This change gives the shell process the needed permissions to call the
rkp_factory_extraction_tool without also granting the ability to access
the KeyMint HAL service.
To run the tool from a shell accessible folder, push
rkp_factory_extraction_tool to /data/local/tmp with:
adb push out/target/product/<path/to/tool>/rkp_factory_extraction_tool \
/data/local/tmp
Test: the tool can be executed in SELinux enforcing mode
Change-Id: Idebebffa9bb405d527ab37c17030db3999efe3d1
This reverts commit f4ab6c9f3c.
Reason for revert: CPU HAL is no longer required because the CPU frequency sysfs files are stable Linux Kernel interfaces and could be read directly from the framework.
Change-Id: I8e992a72e59832801fc0d8087e51efb379d0398f
This CL allows dumpstate to signal evsmanagerd, which is another
android.hardware.automotive.evs.IEvsEnumerator implementation, to dump
its stack.
Fix: 243335867
Test: atest android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: I37b4cf0ae45f8196f92088cf07a2b45c44f50ee8
Change-Id: Ia091bf8f597a25351b5ee33b2c2afc982f175d51
Test: Ran `m; emulator; adb logcat -b all -d > logcat.txt;`
and verified CPU HAL is running without any sepolicy violation.
Bug: 252883241
This way we can prevent private types (e.g., sdk_sandbox) from accessing
those properties.
Bug: 210811873
Test: m -j, boot device
Change-Id: I55e3a4b76cabb6f47cee0972e6bad30565f0db7a
This CR, when paired with a functional NTFS implementation and the
corresponding vold updates, will allow NTFS USB drives to be mounted
on Android.
Bug: 254407246
Test: Extensive testing with NTFS USB drives.
Change-Id: I259882854ac40783f6d1cf511e8313b1d5a04eef
There are still some paths (potentially obsolete) on non-treble devices
where hal_keymint_client domains have the hal_keymint typeattribute
applied. In these cases, those domains also pick up the file access
permissions currently granted to hal_keymint.
Clean this up by limiting the permissions to hal_keymint_server only.
Test: VtsAidlKeyMintTargetTest
Change-Id: If1a437636824df254da245e7587df825b6963ed9
This reverts commit a87c7be419.
Reason for revert: I was mistaken and this isn't a property that the vendor should set, but the OEM should override from the product partition. That doesn't require sepolicy changes.
Bug: 256109167
Change-Id: Idebfb623dce960b2b595386ade1e4c4b92a6e402
Vendors should be able to set the `remote_provisioning.tee.rkp_only` and
`remote_provisioning.strongbox.rkp_only` properties via
PRODUCT_VENDOR_PROPERTIES so grant `vendor_init` the permission to set
them.
The property wasn't able to use `system_vendor_config_prop()` as
`remote_prov_app` has tests which override the properties.
Bug: 256109167
Test: manual test setting the property from device.mk for cuttlefish
Change-Id: I174315b9c0b53929f6a11849efd20bf846f8ca29
aosp/2215361 added the collection of update_engine preferences by
dumpstate. Add the corresponding policy. The /data/misc/update_engine
directory only contains the prefs/ subdirectory (see
DaemonStateAndroid::Initialize in update_engine).
Bug: 255917707
Test: m selinux_policy
Change-Id: I8c80f319d97f22f29158dd67352c3429d3222a35
While running the MicrodroidTests I noticed denials like these:
avc: denied { getattr } for comm="virtualizations" path="pipe:[86794]"
dev="pipefs" ino=86794 scontext=u:r:virtualizationservice:s0
tcontext=u:r:untrusted_app:s0:c122,c256,c512,c768 tclass=fifo_file
permissive=0
These are harmless, so we could dontaudit them, but it is also fine
to simply allow getattr.
Test: atest MicrodroidTests, no denials seen
Change-Id: I53a2967eb6e396979a86715b3d5a7681f48dcb63
Secondary dex files are in app data directories. In order to perform
secondary dex compilation, artd needs permissions to:
- Read secondary dex files
- Create "oat" dir
- Create a reference profile in "oat" dir
- Rename the reference profile
- Delete the reference profile
- Read the current profile in "oat" dir
- Delete the current profile
- Create compilation artifacts in "oat" dir
- Rename compilation artifacts
- Delete compilation artifacts
Bug: 249984283
Test: -
1. adb shell pm art optimize-package --secondary-dex -m speed-profile -f com.google.android.gms
2. See no SELinux denial.
Change-Id: I19a0ea7895a54c67959b22085de27d1d0ccc1efc
Limit processes that can change global settings system properties.
Only system server and shell (for tests) should be able to set the
affected system properties.
Bug: 248307936
Test: treehugger only
Change-Id: I20b40cbedc9ad5277d08d033fc9d3ff6df7b7919
Reduce use of "exported_system_prop" by defining 2 new (currently
identical) "locale_prop" and "timezone_prop" types for the system
properties that are for "global system settings". See the comments in
private/property_contexts for details.
Initially the rights of the new types should be identical to
exported_system_prop but they will be reduced with a follow-up commit to
enable easier rollback / progress to be made on related work.
Bug: 236612872
Test: treehugger
Change-Id: I8d818342023bc462376c091b8a522532ccaf15d3
VintfObject will monitor for /apex directory for VINTF data.
Add permissions for service managers to read this data.
Bug: 239055387
Test: m && boot
Change-Id: I179e008dadfcb323cde58a8a460bcfa2825a7b4f
Sepolicy changes for confirmationui while converting from hidl
to aidl.
