Commit graph

15 commits

Author SHA1 Message Date
Hridya Valsaraju
a885dd84c7 Revert "Revert "Add a neverallow for debugfs mounting""
This reverts commit f9dbb72654.
Issues with GSI testing fixed with
https://android-review.googlesource.com/c/platform/build/+/1686425/

Bug: 184381659
Test: manual
Change-Id: Icd07430c606e294dfaad2fc9b37d34e3dae8cbfc
2021-05-02 21:41:53 -07:00
Hridya Valsaraju
f9dbb72654 Revert "Add a neverallow for debugfs mounting"
Revert submission 1668411

Reason for revert: Suspect for b/186173384
Reverted Changes:
Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t...
I743a81489:Exclude vendor_modprobe from debugfs neverallow re...
I63a22402c:Add neverallows for debugfs access
I289f2d256:Add a neverallow for debugfs mounting

Change-Id: Ie04d7a4265ace43ba21a108af85f82ec137c6af0
2021-04-23 16:38:20 +00:00
Hridya Valsaraju
1c3d898d87 Add a neverallow for debugfs mounting
Android R launching devices and newer must not ship with debugfs
mounted. For Android S launching devices and newer, debugfs must only be
mounted in userdebug/eng builds by init(for boot time initializations)
and dumpstate(for grabbing debug information from debugfs). This patch
adds a neverallow statement that prevents processes other than init
from being provided access to mount debugfs in non-user builds
when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS is set to true.

Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Bug: 184381659
Change-Id: I289f2d25662a78678929e29f83cb31cebd8ca737
2021-04-21 14:13:02 -07:00
Inseob Kim
afc09932f6 Enforce sysprop owner
Every property should have an appropriate owner attribute, which can be
one of: system_property_type, product_property_type, or
vendor_property_type. This will be enforced for devices launching with S
or later. Devices launching with R or eariler can relax this by setting
following under BoardConfig.mk:

BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true

Bug: 131162102
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I7914ef1b7463c9ec00812b9720094531fd63f0c7
2020-10-19 05:07:05 +00:00
Jooyung Han
0606ce79c9 Use file_contexts files for flattened APEXes
Previously, soong emitted APEX_FILE_CONTEXTS_INFOS make var which lists
"all" APEXes and file_contexts.bin used all of them regardless whether
an APEX is installed or not.

This doesn't work when there's a vendor specific APEX which uses vendor
specific labels. Other lunch target may fail to build due to "unknown
label" which is introduced by the vendor APEX which is fact not supposed
to be installed.

Now build/make/core/Makefile creates file_contexts.modules.tmp which is
a collection of file_contexts for flattend apexes which are to be
intalled.

Bug: 166518492
Test: m file_contexts.bin
      check contents of file_contexts.concat.tmp
Change-Id: I00c6b87bdc75fc1e04e6f8ecddae6f18762d888a
2020-09-23 15:44:11 +00:00
Peter Collingbourne
330ee2ca22 sepolicy: Allow system_server to use execmem in emulator builds with software rendering.
In emulator builds without OpenGL passthrough, we use software rendering
via SwiftShader, which requires JIT support. Therefore, we need to allow
system_server to use execmem so that it can run JITed code. These builds
are never shipped to users.

Bug: 142352330
Change-Id: I4d55b5a1b4ebae2fc8198ef66107c22bde41ad7e
2019-11-01 15:27:29 -07:00
Inseob Kim
ed59c22ffc Add BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW
A new sysprop neverallow rules are mandatory only for devices launching
with R or later. For devices already launched, neverallow rules can be
relaxed with adding following line to BoardConfig.mk:

BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true

Bug: 131162102
Test: Set PRODUCT_SHIPPING_API_LEVEL := 30 and try building with
changing some system_public_prop to system_internal_prop
Test: m cts sepolicy_tests

