Bluetooth stack needs to read persist.logd.security and
ro.organization_owned sysprop (via __android_log_security())
to control security logging for Bluetooth events.
Bug: 232283779
Test: manual
Change-Id: Ic8162cd4a4436981a15acea6ac75079081790525
(cherry picked from commit a274858e3b)
Merged-In: Ic8162cd4a4436981a15acea6ac75079081790525
To perform sdk sandbox data isolation, the zygote gets the selinux label
of SDK sandbox storage (e.g. /data/misc_{ce,de}/<user-id>/sdksandbox)
before tmpfs is mounted onto /data/misc_{ce,de} (or other volumes). It
relabels it back once bind mounting of required sandbox data is done.
This change allows for the zygote to perform these operations.
Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Ignore-AOSP-First: Already merged in aosp
Change-Id: Ie8fd1f478fd12141bd6240cee96d0c3da55ba7a0
Merged-In: I28d1709ab4601f0fb1788435453ed19d023dc80b
Currently, app process can freely execute path at
`/data/misc_ce/0/sdksandbox/<package-name>` since it's labeled as system
file. They can't read or write, but use 403/404
error to figure out if an app is installed or not.
By changing the selinux label of the parent directory:
`/data/misc_ce/0/sdksandbox`, we can restrict app process from executing
inside the directory and avoid the privacy leak.
Sandbox process should only have "search" permission on the new label so
that it can pass through it to its data directory located in
`/data/misc_ce/0/sdksandbox/<package-name>/<per-sdk-dir>`.
Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Test: `adb shell cd /data/misc_ce/0/sdksandbox` gives error
Test: manual test to verify webview still works
Ignore-AOSP-First: Test is missing in AOSP. Will cherry-pick to AOSP
once merged here.
Change-Id: Id8771b322d4eb5532eaf719f203ca94035e2a8ed
This reverts commit 2140c74523.
Reason for revert: Added a fix for that (to update the 33.0 sepolicy api)
Change-Id: I2e738618026df6475de7baf1551a031b86c28590
Bug: 231579544
Test: see allowlisted system properties in the VM
Ignore-AOSP-First: Cherry-pick from AOSP
Change-Id: Idb263087639e4677e437ac2fcd2726ee71547f48
Merged-In: Idb263087639e4677e437ac2fcd2726ee71547f48
We might want to change this in later android versions.
Ignore-AOSP-First: Already merged via aosp/2051365
Bug: b/228159127
Bug: b/227745962
Bug: b/229251344
Test: Manual
Change-Id: I8f425cc9f2759a29bdd2e6218ad0a1c40750e4f5
Merged-In: I8f425cc9f2759a29bdd2e6218ad0a1c40750e4f5
Merged-In: I2e308ca9ce58e71ac9d7d9b0fa515bdf2f5dfa1f
(cherry picked from commit 13bdca21d5)
(cherry picked from commit ce2b6da673)
The compliance tests rely on this.
Ignore-AOSP-First: will cherry-pick to AOSP
Bug: 230660133
Test: run MicrodroidHostTests on a user build
Change-Id: Ic061632d80285182ec2ae7d31f3527948702cf32
This only makes it difficult to run (test/demo) apps using AVF. They
have to be pre-installed on the device which is infeasible on
user-build devices.
Removing the guard so that untrusted apps can use virtualizationservice
even on user builds. Note that the use is still gated by the
MANAGE_VIRTUAL_MACHINE permission, which can be granted only by
pre-installing or explicitly via `adb shell pm grant`. So there's no
risk of 3p apps downloaded from the net having its own VM.
Ignore-AOSP-First: will cherry-pick to AOSP
Bug: 231080171
Test: run MicrodroidDemoApp on a user build
Change-Id: Ie0b1b9801dd7726633f97456a38bc0ea349013db
Allow init to use toolbox to rm -rf stale files under /data/misc/virtualizationservice.
Bug: 230056726
Test: Create fake stale dir+file, see them deleted
Ignore-AOSP-First: Needed in T, will CP to aosp
Change-Id: I4a31e437344974597fc5280d898f23780a820f16
Add some services ephemeral service has access to.
