- Adapt installd rules for app compilation.
- Add profman rules for checking the profile before compilation. This is new behavior compared to installd.
Bug: 229268202
Test: -
1. adb shell pm art optimize-package -m speed-profile -f \
com.google.android.youtube
2. See no SELinux denial.
Change-Id: Idfe1ccdb1b27fd275fdf912bc8d005551f89d4fc
If something starts before servicemanager does,
intelligently wait for servicemanager to start rather
than sleeping for 1s.
Bug: 239382640
Test: boot
Change-Id: If0380c3a1fce937b0939cd6137fcb25f3e47d14c
Removes all references to vendor_service in policy except the
definition of this type, which also needs to be removed by
clients.
We don't need this because interface type shouldn't be associated
with where they are served. We can serve HALs from anywhere if they are
implemented in software.
Bug: 237115222
Test: builds
Change-Id: If370a904af81e015e7e1f7a408c4bfde2ebff9a4
inotify_add_watch requires read permissions and these were only granted
to the /dev/block/dm-user directory, not the device nodes.
Denial: avc: denied { read } for pid=1918 comm="update_engine" name="product_b-user-cow" dev="tmpfs" ino=162 scontext=u:r:update_engine:s0 tcontext=u:object_r:dm_user_device:s0 tclass=chr_file permissive=0
Bug: 238572067
Test: apply OTA
Change-Id: I3fa7c9600873f4a2638fd140287511005f5aac1d
Tests around Virtual A/B, DSUs, remount etc need to create loop devices
and write to them, which requires the kernel domain to have file write
access. However there are very few contexts where this is allowed, and
most are for testing. These testing locations are not consistently
available (eg, /data/nativetest does not always exist).
We already allow readonly loop devices in /data/local/tmp for testing
purposes, so this adds write support as well (userdebug/eng only).
Bug: 218976943
Test: fiemap_image_test
Change-Id: Ic83ff5ef57241215240228ecaee3d9d07ff31d8e
Currently, vendor_service is excluded from this neverallow
for the same reason. However, the current plan is to remove
vendor_service. Since some vendor HAL services are not
marked as hal_service_type, this part of the change needs
to be submitted independently in order to clean them up.
Bug: 237115222
Test: build
Change-Id: I7893184c4d1011881b721d0b851e07c17f73732b
In order to see the HAL state in bugreports, we need to allow the HAL to
write to file where the dump is going.
Bug: 237233372
Test: adb shell dumpsys android.hardware.input.processor.IInputProcessor/default
Change-Id: Idf78269e4ee9798c078ac3b7ee4f375515d7aadc
When the InputProcessor HAL is getting dumped, allow the dumpstate
process to trigger the trace collection.
In the future, we will also add a 'dump' facility to this HAL.
Bug: 237347585
Bug: 237322365
Test: adb bugreport
Change-Id: Iecc525c212c1b899962a032df9643bdd8b0dcdb6
Goal is to gain a better handle on who has access to which maps
and to allow (with bpfloader changes to create in one directory
and move into the target directory) per-map selection of
selinux context, while still having reasonable defaults for stuff
pinned directly into the target location.
BPFFS (ie. /sys/fs/bpf) labelling is as follows:
subdirectory selinux context mainline usecase / usable by
/ fs_bpf no (*) core operating system (ie. platform)
/net_private fs_bpf_net_private yes, T+ network_stack
/net_shared fs_bpf_net_shared yes, T+ network_stack & system_server
/netd_readonly fs_bpf_netd_readonly yes, T+ network_stack & system_server & r/o to netd
/netd_shared fs_bpf_netd_shared yes, T+ network_stack & system_server & netd [**]
/tethering fs_bpf_tethering yes, S+ network_stack
/vendor fs_bpf_vendor no, T+ vendor
* initial support for bpf was added back in P,
but things worked differently back then with no bpfloader,
and instead netd doing stuff by hand,
bpfloader with pinning into /sys/fs/bpf was (I believe) added in Q
(and was definitely there in R)
** additionally bpf programs are accesible to netutils_wrapper
for use by iptables xt_bpf extensions
'mainline yes' currently means shipped by the com.android.tethering apex,
but this is really another case of bad naming, as it's really
the 'networking/connectivity/tethering' apex / mainline module.
