Commit graph

15 commits

Author SHA1 Message Date
Nicolas Geoffray
78f0250077 Allow dex2oat to read /apex/apex-info-list.xml
Test: ART tests
Bug: 182465342
Change-Id: Ied9f41d59795fa72b9806c71241ae0c9bc05ce48
2021-04-28 13:37:27 +01:00
Treehugger Robot
baf84ee461 Merge "Add SELinux policy for using userfaultfd" 2021-03-17 15:04:51 +00:00
Lokesh Gidra
06edcd8250 Add SELinux policy for using userfaultfd
ART runtime will be using userfaultfd for a new heap compaction
algorithm. After enabling userfaultfd in android kernels (with SELinux
support), the feature needs policy that allows { create ioctl read }
operations on userfaultfd file descriptors.

Bug: 160737021
Test: Manually tested by exercising userfaultfd ops in ART
Change-Id: I9ccb7fa9c25f91915639302715f6197d42ef988e
2021-03-17 04:57:22 -07:00
Jeff Vander Stoep
4c0259d5c7 Fix otapreopt_chroot
A number of things have changed, such as how the linkerconfig is
managed. Update permissions to reflect the changes.

Bug: 181182967
Test: Manual OTA of cuttlefish
Change-Id: I32207eb7c5653969e5cef4830e18f8c8fb330026
2021-03-05 14:50:29 -08:00
Martijn Coenen
6afdb72cbb SELinux policy for on-device signing binary.
Bug: 165630556
Test: no denials on boot
Change-Id: I9d75659fb1eaea562c626ff54521f6dfb02da6b3
2021-02-03 16:15:48 +01:00
Roland Levillain
d7227d8816 Allow dex2oat to read runtime native flag properties.
This is in prevision of future `dex2oat` feature / experiments flags
set in namespaces `runtime_native` and `runtime_native_boot`.

In Android S, ART is becoming an updatable Mainline module (which will
include `dex2oat`). In the future, we may want to run experiments or
test new features using the Android Experiments framework. Such
experiments/features are enabled via feature flags, implemented as
Android system properties for native code.

To be able to read such properties, we need to give the read
permission to the relevant binaries. At the moment, this can only be
done in the SELinux policy of the Android platform, which cannot be
updated via a Mainline update. To give us the opportunity to conduct
such experiments in `dex2oat` via an ART Mainline Module update after
Android S has shipped (e.g. by having `dex2oat` query a system
property in `persist.device_config.runtime_native.*` ), we need to
have this permission set in the Android S platform now.

Test: mmma system/sepolicy
Change-Id: I0a83e9f0ec19884a99ef9693d55084376bff8762
2021-02-02 15:55:48 +00:00
Orion Hodson
8f75f76fbd Permissions for odrefresh and /data/misc/apexdata/com.android.art
odrefresh is the process responsible for checking and creating ART
compilation artifacts that live in the ART APEX data
directory (/data/misc/apexdata/com.android.art).

There are two types of change here:

1) enabling odrefresh to run dex2oat and write updated boot class path
   and system server AOT artifacts into the ART APEX data directory.

2) enabling the zygote and assorted diagnostic tools to use the
   updated AOT artifacts.

odrefresh uses two file contexts: apex_art_data_file and
apex_art_staging_data_file. When odrefresh invokes dex2oat, the
generated files have the apex_art_staging_data_file label (which allows
writing). odrefresh then moves these files from the staging area to
their installation area and gives them the apex_art_data_file label.

Bug: 160683548
Test: adb root && adb shell /apex/com.android.art/bin/odrefresh
Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
2021-01-13 10:38:22 +00:00
Orion Hodson
76ce7f5eaa Remove policy for deprecated ART apex update scripts
Earlier changes removed the scripts for ART APEX pre- and post-install
hooks (I39de908ebe52f06f19781dc024ede619802a3196) and the associated
boot integrity checks (I61b8f4b09a8f6695975ea1267e5f5c88f64a371f), but
did not cleanup the SELinux policy.

Bug: 7456955
Test: Successful build and boot
Test: adb install com.android.art.debug && adb reboot
Change-Id: I1580dbc1c083438bc251a09994c28107570c48c5
2020-09-30 16:14:41 +01:00
Victor Hsieh
3fcc046e14 Clean up old policy used for patchoat
Patchoat used to generate symlinks in /data/dalvik-cache that is later
referred by dex2oat. Since patchoat has been removed in Q, it should be
safe to remove the policy for reading symlinks.

Test: reboot; dmesg  # no new denial
Test: cmd package compile -m speed -f com.test.app  # no denial
Change-Id: Iad8c48c8bf0d31dcd19d6b321c8c15d3548a9190
2020-06-22 12:38:38 -07:00
Roland Levillain
66f40a8b2d Allow otapreopt_chroot to use a flattened Runtime APEX package.
- Allow (again) `otapreopt` (running as `postinstall_dexopt`) to
  execute `dex2oat` from `/postinstall` -- this is for the case where
  it is located in a flattened Runtime APEX in
  `/postinstall/system/apex`.
- Allow `dex2oat` to read directories under `/postinstall`.
- Allow `otapreopt_chroot` to unmount flattened APEX packages under
  `/postinstall/system/apex` (which are bind-mounted in
  `/postinstall/apex`).

Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 127543974
Bug: 123684826
Bug: 113373927
Change-Id: Ie023ee5c64989ea071e1683f31073a70c93cac18
2019-03-19 14:44:22 +00:00
Andreas Gampe
ae127d8340 Sepolicy: Add base runtime APEX preinstall policies
Add art_apex_preinstall domain that is allowed to create AoT
artifacts in /data/ota.

Bug: 125474642
Test: m
Change-Id: Ia091d8df34c4be4f84c2052d3c333a0e36bcb036
2019-02-28 05:12:56 -08:00
Andreas Gampe
6d5baca452 Sepolicy: Move dex2oat and postinstall_dexopt to private
In preparation for additions that should be private-only, move the
types to private. Both have to be moved as they are dependent.

Bug: 125474642
Test: m
Change-Id: I6a76eba41b036bc6fb83588adbe9d63767d3e159
2019-02-26 13:13:45 -08:00
Jeff Vander Stoep
b5da252e45 domain_deprecated is dead
long live domain.te!

Remove all references.

Bug: 28760354
Test: build
Merged-In: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
Change-Id: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
2017-07-28 22:01:46 +00:00
Jeff Vander Stoep
7c34e83fcd Move domain_deprecated into private policy
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Merged-In: I31beeb5bdf3885195310b086c1af3432dc6a349b
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
(cherry picked from commit 76aab82cb3)
2017-07-24 07:39:54 -07:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00