Using hal_foo attributes in neverallow rules does not work because
they are auto-expanded to types. Use hal_foo_server types instead.
Fixes the following error:
unit.framework.AssertionFailedError: The following errors were
encountered when validating the SELinuxneverallow rule: neverallow
{ domain -coredomain -bluetooth -hal_bluetooth } { bluetooth_prop }:
property_service set; Warning! Type or attribute hal_bluetooth used
in neverallow undefined in policy being checked.
Test: CtsSecurityHostTestCases
Bug: 80153368
Change-Id: I2baf9f66d2ff110a4f181423790a1160a6e138da
Currently, permissions for ctl. property apply to each action verb, so
if a domain has permissions for controlling service 'foo', then it can
start, stop, and restart foo.
This change implements finer grainer permissions such that permission
can be given to strictly start a given service, but not stop or
restart it. This new permission scheme is mandatory for the new
control functions, sigstop_on, sigstop_off, interface_start,
interface_stop, interface_restart.
Bug: 78511553
Test: see appropriate successes and failures based on permissions
Merged-In: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
Change-Id: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
(cherry picked from commit 2208f96e9e)
Currently, permissions for ctl. property apply to each action verb, so
if a domain has permissions for controlling service 'foo', then it can
start, stop, and restart foo.
This change implements finer grainer permissions such that permission
can be given to strictly start a given service, but not stop or
restart it. This new permission scheme is mandatory for the new
control functions, sigstop_on, sigstop_off, interface_start,
interface_stop, interface_restart.
Bug: 78511553
Test: see appropriate successes and failures based on permissions
Change-Id: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
apns downloaded will enter a new directory that
TelephonyProvider can access.
Bug: 79948106
Test: Manual
Change-Id: I1e7660adf020dc7052da94dfa03fd58d0386ac55
Merged-In: I1e7660adf020dc7052da94dfa03fd58d0386ac55
The 'sync' tracepoint was updated to be 'fence' in kernel 4.9, so this
change also adds that one to the list.
Bug: 79935503
Test: Took a trace using 'sync' in user mode and saw the tracepoints
being saved.
Change-Id: I793c6f54cd9364f33853983f8c5dfb28b98c2708
This is needed when ueventd needs to read device tree files
(/proc/device-tree). Prior to acccess, it tries to read
"androidboot.android_dt_dir" from kernel cmdline for a custom
Android DT path.
Bug: 78613232
Test: boot a device without unknown SELinux denials
Change-Id: Iff9c882b4fcad5e384757a1e42e4a1d1259bb574
(cherry picked from commit 98ef2abb12)
This allows Android Keystore to statically register support for 3DES
during zygote initialization based on the device's support for hardware
backed 3DES keys.
Bug: b/79986680
Test: keystore CTS
Change-Id: Ic9a6653cdd623a3ab10e0efbcdb37c437e6c59b9
System properties can be abused to get around Treble requirements of
having a clean system/vendor split. This CL seeks to prevent that by
neverallowing coredomain from writing vendor properties.
Bug: 78598545
Test: build 2017/2018 Pixels
Test: build aosp_arm64
Change-Id: I5e06894150ba121624d753228e550ba9b81f7677
"storaged" service will be used by external clients, e.g. vold, dumpsys
"storaged_pri" service will only be used by storaged cmdline.
Bug: 63740245
Change-Id: I7a60eb4ce321aced9589bbb8474d2d9e75ab7042
(cherry picked from commit 37ab7c0917)
to workaround some VTS VtsKernelLtp failures introduced by
change on vfs_iter_write here:
abbb65899a%5E%21/#F3
for discussion please check threads here:
https://www.mail-archive.com/seandroid-list@tycho.nsa.gov/msg03348.html
Sandeep suggest to re-order the events in that thread,
that should be the right solution,
this change is only a tempory workaround before that change.
Bug: 79528964
Test: manually with -m VtsKernelLtp -t VtsKernelLtp#fs.fs_fill_64bit
Change-Id: I3f46ff874d3dbcc556cfbeb27be21878574877d1
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
(cherry picked from commit 64ff9e9523)
Merged-In: I3f46ff874d3dbcc556cfbeb27be21878574877d1
Mtp needs access to this path in order to
change files on an sdcard.
