Commit graph

76 commits

Author SHA1 Message Date
Jiyong Park
f408371097 Allow virtualizationservice to use vsock
... to connect to the programs running in the guest VM

Bug: 192904048
Test: atest MicrodroidHostTestCases
Change-Id: Iccb48c14ace11cc940bb9ab1e07cc4926182e06e
2021-07-12 15:08:08 +09:00
Treehugger Robot
05b6365178 Merge "Allow shell to read /vendor/apex/*" 2021-06-14 13:20:30 +00:00
Jiyong Park
abdc9739fc Allow shell to read /vendor/apex/*
It is used for future xTS tests to read the raw files.

Bug: 190858091
Test: m
Change-Id: If1c7fd92772ff84d92a95fbee74f6c1f8d1cd365
2021-06-14 08:30:43 +09:00
Nikita Ioffe
681ad260b4 Give adbd and shell read access to /apex/apex-info-list.xml
/apex/apex-info-list.xml is used by ART mainline module, hence it needs
to have CTS test for it. Giving adbd and shell read-only permission
allows us to write host-driven CTS test that pull
/apex/apex-info-list.xml from the device and inspects it's content.

Similar (albeit not exactly the same information) is already available
via PackageManager APIs/PackageManager shell command.

Bug: 190185664
Test: m
Test: adb shell cat /apex/apex-info-list.xml
Change-Id: Ib7f2ca79a7493f8cd40d0c419569e85135f6bbda
2021-06-10 19:57:17 +01:00
Inseob Kim
af2697a452 Merge "Remove microdroid specific rules and files" 2021-06-08 00:53:26 +00:00
Tej Singh
6550adcaed Merge "Make *-apex-info-list.xml readable by shell" 2021-06-08 00:47:33 +00:00
Tej Singh
75385efd27 Make *-apex-info-list.xml readable by shell
Enables CTS testing of the bootstrap apexes.

Bug: 186767843
Test: adb shell cat bootstrap-apex-info-list.xml works without root
Change-Id: Icf56d32d296f5a42160dbd9ea90a89c8b4db6aa7
2021-06-07 21:39:34 +00:00
Inseob Kim
5d269aaa55 Remove microdroid specific rules and files
These are moved to packages/modules/Virtualization.

Bug: 189165759
Test: boot device and microdroid
Test: atest MicrodroidHostTestCases
Change-Id: I050add7fef56ced4787117f338e7b5d1fda1c193
2021-06-07 19:22:18 +09:00
Jooyung Han
d470ed7b47 Add rules for microdroid_manager
Microdroid_manager is an executable in microdroid. It's role is to manage tasks
in microdroid and communicate with host's virtualizationservice.

To execute a task in microdroid, microdroid_manager should
- read "metadata" partition
- read VM payload config
- exec a command

Bug: 189301496
Test: atest MicrodroidHostTestCases
Change-Id: Iabbe0d3c8832f00df5c545e6b13fc55afa820b33
2021-06-02 09:50:54 +09:00
Jiyong Park
6645ad3b1f Add rules for microdroid_launcher
Microdroid_launcher is an executable in microdroid. It's role is to load
a shared library in an APK that is shared from the host Android and
execute it by calling an entry point (android_native_main) in it.

For now, it is executed from shell, but will eventually be executed from
a binder service (which also is running in microdroid) called
microdroid_manager.

Bug: 188513012
Test: atest MicrodroidHostTestCases
Change-Id: I150a958c1ed0e3e960f4b4b577e808e54e898644
2021-05-25 17:22:01 +09:00
liuyg
04c85dcfc4 Revert "Allow the MediaProvider app to set FUSE passthrough property"
This reverts commit c1e2918fd9.

Reason for revert: Build broke

Change-Id: I4b95e977cf66c586b0d0b465f1b3654c01074152
2021-05-13 18:18:28 +00:00
Alessio Balsini
c1e2918fd9 Allow the MediaProvider app to set FUSE passthrough property
Allow the MediaProvider app to write the system property
fuse.passthrough.enabled in case FUSE passthrough is enabled.
The need for this additional system property is due to the ScopedStorage
CTS tests that are assuming FUSE passtrhough is always on for devices
supporting it, but there may be some cases (e.g., GSI mixed builds)
where this is not possible true and the feature is disabled at runtime,
thus causing the tests to fail.
This additional system property is only set when FUSE passthrough is
actually being used by the system.

