When we cut down microdroid policy we removed a whole lot of
neverallow rules that were in public/domain.te. Many of these are
irrelevant, but there are some that look quite important. So this CL
restores many of them. This makes no immediate difference (none of
these rules are currently violated, except as mentioned below), but it
might catch mistakes, or at least make us stop and think before
introducing potentially risky policy changes.
Process:
- Paste in all the neverallow rules from public/domain.te in Android
policy.
- Delete all references to non-existent labels.
- Delete everything makred full-trebly-only,
I also deleted some attributes we clearly don't need, and hence
associated neverallows. (I suspect there are more attributes we could
remove.)
And then I fixed a neverallow violation for microdroid_payload - we
were allowing it unrestricted ioctl access.
Bug: 204853211
Test: Policy builds without error
Test: No denials running composd_cmd forced-compile-test
Change-Id: I21035dee93a881b34941338cc7ce82503cc65e59
Add selinux policy for AIDL Vehicel HAL service.
This CL mostly follows https://android-review.googlesource.com/c/platform/system/sepolicy/+/1541205/.
Test: Manually test on emulator, verify AIDL VHAL service is up and
accessible by client.
Bug: 209718034
Change-Id: Icad92e357dacea681b8539f6ebe6110a8ca8b357
extra_apk_file is a new label only for APK files passed to microdroid.
microdroid_manager will create directories under /mnt/extra-apk/, and
zipfuse will mount APK block devices to the directories.
Currently only payload can read the files.
Bug: 205224817
Test: manually edit vm config and see APK files mounted
Change-Id: Ie5afb3156f22bb18979ec70904be675e8ff285a7
This is the context when health HAL runs in offline
charging mode.
This has the same permissions as the health HAL, but
is also able to do charger specific things.
Also restrict neverallow rules in charger_type.
Test: manual in offline charging mode
Bug: 203246116
Change-Id: I6034853c113dff95b26461153501ad0528d10279
- Allow to use binder.
- Allow to talk to health HAL.
Test: manual in recovery
Test: fastboot getvar battery-voltage
Bug: 177269435
Change-Id: Ic3b1619ac34a10cb6007b8e011a01841343e9e8b
Bug: 205750213
Test: /apex/com.android.compos/bin/composd_cmd forced-odrefresh
# With SELinux enforced in the VM, plus some hacks in ART,
# observed odrefresh exited 80.
Change-Id: I81ab0a73314fdcea69c69350c792ff7acab5aab8
Besides the basic execution that is similar to the (deprecating)
odrefresh case, fd_server also needs to be able to create and change
files in the output directory.
Bug: 205750213
Test: /apex/com.android.compos/bin/composd_cmd forced-odrefresh
# Saw composd started the fd_server and the VM
Change-Id: Ia66015b72c4bd232c623604be326c7d7145c0a38
The FUSE daemon in MediaProvider needs to access the file descriptor of
its pinned BPF program and the maps used to commuicate with the kernel.
Bug: 202785178
Test: adb logcat FuseDaemon:V \*:S (in git_master)
Ignore-AOSP-First: mirroring AOSP for prototyping
Signed-off-by: Alessio Balsini <balsini@google.com>
Change-Id: I99d641658d37fb765ecc5d5c0113962f134ee1ae
composd in responsible to prepare the staging directory for odrefresh
(in the VM) to write the output to. Temporary output should be put in a
staged directory with a temporary apex_art_staging_data_file context.
When a compilation is finished, the files can then be moved to the final
directory with the final context.
Bug: 205750213
Test: No denials
Change-Id: I9444470b31518242c1bb84fc755819d459d21d68
... so that it can ensure that the bootconfig hasn't changed since the
last boot.
Bug: 208639280
Test: m
Change-Id: I2310a0df0ebbef9d6fe47dbad2538ecbe7bc84e6
PEM files are ASCII-encoded, open them as text file (as opposed to
binary). Avoid relying on __del__. Introduce a prologue and epilogue
methods to emit the <policy> tag only once per output.
Test: build plat_mac_permissions.xml on bramble and compare with
previous version; identical
Test: build product_mac_permissions.xml on bramble and compare with
previous version; identical
Test: build system_ext_mac_permissions.xml on bramble and compare with
previous version; identical
Test: build vendor_mac_permissions.xml on bramble and compare with
previous version; identical
Bug: 200119288
Change-Id: Iced0acf75bff756453918a411aecb9f4ef8f825d
Only ro.zygote is currently used, though we'll need to a few others of
the same property context.
Bug: 205750213
Test: composd_cmd forced-odrefresh # less SELinux denial
Change-Id: I2efbbc1637142f522a66c47bdd17471c4bde227a
Treble doesn't support T system + O vendor, so removing 26.0 (N) and
27.0 (O) prebuilts and compat files.
Bug: 207815515
Test: build
Change-Id: I98d5972221a8e77f3c45fc48ff50bb2b8eb94275
In general, it appears that libselinux and libsepol interpret paths and
contexts as bytes. For instance, selabel_file(5) mentions about the path
field of file_contexts:
Strings representing paths are processed as bytes (as opposed to
Unicode), meaning that non-ASCII characters are not matched
by a single wildcard.
libsepol also uses primitives such as strchr[1], which explicitly
operate at the byte level (see strchr(3)). However, practically, Android
paths and contexts all uses ASCII characters.
Use the str type (i.e., Unicode) for all Python code to avoid a larger
refactoring. Ensure we convert to bytes for inputs and outputs of
libsepolwrap.so. The encoding "ascii" is used, which will raise an error
should a context or type contain non-ASCII characters.
Update headers to match development/docs/copyright-templates.
[1] https://cs.android.com/android/platform/superproject/+/master:external/selinux/libsepol/src/context_record.c;l=224;drc=454466e2e49fd99f36db78396e604962b8682cb4
Bug: 200119288
Test: lunch aosp_bramble-userdebug && m
Test: atest --host fc_sort_test
Test: manually run searchpolicy
Change-Id: I72d41a35f90b2d4112e481cd8d7408764a6c8132
