Commit graph

47566 commits

Author SHA1 Message Date
Jiakai Zhang
7a257541e9 Allow system_server to reopen its own memfd.
Bug: 311377497
Test: Run Pre-reboot Dexopt.
Change-Id: Ic6e273732a042f0906fad7ffa73a3e45af2adde5
2024-05-22 17:09:06 +01:00
Dennis Shen
2f5774f756 Merge "selinux: allow aconfig to read /aepx" into main 2024-05-21 14:39:44 +00:00
Thiébaud Weksteen
e138fe460b Merge changes I9b32916e,I7c4771de into main
* changes:
  Define new kernel security classes
  Symlink microdroid access_vectors and security_classes
2024-05-21 10:26:46 +00:00
Seungjae Yoo
e5df7418a4 Merge "Set sepolicy for vmnic in AVF" into main 2024-05-21 04:40:55 +00:00
Treehugger Robot
4fa0ed2bc1 Merge "statsd: allow misctl property" into main 2024-05-21 01:25:32 +00:00
Seungjae Yoo
f60a1e0b90 Set sepolicy for vmnic in AVF
Bug: 340376951
Test: Presubmit
Change-Id: I5f48ff4a459805de2f74d160c1b61473c6de0466
2024-05-20 14:15:22 +09:00
Inseob Kim
23c543c0ed Remove 1000000.0 mapping files
It's a workaround for -with-phones branch and redundant now.

Test: TH
Change-Id: I0ec9e00a8ee1e3c929f33cbba3b8339c7e42b885
2024-05-20 10:23:55 +09:00
Dennis Shen
f6106361f1 selinux: allow aconfig to read /aepx
Bug: b/312444587
Test: m and avd
Change-Id: I6ac81dd211ad7669952f97f9541c44e14680bec6
2024-05-20 00:44:56 +00:00
Yakun Xu
60f55289f8 Merge "Thread: allow ot-rcp to bind a specific netif" into main 2024-05-17 03:52:14 +00:00
Thiébaud Weksteen
1b85ead322 Merge "Grant dumpstate append to app_data_file_type" into main 2024-05-16 23:29:39 +00:00
Treehugger Robot
ca83352d1b Merge "Adjust policy that allows virtualizationservice to access RKPD" into main 2024-05-15 16:05:38 +00:00
Alice Wang
f7fc9f921a Adjust policy that allows virtualizationservice to access RKPD
Test: atest AvfRkpdAppIntegrationTests
Change-Id: I4f946326af3ce96466bb2c7de1762fbed056ec09
2024-05-15 14:33:36 +00:00
Jiakai Zhang
1a3775bbb8 Add a system property namespace for Pre-reboot Dexopt.
We need to maintain the Pre-reboot Dexopt state across system server
crashes and restarts, but not across reboots. System properties are
suitable for this use case. The state includes whether the job has run
and the OTA slot.

Bug: 311377497
Change-Id: I527d4ba6064c1600d97ce2efc8be211b9460a8f0
Test: Presubmit
2024-05-15 14:20:22 +00:00
Maciej Żenczykowski
6e95ee78e3 Merge "allow non bpfloader creation of bpf maps" into main 2024-05-15 07:37:07 +00:00
Thiébaud Weksteen
6772c50574 Define new kernel security classes
Define new classes and access vectors recognised by the kernel.

Bug: 340491179
Test: boot and check logs for undefined class or permission
Change-Id: I9b32916ea231cf396aa326ed7e08cb14e4eb2c9b
2024-05-15 04:45:20 +00:00
Thiébaud Weksteen
4b79c66714 Symlink microdroid access_vectors and security_classes
Symlink the access vectors and classes definitions of microdroid
reqd_mask to microdroid platform.

These definitions are not yet linked to the generic platform policy.

Bug: 340491179
Bug: 215093641
Test: build & TH
Change-Id: I7c4771dedfd2f35a7dda7d78bf863cbc0c288e67
2024-05-15 13:47:25 +10:00
Thiébaud Weksteen
76f7261d14 Grant dumpstate append to app_data_file_type
dumpstate may be executed by apps in different domains. Notably, a
system_app needs to be able to save the output in its own directory.

  avc:  denied  { append } for comm="binder:575_1" dev="dm-50"
  ino=10712 scontext=u:r:dumpstate:s0
  tcontext=u:object_r:system_app_data_file:s0 tclass=file

Using the app_data_file_type attribute to capture all the potential app
data types. For info, the current Cuttlefish policy has:

  $ seinfo -x -a app_data_file_type cf_policy
    attribute app_data_file_type;
        app_data_file
        bluetooth_data_file
        nfc_data_file
        privapp_data_file
        radio_data_file
        sdk_sandbox_data_file
        shell_data_file
        storage_area_app_dir
        storage_area_content_file
        storage_area_dir
        system_app_data_file

Test: bugreport
Change-Id: I7685c1fcdb3896c44fe44008b1b262c3f1e90a01
2024-05-15 10:55:37 +10:00
Steven Moreland
0ae9148a35 statsd: allow misctl property
For detecting 16 KB issues.

