Commit graph

89 commits

Author SHA1 Message Date
Greg Kaiser
f62ef0d798 zygote: Add setattr permission to cgroup
Credit to Himanshu Agrawal <quic_hagraw@quicinc.com> for this fix.

Like we do with cgroup_v2, we set attribute permission to cgroup
as well.

Test: On a Go device, which uses cgroup instead of cgroup_v2
Bug: 209933729
Change-Id: I5d58c9f549d205f1a8bdce6c5fba1cc833f2b492
2021-12-16 14:14:29 -08:00
Daniel Norman
cf2499a0ba Allow zygote to canonicalize vendor apex paths.
Bug: 199200417
Test: Build cuttlefish with an 'android'-targeting RRO in a
      vendor APEX. Observe no SELinux errors.
Change-Id: I4c73cb6d98b70282e10354d2596b261bd7c409db
2021-10-18 16:25:14 +00:00
sunny.kuo
1535fbb0b0 Allow Zygote to unmount labeledfs
As "/storage/emulated/0/Android/obb, /storage/emulated/0/Android/data" might be labeledfs (f2fs),
Zygote needs to be allowed to unmount labeledfs while unmounting "/storage".

Here's the warning if we do not add it.
avc: denied { unmount } for scontext=u:r:zygote:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0

Bug:192989523
Test:adb shell stop; adb shell start; check no warning log
Change-Id: I74ce9bed29ec7da536a261a4fea25628f3d382ef
2021-07-14 10:09:20 +08:00
Orion Hodson
f135ce393c Allow zygotes and installd to read odsign properties
Bug: 192049377
Test: manual
Change-Id: I88cfd0b7fa63f195a1ec8f498c106cbf95f649ec
2021-07-01 14:18:51 +01:00
Thiébaud Weksteen
9ec532752d Add fusefs_type for FUSE filesystems
Any FUSE filesystem will receive the 'fuse' type when mounted. It is
possible to change this behaviour by specifying the "context=" or
"fscontext=" option in mount().

Because 'fuse' has historically been used only for the emulated storage,
it also received the 'sdcard_type' attribute. Replace the 'sdcard_type'
attribute from 'fuse' with the new 'fusefs_type'. This attribute can be
attached on derived types (such as app_fusefs).

This change:
- Remove the neverallow restriction on this new type. This means any
  custom FUSE implementation can be mounted/unmounted (if the correct
  allow rule is added). See domain.te.
- Change the attribute of 'fuse' from 'sdcard_type' to 'fusefs_type'.
  See file.te.
- Modify all references to 'sdcard_type' to explicitly include 'fuse'
  for compatibility reason.

Bug: 177481425
Bug: 190804537
Test: Build and boot aosp_cf_x86_64_phone-userdebug
Change-Id: Id4e410a049f72647accd4c3cf43eaa55e94c318f
2021-06-28 13:18:46 +02:00
Ricky Wai
f07dcee430 Isolate app profile ref data
Due to aosp/1708274, ref data directory is now world accessible.
We need to fix ref data directory so that it does not leak app
visibility information.

Bug: 189787375
Test: AppDataIsolationTests
Change-Id: I4170bbe2eed672c765ee6a28bbc29ab683f67a0a
2021-06-08 12:19:46 +01:00
Alan Stokes
9b0058ed0d Merge "Allow zygote to mount obb and data dirs on top of the mounted dirs." 2021-03-23 17:25:18 +00:00
Ricky Wai
7398c147fe Allow zygote to mount obb and data dirs on top of the mounted dirs.
As data and obbs are already mounted to lowerfs, and we need per app visibility isolation to mount
on those directories.

Here's the warning if we do not add it.
3094  3094 W main    : type=1400 audit(0.0:36): avc: denied { mounton } for path="/storage/emulated/0/Android/obb" dev="dm-5" ino=9206 scontext=u:r:zygote:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=0


Bug: 182997439
Test: No selinux warnings during boot.
Change-Id: Id78d793e70acf0d7699c006e19db6d7fda766bf1
2021-03-22 11:07:06 +00:00
Janis Danisevskis
b488a8fe1a Keystore 2.0: Remove keystore2.enable property.
Bug: 171563717
Test: N/A
Change-Id: I85819a71dc24777a9d54f0c83b8b29da9f48cec1
2021-03-19 10:07:49 -07:00
Treehugger Robot
baf84ee461 Merge "Add SELinux policy for using userfaultfd" 2021-03-17 15:04:51 +00:00
Lokesh Gidra
06edcd8250 Add SELinux policy for using userfaultfd
ART runtime will be using userfaultfd for a new heap compaction
algorithm. After enabling userfaultfd in android kernels (with SELinux
support), the feature needs policy that allows { create ioctl read }
operations on userfaultfd file descriptors.

