tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/priv_app.te

291 lines
11 KiB
Text
Raw Normal View History

Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
###
### A domain for further sandboxing privileged apps.
###
Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-23 22:27:32 +01:00
typeattribute priv_app coredomain;
Restore app_domain macro and move to private use. app_domain was split up in commit: 2e00e6373faa6271d7839d33c5b9e69d998ff020 to enable compilation by hiding type_transition rules from public policy. These rules need to be hidden from public policy because they describe how objects are labeled, of which non-platform should be unaware. Instead of cutting apart the app_domain macro, which non-platform policy may rely on for implementing new app types, move all app_domain calls to private policy. (cherry-pick of commit: 76035ea01971156895cf0d8efc1876bfa2025bd6) Bug: 33428593 Test: bullhead and sailfish both boot. sediff shows no policy change. Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
2016-12-08 20:23:34 +01:00
app_domain(priv_app)
sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-10-12 23:58:09 +02:00
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
# Access the network.
net_domain(priv_app)
# Access bluetooth.
bluetooth_domain(priv_app)
sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-10-12 23:58:09 +02:00
# Allow the allocation and use of ptys
# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
create_pty(priv_app)
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
allow priv_app self:process ptrace;
Allow gmscore to ptrace itself This is needed to debug native crashes within the gmscore app. Now that GMS core is running in gmscore_app and not in the priv_app domain, we need this rule for the new domain. This also adds an auditallow to the same rule for priv_app, so we can delete it once no logs show up in go/sedenials for this rule triggerring. Bug: 142672293 Test: TH Change-Id: I7d28bb5df1a876d0092758aff321e62fa2979694
2019-12-12 01:53:45 +01:00
# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
userdebug_or_eng(`
auditallow priv_app self:process ptrace;
')
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
drop priv_app app_data_file:file execute; system/sepolicy commit 23c9d91b46352bd91cdc58f33d55378e5567dc1c introduced a new type called privapp_data_file. This type is used to label priv-app's /home files. For backwards compatibility, priv-app rules involving normal app_data_files were preserved. Subsequently, system/sepolicy commit 5d1755194a841ab727467a30757fd1606cef905b assigned the file label privapp_data_file to /home files owned by priv-apps. Because of the previous labeling of priv-app data files, priv-apps were granted the ability to mmap(PROT_EXEC) any other app's /home files, regardless of how trustworthy or untrustworthy those files were. Commit 23c9d91b46352bd91cdc58f33d55378e5567dc1c preserved the status quo. However, now that we have a more refined label for priv-app /home files, we no longer need to be as permissive. Drop the ability for priv-apps to map executable code from untrusted_apps home directories. "execute" is removed in this change, and "execute_no_trans" was previously removed in commit 8fb4cb8bc20b999d69210f6fc6b552c6e22b8e09. Add a neverallow assertion (compile time assertion + CTS test) to prevent regressions. Further clarify why we need to support priv-apps loading executable code from their own home directories, at least for now. b/112037137 covers further tightening we can do in this area. Bug: 112357170 Test: Device boots and no problems. Change-Id: Ia6a9eb4c2ed8a02ad45644d025181ba3c8424cda
2018-10-28 00:20:38 +02:00
# Allow loading executable code from writable priv-app home
# directories. This is a W^X violation, however, it needs
# to be supported for now for the following reasons.
# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
# 1) com.android.opengl.shaders_cache
# 2) com.android.skia.shaders_cache
# 3) com.android.renderscript.cache
# * /data/user_de/0/com.google.android.gms/app_chimera
# TODO: Tighten (b/112357170)
allow priv_app privapp_data_file:file execute;
Audit GMS core related allow rules in priv_app.te We've moved GMS core to its own domain, and these permissions should be removed from the priv_app domain. This change adds auditallow to these permissions so we know if it's safe to check if any other privapps are relying on these. Bug: 142672293 Test: Green builds Change-Id: I35402f1166a0edf8e001d894413f470c090c7b57
2019-11-26 20:02:31 +01:00
# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
userdebug_or_eng(`
auditallow priv_app privapp_data_file:file execute;
')
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
disallow priv-apps from following untrusted app symlinks. Untrustworthy symlinks dereferenced by priv-apps could cause those apps to access files they weren't intending to access. Trusted components such as priv-apps should never trust untrustworthy symlinks from untrusted apps. Modify the rules and add a neverallow assertion to prevent regressions. Bug: 123350324 Test: device boots and no obvious problems. Change-Id: I8c4a5c9c8571fd29b2844b20b4fd1126db4128c0
2019-01-24 22:05:03 +01:00
allow priv_app privapp_data_file:lnk_file create_file_perms;
Clarify priv_app.te. No semantic changes. Just trying to make this easier to understand: - Separate out common bundles of services from individual services (the naming doesn't make this obvious). - Comment the common ones. - Put related binder_call and service_manager:find rules together. Test: Builds Change-Id: Iba4a85a464da032e35450abff0febcdcf433df48
