In microdroid, apexd activates apexes which are passed as a virtual disk
to share apexes with host Android.
Bug: 184605708
Test: apexd running in microdroid can read /dev/block/vdb2
when a disk image is passed to crosvm via --disk= option.
Change-Id: Ie27774868a0e0befb4c42cff795d1531b042654c
* Permits setting the sys.drop_caches property from shell.
* Permits init to read and write to the drop_caches file.
* Can only be set to 3 (drop_caches) and 0 (unset).
Bug: 178647679
Test: flashed user build and set property; no avc denials.
Test: flashed userdebug build and dropped caches w/o root.
Change-Id: Idcedf83f14f6299fab383f042829d8d548fb4f5d
Create contexts for /sys/kernel/tracing/instances/bootreceiver
Allow read access to files in this dir for system_server.
Bug: 172316664
Bug: 181778620
Test: manual runs with KFENCE enabled
Signed-off-by: Alexander Potapenko <glider@google.com>
Change-Id: I7021a9f32b1392b9afb77294a1fd0a1be232b1f2
Revert submission 1572240-kernel_bootreceiver
Reason for revert: DroidMonitor: Potential culprit for Bug 181778620 - verifying through Forrest before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.
Reverted Changes:
Ic1c49a695:init.rc: set up a tracing instance for BootReceive...
I828666ec3:Selinux policy for bootreceiver tracing instance
Change-Id: I9a8da7ae501a4b7c3d6cb5bf365458cfd1bef906
Create contexts for /sys/kernel/tracing/instances/bootreceiver
Allow read access to files in this dir for system_server.
Bug: 172316664
Test: manual runs with KFENCE enabled
Signed-off-by: Alexander Potapenko <glider@google.com>
Change-Id: I828666ec3154aadf138cfa552832a66ad8f4a201
System files in recovery are labelled as rootfs, so we need an explicit
transition to snapuserd. Without this, factory data resets will fail
with a VABC OTA pending, with the following denial:
avc: denied { entrypoint } for pid=522 comm="init" path="/system/bin/snapuserd"
dev="rootfs" ino=1491 scontext=u:r:snapuserd:s0 tcontext=u:object_r:rootfs:s0
tclass=file permissive=0
Bug: 179336104
Test: factory data reset with VABC OTA pending
Change-Id: Ia839d84a48f2ac8ccb37d6ae3b1f8a8f7e619931
During first-stage init we spawn a daemon (snapuserd) to interact with
the dm-user kernel module. Immediately after sepolicy is loaded, we
launch the daemon again with the correct privileges, and kill the
original one.
In order for init to do this, it needs to be able to open and write to
the snapuserd socket (which is corrected to the "correct" daemon), as
well as call flock() on /metadata/ota which is how libsnapshot ensures
exclusive access to Virtual A/B snapshots.
Bug: 168259959
Test: no denials with Virtual A/B Compression enabled
Change-Id: Ic7fc78ca1a17673b878766e0f4dfe0265c1be768
This cleans up remaining exported2_default_prop. Three properties are
changed.
- ro.arch
It becomes build_prop.
- hal.instrumentation.enable
It becomes hal_instrumentation_prop.
- ro.property_service.version
It becomes property_service_version_prop.
Bug: 155844385
Test: selinux denial test on Pixel devices
Change-Id: I7ee0bd8c522cc09ee82ef89e6a13bbbf65291291
ro.boot. properties assigned as "exported2_default_prop" are now
"bootloader_prop", to remove bad context name "exported2_default_prop".
Two things to clarify:
1) We have both the prefix entry and the exact entries. Although the
exact entries may be redundant, we may want to keep them. Vendors are
still allowed to have properties starting with "ro.boot." on
vendor_property_contexts file. The exact entries can prevent vendors
from modifying them to random contexts.
2) ro.boot. is special as it is originally for kernel command line
"androidboot.". But some ro.boot. properties are being used as if they
were normal. To avoid regression, ro.boot. properties having contexts
other than "exported2_default_prop" are not changed here. They will be
tracked later.
Bug: 155844385
Test: m selinux_policy
Change-Id: Ic0f4117ae68a828787304187457b5e1e105a52c7
Merged-In: Ic0f4117ae68a828787304187457b5e1e105a52c7
vts_config_prop and vts_status_prop are added to remove exported*_prop.
ro.vts.coverage becomes vts_config_prop, and vts.native_server.on
becomes vts_status_prop.
Bug: 155844385
Test: Run some vts and then getprop, e.g. atest \
VtsHalAudioEffectV4_0TargetTest && adb shell getprop
Test: ro.vts.coverage is read without denials
Change-Id: Ic3532ef0ae7083db8d619d80e2b73249f87981ce
There are probably more cases but this one blocks presubmit
for cuttlefish with mainline kernels.
