- lpdump is a binary on the device that talks to lpdumpd
via binder.
- lpdumpd is a daemon on the device that actually reads
dynamic partition metadata. Only lpdump can talk to it.
Bug: 126233777
Test: boots (sanity)
Test: lpdump
Change-Id: I0e21f35ac136bcbb0603940364e8117f2d6ac438
Previously we dumped the data into dropbox. This improves a couple
things:
- We write into dropbox via the fd, so dropbox doesn't pull from the
incidentd directory anymore.
- There is a new API to for priv apps to explicitly read incident
reports. That gives incidentd finer grained control over who can
read it (specifically, it only allows apps to access the incident
reports they requested, or were requested for them via statsd,
instead of getting DUMP and reading whatever they want from
dropbox).
Test: bit incident_test:* GtsIncidentManagerTestCases:*
Bug: 123543706
Change-Id: I9a323e372c4ff95d91419a61e8a20ea5a3a860a5
Logical partitions are handled through libdm. Allow access to
device-mapper.
Bug: 128867786
Test: m
Change-Id: I6979487b91d24b7309c876f2bdc26a827e2fcd1e
No semantic changes. Just trying to make this easier to understand:
- Separate out common bundles of services from individual services
(the naming doesn't make this obvious).
- Comment the common ones.
- Put related binder_call and service_manager:find rules together.
Test: Builds
Change-Id: Iba4a85a464da032e35450abff0febcdcf433df48
This is needed because some oat dex files are generated without world
readable permissions. See the bug for details.
We are still constrained by the SELinux rules above.
Bug: 129048073
Change-Id: I84e34f83ceb299ff16b29a78f16c620fc0aa5d68
Dexoptanalyzer is getting a new mode to instruct installd on which dex
files it needs to open for itself and dex2oat from class loader context.
The file list is communicated by a pipe from a forked dexoptanalyzer
process to the installd parent. Give dexoptanalyzer permission to write
to installd's pipes.
Bug; 126674985
Test: atest installd_dexopt_test
Change-Id: Ic415e2dc543099d26681103c9d368c941d21b49a
This change allows those daemons of the audio and Bluetooth which
include HALs to access the bluetooth_audio_hal_prop. This property is
used to force disable the new BluetoothAudio HAL.
- persist.bluetooth.bluetooth_audio_hal.disabled
Bug: 128825244
Test: audio HAL can access the property
Change-Id: I87a8ba57cfbcd7d3e4548aa96bc915d0cc6b2b74
Allow the zygote to pick up integrity-checked boot classpath
artifacts from the dalvik cache.
Bug: 125474642
Test: m
Test: manual
Merged-In: I45d760c981c55a52bd0b22c79a9cba4868a09528
Change-Id: I45d760c981c55a52bd0b22c79a9cba4868a09528
Allow the startup domain to pick up integrity-checked artifacts
from the dalvik-cache. The corresponding framework code will
only load the system server classpath.
Bug: 128688902
Test: m
Test: manual
Merged-In: Ib37f8d7c39431e2792eeb4dac1cd732307519827
Change-Id: Ib37f8d7c39431e2792eeb4dac1cd732307519827
- Allow (again) `otapreopt` (running as `postinstall_dexopt`) to
execute `dex2oat` from `/postinstall` -- this is for the case where
it is located in a flattened Runtime APEX in
`/postinstall/system/apex`.
- Allow `dex2oat` to read directories under `/postinstall`.
- Allow `otapreopt_chroot` to unmount flattened APEX packages under
`/postinstall/system/apex` (which are bind-mounted in
`/postinstall/apex`).
Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 127543974
Bug: 123684826
Bug: 113373927
Change-Id: Ie023ee5c64989ea071e1683f31073a70c93cac18
The following denial caused a presubmit failure:
06-15 15:16:24.176 956 956 I auditd : type=1400 audit(0.0:4): avc:
denied { read write } for comm="crash_dump64" path="/dev/pts/3"
dev="devpts" ino=6 scontext=u:r:crash_dump:s0
tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0
Suppress these denials. They are not needed by crash_dump and are only
caused by the default behavior of sharing FDs across exec.
Test: build
Change-Id: I183f7a54e6b807fdf46b04d67dd4b819d4f0e507
After moving IpMemoryStore service to network stack module(aosp/906907),
the following untracked SELinux denials are observed on boot.
W id.networkstack: type=1400 audit(0.0:63): avc: denied { write } for
name="com.android.networkstack" dev="sda13" ino=704810
scontext=u:r:network_stack:s0:c49,c260,c512,c768
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
Add radio_data_file type for network stack user configuration and
relevant permission to allow access to its data, as the network stack
is a privileged app.