We will steadily restrict this list further based on
testing and requirements for rubidium.
Test: Manual
Bug: b/227745962
Bug: b/227581095
Ignore-AOSP-First: Already merged via aosp/2051365
Change-Id: If7bcb8b8de62d408bd4af848b43abca853c93758
Merged-In: If7bcb8b8de62d408bd4af848b43abca853c93758
(cherry picked from commit 48b2b33844)
Test: adb shell am hang --allow-restart, check Last ANR for stacks
Fixes: 211998169
Ignore-AOSP-First: Cherry-pick to T
Change-Id: I7cad1e57caed5eb8a5c0092548362fd0a6b1d98d
The properties for rkp_only are no longer read only.
This allows remote provisioner unit tests to enable/disable the remote
provisioning only mode, which is required to fully verify functionality.
Test: RemoteProvisionerUnitTests
Bug: 227306369
Change-Id: I8006712a49c4d0605f6268068414b49714bbd939
It will be used by system_server only (i.e., not even Shell) to let
developers change the system user mode (to be headless or full).
Test: sesearch --allow -t system_user_mode_emulation_prop $ANDROID_PRODUCT_OUT/vendor/etc/selinux/precompiled_sepolicy
Bug: 226643927
Change-Id: Iaba42fd56dce0d8d794ef129634df78f9599260f
Some of our CTS tests require that crosvm to have read/write access to
files on /data/local/tmp/virt which is labeled as data_shell_file.
Since CTS tests should pass on user builds, grant the access in user
builds as well.
Note that the open access is still disallowed in user builds.
Bug: 222013014
Test: run cts
Change-Id: I4f93ac64d72cfe63275f04f2c5ea6fb99e9b5874
... such as Cuttlefish (Cloud Android virtual device) which has a
DRM virtio-gpu based gralloc and (sometimes) DRM virtio-gpu based
rendering (when forwarding rendering commands to the host machine
with Mesa3D in the guest and virglrenderer on the host).
After this change is submitted, changes such as aosp/1997572 can
be submitted to removed sepolicy that is currently duplicated
across device/google/cuttlefish and device/linaro/dragonboard as
well.
Adds a sysfs_gpu type (existing replicated sysfs_gpu definitions
across several devices are removed in the attached topic). The
uses of `sysfs_gpu:file` comes from Mesa using libdrm's
`drmGetDevices2()` which calls into `drmParsePciDeviceInfo()` to
get vendor id, device id, version etc.
Bug: b/161819018
Test: launch_cvd
Test: launch_cvd --gpu_mode=gfxstream
Change-Id: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
Merged-In: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
... such as Cuttlefish (Cloud Android virtual device) which has a
DRM virtio-gpu based gralloc and (sometimes) DRM virtio-gpu based
rendering (when forwarding rendering commands to the host machine
with Mesa3D in the guest and virglrenderer on the host).
After this change is submitted, changes such as aosp/1997572 can
be submitted to removed sepolicy that is currently duplicated
across device/google/cuttlefish and device/linaro/dragonboard as
well.
Adds a sysfs_gpu type (existing replicated sysfs_gpu definitions
across several devices are removed in the attached topic). The
uses of `sysfs_gpu:file` comes from Mesa using libdrm's
`drmGetDevices2()` which calls into `drmParsePciDeviceInfo()` to
get vendor id, device id, version etc.
Ignore-AOSP-First: must be submitted in internal as a topic first to
avoid having duplicate definitions of sysfs_gpu
in projects that are only available in internal
Bug: b/161819018
Test: launch_cvd
Test: launch_cvd --gpu_mode=gfxstream
Change-Id: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
Merged-In: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
Now that FDE (Full Disk Encryption) is no longer supported, the SELinux
policy doesn't need to support it. Remove two rules that are no longer
needed. Also update some comments that implied that other rules were
needed only because of FDE support, when actually they are still needed
for other reasons. Finally, fix some outdated documentation links.
Bug: 208476087
Change-Id: I4e03dead91d34fcefdfcdc68d44dd97f433d6eaf
