I locked down binderfs in Android V (this release still), but
part of it was opened up too much, so transactions restricted
to userdebug.
transaction_log and failed_transaction_log are not used in AOSP,
but they are requested by partners.
Bug: 316970771 for transactions
Bug: 336711420 for request to open up transaction history logs
Test: boot, bugreport, also:
:) adb shell ls -Z /dev/binderfs/binder_logs
u:object_r:binderfs_logs_transaction_history:s0 failed_transaction_log
u:object_r:binderfs_logs_proc:s0 proc
u:object_r:binderfs_logs:s0 state
u:object_r:binderfs_logs_stats:s0 stats
u:object_r:binderfs_logs_transaction_history:s0 transaction_log
u:object_r:binderfs_logs_transactions:s0 transactions
:) adb shell cat /dev/binderfs/binder_logs/transaction_log
10058502: reply from 6450:8668 to 6766:6766 context binder node 0 handle -1 size 36:0 ret 0/0 l=0
10058503: call from 6766:6766 to 6450:0 context binder node 199747 handle 23 size 116:0 ret 0/0 l=0
10058504: reply from 6450:8668 to 6766:6766 context binder node 0 handle -1 size 12:0 ret 0/0 l=0
10058505: call from 6766:6766 to 6450:0 context binder node 199747 handle 23 size 84:0 ret 0/0 l=0
...
:) adb shell cat /dev/binderfs/binder_logs/failed_transaction_log
26418: reply from 584:1568 to 0:0 context binder node 0 handle -1 size 20:0 ret 29189/0 l=3194
57265: async from 2978:4304 to 3039:0 context binder node 40111 handle 6 size 96:0 ret 29189/-3 l=3465
57269: call from 4437:4613 to 670:0 context binder node 57183 handle 44 size 116:0 ret 29189/-3 l=3465
57288: async from 4252:4450 to 3039:0 context binder node 34895 handle 1 size 92:0 ret 29189/-3 l=3465
...
Change-Id: I73e570dee8e59e76acaf0def615701e0e85e207f
This will allow the CTS get the WifiScanner to test. Also WifiScanner is
a system API and all APIs are protected by the priviliged permissions.
Bug: 339527374
Test: CtsWifiTestCases
Change-Id: Ic06a5804fa81a952e9e8792e93df489a9d47d521
Introuducing vendor_boot_ota_file which will be used to allow
reading OTAs from /vendor/boot_otas when BOARD_16K_OTA_MOVE_VENDOR := true
is set. These OTAs will be read from settings app(system_app) and update
engine.
Test: m, m Settings && adb install -r $ANDROID_PRODUCT_OUT/system_ext/priv-app/Settings/Settings.apk
Bug: 335022191
Change-Id: Ie42e0de12694ed74f9a98cd115f72d207f67c834
To prevent these types from being released in 24Q3, which must be same
as 202404 release.
Bug: 330670954
Test: build
Change-Id: Ibb124fbb069f2025a572bc09c73c241f808676c3
This reverts commit 840041d5d2.
Reason for revert: 202404 prebuilts must not be changed since freeze.
Change-Id: I320fde8de611ad4ae1546f4ce754871a0646dcc4
This is for more information on binder threads during ANRs.
Test: adb shell am hang
Bug: 316970771
Change-Id: I905c8b605540aabb7463cb0e1b3a9a8b07f8d5cb
Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.
Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
<(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
Vendor_init needs to read this property to process event triggers
depending on ro.product.build.16k_page.enabled .
Test: th
Bug: 319335586
Change-Id: I4f52073fbd2a138d84162710c925f65cc705c356
- Add pm.dexopt.* properties.
- Add rules for running artd in chroot.
Bug: 311377497
Test: manual - Run Pre-reboot Dexopt and see no denial.
Change-Id: If5ff9b23e99be033f19ab257c90e0f52bf250ccf
While testing aconfig storage file read by a demo app. We discovered
the need to do metadata_file:dir search in logcat log.
Bug: b/312459182
Test: demo app start
Change-Id: I0872ff192280228cc2270ae4a04755bc5cfbd9cc
Allow camera server to switch the scheduling policy
for certain time critical threads.
Bug: 323292530
Test: Manual using camera application,
Camera CTS
Change-Id: Ib665009c095efc21f65b1d8b3ddd9c2528c1c794
Just allow aconfig_storage_metadata_file:file read permission is not
enough to read the pb file, we also need
aconfig_storage_metadata_file:dir search permission.
Bug: b/312459182
Test: audit2allow after having demo app access the file
Change-Id: I1790ea84a56e83f43313af82378f245e2bb6597e
LMKD needs to be able to attach BPF tracepoints. It needs to be able to
access tracefs, attach and run bpf programs.
