These neverallow rules are to prevent properties from crossing treble
boundary. As attributes like internal / restricted / public has been
landed, the neverallow rules are changed to use attributes to avoid
endless manual maintaining of the list.
Bug: 148181222
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0ba930f6c78852e785858fb069faf4f984643e34
pmem uses a block file while access_ramoops uses a char file. Allow both for
now until we can unify on pmem.
Additionally allow the reading of vendor properties so it can read the
path to the character or block device to open.
Test: atest VtsHalRebootEscrowTargetTest
Bug: 146400078
Change-Id: Ief61534e0946480a01c635ce1672579959ec8db5
Bug: 140788621
This adds keys for several planned binder caches in the system server
and in the bluetooth server. The actual cache code is not in this
tree.
Test: created a test build that contains the actual cache code and ran
some system tests. Verified that no protection issues were seen.
Change-Id: Ibaccb0c0ff8b127d14cf769ea4156f7d8b024bc1
Written exclusively by init. Made it readable by shell for CTS, and for
easier platform debugging.
Bug: 137092007
Change-Id: Ia5b056117502c272bc7169661069d0c8020695e2
For vndk related properties, use vndk_prop context.
vndk_prop can be defined by 'init' and 'vendor_init', but free to
read by any processes.
Bug: 144534640
Test: check boot to see if the VNDK properties are readable
Change-Id: Ifa2bb0ce6c301ea2071e25ac4f7e569ea3ce5d83
The binder_cache_system_server_prop context allows any user to read the
property but only the system_server to write it. The only property with
this context is currently binder.cache_key.has_system_feature but users
will be added.
Bug: 140788621
Test: this was tested on an image with a binder cache implementation. No
permission issues were found. The implementation is not part of the current
commit.
Change-Id: I4c7c3ddf809ed947944408ffbbfc469d761a6043
This property type will be used for read-only userspace reboot related
properties that are used to configure userspace reboot behaviour, e.g.:
* timeout for userspace reboot watchdog;
* timeout for services to terminate;
* timeout for services to shutdown;
* etc.
Since all this configuration is device specific, vendor_init should be
able to set these properties.
Test: build/soong/soong_ui.bash \
--make-mode \
TARGET_PRODUCT=full \
TARGET_BUILD_VARIANT=eng \
droid \
dist DIST_DIR=/tmp/buildbot/dist_dirs/aosp-master-linux-full-eng/funwithprops \
checkbuild
Bug: 135984674
Bug: 147374477
Change-Id: I1f69980aea6020e788d5d2acaf24c0231939907c
The module is getting renamed, so rename all the policy
relating to it at the same time.
Bug: 137191822
Test: presubmit
Change-Id: Ia9d966ca9884ce068bd96cf5734e4a459158c85b
Merged-In: Ia9d966ca9884ce068bd96cf5734e4a459158c85b
(cherry picked from commit 6505573c36)
This had been settable by vendors up to and including Q release by
making config_prop avendor_init writeable. We don't allow this any
more. This should be a real vendor settable property now.
Bug: 143755062
Test: adb logcat -b all | grep cameraservice
Test: atest CtsCameraTestCases
Change-Id: Id583e899a906da8a8e8d71391ff2159a9510a630
This reverts commit f536a60407.
Reason for revert: Resubmit the CL with the fix in vendor_init.te
Bug: 144534640
Test: lunch sdk-userdebug; m sepolicy_tests
Change-Id: I47c589c071324d8f031a0f7ebdfa8188869681e9
Add a domain for derive_sdk which is allowed to set
persist.com.android.sdkext.sdk_info, readable by all
apps (but should only be read by the BCP).
Bug: 137191822
Test: run derive_sdk, getprop persist.com.android.sdkext.sdk_info
Change-Id: I389116f45faad11fa5baa8d617dda30fb9acec7a
ro.apk_verity.mode was introduced in P on crosshatch. This change
changes the label from default_prop to a new property, apk_verity_prop.
ro.apk_verity.mode is set by vendor_init per build.prop, in order to
honor Treble split. It is also read by system_server and installd
currently.
Test: verify functioning without denials in dmesg
Bug: 142494008
Bug: 144164497
Change-Id: I1f24513d79237091cf30025bb7ca63282e23c739
This reverts commit baa06ee2cd.
Reason for revert: Added missing property name in vendor_init.te.
