Commit graph

749 commits

Author SHA1 Message Date
Alex Klyubin
68e6109d4a Vendor domains must not use Binder am: f5446eb148 am: 2fe065d708
am: 49ce439425

Change-Id: I1b38d903e61188594d0de80be479e7d9e045fb26
2017-03-24 15:03:44 +00:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
Kevin Schoedel
bccb0b89bf Allow vrmanager to connect to vr_window_manager.
The vrmanager system service connects to vr_window_manager to
provide access to controller data for 2d embedding. This is
intended to be removed when the relevant parts of vr_window_manager
are moved into VrCore (b/36506799).

Bug: 35619424
Test: manual on device
Change-Id: I9c645882bf1a14a85bbc4c2312164381b23aaa54
2017-03-23 20:00:57 +00:00
Jeff Vander Stoep
3ee107ff5e Merge "Grant additional permissions for ASAN builds" am: 63211f8da2 am: 1c05f80071
am: 8f0abfec15

Change-Id: Id2a898b91932fa74389586bb534cb1dba3bfe26c
2017-03-22 23:14:43 +00:00
Jeff Vander Stoep
7443484831 Grant additional permissions for ASAN builds
ASAN builds may require additional permissions to launch processes
with ASAN wrappers. In this case, system_server needs permission to
execute /system/bin/sh.

Create with_asan() macro which can be used exclusively on debug
builds. Note this means that ASAN builds with these additional
permission will not pass the security portion of CTS - like any
other debug build.

Addresses:
avc: denied { execute } for name="sh" dev="dm-0" ino=571
scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0
tclass=file

Test: lunch aosp_marlin-userdebug;
      cd system/sepolicy; mm SANITIZE_TARGET=address;
      Verify permissions granted using with_asan() are granted.
Test: lunch aosp_marlin-userdebug;
      cd system/sepolicy; mm;
      Verify permissions granted using with_asan() are not granted.
Test: lunch aosp_marlin-user;
      cd system/sepolicy; mm SANITIZE_TARGET=address;
      Verify permissions granted using with_asan() are not granted.
Bug: 36138508
Change-Id: I6e39ada4bacd71687a593023f16b45bc16cd7ef8
2017-03-22 14:03:07 -07:00
Roshan Pius
66cf8ebe9a Merge "wpa_supplicant: Remove unnecessary permissions from system_server" am: e1a350a035 am: 790052147c
am: 180a688261

Change-Id: Ic5e8018fd106a645d24f52b8502fff3e4c603f7e
2017-03-22 20:26:02 +00:00
Roshan Pius
f27e8f09c2 wpa_supplicant: Remove unnecessary permissions from system_server
Now that the android wifi framework has fully switched over to HIDL,
remove the sepolicy permissions for accessing wpa_supplicant using
socket control interface.

While there, also removed the redundant |hwbinder_use|.

Bug: 35707797
Test: Device boots up and able to connect to wifi networks.
Test: Wifi integration tests passed.
Change-Id: I55e24b852558d1a905b189116879179d62bdc76c
2017-03-22 17:43:38 +00:00
Alex Klyubin
2438804719 Merge "Switch Boot Control HAL policy to _client/_server" am: 51a2238c9e am: 2a887bfb3d
am: 4abc2d23d5

Change-Id: I6602b883078cbf5778f9843d68263633de351dbc
2017-03-20 19:46:41 +00:00
Alex Klyubin
09d13e734d Switch Boot Control HAL policy to _client/_server
This switches Boot Control HAL policy to the design which enables us
to conditionally remove unnecessary rules from domains which are
clients of Boot Control HAL.

Domains which are clients of Boot Control HAL, such as update_server,
are granted rules targeting hal_bootctl only when the Boot Control HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bootctl are not granted to client domains.

Domains which offer a binderized implementation of Boot Control HAL,
such as hal_bootctl_default domain, are always granted rules targeting
hal_bootctl.

