Define access rights to new per-API level task profiles and cgroup
description files under /etc/task_profiles/.
Bug: 172066799
Test: boot with per-API task profiles
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I04c9929fdffe33a9fc82d431a53f47630f9dcfc3
VTS tests require access to cgroups.json system and vendor files. Enable
read access to these files from shell.
Bug: 172868075
Test: vts_processgroup_validate_test
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I16ad13729e10c4e033499351761b163cad7cef34
The suspend_control_aidl_interface is updated, renamed, and splitted
into android.system.suspend.control and
android.system.suspend.control.internal. This resulted in two suspend
services, update sepolicy to support this change.
Test: m
Bug: 171598743
Change-Id: I695bde405672af834fe662242347e62079f2e25f
Add a domain for /data/local/tests which will be used by atest
to execute tests on devices as shell or root.
Bug: 138450837
Test: atest binderVendorDoubleLoadTest memunreachable_unit_test memunreachable_binder_test
Change-Id: Ia34314bd9430e21c8b3304ac079e3d9b5705e19c
public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.
Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
* allow shell to enable/disable the daemon via a sysprop
* don't audit signals, as some denials are expected
* exclude zygote from the profileable set of targets on debug builds.
I've not caught any crashes in practice, but believe there's a
possibility that the zygote forks while holding a non-whitelisted fd
due to the signal handler.
Change-Id: Ib237d4edfb40b200a3bd52e6341f13c4777de3f1
We don't want to accidentally allow this, and a neverallow also means
that the issue will be found during development, instead of review.
Fixes: 148081219
Test: compile policy only
Change-Id: I57990a2a4ab9e5988b09dae2dd6a710ce8f53800
Written exclusively by init. Made it readable by shell for CTS, and for
easier platform debugging.
Bug: 137092007
Change-Id: Ia5b056117502c272bc7169661069d0c8020695e2
This property is used for testing purposes when verifying the
behavior when an OTA occurs. It should be readable by the
system server, and be settable by the shell.
Test: Set property from shell, read with PackageManager
Bug: 140992644
Change-Id: I39ad9b7961208f02fa45011215c2ff5ac03b7380
and allow shell and system_app (Settings) to set it to enable Dynamic System Update.
Also allow priv_app (user of the API) to read it.
Bug: 119647479
Bug: 129060539
Test: run the following command on crosshatch-user:
adb shell setprop persist.sys.fflag.override.settings_dynamic_system 1
Change-Id: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
Merged-In: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
gsid is started lazily to reduce memory pressure. It can be started
either via gsi_tool (invoked by adb shell), or by DynamicAndroidService
via system_server.
Bug: 126622385
Test: no denials running "gsi_tool status"
Change-Id: I90a5f3f28fe4f294fb60e7c87a62e76716fbd5c0
Needed for the bionic stdlib.getloadavg test.
Access to /proc/loadavg was inadvertantly removed when a new label was
assigned to that file in system/sepolicy commit
8c2323d3f9.
Addresses the following denial:
CtsBionicTestCa: type=1400 audit(0.0:188192): avc: denied { read } for name="loadavg" dev="proc" ino=4026531959 scontext=u:r:shell:s0 tcontext=u:object_r:proc_loadavg:s0 tclass=file permissive=0
Bug: 124024827
Test: compiles
Change-Id: Iadb5c98cb96f69ddc9418a64720370adae1bb51f
Apps now all share the appdomain_tmpfs type.
Bug: 122854450
Test: boot Blueline with memfd enabled.
Change-Id: I5eac0adc7ecd10d19aa1bdf5f72efc7ed2a3a548
This is being done in preparation for the migration from ashmem to
memfd. In order for tmpfs objects to be usable across the Treble
boundary, they need to be declared in public policy whereas, they're
currently all declared in private policy as part of the
tmpfs_domain() macro. Remove the type declaration from the
macro, and remove tmpfs_domain() from the init_daemon_domain() macro
to avoid having to declare the *_tmpfs types for all init launched
domains. tmpfs is mostly used by apps and the media frameworks.
