Allow getattr on links for otapreopt_slot. It reads links (to the
boot image oat files) when collecting the size of the artifacts
for logging purposes.
Bug: 30832951
Test: m
Change-Id: If97f7a77fc9bf334a4ce8a613c212ec2cfc4c581
This switches most remaining HALs to the _client/_server approach.
To unblock efforts blocked on majority of HALs having to use this
model, this change does not remove unnecessary rules from clients of
these HALs. That work will be performed in follow-up commits. This
commit only adds allow rules and thus does not break existing
functionality.
The HALs not yet on the _client/_server model after this commit are:
* Allocator HAL, because it's non-trivial to declare all apps except
isolated apps as clients of this HAL, which they are.
* Boot HAL, because it's still on the non-attributized model and I'm
waiting for update_engine folks to answer a couple of questions
which will let me refactor the policy of this HAL.
Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: Device boots in recovery mode, no new denials
Bug: 34170079
Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
The secondary dex files are application dex files which gets reported
back to the framework when using BaseDexClassLoader.
Also, give dex2oat lock permissions as it needs to lock the profile
during compilation.
Example of SElinux denial:
03-15 12:38:46.967 7529 7529 I profman : type=1400 audit(0.0:225):
avc: denied { read } for
path="/data/data/com.google.android.googlequicksearchbox/files/velour/verified_jars/JDM5LaUbYP1JPOLzJ81GLzg_1.jar.prof"
dev="sda35" ino=877915 scontext=u:r:profman:s0
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1
Test: adb shell cmd package bg-dexopt-job works for sercondary dex files
Bug: 26719109
Change-Id: Ie1890d8e36c062450bd6c54f4399fc0730767dbf
This change defines new policy for modprobe (/sbin/modprobe) that should
be used in both recovery and android mode.
Denials:
[ 16.986440] c0 437 audit: type=1400 audit(6138546.943:5): avc:
denied { read } for pid=437 comm="modprobe" name="modules" dev="proc"
ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1
[ 16.986521] c0 437 audit: type=1400 audit(6138546.943:6): avc:
denied { open } for pid=437 comm="modprobe" path="/proc/modules"
dev="proc" ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1
[ 16.986544] c0 437 audit: type=1400 audit(6138546.943:7): avc:
denied { getattr } for pid=437 comm="modprobe" path="/proc/modules"
dev="proc" ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1
Bug: 35633646
Test: Build and tested it works in sailfish recovery. The modprobe is
invoked in init.rc (at the end of 'on init') with following command line
exec u:r:modprobe:s0 -- /sbin/modprobe -a nilfs2 ftl
Change-Id: Ie70be6f918bea6059f806e2eb38cd48229facafa
bufferhubd should be able to use sync fence fd from mediacodec; and
mediacodec should be able to use a gralloc buffer fd from the bufferhubd.
Bug: 32213311
Test: Ran exoplayer_demo and verify mediacodec can plumb buffer through
bufferhub.
Change-Id: Id175827c56c33890ecce33865b0b1167d872fc56
Allow run-as to transmit unix_stream_sockets from the shell user to
Android apps. This is needed for Android Studio's profiling tool to
allow communcation between apps and debugging tools which run as the
shell user.
Bug: 35672396
Test: Functionality was tested by shukang
Test: policy compiles.
Change-Id: I2cc2e4cd5b9071cbc7d6f6b5b0b71595fecb455e
This switches Sensors HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Sensors HAL.
Domains which are clients of Sensors HAL, such as system_server, are
granted rules targeting hal_sensors only when the Sensors HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with clients
talking to the HAL over HwBinder IPC), rules targeting hal_sensors are
not granted to client domains.
Domains which offer a binderized implementation of Sensors HAL, such
as hal_sensors_default domain, are always granted rules targeting
hal_sensors.
P. S. This commit also removes
allow system_server sensors_device:chr_file rw_file_perms
because this is device-specific and thus not needed in device-agnostic
policy. The device-specific policy of the affected devices already has
this rule.
Test: Device boots, no new denials
Test: adb shell dumpsys sensorservice
lists tons of sensors
Test: Proprietary sensors test app indicates that there are sensors
and that the app can register to listen for updates for sensors
and that such updates arrive to the app.
Bug: 34170079
Change-Id: I61bf779070eabcb64ae73724d62b6e837319a668
Only audio HAL may access audio driver.
Only camera HAL may access camera driver.
Test: aosp_marlin and aosp_bullhead policy builds. Note: neverallow
rules are compile time assertions and do not change the
on-device policy.
Bug: 36185625
Change-Id: I1c9edf528080374f5f0d90d3c14d6c3b162484a3
Only HALs that manage networks need network capabilities and network
sockets.
Test: aosp_marlin and aosp_bullhead policy builds. Note: neverallow
rules are compile time assertions and do not change the
on-device policy.
Bug: 36185625
Change-Id: Id64846eac24cf72ed91ce775cecb2c75f11b78df
The following HAL methods use file descriptors to write dump
info comprising audioflinger debug dump:
IDevice.debugDump
IEffectsFactory.debugDump
IStream.debugDump
Bug: 36074936
Test: check contents of 'adb shell dumpsys media.audio_flinger'
on -userdebug builds
Change-Id: Ie2bec95c6b73c6f10941e2b0a95a25d6a7a6e4c1
perf_event_max_sample_rate is needed to be read for native profiling,
otherwise CTS test can fail on devices with kernel >= 4.4. Before this CL,
the file is not readable from untrusted_app domain. This CL makes it readable
from both shell domain and untrusted_app domain.
Bug: http://b/35554543
Test: build and test on marlin.
Change-Id: Id118e06e3c800b70a749ab112e07a4ec24bb5975
We simplified the way we track whether or not a dex file is used by
other apps. DexManager in the framework keeps track of the data and we
no longer need file markers on disk.