2019-03-22 00:52:30 +01:00
# Priv apps can find services that expose both @SystemAPI and normal APIs.
Update priv_app selinux policy to allow gmscore to be able to communicate with statsd Test: manual testing conducted Change-Id: Icd268e258f7cbdd9310baab53fe0c66f4f303d5e
2018-01-09 20:27:36 +01:00
allow priv_app app_api_service:service_manager find;
Clarify priv_app.te. No semantic changes. Just trying to make this easier to understand: - Separate out common bundles of services from individual services (the naming doesn't make this obvious). - Comment the common ones. - Put related binder_call and service_manager:find rules together. Test: Builds Change-Id: Iba4a85a464da032e35450abff0febcdcf433df48
2019-03-22 00:52:30 +01:00
allow priv_app system_api_service:service_manager find;
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
allow priv_app audioserver_service:service_manager find;
allow priv_app cameraserver_service:service_manager find;
allow priv_app drmserver_service:service_manager find;
allow priv_app mediadrmserver_service:service_manager find;
allow priv_app mediaextractor_service:service_manager find;
Update priv_app selinux policy to allow gmscore to be able to communicate with statsd Test: manual testing conducted Change-Id: Icd268e258f7cbdd9310baab53fe0c66f4f303d5e
2018-01-09 20:27:36 +01:00
allow priv_app mediametrics_service:service_manager find;
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
allow priv_app mediaserver_service:service_manager find;
Add network watchlist service SELinux policy rules Bug: 63908748 Test: built, flashed, able to boot Change-Id: I3cfead1d687112b5f8cd485c8f84083c566fbce2
2017-11-13 18:52:05 +01:00
allow priv_app network_watchlist_service:service_manager find;
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
allow priv_app nfc_service:service_manager find;
SE Linux policies for OemLockService Bug: 34766843 Test: gts-tradefed run gts -m GtsBootloaderServiceTestCases -t \ com.google.android.bootloader.gts.BootloaderServiceTest Change-Id: I8b939e0dbe8351a54f20c303921f606c3462c17d
2017-02-17 14:51:32 +01:00
allow priv_app oem_lock_service:service_manager find;
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
allow priv_app persistent_data_block_service:service_manager find;
Update priv_app selinux policy to allow gmscore to be able to communicate with statsd Test: manual testing conducted Change-Id: Icd268e258f7cbdd9310baab53fe0c66f4f303d5e
2018-01-09 20:27:36 +01:00
allow priv_app radio_service:service_manager find;
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
allow priv_app recovery_service:service_manager find;
Update priv_app selinux policy to allow gmscore to be able to communicate with statsd Test: manual testing conducted Change-Id: Icd268e258f7cbdd9310baab53fe0c66f4f303d5e
2018-01-09 20:27:36 +01:00
allow priv_app stats_service:service_manager find;
[Tether15] Allow system app to find TetheringManager Bug: 144320246 Test: -build, flash, boot -OFF/ON hotspot Change-Id: I8ce7ac5eb8198f0df4a2da426e3c56e8915e746a
2019-11-11 13:30:23 +01:00
allow priv_app tethering_service:service_manager find;
Game Driver: sepolicy update for plumbing GpuStats into GpuService Allow all the app process with GUI to send GPU health metrics stats to GpuService during the GraphicsEnvironment setup stage for the process. Bug: 123529932 Test: Build, flash and boot. No selinux denials. Change-Id: Ic7687dac3c8a3ea43fa744a6ae8a45716951c4df
2019-02-08 00:00:55 +01:00
# Allow privileged apps to interact with gpuservice
binder_call(priv_app, gpuservice)
Clarify priv_app.te. No semantic changes. Just trying to make this easier to understand: - Separate out common bundles of services from individual services (the naming doesn't make this obvious). - Comment the common ones. - Put related binder_call and service_manager:find rules together. Test: Builds Change-Id: Iba4a85a464da032e35450abff0febcdcf433df48
2019-03-22 00:52:30 +01:00
allow priv_app gpu_service:service_manager find;
