Helps with support of recovery and rollback boot reason history, by
also using /metadata/bootstat/persist.sys.boot.reason to file the
reboot reason. For now, label this file metadata_bootstat_file.
Test: manual
Bug: 129007837
Change-Id: Id1d21c404067414847bef14a0c43f70cafe1a3e2
To send statistics about snapshot merge times, snapshotctl will take
care of packing and sending all the information.
Allow snapshotctl to do so by creating an sepolicy exception.
Bug: 138817833
Test: statsd_testdrive
Change-Id: If805a522898cb6c9838779be23df6078f77d0cdc
Signed-off-by: Alessio Balsini <balsini@google.com>
so that it can change the uid/gid of pinned bpf progs and maps
Test: build, atest
Bug: 149434314
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1d873c7799e1d9fa5d4bde145e89254dabb75a01
Add a new nfc_cfg persist property for nfc features
Bug: 142626304
Test: set property and load target files.
Change-Id: I853c97e8113dbcf729cf59ad45895402b0c82b3e
Define two property_context.
1. vendor_socket_hook_prop - for ro.vendor.redirect_socket_calls. The
property set once in vendor_init context. It's evaluated at process
start time and is cannot change at runtime on a given device. The set
permission is restricted to vendor_init. The read permission is
unrestricted.
2. socket_hook_prop - for net.redirect_socket_calls.hooked. The
property can be changed by System Server at runtime. It's evaluated when
shimmed socket functions is called. The set permission is restricted to
System Server. The read permission is unrestricted.
Bug: Bug: 141611769
Test: System Server can set net.redirect_socket_calls.hooked
libnetd_client can read both properties
libnetd_client can't set both properties
Change-Id: Ic42269539923e6930cc0ee3df8ba032797212395
This reverts commit 34240604aa.
Reason for revert: Droidcop: Potential culprit for Bug149218822- verifying through Forrest before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.
Change-Id: Iaba9f6e9125ac456a5787b1fcbb67d68c91c5f42
This adds the type and permissions for dumping and appending prereboot
information.
Bug: 145203410
Test: Didn't see denials while dumping and appending prereboot info.
Change-Id: Ic08408b9bebc3648a7668ed8475f96a5302635fa
This properties are used to compute UserspaceRebootAtom and are going to
be written by system_server. Also removed now unused
userspace_reboot_prop.
Test: builds
Bug: 148767783
Change-Id: Iee44b4ca9f5d3913ac71b2ac6959c232f060f0ed
This binder call is needed because we want to migrate
libstatspull to use StatsManagerService instead of Statsd
The binder call to statsd can be removed after the migration.
Test: m -j
Bug: 148641240
Change-Id: Id1387a2cbe74ba8d84f4973c6e4d17c5e0b88009
The binder's methods are protected by signature
permissions (LOG_COMPAT_CHANGE, READ_COMPAT_CHANGE_CONFIG and
OVERRIDE_COMPAT_CHANGE_CONFIG).
This is a re-landing of https://r.android.com/1210143, which was
reverted due to http://b/142942524. The actual fix was done in
http://ag/10234812.
Bug: 142650523
Test: atest PlatformCompatGatingTest
Change-Id: Ibddac8933ea58d44457a5d80b540347e796ebe71
adbd started calling shutdown and waiting for EOF before closing
sockets in commit 74b7ec72, because closing a TCP socket while you have
pending data to read is specified to send a TCP RST to the other end,
which can result in data that we've written into the socket to be
prematurely thrown away on the other end. Not being able to do so on a
Unix domain socket is benign, aside from the denial showing up in the
log.
Fixes the following selinux denial when installing a package:
avc: denied { shutdown } for scontext=u:r:adbd:s0 tcontext=u:r:shell:s0 tclass=unix_stream_socket permissive=0
Test: manual
Change-Id: I266092a8323ac02bfe96738a8f4a8021f3a10387
This binder call is needed because we want to migrate
libstatspull to use StatsManagerService instead of Statsd
The binder call to statsd can be removed after the migration.
Test: m -j
Bug: 148641240
Change-Id: If6cf7eb77aa229751c44e5291d49f05177dbb8dd
Only write snapshotctl_log_data_file for userdebug_or_eng.
Test: boot, still see log
Bug: 148818798
Change-Id: I03e979efd65e3992bd8ef30e6408768a14aa1de2
This is a domain for the MediaProvider mainline module. The
MediaProvider process is responsible for managing external storage, and
as such should be able to have full read/write access to it. It also
hosts a FUSE filesystem that allows other apps to access said storage in
a safe way. Finally, it needs to call some ioctl's to set project quota
on the lower filesystem correctly.
Bug: 141595441
Test: builds, mediaprovider module gets the correct domain
Change-Id: I0d705148774a1bbb59c927e267a484cb5c44f548
This concerns the data transfer between an untrusted producer process,
and the tracing service (traced daemon). They communicate over a
combination of a unix socket and shared memory.
