This node ID will be used to uniquely and anonymously identify a device
by profcollectd on engineering (userdebug or eng) builds.
Test: build
Change-Id: If01f71c62479d63d4d19aac15da24bc835621e66
IKeystoreService is a VINTF stability interface, and keystore2 is now
using this interface correctly from Rust.
Test: m && adb shell start keystore2
Bug: 179907868
Change-Id: I3b583df2fac7e6bca7c1875efb7650f9ea0a548c
qemu.hw.mainkeys exists both in plat_property_contexts and
vendor_property_contexts. This would cause breakage in GSI build
for certain vendors. To fix, add `exact {type}` to make the property
defined in system takes precedence.
Bug: 180412668
Signed-off-by: Weilun Du <wdu@google.com>
Change-Id: I1268e6a202d561a1e43f3d71fb38c6000042306b
As data and obbs are already mounted to lowerfs, and we need per app visibility isolation to mount
on those directories.
Here's the warning if we do not add it.
3094 3094 W main : type=1400 audit(0.0:36): avc: denied { mounton } for path="/storage/emulated/0/Android/obb" dev="dm-5" ino=9206 scontext=u:r:zygote:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=0
Bug: 182997439
Test: No selinux warnings during boot.
Change-Id: Id78d793e70acf0d7699c006e19db6d7fda766bf1
Introduce the convert_storage_key_to_ephemeral permission to the
keystore2_key access vector and give vold permission to use it. This
permission must be checked when a caller wants to get a per-boot
ephemeral key from a long lived wrapped storage key.
Bug: 181806377
Bug: 181910578
Change-Id: I542c084a8fab5153bc98212af64234e62e9ad032
* Permits setting the sys.drop_caches property from shell.
* Permits init to read and write to the drop_caches file.
* Can only be set to 3 (drop_caches) and 0 (unset).
Bug: 178647679
Test: flashed user build and set property; no avc denials.
Test: flashed userdebug build and dropped caches w/o root.
Change-Id: Idcedf83f14f6299fab383f042829d8d548fb4f5d
Revert submission 1602413-derive_classpath
Bug: 180105615
Fix: 183079517
Reason for revert: SELinux failure leading to *CLASSPATH variables not being set in all builds
Reverted Changes:
I6e3c64e7a:Introduce derive_classpath service.
I60c539a8f:Exec_start derive_classpath on post-fs-data.
I4150de69f:Introduce derive_classpath.
Change-Id: I17e2cd062d8fddc40250d00f02e40237ad62bd6a
The lockdown hook defines 2 modes: integrity and confidentiality [1].
The integrity mode ensures that the kernel integrity cannot be corrupted
by directly modifying memory (i.e. using /dev/mem), accessing PCI
devices, interacting with debugfs, etc. While some of these methods
overlap with the current policy definition, there is value in enforcing
this mode for Android to ensure that no permission has been overly
granted. Some of these detection methods use arbitrary heuristic to
characterize the access [2]. Adapt part of the policy to match this
constraint.
The confidentiality mode further restricts the use of other kernel
facilities such as tracefs. Android already defines a fine-grained
policy for these. Furthermore, access to part of tracefs is required in
all domains (see debugfs_trace_marker). Allow any access related to this
mode.
[1] https://lore.kernel.org/linux-api/20190820001805.241928-4-matthewgarrett@google.com/
[2] https://lore.kernel.org/linux-api/20190820001805.241928-27-matthewgarrett@google.com/
Bug: 148822198
Test: boot cuttlefish with patched kernel; check logcat for denials.
Test: run simpleperf monitor to exercise tracefs; check logcat for denials.
Change-Id: Ib826a0c153771a61aae963678394b75faa6ca1fe
ART runtime will be using userfaultfd for a new heap compaction
algorithm. After enabling userfaultfd in android kernels (with SELinux
support), the feature needs policy that allows { create ioctl read }
operations on userfaultfd file descriptors.
Bug: 160737021
Test: Manually tested by exercising userfaultfd ops in ART
Change-Id: I9ccb7fa9c25f91915639302715f6197d42ef988e
When a device define BOARD_SHIPPING_API_LEVEL with an API level, it
sets a vendor property ro.board.first_api_level in vendor/build.prop.
This property is initiated by vendor_init and read-only.