Bug: b/205760172
Test: run vts -m VtsHalConfirmationUIV1_0Target
Change-Id: Ib21038fd89789755b978489f5293725b221d86c4
Manual testing protocol:
* Verify prng_seeder daemon is running and has the
correct label (via ps -Z)
* Verify prng_seeder socket present and has correct
label (via ls -Z)
* Verify no SELinux denials
* strace a libcrypto process and verify it reads seeding
data from prng_seeder (e.g. strace bssl rand -hex 1024)
* strace seeder daemon to observe incoming connections
(e.g. strace -f -p `pgrep prng_seeder`)
* Kill daemon, observe that init restarts it
* strace again and observe clients now seed from new instance
Bug: 243933553
Test: Manual - see above
Change-Id: I0a7e339115a2cf6b819730dcf5f8b189a339c57d
Will add fuzzer once the service is implemented.
Test: Run remoteaccess HAL on gcar_emu. Verify the service is running.
Bug: 241483300
Change-Id: I01b31a88414536ddd90f9098f422ae43a48cf726
Add selinux policy so the healthconnect system service
can be accessed by other processes.
Bug: 246961138
Test: build
Change-Id: I37e0e7f1a2b4696b18f8876a107c509d2906e850
Conversion of the gatekeeper hidl interface to stable aidl interface.
Bug: 205760843
Test: run vts -m VtsHalGatekeeperTarget
Change-Id: I44f554e711efadcd31de79b543f42c0afb27c23c
Since the property is supposed to be used by vendor-side .rc file as
read-only (especially by vendor apex), it should be "system_restricted".
Also allow vendor_init to read the property.
Bug: 232172382
Test: boot cuttlefish (with vendor apex using the property)
Change-Id: I502388e550e0a3c961a51af2e2cf11335a45b992
ro.tuner.lazyhal: system_vendor_config_prop to decide whether the lazy
tuner HAL is enabled.
tuner.server.enable: system_internal_prop to decide whether tuner server
should be enabled.
Bug: 236002754
Test: Check tuner HAL and framework behavior
Change-Id: I6a2ebced0e0261f669e7bda466f46556dedca016
When a kernel panic occurs in a debug-enabled VM, a crashdump is created
in the VM and then it is flushed to the per-VM host-side file
/data/misc/virtualizationservice/<cid>/ramdump. Virtualizationservice
then opens the file and sends the FD to the owning client. This change
allows the client to read the ramdump via the FD.
A client accessing ramdump of other VM is prohibited since opening the
ramdump file is not allowed for the client; only virtualizationservice
can do it. Furthermore, ramdumping will be enabled only for the
debuggable VMs, which means reading it doesn't actually reveal any
(true) secret.
Bug: 238278104
Test: do the ramdump
Change-Id: I50e1fa83b99e8f24c849e278710b38f6ff9a25be
ro.secure and ro.debuggable system properties are not intended
to be visible via Android SDK. This change blocks untrusted
apps from reading these properties.
Test: android.security.SELinuxTargetSdkTest
Bug: 193912100
Change-Id: I40ac5d43da5778b5fa863b559c28e8d72961f831
Grant system_server and flags_health_check permission to set the
properties that correspond to vendor system native boot experiments.
Bug: 241730607
Test: Build
Merged-In: Idc2334534c2d42a625b451cfce488d7d7a651036
Change-Id: I3e98f1b05058245cad345061d801ecd8de623109
Before the addition of sepolicy:
Error with service 'android.hardware.drm.IDrmFactory/widevine' while dumping: FAILED_TRANSACTION
Success after change.
Test: adb shell dumpsys android.hardware.drm.IDrmFactory/widevine
Bug: 238682056
Change-Id: I3817c9487bdec0c812690823cbb941cff80f394f
- Adapt installd rules for app compilation.
- Add profman rules for checking the profile before compilation. This is new behavior compared to installd.
Bug: 229268202
Test: -
1. adb shell pm art optimize-package -m speed-profile -f \
com.google.android.youtube
2. See no SELinux denial.
Change-Id: Idfe1ccdb1b27fd275fdf912bc8d005551f89d4fc
If something starts before servicemanager does,
intelligently wait for servicemanager to start rather
than sleeping for 1s.
Bug: 239382640
Test: boot
Change-Id: If0380c3a1fce937b0939cd6137fcb25f3e47d14c
Removes all references to vendor_service in policy except the
definition of this type, which also needs to be removed by
clients.
We don't need this because interface type shouldn't be associated
with where they are served. We can serve HALs from anywhere if they are
implemented in software.
Bug: 237115222
Test: builds
Change-Id: If370a904af81e015e7e1f7a408c4bfde2ebff9a4
inotify_add_watch requires read permissions and these were only granted
to the /dev/block/dm-user directory, not the device nodes.
Denial: avc: denied { read } for pid=1918 comm="update_engine" name="product_b-user-cow" dev="tmpfs" ino=162 scontext=u:r:update_engine:s0 tcontext=u:object_r:dm_user_device:s0 tclass=chr_file permissive=0
Bug: 238572067
Test: apply OTA
Change-Id: I3fa7c9600873f4a2638fd140287511005f5aac1d
Tests around Virtual A/B, DSUs, remount etc need to create loop devices
and write to them, which requires the kernel domain to have file write
access. However there are very few contexts where this is allowed, and
most are for testing. These testing locations are not consistently
available (eg, /data/nativetest does not always exist).
We already allow readonly loop devices in /data/local/tmp for testing
purposes, so this adds write support as well (userdebug/eng only).
Bug: 218976943
Test: fiemap_image_test
Change-Id: Ic83ff5ef57241215240228ecaee3d9d07ff31d8e