P. S. This commit removes direct access to Boot Control HAL from
system_server because system_server is not a client of this HAL. This
commit also removes bootctrl_block_device type which is no longer
used. Finally, boot_control_hal attribute is removed because it is now
covered by the hal_bootctl attribute.

Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
      1. make dist
      2. Ensure device has network connectivity
      3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079
Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf
2017-03-17 17:22:06 -07:00
Alex Klyubin
578e2b8bcc Merge "Annotate most remaining HALs with _client/_server" am: 37f7ffa388 am: c067607bc3
am: 026679e3a1

Change-Id: Ia8f7ad357ce34068f0c1b4bfe54723e3ae05e2bc
2017-03-17 05:16:19 +00:00
Alex Klyubin
9e6b24c6a5 Annotate most remaining HALs with _client/_server
This switches most remaining HALs to the _client/_server approach.
To unblock efforts blocked on majority of HALs having to use this
model, this change does not remove unnecessary rules from clients of
these HALs. That work will be performed in follow-up commits. This
commit only adds allow rules and thus does not break existing
functionality.

The HALs not yet on the _client/_server model after this commit are:
* Allocator HAL, because it's non-trivial to declare all apps except
  isolated apps as clients of this HAL, which they are.
* Boot HAL, because it's still on the non-attributized model and I'm
  waiting for update_engine folks to answer a couple of questions
  which will let me refactor the policy of this HAL.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: Device boots in recovery mode, no new denials
Bug: 34170079
Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
2017-03-16 19:55:16 -07:00
Yifan Hong
2a995233af Merge "Allow system_server binder_call into hal_graphics_allocator" am: 08900a01d0 am: ed156c3ace
am: 009ca7bbaf

Change-Id: Ia47fdd896b43634af791d524c1157dfb121e4ce0
2017-03-16 01:34:53 +00:00
Yifan Hong
3107a6c370 Allow system_server binder_call into hal_graphics_allocator
Test: no log spam for graphics allocator
Test: dmesg | audit2allow does not show denial for
hal_graphics_allocator_default
Test: system is responsive after boot (because
      android.hardware.graphics.allocator@2.0::IAllocator getService()
      will not be blocked)

Bug: 36220026
Change-Id: I3e103f88988fe4a94888e92ee8c5b1f27845ad9e
2017-03-15 15:54:50 -07:00
Fyodor Kupolov
05765ed98c Merge "Split preloads into media_file and data_file" am: 2d22fd814f am: 82d5e46eaf
am: b1e3910a21

Change-Id: I6ddf641d6649f2978c9f8ac70a97156709fea8bd
2017-03-15 17:25:01 +00:00
Fyodor Kupolov
b238fe6662 Split preloads into media_file and data_file
Untrusted apps should only access /data/preloads/media and demo directory.

Bug: 36197686
Test: Verified retail mode.
      Checked non-privileged APK cannot access /data/preloads
Change-Id: I8e9c21ff6aba799aa31bf06893cdf60dafc04446
2017-03-15 00:49:37 +00:00
Alex Klyubin
c2d6acfe5e Switch Sensors HAL policy to _client/_server am: 41518bec25 am: 6a0ba6c580
am: 37ec9b0a86

Change-Id: Iab8c116dc92313a7d987fd3c4b370da6d9483772
2017-03-14 22:10:57 +00:00
Alex Klyubin
41518bec25 Switch Sensors HAL policy to _client/_server
This switches Sensors HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Sensors HAL.

Domains which are clients of Sensors HAL, such as system_server, are
granted rules targeting hal_sensors only when the Sensors HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with clients
talking to the HAL over HwBinder IPC), rules targeting hal_sensors are
not granted to client domains.

Domains which offer a binderized implementation of Sensors HAL, such
as hal_sensors_default domain, are always granted rules targeting
hal_sensors.

P. S. This commit also removes
  allow system_server sensors_device:chr_file rw_file_perms
because this is device-specific and thus not needed in device-agnostic
policy. The device-specific policy of the affected devices already has
this rule.

