Commit graph

18063 commits

Author SHA1 Message Date
Roland Levillain
f52fefe5ee Merge "Allow otapreopt_chroot to use a flattened Runtime APEX package." 2019-03-20 10:38:57 +00:00
Tri Vo
8730aeb2e9 Allow system_suspend access to /sys/power/wake_[un]lock.
Bug: 128923994
Test: boot taimen, no denials when writing to /sys/power/wake_[un]lock
Change-Id: Ib9ade5e532f906d2228642dfa5f52f609e559199
2019-03-19 21:34:49 -07:00
Cheney Ni
e55a74bdff Add rules for accessing the related bluetooth_audio_hal_prop
This change allows those daemons of the audio and Bluetooth which
include HALs to access the bluetooth_audio_hal_prop. This property is
used to force disable the new BluetoothAudio HAL.
  - persist.bluetooth.bluetooth_audio_hal.disabled

Bug: 128825244
Test: audio HAL can access the property
Change-Id: I87a8ba57cfbcd7d3e4548aa96bc915d0cc6b2b74
2019-03-20 03:12:25 +00:00
Treehugger Robot
2456c37021 Merge "Fix memory leaks" 2019-03-20 01:14:58 +00:00
Jeffrey Vander Stoep
9331374113 Merge "Android.bp: set sepolicy version for use by init" 2019-03-19 21:44:59 +00:00
George Burgess IV
bf2f927019 Fix memory leaks
This CL fixes leaks of the policy that we're building up. The analyzer
only caught the leaks on the error path, but I assume that
`check_assertions` does nothing to free the object that it's handed.

Analyzer warnings:

system/sepolicy/tools/sepolicy-analyze/neverallow.c:439:9: warning:
Potential leak of memory pointed to by 'avrule'
[clang-analyzer-unix.Malloc]

system/sepolicy/tools/sepolicy-analyze/neverallow.c:439:9: warning:
Potential leak of memory pointed to by 'neverallows'
[clang-analyzer-unix.Malloc]

Bug: None
Test: Treehugger; reran the analyzer
Change-Id: I79a0c34e8b53d33a1f01497337590eab660ad3ec
2019-03-19 12:10:51 -07:00
Andreas Gampe
08450264ae Sepolicy: Allow zygote to pick up dalvikcache artifacts
Allow the zygote to pick up integrity-checked boot classpath
artifacts from the dalvik cache.

Bug: 125474642
Test: m
Test: manual
Merged-In: I45d760c981c55a52bd0b22c79a9cba4868a09528
Change-Id: I45d760c981c55a52bd0b22c79a9cba4868a09528
2019-03-19 10:36:12 -07:00
Andreas Gampe
e72ec6bfd3 Sepolicy: Allow system_server_startup to load dalvikcache artifacts
Allow the startup domain to pick up integrity-checked artifacts
from the dalvik-cache. The corresponding framework code will
only load the system server classpath.

Bug: 128688902
Test: m
Test: manual
Merged-In: Ib37f8d7c39431e2792eeb4dac1cd732307519827
Change-Id: Ib37f8d7c39431e2792eeb4dac1cd732307519827
2019-03-19 10:36:03 -07:00
Przemyslaw Szczepaniak
8b2ad2c978 Make package_native_serice an (ephemeral_)?app_api_service.
This is required for accessing package_native_service
in libneuralnetworks.so for NNAPI Vendor Extension checks.

package_service is (ephemeral_)?app_api_service, native
one is a subset of it.

Bug: 120483623
Test: NeuralNetworksTest_FibonacciExtension
Change-Id: I9fa2c9aa263724d2256bbf26de19d6b357c82f9b
2019-03-19 16:37:45 +00:00
Nicolas Geoffray
e668732936 Merge "Allow init to set dalvik.vm.boot-image." 2019-03-19 15:00:41 +00:00
Roland Levillain
66f40a8b2d Allow otapreopt_chroot to use a flattened Runtime APEX package.
- Allow (again) `otapreopt` (running as `postinstall_dexopt`) to
  execute `dex2oat` from `/postinstall` -- this is for the case where
  it is located in a flattened Runtime APEX in
  `/postinstall/system/apex`.
- Allow `dex2oat` to read directories under `/postinstall`.
- Allow `otapreopt_chroot` to unmount flattened APEX packages under
  `/postinstall/system/apex` (which are bind-mounted in
  `/postinstall/apex`).

Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 127543974
Bug: 123684826
Bug: 113373927
Change-Id: Ie023ee5c64989ea071e1683f31073a70c93cac18
2019-03-19 14:44:22 +00:00
Xiao Ma
87b6d4018d Merge "Allow the netowrk stack to access its own data files." 2019-03-19 13:21:12 +00:00
Jeff Vander Stoep
60bb29fcdf crash_dump: suppress devpts denials
The following denial caused a presubmit failure:
06-15 15:16:24.176   956   956 I auditd  : type=1400 audit(0.0:4): avc:
denied { read write } for comm="crash_dump64" path="/dev/pts/3"
dev="devpts" ino=6 scontext=u:r:crash_dump:s0
tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0

Suppress these denials. They are not needed by crash_dump and are only
caused by the default behavior of sharing FDs across exec.

Test: build
Change-Id: I183f7a54e6b807fdf46b04d67dd4b819d4f0e507
2019-03-19 04:05:51 +00:00
Xiao Ma
c06f0f602a Allow the netowrk stack to access its own data files.
After moving IpMemoryStore service to network stack module(aosp/906907),
the following untracked SELinux denials are observed on boot.

W id.networkstack: type=1400 audit(0.0:63): avc: denied { write } for
name="com.android.networkstack" dev="sda13" ino=704810
scontext=u:r:network_stack:s0:c49,c260,c512,c768
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

Add radio_data_file type for network stack user configuration and
relevant permission to allow access to its data, as the network stack
is a privileged app.

Test: m -j passed
Change-Id: I6eab528714df6a17aae0cb546dcc3ad4bb21deea
2019-03-19 11:42:11 +09:00
Nicolas Geoffray
45963b59ae Allow init to set dalvik.vm.boot-image.
Test: m
Bug: 119800099
Change-Id: Idb4d4c6005e4ff271c1b5940bd39b655b674a0bb
2019-03-18 21:40:19 +00:00
Alex Salo
a1ce292dbb Add selinux setting for attention
Bug: 126472144
Test: adb shell dumpsys attention
Change-Id: Ie421b719c8fc0414ee664055aa5d007c081edf17
2019-03-18 21:00:35 +00:00
Andreas Gampe
2db55f184e Merge changes I15bd76e5,I5572c3b0
* changes:
  Sepolicy: Allow otapreopt_chroot to find linker
  Sepolicy: Move otapreopt_chroot to private
2019-03-18 21:00:04 +00:00
Treehugger Robot
118f0bf1fb Merge "fastboot: fs_mgr: overlay: suppress noise" 2019-03-18 20:51:59 +00:00
Andreas Gampe
3c581e2064 Sepolicy: Allow otapreopt_chroot to find linker
The linker is behind a symlink. Allow to read and follow.

Bug: 128840749
Test: m
Test: manual a/b ota
Test: DexoptOtaTests
Change-Id: I15bd76e517ab3cebf13ebd42ff6e5dae42364c83
2019-03-18 10:55:32 -07:00
Andreas Gampe
d6fdcefaa8 Sepolicy: Move otapreopt_chroot to private
Move complete domain to private/. Move referencing parts in domain
and kernel to private.

Bug: 128840749
Test: m
Change-Id: I5572c3b04e41141c8f4db62b1361e2b392a5e2da
2019-03-18 10:54:42 -07:00
Treehugger Robot
ac9cd71fed Merge "Sepolicy: Fix comment on apexd:fd use" 2019-03-16 23:50:32 +00:00
Mark Salyzyn
86f0e54dfa fastboot: fs_mgr: overlay: suppress noise
Suppress noise associated with test mounting scratch partition.

Add internal fs_mgr_is_ext4 and fs_mgr_is_f2fs to get heads up on
mount failures and thus bypass trying.  Resolve all the avc
complaints associated with overlay handling including these new
operations.

Test: adb-remount-test.sh
Bug: 109821005
Change-Id: Ieb1f8c19ced930b6fe2d1791ef710ce528da7e37
2019-03-15 13:25:11 -07:00
Andreas Gampe
15e02450f1 Sepolicy: Fix comment on apexd:fd use
The file descriptors for /dev/zero are no longer open. However,
a descriptor to the shell is still inherited. Update the comment.

