Commit graph

279 commits

Author SHA1 Message Date
Inseob Kim
09b27c7109 Add "DO NOT ADD statements" comments to public
For visibility

Bug: 232023812
Test: N/A
Change-Id: I0bc6dc568210b81ba1f52acb18afd4bcc454ea1c
2024-03-28 11:27:43 +09:00
Inseob Kim
75806ef3c5 Minimize public policy
Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.

Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
           <(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
      to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
2024-03-28 00:33:46 +00:00
Peter Collingbourne
4912d266e1 Mount /tmp as tmpfs.
/tmp is a volatile temporary storage location for the shell user.
As with /data/local/tmp, it is owned by shell:shell and is chmod 771.

Bug: 311263616
Change-Id: Ice0229d937989b097971d9db434d5589ac2da99a
2023-12-15 16:46:46 -08:00
Nate Myren
0e15f2d9c5 Add appcompat override files and contexts to SELinux
This also allows the zygote to bind mount the system properties

Bug: 291814949
Test: manual
Change-Id: Ie5540faaf3508bc2d244c952904838d56aa67434
2023-10-23 18:34:12 +00:00
Seungjae Yoo
1b2d9de08d Add rules for reading VM DTBO by vfio_handler
Bug: 291191362
Test: m

Merged-In: I0b38feb30382c5e6876e3e7809ddb5cf9034e4fd
Change-Id: I0b38feb30382c5e6876e3e7809ddb5cf9034e4fd
2023-08-18 01:17:23 +00:00
Steven Moreland
f3722d5a71 strengthen app_data_file neverallows
There are more types of apps now.

Bug: 281877578
Test: boot
Change-Id: I1918de8610070f6fac0e933d75c656e4ee0cfbdd
2023-05-23 00:01:27 +00:00
Yi-Yo Chiang
d59c75884d overlayfs: Rules for mounting overlays from second stage init
Overlayfs failed to mount during second stage init because init is
lacking these permissions.
These permissions are asserted by the overlayfs driver during mount
operation, see fs/overlayfs/super.c:ovl_check_rename_whiteout
(https://source.corp.google.com/kernel-upstream/fs/overlayfs/super.c;l=1182;bpv=1;bpt=1)

Bug: 243501054
Test: adb remount && check that overlay is active after reboot
Change-Id: I258646b65a49487e6f22a6742ff59e9a0d57b5c0
2022-12-13 15:53:10 +08:00
Maciej Żenczykowski
4a960869e0 sepolicy - move proc bpf writes from bpfloader.rc to bpfloader binary
As a reminder, per:
  https://source.corp.google.com/search?q=p:aosp-master%20file:sepolicy%20-file:prebuilts%20proc_bpf%20file:genfs

we currently have:
  aosp-master system/sepolicy/private/genfs_contexts

genfscon proc /sys/kernel/bpf_ u:object_r:proc_bpf:s0
genfscon proc /sys/kernel/unprivileged_bpf_ u:object_r:proc_bpf:s0
genfscon proc /sys/net/core/bpf_ u:object_r:proc_bpf:s0

So the above are the files which will no longer be writable by init.

A cs/ search for p:android$ (/sys/kernel/bpf_|/sys/kernel/unprivileged_bpf_|/sys/net/core/bpf_) file:[.]rc

only finds bpfloader.rc init script as actually doing these writes.

Those writes are removed in:
  https://android-review.git.corp.google.com/c/platform/system/bpf/+/2325617
  'bpfloader - move sysctl setting from rc to binary'

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I19ccdf293966dd982e1d36836b0b962d99ed7275
2022-12-03 15:22:29 +00:00
Maciej Żenczykowski
ebb45f9dea remove init/vendor_init access to bpffs_type
There should be no need for this and it fixes a long outstanding TODO.

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id1764cbc713addbbda6827fe6c6689e45e8f584c
2022-12-02 12:26:03 +00:00
Jeff Vander Stoep
b07c12c39d Iorapd and friends have been removed
Remove references in sepolicy. Leave a few of the types defined since
they're public and may be used in device-specific policy.

