Commit graph

909 commits

Author SHA1 Message Date
David Anderson
bf5b6ce422 Add new snapuserd socket and property rules.
This adds a new property prefix owned by snapuserd, for communicating
when the service is ready to accept connections (snapuserd.ready and
snapuserd.proxy_ready).

This also adds a new socket context. This is a seqpacket socket used to
communicate with a special instance of snapuserd that bridges to the
first-stage daemon.

Bug: 193833730
Test: no denials after OTA applies and boots
Change-Id: Ibad03659eba5c25e205ba00f27d0b4f98585a84b
2021-07-27 10:50:59 -07:00
Amos Bianchi
f778a0bd89 SELinux policy for lazy AIDL/HIDL testing services.
These services are used for running tests on Cuttlefish.

Bug: 191781736
Test: atest aidl_lazy_test
Test: atest hidl_lazy_test
Change-Id: Iec43c3d19ba5072dbfa6573a6d74106672f94972
2021-07-21 12:24:43 -07:00
Alan Stokes
10fbf239b8 Add policy for CompOS APEX data files.
Grant access to odsign to read & delete pending key files. Eventually
we will grant the CompOS daemon write access.

Bug: 190166662
Test: Via odsign; no denials seen.
Change-Id: I6d3c3e5b2aec8ef65bd28cbb274d18263534ce66
2021-07-13 15:35:53 +01:00
Alan Stokes
fa10a14fac Refactor apex data file types.
We ended up with 4 labels for specific APEX files that were all
identical; I've replaced them with a single one
(apex_system_server_data_file).

Additionally I created an attribute to be applied to a "standard" APEX
module data file type that establishes the basics (it can be managed
by vold_prepare_subdirs and apexd), to make it easier to add new such
types - which I'm about to do.

Fix: 189415223
Test: Presubmits
Change-Id: I4406f6680aa8aa0e38afddb2f3ba75f8bfbb8c3c
2021-07-12 14:41:04 +01:00
Keith Mok
a216b0d1b9 Add vehicle_binding_util SELinux context
Adds required context for 'vehicle_binding_util' to 'vold' interactions.
The vehicle_binding_util actually fork/execvp vdc.
And vdc will call vold to set the binding seed value.

Test: manual 'make'
Bug: 157501579
Change-Id: I5194c9cd0f5a910b1309b547aabf66bb9c397738
2021-06-28 22:17:50 +00:00
Paul Crowley
4a7945290d Remove wait_for_keymaster and references
No longer needed now init listens for property changes on a
separate thread.

Some references to wait_for_keymaster survive: in order to avoid
trouble downstream, we keep the definition of the `wait_for_keymaster`
and `wait_for_keymaster_exec` types, but remove all their permissions,
and of course prebuilds and compat cil files are unchanged.

Bug: 186580823
Test: Cuttlefish boots successfully
Change-Id: Id97fc2668743fb58dfd10c75a4f4c4d0348284ce
2021-06-17 11:12:16 -07:00
Alexander Dorokhine
0b2553a32b Allow the appsearch apex access to the apexdata misc_ce dir.
Bug: 177685938
Test: AppSearchSessionCtsTest
Change-Id: I727860a02cb9e612ce6c322662d418cddc2ff358
2021-05-26 09:47:19 -07:00
Andrew Walbran
654c5b0ea8 Set sepolicy for VirtualizationService data directory and mk_cdisk.
Bug: 184131523
Test: atest VirtualizationTestCases
Test: flashed on VIM3L and ran microdroid manually
Change-Id: I6d1b69b63debf44431cd542a0ee85748fcc4191b
2021-05-20 15:00:49 +00:00
Hridya Valsaraju
791dc49d96 Allow multiple heaps to use the system-secure vendor heap category
The ABI for system-secure heap was originally created to allow codec2 to
continue allocation in protected heaps by specifying the heap name via
the C2 HAL's ComponentStore interface. This patch make the ABI
expandable to accommodate multiple heaps both for usage by codec2 as well
as to allow unbinderized SP HALs to allocate in protected heaps.

Bug: 175697666
Test: manual

Change-Id: Ia8c1797c16441e73398c46d8727eee99614a35f1
2021-04-28 12:41:09 -07:00
Andrew Walbran
3b6a385137 Merge "Add crosvm domain and give virtmanager and crosvm necessary permissions." 2021-04-22 18:57:15 +00:00
Jeff Vander Stoep
bf49a89ba5 Move install_recovery.sh file_contexts mapping
The type is declared in vendor policy, so the mapping should live
there as well.

Fixes: 185288751
Test: TH
Change-Id: Ia446d7b5eb0444cdbd48d3628f54792d8a6b2786
2021-04-20 11:32:24 +02:00
Treehugger Robot
1c996021a5 Merge "Allow apexd to access a new dev_type: virtual disk" 2021-04-16 00:54:40 +00:00
Andrew Walbran
a995e84c18 Add crosvm domain and give virtmanager and crosvm necessary permissions.
Bug: 183583115
Test: make TARGET_KERNEL_USE=5.4 TARGET_VIM3L=true
Change-Id: I566436fa2d27597566014f2a63198a88d6d2dbd6
2021-04-13 09:30:20 +00:00
Jooyung Han
b62be12176 Allow apexd to access a new dev_type: virtual disk
In microdroid, apexd activates apexes which are passed as a virtual disk
to share apexes with host Android.

Bug: 184605708
Test: apexd running in microdroid can read /dev/block/vdb2
  when a disk image is passed to crosvm via --disk= option.
Change-Id: Ie27774868a0e0befb4c42cff795d1531b042654c
2021-04-13 15:46:16 +09:00
Orion Hodson
7c6b3eb963 Add odrefresh_data_file for odrefresh metrics
Metrics are written to /data/misc/odrefresh by odrefresh during early
boot, then native code in ART system_server initialization passes them
to statsd and deletes the metrics files. This hand-off is necessary
because statsd does not start until after odsign and odrefresh have run.

Bug: 169925964
Test: manual
Change-Id: I8054519a714907819886dd6e5e78f3b5796d0898
2021-04-09 15:50:28 +01:00
Kalesh Singh
326fc27064 Sepolicy for mm_events
Allow mm_events to periodically arm the mm_events
perfetto trace config if mm_events is enabled.

Bug: 183037386
Test: boot; setprop persist.mm_events.enabled true; No avc denials
Change-Id: Ia9760001e7fb591f18e3e816a63281167a658c74
2021-04-06 22:46:32 -04:00
Treehugger Robot
da7889276f Merge "Use postinstall file_contexts" 2021-03-30 18:01:34 +00:00
Yi-Yo Chiang
806898db48 Split gsi_metadata_file and add gsi_metadata_file_type attribute
Split gsi_metadata_file into gsi_metadata_file plus
gsi_public_metadata_file, and add gsi_metadata_file_type attribute.
Files that are okay to be publicly readable are labeled with
gsi_public_metadata_file. Right now only files needed to infer the
device fstab belong to this label.
The difference between gsi_metadata_file and gsi_public_metadata_file is
that gsi_public_metadata_file has relaxed neverallow rules, so processes
who wish to read the fstab can add the respective allow rules to their
policy files.
Allow gsid to restorecon on gsi_metadata_file to fix the file context of
gsi_public_metadata_file.

Bug: 181110285
Test: Build pass
Test: Issue a DSU installation then verify no DSU related denials and
  files under /metadata/gsi/ are labeled correctly.
Change-Id: I54a5fe734dd345e28fd8c0874d5fceaf80ab8c11
2021-03-29 03:09:35 +00:00
Alex Light
16dfb432b3 Use postinstall file_contexts
Previously we would mount OTA images with a 'context=...' mount
option. This meant that all selinux contexts were ignored in the ota
image, limiting the usefulness of selinux in this situation. To fix
this the mount has been changed to not overwrite the declared contexts
and the policies have been updated to accurately describe the actions
being performed by an OTA.

Bug: 181182967
Test: Manual OTA of blueline
Merged-In: I5eb53625202479ea7e75c27273531257d041e69d
Change-Id: I5eb53625202479ea7e75c27273531257d041e69d
2021-03-24 17:00:35 -07:00
satayev
afc9791f21 Revert^2 "Introduce derive_classpath."
5fd85de907

Bug: 180105615
Test: manual boot of cuttlefish and gphone emulator
Change-Id: I9e43268d3b745e65b5ccc0a4896a7e55a253659d
2021-03-19 11:23:00 +00:00
Orion Hodson
660cf864c8 Merge "Revert "Introduce derive_classpath."" 2021-03-18 19:18:02 +00:00
Orion Hodson
5fd85de907 Revert "Introduce derive_classpath."
Revert submission 1602413-derive_classpath

Bug: 180105615
Fix: 183079517
Reason for revert: SELinux failure leading to *CLASSPATH variables not being set in all builds

Reverted Changes:
I6e3c64e7a:Introduce derive_classpath service.
I60c539a8f:Exec_start derive_classpath on post-fs-data.
I4150de69f:Introduce derive_classpath.

Change-Id: I17e2cd062d8fddc40250d00f02e40237ad62bd6a
2021-03-18 17:00:43 +00:00
satayev
ba22487f86 Merge "Introduce derive_classpath." 2021-03-17 10:58:30 +00:00
Artur Satayev
d62193e9df Introduce derive_classpath.
The service generates /data/system/environ/classpath with values for
BOOTCLASSPATH, SYSTEMSERVERCLASSPATH, and DEX2OATCLASSPATH to be
exported by init.

See go/updatable-classpath for more details.

Bug: 180105615
Test: manual
Change-Id: I4150de69f7d39f685a202eb4f86c27b661f808dc
2021-03-11 07:20:25 +00:00
Howard Chen
55665d63da Support copy-on-write persistent data block when running a DSU
The persistent data block is protected by a copy-on-write scratchpad when
running a Dynamic System Update (DSU). The copy-on-write scratchpad
uses a backing file for write operations. This CL adds permissions
to write the backing file for the PersistentDataBlockService.

