debug/eng builds.
This change is to allow SystemUI, a platform_app, to start, stop,
and share Perfetto/Winscope traces.
Bug: 305049544
Test: Verified everything works on my local device.
Change-Id: I8fc35a5a570c2199cfdd95418a6caf0c48111c46
sys.boot.reason.last needs to be readable by SysUI to correctly display the reason why authentication is required to unlock the phone.
Bug: 299327097
Test: presubmit
Change-Id: I9f83ade92858056609bc665ecb6ce9b93eb051e4
Adds persist.syui.notification.ranking_update_ashmem property and
associated permissions, which will be used to flag guard a change in
core/...NotificationRankingUpdate.java.
Permissions are limited in scope to avoid unnecessary access.
Apps may need to read the flag (because NotificationRankingUpdate.java
is a core library), but setting should only be possible internally (and
via debug shell).
Test: manual flash+adb setprop/getprop
Bug: 249848655
Change-Id: I661644893714661d8c8b5553c943fa17d08c000c
Adds persist.sysui.notification.builder_extras_override property
and associated permissions, which will be used to flag guard
a change in core/...Notification.java.
Permissions are limited in scope to avoid unnecessary access.
Apps may need to read the flag (because Notification.java
is a core library), but setting should only be possible
internally (and via debug shell).
Test: manual flash+adb setprop/getprop
Bug: 169435530
Change-Id: I3f7e2220798d22c90f4326570732a52b0deeb54d
This patch:
* allows for heap and perf profiling of all processes on the system
(minus undumpable and otherwise incompatible domains). For apps, the
rest of the platform will still perform checks based on
profileable/debuggable manifest flags. For native processes, the
profilers will check that the process runs as an allowlisted UID.
* allows for all apps (=appdomain) to act as perfetto tracing data
writers (=perfetto_producer) for the ART java heap graph plugin
(perfetto_hprof).
* allows for system_server to act a perfetto_producer for java heap
graphs.
Bug: 247858731
Change-Id: I792ec1812d94b4fa9a8688ed74f2f62f6a7f33a6
This is enabled on debuggable builds only, includes
- Grant mlstrustedsubject typeattribute to wm_trace_data_file
- Grant platform_app (like systemui) the write access to
wm_trace_data_file
Bug: 251513116
Test: adb shell dumpsys activity service SystemUIService \
WMShell protolog [start | stop]
Change-Id: I9f77f8995e4bf671616ce6c49eeb93720e31430e
The feature was superseded by tzdata mainline module(s).
Bug: 148144561
Test: see system/timezone
Test: m selinux_policy
Change-Id: I48d445ac723ae310b8a134371342fc4c0d202300
Merged-In: I48d445ac723ae310b8a134371342fc4c0d202300
This is intended for wm properties related to wmshell/sysui.
Using this context allows sysui to manipulate these properties
in debug builds.
Bug: 219067621
Test: manual
Change-Id: I5808bf92dbba37e9e6da5559f8e0a5fdac016bf3
Remove access from untrusted apps and instead grant it to platform_app
(but on user builds as well as debug).
Also restrict any app from creating a vsock_socket; using an already
created one is fine.
Bug: 193373841
Test: Microdroid demo app now gets a denial
Test: Rebuild demo with certifcate: platform, adb install, no denial
Change-Id: I7be011e05244767a42d4c56e26de792db4fe599d
This addresses the following SELinux failure:
trigger_perfett: type=1400 audit(0.0:331): avc: denied { write }
for name="traced_producer" dev="tmpfs" ino=35064
scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:traced_producer_socket:s0
tclass=sock_file permissive=0 app=com.android.systemui
This is necessary so that, on user builds, system apps like systemui can
trigger Perfetto traces. This is already allowed on userdebug/end by the
capability in app.te.
In a follow up, we'll probably remove all the perfetto_producer in the
*_app.te and remove the userdebug_or_eng in app.te.
