/bin/sh: remount: inaccessible or not found

Allow 'shell' to read-execute 'remount_exec', so that the user can get a
proper error message when not running as root, and help (-h) message can
be displayed:
  $ adb remount
  Not running as root. Try "adb root" first.
  $ adb remount -h
  Usage: remount ...

Bug: 241688845
Test: adb unroot && adb remount [-h]
Change-Id: I5c105eaffa7abddaf14a9d0120fd6b71749c7977
2022-11-01 15:39:49 +08:00
Neil Fuller
8fa264d60c Revert "Limit processes that can change settings sysprops"
This reverts commit c5980699a4.

Reason for revert: Vendor code is setting timezone_prop

Change-Id: Ib09e618745924bd95b4b9aa7106eb2e4cc7895eb
2022-09-28 08:52:46 +00:00
Neil Fuller
c5980699a4 Limit processes that can change settings sysprops
Limit processes that can change global settings system properties.

Only system server and shell (for tests) should be able to set the
affected system properties.

Bug: 248307936
Test: treehugger only
Change-Id: I20b40cbedc9ad5277d08d033fc9d3ff6df7b7919
2022-09-27 16:08:59 +00:00
Mitch Phillips
800e948e61 Merge "[GWP-ASan] Add sysprop, allow shell and system apps to set it." 2022-04-21 18:12:43 +00:00
Martin Stjernholm
1e0b4a5b98 /apex/com.android.art/bin/dex2oat is a symlink, so allow reading it
from the shell.

This fixes a regression from https://r.android.com/1921457, so that
dex2oat without a path can still be run from the adb shell. That CL
removed the symlink from /system/bin, which means the shell finds it in
/apex/com.android.art/bin instead, and hence it needs to be covered by
this sepolicy.

Test: adb unroot && adb shell dex2oat
Bug: 218986148
Bug: 124106384
Change-Id: Ic52b30e0974829b5e5cde5106e6c4eec9f61eec6
2022-04-14 17:52:51 +01:00
Mitch Phillips
8cd32cd93e [GWP-ASan] Add sysprop, allow shell and system apps to set it.
Bug: 219651032
Test: atest bionic-unit-tests

Change-Id: Ic4804ce0e4f3b6ba8eb8d82aca11b400b45c03dc
2022-04-12 13:20:05 -07:00
Evan Rosky
5cfdf2bd6e Add a persist.wm.debug property type and associated permissions
This is intended for wm properties related to wmshell/sysui.
Using this context allows sysui to manipulate these properties
in debug builds.

Bug: 219067621
Test: manual
Change-Id: I5808bf92dbba37e9e6da5559f8e0a5fdac016bf3
2022-03-07 19:44:59 +00:00
Alan Stokes
5490752cfc Allow shell to read updated APEXes
This is useful for certain tests. Note that it is already possible to
access these files without root via adb pull, since adbd has
access. Shell also already has access to non-updated APEXes on
/system/apex.

Bug: 220918654
Test: adb unroot; pm install --apex /data/apex/decompressed/X.decompressed.apex
Change-Id: I35725499365b297a64c9005c8e45325531d3991d
2022-02-25 12:16:14 +00:00
Michael Rosenfeld
5425c870f9 Allow the shell to disable charging.
Bug: 204184680
Test: manual and through instrumentation
Change-Id: I1fe9b35d51140eccba9c05c956875c512de447b1
2022-01-10 10:36:01 -08:00
Alan Stokes
39f497013c SEPolicy for compos_verify_key.
Remove some allow rules for odsign, since it no longer directly
modifies CompOs files. Instead allow it to run compos_verify_key in
its own domain.

Grant compos_verify_key what it needs to access the CompOs files and
start up the VM.

Currently we directly connect to the CompOs VM; that will change once
some in-flight CLs have landed.

As part of this I moved the virtualizationservice_use macro to
te_macros so I can use it here. I also expanded it to include
additional grants needed by any VM client that were previously done
for individual domains (and then deleted those rules as now
redundant).

I also removed the grant of VM access to all apps; instead we allow it
for untrusted apps, on userdebug or eng builds only. (Temporarily at
least.)

