tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/domain.te

315 lines
9.2 KiB
Text
Raw Normal View History

Introduce crash_dump debugging helper. Replace the global debuggerd with a per-process debugging helper that gets exec'ed by the process that crashed. Bug: http://b/30705528 Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>` Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed
2016-10-19 23:39:30 +02:00
# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
exclude su from transitioning to crash_dump domain When /system/bin/crash_dump is executed from the su domain, do not perform a domain transition. This allows processes run from that domain to crash normally without SELinux interfering. Bug: 114136122 Test: cferris: "This change works for me. I ran the crasher executable on /data, /data/nativetest, /data/nativetest64 (and even /data/local/tmp). All of them show that crash_dump can read the executables." Change-Id: Ic135d61b11774acff37ebfb35831497cddbefdef
2018-09-06 04:11:38 +02:00
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122)
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
Introduce crash_dump debugging helper. Replace the global debuggerd with a per-process debugging helper that gets exec'ed by the process that crashed. Bug: http://b/30705528 Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>` Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed
2016-10-19 23:39:30 +02:00
allow domain crash_dump:process sigchld;
Property to enable heap profile from process startup. This is world-readable so it can be checked in libc's process init. Test: m Test: flash sailfish Bug: 117821125 Change-Id: Iac7317ceb75b5ad9cfb9adabdf16929263fa8a9d
2018-11-08 14:58:13 +01:00
# Allow every process to check the heapprofd.enable properties to determine
# whether to load the heap profiling library. This does not necessarily enable
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);
Allow heap profiling of certain app domains on user builds This patch extends the current debug-specific rules to cover user builds. As a reminder, on user, the target process fork-execs a private heapprofd process, which then performs stack unwinding & talking to the central tracing daemon while staying in the target's domain. The central heapprofd daemon is only responsible for identifying targets & sending the activation signal. On the other hand, on debug, the central heapprofd can handle all processes directly, so the necessary SELinux capabilities depend on the build type. These rules are necessary but not sufficient for profiling. For zygote children, the libc triggering logic will also check for the app to either be debuggable, or go/profileable. For more context, see go/heapprofd-security & go/heapprofd-design. Note that I've had to split this into two separate macros, as exec_no_trans - which is necessary on user, but nice-to-have on debug - conflicts with a lot of neverallows (e.g. HALs and system_server) for the wider whitelisting that we do on debug builds. Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat. Bug: 120409382 Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
# Allow heap profiling on debug builds.
userdebug_or_eng(`can_profile_heap_userdebug_or_eng({
Allow heap profiling everything except TCB on userdebug. Bug: 117762471 Test: m Test: flash sailfish Test: profile all running processes with setenforce 1 Change-Id: I71d41d06d2a62190e33b7e3e425a1f7b8039196e
2018-11-27 12:09:14 +01:00
domain
-bpfloader
-init
-kernel
-keystore
-llkd
-logd
Allow profilable domains to use heapprofd fd and tmpfs. This is needed to allow to communicate over shared memory. Bug: 126724929 Change-Id: I73e69ae3679cd50124ab48121e259fd164176ed3
2019-02-28 16:59:32 +01:00
-logpersist
-recovery
-recovery_persist
-recovery_refresh
Allow heap profiling everything except TCB on userdebug. Bug: 117762471 Test: m Test: flash sailfish Test: profile all running processes with setenforce 1 Change-Id: I71d41d06d2a62190e33b7e3e425a1f7b8039196e
2018-11-27 12:09:14 +01:00
-ueventd
-vendor_init
-vold
})')
Property to enable heap profile from process startup. This is world-readable so it can be checked in libc's process init. Test: m Test: flash sailfish Bug: 117821125 Change-Id: Iac7317ceb75b5ad9cfb9adabdf16929263fa8a9d
2018-11-08 14:58:13 +01:00
Move some rules around Move rules / neverallow assertions from public to private policy. This change, by itself, is a no-op, but will make future patches easier to read. The only downside of this change is that it will make git blame less effective. Motivation: When rules are placed into the public directory, they cannot reference a private type. A future change will modify these rules to reference a private type. Test: compiles Bug: 112357170 Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