Bug: 211461392
Test: build/boot cuttlefish
Change-Id: I615137b92b82b744628ab9b7959ae5ff28001169
2022-05-18 12:07:39 +02:00
Jooyung Han
945c072d12 Merge "Allow init to read apex-info-list.xml" 2022-05-13 01:47:40 +00:00
Eric Biggers
17369bef4a Remove init's write access to /data/user and /data/media
As a follow-up to https://r.android.com/2078213, remove init's write
access to directories with type system_userdir_file or
media_userdir_file.  This has been made possible by moving the creation
of /data/user/0 and /data/media/obb to vold.

Bug: 156305599
Change-Id: Ib9f43f2b111518833efe08e8cacd727c75b80266
2022-05-12 00:19:29 +00:00
Jooyung Han
61079e06f2 Allow init to read apex-info-list.xml
init should use subcontext (vendor_init) for actions/services from
/{vendor, odm} partitions. However, when configs are from vendor APEXes,
init can't tell whether the APEXes are from /{vendor, odm} just by
looking at the config file paths.

Instead, init can look up /apex/apex-info-list.xml for APEXes
preinstalled paths to tell APEXes' original partition.

Bug: 232021354
Test: atest CtsBluetoothTestCases
  (Cuttlefish has BT HAL APEX in /vendor)
Change-Id: I8cb5d9eb3970790499ef1eb1ee00851591a42e98
2022-05-10 10:35:56 +09:00
Eric Biggers
9a5992336e Restrict creating per-user encrypted directories
Creating a per-user encrypted directory such as /data/system_ce/0 and
the subdirectories in it too early has been a recurring bug.  Typically,
individual services in system_server are to blame; system_server has
permission to create these directories, and it's easy to write
"mkdirs()" instead of "mkdir()".  Such bugs are very bad, as they
prevent these directories from being encrypted, as encryption policies
can only be set on empty directories.  Due to recent changes, a factory
reset is now forced in such cases, which helps detect these bugs;
however, it would be much better to prevent them in the first place.

This CL locks down the ability to create these directories to just vold
and init, or to just vold when possible.  This is done by assigning new
types to the directories that contain these directories, and then only
allowing the needed domains to write to these parent directories.  This
is similar to what https://r.android.com/1117297 did for /data itself.

Three new types are used instead of just one, since these directories
had three different types already (system_data_file, media_rw_data_file,
vendor_data_file), and this allows the policy to be a bit more precise.

A significant limitation is that /data/user/0 is currently being created
by init during early boot.  Therefore, this CL doesn't help much for
/data/user/0, though it helps a lot for the other directories.  As the
next step, I'll try to eliminate the /data/user/0 quirk.  Anyway, this
CL is needed regardless of whether we're able to do that.

Test: Booted cuttlefish.  Ran 'sm partition disk:253,32 private', then
      created and deleted a user.  Used 'ls -lZ' to check the relevant
      SELinux labels on both internal and adoptable storage.  Also did
      similar tests on raven, with the addition of going through the
      setup wizard and using an app that creates media files.  No
      relevant SELinux denials seen during any of this.
Bug: 156305599
Change-Id: I1fbdd180f56dd2fe4703763936f5850cef8ab0ba
2022-05-05 04:12:46 +00:00
Jaegeuk Kim
3a45ffec11 Allow shutdown /data
Bug: 229406072
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: I7bdd9acd2e85311ecb59b3f0eb1f503a93e240ef
2022-04-22 09:34:02 -07:00
Eric Biggers
9bf0a0c141 Remove some FDE rules and update comments
Now that FDE (Full Disk Encryption) is no longer supported, the SELinux
policy doesn't need to support it.  Remove two rules that are no longer
needed.  Also update some comments that implied that other rules were
needed only because of FDE support, when actually they are still needed
for other reasons.  Finally, fix some outdated documentation links.

Bug: 208476087
Change-Id: I4e03dead91d34fcefdfcdc68d44dd97f433d6eaf
2022-04-15 21:06:51 +00:00
Kalesh Singh
98f63495b2 Add sepolicy for Multi-Gen LRU sysfs control
init is allowed to enable/disable MG-LRU.

