Currently system sepolicy can be extended via:
- BOARD_PLAT_PUBLIC_SEPOLICY_DIR
- BOARD_PLAT_PRIVATE_SEPOLICY_DIR
To support having a single shared core system sepolicy, those
customization should be moved to the newly added system_ext partition.
System-ext-specific sepolicy files will be installed into
/system_ext/etc/selinux/*. system_ext_sepolicy.cil is merged into
precompiled_sepolicy at build-time. In case precompiled_sepolicy can't
be used (e.g. system-only-ota), the init will merge this file with
the rest of the sepolicy at runtime.
Bug: 137712473
Test: boot aosp_crosshatch with system_ext_sepolicy.cil
Test: boot aosp_crosshatch without system_ext_sepolicy.cil
Change-Id: I53984e8a973eff15de0653916203020dbabe9c03
ro.crypto.fde_algorithm
ro.crypto.fde_sector_size
ro.crypto.volume.contents_mode
These properties were not added to sepolicy export2vold. vold can't access
crypto algorithm type when flashing a GSI image and when the properties are in
/vendor/build.prop. This prevents FDE from working.
Bug: 141518844
Change-Id: I234bda439f6be7a2211a194856baf75800396232
Signed-off-by: yuguoxu <yuguoxu@allwinnertech.corp-partner.google.com>
This is the flag for when sepolicy is split. Also removed other
commented-out heuristics around fake-treble. We should aim to remove it
entirely instead.
Fixes: 141348590
Test: build w/ and without adding binder_in_vendor_violators to a vendor
process (and see the expected error there)
Change-Id: I29fb335cc5b5d6e117d93038fe458b8c74acf321
To aid in debugging if there are failures.
Bug: 137267623
Test: add prints to boringssl_self_test and see them
Change-Id: I34b20225514898911b3f476d4517430433eb379e
The 'stdio_to_kmsg' option will print stdout and stderr to
kmsg_debug. This requires init to be able to open kmsg_debug.
Test: services with stdio_to_kmsg can print to kmsg_debug
Change-Id: I63f0af8f079f7327c1224aa9e46f19d6549d875b
This is part of a series of updates to bug_map across all of android
tree.
Bug: 141014771
Test: Generated a denial, verified that the bug id in the dmesg logs
remains unchanged.
Change-Id: I852e8ac38a162cc074232f15d919212548d485bf
applypatch (called by install_recovery) used to back up the source
partition to /cache when installing the recovery image on non-A/B
devices. The change from the same topic drops the backup behavior.
The access to /cache was also the reason for having dac_override_allowed
(applypatch runs as root:root, while /cache is owned by system:cache
with 0770).
Bug: 68319577
Test: Invoke the code that installs recovery image; check that recovery
is installed successfully without denials.
Change-Id: I0533ba82260d0adb23b328e6eef8bd6dda3d0439
This introduces some attributes that can be used to restrict access to
exported properties so that one can easily check from which the
properties can be accessed, and that OEMs can extend their own exported
properties.
Bug: 71814576
Bug: 131162102
Test: boot aosp_cf_x86_phone-userdebug
Test: logcat | grep "avc: "
Change-Id: I6f988ec1cb94fa64563ca6cb91b7702da5d604e3
Allow dumpsys to dump process information for bug reports.
Test: build
Test: adb bugreport
Bug: 140541614
Change-Id: Ia361e8c8de2cc5f798e746dffcf067393fd6bcae
This new apex is a VNDK APEX which is going to replace /system/lib/vndk
libraries.
Bug: 134357236
Bug: 139772411
Test: m com.android.vndk
Change-Id: I9bdda5bc7862917a196b894cc562e0351db76c52
The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
when init is executing other binaries. The use of LD_PRELOAD for init spawned
services is generally considered a no-no, as it injects libraries which the
binary was not expecting. This is especially problematic for APEXes. The use
of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
code into a process which wasn't expecting that code, with potentially
unexpected side effects.
Test: compiles
Bug: 140789528
Change-Id: Ia781ec7318e700cddfd52df97c504b771f413504
This reverts commit a9b718a1ed.
Reason for revert: No longer be necessary after
http://r.android.com/1120246 lands as this causes BoringSSL to only write
flag files if a particular environment variable is set, and this variable
will only be set for the self test binaries which have permission to
write to /dev/boringssl.