Bug: 176950752
Test: getprop ro.board.first_api_level
Change-Id: Ia09d2e80f1ca4a79dbe4eb0dc11b189644819cad
FYI: running networking tests needs extra privs:
#============= su ==============
allow su self:capability2 bpf;
#============= untrusted_app ==============
allow untrusted_app self:key_socket create;
allow untrusted_app self:netlink_route_socket { bind nlmsg_readpriv };
allow untrusted_app self:packet_socket create;
But obviously we can't add the last three, and not even sure about the first.
Test: atest, TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I778ccaf5d100cb26f167a0c690e0125594d477c3
These properties are used to communicate odsign status, and allow init
to evict keys and start zygote at the correct moments in time.
Bug: 165630556
Test: no denials from init/odsign
Change-Id: I813e5c1c93d6f00a251a9cce02d0b74e5372c1ce
This type is used for properties that provides per-device configuration
for apexd behaviour (so far - timeouts for creating/deleting dm device).
Test: builds
Bug: 182296338
Change-Id: Ib815f081d3ab94aa8c941ac68b57ebe661acedb9
This CL adds a new keystore2 permission "get_auth_token"and grants this
permission to credstore which needs to call keystore2 to obtain
authtokens.
Bug: 159475191
Test: CtsVerifier
Change-Id: I1c02ea73afa6fe0b12a2d74e51fb4a8a94fd4baf
In order to test the platform in emulators that are orders of magnitude
slower than real hardware we need to be able to avoid hitting timeouts
that prevent it from coming up properly. For this purpose introduce
a system property, ro.hw_timeout_multiplier, which may be set to
an integer value that acts as a multiplier for various timeouts on
the system.
Bug: 178231152
Change-Id: I6d7710beed0c4c5b1720e74e7abe3a586778c678
Merged-In: I6d7710beed0c4c5b1720e74e7abe3a586778c678
The service generates /data/system/environ/classpath with values for
BOOTCLASSPATH, SYSTEMSERVERCLASSPATH, and DEX2OATCLASSPATH to be
exported by init.
See go/updatable-classpath for more details.
Bug: 180105615
Test: manual
Change-Id: I4150de69f7d39f685a202eb4f86c27b661f808dc
This property is many years old and it does not have a property
context associated with it. It is set by the system server (in
particular, ConnectivityService code, in the Tethering module)
and read by init, which does:
on property:net.tcp_def_init_rwnd=*
write /proc/sys/net/ipv4/tcp_default_init_rwnd ${net.tcp_def_init_rwnd}
There is no need to add read access to init because init can read
and write any property.
Test: m
Fix: 170917042
Change-Id: I594b09656a094cd2ef3e4fd9703e46bf7b2edd4c
This property is written by an .rc file - see aosp/1553819 - and
read by the connectivity mainline code in the system server.
Test: m
Bug: 182333299
Change-Id: Ibac622f6a31c075b64387aadb201ad6cdd618ebd
The persistent data block is protected by a copy-on-write scratchpad when
running a Dynamic System Update (DSU). The copy-on-write scratchpad
uses a backing file for write operations. This CL adds permissions
to write the backing file for the PersistentDataBlockService.
Bug: 175852148
Test: gsi_tool install & vts_kernel_net_tests
Change-Id: Id0efe407e707fc382679c0eee249af52f877f5d2
The connectivity service manager gets a reference to the tethering
service in its constructor. This causes SELinux denials when the
RemoteProvisioner app attempts to use the connectivity service manager
to figure out when a network is available in order to provision keys.
Test: No SELinux denials!
Change-Id: Icbd776a9b81ee9bb22a2ac6041198fe0a6d3a0d0
A number of things have changed, such as how the linkerconfig is
managed. Update permissions to reflect the changes.
Bug: 181182967
Test: Manual OTA of cuttlefish
Change-Id: I32207eb7c5653969e5cef4830e18f8c8fb330026
Create contexts for /sys/kernel/tracing/instances/bootreceiver
Allow read access to files in this dir for system_server.
Bug: 172316664
Bug: 181778620
Test: manual runs with KFENCE enabled
Signed-off-by: Alexander Potapenko <glider@google.com>
Change-Id: I7021a9f32b1392b9afb77294a1fd0a1be232b1f2
As part of the keystore2 requirement, we give the keys used for
resume on reboot a separate context in keystore. And grant system
server the permission to generate, use and delete it.
Bug: 172780686
Test: resume on reboot works after using keystore2
Change-Id: I6b47625a0864a4aa87b815c6d2009cc19ad151a0
Now that we have proper API using which update_engine can ask apexd to
reserve space, we no longer need to allow update_engine access to
directories at /data/apex.
Instead, apexd should get those permission.
