tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/attributes

432 lines
14 KiB
Text
Raw Normal View History

SE Android policy.
2012-01-04 18:33:27 +01:00
######################################
# Attribute declarations
#
# All types used for devices.
checkfc: add attribute test Enable checkfc to check *_contexts against a set of valid attributes which must be associated with all types in the contexts file that is being checked. Since it's imperative that checkfc knows which file its checking to choose the proper attribute set, the -s option is introduced to indicate the service_contexts file. The property_contexts file continues to use the existing -p and file_contexts requires no specification, aka it's the default. Failure examples: file_contexts: Error: type "init" is not of set: "fs_type, dev_type, file_type" service_contexts: Error: type "init_exec" is not of set: "service_manager_type" property_contexts: Error: type "bluetooth_service" is not of set: "property_type" Change-Id: I62077e4d0760858a9459e753e14dfd209868080f Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-09-25 03:10:54 +02:00
# On change, update CHECK_FC_ASSERT_ATTRS
# in tools/checkfc.c
SE Android policy.
2012-01-04 18:33:27 +01:00
attribute dev_type;
Stop using the bdev_type and sysfs_block_type SELinux attributes Stop using these SELinux attributes since the apexd and init SELinux policies no longer rely on these attributes. The difference between the previous versions of this patch and the current patch is that the current patch does not remove any SELinux attributes. See also https://android-review.googlesource.com/c/platform/system/sepolicy/+/1850656. See also https://android-review.googlesource.com/c/platform/system/sepolicy/+/1862919. This patch includes a revert of commit 8b2b951349c4 ("Restore permission for shell to list /sys/class/block"). That commit is no longer necessary since it was a bug fix for the introduction of the sysfs_block type. Bug: 202520796 Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd Change-Id: I73e1133af8146c154af95d4b96132e49dbec730c Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-10-08 18:30:42 +02:00
# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
Revert "Remove the bdev_type and sysfs_block_type SELinux attributes" Revert "Remove the bdev_type and sysfs_block_type SELinux attributes" Revert "Remove the bdev_type and sysfs_block_type SELinux attributes" Revert submission 1850578-remove-selinux-bdev-type Reason for revert: DroidMonitor-triggered revert due to breakage, bug b/203480787 BUG: 203480787 Reverted Changes: I263bce9c4:Remove the bdev_type and sysfs_block_type SELinux ... Ibc9039f96:Revert "Add the 'bdev_type' attribute to all block... Ic6ae83576:Remove the bdev_type and sysfs_block_type SELinux ... Ie493022a8:Remove the bdev_type and sysfs_block_type SELinux ... I1f1ca439b:Revert "Add the 'bdev_type' attribute to all block... I283f8676b:Revert "Add the 'bdev_type' attribute to all block... I7c5c242c5:Revert "Add the 'bdev_type' attribute to all block... Id78d8f7dc:Remove the bdev_type and sysfs_block_type SELinux ... I9c4b2c48b:Remove the bdev_type and sysfs_block_type SELinux ... I51e9d384a:Remove the bdev_type and sysfs_block_type SELinux ... I2c414de3b:Remove the sysfs_block_type SELinux attribute Change-Id: I55609803d530772d507d9dca8ba202a96daf24b7
2021-10-19 12:57:42 +02:00
attribute bdev_type;
SE Android policy.
2012-01-04 18:33:27 +01:00
# All types used for processes.
attribute domain;
# All types used for filesystems.
checkfc: add attribute test Enable checkfc to check *_contexts against a set of valid attributes which must be associated with all types in the contexts file that is being checked. Since it's imperative that checkfc knows which file its checking to choose the proper attribute set, the -s option is introduced to indicate the service_contexts file. The property_contexts file continues to use the existing -p and file_contexts requires no specification, aka it's the default. Failure examples: file_contexts: Error: type "init" is not of set: "fs_type, dev_type, file_type" service_contexts: Error: type "init_exec" is not of set: "service_manager_type" property_contexts: Error: type "bluetooth_service" is not of set: "property_type" Change-Id: I62077e4d0760858a9459e753e14dfd209868080f Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-09-25 03:10:54 +02:00
# On change, update CHECK_FC_ASSERT_ATTRS
# definition in tools/checkfc.c.
SE Android policy.
2012-01-04 18:33:27 +01:00
attribute fs_type;
Define contextmount_type attribute and add it to oemfs. Several device-specific policy changes with the same Change-Id also add this attribute to device-specific types. Change-Id: I09e13839b1956f61875a38844fe4fc3c911ea60f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-30 14:49:51 +02:00
# All types used for context= mounts.
attribute contextmount_type;
Add fusefs_type for FUSE filesystems Any FUSE filesystem will receive the 'fuse' type when mounted. It is possible to change this behaviour by specifying the "context=" or "fscontext=" option in mount(). Because 'fuse' has historically been used only for the emulated storage, it also received the 'sdcard_type' attribute. Replace the 'sdcard_type' attribute from 'fuse' with the new 'fusefs_type'. This attribute can be attached on derived types (such as app_fusefs). This change: - Remove the neverallow restriction on this new type. This means any custom FUSE implementation can be mounted/unmounted (if the correct allow rule is added). See domain.te. - Change the attribute of 'fuse' from 'sdcard_type' to 'fusefs_type'. See file.te. - Modify all references to 'sdcard_type' to explicitly include 'fuse' for compatibility reason. Bug: 177481425 Bug: 190804537 Test: Build and boot aosp_cf_x86_64_phone-userdebug Change-Id: Id4e410a049f72647accd4c3cf43eaa55e94c318f
2021-06-23 10:21:49 +02:00
# All types referencing a FUSE filesystem.
# When mounting a new FUSE filesystem, the fscontext= option should be used to
# set a domain-specific type with this attribute. See app_fusefs for an
# example.
attribute fusefs_type;
SE Android policy.
2012-01-04 18:33:27 +01:00
# All types used for files that can exist on a labeled fs.
# Do not use for pseudo file types.
checkfc: add attribute test Enable checkfc to check *_contexts against a set of valid attributes which must be associated with all types in the contexts file that is being checked. Since it's imperative that checkfc knows which file its checking to choose the proper attribute set, the -s option is introduced to indicate the service_contexts file. The property_contexts file continues to use the existing -p and file_contexts requires no specification, aka it's the default. Failure examples: file_contexts: Error: type "init" is not of set: "fs_type, dev_type, file_type" service_contexts: Error: type "init_exec" is not of set: "service_manager_type" property_contexts: Error: type "bluetooth_service" is not of set: "property_type" Change-Id: I62077e4d0760858a9459e753e14dfd209868080f Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-09-25 03:10:54 +02:00
# On change, update CHECK_FC_ASSERT_ATTRS
# definition in tools/checkfc.c.
SE Android policy.
2012-01-04 18:33:27 +01:00
attribute file_type;
# All types used for domain entry points.
attribute exec_type;
# All types used for /data files.
attribute data_file_type;
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
expandattribute data_file_type false;
Ban vendor components access to core data types Vendor and system components are only allowed to share files by passing open FDs over HIDL. Ban all directory access and all file accesses other than what can be applied to an open file: stat/read/write/append. This commit marks core data types as core_data_file_type and bans access to non-core domains with an exemption for apps. A temporary exemption is also granted to domains that currently rely on access with TODOs and bug number for each exemption. Bug: 34980020 Test: Build and boot Marlin. Make phone call, watch youtube video. No new denials observed. Change-Id: I320dd30f9f0a5bf2f9bb218776b4bccdb529b197
2017-03-28 07:44:40 +02:00
# All types in /data, not in /data/vendor
attribute core_data_file_type;
Test that /data is properly labeled Data outside of /data/vendor should have the core_data_file_type. Exempt data_between_core_and_vendor for some types. Ensure core_data_file_type and coredomain_socket do not get expanded to their underlying types. Test: build sepolicy for all targets in master (this is a build time test) Bug: 34980020 Change-Id: I59387a87875f4603a001fb03f22fa31cae84bf5a (cherry picked from commit bdd454792d52719f3b8b1fe8c3fd08cb13a393f1)
2018-01-24 16:01:13 +01:00
expandattribute core_data_file_type false;
Introduce system_file_type system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 19:21:37 +02:00
Exempt app_data_file_type from neverallow rules. We need to be able to access app data files from core domains such as installd even for vendor apps. Those file types should not be core_data_file_type, so we explicitly exempty app_data_file_type as well as core_data_file_type from the relevant neverallows. To prevent misuse of the attribute, add a test to check it is not applied to anything in file_contexts. Exempt the existing violators in system policy for now. Test: Builds Test: Adding a type with just "file_type, data_file_type, app_data_file_type" works Test: New test successfully catches violators. Bug: 171795911 Change-Id: I07bf3ec3db615f8b7a33d8235da5e6d8e2508975