Bug: 227651406
Bug: 228525049
Test: setprop persist.device_config.mglru_native.lru_gen_config
Test: verify no avc denials in logcat
Change-Id: I20223f3628cb6909c3fd2eb2b821ff2d52202dd2
2022-04-08 13:37:50 -07:00
Inseob Kim
85091cd806 Allow init to relabelto console_device
Init will try restorecon /dev/console, together with /dev, at the second
stage boot.

Bug: 193118220
Test: atest MicrodroidHostTestCases
Change-Id: Ie9796368b54bb0773eabf5ff6feb2b4aa41d0bfa
2022-03-22 22:11:03 +09:00
Jaegeuk Kim
be66c59171 SELinux policy for /dev/sys/block/by-name/rootdisk
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: I550dfb5649ccb5ca61ea5abbf730bd84756f047e
2022-03-16 11:04:39 -07:00
Ramji Jiyani
4a556890f9 system_dlkm: sepolicy: add system_dlkm_file_type
Add new attribute system_dlkm_file_type for
/system_dlkm partition files.

Bug: 218392646
Bug: 200082547
Test: TH
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
Change-Id: I193c3f1270f7a1b1259bc241def3fe51d77396f3
2022-02-11 04:19:33 +00:00
Jiyong Park
16c1ae3a3d Add use_bionic_libs macro
... to dedupe rules for allowing access to bootstrap bionic libraries.

Bug: N/A
Test: m
Change-Id: I575487416a356c22f5f06f1713032f11d979d7d4
2022-01-25 09:47:56 +09:00
Maciej Żenczykowski
3702f3385e introduce new 'proc_bpf' for bpf related sysctls
What to tag chosen based on output of:
  find /proc 2>/dev/null | egrep bpf
on a 5.10 kernel.

Tagged with prefixes to be more likely not require changes in the future

  $ adb root
  $ adb shell 'ls -lZ /proc/sys/net/core/bpf_* /proc/sys/kernel/*bpf*'

Before:
  -rw-r--r-- 1 root root u:object_r:proc:s0      0 2021-11-11 02:11 /proc/sys/kernel/bpf_stats_enabled
  -rw-r--r-- 1 root root u:object_r:proc:s0      0 2021-11-11 02:11 /proc/sys/kernel/unprivileged_bpf_disabled
  -rw-r--r-- 1 root root u:object_r:proc_net:s0  0 2021-11-11 02:11 /proc/sys/net/core/bpf_jit_enable
  -rw------- 1 root root u:object_r:proc_net:s0  0 2021-11-11 02:11 /proc/sys/net/core/bpf_jit_harden
  -rw------- 1 root root u:object_r:proc_net:s0  0 2021-11-11 02:11 /proc/sys/net/core/bpf_jit_kallsyms
  -rw------- 1 root root u:object_r:proc_net:s0  0 2021-11-11 02:11 /proc/sys/net/core/bpf_jit_limit

After:
  -rw-r--r-- 1 root root u:object_r:proc_bpf:s0  0 2021-11-11 02:08 /proc/sys/kernel/bpf_stats_enabled
  -rw-r--r-- 1 root root u:object_r:proc_bpf:s0  0 2021-11-11 02:08 /proc/sys/kernel/unprivileged_bpf_disabled
  -rw-r--r-- 1 root root u:object_r:proc_bpf:s0  0 2021-11-11 02:08 /proc/sys/net/core/bpf_jit_enable
  -rw------- 1 root root u:object_r:proc_bpf:s0  0 2021-11-11 02:08 /proc/sys/net/core/bpf_jit_harden
  -rw------- 1 root root u:object_r:proc_bpf:s0  0 2021-11-11 02:08 /proc/sys/net/core/bpf_jit_kallsyms
  -rw------- 1 root root u:object_r:proc_bpf:s0  0 2021-11-11 02:08 /proc/sys/net/core/bpf_jit_limit

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I46ea81ff42d3b915cf7a96735dc2636d9808ead6
2021-11-11 02:54:21 -08:00
Alistair Delva
6092d633b0 Allow init to write to /proc/cpu/alignment
The root init.rc does "write /proc/cpu/alignment 4", but we don't
actually allow this write in core sepolicy. This seems to be a 32-bit
ARM only proc file.

