Commit graph

10509 commits

Author SHA1 Message Date
Steven Moreland
9956cdff2f fix bugreport denial for new binderfs log type
Bug: 342311206
Test: SELinuxHostTest#testNoBugreportDenials
Change-Id: I0c28f1353fb0663167ecbc219d5e98fd214121eb
2024-05-23 20:05:33 +00:00
Treehugger Robot
ab0272ccb4 Merge "Allow system_server to reopen its own memfd." into main 2024-05-23 13:45:23 +00:00
Treehugger Robot
6f388111e0 Merge "Update transaction log permissions." into main 2024-05-22 19:21:00 +00:00
Ellen Arteca
19208cb0e3 Merge "Fix installd not having permission to delete storage area keys" into main 2024-05-22 17:03:15 +00:00
Jiakai Zhang
7a257541e9 Allow system_server to reopen its own memfd.
Bug: 311377497
Test: Run Pre-reboot Dexopt.
Change-Id: Ic6e273732a042f0906fad7ffa73a3e45af2adde5
2024-05-22 17:09:06 +01:00
Ellen Arteca
1c7e529242 Fix installd not having permission to delete storage area keys
Bug: 325129836
Test: atest StorageAreaTest
Change-Id: I6dd1678fe1b184372221b479aaeba17c1ab4788c
2024-05-21 17:58:05 +00:00
Dennis Shen
2f5774f756 Merge "selinux: allow aconfig to read /aepx" into main 2024-05-21 14:39:44 +00:00
Thiébaud Weksteen
e138fe460b Merge changes I9b32916e,I7c4771de into main
* changes:
  Define new kernel security classes
  Symlink microdroid access_vectors and security_classes
2024-05-21 10:26:46 +00:00
Seungjae Yoo
e5df7418a4 Merge "Set sepolicy for vmnic in AVF" into main 2024-05-21 04:40:55 +00:00
Treehugger Robot
4fa0ed2bc1 Merge "statsd: allow misctl property" into main 2024-05-21 01:25:32 +00:00
Seungjae Yoo
f60a1e0b90 Set sepolicy for vmnic in AVF
Bug: 340376951
Test: Presubmit
Change-Id: I5f48ff4a459805de2f74d160c1b61473c6de0466
2024-05-20 14:15:22 +09:00
Dennis Shen
f6106361f1 selinux: allow aconfig to read /aepx
Bug: b/312444587
Test: m and avd
Change-Id: I6ac81dd211ad7669952f97f9541c44e14680bec6
2024-05-20 00:44:56 +00:00
Steven Moreland
248f0e069a Update transaction log permissions.
I locked down binderfs in Android V (this release still), but
part of it was opened up too much, so transactions restricted
to userdebug.

transaction_log and failed_transaction_log are not used in AOSP,
but they are requested by partners.

Bug: 316970771 for transactions
Bug: 336711420 for request to open up transaction history logs
Test: boot, bugreport, also:

:) adb shell ls -Z /dev/binderfs/binder_logs
u:object_r:binderfs_logs_transaction_history:s0 failed_transaction_log
u:object_r:binderfs_logs_proc:s0                proc
u:object_r:binderfs_logs:s0                     state
u:object_r:binderfs_logs_stats:s0               stats
u:object_r:binderfs_logs_transaction_history:s0 transaction_log
u:object_r:binderfs_logs_transactions:s0        transactions
:) adb shell cat /dev/binderfs/binder_logs/transaction_log
10058502: reply from 6450:8668 to 6766:6766 context binder node 0 handle -1 size 36:0 ret 0/0 l=0
10058503: call  from 6766:6766 to 6450:0 context binder node 199747 handle 23 size 116:0 ret 0/0 l=0
10058504: reply from 6450:8668 to 6766:6766 context binder node 0 handle -1 size 12:0 ret 0/0 l=0
10058505: call  from 6766:6766 to 6450:0 context binder node 199747 handle 23 size 84:0 ret 0/0 l=0
...
:) adb shell cat /dev/binderfs/binder_logs/failed_transaction_log
26418: reply from 584:1568 to 0:0 context binder node 0 handle -1 size 20:0 ret 29189/0 l=3194
57265: async from 2978:4304 to 3039:0 context binder node 40111 handle 6 size 96:0 ret 29189/-3 l=3465
57269: call  from 4437:4613 to 670:0 context binder node 57183 handle 44 size 116:0 ret 29189/-3 l=3465
57288: async from 4252:4450 to 3039:0 context binder node 34895 handle 1 size 92:0 ret 29189/-3 l=3465
...