Bug: 332406754
Test: build
Change-Id: I27f7044133dad54b91bbab5911b05a6cc254be36
2024-05-14 20:31:11 +00:00
Alan Stokes
8b80dacadc Suppress denials for odsign console
When odsign spawns compos_verify it has our stdin/out connected to its
console. But none of the VM processes use stdin/out at all; they log
to logcat instead.

So instead of allowing the access (which immediately leads to the same
denials in virtualizationmanager), just suppress the audit logs.

Bug: 293259827
Test: Exercise isolated compilation successfully with no denials seen.
Change-Id: I454bb2fe106b656a9695511cbf09350402b30bdd
2024-05-14 17:07:35 +01:00
Thiébaud Weksteen
70cf2cd6e3 Collect test names in sepolicy_tests.py
Some entries in Tests were not matching their actual function (e.g.,
TestSystemTypeViolators instead of TestSystemTypeViolations).
Automatically generate the list of tests, based on the 'Test' prefix in
their name.

Test: sepolicy_tests -h
Change-Id: I1865e24c6cc1bfe15f633263897ea7530140c41d
2024-05-14 13:42:13 +10:00
Yakun Xu
c5f8e959d3 Thread: allow ot-rcp to bind a specific netif
This commit adds necessary permissions for ot-rcp to bind
to a network interface specified by its address or name.

Test: presubmit
Bug: 329188649
Change-Id: I6731df79c04eeeb2c39017b99b9c2acf315256e2
2024-05-09 17:05:04 +08:00
Treehugger Robot
fff886e374 Merge "Allow mounting and unmounting functionfs." into main 2024-05-09 08:46:08 +00:00
Jiakai Zhang
be2e719598 Allow mounting and unmounting functionfs.
Pixel has /dev/usb-ffs/adb, /dev/usb-ffs/mtp, and /dev/usb-ffs/ptp in
type functionfs.

Bug: 311377497
Change-Id: Id9388a0d420c712962804f6441c86cfb3c4e9e62
Test: adb shell cmd jobscheduler run android 27873781
2024-05-09 04:03:18 +00:00
Nate Jiang
229807f032 Change WifiScanner from system_api_service to app_api_service
This will allow the CTS get the WifiScanner to test. Also WifiScanner is
a system API and all APIs are protected by the priviliged permissions.

Bug: 339527374
Test: CtsWifiTestCases

Change-Id: Ic06a5804fa81a952e9e8792e93df489a9d47d521
2024-05-09 00:13:26 +00:00
Devin Moore
ba99b14c5c Merge "Allow crash_dump to read misctrl properties" into main 2024-05-07 19:55:51 +00:00
Eric Laurent
df665c694b Allow native audio server to access the virtual device manager service
This is needed when accessing SensorManager since commit 71db5f82

Bug: 336860810
Test: make
Ignore-AOSP-First: needed on internal branch first
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:caad49e71d927e021575c3051d7d10ff7917e09c)
Merged-In: I303c6e3418ca5179c615c2c643fdf9783d323c78
Change-Id: I303c6e3418ca5179c615c2c643fdf9783d323c78
2024-05-07 00:21:30 +00:00
Devin Moore
49a4a06264 Allow crash_dump to read misctrl properties
This is used to determine if the device has been in 16k page size mode
to help debug issues with that.

Test: debuggerd_test with ro.misctl.16kb_before="1"
Bug: 335247092
Change-Id: I7b5fcd39cc5b3247d866814fbcf53299d68846c2
2024-05-06 15:40:12 +00:00
Maciej Żenczykowski
28960d319a allow non bpfloader creation of bpf maps
In practice only bpf programs are critical to device security...

Normally there is basically no use for creating bpf maps outside
of the bpfloader, since they have to be tied directly into the bpf
programs (which is only ever done by the bpfloader during the boot
process) to be of any use.

This means that bpf maps created after the bpfloader is done,
can't actually be used by any bpf code...

Hence we had this restriction.

However, map-in-map support changes this:

It becomes possible to define a boot-time (bpfloader loaded)
bpf program which accesses an (initially empty) outer map
(created by the bpfloader).

This outer map can be populated with inner maps at run time by various
bpf using userspace code.  While it can be populated with bpfloader
created 'static' maps, it also makes sense to be able to create/destroy
these inner maps on demand 'dynamically'.