Bug: 175852148
Test: gsi_tool install & vts_kernel_net_tests

Change-Id: Id0efe407e707fc382679c0eee249af52f877f5d2
2021-03-10 13:02:02 +08:00
Collin Fijalkovich
4f7a435b71 Merge "Remove sepolicy surrounding notify_traceur" 2021-03-09 19:13:26 +00:00
Collin Fijalkovich
d6cd6279bf Remove sepolicy surrounding notify_traceur
We no longer use this sysprop-based interface for communication between
Traceur and Perfetto, this change removes the associated policy.

Test: atest TraceurUiTests
Bug: 179923899
Change-Id: Ic59d866d3c75a3f804f6c19a703d6d10560c627a
2021-02-25 13:24:31 -08:00
Randall Huang
869f63a202 SELinux policy for /dev/sys/block/by-name/userdata
Bug: 180874192
Test: no denials on boot
Signed-off-by: Randall Huang <huangrandall@google.com>
Change-Id: If9374b1cfad21f6c070ebccf3043582ca485a65a
2021-02-23 13:41:13 +00:00
Kelvin Zhang
a1e58814a8 Add necessary sepolicy for update_engine to reserve space on data
Test: serve an OTA, make sure /data/apex/reserved is present
Bug: 172911822

Change-Id: I9f7967c9047ae834eb55a48d56ffc34a7b37f5db
2021-02-19 11:30:50 +00:00
Randall Huang
10d42cec51 sepolicy: Add label to userdata file node
The userdata file node should be labeled to
avoid avc denied.

Bug: 171760673
Bug: 177364376
Test: build pass
Signed-off-by: Randall Huang <huangrandall@google.com>
Change-Id: I9ba89c75c120864c64ea278934b15edc3ba18a6c
2021-02-19 07:45:02 +08:00
Gavin Corkery
3bb3559e2e Merge "Add sepolicy for scheduling module data directories" 2021-02-18 20:51:51 +00:00
Hongming Jin
58f83415ea Add /data/misc/a11ytrace folder to store accessibility trace files.
Bug: 157601519
Test: adb shell cmd accessibility start-trace
      adb shell cmd accessibility stop-trace
Change-Id: Id4224cee800fe3e10f33794c96048366a0bf09bb
2021-02-16 09:35:09 -08:00
Gavin Corkery
cd3bb575ab Add sepolicy for scheduling module data directories
Test: Manually test writing and reading files
Bug: 161353402
Change-Id: Ifbc0e4db0ec51f6565a0f52df06b1d148577b788
2021-02-15 22:31:27 +00:00
Mohammad Islam
1a2a3bd369 Merge "Allow apexd to relabel files in /data/apex/decompressed" 2021-02-12 10:16:55 +00:00
Martijn Coenen
6afdb72cbb SELinux policy for on-device signing binary.
Bug: 165630556
Test: no denials on boot
Change-Id: I9d75659fb1eaea562c626ff54521f6dfb02da6b3
2021-02-03 16:15:48 +01:00
Mohammad Samiul Islam
12b7ccd8f7 Allow apexd to relabel files in /data/apex/decompressed
We have created a new directory called /data/apex/decompressed. All
files under this directory will have staging_data_file label, but
the directory itself needs to have apex_data_file label. This is
because apexd needs to write inside this directory and we don't want
to give apexd write access to staging_data_file label.

When a file is written under this directory, it gets its parent's label.
So we need to restore the proper labeling. Hence, we are allowing apexd
labeling permissions.

Bug: 172911820
Test: atest ApexCompressionTests#testCompressedApexIsActivated
Change-Id: I0a910fa5591b2aace70804701545eb4ac510ec24
2021-02-01 13:39:44 +00:00
Andrei Onea
850842f77c Add data directory for appcompat
This directory is used to store override config, so that they can
persist across reboot.

Test: atest CompatConfigTest
Bug: 145509340
Change-Id: I5e8f2b3093daeccd6c95dff24a8c6c0ff31235ca
2021-01-27 15:04:31 +00:00
Seigo Nonaka
9c3707f76a Add /data/fonts/files directory
The updated font files will be stored to /data/fonts/files and
all application will read it for drawing text.
Thus, /data/fonts/files needs to be readable by apps and only writable
by system_server (and init).

Bug: 173517579
Test: atest CtsGraphicsTestCases
Test: Manually done
Change-Id: Ia76b109704f6214eb3f1798e8d21260343eda231
2021-01-22 11:58:55 -08:00
Yurii Zubrytskyi
80dfa06984 IncFS: update SE policies for the new API
IncFS in S adds a bunch of new ioctls, and requires the users
to read its features in sysfs directory. This change adds
all the features, maps them into the processes that need to
call into them, and allows any incfs user to query the features

Bug: 170231230
Test: incremental unit tests
Change-Id: Ieea6dca38ae9829230bc17d0c73f50c93c407d35
2021-01-19 12:57:15 -08:00
Orion Hodson
74b129b77c Merge "Permissions for odrefresh and /data/misc/apexdata/com.android.art" 2021-01-19 09:37:36 +00:00
Primiano Tucci
9dd873d725 Merge "Allow dumpstate to snapshot traces and attach them to bug reports" 2021-01-14 18:59:40 +00:00
Orion Hodson
8f75f76fbd Permissions for odrefresh and /data/misc/apexdata/com.android.art
odrefresh is the process responsible for checking and creating ART
compilation artifacts that live in the ART APEX data
directory (/data/misc/apexdata/com.android.art).

There are two types of change here:

1) enabling odrefresh to run dex2oat and write updated boot class path
   and system server AOT artifacts into the ART APEX data directory.

2) enabling the zygote and assorted diagnostic tools to use the
   updated AOT artifacts.

odrefresh uses two file contexts: apex_art_data_file and
apex_art_staging_data_file. When odrefresh invokes dex2oat, the
generated files have the apex_art_staging_data_file label (which allows
writing). odrefresh then moves these files from the staging area to
their installation area and gives them the apex_art_data_file label.

Bug: 160683548
Test: adb root && adb shell /apex/com.android.art/bin/odrefresh
Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
2021-01-13 10:38:22 +00:00
Primiano Tucci
2f99809c43 Allow dumpstate to snapshot traces and attach them to bug reports
Feature description: if a background trace is happening at the
time dumpstate is invoked, the tracing daemon will snapshot
the trace into a fixed path (/data/misc/perfetto-traces/bugreport/).
Dumpstate will attach the trace, if present, to the bugreport.
From a SELinux viewpoint this involves the following permissions:
- Allow dumpstate to exec+trans perfetto --save-for-bugreport
  (this will just send an IPC to traced, which will save the trace).
- Allow dumpstate to list, read and unlink the trace file.
- Create a dedicated label for bugreport traces, to prevent that
  dumpstate gets access to other traces not meant for bug reporting.

Note that this does NOT allow dumpstate to serialze arbitary traces.
Traces must be marked as "eligible for bugreport" upfront in the
trace config (which is not under dumpstate control), by
setting bugreport_score > 0.

Design doc: go/perfetto-betterbug

Bug: 170334305
Test: manual:
      1. start a perfetto trace with bugreport_score > 0
      2. adb shell dumpstate
      3. check that the bugreport zip contains the trace

Change-Id: I259c3ee9d5be08d6b22c796b32875d7de703a230
2021-01-12 14:06:24 +00:00
Gavin Corkery
b46e956d97 Merge "Add sepolicy for /metadata/watchdog" 2021-01-08 08:20:45 +00:00
Chun-Wei Wang
e88e8a679e Merge "Relabel /data/rollback files as enabling rollback (4/n)" 2021-01-08 04:46:23 +00:00
Gavin Corkery
b0aae28b41 Add sepolicy for /metadata/watchdog
See go/rescue-party-reboot for more context.

One integer will be stored in a file in this
directory, which will be read and then deleted at the
next boot. No userdata is stored.

Test: Write and read from file from PackageWatchdog
Bug: 171951174

Change-Id: I18f59bd9ad324a0513b1184b2f4fe78c592640db
2021-01-07 19:42:56 +00:00
Shubang Lu
ba4e6b89aa Merge "SE policy for tuner service." 2021-01-07 18:34:36 +00:00
JW Wang
65480a460f Relabel /data/rollback files as enabling rollback (4/n)
We will link files under /data/apex/active and /data/app to
/data/rollback when enabling rollbacks to avoid copy.

When creating hard links, we have to enusre source and target have the
same label to avoid subtle bugs.

We will assign apk_data_file to *.apk files and
staging_data_file to *.apex files under /data/rollback.

Also allow system_server to link /data/apex/active files.

Bug: 168562373
Test: m
Change-Id: I4be38cc8c84494c4ddfa03e37f2af3958bff5dfb
2021-01-07 11:11:54 +08:00
Chiachang Wang
bd15e9ac63 Merge "Add new selinux type for radio process" 2020-12-29 00:24:12 +00:00
Chiachang Wang
813c25fc91 Add new selinux type for radio process
ConnectivityService is going to become mainline and can not
access hidden APIs. Telephony and Settings were both accessing
the hidden API ConnectivityManager#getMobileProvisioningUrl.
Moving #getMobileProvisioningUrl method into telephony means
that there is one less access to a hidden API within the overall
framework since the Connectivity stack never needed this value.
Thus, move getMobileProvisioningUrl parsing to telephony surface
and provide the corresponding sepolicy permission for its access.

The exsting radio_data_file is an app data type and may allow
more permission than necessary. Thus create a new type and give
the necessary read access only.

