This defines the kcmdline_prop context for properties controlled by
kcmdlinectrl, and defines a property called kcmdline.binder for
switching between the Rust and C implementations of the Binder driver.
It is intended that additional kcmdline properties introduced in the
future would share the same kcmdline_prop context.
Test: Verified that setprop/getprop work and that the value is loaded properly at boot
Bug: 326222756
Change-Id: Iea362df98d729ee110b6058c6e5fa6b6ace03d8e
Create a new folder for connectivity blobs, to be used by
ConnectivityBlobStore for VPN and WIFI to replace legacy
keystore.
System server will need permissions to manage databases in the
folder and system server will create the folder in init.rc.
Bug: 307903113
Test: checkfc -t private/file_contexts contexts/plat_file_contexts_test
Test: build and manual test.
Change-Id: Ib51632af9624d8c3ebf2f752547e162a3fbbb1b0
policy
system, system_ext, product and vendor partitions have aconfig storage
files under /<partition>/etc/aconfig dir. need to grant access to
aconfigd.
Bug: b/312459182
Test: m and tested with AVD
Change-Id: I9750c24ffa26994e4f5deadd9d772e31211a446a
debug/eng builds.
This change is to allow SystemUI, a platform_app, to start, stop,
and share Perfetto/Winscope traces.
Bug: 305049544
Test: Verified everything works on my local device.
Change-Id: I8fc35a5a570c2199cfdd95418a6caf0c48111c46
This is causing denials in case the fence fd comes from
graphic composer.
Bug: 301023410
Test: atest CtsCameraTestCases with test virtual camera enabled
Change-Id: I14cb26c058342470aa2dc214ab47cc61aa2f3255
The tracing filesystem used to be mounted on /sys/kernel/debug/tracing,
but is nowaways available at /sys/kernel/tracing.
Since debugfs itself is no longer mounted on release devices, there is
no need for rules that relax specific .../debug/tracing/... files to be
available on release devices. Leave them as debugfs_tracing_debug.
Not touching other labels such as debugfs_tracing_printk_formats in case
there are debug-only tools that grant themselves access to just that
label. Might revisit those in a different patch.
Bug: 303590268
Change-Id: Ic234c73ac7256117179c4b3eb35da0eac9a50eaa
This is a tracing control file that userspace can read/write an ascii
number (e.g. "50"). In turn, it controls the behaviour of blocking
read(), splice(), and poll() on the tracing kernel ring buffer fds.
A blocked syscall will only be woken up once the kernel fills the buffer
past the "buffer_percent" watermark (so 50% -> half-full).
We'll be using this file in perfetto's traced_probes, but it should also
be safe to expose to other users of the tracing file system (aka
debugfs_tracing in sepolicy) on release builds.
Added to linux in:
https://android.googlesource.com/kernel/common/+/03329f99
Change-Id: Ifcdc73cb0162e8cdadf2e7c16b0215410134ccae
This new property is to set an apex name when input configuration files
are bundled in an apex.
libinput checks the new sysprop when loading input configuration.
This removes hard-coded apex name (com.android.input.config).
Bug: 315080500
Test: adb shell dumpsys input
# set "touch.orientationAware = 0" in Touchscreen_0.idc
# build/install the input config apex
# Observe the Input configuration
# "Touch Input Mapper" shows "OrientationAware: false"
Change-Id: Ie0bf30bff2ed7f983caa5b893994a5bd2759e192
The default policy for the "lockdown" access vector on Android was
introduced in commit bcfca1a6. While the "confidentiality" permission
was granted to all processes, the "integrity" was marked as
neverallowed.
Upstream, the support for that access vector was removed from kernel
5.16 onwards.
It was found that the "integrity" permission either does not apply to
Android or duplicates other access control (e.g., capabilities
sys_admin).
Instead of simply removing the neverallow rule, the access is granted to
all processes. This will prevent the proliferation of references to this
access vector in vendors' policies and ultimately facilitate its
removal.
