Commit graph

744 commits

Author SHA1 Message Date
Primiano Tucci
512bdb9c1b Create directory for shell<>perfetto interaction
Users are unable to pass config files directly to
perfetto via `perfetto -c /path/to/config` and have to
resort to awkward quirks like `cat config | perfetto -c -'.
This is because /system/bin/perfetto runs in its own SELinux
domain for reasons explained in the bug.
This causes problem to test infrastructures authors. Instead
of allowing the use of /data/local/tmp which is too ill-scoped
we create a dedicated folder and allow only shell and perfetto
to operate on it.

Bug: 170404111
Test: manual, see aosp/1459023
Change-Id: I6fefe066f93f1f389c6f45bd18214f8e8b07079e
2020-10-13 21:27:27 +00:00
Yifan Hong
f5f4c1207a Revert "Add /boot files as ramdisk_boot_file."
This reverts commit 2576a2fc30.

Reason for revert: conflict with device-specific sepolicy

Bug: 170411692
Change-Id: Ie5fde9dd91b603f155cee7a9d7ef432a05dc6827
Test: pass
2020-10-08 22:13:44 +00:00
Yifan Hong
2576a2fc30 Add /boot files as ramdisk_boot_file.
/boot/etc/build.prop is a file available at first_stage_init to
be moved into /second_stage_resources.

The file is only read by first_stage_init before SELinux is
initialized. No other domains are allowed to read it.

Test: build aosp_hawk
Test: boot and getprop
Bug: 170364317
Change-Id: I0f8e3acc3cbe6d0bae639d2372e1423acfc683c7
2020-10-08 07:55:12 -07:00
Yifan Hong
73f9b6cc84 Add /second_stage_resources tmpfs.
At build time, the directory is created as an empty directory. At
runtime, init mounts tmpfs at this path to preserve files from first
stage init to second stage init.

Right now, first stage init copies the following file to this tmpfs
before switching root:
- /boot/etc/build.prop -> /second_stage_resources/boot/etc/build.prop

After init property service finishes loading all properties, this tmpfs
is umounted, and this directory is left empty.

Bug: 169169031
Test: run and init loads props properly.
Change-Id: Ic6e62b10d8aec446b51c6bc67fdc2dbc943096ba
2020-10-07 11:55:20 -07:00
Orion Hodson
76ce7f5eaa Remove policy for deprecated ART apex update scripts
Earlier changes removed the scripts for ART APEX pre- and post-install
hooks (I39de908ebe52f06f19781dc024ede619802a3196) and the associated
boot integrity checks (I61b8f4b09a8f6695975ea1267e5f5c88f64a371f), but
did not cleanup the SELinux policy.

Bug: 7456955
Test: Successful build and boot
Test: adb install com.android.art.debug && adb reboot
Change-Id: I1580dbc1c083438bc251a09994c28107570c48c5
2020-09-30 16:14:41 +01:00
Jack Yu
dd64813204 Add sepolicy to allow read/write nfc snoop log data
Bug: 153704838
Test: nfc snoop log could be accessed
Change-Id: I694426ddb776114e5028b9e33455dd98fb502f0a
2020-09-24 17:36:07 +08:00
Treehugger Robot
714e134b25 Merge changes If936c556,Ief48165c
* changes:
  Add permissions required for new DMA-BUF heap allocator
  Define a new selinux label for DMABUF system heap
2020-09-21 17:59:16 +00:00
Yifan Hong
38a901df56 Revert "Add modules partition"
Revert submission 1413808-modules_partition

Reason for revert: modules partition no longer needed
Reverted Changes:
Iceafebd85:Add modules partition
I2fa96199a:rootdir: Add modules directory
Ie397b9ec6:Add modules partition.
I4200d0cf5:fastboot: add modules partition

Bug: 163543381

Change-Id: I613d4efa346b217e0131b14424bc340ad643e1d6
2020-09-15 19:08:24 +00:00
Hridya Valsaraju
a7cd26e664 Define a new selinux label for DMABUF system heap
Define the label dmabuf_system_heap_device for /dev/dma_heap/system.
This the default DMA-BUF heap that Codec2 will use one ION is
deprecated.
Test: video playback without denials with DMA-BUF heaps enabled
Bug: 168333162

Change-Id: Ief48165cd804bde00e1881a693b5eb44a45b633b
2020-09-11 14:27:41 -07:00
Yifan Hong
648d956cc0 Add modules partition
Add updateable_module_file that describes all files under /modules. If
more directories (e.g. /modules/apex etc.) are added in the future,
separate labels should be applied to them.

Bug: 163543381
Test: on CF check /proc/mounts

Change-Id: Iceafebd85a2ffa47a73dce70d268d8a6fb5a5103
2020-09-08 16:35:51 -07:00
Yi Kong
fbb6546cbd Merge "Policies for profcollectd" 2020-09-08 13:44:17 +00:00
Yi Kong
4555123090 Policies for profcollectd
Bug: 79161490
Test: run profcollect with enforcing
Change-Id: I19591dab7c5afb6ace066a3e2607cd290c0f43a6
2020-09-08 12:29:47 +00:00
Colin Cross
da4e51b71f Add shell_test_data_file for /data/local/tests
Add a domain for /data/local/tests which will be used by atest
to execute tests on devices as shell or root.

