- This allows init to access it.
Bug: 149039306
Test: Flash and confirm that file system can run resize2fs when metadata_csum is enabled.
Change-Id: Id91d8fb6800b254b12eaf93a0e8cb019b55d2702
recovery is excluded because it is not an interesting code
path.
Test: apply OTA, cancel, delete OTA states, then apply again
to trigger CancelUpdate() code path, see logs
Bug: 148818798
Change-Id: I3baac977af54ac0a09c9b732fd172469c9f51627
This is a domain for the MediaProvider mainline module. The
MediaProvider process is responsible for managing external storage, and
as such should be able to have full read/write access to it. It also
hosts a FUSE filesystem that allows other apps to access said storage in
a safe way. Finally, it needs to call some ioctl's to set project quota
on the lower filesystem correctly.
Bug: 141595441
Test: builds, mediaprovider module gets the correct domain
Change-Id: I0d705148774a1bbb59c927e267a484cb5c44f548
To include linkerconfig results into dumpstate, dumpstate needs extra
permission on lnkerconfig directory to search all items within the
directory. This change allows dumpstate to have extra access on
linkerconfig directory.
Bug: 148840832
Test: tested from cuttlefish
Change-Id: I955b54ec2cc3d1dcedaa34406e0e0776b6ac12f6
dumpstate creates an error log from CTS test because dumpstate does not
have access to linkerconfig directory. As df doesn't need to scan
linkerconfig directory, do not audit this directory in dumpstate
to get attributes.
Bug: 148760417
Test: m -j passed
Test: No sepolicy error from correspoding test
Change-Id: I3c1c3a489584450bd23fbce2d7cc9b09aaf9c002
This reverts commit d5a0edd75e.
Reason for revert: CTS failure
There are apps that relies on SELinux regulations to constrain their access. We'll need to analyze them before introducing the sepolicy.
Bug: 147695658
Change-Id: Ic57fcb90371b50a978ab7b2e0d20c4cb3d2da7f6
Test: cts-tradefed run cts -m CtsPermissionTestCases
Setting files and dirs under /data/incremental as apk_data_file, so that
they will have the same permissions as the ones under /data/app.
Current layout of the dirs:
1. /data/incremental/[random]/mount -> holds data files (such as base.apk) and
control files (such as .cmd). Its subdirectory is first bind-mounted to
/data/incremental/tmp/[random], eventually bind-mounted to
/data/app/~~[randomA]/[packageName]-[randomB].
2. /data/incremental/[random]/backing_mount -> hold incfs backing image.
3. /data/incremental/tmp/[random] -> holds temporary mountpoints (bind-mount targets)
during app installation.
Test: manual
Change-Id: Ia5016db2fa2c7bad1e6611d59625731795eb9efc
These properties are owned by system, but is configurable
in vendor partition.
Test: apply OTA
Bug: 148569015
Change-Id: I24baa981d1f850cd18a3429f6e0a4efd31a8570d
In order to track time in state data using eBPF, system_server needs
to be able to attach BPF programs to tracepoints, which involves:
- calling perf_event_open and the PERF_EVENT_IOC_SET_BPF ioctl
- running BPF programs
- reading tracepoint ids from tracefs
Grant system_server the necessary permissions for these tasks
Test: modify system_server to try to attach programs; check for
denials
Bug: 138317993
Change-Id: I07dafd325a9c57d53767a09d4ca7b0fb2dd2d328
Signed-off-by: Connor O'Brien <connoro@google.com>
These ioctls are required to set a default project quota ID on
/data/media.
Bug: 146419093
Test: verified chattr call from rootdir/init.rc
Change-Id: I0c9028e0a6502302fe81a73dfa087261a36d9863
Revert "Add new permissions to test"
Revert submission 1210143-platformcompat-permissions
Reason for revert: http://b/142942524
Reverted Changes:
I3601b12d5: Add new permissions to test
I65d425aac: Make platform_compat discoverable everywhere
I1c8cbb656: Add permissions for using PlatformCompat methods
Change-Id: I356c1d1c4d1213eea6e5585b23faa40722b1a01a
webview_zygote inherits tmpfs files from zygote and needs to stat
them after fork.
