system_vendor_config_prop defines a property contexts which can only be
set from vendor_init. It is one of the mostly used patterns of system
properties. This migrates some properties to help readability and
security.
Bug: 148125056
Test: system/sepolicy/build_policies.sh
Change-Id: I6b53ef520331b32417ad59f4daa04bdfc077f682
This adds the type and permissions for dumping and appending prereboot
information.
Bug: 145203410
Test: Didn't see denials while dumping and appending prereboot info.
Change-Id: Ic08408b9bebc3648a7668ed8475f96a5302635fa
This properties are used to compute UserspaceRebootAtom and are going to
be written by system_server. Also removed now unused
userspace_reboot_prop.
Test: builds
Bug: 148767783
Change-Id: Iee44b4ca9f5d3913ac71b2ac6959c232f060f0ed
Add a new entry for use_content_detection_for_refresh_rate that will
eventually replace the deprecated use_smart_90_for_video
Change-Id: Iffe83fe0c7620f661228452495a02922f9662406
Test: play video and observe refresh rate
There are a lot of properties which is meant to be set once by
vendor_init. Most of them are configuration properties from vendor. This
introduces a macro to define such properties, which can help readability
and better security than using plain system_public_prop.
Bug: 148125056
Test: manual
Change-Id: I8b68e635d42119bafd1d22cba7957f583822ac7b
The public platform version no longer can be a codename, it is
always the most recently released platform. A new build property
and API provides either the offical version or the current codename
as appropriate. This will avoid breaking apps that look at the
platform version while development is under a codename.
Bug: 143175463
Test: manual
(cherry picked from commit afa84c96ac)
Merged-In: I257ca42672e4712841c90b0608202c846bda628c
Change-Id: If8c91986afe682902787145dae4c0a3b9a2aa8d1
The binder's methods are protected by signature
permissions (LOG_COMPAT_CHANGE, READ_COMPAT_CHANGE_CONFIG and
OVERRIDE_COMPAT_CHANGE_CONFIG).
This is a re-landing of https://r.android.com/1210143, which was
reverted due to http://b/142942524. The actual fix was done in
http://ag/10234812.
Bug: 142650523
Test: atest PlatformCompatGatingTest
Change-Id: Ibddac8933ea58d44457a5d80b540347e796ebe71
As of aosp/1224611, there is a new step in the preparation of APEXes
where init calls back into apexd after DE user data is unencrypted to
allow DE apex data to be snapshotted or restored.
This adds a new enum value for the apexd.status property to allow
this status to be described.
Bug: 148672144
Test: build & flash, check boot completes and check in logs that the
correct status values are set.
Change-Id: I7effcf16280eabcd5b9a0d70d33bd34d79121312
Dumpstate runs 'df', which in turn tries to get attributes on all
mounted filesystems. We don't care much for stats on /mnt/user, since
it's simply a mapping of /data. /mnt/installer is simply a bind mount of
/mnt/user, and we don't need to show that in df either.
Bug: 148761246
Test: atest
CtsSecurityHostTestCases:android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: Ie71b9cde08eb08bd3a7a3e2659ea71c61ca5ab3b
This fixes a bug where a directory's label was removed, causing it to
be unlabeled, and we crashed on trying to set its encryption policy.
Fixes: 148923156
Test: Successfully update from build with the deleted label.
Change-Id: I69c3707e3e66d9e44a22b0783d3016c8ddab6b8f
This helps in the investigation of driver-related issues.
Bug: 145388549
Test: Manually, log collected on user build
Change-Id: I40631aac7878f58e399bc583898630055583fc7c
recovery is excluded because it is not an interesting code
path.
Test: apply OTA, cancel, delete OTA states, then apply again
to trigger CancelUpdate() code path, see logs
Bug: 148818798
Change-Id: I3baac977af54ac0a09c9b732fd172469c9f51627
This concerns the data transfer between an untrusted producer process,
and the tracing service (traced daemon). They communicate over a
combination of a unix socket and shared memory.
Normally, the service creates the shared memory region, and hands it off
to the producer process (see perfetto_producer() macro). This patch
allows for an alternative scheme, where the producer process is allowed
to create the shared memory region, which will then be adopted by the
tracing service. The service already inherently doesn't trust the
producer, so it'll validate that the shared memory is appropriately
sealed before using it.
The immediate use-case is chrome's go/perfetto-startup-tracing-v2. But
this mode has advantages (e.g. being able to write to the shared memory
before connecting) for other producer domains as well.
Bug: 148841422
Change-Id: I90f864b900958792553f0208f4a0041dbf2892cc
To include linkerconfig results into dumpstate, dumpstate needs extra
permission on lnkerconfig directory to search all items within the
directory. This change allows dumpstate to have extra access on
linkerconfig directory.
Bug: 148840832
Test: tested from cuttlefish
Change-Id: I955b54ec2cc3d1dcedaa34406e0e0776b6ac12f6
dumpstate creates an error log from CTS test because dumpstate does not
have access to linkerconfig directory. As df doesn't need to scan
linkerconfig directory, do not audit this directory in dumpstate
to get attributes.
