Partial revert of:
commit 3e1dc57bf4
commit 30ae427ed0
The current file contexts could break potential implementations of NTFS
by partners in future. I am not rolling back the adjoining
fuseblkd_exec andfuseblkd_untrusted_exec code, because secure
implementations of fuseblk drivers should still endeavour to use the
more compartmentalised policies.
However, as we don't support NTFS officially, we should give
implementors the choices whether to use it or not, even if it will open
the door to potentially less secure implementations.
NTFS Context: http://b/254407246,
https://docs.google.com/document/d/1b5RjdhN2wFFqmLCK0P_chVyiEhiYqNlTn52TFBMNwxk
Bug: 294925212
Test: Builds and boot.
Change-Id: I6d3858517e797b3f7388f9d3f18dd4a11770d5bc
/data/bootanim location is changed to /data/misc/bootanim as a follow up
change to aosp/q/topic:"bootanim_data_folder". The label is updated for the new file location.
Bug: 210757252
Test: /data/misc/bootanim is labeled correctly. BootAnimation can access this folder.
Change-Id: I9a54cf0dba470302df4180fb17fb104fb483b23d
It will be used to mount bootstrap APEXes. (with bind-mount to /apex)
Bug: 290148078
Test: atest VendorApexHostTestCases
Change-Id: I1a82af37db368a0eb2bf3a002a47439fb1f8b61d
Since the fsverity_init binary is being removed, remove the
corresponding SELinux rules too.
For now, keep the rule "allow domain kernel:key search", which existed
to allow the fsverity keyring to be searched. It turns out to actually
be needed for a bit more than that. We should be able to replace it
with something more precise, but we need to be careful.
Bug: 290064770
Test: Verified no SELinux denials when booting Cuttlefish
Change-Id: I992b75808284cb8a3c26a84be548390193113668
Add drmserver(32|64) for supporting 64-bit only devices. The patch is
for setting up the sepolicy for drmserver(32|64).
Bug: 282603373
Test: make gsi_arm64-user; Check the sepolicy
Change-Id: If8451de8120372b085de1977ea8fd1b28e5b9ab0
Merged-In: If8451de8120372b085de1977ea8fd1b28e5b9ab0
snapuserd logs are important when OTA failures happen. To make debugging
easier, allow snapuserd to persist logs in /data/misc/snapuserd_logs ,
and capture these logs in bugreport.
Bug: 280127810
Change-Id: I49e30fd97ea143e7b9c799b0c746150217d5cbe0
Bug: 218588089
Bug: 273324345
Test: 1. m -j selinux_policy
2. Build cf_x86_64_auto lunch target.
3. Launch cvd in the accelerated graphics mode.
4. Run evs_app and confirm the color bar pattern is shown on the
display.
> adb root && adb shell evs_app --test
6. Do the same on sdk_car_x86_64 lunch target.
Change-Id: I1f570e7d43981ce2f5a7ae0d78ee3d5bfa8c7576
Bug: 260366497
Bug: 264600011
Test: Take bugreport and check dmesg for avc error
Test: Reboot and check shutdown-checkpoints
Change-Id: Ifcc7de30ee64e18f78af147cd3da39d7c6dc6f5f
This is a rather large, single change to the SEPolicies, as fuseblk
required multiple new domains. The goal is to allow any fuseblk
drivers to also use the same sepolicy.
Note the compartmentalized domain for sys_admin and mount/unmount
permissions.
Bug: 254407246
Test: Extensive testing with an ADT-4 and NTFS USB drives.
Change-Id: I6619ac77ce44ba60edd6ab10e8436a8712459b48
We plan to move canhalconfigurator from system to system_ext partition.
So let's update its sepolicy file context first.
Bug: 263516803
Test: build selinux policy for aosp_cf_x86_64_auto target
Change-Id: Ic4bd69489fa2f94ba33665a2cf1359e9fa487ea6
Zoned block device will be used along with userdata_block_device
for /data partition.
Bug: 197782466
Change-Id: I777a8b22b99614727086e72520a48dbd8306885b
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
The automotive display service is moved to /system_ext partition.
Bug: 246656948
Test: Build selinux policy for aosp_cf_x86_64_only_auto target.
> lunch aosp_cf_x86_64_only_auto-userdebug
> m -j selinux_policy
Change-Id: If822e54aa99053c1aaee9f41d067860ea965c2f2
This CR, when paired with a functional NTFS implementation and the
corresponding vold updates, will allow NTFS USB drives to be mounted
on Android.
Bug: 254407246
Test: Extensive testing with NTFS USB drives.