Bug: 138450837
Test: atest binderVendorDoubleLoadTest memunreachable_unit_test memunreachable_binder_test
Change-Id: Ia34314bd9430e21c8b3304ac079e3d9b5705e19c
2020-09-01 11:17:19 -07:00
Gavin Corkery
ed62b31812 Selinux policy for new userspace reboot logging dir
Add userspace_reboot_metadata_file, which is written to by init,
and read by system server. System server will also handle the
deletion policy and organization of files within this directory,
so it needs additional permissions.

Test: Builds
Bug: 151820675
Change-Id: Ifbd70a6564e2705e3edf7da6b05486517413b211
2020-08-26 21:00:09 +01:00
Chris Weir
f5f23b7e03 Merge "Enable CAN HAL Configuration Service" 2020-08-13 16:18:27 +00:00
Janis Danisevskis
ff98459989 Prepare sepolicy for launching Keystore 2.0 service
This patch labels /system/bin/keystore2 as a keystore executable and
allows keystore to register "system.security.keystore2" with the service
manager.

Bug: 160623310
Test: None
Change-Id: I1812e565438c2b8ae55c8d10bcc8450d27717697
2020-08-10 14:40:20 -07:00
Janis Danisevskis
c40681f1b5 Add libselinux keystore_key backend.
We add a new back end for SELinux based keystore2_key namespaces.
This patch adds the rump policy and build system infrastructure
for installing keystore2_key context files on the target devices.

Bug: 158500146
Bug: 159466840
Test: None
Change-Id: I423c9e68ad259926e4a315d052dfda97fa502106
Merged-In: I423c9e68ad259926e4a315d052dfda97fa502106
2020-08-05 16:11:48 +00:00
chrisweir
7063650dbb Enable CAN HAL Configuration Service
Enable the CAN HAL configuration service to start on boot.

Bug: 142653776
Test: Manual
Change-Id: If4180ab729cf92be05ab817ae1fb27d3151d32f9
2020-07-24 14:43:31 -07:00
Yifan Hong
dc9c4561f5 Correct labels on files / props in odm_dlkm.
All files under odm_dlkm are tagged vendor_file.
All build props for odm_dlkm are mapped as build_vendor_prop.

Test: build and
    `ls /odm_dlkm -lZ`
    `adb shell getprop -Z | grep odm_dlkm`

Bug: 154633114

Change-Id: Ifca69d0b7a8da945910a9cb0fa907735cd866f12
2020-07-15 17:16:40 -07:00
Yifan Hong
85aba14765 Correct labels on files / props in vendor_dlkm.
All files under vendor_dlkm are tagged vendor_file.
All build props for vendor_dlkm are mapped as build_vendor_prop.

Test: build and
    `ls /vendor_dlkm -lZ`
    `adb shell getprop -Z | grep vendor_dlkm`

Bug: 154633114

Change-Id: Ie9dc26d948357767fec09aca645606310ad3425c
2020-07-09 15:02:00 -07:00
Jooyung Han
8c18009ae2 allow apexd to mount apex-info-list.xml file
apexd runs in two separate mount namespaces: bootstrap & default.
To support separate apex-info-list.xml for each mount namespaces, apexd
needs to emit separate .xml file according to the mount namespace and
then bind-mount it to apex-info-list.xml file.

Bug: 158964569
Test: m & boot
      nsenter -m/proc/1/ns/mnt -- ls -lZ /apex/apex-info-list.xml
      nsenter -m/proc/2/ns/mnt -- ls -lZ /apex/apex-info-list.xml
      => shows the label apex_info_file correctly
Change-Id: I25c7445da570755ec489edee38b0c6af5685724b
2020-07-02 22:22:05 +09:00
Justin Yun
088587886c Label /system_ext/lib(64)/* as system_lib_file
This needs to be updated to api 30.0 which introduced the system_ext.

Bug: 160314910
Test: build and boot
Change-Id: I08c4aed640467d11482df08613039726e7395be0
2020-07-02 04:07:12 +00:00
Yi Kong
239c85dd0d Add sepolicy for profcollectd
This does not yet list all the required capabilities for profcollectd,
but it at least allows the service to start under permissive mode.

Bug: 79161490
Test: start profcollectd
Change-Id: I92c6192fa9b31840b2aba26f83a6dc9f9e835030
2020-07-01 23:44:37 +08:00
linpeter
87c7261f0a sepolicy: label vendor_service_contexts as vendor_service_contexts_file
Due to AIDL HAL introduction, vendors can publish services
with servicemanager. vendor_service_contexts is labeled as
vendor_service_contexts_file, not nonplat_service_contexts_file.
And pack it to vendor partition.

Bug: 154066722

Test: check file label
Change-Id: Ic74b12e4c8e60079c0872b6c27ab2f018fb43969
2020-06-15 17:09:46 +08:00
Mohammad Samiul Islam
476d616e43 Create sepolicy for allowing system_server rw in /metadata/staged-install
Bug: 146343545
Test: presubmit
Change-Id: I4a7a74ec4c5046d167741389a40da7f330d4c63d
Merged-In: I4a7a74ec4c5046d167741389a40da7f330d4c63d
(cherry picked from commit be5c4de29f)
2020-06-03 10:59:02 +01:00
Jiyong Park
93a99cf8fc Introduce apex_info_file type
/apex/apex-info-file.xml is labeled as apex_info_file. It is
created/written by apexd once by apexd, and can be read by zygote and
system_server. The content of the file is essentially the same as the
return value of getAllPackages() call to apexd.

