Commit graph

25 commits

Author SHA1 Message Date
David Anderson
6557d87b0f Add sepolicy for installing GSIs to external storage.
To install GSIs on external storage (such as sdcards), gsid needs some
additional privileges:
 - proc_cmdline and device-tree access to call ReadDefaultFstab().
   This is ultimately used to check whether system's dm-verity has
   check_at_most_once enabled, which is disallowed with sdcards.
 - vfat read/write access to write files to the sdcard. Note that
   adopted sdcards are not supported here.
 - read access to the sdcard block device. To enable this without
   providing access to vold_block_device, a new sdcard_block_device
   label was added. Devices must apply this label appropriately to
   enable gsid access.
 - FIBMAP access for VFAT filesystems, as they do not support FIEMAP.
   This only appears to work by granting SYS_RAWIO.

Bug: 126230649
Test: adb shell su root gsi_tool install --install_dir=/mnt/media_rw/...
      works without setenforce 0

Change-Id: I88d8d83e5f61d4c0490f912f226fe1fe38cd60ab
2019-03-27 17:12:51 -07:00
Yifan Hong
e3ee390c6b Add super_block_device_type
This is the type used on super partition block devices.
- On devices launch with DAP, super is already marked
as super_block_device_type.
- On retrofit devices, appropriate block devices must
be marked as super_block_device_type, for example:

    typeattribute system_block_device super_block_device_type;

Bug: 128991918
Test: builds
Change-Id: I7e26d85b577ce08d8dc1574ddc43146d65843d9c
2019-03-25 17:58:10 +00:00
Tri Vo
02c4c3fa7b Remove sepolicy for /dev/alarm.
After b/28357356 /dev/alarm is no longer used by android platform.
Also, Pixel devices don't have /dev/alarm.

Bug: 110962171
Test: boot aosp_walleye
Change-Id: Id9723996104a2548ddf366489890c098d1ea87be
2018-12-06 04:23:22 +00:00
Tri Vo
d918c8df78 Remove redundant cgroup type/labelings.
cgroup is labeled from genfs_contexts. Also, cgroup filesystems can't be
context mounted, i.e. it's not possible to mount them with a label other
than "cgroup".

Bug: 110962171
Test: m selinux_policy
Test: boot aosp_walleye
Change-Id: I8319b10136c42a42d1edaee47b77ad1698e87f2c
2018-11-17 01:24:49 +00:00
Tri Vo
c7f56cdc83 Remove kmem_device selinux type.
kmem_device was used to label /dev/mem and /dev/kmem. We already have
multiple layers of protection against those /dev nodes being present on
devices.

CTS checks that /dev/mem and /dev/kmem don't exist:
https://android.googlesource.com/platform/cts/+/master/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java#233

VTS enforces our base kernel configs, which have CONFIG_DEVKMEM and
CONFIG_DEVMEM disabled:
https://android.googlesource.com/kernel/configs/+/master/android-4.9/android-base.config#2

Bug: 110962171
Test: m selinux_policy
Change-Id: I246740684218dee0cddf81dabf84d4763a753cde
2018-11-15 21:31:56 +00:00
Tri Vo
ced1751e45 Remove mtd_device type.
mtd_device does not label any /dev node present on walleye, and the only
permission to that type is:
allow hal_telephony_server mtd_device:dir search;
I suspect there is no need to keep mtd_device around.

Bug: 110962171
Test: boot aosp_walleye
Change-Id: If74b1258b21edeca38c8b7dc07a3a10b751a7e85
2018-11-12 23:11:03 +00:00
Tri Vo
b805adaa16 Remove dead *_device types from system sepolicy.
No coredomain domain has access to these types and corresponding /dev
nodes don't exist on the device:

audio_seq_device
audio_timer_device
full_device
i2c_device
vcs_device

Bug: 110962171
Test: m selinux_policy
Test: boot walleye
Change-Id: I89ad4755e6760aa166cb22e2655567e5905dc672
2018-11-09 15:45:59 -08:00
Nick Kralevich
4b26c91ae6 Link to documentation for different block device types
The number of block devices used in an Android device is too damn high
(insert meme here). Let's at least add some links to documentation to
help describe the partition layout expected on a typical Android device.

This builds on top of the work in making the bootloader information
accessible (b/28905584).

Test: only adding comments. Policy compiles.
Change-Id: I8976b855e46255f7e18fa2b807ba83e0db92a82d
2018-09-12 13:58:53 -07:00
Hridya Valsaraju
4ae8fe9b84 Define 'super_block_device' type
Bug: 78793464
Test: fastboot getvar partition-size:super

'super_block_device' corresponds to the super partition
required for flashing dynamic partitions.

Change-Id: I323634b6797ead7c5face117a7028bf9ab947aea
2018-08-20 10:55:03 -07:00
Ruchi Kandoi
ea3cf0007e Add secure_element_device
Test: eSE initializes at boot
Bug: 64881253
Change-Id: Ib2388b7368c790c402c000adddf1488bee492cce
2018-03-07 16:37:24 +00:00
Tom Cherry
8b5433a9cc Add /dev/__properties__/property_info
Allow init to create a serialized property_info file and allow all
processes to read it.