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
# Write to /cache.
allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
priv_app: allow reading /cache symlink Addresses the following denial: avc: denied { read } for name="cache" dev="dm-0" ino=2755 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_file:s0 tclass=lnk_file permissive=0 which occurs when a priv-app attempts to follow the /cache symlink. This symlink occurs on devices which don't have a /cache partition, but rather symlink /cache to /data/cache. Bug: 34644911 Test: Policy compiles. Change-Id: I9e052aeb0c98bac74fa9225b9253b1537ffa5adc
2017-01-24 07:19:06 +01:00
# /cache is a symlink to /data/cache on some devices. Allow reading the link.
allow priv_app cache_file:lnk_file r_file_perms;
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
# Write to /data/ota_package for OTA packages.
allow priv_app ota_package_file:dir rw_dir_perms;
allow priv_app ota_package_file:file create_file_perms;
# Access to /data/media.
allow priv_app media_rw_data_file:dir create_dir_perms;
allow priv_app media_rw_data_file:file create_file_perms;
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow priv_app shell_data_file:file r_file_perms;
allow priv_app shell_data_file:dir r_dir_perms;
Adding ability for priv apps to read traceur fd Only untrusted apps had privilegs to read file descriptors passed in from traceur, which was an oversight. This fixes the policy so that priv apps can also access file descriptors from traceur in order to read reports shared from traceur. Bug: 74435522 Test: better bug has access to reports shared from traceur Change-Id: I591872cdac31eec62edbc81d95f1220f1152427f
2018-03-13 17:56:27 +01:00
# Allow traceur to pass file descriptors through a content provider to betterbug
allow priv_app trace_data_file:file { getattr read };
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
# Allow verifier to access staged apks.
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
# b/18504118: Allow reads from /data/anr/traces.txt
allow priv_app anr_data_file:file r_file_perms;
# For AppFuse.
allow priv_app vold:fd use;
allow priv_app fuse_device:chr_file { read write };
priv_app: remove access to 'proc' and 'sysfs' types. Bug: 65643247 Test: walleye boots with no denials from priv_app. Change-Id: I9a7faf1253bdd79d780c2398c740109e2d84bc63
2017-12-09 00:37:01 +01:00
# /proc access
allow priv_app {
proc_vmstat
}:file r_file_perms;
allow priv_app sysfs_type:dir search;
# Read access to /sys/class/net/wlan*/address
r_dir_file(priv_app, sysfs_net)
# Read access to /sys/block/zram*/mm_stat
r_dir_file(priv_app, sysfs_zram)
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
r_dir_file(priv_app, rootfs)
Allow access to /proc/config.gz for priv_app and recovery Bug: 37485771 Test: sideloaded OTA through recovery on sailfish Change-Id: I98bb4e0e919db585131391f57545f1a9a0096701 Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-19 20:35:15 +02:00
# Allow GMS core to open kernel config for OTA matching through libvintf
allow priv_app config_gz:file { open read getattr };
Audit GMS core related allow rules in priv_app.te We've moved GMS core to its own domain, and these permissions should be removed from the priv_app domain. This change adds auditallow to these permissions so we know if it's safe to check if any other privapps are relying on these. Bug: 142672293 Test: Green builds Change-Id: I35402f1166a0edf8e001d894413f470c090c7b57
2019-11-26 20:02:31 +01:00
# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
userdebug_or_eng(`
auditallow priv_app config_gz:file { open read getattr };
')
Allow access to /proc/config.gz for priv_app and recovery Bug: 37485771 Test: sideloaded OTA through recovery on sailfish Change-Id: I98bb4e0e919db585131391f57545f1a9a0096701 Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-19 20:35:15 +02:00
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
# access the mac address
allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
# Allow GMS core to communicate with update_engine for A/B update.
binder_call(priv_app, update_engine)
allow priv_app update_engine_service:service_manager find;
Audit GMS core related allow rules in priv_app.te We've moved GMS core to its own domain, and these permissions should be removed from the priv_app domain. This change adds auditallow to these permissions so we know if it's safe to check if any other privapps are relying on these. Bug: 142672293 Test: Green builds Change-Id: I35402f1166a0edf8e001d894413f470c090c7b57
2019-11-26 20:02:31 +01:00
# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
userdebug_or_eng(`
auditallow priv_app update_engine:binder { call transfer };
auditallow update_engine priv_app:binder transfer;
auditallow priv_app update_engine:fd use;
auditallow priv_app update_engine_service:service_manager find;
')
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
Allow GMSCore to call dumpsys storaged Test: trigger dumpsys storaged from GMScore Bug: 37284569 Change-Id: Ie734ce5487a69f8cc29dd73d470229fe81cd1176