Bug: 122854450
Test: Boot Taimen and blueline. Watch videos, make phone calls, browse
internet, send text, install angry birds...play angry birds, keep
playing angry birds...
Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358
Merged-In: I20a47d2bb22e61b16187015c7bc7ca10accf6358
(cherry picked from commit e16fb9109c)
This is analoguous to what Perfetto does with persist.traced.enable.
Test: m
Test: flash walleye
Test: setprop persist.heapprofd.enable 1
setprop persist.heapprofd.enable 0
Change-Id: I997272ef8c6fe078aca2388ed0cf2ecc3de612a5
apexd is a new daemon for managing APEX packages installed
on the device. It hosts a single binder service, "apexservice".
Bug: 112455435
Test: builds, binder service can be registered,
apexes can be accessed, verified and mounted
Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
In the next Android release, there will be devices that have no
xt_qtaguid module at all and framework and netd will decide which code
path it takes for trafficStats depending on the device setup. So all
apps and services should not depend on this device specific
implementation anymore and use public API for the data they need.
Bug: 114475331
Bug: 79938294
Test: QtaguidPermissionTest
Change-Id: I0d37b2df23782eefa2e8977c6cdbf9210db3e0d2
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.
Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.
Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
Shell access to existing input devices is an abuse vector.
The shell user can inject events that look like they originate
from the touchscreen etc.
Everyone should have already moved to UiAutomation#injectInputEvent
if they are running instrumentation tests (i.e. CTS), Monkey for
their stress tests, and the input command (adb shell input ...) for
injecting swipes and things.
Remove the write ability for shell users, and add a neverallow assertion
(which is also a CTS test) to prevent regressions.
Bug: 30861057
Test: auditallow statement added in
f617a404c2 hasn't triggered.
Test: ran getevent, saw correct output, played with device
Change-Id: Ia78eeec05f6015478dd32bd59505b51fef200a99
Test to see if anyone is writing to /dev/input from the shell.
Bug: 30861057
Test: device boots and no avc granted messages.
Change-Id: Ia3499ef9436f83cf13c633525348b63edd95990f
/cache/overlay directory in support of overlayfs mounts on userdebug
and eng devices. Overlayfs in turn can be capable of supporting
adb remount for read-only or restricted-storage filesystems like
squashfs or right-sized (zero free space) system partitions
respectively.
Test: compile
Bug: 109821005
Bug: 110985612
Change-Id: I3ece03886db7cc97f864497cf93ec6c6c39bccd1
The shell is now available directly in the recovery ramdisk. We no
longer need to mount system.img to /system as the recovery ramdisk is
self-contained. However, there is a problem that every file in the
ramdisk is labeled as rootfs because the ramdisk does not support xattr.
This CL adds several recovery-only rules that are required to make the
recovery ramdisk self-contained. Most importantly, adbd is allowed to
domain_trans to shell. Also shell is allowe to execute files of type
rootfs. Finally, the recovery is allowed to mount on tmpfs since it now
mounts system.img to /mnt/system.
Bug: 63673171
Test: `adb reboot recovery; adb devices` shows the device ID
Test: `adb root && adb shell` and then
$ lsof -p `pidof adbd` shows that libm.so, libc.so, etc. are loaded from
the /lib directory.
Change-Id: If21b069aee63541344a5ca8939fb9a46ffef4d3e
The goal is to allow creating profile snapshots from the shell command in
order to be able to write CTS tests.
The system server will dump profiles for debuggable in /data/misc/profman
from where they will be pulled and verified by CTS tests.
Test: adb shell cmd package snapshot-profile com.android.vending
Bug: 74081010
(cherry picked from commit 687d5e46ce)
Merged-In: I54690305284b92c0e759538303cb98c93ce92dd5
Change-Id: I54690305284b92c0e759538303cb98c93ce92dd5
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.
To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.
Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
navigate maps, send text message, make voice call, make video call.
Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest
Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f)
This is to fix the CTS failures given by the bugs below where devices
where traced is not enabled by default causes test failures.
