tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/init.te

127 lines
4.8 KiB
Text
Raw Normal View History

Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-23 22:27:32 +01:00
typeattribute init coredomain;
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-07-22 22:13:11 +02:00
tmpfs_domain(init)
# Transitions to seclabel processes in init.rc
domain_trans(init, rootfs, slideshow)
Move /sbin/charger to /system/bin/charger. With the CLs in the same topic, it's being built as a dynamically linked executable. And this applies to normal boot (including charger mode) and recovery mode both. /system/bin/charger under normal boot will be labeled as charger_exec, which has the attribute of system_file_type. The file in recovery image will still be labeled as rootfs. So we keep the domain_trans rule for rootfs file, but allowing for recovery mode only. Bug: 73660730 Test: Boot into charger mode on taimen. Check that charger UI works. Test: Boot into recovery mode. Check that charger process works. Change-Id: I062d81c346578cdfce1cc2dce18c829387a1fdbc
2018-09-08 00:05:33 +02:00
domain_auto_trans(init, charger_exec, charger)
allow init to run mke2fs tools to format partitions Test: let fs_mgr format a damaged /data partition Bug: 35219933 Change-Id: If92352ea7a70780e9d81ab10963d63e16b793792 (cherry picked from commit 5f573ab2aa8f566c723f4ddd576f8365dcaec191)
2017-05-02 22:45:08 +02:00
domain_auto_trans(init, e2fs_exec, e2fs)
Allow executing bpfloader from init and modify rules init needs to execute bpfloader as a one-shot service. Add sepolicy for the same. Also update old rules allowing init to fork/exec bpfloader and remove rules allowing netd to do so. Bug: 112334572 Change-Id: Ic242cd507731ed8af3f8e94d4fccc95819831d37 Signed-off-by: Joel Fernandes <joelaf@google.com>
2018-11-29 22:07:40 +01:00
domain_auto_trans(init, bpfloader_exec, bpfloader)
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-07-22 22:13:11 +02:00
recovery_only(`
Move /sbin/charger to /system/bin/charger. With the CLs in the same topic, it's being built as a dynamically linked executable. And this applies to normal boot (including charger mode) and recovery mode both. /system/bin/charger under normal boot will be labeled as charger_exec, which has the attribute of system_file_type. The file in recovery image will still be labeled as rootfs. So we keep the domain_trans rule for rootfs file, but allowing for recovery mode only. Bug: 73660730 Test: Boot into charger mode on taimen. Check that charger UI works. Test: Boot into recovery mode. Check that charger process works. Change-Id: I062d81c346578cdfce1cc2dce18c829387a1fdbc
2018-09-08 00:05:33 +02:00
# Files in recovery image are labeled as rootfs.
Moving adbd from rootdir to system/bin Bug: 63910933 Test: boot sailfish in normal mode, checks adbd is started Test: boot sailfish in recovery mode, checks adbd is started Test: boot bullhead in normal mode, checks adbd is started Test: boot bullhead in recovery mode, checks adbd is started Change-Id: I35ed78a15a34626fbd3c21d030e2bf51033f7b79 Merged-In: I35ed78a15a34626fbd3c21d030e2bf51033f7b79 (cherry picked from commit e2423d149b6a5b9119965c097a2a75cb8d052763)
2017-07-31 12:38:28 +02:00
domain_trans(init, rootfs, adbd)
Move /sbin/charger to /system/bin/charger. With the CLs in the same topic, it's being built as a dynamically linked executable. And this applies to normal boot (including charger mode) and recovery mode both. /system/bin/charger under normal boot will be labeled as charger_exec, which has the attribute of system_file_type. The file in recovery image will still be labeled as rootfs. So we keep the domain_trans rule for rootfs file, but allowing for recovery mode only. Bug: 73660730 Test: Boot into charger mode on taimen. Check that charger UI works. Test: Boot into recovery mode. Check that charger process works. Change-Id: I062d81c346578cdfce1cc2dce18c829387a1fdbc
2018-09-08 00:05:33 +02:00