Long term the plan is to merge a few other networking mainline modules
into it (and maybe give it a saner name...).
The reason for splitting net_private vs tethering is that:
S+ must support 4.9+ kernels and S era bpfloader v0.2+
T+ must support 4.14+ kernels and T beta3 era bpfloader v0.13+
The kernel affects the intelligence of the in-kernel bpf verifier
and the available bpf helper functions. Older kernels have
a tendency to reject programs that newer kernels allow.
/ && /vendor are not shipped via mainline, so only need to work
with the bpfloader that's part of the core os.
Bug: 218408035
Test: TreeHugger, manually on cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I674866ebe32aca4fc851818c1ffcbec12ac4f7d4
(cherry picked from commit 15715aea32)
Goal is to gain a better handle on who has access to which maps
and to allow (with bpfloader changes to create in one directory
and move into the target directory) per-map selection of
selinux context, while still having reasonable defaults for stuff
pinned directly into the target location.
BPFFS (ie. /sys/fs/bpf) labelling is as follows:
subdirectory selinux context mainline usecase / usable by
/ fs_bpf no (*) core operating system (ie. platform)
/net_private fs_bpf_net_private yes, T+ network_stack
/net_shared fs_bpf_net_shared yes, T+ network_stack & system_server
/netd_readonly fs_bpf_netd_readonly yes, T+ network_stack & system_server & r/o to netd
/netd_shared fs_bpf_netd_shared yes, T+ network_stack & system_server & netd [**]
/tethering fs_bpf_tethering yes, S+ network_stack
/vendor fs_bpf_vendor no, T+ vendor
* initial support for bpf was added back in P,
but things worked differently back then with no bpfloader,
and instead netd doing stuff by hand,
bpfloader with pinning into /sys/fs/bpf was (I believe) added in Q
(and was definitely there in R)
** additionally bpf programs are accesible to netutils_wrapper
for use by iptables xt_bpf extensions
'mainline yes' currently means shipped by the com.android.tethering apex,
but this is really another case of bad naming, as it's really
the 'networking/connectivity/tethering' apex / mainline module.
Long term the plan is to merge a few other networking mainline modules
into it (and maybe give it a saner name...).
The reason for splitting net_private vs tethering is that:
S+ must support 4.9+ kernels and S era bpfloader v0.2+
T+ must support 4.14+ kernels and T beta3 era bpfloader v0.13+
The kernel affects the intelligence of the in-kernel bpf verifier
and the available bpf helper functions. Older kernels have
a tendency to reject programs that newer kernels allow.
/ && /vendor are not shipped via mainline, so only need to work
with the bpfloader that's part of the core os.
Ignore-AOSP-First: will be cherrypicked from tm-dev to aosp/master
Bug: 218408035
Test: TreeHugger, manually on cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I674866ebe32aca4fc851818c1ffcbec12ac4f7d4
This enables users to run "fastboot getvar dmesg" which is important to
debugging flashing failures in automation. The command is only allowed on
unlocked devices running userdebug builds.
Bug: 230269532
Test: fastboot getvar dmesg
Change-Id: Ia27268fd984f903ca73e69b5717f4206a3cf1ae9
These will get read by system libraries in arbitrary processes, so it's
a public property with read access by `domain`.
Bug: 235129567
Change-Id: I1ab880626e4efa2affe90165ce94a404b918849d
The feature was superseded by tzdata mainline module(s).
Bug: 148144561
Test: see system/timezone
Test: m selinux_policy
Change-Id: I48d445ac723ae310b8a134371342fc4c0d202300
Merged-In: I48d445ac723ae310b8a134371342fc4c0d202300
Remove mention of the /system/bin/idmap binary: the file no longer
exists.
