tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/update_engine.te

54 lines
2 KiB
Text
Raw Normal View History

Move update_engine policy to AOSP. The update_engine daemon from Brillo is expected to be used also in Android so move its selinux policy to AOSP. Put update_engine in the whitelist (currently only has the recovery there) allowing it to bypass the notallow for writing to partititions labeled as system_block_device. Also introduce the misc_block_device dev_type as update_engine in some configurations may need to read/write the misc partition. Start migrating uncrypt to use this instead of overly broad block_device:blk_file access. Bug: 23186405 Test: Manually tested with Brillo build. Change-Id: Icf8cdb4133d4bbdf14bacc6c0fa7418810ac307a
2015-10-05 23:04:39 +02:00
# Domain for update_engine daemon.
Move domain_deprecated into private policy This attribute is being actively removed from policy. Since attributes are not being versioned, partners must not be able to access and use this attribute. Move it from private and verify in the logs that rild and tee are not using these permissions. Bug: 38316109 Test: build and boot Marlin Test: Verify that rild and tee are not being granted any of these permissions. Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
2017-05-15 22:19:03 +02:00
type update_engine, domain, update_engine_common;
Move update_engine policy to AOSP. The update_engine daemon from Brillo is expected to be used also in Android so move its selinux policy to AOSP. Put update_engine in the whitelist (currently only has the recovery there) allowing it to bypass the notallow for writing to partititions labeled as system_block_device. Also introduce the misc_block_device dev_type as update_engine in some configurations may need to read/write the misc partition. Start migrating uncrypt to use this instead of overly broad block_device:blk_file access. Bug: 23186405 Test: Manually tested with Brillo build. Change-Id: Icf8cdb4133d4bbdf14bacc6c0fa7418810ac307a
2015-10-05 23:04:39 +02:00
type update_engine_exec, exec_type, file_type;
net_domain(update_engine);
# Following permissions are needed for update_engine.
allow update_engine self:process { setsched };
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 23:51:26 +01:00
allow update_engine self:global_capability_class_set { fowner sys_admin };
Do not audit the fsetid capability for update engine There's a selinux denial for update_engine after go/aog/530462; the denial is likely due to the setgid bit of the update_engine_log_data_file. Message: 11-11 02:07:54.843 870 870 I auditd : type=1400 audit(0.0:4): avc: denied { fsetid } for comm="update_engine" capability=4 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0 11-11 02:07:54.843 870 870 I auditd : type=1400 audit(0.0:5): avc: denied { fsetid } for comm="update_engine" capability=4 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0 11-11 02:07:54.843 870 870 I auditd : type=1400 audit(0.0:4): avc: denied { fsetid } for comm="update_engine" capability=4 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0 11-11 02:07:54.843 870 870 I auditd : type=1400 audit(0.0:5): avc: denied { fsetid } for comm="update_engine" capability=4 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0 Bug: 69197466 Test: denial message gone on sailfish. Change-Id: I0fdc285e4a4faa8dc37b4907484b3c79d4cc49cf
