Commit graph

68 commits

Author SHA1 Message Date
Alexei Nicoara
957e8f37a1 Making sys.boot.reason.last restricted
sys.boot.reason.last needs to be readable by SysUI to correctly display the reason why authentication is required to unlock the phone.

Bug: 299327097
Test: presubmit
Change-Id: I9f83ade92858056609bc665ecb6ce9b93eb051e4
2023-09-11 18:29:24 +01:00
Alexander Roederer
584a862df6 persist.sysui.notification.ranking_update_ashmem
Adds persist.syui.notification.ranking_update_ashmem property and
associated permissions, which will be used to flag guard a change in
core/...NotificationRankingUpdate.java.

Permissions are limited in scope to avoid unnecessary access.
Apps may need to read the flag (because NotificationRankingUpdate.java
is a core library), but setting should only be possible internally (and
via debug shell).

Test: manual flash+adb setprop/getprop
Bug: 249848655
Change-Id: I661644893714661d8c8b5553c943fa17d08c000c
2023-06-07 22:31:00 +00:00
Alexander Roederer
829d974505 Add persist.sysui.notification.builder_extras_ovrd
Adds persist.sysui.notification.builder_extras_override property
and associated permissions, which will be used to flag guard
a change in core/...Notification.java.

Permissions are limited in scope to avoid unnecessary access.
Apps may need to read the flag (because Notification.java
is a core library), but setting should only be possible
internally (and via debug shell).

Test: manual flash+adb setprop/getprop
Bug: 169435530
Change-Id: I3f7e2220798d22c90f4326570732a52b0deeb54d
2023-03-29 16:35:39 +00:00
Ryan Savitski
941ba723ba sepolicy: rework perfetto producer/profiler rules for "user" builds
This patch:
* allows for heap and perf profiling of all processes on the system
  (minus undumpable and otherwise incompatible domains). For apps, the
  rest of the platform will still perform checks based on
  profileable/debuggable manifest flags. For native processes, the
  profilers will check that the process runs as an allowlisted UID.
* allows for all apps (=appdomain) to act as perfetto tracing data
  writers (=perfetto_producer) for the ART java heap graph plugin
  (perfetto_hprof).
* allows for system_server to act a perfetto_producer for java heap
  graphs.

Bug: 247858731
Change-Id: I792ec1812d94b4fa9a8688ed74f2f62f6a7f33a6
2023-02-03 15:05:14 +00:00
Hongwei Wang
9372026ad2 Allow platform_app:systemui to write protolog file
This is enabled on debuggable builds only, includes
- Grant mlstrustedsubject typeattribute to wm_trace_data_file
- Grant platform_app (like systemui) the write access to
  wm_trace_data_file

Bug: 251513116
Test: adb shell dumpsys activity service SystemUIService \
      WMShell protolog [start | stop]
Change-Id: I9f77f8995e4bf671616ce6c49eeb93720e31430e
2023-01-24 16:30:57 -08:00
Ryan Savitski
babba5e83b Revert system app/process profileability on user builds
Please see bug for context.

This reverts commits:
* 6111f0cfc8
* bb197bba02
* 20d0aca7e6

And updates prebuilts/api/33.0 accordingly.

Bug: 217368496
Tested: builds successfully (barbet-userdebug)
Change-Id: If7fcf3d5a2fdb1a48dcaf8ef8f97e8375d461e61
2022-07-01 12:41:01 +00:00
Neil Fuller
37888b33ba Remove TZUvA feature.
The feature was superseded by tzdata mainline module(s).

Bug: 148144561
Test: see system/timezone
Test: m selinux_policy
Change-Id: I48d445ac723ae310b8a134371342fc4c0d202300
Merged-In: I48d445ac723ae310b8a134371342fc4c0d202300
2022-06-13 11:45:50 +00:00
Evan Rosky
5cfdf2bd6e Add a persist.wm.debug property type and associated permissions
This is intended for wm properties related to wmshell/sysui.
Using this context allows sysui to manipulate these properties
in debug builds.

