tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/storaged.te

70 lines
2 KiB
Text
Raw Normal View History

Storaged permission setting Allowing storaged for reading from pseudo filesystems and debugfs. Bug: 32221677 Change-Id: I837cead9a68f0b399703b64d724cb9c4b205c335
2016-06-18 00:05:10 +02:00
# storaged daemon
Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-23 22:27:32 +01:00
type storaged, domain, coredomain, mlstrustedsubject;
Introduce system_file_type system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 19:21:37 +02:00
type storaged_exec, system_file_type, exec_type, file_type;
Storaged permission setting Allowing storaged for reading from pseudo filesystems and debugfs. Bug: 32221677 Change-Id: I837cead9a68f0b399703b64d724cb9c4b205c335
2016-06-18 00:05:10 +02:00
init_daemon_domain(storaged)
# Read access to pseudo filesystems
Storaged permissions for task I/O Allow storaged to read /proc/[pid]/io Grant binder access to storaged Add storaged service Grant storaged_exec access to dumpstate Grant storaged binder_call to dumpstate Bug: 32221677 Change-Id: Iecc9dba266c5566817a99ac6251eb943a0bac630
2016-07-01 21:18:54 +02:00
r_dir_file(storaged, domain)
Storaged permission setting Allowing storaged for reading from pseudo filesystems and debugfs. Bug: 32221677 Change-Id: I837cead9a68f0b399703b64d724cb9c4b205c335
2016-06-18 00:05:10 +02:00
Define policy for /proc/uid_io/stats New procfs file read by storaged to dump fg/bg IO usage. Remove kmsg rule since it's no longer used by storaged. Allow storaged to find permission_service to translate UID to package name. Test: adb shell storaged -u Bug: 34198239 Change-Id: I74654662c75571cbe166cf2b8cbab84828218cbd
2017-01-12 01:20:49 +01:00
# Read /proc/uid_io/stats
allow storaged proc_uid_io_stats:file r_file_perms;
storaged: allow reading packages.list Delete rule for permission_service since we use packages.list instead. Test: adb shell storaged -u Bug: 34198239 Change-Id: Ic69d0fe185e627a932bbf8e85fc13163077bbe6b
2017-01-21 05:29:13 +01:00
# Read /data/system/packages.list
allow storaged system_data_file:file r_file_perms;
Relabel /data/system/packages.list to new type. Conservatively grant access to packages_list_file to everything that had access to system_data_file:file even if the comment in the SELinux policy suggests it was for another use. Ran a diff on the resulting SEPolicy, the only difference of domains being granted is those that had system_data_file:dir permissiosn which is clearly not applicable for packages.list diff -u0 <(sesearch --allow -t system_data_file ~/sepolicy | sed 's/system_data_file/packages_list_file/') <(sesearch --allow -t packages_list_file ~/sepolicy_new) --- /proc/self/fd/16 2019-03-19 20:01:44.378409146 +0000 +++ /proc/self/fd/18 2019-03-19 20:01:44.378409146 +0000 @@ -3 +2,0 @@ -allow appdomain packages_list_file:dir getattr; @@ -6 +4,0 @@ -allow coredomain packages_list_file:dir getattr; @@ -8 +5,0 @@ -allow domain packages_list_file:dir search; @@ -35 +31,0 @@ -allow system_server packages_list_file:dir { rename search setattr read lock create reparent getattr write relabelfrom ioctl rmdir remove_name open add_name }; @@ -40 +35,0 @@ -allow tee packages_list_file:dir { search read lock getattr ioctl open }; @@ -43,3 +37,0 @@ -allow traced_probes packages_list_file:dir { read getattr open search }; -allow vendor_init packages_list_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name open add_name }; -allow vold packages_list_file:dir { search setattr read lock create getattr mounton write ioctl rmdir remove_name open add_name }; @@ -48 +39,0 @@ -allow vold_prepare_subdirs packages_list_file:dir { read write relabelfrom rmdir remove_name open add_name }; @@ -50 +40,0 @@ -allow zygote packages_list_file:dir { search read lock getattr ioctl open }; Bug: 123186697 Change-Id: Ieabf313653deb5314872b63cd47dadd535af7b07
2019-03-19 19:14:38 +01:00
allow storaged packages_list_file:file r_file_perms;
storaged: allow reading packages.list Delete rule for permission_service since we use packages.list instead. Test: adb shell storaged -u Bug: 34198239 Change-Id: Ic69d0fe185e627a932bbf8e85fc13163077bbe6b
2017-01-21 05:29:13 +01:00
storaged: allow storaged to access /data/misc/storaged directory storaged will use this directory to store internal data files. Bug: 63740245 Change-Id: Ie77961c2b398cc464b7199d3acbcc6287312d3b4
2017-08-15 02:01:25 +02:00
# Store storaged proto file
allow storaged storaged_data_file:dir rw_dir_perms;
allow storaged storaged_data_file:file create_file_perms;
Revert "Revert "Add neverallows for debugfs access"" This reverts commit e95e0ec0a5f2f6fdf362d14b7960850a05e790b5. Now that b/186727553 is fixed, it should be safe to revert this revert. Test: build Bug: 184381659 Change-Id: Ibea3882296db880f5cafe4f9efa36d79a183c8a1
