We are not forbidding system_writes_vendor_properties_violators in P,
i.e. this neverallow rule is not strictly enforced.
Bug: 80466516
Bug: 78598545
Test: build policy
Change-Id: Iaf0ebbd2b27adf8c48082caa874e53f32bf999fc
The attribute is used to capture system properties added from outside of
AOSP (e.g. by OEM), but are not device-specific and thus are used only
inside the system partition.
Access to the the system properties from outside of the system partition
is prevented by the neverallow rule.
Bug: 80382020
Bug: 78598545
Test: m -j selinux_policy
Change-Id: I22c083dc195dab84c9c21a79fbe3ad823a3bbb46
Using hal_foo attributes in neverallow rules does not work because
they are auto-expanded to types. Use hal_foo_server types instead.
Fixes the following error:
unit.framework.AssertionFailedError: The following errors were
encountered when validating the SELinuxneverallow rule: neverallow
{ domain -coredomain -bluetooth -hal_bluetooth } { bluetooth_prop }:
property_service set; Warning! Type or attribute hal_bluetooth used
in neverallow undefined in policy being checked.
Test: CtsSecurityHostTestCases
Bug: 80153368
Change-Id: I2baf9f66d2ff110a4f181423790a1160a6e138da
Currently, permissions for ctl. property apply to each action verb, so
if a domain has permissions for controlling service 'foo', then it can
start, stop, and restart foo.
This change implements finer grainer permissions such that permission
can be given to strictly start a given service, but not stop or
restart it. This new permission scheme is mandatory for the new
control functions, sigstop_on, sigstop_off, interface_start,
interface_stop, interface_restart.
Bug: 78511553
Test: see appropriate successes and failures based on permissions
Merged-In: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
Change-Id: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
(cherry picked from commit 2208f96e9e)
Currently, permissions for ctl. property apply to each action verb, so
if a domain has permissions for controlling service 'foo', then it can
start, stop, and restart foo.
This change implements finer grainer permissions such that permission
can be given to strictly start a given service, but not stop or
restart it. This new permission scheme is mandatory for the new
control functions, sigstop_on, sigstop_off, interface_start,
interface_stop, interface_restart.
Bug: 78511553
Test: see appropriate successes and failures based on permissions
Change-Id: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
apns downloaded will enter a new directory that
TelephonyProvider can access.
Bug: 79948106
Test: Manual
Change-Id: I1e7660adf020dc7052da94dfa03fd58d0386ac55
Merged-In: I1e7660adf020dc7052da94dfa03fd58d0386ac55
The 'sync' tracepoint was updated to be 'fence' in kernel 4.9, so this
change also adds that one to the list.
Bug: 79935503
Test: Took a trace using 'sync' in user mode and saw the tracepoints
being saved.
Change-Id: I793c6f54cd9364f33853983f8c5dfb28b98c2708
This is needed when ueventd needs to read device tree files
(/proc/device-tree). Prior to acccess, it tries to read
"androidboot.android_dt_dir" from kernel cmdline for a custom
Android DT path.
Bug: 78613232
Test: boot a device without unknown SELinux denials
Change-Id: Iff9c882b4fcad5e384757a1e42e4a1d1259bb574
(cherry picked from commit 98ef2abb12)
This allows Android Keystore to statically register support for 3DES
during zygote initialization based on the device's support for hardware
backed 3DES keys.
Bug: b/79986680
Test: keystore CTS
Change-Id: Ic9a6653cdd623a3ab10e0efbcdb37c437e6c59b9
System properties can be abused to get around Treble requirements of
having a clean system/vendor split. This CL seeks to prevent that by
neverallowing coredomain from writing vendor properties.
Bug: 78598545
Test: build 2017/2018 Pixels
Test: build aosp_arm64
Change-Id: I5e06894150ba121624d753228e550ba9b81f7677
"storaged" service will be used by external clients, e.g. vold, dumpsys
"storaged_pri" service will only be used by storaged cmdline.
Bug: 63740245
Change-Id: I7a60eb4ce321aced9589bbb8474d2d9e75ab7042
(cherry picked from commit 37ab7c0917)
to workaround some VTS VtsKernelLtp failures introduced by
change on vfs_iter_write here:
abbb65899a%5E%21/#F3
for discussion please check threads here:
https://www.mail-archive.com/seandroid-list@tycho.nsa.gov/msg03348.html
Sandeep suggest to re-order the events in that thread,
that should be the right solution,
this change is only a tempory workaround before that change.