domain_trans(init, rootfs, charger)
Add sepolicy for fastbootd Also allow adb and fastboot to talk to recovery through recovery_socket. This enables changing between modes with usb commands. Test: No selinux denials Bug: 78793464 Change-Id: I80c54d4eaf3b94a1fe26d2280af4e57cb1593790
2018-05-29 19:54:16 +02:00
domain_trans(init, rootfs, fastbootd)
recovery init domain_trans to health HAL. Test: run health HAL in recovery Bug: 177269435 Bug: 170338625 Change-Id: Iac800463d4d29c56466a6671929a51139ca3fde7
2021-11-16 03:56:22 +01:00
domain_trans(init, rootfs, hal_health_server)
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-07-22 22:13:11 +02:00
domain_trans(init, rootfs, recovery)
Allow linkerconfig to be executed from recovery Add extra policy to enable linkerconfig to be executed from recovery. Bug: 139638519 Test: Tested from crosshatch recovery Change-Id: I40cdea4c45e8a649f933ba6ee73afaa7ab3f5348
2019-12-09 06:57:46 +01:00
domain_trans(init, rootfs, linkerconfig)
Add recovery service_contexts files. This allows binder services to run in recovery. Test: build them Bug: 170338625 Change-Id: If8580c3fc1b3add87178365c58288126e61345b4
2021-11-13 09:22:01 +01:00
domain_trans(init, rootfs, servicemanager)
Fix missing domain transition for snapuserd in recovery. System files in recovery are labelled as rootfs, so we need an explicit transition to snapuserd. Without this, factory data resets will fail with a VABC OTA pending, with the following denial: avc: denied { entrypoint } for pid=522 comm="init" path="/system/bin/snapuserd" dev="rootfs" ino=1491 scontext=u:r:snapuserd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 Bug: 179336104 Test: factory data reset with VABC OTA pending Change-Id: Ia839d84a48f2ac8ccb37d6ae3b1f8a8f7e619931
2021-02-04 21:30:09 +01:00
domain_trans(init, rootfs, snapuserd)
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-07-22 22:13:11 +02:00
')
domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd)
add vendor_init.te First pass at adding vendor_init.te Bug: 62875318 Test: boot sailfish with vendor_init Change-Id: I35cc9be324075d8baae866d6de4166c37fddac68
2017-09-28 23:34:36 +02:00
domain_trans(init, init_exec, vendor_init)
Fix coredomain violation for modprobe modprobe domain was allowed to launch vendor toolbox even if its a coredomain. That violates the treble separation. Fix that by creating a separate 'vendor_modprobe' domain that init is allowed to transition to through vendor_toolbox. Bug: 37008075 Test: Build and boot sailfish Change-Id: Ic3331797691bb5d1fdc05a674aa4aa313e1f86b2 Signed-off-by: Sandeep Patil <sspatil@google.com> (cherry picked from commit 9e366a0e4959682713037f24af708cf22b9b53c7)
2017-06-03 01:09:26 +02:00
domain_trans(init, { rootfs toolbox_exec }, modprobe)
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-07-22 22:13:11 +02:00
userdebug_or_eng(`
Allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng This is do aid developers pushing debug services to not need to modify the underlying SEPolicy avc: denied { transition } for comm="init" path="/system/bin/awk" dev="dm-0" ino=1934 scontext=u:r:init:s0 tcontext=u:r:su:s0 tclass=process avc: denied { rlimitinh } for comm="awk" scontext=u:r:init:s0 tcontext=u:r:su:s0 tclass=process avc: denied { siginh } for comm="awk" scontext=u:r:init:s0 tcontext=u:r:su:s0 tclass=process avc: denied { noatsecure } for comm="awk" scontext=u:r:init:s0 tcontext=u:r:su:s0 tclass=process Test: init can execute a system_file marked with seclabel u:r:su:s0 Change-Id: I85d9528341fe08dbb2fb9a91e34a41f41aa093be
2018-08-03 19:49:20 +02:00
# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
logcat: introduce split to logd and logpersist domains - transition to logpersist from init - sort some overlapping negative references - intention is to allow logpersist to be used by vendor userdebug logging Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 30566487 Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