2020-11-12 19:08:18 +01:00
# All types used for app private data files in seapp_contexts.
# Such types should not be applied to any other files.
Introduce app_data_file_type attribute. This gives us an easy way for the policy to refer to all existing or future types used for app private data files in type= assignments in seapp_contexts. Apply the label to all the existing types, then refactor rules to use the new attribute. This is intended as a pure refactoring, except that: - Some neverallow rules are extended to cover types they previous omitted; - We allow iorap_inode2filename limited access to shell_data_file and nfc_data_file; - We allow zygote limited access to system_app_data_file. This mostly reverts the revert in commit b01e1d97bf1320d54c8641cfff687f13f32013bf, restoring commit 27e0c740f1894e9a390b7105255eb29401d25c35. Changes to check_seapp to enforce use of app_data_file_type is omitted, to be included in a following CL. Test: Presubmits Bug: 171795911 Change-Id: I02b31e7b3d5634c94763387284b5a154fe5b71b4
2020-10-27 18:35:33 +01:00
attribute app_data_file_type;
expandattribute app_data_file_type false;
Introduce system_file_type system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 19:21:37 +02:00
# All types in /system
attribute system_file_type;
system_dlkm: sepolicy: add system_dlkm_file_type Add new attribute system_dlkm_file_type for /system_dlkm partition files. Bug: 218392646 Bug: 200082547 Test: TH Signed-off-by: Ramji Jiyani <ramjiyani@google.com> Change-Id: I193c3f1270f7a1b1259bc241def3fe51d77396f3
2022-02-10 01:35:54 +01:00
# All types in /system_dlkm
attribute system_dlkm_file_type;
sepolicy: relabel /vendor The CL splits /vendor labeling from /system. Which was allowing all processes read, execute access to /vendor. Following directories will remain world readable /vendor/etc /vendor/lib(64)/hw/ Following are currently world readable but their scope will be minimized to platform processes that require access /vendor/app /vendor/framework/ /vendor/overlay Files labelled with 'same_process_hal_file' are allowed to be read + executed from by the world. This is for Same process HALs and their dependencies. Bug: 36527360 Bug: 36832490 Bug: 36681210 Bug: 36680116 Bug: 36690845 Bug: 36697328 Bug: 36696623 Bug: 36806861 Bug: 36656392 Bug: 36696623 Bug: 36792803 All of the tests were done on sailfish, angler, bullhead, dragon Test: Boot and connect to wifi Test: Run chrome and load websites, play video in youtube, load maps w/ current location, take pictures and record video in camera, playback recorded video. Test: Connect to BT headset and ensure BT audio playback works. Test: OTA sideload using recovery Test: CTS SELinuxHostTest pass Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029 Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-02 02:17:12 +02:00
# All types in /vendor
attribute vendor_file_type;
proc_type attribute for files under /proc. With this attribute it will be easier to reference /proc files. Bug: 74182216 Test: policy builds Change-Id: I5b7da508d821e45f122832261a742a201e8fdf2c
2018-02-16 03:07:18 +01:00
# All types used for procfs files.
attribute proc_type;
Never expand proc_type attribute It's used in build-time tests and in CTS. Bug: 78898770 Test: build user-build Change-Id: I254bf4d7ed0c0cb029b55110ceec982b84e4a91b Merged-In: I254bf4d7ed0c0cb029b55110ceec982b84e4a91b
2018-05-01 18:40:33 +02:00
expandattribute proc_type false;
proc_type attribute for files under /proc. With this attribute it will be easier to reference /proc files. Bug: 74182216 Test: policy builds Change-Id: I5b7da508d821e45f122832261a742a201e8fdf2c
2018-02-16 03:07:18 +01:00
Start the process of locking down proc/net Files in /proc/net leak information. This change is the first step in determining which files apps may use, whitelisting benign access, and otherwise removing access while providing safe alternative APIs. To that end, this change: * Introduces the proc_net_type attribute which will assigned to any new SELinux types in /proc/net to avoid removing access to privileged processes. These processes may be evaluated later, but are lower priority than apps. * Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing use by VPN apps. This may be replaced by an alternative API. * Audits all other proc/net access for apps. * Audits proc/net access for other processes which are currently granted broad read access to /proc/net but should not be including storaged, zygote, clatd, logd, preopt2cachename and vold. Bug: 9496886 Bug: 68016944 Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube navigate maps, send text message, make voice call, make video call. Verify no avc "granted" messages in the logs. Test: A few VPN apps including "VPN Monster", "Turbo VPN", and "Freighter". Verify no logspam with the current setup. Test: atest CtsNativeNetTestCases Test: atest netd_integration_test Test: atest QtaguidPermissionTest Test: atest FileSystemPermissionTest Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457 Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457 (cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
2018-04-10 21:47:48 +02:00
# Types in /proc/net, excluding qtaguid types.
# TODO(b/9496886) Lock down access to /proc/net.
# This attribute is used to audit access to proc_net. it is temporary and will
# be removed.
attribute proc_net_type;
expandattribute proc_net_type true;
proc_type attribute for files under /proc. With this attribute it will be easier to reference /proc files. Bug: 74182216 Test: policy builds Change-Id: I5b7da508d821e45f122832261a742a201e8fdf2c
2018-02-16 03:07:18 +01:00
# All types used for sysfs files.
SE Android policy.
2012-01-04 18:33:27 +01:00
attribute sysfs_type;
Stop using the bdev_type and sysfs_block_type SELinux attributes Stop using these SELinux attributes since the apexd and init SELinux policies no longer rely on these attributes. The difference between the previous versions of this patch and the current patch is that the current patch does not remove any SELinux attributes. See also https://android-review.googlesource.com/c/platform/system/sepolicy/+/1850656. See also https://android-review.googlesource.com/c/platform/system/sepolicy/+/1862919. This patch includes a revert of commit 8b2b951349c4 ("Restore permission for shell to list /sys/class/block"). That commit is no longer necessary since it was a bug fix for the introduction of the sysfs_block type. Bug: 202520796 Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd Change-Id: I73e1133af8146c154af95d4b96132e49dbec730c Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-10-08 18:30:42 +02:00
# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
Revert "Remove the bdev_type and sysfs_block_type SELinux attributes" Revert "Remove the bdev_type and sysfs_block_type SELinux attributes" Revert "Remove the bdev_type and sysfs_block_type SELinux attributes" Revert submission 1850578-remove-selinux-bdev-type Reason for revert: DroidMonitor-triggered revert due to breakage, bug b/203480787 BUG: 203480787 Reverted Changes: I263bce9c4:Remove the bdev_type and sysfs_block_type SELinux ... Ibc9039f96:Revert "Add the 'bdev_type' attribute to all block... Ic6ae83576:Remove the bdev_type and sysfs_block_type SELinux ... Ie493022a8:Remove the bdev_type and sysfs_block_type SELinux ... I1f1ca439b:Revert "Add the 'bdev_type' attribute to all block... I283f8676b:Revert "Add the 'bdev_type' attribute to all block... I7c5c242c5:Revert "Add the 'bdev_type' attribute to all block... Id78d8f7dc:Remove the bdev_type and sysfs_block_type SELinux ... I9c4b2c48b:Remove the bdev_type and sysfs_block_type SELinux ... I51e9d384a:Remove the bdev_type and sysfs_block_type SELinux ... I2c414de3b:Remove the sysfs_block_type SELinux attribute Change-Id: I55609803d530772d507d9dca8ba202a96daf24b7
2021-10-19 12:57:42 +02:00
attribute sysfs_block_type;
Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker Add initial support for labeling files on /sys/kernel/debug. The kernel support was added in https://android-review.googlesource.com/122130 but the userspace portion of the change was never completed until now. Start labeling the file /sys/kernel/debug/tracing/trace_marker . This is the trace_marker file, which is written to by almost all processes in Android. Allow global write access to this file. This change should be submitted at the same time as the system/core commit with the same Change-Id as this patch. Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d
2015-12-08 02:02:31 +01:00
# All types use for debugfs files.
attribute debugfs_type;
Revert "Revert "Add neverallows for debugfs access"" This reverts commit e95e0ec0a5f2f6fdf362d14b7960850a05e790b5. Now that b/186727553 is fixed, it should be safe to revert this revert. Test: build Bug: 184381659 Change-Id: Ibea3882296db880f5cafe4f9efa36d79a183c8a1
2021-05-05 07:01:51 +02:00
# All types used for tracefs files.
attribute tracefs_type;
Split internal and external sdcards Two new types are introduced: sdcard_internal sdcard_external The existing type of sdcard, is dropped and a new attribute sdcard_type is introduced. The boolean app_sdcard_rw has also been changed to allow for controlling untrusted_app domain to use the internal and external sdcards. Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5
2013-03-07 01:26:36 +01:00
# Attribute used for all sdcards
attribute sdcard_type;
SE Android policy.
2012-01-04 18:33:27 +01:00
# All types used for nodes/hosts.
attribute node_type;
# All types used for network interfaces.
attribute netif_type;
# All types used for network ports.
attribute port_type;
Add policy for property service. New property_contexts file for property selabel backend. New property.te file with property type declarations. New property_service security class and set permission. Allow rules for setting properties.
2012-04-04 16:11:16 +02:00
# All types used for property service
checkfc: add attribute test Enable checkfc to check *_contexts against a set of valid attributes which must be associated with all types in the contexts file that is being checked. Since it's imperative that checkfc knows which file its checking to choose the proper attribute set, the -s option is introduced to indicate the service_contexts file. The property_contexts file continues to use the existing -p and file_contexts requires no specification, aka it's the default. Failure examples: file_contexts: Error: type "init" is not of set: "fs_type, dev_type, file_type" service_contexts: Error: type "init_exec" is not of set: "service_manager_type" property_contexts: Error: type "bluetooth_service" is not of set: "property_type" Change-Id: I62077e4d0760858a9459e753e14dfd209868080f Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-09-25 03:10:54 +02:00
# On change, update CHECK_PC_ASSERT_ATTRS
# definition in tools/checkfc.c.
Add policy for property service. New property_contexts file for property selabel backend. New property.te file with property type declarations. New property_service security class and set permission. Allow rules for setting properties.
2012-04-04 16:11:16 +02:00
attribute property_type;
Remove property read access for non-core properties Instead of allowing global read access to all properties, only allow read access to the properties which are part of core SELinux policy. Device-specific policies are no longer readable by default and need to be granted in device-specific policy. Grant read-access to any property where the person has write access. In most cases, anyone who wants to write a property needs read access to that property. Change-Id: I2bd24583067b79f31b3bb0940b4c07fc33d09918
2015-12-08 23:45:50 +01:00
# All properties defined in core SELinux policy. Should not be
# used by device specific properties
attribute core_property_type;
limit shell's access to log.* properties Restrict the ability of the shell to set the log.* properties. Namely: only allow the shell to set such properities on eng and userdebug builds. The shell (and other domains) can continue to read log.* properties on all builds. While there: harmonize permissions for log.* and persist.log.tag. Doing so introduces two changes: - log.* is now writable from from |system_app|. This mirrors the behavior of persist.log.tag, which is writable to support "Developer options" -> "Logger buffer sizes" -> "Off". (Since this option is visible on user builds, the permission is enabled for all builds.) - persist.log.tag can now be set from |shell| on userdebug_or_eng(). BUG=28221972 TEST=manual (see below) Testing details - user build (log.tag) $ adb shell setprop log.tag.foo V $ adb shell getprop log.tag <blank line> $ adb bugreport | grep log.tag.foo [ 146.525836] init: avc: denied { set } for property=log.tag.foo pid=4644 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:log_prop:s0 tclass=property_service permissive=0 [ 146.525878] init: sys_prop: permission denied uid:2000 name:log.tag.foo - userdebug build (log.tag) $ adb shell getprop log.tag.foo <blank line> $ adb shell setprop log.tag.foo V $ adb shell getprop log.tag.foo V - user build (persist.log.tag) $ adb shell getprop | grep log.tag <no match> - Developer options -> Logger buffer sizes -> Off $ adb shell getprop | grep log.tag [persist.log.tag]: [Settings] [persist.log.tag.snet_event_log]: [I] Change-Id: Idf00e7a623723a7c46bf6d01e386aeca92b2ad75