Bug: none
Test: none (other than neverallow checking)
Change-Id: I9e93bf4ea6ca3a4634f8f4cbce2f13c5f410883b
By default sys.init.userspace_reboot.* properties are internal to
/system partition. Only exception is
sys.init.userspace_reboot.in_progress which signals to all native
services (including vendor ones) that userspace reboot is happening,
hence it should be a system_public_prop.
Only init should be allowed to set userspace reboot related properties.
Bug: 135984674
Test: builds
Test: adb reboot userspace
Change-Id: Ibb04965be2d5bf6e81b34569aaaa1014ff61e0d3
The property is set to inform kernel to do a warm_reset on the next
reboot. This is useful to persist the logs to debug device boot
failures. More details in http://go/rvc-ota-persist-logs.
The property is set to 1 by update_engine after an OTA. And it's set to
0 by update_verifier or vold after we mark the current slot boot
successful.
The property is read by vendor_init. And according to its value,
vendor_init writes a particular sysfs file to schedule a warm reset
on the following reboot.
Without the new context, the denial message says:
[ 13.423163] audit: type=1107 audit(1746393.166:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { read } for property=ota.warm_reset pid=0 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0'
[ 23.096497] init: Unable to set property 'OTA.warm_reset' from uid:0 gid:2001 pid:841: SELinux permission check failed
[ 23.096574] type=1107 audit(1573768000.668:42): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=OTA.warm_reset pid=841 uid=0 gid=2001 scontext=u:r:update_verifier:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=0'
[ 23.108430] update_verifier: Failed to reset the warm reset flag
Bug: 143489994
Test: check the property can be set by update_engine, and read by vendor_init
Change-Id: I87c12a53a138b72ecfed3ab6a4d846c20f5a8484
To support linker-specific property, sys.linker.* has been defined as
linker_prop. This will have get_prop access from domain so all binaries
can start with linker using proper property access level.
Bug: 138920271
Test: m -j && Confirmed from cuttlefish that get_prop errors are no longer found
Change-Id: Iaf584e0cbdd5bca3d5667e93cf9a6401e757a314
Used to restrict properties init.svc_debug_pid.*
Bug: 138114550
Test: getprop | grep init.svc_debug_pid only shows results on root
Change-Id: I0c10699deec4c548a2463a934e96b897ddee1678
/metadata/ota will store critical bits necessary to reify
system and vendor partition state during an OTA. It will be accessed
primarily by first-stage init, recovery/fastbootd, and update_engine.
Bug: 136678799
Test: manual test
Change-Id: Ib78cb96ac60ca11bb27d2b2fe011482e64ba0cf8
This property will be set by system_server (to indicate the currently
selected theme for device), and can be accessed by vendor init.rc.
avc: denied { read } for property=persist.sys.theme pid=0 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:theme_prop:s0 tclass=file
Bug: 113028175
Test: Set a vendor init trigger that waits on `persist.sys.theme`. Check
that the trigger fires without denial.
Change-Id: Ia85b1a8dfc118efdbb9337ca017c8fb7958dc386
Merged-In: Ibb4e392d5059b76059f36f7d11ba82cd65cbe970
(cherry picked from commit 75182a1ea6)
The bootstrap bionic (/system/lib/bootstrap/*) are only to the early
processes that are executed before the bionic libraries become available
via the runtime APEX. Allowing them to other processes is not needed and
sometimes causes a problem like b/123183824.
Bug: 123183824
Test: device boots to the UI
Test: atest CtsJniTestCases:android.jni.cts.JniStaticTest#test_linker_namespaces
Change-Id: Id7bba2e8ed1c9faf6aa85dbbdd89add04826b160
Property is NNAPI client-readable and writeable only by init/build.prop.
Bug: 129666983
Bug: 120483623
Test: flashed crosshatch/Cts tests for NNAPI
Change-Id: Ic4c0f176440610a2c54c078863f3d5382323cc65
These denials occur on boot when android_get_control_file also
changes from readlink() to realpath(), because realpath() will
lstat() the given path.
Some other domains (fastbootd, update_engine, etc.) also uses
libcutils to write to kernel log, where android_get_control_file()
is invoked, hence getattr is added to them as well.