Bug: 154823184
Test: m
Merged-In: Ic6af79ddebf465b389d9dcb5fd569d3a786423b2
(cherry picked from commit f1de4c02cc)
Change-Id: Ic6af79ddebf465b389d9dcb5fd569d3a786423b2
2020-05-27 09:35:11 +09:00
Luca Stefani
ddcbbd7644 Escape '.' in com.android.permission
Change-Id: I83d7f81855b0facee3a07ad6fd2068e5e114db30
2020-04-10 19:22:50 +00:00
Peter Collingbourne
e432c093b7 Merge "Update sepolicy to account for crash_dump move." 2020-03-30 19:03:42 +00:00
Steven Moreland
e4f0ccf29c Add rules for hidl_lazy_test*
eng/userdebug rules added for integration testing of hidl_lazy_test,
similar to aidl_lazy_test.

This is required in sepolicy since the test requires defining a service
in an init.rc file, and so there needs to be sepolicy for init to start
this service.

Bug: 148114689
Test: hidl_lazy_test
Change-Id: Id6549cbb89b62d3f6de1ae2690ce95c3e8656f66
2020-03-24 18:34:58 -07:00
Alistair Delva
d5a222d75a Merge "Add gnss_device dev_type" 2020-03-23 18:58:59 +00:00
Songchun Fan
19a5cc2bab [sepolicy] remove vendor_incremental_module from global sepolicy rules
(Cherry-picking)

Moving to coral-sepolicy

BUG: 150882666
Test: atest PackageManagerShellCommandIncrementalTest
Merged-Id: I55f5d53ee32d0557e06c070961526631e1bb1fc5
Change-Id: Ia9c4d8240787b0d2b349764cac9d61b9d8731fa2
2020-03-19 16:31:44 -07:00
Jeffrey Huang
94452b2a50 Merge "Allow statsd to access a new metadata directory" 2020-03-18 22:22:24 +00:00
Peter Collingbourne
a7179b5668 Update sepolicy to account for crash_dump move.
Bug: 135772972
Change-Id: I740954a20656f69b00d75f804fd898179b6df878
Merged-In: I740954a20656f69b00d75f804fd898179b6df878
2020-03-18 10:38:40 -07:00
Alistair Delva
1a3ee382ec Add gnss_device dev_type
This grants default access to the new GNSS subsystem for Linux to the
GNSS HAL default implementation. The GNSS subsystem creates character
devices similar to ttys but without much unneeded complexity. The GNSS
device class is specific to location use cases.

Bug: 151670529
Change-Id: I03b27aa5bbfdf600eb830de1c8748aacb9bf4663
2020-03-17 20:25:51 +00:00
Jeffrey Huang
687aa037f6 Allow statsd to access a new metadata directory
Test: m -j
Bug: 149838525
Change-Id: I8633d21feb827c67288eb2894bafae166b103f92
2020-03-04 15:09:54 -08:00
Keun-young Park
aa6dba2770 Merge "Add resize2fs to fsck_exec file context" 2020-02-27 03:02:02 +00:00
Keun young Park
e6e5f32ea0 Add resize2fs to fsck_exec file context
- This allows init to access it.

Bug: 149039306
Test: Flash and confirm that file system can run resize2fs when metadata_csum is enabled.
Change-Id: Id91d8fb6800b254b12eaf93a0e8cb019b55d2702
2020-02-25 08:37:35 -08:00
Changyeon Jo
17b38d526d Update automotive display service rules
This change updates sepolicies for automotive display service to make it
available to the vendor processes.

Bug: 149017572
Test: m -j selinux_policy
Change-Id: I48708fe25e260f9302e02749c3777c0ca0d84e4b
Signed-off-by: Changyeon Jo <changyeon@google.com>
2020-02-25 02:02:54 +00:00
Roshan Pius
0f6852b342 Merge "sepolicy(wifi): Allow wifi service access to wifi apex directories" 2020-02-22 03:56:55 +00:00
Roshan Pius
8f84cc32a8 sepolicy(wifi): Allow wifi service access to wifi apex directories
Bug: 148660313
Test: Compiles
Change-Id: I4a973c4516fda5f96f17f82cd3a424b0ca89004b
2020-02-21 10:40:32 -08:00
Igor Murashkin
e39f8d23ed sepolicy: policies for iorap.inode2filename
binary transitions are as follows:

iorapd (fork/exec) -> iorap.cmd.compiler (fork/exec) -> iorap.inode2filename

Bug: 117840092
Test: adb shell cmd jobscheduler run -f android 28367305
Change-Id: I4249fcd37d2c8cbdd0ae1a0505983cce9c7fa7c6
2020-02-20 16:38:17 -08:00
David Zeuthen
1948c11d13 Merge "Add SELinux policy for credstore and update for IC HAL port from HIDL to AIDL." 2020-02-19 21:14:40 +00:00
David Zeuthen
02bf814aa2 Add SELinux policy for credstore and update for IC HAL port from HIDL to AIDL.
The credstore service is a system service which backs the
android.security.identity.* Framework APIs. It essentially calls into
the Identity Credential HAL while providing persistent storage for
credentials.

