system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.
Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.
Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
Historically most uses of atrace happen via the shell domain.
There are two exceptions:
- boot tracing
- traced_probes
We need to get feature parity, so atrace has the same behavior
when is invoked either via shell or from its own domain (e.g.
via traced_probes that has an auto_trans rule into atrace on exec).
Atrace works by setting system properties to enable tracing from userspace
then poking all the binder services to read the system properties (see [1]) so
enabling the system_server category requires the ability to call binder
methods on the system_server.
For more use cases see b/113127224
[1]: 9ead54bed6/cmds/atrace/atrace.cpp (545)
Bug: 113127224
Test: Add an atrace category to the Perfetto config and confirm the data
shows up.
Change-Id: Id077eff960ffb1cdd7b0ce84b21ac9ef70444a4a
This CL adds the SELinux permissions required to execute
atrace and get userspace tracing events from system services.
This is to enable tracing of events coming from surfaceflinger,
audio HAL, etc.
atrace, when executed, sets a bunch of debug.atrace. properties
and sends an IPC via binder/hwbinder to tell the services to
reload that property.
This CL does NOT affect systrace. In that case (i.e. when
atrace is executed from adb/shell) atrace still runs in
the shell domain and none of those changes apply.
Change-Id: I11b096d5c5c5593f18bce87f06c1a7b1ffa7910e
Bug: b/73340039
This changes tracefs files to be default-enabled in debug mode, but
default-disabled with specific files enabled in user mode.
Bug: 64762598
Test: Successfully took traces in user mode.
Change-Id: I572ea22253e0c1e42065fbd1d2fd7845de06fceb
long live domain.te!
Remove all references.
Bug: 28760354
Test: build
Merged-In: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
Change-Id: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
appdomain only, and
* temporarily exempts the domains which are currently violating this
rule from this restriction. These domains are grouped using the new
"binder_in_vendor_violators" attribute. The attribute is needed
because the types corresponding to violators are not exposed to the
public policy where the neverallow rules are.
Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
sound, record slow motion video with sound. Confirm videos play
back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
atrace and its atrace_exec now exist only in private policy.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with atrace_current
which is expected now that atrace cannot be referenced from
public or vendor policy.
Bug: 31364497
Change-Id: Ib726bcf73073083420c7c065cbd39dcddd7cabe3
Make all platform tyeps public to start to prevent build breakage in any devices
that may have device-specific policy using these types. Future changes will
need to be carefully made to ensure we properly limit types for use by
non-platform policy.
Test: Builds
Change-Id: I7349940d5b5a57357bc7c16f66925dee1d030eb6
Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.
Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.
Test: Tested by building policy and running on device.
Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