Bug: 126787589
Test: m
Test: manual
Change-Id: I0d4518d2ba771622ea969bbf02827db45788bc09
2019-03-15 11:26:05 -07:00
Florian Mayer
4db9df1a92 Merge "Allow traced to lazily start heapprofd." 2019-03-15 18:17:52 +00:00
Jiyong Park
5a74473d1b No need to bind-mount bionic libraries
This is a partial revert of https://android-review.googlesource.com/c/platform/system/sepolicy/+/891474

The mount points at /bionic are gone. Therefore, init and
otapreopt_chroot do not need to bionic-mount bionic libraries.
Corresponding policies are removed.

Bug: 125549215
Bug: 113373927
Bug: 120266448
Test: m; device boots
Change-Id: I9d9d7ec204315fb5b66beec4e6a3c529bd827590
2019-03-15 14:28:27 +09:00
Anders Fridlund
af9d7b15a3 Add apex_key context for files on product
Set the apex_key context for files in
/product/etc/security/apex/ and
/system/product/etc/security/apex/.

The apexd code is already looking for public keys in these locations,
but the apex_key context needs to be set to make them accessible from
apexd.

Bug: 127690808
Test: manual - verified that key files had proper SE-Linux label
Change-Id: Ib15728fa97eb438ea97a9743a06fa46e4d54f1cd
2019-03-15 03:10:53 +00:00
Treehugger Robot
005f019e04 Merge "Allow camera hal to read serialno." 2019-03-15 01:18:45 +00:00
Treehugger Robot
3637592a2d Merge "add label for /proc/sys/fs/verity/require_signatures" 2019-03-14 23:10:39 +00:00
Jayant Chowdhary
f7b53209a4 Allow camera hal to read serialno.
Bug: 128037879

Test: Camera HAL is able to read ro.serialno

Change-Id: I904c852a7100bc65456ee63ffb31d70681293d7d
Signed-off-by: Jayant Chowdhary <jchowdhary@google.com>
2019-03-14 14:36:41 -07:00
Jack Yu
be93704fc5 Merge "Changed IWLAN operation mode system properties to enum" 2019-03-14 20:49:08 +00:00
Florian Mayer
a769f0fd43 Allow traced to lazily start heapprofd.
Bug: 126724929

Change-Id: I15f0ae10d5e45fc65850635230e377b6f77ad4d7
2019-03-14 20:42:29 +00:00
Andreas Gampe
59d5d90da8 Sepolicy: Allow everyone to search keyrings
Allow everyone to look for keys in the fsverity keyring. This is
required to access fsverity-protected files, at all.

This set of permissions is analogous to allowances for the fscrypt
keyring and keys.

Bug: 125474642
Test: m
Test: manual
Change-Id: I6e8c13272cdd76d9940d950e9dabecdb210691b1
2019-03-14 13:21:07 -07:00
Xiaoyong Zhou
a711d375ab add label for /proc/sys/fs/verity/require_signatures
This CL add new label for files created by fsverity.

Bug: 112038861
Test: ls -Z /proc/sys/fs/verity/require_signatures.
Change-Id: I8e49ad9a43282bc608449eb0db4ea78617c4ee9a
2019-03-14 12:44:31 -07:00
Jeff Vander Stoep
ecd288f41d Android.bp: set sepolicy version for use by init
Init needs to be aware of the policy version defined in sepolicy
for on-device compilation.

Bug: 124499219
Test: build and boot a device. Try both precompiled and on-device
compiled policy.

Change-Id: Iba861aeb4566405aedcbe3c2bad48e1e50126370
2019-03-14 17:49:14 +00:00
Treehugger Robot
a907d15ba1 Merge "Sepolicy: Fix APEX boot integrity" 2019-03-14 17:20:18 +00:00
Tao Bao
ecc7e8cacb Move /sbin/charger to /system/bin/charger.
With the CLs in the same topic, it's being built as a dynamically linked
executable. And this applies to normal boot (including charger mode) and
recovery mode both.

/system/bin/charger under normal boot will be labeled as charger_exec,
which has the attribute of system_file_type.

The file in recovery image will still be labeled as rootfs. So we keep
the domain_trans rule for rootfs file, but allowing for recovery mode
only.

