Commit graph

18 commits

Author SHA1 Message Date
Chenbo Feng
08f92f9c01 sepolicy: New sepolicy classes and rules about bpf object
Add the new classes for eBPF map and program to limit the access to eBPF
object. Add corresponding rules to allow netd module initialize bpf
programs and maps, use the program and read/wirte to eBPF maps.

Test: no bpf sepolicy violations when device boot
Change-Id: I63c35cd60f1972d4fb36ef2408da8d5f2246f7fd
2018-01-02 11:52:33 -08:00
Stephen Smalley
9fbc408f93 sepolicy: Define validate_trans permission
am: 509923116f

Change-Id: Ia24ef33e8cdbee7c3336fda2a5c0ec0e4ca751f0
2017-07-13 17:04:15 +00:00
Stephen Smalley
90f46dd922 Merge "sepolicy: Define and allow map permission"
am: 770214abda

Change-Id: I253dad49662831625a17162b18f013e0b4a87af4
2017-07-13 17:04:02 +00:00
Stephen Smalley
509923116f sepolicy: Define validate_trans permission
Kernel commit f9df6458218f4fe ("selinux: export validatetrans
decisions") introduced a /sys/fs/selinux/validatetrans pseudo file
for use by userspace file system servers and defined a new validatetrans
permission to control its use.

Define the new permission in the Android SELinux policy.
This change only defines the new permission; it does not allow it
to any domains by default.

This avoids a kernel message warning about the undefined permission on
the policy load, ala:
SELinux:  Permission validate_trans in class security not defined in policy.

Test: Policy builds

Change-Id: Ib922a83b7d8f94905207663a72f7a1bc3db8d2c2
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-13 16:57:27 +00:00
Stephen Smalley
4397f08288 sepolicy: Define and allow map permission
Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap")
added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation).  The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific files
for which we need to ensure that every access is revalidated, particularly
useful for scenarios where we expect the file to be relabeled at runtime
in order to reflect state changes (e.g. cross-domain solution, assured
pipeline without data copying).  The kernel commit is anticipated to
be included in Linux 4.13.

This change defines map permission for the Android policy.  It mirrors
the definition in the kernel classmap by adding it to the common
definitions for files and sockets.  This will break compatibility for
kernels that predate the dynamic class/perm mapping support (< 2.6.33);
on such kernels, one would instead need to add map permission
to the end of each file and socket access vector.

This change also adds map permission to the global macro definitions for
file permissions, thereby allowing it in any allow rule that uses these
macros, and to specific rules allowing mapping of files from /system
and executable types. This should cover most cases where it is needed,
although it may still need to be added to specific allow rules when the
global macros are not used.

Test: Policy builds

Change-Id: Iab3ccd2b6587618e68ecab58218838749fe5e7f5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-10 16:31:23 -04:00
Stephen Smalley
52909aca44 Define smc_socket security class.
am: 2be9799bcc

Change-Id: If42bc0d3fc50db8294c8a9fd083d915b8e47a95e
2017-06-26 22:02:28 +00:00
Stephen Smalley
a77096b02a Merge "Define getrlimit permission for class process"
am: e02e0ad1cc

Change-Id: I67eea67d667005d5ac357e1131a319ed57b33894
2017-06-26 22:02:12 +00:00
Stephen Smalley
2be9799bcc Define smc_socket security class.
Linux kernel commit da69a5306ab9 ("selinux: support distinctions among all
network address families") triggers a build error if a new address family
is added without defining a corresponding SELinux security class.  As a
result, the smc_socket class was added to the kernel to resolve a build
failure as part of merge commit 3051bf36c25d that introduced AF_SMC circa
Linux 4.11.  Define this security class and its access vector, add
it to the socket_class_set macro, and exclude it from webview_zygote
like other socket classes.

Test:  Policy builds

Change-Id: Idbb8139bb09c6d1c47f1a76bd10f4ce1e9d939cb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-26 21:44:58 +00:00
Stephen Smalley
91a3eeac8f Define getrlimit permission for class process
This permission was added to the kernel in commit 791ec491c372
("prlimit,security,selinux: add a security hook for prlimit")
circa Linux 4.12 in order to control the ability to get the resource
limits of another process.  It is only checked when acting on another
process, so it is not required for getrlimit(2), only for prlimit(2)
on another process.

Test:  Policy builds

Change-Id: Ic0079a341e959f1c5a3d045974df4b756fd4ab67
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-17 12:13:15 -04:00
Dan Cashman
2f1c7ba75e Remove vndservice_manager object classes.
vndservicemanager is a copy of servicemanager, and so has the exact
same properties.  This should be reflected in the sharing of an object
manager in SELinux policy, rather than creating a second one, which is
effectively an attempt at namespacing based on object rather than type
labels.  hwservicemanager, however, provides different and additional
functionality that may be reflected in changed permissions, though they
currently map to the existing servicemanager permissions.  Keep the new
hwservice_manager object manager but remove the vndservice_manager one.

