public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.
Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
Three properties are declared as vendor-init-settable:
ro.media.xml_variant.codecs
ro.media.xml_variant.codecs_performance
ro.media.xml_variant.profiles
media_codecs.xml can now be named
media_codecs${ro.media.xml_variant.codecs}.xml
media_codecs_performance.xml can now be named
media_codecs_performance${ro.media.xml_variant.codecs_performance}.xml
media_profiles_V1_0 can now be named
media_profiles${ro.media.xml_variant.profiles}.xml
Test: Rename "media_codecs.xml" to "media_codecs_test.xml",
set ro.media.xml_variant.codecs to "_test", then
call "stagefright -i".
Test: Rename "media_codecs_performance.xml" to
"media_codecs_performance_test.xml",
set ro.media.xml_variant.codecs_performance to "_test", then
run android.media.cts.VideoDecoderPerfTest.
Test: Rename "media_profiles_V1_0.xml" to "media_profiles_test.xml",
set ro.media.xml_variant.profiles to "_test", then
run vts_mediaProfiles_validate_test.
Bug: 142102953
Change-Id: I407a0a327fcc8e799bb4079b11048a497565be48
CAN HAL needs access to /sys/devices to search for USB serial numbers
for SocketCAN devices and for USB serial devices.
Bug: 142654031
Test: Manual + VTS
Change-Id: I3d9bff94f8d8f936f7d859c01b9ff920fcbc5130
This property type represents properties used in CTS tests of userspace
reboot. For example, test.userspace_reboot.requested property which is
used to check that userspace reboot was successful and didn't result in
full reboot, e.g.:
* before test setprop test.userspace_reboot.requested 1
* adb reboot userspace
* wait for boot to complete
* verify that value of test.userspace_reboot.requested is still 1
Test: adb shell setprop test.userspace_reboot.requested 1
Bug: 150901232
Change-Id: I45d187f386149cec08318ea8545ab864b5810ca8
Merged-In: I45d187f386149cec08318ea8545ab864b5810ca8
(cherry picked from commit 3bd53a9cee)
Add a vendor-specified system property to allow GPU fallback composition to occur at a lower resolution than the display mode resolution. This is required on platforms like TVs which have, for example, 2k GPUs but 4k capabilities, or 4k GPUs but 8k capabilities.
Bug: 144574809
Test: Tested with sysprop disabled, and tested backport in Android Q with sysprop enabled. Unable to test on Android R due to device issues.
Change-Id: Ife63c21a6e959d16e796d57956dd7dda2f5d383e
Originally public/property_contexts was introduced to create a whitelist
of system properties which can be accessed from vendor, and to be used
from VTS to ensure that the whitelist isn't modified. But it doesn't fit
well on sepolicy public/private split as the split isn't for stability,
but for letting vendor compile their sepolicy with public types. Also it
doesn't make sense only to check the whitelist on VTS, because platform
internal ones must also be unchanged.
This commit merges public/property_contexts into private as before. This
gives consistency with other context files such as file_contexts which
are already containing entries for vendor but are only defined in
private. This also simplifies property_contexts as there will be only one
property_contexts file. Another benefit is that VTS will check all
entries defined by system, not only exported ones.
Bug: 150331497
Test: m && run VtsTrebleSysProp manually
Change-Id: Ib9429e27b645ef21a36946fbaea069a718c3c6eb
Merged-In: Ib9429e27b645ef21a36946fbaea069a718c3c6eb
(cherry picked from commit 31391fa78e)
The previous attempt (aosp/1225417) had a missing piece: while we
allowed traced to use the shared memory, we haven't allowed it to use
the file descriptors in the producers' domains. Since the shared memory
is being transferred as an fd (obtained from memfd_create), the service
ends up hitting a denial (see below for an example).
We ended up missing the general case as we only tested with the shell
domain at the time, and traced is already allowed to use shell's fds for
other reasons.
To reiterate, the tracing service treats producers as inherently
untrusted/adversarial, so its implementation should never attempt to use
a file descriptor that isn't otherwise validated (such as checking seals
for the memfds).
Example denial from a chromium apk that is exercising this path:
traced : type=1400 audit(0.0:80): avc: denied { use } for
path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429
dev="tmpfs" ino=151536 scontext=u:r:traced:s0
tcontext=u:r:untrusted_app_29:s0:c136,c256,c512,c768 tclass=fd
permissive=0
(deobfuscated path in the denial: /memfd:perfetto_shmem (deleted))
Tested: experimental chromium apk no longer crashes when trying to hand
over shared memory to traced
Bug: 148841422
Change-Id: I7390fb174e2083ba7693c3160da44b4cfa7b1c8b
See discussion in aosp/1233645. There was a concern about this
filesystem automounting when enabled, so this change adds sepolicy to
preemptively lock it down.
I'm not confident it actually automounts. If it does, it'll land in
/sys/kernel/security, which is also protected with the sysfs policy.
Test: Builds
Bug: 148102533
Change-Id: I78a246a5c18953f2471f84367ab383afb2742908
This is useful for tools like dumpsys, so that they work on all services
equally as well. Also, so that there is no difference with the regular
service manager.
Bug: 150579832
Test: 'adb shell /vendor/bin/dumpsys -l' shows 'manager'
Test: denial is no longer present:
03-05 12:23:47.346 221 221 E SELinux : avc: denied { add } for pid=221 uid=1000 name=manager scontext=u:r:vndservicemanager:s0 tcontext=u:object_r:service_manager_vndservice:s0 tclass=service_manager permissive=0
Change-Id: Id6126e8277462a2c4d5f6022ab67a4bacaa3241e
This is needed for the following denial:
type=1400 audit(0.0:124): avc: denied { map } for
comm=54696D652D6C696D69746564207465 path="/mnt/appfuse/10182_2/2"
dev="fuse" ino=2 scontext=u:r:untrusted_app:s0:c182,c256,c512,c768
tcontext=u:object_r:app_fuse_file:s0 tclass=file permissive=0
Bug: 150801745
Test: atest CtsBlobStoreTestCases:com.android.cts.blob.BlobStoreManagerTest#testOpenBlob -- --abi x86
Merged-In: Ib7ca64e11b24f8835874698df15a9a0fdce67454
Change-Id: I4dc4ce91da3513a2d1f08ada401741f6d5a090c3
This is previously needed by snapshotctl to initiate the merge,
but now update_engine is responsible for initiating the merge.
Bug: 147696014
Test: no selinux denial on boot.
Change-Id: I7804af1354d95683f4d05fc5593d78602aefe5a7
public/property_contexts needs to be included regardless of
API level so that the property *labels* are always included.
Else, devices without PRODUCT_COMPATIBLE_PROPERTY (shipping
API level <27) will run into denials because the props are
labeled `default_prop`.
As a side benefit, this reduces deviation in test matrices.
The guard was originally introduced in:
e49714542e "Whitelist exported platform properties"
Test: Build for device without PRODUCT_COMPATIBLE_PROPERTY,
no more denials for accessing `default_prop` from e.g. HALs.
Change-Id: I5bbe5d078040bb26dd48d353953661c9375d2009
Signed-off-by: Felix <google@ix5.org>
For system prop flags from DeviceConfig namespace "Configuration".
Test: Build and run on local device
Bug: 149420506
Change-Id: If4196b4bf231e7c52f98b92cc0031a08dad06120