Commit graph

395 commits

Author SHA1 Message Date
Tri Vo
2a510b9d98 Merge "sepolicy: allow hal_omx to access audio devices" into qt-dev
am: ab2e89a695

Change-Id: I13ba841855501390680b242e2c08bd369956f7dc
2019-05-22 16:15:40 -07:00
Tri Vo
ab2e89a695 Merge "sepolicy: allow hal_omx to access audio devices" into qt-dev 2019-05-22 21:49:49 +00:00
Alec Mouri
264eff1efe Merge "Add support_kernel_idle_timer to sepolicy" into qt-dev
am: 63ab8cd63c

Change-Id: I3edcc2b1c2e49d7222d9a90a90832ca67f9b06df
2019-05-22 14:29:22 -07:00
Tao Bao
2f205a5519 Merge changes from topic "darkboot-sepolicy" into qt-dev
am: 0ad88f096a

Change-Id: Ia3ab63ac9a6c32cdf8764d08dacab3e938cf1e3e
2019-05-22 14:28:15 -07:00
Tao Bao
60f509097a Add persist.sys.device_provisioned change to API 29 prebuilts.
am: ab8db0999c

Change-Id: Iff1c05b9144d6cbb1b2c25d60952bb78a3b0a161
2019-05-22 14:27:07 -07:00
TreeHugger Robot
63ab8cd63c Merge "Add support_kernel_idle_timer to sepolicy" into qt-dev 2019-05-22 18:47:52 +00:00
Tao Bao
0ad88f096a Merge changes from topic "darkboot-sepolicy" into qt-dev
* changes:
  Add vendor_misc_writer change to API 29 prebuilts.
  Add vendor_misc_writer.
  Add persist.sys.device_provisioned change to API 29 prebuilts.
  Set persist.sys.device_provisioned vendor-init-readable.
2019-05-22 18:35:19 +00:00
Vignesh Kulothungan
ce9fc89865 sepolicy: allow hal_omx to access audio devices
hal_omx needs to access audio devices to use OMX HW decoders and
encoders. Allow hal_omx to access audio devices.

authored-by: Banajit Goswami <bgoswami@codeaurora.org>

Bug: 133224154
Change-Id: I742c29c4105e5647ca1a7e017e311559a0567b52
(cherry picked from commit 155ca12879)
2019-05-22 10:35:16 -07:00
TreeHugger Robot
41372ad8b8 Merge "atrace: debug: allow notifying camera HAL of a change in sysprops" into qt-dev 2019-05-22 16:48:22 +00:00
Nikita Ioffe
84044e5078 selinux: Allow dumpstate send signals to vold
am: f7c3d19d29

Change-Id: I998299e0adfa91d7f6841a9c2bec5542562d9ff0
2019-05-21 13:40:41 -07:00
TreeHugger Robot
dc42fed227 Merge "Allow init to set context for super_block_device" into qt-dev 2019-05-21 20:10:56 +00:00
Hridya Valsaraju
6d66c0214f Allow init to set context for super_block_device
Fixes the following denial during boot:

[    1.358156] selinux: SELinux: Could not set context for
/dev/block/platform/soc/1d84000.ufshc/by-name/super:  Permission denied\x0a
[    1.358275] audit: type=1400 audit(951562.676:7):
avc:  denied  { relabelto } for  pid=1 comm="init" name="super"
dev="tmpfs" ino=17657 scontext=u:r:init:s0 tcontext=u:object_r:super_block_device:s0
tclass=lnk_file permissive=0

Bug: 124410201
Test: make
Change-Id: Ib6752b8a6ae4211ba8c0a7417295b8144a2fed67
Merged-In: Ib6752b8a6ae4211ba8c0a7417295b8144a2fed67
2019-05-21 16:53:39 +00:00
Tao Bao
e618874192 Add vendor_misc_writer change to API 29 prebuilts.
This is a matching change for commit 8f39cce73a ("Add
vendor_misc_writer."), which updates the prebuilts for API 29.

Bug: 132906936
Test: Build crosshatch that includes misc_writer module. Invoke
      /vendor/bin/misc_writer to write data to /misc.
Change-Id: Id12a1ed45c8cef6e4039a9dda6a1fb41f9e014de
2019-05-21 07:11:36 -07:00
Tao Bao
ab8db0999c Add persist.sys.device_provisioned change to API 29 prebuilts.
This is a matching change for commit 97d4561941 ("Set
persist.sys.device_provisioned vendor-init-readable."), which updates
the prebuilts for API 29.

Bug: 131702833
Bug: 132906936
Test: Set an init trigger that waits on `persist.sys.device_provisioned`.
      Check that there's no longer a denial.
Change-Id: I2cea3d000b7faa471fa524dcd7a3d4843ae5960f
2019-05-21 07:04:37 -07:00
Nikita Ioffe
f7c3d19d29 selinux: Allow dumpstate send signals to vold
Test: adb bugreport
Test: verified vold stacktrace is present in bugreport
Bug: 132344997
Change-Id: I0ebf7f171d854b9aaf894ccb8c7a5f68f18e692b
2019-05-21 13:03:55 +01:00
Alec Mouri
2e4dd2b6f2 Add support_kernel_idle_timer to sepolicy
Bug: 130684082
Test: boots
Change-Id: I7ee84a5ff1024162037634d6f5efe7b09557e18a
2019-05-20 10:34:40 -07:00
Ryan Savitski
37f0662413 atrace: debug: allow notifying camera HAL of a change in sysprops
Similar to aosp/961857, but enables the logging of atrace events from
the camera HAL (primarily HIDL interactions, but also a couple of ION
events).

Keeping it confined to userdebug_or_eng. Longer-term planning belongs on
b/78136428.

Not adding fwk_camera_hwservice, as it is a HIDL interface to
cameraserver (which is already covered above).

Plus slight reorganization of existing atrace.te contents, and dontaudits
to reduce logspam from denials (including pre-existing ones that were
hitting the rate limiter).

Specific denials addressed (listing HALs, finding camera HAL, notifying it):
05-15 18:07:19.684   618   618 E SELinux : avc:  denied  { list } for  scontext=u:r:atrace:s0 tcontext=u:r:hwservicemanager:s0 tclass=hwservice_manager permissive=1
05-15 18:07:19.701   618   618 E SELinux : avc:  denied  { find } for interface=android.hardware.camera.provider::ICameraProvider sid=u:r:atrace:s0 pid=10137 scontext=u:r:atrace:s0 tcontext=u:object_r:hal_camera_hwservice:s0 tclass=hwservice_manager permissive=1
05-15 18:07:19.698 10137 10137 I atrace  : type=1400 audit(0.0:273): avc: denied { call } for scontext=u:r:atrace:s0 tcontext=u:r:hal_camera_default:s0 tclass=binder permissive=1

Bug: 130543265
Tested: flashed blueline-userdebug, took a trace with perfetto, confirmed HIDL atrace slices present in camera hal trace.
Merged-In: I0f8ce989355603e41d6c05c3de07e7dd615555eb
Change-Id: I0f8ce989355603e41d6c05c3de07e7dd615555eb
(cherry picked from commit 19459a3802)
2019-05-19 16:50:59 +01:00
Ady Abraham
24f80d1d50 Merge "Add ro.surface_flinger.set_touch_timer_ms to sepolicy" into qt-dev
am: 676d9590f4

Change-Id: Iee0fd3f4844b21faabca2a25a1d045afe622424d
2019-05-17 10:45:51 -07:00
Ady Abraham
676d9590f4 Merge "Add ro.surface_flinger.set_touch_timer_ms to sepolicy" into qt-dev 2019-05-17 17:20:12 +00:00
Ady Abraham
a6ba39bde1 Add ro.surface_flinger.set_touch_timer_ms to sepolicy
Test: set ro.surface_flinger.set_touch_timer_ms from init
Bug: 131906818
Change-Id: If489ae4ac993984305f764fb172014f42c41df67
2019-05-16 14:07:32 -07:00
Ryan Savitski
fb897428f6 atrace.te: allow notifying cameraserver of a change in sysprops
This allows the atrace cmd to notify cameraserver (the host of
media.camera service) that the set of tracing-related system properties
have changed. This allows the cameraserver to notice that it might need
to enable its trace events.

The atrace cmd has the necessary permission when running as shell, but
not when it is running as the "atrace" domain (notably when exec'd by
perfetto's traced_probes).

We're adding cameraserver to the whitelist as it contains important
events for investigating the camera stack.

