These will get read by system libraries in arbitrary processes, so it's
a public property with read access by `domain`.
Bug: 235129567
Change-Id: I1ab880626e4efa2affe90165ce94a404b918849d
This CL adds rules to allow artd to delete optimized artifacts.
In general, some functionalities from installd are being migrated to
artd, so artd needs permissions to do what installd is doing: managing
profiles and compilation artifacts that belong to individual apps.
Bug: 225827974
Test: adb shell pm art delete-optimized-artifacts com.google.android.youtube
Change-Id: I1780cdfb481175fd3b0bc9031fdabb8e7cd71a12
Remove references in sepolicy. Leave a few of the types defined since
they're public and may be used in device-specific policy.
Bug: 211461392
Test: build/boot cuttlefish
Change-Id: I615137b92b82b744628ab9b7959ae5ff28001169
This is necessary for vendor code to be able to send trace packets to
Perfetto, which we are doing as part of an effort to provide more
detailed profiling of some vendor code.
Bug: 222684359
Test: (with downstream policy updates) m selinux_policy
Change-Id: I5ab1c04290f69e391d66a76c262d75cadb794f8d
This is useful for certain tests. Note that it is already possible to
access these files without root via adb pull, since adbd has
access. Shell also already has access to non-updated APEXes on
/system/apex.
Bug: 220918654
Test: adb unroot; pm install --apex /data/apex/decompressed/X.decompressed.apex
Change-Id: I35725499365b297a64c9005c8e45325531d3991d
Because mtectrl is a system internal domain, and we don't need to expose
the type to vendor.
Test: build and boot
Change-Id: Idb5c4a4c6f175e338722971944bf08ba99835476
simpleperf_boot is the secontext used to run simpleperf from init,
to generate boot-time profiles.
Bug: 214731005
Test: run simpleperf manually
Change-Id: I6f37515681f4963faf84cb1059a8d5845c2fe5a5
We need to remove any existing files (and the directory) to allow
odrefresh in the VM to re-create them via authfs.
But we don't need, and shouldn't have, any other access to them.
Bug: 210460516
Test: composd_cmd async-odrefresh
Change-Id: Iaafe33934146a6b8dda7c28cc1239c2eed167379
Previously this was always done by odrefresh. But now we are running
odrefresh in the VM we need to allow FD server to do it as its proxy.
Bug: 209572241
Bug: 209572296
Test: composd_cmd forced-oderefresh
Change-Id: I4bc10d6a3ec73789721a0541f04dd7e3865fe826
composd in responsible to prepare the staging directory for odrefresh
(in the VM) to write the output to. Temporary output should be put in a
staged directory with a temporary apex_art_staging_data_file context.
When a compilation is finished, the files can then be moved to the final
directory with the final context.
Bug: 205750213
Test: No denials
Change-Id: I9444470b31518242c1bb84fc755819d459d21d68
New type added in sepolicy to restrict Vendor defined uuid mapping
config file access to SecureElement.
Bug: b/180639372
Test: Run OMAPI CTS and VTS tests
Change-Id: I81d715fa5d5a72c893c529eb542ce62747afcd03
Virtualizationservice queries "package_native" service to get staged
apex info and then reads staged apexes to VM.
Bug: 199146189
Test: MicrodroidHostTestCases
Change-Id: Icbfe5b9a05abc08d3e0270d15969f632b3f57c66
There can be VM disk images that are specific to the underlying SoC.
e.g. in case where SoC-specific hardware is dedicated to a VM and the VM
needs drivers (or HALs) for the hardware.
Don't prevent crosvm from reading such a SoC-specific VM disk images.
Note that this doesn't actually allow crosvm to do that in AOSP. Such an
allow rule could be added in downstreams where such use cases exist.
Bug: 193605879
Test: m
Change-Id: If19c0b6adae4c91676b142324c2903879548a135
The test for the services has been running with selinux disabled. To
turn selinux on, required rules are allowed.
Below is the summary of the added rules.
* crosvm can read the composite disk files and other files (APKs,
APEXes) that serve as backing store of the composite disks.
* virtualizationservice has access to several binder services
- permission_service: to check Android permission
- apexd: to get apex files list (this will be removed eventually)
* Both have read access to shell_data_file (/data/local/tmp/...) for
testing purpose. This is not allowed for the user build.
* virtualizationservice has access to the pseudo terminal opened by adbd
so that it can write output to the terminal when the 'vm' tool is
invoked in shell.
Bug: 168588769
Test: /apex/com.android.virt/bin/vm run-app --log /dev/null
/data/local/tmp/virt/MicrodroidDemoApp.apk
/data/local/tmp/virt/MicrodroidDemoApp.apk.idsig
/data/local/tmp/virt/instance.img
assets/vm_config.json
without disabling selinux.
Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
Virtualizationservice should be able to read
* /apex/apex-info-list.xml: apex_info_file
* /data/apex/{active, uncompressed}: staging_data_file,
apex_data_file
and pass them to guest OS.
Bug: n/a
Test: atest MicrodroidHostTestCases
(see logcat for denials)
Change-Id: Ia9dab957a6f912aa193d58e2817a00d4a39b4536
Any FUSE filesystem will receive the 'fuse' type when mounted. It is
possible to change this behaviour by specifying the "context=" or
"fscontext=" option in mount().
Because 'fuse' has historically been used only for the emulated storage,
it also received the 'sdcard_type' attribute. Replace the 'sdcard_type'
attribute from 'fuse' with the new 'fusefs_type'. This attribute can be
attached on derived types (such as app_fusefs).
This change:
- Remove the neverallow restriction on this new type. This means any
custom FUSE implementation can be mounted/unmounted (if the correct
allow rule is added). See domain.te.
- Change the attribute of 'fuse' from 'sdcard_type' to 'fusefs_type'.
See file.te.
- Modify all references to 'sdcard_type' to explicitly include 'fuse'
for compatibility reason.
Bug: 177481425
Bug: 190804537
Test: Build and boot aosp_cf_x86_64_phone-userdebug
Change-Id: Id4e410a049f72647accd4c3cf43eaa55e94c318f
These are moved to packages/modules/Virtualization.
Bug: 189165759
Test: boot device and microdroid
Test: atest MicrodroidHostTestCases
Change-Id: I050add7fef56ced4787117f338e7b5d1fda1c193
Microdroid_manager should execute a command passed via a VM payload
config. Ideally, the spawned process should be in a dedicated domain
which has the right set of permissions.
For now, it is allowed to execute shell/toybox for testing/debuging. And
also it is allowed to access fusefs to load a library or a config file.
Bug: 189301496
Test: MicrodroidHostTestCases
Change-Id: I7872514b40a9e23bbbed2b3e1ccd322f4e9cf832
Microdroid_launcher is an executable in microdroid. It's role is to load
a shared library in an APK that is shared from the host Android and
execute it by calling an entry point (android_native_main) in it.
For now, it is executed from shell, but will eventually be executed from
a binder service (which also is running in microdroid) called
microdroid_manager.
Bug: 188513012
Test: atest MicrodroidHostTestCases
Change-Id: I150a958c1ed0e3e960f4b4b577e808e54e898644
zipfuse is a FUSE implementation that runs in microdroid. In the virtual
machine, it reads a block device (/dev/vd* via the symlink
/dev/block/by-name/microdroid-apk) whose content is read from an apk
in the host side. Then the makes the entries in the zip file (apk is
also a zip) as regular files in the virtual machine.
Note that the filesystem is mounted as default 'fuse:filesystem' because
it's mounted without the `fcontext` option, which is due to the libfuse
library we are importing from crosvm (b/188400186).
Bug: 188388851
Test: atest MicrodroidHostTestCases
Change-Id: Ide9bac88088535f4f335f2725fa929d23015e6e1
It is important that fastbootd is able to mount /metadata in recovery, in
order to check whether Virtual A/B snapshots are present. This is
enabled on userdebug builds, but currently fails on user builds.
Fixes:
audit: type=1400 audit(7258310.023:24): avc: denied { mount } for pid=511 comm="fastbootd" name="/" dev="sda15" ino=2 scontext=u:r:fastbootd:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0
Bug: 181097763
Test: fastboot flash on user build
Change-Id: I1abeeaa3109e08755a1ba44623a46b12d9bfdedc
This reverts commit 231c04b2b9.
Now that b/186727553 is fixed, it should be safe to revert this revert.
Test: build
Bug: 184381659
Change-Id: If26ba23df19e9854a121bbcf10a027c738006515
This reverts commit e95e0ec0a5.
Now that b/186727553 is fixed, it should be safe to revert this revert.
Test: build
Bug: 184381659
Change-Id: Ibea3882296db880f5cafe4f9efa36d79a183c8a1
Every process needs to be able to determine the IncFS features
to choose the most efficient APIs to call
Bug: 184357957
Test: build + atest PackageManagerShellCommandTest
Change-Id: Ia84e3fecfd7be1209af076452cc27cc68aefd80d
To parse etm data for kernel and kernel modules, add below permissions
to profcollectd:
1. Get kernel start address and module addresses from /proc/kallsyms
and /proc/modules.
