As with heapprofd, it's useful to profile the platform itself on debug
builds (compared to just apps on "user" builds).
Bug: 137092007
Change-Id: I8630c20e0da9c67e4927496802a4cd9cacbeb81a
The steps involved in setting up profiling and stack unwinding are
described in detail at go/perfetto-perf-android.
To summarize the interesting case: the daemon uses cpu-wide
perf_event_open, with userspace stack and register sampling on. For each
sample, it identifies whether the process is profileable, and obtains
the FDs for /proc/[pid]/{maps,mem} using a dedicated RT signal (with the
bionic signal handler handing over the FDs over a dedicated socket). It
then uses libunwindstack to unwind & symbolize the stacks, sending the
results to the central tracing daemon (traced).
This patch covers the app profiling use-cases. Splitting out the
"profile most things on debug builds" into a separate patch for easier
review.
Most of the exceptions in domain.te & coredomain.te come from the
"vendor_file_type" allow-rule. We want a subset of that (effectively all
libraries/executables), but I believe that in practice it's hard to use
just the specific subtypes, and we're better off allowing access to all
vendor_file_type files.
Bug: 137092007
Change-Id: I4aa482cfb3f9fb2fabf02e1dff92e2b5ce121a47
Bug: 140788621
This adds keys for several planned binder caches in the system server
and in the bluetooth server. The actual cache code is not in this
tree.
Test: created a test build that contains the actual cache code and ran
some system tests. Verified that no protection issues were seen.
Change-Id: Ibaccb0c0ff8b127d14cf769ea4156f7d8b024bc1
Enforce new requirements on app with targetSdkVersion=30 including:
- No RTM_GETLINK on netlink route sockets.
Remove some of the repetitive descriptions in each untrusted_app_N.te
file, and instead refer to the description in
public/untrusted_app.te.
Bug: 141455849
Test: CtsSelinuxTargetSdkCurrentTestCases
Test: libcore.java.net.NetworkInterfaceTest#testGetNetworkInterfaces
Change-Id: I89553e48db3bc71f229c71fafeee9005703e5c0b
Looking at go/sedenials, we see this permission being used by
MediaProvider like so:
type=1400 audit(0.0:3651): avc: granted { getattr } for comm=4173796E635461736B202331 path="/sys/fs/selinux/class/tipc_socket/perms/recvfrom" dev="selinuxfs" ino=67111391 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:selinuxfs:s0 tclass=file app=com.google.android.providers.media.module
... and numerous other directories, apparently from a filesystem walk.
It appears that this permission should not be granted to all priv-apps
now that GMS core has been split out into its own domain. This change
removes the permission for the priv_app domain and the corresponding
auditallow.
Bug: 147833123
Test: TH
Change-Id: I88146785c7ac3a8c15fe9b5f34f05d936f08ea48
We don't want to accidentally allow this, and a neverallow also means
that the issue will be found during development, instead of review.
Fixes: 148081219
Test: compile policy only
Change-Id: I57990a2a4ab9e5988b09dae2dd6a710ce8f53800
Written exclusively by init. Made it readable by shell for CTS, and for
easier platform debugging.
Bug: 137092007
Change-Id: Ia5b056117502c272bc7169661069d0c8020695e2
This reverts commit a1aa2210a9.
Reason for revert: Potential culprit for Bug b/148049462 - verifying through Forrest before revert submission
Change-Id: Ibe4fa1dee84defde324deca87d9de24a1cc2911a
Enforce new requirements on app with targetSdkVersion=30 including:
- No bind() on netlink route sockets.
- No RTM_GETLINK on netlink route sockets.
Remove some of the repetitive descriptions in each untrusted_app_N.te
file, and instead refer to the description in
public/untrusted_app.te.
Bug: 141455849
Test: CtsSelinuxTargetSdkCurrentTestCases
Change-Id: Iad4d142c0c13615b4710d378bc1feca4d125b6cc
Linkerconfig should generate multiple linker configurations for APEX
with binaries. To meet this requirement, linkerconfig should be able to
create sub-directories per APEX module with binary, and also
linkerconfig should be able to scan APEX directories.
Bug: 147987608
Test: m -j passed && No sepolicy error from cuttlefish
Change-Id: I804a8e6121f647dfb1778c564649a33e4547a24a
Allow incidentd to run incident-helper-cmd, a Java program spawn by
app_process.
Allow incidentd to read /data/misc/logd and its files on userdebug
and eng build.
Bug: 147924172
Test: Build, flash and verify "adb shell incident -p EXPLICIT 1116"
can parse persisted logs.
Change-Id: Id0aa4286c304a336741ce8c0949b12ec559c2e16
For vndk related properties, use vndk_prop context.
vndk_prop can be defined by 'init' and 'vendor_init', but free to
read by any processes.
Bug: 144534640
Test: check boot to see if the VNDK properties are readable
Change-Id: Ifa2bb0ce6c301ea2071e25ac4f7e569ea3ce5d83
System_server will listen on incoming packets from zygotes.
Bug: 136036078
Test: atest CtsAppExitTestCases:ActivityManagerAppExitInfoTest
Change-Id: I42feaa317615b90c5277cd82191e677548888a71
We added an auditallow for this permission on 12/17/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.
Bug: 147833123
Test: TH
Change-Id: I96f810a55e0eb8f3778aea9598f6437de0f65c7f
We added auditallows for these permissions on 12/16/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.
Bug: 147833123
Test: TH
Change-Id: I4789b29462ef561288aeaabbdb1e57271d5fcd2a
CAP_MAC_ADMIN was originally introduced into the kernel for use
by Smack and not used by SELinux. However, SELinux later appropriated
CAP_MAC_ADMIN as a way to control setting/getting security contexts
unknown to the currently loaded policy for use in labeling filesystems
while running a policy that differs from the one being applied to
the filesystem, in
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=12b29f34558b9b45a2c6eabd4f3c6be939a3980f
circa v2.6.27.
Hence, the comment about mac_admin being unused by SELinux is inaccurate.
Remove it.
The corresponding change to refpolicy is:
5fda529636
Test: policy builds
Change-Id: Ie3637882200732e498c53a834a27284da838dfb8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This will let an app delegate network operations to an
isolatedProcess=true service. Chromium will use this to separate out
network protocol parsing of untrusted Internet data from the main app
process into a sandboxed service process.
Bug: 147444459
Test: Build and boot sargo. Chromium runs.
Change-Id: Ia7f54d481676a03b96f512015e6adcf920a014c3