2021-05-05 07:01:51 +02:00
no_debugfs_restriction(`
userdebug_or_eng(`
# Read access to debugfs
allow storaged debugfs_mmc:dir search;
allow storaged debugfs_mmc:file r_file_perms;
')
Storaged permissions for task I/O Allow storaged to read /proc/[pid]/io Grant binder access to storaged Add storaged service Grant storaged_exec access to dumpstate Grant storaged binder_call to dumpstate Bug: 32221677 Change-Id: Iecc9dba266c5566817a99ac6251eb943a0bac630
2016-07-01 21:18:54 +02:00
')
Storaged permission setting Allowing storaged for reading from pseudo filesystems and debugfs. Bug: 32221677 Change-Id: I837cead9a68f0b399703b64d724cb9c4b205c335
2016-06-18 00:05:10 +02:00
storaged: allow shell to call dumpsys storaged Test: adb kill-server && adb shell dumpsys storaged Bug: 36492915 Change-Id: I3a1a2ad2f016ddd5770d585cae82c8be69001df9
2017-03-23 20:28:20 +01:00
# Needed to provide debug dump output via dumpsys pipes.
allow storaged shell:fd use;
allow storaged shell:fifo_file write;
Allow GMSCore to call dumpsys storaged Test: trigger dumpsys storaged from GMScore Bug: 37284569 Change-Id: Ie734ce5487a69f8cc29dd73d470229fe81cd1176
2017-04-13 02:38:11 +02:00
# Needed for GMScore to call dumpsys storaged
allow storaged priv_app:fd use;
Allow GMS core to call dumpsys storaged Now that GMS core is running in gmscore_app and not priv_app, we need this rule for the new domain. This also adds an auditallow to the same rule for priv_app, so we can delete it once no logs show up in go/sedenials for this rule triggerring. Bug: 142672293 Test: TH Change-Id: I308d40835156e0c19dd5074f69584ebf1c72ad58
2019-12-11 21:49:04 +01:00
# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
# Remove after no logs are seen for this rule.
userdebug_or_eng(`
auditallow storaged priv_app:fd use;
')
allow storaged gmscore_app:fd use;
Start partitioning off privapp_data_file from app_data_file Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories. This change adds a new file type "privapp_data_file". For compatibility, we adjust the policy to support access privapp_data_files almost everywhere we were previously granting access to app_data_files (adbd and run-as being exceptions). Additional future tightening is possible here by removing some of these newly added rules. This label will start getting used in a followup change to system/sepolicy/private/seapp_contexts, similar to: -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user For now, this newly introduced label has no usage, so this change is essentially a no-op. Test: Factory reset and boot - no problems on fresh install. Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade. Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-03 00:54:23 +02:00
allow storaged { privapp_data_file app_data_file }:file write;
Allow GMSCore to call dumpsys storaged Test: trigger dumpsys storaged from GMScore Bug: 37284569 Change-Id: Ie734ce5487a69f8cc29dd73d470229fe81cd1176
2017-04-13 02:38:11 +02:00
allow storaged permission_service:service_manager find;
Storaged permissions for task I/O Allow storaged to read /proc/[pid]/io Grant binder access to storaged Add storaged service Grant storaged_exec access to dumpstate Grant storaged binder_call to dumpstate Bug: 32221677 Change-Id: Iecc9dba266c5566817a99ac6251eb943a0bac630
2016-07-01 21:18:54 +02:00
# Binder permissions
te_macros: introduce add_service() macro Introduce the add_service() macro which wraps up add/find permissions for the source domain with a neverallow preventing others from adding it. Only a particular domain should add a particular service. Use the add_service() macro to automatically add a neverallow that prevents other domains from adding the service. mediadrmserver was adding services labeled mediaserver_service. Drop the add permission as it should just need the find permission. Additionally, the macro adds the { add find } permission which causes some existing neverallow's to assert. Adjust those neverallow's so "self" can always find. Test: compile and run on hikey and emulator. No new denials were found, and all services, where applicable, seem to be running OK. Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-01-19 22:23:52 +01:00
add_service(storaged, storaged_service)
Define policy for /proc/uid_io/stats New procfs file read by storaged to dump fg/bg IO usage. Remove kmsg rule since it's no longer used by storaged. Allow storaged to find permission_service to translate UID to package name. Test: adb shell storaged -u Bug: 34198239 Change-Id: I74654662c75571cbe166cf2b8cbab84828218cbd
2017-01-12 01:20:49 +01:00
