Commit graph

66 commits

Author SHA1 Message Date
Elliot Berman
ae5869abf4 Introduce vm_manager_device_type for crosvm
Introduce hypervisor-generic type for VM managers:
vm_manager_device_type.

Bug: 274758531
Change-Id: I0937e2c717ff973eeb61543bd05a7dcc2e5dc19c
Suggested-by: Steven Moreland <smoreland@google.com>
Signed-off-by: Elliot Berman <quic_eberman@quicinc.com>
2023-03-29 10:19:06 -07:00
Keir Fraser
84bb5eeccb Adjust policy for hypervisor system properties
1. Allow them to be configured by vendor_init.
2. Introduce a new system property
   hypervisor.memory_reclaim.supported, which is configured by
   vendor_init and accessed only by virtualizationservice, and is not
   as widely accessible as the existing hypervisor sysprops.

Bug: 235579465
Test: atest MicrodroidTests
Change-Id: I952432568a6ab351b5cc155ff5eb0cb0dcddf433
2022-11-24 10:23:58 +00:00
Sandeep Dhavale
f0ea953e60 Fastboot AIDL Sepolicy changes
Bug: 205760652
Test: Build & flash
Change-Id: I2709c5cc2ca859481aac6fecbc99fe30a52a668b
Signed-off-by: Sandeep Dhavale <dhavale@google.com>
2022-11-09 22:21:27 +00:00
Pete Bentley
e6da3b80d1 Add SEPolicy for PRNG seeder daemon.
Manual testing protocol:
* Verify prng_seeder daemon is running and has the
  correct label (via ps -Z)
* Verify prng_seeder socket present and has correct
  label (via ls -Z)
* Verify no SELinux denials
* strace a libcrypto process and verify it reads seeding
  data from prng_seeder (e.g. strace bssl rand -hex 1024)
* strace seeder daemon to observe incoming connections
  (e.g. strace -f -p `pgrep prng_seeder`)
* Kill daemon, observe that init restarts it
* strace again and observe clients now seed from new instance

Bug: 243933553
Test: Manual - see above
Change-Id: I0a7e339115a2cf6b819730dcf5f8b189a339c57d
2022-09-22 15:13:20 +00:00
Kelvin Zhang
19a5785522 Allow init to launch BootControlHAL in recovery
Test: install OTA with data wipe, reboot
Bug: 227536004
Change-Id: I3b76b054e67dcaee83ad330f9fcbcbd98bb6f1f7
2022-09-02 17:50:10 +00:00
Seth Moore
8bfdd82123 Allow the remote provisioner app to set rkp_only properties
The properties for rkp_only are no longer read only.

This allows remote provisioner unit tests to enable/disable the remote
provisioning only mode, which is required to fully verify functionality.

Test: RemoteProvisionerUnitTests
Bug: 227306369
Change-Id: I8006712a49c4d0605f6268068414b49714bbd939
2022-04-20 17:15:20 -07:00
Max Bires
aaacfdb054 Add ro.remote_provisioning.*.rkp_only properties.
These properties are used to inform keystore2 and the RemoteProvisioner
app how they should behave in the system in the event that RKP keys are
exhausted. The usual behavior in a hybrid system is not to take any
action and fallback to the factory provisioned key if key attestation is
requested and no remotely provisioned keys are available.

However, there are instances where this could happen on a device that
was intended to be RKP only, in which case the system needs to know that
it should go ahead and attempt to remotely provision new certificates or
throw an error in the case where none are available.

Test: New properties are accessible from the two domains
Change-Id: I8d6c9e650566499bf08cfda2f71c64d5c2b26fd6
2022-04-04 11:23:12 -07:00
Yifan Hong
705db2b7e8 recovery init domain_trans to health HAL.
Test: run health HAL in recovery
Bug: 177269435
Bug: 170338625
Change-Id: Iac800463d4d29c56466a6671929a51139ca3fde7
2021-11-18 18:16:09 -08:00
Yifan Hong
28f9b97646 Merge changes from topic "servicemanager-recovery"
* changes:
  servicemanager: recovery write to kmsg.
  Add recovery service_contexts files.
2021-11-18 04:39:15 +00:00
Yifan Hong
d6b2901748 Add recovery service_contexts files.
This allows binder services to run in recovery.