Normally, the service creates the shared memory region, and hands it off
to the producer process (see perfetto_producer() macro). This patch
allows for an alternative scheme, where the producer process is allowed
to create the shared memory region, which will then be adopted by the
tracing service. The service already inherently doesn't trust the
producer, so it'll validate that the shared memory is appropriately
sealed before using it.
The immediate use-case is chrome's go/perfetto-startup-tracing-v2. But
this mode has advantages (e.g. being able to write to the shared memory
before connecting) for other producer domains as well.
Bug: 148841422
Change-Id: I90f864b900958792553f0208f4a0041dbf2892cc
Setting files and dirs under /data/incremental as apk_data_file, so that
they will have the same permissions as the ones under /data/app.
Current layout of the dirs:
1. /data/incremental/[random]/mount -> holds data files (such as base.apk) and
control files (such as .cmd). Its subdirectory is first bind-mounted to
/data/incremental/tmp/[random], eventually bind-mounted to
/data/app/~~[randomA]/[packageName]-[randomB].
2. /data/incremental/[random]/backing_mount -> hold incfs backing image.
3. /data/incremental/tmp/[random] -> holds temporary mountpoints (bind-mount targets)
during app installation.
Test: manual
Change-Id: Ia5016db2fa2c7bad1e6611d59625731795eb9efc
In order to track time in state data using eBPF, system_server needs
to be able to attach BPF programs to tracepoints, which involves:
- calling perf_event_open and the PERF_EVENT_IOC_SET_BPF ioctl
- running BPF programs
- reading tracepoint ids from tracefs
Grant system_server the necessary permissions for these tasks
Test: modify system_server to try to attach programs; check for
denials
Bug: 138317993
Change-Id: I07dafd325a9c57d53767a09d4ca7b0fb2dd2d328
Signed-off-by: Connor O'Brien <connoro@google.com>
Revert "Add new permissions to test"
Revert submission 1210143-platformcompat-permissions
Reason for revert: http://b/142942524
Reverted Changes:
I3601b12d5: Add new permissions to test
I65d425aac: Make platform_compat discoverable everywhere
I1c8cbb656: Add permissions for using PlatformCompat methods
Change-Id: I356c1d1c4d1213eea6e5585b23faa40722b1a01a
webview_zygote inherits tmpfs files from zygote and needs to stat
them after fork.
Bug: 138851227
Test: run walleye_jitzygote config, fork webview_zygote.
Change-Id: I092b942c0426f3f5731536ae9f2f5886a9196d3d
As apexd now has dac_override, it should also have dac_read_search to
avoid spurious denials.
Bug: 141148175
Test: Build, run apex installation, check denials.
Change-Id: I179c05b36ae0fe62d943ca59ee7f8158507f1f10
This allows apexd to execute "cp" to perform snapshot and
restore operations.
Other rules for this were added in aosp/1217340, but this one was
missed.
Bug: 141148175
Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeSys
Change-Id: Ia529ede468578bfadc87e049a2c0ab4f87e1c43d
4eae75c9d4
Reason for revert: This undoes the previous reversion, which was made to fix b/148282665.
Change-Id: I70d6e60a0468abea19f5efd7fde10207a251cf61
/mnt/pass_through was introduced to allow the FUSE daemon unrestricted
access to the lower filesystem (or sdcardfs).
At zygote fork time, the FUSE daemon will have /mnt/pass_through/0
bind mounted to /storage instead of /mnt/user/0. To keep /sdcard
(symlink to /storage/self/primary) paths working, we create a
'self' directory with an additional 'primary' symlink to
/mnt/pass_through/0/emulated/0 which is a FUSE mount point.
The following components need varying sepolicy privileges:
Vold: Creates the self/primary symlink and mounts the lower filesystem
on /mnt/pass_through/0/emulated. So needs create_dir and mount access
+ create_file access for the symlink
zygote: In case zygote starts an app before vold sets up the paths.
This is unlikely but can happen if the FUSE daemon (a zygote forked app)
is started before system_server completes vold mounts.
Same sepolicy requirements as vold
installd: Needs to clear/destroy app data using lower filesystem
mounted on /mnt/pass_through so needs read_dir access to walk
/mnt/pass_through
priv_app (FUSE daemon): Needs to server content from the lower
filesystem mounted on /mnt/pass_through so needs read_dir access to
walk /mnt/pass_through
Bug: 135341433
Test: adb shell ls /mnt/pass_through/0/self/primary
Change-Id: I16e35b9007c2143282600c56adbc9468a1b7f240
We are updating apps' apk path to have a two-level structure.
Default apk path of an installed app:
Before: /data/app/[packageName]-[randomString]/base.apk
After: /data/app/[randomStringA]/[packageName]-[randomStringB]/base.apk
As a result, the oat files will be two levels below /data/app.
