Commit graph

12 commits

Author SHA1 Message Date
Pavel Maltsev
4cafae77a4 Allow to use sockets from hal server for auto
Add an exemption to neverallow rule to use sockets from HAL servers only
for automotive build

Bug: 78901167
Test: assign this attribute to hal_vehicle_default and try to open
socket from HAL implementation
Test: verify that new CTS test will fail for non-automotive build with
this attribute buing used
Test: make cts && cts-tradefed run singleCommand cts --skip-device-info
 --skip-preconditions --abi arm64-v8a --module CtsSecurityHostTestCases
 -t android.security.cts.SELinuxHostTest

Change-Id: I27976443dad4fc5b7425c089512cac65bb54d6d9
2018-05-14 14:36:19 -07:00
Amit Mahajan
312248ff72 Revert "Revert "Move rild from public to vendor.""
This reverts commit 016f0a58a9.

Reason for revert: Was temporarily reverted, merging back in with fix.

Bug: 74486619
Bug: 36427227
Change-Id: Ide68726a90d5485c2758673079427407aee1e4f2
2018-03-12 17:12:53 +00:00
Jeffrey Vander Stoep
016f0a58a9 Revert "Move rild from public to vendor."
This reverts commit eeda6c6106.

Reason for revert: broken presubmit tests

Bug: 74486619
Change-Id: I103c3faa1604fddc27b3b4602b587f2d733827b1
2018-03-11 20:46:50 +00:00
Amit Mahajan
eeda6c6106 Move rild from public to vendor.
Also change the neverallow exceptions to be for hal_telephony_server
instead of rild.

Test: Basic telephony sanity, treehugger
Bug: 36427227
Change-Id: If892b28416d98ca1f9c241c5fcec70fbae35c82e
2018-03-08 12:50:13 -08:00
Roshan Pius
5bca3e860d sepolicy(hostapd): Add a HIDL interface for hostapd
Change sepolicy permissions to now classify hostapd as a HAL exposing
HIDL interface.

Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd:
12-27 23:40:55.913  4952  4952 W hostapd : type=1400 audit(0.0:19): avc:
denied { write } for name="hostapd" dev="sda13" ino=4587601
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

01-02 19:07:16.938  5791  5791 W hostapd : type=1400 audit(0.0:31): avc:
denied { search } for name="net" dev="sysfs" ino=30521
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0

Bug: 36646171
Test: Device boots up and able to turn on SoftAp.
Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947
2018-01-12 14:05:38 -08:00
Benjamin Gordon
9b2e0cbeea sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-21 08:34:32 -07:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Jeff Vander Stoep
c75aa50d5d Add another extraneous neverallow rule to force attribute inclusion
Due to the massively increased number of attributes in SELinux policy
as part of the treble changes, we have had to remove attributes from
policy for performance reasons.  Unfortunately, some attributes are
required to be in policy to ensure that our neverallow rules are being
properly enforced.  Usually this is not a problem, since neverallow rules
indicate that an attribute should be kept, but this is not currently the
case when the attribute is part of a negation in a group.

This is particularly problematic with treble since some attributes may
exist for HALs that have no implementation, and thus no types.  In
particular, this has caused an issue with the neverallows added in our
macros.  Add an extraneous neverallow rule to each of those auto-generated
neverallow rules to make sure that they are not removed from policy, until
the policy compiler is fixed to avoid this.  Also add corresponding rules
for other types which have been removed due to no corresponding rules.

Bug: 62658302
Bug: 62999603
Test: Build Marlin policy.
Test: verify attribute exists in policy using sepolicy-analyze.
    sepolicy-analyze $OUT/vendor/etc/selinux/precompiled_sepolicy \
    attribute hal_tetheroffload_server
Test: CTS neverallow tests pass.
    cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest
Change-Id: I62596ba8198ffdcbb4315df639a834e4becaf249
2017-06-26 10:32:18 -07:00
Jeff Vander Stoep
d75a2c0cc8 Exempt tetheroffload hal from network socket restrictions
The tetheroffload hal must be able to use network sockets as part of
its job.

Bug: 62870833
Test: neverallow-only change builds.
Change-Id: I630b36340796a5ecb5db08e732b0978dd82835c7
2017-06-21 12:46:21 -07:00
Wyatt Riley
799c23490d Removing UDP access for hal_gnss
Underlying data services setup no longer needs this

Bug: 35757613
Bug: 36085168
Test: GPS, XTRA & avc denial checks
Change-Id: I679ee70f65f34d5a7d1fc1f1fe92af6a92ec92c5
2017-05-18 13:55:51 -07:00
Jeff Vander Stoep
84b96a6b68 Enforce one HAL per domain.
HALs are intended to be limited responsibility and thus limited
permission. In order to enforce this, place limitations on:
1. What processes may transition into a HAL - currently only init
2. What methods may be used to transition into a HAL - no using
   seclabel
3. When HALs exec - only allow exec with a domain transition.

Bug: 36376258
Test: Build aosp_marlin, aosp_bullhead, aosp_dragon. Neverallow rules
      are compile time assertions, so building is a sufficient test.

Change-Id: If4df19ced730324cf1079f7a86ceba7c71374131
2017-03-21 12:16:31 -07:00
Jeff Vander Stoep
f9be765d66 Restrict HAL network access to HALS that manage network hardware
Only HALs that manage networks need network capabilities and network
sockets.

Test: aosp_marlin and aosp_bullhead policy builds. Note: neverallow
      rules are compile time assertions and do not change the
      on-device policy.
Bug: 36185625

Change-Id: Id64846eac24cf72ed91ce775cecb2c75f11b78df
2017-03-13 21:35:48 -07:00