Commit graph

26894 commits

Author SHA1 Message Date
Alistair Delva
98825d35cb Allow dumpstate to dump face/fingerprint/gnss HALs
Seen with "adb bugreport" on cuttlefish:

avc: denied { call } for scontext=u:r:dumpstate:s0
  tcontext=u:r:hal_face_default:s0 tclass=binder permissive=0
avc: denied { call } for scontext=u:r:dumpstate:s0
  tcontext=u:r:hal_fingerprint_default:s0 tclass=binder permissive=0
avc: denied { call } for scontext=u:r:dumpstate:s0
  tcontext=u:r:hal_gnss_default:s0 tclass=binder permissive=0

Fix it like aosp/1313514

Bug: 170070222
Change-Id: I1c2d6fc0130ef3ee87662d23de0ee031fb60cbec
2020-11-16 13:52:05 -08:00
Treehugger Robot
79898cb78f Merge "Use app_data_file_type for mls rules." 2020-11-16 11:58:11 +00:00
Alan Stokes
5b58aedf58 Merge "Enforce use of app_data_file_type." 2020-11-16 10:35:48 +00:00
Tej Singh
d083d24c0d Merge "Revert "Enforce RTM_GETLINK restrictions on all 3p apps"" 2020-11-14 01:59:33 +00:00
Tej Singh
f48d1f8e46 Revert "Enforce RTM_GETLINK restrictions on all 3p apps"
Revert "Updates tests for untrusted app MAC address restrictions"

Revert submission 1450615-mac-address-restrictions

Reason for revert: DroidMonitor: Potential culprit for Bug 173243616 - verifying through Forrest before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted

Reverted Changes:
I08c709b2b:Enforce RTM_GETLINK restrictions on all 3p apps
I95d124ae8:Soft-enables new MAC address restrictions.
I5392f8339:Updates tests for untrusted app MAC address restri...
I9d214c5d0:Return anonymized MAC for apps targeting SDK < 30

Change-Id: I987dfc86dfba56a2d2a45075dc19885ca6f0a4ad
2020-11-13 22:27:15 +00:00
Lais Andrade
22b499eab5 Add IVibratorManager to sepolicy service_contexts
Bug: 166586119
Change-Id: Ia9339d34bcc7a22d5785cf7c810282f7cb0b724f
Test: N/A
2020-11-13 14:16:46 +00:00
Florian Mayer
b23d38c7a0 Merge "userdebug_or_eng: allow traced_perf to read kallsyms." 2020-11-13 10:02:27 +00:00
Alan Stokes
3f686e323c Merge "Exempt app_data_file_type from neverallow rules." 2020-11-13 09:49:55 +00:00
Roshan Pius
e97cb76018 Merge "sepolicy(hal_wifi): Allow wifi HAL to access persist.vendor.debug properties" 2020-11-13 08:11:40 +00:00
Roshan Pius
a5a81002c8 sepolicy(hal_wifi): Allow wifi HAL to access persist.vendor.debug properties
We want to tweak some device params at runtime via shell (alleviates the
need to recompile the HAL for changing device configuration). This will help
us test/teamfood a couple of new features under development.

Bug: 173044646
Test: Wifi HAL can read persist.vendor.debug.wifi properties.
Change-Id: Iabd07e72aa5f0d97519a37d0ebb1e0a3458b6d06
2020-11-12 18:22:47 -08:00
Inseob Kim
8eae0aa1fb Merge "Add context for ro.product.property_source_order" 2020-11-13 00:49:15 +00:00
Florian Mayer
167407dc47 userdebug_or_eng: allow traced_perf to read kallsyms.
This tracing daemon interfaces with perf_events, and is used for
callstack sampling. Currently, we only handle userspace stacks. We
have the ability to collect kernel frame addresses (as unwound
by the kernel itself), but need /proc/kallsyms to symbolize them.

This patch mirrors what was done for traced_probes (ftrace event
kptr symbolization) in aosp/1455337 - the daemon can set a sysprop
that causes "init" to temporarily relax kptr_restrict, then the daemon
can open and read /proc/kallsyms. After the file is parsed, the
kptr_restrict value is restored.

To reiterate, this is confined to userdebug_or_eng due to the reasons
outlined in go/perfetto-kallsyms.