Noticed when booting 32-bit ARM Cuttlefish.

Bug: 145371497
Change-Id: Ic099395708f7236bcc2fc5c561809a7e129786de
2021-11-01 10:17:26 -07:00
Bart Van Assche
398b0af20f Stop using the bdev_type and sysfs_block_type SELinux attributes
Stop using these attributes since these will be removed soon.

Bug: 202520796
Test: (AOSP) source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd && adb -e shell dmesg | grep avc
Test: (sc-v2-dev) source build/envsetup.sh && lunch ...-userdebug && m && install-images-on-phone && adb root && adb dmesg | grep 'avc.*comm=.init'
Change-Id: I9f5a4c5c4d6c44fefa8e66c69fec62c99f9a728d
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-10-14 09:13:58 -07:00
Liangcai Fan
486be79cb7 allow init to set status on loop device
Bug: 200904398

Change-Id: I02b0a4edcd47e325da7ec8200d5167485e4084c9
Signed-off-by: Liangcai Fan <liangcai.fan@unisoc.com>
2021-10-01 10:49:40 +08:00
Martin Liu
4db56b0b52 allow init to access watermark_boost_factor
Bug: 189938926
Test: boot
Signed-off-by: Martin Liu <liumartin@google.com>
Change-Id: I07c8490c94c837952921e95f12efa6213edbf056
2021-07-01 12:24:52 +08:00
Thiébaud Weksteen
9ec532752d Add fusefs_type for FUSE filesystems
Any FUSE filesystem will receive the 'fuse' type when mounted. It is
possible to change this behaviour by specifying the "context=" or
"fscontext=" option in mount().

Because 'fuse' has historically been used only for the emulated storage,
it also received the 'sdcard_type' attribute. Replace the 'sdcard_type'
attribute from 'fuse' with the new 'fusefs_type'. This attribute can be
attached on derived types (such as app_fusefs).

This change:
- Remove the neverallow restriction on this new type. This means any
  custom FUSE implementation can be mounted/unmounted (if the correct
  allow rule is added). See domain.te.
- Change the attribute of 'fuse' from 'sdcard_type' to 'fusefs_type'.
  See file.te.
- Modify all references to 'sdcard_type' to explicitly include 'fuse'
  for compatibility reason.

Bug: 177481425
Bug: 190804537
Test: Build and boot aosp_cf_x86_64_phone-userdebug
Change-Id: Id4e410a049f72647accd4c3cf43eaa55e94c318f
2021-06-28 13:18:46 +02:00
Hridya Valsaraju
23f9f51fcd Revert "Revert "Add neverallows for debugfs access""
This reverts commit e95e0ec0a5.

Now that b/186727553 is fixed, it should be safe to revert this revert.

Test: build
Bug: 184381659
Change-Id: Ibea3882296db880f5cafe4f9efa36d79a183c8a1
2021-05-04 22:06:46 -07:00
Hridya Valsaraju
a885dd84c7 Revert "Revert "Add a neverallow for debugfs mounting""
This reverts commit f9dbb72654.
Issues with GSI testing fixed with
https://android-review.googlesource.com/c/platform/build/+/1686425/

Bug: 184381659
Test: manual
Change-Id: Icd07430c606e294dfaad2fc9b37d34e3dae8cbfc
2021-05-02 21:41:53 -07:00
Hridya Valsaraju
7362f58895 Merge changes from topic "revert-1668411-MWQWEZISXF"
* changes:
  Revert "Add a neverallow for debugfs mounting"
  Revert "Add neverallows for debugfs access"
  Revert "Exclude vendor_modprobe from debugfs neverallow restrictions"
  Revert "Check that tracefs files are labelled as tracefs_type"
2021-04-23 22:06:31 +00:00
Hridya Valsaraju
f9dbb72654 Revert "Add a neverallow for debugfs mounting"
Revert submission 1668411

Reason for revert: Suspect for b/186173384
Reverted Changes:
Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t...
I743a81489:Exclude vendor_modprobe from debugfs neverallow re...
I63a22402c:Add neverallows for debugfs access
I289f2d256:Add a neverallow for debugfs mounting