Change-Id: I73e570dee8e59e76acaf0def615701e0e85e207f
2024-05-17 22:35:55 +00:00
Thiébaud Weksteen
1b85ead322 Merge "Grant dumpstate append to app_data_file_type" into main 2024-05-16 23:29:39 +00:00
Treehugger Robot
ca83352d1b Merge "Adjust policy that allows virtualizationservice to access RKPD" into main 2024-05-15 16:05:38 +00:00
Alice Wang
f7fc9f921a Adjust policy that allows virtualizationservice to access RKPD
Test: atest AvfRkpdAppIntegrationTests
Change-Id: I4f946326af3ce96466bb2c7de1762fbed056ec09
2024-05-15 14:33:36 +00:00
Jiakai Zhang
1a3775bbb8 Add a system property namespace for Pre-reboot Dexopt.
We need to maintain the Pre-reboot Dexopt state across system server
crashes and restarts, but not across reboots. System properties are
suitable for this use case. The state includes whether the job has run
and the OTA slot.

Bug: 311377497
Change-Id: I527d4ba6064c1600d97ce2efc8be211b9460a8f0
Test: Presubmit
2024-05-15 14:20:22 +00:00
Maciej Żenczykowski
6e95ee78e3 Merge "allow non bpfloader creation of bpf maps" into main 2024-05-15 07:37:07 +00:00
Thiébaud Weksteen
6772c50574 Define new kernel security classes
Define new classes and access vectors recognised by the kernel.

Bug: 340491179
Test: boot and check logs for undefined class or permission
Change-Id: I9b32916ea231cf396aa326ed7e08cb14e4eb2c9b
2024-05-15 04:45:20 +00:00
Thiébaud Weksteen
76f7261d14 Grant dumpstate append to app_data_file_type
dumpstate may be executed by apps in different domains. Notably, a
system_app needs to be able to save the output in its own directory.

  avc:  denied  { append } for comm="binder:575_1" dev="dm-50"
  ino=10712 scontext=u:r:dumpstate:s0
  tcontext=u:object_r:system_app_data_file:s0 tclass=file

Using the app_data_file_type attribute to capture all the potential app
data types. For info, the current Cuttlefish policy has:

  $ seinfo -x -a app_data_file_type cf_policy
    attribute app_data_file_type;
        app_data_file
        bluetooth_data_file
        nfc_data_file
        privapp_data_file
        radio_data_file
        sdk_sandbox_data_file
        shell_data_file
        storage_area_app_dir
        storage_area_content_file
        storage_area_dir
        system_app_data_file

Test: bugreport
Change-Id: I7685c1fcdb3896c44fe44008b1b262c3f1e90a01
2024-05-15 10:55:37 +10:00
Steven Moreland
0ae9148a35 statsd: allow misctl property
For detecting 16 KB issues.

Bug: 332406754
Test: build
Change-Id: I27f7044133dad54b91bbab5911b05a6cc254be36
2024-05-14 20:31:11 +00:00
Alan Stokes
8b80dacadc Suppress denials for odsign console
When odsign spawns compos_verify it has our stdin/out connected to its
console. But none of the VM processes use stdin/out at all; they log
to logcat instead.