Example denial:
05-14 22:29:43.501  8648  8648 W atrace  : type=1400 audit(0.0:389): avc: denied { call } for scontext=u:r:atrace:s0 tcontext=u:r:cameraserver:s0 tclass=binder permissive=0

Tested: flashed blueline-userdebug, captured a perfetto trace with "camera" atrace category, confirmed that userspace atrace events are included in the trace.
Bug: 130543265
Merged-In: Ifd3fd5fd3a737c7618960343b9f89d3bf7141c94
Change-Id: Ifd3fd5fd3a737c7618960343b9f89d3bf7141c94
(cherry picked from commit 232295e8db)
2019-05-16 14:45:55 +01:00
Ian Pedowitz
94b7372534 SEPolicy Prebuilts for Q
Bug: 129943426
Test: Build
Change-Id: I3e091652fa8d1757b1f71f7559186d5b32f000d5
2019-05-14 21:42:22 -07:00
Xin Li
64a0fe3eee DO NOT MERGE - Merge pi-platform-release (PPRL.190505.001) into stage-aosp-master
Bug: 132622481
Change-Id: Iaee0bd41f640b57a58560c01708ba6ce327b46bb
2019-05-14 12:16:13 -07:00
Xin Li
9bdc97c311 DO NOT MERGE - Merge pi-dev@5234907 into stage-aosp-master
Bug: 120848293
Change-Id: I01c03ddd0caed61851b3bf5b4fbb26de15248577
2019-02-21 09:25:13 -08:00
Xin Li
27205a2847 DO NOT MERGE - Merge pi-platform-release (PPRL.190205.001) into stage-aosp-master
Bug: 124234733
Change-Id: Ic9a486e029115f3c42c1c0f139890bc744eb14bf
2019-02-12 09:53:58 -08:00
Wei Wang
c63f4c2579 Fix prebuilt policy from pi-dev
Bug: 118468011
Bug: 121439388
Test: Build
Change-Id: I208f9f5450ba72f5ed62e9d944c07e25d77ec259
2019-01-23 09:53:09 -08:00
Wei Wang
aadedb2051 Allow lmkd to renice process before killing
Bug: 118468011
Bug: 121439388
Test: mem-pressure test
Change-Id: Icf387a02243af60a3bfffba912711f037669fa7f
Merged-In: Icf387a02243af60a3bfffba912711f037669fa7f
2019-01-23 10:36:21 +08:00
Branden Archer
05477957eb Allow init to set powerctl property
NIAP certification requires that all cryptographic functions
undergo a self-test during startup to demonstrate correct
operation. init now performs this check during startup.

The self-test is forked from init. For the child process
to be able to request a reboot it needs permissions to
set the sys.powerctl property.

Bug: 119826244
Test: Built for walleye. When the BoringSSL self test was forced
      to fail the device rebooted into the bootloader, as
      expected.
Change-Id: I2108bf6c345a5804ebd1e2206f9b8fde21a58e64
Merged-In: I4171b1dd0a5e393252ae5c002171ac51c9cbb3e6
2019-01-11 15:18:38 -08:00
Tim Van Patten
3293abb67f Create System Property to Indicate ANGLE Support
Create the system property ro.gfx.angle.supported that indicates if the
device supports ANGLE.   The current planned use of this property is to
allow CTS to validate ANGLE functionality if the device indicates ANGLE
is supported.

Bug: 80239516
Test: Flash the build and verify the property is 'false' for marlin.
Test: Flash the build and verify the property is 'true' for walleye.
Change-Id: I00387db9ade34152f79d75453ea17d5ea7b063cd
2019-01-10 11:35:58 -07:00
Hector Dearman
63d07d7586 Make system_server atrace category work with traced_probes
Historically most uses of atrace happen via the shell domain.

There are two exceptions:
- boot tracing
- traced_probes

We need to get feature parity, so atrace has the same behavior
when it is invoked either via shell or from its own domain (e.g.
via traced_probes that has an auto_trans rule into atrace on exec).
Atrace works by setting system properties to enable tracing from userspace
then poking all the binder services to read the system properties (see [1]) so
enabling the system_server category requires the ability to call binder
methods on the system_server.

For more use cases see b/113127224

[1]: 9ead54bed6/cmds/atrace/atrace.cpp (545)

Bug: 113127224
Test: Add an atrace category to the Perfetto config and confirm the data
shows up.

Cherry-picked from aosp/747608

Change-Id: Id077eff960ffb1cdd7b0ce84b21ac9ef70444a4a
Merged-In: Id077eff960ffb1cdd7b0ce84b21ac9ef70444a4a
2018-09-26 18:04:51 +00:00
Tri Vo
6c32e0624f Merge "Add mapping files for 28.0.[ignore.]cil"
am: 13e60ed1fa

Change-Id: I5b19874975830ddcb2765851544eebc9848d3df4
2018-07-19 18:03:05 -07:00
Jae Shin
1fa9634896 Add mapping files for 28.0.[ignore.]cil
Steps taken to produce the mapping files:

1. Add prebuilts/api/28.0/[plat_pub_versioned.cil|vendor_sepolicy.cil]
from the /vendor/etc/selinux/[plat_pub_versioned.cil|vendor_sepolicy.cil]
files built on pi-dev with lunch target aosp_arm64-eng

2. Add new file private/compat/28.0/28.0.cil by doing the following:
- copy /system/etc/selinux/mapping/28.0.cil from pi-dev aosp_arm64-eng
device to private/compat/28.0/28.0.cil
- remove all attribute declaration statements (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 28 sepolicy.
Find all such types using treble_sepolicy_tests_28.0 test.
- for all these types figure out where to map them by looking at
27.0.[ignore.]cil files and add appropriate entries to 28.0.[ignore.]cil.

This change also enables treble_sepolicy_tests_28.0 and installs 28.0.cil
mapping onto the device.

Bug: 72458734
Test: m selinux_policy
Change-Id: I90e17c0b43af436da4b62c16179c198b5c74002c
2018-07-18 20:08:38 -07:00
Tri Vo
690de22d48 resolve merge conflicts of d07ab2fe93 to stage-aosp-master
BUG: None
Test: I solemnly swear I tested this conflict resolution.
Change-Id: I58fff9dc7826eb60520b087d08ecd931cba63bf0
2018-07-18 13:08:55 -07:00
Tri Vo
afdfeeb506 Add 28.0 prebuilts
Bug: n/a
Test: n/a
Change-Id: I11e6baaa45bcb01603fc06e8a16002727f4e5a00
2018-07-17 15:31:47 -07:00
Jeff Vander Stoep
573d333589 crash_dump: disallow ptrace of TCB components
Remove permissions.

Bug: 110107376
Test: kill -6 <components excluded from ptrace>
Change-Id: If8b9c932af03a551e40e786d591544ecdd4e5c98
Merged-In: If8b9c932af03a551e40e786d591544ecdd4e5c98
(cherry picked from commit f1554f1588)
2018-07-12 11:33:30 -07:00
Eino-Ville Talvala
fef2be8130 Merge "Make system property audio.camerasound.force a vendor-writable property," into pi-dev 2018-06-25 17:39:17 +00:00
Peiyong Lin
a0b52c6fa5 Allow SurfaceFlinger to use Power HAL.
When we have wide color gamut content, SurfaceFlinger might want to send a
PowerHint through Power Hal to boost GPU to higher frequency, to make sure GPU
composition can finish in time.

BUG: 110112323
Test: adb shell cat /sys/class/kgsl/kgsl-3d0/devfreq/cur_freq
Change-Id: If60c13aedc4ff84eaefd3430794dc15a478c5a73
(cherry picked from commit 02be5975d6)
2018-06-22 13:31:56 -07:00
Eino-Ville Talvala
d375e733fe Make system property audio.camerasound.force a vendor-writable property,
This property is read by the audio service in system server to toggle camera shutter sound
enforcement on a device-specific basis.

Test: Camera shutter sound enforcement works when audio.camerasound.force is set
Bug: 110126976
Change-Id: I2720d3c699c4712d1a328f59dde0b16bbf1016f3
2018-06-21 13:12:48 -07:00
Joel Galenson
f41d85ca64 Merge "Allow ephemeral_app to execute system_file." into pi-dev
am: 398f72e3fd

Change-Id: Ib41908cbbf800bc1f3c2c4f639ab11c4b900d638
2018-06-05 21:07:16 -07:00
TreeHugger Robot
398f72e3fd Merge "Allow ephemeral_app to execute system_file." into pi-dev 2018-06-06 03:31:50 +00:00
Tri Vo
986f9ef5f3 Merge "Revert "Remove neverallow coredomain to set vendor prop."" into pi-dev
am: c75bef086f

Change-Id: If12976c0cd028c2e4cb35323019d953221998f30
2018-06-05 19:48:45 -07:00
Tri Vo
c75bef086f Merge "Revert "Remove neverallow coredomain to set vendor prop."" into pi-dev 2018-06-06 02:07:50 +00:00
Joel Galenson
f2afca7cf0 Allow ephemeral_app to execute system_file.
Bug: 109653662
Test: Build policy.
Change-Id: I6c71a8bc24d7a144b801d16f1bcad31fb8f2aba5
2018-06-05 17:56:30 -07:00
TreeHugger Robot
c0ee12ea82 Merge "ephemeral_app: disallow access to qtaguid files" into pi-dev 2018-06-05 21:14:18 +00:00
Jeff Vander Stoep
069f3cff50 ephemeral_app: disallow access to qtaguid files
Apps targeting API version 28+ are not allowed to access:
/proc/xt_qtaguid/*
/dev/xt_qtaguid

Instant apps should also be excluded from access.

