Commit graph

36 commits

Author SHA1 Message Date
Inseob Kim
09b27c7109 Add "DO NOT ADD statements" comments to public
For visibility

Bug: 232023812
Test: N/A
Change-Id: I0bc6dc568210b81ba1f52acb18afd4bcc454ea1c
2024-03-28 11:27:43 +09:00
Inseob Kim
75806ef3c5 Minimize public policy
Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.

Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
           <(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
      to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
2024-03-28 00:33:46 +00:00
Tri Vo
4bb2d30701 Remove RemoteProvisioner and remoteprovisioning services
Bug: 273325840
Test: keystore2_test
Change-Id: I295ccdda5a3d87b568098fdf97b0ca5923e378bf
2023-03-14 15:45:35 -07:00
Seth Moore
3accea479a Add permissions for remote_provisioning service
Bug: 254112668
Test: manual + presubmit
Change-Id: I54d56c34ad4a8199b8aa005742faf9e1e12583c3
2022-12-06 08:46:20 -08:00
Paul Crowley
283aef2860 Add ro.keystore.boot_level_key.strategy
Bug: 241241178
Test: set property on Cuttlefish, check logs for strategy used.
Change-Id: Ifaaec811316c43fdae232f9a08c5d862011ccc71
2022-08-24 21:38:36 -07:00
Seth Moore
a75cad0d0a Add remotely provisioned key pool se policy
Keystore now hosts a native binder for the remotely provisioned key
pool, which is used to services such as credstore to lookup remotely
provisioned keys.

Add a new service context and include it in the keystore services.

Add a dependency on this new service for credstore. Also include a
credstore dependency on IRemotelyProvisionedComponent, as it's needed
to make use of the key pool.

Bug: 194696876
Test: CtsIdentityTestCases
Change-Id: I0fa71c5be79922a279eb1056305bbd3e8078116e
2022-02-02 15:07:26 -08:00
Janis Danisevskis
2a10f4f10c Allow keystore to read vendor security patch level.
The software KeyMint implementation used by km_compat needs to read the
vendor security patch level.

Bug: 189973657
Test: Android S GSI starts on rvc-vendor based devices.
      Also keystore2_km_compat_tests
Change-Id: I405d6a2b30fa2780321a3e209035c8f8283f5365
2021-11-02 09:03:19 -07:00
Hasini Gunasinghe
4334d35f01 Add keystore permission for metrics re-routing.
Keystore2 atoms need to be rounted to statsd via a proxy.
The proxy needs to have this permission in order to pull metrics from
keystore.

Ignore-AOSP-First: No mergepath to AOSP.
Bug: 188590587
Test: Statsd Testdrive script
Change-Id: Ic94f4bb19a08b6300cfd2d3ed09b31d5b7081bfd
Merged-In: Ic94f4bb19a08b6300cfd2d3ed09b31d5b7081bfd
(cherry picked from commit 61d07e7ce0)
2021-06-30 17:02:14 -07:00
Janis Danisevskis
4678660d83 Rename vpnprofilestore to legacykeystore.
Bug: 191373871
Test: N/A
Merged-In: I3f11827909bd37a2127069de82670776a8e192b3
Change-Id: I3f11827909bd37a2127069de82670776a8e192b3
2021-06-30 12:40:39 -07:00
Max Bires
f09391624a Allowing userdebug/eng builds crash dump access to ks
This will make debugging of keystore issues in dogfood populations much
easier than it previously was, as developers will have detailed crash
dump reporting on any issues that do occur.

Bug: 186868271
Bug: 184006658
Test: crash dumps appear if keystore2 explodes
Change-Id: Ifb36cbf96eb063c9290905178b2fdc5934050b99
2021-04-30 18:50:54 +00:00
Janis Danisevskis
f3fe4cfc06 Keystore 2.0: Rename KeystoreUserManager to KeystoreMaintenance
Test: N/A
Change-Id: I40c07e40cb0a852814058fe89d57c44ea85f1994
2021-03-09 14:35:16 -08:00
Janis Danisevskis
291bc98a36 Keystore 2.0: Add policy for vpnprofilestore
Test: N/A
Change-Id: Iba6ca7be95dfcead8ce8ee17d6a6d78a5441d58f
2021-02-23 13:24:52 -08:00
Janis Danisevskis
1aad552cfd Merge "Keystore 2.0: Add permissions and policy for user manager AIDL." 2021-02-18 23:00:29 +00:00
Hasini Gunasinghe
685ca0c888 Keystore 2.0: Add permissions and policy for user manager AIDL.
Bug: 176123105
Test: User can set a password and unlock the phone.
Change-Id: I96c033328eb360413e82e82c0c69210dea2ddac9
2021-02-17 08:55:31 -08:00
Marco Ballesio
aa4ce95c6f sepolicy: rules for uid/pid cgroups v2 hierarchy
Bug: 168907513
Test: verified the correct working of the v2 uid/pid hierarchy in normal
and recovery modes

This reverts commit aa8bb3a29b.