Bug: 173124818
Change-Id: I9077bbfe6fea3318f4c37947a5c455061ca43d8d
2020-11-12 20:04:40 +00:00
Alan Stokes
668e74f6f4 Exempt app_data_file_type from neverallow rules.
We need to be able to access app data files from core domains such as
installd even for vendor apps. Those file types should not be
core_data_file_type, so we explicitly exempt app_data_file_type as
well as core_data_file_type from the relevant neverallows.

To prevent misuse of the attribute, add a test to check it is not
applied to anything in file_contexts. Exempt the existing violators in
system policy for now.

Test: Builds
Test: Adding a type with just "file_type, data_file_type, app_data_file_type" works
Test: New test successfully catches violators.
Bug: 171795911
Change-Id: I07bf3ec3db615f8b7a33d8235da5e6d8e2508975
2020-11-12 18:08:18 +00:00
Bram Bonné
593c3b5c2f Merge "Enforce RTM_GETLINK restrictions on all 3p apps" 2020-11-12 17:07:11 +00:00
Inseob Kim
9985566221 Add context for ro.product.property_source_order
Any partition should be able to write this property with build.prop.
This adds a new context for ro.product.property_source_order so it can
be set from any build.prop, e.g. vendor/build.prop, product/build.prop,
etc.

Bug: 172459064
Test: PRODUCT_VENDOR_PROPERTIES can set this property
Change-Id: Ibf85a4ad02d8454f621428b271e8e298067aa126
2020-11-12 22:21:51 +09:00
Alan Stokes
9f7d1ff0f1 Merge "Introduce app_data_file_type attribute." 2020-11-12 09:29:06 +00:00
yawanng
895164f402 Added permissions for new dexopt flags on methods/classes percent change.
Bug: 172490638
Test: Make
Change-Id: Ia08895f9ccfba3b860e59d810ef67668f52c675e
2020-11-11 22:51:46 +00:00
Alan Stokes
3c4375a5b4 Enforce use of app_data_file_type.
Extend check_seapp to check that all types specified in seapp_contexts
files have the attribute, to ensure that the neverallow rules apply to
them. As a small bonus, also verify that domain and type values are
actually types not attributes.

Test: Presubmits
Test: Manual: specify an invalid type, build breaks.
Bug: 171795911
Change-Id: I951d6f993445e8ba11c30a504b8de281fdd93c4a
2020-11-11 14:45:32 +00:00
Alan Stokes
f8ad33985d Introduce app_data_file_type attribute.
This gives us an easy way for the policy to refer to all existing or
future types used for app private data files in type= assignments in
seapp_contexts.

Apply the label to all the existing types, then refactor rules to use
the new attribute.

This is intended as a pure refactoring, except that:
- Some neverallow rules are extended to cover types they previously
  omitted;
- We allow iorap_inode2filename limited access to shell_data_file and
  nfc_data_file;
- We allow zygote limited access to system_app_data_file.

This mostly reverts the revert in commit b01e1d97bf, restoring commit
27e0c740f1. Changes to check_seapp to enforce use of app_data_file_type
are omitted, to be included in a following CL.

Test: Presubmits
Bug: 171795911
Change-Id: I02b31e7b3d5634c94763387284b5a154fe5b71b4
2020-11-11 14:43:36 +00:00
Nikita Ioffe
fce6c327ad Merge "Temporarily allow otapreopt_chroot to query ro.cold_boot_done prop" 2020-11-11 13:28:54 +00:00
Alex Hong
2680a1b55c Merge "Allow dumpstate to read proc_pid_max and access profcollectd via binder" 2020-11-11 06:41:10 +00:00
Nikita Ioffe
f0f047aeaa Temporarily allow otapreopt_chroot to query ro.cold_boot_done prop
Test: presubmit
Bug: 172829167
Bug: 165948777
Change-Id: If7ead4ec43496795e31432db8d3493dbc6fc5e07
2020-11-10 20:38:45 +00:00
Treehugger Robot
16b3c87454 Merge "Revert "Introduce app_data_file_type attribute."" 2020-11-10 20:21:31 +00:00
Alan Stokes
b01e1d97bf Revert "Introduce app_data_file_type attribute."
This reverts commit 27e0c740f1.

Reason for revert: b/172926597

Change-Id: Id2443446cbdf51dc05b303028377895b9cf2a09e
2020-11-10 18:02:14 +00:00
Alan Stokes
c5773a9836 Use app_data_file_type for mls rules.
Now that we have an attribute for all app data files, make use of
it. It's cleaner.

The net effect here is a slight loosening of permissions - we now
allow open fds for any app_data_file_type to be passed to a different
process, rather than just app_data_file and privapp_data_file.

