Add SEPolicy for the ThreadNetworkService
Add Fuzzer exception, thread_network service is java only
FR: b/235016403
Test: build and start thread_network service
bug: 262683651
Change-Id: Ifa2e9500dd535b0b4f2ad9af006b8dddaea900db
Starting in Android 11, Android unconditionally disables kernel module
autoloading (https://r.android.com/1254748) in such a way that even the
SELinux permission does not get checked. Therefore, all the SELinux
rules that allow or dontaudit the module_request permission are no
longer necessary. Their presence or absence makes no difference.
Bug: 130424539
Test: Booted Cuttlefish, no SELinux denials.
Change-Id: Ib80e3c8af83478ba2c38d3e8a8ae4e1192786b57
As part of Treble, enforce that vendor's seapp_contexts can't label apps
using coredomains. Apps installed to system/system_ext/product should be
labeled with platform side sepolicy.
This change adds the violators attribute that will be used to mark
violating domains that need to be fixed.
Bug: 280547417
Test: manual
Change-Id: I64f3bb2880bd19e65450ea3d3692d1b424402d92
This reverts commit 70d70e6be4.
Reason for revert: See internal bug for clarification: http://b/291191362
Change-Id: If37670f7d71635314c618f7ac88802bfbc6fa007
Add SEPolicy for the RemoteAuth Manager/Service
Add Fuzzer exception, remote_auth service is going to be in Java and
Rust only
Design doc: go/remote-auth-manager-fishfood-design
Test: loaded on device.
Bug: 290092977
Change-Id: I4decb29b863170aed5e7c85da9c4b50c0675d3bd
During mountFstab call, vold might need to wipe and re-format a device.
See code in system/vold/model/PublicVolume.cpp , PublicVolume::doFormat
Allow IOCTLs such as BLKDISCARDZEROES for wiping.
Test: th
Bug: 279808236
Change-Id: I0bebf850aa45ece6227fa5c3e9c3fdb38164f79e
to get the list of active APEXes.
Bug: 293949266
Bug: 293546778
Test: CtsPackageSettingHostTestCases
Change-Id: I86f58158b97463206fb76a0c31f29b78874f4c35
Adds a policy to run the virtual_camera process which:
- registers a service implementing the camera HAL
- registers a service to reveive communicate with virtual cameras via
system_server
Bug: 253991421
Test: CTS test
android.virtualdevice.cts.VirtualDeviceManagerBasicTest#createDevice_createCamera
Change-Id: I772d176919b8dcd3b73946935ed439207c948f2b
Test: Manually validated that GmsCore can access the properties, but not a test app.
Change-Id: I2fa520dc31b328738f9a5fd1bcfc6632b61ad912
Bug: 280330984
(cherry picked from commit c97b3a244f)
To fully close a race condition where processes can access per-user
directories before an encryption policy has been assigned, vold is going
to start creating these directories under temporary names and moving
them into place once fully prepared. To make this possible, give vold
permission to rename directories with type system_data_file.
Bug: 156305599
Bug: 285239971
Change-Id: Iae2c8f7d2dc343e7d177e6fb2e893ecca1796f7f
Path to vendor overlays should be accessible to those processes with
access to vendor_overlay_file. This is okay when overlays are under
/vendor/overlay because vendor_file:dir is accessible from all domains.
However, when a vendor overlay file is served from a vendor apex, then
the mount point of the apex should be allowed explicitly for 'getattr'
and 'search'.
Bug: 285075529
Test: presubmit tests
Change-Id: I393abc76ab7169b65fdee5aefd6da5ed1c6b8586
ueventd needs access to device-mapper to fix a race condition in symlink
creation. When device-mapper uevents are received, we historically read
the uuid and name from sysfs. However it turns out sysfs may not be
fully populated at that time. It is more reliable to read this
information directly from device-mapper.