2016-04-15 20:10:06 +02:00
# All properties used to configure log filtering.
attribute log_property_type;
add extended_core_property_type The attribute is used to capture system properties added from outside of AOSP (e.g. by OEM), but are not device-specific and thus are used only inside the system partition. Access to the the system properties from outside of the system partition is prevented by the neverallow rule. Bug: 80382020 Bug: 78598545 Test: m -j selinux_policy Merged-In: I22c083dc195dab84c9c21a79fbe3ad823a3bbb46 Change-Id: I22c083dc195dab84c9c21a79fbe3ad823a3bbb46 (cherry picked from commit c0f8f2f82a9526be7c7835f2ef9501948fd5b4ed)
2018-05-30 10:38:09 +02:00
# All properties that are not specific to device but are added from
# outside of AOSP. (e.g. OEM-specific properties)
# These properties are not accessible from device-specific domains
attribute extended_core_property_type;
limit shell's access to log.* properties Restrict the ability of the shell to set the log.* properties. Namely: only allow the shell to set such properities on eng and userdebug builds. The shell (and other domains) can continue to read log.* properties on all builds. While there: harmonize permissions for log.* and persist.log.tag. Doing so introduces two changes: - log.* is now writable from from |system_app|. This mirrors the behavior of persist.log.tag, which is writable to support "Developer options" -> "Logger buffer sizes" -> "Off". (Since this option is visible on user builds, the permission is enabled for all builds.) - persist.log.tag can now be set from |shell| on userdebug_or_eng(). BUG=28221972 TEST=manual (see below) Testing details - user build (log.tag) $ adb shell setprop log.tag.foo V $ adb shell getprop log.tag <blank line> $ adb bugreport | grep log.tag.foo [ 146.525836] init: avc: denied { set } for property=log.tag.foo pid=4644 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:log_prop:s0 tclass=property_service permissive=0 [ 146.525878] init: sys_prop: permission denied uid:2000 name:log.tag.foo - userdebug build (log.tag) $ adb shell getprop log.tag.foo <blank line> $ adb shell setprop log.tag.foo V $ adb shell getprop log.tag.foo V - user build (persist.log.tag) $ adb shell getprop | grep log.tag <no match> - Developer options -> Logger buffer sizes -> Off $ adb shell getprop | grep log.tag [persist.log.tag]: [Settings] [persist.log.tag.snet_event_log]: [I] Change-Id: Idf00e7a623723a7c46bf6d01e386aeca92b2ad75
2016-04-15 20:10:06 +02:00
Add attributes for exported properties This introduces some attributes that can be used to restrict access to exported properties so that one can easily check from which the properties can be accessed, and that OEMs can extend their own exported properties. Bug: 71814576 Bug: 131162102 Test: boot aosp_cf_x86_phone-userdebug Test: logcat | grep "avc: " Change-Id: I6f988ec1cb94fa64563ca6cb91b7702da5d604e3
2019-09-09 12:46:15 +02:00
# Properties used for representing ownership. All properties should have one
# of: system_property_type, product_property_type, or vendor_property_type.
# All properties defined by /system.
attribute system_property_type;
Set expandattribute false for property attributes To prevent these from being optimized away. Bug: 161083890 Test: m selinux_policy Change-Id: Ic587df21390f6ca553bf6be9ba77685f8c048ebf
2020-09-15 05:22:44 +02:00
expandattribute system_property_type false;
Add attributes for exported properties This introduces some attributes that can be used to restrict access to exported properties so that one can easily check from which the properties can be accessed, and that OEMs can extend their own exported properties. Bug: 71814576 Bug: 131162102 Test: boot aosp_cf_x86_phone-userdebug Test: logcat | grep "avc: " Change-Id: I6f988ec1cb94fa64563ca6cb91b7702da5d604e3
2019-09-09 12:46:15 +02:00
# All /system-defined properties used only in /system.
attribute system_internal_property_type;
Set expandattribute false for property attributes To prevent these from being optimized away. Bug: 161083890 Test: m selinux_policy Change-Id: Ic587df21390f6ca553bf6be9ba77685f8c048ebf
2020-09-15 05:22:44 +02:00
expandattribute system_internal_property_type false;
Add attributes for exported properties This introduces some attributes that can be used to restrict access to exported properties so that one can easily check from which the properties can be accessed, and that OEMs can extend their own exported properties. Bug: 71814576 Bug: 131162102 Test: boot aosp_cf_x86_phone-userdebug Test: logcat | grep "avc: " Change-Id: I6f988ec1cb94fa64563ca6cb91b7702da5d604e3
2019-09-09 12:46:15 +02:00
# All /system-defined properties which can't be written outside /system.
attribute system_restricted_property_type;
Set expandattribute false for property attributes To prevent these from being optimized away. Bug: 161083890 Test: m selinux_policy Change-Id: Ic587df21390f6ca553bf6be9ba77685f8c048ebf
2020-09-15 05:22:44 +02:00
expandattribute system_restricted_property_type false;
Add attributes for exported properties This introduces some attributes that can be used to restrict access to exported properties so that one can easily check from which the properties can be accessed, and that OEMs can extend their own exported properties. Bug: 71814576 Bug: 131162102 Test: boot aosp_cf_x86_phone-userdebug Test: logcat | grep "avc: " Change-Id: I6f988ec1cb94fa64563ca6cb91b7702da5d604e3
2019-09-09 12:46:15 +02:00
# All /system-defined properties with no restrictions.
attribute system_public_property_type;
Set expandattribute false for property attributes To prevent these from being optimized away. Bug: 161083890 Test: m selinux_policy Change-Id: Ic587df21390f6ca553bf6be9ba77685f8c048ebf
2020-09-15 05:22:44 +02:00
expandattribute system_public_property_type false;
Add attributes for exported properties This introduces some attributes that can be used to restrict access to exported properties so that one can easily check from which the properties can be accessed, and that OEMs can extend their own exported properties. Bug: 71814576 Bug: 131162102 Test: boot aosp_cf_x86_phone-userdebug Test: logcat | grep "avc: " Change-Id: I6f988ec1cb94fa64563ca6cb91b7702da5d604e3
2019-09-09 12:46:15 +02:00
Add libselinux keystore_key backend. We add a new back end for SELinux based keystore2_key namespaces. This patch adds the rump policy and build system infrastructure for installing keystore2_key context files on the target devices. Bug: 158500146 Bug: 159466840 Test: None Change-Id: I423c9e68ad259926e4a315d052dfda97fa502106 Merged-In: I423c9e68ad259926e4a315d052dfda97fa502106
2020-07-25 22:02:29 +02:00
# All keystore2_key labels.
attribute keystore2_key_type;
Add attributes for exported properties This introduces some attributes that can be used to restrict access to exported properties so that one can easily check from which the properties can be accessed, and that OEMs can extend their own exported properties. Bug: 71814576 Bug: 131162102 Test: boot aosp_cf_x86_phone-userdebug Test: logcat | grep "avc: " Change-Id: I6f988ec1cb94fa64563ca6cb91b7702da5d604e3
2019-09-09 12:46:15 +02:00
# All properties defined by /product.
# Currently there are no enforcements between /system and /product, so for now
# /product attributes are just replaced to /system attributes.
define(`product_property_type', `system_property_type')
Fix product property type macros Bug: N/A Test: build with product_*_prop(...) Change-Id: Iac906b41ec69023abd41881462f09e268944816b
2020-08-25 09:38:13 +02:00
define(`product_internal_property_type', `system_internal_property_type')
define(`product_restricted_property_type', `system_restricted_property_type')
define(`product_public_property_type', `system_public_property_type')
Add attributes for exported properties This introduces some attributes that can be used to restrict access to exported properties so that one can easily check from which the properties can be accessed, and that OEMs can extend their own exported properties. Bug: 71814576 Bug: 131162102 Test: boot aosp_cf_x86_phone-userdebug Test: logcat | grep "avc: " Change-Id: I6f988ec1cb94fa64563ca6cb91b7702da5d604e3
2019-09-09 12:46:15 +02:00
# All properties defined by /vendor.
attribute vendor_property_type;
Set expandattribute false for property attributes To prevent these from being optimized away. Bug: 161083890 Test: m selinux_policy Change-Id: Ic587df21390f6ca553bf6be9ba77685f8c048ebf
2020-09-15 05:22:44 +02:00
expandattribute vendor_property_type false;
Add attributes for exported properties This introduces some attributes that can be used to restrict access to exported properties so that one can easily check from which the properties can be accessed, and that OEMs can extend their own exported properties. Bug: 71814576 Bug: 131162102 Test: boot aosp_cf_x86_phone-userdebug Test: logcat | grep "avc: " Change-Id: I6f988ec1cb94fa64563ca6cb91b7702da5d604e3
2019-09-09 12:46:15 +02:00
# All /vendor-defined properties used only in /vendor.
attribute vendor_internal_property_type;
Set expandattribute false for property attributes To prevent these from being optimized away. Bug: 161083890 Test: m selinux_policy Change-Id: Ic587df21390f6ca553bf6be9ba77685f8c048ebf
2020-09-15 05:22:44 +02:00
expandattribute vendor_internal_property_type false;
Add attributes for exported properties This introduces some attributes that can be used to restrict access to exported properties so that one can easily check from which the properties can be accessed, and that OEMs can extend their own exported properties. Bug: 71814576 Bug: 131162102 Test: boot aosp_cf_x86_phone-userdebug Test: logcat | grep "avc: " Change-Id: I6f988ec1cb94fa64563ca6cb91b7702da5d604e3
