Commit graph

322 commits

Author SHA1 Message Date
Josh Gao
98545f075c system_server: allow appending to debuggerd -j pipe.
am: 5ca755e05e

Change-Id: I92b326f5f1c9f1db083c329ecc8eca952039dc06
2018-07-17 15:25:36 -07:00
Josh Gao
5ca755e05e system_server: allow appending to debuggerd -j pipe.
Test: debuggerd -j `pidof system_server`
Change-Id: I6cca98b20ab5a135305b91cbb7c0fe7b57872bd3
2018-07-17 12:46:01 -07:00
Eino-Ville Talvala
67bd625c19 Make system property audio.camerasound.force a vendor-writable property,
am: 3ac71f8d82

Change-Id: Ia0db4d6a305d7f815f38a119475ebb346e873249
2018-06-25 22:00:50 -07:00
Eino-Ville Talvala
3ac71f8d82 Make system property audio.camerasound.force a vendor-writable property,
This property is read by the audio service in system server to toggle
camera shutter sound enforcement on a device-specific basis.

Test: Camera shutter sound enforcement works when audio.camerasound.force is set
Bug: 110126976
Change-Id: I2720d3c699c4712d1a328f59dde0b16bbf1016f3
2018-06-25 22:50:14 +00:00
Neil Fuller
43d2c3d0b5 Add label for time (zone) system properties
am: b794ad0f8d

Change-Id: I46c7aa4b511da69d7f852023cff23871b6c8468e
2018-06-25 13:31:29 -07:00
Neil Fuller
b794ad0f8d Add label for time (zone) system properties
This adds a label for system properties that will affect system-wide
time / time detection logic.

The first example will be something like:
persist.time.detection_impl_version

Bug: 78217059
Test: build
Change-Id: I46044f1e28170760001da9acf2496a1e3037e48a
2018-06-25 17:59:56 +01:00
Mark Salyzyn
6b2715cc0d Merge "persist.sys.boot.reason is cleared once read by bootstat"
am: 752bde548f

Change-Id: Ifbd311d8425fcd9caffe61c41400fbbfedb356c7
2018-06-12 14:10:01 -07:00
Mark Salyzyn
a1bce77973 persist.sys.boot.reason is cleared once read by bootstat
To ensure a surprise reboot does not take the last boot reason on
face value especially if coming from more than one boot sessions ago.
We shift and clear the value from persist.sys.boot.reason to
sys.boot.reason.last and establish a correct last reboot reason in
the canonical sys.boot.reason property.  As a result, the power
manager should read the canonical sys.boot.reason for a definitive
result rather than relying on the possibly incorrect values in the
persistent storage.  sys.boot.reason should be a core property as
it represents the canonical boot reason API.

Test: compile
Bug: 86671991
Bug: 63736262
Change-Id: If3742c487d6c0ab69c464f056bf48c786b66a945
2018-06-11 09:30:25 -07:00
Steven Moreland
d0c4d4e7db mediacodec->mediacodec+hal_omx{,_server,_client} am: 7baf725ea6
am: 6ad7e65447

Change-Id: I9b60e71be957d43f66605958915d3cfb45d42573
2018-05-30 13:51:23 -07:00
Steven Moreland
7baf725ea6 mediacodec->mediacodec+hal_omx{,_server,_client}
(breaks vendor blobs, will have to be regenerated
after this CL)

This moves mediacodec to vendor so it is replaced with
hal_omx_server. The main benefit of this is that someone
can create their own implementation of mediacodec without
having to alter the one in the tree. mediacodec is still
seccomp enforced by CTS tests.