Bug: 111446262
Test: atest android.security.identity.cts
Test: VtsHalIdentityTargetTest
Test: android.hardware.identity-support-lib-test
Change-Id: I5cd9a6ae810e764326355c0842e88c490f214c60
2020-02-19 13:46:45 -05:00
Treehugger Robot
281afd81fa Merge "Fixup dalvikcache_data_file on external storage." 2020-02-17 14:34:33 +00:00
Martijn Coenen
4c43eeac63 Fixup dalvikcache_data_file on external storage.
The label also needs to be applied in case of the new 2-level deep
app-data directories.

Bug: 149396179
Bug: 148844589
Test: atest AdoptableHostTest

Change-Id: I0f6f41df54e6f74696039b41b4a0c7e5aae1fd84
2020-02-17 13:56:23 +01:00
Mark Salyzyn
79f9ca6789 bootstat: enhance last reboot reason property with file backing
Helps with support of recovery and rollback boot reason history, by
also using /metadata/bootstat/persist.sys.boot.reason to file the
reboot reason.  For now, label this file metadata_bootstat_file.

Test: manual
Bug: 129007837
Change-Id: Id1d21c404067414847bef14a0c43f70cafe1a3e2
2020-02-14 13:30:21 -08:00
Songchun Fan
b1512f3ab7 new label for incremental control files
Test: manual with incremental installation
Test: coral:/data/incremental/MT_data_incremental_tmp_1658593565/mount # ls -lZ .pending_reads
Test: -rw-rw-rw- 1 root root u:object_r:incremental_control_file:s0  0 1969-12-31 19:00 .pending_reads
BUG: 133435829
Change-Id: Ie090e085d94c5121bf61237974effecef2dcb180
2020-02-13 12:52:51 -08:00
Jerry Chang
e8b7cecad3 Merge "sepolicy: new prereboot_data_file type" 2020-02-11 02:49:29 +00:00
Songchun Fan
99d9374760 selinux rules for loading incremental module
Defining incremental file system driver module, allowing vold to load
and read it.

=== Denial messages ===
02-04 16:48:29.193   595   595 I Binder:595_4: type=1400 audit(0.0:507): avc: denied { read } for name="incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=file permissive=1
02-04 16:48:29.193   595   595 I Binder:595_4: type=1400 audit(0.0:508): avc: denied { open } for path="/vendor/lib/modules/incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=file permissive=1
02-04 16:48:29.193   595   595 I Binder:595_4: type=1400 audit(0.0:509): avc: denied { sys_module } for capability=16 scontext=u:r:vold:s0 tcontext=u:r:vold:s0 tclass=capability permissive=1
02-04 16:48:29.193   595   595 I Binder:595_4: type=1400 audit(0.0:510): avc: denied { module_load } for path="/vendor/lib/modules/incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=system permissive=1

Test: manual
BUG: 147371381
Change-Id: I5bf4e28c28736b4332e7a81c344ce97ac7278ffb
2020-02-07 09:52:34 -08:00
Jerry Chang
5594f307c8 sepolicy: new prereboot_data_file type
This adds the type and permissions for dumping and appending prereboot
information.

Bug: 145203410
Test: Didn't see denials while dumping and appending prereboot info.
Change-Id: Ic08408b9bebc3648a7668ed8475f96a5302635fa
2020-02-07 10:22:47 +08:00
Yifan Hong
28d5e87d39 Merge "snapshotctl better logging" 2020-02-04 22:18:33 +00:00
Yifan Hong
589bb6f369 snapshotctl better logging
Test: snapshotctl merge --log-to-file
Bug: 148818798
Change-Id: I0e9c8ebb6632a56670a566f7a541e52e0bd24b08
2020-02-04 10:09:24 -08:00
Songchun Fan
f09db16c56 [selinux] properly labeling dirs under /data/incremental
Setting files and dirs under /data/incremental as apk_data_file, so that
they will have the same permissions as the ones under /data/app.

Current layout of the dirs:
1. /data/incremental/[random]/mount -> holds data files (such as base.apk) and
control files (such as .cmd). Its subdirectory is first bind-mounted to
/data/incremental/tmp/[random], eventually bind-mounted to
/data/app/~~[randomA]/[packageName]-[randomB].

2. /data/incremental/[random]/backing_mount -> hold incfs backing image.

3. /data/incremental/tmp/[random] -> holds temporary mountpoints (bind-mount targets)
during app installation.

Test: manual
Change-Id: Ia5016db2fa2c7bad1e6611d59625731795eb9efc
2020-02-03 14:28:37 -08:00
Jon Spivack
499e0173b5 Merge "Revert^2 "Move aidl_lazy_test_server to system_ext"" 2020-01-31 00:04:08 +00:00
Jon Spivack
988e381b6b Revert^2 "Move aidl_lazy_test_server to system_ext"
4eae75c9d4

Reason for revert: This undoes the previous reversion, which was made to fix b/148282665.