Bug: 158304247
Change-Id: I6d769b16a230a113a804df61f8de4dcbce2193b6
This properties are used to compute UserspaceRebootAtom and are going to
be written by system_server. Also removed now unused
userspace_reboot_prop.
Test: builds
Bug: 148767783
Change-Id: Iee44b4ca9f5d3913ac71b2ac6959c232f060f0ed
Written exclusively by init. Made it readable by shell for CTS, and for
easier platform debugging.
Bug: 137092007
Change-Id: Ia5b056117502c272bc7169661069d0c8020695e2
Add extra policy to enable linkerconfig to be executed from recovery.
Bug: 139638519
Test: Tested from crosshatch recovery
Change-Id: I40cdea4c45e8a649f933ba6ee73afaa7ab3f5348
In order to remount ext4 userdata into checkpointing mode, init will
need to delete all devices from dm-stack it is mounted onto (e.g.
dm-bow, dm-crypto). For that it needs to get name of a dm-device by
reading /sys/block/dm-XX/dm/name file.
Test: adb shell setprop sys.init.userdata_remount.force_umount_f2fs 1
Test: adb shell /system/bin/vdc checkpoint startCheckpoint 1
Test: adb reboot userspace
Test: adb shell dumpsys activity
Bug: 135984674
Bug: 143970043
Change-Id: I919a4afdce8a4f88322f636fdf796a2f1a955d04
By default sys.init.userspace_reboot.* properties are internal to
/system partition. Only exception is
sys.init.userspace_reboot.in_progress which signals to all native
services (including vendor ones) that userspace reboot is happening,
hence it should be a system_public_prop.
Only init should be allowed to set userspace reboot related properties.
Bug: 135984674
Test: builds
Test: adb reboot userspace
Change-Id: Ibb04965be2d5bf6e81b34569aaaa1014ff61e0d3
With the CLs in the same topic, it's being built as a dynamically linked
executable. And this applies to normal boot (including charger mode) and
recovery mode both.
/system/bin/charger under normal boot will be labeled as charger_exec,
which has the attribute of system_file_type.
The file in recovery image will still be labeled as rootfs. So we keep
the domain_trans rule for rootfs file, but allowing for recovery mode
only.
Bug: 73660730
Test: Boot into charger mode on taimen. Check that charger UI works.
Test: Boot into recovery mode. Check that charger process works.
Change-Id: I062d81c346578cdfce1cc2dce18c829387a1fdbc
init needs to execute bpfloader as a one-shot service. Add sepolicy for
the same. Also update old rules allowing init to fork/exec bpfloader and
remove rules allowing netd to do so.
Bug: 112334572
Change-Id: Ic242cd507731ed8af3f8e94d4fccc95819831d37
Signed-off-by: Joel Fernandes <joelaf@google.com>
NIAP certification requires that all cryptographic functions
undergo a self-test during startup to demonstrate correct
operation. init now performs this check during startup.
The self-test is forked from init. For the child process
to be able to request a reboot it needs permissions to
set the sys.powerctl property.
Bug: 119826244
Test: Built for walleye. When the BoringSSL self test was forced
to fail the device rebooted into the bootloader, as
expected.
Change-Id: I4171b1dd0a5e393252ae5c002171ac51c9cbb3e6
Also allow adb and fastboot to talk to recovery
through recovery_socket. This enables changing
between modes with usb commands.
Test: No selinux denials
Bug: 78793464
Change-Id: I80c54d4eaf3b94a1fe26d2280af4e57cb1593790
Also allow adb and fastboot to talk to recovery
through recovery_socket. This enables changing
between modes with usb commands.
Test: No selinux denials
Bug: 78793464
Change-Id: I1f97659736429fe961319c642f458c80f199ffb4
This is do aid developers pushing debug services to not need to modify
the underlying SEPolicy
avc: denied { transition } for comm="init" path="/system/bin/awk"
dev="dm-0" ino=1934 scontext=u:r:init:s0 tcontext=u:r:su:s0
tclass=process
avc: denied { rlimitinh } for comm="awk" scontext=u:r:init:s0
tcontext=u:r:su:s0 tclass=process
avc: denied { siginh } for comm="awk" scontext=u:r:init:s0
tcontext=u:r:su:s0 tclass=process
avc: denied { noatsecure } for comm="awk" scontext=u:r:init:s0
tcontext=u:r:su:s0 tclass=process
Test: init can execute a system_file marked with seclabel u:r:su:s0
Change-Id: I85d9528341fe08dbb2fb9a91e34a41f41aa093be
cgroupfs doesn't allow files to be created, so this can't be needed.
Also remove redundant neverallow and dontaudit rules. These are now
more broadly handled by domain.te.
Bug: 74182216
Test: Denials remain silenced.
Change-Id: If7eb0e59f567695d987272a2fd36dbc251516e9f
(cherry picked from commit 8e8c109350)
The kernel generates file creation audits when O_CREAT is passed even
if the file already exists - which it always does in the cgroup cases.