2016-08-10 20:10:02 +02:00
domain_auto_trans(init, logcat_exec, logpersist)
Allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng This is do aid developers pushing debug services to not need to modify the underlying SEPolicy avc: denied { transition } for comm="init" path="/system/bin/awk" dev="dm-0" ino=1934 scontext=u:r:init:s0 tcontext=u:r:su:s0 tclass=process avc: denied { rlimitinh } for comm="awk" scontext=u:r:init:s0 tcontext=u:r:su:s0 tclass=process avc: denied { siginh } for comm="awk" scontext=u:r:init:s0 tcontext=u:r:su:s0 tclass=process avc: denied { noatsecure } for comm="awk" scontext=u:r:init:s0 tcontext=u:r:su:s0 tclass=process Test: init can execute a system_file marked with seclabel u:r:su:s0 Change-Id: I85d9528341fe08dbb2fb9a91e34a41f41aa093be
2018-08-03 19:49:20 +02:00
# allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
allow init su:process transition;
dontaudit init su:process noatsecure;
allow init su:process { siginh rlimitinh };
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-07-22 22:13:11 +02:00
')
Allow init to set powerctl property NIAP certification requires that all cryptographic functions undergo a self-test during startup to demonstrate correct operation. init now performs this check during startup. The self-test is forked from init. For the child process to be able to request a reboot it needs permissions to set the sys.powerctl property. Bug: 119826244 Test: Built for walleye. When the BoringSSL self test was forced to fail the device rebooted into the bootloader, as expected. Change-Id: I4171b1dd0a5e393252ae5c002171ac51c9cbb3e6
2018-11-28 00:47:12 +01:00
Allow init to read /sys/block/dm-XX/dm/name In order to remount ext4 userdata into checkpointing mode, init will need to delete all devices from dm-stack it is mounted onto (e.g. dm-bow, dm-crypto). For that it needs to get name of a dm-device by reading /sys/block/dm-XX/dm/name file. Test: adb shell setprop sys.init.userdata_remount.force_umount_f2fs 1 Test: adb shell /system/bin/vdc checkpoint startCheckpoint 1 Test: adb reboot userspace Test: adb shell dumpsys activity Bug: 135984674 Bug: 143970043 Change-Id: I919a4afdce8a4f88322f636fdf796a2f1a955d04
2019-12-09 22:21:55 +01:00
# Allow init to figure out name of dm-device from it's /dev/block/dm-XX path.
# This is useful in case of remounting ext4 userdata into checkpointing mode,
# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
# that userdata is mounted onto.
allow init sysfs_dm:file read;
init.te: Allow init to modify the properties of loop devices The init process configures swapping over zram over a loop device. An I/O scheduler is associated with the loop device. Tests have shown that no I/O scheduler works better than the default, mq-deadline. Hence allow the init process to configure the loop device I/O scheduler. Without this patch, the following SELinux denials are reported during boot: 1 1 I auditd : type=1400 audit(0.0:4): avc: denied { read write } for comm="init" name="scheduler" dev="sysfs" ino=78312 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_loop:s0 tclass=file permissive=0 1 1 I auditd : type=1400 audit(0.0:4): avc: denied { read write } for comm="init" name="scheduler" dev="sysfs" ino=78312 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_loop:s0 tclass=file permissive=0 Bug: 194450129 Test: Built Android images and installed these on an Android device. Signed-off-by: Bart Van Assche <bvanassche@acm.org> Change-Id: I0af0a92c53bb1f68b57f6814c431a7f03d8ea967
2021-07-29 23:53:51 +02:00
# Allow init to modify the properties of loop devices.
allow init sysfs_loop:dir r_dir_perms;
allow init sysfs_loop:file rw_file_perms;
Revert "Stop granting init access to block device properties" This reverts commit f20fea50f12100896915184b22bb93033da8564f. Reason for revert: unbreak the git_sc-v2-dev-plus-aosp tests Bug: 202879263 Change-Id: I79245afb4ba7f5be8ee46f2e91921a7327b650c5
