Product-specific sepolicy will be installed into /product/etc/selinux/*.
This change separates out /product/etc/selinux/product_sepolicy.cil out
of system sepolicy.
This file is merged into precompiled_sepolicy at build-time. In case
precompiled_sepolicy can't be used (e.g. system-only-ota), init wll
merge this file with the rest of the sepolicy at runtime.
I left TODOs to separate other product-specific SELinux artifacts out of
system.
Bug: 119305624
Test: boot aosp_taimen with product_sepolicy.cil
Test: build selinux_policy for aosp_arm64; no product_sepolicy.cil
produced
Change-Id: Idb84a1c8ceb2de78f1460d954497c53fed08935f
grep can potentially run out of memory on Mac builds for large input
files. So we add a python util to handle filtering out files.
We will also need this util to filter plat_sepolicy.cil out of
product_sepolicy.cil
Bug: 119305624
Test: boot aosp_taimen
Change-Id: I61cd68f407ea5de43a06bf522a5fc149e5067e8c
Make mediaextractor use hidl memory allocated by
hidl allocator, instead of constructing hidl memory
from IMemory.
bug: 112766913
bug: 111407253
Change-Id: I7902f18768005c995925bc9a7947299e9988b68a
(Needed for internal commit I39e131718ea41f9cb23177c28213ddf7b7741338)
We're creating a new PermissionManagerService that will handle
all of the permission related APIs. These are currently being
routed through PackageManagerService.
Test: Device boots
Change-Id: I7d08561dd33b692209c30d413cdca0ff567358f1
rss_hwm_reset is binary that reset RSS high-water mark counters for all
currently running processes. It runs in a separate process because it
needs dac_override capability.
Bug: 119603799
Test: no errors in logcat
Change-Id: I6221a5eca3427bf532830575d8fba98eb3e65c29
On debug builds, introduce audit logging of apps targeting SDK <= 28
that execute native code from a non-priv app home directory via
execve() or dl_open().
Bug: 111338677
Test: Builds + boots.
Test: Launch app that uses private .so files, see granted logs.
Change-Id: I5880801d3a29cbf2c1cf4e0d72adc69a9d548952
To work around a kernel bug where pages that are read before changing
the loop device offset are not invalidated correctly.
Bug: 120853401
Test: apexd mounts APEX files on gphone_sdk_x86_64
Change-Id: I89f23f8f9d472e599f053553b73cc0618dcb3747
It doesn't seem like any of our (Google's) devices use
BOARD_ODM_SEPOLICY_DIRS, but this will be helpful for partners.
Also, use BOARD_VENDOR_SEPOLICY_DIRS instead BOARD_SEPOLICY_DIRS for
readability.
Bug: n/a
Test: m selinux_policy
Change-Id: I23f64a24d51ccdb8aa616d0fd8a06d70b6efed32
When daemonizing perfetto, SIGINT should be sent to ensure clean
shutdown.
Denial:
12-06 11:12:16.566 3099 3099 I sh : type=1400 audit(0.0:462): avc: denied { signal } for scontext=u:r:shell:s0 tcontext=u:r:perfetto:s0 tclass=process permissive=1
Test: m
Test: flash walleye
Test: SIGINT perfetto from shell
Change-Id: I8d34b447ea90c315faf88f020f1dfc49e4abbcce
Remove the ability for applications to dlopen() executable code from
their home directory for newer API versions. API versions <= 28 are
uneffected by this change.
Bug: 112357170
Test: cts-tradefed run cts -m CtsRenderscriptTestCases
Change-Id: I1d7f3a1015d54b8610d1c561f38a1a3c2bcf79e4
When an app uses renderscript to compile a Script instance,
renderscript compiles and links the script using /system/bin/bcc and
/system/bin/ld.mc, then places the resulting shared library into the
application's code_cache directory. The application then dlopen()s the
resulting shared library.
Currently, this executable code is writable to the application. This
violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which
requires any executable code be immutable.
This change introduces a new label "rs_data_file". Files created by
/system/bin/bcc and /system/bin/ld.mc in the application's home
directory assume this label. This allows us to differentiate in
security policy between app created files, and files created by
renderscript on behalf of the application.
Apps are allowed to delete these files, but cannot create or write these
files. This is enforced through a neverallow compile time assertion.
Several exceptions are added to Treble neverallow assertions to support
this functionality. However, because renderscript was previously invoked
from an application context, this is not a Treble separation regression.
This change is needed to support blocking dlopen() for non-renderscript
/data/data files, which will be submitted in a followup change.
Bug: 112357170
Test: cts-tradefed run cts -m CtsRenderscriptTestCases
Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
This is analoguous to what Perfetto does with persist.traced.enable.
Test: m
Test: flash walleye
Test: setprop persist.heapprofd.enable 1
setprop persist.heapprofd.enable 0
Change-Id: I997272ef8c6fe078aca2388ed0cf2ecc3de612a5
- Update policy for new system service, used for SystemUI/Apps to
present predicted apps in their UI.
Bug: 111701043
Test: manual verification
Change-Id: Ia3b5db987097d2d71bf774ca550041e03214471d
Thermal API has been added to PowerManager and this CL is to grant
IThermal access to app.
Bug: 119613338
Test: PowerManager CTS test
Change-Id: I977530a9a5490bdc53af1548788b885e7c649f01
Bug: 118510237
Test: Boot and test callback on ThermalHAL 1.1 and ThermalHAL 2.0
(cherry picked from commit 75cc6bf2d5)
Change-Id: Iafb376e61dc579c3bfd173ac34a4d525b83d8e5c
Also giving statsd permission to access it. This change copies the internal sepolicy to AOSP.
Bug: 111185513
Bug: 120551881
Test: make
Change-Id: I7e0386777e05580299caf9b97cb7804459f1a9d0
These selinux policy rules were added for bufferhub to run a binder
service. But later we decided to use a hwbinder service instead, and the
original binder service was removed in git/master. Now we can safely
remove these rules.
Test: Build passed. Device boot successfully without selinux denial.
Bug: 118891412
Change-Id: I349b5f0f2fa8fb6a7cfe7869d936791355c20753