Storaged permissions for task I/O Allow storaged to read /proc/[pid]/io Grant binder access to storaged Add storaged service Grant storaged_exec access to dumpstate Grant storaged binder_call to dumpstate Bug: 32221677 Change-Id: Iecc9dba266c5566817a99ac6251eb943a0bac630
2016-07-01 21:18:54 +02:00
binder_use(storaged)
binder_call(storaged, system_server)
healthd provides health@2.0 service. * remove binder calls to healthd (storaged, system_server) * Allow healthd to serve health HAL Bug: 62229583 Test: no health related denials Test: VTS health test Test: BatteryManagerTest Change-Id: I0cf1872c0ba69e7de7c3f529d548f9ffe39812ac
2017-09-26 04:40:59 +02:00
hal_client_domain(storaged, hal_health)
storaged: allow register and callback from batteryproperties Test: adb shell dumpsys storaged Bug: 33086174 Bug: 34198239 Change-Id: I85d6bd05192a205662f69466d7d6208e8b834eff
2017-02-06 20:04:31 +01:00
storaged: add permissions for dumpstate The service "storaged" implememnts a dump() interface for dumpsys, and thus it needs to write its state to the fd provided by dumpstate. To correct this, and fix dumpstate, allow the permission. Fixes: avc: denied { use } for pid=3298 comm="dumpsys" path="pipe:[33470]" dev="pipefs" ino=33470 scontext=u:r:storaged:s0 tcontext=u:r:dumpstate:s0 tclass=fd permissive=0 Test: With a device that has storaged, issue the command: $ adb shell dumpstate Change-Id: I515e20f0328b6edc01ea2a7c53b1d3c4ca0e72ac Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-05-03 19:26:40 +02:00
# Implements a dumpsys interface.
allow storaged dumpstate:fd use;
Allow PackageManager to create a new service A new API [getNamesForUids] was recently added to the PackageManager and this API needs to be accessible to native code. However, there were two constraints: 1) Instead of hand-rolling the binder, we wanted to auto generate the bindings directly from the AIDL compiler. 2) We didn't want to expose/annotate all 180+ PackageManager APIs when only a single API is needed. So, we chose to create a parallel API that can be used explicitly for native bindings without exposing the entirety of the PackageManager. Bug: 62805090 Test: Manual Test: Create a native application that calls into the new service Test: See the call works and data and returned Change-Id: I0d469854eeddfa1a4fd04b5c53b7a71ba3ab1f41
2017-08-02 16:27:44 +02:00
# use a subset of the package manager service
allow storaged package_native_service:service_manager find;
storaged: remove rules no longer necessary Test: adb shell dumpsys storaged --force Bug: 35323867 Change-Id: I6944ca357875a24465054d3891a00dbcd67495cf
2017-02-23 02:27:57 +01:00
# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
# running as root. See b/35323867 #3.
sepolicy: grant dac_read_search to domains with dac_override kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of dac_override and dac_read_search checks. Domains that have dac_override will now generate spurious denials for dac_read_search unless they also have that permission. Since dac_override is a strict superset of dac_read_search, grant dac_read_search to all domains that already have dac_override to get rid of the denials. Bug: 114280985 Bug: crbug.com/877588 Test: Booted on a device running 4.14. Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
2018-09-07 00:19:40 +02:00
dontaudit storaged self:global_capability_class_set { dac_override dac_read_search };
storaged: remove rules no longer necessary Test: adb shell dumpsys storaged --force Bug: 35323867 Change-Id: I6944ca357875a24465054d3891a00dbcd67495cf
2017-02-23 02:27:57 +01:00
Ensure taking a bugreport generates no denials. This commit adds new SELinux permissions and neverallow rules so that taking a bugreport does not produce any denials. Bug: 73256908 Test: Captured bugreports on Sailfish and Walleye and verified that there were no denials. Merged-In: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9 Change-Id: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9 (cherry picked from commit daf1cdfa5ac7eca95f3b21034174a495a6760e47)
2018-03-02 23:14:44 +01:00
# For collecting bugreports.
allow storaged dumpstate:fifo_file write;
Storaged permissions for task I/O Allow storaged to read /proc/[pid]/io Grant binder access to storaged Add storaged service Grant storaged_exec access to dumpstate Grant storaged binder_call to dumpstate Bug: 32221677 Change-Id: Iecc9dba266c5566817a99ac6251eb943a0bac630
2016-07-01 21:18:54 +02:00
###
### neverallow
###
neverallow storaged domain:process ptrace;
storaged: remove rules no longer necessary Test: adb shell dumpsys storaged --force Bug: 35323867 Change-Id: I6944ca357875a24465054d3891a00dbcd67495cf
2017-02-23 02:27:57 +01:00
neverallow storaged self:capability_class_set *;
Reference in a new issue Copy permalink