Dumpstate already has permissions to get these services to dump their
stack and they are listed in dump_utils.cpp.
Test: adb shell bugreport && check bugreport
Bug: 273937310
Change-Id: I4128f4285da2693242aa02fec1bb2928e34cfcbf
Bug: 260366497
Bug: 264600011
Test: Take bugreport and check dmesg for avc error
Test: Reboot and check shutdown-checkpoints
Change-Id: Ifcc7de30ee64e18f78af147cd3da39d7c6dc6f5f
This reverts commit f4ab6c9f3c.
Reason for revert: CPU HAL is no longer required because the CPU frequency sysfs files are stable Linux Kernel interfaces and could be read directly from the framework.
Change-Id: I8e992a72e59832801fc0d8087e51efb379d0398f
This CL allows dumpstate to signal evsmanagerd, which is another
android.hardware.automotive.evs.IEvsEnumerator implementation, to dump
its stack.
Fix: 243335867
Test: atest android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: I37b4cf0ae45f8196f92088cf07a2b45c44f50ee8
Change-Id: Ia091bf8f597a25351b5ee33b2c2afc982f175d51
Test: Ran `m; emulator; adb logcat -b all -d > logcat.txt;`
and verified CPU HAL is running without any sepolicy violation.
Bug: 252883241
aosp/2215361 added the collection of update_engine preferences by
dumpstate. Add the corresponding policy. The /data/misc/update_engine
directory only contains the prefs/ subdirectory (see
DaemonStateAndroid::Initialize in update_engine).
Bug: 255917707
Test: m selinux_policy
Change-Id: I8c80f319d97f22f29158dd67352c3429d3222a35
When the InputProcessor HAL is getting dumped, allow the dumpstate
process to trigger the trace collection.
In the future, we will also add a 'dump' facility to this HAL.
Bug: 237347585
Bug: 237322365
Test: adb bugreport
Change-Id: Iecc525c212c1b899962a032df9643bdd8b0dcdb6
CTS testcase is failing because of the AVC denails for dumpstate
trying to search mnt_product.
Bug:234086759
Test: android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: I794de8c296992b1d3cdafdb802376870a0eecce7
Remove references in sepolicy. Leave a few of the types defined since
they're public and may be used in device-specific policy.
Bug: 211461392
Test: build/boot cuttlefish
Change-Id: I615137b92b82b744628ab9b7959ae5ff28001169
... such as Cuttlefish (Cloud Android virtual device) which has a
DRM virtio-gpu based gralloc and (sometimes) DRM virtio-gpu based
rendering (when forwarding rendering commands to the host machine
with Mesa3D in the guest and virglrenderer on the host).
After this change is submitted, changes such as aosp/1997572 can
be submitted to removed sepolicy that is currently duplicated
across device/google/cuttlefish and device/linaro/dragonboard as
well.
Adds a sysfs_gpu type (existing replicated sysfs_gpu definitions
across several devices are removed in the attached topic). The
uses of `sysfs_gpu:file` comes from Mesa using libdrm's
`drmGetDevices2()` which calls into `drmParsePciDeviceInfo()` to
get vendor id, device id, version etc.
Bug: b/161819018
Test: launch_cvd
Test: launch_cvd --gpu_mode=gfxstream
Change-Id: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
Merged-In: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
By default, HAL's services are not accessible by dumpstate. HIDL
implementations were silenced via a dontaudit on hwservice_manager. But
AIDL implementations will trigger a denial, unless authorized via
`dump_hal`. Mark all HAL services with a new attribute
`hal_service_type` so they can be ignored by dumpstate.
Test: m selinux_policy
Bug: 219172252
Change-Id: Ib484368fdeff814d4799792d57a238d6d6e965fd
exceptions and dontaudit lists.
wpa_supplicant does not have a dump() method, so
dumpstate shouldn't need to access this HAL.
Bug: 213616004
Test: Treehugger tests
Change-Id: I5a0d80725434b56c9663948c3727faea9fb38db6
This reverts commit e95e0ec0a5.
Now that b/186727553 is fixed, it should be safe to revert this revert.
Test: build
Bug: 184381659
Change-Id: Ibea3882296db880f5cafe4f9efa36d79a183c8a1
Revert submission 1668411
Reason for revert: Suspect for b/186173384
Reverted Changes:
Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t...
I743a81489:Exclude vendor_modprobe from debugfs neverallow re...
I63a22402c:Add neverallows for debugfs access
I289f2d256:Add a neverallow for debugfs mounting
Change-Id: I9b7d43ac7e2ead2d175b265e97c749570c95e075
Android R launching devices and newer must not ship with debugfs
mounted. For Android S launching devices and newer, debugfs must only be
mounted in userdebug/eng builds by init(for boot time initializations)
and dumpstate(for grabbing debug information from debugfs using the
dumpstate HAL).
