To remove bad context names, two contexts are added.
- telephony_config_prop
- telephony_status_prop
exported_radio_prop, exported2_radio_prop are removed. Cleaning up
exported3_radio_prop will be a follow-up task.
Exempt-From-Owner-Approval: cherry-pick
Bug: 152471138
Bug: 155844385
Test: boot and see no denials
Test: usim works on blueline
Change-Id: Iff9a4635c709f3ebe266cd811df3a1b4d3a242c2
Merged-In: Iff9a4635c709f3ebe266cd811df3a1b4d3a242c2
(cherry picked from commit 4d36eae8af)
Exported properties init.svc.* were world-readable, so making them
world-readable again to fix selinux denials.
Bug: 157474281
Test: m selinux_policy
Change-Id: I6d5a28b68061896e9cd2584c47aa60f6d36ed53f
1) build_odm_prop and build_vendor_prop are added
These contexts will contain world-readable properties from
/odm/build.prop and /vendor/build.prop, respectively.
2) move more properties to build_prop
Following properties are set by /system/build.prop and now assigned as
build_prop:
- ro.adb.secure
- ro.build.type
- ro.product.cpu.abi
- ro.product.cpu.abilist
- ro.product.cpu.abilist32
- ro.product.cpu.abilist64
- ro.secure
Following properties are set by init/property_service.cpp and now
assigned as build_prop:
- ro.product.brand
- ro.product.device
- ro.product.manufacturer
- ro.product.model
- ro.product.name
Bug: 71814576
Bug: 155844385
Test: boot device and see no denials
Change-Id: Idd4f81de4d2d0fc4bdec2d7ecb08bb8e078dab58
Add a neverallow to prevent coredomain from accessing entrypoint for
files other than system_file_type and postinstall_file. Add the
complementary neverallow to prevent domains other than coredomain from
accessing entrypoint for files other than vendor_file_type and
init_exec (for vendor_init).
Bug: 155124994
Test: build
Change-Id: I6e0cb7fb445b96b82e434e949b59c299aee1ad8b
The ro.surface_flinger.* properties are using instead of configstore.
Add get_prop (domain, surfaceflinger_prop) to domain.te so that it can
be used on all systems in the same way as configstore.
Bug: 124531214
Test: read properties in java (ag/11226921)
Change-Id: Ifc8a53ea544c761d85e370e177913db91d8a33a2
public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.
Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
Adds a context for telephony related cache properties and changes
the bluetooth and system_server properties to match off of prefix
instead of exact string matches.
Test: Flashed phone with PowerManager caches enabled and verified
that the phone boots.
Change-Id: I9110192a12bb6222e49a8fb6b266d6067ef2ea92
The credstore service is a system service which backs the
android.security.identity.* Framework APIs. It essentially calls into
the Identity Credential HAL while providing persistent storage for
credentials.
Bug: 111446262
Test: atest android.security.identity.cts
Test: VtsHalIdentityTargetTest
Test: android.hardware.identity-support-lib-test
Change-Id: I5cd9a6ae810e764326355c0842e88c490f214c60
Define two property_context.
1. vendor_socket_hook_prop - for ro.vendor.redirect_socket_calls. The
property set once in vendor_init context. It's evaluated at process
start time and is cannot change at runtime on a given device. The set
permission is restricted to vendor_init. The read permission is
unrestricted.
2. socket_hook_prop - for net.redirect_socket_calls.hooked. The
property can be changed by System Server at runtime. It's evaluated when
shimmed socket functions is called. The set permission is restricted to
System Server. The read permission is unrestricted.
Bug: Bug: 141611769
Test: System Server can set net.redirect_socket_calls.hooked
libnetd_client can read both properties
libnetd_client can't set both properties
Change-Id: Ic42269539923e6930cc0ee3df8ba032797212395
As with heapprofd, it's useful to profile the platform itself on debug
builds (compared to just apps on "user" builds).
Bug: 137092007
Change-Id: I8630c20e0da9c67e4927496802a4cd9cacbeb81a
The steps involved in setting up profiling and stack unwinding are
described in detail at go/perfetto-perf-android.
To summarize the interesting case: the daemon uses cpu-wide
perf_event_open, with userspace stack and register sampling on. For each
sample, it identifies whether the process is profileable, and obtains
the FDs for /proc/[pid]/{maps,mem} using a dedicated RT signal (with the
bionic signal handler handing over the FDs over a dedicated socket). It
then uses libunwindstack to unwind & symbolize the stacks, sending the
results to the central tracing daemon (traced).
This patch covers the app profiling use-cases. Splitting out the
"profile most things on debug builds" into a separate patch for easier
review.
Most of the exceptions in domain.te & coredomain.te come from the
"vendor_file_type" allow-rule. We want a subset of that (effectively all
libraries/executables), but I believe that in practice it's hard to use
just the specific subtypes, and we're better off allowing access to all
vendor_file_type files.
Bug: 137092007
Change-Id: I4aa482cfb3f9fb2fabf02e1dff92e2b5ce121a47
Bug: 140788621
This adds keys for several planned binder caches in the system server
and in the bluetooth server. The actual cache code is not in this
tree.
Test: created a test build that contains the actual cache code and ran
some system tests. Verified that no protection issues were seen.
Change-Id: Ibaccb0c0ff8b127d14cf769ea4156f7d8b024bc1
We don't want to accidentally allow this, and a neverallow also means
that the issue will be found during development, instead of review.