Bug: 186635810
Test: CtsScopedStorageDeviceOnlyTest
Signed-off-by: Alessio Balsini <balsini@google.com>
Change-Id: I623042d67399253a9167188c3748d93eb0f2d41f
2021-05-13 17:38:16 +00:00
Yi-Yo Chiang
694ab79207 Allow shell to read default fstab
CTS module CtsFsMgrTestCases (gtest) needs to read fstab.

Fixes: 184850580
Test: CtsFsMgrTestCases on user build
Change-Id: I0f04bb021d8732a1c5f987ba2984da2c98f40653
2021-04-12 04:46:06 +00:00
Michael Rosenfeld
3ccbebb415 Permit dropping caches from the shell through sys.drop_caches.
*   Permits setting the sys.drop_caches property from shell.
*   Permits init to read and write to the drop_caches file.
*   Can only be set to 3 (drop_caches) and 0 (unset).

Bug: 178647679
Test: flashed user build and set property; no avc denials.
Test: flashed userdebug build and dropped caches w/o root.
Change-Id: Idcedf83f14f6299fab383f042829d8d548fb4f5d
2021-03-19 10:55:51 -07:00
Chun-Wei Wang
75e3fa6ead Merge "Add persist.rollback.is_test (6/n)" 2021-03-06 14:33:38 +00:00
JW Wang
0f8cf04965 Add persist.rollback.is_test (6/n)
This property is set to true in rollback tests to prevent
fallback-to-copy when enabling rollbacks by hard linking.

This gives us insights into how hard linking fails where
it shouldn't.

Bug: 168562373
Test: m
Change-Id: Iab22954e9b9da21f0c3c26487cda60b8a1293b47
2021-03-03 10:34:06 +08:00
Yifan Hong
a18cf7ed0c Allow shell to read VAB props.
Bug: 179427873
Test: adb unroot and read the prop
Change-Id: Ib480903afae2e7180a59f8834dd7c54062acd947
2021-02-24 22:33:46 +00:00
Hongming Jin
58f83415ea Add /data/misc/a11ytrace folder to store accessibility trace files.
Bug: 157601519
Test: adb shell cmd accessibility start-trace
      adb shell cmd accessibility stop-trace
Change-Id: Id4224cee800fe3e10f33794c96048366a0bf09bb
2021-02-16 09:35:09 -08:00
Tianjie
c3752cf5dd Set context for hash algorithm properties.
Also move verity_status_prop to system_restricted_prop since we
need to query it in cts tests

Bug: 175236047
Test: atest CtsNativeVerifiedBootTestCases
Change-Id: I82b26edaf5c5ad233bd83dff77eaafb9174646ef
2021-01-20 19:06:47 -08:00
Primiano Tucci
2bb8587933 Allow shell + priv_app to traverse /data/misc/perfetto-traces
This is a follow-up to r.android.com/1542764.
1. In order to allow priv_app to
   stat(/data/misc/perfetto-traces/bugreport/*) we need
   also the `search` permission to traverse the parent
   directory /data/misc/perfetto-traces.
2. Allow shell to read the new bugreport/ directory.
   shell can read bugreports anyways and this is needed
   for CTS tests.

Bug: 177761174
Bug: 177684571
Test: manual (changpa@)
Change-Id: I39d6a1c7941bcdcdc314a7538c0accfd37c52ca2
2021-01-18 14:16:03 +00:00
Mitch Phillips
eaf1404d8a [MTE] Add memtag sysprop sepolicy.
These flags should be writeable to the shell for both root and non-root
users. They should be readable everywhere, as they're read in libc
during initialization (and there's nothing secret to hide). We just
don't want to allow apps to set these properties.

These properties are non-persistent, are for local developer debugging
only.

Bug: 135772972
Bug: 172365548
Test: `adb shell setprop memtag.123 0` in non-root shell succeeds.
Change-Id: If9ad7123829b0be27c29050f10081d2aecdef670
2021-01-11 08:35:58 -08:00
David Anderson
09bb944221 Add sepolicy for starting the snapuserd daemon through init.
Restrict access to controlling snapuserd via ctl properties. Allow
update_engine to control snapuserd, and connect/write to its socket.

update_engine needs this access so it can create the appropriate dm-user
device (which sends queries to snapuserd), which is then used to build
the update snapshot.