Bug: 190620348
Change-Id: I715979970cde760efdf4497c7cd2a2039ca86c85
Revert submission 1582845-qemu-prop
Reason for revert: aosp_hawk-userdebug is broken on an RVC branch
Reverted Changes:
Idfc2bffa5:Add qemu.hw.mainkeys to system property_contexts
If013ff33f:Remove qemu.hw.mainkeys from vendor_qemu_prop
Bug: 180412668
Change-Id: I335afb931eaeb019f66e3feedea80b0c8888f7a3
debugfs_tracing can only be accessed by tracing tools provided by the
platform.
Bug: 172028429
Test: boot with no relevant log showing up
Change-Id: I412dd51a1b268061c5a972488b8bc4a0ee456601
keyguard.no_require_sim becomes keyguard_config_prop to remove
exported*_default_prop
Bug: 155844385
Test: boot and see no denials
Change-Id: Icffa88b650a1d35d8c1cd29f89daf0644a79ddd3
The binder's methods are protected by signature
permissions (LOG_COMPAT_CHANGE, READ_COMPAT_CHANGE_CONFIG and
OVERRIDE_COMPAT_CHANGE_CONFIG).
This is a re-landing of https://r.android.com/1210143, which was
reverted due to http://b/142942524. The actual fix was done in
http://ag/10234812.
Bug: 142650523
Test: atest PlatformCompatGatingTest
Change-Id: Ibddac8933ea58d44457a5d80b540347e796ebe71
Revert "Add new permissions to test"
Revert submission 1210143-platformcompat-permissions
Reason for revert: http://b/142942524
Reverted Changes:
I3601b12d5: Add new permissions to test
I65d425aac: Make platform_compat discoverable everywhere
I1c8cbb656: Add permissions for using PlatformCompat methods
Change-Id: I356c1d1c4d1213eea6e5585b23faa40722b1a01a
This is required for the Debug UI within the Settings app.
The Platform Compat API prevents callers from overriding the compat
config for non-debuggable apps on user builds, among other restrictions
(see https://r.android.com/1178263 for the full list).
Test: use Setting's debug UI on a user build
Bug: 144552011
Bug: 138280620
Change-Id: Ia11a6523feab5cfac2dd6a04d269c59f28f667b7
Refactor to split the logic within statscompanion_service
The goal of the refactor is to simplify the binder calls to statsd
This service will talk to statsd.
At the end of the refactor, this service should be the only
service that talks to statsd.
Bug: 146074223
Test: Manual by creating the service with empty implementation
Change-Id: Ib9c2e10ec195d41062f1001e5a82b374696de939
Mark tethering_service as app_api_service to allow applications to find
tethering service. Apps should able to use tethering service to
know tethering state if they have ACCESS_NETWORK_STATE permission, but
they may need privileged permission if they want to change tethering.
Bug: 144320246
Test: -build, flash, boot
-ON/OFF hotspot
Change-Id: Ie414618766144c4a4ad89c5cf03398a472638e71
This exception is needed for overriding gated changes in tests.
Bug: 140367850
Test: http://aosp/1113771
Change-Id: I2a76f92fe06c1c759a537dea7539a8899f02b15e
Since this service no longer exists.
Fix: 80317992
Test: TH, codesearch.
Merged-In: I257c8cc3dba657d98f19eb61b36aae147afea393
Change-Id: I257c8cc3dba657d98f19eb61b36aae147afea393
Allow all the app process with GUI to send GPU health metrics stats to
GpuService during the GraphicsEnvironment setup stage for the process.
Bug: 123529932
Test: Build, flash and boot. No selinux denials.
Change-Id: Ic7687dac3c8a3ea43fa744a6ae8a45716951c4df
To create symbolic link by unstrusted app raise the security
issue. To allow platform_app to create symbolic link prevent
the functionality from not working.
Fixes: 123555031
Test: atest DocumentsUITests
Bug: 123350324
Change-Id: Idb23c3e813c66bd284d42b8040deeea762f99a0f
DropboxManager may pass FDs to any app with the READ_LOGS
permission which is available to all apps as a development
permission.
Test: atest CtsIncidentHostTestCases
Fixes: 111856304
Change-Id: I329e3125dab83de948b860061df9d232e31cb23e
There will likely be no need for platform apps
to call the timedetector_service; it was added
in error.