Test: build them
Bug: 170338625
Change-Id: If8580c3fc1b3add87178365c58288126e61345b4
2021-11-16 20:54:17 -08:00
Kalesh Singh
9e6dcd74fc Merge "sepolicy: Allow creating synthetic trace events" 2021-11-09 14:26:19 +00:00
Kalesh Singh
fab8e1c1cc sepolicy: Allow creating synthetic trace events
rss_stat will be throttled using histogram triggers and synthetic trace
events. Add genfs context labels for the synthetic tracefs files.

Bug: 145972256
Test: Check log cat for avc denials
Change-Id: I7e183aa930bb6ee79613d011bed7174d553f9c1a
2021-11-08 09:13:51 -08:00
Yifan Hong
aabea20d89 Remove healthd.
Test: pass
Bug: 203245871
Change-Id: I4eb0b4333d7fde2096c4c75b7655baf897900005
2021-10-20 18:47:41 -07:00
Bart Van Assche
398b0af20f Stop using the bdev_type and sysfs_block_type SELinux attributes
Stop using these attributes since these will be removed soon.

Bug: 202520796
Test: (AOSP) source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd && adb -e shell dmesg | grep avc
Test: (sc-v2-dev) source build/envsetup.sh && lunch ...-userdebug && m && install-images-on-phone && adb root && adb dmesg | grep 'avc.*comm=.init'
Change-Id: I9f5a4c5c4d6c44fefa8e66c69fec62c99f9a728d
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-10-14 09:13:58 -07:00
Bart Van Assche
60b7d9a36e Revert "Stop granting init access to block device properties"
This reverts commit f20fea50f1.

Reason for revert: unbreak the git_sc-v2-dev-plus-aosp tests
Bug: 202879263

Change-Id: I79245afb4ba7f5be8ee46f2e91921a7327b650c5
2021-10-13 16:21:54 +00:00
Bart Van Assche
f20fea50f1 Stop granting init access to block device properties
Although there has been a plan to add code to the init process that
requires access to block device properties, that plan has not been
realized. Hence stop granting the init process access to block device
properties

Bug: 202520796
Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd
Change-Id: I0ed83bd533a901f85986d15f636c9b3f39fec271
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-10-12 09:20:03 -07:00
Enrico Granata
645c390d1a Introduce ro.boot.hypervisor properties
In virtualized deployments of Android, it can be useful to have
access to a description of the hypervisor/host environment being
used to run the guest OS instance.

This is represented by means of a new system property
ro.boot.hypervisor.version, which is meant to convey a
free-form descriptor of the current host/hypervisor version

The property is meant to be provided to Android as androidboot.
by whatever host-specific means are used to supply other boot
properties to the target Android instance. Access could be later
opened to other vendor processes to set if needed for specific
setups where init is not a sufficiently-early stage for
host/guest communication. Such setups are not known at this time.

For a native Android incantation, the property defaults to
being missing

Other properties could later be added to this same namespace
and context if they turn out to be useful in specific scenarios.

Bug: 178749018
Test: build cuttlefish
Change-Id: Id721c14ef1958b525c2866a660dcae8fd176a79d
2021-10-04 11:14:03 -06:00
Woody Lin
6ad56599a2 Revert "Add userspace_panic_device and userpanic_use"
This reverts commit 7ed2456b45.

Reason for revert: /dev/userspace-panic is discarded (b/188777408#comment13)
Bug: 188777408
Change-Id: I98b0159890ee755ffaefc5533f9c40d54f8f26d2
2021-09-18 03:03:36 +00:00
Woody Lin
7ed2456b45 Add userspace_panic_device and userpanic_use
Define type userspace_panic_device and macro userpanic_use for init,
llkd, and system_server to access /dev/userspace_panic - a kernel file
node for userspace processes to request kernel panic.

