Define a rollback_data_file label and apply it to the snapshots
directory. This change contains just enough detail to allow
vold_prepare_subdirs to prepare these directories correctly.
A follow up change will flesh out the access policy on these
directories in more detail.
Test: make, manual
Bug: 112431924
Change-Id: I4fa7187d9558697016af4918df6e34aac1957176
update_engine no longer needs a standalone bspatch executable since [1]
(which first landed into O). And we don't ship /system/bin/bspatch on
device by default.
[1] https://android-review.googlesource.com/c/platform/system/update_engine/+/327365
Test: Verify that /system/bin/bspatch doesn't exist on device.
Test: Trigger an A/B OTA install for aosp_walleye-userdebug:
`m dist`;
`system/update_engine/scripts/update_device.py out/dist/aosp_walleye-ota.zip`.
No update_engine related denial.
Change-Id: Iff578bdb0b1909092dd19feff069755a44d29398
This was a regression in Q, and the file is an implementation of
liblog.
Bug: 113083310
Test: use tags from vendor and see no denials
Change-Id: I726cc1fcfad39afc197b21e431a687a3e4c8ee4a
Test: basic workflow between apexd and PackageManager tested with
changes being developed.
Bug: 118865310
Change-Id: I1ae866f33e9b22493585e108c4fd45400493c7ac
Make /(product|system/product)/vendor_overlay/<ver> have the vendor
file context.
If vendor_overlay requires to mount on the vendor directories other
than 'vendor_file', the contexts must be defined in the device
specific sepolicy files.
Bug: 119076200
Test: build and check if the files are overided and have the required
sepolicy contexts.
Change-Id: I69ed38d4ea8e7d89f56865b1ca1e26f290e9892d
rss_hwm_reset is binary that reset RSS high-water mark counters for all
currently running processes. It runs in a separate process because it
needs dac_override capability.
Bug: 119603799
Test: no errors in logcat
Change-Id: I6221a5eca3427bf532830575d8fba98eb3e65c29
When an app uses renderscript to compile a Script instance,
renderscript compiles and links the script using /system/bin/bcc and
/system/bin/ld.mc, then places the resulting shared library into the
application's code_cache directory. The application then dlopen()s the
resulting shared library.
Currently, this executable code is writable to the application. This
violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which
requires any executable code be immutable.
This change introduces a new label "rs_data_file". Files created by
/system/bin/bcc and /system/bin/ld.mc in the application's home
directory assume this label. This allows us to differentiate in
security policy between app created files, and files created by
renderscript on behalf of the application.
Apps are allowed to delete these files, but cannot create or write these
files. This is enforced through a neverallow compile time assertion.
Several exceptions are added to Treble neverallow assertions to support
this functionality. However, because renderscript was previously invoked
from an application context, this is not a Treble separation regression.
This change is needed to support blocking dlopen() for non-renderscript
/data/data files, which will be submitted in a followup change.
Bug: 112357170
Test: cts-tradefed run cts -m CtsRenderscriptTestCases
Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
Bug: 118510237
Test: Boot and test callback on ThermalHAL 1.1 and ThermalHAL 2.0
(cherry picked from commit 75cc6bf2d5)
Change-Id: Iafb376e61dc579c3bfd173ac34a4d525b83d8e5c
After b/28357356 /dev/alarm is no longer used by android platform.
Also, Pixel devices don't have /dev/alarm.
Bug: 110962171
Test: boot aosp_walleye
Change-Id: Id9723996104a2548ddf366489890c098d1ea87be
This is PS1 of aosp/828283 which was reverted. Using PS1 shouldn't cause
the same issue.
Test: vold is able to create directories, ag/5534962
Bug: 116528212
Change-Id: I84aca49a8dae0a087498120780dea0962aca04b3
This reverts commit 92bde4b941.
Reason for revert: Rebooting after OTA fails due to the
filesystem still seeing the old label on the device.
Bug: 116528212
Bug: 119747564
Change-Id: Ib5f920f85c7e305e89c377369dca038d2c6c738c
Test: rollback change
I added ro.bionic.(2nd_)?_(arch|cpu_variant) to vendor system
properties. And have init to write them to files under dev/.
This change set SELinux rules for these properties and files.
For the system properties: vendor/default.prop will set them. init will
read them.
For the files /dev/cpu_variant:.*: init will write them. bionic libc
will read them. (Basically world readable).
This is to allow libc select the right optimized routine at runtime.
Like memcpy / strcmp etc.
Test: getprop to make sure the properties are set.
Test: ls -laZ to make sure /dev/cpu_variant:.* are correctly labeled.
Change-Id: I41662493dce30eae6d41bf0985709045c44247d3
cgroup is labeled from genfs_contexts. Also, cgroup filesystems can't be
context mounted, i.e. it's not possible to mount them with a label other
than "cgroup".
Bug: 110962171
Test: m selinux_policy
Test: boot aosp_walleye
Change-Id: I8319b10136c42a42d1edaee47b77ad1698e87f2c
With Treble, cameraserver no longer depends on camera devices directly.
Moreover, pixel 3 doesn't have /dev/cam node.
We still keep "camera_device" type around since vendor policy uses it to
label its /dev nodes.
Bug: 110962171
Test: boot aosp_walleye
Test: camera app still works
Change-Id: If12d640c2a0006b9fc3c9f6704285eb8eb66c626
mtd_device does not label any /dev node present on walleye, and the only
permission to that type is:
allow hal_telephony_server mtd_device:dir search;
I suspect there is no need to keep mtd_device around.
