cgroups.json file contains cgroup information required to mount
cgroup controllers and is readable only by init process.
cgroup.rc contains cgroup map information consisting of the list of
cgroups available in the system and their mounting locations. It is
created by init process and should be readable by any processes that
uses cgroups and should be writable only by init process.
task_profiles.json file contains task profiles used to operate on
cgroups. This information should be readable by any process that uses
cgroups and should be writable only by init process.
Bug: 111307099
Test: builds, boots
Change-Id: Ib2c87c0fc3663c7fc69628f05c846519b65948b5
Merged-In: Ib2c87c0fc3663c7fc69628f05c846519b65948b5
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Some runtime properties require reboots and should be in the
native_boot namespace instead of native.
Bug: 120794191
Bug: 123524494
Test: set a property and ensure it can be read in AndroidRuntime.cpp
Change-Id: I1d1e984dcba26dd04d34a7d30fc63e1b75a8a311
Different devices can have /sys/* labeled differently. This allows
apexd, to traverse /sys directory tree agnostic of device-specific
labeling.
Bug: 122876102
Test: m selinux_policy
Change-Id: I08f2eb2242913e3a7d532d36a452cf111fd4e4c4
Installd will read one of these properties as a feature flag.
(cherry-picked from commit e59e731dd1)
Bug: 116059983
Bug: 123524494
Test: adb shell /data/nativetest64/installd_dexopt_test/installd_dexopt_test
Change-Id: I6c5c058ba316b98f58d8d08f7cb13828cf311833
Merged-In: I6c5c058ba316b98f58d8d08f7cb13828cf311833
In the kernel, sdcardfs wraps the contents of /data/media, which has
the label "media_rw_data_file". As part of this wrapping, it should
change the label to be "sdcardfs", but we've seen evidence that this
isn't always happening.
To temporarily unblock dogfooding while we continue investigating,
relax rules to allow Zygote to mount from either "sdcardfs" or
"media_rw_data_file", which as described above, are equivalant.
Bug: 123533205
Test: manual
Change-Id: Id633337095c0a3b69d9b8652bcc3327810339cf3
mini-keyctl is a binary used to load channel keys to .fsverity keyring.
This CL creates a new domain for mini-keyctl and a type for /proc/keys
and adds allow rules needed by this binary.
Bug: 112038861
Test: manual
Merged-In: I3b744d302859a02dfe63c81c7f33bb30912d7994
Change-Id: I3b744d302859a02dfe63c81c7f33bb30912d7994
Allow `otapreopt_chroot` to:
- bind-mount Bionic artifacts from the Runtime APEX
(`/postinstall/apex/com.android.runtime`) into `/postinstall/bionic/`;
- read the `/postinstall/system/bin/linker(64)` symlink to
`/postinstall/bionic/bin/linker(64)` when executing
`/postinstall/system/bin/otapreopt`.
Allow `otapreopt` (running as `postinstall_dexopt`) to:
- read directories under `/postinstall`.
Test: m otapreopt_chroot
Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 113373927
Bug: 120266448
Change-Id: I6de9df12d5fd84f1dd92798efed5f2d8b72d3ebe
init now creates two mount namespaces one for pre-apexd processes and
the other for post-apexd processes. This is to mount different files to
the same mount point at /bionic. For pre-apexd processes, the bootstrap
Bionic is mounted. For post-apexd processes, the default Bionic (from
the runtime APEX) is mounted.
Using unshare and setns, init first starts with the mount namespace for
the pre-apexd and then switches to the other mount namespace when APEXes
are ready. It then occasionally switches to pre-apexd mount namespace
when it has to re-launch a pre-apexd process (e.g. the process has
crashed, etc.)
In doing so, read access to /proc/self/ns/mnt is granted to init as
well.
Bug: 120266448
Bug: 122717176
Test: m device boots
Change-Id: Idbf15cbf5cc36b9993d718d4d887cd8f23a94666
Bootstap linker has been moved from /system/bin/linker[64] to
/system/bin/bootstrap/linker[64]. Reflect the change in file_contexts.
Existing paths are not removed since the bootstrap linker (or the
linker from the rumtime APEX) will be bind-mounted to the old path by
init.
Also label the files under /bionic which serve as mount points for
either of the bootstrap bionic or the bionic from the runtime APEX.
In addition, read access for the symlinks in /system/lib/*.so and
/system/bin/linker is granted. This is because Bionic files in the paths
are now symlinks to the corresponding mountpoints at /bionic.
