When we cut down microdroid policy we removed a whole lot of
neverallow rules that were in public/domain.te. Many of these are
irrelevant, but there are some that look quite important. So this CL
restores many of them. This makes no immediate difference (none of
these rules are currently violated, except as mentioned below), but it
might catch mistakes, or at least make us stop and think before
introducing potentially risky policy changes.
Process:
- Paste in all the neverallow rules from public/domain.te in Android
policy.
- Delete all references to non-existent labels.
- Delete everything makred full-trebly-only,
I also deleted some attributes we clearly don't need, and hence
associated neverallows. (I suspect there are more attributes we could
remove.)
And then I fixed a neverallow violation for microdroid_payload - we
were allowing it unrestricted ioctl access.
Bug: 204853211
Test: Policy builds without error
Test: No denials running composd_cmd forced-compile-test
Change-Id: I21035dee93a881b34941338cc7ce82503cc65e59
extra_apk_file is a new label only for APK files passed to microdroid.
microdroid_manager will create directories under /mnt/extra-apk/, and
zipfuse will mount APK block devices to the directories.
Currently only payload can read the files.
Bug: 205224817
Test: manually edit vm config and see APK files mounted
Change-Id: Ie5afb3156f22bb18979ec70904be675e8ff285a7
- Allow to use binder.
- Allow to talk to health HAL.
Test: manual in recovery
Test: fastboot getvar battery-voltage
Bug: 177269435
Change-Id: Ic3b1619ac34a10cb6007b8e011a01841343e9e8b
Bug: 205750213
Test: /apex/com.android.compos/bin/composd_cmd forced-odrefresh
# With SELinux enforced in the VM, plus some hacks in ART,
# observed odrefresh exited 80.
Change-Id: I81ab0a73314fdcea69c69350c792ff7acab5aab8
Besides the basic execution that is similar to the (deprecating)
odrefresh case, fd_server also needs to be able to create and change
files in the output directory.
Bug: 205750213
Test: /apex/com.android.compos/bin/composd_cmd forced-odrefresh
# Saw composd started the fd_server and the VM
Change-Id: Ia66015b72c4bd232c623604be326c7d7145c0a38
The FUSE daemon in MediaProvider needs to access the file descriptor of
its pinned BPF program and the maps used to commuicate with the kernel.
Bug: 202785178
Test: adb logcat FuseDaemon:V \*:S (in git_master)
Ignore-AOSP-First: mirroring AOSP for prototyping
Signed-off-by: Alessio Balsini <balsini@google.com>
Change-Id: I99d641658d37fb765ecc5d5c0113962f134ee1ae
composd in responsible to prepare the staging directory for odrefresh
(in the VM) to write the output to. Temporary output should be put in a
staged directory with a temporary apex_art_staging_data_file context.
When a compilation is finished, the files can then be moved to the final
directory with the final context.
Bug: 205750213
Test: No denials
Change-Id: I9444470b31518242c1bb84fc755819d459d21d68
... so that it can ensure that the bootconfig hasn't changed since the
last boot.
Bug: 208639280
Test: m
Change-Id: I2310a0df0ebbef9d6fe47dbad2538ecbe7bc84e6
PEM files are ASCII-encoded, open them as text file (as opposed to
binary). Avoid relying on __del__. Introduce a prologue and epilogue
methods to emit the <policy> tag only once per output.
Test: build plat_mac_permissions.xml on bramble and compare with
previous version; identical
Test: build product_mac_permissions.xml on bramble and compare with
previous version; identical
Test: build system_ext_mac_permissions.xml on bramble and compare with
previous version; identical
Test: build vendor_mac_permissions.xml on bramble and compare with
previous version; identical
Bug: 200119288
Change-Id: Iced0acf75bff756453918a411aecb9f4ef8f825d
Only ro.zygote is currently used, though we'll need to a few others of
the same property context.
Bug: 205750213
Test: composd_cmd forced-odrefresh # less SELinux denial
Change-Id: I2efbbc1637142f522a66c47bdd17471c4bde227a
Treble doesn't support T system + O vendor, so removing 26.0 (N) and
27.0 (O) prebuilts and compat files.
Bug: 207815515
Test: build
Change-Id: I98d5972221a8e77f3c45fc48ff50bb2b8eb94275
In general, it appears that libselinux and libsepol interpret paths and
contexts as bytes. For instance, selabel_file(5) mentions about the path
field of file_contexts:
Strings representing paths are processed as bytes (as opposed to
Unicode), meaning that non-ASCII characters are not matched
by a single wildcard.
libsepol also uses primitives such as strchr[1], which explicitly
operate at the byte level (see strchr(3)). However, practically, Android
paths and contexts all uses ASCII characters.