Test: m -j passed
Change-Id: I6eab528714df6a17aae0cb546dcc3ad4bb21deea
The linker is behind a symlink. Allow to read and follow.
Bug: 128840749
Test: m
Test: manual a/b ota
Test: DexoptOtaTests
Change-Id: I15bd76e517ab3cebf13ebd42ff6e5dae42364c83
Move complete domain to private/. Move referencing parts in domain
and kernel to private.
Bug: 128840749
Test: m
Change-Id: I5572c3b04e41141c8f4db62b1361e2b392a5e2da
The file descriptors for /dev/zero are no longer open. However,
a descriptor to the shell is still inherited. Update the comment.
Bug: 126787589
Test: m
Test: manual
Change-Id: I0d4518d2ba771622ea969bbf02827db45788bc09
This is a partial revert of https://android-review.googlesource.com/c/platform/system/sepolicy/+/891474
The mount points at /bionic are gone. Therefore, init and
otapreopt_chroot do not need to bionic-mount bionic libraries.
Corresponding policies are removed.
Bug: 125549215
Bug: 113373927
Bug: 120266448
Test: m; device boots
Change-Id: I9d9d7ec204315fb5b66beec4e6a3c529bd827590
Set the apex_key context for files in
/product/etc/security/apex/ and
/system/product/etc/security/apex/.
The apexd code is already looking for public keys in these locations,
but the apex_key context needs to be set to make them accessible from
apexd.
Bug: 127690808
Test: manual - verified that key files had proper SE-Linux label
Change-Id: Ib15728fa97eb438ea97a9743a06fa46e4d54f1cd
Allow everyone to look for keys in the fsverity keyring. This is
required to access fsverity-protected files, at all.
This set of permissions is analogous to allowances for the fscrypt
keyring and keys.
Bug: 125474642
Test: m
Test: manual
Change-Id: I6e8c13272cdd76d9940d950e9dabecdb210691b1
This CL add new label for files created by fsverity.
Bug: 112038861
Test: ls -Z /proc/sys/fs/verity/require_signatures.
Change-Id: I8e49ad9a43282bc608449eb0db4ea78617c4ee9a
With the CLs in the same topic, it's being built as a dynamically linked
executable. And this applies to normal boot (including charger mode) and
recovery mode both.
/system/bin/charger under normal boot will be labeled as charger_exec,
which has the attribute of system_file_type.
The file in recovery image will still be labeled as rootfs. So we keep
the domain_trans rule for rootfs file, but allowing for recovery mode
only.
Bug: 73660730
Test: Boot into charger mode on taimen. Check that charger UI works.
Test: Boot into recovery mode. Check that charger process works.
Change-Id: I062d81c346578cdfce1cc2dce18c829387a1fdbc
If kernel is built with CONFIG_TRANSPARENT_HUGEPAGE optimization,
libjemalloc5 will attempt to read
/sys/kernel/mm/transparent_hugepage/enabled and hit an SELinux denial.
Various denials similiar to the following are seen on cuttlefish:
avc: denied { open } for comm="surfaceflinger"
path="/sys/kernel/mm/transparent_hugepage/enabled" dev="sysfs" ino=776
scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file
permissive=1
Bug: 28053261
Test: boot cuttlefish without above denials.
Change-Id: Ic33f12d31aacc42d662a8c5c297fbb5f84d4deea
Remove unnecessary rules which will be added from 28.0.cil automatically
by the build process.
Bug: 111308141
Test: builds
Change-Id: I02064785cac1ed6d8b4e462604a1b8db10c1a25a
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Update copy-paste comment header. Fix file access to the right
type.
Follow-up to commit 1845b406fc.
Bug 125474642
Test: m
Test: boot
Change-Id: I33bfef51c78ca581063c0f950e1837546d013050
Allows power rail data to be logged in the trace, allowing
high fidelity attribution of battery power use.
Matching feature CL: aosp/891533
SELinux denials that lead to this:
avc: denied { call } for scontext=u:r:traced_probes:s0 tcontext=u:r:hal_power_stats_default:s0 tclass=binder
Test: checked data in a trace
Bug: 122584217
Change-Id: I7e0f4e825be3f54bc78d91da1cb85c2f61465a44
Lmkd needs read access to /proc/pressure/memory, proc/pressure/cpu
and proc/pressure/io nodes to read current psi levels.
Lmkd needs write access to /proc/pressure/memory to set psi monitor
triggers.