Bug: 120266448
Test: device boots to the UI
Change-Id: Iea4d76eb46754b435b6c5428481cd177da8d2ee1
Dynamic_android service is a proxy running in SystemServer to the
gsi_service daemon. It provides a set of SystemApi's to manage
installation of a new system image to the device while keeping the
original system image intact.
Bug: 122929007
Test: manual; see dynamic_android service start in logcat
Change-Id: Idb9b0475677dad13b7864ca0cf6041dcab04b4e3
system/sepolicy commit ffa2b61330
introduced the runas_app SELinux domain, which changed how we perform
debugging of Android applications. This broke Android Studio's lldb.
From bugreport:
Debugging an app containing native code using ndk-gdb or Android
Studio's lldb currently fails. There is an selinux error in logcat
about a sigchld denial. Studio can still debug Java-only apps.
In Android Studio, starting the debugger on an app with native
code produces this selinux denial:
01-30 06:58:02.089 13449 13449 W lldb-server: type=1400 audit(0.0:831): avc: denied { sigchld } for scontext=u:r:untrusted_app_27:s0:c167,c256,c512,c768 tcontext=u:r:runas_app:s0:c167,c256,c512,c768 tclass=process permissive=0 app=com.android.ndktestapp
With "set enforce 0", I also see a sigstop denial:
01-30 07:31:12.209 15672 15672 I lldb-server: type=1400 audit(0.0:1290): avc: denied { sigstop } for scontext=u:r:runas_app:s0:c167,c256,c512,c768 tcontext=u:r:untrusted_app_27:s0:c167,c256,c512,c768 tclass=process permissive=1 app=com.android.ndktestapp
In gdb-server.log, Studio reports this error while trying to start lldb-server:
1548831482.091491938 GDBRemoteCommunicationServerLLGS::Handle_vAttach attempting to attach to pid 13379
1548831482.091519117 GDBRemoteCommunicationServerLLGS::AttachToProcess pid 13379
1548831482.092242956 GDBRemoteCommunicationServerLLGS::Handle_vAttach failed to attach to pid 13379: Permission denied
Using ndk-gdb (e.g. on the NdkGdbSample) produces the same sort
of selinux denial:
01-30 07:11:26.742 13926 13926 W arm64-gdbserver: type=1400 audit(0.0:833): avc: denied { sigchld } for scontext=u:r:untrusted_app_27:s0:c166,c256,c512,c768 tcontext=u:r:runas_app:s0:c166,c256,c512,c768 tclass=process permissive=0 app=com.android.developer.ndkgdbsample
If I use "setenforce 0", I see more denials logged (signal and
sigstop):
01-30 07:30:23.346 15478 15478 I arm64-gdbserver: type=1400 audit(0.0:1287): avc: denied { signal } for scontext=u:r:runas_app:s0:c166,c256,c512,c768 tcontext=u:r:untrusted_app_27:s0:c166,c256,c512,c768 tclass=process permissive=1 app=com.android.developer.ndkgdbsample
01-30 07:30:23.349 15478 15478 I arm64-gdbserver: type=1400 audit(0.0:1288): avc: denied { sigstop } for scontext=u:r:runas_app:s0:c166,c256,c512,c768 tcontext=u:r:untrusted_app_27:s0:c166,c256,c512,c768 tclass=process permissive=1 app=com.android.developer.ndkgdbsample
ndk-gdb times out and prints an error:
rprichard@cashew:/x/ndk/ndk/samples/NdkGdbSample$ /x/android-ndk-r19/ndk-gdb --launch
Redirecting gdbserver output to /tmp/gdbclient.log
...
Error: unable to connect to device.
Remote communication error. Target disconnected.: Connection reset by peer.
gdbclient.log shows that gdbserver hasn't started listening to its Unix socket yet:
rprichard@cashew:/x/ndk/ndk/samples/NdkGdbSample$ cat /tmp/gdbclient.log
Attached; pid = 14232
Normal output looks like this:
rprichard@cashew:/x/ndk/ndk/samples/NdkGdbSample$ cat /tmp/gdbclient.log
Attached; pid = 27799
Listening on Unix domain socket '/data/data/com.android.developer.ndkgdbsample/debug_socket'
Remote debugging from host 127.0.0.0
Test: compiles and builds
Bug: 123612207
Change-Id: Ia9a711cc54cc044c0817a7c17eb4506015adb393
Move all app tmpfs types to appdomain_tmpfs. These are still protected
by mls categories and DAC. TODO clean up other app tmpfs types in a
separate change.
Treble-ize tmpfs passing between graphics composer HAL and
surfaceflinger.
Bug: 122854450
Test: boot Blueline with memfd enabled.