Change-Id: I70d6e60a0468abea19f5efd7fde10207a251cf61
2020-01-29 02:09:34 +00:00
Zimuzo Ezeozue
5119becf5d Merge "Grant vold, installd, zygote and apps access to /mnt/pass_through" 2020-01-28 22:26:58 +00:00
Zim
fcf599c89c Grant vold, installd, zygote and apps access to /mnt/pass_through
/mnt/pass_through was introduced to allow the FUSE daemon unrestricted
 access to the lower filesystem (or sdcardfs).

At zygote fork time, the FUSE daemon will have /mnt/pass_through/0
bind mounted to /storage instead of /mnt/user/0. To keep /sdcard
(symlink to /storage/self/primary) paths working, we create a
'self' directory  with an additional 'primary' symlink to
/mnt/pass_through/0/emulated/0 which is a FUSE mount point.

The following components need varying sepolicy privileges:

Vold: Creates the self/primary symlink and mounts the lower filesystem
on /mnt/pass_through/0/emulated. So needs create_dir and mount access
+ create_file access for the symlink

zygote: In case zygote starts an app before vold sets up the paths.
This is unlikely but can happen if the FUSE daemon (a zygote forked app)
is started before system_server completes vold mounts.
Same sepolicy requirements as vold

installd: Needs to clear/destroy app data using lower filesystem
mounted on /mnt/pass_through so needs read_dir access to walk
/mnt/pass_through

priv_app (FUSE daemon): Needs to server content from the lower
filesystem mounted on /mnt/pass_through so needs read_dir access to
walk /mnt/pass_through

Bug: 135341433
Test: adb shell ls /mnt/pass_through/0/self/primary
Change-Id: I16e35b9007c2143282600c56adbc9468a1b7f240
2020-01-28 20:56:36 +00:00
Songchun Fan
7de88d73b6 Change selinux path config for oat files
We are updating apps' apk path to have a two-level structure.
Default apk path of an installed app:
Before: /data/app/[packageName]-[randomString]/base.apk
After: /data/app/[randomStringA]/[packageName]-[randomStringB]/base.apk

As a result, the oat files will be two levels below /data/app.

Test: manual
BUG: 148237378
Change-Id: If8e1fed46096f2e5f4150f6eedf74af76ac9d4b4
2020-01-28 10:33:13 -08:00
Jon Spivack
5f11b2e0ed Merge "Revert "Move aidl_lazy_test_server to system_ext"" 2020-01-25 21:29:45 +00:00
Jon Spivack
4eae75c9d4 Revert "Move aidl_lazy_test_server to system_ext"
Revert submission 1209453-aidl-lazy-presubmit

Reason for revert: b/148282665. A test has begun to fail on git_stage-aosp-master, and I need to verify whether these changes are responsible.

Reverted Changes:
Ib09a2460e: Add aidl_lazy_test to general-tests
Ib08989356: Move aidl_lazy_test_server to system_ext
I694e6ad35: Add aidl_lazy_test_server to Cuttlefish
I65db12c63: Add aidl_lazy_test to presubmit
I7ec80a280: Dynamically stop services with multiple interfaces...

Change-Id: I55f6b0f7800f348259787f62c6faa19a90f8bdcc
2020-01-25 02:55:04 +00:00
Jon Spivack
65028a3609 Merge "Move aidl_lazy_test_server to system_ext" 2020-01-24 01:30:49 +00:00
Jon Spivack
eb57c756c2 Move aidl_lazy_test_server to system_ext
This allows it to be installed and run during presubmit.

Bug: 147380480
Test: aidl_lazy_test
Change-Id: Ib08989356d02f2bf041d0780ec6c5bf65899c597
2020-01-22 17:36:05 -08:00
Ryan Savitski
67a82481f8 initial policy for traced_perf daemon (perf profiler)
The steps involved in setting up profiling and stack unwinding are
described in detail at go/perfetto-perf-android.

To summarize the interesting case: the daemon uses cpu-wide
perf_event_open, with userspace stack and register sampling on. For each
sample, it identifies whether the process is profileable, and obtains
the FDs for /proc/[pid]/{maps,mem} using a dedicated RT signal (with the
bionic signal handler handing over the FDs over a dedicated socket). It
then uses libunwindstack to unwind & symbolize the stacks, sending the
results to the central tracing daemon (traced).

This patch covers the app profiling use-cases. Splitting out the
"profile most things on debug builds" into a separate patch for easier
review.

Most of the exceptions in domain.te & coredomain.te come from the
"vendor_file_type" allow-rule. We want a subset of that (effectively all
libraries/executables), but I believe that in practice it's hard to use
just the specific subtypes, and we're better off allowing access to all
vendor_file_type files.

Bug: 137092007
Change-Id: I4aa482cfb3f9fb2fabf02e1dff92e2b5ce121a47
2020-01-22 22:04:01 +00:00
Haoxiang Li
741b9cd5ac Sepolicy update for Automotive Display Service
Bug: 140395359
Test: make sepolicy -j
Change-Id: Ib6ddf55210d8a8ee4868359c88e3d177edce9610
Signed-off-by: Changyeon Jo <changyeon@google.com>
2020-01-21 18:43:27 +00:00
Treehugger Robot
4f0bf97b41 Merge "Add policies for permission APEX data directory." 2020-01-17 23:45:54 +00:00
Jing Ji
2b12440ff7 Add rules for an unix domain socket for system_server
System_server will listen on incoming packets from zygotes.