Bug: 171795911
Test: presubmits
Merged-In: I4cf812d01577b923efbe1ea3f276c209844d8858
Change-Id: I4cf812d01577b923efbe1ea3f276c209844d8858
2020-11-10 14:27:59 +00:00
Thiébaud Weksteen
fd86bda955 Merge "Add hal_light to ANR list" 2020-11-10 13:37:36 +00:00
Alan Stokes
256a9b4e46 Merge "Introduce app_data_file_type attribute." 2020-11-10 11:57:41 +00:00
Alex Hong
906c724514 Allow dumpstate to read proc_pid_max and access profcollectd via binder
Now running ps requires the read permission for /proc/sys/kernel/pid_max.
Also, grant the binder_call permission for recently added profcollectd.

Bug: 170070222
Change-Id: I5bc0f89a0538091de40647777ff6bf47f47dc066
2020-11-10 09:53:41 +00:00
Treehugger Robot
aa405a473a Merge "Added read only suspend hal properties" 2020-11-10 04:56:33 +00:00
Josh Gao
1fcd3d9e8c Merge "Let adbd set service.adb.tcp.port." 2020-11-10 00:32:25 +00:00
Treehugger Robot
406a391077 Merge "Add entries for some properties in default_prop" 2020-11-10 00:24:04 +00:00
Benjamin Schwartz
3e4d97b158 Added read only suspend hal properties
Bug: 170587692
Test: Inspected logs to confirm android.system.suspend can access the
properties

Change-Id: Ie6a84afe490df0d2b11ff4f06588c7bca68d9850
2020-11-09 15:47:12 -08:00
Alan Stokes
27e0c740f1 Introduce app_data_file_type attribute.
This gives us an easy way for the policy to refer to all existing or
future types used for app private data files in type= assignments in
seapp_contexts.

Apply the label to all the existing types, then refactor rules to use
the new attribute.

This is intended as a pure refactoring, except that:
- Some neverallow rules are extended to cover types they previously
  omitted;
- We allow iorap_inode2filename limited access to shell_data_file and
  nfc_data_file;
- We allow zygote limited access to system_app_data_file.

Also extend check_seapp to check that all types specified in
seapp_contexts files have the attribute, to ensure that the neverallow
rules apply to them. As a small bonus, also verify that domain and
type values are actually types not attributes.

Test: Presubmits
Test: Manual: specify an invalid type, build breaks.
Bug: 171795911
Change-Id: Iab6018af449dab3b407824e635dc62e3d81e07c9
2020-11-09 11:04:02 +00:00
Hai Zhang
a97a3665fb Add TCSETSF to unpriv_tty_ioctls.
This allows calling tcsetattr() with TCSAFLUSH, in addition to TCSANOW
and TCSADRAIN.

Fixes: 172740382
Test: manual
Change-Id: Idd2e9e0db2e0210df515f46d9d0323c6b517dd39
2020-11-09 00:19:01 +00:00
Josh Gao
0cac6fd17a Let adbd set service.adb.tcp.port.
Commit 67c36884 changed the label of service.adb.tcp.port to allow
vendor init to set it, but accidentally prevented adbd from setting it,
which broke `adb tcpip`.

Bug: http://b/171280882
Test: `adb tcpip`
Change-Id: I154e2f43a4d3b72b27508ce02d66298673939738
2020-11-06 13:08:04 -08:00
Michael Sun
dd92be8271 Merge "Update to support split SystemSuspend AIDL interfaces" 2020-11-06 17:35:58 +00:00
Inseob Kim
d5a0448a53 Add entries for some properties in default_prop
Currently default_prop is readable by coredomain and appdomain. That's
too broad, and we are going to restrict the access so every property
should be added to property_contexts.

This adds some missing properties to property_contexts. Newly added
property contexts are:

- wrap.*: used by zygote to give arguments. It's assigned as
zygote_wrap_prop, and will be readable from coredomain.

- partition.{mount_name}.verified: used by dm-verity. It's assigned as
verity_status_prop, and will only be accessible from init.

- (ro.)?setupwizard.*: used by setup wizard. It's assigned as
setupwizard_prop, and will be readable from coredomain.

Other properties, such as ro.gfx.*, media.stagefright.*,
ro.storage_manager.* are also added to existing contexts.