Bug: 219067621
Test: manual
Change-Id: I5808bf92dbba37e9e6da5559f8e0a5fdac016bf3
2022-03-07 19:44:59 +00:00
Lalit Maganti
bb197bba02 sepolicy: Allow system domains to be profiled
Bug: 217368496
Doc: go/field-tracing-t
Change-Id: Ie95c0cc2b1f9e8fa03f6112818936af692edf584
2022-02-01 16:27:26 +00:00
Beth Thibodeau
a279bdba64 Fix error in systemui when toggling airplane mode
Fixes: 197722115
Test: manual - toggle, no avc: denied message
Change-Id: I17929f7cb77a4ba4f9720783c9913243f74db080
2021-10-04 15:34:19 +00:00
Alan Stokes
f96cd6557e Restrict VM usage to platform_app.
Remove access from untrusted apps and instead grant it to platform_app
(but on user builds as well as debug).

Also restrict any app from creating a vsock_socket; using an already
created one is fine.

Bug: 193373841
Test: Microdroid demo app now gets a denial
Test: Rebuild demo with certifcate: platform, adb install, no denial
Change-Id: I7be011e05244767a42d4c56e26de792db4fe599d
2021-09-09 02:30:43 +00:00
Chris Wailes
3486acb3e2 Add SELinux policy to allow testing of artd
Test: m ArtdIntegrationTests
Bug: 177273468
Change-Id: I087e70bee7539c755da15579edc164a3588dc31d
2021-06-16 15:54:28 -07:00
Lalit Maganti
d6ff0c7062 sepolicy: add perfetto_producer for platform_app and system_app
This addresses the following SELinux failure:
trigger_perfett: type=1400 audit(0.0:331): avc: denied { write }
  for name="traced_producer" dev="tmpfs" ino=35064
  scontext=u:r:platform_app:s0:c512,c768
  tcontext=u:object_r:traced_producer_socket:s0
  tclass=sock_file permissive=0 app=com.android.systemui

This is necessary so that, on user builds, system apps like systemui can
trigger Perfetto traces. This is already allowed on userdebug/end by the
capability in app.te.

In a follow up, we'll probably remove all the perfetto_producer in the
*_app.te and remove the userdebug_or_eng in app.te.

Bug: 190620348
Change-Id: I715979970cde760efdf4497c7cd2a2039ca86c85
2021-06-10 13:16:25 +00:00
Weilun Du
e2a8a145ec Revert^2 "Add qemu.hw.mainkeys to system property_contexts"
509b35e5d9

Bug: 180412668
Merged-In: I4067bba36613fa41e3c7a085da76cda4784753ad
Change-Id: I4067bba36613fa41e3c7a085da76cda4784753ad
2021-02-17 18:29:59 +00:00
Ram Muthiah
509b35e5d9 Revert "Add qemu.hw.mainkeys to system property_contexts"
Revert submission 1582845-qemu-prop

Reason for revert: aosp_hawk-userdebug is broken on an RVC branch
Reverted Changes:
Idfc2bffa5:Add qemu.hw.mainkeys to system property_contexts
If013ff33f:Remove qemu.hw.mainkeys from vendor_qemu_prop
Bug: 180412668
Change-Id: I335afb931eaeb019f66e3feedea80b0c8888f7a3
2021-02-16 18:58:10 +00:00
Weilun Du
180a277d67 Add qemu.hw.mainkeys to system property_contexts
Bug: 178143857

Signed-off-by: Weilun Du <wdu@google.com>
Change-Id: Idfc2bffa52016d1e880974bb193025400e90a538
2021-02-11 04:18:54 +00:00
Adam Shih
2543715187 never allow untrusted apps accessing debugfs_tracing
debugfs_tracing can only be accessed by tracing tools provided by the
platform.

Bug: 172028429
Test: boot with no relevant log showing up
Change-Id: I412dd51a1b268061c5a972488b8bc4a0ee456601
2020-12-07 16:33:59 +08:00
Inseob Kim
04f435ca52 Add keyguard_config_prop for keyguard property
keyguard.no_require_sim becomes keyguard_config_prop to remove
exported*_default_prop

Bug: 155844385
Test: boot and see no denials
Change-Id: Icffa88b650a1d35d8c1cd29f89daf0644a79ddd3
2020-07-07 12:46:24 +09:00
Yiwei Zhang
3db5a3140f sepolicy: clean up redundant rules around gpuservice
Test: m selinux_policy
Change-Id: I67389253aa3c6071a553e123fa9883cbdb331614
2020-04-15 09:24:16 -07:00
Andrei Onea
25b39acefe Make platform_compat discoverable everywhere
The binder's methods are protected by signature
permissions (LOG_COMPAT_CHANGE, READ_COMPAT_CHANGE_CONFIG and
OVERRIDE_COMPAT_CHANGE_CONFIG).

