Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.
Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.
Test: Tested by building policy and running on device.
Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
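As an added illustration of the public/private split described above (this is example code, not the AOSP build's own versioning tooling): the vendor-facing copy of the exported policy replaces each public type with an attribute, and a platform-side mapping file binds that attribute back to the real type. The `_<major>_<minor>` suffix, the `typeattribute` mapping form and the sample fragment are assumptions chosen for illustration.

```python
"""Rewrite a public/ policy fragment into attribute form for non-platform use.

Added example, not part of system/sepolicy. The versioned-attribute naming,
the mapping syntax and SAMPLE_PUBLIC are constructed assumptions.
"""
import re

# A type declaration: "type name, attr1, attr2;" (attributes optional).
TYPE_RE = re.compile(r"^type\s+(\w+)\s*(?:,\s*([^;]+))?;$")
# A TE rule: "<kind> source target:class perms;" (perms may be a braced set).
RULE_RE = re.compile(
    r"^(allow|auditallow|dontaudit|neverallow)\s+(\w+)\s+(\w+):(\S+)\s+(.*);$")

# Constructed sample of what a public/ fragment might look like.
SAMPLE_PUBLIC = """\
# constructed sample of a public/ fragment
type hal_foo, domain;
type foo_data_file, file_type, data_file_type;
allow hal_foo foo_data_file:dir search;
allow hal_foo foo_data_file:file { read getattr };
"""


def public_types(fragment):
    """Names of all types declared in the fragment, in order."""
    names = []
    for line in fragment.splitlines():
        m = TYPE_RE.match(line.strip())
        if m:
            names.append(m.group(1))
    return names


def versioned(name, version):
    """Attribute name for an exported type at a given platform version."""
    return "%s_%s" % (name, version.replace(".", "_"))


def version_policy(fragment, version):
    """Vendor-side copy: type declarations become attributes, and rules that
    mention an exported type are retargeted at its versioned attribute."""
    exported = set(public_types(fragment))
    out = []
    for raw in fragment.splitlines():
        line = raw.strip()
        m = TYPE_RE.match(line)
        if m:
            out.append("attribute %s;" % versioned(m.group(1), version))
            continue
        m = RULE_RE.match(line)
        if m:
            kind, src, tgt, cls, perms = m.groups()
            src = versioned(src, version) if src in exported else src
            tgt = versioned(tgt, version) if tgt in exported else tgt
            out.append("%s %s %s:%s %s;" % (kind, src, tgt, cls, perms))
            continue
        out.append(line)  # comments and blank lines pass through unchanged
    return "\n".join(out)


def mapping_file(fragment, version):
    """Platform-side mapping: bind each versioned attribute to the live type,
    so a vendor policy built against an older version keeps resolving."""
    return "\n".join("typeattribute %s %s;" % (t, versioned(t, version))
                     for t in public_types(fragment))


if __name__ == "__main__":
    print(version_policy(SAMPLE_PUBLIC, "27.0"))
    print(mapping_file(SAMPLE_PUBLIC, "27.0"))
```

Keeping one mapping file per released version is what lets the platform rename or split a type later: only the mapping for the old version changes, while the vendor policy compiled against the versioned attributes is untouched.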
Ignore, as it's a side effect of mounting /vendor.
Bug: 31116514
Change-Id: If94a27a26181e40de5c5e60f5446de9ce2ccdba0
(cherry picked from commit 0f81e06630)
No core android component needs access to /dev/snd/{seq,timer}, but
currently audioserver, bootanim, init, system_server and ueventd have
access. Seq and timer have been the source of many bugs in the past
[1]. Giving these files new labels without explicitly granting access
removes access from audioserver, bootanim, and system_server.
Init and ueventd still require access for /dev setup.
TODO: Explore unsetting CONFIG_SND_TIMER in device kernels.
[1] https://github.com/google/syzkaller/wiki/Found-Bugs
Test: media CTS "cts-tradefed run cts -m CtsMediaTestCases" on Bullhead
and Dragon completed with no denials.
Bug: 29045223
(cherry picked from commit db4510d87a)
Change-Id: I2d069920e792ce8eef70c7b4a038b9e7000f39f5
Test: builds/boots on Angler. No "granted" messages for the removed
permissions observed in three months of log audits.
Bug: 28760354
Change-Id: I0a6363f094c41392469f438c4399c93ed53fb5ac
avc: granted { use } for pid=3067 comm="SoundPoolThread" scontext=u:r:drmserver:s0 tcontext=u:r:system_server:s0 tclass=fd
Test: builds/boots on Angler. Adds permissions for all "granted" avc
messages observed in three months of log auditing.
Bug: 28760354
Change-Id: I51f13d7c7d40f479b1241dfcd5d925d28f74926b
As fallout from the corresponding fix in libselinux,
this patch adds the missing services without changing
semantics.
Test: bullhead builds and boots
Bug: 31353148
Change-Id: I21026c9435ffef956a59d61c4903174ac7b1ef95
Grant access to all processes and audit access. The end goal is to
whitelist all access to the interpreter. Several processes including
dex2oat, apps, and zygote were observed using libart, so omit them
from auditing and explicitly grant them access.
Test: Angler builds and boots
Bug: 29795519
Change-Id: I9b93c7dbef5c49b95a18fd26307955d05a1c8e88
This fixes the build error:
=====
libsepol.report_assertion_extended_permissions: neverallowxperm on line 166 of system/sepolicy/domain.te (or line 9201 of policy.conf) violated by
allow dumpstate dumpstate:netlink_tcpdiag_socket { ioctl };
libsepol.check_assertions: 1 neverallow failures occurred
=====
Which is caused, in AOSP and downstream branches, by
I123e5d40955358665800fe3b86cd5f8dbaeb8717.
Test: builds.
Change-Id: I925dec63df7c3a0f731b18093a8ac5c70167c970
Allow hwservicemanager to set properties starting with the prefix
"hwservicemanager."
b/31458381
b/31240290
Test: passing build and runtime tests
Change-Id: Id92e2170f52893bbf236987ee59383df2264952f
Signed-off-by: Iliyan Malchev <malchev@google.com>
Test: builds/boots on Angler. No "granted" messages for the removed
permissions observed in three months of log audits.
Bug: 28760354
Change-Id: I76c2752f806b83a6c21fcb17b6f445368936f61b
Currently, we define 4 hardcoded init services to launch dumpstate with
different command-line options (since dumpstate must be launched by
root):
- bugreport
- bugreportplus
- bugreportwear
- bugreportremote
This approach does not scale well; a better option is to have just one
service, and let the framework pass the extra arguments through a system
property.
BUG: 31649719
Test: manual
Change-Id: I7ebbb7ce6a0fd3588baca6fd76653f87367ed0e5
Build serial is a non-user-resettable, freely available device
identifier. It can be used by ad networks to track the user
across apps, which violates the user's privacy.
This change deprecates Build.SERIAL and adds a new Build.getSerial()
API which requires holding the read_phone_state permission.
The Build.SERIAL value is set to "undefined" for apps targeting a
high enough SDK, and for legacy apps the value is still available.
bug:31402365
Change-Id: I6309aa58c8993b3db4fea7b55aae05592408b6e4
In anticipation of fixing a loophole in the Linux kernel that allows
circumventing the execmem permission by using the ptrace interface,
this patch grants execmem permission on debuggable domains to
debuggerd. This will be required for setting software break points
once the kernel has been fixed.
Bug: 31000401
Change-Id: I9b8d5853b643d24b94d36e2adbcb135dbaef8b1e
update_verifier calls bootcontrol HAL to mark the currently booting slot
as successfully booted.
avc: denied { search } for name="block" dev="tmpfs" scontext=u:r:update_verifier:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0
avc: denied { search } for name="block" dev="tmpfs" scontext=u:r:update_verifier:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0
Bug: 29569601
Test: Device boots up with no update_verifier denials and 'bootctl is-slot-marked-successful 0' returns 0.
Change-Id: I1baa7819bc829e3c4b83d7168008a5b06b01cc9f
(cherry picked from commit 23a276a295)
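The workflow behind the "granted"-message audits above (auditallow, then keep only what was actually exercised) and the update_verifier denials in this message is the same: read AVC records, aggregate them per source/target/class, and turn them into candidate rules. The following is an added example of that step, not a tool from system/sepolicy or audit2allow itself. The sample lines are constructed from the records quoted in these commit messages plus one extra constructed denial to show permission merging.

```python
"""Turn AVC audit records into candidate SELinux TE rules.

Added example, not part of system/sepolicy. SAMPLE_LINES are constructed
from the avc records quoted in the commit messages, plus one invented line.
"""
import re
from collections import defaultdict

# Matches both "avc: denied" (access refused) and "avc: granted" (access
# that an auditallow rule logged even though it was permitted).
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)

SAMPLE_LINES = [
    'avc: denied { search } for name="block" dev="tmpfs" '
    'scontext=u:r:update_verifier:s0 tcontext=u:object_r:block_device:s0 '
    'tclass=dir permissive=0',
    # constructed: a second denial on the same pair, to show perm merging
    'avc: denied { read } for name="block" dev="tmpfs" '
    'scontext=u:r:update_verifier:s0 tcontext=u:object_r:block_device:s0 '
    'tclass=dir permissive=0',
    'avc: granted { use } for pid=3067 comm="SoundPoolThread" '
    'scontext=u:r:drmserver:s0 tcontext=u:r:system_server:s0 tclass=fd',
    "init: starting service 'bugreport'...",  # constructed non-AVC noise
]


def parse_avc(line):
    """Return one parsed AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = frozenset(rec["perms"].split())
    # Only the type field (u:r:<type>:s0 / u:object_r:<type>:s0) enters a TE rule.
    rec["source"] = rec["scontext"].split(":")[2]
    rec["target"] = rec["tcontext"].split(":")[2]
    return rec


def aggregate(lines):
    """Group records by (verdict, source, target, class), unioning permissions."""
    agg = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["verdict"], rec["source"], rec["target"], rec["tclass"])
        agg[key] |= rec["perms"]
    return agg


def to_rules(agg):
    """Render aggregated records as allow rules, annotated by provenance.

    'granted' records prove an existing permission is exercised and should be
    kept when tightening; 'denied' records are new access and need review."""
    rules = []
    for (verdict, src, tgt, cls), perms in sorted(agg.items()):
        rule = "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        if verdict == "granted":
            rule += "  # exercised: seen via auditallow, keep"
        else:
            rule += "  # new access: was denied, review before granting"
        rules.append(rule)
    return rules


if __name__ == "__main__":
    for r in to_rules(aggregate(SAMPLE_LINES)):
        print(r)
```

A denial-derived rule is only a starting point: before it is granted, check it against the neverallow assertions in domain.te (a generated rule can trip one exactly as in the neverallowxperm build failure quoted earlier), and prefer a narrower target type or permission set where the denial shows one is enough.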
DRM 3rd party application with platform signature
requires the permission.
Bug: 30352348
Change-Id: Idd673506764ae435db1be8cc8c13658541ffa687
Add a macro to make this easier for other processes
as well.
Change-Id: I489d0ce042fe5ef88dc767a6fbdb9b795be91601
(cherry picked from commit c2b9c1561e4bd7ac86d78b44ca7927994e781da0)
(cherry picked from commit 88c5146585)
Allow the otapreopt rename script to read file attributes. This is
being used to print the aggregate artifact size for diagnostic
purposes.
Bug: 30832951
Change-Id: Iee410adf59dcbb74fa4b49edb27d028025cd8bf9
(cherry picked from commit eb717421b1)
The new A/B OTA artifact naming scheme includes the target slot so
that the system is robust with respect to unexpected reboots. This
complicates the renaming code after reboot, so it is moved from the
zygote into a simple script (otapreopt_slot) that is hooked into
the startup sequence in init.
Give the script the subset of the rights that the zygote had so that
it can move the artifacts from /data/ota into /data/dalvik-cache.
Relabeling will be done in the init rc component, so relabeling
rights can be completely removed.
Bug: 25612095
Bug: 28069686
Change-Id: Iad56dc3d78ac759f4f2cce65633cdaf1cab7631b