Few domains are granted access to this, but they should have access
from any user.
Also add some neverallows to prevent misuse.
Bug: 170622707
Test: presubmits
Change-Id: Iacbe7b0525604f2339f8bf31c105af738bc3cd75
This reverts commit 6c99a6781c.
Reason for revert: build breaks on build test
Bug: 171847597
Test: None
Change-Id: I7d3556aa0f06684b43f80f09e4c8194c6c44336c
dm-user is a new device-mapper module, providing a FUSE-like service for
block devices. It creates control nodes as misc devices under
/dev/dm-user/. Make sure these nodes get a unique selabel.
snapuserd is a daemon for servicing requests from dm-user. It is a
low-level component of Virtual A/B updates, and provides the bridge
between dm-snapshot and the new COW format. For this reason it needs
read/write access to device-mapper devices.
Bug: 168259959
Test: ctl.start snapuserd, no denials
vts_libsnapshot_test, no denials
Change-Id: I36858a23941767f6127d6fbb9e6755c68b91ad31
Devices launched with S must use the new variable naming
scheme introduced in If8188feb365eb9e500f2270241fa190a20e9de01
"Android.mk: Support SYSTEM_EXT* sepolicy".
The old variable name
`BOARD_PLAT_{PUBLIC,PRIVATE}_SEPOLICY_DIR` no longer
accurately reflects its usage and as such is deprecated.
Test: `make selinux_policy` with PRODUCT_SHIPPING_API_LEVEL=26 and
`BOARD_PLAT_{PUBLIC,PRIVATE}_SEPOLICY_DIR` set,
observe additions in `$(TARGET_COPY_OUT_SYSTEM_EXT)/etc/selinux`
Test: `make selinux_policy` with PRODUCT_SHIPPING_API_LEVEL=31 and
`BOARD_PLAT_{PUBLIC,PRIVATE}_SEPOLICY_DIR` set,
observe error
Signed-off-by: Felix Elsner <google@ix5.org>
Change-Id: Ic4d1164be611836f6aa697fbf1cb1f1c73a3cd39
This property controls the minimum time window that triggers a fatal abort
of the init process when the zygote service crashes repeatedly within it.
Bug: 146818493
Change-Id: Ibd371be0daf6510df8b4d1a1f12f0aab8d6392c7
Add proc_net rules into prebuilts/api/30.0/public/file.te to fix build
errors
After applying AOSP/1468206, TH reports a build error:
Files system/sepolicy/prebuilts/api/30.0/public/file.te and
system/sepolicy/public/file.te differ
Bug: 145579144
Bug: 170265025
Test: build pass and reboot to check avc message in bugreport
Change-Id: I2085366b345c044e1b69f726809100fa43336c34
This CL allows the traced_probes service to temporarily
lower kptr_restrict and read /proc/kallsyms.
This is allowed only on userdebug/eng builds.
The lowering of kptr_restrict is done via an init
property because the kernel checks that the kptr_restrict
writer is CAP_SYS_ADMIN, regardless of the /proc file ACLs [1].
[1] 4cbffc461e/kernel/sysctl.c (L2254)
Bug: 136133013
Design doc: go/perfetto-kallsyms
Test: perfetto_integrationtests --gtest_filter=PerfettoTest.KernelAddressSymbolization in r.android.com/1454882
Change-Id: Ic06e7a9a74c0f3e42fa63f7f41decc385c9fea2c
Bug: 168571434
Test: 1. Install a DSU system.
2. Boot the DSU system and reboot back to the host system.
3. Wipe the DSU installation.
4. DSU metadata key dir /metadata/vold/metadata_encryption/dsu/dsu is
destroyed.
Change-Id: I229a02abb7bd1f070bb078bdaf89fb27cc4bfa47
system_property_type and vendor_property_type can't be assigned
together. For example, the following policy snippet will fail.
system_public_prop(foo_prop)
typeattribute foo_prop vendor_property_type;
product_property_type is currently synonym for system_property_type, so
we only check those two.
Bug: 171437654
Test: m selinux_policy
Test: add "typeattribute default_prop vendor_property_type;" to
property.te and then "m selinux_policy"
Change-Id: I1cdbf3d04264bb045568c30f19339dfe3889dbb4
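As an added illustration (not the sepolicy build's own checker), a small scan of .te text that reports property types given both a system/product owner attribute and vendor_property_type. Only system_public_prop appears in the text; the wider `<owner>_<visibility>_prop` macro family is an assumption about the naming pattern, and the policy snippet is constructed.

```python
import re
from typing import Dict, List, Set

# Constructed policy snippet mirroring the conflicting case in the text.
SAMPLE_POLICY = """
system_public_prop(foo_prop)
typeattribute foo_prop vendor_property_type;
vendor_public_prop(bar_prop)
type baz_prop, property_type;
typeattribute baz_prop system_property_type;
"""

# Macros of the form <owner>_<visibility>_prop(name). The family beyond
# system_public_prop is an assumption about the macro naming pattern.
MACRO_RE = re.compile(
    r"^(system|product|vendor)_(?:internal|restricted|public)_prop\((\w+)\)")
TYPEATTR_RE = re.compile(r"^typeattribute\s+(\w+)\s+(\w+)\s*;")

OWNER_ATTRS = {"system_property_type", "product_property_type",
               "vendor_property_type"}


def owner_attributes(policy: str) -> Dict[str, Set[str]]:
    """Map each property type to the owner attributes it is given."""
    owners: Dict[str, Set[str]] = {}
    for raw in policy.splitlines():
        line = raw.strip()
        if m := MACRO_RE.match(line):
            owners.setdefault(m.group(2), set()).add(
                f"{m.group(1)}_property_type")
        elif m := TYPEATTR_RE.match(line):
            if m.group(2) in OWNER_ATTRS:
                owners.setdefault(m.group(1), set()).add(m.group(2))
    return owners


def conflicting_owners(policy: str) -> List[str]:
    """Property types owned by both system/product and vendor.

    product_property_type is folded into system_property_type, since the
    text treats it as a synonym for the purpose of this check.
    """
    conflicts = []
    for prop, attrs in sorted(owner_attributes(policy).items()):
        normalized = {"system_property_type" if a == "product_property_type"
                      else a for a in attrs}
        if {"system_property_type", "vendor_property_type"} <= normalized:
            conflicts.append(prop)
    return conflicts
```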
Before, we completely disallowed any untrusted app to access a service
operated by vendor. However, sometimes this is needed in order to
implement platform APIs. So now, vendor services which aren't explicitly
marked as 'protected_service' (like protected_hwservice in HIDL) are
blocked from being used by apps. This gives everyone a mechanism for
apps to directly access vendor services, when appropriate.
For instance:

                          VINTF
                            |
   vendor.img/etc           |       system.img/etc
                            |
   (vendor HAL) <----AIDL---|--> (public lib <-- loaded by app
                            |                    or platform
                            |                    component)
                            |
                            |
Fixes: 163478173
Test: neverallow compiles
Change-Id: Ie2ccbff4691eafdd226e66bd9f1544be1091ae11
Per http://cs/aosp-master/system/sepolicy/private/genfs_contexts?l=21
genfscon proc /net u:object_r:proc_net:s0
The /proc/net/... portion of proc should be 'proc_net', not the default of 'proc'.
For example on a bonito:
$ adbb shell ls -alZd /proc /proc/net/xt_quota
dr-xr-xr-x 757 root root u:object_r:proc:s0 0 1969-12-31 16:00 /proc
dr-xr-xr-x 2 root root u:object_r:proc_net:s0 0 2020-10-20 11:02 /proc/net/xt_quota
This already mostly works, but occasionally on 4.19 devices we see
(apparently spurious) denials (my gut feeling is kernel behaviour
changed and/or is racy):
[ 37.434457] type=1400 audit(1574821413.359:2102): avc: denied { associate } for comm="Binder:762_1" name="globalAlert" scontext=u:object_r:proc_net:s0 tcontext=u:object_r:proc:s0 tclass=filesystem permissive=1
Presumably caused by a binder rpc into netd:
http://cs/aosp-master/system/netd/server/BandwidthController.cpp?l=635&rcl=cdd79f13c670605819333de2d7b67d7f8a42210c
Things seem to work anyway, presumably because eventually it does somehow
get set to 'proc_net' anyway...
This patch will allow the removal of:
allow proc_net proc:filesystem { associate };
and
dontaudit proc_net proc:filesystem associate;
from device specific configs.
Bug: 145579144
Bug: 170265025
Test: treehugger will
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I46294d8b1526e846a5eddb350adf51c76634b8f1
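As an added check (not part of the change), a parser for avc denial lines that flags the proc_net -> proc filesystem `associate` denial quoted in the message, so a device policy owner can confirm it no longer appears after dropping the device-specific allow/dontaudit rules. The first sample line is the one quoted above; the other two are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed log: line 1 is the denial quoted in the text, lines 2-3 are made up.
SAMPLE_LOG = """\
[   37.434457] type=1400 audit(1574821413.359:2102): avc: denied { associate } for comm="Binder:762_1" name="globalAlert" scontext=u:object_r:proc_net:s0 tcontext=u:object_r:proc:s0 tclass=filesystem permissive=1
[   38.000001] type=1400 audit(1574821414.000:2103): avc: denied { read } for comm="app" name="stat" scontext=u:r:untrusted_app:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
[   38.100000] some unrelated kernel message
"""

AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) "
    r"tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?")


def selinux_type(ctx: str) -> str:
    """Third field of user:role:type:level, e.g. proc_net."""
    return ctx.split(":")[2]


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one avc denial, or None for non-avc lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": selinux_type(m.group("scontext")),
        "ttype": selinux_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }


def proc_net_associate_denials(log: str) -> List[str]:
    """Lines where proc_net failed to associate with the proc filesystem."""
    hits = []
    for line in log.splitlines():
        d = parse_avc(line)
        if (d and d["stype"] == "proc_net" and d["ttype"] == "proc"
                and d["tclass"] == "filesystem" and "associate" in d["perms"]):
            hits.append(line)
    return hits
```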
These are in the ART APEX and covered by
apex/com.android.art.{debug,release}-file_contexts.
Bug: 160683548
Test: boot and check no avc denied messages logcat
Change-Id: I8024b3e37bb3e680739c45b08e4a846f2adea98c
As SystemSuspend will provide wakeup reasons along with wakeup
notification, it is no longer needed for BatteryStats, which lives
on system_server to access the kernel wakeup reason file.
Test: adb logcat -b all -d | audit2allow -p policy
Bug: 171021049
Change-Id: Idfbc7bb6f9a68d70ac89bfe838cda06739de403c
It will be used to dump system_server data that is not associated
with any service.
Test: adb shell dumpsys system_server
Bug: 163921395
Change-Id: I5719f7cd3a9022dc0ab12a3b3b22487e2b4866e0
Every property should have an appropriate owner attribute, which can be
one of: system_property_type, product_property_type, or
vendor_property_type. This will be enforced for devices launching with S
or later. Devices launching with R or earlier can relax this by setting
following under BoardConfig.mk:
BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true
Bug: 131162102
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I7914ef1b7463c9ec00812b9720094531fd63f0c7
Test: IPeopleManager.Stub.asInterface(ServiceManager.getService(Context.PEOPLE_SERVICE)) is
not null when called from another process
Bug: 169783793
Change-Id: I280568955c50f9deef0a35ad1b9864ffc0a82db4