Test: presubmit
Bug: 285443587
Bug: 269377822
Bug: 319390252
Change-Id: If2ad34fbbf2c0d29ac54ab5d1be430623f86f1f7
misctrl can set properties which can be injected into
bugreports.
Limit visibility of these properties so that no device
code can branch based off these properties.
Bug: 317262681
Test: bugreport
Change-Id: I74f6f240b08b2681540bca262dcc76bcdca9cdad
Give perfetto rw dir and create file permissions for new directory.
Give system server control to read, write, search, unlink files from new directory.
Test: locally ensure traces can be written by perfetto and accessed and deleted by system server
Bug: 293957254
Change-Id: Id015429b48ffffb73e7a71addddd48a22e4740bf
This reverts commit 7ee66a0391.
Reason for revert: The change is supposed to be a noop, trying it as a separate CL now
Change-Id: I0a1befb0015f39596423da7049040de6be18db65
This is an AIDL service exposed by Virtualization Service to system
server (VirtualizationSystemService).
The implementation is Rust so no fuzzer is required.
I've put this behind the flag on general principle.
Bug: 294177871
Test: atest MicrodroidTests
Change-Id: Ia867fe27fb2e76d9688e4ba650ebf7b3f51ee597
Bootanimation only access boot animation files on oem. Label
these files with bootanim_oem_file and remove oemfs file allow rule.
Also allow mediaserver and app to read this new label as they can access
/oem/media folder.
Bug: 324437684
Test: Confirm that boot animation on oem is shown without violations
Change-Id: I940ccde9391a5daa920f31926d32e68b1de5b7eb
Allow device-specific domains to access stats_service. All access must
be done over proper APIs (StatsManager, AStatsManager) instead of
accessing the AIDL interfaces directly.
Test: build
Bug: 318788254
Change-Id: I98ddc1900350daf755372be7249f25a462e3242d
This property is used by libaudiohal@aidl to detect whether
the system_ext partition provides an instance of
IHalAdapterVendorExtension. This is a "system internal"
property because it belongs to `system_ext`.
Bug: 323989070
Test: atest audiorouting_test
Ignore-AOSP-First: coupled with Pixel change, will upstream
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:17406cd0a723cb89a03705709ec78d37b3d66042)
Merged-In: I81267da070958a70f2f3c4882718cac4600e3476
Change-Id: I81267da070958a70f2f3c4882718cac4600e3476
1, /metadata/aconfig is the directory that stores aconfig storage
related protobuf files and flag value files boot copy. Grant read
access to everybody. But limit the write access only to init and
aconfig storage service process (to be created later)
2, /metadata/aconfig/flags is the sub directory that stores persistent
aconfig value files.Initially set it up to be accessible by
system_server process only . When aconfig storage service process is
created, will add another permission to storage service process.
Context to why we are hosting flag data on /metadata partition:
Android is adopting trunk stable workflow, flagging and A/B testing is
essential to every platform component. We need some place to host the
flag that are accessible to system processes that starts before /data
partition becomes available.
In addition, there has been a long discussion regarding utilizing
/metadata partition for some process data, another example is mainline
modules, we are trying to make them to be able to be mounted earlier,
but cannot due to /data availability.
Bug: 312444587
Test: m
Change-Id: I7e7dae5cf8c4268d71229c770af31b5e9f071428
Resources now cache open idmap fds to speed up the up-to-date
checks, and this requires zygote processes to be able to access
them
Bug: 282215580
Test: atest android.text.cts.EmojiTest
Change-Id: I808be8a5d321a01193e7f76e316f5f64d4235753
For testing purpose, now we need to use microdroid vendor image for the
production due to vendor hashtree digest value comes from the
bootloader. In the past, we've used distinguished image file for testing
purpose, but we can't now.
Bug: 323768068
Test: atest MicrodroidTests#bootsWithVendorPartition
Test: atest MicrodroidBenchmarks#testMicrodroidDebugBootTime_withVendorPartition
Change-Id: Ic58e51466da0273cf27219d9228f33000e0ecb88
This includes rules for starting Perfetto as well as rules for
communicating over stdio between Perfetto and system_server.