2019-09-09 12:46:15 +02:00
# All /vendor-defined properties which can't be written outside /vendor.
attribute vendor_restricted_property_type;
Set expandattribute false for property attributes To prevent these from being optimized away. Bug: 161083890 Test: m selinux_policy Change-Id: Ic587df21390f6ca553bf6be9ba77685f8c048ebf
2020-09-15 05:22:44 +02:00
expandattribute vendor_restricted_property_type false;
Add attributes for exported properties This introduces some attributes that can be used to restrict access to exported properties so that one can easily check from which the properties can be accessed, and that OEMs can extend their own exported properties. Bug: 71814576 Bug: 131162102 Test: boot aosp_cf_x86_phone-userdebug Test: logcat | grep "avc: " Change-Id: I6f988ec1cb94fa64563ca6cb91b7702da5d604e3
2019-09-09 12:46:15 +02:00
# All /vendor-defined properties with no restrictions.
attribute vendor_public_property_type;
Set expandattribute false for property attributes To prevent these from being optimized away. Bug: 161083890 Test: m selinux_policy Change-Id: Ic587df21390f6ca553bf6be9ba77685f8c048ebf
2020-09-15 05:22:44 +02:00
expandattribute vendor_public_property_type false;
Add attributes for exported properties This introduces some attributes that can be used to restrict access to exported properties so that one can easily check from which the properties can be accessed, and that OEMs can extend their own exported properties. Bug: 71814576 Bug: 131162102 Test: boot aosp_cf_x86_phone-userdebug Test: logcat | grep "avc: " Change-Id: I6f988ec1cb94fa64563ca6cb91b7702da5d604e3
2019-09-09 12:46:15 +02:00
Enforce more specific service access. Move the remaining services from tmp_system_server_service to appropriate attributes and remove tmp_system_server and associated logging: registry restrictions rttmanager scheduling_policy search sensorservice serial servicediscovery statusbar task textservices telecom_service trust_service uimode updatelock usagestats usb user vibrator voiceinteraction wallpaper webviewupdate wifip2p wifi window Bug: 18106000 Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0
2015-04-09 00:12:24 +02:00
# All service_manager types created by system_server
Add system_api_service and app_api_service attributes. System services differ in designed access level. Add attributes reflecting this distinction and label services appropriately. Begin moving access to the newly labeled services by removing them from tmp_system_server_service into the newly made system_server_service attribute. Reflect the move of system_server_service from a type to an attribute by removing access to system_server_service where appropriate. Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b
2015-04-03 01:50:08 +02:00
attribute system_server_service;
# services which should be available to all but isolated apps
attribute app_api_service;
Start locking down access to services from ephemeral apps This starts with the reduction in the number of services that ephemeral apps can access. Prior to this commit, ephemeral apps were permitted to access most of the service_manager services accessible by conventional apps. This commit reduces this set by removing access from ephemeral apps to: * gatekeeper_service, * sec_key_att_app_id_provider_service, * wallpaper_service, * wifiaware_service, * wifip2p_service, * wifi_service. Test: Device boots up fine, Chrome, Play Movies, YouTube, Netflix, work fine. Bug: 33349998 Change-Id: Ie4ff0a77eaca8c8c91efda198686c93c3a2bc4b3
2017-02-28 22:59:06 +01:00
# services which should be available to all ephemeral apps
attribute ephemeral_app_api_service;
Add system_api_service and app_api_service attributes. System services differ in designed access level. Add attributes reflecting this distinction and label services appropriately. Begin moving access to the newly labeled services by removing them from tmp_system_server_service into the newly made system_server_service attribute. Reflect the move of system_server_service from a type to an attribute by removing access to system_server_service where appropriate. Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b
2015-04-03 01:50:08 +02:00
# services which export only system_api
attribute system_api_service;
Make system_server_service an attribute. Temporarily give every system_server_service its own domain in preparation for splitting it and identifying special services or classes of services. Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
2014-12-17 00:45:26 +01:00
untrusted_apps: AIDL vendor service parity w/ HIDL Before, we completely dissallowed any untrusted app to access a service operated by vendor. However, sometimes this is needed in order to implement platform APIs. So now, vendor services which aren't explicitly marked as 'protected_service' (like protected_hwservice in HIDL) are blocked from being used by apps. This gives everyone a mechanism for apps to directly access vendor services, when appropriate. For instance: VINTF | vendor.img/etc | system.img/etc | (vendor HAL) <----AIDL---|--> (public lib <-- loaded by app | or platform | component) | | Fixes: 163478173 Test: neverallow compiles Change-Id: Ie2ccbff4691eafdd226e66bd9f1544be1091ae11
2020-10-21 23:47:00 +02:00
# services which are explicitly disallowed for untrusted apps to access
attribute protected_service;
Remove vintf_service. The only distinction that matters for security is if a service is served by vendor or not AND which process is allowed to talk to which. coredomain is allowed to talk to vintf_service OR vendor_service, it's just that for a non-@VintfStability service user-defined APIs (as opposed to pingBinder/dump) are restricted. Bug: 136027762 Test: N/A Change-Id: If3b047d65ed65e9ee7f9dc69a21b7e23813a7789
2019-08-28 20:28:55 +02:00
# services which served by vendor and also using the copy of libbinder on
# system (for instance via libbinder_ndk). services using a different copy
# of libbinder currently need their own context manager (e.g.
Clarify vendor_service/vintf_service. These attributes are intended to be used w/ services using the system copy of libbinder (for vendor, this is libbinder_ndk). Switching vndservicemanager users using the libbinder copy of vendor to be able to use the system copy of libbinder for registration is an open problem. Bug: 136027762 Test: N/A Change-Id: I1d70380edcb39ca8ef2cb98c25617701b67ba7e1
2019-08-28 00:37:11 +02:00
# vndservicemanager)
Reland "Re-open /dev/binder access to all." This reverts commit 6b2eaade8201e49a746173ff13f9bd89f024eb81. Reason for revert: reland original CL Separate runtime infrastructure now makes sure that only Stable AIDL interfaces are used system<->vendor. Bug: 136027762 Change-Id: Id5ba44c36a724e2721617de721f7cffbd3b1d7b6 Test: boot device, use /dev/binder from vendor
2019-08-21 00:42:58 +02:00
attribute vendor_service;
Add new classes and types for (hw|vnd)servicemanager. Bug: 34454312 Bug: 36052864 Test: device boots, works Change-Id: If61d9b736a74c5944cef4449de4dfbaf78d9ccfa
2017-04-06 18:24:41 +02:00
# All types used for services managed by servicemanager.
checkfc: add attribute test Enable checkfc to check *_contexts against a set of valid attributes which must be associated with all types in the contexts file that is being checked. Since it's imperative that checkfc knows which file its checking to choose the proper attribute set, the -s option is introduced to indicate the service_contexts file. The property_contexts file continues to use the existing -p and file_contexts requires no specification, aka it's the default. Failure examples: file_contexts: Error: type "init" is not of set: "fs_type, dev_type, file_type" service_contexts: Error: type "init_exec" is not of set: "service_manager_type" property_contexts: Error: type "bluetooth_service" is not of set: "property_type" Change-Id: I62077e4d0760858a9459e753e14dfd209868080f Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-09-25 03:10:54 +02:00
# On change, update CHECK_SC_ASSERT_ATTRS
# definition in tools/checkfc.c.
Add SELinux rules for service_manager. Add a service_mananger class with the verb add. Add a type that groups the services for each of the processes that is allowed to start services in service.te and an attribute for all services controlled by the service manager. Add the service_contexts file which maps service name to target label. Bug: 12909011 Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
2014-06-06 00:52:02 +02:00
attribute service_manager_type;
Add new classes and types for (hw|vnd)servicemanager. Bug: 34454312 Bug: 36052864 Test: device boots, works Change-Id: If61d9b736a74c5944cef4449de4dfbaf78d9ccfa
2017-04-06 18:24:41 +02:00
# All types used for services managed by hwservicemanager
attribute hwservice_manager_type;
Assert apps can access only approved HwBinder services App domains which host arbitrary code must not have access to arbitrary HwBinder services. Such access unnecessarily increases the attack surface. The reason is twofold: 1. HwBinder servers do not perform client authentication because HIDL currently does not expose caller UID information and, even if it did, many HwBinder services either operate at a layer below that of apps (e.g., HALs) or must not rely on app identity for authorization. Thus, to be safe, the default assumption is that a HwBinder service treats all its clients as equally authorized to perform operations offered by the service. 2. HAL servers (a subset of HwBinder services) contain code with higher incidence rate of security issues than system/core components and have access to lower layes of the stack (all the way down to hardware) thus increasing opportunities for bypassing the Android security model. HwBinder services offered by core components (as opposed to vendor components) are considered safer because of point #2 above. Always same-process aka always-passthrough HwBinder services are considered safe for access by these apps. This is because these HALs by definition do not offer any additional access beyond what its client already as, because these services run in the process of the client. This commit thus introduces these two categories of HwBinder services in neverallow rules. Test: mmm system/sepolicy -- this does not change on-device policy Bug: 34454312 Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d
2017-04-22 02:06:43 +02:00
# All HwBinder services guaranteed to be passthrough. These services always run
# in the process of their clients, and thus operate with the same access as
# their clients.
attribute same_process_hwservice;
# All HwBinder services guaranteed to be offered only by core domain components
attribute coredomain_hwservice;
Access to HALs from untrusted apps is blacklist-based Before this change, access to HALs from untrusted apps was prohibited except for the whitelisted ones like the gralloc HAL, the renderscript HAL, etc. As a result, any HAL that is added by partners can't be accessed from apps. This sometimes is a big restriction for them when they want to access their own HALs in the same-process HALs running in apps. Although this is a vendor-to-vendor communication and thus is not a Treble violation, that was not allowed because their HALs are not in the whitelist in AOSP. This change fixes the problem by doing the access control in the opposite way; access to HALs are restricted only for the blacklisted ones. All the hwservice context that were not in the whitelist are now put to blacklist. This change also removes the neverallow rule for the binder access to the halserverdomain types. This is not needed as the protected hwservices living in the HAL processes are already not accessible; we have a neverallow rule for preventing hwservice_manager from finding those protected hwservices from untrusted apps. Bug: 139645938 Test: m Merged-In: I1e63c11143f56217eeec05e2288ae7c91e5fe585 (cherry picked from commit 580375c923d422ebf40264b0649a08488fde320c) Change-Id: I4e611091a315ca90e3c181f77dd6a5f61d3a6468
2019-08-21 17:04:50 +02:00
# All HwBinder services that untrusted apps can't directly access
attribute protected_hwservice;
Add new classes and types for (hw|vnd)servicemanager. Bug: 34454312 Bug: 36052864 Test: device boots, works Change-Id: If61d9b736a74c5944cef4449de4dfbaf78d9ccfa
2017-04-06 18:24:41 +02:00
# All types used for services managed by vndservicemanager
attribute vndservice_manager_type;
SE Android policy.
