Addressing b/194450129 requires configuring the I/O scheduler and the
queue depth of loop devices. Doing this in a generic way requires
iterating over the block devices under /sys/class/block and also to
examine the properties of the boot device (/dev/sda). Hence this patch
that allows 'init' and 'apexd' to read the properties of all block
devices. The patch that configures the queue depth is available at
https://android-review.googlesource.com/c/platform/system/core/+/1783847.
Test: Built Android images, installed these on an Android device and verified that modified init and apexd processes do not trigger any SELinux complaints.
Change-Id: Icb62449fe0d21b3790198768a2bb8e808c7b968e
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Microdroid_manager creates a vsock socket and app's output is redirected
to it.
Bug: 195751698
Test: MicrodroidHostTestCases
Change-Id: I66759067169cc97a6c1fc084395761e06c6e20f6
There can be VM disk images that are specific to the underlying SoC.
e.g. in case where SoC-specific hardware is dedicated to a VM and the VM
needs drivers (or HALs) for the hardware.
Don't prevent crosvm from reading such a SoC-specific VM disk images.
Note that this doesn't actually allow crosvm to do that in AOSP. Such an
allow rule could be added in downstreams where such use cases exist.
Bug: 193605879
Test: m
Change-Id: If19c0b6adae4c91676b142324c2903879548a135
crash_dump need to read process uptime
which need to be calc by minus the system uptime
Bug: 193159611
Bug: 183575981
Test: manual
Change-Id: I9f071007f31b8101d2d67db19b5d2b2835e6c5a4
authfs_service is a binder service on microdroid. Upon a request by the
client, the service will create the mount directory, execute authfs to
mount the FUSE, and finally unmount and delete the mount directory.
authfs currently requires more privileges than it should, but it's ok
because the client owns the VM, and all input will be verified by
signatures. But there is plan to keep the privileges isoated in the
service (b/195554831).
Bug: 194717985
Bug: 195554831
Test: Start the service from init, use a test executable to call the
service API. Only observed denial from the test executable.
Change-Id: Ie53aa9e2796433fc3182357039d0b7ba1c0848ef
Microdroid_manager should verify payloads(APK/APEXes). APK is mounted to
dm_device first and then verified. So, microdroid_manager needs to read
it.
Bug: 190343842
Test: MicrodroidHostTestCases
Change-Id: I530fb8d2394952486f0bad7fb3bed770611cd311
The shell context can invoke app_process (ART runtime), which in turn
reads odsign_prop to determine whether we determined that the generated
artifacts are valid. Since this was denied until now, app processes
invoked through shell would fall back to JIT Zygote. This is probably
fine, but since fixing the denial is really simple (and not risky), this
option might be preferred over adding it to the bug map.
Bug: 194630189
Test: `adb shell sm` no longer generates a denial
Change-Id: Ia7c10aec53731e5fabd05f036b12e10d63878a30
Add a new build prop for the new Vritual AB Compression with XOR
feature. This allows each lunch target to control if they want to use
the new feature.
Test: th
Bug: 177104308
Change-Id: Ibafc231daecef5e482652d1769ad0f3729206c0f
snapuserd uses an inotify watch to detect when /dev/socket/snapuserd has
been created.
Bug: N/A
Test: no denials after applying OTA on cuttlefish
Change-Id: I2ca16aee84ce7648bceea5c5de32a561b932f528
The init process configures swapping over zram over a loop device. An
I/O scheduler is associated with the loop device. Tests have shown that
no I/O scheduler works better than the default, mq-deadline. Hence
allow the init process to configure the loop device I/O scheduler.
Without this patch, the following SELinux denials are reported during
boot:
1 1 I auditd : type=1400 audit(0.0:4): avc: denied { read write } for comm="init" name="scheduler" dev="sysfs" ino=78312 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_loop:s0 tclass=file permissive=0
1 1 I auditd : type=1400 audit(0.0:4): avc: denied { read write } for comm="init" name="scheduler" dev="sysfs" ino=78312 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_loop:s0 tclass=file permissive=0
Bug: 194450129
Test: Built Android images and installed these on an Android device.
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Change-Id: I0af0a92c53bb1f68b57f6814c431a7f03d8ea967
This is the only blocker for SELinux denial test on microdroid. Rather
than consuming more time, this temporarily suppresses the audit message
to turn on the test.
Bug: 193118220
Test: atest MicrodroidHostTestCases -c
Change-Id: Id703107cbaae42352bebe34d0a6373f0701c0f6f
Add selinux policy to allow snapuserd to search
through /dev/block/ and read /sys/block directory.
Bug: 193863442
Test: OTA on pixel
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I656aee69f4c07ed7caeb1c3c14e44e1a25bd1ba1
Previously vendor_sched is put under product area which will be replaced
by GSI. To solve it, move it to system/sepolicy.
Bug: 194656257
Test: build pass
Change-Id: Ia0b855e3a876a58b58f79b4fba09293419797b47
keystore uses sqlite3. sqlite3 calls F2FS_IOC_GET_FEATURES. As
microdroid has nothing to do with that, we just suppress the audit.
Bug: 193118220
Test: atest MicrodroidHostTestCases
Change-Id: I1da00d1fd4b7e208e80a1d9bc5f49c21af684516
Also guard all profcollect related entries with userdebug/eng only and
move them into one place.
Test: manual
Bug: 183487233
Bug: 194155753
Change-Id: If3399bb78b60f0367267e67573007ed72508279a
It's a test tool which is generally run as root, and will be deleted
eventually. It doesn't need its own label; system_file works fine.
We never actually allowed it anything, nor defined a transition into
the domain.
Bug: 194474784
Test: Device boots, no denials
Test: compos_key_cmd run from root works
Change-Id: If118798086dae2faadeda658bc02b6eb6e6bf606