2018-11-29 02:50:24 +01:00
# Path resolution access in cgroups.
allow domain cgroup:dir search;
bless app created renderscript files When an app uses renderscript to compile a Script instance, renderscript compiles and links the script using /system/bin/bcc and /system/bin/ld.mc, then places the resulting shared library into the application's code_cache directory. The application then dlopen()s the resulting shared library. Currently, this executable code is writable to the application. This violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which requires any executable code be immutable. This change introduces a new label "rs_data_file". Files created by /system/bin/bcc and /system/bin/ld.mc in the application's home directory assume this label. This allows us to differentiate in security policy between app created files, and files created by renderscript on behalf of the application. Apps are allowed to delete these files, but cannot create or write these files. This is enforced through a neverallow compile time assertion. Several exceptions are added to Treble neverallow assertions to support this functionality. However, because renderscript was previously invoked from an application context, this is not a Treble separation regression. This change is needed to support blocking dlopen() for non-renderscript /data/data files, which will be submitted in a followup change. Bug: 112357170 Test: cts-tradefed run cts -m CtsRenderscriptTestCases Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
2018-12-12 18:06:05 +01:00
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;
Move some rules around Move rules / neverallow assertions from public to private policy. This change, by itself, is a no-op, but will make future patches easier to read. The only downside of this change is that it will make git blame less effective. Motivation: When rules are placed into the public directory, they cannot reference a private type. A future change will modify these rules to reference a private type. Test: compiles Bug: 112357170 Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
2018-11-29 02:50:24 +01:00
sepolicy changes to configure cgroup.rc and task_profiles.json access cgroups.json file contains cgroup information required to mount cgroup controllers and is readable only by init process. cgroup.rc contains cgroup map information consisting of the list of cgroups available in the system and their mounting locations. It is created by init process and should be readable by any processes that uses cgroups and should be writable only by init process. task_profiles.json file contains task profiles used to operate on cgroups. This information should be readable by any process that uses cgroups and should be writable only by init process. Bug: 111307099 Test: builds, boots Change-Id: Ib2c87c0fc3663c7fc69628f05c846519b65948b5 Merged-In: Ib2c87c0fc3663c7fc69628f05c846519b65948b5 Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-01-11 02:10:31 +01:00
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
sepolicy for vendor cgroups.json and task_profiles.json files Vendors should be able to specify additional cgroups and task profiles without changing system files. Add access rules for /vendor/etc/cgroups.json and /vendor/etc/task_profiles.json files which will augment cgroups and task profiles specified in /etc/cgroups.json and /etc/task_profiles.json system files. As with system files /vendor/etc/cgroups.json is readable only by init process. task_profiles.json is readable by any process that uses cgroups. Bug: 124960615 Change-Id: I12fcff0159b4e7935ce15cc19ae36230da0524fc Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-02-20 00:02:14 +01:00
allow domain vendor_task_profiles_file:file r_file_perms;
sepolicy changes to configure cgroup.rc and task_profiles.json access cgroups.json file contains cgroup information required to mount cgroup controllers and is readable only by init process. cgroup.rc contains cgroup map information consisting of the list of cgroups available in the system and their mounting locations. It is created by init process and should be readable by any processes that uses cgroups and should be writable only by init process. task_profiles.json file contains task profiles used to operate on cgroups. This information should be readable by any process that uses cgroups and should be writable only by init process. Bug: 111307099 Test: builds, boots Change-Id: Ib2c87c0fc3663c7fc69628f05c846519b65948b5 Merged-In: Ib2c87c0fc3663c7fc69628f05c846519b65948b5 Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-01-11 02:10:31 +01:00
Add permissions for sys.use_memfd property Will be used to forcefully turn on memfd if device supports it. Currently used only for debugging. Change-Id: I46a1b7169677ea552d4b092e7501da587c42ba1a Signed-off-by: Joel Fernandes <joelaf@google.com>
2019-01-31 23:43:57 +01:00
# Allow all domains to read sys.use_memfd to determine
# if memfd support can be used if device supports it
get_prop(domain, use_memfd_prop);
Move some rules around Move rules / neverallow assertions from public to private policy. This change, by itself, is a no-op, but will make future patches easier to read. The only downside of this change is that it will make git blame less effective. Motivation: When rules are placed into the public directory, they cannot reference a private type. A future change will modify these rules to reference a private type. Test: compiles Bug: 112357170 Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
2018-11-29 02:50:24 +01:00
# For now, everyone can access core property files
# Device specific properties are not granted by default
not_compatible_property(`
get_prop(domain, core_property_type)
get_prop(domain, exported_dalvik_prop)
get_prop(domain, exported_ffs_prop)
get_prop(domain, exported_system_radio_prop)
get_prop(domain, exported2_config_prop)
get_prop(domain, exported2_radio_prop)
get_prop(domain, exported2_system_prop)
get_prop(domain, exported2_vold_prop)
get_prop(domain, exported3_default_prop)
get_prop(domain, exported3_radio_prop)
get_prop(domain, exported3_system_prop)
get_prop(domain, vendor_default_prop)
')
compatible_property_only(`
get_prop({coredomain appdomain shell}, core_property_type)
get_prop({coredomain appdomain shell}, exported_dalvik_prop)
get_prop({coredomain appdomain shell}, exported_ffs_prop)
get_prop({coredomain appdomain shell}, exported_system_radio_prop)
get_prop({coredomain appdomain shell}, exported2_config_prop)
get_prop({coredomain appdomain shell}, exported2_radio_prop)
get_prop({coredomain appdomain shell}, exported2_system_prop)
get_prop({coredomain appdomain shell}, exported2_vold_prop)
get_prop({coredomain appdomain shell}, exported3_default_prop)
get_prop({coredomain appdomain shell}, exported3_radio_prop)
get_prop({coredomain appdomain shell}, exported3_system_prop)
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
Sepolicy: Allow everyone to search keyrings Allow everyone to look for keys in the fsverity keyring. This is required to access fsverity-protected files, at all. This set of permissions is analogous to allowances for the fscrypt keyring and keys. Bug: 125474642 Test: m Test: manual Change-Id: I6e8c13272cdd76d9940d950e9dabecdb210691b1
