Commit graph

33648 commits

Author SHA1 Message Date
Yabin Cui
40d41f7639 Merge "Add sepolicy for simpleperf_boot." 2022-01-25 00:29:09 +00:00
Treehugger Robot
9acd00484b Merge "Fix virtualizationservice denials" 2022-01-25 00:26:11 +00:00
Treehugger Robot
db8d838e5a Merge "Update compos permissions" 2022-01-24 17:01:52 +00:00
Andrew Scull
9d34085078 Merge "Make the DICE HAL a bootstrap process" 2022-01-24 14:33:31 +00:00
Jiyong Park
0120813598 Merge changes from topic "diced"
* changes:
  Allow microdroid_manager to talk to diced
  Make servicemanager and diced bootstrap processes
2022-01-24 10:24:03 +00:00
Inseob Kim
cbc95ea5e2 compat_generator: find new types and removed types
To generate compat files, we need:

- base plat sepolicy
- old plat sepolicy
- base plat pub sepolicy
- mapping file from the device
- latest compat files

Generator now triggers the build system itself to get necessary base
files, and then uses the artifacts to extract new types and removed
types.

For the next step, the new/removed types will be mapped to old types,
based on the latest compat files.

Bug: 214336258
Test: sepolicy_generate_compat --branch sc-v2-dev --target-version \
    32.0 --latest-version 31.0 -vvvv --build latest
Change-Id: I1f228233c1e3638e78bc0630ae51e48667a12ef5
2022-01-24 10:51:18 +09:00
Treehugger Robot
4ec796aa2f Merge "Add new goal for compat file generator" 2022-01-24 01:10:37 +00:00
Treehugger Robot
7423beb1bd Merge "Remove system/bin/clatd from clatd_exec" 2022-01-23 13:25:16 +00:00
George Chang
95113bbbed Merge "Add hal_nfc_service" 2022-01-22 01:46:41 +00:00
Sharon Su
0cd7ba7617 Merge "Change in SELinux Policy for wallpaper effects generation API. Test: presubmit tests" 2022-01-22 00:06:00 +00:00
Treehugger Robot
c23930818d Merge "Add sepolicy for IInputProcessor HAL" 2022-01-21 22:45:52 +00:00
Kathy Chen
7bb9120ba7 Merge "SELinux policy changes for AmbientContext system API." 2022-01-21 21:51:09 +00:00
Yu Shan
dd50991924 Merge "Allow AIDL VHAL service." 2022-01-21 20:12:58 +00:00
Kathy Chen
082263f3bc SELinux policy changes for AmbientContext system API.
Context about this is on ag/16302285

Test: Ensure no build failures, ensure no SecurityException on boot
Bug: 192476579
Change-Id: If5ba2fa41975acf91c0002a0f301da11eaebd6d2
2022-01-21 20:12:54 +00:00
Treehugger Robot
158927ed5c Merge "Add selinux policy for new BinaryTransparencyService" 2022-01-21 19:10:31 +00:00
Andrew Scull
f94a381585 Make the DICE HAL a bootstrap process
This HAL starts before APEXs are activated so needs access to the
bootstrap bionic libraries.

Bug: 214231981
Test: run microdroid
Change-Id: If82729eb2eff812916f257d24ce206e371be0c56
2022-01-21 18:19:21 +00:00
Hungming Chen
740b0669f0 Remove system/bin/clatd from clatd_exec
Since clatd is shipped by mainline module, remove the following privs
/system/bin/clatd      u:object_r:clatd_exec:s0

Test: build
Change-Id: Id98470fc5e641acc7e5635af02a520d2ed531cd8
2022-01-21 18:19:05 +00:00
Jiyong Park
f252d81ec9 Allow microdroid_manager to talk to diced
microdroid_manager needs to give the measurements to diced and get
per-VM secret from it for encrypting/decrypting the instance disk.

Bug: 214231981
Test: run microdroid
Change-Id: Ia4cab3f40263619e554466433cbb065e70ae0f07
2022-01-21 18:19:03 +00:00
Florian Mayer
06337c4260 Merge "Add policy for command line tool to control MTE boot state." 2022-01-21 18:11:00 +00:00
Alan Stokes
7409470917 Update compos permissions
We no longer use keystore, nor do we run dex2oat directly.

But we do now use IDiceNode::derive() to get our CDI_seal for key
derivation.

