Commit graph

47369 commits

Author SHA1 Message Date
Ján Sebechlebský
f8ab94fa08 Merge "Allow virtual camera to use fd's from graphic composer" into main 2024-03-04 15:20:49 +00:00
Jiakai Zhang
625c4a9543 Allow postinstall script to invoke pm shell commands.
Bug: 311377497
Change-Id: I46653dcbbe1d1b87b3d370bee80aae2d60998fbe
Test: manual - Install an OTA package and see the hook called.
2024-02-29 23:12:32 +00:00
Dennis Shen
1bfa2552ad Merge "aconfig_storage: setup RO partitions aconfig storage files SELinux policy" into main am: 3041c33c91
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2982791

Change-Id: I3c601bb71699e80fb052b9d5c087fe792ec87f52
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-29 19:32:49 +00:00
Dennis Shen
3041c33c91 Merge "aconfig_storage: setup RO partitions aconfig storage files SELinux policy" into main 2024-02-29 19:03:00 +00:00
Kangping Dong
90495cc79f [Thread] limit ot-daemon socket to ot-ctl
It's better to explicitly disallow access to ot-daemon from other than
ot-ctl.

Bug: 323502847
Change-Id: Ic46ad4e8f3a1d21bbfc9f4f01e6a692aafcdb815
2024-02-29 23:43:34 +08:00
Dennis Shen
f008c29e47 aconfig_storage: setup RO partitions aconfig storage files SELinux
policy

system, system_ext, product and vendor partitions have aconfig storage
files under /<partition>/etc/aconfig dir. need to grant access to
aconfigd.

Bug: b/312459182
Test: m and tested with AVD
Change-Id: I9750c24ffa26994e4f5deadd9d772e31211a446a
2024-02-29 15:28:48 +00:00
Thiébaud Weksteen
c1b65e5d53 Grant lockdown integrity to all processes
The default policy for the "lockdown" access vector on Android was
introduced in commit bcfca1a6. While the "confidentiality" permission
was granted to all processes, the "integrity" was marked as
neverallowed.

Upstream, the support for that access vector was removed from kernel
5.16 onwards.

It was found that the "integrity" permission either does not apply to
Android or duplicates other access control (e.g., capabilities
sys_admin).

Instead of simply removing the neverallow rule, the access is granted to
all processes. This will prevent the proliferation of references to this
access vector in vendors' policies and ultimately facilitate its
removal.

Test: presubmit
Bug: 285443587
Bug: 269377822
Bug: 319390252
Change-Id: If2ad34fbbf2c0d29ac54ab5d1be430623f86f1f7
(cherry picked from commit 99a4cbcee7)
Merged-In: If2ad34fbbf2c0d29ac54ab5d1be430623f86f1f7
2024-02-28 18:10:29 -08:00
Stefan Andonian
ff413fd7d0 Enable platform_app to use perfetto/trace_data_file permissions in
debug/eng builds.

This change is to allow SystemUI, a platform_app, to start, stop,
and share Perfetto/Winscope traces.

Bug: 305049544
Test: Verified everything works on my local device.
Change-Id: I8fc35a5a570c2199cfdd95418a6caf0c48111c46
2024-02-28 20:31:44 +00:00
Dennis Shen
154a08ef7e Merge "aconfigd: create aconfig daemon selinux policy" into main am: 067f7db593
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2976451

Change-Id: Ib86e806430e8decea25e8de9b5f314891561e521
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-28 13:21:35 +00:00
Dennis Shen
067f7db593 Merge "aconfigd: create aconfig daemon selinux policy" into main 2024-02-28 12:31:26 +00:00
Carmen Jackson
6475d3676b [automerger skipped] Add rules for Perfetto to be used from system_server am: 77b2e52f74 -s ours am: 7fdf451d8d -s ours
am skip reason: Merged-In I7e4c044a6a2afb48c33d65cc421e797d77aacc12 with SHA-1 28b811df1c is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2977032

