Commit graph

76 commits

Author SHA1 Message Date
Thiébaud Weksteen
5c5e0f7ecc Remove bug_map entry for system_server
The permission was granted in 6390b3f.

Bug: 216097542
Bug: 73128755
Test: m selinux_policy
Change-Id: I7b1883a46f3972ed722ebc2844ecdbf24abf0ce1
2022-03-30 02:31:43 +00:00
Thiébaud Weksteen
b8abcadd5b Remove bug_map for hal_wifi_default
Bug: 220258444
Test: build & boot cuttlefish
Change-Id: I3b5c0ad1b9cbdca5f86e7615d243192163b99aaf
2022-02-28 14:30:22 +11:00
Shashwat Razdan
d581bd244d SELinux issues:
```
02-18 01:02:35.599     1     1 I auditd  : type=1107 audit(0.0:149): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=vendor.wlan.firmware.version pid=478 uid=1010 gid=1010 scontext=u:r:hal_wifi_default:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service permissive=0'
02-18 01:02:35.599     1     1 I auditd  : type=1107 audit(0.0:150): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=vendor.wlan.driver.version pid=478 uid=1010 gid=1010 scontext=u:r:hal_wifi_default:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service permissive=0'
```


Bug: 220258444
Change-Id: I5a99d1895d5ef9c5e784cf9e92c0c8847da21b58
Test: Presubmits
2022-02-18 07:38:19 +00:00
Jiakai Zhang
bf58100685 dontaudit denial on the odex file of location provider.
Bug: 194054685
Test: Presubmits
Change-Id: Ia636f7b32251c3b8cb018fee9216e5968d4e95ff
2022-02-16 14:12:49 +00:00
Jiakai Zhang
329cbf4d4e Track system_server->apex_art_data_file denial.
The denial occurs when system_server dynamically loads AOT artifacts at
runtime.

Sample message:
type=1400 audit(0.0:4): avc: denied { execute } for comm="system_server" path="/data/misc/apexdata/com.android.art/dalvik-cache/arm64/system@framework@com.android.location.provider.jar@classes.odex" dev="dm-37" ino=296 scontext=u:r:system_server:s0 tcontext=u:object_r:apex_art_data_file:s0 tclass=file permissive=0

Currently, system_server is only allowed to load AOT artifacts at startup. odrefresh compiles jars in SYSTEMSERVERCLASSPATH, which are supposed to be loaded by system_server at startup. However, com.android.location.provider is a special case that is not only loaded at startup, but also loaded dynamically as a shared library, causing the denial.

Therefore, this denial is currently expected. We need to compile com.android.location.provider so that its AOT artifacts can be picked up at system_server startup, but we cannot allow the artifacts to be loaded dynamically for now because further discussion about its security implications is needed. We will find a long term solution to this, tracked by b/194054685.

Test: Presubmits
Bug: 194054685

Change-Id: I3850ae022840bfe18633ed43fb666f5d88e383f6
2021-07-24 09:42:03 +08:00
Treehugger Robot
bc0f0aeb9b Merge "Revert "Add bug_map entry for unrelated SELinux denial to unblock IC."" 2021-01-20 07:54:34 +00:00
Hai Zhang
6603b308c7 Revert "Add bug_map entry for unrelated SELinux denial to unblock IC."
This reverts commit dd4b578c25.

Reason for revert: bug_map is only compiled into vendor partition so this doesn't work for GSI.

Change-Id: I653b937495be93a4de288e7df7525fd7504fa0f6
2021-01-19 19:10:38 +00:00
Treehugger Robot
1c343047e9 Merge "Add bug_map entry for unrelated SELinux denial to unblock IC." 2021-01-15 21:59:44 +00:00
Hai Zhang
dd4b578c25 Add bug_map entry for unrelated SELinux denial to unblock IC.
Sample denial message: auditd  : type=1400 audit(0.0:104): avc: denied
{ write } for comm="Binder:1830_4" name="tasks" dev="tmpfs" ino=16681
scontext=u:r:installd:s0 tcontext=u:object_r:device:s0 tclass=file
permissive=0

