If the directory is non-empty when we start we need to delete
everything in it, but didn't have enough access:
avc: denied { getattr } for
path="/data/misc/apexdata/com.android.art/staging/boot-framework.art"
dev="dm-37" ino=57755 scontext=u:r:composd:s0
tcontext=u:object_r:apex_art_staging_data_file:s0 tclass=file
permissive=0
Bug: 205750213
Test: create files in staging/, composd_cmd test-compile
Change-Id: I3a66db7f5fbff82abcf547cb1c2b24e9c53ab158
A new module type se_neverallow_test is added, to migrate
sepolicy_neverallow modules. se_neverallow_test is affected by
SELINUX_IGNORE_NEVERALLOWS.
Bug: 33691272
Test: m selinux_policy
Test: intentionally create neverallow violations and m selinux_policy
Change-Id: I1582353f99f064ff78f3c547a0c13f2b772d54df
Although it's not needed for Treblized devices, some targets are still
requiring it due to PRODUCT_SEPOLICY_SPLIT := false. To mitigate build
breakage, this change revives the sepolicy module.
Bug: 211936491
Test: build/soong/soong_ui.bash --make-mode dist \
TARGET_PRODUCT=bertha_x86_64 ndk_translation_all
Change-Id: Ie64c223db8900967cfb54897f5366ad5ef13d4d9
Because Android.bp is getting bigger and bigger.
Test: build and boot
Test: set OVERRIDE_TARGET_FLATTEN_APEX=true and build
Change-Id: I397ce084bfbc98449d177dd553ff73fdfbdddcaf
For now, contexts modules have been using se_filegroup modules, which
makes the build system logic unnecessarily complex. This change
refactors it to se_build_files modules and normal `android:"path"`
logic.
Test: build and boot
Change-Id: I52e557e2dc8300186869a97fddfd3a74183473f7
sepolicy is a module which outputs precompiled sepolicy and performs
permissive domain check on user builds. se_policy_binary module is
updated so it checks permissive domain in user builds.
sepolicy module is removed since we don't need it anymore. Instead,
precompiled_sepolicy is used.
Bug: 33691272
Test: build
Test: add "permissive adbd;" and build on aosp_arm64-user
Change-Id: I3dcf0c32d2fc1312dfceeee74894c08b38395d19
Because we should ignore neverallow when SELINUX_IGNORE_NEVERALLOWS is
true.
Test: add a fake rule and build with/without SELINUX_IGNORE_NEVERALLOWS
Change-Id: I7811f5cef2243dae5b5de1154a36ab167871dc4f
Credit to Himanshu Agrawal <quic_hagraw@quicinc.com> for this fix.
Like we do with cgroup_v2, we set attribute permission to cgroup
as well.
This is the same fix as
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1927857/
but it applies it to the prebuilts for api 32.0.
Test: On a Go device, which uses cgroup instead of cgroup_v2
Bug: 211037424, 211514318
Change-Id: Ib57c94d72d50317619aa513e9f784582e0c45862
The following files are built with Android.bp:
- vendor_sepolicy.cil
- odm_sepolicy.cil
- prebuilt_sepolicy
Also, prebuilt_policy.mk is removed as it's now redundant.
Bug: 33691272
Test: build and compare artifacts
Test: build with rvc-dev sepolicy
Change-Id: I7bf79c9c85c63cd942b36f7cf5ddda1860626c0b
Credit to Himanshu Agrawal <quic_hagraw@quicinc.com> for this fix.
Like we do with cgroup_v2, we set attribute permission to cgroup
as well.
Test: On a Go device, which uses cgroup instead of cgroup_v2
Bug: 209933729
Change-Id: I5d58c9f549d205f1a8bdce6c5fba1cc833f2b492
IR interface is converted to AIDL and this contains the necessary
permissions for the default service to serve the interface.
Test: atest VtsHalIrTargetTest hal_implementation_test
Test: check for permission issues after tests
Bug: 205000342
Change-Id: I8d9d81d957bf6ef3c6d815ce089549f8f5337555
We need to remove any existing files (and the directory) to allow
odrefresh in the VM to re-create them via authfs.
But we don't need, and shouldn't have, any other access to them.
Bug: 210460516
Test: composd_cmd async-odrefresh
Change-Id: Iaafe33934146a6b8dda7c28cc1239c2eed167379
CompOS needs to read the artifacts on authfs that odrefresh has
created and write signature files for them.
(But it no longer needs to create any directories, so removed that.)
Fixes:
avc: denied { open } for comm="compsvc"
path="/data/misc/authfs/1/11/test-artifacts/...art" dev="fuse" ino=81
scontext=u:r:compos:s0 tcontext=u:object_r:authfs_fuse:s0 tclass=file
permissive=0
avc: denied { create } for comm="compsvc" name="compos.info"
scontext=u:r:compos:s0 tcontext=u:object_r:authfs_fuse:s0 tclass=file
permissive=0
Bug: 161471326
Test: composd_cmd async_odrefresh (with microdroid selinux enforced)
Change-Id: Ie02dedf1f18926cdbbd39e4a950c5aec80adee32
It's a no-op for now, but it will be used when migrating vendor sepolicy
to Android.bp.
Bug: 33691272
Test: build and boot
Change-Id: Ie0015d31e4929e7bd3316505bfd6d338a5e9eada
This should be read-only and corresponds to apexd.payload_metadata.path
Bug: 191097666
Test: android-sh -c 'setprop apexd.payload_metadata.path'
See permission denied
atest MicrodroidHostTestCases
Change-Id: Ifcb7da1266769895974d4fef86139bad5891a4ec
If FD use is not allowed, execve(2) returns EACCESS and the process is
killed by SIGSEGV.
Minijail closes any FDs by default and open /dev/null for FD 0-2. For
now, odrefresh doesn't use any FD. But until we could tell minijail to
not create FD 0-2 (which could be arguable), allow the permission.
Bug: 210909688
Test: composd_cmd async-odrefresh # exit 80 in enforced mode
Change-Id: I8643d8bfc8da03439a04491fba5ba6de663760eb
dex2oat checks $ANDROID_ROOT exist, which is a directory in an authfs
mount. Give it permission to search along the path.
Strictly speaking, this isn't change how dex2oat execute in this
particular case, for now. Functions like LocationIsOnSystemFramework
make sure getenv(ANDROID_ROOT) exists. But either way, for those kind of
location checks, it won't match the mount path in /data/misc/authfs
anyway.
Bug: 205750213
Test: no more SELinux denials from dex2oat
Change-Id: I1b52dfdeb057443304f02784b6aa180d7db28bd8
dex2oat currently uses some properties as flags (see
art/libartbase/base/flags.cc). For CompOS, we don't really need such
properties, and actually should avoid global state. So dontaudit
explicitly.
Bug: 210030607
Test: no more default_prop denials for dex2oat
Change-Id: I10852f2a7df4dac7a9389eab3f53f91328104f96
The two properties are not just prefixes. See __android_log_level in
system/logging/liblog/properties.cpp.
Bug: 210030607
Test: no longer seeing denials with default_prop in odrefresh
Change-Id: If2c9cba7aa65802e81c79c7d3d9735cbf14a6efa
The `__builtin_available` macro is used in used in several libraries in
microdroid, including liblog. The macro internally uses
ro.build.version.{codename,sdk}[1]. This change defines the context for
these properties.
[1] https://reviews.llvm.org/rG516a01b5f36d4188778a34202cd11856d70ac808
Bug: 210030607
Test: No longer seeing denied access of default_prop from odrefresh
Change-Id: I51bc52f679a174daccc05a1e2d6c9fda9e6b12cb