Bug: 193603140
Test: Manual - odsign successfully runs the VM at boot when needed.
Change-Id: I62f9ad8c7ea2fb9ef2d468331e26822d08e3c828
2021-09-03 16:31:02 +01:00
Martijn Coenen
a194f2737e Merge "Allow shell to read odsign properties." 2021-08-09 06:45:56 +00:00
Martijn Coenen
fd6d708cc1 Allow shell to read odsign properties.
The shell context can invoke app_process (ART runtime), which in turn
reads odsign_prop to determine whether we determined that the generated
artifacts are valid. Since this was denied until now, app processes
invoked through shell would fall back to JIT Zygote. This is probably
fine, but since fixing the denial is really simple (and not risky), this
option might be preferred over adding it to the bug map.

Bug: 194630189
Test: `adb shell sm` no longer generates a denial
Change-Id: Ia7c10aec53731e5fabd05f036b12e10d63878a30
2021-08-06 08:40:40 +02:00
Allen Webb
8fcf4ca296 Merge "Add rules to cover memfd's for testing." 2021-08-03 13:12:07 +00:00
Yi Kong
b7bb6490df Allow shell to read profcollect data files
Also guard all profcollect related entries with userdebug/eng only and
move them into one place.

Test: manual
Bug: 183487233
Bug: 194155753
Change-Id: If3399bb78b60f0367267e67573007ed72508279a
2021-07-29 01:12:29 +08:00
Allen Webb
cda514a99b Add rules to cover memfd's for testing.
Bug: 193885716
Test: Presubmit passes for CL:1770125
Change-Id: I3a5c6be5e59169df4c5c513626106fb6f350a118
2021-07-20 11:58:37 -07:00
Jiyong Park
f408371097 Allow virtualizationservice to use vsock
... to connect to the programs running in the guest VM

Bug: 192904048
Test: atest MicrodroidHostTestCases
Change-Id: Iccb48c14ace11cc940bb9ab1e07cc4926182e06e
2021-07-12 15:08:08 +09:00
Treehugger Robot
05b6365178 Merge "Allow shell to read /vendor/apex/*" 2021-06-14 13:20:30 +00:00
Jiyong Park
abdc9739fc Allow shell to read /vendor/apex/*
It is used for future xTS tests to read the raw files.

Bug: 190858091
Test: m
Change-Id: If1c7fd92772ff84d92a95fbee74f6c1f8d1cd365
2021-06-14 08:30:43 +09:00
Nikita Ioffe
681ad260b4 Give adbd and shell read access to /apex/apex-info-list.xml
/apex/apex-info-list.xml is used by ART mainline module, hence it needs
to have CTS test for it. Giving adbd and shell read-only permission
allows us to write host-driven CTS test that pull
/apex/apex-info-list.xml from the device and inspects it's content.

Similar (albeit not exactly the same information) is already available
via PackageManager APIs/PackageManager shell command.

Bug: 190185664
Test: m
Test: adb shell cat /apex/apex-info-list.xml
Change-Id: Ib7f2ca79a7493f8cd40d0c419569e85135f6bbda
2021-06-10 19:57:17 +01:00
Inseob Kim
af2697a452 Merge "Remove microdroid specific rules and files" 2021-06-08 00:53:26 +00:00
Tej Singh
6550adcaed Merge "Make *-apex-info-list.xml readable by shell" 2021-06-08 00:47:33 +00:00
Tej Singh
75385efd27 Make *-apex-info-list.xml readable by shell
Enables CTS testing of the bootstrap apexes.

Bug: 186767843
Test: adb shell cat bootstrap-apex-info-list.xml works without root
Change-Id: Icf56d32d296f5a42160dbd9ea90a89c8b4db6aa7
2021-06-07 21:39:34 +00:00
Inseob Kim
5d269aaa55 Remove microdroid specific rules and files
These are moved to packages/modules/Virtualization.

Bug: 189165759
Test: boot device and microdroid
Test: atest MicrodroidHostTestCases
Change-Id: I050add7fef56ced4787117f338e7b5d1fda1c193
2021-06-07 19:22:18 +09:00
Jooyung Han
d470ed7b47 Add rules for microdroid_manager
Microdroid_manager is an executable in microdroid. It's role is to manage tasks
in microdroid and communicate with host's virtualizationservice.