Test: manual
BUG: 148237378
Change-Id: If8e1fed46096f2e5f4150f6eedf74af76ac9d4b4
pmem uses a block file while access_ramoops uses a char file. Allow both for
now until we can unify on pmem.
Additionally allow the reading of vendor properties so it can read the
path to the character or block device to open.
Test: atest VtsHalRebootEscrowTargetTest
Bug: 146400078
Change-Id: Ief61534e0946480a01c635ce1672579959ec8db5
This adds rules required for apexd to perform snapshot and restore
of the new apex data directories.
See go/apex-data-directories for more information on the feature.
See the chain of CLs up to ag/10169468 for the implementation of
snapshot and restore.
Bug: 141148175
Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeSys
Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeUser
Test: atest StagedRollbackTest#testRollbackApexDataDirectories_Ce
Change-Id: I1756bbc1d80cad7cf9c2cebcee9bee6bc261728c
Looking at go/sedenials, we see this permission being used by
MediaProvider once like so:
type=1400 audit(0.0:569759): avc: granted { getattr } for comm=4173796E635461736B202331 path="/proc/config.gz" dev="proc" ino=4026532157 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:config_gz:s0 tclass=file app=com.google.android.providers.media.module
This permission should not be granted to all priv-apps now that GMS core
has been split out into its own domain. This change removes the
permission for the priv_app domain and the corresponding auditallow.
Bug: 147833123
Test: TH
Change-Id: I4f60daefcbdd4991c5d2c32330e907a03bfe6fe5
Revert submission 1209453-aidl-lazy-presubmit
Reason for revert: b/148282665. A test has begun to fail on git_stage-aosp-master, and I need to verify whether these changes are responsible.
Reverted Changes:
Ib09a2460e: Add aidl_lazy_test to general-tests
Ib08989356: Move aidl_lazy_test_server to system_ext
I694e6ad35: Add aidl_lazy_test_server to Cuttlefish
I65db12c63: Add aidl_lazy_test to presubmit
I7ec80a280: Dynamically stop services with multiple interfaces...
Change-Id: I55f6b0f7800f348259787f62c6faa19a90f8bdcc
As with heapprofd, it's useful to profile the platform itself on debug
builds (compared to just apps on "user" builds).
Bug: 137092007
Change-Id: I8630c20e0da9c67e4927496802a4cd9cacbeb81a
The steps involved in setting up profiling and stack unwinding are
described in detail at go/perfetto-perf-android.
To summarize the interesting case: the daemon uses cpu-wide
perf_event_open, with userspace stack and register sampling on. For each
sample, it identifies whether the process is profileable, and obtains
the FDs for /proc/[pid]/{maps,mem} using a dedicated RT signal (with the
bionic signal handler handing over the FDs over a dedicated socket). It
then uses libunwindstack to unwind & symbolize the stacks, sending the
results to the central tracing daemon (traced).
This patch covers the app profiling use-cases. Splitting out the
"profile most things on debug builds" into a separate patch for easier
review.
Most of the exceptions in domain.te & coredomain.te come from the
"vendor_file_type" allow-rule. We want a subset of that (effectively all
libraries/executables), but I believe that in practice it's hard to use
just the specific subtypes, and we're better off allowing access to all
vendor_file_type files.
Bug: 137092007
Change-Id: I4aa482cfb3f9fb2fabf02e1dff92e2b5ce121a47
Bug: 140788621
This adds keys for several planned binder caches in the system server
and in the bluetooth server. The actual cache code is not in this
tree.
Test: created a test build that contains the actual cache code and ran
some system tests. Verified that no protection issues were seen.
Change-Id: Ibaccb0c0ff8b127d14cf769ea4156f7d8b024bc1
Enforce new requirements on app with targetSdkVersion=30 including:
- No RTM_GETLINK on netlink route sockets.
Remove some of the repetitive descriptions in each untrusted_app_N.te
file, and instead refer to the description in
public/untrusted_app.te.
Bug: 141455849
Test: CtsSelinuxTargetSdkCurrentTestCases
Test: libcore.java.net.NetworkInterfaceTest#testGetNetworkInterfaces
Change-Id: I89553e48db3bc71f229c71fafeee9005703e5c0b
Looking at go/sedenials, we see this permission being used by
MediaProvider like so:
type=1400 audit(0.0:3651): avc: granted { getattr } for comm=4173796E635461736B202331 path="/sys/fs/selinux/class/tipc_socket/perms/recvfrom" dev="selinuxfs" ino=67111391 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:selinuxfs:s0 tclass=file app=com.google.android.providers.media.module
... and numerous other directories, apparently from a filesystem walk.
It appears that this permission should not be granted to all priv-apps
now that GMS core has been split out into its own domain. This change
removes the permission for the priv_app domain and the corresponding
auditallow.
Bug: 147833123
Test: TH
Change-Id: I88146785c7ac3a8c15fe9b5f34f05d936f08ea48