Change-Id: Ib98aaba062f10972af6ae80fb85b7a0f60a32eee
To create symbolic link by unstrusted app raise the security
issue. To allow platform_app to create symbolic link prevent
the functionality from not working.
Fixes: 123555031
Test: atest DocumentsUITests
Bug: 123350324
Change-Id: Idb23c3e813c66bd284d42b8040deeea762f99a0f
The convention for native properties is to use _native suffix.
Bug: 123524494
Bug: 120794191
Test: set a property and ensure it can be read in AndroidRuntime.cpp
Change-Id: I69feab9be78f24d812b8f953d3ec06a5d8d18f15
Directory `/postinstall/apex` is used as a mount point for a tmpfs
filesystem during A/B OTA updates. APEX packages from the new system
partition are mounted ("activated") in subdirectories of
`/postinstall/apex`, so that they are available when `otapreopt` is
running.
Directory `/postinstall/apex` used to be of type `tmpfs` for SELinux
purposes. The new `postinstall_apex_mnt_dir` label is more
restrictive, and tightens permissions granted to `otapreopt_chroot`,
`otapreopt` (running as `postinstall_dexopt`), and `dex2oat`,
regarding the apexd logic recently added to `otapreopt_chroot`.
Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 113373927
Bug: 120796514
Change-Id: I03f0b0433d9c066a0c607f864d60ca62fc68c990
Bug: 120794191
Bug: 123524494
Test: set a property and ensure it can be read in AndroidRuntime.cpp
Change-Id: Ib37102f35e9987d3d9baff83c45571a5d632ad50
Extend the auditing of native code loading from non-priv app home
directories to user builds. Only applies to apps targeting SDK <= 28.
Bug: 111338677
Test: Builds
Change-Id: I6fbbd80626a1c87dd7ece689f9fecd7c0a1a59d6
The test was failing because of a selinux denial.
This adds the required rule.
Test: atest (previously failing CTS test passed)
Change-Id: Ieb99f9ab4c6014a3d0aa1fe6c6fb6b82fa9b7631
RcsService will die continously without the setting.
Bug: 123325711
Test: boot aosp_arm64_ab-userdebug on a blueline device
Change-Id: Ic140cb3e6466428bf62f0065c78aaf16f957f4d5
Allow netd to send network events to the NetworkStack, and allow the
NetworkStack to interact with netlink_route_socket for neighbor
monitoring.
Test: built, booted, WiFi works, no more violations
Bug: 112869080
Change-Id: If212b2897e37e9d249f81ba8139461bce461528e
It is a side channel for dumpstate and incidentd to communicate
status and get user authorization to share bugreports by calling
system_server.
Test: atest PermissionControllerTest / atest GooglePermissionControllerTest
Change-Id: I995a43a25f375e5c97dba1deb92ebe893ca8585d
Fixes build breakage:
system/sepolicy/private/traced.te:36:ERROR 'unknown type iorapd_tmpfs' at token ';' on line 43166:
Bug: 123445058
Test: build marlin-userdebug
Change-Id: Iefeba03ed2efee92fb0d61214514338c6d999bd1
(cherry picked from commit 426ff11951)
This is being done in preparation for the migration from ashmem to
memfd. In order for tmpfs objects to be usable across the Treble
boundary, they need to be declared in public policy whereas, they're
currently all declared in private policy as part of the
tmpfs_domain() macro. Remove the type declaration from the
macro, and remove tmpfs_domain() from the init_daemon_domain() macro
to avoid having to declare the *_tmpfs types for all init launched
domains. tmpfs is mostly used by apps and the media frameworks.
Bug: 122854450
Test: Boot Taimen and blueline. Watch videos, make phone calls, browse
internet, send text, install angry birds...play angry birds, keep
playing angry birds...
Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358
Merged-In: I20a47d2bb22e61b16187015c7bc7ca10accf6358
(cherry picked from commit e16fb9109c)
An app should never follow a symlink provided by another app.
Test: build, boot Taimen, install some apps, watch youtube, browse
chrome.
Bug: 123350324
Change-Id: Iedd42fe1c27d406f7f58293c20d05e1b7646d8a2
* changes:
Allow `oatpreopt_chroot` to deactivate APEX packages in `/postinstall/apex`.
Allow `oatpreopt` to run `dex2oat` from the Runtime APEX.
Allow `otapreopt_chroot` to mount APEX packages using `apexd` logic.
Bug: 123367055
Test: used Traceur to take a trace on a user build and verified the
tracepoints are in the resultant trace
Change-Id: I39e963762bf2b9f0e427ee217a3b2a246f970902