Bug: 78217059
Test: build / boot
Change-Id: Ie299c92a60f26fe6cb00562219e386a9f13e459f
This commit contains the changes needed to add the new
time detector system server service.
Bug: 78217059
Test: make / booted device
Change-Id: I7cfaac6cac876e4aa73e8af1aa5f837117bb9ad7
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.
To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.
Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
navigate maps, send text message, make voice call, make video call.
Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest
Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f)
com.android.server.power.PowerManagerServiceTest#testGetLastShutdownReasonInternal due to "RuntimeException: failed to set system property"
W/roidJUnitRunner: type=1400 audit(0.0:6): avc: denied { write } for name="property_service" dev="tmpfs" ino=13178 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
W/libc : Unable to set property "test.sys.boot.reason" to "shutdown,thermal": connection failed; errno=13 (Permission denied)
Had to use precise property definition as com.android.phone accesses
test properties as well.
Test: compile
Bug: 78245377
Change-Id: I2cc810846f8615f2a2fae8e0d4f41de585b7abd7
com.android.server.power.PowerManagerServiceTest#testGetLastShutdownReasonInternal due to "RuntimeException: failed to set system property"
W/roidJUnitRunner: type=1400 audit(0.0:6): avc: denied { write } for name="property_service" dev="tmpfs" ino=13178 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
W/libc : Unable to set property "test.sys.boot.reason" to "shutdown,thermal": connection failed; errno=13 (Permission denied)
Test: compile
Bug: 78245377
Change-Id: Id21436d281bab27823969a9f7e92318d70b5a2d6
Create a new label for /data/system/dropbox, and neverallow direct
access to anything other than init and system_server.
While all apps may write to the dropbox service, only apps with
android.permission.READ_LOGS, a signature|privileged|development
permission, may read them. Grant access to priv_app, system_app,
and platform_app, and neverallow access to all untrusted_apps.
Bug: 31681871
Test: atest CtsStatsdHostTestCases
Test: atest DropBoxTest
Test: atest ErrorsTests
Change-Id: Ice302b74b13c4d66e07b069c1cdac55954d9f5df
We're adding support for OEMs to ship exFAT, which behaves identical
to vfat. Some rules have been manually enumerating labels related
to these "public" volumes, so unify them all behind "sdcard_type".
Test: atest
Bug: 67822822
Change-Id: I09157fd1fc666ec5d98082c6e2cefce7c8d3ae56
Because applications should be able to set the receive
timeout on UDP encapsulation sockets, we need to allow
setsockopt(). getsockopt() is an obvious allowance as
well.
Bug: 68689438
Test: compilation
Merged-In: I2eaf72bcce5695f1aee7a95ec03111eca577651c
Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c
This gives the privilege to system apps, platform apps,
ephemeral apps, and privileged apps to receive a
UDP socket from the system server. This is being added
for supporting UDP Encapsulation sockets for IPsec, which
must be provided by the system.
This is an analogous change to a previous change that
permitted these sockets for untrusted_apps:
0f75a62e2c
Bug: 70389346
Test: IpSecManagerTest, System app verified with SL4A
Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31
Vendor apps may only use servicemanager provided services
marked as app_api_service. surfaceflinger_service should be
available to vendor apps, so add this attribute and clean up
duplicate grants.
Addresses:
avc: denied { find } scontext=u:r:qtelephony:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
avc: denied { find } scontext=u:r:ssr_detector:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
avc: denied { find } scontext=u:r:qcneservice:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
Bug: 69064190
Test: build
Change-Id: I00fcf43b0a8bde232709aac1040a5d7f4792fa0f
Allow PowerUI / platform_app to use thermalservice for receiving
notifications of thermal events.
Bug: 66698613
Test: PowerNotificationWarningsTest, PowerUITest,
manual: marlin and <redacted> with artificially low temperature
threshold and logcat debugging messages
Change-Id: I5428bd5f99424f83ef72d981afaf769bdcd03629
Merged-In: I5428bd5f99424f83ef72d981afaf769bdcd03629