This allows bpf map memory utilization to be driven by actual runtime
device needs.  For example scaling with the number of users, apps,
or connected networks.

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I93223c660463596c9e50065be819e2fd865da923
2024-05-04 11:02:13 +00:00
Treehugger Robot
18eb855a0f Merge "Use no_full_install: true instead of installable: false" into main 2024-05-04 00:04:03 +00:00
Treehugger Robot
07dc4933ac Merge "Add policies for hal_codec2" into main 2024-05-03 17:20:45 +00:00
Treehugger Robot
c567076228 Merge "Add some new classes and access vectors" into main 2024-05-03 12:19:14 +00:00
Inseob Kim
93da5387e8 Merge "Move prebuilt_sepolicy_cts_data to system/sepolicy" into main 2024-05-03 01:47:42 +00:00
Dennis Shen
2ae5d42a79 Merge "selinux: allow system server access aconfigd socket" into main 2024-05-02 23:49:25 +00:00
Kalesh Singh
5f805d057e Merge "sepolicy: Add rules for /sys/kernel/mm/pgsize_migration/enabled" into main 2024-05-02 19:38:08 +00:00
Kalesh Singh
3a4c68dd83 sepolicy: Add rules for /sys/kernel/mm/pgsize_migration/enabled
The dynamic linker needs to read this node to determine how it should
load ELF files.

Allow the node to be enabled/disabled by init.

Bug: 330117029
Bug: 327600007
Bug: 330767927
Bug: 328266487
Bug: 329803029
Test: Free Fire Chaos App launches
Test: no avc deined in logcat
Change-Id: I2b35d6aebe39bf3e1e7489b47f23a817e477ef72
2024-05-02 19:34:36 +00:00
Pawan Wagh
c9b15f596b Merge "Allow system app and update_engine to read OTA from /vendor" into main 2024-05-02 19:28:44 +00:00
Dennis Shen
62f4363b39 selinux: allow system server access aconfigd socket
During storage migration, we need to route aconfig flag write requests
from settingsprovider to aconfig storage daemon via aconfigd unix domain
socket.

Bug: b/312444587
Test: m and avd
Change-Id: I051d1ed42bf51f2ebd90cbd590237cd9213f0bde
2024-05-02 18:20:25 +00:00
Alan Stokes
86a85c4e77 Add some new classes and access vectors
These have been added to the kernel and to Android sepolicy, but not
yet here. This doesn't make much difference, but it does avoid some
(harmless) warnings at policy load time.

While I'm here, remove some userspace classes which don't exist in
Microdroid and probably never will.

Bug: 215093641
Test: Policy still builds; TH
Change-Id: Id2f778919e492162c1a7d77822d74d7978522118
2024-05-02 14:03:29 +01:00
Inseob Kim
6faaf139a7 Move prebuilt_sepolicy_cts_data to system/sepolicy
This is a no-op now but it will make vintf finalization easier because
we'll only need system/sepolicy changes.

Bug: 337978860
Test: atest CtsSecurityHostTestCases
Change-Id: I242dcad7511e7c880b1e5434ba3de622f56bc1b3
2024-05-02 17:40:00 +09:00
Sungtak Lee
8eed41c1aa Add policies for hal_codec2
Allow hal_codec2_server to read fifo_file from hal_codec2_client
Allow hal_codec2_client to find surfaceflinger_service:service_manager.

Bug: 337356582
Test: atest CtsMediaTranscodingTestCases
Change-Id: I76b2ca7d3caf7909d9d6df424eb5f68b1a0a6f03
2024-05-02 08:22:57 +00:00
Pawan Wagh
b071882d76 Allow system app and update_engine to read OTA from /vendor
Introuducing vendor_boot_ota_file which will be used to allow
reading OTAs from /vendor/boot_otas when BOARD_16K_OTA_MOVE_VENDOR := true
is set. These OTAs will be read from settings app(system_app) and update
engine.

Test: m, m Settings && adb install -r $ANDROID_PRODUCT_OUT/system_ext/priv-app/Settings/Settings.apk
Bug: 335022191
Change-Id: Ie42e0de12694ed74f9a98cd115f72d207f67c834
2024-05-02 01:14:47 +00:00
Ellen Arteca
c1508ec794 Add read permission to storage_area_keys to installd
Installd needs the read permission on storage area
key directories. This only comes up in testing when the tests
are rerun on the same device.

