We no longer allow apps with mlstrustedsubject access to app_data_file
or privapp_data_file. For compatibility we grant access to all apps on
vendor images for SDK <= 30, whether mlstrustedsubject or not. (The
ones that are not already have access, but that is harmless.)
Additionally we have started adding categories to system_data_file
etc. We treat these older vendor apps as trusted for those types only.
The result is that apps on older vendor images still have all the
access they used to but no new access.
We add a neverallow to prevent the compatibility attribute being
abused.
Test: builds
Change-Id: I10a885b6a122292f1163961b4a3cf3ddcf6230ad
This is unused currently & there are no concrete plans to use it
in the future.
Bug: 130080335
Test: Device boots up & connects to networks.
Test: Will send for regression tests
Change-Id: I785389bc2c934c8792c8f631362d6aa0298007af
Merged-In: I785389bc2c934c8792c8f631362d6aa0298007af
(cherry picked from commit 56dfc06397)
Helps with support of recovery and rollback boot reason history, by
also using /metadata/bootstat/persist.sys.boot.reason to file the
reboot reason. For now, label this file metadata_bootstat_file.
Test: manual
Bug: 129007837
Change-Id: Id1d21c404067414847bef14a0c43f70cafe1a3e2
Define two property_context.
1. vendor_socket_hook_prop - for ro.vendor.redirect_socket_calls. The
property set once in vendor_init context. It's evaluated at process
start time and is cannot change at runtime on a given device. The set
permission is restricted to vendor_init. The read permission is
unrestricted.
2. socket_hook_prop - for net.redirect_socket_calls.hooked. The
property can be changed by System Server at runtime. It's evaluated when
shimmed socket functions is called. The set permission is restricted to
System Server. The read permission is unrestricted.
Bug: Bug: 141611769
Test: System Server can set net.redirect_socket_calls.hooked
libnetd_client can read both properties
libnetd_client can't set both properties
Change-Id: Ic42269539923e6930cc0ee3df8ba032797212395
This reverts commit f536a60407.
Reason for revert: Resubmit the CL with the fix in vendor_init.te
Bug: 144534640
Test: lunch sdk-userdebug; m sepolicy_tests
Change-Id: I47c589c071324d8f031a0f7ebdfa8188869681e9
Define a new property_context vndk_prop for ro.product.vndk.version.
It is set by init process but public to all modules.
Bug: 144534640
Test: check if ro.product.vndk.version is set correctly.
Change-Id: If739d4e25de93d9ed2ee2520408e07a8c87d46fe
Due to Factory OTA client install in product partition but it also declare coredomian in
its sepolicy setting. That will let Factory OTA unable to find a property type could write system property.
But now Factory OTA have a restore NFC wake function need to write system property for communicate with bootloader.
So we need to create a new property type in system framework which could allow Factory OTA client to write system property.
Bug: 145178094
Test: Manual
Change-Id: Ic549cc939893ec67a46bf28a23ebeb9f9b81bd0b
Used when mapping RTM_GETLINK messages to this new permission.
Users of netlink_route_sockets that do not use the net_domain()
macro will need to grant this permission as needed. Compatibility
with older vendor images is preserved by granting all vendor domains
access to this new permission in *.compat.cil files.
Bug: 141455849
Test: build (this change is a no-op without kernel changes)
Change-Id: I18f1c9fc958120a26b7b3bea004920d848ffb26e
The commit 7baf725ea6 broke OMX on O/O-MR1(/P?) vendors.
Previous to this commit, all OMX codecs had to use "mediacodec" type,
after this commit, omx codecs just had to get hal_omx_server attribute.
This commit left to the vendor the charge of adding "hal_omx_server"
attribute to mediacodec.
However this can't work on non-Q vendors.
On P vendor, versioned_plat_pub contains the appdomain <=> mediacodec
allows, so OMX isn't technically broken on those devices.
But to ensure it won't break in the future, mark 28's mediacodec as
hal_omx_server as well
This fixes broken OMX decoding on O/O-MR1 vendors, failing with the
following denial:
avc: denied { call } for comm=4E444B204D65646961436F6465635F scontext=u:r:platform_app:s0:c512,c768 tcontext=u:r:mediacodec:s0 tclass=binder permissive=0
Bug: 141186440
Change-Id: I018f8d9aabc77e7ea86ca14734b1ab2edfdf8ed1
This property will be set by system_server (to indicate the currently
selected theme for device), and can be accessed by vendor init.rc.
avc: denied { read } for property=persist.sys.theme pid=0 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:theme_prop:s0 tclass=file
Bug: 113028175
Test: Set a vendor init trigger that waits on `persist.sys.theme`. Check
that the trigger fires without denial.