Bug: 138851227
Test: run walleye_jitzygote config, fork webview_zygote.
Change-Id: I092b942c0426f3f5731536ae9f2f5886a9196d3d
As apexd now has dac_override, it should also have dac_read_search to
avoid spurious denials.
Bug: 141148175
Test: Build, run apex installation, check denials.
Change-Id: I179c05b36ae0fe62d943ca59ee7f8158507f1f10
This allows apexd to execute "cp" to perform snapshot and
restore operations.
Other rules for this were added in aosp/1217340, but this one was
missed.
Bug: 141148175
Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeSys
Change-Id: Ia529ede468578bfadc87e049a2c0ab4f87e1c43d
This allows init to call chattr to allow casefolding on /data/media
Test: lsattr on /data/media on device with casefolding support
Bug: 138322712
Change-Id: I5715484d872088517f67c62a78344a2d417dd77f
The LOCAL_COMPATIBILITY_SUITES variable has been removed, as the users
are now embedding this binary the same way they do the rest of the
sepolicy tools.
Bug: 122331947
Bug: 130696912
Test: treehugger
Change-Id: Ia83025b18da87204d87684f2c0af025d9cecc824
These neverallow rules are to prevent properties from crossing treble
boundary. As attributes like internal / restricted / public has been
landed, the neverallow rules are changed to use attributes to avoid
endless manual maintaining of the list.
Bug: 148181222
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0ba930f6c78852e785858fb069faf4f984643e34
4eae75c9d4
Reason for revert: This undoes the previous reversion, which was made to fix b/148282665.
Change-Id: I70d6e60a0468abea19f5efd7fde10207a251cf61
/mnt/pass_through was introduced to allow the FUSE daemon unrestricted
access to the lower filesystem (or sdcardfs).
At zygote fork time, the FUSE daemon will have /mnt/pass_through/0
bind mounted to /storage instead of /mnt/user/0. To keep /sdcard
(symlink to /storage/self/primary) paths working, we create a
'self' directory with an additional 'primary' symlink to
/mnt/pass_through/0/emulated/0 which is a FUSE mount point.
The following components need varying sepolicy privileges:
Vold: Creates the self/primary symlink and mounts the lower filesystem
on /mnt/pass_through/0/emulated. So needs create_dir and mount access
+ create_file access for the symlink
zygote: In case zygote starts an app before vold sets up the paths.
This is unlikely but can happen if the FUSE daemon (a zygote forked app)
is started before system_server completes vold mounts.
Same sepolicy requirements as vold
installd: Needs to clear/destroy app data using lower filesystem
mounted on /mnt/pass_through so needs read_dir access to walk
/mnt/pass_through
priv_app (FUSE daemon): Needs to server content from the lower
filesystem mounted on /mnt/pass_through so needs read_dir access to
walk /mnt/pass_through
Bug: 135341433
Test: adb shell ls /mnt/pass_through/0/self/primary
Change-Id: I16e35b9007c2143282600c56adbc9468a1b7f240
We are updating apps' apk path to have a two-level structure.
Default apk path of an installed app:
Before: /data/app/[packageName]-[randomString]/base.apk
After: /data/app/[randomStringA]/[packageName]-[randomStringB]/base.apk
As a result, the oat files will be two levels below /data/app.
Test: manual
BUG: 148237378
Change-Id: If8e1fed46096f2e5f4150f6eedf74af76ac9d4b4
Fixes the following denial:
type=1400 audit(0.0:4): avc: denied { read } for comm="android.hardwar" name="compatible" dev="sysfs" ino=28205 scontext=u:r:hal_bootctl_default:s0 tcontext=u:object_r:sysfs_dt_firmware_android:s0 tclass=file permissive=0
This permission is needed for ReadDefaultFstab, which searches the device tree for fstab entries. Devices that use dt-fstab may fail to find the misc block device.
Bug: 143589455
Test: manual test
Change-Id: Ied52fe9b1056d26b4dd00811c4690fa4c505fae8