So instead of allowing the access (which immediately leads to the same
denials in virtualizationmanager), just suppress the audit logs.

Bug: 293259827
Test: Exercise isolated compilation successfully with no denials seen.
Change-Id: I454bb2fe106b656a9695511cbf09350402b30bdd
2024-05-14 17:07:35 +01:00
Jiakai Zhang
be2e719598 Allow mounting and unmounting functionfs.
Pixel has /dev/usb-ffs/adb, /dev/usb-ffs/mtp, and /dev/usb-ffs/ptp in
type functionfs.

Bug: 311377497
Change-Id: Id9388a0d420c712962804f6441c86cfb3c4e9e62
Test: adb shell cmd jobscheduler run android 27873781
2024-05-09 04:03:18 +00:00
Devin Moore
ba99b14c5c Merge "Allow crash_dump to read misctrl properties" into main 2024-05-07 19:55:51 +00:00
Eric Laurent
df665c694b Allow native audio server to access the virtual device manager service
This is needed when accessing SensorManager since commit 71db5f82

Bug: 336860810
Test: make
Ignore-AOSP-First: needed on internal branch first
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:caad49e71d927e021575c3051d7d10ff7917e09c)
Merged-In: I303c6e3418ca5179c615c2c643fdf9783d323c78
Change-Id: I303c6e3418ca5179c615c2c643fdf9783d323c78
2024-05-07 00:21:30 +00:00
Devin Moore
49a4a06264 Allow crash_dump to read misctrl properties
This is used to determine if the device has been in 16k page size mode
to help debug issues with that.

Test: debuggerd_test with ro.misctl.16kb_before="1"
Bug: 335247092
Change-Id: I7b5fcd39cc5b3247d866814fbcf53299d68846c2
2024-05-06 15:40:12 +00:00
Maciej Żenczykowski
28960d319a allow non bpfloader creation of bpf maps
In practice only bpf programs are critical to device security...

Normally there is basically no use for creating bpf maps outside
of the bpfloader, since they have to be tied directly into the bpf
programs (which is only ever done by the bpfloader during the boot
process) to be of any use.

This means that bpf maps created after the bpfloader is done,
can't actually be used by any bpf code...

Hence we had this restriction.

However, map-in-map support changes this:

It becomes possible to define a boot-time (bpfloader loaded)
bpf program which accesses an (initially empty) outer map
(created by the bpfloader).

This outer map can be populated with inner maps at run time by various
bpf using userspace code.  While it can be populated with bpfloader
created 'static' maps, it also makes sense to be able to create/destroy
these inner maps on demand 'dynamically'.

This allows bpf map memory utilization to be driven by actual runtime
device needs.  For example scaling with the number of users, apps,
or connected networks.

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I93223c660463596c9e50065be819e2fd865da923
2024-05-04 11:02:13 +00:00
Treehugger Robot
07dc4933ac Merge "Add policies for hal_codec2" into main 2024-05-03 17:20:45 +00:00
Dennis Shen
2ae5d42a79 Merge "selinux: allow system server access aconfigd socket" into main 2024-05-02 23:49:25 +00:00
Kalesh Singh
5f805d057e Merge "sepolicy: Add rules for /sys/kernel/mm/pgsize_migration/enabled" into main 2024-05-02 19:38:08 +00:00
Kalesh Singh
3a4c68dd83 sepolicy: Add rules for /sys/kernel/mm/pgsize_migration/enabled
The dynamic linker needs to read this node to determine how it should
load ELF files.

Allow the node to be enabled/disabled by init.

Bug: 330117029
Bug: 327600007
Bug: 330767927
Bug: 328266487
Bug: 329803029
Test: Free Fire Chaos App launches
Test: no avc deined in logcat
Change-Id: I2b35d6aebe39bf3e1e7489b47f23a817e477ef72
2024-05-02 19:34:36 +00:00
Pawan Wagh
c9b15f596b Merge "Allow system app and update_engine to read OTA from /vendor" into main 2024-05-02 19:28:44 +00:00
Dennis Shen
62f4363b39 selinux: allow system server access aconfigd socket
During storage migration, we need to route aconfig flag write requests
from settingsprovider to aconfig storage daemon via aconfigd unix domain
socket.