2019-03-13 23:21:41 +01:00
# Allow access to fsverity keyring.
allow domain kernel:key search;
# Allow access to keys in the fsverity keyring that were installed at boot.
Move fs-verity key loading into fsverity_init domain fsverity_init is a new shell script that uses mini-keyctl for the actual key loading. Given the plan to implement keyctl in toybox, we label mini-keyctl as u:object_r:toolbox_exec:s0. This gives us two benefits: - Better compatibility to keyctl(1), which doesn't have "dadd" - Pave the way to specify key's security labels, since keyctl(1) doesn't support, and we want to avoid adding incompatible option. Test: Boot without SELinux denial Test: After boot, see the key in /product loaded Bug: 128607724 Change-Id: Iebd7c9b3c7aa99ad56f74f557700fd85ec58e9d0
2019-03-15 19:15:31 +01:00
allow domain fsverity_init:key search;
Sepolicy: Allow everyone to search keyrings Allow everyone to look for keys in the fsverity keyring. This is required to access fsverity-protected files, at all. This set of permissions is analogous to allowances for the fscrypt keyring and keys. Bug: 125474642 Test: m Test: manual Change-Id: I6e8c13272cdd76d9940d950e9dabecdb210691b1
2019-03-13 23:21:41 +01:00
# For testing purposes, allow access to keys installed with su.
userdebug_or_eng(`
allow domain su:key search;
')
sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-10-12 23:58:09 +02:00
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow {
domain
-vold
llkd: Add stack symbol checking llkd needs the ptrace capabilities and dac override to monitor for live lock conditions on the stack dumps. Test: compile Bug: 33808187 Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126
2018-08-08 01:03:47 +02:00
userdebug_or_eng(`-llkd')
sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-10-12 23:58:09 +02:00
-dumpstate
Allowing incidentd to get stack traces from processes. Bug: 72177715 Test: flash device and check incident output Change-Id: I16c172caec235d985a6767642134fbd5e5c23912
2018-03-13 00:21:40 +01:00
userdebug_or_eng(`-incidentd')
Storaged permissions for task I/O Allow storaged to read /proc/[pid]/io Grant binder access to storaged Add storaged service Grant storaged_exec access to dumpstate Grant storaged binder_call to dumpstate Bug: 32221677 Change-Id: Iecc9dba266c5566817a99ac6251eb943a0bac630
2016-07-01 21:18:54 +02:00
-storaged
sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-10-12 23:58:09 +02:00
-system_server
userdebug_or_eng(`-perfprofd')
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 23:51:26 +01:00
} self:global_capability_class_set sys_ptrace;
Add keystore_key:attest_unique_id to priv_app. Only privileged apps are supposed to be able to get unique IDs from attestation. Test: CTS test verifies the negative condition, manual the positive Bug: 34671471 Change-Id: I9ab3f71b1e11ed1d7866ff933feece73152d2578
2017-04-11 17:41:25 +02:00
# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app } *:keystore_key gen_unique_id;
Neverallow coredomain to kernel interface files. Core domains should not be allowed access to kernel interfaces, which are not explicitly labeled. These interfaces include (but are not limited to): 1. /proc 2. /sys 3. /dev 4. debugfs 5. tracefs 6. inotifyfs 7. pstorefs 8. configfs 9. functionfs 10. usbfs 11. binfmt_miscfs We keep a lists of exceptions to the rule, which we will be gradually shrinking. This will help us prevent accidental regressions in our efforts to label kernel interfaces. Bug: 68159582 Bug: 68792382 Test: build aosp_sailfish-user Test: build aosp_sailfish-userdebug Test: CP to internal and build walleye-user Change-Id: I1b2890ce1efb02a08709a6132cf2f12f9d88fde7
2017-11-02 18:08:30 +01:00
Use a whitelisting strategy for tracefs. This changes tracefs files to be default-enabled in debug mode, but default-disabled with specific files enabled in user mode. Bug: 64762598 Test: Successfully took traces in user mode. Change-Id: I572ea22253e0c1e42065fbd1d2fd7845de06fceb
2018-01-31 03:14:45 +01:00
neverallow {
domain
-init
-vendor_init
userdebug_or_eng(`-domain')
} debugfs_tracing_debug:file no_rw_file_perms;
Protect dropbox service data with selinux Create a new label for /data/system/dropbox, and neverallow direct access to anything other than init and system_server. While all apps may write to the dropbox service, only apps with android.permission.READ_LOGS, a signature|privileged|development permission, may read them. Grant access to priv_app, system_app, and platform_app, and neverallow access to all untrusted_apps. Bug: 31681871 Test: atest CtsStatsdHostTestCases Test: atest DropBoxTest Test: atest ErrorsTests Change-Id: Ice302b74b13c4d66e07b069c1cdac55954d9f5df
