tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/domain.te

447 lines
13 KiB
Text
Raw Normal View History

Introduce crash_dump debugging helper. Replace the global debuggerd with a per-process debugging helper that gets exec'ed by the process that crashed. Bug: http://b/30705528 Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>` Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed
2016-10-19 23:39:30 +02:00
# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
exclude su from transitioning to crash_dump domain When /system/bin/crash_dump is executed from the su domain, do not perform a domain transition. This allows processes run from that domain to crash normally without SELinux interfering. Bug: 114136122 Test: cferris: "This change works for me. I ran the crasher executable on /data, /data/nativetest, /data/nativetest64 (and even /data/local/tmp). All of them show that crash_dump can read the executables." Change-Id: Ic135d61b11774acff37ebfb35831497cddbefdef
2018-09-06 04:11:38 +02:00
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122)
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
Introduce crash_dump debugging helper. Replace the global debuggerd with a per-process debugging helper that gets exec'ed by the process that crashed. Bug: http://b/30705528 Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>` Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed
2016-10-19 23:39:30 +02:00
allow domain crash_dump:process sigchld;
Property to enable heap profile from process startup. This is world-readable so it can be checked in libc's process init. Test: m Test: flash sailfish Bug: 117821125 Change-Id: Iac7317ceb75b5ad9cfb9adabdf16929263fa8a9d
2018-11-08 14:58:13 +01:00
# Allow every process to check the heapprofd.enable properties to determine
# whether to load the heap profiling library. This does not necessarily enable
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);
Allow heap profiling of certain app domains on user builds This patch extends the current debug-specific rules to cover user builds. As a reminder, on user, the target process fork-execs a private heapprofd process, which then performs stack unwinding & talking to the central tracing daemon while staying in the target's domain. The central heapprofd daemon is only responsible for identifying targets & sending the activation signal. On the other hand, on debug, the central heapprofd can handle all processes directly, so the necessary SELinux capabilities depend on the build type. These rules are necessary but not sufficient for profiling. For zygote children, the libc triggering logic will also check for the app to either be debuggable, or go/profileable. For more context, see go/heapprofd-security & go/heapprofd-design. Note that I've had to split this into two separate macros, as exec_no_trans - which is necessary on user, but nice-to-have on debug - conflicts with a lot of neverallows (e.g. HALs and system_server) for the wider whitelisting that we do on debug builds. Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat. Bug: 120409382 Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
# Allow heap profiling on debug builds.
Allow heapprofd central mode on user builds. This simplifies operation by removing a special case for user builds. Test: atest CtsPerfettoTestCases on user Test: atest CtsPerfettoTestCases on userdebug Test: atest perfetto_integrationtests on userdebug Bug: 153139002 Change-Id: Ibbf3dd5e4f75c2a02d931f73b96fabb8157e0ebf
2021-01-11 18:17:30 +01:00
userdebug_or_eng(`can_profile_heap({
Allow heap profiling everything except TCB on userdebug. Bug: 117762471 Test: m Test: flash sailfish Test: profile all running processes with setenforce 1 Change-Id: I71d41d06d2a62190e33b7e3e425a1f7b8039196e
2018-11-27 12:09:14 +01:00
domain
-bpfloader
-init
-kernel
-keystore
-llkd
-logd
Allow profilable domains to use heapprofd fd and tmpfs. This is needed to allow to communicate over shared memory. Bug: 126724929 Change-Id: I73e69ae3679cd50124ab48121e259fd164176ed3
2019-02-28 16:59:32 +01:00
-logpersist
-recovery
-recovery_persist
-recovery_refresh
Allow heap profiling everything except TCB on userdebug. Bug: 117762471 Test: m Test: flash sailfish Test: profile all running processes with setenforce 1 Change-Id: I71d41d06d2a62190e33b7e3e425a1f7b8039196e
2018-11-27 12:09:14 +01:00
-ueventd
-vendor_init
-vold
})')
Property to enable heap profile from process startup. This is world-readable so it can be checked in libc's process init. Test: m Test: flash sailfish Bug: 117821125 Change-Id: Iac7317ceb75b5ad9cfb9adabdf16929263fa8a9d
2018-11-08 14:58:13 +01:00
debug builds: allow perf profiling of most domains As with heapprofd, it's useful to profile the platform itself on debug builds (compared to just apps on "user" builds). Bug: 137092007 Change-Id: I8630c20e0da9c67e4927496802a4cd9cacbeb81a
2020-01-22 21:00:13 +01:00
# As above, allow perf profiling most processes on debug builds.
traced_perf sepolicy tweaks * allow shell to enable/disable the daemon via a sysprop * don't audit signals, as some denials are expected * exclude zygote from the profileable set of targets on debug builds. I've not caught any crashes in practice, but believe there's a possibility that the zygote forks while holding a non-whitelisted fd due to the signal handler. Change-Id: Ib237d4edfb40b200a3bd52e6341f13c4777de3f1
2020-02-19 15:59:17 +01:00
# zygote is excluded as system-wide profiling could end up with it
# (unexpectedly) holding an open fd across a fork.
debug builds: allow perf profiling of most domains As with heapprofd, it's useful to profile the platform itself on debug builds (compared to just apps on "user" builds). Bug: 137092007 Change-Id: I8630c20e0da9c67e4927496802a4cd9cacbeb81a
2020-01-22 21:00:13 +01:00
userdebug_or_eng(`can_profile_perf({
domain
-bpfloader
-init
-kernel
-keystore
-llkd
-logd
-logpersist
-recovery
-recovery_persist
-recovery_refresh
-ueventd
-vendor_init
-vold
traced_perf sepolicy tweaks * allow shell to enable/disable the daemon via a sysprop * don't audit signals, as some denials are expected * exclude zygote from the profileable set of targets on debug builds. I've not caught any crashes in practice, but believe there's a possibility that the zygote forks while holding a non-whitelisted fd due to the signal handler. Change-Id: Ib237d4edfb40b200a3bd52e6341f13c4777de3f1
2020-02-19 15:59:17 +01:00
-zygote
debug builds: allow perf profiling of most domains As with heapprofd, it's useful to profile the platform itself on debug builds (compared to just apps on "user" builds). Bug: 137092007 Change-Id: I8630c20e0da9c67e4927496802a4cd9cacbeb81a
2020-01-22 21:00:13 +01:00
})')
Move some rules around Move rules / neverallow assertions from public to private policy. This change, by itself, is a no-op, but will make future patches easier to read. The only downside of this change is that it will make git blame less effective. Motivation: When rules are placed into the public directory, they cannot reference a private type. A future change will modify these rules to reference a private type. Test: compiles Bug: 112357170 Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