2017-04-13 02:38:11 +02:00
# Allow GMS core to communicate with dumpsys storaged.
binder_call(priv_app, storaged)
allow priv_app storaged_service:service_manager find;
Audit GMS core related allow rules in priv_app.te We've moved GMS core to its own domain, and these permissions should be removed from the priv_app domain. This change adds auditallow to these permissions so we know if it's safe to check if any other privapps are relying on these. Bug: 142672293 Test: Green builds Change-Id: I35402f1166a0edf8e001d894413f470c090c7b57
2019-11-26 20:02:31 +01:00
# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
userdebug_or_eng(`
auditallow priv_app storaged:binder { call transfer };
auditallow storaged priv_app:binder transfer;
auditallow priv_app storaged:fd use;
auditallow priv_app storaged_service:service_manager find;
')
Allow GMSCore to call dumpsys storaged Test: trigger dumpsys storaged from GMScore Bug: 37284569 Change-Id: Ie734ce5487a69f8cc29dd73d470229fe81cd1176
2017-04-13 02:38:11 +02:00
Add rules for system_update service. system_update service manages system update information: system updater (priv_app) publishes the pending system update info through the service, while other apps can read the info accordingly (design doc in go/pi-ota-platform-api). This CL adds the service type, and grants priv_app to access the service. Bug: 67437079 Test: Build and flash marlin image. The system_update service works. Change-Id: I7a3eaee3ecd3e2e16b410413e917ec603566b375
2017-10-17 06:57:12 +02:00
# Allow GMS core to access system_update_service (e.g. to publish pending
# system update info).
allow priv_app system_update_service:service_manager find;
Audit GMS core related allow rules in priv_app.te We've moved GMS core to its own domain, and these permissions should be removed from the priv_app domain. This change adds auditallow to these permissions so we know if it's safe to check if any other privapps are relying on these. Bug: 142672293 Test: Green builds Change-Id: I35402f1166a0edf8e001d894413f470c090c7b57
2019-11-26 20:02:31 +01:00
# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
userdebug_or_eng(`
auditallow priv_app system_update_service:service_manager find;
')
Add rules for system_update service. system_update service manages system update information: system updater (priv_app) publishes the pending system update info through the service, while other apps can read the info accordingly (design doc in go/pi-ota-platform-api). This CL adds the service type, and grants priv_app to access the service. Bug: 67437079 Test: Build and flash marlin image. The system_update service works. Change-Id: I7a3eaee3ecd3e2e16b410413e917ec603566b375
2017-10-17 06:57:12 +02:00
Update priv_app selinux policy to allow gmscore to be able to communicate with statsd Test: manual testing conducted Change-Id: Icd268e258f7cbdd9310baab53fe0c66f4f303d5e
2018-01-09 20:27:36 +01:00
# Allow GMS core to communicate with statsd.
binder_call(priv_app, statsd)
Audit GMS core related allow rules in priv_app.te We've moved GMS core to its own domain, and these permissions should be removed from the priv_app domain. This change adds auditallow to these permissions so we know if it's safe to check if any other privapps are relying on these. Bug: 142672293 Test: Green builds Change-Id: I35402f1166a0edf8e001d894413f470c090c7b57
2019-11-26 20:02:31 +01:00
# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
userdebug_or_eng(`
auditallow priv_app statsd:binder { call transfer };
auditallow statsd priv_app:binder transfer;
auditallow priv_app statsd:fd use;
')
Update priv_app selinux policy to allow gmscore to be able to communicate with statsd Test: manual testing conducted Change-Id: Icd268e258f7cbdd9310baab53fe0c66f4f303d5e