2021-10-13 18:21:54 +02:00
# Allow init to examine the properties of block devices.
Stop using the bdev_type and sysfs_block_type SELinux attributes Stop using these attributes since these will be removed soon. Bug: 202520796 Test: (AOSP) source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd && adb -e shell dmesg | grep avc Test: (sc-v2-dev) source build/envsetup.sh && lunch ...-userdebug && m && install-images-on-phone && adb root && adb dmesg | grep 'avc.*comm=.init' Change-Id: I9f5a4c5c4d6c44fefa8e66c69fec62c99f9a728d Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-10-13 19:56:57 +02:00
allow init sysfs_type:file { getattr read };
# Allow init get the attributes of block devices in /dev/block.
allow init dev_type:dir r_dir_perms;
allow init dev_type:blk_file getattr;
Revert "Stop granting init access to block device properties" This reverts commit f20fea50f12100896915184b22bb93033da8564f. Reason for revert: unbreak the git_sc-v2-dev-plus-aosp tests Bug: 202879263 Change-Id: I79245afb4ba7f5be8ee46f2e91921a7327b650c5
2021-10-13 18:21:54 +02:00
Permit dropping caches from the shell through sys.drop_caches. * Permits setting the sys.drop_caches property from shell. * Permits init to read and write to the drop_caches file. * Can only be set to 3 (drop_caches) and 0 (unset). Bug: 178647679 Test: flashed user build and set property; no avc denials. Test: flashed userdebug build and dropped caches w/o root. Change-Id: Idcedf83f14f6299fab383f042829d8d548fb4f5d
2021-02-11 03:45:35 +01:00
# Allow init to write to the drop_caches file.
allow init proc_drop_caches:file rw_file_perms;
Allow init to set powerctl property NIAP certification requires that all cryptographic functions undergo a self-test during startup to demonstrate correct operation. init now performs this check during startup. The self-test is forked from init. For the child process to be able to request a reboot it needs permissions to set the sys.powerctl property. Bug: 119826244 Test: Built for walleye. When the BoringSSL self test was forced to fail the device rebooted into the bootloader, as expected. Change-Id: I4171b1dd0a5e393252ae5c002171ac51c9cbb3e6
2018-11-28 00:47:12 +01:00
# Allow the BoringSSL self test to request a reboot upon failure
set_prop(init, powerctl_prop)
Add selinux rules for userspace reboot related properties By default sys.init.userspace_reboot.* properties are internal to /system partition. Only exception is sys.init.userspace_reboot.in_progress which signals to all native services (including vendor ones) that userspace reboot is happening, hence it should be a system_public_prop. Only init should be allowed to set userspace reboot related properties. Bug: 135984674 Test: builds Test: adb reboot userspace Change-Id: Ibb04965be2d5bf6e81b34569aaaa1014ff61e0d3
2019-11-14 13:59:15 +01:00
# Only init is allowed to set userspace reboot related properties.
set_prop(init, userspace_reboot_exported_prop)
neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
Add sysprop for init's perf_event_open LSM hook check Written exclusively by init. Made it readable by shell for CTS, and for easier platform debugging. Bug: 137092007 Change-Id: Ia5b056117502c272bc7169661069d0c8020695e2