2018-11-29 02:50:24 +01:00
# Path resolution access in cgroups.
allow domain cgroup:dir search;
bless app created renderscript files When an app uses renderscript to compile a Script instance, renderscript compiles and links the script using /system/bin/bcc and /system/bin/ld.mc, then places the resulting shared library into the application's code_cache directory. The application then dlopen()s the resulting shared library. Currently, this executable code is writable to the application. This violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which requires any executable code be immutable. This change introduces a new label "rs_data_file". Files created by /system/bin/bcc and /system/bin/ld.mc in the application's home directory assume this label. This allows us to differentiate in security policy between app created files, and files created by renderscript on behalf of the application. Apps are allowed to delete these files, but cannot create or write these files. This is enforced through a neverallow compile time assertion. Several exceptions are added to Treble neverallow assertions to support this functionality. However, because renderscript was previously invoked from an application context, this is not a Treble separation regression. This change is needed to support blocking dlopen() for non-renderscript /data/data files, which will be submitted in a followup change. Bug: 112357170 Test: cts-tradefed run cts -m CtsRenderscriptTestCases Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
2018-12-12 18:06:05 +01:00
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;
Move some rules around Move rules / neverallow assertions from public to private policy. This change, by itself, is a no-op, but will make future patches easier to read. The only downside of this change is that it will make git blame less effective. Motivation: When rules are placed into the public directory, they cannot reference a private type. A future change will modify these rules to reference a private type. Test: compiles Bug: 112357170 Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
2018-11-29 02:50:24 +01:00
sepolicy changes to configure cgroup.rc and task_profiles.json access cgroups.json file contains cgroup information required to mount cgroup controllers and is readable only by init process. cgroup.rc contains cgroup map information consisting of the list of cgroups available in the system and their mounting locations. It is created by init process and should be readable by any processes that uses cgroups and should be writable only by init process. task_profiles.json file contains task profiles used to operate on cgroups. This information should be readable by any process that uses cgroups and should be writable only by init process. Bug: 111307099 Test: builds, boots Change-Id: Ib2c87c0fc3663c7fc69628f05c846519b65948b5 Merged-In: Ib2c87c0fc3663c7fc69628f05c846519b65948b5 Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-01-11 02:10:31 +01:00
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
Add rules for per-API level task profiles and cgroup description files Define access rights to new per-API level task profiles and cgroup description files under /etc/task_profiles/. Bug: 172066799 Test: boot with per-API task profiles Signed-off-by: Suren Baghdasaryan <surenb@google.com> Change-Id: I04c9929fdffe33a9fc82d431a53f47630f9dcfc3
2020-11-21 03:57:36 +01:00
allow domain task_profiles_api_file:file r_file_perms;
sepolicy for vendor cgroups.json and task_profiles.json files Vendors should be able to specify additional cgroups and task profiles without changing system files. Add access rules for /vendor/etc/cgroups.json and /vendor/etc/task_profiles.json files which will augment cgroups and task profiles specified in /etc/cgroups.json and /etc/task_profiles.json system files. As with system files /vendor/etc/cgroups.json is readable only by init process. task_profiles.json is readable by any process that uses cgroups. Bug: 124960615 Change-Id: I12fcff0159b4e7935ce15cc19ae36230da0524fc Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-02-20 00:02:14 +01:00
allow domain vendor_task_profiles_file:file r_file_perms;
sepolicy changes to configure cgroup.rc and task_profiles.json access cgroups.json file contains cgroup information required to mount cgroup controllers and is readable only by init process. cgroup.rc contains cgroup map information consisting of the list of cgroups available in the system and their mounting locations. It is created by init process and should be readable by any processes that uses cgroups and should be writable only by init process. task_profiles.json file contains task profiles used to operate on cgroups. This information should be readable by any process that uses cgroups and should be writable only by init process. Bug: 111307099 Test: builds, boots Change-Id: Ib2c87c0fc3663c7fc69628f05c846519b65948b5 Merged-In: Ib2c87c0fc3663c7fc69628f05c846519b65948b5 Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-01-11 02:10:31 +01:00
Add permissions for sys.use_memfd property Will be used to forcefully turn on memfd if device supports it. Currently used only for debugging. Change-Id: I46a1b7169677ea552d4b092e7501da587c42ba1a Signed-off-by: Joel Fernandes <joelaf@google.com>
2019-01-31 23:43:57 +01:00
# Allow all domains to read sys.use_memfd to determine
# if memfd support can be used if device supports it
get_prop(domain, use_memfd_prop);
Rename sdkext sepolicy to sdkextensions The module is getting renamed, so rename all the policy relating to it at the same time. Bug: 137191822 Test: presubmit Change-Id: Ia9d966ca9884ce068bd96cf5734e4a459158c85b Merged-In: Ia9d966ca9884ce068bd96cf5734e4a459158c85b (cherry picked from commit 6505573c36dcc6153af37895e968400f722119ea)
2020-01-06 18:29:13 +01:00
# Read access to sdkextensions props
get_prop(domain, module_sdkextensions_prop)
Add sepolicy for sdkext module prop Add a domain for derive_sdk which is allowed to set persist.com.android.sdkext.sdk_info, readable by all apps (but should only be read by the BCP). Bug: 137191822 Test: run derive_sdk, getprop persist.com.android.sdkext.sdk_info Change-Id: I389116f45faad11fa5baa8d617dda30fb9acec7a
2019-11-25 14:10:10 +01:00
selinux policy for buffer queue config Test: boot and check for no policy violations Change-Id: I1ea2a79b9a45b503dcb061c196c5af1d0ddab653
2020-01-20 06:11:07 +01:00
# Read access to bq configuration values
get_prop(domain, bq_config_prop);
Move some rules around Move rules / neverallow assertions from public to private policy. This change, by itself, is a no-op, but will make future patches easier to read. The only downside of this change is that it will make git blame less effective. Motivation: When rules are placed into the public directory, they cannot reference a private type. A future change will modify these rules to reference a private type. Test: compiles Bug: 112357170 Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
2018-11-29 02:50:24 +01:00
# For now, everyone can access core property files
# Device specific properties are not granted by default
not_compatible_property(`
Take new types out of compatible_property_only compatible_property_only is meaningless to new types introduced after Android P because the macro is for types which should have different accessibilities depending on the device's launching API level. Bug: N/A Test: system/sepolicy/tools/build_policies.sh Change-Id: If6b1cf5e4203c74ee65f170bd18c3a354dca2fd4
2020-05-21 13:12:55 +02:00
# DO NOT ADD ANY PROPERTIES HERE
Move some rules around Move rules / neverallow assertions from public to private policy. This change, by itself, is a no-op, but will make future patches easier to read. The only downside of this change is that it will make git blame less effective. Motivation: When rules are placed into the public directory, they cannot reference a private type. A future change will modify these rules to reference a private type. Test: compiles Bug: 112357170 Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
2018-11-29 02:50:24 +01:00
get_prop(domain, core_property_type)
get_prop(domain, exported3_system_prop)
get_prop(domain, vendor_default_prop)
')
compatible_property_only(`
Take new types out of compatible_property_only compatible_property_only is meaningless to new types introduced after Android P because the macro is for types which should have different accessibilities depending on the device's launching API level. Bug: N/A Test: system/sepolicy/tools/build_policies.sh Change-Id: If6b1cf5e4203c74ee65f170bd18c3a354dca2fd4
2020-05-21 13:12:55 +02:00
# DO NOT ADD ANY PROPERTIES HERE
Move some rules around Move rules / neverallow assertions from public to private policy. This change, by itself, is a no-op, but will make future patches easier to read. The only downside of this change is that it will make git blame less effective. Motivation: When rules are placed into the public directory, they cannot reference a private type. A future change will modify these rules to reference a private type. Test: compiles Bug: 112357170 Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
2018-11-29 02:50:24 +01:00
get_prop({coredomain appdomain shell}, core_property_type)
get_prop({coredomain appdomain shell}, exported3_system_prop)
vendor_init can set config.disable_cameraservice This had been settable by vendors up to and including Q release by making config_prop avendor_init writeable. We don't allow this any more. This should be a real vendor settable property now. Bug: 143755062 Test: adb logcat -b all | grep cameraservice Test: atest CtsCameraTestCases Change-Id: Id583e899a906da8a8e8d71391ff2159a9510a630
2020-01-06 13:25:00 +01:00
get_prop({coredomain appdomain shell}, exported_camera_prop)
Add selinux rules for userspace reboot related properties By default sys.init.userspace_reboot.* properties are internal to /system partition. Only exception is sys.init.userspace_reboot.in_progress which signals to all native services (including vendor ones) that userspace reboot is happening, hence it should be a system_public_prop. Only init should be allowed to set userspace reboot related properties. Bug: 135984674 Test: builds Test: adb reboot userspace Change-Id: Ibb04965be2d5bf6e81b34569aaaa1014ff61e0d3
2019-11-14 13:59:15 +01:00
get_prop({coredomain shell}, userspace_reboot_exported_prop)
Add userspace_reboot_log_prop This properties are used to compute UserspaceRebootAtom and are going to be written by system_server. Also removed now unused userspace_reboot_prop. Test: builds Bug: 148767783 Change-Id: Iee44b4ca9f5d3913ac71b2ac6959c232f060f0ed
2020-02-07 01:10:29 +01:00
get_prop({coredomain shell}, userspace_reboot_log_prop)
Add userspace_reboot_test_prop This property type represents properties used in CTS tests of userspace reboot. For example, test.userspace_reboot.requested property which is used to check that userspace reboot was successful and didn't result in full reboot, e.g.: * before test setprop test.userspace_reboot.requested 1 * adb reboot userspace * wait for boot to complete * verify that value of test.userspace_reboot.requested is still 1 Test: adb shell setprop test.userspace_reboot.requested 1 Bug: 150901232 Change-Id: I45d187f386149cec08318ea8545ab864b5810ca8 Merged-In: I45d187f386149cec08318ea8545ab864b5810ca8 (cherry picked from commit 3bd53a9ceecc37c79090c59776408b3d4733b036)
2020-03-12 15:45:00 +01:00
get_prop({coredomain shell}, userspace_reboot_test_prop)
Move some rules around Move rules / neverallow assertions from public to private policy. This change, by itself, is a no-op, but will make future patches easier to read. The only downside of this change is that it will make git blame less effective. Motivation: When rules are placed into the public directory, they cannot reference a private type. A future change will modify these rules to reference a private type. Test: compiles Bug: 112357170 Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
2018-11-29 02:50:24 +01:00
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
Sepolicy: Allow everyone to search keyrings Allow everyone to look for keys in the fsverity keyring. This is required to access fsverity-protected files, at all. This set of permissions is analogous to allowances for the fscrypt keyring and keys. Bug: 125474642 Test: m Test: manual Change-Id: I6e8c13272cdd76d9940d950e9dabecdb210691b1