Remove interaction between the domains installd and idmap to interact:
installd used to fork and exec the idmap binary, but the idmap2 binary
has its own binder service.
Bug: 118711077
Bug: 119264713
Test: atest FrameworksServicesTests:com.android.server.om OverlayDeviceTests OverlayHostTests CtsAppSecurityHostTestCases:OverlayHostTest
Change-Id: I06d22057308984e43cb84ff365dbdd1864c7064b
Netd is now serving an AIDL HAL to replace the old HIDL HAL.
Bug: 205764585
Test: Boot and check for avc denials
Change-Id: I1ca5ed4ff3b79f082ea2f6d3e81f60a64ca04855
Adding a new system property that will act as a toggle
enabling/disabling the framework changes that were submitted to prevent
leaked animators.
Bug: 233391022
Test: manual.
Merged-In: I57225feb50a3f3b4ac8c39998c47f263ae211b66
Change-Id: Ifc339efc1c3a5e19920b77d1f24bef19c39d5f44
CTS testcase is failing because of the AVC denails for dumpstate
trying to search mnt_product.
Bug:234086759
Test: android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: I794de8c296992b1d3cdafdb802376870a0eecce7
This is required for testing new ethernet APIs in T.
This change is not identical to the corresponding AOSP change
because it also needs to update the T prebuilts.
Test: TH
Bug: 171872016
Merged-In: I1e6024d7d649be50aa2321543b289f81fcdfc483
(cherry picked from commit 02b55354bd)
Change-Id: I1d620bcd9b3d02c6acb45636bb862f40282f636d
Give system_server and network_stack the same permissions as netd.
This is needed as we are continuously moving code out of netd into
network_stack and system_server.
This change is not identical to the corresponding AOSP change
because it also needs to update the T prebuilts.
Test: TH
Bug: 233300834
Change-Id: I9559185081213fdeb33019733654ce95af816d99
(cherry picked from commit ab02397814)
Merged-In: I9559185081213fdeb33019733654ce95af816d99
Adding a new system property that will act as a toggle
enabling/disabling the framework changes that were submitted to prevent
leaked animators.
Bug: 233391022
Test: manual.
Ignore-AOSP-First: planning to commit to tm-dev then cherry-pick over to
AOSP later.
Change-Id: I57225feb50a3f3b4ac8c39998c47f263ae211b66
This patch allows ioctls() to support zoned device.
Bug: 172377740
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: I69b322ceffd45c7e191d3a37e67ac7324c5b7ee2
Commit ea9921f4f5b9 ("f2fs-tools: support zoned device in Android") in
f2fs-tools supports zoned device in Android. When detecting the disk
supports zoned device with proper types, we need to access its sysfs
entry. Note that, we need to check sysfs entries by default for
non-zoned disks in general as well.
If a product doesn't use metadata encryption which sets a device mapper, vendor
selinux needs to allow sysfs entries for raw disks such as sysfs_scsi_devices or
sysfs_devices_block.
avc: denied { search } for comm="fsck.f2fs" name="dm-44" dev="sysfs" ino=82102 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_dm:s0 tclass=dir permissive=0
avc: denied { read } for comm="fsck.f2fs" name="zoned" dev="sysfs" ino=82333 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_dm:s0 tclass=file permissive=0
Bug: 172377740
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: Iaa4dc9826b614b71b928c33ebc207afab96e586a
Give system_server and network_stack the same permissions as netd.
This is needed as we are continuously moving code out of netd into
network_stack and system_server.
Test: TH
Bug: 233300834
Change-Id: I9559185081213fdeb33019733654ce95af816d99
Remove references in sepolicy. Leave a few of the types defined since
they're public and may be used in device-specific policy.
Bug: 211461392
Test: build/boot cuttlefish
Change-Id: I615137b92b82b744628ab9b7959ae5ff28001169
Let vendor_init can react Vendor System Native Experiment
changes via persist.device_config.vendor_system_native.* properties.
