hwservicemanager can check hwservice_contexts files
both from the framework and vendor partitions.
Initially, have a wildcard '*' in hwservice_contexts
that maps to a label that can be added/found from
domain. This needs to be removed when the proper policy
is in place.
Also, grant su/shell access to hwservicemanager list
operations, so tools like 'lshal' continue to work.
Bug: 34454312
Test: Marlin boots
Change-Id: I3a02d97a82458692b528d85c1b8e78b6f82ea1bc
commit 552fb53712 fixed an undefined
module error by removing the module when not defined (on non-treble
devices), but the sepolicy build on non-treble devices was changed
to rely on the split treble files, even though the split is not used.
Change this so that the file is always present, to allow policy
compilation.
Test: policy fully builds.
Change-Id: Ia0934c739336cea54228bbff8d6644aa3ae501e5
Specifying an empty module causes a build error, so make sure that
if there is no $(platform_mapping_file) the MODULE is not included.
Test: Makefiles parsed without error.
Change-Id: Ie99e6534c388a3d42bf90cdfef5ee64d5c640fa0
The original purpose of BOARD_SEPOLICY_VERS_DIR was to allow the
specification of an alternate platform public policy, primarily for
testing purposes. This should not be a part of the released platform,
since the only public policy and corresponding mapping file construction
should be based on the current public platform policy, with compatibility
with vendor policy targeting previous versions provided by static mapping
files. Its continued presence muddles the generation of mapping files by
potentially introducing a situation in which an incorrect mapping file is
generated. Remove it.
Bug: 36783775
Test: Device boots with compiled SELinux policy (SHA256s don't match for
precompiled policy).
Change-Id: I9e2100a7d709c9c0949f4e556229623961291a32
Recovery is not meant to be versioned in the treble model, but rather
provided as part of the platform/framework component and self-sufficient.
Simplify its compilation by removing the attribute versioning steps, but
maintain device-specific policy, which is currently required for full
functionality.
Bug: 37240781
Bug: 36783775
Test: recovery boots and is able to select commands. Also tried:
reboot system, boot to bootloader, factory reset, sideload, view logs,
run graphics test, and power off.
Change-Id: I637819844d9a8ea5b315404f4abd03e8f923303a
As the platform progresses in the split SELinux world, the platform
will need to maintain mapping files back to previous platform versions
to maintain backwards compatibility with vendor images which have SELinux
policy written based on the older versions. This requires shipping multiple
mapping files with the system image so that the right one can be selected.
Change the name and location of the mapping file to reflect this. Also add
a file to the vendor partition indicating which version is being targeted that
the platform can use to determine which mapping file to choose.
Bug: 36783775
Test: Force compilation of sepolicy on-device with mapping file changed
to new location and name, using the value reported on /vendor.
Change-Id: I93ab3e52c2c80c493719dc3825bc731867ea76d4
With build/core eaa9d88cf, system_server should not be loading code
from /data. Add an auditallow rule to report violations.
Bug: 37214733
Test: Boot marlin, no SELinux audit lines for system_server.
Change-Id: I2e25eb144503274025bd4fc9bb519555851f6521
(cherry picked from commit 665128fac3)
Only privileged apps are supposed to be able to get unique IDs from
attestation.
Test: CTS test verifies the negative condition, manual the positive
Bug: 34671471
Change-Id: I9ab3f71b1e11ed1d7866ff933feece73152d2578
Follow-up to commit 1b5f81a2d2.
Bug: 36681210
Bug: 37158297
Test: lunch sailfish-userdebug && m
Test: Manually run OTA
Change-Id: Ifb4808c9255842a51a660c07ffd924cef52024c5
We install all default hal implementations in /vendor/bin/hw along with
a few domains that are defined in vendor policy and installed in
/vendor. These files MUST be a subset of the global 'vendor_file_type'
which is used to address *all files installed in /vendor* throughout the
policy.
Bug: 36463595
Test: Boot sailfish without any new denials
Change-Id: I3d26778f9a26f9095f49d8ecc12f2ec9d2f4cb41
Signed-off-by: Sandeep Patil <sspatil@google.com>
The kernel modules under /vendor partition has been relabeled to vendor_file.
This CL allows for the modprobe to load modules labeled vendor_file.
Kernel modules are loaded in init.rc with following commands:
exec u:r:modprobe:s0 -- /system/bin/modprobe -d /vendor/lib/modules MODULE
Bug: 35653245
Test: tested on sailfish
Change-Id: I2132ca4de01c5c60476dad8496e98266de5a1bb7
audioserver uses an always-passthrough Allocator HAL (ashmem / mapper)
whose .so is loaded from /system/lib64/hw.
Test: Modify hal_client_domain macro to not associate client of X HAL
with hal_x attribute. Play Google Play Movies move -- no denials
and AV playback works.
Bug: 37160141
Change-Id: I7b88b222aba5361a6c7f0f6bb89705503255a4b1
Create PLATFORM_SEPOLICY_VERSION, which is a version string to represent
the platform sepolicy of the form "NN.m" where "NN" mirrors the
PLATFORM_SDK_VERSION and "m" is a policy-based minor version that is
incremented with every policy change that requires a new backward-compatible
mapping file to be added to allow for future-proofing vendor policy against
future platform policy.