Bug: 286011429
Test: libdm_test, treehugger
(cherry picked from https://android-review.googlesource.com/q/commit:e09c0eee36d58894bb0d30b9af4e33ee7dd7011c)
Merged-In: I36b9b460a0fa76a37950d3672bd21b1c885a5069
Change-Id: I36b9b460a0fa76a37950d3672bd21b1c885a5069
Change-Id: I1197d0051a9ce96b7edd87347b5db266b1643d30
A new label for ./apex_manifest.pb and ./ entries in vendor apexes. This
is read-allowed by a few system components which need to read "apex" in
general. For example, linkerconfig needs to read apex_manifest.pb from
all apexes including vendor apexes.
Previously, these entries were labelled as system_file even for vendor
apexes.
Bug: 285075529
Test: m && launch_cvd
Test: atest VendorApexHostTestsCases
Change-Id: Icc234bf604e3cafe6da81d21db744abfaa524dcf
The majority of code for media encoding and decoding occurs within the
context of client app processes via linking with libstagefright. This
code needs access to server-configurable flags to configure
codec-related features.
Bug: 234833109
Test: manual test with 'adb shell device_config' commands
Change-Id: I95aa6772a40599636d109d6960c2898e44648c9b
To run external firmware handler, ueventd should wait for apexd activation
by reading 'apexd.status' property.
Test: loading firmware from vendor apex using external firmware handler
Signed-off-by: Suchang Woo <suchang.woo@samsung.com>
Change-Id: Ic2057ab2d014540ce5eeb26bcac35d39294b5dc9
These were unnecessarily lax. Some additional places
additionally exclude only the generic proc type, but
we don't care about those places.
Bug: 281877578
Test: boot
Change-Id: I9ebf410c12a41888ab1f5ecc21c95c34fc36c0d0
This is needed to load GKI leaf modules like zram.ko.
Bug: 279227085
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I8a8205e50aa00686f478aba5336299e03490bbb5
Merged-In: I8a8205e50aa00686f478aba5336299e03490bbb5
This is needed to load GKI leaf modules like zram.ko.
Bug: 279227085
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I8a8205e50aa00686f478aba5336299e03490bbb5
no writing to system_file_type is the intention
here, but they only restricted system_file.
this does not touch the untrusted_app lock
neverallow, because it's specific to a single
system_file, and r_file_perms includes 'lock'.
Bug: 281877578
Test: build (neverallow only change)
Change-Id: I6c6078bc27c49e5a88862eaa330638f442dba9ee
ueventd needs access to device-mapper to fix a race condition in symlink
creation. When device-mapper uevents are received, we historically read
the uuid and name from sysfs. However it turns out sysfs may not be
fully populated at that time. It is more reliable to read this
information directly from device-mapper.
Bug: 270183812
Test: libdm_test, treehugger
Change-Id: I36b9b460a0fa76a37950d3672bd21b1c885a5069
In tetherStop(), netd will send SIGKILL to dnsmasq if SIGTERM is failed.
But there is no corresponding sepolicy in netd.te.
Bug: 256784822
Test: atest netd_integration_test:NetdBinderTest#TetherStartStopStatus
with aosp/2591245 => fail
atest netd_integration_test:NetdBinderTest#TetherStartStopStatus
with aosp/2591245 + this commit => pass
Change-Id: I16a19a95c3c8ffb35dcc394b4dc329b20ecb26a3
This reverts commit 489abecf67.
Reason for revert: b/279988311 we rename the vendor.modem property so we don't need to add the new rules
Change-Id: I19d1da02baf8cc4b5182a3410111a0e78831d7f8
Merged-In: I0c2bfe55987949ad52f62e468c84df954f39a4ad
Revert submission 22899490-euicc_selinux_fix
Reason for revert: b/279988311 we rename the vendor.modem property so we don't need to add the new rules
Reverted changes: /q/submissionid:22899490-euicc_selinux_fix
Change-Id: I0c2bfe55987949ad52f62e468c84df954f39a4ad
Test: See commit 2691baf9d4f8086902d46b2e340a6e5464857b90 in art/
(ag/23125728)
Bug: 281850017
Ignore-AOSP-First: Will cherry-pick to AOSP later
Change-Id: I14baf55d07ad559294bd3b7d9562230e78201d25
vendor_init needs to set graphics_config_writable_prop, moving it to
system_public_prop.
