Adds a context for telephony related cache properties and changes
the bluetooth and system_server properties to match off of prefix
instead of exact string matches.
Test: Flashed phone with PowerManager caches enabled and verified
that the phone boots.
Change-Id: I9110192a12bb6222e49a8fb6b266d6067ef2ea92
The credstore service is a system service which backs the
android.security.identity.* Framework APIs. It essentially calls into
the Identity Credential HAL while providing persistent storage for
credentials.
Bug: 111446262
Test: atest android.security.identity.cts
Test: VtsHalIdentityTargetTest
Test: android.hardware.identity-support-lib-test
Change-Id: I5cd9a6ae810e764326355c0842e88c490f214c60
Define two property_context.
1. vendor_socket_hook_prop - for ro.vendor.redirect_socket_calls. The
property set once in vendor_init context. It's evaluated at process
start time and is cannot change at runtime on a given device. The set
permission is restricted to vendor_init. The read permission is
unrestricted.
2. socket_hook_prop - for net.redirect_socket_calls.hooked. The
property can be changed by System Server at runtime. It's evaluated when
shimmed socket functions is called. The set permission is restricted to
System Server. The read permission is unrestricted.
Bug: Bug: 141611769
Test: System Server can set net.redirect_socket_calls.hooked
libnetd_client can read both properties
libnetd_client can't set both properties
Change-Id: Ic42269539923e6930cc0ee3df8ba032797212395
As with heapprofd, it's useful to profile the platform itself on debug
builds (compared to just apps on "user" builds).
Bug: 137092007
Change-Id: I8630c20e0da9c67e4927496802a4cd9cacbeb81a
The steps involved in setting up profiling and stack unwinding are
described in detail at go/perfetto-perf-android.
To summarize the interesting case: the daemon uses cpu-wide
perf_event_open, with userspace stack and register sampling on. For each
sample, it identifies whether the process is profileable, and obtains
the FDs for /proc/[pid]/{maps,mem} using a dedicated RT signal (with the
bionic signal handler handing over the FDs over a dedicated socket). It
then uses libunwindstack to unwind & symbolize the stacks, sending the
results to the central tracing daemon (traced).
This patch covers the app profiling use-cases. Splitting out the
"profile most things on debug builds" into a separate patch for easier
review.
Most of the exceptions in domain.te & coredomain.te come from the
"vendor_file_type" allow-rule. We want a subset of that (effectively all
libraries/executables), but I believe that in practice it's hard to use
just the specific subtypes, and we're better off allowing access to all
vendor_file_type files.
Bug: 137092007
Change-Id: I4aa482cfb3f9fb2fabf02e1dff92e2b5ce121a47
Bug: 140788621
This adds keys for several planned binder caches in the system server
and in the bluetooth server. The actual cache code is not in this
tree.
Test: created a test build that contains the actual cache code and ran
some system tests. Verified that no protection issues were seen.
Change-Id: Ibaccb0c0ff8b127d14cf769ea4156f7d8b024bc1
We don't want to accidentally allow this, and a neverallow also means
that the issue will be found during development, instead of review.
Fixes: 148081219
Test: compile policy only
Change-Id: I57990a2a4ab9e5988b09dae2dd6a710ce8f53800
This patch adds the necessary rules to support the existing usage of
perf_event_open by the system partition, which almost exclusively
concerns the simpleperf profiler. A new domain is introduced for some
(but not all) executions of the system image simpleperf. The following
configurations are supported:
* shell -> shell process (no domain transition)
* shell -> debuggable app (through shell -> runas -> runas_app)
* shell -> profileable app (through shell -> simpleperf_app_runner ->
untrusted_app -> simpleperf)
* debuggable/profile app -> self (through untrusted_app -> simpleperf)
simpleperf_app_runner still enters the untrusted_app domain immediately
before exec to properly inherit the categories related to MLS. My
understanding is that a direct transition would require modifying
external/selinux and seapp_contexts as with "fromRunAs", which seems
unnecessarily complex for this case.
runas_app can still run side-loaded binaries and use perf_event_open,
but it checks that the target app is exactly "debuggable"
(profileability is insufficient).
system-wide profiling is effectively constrained to "su" on debug
builds.
See go/perf-event-open-security for a more detailed explanation of the
scenarios covered here.
Tested: "atest CtsSimpleperfTestCases" on crosshatch-user/userdebug
Tested: manual simpleperf invocations on crosshatch-userdebug
Bug: 137092007
Change-Id: I2100929bae6d81f336f72eff4235fd5a78b94066
The binder_cache_system_server_prop context allows any user to read the
property but only the system_server to write it. The only property with
this context is currently binder.cache_key.has_system_feature but users
will be added.
Bug: 140788621
Test: this was tested on an image with a binder cache implementation. No
permission issues were found. The implementation is not part of the current
commit.
Change-Id: I4c7c3ddf809ed947944408ffbbfc469d761a6043
This reverts commit f536a60407.
Reason for revert: Resubmit the CL with the fix in vendor_init.te
Bug: 144534640
Test: lunch sdk-userdebug; m sepolicy_tests
Change-Id: I47c589c071324d8f031a0f7ebdfa8188869681e9
Define a new property_context vndk_prop for ro.product.vndk.version.
It is set by init process but public to all modules.
Bug: 144534640
Test: check if ro.product.vndk.version is set correctly.
