This is a partial cherry pick of commit 6231b4d9
'Enforce per-app data protections for targetSdk 28+'.
Untrusted_app_27 remains unreachable, but it's existence
prevents future merge conflicts.
Bug: 63897054
Test: build/boot aosp_walleye-userdebug
Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
Merged-In: I64b013874fe87b55f47e817a1279e76ecf86b7c0
(cherry picked from commit 6231b4d9fc)
tagSocket() now results in netd performing these actions on behalf
of the calling process.
Remove direct access to:
/dev/xt_qtaguid
/proc/net/xt_qtaguid/ctrl
Bug: 68774956
Test: -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AppSecurityTests
-m CtsNativeNetTestCases
Test: stream youtube, browse chrome
Test: go/manual-ab-ota
Change-Id: I6a044f304c3ec4e7c6043aebeb1ae63c9c5a0beb
Update for debugfs labeling changes.
Update for simpleperf behavior with stack traces (temp file).
Bug: 73175642
Test: m
Test: manual - run profiling, look for logs
Change-Id: Ie000a00ef56cc603f498d48d89001f566c03b661
A default value of persist.sys.sf.native_mode could be set by SoC
partners in some devices including some pixels.
So it should have vendor_init_settable accessibility.
Bug: 74266614
Test: succeeded building and tested with a pixel device with
PRODUCT_COMPATIBLE_PROPERTY_OVERRIDE=true.
Change-Id: I5d7a029f82505983d21dc722541fb55761a8714d
See also go/perfetto-io-tracing-security.
* Grant CAP_DAC_READ_SEARCH to traced_probes.
* Allow traced_probes to list selected labels.
* Change ext4 and f2fs events to be available on user builds.
Bug: 74584014
Change-Id: I891a0209be981d760a828a69e4831e238248ebad
The kernel generates file creation audits when O_CREAT is passed even
if the file already exists - which it always does in the cgroup cases.
We add neverallow rules to prevent mistakenly allowing unnecessary
create access. We also suppress these denials, which just add noise to
the log, for the more common culprits.
Bug: 72643420
Bug: 74182216
Test: Ran build_policies.sh and checked failures were unrelated.
Test: Device still boots, denials gone.
Change-Id: I034b41ca70da1e73b81fe90090e656f4a3b542dc
(cherry picked from commit 92c149d077)
In permissive mode we get more spurious denials when O_CREAT is used
with an already-existing file. They're harmless so we don't need to
audit them.
Example denials:
denied { add_name } for name="trigger" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1
denied { create } for name="trigger" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file permissive=1
Bug: 72643420
Bug: 74182216
Test: Device boots, denials gone.
Change-Id: I54b1a0c138ff5167f1d1d12c4b0b9e9afaa5bca0
(cherry picked from commit 7d4294cb4f)
We only need this change for aosp devices. Internal sepolicy for healthd
domain is different and does not need this.
Addresses this denial:
avc: denied { open } for path="/sys/class/power_supply" dev="sysfs"
ino=25340 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0
tclass=dir permissive=1
Test: $OUT/vendor/etc/selinux/precompiled_sepolicy contains the new
permission.
Change-Id: Ie47c231af800026fd9d8a1f752253bb338768c13
The ConfirmationUI API has a callback interface by which confirmation
results are presented to the calling app. This requires keystore to call
into apps.
Test: Device boots and no more denials when call back is delivered to
apps.
Bug: 63928580
Change-Id: Ie23211aeb74c39956c3c3b8b32843d35afa1315a
A default value of persist.radio.multisim.config can be set by SoC
vendors, and so vendor-init-settable should be allowed to it.
Bug: 73871799
Test: succeeded building and tested with taimen
Change-Id: Ie62b91e7e3d7e05425b742838417f1cab7b3fed4
This reverts commit 6f2040f873.
Reason for revert: not needed anymore after ag/3773705
This was meant to allow system_server toggling the property on/off.
Later we realized that we needed a separate property for that
(see discussion in b/76077784) and system server happens to
have already permissions to write to sys.* properties even without
this CL.
Reverting because at this point this creates just unnecessary clutter.
Change-Id: Ia73d000aad3c4288a5652047dfe10896e231b0b1
Test: perfetto_integrationtests
Bug: 76077784
ro.config.low_ram should be set on Android Go devices by SoC vendors,
and the value can be read by vendor components.
Bug: 76132948
Bug: 75987246
Test: succeeded building and tested with taimen
Change-Id: I6ac98fa58cf641da4565d6277898fc5e5e6ceca1
Kernel modules are not permitted to be on /system partition.
That was one of Treble requirements in O:
https://source.android.com/devices/architecture/kernel/modular-kernels#file-locations
Bug: 74069409
Test: pixel/nexus devices don't have LKMs in /system, so this change
shoudl be harmless.
Test: walleye boots without issues from modprobe.
Change-Id: I8b3aeb55aacb3c99e0486224161d09a64bb52cd1
To enable/disable the traced and traced_probes deamons remotely we would
like system server to be able to set persist.traced.enable.
See also ag/3736001.
Denial:
selinux: avc: denied { set } for
property=persist.traced.enable
pid=1606 uid=1000 gid=1000
scontext=u:r:system_server:s0
tcontext=u:object_r:default_prop:s0 tclass=property_service
permissive=0\x0a
Run:
$ adb shell 'ps -A | grep traced'
Should see traced.
$ adb shell 'settings put global sys_traced 0'
$ adb shell 'ps -A | grep traced'
Should no longer see traced.
Test: See above.
Change-Id: I245b7df3853cabeb0e75db41fb4facaa178ab8f1
Several /odm/* symlinks are added in the following change, to fallback
to /vendor/odm/* when there is no /odm partition on the device.
https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/638159/
This change allows dexopt operations to 'getattr' those symlinks during
OTA.
Bug: 75287236
Test: boot a device
Change-Id: I2710ce5e2c47eb1a3432123ab49f1b6f3dcb4ffe
Allow init the ability to relabel recovery block devices. In the case
where we have recovery as a chain partition, due to its presence in
early mount node, init, in first stage itself would require relabel
permissions for the restorecon operation on recovery block device.
Bug: 73642793
Test: On bootup, recovery partition gets the appropriate se-label.
Perform OTA on non-A/B device with recovery as chain partition,
now the recovery partition gets upgraded successfully, now that
it has the correct se-label.
Change-Id: I370c510320e78ab78c9c55573073415b4983d0f6
vendor-init-settable should be allowed to ro.enable_boot_charger_mode so
that SoC vendors can set its default value.
Bug: 74421250
Test: succeeded building and tested with taimen
Change-Id: I2859aab29fefb7882989413a089b0de55142d2f1
Add rule to allow Binder call from Bluetooth process to Bluetooth
audio HIDL interface running in audio HAL service process.
Bug: 72242910
Test: Manual; TestTracker/148125
Change-Id: I1981a78bece10b8e516f218d3edde8b77943d130
(cherry picked from commit e8cfac90e8)