This also fixes a bug where /dev/dm-user was not properly labelled. As a
result, snapuserd and update_engine have been granted r_dir_perms to
dm_user_device.

Bug: 168554689
Test: full ota with VABC enabled
Change-Id: I1f65ba9f16a83fe3e8ed41a594421939a256aec0
2020-11-19 21:03:30 +00:00
Inseob Kim
0cef0fe5ac Add contexts for sqlite debug properties
These are read by some apps, but don't have any corresponding property
contexts. This adds a new context as we're going to remove default_prop
access.

Bug: 173360450
Test: no sepolicy denials
Change-Id: I9be28d8e641eb6380d080150bee785a3cc304ef4
2020-11-18 12:14:20 +09:00
Roland Levillain
06bee189ad Allow the shell user to run dex2oat.
This is required for ART's Checker tests, which are part of
(host-driven) ART run-tests, and will also be required to run ART
run-tests via TradeFed in AOT-compilation modes in the future.

Test: Run `atest art-run-test-004-checker-UnsafeTest18` with
      https://android-review.googlesource.com/c/platform/tools/tradefederation/+/1484277
      merged in, on a device where `adb` commands are not run as root
Bug: 162408889
Bug: 147812905
Change-Id: I3e4824bf15bdbad1ddf26601f871feec11313ecc
2020-11-02 21:51:27 +00:00
Treehugger Robot
b178fe826c Merge changes from topic "ramdisk_timestamp_runtime_load"
* changes:
  Add ro.bootimage.* property contexts
  Add /second_stage_resources tmpfs.
2020-10-16 19:23:08 +00:00
Primiano Tucci
512bdb9c1b Create directory for shell<>perfetto interaction
Users are unable to pass config files directly to
perfetto via `perfetto -c /path/to/config` and have to
resort to awkward quirks like `cat config | perfetto -c -'.
This is because /system/bin/perfetto runs in its own SELinux
domain for reasons explained in the bug.
This causes problem to test infrastructures authors. Instead
of allowing the use of /data/local/tmp which is too ill-scoped
we create a dedicated folder and allow only shell and perfetto
to operate on it.

Bug: 170404111
Test: manual, see aosp/1459023
Change-Id: I6fefe066f93f1f389c6f45bd18214f8e8b07079e
2020-10-13 21:27:27 +00:00
Yifan Hong
6bb5a76d29 Add ro.bootimage.* property contexts
In addition, allow shell to read this property.

Test: getprop -Z
Test: cts-tradefed run cts -m CtsGestureTestCases
      and check /sdcard/device-info-files/PropertyDeviceInfo.deviceinfo.json

Bug: 169169031
Change-Id: Ib71b01bac326354696e159129f9dea4c2e918c51
2020-10-07 11:55:20 -07:00
Janis Danisevskis
ed96f5c518 Move list permission from keystore2_key to keystore class.
The list permission protects the ability to list arbitrary namespaces.
This is not a namespace specific permission but a Keystore specific
permission. Listing the entries of a given namsepace is covered by the
get_info permission already.

Test: N/A
Merged-In: If6e79fd863a79acf8d8ab10c6362a4eeaa88a5b8
Change-Id: If6e79fd863a79acf8d8ab10c6362a4eeaa88a5b8
2020-09-30 12:18:26 -07:00
Yi Kong
4555123090 Policies for profcollectd
Bug: 79161490
Test: run profcollect with enforcing
Change-Id: I19591dab7c5afb6ace066a3e2607cd290c0f43a6
2020-09-08 12:29:47 +00:00
Janis Danisevskis
47f3761cc8 Add keystore2_key namespace shell_key for shell.
Add a keystore2_key namespace that can be used by `shell` for testing.

