Commit graph

4786 commits

Author SHA1 Message Date
Ashwini Oruganti
fe746ae453 Allow gmscore to write to /cache
Bug: 142672293
Test: TH
Change-Id: If3c2a5c91ffb497330531ad8a57ac5840d602d34
2019-12-17 14:55:01 -08:00
Suren Baghdasaryan
a8ca12d1c0 Merge "allow system_server to access files under /sys/kernel/ion/" 2019-12-17 22:21:17 +00:00
Suren Baghdasaryan
4da970f372 allow system_server to access files under /sys/kernel/ion/
In order for system_server to report ION allocations in dumpsys meminfo
report it needs access to ION sysfs nodes.

Bug: 138148041
Test: dumpsys meminfo
Change-Id: I8b1efebe8f4b06a3975e96ddd6a8cbcacdb52fb2
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-12-17 18:36:25 +00:00
Songchun Fan
024bc59798 [incremental] allow system server to read /proc/filesystems
Also allow binder service "incremental_service" to be found by service
manager.

Test: boots
BUG: 136132412
Change-Id: I3584a9b69a7e1909f096e3c4579c1834bdfba22e
2019-12-17 09:57:42 -08:00
Treehugger Robot
f1f79242f3 Merge "Allow application to find tethering service" 2019-12-17 10:45:45 +00:00
Songchun Fan
d2b6c685b7 [incremental] allow service manager to find incremental_service
Test: boots
BUG: 136132412
Change-Id: I8728be360d4b37c6bc846a60bfef33af495ba289
2019-12-16 20:55:21 +00:00
Jeffrey Huang
215dd2aa9b system_server: create StatsManagerService
Refactor to split the logic within statscompanion_service
The goal of the refactor is to simplify the binder calls to statsd

This service will talk to statsd.

At the end of the refactor, this service should be the only
service that talks to statsd.

Bug: 146074223
Test: Manual by creating the service with empty implementation
Change-Id: Ib9c2e10ec195d41062f1001e5a82b374696de939
2019-12-16 11:50:16 -08:00
Ashwini Oruganti
384858e0ec Allow gmscore_app to write to /data/ota_package for OTA packages
This also adds an auditallow to the same rule for priv_app, so we can
delete it once no logs show up in go/sedenials for this rule
triggerring.

Bug: 142672293
Test: TH
Change-Id: I57f887e96d721ca69a7228df0a75515596776778
2019-12-16 10:00:07 -08:00
markchien
9cc39d9acf Allow application to find tethering service
Mark tethering_service as app_api_service to allow applications to find
tethering service. Apps should able to use tethering service to
know tethering state if they have ACCESS_NETWORK_STATE permission, but
they may need privileged permission if they want to change tethering.

Bug: 144320246
Test: -build, flash, boot
      -ON/OFF hotspot

Change-Id: Ie414618766144c4a4ad89c5cf03398a472638e71
2019-12-16 21:32:04 +08:00
Jeff Vander Stoep
607bc67cc9 Prevent apps from causing presubmit failures
Apps can cause selinux denials by accessing CE storage
and/or external storage. In either case, the selinux denial is
not the cause of the failure, but just a symptom that
storage isn't ready. Many apps handle the failure appropriately.

These denials are not helpful, are not the cause of a problem,
spam the logs, and cause presubmit flakes. Suppress them.

Bug: 145267097
Test: build
Change-Id: If87b9683e5694fced96a81747b1baf85ef6b2124
2019-12-16 11:19:05 +01:00
Treehugger Robot
a75fa8058c Merge "Create new system property type for Factory OTA could write system property" 2019-12-15 19:26:39 +00:00
Treehugger Robot
9b624df22c Merge "priv_app.te: Remove auditallow for privapp_data_file" 2019-12-14 00:44:36 +00:00
Ashwini Oruganti
b975142b1a priv_app.te: Remove auditallow for privapp_data_file
Looking at go/sedenials, we have learnt a lot of other priv-apps rely on
this permission. The auditallow has served its purpose and can now be
removed.

Bug: 142672293
Test: Treehugger
Change-Id: Iba81773b223d2bddbd32a0594c5aa01829252847
2019-12-13 13:57:10 -08:00
Ashwini Oruganti
60c6d4e0a3 priv_app.te: Remove auditallow for statsd
From go/sedenials, we see that com.android.vending needs this
permission. The auditallow was in place to see if any priv-apps other
than GMS core need this, and now we know.

Bug: 142672293
Test: Treehugger
Change-Id: Iad6caeb648bc23e85571b758a35649924cdeec69
2019-12-13 13:33:02 -08:00
Treehugger Robot
a48a2f185e Merge "selinux config for Incremental service" 2019-12-13 19:41:39 +00:00
Ricky Wai
5b1b423039 Allow Zygote and Installd to remount directories in /data/data
Zygote/Installd now can do the following operations in app data directory:
- Mount on it
- Create directories in it
- Mount directory for each app data, and get/set attributes

Bug: 143937733
Test: No denials at boot
Test: No denials seen when creating mounts
Change-Id: I6e852a5f5182f1abcb3136a3b23ccea69c3328db
2019-12-13 12:30:26 +00:00
Henry Tung
6d57b494c0 Create new system property type for Factory OTA could write system property
Due to Factory OTA client install in product partition but it also declare coredomian in
its sepolicy setting. That will let Factory OTA unable to find a property type could write system property.
But now Factory OTA have a restore NFC wake function need to write system property for communicate with bootloader.
So we need to create a new property type in system framework which could allow Factory OTA client to write system property.

Bug: 145178094
Test: Manual
Change-Id: Ic549cc939893ec67a46bf28a23ebeb9f9b81bd0b
2019-12-13 09:39:19 +00:00
Treehugger Robot
e8419e5832 Merge "gmscore_app: suppress denials for system_data_file" 2019-12-13 08:17:26 +00:00
David Anderson
7c3a3d8182 Merge "Enable gsid to read /sys/fs/f2fs" 2019-12-13 01:26:18 +00:00
Kiyoung Kim
b8f4e9280c Merge "Allow linkerconfig to be executed from recovery" 2019-12-13 01:09:58 +00:00
Ashwini Oruganti
e80d00ff34 gmscore_app: suppress denials for system_data_file
This denial is generally a sign that apps are attempting to access
encrypted storage before the ACTION_USER_UNLOCKED intent is delivered.
Suppress this denial to prevent logspam.

While gmscore_app is running in permissive mode, there might be other
denials for related actions (that won't show up in enforcing mode after
the first action is denied). This change adds a bug_map entry to track
those denials and prevent presubmit flakes.

Bug: 142672293
Test: Happy builds
Change-Id: Id2f8f8ff5cde40e74be24daa0b1100b91a7a4dbb
2019-12-12 14:38:40 -08:00
Songchun Fan
f3380b151d selinux config for Incremental service
BUG: 136132412
Test: boots
Change-Id: I0bff222af54d617b7c849bbed6fa52b96d945e32
2019-12-12 22:01:00 +00:00
Ytai Ben-tsvi
8f7a81ef5d Merge changes I7620902b,Ia7cb4f84,Iff95982d
* changes:
  Allow audio_server to access soundtrigger_middleware service
  Allow soundtrigger_middleware system service
  Allow system service to access audio HAL (for soundtrigger)
2019-12-12 21:42:23 +00:00
Songchun Fan
7a9f01d159 Merge "selinux config for data loader manager service" 2019-12-12 19:50:40 +00:00
Ytai Ben-Tsvi
43a474271f Allow audio_server to access soundtrigger_middleware service
In order to update it when external capture is taking place.

Change-Id: I7620902bfdd93b3f80f3ab2921b6adae2e77166f
Bug: 142070343
2019-12-12 10:56:35 -08:00
Ytai Ben-Tsvi
29c819c015 Allow soundtrigger_middleware system service
New system service, intended to replace all of the soundtrigger
middleware.

Change-Id: Ia7cb4f8436719ca3bf71ea4c2bc32995568ff01d
Bug: 142070343
2019-12-12 10:56:35 -08:00
Ytai Ben-Tsvi
3b1a106957 Allow system service to access audio HAL (for soundtrigger)
Change-Id: Iff95982db276d3622cbfaf7bf7d04e7e1427926c
Bug: 142070343
2019-12-12 10:56:35 -08:00
Treehugger Robot
a5328d2614 Merge "Allow gmscore to ptrace itself" 2019-12-12 15:40:37 +00:00
Treehugger Robot
7e5c0ec673 Merge "Allow tethering find netork stack service" 2019-12-12 12:31:26 +00:00
markchien
c5aa4845d0 Allow tethering find netork stack service
Allow tethering service which is running in the same process as network
stack service "find" network stack service. Original design is passing
network_stack binder to tethering service directly when tethering
service is created. To allow creating tethering service and network
stack service in parallel. Let tethering service query network_stack
binder instead.

Bug: 144320246
Test: boot, flash, build
      OFF/ON hotspot

Change-Id: Ife0c2f4bdb2cfee4b5788d63d1cfc76af0ccc33c
2019-12-12 12:54:57 +08:00
Songchun Fan
c111e5a9b3 selinux config for data loader manager service
Test: boots
Change-Id: If489054a51838d4215202b5768d46c6278ed1aa2
2019-12-11 17:09:44 -08:00
Ashwini Oruganti
9ba277df83 Allow gmscore to ptrace itself
This is needed to debug native crashes within the gmscore app.

Now that GMS core is running in gmscore_app and not in the priv_app
domain, we need this rule for the new domain. This also adds an
auditallow to the same rule for priv_app, so we can delete it once no
logs show up in go/sedenials for this rule triggerring.

Bug: 142672293
Test: TH
Change-Id: I7d28bb5df1a876d0092758aff321e62fa2979694
2019-12-11 17:09:05 -08:00
Treehugger Robot
84307d501f Merge "Allow GMS core to call dumpsys storaged" 2019-12-11 22:25:55 +00:00
Chris Weir
6ad4f3207a Merge "Modify SEPolicy to support SLCAN" 2019-12-11 21:25:14 +00:00
Ashwini Oruganti
7493bb52c1 Allow GMS core to call dumpsys storaged
Now that GMS core is running in gmscore_app and not priv_app, we need
this rule for the new domain. This also adds an auditallow to the same
rule for priv_app, so we can delete it once no logs show up in
go/sedenials for this rule triggerring.