2018-04-16 16:49:49 +02:00
# System_server owns dropbox data, and init creates/restorecons the directory
# Disallow direct access by other processes.
neverallow { domain -init -system_server } dropbox_data_file:dir *;
neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
###
# Services should respect app sandboxes
neverallow {
domain
-appdomain
-installd # creation of sandbox
Start partitioning off privapp_data_file from app_data_file Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories. This change adds a new file type "privapp_data_file". For compatibility, we adjust the policy to support access privapp_data_files almost everywhere we were previously granting access to app_data_files (adbd and run-as being exceptions). Additional future tightening is possible here by removing some of these newly added rules. This label will start getting used in a followup change to system/sepolicy/private/seapp_contexts, similar to: -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user For now, this newly introduced label has no usage, so this change is essentially a no-op. Test: Factory reset and boot - no problems on fresh install. Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade. Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-03 00:54:23 +02:00
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
# Only the following processes should be directly accessing private app
# directories.
neverallow {
domain
-adbd
-appdomain
Initial sepolicy for app_zygote. The application zygote is a new sort of zygote process that is a child of the regular zygote. Each application zygote is tied to the application for which it's launched. Once it's started, it will pre-load some of the code for that specific application, much like the regular zygote does for framework code. Once the application zygote is up and running, it can spawn isolated service processes that run in the isolated_app domain. These services can then benefit from already having the relevant application code and data pre-loaded. The policy is largely the same as the webview_zygote domain, however there are a few crucial points where the policy is different. 1) The app_zygote runs under the UID of the application that spawned it. 2) During app_zygote launch, it will call a callback that is controlled by the application, that allows the application to pre-load code and data that it thinks is relevant. Especially point 2 is imporant: it means that untrusted code can run in the app_zygote context. This context is severely limited, and the main concern is around the setgid/setuid capabilities. Those conerns are mitigated by installing a seccomp filter that only allows setgid/setuid to be called in a safe range. Bug: 111434506 Test: app_zygote can start and fork children without denials. Change-Id: I1cc49ee0042d41e5ac6eb81d8f8a10ba448d4832
2018-11-05 11:39:15 +01:00
-app_zygote
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
-dexoptanalyzer
-installd
userdebug_or_eng(`-perfprofd')
-profman
bless app created renderscript files When an app uses renderscript to compile a Script instance, renderscript compiles and links the script using /system/bin/bcc and /system/bin/ld.mc, then places the resulting shared library into the application's code_cache directory. The application then dlopen()s the resulting shared library. Currently, this executable code is writable to the application. This violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which requires any executable code be immutable. This change introduces a new label "rs_data_file". Files created by /system/bin/bcc and /system/bin/ld.mc in the application's home directory assume this label. This allows us to differentiate in security policy between app created files, and files created by renderscript on behalf of the application. Apps are allowed to delete these files, but cannot create or write these files. This is enforced through a neverallow compile time assertion. Several exceptions are added to Treble neverallow assertions to support this functionality. However, because renderscript was previously invoked from an application context, this is not a Treble separation regression. This change is needed to support blocking dlopen() for non-renderscript /data/data files, which will be submitted in a followup change. Bug: 112357170 Test: cts-tradefed run cts -m CtsRenderscriptTestCases Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
2018-12-12 18:06:05 +01:00
-rs # spawned by appdomain, so carryover the exception above
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
-runas
-system_server
[layout compilation] Modify sepolicy to allow installd to run viewcompiler We will generate precompiled layouts as part of the package install or upgrade process. This means installd needs to be able to invoke viewcompiler. This change gives installd and viewcompiler the minimal set of permissions needed for this to work. Bug: 111895153 Test: manual Change-Id: Ic1fe60bd264c497b5f79d9e1d77c2da4e092377b
2019-01-11 17:13:01 +01:00
-viewcompiler
Start partitioning off privapp_data_file from app_data_file Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories. This change adds a new file type "privapp_data_file". For compatibility, we adjust the policy to support access privapp_data_files almost everywhere we were previously granting access to app_data_files (adbd and run-as being exceptions). Additional future tightening is possible here by removing some of these newly added rules. This label will start getting used in a followup change to system/sepolicy/private/seapp_contexts, similar to: -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user For now, this newly introduced label has no usage, so this change is essentially a no-op. Test: Factory reset and boot - no problems on fresh install. Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade. Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-03 00:54:23 +02:00
} { privapp_data_file app_data_file }:dir *;
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
Further protect app private data files Remove the special case that allowed init to relabel app_data_file and privapp_data_file. The auditallow added in ab82125fc84b2bb154b1b68a11db543a5352d533 has never triggered. Bug: 80190017 Test: policy compiles Test: no SELinux denials collected for the auditallow rule Change-Id: Ide7c31e1a0628464ec2fcf041e8975087c39166d