Bug: 170590987
Test: boot crosshatch and see no denials
Change-Id: Ife9d69a62ee8bd7395a70cd104271898c8a72540
2020-11-06 14:02:34 +09:00
Florian Mayer
12376168b4 New type for printk_formats, allow traced_probes.
Test: ls -lZ /sys/kernel/tracing/printk_formats
      [...] u:object_r:debugfs_tracing_printk_formats:s0 [...]

Test: setenforce 0;
      runcon u:r:system_server:s0 cat /sys/kernel/tracing/printk_formats
      logcat complains about /sys/kernel/tracing/printk_formats

Test: setenforce 0;
      runcon u:r:traced_probes:s0 cat /sys/kernel/tracing/printk_formats
      logcat does not complain about /sys/kernel/tracing/printk_formats

(need to setenforce 0, because otherwise the exec of ls is denied).

Bug: 70292203
Change-Id: I15ddef686f979c59daaba5263fa99aca3cd139e5
2020-11-05 12:55:50 +00:00
Steven Moreland
4537b1ed62 Merge "Policy: file errors include files with attrs" 2020-11-04 16:21:40 +00:00
Treehugger Robot
911dbb25f8 Merge "Add missing build.prop related properties" 2020-11-04 03:22:35 +00:00
Inseob Kim
072e7c8bd2 Add missing build.prop related properties
ro.actionable_compatible_property.enabled and ro.treble.enabled are in
system/build.prop, so they are assigned as build_prop. The other added
properties are introduced by build/make/core/sysprop.mk.

Bug: 170590987
Test: boot and see default_prop
Change-Id: I2ec1df99985ca81d27e657750eb8895fe4b85b35
Merged-In: I2ec1df99985ca81d27e657750eb8895fe4b85b35
2020-11-04 00:52:09 +00:00
Steven Moreland
7f11650293 Policy: file errors include files with attrs
Since many files can correspond to the same error, it can be hard to see
which file is causing the error for an attribute.

For example, here I couldn't find which file was 'vendor_file':

  The following types on / must be associated with the "no_fs_type"
  attribute: vendor_file
   corresponding to files: /cache/overlay/oem/upper

Bug: 154851797
Test: see above example
Change-Id: Ic96536da3ce55ccc5f600579b9f6b1b4f56fc93d
2020-11-03 23:20:43 +00:00
David Anderson
ae72bf372c Merge "init: Allow interacting with snapuserd and libsnapshot." 2020-11-03 18:24:49 +00:00
Steven Moreland
42aa7a26e2 Merge "sepolicy_tests.py: system_ext, product, odm" 2020-11-03 16:44:26 +00:00
Thiébaud Weksteen
e992abeaa3 Add hal_light to ANR list
Test: m selinux_policy
Bug: 168939486
Change-Id: I19ea754da68cbf102c9310e96bc7c410e0864514
2020-11-03 17:12:08 +01:00
Roland Levillain
75413123c8 Merge "Allow the shell user to run dex2oat." 2020-11-03 12:24:23 +00:00
Michael Sun
6445f190e8 Update to support split SystemSuspend AIDL interfaces
The suspend_control_aidl_interface is updated, renamed, and split
into android.system.suspend.control and
android.system.suspend.control.internal. This resulted in two suspend
services; update sepolicy to support this change.

Test: m
Bug: 171598743
Change-Id: I695bde405672af834fe662242347e62079f2e25f
2020-11-02 23:54:21 +00:00
Roland Levillain
06bee189ad Allow the shell user to run dex2oat.
This is required for ART's Checker tests, which are part of
(host-driven) ART run-tests, and will also be required to run ART
run-tests via TradeFed in AOT-compilation modes in the future.

Test: Run `atest art-run-test-004-checker-UnsafeTest18` with
      https://android-review.googlesource.com/c/platform/tools/tradefederation/+/1484277
      merged in, on a device where `adb` commands are not run as root
Bug: 162408889
Bug: 147812905
Change-Id: I3e4824bf15bdbad1ddf26601f871feec11313ecc
2020-11-02 21:51:27 +00:00
Steven Moreland
a01338d4a8 sepolicy_tests.py: system_ext, product, odm
Adds missing partitions to Treble sepolicy tests, and makes exceptions
explicit.

Bug: 154851797
Test: build runs this test

Change-Id: I93f3e633981383d3d215d3a850f6ade12c910415
2020-11-02 20:24:35 +00:00
Hayden Gomes
0b5171df39 Merge "Adding support for AIDL AudioControl HAL" 2020-10-30 14:21:10 +00:00