2020-01-14 19:20:06 +01:00
# Second-stage init performs a test for whether the kernel has SELinux hooks
# for the perf_event_open() syscall. This is done by testing for the syscall
# outcomes corresponding to this policy.
# TODO(b/137092007): this can be removed once the platform stops supporting
# kernels that precede the perf_event_open hooks (Android common kernels 4.4
# and 4.9).
allow init self:perf_event { open cpu };
Add new perfmon capability2 and use it There are probably more cases but this one blocks presubmit for cuttlefish with mainline kernels. Bug: 158304247 Change-Id: I6d769b16a230a113a804df61f8de4dcbce2193b6
2020-06-05 19:15:30 +02:00
allow init self:global_capability2_class_set perfmon;
Add sysprop for init's perf_event_open LSM hook check Written exclusively by init. Made it readable by shell for CTS, and for easier platform debugging. Bug: 137092007 Change-Id: Ia5b056117502c272bc7169661069d0c8020695e2
2020-01-14 19:20:06 +01:00
neverallow init self:perf_event { kernel tracepoint read write };
dontaudit init self:perf_event { kernel tracepoint read write };
init: Allow interacting with snapuserd and libsnapshot. During first-stage init we spawn a daemon (snapuserd) to interact with the dm-user kernel module. Immediately after sepolicy is loaded, we launch the daemon again with the correct privileges, and kill the original one. In order for init to do this, it needs to be able to open and write to the snapuserd socket (which is corrected to the "correct" daemon), as well as call flock() on /metadata/ota which is how libsnapshot ensures exclusive access to Virtual A/B snapshots. Bug: 168259959 Test: no denials with Virtual A/B Compression enabled Change-Id: Ic7fc78ca1a17673b878766e0f4dfe0265c1be768
2020-10-30 08:12:22 +01:00
# Allow init to communicate with snapuserd to transition Virtual A/B devices
# from the first-stage daemon to the second-stage.
allow init snapuserd_socket:sock_file write;
allow init snapuserd:unix_stream_socket connectto;
# Allow for libsnapshot's use of flock() on /metadata/ota.
allow init ota_metadata_file:dir lock;
Allow apexd to access a new dev_type: virtual disk In microdroid, apexd activates apexes which are passed as a virtual disk to share apexes with host Android. Bug: 184605708 Test: apexd running in microdroid can read /dev/block/vdb2 when a disk image is passed to crosvm via --disk= option. Change-Id: Ie27774868a0e0befb4c42cff795d1531b042654c
2021-04-12 14:44:43 +02:00
# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
# /dev/block.
allow init vd_device:blk_file relabelto;
Add sysprop for init's perf_event_open LSM hook check Written exclusively by init. Made it readable by shell for CTS, and for easier platform debugging. Bug: 137092007 Change-Id: Ia5b056117502c272bc7169661069d0c8020695e2
2020-01-14 19:20:06 +01:00
# Only init is allowed to set the sysprop indicating whether perf_event_open()
# SELinux hooks were detected.
set_prop(init, init_perf_lsm_hooks_prop)
neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
Add property contexts for vts props vts_config_prop and vts_status_prop are added to remove exported*_prop. ro.vts.coverage becomes vts_config_prop, and vts.native_server.on becomes vts_status_prop. Bug: 155844385 Test: Run some vts and then getprop, e.g. atest \ VtsHalAudioEffectV4_0TargetTest && adb shell getprop Test: ro.vts.coverage is read without denials Change-Id: Ic3532ef0ae7083db8d619d80e2b73249f87981ce
2020-07-13 19:10:37 +02:00
# Only init can write vts.native_server.on
set_prop(init, vts_status_prop)
Fix broken neverallow rules neverallow rules with allowlist should look like: neverallow { domain -allow1 -allow2 } ... Bug: 181744894 Test: m selinux_policy Test: pcregrep -M -r "neverallow\s+{(\s*#.*\s*)*\s+-" . Change-Id: Ibab72ccc1fbacb99b62fe127b4122e1ac22b938a
2021-03-10 02:42:23 +01:00
neverallow { domain -init } vts_status_prop:property_service set;