Bug: 293957254
Test: Presubmit & tested in conjunction with internal change
Change-Id: I7e4c044a6a2afb48c33d65cc421e797d77aacc12
Add policies to control ro.lmkd.direct_reclaim_threshold_ms lmkd property.
Test: m
Bug: 244232958
Change-Id: Ic2438a17569ef12925c45ee2f15a05449c77f205
Signed-off-by: Carlos Galo <carlosgalo@google.com>
Bug: 311377497
Test: manual - Call
getDexoptChrootSetupServiceRegisterer().waitForService()
Test: manual - Set up a chroot environment and call
getArtdPreRebootServiceRegisterer().waitForService()
Change-Id: I50b5f7f858dab37f05174cb9787f64303d50d083
ro.llndk.api_level is included in system/build.prop.
It must have the system build_prop context instead of the vendor prop.
Bug: 312098788
Test: TH
Change-Id: I223ae2cd56490a2cfd6f6454ad685d23d90d9329
Open up CAP_SYS_NICE policies so that crosvm can adjust uclamp on its
vCPU threads to provide a boost in performance.
Bug: 322197421
Test: Booted device and processes that checked that the correct
capabilites are given with no sepolicy denials.
Change-Id: I089bf26caf862c32e85440575800bb095bb9087b
Signed-off-by: David Dai <davidai@google.com>
This is used for mapper sphal library which is defined in VINTF and
queried via servicemanager.
Bug: 317178925
Test: cuttlefish loads mapper.minigbm
Change-Id: Ibddc0239e52065a89c656f885f34835406665009
Memhealth driver has been removed from all android kernels.
Test: m
Bug: 315560026
Change-Id: Ia4f91bde3a999a490b42b57abcd521ff9cc94633
Signed-off-by: Carlos Galo <carlosgalo@google.com>
Revert submission 2929484-fix-b-321651892-ihaladapter
Reason for revert: possible cause of b/323385784
Reverted changes: /q/submissionid:2929484-fix-b-321651892-ihaladapter
Change-Id: I9664f8f9dd6eec159be7fbf3b148a12d44cef582
When running a VM from a root shell (e.g. via vm_shell), we see
frequent ipc_lock denials:
avc: denied { ipc_lock } for comm="crosvm" capability=14
scontext=u:r:crosvm:s0 tcontext=u:r:crosvm:s0 tclass=capability
permissive=0
These don't appear for non-root crosvm, and don't prevent the VM from
working. Suppress them to reduce log spam.
Test: Run vm_shell
Change-Id: I3b68ca9e3f15709a1f0fce285ba8916419ee82e8
Although /proc/device-tree is symlink to /sys/firmware/devicetree/base,
/proc/device-tree is the stable API but the absolute path may be
changed in the future.
Bug: 322465386
Test: atest CustomPvmfwHostTestCases
Change-Id: I81cbe8a4dddbac97e4fb94e6684d2a91127f3378
Restricting that properties can only be written by platform and module.
It will be read and written from init and sytem_server.
Bug: b/289203818
Test: m
Change-Id: Ie6b44d1222ec1a9fbfc9b90e0455588f9defe848
Legacy VPNs are removed, including the usage of mtpd/pppd.
Only the type ppp and mtp remain as there are usages elsewhere.
Bug: 161776767
Test: m, presubmit
Change-Id: I556b0daa55f9ea7bf844f6a52d10dda02e324ee0
This service is used by the audio server for translating
between legacy string KV pairs and AIDL vendor parameters.
It resides on the system_ext partition.
Since it has to be implemented by every SoC vendor, provide
an example implementation. This example service is added
to CF and GSI system_ext. Vendors can use their own names
and policy labels, the only thing that the audio server
depends on is the AIDL interface.
There is no fuzzer for this service because the example
implementation only contains trivial code (interface
methods are stubbed out).
