After b/28357356 /dev/alarm is no longer used by android platform.
Also, Pixel devices don't have /dev/alarm.
Bug: 110962171
Test: boot aosp_walleye
Change-Id: Id9723996104a2548ddf366489890c098d1ea87be
An incident.proto section has been added to the bugreport. Need
appropriate sepolicy changes to allow binder calls and fd access.
Bug: 119417232
Test: adb bugreport. Verify incident.proto is in the proto folder,
and there are no sepolicy violations.
Change-Id: Iac27cbf283a2e1cb41862c76343c2b639f6c0e1e
The isolated service that do nothing except for both AIDL's basic
skeleton and service binding. It still got the SELinux denied.
This should fix presubmit test.
01-01 00:00:29.196 6121 6121 I auditd : type=1400 audit(0.0:6):
avc: denied { getattr } for comm="convert.service"
path="/data/data/com.android.externalstorage" dev="sda35" ino=655437
scontext=u:r:isolated_app:s0:c0,c256,c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
Test: ag/5681059 ag/5660144
Bug: 120394782
Change-Id: I7838def96da30b88d510dab860ed9779a0d4d5ed
We are making a change to uevent_open_socket() in libcutils related to
setting the receive buffer size of netlink uevent sockets.
After setting SO_RCVBUF, we immediately read it back using getsockopt()
to verify that the setsockopt() call was effective. Only if it was not
effective, we call setsockopt() with SO_RCVBUFFORCE.
getsockopt() previously caused SELinux denials like the following:
avc: denied { getopt } for comm="usb@1.1-service" scontext=u:r:hal_usb_default:s0 tcontext=u:r:hal_usb_default:s0 tclass=netlink_kobject_uevent_socket permissive=0
Bug: 119933843
Change-Id: I7bbb1eb1fa7ade2c94afc52ab1e28762f86a7d1f
Currently, when an APEX is staged, apexd moves the file from
/data/app/vmdl*.tmp directory to /data/apex. However, the original file
is labeled with apk_tmp_file and is not readable from apexd.
We plan to resolve this issue by moving the file content via file
descriptor in between the package manager and apexd.
However, until the plan is implemented, temporarily allow apexd to
relabel the file to apex_data_file that is readable to it. This unblocks
the end-to-end test for APEX.
Bug: 112669193
Test: adb install --apex system/apex/apexd/apexd_testdata/test.apex
adb reboot; adb root; adb shell; cmd apexservice getActivePackages
The test APEX is activated
Change-Id: Ib9d4f5c699261f1fa1e6d557731767ee4d7168f9
This is PS1 of aosp/828283 which was reverted. Using PS1 shouldn't cause
the same issue.
Test: vold is able to create directories, ag/5534962
Bug: 116528212
Change-Id: I84aca49a8dae0a087498120780dea0962aca04b3
This includes the SELinux policy changes to allow for
kcov access in userdebug builds for coverage-guided
kernel fuzzing.
Bug: 117990869
Test: Ran syzkaller with Android untrusted_app sandbox with coverage.
Change-Id: I1fcaad447c7cdc2a3360383b5dcd76e8a0f93f09
"iio_device", "radio_device" must not be accessed by coredomain on all
devices. And "tee_device" must not be accessed by coredomain on Treble
devices.
Bug: 110962171
Test: m selinux_policy
Test: mmma system/sepolicy
Change-Id: I27029b6579b41109c01c35c6ab5a992413f2de5c
The isolated service that do nothing for AIDL's APIs still got the
SELinux denied. This should fix presubmit test.
01-01 00:00:22.103 5831 5831 I auditd : type=1400 audit(0.0:6): avc:
denied { getattr } for comm="convert.service"
path="/data/data/com.android.providers.media" dev="sda35" ino=1442136
scontext=u:r:isolated_app:s0:c0,c256,c512,c768
tcontext=u:object_r:privapp_data_file:s0:c512,c768 tclass=dir
permissive=0
Test: build
Bug: 119596573
Change-Id: Ie58326ba217ed6ca56ca9933c6664896ac3d327a
According to go/sedenials (internal dogfooding), coredomain access to
following types is not exercised and can be removed:
iio_device
radio_device
tee_device
Access to audio_device is still needed since some ALSA interfaces
(/dev/snd/*) are directly used by system_server.
Bug: 110962171
Test: m selinux_policy
Change-Id: I740b99813e1f93136bfcaec087b74f0e03b259ad
Move rules / neverallow assertions from public to private policy. This
change, by itself, is a no-op, but will make future patches easier to
read. The only downside of this change is that it will make git blame
less effective.
Motivation: When rules are placed into the public directory, they cannot
reference a private type. A future change will modify these rules to
reference a private type.