2019-03-13 23:21:41 +01:00
# Allow access to fsverity keyring.
allow domain kernel:key search;
# Allow access to keys in the fsverity keyring that were installed at boot.
Move fs-verity key loading into fsverity_init domain fsverity_init is a new shell script that uses mini-keyctl for the actual key loading. Given the plan to implement keyctl in toybox, we label mini-keyctl as u:object_r:toolbox_exec:s0. This gives us two benefits: - Better compatibility to keyctl(1), which doesn't have "dadd" - Pave the way to specify key's security labels, since keyctl(1) doesn't support, and we want to avoid adding incompatible option. Test: Boot without SELinux denial Test: After boot, see the key in /product loaded Bug: 128607724 Change-Id: Iebd7c9b3c7aa99ad56f74f557700fd85ec58e9d0
2019-03-15 19:15:31 +01:00
allow domain fsverity_init:key search;
Sepolicy: Allow everyone to search keyrings Allow everyone to look for keys in the fsverity keyring. This is required to access fsverity-protected files, at all. This set of permissions is analogous to allowances for the fscrypt keyring and keys. Bug: 125474642 Test: m Test: manual Change-Id: I6e8c13272cdd76d9940d950e9dabecdb210691b1
2019-03-13 23:21:41 +01:00
# For testing purposes, allow access to keys installed with su.
userdebug_or_eng(`
allow domain su:key search;
')
Add linker config generator and output file to sepolicy Sepolicy for linkerconfig generator and ld.config.txt file from generator Bug: 135004088 Test: m -j & tested from device Change-Id: I2ea7653a33996dde67a84a2e7a0efa660886434a
2019-07-08 12:02:05 +02:00
# Allow access to linkerconfig file
Add more permission for linkerconfig Additional permission is required for linkerconfig from domain to get access to ld.config.txt file from linker. This change allows linker to get /dev/linkerconfig/ld.config.txt Bug: 138920271 Test: m -j && confirmed from cuttlefish Change-Id: Id130a072add8ae82840b0b4d9e997e146f502124
2019-08-05 12:50:53 +02:00
allow domain linkerconfig_file:dir search;
Add linker config generator and output file to sepolicy Sepolicy for linkerconfig generator and ld.config.txt file from generator Bug: 135004088 Test: m -j & tested from device Change-Id: I2ea7653a33996dde67a84a2e7a0efa660886434a
2019-07-08 12:02:05 +02:00
allow domain linkerconfig_file:file r_file_perms;
SEPolicy for boringssl_self_test. This CL adds hand-written SELinux rules to: - define the boringssl_self_test security domain - label the corresponding files at type boringssl_self_test_marker and boringssl_self_test_exec. - define an automatic transition from init to boringssl_self_test domains, plus appropriate access permissions. Bug: 137267623 Test: When run together with the other changes from draft CL topic http://aosp/q/topic:bug137267623_bsslselftest, check that: - both /dev/boringssl/selftest/* marker files are present after the device boots. - Test: after the boringssl_self_test{32,64} binaries have run, no further SELinux denials occur for processes trying to write the marker file. Change-Id: I77de0bccdd8c1e22c354d8ea146e363f4af7e36f
2019-08-28 23:08:50 +02:00
# Allow all processes to check for the existence of the boringssl_self_test_marker files.
allow domain boringssl_self_test_marker:dir search;
sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-10-12 23:58:09 +02:00
# Limit ability to ptrace or read sensitive /proc/pid files of processes
Update language to comply with Android's inclusive language guidance See https://source.android.com/setup/contribute/respectful-code for reference Bug: 161896447 Change-Id: I0caf39b349c48e44123775d98c52a773b0b504ff
2020-07-31 20:28:11 +02:00
# with other UIDs to these allowlisted domains.
sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-10-12 23:58:09 +02:00
neverallow {
domain
-vold
llkd: Add stack symbol checking llkd needs the ptrace capabilities and dac override to monitor for live lock conditions on the stack dumps. Test: compile Bug: 33808187 Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126
2018-08-08 01:03:47 +02:00
userdebug_or_eng(`-llkd')
sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-10-12 23:58:09 +02:00
-dumpstate
Allowing incidentd to get stack traces from processes. Bug: 72177715 Test: flash device and check incident output Change-Id: I16c172caec235d985a6767642134fbd5e5c23912
2018-03-13 00:21:40 +01:00
userdebug_or_eng(`-incidentd')
Policies for profcollectd Bug: 79161490 Test: run profcollect with enforcing Change-Id: I19591dab7c5afb6ace066a3e2607cd290c0f43a6
2020-08-31 19:54:01 +02:00
userdebug_or_eng(`-profcollectd')
Storaged permissions for task I/O Allow storaged to read /proc/[pid]/io Grant binder access to storaged Add storaged service Grant storaged_exec access to dumpstate Grant storaged binder_call to dumpstate Bug: 32221677 Change-Id: Iecc9dba266c5566817a99ac6251eb943a0bac630
2016-07-01 21:18:54 +02:00
-storaged
sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-10-12 23:58:09 +02:00
-system_server
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 23:51:26 +01:00
} self:global_capability_class_set sys_ptrace;
Add keystore_key:attest_unique_id to priv_app. Only privileged apps are supposed to be able to get unique IDs from attestation. Test: CTS test verifies the negative condition, manual the positive Bug: 34671471 Change-Id: I9ab3f71b1e11ed1d7866ff933feece73152d2578
2017-04-11 17:41:25 +02:00
# Limit ability to generate hardware unique device ID attestations to priv_apps
Create a separate SELinux domain for gmscore This change creates a gmscore_app domain for gmscore. The domain is currently in permissive mode (for userdebug and eng builds), while we observe the SELinux denials generated and update the gmscore_app rules accordingly. Bug: 142672293 Test: Flashed a device with this build and verified com.google.android.gms runs in the gmscore_app domain. Tested different flows on the Play Store app, e.g., create a new account, log in, update an app, etc. and verified no new denials were generated. Change-Id: Ie5cb2026f1427a21f25fde7e5bd00d82e859f9f3
2019-10-29 22:13:20 +01:00
neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
Make Keystore equivalent policy for Keystore2 Bug: 158500146 Bug: 159466840 Test: keystore2_test tests part of this policy Change-Id: Id3dcb2ba4423d93170b9ba7ecf8aed0580ce83bc Merged-In: Id3dcb2ba4423d93170b9ba7ecf8aed0580ce83bc
2020-07-27 21:53:20 +02:00
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
neverallow { domain -system_server } *:keystore2_key use_dev_id;
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
Neverallow coredomain to kernel interface files. Core domains should not be allowed access to kernel interfaces, which are not explicitly labeled. These interfaces include (but are not limited to): 1. /proc 2. /sys 3. /dev 4. debugfs 5. tracefs 6. inotifyfs 7. pstorefs 8. configfs 9. functionfs 10. usbfs 11. binfmt_miscfs We keep a lists of exceptions to the rule, which we will be gradually shrinking. This will help us prevent accidental regressions in our efforts to label kernel interfaces. Bug: 68159582 Bug: 68792382 Test: build aosp_sailfish-user Test: build aosp_sailfish-userdebug Test: CP to internal and build walleye-user Change-Id: I1b2890ce1efb02a08709a6132cf2f12f9d88fde7
2017-11-02 18:08:30 +01:00
Use a whitelisting strategy for tracefs. This changes tracefs files to be default-enabled in debug mode, but default-disabled with specific files enabled in user mode. Bug: 64762598 Test: Successfully took traces in user mode. Change-Id: I572ea22253e0c1e42065fbd1d2fd7845de06fceb
2018-01-31 03:14:45 +01:00
neverallow {
domain
-init
-vendor_init
userdebug_or_eng(`-domain')
} debugfs_tracing_debug:file no_rw_file_perms;
Protect dropbox service data with selinux Create a new label for /data/system/dropbox, and neverallow direct access to anything other than init and system_server. While all apps may write to the dropbox service, only apps with android.permission.READ_LOGS, a signature|privileged|development permission, may read them. Grant access to priv_app, system_app, and platform_app, and neverallow access to all untrusted_apps. Bug: 31681871 Test: atest CtsStatsdHostTestCases Test: atest DropBoxTest Test: atest ErrorsTests Change-Id: Ice302b74b13c4d66e07b069c1cdac55954d9f5df