Fixes: 92796393
Test: make -j cts_instant
    cts-instant-tradefed run commandAndExit cts-instant-dev \
    -m CtsPermissionTestCases \
    --test android.permission.cts.FileSystemPermissionTest

Change-Id: Ifa27f6a3fad9227d4df1bf50a5120a4c36422ff7
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
2018-06-04 21:56:55 -07:00
Steven Moreland
1c6d0b2eb1 Merge "Add context for ro.boot.product.hardware.sku." into pi-dev
am: ce944f0294

Change-Id: I0ae38bc922a057ae0a49d4b228cb280961c0b956
2018-06-04 11:04:27 -07:00
TreeHugger Robot
ce944f0294 Merge "Add context for ro.boot.product.hardware.sku." into pi-dev 2018-06-04 17:26:58 +00:00
huans
3265c6efb2 emulator: Whitelist ro.kernel.qemu. parameters
am: 66b55782b8

Change-Id: I1315d4150230ef4e2b513c582f824bca97600d30
2018-06-04 10:14:50 -07:00
Steven Moreland
5516acc6ab Add context for ro.boot.product.hardware.sku.
This was defined, but it had no users in the Android tree.
Because of this, ODM manifests required extra sepolicy to be applied
in vendor. Before this, there was no policy split, so that was okay,
but now it is impossible.

Bug: 91735839
Test: add an odm manifest for SE conditional on
    a system property (ro.boot.product.hardware.sku)
    and make sure it is read into the manifest (using
    the vintf tool) and also that a client can get the
$ lshal | grep secure
Y android.hardware.secure_element@1.0::ISecureElement/SIM1                                  0/2        881    2262 567

Change-Id: I94a2928943be6a17416b8bbd78106809c0c21198
2018-06-01 18:23:55 -07:00
huans
66b55782b8 emulator: Whitelist ro.kernel.qemu. parameters
And ro.kernel.android.bootanim (used to en/disable boot-anim)

Bug: 79941736
Test: Manual
Change-Id: Ib486903dec92df88b4d33bad6262cbcfc2aa1c4c
2018-06-01 10:48:31 -07:00
Tri Vo
ba79e154e5 Revert "Remove neverallow coredomain to set vendor prop."
Bug: 80466516
Bug: 78598545
This reverts commit 6f6fbebcef.

Change-Id: I3c0f374b846241571b5db6f061503f0ea2d6396a
2018-06-01 16:37:38 +00:00
Tri Vo
b4fe8e1feb Remove neverallow coredomain to set vendor prop.
am: 6f6fbebcef

Change-Id: Ie793eff4736f8a9b351114c3fd9bd1bdcd22ab49
2018-05-31 17:56:37 -07:00
Jiyong Park
029f415d48 Merge "add extended_core_property_type" into pi-dev
am: d009682c2e

Change-Id: Ie821be484067f0ff5d06aac66a3b020d6e853d1a
2018-05-31 17:08:35 -07:00
Tri Vo
6f6fbebcef Remove neverallow coredomain to set vendor prop.
We are not forbidding system_writes_vendor_properties_violators in P,
i.e. this neverallow rule is not strictly enforced.

Bug: 80466516
Bug: 78598545
Test: build policy
Change-Id: Iaf0ebbd2b27adf8c48082caa874e53f32bf999fc
2018-05-31 23:46:02 +00:00
TreeHugger Robot
d009682c2e Merge "add extended_core_property_type" into pi-dev 2018-05-31 22:45:21 +00:00
Jiyong Park
c0f8f2f82a add extended_core_property_type
The attribute is used to capture system properties added from outside of
AOSP (e.g. by OEM), but are not device-specific and thus are used only
inside the system partition.

Access to the system properties from outside of the system partition
is prevented by the neverallow rule.

Bug: 80382020
Bug: 78598545
Test: m -j selinux_policy
Change-Id: I22c083dc195dab84c9c21a79fbe3ad823a3bbb46
2018-05-30 17:38:09 +09:00
Jeff Vander Stoep
b16d0e1272 Merge "Use non-expanded types in prop neverallows" into pi-dev
am: b5e493d821

Change-Id: Ib877668feb90ab58b21e5d62735f1bb03fc5eb9a
2018-05-24 16:57:07 -07:00
Joel Galenson
24b6158118 Hide bpfloader sys_admin denials.
am: d65f26f1b0

Change-Id: I0435b600f5a163089650c02417646109a97e3e56
2018-05-23 14:28:48 -07:00
TreeHugger Robot
b5e493d821 Merge "Use non-expanded types in prop neverallows" into pi-dev 2018-05-23 19:08:01 +00:00
Jeff Vander Stoep
7745770bca Use non-expanded types in prop neverallows
Using hal_foo attributes in neverallow rules does not work because
they are auto-expanded to types. Use hal_foo_server types instead.

Fixes the following error:
unit.framework.AssertionFailedError: The following errors were
encountered when validating the SELinuxneverallow rule: neverallow
{ domain -coredomain -bluetooth -hal_bluetooth } { bluetooth_prop }:
property_service set; Warning! Type or attribute hal_bluetooth used
in neverallow undefined in policy being checked.

Test: CtsSecurityHostTestCases
Bug: 80153368
Change-Id: I2baf9f66d2ff110a4f181423790a1160a6e138da
2018-05-23 10:03:15 -07:00
Joel Galenson
d65f26f1b0 Hide bpfloader sys_admin denials.
Bug: 79524845
Test: Boot device and see no denials.
Change-Id: I9316bfd0e3718818a7613a421aedff7da8c87108
2018-05-23 08:36:40 -07:00
Jordan Liu
7af4a1f110 Merge "Setup policy for downloaded apns directory" into pi-dev 2018-05-22 21:12:31 +00:00
Tom Cherry
7b8be35ddf Finer grained permissions for ctl. properties
Currently, permissions for ctl. property apply to each action verb, so
if a domain has permissions for controlling service 'foo', then it can
start, stop, and restart foo.

This change implements finer grained permissions such that permission
can be given to strictly start a given service, but not stop or
restart it.  This new permission scheme is mandatory for the new
control functions, sigstop_on, sigstop_off, interface_start,
interface_stop, interface_restart.

Bug: 78511553
Test: see appropriate successes and failures based on permissions
Merged-In: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
Change-Id: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
(cherry picked from commit 2208f96e9e)
2018-05-22 13:47:16 -07:00
Tom Cherry
e21e9e6373 Merge "Finer grained permissions for ctl. properties" into pi-dev
am: 0e403c8242

Change-Id: I778a16ae2bcc5713ba3ca1c81fd90c97b0a5d64d
2018-05-22 13:26:42 -07:00
Tom Cherry
0e403c8242 Merge "Finer grained permissions for ctl. properties" into pi-dev 2018-05-22 20:15:07 +00:00
Alan Stokes
491a095435 Remove fixed bug from bug_map.
am: c8711592ad

Change-Id: Ib622f35e8adb682c5a2b0eef9ae02857d028597c
2018-05-22 10:52:15 -07:00
Tom Cherry
2208f96e9e Finer grained permissions for ctl. properties
Currently, permissions for ctl. property apply to each action verb, so
if a domain has permissions for controlling service 'foo', then it can
start, stop, and restart foo.

This change implements finer grained permissions such that permission
can be given to strictly start a given service, but not stop or
restart it.  This new permission scheme is mandatory for the new
control functions, sigstop_on, sigstop_off, interface_start,
interface_stop, interface_restart.

Bug: 78511553
Test: see appropriate successes and failures based on permissions

Change-Id: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
2018-05-22 09:13:16 -07:00
Alan Stokes
c8711592ad Remove fixed bug from bug_map.
Bug: 77816522
Bug: 73947096

Test: Flashed device, no denial seen
Change-Id: Ib2f1fc670c9a76abbb9ff6747fec00fa5bcde5af
(cherry picked from commit 62913dbfd2)
2018-05-22 08:41:23 -07:00
Tom Cherry
bab2435a06 Merge "neverallow coredomain from writing vendor properties" into pi-dev
am: e5cc744d18

Change-Id: I66f2965200090a4ded857c6eb9ac6b79ee5b596c
2018-05-21 22:10:10 -07:00
TreeHugger Robot
e5cc744d18 Merge "neverallow coredomain from writing vendor properties" into pi-dev 2018-05-22 05:04:40 +00:00
Bowgo Tsai
eb2ff1cbdd Merge "ueventd: allow reading kernel cmdline" into pi-dev
am: fd00fd123d

Change-Id: I9421816a71b08b24f652f61dec994a153354e2df
2018-05-21 16:28:37 -07:00
TreeHugger Robot
fd00fd123d Merge "ueventd: allow reading kernel cmdline" into pi-dev 2018-05-21 23:14:38 +00:00
Niklas Lindgren
780cd6df4b Setup policy for downloaded apns directory
apns downloaded will enter a new directory that
TelephonyProvider can access.