Ignore-AOSP-First: Cherry-pick
Bug: b/270994705
Test: atest CtsAngleIntegrationHostTestCases
Test: m && boot
Change-Id: I2f47c1048aad4565cb13d4289b9a018734d18c07
Merged-In: I2f47c1048aad4565cb13d4289b9a018734d18c07
vendor_init needs to set graphics_config_writable_prop, moving it to
system_public_prop.
Bug: b/270994705
Test: atest CtsAngleIntegrationHostTestCases
Test: m && boot
Change-Id: I2f47c1048aad4565cb13d4289b9a018734d18c07
Test: Manually validated that GmsCore can access the properties, but not a test app.
Ignore-AOSP-First: Change is targeted at Google devices.
Change-Id: I2fa520dc31b328738f9a5fd1bcfc6632b61ad912
Bug: 280330984
snapuserd logs are important when OTA failures happen. To make debugging
easier, allow snapuserd to persist logs in /data/misc/snapuserd_logs ,
and capture these logs in bugreport.
Bug: 280127810
Change-Id: I49e30fd97ea143e7b9c799b0c746150217d5cbe0
When CTS test app tries to get broadcastradio_service from context, it
is considered as untrusted app by sepolicy since broadcastradio_service
is not app_api_service. Made it as app_api_service so that CTS for
broadcastradio can be ran on devices.
Bug: 262191898
Test: atest CtsBroadcastRadioTestCase
Ignore-AOSP-First: fix CTS issue
Change-Id: I0583f549eb5b781ff23f81b2073baa0390009f9e
This can be used as a side channel to observe when an application
is launched.
Gate this restriction on the application's targetSdkVersion to
avoid breaking existing apps. Only apps targeting 34 and above will
see the new restriction.
Remove duplicate permissions from public/shell.te. Shell is
already appdomain, so these permissions are already granted to it.
Ignore-AOSP-First: Security fix
Bug: 231587164
Test: boot device, install/uninstall apps. Observe no new denials.
Test: Run researcher provided PoC. Observe audit messages.
Change-Id: Ic7577884e9d994618a38286a42a8047516548782
Define the selinux domain to apply to SDK runtime for
targetSdkVersion=34.
The existing sdk_sandbox domain has been renamed to sdk_sandbox_next.
Future CLs will add logic to apply one of these to the SDK runtime
processes on the device, based on a flag.
auditallow block from sdk_sandbox has been removed as we haven't yet
measured the system health impact of adding this. It'll be added to an
audit domain later after we've ruled out negative system health impact.
Bug: 270148964
Test: make and boot the test device, load SDK using test app
Change-Id: I7438fb16c1c5e85e30683e421ce463f9e0b1470d
This will allow vendor customization of isolated_compute_app. New permissions added should be associated with isolated_compute_allowed.
Bug: 274535894
Test: m
Change-Id: I4239228b80544e6f5ca1dd68ae1f44c0176d1bce
This new system property will be read and written
by a new developer option switch, through gpuservice.
Based on the value stored in persis.graphics.egl,
we will load different GLES driver.
e.g.
persist.graphics.egl == $ro.hardware.egl: load native GLES driver
persist.graphics.egl == angle: load angle as GLES driver
Bug: b/270994705
Test: m; flash and check Pixel 7 boots fine
Change-Id: Idec4b947d0c69c52cd798df4f834053bd306cf5f
This change gives a new type (dalvik_dynamic_config_prop) to some ART
properties such as dalvik.vm.dex2oat-cpu-set and adds a new rule to
allow system server to set them.
Bug: 274530433
Test: Locally added some code to set those properties and saw it being
successfull.
Change-Id: Ie28602e9039b7647656594ce5c184d29778fa089
Introduce hypervisor-generic type for VM managers:
vm_manager_device_type.
Bug: 274758531
Change-Id: I0937e2c717ff973eeb61543bd05a7dcc2e5dc19c
Suggested-by: Steven Moreland <smoreland@google.com>
Signed-off-by: Elliot Berman <quic_eberman@quicinc.com>
We want to allow both the VM and ART to contribute to the VM config
(e.g. memory size), so define labels for 2 sets of properties and
grant the necessary access.