2018-04-16 16:49:49 +02:00
# System_server owns dropbox data, and init creates/restorecons the directory
# Disallow direct access by other processes.
neverallow { domain -init -system_server } dropbox_data_file:dir *;
neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
###
# Services should respect app sandboxes
neverallow {
domain
-appdomain
-installd # creation of sandbox
Start partitioning off privapp_data_file from app_data_file Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories. This change adds a new file type "privapp_data_file". For compatibility, we adjust the policy to support access privapp_data_files almost everywhere we were previously granting access to app_data_files (adbd and run-as being exceptions). Additional future tightening is possible here by removing some of these newly added rules. This label will start getting used in a followup change to system/sepolicy/private/seapp_contexts, similar to: -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user For now, this newly introduced label has no usage, so this change is essentially a no-op. Test: Factory reset and boot - no problems on fresh install. Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade. Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-03 00:54:23 +02:00
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
# Only the following processes should be directly accessing private app
# directories.
neverallow {
domain
-adbd
-appdomain
Initial sepolicy for app_zygote. The application zygote is a new sort of zygote process that is a child of the regular zygote. Each application zygote is tied to the application for which it's launched. Once it's started, it will pre-load some of the code for that specific application, much like the regular zygote does for framework code. Once the application zygote is up and running, it can spawn isolated service processes that run in the isolated_app domain. These services can then benefit from already having the relevant application code and data pre-loaded. The policy is largely the same as the webview_zygote domain, however there are a few crucial points where the policy is different. 1) The app_zygote runs under the UID of the application that spawned it. 2) During app_zygote launch, it will call a callback that is controlled by the application, that allows the application to pre-load code and data that it thinks is relevant. Especially point 2 is imporant: it means that untrusted code can run in the app_zygote context. This context is severely limited, and the main concern is around the setgid/setuid capabilities. Those conerns are mitigated by installing a seccomp filter that only allows setgid/setuid to be called in a safe range. Bug: 111434506 Test: app_zygote can start and fork children without denials. Change-Id: I1cc49ee0042d41e5ac6eb81d8f8a10ba448d4832
2018-11-05 11:39:15 +01:00
-app_zygote
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
-dexoptanalyzer
-installd
sepolicy: policies for iorap.inode2filename binary transitions are as follows: iorapd (fork/exec) -> iorap.cmd.compiler (fork/exec) -> iorap.inode2filename Bug: 117840092 Test: adb shell cmd jobscheduler run -f android 28367305 Change-Id: I4249fcd37d2c8cbdd0ae1a0505983cce9c7fa7c6
2020-02-13 01:28:19 +01:00
-iorap_inode2filename
sepolicy: Add iorap_prefetcherd rules /system/bin/iorapd fork+execs into /system/bin/iorap_prefetcherd during startup See also go/android-iorap-security for the design doc Bug: 137403231 Change-Id: Ie8949c7927a98e0ab757bc46230c589b5a496360
2019-09-19 20:04:20 +02:00
-iorap_prefetcherd
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
-profman
bless app created renderscript files When an app uses renderscript to compile a Script instance, renderscript compiles and links the script using /system/bin/bcc and /system/bin/ld.mc, then places the resulting shared library into the application's code_cache directory. The application then dlopen()s the resulting shared library. Currently, this executable code is writable to the application. This violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which requires any executable code be immutable. This change introduces a new label "rs_data_file". Files created by /system/bin/bcc and /system/bin/ld.mc in the application's home directory assume this label. This allows us to differentiate in security policy between app created files, and files created by renderscript on behalf of the application. Apps are allowed to delete these files, but cannot create or write these files. This is enforced through a neverallow compile time assertion. Several exceptions are added to Treble neverallow assertions to support this functionality. However, because renderscript was previously invoked from an application context, this is not a Treble separation regression. This change is needed to support blocking dlopen() for non-renderscript /data/data files, which will be submitted in a followup change. Bug: 112357170 Test: cts-tradefed run cts -m CtsRenderscriptTestCases Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
2018-12-12 18:06:05 +01:00
-rs # spawned by appdomain, so carryover the exception above
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
-runas
-system_server
[layout compilation] Modify sepolicy to allow installd to run viewcompiler We will generate precompiled layouts as part of the package install or upgrade process. This means installd needs to be able to invoke viewcompiler. This change gives installd and viewcompiler the minimal set of permissions needed for this to work. Bug: 111895153 Test: manual Change-Id: Ic1fe60bd264c497b5f79d9e1d77c2da4e092377b
2019-01-11 17:13:01 +01:00
-viewcompiler
Allow Zygote and Installd to remount directories in /data/data Zygote/Installd now can do the following operations in app data directory: - Mount on it - Create directories in it - Mount directory for each app data, and get/set attributes Bug: 143937733 Test: No denials at boot Test: No denials seen when creating mounts Change-Id: I6e852a5f5182f1abcb3136a3b23ccea69c3328db
2019-12-13 13:30:26 +01:00
-zygote
Start partitioning off privapp_data_file from app_data_file Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories. This change adds a new file type "privapp_data_file". For compatibility, we adjust the policy to support access privapp_data_files almost everywhere we were previously granting access to app_data_files (adbd and run-as being exceptions). Additional future tightening is possible here by removing some of these newly added rules. This label will start getting used in a followup change to system/sepolicy/private/seapp_contexts, similar to: -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user For now, this newly introduced label has no usage, so this change is essentially a no-op. Test: Factory reset and boot - no problems on fresh install. Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade. Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-03 00:54:23 +02:00
} { privapp_data_file app_data_file }:dir *;
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
Further protect app private data files Remove the special case that allowed init to relabel app_data_file and privapp_data_file. The auditallow added in ab82125fc84b2bb154b1b68a11db543a5352d533 has never triggered. Bug: 80190017 Test: policy compiles Test: no SELinux denials collected for the auditallow rule Change-Id: Ide7c31e1a0628464ec2fcf041e8975087c39166d
