Add extra policy to enable linkerconfig to be executed from recovery.
Bug: 139638519
Test: Tested from crosshatch recovery
Change-Id: I40cdea4c45e8a649f933ba6ee73afaa7ab3f5348
gsid needs access to /sys/fs/f2fs/<dev>/features to detect whether
pin_file support is enabled in the kernel.
Bug: 134949511
Test: libsnapshot_test gtest
Change-Id: I5c7ddba85c5649654097aa51285d7fa5c53f4702
This can be used as an existence check on a process
before calling kill (which is already granted).
Addresses:
avc: denied { signull } for comm="Binder:1328_1"
scontext=u:r:system_server:s0 tcontext=u:r:webview_zygote:s0
tclass=process permissive=0
Bug: 143627693
Test: build
Change-Id: I01dfe3c0cb2f4fec2d1f1191ee8243870cdd1bc6
When an OTA is downloaded, the RecoverySystem can be triggered to store
the user's lock screen knowledge factor in a secure way using the
IRebootEscrow HAL. This will allow the credential encrypted (CE)
storage, keymaster credentials, and possibly others to be unlocked when
the device reboots after an OTA.
Bug: 63928581
Test: make
Test: boot emulator with default implementation
Test: boot Pixel 4 with default implementation
Change-Id: I1f02e7a502478715fd642049da01eb0c01d112f6
In order to remount ext4 userdata into checkpointing mode, init will
need to delete all devices from dm-stack it is mounted onto (e.g.
dm-bow, dm-crypto). For that it needs to get name of a dm-device by
reading /sys/block/dm-XX/dm/name file.
Test: adb shell setprop sys.init.userdata_remount.force_umount_f2fs 1
Test: adb shell /system/bin/vdc checkpoint startCheckpoint 1
Test: adb reboot userspace
Test: adb shell dumpsys activity
Bug: 135984674
Bug: 143970043
Change-Id: I919a4afdce8a4f88322f636fdf796a2f1a955d04
This adds a new apex_rollback_data_file type for the snapshots (backups)
of APEX data directories that can be restored in the event of a rollback.
Permission is given for apexd to create files and dirs in those directories
and for vold_prepare_subdirs to create the directories.
See go/apex-data-directories for details.
Bug: 141148175
Test: Built and flashed, checked directory was created with the correct
type.
Change-Id: I94b448dfc096e5702d3e33ace6f9df69f58340fd
This adds a new apex_module_data_file type for the APEX data directories
under /data/misc/apexdata and /data/misc_[de|ce]/<u>/apexdata.
Permission is given for vold to identify which APEXes are present and
create the corresponding directories under apexdata in the ce/de user
directories.
See go/apex-data-directories.
Bug: 141148175
Test: Built & flashed, checked directories were created.
Change-Id: I95591e5fe85fc34f7ed21e2f4a75900ec2cfacfa
Allow telephony to access platform_compat in order to log app failures
related to security fixes that we've made.
Bug: 144631034
Test: manual
Change-Id: Ibf783f0eb306061136fe0a57023d01344253eef0
mediaserver and mediaextractor both need this.
bug: 145607042
bug: 145355521
test: run modified android.media.cts.HeifWriterTest
to use the new android.Os.memfd_create, the test
should pass; shouldn't fail in verification step
due to MediaMetadataRetriever can't access the memfd.
Change-Id: I47dabb9d98c77b647521884c7b5fadf04eae3b41
Add a domain for derive_sdk which is allowed to set
persist.com.android.sdkext.sdk_info, readable by all
apps (but should only be read by the BCP).
Bug: 137191822
Test: run derive_sdk, getprop persist.com.android.sdkext.sdk_info
Change-Id: I389116f45faad11fa5baa8d617dda30fb9acec7a
Currently linker config locates under /dev, but this makes some problem
in case of using two system partitions using chroot. To match system
image and configuration, linker config better stays under /linkerconfig
Bug: 144966380
Test: m -j passed && tested from cuttlefish
Change-Id: Iea67663442888c410f29f8dd0c44fe49e3fcef94
PackageManager tries to scan /apex (apex_mnt_dir) for flattened apexes.
