This change makes it such that only init can start adbd directly. It
also introduces new rules for ctl.{start,stop,restart} properties such
that only usbd and recovery (and su, since it's permissive) can directly
ask init to start adbd.
Bug: 64720460
Test: adbd still runs
Test: /data/nativetest64/adbd_test/adbd_test
Test: python system/core/adb/test_adb.py
Test: "USB debugging" in System Settings still start/stop adbd
Test: Recovery menu still make the device show as "recovery" in adb
devices
Test: "Apply update from ADB" in recovery menu still works
Change-Id: Iafcda8aa44e85129afcc958036b472d856fa1192
This property is read by the audio service in system server to toggle
camera shutter sound enforcement on a device-specific basis.
Test: Camera shutter sound enforcement works when audio.camerasound.force is set
Bug: 110126976
Change-Id: I2720d3c699c4712d1a328f59dde0b16bbf1016f3
This adds a label for system properties that will affect system-wide
time / time detection logic.
The first example will be something like:
persist.time.detection_impl_version
Bug: 78217059
Test: build
Change-Id: I46044f1e28170760001da9acf2496a1e3037e48a
When we have wide color gamut content, SurfaceFlinger might want to send a
PowerHint through Power Hal to boost GPU to higher frequency, to make sure GPU
composition can finish in time.
BUG: 110112323
Test: adb shell cat /sys/class/kgsl/kgsl-3d0/devfreq/cur_freq
Change-Id: If60c13aedc4ff84eaefd3430794dc15a478c5a73
Grant access to icmp_socket to netdomain. This was previously
labeled as rawip_socket which apps are allowed to use. Neverallow
all other new socket types for apps.
Kernels versions > 4.9 redefine ICMP sockets from rawip_socket
to icmp_socket. To pass neverallow tests, we need to define
which IOCTLs are allowed (and disallowed).
Note that this does not change behavior on devices with
kernel versions <=4.9. However, it is necessary (although not
sufficient) to pass CTS on kernel version 4.14.
Bug: 110520616
Test: Grant icmp_socket in net.te and build.
Change-Id: I5c7cb6867d1a4cd1554a8da0d55daa8e06daf803
Like /system and /product, /product-services will contain apps that
should have the same privileges as the one in other system partitions.
Bug: 80741439
Test: successfully tested e2e on two devices, one with
/product-services partition and another with /product-services
symlinking to -> /system/product-services
Change-Id: Ieee7a9a7641a178f44bb406dbdef39ed46713899
From now on, linker will resolve dir.${section} paths of ld.config.txt.
This is added to suppress SELinux denial during resolving /postinstall.
Bug: http://b/80422611
Test: on taimen m -j, logcat | grep denied, atest on bionic/linker/tests
Change-Id: I12c2bb76d71ae84055b5026933dcaa6ef2808590
Add sepolicy entries for the new time zone detector service.
The timezonedetector_service will be called from the
telephony process.
Bug: 78217059
Test: make / booted device
Change-Id: Ib719a4bb444b2af7dd71910fb0bd12992df9d88c
There will likely be no need for platform apps
to call the timedetector_service; it was added
in error.
Bug: 78217059
Test: build / boot
Change-Id: Ie299c92a60f26fe6cb00562219e386a9f13e459f
For 4.14+ kernels, we need map permissions for vendor_config_files,
for things like kernel loaded firmware blobs, etc.
Change-Id: I8144c50b0239aedf4124569003187cc50c963080
Signed-off-by: John Stultz <john.stultz@linaro.org>
init is now a dynamic executable. So it has to be able to execute the
dynamic linker (/system/bin/linker) and shared libraries (e.g.,
/system/lib/libc.so). Furthermore, when in recovery mode, the files are
all labeled as rootfs - because the recovery ramdisk does not support
xattr, so files of type rootfs is allowed to be executed.
Do the same for kernel and ueventd because they are executing the init
executable.
Bug: 63673171
Test: `adb reboot recovery; adb devices` shows the device ID
Change-Id: Ic6225bb8e129a00771e1455e259ff28241b70396
Legacy hardware and code still depends on the ueventd helpers to
locate the firmware supported files which are on new mount path
labeled with mnt_vendot_file. For ueventd helper to work we need dir search
and read permission on this new label so moving ueventd to exempted list.
Already ueventd has the vendor_file_type read access.
Bug:110083808
Change-Id: Ia15cc39ecef9e29b4f1f684efdddbeb78b427988
If you can get or serve the hal allocator interface,
you should be a hal_allocator_client or
hal_allocator_server.
Bug: 80319537
Test: boot aosp_walleye and (sanity) take photos
Change-Id: Iea14c67c4aa56df7a74ebdb17e99b78b1d3aa105
The timedetector_service will be called from the
telephony process
Bug: 78217059
Test: build / local testing with a client
Change-Id: I25dfa4daabaa80e6b5e697ad1b1e2f7f72377702
To ensure a surprise reboot does not take the last boot reason on
face value especially if coming from more than one boot sessions ago.
We shift and clear the value from persist.sys.boot.reason to
sys.boot.reason.last and establish a correct last reboot reason in
the canonical sys.boot.reason property. As a result, the power
manager should read the canonical sys.boot.reason for a definitive
result rather than relying on the possibly incorrect values in the
persistent storage. sys.boot.reason should be a core property as
it represents the canonical boot reason API.
Test: compile
Bug: 86671991
Bug: 63736262
Change-Id: If3742c487d6c0ab69c464f056bf48c786b66a945
The shell is now available directly in the recovery ramdisk. We no
longer need to mount system.img to /system as the recovery ramdisk is
self-contained. However, there is a problem that every file in the
ramdisk is labeled as rootfs because the ramdisk does not support xattr.