Bug: 158500146
Bug: 162265751
Test: keystore2_test
Change-Id: I78b9b285969dd503a09609f7bcb02552b24d1a6b
Merged-In: I78b9b285969dd503a09609f7bcb02552b24d1a6b
2020-08-05 21:58:04 +00:00
Alan Stokes
bd397a14b4 Merge "Make cross-user apps mlstrustedsubject." 2020-07-23 08:35:43 +00:00
Alan Stokes
81e4e877f3 Make cross-user apps mlstrustedsubject.
We have various apps which inherently work across all users,
configured in seapp_contexts with levelFrom=None (usually implicitly).

This change marks those apps, where they have private data files, as
mlstrustedsubject, to allow us to increase restrictions on cross-user
access without breaking them.

Currently these apps are granted full access to [priv_]app__data_file
via TE rules, but are blocked from calling open (etc) by mls rules
(they don't have a matching level).

This CL changes things round so they are granted access by mls, but
blocked from calling open by TE rules; the overall effect is thus the
same - they do not have access.

A neverallow rule is added to ensure this remains true.

Note that there are various vendor apps which are appdomain,
levelFrom=None; they will also need modified policy.

Test: builds, boots, no new denials.
Bug: 141677108

Change-Id: Ic14f24ec6e8cbfda7a775adf0c350b406d3a197e
2020-07-22 14:41:31 +01:00
Inseob Kim
c97a97cd3f Move more properties out of exported3_default_prop
This is to remove exported3_default_prop. Contexts of these properties
are changed.

- ro.boot.wificountrycode
This becomes wifi_config_prop

- ro.opengles.version
This becomes graphics_config_prop. Also it's read by various domains, so
graphics_config_prop is now readable from coredomain.

- persist.config.calibration_fac
This becomes camera_calibration_prop. It's only readable by appdomain.

Bug: 155844385
Test: no denials on Pixel devices
Test: connect wifi
Change-Id: If2b6c10fa124e29d1612a8f94ae18b223849e2a9
2020-07-21 13:11:57 +09:00
Yi Kong
239c85dd0d Add sepolicy for profcollectd
This does not yet list all the required capabilities for profcollectd,
but it at least allows the service to start under permissive mode.

Bug: 79161490
Test: start profcollectd
Change-Id: I92c6192fa9b31840b2aba26f83a6dc9f9e835030
2020-07-01 23:44:37 +08:00
Peiyong Lin
37dea070ce Update sepolicy for GPU profiling properties.
A device must indicate whether GPU profiling is supported or not through
setting these two properties properly. CTS needs to read these two
properties in order to run corresponding compliance tests. Hence need to
update sepolicy for these two properties.

Bug: b/157832445
Test: Test on Pixel 4
Change-Id: I6f400ecbbd5e78b645bb620fa24747e9367c2ff3
Merged-In: I6f400ecbbd5e78b645bb620fa24747e9367c2ff3
2020-06-05 12:03:29 -07:00
Inseob Kim
55e5c9b513 Move system property rules to private
public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.

Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
2020-03-18 16:46:04 +00:00
Nikita Ioffe
91c3795b2c Add userspace_reboot_test_prop
This property type represents properties used in CTS tests of userspace
reboot. For example, test.userspace_reboot.requested property which is
used to check that userspace reboot was successful and didn't result in
full reboot, e.g.:
* before test setprop test.userspace_reboot.requested 1
* adb reboot userspace
* wait for boot to complete
* verify that value of test.userspace_reboot.requested is still 1

Test: adb shell setprop test.userspace_reboot.requested 1
Bug: 150901232
Change-Id: I45d187f386149cec08318ea8545ab864b5810ca8
Merged-In: I45d187f386149cec08318ea8545ab864b5810ca8
(cherry picked from commit 3bd53a9cee)
2020-03-16 15:13:08 +00:00
Kiyoung Kim
dc34050e17 Remove sys.linker property
sys.linker property was defined to enable / disable generate linker
configuration, but the property has been removed. Remove sys.linker
property definition as it is no longer in use