Bug: 274102209
Test: builds
Change-Id: Iaca1e0704301c9155f44e1859fc5a36198917568
Dumpstate already has permissions to get these services to dump their
stack and they are listed in dump_utils.cpp.
Test: adb shell bugreport && check bugreport
Bug: 273937310
Change-Id: I4128f4285da2693242aa02fec1bb2928e34cfcbf
Wi-Fi vendor AIDL service uses NDK to register itself to service
manager. AServiceManager_registerLazyService registers an
IClientCallback to service manager. The callback is invoked when there
is a transition between having >= 1 clients and having 0 clients (or
vice versa). Please check IClientCallback.aidl. As a result servicemanager may
make binder call to Wi-Fi vendor AIDL service. Since this is not allowed
per current SE policies, "avc denied" occurred:
servicemanager: type=1400 audit(0.0:248): avc: denied { call } for scontext=u:r:servicemanager:s0 tcontext=u:r:hal_wifi_default:s0 tclass=binder permissive=0
We add SE policy for hal_wifi_default to allow binder call like this.
Bug: 270511173
Test: manually build and test, check logs for avc denied
Change-Id: Ia6fcf5fc1cafff0381fc9857805bdc61cc838c1e
Allow timedetector_service access for ephemeral apps.
The service call behind currentNetworkTimeClock() moved from
AlarmManager to TimeDetector.
Before this change, alarm_service is accessible by ephemeral apps but
timedetector_service is not. After this change, timedetector_service is
accessible by ephemeral apps, unbreaking the call.
The breakage was not previously noticed because the test involved does
not run in the ephemeral case because of restrictions around what test
infra can do in the ephemeral case. A recent test refactor tests the
method in a different way, revealing the issue.
Bug: 270788539
Test: run cts -m CtsOsTestCases -t android.os.cts.SystemClockNetworkTimeTest#testCurrentNetworkTimeClock
Change-Id: Iafdfb9f13d473bcc65c4e60733e57f1d25c511ab
This ioctl can be used to avoid a race condition between key
reinstallation and busy files clean up.
Test: Trigger busy file clean-up and ensure that the ioctl succeeds
Bug: 140762419
Change-Id: I153c2e7b2d5eb39e0f217c9ef8b9dceba2a5a487
Bug: 260366497
Bug: 264600011
Test: Take bugreport and check dmesg for avc error
Test: Reboot and check shutdown-checkpoints
Change-Id: Ifcc7de30ee64e18f78af147cd3da39d7c6dc6f5f
In order for ART code to call perfetto DataSource::Trace() we need to
wait for all data source instances to have completed their setup. To do
so, we need to know how many of them exist.
This introduces a new sysprop traced.oome_heap_session.count, writeable
by perfetto traced and readable by apps and system_server that can be
used to communicate this.
See go/art-oom-heap-dump for more details
Test: manual, atest HeapprofdJavaCtsTest
Bug: 269246893
Change-Id: Ib8220879a40854f98bc2f550ff2e7ebf3e077756
The new android property namespace will store the configurations which are set on the server side and read by the EdgeTpu HAL.
Notes:
* This CL is similar to nnapi_native CL: https://android-review.git.corp.google.com/c/platform/system/sepolicy/+/1844919
* The read permission of EdgeTpu HAL will be added in another internal CL.
Test: mm
Bug: 243553703
Bug: 246401730
Change-Id: I5705f679148b313d919f334c51e31f7645aca82a
A new mainline module that will have the device config logic requires a new service (device_config_updatable).
Bug: 252703257
Test: manual because logic that launches service is behind flag
Change-Id: I4ffba0c7d2afc44af8438b7d84d836e42388bd7d
Similarly to fs_type, fusefs_type accesses are ignored. It may be
triggered by tradefed when listing mounted points.