Change-Id: Ia85b1a8dfc118efdbb9337ca017c8fb7958dc386
Merged-In: Ibb4e392d5059b76059f36f7d11ba82cd65cbe970
(cherry picked from commit 75182a1ea6)
This property will be set by system_server (to indicate the currently
selected theme for device), and can be accessed by vendor init.rc.
avc: denied { read } for property=persist.sys.theme pid=0 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:theme_prop:s0 tclass=file
Bug: 113028175
Test: Set a vendor init trigger that waits on `persist.sys.theme`. Check
that the trigger fires without denial.
Change-Id: Ibb4e392d5059b76059f36f7d11ba82cd65cbe970
apexd stops itself when it finds that it is running on a device with
flattened APEXes (i.e. ro.apex.updatable = false).
Bug: 133907211
Test: launch sdk_phone_x86_64
adb logcat -d | grep apexd | wc -l
returns 3
Change-Id: I7fa161b069aa34adb028194b55f367fe740a0cfc
/system/apex/com.android.runtime is labeled as runtime_apex_dir
and init is allowed to mount on it.
When TARGET_FLATTEN_APEX is true (= ro.apex.updatable is unset or set to
false), apexd is not used to activate the built-in flattened APEXes.
Init simply bind-mounts /system/apex to /apex.
However, there is a special case here. The runtime APEX is installed as
either /system/apex/com.android.runtime.debug or
/system/apex/com.android.runtime.release, whereas it should be activated
on /apex/com.android.runtime - without the .debug or .release suffix.
To handle that case, the build system creates an empty directory
/system/apex/com.android.runtime and the .debug or .release directory
is bind-mounted to the empty directory by init at runtime.
Bug: 132413565
Test: marlin is bootable
Merged-In: I3fde5ff831429723fecd1fa5c10e44f636a63f09
Change-Id: I3fde5ff831429723fecd1fa5c10e44f636a63f09
(cherry picked from commit 99902a175b)
The space between 2K and 16K in /misc is currently reserved for vendor's
use (as claimed in bootloader_message.h), but we don't allow vendor
module to access misc_block_device other than vendor_init.
The change in the topic adds a `misc_writer` tool as a vendor module,
which allows writing data to the vendor space to bridge the gap in the
short term. This CL adds matching labels to grant access.
Long term goal is to move /misc as vendor owned, then to provide HAL
access from core domain (b/132906936).
Bug: 132906936
Test: Build crosshatch that includes misc_writer module. Invoke
/vendor/bin/misc_writer to write data to /misc.
Change-Id: I4c18d78171a839ae5497b3a61800193ef9e51b3b
Merged-In: I4c18d78171a839ae5497b3a61800193ef9e51b3b
(cherry picked from commit 42c05cfcc1)
The space between 2K and 16K in /misc is currently reserved for vendor's
use (as claimed in bootloader_message.h), but we don't allow vendor
module to access misc_block_device other than vendor_init.
The change in the topic adds a `misc_writer` tool as a vendor module,
which allows writing data to the vendor space to bridge the gap in the
short term. This CL adds matching labels to grant access.
Long term goal is to move /misc as vendor owned, then to provide HAL
access from core domain (b/132906936).
Bug: 132906936
Test: Build crosshatch that includes misc_writer module. Invoke
/vendor/bin/misc_writer to write data to /misc.
Change-Id: I4c18d78171a839ae5497b3a61800193ef9e51b3b
Media component update service is removed, so selinux
permissions for it are no longer needed.
Bug: 123250010
Test: boot, play video
Change-Id: I0fec6839f5caf53d16399cb72dcdd6df327efc95
and allow shell and system_app (Settings) to set it to enable Dynamic System Update.
Also allow priv_app (user of the API) to read it.
Bug: 119647479
Bug: 129060539
Test: run the following command on crosshatch-user:
adb shell setprop persist.sys.fflag.override.settings_dynamic_system 1
Change-Id: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
Merged-In: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
and allow shell and system_app (Settings) to set it to enable Dynamic System Update.
Also allow priv_app (user of the API) to read it.
Bug: 119647479
Bug: 129060539
Test: run the following command on crosshatch-user:
adb shell setprop persist.sys.fflag.override.settings_dynamic_system 1
Change-Id: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
Merged-In: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
lmkd needs to read /proc/lowmemorykiller to send statslog events in response to
applications being killed.
Bug: 130017100
Change-Id: I929d5a372e1b2f63b7b5ed421f1898ebddaec01c
apexd needs to read /vendor/apex dir and files in it.
Bug: 131190070
Bug: 123378252
Test: 1. Add apex to /vendor/apex
-> see if boot succeeds with new policy
2. Add flattened apex to /vendor/apex
-> see if only root files are labelled as vendor_apex_file
Change-Id: I37795ab6d659ac82639ba5e34d628fe1b5cdb350