This is a re-landing of https://r.android.com/1210143, which was
reverted due to http://b/142942524. The actual fix was done in
http://ag/10234812.

Bug: 142650523
Test: atest PlatformCompatGatingTest
Change-Id: Ibddac8933ea58d44457a5d80b540347e796ebe71
2020-02-06 12:11:37 +00:00
Andrei-Valentin Onea
8a40e7c132 Revert "Make platform_compat discoverable everywhere"
Revert "Add new permissions to test"

Revert submission 1210143-platformcompat-permissions

Reason for revert: http://b/142942524
Reverted Changes:
I3601b12d5: Add new permissions to test
I65d425aac: Make platform_compat discoverable everywhere
I1c8cbb656: Add permissions for using PlatformCompat methods

Change-Id: I356c1d1c4d1213eea6e5585b23faa40722b1a01a
2020-01-30 21:38:35 +00:00
Andrei Onea
59da5e821f Make platform_compat discoverable everywhere
The binder's methods are protected by signature
permissions (READ_COMPAT_CHANGE_CONFIG and
OVERRIDE_COMPAT_CHANGE_CONFIG).

Bug: 142650523
Test: atest PlatformCompatTest
Test: atest CompatConfigTest
Test: atest OverrideValidatorImplTest
Change-Id: I65d425aacb120c6481076431151cf43ecab2509f
2020-01-24 17:01:37 +00:00
Andrei-Valentin Onea
5e4a45f403 Merge "Make platform_compat accessible on release builds." 2020-01-08 18:42:44 +00:00
Andrei Onea
85dd43db87 Make platform_compat accessible on release builds.
This is required for the Debug UI within the Settings app.

The Platform Compat API prevents callers from overriding the compat
config for non-debuggable apps on user builds, among other restrictions
(see https://r.android.com/1178263 for the full list).

Test: use Setting's debug UI on a user build
Bug: 144552011
Bug: 138280620
Change-Id: Ia11a6523feab5cfac2dd6a04d269c59f28f667b7
2019-12-18 14:47:29 +00:00
Jeffrey Huang
cfe10227fc Merge "system_server: create StatsManagerService" 2019-12-17 23:22:25 +00:00
Jeffrey Huang
215dd2aa9b system_server: create StatsManagerService
Refactor to split the logic within statscompanion_service
The goal of the refactor is to simplify the binder calls to statsd

This service will talk to statsd.

At the end of the refactor, this service should be the only
service that talks to statsd.

Bug: 146074223
Test: Manual by creating the service with empty implementation
Change-Id: Ib9c2e10ec195d41062f1001e5a82b374696de939
2019-12-16 11:50:16 -08:00
markchien
9cc39d9acf Allow application to find tethering service
Mark tethering_service as app_api_service to allow applications to find
tethering service. Apps should able to use tethering service to
know tethering state if they have ACCESS_NETWORK_STATE permission, but
they may need privileged permission if they want to change tethering.

Bug: 144320246
Test: -build, flash, boot
      -ON/OFF hotspot

Change-Id: Ie414618766144c4a4ad89c5cf03398a472638e71
2019-12-16 21:32:04 +08:00
Mark Chien
9dfaa7dcc6 [Tether15] Allow system app to find TetheringManager
Bug: 144320246
Test: -build, flash, boot
      -OFF/ON hotspot

Change-Id: I8ce7ac5eb8198f0df4a2da426e3c56e8915e746a
2019-12-02 18:01:33 +08:00
Joel Galenson
4321551734 Cleanup: use binder_call macro.
Test: Compile.
Change-Id: Ic05ed96f50d5139b12a28565a0dc697476874a22
2019-10-22 13:08:10 -07:00
Andrei Onea
87c885b135 Allow platform signed apps to access platform_compat service
This exception is needed for overriding gated changes in tests.
Bug: 140367850
Test: http://aosp/1113771
Change-Id: I2a76f92fe06c1c759a537dea7539a8899f02b15e
2019-09-13 12:38:37 +01:00
Steven Moreland
8a7bed9e1e Remove mediacodec_service.
Since this service no longer exists.

