derive_sdk is used to configure installed SDK extensions. It can also
print debug information about these.
Allow dumpstate to execute derive_sdk, to include the debug information
in bugreports.
Bug: 240656777
Test: adb bugreport /tmp/bugreport.zip && unzip -c /tmp/bugreport.zip bugreport*.txt | grep -i 'sdk extensions'
Change-Id: I0f502f9f94a376dff2e7eb821f7bf753de2d5482
The DICE HAL and diced are replaced with dice-service which implements
the diced services and also contains the HAL logic directly, without
exposing an implementation of the HAL service.
Bug: 243133253
Test: atest MicrodroidTests
Change-Id: Ia0edeadb04a3fdd37ee1a69a875a7b29586702c5
Limit processes that can change global settings system properties.
Only system server and shell (for tests) should be able to set the
affected system properties.
Bug: 248307936
Test: treehugger only
Change-Id: I20b40cbedc9ad5277d08d033fc9d3ff6df7b7919
Add a new selinux type for a system property used to hold metadata about
the time zone setting system property. Although system settings are
world readable, the associated metadata only needs to be readable by the
system server (currently).
Bug: 236612872
Test: treehugger
Change-Id: Iac1bc3301a049534ea5f69edf27cd85443e6a92e
Reduce use of "exported_system_prop" by defining 2 new (currently
identical) "locale_prop" and "timezone_prop" types for the system
properties that are for "global system settings". See the comments in
private/property_contexts for details.
Initially the rights of the new types should be identical to
exported_system_prop but they will be reduced with a follow-up commit to
enable easier rollback / progress to be made on related work.
Bug: 236612872
Test: treehugger
Change-Id: I8d818342023bc462376c091b8a522532ccaf15d3
The permissions are needed for profile-guided compilation: when ART
Services compiles an app, it uses the information in current profiles as
one factor to determine which classes and methods to compile.
Since there can be multiple current profiles, in practice, it merges
the current profiles into a "reference profile" and passes that to the
compiler. After the compilation is done successfully, it keeps the
reference profile and deletes current profiles.
This is currently done by installd
(http://cs/android-internal/system/sepolicy/public/installd.te;l=125;rcl=0cbe233cdc361b0976874b2df04392d74245aade),
and we'd like artd to do it.
In addition, we want to make artd work in a more atomic way: If a
reference profile already exists, instead of mutating it in place,
artd creates a temp file next to it, works on the temp file, and
replaces the original file after it's done (or deletes the temp file
if it fails).
Therefore, artd needs the permissions to read current profile files.
It also needs to be mlstrustedsubject because current profile files
seem to have MLS restrictions.
Otherwise, it will get SELinux denials like:
```
09-23 20:22:13.931 8097 8097 I binder:8097_2: type=1400 audit(0.0:164): avc: denied { search } for name="cur" dev="dm-53" ino=81 scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_root_file:s0 tclass=dir permissive=1
09-23 20:22:13.931 8097 8097 I binder:8097_2: type=1400 audit(0.0:164): avc: denied { search } for name="0" dev="dm-53" ino=207 scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_root_file:s0:c512,c768 tclass=dir permissive=1
```
Note the MLS restrictions `c512,c768` in the message above.
Bug: 248318911
Test: manual -
1. adb shell pm art optimize-package -m speed-profile \
com.google.android.youtube
2. See no SELinux denials like above.
Change-Id: I1cb8c3ac07d3790a4d74d747707327b1d5d8ecfb
The permissions are needed for profile-guided compilation: when ART
Services compiles an app, it uses the information in current profiles as
one factor to determine which classes and methods to compile.
Since there can be multiple current profiles, in practice, it merges
the current profiles into a "reference profile" and passes that to the
compiler. After the compilation is done successfully, it keeps the
reference profile and deletes current profiles.
This is currently done by installd
(http://cs/android-internal/system/sepolicy/public/installd.te;l=125;rcl=0cbe233cdc361b0976874b2df04392d74245aade),
and we'd like artd to do it.
In addition, we want to make artd work in a more atomic way: If a
reference profile already exists, instead of mutating it in place,
artd creates a temp file next to it, works on the temp file, and
replaces the original file after it's done (or deletes the temp file
if it fails).