Change-Id: Id978b4d81a8683a57304bb639961105e2d91fa9a
Merged-In: Id978b4d81a8683a57304bb639961105e2d91fa9a
(cherry picked from commit 3be11e7abb)
2019-10-15 09:25:57 +09:00
Dan Willemsen
3c3e59b2a2 Use prebuilt m4 instead of system m4
Bug: 117561006
Test: treehugger
Change-Id: Id794aed10fdffef10490561d2cfeb2a92801b331
2019-06-19 10:59:57 -07:00
Pirama Arumuga Nainar
ce9c0c5a5f In native coverage builds, allow all domains to access /data/misc/trace
Bug: http://b/135139675

Coverage files are written to /data/misc/trace (governed by the
method_trace_data_file selinux type).  Allow all domains to access
(create directories, access files) this directory when native coverage
is enabled (by setting NATIVE_COVERAGE to true) in an userdebug or eng
build.

Also relax neverallow constraints to allow access to
method_trace_data_file for native coverage builds.

Test: Build 32-bit cuttlefish with coverage:
          m NATIVE_COVERAGE=true COVERAGE_PATHS="*"
      and verify that there are no selinux denials in kernel log and
      logcat.

Change-Id: I3fe7c77612854b9de7de7a0ddd5cbf44a2f5c21e
2019-06-14 08:31:51 -07:00
Nick Kralevich
764cbd063e m4: add --fatal-warnings
Error out if m4 generates a warning. This will help detect and prevent
malformed macros.

See 855084960f for motivation.

Test: policy compiles
Test: Policy doesn't compile if 855084960f
      is reverted.

Change-Id: Iee6b6273bc2a24b1220861fd662573e76001defc
2018-08-15 09:55:27 -07:00
Tri Vo
77c44fc420 Mechanism to exclude neverallows from *TS.
build_test_only is used to denote rules that should not verified
as part of compliance testing.

Use this macro to exclude neverallow rules which we want to check as
part of build, but not CTS.

Bug: 80499271
Test: SELinuxNeverallowRulesTest on walleye has no more failure of type
"Type or attribute * used in neverallow undefined in policy being checked."
Number of failing test cases is reduced by 142.
Test: policy.conf used to check neverallows at build-time still retains
all neverallow rules.
Change-Id: I5f1b383d9096bb5a7b8c0f1bc008b5dd07419580
2018-06-06 14:51:39 -07:00
Joel Galenson
8c72eea5ff Use user policy when checking neverallow rules.
When building userdebug or eng builds, we still want to build the user
policy when checking neverallow rules so that we can catch compile
errors.

Commit c0713e86 split out a helper function but lost one instance of
using user instead of the real variant.  This restores that one and
adds it to the neverallow check.

Bug: 74344625
Test: Added a rule that referred to a type defined only
in userdebug and eng and ensure we throw a compile error when building
userdebug mode.

Change-Id: I1a6ffbb36dbeeb880852f9cbac880f923370c2ae
(cherry picked from commit 053cb34130)
2018-03-08 09:57:54 -08:00
Jaekyun Seok
e49714542e Whitelist exported platform properties
This CL lists all the exported platform properties in
private/exported_property_contexts.

Additionally accessing core_property_type from vendor components is
restricted.
Instead public_readable_property_type is used to allow vendor components
to read exported platform properties, and accessibility from
vendor_init is also specified explicitly.

Note that whitelisting would be applied only if
PRODUCT_COMPATIBLE_PROPERTY is set on.

Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e
2018-01-10 16:15:25 +00:00
Steven Moreland
763697d425 Use PRODUCT_SEPOLICY_SPLIT for full Treble.
PRODUCT_FULL_TREBLE is being broken up into smaller,
more manageable components.

Bug: 62019611
Test: manual
Change-Id: I9b65f120851d9ea134a0059a417f0282777717fc
2017-11-10 10:25:23 -08:00
Dan Cashman
36ee91d4b5 Add sepolicy definitions.mk and create policy.conf function.
Bug: 36899958
Test: Builds 'n' boots.
Change-Id: I5836a18f9d0a9a976dda7304045e3b9e1e84565e
Merged-In: I5836a18f9d0a9a976dda7304045e3b9e1e84565e
(cherry picked from commit c0713e8679)
2017-08-25 15:08:45 +08:00