2012-01-04 18:33:27 +01:00
# All domains that can override MLS restrictions.
# i.e. processes that can read up and write down.
attribute mlstrustedsubject;
# All types that can override MLS restrictions.
# i.e. files that can be read by lower and written by higher
attribute mlstrustedobject;
# All domains used for apps.
attribute appdomain;
Clarify comments on 3rd party app attributes. Certain classes of 3rd party apps aren't untrusted_app_domain, but some comments surrounding this are either outdated or wrong. Bug: 168753404 Test: N/A Change-Id: I019c16e26a3778536132f22c37fbea5ae7781af4
2020-09-17 19:15:26 +02:00
# All third party apps (except isolated_app and ephemeral_app)
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083
2017-02-13 22:33:27 +01:00
attribute untrusted_app_all;
SE Android policy.
2012-01-04 18:33:27 +01:00
# All domains used for apps with network access.
attribute netdomain;
# All domains used for apps with bluetooth access.
attribute bluetoothdomain;
# All domains used for binder service domains.
attribute binderservicedomain;
Move boot_control HAL permissions to an attribute. The boot_control HAL is library loaded by our daemons (like update_engine and update_verifier) that interacts with the bootloader. The actual implementation of this library is provided by the vendor and its runtime permissions are tied to this implementation which varies a lot based on how the bootloader and the partitions it uses are structured. This patch moves these permissions to an attribute so the attribute can be expanded on each device without the need to repeat that on each one of our daemons using the boot_control HAL. Bug: 27107517 Change-Id: Idfe6a208720b49802b03f70fee4a3e73030dae2e
2016-04-22 22:23:36 +02:00
bpfdomain: attribute for domain which can use BPF Require all domains which can be used for BPF to be marked as bpfdomain, and add a restriction for these domains to not be able to use net_raw or net_admin. We want to make sure the network stack has exclusive access to certain BPF attach points. Bug: 140330870 Bug: 162057235 Test: build (compile-time neverallows) Change-Id: I29100e48a757fdcf600931d5eb42988101275325
2022-02-10 01:32:44 +01:00
# All domains which have BPF access.
attribute bpfdomain;
expandattribute bpfdomain false;
Allow executing update_engine_sideload from recovery. The recovery flow for A/B devices allows to sideload an OTA downloaded to a desktop and apply from recovery. This patch allows the "recovery" context to perform all the operations required to apply an update as update_engine would do in the background. These rules are now extracted into a new attributte called update_engine_common shared between recovery and update_engine. Bug: 27178350 Change-Id: I97b301cb2c039fb002e8ebfb23c3599463ced03a
2016-08-04 05:31:37 +02:00
# update_engine related domains that need to apply an update and run
# postinstall. This includes the background daemon and the sideload tool from
# recovery for A/B devices.
attribute update_engine_common;
Move hal_light to attribute. HAL policy defines how the platform and a given HAL interact, but not how the HAL is implemented. This policy should be represented as an attribute that all processes implementing the HAL can include. Bug: 32123421 Test: Builds. Change-Id: I17e5612c0835773c28e14f09e2ce7bdc3f210c15
2016-11-15 19:05:55 +01:00
Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-23 22:27:32 +01:00
# All core domains (as opposed to vendor/device-specific domains)
attribute coredomain;
Add attribute for all vendor hwservice. Bug: 159707777 Test: make Change-Id: Ie3ab6d362b970ae8a9f0a8f1c0109bf03d521ce0
2020-09-25 22:33:02 +02:00
# All vendor hwservice.
attribute vendor_hwservice_type;
Tighten restrictions on core <-> vendor socket comms This futher restricts neverallows for sockets which may be exposed as filesystem nodes. This is achieved by labelling all such sockets created by core/non-vendor domains using the new coredomain_socket attribute, and then adding neverallow rules targeting that attribute. This has now effect on what domains are permitted to do. This only changes neverallow rules. Test: mmm system/sepolicy Bug: 36577153 (cherry picked from commit cf2ffdf0d86f485dfff05a2f13819997bfd462e1) Change-Id: Iffeee571a2ff61fb9515fa6849d060649636524e
2017-03-31 02:39:00 +02:00
# All socket devices owned by core domain components
attribute coredomain_socket;
Test that /data is properly labeled Data outside of /data/vendor should have the core_data_file_type. Exempt data_between_core_and_vendor for some types. Ensure core_data_file_type and coredomain_socket do not get expanded to their underlying types. Test: build sepolicy for all targets in master (this is a build time test) Bug: 34980020 Change-Id: I59387a87875f4603a001fb03f22fa31cae84bf5a (cherry picked from commit bdd454792d52719f3b8b1fe8c3fd08cb13a393f1)
2018-01-24 16:01:13 +01:00
expandattribute coredomain_socket false;
Tighten restrictions on core <-> vendor socket comms This futher restricts neverallows for sockets which may be exposed as filesystem nodes. This is achieved by labelling all such sockets created by core/non-vendor domains using the new coredomain_socket attribute, and then adding neverallow rules targeting that attribute. This has now effect on what domains are permitted to do. This only changes neverallow rules. Test: mmm system/sepolicy Bug: 36577153 (cherry picked from commit cf2ffdf0d86f485dfff05a2f13819997bfd462e1) Change-Id: Iffeee571a2ff61fb9515fa6849d060649636524e
2017-03-31 02:39:00 +02:00
Ban socket connections between core and vendor On PRODUCT_FULL_TREBLE devices, non-vendor domains (coredomain) and vendor domain are not permitted to connect to each other's sockets. There are two main exceptions: (1) apps are permitted to talk to other apps over Unix domain sockets (this is public API in Android framework), and (2) domains with network access (netdomain) are permitted to connect to netd. This commit thus: * adds neverallow rules restricting socket connection establishment, * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "socket_between_core_and_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Bug: 36613996 Change-Id: I458f5a09a964b06ad2bddb52538ec3a15758b003
2017-03-25 00:07:35 +01:00
# All vendor domains which violate the requirement of not using sockets for
# communicating with core components
# TODO(b/36577153): Remove this once there are no violations
attribute socket_between_core_and_vendor_violators;
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
expandattribute socket_between_core_and_vendor_violators false;
Ban socket connections between core and vendor On PRODUCT_FULL_TREBLE devices, non-vendor domains (coredomain) and vendor domain are not permitted to connect to each other's sockets. There are two main exceptions: (1) apps are permitted to talk to other apps over Unix domain sockets (this is public API in Android framework), and (2) domains with network access (netdomain) are permitted to connect to netd. This commit thus: * adds neverallow rules restricting socket connection establishment, * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "socket_between_core_and_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Bug: 36613996 Change-Id: I458f5a09a964b06ad2bddb52538ec3a15758b003
2017-03-25 00:07:35 +01:00
Add vendor_executes_system_violators attribute Temporary attribute (checked against in CTS) to point out vendor processes that run /system executables. These are currently only down to 2-3 of them that are related to telephony on sailfish Bug: 36463595 Test: Build succeeds for sailfish Test: ./cts-tradefed run cts -m CtsSecurityHostTestCases -t \ android.security.cts.SELinuxHostTest#testNoExemptionsForVendorExecutingCore \ --skip-device-info --skip-preconditions --skip-connectivity-check \ --abi arm64-v8a Change-Id: I9eb40ad259aefba73869d6a1b40186d33fa475dd Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-15 06:26:57 +02:00
# All vendor domains which violate the requirement of not executing
# system processes
# TODO(b/36463595)
attribute vendor_executes_system_violators;
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
expandattribute vendor_executes_system_violators false;
Add vendor_executes_system_violators attribute Temporary attribute (checked against in CTS) to point out vendor processes that run /system executables. These are currently only down to 2-3 of them that are related to telephony on sailfish Bug: 36463595 Test: Build succeeds for sailfish Test: ./cts-tradefed run cts -m CtsSecurityHostTestCases -t \ android.security.cts.SELinuxHostTest#testNoExemptionsForVendorExecutingCore \ --skip-device-info --skip-preconditions --skip-connectivity-check \ --abi arm64-v8a Change-Id: I9eb40ad259aefba73869d6a1b40186d33fa475dd Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-15 06:26:57 +02:00
Start tracking platform/vendor data access violations As part of Treble, enforce that the communication between platform and vendor components use the official hw binder APIs. Prevent sharing of data by file path. Platform and vendor components may share files, but only via FD passed over hw binder. This change adds the violators attribute that will be used to mark violating domains that need to be fixed. Bug: 34980020 Test: build Change-Id: Id9acfbbc86bfd6fd0633b8164a37ce94d25ffa2c
2017-10-17 22:07:54 +02:00
# All domains which violate the requirement of not sharing files by path
# between between vendor and core domains.
# TODO(b/34980020)
attribute data_between_core_and_vendor_violators;
expandattribute data_between_core_and_vendor_violators false;
Introduce system_executes_vendor_violators attribute. We use this attribute to annotate coredomains that execute vendor code in a Treble-violating way. Bug: 62041836 Test: sepolicy builds Change-Id: Ie6052209b3901eaad8496b8fc9681421d7ee3c1c
2017-12-21 00:38:35 +01:00
# All system domains which violate the requirement of not executing vendor
# binaries/libraries.
# TODO(b/62041836)
attribute system_executes_vendor_violators;
expandattribute system_executes_vendor_violators false;
neverallow coredomain from writing vendor properties System properties can be abused to get around Treble requirements of having a clean system/vendor split. This CL seeks to prevent that by neverallowing coredomain from writing vendor properties. Bug: 78598545 Test: build 2017 Pixels Test: build aosp_arm64 Change-Id: I5e06894150ba121624d753228e550ba9b81f7677 (cherry picked from commit cdb1624c27e51ee85b6a4ea6ebd529bd0e07648f)
