The default policy for the "lockdown" access vector on Android was
introduced in commit bcfca1a6. While the "confidentiality" permission
was granted to all processes, the "integrity" was marked as
neverallowed.
Upstream, the support for that access vector was removed from kernel
5.16 onwards.
It was found that the "integrity" permission either does not apply to
Android or duplicates other access control (e.g., capabilities
sys_admin).
Instead of simply removing the neverallow rule, the access is granted to
all processes. This will prevent the proliferation of references to this
access vector in vendors' policies and ultimately facilitate its
removal.
Test: presubmit
Bug: 285443587
Bug: 269377822
Bug: 319390252
Change-Id: If2ad34fbbf2c0d29ac54ab5d1be430623f86f1f7
(cherry picked from commit 99a4cbcee7)
Merged-In: If2ad34fbbf2c0d29ac54ab5d1be430623f86f1f7
In AVF, virtualizationmanager checks the selinux label of given disk
image for proving whether the given image is edited maliciously.
Existing one(vendor_configs_file, /vendor/etc/*) was too wide to
use for this purpose.
Bug: 325709490
Bug: 285854379
Test: m
Merged-In: I6c966c92b238a2262d2eb7f41041ed4c359e9e0a
Change-Id: I6c966c92b238a2262d2eb7f41041ed4c359e9e0a
(cherry picked from commit d2a0892121)
Description:
Since the Android N project uses Keymaster 1.5 and added full disk encryption support in vold when upgrading to Android T, the SELinux rules need to allow vold to use the keymaster HAL directly.
Bug: 319506037
Change-Id: Ib21c59156a6de0c2b148e33de2fe8efb3606e697
Looks like we missed this, and so non-rooted locked devices can't override the persistent sysprops. On Pixel 8 for example, we ship with 'persist.arm64.memtag.system_server=off' by default (from some droidfood carry-overs), and this can't be edited (https://googleprojectzero.blogspot.com/2023/11/first-handset-with-mte-on-market.html).
We should allow these advanced users to set all the MTE properties on the device that they own, and they can already control the non-persistent properties.
Test: N/A
Bug: N/A
(cherry picked from https://android-review.googlesource.com/q/commit:980c33614e691dde070b59bc746bd252b6edb189)
Merged-In: Ie495f6f9ad43146a0bfcd5bb291fca3760467370
Change-Id: Ie495f6f9ad43146a0bfcd5bb291fca3760467370
Bug: 309888546
type=1400 audit(0.0:835): avc: denied { read }
for path="/data/app/vmdl1923101285.tmp/base.apk"
dev="dm-37" ino=29684
scontext=u:r:isolated_app:s0:c512,c768
tcontext=u:object_r:apk_tmp_file:s0 tclass=file
permissive=0
Bug: 308775782
Bug: 316442990
Test: Flashed to device with and without this change, confirmed that this
change allows an isolated process to read already opened staged apk file
(cherry picked from https://android-review.googlesource.com/q/commit:cf2694bf863fc31ac5862b92bb9258136de57932)
Merged-In: I7226bae79344c3b2a5a0f59940dde6d64a8a7ea1
Change-Id: I7226bae79344c3b2a5a0f59940dde6d64a8a7ea1
Relaxation of SELinux policies to allow users of libstagefright and
MediaCodec to be able to query server-side configurable flags.
Bug: 301372559
Bug: 301250938
Bug: 308043377
Fixes: 308043377
Test: run cts -m CtsSecurityHostTestCases
Change-Id: I72670ee42c268dd5747c2411d25959d366dd972c
Merged-In: I95aa6772a40599636d109d6960c2898e44648c9b
(cherry picked from commit 1b32bccc1a)
A new label for ./apex_manifest.pb and ./ entries in vendor apexes. This
is read-allowed by a few system components which need to read "apex" in
general. For example, linkerconfig needs to read apex_manifest.pb from
all apexes including vendor apexes.
Previously, these entries were labelled as system_file even for vendor
apexes.
Bug: 285075529
Bug: 308058980
Test: m && launch_cvd
Test: atest VendorApexHostTestsCases
Change-Id: Icc234bf604e3cafe6da81d21db744abfaa524dcf
Merged-In: Icc234bf604e3cafe6da81d21db744abfaa524dcf
sys.boot.reason.last needs to be readable by SysUI to correctly display the reason why authentication is required to unlock the phone.
Bug: 299327097
Bug: 308058980
Test: presubmit
Change-Id: I9f83ade92858056609bc665ecb6ce9b93eb051e4
Merged-In: I9f83ade92858056609bc665ecb6ce9b93eb051e4
Bug: 228638448
Bug:313817413
Test: Manually following face virtual hal provisioning procedure
Change-Id: I1f61b687be4abe53c62c21769fb57dc9cf9daf45
Merged-In: I1f61b687be4abe53c62c21769fb57dc9cf9daf45
This reverts commit e2bd44d48d.