2018-11-16 09:59:23 +01:00
# Only apps should be modifying app data. installd is exempted for
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
# restorecon and package install/uninstall.
neverallow {
domain
-appdomain
-installd
bless app created renderscript files When an app uses renderscript to compile a Script instance, renderscript compiles and links the script using /system/bin/bcc and /system/bin/ld.mc, then places the resulting shared library into the application's code_cache directory. The application then dlopen()s the resulting shared library. Currently, this executable code is writable to the application. This violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which requires any executable code be immutable. This change introduces a new label "rs_data_file". Files created by /system/bin/bcc and /system/bin/ld.mc in the application's home directory assume this label. This allows us to differentiate in security policy between app created files, and files created by renderscript on behalf of the application. Apps are allowed to delete these files, but cannot create or write these files. This is enforced through a neverallow compile time assertion. Several exceptions are added to Treble neverallow assertions to support this functionality. However, because renderscript was previously invoked from an application context, this is not a Treble separation regression. This change is needed to support blocking dlopen() for non-renderscript /data/data files, which will be submitted in a followup change. Bug: 112357170 Test: cts-tradefed run cts -m CtsRenderscriptTestCases Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
2018-12-12 18:06:05 +01:00
-rs # spawned by appdomain, so carryover the exception above
Start partitioning off privapp_data_file from app_data_file Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories. This change adds a new file type "privapp_data_file". For compatibility, we adjust the policy to support access privapp_data_files almost everywhere we were previously granting access to app_data_files (adbd and run-as being exceptions). Additional future tightening is possible here by removing some of these newly added rules. This label will start getting used in a followup change to system/sepolicy/private/seapp_contexts, similar to: -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user For now, this newly introduced label has no usage, so this change is essentially a no-op. Test: Factory reset and boot - no problems on fresh install. Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade. Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-03 00:54:23 +02:00
} { privapp_data_file app_data_file }:dir ~r_dir_perms;
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
neverallow {
domain
-appdomain
Initial sepolicy for app_zygote. The application zygote is a new sort of zygote process that is a child of the regular zygote. Each application zygote is tied to the application for which it's launched. Once it's started, it will pre-load some of the code for that specific application, much like the regular zygote does for framework code. Once the application zygote is up and running, it can spawn isolated service processes that run in the isolated_app domain. These services can then benefit from already having the relevant application code and data pre-loaded. The policy is largely the same as the webview_zygote domain, however there are a few crucial points where the policy is different. 1) The app_zygote runs under the UID of the application that spawned it. 2) During app_zygote launch, it will call a callback that is controlled by the application, that allows the application to pre-load code and data that it thinks is relevant. Especially point 2 is imporant: it means that untrusted code can run in the app_zygote context. This context is severely limited, and the main concern is around the setgid/setuid capabilities. Those conerns are mitigated by installing a seccomp filter that only allows setgid/setuid to be called in a safe range. Bug: 111434506 Test: app_zygote can start and fork children without denials. Change-Id: I1cc49ee0042d41e5ac6eb81d8f8a10ba448d4832
2018-11-05 11:39:15 +01:00
-app_zygote
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
-installd
userdebug_or_eng(`-perfprofd')
bless app created renderscript files When an app uses renderscript to compile a Script instance, renderscript compiles and links the script using /system/bin/bcc and /system/bin/ld.mc, then places the resulting shared library into the application's code_cache directory. The application then dlopen()s the resulting shared library. Currently, this executable code is writable to the application. This violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which requires any executable code be immutable. This change introduces a new label "rs_data_file". Files created by /system/bin/bcc and /system/bin/ld.mc in the application's home directory assume this label. This allows us to differentiate in security policy between app created files, and files created by renderscript on behalf of the application. Apps are allowed to delete these files, but cannot create or write these files. This is enforced through a neverallow compile time assertion. Several exceptions are added to Treble neverallow assertions to support this functionality. However, because renderscript was previously invoked from an application context, this is not a Treble separation regression. This change is needed to support blocking dlopen() for non-renderscript /data/data files, which will be submitted in a followup change. Bug: 112357170 Test: cts-tradefed run cts -m CtsRenderscriptTestCases Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