Bug: 34454312
Bug: 36052864
Test: policy builds and device boots.
Change-Id: I9e0c2757be4026101e32ba780f1fa67130cfa14e
2017-04-18 12:40:44 -07:00
Shawn Willden
a0c7f01299 Add keystore_key:attest_unique_id to priv_app.
Only privileged apps are supposed to be able to get unique IDs from
attestation.

Test: CTS test verifies the negative condition, manual the positive
Bug: 34671471
Change-Id: I9ab3f71b1e11ed1d7866ff933feece73152d2578
2017-04-12 06:39:14 -06:00
Martijn Coenen
bc6d88d2da Add new classes and types for (hw|vnd)servicemanager.
Bug: 34454312
Bug: 36052864
Test: device boots, works
Change-Id: If61d9b736a74c5944cef4449de4dfbaf78d9ccfa
2017-04-06 11:02:23 -07:00
Stephen Smalley
4921085d9c Remove obsolete netlink_firewall_socket and netlink_ip6fw_socket classes.
The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols
was removed from the kernel in commit
d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue
support") circa Linux 3.5.  Unless we need to retain compatibility
for kernels < 3.5, we can drop these classes from the policy altogether.

Possibly the neverallow rule in app.te should be augmented to include
the newer netlink security classes, similar to webview_zygote, but
that can be a separate change.

Test: policy builds

Change-Id: Iab9389eb59c96772e5fa87c71d0afc86fe99bb6b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-02-06 14:24:41 -05:00
Stephen Smalley
431bdd9f2f Define extended_socket_class policy capability and socket classes
Add a definition for the extended_socket_class policy capability used
to enable the use of separate socket security classes for all network
address families rather than the generic socket class.  The capability
also enables the use of separate security classes for ICMP and SCTP
sockets, which were previously mapped to rawip_socket class.  Add
definitions for the new socket classes and access vectors enabled by
this capability.  Add the new socket classes to the socket_class_set
macro, and exclude them from webview_zygote domain as with other socket
classes.

Allowing access by specific domains to the new socket security
classes is left to future commits.  Domains previously allowed
permissions to the 'socket' class will require permission to the
more specific socket class when running on kernels with this support.

The kernel support will be included upstream in Linux 4.11.  The
relevant kernel commits are da69a5306ab92e07224da54aafee8b1dccf024f6
("selinux: support distinctions among all network address families"),
ef37979a2cfa3905adbf0c2a681ce16c0aaea92d ("selinux: handle ICMPv6
consistently with ICMP"), and b4ba35c75a0671a06b978b6386b54148efddf39f
("selinux: drop unused socket security classes").

This change requires selinux userspace commit
d479baa82d67c9ac56c1a6fa041abfb9168aa4b3 ("libsepol: Define
extended_socket_class policy capability") in order to build the
policy with this capability enabled.  This commit is already in
AOSP master.

Test: policy builds

Change-Id: I788b4be9f0ec0bf2356c0bbef101cd42a1af49bb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-02-06 13:53:11 -05:00
Stephen Smalley
8a00360706 Define the user namespace capability classes and access vectors.
Kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f
(selinux: distinguish non-init user namespace capability checks)
introduced support for distinguishing capability
checks against a target associated with the init user namespace
versus capability checks against a target associated with a non-init
user namespace by defining and using separate security classes for the
latter.  This support is needed on Linux to support e.g. Chrome usage of
user namespaces for the Chrome sandbox without needing to allow Chrome to
also exercise capabilities on targets in the init user namespace.

Define the new security classes and access vectors for the Android policy.
Refactor the original capability and capability2 access vector definitions
as common declarations to allow reuse by the new cap_userns and cap2_userns
classes.

This change does not allow use of the new classes by any domain; that
is deferred to future changes as needed if/when Android enables user
namespaces and the Android version of Chrome starts using them.

The kernel support went upstream in Linux 4.7.

Based on the corresponding refpolicy patch by Chris PeBenito, but
reworked for the Android policy.

Test: policy builds

Change-Id: I71103d39e93ee0e8c24816fca762944d047c2235
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-02-06 13:53:11 -05:00
Josh Gao
cb3eb4eef9 Introduce crash_dump debugging helper.
Replace the global debuggerd with a per-process debugging helper that
gets exec'ed by the process that crashed.

Bug: http://b/30705528
Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>`
Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed
2017-01-18 15:03:24 -08:00
Nick Kralevich
11dc03e5a2 access_vectors: Remove unused permission definitions
Description stolen from
42a9699a9f

Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0.  Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.

Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }

Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }

Test: policy compiles and no boot errors (marlin)
Change-Id: Idaef2567666f80db39c3e3cee70e760e1dac73ec
2016-11-21 23:41:18 +00:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00
Renamed from access_vectors (Browse further)