Bug: 142672293
Test: TH
Change-Id: I308d40835156e0c19dd5074f69584ebf1c72ad58
2019-12-11 12:49:04 -08:00
Nikita Ioffe
8330719908 Merge "Allow init to read /sys/block/dm-XX/dm/name" 2019-12-11 18:40:21 +00:00
Jeffrey Vander Stoep
9a38c23cee Merge "system_server: allow signull signal on zygote" 2019-12-11 08:42:22 +00:00
Kiyoung Kim
2c271aab42 Allow linkerconfig to be executed from recovery
Add extra policy to enable linkerconfig to be executed from recovery.

Bug: 139638519
Test: Tested from crosshatch recovery
Change-Id: I40cdea4c45e8a649f933ba6ee73afaa7ab3f5348
2019-12-11 15:50:35 +09:00
Kiyoung Kim
cd74ef82fd Merge "Move linker config under /linkerconfig" 2019-12-11 02:55:06 +00:00
Treehugger Robot
45bc889a23 Merge "Allow telephony access to platform_compat" 2019-12-11 00:35:28 +00:00
David Anderson
d2a70f100b Enable gsid to read /sys/fs/f2fs
gsid needs access to /sys/fs/f2fs/<dev>/features to detect whether
pin_file support is enabled in the kernel.

Bug: 134949511
Test: libsnapshot_test gtest
Change-Id: I5c7ddba85c5649654097aa51285d7fa5c53f4702
2019-12-10 16:28:59 -08:00
Treehugger Robot
898a71352c Merge "Allow PermissionController app to to request and collect incident reports" 2019-12-10 18:25:44 +00:00
Kenny Root
6a9f7b265a Merge "Support Resume on Reboot" 2019-12-10 12:59:35 +00:00
Jeff Vander Stoep
4ae2aa7895 system_server: allow signull signal on zygote
This can be used as an existence check on a process
before calling kill (which is already granted).

Addresses:
avc: denied { signull } for comm="Binder:1328_1"
scontext=u:r:system_server:s0 tcontext=u:r:webview_zygote:s0
tclass=process permissive=0

Bug: 143627693
Test: build
Change-Id: I01dfe3c0cb2f4fec2d1f1191ee8243870cdd1bc6
2019-12-10 11:40:10 +01:00
Ashwini Oruganti
73e1229c96 Allow PermissionController app to to request and collect incident reports
This change adds rules related to incidentd and incident_service.

Bug: 142672293
Test: TH
Change-Id: I578ad5f1d893b9f640983d44eed770d0933ebf60
2019-12-09 16:38:20 -08:00
Kenny Root
76ea325a3d Support Resume on Reboot
When an OTA is downloaded, the RecoverySystem can be triggered to store
the user's lock screen knowledge factor in a secure way using the
IRebootEscrow HAL. This will allow the credential encrypted (CE)
storage, keymaster credentials, and possibly others to be unlocked when
the device reboots after an OTA.

Bug: 63928581
Test: make
Test: boot emulator with default implementation
Test: boot Pixel 4 with default implementation
Change-Id: I1f02e7a502478715fd642049da01eb0c01d112f6
2019-12-09 14:25:04 -08:00
Nikita Ioffe
23ba976f34 Allow init to read /sys/block/dm-XX/dm/name
In order to remount ext4 userdata into checkpointing mode, init will
need to delete all devices from dm-stack it is mounted onto (e.g.
dm-bow, dm-crypto). For that it needs to get name of a dm-device by
reading /sys/block/dm-XX/dm/name file.

Test: adb shell setprop sys.init.userdata_remount.force_umount_f2fs 1
Test: adb shell /system/bin/vdc checkpoint startCheckpoint 1
Test: adb reboot userspace
Test: adb shell dumpsys activity
Bug: 135984674
Bug: 143970043
Change-Id: I919a4afdce8a4f88322f636fdf796a2f1a955d04
2019-12-09 21:21:55 +00:00
Oli Lan
91ce5b9c22 Add type for directories containing snapshots of apex data.
This adds a new apex_rollback_data_file type for the snapshots (backups)
of APEX data directories that can be restored in the event of a rollback.

Permission is given for apexd to create files and dirs in those directories
and for vold_prepare_subdirs to create the directories.

See go/apex-data-directories for details.

Bug: 141148175
Test: Built and flashed, checked directory was created with the correct
type.

Change-Id: I94b448dfc096e5702d3e33ace6f9df69f58340fd
2019-12-09 11:16:24 +00:00
Oli Lan
79b4e1af4a Add type for APEX data directories.
This adds a new apex_module_data_file type for the APEX data directories
under /data/misc/apexdata and /data/misc_[de|ce]/<u>/apexdata.

Permission is given for vold to identify which APEXes are present and
create the corresponding directories under apexdata in the ce/de user
directories.

See go/apex-data-directories.

Bug: 141148175
Test: Built & flashed, checked directories were created.
Change-Id: I95591e5fe85fc34f7ed21e2f4a75900ec2cfacfa
2019-12-09 11:14:38 +00:00
Hridya Valsaraju
004539ef7c Add sepolicy for binderfs
/dev/binder, /dev/hwbinder and /dev/vndbinder are relocating
to /dev/binderfs/binder /dev/binderfs/hwbinder and
/dev/binderfs/vndbinder. This patch adds the sepolicy to
allow the switch.

The following are some of the denials that get taken care of by this
patch(there are too many to copy).

audit(1575835230.863:16): avc: denied { search } for comm="servicemanager" name="/" dev="binder" ino=1 scontext=u:r:servicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
audit(1575835230.863:16): avc: denied { read } for comm="servicemanager" name="binder" dev="binder" ino=4 scontext=u:r:servicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=chr_file permissive=1
audit(1575835230.863:17): avc: denied { write } for comm="servicemanager" name="binder" dev="binder" ino=4 scontext=u:r:servicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=chr_file permissive=1
audit(1575835230.863:17): avc: denied { open } for comm="servicemanager" path="/dev/binderfs/binder" dev="binder" ino=4 scontext=u:r:servicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=chr_file permissive=1
audit(1575835230.863:18): avc: denied { ioctl } for comm="servicemanager" path="/dev/binderfs/binder" dev="binder" ino=4 ioctlcmd=0x6209 scontext=u:r:servicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=chr_file permissive=1
audit(1575835230.863:19): avc: denied { map } for comm="servicemanager" path="/dev/binderfs/binder" dev="binder" ino=4 scontext=u:r:servicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=chr_file permissive=1
audit(1575835230.867:20): avc: denied { search } for comm="vndservicemanag" name="/" dev="binder" ino=1 scontext=u:r:vndservicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
audit(1575835230.867:20): avc: denied { read } for comm="vndservicemanag" name="vndbinder" dev="binder" ino=6 scontext=u:r:vndservicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=chr_file permissive=1
audit(1575835230.867:21): avc: denied { write } for comm="vndservicemanag" name="vndbinder" dev="binder" ino=6 scontext=u:r:vndservicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=chr_file permissive=1
audit(1575835230.867:21): avc: denied { open } for comm="vndservicemanag" path="/dev/binderfs/vndbinder" dev="binder" ino=6 scontext=u:r:vndservicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=chr_file permissive=1
audit(1575835230.867:22): avc: denied { ioctl } for comm="vndservicemanag" path="/dev/binderfs/vndbinder" dev="binder" ino=6 ioctlcmd=0x6209 scontext=u:r:vndservicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=chr_file permissive=1
audit(1575835230.867:23): avc: denied { map } for comm="vndservicemanag" path="/dev/binderfs/vndbinder" dev="binder" ino=6 scontext=u:r:vndservicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=chr_file permissive=1
audit(1575835230.871:25): avc: denied { search } for comm="hwservicemanage" name="/" dev="binder" ino=1 scontext=u:r:hwservicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
audit(1575835238.351:72): avc: denied { search } for comm="android.hardwar" name="proc" dev="binder" ino=1048586 scontext=u:r:hal_configstore_default:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1

Test: boots without any issues when binderfs in enabled.
Bug: 136497735

Change-Id: Ib0f8f2156c960eb7b394dd7c79ae96c7da8bc213
2019-12-08 13:14:04 -08:00
Jing Ji
dd1b53c143 Merge "Allow system_server to send signull to appdomain" 2019-12-06 21:25:35 +00:00
Hall Liu
d29fc6a99a Allow telephony access to platform_compat
Allow telephony to access platform_compat in order to log app failures
related to security fixes that we've made.

Bug: 144631034
Test: manual
Change-Id: Ibf783f0eb306061136fe0a57023d01344253eef0
2019-12-06 13:18:21 -08:00
Jing Ji
debb1d523f Allow system_server to send signull to appdomain
In order to check the process existence by using kill(pid, 0)

Bug: 141857656
Test: manual
Change-Id: I7b9f3e5294449a521ef92b2054b4409afbf4306b
2019-12-06 11:07:23 -08:00
Treehugger Robot
09ecf475e9 Merge "Add sepolicy for AppIntegrityService." 2019-12-06 18:37:02 +00:00
Tomasz Wasilczyk
e7f2a17b2e Merge "Allow vendor-init selecting Vehicle HAL instance to use." 2019-12-06 16:55:48 +00:00
Anton Hansson
902f4fe2e6 Merge "Add sepolicy for sdkext module prop" 2019-12-06 11:13:03 +00:00
Treehugger Robot
b1e670c24c Merge "[Tether15] Allow system app to find TetheringManager" 2019-12-06 03:32:50 +00:00
Chong Zhang
c10a9eadd8 allow mediaserver to use appdomain_tmpfs
mediaserver and mediaextractor both need this.

bug: 145607042
bug: 145355521
test: run modified android.media.cts.HeifWriterTest
to use the new android.Os.memfd_create, the test
should pass; shouldn't fail in verification step
due to MediaMetadataRetriever can't access the memfd.

Change-Id: I47dabb9d98c77b647521884c7b5fadf04eae3b41
2019-12-05 12:14:13 -08:00
Tomasz Wasilczyk
d9999bebc9 Allow vendor-init selecting Vehicle HAL instance to use.
Bug: 143779011
Test: added PRODUCT_PROPERTY_OVERRIDES for ro.vehicle.hal
Change-Id: I01ec302f3aedae0b021aa34952805e764d45f431
2019-12-05 08:49:49 -08:00
Treehugger Robot
4c8a849f25 Merge "sepolicy: allow rules for apk verify system property" 2019-12-05 16:08:37 +00:00
Anton Hansson
e822545909 Add sepolicy for sdkext module prop
Add a domain for derive_sdk which is allowed to set
persist.com.android.sdkext.sdk_info, readable by all
apps (but should only be read by the BCP).