2018-01-09 20:27:36 +01:00
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
# Allow Phone to read/write cached ringtones (opened by system).
allow priv_app ringtone_file:file { getattr read write };
# Access to /data/preloads
allow priv_app preloads_data_file:file r_file_perms;
allow priv_app preloads_data_file:dir r_dir_perms;
Split preloads into media_file and data_file Untrusted apps should only access /data/preloads/media and demo directory. Bug: 36197686 Test: Verified retail mode. Checked non-privileged APK cannot access /data/preloads Change-Id: I8e9c21ff6aba799aa31bf06893cdf60dafc04446
2017-03-14 19:42:03 +01:00
allow priv_app preloads_media_file:file r_file_perms;
allow priv_app preloads_media_file:dir r_dir_perms;
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
Add keystore_key:attest_unique_id to priv_app. Only privileged apps are supposed to be able to get unique IDs from attestation. Test: CTS test verifies the negative condition, manual the positive Bug: 34671471 Change-Id: I9ab3f71b1e11ed1d7866ff933feece73152d2578
2017-04-11 17:41:25 +02:00
# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
allow priv_app keystore:keystore_key gen_unique_id;
Audit GMS core related allow rules in priv_app.te We've moved GMS core to its own domain, and these permissions should be removed from the priv_app domain. This change adds auditallow to these permissions so we know if it's safe to check if any other privapps are relying on these. Bug: 142672293 Test: Green builds Change-Id: I35402f1166a0edf8e001d894413f470c090c7b57
2019-11-26 20:02:31 +01:00
# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
userdebug_or_eng(`
auditallow priv_app keystore:keystore_key gen_unique_id;
')
Add keystore_key:attest_unique_id to priv_app. Only privileged apps are supposed to be able to get unique IDs from attestation. Test: CTS test verifies the negative condition, manual the positive Bug: 34671471 Change-Id: I9ab3f71b1e11ed1d7866ff933feece73152d2578
2017-04-11 17:41:25 +02:00
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
allow priv_app selinuxfs:file r_file_perms;
Audit GMS core related allow rules in priv_app.te We've moved GMS core to its own domain, and these permissions should be removed from the priv_app domain. This change adds auditallow to these permissions so we know if it's safe to check if any other privapps are relying on these. Bug: 142672293 Test: Green builds Change-Id: I35402f1166a0edf8e001d894413f470c090c7b57
2019-11-26 20:02:31 +01:00
# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
userdebug_or_eng(`
auditallow priv_app selinuxfs:file r_file_perms;
')
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
logd: restrict access to /dev/event-log-tags Create an event_log_tags_file label and use it for /dev/event-log-tags. Only trusted system log readers are allowed direct read access to this file, no write access. Untrusted domain requests lack direct access, and are thus checked for credentials via the "plan b" long path socket to the event log tag service. Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests Bug: 31456426 Bug: 30566487 Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
2016-11-08 00:11:39 +01:00
read_runtime_log_tags(priv_app)
Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2017-12-21 03:51:15 +01:00
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
Allow Java domains to be Perfetto producers. This is needed to get Java heap graphs. Test: flash aosp; profile system_server with setenforce 1 Bug: 136210868 Change-Id: I87dffdf28d09e6ce5f706782422510c615521ab3
2019-10-08 17:15:14 +02:00
perfetto_producer(priv_app)
Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2017-12-21 03:51:15 +01:00
Allow incidentd to communicate with clients over pipes. Previously we dumped the data into dropbox. This improves a couple things: - We write into dropbox via the fd, so dropbox doesn't pull from the incidentd directory anymore. - There is a new API to for priv apps to explicitly read incident reports. That gives incidentd finer grained control over who can read it (specifically, it only allows apps to access the incident reports they requested, or were requested for them via statsd, instead of getting DUMP and reading whatever they want from dropbox). Test: bit incident_test:* GtsIncidentManagerTestCases:* Bug: 123543706 Change-Id: I9a323e372c4ff95d91419a61e8a20ea5a3a860a5
2019-03-16 23:45:45 +01:00
# Allow priv_apps to request and collect incident reports.
# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
allow priv_app incident_service:service_manager find;
binder_call(priv_app, incidentd)
allow priv_app incidentd:fifo_file { read write };
Allow heap profiling of certain app domains on user builds This patch extends the current debug-specific rules to cover user builds. As a reminder, on user, the target process fork-execs a private heapprofd process, which then performs stack unwinding & talking to the central tracing daemon while staying in the target's domain. The central heapprofd daemon is only responsible for identifying targets & sending the activation signal. On the other hand, on debug, the central heapprofd can handle all processes directly, so the necessary SELinux capabilities depend on the build type. These rules are necessary but not sufficient for profiling. For zygote children, the libc triggering logic will also check for the app to either be debuggable, or go/profileable. For more context, see go/heapprofd-security & go/heapprofd-design. Note that I've had to split this into two separate macros, as exec_no_trans - which is necessary on user, but nice-to-have on debug - conflicts with a lot of neverallows (e.g. HALs and system_server) for the wider whitelisting that we do on debug builds. Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat. Bug: 120409382 Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
