Commit graph

106 commits

Author SHA1 Message Date
Alexander Potapenko
0a64d100b8 dmesgd: sepolicies
dmesgd is a daemon that collects kernel memory error reports.

When system_server notices that a kernel error occured, it sets the
dmesgd.start system property to 1, which results in init starting
dmesgd.

Once that happens, dmesgd runs `dmesg` and parses its output to collect
the last error report. That report, together with the headers containing
device- and build-specific information is stored in Dropbox.

Empirically, dmesgd needs the following permissions:
- execute shell (for popen()) and toolbox (for dmesg),
  read system_log (for dmesg)
- read /proc/version (to generate headers)
- perform Binder calls to servicemanager and system_server,
  find dropbox_service (for dropbox)
- create files in /data/misc/dmesgd (to store persistent state)

Bug: 215095687
Test: run dmesgd on a user device with injected KFENCE bugs
Change-Id: Iff21a2ffd99fc31b89a58ac774299b5e922721ea
2022-02-10 17:42:52 +00:00
Yabin Cui
f17fb4270c Add sepolicy for simpleperf_boot.
simpleperf_boot is the secontext used to run simpleperf from init,
to generate boot-time profiles.

Bug: 214731005
Test: run simpleperf manually
Change-Id: I6f37515681f4963faf84cb1059a8d5845c2fe5a5
2022-01-15 16:12:51 -08:00
Florian Mayer
11db93a15b Merge "[MTE] Allow system_app to write memtag property." 2022-01-10 21:12:02 +00:00
Florian Mayer
39f29f758e [MTE] Allow system_app to write memtag property.
Bug: 206895651
Change-Id: I6463965c094b9b3c4f3f70929a09e109ee9c84b9
2022-01-07 11:39:10 -08:00
Matt Buckley
964c68b02d Make surface_flinger_native_boot_prop a system_restricted_prop for ADPF
Test: manual
Bug: b/195990840
Change-Id: Icb758c48a1faa8901a1d2c2c442451c42fc3b5b1
2021-12-27 18:24:12 +00:00
Richard Fung
0c7c2679b0 Add apexd_payload_metadata_prop
This should be read-only and corresponds to apexd.payload_metadata.path

Bug: 191097666
Test: android-sh -c 'setprop apexd.payload_metadata.path'
See permission denied
atest MicrodroidHostTestCases

Change-Id: Ifcb7da1266769895974d4fef86139bad5891a4ec
2021-12-16 03:00:06 +00:00
Andrew Scull
aedd65ac20 Allow vendor_init to read AVF device configs
Bug: 192819132
Test: build
Change-Id: Iefa4d2d2dc0a13a9a6c95779d6ebde5cb2834295
2021-10-08 14:51:30 +00:00
Beth Thibodeau
79485f5e45 Merge "make ril.cdma.inecmmode system property internal so that it cannot reveal a system api that requires READ_PRIVILEGED_PHONE_STATE" 2021-10-01 22:58:31 +00:00
Nazanin
b373dd0df2 make ril.cdma.inecmmode system property internal
so that it cannot reveal a system api that requires
READ_PRIVILEGED_PHONE_STATE

Bug: 183410189
Bug: 197722115
Test: adb shell getprop -Z
Change-Id: I65f4121fc300447af7d516676166bc8b0b53b727
Merged-In: I65f4121fc300447af7d516676166bc8b0b53b727
2021-10-01 21:36:49 +00:00
Jiyong Park
b804de2943 Add virtualizationservice.state.last_cid
It is a system property that keeps the last CID used by the
virtualizationservice. Although the information is local to the
process, a new system property is justified because the information has
to be kept across multiple runs of the process. A file however is not
desirable because the information shouldn't be persisted.

Bug: 196015427
Test: atest MicrodroidHostTestCases
Change-Id: If8ca4b6ad8d9c8cb3bb33dc9ef45de0ae6481d15
2021-09-17 09:35:58 +09:00
Suren Baghdasaryan
592e06c910 sepolicy updates for adding native flag namespace for lmkd
sepolicy updates for running lmkd experiments.

Bug: 194316048
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I21df3b76cce925639385111bd23adf419f026a65
2021-08-09 17:35:09 -07:00
David Anderson
f595435798 Merge "Add new snapuserd socket and property rules." 2021-07-28 21:59:59 +00:00
Martijn Coenen
5f21a0fa92 Allow odsign to stop itself.
Carve out a label for the property, and allow odsign to set it.