2018-05-02 00:15:16 +02:00
# All system domains which violate the requirement of not writing vendor
# properties.
# TODO(b/78598545): Remove this once there are no violations
attribute system_writes_vendor_properties_violators;
expandattribute system_writes_vendor_properties_violators false;
system_writes_mnt_vendor_violators for device launched before P. In cases when a device upgrades to system-as-root from O to P, it needs a mount point for an already existing partition that is accessed by both system and vendor. Devices launching with P must not have /mnt/vendor accessible to system. Bug: 78598545 Test: m selinx_policy Change-Id: Ia7bcde44e2b8657a7ad9e0d9bae7a7259f40936f
2018-09-18 04:17:41 +02:00
# All system domains which violate the requirement of not writing to
# /mnt/vendor/*. Must not be used on devices launched with P or later.
attribute system_writes_mnt_vendor_violators;
expandattribute system_writes_mnt_vendor_violators false;
Remove neverallow preventing hwservice access for apps. Same-process HALs are forbidden except for very specific HALs that have been provided and whitelisted by AOSP. As a result, a vendor extension HAL may have a need to be accessed by untrusted_app. This is still discouraged, and the existing AOSP hwservices are still forbidden, but remove the blanket prohibition. Also indicate that this is temporary, and that partners should expect to get exceptions to the rule into AOSP in the future. Bug: 62806062 Test: neverallow-only change builds. Verify new attribute is in policy. Change-Id: I6d3e659147d509a3503c2c9e0b6bb9016cc75832
2017-06-21 19:00:32 +02:00
# hwservices that are accessible from untrusted applications
# WARNING: Use of this attribute should be avoided unless
# absolutely necessary. It is a temporary allowance to aid the
# transition to treble and will be removed in a future platform
# version, requiring all hwservices that are labeled with this
# attribute to be submitted to AOSP in order to maintain their
# app-visibility.
Rename untrusted_app_visible_*' to include 'violators'. Bug: 110887137 Test: Flash new system policy onto a device with vendor policy that uses untrusted_app_visible_* attributes, and check that old and new attributes are applied to exactly same types. Change-Id: Ibee0ec645878fcc8c93cd0fbd169a8d45129d79e Merged-In: Ibee0ec645878fcc8c93cd0fbd169a8d45129d79e (cherry picked from commit 7abca51d198b721eb217db89aed4256887a7b9d1)
2018-07-29 01:48:06 +02:00
attribute untrusted_app_visible_hwservice_violators;
expandattribute untrusted_app_visible_hwservice_violators false;
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
# halserver domains that are accessible to untrusted applications. These
# domains are typically those hosting hwservices attributed by the
Rename untrusted_app_visible_*' to include 'violators'. Bug: 110887137 Test: Flash new system policy onto a device with vendor policy that uses untrusted_app_visible_* attributes, and check that old and new attributes are applied to exactly same types. Change-Id: Ibee0ec645878fcc8c93cd0fbd169a8d45129d79e Merged-In: Ibee0ec645878fcc8c93cd0fbd169a8d45129d79e (cherry picked from commit 7abca51d198b721eb217db89aed4256887a7b9d1)
2018-07-29 01:48:06 +02:00
# untrusted_app_visible_hwservice_violators.
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
# WARNING: Use of this attribute should be avoided unless absolutely necessary.
# It is a temporary allowance to aid the transition to treble and will be
# removed in the future platform version, requiring all halserver domains that
# are labeled with this attribute to be submitted to AOSP in order to maintain
# their app-visibility.
Rename untrusted_app_visible_*' to include 'violators'. Bug: 110887137 Test: Flash new system policy onto a device with vendor policy that uses untrusted_app_visible_* attributes, and check that old and new attributes are applied to exactly same types. Change-Id: Ibee0ec645878fcc8c93cd0fbd169a8d45129d79e Merged-In: Ibee0ec645878fcc8c93cd0fbd169a8d45129d79e (cherry picked from commit 7abca51d198b721eb217db89aed4256887a7b9d1)
2018-07-29 01:48:06 +02:00
attribute untrusted_app_visible_halserver_violators;
expandattribute untrusted_app_visible_halserver_violators false;
Remove neverallow preventing hwservice access for apps. Same-process HALs are forbidden except for very specific HALs that have been provided and whitelisted by AOSP. As a result, a vendor extension HAL may have a need to be accessed by untrusted_app. This is still discouraged, and the existing AOSP hwservices are still forbidden, but remove the blanket prohibition. Also indicate that this is temporary, and that partners should expect to get exceptions to the rule into AOSP in the future. Bug: 62806062 Test: neverallow-only change builds. Verify new attribute is in policy. Change-Id: I6d3e659147d509a3503c2c9e0b6bb9016cc75832
2017-06-21 19:00:32 +02:00
SELinux policies for PDX services Specify per-service rules for PDX transport. Now being able to grant permissions to individual services provided by processes, not all services of a process. Also tighter control over which permissions are required for client and server for individual components of IPC (endpoints, channels, etc). Bug: 37646189 Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
2017-05-01 22:01:44 +02:00
# PDX services
attribute pdx_endpoint_dir_type;
attribute pdx_endpoint_socket_type;
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
expandattribute pdx_endpoint_socket_type false;
SELinux policies for PDX services Specify per-service rules for PDX transport. Now being able to grant permissions to individual services provided by processes, not all services of a process. Also tighter control over which permissions are required for client and server for individual components of IPC (endpoints, channels, etc). Bug: 37646189 Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
2017-05-01 22:01:44 +02:00
attribute pdx_channel_socket_type;
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
expandattribute pdx_channel_socket_type false;
SELinux policies for PDX services Specify per-service rules for PDX transport. Now being able to grant permissions to individual services provided by processes, not all services of a process. Also tighter control over which permissions are required for client and server for individual components of IPC (endpoints, channels, etc). Bug: 37646189 Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
2017-05-01 22:01:44 +02:00
pdx_service_attributes(display_client)
pdx_service_attributes(display_manager)
pdx_service_attributes(display_screenshot)
pdx_service_attributes(display_vsync)
pdx_service_attributes(performance_client)
pdx_service_attributes(bufferhub_client)
Use _client and _server for Audio HAL policy This starts the switch for HAL policy to the approach where: * domains which are clients of Foo HAL are associated with hal_foo_client attribute, * domains which offer the Foo HAL service over HwBinder are associated with hal_foo_server attribute, * policy needed by the implementation of Foo HAL service is written against the hal_foo attribute. This policy is granted to domains which offer the Foo HAL service over HwBinder and, if Foo HAL runs in the so-called passthrough mode (inside the process of each client), also granted to all domains which are clients of Foo HAL. hal_foo is there to avoid duplicating the rules for hal_foo_client and hal_foo_server to cover the passthrough/in-process Foo HAL and binderized/out-of-process Foo HAL cases. A benefit of associating all domains which are clients of Foo HAL with hal_foo (when Foo HAL is in passthrough mode) is that this removes the need for device-specific policy to be able to reference these domains directly (in order to add device-specific allow rules). Instead, device-specific policy only needs to reference hal_foo and should no longer need to care which particular domains on the device are clients of Foo HAL. This can be seen in simplification of the rules for audioserver domain which is a client of Audio HAL whose policy is being restructured in this commit. This commit uses Audio HAL as an example to illustrate the approach. Once this commit lands, other HALs will also be switched to this approach. Test: Google Play Music plays back radios Test: Google Camera records video with sound and that video is then successfully played back with sound Test: YouTube app plays back clips with sound Test: YouTube in Chrome plays back clips with sound Bug: 34170079 Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20
2017-02-13 23:40:49 +01:00
# All HAL servers
attribute halserverdomain;
# All HAL clients
attribute halclientdomain;
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
expandattribute halclientdomain true;
Group all HAL impls using haldomain attribute This marks all HAL domain implementations with the haldomain attribute so that rules can be written which apply to all HAL implementations. This follows the pattern used for appdomain, netdomain and bluetoothdomain. Test: No change to policy according to sesearch. Bug: 34180936 Change-Id: I0cfe599b0d49feed36538503c226dfce41eb65f6
2017-01-11 00:54:25 +01:00
Allow to use sockets from hal server for auto Add an exemption to neverallow rule to use sockets from HAL servers only for automotive build Bug: 78901167 Test: assign this attribute to hal_vehicle_default and try to open socket from HAL implementation Test: verify that new CTS test will fail for non-automotive build with this attribute buing used Test: make cts && cts-tradefed run singleCommand cts --skip-device-info --skip-preconditions --abi arm64-v8a --module CtsSecurityHostTestCases -t android.security.cts.SELinuxHostTest Merged-In: I27976443dad4fc5b7425c089512cac65bb54d6d9 (cherry picked from commit 4cafae77a4ac9e9b34410714787b68523dcd5345) Change-Id: I58e25a0f86579073aa568379b10b6599212134c6
