virtualizationmanager may handle some AVF debug policies for unproteted VM.
Bug: 243630590
Test: Run unprotected VM with/without ramdump
Change-Id: I2941761efe230a9925d1146f8ac55b50e984a4e9
This patch:
* allows for heap and perf profiling of all processes on the system
(minus undumpable and otherwise incompatible domains). For apps, the
rest of the platform will still perform checks based on
profileable/debuggable manifest flags. For native processes, the
profilers will check that the process runs as an allowlisted UID.
* allows for all apps (=appdomain) to act as perfetto tracing data
writers (=perfetto_producer) for the ART java heap graph plugin
(perfetto_hprof).
* allows for system_server to act a perfetto_producer for java heap
graphs.
Bug: 247858731
Change-Id: I792ec1812d94b4fa9a8688ed74f2f62f6a7f33a6
Provides the script to replace current isolated_app with
isolated_app_all if possible.
Bug: 267487579
Test: m && presubmit
Change-Id: Ifcec81ddf3da2ffb4eac67d8be1de70c1eab6b92
ro.us.uvc.enabled should not be readable from apps that can't or
shouldn't act on UVC support. This means all non-system apps. This CL
adds an explicit neverallow rule to prevent all appdomains (except
system_app and device_as_webcam).
Bug: 242344221
Bug: 242344229
Test: Build passes, manually confirmed that non-system apps cannot
access the property
Change-Id: I1a40c3c3cb10cebfc9ddb791a06f26fcc9342ed9
DeviceAsWebcam is a new service that turns an android device into a
webcam. It requires access to all services that a
regular app needs access to, and it requires read/write permission to
/dev/video* nodes which is how the linux kernel mounts the UVC gadget.
Bug: 242344221
Bug: 242344229
Test: Manually tested that the service can access all the nodes it
needs, and no selinux exceptions are reported for the service
when running.
Change-Id: I45c5df105f5b0c31dd6a733f50eb764479d18e9f
I noticed a bunch of denials in the logs like this:
avc: denied { read } for pid=187 comm="dex2oat64"
name="u:object_r:device_config_runtime_native_boot_prop:s0"
dev="tmpfs" ino=76 scontext=u:r:dex2oat:s0
tcontext=u:object_r:device_config_runtime_native_boot_prop:s0
tclass=file permissive=0
But we actually want to be able to access these properties.
Bug: 264496291
Test: atest android.compos.test.ComposTestCase#testOdrefreshSpeed
Change-Id: I6ce8ee74a1024a9ddd6ef91e73111d68da878899
The properties for attestation are congifured in build.prop files and
used by frameworks Build.java.
Allow vendor_init to set these properties and allow Zygote to access
them.
Bug: 211547922
Test: SELinuxUncheckedDenialBootTest
Change-Id: I5666524a9708c6fefe113ad4109b8a344405ad57
Provides mapping using the isIsolatedComputeApp to enable certain
isolated process running in such domain with more hardware
acceleratation.
Bug: 267494028
Test: m && atest --host libselinux_test with change on android_unittest.cpp
Change-Id: I9ff341de69e0ad15cb7764276e0c726d54261b84
This CL the selinux rules for the property ro.usb.uvc.enabled which will
be used to toggle UVC Gadget functionality on the Android Device.
Bug: 242344221
Bug: 242344229
Test: Manually tested that the property can only be read at runtime,
not written to.
Change-Id: I0fd6051666d9554037acc68fa81226503f514a45
Provides a new domain to enable secure sensitive data processing. This
allows processing of sensitive data, while enforcing necessary privacy
restrictions to prevent the egress of data via network, IPC or file
system.
Bug: 255597123
Test: m && manual - sample app with IsolatedProcess=True can use camera
service
Change-Id: I401667dbcf492a1cf8c020a79f8820d61990e72d
Introduce isolated_app_all typeattribute to share policies between
isolated_app and future similar apps that wish to be enforced with
isolation properties.
Bug: 255597123
Test: m && presubmit
Change-Id: I0d53816f71e7d7a91cc379bcba796ba65a197c89
installd needs to kill profman if profman times out.
Bug: 242352919
Test: -
1. Add an infinate loop to profman.
2. Run `adb shell pm compile -m speed-profile com.android.chrome`
3. See profman being killed after 1 minute.
Change-Id: I71761eaab027698de0339d855b9a436b56580ed8
am skip reason: Merged-In I916c9795d96e4a4a453f9aed5e380f11981804e9 with SHA-1 24d90e792e is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2402006
Change-Id: I270b951dd87754c9477b3d52f00b6dc21c9bc501
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Brings in the io_uring class and associated restrictions and adds a new
macro, `io_uring_use`, to sepolicy.
In more detail, this change:
* Adds a new macro expands to ensure the domain it is passed can undergo a
type transition to a new type, `<domain>_iouring`, when the anon_inode
being accessed is labeled `[io_uring]`. It also allows the domain to
create, read, write, and map the io_uring anon_inode.
* Adds the ability for a domain to use the `IORING_SETUP_SQPOLL` flag
during `io_uring_setup` so that a syscall to `io_uring_enter` is not
required by the caller each time it wishes to submit IO. This can be
enabled securely as long as we don't enable sharing of io_uring file
descriptors across domains. The kernel polling thread created by `SQPOLL`
will inherit the credentials of the thread that created the io_uring [1].
* Removes the selinux policy that restricted all domains that make use of
the `userfault_fd` macro from any `anon_inode` created by another domain.
This is overly restrictive, as it prohibits the use of two different
`anon_inode` use cases in a single domain e.g. userfaultfd and io_uring.
This change also replaces existing sepolicy in fastbootd and snapuserd
that enabled the use of io_uring.
[1] https://patchwork.kernel.org/project/linux-security-module/patch/163159041500.470089.11310853524829799938.stgit@olly/
Bug: 253385258
Test: m selinux_policy
Test: cd external/liburing; mm; atest liburing_test; # requires WIP CL ag/20291423
Test: Manually deliver OTAs (built with m dist) to a recent Pixel device
and ensure snapuserd functions correctly (no io_uring failures)
Change-Id: I96f38760b3df64a1d33dcd6e5905445ccb125d3f
Provide isIsolatedComputeApp selector for apps reusing _isolated user to run in domains other than isolated_app. Processes match the selector will have a default domain isolated_compute_app assigned. Also updated _isolated neverallow statements.
Bug: 265540209
Bug: 265746493
Test: m && atest --host libselinux_test with change on android_unittest.cpp
Change-Id: Ia05954aa6a9a9a07d6a8d1e3235a89e7b37dead9
This type doesn't exist in Microdroid.
Bug: 266871002
Test: m SANITIZE_TARGET=address com.android.virt
Change-Id: I2ca6db9669eafc4037bbf87bdcff60935893d93f