# Allow heap profiling if the app opts in by being marked
# profileable/debuggable.
can_profile_heap(priv_app)
Sepolicy: add dynamic_system_prop and allow shell and system_app (Settings) to set it to enable Dynamic System Update. Also allow priv_app (user of the API) to read it. Bug: 119647479 Bug: 129060539 Test: run the following command on crosshatch-user: adb shell setprop persist.sys.fflag.override.settings_dynamic_system 1 Change-Id: I24a5382649c64d36fd05a59bc87faca87e6f0eb8 Merged-In: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
2019-04-26 10:14:52 +02:00
# Allow priv_apps to check whether Dynamic System Update is enabled
get_prop(priv_app, dynamic_system_prop)
Suppress denials for non-API access avc: denied { read } scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:proc_version:s0 tclass=file avc: denied { read } scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:wifi_prop:s0 tclass=file avc: denied { read } scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:net_dns_prop:s0 tclass=file Bug: 72151306 Test: build Change-Id: I4b658ccd128746356f635ca7955385a89609eea1
2018-01-18 17:55:02 +01:00
# suppress denials for non-API accesses.
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
dontaudit priv_app exec_type:file getattr;
priv_app: move logspam suppression to core policy No sign of these denials getting cleaned up, so supress them in core policy. Test: build Change-Id: I0320425cb72cbd15cef0762090899491338d4f7c
2017-10-20 22:35:42 +02:00
dontaudit priv_app device:dir read;
Remove some priv_app logspam. avc: denied { search } for name="/" scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:fs_bpf:s0 tclass=dir permissive=0 Bug: 72749888 Test: Boot without seeing the denial. Change-Id: Iaf3559928473c68066e6a42ba71655a683861901
2018-04-21 00:27:21 +02:00
dontaudit priv_app fs_bpf:dir search;
priv_app: remove more logspam avc: denied { read } for name="ext4" dev="sysfs" ino=32709 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0 b/72749888 avc: denied { read } for name="state" dev="sysfs" ino=51318 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_android_usb:s0 tclass=file permissive=0 b/72749888 Bug: 72749888 Test: build/boot taimen-userdebug. No more logspam Change-Id: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e Merged-In: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e (cherry picked from commit 558cdf1e9925ca7b1420569abab677090d3d9528)
2018-04-04 23:36:13 +02:00
dontaudit priv_app net_dns_prop:file read;
priv_app: remove access to 'proc' and 'sysfs' types. Bug: 65643247 Test: walleye boots with no denials from priv_app. Change-Id: I9a7faf1253bdd79d780c2398c740109e2d84bc63
2017-12-09 00:37:01 +01:00
dontaudit priv_app proc:file read;
priv_app: move logspam suppression to core policy No sign of these denials getting cleaned up, so supress them in core policy. Test: build Change-Id: I0320425cb72cbd15cef0762090899491338d4f7c
2017-10-20 22:35:42 +02:00
dontaudit priv_app proc_interrupts:file read;
dontaudit priv_app proc_modules:file read;
priv_app: suppress denials to proc_net avc: denied { read } for comm="UserFacing3" name="arp" dev="proc" ino=4026532043 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0 app=com.google.android.googlequicksearchbox Bug: 132376360 Test: m selinux_policy Change-Id: I6ebe8b6806268f31885026a81ebea0ed15b532d2
2019-05-10 01:14:04 +02:00
dontaudit priv_app proc_net:file read;
priv_app: suppress denials for /proc/stat Bug: 72668919 Test: build Change-Id: Id156b40a572dc0dbfae4500865400939985949d9
2018-01-30 05:50:59 +01:00
dontaudit priv_app proc_stat:file read;
Suppress denials for non-API access avc: denied { read } scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:proc_version:s0 tclass=file avc: denied { read } scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:wifi_prop:s0 tclass=file avc: denied { read } scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:net_dns_prop:s0 tclass=file Bug: 72151306 Test: build Change-Id: I4b658ccd128746356f635ca7955385a89609eea1
2018-01-18 17:55:02 +01:00
dontaudit priv_app proc_version:file read;
priv_app: remove more logspam avc: denied { read } for name="ext4" dev="sysfs" ino=32709 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0 b/72749888 avc: denied { read } for name="state" dev="sysfs" ino=51318 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_android_usb:s0 tclass=file permissive=0 b/72749888 Bug: 72749888 Test: build/boot taimen-userdebug. No more logspam Change-Id: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e Merged-In: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e (cherry picked from commit 558cdf1e9925ca7b1420569abab677090d3d9528)
2018-04-04 23:36:13 +02:00
dontaudit priv_app sysfs:dir read;
priv_app: dontaudit read access to default sysfs label Suppress selinux logspam for non-API files in /sys. Bug: 110914297 Test: build Change-Id: I9b3bcf2dbf80f282ae5c74b61df360c85d02483c
2018-06-29 20:04:24 +02:00
dontaudit priv_app sysfs:file read;