Bug: 79528964
Test: manually with -m VtsKernelLtp -t VtsKernelLtp#fs.fs_fill_64bit
Change-Id: I3f46ff874d3dbcc556cfbeb27be21878574877d1
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
(cherry picked from commit 64ff9e9523)
Merged-In: I3f46ff874d3dbcc556cfbeb27be21878574877d1
Mtp needs access to this path in order to
change files on an sdcard.
Fixes denial:
05-14 17:40:58.803 3004 3004 W MtpServer: type=1400 audit(0.0:46):
avc: denied { search } for name="media_rw" dev="tmpfs" ino=10113
scontext=u:r:mediaprovider:s0:c512,c768
tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir permissive=0
b/77925342 app=com.android.providers.media
Bug: 77849654
Test: no denials using mtp with emulated sdcard
Change-Id: I27b5294fa211bb1eff6d011638b5fdc90334bc80
Add an exemption to neverallow rule to use sockets from HAL servers only
for automotive build
Bug: 78901167
Test: assign this attribute to hal_vehicle_default and try to open
socket from HAL implementation
Test: verify that new CTS test will fail for non-automotive build with
this attribute buing used
Test: make cts && cts-tradefed run singleCommand cts --skip-device-info
--skip-preconditions --abi arm64-v8a --module CtsSecurityHostTestCases
-t android.security.cts.SELinuxHostTest
Change-Id: I27976443dad4fc5b7425c089512cac65bb54d6d9
This relaxes the neverallow rule blocking vendor_init from doing
anything to vold_metadata_file. The rules above it still prevent it
from doing anything other than relabelto and getattr.
Bug: 79681561
Test: Boot device and see no denials.
Change-Id: I1beb25bb9f8d69323c9fee53a140c2a084b12124
The property is set on builds which profile the boot image.
Test: m
Bug: 73313191
(cherry-pick form commit d99f4acf2d)
Merged-In: Ie0cd54f23250df02850c38bb14e92d4b1fa04f16
Change-Id: Ie0cd54f23250df02850c38bb14e92d4b1fa04f16
The goal is to allow creating profile snapshots from the shell command in
order to be able to write CTS tests.
The system server will dump profiles for debuggable in /data/misc/profman
from where they will be pulled and verified by CTS tests.
Test: adb shell cmd package snapshot-profile com.android.vending
Bug: 74081010
Change-Id: I54690305284b92c0e759538303cb98c93ce92dd5
com.android.server.power.PowerManagerServiceTest#testGetLastShutdownReasonInternal due to "RuntimeException: failed to set system property"
W/roidJUnitRunner: type=1400 audit(0.0:6): avc: denied { write } for name="property_service" dev="tmpfs" ino=13178 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
W/libc : Unable to set property "test.sys.boot.reason" to "shutdown,thermal": connection failed; errno=13 (Permission denied)
Had to use precise property definition as com.android.phone accesses
test properties as well.
Test: compile
Bug: 78245377
Change-Id: I2cc810846f8615f2a2fae8e0d4f41de585b7abd7
This should help fix presubmit tests.
Bug: 79414024
Test: Built policy.
Change-Id: Ic840150767ff6c2799ac3b5ef22ba139108c94dd
(cherry picked from commit 06e09abd25)
Bug: 71430241
Test: build/flash, grep for "avc: denied { read }" for mediacodec, should be empty on walleye
Change-Id: I12e1b11a969d3f979ca0cfbe4ca7db2bc5e46165
Let the audioserver record metrics with media.metrics service.
This is for 'audiopolicy' metrics.
Bug: 78595399
Test: record from different apps, see records in 'dumpsys media.metrics'
Change-Id: I63f9d4ad2d2b08eb98a49b8de5f86b6797ba2995
On userdebug builds we can now profile system server without disabling
selinux. This is the final piece, and allows the system server to save its
own profile.
Test: manual, on a device with system server profiling enabled
Bug: 73313191
(cherry picked from commit 71d8467b75)
Change-Id: I93e7e01bfbd3146a8cfd26a1f6e88b640e9c4e0f
It's used in build-time tests and in CTS.
Bug: 78898770
Test: build user-build
Change-Id: I254bf4d7ed0c0cb029b55110ceec982b84e4a91b
(cherry picked from commit beeb122405070a5b4cee326a0cdae92a1a791fbc)
This file is /vendor/etc/selinux/nonplat_sepolicy.cil from aosp_arm64-eng
from mr1-dev
Bug: 69390067
Test: prebuilt only change
Change-Id: I717513ae66e806afe0071cf5b42e9f709264d0b6
"storaged" service will be used by external clients, e.g. vold, dumpsys
"storaged_pri" service will only be used by storaged cmdline.
