/boot/etc/build.prop is a file available at first_stage_init to
be moved into /second_stage_resources.
The file is only read by first_stage_init before SELinux is
initialized. No other domains are allowed to read it.
Test: build aosp_hawk
Test: boot and getprop
Bug: 170364317
Change-Id: I0f8e3acc3cbe6d0bae639d2372e1423acfc683c7
This allows profiling of binaries pushed by the user.
Test: run profile of out of tree perfetto on flame userdebug.
Bug: 170208766
Change-Id: I152d6d244cc5065ee2de24f839e4ad467bc22cdc
This CL changes a neverallow for /vendor apps accessing vendor_service.
Originally, /vendor apps ({appdomain -coredomain}) were disallowed from
accessing all AIDL services since they are platform implementation
details that may change over time, and these apps run in a system
context. However, now, vendor services can be stable. So, in order to
give the flexibility needed for vendor framework components installed to
the /vendor partition to access AIDL HALs, this CL opens it up.
Bug: 163478173
Test: build (validates neverallows)
Change-Id: Ic2280021e875671ad99e3f1ba820c6e4408fd645
In addition, allow shell to read this property.
Test: getprop -Z
Test: cts-tradefed run cts -m CtsGestureTestCases
and check /sdcard/device-info-files/PropertyDeviceInfo.deviceinfo.json
Bug: 169169031
Change-Id: Ib71b01bac326354696e159129f9dea4c2e918c51
This will allow SystemServer to add the new vibrator manager service.
Bug: 166586119
Test: manually build and install on test device
Change-Id: I496f46e2f5482aaa7bfba31d6c6b2967486941cc
The purpose of misc_writer is to write the misc partition. However,
when it includes libfstab, it will probe files like the kernel command
line (proc/cmdline) and metadata, which requires permissions it does not
need.
Bug: 170189742
Test: Boot under permissive mode and find the errors gone.
Change-Id: Icda3200660a3bee5cadb6f5e0026fa71941ae5dc
The list permission protects the ability to list arbitrary namespaces.
This is not a namespace specific permission but a Keystore specific
permission. Listing the entries of a given namespace is covered by the
get_info permission already.
Test: N/A
Merged-In: If6e79fd863a79acf8d8ab10c6362a4eeaa88a5b8
Change-Id: If6e79fd863a79acf8d8ab10c6362a4eeaa88a5b8
TimeZoneDetectorService will be accessed as part of a new @SystemApi,
TimeManager.
For CTS testing, the TimeZoneDetectorService needs to be accessible by
the CTS test app, this means the sepolicy for the service needs to be
expanded to less trusted clients. During tests we can expand the Android
permissions to those of the Shell process, but it looks like selinux
still needs this change even though "real" clients will be privileged
apps.
It's probable that the time / time detector services will be used in
public SDK TimeManager APIs in the future.
Bug: 159891384
Test: build only (and CTS tests not yet submitted in AOSP)
Change-Id: Ieb4b40505aa990e572435c098a66c489746d4c45
Denial when not listed in priv_app.te:
E SELinux : avc: denied { find } for pid=3213 uid=10170 name=music_recognition scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:music_recognition_service:s0 tclass=service_manager permissive=0
Bug: 158194857
Test: patched and tested on internal master
Change-Id: I30e9ea79a57d9c353b732b629bd5a829c89bbcb0
Add ro.build.ab_update.gki.prevent_downgrade_{version,spl} for
update_engine to determine whether downgrade in kernel version or SPL is
considered an error or not.
Bug: 162623577
Test: update_engine_unittest
Test: apply OTA
Change-Id: If602924d50a2d5cfb3c256b82491c413a9d39f9d
Following Hridya's patches, I found one more place where
dmabuf system heap access is needed in order to play back video
without ION
Audit error:
09-22 05:34:36.545 478 478 W NPDecoder-CL: type=1400 audit(0.0:65): avc: denied { read } for name="system" dev="tmpfs" ino=631 scontext=u:r:mediaserver:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=0
Signed-off-by: John Stultz <john.stultz@linaro.org>
Change-Id: I016a260b936a343a29f0e3bbb565b52bbcb0133a
Certain classes of 3rd party apps aren't untrusted_app_domain, but
some comments surrounding this are either outdated or wrong.
Bug: 168753404
Test: N/A
Change-Id: I019c16e26a3778536132f22c37fbea5ae7781af4
There is no need for this type to be declared because it is never
registered with hwservicemanager.
This has been removed in the past but it seems it didn't automerge.
Bug: 109802374
Test: N/A
Change-Id: Id9bbc5762b6dcc8066c8543cb93db937cc4fc858
The LocationTimeZoneManagerService is being added as a "true" service so
that it can be invoked by a shell command (i.e. adb shell cmd). This
also means it will be dumped as part of dumpsys.
Test: Build only
Bug: 149014708
Change-Id: Ie60c4bea3af27a89b88ed753f9cf6e74aab04cd3
The new ioctl allows system server to verify the state of a frozen
binder interface before unfreezing a process.
Bug: 143717177
Test: verified ActivityManager could access the ioctl
Change-Id: Id9d90d072ce997ed20faa918ec68f1110e2bac8f
Define the label dmabuf_system_heap_device for /dev/dma_heap/system.
This is the default DMA-BUF heap that Codec2 will use once ION is
deprecated.
Test: video playback without denials with DMA-BUF heaps enabled
Bug: 168333162
Change-Id: Ief48165cd804bde00e1881a693b5eb44a45b633b
Bug: 167636754
Test: on a device that has triggers configured for this property
Test: adb shell setprop power.battery_input.suspended true to disable charging
Test: adb shell setprop power.battery_input.suspended false to reenable charging
Merged-In: I79209530d5355a59a1cb7a61c629339cd62f8eb1
Merged-In: I4692d84d5c137d11c6f648d15083614e707fdd07
Change-Id: I7a20c0d561a21fa958cf71c499604d70efdbe979
Bug: 167636754
Test: on a device that has triggers configured for this property
Test: adb shell setprop power.battery_input.suspended true to disable charging
Test: adb shell setprop power.battery_input.suspended false to reenable charging
Merged-In: I79209530d5355a59a1cb7a61c629339cd62f8eb1
Merged-In: I4692d84d5c137d11c6f648d15083614e707fdd07
Change-Id: I4692d84d5c137d11c6f648d15083614e707fdd07
Like HIDL HALs, if we have a service which is allowed to access
hal_<foo>_service, we want that service to have the attribute
hal_<foo>_client.
Unlike HIDL HALs, some AIDL services are allowed to get ahold of all
HALs, so these have to be exempted from this check.
Fixes: 168152053
Test: neverallows pass
Change-Id: I4bce6d9441c2921c3ea40f2b01fef4030c02a28a
Add updateable_module_file that describes all files under /modules. If
more directories (e.g. /modules/apex etc.) are added in the future,
separate labels should be applied to them.
Bug: 163543381
Test: on CF check /proc/mounts
Change-Id: Iceafebd85a2ffa47a73dce70d268d8a6fb5a5103
BINDER_FREEZE is used to block ipc transactions to frozen processes, so
only system_server must be allowed to use it.
Bug: 143717177
Test: manually verified that attempts to use BINDER_FREEZE by processes
other than system_server receive a sepolicy denial
Test: verified that system_server can enable/disable the freezer in
binder
Change-Id: I0fae3585c6ec409809e8085c1cc9862be4755889
Add a domain for /data/local/tests which will be used by atest
to execute tests on devices as shell or root.
Bug: 138450837
Test: atest binderVendorDoubleLoadTest memunreachable_unit_test memunreachable_binder_test
Change-Id: Ia34314bd9430e21c8b3304ac079e3d9b5705e19c
We need to add an exception for a private type; it can only be
recognised if these are private policies.
Bug: 79161490
Test: TreeHugger
Change-Id: Icc902389e545f1ff4c92d2ab81c0617a3439f466
It's release blocking if devices specify it. Since none are used
in-tree anymore, there is no reason to ever use this again.
Bug: 131617943
Test: grepping source/build (which validates this isn't used)
Change-Id: I6f98ab9baed93e11403a10f3a0497c855d3a8695
Add userspace_reboot_metadata_file, which is written to by init,
and read by system server. System server will also handle the
deletion policy and organization of files within this directory,
so it needs additional permissions.
Test: Builds
Bug: 151820675
Change-Id: Ifbd70a6564e2705e3edf7da6b05486517413b211
After change Ia7437b8297794502d496e9bd9998dddfdcb747ef, some build
targets are broken. This change fixes it.
Bug: 166334688
Test: build
Change-Id: Iaf6ca1ae5c461bd3c5059b27a148c7858679f795
This allows Incremental Service (part of system_server) to query the
filled blocks of files on Incremental File System.
Test: atest service.incremental_test
Bug: 165799231
Change-Id: Id63f8f325d92fef978a1ad75bd6eaa8aa5e9e68b
hardware/interfaces/dumpstate/1.1 refers to this property,
so it must be defined in system/sepolicy.
Bug: 163759751
Test: atest VtsHalDumpstateV1_1TargetTest
Signed-off-by: Roman Kiryanov <rkir@google.com>
Change-Id: I058100eacd05e32de56e0ff9de465625a2e71e9c
cgroup v2 is going to be used for freezer v2 support. The cgroup v2 hierarchy
will be mounted by init under /sys/fs/cgroup hence proper access rights
are necessary for sysfs. After mounting, the cgroup v2 kernfs will use
the label cgroup_v2 and system_manager will handle the freezer
Bug: 154548692
Test: verified that files under sysfs and cgroup v2 kernfs are accessed
as required to allow proper functioning for the freezer.
Change-Id: Idfb3f6e77b60dad032d1e306d2f9b58cd5775960
This is a new ioctl for configuring loop devices, and is used by apexd.
Bug: 148607611
Bug: 161575393
Test: boot on device with/without LOOP_CONFIGURE
Change-Id: I9ef940c7c9f91eb32a01e68b858169c140d15d0f
Merged-In: I9ef940c7c9f91eb32a01e68b858169c140d15d0f
Bug: 158500146
Bug: 159466840
Test: keystore2_test tests part of this policy
Change-Id: Id3dcb2ba4423d93170b9ba7ecf8aed0580ce83bc
Merged-In: Id3dcb2ba4423d93170b9ba7ecf8aed0580ce83bc
We add a new back end for SELinux based keystore2_key namespaces.
This patch adds the rump policy and build system infrastructure
for installing keystore2_key context files on the target devices.
Bug: 158500146
Bug: 159466840
Test: None
Change-Id: I423c9e68ad259926e4a315d052dfda97fa502106
Merged-In: I423c9e68ad259926e4a315d052dfda97fa502106
The context name exported3_radio_prop is ambiguous and does not reflect
the usage and role of the properties. This changes its name to
radio_control_prop.
Some downstream branches are still using exported3_radio_prop, so
get_prop(domain, radio_control_prop) is added to avoid regression. It's
just a workaround and to be removed soon, after all exported3_radio_prop
are cleaned up.
Bug: 162214733
Test: boot a device with a sim and see basic functions work
Change-Id: If5fe3be7c64b36435c4ad0dc9a8089077295d502
Merged-In: If5fe3be7c64b36435c4ad0dc9a8089077295d502
This is the stable AIDL binder interface that update_engine exposes in
addition to update_engine_service.
Test: run update_engine
Bug: 160996544
Change-Id: I28ba11810844373d48c8c203f79e98150f932942
This is to allow people service to publish a binder service that exposes
system private APIs to retrieve and manage the recent cached
conversations.
Test: build and run on a test device
Bug: 162593584
Change-Id: I31b5d8bc851ea7225e215b3f86ed6d47b32b1ba4
audiocontrol_hal, vehicle_hal and evs_hal were added to dump_util.cpp in
b/148098383. But the corresponding dumpstate.te is not updated to reflect
the changes, causing denials when dumpstate attempts to dump auto hal servers.
This CL updates dumpstate.te to allow dumpstate to access auto hal servers.
Bug: 162537916
Test: sesearch -A -s dumpstate -t hal_audiocontrol_server -p signal sepolicy
Test: sesearch -A -s dumpstate -t hal_vehicle_server -p signal sepolicy
Test: sesearch -A -s dumpstate -t hal_evs_server -p signal sepolicy
Change-Id: If6d6e4d9c547da17817f2668dc4f2a093bddd632
adbd and apps (SystemUI and CTS test apps) need to read it.
Bug: 162205386
Test: Connect to device which sets service.adb.tcp.port in vendor
partition through TCP adb.
Change-Id: Ia37dd0dd3239381feb2a4484179a0c7847166b29
This cleans up remaining exported2_default_prop. Three properties are
changed.
- ro.arch
It becomes build_prop.
- hal.instrumentation.enable
It becomes hal_instrumentation_prop.
- ro.property_service.version
It becomes property_service_version_prop.
Bug: 155844385
Test: selinux denial test on Pixel devices
Change-Id: I7ee0bd8c522cc09ee82ef89e6a13bbbf65291291
ro.boot. properties assigned as "exported2_default_prop" are now
"bootloader_prop", to remove bad context name "exported2_default_prop".
Two things to clarify:
1) We have both the prefix entry and the exact entries. Although the
exact entries may be redundant, we may want to keep them. Vendors are
still allowed to have properties starting with "ro.boot." on
vendor_property_contexts file. The exact entries can prevent vendors
from modifying them to random contexts.
2) ro.boot. is special as it is originally for kernel command line
"androidboot.". But some ro.boot. properties are being used as if they
were normal. To avoid regression, ro.boot. properties having contexts
other than "exported2_default_prop" are not changed here. They will be
tracked later.
Bug: 155844385
Test: m selinux_policy
Change-Id: Ic0f4117ae68a828787304187457b5e1e105a52c7
Merged-In: Ic0f4117ae68a828787304187457b5e1e105a52c7
We have various apps which inherently work across all users,
configured in seapp_contexts with levelFrom=None (usually implicitly).
This change marks those apps, where they have private data files, as
mlstrustedsubject, to allow us to increase restrictions on cross-user
access without breaking them.
Currently these apps are granted full access to [priv_]app__data_file
via TE rules, but are blocked from calling open (etc) by mls rules
(they don't have a matching level).
This CL changes things round so they are granted access by mls, but
blocked from calling open by TE rules; the overall effect is thus the
same - they do not have access.
A neverallow rule is added to ensure this remains true.
Note that there are various vendor apps which are appdomain,
levelFrom=None; they will also need modified policy.
Test: builds, boots, no new denials.
Bug: 141677108
Change-Id: Ic14f24ec6e8cbfda7a775adf0c350b406d3a197e
This is to remove exported3_default_prop. Contexts of these properties
are changed.
- ro.boot.wificountrycode
This becomes wifi_config_prop
- ro.opengles.version
This becomes graphics_config_prop. Also it's read by various domains, so
graphics_config_prop is now readable from coredomain.
- persist.config.calibration_fac
This becomes camera_calibration_prop. It's only readable by appdomain.
Bug: 155844385
Test: no denials on Pixel devices
Test: connect wifi
Change-Id: If2b6c10fa124e29d1612a8f94ae18b223849e2a9
This removes bad context names "exported*_prop". Property contexts of
following properties are changed. All properties are settable only by
vendor-init.
- ro.config.per_app_memcg
This becomes lmkd_config_prop.
- ro.zygote
This becomes dalvik_config_prop.
- ro.oem_unlock_supported
This becomes oem_unlock_prop. It's readable by system_app which includes
Settings apps.
- ro.storage_manager.enabled
This becomes storagemanagr_config_prop. It's readable by coredomain.
Various domains in coredomain seem to read it.
- sendbug.preferred.domain
This becomes sendbug_config_prop. It's readable by appdomain.
There are still 3 more exported3_default_prop, which are going to be
tracked individually.
Bug: 155844385
Test: selinux denial check on Pixel devices
Change-Id: I340c903ca7bda98a92d0f157c65f6833ed00df05
To remove bad context names "exported*_prop"
Bug: 155844385
Test: boot and see no denials
Change-Id: Icd30be64355699618735d4012461835eca8cd651
Merged-In: Icd30be64355699618735d4012461835eca8cd651
(cherry picked from commit 37c2d4d0c9)
(cherry picked from commit 3b66e9b9f8)
To remove bad context names "exported*_prop"
Bug: 155844385
Test: boot and see no denials
Change-Id: Icd30be64355699618735d4012461835eca8cd651
Merged-In: Icd30be64355699618735d4012461835eca8cd651
(cherry picked from commit 37c2d4d0c9)
vts_config_prop and vts_status_prop are added to remove exported*_prop.
ro.vts.coverage becomes vts_config_prop, and vts.native_server.on
becomes vts_status_prop.
Bug: 155844385
Test: Run some vts and then getprop, e.g. atest \
VtsHalAudioEffectV4_0TargetTest && adb shell getprop
Test: ro.vts.coverage is read without denials
Change-Id: Ic3532ef0ae7083db8d619d80e2b73249f87981ce
A few netd avc denials are observed. Suppress audit messages since they
don't cause a problem.
Bug: 77870037
Test: build, flash, boot
Change-Id: I019c5af62630fcd0a35e22c560b9043bba58f6f1
ro.enable_boot_charger_mode and sys.boot_from_charger_mode are moved to
new property contexts for charger props to remove exported*_prop.
Bug: 155844385
Test: boot device with ro.enable_boot_charger_mode
Change-Id: I17d195d3c9c002a42125d46a5efcdb890f1c2a5c
tombstoned.max_tombstone_coun becomes tombstone_config_prop to remove
exported*_default_prop
Bug: 155844385
Test: tombstoned is running and logcat shows no denials
Change-Id: I57bebb5766d790dc52d40a6d106f480e0e34fa4e
keyguard.no_require_sim becomes keyguard_config_prop to remove
exported*_default_prop
Bug: 155844385
Test: boot and see no denials
Change-Id: Icffa88b650a1d35d8c1cd29f89daf0644a79ddd3
To remove ambiguous context name exported_default_prop
Bug: 71814576
Test: boot and see no denials
Change-Id: I40eb92653fabc509419e07bb4bfa7301a8762352
To remove bad context names exported[23]_default_prop
Bug: 155844385
Test: m selinux_policy
Change-Id: Ic4bbc8e45d810368a96f6985c2234798e73be82d
Merged-In: Ic4bbc8e45d810368a96f6985c2234798e73be82d
(cherry picked from commit 072b01438e)
To clean up bad context name exported[23]_default_prop
Bug: 155844385
Test: m selinux_policy
Test: enter recovery mode
Change-Id: I312b6fa911a90dfc069a973c7916c67d92b7baa5
Due to AIDL HAL introduction, vendors can publish services
with servicemanager. vendor_service_contexts is labeled as
vendor_service_contexts_file, not nonplat_service_contexts_file.
And pack it into the vendor partition.
Bug: 154066722
Test: check file label
Change-Id: Ic74b12e4c8e60079c0872b6c27ab2f018fb43969
1. Add surfaceflinger_display_prop property context
2. Set context for graphics.display.kernel_idle_timer.enabled
3. Context for a system property that is read by surfaceflinger
and set by vendor_init and system_app.
W /system/bin/init: type=1107 audit(0.0:5): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=vendor.display.enable_kernel_idle_timer pid=2396 uid=1000 gid=1000 scontext=u:r:system_app:s0 tcontext=u:object_r:vendor_display_prop:s0 tclass=property_service permissive=0'
Bug: 137064289
Test: $ make selinux_policy. Check kernel idle timer works correct.
Change-Id: I77a82b5abfe5a771418dab5d40b404a1cdca4deb
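The three denials quoted in the messages above (priv_app finding music_recognition_service, mediaserver reading dmabuf_system_heap_device, and system_app setting vendor_display_prop) all share one format, and the usual first step in fixing them is to read the source type, target type, class and permission out of the line and write the allow rule they ask for. The script below does that; it is an added example written for this page, not code from system/sepolicy or from audit2allow, and the helper names (join_wrapped, parse_denial, suggest) are its own. It re-joins a denial that was wrapped when pasted, as the mediaserver one above was, and records whether permissive=0 (the access really was blocked) or permissive=1 (logged only). The get_prop/set_prop spellings follow the macro form the radio_control_prop message above uses.

```python
"""Turn pasted SELinux AVC denials into candidate allow rules.

Added example for this page; not part of system/sepolicy or audit2allow.
Sample input below is the three denials quoted in the commit messages.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional

# type=1400 (file/binder) and type=1107 (property_service) denials share
# the shape: "avc: denied { perms } for key=value key=value ...".
_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
_KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")


@dataclass(frozen=True)
class Denial:
    perms: tuple          # denied permissions, e.g. ("find",)
    scontext: str         # full source context, e.g. u:r:priv_app:s0:c512,c768
    tcontext: str         # full target context
    tclass: str           # object class, e.g. service_manager
    enforced: bool        # permissive=0: the access was actually blocked
    name: Optional[str]   # name=... for objects, property=... for property_service


def join_wrapped(text: str) -> Iterator[str]:
    """Re-join records that were wrapped when pasted. A line without 'avc:'
    continues the previous record; a wrap inside a context label leaves the
    buffer ending in ':' or ',' (as in 'scontext=u:r:mediaserver:' / 's0')."""
    buf = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "avc:" in line:
            if buf is not None:
                yield buf
            buf = line
        elif buf is not None:
            buf += ("" if buf.endswith((":", ",")) else " ") + line
    if buf is not None:
        yield buf


def parse_denial(line: str) -> Optional[Denial]:
    m = _AVC_RE.search(line)
    if m is None:
        return None
    # Values may be quoted (name="system") or carry a trailing msg='...' quote.
    kv = {k: v.strip("\"'") for k, v in _KV_RE.findall(m.group("rest"))}
    return Denial(
        perms=tuple(m.group("perms").split()),
        scontext=kv["scontext"],
        tcontext=kv["tcontext"],
        tclass=kv["tclass"],
        enforced=kv.get("permissive", "0") == "0",
        name=kv.get("name") or kv.get("property"),
    )


def type_of(ctx: str) -> str:
    """The type is the third field of a context: u:r:priv_app:s0:c512 -> priv_app."""
    return ctx.split(":")[2]


def allow_rule(d: Denial) -> str:
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {type_of(d.scontext)} {type_of(d.tcontext)}:{d.tclass} {perms};"


def suggest(d: Denial) -> str:
    """Property denials are normally expressed with the set_prop/get_prop
    macros rather than a raw allow; everything else gets the raw rule."""
    src, tgt = type_of(d.scontext), type_of(d.tcontext)
    if d.tclass == "property_service" and d.perms == ("set",):
        return f"set_prop({src}, {tgt})"
    if d.tclass == "file" and "read" in d.perms and tgt.endswith("_prop"):
        return f"get_prop({src}, {tgt})"
    return allow_rule(d)


def denials_to_rules(text: str) -> List[str]:
    return [suggest(d) for d in map(parse_denial, join_wrapped(text)) if d is not None]


# Sample input: the three denials quoted in the commit messages above,
# the second one wrapped exactly as it was pasted.
SAMPLE = """\
E SELinux : avc: denied { find } for pid=3213 uid=10170 name=music_recognition scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:music_recognition_service:s0 tclass=service_manager permissive=0
09-22 05:34:36.545 478 478 W NPDecoder-CL: type=1400 audit(0.0:65): avc: denied { read } for name="system" dev="tmpfs" ino=631 scontext=u:r:mediaserver:
s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=0
W /system/bin/init: type=1107 audit(0.0:5): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=vendor.display.enable_kernel_idle_timer pid=2396 uid=1000 gid=1000 scontext=u:r:system_app:s0 tcontext=u:object_r:vendor_display_prop:s0 tclass=property_service permissive=0'
"""

if __name__ == "__main__":
    for d in filter(None, map(parse_denial, join_wrapped(SAMPLE))):
        mode = "enforced" if d.enforced else "permissive (logged only)"
        print(f"{mode}: {d.name}\n    {suggest(d)}")
```

The emitted rule is only the starting point: it says what the denial asked for, not whether granting it is acceptable. Before adding it, the rule still has to pass the neverallows that the build validates (several messages above use "Test: build (validates neverallows)" for exactly that), and a denial with permissive=1 was not actually blocked, so it is evidence of a missing rule rather than of a broken device.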
To allow vold to abort it.
Bug: 153411204
Test: vold can access it
Merged-In: I334eaf3459905c27d614db8eda18c27e62bea5fa
Change-Id: I334eaf3459905c27d614db8eda18c27e62bea5fa
A device must indicate whether GPU profiling is supported or not through
setting these two properties properly. CTS needs to read these two
properties in order to run corresponding compliance tests. Hence need to
update sepolicy for these two properties.
Bug: b/157832445
Test: Test on Pixel 4
Change-Id: I6f400ecbbd5e78b645bb620fa24747e9367c2ff3
Merged-In: I6f400ecbbd5e78b645bb620fa24747e9367c2ff3
There should be no need for this, and it allows probing for file existence.
Access to /data and more specifically labeled directories under it
(e.g. /data/app) is not affected.
Bug: 158088415
Test: Builds
Change-Id: Iac39629b1c7322dc2fd9a57c9f034cb2ba73793f
To remove bad context names, two contexts are added.
- telephony_config_prop
- telephony_status_prop
exported_radio_prop, exported2_radio_prop are removed. Cleaning up
exported3_radio_prop will be a follow-up task.
Exempt-From-Owner-Approval: cherry-pick
Bug: 152471138
Bug: 155844385
Test: boot and see no denials
Test: usim works on blueline
Change-Id: Iff9a4635c709f3ebe266cd811df3a1b4d3a242c2
Merged-In: Iff9a4635c709f3ebe266cd811df3a1b4d3a242c2
(cherry picked from commit 4d36eae8af)
The fstab_suffix can be passed as 'androidboot.fstab_suffix=' on the
kernel command line, or as an Android DT node. It specifies an
override suffix for the fsmgr fstab search:
/odm/etc/fstab.${fstab_suffix}
/vendor/etc/fstab.${fstab_suffix}
/fstab.${fstab_suffix}
Bug: 142424832
Change-Id: I9c0acf7a5ae3cdba505460247decf2de9997cac1
Merged-In: I9c0acf7a5ae3cdba505460247decf2de9997cac1
Exported properties init.svc.* were world-readable, so making them
world-readable again to fix selinux denials.
Bug: 157474281
Test: m selinux_policy
Change-Id: I6d5a28b68061896e9cd2584c47aa60f6d36ed53f
Test: manually make sure that boot animation is resizing
when display is changed
Bug: 156448328
Merged-In: I9f754900a0b32551f656ce2097a3a41245b02218
Change-Id: I9f754900a0b32551f656ce2097a3a41245b02218
/apex/apex-info-file.xml is labeled as apex_info_file. It is
created/written once by apexd, and can be read by zygote and
system_server. The content of the file is essentially the same as the
return value of the getAllPackages() call to apexd.
Bug: 154823184
Test: m
Merged-In: Ic6af79ddebf465b389d9dcb5fd569d3a786423b2
(cherry picked from commit f1de4c02cc)
Change-Id: Ic6af79ddebf465b389d9dcb5fd569d3a786423b2