Test: m
Test: Verified no denials with lmkd and libmemevents integration
Bug: 244232958
Change-Id: I57248b729c0f011937bec139930ca9d24ba91c3b
Signed-off-by: Carlos Galo <carlosgalo@google.com>
It is used by profcollectd to notify vendor_init to trigger
a manual probe of coresight etr.
Bug: 321061072
Test: build and run on device
Change-Id: I5aa65f8d5a25f1284f09111c940f0a2c1a62ac18
This new property is to set an apex name when input configuration files
are bundled in an apex.
libinput checks the new sysprop when loading input configuration.
This removes hard-coded apex name (com.android.input.config).
Bug: 315080500
Test: adb shell dumpsys input
# set "touch.orientationAware = 0" in Touchscreen_0.idc
# build/install the input config apex
# Observe the Input configuration
# "Touch Input Mapper" shows "OrientationAware: false"
Change-Id: Ie0bf30bff2ed7f983caa5b893994a5bd2759e192
The default policy for the "lockdown" access vector on Android was
introduced in commit bcfca1a6. While the "confidentiality" permission
was granted to all processes, the "integrity" was marked as
neverallowed.
Upstream, the support for that access vector was removed from kernel
5.16 onwards.
It was found that the "integrity" permission either does not apply to
Android or duplicates other access control (e.g., capabilities
sys_admin).
Instead of simply removing the neverallow rule, the access is granted to
all processes. This will prevent the proliferation of references to this
access vector in vendors' policies and ultimately facilitate its
removal.
Test: presubmit
Bug: 285443587
Bug: 269377822
Bug: 319390252
Change-Id: If2ad34fbbf2c0d29ac54ab5d1be430623f86f1f7
This reverts commit f77cf6780c.
Reason for revert: sepolicy change is still necessary. (won't break things)
Change-Id: If47218b39ac34c21f3e09d29a5e713b240c4f0a6
Bootanimation only access boot animation files on oem. Label
these files with bootanim_oem_file and remove oemfs file allow rule.
Also allow mediaserver and app to read this new label as they can access
/oem/media folder.
Bug: 324437684
Test: Confirm that boot animation on oem is shown without violations
Change-Id: I940ccde9391a5daa920f31926d32e68b1de5b7eb
Since 202404, vendor components will use /system/bin/sh for system(3),
popen(3), etc.
Bug: 324142245
Test: system("readlink /proc/$$/exe") in vendor HALs
Change-Id: I521499678e87a7d0216a276e014888867f495803
1, /metadata/aconfig is the directory that stores aconfig storage
related protobuf files and flag value files boot copy. Grant read
access to everybody. But limit the write access only to init and
aconfig storage service process (to be created later)
2, /metadata/aconfig/flags is the sub directory that stores persistent
aconfig value files.Initially set it up to be accessible by
system_server process only . When aconfig storage service process is
created, will add another permission to storage service process.
Context to why we are hosting flag data on /metadata partition:
Android is adopting trunk stable workflow, flagging and A/B testing is
essential to every platform component. We need some place to host the
flag that are accessible to system processes that starts before /data
partition becomes available.
In addition, there has been a long discussion regarding utilizing
/metadata partition for some process data, another example is mainline
modules, we are trying to make them to be able to be mounted earlier,
but cannot due to /data availability.
Bug: 312444587
Test: m
Change-Id: I7e7dae5cf8c4268d71229c770af31b5e9f071428
Grant bootanimation all read permissions on oem using
r_dir_file macro instead of specifying individual permissions.
This prevents failure to read the bootanimation on oem if
partition has been remounted.
After remount, bootanimation will log violation for the
/oem/media directory when reading an existing file (boot animation can
is still played).
avc: denied { read } for pid=2820 comm="bootanimation" name="media"
dev="sda75" ino=152 scontext=u:r:bootanim:s0
tcontext=u:object_r:oemfs:s0 tclass=dir permissive=0
After remount, if modifying/adding file in /oem/media directory,
bootanimation will fail to read the bootanimation zip, now with
violation:
avc: denied { read } for pid=2838 comm="bootanimation" name="media"
dev="dm-8" ino=70 scontext=u:r:bootanim:s0 tcontext=u:object_r:oemfs:s0
tclass=dir permissive=0
Bug: 324437684
Test: adb remount
replace /oem/media/bootanimation.zip with custom animation
adb reboot
confirm that expected bootanimation is played
confirm no selinux violations are seen in logcat
Change-Id: Iaafdeeacaf88d8f5c1214700edc8eec2824b0159
Bug: 311377497
Test: manual - Call
getDexoptChrootSetupServiceRegisterer().waitForService()
Test: manual - Set up a chroot environment and call
getArtdPreRebootServiceRegisterer().waitForService()
Change-Id: I50b5f7f858dab37f05174cb9787f64303d50d083
This is used for mapper sphal library which is defined in VINTF and
queried via servicemanager.
Bug: 317178925
Test: cuttlefish loads mapper.minigbm
Change-Id: Ibddc0239e52065a89c656f885f34835406665009