Bug: 36001741
Test: boot bullhead, walleye using property_info

Change-Id: Ie51d4c0f0221b128dd087029c811fda15b4d7093
2017-12-13 01:28:15 +00:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Josh Gao
94e2a921cb Add /dev/kmsg_debug.
Add /dev/kmsg_debug on userdebug devices, to allow crash_dump to log
crashes to dmesg when logd isn't up yet (or is the one crashing).

Bug: http://b/36574794
Test: stop tombstoned; crasher; dmesg
Change-Id: I6ffe11bc613e88198893e82712719522b74fe1be
2017-08-11 13:25:43 -07:00
Josh Gao
9ac5d01faa Revert "Add /dev/kmsg_debug."
This reverts commit a015186fab.

Bug: http://b/62101480
Change-Id: I8e889e3d50cf1749168acc526f8a8901717feb46
2017-05-26 00:32:07 +00:00
Tom Cherry
5dff1962e4 Revert "remove /dev/log"
This reverts commit 8c60f74dcc.

Bug: 38242876
Change-Id: Iba5a94d16901dc0c52f1941972c26877baa4805c
2017-05-11 23:21:29 +00:00
Tom Cherry
8c60f74dcc remove /dev/log
This was marked deprecated in 2014 and removed in 2015, let's remove
the sepolicy now too.

Test: see that logging still works on bullhead

Change-Id: I4caa0dbf77956fcbc61a07897242b951c275b502
2017-04-11 21:35:32 +00:00
Josh Gao
a015186fab Add /dev/kmsg_debug.
Add /dev/kmsg_debug on userdebug devices, to allow crash_dump to log
crashes to dmesg when logd isn't up yet (or is the one crashing).

Bug: http://b/36574794
Test: stop tombstoned; crasher; dmesg
Change-Id: I249e11291c58fee77098dec3fd3271ea23363ac9
2017-04-06 14:07:02 -07:00
Jeff Sharkey
a8e0f76c44 Define policy for "loop-control" device.
Per loop(4), this device is the preferred way of allocating new
loop devices since Linux 3.1.

avc: denied { read write } for name="loop-control" dev="tmpfs" ino=15221 scontext=u:r:vold:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0

Bug: 34903607
Change-Id: I1f5f62cf0a1c24c6f6453100004812af4b8e1503
2017-03-25 21:39:03 -06:00
Martijn Coenen
e7d8f4c3c8 Initial sepolicy for vndservicemanager.
vndservicemanager is the context manager for binder services
that are solely registered and accessed from vendor processes.

Bug: 36052864
Test: vendorservicemanager runs
Merged-In: Ifbf536932678d0ff13d019635fe6347e185ef387
Change-Id: I430f1762eb83825f6cd4be939a69d46a8ddc80ff
2017-03-23 00:20:43 +00:00
Alex Klyubin
09d13e734d Switch Boot Control HAL policy to _client/_server
This switches Boot Control HAL policy to the design which enables us
to conditionally remove unnecessary rules from domains which are
clients of Boot Control HAL.

Domains which are clients of Boot Control HAL, such as update_server,
are granted rules targeting hal_bootctl only when the Boot Control HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bootctl are not granted to client domains.

Domains which offer a binderized implementation of Boot Control HAL,
such as hal_bootctl_default domain, are always granted rules targeting
hal_bootctl.

P. S. This commit removes direct access to Boot Control HAL from
system_server because system_server is not a client of this HAL. This
commit also removes bootctrl_block_device type which is no longer
used. Finally, boot_control_hal attribute is removed because it is now
covered by the hal_bootctl attribute.

Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
      1. make dist
      2. Ensure device has network connectivity
      3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079
Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf
2017-03-17 17:22:06 -07:00
Max Bires
9e7a5b0a7c Auditing init and ueventd access to chr device files.
It seems likely that there is no reason to keep around a number of
devices that are configured to be included into the pixel kernels. Init
and ueventd should be the only processes with r/w access to these
devices, so auditallow rules have been added to ensure that they aren't
actually used.

/dev/keychord was given its own type since it's one of the few character
devices that's actually legitimately used and would cause log spam in
the auditallow otherwise.

Bug: 33347297
Test: The phone boots without any apparent log spam.

Change-Id: I3dd9557df8a9218b8c802e33ff549d15849216fb
2017-01-13 17:38:39 +00:00
Josh Gao
a3bc3cffdf Remove support for legacy f_adb interface.
Bug: http://b/34228376
Test: m
Change-Id: I1321ada1521bb3e3fd08105f1a41d519ee486683
2017-01-11 15:03:50 -08:00
Max
c27c23fbdb /dev/port does not seem to be used, adding in rules to confirm.
Only init and ueventd have any access to /dev/port, and neither should
have any use for it. As it stands, leaving port in just represents
additional attack surface with no useful functionality, so it should be
removed if possible, not only from Pixel devices, but from all Android
devices.

Test: The phone boots successfully

Bug:33301618
Change-Id: Iedc51590f1ffda02444587d647889ead9bdece3f
2016-12-04 16:46:11 -08:00
Nick Kralevich
5eadcb8cb1 Collapse urandom_device into random_device
urandom_device and random_device have the exact same security
properties. Collapse them into one type.

Test: device boots and /dev/urandom is labeled correctly.
Change-Id: I12da30749291bc5e37d99bc9422bb86cb58cec41
2016-11-21 16:37:07 +00:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00
Renamed from device.te (Browse further)