Bug: 79948106
Test: Manual
Change-Id: I1e7660adf020dc7052da94dfa03fd58d0386ac55
Merged-In: I1e7660adf020dc7052da94dfa03fd58d0386ac55
2018-05-21 15:58:16 -07:00
Carmen Jackson
8640cffa1e Merge "Add sync and fence tracepoints to user-visible list of tracepoints." into pi-dev
am: 09648d9ae3

Change-Id: I1821400703aa5dc41a485d3430946345978045c0
2018-05-21 14:12:20 -07:00
TreeHugger Robot
09648d9ae3 Merge "Add sync and fence tracepoints to user-visible list of tracepoints." into pi-dev 2018-05-21 21:06:39 +00:00
Carmen Jackson
f47f0c3869 Add sync and fence tracepoints to user-visible list of tracepoints.
The 'sync' tracepoint was updated to be 'fence' in kernel 4.9, so this
change also adds that one to the list.

Bug: 79935503
Test: Took a trace using 'sync' in user mode and saw the tracepoints
being saved.

Change-Id: I793c6f54cd9364f33853983f8c5dfb28b98c2708
2018-05-21 12:18:18 -07:00
Paul Crowley
c9e9b326d0 Merge "Move more metadata policy from device to here" into pi-dev
am: 5252ad93e2

Change-Id: I591f253f82a91b1e953f46ff2c29e48e4929665b
2018-05-21 10:46:45 -07:00
TreeHugger Robot
5252ad93e2 Merge "Move more metadata policy from device to here" into pi-dev 2018-05-21 17:36:12 +00:00
Bowgo Tsai
282fc3e48e ueventd: allow reading kernel cmdline
This is needed when ueventd needs to read device tree files
(/proc/device-tree). Prior to access, it tries to read
"androidboot.android_dt_dir" from kernel cmdline for a custom
Android DT path.

Bug: 78613232
Test: boot a device without unknown SELinux denials
Change-Id: Iff9c882b4fcad5e384757a1e42e4a1d1259bb574
(cherry picked from commit 98ef2abb12)
2018-05-21 09:55:41 +08:00
Frank Salim
956b93623a Merge "Add ro.hardware.keystore_desede" into pi-dev
am: a0f9509908

Change-Id: I8fed87b5514516d2dcb8d1796ee42ca081ee490d
2018-05-18 16:04:36 -07:00
Frank Salim
a0f9509908 Merge "Add ro.hardware.keystore_desede" into pi-dev 2018-05-18 22:49:00 +00:00
Paul Crowley
bb3ba3e5d9 Move more metadata policy from device to here
Test: booted metadata-encrypted device
Bug: 79781913
Change-Id: Ib4cb4a04145e5619994083da055f06fe7ae0137a
2018-05-18 14:12:40 -07:00
Frank Salim
6fe4ef7e8c Add ro.hardware.keystore_desede
This allows Android Keystore to statically register support for 3DES
during zygote initialization based on the device's support for hardware
backed 3DES keys.

Bug: b/79986680
Test: keystore CTS
Change-Id: Ic9a6653cdd623a3ab10e0efbcdb37c437e6c59b9
2018-05-18 18:25:44 +00:00
Tom Cherry
cdb1624c27 neverallow coredomain from writing vendor properties
System properties can be abused to get around Treble requirements of
having a clean system/vendor split.  This CL seeks to prevent that by
neverallowing coredomain from writing vendor properties.

Bug: 78598545
Test: build 2017/2018 Pixels
Test: build aosp_arm64
Change-Id: I5e06894150ba121624d753228e550ba9b81f7677
2018-05-18 20:15:19 +09:00
Jaegeuk Kim
5580a18255 Merge "dumpstate: allow /metadata for df" into pi-dev
am: e2f70ebc07

Change-Id: Ic56b485f0297178d45061c0b6b7fb44fbb0b0fa5
2018-05-17 18:14:01 -07:00
TreeHugger Robot
e2f70ebc07 Merge "dumpstate: allow /metadata for df" into pi-dev 2018-05-18 00:38:09 +00:00
Jin Qian
e11d499475 storaged: add storaged_pri service
"storaged" service will be used by external clients, e.g. vold, dumpsys
"storaged_pri" service will only be used by storaged cmdline.

Bug: 63740245
Change-Id: I7a60eb4ce321aced9589bbb8474d2d9e75ab7042
(cherry picked from commit 37ab7c0917)
2018-05-17 10:02:08 -07:00
TreeHugger Robot
4c2e89baf8 Merge "domain.te & kernel.te: allow kernel to write nativetest_data_file" into pi-dev 2018-05-16 16:36:26 +00:00
Yongqin Liu
8c3a74ad64 domain.te & kernel.te: allow kernel to write nativetest_data_file
to workaround some VTS VtsKernelLtp failures introduced by
change on vfs_iter_write here:
abbb65899a%5E%21/#F3

for discussion please check threads here:
https://www.mail-archive.com/seandroid-list@tycho.nsa.gov/msg03348.html

Sandeep suggested to re-order the events in that thread,
that should be the right solution,
this change is only a temporary workaround before that change.

Bug: 79528964
Test: manually with -m VtsKernelLtp -t VtsKernelLtp#fs.fs_fill_64bit

Change-Id: I3f46ff874d3dbcc556cfbeb27be21878574877d1
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
(cherry picked from commit 64ff9e9523)
Merged-In: I3f46ff874d3dbcc556cfbeb27be21878574877d1
2018-05-16 07:46:17 -07:00
Logan Chien
921a881bf8 Merge "Add ro.vndk.lite to property_contexts" into pi-dev
am: 52fd4141b8

Change-Id: Ia4d8ebc74987c18a6390884a71ad0ea9b497b1cf
2018-05-16 02:46:03 -07:00
Logan Chien
52fd4141b8 Merge "Add ro.vndk.lite to property_contexts" into pi-dev 2018-05-16 09:38:57 +00:00
Jerry Zhang
afe305d489 Merge "Allow mediaprovider to search /mnt/media_rw" into pi-dev
am: 6002126f88

Change-Id: I2774c1fe619e2872805d9188ee3c3df9dcc68568
2018-05-15 14:55:35 -07:00
Jerry Zhang
6002126f88 Merge "Allow mediaprovider to search /mnt/media_rw" into pi-dev 2018-05-15 21:35:43 +00:00
Jerry Zhang
31c4b4eabf Allow mediaprovider to search /mnt/media_rw
Mtp needs access to this path in order to
change files on an sdcard.

Fixes denial:

05-14 17:40:58.803  3004  3004 W MtpServer: type=1400 audit(0.0:46):
avc: denied { search } for name="media_rw" dev="tmpfs" ino=10113
scontext=u:r:mediaprovider:s0:c512,c768
tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir permissive=0
b/77925342 app=com.android.providers.media

Bug: 77849654
Test: no denials using mtp with emulated sdcard
Change-Id: I27b5294fa211bb1eff6d011638b5fdc90334bc80
2018-05-15 11:46:52 -07:00
Pavel Maltsev
236085406b Merge "Allow to use sockets from hal server for auto" into pi-dev
am: 175f23eca4

Change-Id: Icf339629d09ddf5a316e21e39a05e42cb63c9b85
2018-05-14 18:29:06 -07:00
TreeHugger Robot
175f23eca4 Merge "Allow to use sockets from hal server for auto" into pi-dev 2018-05-15 01:18:18 +00:00
Joel Galenson
f8e1cf4354 Merge "Allow vendor_init to getattr vold_metadata_file." into pi-dev
am: e2c2a85e60

Change-Id: Ie09ba0e54a005eef0aacf159fd5795acfddf54cc
2018-05-14 16:55:39 -07:00
TreeHugger Robot
e2c2a85e60 Merge "Allow vendor_init to getattr vold_metadata_file." into pi-dev 2018-05-14 23:42:19 +00:00
Pavel Maltsev
4cafae77a4 Allow to use sockets from hal server for auto
Add an exemption to neverallow rule to use sockets from HAL servers only
for automotive build

Bug: 78901167
Test: assign this attribute to hal_vehicle_default and try to open
socket from HAL implementation
Test: verify that new CTS test will fail for non-automotive build with
this attribute being used
Test: make cts && cts-tradefed run singleCommand cts --skip-device-info
 --skip-preconditions --abi arm64-v8a --module CtsSecurityHostTestCases
 -t android.security.cts.SELinuxHostTest

Change-Id: I27976443dad4fc5b7425c089512cac65bb54d6d9
2018-05-14 14:36:19 -07:00
Joel Galenson
597be44e96 Allow vendor_init to getattr vold_metadata_file.
This relaxes the neverallow rule blocking vendor_init from doing
anything to vold_metadata_file.  The rules above it still prevent it
from doing anything other than relabelto and getattr.

