am skip reason: Merged-In Ie495f6f9ad43146a0bfcd5bb291fca3760467370 with SHA-1 980c33614e is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2895200
Change-Id: If342c7411a202b239631bf90ac5083223bfe6656
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
security_state service manages security state (e.g. SPL) information across partitions, modules, etc.
Bug: 315895055
Test: N/A
Change-Id: Iee761f8a33f70e8c6bc03849c021f4e165c6f6db
This commit includes two sepolicy changes:
1. change threadnetwork data file to
/data/misc/apexdata/com.android.tethering/threadnetwork
2. use apex_tethering_data_file for files under
/data/misc/apexdata/com.android.tethering
The background is that the Thread daemon (ot_daemon) is merged into the
Tethering mainline module, which means the the Tehtering module now has
code running in both system_server and the standalone unprivileged
ot_daemon process. To prevent ot_daemon from accessing other
apex_system_server_data_file dirs, here use the specific
apex_tethering_data_file for both Tethering and Thread files (A
subdirectory threadnetwork/ will be created for Thread at runtime). This
is similar to apex_art_data_file and apex_virt_data_file.
Note that a file_contexts rule like
```
/data/misc/apexdata/com\.android\.tethering/threadnetwork(/.*)? u:object_r:apex_threadnetwork_data_file:s0
```
won't work because the threadnetwork/ subdir doesn't exist before the
sepolicy rules are evaluated.
Bug: 309932508
Test: manually verified that Thread settings file can be written to
/data/misc/apexdata/com.android.tethering/threadnetwork
Change-Id: I66539865ef388115c8e9b388b43291d8faf1f384
Looks like we missed this, and so non-rooted locked devices can't override the persistent sysprops. On Pixel 8 for example, we ship with 'persist.arm64.memtag.system_server=off' by default (from some droidfood carry-overs), and this can't be edited (https://googleprojectzero.blogspot.com/2023/11/first-handset-with-mte-on-market.html).
We should allow these advanced users to set all the MTE properties on the device that they own, and they can already control the non-persistent properties.
Test: N/A
Bug: N/A
(cherry picked from https://android-review.googlesource.com/q/commit:980c33614e691dde070b59bc746bd252b6edb189)
Merged-In: Ie495f6f9ad43146a0bfcd5bb291fca3760467370
Change-Id: Ie495f6f9ad43146a0bfcd5bb291fca3760467370
Bug: 309888546
As virtualizationmanager holds references to IBoundDevice returned by
vfio_handler, virtualizationmanager should also have permission to
binder_call.
Bug: 278008519
Test: boot microdroid with assigned devices
Change-Id: I7b87de099b0731c386666cec215807dc39d8c89c
Post OTA reboot, snapshot-merge threads will be run in the background cgroup so that they don't run on big cores. Hence, use SetTaskProfiles() API to move the thread to the relavant cgroup.
When setting SetTaskProfile API, /dev/cpuset/background/tasks path
is accessed which requires process to be in system group.
Use setgid to move the task to system group.
Bug: 311233916
Test: OTA on Pixel 6 - Verify that merge threads are not run on big
cores
Change-Id: Ie4921910985292b0b05f4ffc70b0d08ad9e4a662
Signed-off-by: Akilesh Kailash <akailash@google.com>
Use our standard macro for granting all the necessary permissions
instead of copying a part of it.
Add ioctl access for all clients for Unix stream sockets & pipes; this
allows them to be used for stdin/stdout without triggering
denials. (Only unpriv_sock_ioctls can be used.)
Together this allows a root shell to use `vm run` without getting
spurious denials such as:
avc: denied { ioctl } for comm="crosvm" path="socket:[835168]"
dev="sockfs" ino=835168 ioctlcmd=0x5401 scontext=u:r:crosvm:s0
tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=0
Bug: 316048644
Test: adb root, adb shell /apex/com.android.virt/bin/vm run-microdroid
Test: atest MicrodroidTests
Change-Id: Ib5186c70714e295a770896cf8b628384f410b94d
Allow r_file_perms rather than just open+read, mainly because I saw
this denial:
avc: denied { getattr } for comm="binder:11247_2"
path="/sys/firmware/devicetree/base/avf/guest/common/log"
dev="sysfs" ino=16469 scontext=u:r:virtualizationmanager:s0
tcontext=u:object_r:sysfs_dt_avf:s0 tclass=file permissive=0
Also refactor slightly in microdroid_manager.te.
Test: TH
Change-Id: If2963441b3490a502c293c7a7cdd204d9db7d48a
This prop is read in its .rc file to stop the service. Otherwise,
evertyime the service exits, it is restarted.
We don't want it to be `oneshot` because under normal operation, it
should be restarted if it exits/crashes.
Test: remove kTempHidlSupport && m && launch_cvd
Bug: 218588089
Change-Id: I9a4c61778c244a08ff753689604e79168058dd4c
sepolicy versioning is for system <-> vendor compatibility. This changes
sepolicy version format from sdk version (e.g. 34.0) to vendor api
version (e.g. 202404.0).
Bug: 314010177
Test: build and boot
Change-Id: I2422c416b7fb85af64c8c835497bbecd2e10e2ab
am skip reason: Merged-In I7226bae79344c3b2a5a0f59940dde6d64a8a7ea1 with SHA-1 cf2694bf86 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2879648
Change-Id: I266f1286f87d37d3d48429e36bbab6fb174050ed
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Being a system_api_service prevents non-privileged apps from getting a reference to WearableSensingManager via Context#getSystemService (it returns null). CTS tests are run as non-privileged apps, so we need this change to properly test the API.
The API methods are protected by a signature|privileged permission. CTS tests can gain this permission by adopting the Shell's permission identity, but it can't get around the SELinux policy.
wearable_sensing_service is mostly modelled after ambient_context_service, which is an app_api_service, so we believe this change is fine from a security's perspective.
Test: A CTS test can get a WearableSensingManager via Context#getSystemService after this change.
Change-Id: I9d854353f48ff7b3fa5a07527bee0bcc83cb6236
type=1400 audit(0.0:835): avc: denied { read }
for path="/data/app/vmdl1923101285.tmp/base.apk"
dev="dm-37" ino=29684
scontext=u:r:isolated_app:s0:c512,c768
tcontext=u:object_r:apk_tmp_file:s0 tclass=file
permissive=0
Bug: 308775782
Bug: 316442990
Test: Flashed to device with and without this change, confirmed that this
change allows an isolated process to read already opened staged apk file
(cherry picked from https://android-review.googlesource.com/q/commit:cf2694bf863fc31ac5862b92bb9258136de57932)
Merged-In: I7226bae79344c3b2a5a0f59940dde6d64a8a7ea1
Change-Id: I7226bae79344c3b2a5a0f59940dde6d64a8a7ea1
/tmp is a volatile temporary storage location for the shell user.
As with /data/local/tmp, it is owned by shell:shell and is chmod 771.
Bug: 311263616
Change-Id: Ice0229d937989b097971d9db434d5589ac2da99a
It ferries SecretManagement messages to/from Sk. Reflect this is
sepolicies.
Test: With topic, check selinux denials
Bug: 291213394
Change-Id: Ia0d25e46232d56c59fb18f8642767bfa2d5ffab1
This reverts commit 5e1d7f1c85.
Reason for revert: retry with a fix to the failed tests
Test: atest art_standalone_oatdump_tests
Change-Id: I28872c643ba4ec07ef41b1f9be86036c592a6e4e