Use the str type (i.e., Unicode) for all Python code to avoid a larger
refactoring. Ensure we convert to bytes for inputs and outputs of
libsepolwrap.so. The encoding "ascii" is used, which will raise an error
should a context or type contain non-ASCII characters.
Update headers to match development/docs/copyright-templates.
[1] https://cs.android.com/android/platform/superproject/+/master:external/selinux/libsepol/src/context_record.c;l=224;drc=454466e2e49fd99f36db78396e604962b8682cb4
Bug: 200119288
Test: lunch aosp_bramble-userdebug && m
Test: atest --host fc_sort_test
Test: manually run searchpolicy
Change-Id: I72d41a35f90b2d4112e481cd8d7408764a6c8132
For now, the command for apkdmverity and zipfuse is hard-coded in the
init script file. To support passing extra APKs, microdroid_manager
needs to parse the vm config, and then manually run apkdmverity and
zipfuse with appropriate parameters.
Bug: 205224817
Test: atest MicrodroidHostTestCases ComposHostTestCases
Change-Id: I482b548b2a414f3b5136cea199d551cc88402caf
VTS for Netlink Interceptor needs access to netlink_route_socket, and
other services routing traffic to Netlink Interceptor may as well.
Bug: 201467304
Test: VtsHalNetlinkInterceptorV1_0Test
Change-Id: Ic52e54f1eec7175154d2e89e307740071b1ba168
Steps taken to produce the mapping files:
1. Add prebuilts/api/32.0/plat_pub_versioned.cil from the
/vendor/etc/selinux/plat_pub_versioned.cil file built on sc-v2-dev with
lunch target aosp_arm64-eng. Add prebuilts/api/32.0/vendor_sepolicy.cil
as an empty file.
When adding plat_pub_versioned.cil, leave only type and typeattribute
statements, removing the other statements: allow, neverallow, role, etc.
2. Add new file private/compat/32.0/32.0.cil by doing the following:
- copy /system/etc/selinux/mapping/32.0.cil from sc-v2-dev
aosp_arm64-eng device to private/compat/32.0/32.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 32 sepolicy.
Find all such types using treble_sepolicy_tests_32.0 test.
- for all these types figure out where to map them by looking at
31.0.[ignore.]cil files and add approprite entries to 32.0.[ignore.]cil.
This change also enables treble_sepolicy_tests_32.0 and installs
32.0.cil mapping file onto the device.
Bug: 206330997
Test: m treble_sepolicy_tests_32.0
Test: m 32.0_compat_test
Test: m selinux_policy
Change-Id: I8b2991e64e2f531ce12db7aaacad955e4e8ed687
On non-A/B devices, recovery needs to check if battery
is okay before applying the update. This requires
talking to the AIDL health HAL if the device uses
AIDL health HAL.
Test: manually calling GetBatteryInfo and check for denials
Bug: 170338625
Bug: 177269435
Change-Id: Ia89353cfff023376a4176c0582312bdcab00b5e6
logd.ready is a system property that logd sets when it is ready to
serve incoming socket requests for reading and writing logs. Clients of
logd (e.g. logcat) can use this to synchronize with logd, otherwise they
may experience a crash due to the refused socket connection to logd when
they are started before logd is ready.
Bug: 206826522
Test: run microdroid. see logcat logs are shown immediately
Change-Id: Iee13485b0f4c2beda9bc8434f514c4e32e119492
Currently BetterBug (privileged app) cannot access the details form
/data/misc/wmtrace.
Test: access a trace from /data/misc/wmtrace/ in betterbug
Change-Id: I4cf864ab4729e85f05df8f9e601a75ff8b92bdc8
Overlayfs product/overlay in init first stage is allowed in AndroidS.
product/overlay directory contains RRO apks, it is plausible to allow
dumpstate to access it since dumpstate will call df command.
Or there will be an avc denial:
01-01 07:09:37.234 13582 13582 W df : type=1400 audit(0.0:1717): avc: denied { getattr } for path="/product/overlay"
dev="overlay" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_overlay_file:s0 tclass=dir permissive=0
Actually, it is more reasonable to set /product/overlay to u:object_r:system_file:s0 since
there already had definiitions releated to /product/overlay
/mnt/scratch/overlay/(system|product)/upper u:object_r:system_file:s0
/(product|system/product)/vendor_overlay/[0-9]+/.* u:object_r:vendor_file:s0
Bug: https://b.corp.google.com/u/0/issues/186342252
Signed-off-by: sunliang <sunliang@oppo.com>
Change-Id: I493fab20b5530c6094bd80767a24f3250d7117a8
This seems like an oversight when system_server_startup was
introduced (commit caf42d615d).
Test: Presubmits
Change-Id: Ia371caa8dfc2c250d6ca6f571cf002e25703e793
