Properties are now broken up from a single /dev/__properties__ file into
multiple files, one per property label. This commit provides the
mechanism to control read access to each of these files and therefore
sets of properties.
This allows full access for all domains to each of these new property
files to match the current permissions of /dev/__properties__. Future
commits will restrict the access.
Bug: 21852512
Change-Id: Ie9e43968acc7ac3b88e354a0bdfac75b8a710094
This allows bspatch to have the same permission as update_engine.
Also added a rule to allow update_engine to execute bspatch.
Bug: 24478450
Test: No more permission deny during delta update.
Change-Id: If94bc703b2f3fc32f901f0d7f300934316d4e9a4
The update_engine daemon from Brillo is expected to be used also in
Android so move its selinux policy to AOSP.
Put update_engine in the whitelist (currently only has the recovery
there) allowing it to bypass the neverallow for writing to partitions
labeled as system_block_device.
Also introduce the misc_block_device dev_type as update_engine in some
configurations may need to read/write the misc partition. Start
migrating uncrypt to use this instead of overly broad
block_device:blk_file access.
Bug: 23186405
Test: Manually tested with Brillo build.
Change-Id: Icf8cdb4133d4bbdf14bacc6c0fa7418810ac307a
(cherry picked from commit a10f789d28)
The directory is to be used in eng/userdebug builds to store method
traces (previously stored in /data/dalvik-cache/profiles).
Bug: 25612377
Change-Id: Ia4365a8d1f13d33ee54115dc5e3bf62786503993
1) Don't use the generic "system_data_file" for the files in /data/nativetest.
Rather, ensure it has its own special label. This allows us to distinguish
these files from other files in SELinux policy.
2) Allow the shell user to execute files from /data/nativetest, on
userdebug or eng builds only.
3) Add a neverallow rule (compile time assertion + CTS test) that nobody
is allowed to execute these files on user builds, and only the shell user
is allowed to execute these files on userdebug/eng builds.
Bug: 25340994
Change-Id: I3e292cdd1908f342699d6c52f8bbbe6065359413
Simplify SELinux policy by deleting the procrank SELinux domain.
procrank only exists on userdebug/eng builds, and anyone wanting
to run procrank can just su to root.
Bug: 18342188
Change-Id: I71adc86a137c21f170d983e320ab55be79457c16
Apply the same sepolicy used on dhcpcd to dhcpcd-6.8.2,
which is to have it run with the dhcp context, and have its
data files possess the dhcp_data_file context.
BUG: 22956197
Change-Id: I7915b694038bb309d93691ef5d4d293593ef3b5e
Since ram devices are labeled in base contexts, also add a label
for devices using zram.
Change-Id: I002baebf40246e78c6f9fb367ac6fb019101cc86
Signed-off-by: William Roberts <william.c.roberts@intel.com>
We have a bunch of magic that mounts the correct view of storage
access based on the runtime permissions of an app, but we forgot to
protect the real underlying data sources; oops.
This series of changes just bumps the directory hierarchy one level
to give us /mnt/runtime which we can mask off as 0700 to prevent
people from jumping to the exposed internals.
Also add CTS tests to verify that we're protecting access to
internal mount points like this.
Bug: 22964288
Change-Id: Ic585c4d4381fe51bd764902ef28c38db63b7f2cc
Now that we're treating storage as a runtime permission, we need to
grant read/write access without killing the app. This is really
tricky, since we had been using GIDs for access control, and they're
set in stone once Zygote drops privileges.
The only thing left that can change dynamically is the filesystem
itself, so let's do that. This means changing the FUSE daemon to
present itself as three different views:
/mnt/runtime_default/foo - view for apps with no access
/mnt/runtime_read/foo - view for apps with read access
/mnt/runtime_write/foo - view for apps with write access
There is still a single location for all the backing files, and
filesystem permissions are derived the same way for each view, but
the file modes are masked off differently for each mountpoint.
During Zygote fork, it wires up the appropriate storage access into
an isolated mount namespace based on the current app permissions. When
the app is granted permissions dynamically at runtime, the system
asks vold to jump into the existing mount namespace and bind mount
the newly granted access model into place.
avc: denied { sys_chroot } for capability=18 scontext=u:r:vold:s0 tcontext=u:r:vold:s0 tclass=capability permissive=1
avc: denied { mounton } for path="/storage" dev="tmpfs" ino=4155 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir permissive=1
avc: denied { unmount } for scontext=u:r:zygote:s0 tcontext=u:object_r:tmpfs:s0 tclass=filesystem permissive=0
Bug: 21858077
Change-Id: Ie481d190c5e7a774fbf80fee6e39a980f382967e
Run idmap in its own domain rather than leaving it in installd's domain.
This prevents misuse of installd's permissions by idmap.
zygote also needs to run idmap. For now, just run it in zygote's
domain as it was previously since that is what is done for dex2oat
invocation by zygote. zygote appears to run idmap with system uid
while installd runs it with app UIDs, so using different domains
seems appropriate.
Remove system_file execute_no_trans from both installd and zygote;
this should no longer be needed with explicit labels for dex2oat and
idmap.
Change-Id: If47e2c1326b84c20e94a20f5e699300dce12bdfe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
In order to prevent this bug from happening, we must allow vold cryptfs
commands to complete while a long running mount is underway.
While waiting for vold to be changed to a binder interface, we will simply
create two listeners, one for cryptfs and one for everything else.
Bug: 19197175
Change-Id: I819f6a54c0a232826016823f2fde3adf7be31f9d
(cherry picked from commit 0d22c6cec6)
- Enable logpersistd to write to /data/misc/logd
- Enable logpersistd to read from pstore to help complete any content
lost by reboot disruption
- Enable shell read-only access to logpersistd files in /data/misc/logd
- Enable logcat -f, when placed into the logd context, to act as a
logpersistd (nee logcatd) agent, restricted to run only in
userdebug or eng
Bug: 19608716
Change-Id: I3209582bc796a1093c325c90068a48bf268e5ab5
/dev/rtc0 is not the only possible rtc device node, make sure all are given the
rtc_device label.
(cherry-pick of 1b4b3b918b)
Change-Id: Iea6e1271fb054ea7f44860724e04143875867d78
Define an explicit label for /proc/sys/vm/drop_caches and grant to
the various people who need it, including vold which uses it when
performing storage benchmarks.
Also let vold create new directories under its private storage area
where the benchmarks will be carried out. Mirror the definition of
the private storage area on expanded media.
avc: denied { write } for name="drop_caches" dev="proc" ino=20524 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0
Bug: 21172095
Change-Id: I300b1cdbd235ff60e64064d3ba6e5ea783baf23f
Files on the /oem partition are weird. The /oem partition is an ext4
partition, built in the Android tree using the "oem_image" build target
added in build/ commit b8888432f0bc0706d5e00e971dde3ac2e986f2af. Since
it's an ext4 image, it requires SELinux labels to be defined at build
time. However, the partition is mounted using context=u:object_r:oemfs:s0,
which ignores the labels on the filesystem.
Assign all the files on the /oem image to be oemfs, which is consistent
with how they'll be mounted when /oem is mounted.
Other options would be to use an "unlabeled" label, or try to fix the
build system to not require SELinux labels for /oem images.
(cherrypicked from commit 2025fd1476)
Bug: 20816563
Change-Id: Ibe8d9ff626eace8a2d5d02c3f06290105baa59fe
This reverts commit c450759e8e.
There was nothing wrong with this change originally --- the companion
change in init was broken.
Bug: http://b/19702273
Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387
Added permission to the SAP socket used to access the RIL daemon
Change-Id: Ifbfb764f0b8731e81fb3157955aa4fda6120d846
Signed-off-by: Casper Bonde <c.bonde@samsung.com>
On debuggable builds, system_server can request app heap dumps
by running something similar to the following commands:
% adb shell am set-watch-heap com.android.systemui 1048576
% adb shell dumpsys procstats --start-testing
which will dump the app's heap to /data/system/heapdump. See
framework/base commit b9a5e4ad30c9add140fd13491419ae66e947809d.
Allow this behavior.
Addresses the following denial:
avc: denied { write } for path="/data/system/heapdump/javaheap.bin" dev="dm-0" ino=150747 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
Bug: 20073185
Change-Id: I4b925033a5456867caf2697de6c2d683d0743540
Creates new directory at /data/misc/vold for storing key material
on internal storage. Only vold should have access to this label.
Change-Id: I7f2d1314ad3b2686e29e2037207ad83d2d3bf465
/odm has the same permissions as /system/... for devices with a
separate odm partition
Bug: 19609718
Change-Id: I6dd83d43c5fd8682248e79d11b0ca676030eadf0
/system/xbin/procrank is a setuid program run by adb shell on
userdebug / eng devices. Allow it to work without running adb root.
Bug: 18342188
Change-Id: I18d9f743e5588c26661eaa26e1b7e6980b15caf7
- allow access for /data/system/packages.xml.
- deprecate access to /dev/logd_debug (can use /dev/kmsg for debugging)
- allow access to /dev/socket/logd for 'logd --reinit'
Bug: 19681572
Change-Id: Iac57fff1aabc3b061ad2cc27969017797f8bef54
Allow bootchart to create directories and files at init;
also allow the user to create the stop and start files under the
/data/bootchart directory to start and stop bootchart.
Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
Used to record the Android log messages, then on reboot
provide a means to triage user-space activities leading
up to a panic. A companion to the pstore console logs.
Change-Id: I9b94ee3d5e94e0c4590ba8453b4ac1ebdfc7603f
The Nexus 9 uses f2fs for /data. Make sure to properly label
/system/bin/fsck.f2fs so that the appropriate domain transition occurs.
Add support for getattr on devpts, required for fsck.f2fs.
Addresses the following denials:
avc: denied { execute_no_trans } for pid=172 comm="init" path="/system/bin/fsck.f2fs" dev="dm-0" ino=272 scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=0
avc: denied { getattr } for pid=170 comm="fsck.f2fs" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:fsck:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1
Change-Id: I34b3f91374d1eb3fb4ba76abce14ff67db259f96
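Several of the commit messages above quote the raw `avc: denied` lines that motivated their rules (the vold/zygote storage denials, the drop_caches denial, the heapdump denial and the fsck.f2fs denials). The following is an added example, not code from the sepolicy repository or from any of these commits: an audit2allow-style script that parses those exact lines, collapses them into one allow rule per (source, target, class), and flags the two patterns the commits themselves treat with suspicion (execute_no_trans, which the fsck.f2fs commit answers with a domain transition rather than an allow, and self capability grants). The parser is a regex over the key=value fields and consults no loaded policy, so it cannot tell whether a generated rule would hit a neverallow; the review heuristics are this example's own.

```python
"""audit2allow-style reduction of 'avc: denied' lines to allow rules.

Added example for this page; not code from the sepolicy repository or the
commits above. The sample denials are the ones quoted in the commit messages;
the parser is a regex over key=value fields and does not load a policy."""
import re
from collections import defaultdict

# Denial lines copied from the commit messages on this page.
SAMPLE_DENIALS = [
    'avc: denied { sys_chroot } for capability=18 scontext=u:r:vold:s0 tcontext=u:r:vold:s0 tclass=capability permissive=1',
    'avc: denied { mounton } for path="/storage" dev="tmpfs" ino=4155 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir permissive=1',
    'avc: denied { unmount } for scontext=u:r:zygote:s0 tcontext=u:object_r:tmpfs:s0 tclass=filesystem permissive=0',
    'avc: denied { write } for name="drop_caches" dev="proc" ino=20524 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0',
    'avc: denied { write } for path="/data/system/heapdump/javaheap.bin" dev="dm-0" ino=150747 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0',
    'avc: denied { execute_no_trans } for pid=172 comm="init" path="/system/bin/fsck.f2fs" dev="dm-0" ino=272 scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=0',
    'avc: denied { getattr } for pid=170 comm="fsck.f2fs" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:fsck:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1',
]

DENIAL_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Type field of a context: u:r:vold:s0 -> vold,
    u:r:untrusted_app:s0:c512,c768 -> untrusted_app (MLS categories dropped)."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return parts[2]


def parse_denial(line):
    """Parse one avc line into a dict, or return None if it is not a denial."""
    m = DENIAL_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=1 means the access was logged but not actually blocked
        "enforced": fields.get("permissive") == "0",
        "path": fields.get("path") or fields.get("name"),
        "comm": fields.get("comm"),
    }


def allow_rules(lines):
    """Collapse denials into one allow rule per (source, target, class)."""
    perms = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d is not None:
            perms[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), p in sorted(perms.items()):
        target = "self" if src == tgt else tgt  # same-domain access is written as self
        body = next(iter(p)) if len(p) == 1 else "{ " + " ".join(sorted(p)) + " }"
        rules.append(f"allow {src} {target}:{cls} {body};")
    return rules


def review_flags(lines):
    """Heuristics (this example's own, not a tool's) for denials that should
    usually not be answered with a bare allow rule."""
    flags = []
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        if "execute_no_trans" in d["perms"]:
            flags.append(f"{d['source']} executes {d['path']} without a domain transition; "
                         "label the binary and add a transition instead")
        if d["tclass"] == "capability" and d["target"] == d["source"]:
            flags.append(f"{d['source']} wants capability {' '.join(d['perms'])}; justify before granting")
    return flags


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_DENIALS):
        print(rule)
    for flag in review_flags(SAMPLE_DENIALS):
        print("REVIEW:", flag)
```

Running it over the seven quoted denials yields seven rules, including `allow vold self:capability sys_chroot;` and `allow init system_file:file execute_no_trans;`, and the second of those is exactly the rule the fsck.f2fs commit chose not to add, labeling the binary for a transition into the fsck domain instead.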
Migrators should be allowed to write to /data/misc/keychain in order
to remove it. Similarly /data/misc/user should be writable by system
apps.
TODO: Revoke zygote's rights to read from /data/misc/keychain on
behalf of some preloaded security classes.
Bug: 17811821
Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547
Assign a more specific type than block_device to all
block devices created or accessed by vold. Allow vold
to set the context on the device nodes it creates.
vold can create extra loop devices (/dev/block/loopN) and
block devices for volumes it manages (/dev/block/vold/M:N).
vold can read/write device mapper block devices (/dev/block/dm-N)
created for encrypted volumes.
vold can read/write metadata partitions used to store encryption metadata.
The metadata_block_device type should be assigned in device-specific
policy to the partition specified by the encryptable= mount option
for the userdata entry in the fstab.<board> file.
This change does not remove the ability to create or read/write
generic block_device devices by vold, so it should not break anything.
It does add an auditallow statement on such accesses so that we can track
remaining cases where we need to label such device nodes so that we can
ultimately remove this access.
Change-Id: Id3bea28f5958086716cd3db055bea309b3b5fa5a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Remove the ability of init to execute programs from / or /system
without changing domains. This forces all helper programs and
services invoked by init to be assigned their own domain.
Introduce separate domains for running the helper programs
executed from the fs_mgr library by init. This requires a domain
for e2fsck (named fsck for generality) and a domain for running
mkswap (named toolbox since mkswap is just a symlink to the toolbox
binary and the domain transition occurs on executing the binary, not
based on the symlink in any way).
e2fsck is invoked on any partitions marked with the check mount
option in the fstab file, typically userdata and cache but never
system. We allow it to read/write the userdata_block_device and
cache_block_device types but also allow it to read/write the default
block_device type until we can get the more specific types assigned
in all of the device-specific policies.
mkswap is invoked on any swap partition defined in the fstab file.
We introduce a new swap_block_device type for this purpose, to be
assigned to any such block devices in the device-specific policies,
and only allow it to read/write such block devices. As there seem to be
no devices in AOSP with swap partitions in their fstab files, this does
not appear to risk any breakage for existing devices.
With the introduction of these domains, we can de-privilege init to
only having read access to block devices for mounting filesystems; it
no longer needs direct write access to such devices AFAICT.
To avoid breaking execution of toolbox by system services, apps, or the shell,
we allow all domains other than kernel and init the ability to
run toolbox in their own domain. This is broader than strictly required;
we could alternatively only add it to those domains that already had
x_file_perms to system_file but this would require a coordinated change
with device-specific policy.
Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
In order to support the new goldfish service domains in
a change with the same Change-Id for the build project, we need
the following changes in external/sepolicy:
- /system/bin/logcat needs its own type so that it can be used as an
entrypoint for the goldfish-logcat service. A neverallow rule prevents
us from allowing entrypoint to any type not in exec_type.
- The config. and dalvik. property namespaces need to be labeled
with something other than default_prop so that the qemu-props
service can set them. A neverallow rule prevents us from allowing
qemu-props to set default_prop.
We allow rx_file_perms to logcat_exec for any domain that
was previously allowed read_logd() as many programs will read
the logs by running logcat. We do not do this for all domains
as it would violate a neverallow rule on the kernel domain executing
any file without transitioning to another domain, and as we ultimately
want to apply the same restriction to the init domain (and possibly others).
Change-Id: Idce1fb5ed9680af84788ae69a5ace684c6663974
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
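Three of the commit messages above lean on neverallow rules as compile-time assertions: the nativetest commit (nobody executes those files on user builds, only shell on userdebug/eng), the init/fs_mgr commit (init and the kernel must not execute helpers without a domain transition), and the goldfish commit (which has to work around neverallows on entrypoint and on default_prop). The following is an added example, not code from the sepolicy repository or from any of these commits: a miniature checker for a subset of .te syntax that expands the userdebug_or_eng(`...') macro for a given build variant, resolves attributes and `{ a b -c }` sets to concrete types, and reports every allow rule that intersects a neverallow, which is what makes the policy build fail. The POLICY fragment is constructed to mirror the rules the commits describe and is not the repository's text; the macro is expanded with a regex rather than m4.

```python
"""Miniature neverallow checker for a subset of SELinux .te syntax.

Added example; not code from the sepolicy repository or the commits above.
It reproduces the compile-time assertion the commit messages rely on: if any
allow rule intersects a neverallow rule, the policy build fails. Supported
subset: 'attribute X;', 'type X, attr...;', allow/neverallow with
'{ a b -c }' sets, and the userdebug_or_eng(`...') macro expanded by regex.
POLICY is a constructed fragment mirroring the described rules, not the
repository's text."""
import re

POLICY = r"""
attribute domain;
attribute file_type;
type kernel, domain;
type init, domain;
type shell, domain;
type untrusted_app, domain;
type system_file, file_type;
type nativetest_data_file, file_type;

# Only shell may execute test binaries, and only on userdebug/eng builds.
userdebug_or_eng(`
allow shell nativetest_data_file:file { read execute };
')
neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file { execute execute_no_trans };

# Helpers run by the kernel or init must transition into their own domain.
neverallow { kernel init } file_type:file execute_no_trans;
"""

MACRO_RE = re.compile(r"userdebug_or_eng\(`(.*?)'\)", re.S)
ATTR_RE = re.compile(r"\battribute\s+(\w+)\s*;")
DECL_RE = re.compile(r"\btype\s+(\w+)((?:\s*,\s*\w+)*)\s*;")
RULE_RE = re.compile(
    r"\b(allow|neverallow)\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+?):(\w+)\s+(\{[^}]*\}|[^;\s]+)\s*;")


def expand_build_macros(text, variant):
    """Keep the macro body on userdebug/eng builds, drop it on user builds."""
    keep = variant in ("userdebug", "eng")
    return MACRO_RE.sub(lambda m: m.group(1) if keep else "", text)


def parse(text):
    """Return (attribute -> set of member types, list of rule tuples)."""
    text = re.sub(r"#.*", "", text)
    attrs = {a: set() for a in ATTR_RE.findall(text)}
    for name, attr_list in DECL_RE.findall(text):
        for attr in re.findall(r"\w+", attr_list):
            attrs.setdefault(attr, set()).add(name)
    rules = [(kind, src, tgt, cls, set(perms.strip("{} ").split()))
             for kind, src, tgt, cls, perms in RULE_RE.findall(text)]
    return attrs, rules


def resolve(expr, attrs):
    """Expand a type, attribute or '{ a b -c }' set into concrete types."""
    include, exclude = set(), set()
    for tok in expr.strip("{} ").split():
        if tok.startswith("-"):
            exclude |= attrs.get(tok[1:], {tok[1:]})
        else:
            include |= attrs.get(tok, {tok})
    return include - exclude


def check(policy_text, variant):
    """Describe every allow rule that intersects a neverallow (empty list = builds)."""
    attrs, rules = parse(expand_build_macros(policy_text, variant))
    allows = [r for r in rules if r[0] == "allow"]
    violations = []
    for _, nsrc, ntgt, ncls, nperms in (r for r in rules if r[0] == "neverallow"):
        for _, asrc, atgt, acls, aperms in allows:
            if acls != ncls:
                continue
            src = resolve(asrc, attrs) & resolve(nsrc, attrs)
            tgt = resolve(atgt, attrs) & resolve(ntgt, attrs)
            perms = aperms & nperms
            if src and tgt and perms:
                violations.append(
                    f"allow {' '.join(sorted(src))} {' '.join(sorted(tgt))}:{acls} "
                    f"{' '.join(sorted(perms))} violates neverallow {nsrc} {ntgt}:{ncls}")
    return violations


if __name__ == "__main__":
    for variant in ("user", "userdebug"):
        print(variant, check(POLICY, variant) or "OK")
    bad = POLICY + "allow untrusted_app nativetest_data_file:file execute;\n"
    print("bad userdebug", check(bad, "userdebug"))
```

On a user build the macro strips both the shell allow and the `-shell` exclusion, so the neverallow covers every domain and still passes because no allow remains; on userdebug the allow survives and shell is carved out of the neverallow's source set. Appending an allow for untrusted_app, or an `allow init system_file:file execute_no_trans;` of the kind the fs_mgr commit removed, produces a violation on every variant.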