This commit contains the changes needed to add the new
time detector system server service.
Bug: 78217059
Test: make / booted device
Change-Id: I7cfaac6cac876e4aa73e8af1aa5f837117bb9ad7
The recommended solution is to not access encrypted storage until
after the ACTION_USER_UNLOCKED intent is delivered.
Test: build
Fixes: 72811052
Fixes: 72550646
Change-Id: I80eb743e26047b7864de983c5a46c28b6f753a59
Before, it was possible to access a hwservice without declaring
that you were a client.
This introduces the following macro:
hal_attribute_hwservice_client(hal_foo, hal_foo_hwservice)
which makes sure the above implication holds using a neverallow rule.
Bug: 80319537
Test: boot + sanity
Change-Id: Iededae68f14f0f3bd412c1205aa3b650a54d55c6
(breaks vendor blobs, will have to be regenerated
after this CL)
This moves mediacodec to vendor so it is replaced with
hal_omx_server. The main benefit of this is that someone
can create their own implementation of mediacodec without
having to alter the one in the tree. mediacodec is still
seccomp enforced by CTS tests.
Fixes: 36375899
Test: (sanity) YouTube
Test: (sanity) camera pics + video
Test: check for denials
Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e
In particular, add assertions limiting which processes may
directly open files owned by apps. Reduce this to just apps, init,
and installd. App data is protected by a combination of selinux
permissions and Unix permissions, so limiting the open permission to
just apps (which are not allowed to have CAP_DAC_OVERRIDE or
CAP_DAC_READ_SEARCH) ensures that only installd and init have
complete access an app's private directory.
In addition to apps/init/installd, other processes currently granted
open are mediaserver, uncrypt, and vold. Uncrypt's access appears to
be deprecated (b/80299612). Uncrypt now uses /data/ota_package
instead. b/80418809 and b/80300620 track removal for vold and
mediaserver.
Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit
messages in the logs.
Bug: 80190017
Bug: 80300620
Bug: 80418809
Fixes: 80299612
Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
Currently, permissions for ctl. property apply to each action verb, so
if a domain has permissions for controlling service 'foo', then it can
start, stop, and restart foo.
This change implements finer grainer permissions such that permission
can be given to strictly start a given service, but not stop or
restart it. This new permission scheme is mandatory for the new
control functions, sigstop_on, sigstop_off, interface_start,
interface_stop, interface_restart.
Bug: 78511553
Test: see appropriate successes and failures based on permissions
Merged-In: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
Change-Id: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
(cherry picked from commit 2208f96e9e)
After https://android-review.googlesource.com/688488
BOARD_PLAT_PUBLIC[PRIVATE]_SEPOLICY_DIR can now specify multiple
directories.
Bug: n/a
Test: build sepolicy
Change-Id: Ie2af81a4f9462cd05352db71fd1e515531d42334
The bug_map file is only used whitelisting known test failures. It
needs to change fairly often to fix new failures and it doesn't affect
users, so it shouldn't matter if it diverges from prebuilts.
Test: Enable this test and build with and without different bug_maps.
Change-Id: I9176a6c7e9f7852a0cd7802fd121b1e86b216b22
The 'sync' tracepoint was updated to be 'fence' in kernel 4.9, so this
change also adds that one to the list.
Bug: 79935503
Test: Took a trace using 'sync' in user mode and saw the tracepoints
being saved.
Change-Id: I793c6f54cd9364f33853983f8c5dfb28b98c2708
Merged-In: I793c6f54cd9364f33853983f8c5dfb28b98c2708
apns downloaded will enter a new directory that
TelephonyProvider can access.
Bug: 79948106
Test: Manual
Change-Id: I1e7660adf020dc7052da94dfa03fd58d0386ac55
"storaged" service will be used by external clients, e.g. vold, dumpsys
"storaged_pri" service will only be used by storaged cmdline.
Bug: 63740245
Change-Id: I7a60eb4ce321aced9589bbb8474d2d9e75ab7042
(cherry picked from commit 37ab7c0917)
This is needed when ueventd needs to read device tree files
(/proc/device-tree). Prior to acccess, it tries to read
"androidboot.android_dt_dir" from kernel cmdline for a custom
Android DT path.
