This commit adds sepolicy on user build so that Thread HAL simulation
can run on cuttlefish user builds.
Bug: 342154029
Test: presubmit
Change-Id: I576f52a1bdf5b0966e73ee93e4b68bed613b0796
I locked down binderfs in Android V (this release still), but
part of it was opened up too much, so transactions restricted
to userdebug.
transaction_log and failed_transaction_log are not used in AOSP,
but they are requested by partners.
Bug: 316970771 for transactions
Bug: 336711420 for request to open up transaction history logs
Test: boot, bugreport, also:
:) adb shell ls -Z /dev/binderfs/binder_logs
u:object_r:binderfs_logs_transaction_history:s0 failed_transaction_log
u:object_r:binderfs_logs_proc:s0 proc
u:object_r:binderfs_logs:s0 state
u:object_r:binderfs_logs_stats:s0 stats
u:object_r:binderfs_logs_transaction_history:s0 transaction_log
u:object_r:binderfs_logs_transactions:s0 transactions
:) adb shell cat /dev/binderfs/binder_logs/transaction_log
10058502: reply from 6450:8668 to 6766:6766 context binder node 0 handle -1 size 36:0 ret 0/0 l=0
10058503: call from 6766:6766 to 6450:0 context binder node 199747 handle 23 size 116:0 ret 0/0 l=0
10058504: reply from 6450:8668 to 6766:6766 context binder node 0 handle -1 size 12:0 ret 0/0 l=0
10058505: call from 6766:6766 to 6450:0 context binder node 199747 handle 23 size 84:0 ret 0/0 l=0
...
:) adb shell cat /dev/binderfs/binder_logs/failed_transaction_log
26418: reply from 584:1568 to 0:0 context binder node 0 handle -1 size 20:0 ret 29189/0 l=3194
57265: async from 2978:4304 to 3039:0 context binder node 40111 handle 6 size 96:0 ret 29189/-3 l=3465
57269: call from 4437:4613 to 670:0 context binder node 57183 handle 44 size 116:0 ret 29189/-3 l=3465
57288: async from 4252:4450 to 3039:0 context binder node 34895 handle 1 size 92:0 ret 29189/-3 l=3465
...
Change-Id: I73e570dee8e59e76acaf0def615701e0e85e207f
We need to maintain the Pre-reboot Dexopt state across system server
crashes and restarts, but not across reboots. System properties are
suitable for this use case. The state includes whether the job has run
and the OTA slot.
Bug: 311377497
Change-Id: I527d4ba6064c1600d97ce2efc8be211b9460a8f0
Test: Presubmit
Define new classes and access vectors recognised by the kernel.
Bug: 340491179
Test: boot and check logs for undefined class or permission
Change-Id: I9b32916ea231cf396aa326ed7e08cb14e4eb2c9b
Symlink the access vectors and classes definitions of microdroid
reqd_mask to microdroid platform.
These definitions are not yet linked to the generic platform policy.
Bug: 340491179
Bug: 215093641
Test: build & TH
Change-Id: I7c4771dedfd2f35a7dda7d78bf863cbc0c288e67
dumpstate may be executed by apps in different domains. Notably, a
system_app needs to be able to save the output in its own directory.
avc: denied { append } for comm="binder:575_1" dev="dm-50"
ino=10712 scontext=u:r:dumpstate:s0
tcontext=u:object_r:system_app_data_file:s0 tclass=file
Using the app_data_file_type attribute to capture all the potential app
data types. For info, the current Cuttlefish policy has:
$ seinfo -x -a app_data_file_type cf_policy
attribute app_data_file_type;
app_data_file
bluetooth_data_file
nfc_data_file
privapp_data_file
radio_data_file
sdk_sandbox_data_file
shell_data_file
storage_area_app_dir
storage_area_content_file
storage_area_dir
system_app_data_file
Test: bugreport
Change-Id: I7685c1fcdb3896c44fe44008b1b262c3f1e90a01
When odsign spawns compos_verify it has our stdin/out connected to its
console. But none of the VM processes use stdin/out at all; they log
to logcat instead.
So instead of allowing the access (which immediately leads to the same
denials in virtualizationmanager), just suppress the audit logs.