Bug: 175177794
Test: verify that the radio process could read
      /data/misc/radio/provisioning_urls.xml successfully
Change-Id: I191261a57667dc7936c22786d75da971f94710ef
2020-12-24 15:11:15 +08:00
Treehugger Robot
831fddd794 Merge "Allow coredomain access to only approved categories of vendor heaps" 2020-12-21 20:34:06 +00:00
Hridya Valsaraju
8c9cf62edb Allow coredomain access to only approved categories of vendor heaps
One of the advantages of the DMA-BUF heaps framework over
ION is that each heap is a separate char device and hence
it is possible to create separate sepolicy permissions to restrict
access to each heap.
In the case of ION, allocation in every heap had to be done through
/dev/ion which meant that there was no away to restrict allocations in
a specific heap.

This patch intends to restrict coredomain access to only approved
categories of vendor heaps. Currently, the only identified category
as per partner feedback is the system-secure heap which is defined
as a heap that allocates from protected memory.

Test: Build, video playback works on CF with ION disabled and
without sepolicy denials
Bug: 175697666

Change-Id: I923d2931c631d05d569e97f6e49145ef71324f3b
2020-12-16 10:08:54 -08:00
shubang
f8ab3eb1bb SE policy for tuner service.
Test: make; acloud;  tuner sample input
Change-Id: I651632ec7f4ba79d94738c11c343f63510e59aa6
2020-12-16 06:05:04 +00:00
Alan Stokes
63d875612f Merge "Split user_profile_data_file label." 2020-12-15 14:25:51 +00:00
Alan Stokes
7aa40413ae Split user_profile_data_file label.
user_profile_data_file is mlstrustedobject. And it needs to be,
because we want untrusted apps to be able to write to their profile
files, but they do not have levels.

But now we want to apply levels in the parent directories that have
the same label, and we want them to work so they need to not be
MLS-exempt. To resolve that we introduce a new label,
user_profile_root_file, which is applied to those directories (but no
files). We grant mostly the same access to the new label as
directories with the existing label.

Apart from appdomain, almost every domain which accesses
user_profile_data_file, and now user_profile_root_file, is already
mlstrustedsubject and so can't be affected by this change. The
exception is postinstall_dexopt which we now make mlstrustedobject.

Bug: 141677108
Bug: 175311045
Test: Manual: flash with wipe
Test: Manual: flash on top of older version
Test: Manual: install & uninstall apps
Test: Manual: create & remove user
Test: Presubmits.
Change-Id: I4e0def3d513b129d6c292f7edb076db341b4a2b3
2020-12-11 17:35:06 +00:00
John Stultz
f30cc10961 sepolicy: Add the dmabuf system-uncached heap
This should match policy for the system heap as they both map to
the ION system heap with the ION_FLAG_CACHED flag on or off.

Change-Id: Ib2929b84a2f8092adcf2f874ad6ccdfe068fe6dc
Signed-off-by: John Stultz <john.stultz@linaro.org>
2020-12-11 07:07:51 +00:00
Kiyoung Kim
357f5c4b1b Support linkerconfig in Runtime APEX
Add additional sepolicy so linkerconfig in Runtime APEX can be executed
from init.

Bug: 165769179
Test: Cuttlefish boot succeeded
Change-Id: Ic08157ce4c6a084db29f427cf9f5ad2cb12e50dd
2020-12-02 11:41:38 +09:00
Suren Baghdasaryan
37f1a137b6 Add rules for per-API level task profiles and cgroup description files
Define access rights to new per-API level task profiles and cgroup
description files under /etc/task_profiles/.

Bug: 172066799
Test: boot with per-API task profiles
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I04c9929fdffe33a9fc82d431a53f47630f9dcfc3
2020-11-23 09:30:26 -08:00
David Anderson
09bb944221 Add sepolicy for starting the snapuserd daemon through init.
Restrict access to controlling snapuserd via ctl properties. Allow
update_engine to control snapuserd, and connect/write to its socket.

update_engine needs this access so it can create the appropriate dm-user
device (which sends queries to snapuserd), which is then used to build
the update snapshot.

This also fixes a bug where /dev/dm-user was not properly labelled. As a
result, snapuserd and update_engine have been granted r_dir_perms to
dm_user_device.

Bug: 168554689
Test: full ota with VABC enabled
Change-Id: I1f65ba9f16a83fe3e8ed41a594421939a256aec0
2020-11-19 21:03:30 +00:00
David Anderson
45ac6e8400 Merge "Add sepolicy for dm-user devices and the snapuserd daemon." 2020-10-27 16:39:14 +00:00
David Anderson
fe30369efb Add sepolicy for dm-user devices and the snapuserd daemon.
dm-user is a new device-mapper module, providing a FUSE-like service for
block devices. It creates control nodes as misc devices under
/dev/dm-user/. Make sure these nodes get a unique selabel.

snapuserd is a daemon for servicing requests from dm-user. It is a
low-level component of Virtual A/B updates, and provides the bridge
betewen dm-snapshot and the new COW format. For this reason it needs
read/write access to device-mapper devices.

Bug: 168259959
Test: ctl.start snapuserd, no denials
      vts_libsnapshot_test, no denials
Change-Id: I36858a23941767f6127d6fbb9e6755c68b91ad31
2020-10-26 23:23:01 -07:00
Orion Hodson
8dfb408cdf private/file_contexts: delist ART binaries under /system/bin
These are in the ART APEX and covered by
apex/com.android.art.{debug,release}-file_contexts.

Bug: 160683548
Test: boot and check no avc denied messages logcat
Change-Id: I8024b3e37bb3e680739c45b08e4a846f2adea98c
2020-10-20 17:06:12 +01:00
Yifan Hong
c24059c98b Add /second_stage_resources tmpfs. am: 73f9b6cc84
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1451818

Change-Id: I9380b667fbb7d09eac8a8a1324bd396e5ac2c149
2020-10-16 22:16:28 +00:00
Treehugger Robot
b178fe826c Merge changes from topic "ramdisk_timestamp_runtime_load"
* changes:
  Add ro.bootimage.* property contexts
  Add /second_stage_resources tmpfs.
2020-10-16 19:23:08 +00:00
Jack Yu
dd5c5d7960 Merge "Add sepolicy to allow read/write nfc snoop log data" 2020-10-16 07:56:10 +00:00
Primiano Tucci
512bdb9c1b Create directory for shell<>perfetto interaction
Users are unable to pass config files directly to
perfetto via `perfetto -c /path/to/config` and have to
resort to awkward quirks like `cat config | perfetto -c -'.
This is because /system/bin/perfetto runs in its own SELinux
domain for reasons explained in the bug.
This causes problem to test infrastructures authors. Instead
of allowing the use of /data/local/tmp which is too ill-scoped
we create a dedicated folder and allow only shell and perfetto
to operate on it.

Bug: 170404111
Test: manual, see aosp/1459023
Change-Id: I6fefe066f93f1f389c6f45bd18214f8e8b07079e
2020-10-13 21:27:27 +00:00
Yifan Hong
f5f4c1207a Revert "Add /boot files as ramdisk_boot_file."
This reverts commit 2576a2fc30.

Reason for revert: conflict with device-specific sepolicy

Bug: 170411692
Change-Id: Ie5fde9dd91b603f155cee7a9d7ef432a05dc6827
Test: pass
2020-10-08 22:13:44 +00:00
Yifan Hong
2576a2fc30 Add /boot files as ramdisk_boot_file.
/boot/etc/build.prop is a file available at first_stage_init to
be moved into /second_stage_resources.

The file is only read by first_stage_init before SELinux is
initialized. No other domains are allowed to read it.

Test: build aosp_hawk
Test: boot and getprop
Bug: 170364317
Change-Id: I0f8e3acc3cbe6d0bae639d2372e1423acfc683c7
2020-10-08 07:55:12 -07:00
Yifan Hong
73f9b6cc84 Add /second_stage_resources tmpfs.
At build time, the directory is created as an empty directory. At
runtime, init mounts tmpfs at this path to preserve files from first
stage init to second stage init.

Right now, first stage init copies the following file to this tmpfs
before switching root:
- /boot/etc/build.prop -> /second_stage_resources/boot/etc/build.prop

After init property service finishes loading all properties, this tmpfs
is umounted, and this directory is left empty.

Bug: 169169031
Test: run and init loads props properly.
Change-Id: Ic6e62b10d8aec446b51c6bc67fdc2dbc943096ba
2020-10-07 11:55:20 -07:00
Orion Hodson
76ce7f5eaa Remove policy for deprecated ART apex update scripts
Earlier changes removed the scripts for ART APEX pre- and post-install
hooks (I39de908ebe52f06f19781dc024ede619802a3196) and the associated
boot integrity checks (I61b8f4b09a8f6695975ea1267e5f5c88f64a371f), but
did not cleanup the SELinux policy.

Bug: 7456955
Test: Successful build and boot
Test: adb install com.android.art.debug && adb reboot
Change-Id: I1580dbc1c083438bc251a09994c28107570c48c5
2020-09-30 16:14:41 +01:00
Jack Yu
dd64813204 Add sepolicy to allow read/write nfc snoop log data
Bug: 153704838
Test: nfc snoop log could be accessed
Change-Id: I694426ddb776114e5028b9e33455dd98fb502f0a
2020-09-24 17:36:07 +08:00
Treehugger Robot
714e134b25 Merge changes If936c556,Ief48165c
* changes:
  Add permissions required for new DMA-BUF heap allocator
  Define a new selinux label for DMABUF system heap
2020-09-21 17:59:16 +00:00
Yifan Hong
38a901df56 Revert "Add modules partition"
Revert submission 1413808-modules_partition

Reason for revert: modules partition no longer needed
Reverted Changes:
Iceafebd85:Add modules partition
I2fa96199a:rootdir: Add modules directory
Ie397b9ec6:Add modules partition.
I4200d0cf5:fastboot: add modules partition

Bug: 163543381

Change-Id: I613d4efa346b217e0131b14424bc340ad643e1d6
2020-09-15 19:08:24 +00:00
Hridya Valsaraju
a7cd26e664 Define a new selinux label for DMABUF system heap
Define the label dmabuf_system_heap_device for /dev/dma_heap/system.
This the default DMA-BUF heap that Codec2 will use one ION is
deprecated.
Test: video playback without denials with DMA-BUF heaps enabled
Bug: 168333162

Change-Id: Ief48165cd804bde00e1881a693b5eb44a45b633b
2020-09-11 14:27:41 -07:00
Yifan Hong
648d956cc0 Add modules partition
Add updateable_module_file that describes all files under /modules. If
more directories (e.g. /modules/apex etc.) are added in the future,
separate labels should be applied to them.