Bug: 136036078
Test: atest CtsAppExitTestCases:ActivityManagerAppExitInfoTest
Change-Id: I42feaa317615b90c5277cd82191e677548888a71
2020-01-16 16:09:48 -08:00
Hai Zhang
f301cd299b Add policies for permission APEX data directory.
Bug: 136503238
Test: presubmit
Change-Id: I636ab95070df4c58cf2c98b395d99cb807a7f243
2020-01-16 16:08:55 -08:00
Ryan Savitski
ffa0dd93f3 perf_event: rules for system and simpleperf domain
This patch adds the necessary rules to support the existing usage of
perf_event_open by the system partition, which almost exclusively
concerns the simpleperf profiler. A new domain is introduced for some
(but not all) executions of the system image simpleperf. The following
configurations are supported:
* shell -> shell process (no domain transition)
* shell -> debuggable app (through shell -> runas -> runas_app)
* shell -> profileable app (through shell -> simpleperf_app_runner ->
                            untrusted_app -> simpleperf)
* debuggable/profile app -> self (through untrusted_app -> simpleperf)

simpleperf_app_runner still enters the untrusted_app domain immediately
before exec to properly inherit the categories related to MLS. My
understanding is that a direct transition would require modifying
external/selinux and seapp_contexts as with "fromRunAs", which seems
unnecessarily complex for this case.

runas_app can still run side-loaded binaries and use perf_event_open,
but it checks that the target app is exactly "debuggable"
(profileability is insufficient).

system-wide profiling is effectively constrained to "su" on debug
builds.

See go/perf-event-open-security for a more detailed explanation of the
scenarios covered here.

Tested: "atest CtsSimpleperfTestCases" on crosshatch-user/userdebug
Tested: manual simpleperf invocations on crosshatch-userdebug
Bug: 137092007
Change-Id: I2100929bae6d81f336f72eff4235fd5a78b94066
2020-01-15 16:56:41 +00:00
Jon Spivack
ae2df6b5de Add aidl_lazy_test_server
This is a test service for testing dynamic start/stop of AIDL services. In order to test realistic use cases with SELinux enabled, it requires the same permissions as a regular service.

Bug: 147153962
Test: aidl_lazy_test aidl_lazy_test_1 aidl_lazy_test_2
Change-Id: Ifc3b2eaefba9c06c94f9cf24b4474107d4e26563
2020-01-07 15:11:03 -08:00
Songchun Fan
743f9eddf6 [incremental] labels for incfs and directory root
Adding two labels: "incfs" for the incremental filesystem and
"incremental_root_file" for file paths /data/incremental/*.

Doc: go/incremental-selinux

Test: manual
Change-Id: I7d45ed1677e3422119b2861dfc7b541945fcb7a2
2019-12-18 16:59:31 -08:00
Ricky Wai
5b1b423039 Allow Zygote and Installd to remount directories in /data/data
Zygote/Installd now can do the following operations in app data directory:
- Mount on it
- Create directories in it
- Mount directory for each app data, and get/set attributes

Bug: 143937733
Test: No denials at boot
Test: No denials seen when creating mounts
Change-Id: I6e852a5f5182f1abcb3136a3b23ccea69c3328db
2019-12-13 12:30:26 +00:00
Chris Weir
6ad4f3207a Merge "Modify SEPolicy to support SLCAN" 2019-12-11 21:25:14 +00:00
Kiyoung Kim
cd74ef82fd Merge "Move linker config under /linkerconfig" 2019-12-11 02:55:06 +00:00
Oli Lan
91ce5b9c22 Add type for directories containing snapshots of apex data.
This adds a new apex_rollback_data_file type for the snapshots (backups)
of APEX data directories that can be restored in the event of a rollback.

Permission is given for apexd to create files and dirs in those directories
and for vold_prepare_subdirs to create the directories.

See go/apex-data-directories for details.

Bug: 141148175
Test: Built and flashed, checked directory was created with the correct
type.

Change-Id: I94b448dfc096e5702d3e33ace6f9df69f58340fd
2019-12-09 11:16:24 +00:00
Oli Lan
79b4e1af4a Add type for APEX data directories.
This adds a new apex_module_data_file type for the APEX data directories
under /data/misc/apexdata and /data/misc_[de|ce]/<u>/apexdata.

Permission is given for vold to identify which APEXes are present and
create the corresponding directories under apexdata in the ce/de user
directories.

See go/apex-data-directories.