Bug: 137191822
Test: run derive_sdk, getprop persist.com.android.sdkext.sdk_info
Change-Id: I389116f45faad11fa5baa8d617dda30fb9acec7a
2019-12-05 14:11:50 +00:00
Song Pan
8be46bf2e0 Add sepolicy for AppIntegrityService.
CL that adds the service: http://ag/9554748

BUG:145674997
Test: Manually flash the device. Without this change, the devices goes into a
bootloop (http://gpaste/5033431010377728) if I uncommit the guard in
http://ag/c/platform/frameworks/base/+/9652133/21/services/core/java/com/android/server/integrity/AppIntegrityManagerService.java

Change-Id: Ib2daf9191900d94abeae207e18a77a5914d14783
2019-12-05 12:22:51 +00:00
Jooyung Han
870c448ace Merge "Allow system_server to read/open apex_mnt_dir" 2019-12-05 08:55:31 +00:00
Kiyoung Kim
00cf2fbe50 Move linker config under /linkerconfig
Currently linker config locates under /dev, but this makes some problem
in case of using two system partitions using chroot. To match system
image and configuration, linker config better stays under /linkerconfig

Bug: 144966380
Test: m -j passed && tested from cuttlefish
Change-Id: Iea67663442888c410f29f8dd0c44fe49e3fcef94
2019-12-05 12:42:29 +09:00
Jooyung Han
41870be726 Allow system_server to read/open apex_mnt_dir
PackageManager tries to scan /apex (apex_mnt_dir) for flattened apexes.

Previously, because /apex was blindly bind-mounted to /system/apex for
"flattened" apexes, the label for /apex is the same as /system/apex,
which is oaky for system_server to handle it.

But to support flattened apexes from other partitions such as /vendor or
/system_ext, every apex should be mounted under /apex individually,
which leaves the se-label of /apex unchanged (apex_mnt_dir).

Bug: 144732372
Test: boot with flattened apexes
      see if there are errors "denied system_server with apex_mnt_dir"
Change-Id: I81bd6ab152770c3c569b22274a6caa026615303e
2019-12-05 08:26:26 +09:00
chrisweir
cd40aa0ab7 Modify SEPolicy to support SLCAN
SLCAN setup requires certain ioctls and read/write operations to
certain tty's. This change allows the HAL to set up SLCAN devices while
complying with SEPolicy.

In addition to adding support for SLCAN, I've also included permissions
for using setsockopt. In order for the CAN HAL receive error frames from
the CAN bus controller, we need to first set the error mask and filter
via setsockopt.

Test: manual
Bug: 144458917
Bug: 144513919
Change-Id: I63a48ad6677a22f05d50d665a81868011c027898
2019-12-04 14:06:09 -08:00
Mathieu Chartier
60d75c2b04 Merge "Allow iorapd to access the runtime native boot feature flag properties" 2019-12-04 22:01:29 +00:00
Mathieu Chartier
7bc626ae42 Allow iorapd to access the runtime native boot feature flag properties
Test: adb shell device_config put runtime_native_boot iorap_perfetto_enable true
Test: inspect lodcat to validate

Bug: 141377208
Change-Id: Iaef1197decff37512f107774ea0f0f09a4dcd72d
2019-12-04 20:56:54 +00:00
Hangyu Kuang
4c1e76adcb Merge "MediaTranscodingService: Add sepolicy for MediaTranscodingService." 2019-12-03 23:55:20 +00:00
Victor Hsieh
8b65b0b12d sepolicy: allow rules for apk verify system property
ro.apk_verity.mode was introduced in P on crosshatch. This change
changes the label from default_prop to a new property, apk_verity_prop.

ro.apk_verity.mode is set by vendor_init per build.prop, in order to
honor Treble split.  It is also read by system_server and installd
currently.

Test: verify functioning without denials in dmesg
Bug: 142494008
Bug: 144164497
Change-Id: I1f24513d79237091cf30025bb7ca63282e23c739
2019-12-03 10:09:35 -08:00
Hangyu Kuang
ee3a8ea798 MediaTranscodingService: Add sepolicy for MediaTranscodingService.
Bug:145233472
Test: Build and flash the phone.
"adb shell dumpsys -l | grep media" shows media.transcoding service.

Change-Id: I48a42e7b595754989c92a8469eb91360ab6db7c6
2019-12-02 13:57:28 -08:00
Ashwini Oruganti
b7c81c04c0 Don't run vzwomatrigger_app in permissive mode
This change enforces all the defined rules for the vzwomatrigger_app
domain and unsets permissive mode. There have not been any new denials
in the past weeks for this domain (source: go/sedenials), and hence this
domain appears to not need any new permissions.

Bug: 142672293
Test: Green builds
Change-Id: I588b4e3038a3e8188d97183a592f9023a95dd3a8
2019-12-02 09:41:54 -08:00
Jeff Vander Stoep
a213e0c3c5 gmscore_app: add bug map
De-flake tests.

Test: build
Bug: 145267097
Change-Id: I7c21229d8577ffb9283a94290b3cfe575868d348
2019-12-02 13:42:11 +01:00
Mark Chien
9dfaa7dcc6 [Tether15] Allow system app to find TetheringManager
Bug: 144320246
Test: -build, flash, boot
      -OFF/ON hotspot

Change-Id: I8ce7ac5eb8198f0df4a2da426e3c56e8915e746a
2019-12-02 18:01:33 +08:00
Shuo Qian
584234e8b1 Merge "Setting up SELinux policy for Emergency number database" 2019-11-27 19:14:50 +00:00
Jeff Vander Stoep
99d5970dcf Whitelist app->storage denials
Make presubmit less flaky.

Bug: 145267097
Test: build
Change-Id: Id3e8c636f9ebda0dd07a0dcf5211f4a73bd3e3c2
2019-11-27 15:01:05 +01:00
Treehugger Robot
d16a3968f3 Merge changes Ifa33dae9,I69ccc6af,Ibb4db9d9
* changes:
  Revert "sepolicy: Permission changes for new wifi mainline module"
  Revert "wifi_stack: Move to network_stack process"
  Revert "sepolicy(wifi): Allow audio service access from wifi"
2019-11-27 00:41:35 +00:00
Treehugger Robot
63fb238052 Merge "Audit GMS core related allow rules in priv_app.te" 2019-11-26 23:00:25 +00:00
David Sehr
453ed17a61 Merge "Revert^2 "SELinux policy for system server JVMTI"" 2019-11-26 22:19:11 +00:00
Ashwini Oruganti
e6ed127dcb Audit GMS core related allow rules in priv_app.te
We've moved GMS core to its own domain, and these permissions should be
removed from the priv_app domain. This change adds auditallow to these
permissions so we know if it's safe to check if any other privapps are
relying on these.

Bug: 142672293
Test: Green builds
Change-Id: I35402f1166a0edf8e001d894413f470c090c7b57
2019-11-26 13:16:21 -08:00
Shuo Qian
9322cb088a Setting up SELinux policy for Emergency number database
Test: Manual; https://paste.googleplex.com/6222197494382592
Bug: 136027884
Change-Id: I29214de6b5b5a62bff246c1256567844f4ce55c7
2019-11-26 12:51:02 -08:00
Colin Cross
e84bef4647 Merge "bug_map: track bluetooth storage_stub_file denial" 2019-11-26 18:33:37 +00:00
Colin Cross
b24b629ed3 bug_map: track bluetooth storage_stub_file denial
Bug: 145212474
Test: none
Change-Id: I64e7e73907637e100d59b735c57cc40996044607
2019-11-26 10:31:46 -08:00
Treehugger Robot
e91bdc73d8 Merge "[Tether12] Give network stack permission for tetheroffload" 2019-11-26 13:34:38 +00:00
David Sehr
fa67ec4126 Revert^2 "SELinux policy for system server JVMTI"
This reverts commit baa06ee2cd.

Reason for revert: Added missing property name in vendor_init.te.

Bug: none
Test: none (other than neverallow checking)
Change-Id: I9e93bf4ea6ca3a4634f8f4cbce2f13c5f410883b
2019-11-25 15:53:52 -08:00
Robert Shih
cc8a4d3bf2 allow mediaserver to access drm hidl
Previously mediaserver could only access hidl via mediadrmserver.
Required because mediadrmserver will be removed in R.

Bug: 134787536
Bug: 144731879
Test: MediaPlayerDrmTest
Change-Id: If0ae1453251e88775a43750e24f7dac198294780
2019-11-25 11:24:44 -08:00
Ashwini Oruganti
8f079fb0e2 Merge "Create a separate SELinux domain for gmscore" 2019-11-25 16:59:10 +00:00
Martijn Coenen
d1460a1111 Merge changes Ide8fc07c,Ia1f51db4
* changes:
  Allow vold to mount on top of /data/media.
  Revert "Temporarily relax Zygote storage mounting rules."
2019-11-23 09:10:34 +00:00
Raman Tenneti
9f793aff87 Merge "Revert submission" 2019-11-22 21:17:29 +00:00
Raman Tenneti
baa06ee2cd Revert submission
Reason for revert: BUG: 145006573

Change-Id: I87f640383ab0fc4005ce31f938e81dcfa6572058
2019-11-22 21:07:49 +00:00
Ashwini Oruganti
c46a7bc759 Create a separate SELinux domain for gmscore
This change creates a gmscore_app domain for gmscore. The domain is
currently in permissive mode (for userdebug and eng builds), while we
observe the SELinux denials generated and update the gmscore_app rules
accordingly.

Bug: 142672293
Test: Flashed a device with this build and verified
com.google.android.gms runs in the gmscore_app domain. Tested different
flows on the Play Store app, e.g., create a new account, log in, update
an app, etc. and verified no new denials were generated.
Change-Id: Ie5cb2026f1427a21f25fde7e5bd00d82e859f9f3
2019-11-22 10:39:19 -08:00
David Sehr
c0bb680fee Merge "SELinux policy for system server JVMTI property" 2019-11-22 18:36:20 +00:00
Roshan Pius
d804a76d03 Revert "sepolicy: Permission changes for new wifi mainline module"
This reverts commit 3aa1c1725e.

Reason for revert: Wifi services no longer plan to be a separate
APK/process for mainline. Will instead become a jar loaded from Apex.

Bug: 144722612
Test: Device boots up & connects to wifi networks
Change-Id: Ifa33dae971dccfd5d14991727e2f27d2398fdc74
2019-11-22 09:49:32 -08:00
Roshan Pius
a483b5df72 Revert "wifi_stack: Move to network_stack process"
This reverts commit 1086c7d71d.