Bug: 321651892
Test: atest audiorouting_tests
Change-Id: I8ab922660a30ffd44772987204ac4a28c1007c66
crosvm calls mlock. It used to need this capability, but now we remove
the rlimit (in Virtualization Manager via Virtualization Service) so
it no longer needs it and in fact is no longer granted it.
(This was previously removed in
commit 88f98d96da, but accidentally
re-introduced in commit 88f98d96dae3fb2616e93969685cbd737c364a0f.)
Bug: 322197421
Test: atest MicrodroidTests
Change-Id: I091170d0cb9b5617584b687e7f24cff153e06c85
EnhancedConfirmationService is a new SystemService.
These changes are required before the service will boot.
Bug: 321053639
Change-Id: I15a4004ca57deb5c6f8757913c1894ba0ced399d
On Android, unix sockets are located in /dev/socket/ and managed by
init. This commit follows the convention for ot-daemon
Bug: 320451788
Test: verified that ot-daemon can create socket
/dev/socket/ot-daemon/thread-wpan.sock
Change-Id: I6b0fe45602bb54d6d482f5be46ddb5402bea477b
This is needed to allow vendor xt_bpf programs.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I7ff8a0319bec2f3a57c7ce48939b13b2fca182de
NFC stack is becoming an unbundled apex which embeds the existing NFC
APK. Unbundling requires the apex & apk to be signed by non-platform
certificates, hence adding new seapp_contexts rule for the NFC stack.
The old rule is also left behing to support `-next` config builds where
we are still using the platform signed NFC APK.
Ignore-AOSP-First: All of the NFC mainline work is only present in
internal master. Will cherry-pick this CL once we cherry-pick all its
dependencies.
Bug: 320583956
Test: Bootup test with signed NFC APK (within NFC apex)
Merged-In: I1d4d6370cce558c8dcc0ec73a7ce47c2b5495a33
Change-Id: I1d4d6370cce558c8dcc0ec73a7ce47c2b5495a33
There will not be separate private/public BPF directories. All BPFs will
be under a uprobestats/ directory.
Bug: 296108553
Test: m selinux_policy
Change-Id: I00934cb14ead44c457ccee6957763dc01370dac6
This CL adds sepolicy for the system property
threadnetwork.country_code. This system property
is set by init and be read by the ThreadNetworkService.
Bug: b/309357909
Test: Configure the system property in ini.product.rc and
check the configured country code via the command
`dumpsys thread_network`.
Change-Id: I6f067ced24842755f2c5519169ba9a94df17829f
Allow system_app to call update engine and update engine
to call callback registered by system app.
Test: m Settings && adb install -r
$ANDROID_PRODUCT_OUT/system_ext/priv-app/Settings/Settings.apk,
Update using 16k dev option.
Bug: 295573133
Change-Id: Ice7e75f86283637ad67a675682ecd0d27038d9e7
Add initial sepolicy for suspend.debug.wakestats_log.enabled
Allow set from init
Allow read by system suspend
Bug: 301657457
Test: manual
Change-Id: I1123e169d69eadb909ed474c0c246a8a45eab2f0
Signed-off-by: Radu Solea <radusolea@google.com>
This commit includes two sepolicy changes:
1. change threadnetwork data file to
/data/misc/apexdata/com.android.tethering/threadnetwork
2. use apex_tethering_data_file for files under
/data/misc/apexdata/com.android.tethering
The background is that the Thread daemon (ot_daemon) is merged into the
Tethering mainline module, which means the the Tehtering module now has
code running in both system_server and the standalone unprivileged
ot_daemon process. To prevent ot_daemon from accessing other
apex_system_server_data_file dirs, here use the specific
apex_tethering_data_file for both Tethering and Thread files (A
subdirectory threadnetwork/ will be created for Thread at runtime). This
is similar to apex_art_data_file and apex_virt_data_file.
Note that a file_contexts rule like
```
/data/misc/apexdata/com\.android\.tethering/threadnetwork(/.*)? u:object_r:apex_threadnetwork_data_file:s0
```
won't work because the threadnetwork/ subdir doesn't exist before the
sepolicy rules are evaluated.