Previously, because /apex was blindly bind-mounted to /system/apex for
"flattened" apexes, the label for /apex is the same as /system/apex,
which is oaky for system_server to handle it.
But to support flattened apexes from other partitions such as /vendor or
/system_ext, every apex should be mounted under /apex individually,
which leaves the se-label of /apex unchanged (apex_mnt_dir).
Bug: 144732372
Test: boot with flattened apexes
see if there are errors "denied system_server with apex_mnt_dir"
Change-Id: I81bd6ab152770c3c569b22274a6caa026615303e
SLCAN setup requires certain ioctls and read/write operations to
certain tty's. This change allows the HAL to set up SLCAN devices while
complying with SEPolicy.
In addition to adding support for SLCAN, I've also included permissions
for using setsockopt. In order for the CAN HAL receive error frames from
the CAN bus controller, we need to first set the error mask and filter
via setsockopt.
Test: manual
Bug: 144458917
Bug: 144513919
Change-Id: I63a48ad6677a22f05d50d665a81868011c027898
ro.apk_verity.mode was introduced in P on crosshatch. This change
changes the label from default_prop to a new property, apk_verity_prop.
ro.apk_verity.mode is set by vendor_init per build.prop, in order to
honor Treble split. It is also read by system_server and installd
currently.
Test: verify functioning without denials in dmesg
Bug: 142494008
Bug: 144164497
Change-Id: I1f24513d79237091cf30025bb7ca63282e23c739
This change enforces all the defined rules for the vzwomatrigger_app
domain and unsets permissive mode. There have not been any new denials
in the past weeks for this domain (source: go/sedenials), and hence this
domain appears to not need any new permissions.
Bug: 142672293
Test: Green builds
Change-Id: I588b4e3038a3e8188d97183a592f9023a95dd3a8
* changes:
Revert "sepolicy: Permission changes for new wifi mainline module"
Revert "wifi_stack: Move to network_stack process"
Revert "sepolicy(wifi): Allow audio service access from wifi"
We've moved GMS core to its own domain, and these permissions should be
removed from the priv_app domain. This change adds auditallow to these
permissions so we know if it's safe to check if any other privapps are
relying on these.
Bug: 142672293
Test: Green builds
Change-Id: I35402f1166a0edf8e001d894413f470c090c7b57
This reverts commit baa06ee2cd.
Reason for revert: Added missing property name in vendor_init.te.
Bug: none
Test: none (other than neverallow checking)
Change-Id: I9e93bf4ea6ca3a4634f8f4cbce2f13c5f410883b
Previously mediaserver could only access hidl via mediadrmserver.
Required because mediadrmserver will be removed in R.
Bug: 134787536
Bug: 144731879
Test: MediaPlayerDrmTest
Change-Id: If0ae1453251e88775a43750e24f7dac198294780
This change creates a gmscore_app domain for gmscore. The domain is
currently in permissive mode (for userdebug and eng builds), while we
observe the SELinux denials generated and update the gmscore_app rules
accordingly.
Bug: 142672293
Test: Flashed a device with this build and verified
com.google.android.gms runs in the gmscore_app domain. Tested different
flows on the Play Store app, e.g., create a new account, log in, update
an app, etc. and verified no new denials were generated.
Change-Id: Ie5cb2026f1427a21f25fde7e5bd00d82e859f9f3
This reverts commit 3aa1c1725e.
Reason for revert: Wifi services no longer plan to be a separate
APK/process for mainline. Will instead become a jar loaded from Apex.
Bug: 144722612
Test: Device boots up & connects to wifi networks
Change-Id: Ifa33dae971dccfd5d14991727e2f27d2398fdc74
This reverts commit 1086c7d71d.
Reason for revert: Wifi services no longer plan to be a separate
APK/process for mainline. Will instead become a jar loaded from Apex.
Bug: 144722612
Test: Device boots up & connects to wifi networks
Change-Id: I69ccc6afbe15db88f516cdc64e13d8cfdb0c743c
This reverts commit 386cf9d957.
Reason for revert: Wifi services no longer plan to be a separate
APK/process for mainline. Will instead become a jar loaded from Apex.