2018-11-16 09:59:23 +01:00
# Only apps should be modifying app data. installd is exempted for
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
# restorecon and package install/uninstall.
neverallow {
domain
-appdomain
-installd
bless app created renderscript files When an app uses renderscript to compile a Script instance, renderscript compiles and links the script using /system/bin/bcc and /system/bin/ld.mc, then places the resulting shared library into the application's code_cache directory. The application then dlopen()s the resulting shared library. Currently, this executable code is writable to the application. This violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which requires any executable code be immutable. This change introduces a new label "rs_data_file". Files created by /system/bin/bcc and /system/bin/ld.mc in the application's home directory assume this label. This allows us to differentiate in security policy between app created files, and files created by renderscript on behalf of the application. Apps are allowed to delete these files, but cannot create or write these files. This is enforced through a neverallow compile time assertion. Several exceptions are added to Treble neverallow assertions to support this functionality. However, because renderscript was previously invoked from an application context, this is not a Treble separation regression. This change is needed to support blocking dlopen() for non-renderscript /data/data files, which will be submitted in a followup change. Bug: 112357170 Test: cts-tradefed run cts -m CtsRenderscriptTestCases Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
2018-12-12 18:06:05 +01:00
-rs # spawned by appdomain, so carryover the exception above
Start partitioning off privapp_data_file from app_data_file Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories. This change adds a new file type "privapp_data_file". For compatibility, we adjust the policy to support access privapp_data_files almost everywhere we were previously granting access to app_data_files (adbd and run-as being exceptions). Additional future tightening is possible here by removing some of these newly added rules. This label will start getting used in a followup change to system/sepolicy/private/seapp_contexts, similar to: -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user For now, this newly introduced label has no usage, so this change is essentially a no-op. Test: Factory reset and boot - no problems on fresh install. Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade. Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-03 00:54:23 +02:00
} { privapp_data_file app_data_file }:dir ~r_dir_perms;
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
neverallow {
domain
-appdomain
Initial sepolicy for app_zygote. The application zygote is a new sort of zygote process that is a child of the regular zygote. Each application zygote is tied to the application for which it's launched. Once it's started, it will pre-load some of the code for that specific application, much like the regular zygote does for framework code. Once the application zygote is up and running, it can spawn isolated service processes that run in the isolated_app domain. These services can then benefit from already having the relevant application code and data pre-loaded. The policy is largely the same as the webview_zygote domain, however there are a few crucial points where the policy is different. 1) The app_zygote runs under the UID of the application that spawned it. 2) During app_zygote launch, it will call a callback that is controlled by the application, that allows the application to pre-load code and data that it thinks is relevant. Especially point 2 is imporant: it means that untrusted code can run in the app_zygote context. This context is severely limited, and the main concern is around the setgid/setuid capabilities. Those conerns are mitigated by installing a seccomp filter that only allows setgid/setuid to be called in a safe range. Bug: 111434506 Test: app_zygote can start and fork children without denials. Change-Id: I1cc49ee0042d41e5ac6eb81d8f8a10ba448d4832
2018-11-05 11:39:15 +01:00
-app_zygote
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
-installd
sepolicy: Add iorap_prefetcherd rules /system/bin/iorapd fork+execs into /system/bin/iorap_prefetcherd during startup See also go/android-iorap-security for the design doc Bug: 137403231 Change-Id: Ie8949c7927a98e0ab757bc46230c589b5a496360
2019-09-19 20:04:20 +02:00
-iorap_prefetcherd
bless app created renderscript files When an app uses renderscript to compile a Script instance, renderscript compiles and links the script using /system/bin/bcc and /system/bin/ld.mc, then places the resulting shared library into the application's code_cache directory. The application then dlopen()s the resulting shared library. Currently, this executable code is writable to the application. This violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which requires any executable code be immutable. This change introduces a new label "rs_data_file". Files created by /system/bin/bcc and /system/bin/ld.mc in the application's home directory assume this label. This allows us to differentiate in security policy between app created files, and files created by renderscript on behalf of the application. Apps are allowed to delete these files, but cannot create or write these files. This is enforced through a neverallow compile time assertion. Several exceptions are added to Treble neverallow assertions to support this functionality. However, because renderscript was previously invoked from an application context, this is not a Treble separation regression. This change is needed to support blocking dlopen() for non-renderscript /data/data files, which will be submitted in a followup change. Bug: 112357170 Test: cts-tradefed run cts -m CtsRenderscriptTestCases Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
2018-12-12 18:06:05 +01:00
-rs # spawned by appdomain, so carryover the exception above
Start partitioning off privapp_data_file from app_data_file Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories. This change adds a new file type "privapp_data_file". For compatibility, we adjust the policy to support access privapp_data_files almost everywhere we were previously granting access to app_data_files (adbd and run-as being exceptions). Additional future tightening is possible here by removing some of these newly added rules. This label will start getting used in a followup change to system/sepolicy/private/seapp_contexts, similar to: -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user For now, this newly introduced label has no usage, so this change is essentially a no-op. Test: Factory reset and boot - no problems on fresh install. Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade. Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-03 00:54:23 +02:00
} { privapp_data_file app_data_file }:file_class_set open;
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
neverallow {
domain
-appdomain
-installd # creation of sandbox
Start partitioning off privapp_data_file from app_data_file Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories. This change adds a new file type "privapp_data_file". For compatibility, we adjust the policy to support access privapp_data_files almost everywhere we were previously granting access to app_data_files (adbd and run-as being exceptions). Additional future tightening is possible here by removing some of these newly added rules. This label will start getting used in a followup change to system/sepolicy/private/seapp_contexts, similar to: -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user For now, this newly introduced label has no usage, so this change is essentially a no-op. Test: Factory reset and boot - no problems on fresh install. Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade. Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-03 00:54:23 +02:00
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
neverallow {
domain
-installd
Start partitioning off privapp_data_file from app_data_file Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories. This change adds a new file type "privapp_data_file". For compatibility, we adjust the policy to support access privapp_data_files almost everywhere we were previously granting access to app_data_files (adbd and run-as being exceptions). Additional future tightening is possible here by removing some of these newly added rules. This label will start getting used in a followup change to system/sepolicy/private/seapp_contexts, similar to: -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user For now, this newly introduced label has no usage, so this change is essentially a no-op. Test: Factory reset and boot - no problems on fresh install. Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade. Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-03 00:54:23 +02:00
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
Transient SELinux domain for system_server JIT Create a transient SELinux domain where system_server can perform certain JIT setup. The idea is that system_server will start in the system_server_startup domain, setup certain JIT pages, then perform a one-way transition into the system_server domain. From that point, further JITing operations are disallowed. Bug: 62356545 Test: device boots, no permission errors Change-Id: Ic55b2cc5aba420ebcf62736622e08881a4779004
2018-10-04 19:57:29 +02:00
SEPolicy for Staged Installs. Test: basic workflow between apexd and PackageManager tested with changes being developed. Bug: 118865310 Change-Id: I1ae866f33e9b22493585e108c4fd45400493c7ac
2019-01-02 15:20:52 +01:00
# The staging directory contains APEX and APK files. It is important to ensure
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
