We introduced a new API to allow Device Owner to install an OTA file on disk.
This in turn requires system_server to be able to copy the OTA file to a known
OTA file location, call into update_engine to start the installation and let
update_engine to call back to the system_server to deliver any error conditions
asynchronously. This CL modifies the SELinux policy to allow these interaction.
Test: manual in TestDPC, CTS tests for negative cases: atest com.android.cts.devicepolicy.DeviceOwnerTest#testInstallUpdate
Change-Id: Id1fbea9111f753c5c80f270c269ecb9ef141cd79
Bug: 111173669
Gathering file contexts for all APEXes there for easier auditing.
Test: m com.android.resolv
Bug: 119527674
Change-Id: I0f06c21c77f4b537e7c7d590204569f4531b5302
grant rw_dir_perms of dir
/data/server_configurable_flags to flags_health_check.te, in order to
enable flags_health_check to record reset flags data as file under this
dir for later use. See function:
server_configurable_flags::ServerConfigurableFlagsReset for how the
permission is used.
Test: manual on device
Change-Id: I1df7b8cadfbe279f26bf828e9e725ce170a376f7
By convention, auditallow statements are always placed in
userdebug_or_eng() blocks. This ensures that we don't inadvertently ship
audit rules on production devices, which could result in device logspam,
and in pathological situations, impact device performance (generating
audit messages is much more expensive than a standard SELinux check).
Bug: 117606664
Test: policy compiles.
Change-Id: I681ed73c83683e8fdbef9cf662488115f6e7a490
Commit b4f17069b3 ("sepolicy: Drop
BOARD_SEPOLICY_IGNORE/REPLACE support.", Mar 2015) made it a compile
time failure to use BOARD_SEPOLICY_REPLACE or BOARD_SEPOLICY_IGNORE.
As these restrictions have been in place since 2015, we can safely
assume all usages of this have been cleaned up, and there is no further
need to check for this.
8 lines deleted from Android.mk, 1720 lines to go.
Test: compiles.
Change-Id: I23249e4b2e9ec83cb6356a6c5a6e187ae1fc9744
Remove the permission to execute dex2oat from apps targetSdkVersion>28.
This has been historically used by ART to compile secondary dex files
but that functionality has been removed in Q and the permission is
therefore not needed.
Some legacy apps do invoke dex2oat directly. Hence allow (with audit) for
targetSdkVersion<= 28.
Test: atest CtsSelinuxTargetSdk25TestCases
Test: atest CtsSelinuxTargetSdk27TestCases
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Bug: 117606664
Change-Id: I2ea9cd56861fcf280cab388a251aa53e618160e5
This reverts commit 92bde4b941.
Reason for revert: Rebooting after OTA fails due to the
filesystem still seeing the old label on the device.
Bug: 116528212
Bug: 119747564
Change-Id: Ib5f920f85c7e305e89c377369dca038d2c6c738c
Test: rollback change
This is used for querying the installed packages, as well as
coordinating the installations of packages.
Test: ran an app that queries PM, that queries apexd.
Bug: 117589375
Change-Id: I38203ffe6d0d312d6cc38e131a29c14ace0ba10c
This is world-readable so it can be checked in libc's process init.
Test: m
Test: flash sailfish
Bug: 117821125
Change-Id: Iac7317ceb75b5ad9cfb9adabdf16929263fa8a9d
system server reads this property to keep track of whether server
configurable flags have been reset during current boot.
system server needs this information to decide whether to perform
following disaster recovery actions on framework level.
the get_prop added in this cl in system_server.te is not grouped
in the same place as the set_prop in system_server.te in another
cl (https://android-review.googlesource.com/c/platform/system/sepolicy/+/828284).
This is because these 2 properties are serving for different purposes:
device_config_flags_health_check_prop is used to control features(so will be
all the future set_prop added by other feature teams under "# server configurable flags properties"),
while device_config_reset_performed_prop is used by our API's internal implementation.
So I feel like it might be clearer if I put this get_prop in a different place rather than
appending to "# server configurable flags properties".
Test: build suceeded.
Change-Id: I64379aa8f0bbe093969b98d62093696a32aabe59
I added ro.bionic.(2nd_)?_(arch|cpu_variant) to vendor system
properties. And have init to write them to files under dev/.
This change set SELinux rules for these properties and files.