Fix: 80317992
Test: TH, codesearch.
Merged-In: I257c8cc3dba657d98f19eb61b36aae147afea393
Change-Id: I257c8cc3dba657d98f19eb61b36aae147afea393
2019-08-21 01:14:15 +00:00
joshmccloskey
6f5a7b85b2 Allowing sysui to access statsd.
Test: Manual.
Change-Id: Iae63806bd5a8435e759694c0f84a3da8d463549d
2019-02-11 14:09:42 -08:00
Yiwei Zhang
544d6b34ec Game Driver: sepolicy update for plumbing GpuStats into GpuService
Allow all the app process with GUI to send GPU health metrics stats to
GpuService during the GraphicsEnvironment setup stage for the process.

Bug: 123529932
Test: Build, flash and boot. No selinux denials.
Change-Id: Ic7687dac3c8a3ea43fa744a6ae8a45716951c4df
2019-02-08 18:15:17 -08:00
felkachang
0c402012e6 add create link permission for platform_app
To create symbolic link by unstrusted app raise the security
issue. To allow platform_app to create symbolic link prevent
the functionality from not working.

Fixes: 123555031
Test: atest DocumentsUITests
Bug: 123350324

Change-Id: Idb23c3e813c66bd284d42b8040deeea762f99a0f
2019-01-30 16:03:27 +08:00
Jeff Vander Stoep
6026a4adb9 app: Allow all apps to read dropbox FDs
DropboxManager may pass FDs to any app with the READ_LOGS
permission which is available to all apps as a development
permission.

Test: atest CtsIncidentHostTestCases
Fixes: 111856304
Change-Id: I329e3125dab83de948b860061df9d232e31cb23e
2018-09-04 20:23:43 +00:00
Neil Fuller
63c904601b Remove unnecessary permission
There will likely be no need for platform apps
to call the timedetector_service; it was added
in error.

Bug: 78217059
Test: build / boot
Change-Id: Ie299c92a60f26fe6cb00562219e386a9f13e459f
2018-06-19 12:58:09 +01:00
Neil Fuller
e1dd6d07b5 selinux changes to add time detector service
This commit contains the changes needed to add the new
time detector system server service.

Bug: 78217059
Test: make / booted device
Change-Id: I7cfaac6cac876e4aa73e8af1aa5f837117bb9ad7
2018-06-04 19:40:37 +01:00
Jeff Vander Stoep
7a4af30b38 Start the process of locking down proc/net
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.

To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.

Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
    navigate maps, send text message, make voice call, make video call.
    Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest

Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f)
2018-05-04 21:36:33 +00:00
Mark Salyzyn
3443cafa98 FrameworksServicesTests: allow access to test.sys.boot.reason property
com.android.server.power.PowerManagerServiceTest#testGetLastShutdownReasonInternal due to "RuntimeException: failed to set system property"

W/roidJUnitRunner: type=1400 audit(0.0:6): avc: denied { write } for name="property_service" dev="tmpfs" ino=13178 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
W/libc    : Unable to set property "test.sys.boot.reason" to "shutdown,thermal": connection failed; errno=13 (Permission denied)

Had to use precise property definition as com.android.phone accesses
test properties as well.

Test: compile
Bug: 78245377
Change-Id: I2cc810846f8615f2a2fae8e0d4f41de585b7abd7
2018-05-04 07:33:56 -07:00
Jeffrey Vander Stoep
9c6749d772 Revert "FrameworksServicesTests: allow access to test.sys.boot.reason property"
This reverts commit 0ab13a8dff.

Reason for revert: broken presubmit tests
https://sponge.corp.google.com/target?show=FAILED&sortBy=STATUS&id=83e847b2-8e30-4417-9b15-8e66af4b2bc3&target=DeviceBootTest

Change-Id: Id173c8e7fa28ba04070f507098f301f076e4aae7
2018-05-04 06:23:42 +00:00
Mark Salyzyn
0ab13a8dff FrameworksServicesTests: allow access to test.sys.boot.reason property
com.android.server.power.PowerManagerServiceTest#testGetLastShutdownReasonInternal due to "RuntimeException: failed to set system property"

W/roidJUnitRunner: type=1400 audit(0.0:6): avc: denied { write } for name="property_service" dev="tmpfs" ino=13178 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
W/libc    : Unable to set property "test.sys.boot.reason" to "shutdown,thermal": connection failed; errno=13 (Permission denied)

Test: compile
Bug: 78245377
Change-Id: Id21436d281bab27823969a9f7e92318d70b5a2d6
2018-05-03 16:45:36 +00:00
Jeff Vander Stoep
4d3ee1a5b6 Protect dropbox service data with selinux
Create a new label for /data/system/dropbox, and neverallow direct
access to anything other than init and system_server.

