Test: ensure no build failures;
add RoleManagerService as a boot phase
ensure no SecurityException in logcat on boot
Change-Id: Ia0803c0fb084fe2b12f5c20f5e46354d0dd1aedf
system/sepolicy commit 619c1ef2ac started
enforcing ioctl whitelisting requirements for /dev/tun. Bluetooth needs
the ability to issue TUNSETIFF on /dev/tun, so allow access. We also
allow access to TUNGETIFF for good measure.
Addresses the following denial:
avc: denied { ioctl } for comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs" ino=20047 ioctlcmd=0x54ca scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=0
Test: policy compiles
Change-Id: Ie4c138fc774373cec266c59de6663db147d60423
No coredomain domain has access to these types and corresponding /dev
nodes don't exist on the device:
audio_seq_device
audio_timer_device
full_device
i2c_device
vcs_device
Bug: 110962171
Test: m selinux_policy
Test: boot walleye
Change-Id: I89ad4755e6760aa166cb22e2655567e5905dc672
These rules mirror those for /vendor/overlay and /odm/overlay, including
the possilibity of a symlink like /system/vendor -> /vendor.
Test: builds, boots
Change-Id: I323e48fcc13c4ac7779902506539c2600708cc88
Historically GPU service lives in SurfaceFlinger as a convenient hack.
Howerver, SurfaceFlinger doesn't need to know about anything specific about GPU
capability, and shouldn't know about anything about GPU. This patch moves GPU
service out of SurfaceFlinger.
GPU service is a service that accesses to GPU driver, queries GPU capabilities
and reports back. Currently we use this information in CTS and some benchmarks.
BUG: 118347356
Test: Build, flash and boot, use `adb shell cmd gpu vkjson` to verify
Change-Id: I007989e0f3f73b5caf80277979986820dd127c32
In earlier kernel versions (<4.0), the loopback driver issues
requests from a kernel thread. Therefore, the kernel needs access
to APEX file descriptors and data files (which are loopback
mounted).
Bug: 119220815
Test: mounting works on sailfish
Change-Id: I75b2bade41c64cf6fa6040d9c2f5489a206e04c6
apexd_prop is also defined in private/propery_contexts in order to make
the type to exist even when PRODUCT_COMPATIBLE_PROPERTY is false (i.e.,
Pixel 1).
Bug: 119220815
Test: m plat_property_contexts for sailfish
the built plat_property_contexts has apexd_prop defined
Change-Id: I9ef71410533c1f64fc6a3112cfcb199d23aaf3db
Pass LOCAL_ADDITIONAL_M4DEFS to m4 when building vendor_file_contexts
and odm_file_contexts. The build command attempts to use
PRIVATE_ADDITIONAL_M4DEFS - but this is not set in the target-specific
variables.
This allows using custom M4 macros when building non-platform
file_contexts.
Change-Id: I5fa8d9ec91f1a97bee1dd735ba85af93eef91252
Calling execve() on files in an app's home directory isn't allowed
for targetApi >=29. But this is needed by simpleperf to profile
a debuggable app via run-as.
So workaround it by adding runas_app domain, which allows running
app data file. And add a rule in seapp_contexts to use runas_app
domain for setcontext requests from run-as.
Bug: 118737210
Test: boot marlin and run CtsSimpleperfTestCases.
Change-Id: I5c3b54c95337d6d8192861757b858708174ebfd5
These /dev nodes are device-specific and should be labeled from device
policy. Moreover, pixels don't have these /dev nodes.
Bug: 110962171
Test: boot pixel 3
Change-Id: I37ca9a956130eb4763c75f5e8a0decbd4f7b97a7
As b/116344577 is fixed, we no longer need the compatbility mapping any
more.
Test: build passed. Boot succeeded.
Change-Id: I0d7f02c59853d34bdabaad6841d87e9ca1ee25d7
Mark the ADB service as a system_api_service so that SystemUI can tell
it that the device is accepted. Refactoring split the AdbService out of
the UsbService. UsbService is marked as an app_api_service which SystemUI
is allowed to connect to; AdbService must be marked similarly as either
system_api_service or app_api_service. However, only system apps should
talk to AdbService currently.
SELinux : avc: denied { find } for service=adb pid=1737 uid=10041 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:adb_service:s0 tclass=service_manager permissive=0
Introduced in Change-Id Ibf23964665a115a5bc835820dcff98aaf7ba610f
Test: Flash userdebug, accept ADB key, and replug USB
Bug: 118999282
Change-Id: I47b5090908ed84d0ba7a9fca100b299011bf8796
Allow sgdisk to force the kernel to re-read the partition table.