Reason for revert: Wifi services no longer plan to be a separate
APK/process for mainline. Will instead become a jar loaded from Apex.

Bug: 144722612
Test: Device boots up & connects to wifi networks
Change-Id: I69ccc6afbe15db88f516cdc64e13d8cfdb0c743c
2019-11-22 09:48:54 -08:00
Roshan Pius
845b10c3db Revert "sepolicy(wifi): Allow audio service access from wifi"
This reverts commit 386cf9d957.

Reason for revert: Wifi services no longer plan to be a separate
APK/process for mainline. Will instead become a jar loaded from Apex.

Bug: 144722612
Test: Device boots up & connects to wifi networks
Change-Id: Ibb4db9d92c8d9f1170fcc047fa3377eef2acfce6
2019-11-22 09:48:01 -08:00
Martijn Coenen
357eb193e9 Revert "Temporarily relax Zygote storage mounting rules."
This reverts commit 9f02b30a72.

This is no longer needed, because we never shipped app storage
sandboxes.

Bug: 130812417
Test: builds
Change-Id: Ia1f51db4904742d2ef15222f2350c67af0dd4a28
2019-11-22 16:02:07 +01:00
Ashwini Oruganti
a227509173 Merge "Update permissioncontroller_app domain rules" 2019-11-22 01:10:02 +00:00
David Sehr
38f6e59bd6 SELinux policy for system server JVMTI property
Add the SELinux policy to implement a no-write persistent property
controlling whether to launch a JVMTI agent in the system server.

Bug: none
Test: none (other than the neverallow)
Change-Id: Ic70ee5b05c5507b4159ef4c825a360be47bc02b0
2019-11-21 15:50:37 -08:00
Treehugger Robot
b7098cb480 Merge "Revert "sepolicy: dontaudit cap_sys_admin on userdebug/eng"" 2019-11-21 22:27:37 +00:00
Ashwini Oruganti
5064189c23 Update permissioncontroller_app domain rules
This adds permissions for content_capture_service,
incidentcompanion_service, media_session_service, and telecom_service.
These were observed via sedenials on dogfood builds.

Bug: 142672293
Bug: 144677148
Test: Green builds, no more denials show up for these services.
Change-Id: Ifd93c54fb3ca3f0da781cd2038217a29e812a40f
2019-11-21 12:59:33 -08:00
Victor Hsieh
7a4064c5ee Revert "sepolicy: dontaudit cap_sys_admin on userdebug/eng"
Reason for revert: Kernel fix has been backported to coral kernel.

Bug: 132323675
Change-Id: Ie797e5cf212b15c6fff34d2a096ac96de31ce627
2019-11-21 18:37:52 +00:00
Ashwini Oruganti
288c14f137 PermissionController goes to the permissioncontroller_app domain
This change adds a rule for com.android.permissioncontroller to run in
the previously defined permissioncontroller_app.
com.android.permissioncontroller would require similar permissions to
com.google.android.permissioncontroller.

Bug: 142672293
Test: Green builds
Change-Id: I92e7175526380c0711f52fafe8d1f8d9531d07f8
2019-11-21 09:48:01 -08:00
markchien
e9bb9a4c98 [Tether12] Give network stack permission for tetheroffload
Tethering module would run in network stack process. Add network_stack
as client of tetheroffload hidl and give it permission to create and share
netlink_netfilter_sockets

Bug: 144320246
Test: -build, flas, boot
      -OFF/ON hotspot

Change-Id: Id961fd4af0d30f902eb0115aa15db612aaa8bb91
2019-11-21 12:58:31 +08:00
Treehugger Robot
82eca37afa Merge "Revert "Don't run permissioncontroller_app in permissive mode"" 2019-11-21 04:18:39 +00:00
Ashwini Oruganti
6f795f3dc6 Revert "Don't run permissioncontroller_app in permissive mode"
This reverts commit 9076b9c541.

This is breaking incidentcompanion_service and preventing taking bug
reports from work profile.

Bug: 144677148
Bug: 142672293
Test: Green builds.
Change-Id: I7a82522a5bb21c05fbabd3f3f1c05d4a8c6ca8f4
2019-11-20 22:47:22 +00:00
Nikita Ioffe
a0bba66aac Merge "Add selinux rules for userspace reboot related properties" 2019-11-20 13:04:16 +00:00
Terry Wang
a7795f5e77 Merge "Add a new system service for app search management." 2019-11-19 22:06:20 +00:00
Nikita Ioffe
7065e46b5d Add selinux rules for userspace reboot related properties
By default sys.init.userspace_reboot.* properties are internal to
/system partition. Only exception is
sys.init.userspace_reboot.in_progress which signals to all native
services (including vendor ones) that userspace reboot is happening,
hence it should be a system_public_prop.

Only init should be allowed to set userspace reboot related properties.

Bug: 135984674
Test: builds
Test: adb reboot userspace
Change-Id: Ibb04965be2d5bf6e81b34569aaaa1014ff61e0d3
2019-11-19 17:41:28 +00:00
Mike Yu
c205104505 Allow system server to dump netd stack traces
Bug: 144415436
Test: built, flashed, booted
      verified watchdog dumped netd stack traces during ANR

Change-Id: Ib013dd3b7e5a0fa1731559b9e056c74f30acd3cd
2019-11-19 14:55:00 +08:00
Terry Wang
9a2296252f Add a new system service for app search management.
This change app-search-service to sepolicy system service.

Bug: 142567528
Test: Manual
Change-Id: Ife7b09365d667da0ad370e586af828f8f4423660
2019-11-18 16:06:58 -08:00
Tianjie Xu
a54c82a1fc Merge "Add a new context for property ota.warm_reset" 2019-11-18 23:15:43 +00:00
Ilya Matyukhin
517fee8781 Merge "Add AuthService to sepolicy" 2019-11-18 20:45:38 +00:00
Ilya Matyukhin
d2309dafcb Add AuthService to sepolicy
AuthService is introduced in ag/9700446.

Bug: 141025588
Test: can successfully publish AuthService with publishBinderService(...)
Change-Id: I0f9fceac0c555d05a29467e4ab1380f389b60af4
2019-11-16 02:24:30 +00:00
Treehugger Robot
e2aabe5012 Merge "Add new time zone detection service" 2019-11-15 19:55:49 +00:00
Neil Fuller
dcda8d0bb7 Add new time zone detection service
Add entries necessary for the new time zone detection service.

Bug:140712361
Test: See related frameworks/base change
Change-Id: Ide4244104e2add843c1d699d528328dd71a6b525
2019-11-15 13:33:23 +00:00
David Anderson
899d721779 Merge "Allow recovery and fastbootd to interact with libfiemap." 2019-11-15 04:27:59 +00:00
Treehugger Robot
a1f3cae304 Merge "sepolicy: Allow system_server to use execmem in emulator builds with software rendering." 2019-11-15 02:48:43 +00:00
Ashwini Oruganti
c77ff3727c Create a separate domain for VzwOmaTrigger
This creates a new vzwomatrigger_app domain. The domain is
currently in permissive mode (for userdebug and eng builds), while we
observe the SELinux denials generated and update permissions.
Bug: 142672293
Test: Build, flash, boot successfully

Change-Id: I552df772b66e8e7edb1ccee754d1ea8dd1acece0
2019-11-14 16:13:00 -08:00
Tianjie Xu
f5ddc0444b Add a new context for property ota.warm_reset
The property is set to inform kernel to do a warm_reset on the next
reboot. This is useful to persist the logs to debug device boot
failures. More details in http://go/rvc-ota-persist-logs.

The property is set to 1 by update_engine after an OTA. And it's set to
0 by update_verifier or vold after we mark the current slot boot
successful.
The property is read by vendor_init. And according to its value,
vendor_init writes a particular sysfs file to schedule a warm reset
on the following reboot.

Without the new context, the denial message says:
[   13.423163] audit: type=1107 audit(1746393.166:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc:  denied  { read } for property=ota.warm_reset pid=0 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0'
[   23.096497] init: Unable to set property 'OTA.warm_reset' from uid:0 gid:2001 pid:841: SELinux permission check failed
[   23.096574] type=1107 audit(1573768000.668:42): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=OTA.warm_reset pid=841 uid=0 gid=2001 scontext=u:r:update_verifier:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=0'
[   23.108430] update_verifier: Failed to reset the warm reset flag

Bug: 143489994
Test: check the property can be set by update_engine, and read by vendor_init
Change-Id: I87c12a53a138b72ecfed3ab6a4d846c20f5a8484
2019-11-14 15:24:25 -08:00
Ashwini Oruganti
64e36cf38d Merge "Don't run permissioncontroller_app in permissive mode" 2019-11-14 23:09:41 +00:00
Nikita Ioffe
8a4805265b Allow apexd to be fork_execvp'ed from init during userspace reboot
Test: builds
Test: adb reboot userspace
Bug: 135984674
Change-Id: I089078232c40d533b712736b83a5ed757dde689e
2019-11-14 15:31:47 +00:00
David Anderson
b45bbe2e55 Allow recovery and fastbootd to interact with libfiemap.
In normal Android, libsnapshot interacts with libfiemap over binder (via
IGsid). There is no binder in recovery, so instead, we directly link to
the library and therefore need appropriate sepolicy changes.

Bug: 139154945
Test: no denials in recovery or fastbootd
Change-Id: I356d7b5b906ac198e6f32c4d0cdd206c97faeb84
2019-11-13 18:46:57 -08:00
Ashwini Oruganti
9076b9c541 Don't run permissioncontroller_app in permissive mode
Looking at go/sedenials, we're fairly confident that this domain has all
the necessary permissions. This change enforces all the defined rules
for the permissioncontroller_app domain and unsets the permissive mode.
Bug: 142672293
Test: Build successfully, flashed a phone and basic usage of Permission Manager seemed to work well.

Change-Id: I3fb9cfaa216ddbd865b56e72124374eb1c75dea8
2019-11-13 16:37:49 -08:00
Tri Vo
c03def15ed Merge "system_suspend: sysfs path resolution" 2019-11-13 00:25:26 +00:00
Jing Ji
fd043c7065 Merge "Allow system_server to read system_lmk_prop" 2019-11-12 23:49:08 +00:00
Tri Vo
e3e77ed264 system_suspend: sysfs path resolution
/sys/class/wakeup/wakeupN can point to an arbitrary path in sysfs. Add
"search" permission for path resolution.

