The space between 2K and 16K in /misc is currently reserved for vendor's
use (as claimed in bootloader_message.h), but we don't allow vendor
module to access misc_block_device other than vendor_init.
The change in the topic adds a `misc_writer` tool as a vendor module,
which allows writing data to the vendor space to bridge the gap in the
short term. This CL adds matching labels to grant access.
Long term goal is to move /misc as vendor owned, then to provide HAL
access from core domain (b/132906936).
Bug: 132906936
Test: Build crosshatch that includes misc_writer module. Invoke
/vendor/bin/misc_writer to write data to /misc.
Change-Id: I4c18d78171a839ae5497b3a61800193ef9e51b3b
apexd needs to read /vendor/apex dir and files in it.
Bug: 131190070
Bug: 123378252
Test: 1. Add apex to /vendor/apex
-> see if boot succeeds with new policy
2. Add flattened apex to /vendor/apex
-> see if only root files are labelled as vendor_apex_file
Change-Id: I37795ab6d659ac82639ba5e34d628fe1b5cdb350
This change allows first-stage init to mount a tmpfs under
/debug_ramdisk to preserve files from the debug ramdisk, for
second-stage init to load sepolicy and property files.
This is to allow adb root on a USER build if the device is unlocked.
Bug: 126493225
Test: boot a device with debug ramdisk, checks related files are loaded
Change-Id: Iad3b84d9bdf5d8e789219126c88701bf969253ef
"This symlink was suppose to have been removed in the Gingerbread
time frame, but lives on."
https://android.googlesource.com/platform/system/core/+/d2f0a2c%5E!/
Apps targeting R+ must NOT use that symlink.
For older apps we allow core init.rc to create
/mnt/sdcard -> /storage/self/primary symlink.
Bug: 129497117
Test: boot device, /mnt/sdcard still around.
Change-Id: I6ecd1928c0f598792d9badbf6616e3acc0450b0d
The bootstrap bionic (/system/lib/bootstrap/*) are only to the early
processes that are executed before the bionic libraries become available
via the runtime APEX. Allowing them to other processes is not needed and
sometimes causes a problem like b/123183824.
Bug: 123183824
Test: device boots to the UI
Test: atest CtsJniTestCases:android.jni.cts.JniStaticTest#test_linker_namespaces
Change-Id: Id7bba2e8ed1c9faf6aa85dbbdd89add04826b160
While the directory is not present anymore in Q, it has been shipped on
Q Beta 2 and the absence of such label might cause issues to devices
with pending installs which receive an OTA > Beta 2.
Bug: 130184133
Test: m
Merged-In: Ie3e77eebd2e7fd7b3a6a940d189cbc2bb386dc0e
Change-Id: Ie3e77eebd2e7fd7b3a6a940d189cbc2bb386dc0e
/system/bin/auditctl is executed by init to set the kernel audit
throttling rate limit. Grant the rules necessary for this to happen.
Test: compiles and boots
Test: Perform an operation which generates lots of SELinux denials,
and count how many occur before and after the time period.
Bug: 118815957
Change-Id: Id9df65497d1172ab7c2e84ff6a43722f11c61620
We no longer have /system/etc/security/apex/* as the public keys are all
bundled in APEXes. Removing the selinux label and policies for it.
Bug: 936942
Test: device is bootable
Change-Id: I6b6144a8d15910d1ba8584a0778244ed398dc615
fsverity_init is a new shell script that uses mini-keyctl for the actual
key loading. Given the plan to implement keyctl in toybox, we label
mini-keyctl as u:object_r:toolbox_exec:s0.
This gives us two benefits:
- Better compatibility to keyctl(1), which doesn't have "dadd"
- Pave the way to specify key's security labels, since keyctl(1)
doesn't support, and we want to avoid adding incompatible option.
Test: Boot without SELinux denial
Test: After boot, see the key in /product loaded
Bug: 128607724
Change-Id: Iebd7c9b3c7aa99ad56f74f557700fd85ec58e9d0
- lpdump is a binary on the device that talks to lpdumpd
via binder.
- lpdumpd is a daemon on the device that actually reads
dynamic partition metadata. Only lpdump can talk to it.
Bug: 126233777
Test: boots (sanity)
Test: lpdump
Change-Id: I0e21f35ac136bcbb0603940364e8117f2d6ac438
This is a partial revert of https://android-review.googlesource.com/c/platform/system/sepolicy/+/891474
The mount points at /bionic are gone. Therefore, init and
otapreopt_chroot do not need to bionic-mount bionic libraries.
Corresponding policies are removed.
Bug: 125549215
Bug: 113373927
Bug: 120266448
Test: m; device boots
Change-Id: I9d9d7ec204315fb5b66beec4e6a3c529bd827590
Set the apex_key context for files in
/product/etc/security/apex/ and
/system/product/etc/security/apex/.
