Goal is to gain a better handle on who has access to which maps
and to allow (with bpfloader changes to create in one directory
and move into the target directory) per-map selection of
selinux context, while still having reasonable defaults for stuff
pinned directly into the target location.
BPFFS (ie. /sys/fs/bpf) labelling is as follows:
subdirectory selinux context mainline usecase / usable by
/ fs_bpf no (*) core operating system (ie. platform)
/net_private fs_bpf_net_private yes, T+ network_stack
/net_shared fs_bpf_net_shared yes, T+ network_stack & system_server
/netd_readonly fs_bpf_netd_readonly yes, T+ network_stack & system_server & r/o to netd
/netd_shared fs_bpf_netd_shared yes, T+ network_stack & system_server & netd [**]
/tethering fs_bpf_tethering yes, S+ network_stack
/vendor fs_bpf_vendor no, T+ vendor
* initial support for bpf was added back in P,
but things worked differently back then with no bpfloader,
and instead netd doing stuff by hand,
bpfloader with pinning into /sys/fs/bpf was (I believe) added in Q
(and was definitely there in R)
** additionally bpf programs are accesible to netutils_wrapper
for use by iptables xt_bpf extensions
'mainline yes' currently means shipped by the com.android.tethering apex,
but this is really another case of bad naming, as it's really
the 'networking/connectivity/tethering' apex / mainline module.
Long term the plan is to merge a few other networking mainline modules
into it (and maybe give it a saner name...).
The reason for splitting net_private vs tethering is that:
S+ must support 4.9+ kernels and S era bpfloader v0.2+
T+ must support 4.14+ kernels and T beta3 era bpfloader v0.13+
The kernel affects the intelligence of the in-kernel bpf verifier
and the available bpf helper functions. Older kernels have
a tendency to reject programs that newer kernels allow.
/ && /vendor are not shipped via mainline, so only need to work
with the bpfloader that's part of the core os.
Bug: 218408035
Test: TreeHugger, manually on cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I674866ebe32aca4fc851818c1ffcbec12ac4f7d4
(cherry picked from commit 15715aea32)
This is required for testing new ethernet APIs in T.
This change is not identical to the corresponding AOSP change
because it also needs to update the T prebuilts.
Test: TH
Bug: 171872016
(cherry picked from commit 02b55354bd)
(cherry picked from commit 69fa8ca6f2)
Change-Id: I036e48530e37f7213a21b250b858a37fba3e663b
This change enables xfrm netlink socket use for the system server,
and the network_stack process. This will be used by IpSecService
to configure SAs, and network stack to monitor counters & replay
bitmaps for monitoring of IPsec tunnels.
This patch updates the prebuilts, in addition to the changes to the
master source.
Bug: 233392908
Test: Compiled
(cherry picked from commit b25b4bf53f)
(cherry picked from commit 8b7c1cbd5e)
Change-Id: I55e03a3ca7793b09688f603c973c38bd2f6e7c7f
Give system_server and network_stack the same permissions as netd.
This is needed as we are continuously moving code out of netd into
network_stack and system_server.
This change is not identical to the corresponding AOSP change
because it also needs to update the T prebuilts.
Test: TH
Bug: 233300834
(cherry picked from commit ab02397814)
(cherry picked from commit d0478822ce)
Change-Id: Ic98c6fc631ee98bef4b5451b6b52d94e673b4f3c
This change allows remote_prov_app to find mediametrics. This is a
permission that all apps have. It is now needed for remote_prov_app due
to a new feature related to provisioning Widevine through the MediaDrm
framework.
Bug: 235491155
Test: no selinux denials related to remote_prov_app
Change-Id: Id3057b036486288358a9a84100fe808eb56df5fe
Merged-In: Id3057b036486288358a9a84100fe808eb56df5fe
Adding a new system property that will act as a toggle
enabling/disabling the framework changes that were submitted to prevent
leaked animators.
Bug: 233391022
Test: manual.
Merged-In: I57225feb50a3f3b4ac8c39998c47f263ae211b66
Change-Id: Ifc339efc1c3a5e19920b77d1f24bef19c39d5f44
To perform sdk sandbox data isolation, the zygote gets the selinux label
of SDK sandbox storage (e.g. /data/misc_{ce,de}/<user-id>/sdksandbox)
before tmpfs is mounted onto /data/misc_{ce,de} (or other volumes). It
relabels it back once bind mounting of required sandbox data is done.
This change allows for the zygote to perform these operations.
Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Change-Id: I28d1709ab4601f0fb1788435453ed19d023dc80b
Currently, app process can freely execute path at
`/data/misc_ce/0/sdksandbox/<package-name>` since it's labeled as system
file. They can't read or write, but use 403/404
error to figure out if an app is installed or not.