Bug: 144722612
Test: Device boots up & connects to wifi networks
Change-Id: Ibb4db9d92c8d9f1170fcc047fa3377eef2acfce6
This reverts commit 9f02b30a72.
This is no longer needed, because we never shipped app storage
sandboxes.
Bug: 130812417
Test: builds
Change-Id: Ia1f51db4904742d2ef15222f2350c67af0dd4a28
Add the SELinux policy to implement a no-write persistent property
controlling whether to launch a JVMTI agent in the system server.
Bug: none
Test: none (other than the neverallow)
Change-Id: Ic70ee5b05c5507b4159ef4c825a360be47bc02b0
This adds permissions for content_capture_service,
incidentcompanion_service, media_session_service, and telecom_service.
These were observed via sedenials on dogfood builds.
Bug: 142672293
Bug: 144677148
Test: Green builds, no more denials show up for these services.
Change-Id: Ifd93c54fb3ca3f0da781cd2038217a29e812a40f
This change adds a rule for com.android.permissioncontroller to run in
the previously defined permissioncontroller_app.
com.android.permissioncontroller would require similar permissions to
com.google.android.permissioncontroller.
Bug: 142672293
Test: Green builds
Change-Id: I92e7175526380c0711f52fafe8d1f8d9531d07f8
Tethering module would run in network stack process. Add network_stack
as client of tetheroffload hidl and give it permission to create and share
netlink_netfilter_sockets
Bug: 144320246
Test: -build, flas, boot
-OFF/ON hotspot
Change-Id: Id961fd4af0d30f902eb0115aa15db612aaa8bb91
This reverts commit 9076b9c541.
This is breaking incidentcompanion_service and preventing taking bug
reports from work profile.
Bug: 144677148
Bug: 142672293
Test: Green builds.
Change-Id: I7a82522a5bb21c05fbabd3f3f1c05d4a8c6ca8f4
By default sys.init.userspace_reboot.* properties are internal to
/system partition. Only exception is
sys.init.userspace_reboot.in_progress which signals to all native
services (including vendor ones) that userspace reboot is happening,
hence it should be a system_public_prop.
Only init should be allowed to set userspace reboot related properties.
Bug: 135984674
Test: builds
Test: adb reboot userspace
Change-Id: Ibb04965be2d5bf6e81b34569aaaa1014ff61e0d3
AuthService is introduced in ag/9700446.
Bug: 141025588
Test: can successfully publish AuthService with publishBinderService(...)
Change-Id: I0f9fceac0c555d05a29467e4ab1380f389b60af4
Add entries necessary for the new time zone detection service.
Bug:140712361
Test: See related frameworks/base change
Change-Id: Ide4244104e2add843c1d699d528328dd71a6b525
This creates a new vzwomatrigger_app domain. The domain is
currently in permissive mode (for userdebug and eng builds), while we
observe the SELinux denials generated and update permissions.
Bug: 142672293
Test: Build, flash, boot successfully
Change-Id: I552df772b66e8e7edb1ccee754d1ea8dd1acece0
The property is set to inform kernel to do a warm_reset on the next
reboot. This is useful to persist the logs to debug device boot
failures. More details in http://go/rvc-ota-persist-logs.
The property is set to 1 by update_engine after an OTA. And it's set to
0 by update_verifier or vold after we mark the current slot boot
successful.
The property is read by vendor_init. And according to its value,
vendor_init writes a particular sysfs file to schedule a warm reset
on the following reboot.
Without the new context, the denial message says:
[ 13.423163] audit: type=1107 audit(1746393.166:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { read } for property=ota.warm_reset pid=0 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0'
[ 23.096497] init: Unable to set property 'OTA.warm_reset' from uid:0 gid:2001 pid:841: SELinux permission check failed
[ 23.096574] type=1107 audit(1573768000.668:42): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=OTA.warm_reset pid=841 uid=0 gid=2001 scontext=u:r:update_verifier:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=0'
[ 23.108430] update_verifier: Failed to reset the warm reset flag
Bug: 143489994
Test: check the property can be set by update_engine, and read by vendor_init
Change-Id: I87c12a53a138b72ecfed3ab6a4d846c20f5a8484
In normal Android, libsnapshot interacts with libfiemap over binder (via
IGsid). There is no binder in recovery, so instead, we directly link to
the library and therefore need appropriate sepolicy changes.
