After adding a new user, deleting it, and rebooting, some of the user's data still remained. This adds the SELinux permissions necessary to remove all of the data. It fixes the followign denials:
avc: denied { rmdir } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
avc: denied { unlink } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
Bug: 74866238
Test: Create user, delete user, reboot user, see no denials or
leftover data.
Change-Id: Ibc43bd2552b388a9708bf781b5ad206f21df62dc
(cherry picked from commit 254a872cab)
dumpstate needs to read all the system properties for debugging.
Bug: 77277669
Test: succeeded building and tested with taimen
Change-Id: I3603854b3be67d4fc55d74f7925a21bfa59c81ee
Merged-In: I3603854b3be67d4fc55d74f7925a21bfa59c81ee
(cherry picked from commit 4de238e9b9)
We're adding support for OEMs to ship exFAT, which behaves identical
to vfat. Some rules have been manually enumerating labels related
to these "public" volumes, so unify them all behind "sdcard_type".
Test: atest
Bug: 67822822
Change-Id: I09157fd1fc666ec5d98082c6e2cefce7c8d3ae56
Tombstoned unlinks "trace_XX" files if there are too many of them.
avc: denied { unlink } for comm="tombstoned" name="trace_12"
scontext=u:r:tombstoned:s0 tcontext=u:object_r:anr_data_file:s0
tclass=file
Bug: 77970585
Test: Build/boot taimen. adb root; sigquit an app.
(cherry picked from commit eb8f938fd4)
Change-Id: I2f29d12f747d688f8f4e06b48cf72c5109adc2ae
Vendors may use this to write custom messages to their bootloader, and
as the bootloader is under vendor control, this makes sense to allow.
Bug: 77881566
Test: build
Merged-In: I78f80400e5f386cad1327a9209ee1afc8e334e56
Change-Id: I78f80400e5f386cad1327a9209ee1afc8e334e56
(cherry picked from commit db465285cf)
Values of the following properties are set by SoC vendors on some
devices including Pixels.
- persist.bluetooth.a2dp_offload.cap
- persist.bluetooth.a2dp_offload.enable
- persist.vendor.bluetooth.a2dp_offload.enable
- ro.bt.bdaddr_path
- wlan.driver.status
So they should be whitelisted for compatibility.
Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
Merged-In: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
(cherry picked from commit 224921d18a)
We have seen crash_dump denials for radio_data_file,
shared_relro_file, shell_data_file, and vendor_app_file. This commit
widens an existing dontaudit to include them as well as others that we
might see.
Bug: 77908066
Test: Boot device.
Change-Id: I9ad2a2dafa8e73b13c08d0cc6886274a7c0e3bac
(cherry picked from commit a3b3bdbb2f)
We often see the following denials:
avc: denied { sys_rawio } for comm="update_engine" capability=17 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0
avc: denied { sys_rawio } for comm="boot@1.0-servic" capability=17 scontext=u:r:hal_bootctl_default:s0 tcontext=u:r:hal_bootctl_default:s0 tclass=capability permissive=0
These are benign, so we are hiding them.
Bug: 37778617
Test: Boot device.
Change-Id: Iac196653933d79aa9cdeef7670076f0efc97b44a
(cherry picked from commit bf4afae140)
This is originally allowed in healthd but the permission
was not transfered to health HAL. A typical health HAL
implementation is likely to write battery info to kernel
logs.
Test: device has battery kernel logs with health HAL
but without healthd
Bug: 77661605
Change-Id: Ib3b5d3fe6bdb3df2a240c85f9d27b863153805d2
cgroupfs doesn't allow files to be created, so this can't be needed.
Also remove redundant neverallow and dontaudit rules. These are now
more broadly handled by domain.te.
Bug: 74182216
Test: Denials remain silenced.
Change-Id: If7eb0e59f567695d987272a2fd36dbc251516e9f
A default value of persist.sys.sf.native_mode could be set by SoC
partners in some devices including some pixels.
So it should have vendor_init_settable accessibility.
Bug: 74266614
Test: succeeded building and tested with a pixel device with
PRODUCT_COMPATIBLE_PROPERTY_OVERRIDE=true.
Change-Id: I5d7a029f82505983d21dc722541fb55761a8714d
Merged-In: I5d7a029f82505983d21dc722541fb55761a8714d
(cherry picked from commit 0dc3587393)
Update for debugfs labeling changes.