Bug: 163543381
Test: on CF check /proc/mounts

Change-Id: Iceafebd85a2ffa47a73dce70d268d8a6fb5a5103
2020-09-08 16:35:51 -07:00
Yi Kong
fbb6546cbd Merge "Policies for profcollectd" 2020-09-08 13:44:17 +00:00
Yi Kong
4555123090 Policies for profcollectd
Bug: 79161490
Test: run profcollect with enforcing
Change-Id: I19591dab7c5afb6ace066a3e2607cd290c0f43a6
2020-09-08 12:29:47 +00:00
Colin Cross
da4e51b71f Add shell_test_data_file for /data/local/tests
Add a domain for /data/local/tests which will be used by atest
to execute tests on devices as shell or root.

Bug: 138450837
Test: atest binderVendorDoubleLoadTest memunreachable_unit_test memunreachable_binder_test
Change-Id: Ia34314bd9430e21c8b3304ac079e3d9b5705e19c
2020-09-01 11:17:19 -07:00
Gavin Corkery
ed62b31812 Selinux policy for new userspace reboot logging dir
Add userspace_reboot_metadata_file, which is written to by init,
and read by system server. System server will also handle the
deletion policy and organization of files within this directory,
so it needs additional permissions.

Test: Builds
Bug: 151820675
Change-Id: Ifbd70a6564e2705e3edf7da6b05486517413b211
2020-08-26 21:00:09 +01:00
Chris Weir
f5f23b7e03 Merge "Enable CAN HAL Configuration Service" 2020-08-13 16:18:27 +00:00
Janis Danisevskis
ff98459989 Prepare sepolicy for launching Keystore 2.0 service
This patch labels /system/bin/keystore2 as a keystore executable and
allows keystore to register "system.security.keystore2" with the service
manager.

Bug: 160623310
Test: None
Change-Id: I1812e565438c2b8ae55c8d10bcc8450d27717697
2020-08-10 14:40:20 -07:00
Janis Danisevskis
c40681f1b5 Add libselinux keystore_key backend.
We add a new back end for SELinux based keystore2_key namespaces.
This patch adds the rump policy and build system infrastructure
for installing keystore2_key context files on the target devices.

Bug: 158500146
Bug: 159466840
Test: None
Change-Id: I423c9e68ad259926e4a315d052dfda97fa502106
Merged-In: I423c9e68ad259926e4a315d052dfda97fa502106
2020-08-05 16:11:48 +00:00
chrisweir
7063650dbb Enable CAN HAL Configuration Service
Enable the CAN HAL configuration service to start on boot.

Bug: 142653776
Test: Manual
Change-Id: If4180ab729cf92be05ab817ae1fb27d3151d32f9
2020-07-24 14:43:31 -07:00
Yifan Hong
dc9c4561f5 Correct labels on files / props in odm_dlkm.
All files under odm_dlkm are tagged vendor_file.
All build props for odm_dlkm are mapped as build_vendor_prop.

Test: build and
    `ls /odm_dlkm -lZ`
    `adb shell getprop -Z | grep odm_dlkm`

Bug: 154633114

Change-Id: Ifca69d0b7a8da945910a9cb0fa907735cd866f12
2020-07-15 17:16:40 -07:00
Yifan Hong
85aba14765 Correct labels on files / props in vendor_dlkm.
All files under vendor_dlkm are tagged vendor_file.
All build props for vendor_dlkm are mapped as build_vendor_prop.

Test: build and
    `ls /vendor_dlkm -lZ`
    `adb shell getprop -Z | grep vendor_dlkm`

Bug: 154633114

Change-Id: Ie9dc26d948357767fec09aca645606310ad3425c
2020-07-09 15:02:00 -07:00
Jooyung Han
8c18009ae2 allow apexd to mount apex-info-list.xml file
apexd runs in two separate mount namespaces: bootstrap & default.
To support separate apex-info-list.xml for each mount namespaces, apexd
needs to emit separate .xml file according to the mount namespace and
then bind-mount it to apex-info-list.xml file.

Bug: 158964569
Test: m & boot
      nsenter -m/proc/1/ns/mnt -- ls -lZ /apex/apex-info-list.xml
      nsenter -m/proc/2/ns/mnt -- ls -lZ /apex/apex-info-list.xml
      => shows the label apex_info_file correctly
Change-Id: I25c7445da570755ec489edee38b0c6af5685724b
2020-07-02 22:22:05 +09:00
Justin Yun
088587886c Label /system_ext/lib(64)/* as system_lib_file
This needs to be updated to api 30.0 which introduced the system_ext.

Bug: 160314910
Test: build and boot
Change-Id: I08c4aed640467d11482df08613039726e7395be0
2020-07-02 04:07:12 +00:00
Yi Kong
239c85dd0d Add sepolicy for profcollectd
This does not yet list all the required capabilities for profcollectd,
but it at least allows the service to start under permissive mode.

Bug: 79161490
Test: start profcollectd
Change-Id: I92c6192fa9b31840b2aba26f83a6dc9f9e835030
2020-07-01 23:44:37 +08:00
linpeter
87c7261f0a sepolicy: label vendor_service_contexts as vendor_service_contexts_file
Due to AIDL HAL introduction, vendors can publish services
with servicemanager. vendor_service_contexts is labeled as
vendor_service_contexts_file, not nonplat_service_contexts_file.
And pack it to vendor partition.

Bug: 154066722

Test: check file label
Change-Id: Ic74b12e4c8e60079c0872b6c27ab2f018fb43969
2020-06-15 17:09:46 +08:00
Mohammad Samiul Islam
476d616e43 Create sepolicy for allowing system_server rw in /metadata/staged-install
Bug: 146343545
Test: presubmit
Change-Id: I4a7a74ec4c5046d167741389a40da7f330d4c63d
Merged-In: I4a7a74ec4c5046d167741389a40da7f330d4c63d
(cherry picked from commit be5c4de29f)
2020-06-03 10:59:02 +01:00
Jiyong Park
93a99cf8fc Introduce apex_info_file type
/apex/apex-info-file.xml is labeled as apex_info_file. It is
created/written by apexd once by apexd, and can be read by zygote and
system_server. The content of the file is essentially the same as the
return value of getAllPackages() call to apexd.

Bug: 154823184
Test: m
Merged-In: Ic6af79ddebf465b389d9dcb5fd569d3a786423b2
(cherry picked from commit f1de4c02cc)
Change-Id: Ic6af79ddebf465b389d9dcb5fd569d3a786423b2
2020-05-27 09:35:11 +09:00
Luca Stefani
ddcbbd7644 Escape '.' in com.android.permission
Change-Id: I83d7f81855b0facee3a07ad6fd2068e5e114db30
2020-04-10 19:22:50 +00:00
Peter Collingbourne
e432c093b7 Merge "Update sepolicy to account for crash_dump move." 2020-03-30 19:03:42 +00:00
Steven Moreland
e4f0ccf29c Add rules for hidl_lazy_test*
eng/userdebug rules added for integration testing of hidl_lazy_test,
similar to aidl_lazy_test.

This is required in sepolicy since the test requires defining a service
in an init.rc file, and so there needs to be sepolicy for init to start
this service.

Bug: 148114689
Test: hidl_lazy_test
Change-Id: Id6549cbb89b62d3f6de1ae2690ce95c3e8656f66
2020-03-24 18:34:58 -07:00
Alistair Delva
d5a222d75a Merge "Add gnss_device dev_type" 2020-03-23 18:58:59 +00:00
Songchun Fan
19a5cc2bab [sepolicy] remove vendor_incremental_module from global sepolicy rules
(Cherry-picking)

Moving to coral-sepolicy

BUG: 150882666
Test: atest PackageManagerShellCommandIncrementalTest
Merged-Id: I55f5d53ee32d0557e06c070961526631e1bb1fc5
Change-Id: Ia9c4d8240787b0d2b349764cac9d61b9d8731fa2
2020-03-19 16:31:44 -07:00
Jeffrey Huang
94452b2a50 Merge "Allow statsd to access a new metadata directory" 2020-03-18 22:22:24 +00:00
Peter Collingbourne
a7179b5668 Update sepolicy to account for crash_dump move.
Bug: 135772972
Change-Id: I740954a20656f69b00d75f804fd898179b6df878
Merged-In: I740954a20656f69b00d75f804fd898179b6df878
2020-03-18 10:38:40 -07:00
Alistair Delva
1a3ee382ec Add gnss_device dev_type
This grants default access to the new GNSS subsystem for Linux to the
GNSS HAL default implementation. The GNSS subsystem creates character
devices similar to ttys but without much unneeded complexity. The GNSS
device class is specific to location use cases.