Bug: 188777408
Change-Id: I1e9d115d85f664aa84bdd6bb4b95bdb48e3aab9a
2021-09-07 01:18:25 +08:00
Bart Van Assche
ec50aa5180 Allow the init and apexd processes to read all block device properties
Addressing b/194450129 requires configuring the I/O scheduler and the
queue depth of loop devices. Doing this in a generic way requires
iterating over the block devices under /sys/class/block and also to
examine the properties of the boot device (/dev/sda). Hence this patch
that allows 'init' and 'apexd' to read the properties of all block
devices. The patch that configures the queue depth is available at
https://android-review.googlesource.com/c/platform/system/core/+/1783847.

Test: Built Android images, installed these on an Android device and verified that modified init and apexd processes do not trigger any SELinux complaints.
Change-Id: Icb62449fe0d21b3790198768a2bb8e808c7b968e
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-08-09 13:46:41 -07:00
Bart Van Assche
9059e215dc init.te: Allow init to modify the properties of loop devices
The init process configures swapping over zram over a loop device. An
I/O scheduler is associated with the loop device. Tests have shown that
no I/O scheduler works better than the default, mq-deadline. Hence
allow the init process to configure the loop device I/O scheduler.

Without this patch, the following SELinux denials are reported during
boot:

1     1 I auditd  : type=1400 audit(0.0:4): avc: denied { read write } for comm="init" name="scheduler" dev="sysfs" ino=78312 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_loop:s0 tclass=file permissive=0
1     1 I auditd  : type=1400 audit(0.0:4): avc: denied { read write } for comm="init" name="scheduler" dev="sysfs" ino=78312 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_loop:s0 tclass=file permissive=0

Bug: 194450129
Test: Built Android images and installed these on an Android device.
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Change-Id: I0af0a92c53bb1f68b57f6814c431a7f03d8ea967
2021-08-04 11:48:14 -07:00
Andrew Walbran
3b6a385137 Merge "Add crosvm domain and give virtmanager and crosvm necessary permissions." 2021-04-22 18:57:15 +00:00
Andrew Walbran
a995e84c18 Add crosvm domain and give virtmanager and crosvm necessary permissions.
Bug: 183583115
Test: make TARGET_KERNEL_USE=5.4 TARGET_VIM3L=true
Change-Id: I566436fa2d27597566014f2a63198a88d6d2dbd6
2021-04-13 09:30:20 +00:00
Jooyung Han
b62be12176 Allow apexd to access a new dev_type: virtual disk
In microdroid, apexd activates apexes which are passed as a virtual disk
to share apexes with host Android.

Bug: 184605708
Test: apexd running in microdroid can read /dev/block/vdb2
  when a disk image is passed to crosvm via --disk= option.
Change-Id: Ie27774868a0e0befb4c42cff795d1531b042654c
2021-04-13 15:46:16 +09:00
Michael Rosenfeld
3ccbebb415 Permit dropping caches from the shell through sys.drop_caches.
*   Permits setting the sys.drop_caches property from shell.
*   Permits init to read and write to the drop_caches file.
*   Can only be set to 3 (drop_caches) and 0 (unset).

Bug: 178647679
Test: flashed user build and set property; no avc denials.
Test: flashed userdebug build and dropped caches w/o root.
Change-Id: Idcedf83f14f6299fab383f042829d8d548fb4f5d
2021-03-19 10:55:51 -07:00
Inseob Kim
85acf6ef70 Fix broken neverallow rules
neverallow rules with allowlist should look like:

    neverallow { domain -allow1 -allow2 } ...

Bug: 181744894
Test: m selinux_policy
Test: pcregrep -M -r "neverallow\s+{(\s*#.*\s*)*\s+-" .
Change-Id: Ibab72ccc1fbacb99b62fe127b4122e1ac22b938a
2021-03-10 10:44:22 +09:00
Alexander Potapenko
3d52817da4 Selinux policy for bootreceiver tracing instance
Create contexts for /sys/kernel/tracing/instances/bootreceiver
Allow read access to files in this dir for system_server.