Bug: 141148175
Test: Built & flashed, checked directories were created.
Change-Id: I95591e5fe85fc34f7ed21e2f4a75900ec2cfacfa
2019-12-09 11:14:38 +00:00
Kiyoung Kim
00cf2fbe50 Move linker config under /linkerconfig
Currently linker config locates under /dev, but this makes some problem
in case of using two system partitions using chroot. To match system
image and configuration, linker config better stays under /linkerconfig

Bug: 144966380
Test: m -j passed && tested from cuttlefish
Change-Id: Iea67663442888c410f29f8dd0c44fe49e3fcef94
2019-12-05 12:42:29 +09:00
chrisweir
cd40aa0ab7 Modify SEPolicy to support SLCAN
SLCAN setup requires certain ioctls and read/write operations to
certain tty's. This change allows the HAL to set up SLCAN devices while
complying with SEPolicy.

In addition to adding support for SLCAN, I've also included permissions
for using setsockopt. In order for the CAN HAL receive error frames from
the CAN bus controller, we need to first set the error mask and filter
via setsockopt.

Test: manual
Bug: 144458917
Bug: 144513919
Change-Id: I63a48ad6677a22f05d50d665a81868011c027898
2019-12-04 14:06:09 -08:00
Hangyu Kuang
ee3a8ea798 MediaTranscodingService: Add sepolicy for MediaTranscodingService.
Bug:145233472
Test: Build and flash the phone.
"adb shell dumpsys -l | grep media" shows media.transcoding service.

Change-Id: I48a42e7b595754989c92a8469eb91360ab6db7c6
2019-12-02 13:57:28 -08:00
Shuo Qian
584234e8b1 Merge "Setting up SELinux policy for Emergency number database" 2019-11-27 19:14:50 +00:00
Shuo Qian
9322cb088a Setting up SELinux policy for Emergency number database
Test: Manual; https://paste.googleplex.com/6222197494382592
Bug: 136027884
Change-Id: I29214de6b5b5a62bff246c1256567844f4ce55c7
2019-11-26 12:51:02 -08:00
Igor Murashkin
9f74a428c4 sepolicy: Add iorap_prefetcherd rules
/system/bin/iorapd fork+execs into /system/bin/iorap_prefetcherd during
startup

See also go/android-iorap-security for the design doc

Bug: 137403231
Change-Id: Ie8949c7927a98e0ab757bc46230c589b5a496360
2019-10-22 12:45:46 -07:00
Treehugger Robot
f0a9150deb Merge "file_contexts: Include legacy /system/vendor paths" 2019-10-16 06:53:13 +00:00
Bill Peckham
d0dc1a057d Moving recovery resources from /system to /vendor
This change is part of a topic that moves the recovery resources from the
system partition to the vendor partition, if it exists, or the vendor directory
on the system partition otherwise. The recovery resources are moving from the
system image to the vendor partition so that a single system image may be used
with either an A/B or a non-A/B vendor image. The topic removes a delta in the
system image that prevented such reuse in the past.

The recovery resources that are moving are involved with updating the recovery
partition after an update. In a non-A/B configuration, the system boots from
the recovery partition, updates the other partitions (system, vendor, etc.)
Then, the next time the system boots normally, a script updates the recovery
partition (if necessary). This script, the executables it invokes, and the data
files that it uses were previously on the system partition. The resources that
are moving include the following.

* install-recovery.sh
* applypatch
* recovery-resource.dat (if present)
* recovery-from-boot.p (if present)

This change includes the sepolicy changes to move the recovery resources from
system to vendor. The big change is renaming install_recovery*.te to
vendor_install_recovery*.te to emphasize the move to vendor. Other changes
follow from that. The net result is that the application of the recovery patch
has the same permissions that it had when it lived in system.

Bug: 68319577
Test: Ensure that recovery partition is updated correctly.
Change-Id: If29cb22b2a7a5ce1b25d45ef8635e6cb81103327
2019-10-04 14:40:27 -07:00
Tri Vo
f53c57287d Merge "sepolicy: fix missing label on vendor_service_contexts" 2019-10-03 22:29:53 +00:00
Felix
e6a3c9929b file_contexts: Include legacy /system/vendor paths
Probably flew under the radar because Google only tests on devices that
include devices with a physical /vendor partition.

Test: "make selinux_policy", confirm correct labels on a legacy device

Change-Id: I1aa856c6e3774912d1f4c0a09bbc2d174016f59d
Signed-off-by: Felix <google@ix5.org>
2019-10-03 22:34:19 +02:00
Yifan Hong
8cbaad3e4c Merge changes Idfe99d40,I3cba28cc,Ibd53cacb
* changes:
  Add rules for snapshotctl
  dontaudit update_engine access to gsi_metadata_file.
  update_engine: rules to apply virtual A/B OTA
2019-10-03 18:58:07 +00:00
Yifan Hong
f375337cc8 Add rules for snapshotctl
snapshotctl is a shell interface for libsnapshot. After rebooting
into an updated build, on sys.boot_completed, init calls
snapshotctl to merge snapshots. In order to do that, it needs to:
  - Talk to gsid to mount and unmount COW images
  - read the current slot suffix to do checks (and avoid merging
    snapshots when it shouldn't).
  - read / write OTA metadata files to understand states of
    the snapshot
  - delete OTA metadata files once a snapshot is merged
  - collapse the snapshot device-mapper targets into a plain
    dm-linear target by re-mapping devices on device-mapper

Test: reboot after OTA, see merge completed without denials
Bug: 135752105

Change-Id: Idfe99d4004e24805d56cd0ab2479557f237c2448
2019-10-02 16:30:00 -07:00
Yifan Hong
07a99e16e4 update_engine: rules to apply virtual A/B OTA
- /data/gsi/ota/* now has the type ota_image_data_file. At runtime
  during an OTA, update_engine uses libsnapshot to talk to gsid
  to create these images as a backing storage of snapshots. These
  "COW images" stores the changes update_engine has applied to
  the partitions.
  If the update is successful, these changes will be merged to the
  partitions, and these images will be teared down. If the update
  fails, these images will be deleted after rolling back to the
  previous slot.