Bug: 79681561
Test: Boot device and see no denials.
Change-Id: I1beb25bb9f8d69323c9fee53a140c2a084b12124
2018-05-14 13:08:46 -07:00
Joel Galenson
f222b1bbeb Merge "Track cppreopts SELinux denial." into pi-dev
am: ce52208134

Change-Id: Iceb3a1d039719b53f1a18f317a7a4e4fde5c5960
2018-05-14 12:31:33 -07:00
TreeHugger Robot
ce52208134 Merge "Track cppreopts SELinux denial." into pi-dev 2018-05-14 19:23:42 +00:00
Logan Chien
9f55f3455f Add ro.vndk.lite to property_contexts
Bug: 78605339
Test: aosp_walleye-userdebug builds
Change-Id: I37c84e20f2284d50cbe29bfa1b7597dd2c01fb4b
2018-05-14 14:46:47 +08:00
Jaegeuk Kim
18096f9c64 dumpstate: allow /metadata for df
[  196.680228] type=1400 audit(1526230655.786:26): avc: denied { getattr } for
 pid=7159 comm="df" path="/metadata" dev="sda20" ino=2 scontext=u:r:dumpstate:s0
 tcontext=u:object_r:metadata_file:s0 tclass=dir permissive=0

Bug: 66967195
Bug: 79552162
Test: adb bugreport
Change-Id: Ib2abbc35e04a69992fa09a596694f428d3adc7c1
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
2018-05-13 10:13:59 -07:00
TreeHugger Robot
d9c7a6068c Merge "Whitelist dalvik.vm.profilebootimage" into pi-dev 2018-05-12 04:08:03 +00:00
Calin Juravle
54fc209a48 Whitelist dalvik.vm.profilebootimage
The property is set on builds which profile the boot image.

Test: m
Bug: 73313191

(cherry-pick from commit d99f4acf2d)

Merged-In: Ie0cd54f23250df02850c38bb14e92d4b1fa04f16
Change-Id: Ie0cd54f23250df02850c38bb14e92d4b1fa04f16
2018-05-12 01:52:19 +00:00
Mark Salyzyn
2cdcdc6ec0 Merge "FrameworksServicesTests: allow access to test.sys.boot.reason property" into pi-dev 2018-05-10 23:06:17 +00:00
Chris Fries
bb5b0a1e8f Merge "Add wait_for_keymaster" into pi-dev 2018-05-10 06:49:59 +00:00
Calin Juravle
dfaf39154f Merge "Allow system server to write profile snapshots in /data/misc/profman" into pi-dev 2018-05-09 21:35:08 +00:00
Paul Crowley
6af7af151b Add wait_for_keymaster
Bug: 79228237
Test: audit2allow finds no relevant denials on boot
Change-Id: Ia80b77ba9a1ec2354127cd0ef68d50ebcf593fb0
2018-05-09 12:57:52 -07:00
Calin Juravle
687d5e46ce Allow system server to write profile snapshots in /data/misc/profman
The goal is to allow creating profile snapshots from the shell command in
order to be able to write CTS tests.

The system server will dump profiles for debuggable in /data/misc/profman
from where they will be pulled and verified by CTS tests.

Test: adb shell cmd package snapshot-profile com.android.vending
Bug: 74081010
Change-Id: I54690305284b92c0e759538303cb98c93ce92dd5
2018-05-09 11:41:39 -07:00
Mark Salyzyn
1b748766e3 FrameworksServicesTests: allow access to test.sys.boot.reason property
com.android.server.power.PowerManagerServiceTest#testGetLastShutdownReasonInternal due to "RuntimeException: failed to set system property"

W/roidJUnitRunner: type=1400 audit(0.0:6): avc: denied { write } for name="property_service" dev="tmpfs" ino=13178 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
W/libc    : Unable to set property "test.sys.boot.reason" to "shutdown,thermal": connection failed; errno=13 (Permission denied)

Had to use precise property definition as com.android.phone accesses
test properties as well.

Test: compile
Bug: 78245377
Change-Id: I2cc810846f8615f2a2fae8e0d4f41de585b7abd7
2018-05-09 11:01:39 -07:00
Joel Galenson
8e6b2d551c Track cppreopts SELinux denial.
This should help fix presubmit tests.

Bug: 79414024
Test: Built policy.
Change-Id: Ic840150767ff6c2799ac3b5ef22ba139108c94dd
(cherry picked from commit 06e09abd25)
2018-05-09 10:36:00 -07:00
android-build-team Robot
351b9a3796 Merge "Allow sdcardfs:file read access on mediaextractor" into pi-dev 2018-05-08 22:25:41 +00:00
android-build-team Robot
adf00fa82e Merge "Whitelist reading property ro.aac_drc_effect_type" into pi-dev 2018-05-07 21:55:21 +00:00
Jean-Michel Trivi
41795cdf6d Whitelist reading property ro.aac_drc_effect_type
Bug: 71430241
Test: build/flash, grep for "avc: denied { read }" for mediacodec, should be empty on walleye
Change-Id: I12e1b11a969d3f979ca0cfbe4ca7db2bc5e46165
2018-05-07 12:28:17 -07:00
Ray Essick
2306cc040a give audioserver access to media.metrics
Let the audioserver record metrics with media.metrics service.
This is for 'audiopolicy' metrics.

Bug: 78595399
Test: record from different apps, see records in 'dumpsys media.metrics'
Change-Id: I63f9d4ad2d2b08eb98a49b8de5f86b6797ba2995
2018-05-07 16:31:44 +00:00
android-build-team Robot
7ea7f12d14 Merge "Allow system server to record its own profile" into pi-dev 2018-05-04 22:43:22 +00:00
Josh Gao
d018b5ce2c Merge changes from topic "tombstoned_empty" into pi-dev
* changes:
  Update sepolicy prebuilts for tombstoned.
  tombstoned: allow linking tombstones.
2018-05-04 21:37:22 +00:00
Calin Juravle
035fcc46cc Allow system server to record its own profile
On userdebug builds we can now profile system server without disabling
selinux. This is the final piece, and allows the system server to save its
own profile.

Test: manual, on a device with system server profiling enabled
Bug: 73313191

(cherry picked from commit 71d8467b75)

Change-Id: I93e7e01bfbd3146a8cfd26a1f6e88b640e9c4e0f
2018-05-04 13:38:49 -07:00
Yao Chen
78e3ed447a Allow lmkd to log to statsd
Bug: 78603347
Test: build and locally tested
Change-Id: I7e4eb8ebb2c1a0b7d684b471141da991a19bc98d
2018-05-03 16:15:38 -07:00
Josh Gao
c754b990a0 Update sepolicy prebuilts for tombstoned.
Bug: http://b/77729983
Test: treehugger
Change-Id: Ic8ce31396e5cad2e9b1f7aab2ace2f6c8e962d6d
2018-05-03 13:14:39 -07:00
Pavel Maltsev
53c6578ff2 Merge "Allow auto HAL clients to access hw services" into pi-dev 2018-05-03 16:58:58 +00:00
android-build-team Robot
d8d7a3f7cc Merge "Never expand proc_type attribute" into pi-dev 2018-05-03 14:29:48 +00:00
Jeff Vander Stoep
db6218417c Never expand proc_type attribute
It's used in build-time tests and in CTS.

Bug: 78898770
Test: build user-build
Change-Id: I254bf4d7ed0c0cb029b55110ceec982b84e4a91b
(cherry picked from commit beeb122405070a5b4cee326a0cdae92a1a791fbc)
2018-05-02 15:00:55 -07:00
Andrew Sapperstein
b12ca61e9c Merge "Add ro.oem.key1 to SELinux policy." into pi-dev 2018-05-02 21:10:41 +00:00
android-build-team Robot
9d4573c448 Merge changes Ic3f85992,I33f47db7 into pi-dev
* changes:
  Sepolicy: Modify postinstall_dexopt
  Sepolicy: Modify postinstall_dexopt
2018-05-02 18:52:02 +00:00
Andrew Sapperstein
99bfd8efdf Add ro.oem.key1 to SELinux policy.
vendor-init-settable|public-readable

Change-Id: I8262cc03150931080c0982350cd990ee8f5422bc
Fixes: 78636965
Test: adb shell getprop ro.oem.key1
2018-05-02 11:48:30 -07:00
Pavel Maltsev
368ae61fc7 Allow auto HAL clients to access hw services
Bug: 70637118
Test: m && emulator ; also verified on bat_land
Change-Id: I39dd17d20acc8d380f36e207679b8b1eba63a72e
2018-05-02 09:54:40 -07:00
Jaekyun Seok
21b1015db3 Update prebuilts/api/28.0/public/property_contexts
Bug: 78205669
Bug: 78430613
Test: succeeded building
Change-Id: Ie098b839a050058424673f0d8961b7a194a2caab
2018-05-02 09:08:13 +09:00
Dongwon Kang
e993b62c68 Allow sdcardfs:file read access on mediaextractor
Test: pass Multimedia File Compatibility test
Test: time to start playing mid file with GPM: ~10s => ~1.2s
Bug: 76422052, Bug: 67480585, Bug: 30751071
Change-Id: I4e9824b21dab1dafdcca5824367a7fe39a37e2f7
2018-05-01 13:25:24 -07:00
Andreas Gampe
8cbe674345 Sepolicy: Modify postinstall_dexopt
Update prebuilts for API 28.