This CL adds several recovery-only rules that are required to make the
recovery ramdisk self-contained. Most importantly, adbd is allowed to
domain_trans to shell. Also shell is allowe to execute files of type
rootfs. Finally, the recovery is allowed to mount on tmpfs since it now
mounts system.img to /mnt/system.
Bug: 63673171
Test: `adb reboot recovery; adb devices` shows the device ID
Test: `adb root && adb shell` and then
$ lsof -p `pidof adbd` shows that libm.so, libc.so, etc. are loaded from
the /lib directory.
Change-Id: If21b069aee63541344a5ca8939fb9a46ffef4d3e
build_test_only is used to denote rules that should not verified
as part of compliance testing.
Use this macro to exclude neverallow rules which we want to check as
part of build, but not CTS.
Bug: 80499271
Test: SELinuxNeverallowRulesTest on walleye has no more failure of type
"Type or attribute * used in neverallow undefined in policy being checked."
Number of failing test cases is reduced by 142.
Test: policy.conf used to check neverallows at build-time still retains
all neverallow rules.
Change-Id: I5f1b383d9096bb5a7b8c0f1bc008b5dd07419580
Previously, supposedly, each individual client of configstore
was supposed to add the add_hwservice attribute itself to get
ahold of the specific sub-interface of configstore relevant to
it. However, there is only one configstore interface,
ISurfaceFlingerConfigs.
From this point onward, the configstore hal is to be thought of
as specifically relating to surface flinger. Other properties
may be added as other attributes/packages.
For instance, if we want a configstore entry for 'IFooConfig',
then we would add the configuration to one of the following
packages:
- android.hardware.foo@X.Y (to the interface itself)
- android.hardware.foo.config@X.Y (to a configuration of the interface)
- android.hardware.configstore.foo@X.Y (as a sub-interface of configstore)
and then it could be associated with the sepolicy attributes
(respectively):
- hal_foo
- hal_foo_config (or just hal_foo if they are 1-1)
- hal_configstore_foo
The specific pattern to be followed irrelevant to this CL
and subject to future discussion, the point being that we're going
to have a separate sepolicy attribute (and package, although this
isn't strictly necessary) for each separate domain's configuration.
Fixes: 109806245
Test: boot walleye, check for denials
Change-Id: If661e3fca012017a6c854fe3f02df4b779d514df
Since this attribute just associates a hal_attribute
with a given hwservice in the standard way.
Bug: 80319537
Test: boot + sanity + test for denials
Change-Id: I545de165515387317e6920ce8f5e8c491f9ab24e
For sanity, this makes 'hal_attribute_hwservice_client'
be associated with a specific hwservice thus making things
consistent.
After this change, only configstore, hal_allocator, and the
fwk_* services are inconsistent with all other HALs.
Bug: 80319537
Test: boot device, sanity tests, check for denials
Change-Id: Ibffc65c9567a429e07a3dc4dd41117738459dc2a
This change removes references to the common time management
service.
Bug: 80462439
Test: build / boot
Merged-In: I2c8fca44fe05e3a35f5580d23e23a4c033075613
Change-Id: I2c8fca44fe05e3a35f5580d23e23a4c033075613
This was defined, but it had no users in the Android tree.
Because of this, ODM manifests required extra sepolicy to be applied
in vendor. Before this, there was no policy split, so that was okay,
but now it is impossible.
Bug: 91735839
Test: add an odm manifest for SE conditional on
a system property (ro.boot.product.hardware.sku)
and make sure it is read into the manifest (using
the vintf tool) and also that a client can get the
$ lshal | grep secure
Y android.hardware.secure_element@1.0::ISecureElement/SIM1 0/2 881 2262 567
Change-Id: I94a2928943be6a17416b8bbd78106809c0c21198
Merged-In: I94a2928943be6a17416b8bbd78106809c0c21198
This commit contains the changes needed to add the new
time detector system server service.
Bug: 78217059
Test: make / booted device
Change-Id: I7cfaac6cac876e4aa73e8af1aa5f837117bb9ad7
Clatd and zygote
are all overprivileged
as is storaged
Test: Verify no "granted" messages from dogfooders. Build flash
aosp_taimen-userdebug. Verify no denials.
Change-Id: I735adcffed553962ad12072716a7200883930dcf
The recommended solution is to not access encrypted storage until
after the ACTION_USER_UNLOCKED intent is delivered.
Test: build
Fixes: 72811052
Fixes: 72550646
Change-Id: I80eb743e26047b7864de983c5a46c28b6f753a59
The attribute is used to capture system properties added from outside of
AOSP (e.g. by OEM), but are not device-specific and thus are used only
inside the system partition.
Access to the the system properties from outside of the system partition
is prevented by the neverallow rule.
Bug: 80382020
Bug: 78598545
Test: m -j selinux_policy
Merged-In: I22c083dc195dab84c9c21a79fbe3ad823a3bbb46
Change-Id: I22c083dc195dab84c9c21a79fbe3ad823a3bbb46
(cherry picked from commit c0f8f2f82a)
System properties can be abused to get around Treble requirements of
having a clean system/vendor split. This CL seeks to prevent that by
neverallowing coredomain from writing vendor properties.
Bug: 78598545
Test: build 2017 Pixels
Test: build aosp_arm64
Change-Id: I5e06894150ba121624d753228e550ba9b81f7677
(cherry picked from commit cdb1624c27)