2018-12-12 18:06:05 +01:00
-rs # spawned by appdomain, so carryover the exception above
Start partitioning off privapp_data_file from app_data_file Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories. This change adds a new file type "privapp_data_file". For compatibility, we adjust the policy to support access privapp_data_files almost everywhere we were previously granting access to app_data_files (adbd and run-as being exceptions). Additional future tightening is possible here by removing some of these newly added rules. This label will start getting used in a followup change to system/sepolicy/private/seapp_contexts, similar to: -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user For now, this newly introduced label has no usage, so this change is essentially a no-op. Test: Factory reset and boot - no problems on fresh install. Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade. Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-03 00:54:23 +02:00
} { privapp_data_file app_data_file }:file_class_set open;
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
neverallow {
domain
-appdomain
-installd # creation of sandbox
Start partitioning off privapp_data_file from app_data_file Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories. This change adds a new file type "privapp_data_file". For compatibility, we adjust the policy to support access privapp_data_files almost everywhere we were previously granting access to app_data_files (adbd and run-as being exceptions). Additional future tightening is possible here by removing some of these newly added rules. This label will start getting used in a followup change to system/sepolicy/private/seapp_contexts, similar to: -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user For now, this newly introduced label has no usage, so this change is essentially a no-op. Test: Factory reset and boot - no problems on fresh install. Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade. Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-03 00:54:23 +02:00
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
neverallow {
domain
-installd
Start partitioning off privapp_data_file from app_data_file Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories. This change adds a new file type "privapp_data_file". For compatibility, we adjust the policy to support access privapp_data_files almost everywhere we were previously granting access to app_data_files (adbd and run-as being exceptions). Additional future tightening is possible here by removing some of these newly added rules. This label will start getting used in a followup change to system/sepolicy/private/seapp_contexts, similar to: -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user For now, this newly introduced label has no usage, so this change is essentially a no-op. Test: Factory reset and boot - no problems on fresh install. Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade. Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-03 00:54:23 +02:00
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
Transient SELinux domain for system_server JIT Create a transient SELinux domain where system_server can perform certain JIT setup. The idea is that system_server will start in the system_server_startup domain, setup certain JIT pages, then perform a one-way transition into the system_server domain. From that point, further JITing operations are disallowed. Bug: 62356545 Test: device boots, no permission errors Change-Id: Ic55b2cc5aba420ebcf62736622e08881a4779004
2018-10-04 19:57:29 +02:00
SEPolicy for Staged Installs. Test: basic workflow between apexd and PackageManager tested with changes being developed. Bug: 118865310 Change-Id: I1ae866f33e9b22493585e108c4fd45400493c7ac
2019-01-02 15:20:52 +01:00
# The staging directory contains APEX and APK files. It is important to ensure
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
Allow installd to delete directories in staging dir In order to support deleting session files after a staged session reaches a final state, installd will need to delete the session directories from /data/staging. Bug: 123624108 Test: triggered 2 flows in which a staged session reaches a final state and made sure installd can delete the session files Change-Id: I76a7d4252d1e033791f67f268cf941672c5e6a3a
2019-02-19 13:21:59 +01:00
neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
neverallow { domain -init -system_server -apexd -kernel -installd } staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
apexd: allow apexd to unlink staging_data_file files In order to support rollback for apex files, apexd will need to unlink previously active apex files in /data/apex/active folder. Those files are hardlinked from /data/staging/session_XXXX which means that they have staging_data_file:file SELinux fields. I double checked that this change won't allow apexd to unlink files in /data/staging/session_XXXX folders, because it will lack write access, logcat contains following entries: avc: denied { write } for name="session_305119585" dev="sda13" ino=5496838 scontext=u:r:apexd:s0 tcontext=u:object_r:staging_data_file:s0 tclass=dir permissive=0 Bug: 122339211 Test: verified that apexd can't unlink files in /data/staging/session_XXXX Change-Id: Iddef724c3d73269c97d9fa12a05a276fad189ea9