2018-05-15 23:16:57 +02:00
# Exempt for halserverdomain to access sockets. Only builds for automotive
# device types are allowed to use this attribute (enforced by CTS).
# Unlike phone, in a car many modules are external from Android perspective and
# HALs should be able to communicate with those devices through sockets.
attribute hal_automotive_socket_exemption;
Move hal_light to attribute. HAL policy defines how the platform and a given HAL interact, but not how the HAL is implemented. This policy should be represented as an attribute that all processes implementing the HAL can include. Bug: 32123421 Test: Builds. Change-Id: I17e5612c0835773c28e14f09e2ce7bdc3f210c15
2016-11-15 19:05:55 +01:00
# HALs
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
hal_attribute(allocator);
Add atrace HAL 1.0 sepolicy Bug: 111098596 Test: atrace/systrace (cherry picked from commit 9ed5cf6e430a864630c2451bf35f18ac7668c12b) Change-Id: I97772ff21754d03a0aea0d53b39e8da5312a17c0
2018-09-20 01:06:28 +02:00
hal_attribute(atrace);
Use hal_attribute for all HALs. Bug: 72757373 Test: policy builds Change-Id: I7cc5e28aac8ed381c9c350f540826e069941f6c4
2018-03-10 23:13:01 +01:00
hal_attribute(audio);
Move automotive HALs sepolicy to system/ Bug: 70637118 Test: build, flash and boot automotive builds Change-Id: I6db23258de30174d6db09d241e91b08aa5afedef Merged-In: I6db23258de30174d6db09d241e91b08aa5afedef (cherry picked from commit 394dbe34a0dc7519acb9948175ba63ee18bedbed)
2018-04-10 23:07:14 +02:00
hal_attribute(audiocontrol);
authsecret HAL policies. Bug: 71527305 Test: compile and boot Change-Id: I91097bd62d99b8dd9eb6f53060badbaf0f4b8b4a (cherry picked from commit 1aedf4b5f8bdc391c61a22d01278de70c26eb9e8)
2018-01-10 17:11:46 +01:00
hal_attribute(authsecret);
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
hal_attribute(bluetooth);
Use hal_attribute for all HALs. Bug: 72757373 Test: policy builds Change-Id: I7cc5e28aac8ed381c9c350f540826e069941f6c4
2018-03-10 23:13:01 +01:00
hal_attribute(bootctl);
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
hal_attribute(broadcastradio);
Use hal_attribute for all HALs. Bug: 72757373 Test: policy builds Change-Id: I7cc5e28aac8ed381c9c350f540826e069941f6c4
2018-03-10 23:13:01 +01:00
hal_attribute(camera);
SEPolicy rules for CAN bus HAL Bug: 135918744 Test: VTS (separate new change) Change-Id: Idd3ca882e3bd36b95a5412bdfbf6fe9d6e911ba9
2019-07-24 02:38:51 +02:00
hal_attribute(can_bus);
hal_attribute(can_controller);
Use hal_attribute for all HALs. Bug: 72757373 Test: policy builds Change-Id: I7cc5e28aac8ed381c9c350f540826e069941f6c4
2018-03-10 23:13:01 +01:00
hal_attribute(cas);
Properly define hal_codec2 and related policies Test: make cts -j123 && cts-tradefed run cts-dev -m \ CtsMediaTestCases --compatibility:module-arg \ CtsMediaTestCases:include-annotation:\ android.platform.test.annotations.RequiresDevice Bug: 131677974 Change-Id: I59c3d225499a8c53c2ed9f3bd677ff3d7423990b
2019-04-30 14:09:28 +02:00
hal_attribute(codec2);
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
hal_attribute(configstore);
Added default policy for Confirmation UI HAL Bug: 63928580 Test: Manually tested. Change-Id: If6bb10cb7c009883d853e46dcdeb92cd33877d53
2018-01-09 23:42:53 +01:00
hal_attribute(confirmationui);
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
hal_attribute(contexthub);
Dice HAL: Add policy for dice HAL. And allow diced to talk to the dice HAL. Bug: 198197213 Test: N/A Change-Id: I74797b13656b38b50d7cd28a4c4c6ec4c8d1d1aa
2021-11-10 23:52:05 +01:00
hal_attribute(dice);
Use hal_attribute for all HALs. Bug: 72757373 Test: policy builds Change-Id: I7cc5e28aac8ed381c9c350f540826e069941f6c4
2018-03-10 23:13:01 +01:00
hal_attribute(drm);
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
hal_attribute(dumpstate);
Move automotive HALs sepolicy to system/ Bug: 70637118 Test: build, flash and boot automotive builds Change-Id: I6db23258de30174d6db09d241e91b08aa5afedef Merged-In: I6db23258de30174d6db09d241e91b08aa5afedef (cherry picked from commit 394dbe34a0dc7519acb9948175ba63ee18bedbed)
2018-04-10 23:07:14 +02:00
hal_attribute(evs);
Added placeholder SELinux policy for the biometric face HAL. Notes: - Added face hal domain, context and file types for the default SELinux policy. - Please see aosp/q/topic:"Face+Authentication" Bug: 80155388 Test: Built successfully. Change-Id: I2e02cf6df009c5ca476dfd842b493c6b76b7712a
2018-05-24 09:59:40 +02:00
hal_attribute(face);
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
hal_attribute(fingerprint);
hal_attribute(gatekeeper);
hal_attribute(gnss);
hal_attribute(graphics_allocator);
hal_attribute(graphics_composer);
hal_attribute(health);
health.filesystem HAL renamed to health.storage ...to reflect that the HAL operates on storage devices, not filesystem. Bug: 111655771 Test: compiles Change-Id: Ibb0572cb1878359e5944aa6711331f0c7993ba6e Merged-In: Ibb0572cb1878359e5944aa6711331f0c7993ba6e
2018-09-19 19:24:45 +02:00
hal_attribute(health_storage);
Add SELinux policy for Identity Credential HAL Bug: 111446262 Test: VtsHalIdentityCredentialTargetTest Change-Id: Icb5a0d8b24d463a2f1533f8dd3bfa84bf90acc6f
2020-01-15 01:44:40 +01:00
hal_attribute(identity);
Permissions for InputClassifier HAL Add the required permissions for the InputClassifier HAL. Bug: 62940136 Test: no selinux denials in logcat when HAL is used inside input flinger. Change-Id: Ibc9b115a83719421d56ecb4bca2fd196ec71fd76
2018-01-17 21:27:06 +01:00
hal_attribute(input_classifier);
Add sepolicy for IInputProcessor HAL This sepolicy is needed so that the vendor can launch a new HAL process, and then this HAL process could join the servicemanager as an impl for IInputProcessor. This HAL will be used to contain the previous impl of InputClassifier and also new features that we are going to add. Bug: 210158587 Test: use together with a HAL implementation, make sure HAL runs Change-Id: I476c215ad622ea18b4ce5cba9c07ae3257a65817
2022-01-12 00:06:14 +01:00
hal_attribute(input_processor);
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
hal_attribute(ir);
hal_attribute(keymaster);
Revert^2 "Move keymint to android.hardware.security." 16d61d038340c129b5d206ac3d41f1bdf3313b8a Bug: 175345910 Bug: 171429297 Exempt-From-Owner-Approval: re-landing topic with no changes in this CL. Change-Id: I1352c6b46b007dba3448b3c9cbdf454d7862a176
2020-12-11 14:05:27 +01:00
hal_attribute(keymint);
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
hal_attribute(light);
hal_attribute(lowpan);
hal_attribute(memtrack);
hal_attribute(neuralnetworks);
hal_attribute(nfc);
SEPolicy for Netlink Interceptor Make Netlink Interceptor work when SELinux is enforcing Test: Netlink Interceptor HAL comes up and works Bug: 194683902 Change-Id: I3afc7ae04eba82f2f6385b66ddd5f4a8310dff88
2021-10-06 01:53:52 +02:00
hal_attribute(nlinterceptor);
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
hal_attribute(oemlock);
mediacodec->mediacodec+hal_omx{,_server,_client} (breaks vendor blobs, will have to be regenerated after this CL) This moves mediacodec to vendor so it is replaced with hal_omx_server. The main benefit of this is that someone can create their own implementation of mediacodec without having to alter the one in the tree. mediacodec is still seccomp enforced by CTS tests. Fixes: 36375899 Test: (sanity) YouTube Test: (sanity) camera pics + video Test: check for denials Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e
2018-05-26 01:23:37 +02:00
hal_attribute(omx);
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
hal_attribute(power);
Add power.stats HAL 1.0 sepolicy Also giving statsd permission to access it. This change copies the internal sepolicy to AOSP. Bug: 111185513 Bug: 120551881 Test: make Change-Id: I7e0386777e05580299caf9b97cb7804459f1a9d0
2018-12-10 23:59:57 +01:00
hal_attribute(power_stats);
Support Resume on Reboot When an OTA is downloaded, the RecoverySystem can be triggered to store the user's lock screen knowledge factor in a secure way using the IRebootEscrow HAL. This will allow the credential encrypted (CE) storage, keymaster credentials, and possibly others to be unlocked when the device reboots after an OTA. Bug: 63928581 Test: make Test: boot emulator with default implementation Test: boot Pixel 4 with default implementation Change-Id: I1f02e7a502478715fd642049da01eb0c01d112f6
2019-12-04 01:55:43 +01:00
hal_attribute(rebootescrow);
SE Policy for Secure Element app and Secure Element HAL Test: App startup on boot Change-Id: I7740aafc088aadf676328e3f1bb8db5175d97102
2018-01-04 19:33:20 +01:00
hal_attribute(secure_element);
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
hal_attribute(sensors);
hal_attribute(telephony);
hal_attribute(tetheroffload);
hal_attribute(thermal);
hal_attribute(tv_cec);
hal_attribute(tv_input);
Tuner Hal 1.0 Enable ITuner service Test: cuttlefish Bug: 135708935 Change-Id: Ica063458860df45f0e2ab640a2ab35cd4da3da8e
2019-08-09 23:27:17 +02:00
hal_attribute(tv_tuner);
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
hal_attribute(usb);
hal_usb_gadget sepolicy Bug: 63669128 Test: Checked for avc denail messages. Change-Id: I057b3cf9ccc945cb943b9cf60fc9cd6c023eddda Merged-In: I057b3cf9ccc945cb943b9cf60fc9cd6c023eddda
2018-01-08 18:29:40 +01:00
hal_attribute(usb_gadget);
Add support for hal_uwb Bug: 187386527 Test: Boot and confirm HAL is up Signed-off-by: Michael Ayoubi <mayoubi@google.com> Change-Id: Ia866a9a72b6f2ea5b31de25baefd13c2fd0b9c22
2021-06-10 04:01:52 +02:00
hal_attribute(uwb);
sepolicy: Rename hal_uwb -> hal_uwb_vendor Since we are now creating an AOSP HAL for uwb. Rename Pixel specific internal UWB HAL from Android S to hal_uwb_vendor to avoid conflicts with the AOSP HAL sepolicy rules that are going to be added in Android T. Android S Architecture: |Apps | AOSP API | Vendor Service | Vendor HAL Interface | Vendor HAL Implementation | Vendor driver/firmware Android T Architecture: |Apps | AOSP API | AOSP Service | AOSP HAL Interface | Vendor HAL Implementation | Vendor driver/firmware Ignore-AOSP-First: Dependent changes in internal-only projects. Bug: 195308730 Test: Compiles Change-Id: I7bf4794232604372134ea299c8e2a6ba14a801d3 Merged-In: I7bf4794232604372134ea299c8e2a6ba14a801d3