This patch adds neverallow statements to prevent othe processes
being provided access to debugfs when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS
is set to true.
Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Bug: 184381659
Change-Id: I63a22402cf6b1f57af7ace50000acff3f06a49be
Bug: 168907513
Test: verified the correct working of the v2 uid/pid hierarchy in normal
and recovery modes
This reverts commit aa8bb3a29b.
Change-Id: Ib344d500ea49b86e862e223ab58a16601eebef47
a54bed6907
Bug: 151660495
Test: verified proper boot in regular mode and proper working of adb in
recovery
Change-Id: Id70d27a6162af6ede94661005d80a2a780057089
Allow non-system apps to get an instance through
Context#getSystemService, and then dumpstate also needs permissions to
append to public apps' files.
Most carrier apps are not pre-installed, but we still want to allow them
to request connectivity bug reports, which are well-scoped to contain
limited PII and all info should directly relate to connectivity
(cellular/wifi/networking) debugging.
BugreportManager underneath validates that the calling app has carrier
privileges before actually starting the bug report routine. User consent
is requested for every bugreport requested by carrier apps.
Without the dumpstate.te change, the following error will occur:
01-14 20:08:52.394 1755 1755 I auditd : type=1400 audit(0.0:10): avc: denied { append } for comm="Binder:1755_16" path="/data/user/0/com.carrier.bugreportapp.public/files/bugreports/bugreport-2021-01-14-20-08-51.zip" dev="dm-8" ino=25218 scontext=u:r:dumpstate:s0 tcontext=u:object_r:app_data_file:s0:c7,c257,c512,c768 tclass=file permissive=0
[ 1167.128552] type=1400 audit(1610654932.394:10): avc: denied { append } for comm="Binder:1755_16" path="/data/user/0/com.carrier.bugreportapp.public/files/bugreports/bugreport-2021-01-14-20-08-51.zip" dev="dm-8" ino=25218 scontext=u:r:dumpstate:s0 tcontext=u:object_r:app_data_file:s0:c7,c257,c512,c768 tclass=file permissive=0
Bug: 161393541
Test: atest CtsCarrierApiTestCases:BugreportManagerTest
Change-Id: I443b1f6cd96223ed600c4006bc344c2a8663fdc7
user_profile_data_file is mlstrustedobject. And it needs to be,
because we want untrusted apps to be able to write to their profile
files, but they do not have levels.
But now we want to apply levels in the parent directories that have
the same label, and we want them to work so they need to not be
MLS-exempt. To resolve that we introduce a new label,
user_profile_root_file, which is applied to those directories (but no
files). We grant mostly the same access to the new label as
directories with the existing label.
Apart from appdomain, almost every domain which accesses
user_profile_data_file, and now user_profile_root_file, is already
mlstrustedsubject and so can't be affected by this change. The
exception is postinstall_dexopt which we now make mlstrustedobject.
Bug: 141677108
Bug: 175311045
Test: Manual: flash with wipe
Test: Manual: flash on top of older version
Test: Manual: install & uninstall apps
Test: Manual: create & remove user
Test: Presubmits.
Change-Id: I4e0def3d513b129d6c292f7edb076db341b4a2b3
the cgroups v2 uid/gid hierarchy will replace cgroup for all sepolicy
rules. For this reason, old rules have to be duplicated to cgroup_v2,
plus some rules must be added to allow the ownership change for cgroup
files created by init and zygote.
Test: booted device, verified correct access from init, system_server
and zygote to the uid/pid cgroup files
Change-Id: I80c2a069b0fb409b442e1160148ddc48e31d6809
Now running ps requires the read permission for /proc/sys/kernel/pid_max.
Also, grant the binder_call permission for recently added profcollectd.
Bug: 170070222
Change-Id: I5bc0f89a0538091de40647777ff6bf47f47dc066
audiocontrol_hal, vehicle_hal and evs_hal were added to dump_util.cpp in
b/148098383. But the coresponding dumpstate.te is not updated to relfect
the changes, causing denials when dumpstate attempts to dump auto hal servers.
This CL updates dumpstate.te to allow dumpstate to access auto hal servers.
Bug: 162537916
Test: sesearch -A -s dumpstate -t hal_audiocontrol_server -p signal sepolicy
Test: sesearch -A -s dumpstate -t hal_vehicle_server -p signal sepolicy
Test: sesearch -A -s dumpstate -t hal_evs_server -p signal sepolicy
Change-Id: If6d6e4d9c547da17817f2668dc4f2a093bddd632
Bug: 156710131
Test: tested in userdebug with dumpstate.unroot set to true
Change-Id: Iabd636f109e719753fdd650f05e1a7af835c49d7
Signed-off-by: TeYuan Wang <kamewang@google.com>
public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.
Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