Bug: 139154945
Test: no denials in recovery or fastbootd
Change-Id: I356d7b5b906ac198e6f32c4d0cdd206c97faeb84
Looking at go/sedenials, we're fairly confident that this domain has all
the necessary permissions. This change enforces all the defined rules
for the permissioncontroller_app domain and unsets the permissive mode.
Bug: 142672293
Test: Build successfully, flashed a phone and basic usage of Permission Manager seemed to work well.
Change-Id: I3fb9cfaa216ddbd865b56e72124374eb1c75dea8
/sys/class/wakeup/wakeupN can point to an arbitrary path in sysfs. Add
"search" permission for path resolution.
Bug: 144095608
Test: m selinux_policy
Change-Id: I033d15b4ca56656f144189f5c2b1b885f30155a3
incident report contains similar data as in a bugreport, but in proto
format. Currently ro.serialno is not captured due to selinux settings.
Test: adb shell incident -p LOCAL 1000
Bug: 143372261
Change-Id: I6a89308c1347fba2ce4f7b469f9a02b119d4aeb7
Android is moving away from debugfs. Information from /d/wakeup_sources
and /d/suspend_stats is now also exposed in sysfs under
/sys/class/wakeup/* and /sys/power/suspend_stats/* respectively:
https://lkml.org/lkml/2019/7/31/1349https://lkml.org/lkml/2019/8/6/1275
Allow SystemSuspend to read those sysfs nodes.
One caveat is that /sys/class/wakeup/wakeupN can be a symlink to a
device-specific location. In this case, device sepolicy should label
that the files appropriately. This is similar to how device policy
applies "sysfs_net" and "sysfs_batteryinfo" labels.
Bug: 144095608
Bug: 129087298
Test: boot cuttlefish; system_suspend is able to read
/sys/power/suspend_stats/* and /sys/class/wakeup/*
Change-Id: I350c88a271c0f422d0557aeb5e05e1537dc97bc9
Relax the requirement to have both seinfo and name specified for
privapps. The original reason for requiring both was because, normally,
a package can only be uniquely specified by both name and signature,
otherwise package squatting could occur. However, privapps are
pre-installed, so the concerns about the potential for package squatting
are eliminated. This change will drastically simplify sepolicy
configuration for priv-apps.
Bug: 142672293
Test: Flashed a device with this build and verified
com.google.android.permissioncontroller still runs in the
permissioncontroller_app domain.
Change-Id: I5bb2bf84b9db616c4492bd1402550821c70fdd07
Add some rules based on the SELinux denials observed.
Bug: 143905061
Bug: 142672293
Test: Green builds, no more denials for the 7 services added.
Change-Id: I27e4634cb1df03166e734f6c12c8cb9147568d72
System_server will read this property to determine if it should
expect the lmkd sends notification to it on low memory kills.
Bug: 136036078
Test: atest CtsAppExitTestCases:ActivityManagerAppExitInfoTest
Change-Id: Iff90f7d28dc7417994f5906333d58fb18cb4a04c
In emulator builds without OpenGL passthrough, we use software rendering
via SwiftShader, which requires JIT support. Therefore, we need to allow
system_server to use execmem so that it can run JITed code. These builds
are never shipped to users.
Bug: 142352330
Change-Id: I4d55b5a1b4ebae2fc8198ef66107c22bde41ad7e
When snapshotctl merge is called on sys.boot_completed
and /metadata/ota/state does not exist, it now tries
to initialize it by creating one.
Test: no selinux denials on boot
Bug: 143551390
Change-Id: I6ee268270e8f788d90610d7a1a90f252ea9baa3a
This is needed to use graphics RenderEngine, creation will
try to access configstore.
bug: 135717526
test: run MediaMetadataRetrieverTest, there shouldn't be any
avc denials in logcat.
Change-Id: Ie26ffe4844edd52684f254e77d9f515550dc82fb
This creates an SELinux domain for permissioncontroller and moves it out of the
priv_app SELinux domain.