2. Get kernel build id from /sys/kernel/notes.
3. Read kernel module files in vendor dir.
Bug: 166559473
Test: run profcollectd.
Change-Id: I2e0b346379271fadc20e720722f7c9a687335ee2
Allow mm_events to periodically arm the mm_events
perfetto trace config if mm_events is enabled.
Bug: 183037386
Test: boot; setprop persist.mm_events.enabled true; No avc denials
Change-Id: Ia9760001e7fb591f18e3e816a63281167a658c74
Previously we would mount OTA images with a 'context=...' mount
option. This meant that all selinux contexts were ignored in the ota
image, limiting the usefulness of selinux in this situation. To fix
this the mount has been changed to not overwrite the declared contexts
and the policies have been updated to accurately describe the actions
being performed by an OTA.
Bug: 181182967
Test: Manual OTA of blueline
Merged-In: I5eb53625202479ea7e75c27273531257d041e69d
Change-Id: I5eb53625202479ea7e75c27273531257d041e69d
Bug: 168907513
Test: verified the correct working of the v2 uid/pid hierarchy in normal
and recovery modes
This reverts commit aa8bb3a29b.
Change-Id: Ib344d500ea49b86e862e223ab58a16601eebef47
a54bed6907
Bug: 151660495
Test: verified proper boot in regular mode and proper working of adb in
recovery
Change-Id: Id70d27a6162af6ede94661005d80a2a780057089
And allow access from system apps to vendor libs public only for system.
These files should be marked individually by OEMs. Maintainance
ownership for these libraries is also OEM's responsability.
Similar with vendor_public_libs_file type, this allows for an explicit
labeling of OEM system apps that can access libs from vendor.
Bug: 172526961
Test: build-only change, policy builds
Change-Id: I7d4c8232e0b52e73f373d3347170c87ab2dcce52
odrefresh is the process responsible for checking and creating ART
compilation artifacts that live in the ART APEX data
directory (/data/misc/apexdata/com.android.art).
There are two types of change here:
1) enabling odrefresh to run dex2oat and write updated boot class path
and system server AOT artifacts into the ART APEX data directory.
2) enabling the zygote and assorted diagnostic tools to use the
updated AOT artifacts.
odrefresh uses two file contexts: apex_art_data_file and
apex_art_staging_data_file. When odrefresh invokes dex2oat, the
generated files have the apex_art_staging_data_file label (which allows
writing). odrefresh then moves these files from the staging area to
their installation area and gives them the apex_art_data_file label.
Bug: 160683548
Test: adb root && adb shell /apex/com.android.art/bin/odrefresh
Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
This simplifies operation by removing a special case for user builds.
Test: atest CtsPerfettoTestCases on user
Test: atest CtsPerfettoTestCases on userdebug
Test: atest perfetto_integrationtests on userdebug
Bug: 153139002
Change-Id: Ibbf3dd5e4f75c2a02d931f73b96fabb8157e0ebf
During staged installation, we no longer create duplicate sessions for
verification purpose. Instead, we send the original files in
/data/app-staging folder to package verifiers for verification. That
means, Phonesky needs access to /data/app-staging folder to be able to
verify the apks inside it.
Bug: 175163376
Test: atest StagedInstallTest#testPlayStoreCanReadAppStagingDir
Test: atest StagedInstallTest#testAppStagingFolderCannotBeReadByNonPrivApps
Change-Id: I5cbb4c8b7dceb63954c747180b39b4a21d2463af
the cgroups v2 uid/gid hierarchy will replace cgroup for all sepolicy
rules. For this reason, old rules have to be duplicated to cgroup_v2,
plus some rules must be added to allow the ownership change for cgroup
files created by init and zygote.
Test: booted device, verified correct access from init, system_server
and zygote to the uid/pid cgroup files
Change-Id: I80c2a069b0fb409b442e1160148ddc48e31d6809
Define access rights to new per-API level task profiles and cgroup
description files under /etc/task_profiles/.
Bug: 172066799
Test: boot with per-API task profiles
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I04c9929fdffe33a9fc82d431a53f47630f9dcfc3
We no longer allow apps with mlstrustedsubject access to app_data_file
or privapp_data_file. For compatibility we grant access to all apps on
vendor images for SDK <= 30, whether mlstrustedsubject or not. (The
ones that are not already have access, but that is harmless.)
Additionally we have started adding categories to system_data_file
etc. We treat these older vendor apps as trusted for those types only.
The result is that apps on older vendor images still have all the
access they used to but no new access.
We add a neverallow to prevent the compatibility attribute being
abused.
Test: builds
Change-Id: I10a885b6a122292f1163961b4a3cf3ddcf6230ad