Change-Id: If739d4e25de93d9ed2ee2520408e07a8c87d46fe
Previously mediaserver could only access hidl via mediadrmserver.
Required because mediadrmserver will be removed in R.
Bug: 134787536
Bug: 144731879
Test: MediaPlayerDrmTest
Change-Id: If0ae1453251e88775a43750e24f7dac198294780
incident report contains similar data as in a bugreport, but in proto
format. Currently ro.serialno is not captured due to selinux settings.
Test: adb shell incident -p LOCAL 1000
Bug: 143372261
Change-Id: I6a89308c1347fba2ce4f7b469f9a02b119d4aeb7
Vendor can only do module load in vendor_file, which is a large area.
Changing vendor_file to vendor_file_type allows vendor to use different
labels and restrict it to smaller area.
Bug: 143338171
Change-Id: If8e0c088f2d49b7fbffff062dcae3b4084016b03
/system/bin/iorapd fork+execs into /system/bin/iorap_prefetcherd during
startup
See also go/android-iorap-security for the design doc
Bug: 137403231
Change-Id: Ie8949c7927a98e0ab757bc46230c589b5a496360
Only allow apps targetting < Q and ephemeral apps to open /dev/ashmem.
Ephemeral apps are not distinguishable based on target API. So allow
ephemeral_app to open /dev/ashmem for compatibility reasons.
For sake of simplicity, allow all domains /dev/ashmem permissions other
than "open". Reason being that once we can remove "open" access
everywhere, we can remove the device altogether along with other
permission.
Bug: 134434505
Test: boot crosshatch; browse internet, take picture;
no ashmem_device denials
Change-Id: Ie2464c23d799550722580a21b4f6f344983b43ba
Only allow apps targetting < Q and ephemeral apps to open /dev/ashmem.
Ephemeral apps are not distinguishable based on target API. So allow
ephemeral_app to open /dev/ashmem for compatibility reasons.
For sake of simplicity, allow all domains /dev/ashmem permissions other
than "open". Reason being that once we can remove "open" access
everywhere, we can remove the device altogether along with other
permission.
Bug: 134434505
Test: boot crosshatch; browse internet, take picture;
no ashmem_device denials
Change-Id: Ib4dddc47fcafb2697795538cdf055f305fa77799
This duplicated ashmem device is intended to replace ashmemd.
Ashmem fd has a label of the domain that opens it. Now with ashmemd
removed, ashmem fds can have labels other than "ashmemd", e.g.
"system_server". We add missing permissions to make ashmem fds usable.
Bug: 139855428
Test: boot device
Change-Id: Iec8352567f1e4f171f76db1272935eee59156954
Give /data itself a different label to its contents, to ensure that
only init creates files and directories there.
This change originally landed as aosp/1106014 and was reverted in
aosp/1116238 to fix b/140402208. aosp/1116298 fixes the underlying
problem, and with that we can re-land this change.
Bug: 139190159
Bug: 140402208
Test: aosp boots, logs look good
Change-Id: I1a366c577a0fff307ca366a6844231bcf8afe3bf
Remove everyone's ability to read /proc/sys/vm/overcommit_memory.
Android's jemalloc implementation no longer uses this file.
init.te had multiple rules which allowed writing to this file. Get rid of
the duplicate rule.
Bug: 140736217
Test: compiles and boots
Test: bypass setup wizard and start the browser, browse the web
Change-Id: I5a2d5f450f5dde5dd55a0cedd7fbd55a6ac0beed
Give /data itself a different label to its contents, to ensure that
only init creates files and directories there.
Bug: 139190159
Test: aosp boots, logs look good
Change-Id: I3ee654a928bdab3f5d435ab6ac24040d9bdd9abe
The only distinction that matters for security is if a service is
served by vendor or not AND which process is allowed to talk to which.
coredomain is allowed to talk to vintf_service OR vendor_service, it's
just that for a non-@VintfStability service user-defined APIs (as
opposed to pingBinder/dump) are restricted.
Bug: 136027762
Test: N/A
Change-Id: If3b047d65ed65e9ee7f9dc69a21b7e23813a7789
Since non-full-Treble devices aren't guaranteed to have coredomain
applied to all system processes, this is breaking some downstream
non-Treble devices.
Bug: 140076135
Test: N/A
Change-Id: I2942506cb0cfd8096c631281389a16aa48b4da08
This reverts commit 6b2eaade82.
Reason for revert: reland original CL
Separate runtime infrastructure now makes sure that only Stable AIDL
interfaces are used system<->vendor.
Bug: 136027762
Change-Id: Id5ba44c36a724e2721617de721f7cffbd3b1d7b6
Test: boot device, use /dev/binder from vendor
Separate runtime infrastructure now makes sure that only Stable AIDL
interfaces are used system<->vendor.
Bug: 136027762
Test: boot device, use /dev/binder from vendor
Change-Id: Icdf207c5d5a4ef769c0ca6582dc58306f65be67e
Userspace may want to load a different firmware than the one that the
kernel requests in some cases, therefore this change adds the ability
to ueventd to run an external handler that will determine the name of
the file that should actually be loaded.
Bug: 138352500
Test: Manually via custom handlers (compiled binary + shell script).
Change-Id: Ib1330cd3b049e23ef066c6e08d3785b344d1feed
![](/avatar/ef4a85532a29218c6b19b60e782b0746?size=56 "Harpreet \\"Eli\\" Sangha"){kind=small}