Commit graph

1630 commits

Author SHA1 Message Date
Dan Cashman
044d20729b Remove neverallow preventing hwservice access for apps.
am: 3e307a4de5

Change-Id: Ic144d924948d7b8e73939806d761d27337dbebef
2017-06-21 21:38:19 +00:00
Dan Cashman
3e307a4de5 Remove neverallow preventing hwservice access for apps.
Same-process HALs are forbidden except for very specific HALs that have
been provided and whitelisted by AOSP.  As a result, a vendor extension
HAL may have a need to be accessed by untrusted_app.  This is still
discouraged, and the existing AOSP hwservices are still forbidden, but
remove the blanket prohibition.  Also indicate that this is temporary,
and that partners should expect to get exceptions to the rule into AOSP
in the future.

Bug: 62806062
Test: neverallow-only change builds.  Verify new attribute is in policy.
Change-Id: I6d3e659147d509a3503c2c9e0b6bb9016cc75832
2017-06-21 12:30:36 -07:00
Yabin Cui
330d447778 Allow run-as to read/write unix_stream_sockets created by adbd.
This is to allow commands like `adb shell run-as ...`.

Bug: http://b/62358246
Test: run commands manually.
Change-Id: I7bb6c79a6e27ff1224a80c6ddeffb7f27f492bb2
(cherry picked from commit 1847a38b4a)
2017-06-20 13:50:54 -07:00
Tom Cherry
0e6a3d87e9 Merge "Add getpgid to system_service and init" into oc-dr1-dev 2017-06-19 20:38:37 +00:00
Tom Cherry
d5f0aba025 Add getpgid to system_service and init
In libprocessgroup, we want to only send signals once to processes,
particularly for SIGTERM.  We must send the signal both to all
processes within a POSIX process group and a cgroup.  To ensure that
we do not duplicate the signals being sent, we check the processes in
the cgroup to see if they're in the POSIX process groups that we're
killing.  If they are, we skip sending a second signal.  This requires
getpgid permissions, hence this SELinux change.

avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1

Bug: 37853905
Bug: 62418791
Test: Boot, kill zygote, reboot
Change-Id: Ib6c265dbaac8833c47145ae28fb6594ca8545570
(cherry picked from commit c59eb4d853)
2017-06-19 11:26:48 -07:00
Dan Cashman
2f2fd36539 Merge "Add extraneous neverallow rule to enforce attribute inclusion." into oc-dev
am: b5aeaf6dfa

Change-Id: Ib0ac9cf10c7cb9fd2462e0036307e2552d19b93b
2017-06-16 20:46:00 +00:00
TreeHugger Robot
b5aeaf6dfa Merge "Add extraneous neverallow rule to enforce attribute inclusion." into oc-dev 2017-06-16 20:37:52 +00:00
Dan Cashman
939b50ff61 Add extraneous neverallow rule to enforce attribute inclusion.
Due to the massively increased number of attributes in SELinux policy
as part of the treble changes, we have had to remove attributes from
policy for performance reasons.  Unfortunately, some attributes are
required to be in policy to ensure that our neverallow rules are being
properly enforced.  Usually this is not a problem, since neverallow rules
indicate that an attribute should be kept, but this is not currently the
case when the attribute is part of a negation in a group.

This is particularly problematic with treble since some attributes may
exist for HALs that have no implementation, and thus no types.  In
particular, this has caused an issue with the neverallows added in our
macros.  Add an extraneous neverallow rule to each of those auto-generated
neverallow rules to make sure that they are not removed from policy, until
the policy compiler is fixed to avoid this.  Also add corresponding rules
for other types which have been removed due to no corresponding rules.

Bug: 62591065
Bug: 62658302
Test: Attributes present in policy and CTS passes.  sepolicy-analyze also
works on platform-only policy.
Change-Id: Ic3fc034cdbd04a94167f8240cf562297e8d7c762
2017-06-16 11:19:53 -07:00
Sandeep Patil
516d855524 radio: disallow radio and rild socket for treble devices
am: d3381cd9e6

Change-Id: I33215b5c9d894823f3928742a8712ef42d803156
2017-06-16 17:22:42 +00:00
Sandeep Patil
d3381cd9e6 radio: disallow radio and rild socket for treble devices
This violates the socket comms ban between coredomain (radio) and
non-coredomain (rild) in the platform policy.