Test: compiles
Bug: 112357170
Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
OOB write if the size of the key value pairs exceeds the max.
Test: Add a long line to the seapp_contexts file
Change-Id: Iaa3e697e7ac134eb6829b8b36b090997ca344b3a
Signed-off-by: liwugang <liwugang@xiaomi.com>
NIAP certification requires that all cryptographic functions
undergo a self-test during startup to demonstrate correct
operation. init now performs this check during startup.
The self-test is forked from init. For the child process
to be able to request a reboot it needs permissions to
set the sys.powerctl property.
Bug: 119826244
Test: Built for walleye. When the BoringSSL self test was forced
to fail the device rebooted into the bootloader, as
expected.
Change-Id: I4171b1dd0a5e393252ae5c002171ac51c9cbb3e6
The SELinux policy language supports an expandattribute statement.
Similar to the C "inline" declaration, this expands the permissions
associated with types, instead of using the attribute directly. Please
see
1089665e31
for more detail on this language option.
Expansion of attributes causes consistency problems with CTS. If a
neverallow rule exists which refers to an expanded attribute, the CTS
neverallow test will fail, because the policy does not have the
attribute embedded in it. Examples:
* b/119783042 (fixed in 536d3413b8)
* b/67296580 (fixed in 6f7e8609f9)
* b/63809360 (fixed in 89f215e6a0)
etc...
Instead of waiting for the CTS test to fail, modify the Android.mk file
so that we do checks similar to CTS. This allows us to fail at compile
time instead of waiting for a CTS bug. For example, for b/119783042,
instead of the compile succeeding, it will now fail with the following
error message:
[ 70% 190/268] build out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
FAILED: out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
/bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c
30 -o out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp
out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/policy.conf ) &&
(out/host/linux-x86/bin/sepolicy-analyze
out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp
neverallow -w -f out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/policy_2.conf
|| ( echo \"\" 1>&2; echo \"sepolicy-analyze failed. This is most likely due to the use\" 1>&2;
echo \"of an expanded attribute in a neverallow assertion. Please fix\" 1>&2;
echo \"the policy.\" 1>&2; exit 1 ) ) &&
(touch out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp )
&& (mv out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp
out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows )"
libsepol.report_failure: neverallow violated by allow vold hal_bootctl_default:binder { call };
libsepol.check_assertions: 1 neverallow failures occurred
sepolicy-analyze failed. This is most likely due to the use
of an expanded attribute in a neverallow assertion. Please fix
the policy.
15:44:27 ninja failed with: exit status 1
Test: Revert 536d3413b8 and verify compile
fails as above.
Test: Compile succeeds
Bug: 119783042
Change-Id: I5df405b337bb744b838dadf53a2234d8ed94bf39
server_configurable_flags_data_file is used for storing server
configurable flags which have been reset during current booting.
system_server needs to read the data to perform related disaster
recovery actions.
For how the data is read, see SettingsToPropertiesMapper.java.
Test: build succeeds & manual on device
Change-Id: Ifa22aecc13af2c574579299d28433622abbe6b85
Hals have 3 attributes associated with them, the attribute itself, the
_client attribute, and the _server attribute. Only the server attribute
isn't expanded using the expandattribute keyword, and as a result, is
the only attribute which can be used in neverallow rules.
Fix neverallow rule to use hal_bootctl_server, which is not expanded,
instead of hal_bootctl.
Introduced in: https://android-review.googlesource.com/c/platform/system/sepolicy/+/777178
Test: policy compiles
Bug: 119500144
Change-Id: I8cff9cc03f4c30704175afb203c68f237fbd61ca
During the build process, use a temporary file until we've determined
that every step of the build process has completed. Failure to do this
may cause subsequent invocations of the make command to improperly
assume that this step ran to completion when it didn't.
Test: code compiles.
Change-Id: I9a28e653e33b61446a87278975789376769bcc6a
There is no real need to access the manifest.json (which is being
renamed in other CLs anyway). So remove the access to it.
Bug: 119672727
Test: m, installed on device, boots.
Change-Id: I2d82062031da36f871b2a64d97a50a6f1e6fc3dd
We introduced a new API to allow Device Owner to install an OTA file on disk.
This in turn requires system_server to be able to copy the OTA file to a known
OTA file location, call into update_engine to start the installation and let
update_engine to call back to the system_server to deliver any error conditions
asynchronously. This CL modifies the SELinux policy to allow these interaction.
Test: manual in TestDPC, CTS tests for negative cases: atest com.android.cts.devicepolicy.DeviceOwnerTest#testInstallUpdate
Change-Id: Id1fbea9111f753c5c80f270c269ecb9ef141cd79
Bug: 111173669