Bug: 77958490
Test: m
Test: manual
Change-Id: Ic3f8599266ff8fffdff1492a5600a10f6fecbe88
2018-05-01 10:47:35 -07:00
Ian Pedowitz
c170107ae0 Fixing build as SEPolicy changed during merge of P-Finalization
Bug: 77589980
Test: diff -r system/sepolicy/public system/sepolicy/prebuilts/api/28.0/public is empty
Change-Id: I5ecb003e893d87e36e096208e505ad1264c288aa
2018-04-30 18:36:35 -07:00
Ian Pedowitz
763dcc3175 SEPolicy Prebuilts for P
Bug: 77589980
Test: Build
Change-Id: I5395314006f42dd3c925fed554c04d182ddde2c5
2018-04-30 15:09:29 -07:00
Wale Ogunwale
49b79029cb Finalizing P SDK
Bug: 77588754
Test: builds
Change-Id: I61ceb438cd532584847ddd55c0eeaefebdcfa51c
2018-04-13 06:50:59 -07:00
Tri Vo
cbfc73a834 Merge "Add prebuilts/api/27.0/nonplat_sepolicy.cil." am: a7b63e4e44 am: fdd314d72c
am: b917f3587c

Change-Id: I9f8245938c8d243957b38199ee1fd830cdc7277b
2018-02-02 20:51:48 +00:00
Tri Vo
9bcce08b14 Add prebuilts/api/27.0/nonplat_sepolicy.cil.
This file is /vendor/etc/selinux/nonplat_sepolicy.cil from aosp_arm64-eng
from mr1-dev

Bug: 69390067
Test: prebuilt only change
Change-Id: I717513ae66e806afe0071cf5b42e9f709264d0b6
2018-01-31 16:26:16 -08:00
Dan Cashman
de4ddd6146 Merge "Commit 27.0 sepolicy prebuilts to master." am: bffa911d6b am: 792a40e0a7
am: b7b36b35bb

Change-Id: Ic0115773986fcf1fa8f07832641be168a9edcbe0
2017-12-08 00:23:19 +00:00
Treehugger Robot
bffa911d6b Merge "Commit 27.0 sepolicy prebuilts to master." 2017-12-07 01:52:56 +00:00
Dan Cashman
805824884f Commit 27.0 sepolicy prebuilts to master.
Bug: 65551293
Bug: 69390067
Test: None. Prebuilt only change.
Change-Id: I62304b342a8b52fd505892cc2d4ebc882148224b
2017-12-06 09:23:36 -08:00
Jin Qian
37ab7c0917 storaged: add storaged_pri service
"storaged" service will be used by external clients, e.g. vold, dumpsys
"storaged_pri" service will only be used by storaged cmdline.

Bug: 63740245
Change-Id: I7a60eb4ce321aced9589bbb8474d2d9e75ab7042
2017-10-16 13:57:06 -07:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Daniel Cashman
46f41134e7 Bug revert AOSP cherry-picks to enable big diff.
The following commits were cherry-picked from internal master to AOSP,
but to avoid merge-conflicts we'll do a large diff instead of individual
cherry-picks:
521742e979
9aefc916f5
3686efcadb
de51e7dece
fff3fe2f08

Bug: 37916906
Test: angler builds and boots.
Merged-In: Ie010cc12ae866dbb97c387471f433158d3b699f3
Change-Id: I5126ebe88b9c76a74690ecf95851d389cfc22d1f
2017-09-19 14:14:58 -07:00
Dan Cashman
c3f9ebda33 Bulk-revert changes caused by AOSP cherry-picks.
In order to bring AOSP development back in-line with master development,
some CLs were cherry-picked individually from internal master to AOSP,
which were then merged back into internal master (MERGED-IN was missing).
Due to merge-conflict pain, these are being reverted in favor of one
big diff.  This CL reverts the changes that were auto-merged in as a result,
and can be used as the target of MERGED-IN when reverting the individual
cherry-picks in AOSP.

This reverts commit a08fe91ee5, reversing
changes made to 11481d1d95.

This reverts commit 7ec5ecfbb7, reversing
changes made to 6fecbbb27e.

Bug: 37916906
Test: Builds 'n' boots.
2017-09-19 09:47:59 -07:00
Josh Gao
313a472d85 Add /dev/kmsg_debug. am: 521742e979 am: 1176de8e70
am: b9eba1d022

Change-Id: I5a324c714f30cbbd76fda809c01cdbb44a533d52
2017-09-09 01:45:07 +00:00
Dan Cashman
df7e9eb74c Add mapping compatibility file for sepolicy api lvl 26.0 am: de51e7dece am: 97cfd1fded
am: 1b29c5bb67

Change-Id: Ia4afe4dbc01bac08ad2603466c5130c209b481dd
2017-09-09 00:04:26 +00:00
Josh Gao
521742e979 Add /dev/kmsg_debug.
Add /dev/kmsg_debug on userdebug devices, to allow crash_dump to log
crashes to dmesg when logd isn't up yet (or is the one crashing).

(Originally committed in a015186fab)
(cherry-pick of commit: 3458ec135e)

Bug: 37916906
Bug: 36574794
Bug: 62101480
Test: Builds and boots.
Change-Id: I83aa392f49bb412d96534925fb02921a8f4731fa
2017-09-08 15:43:31 -07:00
Dan Cashman
9aefc916f5 Update sepolicy 26.0 prebuilts again, again.
(cherry-pick of commit: 55c7750482)

Bug: 37916906
Bug: 37896931
Test: none, just prebuilt update.
Change-Id: I55b5179f98703026699a59cce4b2e1afb166fd1d
2017-09-08 15:35:55 -07:00
Dan Cashman
3686efcadb Update 26.0 SELinux prebuilts.
More changes went into oc-dev after the freeze-date.  Reflect them.
(cherry-pick of commit: 148578a623)

Bug: 37916906
Bug: 37896931
Test: prebuilts - none.
Change-Id: I3300751ea7362d5d96b327138544be65eb9fc483
2017-09-08 15:30:38 -07:00
Dan Cashman
de51e7dece Add mapping compatibility file for sepolicy api lvl 26.0
commit: 5c6a227ebb added the oc-dev
sepolicy prebuilts (api 26.0), but did not include the corresponding
base mapping file, which is to be maintained along with current
platform development in order to ensure backwards compatibility.
(cherry-pick of commit: 5e4e0d7fba)

Bug: 37916906
Bug: 37896931
Test: none, this just copies the old mapping file to prebuilts.
Change-Id: Ia5c36ddab036352845878178fa9c6a9d649d238f
2017-09-08 15:25:49 -07:00
Dan Cashman
fff3fe2f08 Commit oc-dev sepolicy to prebuilts.
Copy the final system sepolicy from oc-dev to its prebuilt dir
corresponding to its version (26.0) so that we can uprev policy and
start maintaining compatibility files, as well as use it for CTS
tests targeting future platforms.

(cherry-pick of commit: 5c6a227ebb)

Bug: 37896931
Bug: 37916906
Test: none, this just copies the old policy.
Change-Id: Ib069d505e42595c467e5d1164fb16fcb0286ab93
2017-09-08 15:19:30 -07:00
Dan Cashman
78b3d573da Move compatibility files out of prebuilts dir.
The treble compatibility tests check for policy differences between old
and new policy.  To do this correctly, we must not modify the policy which
represents the older policies.  Move the files meant to be changed to a
different location from the ones that are not meant to be touched to avoid
any undesired changes to old policy, e.g. commit:
2bdefd65078d890889672938c6f0d2accdd25bc5

Bug: 36899958
Test: Build-time tests build.
Change-Id: I8fa3947cfae756f37556fb34e1654382e2e48372
2017-08-14 09:47:37 -07:00
Martijn Coenen
346a913c34 Merge "Prevent access to nonplat_service_contexts on full_treble." into oc-mr1-dev 2017-08-12 12:14:08 +00:00
TreeHugger Robot
12d1c4f757 Merge "Add missing attribute to compatibility file." into oc-mr1-dev 2017-08-11 20:36:34 +00:00
Dan Cashman
758d256138 Add missing attribute to compatibility file.
untrusted_app_visible_hwservice was an attribute that was meant to
give partners time to add their HALs to AOSP.  It was removed from mr1
and so needs to be accounted for in the compatibility mapping.