Change-Id: Ie04d7a4265ace43ba21a108af85f82ec137c6af0
2021-04-23 16:38:20 +00:00
Hridya Valsaraju
e95e0ec0a5 Revert "Add neverallows for debugfs access"
Revert submission 1668411

Reason for revert: Suspect for b/186173384
Reverted Changes:
Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t...
I743a81489:Exclude vendor_modprobe from debugfs neverallow re...
I63a22402c:Add neverallows for debugfs access
I289f2d256:Add a neverallow for debugfs mounting

Change-Id: I9b7d43ac7e2ead2d175b265e97c749570c95e075
2021-04-23 16:38:20 +00:00
Andrew Walbran
3b6a385137 Merge "Add crosvm domain and give virtmanager and crosvm necessary permissions." 2021-04-22 18:57:15 +00:00
Hridya Valsaraju
a0b504a484 Add neverallows for debugfs access
Android R launching devices and newer must not ship with debugfs
mounted. For Android S launching devices and newer, debugfs must only be
mounted in userdebug/eng builds by init(for boot time initializations)
and dumpstate(for grabbing debug information from debugfs using the
dumpstate HAL).

This patch adds neverallow statements to prevent othe processes
being provided access to debugfs when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS
is set to true.

Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Bug: 184381659
Change-Id: I63a22402cf6b1f57af7ace50000acff3f06a49be
2021-04-21 14:13:22 -07:00
Hridya Valsaraju
1c3d898d87 Add a neverallow for debugfs mounting
Android R launching devices and newer must not ship with debugfs
mounted. For Android S launching devices and newer, debugfs must only be
mounted in userdebug/eng builds by init(for boot time initializations)
and dumpstate(for grabbing debug information from debugfs). This patch
adds a neverallow statement that prevents processes other than init
from being provided access to mount debugfs in non-user builds
when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS is set to true.

Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Bug: 184381659
Change-Id: I289f2d25662a78678929e29f83cb31cebd8ca737
2021-04-21 14:13:02 -07:00
Andrew Walbran
a995e84c18 Add crosvm domain and give virtmanager and crosvm necessary permissions.
Bug: 183583115
Test: make TARGET_KERNEL_USE=5.4 TARGET_VIM3L=true
Change-Id: I566436fa2d27597566014f2a63198a88d6d2dbd6
2021-04-13 09:30:20 +00:00
Devin Moore
840d4f3bf3 Add sepolicy for /proc/bootconfig
Vendor boot hal, init, and vold processes all require permission.

Test: build and boot aosp_cf_x86_64_phone
Bug: 173815685
Change-Id: I15692dcd39dfc9c3a3b7d8c12d03eff0a7c96f72
2021-02-23 07:42:06 -08:00
Randall Huang
10d42cec51 sepolicy: Add label to userdata file node
The userdata file node should be labeled to
avoid avc denied.

Bug: 171760673
Bug: 177364376
Test: build pass
Signed-off-by: Randall Huang <huangrandall@google.com>
Change-Id: I9ba89c75c120864c64ea278934b15edc3ba18a6c
2021-02-19 07:45:02 +08:00
Elliott Hughes
adaf4fe7a9 Merge "init/ueventd and system_server no longer need access to /dev/hw_random." 2021-02-16 20:08:39 +00:00
Elliott Hughes
5aaf7f3461 init/ueventd and system_server no longer need access to /dev/hw_random.
We let the kernel worry about that now.

Bug: http://b/179086242
Test: treehugger
Change-Id: I51bdfaf7488717cc4e4c642261e31d1801cfba68
2021-02-12 09:33:22 -08:00
Marco Ballesio
aa4ce95c6f sepolicy: rules for uid/pid cgroups v2 hierarchy
Bug: 168907513
Test: verified the correct working of the v2 uid/pid hierarchy in normal
and recovery modes

This reverts commit aa8bb3a29b.

