Apps should be able to access the configstore HAL since framework
libraries which are loaded into app process can call configstore.
Letting apps have direct access to this HAL is OK because:
(1) the API of this HAL does not make clients provide any sensitive
information to the HAL, which makes it impossible for the HAL to
disclose sensitive information of its clients when the HAL is
compromised,
(2) we will require that this HAL is binderized (i.e., does not run
inside the process of its clients),
(3) we will require that this HAL runs in a tight seccomp sandbox
(this HAL doesn't need much access, if at all) and,
(4) we'll restrict the HALs powers via neverallows.
Test: apps can use configstore hal.
Change-Id: I04836b7318fbc6ef78deff770a22c68ce7745fa9
This switches Allocator HAL policy to the design which enables us to
identify all SELinux domains which host HALs and all domains which are
clients of HALs.
Allocator HAL is special in the sense that it's assumed to be always
binderized. As a result, rules in Camera HAL target hal_allocator_server
rather than hal_allocator (which would be the server and any client, if
the Allocator HAL runs in passthrough mode).
Test: Device boots up, no new denials
Test: YouTube video plays back
Test: Take photo using Google Camera app, recover a video, record a slow
motion video
Bug: 34170079
Change-Id: Ifbbca554ec221712361ee6cda94c82f254d84936
Every client of Graphics Allocator HAL needs permission to (Hw)Binder
IPC into the HAL.
Test: Device boots, no denials to do with hal_graphics_allocator
(also, removing the binder_call(hal_graphics_allocator_client,
hal_graphics_allocator_server) leads to denials)
Test: GUI works, YouTube works
Bug: 34170079
Change-Id: I5c64d966862a125994dab903c2eda5815e336a94
This adjusts the grants for recovery to make it explicit that recovery
can use the Boot Control HAL only in passthrough mode.
Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
1. make dist
2. Ensure device has network connectivity
3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079
Change-Id: I0888816eca4d77939a55a7816e6cae9176713ee5
This switches Boot Control HAL policy to the design which enables us
to conditionally remove unnecessary rules from domains which are
clients of Boot Control HAL.
Domains which are clients of Boot Control HAL, such as update_server,
are granted rules targeting hal_bootctl only when the Boot Control HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bootctl are not granted to client domains.
Domains which offer a binderized implementation of Boot Control HAL,
such as hal_bootctl_default domain, are always granted rules targeting
hal_bootctl.
P. S. This commit removes direct access to Boot Control HAL from
system_server because system_server is not a client of this HAL. This
commit also removes bootctrl_block_device type which is no longer
used. Finally, boot_control_hal attribute is removed because it is now
covered by the hal_bootctl attribute.
Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
1. make dist
2. Ensure device has network connectivity
3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079
Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf
The fix for b/35100237 surfaced this error. This SELinux policy
fragment was included only on Marlin, but needs to be included in core
policy.
Bug: 35100237
Test: With https://android-review.googlesource.com/#/c/354292/
Test: Set up PPTP VPN using http://www.vpnbook.com/ on Marlin.
Test: Connect:
03-17 15:41:22.602 3809 3809 I mtpd : Starting pppd (pppox = 9)
03-17 15:41:22.628 3811 3811 I pppd : Using PPPoX (socket = 9)
03-17 15:41:22.637 3811 3811 I pppd : pppd 2.4.7 started by vpn, uid 1016
03-17 15:41:22.639 3811 3811 I pppd : Using interface ppp0
03-17 15:41:22.639 3811 3811 I pppd : Connect: ppp0 <-->
03-17 15:41:22.770 3811 3811 I pppd : CHAP authentication succeeded
03-17 15:41:22.909 3811 3811 I pppd : MPPE 128-bit stateless compression enabled
03-17 15:41:23.065 3811 3811 I pppd : local IP address 172.16.36.113
03-17 15:41:23.065 3811 3811 I pppd : remote IP address 172.16.36.1
03-17 15:41:23.065 3811 3811 I pppd : primary DNS address 8.8.8.8
03-17 15:41:23.065 3811 3811 I pppd : secondary DNS address 91.239.100.100
Change-Id: I192b4dfc9613d1000f804b9c4ca2727d502a1927
Certain libraries may actually be links. Allow OTA dexopt to read
those links.