Bug: 214233409
Bug: 210998077
Test: atest ComposKeyTestCase
Change-Id: Id8ba882e7c250ad0365a7f493801e02cb5a0b700
2022-01-21 15:15:19 +00:00
Treehugger Robot
439f17558c Merge "Allow system_server read and open access to sys/class/net." 2022-01-21 14:47:52 +00:00
Treehugger Robot
f53bb875bb Merge "Add Bluetooth Audio HAL rules" 2022-01-21 14:40:12 +00:00
Alan Stokes
8a881c14bf Fix virtualizationservice denials
Allow logging to statsd - see
commit 3ffa832c6325bc9640baea66192e4e2c64349bc8.

Allow ioctl on /dev/kvm (allowxperm isn't enough) - see
commit 2dd48d0400.

Ignore spurious errors on /proc/fd/1 when running derive_classpath - see
commit 3fad86bb8a.

This fixes these denials:
avc: denied { write } for name="statsdw" dev="tmpfs" ino=984 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:statsdw_socket:s0 tclass=sock_file permissive=0
avc: denied { ioctl } for path="/dev/kvm" dev="tmpfs" ino=766 ioctlcmd=0xae03 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:kvm_device:s0 tclass=chr_file permissive=0
avc: denied { write } for name="fd" dev="proc" ino=63285 scontext=u:r:virtualizationservice:s0 tcontext=u:r:virtualizationservice:s0 tclass=dir permissive=0

Bug: 209008347
Bug: 210472252
Bug: 210803811
Test: Start VM, don't see denials.
Change-Id: I4c67746c1312553ee1155098ac27fc0d46c6f521
2022-01-21 13:44:38 +00:00
Jiyong Park
92382fe69f Make servicemanager and diced bootstrap processes
The two are now started before APEXes are activated. Therefore they need
access to the bootstrap bionic libraries.

file_contexts is also updated because their file names are changed to
avoid the conflict with their non-bootstrap variants.

Bug: 214231981
Test: m
Change-Id: I30fb1422f228b71251d6618dd7f6e4e5422717f8
2022-01-21 13:41:26 +00:00
Treehugger Robot
e939178d89 Merge "clatd: remove spurious privs" 2022-01-21 11:46:55 +00:00
Inseob Kim
eec3919969 Add new goal for compat file generator
To generate compat files, we need the following files.

- base_plat_sepolicy: to get all types
- base_plat_pub_policy.cil: to get public types
- {ver}_plat_sepolicy: to get old types

This creates a new dist goal, base-sepolicy-files-for-mapping, to
conveniently generate and gather desired files under out/dist.

Bug: 214336258
Test: build/soong/soong_ui.bash --make-mode dist \
      base-sepolicy-files-for-mapping \
      TARGET_PRODUCT=aosp_arm64 TARGET_BUILD_VARIANT=userdebug
Change-Id: I2f210ab47be777cd91346d635f75064845821144
2022-01-21 19:36:37 +09:00
Sharon Su
cedde105ae Change in SELinux Policy for wallpaper effects generation API.
Test: presubmit tests

Change-Id: I02f9545376534d1570cfa270dfe15c9df6f81d47
2022-01-21 09:28:49 +00:00
Badhri Jagan Sridharan
001b47c547 Merge "Add selinux rules for android.hardware.usb.IUsb AIDL migration" 2022-01-21 05:33:33 +00:00
Wayne Ma
27abad0dc8 Allow system_server read and open access to sys/class/net.
system_server needs search/read/open access to the directory.
This change gives system_server permissions to fetching the
information from sys/class/net.

Bug: 202086915
Test: build, flash, boot
Change-Id: I7b245510efbc99427f3491c9234c45c8cc18fea1
2022-01-21 03:20:10 +00:00
Treehugger Robot
8d149e3294 Merge "Make NearbyManager available as System API." 2022-01-21 01:18:27 +00:00
Siarhei Vishniakou
c655bece6a Add sepolicy for IInputProcessor HAL
This sepolicy is needed so that the vendor can launch a new HAL process,
and then this HAL process could join the servicemanager as an impl for
IInputProcessor. This HAL will be used to contain the previous impl of
InputClassifier and also new features that we are going to add.

Bug: 210158587
Test: use together with a HAL implementation, make sure HAL runs
Change-Id: I476c215ad622ea18b4ce5cba9c07ae3257a65817
2022-01-20 23:40:05 +00:00
Badhri Jagan Sridharan
c887ea3965 Add selinux rules for android.hardware.usb.IUsb AIDL migration
Covers the rules needed for the default AIDL implementation.

