inotify_add_watch requires read permissions and these were only granted
to the /dev/block/dm-user directory, not the device nodes.
Denial: avc: denied { read } for pid=1918 comm="update_engine" name="product_b-user-cow" dev="tmpfs" ino=162 scontext=u:r:update_engine:s0 tcontext=u:object_r:dm_user_device:s0 tclass=chr_file permissive=0
Bug: 238572067
Test: apply OTA
Change-Id: I3fa7c9600873f4a2638fd140287511005f5aac1d
Tests around Virtual A/B, DSUs, remount etc need to create loop devices
and write to them, which requires the kernel domain to have file write
access. However there are very few contexts where this is allowed, and
most are for testing. These testing locations are not consistently
available (eg, /data/nativetest does not always exist).
We already allow readonly loop devices in /data/local/tmp for testing
purposes, so this adds write support as well (userdebug/eng only).
Bug: 218976943
Test: fiemap_image_test
Change-Id: Ic83ff5ef57241215240228ecaee3d9d07ff31d8e
Currently, vendor_service is excluded from this neverallow
for the same reason. However, the current plan is to remove
vendor_service. Since some vendor HAL services are not
marked as hal_service_type, this part of the change needs
to be submitted independently in order to clean them up.
Bug: 237115222
Test: build
Change-Id: I7893184c4d1011881b721d0b851e07c17f73732b
In order to see the HAL state in bugreports, we need to allow the HAL to
write to file where the dump is going.
Bug: 237233372
Test: adb shell dumpsys android.hardware.input.processor.IInputProcessor/default
Change-Id: Idf78269e4ee9798c078ac3b7ee4f375515d7aadc
When the InputProcessor HAL is getting dumped, allow the dumpstate
process to trigger the trace collection.
In the future, we will also add a 'dump' facility to this HAL.
Bug: 237347585
Bug: 237322365
Test: adb bugreport
Change-Id: Iecc525c212c1b899962a032df9643bdd8b0dcdb6
Goal is to gain a better handle on who has access to which maps
and to allow (with bpfloader changes to create in one directory
and move into the target directory) per-map selection of
selinux context, while still having reasonable defaults for stuff
pinned directly into the target location.
BPFFS (ie. /sys/fs/bpf) labelling is as follows:
subdirectory selinux context mainline usecase / usable by
/ fs_bpf no (*) core operating system (ie. platform)
/net_private fs_bpf_net_private yes, T+ network_stack
/net_shared fs_bpf_net_shared yes, T+ network_stack & system_server
/netd_readonly fs_bpf_netd_readonly yes, T+ network_stack & system_server & r/o to netd
/netd_shared fs_bpf_netd_shared yes, T+ network_stack & system_server & netd [**]
/tethering fs_bpf_tethering yes, S+ network_stack
/vendor fs_bpf_vendor no, T+ vendor
* initial support for bpf was added back in P,
but things worked differently back then with no bpfloader,
and instead netd doing stuff by hand,
bpfloader with pinning into /sys/fs/bpf was (I believe) added in Q
(and was definitely there in R)
** additionally bpf programs are accesible to netutils_wrapper
for use by iptables xt_bpf extensions
'mainline yes' currently means shipped by the com.android.tethering apex,
but this is really another case of bad naming, as it's really
the 'networking/connectivity/tethering' apex / mainline module.
Long term the plan is to merge a few other networking mainline modules
into it (and maybe give it a saner name...).
The reason for splitting net_private vs tethering is that:
S+ must support 4.9+ kernels and S era bpfloader v0.2+
T+ must support 4.14+ kernels and T beta3 era bpfloader v0.13+
The kernel affects the intelligence of the in-kernel bpf verifier
and the available bpf helper functions. Older kernels have
a tendency to reject programs that newer kernels allow.
/ && /vendor are not shipped via mainline, so only need to work
with the bpfloader that's part of the core os.
Bug: 218408035
Test: TreeHugger, manually on cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I674866ebe32aca4fc851818c1ffcbec12ac4f7d4
(cherry picked from commit 15715aea32)
This enables users to run "fastboot getvar dmesg" which is important to
debugging flashing failures in automation. The command is only allowed on
unlocked devices running userdebug builds.
Bug: 230269532
Test: fastboot getvar dmesg
Change-Id: Ia27268fd984f903ca73e69b5717f4206a3cf1ae9
These will get read by system libraries in arbitrary processes, so it's
a public property with read access by `domain`.
Bug: 235129567
Change-Id: I1ab880626e4efa2affe90165ce94a404b918849d
The feature was superseded by tzdata mainline module(s).
Bug: 148144561
Test: see system/timezone
Test: m selinux_policy
Change-Id: I48d445ac723ae310b8a134371342fc4c0d202300
Merged-In: I48d445ac723ae310b8a134371342fc4c0d202300
Remove mention of the /system/bin/idmap binary: the file no longer
exists.
