For vndk related properties, use vndk_prop context.
vndk_prop can be defined by 'init' and 'vendor_init', but free to
read by any processes.
Bug: 144534640
Test: check boot to see if the VNDK properties are readable
Change-Id: Ifa2bb0ce6c301ea2071e25ac4f7e569ea3ce5d83
System_server will listen on incoming packets from zygotes.
Bug: 136036078
Test: atest CtsAppExitTestCases:ActivityManagerAppExitInfoTest
Change-Id: I42feaa317615b90c5277cd82191e677548888a71
The code that uses the property has not been committed, so this change
has no impact on the codebase.
Bug: 140788621
Test: build an image that combines this change with the client code
and boot a phone. Verify that there are no policy violations.
Change-Id: Ie6c1a791578c61adae5b71a38e61a2f5b20bb817
We added an auditallow for this permission on 12/17/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.
Bug: 147833123
Test: TH
Change-Id: I96f810a55e0eb8f3778aea9598f6437de0f65c7f
We added auditallows for these permissions on 12/16/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.
Bug: 147833123
Test: TH
Change-Id: I4789b29462ef561288aeaabbdb1e57271d5fcd2a
CAP_MAC_ADMIN was originally introduced into the kernel for use
by Smack and not used by SELinux. However, SELinux later appropriated
CAP_MAC_ADMIN as a way to control setting/getting security contexts
unknown to the currently loaded policy for use in labeling filesystems
while running a policy that differs from the one being applied to
the filesystem, in
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=12b29f34558b9b45a2c6eabd4f3c6be939a3980f
circa v2.6.27.
Hence, the comment about mac_admin being unused by SELinux is inaccurate.
Remove it.
The corresponding change to refpolicy is:
5fda529636
Test: policy builds
Change-Id: Ie3637882200732e498c53a834a27284da838dfb8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This will let an app delegate network operations to an
isolatedProcess=true service. Chromium will use this to separate out
network protocol parsing of untrusted Internet data from the main app
process into a sandboxed service process.
Bug: 147444459
Test: Build and boot sargo. Chromium runs.
Change-Id: Ia7f54d481676a03b96f512015e6adcf920a014c3
Add selinux contexts for the new system config service.
Test: atest -it -w SystemConfigTest
Bug: 143112379
Change-Id: Ibe67acb404b6951e1fda9ce28bd50a0efdd44c5f
This patch adds the necessary rules to support the existing usage of
perf_event_open by the system partition, which almost exclusively
concerns the simpleperf profiler. A new domain is introduced for some
(but not all) executions of the system image simpleperf. The following
configurations are supported:
* shell -> shell process (no domain transition)
* shell -> debuggable app (through shell -> runas -> runas_app)
* shell -> profileable app (through shell -> simpleperf_app_runner ->
untrusted_app -> simpleperf)
* debuggable/profile app -> self (through untrusted_app -> simpleperf)
simpleperf_app_runner still enters the untrusted_app domain immediately
before exec to properly inherit the categories related to MLS. My
understanding is that a direct transition would require modifying
external/selinux and seapp_contexts as with "fromRunAs", which seems
unnecessarily complex for this case.
runas_app can still run side-loaded binaries and use perf_event_open,
but it checks that the target app is exactly "debuggable"
(profileability is insufficient).
system-wide profiling is effectively constrained to "su" on debug
builds.
See go/perf-event-open-security for a more detailed explanation of the
scenarios covered here.
Tested: "atest CtsSimpleperfTestCases" on crosshatch-user/userdebug
Tested: manual simpleperf invocations on crosshatch-userdebug
Bug: 137092007
Change-Id: I2100929bae6d81f336f72eff4235fd5a78b94066
As a result of commit f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7
("proc: restrict kernel stack dumps to root")
the userdebug feature where llkd can monitor for live lock
signatures in the stack traces broke.
So now userdebug variant of llkd requires sys_admin permissions.
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Test: llkd_unit_test
Bug: 147486902
Change-Id: I31572afa08daa490a69783855bce55313eaed96c
The open, audit_access, execmod, and watch* permissions
are all defined in the COMMON_FILE_PERMS in the kernel
classmap and inherited by all the file-related classes;
we can do the same in the policy by putting them into the
common file declaration.
refpolicy recently similarly reorganized its definitions and added the
watch* permissions to common file, see:
e5dbe75276c656b97a283952ecb4dd
Adding new permissions to the end of the existing classes was only
required for kernels that predate the dynamic class/perm mapping
support (< v2.6.33).
Test: policy still builds
Change-Id: I44a2c3a94c21ed23410b6f807af7f1179e2c1747
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This property essentially implements
PowerManager.isRebootingUserspaceSupported[0] public API, hence apps
should be able to read it.
[0]: 73cab34d9f:core/java/android/os/PowerManager.java;l=1397
Test: m checkbuild
Test: atest CtsUserspaceRebootHostSideTestCases
Test: adb shell getprop ro.init.userspace_reboot.is_supported
Bug: 135984674
Change-Id: I09cab09735760529de81eb6d5306f052ee408a6e
Setup SELinux to allow the world to read, and system_server to write, a
property used as an indicator that we need to refresh local caches
for PowerManager.isPowerSaveMode and PowerManager.isInteractive.
Bug: 140788621
Test: Flashed build and tested that phone boots and does not crash
as PowerManager operations take place.
Change-Id: I3e7e513756c8d881295721c2729cd37ad3bec8b8
The binder_cache_system_server_prop context allows any user to read the
property but only the system_server to write it. The only property with
this context is currently binder.cache_key.has_system_feature but users
will be added.
Bug: 140788621
Test: this was tested on an image with a binder cache implementation. No
permission issues were found. The implementation is not part of the current
commit.
Change-Id: I4c7c3ddf809ed947944408ffbbfc469d761a6043
