This CL partially cherry-picks ag/18350151 to
update prebuilts. Other parts are already included by
aosp/2083463.
Bug: 226456604
Bug: 223685902
Test: Build
Change-Id: I1ddb1db855a13671e7b76b48d84e4f1ab5a63374
As a follow-up to https://r.android.com/2078213, remove init's write
access to directories with type system_userdir_file or
media_userdir_file. This has been made possible by moving the creation
of /data/user/0 and /data/media/obb to vold.
Bug: 156305599
Change-Id: Ib9f43f2b111518833efe08e8cacd727c75b80266
Creating a per-user encrypted directory such as /data/system_ce/0 and
the subdirectories in it too early has been a recurring bug. Typically,
individual services in system_server are to blame; system_server has
permission to create these directories, and it's easy to write
"mkdirs()" instead of "mkdir()". Such bugs are very bad, as they
prevent these directories from being encrypted, as encryption policies
can only be set on empty directories. Due to recent changes, a factory
reset is now forced in such cases, which helps detect these bugs;
however, it would be much better to prevent them in the first place.
This CL locks down the ability to create these directories to just vold
and init, or to just vold when possible. This is done by assigning new
types to the directories that contain these directories, and then only
allowing the needed domains to write to these parent directories. This
is similar to what https://r.android.com/1117297 did for /data itself.
Three new types are used instead of just one, since these directories
had three different types already (system_data_file, media_rw_data_file,
vendor_data_file), and this allows the policy to be a bit more precise.
A significant limitation is that /data/user/0 is currently being created
by init during early boot. Therefore, this CL doesn't help much for
/data/user/0, though it helps a lot for the other directories. As the
next step, I'll try to eliminate the /data/user/0 quirk. Anyway, this
CL is needed regardless of whether we're able to do that.
Test: Booted cuttlefish. Ran 'sm partition disk:253,32 private', then
created and deleted a user. Used 'ls -lZ' to check the relevant
SELinux labels on both internal and adoptable storage. Also did
similar tests on raven, with the addition of going through the
setup wizard and using an app that creates media files. No
relevant SELinux denials seen during any of this.
Bug: 156305599
Change-Id: I1fbdd180f56dd2fe4703763936f5850cef8ab0ba
Add a property to be read by system_server's AudioService that
indicates whether the spatializer effect can use head tracking.
If true, head tracking functionality will be initialized and
the corresponding APIs will be active.
Bug: 226474336
Test: atest android.media.audio.cts.SpatializerTest
Change-Id: Id8f574ecd2303034a29da58615018586b68bf55d
The compliance tests rely on this.
Bug: 230660133
Test: run MicrodroidHostTests on a user build
Merged-In: Ic061632d80285182ec2ae7d31f3527948702cf32
Change-Id: Ic061632d80285182ec2ae7d31f3527948702cf32
This only makes it difficult to run (test/demo) apps using AVF. They
have to be pre-installed on the device which is infeasible on
user-build devices.
Removing the guard so that untrusted apps can use virtualizationservice
even on user builds. Note that the use is still gated by the
MANAGE_VIRTUAL_MACHINE permission, which can be granted only by
pre-installing or explicitly via `adb shell pm grant`. So there's no
risk of 3p apps downloaded from the net having its own VM.
Bug: 231080171
Test: run MicrodroidDemoApp on a user build
Merged-In: Ie0b1b9801dd7726633f97456a38bc0ea349013db
Change-Id: Ie0b1b9801dd7726633f97456a38bc0ea349013db
Steps taken to produce the mapping files:
0. Add 33.0 prebuilts to prebuilts/api/33.0/.
1. Add the following Android.bp modules.
33.0.board.compat.map
33.0.board.compat.cil
33.0.board.ignore.map
plat_33.0.cil
system_ext_33.0.cil
product_33.0.cil
33.0.ignore.cil
system_ext_33.0.ignore.cil
product_33.0.ignore.cil
33.0.compat.cil
system_ext_33.0.compat.cil
2. Touch the following three files.
private/compat/33.0/33.0.cil
private/compat/33.0/33.0.compat.cil
private/compat/33.0/33.0.ignore.cil
3. Add 33.0 to PLATFORM_SEPOLICY_COMPAT_VERSIONS on
build/make/core/config.mk. Note that we don't update
sepolicy_major_vers to 33, but just update compat versions.
4. Run the following command.
$ source build/make/rbesetup.sh && lunch aosp_arm64-userdebug
$ m sepolicy_generate_compat
$ sepolicy_generate_compat --branch=tm-dev \
--build latest --target-version 33.0 \
--latest-version 32.0
This change also enables treble_sepolicy_tests_33.0 and installs
33.0.cil mapping file onto the device.
Test: m treble_sepolicy_tests_33.0
Test: m 33.0_compat_test
Test: m slinux_policy
Change-Id: Ie969ff0372ff1268776165cee5cb5b07d303453c
This supports the ability to switch between ANGLE and a legacy GLES
driver in cases when transitioning from a legacy GLES driver to ANGLE
as the system driver. With ANGLE as the GLES system driver, the
platform needs a way to identify the legacy GLES driver, so that it
can be used for particular applications.
Test: CtsAngleDeveloperOptionHostTest
Bug: 224558229
Change-Id: I359b37daa96eb6f8424bde530bb1ac79affd1b04
Allow init to use toolbox to rm -rf stale files under /data/misc/virtualizationservice.
Bug: 230056726
Test: Create fake stale dir+file, see them deleted
Change-Id: I4a31e437344974597fc5280d898f23780a820f16
(cherry picked from commit 8e06fb4109)
Group together the rules for setting up app data isolation and get all
the comments up-to-date. Also remove some parts that aren't needed:
- 'allow zygote mnt_expand_file:dir mounton;' -- not needed. It might
have been thought that this was needed for mounting tmpfs on
/mnt/expand/$volume/user{,_de}, but those have type system_data_file.
- 'allow zygote mnt_expand_file:dir relabelto;' -- not needed, as
nothing is ever relabeled to this type.
- 'allow zygote media_rw_data_file:dir getattr;' -- not needed to create
bind mounts. The similar rules for user_profile_* don't include this.
- 'allow zygote mirror_data_file:dir r_dir_perms;' -- tighten to just
the required search permission.
- 'allow zygote system_data_file:dir getattr;' -- redundant with 'allow
zygote system_data_file:dir r_dir_perms;', and not needed for the
stated reason of "Get inode of directories for app data isolation".
Test: booted Cuttlefish, no denials seen.
Change-Id: Id77b8c81625fd785a5d0d88c37d7c85b8fff7244
We might want to change this in later android versions.
Bug: b/228159127
Bug: b/227745962
Test: Manual
Change-Id: I8f425cc9f2759a29bdd2e6218ad0a1c40750e4f5
Add some services ephemeral service has access to.
We will steadily restrict this list further based on
testing and requirements for rubidium.
Test: Manual
Bug: b/227745962
Bug: b/227581095
Change-Id: If7bcb8b8de62d408bd4af848b43abca853c93758
This reverts commit d338d0ef55.
Reason for revert: The original problem was due to failing to switch mount namespace when bootchart is on (see b/229983560) but this doesn't fix it but only suppresses the symptom. aosp/2073287 fixes the original problem.
Change-Id: I6538de37872e718291e78b591a1ae43e83f7a3e3