Change-Id: I674060405e05470708ce20d95cf828ab9c5b2b17
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-28 03:47:26 +00:00
Carmen Jackson
7fdf451d8d [automerger skipped] Add rules for Perfetto to be used from system_server am: 77b2e52f74 -s ours
am skip reason: Merged-In I7e4c044a6a2afb48c33d65cc421e797d77aacc12 with SHA-1 28b811df1c is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2977032

Change-Id: Ie115d6f1b4683ddc625809756a7caf824cd406d4
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-28 03:06:01 +00:00
Matt Buckley
52c9b3b9a9 Allow apps to access PowerHAL for FMQ
This patch allows apps to access PowerHAL FMQ memory to send ADPF
messages.

Test: n/a
Bug: 315894228
Change-Id: I2733955807c40e63b688fcb0624db8acc8f9a139
2024-02-27 16:35:55 -08:00
Maciej Żenczykowski
a4208e9f10 sepolicy: allow netutils_wrapper access to fs_bpf_vendor
This is needed to allow vendor xt_bpf programs.

Bug: 325709490
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I7ff8a0319bec2f3a57c7ce48939b13b2fca182de
(cherry picked from commit 37ca69e5c8)
Merged-In: I7ff8a0319bec2f3a57c7ce48939b13b2fca182de
2024-02-27 23:46:04 +00:00
Thiébaud Weksteen
30404a42b8 Grant lockdown integrity to all processes
The default policy for the "lockdown" access vector on Android was
introduced in commit bcfca1a6. While the "confidentiality" permission
was granted to all processes, the "integrity" was marked as
neverallowed.

Upstream, the support for that access vector was removed from kernel
5.16 onwards.

It was found that the "integrity" permission either does not apply to
Android or duplicates other access control (e.g., capabilities
sys_admin).

Instead of simply removing the neverallow rule, the access is granted to
all processes. This will prevent the proliferation of references to this
access vector in vendors' policies and ultimately facilitate its
removal.

Test: presubmit
Bug: 285443587
Bug: 269377822
Bug: 319390252
Change-Id: If2ad34fbbf2c0d29ac54ab5d1be430623f86f1f7
(cherry picked from commit 99a4cbcee7)
Merged-In: If2ad34fbbf2c0d29ac54ab5d1be430623f86f1f7
2024-02-27 22:10:53 +00:00
Carmen Jackson
77b2e52f74 Add rules for Perfetto to be used from system_server
This includes rules for starting Perfetto as well as rules for
communicating over stdio between Perfetto and system_server.

This is a cherrypick of aosp/2958867 with prebuilts updated.

Bug: 325709490
Test: Presubmit
Change-Id: I7e4c044a6a2afb48c33d65cc421e797d77aacc12
Merged-In: I7e4c044a6a2afb48c33d65cc421e797d77aacc12
2024-02-27 04:22:31 +00:00
Florian Mayer
9ceda37b18 Merge "Allow shell and adb to read tombstones" into main am: 9d7d3c4a0e
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2974016

Change-Id: I2fdfb22d91512d081d1760952e23611a1d2e4917
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-26 22:02:00 +00:00
Florian Mayer
9d7d3c4a0e Merge "Allow shell and adb to read tombstones" into main 2024-02-26 21:12:25 +00:00
Dennis Shen
2659257c76 aconfigd: create aconfig daemon selinux policy
Bug: b/312444587
Test: m and launch avd
Change-Id: I0156a9dee05139ec84541e0dff2f95285c97cfb9
2024-02-26 19:58:48 +00:00
Jan Sebechlebsky
fd7e285504 Allow virtual camera to use fd's from graphic composer
This is causing denials in case the fence fd comes from
graphic composer.