Bug: 177481425
Bug: 240632971
Bug: 239090033
Bug: 238971088
Bug: 238932200
Bug: 239085619
Test: presubmit boot tests
Change-Id: Ic96140d6bf2673d0de6c934581b3766f911780b6
This patch:
* allows for heap and perf profiling of all processes on the system
(minus undumpable and otherwise incompatible domains). For apps, the
rest of the platform will still perform checks based on
profileable/debuggable manifest flags. For native processes, the
profilers will check that the process runs as an allowlisted UID.
* allows for all apps (=appdomain) to act as perfetto tracing data
writers (=perfetto_producer) for the ART java heap graph plugin
(perfetto_hprof).
* allows for system_server to act a perfetto_producer for java heap
graphs.
Bug: 247858731
Change-Id: I792ec1812d94b4fa9a8688ed74f2f62f6a7f33a6
DeviceAsWebcam is a new service that turns an android device into a
webcam. It requires access to all services that a
regular app needs access to, and it requires read/write permission to
/dev/video* nodes which is how the linux kernel mounts the UVC gadget.
Bug: 242344221
Bug: 242344229
Test: Manually tested that the service can access all the nodes it
needs, and no selinux exceptions are reported for the service
when running.
Change-Id: I45c5df105f5b0c31dd6a733f50eb764479d18e9f
This is a rather large, single change to the SEPolicies, as fuseblk
required multiple new domains. The goal is to allow any fuseblk
drivers to also use the same sepolicy.
Note the compartmentalized domain for sys_admin and mount/unmount
permissions.
Bug: 254407246
Test: Extensive testing with an ADT-4 and NTFS USB drives.
Change-Id: I6619ac77ce44ba60edd6ab10e8436a8712459b48
The properties for attestation are congifured in build.prop files and
used by frameworks Build.java.
Allow vendor_init to set these properties and allow Zygote to access
them.
Bug: 211547922
Test: SELinuxUncheckedDenialBootTest
Change-Id: I5666524a9708c6fefe113ad4109b8a344405ad57
This CL the selinux rules for the property ro.usb.uvc.enabled which will
be used to toggle UVC Gadget functionality on the Android Device.
Bug: 242344221
Bug: 242344229
Test: Manually tested that the property can only be read at runtime,
not written to.
Change-Id: I0fd6051666d9554037acc68fa81226503f514a45
Introduce isolated_app_all typeattribute to share policies between
isolated_app and future similar apps that wish to be enforced with
isolation properties.
Bug: 255597123
Test: m && presubmit
Change-Id: I0d53816f71e7d7a91cc379bcba796ba65a197c89
Brings in the io_uring class and associated restrictions and adds a new
macro, `io_uring_use`, to sepolicy.
In more detail, this change:
* Adds a new macro expands to ensure the domain it is passed can undergo a
type transition to a new type, `<domain>_iouring`, when the anon_inode
being accessed is labeled `[io_uring]`. It also allows the domain to
create, read, write, and map the io_uring anon_inode.
* Adds the ability for a domain to use the `IORING_SETUP_SQPOLL` flag
during `io_uring_setup` so that a syscall to `io_uring_enter` is not
required by the caller each time it wishes to submit IO. This can be
enabled securely as long as we don't enable sharing of io_uring file
descriptors across domains. The kernel polling thread created by `SQPOLL`
will inherit the credentials of the thread that created the io_uring [1].
* Removes the selinux policy that restricted all domains that make use of
the `userfault_fd` macro from any `anon_inode` created by another domain.
This is overly restrictive, as it prohibits the use of two different
`anon_inode` use cases in a single domain e.g. userfaultfd and io_uring.
This change also replaces existing sepolicy in fastbootd and snapuserd
that enabled the use of io_uring.
[1] https://patchwork.kernel.org/project/linux-security-module/patch/163159041500.470089.11310853524829799938.stgit@olly/
Bug: 253385258
Test: m selinux_policy
Test: cd external/liburing; mm; atest liburing_test; # requires WIP CL ag/20291423
Test: Manually deliver OTAs (built with m dist) to a recent Pixel device
and ensure snapuserd functions correctly (no io_uring failures)
Change-Id: I96f38760b3df64a1d33dcd6e5905445ccb125d3f
ro.secure and ro.debuggable system properties are not intended
to be visible via Android SDK. This change blocks untrusted
apps from reading these properties.