Bug: 160737021
Test: Manually tested by exercising userfaultfd ops in ART
Change-Id: I9ccb7fa9c25f91915639302715f6197d42ef988e
2021-03-17 04:57:22 -07:00
Ricky Wai
d240d2be77 Dontaudit zygote to read and open media_rw_data_file dir
Zygote will trigger sdcardfs to read and open media_rw_data_file:dir.
We can safely ignore this message.

Bug: 177248242
Test: Able to boot without selinux warning.
Change-Id: Ie9723ac79547bf857f55fc0e60b461210a4e4557
2021-03-04 11:08:33 +00:00
Roman Kiryanov
f6afebf934 Move qemu.sf.lcd_density into system/sepolicy
qemu.sf.lcd_density is rerefenced by surfaceflinger
and zygote.

Bug: 178144237
Test: presubmit
Signed-off-by: Roman Kiryanov <rkir@google.com>
Change-Id: Iede75d1170aeac9d020d60a3a66a1f69cee46abf
Merged-In: Iede75d1170aeac9d020d60a3a66a1f69cee46abf
2021-02-23 20:15:33 -08:00
Marco Ballesio
aa4ce95c6f sepolicy: rules for uid/pid cgroups v2 hierarchy
Bug: 168907513
Test: verified the correct working of the v2 uid/pid hierarchy in normal
and recovery modes

This reverts commit aa8bb3a29b.

Change-Id: Ib344d500ea49b86e862e223ab58a16601eebef47
2021-02-11 23:40:38 +00:00
Marco Ballesio
aa8bb3a29b Revert^3 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
a54bed6907

Bug: 151660495
Test: verified proper boot in regular mode and proper working of adb in
recovery

Change-Id: Id70d27a6162af6ede94661005d80a2a780057089
2021-02-04 22:33:14 +00:00
Marco Ballesio
a54bed6907 Revert^2 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
51c04ac27b

Change-Id: Idc35a84b5faabfb9bdd7a7693f51b11938eb0489
2021-01-27 06:07:48 +00:00
Orion Hodson
8f75f76fbd Permissions for odrefresh and /data/misc/apexdata/com.android.art
odrefresh is the process responsible for checking and creating ART
compilation artifacts that live in the ART APEX data
directory (/data/misc/apexdata/com.android.art).

There are two types of change here:

1) enabling odrefresh to run dex2oat and write updated boot class path
   and system server AOT artifacts into the ART APEX data directory.

2) enabling the zygote and assorted diagnostic tools to use the
   updated AOT artifacts.

odrefresh uses two file contexts: apex_art_data_file and
apex_art_staging_data_file. When odrefresh invokes dex2oat, the
generated files have the apex_art_staging_data_file label (which allows
writing). odrefresh then moves these files from the staging area to
their installation area and gives them the apex_art_data_file label.

Bug: 160683548
Test: adb root && adb shell /apex/com.android.art/bin/odrefresh
Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
2021-01-13 10:38:22 +00:00
Alan Stokes
7aa40413ae Split user_profile_data_file label.
user_profile_data_file is mlstrustedobject. And it needs to be,
because we want untrusted apps to be able to write to their profile
files, but they do not have levels.

But now we want to apply levels in the parent directories that have
the same label, and we want them to work so they need to not be
MLS-exempt. To resolve that we introduce a new label,
user_profile_root_file, which is applied to those directories (but no
files). We grant mostly the same access to the new label as
directories with the existing label.

Apart from appdomain, almost every domain which accesses
user_profile_data_file, and now user_profile_root_file, is already
mlstrustedsubject and so can't be affected by this change. The
exception is postinstall_dexopt which we now make mlstrustedobject.

Bug: 141677108
Bug: 175311045
Test: Manual: flash with wipe
Test: Manual: flash on top of older version
Test: Manual: install & uninstall apps
Test: Manual: create & remove user
Test: Presubmits.
Change-Id: I4e0def3d513b129d6c292f7edb076db341b4a2b3
2020-12-11 17:35:06 +00:00
Jonglin Lee
51c04ac27b Revert "sepolicy: rules for uid/pid cgroups v2 hierarchy"
Revert submission 1511692-cgroup v2 uid/pid hierarchy

Reason for revert: Causing intermittent cgroup kernel panics
Reverted Changes:
I80c2a069b:sepolicy: rules for uid/pid cgroups v2 hierarchy
I73f3e767d:libprocessgroup: uid/pid hierarchy for cgroup v2

Bug: 174776875
Change-Id: I63a03bb43d87c9aa564b1436a45fd5ec023aac87
Test: Locally reverted and booted 100 times without kernel panic
2020-12-04 03:12:59 +00:00
Marco Ballesio
f46d7a26c1 sepolicy: rules for uid/pid cgroups v2 hierarchy
the cgroups v2 uid/gid hierarchy will replace cgroup for all sepolicy
rules. For this reason, old rules have to be duplicated to cgroup_v2,
plus some rules must be added to allow the ownership change for cgroup
files created by init and zygote.