Fixes: 36375899
Test: (sanity) YouTube
Test: (sanity) camera pics + video
Test: check for denials
Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e
2018-05-30 18:12:32 +00:00
Chong Zhang
bcb6cc20f4 Allow system_server to adjust cpuset for media.codec
Bug: 72841545
Change-Id: I30c1758e631a57f453598e60e6516da1874afcbf
(cherry picked from commit ec0160a891)
2018-05-17 10:09:57 -07:00
Andreas Gampe
a94441b4d0 Merge "Sepolicy: Fix perfprofd permissions" am: bdac534cc0
am: 09fd609d33

Change-Id: Id7ba0fb239c2f902682976cb65986961f2edcaab
2018-05-14 16:01:17 -07:00
Andreas Gampe
835881aaa4 Sepolicy: Fix perfprofd permissions
Let statsd find the service. The system server wants to read file
attributes for the perfprofd dropbox file.

Bug: 73175642
Test: m
Test: manual
Change-Id: I0c0b1dac057af90fff440286226093ec15b5e247
2018-05-10 15:07:09 -07:00
Calin Juravle
91989fcea5 Merge "Allow system server to write profile snapshots in /data/misc/profman" into pi-dev
am: dfaf39154f

Change-Id: I6f12c21a6c1cfda7d4a3b556e7f6066d0c2782c0
2018-05-09 14:49:25 -07:00
Calin Juravle
6ff0f490db Allow system server to write profile snapshots in /data/misc/profman
The goal is to allow creating profile snapshots from the shell command in
order to be able to write CTS tests.

The system server will dump profiles for debuggable in /data/misc/profman
from where they will be pulled and verified by CTS tests.

Test: adb shell cmd package snapshot-profile com.android.vending
Bug: 74081010

(cherry picked from commit 687d5e46ce)

Merged-In: I54690305284b92c0e759538303cb98c93ce92dd5
Change-Id: I54690305284b92c0e759538303cb98c93ce92dd5
2018-05-09 14:42:59 -07:00
Calin Juravle
687d5e46ce Allow system server to write profile snapshots in /data/misc/profman
The goal is to allow creating profile snapshots from the shell command in
order to be able to write CTS tests.

The system server will dump profiles for debuggable in /data/misc/profman
from where they will be pulled and verified by CTS tests.

Test: adb shell cmd package snapshot-profile com.android.vending
Bug: 74081010
Change-Id: I54690305284b92c0e759538303cb98c93ce92dd5
2018-05-09 11:41:39 -07:00
Jeff Vander Stoep
1279a7ae85 resolve merge conflicts of bc34fa26ac to pi-dev-plus-aosp
Bug: None
Test: None
Change-Id: Ie9d2f35efd5bf39d0282ccc41fdd3f974d7c01bf
2018-05-04 19:03:03 -07:00
Pawin Vongmasa
19a74ec88a Put in sepolicies for Codec2.0 services
Test: Builds

Bug: 64121714
Bug: 31973802
Change-Id: Id37be8726a8bb297e35bca494964fdbcc48c6a73
(cherry picked from commit 4be2889477)
2018-05-04 21:36:41 +00:00
Jeff Vander Stoep
7a4af30b38 Start the process of locking down proc/net
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.

To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.

Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
    navigate maps, send text message, make voice call, make video call.
    Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest

Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f)
2018-05-04 21:36:33 +00:00
Roshan Pius
d7b34a48ff sepolicy(hostapd): Add a HIDL interface for hostapd
* Note on cherry-pick: Some of the dependent changes are not in AOSP.
In order to keep hostapd running correctly in AOSP, I've modified this
change to only include policy additions.

Change sepolicy permissions to now classify hostapd as a HAL exposing
HIDL interface.

Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd:
12-27 23:40:55.913  4952  4952 W hostapd : type=1400 audit(0.0:19): avc:
denied { write } for name="hostapd" dev="sda13" ino=4587601
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

01-02 19:07:16.938  5791  5791 W hostapd : type=1400 audit(0.0:31): avc:
denied { search } for name="net" dev="sysfs" ino=30521
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0

Bug: 36646171
Test: Device boots up and able to turn on SoftAp.
Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947
Merged-In: Ibacfcc938deab40096b54b8d0e608d53ca91b947
(cherry picked from commit 5bca3e860d)
2018-05-04 21:36:24 +00:00
Calin Juravle
035fcc46cc Allow system server to record its own profile
On userdebug builds we can now profile system server without disabling
selinux. This is the final piece, and allows the system server to save its
own profile.