Bug: 142672293
Test: Flashed a device with this build and verified
com.google.android.permissioncontroller runs in the
permissioncontroller_app domain.
Change-Id: Ieb2e4cb806d18aaeb2e5c458e138975d1d5b64fe
A similar problem was previously encountered with the boot control HAL
in bug 118011561. The HAL may need access to emmc to implement
set_active commands.
fastbootd uses the boot control HAL in passthru mode when in recovery,
so by extension, it needs this exception as well.
Bug: 140367894
Test: fastbootd can use sys_rawio
Change-Id: I1040e314a58eae8a516a2e999e9d4e2aa51786e7
/system/bin/iorapd fork+execs into /system/bin/iorap_prefetcherd during
startup
See also go/android-iorap-security for the design doc
Bug: 137403231
Change-Id: Ie8949c7927a98e0ab757bc46230c589b5a496360
Create a service context for manager itself and allow servicemanager to
register itself. This is so that tools like dumpsys can reference
servicemanager the same way they would reference other services.
That things can still get ahold of the servicemanager directly via
libbinder APIs since it is a context manager.
Bug: 136027762
Test: dumpsys -l
Change-Id: If3d7aa5d5284c82840ed1877b969572ce0561d2e
Used when mapping RTM_GETLINK messages to this new permission.
Users of netlink_route_sockets that do not use the net_domain()
macro will need to grant this permission as needed. Compatibility
with older vendor images is preserved by granting all vendor domains
access to this new permission in *.compat.cil files.
Bug: 141455849
Test: build (this change is a no-op without kernel changes)
Change-Id: I18f1c9fc958120a26b7b3bea004920d848ffb26e
PackageManager needs to access these data to inspect APK signatures.
Test: installed apex.test under /vendor/apex and verified it is
recognized.
Change-Id: I657958631939d67ee04c0836001f52c212a0a35d
Only allow apps targetting < Q and ephemeral apps to open /dev/ashmem.
Ephemeral apps are not distinguishable based on target API. So allow
ephemeral_app to open /dev/ashmem for compatibility reasons.
For sake of simplicity, allow all domains /dev/ashmem permissions other
than "open". Reason being that once we can remove "open" access
everywhere, we can remove the device altogether along with other
permission.
Bug: 134434505
Test: boot crosshatch; browse internet, take picture;
no ashmem_device denials
Change-Id: Ie2464c23d799550722580a21b4f6f344983b43ba
zygote now allocates JIT memory using libcutils API (aosp/1135101)
instead of going to /dev/ashmem directly, which requires execute
permissions to ashmem_libcutils_device.
Bug: 134434505
Change-Id: I3b5eeac1ec06d8d70da327743174ca83eec6b41c
Test: boot crosshatch
This property is used for testing purposes when verifying the
behavior when an OTA occurs. It should be readable by the
system server, and be settable by the shell.
Test: Set property from shell, read with PackageManager
Bug: 140992644
Change-Id: I39ad9b7961208f02fa45011215c2ff5ac03b7380
NetworkStack will need to use netlink_tcpdiag_socket to get tcp
info. In order to support updatability for NetworkStack as it's
a mainline module, get the information from kernel directly to
reduce the dependecy with framework.
Test: Build and test if NetworkStack can get the tcp_info without
SEPolicy exception
Bug: 136162280
Change-Id: I8f584f27d5ece5e97090fb5fafe8c70c5cbbe123
This is needed to get Java heap graphs.
Test: flash aosp; profile system_server with setenforce 1
Bug: 136210868
Change-Id: I87dffdf28d09e6ce5f706782422510c615521ab3
zygote now allocates JIT memory using libcutils API (aosp/1135101)
instead of going to /dev/ashmem directly, which requires execute
permissions to ashmem_libcutils_device.
Bug: 134434505
Test: boot crosshatch
Change-Id: I0a54d64bd4656fafd2f03701d7828cfa94c08f04
Only allow apps targetting < Q and ephemeral apps to open /dev/ashmem.
Ephemeral apps are not distinguishable based on target API. So allow
ephemeral_app to open /dev/ashmem for compatibility reasons.
For sake of simplicity, allow all domains /dev/ashmem permissions other
than "open". Reason being that once we can remove "open" access
everywhere, we can remove the device altogether along with other
permission.