Bug: 148760417
Test: m -j passed
Test: No sepolicy error from correspoding test
Change-Id: I3c1c3a489584450bd23fbce2d7cc9b09aaf9c002
This reverts commit d5a0edd75e.
Reason for revert: CTS failure
There are apps that relies on SELinux regulations to constrain their access. We'll need to analyze them before introducing the sepolicy.
Bug: 147695658
Change-Id: Ic57fcb90371b50a978ab7b2e0d20c4cb3d2da7f6
Test: cts-tradefed run cts -m CtsPermissionTestCases
Setting files and dirs under /data/incremental as apk_data_file, so that
they will have the same permissions as the ones under /data/app.
Current layout of the dirs:
1. /data/incremental/[random]/mount -> holds data files (such as base.apk) and
control files (such as .cmd). Its subdirectory is first bind-mounted to
/data/incremental/tmp/[random], eventually bind-mounted to
/data/app/~~[randomA]/[packageName]-[randomB].
2. /data/incremental/[random]/backing_mount -> hold incfs backing image.
3. /data/incremental/tmp/[random] -> holds temporary mountpoints (bind-mount targets)
during app installation.
Test: manual
Change-Id: Ia5016db2fa2c7bad1e6611d59625731795eb9efc
These properties are owned by system, but is configurable
in vendor partition.
Test: apply OTA
Bug: 148569015
Change-Id: I24baa981d1f850cd18a3429f6e0a4efd31a8570d
These ioctls are required to set a default project quota ID on
/data/media.
Bug: 146419093
Test: verified chattr call from rootdir/init.rc
Change-Id: I0c9028e0a6502302fe81a73dfa087261a36d9863
Revert "Add new permissions to test"
Revert submission 1210143-platformcompat-permissions
Reason for revert: http://b/142942524
Reverted Changes:
I3601b12d5: Add new permissions to test
I65d425aac: Make platform_compat discoverable everywhere
I1c8cbb656: Add permissions for using PlatformCompat methods
Change-Id: I356c1d1c4d1213eea6e5585b23faa40722b1a01a
This allows init to call chattr to allow casefolding on /data/media
Test: lsattr on /data/media on device with casefolding support
Bug: 138322712
Change-Id: I5715484d872088517f67c62a78344a2d417dd77f
These neverallow rules are to prevent properties from crossing treble
boundary. As attributes like internal / restricted / public has been
landed, the neverallow rules are changed to use attributes to avoid
endless manual maintaining of the list.
Bug: 148181222
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0ba930f6c78852e785858fb069faf4f984643e34
/mnt/pass_through was introduced to allow the FUSE daemon unrestricted
access to the lower filesystem (or sdcardfs).
At zygote fork time, the FUSE daemon will have /mnt/pass_through/0
bind mounted to /storage instead of /mnt/user/0. To keep /sdcard
(symlink to /storage/self/primary) paths working, we create a
'self' directory with an additional 'primary' symlink to
/mnt/pass_through/0/emulated/0 which is a FUSE mount point.
The following components need varying sepolicy privileges:
Vold: Creates the self/primary symlink and mounts the lower filesystem
on /mnt/pass_through/0/emulated. So needs create_dir and mount access
+ create_file access for the symlink
zygote: In case zygote starts an app before vold sets up the paths.
This is unlikely but can happen if the FUSE daemon (a zygote forked app)
is started before system_server completes vold mounts.
Same sepolicy requirements as vold
installd: Needs to clear/destroy app data using lower filesystem
mounted on /mnt/pass_through so needs read_dir access to walk
/mnt/pass_through
priv_app (FUSE daemon): Needs to server content from the lower
filesystem mounted on /mnt/pass_through so needs read_dir access to
walk /mnt/pass_through
Bug: 135341433
Test: adb shell ls /mnt/pass_through/0/self/primary
Change-Id: I16e35b9007c2143282600c56adbc9468a1b7f240
pmem uses a block file while access_ramoops uses a char file. Allow both for
now until we can unify on pmem.
Additionally allow the reading of vendor properties so it can read the
path to the character or block device to open.
Test: atest VtsHalRebootEscrowTargetTest
Bug: 146400078
Change-Id: Ief61534e0946480a01c635ce1672579959ec8db5
Setup SELinux to allow the world to read, and system_server to write,
properties used as indicators that we need to invalidate their respective
set of client side caches.
Test: Flashed build and tested that phone boots and does not crash
as StorageManager and UsageStatsManager operations take place.
Change-Id: Ieaacf741ecab5beb18d59945739f05e7ea26ddec
It needs to know whether B partitions should be allocated
at the second half of super.
Test: flash and see serial output
Fixes: 147363527
Change-Id: I58c57befa3ee3569c911cbdf506e919fe1d0bae4
until we gain a better understanding of why this is breaking builds
on for example pixel3_mainline-userdebug
Test: no, but removing neverallows can't break the already broken build...
Bug: 148311635
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ib4fa19317034412f9eaa789f39df2548f13178dc
As with heapprofd, it's useful to profile the platform itself on debug
builds (compared to just apps on "user" builds).
