Looking at go/sedenials, we're fairly confident that this domain has all
the necessary permissions. This change enforces all the defined rules
for the permissioncontroller_app domain and unsets the permissive mode.
Bug: 142672293
Test: Green builds, no new selinux denials.
Change-Id: Idaaf2f7aa88b2981f9fab2f74350a934fe415d71
This reverts commit f536a60407.
Reason for revert: Resubmit the CL with the fix in vendor_init.te
Bug: 144534640
Test: lunch sdk-userdebug; m sepolicy_tests
Change-Id: I47c589c071324d8f031a0f7ebdfa8188869681e9
Define a new property_context vndk_prop for ro.product.vndk.version.
It is set by init process but public to all modules.
Bug: 144534640
Test: check if ro.product.vndk.version is set correctly.
Change-Id: If739d4e25de93d9ed2ee2520408e07a8c87d46fe
Noticed denials in go/sedenials. This permission is currently granted to
priv_app via app_api_service.
Bug: 142672293
Test: TH
Change-Id: I9834044b2ba13b12694e88ae5cec8eb5c38c658c
This type will be used for read-only properties used to configure
userspace reboot behaviour (e.g. whether the device supports it, watchdog
timeout, etc.).
Test: adb shell getprop ro.init.userspace_reboot.is_supported
Bug: 135984674
Change-Id: I387b2f2f6e3ca96c66c8fa3e6719d013d71f76c7
In order for services registered with LazyServiceRegistrar to dynamically stop, servicemanager needs to be able to call into client processes (to notify them and trigger shutdown).
Bug: 143108344
Test: aidl_lazy_test
Change-Id: I402d0bcc5e668bf022162c7ce7393d5b77256479
Adding two labels: "incfs" for the incremental filesystem and
"incremental_root_file" for file paths /data/incremental/*.
Doc: go/incremental-selinux
Test: manual
Change-Id: I7d45ed1677e3422119b2861dfc7b541945fcb7a2
More historical context in http://b/18504118
This also adds an auditallow to the same rule for priv_app, so we can
delete it once no logs show up in go/sedenials for this rule
triggering.
Bug: 142672293
Test: TH
Change-Id: I5729b89af83090e6e31c012c8acb0f0114c87d3d
This is required for the Debug UI within the Settings app.
The Platform Compat API prevents callers from overriding the compat
config for non-debuggable apps on user builds, among other restrictions
(see https://r.android.com/1178263 for the full list).
Test: use the Settings app's debug UI on a user build
Bug: 144552011
Bug: 138280620
Change-Id: Ia11a6523feab5cfac2dd6a04d269c59f28f667b7
As part of extending linkerconfig execution based on mount namespace and
APEX status, linkerconfig will be executed from init with logwrap. To
support this there should be an extra sepolicy to allow linkerconfig to
be executed with logwrap.
Bug: 144664390
Test: m -j passed & cuttlefish booted
Change-Id: Ia8b970a1c396a769eff4b102afbf4d33802923cf
This also adds an auditallow to the same rule for priv_app, so we can
delete it once no logs show up in go/sedenials for this rule
triggering.
Bug: 142672293
Test: TH
Change-Id: I554e0cb00a53fd254c450c20e6c632e58472c3c8
In order for system_server to report ION allocations in the dumpsys meminfo
report it needs access to ION sysfs nodes.
Bug: 138148041
Test: dumpsys meminfo
Change-Id: I8b1efebe8f4b06a3975e96ddd6a8cbcacdb52fb2
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Also allow binder service "incremental_service" to be found by service
manager.
Test: boots
BUG: 136132412
Change-Id: I3584a9b69a7e1909f096e3c4579c1834bdfba22e
Refactor to split the logic within statscompanion_service
The goal of the refactor is to simplify the binder calls to statsd
This service will talk to statsd.
At the end of the refactor, this service should be the only
service that talks to statsd.
Bug: 146074223
Test: Manual by creating the service with empty implementation
Change-Id: Ib9c2e10ec195d41062f1001e5a82b374696de939
This also adds an auditallow to the same rule for priv_app, so we can
delete it once no logs show up in go/sedenials for this rule
triggering.
Bug: 142672293
Test: TH
Change-Id: I57f887e96d721ca69a7228df0a75515596776778
Mark tethering_service as app_api_service to allow applications to find
the tethering service. Apps should be able to use the tethering service to
know the tethering state if they have the ACCESS_NETWORK_STATE permission, but
they may need a privileged permission if they want to change tethering.
Bug: 144320246
Test: -build, flash, boot
-ON/OFF hotspot
Change-Id: Ie414618766144c4a4ad89c5cf03398a472638e71
Apps can cause selinux denials by accessing CE storage
and/or external storage. In either case, the selinux denial is
not the cause of the failure, but just a symptom that
storage isn't ready. Many apps handle the failure appropriately.
These denials are not helpful, are not the cause of a problem,
spam the logs, and cause presubmit flakes. Suppress them.
Bug: 145267097
Test: build
Change-Id: If87b9683e5694fced96a81747b1baf85ef6b2124
Looking at go/sedenials, we have learnt that a lot of other priv-apps rely on
this permission. The auditallow has served its purpose and can now be
removed.
Bug: 142672293
Test: Treehugger
Change-Id: Iba81773b223d2bddbd32a0594c5aa01829252847
From go/sedenials, we see that com.android.vending needs this
permission. The auditallow was in place to see if any priv-apps other
than GMS core need this, and now we know.
Bug: 142672293
Test: Treehugger
Change-Id: Iad6caeb648bc23e85571b758a35649924cdeec69
Zygote/Installd now can do the following operations in app data directory:
- Mount on it
- Create directories in it
- Mount directory for each app data, and get/set attributes
Bug: 143937733
Test: No denials at boot
Test: No denials seen when creating mounts
Change-Id: I6e852a5f5182f1abcb3136a3b23ccea69c3328db
The Factory OTA client is installed in the product partition but also declares coredomain in
its sepolicy setting. That leaves Factory OTA unable to find a property type that could write system properties.
But now Factory OTA has a restore NFC wake function that needs to write a system property to communicate with the bootloader.
So we need to create a new property type in the system framework which allows the Factory OTA client to write system properties.
Bug: 145178094
Test: Manual
Change-Id: Ic549cc939893ec67a46bf28a23ebeb9f9b81bd0b
This denial is generally a sign that apps are attempting to access
encrypted storage before the ACTION_USER_UNLOCKED intent is delivered.
Suppress this denial to prevent logspam.
While gmscore_app is running in permissive mode, there might be other
denials for related actions (that won't show up in enforcing mode after
the first action is denied). This change adds a bug_map entry to track
those denials and prevent presubmit flakes.
Bug: 142672293
Test: Happy builds
Change-Id: Id2f8f8ff5cde40e74be24daa0b1100b91a7a4dbb
* changes:
Allow audio_server to access soundtrigger_middleware service
Allow soundtrigger_middleware system service
Allow system service to access audio HAL (for soundtrigger)
Allow the tethering service, which is running in the same process as the network
stack service, to "find" the network stack service. The original design was to pass the
network_stack binder to the tethering service directly when the tethering
service is created. To allow creating the tethering service and the network
stack service in parallel, let the tethering service query the network_stack
binder instead.
Bug: 144320246
Test: boot, flash, build
OFF/ON hotspot
Change-Id: Ife0c2f4bdb2cfee4b5788d63d1cfc76af0ccc33c
This is needed to debug native crashes within the gmscore app.
Now that GMS core is running in gmscore_app and not in the priv_app
domain, we need this rule for the new domain. This also adds an
auditallow to the same rule for priv_app, so we can delete it once no
logs show up in go/sedenials for this rule triggering.
Bug: 142672293
Test: TH
Change-Id: I7d28bb5df1a876d0092758aff321e62fa2979694
Now that GMS core is running in gmscore_app and not priv_app, we need
this rule for the new domain. This also adds an auditallow to the same
rule for priv_app, so we can delete it once no logs show up in
go/sedenials for this rule triggering.
Bug: 142672293
Test: TH
Change-Id: I308d40835156e0c19dd5074f69584ebf1c72ad58
Add extra policy to enable linkerconfig to be executed from recovery.
Bug: 139638519
Test: Tested from crosshatch recovery
Change-Id: I40cdea4c45e8a649f933ba6ee73afaa7ab3f5348
gsid needs access to /sys/fs/f2fs/<dev>/features to detect whether
pin_file support is enabled in the kernel.
Bug: 134949511
Test: libsnapshot_test gtest
Change-Id: I5c7ddba85c5649654097aa51285d7fa5c53f4702
This can be used as an existence check on a process
before calling kill (which is already granted).
Addresses:
avc: denied { signull } for comm="Binder:1328_1"
scontext=u:r:system_server:s0 tcontext=u:r:webview_zygote:s0
tclass=process permissive=0
Bug: 143627693
Test: build
Change-Id: I01dfe3c0cb2f4fec2d1f1191ee8243870cdd1bc6
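The avc line quoted in the message above is the raw material such allow rules are derived from. As an added illustration, not part of any of these commits, here is a small parser that turns denial lines of that shape into candidate allow rules, aggregated per source/target/class; the sample log lines are constructed from the message above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the denial quoted above, joined onto one line as it
# appears in dmesg, plus an unrelated log line that must be ignored.
SAMPLE_LOG = [
    'avc: denied { signull } for comm="Binder:1328_1" '
    'scontext=u:r:system_server:s0 tcontext=u:r:webview_zygote:s0 '
    'tclass=process permissive=0',
    'init: starting service zygote...',
]

_AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

@dataclass(frozen=True)
class Denial:
    perms: tuple      # e.g. ('signull',) or ('read', 'open')
    source: str       # source type, e.g. system_server
    target: str       # target type, e.g. webview_zygote
    tclass: str       # object class, e.g. process
    permissive: bool  # logged from a permissive domain (more denials may follow)

def parse_denial(line: str):
    """Return a Denial for an avc line, or None for any other log line."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    # Context is u:r:<type>:s0[:categories]; the type is the third field.
    src, tgt = (m.group(k).split(':')[2] for k in ('scontext', 'tcontext'))
    return Denial(tuple(m.group('perms').split()), src, tgt,
                  m.group('tclass'), m.group('permissive') == '1')

def candidate_rules(lines):
    """Aggregate denials into one allow rule per (source, target, class)."""
    perms = defaultdict(set)
    for d in filter(None, map(parse_denial, lines)):
        perms[(d.source, d.target, d.tclass)].update(d.perms)
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        body = ' '.join(sorted(ps))
        if len(ps) > 1:
            body = '{ ' + body + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules
```

A rule produced this way is only a candidate: whether the access should be granted, narrowed or suppressed with a dontaudit is still a policy decision, as the messages on this page show.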
When an OTA is downloaded, the RecoverySystem can be triggered to store
the user's lock screen knowledge factor in a secure way using the
IRebootEscrow HAL. This will allow the credential encrypted (CE)
storage, keymaster credentials, and possibly others to be unlocked when
the device reboots after an OTA.
Bug: 63928581
Test: make
Test: boot emulator with default implementation
Test: boot Pixel 4 with default implementation
Change-Id: I1f02e7a502478715fd642049da01eb0c01d112f6
In order to remount ext4 userdata into checkpointing mode, init will
need to delete all devices from the dm-stack it is mounted onto (e.g.
dm-bow, dm-crypto). For that it needs to get the name of a dm-device by
reading the /sys/block/dm-XX/dm/name file.
Test: adb shell setprop sys.init.userdata_remount.force_umount_f2fs 1
Test: adb shell /system/bin/vdc checkpoint startCheckpoint 1
Test: adb reboot userspace
Test: adb shell dumpsys activity
Bug: 135984674
Bug: 143970043
Change-Id: I919a4afdce8a4f88322f636fdf796a2f1a955d04
This adds a new apex_rollback_data_file type for the snapshots (backups)
of APEX data directories that can be restored in the event of a rollback.
Permission is given for apexd to create files and dirs in those directories
and for vold_prepare_subdirs to create the directories.
See go/apex-data-directories for details.
Bug: 141148175
Test: Built and flashed, checked directory was created with the correct
type.
Change-Id: I94b448dfc096e5702d3e33ace6f9df69f58340fd
This adds a new apex_module_data_file type for the APEX data directories
under /data/misc/apexdata and /data/misc_[de|ce]/<u>/apexdata.
Permission is given for vold to identify which APEXes are present and
create the corresponding directories under apexdata in the ce/de user
directories.
See go/apex-data-directories.
Bug: 141148175
Test: Built & flashed, checked directories were created.
Change-Id: I95591e5fe85fc34f7ed21e2f4a75900ec2cfacfa
Allow telephony to access platform_compat in order to log app failures
related to security fixes that we've made.
Bug: 144631034
Test: manual
Change-Id: Ibf783f0eb306061136fe0a57023d01344253eef0
mediaserver and mediaextractor both need this.
bug: 145607042
bug: 145355521
test: run modified android.media.cts.HeifWriterTest
to use the new android.Os.memfd_create; the test
should pass and shouldn't fail in the verification step
because MediaMetadataRetriever can't access the memfd.
Change-Id: I47dabb9d98c77b647521884c7b5fadf04eae3b41
Add a domain for derive_sdk which is allowed to set
persist.com.android.sdkext.sdk_info, readable by all
apps (but should only be read by the BCP).
Bug: 137191822
Test: run derive_sdk, getprop persist.com.android.sdkext.sdk_info
Change-Id: I389116f45faad11fa5baa8d617dda30fb9acec7a
Currently the linker config is located under /dev, but this causes some problems
in case of using two system partitions via chroot. To match the system
image and configuration, the linker config had better stay under /linkerconfig.
Bug: 144966380
Test: m -j passed && tested from cuttlefish
Change-Id: Iea67663442888c410f29f8dd0c44fe49e3fcef94
PackageManager tries to scan /apex (apex_mnt_dir) for flattened apexes.
Previously, because /apex was blindly bind-mounted to /system/apex for
"flattened" apexes, the label for /apex was the same as /system/apex,
which is okay for system_server to handle.
But to support flattened apexes from other partitions such as /vendor or
/system_ext, every apex should be mounted under /apex individually,
which leaves the se-label of /apex unchanged (apex_mnt_dir).
Bug: 144732372
Test: boot with flattened apexes
see if there are errors "denied system_server with apex_mnt_dir"
Change-Id: I81bd6ab152770c3c569b22274a6caa026615303e
SLCAN setup requires certain ioctls and read/write operations on
certain ttys. This change allows the HAL to set up SLCAN devices while
complying with SEPolicy.
In addition to adding support for SLCAN, I've also included permissions
for using setsockopt. In order for the CAN HAL to receive error frames from
the CAN bus controller, we need to first set the error mask and filter
via setsockopt.
Test: manual
Bug: 144458917
Bug: 144513919
Change-Id: I63a48ad6677a22f05d50d665a81868011c027898
ro.apk_verity.mode was introduced in P on crosshatch. This change
changes the label from default_prop to a new property, apk_verity_prop.
ro.apk_verity.mode is set by vendor_init per build.prop, in order to
honor Treble split. It is also read by system_server and installd
currently.
Test: verify functioning without denials in dmesg
Bug: 142494008
Bug: 144164497
Change-Id: I1f24513d79237091cf30025bb7ca63282e23c739
This change enforces all the defined rules for the vzwomatrigger_app
domain and unsets permissive mode. There have not been any new denials
in the past weeks for this domain (source: go/sedenials), and hence this
domain appears to not need any new permissions.
Bug: 142672293
Test: Green builds
Change-Id: I588b4e3038a3e8188d97183a592f9023a95dd3a8