This is useful for certain tests. Note that it is already possible to
access these files without root via adb pull, since adbd has
access. Shell also already has access to non-updated APEXes on
/system/apex.
Bug: 220918654
Test: adb unroot; pm install --apex /data/apex/decompressed/X.decompressed.apex
Change-Id: I35725499365b297a64c9005c8e45325531d3991d
perfetto traced_probes executes atrace with a pipe for stdout/stderr.
That aleady works because atrace can `write` onto traced_probes's pipes.
Now traced_probes needs to invoke atrace at boot time. This revealed a
problem (I'm pretty sure it was an existing problem and it was
completely harmless):
```
02-23 22:00:41.951 605 605 I auditd : type=1400 audit(0.0:94): avc:
denied { getattr } for comm="atrace" path="pipe:[17964]" dev="pipefs"
ino=17964 scontext=u:r:atrace:s0 tcontext=u:r:traced_probes:s0
tclass=fifo_file permissive=0
```
atrace doesn't just need `write` permissions on its
stdout/stderr pipes, it also needs `getattr` permissions (probably
because of [this][1]?)
[1]: https://cs.android.com/android/platform/superproject/+/master:bionic/libc/bionic/libc_init_common.cpp;l=156;drc=7a2386bf89f9bfd4e53eba9304e4239b3fdf0d06)
Bug: 219393750
Change-Id: I53b0f60cdd763863c834a883fbb77664e528dd15
Any virtualization service client should be able to use a pipe for the
VM log fds.
We previously had some support for this in crosvm (but appdomain is
the wrong label), but not for virtualizationservice. Instead I've
centralised it in the virtualizationservice_use macro so it applies to
exactly those things that can start a VM.
I've removed read permission from crosvm; it doesn't seem to be
needed, and logically it shouldn't be.
Test: Patch in https://r.android.com/1997004, see no denials
Change-Id: Ia9cff469c552dd297ed02932e9e91a5a8cc2c13f
CompOS no longer talks directly to DICE (compos_key_helper does). odsign
no longer promotes or deletes instance CompOS files, and the key files
don't exist any more.
Bug: 218494522
Test: Manual; trigger compilation, reboot & watch odsign
Change-Id: Ibc251180122e6e4789b4be5669da3da67517b49c
Add the compos_key_helper domain for the process which has access to
the signing key, make sure it can't be crashdumped. Also extend that
protection to diced & its HAL.
Rename compos_verify_key to compos_verify, because it doesn't verify
keys any more.
Move exec types used by Microdroid to file.te in the host rather than
their own dedicated files.
Bug: 218494522
Test: atest CompOsSigningHostTest CompOsDenialHostTest
Change-Id: I942667355d8ce29b3a9eb093e0b9c4f6ee0df6c1
Because Traceur is being signed with the platform key in aosp/1961100,
the platform seinfo identifier is being added to Traceur so that SELinux
will correctly identify it as a platform app.
Bug: 209476712
Test: - Checked that Traceur can still take normal and long traces on
AOSP userdebug and internal user/userdebug.
- Checked that the Traceur app is now located in /system/app/
instead of /system/priv-app/.
Change-Id: Ibe7881d48798e3b71bb40e566fa8243cbb630b04
Merged-In: Ibe7881d48798e3b71bb40e566fa8243cbb630b04
dmesgd is a daemon that collects kernel memory error reports.
When system_server notices that a kernel error occured, it sets the
dmesgd.start system property to 1, which results in init starting
dmesgd.
Once that happens, dmesgd runs `dmesg` and parses its output to collect
the last error report. That report, together with the headers containing
device- and build-specific information is stored in Dropbox.
Empirically, dmesgd needs the following permissions:
- execute shell (for popen()) and toolbox (for dmesg),
read system_log (for dmesg)
- read /proc/version (to generate headers)
- perform Binder calls to servicemanager and system_server,
find dropbox_service (for dropbox)
- create files in /data/misc/dmesgd (to store persistent state)
Bug: 215095687
Test: run dmesgd on a user device with injected KFENCE bugs
Change-Id: Iff21a2ffd99fc31b89a58ac774299b5e922721ea
This CL updates hal_evs_default to be sufficient for the defautl EVS HAL
implementation and modifies other services' policies to be able to
communicate with EVS HAL implementations
Bug: 217271351
Test: m -j selinux_policy and Treehugger
Change-Id: I2df8e10f574d62f8b84e0ff0381656ab1b18b52f
Require all domains which can be used for BPF to be marked as
bpfdomain, and add a restriction for these domains to not
be able to use net_raw or net_admin. We want to make sure the
network stack has exclusive access to certain BPF attach
points.
Bug: 140330870
Bug: 162057235
Test: build (compile-time neverallows)
Change-Id: I29100e48a757fdcf600931d5eb42988101275325