Bug: 172316664
Bug: 181778620
Test: manual runs with KFENCE enabled
Signed-off-by: Alexander Potapenko <glider@google.com>
Change-Id: I7021a9f32b1392b9afb77294a1fd0a1be232b1f2
2021-03-05 08:53:39 +01:00
Wonsik Kim
08a25e6709 Revert "Selinux policy for bootreceiver tracing instance"
Revert submission 1572240-kernel_bootreceiver

Reason for revert: DroidMonitor: Potential culprit for Bug 181778620 - verifying through Forrest before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.
Reverted Changes:
Ic1c49a695:init.rc: set up a tracing instance for BootReceive...
I828666ec3:Selinux policy for bootreceiver tracing instance

Change-Id: I9a8da7ae501a4b7c3d6cb5bf365458cfd1bef906
2021-03-03 22:47:02 +00:00
Alexander Potapenko
31251aa6ec Selinux policy for bootreceiver tracing instance
Create contexts for /sys/kernel/tracing/instances/bootreceiver
Allow read access to files in this dir for system_server.

Bug: 172316664
Test: manual runs with KFENCE enabled
Signed-off-by: Alexander Potapenko <glider@google.com>
Change-Id: I828666ec3154aadf138cfa552832a66ad8f4a201
2021-03-02 16:53:12 +01:00
Paul Crowley
28befc841c Merge "init sets keystore.boot_level, keystore reads" 2021-02-27 05:05:50 +00:00
Paul Crowley
b0c5571da6 init sets keystore.boot_level, keystore reads
Bug: 176450483
Test: init can set, and keystore2 read, keystore.boot_level
Test: `adb shell getprop -Z | grep boot_level` returns
      [keystore.boot_level]: [u:object_r:keystore_listen_prop:s0]
Change-Id: Iedb37db19e9153995800fc97de6ee8c536179caa
2021-02-23 21:08:05 -08:00
David Anderson
d84b67e1cc Fix missing domain transition for snapuserd in recovery.
System files in recovery are labelled as rootfs, so we need an explicit
transition to snapuserd. Without this, factory data resets will fail
with a VABC OTA pending, with the following denial:

        avc:  denied  { entrypoint } for  pid=522 comm="init" path="/system/bin/snapuserd"
                dev="rootfs" ino=1491 scontext=u:r:snapuserd:s0 tcontext=u:object_r:rootfs:s0
                tclass=file permissive=0

Bug: 179336104
Test: factory data reset with VABC OTA pending
Change-Id: Ia839d84a48f2ac8ccb37d6ae3b1f8a8f7e619931
2021-02-23 00:10:43 -08:00
David Anderson
0c0c13a59f init: Allow interacting with snapuserd and libsnapshot.
During first-stage init we spawn a daemon (snapuserd) to interact with
the dm-user kernel module. Immediately after sepolicy is loaded, we
launch the daemon again with the correct privileges, and kill the
original one.

In order for init to do this, it needs to be able to open and write to
the snapuserd socket (which is corrected to the "correct" daemon), as
well as call flock() on /metadata/ota which is how libsnapshot ensures
exclusive access to Virtual A/B snapshots.

Bug: 168259959
Test: no denials with Virtual A/B Compression enabled
Change-Id: Ic7fc78ca1a17673b878766e0f4dfe0265c1be768
2020-10-30 00:17:37 -07:00
Inseob Kim
40c67b20f6 Remove exported2_default_prop
This cleans up remaining exported2_default_prop. Three properties are
changed.

- ro.arch
It becomes build_prop.

- hal.instrumentation.enable
It becomes hal_instrumentation_prop.

- ro.property_service.version
It becomes property_service_version_prop.

Bug: 155844385
Test: selinux denial test on Pixel devices
Change-Id: I7ee0bd8c522cc09ee82ef89e6a13bbbf65291291
2020-07-25 01:06:13 +09:00
Inseob Kim
8c34247c7f Add bootloader_prop for ro.boot. properties
ro.boot. properties assigned as "exported2_default_prop" are now
"bootloader_prop", to remove bad context name "exported2_default_prop".