Bug: 301023410
Test: atest CtsCameraTestCases with test virtual camera enabled
Change-Id: I14cb26c058342470aa2dc214ab47cc61aa2f3255
2024-02-26 11:55:16 +01:00
Seungjae Yoo
41b4349206 [automerger skipped] Introduce vendor_microdroid_file for microdroid vendor image am: c3052c9ab0 -s ours am: 803f20b5a3 -s ours
am skip reason: Merged-In I6c966c92b238a2262d2eb7f41041ed4c359e9e0a with SHA-1 d2a0892121 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2974133

Change-Id: Ic9437442074bbdc06daa44a2d4041074ed2357d7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-26 02:21:02 +00:00
Seungjae Yoo
803f20b5a3 [automerger skipped] Introduce vendor_microdroid_file for microdroid vendor image am: c3052c9ab0 -s ours
am skip reason: Merged-In I6c966c92b238a2262d2eb7f41041ed4c359e9e0a with SHA-1 d2a0892121 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2974133

Change-Id: I6a8242a6da2ede1f9d3f27cfb3fc52bb452e7510
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-26 01:39:54 +00:00
Thiébaud Weksteen
66bb617447 Merge "Grant lockdown integrity to all processes" into main am: 1fc3a6f955
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2971071

Change-Id: I21f3e67d0b697a532f65e4e21b8a193accca521a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-26 00:34:52 +00:00
Jooyung Han
a53593f6fa Merge "Add input_device.config_file.apex property" into main am: 615aaf5998
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2974852

Change-Id: I08eec3e2cd297b70d84ea92aa07159bd1b70d91e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-26 00:34:01 +00:00
Thiébaud Weksteen
1fc3a6f955 Merge "Grant lockdown integrity to all processes" into main 2024-02-26 00:11:52 +00:00
Jooyung Han
615aaf5998 Merge "Add input_device.config_file.apex property" into main 2024-02-25 23:51:05 +00:00
Ryan Savitski
ce8959c851 tracefs: remove debugfs/tracing rules on release devices
The tracing filesystem used to be mounted on /sys/kernel/debug/tracing,
but is nowaways available at /sys/kernel/tracing.

Since debugfs itself is no longer mounted on release devices, there is
no need for rules that relax specific .../debug/tracing/... files to be
available on release devices. Leave them as debugfs_tracing_debug.

Not touching other labels such as debugfs_tracing_printk_formats in case
there are debug-only tools that grant themselves access to just that
label. Might revisit those in a different patch.

Bug: 303590268
Change-Id: Ic234c73ac7256117179c4b3eb35da0eac9a50eaa
2024-02-25 19:16:56 +00:00
Ryan Savitski
bdf0a56bf3 tracefs: allow using "/sys/kernel/tracing/buffer_percent" on release devices
This is a tracing control file that userspace can read/write an ascii
number (e.g. "50"). In turn, it controls the behaviour of blocking
read(), splice(), and poll() on the tracing kernel ring buffer fds.
A blocked syscall will only be woken up once the kernel fills the buffer
past the "buffer_percent" watermark (so 50% -> half-full).

We'll be using this file in perfetto's traced_probes, but it should also
be safe to expose to other users of the tracing file system (aka
debugfs_tracing in sepolicy) on release builds.

Added to linux in:
  https://android.googlesource.com/kernel/common/+/03329f99

Change-Id: Ifcdc73cb0162e8cdadf2e7c16b0215410134ccae
2024-02-25 19:00:07 +00:00
Florian Mayer
6c689e8438 Allow shell and adb to read tombstones
tombstones are now openable by these domains:

allow adbd tombstone_data_file:dir { getattr ioctl lock open read search watch watch_reads };
allow adbd tombstone_data_file:file { getattr ioctl lock map open read watch watch_reads };
allow dumpstate tombstone_data_file:dir { getattr ioctl lock open read search watch watch_reads };
allow dumpstate tombstone_data_file:file { getattr ioctl lock map open read watch watch_reads };
allow init tombstone_data_file:dir { add_name create getattr ioctl open read relabelfrom relabelto remove_name rmdir search setattr write };
allow init tombstone_data_file:fifo_file { create getattr open read relabelfrom relabelto setattr unlink };
allow init tombstone_data_file:file { create getattr map open read relabelfrom relabelto setattr unlink write };
allow init tombstone_data_file:sock_file { create getattr open read relabelfrom relabelto setattr unlink };
allow shell tombstone_data_file:dir { getattr ioctl lock open read search watch watch_reads };
allow shell tombstone_data_file:file { getattr ioctl lock map open read watch watch_reads };
allow system_server tombstone_data_file:dir { add_name getattr ioctl lock open read remove_name search watch watch_reads write };
allow system_server tombstone_data_file:file { append create getattr ioctl lock map open read rename setattr unlink watch watch_reads write };
allow tombstoned tombstone_data_file:dir { add_name getattr ioctl lock open read remove_name search watch watch_reads write };
allow tombstoned tombstone_data_file:file { append create getattr ioctl link lock map open read rename setattr unlink watch watch_reads write };

