Because we want to collect early kernel logs, before apexd is run.
Bug: 236451404
Test: atest MicrodroidTests
Change-Id: Id84f5b36df00394eb3444fdef5654c6ec0759faf

(to be able to stat() nodes in /sys/fs/bpf)
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ic71ebea683844a8d5ac0b542da815bae2816973a

A crosvm instance running a protected VM contains a memory mapping of
the VM's protected memory. crash_dump can trigger a kernel panic if it
attaches to such crosvm instance and tries to dump this memory region.
Until we have a means of excluding only the protected memory from
crash_dump, prevent crash_dump from dumping crosvm completely by taking
away its SELinux permission to ptrace crosvm.
Bug: 236672526
Test: run 'killall -s SIGSEGV crosvm' while running crosvm
Change-Id: I6672746c479183cc2bbe3dce625e5b5ebcf6d822

Access to this functionality is gated elsewhere e.g. by
allowing/disallowing access to the service.
Bug: 237512474
Test: IpSecManagerTest
Test: Manual with GMSCore + PPN library
Change-Id: Ibb00b7c470a4cb148cfdcfb6b147edde45e49b1a

Like the non-persistent variants, should be settable by shell without
root to allow external developer use on locked bootloaders.
Bug: 236738714
Test: atest bionic-unit-tests
Change-Id: Id9fc4abe491f560134267b06dd53c2dacca9422d

* changes:
sepolicy: allow TUNSETLINK and TUNSETCARRIER
Add xfrm netlink permissions for system server
Fix system server and network stack netlink permissions

Goal is to gain a better handle on who has access to which maps
and to allow (with bpfloader changes to create in one directory
and move into the target directory) per-map selection of
selinux context, while still having reasonable defaults for stuff
pinned directly into the target location.
BPFFS (ie. /sys/fs/bpf) labelling is as follows:

  subdirectory     selinux context         mainline   usecase / usable by
  /                fs_bpf                  no (*)     core operating system (ie. platform)
  /net_private     fs_bpf_net_private      yes, T+    network_stack
  /net_shared      fs_bpf_net_shared       yes, T+    network_stack & system_server
  /netd_readonly   fs_bpf_netd_readonly    yes, T+    network_stack & system_server & r/o to netd
  /netd_shared     fs_bpf_netd_shared      yes, T+    network_stack & system_server & netd [**]
  /tethering       fs_bpf_tethering        yes, S+    network_stack
  /vendor          fs_bpf_vendor           no, T+     vendor

* initial support for bpf was added back in P,
but things worked differently back then with no bpfloader,
and instead netd doing stuff by hand,
bpfloader with pinning into /sys/fs/bpf was (I believe) added in Q
(and was definitely there in R)
** additionally bpf programs are accessible to netutils_wrapper
for use by iptables xt_bpf extensions
'mainline yes' currently means shipped by the com.android.tethering apex,
but this is really another case of bad naming, as it's really
the 'networking/connectivity/tethering' apex / mainline module.
Long term the plan is to merge a few other networking mainline modules
into it (and maybe give it a saner name...).
The reason for splitting net_private vs tethering is that:
S+ must support 4.9+ kernels and S era bpfloader v0.2+
T+ must support 4.14+ kernels and T beta3 era bpfloader v0.13+
The kernel affects the intelligence of the in-kernel bpf verifier
and the available bpf helper functions. Older kernels have
a tendency to reject programs that newer kernels allow.
/ && /vendor are not shipped via mainline, so only need to work
with the bpfloader that's part of the core os.
Bug: 218408035
Test: TreeHugger, manually on cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I674866ebe32aca4fc851818c1ffcbec12ac4f7d4
(cherry picked from commit 15715aea32)

This is required for testing new ethernet APIs in T.
This change is not identical to the corresponding AOSP change
because it also needs to update the T prebuilts.
Test: TH
Bug: 171872016
(cherry picked from commit 02b55354bd)
(cherry picked from commit 69fa8ca6f2)
Change-Id: I036e48530e37f7213a21b250b858a37fba3e663b

This change enables xfrm netlink socket use for the system server,
and the network_stack process. This will be used by IpSecService
to configure SAs, and network stack to monitor counters & replay
bitmaps for monitoring of IPsec tunnels.
This patch updates the prebuilts, in addition to the changes to the
master source.
Bug: 233392908
Test: Compiled
(cherry picked from commit b25b4bf53f)
(cherry picked from commit 8b7c1cbd5e)
Change-Id: I55e03a3ca7793b09688f603c973c38bd2f6e7c7f

Give system_server and network_stack the same permissions as netd.
This is needed as we are continuously moving code out of netd into
network_stack and system_server.
This change is not identical to the corresponding AOSP change
because it also needs to update the T prebuilts.
Test: TH
Bug: 233300834
(cherry picked from commit ab02397814)
(cherry picked from commit d0478822ce)
Change-Id: Ic98c6fc631ee98bef4b5451b6b52d94e673b4f3c

This enables users to run "fastboot getvar dmesg" which is important to
debugging flashing failures in automation. The command is only allowed on
unlocked devices running userdebug builds.
Bug: 230269532
Test: fastboot getvar dmesg
Change-Id: Ia27268fd984f903ca73e69b5717f4206a3cf1ae9

Previously I've resisted granting write access to these files, since
it allows the instance image to be altered. But that doesn't allow an
attacker to do anything other than render it invalid, since it's
protected by the VM key.
Note that logs are only written when the VM is debuggable, which is
currently only when non-protected VMs are available.
Bug: 235350758
Test: Force debug on, stage APEX, compile, reboot -> see vm logs
Test: Presubmit
Change-Id: I17c9a17db83d15adfab97b8cfe4ccd67393a08c1

This change allows remote_prov_app to find mediametrics. This is a
permission that all apps have. It is now needed for remote_prov_app due
to a new feature related to provisioning Widevine through the MediaDrm
framework.
Bug: 235491155
Test: no selinux denials related to remote_prov_app
Change-Id: Id3057b036486288358a9a84100fe808eb56df5fe
Merged-In: Id3057b036486288358a9a84100fe808eb56df5fe

These will get read by system libraries in arbitrary processes, so it's
a public property with read access by `domain`.
Bug: 235129567
Change-Id: I1ab880626e4efa2affe90165ce94a404b918849d

Init attempts to rm -rf these files, to ensure any that are owned by
the old virtualizationservice UID get deleted. This fails for newer
directories, now that we use the system UID, which is harmless. But rm
attempts to chmod the directories since it can't read them, which also
fails and generates a spurious audit. So here we suppress that.
Bug: 235338094
Test: No denials seen even when there are stale directories present
Change-Id: If55fbe151174ee08a12b64b301e4aa86ffc1a5bf

Android 13 moved to using AIDL for HALs, which have different version
and naming conventions as compared to the now deprecated HIDL. This CL
updates the regex to include camera provider implementations that follow
AIDL naming conventions in the allowlist.
Bug: 219974678
Test: Manually tested that AIDL implementation is allowed to run
Change-Id: Ic005703bdaaa6376ca4714f22f89271b2a8878f2

The feature was superseded by tzdata mainline module(s).
Bug: 148144561
Test: see system/timezone
Test: m selinux_policy
Change-Id: I48d445ac723ae310b8a134371342fc4c0d202300
Merged-In: I48d445ac723ae310b8a134371342fc4c0d202300

A serial device is used to pass failure reason to host.
Bug: 220071963
Test: atest MicrodroidTests
Change-Id: I085e902b4f0a79d3c8d2cd5c737ad169caac3659