2017-11-12 23:38:03 +01:00
# Note: fsetid checks are triggered when creating a file in a directory with
# the setgid bit set to determine if the file should inherit setgid. In this
# case, setgid on the file is undesirable so we should just suppress the
# denial.
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 23:51:26 +01:00
dontaudit update_engine self:global_capability_class_set fsetid;
Do not audit the fsetid capability for update engine There's a selinux denial for update_engine after go/aog/530462; the denial is likely due to the setgid bit of the update_engine_log_data_file. Message: 11-11 02:07:54.843 870 870 I auditd : type=1400 audit(0.0:4): avc: denied { fsetid } for comm="update_engine" capability=4 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0 11-11 02:07:54.843 870 870 I auditd : type=1400 audit(0.0:5): avc: denied { fsetid } for comm="update_engine" capability=4 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0 11-11 02:07:54.843 870 870 I auditd : type=1400 audit(0.0:4): avc: denied { fsetid } for comm="update_engine" capability=4 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0 11-11 02:07:54.843 870 870 I auditd : type=1400 audit(0.0:5): avc: denied { fsetid } for comm="update_engine" capability=4 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0 Bug: 69197466 Test: denial message gone on sailfish. Change-Id: I0fdc285e4a4faa8dc37b4907484b3c79d4cc49cf
2017-11-12 23:38:03 +01:00
Move update_engine policy to AOSP. The update_engine daemon from Brillo is expected to be used also in Android so move its selinux policy to AOSP. Put update_engine in the whitelist (currently only has the recovery there) allowing it to bypass the notallow for writing to partititions labeled as system_block_device. Also introduce the misc_block_device dev_type as update_engine in some configurations may need to read/write the misc partition. Start migrating uncrypt to use this instead of overly broad block_device:blk_file access. Bug: 23186405 Test: Manually tested with Brillo build. Change-Id: Icf8cdb4133d4bbdf14bacc6c0fa7418810ac307a
2015-10-05 23:04:39 +02:00
allow update_engine kmsg_device:chr_file w_file_perms;
Add bspatch to update_engine_exec. This allow bspatch to have same perssion as update_engine. Also added a rule to allow update_engine to execute bspatch. Bug: 24478450 Test: No more permission deny during delta update. Change-Id: If94bc703b2f3fc32f901f0d7f300934316d4e9a4
2015-11-21 01:09:14 +01:00
allow update_engine update_engine_exec:file rx_file_perms;
Move update_engine policy to AOSP. The update_engine daemon from Brillo is expected to be used also in Android so move its selinux policy to AOSP. Put update_engine in the whitelist (currently only has the recovery there) allowing it to bypass the notallow for writing to partititions labeled as system_block_device. Also introduce the misc_block_device dev_type as update_engine in some configurations may need to read/write the misc partition. Start migrating uncrypt to use this instead of overly broad block_device:blk_file access. Bug: 23186405 Test: Manually tested with Brillo build. Change-Id: Icf8cdb4133d4bbdf14bacc6c0fa7418810ac307a
2015-10-05 23:04:39 +02:00
wakelock_use(update_engine);
New postinstall domain and rules to run post-install program. When using the A/B updater, a device specific hook is sometimes needed to run after the new partitions are updated but before rebooting into the new image. This hook is referred to throughout the code as the "postinstall" step. This patch creates a new execution domain "postinstall" which update_engine will use to run said hook. Since the hook needs to run from the new image (namelly, slot "B"), update_engine needs to temporarly mount this B partition into /postinstall and then run a program from there. Since the new program in B runs from the old execution context in A, we can't rely on the labels set in the xattr in the new filesystem to enforce the policies baked into the old running image. Instead, when temporarily mounting the new filesystem in update_engine, we override all the new file attributes with the new postinstall_file type by passing "context=u:object_r:postinstall_file:s0" to the mount syscall. This allows us to set new rules specific to the postinstall environment that are consistent with the rules in the old system. Bug: 27177071 TEST=Deployed a payload with a trivial postinstall script to edison-eng. Change-Id: Ib06fab92afb45edaec3c9c9872304dc9386151b4
2016-03-02 01:14:45 +01:00
# Ignore these denials.
dontaudit update_engine kernel:process setsched;
sepolicy: Fix references to self:capability commit 9b2e0cbeeaae560b07e4ffa6e5b8e505699e4a76 added a new self:global_capability_class_set macro that covers both self:capability and self:cap_userns. Apply the new macro to various self:capability references that have cropped up since then. Bug: 112307595 Test: policy diff shows new rules are all cap_userns Change-Id: I3eb38ef07532a8e693fd549dfdbc4a6df5329609
2018-08-15 21:34:20 +02:00
dontaudit update_engine self:global_capability_class_set sys_rawio;
New postinstall domain and rules to run post-install program. When using the A/B updater, a device specific hook is sometimes needed to run after the new partitions are updated but before rebooting into the new image. This hook is referred to throughout the code as the "postinstall" step. This patch creates a new execution domain "postinstall" which update_engine will use to run said hook. Since the hook needs to run from the new image (namelly, slot "B"), update_engine needs to temporarly mount this B partition into /postinstall and then run a program from there. Since the new program in B runs from the old execution context in A, we can't rely on the labels set in the xattr in the new filesystem to enforce the policies baked into the old running image. Instead, when temporarily mounting the new filesystem in update_engine, we override all the new file attributes with the new postinstall_file type by passing "context=u:object_r:postinstall_file:s0" to the mount syscall. This allows us to set new rules specific to the postinstall environment that are consistent with the rules in the old system. Bug: 27177071 TEST=Deployed a payload with a trivial postinstall script to edison-eng. Change-Id: Ib06fab92afb45edaec3c9c9872304dc9386151b4
2016-03-02 01:14:45 +01:00
Move update_engine policy to AOSP. The update_engine daemon from Brillo is expected to be used also in Android so move its selinux policy to AOSP. Put update_engine in the whitelist (currently only has the recovery there) allowing it to bypass the notallow for writing to partititions labeled as system_block_device. Also introduce the misc_block_device dev_type as update_engine in some configurations may need to read/write the misc partition. Start migrating uncrypt to use this instead of overly broad block_device:blk_file access. Bug: 23186405 Test: Manually tested with Brillo build. Change-Id: Icf8cdb4133d4bbdf14bacc6c0fa7418810ac307a