The apexd code is already looking for public keys in these locations,
but the apex_key context needs to be set to make them accessible from
apexd.
Bug: 127690808
Test: manual - verified that key files had proper SE-Linux label
Change-Id: Ib15728fa97eb438ea97a9743a06fa46e4d54f1cd
With the CLs in the same topic, it's being built as a dynamically linked
executable. And this applies to normal boot (including charger mode) and
recovery mode both.
/system/bin/charger under normal boot will be labeled as charger_exec,
which has the attribute of system_file_type.
The file in recovery image will still be labeled as rootfs. So we keep
the domain_trans rule for rootfs file, but allowing for recovery mode
only.
Bug: 73660730
Test: Boot into charger mode on taimen. Check that charger UI works.
Test: Boot into recovery mode. Check that charger process works.
Change-Id: I062d81c346578cdfce1cc2dce18c829387a1fdbc
Add ART boot integrity check domain. Give it rights to run
fsverity and delete boot classpath artifacts.
Bug 125474642
Test: m
Test: boot
Change-Id: I933add9b1895ed85c43ec712ced6ffe8f820c7ec
This is an area that apexd can use to store session metadata, which
won't be rolled back with filesystem checkpointing.
Bug: 126740531
Test: builds
Change-Id: I5abbc500dc1b92aa46830829be76e7a4381eef91
The device OS and an installed GSI will both attempt to write
authentication data to the same weaver slots. To prevent this, we can
use the /metadata partition (required for GSI support) to communicate
which slots are in use between OS images.
To do this we define a new /metadata/password_slots directory and define
sepolicy to allow system_server (see PasswordSlotManager) to access it.
Bug: 123716647
Test: no denials on crosshatch
Change-Id: I8e3679d332503b5fb8a8eb6455de068c22eba30b
This is needed in cases SELinux labels are restored under /data/apex by
an external process calling restorecon. In normal condition files under
/data/apex/active retain the label staging_data_file used at their
original creation by StagingManager. However, we observed that the label
might be changed to apex_data_file, which we were able to reproduce by
running restorecon.
Explicitly mark files under /data/apex/active and /data/apex/backup as
staging_data_file.
This CL also remove some stale rules being addressed since.
Test: ran restorecon on files in /data/apex/active, attempted installing
a new apex which triggered the violation when files are linked to
/data/apex/backup. With this CL, the operation succeeds.
Bug: 112669193
Change-Id: Ib4136e9b9f4993a5b7e02aade8f5c5e300a7793c
Vendors should be able to specify additional cgroups and task profiles
without changing system files. Add access rules for /vendor/etc/cgroups.json
and /vendor/etc/task_profiles.json files which will augment cgroups and
task profiles specified in /etc/cgroups.json and /etc/task_profiles.json
system files. As with system files /vendor/etc/cgroups.json is readable
only by init process. task_profiles.json is readable by any process that
uses cgroups.
Bug: 124960615
Change-Id: I12fcff0159b4e7935ce15cc19ae36230da0524fc
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
System suspend service is not a HAL, so avoid using HAL-specific macros
and attributes.
Use system_suspend_server attribute for ISystemSuspend.hal permissions.
Use system_suspend type directly for internal .aidl interface
permissions.
Bug: 126259100
Test: m selinux_policy
Test: blueline boots; wakelocks can still be acquired; device suspends
if left alone.
Change-Id: Ie811e7da46023705c93ff4d76d15709a56706714
This sets up a selinux domain (notify_traceur) that can be called from
init and has the permissions to run the activitymanager script.
Bug: 116754134
Test: manual
Change-Id: Ia371bafe5d3d354efdf8cd29365cd74ed3e5cdfd
all_untrusted_apps apart from untrusted_app_{25, 27} and mediaprovider
are now expected to go to ashmemd for /dev/ashmem fds.
Give coredomain access to ashmemd, because ashmemd is the default way
for coredomain to get a /dev/ashmem fd.
Bug: 113362644
Test: device boots, ashmemd running
Test: Chrome app works
Test: "lsof /system/lib64/libashmemd_client.so" shows
libashmemd_client.so being loaded into apps.
Change-Id: I279448c3104c5d08a1fefe31730488924ce1b37a
cgroups.json file contains cgroup information required to mount
cgroup controllers and is readable only by init process.
cgroup.rc contains cgroup map information consisting of the list of
cgroups available in the system and their mounting locations. It is
created by init process and should be readable by any processes that
uses cgroups and should be writable only by init process.
task_profiles.json file contains task profiles used to operate on
cgroups. This information should be readable by any process that uses
cgroups and should be writable only by init process.
Bug: 111307099
Test: builds, boots
Change-Id: Ib2c87c0fc3663c7fc69628f05c846519b65948b5
Merged-In: Ib2c87c0fc3663c7fc69628f05c846519b65948b5
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
mini-keyctl is a binary used to load channel keys to .fsverity keyring.