Bug: 140918050
Test: Manually observed audit log after change
Change-Id: I851f4aea991d91c67b64535829eea5b9594a3e2c
Bug: 136592946
Bug: 138261472
Test: Ran with the patch applied, confirmed surface flinger can access
the system property.
Change-Id: I259a488399c5e698de384322852ea81ea1a96e7d
Merged-In: I259a488399c5e698de384322852ea81ea1a96e7d
Binaries other than boringssl_self_test_exec are not allowed
to create marker files /dev/boringssl/selftest/[hash].
Right now, some processes still attempt to because:
- Some binaries run so early during early-init that
boringssl_self_test{32,64} hasn't had a chance to
run yet, so the marker file doesn't exist yet, so
the unprivileged process attempts to create it.
- Some binaries statically link libcrypto so their
[hash] is different from that used by
boringssl_self_test{32,64}.
There's some ongoing work to stop those binaries even
attempting to create the marker files but it's not a
big deal if they do. Similarly, there is ongoing work
to minimize or eliminate static linking of this library.
For now, this CL turns off audit logs for this behavior
since it is harmless (a cosmetic issue) and in order to
not hold up the bulk of the logic being submitted.
Bug: 137267623
Test: Treehugger
Change-Id: I3de664c5959efd130f761764fe63515795ea9b98
app_zygote used by for example Google Chrome needs access
to at least search /oem partition.
Google chrome version: 76.0.3809.132 is running in app_zygote
and the following access is blocked by selinux causing Chrome
to hang.
avc: denied { search } for pid=813 comm="d.chrome_zygote"
name="/" dev="sda42" ino=2 scontext=u:r:app_zygote:s0:c214,c256,c512,c768
tcontext=u:object_r:oemfs:s0 tclass=dir permissive=0 ppid=798
pcomm="d.chrome_zygote" pgid=798 pgcomm="d.chrome_zygote"
Change-Id: Idcce1a5ad1a8be3d7bd057c12ec477baa9669235
Give /data itself a different label to its contents, to ensure that
only init creates files and directories there.
This change originally landed as aosp/1106014 and was reverted in
aosp/1116238 to fix b/140402208. aosp/1116298 fixes the underlying
problem, and with that we can re-land this change.
Bug: 139190159
Bug: 140402208
Test: aosp boots, logs look good
Change-Id: I1a366c577a0fff307ca366a6844231bcf8afe3bf
Remove everyone's ability to read /proc/sys/vm/overcommit_memory.
Android's jemalloc implementation no longer uses this file.
init.te had multiple rules which allowed writing to this file. Get rid of
the duplicate rule.
Bug: 140736217
Test: compiles and boots
Test: bypass setup wizard and start the browser, browse the web
Change-Id: I5a2d5f450f5dde5dd55a0cedd7fbd55a6ac0beed
These properties should no longer be specified in the vendor rom.
Bug: 139883463
Test: manual
(cherry picked from commit 1f6eda4111)
Exempt-From-Owner-Approval: Cherry-pick from master
Merged-In: I510c917fa3c60dcbd3f104ebe619f34c69c821e6
Change-Id: I8b7cf03d7a2faceb03b83edcb47e831fbc8c8918
Include coredomain in initial definition of boringssl_self_test
rather than adding it later. This addresses an outstanding review
comment from http://r.android.com/1110523
Test: Treehugger
Bug: 137267623
Change-Id: I4e8d4e2e76b1c3a9b5a1f806e43e885b51cb7a60
Before this change, access to HALs from untrusted apps was prohibited
except for the whitelisted ones like the gralloc HAL, the renderscript
HAL, etc. As a result, any HAL that is added by partners can't be
accessed from apps. This sometimes is a big restriction for them when
they want to access their own HALs in the same-process HALs running in
apps. Although this is a vendor-to-vendor communication and thus is not
a Treble violation, that was not allowed because their HALs are not in
the whitelist in AOSP.
This change fixes the problem by doing the access control in the
opposite way; access to HALs are restricted only for the blacklisted
ones.
All the hwservice context that were not in the whitelist are now put
to blacklist.
This change also removes the neverallow rule for the binder access to
the halserverdomain types. This is not needed as the protected
hwservices living in the HAL processes are already not accessible; we
have a neverallow rule for preventing hwservice_manager from finding
those protected hwservices from untrusted apps.
Bug: 139645938
Test: m
Merged-In: I1e63c11143f56217eeec05e2288ae7c91e5fe585
(cherry picked from commit 580375c923)
Change-Id: I4e611091a315ca90e3c181f77dd6a5f61d3a6468
