The system property "vold.post_fs_data_done" is used by init and vold to
communicate with each other in order to set up FDE on devices that use
FDE. It needs to be gettable and settable by vold, and settable by init
and vendor_init. This was the case in Android 11 and earlier; however,
the change
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1277447
("Rename exported and exported2 vold prop") broke this by giving this
property the type "vold_config_prop", which made it no longer settable
by vold.
Since none of the existing property types appear to be appropriate for
this particular property, define a new type "vold_post_fs_data_prop" and
grant the needed domains permission to get/set it.
This is one of a set of changes that is needed to get FDE working again
so that devices that launched with FDE can be upgraded to Android 12.
Bug: 186165644
Test: Tested FDE on Cuttlefish
Change-Id: I2fd8af0091f8b921ec37381ad3b85a156d074566
* changes:
Revert "Add a neverallow for debugfs mounting"
Revert "Add neverallows for debugfs access"
Revert "Exclude vendor_modprobe from debugfs neverallow restrictions"
Revert "Check that tracefs files are labelled as tracefs_type"
Revert submission 1668411
Reason for revert: Suspect for b/186173384
Reverted Changes:
Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t...
I743a81489:Exclude vendor_modprobe from debugfs neverallow re...
I63a22402c:Add neverallows for debugfs access
I289f2d256:Add a neverallow for debugfs mounting
Change-Id: Ie04d7a4265ace43ba21a108af85f82ec137c6af0
Revert submission 1668411
Reason for revert: Suspect for b/186173384
Reverted Changes:
Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t...
I743a81489:Exclude vendor_modprobe from debugfs neverallow re...
I63a22402c:Add neverallows for debugfs access
I289f2d256:Add a neverallow for debugfs mounting
Change-Id: I9b7d43ac7e2ead2d175b265e97c749570c95e075
Revert submission 1668411
Reason for revert: Suspect for b/186173384
Reverted Changes:
Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t...
I743a81489:Exclude vendor_modprobe from debugfs neverallow re...
I63a22402c:Add neverallows for debugfs access
I289f2d256:Add a neverallow for debugfs mounting
Change-Id: I04f8bfdc0e5fe8d2f7d6596ed7b840332d611485
* changes:
Check that tracefs files are labelled as tracefs_type
Exclude vendor_modprobe from debugfs neverallow restrictions
Add neverallows for debugfs access
Add a neverallow for debugfs mounting
Every process needs to be able to determine the IncFS features
to choose the most efficient APIs to call
Bug: 184357957
Test: build + atest PackageManagerShellCommandTest
Change-Id: Ia84e3fecfd7be1209af076452cc27cc68aefd80d
vendor_modprobe loads kernel modules which may create files in
debugfs during module_init().
Bug: 179760914
Test: build
Change-Id: I743a81489f469d52f94a88166f8583a7d797db16
Android R launching devices and newer must not ship with debugfs
mounted. For Android S launching devices and newer, debugfs must only be
mounted in userdebug/eng builds by init (for boot-time initializations)
and dumpstate (for grabbing debug information from debugfs using the
dumpstate HAL).
This patch adds neverallow statements to prevent other processes from
being provided access to debugfs when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS
is set to true.
Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Bug: 184381659
Change-Id: I63a22402cf6b1f57af7ace50000acff3f06a49be
Android R launching devices and newer must not ship with debugfs
mounted. For Android S launching devices and newer, debugfs must only be
mounted in userdebug/eng builds by init (for boot-time initializations)
and dumpstate (for grabbing debug information from debugfs). This patch
adds a neverallow statement that prevents processes other than init
from being provided access to mount debugfs in non-user builds
when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS is set to true.
Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Bug: 184381659
Change-Id: I289f2d25662a78678929e29f83cb31cebd8ca737
BINDER_ENABLE_ONEWAY_SPAM_DETECTION is used to enable/disable oneway
spamming detection in binder driver, and can be set per-proc.
Bug: 181190340
Change-Id: Id799b19ee5a74b458e286dc29122c140a047bdad
This allows NNAPI users to pass in model data from the asset folder.
Bug: 184880878
Test: nnapi demo app with model data from asset file
Test: NNAPI benchmark CTS
Change-Id: I79ded4e9f35eb15e1f9f0d91308840e8b318d218
- Add dir read access to /sys/class/devfreq/
- Add file read access to /sys/class/devfreq/$DEVICE/cur_freq
Resolves the following denials:
W traced_probes: type=1400 audit(0.0:8):
avc: denied { read } for name="devfreq" dev="sysfs"
ino=28076 scontext=u:r:traced_probes:s0
tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0
W traced_probes: type=1400 audit(0.0:226):
avc: denied { read } for name="cur_freq" dev="sysfs"
ino=54729 scontext=u:r:traced_probes:s0
tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
See ag/14187061 for device specific sysfs_devfreq_cur labels
Bug: 181850306
Test: ls -Z, record perfetto trace
Change-Id: I23cebb16505313160e14b49e82e24da9b81cad70
This patch adds ro.product.enforce_debugfs_restrictions to
property_contexts. When the property is set to true in non-user builds,
init mounts debugfs in early-init to enable boot-time debugfs
initializations and unmounts it on boot complete. Similarly dumpstate
will mount debugfs to collect information from debugfs during bugreport
collection via the dumpstate HAL and unmount debugfs once done. Doing
so will allow non-user builds to keep debugfs disabled during runtime.
Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS, adb shell am
bugreport
Bug: 184381659
Change-Id: Ib720523c7f94a4f9ce944d46977a3c01ed829414
Add property & property context to configure whether the bootanimation
should be played in a quiescent boot.
Bug: 185118020
Test: Set property through PRODUCT_PRODUCT_PROPERTIES
Test: Read property from bootanimation process
Change-Id: Ib9e88444da7f5e8000d7367199f5230f1e4d26d9
Add "ro.camerax.extensions.enabled" vendor-specific property.
Allow public apps to read this property.
Bug: 171572972
Test: Camera CTS
Change-Id: Id5fadedff6baaaebe5306100c2a054e537aa61ed
Allow keystore to call statsd.
Allow statsd to call back to keystore to pull atoms.
Bug: 172013262
Test: atest system/keystore/keystore2
Test: statsd_testdrive 10103
Change-Id: I2d1739e257e95b37cc61f655f98f7a2724df7d76
The su domain is always permissive. Operations which occur in this
domain should never be logged.
Addresses the following denials:
avc: denied { bpf } for comm="bpf_module_test" capability=39
scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=capability2 permissive=1
Bug: 185230825
Test: builds
Change-Id: Id8bd355a9636fb5e9d26ef570c2cf7e4273b08b5
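As an added example (not code from any of these commits), here is a small audit2allow-style parser run over the denials quoted in the traced_probes and su commits above; the sample input is constructed by re-joining each wrapped denial onto one line as logcat prints it, and the parser separates enforced denials from permissive-domain ones, which the su commit notes should not be logged at all.

```python
import re
from collections import defaultdict

# Constructed sample: the two traced_probes denials and the su denial quoted in
# the commit messages above, each re-joined onto a single line.
SAMPLE_DENIALS = """\
W traced_probes: type=1400 audit(0.0:8): avc: denied { read } for name="devfreq" dev="sysfs" ino=28076 scontext=u:r:traced_probes:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0
W traced_probes: type=1400 audit(0.0:226): avc: denied { read } for name="cur_freq" dev="sysfs" ino=54729 scontext=u:r:traced_probes:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
avc: denied { bpf } for comm="bpf_module_test" capability=39 scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=capability2 permissive=1
"""

AVC_RE = re.compile(
    r'avc: denied \{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) '
    r'tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?'
)

def parse_denials(text):
    """Return one dict per avc denial line; lines that are not denials are skipped."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d['perms'] = set(d['perms'].split())
        d['permissive'] = d['permissive'] == '1'
        # The SELinux type is the third field of a context such as u:r:traced_probes:s0
        d['stype'] = d['scontext'].split(':')[2]
        d['ttype'] = d['tcontext'].split(':')[2]
        out.append(d)
    return out

def suggest_rules(denials):
    """Group enforced denials into allow rules keyed by (source, target, class).
    Denials with permissive=1 were never actually blocked, so they are reported
    separately instead of being turned into rules."""
    grouped = defaultdict(set)
    permissive = []
    for d in denials:
        if d['permissive']:
            permissive.append(f"{d['stype']} {' '.join(sorted(d['perms']))} ({d['tclass']})")
        else:
            grouped[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    rules = [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
             for (s, t, c), p in sorted(grouped.items())]
    return rules, permissive
```

The generated rules grant read on the generic sysfs type, which is broader than the commit's fix: it instead labels the cur_freq node with a device-specific sysfs_devfreq_cur type, so the policy should be narrowed to that label rather than applied as generated.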
In microdroid, apexd activates apexes which are passed as a virtual disk
to share apexes with host Android.
Bug: 184605708
Test: apexd running in microdroid can read /dev/block/vdb2
when a disk image is passed to crosvm via --disk= option.
Change-Id: Ie27774868a0e0befb4c42cff795d1531b042654c
This service will intercept all UwbManager API calls and then perform
necessary permission checks before forwarding the call to the vendor
UWB service. Adding sepolicy permissions for exposing the service that
handles all public APIs.
Bug: 183904955
Test: atest android.uwb.cts.UwbManagerTest
Change-Id: Icce4d2f586926421c06e8902a91533002c380b8d
To parse etm data for kernel and kernel modules, add the following permissions
to profcollectd:
1. Get kernel start address and module addresses from /proc/kallsyms
and /proc/modules.
2. Get kernel build id from /sys/kernel/notes.
3. Read kernel module files in vendor dir.
Bug: 166559473
Test: run profcollectd.
Change-Id: I2e0b346379271fadc20e720722f7c9a687335ee2
When a bug causes us to leak a file descriptor or resource in the OTA
path, it can cause unremovable device-mapper devices. The companion CL
in this topic attempts to diagnose such problems by performing a quick
scan for things depending on an unremovable block device: mounts, loop
devices, and other device-mapper nodes.
To detect mounts it would normally be enough to scan /proc/mounts, but
with MNT_DETACH the filesystem may still be mounted but not visible to
update_engine. This is exactly what happened in b/184715543.
To scan for such cases, we look for /sys/fs/ext4/<name> or
/sys/fs/f2fs/<name> where <name> is the block device. To make this work,
we grant update_engine r_dir_perms to sysfs and sysfs_f2fs_dir. It
doesn't actually need to read the contents of any files; the presence of
the inode is good enough.
Bug: N/A
Test: manual test
Change-Id: Ib085c9c814180b360e2170135011261bbb7e35b6