The properties for attestation are congifured in build.prop files and
used by frameworks Build.java.
Allow vendor_init to set these properties and allow Zygote to access
them.
Bug: 211547922
Test: SELinuxUncheckedDenialBootTest
Change-Id: I5666524a9708c6fefe113ad4109b8a344405ad57
Provides mapping using the isIsolatedComputeApp to enable certain
isolated process running in such domain with more hardware
acceleratation.
Bug: 267494028
Test: m && atest --host libselinux_test with change on android_unittest.cpp
Change-Id: I9ff341de69e0ad15cb7764276e0c726d54261b84
This CL the selinux rules for the property ro.usb.uvc.enabled which will
be used to toggle UVC Gadget functionality on the Android Device.
Bug: 242344221
Bug: 242344229
Test: Manually tested that the property can only be read at runtime,
not written to.
Change-Id: I0fd6051666d9554037acc68fa81226503f514a45
Provides a new domain to enable secure sensitive data processing. This
allows processing of sensitive data, while enforcing necessary privacy
restrictions to prevent the egress of data via network, IPC or file
system.
Bug: 255597123
Test: m && manual - sample app with IsolatedProcess=True can use camera
service
Change-Id: I401667dbcf492a1cf8c020a79f8820d61990e72d
Introduce isolated_app_all typeattribute to share policies between
isolated_app and future similar apps that wish to be enforced with
isolation properties.
Bug: 255597123
Test: m && presubmit
Change-Id: I0d53816f71e7d7a91cc379bcba796ba65a197c89
installd needs to kill profman if profman times out.
Bug: 242352919
Test: -
1. Add an infinate loop to profman.
2. Run `adb shell pm compile -m speed-profile com.android.chrome`
3. See profman being killed after 1 minute.
Change-Id: I71761eaab027698de0339d855b9a436b56580ed8
am skip reason: Merged-In I916c9795d96e4a4a453f9aed5e380f11981804e9 with SHA-1 24d90e792e is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2402006
Change-Id: I270b951dd87754c9477b3d52f00b6dc21c9bc501
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Brings in the io_uring class and associated restrictions and adds a new
macro, `io_uring_use`, to sepolicy.
In more detail, this change:
* Adds a new macro expands to ensure the domain it is passed can undergo a
type transition to a new type, `<domain>_iouring`, when the anon_inode
being accessed is labeled `[io_uring]`. It also allows the domain to
create, read, write, and map the io_uring anon_inode.
* Adds the ability for a domain to use the `IORING_SETUP_SQPOLL` flag
during `io_uring_setup` so that a syscall to `io_uring_enter` is not
required by the caller each time it wishes to submit IO. This can be
enabled securely as long as we don't enable sharing of io_uring file
descriptors across domains. The kernel polling thread created by `SQPOLL`
will inherit the credentials of the thread that created the io_uring [1].
* Removes the selinux policy that restricted all domains that make use of
the `userfault_fd` macro from any `anon_inode` created by another domain.
This is overly restrictive, as it prohibits the use of two different
`anon_inode` use cases in a single domain e.g. userfaultfd and io_uring.
This change also replaces existing sepolicy in fastbootd and snapuserd
that enabled the use of io_uring.
[1] https://patchwork.kernel.org/project/linux-security-module/patch/163159041500.470089.11310853524829799938.stgit@olly/
Bug: 253385258
Test: m selinux_policy
Test: cd external/liburing; mm; atest liburing_test; # requires WIP CL ag/20291423
Test: Manually deliver OTAs (built with m dist) to a recent Pixel device
and ensure snapuserd functions correctly (no io_uring failures)
Change-Id: I96f38760b3df64a1d33dcd6e5905445ccb125d3f
Provide isIsolatedComputeApp selector for apps reusing _isolated user to run in domains other than isolated_app. Processes match the selector will have a default domain isolated_compute_app assigned. Also updated _isolated neverallow statements.
Bug: 265540209
Bug: 265746493
Test: m && atest --host libselinux_test with change on android_unittest.cpp
Change-Id: Ia05954aa6a9a9a07d6a8d1e3235a89e7b37dead9
This type doesn't exist in Microdroid.
Bug: 266871002
Test: m SANITIZE_TARGET=address com.android.virt
Change-Id: I2ca6db9669eafc4037bbf87bdcff60935893d93f
am skip reason: Merged-In I47f2ddc4fa87bf6c8f872d2679348b2eecddcaad with SHA-1 8a7dcb5e1e is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2399373
Change-Id: I8513e2cf38a4c2e7bb1ba0202c22266803df5079
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Merged-In I40ac5d43da5778b5fa863b559c28e8d72961f831 with SHA-1 d0e108fbbe is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2399372
Change-Id: Ia177a221b0d022f8db3af87df458f16788328080
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This is enabled on debuggable builds only, includes
- Grant mlstrustedsubject typeattribute to wm_trace_data_file
- Grant platform_app (like systemui) the write access to
wm_trace_data_file
Bug: 251513116
Test: adb shell dumpsys activity service SystemUIService \
WMShell protolog [start | stop]
Change-Id: I9f77f8995e4bf671616ce6c49eeb93720e31430e
Platforms, such as cuttlefish, are RKP only, and are using a new
version of keymint that is not compatible with the old
RemoteProvisioner. Therefore, we must ensure that the configuration
is fixed and cannot be turned off.
Bug: 266482839
Test: RemoteProvisionerUnitTests
Test: keystore2_client_tests
Test: RkpdAppUnitTests
Change-Id: Ib7b3128b27c4a26fdd2dbdc064b491f7a3d3cd92
We plan to move canhalconfigurator from system to system_ext partition.
So let's update its sepolicy file context first.
Bug: 263516803
Test: build selinux policy for aosp_cf_x86_64_auto target
Change-Id: Ic4bd69489fa2f94ba33665a2cf1359e9fa487ea6
ro.secure and ro.debuggable system properties are not intended
to be visible via Android SDK. This change blocks untrusted
apps from reading these properties.
Test: n/a for cherry-pick
Ignore-AOSP-First: cherry-pick for tm-qpr-dev
Bug: 193912100
Bug: 265874811
Change-Id: I40ac5d43da5778b5fa863b559c28e8d72961f831
Merged-In: I40ac5d43da5778b5fa863b559c28e8d72961f831
It is safe to grant this permission because:
* UID restrictions will prevent killing arbitrary apps.
* Runas enforces restrictions preventing transitioning to UIDs of apps
that are not debuggable.
Addresses:
avc: denied { sigkill } for scontext=u:r:runas_app:s0:c87,c257,c512,c768
tcontext=u:r:untrusted_app:s0:c87,c257,c512,c768 tclass=process
permissive=0 app=com.example.myapplication
Bug: 263379256
Test: Build and deploy any Android app in debug mode
adb shell
run-as com.example.myapplication
kill -SIGKILL <pid>
Change-Id: I1e4588a9a1c7ee71e0396fbd1ea5e1b24720bd62
The untrusted apps should not directly access /dev/socket/mdnsd since
API level 34 (U). Only adbd and netd should remain to have access to
/dev/socket/mdnsd. For untrusted apps running with API level 33-, they
still have access to /dev/socket/mdnsd for backward compatibility.
Bug: 265364111
Test: Manual test
Change-Id: Id37998fcb9379fda6917782b0eaee29cd3c51525