Bug: 200993386
Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
Change-Id: Ib152d12686e225e3c1074295a70c624a5115e9bd
2022-01-20 23:03:26 +00:00
Treehugger Robot
85387aa219 Merge "Remove odrefresh privileges no longer needed for CompOS" 2022-01-20 20:45:43 +00:00
Florian Mayer
23173455ab Add policy for command line tool to control MTE boot state.
Bug: 206895651

Change-Id: I2e84193668dcdf24bde1c7e12b3cfd8a03954a16
2022-01-20 17:30:09 +00:00
John Reck
423f4c7e93 Merge "Add IAllocator stable-aidl" 2022-01-20 17:05:56 +00:00
Eric Lin
3d482ca579 Make NearbyManager available as System API.
As the Fastpair in Mainline Module design, we intend to let OEM to:
* Support Fast Pair initial pairing by setting up its own server to
  sync and serve certified Fast Pair devices’ metadata.
* Support Fast Pair subsequent pairing by associating already
  paired Fast Pair devices to OEM’s accounts.
We also want to migrate GMS Fast Pair to use this mainline
implementation in the future and let our test signed with "platform"
can access to the NearbyManager.
Therefore, we need to make NearbyManager available as System API.

Bug: 214495869
Test: build, flash, boot, check "nearby_service" available for "privileged apps"
Change-Id: Icda959a33ba61eb39a3b584fc3b7a8b340fba11e
2022-01-20 07:54:36 +00:00
George Chang
0ddfebb4e1 Add hal_nfc_service
Bug: 204868826
Test: atest VtsAidlHalNfcTargetTest
Change-Id: If01d1d0a74f5c787805d3744772d40a7aa7db9cb
2022-01-20 03:48:57 +00:00
Yu Shan
8ea307d300 Allow AIDL VHAL service.
Test: None
Bug: 215419573
Change-Id: Iaeb91e06a1a8e2218ab5cb98f05c024546c0c2e7
2022-01-19 19:01:44 -08:00
Billy Lau
8bb3ed7451 Add selinux policy for new BinaryTransparencyService
Bug: 197684182

Test: Manually verified that BinaryTransparencyService is correctly
started and running.

Change-Id: I4eaf5698dd2edb428205afcd57c22502d56d2ec2
2022-01-19 14:45:45 -08:00
Victor Hsieh
2413e27cc6 Merge "Remove compos_internal_service" 2022-01-19 21:53:03 +00:00
Treehugger Robot
dd75a576c5 Merge "Remove deprecated ToMakePath calls" 2022-01-19 10:07:45 +00:00
Josh Wu
759b4ef0df Add Bluetooth Audio HAL rules
Test: manual
Bug: 203490261
Change-Id: Ic9994cdb8ed690996d83b46cfefbc228e35d34c3
2022-01-19 01:32:42 -08:00
John Reck
22903f0435 Add IAllocator stable-aidl
Test: Builds & boots; no sepolicy errors logged
Bug: 193558894
Change-Id: I11e162310548b67addc032ccc0d499cbf391e7f9
2022-01-18 19:40:26 -05:00
John Wu
ce225f8bfb Merge "Add keystore2 LIST permission to system_server" 2022-01-19 00:05:29 +00:00
Victor Hsieh
88d93b984a Remove odrefresh privileges no longer needed for CompOS
Bug: 210998077
Test: m; TH
Change-Id: I4188a52c42ede9fb248b889596b91c965696fb2d
2022-01-18 12:56:27 -08:00
Victor Hsieh
6f6815efde Remove compos_internal_service
Bug: 210998077
Test: m; TH
Change-Id: Id3c7fcab56de5f71b00e21bd53829b2471e07d77
2022-01-18 12:51:55 -08:00
Treehugger Robot
bcc280963d Merge "Revert "use dalvik.vm.boot-dex2oat-threads inside microdroid"" 2022-01-18 18:40:13 +00:00
Gabriel Biren
8f86dd4eef Merge "Add supplicant service to the dumpstate exceptions and dontaudit lists." 2022-01-18 18:15:46 +00:00
Jiyong Park
c9a7de49ea Revert "use dalvik.vm.boot-dex2oat-threads inside microdroid"
This reverts commit eee72d6cb3d9f5c6001192247861b28cb0787827.

REASON: not needed. See the other CL in the same topic.
Bug: 197358423
Test: m
Change-Id: Ice0813ed9e349e37c83b163e2c21f17bb1105013
2022-01-19 01:37:18 +09:00
Treehugger Robot
4da68c0fe4 Merge "use dalvik.vm.boot-dex2oat-threads inside microdroid" 2022-01-18 13:40:30 +00:00