Test: n/a for cherry-pick
Ignore-AOSP-First: cherry-pick for tm-qpr-dev
Bug: 193912100
Bug: 265874811
Change-Id: I40ac5d43da5778b5fa863b559c28e8d72961f831
Merged-In: I40ac5d43da5778b5fa863b559c28e8d72961f831
The untrusted apps should not directly access /dev/socket/mdnsd since
API level 34 (U). Only adbd and netd should remain to have access to
/dev/socket/mdnsd. For untrusted apps running with API level 33-, they
still have access to /dev/socket/mdnsd for backward compatibility.
Bug: 265364111
Test: Manual test
Change-Id: Id37998fcb9379fda6917782b0eaee29cd3c51525
Transfers access permissions into the system policy which
would otherwise be setup on a per-device basis in exactly
the same recurring way.
For surfacefliner it avoids errors when it
(via its dependent graphics libraries) tries to allocate
memory from the protected heap, e.g. when operating on a
Vulkan device with protected memory support.
Bug: 235618476
Change-Id: I7f9a176c067ead2f3bd38b8c34fc55fa39d87655
Zoned block device will be used along with userdata_block_device
for /data partition.
Bug: 197782466
Change-Id: I777a8b22b99614727086e72520a48dbd8306885b
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Split virtualizationservice policy into rules that should remain with
the global service and rules that now apply to virtmgr - a child process
of the client that runs the VM on its behalf.
The virtualizationservice domain remains responsible for:
* allocating CIDs (access to props)
* creating temporary VM directories (virtualization_data_file, chown)
* receiving tombstones from VMs
* pushing atoms to statsd
* removing memlock rlimit from virtmgr
The new virtualizationmanager domain becomes responsible for:
* executing crosvm
* creating vsock connections, handling callbacks
* preparing APEXes
* pushing ramdumps to tombstoned
* collecting stats for telemetry atoms
The `virtualizationservice_use` macro is changed to allow client domains
to transition to the virtmgr domain upon executing it as their child,
and to allow communication over UDS.
Clients are not allowed to communicate with virtualizationservice via
Binder, only virtmgr is now allowed to do that.
Bug: 250685929
Test: atest -p packages/modules/Virtualization:avf-presubmit
Change-Id: Iefdccd908fc28e5d8c6f4566290e79ed88ade70b
Organize the HDMI packages into CEC, EArc and connection under a common
hdmi package.
Bug: 261729059
Test: atest vts_treble_vintf_framework_test
atest vts_treble_vintf_vendor_test
Change-Id: Ief5bff996028775ea355b392a4028a091fb83b99
This CL adds a new cameraservice type to allow vendor clients of
cameraservice to query and find the stable cameraservice
implementation.
Bug: 243593375
Test: Manually tested that cameraservice can register a vendor facing
instance.
Change-Id: I61499406d4811c898719abcb89c51b4b8a29f4a7
This new service is exposed by system_server and available to all apps.
Bug: 259175720
Test: atest and check the log
Change-Id: I522a3baab1631589bc86fdf706af745bb6cf9f03
Start a new security domain for virtmgr - a child proces of an app that
manages its virtual machines.
Add permissions to auto-transition to the virtmgr domain when the client
fork/execs virtmgr and to communicate over UDS and pipe.
Bug: 250685929
Test: atest -p packages/modules/Virtualization:avf-presubmit
Change-Id: I7624700b263f49264812e9bca6b83a003cc929be
aosp/2291528 should have had the `binder_call` macro in hal_can.te be a
`binder_use` macro instead. This fixes that.
Bug: 170405615
Test: AIDL CAN HAL starts up and configures
Change-Id: I7b18c25afef5a243bf0bba7c77a682f7cff092a3
Otherwise, we will encounter SELinux denials like:
W binder:6200_7: type=1400 audit(0.0:327): avc: denied { read } for name="PrebuiltGmsCoreNext_DynamiteLoader.apk" dev="dm-51" ino=2576 scontext=u:r:artd:s0 tcontext=u:object_r:privapp_data_file:s0:c512,c768 tclass=lnk_file permissive=0
Bug: 262230400
Test: No longer see such SELinux denials.