Bug: 134434505
Test: boot crosshatch; browse internet, take picture;
no ashmem_device denials
Change-Id: Ib4dddc47fcafb2697795538cdf055f305fa77799
This change is part of a topic that moves the recovery resources from the
system partition to the vendor partition, if it exists, or the vendor directory
on the system partition otherwise. The recovery resources are moving from the
system image to the vendor partition so that a single system image may be used
with either an A/B or a non-A/B vendor image. The topic removes a delta in the
system image that prevented such reuse in the past.
The recovery resources that are moving are involved with updating the recovery
partition after an update. In a non-A/B configuration, the system boots from
the recovery partition, updates the other partitions (system, vendor, etc.)
Then, the next time the system boots normally, a script updates the recovery
partition (if necessary). This script, the executables it invokes, and the data
files that it uses were previously on the system partition. The resources that
are moving include the following.
* install-recovery.sh
* applypatch
* recovery-resource.dat (if present)
* recovery-from-boot.p (if present)
This change includes the sepolicy changes to move the recovery resources from
system to vendor. The big change is renaming install_recovery*.te to
vendor_install_recovery*.te to emphasize the move to vendor. Other changes
follow from that. The net result is that the application of the recovery patch
has the same permissions that it had when it lived in system.
Bug: 68319577
Test: Ensure that recovery partition is updated correctly.
Change-Id: If29cb22b2a7a5ce1b25d45ef8635e6cb81103327
Probably flew under the radar because Google only tests on devices that
include devices with a physical /vendor partition.
Test: "make selinux_policy", confirm correct labels on a legacy device
Change-Id: I1aa856c6e3774912d1f4c0a09bbc2d174016f59d
Signed-off-by: Felix <google@ix5.org>
snapshotctl is a shell interface for libsnapshot. After rebooting
into an updated build, on sys.boot_completed, init calls
snapshotctl to merge snapshots. In order to do that, it needs to:
- Talk to gsid to mount and unmount COW images
- read the current slot suffix to do checks (and avoid merging
snapshots when it shouldn't).
- read / write OTA metadata files to understand states of
the snapshot
- delete OTA metadata files once a snapshot is merged
- collapse the snapshot device-mapper targets into a plain
dm-linear target by re-mapping devices on device-mapper
Test: reboot after OTA, see merge completed without denials
Bug: 135752105
Change-Id: Idfe99d4004e24805d56cd0ab2479557f237c2448
Ashmem FD selinux labels have recently been changed (aosp/1127917) from
"ashmemd" to the label of the whichever process opens the fd, which
resulted in the following denial:
avc: denied { use } for
path="/dev/ashmemf5dc2dbf-d1e7-457e-b694-93c84704135e" dev="tmpfs"
ino=18972 ioctlcmd=0x7704 scontext=u:r:zygote:s0
tcontext=u:r:system_server:s0 tclass=fd permissive=1
Test: m selinux_policy
Change-Id: I4880420014bda21cd4f83e3d6190c3cfaa76822f
- /data/gsi/ota/* now has the type ota_image_data_file. At runtime
during an OTA, update_engine uses libsnapshot to talk to gsid
to create these images as a backing storage of snapshots. These
"COW images" stores the changes update_engine has applied to
the partitions.
If the update is successful, these changes will be merged to the
partitions, and these images will be teared down. If the update
fails, these images will be deleted after rolling back to the
previous slot.
- /metadata/gsi/ota/* now has the type ota_metadata_file. At runtime
during an OTA, update_engine and gsid stores update states and
information of the created snapshots there. At next boot, init
reads these files to re-create the snapshots.
Beside these assignments, this CL also allows gsid and update_engine
to have the these permissions to do these operations.
Bug: 135752105
Test: apply OTA, no failure
Change-Id: Ibd53cacb6b4ee569c33cffbc18b1b801b62265de
The wifi stack APK will run inside the network_stack process. So, move
the sepolicy rules for wifi stack inside the network stack rules.