Bug: 223685902
Test: Build and check no avc denied messages in dmesg
Change-Id: If69d1dab02d6c36cdb1f6e668887f8afe03e5b0e
Merged-In: If69d1dab02d6c36cdb1f6e668887f8afe03e5b0e
Let vendor_init can react Vendor System Native Experiment
changes via persist.device_config.vendor_system_native.* properties.
Ignore-AOSP-First: Will cherry-pick
Bug: 223685902
Test: Build and check no avc denied messages in dmesg
Change-Id: If69d1dab02d6c36cdb1f6e668887f8afe03e5b0e
... as this is needed for the hal to access and map
gralloc buffers on devices such as Cuttlefish. Previously,
this sepolicy is added in device specific directories but
the Cuttlefish team is looking at centralizing the sepolicy.
Bug: b/161819018
Test: `atest CtsNNAPITestCases`
Test: `atest VtsHalNeuralnetworksV1_0TargetTest`
Change-Id: Ia5b2704e2cdeedfa19d160e546d811b7d1c21aa9
As a follow-up to https://r.android.com/2078213, remove init's write
access to directories with type system_userdir_file or
media_userdir_file. This has been made possible by moving the creation
of /data/user/0 and /data/media/obb to vold.
Bug: 156305599
Change-Id: Ib9f43f2b111518833efe08e8cacd727c75b80266
All domains using libbinder need access to this new ioctl in order to
pull precise information upon failed binder operations.
Bug: 28321379
Tested: clients can now use the ioctl through libbinder
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Change-Id: I8d6e5ca6b133b934855a7545cc1a9786e2c4ad65
init should use subcontext (vendor_init) for actions/services from
/{vendor, odm} partitions. However, when configs are from vendor APEXes,
init can't tell whether the APEXes are from /{vendor, odm} just by
looking at the config file paths.
Instead, init can look up /apex/apex-info-list.xml for APEXes
preinstalled paths to tell APEXes' original partition.
Bug: 232021354
Test: atest CtsBluetoothTestCases
(Cuttlefish has BT HAL APEX in /vendor)
Change-Id: I8cb5d9eb3970790499ef1eb1ee00851591a42e98
Creating a per-user encrypted directory such as /data/system_ce/0 and
the subdirectories in it too early has been a recurring bug. Typically,
individual services in system_server are to blame; system_server has
permission to create these directories, and it's easy to write
"mkdirs()" instead of "mkdir()". Such bugs are very bad, as they
prevent these directories from being encrypted, as encryption policies
can only be set on empty directories. Due to recent changes, a factory
reset is now forced in such cases, which helps detect these bugs;
however, it would be much better to prevent them in the first place.
This CL locks down the ability to create these directories to just vold
and init, or to just vold when possible. This is done by assigning new
types to the directories that contain these directories, and then only
allowing the needed domains to write to these parent directories. This
is similar to what https://r.android.com/1117297 did for /data itself.
Three new types are used instead of just one, since these directories
had three different types already (system_data_file, media_rw_data_file,
vendor_data_file), and this allows the policy to be a bit more precise.
A significant limitation is that /data/user/0 is currently being created
by init during early boot. Therefore, this CL doesn't help much for
/data/user/0, though it helps a lot for the other directories. As the
next step, I'll try to eliminate the /data/user/0 quirk. Anyway, this
CL is needed regardless of whether we're able to do that.
Test: Booted cuttlefish. Ran 'sm partition disk:253,32 private', then
created and deleted a user. Used 'ls -lZ' to check the relevant
SELinux labels on both internal and adoptable storage. Also did
similar tests on raven, with the addition of going through the
setup wizard and using an app that creates media files. No
relevant SELinux denials seen during any of this.
Bug: 156305599
Change-Id: I1fbdd180f56dd2fe4703763936f5850cef8ab0ba
These ioctls don't need to be allowed, as they'd only be needed to set
project quota IDs. But this is only done by other domains (installd,
vold, and mediaprovider_app). Probably it was originally planned for an
init script to run 'chattr -p ID', but this didn't end up happening.