Bug: 194334176
Test: no denials
Change-Id: I9dafefabc27c679ed9f36e617e824f44f3b16bbd
2021-07-28 10:50:35 +02:00
David Anderson
bf5b6ce422 Add new snapuserd socket and property rules.
This adds a new property prefix owned by snapuserd, for communicating
when the service is ready to accept connections (snapuserd.ready and
snapuserd.proxy_ready).

This also adds a new socket context. This is a seqpacket socket used to
communicate with a special instance of snapuserd that bridges to the
first-stage daemon.

Bug: 193833730
Test: no denials after OTA applies and boots
Change-Id: Ibad03659eba5c25e205ba00f27d0b4f98585a84b
2021-07-27 10:50:59 -07:00
Hasini Gunasinghe
4fa6b1a037 Allow keystore to read and write keystore.crash_count system property.
Additionally, remove the obsolete permission which allows keystore to
register callbacks with statsd. There's no direct communication between
keystore and statsd now.

Ignore-AOSP-First: No mergepath to AOSP.
Bug: 188590587
Test: statsd TestDrive script.
Merged-In: I31d202751ba78bb547822020260a7e366cb8826e

Change-Id: I31d202751ba78bb547822020260a7e366cb8826e
2021-07-08 17:54:58 +00:00
rnlee
b6142ecc22 Add sepolicy SF native boot namespace.
Following go/android-native-flag-api-manual.

Bug: 190769260
Test: make.
Change-Id: I84fe7e9d046fbbe737f09043589b19e71981f521
2021-06-30 14:07:44 -07:00
hkuang
de370e5161 Allow mediaserver start transcoding service.
Bug: 187271658
Test: atest MediaTranscodeManagerTest; unit tests
Change-Id: I847a83ec3e0d852266b7b0c624767e72d48b45d5
2021-05-17 13:52:38 -07:00
Benjamin Schwartz
c171a1d9b6 Make suspend_prop system_vendor_config_prop
Bug: 185810834
Test: adb shell getprop suspend.short_suspend_threshold_millis
Change-Id: I270057e5f81b220b7168573b516dd102650f11e1
2021-04-20 09:13:02 -07:00
Yabin Cui
bd4c9e8530 Add permissions in profcollectd to parse kernel etm data.
To parse etm data for kernel and kernel modules, add below permissions
to profcollectd:
1. Get kernel start address and module addresses from /proc/kallsyms
and /proc/modules.
2. Get kernel build id from /sys/kernel/notes.
3. Read kernel module files in vendor dir.

Bug: 166559473
Test: run profcollectd.

Change-Id: I2e0b346379271fadc20e720722f7c9a687335ee2
2021-04-08 16:03:59 -07:00
Treehugger Robot
e3c3dd3786 Merge "sepolicy: export SuspendProperties.short_suspend_threshold_millis" 2021-03-24 12:09:28 +00:00
Denny cy Lee
b23b3cf5ad sepolicy: export SuspendProperties.short_suspend_threshold_millis
Bug: 182546466
Test: Test with getprop code outside system img
Change-Id: I4817c22ecc0a143ea818e0850fb721cbdf1d5ae5
Signed-off-by: Denny cy Lee <dennycylee@google.com>
2021-03-24 07:27:48 +00:00
Yi Kong
9b65845b4a Allow profcollectd to store and read its application specific node ID in properties
This node ID will be used to uniquely and anonymously identify a device
by profcollectd on engineering (userdebug or eng) builds.

Test: build
Change-Id: If01f71c62479d63d4d19aac15da24bc835621e66
2021-03-22 19:40:03 +00:00
Michael Rosenfeld
133496f8a4 Merge "Permit dropping caches from the shell through sys.drop_caches." 2021-03-22 16:04:32 +00:00
Michael Rosenfeld
3ccbebb415 Permit dropping caches from the shell through sys.drop_caches.
*   Permits setting the sys.drop_caches property from shell.
*   Permits init to read and write to the drop_caches file.
*   Can only be set to 3 (drop_caches) and 0 (unset).

Bug: 178647679
Test: flashed user build and set property; no avc denials.
Test: flashed userdebug build and dropped caches w/o root.
Change-Id: Idcedf83f14f6299fab383f042829d8d548fb4f5d
2021-03-19 10:55:51 -07:00
Janis Danisevskis
b488a8fe1a Keystore 2.0: Remove keystore2.enable property.
Bug: 171563717
Test: N/A
Change-Id: I85819a71dc24777a9d54f0c83b8b29da9f48cec1
2021-03-19 10:07:49 -07:00
Martijn Coenen
0b47552028 Merge "Add odsign status properties." 2021-03-19 10:30:20 +00:00
Martijn Coenen
f2e4ee6498 Add odsign status properties.
These properties are used to communicate odsign status, and allow init
to evict keys and start zygote at the correct moments in time.