Bug: 151670529
Change-Id: I03b27aa5bbfdf600eb830de1c8748aacb9bf4663
2020-03-17 20:25:51 +00:00
Jeffrey Huang
687aa037f6 Allow statsd to access a new metadata directory
Test: m -j
Bug: 149838525
Change-Id: I8633d21feb827c67288eb2894bafae166b103f92
2020-03-04 15:09:54 -08:00
Keun-young Park
aa6dba2770 Merge "Add resize2fs to fsck_exec file context" 2020-02-27 03:02:02 +00:00
Keun young Park
e6e5f32ea0 Add resize2fs to fsck_exec file context
- This allows init to access it.

Bug: 149039306
Test: Flash and confirm that file system can run resize2fs when metadata_csum is enabled.
Change-Id: Id91d8fb6800b254b12eaf93a0e8cb019b55d2702
2020-02-25 08:37:35 -08:00
Changyeon Jo
17b38d526d Update automotive display service rules
This change updates sepolicies for automotive display service to make it
available to the vendor processes.

Bug: 149017572
Test: m -j selinux_policy
Change-Id: I48708fe25e260f9302e02749c3777c0ca0d84e4b
Signed-off-by: Changyeon Jo <changyeon@google.com>
2020-02-25 02:02:54 +00:00
Roshan Pius
0f6852b342 Merge "sepolicy(wifi): Allow wifi service access to wifi apex directories" 2020-02-22 03:56:55 +00:00
Roshan Pius
8f84cc32a8 sepolicy(wifi): Allow wifi service access to wifi apex directories
Bug: 148660313
Test: Compiles
Change-Id: I4a973c4516fda5f96f17f82cd3a424b0ca89004b
2020-02-21 10:40:32 -08:00
Igor Murashkin
e39f8d23ed sepolicy: policies for iorap.inode2filename
binary transitions are as follows:

iorapd (fork/exec) -> iorap.cmd.compiler (fork/exec) -> iorap.inode2filename

Bug: 117840092
Test: adb shell cmd jobscheduler run -f android 28367305
Change-Id: I4249fcd37d2c8cbdd0ae1a0505983cce9c7fa7c6
2020-02-20 16:38:17 -08:00
David Zeuthen
1948c11d13 Merge "Add SELinux policy for credstore and update for IC HAL port from HIDL to AIDL." 2020-02-19 21:14:40 +00:00
David Zeuthen
02bf814aa2 Add SELinux policy for credstore and update for IC HAL port from HIDL to AIDL.
The credstore service is a system service which backs the
android.security.identity.* Framework APIs. It essentially calls into
the Identity Credential HAL while providing persistent storage for
credentials.

Bug: 111446262
Test: atest android.security.identity.cts
Test: VtsHalIdentityTargetTest
Test: android.hardware.identity-support-lib-test
Change-Id: I5cd9a6ae810e764326355c0842e88c490f214c60
2020-02-19 13:46:45 -05:00
Treehugger Robot
281afd81fa Merge "Fixup dalvikcache_data_file on external storage." 2020-02-17 14:34:33 +00:00
Martijn Coenen
4c43eeac63 Fixup dalvikcache_data_file on external storage.
The label also needs to be applied in case of the new 2-level deep
app-data directories.

Bug: 149396179
Bug: 148844589
Test: atest AdoptableHostTest

Change-Id: I0f6f41df54e6f74696039b41b4a0c7e5aae1fd84
2020-02-17 13:56:23 +01:00
Mark Salyzyn
79f9ca6789 bootstat: enhance last reboot reason property with file backing
Helps with support of recovery and rollback boot reason history, by
also using /metadata/bootstat/persist.sys.boot.reason to file the
reboot reason.  For now, label this file metadata_bootstat_file.

Test: manual
Bug: 129007837
Change-Id: Id1d21c404067414847bef14a0c43f70cafe1a3e2
2020-02-14 13:30:21 -08:00
Songchun Fan
b1512f3ab7 new label for incremental control files
Test: manual with incremental installation
Test: coral:/data/incremental/MT_data_incremental_tmp_1658593565/mount # ls -lZ .pending_reads
Test: -rw-rw-rw- 1 root root u:object_r:incremental_control_file:s0  0 1969-12-31 19:00 .pending_reads
BUG: 133435829
Change-Id: Ie090e085d94c5121bf61237974effecef2dcb180
2020-02-13 12:52:51 -08:00
Jerry Chang
e8b7cecad3 Merge "sepolicy: new prereboot_data_file type" 2020-02-11 02:49:29 +00:00
Songchun Fan
99d9374760 selinux rules for loading incremental module
Defining incremental file system driver module, allowing vold to load
and read it.

=== Denial messages ===
02-04 16:48:29.193   595   595 I Binder:595_4: type=1400 audit(0.0:507): avc: denied { read } for name="incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=file permissive=1
02-04 16:48:29.193   595   595 I Binder:595_4: type=1400 audit(0.0:508): avc: denied { open } for path="/vendor/lib/modules/incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=file permissive=1
02-04 16:48:29.193   595   595 I Binder:595_4: type=1400 audit(0.0:509): avc: denied { sys_module } for capability=16 scontext=u:r:vold:s0 tcontext=u:r:vold:s0 tclass=capability permissive=1
02-04 16:48:29.193   595   595 I Binder:595_4: type=1400 audit(0.0:510): avc: denied { module_load } for path="/vendor/lib/modules/incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=system permissive=1

Test: manual
BUG: 147371381
Change-Id: I5bf4e28c28736b4332e7a81c344ce97ac7278ffb
2020-02-07 09:52:34 -08:00
Jerry Chang
5594f307c8 sepolicy: new prereboot_data_file type
This adds the type and permissions for dumping and appending prereboot
information.

Bug: 145203410
Test: Didn't see denials while dumping and appending prereboot info.
Change-Id: Ic08408b9bebc3648a7668ed8475f96a5302635fa
2020-02-07 10:22:47 +08:00
Yifan Hong
28d5e87d39 Merge "snapshotctl better logging" 2020-02-04 22:18:33 +00:00
Yifan Hong
589bb6f369 snapshotctl better logging
Test: snapshotctl merge --log-to-file
Bug: 148818798
Change-Id: I0e9c8ebb6632a56670a566f7a541e52e0bd24b08
2020-02-04 10:09:24 -08:00
Songchun Fan
f09db16c56 [selinux] properly labeling dirs under /data/incremental
Setting files and dirs under /data/incremental as apk_data_file, so that
they will have the same permissions as the ones under /data/app.

Current layout of the dirs:
1. /data/incremental/[random]/mount -> holds data files (such as base.apk) and
control files (such as .cmd). Its subdirectory is first bind-mounted to
/data/incremental/tmp/[random], eventually bind-mounted to
/data/app/~~[randomA]/[packageName]-[randomB].

2. /data/incremental/[random]/backing_mount -> hold incfs backing image.

3. /data/incremental/tmp/[random] -> holds temporary mountpoints (bind-mount targets)
during app installation.

Test: manual
Change-Id: Ia5016db2fa2c7bad1e6611d59625731795eb9efc
2020-02-03 14:28:37 -08:00
Jon Spivack
499e0173b5 Merge "Revert^2 "Move aidl_lazy_test_server to system_ext"" 2020-01-31 00:04:08 +00:00
Jon Spivack
988e381b6b Revert^2 "Move aidl_lazy_test_server to system_ext"
4eae75c9d4

Reason for revert: This undoes the previous reversion, which was made to fix b/148282665.

Change-Id: I70d6e60a0468abea19f5efd7fde10207a251cf61
2020-01-29 02:09:34 +00:00
Zimuzo Ezeozue
5119becf5d Merge "Grant vold, installd, zygote and apps access to /mnt/pass_through" 2020-01-28 22:26:58 +00:00
Zim
fcf599c89c Grant vold, installd, zygote and apps access to /mnt/pass_through
/mnt/pass_through was introduced to allow the FUSE daemon unrestricted
 access to the lower filesystem (or sdcardfs).

At zygote fork time, the FUSE daemon will have /mnt/pass_through/0
bind mounted to /storage instead of /mnt/user/0. To keep /sdcard
(symlink to /storage/self/primary) paths working, we create a
'self' directory  with an additional 'primary' symlink to
/mnt/pass_through/0/emulated/0 which is a FUSE mount point.

The following components need varying sepolicy privileges:

Vold: Creates the self/primary symlink and mounts the lower filesystem
on /mnt/pass_through/0/emulated. So needs create_dir and mount access
+ create_file access for the symlink

zygote: In case zygote starts an app before vold sets up the paths.
This is unlikely but can happen if the FUSE daemon (a zygote forked app)
is started before system_server completes vold mounts.
Same sepolicy requirements as vold

installd: Needs to clear/destroy app data using lower filesystem
mounted on /mnt/pass_through so needs read_dir access to walk
/mnt/pass_through

priv_app (FUSE daemon): Needs to server content from the lower
filesystem mounted on /mnt/pass_through so needs read_dir access to
walk /mnt/pass_through

Bug: 135341433
Test: adb shell ls /mnt/pass_through/0/self/primary
Change-Id: I16e35b9007c2143282600c56adbc9468a1b7f240
2020-01-28 20:56:36 +00:00
Songchun Fan
7de88d73b6 Change selinux path config for oat files
We are updating apps' apk path to have a two-level structure.
Default apk path of an installed app:
Before: /data/app/[packageName]-[randomString]/base.apk
After: /data/app/[randomStringA]/[packageName]-[randomStringB]/base.apk

As a result, the oat files will be two levels below /data/app.

Test: manual
BUG: 148237378
Change-Id: If8e1fed46096f2e5f4150f6eedf74af76ac9d4b4
2020-01-28 10:33:13 -08:00
Jon Spivack
5f11b2e0ed Merge "Revert "Move aidl_lazy_test_server to system_ext"" 2020-01-25 21:29:45 +00:00
Jon Spivack
4eae75c9d4 Revert "Move aidl_lazy_test_server to system_ext"
Revert submission 1209453-aidl-lazy-presubmit

Reason for revert: b/148282665. A test has begun to fail on git_stage-aosp-master, and I need to verify whether these changes are responsible.