Bug: b/312444587
Test: m and avd
Change-Id: I051d1ed42bf51f2ebd90cbd590237cd9213f0bde
2024-05-02 18:20:25 +00:00
Sungtak Lee
8eed41c1aa Add policies for hal_codec2
Allow hal_codec2_server to read fifo_file from hal_codec2_client
Allow hal_codec2_client to find surfaceflinger_service:service_manager.

Bug: 337356582
Test: atest CtsMediaTranscodingTestCases
Change-Id: I76b2ca7d3caf7909d9d6df424eb5f68b1a0a6f03
2024-05-02 08:22:57 +00:00
Pawan Wagh
b071882d76 Allow system app and update_engine to read OTA from /vendor
Introuducing vendor_boot_ota_file which will be used to allow
reading OTAs from /vendor/boot_otas when BOARD_16K_OTA_MOVE_VENDOR := true
is set. These OTAs will be read from settings app(system_app) and update
engine.

Test: m, m Settings && adb install -r $ANDROID_PRODUCT_OUT/system_ext/priv-app/Settings/Settings.apk
Bug: 335022191
Change-Id: Ie42e0de12694ed74f9a98cd115f72d207f67c834
2024-05-02 01:14:47 +00:00
Ellen Arteca
c1508ec794 Add read permission to storage_area_keys to installd
Installd needs the read permission on storage area
key directories. This only comes up in testing when the tests
are rerun on the same device.

Bug: 325129836
Test: atest StorageAreaTest
Change-Id: I74c776c52d66492552aaf8b61c7591fb19194f7a
2024-05-01 17:49:26 +00:00
Treehugger Robot
77a8ac9ab4 Merge "Allow shell read access to cgroup state" into main 2024-04-30 20:54:07 +00:00
Ellen Arteca
7dd36bbb29 Merge "Add SELinux policy for storage areas" into main 2024-04-30 20:32:53 +00:00
Ellen Arteca
27b515e70a Add SELinux policy for storage areas
We are adding the ability for apps to create "storage areas", which are
transparently encrypted directories that can only be opened when the
device is unlocked.
This CL makes the required SELinux policy changes.

First, assign the type "system_userdir_file" to the new top-level
directory /data/storage_area (non-recursively).  This is the same type
used by the other top-level directories containing app data, such as
/data/user, and it restricts access to the directory in the desired way.

Second, add new types to represent an app's directory of storage areas,
the storage areas themselves, and their contents:
`storage_area_app_dir`, `storage_area_dir`, and
`storage_area_content_file` respectively.
All are `app_data_file_type`s.
The directory structure and their associated labels is as follows (note
 that they also all get the categories of the user+package):
/data/storage_area/userId/pkgName
		storage_area_app_dir
/data/storage_area/userId/pkgName/storageAreaName
		storage_area_dir
/data/storage_area/userId/pkgName/storageAreaName/myFile.txt
		storage_area_content_file
/data/storage_area/userId/pkgName/storageAreaName/mySubDir
		storage_area_content_file

These new types allow us to restrict how and which processes interact
with storage areas.
The new type for the contents of storage areas allows us to add new,
desirable restrictions that we cannot add to the more general
`app_data_file` type in order to maintain backwards-compatibility,
e.g., we block apps from executing any files in their storage areas.