Test: Device boots, no new denials
Test: adb shell dumpsys sensorservice
      lists tons of sensors
Test: Proprietary sensors test app indicates that there are sensors
      and that the app can register to listen for updates for sensors
      and that such updates arrive to the app.
Bug: 34170079
Change-Id: I61bf779070eabcb64ae73724d62b6e837319a668
2017-03-14 12:43:29 -07:00
Calin Juravle
8e8f303197 SElinux: Clean up code related to foreign dex use am: 2b291121b9 am: 3227d2ce1f
am: 5fae2a0f9a

Change-Id: Ib59253654baa553a048074e65e48121d673824e5
2017-03-07 19:10:45 +00:00
Calin Juravle
2b291121b9 SElinux: Clean up code related to foreign dex use
We simplified the way we track whether or not a dex file is used by
other apps. DexManager in the framework keeps track of the data and we
no longer need file markers on disk.

Test: device boots, foreign dex markers are not created anymore

Bug: 32871170
Change-Id: I464ed6b09439cf0342020ee07596f9aa8ae53b62
2017-03-07 10:59:26 -08:00
Roshan Pius
a976e64d89 sepolicy: Make wpa_supplicant a HIDL service
Note: The existing rules allowing socket communication will be removed
once we  migrate over to HIDL completely.

(cherry-pick of 2a9595ede2) 
Bug: 34603782
Test: Able to connect to wifi networks.
Test: Will be sending for full wifi integration tests
(go/wifi-test-request)
Change-Id: I9ee238fd0017ec330f6eb67ef9049211f7bd4615
2017-03-07 01:34:28 +00:00
Roshan Pius
0008da43fe Merge "sepolicy: Allow hal_wifi to set wlan driver status prop" am: 32cc614866 am: e1eab9be95
am: 5e0bb9bcf6

Change-Id: I137efe4a9885266d301079db74add3c456f80c74
2017-03-03 19:28:29 +00:00
Roshan Pius
e62805d7cc sepolicy: Allow hal_wifi to set wlan driver status prop
The new wifi HAL manages the wlan driver and hence needs to be able to
load/unload the driver. The "wlan.driver.status" is used to indicate the
state of the driver to the rest of the system. There are .rc scripts for
example which wait for the state of this property.

Denials:
03-01 13:31:43.394   476   476 W android.hardwar: type=1400
audit(0.0:7243): avc: denied { read } for name="u:object_r:wifi_prop:s0"
dev="tmpfs" ino=10578 scontext=u:r:hal_wifi_default:s0
tcontext=u:object_r:wifi_prop:s0 tclass=file permissive=0
03-01 13:31:43.399   476   476 E libc    : Access denied finding
property "wlan.driver.status"

Bug: 35765841
Test: Denials no longer seen
Change-Id: I502494af7140864934038ef51cb0326ba3902c63
2017-03-03 09:32:03 -08:00
Chong Zhang
03e309d47a MediaCAS: adding media.cas to service am: 7291641803 am: ef213c5352
am: ce26ea40ff

Change-Id: I13d34de056ad0fdf2d11770e7ba06c5c9e111b13
2017-02-28 22:28:33 +00:00
Roshan Pius
97f64b9057 Merge "sepolicy: Make wpa_supplicant a HIDL service" 2017-02-28 22:14:24 +00:00
Chong Zhang
7291641803 MediaCAS: adding media.cas to service
Also allow media.extractor to use media.cas for descrambling.

bug: 22804304

Change-Id: Id283b31badecb11011211a776ba9ff5167a9019d
2017-02-28 12:31:45 -08:00
Roshan Pius
2a9595ede2 sepolicy: Make wpa_supplicant a HIDL service
Note: The existing rules allowing socket communication will be removed
once we  migrate over to HIDL completely.