2019-02-05 23:47:57 +01:00
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
SEPolicy for Staged Installs. Test: basic workflow between apexd and PackageManager tested with changes being developed. Bug: 118865310 Change-Id: I1ae866f33e9b22493585e108c4fd45400493c7ac
2019-01-02 15:20:52 +01:00
neverallow { domain -init -system_server } staging_data_file:file
apexd: allow apexd to unlink staging_data_file files In order to support rollback for apex files, apexd will need to unlink previously active apex files in /data/apex/active folder. Those files are hardlinked from /data/staging/session_XXXX which means that they have staging_data_file:file SELinux fields. I double checked that this change won't allow apexd to unlink files in /data/staging/session_XXXX folders, because it will lack write access, logcat contains following entries: avc: denied { write } for name="session_305119585" dev="sda13" ino=5496838 scontext=u:r:apexd:s0 tcontext=u:object_r:staging_data_file:s0 tclass=dir permissive=0 Bug: 122339211 Test: verified that apexd can't unlink files in /data/staging/session_XXXX Change-Id: Iddef724c3d73269c97d9fa12a05a276fad189ea9
2019-02-05 23:47:57 +01:00
{ append create relabelfrom rename setattr write no_x_file_perms };
SEPolicy for Staged Installs. Test: basic workflow between apexd and PackageManager tested with changes being developed. Bug: 118865310 Change-Id: I1ae866f33e9b22493585e108c4fd45400493c7ac
2019-01-02 15:20:52 +01:00
Transient SELinux domain for system_server JIT Create a transient SELinux domain where system_server can perform certain JIT setup. The idea is that system_server will start in the system_server_startup domain, setup certain JIT pages, then perform a one-way transition into the system_server domain. From that point, further JITing operations are disallowed. Bug: 62356545 Test: device boots, no permission errors Change-Id: Ic55b2cc5aba420ebcf62736622e08881a4779004
2018-10-04 19:57:29 +02:00
neverallow {
domain
-appdomain # for oemfs
-bootanim # for oemfs
-recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;
#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few whitelisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
#
neverallow {
domain
-appdomain
with_asan(`-asan_extract')
-shell
userdebug_or_eng(`-su')
-system_server_startup # for memfd backed executable regions
Initial sepolicy for app_zygote. The application zygote is a new sort of zygote process that is a child of the regular zygote. Each application zygote is tied to the application for which it's launched. Once it's started, it will pre-load some of the code for that specific application, much like the regular zygote does for framework code. Once the application zygote is up and running, it can spawn isolated service processes that run in the isolated_app domain. These services can then benefit from already having the relevant application code and data pre-loaded. The policy is largely the same as the webview_zygote domain, however there are a few crucial points where the policy is different. 1) The app_zygote runs under the UID of the application that spawned it. 2) During app_zygote launch, it will call a callback that is controlled by the application, that allows the application to pre-load code and data that it thinks is relevant. Especially point 2 is imporant: it means that untrusted code can run in the app_zygote context. This context is severely limited, and the main concern is around the setgid/setuid capabilities. Those conerns are mitigated by installing a seccomp filter that only allows setgid/setuid to be called in a safe range. Bug: 111434506 Test: app_zygote can start and fork children without denials. Change-Id: I1cc49ee0042d41e5ac6eb81d8f8a10ba448d4832
2018-11-05 11:39:15 +01:00
-app_zygote
Transient SELinux domain for system_server JIT Create a transient SELinux domain where system_server can perform certain JIT setup. The idea is that system_server will start in the system_server_startup domain, setup certain JIT pages, then perform a one-way transition into the system_server domain. From that point, further JITing operations are disallowed. Bug: 62356545 Test: device boots, no permission errors Change-Id: Ic55b2cc5aba420ebcf62736622e08881a4779004
2018-10-04 19:57:29 +02:00
-webview_zygote
-zygote
userdebug_or_eng(`-mediaextractor')
userdebug_or_eng(`-mediaswcodec')
} {
file_type
-system_file_type
-system_lib_file
-system_linker_exec
-vendor_file_type
-exec_type
-postinstall_file
}:file execute;
sepolicy changes to configure cgroup.rc and task_profiles.json access cgroups.json file contains cgroup information required to mount cgroup controllers and is readable only by init process. cgroup.rc contains cgroup map information consisting of the list of cgroups available in the system and their mounting locations. It is created by init process and should be readable by any processes that uses cgroups and should be writable only by init process. task_profiles.json file contains task profiles used to operate on cgroups. This information should be readable by any process that uses cgroups and should be writable only by init process. Bug: 111307099 Test: builds, boots Change-Id: Ib2c87c0fc3663c7fc69628f05c846519b65948b5 Merged-In: Ib2c87c0fc3663c7fc69628f05c846519b65948b5 Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-01-11 02:10:31 +01:00
# Only init is allowed to write cgroup.rc file
neverallow {
domain
