It was missing when migrating definitions.mk to Android.bp module.
Test: m selinux_policy on sc-arc
Change-Id: I3c943440295bc9064d50e1a2f9025715c76b539e
These neverallow rules have grown over the years, and there are now some
duplicated rules. For example,
neverallow scon tcon:tcls ~{ read };
really isn't doing anything due to the
neverallow scon tcon:tcls *;
banning every actions already.
Remove these rules to make them more manageable, and make the follow-up
changes simpler to review.
Bug: 181110285
Test: Build pass
Change-Id: I82f2bbb54436153507b451a61b3075f223522028
We're not doing anything special with device files, so no point
excluding them from the neverallow rules.
Principle of KISS.
Bug: 181110285
Test: Build pass
Change-Id: I0e203665aa2134579d97b580cb9301755edb62b1
Some details here are copied from hal_attribute_hwservice but
no longer make sense here.
Bug: N/A
Test: N/A
Change-Id: Ia4a4d6731b5e5270922d32b7854d36bd726d202b
This node ID will be used to uniquely and anonymously identify a device
by profcollectd on engineering (userdebug or eng) builds.
Test: build
Change-Id: If01f71c62479d63d4d19aac15da24bc835621e66
IKeystoreService is a VINTF stability interface, and keystore2 is now
using this interface correctly from Rust.
Test: m && adb shell start keystore2
Bug: 179907868
Change-Id: I3b583df2fac7e6bca7c1875efb7650f9ea0a548c
qemu.hw.mainkeys exists both in plat_property_contexts and
vendor_property_contexts. This would cause breakage in GSI build
for certain vendors. To fix, add `exact {type}` to make the property
defined in system takes precedence.
Bug: 180412668
Signed-off-by: Weilun Du <wdu@google.com>
Change-Id: I1268e6a202d561a1e43f3d71fb38c6000042306b
As data and obbs are already mounted to lowerfs, and we need per app visibility isolation to mount
on those directories.
Here's the warning if we do not add it.
3094 3094 W main : type=1400 audit(0.0:36): avc: denied { mounton } for path="/storage/emulated/0/Android/obb" dev="dm-5" ino=9206 scontext=u:r:zygote:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=0
Bug: 182997439
Test: No selinux warnings during boot.
Change-Id: Id78d793e70acf0d7699c006e19db6d7fda766bf1
This reverts commit d869d02758.
Reason for revert: fixed breakage
The breakage was due to the difference between plat_sepolicy.conf and
microdroid_vendor_sepolicy.conf. Now vendor_sepolicy.conf is built with
se_policy_conf module, so it is synced with plat_sepolicy.conf
Test: boot microdroid with and without SANITIZE_TARGET=address
Change-Id: Ia7d79f5a1eba323b23682d2322a61159dd170441
Introduce the convert_storage_key_to_ephemeral permission to the
keystore2_key access vector and give vold permission to use it. This
permission must be checked when a caller wants to get a per-boot
ephemeral key from a long lived wrapped storage key.
Bug: 181806377
Bug: 181910578
Change-Id: I542c084a8fab5153bc98212af64234e62e9ad032
* Permits setting the sys.drop_caches property from shell.
* Permits init to read and write to the drop_caches file.
* Can only be set to 3 (drop_caches) and 0 (unset).
Bug: 178647679
Test: flashed user build and set property; no avc denials.
Test: flashed userdebug build and dropped caches w/o root.
Change-Id: Idcedf83f14f6299fab383f042829d8d548fb4f5d
Revert submission 1602413-derive_classpath
Bug: 180105615
Fix: 183079517
Reason for revert: SELinux failure leading to *CLASSPATH variables not being set in all builds
Reverted Changes:
I6e3c64e7a:Introduce derive_classpath service.
I60c539a8f:Exec_start derive_classpath on post-fs-data.
I4150de69f:Introduce derive_classpath.
Change-Id: I17e2cd062d8fddc40250d00f02e40237ad62bd6a
This replaces the following policy files with Android.bp modules:
- reqd_policy_mask.cil
- plat_sepolicy.cil
- system_ext_sepolicy.cil
- product_sepolicy.cil
- plat_pub_policy.cil
- system_ext_pub_policy.cil
- pub_policy.cil
- general_sepolicy.conf (for CTS)
Also microdroid's system policy now uses above.
Bug: 33691272
Bug: 178993690
Test: policy files stay same
Test: boot normal device and microdroid, see sepolicy works
Test: build CtsSecurityHostTestCases
Change-Id: I908a33badee04fbbdadc6780aab52e989923ba57
This adds a new module se_policy_cil. It will consume the policy.conf
file (usually built with se_policy_conf) and outputs a compiled cil
policy file, which will be shipped to devices.
Bug: 33691272
Test: try building se_policy_cil from se_policy_conf
Change-Id: I7a33ab6cb5978e1a7d991be7514305c5e9f8159b
This adds a new soong module that transforms selinux policy files to
policy.conf file. It uses m4 macro with various variables, and replaces
transform-policy-to-conf macro in system/sepolicy/definitions.mk.
The module will be used when building:
- policy cil files shipped to the device
- CTS tests that needs general_policy.conf
Bug: 33691272
Test: try building se_policy_conf with se_build_files
Change-Id: Ie1082a8193c2205992b425509b9d5bfa4b495b2f
The lockdown hook defines 2 modes: integrity and confidentiality [1].
The integrity mode ensures that the kernel integrity cannot be corrupted
by directly modifying memory (i.e. using /dev/mem), accessing PCI
devices, interacting with debugfs, etc. While some of these methods
overlap with the current policy definition, there is value in enforcing
this mode for Android to ensure that no permission has been overly
granted. Some of these detection methods use arbitrary heuristic to
characterize the access [2]. Adapt part of the policy to match this
constraint.
The confidentiality mode further restricts the use of other kernel
facilities such as tracefs. Android already defines a fine-grained
policy for these. Furthermore, access to part of tracefs is required in
all domains (see debugfs_trace_marker). Allow any access related to this
mode.
[1] https://lore.kernel.org/linux-api/20190820001805.241928-4-matthewgarrett@google.com/
[2] https://lore.kernel.org/linux-api/20190820001805.241928-27-matthewgarrett@google.com/
Bug: 148822198
Test: boot cuttlefish with patched kernel; check logcat for denials.
Test: run simpleperf monitor to exercise tracefs; check logcat for denials.
Change-Id: Ib826a0c153771a61aae963678394b75faa6ca1fe
ART runtime will be using userfaultfd for a new heap compaction
algorithm. After enabling userfaultfd in android kernels (with SELinux
support), the feature needs policy that allows { create ioctl read }
operations on userfaultfd file descriptors.
Bug: 160737021
Test: Manually tested by exercising userfaultfd ops in ART
Change-Id: I9ccb7fa9c25f91915639302715f6197d42ef988e
When a device define BOARD_SHIPPING_API_LEVEL with an API level, it
sets a vendor property ro.board.first_api_level in vendor/build.prop.
This property is initiated by vendor_init and read-only.
Bug: 176950752
Test: getprop ro.board.first_api_level
Change-Id: Ia09d2e80f1ca4a79dbe4eb0dc11b189644819cad