2015-10-05 23:04:39 +02:00
# Allow using persistent storage in /data/misc/update_engine.
Allow update_engine to access /data/misc/update_engine_log Add label update_engine_log_data_file for log files created by update engine in directory /data/misc/update_engine_log. Bug: 65568605 Test: manual Change-Id: I379db82a0ea540e41cb3b8e03f93d9ce64fac7c9
2017-11-06 12:56:00 +01:00
allow update_engine update_engine_data_file:dir create_dir_perms;
allow update_engine update_engine_data_file:file create_file_perms;
# Allow using persistent storage in /data/misc/update_engine_log.
allow update_engine update_engine_log_data_file:dir create_dir_perms;
allow update_engine update_engine_log_data_file:file create_file_perms;
Move update_engine policy to AOSP. The update_engine daemon from Brillo is expected to be used also in Android so move its selinux policy to AOSP. Put update_engine in the whitelist (currently only has the recovery there) allowing it to bypass the notallow for writing to partititions labeled as system_block_device. Also introduce the misc_block_device dev_type as update_engine in some configurations may need to read/write the misc partition. Start migrating uncrypt to use this instead of overly broad block_device:blk_file access. Bug: 23186405 Test: Manually tested with Brillo build. Change-Id: Icf8cdb4133d4bbdf14bacc6c0fa7418810ac307a
2015-10-05 23:04:39 +02:00
# Don't allow kernel module loading, just silence the logs.
dontaudit update_engine kernel:system module_request;
Allow update_engine to use Binder IPC. Register service with servicemanager and name the context. avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:servicemanager:s0 tclass=binder avc: denied { add } for service=android.os.IUpdateEngine scontext=u:r:update_engine:s0 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager Also allow priv_app to communicate with update_engine. avc: denied { find } for service=android.os.IUpdateEngine scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager avc: denied { call } for scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:update_engine:s0 tclass=binder avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:priv_app:s0 tclass=binder Change-Id: Ib4498717c1a72f5faab5ea04c636924ee4eb412c
2016-01-26 01:41:03 +01:00
# Register the service to perform Binder IPC.
binder_use(update_engine)
te_macros: introduce add_service() macro Introduce the add_service() macro which wraps up add/find permissions for the source domain with a neverallow preventing others from adding it. Only a particular domain should add a particular service. Use the add_service() macro to automatically add a neverallow that prevents other domains from adding the service. mediadrmserver was adding services labeled mediaserver_service. Drop the add permission as it should just need the find permission. Additionally, the macro adds the { add find } permission which causes some existing neverallow's to assert. Adjust those neverallow's so "self" can always find. Test: compile and run on hikey and emulator. No new denials were found, and all services, where applicable, seem to be running OK. Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-01-19 22:23:52 +01:00
add_service(update_engine, update_engine_service)
Allow update_engine to use Binder IPC. Register service with servicemanager and name the context. avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:servicemanager:s0 tclass=binder avc: denied { add } for service=android.os.IUpdateEngine scontext=u:r:update_engine:s0 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager Also allow priv_app to communicate with update_engine. avc: denied { find } for service=android.os.IUpdateEngine scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager avc: denied { call } for scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:update_engine:s0 tclass=binder avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:priv_app:s0 tclass=binder Change-Id: Ib4498717c1a72f5faab5ea04c636924ee4eb412c