Bug: 144095608
Test: m selinux_policy
Change-Id: I033d15b4ca56656f144189f5c2b1b885f30155a3
2019-11-12 13:47:26 -08:00
Wenjie Zhou
b438d4527a Merge "Enable incidentd access to ro.serialno" 2019-11-09 01:05:18 +00:00
Treehugger Robot
eefca2bfd8 Merge "snapshotctl: talk to bootcontrol HAL" 2019-11-08 23:36:21 +00:00
zhouwenjie
c8ae8fa616 Enable incidentd access to ro.serialno
incident report contains similar data as in a bugreport, but in proto
format. Currently ro.serialno is not captured due to selinux settings.

Test: adb shell incident -p LOCAL 1000
Bug: 143372261
Change-Id: I6a89308c1347fba2ce4f7b469f9a02b119d4aeb7
2019-11-08 14:09:52 -08:00
Yifan Hong
667b71010a snapshotctl: talk to bootcontrol HAL
Test: OTA then merge
Change-Id: Ifdb23070de4e7d8ae4a7ef7d5a6435f101c8b410
2019-11-07 14:49:25 -08:00
Tri Vo
5f1ac02157 system_suspend access to suspend, wakeup stats
Android is moving away from debugfs. Information from /d/wakeup_sources
and /d/suspend_stats is now also exposed in sysfs under
/sys/class/wakeup/* and /sys/power/suspend_stats/* respectively:

  https://lkml.org/lkml/2019/7/31/1349
  https://lkml.org/lkml/2019/8/6/1275

Allow SystemSuspend to read those sysfs nodes.

One caveat is that /sys/class/wakeup/wakeupN can be a symlink to a
device-specific location. In this case, device sepolicy should label
that the files appropriately. This is similar to how device policy
applies "sysfs_net" and "sysfs_batteryinfo" labels.

Bug: 144095608
Bug: 129087298
Test: boot cuttlefish; system_suspend is able to read
/sys/power/suspend_stats/* and /sys/class/wakeup/*
Change-Id: I350c88a271c0f422d0557aeb5e05e1537dc97bc9
2019-11-07 13:50:32 -08:00
Sudheer Shanka
426f2e77c0 Merge "Add a new system service "blob_store"." 2019-11-07 18:04:24 +00:00
James Lin
bd0628f347 Merge "[RCS] Add service context of sepolicy of Context.TELEPHONY_IMS_SERVICE" 2019-11-07 03:26:08 +00:00
Ashwini Oruganti
0febe659aa Merge "Don't require seinfo for priv-apps" 2019-11-07 01:05:09 +00:00
Ashwini Oruganti
04f771dee4 Don't require seinfo for priv-apps
Relax the requirement to have both seinfo and name specified for
privapps. The original reason for requiring both was because, normally,
a package can only be uniquely specified by both name and signature,
otherwise package squatting could occur. However, privapps are
pre-installed, so the concerns about the potential for package squatting
are eliminated. This change will drastically simplify sepolicy
configuration for priv-apps.

Bug: 142672293
Test: Flashed a device with this build and verified
com.google.android.permissioncontroller still  runs in the
permissioncontroller_app domain.
Change-Id: I5bb2bf84b9db616c4492bd1402550821c70fdd07
2019-11-06 08:37:03 -08:00
James.cf Lin
b5a0c1c0a2 [RCS] Add service context of sepolicy of Context.TELEPHONY_IMS_SERVICE
Bug: 139260938
Test: Manual
Change-Id: I335a955ee7cc2b8e82acd2987c93076fc50dc20a
2019-11-06 21:17:23 +08:00
Treehugger Robot
20daed135d Merge "Update permissioncontroller_app domain rules" 2019-11-05 01:56:39 +00:00
Ashwini Oruganti
c557ca61dd Update permissioncontroller_app domain rules
Add some rules based on the SELinux denials observed.

Bug: 143905061
Bug: 142672293
Test: Green builds, no more denials for the 7 services added.
Change-Id: I27e4634cb1df03166e734f6c12c8cb9147568d72
2019-11-04 16:03:54 -08:00
Yifan Hong
73554435ed Merge "Allow snapshotctl to create ota_metadata_file." 2019-11-04 22:10:06 +00:00
Hector Dearman
5b43f023dc Merge "Allow Perfetto to log to statsd" 2019-11-04 13:04:11 +00:00
Hector Dearman
776a6169a0 Allow Perfetto to log to statsd
Denial:
10-31 21:17:11.150  8148  8148 W perfetto: type=1400 audit(0.0:135): avc: denied { write } for name="statsdw" dev="tmpfs" ino=33205 scontext=u:r:perfetto:s0 tcontext=u:object_r:statsdw_socket:s0 tclass=sock_file permissive=0

Bug: b/139351286
Test: adb shell perfetto -c :test --dropbox perfetto, watch logcat
  for denials
Change-Id: I401f1625212f85831ce54116271752578db29578
2019-11-04 12:23:27 +00:00
Jing Ji
861c3475f9 Allow system_server to read system_lmk_prop
System_server will read this property to determine if it should
expect the lmkd sends notification to it on low memory kills.

Bug: 136036078
Test: atest CtsAppExitTestCases:ActivityManagerAppExitInfoTest
Change-Id: Iff90f7d28dc7417994f5906333d58fb18cb4a04c
2019-11-01 17:45:45 -07:00
Peter Collingbourne
330ee2ca22 sepolicy: Allow system_server to use execmem in emulator builds with software rendering.
In emulator builds without OpenGL passthrough, we use software rendering
via SwiftShader, which requires JIT support. Therefore, we need to allow
system_server to use execmem so that it can run JITed code. These builds
are never shipped to users.

Bug: 142352330
Change-Id: I4d55b5a1b4ebae2fc8198ef66107c22bde41ad7e
2019-11-01 15:27:29 -07:00
Steven Moreland
a71c74c188 Merge "stable aidl vibrator policy" 2019-11-01 21:09:52 +00:00
Yifan Hong
070d35916f Allow snapshotctl to create ota_metadata_file.
When snapshotctl merge is called on sys.boot_completed
and /metadata/ota/state does not exist, it now tries
to initialize it by creating one.

Test: no selinux denials on boot
Bug: 143551390
Change-Id: I6ee268270e8f788d90610d7a1a90f252ea9baa3a
2019-11-01 11:55:54 -07:00
Chong Zhang
0ee3eecbfa allow mediaserver to access configstore
This is needed to use graphics RenderEngine, creation will
try to access configstore.

bug: 135717526
test: run MediaMetadataRetrieverTest, there shouldn't be any
avc denials in logcat.

Change-Id: Ie26ffe4844edd52684f254e77d9f515550dc82fb
2019-11-01 10:07:36 -07:00
Treehugger Robot
38c47f1bc0 Merge "dumpstate: reads ota_metadata_file" 2019-11-01 01:34:48 +00:00
David Anderson
69e3af2d70 Merge "Add fastbootd to the sys_rawio whitelist." 2019-10-31 20:20:39 +00:00
Ashwini Oruganti
9a85143b4d Merge "Create a separate domain for permissioncontroller" 2019-10-31 16:38:56 +00:00
Ashwini Oruganti
9bc81125ef Create a separate domain for permissioncontroller
This creates an SELinux domain for permissioncontroller and moves it out of the
priv_app SELinux domain.

Bug: 142672293
Test: Flashed a device with this build and verified
com.google.android.permissioncontroller runs in the
permissioncontroller_app domain.
Change-Id: Ieb2e4cb806d18aaeb2e5c458e138975d1d5b64fe
2019-10-30 14:59:12 -07:00
Steven Moreland
d87649c645 stable aidl vibrator policy
Bug: 141828236
Test: boot, dumpsys -l
Change-Id: Id3fc8724238883116e840794309efbf6c91226c9
2019-10-29 16:39:55 -07:00
Roshan Pius
8e9b37da04 Merge "sepolicy: Move wifi keystore HAL service to wificond" 2019-10-29 23:09:12 +00:00
Sudheer Shanka
c9d3f222e7 Add a new system service "blob_store".
Bug: 143559646
Test: manual
Change-Id: Id13566e9efc815f4a6ebb7228a1145aa91d6d526
2019-10-29 15:34:11 -07:00
Yifan Hong
91709db313 dumpstate: reads ota_metadata_file
Bug: 137757435
Test: bugreport
Change-Id: I72a7d1e01e2f4a050220f77d62e5592a14925e17
2019-10-29 14:29:54 -07:00
Treehugger Robot
1007f1b742 Merge "priv_app: supress more snet selinux denial on sysfs" 2019-10-29 10:08:49 +00:00
Roshan Pius
31f511ae08 sepolicy: Move wifi keystore HAL service to wificond
Bug: 142969896
Test: Verified connecting to passpoint networks.
Change-Id: Iac72b13e24f45bbf834d698cfcfd0fe9177a80d3
Merged-In: Iac72b13e24f45bbf834d698cfcfd0fe9177a80d3
2019-10-28 14:06:17 -07:00
David Anderson
74affd1403 Add fastbootd to the sys_rawio whitelist.
A similar problem was previously encountered with the boot control HAL
in bug 118011561. The HAL may need access to emmc to implement
set_active commands.

fastbootd uses the boot control HAL in passthru mode when in recovery,
so by extension, it needs this exception as well.

Bug: 140367894
Test: fastbootd can use sys_rawio
Change-Id: I1040e314a58eae8a516a2e999e9d4e2aa51786e7
2019-10-25 22:32:32 +00:00
Jeff Vander Stoep
90bd1de368 priv_app: supress more snet selinux denial on sysfs
Bug: 143294492
Test: build
Change-Id: I55c9baf7f55d9ab36bf1509ca466e0747c49567d
2019-10-25 11:28:40 +02:00
Yifan Hong
175a317083 Merge "Give dumpstate access to gsid." 2019-10-25 00:34:15 +00:00
Treehugger Robot
91e58ac87b Merge "sepolicy: Add iorap_prefetcherd rules" 2019-10-23 17:46:42 +00:00
Steven Moreland
3057643aef Merge "Service context for servicemanager." 2019-10-23 17:02:08 +00:00
Joel Galenson
4321551734 Cleanup: use binder_call macro.
Test: Compile.
Change-Id: Ic05ed96f50d5139b12a28565a0dc697476874a22
2019-10-22 13:08:10 -07:00
Igor Murashkin
9f74a428c4 sepolicy: Add iorap_prefetcherd rules
/system/bin/iorapd fork+execs into /system/bin/iorap_prefetcherd during
startup

See also go/android-iorap-security for the design doc

Bug: 137403231
Change-Id: Ie8949c7927a98e0ab757bc46230c589b5a496360
2019-10-22 12:45:46 -07:00
Shafik Nassar
6ff3c39b1f Merge "Add native flags namespace storage_native_boot" 2019-10-17 16:00:20 +00:00
Anna Trostanetski
e14e3bb21d Merge "Add rule for platform_compat_native service." 2019-10-17 13:19:59 +00:00
Chiachang Wang
336b68d68e Merge "Add permission for NetworkStack updatability" 2019-10-17 12:34:42 +00:00
Treehugger Robot
b49018d29c Merge "netlink_route_socket: add new nlmsg_readpriv perm" 2019-10-17 07:27:21 +00:00
Steven Moreland
48fbbbeae2 Service context for servicemanager.
Create a service context for manager itself and allow servicemanager to
register itself. This is so that tools like dumpsys can reference
servicemanager the same way they would reference other services.