Bug: 111308141
Test: modified lmkd to use PSI and tested using lmkd_unit_test
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Merged-In: I9efd60c7fbb89cc08938fa5119b13d794813b52b
Change-Id: I9efd60c7fbb89cc08938fa5119b13d794813b52b
Add ART boot integrity check domain. Give it rights to run
fsverity and delete boot classpath artifacts.
Bug 125474642
Test: m
Test: boot
Change-Id: I933add9b1895ed85c43ec712ced6ffe8f820c7ec
This is an area that apexd can use to store session metadata, which
won't be rolled back with filesystem checkpointing.
Bug: 126740531
Test: builds
Change-Id: I5abbc500dc1b92aa46830829be76e7a4381eef91
The device OS and an installed GSI will both attempt to write
authentication data to the same weaver slots. To prevent this, we can
use the /metadata partition (required for GSI support) to communicate
which slots are in use between OS images.
To do this we define a new /metadata/password_slots directory and define
sepolicy to allow system_server (see PasswordSlotManager) to access it.
Bug: 123716647
Test: no denials on crosshatch
Change-Id: I8e3679d332503b5fb8a8eb6455de068c22eba30b
In userdebug, for better diagnostics, allow crash_dump to "connect
to" apexd.
Considering apexd is quite powerful, user devices remain restricted.
Bug: 118771487
Test: m
Change-Id: Id42bd2ad7505cd5578138bfccd8840acba9a334d
This is needed in cases SELinux labels are restored under /data/apex by
an external process calling restorecon. In normal condition files under
/data/apex/active retain the label staging_data_file used at their
original creation by StagingManager. However, we observed that the label
might be changed to apex_data_file, which we were able to reproduce by
running restorecon.
Explicitly mark files under /data/apex/active and /data/apex/backup as
staging_data_file.
This CL also remove some stale rules being addressed since.
Test: ran restorecon on files in /data/apex/active, attempted installing
a new apex which triggered the violation when files are linked to
/data/apex/backup. With this CL, the operation succeeds.
Bug: 112669193
Change-Id: Ib4136e9b9f4993a5b7e02aade8f5c5e300a7793c
The sysfs path for controlling dma fence events changed yet again in
Linux 4.10, see kernel commit f54d1867005c3.
Test: adb shell atrace --list_categories | grep sync
Change-Id: Id6332f794ee4e350c936e1e777e9d94fc7cd6d11
Vendors should be able to specify additional cgroups and task profiles
without changing system files. Add access rules for /vendor/etc/cgroups.json
and /vendor/etc/task_profiles.json files which will augment cgroups and
task profiles specified in /etc/cgroups.json and /etc/task_profiles.json
system files. As with system files /vendor/etc/cgroups.json is readable
only by init process. task_profiles.json is readable by any process that
uses cgroups.
Bug: 124960615
Change-Id: I12fcff0159b4e7935ce15cc19ae36230da0524fc
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
The underlying issue has been fixed, so this
SELinux denial shouldn't occur anymore.
Bug: 118185801
Test: manual
Change-Id: I5656e341bcb7b554bcd29e00315648eb75ec0a3d
We are only interested in removing "open" access from apps, so leave
apps with (rw_file_perms - open) permissions to /dev/ashmem
Bug: 126627315
Test: emulator boots without denials to /dev/ashmem
Change-Id: I7f03fad5e4e82aebd1b6272e4956b16f86043637
Add art_apex_postinstall domain that is allowed to move
precreated AoT artifacts from /data/ota.
Bug: 125474642
Test: m
Change-Id: Id674e202737155a4ee31187f096d1dd655001fdd
gsid is started lazily to reduce memory pressure. It can be started
either via gsi_tool (invoked by adb shell), or by DynamicAndroidService
via system_server.
Bug: 126622385
Test: no denials running "gsi_tool status"
Change-Id: I90a5f3f28fe4f294fb60e7c87a62e76716fbd5c0
Add art_apex_preinstall domain that is allowed to create AoT
artifacts in /data/ota.
Bug: 125474642
Test: m
Change-Id: Ia091d8df34c4be4f84c2052d3c333a0e36bcb036
This can not be done from the system server as there are native API that
do not go through it (aaudio, opensles).
Test: adb shell dumpsys media.audio_policy | grep -i 'Package manager'
Bug: 111453086
Signed-off-by: Kevin Rocard <krocard@google.com>
Change-Id: I0a4021f76b5937c6191859892fefaaf47b77967f
Apps are no longer allowed open access to /dev/ashmem, unless they
target API level < Q.
