system/sepolicy/Android.mk has become too large (~2k lines) and hard to
navigate. This patch reorganizes build rules for convenience. No
functional changes are made.
Test: m selinux_policy
Change-Id: I9a022b223b2387a4475da6d8209d561bfea228fb
* changes:
Allow `oatpreopt_chroot` to deactivate APEX packages in `/postinstall/apex`.
Allow `oatpreopt` to run `dex2oat` from the Runtime APEX.
Allow `otapreopt_chroot` to mount APEX packages using `apexd` logic.
The dynamic linker always calls access(2) on the path. Don't generate SElinux
denials since the linker does not actually access the path in case the path
does not exist or isn't accessible for the process.
Bug: 120996057
Test: copy ping to /data/local/tmp, run it, no selinux denials
Test: bionic unit tests
Change-Id: Idf33ba7bc6c0d657b6ab0abde6bd078e4bb024e5
Bug: 123367055
Test: used Traceur to take a trace on a user build and verified the
tracepoints are in the resultant trace
Change-Id: I39e963762bf2b9f0e427ee217a3b2a246f970902
selinux_denial_metadate is an concatenation of different bug maps on the
device, including vendor one. This file is only used for debugging, so
we simply move it to /vendor instead of splitting it up.
/vendor/etc/selinux/selinux_denial_metadata has vendor_configs_file
selinux type, which is logd readable.
Bug: 5159394
Test: bug information is still preserved in avc logs, e.g.
audit(0.0:248): avc: denied { read } for
name="u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=18012
scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=0
b/79617173 app=com.android.systemui
Change-Id: Id5eb9abd3bdeed92feb2aca40880903533468d50
Give apexd permission to execute sh.
Add userdebug_or_eng domains and rules for the test
APEX for pre- and post-install.
Bug: 119260955
Bug: 119261380
Test: atest apexservice_test
Change-Id: I0c4a5e35e096101a53c9d1f212d2db2e63728267
Untrustworthy symlinks dereferenced by priv-apps could cause those apps
to access files they weren't intending to access. Trusted components
such as priv-apps should never trust untrustworthy symlinks from
untrusted apps.
Modify the rules and add a neverallow assertion to prevent regressions.
Bug: 123350324
Test: device boots and no obvious problems.
Change-Id: I8c4a5c9c8571fd29b2844b20b4fd1126db4128c0
The app_zygote should never use any unix sockets, except the
logd socket and some sockets only available on userdebug/eng.
Prevent it from using ptrace.
Bug: 111434506
Test: builds
Change-Id: Ic47cfca51fba0b150a136194ba0e4a8a488c9996
Whitelist the persistent system properties that will be used as
flags in activity manager experiments.
Bug: 120794810
Test: m, flash, test getting flag value in ActivityManagerService.java
Change-Id: I90a10bc87d6db3a64347b62fd02e6f0b12ac9fa8
Allow apexd to log to the kernel log. This aids in low-level
diagnostics, when adb is not available.
Test: m
Change-Id: Ib8f286bd917b34f5e8992b37ab230313a4820bf9
The new codepath for creating the classloader in the webview zygote
triggers an selinux denial; track this until it is fixed.
Bug: 123246126
Test: DeviceBootTest.SELinuxUncheckedDenialBootTest
Merged-In: I6835947e81364b5dd43898199108af7b14d31088
Change-Id: I6835947e81364b5dd43898199108af7b14d31088
The bpf maps for per uid stats need to be regularly cleaned now to
optimize the memory usage and performance. It can only done by
system_server since it is the process that scrapes and read the stats.
So allow it to write to maps to clean the stats. This change also
allows the system server to create PF_KEY sockets since we need a
reliable way to force synchronize the rcu on devices with 4.9 kernel.
Test: CtsUsageStatsTestCases
Bug: 79171384
Change-Id: I6564a56a5906a958f7d8e1d290b85de3f6fa121d
Bug: 123006652
Bug: 111441001
Fix: 123006652
Test: Wrote a test app using BugreportManager, checked denials in logcat
Change-Id: Id1c4b1d166bc70aec833c3d644e8aea6ae94c35a
system/sepolicy commit ffa2b61330 made
run-as spawned processes run in the runas_app SELinux domain, instead of
the untrusted_app domain.
https://android-review.googlesource.com/q/topic:%22runas_exec%22+(status:open%20OR%20status:merged)
This broke unix socket connections from untrusted_app* to runas_app.
This functionality is used by Android Studio for the Instant Run
feature. See https://developer.android.com/studio/run/
Allow untrusted_apps to connect to listening abstract sockets hosted by
runas_app.
Addresses the following denial:
01-23 11:11:56.084 16272 16272 W e.myapplication: type=1400 audit(0.0:68): avc: denied { connectto } for path=006972736F636B6574000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=u:r:untrusted_app_27:s0:c169,c256,c512,c768 tcontext=u:r:runas_app:s0:c169,c256,c512,c768 tclass=unix_stream_socket permissive=0 app=com.example.myapplication
01-23 11:11:56.086 16272 16272 V SwapperAgent: Prior agent invocations in this VM: 1
01-23 11:11:56.088 16272 16272 E SwapperAgent: Could not connect to socket
Change-Id: Ia1203f44aebcbec0ff858b8316e147cba7a048a2
Fixes: 123297648
Test: acleung manual testing
This requires moving the type declaration of
perfetto traced to public, because iorapd
needs to refer to it.
Denials without this CL:
https://pastebin.com/raw/sxHMeLEU
Bug: 72170747
Test: 1. runcon u:r:iorapd:s0 iorap.cmd.perfetto \
-v --output-proto /data/misc/iorapd/test
2. Check that no selinux denials other than
avc: denied { entrypoint } for path="/system/bin/iorap.cmd.perfetto" dev="sda6" ino=21 scontext=u:r:iorapd:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
show up (this is a side-effect of runcon).
Change-Id: Iacd1ab201fe9fb2a6302dbd528f42f709cbca054