- /metadata/gsi/ota/* now has the type ota_metadata_file. At runtime
  during an OTA, update_engine and gsid stores update states and
  information of the created snapshots there. At next boot, init
  reads these files to re-create the snapshots.

Beside these assignments, this CL also allows gsid and update_engine
to have the these permissions to do these operations.

Bug: 135752105
Test: apply OTA, no failure
Change-Id: Ibd53cacb6b4ee569c33cffbc18b1b801b62265de
2019-10-02 12:46:47 -07:00
Treehugger Robot
977b097fbf Merge "SEPolicy changes to allow vendor BoringSSL self test." 2019-10-01 22:38:19 +00:00
Tri Vo
3e70db526e sepolicy: fix missing label on vendor_service_contexts
Vendors can publish services with servicemanager only on non-Treble
builds. vendor_service_contexts is not meant to be read by
servicemanager.

5bccbfefe4/public/servicemanager.te (22)

Bug: 141333155
Test: create /vendor/etc/selinux/vendor_service_contexts and make sure it is
correctly labeled.
Change-Id: Ib68c50e0cdb2c39f0857a10289bfa26fa11b1b3c
2019-10-01 15:23:27 -07:00
Tri Vo
b398dbb9ea Merge "sepolicy: remove ashmemd" 2019-10-01 16:22:57 +00:00
Pete Bentley
90eb9b0e04 SEPolicy changes to allow vendor BoringSSL self test.
Introduces new domain vendor_boringssl_self_test and runs
/vendor/bin/boringssl_self_test(32|64) in it. New domain
required because boringssl_self_test needs to be in
coredomain in order to reboot the device, but vendor code
may not run in coredomain.

Bug: 141150335
Test: flashall && manually verify no selinux errors logged and that
    four flag files are created in /dev/boringssl, two by the
    system self tests and two by the vendor.

Change-Id: I46e2a5ea338eddacdfd089f696295dbd16795c5a
2019-10-01 14:14:36 +01:00
Treehugger Robot
3cda2d5c2b Merge changes from topic "system_ext_sepolicy"
* changes:
  Separate system_ext_mac_permissions.xml out of system sepolicy.
  Separate system_ext_service_contexts out of system sepolicy.
  Separate system_ext_property_contexts out of system sepolicy.
  Separate system_ext_hwservice_contexts out of system sepolicy.
  Separate system_ext_seapp_contexts out of system sepolicy.
  Separate system_ext_file_contexts out of system sepolicy.
  Separate system_ext_sepolicy.cil out of system sepolicy
2019-09-28 00:28:57 +00:00
Tri Vo
bfcddbe25e sepolicy: remove ashmemd
Bug: 139855428
Test: m selinux_policy
Change-Id: I8d7f66b16be025f7cb9c5269fae6fd7540c2fdc9
2019-09-27 17:43:53 +00:00
Bowgo Tsai
a3429fcc2b Separate system_ext_mac_permissions.xml out of system sepolicy.
Bug: 137712473
Test: boot crosshatch
Test: Moving product sepolicy to system_ext and checks the file contents in
      /system_ext/etc/selinux are identical to previous contents in
      /product/etc/selinux.
Change-Id: I434e7f23a1ae7d01d084335783255330329c44e9
2019-09-26 21:29:36 +08:00
Bowgo Tsai
9823116355 Separate system_ext_service_contexts out of system sepolicy.
Bug: 137712473
Test: boot crosshatch
Change-Id: If483e7a99dc07f082dd0ecd0162a54140a3267de
2019-09-26 21:29:30 +08:00
Bowgo Tsai
1864cd02fc Separate system_ext_property_contexts out of system sepolicy.
Bug: 137712473
Test: boot crosshatch
Change-Id: I27db30edfd9948675793fdfec19081288f8017eb
2019-09-26 21:29:22 +08:00
Bowgo Tsai
241d36eedd Separate system_ext_hwservice_contexts out of system sepolicy.
Bug: 137712473
Test: boot crosshatch
Change-Id: Ic5774da74e200b9d7699ac2240a12e7616dc512a
2019-09-26 21:29:15 +08:00
Bowgo Tsai
7bc47f4ba7 Separate system_ext_seapp_contexts out of system sepolicy.
Bug: 137712473
Test: boot crosshatch
Change-Id: I2c2acbcf234861feb39834c867a4eb74c506692d
2019-09-26 21:29:05 +08:00
Bowgo Tsai
86a048d4df Separate system_ext_file_contexts out of system sepolicy.
Bug: 137712473
Test: boot crosshatch
Change-Id: I09f63771d08ad18fb41fca801dd587b086be58c7
2019-09-26 21:28:07 +08:00