This denial is triggered for completely unrelated changes when installd
runs dex2oat for service-wifi.jar. One theory is that the unrelated
changes caused certain ART metrics (e.g. number of methods/classes/API) to
change so that dex2oat is triggered earlier and the SELinux denial became
caught by the boot test. So add this to bug_map to unblock the unrelated
changes while a kernel fix is to be tracked in b/177187042

Bug: 177187042
Test: presubmit
Change-Id: I6595b7aa14f73bf967207f1688c8fbd596ee37d1
2021-01-15 14:17:02 +00:00
Thiébaud Weksteen
26d1850b1e Track zygote denials on labeledfs
Bug: 170748799
Test: build policy
Change-Id: I7f244f1e17060251cb1d0896716fee711ec10693
2021-01-15 13:54:11 +01:00
Bram Bonné
882b7c8d39 Re-audit SELinux denials for external storage.
Denial logging was suppressed in r.android.com/1199618 to de-flake
presubmit tests. Since Android 11, FUSE is enabled for all devices by
default, which is expected to prevent these denials from happening.

This change re-enables logging to check that assumption.

Bug: 145267097
Test: DeviceBootTest#SELinuxUncheckedDenialBootTest
Change-Id: I1e9aa6d1234f2f158ba7a7f6bf8aa8588249eee7
2020-09-11 13:24:50 +00:00
Hridya Valsaraju
efd277f8a7 Revert "gmscore_app is attempting to access /dev/ashmem"
Test: build, boot
Change-Id: Id7bff6db07ab7aa0695e132a9d9ffae4912f401c
2020-08-10 17:07:52 +00:00
Jeff Vander Stoep
3e2b91d672 gmscore_app is attempting to access /dev/ashmem
This is not allowed for apps with targetSdkVersion>=Q.

Allow this failure until gmscore fixes.

Bug: 160984921
Test: build
Change-Id: I1e9f2af091b22eef2bc05ae1e571fb45dec05cfe
2020-07-13 14:57:52 +02:00
Jeff Vander Stoep
aeebb9a42e Gboard: Whitelist test failure
This is intended to be temporary workaround until the Gboard
developers fix their app.

Addresses
avc: denied { bind } for comm="ThreadPoolForeg"
scontext=u:r:untrusted_app:s0:c166,c256,c512,c768
tcontext=u:r:untrusted_app:s0:c166,c256,c512,c768
tclass=netlink_route_socket permissive=
app=com.google.android.inputmethod.latin

Bug: 155595000
Test: build
Change-Id: I432ac1462329efb4bc118c3967a099833e6eb813
2020-05-04 08:53:49 +00:00
Jeff Vander Stoep
8c9826ec21 Track another instance of b/77870037
Bug: 77870037
Test: build
Change-Id: I77f5888aaf0fedd07635e301dbc642e3f8749688
2020-04-02 10:17:22 +02:00
Jeff Vander Stoep
5357e7672a Temporarily whitelist system_server->storage denials
Make presubmit less flaky.

Bug: 145267097
Test: build
Change-Id: I45dd2f03a5db98fa70c950378538d32eb97a44df
2020-01-06 14:28:31 +01:00
Jeff Vander Stoep
607bc67cc9 Prevent apps from causing presubmit failures
Apps can cause selinux denials by accessing CE storage
and/or external storage. In either case, the selinux denial is
not the cause of the failure, but just a symptom that
storage isn't ready. Many apps handle the failure appropriately.

These denials are not helpful, are not the cause of a problem,
spam the logs, and cause presubmit flakes. Suppress them.

Bug: 145267097
Test: build
Change-Id: If87b9683e5694fced96a81747b1baf85ef6b2124
2019-12-16 11:19:05 +01:00
Ashwini Oruganti
e80d00ff34 gmscore_app: suppress denials for system_data_file
This denial is generally a sign that apps are attempting to access
encrypted storage before the ACTION_USER_UNLOCKED intent is delivered.
Suppress this denial to prevent logspam.

While gmscore_app is running in permissive mode, there might be other
denials for related actions (that won't show up in enforcing mode after
the first action is denied). This change adds a bug_map entry to track
those denials and prevent presubmit flakes.