This CL creates a new domain for mini-keyctl and a type for /proc/keys
and adds allow rules needed by this binary.
Bug: 112038861
Test: manual
Merged-In: I3b744d302859a02dfe63c81c7f33bb30912d7994
Change-Id: I3b744d302859a02dfe63c81c7f33bb30912d7994
Bootstap linker has been moved from /system/bin/linker[64] to
/system/bin/bootstrap/linker[64]. Reflect the change in file_contexts.
Existing paths are not removed since the bootstrap linker (or the
linker from the rumtime APEX) will be bind-mounted to the old path by
init.
Also label the files under /bionic which serve as mount points for
either of the bootstrap bionic or the bionic from the runtime APEX.
In addition, read access for the symlinks in /system/lib/*.so and
/system/bin/linker is granted. This is because Bionic files in the paths
are now symlinks to the corresponding mountpoints at /bionic.
Bug: 120266448
Test: device boots to the UI
Change-Id: Iea4d76eb46754b435b6c5428481cd177da8d2ee1
Directory `/postinstall/apex` is used as a mount point for a tmpfs
filesystem during A/B OTA updates. APEX packages from the new system
partition are mounted ("activated") in subdirectories of
`/postinstall/apex`, so that they are available when `otapreopt` is
running.
Directory `/postinstall/apex` used to be of type `tmpfs` for SELinux
purposes. The new `postinstall_apex_mnt_dir` label is more
restrictive, and tightens permissions granted to `otapreopt_chroot`,
`otapreopt` (running as `postinstall_dexopt`), and `dex2oat`,
regarding the apexd logic recently added to `otapreopt_chroot`.
Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 113373927
Bug: 120796514
Change-Id: I03f0b0433d9c066a0c607f864d60ca62fc68c990
We will generate precompiled layouts as part of the package install or upgrade
process. This means installd needs to be able to invoke viewcompiler. This
change gives installd and viewcompiler the minimal set of permissions needed for
this to work.
Bug: 111895153
Test: manual
Change-Id: Ic1fe60bd264c497b5f79d9e1d77c2da4e092377b
This patch adds the necessary SELinux contexts for the blastula pool
sockets.
Topic: zygote-prefork
Test: make & flash & check log for message
Bug: 68253328
Change-Id: I46d62e5ab8c573cb7704feec2b1d42d91a990fd9
The backup system service will move its storage location to per-user CE
directories to support multiple users. Add additional iterations on the
existing rules to support the new location.
/data/backup -> /data/system_ce/[user id]/backup
Previously covered by rule backup_data_file
/cache/backup -> /data/system_ce/[user id]/backup_stage
Previously covered by rule cache_backup_file
Also add support for vold to create and perform restorecon on the new
locations.
Example denials and detailed proposal in the doc on the linked bug.
Bug: 121197420
Test: 1) Boot device; check dirs created with correct label; run backup
successfully on system user
2) Create secondary user; check dirs created with correct label; run
backup successfully
Change-Id: I47faa69cd2a6ac55fb762edbf366a86d3b06ca77
Define a rollback_data_file label and apply it to the snapshots
directory. This change contains just enough detail to allow
vold_prepare_subdirs to prepare these directories correctly.
A follow up change will flesh out the access policy on these
directories in more detail.
Test: make, manual
Bug: 112431924
Change-Id: I4fa7187d9558697016af4918df6e34aac1957176
update_engine no longer needs a standalone bspatch executable since [1]
(which first landed into O). And we don't ship /system/bin/bspatch on
device by default.
[1] https://android-review.googlesource.com/c/platform/system/update_engine/+/327365
Test: Verify that /system/bin/bspatch doesn't exist on device.
Test: Trigger an A/B OTA install for aosp_walleye-userdebug:
`m dist`;
`system/update_engine/scripts/update_device.py out/dist/aosp_walleye-ota.zip`.
No update_engine related denial.
Change-Id: Iff578bdb0b1909092dd19feff069755a44d29398
This was a regression in Q, and the file is an implementation of
liblog.
Bug: 113083310
Test: use tags from vendor and see no denials
Change-Id: I726cc1fcfad39afc197b21e431a687a3e4c8ee4a
Test: basic workflow between apexd and PackageManager tested with
changes being developed.
Bug: 118865310
Change-Id: I1ae866f33e9b22493585e108c4fd45400493c7ac
Make /(product|system/product)/vendor_overlay/<ver> have the vendor
file context.
If vendor_overlay requires to mount on the vendor directories other
than 'vendor_file', the contexts must be defined in the device
specific sepolicy files.
Bug: 119076200
Test: build and check if the files are overided and have the required
sepolicy contexts.
Change-Id: I69ed38d4ea8e7d89f56865b1ca1e26f290e9892d