Bug: 149335054
Test: m -j passed && cuttlefish worked without sepolicy error
Change-Id: Iacb2d561317d0920f93104717ce4f4bb424cc095
Merged-In: Iacb2d561317d0920f93104717ce4f4bb424cc095
2020-02-19 10:16:06 +09:00
Ryan Savitski
ffa0dd93f3 perf_event: rules for system and simpleperf domain
This patch adds the necessary rules to support the existing usage of
perf_event_open by the system partition, which almost exclusively
concerns the simpleperf profiler. A new domain is introduced for some
(but not all) executions of the system image simpleperf. The following
configurations are supported:
* shell -> shell process (no domain transition)
* shell -> debuggable app (through shell -> runas -> runas_app)
* shell -> profileable app (through shell -> simpleperf_app_runner ->
                            untrusted_app -> simpleperf)
* debuggable/profile app -> self (through untrusted_app -> simpleperf)

simpleperf_app_runner still enters the untrusted_app domain immediately
before exec to properly inherit the categories related to MLS. My
understanding is that a direct transition would require modifying
external/selinux and seapp_contexts as with "fromRunAs", which seems
unnecessarily complex for this case.

runas_app can still run side-loaded binaries and use perf_event_open,
but it checks that the target app is exactly "debuggable"
(profileability is insufficient).

system-wide profiling is effectively constrained to "su" on debug
builds.

See go/perf-event-open-security for a more detailed explanation of the
scenarios covered here.

Tested: "atest CtsSimpleperfTestCases" on crosshatch-user/userdebug
Tested: manual simpleperf invocations on crosshatch-userdebug
Bug: 137092007
Change-Id: I2100929bae6d81f336f72eff4235fd5a78b94066
2020-01-15 16:56:41 +00:00
Florian Mayer
5e52281372 Allow Java domains to be Perfetto producers.
This is needed to get Java heap graphs.

Test: flash aosp; profile system_server with setenforce 1

Bug: 136210868

Change-Id: I87dffdf28d09e6ce5f706782422510c615521ab3
2019-10-10 10:40:26 +01:00
Florian Mayer
d54f4487bc Merge "Allow shell to unlink perfetto_traces_data_file." 2019-09-30 17:40:01 +00:00
Florian Mayer
c069bc134e Allow shell to unlink perfetto_traces_data_file.
Bug: 141704436
Test:
blueline:/ $ ls -lZa /data/misc/perfetto-traces
total 186
drwxrwx-wx  2 root   shell u:object_r:perfetto_traces_data_file:s0    3488 2019-09-30 14:12 .
drwxrwx--t 46 system misc  u:object_r:system_data_file:s0             3488 2019-09-30 14:08 ..
-rw-------  1 shell  shell u:object_r:perfetto_traces_data_file:s0  180467 2019-09-30 14:12 profile-shell
blueline:/ $ rm /data/misc/perfetto-traces/profile-shell
rm ro /data/misc/perfetto-traces/profile-shell (y/N):y
blueline:/ $ ls -lZa /data/misc/perfetto-traces
total 6
drwxrwx-wx  2 root   shell u:object_r:perfetto_traces_data_file:s0  3488 2019-09-30 14:13 .
drwxrwx--t 46 system misc  u:object_r:system_data_file:s0           3488 2019-09-30 14:08 ..
blueline:/ $


Change-Id: Ia710068c3cca53a415347fb0a7064740e500d15d
2019-09-30 13:13:14 +00:00
Eric Biggers
b57af5d0e6 Allow shell to get encryption policy for CTS
Allow the shell domain to use the FS_IOC_GET_ENCRYPTION_POLICY and
FS_IOC_GET_ENCRYPTION_POLICY_EX ioctls so that we can write a CTS test
which checks that the device complies with the CDD requirements to use
appropriate algorithms for file-based encryption.

The information returned by these ioctls is already available in logcat,
but scraping the log for a CTS test seems fragile; I assume that people
would prefer a more robust solution.

For more details see change I9082241066cba82b531e51f9a5aec14526467162

Bug: 111311698
Test: the CTS test works after this change.
Change-Id: Ib9ce6b42fcfb6b546eb80a93ae8d17ac5a433984
2019-09-27 15:24:27 -07:00
Kiyoung Kim
82c87ede24 Define sepolicy with property for linker
To support linker-specific property, sys.linker.* has been defined as
linker_prop. This will have get_prop access from domain so all binaries
can start with linker using proper property access level.

Bug: 138920271
Test: m -j && Confirmed from cuttlefish that get_prop errors are no longer found
Change-Id: Iaf584e0cbdd5bca3d5667e93cf9a6401e757a314
2019-08-14 12:35:15 +09:00
Yifan Hong
18ade868ff Add rules for lpdump and lpdumpd
- lpdump is a binary on the device that talks to lpdumpd
  via binder.