Reason for revert: 2nd attempt to add the policy change
Bug: 308058980
Test: m selinux_policy
Change-Id: I5b9a102879a65917d496ba2194187ddd2b4545d1
Merged-In: I5b9a102879a65917d496ba2194187ddd2b4545d1
The enable_rkpd property is no longer needed. This change removes the
vestigial property.
Test: Successful build
Change-Id: I810d5a21cbe01b43a37244959e21febd0880be59
This reverts commit c6227550f7.
Reason for revert: Faulty merging paths have been removed
Change-Id: Icf56c2e977c5517af63e206a0090159e43dd71eb
Merged-In: Ie947adff00d138426d4703cbb8e7a8cd429c2272
This reverts commit a41bfab758.
Reason for revert: Automerger path causing the regression is no more
Change-Id: I4c9ab6f2e18c9d8157f5667bc98fcce00e78f93d
am skip reason: Merged-In I72670ee42c268dd5747c2411d25959d366dd972c with SHA-1 6d3e772828 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2762385
Change-Id: If027337f7e703fe5b80e18ecddeabbac29011c5f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Merged-In I72670ee42c268dd5747c2411d25959d366dd972c with SHA-1 6d3e772828 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2762385
Change-Id: I9f39e5b28001ed8307bb444b46e846b9d8767d76
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Merged-In I72670ee42c268dd5747c2411d25959d366dd972c with SHA-1 6d3e772828 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2762385
Change-Id: Ib82db36340060d01bf9284135768cb4cb6744e73
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Relaxation of SELinux policies to allow users of libstagefright and
MediaCodec to be able to query server-side configurable flags.
Bug: 301372559
Bug: 301250938
Test: run cts -m CtsSecurityHostTestCases
Change-Id: I72670ee42c268dd5747c2411d25959d366dd972c
Merged-In: I72670ee42c268dd5747c2411d25959d366dd972c
am skip reason: Merged-In I72670ee42c268dd5747c2411d25959d366dd972c with SHA-1 1b32bccc1a is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2762618
Change-Id: Ic5d201f979fb6160b8ded5dbd8e07e7ba213ed80
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Merged-In I72670ee42c268dd5747c2411d25959d366dd972c with SHA-1 1b32bccc1a is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2762618
Change-Id: I556bbfb35c7aeb3564e63cd9ed993aae15e2baae
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Relaxation of SELinux policies to allow users of libstagefright and
MediaCodec to be able to query server-side configurable flags.
Bug: 301372559
Bug: 301250938
Test: run cts -m CtsSecurityHostTestCases
Change-Id: I72670ee42c268dd5747c2411d25959d366dd972c
Merged-In: I72670ee42c268dd5747c2411d25959d366dd972c
am skip reason: Merged-In I95aa6772a40599636d109d6960c2898e44648c9b with SHA-1 3c818406c4 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2762467
Change-Id: I8b7c5cf421f70df6518fc0711924510c2c3086a9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Relaxation of SELinux policies to allow users of libstagefright and
MediaCodec to be able to query server-side configurable flags.
Bug: 301372559
Bug: 301250938
Test: run cts -m CtsSecurityHostTestCases
Change-Id: I72670ee42c268dd5747c2411d25959d366dd972c
Merged-In: I95aa6772a40599636d109d6960c2898e44648c9b
ueventd needs access to device-mapper to fix a race condition in symlink
creation. When device-mapper uevents are received, we historically read
the uuid and name from sysfs. However it turns out sysfs may not be
fully populated at that time. It is more reliable to read this
information directly from device-mapper.
Bug: 286011429
Test: libdm_test, treehugger
(cherry picked from https://android-review.googlesource.com/q/commit:e09c0eee36d58894bb0d30b9af4e33ee7dd7011c)
Merged-In: I36b9b460a0fa76a37950d3672bd21b1c885a5069
Change-Id: I36b9b460a0fa76a37950d3672bd21b1c885a5069
Change-Id: I1197d0051a9ce96b7edd87347b5db266b1643d30
Add drmserver(32|64) for supporting 64-bit only devices. The patch is
for setting up the sepolicy for drmserver(32|64).
Bug: 282603373
Test: make gsi_arm64-user; Check the sepolicy
Ignore-AOSP-First: depend on an internal project
Change-Id: If8451de8120372b085de1977ea8fd1b28e5b9ab0
Setup tethering_u_or_later_native namespace
Test: adb shell device_config put tethering_u_or_later_native test 1
Test: Read persist.device_config.tethering_u_or_later_native.test property
Test: from system server and Tethering.apk
Ignore-AOSP-First: topic has CL that updates DeviceConfig
Bug: 281944942
Change-Id: I2862974dc1a15f6768a34763bb9e2bad93eaf4ca
The majority of code for media encoding and decoding occurs within the
context of client app processes via linking with libstagefright. This
code needs access to server-configurable flags to configure
codec-related features.
Bug: 234833109
Test: manual test with 'adb shell device_config' commands
Ignore-AOSP-First: cherry pick from AOSP
Change-Id: I95aa6772a40599636d109d6960c2898e44648c9b