Test: manual, on a device with system server profiling enabled
Bug: 73313191

(cherry picked from commit 71d8467b75)

Change-Id: I93e7e01bfbd3146a8cfd26a1f6e88b640e9c4e0f
2018-05-04 13:38:49 -07:00
Calin Juravle
6d0b0605ab Merge "Allow system server to record its own profile" am: 6ff840033c
am: 6349325dfc

Change-Id: Id463d93fb7321bebc44495c8f5ebffb0d2aa67f2
2018-05-04 08:20:07 -07:00
Calin Juravle
71d8467b75 Allow system server to record its own profile
On userdebug builds we can now profile system server without disabling
selinux. This is the final piece, and allows the system server to save its
own profile.

Test: manual, on a device with system server profiling enabled
Bug: 73313191
Change-Id: Iaf9575d3cda19ae4c38f1e20a8e1b9288b7abc83
2018-05-03 20:15:18 -07:00
android-build-prod (mdb)
def10bbc6f Merge "Sepolicy: Fix system server calling perfprofd" am: fc9afc4d2b
am: 9938a72f6e

Change-Id: I35335a2d0d767b5cc6b45d3414129ece987bd93c
2018-05-03 13:27:25 -07:00
Andreas Gampe
986b9af4fa Sepolicy: Fix system server calling perfprofd
Give all the right permissions to find and send a message to
perfprofd from the system server.

Bug: 73175642
Test: m
Test: manual
Change-Id: I82b63ec097dcd445d9e8169fe0df4398d62ac184
2018-05-03 10:57:30 -07:00
android-build-prod (mdb)
5afce15046 Merge "Audit generic debugfs access for removal" am: 65352c904a
am: 810ad5f27b

Change-Id: I8e5cf7eaf9eb290090adfb5c2821a7efdd9e1acf
2018-05-01 23:11:36 -07:00
Jeff Vander Stoep
72edbb3e83 Audit generic debugfs access for removal
Bug: 78784387
Test: adb bugreport with no "granted" messages.
Change-Id: Iaea67f356a47a9fbf6b8649fc8e8dad772996ba7
2018-04-27 13:46:34 -07:00
Chong Zhang
fad90d552f Merge "Allow system_server to adjust cpuset for media.codec" into pi-dev
am: ad3529a855

Change-Id: I739cc56d8fa130a4d1dca7db55fe1cfd968d0113
2018-04-19 11:23:08 -07:00
Jeff Vander Stoep
df6d77cd45 Protect dropbox service data with selinux am: 4d3ee1a5b6
am: 1874950d21

Change-Id: Id2e5359054ae6d1882b0c99011ee09d1b75fa604
2018-04-18 15:05:34 -07:00
Jeff Vander Stoep
4d3ee1a5b6 Protect dropbox service data with selinux
Create a new label for /data/system/dropbox, and neverallow direct
access to anything other than init and system_server.

While all apps may write to the dropbox service, only apps with
android.permission.READ_LOGS, a signature|privileged|development
permission, may read them. Grant access to priv_app, system_app,
and platform_app, and neverallow access to all untrusted_apps.