That things can still get ahold of the servicemanager directly via
libbinder APIs since it is a context manager.

Bug: 136027762
Test: dumpsys -l
Change-Id: If3d7aa5d5284c82840ed1877b969572ce0561d2e
2019-10-16 16:31:42 -07:00
Dario Freni
aaebc33e40 Merge "Allow system server to read /vendor/apex." 2019-10-16 14:17:06 +00:00
Jeff Vander Stoep
fb69c8e64f netlink_route_socket: add new nlmsg_readpriv perm
Used when mapping RTM_GETLINK messages to this new permission.

Users of netlink_route_sockets that do not use the net_domain()
macro will need to grant this permission as needed. Compatibility
with older vendor images is preserved by granting all vendor domains
access to this new permission in *.compat.cil files.

Bug: 141455849
Test: build (this change is a no-op without kernel changes)
Change-Id: I18f1c9fc958120a26b7b3bea004920d848ffb26e
2019-10-16 16:14:16 +02:00
Orion Hodson
b4d7815fe4 Merge "Reland "sepolicy: rework ashmem_device permissions"" 2019-10-16 12:56:59 +00:00
Orion Hodson
ceaaa9b19f Merge "Reland "sepolicy: fix zygote JIT permissions w.r.t. ashmem"" 2019-10-16 12:56:59 +00:00
Dario Freni
4d3e9e7571 Allow system server to read /vendor/apex.
PackageManager needs to access these data to inspect APK signatures.

Test: installed apex.test under /vendor/apex and verified it is
recognized.
Change-Id: I657958631939d67ee04c0836001f52c212a0a35d
2019-10-16 12:45:38 +00:00
Florian Mayer
ede8b7e39d Merge "Allow Java domains to be Perfetto producers." 2019-10-16 12:37:09 +00:00
Gavin Corkery
59c02dc100 Merge "Add label for persist.pm.mock-upgrade" 2019-10-16 09:39:10 +00:00
Jeffrey Vander Stoep
dc560e0921 Merge "untrusted_app_25: remove access to net.dns properties" 2019-10-16 08:57:57 +00:00
Treehugger Robot
f0a9150deb Merge "file_contexts: Include legacy /system/vendor paths" 2019-10-16 06:53:13 +00:00
Tri Vo
b554a950f4 Reland "sepolicy: rework ashmem_device permissions"
Only allow apps targetting < Q and ephemeral apps to open /dev/ashmem.
Ephemeral apps are not distinguishable based on target API. So allow
ephemeral_app to open /dev/ashmem for compatibility reasons.

For sake of simplicity, allow all domains /dev/ashmem permissions other
than "open". Reason being that once we can remove "open" access
everywhere, we can remove the device altogether along with  other
permission.

Bug: 134434505
Test: boot crosshatch; browse internet, take picture;
no ashmem_device denials

Change-Id: Ie2464c23d799550722580a21b4f6f344983b43ba
2019-10-15 22:27:28 +00:00
Tri Vo
f25025f6ff Reland "sepolicy: fix zygote JIT permissions w.r.t. ashmem"
zygote now allocates JIT memory using libcutils API (aosp/1135101)
instead of going to /dev/ashmem directly, which requires execute
permissions to ashmem_libcutils_device.

Bug: 134434505
Change-Id: I3b5eeac1ec06d8d70da327743174ca83eec6b41c
Test: boot crosshatch
2019-10-15 22:26:56 +00:00
Ram Muthiah
dd8bc1b897 Merge "Revert "sepolicy: rework ashmem_device permissions"" 2019-10-15 22:14:55 +00:00
Ram Muthiah
f2d5dad65c Merge "Revert "sepolicy: fix zygote JIT permissions w.r.t. ashmem"" 2019-10-15 22:14:55 +00:00
Orion Hodson
5527d706c7 Revert "sepolicy: rework ashmem_device permissions"
This reverts commit d9dcea570c.

Reason for revert: http://b/142742451

Change-Id: If46d6dcbb5df21bad8b6a8215d8c21c6b6733476
2019-10-15 21:16:06 +00:00
Orion Hodson
09d9076513 Revert "sepolicy: fix zygote JIT permissions w.r.t. ashmem"
This reverts commit 7120b72a9b.

Reason for revert: http://b/142742451

Change-Id: Ib857e0a56a83c0466b92f944421e3bd11c9279b4
2019-10-15 21:15:44 +00:00
Jeff Vander Stoep
28903d9829 untrusted_app_25: remove access to net.dns properties
Bug: 33308258
Test: build
Test: atest CtsSelinuxTargetSdk25TestCases
Change-Id: I0bd3dc60dd95e9fb621933f45115a42bbcbc2ccc
2019-10-15 21:17:29 +02:00
Tri Vo
0ba37c9e81 Merge "bug_map: track mediaswcodec ashmem denial" 2019-10-15 17:08:43 +00:00
Tri Vo
145130670f bug_map: track mediaswcodec ashmem denial
Bug: 142679232
Test: n/a
Change-Id: Ie6a8e65ad175e2c2ab444381d3b05d0191cc0302
2019-10-15 09:57:55 -07:00
Tri Vo
bb77532a38 Merge changes from topic "ashmem_sepolicy"
* changes:
  sepolicy: fix zygote JIT permissions w.r.t. ashmem
  sepolicy: rework ashmem_device permissions
2019-10-14 19:33:24 +00:00
Gavin Corkery
b2f34bfa5a Add label for persist.pm.mock-upgrade
This property is used for testing purposes when verifying the
behavior when an OTA occurs. It should be readable by the
system server, and be settable by the shell.

Test: Set property from shell, read with PackageManager
Bug: 140992644
Change-Id: I39ad9b7961208f02fa45011215c2ff5ac03b7380
2019-10-14 18:09:11 +01:00
atrost
17a18faf63 Add rule for platform_compat_native service.
Bug: 138275545
Test: Call the service from dumpsys.cpp (http://aosp/1142055)
Change-Id: I259ceb5092d2f1d3e2130ea678ee7fb59cf9e6be
2019-10-14 16:22:55 +01:00
Treehugger Robot
e1aa506b0d Merge "overlayfs: deflake presubmit tests" 2019-10-14 10:52:53 +00:00
Jeff Vander Stoep
ee036a9fc4 overlayfs: deflake presubmit tests
Bug: 142390309
Test: build
Change-Id: Ibf12d5acba39436cf79b7eb3a1fbadb2296b68c4
2019-10-14 11:20:50 +02:00
Chiachang Wang
e063585bbf Add permission for NetworkStack updatability
NetworkStack will need to use netlink_tcpdiag_socket to get tcp
info. In order to support updatability for NetworkStack as it's
a mainline module, get the information from kernel directly to
reduce the dependecy with framework.

Test: Build and test if NetworkStack can get the tcp_info without
SEPolicy exception
Bug: 136162280

Change-Id: I8f584f27d5ece5e97090fb5fafe8c70c5cbbe123
2019-10-12 21:21:10 +09:00
Florian Mayer
5e52281372 Allow Java domains to be Perfetto producers.
This is needed to get Java heap graphs.

Test: flash aosp; profile system_server with setenforce 1

Bug: 136210868

Change-Id: I87dffdf28d09e6ce5f706782422510c615521ab3
2019-10-10 10:40:26 +01:00
Tri Vo
7120b72a9b sepolicy: fix zygote JIT permissions w.r.t. ashmem
zygote now allocates JIT memory using libcutils API (aosp/1135101)
instead of going to /dev/ashmem directly, which requires execute
permissions to ashmem_libcutils_device.

Bug: 134434505
Test: boot crosshatch
Change-Id: I0a54d64bd4656fafd2f03701d7828cfa94c08f04
2019-10-08 11:31:46 -07:00
Tri Vo
d9dcea570c sepolicy: rework ashmem_device permissions
Only allow apps targetting < Q and ephemeral apps to open /dev/ashmem.
Ephemeral apps are not distinguishable based on target API. So allow
ephemeral_app to open /dev/ashmem for compatibility reasons.

For sake of simplicity, allow all domains /dev/ashmem permissions other
than "open". Reason being that once we can remove "open" access
everywhere, we can remove the device altogether along with  other
permission.

Bug: 134434505
Test: boot crosshatch; browse internet, take picture;
no ashmem_device denials
Change-Id: Ib4dddc47fcafb2697795538cdf055f305fa77799
2019-10-07 14:13:35 -07:00
Bill Peckham
d0dc1a057d Moving recovery resources from /system to /vendor
This change is part of a topic that moves the recovery resources from the
system partition to the vendor partition, if it exists, or the vendor directory
on the system partition otherwise. The recovery resources are moving from the
system image to the vendor partition so that a single system image may be used
with either an A/B or a non-A/B vendor image. The topic removes a delta in the
system image that prevented such reuse in the past.

The recovery resources that are moving are involved with updating the recovery
partition after an update. In a non-A/B configuration, the system boots from
the recovery partition, updates the other partitions (system, vendor, etc.)
Then, the next time the system boots normally, a script updates the recovery
partition (if necessary). This script, the executables it invokes, and the data
files that it uses were previously on the system partition. The resources that
are moving include the following.

* install-recovery.sh
* applypatch
* recovery-resource.dat (if present)
* recovery-from-boot.p (if present)

This change includes the sepolicy changes to move the recovery resources from
system to vendor. The big change is renaming install_recovery*.te to
vendor_install_recovery*.te to emphasize the move to vendor. Other changes
follow from that. The net result is that the application of the recovery patch
has the same permissions that it had when it lived in system.

