<feed xmlns='http://www.w3.org/2005/Atom'>
<title>system_core, branch replicant-10</title>
<subtitle>Fork of system/core
</subtitle>
<link rel='alternate' type='text/html' href='https://git.replicant.us/replicant-next/system_core/'/>
<entry>
<title>Revert "Use more relaxed VNDK config"</title>
<updated>2020-06-25T11:57:45+00:00</updated>
<author>
<name>Joonas Kylmälä</name>
<email>joonas.kylmala@iki.fi</email>
</author>
<published>2020-04-04T22:11:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/replicant-next/system_core/commit/?id=61fceee12e41fee72a381ab46187210d21d027cf'/>
<id>61fceee12e41fee72a381ab46187210d21d027cf</id>
<content type='text'>
This reverts commit ab82d1f68baf7a7963fdb5299516c2545a2d7175.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This reverts commit ab82d1f68baf7a7963fdb5299516c2545a2d7175.
</pre>
</div>
</content>
</entry>
<entry>
<title>HACK: gatekeeperd: force software implementation</title>
<updated>2020-06-25T11:57:45+00:00</updated>
<author>
<name>Denis 'GNUtoo' Carikli</name>
<email>GNUtoo@cyberdimension.org</email>
</author>
<published>2019-06-09T14:02:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/replicant-next/system_core/commit/?id=c92720b38d68913f61f1419c8bf910a09aba9e1d'/>
<id>c92720b38d68913f61f1419c8bf910a09aba9e1d</id>
<content type='text'>
Without that hack, IGatekeeper::getService() will try to get
a service implementing the Gatekeeper HAL. The HAL is supposed
to talk to a component that resides in a Trusted Execution
Environment (TEE) such as MobiCore.

On many Android devices, the Trusted Execution Environment
is not free software, nor under the control of the user, so it
cannot be trusted by the user, and in fact it's better, if possible,
to make sure that it does not run at all in that case.

Because of that the proper fix would be to implement
a Gatekeeper HAL that would not depend on nonfree software that
cannot be trusted.

This could for instance be implemented by:
* Using a simple software implementation.
* Using the Linux kernel keyring for that, which can
  provide good resilience against userspace trying to get key
  material. See man 7 keyrings for more information on that.
* Having a free software Trusted Execution Environment like
  Google's Trusty or other implementations.

See the following documentation for more background information:
https://source.android.com/security/authentication/gatekeeper

Signed-off-by: Denis 'GNUtoo' Carikli &lt;GNUtoo@cyberdimension.org&gt;
Rebased and adapted for Replicant 10
Signed-off-by: Joonas Kylmälä &lt;joonas.kylmala@iki.fi&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Without that hack, IGatekeeper::getService() will try to get
a service implementing the Gatekeeper HAL. The HAL is supposed
to talk to a component that resides in a Trusted Execution
Environment (TEE) such as MobiCore.

On many Android devices, the Trusted Execution Environment
is not free software, nor under the control of the user, so it
cannot be trusted by the user, and in fact it's better, if possible,
to make sure that it does not run at all in that case.

Because of that the proper fix would be to implement
a Gatekeeper HAL that would not depend on nonfree software that
cannot be trusted.

This could for instance be implemented by:
* Using a simple software implementation.
* Using the Linux kernel keyring for that, which can
  provide good resilience against userspace trying to get key
  material. See man 7 keyrings for more information on that.
* Having a free software Trusted Execution Environment like
  Google's Trusty or other implementations.

See the following documentation for more background information:
https://source.android.com/security/authentication/gatekeeper

Signed-off-by: Denis 'GNUtoo' Carikli &lt;GNUtoo@cyberdimension.org&gt;
Rebased and adapted for Replicant 10
Signed-off-by: Joonas Kylmälä &lt;joonas.kylmala@iki.fi&gt;
</pre>
</div>
</content>
</entry>
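The "simple software implementation" that the commit message above lists as one option, sketched as an added example in Python. This is not Replicant's code and not Android's Gatekeeper: a password handle is a salt plus an HMAC over the salt, secure user id and password under a device key; verification is a constant-time tag compare; a per-user failure counter throttles guesses. The device key, the handle layout and the throttling schedule are assumptions of this example. The caveat the commit message points at stays visible in the code: in a TEE the key and the failure counter are out of reach of root, whereas in a pure software implementation both live at the same privilege level as an attacker who already has root, unless something like the kernel keyring holds the key.

```python
import hashlib
import hmac
import os
import struct

HANDLE_VERSION = 1
SALT_LEN = 16
TAG_LEN = 32
HEADER = struct.Struct(">BQ")  # handle version, secure user id

# Assumption of this example: a per-device secret. A real software
# implementation has to keep this out of ordinary userspace's reach (the
# commit suggests the kernel keyring); here it is only generated so the
# example runs stand-alone.
DEVICE_KEY = os.urandom(32)


def _tag(key, version, user_id, salt, password):
    """HMAC over everything the handle binds together, keyed with the device key."""
    msg = HEADER.pack(version, user_id) + salt + password.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()


def enroll(key, user_id, password):
    """Return an opaque password handle: version | user id | salt | tag."""
    salt = os.urandom(SALT_LEN)
    header = HEADER.pack(HANDLE_VERSION, user_id)
    return header + salt + _tag(key, HANDLE_VERSION, user_id, salt, password)


def parse_handle(handle):
    """Split a handle back into its fields, rejecting anything of the wrong size."""
    if len(handle) != HEADER.size + SALT_LEN + TAG_LEN:
        raise ValueError("bad handle length")
    version, user_id = HEADER.unpack(handle[:HEADER.size])
    salt = handle[HEADER.size:HEADER.size + SALT_LEN]
    tag = handle[HEADER.size + SALT_LEN:]
    return version, user_id, salt, tag


class Throttle:
    """Per-user failure counter. The schedule is an assumption for the example
    (after 5 failures wait 30 s, doubling every further 5 failures), not
    Gatekeeper's real one. In a TEE this state is out of root's reach; in a
    pure software implementation it is not, which is the trade-off the
    commit accepts."""

    def __init__(self):
        self.failures = {}
        self.until = {}

    def remaining(self, user_id, now):
        t = self.until.get(user_id, 0.0)
        return t - now if t > now else 0.0

    def record(self, user_id, ok, now):
        if ok:
            self.failures.pop(user_id, None)
            self.until.pop(user_id, None)
            return 0.0
        n = self.failures.get(user_id, 0) + 1
        self.failures[user_id] = n
        if n >= 5:
            wait = 30.0 * (2 ** ((n - 5) // 5))
            self.until[user_id] = now + wait
            return wait
        return 0.0


def verify(key, handle, password, throttle, now):
    """Return (ok, retry_after_seconds). Does not even compute the tag while
    the user is throttled, and compares tags in constant time."""
    version, user_id, salt, tag = parse_handle(handle)
    wait = throttle.remaining(user_id, now)
    if wait > 0:
        return False, wait
    ok = hmac.compare_digest(_tag(key, version, user_id, salt, password), tag)
    return ok, throttle.record(user_id, ok, now)
```

The handle format is what a caller would store in /data; nothing in it lets the holder recover the password without the device key, which is exactly the part a TEE protects and a software implementation can only approximate.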
<entry>
<title>Use more relaxed VNDK config</title>
<updated>2020-06-25T11:57:45+00:00</updated>
<author>
<name>Joonas Kylmälä</name>
<email>joonas.kylmala@iki.fi</email>
</author>
<published>2019-03-06T06:35:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/replicant-next/system_core/commit/?id=75afa19b3a854d09ee0f5c59862b33514d206cf4'/>
<id>75afa19b3a854d09ee0f5c59862b33514d206cf4</id>
<content type='text'>
This allows graphics libraries to communicate with each other.

Change-Id: I4c66e86b6353a174584ff77b38989713f2f77a9e
Signed-off-by: Joonas Kylmälä &lt;joonas.kylmala@iki.fi&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This allows graphics libraries to communicate with each other.

Change-Id: I4c66e86b6353a174584ff77b38989713f2f77a9e
Signed-off-by: Joonas Kylmälä &lt;joonas.kylmala@iki.fi&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Fine tune blkio setting to improve boot time</title>
<updated>2020-06-13T12:00:35+00:00</updated>
<author>
<name>Rick Yiu</name>
<email>rickyiu@google.com</email>
</author>
<published>2020-06-04T06:28:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/replicant-next/system_core/commit/?id=084bb1b1cf6a72dfa1516e0071311b4360a9090e'/>
<id>084bb1b1cf6a72dfa1516e0071311b4360a9090e</id>
<content type='text'>
Bug: 133200996
Test: boot time test
Change-Id: I5262c28596adb7e849b202b8a163c190818f271a
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Bug: 133200996
Test: boot time test
Change-Id: I5262c28596adb7e849b202b8a163c190818f271a
</pre>
</div>
</content>
</entry>
<entry>
<title>rootdir: init.rc: use default dirty writeout policy</title>
<updated>2020-06-13T11:59:38+00:00</updated>
<author>
<name>Jaegeuk Kim</name>
<email>jaegeuk@google.com</email>
</author>
<published>2019-04-02T14:01:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/replicant-next/system_core/commit/?id=87e43cb7009897314c5a33370da66bf337327576'/>
<id>87e43cb7009897314c5a33370da66bf337327576</id>
<content type='text'>
This patch removes the old writeout policy tune, which had never been touched since
2009. In the meantime, most Android devices have become equipped with over 4GB DRAM
and very fast flash storage like UFS, which makes them more like the desktops or
servers of 2009. So, it'd be worth going back to the default kernel configs.

Bug: 129751503
Change-Id: Idb58f5b01bbc4afd270cffba5b8912ea3565819f
Signed-off-by: Jaegeuk Kim &lt;jaegeuk@google.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch removes the old writeout policy tune, which had never been touched since
2009. In the meantime, most Android devices have become equipped with over 4GB DRAM
and very fast flash storage like UFS, which makes them more like the desktops or
servers of 2009. So, it'd be worth going back to the default kernel configs.

Bug: 129751503
Change-Id: Idb58f5b01bbc4afd270cffba5b8912ea3565819f
Signed-off-by: Jaegeuk Kim &lt;jaegeuk@google.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>adbd: remove ifdefs guarding root/secure.</title>
<updated>2020-06-09T10:52:27+00:00</updated>
<author>
<name>Josh Gao</name>
<email>jmgao@google.com</email>
</author>
<published>2020-06-05T00:58:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/replicant-next/system_core/commit/?id=350500d60d8808867e531c1769b179f3db423d87'/>
<id>350500d60d8808867e531c1769b179f3db423d87</id>
<content type='text'>
The same adbd module prebuilt will get used for both user and userdebug
builds in the post-APEX world, so we can't guard functionality with
product variable ifdefs anymore.

The code that was previously compiled out runs before we drop root, so
the increased attack surface essentially consists of an attacker having
control over system properties, and that likely implies that we're
doomed already (either they have filesystem control, or they have code
execution in init).

Bug: http://b/158156979
Test: treehugger
Change-Id: Ia70d3140189e5212beb813ff719355e30ca5fa04
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The same adbd module prebuilt will get used for both user and userdebug
builds in the post-APEX world, so we can't guard functionality with
product variable ifdefs anymore.

The code that was previously compiled out runs before we drop root, so
the increased attack surface essentially consists of an attacker having
control over system properties, and that likely implies that we're
doomed already (either they have filesystem control, or they have code
execution in init).

Bug: http://b/158156979
Test: treehugger
Change-Id: Ia70d3140189e5212beb813ff719355e30ca5fa04
</pre>
</div>
</content>
</entry>
<entry>
<title>init.rc: disable kernel module autoloading</title>
<updated>2020-06-06T16:18:28+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@google.com</email>
</author>
<published>2020-03-11T16:56:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/replicant-next/system_core/commit/?id=9f8e60656e3240a3ade46ab5f63f76ab842a4ec7'/>
<id>9f8e60656e3240a3ade46ab5f63f76ab842a4ec7</id>
<content type='text'>
There is a longstanding bug where file-based encryption causes spurious
SELinux denials of module_request because it uses the kernel's crypto
API, and the crypto API tries to autoload kernel modules.

While this sometimes indicates missing kconfig options, it can still
happen even if all needed kconfig options are enabled.  This is because
a crypto algorithm can be a composition like "hmac(sha512)", and the
crypto API will first look for the full composition before it
instantiates it using the components like "hmac" and "sha512".  But
often an implementation of the full composition doesn't exist.

However, as far as I can tell, Android doesn't actually use kernel
module autoloading at all.  First, Android never changes
/proc/sys/kernel/modprobe from the default of "/sbin/modprobe", yet this
isn't where modprobe is located on Android.  Android's SELinux policy
contains a neverallow rule that ensures that only init (not even
vendor_init) can write to this setting, so vendors can't be changing it.

Vendors could potentially be setting CONFIG_STATIC_USERMODEHELPER_PATH,
which overrides the path of all usermode helpers including modprobe.
But this is a relatively new kconfig option, available only in
android-4.14 and later.  Also, for a vendor to actually do this they'd
also need to extend the SELinux policy with a domain_auto_trans rule to
allow their usermode helper to be executed by the kernel.

Android does increasingly use kernel modules, and GKI (Generic Kernel
Image) will require them.  However, the modules are actually inserted by
userspace by 'init', not autoloaded.

It's possible to disable kernel module autoloading completely by setting
/proc/sys/kernel/modprobe to an empty string.  So, let's do that.

This prevents lots of spurious SELinux denials, and allows removing
unnecessary rules to allow or dontaudit the module_request permission.

Note: when the kernel doesn't have CONFIG_ANDROID_BINDERFS enabled, this
change exposes a kernel bug that causes a WARNING in get_fs_type().  To
avoid this WARNING, a kernel fix should be applied too -- currently
under discussion upstream
(https://lkml.kernel.org/r/20200310223731.126894-1-ebiggers@kernel.org).

Bug: 130424539
Bug: 132409186
Bug: 144399145
Bug: 146477240
Bug: 148005188
Bug: 149542343

Test: Tested on cuttlefish and coral:

    - Checked that /proc/sys/kernel/modprobe contains /sbin/modprobe
      before this change, and the empty string after.

    - Checked that if all SELinux rules for module_request are removed,
      there are SELinux denials for module_request before this change
      but none after.

    - Ran lsmod both before and after and verified that the list is the
      same, i.e. checked that this change doesn't break how Android
      actually loads kernel modules.

Change-Id: I4132fe1a491e7b789311afcf693c1f6493fb9dc5
(cherry picked from commit 843f46e674e3f9d424144aa91c51777d66c9692c)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
There is a longstanding bug where file-based encryption causes spurious
SELinux denials of module_request because it uses the kernel's crypto
API, and the crypto API tries to autoload kernel modules.

While this sometimes indicates missing kconfig options, it can still
happen even if all needed kconfig options are enabled.  This is because
a crypto algorithm can be a composition like "hmac(sha512)", and the
crypto API will first look for the full composition before it
instantiates it using the components like "hmac" and "sha512".  But
often an implementation of the full composition doesn't exist.

However, as far as I can tell, Android doesn't actually use kernel
module autoloading at all.  First, Android never changes
/proc/sys/kernel/modprobe from the default of "/sbin/modprobe", yet this
isn't where modprobe is located on Android.  Android's SELinux policy
contains a neverallow rule that ensures that only init (not even
vendor_init) can write to this setting, so vendors can't be changing it.

Vendors could potentially be setting CONFIG_STATIC_USERMODEHELPER_PATH,
which overrides the path of all usermode helpers including modprobe.
But this is a relatively new kconfig option, available only in
android-4.14 and later.  Also, for a vendor to actually do this they'd
also need to extend the SELinux policy with a domain_auto_trans rule to
allow their usermode helper to be executed by the kernel.

Android does increasingly use kernel modules, and GKI (Generic Kernel
Image) will require them.  However, the modules are actually inserted by
userspace by 'init', not autoloaded.

It's possible to disable kernel module autoloading completely by setting
/proc/sys/kernel/modprobe to an empty string.  So, let's do that.

This prevents lots of spurious SELinux denials, and allows removing
unnecessary rules to allow or dontaudit the module_request permission.

Note: when the kernel doesn't have CONFIG_ANDROID_BINDERFS enabled, this
change exposes a kernel bug that causes a WARNING in get_fs_type().  To
avoid this WARNING, a kernel fix should be applied too -- currently
under discussion upstream
(https://lkml.kernel.org/r/20200310223731.126894-1-ebiggers@kernel.org).

Bug: 130424539
Bug: 132409186
Bug: 144399145
Bug: 146477240
Bug: 148005188
Bug: 149542343

Test: Tested on cuttlefish and coral:

    - Checked that /proc/sys/kernel/modprobe contains /sbin/modprobe
      before this change, and the empty string after.

    - Checked that if all SELinux rules for module_request are removed,
      there are SELinux denials for module_request before this change
      but none after.

    - Ran lsmod both before and after and verified that the list is the
      same, i.e. checked that this change doesn't break how Android
      actually loads kernel modules.

Change-Id: I4132fe1a491e7b789311afcf693c1f6493fb9dc5
(cherry picked from commit 843f46e674e3f9d424144aa91c51777d66c9692c)
</pre>
</div>
</content>
</entry>
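An added example in Python, not part of the commit or of system/core, that follows the reasoning and the test plan of the commit message above: it decides from the content of /proc/sys/kernel/modprobe whether autoloading is off, splits a crypto API algorithm name such as hmac(sha512) into the full composition and its component names (an approximation of the names the kernel asks modprobe for, not the exact order of request_module() calls in crypto/api.c), and pulls module_request denials out of SELinux audit lines so the before/after comparison in the test plan can be scripted. The log lines are constructed for the example; the kmod= field in a module_request denial carries the name the kernel asked for, which the crypto API prefixes with crypto-.

```python
import re


def autoload_disabled(modprobe_sysctl):
    """True when /proc/sys/kernel/modprobe is empty, which is how the commit
    turns kernel module autoloading off (the kernel default is "/sbin/modprobe")."""
    return modprobe_sysctl.strip() == ""


def crypto_alg_components(name):
    """Split a crypto API algorithm name into the names the kernel may try to
    autoload: the full composition first, then each template and each leaf
    algorithm, recursively. This approximates the commit's description; the
    real lookup order lives in crypto/api.c."""
    out = [name]

    def walk(spec):
        # split on commas that are not nested inside parentheses
        parts, depth, start = [], 0, 0
        for i, ch in enumerate(spec):
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == "," and depth == 0:
                parts.append(spec[start:i])
                start = i + 1
        parts.append(spec[start:])
        for part in parts:
            part = part.strip()
            if "(" in part:
                template, _, rest = part.partition("(")
                out.append(template)
                walk(rest[:-1])  # drop the closing ")" of this template
            elif part:
                out.append(part)

    if "(" in name:
        walk(name)
    return out


# Constructed sample in the shape of kernel audit output for SELinux denials;
# pids, timestamps and contexts are invented for the example.
SAMPLE_DMESG = """\
[   12.345678] type=1400 audit(1583945775.100:12): avc:  denied  { module_request } for  pid=412 comm="vold" kmod="crypto-hmac(sha512)" scontext=u:r:vold:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
[   12.345700] type=1400 audit(1583945775.101:13): avc:  denied  { module_request } for  pid=412 comm="vold" kmod="crypto-sha512" scontext=u:r:vold:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
[   13.000000] type=1400 audit(1583945776.000:14): avc:  denied  { read } for  pid=301 comm="vold" name="foo" dev="sda1" ino=42 scontext=u:r:vold:s0 tcontext=u:object_r:unlabeled:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc: +denied +\{ ([^}]*) \}(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def module_request_denials(log_text):
    """Return (comm, kmod) for each module_request denial, i.e. each time the
    kernel asked for a module on behalf of a process. With the sysctl emptied
    these should no longer appear, even with every module_request allow or
    dontaudit rule removed from the policy."""
    found = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        if "module_request" not in m.group(1).split():
            continue
        fields = {}
        for key, value in FIELD_RE.findall(m.group(2)):
            fields[key] = value.strip('"')
        found.append((fields.get("comm", "?"), fields.get("kmod", "?")))
    return found
```

On a device, feed module_request_denials() the output of dmesg or logcat taken before and after the init.rc change, and compare lsmod output separately as the commit's test plan does; the list of loaded modules must be unchanged because init inserts them itself.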
<entry>
<title>Merge tag 'android-10.0.0_r37' into staging/lineage-17.1_merge-android-10.0.0_r37</title>
<updated>2020-06-02T02:46:14+00:00</updated>
<author>
<name>Kevin F. Haggerty</name>
<email>haggertk@lineageos.org</email>
</author>
<published>2020-06-02T02:46:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/replicant-next/system_core/commit/?id=8715e68d169854a16f4ef16649b834739494bf89'/>
<id>8715e68d169854a16f4ef16649b834739494bf89</id>
<content type='text'>
Android 10.0.0 Release 37 (QQ3A.200605.001)

* tag 'android-10.0.0_r37':
  Add cpu-set properties to serializer test
  Allowing R and S developer GSI for DSU
  Adding new GSI public keys
  Increase timeouts.
  Add TEMP_FAILURE_RETRY where appropriate.
  Increase timeout to avoid flaky tests.
  configs for jailed procs to dump code coverage data
  Move gcov output to /data/misc/trace
  rootdir: init.rc to limit discard size to 128MB

Change-Id: I402131a51320e548dfd105d2223423e14a9e8ec4
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Android 10.0.0 Release 37 (QQ3A.200605.001)

* tag 'android-10.0.0_r37':
  Add cpu-set properties to serializer test
  Allowing R and S developer GSI for DSU
  Adding new GSI public keys
  Increase timeouts.
  Add TEMP_FAILURE_RETRY where appropriate.
  Increase timeout to avoid flaky tests.
  configs for jailed procs to dump code coverage data
  Move gcov output to /data/misc/trace
  rootdir: init.rc to limit discard size to 128MB

Change-Id: I402131a51320e548dfd105d2223423e14a9e8ec4
</pre>
</div>
</content>
</entry>
<entry>
<title>fs_mgr: skip setting rootfs block as ro during mount_all in recovery</title>
<updated>2020-05-03T20:32:05+00:00</updated>
<author>
<name>Alessandro Astone</name>
<email>ales.astone@gmail.com</email>
</author>
<published>2020-05-03T20:29:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/replicant-next/system_core/commit/?id=6ec9b91220c9a8e8073a35aaf933a2a98fa371ad'/>
<id>6ec9b91220c9a8e8073a35aaf933a2a98fa371ad</id>
<content type='text'>
Change-Id: I418aa8480828671cfc04aedf0d88daf1eb3c1e96
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Change-Id: I418aa8480828671cfc04aedf0d88daf1eb3c1e96
</pre>
</div>
</content>
</entry>
<entry>
<title>adb: go back to standard adb root prop</title>
<updated>2020-04-18T23:20:54+00:00</updated>
<author>
<name>Alessandro Astone</name>
<email>ales.astone@gmail.com</email>
</author>
<published>2020-03-20T18:47:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/replicant-next/system_core/commit/?id=226d851d24f3fe50482a295692c0b45d9451cd7e'/>
<id>226d851d24f3fe50482a295692c0b45d9451cd7e</id>
<content type='text'>
 * This reverts change Ie2b8c5e9d75371da43305f003607869370bbd1a4
   plus more changes

Change-Id: Ia17239e3671d2c1a92664810ed53175110699473
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
 * This reverts change Ie2b8c5e9d75371da43305f003607869370bbd1a4
   plus more changes

Change-Id: Ia17239e3671d2c1a92664810ed53175110699473
</pre>
</div>
</content>
</entry>
</feed>