Add bootloader_prop for ro.boot. properties ro.boot. properties assigned as "exported2_default_prop" are now "bootloader_prop", to remove bad context name "exported2_default_prop". Two things to clarify: 1) We have both the prefix entry and the exact entries. Although the exact entries may be redundant, we may want to keep them. Vendors are still allowed to have properties starting with "ro.boot." on vendor_property_contexts file. The exact entries can prevent vendors from modifying them to random contexts. 2) ro.boot. is special as it is originally for kernel command line "androidboot.". But some ro.boot. properties are being used as if they were normal. To avoid regression, ro.boot. properties having contexts other than "exported2_default_prop" are not changed here. They will be tracked later. Bug: 155844385 Test: m selinux_policy Change-Id: Ic0f4117ae68a828787304187457b5e1e105a52c7 Merged-In: Ic0f4117ae68a828787304187457b5e1e105a52c7
2020-07-23 10:54:35 +02:00
# Only init can write normal ro.boot. properties
Fix broken neverallow rules neverallow rules with allowlist should look like: neverallow { domain -allow1 -allow2 } ... Bug: 181744894 Test: m selinux_policy Test: pcregrep -M -r "neverallow\s+{(\s*#.*\s*)*\s+-" . Change-Id: Ibab72ccc1fbacb99b62fe127b4122e1ac22b938a
2021-03-10 02:42:23 +01:00
neverallow { domain -init } bootloader_prop:property_service set;
Remove exported2_default_prop This cleans up remaining exported2_default_prop. Three properties are changed. - ro.arch It becomes build_prop. - hal.instrumentation.enable It becomes hal_instrumentation_prop. - ro.property_service.version It becomes property_service_version_prop. Bug: 155844385 Test: selinux denial test on Pixel devices Change-Id: I7ee0bd8c522cc09ee82ef89e6a13bbbf65291291
2020-07-24 17:34:56 +02:00
Introduce ro.boot.hypervisor properties In virtualized deployments of Android, it can be useful to have access to a description of the hypervisor/host environment being used to run the guest OS instance. This is represented by means of a new system property ro.boot.hypervisor.version, which is meant to convey a free-form descriptor of the current host/hypervisor version The property is meant to be provided to Android as androidboot. by whatever host-specific means are used to supply other boot properties to the target Android instance. Access could be later opened to other vendor processes to set if needed for specific setups where init is not a sufficiently-early stage for host/guest communication. Such setups are not known at this time. For a native Android incantation, the property defaults to being missing Other properties could later be added to this same namespace and context if they turn out to be useful in specific scenarios. Bug: 178749018 Test: build cuttlefish Change-Id: Id721c14ef1958b525c2866a660dcae8fd176a79d
2021-10-01 21:11:36 +02:00
# Only init can write ro.boot.hypervisor properties
neverallow { domain -init } hypervisor_prop:property_service set;
Remove exported2_default_prop This cleans up remaining exported2_default_prop. Three properties are changed. - ro.arch It becomes build_prop. - hal.instrumentation.enable It becomes hal_instrumentation_prop. - ro.property_service.version It becomes property_service_version_prop. Bug: 155844385 Test: selinux denial test on Pixel devices Change-Id: I7ee0bd8c522cc09ee82ef89e6a13bbbf65291291
2020-07-24 17:34:56 +02:00
# Only init can write hal.instrumentation.enable
Fix broken neverallow rules neverallow rules with allowlist should look like: neverallow { domain -allow1 -allow2 } ... Bug: 181744894 Test: m selinux_policy Test: pcregrep -M -r "neverallow\s+{(\s*#.*\s*)*\s+-" . Change-Id: Ibab72ccc1fbacb99b62fe127b4122e1ac22b938a
2021-03-10 02:42:23 +01:00
neverallow { domain -init } hal_instrumentation_prop:property_service set;
Remove exported2_default_prop This cleans up remaining exported2_default_prop. Three properties are changed. - ro.arch It becomes build_prop. - hal.instrumentation.enable It becomes hal_instrumentation_prop. - ro.property_service.version It becomes property_service_version_prop. Bug: 155844385 Test: selinux denial test on Pixel devices Change-Id: I7ee0bd8c522cc09ee82ef89e6a13bbbf65291291