While all apps may write to the dropbox service, only apps with
android.permission.READ_LOGS, a signature|privileged|development
permission, may read them. Grant access to priv_app, system_app,
and platform_app, and neverallow access to all untrusted_apps.

Bug: 31681871
Test: atest CtsStatsdHostTestCases
Test: atest DropBoxTest
Test: atest ErrorsTests
Change-Id: Ice302b74b13c4d66e07b069c1cdac55954d9f5df
2018-04-18 19:53:03 +00:00
Jeff Sharkey
000cafc701 Add exFAT support; unify behind "sdcard_type".
We're adding support for OEMs to ship exFAT, which behaves identical
to vfat.  Some rules have been manually enumerating labels related
to these "public" volumes, so unify them all behind "sdcard_type".

Test: atest
Bug: 67822822
Change-Id: I09157fd1fc666ec5d98082c6e2cefce7c8d3ae56
2018-04-13 14:08:10 -06:00
Nathan Harold
252b015365 Allow getsockopt and setsockopt for Encap Sockets
Because applications should be able to set the receive
timeout on UDP encapsulation sockets, we need to allow
setsockopt(). getsockopt() is an obvious allowance as
well.

Bug: 68689438
Test: compilation
Merged-In: I2eaf72bcce5695f1aee7a95ec03111eca577651c
Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c
2018-04-03 21:52:14 +00:00
Tri Vo
06d7dca4a1 Remove proc and sysfs access from system_app and platform_app.
Bug: 65643247
Test: manual
Test: browse internet
Test: take a picture
Change-Id: I9faff44b7a025c7422404d777113e40842ea26dd
2018-01-20 01:05:21 +00:00
Nathan Harold
ee268643c1 Allow More Apps to Recv UDP Sockets from SystemServer
This gives the privilege to system apps, platform apps,
ephemeral apps, and privileged apps to receive a
UDP socket from the system server. This is being added
for supporting UDP Encapsulation sockets for IPsec, which
must be provided by the system.

This is an analogous change to a previous change that
permitted these sockets for untrusted_apps:
0f75a62e2c

Bug: 70389346
Test: IpSecManagerTest, System app verified with SL4A
Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31
2018-01-15 23:10:42 +00:00
Jeff Vander Stoep
63f4677342 Allow vendor apps to use surfaceflinger_service
Vendor apps may only use servicemanager provided services
marked as app_api_service. surfaceflinger_service should be
available to vendor apps, so add this attribute and clean up
duplicate grants.

Addresses:
avc:  denied  { find } scontext=u:r:qtelephony:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
avc:  denied  { find } scontext=u:r:ssr_detector:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
avc:  denied  { find } scontext=u:r:qcneservice:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager

Bug: 69064190
Test: build
Change-Id: I00fcf43b0a8bde232709aac1040a5d7f4792fa0f
2017-11-09 15:41:37 +00:00
Todd Poynor
bbc692c6d9 PowerUI access to thermalservice
Allow PowerUI / platform_app to use thermalservice for receiving
notifications of thermal events.

Bug: 66698613
Test: PowerNotificationWarningsTest, PowerUITest,
      manual: marlin and <redacted> with artificially low temperature
      threshold and logcat debugging messages
Change-Id: I5428bd5f99424f83ef72d981afaf769bdcd03629
Merged-In: I5428bd5f99424f83ef72d981afaf769bdcd03629
2017-10-14 01:05:58 +00:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Jeff Vander Stoep
d22cbc8ffb Merge "domain_deprecated is dead"
am: f1b06df3d6

Change-Id: I0d98e192600c94f983d7b0347715e2ba6a8b8dab
2017-07-28 23:22:43 +00:00