Allow priv_app read access to /data/app-staging directory During staged installation, we no longer create duplicate sessions for verification purpose. Instead, we send the original files in /data/app-staging folder to package verifiers for verification. That means, Phonesky needs access to /data/app-staging folder to be able to verify the apks inside it. Bug: 175163376 Test: atest StagedInstallTest#testPlayStoreCanReadAppStagingDir Test: atest StagedInstallTest#testAppStagingFolderCannotBeReadByNonPrivApps Change-Id: I5cbb4c8b7dceb63954c747180b39b4a21d2463af
2020-12-10 22:48:51 +01:00
neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *;
Allow priv_app to search apex_data_file and read staging_data_file This changes are necessary to make files under /data/apex/active be readable by Phonesky. Test: builds Bug: 154635217 Merged-In: I14116f02f3d3f0a8390f1d968a3971f15bd4b3f2 Change-Id: I14116f02f3d3f0a8390f1d968a3971f15bd4b3f2 (cherry picked from commit 89d43a51bae00bd805db222508e42021b432c414)
2020-04-22 01:04:04 +02:00
neverallow { domain -init -system_app -system_server -apexd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
Allow installd to delete directories in staging dir In order to support deleting session files after a staged session reaches a final state, installd will need to delete the session directories from /data/staging. Bug: 123624108 Test: triggered 2 flows in which a staged session reaches a final state and made sure installd can delete the session files Change-Id: I76a7d4252d1e033791f67f268cf941672c5e6a3a
2019-02-19 13:21:59 +01:00
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
apexd: allow apexd to unlink staging_data_file files In order to support rollback for apex files, apexd will need to unlink previously active apex files in /data/apex/active folder. Those files are hardlinked from /data/staging/session_XXXX which means that they have staging_data_file:file SELinux fields. I double checked that this change won't allow apexd to unlink files in /data/staging/session_XXXX folders, because it will lack write access, logcat contains following entries: avc: denied { write } for name="session_305119585" dev="sda13" ino=5496838 scontext=u:r:apexd:s0 tcontext=u:object_r:staging_data_file:s0 tclass=dir permissive=0 Bug: 122339211 Test: verified that apexd can't unlink files in /data/staging/session_XXXX Change-Id: Iddef724c3d73269c97d9fa12a05a276fad189ea9
2019-02-05 23:47:57 +01:00
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
SEPolicy for Staged Installs. Test: basic workflow between apexd and PackageManager tested with changes being developed. Bug: 118865310 Change-Id: I1ae866f33e9b22493585e108c4fd45400493c7ac
2019-01-02 15:20:52 +01:00
neverallow { domain -init -system_server } staging_data_file:file
apexd: allow apexd to unlink staging_data_file files In order to support rollback for apex files, apexd will need to unlink previously active apex files in /data/apex/active folder. Those files are hardlinked from /data/staging/session_XXXX which means that they have staging_data_file:file SELinux fields. I double checked that this change won't allow apexd to unlink files in /data/staging/session_XXXX folders, because it will lack write access, logcat contains following entries: avc: denied { write } for name="session_305119585" dev="sda13" ino=5496838 scontext=u:r:apexd:s0 tcontext=u:object_r:staging_data_file:s0 tclass=dir permissive=0 Bug: 122339211 Test: verified that apexd can't unlink files in /data/staging/session_XXXX Change-Id: Iddef724c3d73269c97d9fa12a05a276fad189ea9
2019-02-05 23:47:57 +01:00
{ append create relabelfrom rename setattr write no_x_file_perms };
SEPolicy for Staged Installs. Test: basic workflow between apexd and PackageManager tested with changes being developed. Bug: 118865310 Change-Id: I1ae866f33e9b22493585e108c4fd45400493c7ac
2019-01-02 15:20:52 +01:00
Transient SELinux domain for system_server JIT Create a transient SELinux domain where system_server can perform certain JIT setup. The idea is that system_server will start in the system_server_startup domain, setup certain JIT pages, then perform a one-way transition into the system_server domain. From that point, further JITing operations are disallowed. Bug: 62356545 Test: device boots, no permission errors Change-Id: Ic55b2cc5aba420ebcf62736622e08881a4779004
2018-10-04 19:57:29 +02:00
neverallow {
domain
-appdomain # for oemfs
-bootanim # for oemfs
-recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;
#
# Assert that, to the extent possible, we're not loading executable content from
Update language to comply with Android's inclusive language guidance See https://source.android.com/setup/contribute/respectful-code for reference Bug: 161896447 Change-Id: I0caf39b349c48e44123775d98c52a773b0b504ff
2020-07-31 20:28:11 +02:00
# outside the rootfs or /system partition except for a few allowlisted domains.
Transient SELinux domain for system_server JIT Create a transient SELinux domain where system_server can perform certain JIT setup. The idea is that system_server will start in the system_server_startup domain, setup certain JIT pages, then perform a one-way transition into the system_server domain. From that point, further JITing operations are disallowed. Bug: 62356545 Test: device boots, no permission errors Change-Id: Ic55b2cc5aba420ebcf62736622e08881a4779004
2018-10-04 19:57:29 +02:00
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
#
neverallow {
domain
-appdomain
with_asan(`-asan_extract')
sepolicy: Add iorap_prefetcherd rules /system/bin/iorapd fork+execs into /system/bin/iorap_prefetcherd during startup See also go/android-iorap-security for the design doc Bug: 137403231 Change-Id: Ie8949c7927a98e0ab757bc46230c589b5a496360
2019-09-19 20:04:20 +02:00
-iorap_prefetcherd
Transient SELinux domain for system_server JIT Create a transient SELinux domain where system_server can perform certain JIT setup. The idea is that system_server will start in the system_server_startup domain, setup certain JIT pages, then perform a one-way transition into the system_server domain. From that point, further JITing operations are disallowed. Bug: 62356545 Test: device boots, no permission errors Change-Id: Ic55b2cc5aba420ebcf62736622e08881a4779004
2018-10-04 19:57:29 +02:00
-shell
userdebug_or_eng(`-su')
-system_server_startup # for memfd backed executable regions
Initial sepolicy for app_zygote. The application zygote is a new sort of zygote process that is a child of the regular zygote. Each application zygote is tied to the application for which it's launched. Once it's started, it will pre-load some of the code for that specific application, much like the regular zygote does for framework code. Once the application zygote is up and running, it can spawn isolated service processes that run in the isolated_app domain. These services can then benefit from already having the relevant application code and data pre-loaded. The policy is largely the same as the webview_zygote domain, however there are a few crucial points where the policy is different. 1) The app_zygote runs under the UID of the application that spawned it. 2) During app_zygote launch, it will call a callback that is controlled by the application, that allows the application to pre-load code and data that it thinks is relevant. Especially point 2 is imporant: it means that untrusted code can run in the app_zygote context. This context is severely limited, and the main concern is around the setgid/setuid capabilities. Those conerns are mitigated by installing a seccomp filter that only allows setgid/setuid to be called in a safe range. Bug: 111434506 Test: app_zygote can start and fork children without denials. Change-Id: I1cc49ee0042d41e5ac6eb81d8f8a10ba448d4832
2018-11-05 11:39:15 +01:00
-app_zygote
Transient SELinux domain for system_server JIT Create a transient SELinux domain where system_server can perform certain JIT setup. The idea is that system_server will start in the system_server_startup domain, setup certain JIT pages, then perform a one-way transition into the system_server domain. From that point, further JITing operations are disallowed. Bug: 62356545 Test: device boots, no permission errors Change-Id: Ic55b2cc5aba420ebcf62736622e08881a4779004
2018-10-04 19:57:29 +02:00
-webview_zygote
-zygote
userdebug_or_eng(`-mediaextractor')
userdebug_or_eng(`-mediaswcodec')
} {
file_type
-system_file_type
-system_lib_file
-system_linker_exec
-vendor_file_type
-exec_type
-postinstall_file
}:file execute;
sepolicy changes to configure cgroup.rc and task_profiles.json access cgroups.json file contains cgroup information required to mount cgroup controllers and is readable only by init process. cgroup.rc contains cgroup map information consisting of the list of cgroups available in the system and their mounting locations. It is created by init process and should be readable by any processes that uses cgroups and should be writable only by init process. task_profiles.json file contains task profiles used to operate on cgroups. This information should be readable by any process that uses cgroups and should be writable only by init process. Bug: 111307099 Test: builds, boots Change-Id: Ib2c87c0fc3663c7fc69628f05c846519b65948b5 Merged-In: Ib2c87c0fc3663c7fc69628f05c846519b65948b5 Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-01-11 02:10:31 +01:00
# Only init is allowed to write cgroup.rc file
neverallow {
domain
-init
-vendor_init
} cgroup_rc_file:file no_w_file_perms;
Sepolicy: Move dalvik cache neverallow to private In preparation for additions that should be private-only, move the neverallows to domain's private part. Bug: 125474642 Test: m Change-Id: I7def500221701500956fc0b6948afc58aba5234e
2019-02-22 01:01:50 +01:00
# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
domain
-init # TODO: limit init to relabelfrom for files