04-28 06:15:22.290 618 618 I auditd : type=1400 audit(0.0:4): avc: denied { getattr } for comm="logd" path="/dev/kmsg" dev="tmpfs" ino=20917 scontext=u:r:logd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
03-20 19:52:23.431 900 900 I auditd : type=1400 audit(0.0:7): avc: denied { getattr } for comm="android.hardwar" path="/dev/kmsg" dev="tmpfs" ino=20917 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
...
03-20 22:40:42.316 1 1 W init : type=1400 audit(0.0:33): avc: denied { getattr } for path="/dev/kmsg" dev="tmpfs" ino=21999 scontext=u:r:init:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
Test: no denials related to these
Change-Id: I5263dd6b64c06fb092f3461858f57a1a09107429
This change allows those daemons of the audio and Bluetooth which
include HALs to access the bluetooth_audio_hal_prop. This property is
used to force disable the new BluetoothAudio HAL.
- persist.bluetooth.bluetooth_audio_hal.disabled
Bug: 128825244
Test: audio HAL can access the property
Change-Id: I87a8ba57cfbcd7d3e4548aa96bc915d0cc6b2b74
This is an area that apexd can use to store session metadata, which
won't be rolled back with filesystem checkpointing.
Bug: 126740531
Test: builds
Change-Id: I5abbc500dc1b92aa46830829be76e7a4381eef91
The device OS and an installed GSI will both attempt to write
authentication data to the same weaver slots. To prevent this, we can
use the /metadata partition (required for GSI support) to communicate
which slots are in use between OS images.
To do this we define a new /metadata/password_slots directory and define
sepolicy to allow system_server (see PasswordSlotManager) to access it.
Bug: 123716647
Test: no denials on crosshatch
Change-Id: I8e3679d332503b5fb8a8eb6455de068c22eba30b
Some runtime properties require reboots and should be in the
native_boot namespace instead of native.
Bug: 120794191
Bug: 123524494
Test: set a property and ensure it can be read in AndroidRuntime.cpp
Change-Id: I1d1e984dcba26dd04d34a7d30fc63e1b75a8a311
The convention for native properties is to use _native suffix.
Bug: 123524494
Bug: 120794191
Test: set a property and ensure it can be read in AndroidRuntime.cpp
Change-Id: I69feab9be78f24d812b8f953d3ec06a5d8d18f15
Bug: 120794191
Bug: 123524494
Test: set a property and ensure it can be read in AndroidRuntime.cpp
Change-Id: Ib37102f35e9987d3d9baff83c45571a5d632ad50
Whitelist the persistent system properties that will be used as
flags in activity manager experiments.
Bug: 120794810
Test: m, flash, test getting flag value in ActivityManagerService.java
Change-Id: I90a10bc87d6db3a64347b62fd02e6f0b12ac9fa8
For input experiments that are enabled at boot time, allow system_server
to read and write the device config flags.
Bug: 120794829
Test: presubmit
Change-Id: I0f075a7579c593d4e07c3e31be529e34554068a6
For experiment flag testing, we add a flag netd and have
SEPolicy updates.
Test: add sepolicy, m -j, check GetServerConfigurableFlag function in netd
Bug:122050512
Change-Id: I21c844c277afc358085d80447f16e4c0d4eba5b3
I added ro.bionic.(2nd_)?_(arch|cpu_variant) to vendor system
properties. And have init to write them to files under dev/.
This change set SELinux rules for these properties and files.
For the system properties: vendor/default.prop will set them. init will
read them.
For the files /dev/cpu_variant:.*: init will write them. bionic libc
will read them. (Basically world readable).
This is to allow libc select the right optimized routine at runtime.
Like memcpy / strcmp etc.
Test: getprop to make sure the properties are set.
Test: ls -laZ to make sure /dev/cpu_variant:.* are correctly labeled.
Change-Id: I41662493dce30eae6d41bf0985709045c44247d3
device_config_flags_health_check_prop is used for enabling/disabling
program flags_health_check which is executed during device booting.
"1" means enabling health check actions in flags_health_check, other
values mean flags_health_check will not perform any action.
Test: build succeeded & manual test
Change-Id: I93739dc5d155e057d72d08fd13097eb63c1193b5
This will be needed if vendors remove a label, as vendor_init would
need to relabel from it (which would be unlabeled) to the new label.
Test: Build policy.
Change-Id: Ieea0fcd7379da26b2864b971f7773ed61f413bb9