To configure read-ahead on loop devices, eg.
/sys/devices/virtual/block/loop0/queue/read_ahead_kb
Bug: 120776455
Test: configuring read-ahead on loop devices works from apexd
Change-Id: Ib25372358e8ca62fa634daf286e4b64e635fac58
I572ea22253e0c1e42065fbd1d2fd7845de06fceb introduced a whitelist, so
everything under tracing/ is assumed to be debugfs_tracing_debug
unless explicitly marked as debugfs_tracing.
Test: Device boots, labels under /sys/kernel/debug/tracing are unchanged.
Change-Id: Id0f0cbcc9e5540551bd2906fbf75f8e939dc4d4c
This includes the SELinux policy changes to allow for
kcov access in userdebug builds for coverage-guided
kernel fuzzing.
Bug: 117990869
Test: Ran syzkaller with Android untrusted_app sandbox with coverage.
Change-Id: I1fcaad447c7cdc2a3360383b5dcd76e8a0f93f09
Remove these files from proc_net_type. Domains that need access must
have permission explicitly granted. Neverallow app access except the
shell domain.
Bug: 114475727
Test: atest CtsLibcoreOjTestCases
Test: netstat, lsof
Test: adb bugreport
Change-Id: I2304e3e98c0d637af78a361569466aa2fbe79fa0
Export /proc/sys/kernel/perf_cpu_time_max_percent and
/proc/sys/kernel/perf_event_mlock_kb in proc_perf. So
they can be read in shell and written by init.
This is needed by simpleperf to control cpu percent and
memory used for profiling.
Bug: 110706031
Test: build and boot hikey960 successfully.
Change-Id: I2a01f583508003ab73427bab30a7982a27dfa677
The 'sync' tracepoint was updated to be 'fence' in kernel 4.9, so this
change also adds that one to the list.
Bug: 79935503
Test: Took a trace using 'sync' in user mode and saw the tracepoints
being saved.
Change-Id: I793c6f54cd9364f33853983f8c5dfb28b98c2708
Merged-In: I793c6f54cd9364f33853983f8c5dfb28b98c2708
Introduce a standalone live-lock daemon (llkd), to catch kernel
or native user space deadlocks and take mitigating actions.
Test: llkd_unit_test
Bug: 33808187
Bug: 72838192
Change-Id: If869ecd06e5ce7b04bba1dafd0a77971b71aa517
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.
To that end, this change:
* Introduces the proc_net_type attribute which will be assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be, including
storaged, zygote, clatd, logd, preopt2cachename and vold.
Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
navigate maps, send text message, make voice call, make video call.
Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest
Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f)
This reverts commit 12e73685b7.
Reason for revert: Rolling original change forward again, more carefully.
Change-Id: I266b181915c829d743c6d8d0b8c0d70b6bf3d620
We're adding support for OEMs to ship exFAT, which behaves identically
to vfat. Some rules have been manually enumerating labels related
to these "public" volumes, so unify them all behind "sdcard_type".
Test: atest
Bug: 67822822
Change-Id: I09157fd1fc666ec5d98082c6e2cefce7c8d3ae56
Without this, we only have visibility into writes.
Looking at traces, we realised for many of the files we care about (.dex, .apk)
most filesystem events are actually reads.
See aosp/661782 for matching filesystem permission change.
Bug: 73625480
Change-Id: I6ec71d82fad8f4679c7b7d38e3cb90aff0b9e298
This reverts commit db83323a03.
Reason for revert: breaks some builds due to duplicate genfs entries
Change-Id: I47813bd84ff10074a32cf483501a9337f556e92a
This allows system_server to access it for determining battery stats
(see KernelMemoryBandwidthStats.java).
batterystats-wo: type=1400 audit(0.0:429): avc: denied { read } for name="show_stat" dev="sysfs" ino=48071 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
Bug: 72643420
Bug: 73947096
Test: Denial is no longer present.
Change-Id: Ibe46aee48eb3f78fa5a9d1f36602c082c33036f7
(cherry picked from commit a8b3634d3e)
See also go/perfetto-io-tracing-security.
* Grant CAP_DAC_READ_SEARCH to traced_probes.
* Allow traced_probes to list selected labels.
* Change ext4 and f2fs events to be available on user builds.
Bug: 74584014
Change-Id: I891a0209be981d760a828a69e4831e238248ebad
This allows init to write to it, which it does for atrace.
Bug: 72643420
Test: Boot two devices, observe no denials, test atrace.
Change-Id: I6810e5dcdfaff176bd944317e66d4fe612ccebed
(cherry picked from commit dce07413bc)
Allows the traced_probes daemon to access the core ftrace
functionalities on user builds. Specifically this involves:
- Whitelisting the per_cpu/ subdirectory to access:
1) trace_pipe_raw file to allow perfetto to read the raw
ftrace buffer (rather than the text-based /trace endpoint)
2) cpuX/stats and cpuX/buffer_size_kb that allow tuning the
buffer size of the per-cpu pipe and getting basic
statistics about the ftrace buffer (#events, overruns)
- Whitelisting the full event directories rather than the
/enable files. This gives also access to the /format files
for the events that are already enabled on user builds.
/format files simply describe the memory layout
of the binary logs. Example: https://ghostbin.com/paste/f8m4k
This still does NOT allow enabling the events labeled as
"_debug" (mostly events that return activity on inodes).
We'll deal with that separately as soon as we get a POC
of inode resolution and a sensible blacklist/whitelist model.
Bug: 70942310
Change-Id: Ic15cca0a9d7bc0e45aa48097a94eadef44c333f8
This changes tracefs files to be default-enabled in debug mode, but
default-disabled with specific files enabled in user mode.
Bug: 64762598
Test: Successfully took traces in user mode.
Change-Id: I572ea22253e0c1e42065fbd1d2fd7845de06fceb
Do not let apps read /proc/uid_cpupower/time_in_state,
/proc/uid_cpupower/concurrent_active_time,
/proc/uid_cpupower/concurrent_policy_time.
b/71718257
Test: Check that they can't be read from the shell
without root permissions and system_server was able
to read them
Change-Id: I812694adfbb4630f7b56aa7096dc2e6dfb148b15
Init tries to write /proc/sys/vm/min_free_order_shift but fails due to
a SELinux denial. This gives the file a new label and gives init the
ability to write it.
Test: Build and booted Sailfish (a couple of days ago).
Change-Id: Ic93862b85c468afccff2019d84b927af9ed2a84d
And grant appropriate permissions to more granular types.
Bug: 29319732
Bug: 65643247
Test: adb bugreport; no new denials to /proc or /sys files.
Change-Id: Ied99546164e79bfa6148822858c165177d3720a5
/proc/net/xt_qtaguid is used by apps to track their network data
use. Limit access to just zygote spawned processes - apps and
system_server, omitting access to isolated_app which is not allowed
to create network sockets.
As Android moves to eBPF for app's network data stats, access to
/proc/net/xt_qtaguid will be removed entirely. Segmenting access off
is the first step.
Bug: 68774956
This change also helps further segment and whitelist access to
files in /proc/net and is a step in the lockdown of /proc/net.
Bug: 9496886
Test: boot Taimen. Walk through setup-wizard. Make phone call and
video call. Browse web. Watch youtube. Navigate in maps.
Test: cts-tradefed run cts -m CtsAppSecurityHostTestCases -t \
android.appsecurity.cts.AppSecurityTests
Test: cts-tradefed run cts -m CtsNativeNetTestCases
Test: cts-tradefed run cts -m CtsIncidentHostTestCases -t \
com.android.server.cts.NetstatsIncidentTest
Test: cts-tradefed run cts -m CtsOsTestCases -t \
android.os.cts.StrictModeTest
Test: cts-tradefed run cts -m CtsNetTestCases -t \
android.net.cts.TrafficStatsTest
Test: cts-tradefed run cts -m CtsUsageStatsTestCases -t \
android.app.usage.cts.NetworkUsageStatsTest
Test: vts-tradefed run vts -m VtsQtaguidTest
Change-Id: Idddd318c56b84564142d37b11dcc225a2f2800ea
This reverts commit 640e595a68. The
corresponding code in libcutils was removed, so this is now unneeded.
Bug: 71632076
Test: aosp_sailfish still works
Change-Id: I615bab83e9a83bc14439b8ab90c00d3156b0a7c4
Some necessary sepolicy rule changes for init process to create directory,
mount cgroupv2 module and mount bpf filesystem. Also allow netd to create
and pin bpf object as files and read it back from file under the
directory where bpf filesystem is mounted.
Test: bpf maps show up under /sys/fs/bpf/
Change-Id: I579d04f60d7e20bd800d970cd28cd39fda9d20a0
Do not let apps read uid_concurrent_active_time and
uid_concurrent_policy_time.
b/68399339
Test: Check that they can't be read from the shell
without root permissions and system_server was able
to read them
Change-Id: I6f09ef608607cb9f4084ba403a1e7254b8c49a06
We already expect contents of /sys/class/net to be labeled as sysfs_net.
Also label the directory for consistency since we usually label
/sys/class/foo directories as sysfs_foo.
Bug: 65643247
Test: netd_integration_test
Test: can browse internet without denials to sysfs_net
Change-Id: I9d28ab4baf71df99ae966276532f14684d1abca6
/proc/uid/ provides the same per-uid time_in_state data as
/proc/uid_time_in_state, so apply the same type and let system_server
read directories of this type.
Bug: 66953705
Test: system_server can read /proc/uid/*/time_in_state files without
denials on sailfish
Change-Id: Iab7fd018c5296e8c0140be81c14e5bae9e0acb0b
Signed-off-by: Connor O'Brien <connoro@google.com>
Label /proc/sys/fs/pipe-max-size with new type proc_pipe_conf and give
system_server access to it.
Addresses this denial:
avc: denied { read } for name="pipe-max-size" dev="proc" ino=93817
scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file
permissive=0
Bug: 69175449
Bug: 69324398
Test: sailfish boots
Test: adb bugreport
Test: craft an unresponsive app, trigger ANR, make sure traces are dumped
into /data/anr
Above denial from system_server not observed, no denials to proc_pipe_conf
observed.
Change-Id: I7c71f05820a4945ba982e29f76e9d9f4458b2b59
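The show_stat and pipe-max-size commits above both start from an AVC denial against a generic label (u:object_r:sysfs:s0, u:object_r:proc:s0) and resolve it by introducing a dedicated type rather than widening access to the generic one. The script below is an added example, not code from the sepolicy project: it parses `avc: denied` records (including ones wrapped across lines, as the pipe-max-size denial is on this page), emits the candidate `allow` rule audit2allow would, and flags denials whose target is still a generic type so the reviewer relabels first. The GENERIC_TYPES set and the helper names are assumptions made for this example; the two sample denials are the ones quoted in the commit messages.

```python
"""Triage SELinux AVC denials: propose allow rules, flag generic target labels.

Added example (not sepolicy project code). GENERIC_TYPES is an assumption:
target types the commits above treat as too broad to grant directly.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)"
    r"\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?",
    re.DOTALL,  # a record may be wrapped across lines
)
# key=value pairs between "for" and "scontext=", values optionally quoted
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption for this example: a denial against these types should prompt a
# narrower type in genfs_contexts/file_contexts, not a wider allow rule.
GENERIC_TYPES = {"proc", "sysfs", "debugfs", "proc_net"}


@dataclass(frozen=True)
class Denial:
    perms: Tuple[str, ...]
    name: Optional[str]
    dev: Optional[str]
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool


def context_type(ctx: str) -> str:
    """'u:r:system_server:s0' -> 'system_server'; 'u:object_r:sysfs:s0' -> 'sysfs'."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return parts[2]


def parse_denials(text: str) -> List[Denial]:
    """Extract every AVC denial from a log blob; non-denial lines are ignored."""
    out = []
    for m in AVC_RE.finditer(text):
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        out.append(Denial(
            perms=tuple(sorted(m.group("perms").split())),
            name=fields.get("name"),
            dev=fields.get("dev"),
            scontext=m.group("scontext"),
            tcontext=m.group("tcontext"),
            tclass=m.group("tclass"),
            permissive=m.group("permissive") == "1",
        ))
    return out


def fmt_perms(perms) -> str:
    perms = list(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def propose_rule(d: Denial) -> str:
    """The allow rule that would silence this one denial (what audit2allow emits)."""
    return (f"allow {context_type(d.scontext)} {context_type(d.tcontext)}:"
            f"{d.tclass} {fmt_perms(d.perms)};")


def needs_new_type(d: Denial) -> bool:
    """True when the target label is generic: relabel first, then grant."""
    return context_type(d.tcontext) in GENERIC_TYPES


def merge_rules(denials: List[Denial]) -> List[str]:
    """Collapse denials sharing (source, target, class) into one rule each."""
    merged = {}
    for d in denials:
        key = (context_type(d.scontext), context_type(d.tcontext), d.tclass)
        merged.setdefault(key, set()).update(d.perms)
    return [f"allow {s} {t}:{c} {fmt_perms(sorted(p))};"
            for (s, t, c), p in sorted(merged.items())]


def triage(text: str) -> List[Tuple[str, str]]:
    """(proposed rule, verdict) per denial."""
    result = []
    for d in parse_denials(text):
        verdict = (f"relabel {d.dev}:{d.name} with a dedicated type before granting"
                   if needs_new_type(d) else "grant as-is")
        result.append((propose_rule(d), verdict))
    return result


# The two denials quoted in the commit messages on this page; the second is
# wrapped across lines exactly as the commit message wraps it.
SAMPLE_LOG = """\
batterystats-wo: type=1400 audit(0.0:429): avc: denied { read } for name="show_stat" dev="sysfs" ino=48071 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
some unrelated log line
avc: denied { read } for name="pipe-max-size" dev="proc" ino=93817
scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file
permissive=0
"""

if __name__ == "__main__":
    for rule, verdict in triage(SAMPLE_LOG):
        print(f"{rule:<42} # {verdict}")
```

Both sample denials come back flagged, which is the point: the right fix for each was a new type (proc_pipe_conf for the second) plus a targeted grant, and the script makes that decision visible before anyone pastes an `allow system_server sysfs:file read;` into policy.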
Bug: 62378620
Test: Android in Chrome OS can call uevent_kernel_recv() and not fail
with EIO.
Test: bullhead networking still works
Change-Id: I4dd5d2148ee1704c4fa23d7fd82d1ade19b58cbd
New types:
1. proc_random
2. sysfs_dt_firmware_android
Labeled:
1. /proc/sys/kernel/random as proc_random.
2. /sys/firmware/devicetree/base/firmware/android/{compatible, fstab,
vbmeta} as sysfs_dt_firmware_android.
Changed access:
1. uncrypt, update_engine, postinstall_dexopt have access to generic proc
and sysfs labels removed.
2. appropriate permissions were added to uncrypt, update_engine,
update_engine_common, postinstall_dexopt.
Bug: 67416435
Bug: 67416336
Test: fake ota go/manual-ab-ota runs without denials
Test: adb sideload runs without denials to new types
Change-Id: Id31310ceb151a18652fcbb58037a0b90c1f6505a
Remove netd access to sysfs_type attribute.
These were moved from vendor to fwk policy:
1. sysfs_net type declaration
2. labeling of /sys/devices/virtual/net with sysfs_net
3. netd access to sysfs_net
Bug: 65643247
Test: can browse internet without netd denials
Test: netd_unit_test, netd_integration_test without netd denials
Merged-In: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
Change-Id: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
(cherry picked from commit e62a56b717)
This is to simplify access for hal_audio
Test: ls -Z in /proc/asound correctly shows everything with proc_asound
selinux label
Change-Id: I66ed8babf2363bee27a748147eb358d57a4594c4
New types:
sysfs_android_usb
sysfs_ipv4
sysfs_power
sysfs_rtc
sysfs_switch
sysfs_wakeup_reasons
Labeled:
/sys/class/android_usb, /sys/devices/virtual/android_usb ->sysfs_android_usb
/sys/class/rtc -> sysfs_rtc
/sys/class/switch, /sys/devices/virtual/switch -> sysfs_switch
/sys/power/state, /sys/power/wakeup_count -> sysfs_power
/sys/kernel/ipv4 -> sysfs_ipv4
/sys/kernel/wakeup_reasons -> sysfs_wakeup_reasons
Removed access to sysfs and sysfs_type from system_server and added
appropriate access to new types.
Bug: 65643247
Test: sailfish boots without violation from system_server or to new labels.
Change-Id: I27250fd537d76c8226defa138d84fe2a4ce2d5d5
Prior to this CL, /sys/devices/virtual/block/dm-X was using the generic
sysfs label. This CL creates sysfs_dm label and grants the following
accesses:
- update_verifier to read sysfs_dm dir and file at
/sys/devices/virtual/block/dm-X.
- vold to write sysfs_dm.
Bug: 63440407
Test: update_verifier successfully triggers blocks verification and
marks a successful boot;
Test: No sysfs_dm related denials on sailfish.
Change-Id: I6349412707800f1bd3a2fb94d4fe505558400c95