-init
-vendor_init
} cgroup_rc_file:file no_w_file_perms;
Sepolicy: Move dalvik cache neverallow to private In preparation for additions that should be private-only, move the neverallows to domain's private part. Bug: 125474642 Test: m Change-Id: I7def500221701500956fc0b6948afc58aba5234e
2019-02-22 01:01:50 +01:00
# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
domain
-init # TODO: limit init to relabelfrom for files
-zygote
-installd
-postinstall_dexopt
-cppreopts
-dex2oat
-otapreopt_slot
Sepolicy: Add base runtime APEX postinstall policies Add art_apex_postinstall domain that is allowed to move precreated AoT artifacts from /data/ota. Bug: 125474642 Test: m Change-Id: Id674e202737155a4ee31187f096d1dd655001fdd
2019-02-21 19:03:07 +01:00
-art_apex_postinstall
Sepolicy: ART APEX boot integrity Add ART boot integrity check domain. Give it rights to run fsverity and delete boot classpath artifacts. Bug 125474642 Test: m Test: boot Change-Id: I933add9b1895ed85c43ec712ced6ffe8f820c7ec
2019-03-04 23:10:02 +01:00
-art_apex_boot_integrity
Sepolicy: Move dalvik cache neverallow to private In preparation for additions that should be private-only, move the neverallows to domain's private part. Bug: 125474642 Test: m Change-Id: I7def500221701500956fc0b6948afc58aba5234e
2019-02-22 01:01:50 +01:00
} dalvikcache_data_file:file no_w_file_perms;
neverallow {
domain
-init
-installd
-postinstall_dexopt
-cppreopts
-dex2oat
-zygote
-otapreopt_slot
Sepolicy: ART APEX boot integrity Add ART boot integrity check domain. Give it rights to run fsverity and delete boot classpath artifacts. Bug 125474642 Test: m Test: boot Change-Id: I933add9b1895ed85c43ec712ced6ffe8f820c7ec
2019-03-04 23:10:02 +01:00
-art_apex_boot_integrity
Sepolicy: Add base runtime APEX postinstall policies Add art_apex_postinstall domain that is allowed to move precreated AoT artifacts from /data/ota. Bug: 125474642 Test: m Change-Id: Id674e202737155a4ee31187f096d1dd655001fdd
2019-02-21 19:03:07 +01:00
-art_apex_postinstall
Sepolicy: Move dalvik cache neverallow to private In preparation for additions that should be private-only, move the neverallows to domain's private part. Bug: 125474642 Test: m Change-Id: I7def500221701500956fc0b6948afc58aba5234e
2019-02-22 01:01:50 +01:00
} dalvikcache_data_file:dir no_w_dir_perms;
Sepolicy: Move dac_override checks to private In preparation for moving other components to private, so that private-only components can stay private. Bug: 125474642 Test: m Change-Id: Iff1ecabc4f45051d06e062b3338a117c09b39ff9
2019-02-26 22:12:05 +01:00
# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
define(`dac_override_allowed', `{
dnsmasq
dumpstate
init
installd
install_recovery
userdebug_or_eng(`llkd')
lmkd
netd
perfprofd
postinstall_dexopt
recovery
rss_hwm_reset
sdcardd
tee
ueventd
uncrypt
vendor_init
vold
vold_prepare_subdirs
zygote
}')
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
# have dac_override should also have dac_read_search to eliminate spurious
# denials. Some domains have dac_read_search without having dac_override, so
# this list should be a superset of the one above.
neverallow ~{
dac_override_allowed
traced_probes
Give heapprofd dac_read_search on userdebug. This is needed because some oat dex files are generated without world readable permissions. See the bug for details. We are still constrained by the SELinux rules above. Bug: 129048073 Change-Id: I84e34f83ceb299ff16b29a78f16c620fc0aa5d68
2019-03-21 14:07:05 +01:00
userdebug_or_eng(`heapprofd')
Sepolicy: Move dac_override checks to private In preparation for moving other components to private, so that private-only components can stay private. Bug: 125474642 Test: m Change-Id: Iff1ecabc4f45051d06e062b3338a117c09b39ff9
2019-02-26 22:12:05 +01:00
} self:global_capability_class_set dac_read_search;
Sepolicy: Move otapreopt_chroot to private Move complete domain to private/. Move referencing parts in domain and kernel to private. Bug: 128840749 Test: m Change-Id: I5572c3b04e41141c8f4db62b1361e2b392a5e2da
2019-03-18 18:54:42 +01:00
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
neverallow {
domain
-apexd
recovery_only(`userdebug_or_eng(`-fastbootd')')
-init
-kernel
-otapreopt_chroot
-recovery
-update_engine
-vold
-zygote
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
Add sepolicy for installing GSIs to external storage. To install GSIs on external storage (such as sdcards), gsid needs some additional privileges: - proc_cmdline and device-tree access to call ReadDefaultFstab(). This is ultimately used to check whether system's dm-verity has check_at_most_once enabled, which is disallowed with sdcards. - vfat read/write access to write files to the sdcard. Note that adopted sdcards are not supported here. - read access to the sdcard block device. To enable this without providing access to vold_block_device, a new sdcard_block_device label was added. Devices must apply this label appropriately to enable gsid access. - FIBMAP access for VFAT filesystems, as they do not support FIEMAP. This only appears to work by granting SYS_RAWIO. Bug: 126230649 Test: adb shell su root gsi_tool install --install_dir=/mnt/media_rw/... works without setenforce 0 Change-Id: I88d8d83e5f61d4c0490f912f226fe1fe38cd60ab
2019-03-16 00:41:15 +01:00
# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
-kernel
-gsid
-init
-recovery
-ueventd
-healthd
-uncrypt
-tee
-hal_bootctl_server
} self:global_capability_class_set sys_rawio;
Reference in a new issue Copy permalink