Test: adb unroot, ls, cat, adb pull
Bug: 312740614
Change-Id: I4a1af4fbdc48c5c5f4b0b33f124cea31af74dd87
2024-02-23 15:44:20 -08:00
Kiyoung Kim
3259d12935 Mark libft2.so and libpng.so installed in /vendor/lib as sphal am: 96ba523a8d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2974851

Change-Id: I1dca4fd56c01a6a27785985341325b7e0cc2506b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-23 15:53:30 +00:00
Kiyoung Kim
96ba523a8d Mark libft2.so and libpng.so installed in /vendor/lib as sphal
libft2.so is removed from LLNDK, as it was LLNDK-private just because it is
referenced from VNDK-SPs, but it is no longer true because of VNDK
deprecation. This change adds libft2.so to have same sepolicy with other
sphal libraries, so it can be loaded from sphal libraries same as
before. Mark same to libpng.so as it is referenced from libft2.so

Bug: 326402649
Test: Barbet boot succeeded without sepolicy error
Change-Id: Id8c1194da478bd4fc02e701230fd1a3c0b3c00be
2024-02-23 05:31:59 +00:00
Jooyung Han
c6d75293b9 Add input_device.config_file.apex property
This new property is to set an apex name when input configuration files
are bundled in an apex.

libinput checks the new sysprop when loading input configuration.

This removes hard-coded apex name (com.android.input.config).

Bug: 315080500
Test: adb shell dumpsys input
  # set "touch.orientationAware = 0" in Touchscreen_0.idc
  # build/install the input config apex
  # Observe the Input configuration
  # "Touch Input Mapper" shows "OrientationAware: false"
Change-Id: Ie0bf30bff2ed7f983caa5b893994a5bd2759e192
2024-02-23 14:31:58 +09:00
Seungjae Yoo
c3052c9ab0 Introduce vendor_microdroid_file for microdroid vendor image
In AVF, virtualizationmanager checks the selinux label of given disk
image for proving whether the given image is edited maliciously.
Existing one(vendor_configs_file, /vendor/etc/*) was too wide to
use for this purpose.

Bug: 325709490
Bug: 285854379
Test: m
Merged-In: I6c966c92b238a2262d2eb7f41041ed4c359e9e0a
Change-Id: I6c966c92b238a2262d2eb7f41041ed4c359e9e0a
(cherry picked from commit d2a0892121)
2024-02-23 11:36:29 +09:00
Steven Moreland
cfed32d4ff Merge changes from topic "misctrl" into main am: 9fca32695a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2966594

Change-Id: Id68b57052b905fd3aab14f17f1eb7e81913d7e05
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-22 19:16:50 +00:00
Steven Moreland
d7c3bf781e intro misctrl am: b4f42d449b
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2966593

Change-Id: Ie652cf5516fe3c1042931bb07162f39996180e66
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-22 19:16:46 +00:00
Steven Moreland
9fca32695a Merge changes from topic "misctrl" into main
* changes:
  misctrl: add a property
  intro misctrl
2024-02-22 18:57:01 +00:00
Alan Stokes
d02b052624 Merge "Add virtualization_maintenance_service" into main am: d2bc72b7eb
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2967637