Bug: 78215159
Bug: 78347829
Change-Id: Ib0f6a1cdb770528dbbeb857368534ff5040e464e
This will allow adb shell getprop ro.vendor.build.security_patch to
properly return the correct build property, whereas previously it was
offlimits due to lack of label.
Test: adb shell getprop ro.vendor.build.security_patch successfully
returns whatever VENDOR_SECURITY_PATCH is defined to be in the Android
.mk files
Change-Id: Ie8427738125fc7f909ad8d51e4b76558f5544d49
And grant explicit exemption from system_executes_vendor_violators
neverallow rules.
This does not change the policy, but is needed to test the violator
attribute for emptiness.
Bug: 72662597
Test: build sepolicy
Change-Id: Iba79bb42e1381b221fe0dc53470f62f8267a4791
Fixing denials that stopped traceur from being able to write to
debugfs_tracing. Also cleaning up general find denials for services that
traceur doesn't have permission to access.
Additionally, labeling /data/local/trace as a trace_data_file in order
to give traceur a UX friendly area to write its traces to now that it
will no longer be a shell user. It will be write/readable by traceur,
and deletable/readable by shell.
Test: Traceur functionality is not being blocked by selinux policy
Bug: 68126425
Change-Id: I201c82975a31094102e90bc81454d3c2a48fae36
This CL lists all the exported platform properties in
private/exported_property_contexts.
Additionally accessing core_property_type from vendor components is
restricted.
Instead public_readable_property_type is used to allow vendor components
to read exported platform properties, and accessibility from
vendor_init is also specified explicitly.
Note that whitelisting would be applied only if
PRODUCT_COMPATIBLE_PROPERTY is set on.
Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e
This will allow bionic cts test to list network interfaces in
/sys/class/net.
Bug: 70537905
Test: adb shell /data/nativetest/bionic-unit-tests/bionic-unit-tests
--gtest_filter=ifaddrs.getifaddrs_interfaces
Change-Id: Ie07425fc54f9101e911962142824697e64d2bc45
Added access to proc_uptime and proc_asound to address these denials:
avc: denied { read } for name="uptime" dev="proc" ino=4026532080
scontext=u:r:shell:s0 tcontext=u:object_r:proc_uptime:s0 tclass=file
permissive=1
avc: denied { getattr } for path="/proc/asound/version" dev="proc"
ino=4026532017 scontext=u:r:shell:s0 tcontext=u:object_r:proc_asound:s0
tclass=file permissive=1
Bug: 65643247
Test: device boots with no denial from 'shell' domain.
Test: lsmod, ps, top, netstat
Test: No denials triggered from CtsSecurityHostTestCases
Test: external/toybox/run-tests-on-android.sh does not pass, but triggers
no denials from 'shell' domain to 'proc' type.
Change-Id: Ia4c26fd616e33e5962c6707a855dc24e338ec153
Switch from /data/misc/reboot/last_reboot_reason to persistent
Android property persist.sys.boot.reason for indicating why the
device is rebooted or shutdown.
Introduce protection for all boot reason properties
Protect the following properties with these labels
ro.boot.bootreason u:object_r:bootloader_boot_reason_prop:s0
sys.boot.reason u:object_r:sys_boot_reason_prop:s0
persist.sys.boot.reason u:object_r:last_boot_reason_prop:s0
Setup the current as-need access rules for each.
ToDo: Remove u:object_r:reboot_data_file after internal fixes.
Test: system/core/bootstat/boot_reason_test.sh
Bug: 64687998
Change-Id: I3771c73933e8ae2d94aee936c7a38b6282611b80
Currently ro.device_owner and persist.logd.security aren't accessible
without root, so "adb shell getprop" returns empty reply which is
confusing. Also these properties aren't seen from bugreport unless
their change happened recently.
Bug: 37053313
Test: manual, took bugreport and ran getprop after "adb unroot".
Change-Id: Id41cdabc282f2ebcdfc0ac7fe9df756322a0863d