Bug: 142672293
Test: Happy builds
Change-Id: Id2f8f8ff5cde40e74be24daa0b1100b91a7a4dbb
2019-12-12 14:38:40 -08:00
Jeff Vander Stoep
a213e0c3c5 gmscore_app: add bug map
De-flake tests.

Test: build
Bug: 145267097
Change-Id: I7c21229d8577ffb9283a94290b3cfe575868d348
2019-12-02 13:42:11 +01:00
Jeff Vander Stoep
99d5970dcf Whitelist app->storage denials
Make presubmit less flaky.

Bug: 145267097
Test: build
Change-Id: Id3e8c636f9ebda0dd07a0dcf5211f4a73bd3e3c2
2019-11-27 15:01:05 +01:00
Colin Cross
b24b629ed3 bug_map: track bluetooth storage_stub_file denial
Bug: 145212474
Test: none
Change-Id: I64e7e73907637e100d59b735c57cc40996044607
2019-11-26 10:31:46 -08:00
Tri Vo
0ba37c9e81 Merge "bug_map: track mediaswcodec ashmem denial" 2019-10-15 17:08:43 +00:00
Tri Vo
145130670f bug_map: track mediaswcodec ashmem denial
Bug: 142679232
Test: n/a
Change-Id: Ie6a8e65ad175e2c2ab444381d3b05d0191cc0302
2019-10-15 09:57:55 -07:00
Jeff Vander Stoep
ee036a9fc4 overlayfs: deflake presubmit tests
Bug: 142390309
Test: build
Change-Id: Ibf12d5acba39436cf79b7eb3a1fbadb2296b68c4
2019-10-14 11:20:50 +02:00
Ashwini Oruganti
a661148bc0 Update bug_map to explicitly have the b/ prefix
This is part of a series of updates to bug_map across all of android
tree.

Bug: 141014771
Test: Generated a denial, verified that the bug id in the dmesg logs
remains unchanged.

Change-Id: I852e8ac38a162cc074232f15d919212548d485bf
2019-09-23 14:28:07 -07:00
Pirama Arumuga Nainar
98e320b6e0 Revert "Track usbd SELinux denial."
Bug: 72472544
This reverts commit 07efe37c5f.

Reason for revert: The selinux denial is no longer reproducible.

Test: Presubmit builds

Change-Id: I79d18743171315401401c1b06b3f97d837bf500f
2019-07-14 21:05:41 -07:00
Sudheer Shanka
5e0b83c4c6 Remove obsolete denials tracking.
Bug: 118185801
Test: manual
Change-Id: Ibc4590d6e7b825124035e8f51574afbe5ae4b750
2019-04-18 17:14:50 -07:00
Torne (Richard Coles)
d40f7fd9d5 Allow webview_zygote to read the /data/user/0 symlink.
ART follows the /data/user/0 symlink while loading cache files, leading
to:

avc: denied { getattr } for comm="webview_zygote" path="/data/user/0"
dev="sda35" ino=1310726 scontext=u:r:webview_zygote:s0
tcontext=u:object_r:system_data_file:s0 tclass=lnk_file permissive=0

Allow this access, the same as app and app_zygote do.

Bug: 123246126
Test: DeviceBootTest.SELinuxUncheckedDenialBootTest
Change-Id: I90faa524e15a17b116a6087a779214f2c2142cc2
2019-04-11 16:18:32 -04:00
Sudheer Shanka
a32080bcc2 Remove priv_app SELinux denial tracking.
The underlying issue has been fixed, so this
SELinux denial shouldn't occur anymore.

Bug: 118185801
Test: manual
Change-Id: I5656e341bcb7b554bcd29e00315648eb75ec0a3d
2019-02-28 14:15:47 -08:00
Jeff Vander Stoep
c37f2e854c bug_map: remove tracking for b/79414024
It was fixed in change  If630b53d32c3c0414939b1f8db8d486406003567.

Fixes: 79414024
Test: build
Change-Id: I33f749f370ae83581ac28cbefe42ba764da57cdd
2019-02-25 12:25:25 -08:00
Jeff Vander Stoep
b3b7543de6 Whitelist flaky presubmit failures
These denials already have tracking bugs.