Reverted Changes:
Ib09a2460e: Add aidl_lazy_test to general-tests
Ib08989356: Move aidl_lazy_test_server to system_ext
I694e6ad35: Add aidl_lazy_test_server to Cuttlefish
I65db12c63: Add aidl_lazy_test to presubmit
I7ec80a280: Dynamically stop services with multiple interfaces...

Change-Id: I55f6b0f7800f348259787f62c6faa19a90f8bdcc
2020-01-25 02:55:04 +00:00
Jon Spivack
65028a3609 Merge "Move aidl_lazy_test_server to system_ext" 2020-01-24 01:30:49 +00:00
Jon Spivack
eb57c756c2 Move aidl_lazy_test_server to system_ext
This allows it to be installed and run during presubmit.

Bug: 147380480
Test: aidl_lazy_test
Change-Id: Ib08989356d02f2bf041d0780ec6c5bf65899c597
2020-01-22 17:36:05 -08:00
Ryan Savitski
67a82481f8 initial policy for traced_perf daemon (perf profiler)
The steps involved in setting up profiling and stack unwinding are
described in detail at go/perfetto-perf-android.

To summarize the interesting case: the daemon uses cpu-wide
perf_event_open, with userspace stack and register sampling on. For each
sample, it identifies whether the process is profileable, and obtains
the FDs for /proc/[pid]/{maps,mem} using a dedicated RT signal (with the
bionic signal handler handing over the FDs over a dedicated socket). It
then uses libunwindstack to unwind & symbolize the stacks, sending the
results to the central tracing daemon (traced).

This patch covers the app profiling use-cases. Splitting out the
"profile most things on debug builds" into a separate patch for easier
review.

Most of the exceptions in domain.te & coredomain.te come from the
"vendor_file_type" allow-rule. We want a subset of that (effectively all
libraries/executables), but I believe that in practice it's hard to use
just the specific subtypes, and we're better off allowing access to all
vendor_file_type files.

Bug: 137092007
Change-Id: I4aa482cfb3f9fb2fabf02e1dff92e2b5ce121a47
2020-01-22 22:04:01 +00:00
Haoxiang Li
741b9cd5ac Sepolicy update for Automotive Display Service
Bug: 140395359
Test: make sepolicy -j
Change-Id: Ib6ddf55210d8a8ee4868359c88e3d177edce9610
Signed-off-by: Changyeon Jo <changyeon@google.com>
2020-01-21 18:43:27 +00:00
Treehugger Robot
4f0bf97b41 Merge "Add policies for permission APEX data directory." 2020-01-17 23:45:54 +00:00
Jing Ji
2b12440ff7 Add rules for an unix domain socket for system_server
System_server will listen on incoming packets from zygotes.

Bug: 136036078
Test: atest CtsAppExitTestCases:ActivityManagerAppExitInfoTest
Change-Id: I42feaa317615b90c5277cd82191e677548888a71
2020-01-16 16:09:48 -08:00
Hai Zhang
f301cd299b Add policies for permission APEX data directory.
Bug: 136503238
Test: presubmit
Change-Id: I636ab95070df4c58cf2c98b395d99cb807a7f243
2020-01-16 16:08:55 -08:00
Ryan Savitski
ffa0dd93f3 perf_event: rules for system and simpleperf domain
This patch adds the necessary rules to support the existing usage of
perf_event_open by the system partition, which almost exclusively
concerns the simpleperf profiler. A new domain is introduced for some
(but not all) executions of the system image simpleperf. The following
configurations are supported:
* shell -> shell process (no domain transition)
* shell -> debuggable app (through shell -> runas -> runas_app)
* shell -> profileable app (through shell -> simpleperf_app_runner ->
                            untrusted_app -> simpleperf)
* debuggable/profile app -> self (through untrusted_app -> simpleperf)

simpleperf_app_runner still enters the untrusted_app domain immediately
before exec to properly inherit the categories related to MLS. My
understanding is that a direct transition would require modifying
external/selinux and seapp_contexts as with "fromRunAs", which seems
unnecessarily complex for this case.

runas_app can still run side-loaded binaries and use perf_event_open,
but it checks that the target app is exactly "debuggable"
(profileability is insufficient).

system-wide profiling is effectively constrained to "su" on debug
builds.

See go/perf-event-open-security for a more detailed explanation of the
scenarios covered here.

Tested: "atest CtsSimpleperfTestCases" on crosshatch-user/userdebug
Tested: manual simpleperf invocations on crosshatch-userdebug
Bug: 137092007
Change-Id: I2100929bae6d81f336f72eff4235fd5a78b94066
2020-01-15 16:56:41 +00:00
Jon Spivack
ae2df6b5de Add aidl_lazy_test_server
This is a test service for testing dynamic start/stop of AIDL services. In order to test realistic use cases with SELinux enabled, it requires the same permissions as a regular service.

Bug: 147153962
Test: aidl_lazy_test aidl_lazy_test_1 aidl_lazy_test_2
Change-Id: Ifc3b2eaefba9c06c94f9cf24b4474107d4e26563
2020-01-07 15:11:03 -08:00
Songchun Fan
743f9eddf6 [incremental] labels for incfs and directory root
Adding two labels: "incfs" for the incremental filesystem and
"incremental_root_file" for file paths /data/incremental/*.

Doc: go/incremental-selinux

Test: manual
Change-Id: I7d45ed1677e3422119b2861dfc7b541945fcb7a2
2019-12-18 16:59:31 -08:00
Ricky Wai
5b1b423039 Allow Zygote and Installd to remount directories in /data/data
Zygote/Installd now can do the following operations in app data directory:
- Mount on it
- Create directories in it
- Mount directory for each app data, and get/set attributes

Bug: 143937733
Test: No denials at boot
Test: No denials seen when creating mounts
Change-Id: I6e852a5f5182f1abcb3136a3b23ccea69c3328db
2019-12-13 12:30:26 +00:00
Chris Weir
6ad4f3207a Merge "Modify SEPolicy to support SLCAN" 2019-12-11 21:25:14 +00:00
Kiyoung Kim
cd74ef82fd Merge "Move linker config under /linkerconfig" 2019-12-11 02:55:06 +00:00
Oli Lan
91ce5b9c22 Add type for directories containing snapshots of apex data.
This adds a new apex_rollback_data_file type for the snapshots (backups)
of APEX data directories that can be restored in the event of a rollback.

Permission is given for apexd to create files and dirs in those directories
and for vold_prepare_subdirs to create the directories.

See go/apex-data-directories for details.

Bug: 141148175
Test: Built and flashed, checked directory was created with the correct
type.

Change-Id: I94b448dfc096e5702d3e33ace6f9df69f58340fd
2019-12-09 11:16:24 +00:00
Oli Lan
79b4e1af4a Add type for APEX data directories.
This adds a new apex_module_data_file type for the APEX data directories
under /data/misc/apexdata and /data/misc_[de|ce]/<u>/apexdata.

Permission is given for vold to identify which APEXes are present and
create the corresponding directories under apexdata in the ce/de user
directories.

See go/apex-data-directories.

Bug: 141148175
Test: Built & flashed, checked directories were created.
Change-Id: I95591e5fe85fc34f7ed21e2f4a75900ec2cfacfa
2019-12-09 11:14:38 +00:00
Kiyoung Kim
00cf2fbe50 Move linker config under /linkerconfig
Currently linker config locates under /dev, but this makes some problem
in case of using two system partitions using chroot. To match system
image and configuration, linker config better stays under /linkerconfig

Bug: 144966380
Test: m -j passed && tested from cuttlefish
Change-Id: Iea67663442888c410f29f8dd0c44fe49e3fcef94
2019-12-05 12:42:29 +09:00
chrisweir
cd40aa0ab7 Modify SEPolicy to support SLCAN
SLCAN setup requires certain ioctls and read/write operations to
certain tty's. This change allows the HAL to set up SLCAN devices while
complying with SEPolicy.

In addition to adding support for SLCAN, I've also included permissions
for using setsockopt. In order for the CAN HAL receive error frames from
the CAN bus controller, we need to first set the error mask and filter
via setsockopt.

Test: manual
Bug: 144458917
Bug: 144513919
Change-Id: I63a48ad6677a22f05d50d665a81868011c027898
2019-12-04 14:06:09 -08:00
Hangyu Kuang
ee3a8ea798 MediaTranscodingService: Add sepolicy for MediaTranscodingService.
Bug:145233472
Test: Build and flash the phone.
"adb shell dumpsys -l | grep media" shows media.transcoding service.

Change-Id: I48a42e7b595754989c92a8469eb91360ab6db7c6
2019-12-02 13:57:28 -08:00
Shuo Qian
584234e8b1 Merge "Setting up SELinux policy for Emergency number database" 2019-11-27 19:14:50 +00:00
Shuo Qian
9322cb088a Setting up SELinux policy for Emergency number database
Test: Manual; https://paste.googleplex.com/6222197494382592
Bug: 136027884
Change-Id: I29214de6b5b5a62bff246c1256567844f4ce55c7
2019-11-26 12:51:02 -08:00
Igor Murashkin
9f74a428c4 sepolicy: Add iorap_prefetcherd rules
/system/bin/iorapd fork+execs into /system/bin/iorap_prefetcherd during
startup

See also go/android-iorap-security for the design doc

Bug: 137403231
Change-Id: Ie8949c7927a98e0ab757bc46230c589b5a496360
2019-10-22 12:45:46 -07:00
Treehugger Robot
f0a9150deb Merge "file_contexts: Include legacy /system/vendor paths" 2019-10-16 06:53:13 +00:00
Bill Peckham
d0dc1a057d Moving recovery resources from /system to /vendor
This change is part of a topic that moves the recovery resources from the
system partition to the vendor partition, if it exists, or the vendor directory
on the system partition otherwise. The recovery resources are moving from the
system image to the vendor partition so that a single system image may be used
with either an A/B or a non-A/B vendor image. The topic removes a delta in the
system image that prevented such reuse in the past.