Change-Id: Ib344d500ea49b86e862e223ab58a16601eebef47
2021-02-11 23:40:38 +00:00
Max Bires
23f0f3b28a SEPolicy for RemoteProvisioning App
This change adds the SEPolicy changes required to support the remote
provisioning flow. The notable additions are specifically labeling the
remote provisioning app and giving it access to find the remote
provisioning service which is added in keystore. It also requires
network access in order to communicate to the provisioning servers.

This functionality is extremely narrow to the point that it seems worth
it to define a separate domain for this app, rather than add this in to
the priv_app or platform_app permission files. Since this app also
communicates with the network, it also seems advantageous to limit its
permissions only to what is absolutely necessary to perform its
function.

Test: No denials!
Change-Id: I602c12365a575d914afc91f55e6a9b6aa2e14189
2021-02-08 01:33:12 -08:00
Marco Ballesio
aa8bb3a29b Revert^3 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
a54bed6907

Bug: 151660495
Test: verified proper boot in regular mode and proper working of adb in
recovery

Change-Id: Id70d27a6162af6ede94661005d80a2a780057089
2021-02-04 22:33:14 +00:00
Marco Ballesio
a54bed6907 Revert^2 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
51c04ac27b

Change-Id: Idc35a84b5faabfb9bdd7a7693f51b11938eb0489
2021-01-27 06:07:48 +00:00
Hasini Gunasinghe
1a5c2f4ced Add policy for IKeystoreAuthorization AIDL service.
The interaface now provided by IKeystoreAuthorization AIDL interface was
previously provided by Keystore AIDL interface.

This CL adds policy to allow Keystore2 to register
IKeystoreAuthorization aidl service and to allow service manager to
look up and connect to the service.

Bug: 159475191
Test: Needs to be tested in runtime
Change-Id: I56829a8764e0efe55efdc92b75d7a3d918a20dae
2021-01-15 09:43:22 -08:00
Janis Danisevskis
191940036b Add policy for the security compatibility hal service.
This service manager is registered by Keystore 2.0 to lookup legacy
wrapper services.

Keystore 2.0 is now written in rust. We have AIDL binding for rust but
no HIDL binding. Keystore 2.0 has to support legacy HIDL based
interfaces. So we implement the AIDL KeyMint interface in terms of the
legacy HIDL Keymaster <=  V4.1 devices in C++. This wrapper is linked
into the Keystore 2.0 process but it cannot be called directly but must
be treated like a remote binder instead. However, we cannot register
these wrappers directly, because a) we are not a vendor component, and
b) it would conflict with genuine KeyMint devices on newer devices. So
Instead we register Keystore 2.0 itself as a legacy service provider.
Which it can query itself for the legacy wrappers if it does not find
a genuine KeyMint implementation to connect to.

Bug: 171351607
Test: Keystore 2.0 can register this Service and lookup legacy wrapper
      services.
Change-Id: I935f23837721ce126531236f4920dba469a47be4
2020-12-15 08:23:52 -08:00
Janis Danisevskis
d5ad76b0c4 Add policy for the android protected confirmation service.
This is the service offered by Keystore 2.0 to provide APC service to
application. It was formerly part of the IKeystoreService interface.
Not it is an interface in ints own right.

Test: Keystore 2.0 can register the apc service interface.
      Apps can lookup and call this interface.
Bug: 159341464
Change-Id: I058adf0021d9b89f4eac7534e366c29071f0f98b
2020-12-10 10:58:11 -08:00
Jonglin Lee
51c04ac27b Revert "sepolicy: rules for uid/pid cgroups v2 hierarchy"
Revert submission 1511692-cgroup v2 uid/pid hierarchy

Reason for revert: Causing intermittent cgroup kernel panics
Reverted Changes:
I80c2a069b:sepolicy: rules for uid/pid cgroups v2 hierarchy
I73f3e767d:libprocessgroup: uid/pid hierarchy for cgroup v2

Bug: 174776875
Change-Id: I63a03bb43d87c9aa564b1436a45fd5ec023aac87
Test: Locally reverted and booted 100 times without kernel panic
2020-12-04 03:12:59 +00:00
Marco Ballesio
f46d7a26c1 sepolicy: rules for uid/pid cgroups v2 hierarchy
the cgroups v2 uid/gid hierarchy will replace cgroup for all sepolicy
rules. For this reason, old rules have to be duplicated to cgroup_v2,
plus some rules must be added to allow the ownership change for cgroup
files created by init and zygote.