This is a basically revert of commit 4de3228c46 ("Allow toolbox to set
project quota IDs.") (https://r.android.com/1224007).
Also remove an outdated comment at the top of the file.
Test: booted Cuttlefish, no denials seen.
Change-Id: If61179a35f419c6cbfcf1432a86b2c1375db71ed
Since Android 12, vold goes through the keystore daemon instead of using
the keymaster HAL directly. Therefore, the SELinux rules that allow
vold to use the keymaster HAL directly are no longer needed.
Bug: 181910578
Change-Id: I8ecc47530cba82128c869ffd2fed9009dd7d5e05
... such as Cuttlefish (Cloud Android virtual device) which has a
DRM virtio-gpu based gralloc and (sometimes) DRM virtio-gpu based
rendering (when forwarding rendering commands to the host machine
with Mesa3D in the guest and virglrenderer on the host).
After this change is submitted, changes such as aosp/1997572 can
be submitted to removed sepolicy that is currently duplicated
across device/google/cuttlefish and device/linaro/dragonboard as
well.
Adds a sysfs_gpu type (existing replicated sysfs_gpu definitions
across several devices are removed in the attached topic). The
uses of `sysfs_gpu:file` comes from Mesa using libdrm's
`drmGetDevices2()` which calls into `drmParsePciDeviceInfo()` to
get vendor id, device id, version etc.
Bug: b/161819018
Test: launch_cvd
Test: launch_cvd --gpu_mode=gfxstream
Change-Id: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
Merged-In: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
... such as Cuttlefish (Cloud Android virtual device) which has a
DRM virtio-gpu based gralloc and (sometimes) DRM virtio-gpu based
rendering (when forwarding rendering commands to the host machine
with Mesa3D in the guest and virglrenderer on the host).
After this change is submitted, changes such as aosp/1997572 can
be submitted to removed sepolicy that is currently duplicated
across device/google/cuttlefish and device/linaro/dragonboard as
well.
Adds a sysfs_gpu type (existing replicated sysfs_gpu definitions
across several devices are removed in the attached topic). The
uses of `sysfs_gpu:file` comes from Mesa using libdrm's
`drmGetDevices2()` which calls into `drmParsePciDeviceInfo()` to
get vendor id, device id, version etc.
Ignore-AOSP-First: must be submitted in internal as a topic first to
avoid having duplicate definitions of sysfs_gpu
in projects that are only available in internal
Bug: b/161819018
Test: launch_cvd
Test: launch_cvd --gpu_mode=gfxstream
Change-Id: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
Merged-In: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
Now that FDE (Full Disk Encryption) is no longer supported, the SELinux
policy doesn't need to support it. Remove two rules that are no longer
needed. Also update some comments that implied that other rules were
needed only because of FDE support, when actually they are still needed
for other reasons. Finally, fix some outdated documentation links.
Bug: 208476087
Change-Id: I4e03dead91d34fcefdfcdc68d44dd97f433d6eaf
Relevant error logs show up when dumpstate do lsof using su identity:
RunCommand("LIST OF OPEN FILES", {"lsof"}, CommandOptions::AS_ROOT);
This is an intended behavior and the log is useless for debugging so I
suppress them.
Bug: 226717429
Test: do bugreport with relevant error gone.
Change-Id: Ide03315c1189ae2cbfe919566e6b97341c5991bb
This adds the two top interfaces: IConfig and IModule
to service context, allows the HAL service to call
Binder, and registers the example implementation
service executable.
Bug: 205884982
Test: m
Change-Id: I322e813c96123167ea29b6c25a08ec9677c9b4d1
Relevant error logs show up when dumpstate do lsof using su identity:
RunCommand("LIST OF OPEN FILES", {"lsof"}, CommandOptions::AS_ROOT);
This is an intended behavior and the log is useless for debugging so I
suppress them.
Bug: 225767289
Test: do bugreport with no su related avc errors
Change-Id: I0f322cfc8a461da9ffb17f7493c6bbdc58cce7b6