Bug: 25612095
Test: m
Change-Id: Iafdb899a750bd8d1ab56e5f6dbc09d836d5440ed
Allow getattr on links for otapreopt_slot. It reads links (to the
boot image oat files) when collecting the size of the artifacts
for logging purposes.
Bug: 30832951
Test: m
Change-Id: If97f7a77fc9bf334a4ce8a613c212ec2cfc4c581
This switches most remaining HALs to the _client/_server approach.
To unblock efforts blocked on majority of HALs having to use this
model, this change does not remove unnecessary rules from clients of
these HALs. That work will be performed in follow-up commits. This
commit only adds allow rules and thus does not break existing
functionality.
The HALs not yet on the _client/_server model after this commit are:
* Allocator HAL, because it's non-trivial to declare all apps except
isolated apps as clients of this HAL, which they are.
* Boot HAL, because it's still on the non-attributized model and I'm
waiting for update_engine folks to answer a couple of questions
which will let me refactor the policy of this HAL.
Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: Device boots in recovery mode, no new denials
Bug: 34170079
Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
Test: take a screenshot
Test: run CTS ImageReaderTest
Bug: 36194109
(cherry picked from commit 49ed0cd658)
Change-Id: I331bce37b35e30084ba9f7ecd063a344a79c5232
The secondary dex files are application dex files which gets reported
back to the framework when using BaseDexClassLoader.
Also, give dex2oat lock permissions as it needs to lock the profile
during compilation.
Example of SElinux denial:
03-15 12:38:46.967 7529 7529 I profman : type=1400 audit(0.0:225):
avc: denied { read } for
path="/data/data/com.google.android.googlequicksearchbox/files/velour/verified_jars/JDM5LaUbYP1JPOLzJ81GLzg_1.jar.prof"
dev="sda35" ino=877915 scontext=u:r:profman:s0
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1
Test: adb shell cmd package bg-dexopt-job works for sercondary dex files
Bug: 26719109
Change-Id: Ie1890d8e36c062450bd6c54f4399fc0730767dbf
This change defines new policy for modprobe (/sbin/modprobe) that should
be used in both recovery and android mode.
Denials:
[ 16.986440] c0 437 audit: type=1400 audit(6138546.943:5): avc:
denied { read } for pid=437 comm="modprobe" name="modules" dev="proc"
ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1
[ 16.986521] c0 437 audit: type=1400 audit(6138546.943:6): avc:
denied { open } for pid=437 comm="modprobe" path="/proc/modules"
dev="proc" ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1
[ 16.986544] c0 437 audit: type=1400 audit(6138546.943:7): avc:
denied { getattr } for pid=437 comm="modprobe" path="/proc/modules"
dev="proc" ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1
Bug: 35633646
Test: Build and tested it works in sailfish recovery. The modprobe is
invoked in init.rc (at the end of 'on init') with following command line
exec u:r:modprobe:s0 -- /sbin/modprobe -a nilfs2 ftl
Change-Id: Ie70be6f918bea6059f806e2eb38cd48229facafa
bufferhubd should be able to use sync fence fd from mediacodec; and
mediacodec should be able to use a gralloc buffer fd from the bufferhubd.
Bug: 32213311
Test: Ran exoplayer_demo and verify mediacodec can plumb buffer through
bufferhub.