Bug: 172911822
Test: atest ApexHandlerAndroidTest
Change-Id: I3a575eead0ac2fef69e275077e5862e721dc0fbf
Zygote will trigger sdcardfs to read and open media_rw_data_file:dir.
We can safely ignore this message.
Bug: 177248242
Test: Able to boot without selinux warning.
Change-Id: Ie9723ac79547bf857f55fc0e60b461210a4e4557
This allows the FUSE daemon handle FUSE_LOOKUP requests across user boundaries.
Workaround to support some OEMs for their app cloning feature in R
Bug: 162476851
Bug: 172177780
Test: Manual
Change-Id: Ic1408f413ec3dc4917d3acfda2c5f62f9c16f187
Revert submission 1572240-kernel_bootreceiver
Reason for revert: DroidMonitor: Potential culprit for Bug 181778620 - verifying through Forrest before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.
Reverted Changes:
Ic1c49a695:init.rc: set up a tracing instance for BootReceive...
I828666ec3:Selinux policy for bootreceiver tracing instance
Change-Id: I9a8da7ae501a4b7c3d6cb5bf365458cfd1bef906
The policies allow system server to register a pac_proxy_service.
Bug: 177035719
Test: FrameworksNetTests
Change-Id: Idf64dc6e491f5bce66dcab2dbf15823c8d0c2403
This property is set to true in rollback tests to prevent
fallback-to-copy when enabling rollbacks by hard linking.
This gives us insights into how hard linking fails where
it shouldn't.
Bug: 168562373
Test: m
Change-Id: Iab22954e9b9da21f0c3c26487cda60b8a1293b47
Create contexts for /sys/kernel/tracing/instances/bootreceiver
Allow read access to files in this dir for system_server.
Bug: 172316664
Test: manual runs with KFENCE enabled
Signed-off-by: Alexander Potapenko <glider@google.com>
Change-Id: I828666ec3154aadf138cfa552832a66ad8f4a201
This is required in addition to reading files under the dir, so that
profcollectd can generate profiles for them.
Test: presubmit
Bug: 166559473
Change-Id: Ic46acab3cfc01c549e2f3ba5e765cb2c4ac8a197
This is required for it to be able to create DEVMAP/DEVMAP_HASH maps.
See kernel source code in kernel/bpf/devmap.c:
static struct bpf_map *dev_map_alloc(union bpf_attr *attr) {
...
if (!capable(CAP_NET_ADMIN)) return ERR_PTR(-EPERM);
Test: atest, TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I2fc5b1541133859857fc9baa7564965f240c842a
odrefresh should setattr on generated artifacts. This is apparent now
that it is now launched from init which sets a restrictive umask on
forked processes.
Bug: 181397437
Test: manually apply ART APEX update
Change-Id: I8e30c1ef1e42b3b68b3c07e860abb4dc2728e275
We no longer use this sysprop-based interface for communication between
Traceur and Perfetto, this change removes the associated policy.
Test: atest TraceurUiTests
Bug: 179923899
Change-Id: Ic59d866d3c75a3f804f6c19a703d6d10560c627a
qemu.sf.lcd_density is rerefenced by surfaceflinger
and zygote.
Bug: 178144237
Test: presubmit
Signed-off-by: Roman Kiryanov <rkir@google.com>
Change-Id: Iede75d1170aeac9d020d60a3a66a1f69cee46abf
Merged-In: Iede75d1170aeac9d020d60a3a66a1f69cee46abf
Vendor boot hal, init, and vold processes all require permission.
Test: build and boot aosp_cf_x86_64_phone
Bug: 173815685
Change-Id: I15692dcd39dfc9c3a3b7d8c12d03eff0a7c96f72
System files in recovery are labelled as rootfs, so we need an explicit
transition to snapuserd. Without this, factory data resets will fail
with a VABC OTA pending, with the following denial:
avc: denied { entrypoint } for pid=522 comm="init" path="/system/bin/snapuserd"
dev="rootfs" ino=1491 scontext=u:r:snapuserd:s0 tcontext=u:object_r:rootfs:s0
tclass=file permissive=0
Bug: 179336104
Test: factory data reset with VABC OTA pending
Change-Id: Ia839d84a48f2ac8ccb37d6ae3b1f8a8f7e619931
The RemoteProvisioner app builds a DeviceInfo CBOR object which is
eventually used as AAD to verify the authenticity of a signed MAC key in
the remote provisioning spec. One of those fields is vendor security
patch level, which this patch grants access for the remote_prov_app
domain to read.