Test: device boots, foreign dex markers are not created anymore
Bug: 32871170
Change-Id: I464ed6b09439cf0342020ee07596f9aa8ae53b62
Note: The existing rules allowing socket communication will be removed
once we migrate over to HIDL completely.
(cherry-pick of 2a9595ede2)
Bug: 34603782
Test: Able to connect to wifi networks.
Test: Will be sending for full wifi integration tests
(go/wifi-test-request)
Change-Id: I9ee238fd0017ec330f6eb67ef9049211f7bd4615
Bug: 35979722
Test: angler boot with UART on and set sys.wifitracing.started to 0 after boot
Test: no more avc errors on debugfs
Change-Id: I91d98428aaec915b3206535559a0c096e6de1603
We need more time to investigate the effect that this change will
have on DRM solutions. Until the investigation is done, revert.
This reverts commit 38d3eca0d4.
Bug: 30146890
Bug: 20013628
Bug: 35323421
Change-Id: I5ad69ef5ee12081ce7fc0a8440712f7f8f77cf16
Test: policy compiles.
Add FD accessing rules related to media,gralloc and ashmem.
Also move a few rules to where they belong.
Change-Id: I0bff6f86665a8a049bd767486275740fa369da3d
Drop support for execmod (aka text relocations) for newer API versions.
Retain it for older app APIs versions.
Bug: 30146890
Bug: 20013628
Bug: 35323421
Test: policy compiles.
Change-Id: Ie54fdb385e9c4bb997ad6fcb6cff74f7e32927bb
Fix restorecon failue on second call
Bug: 35803475
Test: angler boot with UART on and set sys.wifitracing.started to 0 after boot
Change-Id: Ia5496fcba031616297fa0a4c0f45e3ece0b4d662
Label /proc/misc and allow access to untrusted_apps targeting older API
versions, as well as update_engine_common.
/proc/misc is used by some banking apps to try to detect if they are
running in an emulated environment.
TODO: Remove access to proc:file from update_engine_common after more
testing.
Bug: 35917228
Test: Device boots and no new denials.
Change-Id: If1b97a9c55a74cb74d1bb15137201ffb95b5bd75
Addresses:
denied { getattr } for pid=155 comm="keystore" path="/vendor"
dev="mmcblk0p6" ino=1527 scontext=u:r:keystore:s0
tcontext=u:object_r:system_file:s0 tclass=lnk_file
On devices without an actual vendor image, /vendor is a symlink to
/system/vendor. When loading a library from this symlinked vendor,
the linker uses resolve_paths() resulting in an lstat(). This
generates an selinux denial. Allow this lstat() so that paths can
be resolved on devices without a real vendor image.
Bug: 35946056
Test: sailfish builds
Change-Id: Ifae11bc7039047e2ac2b7eb4fbcce8ac4580799f
The new wifi HAL manages the wlan driver and hence needs to be able to
load/unload the driver. The "wlan.driver.status" is used to indicate the
state of the driver to the rest of the system. There are .rc scripts for
example which wait for the state of this property.
Denials:
03-01 13:31:43.394 476 476 W android.hardwar: type=1400
audit(0.0:7243): avc: denied { read } for name="u:object_r:wifi_prop:s0"
dev="tmpfs" ino=10578 scontext=u:r:hal_wifi_default:s0
tcontext=u:object_r:wifi_prop:s0 tclass=file permissive=0
03-01 13:31:43.399 476 476 E libc : Access denied finding
property "wlan.driver.status"
Bug: 35765841
Test: Denials no longer seen
Change-Id: I502494af7140864934038ef51cb0326ba3902c63
This starts with the reduction in the number of services that
ephemeral apps can access. Prior to this commit, ephemeral apps were
permitted to access most of the service_manager services accessible
by conventional apps. This commit reduces this set by removing access
from ephemeral apps to:
* gatekeeper_service,
* sec_key_att_app_id_provider_service,
* wallpaper_service,
* wifiaware_service,
* wifip2p_service,
* wifi_service.
Test: Device boots up fine, Chrome, Play Movies, YouTube, Netflix, work fine.
Bug: 33349998
Change-Id: Ie4ff0a77eaca8c8c91efda198686c93c3a2bc4b3
- compared to ro.boottime, this one does not pass time info
bug: 35178781
bug: 34274385
Test: reboot
Change-Id: I6a7bf636a3f201653e2890751d5fa210274c9ede
Add a file context for keeping track of last reboot reason and label
directory /data/misc/reboot/ for this purpose.
(Cherry picked from commit ca051f6d07)
Bug: 30994946
Test: manual: reboot ocmmand, setprop sys.powerctl, SoC thermal mgr
Change-Id: I9569420626b4029a62448b3f729ecbbeafbc3e66
- hal clients checking hal_binderization prop also need to check
ro.boottime.persistent_properties.
bug: 35178781
Test: reboot
Change-Id: I413c663537dc118e0492416e3e5a2af721b18107
early mounted block device are created by 'init' in its first stage, so
the following restorecon() now finds device nodes and their corresponding
symlinks. The CL adds rule to make sure the block and
system_block_devices can be relabeled by init in this case.
Bug: 35792677
Bug: 27805372
Test: tested ota using 'adb sideload' on sailfish
Change-Id: I7d9d89878919c1267bf3c74f0cdbb4367b5ad458
Signed-off-by: Sandeep Patil <sspatil@google.com>
No SELinux domains can create dccp_socket instances, so it doesn't make
any sense to allow netd to minipulate already-open dccp sockets.
Bug: 35784697
Test: policy compiles.
Change-Id: I189844462cbab58ed58c24fbad6a392f6b035815