Fixes denial:
05-14 17:40:58.803 3004 3004 W MtpServer: type=1400 audit(0.0:46):
avc: denied { search } for name="media_rw" dev="tmpfs" ino=10113
scontext=u:r:mediaprovider:s0:c512,c768
tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir permissive=0
b/77925342 app=com.android.providers.media
Bug: 77849654
Test: no denials using mtp with emulated sdcard
Change-Id: I27b5294fa211bb1eff6d011638b5fdc90334bc80
Add an exemption to neverallow rule to use sockets from HAL servers only
for automotive build
Bug: 78901167
Test: assign this attribute to hal_vehicle_default and try to open
socket from HAL implementation
Test: verify that new CTS test will fail for non-automotive build with
this attribute buing used
Test: make cts && cts-tradefed run singleCommand cts --skip-device-info
--skip-preconditions --abi arm64-v8a --module CtsSecurityHostTestCases
-t android.security.cts.SELinuxHostTest
Change-Id: I27976443dad4fc5b7425c089512cac65bb54d6d9
This relaxes the neverallow rule blocking vendor_init from doing
anything to vold_metadata_file. The rules above it still prevent it
from doing anything other than relabelto and getattr.
Bug: 79681561
Test: Boot device and see no denials.
Change-Id: I1beb25bb9f8d69323c9fee53a140c2a084b12124
The property is set on builds which profile the boot image.
Test: m
Bug: 73313191
(cherry-pick form commit d99f4acf2d)
Merged-In: Ie0cd54f23250df02850c38bb14e92d4b1fa04f16
Change-Id: Ie0cd54f23250df02850c38bb14e92d4b1fa04f16
The goal is to allow creating profile snapshots from the shell command in
order to be able to write CTS tests.
The system server will dump profiles for debuggable in /data/misc/profman
from where they will be pulled and verified by CTS tests.
Test: adb shell cmd package snapshot-profile com.android.vending
Bug: 74081010
Change-Id: I54690305284b92c0e759538303cb98c93ce92dd5
com.android.server.power.PowerManagerServiceTest#testGetLastShutdownReasonInternal due to "RuntimeException: failed to set system property"
W/roidJUnitRunner: type=1400 audit(0.0:6): avc: denied { write } for name="property_service" dev="tmpfs" ino=13178 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
W/libc : Unable to set property "test.sys.boot.reason" to "shutdown,thermal": connection failed; errno=13 (Permission denied)
Had to use precise property definition as com.android.phone accesses
test properties as well.
Test: compile
Bug: 78245377
Change-Id: I2cc810846f8615f2a2fae8e0d4f41de585b7abd7
This should help fix presubmit tests.
Bug: 79414024
Test: Built policy.
Change-Id: Ic840150767ff6c2799ac3b5ef22ba139108c94dd
(cherry picked from commit 06e09abd25)
Bug: 71430241
Test: build/flash, grep for "avc: denied { read }" for mediacodec, should be empty on walleye
Change-Id: I12e1b11a969d3f979ca0cfbe4ca7db2bc5e46165
Let the audioserver record metrics with media.metrics service.
This is for 'audiopolicy' metrics.
Bug: 78595399
Test: record from different apps, see records in 'dumpsys media.metrics'
Change-Id: I63f9d4ad2d2b08eb98a49b8de5f86b6797ba2995
On userdebug builds we can now profile system server without disabling
selinux. This is the final piece, and allows the system server to save its
own profile.
Test: manual, on a device with system server profiling enabled
Bug: 73313191
(cherry picked from commit 71d8467b75)
Change-Id: I93e7e01bfbd3146a8cfd26a1f6e88b640e9c4e0f
It's used in build-time tests and in CTS.
Bug: 78898770
Test: build user-build
Change-Id: I254bf4d7ed0c0cb029b55110ceec982b84e4a91b
(cherry picked from commit beeb122405070a5b4cee326a0cdae92a1a791fbc)
This file is /vendor/etc/selinux/nonplat_sepolicy.cil from aosp_arm64-eng
from mr1-dev
Bug: 69390067
Test: prebuilt only change
Change-Id: I717513ae66e806afe0071cf5b42e9f709264d0b6
"storaged" service will be used by external clients, e.g. vold, dumpsys
"storaged_pri" service will only be used by storaged cmdline.