Change-Id: Id175827c56c33890ecce33865b0b1167d872fc56
Test: no log spam for graphics allocator
Test: dmesg | audit2allow does not show denial for
hal_graphics_allocator_default
Test: system is responsive after boot (because
android.hardware.graphics.allocator@2.0::IAllocator getService()
will not be blocked)
Bug: 36220026
Change-Id: I3e103f88988fe4a94888e92ee8c5b1f27845ad9e
Policy intermediates are being placed in a seemingly random
intermediates directories.
Currently:
out/target/product/marlin/obj_arm/SHARED_LIBRARIES/libsoftkeymaster_intermediates
Instead, place intermediates in the sepolicy_intermediates dir.
Test: intermediates now placed in:
out/target/product/marlin/obj/ETC/sepolicy_intermediates
Test: Marlin builds, no change to sepolicy on device.
Bug: 36269118
Change-Id: Ib6e9d9033be4dc8db0cc66cb47d9dc35d38703fe
This file is no longer needed because it was needed for supporting
reloadable/dynamic SELinux policy which is no longer supported.
Test: Clean build, flash, device boots without additional denials.
Reboot to recovery works, no additional denials.
Bug: 33642277
Change-Id: I7fffe2fd12f586ed9b3ae54e35d17abdebbe7bce
Allow run-as to transmit unix_stream_sockets from the shell user to
Android apps. This is needed for Android Studio's profiling tool to
allow communcation between apps and debugging tools which run as the
shell user.
Bug: 35672396
Test: Functionality was tested by shukang
Test: policy compiles.
Change-Id: I2cc2e4cd5b9071cbc7d6f6b5b0b71595fecb455e
This switches Sensors HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Sensors HAL.
Domains which are clients of Sensors HAL, such as system_server, are
granted rules targeting hal_sensors only when the Sensors HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with clients
talking to the HAL over HwBinder IPC), rules targeting hal_sensors are
not granted to client domains.
Domains which offer a binderized implementation of Sensors HAL, such
as hal_sensors_default domain, are always granted rules targeting
hal_sensors.
P. S. This commit also removes
allow system_server sensors_device:chr_file rw_file_perms
because this is device-specific and thus not needed in device-agnostic
policy. The device-specific policy of the affected devices already has
this rule.
Test: Device boots, no new denials
Test: adb shell dumpsys sensorservice
lists tons of sensors
Test: Proprietary sensors test app indicates that there are sensors
and that the app can register to listen for updates for sensors
and that such updates arrive to the app.
Bug: 34170079
Change-Id: I61bf779070eabcb64ae73724d62b6e837319a668
Only audio HAL may access audio driver.
Only camera HAL may access camera driver.
Test: aosp_marlin and aosp_bullhead policy builds. Note: neverallow
rules are compile time assertions and do not change the
on-device policy.
Bug: 36185625
Change-Id: I1c9edf528080374f5f0d90d3c14d6c3b162484a3
Only HALs that manage networks need network capabilities and network
sockets.
Test: aosp_marlin and aosp_bullhead policy builds. Note: neverallow
rules are compile time assertions and do not change the
on-device policy.
Bug: 36185625
Change-Id: Id64846eac24cf72ed91ce775cecb2c75f11b78df
This makes the build system, for TREBLE devices only, place
plat_property_contexts under /system/etc/selinux and
nonplat_property_contexts under /vendor/etc/selinux. For other devices
these files are placed under /, same as before.
This change was previously reverted because it affected the location
of property_contexts in recovery. Now that we have separate tagets for
recovery (see ec78c377c0), this change
no longer affects is recovery.
Test: *_property_contexts in correct locations when
PRODUCT_FULL_TREBLE is set to true and when it is set to false.
Test: cts-tradefed run singleCommand cts --skip-device-info \
--skip-preconditions --skip-connectivity-check \
--abi arm64-v8a --module CtsSecurityHostTestCases \
-t android.security.cts.SELinuxHostTest#testAospPropertyContexts
This test was performed on bullhead (non A/B device) and sailfish
(A/B device).
Test: Clean build, flash, device boots with no additional denials.