Bug: 62616897
Bug: 62343727

Test: Build and boot sailfish

Change-Id: I48303bbd8b6eb62c120a551d0f584b9733fc2d43
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-06-14 09:42:21 -07:00
Jerry Zhang
6aa9869a41 Merge "Revert "Split mediaprovider from priv_app."" into oc-dr1-dev 2017-06-10 00:03:13 +00:00
Dan Cashman
96c619c826 DO NOT MERGE. Revert "Enable the TimeZoneManagerService"
This reverts commit 50889ce0eb.

Bug: 62427402
Test: Build and boot.
Change-Id: I32eae7997c901981d3228b61f33322a7c2c84301
2017-06-08 14:43:40 -07:00
Jerry Zhang
cb5129f9de Revert "Split mediaprovider from priv_app."
This reverts commit c147b592b8.

The new domain changed neverallows, breaking CTS compatibility.
Revert the domain now, with the intention to re-add for the next
release.

Bug: 62102757
Test: domain is set to priv_app
Change-Id: I907ff7c513cd642a306e3eaed3937352ced90005
2017-06-07 18:20:20 -07:00
Yabin Cui
1488647808 Allow run-as to read/write unix_stream_sockets created by adbd. am: 1847a38b4a am: 2394619394 am: 96df849f15
am: 690ab19801

Change-Id: I7e3c27dad722e2bd208281d74c475a39f91b04dc
2017-06-06 23:37:04 +00:00
Yabin Cui
690ab19801 Allow run-as to read/write unix_stream_sockets created by adbd. am: 1847a38b4a am: 2394619394
am: 96df849f15

Change-Id: I631667710b2998361b0e2db3f13f5fb7d2582420
2017-06-06 23:35:04 +00:00
Sandeep Patil
0a53f1d4fa Fix coredomain violation for modprobe
am: e41af20397

Change-Id: I586cf07d87339f83d66919871d1531e9b8d79c4e
2017-06-06 03:54:39 +00:00
Yabin Cui
1847a38b4a Allow run-as to read/write unix_stream_sockets created by adbd.
This is to allow commands like `adb shell run-as ...`.

Bug: http://b/62358246
Test: run commands manually.
Change-Id: I7bb6c79a6e27ff1224a80c6ddeffb7f27f492bb2
2017-06-05 18:20:42 -07:00
Josh Gao
748e257939 crash_dump_fallback: allow dumpstate:pipe_file write. am: 7aa085233a am: 7b19b08130 am: 9ff58c84a4
am: dde38d9b33

Change-Id: I8ad39a6ba69fa936f6522e29820127adc80798d5
2017-06-06 00:57:37 +00:00
Josh Gao
dde38d9b33 crash_dump_fallback: allow dumpstate:pipe_file write. am: 7aa085233a am: 7b19b08130
am: 9ff58c84a4

Change-Id: If0bc8e741af7cade57c76020db89516c1da69728
2017-06-06 00:43:51 +00:00
Josh Gao
715955b78a crash_dump_fallback: allow dumpstate:pipe_file write.
It appears that selinux requires the write permission to receive
a writable pipe from dumpstate, for unclear reasons. Add the permission
for now.

Bug: http://b/62297059
Test: dumpstate
Merged-In: I0f25682177115aacd5c2203ddc0008228b0380ad
Change-Id: I0f25682177115aacd5c2203ddc0008228b0380ad
(cherry picked from commit 7aa085233a)
2017-06-05 17:26:29 -07:00
Josh Gao
7aa085233a crash_dump_fallback: allow dumpstate:pipe_file write.
It appears that selinux requires the write permission to receive
a writable pipe from dumpstate, for unclear reasons. Add the permission
for now.

Bug: http://b/62297059
Test: dumpstate
Change-Id: I0f25682177115aacd5c2203ddc0008228b0380ad
2017-06-05 14:50:31 -07:00
Sandeep Patil
e41af20397 Fix coredomain violation for modprobe
modprobe domain was allowed to launch vendor toolbox even if it's a
coredomain. That violates the treble separation. Fix that by creating a
separate 'vendor_modprobe' domain that init is allowed to transition to
through vendor_toolbox.