priv_app: remove more logspam avc: denied { read } for name="ext4" dev="sysfs" ino=32709 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0 b/72749888 avc: denied { read } for name="state" dev="sysfs" ino=51318 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_android_usb:s0 tclass=file permissive=0 b/72749888 Bug: 72749888 Test: build/boot taimen-userdebug. No more logspam Change-Id: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e Merged-In: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e (cherry picked from commit 558cdf1e9925ca7b1420569abab677090d3d9528)
2018-04-04 23:36:13 +02:00
dontaudit priv_app sysfs_android_usb:file read;
priv_app: supress more snet selinux denial on sysfs Bug: 143294492 Test: build Change-Id: I55c9baf7f55d9ab36bf1509ca466e0747c49567d
2019-10-25 11:01:40 +02:00
dontaudit priv_app sysfs_dm:file r_file_perms;
Suppress denials for non-API access avc: denied { read } scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:proc_version:s0 tclass=file avc: denied { read } scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:wifi_prop:s0 tclass=file avc: denied { read } scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:net_dns_prop:s0 tclass=file Bug: 72151306 Test: build Change-Id: I4b658ccd128746356f635ca7955385a89609eea1
2018-01-18 17:55:02 +01:00
dontaudit priv_app wifi_prop:file read;
Whitelist vendor-init-settable bluetooth_prop and wifi_prop Values of the following properties are set by SoC vendors on some devices including Pixels. - persist.bluetooth.a2dp_offload.cap - persist.bluetooth.a2dp_offload.enable - persist.vendor.bluetooth.a2dp_offload.enable - ro.bt.bdaddr_path - wlan.driver.status So they should be whitelisted for compatibility. Bug: 77633703 Test: succeeded building and tested with Pixels Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
2018-04-09 05:07:32 +02:00
dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
Allow More Apps to Recv UDP Sockets from SystemServer This gives the privilege to system apps, platform apps, ephemeral apps, and privileged apps to receive a UDP socket from the system server. This is being added for supporting UDP Encapsulation sockets for IPsec, which must be provided by the system. This is an analogous change to a previous change that permitted these sockets for untrusted_apps: 0f75a62e2c4fb1b6ef8db6f2e5c10ff29f95322d Bug: 70389346 Test: IpSecManagerTest, System app verified with SL4A Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31
2017-12-15 03:20:30 +01:00
# allow privileged apps to use UDP sockets provided by the system server but not
# modify them other than to connect
Allow getsockopt and setsockopt for Encap Sockets Because applications should be able to set the receive timeout on UDP encapsulation sockets, we need to allow setsockopt(). getsockopt() is an obvious allowance as well. Bug: 68689438 Test: compilation Merged-In: I2eaf72bcce5695f1aee7a95ec03111eca577651c Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c
2018-03-27 15:34:54 +02:00
allow priv_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
Allow More Apps to Recv UDP Sockets from SystemServer This gives the privilege to system apps, platform apps, ephemeral apps, and privileged apps to receive a UDP socket from the system server. This is being added for supporting UDP Encapsulation sockets for IPsec, which must be provided by the system. This is an analogous change to a previous change that permitted these sockets for untrusted_apps: 0f75a62e2c4fb1b6ef8db6f2e5c10ff29f95322d Bug: 70389346 Test: IpSecManagerTest, System app verified with SL4A Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31
2017-12-15 03:20:30 +01:00
Suppress denials for apps accessing storage too early The recommended solution is to not access encrypted storage until after the ACTION_USER_UNLOCKED intent is delivered. Test: build Fixes: 72811052 Fixes: 72550646 Change-Id: I80eb743e26047b7864de983c5a46c28b6f753a59
2018-06-01 21:12:11 +02:00
# Attempts to write to system_data_file is generally a sign
# that apps are attempting to access encrypted storage before
# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
# denial to prevent apps from spamming the logs.
dontaudit priv_app system_data_file:dir write;
Move priv_app policy to private This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private. Bug: 31364497 Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
###
### neverallow rules
###
# Receive or send uevent messages.
neverallow priv_app domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow priv_app domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow priv_app debugfs:file read;
# Do not allow privileged apps to register services.
# Only trusted components of Android should be registering
# services.
neverallow priv_app service_manager_type:service_manager add;
# Do not allow privileged apps to connect to the property service
# or set properties. b/10243159
neverallow priv_app property_socket:sock_file write;
neverallow priv_app init:unix_stream_socket connectto;
neverallow priv_app property_type:property_service set;
# Do not allow priv_app to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints. As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and priv_app is allowed fork permission to itself.