Therefore, artd needs the permissions to add/delete/replace profile
files. Otherwise, it will get SELinux denials like:
```
09-23 19:51:37.951 5050 5050 I binder:5050_1: type=1400 audit(0.0:134): avc: denied { write } for name="com.google.android.youtube" dev="dm-52" ino=922 scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_data_file:s0 tclass=dir permissive=1
09-23 19:51:37.951 5050 5050 I binder:5050_1: type=1400 audit(0.0:134): avc: denied { add_name } for name="primary.prof.6mOsV9.tmp" scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_data_file:s0 tclass=dir permissive=1
```
Bug: 248318911
Test: manual -
1. adb shell pm art optimize-package -m speed-profile \
com.google.android.youtube
2. See no SELinux denials like above.
Change-Id: Ib1a914b9a9526a85b69d27970e4b23c4e101c68a
Allow microdroid_manager to start authfs when needed.
Migrate the authfs-related permissions from compos to
microdroid_payload, so it can be used by any payload.
Move a neverallow to the correct file.
Bug: 245262525
Test: atest MicrodroidTests MicrodroidHostTestCases
Test: atest ComposHostTestCases
Change-Id: I0f5eb9c11bdb427b1f78c9fc721c40de76add484
This is a part of changes to bring up Remote Key Provisioning Daemon
module. See packages/modules/RemoteKeyProvisioning for more info.
Change-Id: Iae4e98176491637acb03e2e09b9d8dbc269be616
Test: atest rkpd_client_test
Manual testing protocol:
* Verify prng_seeder daemon is running and has the
correct label (via ps -Z)
* Verify prng_seeder socket present and has correct
label (via ls -Z)
* Verify no SELinux denials
* strace a libcrypto process and verify it reads seeding
data from prng_seeder (e.g. strace bssl rand -hex 1024)
* strace seeder daemon to observe incoming connections
(e.g. strace -f -p `pgrep prng_seeder`)
* Kill daemon, observe that init restarts it
* strace again and observe clients now seed from new instance
Bug: 243933553
Test: Manual - see above
Change-Id: I0a7e339115a2cf6b819730dcf5f8b189a339c57d
Will add fuzzer once the service is implemented.
Test: Run remoteaccess HAL on gcar_emu. Verify the service is running.
Bug: 241483300
Change-Id: I01b31a88414536ddd90f9098f422ae43a48cf726
Add selinux policy so the healthconnect system service
can be accessed by other processes.
Bug: 246961138
Test: build
Change-Id: I37e0e7f1a2b4696b18f8876a107c509d2906e850
Conversion of the gatekeeper hidl interface to stable aidl interface.
Bug: 205760843
Test: run vts -m VtsHalGatekeeperTarget
Change-Id: I44f554e711efadcd31de79b543f42c0afb27c23c
ro.log.file_logger.path is a system property that liblog uses to
determine if file_logger should be used (instead of logd) and what file
the logs should be emitted to. It is primarily meant for non-Android
environment like Microdroid, and doesn't need to be set in Android. In
fact, setting it to a wrong value can break the system logging
functionality. This change prevents such a problem by assigning a
dedicated property context (log_file_logger_prop) to the property and
making it non-writable. (Note that it still has to be readable because
liblog reads it and liblog can be loaded in any process)
Bug: 222592894
Test: try to set ro.log.file_logger.path
Change-Id: Ic6b527327f5bd4ca70a58b6e45f7be382e093318
Previously in Microdroid, processes send log messages to logd over
socket and then logcat ran to hand the message to the host side over the
serial console.
That has changed. Now, the liblog library which processes use to emit
logs directly sends the given message to the serial console. Liblog does
this by reading a new system property ro.log.file_logger.path. When this
is set, liblog doesn't use the logd logger, but opens the file that the
sysprop refers to and writes logs there.
This change implments sepolicy side of the story.
* logd and logcat types are removed since they no longer are needed.
* existing references to those types are removed as well.
* a new property type `log_prop` is introduced and the two system
properties are labaled as log_prop
* all processes have read access to the system properties
* all processes have append access to /dev/hvc2
Bug: 222592894
Test: run microdroid, see log is still emitted.
Change-Id: I4c4f3f4fd0e7babeab28ddf39471e914445ef4da
Adding soong module and tool to check if there is fuzzer present
for every service in private/service_contexts. Whenever a service is
added, its is recommended to update
$ANDROID_BUILD_TOP/system/sepolicy/soong/build/service_fuzzer_bindings.go
with service name and its corresponding fuzzer.
Test: m
Bug: 242104782
Change-Id: Id9bc45f50bebf464de7c91c7469d4bb6ff153ebd
