auditallow block from sdk_sandbox has been removed as we haven't yet
measured the system health impact of adding this. It'll be added to an
audit domain later after we've ruled out negative system health impact.
Bug: b/270148964
Test: atest PackageManagerLocalTest SdkSandboxDataIsolationHostTest
SdkSandboxRestrictionsTest
Change-Id: I4a2112d4097c84c87d23a28a7fc0ac5f208dc5dc
Change-Id: Ic4ce690e82b09ed176495f3b55be6069ffc074ac
SDK's data should not be accessible directly by other domains, including
system server. Added neverallow to ensure that.
Bug: b/279885689
Test: make and boot device
Change-Id: If6a6b4d43f297ec2aa27434dd26f6c88d0d8bcf2
Adds persist.sysui.notification.builder_extras_override property
associated permissions, which will be used to flag guard
a change in core/...Notification.java.
Original change I3f7e2220798d22c90f4326570732a52b0deeb54d didn't
cover zygote, which are needed for preloaded classes
Test: manual flash+adb setprop/getprop
Bug: 169435530
Change-Id: Ifad9e7c010554aa6a1e1822d5885016058c801c9
This change gives a new type (dalvik_dynamic_config_prop) to some ART
properties such as dalvik.vm.dex2oat-cpu-set and adds a new rule to
allow system server to set them.
Bug: 274530433
Test: Locally added some code to set those properties and saw it being
successfull.
Change-Id: Ie28602e9039b7647656594ce5c184d29778fa089
This patch:
* allows for heap and perf profiling of all processes on the system
(minus undumpable and otherwise incompatible domains). For apps, the
rest of the platform will still perform checks based on
profileable/debuggable manifest flags. For native processes, the
profilers will check that the process runs as an allowlisted UID.
* allows for all apps (=appdomain) to act as perfetto tracing data
writers (=perfetto_producer) for the ART java heap graph plugin
(perfetto_hprof).
* allows for system_server to act a perfetto_producer for java heap
graphs.
Bug: 247858731
Change-Id: I792ec1812d94b4fa9a8688ed74f2f62f6a7f33a6
We want to more closely monitor the system properties that the
sdk_sandbox has access to.
Bug: 210811873
Test: adb logcat | grep "r:sdk_sandbox"
Change-Id: I0d590374e931ca41d5451cd7c2de5b02fee619e9
Next attempt at rolling forward aosp/2200430. It appears the
first-stage-init did not create the /dev/selinux folder on GSI
instances, resulting in breakages when selinux.cpp tries to copy files
to that folder.
To verify these changes for b/244793900, follow
gpaste/4922166775644160
Bug: 243923977
Test: atest SeamendcHostTest
Change-Id: I2bc630cfaad697d44053adcfd639a06e3510cc72
Revert "Add seamendc tests for sdk_sandbox in apex sepolicy"
Revert submission 2201484-sdk_sandbox
Note: this is not a clean revert, I kept the changes in aosp/2199179
and the changes to system/sepolicy/Android.mk. Those changes are already
part of internal, I do not want to put those files out of sync again.
Test: atest SeamendcHostTest
Reason for revert: b/244793900
Reverted Changes:
Ib14b14cbc:Add seamendc tests for sdk_sandbox in apex sepolic...
I27ee933da:Move allow rules of sdk_sandbox to apex policy
Change-Id: If225cdd090248e050d1f0b42f547a4b073bbafc6
Third attempt to roll-forward the apex_sepolicy changes from
aosp/2179294 and aosp/2170746.
I was finally able to figure out the likely root cause of the test
breakages in internal b/243971667. The related CL aosp/2199179 is making
the apex_sepolicy files mandatory for all AOSP builds.
Without the apex_sepolicy files, mixed GSI builds in internal using AOSP
as base would not implement the sdk_sandbox rules, causing breakages for
the SdkSandbox components.
Bug: 243923977
Test: atest SeamendcHostTest
Change-Id: I27ee933da6648cca8ff1f37bde388f72b4fe6ad6
This is a roll-forward of a small chunk of aosp/2170746.
The previous CL was causing test breakages (b/240731742, b/240462388,
b/240463116).
This CL is smaller than the previous one, it only moves allow rules from
the platform policy to the apex policy (I believe the error was caused
by typeattribute rules). I also ran the closest approximation I could
find to the breaking environment, and it appears the tests are passing
https://android-build.googleplex.com/builds/abtd/run/L44100000955891118https://android-build.googleplex.com/builds/abtd/run/L68000000955937148
Bug: 236691128
Test: atest SeamendcHostTest
Change-Id: I4c480041838c8c14011f099ba8295097fe9212db
This service has valid use cases such as video players and should therefore not be audited.
Change-Id: I3a0cffb34429320a412a7c05220376c0b58e28a3
Test: make
Bug: 211632068
Revert "Add java SeamendcHostTest in cts"
Revert submission 2111065-seamendc
Reason for revert: b/240731742, b/240462388 and b/240463116
Reverted Changes:
I3ce2845f2:Move parts of sdk_sandbox from private to apex pol...
I0c10106e2:Add java SeamendcHostTest in cts
Test: revert cl
Change-Id: If9981796694b22b7cbfe1368cd815889c741e69d
To perform sdk sandbox data isolation, the zygote gets the selinux label
of SDK sandbox storage (e.g. /data/misc_{ce,de}/<user-id>/sdksandbox)
before tmpfs is mounted onto /data/misc_{ce,de} (or other volumes). It
relabels it back once bind mounting of required sandbox data is done.
This change allows for the zygote to perform these operations.
Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Change-Id: I28d1709ab4601f0fb1788435453ed19d023dc80b
Currently, app process can freely execute path at
`/data/misc_ce/0/sdksandbox/<package-name>` since it's labeled as system
file. They can't read or write, but use 403/404
error to figure out if an app is installed or not.
By changing the selinux label of the parent directory:
`/data/misc_ce/0/sdksandbox`, we can restrict app process from executing
inside the directory and avoid the privacy leak.
Sandbox process should only have "search" permission on the new label so
that it can pass through it to its data directory located in
`/data/misc_ce/0/sdksandbox/<package-name>/<per-sdk-dir>`.
Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Test: `adb shell cd /data/misc_ce/0/sdksandbox` gives error
Test: manual test to verify webview still works
Change-Id: Id8771b322d4eb5532eaf719f203ca94035e2a8ed
Merged-In: Id8771b322d4eb5532eaf719f203ca94035e2a8ed
We might want to change this in later android versions.
Bug: b/228159127
Bug: b/227745962
Test: Manual
Change-Id: I8f425cc9f2759a29bdd2e6218ad0a1c40750e4f5
Add some services ephemeral service has access to.
We will steadily restrict this list further based on
testing and requirements for rubidium.
Test: Manual
Bug: b/227745962
Bug: b/227581095
Change-Id: If7bcb8b8de62d408bd4af848b43abca853c93758
Thermal Service access needs to be provided to Sdk Sandbox
for Webview to record battery related metrics. We also
provide isolated process access to the file directory for sandbox
so that the renderer process can access it.
Bug: b/226558510
Test: Manual
Change-Id: I1ac14d4df7ab53e567a27086d0418ec612a7686f