Bug: 31681871
Test: atest CtsStatsdHostTestCases
Test: atest DropBoxTest
Test: atest ErrorsTests
Change-Id: Ice302b74b13c4d66e07b069c1cdac55954d9f5df
2018-04-18 19:53:03 +00:00
Chong Zhang
ec0160a891 Allow system_server to adjust cpuset for media.codec
Bug: 72841545
Change-Id: I30c1758e631a57f453598e60e6516da1874afcbf
2018-04-17 14:24:57 -07:00
Kweku Adams
0fa3d2766f Allowing incidentd to get stack traces from processes.
Bug: 72177715
Test: flash device and check incident output
Change-Id: I16c172caec235d985a6767642134fbd5e5c23912
(cherry picked from commit 985db6d8dd)
2018-04-05 16:37:05 -07:00
Kweku Adams
49733255fb Allowing incidentd to get stack traces from processes. am: 985db6d8dd
am: 5f98693a77

Change-Id: Iaeaaeb8195e2ffcbf148b1764d57d4e1c7da6f4f
2018-04-04 09:13:58 -07:00
Kweku Adams
985db6d8dd Allowing incidentd to get stack traces from processes.
Bug: 72177715
Test: flash device and check incident output
Change-Id: I16c172caec235d985a6767642134fbd5e5c23912
2018-04-04 16:00:23 +00:00
Jeff Vander Stoep
51ebb60113 Remove deprecated tagSocket() permissions am: 0d1e52a50f
am: c1753b7a14

Change-Id: I5ae0c1791c2e588e6cdd177a4f1a8758cb2de3ad
2018-04-03 10:53:35 -07:00
Jeff Vander Stoep
0d1e52a50f Remove deprecated tagSocket() permissions
tagSocket() now results in netd performing these actions on behalf
of the calling process.

Remove direct access to:
/dev/xt_qtaguid
/proc/net/xt_qtaguid/ctrl

Bug: 68774956
Test: -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AppSecurityTests
    -m CtsNativeNetTestCases
Test: stream youtube, browse chrome
Test: go/manual-ab-ota
Change-Id: I6a044f304c3ec4e7c6043aebeb1ae63c9c5a0beb
2018-04-03 13:56:58 +00:00
yro
bcefa8ba03 Merge "Update sepolicy to have system_server access stats_data" into pi-dev
am: 199637ebce

Change-Id: Ia6ce6b2955e2a848948eb429d29f1887f25fe43b
2018-04-03 00:01:00 +00:00
TreeHugger Robot
199637ebce Merge "Update sepolicy to have system_server access stats_data" into pi-dev 2018-04-02 19:27:16 +00:00
yro
866a240900 Merge "Update sepolicy to have system_server access stats_data" am: 8b11302e89
am: 7718295a7d

Change-Id: I1cd45d3bdc5a5826dd73376b7480375fefb3ca78
2018-03-31 03:01:33 +00:00
yro
7cacc85daf Update sepolicy to have system_server access stats_data
Bug: 75968642
Test: manual testing to check for sepolicy violation
Cherry-picked from aosp/652222

Change-Id: Idc83669feaf9fd17bed26f89dfce33e3f2f5424f
2018-03-30 18:40:30 -07:00
yro
36dd2a410c Update sepolicy to have system_server access stats_data
Test: manually tested to prevent sepolicy violation
Change-Id: I9ebcc86464a9fc61a49d5c9be40f19f3523b6785
2018-03-30 15:58:58 -07:00
Pawin Vongmasa
4be2889477 Put in sepolicies for Codec2.0 services
Test: Builds

Bug: 64121714
Bug: 31973802
Change-Id: Id37be8726a8bb297e35bca494964fdbcc48c6a73
2018-03-29 04:42:25 -07:00
Primiano Tucci
4f673cf4a9 Revert "Allow system server to set persist.traced.enable"
This reverts commit 6f2040f873.

Reason for revert: not needed anymore after ag/3773705
This was meant to allow system_server toggling the property on/off.
Later we realized that we needed a separate property for that 
(see discussion in b/76077784) and system server happens to
have already permissions to write to sys.* properties even without
this CL.
Reverting because at this point this creates just unnecessary clutter.

Change-Id: Ia73d000aad3c4288a5652047dfe10896e231b0b1
Test: perfetto_integrationtests
Bug: 76077784
2018-03-26 17:48:11 +00:00
Chenbo Feng
88ef20aa71 Allow system server to access bpf fs
The permission to allow system_server to access sys/fs/bpf/ directory
is missing. Add it back so it can get the bpf maps from the bpf_fs.