Two things to clarify:

1) We have both the prefix entry and the exact entries. Although the
exact entries may be redundant, we may want to keep them. Vendors are
still allowed to have properties starting with "ro.boot." on
vendor_property_contexts file. The exact entries can prevent vendors
from modifying them to random contexts.

2) ro.boot. is special as it is originally for kernel command line
"androidboot.". But some ro.boot. properties are being used as if they
were normal. To avoid regression, ro.boot. properties having contexts
other than "exported2_default_prop" are not changed here. They will be
tracked later.

Bug: 155844385
Test: m selinux_policy
Change-Id: Ic0f4117ae68a828787304187457b5e1e105a52c7
Merged-In: Ic0f4117ae68a828787304187457b5e1e105a52c7
2020-07-24 00:15:23 +00:00
Inseob Kim
212e2b621a Add property contexts for vts props
vts_config_prop and vts_status_prop are added to remove exported*_prop.
ro.vts.coverage becomes vts_config_prop, and vts.native_server.on
becomes vts_status_prop.

Bug: 155844385
Test: Run some vts and then getprop, e.g. atest \
      VtsHalAudioEffectV4_0TargetTest && adb shell getprop
Test: ro.vts.coverage is read without denials
Change-Id: Ic3532ef0ae7083db8d619d80e2b73249f87981ce
2020-07-16 16:26:17 +09:00
Alistair Delva
178f0ac675 Add new perfmon capability2 and use it
There are probably more cases but this one blocks presubmit
for cuttlefish with mainline kernels.

Bug: 158304247
Change-Id: I6d769b16a230a113a804df61f8de4dcbce2193b6
2020-06-05 10:15:31 -07:00
Nikita Ioffe
44f5ffca15 Add userspace_reboot_log_prop
This properties are used to compute UserspaceRebootAtom and are going to
be written by system_server. Also removed now unused
userspace_reboot_prop.

Test: builds
Bug: 148767783
Change-Id: Iee44b4ca9f5d3913ac71b2ac6959c232f060f0ed
2020-02-07 01:57:55 +00:00
Ryan Savitski
52b3d315a2 Add sysprop for init's perf_event_open LSM hook check
Written exclusively by init. Made it readable by shell for CTS, and for
easier platform debugging.

Bug: 137092007
Change-Id: Ia5b056117502c272bc7169661069d0c8020695e2
2020-01-21 19:03:33 +00:00
Kiyoung Kim
b8f4e9280c Merge "Allow linkerconfig to be executed from recovery" 2019-12-13 01:09:58 +00:00
Kiyoung Kim
2c271aab42 Allow linkerconfig to be executed from recovery
Add extra policy to enable linkerconfig to be executed from recovery.

Bug: 139638519
Test: Tested from crosshatch recovery
Change-Id: I40cdea4c45e8a649f933ba6ee73afaa7ab3f5348
2019-12-11 15:50:35 +09:00
Nikita Ioffe
23ba976f34 Allow init to read /sys/block/dm-XX/dm/name
In order to remount ext4 userdata into checkpointing mode, init will
need to delete all devices from dm-stack it is mounted onto (e.g.
dm-bow, dm-crypto). For that it needs to get name of a dm-device by
reading /sys/block/dm-XX/dm/name file.

Test: adb shell setprop sys.init.userdata_remount.force_umount_f2fs 1
Test: adb shell /system/bin/vdc checkpoint startCheckpoint 1
Test: adb reboot userspace
Test: adb shell dumpsys activity
Bug: 135984674
Bug: 143970043
Change-Id: I919a4afdce8a4f88322f636fdf796a2f1a955d04
2019-12-09 21:21:55 +00:00
Nikita Ioffe
7065e46b5d Add selinux rules for userspace reboot related properties
By default sys.init.userspace_reboot.* properties are internal to
/system partition. Only exception is
sys.init.userspace_reboot.in_progress which signals to all native
services (including vendor ones) that userspace reboot is happening,
hence it should be a system_public_prop.