Addresses
avc: denied { write } for comm=".gms.persistent" name="0" dev="tmpfs"
scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0
tclass=dir permissive=0 app=com.google.android.gms
avc: denied { getattr } for path="/data/system_ce/0/accounts_ce.db"
scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0
tclass=file permissive=0

Bug: 124108085
Bug: 118185801
Test: build tests
Change-Id: I97192e5c85d8d3a9efe950a0bbb33ea88aac76bd
2019-02-18 21:24:46 +00:00
Jeff Vander Stoep
504a654983 crash_dump: dontaudit gpu_device access
And add neverallow so that it's removed from partner policy if
it was added there due to denials.

Fixes: 124476401
Test: build
Change-Id: I16903ba43f34011a0753b5267c35425dc7145f05
2019-02-18 21:06:42 +00:00
Sudheer Shanka
9c96649b27 Track untrusted_app_27 SELinux denial
vrcore is trying to access external storage before
it is available.

Bug: 118185801
Test: n/a
Change-Id: Ieb38a1bfb977d9f6f642fecdd1000a195b2c8259
2019-02-15 00:42:47 -08:00
Jeff Vander Stoep
f05de2ee39 Track SELinux denial.
This should help fix presubmit tests.

Bug: 124468495
Bug: 124476401
Test: Build.
Change-Id: I7d8befaef2a90d6dc824f99e3088a922c8d1fdc4
2019-02-14 19:52:03 -08:00
Torne (Richard Coles)
0375302f41 Track SELinux denial caused by webview zygote.
The new codepath for creating the classloader in the webview zygote
triggers an selinux denial; track this until it is fixed.

Bug: 123246126
Test: DeviceBootTest.SELinuxUncheckedDenialBootTest
Merged-In: I6835947e81364b5dd43898199108af7b14d31088
Change-Id: I6835947e81364b5dd43898199108af7b14d31088
2019-01-24 11:38:05 -05:00
felkachang
22f8669072 Track isolated_app app_data_file SELinux denial.
The isolated service that do nothing except for both AIDL's basic
skeleton and service binding. It still got the SELinux denied.
This should fix presubmit test.

01-01 00:00:29.196  6121  6121 I auditd  : type=1400 audit(0.0:6):
avc: denied { getattr } for comm="convert.service"
path="/data/data/com.android.externalstorage" dev="sda35" ino=655437
scontext=u:r:isolated_app:s0:c0,c256,c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0

Test: ag/5681059 ag/5660144
Bug: 120394782
Change-Id: I7838def96da30b88d510dab860ed9779a0d4d5ed
2018-12-04 05:45:33 +08:00
felkachang
196b12eb3e Track isolated_app SELinux denial.
The isolated service that do nothing for AIDL's APIs still got the
SELinux denied. This should fix presubmit test.

01-01 00:00:22.103  5831  5831 I auditd  : type=1400 audit(0.0:6): avc:
denied { getattr } for comm="convert.service"
path="/data/data/com.android.providers.media" dev="sda35" ino=1442136
scontext=u:r:isolated_app:s0:c0,c256,c512,c768
tcontext=u:object_r:privapp_data_file:s0:c512,c768 tclass=dir
permissive=0

Test: build
Bug: 119596573

Change-Id: Ie58326ba217ed6ca56ca9933c6664896ac3d327a
2018-11-29 07:07:55 +00:00
Sudheer Shanka
95767cce45 Track vrcore_app SELinux denial
Bug: 118185801
Test: bug no. appears in the denial logs
Change-Id: Ib1d1bbbdf25e0e63ac8a7dec98aca08cafc3f870
2018-10-23 12:19:27 -07:00
Joel Galenson
732e92b6fe Remove fixed bugs from bug_map.
Test: Build.
Change-Id: I5c02916dfa3b2e8d5ba2bc586d05a69bd1f1254f
Merged-In: I150bc74b13a77f00a7e8b31a6c2edf9654bdbe59
2018-09-17 08:42:55 -07:00
Joel Galenson
a68b104452 bug_map: track new pm/storage denials
avc: denied { getattr } for comm="Binder:1231_1" path="/storage/emulated" dev="tmpfs" ino=72787 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_stub_file:s0 tclass=dir

Bug: 112609936
Test: Built policy.
Change-Id: Ib772aca11bad4ba267de259be4ad065f228ef1df
2018-08-15 10:21:23 -07:00
Jeff Vander Stoep
9c7396d554 Suppress denials for apps accessing storage too early
The recommended solution is to not access encrypted storage until
after the ACTION_USER_UNLOCKED intent is delivered.

