This is intended so apps that are allowed access to uhid_device can pass
the mls constraints.
Bug: 183449317
Test: n/a
Change-Id: I8ca87014ddfd7e9a02a2ac97a13f2c43841ee181
Crash_dump may not have access to files in /proc that are passed
across exec(). Rather than let these cause test failures, suppress
them.
Fixes: 183575981
Test: build
Change-Id: I285dc84ef8a43a8f5a34538143c6506c70540b03
Grant ReadDefaultFstab() callers
allow scontext { metadata_file gsi_metadata_file_type }:dir search;
allow scontext gsi_public_metadata_file:file r_file_perms;
so they can search / read DSU metadata files.
The DSU metadata files are required to deduce the correct fstab.
Also tighten the neverallow rules in gsid.te.
Bug: 181110285
Test: Build pass, presubmit test
Test: Boot and check avc denials
Test: Boot with DSU and check avc denials
Change-Id: Ie464b9a8f7a89f9cf8f4e217dad1322ba3ad0633
Split gsi_metadata_file into gsi_metadata_file plus
gsi_public_metadata_file, and add gsi_metadata_file_type attribute.
Files that are okay to be publicly readable are labeled with
gsi_public_metadata_file. Right now only files needed to infer the
device fstab belong to this label.
The difference between gsi_metadata_file and gsi_public_metadata_file is
that gsi_public_metadata_file has relaxed neverallow rules, so processes
who wish to read the fstab can add the respective allow rules to their
policy files.
Allow gsid to restorecon on gsi_metadata_file to fix the file context of
gsi_public_metadata_file.
Bug: 181110285
Test: Build pass
Test: Issue a DSU installation then verify no DSU related denials and
files under /metadata/gsi/ are labeled correctly.
Change-Id: I54a5fe734dd345e28fd8c0874d5fceaf80ab8c11
Address any denials in the log - currently just adding
the virtualization service.
Bug: 183583115
Test: ps -AZ | grep virtmanager
u: r:virtmanager:s0 virtmanager 2453 1 10930880 4544 0 0 S virtmanager
Change-Id: Ie034dcc3b1dbee610c591220358065b8508d81cf
Previously we would mount OTA images with a 'context=...' mount
option. This meant that all selinux contexts were ignored in the ota
image, limiting the usefulness of selinux in this situation. To fix
this the mount has been changed to not overwrite the declared contexts
and the policies have been updated to accurately describe the actions
being performed by an OTA.
Bug: 181182967
Test: Manual OTA of blueline
Merged-In: I5eb53625202479ea7e75c27273531257d041e69d
Change-Id: I5eb53625202479ea7e75c27273531257d041e69d
Bug: 182546466
Test: Test with getprop code outside system img
Change-Id: I4817c22ecc0a143ea818e0850fb721cbdf1d5ae5
Signed-off-by: Denny cy Lee <dennycylee@google.com>
Some details here are copied from hal_attribute_hwservice but
no longer make sense here.
Bug: N/A
Test: N/A
Change-Id: Ia4a4d6731b5e5270922d32b7854d36bd726d202b
The lockdown hook defines 2 modes: integrity and confidentiality [1].
The integrity mode ensures that the kernel integrity cannot be corrupted
by directly modifying memory (i.e. using /dev/mem), accessing PCI
devices, interacting with debugfs, etc. While some of these methods
overlap with the current policy definition, there is value in enforcing
this mode for Android to ensure that no permission has been overly
granted. Some of these detection methods use arbitrary heuristic to
characterize the access [2]. Adapt part of the policy to match this
constraint.
The confidentiality mode further restricts the use of other kernel
facilities such as tracefs. Android already defines a fine-grained
policy for these. Furthermore, access to part of tracefs is required in
all domains (see debugfs_trace_marker). Allow any access related to this
mode.
[1] https://lore.kernel.org/linux-api/20190820001805.241928-4-matthewgarrett@google.com/
[2] https://lore.kernel.org/linux-api/20190820001805.241928-27-matthewgarrett@google.com/
Bug: 148822198
Test: boot cuttlefish with patched kernel; check logcat for denials.
Test: run simpleperf monitor to exercise tracefs; check logcat for denials.
Change-Id: Ib826a0c153771a61aae963678394b75faa6ca1fe
ART runtime will be using userfaultfd for a new heap compaction
algorithm. After enabling userfaultfd in android kernels (with SELinux
support), the feature needs policy that allows { create ioctl read }
operations on userfaultfd file descriptors.
Bug: 160737021
Test: Manually tested by exercising userfaultfd ops in ART
Change-Id: I9ccb7fa9c25f91915639302715f6197d42ef988e
FYI: running networking tests needs extra privs:
#============= su ==============
allow su self:capability2 bpf;
#============= untrusted_app ==============
allow untrusted_app self:key_socket create;
allow untrusted_app self:netlink_route_socket { bind nlmsg_readpriv };
allow untrusted_app self:packet_socket create;
But obviously we can't add the last three, and not even sure about the first.
Test: atest, TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I778ccaf5d100cb26f167a0c690e0125594d477c3
This is needed to enable calls to KeyguardManager
APIs from clients e.g. CTS tests
Test: N/A
Bug: 182260585
Change-Id: Id8cf3f238f8ecab7c96a14d62003c85ab18e6ac0
This type is used for properties that provides per-device configuration
for apexd behaviour (so far - timeouts for creating/deleting dm device).
Test: builds
Bug: 182296338
Change-Id: Ib815f081d3ab94aa8c941ac68b57ebe661acedb9
This CL adds a new keystore2 permission "get_auth_token"and grants this
permission to credstore which needs to call keystore2 to obtain
authtokens.
Bug: 159475191
Test: CtsVerifier
Change-Id: I1c02ea73afa6fe0b12a2d74e51fb4a8a94fd4baf
Commit e4d26ca32c75619c0b208db869873efbbcae262c added some lines to the
constructor of TimeManager to obtain the time_detector. This broke
the TimeManagerTest test, which uses the TimeManager via
instrumentation. Unclear why it wasn't noticed immediately but it has
been broken since then.
The simplest thing is to add app_api_service to time_detector. The
intention is for at least one time_detector service call to be called
from priv-apps so this will be needed.
Bug: 181080343
Test: atest CtsTimeTestCases:android.time.cts.TimeManagerTest#testManageConfiguration -- --abi x86_64
Change-Id: I1072409559aec02a61549c5dedeb27264c43b74f
There is a need to expose one of the methods as app API, so the SE
context needs to match.
Bug: 180955393
Change-Id: Id28f9b0dd5cfd760bbfdbd7c19cae5bedc22cbb1
In order to test the platform in emulators that are orders of magnitude
slower than real hardware we need to be able to avoid hitting timeouts
that prevent it from coming up properly. For this purpose introduce
a system property, ro.hw_timeout_multiplier, which may be set to
an integer value that acts as a multiplier for various timeouts on
the system.
Bug: 178231152
Change-Id: I6d7710beed0c4c5b1720e74e7abe3a586778c678
Merged-In: I6d7710beed0c4c5b1720e74e7abe3a586778c678
vendor_boot is labeled as boot_block_device. With
fastboot fetch command, fastbootd needs to read
the vendor_boot device and return it to the host.
Test: pass
Bug: 173654501
Change-Id: I197e39c9e7572dc9a714f36637c02ee9ead2e5f3
