16d61d0383
Bug: 175345910
Bug: 171429297
Exempt-From-Owner-Approval: re-landing topic with no changes in this CL.
Change-Id: I1352c6b46b007dba3448b3c9cbdf454d7862a176
user_profile_data_file is mlstrustedobject. And it needs to be,
because we want untrusted apps to be able to write to their profile
files, but they do not have levels.
But now we want to apply levels in the parent directories that have
the same label, and we want them to work so they need to not be
MLS-exempt. To resolve that we introduce a new label,
user_profile_root_file, which is applied to those directories (but no
files). We grant mostly the same access to the new label as
directories with the existing label.
Apart from appdomain, almost every domain which accesses
user_profile_data_file, and now user_profile_root_file, is already
mlstrustedsubject and so can't be affected by this change. The
exception is postinstall_dexopt which we now make mlstrustedobject.
Bug: 141677108
Bug: 175311045
Test: Manual: flash with wipe
Test: Manual: flash on top of older version
Test: Manual: install & uninstall apps
Test: Manual: create & remove user
Test: Presubmits.
Change-Id: I4e0def3d513b129d6c292f7edb076db341b4a2b3
This is the service offered by Keystore 2.0 to provide APC service to
application. It was formerly part of the IKeystoreService interface.
Not it is an interface in ints own right.
Test: Keystore 2.0 can register the apc service interface.
Apps can lookup and call this interface.
Bug: 159341464
Change-Id: I058adf0021d9b89f4eac7534e366c29071f0f98b
- Update policy for new system service, used for Launcher/Apps to
fetch and render search results in their UI.
Bug: 162234997
Test: manual verification ($ adb shell service list)
Reference CL: aosp/831251
Change-Id: If3ae22aa2ad1d13aeac3dfefc5244db4b1734d96
The updatable and non-updatable permission manager cannot share one
AIDL, so we need to create a new system service for the non-updatable
legacy one, and add the SELinux policy for it.
Bug: 158736025
Test: presubmit
Change-Id: Ief8da6335e5bfb17d915d707cf48f4a43332f6ae
Define access rights to new per-API level task profiles and cgroup
description files under /etc/task_profiles/.
Bug: 172066799
Test: boot with per-API task profiles
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I04c9929fdffe33a9fc82d431a53f47630f9dcfc3
One day we won't need this mechanism any more & can remove all traces
of it.
Bug: 141677108
Test: builds
Change-Id: I95525a163ab4f19d8ca411c02a3c06498c6777ef
Restrict access to controlling snapuserd via ctl properties. Allow
update_engine to control snapuserd, and connect/write to its socket.
update_engine needs this access so it can create the appropriate dm-user
device (which sends queries to snapuserd), which is then used to build
the update snapshot.
This also fixes a bug where /dev/dm-user was not properly labelled. As a
result, snapuserd and update_engine have been granted r_dir_perms to
dm_user_device.
Bug: 168554689
Test: full ota with VABC enabled
Change-Id: I1f65ba9f16a83fe3e8ed41a594421939a256aec0
These are read by some apps, but don't have any corresponding property
contexts. This adds a new context as we're going to remove default_prop
access.
Bug: 173360450
Test: no sepolicy denials
Change-Id: I9be28d8e641eb6380d080150bee785a3cc304ef4
We no longer allow apps with mlstrustedsubject access to app_data_file
or privapp_data_file. For compatibility we grant access to all apps on
vendor images for SDK <= 30, whether mlstrustedsubject or not. (The
ones that are not already have access, but that is harmless.)
Additionally we have started adding categories to system_data_file
etc. We treat these older vendor apps as trusted for those types only.
The result is that apps on older vendor images still have all the
access they used to but no new access.
We add a neverallow to prevent the compatibility attribute being
abused.
Test: builds
Change-Id: I10a885b6a122292f1163961b4a3cf3ddcf6230ad
We want to tweak some device params at runtime via shell (alleviates the
need to recompile HAL for changing device configuration). This will help
us test/teamfood couple of new features under development.
Bug: 173044646
Test: Wifi HAL can read persist.vendor.debug.wifi properties.
Change-Id: Iabd07e72aa5f0d97519a37d0ebb1e0a3458b6d06
Any partitions should be able to write this property with build.prop.
This adds a new context for ro.product.property_source_order so it can
be set from any build.prop, e.g. vendor/build.prop, product/build.prop,
etc.
Bug: 172459064
Test: PRODUCT_VENDOR_PROPERTIES can set this property
Change-Id: Ibf85a4ad02d8454f621428b271e8e298067aa126
Currently default_prop is readable by coredomain and appdomain. That's
too broad, and we are going to restrict the access so every property
should be added to property_contexts.
This adds some missing properties to property_contexts. Newly added
property contexts are:
- wrap.*: used by zygote to give arguments. It's assigned as
zygote_wrap_prop, and will be readable from coredomain.
- partition.{mount_name}.verified: used by dm-verity. It's assigned as
vertiy_status_prop, and will only be accessible from init.