Test: build
Fixes: 72811052
Fixes: 72550646
Change-Id: I80eb743e26047b7864de983c5a46c28b6f753a59
2018-06-01 19:15:55 +00:00
Steven Moreland
7baf725ea6 mediacodec->mediacodec+hal_omx{,_server,_client}
(breaks vendor blobs, will have to be regenerated
after this CL)

This moves mediacodec to vendor so it is replaced with
hal_omx_server. The main benefit of this is that someone
can create their own implementation of mediacodec without
having to alter the one in the tree. mediacodec is still
seccomp enforced by CTS tests.

Fixes: 36375899
Test: (sanity) YouTube
Test: (sanity) camera pics + video
Test: check for denials
Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e
2018-05-30 18:12:32 +00:00
Joel Galenson
06e09abd25 Track cppreopts SELinux denial.
This should help fix presubmit tests.

Bug: 79414024
Test: Built policy.
Change-Id: Ic840150767ff6c2799ac3b5ef22ba139108c94dd
2018-05-08 08:43:07 -07:00
Joel Galenson
5c87b8797b Track otapreopt_chroot postinstall_file SELinux denial.
Bug: 75287236
Test: Built policy.
Change-Id: I90301c33fd8c20e96cfbb424eaf80978e79c34f0
2018-04-24 10:25:22 -07:00
Joel Galenson
8c0d460907 Track radio SELinux denial.
This should help fix presubmit tests.

Bug: 78456764
Test: Built policy.
Change-Id: I7ec5afa83417770731d309d5a57b8a94afa24453
2018-04-23 09:38:24 -07:00
Alan Stokes
62913dbfd2 Remove fixed bug from bug_map.
Bug: 77816522
Bug: 73947096

Test: Flashed device, no denial seen
Change-Id: Ib2f1fc670c9a76abbb9ff6747fec00fa5bcde5af
2018-04-18 17:11:45 +01:00
Joel Galenson
f55786cfce Add bug_map entries for bugs we've seen.
This adds numerous bug_map entries to try to annotate all denials
we've seen.

Bug: 78117980
Test: Build
Change-Id: I1da0690e0b4b0a44d673a54123a0b49a0d115a49
2018-04-16 10:31:38 -07:00
Jeff Vander Stoep
4c402df7e3 whitelist test failure that bypassed presubmit
avc: denied { read } for comm="batterystats-wo" name="show_stat" dev="sysfs"
scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file

Bug: 77816522
Test: build
Change-Id: I50a9bfe1a9e4df9c84cf4b2b4aedbb8f82ac94cd
(cherry picked from commit 2ccd99a53a)
2018-04-13 14:36:11 -07:00
Jeff Vander Stoep
9dc1d5381f priv_app: remove more logspam
avc: denied { read } for name="ext4" dev="sysfs" ino=32709
scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0
tclass=dir permissive=0 b/72749888
avc: denied { read } for name="state" dev="sysfs" ino=51318
scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:sysfs_android_usb:s0 tclass=file permissive=0
b/72749888

Bug: 72749888
Test: build/boot taimen-userdebug. No more logspam
Change-Id: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e
Merged-In: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e
(cherry picked from commit 558cdf1e99)
2018-04-11 08:20:36 +09:00
Joel Galenson
c6b5a96bb6 Track storaged SELinux denial.
This should help fix presubmit tests.

Bug: 77634061
Test: Built policy.
Change-Id: Ib9f15c93b71c2b67f25d4c9f949a5e2b3ce93b9c
2018-04-05 10:39:03 -07:00