Bug: 34603782
Test: Able to connect to wifi networks.
Test: Will be sending for full wifi integration tests
(go/wifi-test-request)
Change-Id: I9ee238fd0017ec330f6eb67ef9049211f7bd4615
2017-02-24 17:10:59 +00:00
mukesh agrawal
52de4db06d allow WifiService to use tracing on user builds am: 723364f136 am: 9d6237a88b
am: c24962c4c9

Change-Id: I83abd9596828acab7c8231c1716e0b05f67fa271
2017-02-24 01:52:13 +00:00
mukesh agrawal
723364f136 allow WifiService to use tracing on user builds
Previously, we'd restricted WifiService's use of
the kernel's tracing feature to just userdebug_or_eng
builds.

This restriction was in place because the feature
had not yet been reviewed from a privacy perspective.
Now that the feature has passed privacy review, enable
the feature on all builds.

Note that other safeguards remain in place (on all
builds):
- The set of events to be monitored is configured by
  init, rather than WifiService (part of system_server).
  This privilege separation prevents a compromised
  system_server from tracing additional information.
- The trace events are kept only in RAM, until/unless
  WifiService receives a dump request. (This would happen,
  for example, in the case of adb dumpsys, or generating
  a bugreport.)

Bug: 35679234
Test: manual (see below)

Manual test details:
- flash device
- connect device to a wifi network
$ adb shell dumpsys wifi | grep rdev_connect
  [should see at least one matching line]

Change-Id: I85070054857d75177d0bcdeb9b2c95bfd7e3b6bc
2017-02-23 17:42:48 -08:00
Alex Klyubin
567b490e1b Merge "Switch Wi-Fi HAL policy to _client/_server" am: 0aca0241dd am: 9ec226df59
am: 4c71423efd

Change-Id: I3affd2da7a7b3315b3e719ce0cf88424c53d1908
2017-02-23 01:15:09 +00:00
Alex Klyubin
1d2a1476ae Switch Wi-Fi HAL policy to _client/_server
This switches Wi-Fi HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Wi-Fi HAL.

Domains which are clients of Wi-Fi HAL, such as system_server domain,
are granted rules targeting hal_wifi only when the Wi-Fi HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with clients
talking to the HAL over HwBinder IPC), rules targeting hal_wifi are
not granted to client domains.

Domains which offer a binderized implementation of Wi-Fi HAL, such as
hal_wifi_default domain, are always granted rules targeting hal_wifi.

Test: Setup Wizard (incl. adding a Google Account) completes fine with
      Wi-Fi connectivity only
Test: Toggle Wi-Fi off, on, off, on
Test: Use System UI to see list of WLANs and connect to one which does
      not require a password, and to one which requries a PSK
Test: ip6.me loads fine in Chrome over Wi-Fi
Bug: 34170079

Change-Id: I7a216a06727c88b7f2c23d529f67307e83bed17f
2017-02-22 15:12:19 -08:00
Alex Klyubin
435ed86f76 Merge "Switch Fingerprint HAL policy to _client/_server" am: 313dfe7dcf am: bb252e98b8
am: 58cc4a5013

Change-Id: I6b0739595152d4716a246bf032e1e926e8e9ba87
2017-02-22 04:20:07 +00:00
Alex Klyubin
f98650e4ab Switch Fingerprint HAL policy to _client/_server
This switches Fingerprint HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Bluetooth HAL.

Domains which are clients of Fingerprint HAL, such as system_server
domain, are granted rules targeting hal_fingerprint only when the
Fingerprint HAL runs in passthrough mode (i.e., inside the client's
process). When the HAL runs in binderized mode (i.e., in another
process/domain, with clients talking to the HAL over HwBinder IPC),
rules targeting hal_fingerprint are not granted to client domains.

Domains which offer a binderized implementation of Fingerprint HAL,
such as hal_fingerprint_default domain, are always granted rules
targeting hal_fingerprint.

NOTE: This commit also removes unnecessary allow rules from
Fingerprint HAL, such access to servicemanager (not hwservicemanager)
and access to keystore daemon over Binder IPC. Fingerprint HAL does
not use this functionality anyway and shouldn't use it either.