To execute a task in microdroid, microdroid_manager should
- read "metadata" partition
- read VM payload config
- exec a command

Bug: 189301496
Test: atest MicrodroidHostTestCases
Change-Id: Iabbe0d3c8832f00df5c545e6b13fc55afa820b33
2021-06-02 09:50:54 +09:00
Jiyong Park
6645ad3b1f Add rules for microdroid_launcher
Microdroid_launcher is an executable in microdroid. It's role is to load
a shared library in an APK that is shared from the host Android and
execute it by calling an entry point (android_native_main) in it.

For now, it is executed from shell, but will eventually be executed from
a binder service (which also is running in microdroid) called
microdroid_manager.

Bug: 188513012
Test: atest MicrodroidHostTestCases
Change-Id: I150a958c1ed0e3e960f4b4b577e808e54e898644
2021-05-25 17:22:01 +09:00
liuyg
04c85dcfc4 Revert "Allow the MediaProvider app to set FUSE passthrough property"
This reverts commit c1e2918fd9.

Reason for revert: Build broke

Change-Id: I4b95e977cf66c586b0d0b465f1b3654c01074152
2021-05-13 18:18:28 +00:00
Alessio Balsini
c1e2918fd9 Allow the MediaProvider app to set FUSE passthrough property
Allow the MediaProvider app to write the system property
fuse.passthrough.enabled in case FUSE passthrough is enabled.
The need for this additional system property is due to the ScopedStorage
CTS tests that are assuming FUSE passtrhough is always on for devices
supporting it, but there may be some cases (e.g., GSI mixed builds)
where this is not possible true and the feature is disabled at runtime,
thus causing the tests to fail.
This additional system property is only set when FUSE passthrough is
actually being used by the system.

Bug: 186635810
Test: CtsScopedStorageDeviceOnlyTest
Signed-off-by: Alessio Balsini <balsini@google.com>
Change-Id: I623042d67399253a9167188c3748d93eb0f2d41f
2021-05-13 17:38:16 +00:00
Yi-Yo Chiang
694ab79207 Allow shell to read default fstab
CTS module CtsFsMgrTestCases (gtest) needs to read fstab.

Fixes: 184850580
Test: CtsFsMgrTestCases on user build
Change-Id: I0f04bb021d8732a1c5f987ba2984da2c98f40653
2021-04-12 04:46:06 +00:00
Michael Rosenfeld
3ccbebb415 Permit dropping caches from the shell through sys.drop_caches.
*   Permits setting the sys.drop_caches property from shell.
*   Permits init to read and write to the drop_caches file.
*   Can only be set to 3 (drop_caches) and 0 (unset).

Bug: 178647679
Test: flashed user build and set property; no avc denials.
Test: flashed userdebug build and dropped caches w/o root.
Change-Id: Idcedf83f14f6299fab383f042829d8d548fb4f5d
2021-03-19 10:55:51 -07:00
Chun-Wei Wang
75e3fa6ead Merge "Add persist.rollback.is_test (6/n)" 2021-03-06 14:33:38 +00:00
JW Wang
0f8cf04965 Add persist.rollback.is_test (6/n)
This property is set to true in rollback tests to prevent
fallback-to-copy when enabling rollbacks by hard linking.

This gives us insights into how hard linking fails where
it shouldn't.

Bug: 168562373
Test: m
Change-Id: Iab22954e9b9da21f0c3c26487cda60b8a1293b47
2021-03-03 10:34:06 +08:00
Yifan Hong
a18cf7ed0c Allow shell to read VAB props.
Bug: 179427873
Test: adb unroot and read the prop
Change-Id: Ib480903afae2e7180a59f8834dd7c54062acd947
2021-02-24 22:33:46 +00:00
Hongming Jin
58f83415ea Add /data/misc/a11ytrace folder to store accessibility trace files.
Bug: 157601519
Test: adb shell cmd accessibility start-trace
      adb shell cmd accessibility stop-trace
Change-Id: Id4224cee800fe3e10f33794c96048366a0bf09bb
2021-02-16 09:35:09 -08:00