`persist.sys.device_provisioned` is set (more precisely, "will be set",
via internal change in ag/7567585) by system_server based on device
privisioning state. This CL grants vendor_init to set up action triggers
based on the property value.
avc: denied { read } for property=persist.sys.device_provisioned pid=0 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:system_prop:s0 tclass=file permissive=0
Bug: 131702833
Bug: 132906936
Test: Set an init trigger that waits on `persist.sys.device_provisioned`.
Check that there's no longer a denial.
Change-Id: I64e50bd31c90db4b3bdd3bd014a90d7bef708b57
Merged-In: I64e50bd31c90db4b3bdd3bd014a90d7bef708b57
(cherry picked from commit 264a929edb)
This allows the atrace cmd to notify cameraserver (the host of
media.camera service) that the set of tracing-related system properties
have changed. This allows the cameraserver to notice that it might need
to enable its trace events.
The atrace cmd has the necessary permission when running as shell, but
not when it is running as the "atrace" domain (notably when exec'd by
perfetto's traced_probes).
We're adding cameraserver to the whitelist as it contains important
events for investigating the camera stack.
Example denial:
05-14 22:29:43.501 8648 8648 W atrace : type=1400 audit(0.0:389): avc: denied { call } for scontext=u:r:atrace:s0 tcontext=u:r:cameraserver:s0 tclass=binder permissive=0
Tested: flashed blueline-userdebug, captured a perfetto trace with "camera" atrace category, confirmed that userspace atrace events are included in the trace.
Bug: 130543265
Merged-In: Ifd3fd5fd3a737c7618960343b9f89d3bf7141c94
Change-Id: Ifd3fd5fd3a737c7618960343b9f89d3bf7141c94
(cherry picked from commit 232295e8db)
installd has been deleting files on the primary (emulated) storage
device for awhile now, but it was lacking the ability to delete files
on secondary (physical) storage devices.
Even though we're always going through an sdcardfs layer, the
kernel checks our access against the label of the real underlying
files.
Instead of tediously listing each possible storage label, using
"sdcard_type" is more descriptive and future-proof as new
filesystems are added.
avc: denied { read open } for path="/mnt/media_rw/1B82-12F6/Android/data/com.android.cts.writeexternalstorageapp" dev="loop9p1" ino=1224 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1
avc: denied { write search } for name="cache" dev="loop9p1" ino=1225 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1
avc: denied { remove_name } for name="probe" dev="loop9p1" ino=1232 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1
avc: denied { unlink } for name="probe" dev="loop9p1" ino=1232 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=1
avc: denied { rmdir } for name="cache" dev="loop9p1" ino=1225 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1
Bug: 113277754
Test: atest android.appsecurity.cts.StorageHostTest
Test: atest android.appsecurity.cts.ExternalStorageHostTest
Test: atest --test-mapping frameworks/base/services/core/java/com/android/server/pm/
Change-Id: Id79d8f31627c0bfb490b4280c3b0120d0ef699bf
ART generically locks profile files, and this avoids
special casing the ART code for read-only partitions.
An example on how ART does it:
https://android-review.googlesource.com/c/platform/art/+/958222/3/runtime/jit/jit.cc#731
Bug: 119800099
Test: system server locking a system file, no denial
(cherry picked from commit db3fde05b5)
Change-Id: I5623f5d548dd1226e5788e369333922a27f14021
Merged-In: I4339f19af999d43e07995ddb77478a2384bbe209
bpf programs/maps are now loaded by the bpfloader, not netd
Test: built/installed on crosshatch which uses eBPF - no avc denials
Bug: 131268436
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1ebd82e6730d62d1966da3c4634ecd78ce703543
Merged-In: I1ebd82e6730d62d1966da3c4634ecd78ce703543
(cherry picked from commit 487fcb87c0)
No longer needed, since this is now done by netd.
In a separate commit so it can potentially not be backported to Q
if we so desire.
Test: build/installed on crosshatch with netd/clatd changes,
and observed functioning ipv4 on ipv6 only network with no
avc denials
Bug: 65674744
Bug: 131268436
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id927ee73469d3e90f5111bd5e31ed760a58c8ebe
Merged-In: Id927ee73469d3e90f5111bd5e31ed760a58c8ebe
(cherry picked from commit 3e41b297d2)
This is presumably libc isatty detection on stdin/out/err.
Either way - allowing it is harmless.
This fixes:
type=1400 audit(): avc: denied { getattr } for comm="dnsmasq" path="pipe:[38315]" dev="pipefs" ino=38315 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=fifo_file permissive=0
Test: built and observed no more avc denials on crosshatch
Bug: 77868789
Bug: 131268436
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ieab51aeb67ebb85b6c778410ba96963612277ae4
Merged-In: Ieab51aeb67ebb85b6c778410ba96963612277ae4
(cherry picked from commit afa10f7223)
Media component update service is removed, so selinux
permissions for it are no longer needed.
Bug: 123250010
Test: boot, play video
Change-Id: I0fec6839f5caf53d16399cb72dcdd6df327efc95
These denials are intermittent and unnecessary. Hide them while we
investigate how to properly fix the issue.