2021-08-24 22:59:07 +02:00
# TODO(b/196225233): Remove this attribute and its usages elsewhere
# once all chip vendors integrate to the new UWB stack.
hal_attribute(uwb_vendor);
Move automotive HALs sepolicy to system/ Bug: 70637118 Test: build, flash and boot automotive builds Change-Id: I6db23258de30174d6db09d241e91b08aa5afedef Merged-In: I6db23258de30174d6db09d241e91b08aa5afedef (cherry picked from commit 394dbe34a0dc7519acb9948175ba63ee18bedbed)
2018-04-10 23:07:14 +02:00
hal_attribute(vehicle);
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
hal_attribute(vibrator);
hal_attribute(vr);
hal_attribute(weaver);
hal_attribute(wifi);
sepolicy(hostapd): Add a HIDL interface for hostapd * Note on cherry-pick: Some of the dependent changes are not in AOSP. In order to keep hostapd running correctly in AOSP, I've modified this change to only include policy additions. Change sepolicy permissions to now classify hostapd as a HAL exposing HIDL interface. Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd: 12-27 23:40:55.913 4952 4952 W hostapd : type=1400 audit(0.0:19): avc: denied { write } for name="hostapd" dev="sda13" ino=4587601 scontext=u:r:hal_wifi_hostapd_default:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0 01-02 19:07:16.938 5791 5791 W hostapd : type=1400 audit(0.0:31): avc: denied { search } for name="net" dev="sysfs" ino=30521 scontext=u:r:hal_wifi_hostapd_default:s0 tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0 Bug: 36646171 Test: Device boots up and able to turn on SoftAp. Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947 Merged-In: Ibacfcc938deab40096b54b8d0e608d53ca91b947 (cherry picked from commit 5bca3e860d34b3aff070a38bfd39caa74cade443)
2017-12-23 00:03:15 +01:00
hal_attribute(wifi_hostapd);
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
hal_attribute(wifi_supplicant);
Wifi Keystore HAL is not a HAL Wifi Keystore HAL is a HwBinder service (currently offered by keystore daemon) which is used by Wifi Supplicant HAL. This commit thus switches the SELinux policy of Wifi Keystore HAL to the approach used for non-HAL HwBinder services. The basic idea is simimilar to how we express Binder services in the policy, with two tweaks: (1) we don't have 'hwservicemanager find' and thus there's no add_hwservice macro, and (2) we need loosen the coupling between core and vendor components. For example, it should be possible to move a HwBinder service offered by a core component into another core component, without having to update the SELinux policy of the vendor image. We thus annotate all components offering HwBinder service x across the core-vendor boundary with x_server, which enables the policy of clients to contain rules of the form: binder_call(mydomain, x_server), and, if the service uses IPC callbacks, also binder_call(x_server, mydomain). Test: mmm system/sepolicy Test: sesearch indicates to changes to binder { call transfer} between keystore and hal_wifi_supplicant_default domains Bug: 36896667 Change-Id: I45c4ce8159b63869d7bb6df5c812c5291776d892
2017-04-04 23:56:31 +02:00
# HwBinder services offered across the core-vendor boundary
#
# We annotate server domains with x_server to loosen the coupling between
# system and vendor images. For example, it should be possible to move a service
# from one core domain to another, without having to update the vendor image
# which contains clients of this service.
Sepolicy update for Automotive Display Service Bug: 140395359 Test: make sepolicy -j Change-Id: Ib6ddf55210d8a8ee4868359c88e3d177edce9610 Signed-off-by: Changyeon Jo <changyeon@google.com>
2019-11-13 20:25:55 +01:00
attribute automotive_display_service_server;
Treble-ize sepolicy for fwk HIDL services. Bug: 130734497 Test: m selinux_policy; system_server and statds still have permission to export HIDL services. Change-Id: I6e87b236bdbdd939fca51fb7255e97635118ed2d Merged-In: I6e87b236bdbdd939fca51fb7255e97635118ed2d (cherry picked from commit 1d34b8cc313228cbcc5e4ff1d7be9c9db69d8585)
2019-04-22 19:09:38 +02:00
attribute camera_service_server;
Add fwk_display_hwservice. This hidl service provides information about vsync and hotplug to vendor services which is required by at least some camera hal implementations. Test: VtsFwkDisplayServiceV1_0TargetTest Test: no denials Bug: 38311538 Change-Id: I64f0321e2832facf987057f0d48940e269d8e2d9
2017-05-17 02:43:52 +02:00
attribute display_service_server;
Revert^2 "Adds a sepolicy for EVS manager service" 0137c98b90d709c246d55c24eeea1204d6eca9a1 Bug: 216727303 Test: m -j selinux_policy on failed targets reported in b/218802298 Change-Id: I2ae2fc85a4055f2cb7d19ff70b120e7b7ff0957d
2022-02-10 15:09:02 +01:00
attribute evsmanager_service_server;
Treble-ize sepolicy for fwk HIDL services. Bug: 130734497 Test: m selinux_policy; system_server and statds still have permission to export HIDL services. Change-Id: I6e87b236bdbdd939fca51fb7255e97635118ed2d Merged-In: I6e87b236bdbdd939fca51fb7255e97635118ed2d (cherry picked from commit 1d34b8cc313228cbcc5e4ff1d7be9c9db69d8585)
2019-04-22 19:09:38 +02:00
attribute scheduler_service_server;
attribute sensor_service_server;
attribute stats_service_server;
sepolicy: Create new attribute to serve ISuspendControlServiceInternal Bug: 178417023 Test: Verified manually Change-Id: Ie058ecf6b31c260e7788cbf0e74fa4182129d3e1 Signed-off-by: Darren Hsu <darrenhsu@google.com>
2021-02-25 11:02:53 +01:00
attribute system_suspend_internal_server;
Decouple system_suspend from hal attributes. System suspend service is not a HAL, so avoid using HAL-specific macros and attributes. Use system_suspend_server attribute for ISystemSuspend.hal permissions. Use system_suspend type directly for internal .aidl interface permissions. Bug: 126259100 Test: m selinux_policy Test: blueline boots; wakelocks can still be acquired; device suspends if left alone. Change-Id: Ie811e7da46023705c93ff4d76d15709a56706714
2019-02-27 01:45:40 +01:00
attribute system_suspend_server;
Treble-ize sepolicy for fwk HIDL services. Bug: 130734497 Test: m selinux_policy; system_server and statds still have permission to export HIDL services. Change-Id: I6e87b236bdbdd939fca51fb7255e97635118ed2d Merged-In: I6e87b236bdbdd939fca51fb7255e97635118ed2d (cherry picked from commit 1d34b8cc313228cbcc5e4ff1d7be9c9db69d8585)
2019-04-22 19:09:38 +02:00
attribute wifi_keystore_service_server;
Add super_block_device_type This is the type used on super partition block devices. - On devices launch with DAP, super is already marked as super_block_device_type. - On retrofit devices, appropriate block devices must be marked as super_block_device_type, for example: typeattribute system_block_device super_block_device_type; Bug: 128991918 Test: builds Change-Id: I7e26d85b577ce08d8dc1574ddc43146d65843d9c
2019-03-22 22:14:32 +01:00
# All types used for super partition block devices.
attribute super_block_device_type;
Allow coredomain access to only approved categories of vendor heaps One of the advantages of the DMA-BUF heaps framework over ION is that each heap is a separate char device and hence it is possible to create separate sepolicy permissions to restrict access to each heap. In the case of ION, allocation in every heap had to be done through /dev/ion which meant that there was no away to restrict allocations in a specific heap. This patch intends to restrict coredomain access to only approved categories of vendor heaps. Currently, the only identified category as per partner feedback is the system-secure heap which is defined as a heap that allocates from protected memory. Test: Build, video playback works on CF with ION disabled and without sepolicy denials Bug: 175697666 Change-Id: I923d2931c631d05d569e97f6e49145ef71324f3b
2020-12-15 07:57:49 +01:00
# All types used for DMA-BUF heaps
attribute dmabuf_heap_device_type;
sepolicy: set expandattribute false for dmabuf_heap_device_type This is needed to avoid build failure in target bertha_arm64. Test: make Bug: 176124106 Change-Id: Id24eaa00dc5d601deb7533ac1d484a76535c8df0
2020-12-23 03:44:07 +01:00
expandattribute dmabuf_heap_device_type false;
Split gsi_metadata_file and add gsi_metadata_file_type attribute Split gsi_metadata_file into gsi_metadata_file plus gsi_public_metadata_file, and add gsi_metadata_file_type attribute. Files that are okay to be publicly readable are labeled with gsi_public_metadata_file. Right now only files needed to infer the device fstab belong to this label. The difference between gsi_metadata_file and gsi_public_metadata_file is that gsi_public_metadata_file has relaxed neverallow rules, so processes who wish to read the fstab can add the respective allow rules to their policy files. Allow gsid to restorecon on gsi_metadata_file to fix the file context of gsi_public_metadata_file. Bug: 181110285 Test: Build pass Test: Issue a DSU installation then verify no DSU related denials and files under /metadata/gsi/ are labeled correctly. Change-Id: I54a5fe734dd345e28fd8c0874d5fceaf80ab8c11
2021-03-22 06:46:12 +01:00
# All types used for DSU metadata files.
attribute gsi_metadata_file_type;
Refactor apex data file types. We ended up with 4 labels for specific APEX files that were all identical; I've replaced them with a single one (apex_system_server_data_file). Additionally I created an attribute to be applied to a "standard" APEX module data file type that establishes the basics (it can be managed by vold_prepare_subdirs and apexd), to make it easier to add new such types - which I'm about to do. Fix: 189415223 Test: Presubmits Change-Id: I4406f6680aa8aa0e38afddb2f3ba75f8bfbb8c3c
2021-07-12 15:21:48 +02:00
# Types used for module-specific APEX data directories under
# /data/{misc,misc_ce,misc_de}/apexdata.
attribute apex_data_file_type;
Add charger_type. This is the common type for domains that executes charger's functionalities, including setting and getting necessary properties, permissions to maintain the health loop, writing to kernel log, handling inputs and drawing screens, etc. Permissions specific to the system charger is not moved. Also enforce stricter neverallow rules on charger_{status,config}_prop. For charger_config_prop, only init / vendor_init can set. For charger_status_prop, only init / vendor_init / charger / health HAL can set. For both, only init / vendor_init / charger / dumpstate / health HAL can get. (Health HAL is determined by the intersection of charger_type and hal_health_server.) A follow up CL will be added to add charger_type to hal_health_default, the default domain for health HAL servers. Vendors may add charger_type to their domains that serves the health AIDL HAL as well. Test: manual Bug: 203246116 Change-Id: I0e99b6b68d381b7f73306d93ee4f8c5c8abdf026
2021-10-26 02:58:04 +02:00
# Domains used for charger.
# This is the common type for domains that executes charger's
# functionalities, including setting and getting necessary properties,
# permissions to maintain the health loop, writing to kernel log, handling
# inputs and drawing screens, etc.
attribute charger_type;
Reference in a new issue Copy permalink