-zygote
-installd
-postinstall_dexopt
-cppreopts
-dex2oat
-otapreopt_slot
} dalvikcache_data_file:file no_w_file_perms;
neverallow {
domain
-init
-installd
-postinstall_dexopt
-cppreopts
-dex2oat
-zygote
-otapreopt_slot
} dalvikcache_data_file:dir no_w_dir_perms;
Sepolicy: Move dac_override checks to private In preparation for moving other components to private, so that private-only components can stay private. Bug: 125474642 Test: m Change-Id: Iff1ecabc4f45051d06e062b3338a117c09b39ff9
2019-02-26 22:12:05 +01:00
# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
define(`dac_override_allowed', `{
Add sepolicy rules to allow apexd to perform snapshot and restore. This adds rules required for apexd to perform snapshot and restore of the new apex data directories. See go/apex-data-directories for more information on the feature. See the chain of CLs up to ag/10169468 for the implementation of snapshot and restore. Bug: 141148175 Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeSys Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeUser Test: atest StagedRollbackTest#testRollbackApexDataDirectories_Ce Change-Id: I1756bbc1d80cad7cf9c2cebcee9bee6bc261728c
2020-01-24 18:20:19 +01:00
apexd
Sepolicy: Move dac_override checks to private In preparation for moving other components to private, so that private-only components can stay private. Bug: 125474642 Test: m Change-Id: Iff1ecabc4f45051d06e062b3338a117c09b39ff9
2019-02-26 22:12:05 +01:00
dnsmasq
dumpstate
init
installd
userdebug_or_eng(`llkd')
lmkd
sepolicy: Add policy for migrate_legacy_obb_data.sh .. and let installd execute it. Required to migrate legacy obb contents Bug: 129167772 Test: make Change-Id: I35d35016680379e3a9363408704ee890a78a9748
2019-05-17 16:05:18 +02:00
migrate_legacy_obb_data
Sepolicy: Move dac_override checks to private In preparation for moving other components to private, so that private-only components can stay private. Bug: 125474642 Test: m Change-Id: Iff1ecabc4f45051d06e062b3338a117c09b39ff9
2019-02-26 22:12:05 +01:00
netd
postinstall_dexopt
recovery
rss_hwm_reset
sdcardd
tee
ueventd
uncrypt
vendor_init
vold
vold_prepare_subdirs
zygote
}')
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
# have dac_override should also have dac_read_search to eliminate spurious
# denials. Some domains have dac_read_search without having dac_override, so
# this list should be a superset of the one above.
neverallow ~{
dac_override_allowed
sepolicy: policies for iorap.inode2filename binary transitions are as follows: iorapd (fork/exec) -> iorap.cmd.compiler (fork/exec) -> iorap.inode2filename Bug: 117840092 Test: adb shell cmd jobscheduler run -f android 28367305 Change-Id: I4249fcd37d2c8cbdd0ae1a0505983cce9c7fa7c6
2020-02-13 01:28:19 +01:00
iorap_inode2filename
sepolicy: Add iorap_prefetcherd rules /system/bin/iorapd fork+execs into /system/bin/iorap_prefetcherd during startup See also go/android-iorap-security for the design doc Bug: 137403231 Change-Id: Ie8949c7927a98e0ab757bc46230c589b5a496360
2019-09-19 20:04:20 +02:00
iorap_prefetcherd
initial policy for traced_perf daemon (perf profiler) The steps involved in setting up profiling and stack unwinding are described in detail at go/perfetto-perf-android. To summarize the interesting case: the daemon uses cpu-wide perf_event_open, with userspace stack and register sampling on. For each sample, it identifies whether the process is profileable, and obtains the FDs for /proc/[pid]/{maps,mem} using a dedicated RT signal (with the bionic signal handler handing over the FDs over a dedicated socket). It then uses libunwindstack to unwind & symbolize the stacks, sending the results to the central tracing daemon (traced). This patch covers the app profiling use-cases. Splitting out the "profile most things on debug builds" into a separate patch for easier review. Most of the exceptions in domain.te & coredomain.te come from the "vendor_file_type" allow-rule. We want a subset of that (effectively all libraries/executables), but I believe that in practice it's hard to use just the specific subtypes, and we're better off allowing access to all vendor_file_type files. Bug: 137092007 Change-Id: I4aa482cfb3f9fb2fabf02e1dff92e2b5ce121a47
2020-01-22 20:16:13 +01:00
traced_perf
Sepolicy: Move dac_override checks to private In preparation for moving other components to private, so that private-only components can stay private. Bug: 125474642 Test: m Change-Id: Iff1ecabc4f45051d06e062b3338a117c09b39ff9
2019-02-26 22:12:05 +01:00
traced_probes
Allow heapprofd central mode on user builds. This simplifies operation by removing a special case for user builds. Test: atest CtsPerfettoTestCases on user Test: atest CtsPerfettoTestCases on userdebug Test: atest perfetto_integrationtests on userdebug Bug: 153139002 Change-Id: Ibbf3dd5e4f75c2a02d931f73b96fabb8157e0ebf
2021-01-11 18:17:30 +01:00
heapprofd
Sepolicy: Move dac_override checks to private In preparation for moving other components to private, so that private-only components can stay private. Bug: 125474642 Test: m Change-Id: Iff1ecabc4f45051d06e062b3338a117c09b39ff9
2019-02-26 22:12:05 +01:00
} self:global_capability_class_set dac_read_search;
Sepolicy: Move otapreopt_chroot to private Move complete domain to private/. Move referencing parts in domain and kernel to private. Bug: 128840749 Test: m Change-Id: I5572c3b04e41141c8f4db62b1361e2b392a5e2da
2019-03-18 18:54:42 +01:00
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
neverallow {
domain
-apexd
recovery_only(`userdebug_or_eng(`-fastbootd')')
-init
-kernel
-otapreopt_chroot
-recovery
-update_engine
-vold
-zygote
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
Add sepolicy for installing GSIs to external storage. To install GSIs on external storage (such as sdcards), gsid needs some additional privileges: - proc_cmdline and device-tree access to call ReadDefaultFstab(). This is ultimately used to check whether system's dm-verity has check_at_most_once enabled, which is disallowed with sdcards. - vfat read/write access to write files to the sdcard. Note that adopted sdcards are not supported here. - read access to the sdcard block device. To enable this without providing access to vold_block_device, a new sdcard_block_device label was added. Devices must apply this label appropriately to enable gsid access. - FIBMAP access for VFAT filesystems, as they do not support FIEMAP. This only appears to work by granting SYS_RAWIO. Bug: 126230649 Test: adb shell su root gsi_tool install --install_dir=/mnt/media_rw/... works without setenforce 0 Change-Id: I88d8d83e5f61d4c0490f912f226fe1fe38cd60ab
2019-03-16 00:41:15 +01:00
Update language to comply with Android's inclusive language guidance See https://source.android.com/setup/contribute/respectful-code for reference Bug: 161896447 Change-Id: I0caf39b349c48e44123775d98c52a773b0b504ff
2020-07-31 20:28:11 +02:00
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
Add sepolicy for installing GSIs to external storage. To install GSIs on external storage (such as sdcards), gsid needs some additional privileges: - proc_cmdline and device-tree access to call ReadDefaultFstab(). This is ultimately used to check whether system's dm-verity has check_at_most_once enabled, which is disallowed with sdcards. - vfat read/write access to write files to the sdcard. Note that adopted sdcards are not supported here. - read access to the sdcard block device. To enable this without providing access to vold_block_device, a new sdcard_block_device label was added. Devices must apply this label appropriately to enable gsid access. - FIBMAP access for VFAT filesystems, as they do not support FIEMAP. This only appears to work by granting SYS_RAWIO. Bug: 126230649 Test: adb shell su root gsi_tool install --install_dir=/mnt/media_rw/... works without setenforce 0 Change-Id: I88d8d83e5f61d4c0490f912f226fe1fe38cd60ab
2019-03-16 00:41:15 +01:00
neverallow {
domain
userdebug_or_eng(`-domain')
-kernel
-gsid
-init
-recovery
-ueventd
-healthd
-uncrypt
-tee
-hal_bootctl_server
Add fastbootd to the sys_rawio whitelist. A similar problem was previously encountered with the boot control HAL in bug 118011561. The HAL may need access to emmc to implement set_active commands. fastbootd uses the boot control HAL in passthru mode when in recovery, so by extension, it needs this exception as well. Bug: 140367894 Test: fastbootd can use sys_rawio Change-Id: I1040e314a58eae8a516a2e999e9d4e2aa51786e7
2019-10-26 00:11:58 +02:00
-fastbootd
Add sepolicy for installing GSIs to external storage. To install GSIs on external storage (such as sdcards), gsid needs some additional privileges: - proc_cmdline and device-tree access to call ReadDefaultFstab(). This is ultimately used to check whether system's dm-verity has check_at_most_once enabled, which is disallowed with sdcards. - vfat read/write access to write files to the sdcard. Note that adopted sdcards are not supported here. - read access to the sdcard block device. To enable this without providing access to vold_block_device, a new sdcard_block_device label was added. Devices must apply this label appropriately to enable gsid access. - FIBMAP access for VFAT filesystems, as they do not support FIEMAP. This only appears to work by granting SYS_RAWIO. Bug: 126230649 Test: adb shell su root gsi_tool install --install_dir=/mnt/media_rw/... works without setenforce 0 Change-Id: I88d8d83e5f61d4c0490f912f226fe1fe38cd60ab
2019-03-16 00:41:15 +01:00
} self:global_capability_class_set sys_rawio;
Allow Zygote and Installd to remount directories in /data/data Zygote/Installd now can do the following operations in app data directory: - Mount on it - Create directories in it - Mount directory for each app data, and get/set attributes Bug: 143937733 Test: No denials at boot Test: No denials seen when creating mounts Change-Id: I6e852a5f5182f1abcb3136a3b23ccea69c3328db