Bug: 68319577
Test: Ensure that recovery partition is updated correctly.
Change-Id: If29cb22b2a7a5ce1b25d45ef8635e6cb81103327
2019-10-04 14:40:27 -07:00
shafik
55a54d3ff9 Add native flags namespace storage_native_boot
Grant SEPolicy write permissions for device_config_storage_native_boot.

Test: build and flash - device successfully boots
Bug: 140803239
Change-Id: I6e4f5889aee9384b47faacb31e2b1938250428ef
2019-10-04 11:05:48 +00:00
Tri Vo
f53c57287d Merge "sepolicy: fix missing label on vendor_service_contexts" 2019-10-03 22:29:53 +00:00
Felix
e6a3c9929b file_contexts: Include legacy /system/vendor paths
Probably flew under the radar because Google only tests on devices that
include devices with a physical /vendor partition.

Test: "make selinux_policy", confirm correct labels on a legacy device

Change-Id: I1aa856c6e3774912d1f4c0a09bbc2d174016f59d
Signed-off-by: Felix <google@ix5.org>
2019-10-03 22:34:19 +02:00
Tri Vo
e10ff1e709 Merge "sepolicy: allow zygote to use ashmem fds" 2019-10-03 19:43:48 +00:00
Yifan Hong
8cbaad3e4c Merge changes Idfe99d40,I3cba28cc,Ibd53cacb
* changes:
  Add rules for snapshotctl
  dontaudit update_engine access to gsi_metadata_file.
  update_engine: rules to apply virtual A/B OTA
2019-10-03 18:58:07 +00:00
Treehugger Robot
2641969674 Merge "sepolicy(wifi): Allow audio service access from wifi" 2019-10-03 17:53:22 +00:00
Roshan Pius
386cf9d957 sepolicy(wifi): Allow audio service access from wifi
Denial log:
10-03 13:37:05.726   603   603 I auditd  : avc:  denied  { find }
for pid=5443 uid=1073 name=media.audio_policy scontext=u:r:network_stack:s0
`1tcontext=u:object_r:audioserver_service:s0 tclass=service_manager permissive=0

Bug: 142053371
Bug: 135691051
Test: Device boots up and connects to network. No selinux denial seen
from network_stack

Change-Id: I0907504d02c987398467148c26a0847b5f8a7a8c
2019-10-03 08:19:17 -07:00
Roshan Pius
2a6c860a94 Merge "wifi_stack: Move to network_stack process" 2019-10-03 01:26:07 +00:00
Yifan Hong
f375337cc8 Add rules for snapshotctl
snapshotctl is a shell interface for libsnapshot. After rebooting
into an updated build, on sys.boot_completed, init calls
snapshotctl to merge snapshots. In order to do that, it needs to:
  - Talk to gsid to mount and unmount COW images
  - read the current slot suffix to do checks (and avoid merging
    snapshots when it shouldn't).
  - read / write OTA metadata files to understand states of
    the snapshot
  - delete OTA metadata files once a snapshot is merged
  - collapse the snapshot device-mapper targets into a plain
    dm-linear target by re-mapping devices on device-mapper

Test: reboot after OTA, see merge completed without denials
Bug: 135752105

Change-Id: Idfe99d4004e24805d56cd0ab2479557f237c2448
2019-10-02 16:30:00 -07:00
Tri Vo
08bf97db8c sepolicy: allow zygote to use ashmem fds
Ashmem FD selinux labels have recently been changed (aosp/1127917) from
"ashmemd" to the label of the whichever process opens the fd, which
resulted in the following denial:

avc: denied { use } for
path="/dev/ashmemf5dc2dbf-d1e7-457e-b694-93c84704135e" dev="tmpfs"
ino=18972 ioctlcmd=0x7704 scontext=u:r:zygote:s0
tcontext=u:r:system_server:s0 tclass=fd permissive=1

Test: m selinux_policy
Change-Id: I4880420014bda21cd4f83e3d6190c3cfaa76822f
2019-10-02 15:25:48 -07:00
David Anderson
14eaa6c3de Give dumpstate access to gsid.
Bug: 140204341
Test: dumpstate
Change-Id: If06e334ade2c4bab8ca6726747aa6d30f4fe4ad6
2019-10-02 15:18:01 -07:00
Yifan Hong
07a99e16e4 update_engine: rules to apply virtual A/B OTA
- /data/gsi/ota/* now has the type ota_image_data_file. At runtime
  during an OTA, update_engine uses libsnapshot to talk to gsid
  to create these images as a backing storage of snapshots. These
  "COW images" stores the changes update_engine has applied to
  the partitions.
  If the update is successful, these changes will be merged to the
  partitions, and these images will be teared down. If the update
  fails, these images will be deleted after rolling back to the
  previous slot.

- /metadata/gsi/ota/* now has the type ota_metadata_file. At runtime
  during an OTA, update_engine and gsid stores update states and
  information of the created snapshots there. At next boot, init
  reads these files to re-create the snapshots.

Beside these assignments, this CL also allows gsid and update_engine
to have the these permissions to do these operations.

Bug: 135752105
Test: apply OTA, no failure
Change-Id: Ibd53cacb6b4ee569c33cffbc18b1b801b62265de
2019-10-02 12:46:47 -07:00
Roshan Pius
1086c7d71d wifi_stack: Move to network_stack process
The wifi stack APK will run inside the network_stack process. So, move
the sepolicy rules for wifi stack inside the network stack rules.

Bug: 135691051
Test: Manual tests
- manual connect to wifi networks
- Remove networks
Test: Will send for ACTS wifi regression testing
Change-Id: I9d5da80852f22fa1d12b2dbbc76b9e06c1275310
(cherry-picked from b83abf7af3df64e0d3c1b22548f2344b55aece28)
2019-10-02 11:49:43 -07:00
Treehugger Robot
2b23101ee5 Merge "Allow platform signed apps to access platform_compat service" 2019-10-02 16:49:40 +00:00
Treehugger Robot
f9d23a0dd2 Merge "Allow fsverity_init to load key from keystore" 2019-10-02 16:17:47 +00:00
Treehugger Robot
cc3f943436 Merge "Mark mediacodec_2{6,7,8} as hal_omx_server" 2019-10-02 01:50:32 +00:00
Treehugger Robot
977b097fbf Merge "SEPolicy changes to allow vendor BoringSSL self test." 2019-10-01 22:38:19 +00:00
Tri Vo
3e70db526e sepolicy: fix missing label on vendor_service_contexts
Vendors can publish services with servicemanager only on non-Treble
builds. vendor_service_contexts is not meant to be read by
servicemanager.

5bccbfefe4/public/servicemanager.te (22)

Bug: 141333155
Test: create /vendor/etc/selinux/vendor_service_contexts and make sure it is
correctly labeled.
Change-Id: Ib68c50e0cdb2c39f0857a10289bfa26fa11b1b3c
2019-10-01 15:23:27 -07:00
Pierre-Hugues Husson
1019870fba Mark mediacodec_2{6,7,8} as hal_omx_server
The commit 7baf725ea6 broke OMX on O/O-MR1(/P?) vendors.
Previous to this commit, all OMX codecs had to use "mediacodec" type,
after this commit, omx codecs just had to get hal_omx_server attribute.
This commit left to the vendor the charge of adding "hal_omx_server"
attribute to mediacodec.

However this can't work on non-Q vendors.

On P vendor, versioned_plat_pub contains the appdomain <=> mediacodec
allows, so OMX isn't technically broken on those devices.
But to ensure it won't break in the future, mark 28's mediacodec as
hal_omx_server as well

This fixes broken OMX decoding on O/O-MR1 vendors, failing with the
following denial:
avc: denied { call } for comm=4E444B204D65646961436F6465635F scontext=u:r:platform_app:s0:c512,c768 tcontext=u:r:mediacodec:s0 tclass=binder permissive=0

Bug: 141186440

Change-Id: I018f8d9aabc77e7ea86ca14734b1ab2edfdf8ed1
2019-10-01 20:48:01 +00:00
Tri Vo
b398dbb9ea Merge "sepolicy: remove ashmemd" 2019-10-01 16:22:57 +00:00
Pete Bentley
90eb9b0e04 SEPolicy changes to allow vendor BoringSSL self test.
Introduces new domain vendor_boringssl_self_test and runs
/vendor/bin/boringssl_self_test(32|64) in it. New domain
required because boringssl_self_test needs to be in
coredomain in order to reboot the device, but vendor code
may not run in coredomain.

Bug: 141150335
Test: flashall && manually verify no selinux errors logged and that
    four flag files are created in /dev/boringssl, two by the
    system self tests and two by the vendor.

Change-Id: I46e2a5ea338eddacdfd089f696295dbd16795c5a
2019-10-01 14:14:36 +01:00
Robert Shih
75c0fa4517 Merge "Allow apps to access hal_drm" 2019-09-30 18:08:32 +00:00
Florian Mayer
d54f4487bc Merge "Allow shell to unlink perfetto_traces_data_file." 2019-09-30 17:40:01 +00:00
Eric Biggers
35cd1c6f37 Merge "Allow shell to get encryption policy for CTS" 2019-09-30 17:14:29 +00:00
Florian Mayer
c069bc134e Allow shell to unlink perfetto_traces_data_file.
Bug: 141704436
Test:
blueline:/ $ ls -lZa /data/misc/perfetto-traces
total 186
drwxrwx-wx  2 root   shell u:object_r:perfetto_traces_data_file:s0    3488 2019-09-30 14:12 .
drwxrwx--t 46 system misc  u:object_r:system_data_file:s0             3488 2019-09-30 14:08 ..
-rw-------  1 shell  shell u:object_r:perfetto_traces_data_file:s0  180467 2019-09-30 14:12 profile-shell
blueline:/ $ rm /data/misc/perfetto-traces/profile-shell
rm ro /data/misc/perfetto-traces/profile-shell (y/N):y
blueline:/ $ ls -lZa /data/misc/perfetto-traces
total 6
drwxrwx-wx  2 root   shell u:object_r:perfetto_traces_data_file:s0  3488 2019-09-30 14:13 .
drwxrwx--t 46 system misc  u:object_r:system_data_file:s0           3488 2019-09-30 14:08 ..
blueline:/ $


Change-Id: Ia710068c3cca53a415347fb0a7064740e500d15d
2019-09-30 13:13:14 +00:00
Robert Shih
f58be478de Allow apps to access hal_drm
Bug: 134787536
Test: MediaDrmClearkeyTest#testClearKeyPlaybackCenc
Change-Id: I931ccdfa3b78c7210f9f94e94b48d2d6908a371d
Merged-In: I931ccdfa3b78c7210f9f94e94b48d2d6908a371d
2019-09-30 04:51:24 +00:00
Treehugger Robot
3cda2d5c2b Merge changes from topic "system_ext_sepolicy"
* changes:
  Separate system_ext_mac_permissions.xml out of system sepolicy.
  Separate system_ext_service_contexts out of system sepolicy.
  Separate system_ext_property_contexts out of system sepolicy.
  Separate system_ext_hwservice_contexts out of system sepolicy.
  Separate system_ext_seapp_contexts out of system sepolicy.
  Separate system_ext_file_contexts out of system sepolicy.
  Separate system_ext_sepolicy.cil out of system sepolicy
2019-09-28 00:28:57 +00:00
Eric Biggers
b57af5d0e6 Allow shell to get encryption policy for CTS
Allow the shell domain to use the FS_IOC_GET_ENCRYPTION_POLICY and
FS_IOC_GET_ENCRYPTION_POLICY_EX ioctls so that we can write a CTS test
which checks that the device complies with the CDD requirements to use
appropriate algorithms for file-based encryption.