Bug: 131096543
Bug: 132093726
Test: Build
Change-Id: I1950c10a93d183c19c510f869419fcfccd5006d2
VTS tests are run after flashing a GSI image on the device.
The properties ro.boot.dynamic_partitions and ro.boot.dynamic_partitions_retrofit
are currently placed in product partition and will be overwritten by the GSI image.
We need to move these properties to vendor partition so that they will be available
even after the device is flashed with GSI.
Bug: 132197773
Test: build and flash, adb getprop ro.boot.dynamic_partitions
Change-Id: Ib04896ef744d8d2daa5cb3feee2cbf45aae2ba51
Merged-In: Ib04896ef744d8d2daa5cb3feee2cbf45aae2ba51
Kernel commit da69a5306ab92e07224da54aafee8b1dccf024f6
("selinux: support distinctions among all network address families")
modified the kernel to support fine grain differentiation of socket
families, if userspace enables it (which Android does).
Modify the mtp SELinux policy to allow the use of pppox_socket
(needed for kernels 4.14 or greater) and the generic "socket" family
(for kernels below 4.14).
Bug: 130852066
Test: compiles
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I8ac4c2f98f823120060e51438b39254898f4a27e
Merged-In: I8ac4c2f98f823120060e51438b39254898f4a27e
(cherry picked from commit 8fa5ebdee7)
Kernel commit da69a5306ab92e07224da54aafee8b1dccf024f6
("selinux: support distinctions among all network address families")
modified the kernel to support fine grain differentiation of socket
families, if userspace enables it (which Android does).
Modify the ppp SELinux policy to allow the use of pppox_socket
(needed for kernels 4.14 or greater) and the generic "socket" family
(for kernels below 4.14).
Addresses the following denials:
04-19 20:25:34.059 16848 16848 I pppd : type=1400 audit(0.0:8703): avc: denied { read write } for dsm=HS_Q path="socket:[171178]" dev="sockfs" ino=171178 scontext=u:r:ppp:s0 tcontext=u:r:mtp:s0 tclass=pppox_socket permissive=1
04-19 20:25:34.075 16848 16848 I pppd : type=1400 audit(0.0:8704): avc: denied { ioctl } for dsm=HS_Q path="socket:[171179]" dev="sockfs" ino=171179 ioctlcmd=0x7437 scontext=u:r:ppp:s0 tcontext=u:r:mtp:s0 tclass=pppox_socket permissive=1
Bug: 130852066
Test: compiles
Change-Id: I00cc07108acaac5f2519ad0093d9db9572e325dc
Merged-In: I00cc07108acaac5f2519ad0093d9db9572e325dc
and allow shell and system_app (Settings) to set it to enable Dynamic System Update.
Also allow priv_app (user of the API) to read it.
Bug: 119647479
Bug: 129060539
Test: run the following command on crosshatch-user:
adb shell setprop persist.sys.fflag.override.settings_dynamic_system 1
Change-Id: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
Merged-In: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
These properties were moved to /vendor as part of b/130025216.
Allow them to be set by vendor_init, too.
Bug: 130025216
Bug: 131066061
Test: no SELinux warnings for said props at boot
Change-Id: I5293831bedb89e9c8d3ddf13cf7babde26872f28
Merged-In: I5293831bedb89e9c8d3ddf13cf7babde26872f28
Bug: 130509605
Test: No avc denial log and NFC works with hal v1.2
Change-Id: If54884f76a32705d11f2085f66fe83b9e0354f79
Merged-In: If54884f76a32705d11f2085f66fe83b9e0354f79
(cherry picked from commit a5dde796b5)
add the new ro properties added to surfaceflinger:
ro.surface_flinger.set_idle_timer_ms
ro.surface_flinger.use_smart_90_for_video
Bug: 131054357
Test: Boot with SELinux enforcing
Change-Id: I887b318a95db200280344a11fcf7deaadafdeca9
mediaserver uses libaudioclient (via libmediaplayerservice).
The code in libaudioclient may access IAudioManager.
For that, mediaserver has to be allowed to find "audio" service.
Bug: 123312504
Test: MediaRecorderTest#testAudioRecordInfoCallback
Merged-In: Iaa3651c692fd550f72e7ce6eafbf3386ee07a0c0
Change-Id: Iaa3651c692fd550f72e7ce6eafbf3386ee07a0c0
The userdebug sepolicy will be installed into debug ramdisk.
When the ramdisk is used, the device must be unlocked and init will load
this userdebug version of platform sepolicy to allow adb root.
Bug: 126493225
Test: 'make' and checks that the userdebug sepolicy is in debug ramdisk
Change-Id: I9df514054a86d63449b3ebfd1afdee2aee649418
Merged-In: I9df514054a86d63449b3ebfd1afdee2aee649418
(cherry picked from commit e763667ee1)
Bug: 130734497
Test: m selinux_policy; system_server and statds still have permission
to export HIDL services.
Change-Id: I6e87b236bdbdd939fca51fb7255e97635118ed2d
Merged-In: I6e87b236bdbdd939fca51fb7255e97635118ed2d
(cherry picked from commit 1d34b8cc31)
