Move complete domain to private/. Move referencing parts in domain
and kernel to private.
Bug: 128840749
Test: m
Change-Id: I5572c3b04e41141c8f4db62b1361e2b392a5e2da
The file descriptors for /dev/zero are no longer open. However,
a descriptor to the shell is still inherited. Update the comment.
Bug: 126787589
Test: m
Test: manual
Change-Id: I0d4518d2ba771622ea969bbf02827db45788bc09
This is a partial revert of https://android-review.googlesource.com/c/platform/system/sepolicy/+/891474
The mount points at /bionic are gone. Therefore, init and
otapreopt_chroot do not need to bionic-mount bionic libraries.
Corresponding policies are removed.
Bug: 125549215
Bug: 113373927
Bug: 120266448
Test: m; device boots
Change-Id: I9d9d7ec204315fb5b66beec4e6a3c529bd827590
Set the apex_key context for files in
/product/etc/security/apex/ and
/system/product/etc/security/apex/.
The apexd code is already looking for public keys in these locations,
but the apex_key context needs to be set to make them accessible from
apexd.
Bug: 127690808
Test: manual - verified that key files had proper SE-Linux label
Change-Id: Ib15728fa97eb438ea97a9743a06fa46e4d54f1cd
Bug: 128037879
Test: Camera HAL is able to read ro.serialno
Change-Id: I904c852a7100bc65456ee63ffb31d70681293d7d
Signed-off-by: Jayant Chowdhary <jchowdhary@google.com>
Allow everyone to look for keys in the fsverity keyring. This is
required to access fsverity-protected files, at all.
This set of permissions is analogous to allowances for the fscrypt
keyring and keys.
Bug: 125474642
Test: m
Test: manual
Change-Id: I6e8c13272cdd76d9940d950e9dabecdb210691b1
This CL add new label for files created by fsverity.
Bug: 112038861
Test: ls -Z /proc/sys/fs/verity/require_signatures.
Change-Id: I8e49ad9a43282bc608449eb0db4ea78617c4ee9a
With the CLs in the same topic, it's being built as a dynamically linked
executable. And this applies to normal boot (including charger mode) and
recovery mode both.
/system/bin/charger under normal boot will be labeled as charger_exec,
which has the attribute of system_file_type.
The file in recovery image will still be labeled as rootfs. So we keep
the domain_trans rule for rootfs file, but allowing for recovery mode
only.
Bug: 73660730
Test: Boot into charger mode on taimen. Check that charger UI works.
Test: Boot into recovery mode. Check that charger process works.
Change-Id: I062d81c346578cdfce1cc2dce18c829387a1fdbc
If kernel is built with CONFIG_TRANSPARENT_HUGEPAGE optimization,
libjemalloc5 will attempt to read
/sys/kernel/mm/transparent_hugepage/enabled and hit an SELinux denial.
Various denials similiar to the following are seen on cuttlefish:
avc: denied { open } for comm="surfaceflinger"
path="/sys/kernel/mm/transparent_hugepage/enabled" dev="sysfs" ino=776
scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file
permissive=1
Bug: 28053261
Test: boot cuttlefish without above denials.
Change-Id: Ic33f12d31aacc42d662a8c5c297fbb5f84d4deea
Remove unnecessary rules which will be added from 28.0.cil automatically
by the build process.
Bug: 111308141
Test: builds
Change-Id: I02064785cac1ed6d8b4e462604a1b8db10c1a25a
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Update copy-paste comment header. Fix file access to the right
type.
Follow-up to commit 1845b406fc.
Bug 125474642
Test: m
Test: boot
Change-Id: I33bfef51c78ca581063c0f950e1837546d013050
Changed the system properties to enum. The valid modes
are "default", "legacy", and "AP-assisted".
Test: Manual
Bug: 126218288
Change-Id: Ib70ed8606e845ca29453013a400b377647e15490
Allows power rail data to be logged in the trace, allowing
high fidelity attribution of battery power use.
Matching feature CL: aosp/891533
SELinux denials that lead to this:
avc: denied { call } for scontext=u:r:traced_probes:s0 tcontext=u:r:hal_power_stats_default:s0 tclass=binder
Test: checked data in a trace
Bug: 122584217
Change-Id: I7e0f4e825be3f54bc78d91da1cb85c2f61465a44
Lmkd needs read access to /proc/pressure/memory, proc/pressure/cpu
and proc/pressure/io nodes to read current psi levels.
Lmkd needs write access to /proc/pressure/memory to set psi monitor
triggers.
Bug: 111308141
Test: modified lmkd to use PSI and tested using lmkd_unit_test
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Merged-In: I9efd60c7fbb89cc08938fa5119b13d794813b52b
Change-Id: I9efd60c7fbb89cc08938fa5119b13d794813b52b
This is for Non-AB ota update recovery partition on GMS Express 2.0 project.
recovery partition update via /vendor/bin/install-recovery.sh from /vendor/etc/recovery.img
Bug: 124277294
Test: builds and test GOTA.
Change-Id: I97521c03a881bd0427e5d02836220ee2c0db7650
Add ART boot integrity check domain. Give it rights to run
fsverity and delete boot classpath artifacts.
Bug 125474642
Test: m
Test: boot
Change-Id: I933add9b1895ed85c43ec712ced6ffe8f820c7ec
Third parameter of a property_context entry should be "exact" if the
entry is for a single property, not a prefix.
And the type of each entry should be the fourth parameter.
Bug: 112386364
Test: m -j
Change-Id: I2ed31c9fd7c7424e3a6a51d44b4e85413ae316b7
This is an area that apexd can use to store session metadata, which
won't be rolled back with filesystem checkpointing.
Bug: 126740531
Test: builds
Change-Id: I5abbc500dc1b92aa46830829be76e7a4381eef91
vold needs write permissions for /sys/block/*/uevent to perform a
coldboot.
https://android.googlesource.com/platform/system/vold/+/refs/heads/master/main.cpp#139
This denial is seen on cuttlefish:
avc: denied { write } for name=uevent dev=sysfs ino=11649
scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_devices_block:s0
tclass=file permissive=1
Pixel devices resolve this denial in device policy, but since coldboot
is performed from platform code, the corresponding permission should be
in /system/sepolicy
Bug: 28053261
Test: boot cuttlefish without above denial
Change-Id: I2de08db603e2d287e8021af70ee8e69266d7736f
The OMX comment here seems unrelated. The linker (system) uses it to
talk to tombstoned.
Fixes: 112606643
Test: N/A
Change-Id: Ib3da832f120d3cc244aa22de5d4d655b874db38b
Moved the system properties from exported3_default
to exported_radio so that the service from vendor
partition can access that.
Test: Manual
Bug: 126218288
Change-Id: I055c1c26d1e25f5d12f2593b96eecf57be62d871
The device OS and an installed GSI will both attempt to write
authentication data to the same weaver slots. To prevent this, we can
use the /metadata partition (required for GSI support) to communicate
which slots are in use between OS images.
To do this we define a new /metadata/password_slots directory and define
sepolicy to allow system_server (see PasswordSlotManager) to access it.
Bug: 123716647
Test: no denials on crosshatch
Change-Id: I8e3679d332503b5fb8a8eb6455de068c22eba30b