Rebooting to recovery, recovery boots fine with no denials.
This test was performed on bullhead (non A/B device) and sailfish
(A/B device).
Bug: 36002573
(cherry picked from commit 4cb628a3be)
Change-Id: I0b145c58669fb31bc39d57f36eef1190425a8328
This ensures that SELinux policy artifact needed by recovery at
runtime have targets in this build script. This is to make
recoveryimage/bootimage targets depend on these artifacts explicitly,
which reduces the element of surprise. Moreover, this enables us to
move non-recovery artifacts around without affecting recovery
artifacts.
Test: Clean build, flash, device boots just fine, no new denials.
Reboot to recovery, recovery boots just fine, no denials.
This was tested on bullhead (non A/B device) and sailfish (A/B
device).
Bug: 33642277
Change-Id: I3c494d9d7fec5c4f487d38964e572757fcf67f57
Test: Build and boot Marlin
Test: See the following in the logs:
01-01 02:10:28.756 1345 1345 D SELinuxMMAC: Using policy file /system/etc/selinux/plat_mac_permissions.xml
01-01 02:10:28.787 1345 1345 D SELinuxMMAC: Using policy file /vendor/etc/selinux/nonplat_mac_permissions.xml
Bug: 36003167
Change-Id: If17490a2a5d94bfea1fa6d282282d45d67e207e9
Build file_contexts.bin on legacy builds.
Test: Marlin and Bullhead build and boot with no new denials.
Test: Marlin and Bullhead recovery boots with no new denials.
Test: Bullhead boots with file_contexts.bin in /
Test: Marlin boot with /system/etc/selinux/plat_file_contexts and
/vendor/etc/selinux/nonplat_file_contexts.
Bug: 36002414
Change-Id: Ide8498b3c86234d2f93bb22a7514d132c33067d6
Recovery should always use monolithic policy. Thus, we don't need
split policy files *.recovery.cil. This commit removes these targets
and rolls up the relevant parts of the targets into
"sepolicy.recovery" which is the target which produces monolithic
policy for recovery.
Test: make clean && make sepolicy.recovery, then confirm that
repolicy.recovery is identical to the one produced prior to this
change.
Test: Clean build, flash, device boots up fine, no new denials. Device
also boots into recovery just fine, no denials.
Bug: 31363362
Change-Id: I7f698abe1f17308f2f03f5ed1b727a8b071e94c7
This reverts commit 4cb628a3be.
Reason for revert: recovery image on marlin & sailfish no longer
contained *property_contexts and thus recovery failed to boot.
Test: Clean build, flash, sailfish and bullhead boot up just fine,
and boot into recovery just fine.
Bug: 36002573
Bug: 36108354
Change-Id: I2dffd80764f1a464327747d35a58691b24cff7a7
The following HAL methods use file descriptors to write dump
info comprising audioflinger debug dump:
IDevice.debugDump
IEffectsFactory.debugDump
IStream.debugDump
Bug: 36074936
Test: check contents of 'adb shell dumpsys media.audio_flinger'
on -userdebug builds
Change-Id: Ie2bec95c6b73c6f10941e2b0a95a25d6a7a6e4c1
Test: Build and boot Marlin and Bullhead.
Test: Contexts split between /system and /vendor on Marlin.
Remains stored in / on Bullhead.
Bug: 36002816
Bug: 36002427
Change-Id: I922bcbc0cc2c08e312cf942ee261951edfa8d4e2
This makes the build system, for TREBLE devices only, place
plat_property_contexts under /system/etc/selinux and
nonplat_property_contexts under /vendor/etc/selinux. For other devices
these files are placed under /, same as before.
Test: *_property_contexts in correct locations when
PRODUCT_FULL_TREBLE is set to true and when it is set to false.
Bug: 36002573
Change-Id: I7e30e64918bb3ee671fa8c7a2e30ed96a9cc1ad7