Fixes: 148081219
Test: compile policy only
Change-Id: I57990a2a4ab9e5988b09dae2dd6a710ce8f53800
This patch adds the necessary rules to support the existing usage of
perf_event_open by the system partition, which almost exclusively
concerns the simpleperf profiler. A new domain is introduced for some
(but not all) executions of the system image simpleperf. The following
configurations are supported:
* shell -> shell process (no domain transition)
* shell -> debuggable app (through shell -> runas -> runas_app)
* shell -> profileable app (through shell -> simpleperf_app_runner ->
untrusted_app -> simpleperf)
* debuggable/profile app -> self (through untrusted_app -> simpleperf)
simpleperf_app_runner still enters the untrusted_app domain immediately
before exec to properly inherit the categories related to MLS. My
understanding is that a direct transition would require modifying
external/selinux and seapp_contexts as with "fromRunAs", which seems
unnecessarily complex for this case.
runas_app can still run side-loaded binaries and use perf_event_open,
but it checks that the target app is exactly "debuggable"
(profileability is insufficient).
system-wide profiling is effectively constrained to "su" on debug
builds.
See go/perf-event-open-security for a more detailed explanation of the
scenarios covered here.
Tested: "atest CtsSimpleperfTestCases" on crosshatch-user/userdebug
Tested: manual simpleperf invocations on crosshatch-userdebug
Bug: 137092007
Change-Id: I2100929bae6d81f336f72eff4235fd5a78b94066
The binder_cache_system_server_prop context allows any user to read the
property but only the system_server to write it. The only property with
this context is currently binder.cache_key.has_system_feature but users
will be added.
Bug: 140788621
Test: this was tested on an image with a binder cache implementation. No
permission issues were found. The implementation is not part of the current
commit.
Change-Id: I4c7c3ddf809ed947944408ffbbfc469d761a6043
This reverts commit f536a60407.
Reason for revert: Resubmit the CL with the fix in vendor_init.te
Bug: 144534640
Test: lunch sdk-userdebug; m sepolicy_tests
Change-Id: I47c589c071324d8f031a0f7ebdfa8188869681e9
Define a new property_context vndk_prop for ro.product.vndk.version.
It is set by init process but public to all modules.
Bug: 144534640
Test: check if ro.product.vndk.version is set correctly.
Change-Id: If739d4e25de93d9ed2ee2520408e07a8c87d46fe
Previously mediaserver could only access hidl via mediadrmserver.
Required because mediadrmserver will be removed in R.
Bug: 134787536
Bug: 144731879
Test: MediaPlayerDrmTest
Change-Id: If0ae1453251e88775a43750e24f7dac198294780
incident report contains similar data as in a bugreport, but in proto
format. Currently ro.serialno is not captured due to selinux settings.
Test: adb shell incident -p LOCAL 1000
Bug: 143372261
Change-Id: I6a89308c1347fba2ce4f7b469f9a02b119d4aeb7
Vendor can only do module load in vendor_file, which is a large area.
Changing vendor_file to vendor_file_type allows vendor to use different
labels and restrict it to smaller area.
Bug: 143338171
Change-Id: If8e0c088f2d49b7fbffff062dcae3b4084016b03
/system/bin/iorapd fork+execs into /system/bin/iorap_prefetcherd during
startup
See also go/android-iorap-security for the design doc
Bug: 137403231
Change-Id: Ie8949c7927a98e0ab757bc46230c589b5a496360
Only allow apps targetting < Q and ephemeral apps to open /dev/ashmem.
Ephemeral apps are not distinguishable based on target API. So allow
ephemeral_app to open /dev/ashmem for compatibility reasons.
For sake of simplicity, allow all domains /dev/ashmem permissions other
than "open". Reason being that once we can remove "open" access
everywhere, we can remove the device altogether along with other
permission.
Bug: 134434505
Test: boot crosshatch; browse internet, take picture;
no ashmem_device denials
Change-Id: Ie2464c23d799550722580a21b4f6f344983b43ba
Only allow apps targetting < Q and ephemeral apps to open /dev/ashmem.
Ephemeral apps are not distinguishable based on target API. So allow
ephemeral_app to open /dev/ashmem for compatibility reasons.
For sake of simplicity, allow all domains /dev/ashmem permissions other
than "open". Reason being that once we can remove "open" access
everywhere, we can remove the device altogether along with other
permission.
Bug: 134434505
Test: boot crosshatch; browse internet, take picture;
no ashmem_device denials
Change-Id: Ib4dddc47fcafb2697795538cdf055f305fa77799
This duplicated ashmem device is intended to replace ashmemd.
Ashmem fd has a label of the domain that opens it. Now with ashmemd
removed, ashmem fds can have labels other than "ashmemd", e.g.
"system_server". We add missing permissions to make ashmem fds usable.
Bug: 139855428
Test: boot device
Change-Id: Iec8352567f1e4f171f76db1272935eee59156954
Give /data itself a different label to its contents, to ensure that
only init creates files and directories there.
This change originally landed as aosp/1106014 and was reverted in
aosp/1116238 to fix b/140402208. aosp/1116298 fixes the underlying
problem, and with that we can re-land this change.
Bug: 139190159
Bug: 140402208
Test: aosp boots, logs look good
Change-Id: I1a366c577a0fff307ca366a6844231bcf8afe3bf
Remove everyone's ability to read /proc/sys/vm/overcommit_memory.
Android's jemalloc implementation no longer uses this file.
init.te had multiple rules which allowed writing to this file. Get rid of
the duplicate rule.
Bug: 140736217
Test: compiles and boots
Test: bypass setup wizard and start the browser, browse the web
Change-Id: I5a2d5f450f5dde5dd55a0cedd7fbd55a6ac0beed