Bug: 113362644
Test: device boots, Chrome, instant apps work
Change-Id: I1cff08f26159fbf48a42afa7cfa08eafa1936f42
System suspend service is not a HAL, so avoid using HAL-specific macros
and attributes.
Use system_suspend_server attribute for ISystemSuspend.hal permissions.
Use system_suspend type directly for internal .aidl interface
permissions.
Bug: 126259100
Test: m selinux_policy
Test: blueline boots; wakelocks can still be acquired; device suspends
if left alone.
Change-Id: Ie811e7da46023705c93ff4d76d15709a56706714
In preparation for additions that should be private-only, move the
types to private. Both have to be moved as they are dependent.
Bug: 125474642
Test: m
Change-Id: I6a76eba41b036bc6fb83588adbe9d63767d3e159
In preparation for moving other components to private, so that
private-only components can stay private.
Bug: 125474642
Test: m
Change-Id: Iff1ecabc4f45051d06e062b3338a117c09b39ff9
In some scenarios (native watchdog finding a regression, apexd failing
to mount apexes), a rollback of apexd will be triggered which requires
device reboot.
Bug: 123622800
Test: manually triggered apexd rollback and verified it reboots phone
Change-Id: I4c5d785a69dd56a63348c75c1897601749db9bc5
The dl.exec_linker* tests verify that the linker can invoked on an
executable. That feature still works, but not with the default
shell user, which is required for the CTS bionic tests.
Addresses the following denial:
audit(0.0:5493): avc: denied { execute_no_trans } for path="/bionic/bin/linker64" dev="loop3" ino=25 scontext=u:r:shell:s0 tcontext=u:object_r:system_linker_exec:s0 tclass=file permissive=0
Bug: 124789393
Test: compiles
Change-Id: I77772b2136fae97174eeba6542906c0802fce990
In order to support deleting session files after a staged session reaches
a final state, installd will need to delete the session directories from
/data/staging.
Bug: 123624108
Test: triggered 2 flows in which a staged session reaches a final state
and made sure installd can delete the session files
Change-Id: I76a7d4252d1e033791f67f268cf941672c5e6a3a
In preparation for additions that should be private-only, move
the neverallows to domain's private part.
Bug: 125474642
Test: m
Change-Id: I7def500221701500956fc0b6948afc58aba5234e
And add neverallow so that it's removed from partner policy if
it was added there due to denials.
Fixes: 124476401
Test: build
Change-Id: I16903ba43f34011a0753b5267c35425dc7145f05
sdcardfs will automatically try to create .nomedia file
under Android/{data,obb} and this is being attributed
to whoever is trying to create Android/{data,obb} dirs.
Earlier this is used to done from app context but now
zygote handles the creation of these dirs.
Bug: 124345887
Test: manual
Change-Id: I96feada2f5edff2ece2586a532b069a58a36dd3b
Update the seinfo to the new network_stack seinfo, as the network stack
is now using its own certificate.
Remove the hard-coded package name, which may differ depending on
devices, and specify (uid, signature, priv-app) instead.
Bug: 124033493
Test: m
Change-Id: If3bbc21cf83f5d17406e9615833ee43011c9c9bc
Allow all the app process with GUI to send GPU health metrics stats to
GpuService during the GraphicsEnvironment setup stage for the process.
Bug: 123529932
Test: Build, flash and boot. No selinux denials.
Change-Id: Ic7687dac3c8a3ea43fa744a6ae8a45716951c4df
system/sepolicy commit ffa2b61330
introduced the runas_app SELinux domain, which changed how we perform
debugging and profiling of Android applications. This broke Android
Studio's profiling tool.
Android Studio's profiling tool has the run-as spawned application
connect to an app created unix domain sockets in the
abstract namespace.
Note: this differs from system/sepolicy commit
3e5668f173, which allows connections in
the reverse direction (from app to runas_app). That change (b/123297648)
was made for a different part of Android Studio, Android Studio Instant
Run.
Addresses the following denial:
2019-02-08 00:59:14.563 15560-15560/? W/connector: type=1400 audit(0.0:645): avc: denied { connectto } for path=00436C69656E74 scontext=u:r:runas_app:s0:c188,c256,c512,c768 tcontext=u:r:untrusted_app_27:s0:c188,c256,c512,c768 tclass=unix_stream_socket permissive=0 app=com.example.hellojni
(hex decode of 00436C69656E74 is "Client")
2019-01-31 17:25:16.060 19975-19975/? W/transport: type=1400 audit(0.0:8146): avc: denied { connectto } for path=00416E64726F696453747564696F5472616E73706F72744167656E743139383839 scontext=u:r:runas_app:s0:c512,c768 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=unix_stream_socket permissive=0 app=com.example.android.displayingbitmaps
(hex decode of
00416E64726F696453747564696F5472616E73706F72744167656E743139383839
is "AndroidStudioTransportAgent19889")
Bug: 120445954
Test: manual
Change-Id: I9ca1c338dcbc75cb3fbd7bf93a348f9276363dc1
This sets up a selinux domain (notify_traceur) that can be called from
init and has the permissions to run the activitymanager script.