Only init should be allowed to set userspace reboot related properties.

Bug: 135984674
Test: builds
Test: adb reboot userspace
Change-Id: Ibb04965be2d5bf6e81b34569aaaa1014ff61e0d3
2019-11-19 17:41:28 +00:00
Tao Bao
ecc7e8cacb Move /sbin/charger to /system/bin/charger.
With the CLs in the same topic, it's being built as a dynamically linked
executable. And this applies to normal boot (including charger mode) and
recovery mode both.

/system/bin/charger under normal boot will be labeled as charger_exec,
which has the attribute of system_file_type.

The file in recovery image will still be labeled as rootfs. So we keep
the domain_trans rule for rootfs file, but allowing for recovery mode
only.

Bug: 73660730
Test: Boot into charger mode on taimen. Check that charger UI works.
Test: Boot into recovery mode. Check that charger process works.
Change-Id: I062d81c346578cdfce1cc2dce18c829387a1fdbc
2019-03-14 09:44:03 -07:00
Joel Fernandes
147cf6482e Allow executing bpfloader from init and modify rules
init needs to execute bpfloader as a one-shot service. Add sepolicy for
the same. Also update old rules allowing init to fork/exec bpfloader and
remove rules allowing netd to do so.

Bug: 112334572
Change-Id: Ic242cd507731ed8af3f8e94d4fccc95819831d37
Signed-off-by: Joel Fernandes <joelaf@google.com>
2019-01-14 10:59:10 -05:00
Branden Archer
d36b1d5f62 Allow init to set powerctl property
NIAP certification requires that all cryptographic functions
undergo a self-test during startup to demonstrate correct
operation. init now performs this check during startup.

The self-test is forked from init. For the child process
to be able to request a reboot it needs permissions to
set the sys.powerctl property.

Bug: 119826244
Test: Built for walleye. When the BoringSSL self test was forced
      to fail the device rebooted into the bootloader, as
      expected.

Change-Id: I4171b1dd0a5e393252ae5c002171ac51c9cbb3e6
2018-11-27 15:47:12 -08:00
Jerry Zhang
1d85efa9f4 Add sepolicy for fastbootd
Also allow adb and fastboot to talk to recovery
through recovery_socket. This enables changing
between modes with usb commands.

Test: No selinux denials
Bug: 78793464
Change-Id: I80c54d4eaf3b94a1fe26d2280af4e57cb1593790
2018-08-15 08:45:22 -07:00
Florian Mayer
c2ab15b798 Revert "Add sepolicy for fastbootd"
This reverts commit 0fd3ed3b8b.

Reason for revert: Broke user builds.

Change-Id: If95f1a25d22425a5a2b68a02d1561352fb5a52f0
2018-08-15 09:38:40 +00:00
Jerry Zhang
0fd3ed3b8b Add sepolicy for fastbootd
Also allow adb and fastboot to talk to recovery
through recovery_socket. This enables changing
between modes with usb commands.

Test: No selinux denials
Bug: 78793464
Change-Id: I1f97659736429fe961319c642f458c80f199ffb4
2018-08-14 20:21:36 +00:00
Tom Cherry
938ab05d72 Allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
This is do aid developers pushing debug services to not need to modify
the underlying SEPolicy

avc: denied { transition } for comm="init" path="/system/bin/awk"
dev="dm-0" ino=1934 scontext=u:r:init:s0 tcontext=u:r:su:s0
tclass=process
avc: denied { rlimitinh } for comm="awk" scontext=u:r:init:s0
tcontext=u:r:su:s0 tclass=process
avc: denied { siginh } for comm="awk" scontext=u:r:init:s0
tcontext=u:r:su:s0 tclass=process
avc: denied { noatsecure } for comm="awk" scontext=u:r:init:s0
tcontext=u:r:su:s0 tclass=process

Test: init can execute a system_file marked with seclabel u:r:su:s0
Change-Id: I85d9528341fe08dbb2fb9a91e34a41f41aa093be
2018-08-03 19:41:03 +00:00