Change-Id: Iccb97b1973f8efbe859b59e729f7a0194d05ba5e
Overlayfs failed to mount during second stage init because init is
lacking these permissions.
These permissions are asserted by the overlayfs driver during mount
operation, see fs/overlayfs/super.c:ovl_check_rename_whiteout
(https://source.corp.google.com/kernel-upstream/fs/overlayfs/super.c;l=1182;bpv=1;bpt=1)
Bug: 243501054
Test: adb remount && check that overlay is active after reboot
Change-Id: I258646b65a49487e6f22a6742ff59e9a0d57b5c0
As a reminder, per:
https://source.corp.google.com/search?q=p:aosp-master%20file:sepolicy%20-file:prebuilts%20proc_bpf%20file:genfs
we currently have:
aosp-master system/sepolicy/private/genfs_contexts
genfscon proc /sys/kernel/bpf_ u:object_r:proc_bpf:s0
genfscon proc /sys/kernel/unprivileged_bpf_ u:object_r:proc_bpf:s0
genfscon proc /sys/net/core/bpf_ u:object_r:proc_bpf:s0
So the above are the files which will no longer be writable by init.
A cs/ search for p:android$ (/sys/kernel/bpf_|/sys/kernel/unprivileged_bpf_|/sys/net/core/bpf_) file:[.]rc
only finds bpfloader.rc init script as actually doing these writes.
Those writes are removed in:
https://android-review.git.corp.google.com/c/platform/system/bpf/+/2325617
'bpfloader - move sysctl setting from rc to binary'
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I19ccdf293966dd982e1d36836b0b962d99ed7275
There should be no need for this and it fixes a long outstanding TODO.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id1764cbc713addbbda6827fe6c6689e45e8f584c
1. Allow them to be configured by vendor_init.
2. Introduce a new system property
hypervisor.memory_reclaim.supported, which is configured by
vendor_init and accessed only by virtualizationservice, and is not
as widely accessible as the existing hypervisor sysprops.
Bug: 235579465
Test: atest MicrodroidTests
Change-Id: I952432568a6ab351b5cc155ff5eb0cb0dcddf433
With AIDL fastboot, wiping partition will be handled by new service.
Allow hal_fastboot_server to the exception to neverallow rule.
Bug: 260140380
Test: th
Test: fastboot -w
Change-Id: Ic38ad715cb097ccd9c8936bb8e2a04e3e70b3245
Signed-off-by: Sandeep Dhavale <dhavale@google.com>
Manual testing protocol:
* Verify prng_seeder daemon is running and has the
correct label (via ps -Z)
* Verify prng_seeder socket present and has correct
label (via ls -Z)
* Verify no SELinux denials
* strace a libcrypto process and verify it reads seeding
data from prng_seeder (e.g. strace bssl rand -hex 1024)
* strace seeder daemon to observe incoming connections
(e.g. strace -f -p `pgrep prng_seeder`)
* Kill daemon, observe that init restarts it
* strace again and observe clients now seed from new instance
Bug: 243933553
Test: Manual - see above
Change-Id: I0a7e339115a2cf6b819730dcf5f8b189a339c57d
(cherry picked from commit e6da3b80d1)
when recording, the encoders need access to determine if on
a handheld and enable some quality standards.
Bug: 251205971
Test: atest android.media.recorder.cts.MediaRecorderTest
Change-Id: I534a6aa24c188002ab0baab9d891e07db0af81f2
This app talks to the remote provisioning HALs, and therefore requires
access to the tee_device domain.
Bug: 254112668
Test: Manually verify rkpd can run and find remote provisioning hals
Change-Id: I876b0890f3d4e8956406d73e956084b99488ce56
This way we can prevent private types (e.g., sdk_sandbox) from accessing
those properties.
Bug: 210811873
Test: m -j, boot device
Change-Id: Idbcc4928c8d0d433f819d8b114e84a5f09466ad0
Create adaptive haptics system property to store adaptive haptics enable
state.