The recovery resources that are moving are involved with updating the recovery
partition after an update. In a non-A/B configuration, the system boots from
the recovery partition, updates the other partitions (system, vendor, etc.)
Then, the next time the system boots normally, a script updates the recovery
partition (if necessary). This script, the executables it invokes, and the data
files that it uses were previously on the system partition. The resources that
are moving include the following.

* install-recovery.sh
* applypatch
* recovery-resource.dat (if present)
* recovery-from-boot.p (if present)

This change includes the sepolicy changes to move the recovery resources from
system to vendor. The big change is renaming install_recovery*.te to
vendor_install_recovery*.te to emphasize the move to vendor. Other changes
follow from that. The net result is that the application of the recovery patch
has the same permissions that it had when it lived in system.

Bug: 68319577
Test: Ensure that recovery partition is updated correctly.
Change-Id: If29cb22b2a7a5ce1b25d45ef8635e6cb81103327
2019-10-04 14:40:27 -07:00
Tri Vo
f53c57287d Merge "sepolicy: fix missing label on vendor_service_contexts" 2019-10-03 22:29:53 +00:00
Felix
e6a3c9929b file_contexts: Include legacy /system/vendor paths
Probably flew under the radar because Google only tests on devices that
include devices with a physical /vendor partition.

Test: "make selinux_policy", confirm correct labels on a legacy device

Change-Id: I1aa856c6e3774912d1f4c0a09bbc2d174016f59d
Signed-off-by: Felix <google@ix5.org>
2019-10-03 22:34:19 +02:00
Yifan Hong
8cbaad3e4c Merge changes Idfe99d40,I3cba28cc,Ibd53cacb
* changes:
  Add rules for snapshotctl
  dontaudit update_engine access to gsi_metadata_file.
  update_engine: rules to apply virtual A/B OTA
2019-10-03 18:58:07 +00:00
Yifan Hong
f375337cc8 Add rules for snapshotctl
snapshotctl is a shell interface for libsnapshot. After rebooting
into an updated build, on sys.boot_completed, init calls
snapshotctl to merge snapshots. In order to do that, it needs to:
  - Talk to gsid to mount and unmount COW images
  - read the current slot suffix to do checks (and avoid merging
    snapshots when it shouldn't).
  - read / write OTA metadata files to understand states of
    the snapshot
  - delete OTA metadata files once a snapshot is merged
  - collapse the snapshot device-mapper targets into a plain
    dm-linear target by re-mapping devices on device-mapper

Test: reboot after OTA, see merge completed without denials
Bug: 135752105

Change-Id: Idfe99d4004e24805d56cd0ab2479557f237c2448
2019-10-02 16:30:00 -07:00
Yifan Hong
07a99e16e4 update_engine: rules to apply virtual A/B OTA
- /data/gsi/ota/* now has the type ota_image_data_file. At runtime
  during an OTA, update_engine uses libsnapshot to talk to gsid
  to create these images as a backing storage of snapshots. These
  "COW images" stores the changes update_engine has applied to
  the partitions.
  If the update is successful, these changes will be merged to the
  partitions, and these images will be teared down. If the update
  fails, these images will be deleted after rolling back to the
  previous slot.

- /metadata/gsi/ota/* now has the type ota_metadata_file. At runtime
  during an OTA, update_engine and gsid stores update states and
  information of the created snapshots there. At next boot, init
  reads these files to re-create the snapshots.

Beside these assignments, this CL also allows gsid and update_engine
to have the these permissions to do these operations.

Bug: 135752105
Test: apply OTA, no failure
Change-Id: Ibd53cacb6b4ee569c33cffbc18b1b801b62265de
2019-10-02 12:46:47 -07:00
Treehugger Robot
977b097fbf Merge "SEPolicy changes to allow vendor BoringSSL self test." 2019-10-01 22:38:19 +00:00
Tri Vo
3e70db526e sepolicy: fix missing label on vendor_service_contexts
Vendors can publish services with servicemanager only on non-Treble
builds. vendor_service_contexts is not meant to be read by
servicemanager.

5bccbfefe4/public/servicemanager.te (22)

Bug: 141333155
Test: create /vendor/etc/selinux/vendor_service_contexts and make sure it is
correctly labeled.
Change-Id: Ib68c50e0cdb2c39f0857a10289bfa26fa11b1b3c
2019-10-01 15:23:27 -07:00
Tri Vo
b398dbb9ea Merge "sepolicy: remove ashmemd" 2019-10-01 16:22:57 +00:00
Pete Bentley
90eb9b0e04 SEPolicy changes to allow vendor BoringSSL self test.
Introduces new domain vendor_boringssl_self_test and runs
/vendor/bin/boringssl_self_test(32|64) in it. New domain
required because boringssl_self_test needs to be in
coredomain in order to reboot the device, but vendor code
may not run in coredomain.

Bug: 141150335
Test: flashall && manually verify no selinux errors logged and that
    four flag files are created in /dev/boringssl, two by the
    system self tests and two by the vendor.

Change-Id: I46e2a5ea338eddacdfd089f696295dbd16795c5a
2019-10-01 14:14:36 +01:00
Treehugger Robot
3cda2d5c2b Merge changes from topic "system_ext_sepolicy"
* changes:
  Separate system_ext_mac_permissions.xml out of system sepolicy.
  Separate system_ext_service_contexts out of system sepolicy.
  Separate system_ext_property_contexts out of system sepolicy.
  Separate system_ext_hwservice_contexts out of system sepolicy.
  Separate system_ext_seapp_contexts out of system sepolicy.
  Separate system_ext_file_contexts out of system sepolicy.
  Separate system_ext_sepolicy.cil out of system sepolicy
2019-09-28 00:28:57 +00:00
Tri Vo
bfcddbe25e sepolicy: remove ashmemd
Bug: 139855428
Test: m selinux_policy
Change-Id: I8d7f66b16be025f7cb9c5269fae6fd7540c2fdc9
2019-09-27 17:43:53 +00:00
Bowgo Tsai
a3429fcc2b Separate system_ext_mac_permissions.xml out of system sepolicy.
Bug: 137712473
Test: boot crosshatch
Test: Moving product sepolicy to system_ext and checks the file contents in
      /system_ext/etc/selinux are identical to previous contents in
      /product/etc/selinux.
Change-Id: I434e7f23a1ae7d01d084335783255330329c44e9
2019-09-26 21:29:36 +08:00
Bowgo Tsai
9823116355 Separate system_ext_service_contexts out of system sepolicy.
Bug: 137712473
Test: boot crosshatch
Change-Id: If483e7a99dc07f082dd0ecd0162a54140a3267de
2019-09-26 21:29:30 +08:00
Bowgo Tsai
1864cd02fc Separate system_ext_property_contexts out of system sepolicy.
Bug: 137712473
Test: boot crosshatch
Change-Id: I27db30edfd9948675793fdfec19081288f8017eb
2019-09-26 21:29:22 +08:00
Bowgo Tsai
241d36eedd Separate system_ext_hwservice_contexts out of system sepolicy.
Bug: 137712473
Test: boot crosshatch
Change-Id: Ic5774da74e200b9d7699ac2240a12e7616dc512a
2019-09-26 21:29:15 +08:00
Bowgo Tsai
7bc47f4ba7 Separate system_ext_seapp_contexts out of system sepolicy.
Bug: 137712473
Test: boot crosshatch
Change-Id: I2c2acbcf234861feb39834c867a4eb74c506692d
2019-09-26 21:29:05 +08:00
Bowgo Tsai
86a048d4df Separate system_ext_file_contexts out of system sepolicy.
Bug: 137712473
Test: boot crosshatch
Change-Id: I09f63771d08ad18fb41fca801dd587b086be58c7
2019-09-26 21:28:07 +08:00
Tri Vo
a7f61021b7 sepolicy: ashmem entry point for libcutils
This duplicated ashmem device is intended to replace ashmemd.

Ashmem fd has a label of the domain that opens it. Now with ashmemd
removed, ashmem fds can have labels other than "ashmemd", e.g.
"system_server". We add missing permissions to make ashmem fds usable.

Bug: 139855428
Test: boot device
Change-Id: Iec8352567f1e4f171f76db1272935eee59156954
2019-09-25 11:26:18 -07:00
Paul Crowley
aed0f76ee9 Root of /data belongs to init (re-landing)
Give /data itself a different label to its contents, to ensure that
only init creates files and directories there.

This change originally landed as aosp/1106014 and was reverted in
aosp/1116238 to fix b/140402208. aosp/1116298 fixes the underlying
problem, and with that we can re-land this change.

Bug: 139190159
Bug: 140402208
Test: aosp boots, logs look good
Change-Id: I1a366c577a0fff307ca366a6844231bcf8afe3bf
2019-09-09 14:42:01 -07:00
Tobias Thierer
02924043e3 Merge "SEPolicy for boringssl_self_test." 2019-09-07 23:46:00 +00:00
Treehugger Robot
9aa263055b Merge "Revert "Root of /data belongs to init"" 2019-09-06 23:13:48 +00:00
Paul Crowley
d98e311952 Revert "Root of /data belongs to init"
This reverts commit 206b6535f1.