Bug: 165630556
Test: no denials from init/odsign
Change-Id: I813e5c1c93d6f00a251a9cce02d0b74e5372c1ce
2021-03-16 09:14:29 +01:00
Hasini Gunasinghe
a3031eccca Merge changes from topic "keystore_api_for_credstore"
* changes:
  Credstore: Add rules to allow credstore read keystore2_enable property.
  Add get_auth_token permission to allow credstore to call keystore2.
2021-03-15 16:02:20 +00:00
Nikita Ioffe
360e0f91c3 Add apexd_config_prop type
This type is used for properties that provides per-device configuration
for apexd behaviour (so far - timeouts for creating/deleting dm device).

Test: builds
Bug: 182296338
Change-Id: Ib815f081d3ab94aa8c941ac68b57ebe661acedb9
2021-03-15 00:35:38 +00:00
Hasini Gunasinghe
1d34bd7fd3 Credstore: Add rules to allow credstore read keystore2_enable property.
This is temporary, until keystore2 lands.

Test: CtsVerifier.
Change-Id: I8335e0eb48da682e66fceff9e31696d61235424b
2021-03-12 20:32:06 +00:00
Treehugger Robot
b9b067ce5e Merge "Fix broken neverallow rules" 2021-03-11 07:33:30 +00:00
Lorenzo Colitti
26d3d4a5a2 Properly set the property_context for net.tcp_init_rwnd.
This property is many years old and it does not have a property
context associated with it. It is set by the system server (in
particular, ConnectivityService code, in the Tethering module)
and read by init, which does:

on property:net.tcp_def_init_rwnd=*
    write /proc/sys/net/ipv4/tcp_default_init_rwnd ${net.tcp_def_init_rwnd}

There is no need to add read access to init because init can read
and write any property.

Test: m
Fix: 170917042
Change-Id: I594b09656a094cd2ef3e4fd9703e46bf7b2edd4c
2021-03-10 20:28:26 +09:00
Lorenzo Colitti
082ebd2107 Add selinux policy for the new net.464xlat.cellular.enabled prop.
This property is written by an .rc file - see aosp/1553819 - and
read by the connectivity mainline code in the system server.

Test: m
Bug: 182333299
Change-Id: Ibac622f6a31c075b64387aadb201ad6cdd618ebd
2021-03-10 15:58:48 +09:00
Inseob Kim
85acf6ef70 Fix broken neverallow rules
neverallow rules with allowlist should look like:

    neverallow { domain -allow1 -allow2 } ...

Bug: 181744894
Test: m selinux_policy
Test: pcregrep -M -r "neverallow\s+{(\s*#.*\s*)*\s+-" .
Change-Id: Ibab72ccc1fbacb99b62fe127b4122e1ac22b938a
2021-03-10 10:44:22 +09:00
Chun-Wei Wang
75e3fa6ead Merge "Add persist.rollback.is_test (6/n)" 2021-03-06 14:33:38 +00:00
JW Wang
0f8cf04965 Add persist.rollback.is_test (6/n)
This property is set to true in rollback tests to prevent
fallback-to-copy when enabling rollbacks by hard linking.

This gives us insights into how hard linking fails where
it shouldn't.

Bug: 168562373
Test: m
Change-Id: Iab22954e9b9da21f0c3c26487cda60b8a1293b47
2021-03-03 10:34:06 +08:00
Paul Crowley
b0c5571da6 init sets keystore.boot_level, keystore reads
Bug: 176450483
Test: init can set, and keystore2 read, keystore.boot_level
Test: `adb shell getprop -Z | grep boot_level` returns
      [keystore.boot_level]: [u:object_r:keystore_listen_prop:s0]
Change-Id: Iedb37db19e9153995800fc97de6ee8c536179caa
2021-02-23 21:08:05 -08:00
Nick Chalko
81a4dd40d6 Add sepolicy swcodec native flag namespace.
Test: add sepolicy, build, check GetServerConfigurableFlag function
Bug: 179286276
Change-Id: Ia16d110900251b3fb3e3959d73524c8814199270
2021-02-16 09:22:16 -08:00
Xiao Ma
2d6c9f0fe8 Allow connectivity namespace to enable native level access flags.
Follow the steps: go/android-native-flag-api-manual

Bug: 179099277
Test: m -j
Test: manually verify connection to wifi after flash
Change-Id: Ieb5355d40aec9ed7a42b7ae5b250b696fcf00810
2021-02-04 05:31:33 +00:00
Inseob Kim
150355b1c3 Merge "Revert^2 "Make default_prop only readable from coredomain"" 2021-01-14 09:42:25 +00:00
Inseob Kim
5c011e57a5 Revert^2 "Make default_prop only readable from coredomain"
This reverts commit 32fbfbc016.

