fsverity_init is a new shell script that uses mini-keyctl for the actual
key loading. Given the plan to implement keyctl in toybox, we label
mini-keyctl as u:object_r:toolbox_exec:s0.
This gives us two benefits:
- Better compatibility to keyctl(1), which doesn't have "dadd"
- Pave the way to specify key's security labels, since keyctl(1)
doesn't support, and we want to avoid adding incompatible option.
Test: Boot without SELinux denial
Test: After boot, see the key in /product loaded
Bug: 128607724
Change-Id: Iebd7c9b3c7aa99ad56f74f557700fd85ec58e9d0
- lpdump is a binary on the device that talks to lpdumpd
via binder.
- lpdumpd is a daemon on the device that actually reads
dynamic partition metadata. Only lpdump can talk to it.
Bug: 126233777
Test: boots (sanity)
Test: lpdump
Change-Id: I0e21f35ac136bcbb0603940364e8117f2d6ac438
This is a partial revert of https://android-review.googlesource.com/c/platform/system/sepolicy/+/891474
The mount points at /bionic are gone. Therefore, init and
otapreopt_chroot do not need to bionic-mount bionic libraries.
Corresponding policies are removed.
Bug: 125549215
Bug: 113373927
Bug: 120266448
Test: m; device boots
Change-Id: I9d9d7ec204315fb5b66beec4e6a3c529bd827590
Set the apex_key context for files in
/product/etc/security/apex/ and
/system/product/etc/security/apex/.
The apexd code is already looking for public keys in these locations,
but the apex_key context needs to be set to make them accessible from
apexd.
Bug: 127690808
Test: manual - verified that key files had proper SE-Linux label
Change-Id: Ib15728fa97eb438ea97a9743a06fa46e4d54f1cd
With the CLs in the same topic, it's being built as a dynamically linked
executable. And this applies to normal boot (including charger mode) and
recovery mode both.
/system/bin/charger under normal boot will be labeled as charger_exec,
which has the attribute of system_file_type.
The file in recovery image will still be labeled as rootfs. So we keep
the domain_trans rule for rootfs file, but allowing for recovery mode
only.
Bug: 73660730
Test: Boot into charger mode on taimen. Check that charger UI works.
Test: Boot into recovery mode. Check that charger process works.
Change-Id: I062d81c346578cdfce1cc2dce18c829387a1fdbc
Add ART boot integrity check domain. Give it rights to run
fsverity and delete boot classpath artifacts.
Bug 125474642
Test: m
Test: boot
Change-Id: I933add9b1895ed85c43ec712ced6ffe8f820c7ec
This is an area that apexd can use to store session metadata, which
won't be rolled back with filesystem checkpointing.
Bug: 126740531
Test: builds
Change-Id: I5abbc500dc1b92aa46830829be76e7a4381eef91
The device OS and an installed GSI will both attempt to write
authentication data to the same weaver slots. To prevent this, we can
use the /metadata partition (required for GSI support) to communicate
which slots are in use between OS images.
To do this we define a new /metadata/password_slots directory and define
sepolicy to allow system_server (see PasswordSlotManager) to access it.
Bug: 123716647
Test: no denials on crosshatch
Change-Id: I8e3679d332503b5fb8a8eb6455de068c22eba30b
This is needed in cases SELinux labels are restored under /data/apex by
an external process calling restorecon. In normal condition files under
/data/apex/active retain the label staging_data_file used at their
original creation by StagingManager. However, we observed that the label
might be changed to apex_data_file, which we were able to reproduce by
running restorecon.
Explicitly mark files under /data/apex/active and /data/apex/backup as
staging_data_file.
This CL also remove some stale rules being addressed since.
Test: ran restorecon on files in /data/apex/active, attempted installing
a new apex which triggered the violation when files are linked to
/data/apex/backup. With this CL, the operation succeeds.
Bug: 112669193
Change-Id: Ib4136e9b9f4993a5b7e02aade8f5c5e300a7793c
Vendors should be able to specify additional cgroups and task profiles
without changing system files. Add access rules for /vendor/etc/cgroups.json
and /vendor/etc/task_profiles.json files which will augment cgroups and
task profiles specified in /etc/cgroups.json and /etc/task_profiles.json
system files. As with system files /vendor/etc/cgroups.json is readable
only by init process. task_profiles.json is readable by any process that
uses cgroups.