2020-07-24 17:34:56 +02:00
# Only init can write ro.property_service.version
Fix broken neverallow rules neverallow rules with allowlist should look like: neverallow { domain -allow1 -allow2 } ... Bug: 181744894 Test: m selinux_policy Test: pcregrep -M -r "neverallow\s+{(\s*#.*\s*)*\s+-" . Change-Id: Ibab72ccc1fbacb99b62fe127b4122e1ac22b938a
2021-03-10 02:42:23 +01:00
neverallow { domain -init } property_service_version_prop:property_service set;
init sets keystore.boot_level, keystore reads Bug: 176450483 Test: init can set, and keystore2 read, keystore.boot_level Test: `adb shell getprop -Z | grep boot_level` returns [keystore.boot_level]: [u:object_r:keystore_listen_prop:s0] Change-Id: Iedb37db19e9153995800fc97de6ee8c536179caa
2021-02-23 17:40:05 +01:00
# Only init can set keystore.boot_level
Fix broken neverallow rules neverallow rules with allowlist should look like: neverallow { domain -allow1 -allow2 } ... Bug: 181744894 Test: m selinux_policy Test: pcregrep -M -r "neverallow\s+{(\s*#.*\s*)*\s+-" . Change-Id: Ibab72ccc1fbacb99b62fe127b4122e1ac22b938a
2021-03-10 02:42:23 +01:00
neverallow { domain -init } keystore_listen_prop:property_service set;
Selinux policy for bootreceiver tracing instance Create contexts for /sys/kernel/tracing/instances/bootreceiver Allow read access to files in this dir for system_server. Bug: 172316664 Bug: 181778620 Test: manual runs with KFENCE enabled Signed-off-by: Alexander Potapenko <glider@google.com> Change-Id: I7021a9f32b1392b9afb77294a1fd0a1be232b1f2
2021-03-02 16:46:50 +01:00
Add ro.remote_provisioning.*.rkp_only properties. These properties are used to inform keystore2 and the RemoteProvisioner app how they should behave in the system in the event that RKP keys are exhausted. The usual behavior in a hybrid system is not to take any action and fallback to the factory provisioned key if key attestation is requested and no remotely provisioned keys are available. However, there are instances where this could happen on a device that was intended to be RKP only, in which case the system needs to know that it should go ahead and attempt to remotely provision new certificates or throw an error in the case where none are available. Test: New properties are accessible from the two domains Change-Id: I8d6c9e650566499bf08cfda2f71c64d5c2b26fd6
2022-02-02 06:15:44 +01:00
# Only init can set the ro.remote_provisioning.* props
neverallow { domain -init } remote_prov_prop:property_service set;
Selinux policy for bootreceiver tracing instance Create contexts for /sys/kernel/tracing/instances/bootreceiver Allow read access to files in this dir for system_server. Bug: 172316664 Bug: 181778620 Test: manual runs with KFENCE enabled Signed-off-by: Alexander Potapenko <glider@google.com> Change-Id: I7021a9f32b1392b9afb77294a1fd0a1be232b1f2
2021-03-02 16:46:50 +01:00
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;
Add crosvm domain and give virtmanager and crosvm necessary permissions. Bug: 183583115 Test: make TARGET_KERNEL_USE=5.4 TARGET_VIM3L=true Change-Id: I566436fa2d27597566014f2a63198a88d6d2dbd6
2021-03-29 19:19:12 +02:00
sepolicy: Allow creating synthetic trace events rss_stat will be throttled using histogram triggers and synthetic trace events. Add genfs context labels for the synthetic tracefs files. Bug: 145972256 Test: Check log cat for avc denials Change-Id: I7e183aa930bb6ee79613d011bed7174d553f9c1a
2021-11-05 04:47:29 +01:00
# Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will
# attempt to write a non exisiting 'synthetic_events' file, when setting
# up synthetic events. This is a no-op in tracefs.
dontaudit init debugfs_tracing_debug:dir { write add_name };
Add crosvm domain and give virtmanager and crosvm necessary permissions. Bug: 183583115 Test: make TARGET_KERNEL_USE=5.4 TARGET_VIM3L=true Change-Id: I566436fa2d27597566014f2a63198a88d6d2dbd6
2021-03-29 19:19:12 +02:00
# chown/chmod on devices.
allow init {
dev_type
-hw_random_device
-keychord_device
-kvm_device
-port_device
}:chr_file setattr;
Reference in a new issue Copy permalink