Reason for revert: Fixed breakages

Change-Id: I474ee7dd7b82b4f2e02353e8a3fb55e3c410941f
2021-01-14 04:08:16 +00:00
Mitch Phillips
eaf1404d8a [MTE] Add memtag sysprop sepolicy.
These flags should be writeable to the shell for both root and non-root
users. They should be readable everywhere, as they're read in libc
during initialization (and there's nothing secret to hide). We just
don't want to allow apps to set these properties.

These properties are non-persistent, are for local developer debugging
only.

Bug: 135772972
Bug: 172365548
Test: `adb shell setprop memtag.123 0` in non-root shell succeeds.
Change-Id: If9ad7123829b0be27c29050f10081d2aecdef670
2021-01-11 08:35:58 -08:00
Jackal Guo
32fbfbc016 Revert "Make default_prop only readable from coredomain"
This reverts commit 082ced1951.

Reason for revert: b/176784961

Change-Id: Ia85667216d63084e9e23aefe1d3bfd7942d51a2a
2021-01-05 08:47:57 +00:00
Inseob Kim
082ced1951 Make default_prop only readable from coredomain
default_prop has been readable from coredomain and appdomain. It's too
broad, because default_prop is a context for properties which don't have
matching property_contexts entries.

From now on, only coredomain can read default_prop. It's still broad,
but at least random apps can't read default_prop anymore.

Bug: 170590987
Test: SELinux denial boot test for internal devices
Change-Id: Ieed7e60d7e4448705c70e4f1725b2290e4fbcb4a
2020-12-14 16:58:23 +09:00
Inseob Kim
4c110ff19b Use attributes for exclusive property owners
tests/sepolicy_tests.py has been checking whether the property owner
attributes are mutually exclusive. This is because current policy
language can't express the following snippet:

    neverallow domain {
        system_property_type && vendor_property_type
    }:file no_rw_file_perms;

    neverallow domain {
        system_property_type && vendor_property_type
    }:property_service set;

This uses technical_debt.cil to workaround this.

Bug: 171437654
Test: Try to compile a type having both system_property_type and
      vendor_property_type
Change-Id: Ic65f2d00aa0f2fb7f5d78331b0a26e733fcd128e
2020-11-30 18:34:30 +09:00
Treehugger Robot
34211741dd Merge "Selinux changes for statsd flags" 2020-11-21 00:12:07 +00:00
David Anderson
09bb944221 Add sepolicy for starting the snapuserd daemon through init.
Restrict access to controlling snapuserd via ctl properties. Allow
update_engine to control snapuserd, and connect/write to its socket.

update_engine needs this access so it can create the appropriate dm-user
device (which sends queries to snapuserd), which is then used to build
the update snapshot.

This also fixes a bug where /dev/dm-user was not properly labelled. As a
result, snapuserd and update_engine have been granted r_dir_perms to
dm_user_device.

Bug: 168554689
Test: full ota with VABC enabled
Change-Id: I1f65ba9f16a83fe3e8ed41a594421939a256aec0
2020-11-19 21:03:30 +00:00
Tej Singh
dd0988fb9b Selinux changes for statsd flags
Test: manually verified statsd can get values using
GetServerConfigurableFlag
Bug: 172842175

Change-Id: I05cb2242dc758e32a22ddf30cb6f09088b70f5d4
2020-11-17 19:28:41 -08:00
Inseob Kim
0cef0fe5ac Add contexts for sqlite debug properties
These are read by some apps, but don't have any corresponding property
contexts. This adds a new context as we're going to remove default_prop
access.

Bug: 173360450
Test: no sepolicy denials
Change-Id: I9be28d8e641eb6380d080150bee785a3cc304ef4
2020-11-18 12:14:20 +09:00
Florian Mayer
b23d38c7a0 Merge "userdebug_or_eng: allow traced_perf to read kallsyms." 2020-11-13 10:02:27 +00:00