Bug: 63740245
Change-Id: I7a60eb4ce321aced9589bbb8474d2d9e75ab7042
The following commits were cherry-picked from internal master to AOSP,
but to avoid merge-conflicts we'll do a large diff instead of individual
cherry-picks:
521742e9799aefc916f53686efcadbde51e7decefff3fe2f08
Bug: 37916906
Test: angler builds and boots.
Merged-In: Ie010cc12ae866dbb97c387471f433158d3b699f3
Change-Id: I5126ebe88b9c76a74690ecf95851d389cfc22d1f
In order to bring AOSP development back in-line with master development,
some CLs were cherry-picked individually from internal master to AOSP,
which were then merged back into internal master (MERGED-IN was missing).
Due to merge-conflict pain, these are being reverted in favor of one
big diff. This CL reverts the changes that were auto-merged in as a result,
and can be used as the target of MERGED-IN when reverting the individual
cherry-picks in AOSP.
This reverts commit a08fe91ee5, reversing
changes made to 11481d1d95.
This reverts commit 7ec5ecfbb7, reversing
changes made to 6fecbbb27e.
Bug: 37916906
Test: Builds 'n' boots.
Add /dev/kmsg_debug on userdebug devices, to allow crash_dump to log
crashes to dmesg when logd isn't up yet (or is the one crashing).
(Originally commited in a015186fab)
(cherry-pick of commit: 3458ec135e)
Bug: 37916906
Bug: 36574794
Bug: 62101480
Test: Builds and boots.
Change-Id: I83aa392f49bb412d96534925fb02921a8f4731fa
More changes went into oc-dev after the freeze-date. Reflect them.
(cherry-pick of commit: 148578a623)
Bug: 37916906
Bug: 37896931
Test: prebuilts - none.
Change-Id: I3300751ea7362d5d96b327138544be65eb9fc483
commit: 5c6a227ebb added the oc-dev
sepolicy prebuilts (api 26.0), but did not include the corresponding
base mapping file, which is to be maintained along with current
platform development in order to ensure backwards compatibility.
(cherry-pick of commit: 5e4e0d7fba)
Bug: 37916906
Bug: 37896931
Test: none, this just copies the old mapping file to prebuilts.
Change-Id: Ia5c36ddab036352845878178fa9c6a9d649d238f
Copy the final system sepolicy from oc-dev to its prebuilt dir
corresponding to its version (26.0) so that we can uprev policy and
start maintaining compatibility files, as well as use it for CTS
tests targeting future platforms.
(cherry-pick of commit: 5c6a227ebb)
Bug: 37896931
Bug: 37916906
Test: none, this just copies the old policy.
Change-Id: Ib069d505e42595c467e5d1164fb16fcb0286ab93
The treble compatibility tests check for policy differences between old
and new policy. To do this correctly, we must not modify the policy which
represents the older policies. Move the files meant to be changed to a
different location from the ones that are not meant to be touched to avoid
any undesired changes to old policy, e.g. commit:
2bdefd65078d890889672938c6f0d2accdd25bc5
Bug: 36899958
Test: Build-time tests build.
Change-Id: I8fa3947cfae756f37556fb34e1654382e2e48372
untrusted_app_visible_hwservice was an attribute that was meant to
give partners time to add their HALs to AOSP. It was removed from mr1
and so needs to be accounted for in the compatibility mapping.
Bug: 64321916
Test: Builds with treble policy tests.
Change-Id: I359a842083016f0cf6c9d7ffed2116feb9e159c6
On Full Treble devices, servicemanager should only service
services from the platform service_contexts file.
Created new type to separate plat_ and nonplat_service_contexts,
and added new type to mapping (although I don't think this type
should have been used by vendors).
Bug: 36866029
Test: Marlin/Taimen boot
Change-Id: Ied112c64f22f8486a7415197660faa029add82d9
Commit: 2490f1adad meant to add
thermalserviced_tmpfs to the new_object list in the mapping file,
but copy-paste error resulted in thermalserviced_exec_tmpfs being
recorded instead. Fix this.
(cherry-pick of commit: fbacc656be)
Bug: 62573845
Test: None. prebuilt change.
Change-Id: Iab4eaef04742187d6397a539aae854651caa9935