Bug: 110962171
Test: boot aosp_walleye
Change-Id: If74b1258b21edeca38c8b7dc07a3a10b751a7e85
No coredomain domain has access to these types and corresponding /dev
nodes don't exist on the device:
audio_seq_device
audio_timer_device
full_device
i2c_device
vcs_device
Bug: 110962171
Test: m selinux_policy
Test: boot walleye
Change-Id: I89ad4755e6760aa166cb22e2655567e5905dc672
These rules mirror those for /vendor/overlay and /odm/overlay, including
the possilibity of a symlink like /system/vendor -> /vendor.
Test: builds, boots
Change-Id: I323e48fcc13c4ac7779902506539c2600708cc88
Historically GPU service lives in SurfaceFlinger as a convenient hack.
Howerver, SurfaceFlinger doesn't need to know about anything specific about GPU
capability, and shouldn't know about anything about GPU. This patch moves GPU
service out of SurfaceFlinger.
GPU service is a service that accesses to GPU driver, queries GPU capabilities
and reports back. Currently we use this information in CTS and some benchmarks.
BUG: 118347356
Test: Build, flash and boot, use `adb shell cmd gpu vkjson` to verify
Change-Id: I007989e0f3f73b5caf80277979986820dd127c32
These /dev nodes are device-specific and should be labeled from device
policy. Moreover, pixels don't have these /dev nodes.
Bug: 110962171
Test: boot pixel 3
Change-Id: I37ca9a956130eb4763c75f5e8a0decbd4f7b97a7
/dev/tegra.* is not used in android platform and is device-specific
Bug: 110962171
Test: boot walleye
Change-Id: I4cc790d28457b429a3ed9829de223dae357eb498
Copied from device/google/crosshatch-sepolicy.
Test: diff files in system/etc/selinux before and after for aosp_marlin
Change-Id: I518c43af9c217483bdab02424e4aef0270aad366
Input config should be under /odm when it's "device-specific",
instead of /vendor (for "SoC-specific").
However, not all device have /odm partition so having the fallback
symlink: /odm -> /vendor/odm is important
Bug: 112880217
Test: build
Change-Id: I294e2b172d06d58a42c51c128e448c7644f854dc
This does not actually grant any permissions but just adds the
necessary boilerplate for a new service.
Bug: 117762471
Bug: 117761873
Change-Id: I7cdd2ae368616cfd54fc685c15f775604bfc80d4
We add this type with the intent to expose /system/bin/tcpdump to
vendor on userdebug devices only.
Bug: 111243627
Test: device boots /system/bin/tcpdump correctly labeled as
tcpdump_exec, can browse internet, turn wifi on/off
Change-Id: Icb35e84c87120d198fbb2b44edfa5edf6021d0f0
Input device configuration files .idc, .kl that are placed in /vendor
are currently not accessible.
Allow the read access here.
Bug: 112880217
Test: move .idc and .kl files from /system to /vendor, then observe
logcat. With this patch, avc denials disappear.
Change-Id: I72ad62b9adf415f787565adced73fd8aaff38832
Set up a new service for sw media codec services.
Bug: 111407413
Test: cts-tradefed run cts-dev --module CtsMediaTestCases --compatibility:module-arg CtsMediaTestCases:include-annotation:android.platform.test.annotations.RequiresDevice
Change-Id: Ia1c6a9ef3f0c1d84b2be8756eb1853ffa0597f8e
A default set of options are available, but can override in a fstab
overlay entry with upperdir=, lowerdir= to the same mount point,
workdir=. The default is a valid /mnt/scratch/overlay/
or /cache/overlay/ directory, with .../<mount_point>/upper and
.../<mount_point>/work, associated with each system partition
<mount_point>.
Test: manual
Bug: 109821005
Change-Id: I5662c01fad17d105665be065f6dcd7c3fdc40d95
apexd is a new daemon for managing APEX packages installed
on the device. It hosts a single binder service, "apexservice".
Bug: 112455435
Test: builds, binder service can be registered,
apexes can be accessed, verified and mounted
Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
/system/usr/share/zoneinfo is currently labeled zoneinfo_data_file,
a label shared with /data/misc/zoneinfo. However, each of these
directory locations has different security characteristics. In
particular, the files in /system/usr/share/zoneinfo must never be
writable, whereas /data/misc/zoneinfo may be written to by system_server.
Reusing the same label hides these different security characteristics.
Create a separate label for /system/usr/share/zoneinfo.
Test: Device boots and no obvious problems.
Change-Id: I8cf16ff038b06b38f77388e546d9b7a6865f7879
This change limits global access to /system files down to:
/system/bin/linker*
/system/lib[64]/*
/system/etc/ld.config*
/system/etc/seccomp_policy/*
/system/etc/security/cacerts/*
/system/usr/share/zoneinfo/*
Bug: 111243627
Test: boot device, browse internet without denials to system_* types.
Test: VtsHalDrmV1_{1, 0}TargetTest without denials
Change-Id: I69894b29733979c2bc944ac80229e84de5d519f4
Attempting to reduce the number of different spellings we have for
"product services" partition in the codebase.
Bug: 112431447
Test: m
Change-Id: I1499c60e3d6c6c9fbe2e3f30f097f83b1e837c1c
Merged-In: I1499c60e3d6c6c9fbe2e3f30f097f83b1e837c1c
