apexd uses realpath(3) to ensure that the public key file that will use
is under /system/etc/security/apex directory. In order to support it,
allow apexd to getattr on apex_key_files.
The canonicalization is required because the key name from APEX might be
wrong. For example, if the key name from an APEX is '../../some/path'
then apexd will use '/system/etc/security/apex/../../some/path' as the
public key file, which is incorrect.
Bug: 115721587
Test: m apex.test; m
/apex/com.android.example.apex@1 exists
Change-Id: I6dc5efa0de369f8497e4f6526e0164e2de589c67
Input config should be under /odm when it's "device-specific",
instead of /vendor (for "SoC-specific").
However, not all device have /odm partition so having the fallback
symlink: /odm -> /vendor/odm is important
Bug: 112880217
Test: build
Change-Id: I294e2b172d06d58a42c51c128e448c7644f854dc
Add a service in mediaswcodec to load updated codecs,
and restrict it to userdebug/eng. Reuse existing
mediaextractor_update_service since the codec update
service is identical, this avoids adding a new one
for now as we may not need the service anymore
after switching to APEX.
Bug: 111407413
Bug: 117290290
Change-Id: Ia75256f47433bd13ed819c70c1fb34ecd5d507b4
This does not actually grant any permissions but just adds the
necessary boilerplate for a new service.
Bug: 117762471
Bug: 117761873
Change-Id: I7cdd2ae368616cfd54fc685c15f775604bfc80d4
same_process_hal_file is exempted from many Treble neverallows. We want
to know which processes access this type to eventually constrain access
to it.
Bug: 37211678
Test: m selinux_policy
Change-Id: I61c0df21250eb1b1ae2d9c5fa9c801a828539813
We add this type with the intent to expose /system/bin/tcpdump to
vendor on userdebug devices only.
Bug: 111243627
Test: device boots /system/bin/tcpdump correctly labeled as
tcpdump_exec, can browse internet, turn wifi on/off
Change-Id: Icb35e84c87120d198fbb2b44edfa5edf6021d0f0
Input device configuration files .idc, .kl that are placed in /vendor
are currently not accessible.
Allow the read access here.
Bug: 112880217
Test: move .idc and .kl files from /system to /vendor, then observe
logcat. With this patch, avc denials disappear.
Change-Id: I72ad62b9adf415f787565adced73fd8aaff38832
Set up a new service for sw media codec services.
Bug: 111407413
Test: cts-tradefed run cts-dev --module CtsMediaTestCases --compatibility:module-arg CtsMediaTestCases:include-annotation:android.platform.test.annotations.RequiresDevice
Change-Id: Ia1c6a9ef3f0c1d84b2be8756eb1853ffa0597f8e
The auditallow added in 7a4af30b3 has not triggered. This is safe to
remove.
Test: device boots and no obvious problems.
Test: No audit messages seen since May 2018 on go/sedenials
Bug: 9496886
Bug: 68016944
Change-Id: I3861b462467e1fc31e67a263ad06716a4111dcb8
What changed:
- Removed cgroup access from untrusted and priv apps.
- Settings app writes to /dev/stune/foreground/tasks, so system_app domain
retains access to cgroup.
- libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used
abundantly in native code. So added a blanket allow rule for (coredomain - apps)
to access cgroups.
- For now, only audit cgroup access from vendor domains. Ultimately, we want to
either constrain vendor access to individual domains or, even better, remove
vendor access and have platform manage cgroups exclusively.
Changes from original aosp/692189 which was reverted:
- There seem to be spurious denials from vendor-specific apps. So added
back access from { appdomain -all_untrusted_apps -priv_app } to cgroup.
Audit this access with intent to write explicit per-domain rules for it.
Bug: 110043362
Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates
/dev/memcg on a per app basis on a device that supports that.
Test: aosp_sailfish, wahoo boot without cgroup denials
This reverts commit cacea25ed0.
Change-Id: I05ab404f348a864e8409d811346c8a0bf49bc47a
Add ians service contexts
Bug: 113106744
Test: verified from service list that ianas is
registered
Change-Id: Iea653416ffa45cba07a544826e0a2395d31cedca
Merged-In: Iea653416ffa45cba07a544826e0a2395d31cedca
This patch gives global access to asan libraries. This is not ideal since the
labeling is not symmetric with standard locations, but this approach is easy to
maintain.
Fixes: 117555408
Test: processes on asan builds load /data/asan/* libs correctly
Change-Id: If54558c1808d8b16e06073c150c9f3eb358dda67
Remove kernel attack surface associated with ioctls on plain files. In
particular, we want to ensure that the ioctls FS_IOC_ENABLE_VERITY and
FS_IOC_MEASURE_VERITY are not exposed outside a whitelisted set of
entities. However, it's straight forward enough to turn on ioctl
whitelisting for everything, so we choose to do so.
Test: policy compiles and device boots
Test: device boots with data wipe
Test: device boots without data wipe
Change-Id: I545ae76dddaa2193890eeb1d404db79d1ffa13c2
This reverts commit 9899568f6c.
Reason for revert: Reports of high numbers of SELinux denials
showing up on the SELinux dashboard.
Bug: 110043362
Change-Id: Id8fc260c47ffd269ac2f15ff7dab668c959e3ab0
What changed:
- Removed cgroup access from untrusted and priv apps.
- Settings app writes to /dev/stune/foreground/tasks, so system_app domain
retains access to cgroup.
- libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used
abundantly in native code. So added a blanket allow rule for (coredomain - apps)
to access cgroups.
- For now, only audit cgroup access from vendor domains. Ultimately, we want to
either constrain vendor access to individual domains or, even better, remove
vendor access and have platform manage cgroups exclusively.
Bug: 110043362
Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates
/dev/memcg on a per app basis on a device that supports that.
Test: aosp_sailfish, wahoo boot without cgroup denials
Change-Id: I9e441b26792f1edb1663c660bcff422ec7a6332b
We plan on migrating MetricsLogger to write to statsd socket. So we need to
allow zygote, which writes to logd using MetricsLogger, to also be able
to statsd. We also re-locate some sepolicies to write to statsd socket
in their respective policy definitions.
Bug: 110537511
Test: no failure/violations observed
Change-Id: I21fd352a25ed946516f9a45ac3b5e9bf97b059bc
A default set of options are available, but can override in a fstab
overlay entry with upperdir=, lowerdir= to the same mount point,
workdir=. The default is a valid /mnt/scratch/overlay/
or /cache/overlay/ directory, with .../<mount_point>/upper and
.../<mount_point>/work, associated with each system partition
<mount_point>.
Test: manual
Bug: 109821005
Change-Id: I5662c01fad17d105665be065f6dcd7c3fdc40d95