Bug: 198239103
Test: Verified system property usage
Change-Id: I5d4f0a5c8ec4a5b0ce18bc03a6d30879dd76d58b
Signed-off-by: Chris Paulo <chrispaulo@google.com>
This change gives the shell process the needed permissions to call the
rkp_factory_extraction_tool without also granting the ability to access
the KeyMint HAL service.
To run the tool from a shell accessible folder, push
rkp_factory_extraction_tool to /data/local/tmp with:
adb push out/target/product/<path/to/tool>/rkp_factory_extraction_tool \
/data/local/tmp
Test: the tool can be executed in SELinux enforcing mode
Change-Id: Idebebffa9bb405d527ab37c17030db3999efe3d1
This reverts commit f4ab6c9f3c.
Reason for revert: CPU HAL is no longer required because the CPU frequency sysfs files are stable Linux Kernel interfaces and could be read directly from the framework.
Change-Id: I8e992a72e59832801fc0d8087e51efb379d0398f
This CL allows dumpstate to signal evsmanagerd, which is another
android.hardware.automotive.evs.IEvsEnumerator implementation, to dump
its stack.
Fix: 243335867
Test: atest android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: I37b4cf0ae45f8196f92088cf07a2b45c44f50ee8
Change-Id: Ia091bf8f597a25351b5ee33b2c2afc982f175d51
Test: Ran `m; emulator; adb logcat -b all -d > logcat.txt;`
and verified CPU HAL is running without any sepolicy violation.
Bug: 252883241
This way we can prevent private types (e.g., sdk_sandbox) from accessing
those properties.
Bug: 210811873
Test: m -j, boot device
Change-Id: I55e3a4b76cabb6f47cee0972e6bad30565f0db7a
This CR, when paired with a functional NTFS implementation and the
corresponding vold updates, will allow NTFS USB drives to be mounted
on Android.
Bug: 254407246
Test: Extensive testing with NTFS USB drives.
Change-Id: I259882854ac40783f6d1cf511e8313b1d5a04eef
There are still some paths (potentially obsolete) on non-treble devices
where hal_keymint_client domains have the hal_keymint typeattribute
applied. In these cases, those domains also pick up the file access
permissions currently granted to hal_keymint.
Clean this up by limiting the permissions to hal_keymint_server only.
Test: VtsAidlKeyMintTargetTest
Change-Id: If1a437636824df254da245e7587df825b6963ed9
This reverts commit a87c7be419.
Reason for revert: I was mistaken and this isn't a property that the vendor should set, but the OEM should override from the product partition. That doesn't require sepolicy changes.
Bug: 256109167
Change-Id: Idebfb623dce960b2b595386ade1e4c4b92a6e402
Vendors should be able to set the `remote_provisioning.tee.rkp_only` and
`remote_provisioning.strongbox.rkp_only` properties via
PRODUCT_VENDOR_PROPERTIES so grant `vendor_init` the permission to set
them.
The property wasn't able to use `system_vendor_config_prop()` as
`remote_prov_app` has tests which override the properties.
Bug: 256109167
Test: manual test setting the property from device.mk for cuttlefish
Change-Id: I174315b9c0b53929f6a11849efd20bf846f8ca29
aosp/2215361 added the collection of update_engine preferences by
dumpstate. Add the corresponding policy. The /data/misc/update_engine
directory only contains the prefs/ subdirectory (see
DaemonStateAndroid::Initialize in update_engine).
Bug: 255917707
Test: m selinux_policy
Change-Id: I8c80f319d97f22f29158dd67352c3429d3222a35
While running the MicrodroidTests I noticed denials like these:
avc: denied { getattr } for comm="virtualizations" path="pipe:[86794]"
dev="pipefs" ino=86794 scontext=u:r:virtualizationservice:s0
tcontext=u:r:untrusted_app:s0:c122,c256,c512,c768 tclass=fifo_file
permissive=0
These are harmless, so we could dontaudit them, but it is also fine
to simply allow getattr.
Test: atest MicrodroidTests, no denials seen
Change-Id: I53a2967eb6e396979a86715b3d5a7681f48dcb63