Update for simpleperf behavior with stack traces (temp file).
(cherry picked from commit c8fe29ff1e)
Bug: 73175642
Test: m
Test: manual - run profiling, look for logs
Merged-In: Ie000a00ef56cc603f498d48d89001f566c03b661
Change-Id: Ie000a00ef56cc603f498d48d89001f566c03b661
See also go/perfetto-io-tracing-security.
* Grant CAP_DAC_READ_SEARCH to traced_probes.
* Allow traced_probes to list selected labels.
* Change ext4 and f2fs events to be available on user builds.
Bug: 74584014
Cherry-picked from aosp/631805
Change-Id: I891a0209be981d760a828a69e4831e238248ebad
Merged-In: I891a0209be981d760a828a69e4831e238248ebad
The kernel generates file creation audits when O_CREAT is passed even
if the file already exists - which it always does in the cgroup cases.
We add neverallow rules to prevent mistakenly allowing unnecessary
create access. We also suppress these denials, which just add noise to
the log, for the more common culprits.
Bug: 72643420
Bug: 74182216
Test: Ran build_policies.sh and checked failures were unrelated.
Test: Device still boots, denials gone.
Change-Id: I034b41ca70da1e73b81fe90090e656f4a3b542dc
In permissive mode we get more spurious denials when O_CREAT is used
with an already-existing file. They're harmless so we don't need to
audit them.
Example denials:
denied { add_name } for name="trigger" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1
denied { create } for name="trigger" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file permissive=1
Bug: 72643420
Bug: 74182216
Test: Device boots, denials gone.
Change-Id: I54b1a0c138ff5167f1d1d12c4b0b9e9afaa5bca0
A default value of persist.radio.multisim.config can be set by SoC
vendors, and so vendor-init-settable should be allowed to it.
Bug: 73871799
Test: succeeded building and tested with taimen
Change-Id: Ie62b91e7e3d7e05425b742838417f1cab7b3fed4
Merged-In: Ie62b91e7e3d7e05425b742838417f1cab7b3fed4
(cherry picked from commit ac8c6e3d44)
Give statsd rights to connect to perfprofd in userdebug.
(cherry picked from commit 488030ee6f)
Bug: 73175642
Test: mmma system/extras/perfprofd
Merged-In: Idea0a6b757d1b16ec2e6c8719e24900f1e5518fd
Change-Id: Idea0a6b757d1b16ec2e6c8719e24900f1e5518fd
The ConfirmationUI API has a callback interface by which confirmation
results are presented to the calling app. This requires keystore to call
into apps.
Test: Device boots and no more denials when call back is delivered to
apps.
Bug: 63928580
Change-Id: Ie23211aeb74c39956c3c3b8b32843d35afa1315a
Kernel modules are not permitted to be on /system partition.
That was one of Treble requirements in O:
https://source.android.com/devices/architecture/kernel/modular-kernels#file-locations
Bug: 74069409
Test: pixel/nexus devices don't have LKMs in /system, so this change
shoudl be harmless.
Test: walleye boots without issues from modprobe.
Merged-In: I8b3aeb55aacb3c99e0486224161d09a64bb52cd1
Change-Id: I8b3aeb55aacb3c99e0486224161d09a64bb52cd1
(cherry picked from commit 6ef9f5232e)
ro.config.low_ram should be set on Android Go devices by SoC vendors,
and the value can be read by vendor components.
Bug: 76132948
Bug: 75987246
Test: succeeded building and tested with taimen
Change-Id: I6ac98fa58cf641da4565d6277898fc5e5e6ceca1
Merged-In: I6ac98fa58cf641da4565d6277898fc5e5e6ceca1
(cherry picked from commit 7dd2e025d8)
Add sepolicy rule to grant Wifi HAL permission to use SIOCSIFHWADDR
ioctl. This permission is needed to dynamically change MAC address of
the device.
We are moving the implementation of setting the MAC address from
WifiCond to Vendor HAL to give vendors flexibility in supporting
Connected MAC Randomization. Will clean up WifiCond sepolicy afterwards.
Bug: 74347653
Test: Verified manually
Change-Id: I334cefddf385ecb1ee169eb692c4e0060c26d6d9