neverallow priv_app mlstrustedsubject:process fork;
# Do not allow priv_app to hard link to any files.
# In particular, if priv_app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure priv_app never has this
# capability.
neverallow priv_app file_type:file link;
Adding ability for priv apps to read traceur fd Only untrusted apps had privilegs to read file descriptors passed in from traceur, which was an oversight. This fixes the policy so that priv apps can also access file descriptors from traceur in order to read reports shared from traceur. Bug: 74435522 Test: better bug has access to reports shared from traceur Change-Id: I591872cdac31eec62edbc81d95f1220f1152427f
2018-03-13 17:56:27 +01:00
# priv apps should not be able to open trace data files, they should depend
# upon traceur to pass a file descriptor which they can then read
neverallow priv_app trace_data_file:dir *;
neverallow priv_app trace_data_file:file { no_w_file_perms open };
Constrain cgroups access. What changed: - Removed cgroup access from untrusted and priv apps. - Settings app writes to /dev/stune/foreground/tasks, so system_app domain retains access to cgroup. - libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used abundantly in native code. So added a blanket allow rule for (coredomain - apps) to access cgroups. - For now, only audit cgroup access from vendor domains. Ultimately, we want to either constrain vendor access to individual domains or, even better, remove vendor access and have platform manage cgroups exclusively. Changes from original aosp/692189 which was reverted: - There seem to be spurious denials from vendor-specific apps. So added back access from { appdomain -all_untrusted_apps -priv_app } to cgroup. Audit this access with intent to write explicit per-domain rules for it. Bug: 110043362 Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates /dev/memcg on a per app basis on a device that supports that. Test: aosp_sailfish, wahoo boot without cgroup denials This reverts commit cacea25ed0fe4850d50d12640c7ee47ae1e2ef7a. Change-Id: I05ab404f348a864e8409d811346c8a0bf49bc47a
2018-10-11 00:48:15 +02:00
# Do not allow priv_app access to cgroups.
neverallow priv_app cgroup:file *;
drop priv_app app_data_file:file execute; system/sepolicy commit 23c9d91b46352bd91cdc58f33d55378e5567dc1c introduced a new type called privapp_data_file. This type is used to label priv-app's /home files. For backwards compatibility, priv-app rules involving normal app_data_files were preserved. Subsequently, system/sepolicy commit 5d1755194a841ab727467a30757fd1606cef905b assigned the file label privapp_data_file to /home files owned by priv-apps. Because of the previous labeling of priv-app data files, priv-apps were granted the ability to mmap(PROT_EXEC) any other app's /home files, regardless of how trustworthy or untrustworthy those files were. Commit 23c9d91b46352bd91cdc58f33d55378e5567dc1c preserved the status quo. However, now that we have a more refined label for priv-app /home files, we no longer need to be as permissive. Drop the ability for priv-apps to map executable code from untrusted_apps home directories. "execute" is removed in this change, and "execute_no_trans" was previously removed in commit 8fb4cb8bc20b999d69210f6fc6b552c6e22b8e09. Add a neverallow assertion (compile time assertion + CTS test) to prevent regressions. Further clarify why we need to support priv-apps loading executable code from their own home directories, at least for now. b/112037137 covers further tightening we can do in this area. Bug: 112357170 Test: Device boots and no problems. Change-Id: Ia6a9eb4c2ed8a02ad45644d025181ba3c8424cda
2018-10-28 00:20:38 +02:00
# Do not allow loading executable code from non-privileged
# application home directories. Code loading across a security boundary
# is dangerous and allows a full compromise of a privileged process
# by an unprivileged process. b/112357170
neverallow priv_app app_data_file:file no_x_file_perms;
disallow priv-apps from following untrusted app symlinks. Untrustworthy symlinks dereferenced by priv-apps could cause those apps to access files they weren't intending to access. Trusted components such as priv-apps should never trust untrustworthy symlinks from untrusted apps. Modify the rules and add a neverallow assertion to prevent regressions. Bug: 123350324 Test: device boots and no obvious problems. Change-Id: I8c4a5c9c8571fd29b2844b20b4fd1126db4128c0
2019-01-24 22:05:03 +01:00
# Do not follow untrusted app provided symlinks
neverallow priv_app app_data_file:lnk_file { open read getattr };
Reference in a new issue Copy permalink