Bug: 37008075
Test: Build and boot sailfish

Change-Id: Ic3331797691bb5d1fdc05a674aa4aa313e1f86b2
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 9e366a0e49)
2017-06-05 08:09:18 -07:00
TreeHugger Robot
abb8793b90 Merge changes from topic 'coredomain_compile_test'
* changes:
  Run Treble sepolicy tests at build time
  Fix coredomain violation for modprobe
2017-06-03 01:14:18 +00:00
Josh Gao
a1cb00cccc Merge "crash_dump_fallback: allow dumpstate:fd use." into oc-dev am: f378708c5c
am: dbf8d02804

Change-Id: Ic7504601de554becfefe1639b5f891079d24ff65
2017-06-03 00:11:08 +00:00
Josh Gao
dbf8d02804 Merge "crash_dump_fallback: allow dumpstate:fd use." into oc-dev
am: f378708c5c

Change-Id: Ia51ea7ccf0974ed1bacfea950571c6e10ed2b1bf
2017-06-03 00:07:22 +00:00
Josh Gao
f378708c5c Merge "crash_dump_fallback: allow dumpstate:fd use." into oc-dev 2017-06-03 00:01:38 +00:00
Sandeep Patil
9e366a0e49 Fix coredomain violation for modprobe
modprobe domain was allowed to launch vendor toolbox even if it's a
coredomain. That violates the treble separation. Fix that by creating a
separate 'vendor_modprobe' domain that init is allowed to transition to
through vendor_toolbox.

Bug: 37008075
Test: Build and boot sailfish

Change-Id: Ic3331797691bb5d1fdc05a674aa4aa313e1f86b2
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-06-02 16:11:52 -07:00
Josh Gao
2a00056a95 crash_dump_fallback: allow dumpstate:fd use.
Bug: http://b/62297059
Test: mma
Merged-In: Ibcd93e5554a9c2dd75fbfb42294fbc9b96ebc8cc
Change-Id: Ibcd93e5554a9c2dd75fbfb42294fbc9b96ebc8cc
(cherry picked from commit 17885f148d)
2017-06-02 15:04:29 -07:00
Josh Gao
17885f148d crash_dump_fallback: allow dumpstate:fd use.
Bug: http://b/62297059
Test: mma
Change-Id: Ibcd93e5554a9c2dd75fbfb42294fbc9b96ebc8cc
2017-06-02 14:43:27 -07:00
Andrew Scull
39a81fd517 Merge "Add missing sepolicies for OemLock HAL." into oc-dev
am: 60e4fd9dfa

Change-Id: I1628907aeb743c3cb0938e7993237206523fdeb5
2017-06-01 22:22:03 +00:00
Andrew Scull
e8d4bec783 Merge "Add missing sepolicies for the Weaver HAL." into oc-dev
am: cd26745098

Change-Id: I20479829d542df345275c0c2b4512788a30fba4c
2017-06-01 22:21:48 +00:00
TreeHugger Robot
60e4fd9dfa Merge "Add missing sepolicies for OemLock HAL." into oc-dev 2017-06-01 22:05:18 +00:00
TreeHugger Robot
cd26745098 Merge "Add missing sepolicies for the Weaver HAL." into oc-dev 2017-06-01 22:05:15 +00:00
Neil Fuller
911e236ae4 resolve merge conflicts of e664e80a to oc-dev-plus-aosp
Test: I solemnly swear I tested this conflict resolution.
Change-Id: Icadf7c72ad173c134d3e95bb5b93c2b54b1b703e
2017-06-01 20:46:48 +01:00
Steve Muckle
f64e4df3ec Merge "allow modprobe to load signed kernel modules" into oc-dev am: fc1d8d991e
am: 06a4b61b7a

Change-Id: I50d8c90eaba6161e839ceb9fc87a41540e15eead
2017-06-01 19:29:01 +00:00
Steve Muckle
06a4b61b7a Merge "allow modprobe to load signed kernel modules" into oc-dev
am: fc1d8d991e