Bug: 73660730
Test: Boot into charger mode on taimen. Check that charger UI works.
Test: Boot into recovery mode. Check that charger process works.
Change-Id: I062d81c346578cdfce1cc2dce18c829387a1fdbc
2019-03-14 09:44:03 -07:00
Gavin Corkery
64b812c27e Rename data/pkg_staging to data/app-staging
Test: n/a
Bug: 126330086

Change-Id: I34d5085d8e6546d77cc854e27ca849462d482396
Merged-In: I34d5085d8e6546d77cc854e27ca849462d482396
2019-03-14 14:00:53 +00:00
Roland Levillain
bf2ee36db9 Merge "No longer label patchoat binaries in file_contexts." 2019-03-14 13:19:12 +00:00
Martijn Coenen
1f1c4c3fa5 Allow apexd to talk to vold.
To query filesystem checkpointing state.

Bug: 126740531
Test: no denials
Change-Id: I28a68b9899d7cb42d7e557fb904a2bf8fa4ecf66
2019-03-14 07:23:40 +00:00
Jeff Vander Stoep
1795d0bcfd crash_dump: dontaudit devices passed by exec()
avc: denied { read } for comm="crash_dump64" name="v4l-touch22"
dev="tmpfs" ino=18821 scontext=u:r:crash_dump:s0
tcontext=u:object_r:input_device:s0 tclass=chr_file

Test: build
Change-Id: Iac66b77ad255c950b21fd267c88fdbc382be2877
2019-03-13 20:50:25 -07:00
Suren Baghdasaryan
96cc32b0eb Merge "sepolicy: Remove unnecessary psi procfs rules" 2019-03-14 01:42:21 +00:00
Tri Vo
d6c5ff5f72 Allow global read access to /sys/kernel/mm/transparent_hugepage/
If kernel is built with CONFIG_TRANSPARENT_HUGEPAGE optimization,
libjemalloc5 will attempt to read
/sys/kernel/mm/transparent_hugepage/enabled and hit an SELinux denial.

Various denials similiar to the following are seen on cuttlefish:
avc: denied { open } for comm="surfaceflinger"
path="/sys/kernel/mm/transparent_hugepage/enabled" dev="sysfs" ino=776
scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file
permissive=1

Bug: 28053261
Test: boot cuttlefish without above denials.
Change-Id: Ic33f12d31aacc42d662a8c5c297fbb5f84d4deea
2019-03-13 23:47:25 +00:00
Treehugger Robot
058f7f4add Merge "ODM updates the recovery partition through vendor's materials" 2019-03-13 21:36:50 +00:00
Suren Baghdasaryan
f4b7e01c1f sepolicy: Remove unnecessary psi procfs rules
Remove unnecessary rules which will be added from 28.0.cil automatically
by the build process.

Bug: 111308141
Test: builds

Change-Id: I02064785cac1ed6d8b4e462604a1b8db10c1a25a
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-03-13 20:53:55 +00:00
Suren Baghdasaryan
9902c67cfa Merge "sepolicy: Allow lmkd access to psi procfs nodes" 2019-03-13 20:51:31 +00:00
Andreas Gampe
6cd179f992 Sepolicy: Fix APEX boot integrity
Update copy-paste comment header. Fix file access to the right
type.

Follow-up to commit 1845b406fc.

Bug 125474642
Test: m
Test: boot

Change-Id: I33bfef51c78ca581063c0f950e1837546d013050
2019-03-13 13:38:31 -07:00
Tri Vo
3a463e108d Merge "vold: write permission to sysfs_devices_block" 2019-03-13 20:36:30 +00:00
Roland Levillain
6f314bcd95 No longer label patchoat binaries in file_contexts.
The patchoat program has been removed from Android in
https://android-review.googlesource.com/c/platform/art/+/774905.

Test: n/a
Bug: 77856493
Change-Id: Icf6ed2e5671d20f57dff94a55bedfb035cfc0ee7
2019-03-13 20:18:57 +00:00
Treehugger Robot
98de091a4f Merge "Allow traced_probes to access power rail data." 2019-03-13 19:47:54 +00:00
Andreas Gampe
01147a70f4 Merge "Sepolicy: ART APEX boot integrity" 2019-03-13 18:19:03 +00:00