We add neverallow rules to prevent mistakenly allowing unnecessary
create access. We also suppress these denials, which just add noise to
the log, for the more common culprits.
Bug: 72643420
Bug: 74182216
Test: Ran build_policies.sh and checked failures were unrelated.
Test: Device still boots, denials gone.
Change-Id: I034b41ca70da1e73b81fe90090e656f4a3b542dc
(cherry picked from commit 92c149d077)
Test: let fs_mgr format a damaged /data partition
Bug: 35219933
Change-Id: If92352ea7a70780e9d81ab10963d63e16b793792
(cherry picked from commit 5f573ab2aa)
Bug: 63910933
Test: boot sailfish in normal mode, checks adbd is started
Test: boot sailfish in recovery mode, checks adbd is started
Test: boot bullhead in normal mode, checks adbd is started
Test: boot bullhead in recovery mode, checks adbd is started
Change-Id: I35ed78a15a34626fbd3c21d030e2bf51033f7b79
Merged-In: I35ed78a15a34626fbd3c21d030e2bf51033f7b79
(cherry picked from commit e2423d149b)
modprobe domain was allowed to launch vendor toolbox even if its a
coredomain. That violates the treble separation. Fix that by creating a
separate 'vendor_modprobe' domain that init is allowed to transition to
through vendor_toolbox.
Bug: 37008075
Test: Build and boot sailfish
Change-Id: Ic3331797691bb5d1fdc05a674aa4aa313e1f86b2
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 9e366a0e49)
vendor implementations need to be able to run modprobe as part of
init.rc scripts. They cannot do so because of the strict neverallow
currently in place that disallows all coredomains (including init)
to execute vendor toybox.
Fix this by adding init to the exception list for the neverallow so
vendors can then run modprobe from .rc scripts and also add the rule to
allow init to transition to modprobe domain using vendor_toolbox.
Bug: b/38212864
Test: Boot sailfish
Change-Id: Ib839246954e9002859f3ba986094f206bfead137
Signed-off-by: Sandeep Patil <sspatil@google.com>
This change extends the recovery mode modprobe sepolicy
to support loadable kernel module in normal mode by using
statement below in init.rc:
exec u:r:modprobe:s0 -- /system/bin/modprobe \
-d /vendor/lib/modules mod
Bug: b/35653245
Test: sailfish with local built kernel and LKM enabled
Change-Id: I827e2ce387c899db3e0e179da92e79c75d61f5ae
(cherry picked from commit b638d9493f)
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
appdomain only, and
* temporarily exempts the domains which are currently violating this
rule from this restriction. These domains are grouped using the new
"binder_in_vendor_violators" attribute. The attribute is needed
because the types corresponding to violators are not exposed to the
public policy where the neverallow rules are.
Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
sound, record slow motion video with sound. Confirm videos play
back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
This change defines new policy for modprobe (/sbin/modprobe) that should
be used in both recovery and android mode.
Denials:
[ 16.986440] c0 437 audit: type=1400 audit(6138546.943:5): avc:
denied { read } for pid=437 comm="modprobe" name="modules" dev="proc"
ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1
[ 16.986521] c0 437 audit: type=1400 audit(6138546.943:6): avc:
denied { open } for pid=437 comm="modprobe" path="/proc/modules"
dev="proc" ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1
[ 16.986544] c0 437 audit: type=1400 audit(6138546.943:7): avc:
denied { getattr } for pid=437 comm="modprobe" path="/proc/modules"
dev="proc" ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1
Bug: 35633646
Test: Build and tested it works in sailfish recovery. The modprobe is
invoked in init.rc (at the end of 'on init') with following command line
exec u:r:modprobe:s0 -- /sbin/modprobe -a nilfs2 ftl
Change-Id: Ie70be6f918bea6059f806e2eb38cd48229facafa
Don't audit directory writes to sysfs since they cannot succees
and therefore cannot be a security issue
Bug: 35303861
Test: Make sure denial is no longer shown
Change-Id: I1f31d35aa01e28e3eb7371b1a75fc4090ea40464
- transition to logpersist from init
- sort some overlapping negative references
- intention is to allow logpersist to be used by vendor
userdebug logging
Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests
Bug: 30566487
Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
healthd is being split into 'charger' and 'healthd' processes, that
will never run together. 'charger' is to be run only in charge-only
and recovery, while healthd runs with Android.
While they both share much of battery monitoring code, they both now
have reduced scope. E.g. 'charger', doesn't need to use binder anymore
and healthd doesn't need to do charging ui animation. So, amend the
SEPolicy for healthd to reduce it's scope and add a new one for charger.
Test: Tested all modes {recovery, charger-only, android} with new policy
Change-Id: If7f81875c605f7f07da4d23a313f308b9dde9ce8
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit c73d0022ad)
Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.
Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.
Test: Tested by building policy and running on device.
Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c