- lpdumpd is a daemon on the device that actually reads
  dynamic partition metadata. Only lpdump can talk to it.

Bug: 126233777
Test: boots (sanity)
Test: lpdump

Change-Id: I0e21f35ac136bcbb0603940364e8117f2d6ac438
2019-03-25 10:14:20 -07:00
Nick Kralevich
68e27caeb6 allow shell rs_exec:file rx_file_perms
Hostside tests depend on being able to execute /system/bin/bcc. Allow
it.

From bug:

In the NDK:

  $ ./checkbuild.py
  $ virtualenv -p ../out/bootstrap/bin/python3 env
  $ source env/bin/activate
  $ ./run_tests.py --filter rs-cpp-basic
  FAIL rs-cpp-basic.rstest-compute [armeabi-v7a-19]: android-28 marlin HT67L0200247 QPP1.190205.017
  New RS 0xee70f000
  Segmentation fault

  FAIL rs-cpp-basic.rstest-compute [arm64-v8a-21]: android-28 marlin HT67L0200247 QPP1.190205.017
  New RS 0x7a91e13000
  Segmentation fault

  02-23 23:00:45.635  9516  9518 V RenderScript: Successfully loaded runtime: libRSDriver_adreno.so
  02-23 23:00:45.650  9518  9518 W rstest-compute: type=1400 audit(0.0:15): avc: denied { read } for name="bcc" dev="dm-0" ino=390 scontext=u:r:shell:s0 tcontext=u:object_r:rs_exec:s0 tclass=file permissive=0
  02-23 23:00:45.651  9516  9518 E RenderScript: Cannot open file '/system/bin/bcc' to compute checksum
  02-23 23:00:45.652  9516  9516 E rsC++   : Internal error: Object id 0.

Test: compiles
Fixes: 126388046
Change-Id: I28e591d660c4ba9a33135e940d298d35474ef0b6
2019-02-26 13:09:28 -08:00
Nick Kralevich
905b4000cb Fix dl.exec_linker* tests
The dl.exec_linker* tests verify that the linker can invoked on an
executable. That feature still works, but not with the default
shell user, which is required for the CTS bionic tests.

Addresses the following denial:

audit(0.0:5493): avc: denied { execute_no_trans } for path="/bionic/bin/linker64" dev="loop3" ino=25 scontext=u:r:shell:s0 tcontext=u:object_r:system_linker_exec:s0 tclass=file permissive=0

Bug: 124789393
Test: compiles
Change-Id: I77772b2136fae97174eeba6542906c0802fce990
2019-02-25 15:11:40 -08:00
Florian Mayer
aeca04b967 Allow to signal perfetto from shell.
When daemonizing perfetto, SIGINT should be sent to ensure clean
shutdown.

Denial:
12-06 11:12:16.566  3099  3099 I sh      : type=1400 audit(0.0:462): avc: denied { signal } for scontext=u:r:shell:s0 tcontext=u:r:perfetto:s0 tclass=process permissive=1

Test: m
Test: flash walleye
Test: SIGINT perfetto from shell

Change-Id: I8d34b447ea90c315faf88f020f1dfc49e4abbcce
2018-12-13 10:46:42 +00:00
Fan Xu
ffffed28fa Remove unused bufferhub sepolicy
These selinux policy rules were added for bufferhub to run a binder
service. But later we decided to use a hwbinder service instead, and the
original binder service was removed in git/master. Now we can safely
remove these rules.

Test: Build passed. Device boot successfully without selinux denial.
Bug: 118891412
Change-Id: I349b5f0f2fa8fb6a7cfe7869d936791355c20753
2018-12-10 13:36:11 -08:00
Yiwei Zhang
ff0f79c195 [gpuservice] allow "adb shell cmd gpu vkjson"
Also allow adb shell dumpsys gpu to not return error.

Bug: 120095213
Test: flash non-eng build and adb shell cmd gpu vkjson
Change-Id: Ia4a50a475ce76ec35e082dd52d4a6c80dde7f571
2018-11-27 15:58:20 -08:00