Change-Id: Ib5539a82cb00a141c3c4d9877acb7195f853107d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-22 10:33:00 +00:00
Alan Stokes
d2bc72b7eb Merge "Add virtualization_maintenance_service" into main 2024-02-22 09:45:13 +00:00
Treehugger Robot
444ca3ef45 Merge "Reland "[res] Allow accessing idmap files in all zygotes"" into main am: b4d6657a5c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2970351

Change-Id: I61de789991aeb6254b9d2f80bff9a65f06c4b533
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-22 09:07:53 +00:00
Treehugger Robot
b4d6657a5c Merge "Reland "[res] Allow accessing idmap files in all zygotes"" into main 2024-02-22 08:42:02 +00:00
Treehugger Robot
3fbbe8f2ab Merge "Allow shell/toolbox for all domains" into main am: b08b54e735
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2968882

Change-Id: I27a83570324b203d1c2eb86adc82dcc5fec1db8e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-22 06:19:57 +00:00
Treehugger Robot
b08b54e735 Merge "Allow shell/toolbox for all domains" into main 2024-02-22 05:48:44 +00:00
Thiébaud Weksteen
99a4cbcee7 Grant lockdown integrity to all processes
The default policy for the "lockdown" access vector on Android was
introduced in commit bcfca1a6. While the "confidentiality" permission
was granted to all processes, the "integrity" was marked as
neverallowed.

Upstream, the support for that access vector was removed from kernel
5.16 onwards.

It was found that the "integrity" permission either does not apply to
Android or duplicates other access control (e.g., capabilities
sys_admin).

Instead of simply removing the neverallow rule, the access is granted to
all processes. This will prevent the proliferation of references to this
access vector in vendors' policies and ultimately facilitate its
removal.

Test: presubmit
Bug: 285443587
Bug: 269377822
Bug: 319390252
Change-Id: If2ad34fbbf2c0d29ac54ab5d1be430623f86f1f7
2024-02-22 12:20:38 +11:00
Yisroel Forta
dc79d84476 Add context that system server can access and perfetto can save traces to am: c5cb5a248d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2965922

Change-Id: I3e286eb5cfb4de9fc80eb8462fb183d67898db98
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-21 22:38:05 +00:00
Steven Moreland
9f41fc081f misctrl: add a property
misctrl can set properties which can be injected into
bugreports.

Limit visibility of these properties so that no device
code can branch based off these properties.

Bug: 317262681
Test: bugreport
Change-Id: I74f6f240b08b2681540bca262dcc76bcdca9cdad
2024-02-21 18:16:49 +00:00
Yisroel Forta
c5cb5a248d Add context that system server can access and perfetto can save traces to
Give perfetto rw dir and create file permissions for new directory.
Give system server control to read, write, search, unlink files from new directory.

Test: locally ensure traces can be written by perfetto and accessed and deleted by system server
Bug: 293957254
Change-Id: Id015429b48ffffb73e7a71addddd48a22e4740bf
2024-02-21 16:43:57 +00:00
David Drysdale
bd6d03f58b Allow virtualizationservice to check parent dir am: a9d70d7ba8
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2967573

Change-Id: I915ec4bc0144cc9a1a9ac20525f48ad1b33af3d7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-21 11:39:06 +00:00
Jooyung Han
66c5beaecc Allow shell/toolbox for all domains
Bug: 324142245
Test: m (presubmit)
Change-Id: If408294d31c66241eca938ee2a681e6a9cf37ee2
2024-02-21 11:13:14 +09:00
Yurii Zubrytskyi
9128735f1f Reland "[res] Allow accessing idmap files in all zygotes"
This reverts commit 7ee66a0391.

Reason for revert: The change is supposed to be a noop, trying it as a separate CL now

Change-Id: I0a1befb0015f39596423da7049040de6be18db65
2024-02-20 20:49:37 +00:00
Steven Moreland
b4f42d449b intro misctrl
Generic binary for managing the misc partition.

Bug: 317262681
Test: boot, check bugreport
Change-Id: Ib172d101d68409f2500b507df50b02953c392448
2024-02-20 18:56:05 +00:00