2016-01-26 01:41:03 +01:00
# Allow update_engine to call the callback function provided by priv_app.
binder_call(update_engine, priv_app)
Add ota_package_file label for OTA packages. (cherry picked from commit 6c3f2831aca571ec3b01f60996965a432aa8164d) Allow priv_app, uncrypt, update_engine to access the OTA packages at /data/ota_package (both A/B and non-A/B). GMSCore (priv_app) checks the existence of the folder, and downloads the package there if present. Bug: 28944800 Change-Id: I3c0717861fce7f93b33874a99f6a4a55567612a5
2016-05-25 06:07:48 +02:00
# Read OTA zip file at /data/ota_package/.
allow update_engine ota_package_file:file r_file_perms;
allow update_engine ota_package_file:dir r_dir_perms;
Add permissions for hal_boot The service running the boot control HAL needs the permissions provided by the boot_control_hal attribute. update_engine and update_verifier still also need these permissions in order to successfully call the new HAL in pass-through mode, but also need permission to call the new service. Bug: 31864052 Test: Built and confirmed no permission denials. Change-Id: I2a6fdd5cf79b9e461d7cc14bd5b7abd6481ed911 Signed-off-by: Connor O'Brien <connoro@google.com>
2016-11-19 03:44:07 +01:00
Switch Boot Control HAL policy to _client/_server This switches Boot Control HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Boot Control HAL. Domains which are clients of Boot Control HAL, such as update_server, are granted rules targeting hal_bootctl only when the Boot Control HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_bootctl are not granted to client domains. Domains which offer a binderized implementation of Boot Control HAL, such as hal_bootctl_default domain, are always granted rules targeting hal_bootctl. P. S. This commit removes direct access to Boot Control HAL from system_server because system_server is not a client of this HAL. This commit also removes bootctrl_block_device type which is no longer used. Finally, boot_control_hal attribute is removed because it is now covered by the hal_bootctl attribute. Test: Device boots up, no new denials Test: Reboot into recovery, sideload OTA update succeeds Test: Apply OTA update via update_engine: 1. make dist 2. Ensure device has network connectivity 3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip Bug: 34170079 Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf
2017-03-17 03:17:15 +01:00
# Use Boot Control HAL
hal_client_domain(update_engine, hal_bootctl)
Move update_engine rules out of update_engine_common.te Grant update_engine access to sysfs. Ran fake ota go/manual-ab-ota, and this denial was fixed: avc: denied { read } for pid=912 comm="update_engine" name="compatible" dev="sysfs" ino=17399 scontext=u:r:update_engine:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 Test: boots with no new denials Change-Id: I8697da3af254aea1cec44d9dbb1eca18be31859c
2017-10-04 01:09:08 +02:00
/proc, /sys access from uncrypt, update_engine, postinstall_dexopt New types: 1. proc_random 2. sysfs_dt_firmware_android Labeled: 1. /proc/sys/kernel/random as proc_random. 2. /sys/firmware/devicetree/base/firmware/android/{compatible, fstab, vbmeta} as sysfs_dt_firmware_android. Changed access: 1. uncrypt, update_engine, postinstall_dexopt have access to generic proc and sysfs labels removed. 2. appropriate permissions were added to uncrypt, update_engine, update_engine_common, postinstall_dexopt. Bug: 67416435 Bug: 67416336 Test: fake ota go/manual-ab-ota runs without denials Test: adb sideload runs without denials to new types Change-Id: Id31310ceb151a18652fcbb58037a0b90c1f6505a
2017-10-04 19:34:11 +02:00
# access /proc/misc
Move update_engine rules out of update_engine_common.te Grant update_engine access to sysfs. Ran fake ota go/manual-ab-ota, and this denial was fixed: avc: denied { read } for pid=912 comm="update_engine" name="compatible" dev="sysfs" ino=17399 scontext=u:r:update_engine:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 Test: boots with no new denials Change-Id: I8697da3af254aea1cec44d9dbb1eca18be31859c
2017-10-04 01:09:08 +02:00
allow update_engine proc_misc:file r_file_perms;
# read directories on /system and /vendor
allow update_engine system_file:dir r_dir_perms;
Reference in a new issue Copy permalink