Reason for revert: Droidfood is blocked
Bug: 140402208
Change-Id: I1d1eb014747ba5c5bb656342e53b8c4e434878d1
2019-09-06 19:59:17 +00:00
Martin Stjernholm
d7951d2647 Rename the context for the ART APEX.
Test: Boot (with default flattened APEXes)
Bug: 135753770
Change-Id: I551e88a250d3bd891f63a6bccee0682d0d0de7cf
2019-09-05 19:49:05 +01:00
Tobias Thierer
353ad0fd47 SEPolicy for boringssl_self_test.
This CL adds hand-written SELinux rules to:
 - define the boringssl_self_test security domain
 - label the corresponding files at type boringssl_self_test_marker
   and boringssl_self_test_exec.
 - define an automatic transition from init to boringssl_self_test
   domains, plus appropriate access permissions.

Bug: 137267623
Test: When run together with the other changes from draft CL topic
      http://aosp/q/topic:bug137267623_bsslselftest, check that:
      - both /dev/boringssl/selftest/* marker files are
        present after the device boots.
      - Test: after the boringssl_self_test{32,64} binaries have
        run, no further SELinux denials occur for processes
        trying to write the marker file.

Change-Id: I77de0bccdd8c1e22c354d8ea146e363f4af7e36f
2019-09-05 02:40:57 +01:00
Martin Stjernholm
58e4384286 Split off ART rules for new ART APEX.
am: f6bd00af8b

Change-Id: If6e89c44c3e4429eed0f593e7a225f1a6f8e1d80
2019-09-02 03:46:11 -07:00
Martin Stjernholm
f6bd00af8b Split off ART rules for new ART APEX.
Test: Build & boot
Bug: 135753770
Exempt-From-Owner-Approval: Approved internally
Change-Id: Iab56f6b5bb7a59fbeaad214a64fbd959060574f4
Merged-In: Iab56f6b5bb7a59fbeaad214a64fbd959060574f4
2019-08-30 17:47:31 +01:00
Paul Crowley
e9465fceb6 Merge "Root of /data belongs to init"
am: b935b6c664

Change-Id: I39a36ec663c98ac55be886e886da4afbf34e9cf2
2019-08-29 23:10:42 -07:00
Paul Crowley
206b6535f1 Root of /data belongs to init
Give /data itself a different label to its contents, to ensure that
only init creates files and directories there.

Bug: 139190159
Test: aosp boots, logs look good
Change-Id: I3ee654a928bdab3f5d435ab6ac24040d9bdd9abe
2019-08-29 15:08:21 -07:00
Paul Crowley
1fc44958bd Merge "Move layout_version to /data/misc/installd"
am: 7f9c607b4f

Change-Id: I05c2ba0b7f2f44c72bb6c6eba16a4ab385c15939
2019-08-28 13:35:17 -07:00
Paul Crowley
04023ade9a Move layout_version to /data/misc/installd
Bug: 139543295
Test: Boot, ensure file is properly created
Change-Id: I577b25bcf61505970b153884d8ac3567957bb50a
2019-08-21 10:11:35 -07:00
Tri Vo
f517b7a5fd Merge "Label /product/lib(64)/* as system_lib_file"
am: 2765c29bef

Change-Id: I82ba26300d444ab3a31b4fd7f0ac5907d8da7060
2019-08-02 00:28:10 -07:00
Tri Vo
3d58603623 Label /product/lib(64)/* as system_lib_file
Bug: 138545724
Test: n/a
Change-Id: Ic707229a04c2484503154110c45f4acb5ff61bd5
2019-07-29 12:39:10 -07:00
Elliott Hughes
509135ac69 Merge "Remove perfprofd references."
am: c807b3fd8a

Change-Id: I90501f397c29847e2e497f10515571fa10f9d992
2019-07-23 17:10:33 -07:00
Elliott Hughes
c807b3fd8a Merge "Remove perfprofd references." 2019-07-23 23:23:15 +00:00
Tom Cherry
af9b6fc10b Merge "Allow domain access r_file_perms for passwd and group files"
am: aa4af2c082

Change-Id: I352be482e68c35e03e1757904fa6b56906c93f3b
2019-07-19 11:33:45 -07:00
Elliott Hughes
132b081ee3 Remove perfprofd references.
perfprofd was never finished, and has been removed.

Test: treehugger
Change-Id: I4fc8aa9b737360a66d89c5be39651284ee2d6ffd
2019-07-19 11:15:12 -07:00
Tom Cherry
aa4af2c082 Merge "Allow domain access r_file_perms for passwd and group files" 2019-07-19 18:00:41 +00:00
Tom Cherry
da05f1d6b8 Allow domain access r_file_perms for passwd and group files
In b/73062966, we add new AID ranges for each partition that doesn't
yet have them (system, system_ext, odm, product).  We also add group
and passwd files to these partitions to be able to map these AIDs into
human readable user and group names, and vice versa.

All processes should be able to read all users and groups.  We divide
the ranges into non-overlapping regions for each partition and we
namespace the names with the partition name as a prefix.

Allow domain r_file_perms to
/(system|product|system_ext)/etc/(group|passwd).

Vendor and odm passwd and group files already have this access, since
/(vendor|odm)/etc/* is already domain readable.

Example contents:
blueline:/ $ cat /system/etc/passwd
system_tom::6050:6050::/:/bin/sh
blueline:/ $ cat /product/etc/passwd
product_tom::7013:7013::/:/bin/sh

Bug: 73062966
Test: tree-hugger selinux denial during boot test
Change-Id: Ib4dc31778e95e952174e1365497feaf93dca7156
2019-07-19 09:19:23 -07:00
David Anderson
575f881668 Merge "Add selinux labels for /metadata/ota."
am: 9859aa0a24

Change-Id: I1d24e9d7db69f9b61e4384a1b1902112f9fb3678
2019-07-18 16:00:38 -07:00
David Anderson
9859aa0a24 Merge "Add selinux labels for /metadata/ota." 2019-07-18 22:42:13 +00:00
Roshan Pius
3754b4b007 sepolicy: Permission changes for new wifi mainline module
am: 3aa1c1725e

Change-Id: Ia9e876cdd12f1305dacb2961f398c492cc03dadb
2019-07-16 17:20:00 -07:00
David Anderson
c1bc87394d Add selinux labels for /metadata/ota.
/metadata/ota will store critical bits necessary to reify
system and vendor partition state during an OTA. It will be accessed
primarily by first-stage init, recovery/fastbootd, and update_engine.

Bug: 136678799
Test: manual test
Change-Id: Ib78cb96ac60ca11bb27d2b2fe011482e64ba0cf8
2019-07-16 13:38:10 -07:00
Roshan Pius
3aa1c1725e sepolicy: Permission changes for new wifi mainline module
Move wifi services out of system_server into a separate APK/process.

Changes:
a) Created sepolicy for the new wifi apk.
b) The new APK will run with network_stack uid (eventually will be moved
to the same process).

Used 'audit2allow' tool to gather list of permissions required.

Note: The existing wifi related permissions in system_server is left
behind to allow the module to be loaded into system_server or
network_stack process depending on device configuration.

Bug: 113174748
Test: Device boots up and able to make wifi connection.
Test: Tested hotspot functionality.
Test: Ran WifiManagerTest & WifiSoftApTest ACTS tests locally.
Test: Will send for wifi regression tests.
Change-Id: Id19643a235bf0c28238f2729926b893ac2025b97
(cherry-picked from c7aa90091e6bec70a31a643cc4519a9a86fb0b38)
2019-07-16 13:30:15 -07:00
Kiyoung Kim
fa21eb75f7 Merge "Add linker config generator and output file to sepolicy"
am: 8231ac82e5

Change-Id: I266798bc918e0bc2cf7db54d456431428eba872b
2019-07-15 17:39:47 -07:00
Kiyoung Kim
8231ac82e5 Merge "Add linker config generator and output file to sepolicy" 2019-07-16 00:32:13 +00:00
Kiyoung Kim
affa6f323c Add linker config generator and output file to sepolicy
Sepolicy for linkerconfig generator and ld.config.txt file from
generator

Bug: 135004088
Test: m -j & tested from device
Change-Id: I2ea7653a33996dde67a84a2e7a0efa660886434a
2019-07-12 12:32:19 +09:00
Justin Yun
07def020ba Rename product_services to system_ext
am: 87b4b81190

Change-Id: I21f4e7542eb186f725610598d7cfc88395393c50
2019-07-09 02:15:08 -07:00
Justin Yun
87b4b81190 Rename product_services to system_ext
Bug: 134359158
Test: build and check if system_ext.img is created
Change-Id: I395324d369d9467895471f5b62d327fd9b3381dc
2019-07-09 08:57:35 +00:00
Matthias Kramm
1710bbd6fe Merge "Revert "Allow hal_face to write to /data/vendor/camera_calibration/*."" am: f4362c08c7
am: 199db0ceb1

Change-Id: Icce34a06c681b8d3717061c31d142622acbfd979
2019-06-19 18:36:04 -07:00
Matthias Kramm
ebcc08249b Revert "Allow hal_face to write to /data/vendor/camera_calibration/*."
This reverts commit 3a44b17897.

Reason for revert: Moved to downstream repo.

Change-Id: I7d3ad43335f71ed03e7a93bc5c96a8933785afd8
2019-06-19 20:15:50 +00:00
Matthias Kramm
cf010dcb85 Merge "Allow hal_face to write to /data/vendor/camera_calibration/*." am: 9faeec71f2
am: c58cd73209

Change-Id: I102966877e40ec5c56033feb510e519c033aa407
2019-06-17 12:48:25 -07:00
Matthias Kramm
3a44b17897 Allow hal_face to write to /data/vendor/camera_calibration/*.
Also, allow hal_camera to read from there.

Bug: 133792720
Change-Id: Iedec8d7325b4424d166f8e4d09182e1f29808ef2
Test: Running presubmit.
2019-06-14 05:53:59 -07:00