The information returned by these ioctls is already available in logcat,
but scraping the log for a CTS test seems fragile; I assume that people
would prefer a more robust solution.

For more details see change I9082241066cba82b531e51f9a5aec14526467162

Bug: 111311698
Test: the CTS test works after this change.
Change-Id: Ib9ce6b42fcfb6b546eb80a93ae8d17ac5a433984
2019-09-27 15:24:27 -07:00
Tri Vo
bfcddbe25e sepolicy: remove ashmemd
Bug: 139855428
Test: m selinux_policy
Change-Id: I8d7f66b16be025f7cb9c5269fae6fd7540c2fdc9
2019-09-27 17:43:53 +00:00
Victor Hsieh
369d35d531 Allow fsverity_init to load key from keystore
Also, since fsverity_init has been rewriten in C++, shell execution is no
longer needed.

Test: no denial is generated
Bug: 112038744
Change-Id: I7e409cadd68cb6d5d8557a126a3b9e78063190be
2019-09-26 11:05:20 -07:00
Treehugger Robot
e612ecd6ed Merge "sepolicy: ashmem entry point for libcutils" 2019-09-26 17:56:53 +00:00
Bowgo Tsai
a3429fcc2b Separate system_ext_mac_permissions.xml out of system sepolicy.
Bug: 137712473
Test: boot crosshatch
Test: Moving product sepolicy to system_ext and checks the file contents in
      /system_ext/etc/selinux are identical to previous contents in
      /product/etc/selinux.
Change-Id: I434e7f23a1ae7d01d084335783255330329c44e9
2019-09-26 21:29:36 +08:00
Bowgo Tsai
9823116355 Separate system_ext_service_contexts out of system sepolicy.
Bug: 137712473
Test: boot crosshatch
Change-Id: If483e7a99dc07f082dd0ecd0162a54140a3267de
2019-09-26 21:29:30 +08:00
Bowgo Tsai
1864cd02fc Separate system_ext_property_contexts out of system sepolicy.
Bug: 137712473
Test: boot crosshatch
Change-Id: I27db30edfd9948675793fdfec19081288f8017eb
2019-09-26 21:29:22 +08:00
Bowgo Tsai
241d36eedd Separate system_ext_hwservice_contexts out of system sepolicy.
Bug: 137712473
Test: boot crosshatch
Change-Id: Ic5774da74e200b9d7699ac2240a12e7616dc512a
2019-09-26 21:29:15 +08:00
Bowgo Tsai
7bc47f4ba7 Separate system_ext_seapp_contexts out of system sepolicy.
Bug: 137712473
Test: boot crosshatch
Change-Id: I2c2acbcf234861feb39834c867a4eb74c506692d
2019-09-26 21:29:05 +08:00
Bowgo Tsai
86a048d4df Separate system_ext_file_contexts out of system sepolicy.
Bug: 137712473
Test: boot crosshatch
Change-Id: I09f63771d08ad18fb41fca801dd587b086be58c7
2019-09-26 21:28:07 +08:00
Tom Cherry
38dfd3080a Merge changes from topic "boringssl-kmsg"
* changes:
  Redirect boringssl_self_test stdio to kmsg
  allow init to open kmsg_debug
2019-09-25 19:56:03 +00:00
Tri Vo
a7f61021b7 sepolicy: ashmem entry point for libcutils
This duplicated ashmem device is intended to replace ashmemd.

Ashmem fd has a label of the domain that opens it. Now with ashmemd
removed, ashmem fds can have labels other than "ashmemd", e.g.
"system_server". We add missing permissions to make ashmem fds usable.

Bug: 139855428
Test: boot device
Change-Id: Iec8352567f1e4f171f76db1272935eee59156954
2019-09-25 11:26:18 -07:00
Treehugger Robot
4ab718a216 Merge "Update bug_map to explicitly have the b/ prefix" 2019-09-24 21:50:58 +00:00
Tom Cherry
80b85f0ecd Redirect boringssl_self_test stdio to kmsg
To aid in debugging if there are failures.

Bug: 137267623
Test: add prints to boringssl_self_test and see them
Change-Id: I34b20225514898911b3f476d4517430433eb379e
2019-09-24 12:45:57 -07:00
Treehugger Robot
3af73fdf1f Merge "Allow dumpstate to call incident CLI" 2019-09-24 01:01:31 +00:00
Ashwini Oruganti
a661148bc0 Update bug_map to explicitly have the b/ prefix
This is part of a series of updates to bug_map across all of android
tree.

Bug: 141014771
Test: Generated a denial, verified that the bug id in the dmesg logs
remains unchanged.

Change-Id: I852e8ac38a162cc074232f15d919212548d485bf
2019-09-23 14:28:07 -07:00
Tao Bao
987aa96d30 install_recovery no longer needs to access /cache.
applypatch (called by install_recovery) used to back up the source
partition to /cache when installing the recovery image on non-A/B
devices. The change from the same topic drops the backup behavior.

The access to /cache was also the reason for having dac_override_allowed
(applypatch runs as root:root, while /cache is owned by system:cache
with 0770).

Bug: 68319577
Test: Invoke the code that installs recovery image; check that recovery
      is installed successfully without denials.
Change-Id: I0533ba82260d0adb23b328e6eef8bd6dda3d0439
2019-09-23 11:35:47 -07:00
Treehugger Robot
93b9db56aa Merge "app_zygote need access to oem partition" 2019-09-20 12:22:20 +00:00
Andrei Onea
87c885b135 Allow platform signed apps to access platform_compat service
This exception is needed for overriding gated changes in tests.
Bug: 140367850
Test: http://aosp/1113771
Change-Id: I2a76f92fe06c1c759a537dea7539a8899f02b15e
2019-09-13 12:38:37 +01:00
Pete Bentley
aada820069 Revert "SEPolicy: dontaudit attempts to create marker files."
This reverts commit a9b718a1ed.

Reason for revert: No longer be necessary after
http://r.android.com/1120246 lands as this causes BoringSSL to only write
flag files if a particular environment variable is set, and this variable
will only be set for the self test binaries which have permission to
write to /dev/boringssl.

Bug: 140918050
Test: Manually observed audit log after change
Change-Id: I851f4aea991d91c67b64535829eea5b9594a3e2c
2019-09-13 12:25:13 +01:00
Tobias Thierer
a9b718a1ed SEPolicy: dontaudit attempts to create marker files.
Binaries other than boringssl_self_test_exec are not allowed
to create marker files /dev/boringssl/selftest/[hash].

Right now, some processes still attempt to because:
 - Some binaries run so early during early-init that
   boringssl_self_test{32,64} hasn't had a chance to
   run yet, so the marker file doesn't exist yet, so
   the unprivileged process attempts to create it.
 - Some binaries statically link libcrypto so their
   [hash] is different from that used by
   boringssl_self_test{32,64}.

There's some ongoing work to stop those binaries even
attempting to create the marker files but it's not a
big deal if they do. Similarly, there is ongoing work
to minimize or eliminate static linking of this library.

For now, this CL turns off audit logs for this behavior
since it is harmless (a cosmetic issue) and in order to
not hold up the bulk of the logic being submitted.

Bug: 137267623
Test: Treehugger

Change-Id: I3de664c5959efd130f761764fe63515795ea9b98
2019-09-11 19:37:40 +01:00
Henrik Baard
8c94186ca5 app_zygote need access to oem partition
app_zygote used by for example Google Chrome needs access
to at least search /oem partition.

Google chrome version: 76.0.3809.132 is running in app_zygote
and the following access is blocked by selinux causing Chrome
to hang.

avc:  denied  { search } for  pid=813 comm="d.chrome_zygote"
name="/" dev="sda42" ino=2 scontext=u:r:app_zygote:s0:c214,c256,c512,c768
tcontext=u:object_r:oemfs:s0 tclass=dir permissive=0 ppid=798
pcomm="d.chrome_zygote" pgid=798 pgcomm="d.chrome_zygote"

Change-Id: Idcce1a5ad1a8be3d7bd057c12ec477baa9669235
2019-09-11 13:31:12 +02:00
David Anderson
ff8cd0bee9 Merge "Give dumpstate access to run lpdump." 2019-09-10 21:36:39 +00:00
Treehugger Robot
535d297a5f Merge "Root of /data belongs to init (re-landing)" 2019-09-10 04:14:17 +00:00
David Anderson
dc2a7873bd Give dumpstate access to run lpdump.
Bug: 140204341
Test: adb bugreport
Change-Id: I33e544dfced7589e995223cc88084f2849efe18b
2019-09-09 17:33:20 -07:00
Treehugger Robot
aa31e64e83 Merge "Access to HALs from untrusted apps is blacklist-based" 2019-09-10 00:22:07 +00:00
Paul Crowley
aed0f76ee9 Root of /data belongs to init (re-landing)
Give /data itself a different label to its contents, to ensure that
only init creates files and directories there.

This change originally landed as aosp/1106014 and was reverted in
aosp/1116238 to fix b/140402208. aosp/1116298 fixes the underlying
problem, and with that we can re-land this change.

Bug: 139190159
Bug: 140402208
Test: aosp boots, logs look good
Change-Id: I1a366c577a0fff307ca366a6844231bcf8afe3bf
2019-09-09 14:42:01 -07:00