Bug: 325129836
Test: atest StorageAreaTest
Change-Id: I74c776c52d66492552aaf8b61c7591fb19194f7a
2024-05-01 17:49:26 +00:00
Jiyong Park
2fcfc6f190 Use no_full_install: true instead of installable: false
So far, we have used `instalable: false` to avoid collision with the
other modules that are installed to the same path. A typical example was
<foo> and <foo>.microdroid. The latter is a modified version of the
former for the inclusion of the microdroid image. They however both have
the same instalation path (ex: system/bin) and stem (ex: foo) so that we
can reference them using the same path regardless of whether we are in
Android or microdroid.

However, the use of `installable: false` for the purpose is actually
incorrect, because `installable: false` also means, obviously, "this
module shouldn't be installed". The only reason this incorrect way has
worked is simply because packaging modules (ex: android_filesystem)
didn't respect the property when gathering the modules.

As packaging modules are now fixed to respect `installable: false`, we
need a correct way of avoiding the collision. `no_full_install: true` is
it.

If a module has this property set to true, it is never installed to the
full instal path like out/target/product/<partition>/... It can be
installed only via packaging modules.

Bug: 338160898
Test: m
Change-Id: I267031c68f2157a679a1fceb3ae684bb7580c77c
2024-05-01 21:14:22 +09:00
Treehugger Robot
77a8ac9ab4 Merge "Allow shell read access to cgroup state" into main 2024-04-30 20:54:07 +00:00
Ellen Arteca
7dd36bbb29 Merge "Add SELinux policy for storage areas" into main 2024-04-30 20:32:53 +00:00
Ellen Arteca
27b515e70a Add SELinux policy for storage areas
We are adding the ability for apps to create "storage areas", which are
transparently encrypted directories that can only be opened when the
device is unlocked.
This CL makes the required SELinux policy changes.

First, assign the type "system_userdir_file" to the new top-level
directory /data/storage_area (non-recursively).  This is the same type
used by the other top-level directories containing app data, such as
/data/user, and it restricts access to the directory in the desired way.

Second, add new types to represent an app's directory of storage areas,
the storage areas themselves, and their contents:
`storage_area_app_dir`, `storage_area_dir`, and
`storage_area_content_file` respectively.
All are `app_data_file_type`s.
The directory structure and their associated labels is as follows (note
 that they also all get the categories of the user+package):
/data/storage_area/userId/pkgName
		storage_area_app_dir
/data/storage_area/userId/pkgName/storageAreaName
		storage_area_dir
/data/storage_area/userId/pkgName/storageAreaName/myFile.txt
		storage_area_content_file
/data/storage_area/userId/pkgName/storageAreaName/mySubDir
		storage_area_content_file

These new types allow us to restrict how and which processes interact
with storage areas.
The new type for the contents of storage areas allows us to add new,
desirable restrictions that we cannot add to the more general
`app_data_file` type in order to maintain backwards-compatibility,
e.g., we block apps from executing any files in their storage areas.

Third, allow:
-- vold_prepare_subdirs to create and delete
storage areas on behalf of apps, and assign them the SElinux type
`storage_area_dir`
i.e. create directories
/data/storage_area/$userId/$pkgName/$storageAreaName
-- vold to assign encryption policies to storage area directories
-- installd to create an app's directory of storage areas on app
install, and delete them on app uninstall, and assign them the SElinux
type `storage_area_app_dir`,
i.e. directories /data/storage_area/$userId/$pkgName

We also add a new SELinux type to represent the storage area encryption
keys: `storage_area_key_file`.
The keys are created by vold on storage area creation, and deleted
either by vold if an app calls
the `deleteStorageArea` API function explicitly, or by installd on
app uninstall.
These keys are stored in `/data/misc_ce/$userId/storage_area_keys`,
and only installd and vold have access to them.

Bug: 325121608
Test: atest StorageAreaTest
Change-Id: I74805d249f59226fc6963693f682c70949bfad93
2024-04-30 20:26:55 +00:00
Suren Baghdasaryan
32342bf854 Merge "lmkd: Add ro.lmkd.lowmem_min_oom_score property policies" into main 2024-04-30 20:08:35 +00:00
Suren Baghdasaryan
5c5ff28912 lmkd: Add ro.lmkd.lowmem_min_oom_score property policies
Add policies to control ro.lmkd.lowmem_min_oom_score lmkd property.

Test: m
Bug: 334867461
Change-Id: I6a84d2d045fee431173374aab174e50f493e1858
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2024-04-30 11:40:12 -07:00
Treehugger Robot
e7bdf818fc Merge "Allow shell read access to MGLRU state" into main 2024-04-30 16:34:04 +00:00
T.J. Mercier
716260ac6b Allow shell read access to cgroup state
at /proc/cgroups.

Test: adb shell cat /proc/cgroups
Bug: 335278695
Change-Id: I52773c63200a2a048a4c5497c338ddcbe0f23593
2024-04-29 14:59:03 +00:00