From c46a7bc759049445cf1b2d09eab4d5018f690aa8 Mon Sep 17 00:00:00 2001 From: Ashwini Oruganti Date: Tue, 29 Oct 2019 14:13:20 -0700 Subject: [PATCH] Create a separate SELinux domain for gmscore This change creates a gmscore_app domain for gmscore. The domain is currently in permissive mode (for userdebug and eng builds), while we observe the SELinux denials generated and update the gmscore_app rules accordingly. Bug: 142672293 Test: Flashed a device with this build and verified com.google.android.gms runs in the gmscore_app domain. Tested different flows on the Play Store app, e.g., create a new account, log in, update an app, etc. and verified no new denials were generated. Change-Id: Ie5cb2026f1427a21f25fde7e5bd00d82e859f9f3 --- private/compat/29.0/29.0.ignore.cil | 1 + private/domain.te | 2 +- private/gmscore_app.te | 111 ++++++++++++++++++++++++++++ private/seapp_contexts | 3 + private/stats.te | 1 + public/gmscore_app.te | 5 ++ 6 files changed, 122 insertions(+), 1 deletion(-) create mode 100644 private/gmscore_app.te create mode 100644 public/gmscore_app.te
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 83c76cbcf..524b84afe 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -14,6 +14,7 @@
 ctl_apexd_prop
 device_config_storage_native_boot_prop
 device_config_sys_traced_prop
+ gmscore_app
 hal_can_bus_hwservice
 hal_can_controller_hwservice
 hal_tv_tuner_hwservice
diff --git a/private/domain.te b/private/domain.te
index 5851d75f3..a621ae651 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -105,7 +105,7 @@ neverallow {
 } self:global_capability_class_set sys_ptrace;
 # Limit ability to generate hardware unique device ID attestations to priv_apps
-neverallow { domain -priv_app } *:keystore_key gen_unique_id;
+neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
 neverallow { domain 
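Review bot: The comment on the line above the changed neverallow still reads `# Limit ability to generate hardware unique device ID attestations to priv_apps`, but the rule now also exempts gmscore_app, so the comment under-states which domains may request unique-ID attestations; update it to `# Limit ability to generate hardware unique device ID attestations to priv_apps and gmscore_app`. The exemption is required by the new `allow gmscore_app keystore:keystore_key gen_unique_id;` in private/gmscore_app.te, which would otherwise fail this neverallow at policy compile time; the userdebug/eng `permissive` statement in that file does not relax neverallow checks, so this exception list is the assertion that bounds gen_unique_id on all builds. The hunk's trailing `neverallow { domain` context is collapsed here, so the block it introduces continues outside the visible text.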
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
new file mode 100644
index 000000000..b2e5d16c9
--- /dev/null
+++ b/private/gmscore_app.te
@@ -0,0 +1,111 @@
+###
+### A domain for further sandboxing the PrebuiltGMSCore app.
+###
+typeattribute gmscore_app coredomain;
+
+# Allow everything.
+# TODO(b/142672293): remove when no selinux denials are triggered for this
+# domain
+# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
+# `gmscore_app` and remove this line once we are confident about this having
+# the right set of permissions.
+userdebug_or_eng(`permissive gmscore_app;')
+
+app_domain(gmscore_app)
+
+allow gmscore_app sysfs_type:dir search;
+# Read access to /sys/class/net/wlan*/address
+r_dir_file(gmscore_app, sysfs_net)
+# Read access to /sys/block/zram*/mm_stat
+r_dir_file(gmscore_app, sysfs_zram)
+
+r_dir_file(gmscore_app, rootfs)
+
+# Allow GMS core to open kernel config for OTA matching through libvintf
+allow gmscore_app config_gz:file { open read getattr };
+
+# Allow GMS core to communicate with update_engine for A/B update.
+binder_call(gmscore_app, update_engine)
+allow gmscore_app update_engine_service:service_manager find;
+
+# Allow GMS core to communicate with dumpsys storaged.
+binder_call(gmscore_app, storaged)
+allow gmscore_app storaged_service:service_manager find;
+
+# Allow GMS core to access system_update_service (e.g. to publish pending
+# system update info).
+allow gmscore_app system_update_service:service_manager find;
+
+# Allow GMS core to communicate with statsd.
+binder_call(gmscore_app, statsd)
+
+# Allow GMS core to generate unique hardware IDs
+allow gmscore_app keystore:keystore_key gen_unique_id;
+
+# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
+allow gmscore_app selinuxfs:file r_file_perms;
+
+# suppress denials for non-API accesses.
+dontaudit gmscore_app exec_type:file r_file_perms;
+dontaudit gmscore_app device:dir r_dir_perms;
+dontaudit gmscore_app fs_bpf:dir r_dir_perms;
+dontaudit gmscore_app net_dns_prop:file r_file_perms;
+dontaudit gmscore_app proc:file r_file_perms;
+dontaudit gmscore_app proc_interrupts:file r_file_perms;
+dontaudit gmscore_app proc_modules:file r_file_perms;
+dontaudit gmscore_app proc_net:file r_file_perms;
+dontaudit gmscore_app proc_stat:file r_file_perms;
+dontaudit gmscore_app proc_version:file r_file_perms;
+dontaudit gmscore_app sysfs:dir r_dir_perms;
+dontaudit gmscore_app sysfs:file r_file_perms;
+dontaudit gmscore_app sysfs_android_usb:file r_file_perms;
+dontaudit gmscore_app sysfs_dm:file r_file_perms;
+dontaudit gmscore_app sysfs_loop:file r_file_perms;
+dontaudit gmscore_app wifi_prop:file r_file_perms;
+dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms;
+
+# Access the network
+net_domain(gmscore_app)
+
+# Allow loading executable code from writable priv-app home
+# directories. This is a W^X violation, however, it needs
+# to be supported for now for the following reasons.
+# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
+# 1) com.android.opengl.shaders_cache
+# 2) com.android.skia.shaders_cache
+# 3) com.android.renderscript.cache
+# * /data/user_de/0/com.google.android.gms/app_chimera
+# TODO: Tighten (b/112357170)
+allow gmscore_app privapp_data_file:file execute;
+
+allow gmscore_app privapp_data_file:lnk_file create_file_perms;
+
+# /proc access
+allow gmscore_app proc_vmstat:file r_file_perms;
+
+# Allow interaction with gpuservice
+binder_call(gmscore_app, gpuservice)
+allow gmscore_app gpu_service:service_manager find;
+
+# find services that expose both @SystemAPI and normal APIs.
+allow gmscore_app app_api_service:service_manager find;
+allow gmscore_app system_api_service:service_manager find;
+allow gmscore_app audioserver_service:service_manager find;
+allow gmscore_app cameraserver_service:service_manager find;
+allow gmscore_app drmserver_service:service_manager find;
+allow gmscore_app mediadrmserver_service:service_manager find;
+allow gmscore_app mediaextractor_service:service_manager find;
+allow gmscore_app mediametrics_service:service_manager find;
+allow gmscore_app mediaserver_service:service_manager find;
+allow gmscore_app network_watchlist_service:service_manager find;
+allow gmscore_app nfc_service:service_manager find;
+allow gmscore_app oem_lock_service:service_manager find;
+allow gmscore_app persistent_data_block_service:service_manager find;
+allow gmscore_app radio_service:service_manager find;
+allow gmscore_app recovery_service:service_manager find;
+allow gmscore_app stats_service:service_manager find;
+
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+allow gmscore_app shell_data_file:file r_file_perms;
+allow gmscore_app shell_data_file:dir r_dir_perms;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 4980c9384..1e035dce8 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
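Review bot: `dontaudit gmscore_app wifi_prop:file r_file_perms;` is immediately followed by `dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms;`, which already covers wifi_prop, so the first line is redundant and should be dropped. The `# Allow everything.` comment above the userdebug_or_eng line is misleading: a `permissive` statement only stops denials from being enforced (they are still logged and are what the STOPSHIP note asks to monitor), it grants nothing, and on user builds the domain is enforcing with exactly the rules listed here; suggest `# Permissive on userdebug/eng only: denials are logged but not enforced.`. The W^X comment block above `allow gmscore_app privapp_data_file:file execute;` lists several "POSSIBLE uses" that look carried over from the generic priv-app rule; now that this domain covers a single package, it would help the b/112357170 tightening to note which of the listed paths gmscore is actually observed to need.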
@@ -159,6 +159,9 @@ user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=
 user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
diff --git a/private/stats.te b/private/stats.te
index 81ec1cf77..ea9530c69 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -40,6 +40,7 @@ binder_call(statsd, stats)
 neverallow {
 domain
 -dumpstate
+ -gmscore_app
 -incidentd
 -platform_app
 -priv_app
diff --git a/public/gmscore_app.te b/public/gmscore_app.te
new file mode 100644
index 000000000..b574bf39c
--- /dev/null
+++ b/public/gmscore_app.te
@@ -0,0 +1,5 @@
+###
+### A domain for further sandboxing the PrebuiltGMSCore app.
+###
+
+type gmscore_app, domain;
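Review bot: The three new seapp_contexts entries use `levelFrom=user`, while the adjacent per-package priv-app entries for permissioncontroller_app and vzwomatrigger_app use `levelFrom=all`; since the change is described as further sandboxing, the reason for keeping the generic priv_app MLS level instead of per-app categories is not recorded and should be stated in a comment above the first `name=com.google.android.gms` entry, or the value changed to `levelFrom=all` if nothing depends on the shared level. The `name=com.google.android.gms.*` and `name=com.google.android.gms:*` patterns assign the domain by name prefix, so any priv-app package or process whose name starts with that prefix lands in gmscore_app; that appears intended, but a one-line comment naming the process naming scheme being matched would make the three entries self-explanatory.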