Bug: 63740245
Change-Id: I7a60eb4ce321aced9589bbb8474d2d9e75ab7042
The following commits were cherry-picked from internal master to AOSP,
but to avoid merge-conflicts we'll do a large diff instead of individual
cherry-picks:
521742e9799aefc916f53686efcadbde51e7decefff3fe2f08
Bug: 37916906
Test: angler builds and boots.
Merged-In: Ie010cc12ae866dbb97c387471f433158d3b699f3
Change-Id: I5126ebe88b9c76a74690ecf95851d389cfc22d1f
In order to bring AOSP development back in-line with master development,
some CLs were cherry-picked individually from internal master to AOSP,
which were then merged back into internal master (MERGED-IN was missing).
Due to merge-conflict pain, these are being reverted in favor of one
big diff. This CL reverts the changes that were auto-merged in as a result,
and can be used as the target of MERGED-IN when reverting the individual
cherry-picks in AOSP.
This reverts commit a08fe91ee5, reversing
changes made to 11481d1d95.
This reverts commit 7ec5ecfbb7, reversing
changes made to 6fecbbb27e.
Bug: 37916906
Test: Builds 'n' boots.
Add /dev/kmsg_debug on userdebug devices, to allow crash_dump to log
crashes to dmesg when logd isn't up yet (or is the one crashing).
(Originally commited in a015186fab)
(cherry-pick of commit: 3458ec135e)
Bug: 37916906
Bug: 36574794
Bug: 62101480
Test: Builds and boots.
Change-Id: I83aa392f49bb412d96534925fb02921a8f4731fa
More changes went into oc-dev after the freeze-date. Reflect them.
(cherry-pick of commit: 148578a623)
Bug: 37916906
Bug: 37896931
Test: prebuilts - none.
Change-Id: I3300751ea7362d5d96b327138544be65eb9fc483
commit: 5c6a227ebb added the oc-dev
sepolicy prebuilts (api 26.0), but did not include the corresponding
base mapping file, which is to be maintained along with current
platform development in order to ensure backwards compatibility.
(cherry-pick of commit: 5e4e0d7fba)
Bug: 37916906
Bug: 37896931
Test: none, this just copies the old mapping file to prebuilts.
Change-Id: Ia5c36ddab036352845878178fa9c6a9d649d238f
Copy the final system sepolicy from oc-dev to its prebuilt dir
corresponding to its version (26.0) so that we can uprev policy and
start maintaining compatibility files, as well as use it for CTS
tests targeting future platforms.
(cherry-pick of commit: 5c6a227ebb)
Bug: 37896931
Bug: 37916906
Test: none, this just copies the old policy.
Change-Id: Ib069d505e42595c467e5d1164fb16fcb0286ab93
The treble compatibility tests check for policy differences between old
and new policy. To do this correctly, we must not modify the policy which
represents the older policies. Move the files meant to be changed to a
different location from the ones that are not meant to be touched to avoid
any undesired changes to old policy, e.g. commit:
2bdefd65078d890889672938c6f0d2accdd25bc5
Bug: 36899958
Test: Build-time tests build.
Change-Id: I8fa3947cfae756f37556fb34e1654382e2e48372
untrusted_app_visible_hwservice was an attribute that was meant to
give partners time to add their HALs to AOSP. It was removed from mr1
and so needs to be accounted for in the compatibility mapping.
Bug: 64321916
Test: Builds with treble policy tests.
Change-Id: I359a842083016f0cf6c9d7ffed2116feb9e159c6
On Full Treble devices, servicemanager should only service
services from the platform service_contexts file.
Created new type to separate plat_ and nonplat_service_contexts,
and added new type to mapping (although I don't think this type
should have been used by vendors).
Bug: 36866029
Test: Marlin/Taimen boot
Change-Id: Ied112c64f22f8486a7415197660faa029add82d9
Commit: 2490f1adad meant to add
thermalserviced_tmpfs to the new_object list in the mapping file,
but copy-paste error resulted in thermalserviced_exec_tmpfs being
recorded instead. Fix this.
(cherry-pick of commit: fbacc656be)
Bug: 62573845
Test: None. prebuilt change.
Change-Id: Iab4eaef04742187d6397a539aae854651caa9935
A new API [getNamesForUids] was recently added to the PackageManager
and this API needs to be accessible to native code. However, there
were two constraints:
1) Instead of hand-rolling the binder, we wanted to auto generate
the bindings directly from the AIDL compiler.
2) We didn't want to expose/annotate all 180+ PackageManager APIs
when only a single API is needed.
So, we chose to create a parallel API that can be used explicitly
for native bindings without exposing the entirety of the
PackageManager.