Bug: 309932508
Test: manually verified that Thread settings file can be written to
/data/misc/apexdata/com.android.tethering/threadnetwork
Change-Id: I66539865ef388115c8e9b388b43291d8faf1f384
As virtualizationmanager holds references to IBoundDevice returned by
vfio_handler, virtualizationmanager should also have permission to
binder_call.
Bug: 278008519
Test: boot microdroid with assigned devices
Change-Id: I7b87de099b0731c386666cec215807dc39d8c89c
Post OTA reboot, snapshot-merge threads will be run in the background cgroup so that they don't run on big cores. Hence, use SetTaskProfiles() API to move the thread to the relavant cgroup.
When setting SetTaskProfile API, /dev/cpuset/background/tasks path
is accessed which requires process to be in system group.
Use setgid to move the task to system group.
Bug: 311233916
Test: OTA on Pixel 6 - Verify that merge threads are not run on big
cores
Change-Id: Ie4921910985292b0b05f4ffc70b0d08ad9e4a662
Signed-off-by: Akilesh Kailash <akailash@google.com>
codecs.
This is required to allow Surface originating from
virtual_camera to be used by mediaserver & writen
to by codecs(for example to decode video into the
surface usign MediaPlayer).
Bug: 301023410
Test: Virtual Camera Test app
Change-Id: I2cac88accd4e1777f6c441c012cd0d36579a55e5
Use our standard macro for granting all the necessary permissions
instead of copying a part of it.
Add ioctl access for all clients for Unix stream sockets & pipes; this
allows them to be used for stdin/stdout without triggering
denials. (Only unpriv_sock_ioctls can be used.)
Together this allows a root shell to use `vm run` without getting
spurious denials such as:
avc: denied { ioctl } for comm="crosvm" path="socket:[835168]"
dev="sockfs" ino=835168 ioctlcmd=0x5401 scontext=u:r:crosvm:s0
tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=0
Bug: 316048644
Test: adb root, adb shell /apex/com.android.virt/bin/vm run-microdroid
Test: atest MicrodroidTests
Change-Id: Ib5186c70714e295a770896cf8b628384f410b94d
Allow r_file_perms rather than just open+read, mainly because I saw
this denial:
avc: denied { getattr } for comm="binder:11247_2"
path="/sys/firmware/devicetree/base/avf/guest/common/log"
dev="sysfs" ino=16469 scontext=u:r:virtualizationmanager:s0
tcontext=u:object_r:sysfs_dt_avf:s0 tclass=file permissive=0
Also refactor slightly in microdroid_manager.te.
Test: TH
Change-Id: If2963441b3490a502c293c7a7cdd204d9db7d48a
This prop is read in its .rc file to stop the service. Otherwise,
evertyime the service exits, it is restarted.
We don't want it to be `oneshot` because under normal operation, it
should be restarted if it exits/crashes.
Test: remove kTempHidlSupport && m && launch_cvd
Bug: 218588089
Change-Id: I9a4c61778c244a08ff753689604e79168058dd4c
Being a system_api_service prevents non-privileged apps from getting a reference to WearableSensingManager via Context#getSystemService (it returns null). CTS tests are run as non-privileged apps, so we need this change to properly test the API.
The API methods are protected by a signature|privileged permission. CTS tests can gain this permission by adopting the Shell's permission identity, but it can't get around the SELinux policy.
wearable_sensing_service is mostly modelled after ambient_context_service, which is an app_api_service, so we believe this change is fine from a security's perspective.
Test: A CTS test can get a WearableSensingManager via Context#getSystemService after this change.
Change-Id: I9d854353f48ff7b3fa5a07527bee0bcc83cb6236
/tmp is a volatile temporary storage location for the shell user.
As with /data/local/tmp, it is owned by shell:shell and is chmod 771.
Bug: 311263616
Change-Id: Ice0229d937989b097971d9db434d5589ac2da99a