By changing the selinux label of the parent directory:
`/data/misc_ce/0/sdksandbox`, we can restrict app process from executing
inside the directory and avoid the privacy leak.
Sandbox process should only have "search" permission on the new label so
that it can pass through it to its data directory located in
`/data/misc_ce/0/sdksandbox/<package-name>/<per-sdk-dir>`.
Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Test: `adb shell cd /data/misc_ce/0/sdksandbox` gives error
Test: manual test to verify webview still works
Change-Id: Id8771b322d4eb5532eaf719f203ca94035e2a8ed
Merged-In: Id8771b322d4eb5532eaf719f203ca94035e2a8ed
Let vendor_init can react Vendor System Native Experiment
changes via persist.device_config.vendor_system_native.* properties.
Bug: 223685902
Test: Build and check no avc denied messages in dmesg
Change-Id: If69d1dab02d6c36cdb1f6e668887f8afe03e5b0e
Merged-In: If69d1dab02d6c36cdb1f6e668887f8afe03e5b0e
This CL partially cherry-picks ag/18350151 to
update prebuilts. Other parts are already included by
aosp/2083463.
Bug: 226456604
Bug: 223685902
Test: Build
Change-Id: I1ddb1db855a13671e7b76b48d84e4f1ab5a63374
This CL partially cherry-picks ag/18156623 to
update prebuilts. Other parts are already included by
aosp/2069127.
Test: m
Bug: 230289468
Change-Id: If52dea348c01113fe1504eb7e51f6780f0ed4a11
Bluetooth stack needs to read persist.logd.security and
ro.organization_owned sysprop (via __android_log_security())
to control security logging for Bluetooth events.
Bug: 232283779
Test: manual
Change-Id: Ic8162cd4a4436981a15acea6ac75079081790525
This allows MediaProvider call certain MediaCodec APIs
Also update prebuilts for API 32.
Test: atest TranscodeTest
Bug: 190422448
(cherry picked from commit 57401bc71f)
(cherry picked from commit c38b81ce4f)
Merged-In: Ied609152e6a9ba6d17b70db325ca33f1cb345eb8
Change-Id: Ied609152e6a9ba6d17b70db325ca33f1cb345eb8
Treble sepolicy tests check whether previous versions are compatible to
ToT sepolicy or not. treble_sepolicy_tests_for_release.mk implements it,
but it also includes a compat test whether ToT sepolicy + {ver} mapping
+ {ver} plat_pub_versioned.cil can be built together or not. We
definitely need such tests, but we already have a test called "compat
test" which does exactly that, and testing it again with Treble sepolicy
tests is just redundant. The only difference between those two is that
Treble sepolicy tests can also test system_ext and product compat files,
which was contributed by a partner.
The ultimate goal here is to migrate *.mk to Soong, thus merging these
two tests (compat, Treble) into one. As we've already migrated the
compat test to Soong, this change removes the compat test part from
treble sepolicy tests. Instead, the compat test will be extended so it
can test system_ext and product compat files too.
prebuilts/api/{ver}/plat_pub_versioned.cil and
prebuilts/api/{ver}/vendor_sepolicy.cil are also removed as they aren't
used anymore: vendor_sepolicy.cil is an empty stub, and
plat_pub_versioned.cil can be built from the prebuilt source files.
Bug: 33691272
Test: m selinux_policy
Change-Id: I72f5ad0e8bbe6a7c0bbcc02f0f902b953df6ff1a
The bootchart problem need the selinux policy fix.
But it is missing API 32
Bug: 218729155
Test: Build
Change-Id: Ia011f8bcd52403980c2a6751bb612dd5b770e130
This is a port of If44653f436d4e5dcbd040af24f03b09ae8e7ac05 which
made this change to prebuilts/api/31.0/private/mediatranscoding.te.
This is required to pass CTS test.
Test: run cts -m CtsMediaTranscodingTestCases -t android.media.mediatranscoding.cts.MediaTranscodingManagerTest#testAddingClientUids
Bug: 207821225
Bug: 213141904
Change-Id: Iefe9f326572976e230eeeec74e612b6e20b31887
Should system_server kill zygote on crashes, it will attempt to kill any
process in the same process group. This ensures that no untracked
children are left.
Bug: 216097542
Test: m selinux_policy
Change-Id: Ie16074f76e351d80d9f17be930a731f923f99835
(cherry picked from commit 6390b3f090)
Ignore-AOSP-First: backport with update to prebuilts
This allows MediaProvider call certain MediaCodec APIs
Also update prebuilts for API 32.
Test: atest TranscodeTest
Bug: 190422448
Merged-In: Ied609152e6a9ba6d17b70db325ca33f1cb345eb8
Change-Id: Ied609152e6a9ba6d17b70db325ca33f1cb345eb8
