This CR, when paired with a functional NTFS implementation and the
corresponding vold updates, will allow NTFS USB drives to be mounted
on Android.
Bug: 254407246
Test: Extensive testing with NTFS USB drives.
Change-Id: I259882854ac40783f6d1cf511e8313b1d5a04eef
The domain of 'remount' used to be 'system_file', which is
read-executable by 'shell'. However when I submitted aosp/1878144, the
domain of 'remount' became 'remount_exec', and I forgot to allow
'shell' to read-execute the new 'remount_exec' domain.
This makes `adb remount` without root produce a sub-par error message:
$ adb remount [-h]
/system/bin/sh: remount: inaccessible or not found
Allow 'shell' to read-execute 'remount_exec', so that the user can get a
proper error message when not running as root, and help (-h) message can
be displayed:
$ adb remount
Not running as root. Try "adb root" first.
$ adb remount -h
Usage: remount ...
Bug: 241688845
Test: adb unroot && adb remount [-h]
Change-Id: I5c105eaffa7abddaf14a9d0120fd6b71749c7977
Bug: 242892591
Test: atest GtsFontHostTestCases
Test: Manually verified the font files can be updated
Change-Id: Ic72fcca734dc7bd20352d760ec43002707e4c47d
This is required to pass release fence FDs from camera to display
Test: Camera CTS
CRs-Fixed: 3184666
Bug: 234636443
Change-Id: I77884b37e254a9d56b8ec7b2e6dd71718f52d573
This reverts commit a87c7be419.
Reason for revert: I was mistaken and this isn't a property that the vendor should set, but the OEM should override from the product partition. That doesn't require sepolicy changes.
Bug: 256109167
Change-Id: Idebfb623dce960b2b595386ade1e4c4b92a6e402
Vendors should be able to set the `remote_provisioning.tee.rkp_only` and
`remote_provisioning.strongbox.rkp_only` properties via
PRODUCT_VENDOR_PROPERTIES so grant `vendor_init` the permission to set
them.
The property wasn't able to use `system_vendor_config_prop()` as
`remote_prov_app` has tests which override the properties.
Bug: 256109167
Test: manual test setting the property from device.mk for cuttlefish
Change-Id: I174315b9c0b53929f6a11849efd20bf846f8ca29
Similarly to /proc/vmstat, apps are not allowed to access this file.
Ignore the audit message, as this is the most reported denial in our
droidfood population.
Test: m selinux_policy
Change-Id: I88ed1aa1bfad33b462d971e739ca65791cb0227b
The background_install_control service is going to detect
background installed apps and provide the list of such apps.
Bug: 244216300
Test: manual
Change-Id: I6500f29ee063da4a3bc18e109260de419dd39218
Secondary dex files are in app data directories. In order to perform
secondary dex compilation, artd needs permissions to:
- Read secondary dex files
- Create "oat" dir
- Create a reference profile in "oat" dir
- Rename the reference profile
- Delete the reference profile
- Read the current profile in "oat" dir
- Delete the current profile
- Create compilation artifacts in "oat" dir
- Rename compilation artifacts
- Delete compilation artifacts
Bug: 249984283
Test: -
1. adb shell pm art optimize-package --secondary-dex -m speed-profile -f com.google.android.gms
2. See no SELinux denial.
Change-Id: I19a0ea7895a54c67959b22085de27d1d0ccc1efc
And allow VS and crosvm access to privapp_data_file, to the same
extent as app_data_file.
Update some comments, move a neverallow to the bottom of the file with
the others.
Bug: 255286871
Test: Install demo app to system/priv-app, see it work without explicit grant.
Change-Id: Ic763c3fbfdfe9b7a7ee6f1fe76d2a74281b69f4f
We want to more closely monitor the system properties that the
sdk_sandbox has access to.
Bug: 210811873
Test: adb logcat | grep "r:sdk_sandbox"
Change-Id: I0d590374e931ca41d5451cd7c2de5b02fee619e9
For post-OTA boot, we run a userspace block device daemon to mount /system.
However if we let the daemon run while loading sepolicy, it would spam permissive audits.
Since sepolicy is not enforced yet, we can suppress these
audit messages.
Bug: 240321741
Test: Full OTA on pixel
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I0af484f95b6a1deb41498d67de82afd3c6bb29b6
...and crosvm to access a listener socket when passed to it by file
descriptor from virtualizationservice.
Bug: 235579465
Test: Start a VM
Change-Id: I7e89cfb4fb8a1ce845eaea64a33dbaad6bff9969
Cherry-pick note: This contains the original AOSP change plus
an addition to private/compat/32.0/32.0.ignore.cil which
does not _appear_ to be required on AOSP and future releases
but is required for tm-dev. If needed we can add this to
AOSP later.
Bug: 243933553
Test: m sepolicy_freeze_test
Change-Id: Idc011c66dfe71aa6c8dfdbc0b0377d2957571b83
Merged-In: Idc011c66dfe71aa6c8dfdbc0b0377d2957571b83
(cherry picked from commit 96268c6622)
Manual testing protocol:
* Verify prng_seeder daemon is running and has the
correct label (via ps -Z)
* Verify prng_seeder socket present and has correct
label (via ls -Z)
* Verify no SELinux denials
* strace a libcrypto process and verify it reads seeding
data from prng_seeder (e.g. strace bssl rand -hex 1024)
* strace seeder daemon to observe incoming connections
(e.g. strace -f -p `pgrep prng_seeder`)
* Kill daemon, observe that init restarts it
* strace again and observe clients now seed from new instance
Bug: 243933553
Test: Manual - see above
Change-Id: I0a7e339115a2cf6b819730dcf5f8b189a339c57d
Merged-In: I0a7e339115a2cf6b819730dcf5f8b189a339c57d
(cherry picked from commit e6da3b80d1)
We need to separate out the feature flags in use by remote key
provisioning daemon (RKPD). For this, I have set up a new namespace
remote_key_provisioning_native. This change adds the SELinux policies to
make sure appropriate permissions are present when accessing the feature
flag for read/write.
Change-Id: I9e73a623f847a058b6236dd0aa370a7f9a9e6da7
Test: TreeHugger
To prevent a race condition on a profile, the app holds a flock when
writing the profile, and profman needs to hold a flock to read it. This
is not ideal because either side can get blocked by the flock.
We want to avoid using flock and do it in a move-based way: instead of
mutating the profile in place, the app creates a temp file next to it,
works on the temp file, and replaces the original file after it's done
(or deletes the temp file if it fails).
To achieve that, the app needs the remove_name permission.
Bug: 249522285
Change-Id: I16f27e6a9c5c3a7ab2ab8e24d3ad0a20119e16db
Test: Presubmit
derive_sdk is used to configure installed SDK extensions. It can also
print debug information about these.
Allow dumpstate to execute derive_sdk, to include the debug information
in bugreports.
Bug: 240656777
Test: adb bugreport /tmp/bugreport.zip && unzip -c /tmp/bugreport.zip bugreport*.txt | grep -i 'sdk extensions'
Change-Id: I0f502f9f94a376dff2e7eb821f7bf753de2d5482
Limit processes that can change global settings system properties.
Only system server and shell (for tests) should be able to set the
affected system properties.
Bug: 248307936
Test: treehugger only
Change-Id: I20b40cbedc9ad5277d08d033fc9d3ff6df7b7919
Add a new selinux type for a system property used to hold metadata about
the time zone setting system property. Although system settings are
world readable, the associated metadata only needs to be readable by the
system server (currently).
Bug: 236612872
Test: treehugger
Change-Id: Iac1bc3301a049534ea5f69edf27cd85443e6a92e
Reduce use of "exported_system_prop" by defining 2 new (currently
identical) "locale_prop" and "timezone_prop" types for the system
properties that are for "global system settings". See the comments in
private/property_contexts for details.
Initially the rights of the new types should be identical to
exported_system_prop but they will be reduced with a follow-up commit to
enable easier rollback / progress to be made on related work.
Bug: 236612872
Test: treehugger
Change-Id: I8d818342023bc462376c091b8a522532ccaf15d3
The permissions are needed for profile-guided compilation: when ART
Services compiles an app, it uses the information in current profiles as
one factor to determine which classes and methods to compile.
Since there can be multiple current profiles, in practice, it merges
the current profiles into a "reference profile" and passes that to the
compiler. After the compilation is done successfully, it keeps the
reference profile and deletes current profiles.
This is currently done by installd
(http://cs/android-internal/system/sepolicy/public/installd.te;l=125;rcl=0cbe233cdc361b0976874b2df04392d74245aade),
and we'd like artd to do it.
In addition, we want to make artd work in a more atomic way: If a
reference profile already exists, instead of mutating it in place,
artd creates a temp file next to it, works on the temp file, and
replaces the original file after it's done (or deletes the temp file
if it fails).
Therefore, artd needs the permissions to read current profile files.
It also needs to be mlstrustedsubject because current profile files
seem to have MLS restrictions.
Otherwise, it will get SELinux denials like:
```
09-23 20:22:13.931 8097 8097 I binder:8097_2: type=1400 audit(0.0:164): avc: denied { search } for name="cur" dev="dm-53" ino=81 scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_root_file:s0 tclass=dir permissive=1
09-23 20:22:13.931 8097 8097 I binder:8097_2: type=1400 audit(0.0:164): avc: denied { search } for name="0" dev="dm-53" ino=207 scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_root_file:s0:c512,c768 tclass=dir permissive=1
```
Note the MLS restrictions `c512,c768` in the message above.
Bug: 248318911
Test: manual -
1. adb shell pm art optimize-package -m speed-profile \
com.google.android.youtube
2. See no SELinux denials like above.
Change-Id: I1cb8c3ac07d3790a4d74d747707327b1d5d8ecfb
The permissions are needed for profile-guided compilation: when ART
Services compiles an app, it uses the information in current profiles as
one factor to determine which classes and methods to compile.
Since there can be multiple current profiles, in practice, it merges
the current profiles into a "reference profile" and passes that to the
compiler. After the compilation is done successfully, it keeps the
reference profile and deletes current profiles.
This is currently done by installd
(http://cs/android-internal/system/sepolicy/public/installd.te;l=125;rcl=0cbe233cdc361b0976874b2df04392d74245aade),
and we'd like artd to do it.
In addition, we want to make artd work in a more atomic way: If a
reference profile already exists, instead of mutating it in place,
artd creates a temp file next to it, works on the temp file, and
replaces the original file after it's done (or deletes the temp file
if it fails).
Therefore, artd needs the permissions to add/delete/replace profile
files. Otherwise, it will get SELinux denials like:
```
09-23 19:51:37.951 5050 5050 I binder:5050_1: type=1400 audit(0.0:134): avc: denied { write } for name="com.google.android.youtube" dev="dm-52" ino=922 scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_data_file:s0 tclass=dir permissive=1
09-23 19:51:37.951 5050 5050 I binder:5050_1: type=1400 audit(0.0:134): avc: denied { add_name } for name="primary.prof.6mOsV9.tmp" scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_data_file:s0 tclass=dir permissive=1
```
Bug: 248318911
Test: manual -
1. adb shell pm art optimize-package -m speed-profile \
com.google.android.youtube
2. See no SELinux denials like above.
Change-Id: Ib1a914b9a9526a85b69d27970e4b23c4e101c68a
VintfObject will monitor for /apex directory for VINTF data.
Add permissions for service managers to read this data.
Bug: 239055387
Test: m && boot
Change-Id: I179e008dadfcb323cde58a8a460bcfa2825a7b4f
Sepolicy changes for confirmationui while converting from hidl
to aidl.
Bug: b/205760172
Test: run vts -m VtsHalConfirmationUIV1_0Target
Change-Id: Ib21038fd89789755b978489f5293725b221d86c4
This is a part of changes to bring up Remote Key Provisioning Daemon
module. See packages/modules/RemoteKeyProvisioning for more info.
Change-Id: Iae4e98176491637acb03e2e09b9d8dbc269be616
Test: atest rkpd_client_test
Manual testing protocol:
* Verify prng_seeder daemon is running and has the
correct label (via ps -Z)
* Verify prng_seeder socket present and has correct
label (via ls -Z)
* Verify no SELinux denials
* strace a libcrypto process and verify it reads seeding
data from prng_seeder (e.g. strace bssl rand -hex 1024)
* strace seeder daemon to observe incoming connections
(e.g. strace -f -p `pgrep prng_seeder`)
* Kill daemon, observe that init restarts it
* strace again and observe clients now seed from new instance
Bug: 243933553
Test: Manual - see above
Change-Id: I0a7e339115a2cf6b819730dcf5f8b189a339c57d
Will add fuzzer once the service is implemented.
Test: Run remoteaccess HAL on gcar_emu. Verify the service is running.
Bug: 241483300
Change-Id: I01b31a88414536ddd90f9098f422ae43a48cf726
Add selinux policy so the healthconnect system service
can be accessed by other processes.
Bug: 246961138
Test: build
Change-Id: I37e0e7f1a2b4696b18f8876a107c509d2906e850
Conversion of the gatekeeper hidl interface to stable aidl interface.
Bug: 205760843
Test: run vts -m VtsHalGatekeeperTarget
Change-Id: I44f554e711efadcd31de79b543f42c0afb27c23c
ro.log.file_logger.path is a system property that liblog uses to
determine if file_logger should be used (instead of logd) and what file
the logs should be emitted to. It is primarily meant for non-Android
environments like Microdroid, and doesn't need to be set in Android. In
fact, setting it to a wrong value can break the system logging
functionality. This change prevents such a problem by assigning a
dedicated property context (log_file_logger_prop) to the property and
making it non-writable. (Note that it still has to be readable because
liblog reads it and liblog can be loaded in any process)
Bug: 222592894
Test: try to set ro.log.file_logger.path
Change-Id: Ic6b527327f5bd4ca70a58b6e45f7be382e093318
Previously in Microdroid, processes sent log messages to logd over a
socket and then logcat ran to hand the messages to the host side over the
serial console.
That has changed. Now, the liblog library which processes use to emit
logs directly sends the given message to the serial console. Liblog does
this by reading a new system property ro.log.file_logger.path. When this
is set, liblog doesn't use the logd logger, but opens the file that the
sysprop refers to and writes logs there.
This change implements the sepolicy side of the story.
* logd and logcat types are removed since they no longer are needed.
* existing references to those types are removed as well.
* a new property type `log_prop` is introduced and the two system
properties are labeled as log_prop
* all processes have read access to the system properties
* all processes have append access to /dev/hvc2
Bug: 222592894
Test: run microdroid, see log is still emitted.
Change-Id: I4c4f3f4fd0e7babeab28ddf39471e914445ef4da
This is needed for getting CPU time and wall time spent on subprocesses. Otherwise, the following denials will occur:
09-09 15:11:38.635 6137 6137 I binder:6137_1: type=1400 audit(0.0:185): avc: denied { read } for scontext=u:r:artd:s0 tcontext=u:r:dex2oat:s0 tclass=file permissive=1
09-09 15:11:38.635 6137 6137 I binder:6137_1: type=1400 audit(0.0:185): avc: denied { search } for name="6157" dev="proc" ino=57917 scontext=u:r:artd:s0 tcontext=u:r:dex2oat:s0 tclass=dir permissive=1
09-09 15:11:38.635 6137 6137 I binder:6137_1: type=1400 audit(0.0:185): avc: denied { open } for path="/proc/6157/stat" dev="proc" ino=57954 scontext=u:r:artd:s0 tcontext=u:r:dex2oat:s0 tclass=file permissive=1
Bug: 245380798
Test: -
1. adb shell pm art optimize-package -m speed -f \
com.google.android.youtube
2. See CPU time and wall time in the output. No denial occurred.
Change-Id: I9c8c98a31e1ac0c9431a721938c7a9c5c3ddc42b
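As an added triage helper (not code from the sepolicy project or from any of these commits), the following Python parses the avc denial lines quoted in the three artd commits above, groups them by source type, target type and object class, and flags targets whose context carries MLS categories (the `c512,c768` case), which is the signal that the domain needs `mlstrustedsubject` and not only an allow rule. The sample log is constructed from the lines quoted on this page; the rendered rules are candidates for review, the way audit2allow output is.

```python
import re
from collections import defaultdict

# Constructed sample: denial lines quoted in the artd commit messages above.
SAMPLE_LOG = """\
09-23 20:22:13.931 8097 8097 I binder:8097_2: type=1400 audit(0.0:164): avc: denied { search } for name="cur" dev="dm-53" ino=81 scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_root_file:s0 tclass=dir permissive=1
09-23 20:22:13.931 8097 8097 I binder:8097_2: type=1400 audit(0.0:164): avc: denied { search } for name="0" dev="dm-53" ino=207 scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_root_file:s0:c512,c768 tclass=dir permissive=1
09-23 19:51:37.951 5050 5050 I binder:5050_1: type=1400 audit(0.0:134): avc: denied { write } for name="com.google.android.youtube" dev="dm-52" ino=922 scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_data_file:s0 tclass=dir permissive=1
09-23 19:51:37.951 5050 5050 I binder:5050_1: type=1400 audit(0.0:134): avc: denied { add_name } for name="primary.prof.6mOsV9.tmp" scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_data_file:s0 tclass=dir permissive=1
09-09 15:11:38.635 6137 6137 I binder:6137_1: type=1400 audit(0.0:185): avc: denied { open } for path="/proc/6157/stat" dev="proc" ino=57954 scontext=u:r:artd:s0 tcontext=u:r:dex2oat:s0 tclass=file permissive=1
"""

# The "for ..." part varies (name=, path=, dev=, ino=, or nothing at all), so it is matched lazily.
DENIAL_RE = re.compile(
    r'avc: denied \{ (?P<perms>[^}]+) \} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?'
)

def parse_denial(line):
    """Return a dict for one avc denial line, or None if the line is not a denial."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d['perms'] = set(d['perms'].split())
    # A context is user:role:type:sensitivity[:categories]; the type is field 3.
    d['stype'] = d['scontext'].split(':')[2]
    tparts = d['tcontext'].split(':')
    d['ttype'] = tparts[2]
    # Categories after the sensitivity (e.g. c512,c768) mean the target is MLS-constrained.
    d['mls_categories'] = tparts[4] if len(tparts) > 4 else ''
    d['permissive'] = d['permissive'] == '1'
    return d

def summarize(log_text):
    """Group denials by (source type, target type, class) and union their permissions."""
    groups = defaultdict(lambda: {'perms': set(), 'mls': False, 'count': 0})
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        g = groups[(d['stype'], d['ttype'], d['tclass'])]
        g['perms'] |= d['perms']
        g['mls'] |= bool(d['mls_categories'])
        g['count'] += 1
    return dict(groups)

def suggest_rules(groups):
    """Render candidate allow rules for review; MLS-constrained targets get an extra note."""
    lines = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        perms = ' '.join(sorted(g['perms']))
        lines.append(f'allow {stype} {ttype}:{tclass} {{ {perms} }};  # {g["count"]} denial(s)')
        if g['mls']:
            lines.append(f'# {ttype} carries MLS categories; {stype} also needs mlstrustedsubject')
    return lines

if __name__ == '__main__':
    print('\n'.join(suggest_rules(summarize(SAMPLE_LOG))))
```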
New ro.kernel.watermark_scale_factor property is used to store the
original value read from /proc/sys/vm/watermark_scale_factor before
extra_free_kbytes.sh changes it. The original value is necessary to
use the same reference point in case the script is invoked multiple
times. The property is set by init the first time the script is invoked
and should never be changed afterwards.
Bug: 242837506
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I7760484854a41394a2efda9445cff8cb61587514
Next attempt at rolling forward aosp/2200430. It appears the
first-stage-init did not create the /dev/selinux folder on GSI
instances, resulting in breakages when selinux.cpp tries to copy files
to that folder.
To verify these changes for b/244793900, follow
gpaste/4922166775644160
Bug: 243923977
Test: atest SeamendcHostTest
Change-Id: I2bc630cfaad697d44053adcfd639a06e3510cc72
Starting with 91a9ab7c94, calling io_uring_setup will need selinux
permission to create anon inodes.
Test: th
Bug: 244785938
Change-Id: I351983fefabe0f6fdaf9272506ea9dd24bc083a9
Revert "Add seamendc tests for sdk_sandbox in apex sepolicy"
Revert submission 2201484-sdk_sandbox
Note: this is not a clean revert, I kept the changes in aosp/2199179
and the changes to system/sepolicy/Android.mk. Those changes are already
part of internal, I do not want to put those files out of sync again.
Test: atest SeamendcHostTest
Reason for revert: b/244793900
Reverted Changes:
Ib14b14cbc:Add seamendc tests for sdk_sandbox in apex sepolic...
I27ee933da:Move allow rules of sdk_sandbox to apex policy
Change-Id: If225cdd090248e050d1f0b42f547a4b073bbafc6