Test: booted device, verified correct access from init, system_server
and zygote to the uid/pid cgroup files

Change-Id: I80c2a069b0fb409b442e1160148ddc48e31d6809
2020-11-30 11:46:14 -08:00
Janis Danisevskis
c40681f1b5 Add libselinux keystore_key backend.
We add a new back end for SELinux based keystore2_key namespaces.
This patch adds the rump policy and build system infrastructure
for installing keystore2_key context files on the target devices.

Bug: 158500146
Bug: 159466840
Test: None
Change-Id: I423c9e68ad259926e4a315d052dfda97fa502106
Merged-In: I423c9e68ad259926e4a315d052dfda97fa502106
2020-08-05 16:11:48 +00:00
Sunil Ravi
d8843d1c2e sepolicy(wifi): Allow keystore-wificond communication
Denial log:
1. 10-30 11:02:50.279  wifi  1119  1119 W HwBinder:1119_1:
type=1400 audit(0.0:113): avc: denied { transfer } for
scontext=u:r:wificond:s0 tcontext=u:r:keystore:s0
tclass=binder permissive=0

2. 01-15 16:24:04.214 W/keystore( 1007): type=1400
audit(0.0:109): avc: denied { call } for
scontext=u:r:keystore:s0 tcontext=u:r:wificond:s0
tclass=binder permissive=0

3. 01-16 12:11:19.704 W/keystore( 1021): type=1400
audit(0.0:163): avc: denied { transfer } for
scontext=u:r:keystore:s0 tcontext=u:r:wificond:s0
tclass=binder permissive=0

Bug: 143638513
Bug: 145310496
Test: Installed CA and wifi certificates and connects
to enterprise network.
No selinux denial seen from wificond and keystore.

Change-Id: I9727add13844b1ff1875e493b777e3a294e00ffa
2020-01-17 21:14:25 +00:00
Nick Kralevich
5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00
Max Bires
d2d91e60de Adding ability for keystore to find dropbox
This will allow the logging in keystore to actually work.

Bug: 36549319
Test: keystore dropbox logging is successful
Change-Id: Ic135fa9624c289c54187e946affbd0caacef13c1
(cherry picked from commit 2e69afc079)
2018-04-26 16:14:24 +00:00
Jeff Vander Stoep
76aab82cb3 Move domain_deprecated into private policy
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
2017-05-15 13:37:59 -07:00
Alex Klyubin
53656c1742 Restrict access to hwservicemanager
This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494f1)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-21 09:54:53 -07:00
Alex Klyubin
9a14704f62 Wifi Keystore HAL is not a HAL
Wifi Keystore HAL is a HwBinder service (currently offered by keystore
daemon) which is used by Wifi Supplicant HAL. This commit thus
switches the SELinux policy of Wifi Keystore HAL to the approach used
for non-HAL HwBinder services.

The basic idea is simimilar to how we express Binder services in the
policy, with two tweaks: (1) we don't have 'hwservicemanager find' and
thus there's no add_hwservice macro, and (2) we need loosen the
coupling between core and vendor components. For example, it should be
possible to move a HwBinder service offered by a core component into
another core component, without having to update the SELinux policy of
the vendor image. We thus annotate all components offering HwBinder
service x across the core-vendor boundary with x_server, which enables
the policy of clients to contain rules of the form:
binder_call(mydomain, x_server), and, if the service uses IPC
callbacks, also binder_call(x_server, mydomain).

Test: mmm system/sepolicy
Test: sesearch indicates to changes to binder { call transfer} between
      keystore and hal_wifi_supplicant_default domains
Bug: 36896667

Change-Id: I45c4ce8159b63869d7bb6df5c812c5291776d892
2017-04-04 15:04:05 -07:00
Roshan Pius
9af7c95f86 sepolicy: Add new wifi keystore HAL
Moving the wpa_supplicant interaction from the binder keystore service
to the new wifi keystore HAL.

