This is useful for certain tests. Note that it is already possible to
access these files without root via adb pull, since adbd has
access. Shell also already has access to non-updated APEXes on
/system/apex.
Bug: 220918654
Test: adb unroot; pm install --apex /data/apex/decompressed/X.decompressed.apex
Change-Id: I35725499365b297a64c9005c8e45325531d3991d
These domains already can't transition to crash_dump, but also need to
make sure crash_dump can't be run and pointed at them.
Bug: 218494522
Test: Builds
Change-Id: I76f88faf8ff4c88e85eaf6a8db546dc644a71928
perfetto traced_probes executes atrace with a pipe for stdout/stderr.
That aleady works because atrace can `write` onto traced_probes's pipes.
Now traced_probes needs to invoke atrace at boot time. This revealed a
problem (I'm pretty sure it was an existing problem and it was
completely harmless):
```
02-23 22:00:41.951 605 605 I auditd : type=1400 audit(0.0:94): avc:
denied { getattr } for comm="atrace" path="pipe:[17964]" dev="pipefs"
ino=17964 scontext=u:r:atrace:s0 tcontext=u:r:traced_probes:s0
tclass=fifo_file permissive=0
```
atrace doesn't just need `write` permissions on its
stdout/stderr pipes, it also needs `getattr` permissions (probably
because of [this][1]?)
[1]: https://cs.android.com/android/platform/superproject/+/master:bionic/libc/bionic/libc_init_common.cpp;l=156;drc=7a2386bf89f9bfd4e53eba9304e4239b3fdf0d06)
Bug: 219393750
Change-Id: I53b0f60cdd763863c834a883fbb77664e528dd15
Any virtualization service client should be able to use a pipe for the
VM log fds.
We previously had some support for this in crosvm (but appdomain is
the wrong label), but not for virtualizationservice. Instead I've
centralised it in the virtualizationservice_use macro so it applies to
exactly those things that can start a VM.
I've removed read permission from crosvm; it doesn't seem to be
needed, and logically it shouldn't be.
Test: Patch in https://r.android.com/1997004, see no denials
Change-Id: Ia9cff469c552dd297ed02932e9e91a5a8cc2c13f
CompOS no longer talks directly to DICE (compos_key_helper does). odsign
no longer promotes or deletes instance CompOS files, and the key files
don't exist any more.
Bug: 218494522
Test: Manual; trigger compilation, reboot & watch odsign
Change-Id: Ibc251180122e6e4789b4be5669da3da67517b49c
We would like SurfaceFlinger to be able to create a pipe and provide
the write-end to the graphics composer to dump debug info for dumpsys.
Bug: 220171623
Test: atest VtsHalGraphicsComposer3_TargetTest
Test: adb shell dumpsys SurfaceFlinger
Test: adb shell dumpsys android.hardware.graphics.composer3.IComposer/default
Change-Id: Ie2cbe76fb0d224235a8ea99f68a20e2139e1cc56
Make sure all the permissions are granted to let the HAL do its work
properly.
Bug: 214231981
Test: atest MicrodroidTestApp
Change-Id: I54c633b8163ea313c87856fb0513074a76ac86a1
Add the compos_key_helper domain for the process which has access to
the signing key, make sure it can't be crashdumped. Also extend that
protection to diced & its HAL.
Rename compos_verify_key to compos_verify, because it doesn't verify
keys any more.
Move exec types used by Microdroid to file.te in the host rather than
their own dedicated files.
Bug: 218494522
Test: atest CompOsSigningHostTest CompOsDenialHostTest
Change-Id: I942667355d8ce29b3a9eb093e0b9c4f6ee0df6c1
Bootloader properties are available to all domains so don't need special
policy rules for microdroid_manager.
Test: atest MicrodroidTests
Change-Id: I0ccf6b28467a47c0f3cf7715b9ff34d01e8ac970
This property is set in the bootconfig to reflect the debuggability of
the payload app. It is consumed microdroid_manager as a DICE input and
by compos to make choices based on the debuggability, e.g. not doing
test builds in non-debug states.
Bug: 219740340
Test: atest ComposHostTestCases
Test: atest MicrodroidTests
Change-Id: If84710f1fdbab957f5d19ce6ba3daad7e3e65935
Treble sepolicy tests check whether previous versions are compatible to
ToT sepolicy or not. treble_sepolicy_tests_for_release.mk implements it,
but it also includes a compat test whether ToT sepolicy + {ver} mapping
+ {ver} plat_pub_versioned.cil can be built together or not. We
definitely need such tests, but we already have a test called "compat
test" which does exactly that, and testing it again with Treble sepolicy
tests is just redundant. The only difference between those two is that
Treble sepolicy tests can also test system_ext and product compat files,
which was contributed by a partner.
The ultimate goal here is to migrate *.mk to Soong, thus merging these
two tests (compat, Treble) into one. As we've already migrated the
compat test to Soong, this change removes the compat test part from
treble sepolicy tests. Instead, the compat test will be extended so it
can test system_ext and product compat files too.
prebuilts/api/{ver}/plat_pub_versioned.cil and
prebuilts/api/{ver}/vendor_sepolicy.cil are also removed as they aren't
used anymore: vendor_sepolicy.cil is an empty stub, and
plat_pub_versioned.cil can be built from the prebuilt source files.
Bug: 33691272
Test: m selinux_policy
Change-Id: I72f5ad0e8bbe6a7c0bbcc02f0f902b953df6ff1a
By default, HAL's services are not accessible by dumpstate. HIDL
implementations were silenced via a dontaudit on hwservice_manager. But
AIDL implementations will trigger a denial, unless authorized via
`dump_hal`. Mark all HAL services with a new attribute
`hal_service_type` so they can be ignored by dumpstate.
Test: m selinux_policy
Bug: 219172252
Change-Id: Ib484368fdeff814d4799792d57a238d6d6e965fd