Bug: 62805090
Test: Manual
Test: Create a native application that calls into the new service
Test: See the call works and data and returned
Change-Id: I0d469854eeddfa1a4fd04b5c53b7a71ba3ab1f41
Commit: ec3b6b7e25 added a new daemon
and corresponding types to sepolicy. The explicitly declared types
were added to 26.0.ignore.cil to reflect the labeling of new objects,
but another type, thermalserviced_tmpfs was created by macro and was
missed in code review. Add it as well.
Bug: 62573845
Test: None. prebuilt change.
Change-Id: Ia8968448eea0be889911f46fe255f581659eb548
(cherry picked from commit 2490f1adad)
Commit: 5aef6a9469 added a new type,
system_net_netd_hwservice, for a new hwservice. Record this in the
compatibility infrastructure as labeling a new object, rather than
relabeling one from O.
Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: If360eb9e05684d9b47316d53e494aa773485e93f
Commit: 3eed3eacfb added the compatibility
statement for the new mediaprovider app domain, but it missed another
new, private type, mediaprovider_tmpfs, that is automatically created for
all appdomains. It replaces priv_app_tmpfs, but since both types are
private, they do not need to be added to the actual mapping (vendor policy
cannot use it).
Bug: 62573845
Test: None. Prebuilt-only change.
Change-Id: I62229a5be74cd928fe0ca82a45b73cb61d6f5223
Commit: 632bc494f1 added hwservice labeling
and was cherry-picked to oc-dev, but the hal_wifi_offload_hwservice type
was not part of the cherry-pick because the service was not in oc-dev.
Record the type for compatibility purposes.
Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: Ib2c0fe862eddb566fbe6b0287238fa93dddae7b8
This type was removed in commit: 93166cefce
and no longer needs to be included in compatibility infrastructure.
Bug: 62573845
Test: None, prebuilt change.
Change-Id: I9dc05512c7fcb3ef4445c4c6b040809a1d595282
Prevent files in /proc from incorrectly having sysfs_type attribute.
Rework neverallows so that ueventd has write access to all of
/sys which it needs to handle uevents.
Bug: 63147833
Test: Build. Flash angler, verify files are correctly labeled and no
new denials are in the logs.
Change-Id: Ib94d44e78cee0e83e2ac924f1c72e611e8e73558
This reinstates the exception for netd_stable_secret_prop, which
was added after O sepolicy freeze. This exception, along with the
corresponding core sepolicy change, was reverted in order to
allow these policies to be added to per-device sepolicy.
DO NOT SUBMIT until http://ag/2528214 has automerged to master.
This reverts commit 777c8ee0c2.
Bug: 17613910
Bug: 62573845
Test: make -j64 bootimage
Change-Id: I20b52f1d8e1c0cbb18a339bf45586dacbc7405ad
This will allow removing the netd_stable_secret_prop from common
policy in master. It will be re-added after the wahoo-specific
sepolicy for netd_stable_secret_prop lands in oc-dr1-dev, is
automerged to master, and then is reverted in master.
This reverts commit ebea2b459c.
Bug: 17613910
Bug: 62573845
Test: None, prebuilt change only.
Change-Id: I1234326d2fe6446e7e09ba9e97187518fa9bce33
Platform SELinux policy may be updated without a corresponding
update to non-platform policy. This is meant to be accomplished by
maintaining a compatibility mapping file which will be built along
with the current platform policy to link older non-platform policy.
Introduce an example vendor policy built from 26.0 public policy and
make sure that the current platform policy and mapping file, for that
version, build with it. Add this as a dependency for the
selinux_treble_tests, which are meant to ensure treble properties,
ultimately to provide this compatibility guarantee.
Bug: 36899958
Test: Current platform policy builds with oc-dev vendor policy and
oc-dev mapping file. Removed private type with no effect. Removed
public type without corresponding mapping entry causes build to fail.
Change-Id: I7994ed651352e2da632fc91e598f819b64c05753
Commit: e58a8de5e7 added a new type
which has no analogue in 26.0. Record it as such.
Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I6b6d2aa64e0ac2c39c8d0427d333e6c7fc2b0bb1
Commit: 86cb521502 gave /dev/memcg a
new label, but also explicitly prohibited access to vendor domains.
Add the type to the 'new types' and don't map it to any other type
for backwards compatibility.
Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I8902716830b162ead69834544ace9e02a94c65b4
Commit: 38f0928fb0 added a type for a
new system service. This service did not exist previously, so mark
the type as not needing any compat entry.
Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I52d8e144c614b27f5c52fa99be6cfac87159bbcd
Commit: 78e595deab added a new hwservice,
which replaced a previous system service. This effectively means we are
deleting one object and creating a new one, so no compatibility mapping
should be necessary since previous vendor processes trying to access the
service will not be able to find it now independent of policy.
Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I6882d968dccb55561379e940f6ecb62902bb1659
Commit: b8f7a40833 removed three
attributes from public policy. These attributes could be assigned
to vendor types, and so need to be kept in policy when combined with
vendor policy of that version.
Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I7d71ef7795f8b82c214c2ef72478c3ca84d1869c
Commit: 4dc88795d0 changed the label of
uid_time_in_state from proc to proc_uid_time_in_state. This file
could have been used by vendor services. Add a compat mapping.
Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I2e5222c4d4fe12cb0bbc4e85ba53c1f59b714d61
Commits 7fa51593c8 and
92fdd8954f removed the
tracing_shell_writable and tracing_shell_writable_debug types, and
relabeled the files with debugfs_tracing and debugfs_tracing_debug,
respectively. Record this in the compatibility file so that vendor
policy using these types will still work.
Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: Ic6573518035514a86abe2081483431427612699e
Commit: abb1ba6532 added policy for a
new property, which was not present in O. This policy introduced a
new type. Record it as such.
Bug: 62573845
Test: None, prebuilt change only.
Change-Id: I7d90cd69a5e6e29677598cc109676d5b1ce5ba05
Commit: bde5c8013d added a new type,
mediaprovider, which is being applied to an object (process) formerly
labeled as priv_app. Add the new type to the versioned attribute for
priv_app so that any vendor policy written for interaction with
mediaprovider continues to work.
Bug: 62573845
Test: None. Prebuilt-only change.
Change-Id: Id98293369401a2af23c2328a1cb4a5bb2258aac8
Commit: 50889ce0eb added policy for a
new service, which was not present in O. This policy introduced a
new type. Record it as such.
Bug: 62573845
Test: None, prebuilt change only.
Change-Id: If9cfaff813c47d3b1c8374e8abfb4aedb902d486
Commit: 11bfcc1e96 added policy for
a new socket which was not present in O. This socket has a new
type associated with it. Record the type as a new type so that
compatibility testing will not complain.
Bug: 62573845
Test: None, prebuilt change only.
Change-Id: I375fc9ca0bd201e277a0302d9b34c0da0eb40fbd
Commit 5f573ab2aa added policy for
the additions of upstream fs tools. Make sure the new types are
denoted as such (no object relabeling needs to be done) and that
objects which are relabeled are.
Bug: 35219933
Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I6515e05ebc60ca08e98029f471cf2861826036fc
domain_deprecated is a private attribute, which means that none of
its rules will be copied to vendor policy. Unfortunately, this
means that any public type that used the attribute now loses policy
rules on which a vendor may have been relying unknowingly. Add the
domain back in the compatiblity file so that O vendor policy remains
sufficient.
Bug: 62573845
Test: None, prebuilt change and prebuilt tests not in yet.
Change-Id: I2c4ce00ecb102f087472e183fa52d072fe6eb398
This was marked deprecated in 2014 and removed in 2015, let's remove
the sepolicy now too.
(Originally submitted in commit: 8c60f74dcc)
Bug: 38242876
Test: Builds and boots.
Change-Id: I4caa0dbf77956fcbc61a07897242b951c275b502
Add /dev/kmsg_debug on userdebug devices, to allow crash_dump to log
crashes to dmesg when logd isn't up yet (or is the one crashing).
(Originally commited in a015186fab)
Bug: 36574794
Bug: 62101480
Test: Builds and boots.
Change-Id: I249e11291c58fee77098dec3fd3271ea23363ac9
More changes went into oc-dev after the freeze-date. Reflect them.
Bug: 37896931
Test: prebuilts - none.
Change-Id: I3300751ea7362d5d96b327138544be65eb9fc483
commit: 5c6a227ebb added the oc-dev
sepolicy prebuilts (api 26.0), but did not include the corresponding
base mapping file, which is to be maintained along with current
platform development in order to ensure backwards compatibility.
Bug: 37896931
Test: none, this just copies the old mapping file to prebuilts.
Change-Id: Ia5c36ddab036352845878178fa9c6a9d649d238f
Copy the final system sepolicy from oc-dev to its prebuilt dir
corresponding to its version (26.0) so that we can uprev policy and
start maintaining compatibility files, as well as use it for CTS
tests targeting future platforms.
Bug: 37896931
Test: none, this just copies the old policy.
Change-Id: Ib069d505e42595c467e5d1164fb16fcb0286ab93