- (ro.)?setupwizard.*: used by setup wizard. It's assigned as
setupwizard_prop, and will be readable from coredomain.
Other properties, such as ro.gfx.*, media.stagefright.*,
ro.storage_manager.* are also added to existing contexts.
Bug: 170590987
Test: boot crosshatch and see no denials
Change-Id: Ife9d69a62ee8bd7395a70cd104271898c8a72540
Test: ls -lZ /sys/kernel/tracing/printk_formats
[...] u:object_r:debugfs_tracing_printk_formats:s0 [...]
Test: setenforce 0;
runcon u:r:system_server:s0 cat /sys/kernel/tracing/printk_formats
logcat complains about /sys/kernel/tracing/printk_formats
Test: setenforce 0;
runcon u:r:traced_probes:s0 cat /sys/kernel/tracing/printk_formats
logcat does not complain about /sys/kernel/tracing/printk_formats
(need to setenforce 0, because otherwise the exec of ls is denied).
Bug: 70292203
Change-Id: I15ddef686f979c59daaba5263fa99aca3cd139e5
The suspend_control_aidl_interface is updated, renamed, and splitted
into android.system.suspend.control and
android.system.suspend.control.internal. This resulted in two suspend
services, update sepolicy to support this change.
Test: m
Bug: 171598743
Change-Id: I695bde405672af834fe662242347e62079f2e25f
dm-user is a new device-mapper module, providing a FUSE-like service for
block devices. It creates control nodes as misc devices under
/dev/dm-user/. Make sure these nodes get a unique selabel.
snapuserd is a daemon for servicing requests from dm-user. It is a
low-level component of Virtual A/B updates, and provides the bridge
betewen dm-snapshot and the new COW format. For this reason it needs
read/write access to device-mapper devices.
Bug: 168259959
Test: ctl.start snapuserd, no denials
vts_libsnapshot_test, no denials
Change-Id: I36858a23941767f6127d6fbb9e6755c68b91ad31
This property controls the minimal timing window that triggers init
process fatal abort, when the zygote service crashes repeatedly in it.
Bug: 146818493
Change-Id: Ibd371be0daf6510df8b4d1a1f12f0aab8d6392c7
This CL allows the traced_probes service to temporarily
lower kptr_restrict and read /proc/kallsyms.
This is allowed only on userdebug/eng builds.
The lowering of kptr_restrict is done via an init
property because the kernel checks that the kptr_restrict
writer is CAP_SYS_ADMIN, regardless of the /proc file ACLs [1].
[1] 4cbffc461e/kernel/sysctl.c (L2254)
Bug: 136133013
Design doc: go/perfetto-kallsyms
Test: perfetto_integrationtests --gtest_filter=PerfettoTest.KernelAddressSymbolization in r.android.com/1454882
Change-Id: Ic06e7a9a74c0f3e42fa63f7f41decc385c9fea2c
It will be used to dump system_server data that is not associated
with any service.
Test: adb shell dumpsys system_server
Bug: 163921395
Change-Id: I5719f7cd3a9022dc0ab12a3b3b22487e2b4866e0
This re-alignes aosp and internal master to avoid
conflicts when uploading CLs upstream.
Bug: 170126760
Change-Id: I9c087e70998cd529b71dec7428641c4bfef10d31
This is to support the addition of the device state manager service and
its associated binder service.
Test: Manual - Modify policy and verify binder service can be published.
Fixes: 170034199
Change-Id: Id63cb1db3ee80ec699e98443457c113d6be809fe
This patch adds the requisite permissions for the VcnManagementService.
Bug: 163431877
Test: Compiles, boots, FrameworksNetTests passes
Change-Id: I6e03ee798027b28f67d60c6e4280fb3410ec94c4
The framework_watchdog_config_prop properties control framework watchdog
configurations to handle watchdog timeout loop. The properties are
written only by vendor_init.
More details and background: go/break-sys-watchdog-loop
Bug: 141948707
Change-Id: I6c0da5fdafba8165e79d0f04e0a82874f605a06d
/boot/etc/build.prop is a file available at first_stage_init to
be moved into /second_stage_resources.
The file is only read by first_stage_init before SELinux is
initialized. No other domains are allowed to read it.
Test: build aosp_hawk
Test: boot and getprop
Bug: 170364317
Change-Id: I0f8e3acc3cbe6d0bae639d2372e1423acfc683c7
In addition, allow shell to read this property.
Test: getprop -Z
Test: cts-tradefed run cts -m CtsGestureTestCases
and check /sdcard/device-info-files/PropertyDeviceInfo.deviceinfo.json
Bug: 169169031
Change-Id: Ib71b01bac326354696e159129f9dea4c2e918c51
This will allow SystemServer to add the new vibrator manager service.
Bug: 166586119
Test: manually build and install on test device
Change-Id: I496f46e2f5482aaa7bfba31d6c6b2967486941cc