Addresses the following denial:
avc: denied { ioctl } for path=/dev/block/vold/disk:7,0 dev=tmpfs ino=710640 ioctlcmd=125f scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0
Bug: 118890056
Test: policy compiles
Test:
1) adb shell sm set-force-adoptable on
2) adb shell sm set-virtual-disk true
3) On device, pick the drop-down notification and
choose "use as phone/internal storage" to adopt the virtual SD card.
Change-Id: I6825cf526cc48aa2a17afab14eadb6134bfc56f9
A sysprop apexd.status is set by apexd, to that other components (i.e.
init) can determine whether APEXs are all successfully mounted or no
(i.e., being mounted).
The sysprop is only writable by apexd.
Bug: 117403679
Test: adb shell getprop apexd.status returns 'ready'.
Change-Id: I81bcb96e6c5cb9d899f29ffa84f91eab3820be25
Update access_vectors to support newer kernel functionality.
This change does not grant any new access.
Inspired by the following refpolicy commits:
* 25a5b24274
* 109ab3296b
* 437e48ac53
Bug: 118843234
Test: policy compiles
Change-Id: I7c5a8dcf288dc2321adcf368bd0c0573c5257202
Require all SELinux domains which have permission to perform ioctls on
/dev/tun explicitly specify what ioctls they perform. Only allow the
safe defaults FIOCLEX and FIONCLEX, which are alternate, uncommon ways
to set and unset the O_CLOEXEC flag.
Remove app's ability to issue *any* ioctls on /dev/tun, period. Add
neverallow assertions (compile time assertion + CTS test) to prevent
regressions.
Limit system_server's ability to perform ioctls on /dev/tun to FIOCLEX,
FIONCLEX, TUNGETIFF, and TUNSETIFF. Testing and source code examination
shows that only TUNGETIFF and TUNSETIFF are used by system_server.
The goal of this change is to put SELinux ioctl controls in place for
/dev/tun, so we don't have to maintain the custom kernel patch at
11cee2be0c%5E%21
Delete the neverallow assertion in isolated_app.te. This is already
covered by the assertion present in app_neverallows.te.
Test: cts-tradefed run cts -m CtsHostsideNetworkTests -t com.android.cts.net.HostsideVpnTests
Test: cts-tradefed run cts -m CtsHostsideNetworkTests
Test: cts-tradefed run cts -m CtsNetTestCases
Bug: 111560739
Bug: 111560570
Change-Id: Ibe1c3a9e880db0bee438535554abdbc6d84eec45
Emulator device can not be considered a full treble device even though
it has PRODUCT_SHIPPING_API_LEVEL = 28. This is prevents us from merging
neverallow rules that implement Treble requirements (aosp/798433). As a
temporary workaround, disable the checks on that variable.
Bug: 112933807
Bug: 113124961
Bug: 111243627
Test: m selinux_policy
Change-Id: I9a29c01dfcbc70e4ba1e4eef233355bc18ec2108
Add support for the HDIO_GETGEO and BLKGETSIZE ioctls when operating on
/dev/block/vold/ block devices.
HDIO_GETGEO is needed by the sgdisk code to get the number of heads on
the disk drive, likely a side effect of the age of this code.
646af625ce/diskio-unix.cc (193)
Addresses the following denial:
audit(0.0:1775): avc: denied { ioctl } for comm="sgdisk" path="/dev/block/vold/disk:8,96" dev="tmpfs" ino=10740855 ioctlcmd=0x301 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0
BLKGETSIZE is used to determine the size of the block device. Ideally
code should not be using this ioctl, as it fails for devices >= 2T in
size. Technically we don't need to grant this, as the sgdisk code will
fall back to using BLKGETSIZE64 if BLKGETSIZE fails.
646af625ce/diskio-unix.cc (430)
Addresses the following denial:
audit(0.0:1778): avc: denied { ioctl } for comm="sgdisk" path="/dev/block/vold/disk:8,96" dev="tmpfs" ino=10740855 ioctlcmd=0x1260 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0
Test: policy compiles.
Change-Id: Iaa5274721e8a7d1741591570e9e5305723aad640
Already has permissions to remove the scratch partition, but to allow
more refined cleansing (eg: just remove vendor override), need the
ability to mount and scrub overlay directories.
Test: manual
Bug: 117605276
Change-Id: Ibc272c0aa7ce207280023912f5f119ccf5079a7f
Vendor need to hook bugreport propery as well as dumpstatez.
This CL exports it.
Test: Confirmed verndor can get property trigger hook manually
Bug: 118718191
Change-Id: I64a0e38716fb863ccd8923c6c41a776ea341f2d1
Signed-off-by: Minchan Kim <minchan@google.com>