Change-Id: I259882854ac40783f6d1cf511e8313b1d5a04eef
Manual testing protocol:
* Verify prng_seeder daemon is running and has the
correct label (via ps -Z)
* Verify prng_seeder socket present and has correct
label (via ls -Z)
* Verify no SELinux denials
* strace a libcrypto process and verify it reads seeding
data from prng_seeder (e.g. strace bssl rand -hex 1024)
* strace seeder daemon to observe incoming connections
(e.g. strace -f -p `pgrep prng_seeder`)
* Kill daemon, observe that init restarts it
* strace again and observe clients now seed from new instance
Bug: 243933553
Test: Manual - see above
Change-Id: I0a7e339115a2cf6b819730dcf5f8b189a339c57d
See other cl in this topic for more information.
Bug: 198619163
Test: adb root; adb shell /system/bin/migrate_legacy_obb_data; adb logcat | grep obb shows "migrate_legacy_obb_data: No legacy obb data to migrate."
Change-Id: Ic2fb4183f80b36463f279b818e90c203e9a51422
Add mediaserver(32|64) for supporting 64-bit only devices. The patch is
for setting up the sepolicy for mediaserver(32|64).
Bug: 236664614
Test: make gsi_arm64-user; Check the sepolicy
Change-Id: I61c69588b84305b9863a72b5a466d4185f7f1958
The feature was superseded by tzdata mainline module(s).
Bug: 148144561
Test: see system/timezone
Test: m selinux_policy
Change-Id: I48d445ac723ae310b8a134371342fc4c0d202300
Merged-In: I48d445ac723ae310b8a134371342fc4c0d202300
Remove mention of the /system/bin/idmap binary: the file no longer
exists.
Remove interaction between the domains installd and idmap to interact:
installd used to fork and exec the idmap binary, but the idmap2 binary
has its own binder service.
Bug: 118711077
Bug: 119264713
Test: atest FrameworksServicesTests:com.android.server.om OverlayDeviceTests OverlayHostTests CtsAppSecurityHostTestCases:OverlayHostTest
Change-Id: I06d22057308984e43cb84ff365dbdd1864c7064b
Currently, app process can freely execute path at
`/data/misc_ce/0/sdksandbox/<package-name>` since it's labeled as system
file. They can't read or write, but use 403/404
error to figure out if an app is installed or not.
By changing the selinux label of the parent directory:
`/data/misc_ce/0/sdksandbox`, we can restrict app process from executing
inside the directory and avoid the privacy leak.
Sandbox process should only have "search" permission on the new label so
that it can pass through it to its data directory located in
`/data/misc_ce/0/sdksandbox/<package-name>/<per-sdk-dir>`.
Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Test: `adb shell cd /data/misc_ce/0/sdksandbox` gives error
Test: manual test to verify webview still works
Change-Id: Id8771b322d4eb5532eaf719f203ca94035e2a8ed
Merged-In: Id8771b322d4eb5532eaf719f203ca94035e2a8ed
Remove references in sepolicy. Leave a few of the types defined since
they're public and may be used in device-specific policy.
Bug: 211461392
Test: build/boot cuttlefish
Change-Id: I615137b92b82b744628ab9b7959ae5ff28001169
Creating a per-user encrypted directory such as /data/system_ce/0 and
the subdirectories in it too early has been a recurring bug. Typically,
individual services in system_server are to blame; system_server has
permission to create these directories, and it's easy to write
"mkdirs()" instead of "mkdir()". Such bugs are very bad, as they
prevent these directories from being encrypted, as encryption policies
can only be set on empty directories. Due to recent changes, a factory
reset is now forced in such cases, which helps detect these bugs;
however, it would be much better to prevent them in the first place.
This CL locks down the ability to create these directories to just vold
and init, or to just vold when possible. This is done by assigning new
types to the directories that contain these directories, and then only
allowing the needed domains to write to these parent directories. This
is similar to what https://r.android.com/1117297 did for /data itself.
Three new types are used instead of just one, since these directories
had three different types already (system_data_file, media_rw_data_file,
vendor_data_file), and this allows the policy to be a bit more precise.
A significant limitation is that /data/user/0 is currently being created
by init during early boot. Therefore, this CL doesn't help much for
/data/user/0, though it helps a lot for the other directories. As the
next step, I'll try to eliminate the /data/user/0 quirk. Anyway, this
CL is needed regardless of whether we're able to do that.
Test: Booted cuttlefish. Ran 'sm partition disk:253,32 private', then
created and deleted a user. Used 'ls -lZ' to check the relevant
SELinux labels on both internal and adoptable storage. Also did
similar tests on raven, with the addition of going through the
setup wizard and using an app that creates media files. No
relevant SELinux denials seen during any of this.
Bug: 156305599
Change-Id: I1fbdd180f56dd2fe4703763936f5850cef8ab0ba
odsign will be writing(metrics) to file
/data/misc/odsign/metrics/odsign-metrics.txt & system_server needs from it.
Test: adb pull /data/misc/odsign/metrics/odsign-metrics.txt after reboot
Bug: 202926606
Change-Id: I020efcee8ca7f5b81f1aa3374bbf2b3a7403186d