Bug: 64321916
Test: Builds with treble policy tests.
Change-Id: I359a842083016f0cf6c9d7ffed2116feb9e159c6
2017-08-11 10:46:50 -07:00
Steven Moreland
f27bba93d1 Add screencap domain.
Only seeing this denial in permissive:
allow shell screencap_exec:file getattr;

Bug: 37565047
Test: adb shell screencap w/o root
Test: cts-tradefed run cts-dev --module CtsAadbHostTestCases
Change-Id: I9f31d2067e002e7042646ee38dbfc06687481ac7
2017-08-11 09:43:04 -07:00
Martijn Coenen
431a03bb9f Prevent access to nonplat_service_contexts on full_treble.
On Full Treble devices, servicemanager should only service
services from the platform service_contexts file.

Created new type to separate plat_ and nonplat_service_contexts,
and added new type to mapping (although I don't think this type
should have been used by vendors).

Bug: 36866029
Test: Marlin/Taimen boot
Change-Id: Ied112c64f22f8486a7415197660faa029add82d9
2017-08-11 14:49:56 +02:00
TreeHugger Robot
aaa94fa92e Merge "Fix thermalserviced_tmpfs compat recording mistake." into oc-mr1-dev 2017-08-08 20:07:22 +00:00
Dan Cashman
34f827fbe1 Fix thermalserviced_tmpfs compat recording mistake.
Commit: 2490f1adad meant to add
thermalserviced_tmpfs to the new_object list in the mapping file,
but copy-paste error resulted in thermalserviced_exec_tmpfs being
recorded instead.  Fix this.

(cherry-pick of commit: fbacc656be)

Bug: 62573845
Test: None. prebuilt change.
Change-Id: Iab4eaef04742187d6397a539aae854651caa9935
2017-08-08 10:15:38 -07:00
TreeHugger Robot
0e4e784c61 Merge "Allow PackageManager to create a new service" into oc-mr1-dev 2017-08-08 15:58:41 +00:00
Todd Kennedy
8bb80471b9 Allow PackageManager to create a new service
A new API [getNamesForUids] was recently added to the PackageManager
and this API needs to be accessible to native code. However, there
were two constraints:
1) Instead of hand-rolling the binder, we wanted to auto generate
the bindings directly from the AIDL compiler.
2) We didn't want to expose/annotate all 180+ PackageManager APIs
when only a single API is needed.
So, we chose to create a parallel API that can be used explicitly
for native bindings without exposing the entirety of the
PackageManager.

Bug: 62805090
Test: Manual
Test: Create a native application that calls into the new service
Test: See the call works and data is returned
Change-Id: I0d469854eeddfa1a4fd04b5c53b7a71ba3ab1f41
2017-08-04 13:33:42 -07:00
Dan Cashman
e772a5cfd7 Record thermalserviced_tmpfs for compat infrastructure.
Commit: ec3b6b7e25 added a new daemon
and corresponding types to sepolicy.  The explicitly declared types
were added to 26.0.ignore.cil to reflect the labeling of new objects,
but another type, thermalserviced_tmpfs was created by macro and was
missed in code review.  Add it as well.

Bug: 62573845
Test: None. prebuilt change.
Change-Id: Ia8968448eea0be889911f46fe255f581659eb548
(cherry picked from commit 2490f1adad)
2017-08-04 16:34:56 +00:00
Todd Poynor
e9b2def796 thermal: sepolicy for thermalservice and Thermal HAL revision 1.1
Add sepolicy for thermalserviced daemon, IThermalService binder
service, IThermalCallback hwservice, and Thermal HAL revision 1.1.

Test: manual: marlin with modified thermal-engine.conf
Bug: 30982366
Change-Id: I207fa0f922a4e658338af91dea28c497781e8fe9
(cherry picked from commit ec3b6b7e25)
2017-08-04 16:24:05 +00:00
Dan Cashman
3fc7f836a3 Record hal_wifi_offload_hwservice type for compatibility.
Commit: 5aef6a9469 added a new type,
system_net_netd_hwservice, for a new hwservice.  Record this in the
compatibility infrastructure as labeling a new object, rather than
relabeling one from O.

Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: If360eb9e05684d9b47316d53e494aa773485e93f
2017-07-31 14:25:09 -07:00
Dan Cashman
079a98b8eb Record mediaprovider_tmpfs type for compatibility.
Commit: 3eed3eacfb added the compatibility
statement for the new mediaprovider app domain, but it missed another
new, private type, mediaprovider_tmpfs, that is automatically created for
all appdomains.  It replaces priv_app_tmpfs, but since both types are
private, they do not need to be added to the actual mapping (vendor policy
cannot use it).

Bug: 62573845
Test: None.  Prebuilt-only change.
Change-Id: I62229a5be74cd928fe0ca82a45b73cb61d6f5223
2017-07-31 14:18:47 -07:00
Dan Cashman
0785a72cda Record hal_wifi_offload_hwservice type for compatibility.
Commit: 632bc494f1 added hwservice labeling
and was cherry-picked to oc-dev, but the hal_wifi_offload_hwservice type
was not part of the cherry-pick because the service was not in oc-dev.
Record the type for compatibility purposes.

Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: Ib2c0fe862eddb566fbe6b0287238fa93dddae7b8
2017-07-31 14:14:59 -07:00
Michael Butler
e9d07b9e5f Default sepolicy rules for initial upload of Neural Network API.
Bug: 63905942
Test: mm -j40
Change-Id: I354ee863475aedd2dc9d2b436a00bcd82931456f
(cherry picked from commit 4fc5fb5e521347d65dc921f8c1fb751c66f9a92c)
2017-07-25 20:42:26 +00:00
Dan Cashman
9d0737a5e3 rm memcg type from ignore list.
This type was removed in commit: 93166cefce
and no longer needs to be included in compatibility infrastructure.

Bug: 62573845
Test: None, prebuilt change.
Change-Id: I9dc05512c7fcb3ef4445c4c6b040809a1d595282
2017-07-18 10:19:53 -07:00
Lorenzo Colitti
e5e17b5a95 Merge changes I356c39a5,I20b52f1d
* changes:
  Revert "Temporarily revert the SELinux policy for persist.netd.stable_secret."
  Revert "Temporarily remove netd_stable_secret_prop from compat infra."
2017-07-13 12:24:20 +00:00
Jeff Vander Stoep
ece21859fc create separate usermodehelper type for sysfs
Prevent files in /proc from incorrectly having sysfs_type attribute.

Rework neverallows so that ueventd has write access to all of
/sys which it needs to handle uevents.

Bug: 63147833
Test: Build. Flash angler, verify files are correctly labeled and no
    new denials are in the logs.

Change-Id: Ib94d44e78cee0e83e2ac924f1c72e611e8e73558
2017-07-12 12:26:12 -07:00
Lorenzo Colitti
98e96fac72 Revert "Temporarily remove netd_stable_secret_prop from compat infra."
This reinstates the exception for netd_stable_secret_prop, which
was added after O sepolicy freeze. This exception, along with the
corresponding core sepolicy change, was reverted in order to
allow these policies to be added to per-device sepolicy.

DO NOT SUBMIT until http://ag/2528214 has automerged to master.

This reverts commit 777c8ee0c2.

Bug: 17613910
Bug: 62573845
Test: make -j64 bootimage
Change-Id: I20b52f1d8e1c0cbb18a339bf45586dacbc7405ad
2017-07-13 01:41:08 +09:00
Lorenzo Colitti
777c8ee0c2 Temporarily remove netd_stable_secret_prop from compat infra.
This will allow removing the netd_stable_secret_prop from common
policy in master. It will be re-added after the wahoo-specific
sepolicy for netd_stable_secret_prop lands in oc-dr1-dev, is
automerged to master, and then is reverted in master.

This reverts commit ebea2b459c.

Bug: 17613910
Bug: 62573845
Test: None, prebuilt change only.
Change-Id: I1234326d2fe6446e7e09ba9e97187518fa9bce33
2017-07-11 23:45:23 +09:00
Dan Cashman
b04df6e309 Make sure platform policy builds with compatible versions.
Platform SELinux policy may be updated without a corresponding
update to non-platform policy.  This is meant to be accomplished by
maintaining a compatibility mapping file which will be built along
with the current platform policy to link older non-platform policy.

Introduce an example vendor policy built from 26.0 public policy and
make sure that the current platform policy and mapping file, for that
version, build with it.  Add this as a dependency for the
selinux_treble_tests, which are meant to ensure treble properties,
ultimately to provide this compatibility guarantee.