Change-Id: Id41f7097fd0a48739293d4f8f06f296d0f189684
2017-06-01 19:24:47 +00:00
TreeHugger Robot
fc1d8d991e Merge "allow modprobe to load signed kernel modules" into oc-dev 2017-06-01 19:16:34 +00:00
Andrew Scull
b17b763711 Allow bootctl HAL to access misc block device. am: b0d59450ae
am: 7c4f46b5c1

Change-Id: I88aa64b8847456f66310d632ee86929a76dfaf7b
2017-06-01 18:59:29 +00:00
Andrew Scull
7c4f46b5c1 Allow bootctl HAL to access misc block device.
am: b0d59450ae

Change-Id: If85613b84aecf43b0519bb933d925eb1829e3d5e
2017-06-01 18:39:31 +00:00
Steve Muckle
53add31a25 allow modprobe to load signed kernel modules
Modprobe requires this permission or the following denial will
prevent loading of signed kernel modules:

audit: type=1400 audit(27331649.656:4): avc:  denied  { search } for
pid=448 comm="modprobe" scontext=u:r:modprobe:s0 tcontext=u:r:kernel:s0
tclass=key permissive=0

Bug: 62256697
Test: Verified signed module loading on sailfish.
Change-Id: Idde41d1ab58e760398190d6686665a252f1823bb
2017-06-01 10:06:21 -07:00
Treehugger Robot
34b4b73729 Merge "Enable the TimeZoneManagerService" 2017-06-01 17:02:37 +00:00
Neil Fuller
ca595e1163 Enable the TimeZoneManagerService
Add policy changes to enable a new service. The service
is currently switched off in config, but this change is
needed before it could be enabled.

Bug: 31008728
Test: make droid
Merged-In: I29c4509304978afb2187fe2e7f401144c6c3b4c6
Change-Id: I29c4509304978afb2187fe2e7f401144c6c3b4c6
2017-06-01 15:56:43 +00:00
Neil Fuller
50889ce0eb Enable the TimeZoneManagerService
Add policy changes to enable a new service. The service
is currently switched off in config, but this change is
needed before it could be enabled.

Bug: 31008728
Test: make droid
Change-Id: I29c4509304978afb2187fe2e7f401144c6c3b4c6
2017-05-31 16:18:43 +01:00
Andrew Scull
b0d59450ae Allow bootctl HAL to access misc block device.
This is sometimes used for communication with the bootloader.

Bug: 62052545
Test: Build
Change-Id: I3ae37793407719e55ab0830129aa569c9018f7da
2017-05-31 16:00:28 +01:00
Andrew Scull
475954dad5 Add missing sepolicies for OemLock HAL.
Bug: 38232801
Test: Build

Change-Id: Iccc16430e7502bb317f95bb2a5e2f021d8239a00
2017-05-31 15:22:05 +01:00
Andrew Scull
a939c4324c Add missing sepolicies for the Weaver HAL.
Bug: 38233550
Test: Build
Change-Id: I7c2105d5f215a60a611110640afff25fc3403559
2017-05-31 15:17:11 +01:00
Narayan Kamath
f194aad208 SEPolicy: Changes for new stack dumping scheme.
Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.

Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.

Bug: 32064548
Test: Manual

(cherry picked from commit a8832dabc7f3b7b2381760d2b95f81abf78db709)

(cherry picked from commit 11bfcc1e96)

Change-Id: Icc60d227331c8eee70a9389ff1e7e78772f37e6f
2017-05-31 10:01:48 +00:00
Narayan Kamath
e628cb5b2d SEPolicy: Changes for new stack dumping scheme.
Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.

Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.

Bug: 32064548
Test: Manual

Merged-In: I70a3e6e230268d12b454e849fa88418082269c4f
Change-Id: Ib4b73fc130f4993c44d96c8d68f61b6d9bb2c7d5
2017-05-31 08:54:37 +01:00
Narayan Kamath
11bfcc1e96 SEPolicy: Changes for new stack dumping scheme.
Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.

Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.

Bug: 32064548
Test: Manual

(cherry picked from commit a8832dabc7f3b7b2381760d2b95f81abf78db709)

Change-Id: I70a3e6e230268d12b454e849fa88418082269c4f
2017-05-30 18:16:38 +01:00
TreeHugger Robot
53a1121504 Merge "Force expand all hal_* attributes" 2017-05-26 17:50:36 +00:00