Denials addressed:
03-29 00:04:52.075   734   734 E SELinux : avc:  denied  { get } for
pid=638 uid=1010 scontext=u:r:hal_wifi_keystore_default:s0
tcontext=u:r:keystore:s0 tclass=keystore_key

Bug: 34603782
Test: Able to connect to wifi passpoint networks. Denials no longer
seen.
Change-Id: I97eb9a4aa9968056a2f1fcc7ce5509ceb62fd41e
2017-03-29 14:07:36 -07:00
Alex Klyubin
f7543d27b8 Switch Keymaster HAL policy to _client/_server
This switches Keymaster HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Keymaster HAL.

Domains which are clients of Keymaster HAL, such as keystore and vold
domains, are granted rules targeting hal_keymaster only when the
Keymaster HAL runs in passthrough mode (i.e., inside the client's
process). When the HAL runs in binderized mode (i.e., in another
process/domain, with clients talking to the HAL over HwBinder IPC),
rules targeting hal_keymaster are not granted to client domains.

Domains which offer a binderized implementation of Keymaster HAL, such
as hal_keymaster_default domain, are always granted rules targeting
hal_keymaster.

Test: Password-protected sailfish boots up and lock screen unlocks --
      this exercises vold -> Keymaster HAL interaction
Test: All Android Keystore CTS tests pass -- this exercises keystore ->
      Keymaster HAL interaction:
      make cts cts-tradefed
      cts-tradefed run singleCommand cts --skip-device-info \
      --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
      --module CtsKeystoreTestCases
Bug: 34170079

Change-Id: I2254d0fdee72145721654d6c9e6e8d3331920ec7
2017-02-22 20:18:28 -08:00
Jeff Vander Stoep
a1b4560088 Remove logspam
Grant observed uses of permissions being audited in domain_deprecated.

fsck
avc: granted { getattr } for path="/" dev="dm-0" ino=2 scontext=u:r:fsck:s0 tcontext=u:object_r:rootfs:s0 tclass=dir

keystore
avc: granted { read open } for path="/vendor/lib64/hw" dev="dm-1" ino=168 scontext=u:r:keystore:s0 tcontext=u:object_r:system_file:s0 tclass=dir

sdcardd
avc: granted { read open } for path="/proc/filesystems" dev="proc" ino=4026532412 scontext=u:r:sdcardd:s0 tcontext=u:object_r:proc:s0 tclass=file

update_engine
avc: granted { getattr } for path="/proc/misc" dev="proc" ino=4026532139 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for path="/proc/misc" dev="proc" ino=4026532139 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read } for name="hw" dev="dm-1" ino=168 scontext=u:r:update_engine:s0 tcontext=u:object_r:system_file:s0 tclass=dir

vold
avc: granted { read open } for path="/vendor/lib64/hw" dev="dm-1" ino=168 scontext=u:r:vold:s0 tcontext=u:object_r:system_file:s0 tclass=dir

Test: Marlin builds and boots, avc granted messages no longer observed.
Bug: 35197529
Change-Id: Iae34ae3b9e22ba7550cf7d45dc011ab043e63424
2017-02-10 12:06:38 -08:00
Janis Danisevskis
e8acd7695b Preliminary policy for hal_keymaster (TREBLE)
This adds the premissions required for
android.hardware.keymaster@2.0-service to access the keymaster TA
as well as for keystore and vold to lookup and use
android.hardware.keymaster@2.0-service.

IT DOES NOT remove the privileges from keystore and vold to access
the keymaster TA directly.

Test: Run keystore CTS tests
Bug: 32020919

(cherry picked from commit 5090d6f324)

Change-Id: Ib02682da26e2dbcabd81bc23169f9bd0e832eb19
2017-01-27 15:02:57 -08:00
William Roberts
606d2fd665 te_macros: introduce add_service() macro
Introduce the add_service() macro which wraps up add/find
permissions for the source domain with a neverallow preventing
others from adding it. Only a particular domain should
add a particular service.

Use the add_service() macro to automatically add a neverallow
that prevents other domains from adding the service.

mediadrmserver was adding services labeled mediaserver_service.
Drop the add permission as it should just need the find
permission.

Additionally, the macro adds the { add find } permission which
causes some existing neverallow's to assert. Adjust those
neverallow's so "self" can always find.

Test: compile and run on hikey and emulator. No new denials were
found, and all services, where applicable, seem to be running OK.

Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-01-26 04:43:16 +00:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00
Renamed from keystore.te (Browse further)