This does not actually grant any permissions but just adds the
necessary boilerplate for a new service.
Bug: 117762471
Bug: 117761873
Change-Id: I7cdd2ae368616cfd54fc685c15f775604bfc80d4
We add this type with the intent to expose /system/bin/tcpdump to
vendor on userdebug devices only.
Bug: 111243627
Test: device boots /system/bin/tcpdump correctly labeled as
tcpdump_exec, can browse internet, turn wifi on/off
Change-Id: Icb35e84c87120d198fbb2b44edfa5edf6021d0f0
Input device configuration files .idc, .kl that are placed in /vendor
are currently not accessible.
Allow the read access here.
Bug: 112880217
Test: move .idc and .kl files from /system to /vendor, then observe
logcat. With this patch, avc denials disappear.
Change-Id: I72ad62b9adf415f787565adced73fd8aaff38832
Set up a new service for sw media codec services.
Bug: 111407413
Test: cts-tradefed run cts-dev --module CtsMediaTestCases --compatibility:module-arg CtsMediaTestCases:include-annotation:android.platform.test.annotations.RequiresDevice
Change-Id: Ia1c6a9ef3f0c1d84b2be8756eb1853ffa0597f8e
apexd is a new daemon for managing APEX packages installed
on the device. It hosts a single binder service, "apexservice".
Bug: 112455435
Test: builds, binder service can be registered,
apexes can be accessed, verified and mounted
Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
New maintenance scheme for mapping files:
Say, V is the current SELinux platform version, then at any point in time we
only maintain (V->V-1) mapping. (V->V-n) map is constructed from top (V->V-n+1)
and bottom (V-n+1->V-n) without changes to previously maintained mapping files.
Caveats:
- 26.0.cil doesn't technically represent 27.0->26.0 map, but rather
current->26.0. We'll fully migrate to the scheme with future releases.
Bug: 67510052
Test: adding new public type only requires changing the latest compat map
Change-Id: Iab5564e887ef2c8004cb493505dd56c6220c61f8
Remove these files from proc_net_type. Domains that need access must
have permission explicitly granted. Neverallow app access except the
shell domain.
Bug: 114475727
Test: atest CtsLibcoreOjTestCases
Test: netstat, lsof
Test: adb bugreport
Change-Id: I2304e3e98c0d637af78a361569466aa2fbe79fa0
Bug: 116732452
Test: No sepolicy violations observed with this change
(cherry picked from commit I1958182dd8ecc496625da2a2a834f71f5d43e7bb)
Change-Id: Ib386767d8acfacf9fedafd9a79dd555ce233f41c
/system/usr/share/zoneinfo is currently labeled zoneinfo_data_file,
a label shared with /data/misc/zoneinfo. However, each of these
directory locations has different security characteristics. In
particular, the files in /system/usr/share/zoneinfo must never be
writable, whereas /data/misc/zoneinfo may be written to by system_server.
Reusing the same label hides these different security characteristics.
Create a separate label for /system/usr/share/zoneinfo.
Test: Device boots and no obvious problems.
Change-Id: I8cf16ff038b06b38f77388e546d9b7a6865f7879
Create a new service type buffer_hub_binder_service for
BufferHubBinderService and allow bufferhubd to publish the service.
Add the service to 26.0, 27.0 and 28.0 compat ignore files since the
service is not available in past versions.
Fixes: 116022258
Test: build passed
Change-Id: I5a21f00329ed474433d96c8d1ce32377f20cada3
...to reflect that the HAL operates on storage devices,
not filesystem.
Bug: 111655771
Test: compiles
Change-Id: Ibb0572cb1878359e5944aa6711331f0c7993ba6e
Merged-In: Ibb0572cb1878359e5944aa6711331f0c7993ba6e
This change limits global access to /system files down to:
/system/bin/linker*
/system/lib[64]/*
/system/etc/ld.config*
/system/etc/seccomp_policy/*
/system/etc/security/cacerts/*
/system/usr/share/zoneinfo/*
Bug: 111243627
Test: boot device, browse internet without denials to system_* types.
Test: VtsHalDrmV1_{1, 0}TargetTest without denials
Change-Id: I69894b29733979c2bc944ac80229e84de5d519f4
llkd needs the ptrace capabilities and dac override to monitor for
live lock conditions on the stack dumps.
Test: compile
Bug: 33808187
Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126
Bug: 78793464
Test: fastboot getvar partition-size:super
'super_block_device' corresponds to the super partition
required for flashing dynamic partitions.
Change-Id: I323634b6797ead7c5face117a7028bf9ab947aea
Also allow adb and fastboot to talk to recovery
through recovery_socket. This enables changing
between modes with usb commands.
Test: No selinux denials
Bug: 78793464
Change-Id: I80c54d4eaf3b94a1fe26d2280af4e57cb1593790
Also allow adb and fastboot to talk to recovery
through recovery_socket. This enables changing
between modes with usb commands.
Test: No selinux denials
Bug: 78793464
Change-Id: I1f97659736429fe961319c642f458c80f199ffb4
Allow lmkd write access to sys.lmk. properties to be able to set
sys.lmk.minfree_levels.
Bug: 111521182
Test: getprop sys.lmk.minfree_levels returns value set by lmkd
Change-Id: I86ff11d75917966857d3a76876a56799bb92a5ad
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
/cache/overlay directory in support of overlayfs mounts on userdebug
and eng devices. Overlayfs in turn can be capable of supporting
adb remount for read-only or restricted-storage filesystems like
squashfs or right-sized (zero free space) system partitions
respectively.
Test: compile
Bug: 109821005
Bug: 110985612
Change-Id: I3ece03886db7cc97f864497cf93ec6c6c39bccd1
Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.
This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.
This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:
-user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
For now, this newly introduced label has no usage, so this change
is essentially a no-op.
Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
filesystem upgrade.
Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
Steps taken to produce the mapping files:
1. Add prebuilts/api/28.0/[plat_pub_versioned.cil|vendor_sepolicy.cil]
from the /vendor/etc/selinux/[plat_pub_versioned.cil|vendor_sepolicy.cil]
files built on pi-dev with lunch target aosp_arm64-eng
2. Add new file private/compat/28.0/28.0.cil by doing the following:
- copy /system/etc/selinux/mapping/28.0.cil from pi-dev aosp_arm64-eng
device to private/compat/28.0/28.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 28 sepolicy.
Find all such types using treble_sepolicy_tests_28.0 test.
- for all these types figure out where to map them by looking at
27.0.[ignore.]cil files and add approprite entries to 28.0.[ignore.]cil.
This change also enables treble_sepolicy_tests_28.0 and install 28.0.cil
mapping onto the device.
Bug: 72458734
Test: m selinux_policy
Change-Id: I90e17c0b43af436da4b62c16179c198b5c74002c