Change-Id: Ib344d500ea49b86e862e223ab58a16601eebef47
2021-02-11 23:40:38 +00:00
Marco Ballesio
aa8bb3a29b Revert^3 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
a54bed6907

Bug: 151660495
Test: verified proper boot in regular mode and proper working of adb in
recovery

Change-Id: Id70d27a6162af6ede94661005d80a2a780057089
2021-02-04 22:33:14 +00:00
Marco Ballesio
a54bed6907 Revert^2 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
51c04ac27b

Change-Id: Idc35a84b5faabfb9bdd7a7693f51b11938eb0489
2021-01-27 06:07:48 +00:00
Treehugger Robot
b8e865e1ee Merge "sepolicy: allow init to mount debugfs in userdebug builds" 2021-01-13 04:24:22 +00:00
Hridya Valsaraju
90eadaac59 sepolicy: allow init to mount debugfs in userdebug builds
This change will help debug builds with keeping debugfs
disabled during run time. Instead, debugfs will be mounted by init
to enable boot time initializations to set up debug data collection
and unmounted after boot. It will be also be mounted by dumpstate
for bug report generation and unmounted after.

It resolves the following avc denial:
avc: denied { mounton } for comm="init" path="/sys/kernel/debug" dev="debugfs"
 ino=1 scontext=u:r:init:s0 tcontext=u:object_r:debugfs:s0 tclass=dir permissive=0

Bug: 176936478
Test: make && boot
Change-Id: I5bc819eb0cc36bdc32565c17a16da8838baf946a
2021-01-07 21:32:24 -08:00
David Anderson
f4cba7eed5 Add a kernel transition to snapuserd.
The initial launch of snapuserd happens in first-stage init, before
sepolicy is loaded, since snapuserd is needed to mount initial
partitions. After sepolicy is loaded, we immediately re-launch snapuserd
in the correct context. This requires a transition similar to init.

The "allow" lines for the kernel happen in permissive mode, since we
need to relabel critical parts of /dev/block in order to re-launch
snapuserd.

Bug: 173476209
Test: OTA applies with ro.virtual_ab.compression.enabled = true
Change-Id: I80184e737ccb558107a14b384a61f7fec31c9428
2020-12-14 23:48:08 -08:00
Jonglin Lee
51c04ac27b Revert "sepolicy: rules for uid/pid cgroups v2 hierarchy"
Revert submission 1511692-cgroup v2 uid/pid hierarchy

Reason for revert: Causing intermittent cgroup kernel panics
Reverted Changes:
I80c2a069b:sepolicy: rules for uid/pid cgroups v2 hierarchy
I73f3e767d:libprocessgroup: uid/pid hierarchy for cgroup v2

Bug: 174776875
Change-Id: I63a03bb43d87c9aa564b1436a45fd5ec023aac87
Test: Locally reverted and booted 100 times without kernel panic
2020-12-04 03:12:59 +00:00
Marco Ballesio
f46d7a26c1 sepolicy: rules for uid/pid cgroups v2 hierarchy
the cgroups v2 uid/gid hierarchy will replace cgroup for all sepolicy
rules. For this reason, old rules have to be duplicated to cgroup_v2,
plus some rules must be added to allow the ownership change for cgroup
files created by init and zygote.

Test: booted device, verified correct access from init, system_server
and zygote to the uid/pid cgroup files

Change-Id: I80c2a069b0fb409b442e1160148ddc48e31d6809
2020-11-30 11:46:14 -08:00
Suren Baghdasaryan
37f1a137b6 Add rules for per-API level task profiles and cgroup description files
Define access rights to new per-API level task profiles and cgroup
description files under /etc/task_profiles/.

Bug: 172066799
Test: boot with per-API task profiles
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I04c9929fdffe33a9fc82d431a53f47630f9dcfc3
2020-11-23 09:30:26 -08:00
David Anderson
09bb944221 Add sepolicy for starting the snapuserd daemon through init.
Restrict access to controlling snapuserd via ctl properties. Allow
update_engine to control snapuserd, and connect/write to its socket.

update_engine needs this access so it can create the appropriate dm-user
device (which sends queries to snapuserd), which is then used to build
the update snapshot.

This also fixes a bug where /dev/dm-user was not properly labelled. As a
result, snapuserd and update_engine have been granted r_dir_perms to
dm_user_device.

Bug: 168554689
Test: full ota with VABC enabled
Change-Id: I1f65ba9f16a83fe3e8ed41a594421939a256aec0
2020-11-19 21:03:30 +00:00