For the system properties: vendor/default.prop will set them. init will
read them.
For the files /dev/cpu_variant:.*: init will write them. bionic libc
will read them. (Basically world readable).
This is to allow libc select the right optimized routine at runtime.
Like memcpy / strcmp etc.
Test: getprop to make sure the properties are set.
Test: ls -laZ to make sure /dev/cpu_variant:.* are correctly labeled.
Change-Id: I41662493dce30eae6d41bf0985709045c44247d3
The dynamic linker calls realpath(3) on paths found in the linker config
script. Since realpath() calls lstat() on the parent paths, not allowing
getattr on /apex and its subdirectories will cause selinux denial spam
whenever something is executed from APEXes.
Silence the spam by allowing getattr on apex_mnt_dir.
Bug: 117403679
Bug: 115787633
Test: m apex.test; m; device is bootable
Change-Id: Ic659582760a3ae146e73770266bc64332b36a97c
The auditallow added in commit
7a4af30b38 ("Start the process of locking
down proc/net", May 04 2018), has not been triggered. This is safe to
delete.
Test: Policy compiles
Test: no collected SELinux denials
Bug: 68016944
Change-Id: Ib45519b91742d09e7b93bbaf972e558848691a80
cgroup is labeled from genfs_contexts. Also, cgroup filesystems can't be
context mounted, i.e. it's not possible to mount them with a label other
than "cgroup".
Bug: 110962171
Test: m selinux_policy
Test: boot aosp_walleye
Change-Id: I8319b10136c42a42d1edaee47b77ad1698e87f2c
device_config_flags_health_check_prop is used for enabling/disabling
program flags_health_check which is executed during device booting.
"1" means enabling health check actions in flags_health_check, other
values mean flags_health_check will not perform any action.
Test: build succeeded & manual test
Change-Id: I93739dc5d155e057d72d08fd13097eb63c1193b5
Add an InputFlinger service in system_server and allow SurfaceFlinger to
exchange sockets with it.
Test: None
Bug: 80101428
Bug: 113136004
Bug: 111440400
Change-Id: I1533ab7a1da0ca61d8a28037fffbc189d796f737
With Treble, cameraserver no longer depends on camera devices directly.
Moreover, pixel 3 doesn't have /dev/cam node.
We still keep "camera_device" type around since vendor policy uses it to
label its /dev nodes.
Bug: 110962171
Test: boot aosp_walleye
Test: camera app still works
Change-Id: If12d640c2a0006b9fc3c9f6704285eb8eb66c626
Changed the GPU service name back to be compatible with external
engines/tools' usage of vkjson cmd.
Bug: 118347356
Test: adb shell cmd gpu vkjson
Change-Id: Ie432fd8be63d33070ad037c509467c8367b42d39
Auditallow added in commit 72edbb3e83 ("Audit generic debugfs access for
removal", May 01 2018) has not triggered. Remove allow rule and tighten
up neverallow rule.
Test: policy compiles
Test: no collected SELinux denials.
Change-Id: I9a90463575f9eab4711b72d6f444fa9d526b80e1
Also rename `file_contexts` for the "Debug" Runtime APEX module
(containing both release and debug variants, as well as additional
tools).
Test: make com.android.runtime
Test: make com.android.runtime.release
Test: make com.android.runtime.debug
Test: art/build/apex/runtests.sh
Bug: 113373927
Change-Id: I6b917d7f5b1734aeb717932081c7b03366ef2774
This will be needed if vendors remove a label, as vendor_init would
need to relabel from it (which would be unlabeled) to the new label.
Test: Build policy.
Change-Id: Ieea0fcd7379da26b2864b971f7773ed61f413bb9
This CL adds rules to allow traced_probes to dup a pipe as the stderr
for atrace and also send a sigkill to atrace after a timeout.
This fixes b/119656920
Change-Id: Ie66aaba47c11ef7c733b442f35fee042b7c546fb
1b1d133be5 added the process2 class but
forgot to suppress SELinux denials associated with these permissions
for the su domain. Suppress them.
Ensure xdp_socket is in socket_class_set, so the existing dontaudit rule
in su.te is relevant. Inspired by
66a337eec6
Add xdp_socket to various other neverallow rules.
Test: policy compiles.
Change-Id: If5422ecfa0cc864a51dd69559a51d759e078c8e7