Bug: 78613232
Test: boot a device without unknown SELinux denials
Change-Id: Iff9c882b4fcad5e384757a1e42e4a1d1259bb574
Bug: 77489941
Test: simulate delay in dumpstate HAL and get BR, see below from dumpstate_log.txt
dumpstateBoard timed out after 10s, killing dumpstate vendor HAL
dumpstateBoard failed: Status(EX_TRANSACTION_FAILED): 'DEAD_OBJECT: '
Change-Id: I90ed5cb8fe8da8ad21ae77676433936cb12d9d04
(cherry picked from commit 60d1767459)
Changes 2d626fd84ea0246c963ce2c87ae62461a60f8826 and
869562e9e3 are the same
commit, but with a different comment. Fix them up to be
the same.
Test: build
Change-Id: I6311413357f457d6ba95886b729ffa53ab80e016
shipping API version:
For devices shipped on O-MR1 nothing changes, data is stored
under /data/system/users/<user-id>/fpdata/...
Devices shipped from now on will instead store fingerprint data under
/data/vendor_de/<user-id>/fpdata.
Support for /data/vendor_de and /data/vendor_ce has been added to vold.
Bug: 36997597
Change-Id: Ibc7cc33b756f64abe68a749c0ada0ca4f6d92514
Merged-In: Ibc7cc33b756f64abe68a749c0ada0ca4f6d92514
Test: manually
(cherry picked from commit 6116daa71a)
For automotive (and I assume for other verticals) it make sense to keep
vertical-specific policies outside of /system/sepolicy as those not used
by the phones. However, there's no way to do it rather than using
BOARD_PLAT_{PUBLIC|PRIVATE}_SEPOLICY_DIR build variables.
Bug: 70637118
Test: lunch device && m
Test: verify it builds, boots and logs seems to be reasonable
Test: enable full treble for aosp_car_x86 - verify it builds, boots and
no denials in the logs
Change-Id: Ia5fd847f7a6152ff6cf99bbbc12e1e322f7946ab
(cherry picked from commit 34f233640a)
Add an exemption to neverallow rule to use sockets from HAL servers only
for automotive build
Bug: 78901167
Test: assign this attribute to hal_vehicle_default and try to open
socket from HAL implementation
Test: verify that new CTS test will fail for non-automotive build with
this attribute buing used
Test: make cts && cts-tradefed run singleCommand cts --skip-device-info
--skip-preconditions --abi arm64-v8a --module CtsSecurityHostTestCases
-t android.security.cts.SELinuxHostTest
Merged-In: I27976443dad4fc5b7425c089512cac65bb54d6d9
(cherry picked from commit 4cafae77a4)
Change-Id: I58e25a0f86579073aa568379b10b6599212134c6
to workaround some VTS VtsKernelLtp failures introduced by
change on vfs_iter_write here:
abbb65899a%5E%21/#F3
for discussion please check threads here:
https://www.mail-archive.com/seandroid-list@tycho.nsa.gov/msg03348.html
Sandeep suggest to re-order the events in that thread,
that should be the right solution,
this change is only a tempory workaround before that change.
Test: manually with -m VtsKernelLtp -t VtsKernelLtp#fs.fs_fill_64bit
Change-Id: I3f46ff874d3dbcc556cfbeb27be21878574877d1
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
This relaxes the neverallow rule blocking vendor_init from doing
anything to vold_metadata_file. The rules above it still prevent it
from doing anything other than relabelto and getattr.
Bug: 79681561
Test: Boot device and see no denials.
Change-Id: I1beb25bb9f8d69323c9fee53a140c2a084b12124
(cherry picked from commit 597be44e96)
hwservicemanager lost the permission to tell init to
start the dumpstate HAL when dumpstate was given this
permission exclusively.
Bug: 77489941 # problem introduced
Bug: 78509314 # converting dumpstate to lazy hals
Test: convert an instance of dumpstate into a lazy HAL,
run bugreport, see denial, then add permission, and
see bugreport start to work again.
Change-Id: I033701d8306200bebc0f250afe3d08f9e6ab98a1
(cherry picked from commit 0b1797b852)
Merged-In: I033701d8306200bebc0f250afe3d08f9e6ab98a1