Test: No denials! (atest RemoteProvisionerUnitTests)
Change-Id: Iab0426fb5ec184cda171d67451bf44cae897bf9b
When we serve compressed APEX via OTA, we need to ensure device has
enough space to decompress them during boot. In order to do that,
update_engine will need to pass metadata about the OTA to apexd so that
it can make calculation about space requirments. Update engine in return
will display warning to user if the space requirement can't be
fulfilled.
Bug: 172911822
Test: manual
Change-Id: Idff25ac8e5165da70c539edcf6b292e04299a5c6
odsign exec()'s odrefresh, which in turn exec()'s dexoptanalyzer.
Bug: 165630556
Test: No denials on boot
Change-Id: Ie97726cfbdbf09f75fa0b00d34ee10c9bdf5a5d7
This reverts commit 809eb75553.
Reason for revert: should allow shell to do it instead
Change-Id: Ie07b86d1308cb41885957d2214ed7ce190f5ae18
Test: pass
Bug: 179427873
Adding 'ro.surface_flinger.enable_layer_caching' to control
whether layer caching feature should be enabled or not.
Bug: 158790260
Change-Id: I3ceb84d2a9209b2c422ba93057e9323ca6816ca5
This primarily affects perfetto's traced_probes and shell-invoked
binaries like atrace, but also anyone with access to "debugfs_tracing".
These tracepoints are being actively collected in internal tracing, so
we would like to also make them available on release builds, as they
should be a source of useful system information there as well.
The ones we definitely need:
* sched_waking, sched_wakeup_new: both are similar to the
already-allowed sched_wakeup. The first differs in which exact process
context it occurs in, and the latter is the wakeup events of only the
fresh tasks.
* oom/mark_victim: contains only the pid of the victim. Useful for
memory-related tracing and analysis.
The other events in this patch are of lesser importance, but also are
fairly straightforward - clocks and priority for frequency/power tracing.
Small extra change: sched_process_free was only relabeled in the tracefs
block, so I've added it to debugfs to keep them in sync. (I wonder whether
debugfs is even necessary at this point... but that's outside of scope
here.)
See the attached bug for a longer explanation. There will also be a
separate patch for system/frameworks/native/atrace/atrace.rc for the
Unix file permissions of these files.
Bug: 179788446
Tested: I did not have access to a "user" build, but I've manually
checked the labels of events/.../enable tracefs files via ls -Z,
and strace'd traced_probes on a hacky debug build where I
commented out its SELinux allow-rule for debugfs_tracing_debug.
Change-Id: I15a9cb33950718757e3ecbd7c71de23b25f85f1d
Give it the u:object_r:ota_prop:s0 since the prop is only set
after an update.
Bug: 177625570
Test: boot the device, check the prop is written by update_engine
Change-Id: I4cf21d2a6af2a2083d4a5eba7751011cc6d0c522
Revert submission 1582845-qemu-prop
Reason for revert: aosp_hawk-userdebug is broken on an RVC branch
Reverted Changes:
Idfc2bffa5:Add qemu.hw.mainkeys to system property_contexts
If013ff33f:Remove qemu.hw.mainkeys from vendor_qemu_prop
Bug: 180412668
Change-Id: I335afb931eaeb019f66e3feedea80b0c8888f7a3
This SEPolicy change allows the hal_keymint domain to add
hal_remotelyprovisionedcomponent_service to hwservice_manager.
Test: The Keymint HAL can successfully start an instance of
IRemotelyProvisionedComponent
Change-Id: I15f34daf319e8de5b656bfacb8d050950bf8f250
system_server must be allowed to create process groups in behalf of
processes spawned by the app zygote
Bug: 62435375
Bug: 168907513
Test: verified that webview processes are migrated in their own process
group
Change-Id: Icd9cd53b759a79fe4dc46f7ffabc0cf248e6e4b8
We want to label /sys/fs/bpf/tethering/... with a new label distinct
from /sys/fs/bpf, as this will allow locking down the programs/maps
tighter then is currently possible with the existing system.
These programs and maps are provided via the tethering mainline module,
and as such their number, names, key/value types, etc. are all prone to
be changed by a tethering mainline module update.
Test: atest, TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ifc4108d76a1106a936b941a3dda1abc5a65c05b0
Bug: 168907513
Test: verified the correct working of the v2 uid/pid hierarchy in normal
and recovery modes
This reverts commit aa8bb3a29b.
Change-Id: Ib344d500ea49b86e862e223ab58a16601eebef47
