This is needed in cases SELinux labels are restored under /data/apex by
an external process calling restorecon. In normal condition files under
/data/apex/active retain the label staging_data_file used at their
original creation by StagingManager. However, we observed that the label
might be changed to apex_data_file, which we were able to reproduce by
running restorecon.
Explicitly mark files under /data/apex/active and /data/apex/backup as
staging_data_file.
This CL also remove some stale rules being addressed since.
Test: ran restorecon on files in /data/apex/active, attempted installing
a new apex which triggered the violation when files are linked to
/data/apex/backup. With this CL, the operation succeeds.
Bug: 112669193
Change-Id: Ib4136e9b9f4993a5b7e02aade8f5c5e300a7793c
The sysfs path for controlling dma fence events changed yet again in
Linux 4.10, see kernel commit f54d1867005c3.
Test: adb shell atrace --list_categories | grep sync
Change-Id: Id6332f794ee4e350c936e1e777e9d94fc7cd6d11
Vendors should be able to specify additional cgroups and task profiles
without changing system files. Add access rules for /vendor/etc/cgroups.json
and /vendor/etc/task_profiles.json files which will augment cgroups and
task profiles specified in /etc/cgroups.json and /etc/task_profiles.json
system files. As with system files /vendor/etc/cgroups.json is readable
only by init process. task_profiles.json is readable by any process that
uses cgroups.
Bug: 124960615
Change-Id: I12fcff0159b4e7935ce15cc19ae36230da0524fc
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
The underlying issue has been fixed, so this
SELinux denial shouldn't occur anymore.
Bug: 118185801
Test: manual
Change-Id: I5656e341bcb7b554bcd29e00315648eb75ec0a3d
We are only interested in removing "open" access from apps, so leave
apps with (rw_file_perms - open) permissions to /dev/ashmem
Bug: 126627315
Test: emulator boots without denials to /dev/ashmem
Change-Id: I7f03fad5e4e82aebd1b6272e4956b16f86043637
Add art_apex_postinstall domain that is allowed to move
precreated AoT artifacts from /data/ota.
Bug: 125474642
Test: m
Change-Id: Id674e202737155a4ee31187f096d1dd655001fdd
gsid is started lazily to reduce memory pressure. It can be started
either via gsi_tool (invoked by adb shell), or by DynamicAndroidService
via system_server.
Bug: 126622385
Test: no denials running "gsi_tool status"
Change-Id: I90a5f3f28fe4f294fb60e7c87a62e76716fbd5c0
Add art_apex_preinstall domain that is allowed to create AoT
artifacts in /data/ota.
Bug: 125474642
Test: m
Change-Id: Ia091d8df34c4be4f84c2052d3c333a0e36bcb036
Fixes: 126604492
Test: Build userdebug and user.
Test: Test
android.cts.security.SELinuxNeverallowRulesTest#testNeverallowRules129
on userdebug.
Change-Id: I0716e566570114878842644339401331513bae22
This can not be done from the system server as there are native API that
do not go through it (aaudio, opensles).
Test: adb shell dumpsys media.audio_policy | grep -i 'Package manager'
Bug: 111453086
Signed-off-by: Kevin Rocard <krocard@google.com>
Change-Id: I0a4021f76b5937c6191859892fefaaf47b77967f
Apps are no longer allowed open access to /dev/ashmem, unless they
target API level < Q.
Bug: 113362644
Test: device boots, Chrome, instant apps work
Change-Id: I1cff08f26159fbf48a42afa7cfa08eafa1936f42
So it can dexopt these JARs.
Bug: 119800099
Test: DeviceBootTest.DeviceBootTest#SELinuxUncheckedDenialBootTest
Change-Id: I40b25319381654c607e17d6fc61e1a1c6fb0c1f1
System suspend service is not a HAL, so avoid using HAL-specific macros
and attributes.
Use system_suspend_server attribute for ISystemSuspend.hal permissions.
Use system_suspend type directly for internal .aidl interface
permissions.
Bug: 126259100
Test: m selinux_policy
Test: blueline boots; wakelocks can still be acquired; device suspends
if left alone.
Change-Id: Ie811e7da46023705c93ff4d76d15709a56706714
In preparation for additions that should be private-only, move the
types to private. Both have to be moved as they are dependent.
Bug: 125474642
Test: m
Change-Id: I6a76eba41b036bc6fb83588adbe9d63767d3e159
In preparation for moving other components to private, so that
private-only components can stay private.
Bug: 125474642
Test: m
Change-Id: Iff1ecabc4f45051d06e062b3338a117c09b39ff9
In some scenarios (native watchdog finding a regression, apexd failing
to mount apexes), a rollback of apexd will be triggered which requires
device reboot.
Bug: 123622800
Test: manually triggered apexd rollback and verified it reboots phone
Change-Id: I4c5d785a69dd56a63348c75c1897601749db9bc5
The dl.exec_linker* tests verify that the linker can invoked on an
executable. That feature still works, but not with the default
shell user, which is required for the CTS bionic tests.
Addresses the following denial:
audit(0.0:5493): avc: denied { execute_no_trans } for path="/bionic/bin/linker64" dev="loop3" ino=25 scontext=u:r:shell:s0 tcontext=u:object_r:system_linker_exec:s0 tclass=file permissive=0
Bug: 124789393
Test: compiles
Change-Id: I77772b2136fae97174eeba6542906c0802fce990
In order to support deleting session files after a staged session reaches
a final state, installd will need to delete the session directories from
/data/staging.
Bug: 123624108
Test: triggered 2 flows in which a staged session reaches a final state
and made sure installd can delete the session files
Change-Id: I76a7d4252d1e033791f67f268cf941672c5e6a3a