Bug: 135691051
Test: Manual tests
- manual connect to wifi networks
- Remove networks
Test: Will send for ACTS wifi regression testing
Change-Id: I9d5da80852f22fa1d12b2dbbc76b9e06c1275310
(cherry-picked from b83abf7af3df64e0d3c1b22548f2344b55aece28)
Vendors can publish services with servicemanager only on non-Treble
builds. vendor_service_contexts is not meant to be read by
servicemanager.
5bccbfefe4/public/servicemanager.te (22)
Bug: 141333155
Test: create /vendor/etc/selinux/vendor_service_contexts and make sure it is
correctly labeled.
Change-Id: Ib68c50e0cdb2c39f0857a10289bfa26fa11b1b3c
The commit 7baf725ea6 broke OMX on O/O-MR1(/P?) vendors.
Previous to this commit, all OMX codecs had to use "mediacodec" type,
after this commit, omx codecs just had to get hal_omx_server attribute.
This commit left to the vendor the charge of adding "hal_omx_server"
attribute to mediacodec.
However this can't work on non-Q vendors.
On P vendor, versioned_plat_pub contains the appdomain <=> mediacodec
allows, so OMX isn't technically broken on those devices.
But to ensure it won't break in the future, mark 28's mediacodec as
hal_omx_server as well
This fixes broken OMX decoding on O/O-MR1 vendors, failing with the
following denial:
avc: denied { call } for comm=4E444B204D65646961436F6465635F scontext=u:r:platform_app:s0:c512,c768 tcontext=u:r:mediacodec:s0 tclass=binder permissive=0
Bug: 141186440
Change-Id: I018f8d9aabc77e7ea86ca14734b1ab2edfdf8ed1
Introduces new domain vendor_boringssl_self_test and runs
/vendor/bin/boringssl_self_test(32|64) in it. New domain
required because boringssl_self_test needs to be in
coredomain in order to reboot the device, but vendor code
may not run in coredomain.
Bug: 141150335
Test: flashall && manually verify no selinux errors logged and that
four flag files are created in /dev/boringssl, two by the
system self tests and two by the vendor.
Change-Id: I46e2a5ea338eddacdfd089f696295dbd16795c5a
* changes:
Separate system_ext_mac_permissions.xml out of system sepolicy.
Separate system_ext_service_contexts out of system sepolicy.
Separate system_ext_property_contexts out of system sepolicy.
Separate system_ext_hwservice_contexts out of system sepolicy.
Separate system_ext_seapp_contexts out of system sepolicy.
Separate system_ext_file_contexts out of system sepolicy.
Separate system_ext_sepolicy.cil out of system sepolicy
Allow the shell domain to use the FS_IOC_GET_ENCRYPTION_POLICY and
FS_IOC_GET_ENCRYPTION_POLICY_EX ioctls so that we can write a CTS test
which checks that the device complies with the CDD requirements to use
appropriate algorithms for file-based encryption.
The information returned by these ioctls is already available in logcat,
but scraping the log for a CTS test seems fragile; I assume that people
would prefer a more robust solution.
For more details see change I9082241066cba82b531e51f9a5aec14526467162
Bug: 111311698
Test: the CTS test works after this change.
Change-Id: Ib9ce6b42fcfb6b546eb80a93ae8d17ac5a433984
Also, since fsverity_init has been rewriten in C++, shell execution is no
longer needed.
Test: no denial is generated
Bug: 112038744
Change-Id: I7e409cadd68cb6d5d8557a126a3b9e78063190be
Bug: 137712473
Test: boot crosshatch
Test: Moving product sepolicy to system_ext and checks the file contents in
/system_ext/etc/selinux are identical to previous contents in
/product/etc/selinux.
Change-Id: I434e7f23a1ae7d01d084335783255330329c44e9
This duplicated ashmem device is intended to replace ashmemd.
Ashmem fd has a label of the domain that opens it. Now with ashmemd
removed, ashmem fds can have labels other than "ashmemd", e.g.
"system_server". We add missing permissions to make ashmem fds usable.
Bug: 139855428
Test: boot device
Change-Id: Iec8352567f1e4f171f76db1272935eee59156954
To aid in debugging if there are failures.
Bug: 137267623
Test: add prints to boringssl_self_test and see them
Change-Id: I34b20225514898911b3f476d4517430433eb379e