Bug: 36783775
Test: Device boots when sha256 doesn't match and compilation is forced.
Change-Id: I4edb29824f2050a5a6e1bc078c100cf42e45c303
Renderscript drivers are loaded from /vendor/lib64 by following the
/system/vendor symlink. This change fixes a couple of things.
- Allows all domains access to follow the symlink
- Restores app domain permissions for /vendor for non-treble devices
- Allow app domains to peek into /vendor/lib64, but NOT grant 'execute'
permissions for everything. Since RS drivers can be loaded into any
process, their vendor implementation and dependencies have been
marked as 'same process HALs' already.
Bug: 37169158
Test: Tested on sailfish (Treble) & Angler (non-treble)
./cts-tradefed run cts -m CtsRenderscriptTestCases \
--skip-device-info --skip-preconditions --skip-connectivity-check \
--abi arm64-v8a
Result: Tests Passed: 743 Tests Failed: 0
Change-Id: I36f5523381428629126fc196f615063fc7a50b8e
Signed-off-by: Sandeep Patil <sspatil@google.com>
This change extends the recovery mode modprobe sepolicy
to support loadable kernel module in normal mode by using
statement below in init.rc:
exec u:r:modprobe:s0 -- /system/bin/modprobe \
-d /vendor/lib/modules mod
Bug: b/35653245
Test: sailfish with local built kernel and LKM enabled
Change-Id: I827e2ce387c899db3e0e179da92e79c75d61f5ae
(cherry picked from commit b638d9493f)
The concept of VNDK-stable set is gone because they no longer need to be
stable across several Android releases. Instead, they are just small set
of system libraries (other than Low-Level NDK) that can be used by
same-process HALs. They need to be stable only during an Android release
as other VNDK libraries. However, since they are eligible for double
loading, we still need to distinguish those libs from other VNDK
libraries. So we give them a name vndk-sp, which means VNDK designed for
same-process HALs.
Bug: 37139956
Test: booting successful with vndk-sp libs in /vendor/lib(64)?/vndk-sp
Change-Id: I892c4514deb3c6c8006e3659bed1ad3363420732
http://ag/2070347 doesn't allow zygote to read vendor_overlay_file:file
anymore.
But zygote isn't transitioned into idmap when executing idmap_exec. So
we need to allow zygote to access dir/file under /vendor/overlay to
enable idmap_exec run by zygote to read static RRO.
Test: building succeeded and tested a static RRO on sailfish device.
Bug: 37173452
Change-Id: Iec8a6b31d24c225f7819eeb885305f78da73b8e0
The sepolicy version takes SDK_INT.<minor> format. Make sure our
'current' policy version reflects the format and make it '100000.0'.
This ensures any vendor.img compiled with this will never work with
a production framework image either.
Make version_policy replace the '.' in version by '_' so secilc is
happy too.
This unblocks libvintf from giving out a runtme API to check vendor's
sepolicy version. The PLAT_PUBLIC_SEPOLICY_CURRENT_VERSION will
eventually be picked up from the build system.
Bug: 35217573
Test: Build and boot sailfish.
Boot sailfish with sepolicy compilation on device.
Signed-off-by: Sandeep Patil <sspatil@google.com>
Change-Id: Ic8b6687c4e71227bf9090018999149cd9e11d63b
CTS includes general_sepolicy.conf built from this project. CTS then
tests this file's neverallow rules against the policy of the device
under test. Prior to this commit, neverallow rules which must be
enforced only for Treble devices we not included into
general_sepolicy.conf. As a result, these rules were not enforced for
Treble devices.
This commit fixes the issue as follows. Because CTS includes only one
policy, the policy now contains also the rules which are only for
Treble devices. To enable CTS to distinguish rules needed for all
devices from rules needed only on Treble devices, the latter rules are
contained in sections delimited with BEGIN_TREBLE_ONLY and
END_TREBLE_ONLY comments.
This commit also removes the unnecessary sepolicy.general target. This
target is not used anywhere and is causing trouble because it is
verifying neverallows of the policy meant to be used by CTS. This
policy can no longer be verified with checkpolicy without
conditionally including or excluding Treble-only neverallows.
Test: mmm system/sepolicy
Test: Device boots -- no new denials
Bug: 37082262
Change-Id: I15172a7efd9374543ba521e17aead1bdda7451bf
We should give appdomain the access to the /vendor/framework directory
since the jar in the directory is not dexopt-ed.AFAIK, jars which are
not in the bootclasspath are not dexopt-ed by default.
Bug: b/37129319
Test: built and confirmed that embms.apk not crashed
Change-Id: Ic2b1eef472f2fba53e26403dde8ad9ede8105a03
Vndk-stable libs are system libs that are used by same process HALs.
Since same process HALs can be loaded to any process, so are vndk-stable
libs.
Bug: 37138502
Test: none, because the directory is currently empty and thus this is
no-op. sailfish builds and boots.
Change-Id: I67a2c8c2e4c3517aa30b4a97dc80dc2800e47b5a