Third, allow:
-- vold_prepare_subdirs to create and delete
storage areas on behalf of apps, and assign them the SElinux type
`storage_area_dir`
i.e. create directories
/data/storage_area/$userId/$pkgName/$storageAreaName
-- vold to assign encryption policies to storage area directories
-- installd to create an app's directory of storage areas on app
install, and delete them on app uninstall, and assign them the SElinux
type `storage_area_app_dir`,
i.e. directories /data/storage_area/$userId/$pkgName

We also add a new SELinux type to represent the storage area encryption
keys: `storage_area_key_file`.
The keys are created by vold on storage area creation, and deleted
either by vold if an app calls
the `deleteStorageArea` API function explicitly, or by installd on
app uninstall.
These keys are stored in `/data/misc_ce/$userId/storage_area_keys`,
and only installd and vold have access to them.

Bug: 325121608
Test: atest StorageAreaTest
Change-Id: I74805d249f59226fc6963693f682c70949bfad93
2024-04-30 20:26:55 +00:00
Suren Baghdasaryan
32342bf854 Merge "lmkd: Add ro.lmkd.lowmem_min_oom_score property policies" into main 2024-04-30 20:08:35 +00:00
Suren Baghdasaryan
5c5ff28912 lmkd: Add ro.lmkd.lowmem_min_oom_score property policies
Add policies to control ro.lmkd.lowmem_min_oom_score lmkd property.

Test: m
Bug: 334867461
Change-Id: I6a84d2d045fee431173374aab174e50f493e1858
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2024-04-30 11:40:12 -07:00
Treehugger Robot
e7bdf818fc Merge "Allow shell read access to MGLRU state" into main 2024-04-30 16:34:04 +00:00
T.J. Mercier
716260ac6b Allow shell read access to cgroup state
at /proc/cgroups.

Test: adb shell cat /proc/cgroups
Bug: 335278695
Change-Id: I52773c63200a2a048a4c5497c338ddcbe0f23593
2024-04-29 14:59:03 +00:00
Treehugger Robot
66e2d56170 Merge "add internal vmlauncher into seapp_contexts" into main 2024-04-29 08:49:13 +00:00
Jeongik Cha
f256b80c2b add internal vmlauncher into seapp_contexts
Bug: 336718836
Test: build & run
Change-Id: I3d746eefef6971b3378dcb3e9a70a0da88f9702d
2024-04-29 16:17:27 +09:00
Victor Hsieh
6543cf9843 Allow priv_app to measure fs-verity on tmp apk files
An APK installing with .idsig gets fs-verity enabled during the package
install. As a step of package install, a package verifier may inspect
the APK. A v4 signature check requires calling FS_IOC_MEASURE_VERITY.
This change gives priv_app the permission (which appdomain already has).

Bug: 337307333
Test: no longer seeing the verifier error
Change-Id: I49b721f229c30677f633dc1e425022ac54801668
2024-04-26 13:04:00 -07:00
T.J. Mercier
12878e5f13 Allow shell read access to MGLRU state
at /sys/kernel/mm/lru_gen/enabled. This can be inferred without reading
the file anyways. Writes remain restricted to init.

Test: adb shell cat /sys/kernel/mm/lru_gen/enabled
Bug: 335516770
Change-Id: Ibc8d86f932ecad21c6a07b44aad3517c22fa7843
2024-04-26 19:30:17 +00:00
William Loh
38b57bcc47 Add policy for /data/app-metadata
Bug: 336618214
Test: manual
Change-Id: If2da435f6622c6bc28a867c9a70e8efafe6524b0
2024-04-25 04:06:45 +00:00
Martin Liu
13f4811f5e Allow vendor init to access compaction_proactiveness
Bug: 330670954
Test: boot
Change-Id: Id274910e84d36cb662cea45d3b701c5fecada327
Merged-In: Id274910e84d36cb662cea45d3b701c5fecada327
Signed-off-by: Martin Liu <liumartin@google.com>
2024-04-23 11:18:28 +00:00
Treehugger Robot
7ea1dd6dd1 Merge "c2: add default1 and default2" into main 2024-04-20 00:07:33 +00:00