2019-12-13 13:30:26 +01:00
# Limit directory operations that doesn't need to do app data isolation.
neverallow {
domain
-init
-installd
-zygote
} mirror_data_file:dir *;
net_dns_prop: neverallow most access Prepare for these properties to be completely removed. Bug: 33308258 Test: build Change-Id: Ie22918247db1d6e85a36e0df958916b6752629d0
2020-02-04 12:31:05 +01:00
# This property is being removed. Remove remaining access.
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
Move system property rules to private public/property split is landed to selectively export public types to vendors. So rules happening within system should be in private. This introduces private/property.te and moves all allow and neverallow rules from any coredomains to system defiend properties. Bug: 150331497 Test: system/sepolicy/tools/build_policies.sh Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe (cherry picked from commit 42c7d8966cc5f76c84c001c5af787cbfade736c8)
2020-03-04 09:20:35 +01:00
# Only core domains are allowed to access package_manager properties
neverallow { domain -init -system_server } pm_prop:property_service set;
neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
# Do not allow reading the last boot timestamp from system properties
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
Label kprobes and restrict access Bug: 149659981 Test: build Change-Id: I6abcd1bb9af15e7ba0f1f5e711ea9ac661bffc25
2020-06-10 12:27:12 +02:00
# Kprobes should only be used by adb root
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
Move a couple of treble policies to private We need to add an exception for a private type, it can only be recognised if these are private policies. Bug: 79161490 Test: TreeHugger Change-Id: Icc902389e545f1ff4c92d2ab81c0617a3439f466
2020-08-31 15:38:04 +02:00
# On TREBLE devices, most coredomains should not access vendor_files.
# TODO(b/71553434): Remove exceptions here.
full_treble_only(`
neverallow {
coredomain
-appdomain
-bootanim
-crash_dump
-heapprofd
Policies for profcollectd Bug: 79161490 Test: run profcollect with enforcing Change-Id: I19591dab7c5afb6ace066a3e2607cd290c0f43a6
2020-08-31 19:54:01 +02:00
userdebug_or_eng(`-profcollectd')
Move a couple of treble policies to private We need to add an exception for a private type, it can only be recognised if these are private policies. Bug: 79161490 Test: TreeHugger Change-Id: Icc902389e545f1ff4c92d2ab81c0617a3439f466
2020-08-31 15:38:04 +02:00
-init
-iorap_inode2filename
-iorap_prefetcherd
-kernel
-traced_perf
-ueventd
} vendor_file:file { no_w_file_perms no_x_file_perms open };
')
# Vendor domains are not permitted to initiate communications to core domain sockets
full_treble_only(`
neverallow_establish_socket_comms({
domain
-coredomain
-appdomain
-socket_between_core_and_vendor_violators
}, {
coredomain
-logd # Logging by writing to logd Unix domain socket is public API
-netd # netdomain needs this
-mdnsd # netdomain needs this
userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
-init
-tombstoned # linker to tombstoned
userdebug_or_eng(`-heapprofd')
userdebug_or_eng(`-traced_perf')
});
')
full_treble_only(`
# Do not allow system components access to /vendor files except for the
# ones allowed here.
neverallow {
coredomain
# TODO(b/37168747): clean up fwk access to /vendor
-crash_dump
-init # starts vendor executables
-iorap_inode2filename
-iorap_prefetcherd
-kernel # loads /vendor/firmware
Allow heapprofd central mode on user builds. This simplifies operation by removing a special case for user builds. Test: atest CtsPerfettoTestCases on user Test: atest CtsPerfettoTestCases on userdebug Test: atest perfetto_integrationtests on userdebug Bug: 153139002 Change-Id: Ibbf3dd5e4f75c2a02d931f73b96fabb8157e0ebf
2021-01-11 18:17:30 +01:00
-heapprofd
Policies for profcollectd Bug: 79161490 Test: run profcollect with enforcing Change-Id: I19591dab7c5afb6ace066a3e2607cd290c0f43a6
2020-08-31 19:54:01 +02:00
userdebug_or_eng(`-profcollectd')
Move a couple of treble policies to private We need to add an exception for a private type, it can only be recognised if these are private policies. Bug: 79161490 Test: TreeHugger Change-Id: Icc902389e545f1ff4c92d2ab81c0617a3439f466
2020-08-31 15:38:04 +02:00
-shell
-system_executes_vendor_violators
-traced_perf # library/binary access for symbolization
-ueventd # reads /vendor/ueventd.rc
-vold # loads incremental fs driver
} {
vendor_file_type
-same_process_hal_file
-vendor_app_file
-vendor_apex_file
-vendor_configs_file
-vendor_service_contexts_file
-vendor_framework_file
-vendor_idc_file
-vendor_keychars_file
-vendor_keylayout_file
-vendor_overlay_file
-vendor_public_lib_file
-vendor_task_profiles_file
-vndk_sp_file
}:file *;
')
Exempt older vendor images from recent mls changes. We no longer allow apps with mlstrustedsubject access to app_data_file or privapp_data_file. For compatibility we grant access to all apps on vendor images for SDK <= 30, whether mlstrustedsubject or not. (The ones that are not already have access, but that is harmless.) Additionally we have started adding categories to system_data_file etc. We treat these older vendor apps as trusted for those types only. The result is that apps on older vendor images still have all the access they used to but no new access. We add a neverallow to prevent the compatibility attribute being abused. Test: builds Change-Id: I10a885b6a122292f1163961b4a3cf3ddcf6230ad
2020-11-16 19:10:33 +01:00
# mlsvendorcompat is only for compatibility support for older vendor
# images, and should not be granted to any domain in current policy.
# (Every domain is allowed self:fork, so this will trigger if the
# intsersection of domain & mlsvendorcompat is not empty.)
neverallow domain mlsvendorcompat:process fork;
Reference in a new issue Copy permalink