Test: Enable fingerprint + PIN secure lock screen, confirm it unlocks
      with fingerprint or PIN
Test: Disable PIN (and thus fingerprint) secure lock screen
Test: make FingerprintDialog, install, make a fake purchase
Test: Add fingerprint_hidl_hal_test to device.mk, build & add to device,
      adb shell stop,
      adb shell /data/nativetest64/fingerprint_hidl_hal_test/fingerprint_hidl_hal_test -- all tests pass
Bug: 34170079

Change-Id: I6951c0f0640194c743ff7049357c77f5f21b71a1
2017-02-21 16:11:25 -08:00
Alex Klyubin
66989abf49 Merge "Switch DRM HAL policy to _client/_server" am: 6b28742a49 am: 3879c107d3
am: 2e30dec25f

Change-Id: I893d885465d2e8df85ce74049a1f496495a58b95
2017-02-21 18:38:20 +00:00
Alex Klyubin
9b718c409f Switch DRM HAL policy to _client/_server
This switches DRM HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of DRM HAL.

Domains which are clients of DRM HAL, such as mediadrmserver domain,
are granted rules targeting hal_drm only when the DRM HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting hal_drm
are not granted to client domains.

Domains which offer a binderized implementation of DRM HAL, such as
hal_drm_default domain, are always granted rules targeting hal_drm.

Test: Play movie using Google Play Movies
Test: Play movie using Netflix
Bug: 34170079
Change-Id: I3ab0e84818ccd61e54b90f7ade3509b7dbf86fb9
2017-02-17 15:36:41 -08:00
Alex Klyubin
358bbd52a4 Merge "Switch Bluetooth HAL policy to _client/_server" am: bd86739682 am: 18894859e7
am: a0ed38b57d

Change-Id: I5ec5dcfe165c93dffe9e604371f7fb299520c120
2017-02-17 22:52:56 +00:00
Alex Klyubin
168435fe03 Switch Bluetooth HAL policy to _client/_server
This switches Bluetooth HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Bluetooth HAL.

Domains which are clients of Bluetooth HAL, such as bluetooth domain,
are granted rules targeting hal_bluetooth only when the Bluetooth HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bluetooth are not granted to client domains.

Domains which offer a binderized implementation of Bluetooth HAL, such
as hal_bluetooth_default domain, are always granted rules targeting
hal_bluetooth.

Test: Toggle Bluetooth off and on
Test: Pair with another Android, and transfer a file to that Android
      over Bluetooth
Test: Pair with a Bluetooth speaker, play music through that
      speaker over Bluetooth
Test: Add bluetooth_hidl_hal_test to device.mk, build & add to device,
      adb shell stop,
      adb shell /data/nativetest64/bluetooth_hidl_hal_test/bluetooth_hidl_hal_test
Bug: 34170079
Change-Id: I05c3ccf1e98cbbc1450a81bb1000c4fb75eb8a83
2017-02-17 11:32:00 -08:00
Nick Kralevich
b299e59395 Merge "system_server: replace sys_resource with sys_ptrace" 2017-02-16 17:24:44 +00:00
Nick Kralevich
448669540c system_server: replace sys_resource with sys_ptrace
Commit https://android.googlesource.com/kernel/common/+/f0ce0eee added
CAP_SYS_RESOURCE as a capability check which would allow access to
sensitive /proc/PID files. However, in an SELinux based world, allowing
this access causes CAP_SYS_RESOURCE to duplicate what CAP_SYS_PTRACE
(without :process ptrace) already provides.

Use CAP_SYS_PTRACE instead of CAP_SYS_RESOURCE.

Add a neverallow rule to prevent system_server from using this
capability to ptrace attach to any other process. This limits the
capability of system_server to only reading sensitive /proc files, but
not ptrace() access.

Test: Device boots, functionality remains identical, no sys_resource
denials from system_server.
Bug: 34951864
Change-Id: I04d745b436ad75ee1ebecf0a61c6891858022e34
2017-02-15 15:10:59 -08:00
Eino-Ville Talvala
6d9be83119 System server: Allow get/setsched to hal_camera domain.
Much like audio, the camera HAL may need to have key threads running
in SCHED_FIFO or similar priority.  Allow system_server to raise
thread priority for camera HALs to make this possible.