Bug: 124960615
Change-Id: I12fcff0159b4e7935ce15cc19ae36230da0524fc
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
System suspend service is not a HAL, so avoid using HAL-specific macros
and attributes.
Use system_suspend_server attribute for ISystemSuspend.hal permissions.
Use system_suspend type directly for internal .aidl interface
permissions.
Bug: 126259100
Test: m selinux_policy
Test: blueline boots; wakelocks can still be acquired; device suspends
if left alone.
Change-Id: Ie811e7da46023705c93ff4d76d15709a56706714
This sets up a selinux domain (notify_traceur) that can be called from
init and has the permissions to run the activitymanager script.
Bug: 116754134
Test: manual
Change-Id: Ia371bafe5d3d354efdf8cd29365cd74ed3e5cdfd
all_untrusted_apps apart from untrusted_app_{25, 27} and mediaprovider
are now expected to go to ashmemd for /dev/ashmem fds.
Give coredomain access to ashmemd, because ashmemd is the default way
for coredomain to get a /dev/ashmem fd.
Bug: 113362644
Test: device boots, ashmemd running
Test: Chrome app works
Test: "lsof /system/lib64/libashmemd_client.so" shows
libashmemd_client.so being loaded into apps.
Change-Id: I279448c3104c5d08a1fefe31730488924ce1b37a
cgroups.json file contains cgroup information required to mount
cgroup controllers and is readable only by init process.
cgroup.rc contains cgroup map information consisting of the list of
cgroups available in the system and their mounting locations. It is
created by init process and should be readable by any processes that
uses cgroups and should be writable only by init process.
task_profiles.json file contains task profiles used to operate on
cgroups. This information should be readable by any process that uses
cgroups and should be writable only by init process.
Bug: 111307099
Test: builds, boots
Change-Id: Ib2c87c0fc3663c7fc69628f05c846519b65948b5
Merged-In: Ib2c87c0fc3663c7fc69628f05c846519b65948b5
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
cgroups.json file contains cgroup information required to mount
cgroup controllers and is readable only by init process.
cgroup.rc contains cgroup map information consisting of the list of
cgroups available in the system and their mounting locations. It is
created by init process and should be readable by any processes that
uses cgroups and should be writable only by init process.
task_profiles.json file contains task profiles used to operate on
cgroups. This information should be readable by any process that uses
cgroups and should be writable only by init process.
Bug: 111307099
Test: builds, boots
Change-Id: Ib2c87c0fc3663c7fc69628f05c846519b65948b5
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
mini-keyctl is a binary used to load channel keys to .fsverity keyring.
This CL creates a new domain for mini-keyctl and a type for /proc/keys
and adds allow rules needed by this binary.
Bug: 112038861
Test: manual
Merged-In: I3b744d302859a02dfe63c81c7f33bb30912d7994
Change-Id: I3b744d302859a02dfe63c81c7f33bb30912d7994
mini-keyctl is a binary used to load channel keys to .fsverity keyring.
This CL creates a new domain for mini-keyctl and a type for /proc/keys
and adds allow rules needed by this binary.
Bug: 112038861
Test: manual
Change-Id: I3b744d302859a02dfe63c81c7f33bb30912d7994
Bootstap linker has been moved from /system/bin/linker[64] to
/system/bin/bootstrap/linker[64]. Reflect the change in file_contexts.
Existing paths are not removed since the bootstrap linker (or the
linker from the rumtime APEX) will be bind-mounted to the old path by
init.
Also label the files under /bionic which serve as mount points for
either of the bootstrap bionic or the bionic from the runtime APEX.
In addition, read access for the symlinks in /system/lib/*.so and
/system/bin/linker is granted. This is because Bionic files in the paths
are now symlinks to the corresponding mountpoints at /bionic.
Bug: 120266448
Test: device boots to the UI
Change-Id: Iea4d76eb46754b435b6c5428481cd177da8d2ee1