Test: device boot and no more denial information of system_server try to
searcg in fs_bpf
      atest android.net.cts.TrafficStatsTest
Bug: 75285088

Change-Id: I1040cde6c038eccc4e91c69a10b20aa7a18b19f6
(cherry picked from aosp commit f83bbd17b2)
2018-03-23 18:45:28 -07:00
Chenbo Feng
f83bbd17b2 Allow system server to access bpf fs
The permission to allow system_server to access sys/fs/bpf/ directory
is missing. Add it back so it can get the bpf maps from the bpf_fs.

Test: device boot and no more denial information of system_server try to
searcg in fs_bpf
      atest android.net.cts.TrafficStatsTest
Bug: 75285088

Change-Id: I1040cde6c038eccc4e91c69a10b20aa7a18b19f6
2018-03-23 16:01:10 -07:00
Andreas Gampe
0193620bec Sepolicy: Give system server fd rights to perfprofd
So that perfprofd can send larger packets to dropbox.

Follow-up of commit 3fa95acb1e.

(cherry picked from commit c9df843773)

Bug: 73175642
Test: m
Test: manual
Merged-In: I88d1f83962243589909ff1ce3d02195e7c494256
Change-Id: I88d1f83962243589909ff1ce3d02195e7c494256
2018-03-22 21:10:39 -07:00
Mikhail Naganov
b506a352e8 Allow system_server to update timerslack_ns for hal_audio_default
Based on the following audit message:

type=1400 audit(1521738979.005:385): avc: denied { write } for pid=1269
comm="Binder:1269_B" name="timerslack_ns" dev="proc" ino=254190
scontext=u:r:system_server:s0 tcontext=u:r:hal_audio_default:s0
tclass=file permissive=1

Bug: 74110604
Test: adb shell dmesg | grep hal_audio_default
Change-Id: I4c2e787588eb9d223d5e50e1bc8f67876de97c2e
2018-03-22 14:11:37 -07:00
Mikhail Naganov
e6293b1c0b Allow system_server to update timerslack_ns for hal_audio_default
Based on the following audit message:

type=1400 audit(1521738979.005:385): avc: denied { write } for pid=1269
comm="Binder:1269_B" name="timerslack_ns" dev="proc" ino=254190
scontext=u:r:system_server:s0 tcontext=u:r:hal_audio_default:s0
tclass=file permissive=1

Bug: 74110604
Test: adb shell dmesg | grep hal_audio_default
Change-Id: I4c2e787588eb9d223d5e50e1bc8f67876de97c2e
2018-03-22 14:10:04 -07:00
Andreas Gampe
c9df843773 Sepolicy: Give system server fd rights to perfprofd
So that perfprofd can send larger packets to dropbox.

Follow-up of commit 3fa95acb1e.

Bug: 73175642
Test: m
Test: manual
Change-Id: I88d1f83962243589909ff1ce3d02195e7c494256
2018-03-20 15:45:00 +00:00
Hector Dearman
6f2040f873 Allow system server to set persist.traced.enable
To enable/disable the traced and traced_probes deamons remotely we would
like system server to be able to set persist.traced.enable.
See also ag/3736001.

Denial:
selinux: avc: denied { set } for
property=persist.traced.enable
pid=1606 uid=1000 gid=1000
scontext=u:r:system_server:s0
tcontext=u:object_r:default_prop:s0 tclass=property_service
permissive=0\x0a

Run:
$ adb shell 'ps -A | grep traced'
Should see traced.
$ adb shell 'settings put global sys_traced 0'
$ adb shell 'ps -A | grep traced'
Should no longer see traced.

Test: See above.
Change-Id: I245b7df3853cabeb0e75db41fb4facaa178ab8f1
2018-03-19 15:48:50 +00:00