Test: Video recording works, with EIS. No logspam about EIS failure.
Bug: 35389145
Change-Id: I1d92f9f10dc3aff22ce56b8b9cc57db043631919
2017-02-15 14:13:13 -08:00
Eino-Ville Talvala
6d53c9e1b3 System server: Allow get/setsched to hal_camera domain.
Much like audio, the camera HAL may need to have key threads running
in SCHED_FIFO or similar priority.  Allow system_server to raise
thread priority for camera HALs to make this possible.

Test: Video recording works, with EIS. No logspam about EIS failure.
Bug: 35389145
Change-Id: I1d92f9f10dc3aff22ce56b8b9cc57db043631919
2017-02-15 13:39:39 -08:00
Pawin Vongmasa
5559d21aa5 Sepolicy for OMX hal.
Bug: 31399200
Test: Compiles
Change-Id: Ifb347a985df5deb85426a54c435c4a9c0248cb57
2017-02-11 00:12:00 -08:00
Nick Kralevich
4e404290e4 Move net.dns* to it's own label.
Move net.dns* from net_radio_prop to the newly created label
net_dns_prop. This allows finer grain control over this specific
property.

Prior to this change, this property was readable to all SELinux domains,
and writable by the following SELinux domains:

  * system_server
  * system_app (apps which run as UID=system)
  * netmgrd
  * radio

This change:

1) Removes read access to this property to everyone EXCEPT untrusted_app
and system_server.
2) Limit write access to system_server.

In particular, this change removes read access to priv_apps. Any
priv_app which ships with the system should not be reading this
property.

Bug: 34115651
Test: Device boots, wifi turns on, no problems browsing the internet
Change-Id: I8a32e98c4f573d634485c4feac91baa35d021d38
2017-02-09 16:14:05 -08:00
Joe Onorato
41f93db9de Add incident command and incidentd daemon se policy.
Test: adb shell incident
Bug: 31122534
Change-Id: I4ac9c9ab86867f09b63550707673149fe60f1906
2017-02-07 15:52:07 -08:00
Alex Klyubin
59322f1aef Move system_server policy to private
This leaves only the existence of system_server domain as public API.
All other rules are implementation details of this domain's policy
and are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules to do with
      system_server_current except those created by other domains'
      allow rules referencing system_server domain from public and
      vendor policies.
Bug: 31364497

Change-Id: Ifd76fa83c046b9327883eb6f0bbcd2113f2dd1a4
2017-02-07 20:24:05 +00:00
Calin Juravle
e5a1f64a2e SElinux policies for compiling secondary dex files
This CLs adds SElinux policies necessary to compile secondary dex files.

When an app loads secondary dex files via the base class loader the
files will get reported to PM. During maintance mode PM will compile the
secondary dex files which were used via the standard installd model
(fork, exec, change uid and lower capabilities).

What is needed:
dexoptanalyzer - needs to read the dex file and the boot image in order
to decide if we need to actually comppile.
dex2oat - needs to be able to create *.oat files next to the secondary
dex files.

Test: devices boots
      compilation of secondary dex files works without selinux denials
      cmd package compile --secondary-dex -f -m speed
com.google.android.gms

Bug: 32871170
Change-Id: I038955b5bc9a72d49f6c24c1cb76276e0f53dc45
2017-01-24 14:28:07 -08:00
Josh Gao
cb3eb4eef9 Introduce crash_dump debugging helper.
Replace the global debuggerd with a per-process debugging helper that
gets exec'ed by the process that crashed.

Bug: http://b/30705528
Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>`
Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed
2017-01-18 15:03:24 -08:00
Nick Kralevich
b56e6ef894 Whitespace fix
Because I'm nitpicky.

Test: policy compiles
Change-Id: I4d886d0d6182d29d7b260cf1f142c47cd32eda29
2016-12-09 20:14:31 -08:00
dcashman
2e00e6373f sepolicy: add version_policy tool and version non-platform policy.
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-12-06 08:56:02 -08:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00