Bug: 36899958
Test: Current platform policy builds with oc-dev vendor policy and
oc-dev mapping file.  Removed private type with no effect.  Removed
public type without corresponding mapping entry causes build to fail.

Change-Id: I7994ed651352e2da632fc91e598f819b64c05753
2017-07-10 14:49:03 -07:00
TreeHugger Robot
e3aab4c8bd Merge "Update 26.0 prebuilts." 2017-07-10 21:28:34 +00:00
Dan Cashman
4d9f41d758 Record hal_tetheroffload_service for compatibility.
Commit: e58a8de5e7 added a new type
which has no analogue in 26.0.  Record it as such.

Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I6b6d2aa64e0ac2c39c8d0427d333e6c7fc2b0bb1
2017-07-07 12:21:33 -07:00
Dan Cashman
d09005261c Record memcg_device type for compat.
Commit: 86cb521502 gave /dev/memcg a
new label, but also explicitly prohibited access to vendor domains.
Add the type to the 'new types' and don't map it to any other type
for backwards compatibility.

Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I8902716830b162ead69834544ace9e02a94c65b4
2017-07-07 12:21:33 -07:00
Dan Cashman
255a4a7265 Record new broadcast_service type.
Commit: 38f0928fb0 added a type for a
new system service.  This service did not exist previously, so mark
the type as not needing any compat entry.

Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I52d8e144c614b27f5c52fa99be6cfac87159bbcd
2017-07-07 12:21:33 -07:00
Dan Cashman
629c58b2d3 Record new cas hwservice type.
Commit: 78e595deab added a new hwservice,
which replaced a previous system service.  This effectively means we are
deleting one object and creating a new one, so no compatibility mapping
should be necessary since previous vendor processes trying to access the
service will not be able to find it now independent of policy.

Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I6882d968dccb55561379e940f6ecb62902bb1659
2017-07-07 12:21:33 -07:00
Dan Cashman
30a29946d0 Update 26.0 prebuilts.
Bug: 37896931
Test: none, just update prebuilt.
Change-Id: Id940d1c2bc46deab1eb49bacebbb41069e2034e4
2017-07-07 10:17:30 -07:00
Dan Cashman
23425c8ea6 Add compat changes for hal_wifi_keystore attribute removal.
Commit: b8f7a40833 removed three
attributes from public policy.  These attributes could be assigned
to vendor types, and so need to be kept in policy when combined with
vendor policy of that version.

Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I7d71ef7795f8b82c214c2ef72478c3ca84d1869c
2017-07-06 09:51:31 -07:00
Dan Cashman
c72e3db454 Add compat changes for uid_time_in_state.
Commit: 4dc88795d0 changed the label of
uid_time_in_state from proc to proc_uid_time_in_state.  This file
could have been used by vendor services.  Add a compat mapping.

Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I2e5222c4d4fe12cb0bbc4e85ba53c1f59b714d61
2017-07-06 09:37:23 -07:00
Dan Cashman
2e8cebe6e7 Add compat changes for tracing_shell_writable removal.
Commits 7fa51593c8 and
92fdd8954f removed the
tracing_shell_writable and tracing_shell_writable_debug types, and
relabeled the files with debugfs_tracing and debugfs_tracing_debug,
respectively.  Record this in the compatibility file so that vendor
policy using these types will still work.

Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: Ic6573518035514a86abe2081483431427612699e
2017-07-05 09:41:49 -07:00
Dan Cashman
ebea2b459c Record netd_stable_secret_prop in compat infra.
Commit: abb1ba6532 added policy for a
new property, which was not present in O.  This policy introduced a
new type.  Record it as such.

Bug: 62573845
Test: None, prebuilt change only.
Change-Id: I7d90cd69a5e6e29677598cc109676d5b1ce5ba05
2017-07-05 09:18:14 -07:00
Dan Cashman
3eed3eacfb Map mediaprovider to priv_app in 26.0 compat mapping
Commit: bde5c8013d added a new type,
mediaprovider, which is being applied to an object (process) formerly
labeled as priv_app. Add the new type to the versioned attribute for
priv_app so that any vendor policy written for interaction with
mediaprovider continues to work.

Bug: 62573845
Test: None.  Prebuilt-only change.
Change-Id: Id98293369401a2af23c2328a1cb4a5bb2258aac8
2017-07-05 09:16:48 -07:00
Dan Cashman
e78e8dcf11 Record timezone_service in compat infra.
Commit: 50889ce0eb added policy for a
new service, which was not present in O.  This policy introduced a
new type.  Record it as such.

Bug: 62573845
Test: None, prebuilt change only.
Change-Id: If9cfaff813c47d3b1c8374e8abfb4aedb902d486
2017-07-05 09:15:21 -07:00
Dan Cashman
b1c4967e8a Record tombstoned_java_trace_socket in compat record.
Commit: 11bfcc1e96 added policy for
a new socket which was not present in O.  This socket has a new
type associated with it.  Record the type as a new type so that
compatibility testing will not complain.

Bug: 62573845
Test: None, prebuilt change only.
Change-Id: I375fc9ca0bd201e277a0302d9b34c0da0eb40fbd
2017-07-05 09:13:50 -07:00
Dan Cashman
f875ee074c Add compat changes for e2fs addition.
Commit 5f573ab2aa added policy for
the additions of upstream fs tools.  Make sure the new types are
denoted as such (no object relabeling needs to be done) and that
objects which are relabeled are.

Bug: 35219933
Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I6515e05ebc60ca08e98029f471cf2861826036fc
2017-07-05 09:11:28 -07:00
Andreas Gampe
8c7514adb1 Sepolicy: Give asan_extract access to powerctl
rc-style powerctl has been removed. Accordingly, asan_extract now
needs access to sys.powerctl directly.

(originally commit: 8267208921)

Bug: 36458146
Bug: 38241921
Test: Builds and boots.
Change-Id: I7d6e583f5e98b671986a2071abf157c86e288a10
2017-06-27 15:38:29 -07:00
Dan Cashman
c10e0e552f Add domain_deprecated to bluetooth domains in 26.0.
domain_deprecated is a private attribute, which means that none of
its rules will be copied to vendor policy.  Unfortunately, this
means that any public type that used the attribute now loses policy
rules on which a vendor may have been relying unknowingly.  Add the
domain back in the compatibility file so that O vendor policy remains
sufficient.

Bug: 62573845
Test: None, prebuilt change and prebuilt tests not in yet.
Change-Id: I2c4ce00ecb102f087472e183fa52d072fe6eb398
2017-06-27 11:42:40 -07:00
Tom Cherry
cfc625d14a remove /dev/log
This was marked deprecated in 2014 and removed in 2015, let's remove
the sepolicy now too.

(Originally submitted in commit: 8c60f74dcc)

Bug: 38242876
Test: Builds and boots.

Change-Id: I4caa0dbf77956fcbc61a07897242b951c275b502
2017-06-27 10:10:22 -07:00
Josh Gao
3458ec135e Add /dev/kmsg_debug.
Add /dev/kmsg_debug on userdebug devices, to allow crash_dump to log
crashes to dmesg when logd isn't up yet (or is the one crashing).

(Originally committed in a015186fab)
Bug: 36574794
Bug: 62101480
Test: Builds and boots.
Change-Id: I249e11291c58fee77098dec3fd3271ea23363ac9
2017-06-27 07:20:44 -07:00
Dan Cashman
55c7750482 Update sepolicy 26.0 prebuilts again, again.
Bug: 37896931
Test: none, just prebuilt update.
Change-Id: I55b5179f98703026699a59cce4b2e1afb166fd1d
2017-06-22 14:32:21 -07:00
Dan Cashman
148578a623 Update 26.0 SELinux prebuilts.
More changes went into oc-dev after the freeze-date.  Reflect them.

Bug: 37896931
Test: prebuilts - none.
Change-Id: I3300751ea7362d5d96b327138544be65eb9fc483
2017-06-19 11:28:09 -07:00
Dan Cashman
5e4e0d7fba Add mapping compatibility file for sepolicy api lvl 26.0
commit: 5c6a227ebb added the oc-dev
sepolicy prebuilts (api 26.0), but did not include the corresponding
base mapping file, which is to be maintained along with current
platform development in order to ensure backwards compatibility.

Bug: 37896931
Test: none, this just copies the old mapping file to prebuilts.
Change-Id: Ia5c36ddab036352845878178fa9c6a9d649d238f
2017-06-13 08:33:15 -07:00
Dan Cashman
5c6a227ebb Commit oc-dev sepolicy to prebuilts.
Copy the final system sepolicy from oc-dev to its prebuilt dir
corresponding to its version (26.0) so that we can uprev policy and
start maintaining compatibility files, as well as use it for CTS
tests targeting future platforms.

Bug: 37896931
Test: none, this just copies the old policy.
Change-Id: Ib069d505e42595c467e5d1164fb16fcb0286ab93
2017-06-06 10:27:37 -07:00