Bug: 116754134
Test: manual
Change-Id: Ia371bafe5d3d354efdf8cd29365cd74ed3e5cdfd
Chrome Crashpad uses the the dynamic linker to load native executables
from an APK (b/112050209, crbug.com/928422)
Addresses the following denial:
avc: denied { execute_no_trans } for comm="Chrome_IOThread" path="/bionic/bin/linker" dev="loop5" ino=24 scontext=u:r:untrusted_app_27:s0:c106,c256,c512,c768 tcontext=u:object_r:system_linker_exec:s0 tclass=file permissive=0 app=com.android.chrome
Test: compiles and builds.
Change-Id: I14f80592a74c36754c28313e94399258b2c42170
Will be used to forcefully turn on memfd if device supports it.
Currently used only for debugging.
Change-Id: I46a1b7169677ea552d4b092e7501da587c42ba1a
Signed-off-by: Joel Fernandes <joelaf@google.com>
We're investigating a bug where vold gets wedged, and we need to
collect ANR stack traces from it to debug further.
avc: denied { signal } for comm="watchdog" scontext=u:r:system_server:s0 tcontext=u:r:vold:s0 tclass=process permissive=0
avc: denied { ptrace } for scontext=u:r:crash_dump:s0 tcontext=u:r:vold:s0 tclass=process permissive=0
Bug: 122090837
Test: manual
Change-Id: I738e63717715189b9ae2317472f671e3563afaa9
Allow traced to read the format file for the print event on user.
This does not allow traced to enable any event it could not already
as the events under /d/tracing/events/ftrace/ are special and are
always enabled. Being able to read the format file means we don't have
to speculate on the id and layout of the print event.
Bug: 122471587
Test: atest CtsPerfettoTestCases:PerfettoTest#TestFtraceFlush
Change-Id: I39379f2fa13ab80bf3d14e244066c2ba1bd4d11b
This CL introduces allows traced to set the
sys.traceur.trace_end_signal property at the end
of the tracer. In turn that property notifies the
the Traceur app.
This is to allowing Traceur to be killed during
a long-trace and avoid wasting resources making
it a persistent service.
See aosp/886616 for the matching traceur change.
Test: manual
Bug: 116754732
Change-Id: I89e2f02b3f973813ce8ff3507d397a06502f84c1
In order to offload application tcp socket’s keepalive
message, system server must know if application's socket
is idle with no data in send/receive queues. Allow
system_server to use ioctl on all tcp sockets.
Bug: 114151147
Test: -build, flash, boot
Change-Id: I3f5a0e06bc22f8a64ae6180db48df2a31106c511
In order to support rollback for apex files, apexd will need to unlink
previously active apex files in /data/apex/active folder. Those files
are hardlinked from /data/staging/session_XXXX which means that they
have staging_data_file:file SELinux fields.
I double checked that this change won't allow apexd to unlink files in
/data/staging/session_XXXX folders, because it will lack write access,
logcat contains following entries:
avc: denied { write } for name="session_305119585" dev="sda13" ino=5496838 scontext=u:r:apexd:s0 tcontext=u:object_r:staging_data_file:s0 tclass=dir permissive=0
Bug: 122339211
Test: verified that apexd can't unlink files in /data/staging/session_XXXX
Change-Id: Iddef724c3d73269c97d9fa12a05a276fad189ea9
all_untrusted_apps apart from untrusted_app_{25, 27} and mediaprovider
are now expected to go to ashmemd for /dev/ashmem fds.
Give coredomain access to ashmemd, because ashmemd is the default way
for coredomain to get a /dev/ashmem fd.
Bug: 113362644
Test: device boots, ashmemd running
Test: Chrome app works
Test: "lsof /system/lib64/libashmemd_client.so" shows
libashmemd_client.so being loaded into apps.
Change-Id: I279448c3104c5d08a1fefe31730488924ce1b37a
Add some missing fields, document undocumented fields, update
precedence rules, and attempt to give slightly more context.
Test: Builds
Change-Id: Id106ebe3aa6c18697db82a775cc54ed07b6c1a57