Bug: 137092007
Change-Id: I8630c20e0da9c67e4927496802a4cd9cacbeb81a
The steps involved in setting up profiling and stack unwinding are
described in detail at go/perfetto-perf-android.
To summarize the interesting case: the daemon uses cpu-wide
perf_event_open, with userspace stack and register sampling on. For each
sample, it identifies whether the process is profileable, and obtains
the FDs for /proc/[pid]/{maps,mem} using a dedicated RT signal (with the
bionic signal handler handing over the FDs over a dedicated socket). It
then uses libunwindstack to unwind & symbolize the stacks, sending the
results to the central tracing daemon (traced).
This patch covers the app profiling use-cases. Splitting out the
"profile most things on debug builds" into a separate patch for easier
review.
Most of the exceptions in domain.te & coredomain.te come from the
"vendor_file_type" allow-rule. We want a subset of that (effectively all
libraries/executables), but I believe that in practice it's hard to use
just the specific subtypes, and we're better off allowing access to all
vendor_file_type files.
Bug: 137092007
Change-Id: I4aa482cfb3f9fb2fabf02e1dff92e2b5ce121a47
Bug: 140788621
This adds keys for several planned binder caches in the system server
and in the bluetooth server. The actual cache code is not in this
tree.
Test: created a test build that contains the actual cache code and ran
some system tests. Verified that no protection issues were seen.
Change-Id: Ibaccb0c0ff8b127d14cf769ea4156f7d8b024bc1
Enforce new requirements on app with targetSdkVersion=30 including:
- No RTM_GETLINK on netlink route sockets.
Remove some of the repetitive descriptions in each untrusted_app_N.te
file, and instead refer to the description in
public/untrusted_app.te.
Bug: 141455849
Test: CtsSelinuxTargetSdkCurrentTestCases
Test: libcore.java.net.NetworkInterfaceTest#testGetNetworkInterfaces
Change-Id: I89553e48db3bc71f229c71fafeee9005703e5c0b
We don't want to accidentally allow this, and a neverallow also means
that the issue will be found during development, instead of review.
Fixes: 148081219
Test: compile policy only
Change-Id: I57990a2a4ab9e5988b09dae2dd6a710ce8f53800
Written exclusively by init. Made it readable by shell for CTS, and for
easier platform debugging.
Bug: 137092007
Change-Id: Ia5b056117502c272bc7169661069d0c8020695e2
The comment in this file acknowledges that this is needed for "Wipe
data/cache", however it does not actually grant the permission for
cache_block_device. Add it. Fixes a denial seen on cuttlefish:
avc: denied { ioctl } for pid=223 comm="mke2fs"
path="/dev/block/vda3" dev="tmpfs" ino=486 ioctlcmd=0x127b
scontext=u:r:recovery:s0 tcontext=u:object_r:cache_block_device:s0
tclass=blk_file permissive=0
Bug: 146898312
Change-Id: I82b9975085c027941c970ca44dbb1a7a370295fa
This reverts commit a1aa2210a9.
Reason for revert: Potential culprit for Bug b/148049462 - verifying through Forrest before revert submission
Change-Id: Ibe4fa1dee84defde324deca87d9de24a1cc2911a
Enforce new requirements on app with targetSdkVersion=30 including:
- No bind() on netlink route sockets.
- No RTM_GETLINK on netlink route sockets.
Remove some of the repetitive descriptions in each untrusted_app_N.te
file, and instead refer to the description in
public/untrusted_app.te.
Bug: 141455849
Test: CtsSelinuxTargetSdkCurrentTestCases
Change-Id: Iad4d142c0c13615b4710d378bc1feca4d125b6cc
This was originally added due to:
avc: denied { module_request } for comm="dnsmasq" kmod="netdev-bt-pan" scontext=u:r:dnsmasq:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
in wahoo specific selinux policy in commit cd761300c1cc67cb2be3e001b95317e8a865c5fe 'Allow some denials we have seen.'
This is most likely simply triggered by a race condition on attempting
to access a non existent network device 'bt-pan'.
While we've never seen this anywhere else, it could potentially happen
on any device so we might as well make this global...
Test: N/A
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I00f61a5fc2bfce604badf3b96f6ed808157eb78c
For vndk related properties, use vndk_prop context.
vndk_prop can be defined by 'init' and 'vendor_init', but free to
read by any processes.
Bug: 144534640
Test: check boot to see if the VNDK properties are readable
Change-Id: Ifa2bb0ce6c301ea2071e25ac4f7e569ea3ce5d83
System_server will listen on incoming packets from zygotes.
Bug: 136036078
Test: atest CtsAppExitTestCases:ActivityManagerAppExitInfoTest
Change-Id: I42feaa317615b90c5277cd82191e677548888a71
The code that uses the property has not been committed, so this change
has no impact on the codebase.
Bug: 140788621
Test: build an image that combines this change with the client code
and boot a phone. Verify that there are no policy violations.
Change-Id: Ie6c1a791578c61adae5b71a38e61a2f5b20bb817