Bug: 293259827
Test: Exercise isolated compilation successfully with no denials seen.
Change-Id: I454bb2fe106b656a9695511cbf09350402b30bdd
Some entries in Tests were not matching their actual function (e.g.,
TestSystemTypeViolators instead of TestSystemTypeViolations).
Automatically generate the list of tests, based on the 'Test' prefix in
their name.
Test: sepolicy_tests -h
Change-Id: I1865e24c6cc1bfe15f633263897ea7530140c41d
This commit adds necessary permissions for ot-rcp to bind
to a network interface specified by its address or name.
Test: presubmit
Bug: 329188649
Change-Id: I6731df79c04eeeb2c39017b99b9c2acf315256e2
Pixel has /dev/usb-ffs/adb, /dev/usb-ffs/mtp, and /dev/usb-ffs/ptp in
type functionfs.
Bug: 311377497
Change-Id: Id9388a0d420c712962804f6441c86cfb3c4e9e62
Test: adb shell cmd jobscheduler run android 27873781
This will allow the CTS get the WifiScanner to test. Also WifiScanner is
a system API and all APIs are protected by the priviliged permissions.
Bug: 339527374
Test: CtsWifiTestCases
Change-Id: Ic06a5804fa81a952e9e8792e93df489a9d47d521
This is used to determine if the device has been in 16k page size mode
to help debug issues with that.
Test: debuggerd_test with ro.misctl.16kb_before="1"
Bug: 335247092
Change-Id: I7b5fcd39cc5b3247d866814fbcf53299d68846c2
In practice only bpf programs are critical to device security...
Normally there is basically no use for creating bpf maps outside
of the bpfloader, since they have to be tied directly into the bpf
programs (which is only ever done by the bpfloader during the boot
process) to be of any use.
This means that bpf maps created after the bpfloader is done,
can't actually be used by any bpf code...
Hence we had this restriction.
However, map-in-map support changes this:
It becomes possible to define a boot-time (bpfloader loaded)
bpf program which accesses an (initially empty) outer map
(created by the bpfloader).
This outer map can be populated with inner maps at run time by various
bpf using userspace code. While it can be populated with bpfloader
created 'static' maps, it also makes sense to be able to create/destroy
these inner maps on demand 'dynamically'.
This allows bpf map memory utilization to be driven by actual runtime
device needs. For example scaling with the number of users, apps,
or connected networks.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I93223c660463596c9e50065be819e2fd865da923
The dynamic linker needs to read this node to determine how it should
load ELF files.
Allow the node to be enabled/disabled by init.
Bug: 330117029
Bug: 327600007
Bug: 330767927
Bug: 328266487
Bug: 329803029
Test: Free Fire Chaos App launches
Test: no avc deined in logcat
Change-Id: I2b35d6aebe39bf3e1e7489b47f23a817e477ef72
During storage migration, we need to route aconfig flag write requests
from settingsprovider to aconfig storage daemon via aconfigd unix domain
socket.
Bug: b/312444587
Test: m and avd
Change-Id: I051d1ed42bf51f2ebd90cbd590237cd9213f0bde
These have been added to the kernel and to Android sepolicy, but not
yet here. This doesn't make much difference, but it does avoid some
(harmless) warnings at policy load time.
While I'm here, remove some userspace classes which don't exist in
Microdroid and probably never will.
Bug: 215093641
Test: Policy still builds; TH
Change-Id: Id2f778919e492162c1a7d77822d74d7978522118
This is a no-op now but it will make vintf finalization easier because
we'll only need system/sepolicy changes.
Bug: 337978860
Test: atest CtsSecurityHostTestCases
Change-Id: I242dcad7511e7c880b1e5434ba3de622f56bc1b3
Introuducing vendor_boot_ota_file which will be used to allow
reading OTAs from /vendor/boot_otas when BOARD_16K_OTA_MOVE_VENDOR := true
is set. These OTAs will be read from settings app(system_app) and update
engine.
Test: m, m Settings && adb install -r $ANDROID_PRODUCT_OUT/system_ext/priv-app/Settings/Settings.apk
Bug: 335022191
Change-Id: Ie42e0de12694ed74f9a98cd115f72d207f67c834