Remove interaction between the domains installd and idmap to interact:
installd used to fork and exec the idmap binary, but the idmap2 binary
has its own binder service.
Bug: 118711077
Bug: 119264713
Test: atest FrameworksServicesTests:com.android.server.om OverlayDeviceTests OverlayHostTests CtsAppSecurityHostTestCases:OverlayHostTest
Change-Id: I06d22057308984e43cb84ff365dbdd1864c7064b
Netd is now serving an AIDL HAL to replace the old HIDL HAL.
Bug: 205764585
Test: Boot and check for avc denials
Change-Id: I1ca5ed4ff3b79f082ea2f6d3e81f60a64ca04855
Adding a new system property that will act as a toggle
enabling/disabling the framework changes that were submitted to prevent
leaked animators.
Bug: 233391022
Test: manual.
Merged-In: I57225feb50a3f3b4ac8c39998c47f263ae211b66
Change-Id: Ifc339efc1c3a5e19920b77d1f24bef19c39d5f44
CTS testcase is failing because of the AVC denails for dumpstate
trying to search mnt_product.
Bug:234086759
Test: android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: I794de8c296992b1d3cdafdb802376870a0eecce7
This patch allows ioctls() to support zoned device.
Bug: 172377740
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: I69b322ceffd45c7e191d3a37e67ac7324c5b7ee2
Commit ea9921f4f5b9 ("f2fs-tools: support zoned device in Android") in
f2fs-tools supports zoned device in Android. When detecting the disk
supports zoned device with proper types, we need to access its sysfs
entry. Note that, we need to check sysfs entries by default for
non-zoned disks in general as well.
If a product doesn't use metadata encryption which sets a device mapper, vendor
selinux needs to allow sysfs entries for raw disks such as sysfs_scsi_devices or
sysfs_devices_block.
avc: denied { search } for comm="fsck.f2fs" name="dm-44" dev="sysfs" ino=82102 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_dm:s0 tclass=dir permissive=0
avc: denied { read } for comm="fsck.f2fs" name="zoned" dev="sysfs" ino=82333 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_dm:s0 tclass=file permissive=0
Bug: 172377740
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: Iaa4dc9826b614b71b928c33ebc207afab96e586a
Give system_server and network_stack the same permissions as netd.
This is needed as we are continuously moving code out of netd into
network_stack and system_server.
Test: TH
Bug: 233300834
Change-Id: I9559185081213fdeb33019733654ce95af816d99
Remove references in sepolicy. Leave a few of the types defined since
they're public and may be used in device-specific policy.
Bug: 211461392
Test: build/boot cuttlefish
Change-Id: I615137b92b82b744628ab9b7959ae5ff28001169
Let vendor_init can react Vendor System Native Experiment
changes via persist.device_config.vendor_system_native.* properties.
Bug: 223685902
Test: Build and check no avc denied messages in dmesg
Change-Id: If69d1dab02d6c36cdb1f6e668887f8afe03e5b0e
Merged-In: If69d1dab02d6c36cdb1f6e668887f8afe03e5b0e
... as this is needed for the hal to access and map
gralloc buffers on devices such as Cuttlefish. Previously,
this sepolicy is added in device specific directories but
the Cuttlefish team is looking at centralizing the sepolicy.
Bug: b/161819018
Test: `atest CtsNNAPITestCases`
Test: `atest VtsHalNeuralnetworksV1_0TargetTest`
Change-Id: Ia5b2704e2cdeedfa19d160e546d811b7d1c21aa9
As a follow-up to https://r.android.com/2078213, remove init's write
access to directories with type system_userdir_file or
media_userdir_file. This has been made possible by moving the creation
of /data/user/0 and /data/media/obb to vold.
Bug: 156305599
Change-Id: Ib9f43f2b111518833efe08e8cacd727c75b80266
All domains using libbinder need access to this new ioctl in order to
pull precise information upon failed binder operations.
Bug: 28321379
Tested: clients can now use the ioctl through libbinder
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Change-Id: I8d6e5ca6b133b934855a7545cc1a9786e2c4ad65
init should use subcontext (vendor_init) for actions/services from
/{vendor, odm} partitions. However, when configs are from vendor APEXes,
init can't tell whether the APEXes are from /{vendor, odm} just by
looking at the config file paths.
Instead, init can look up /apex/apex-info-list.xml for APEXes
preinstalled paths to tell APEXes' original partition.
Bug: 232021354
Test: atest CtsBluetoothTestCases
(Cuttlefish has BT HAL APEX in /vendor)
Change-Id: I8cb5d9eb3970790499ef1eb1ee00851591a42e98