Test: booted device, verified correct access from init, system_server
and zygote to the uid/pid cgroup files

Change-Id: I80c2a069b0fb409b442e1160148ddc48e31d6809
2020-11-30 11:46:14 -08:00
Alan Stokes
f8ad33985d Introduce app_data_file_type attribute.
This gives us an easy way for the policy to refer to all existing or
future types used for app private data files in type= assignments in
seapp_contexts.

Apply the label to all the existing types, then refactor rules to use
the new attribute.

This is intended as a pure refactoring, except that:
- Some neverallow rules are extended to cover types they previous
omitted;
- We allow iorap_inode2filename limited access to shell_data_file and
  nfc_data_file;
- We allow zygote limited access to system_app_data_file.

This mostly reverts the revert in commit
b01e1d97bf, restoring commit
27e0c740f1. Changes to check_seapp to
enforce use of app_data_file_type is omitted, to be included in a
following CL.

Test: Presubmits
Bug: 171795911
Change-Id: I02b31e7b3d5634c94763387284b5a154fe5b71b4
2020-11-11 14:43:36 +00:00
Alan Stokes
b01e1d97bf Revert "Introduce app_data_file_type attribute."
This reverts commit 27e0c740f1.

Reason for revert: b/172926597

Change-Id: Id2443446cbdf51dc05b303028377895b9cf2a09e
2020-11-10 18:02:14 +00:00
Alan Stokes
27e0c740f1 Introduce app_data_file_type attribute.
This gives us an easy way for the policy to refer to all existing or
future types used for app private data files in type= assignments in
seapp_contexts.

Apply the label to all the existing types, then refactor rules to use
the new attribute.

This is intended as a pure refactoring, except that:
- Some neverallow rules are extended to cover types they previous
omitted;
- We allow iorap_inode2filename limited access to shell_data_file and
  nfc_data_file;
- We allow zygote limited access to system_app_data_file.

Also extend check_seapp to check that all types specified in
seapp_contexts files have the attribute, to ensure that the neverallow
rules apply to them. As a small bonus, also verify that domain and
type values are actually types not attributes.

Test: Presubmits
Test: Manual: specify an invalid type, build breaks.
Bug: 171795911
Change-Id: Iab6018af449dab3b407824e635dc62e3d81e07c9
2020-11-09 11:04:02 +00:00
Janis Danisevskis
202e8636ac Add policy for property ro.android.security.keystore2.enable
Bug: 171563717
Bug: 171305684
Test: N/A
Change-Id: I323081fd2ce2fee80951c3d1e19b9935e4596705
2020-10-27 09:49:18 -07:00
Ricky Wai
15fb633cb5 Allow zygote to read storage properties
Bug: 151316657
Test: Able to boot without warnings
Change-Id: If53e472b560d5cf73c145d668bc462ca6881fe4e
2020-06-30 10:27:58 +01:00
Inseob Kim
6ffdf1b001 Add new context packagemanager_config_prop
To remove bad context names exported[23]_default_prop

Bug: 155844385
Test: m selinux_policy
Change-Id: Ic4bbc8e45d810368a96f6985c2234798e73be82d
Merged-In: Ic4bbc8e45d810368a96f6985c2234798e73be82d
(cherry picked from commit 072b01438e)
2020-06-19 17:47:19 +09:00
Jiyong Park
93a99cf8fc Introduce apex_info_file type
/apex/apex-info-file.xml is labeled as apex_info_file. It is
created/written by apexd once by apexd, and can be read by zygote and
system_server. The content of the file is essentially the same as the
return value of getAllPackages() call to apexd.

Bug: 154823184
Test: m
Merged-In: Ic6af79ddebf465b389d9dcb5fd569d3a786423b2
(cherry picked from commit f1de4c02cc)
Change-Id: Ic6af79ddebf465b389d9dcb5fd569d3a786423b2
2020-05-27 09:35:11 +09:00
Ricky Wai
037e11b86e Ignore errors that zygote tries to setattr media_rw_data_file dir
Bug: 152043945
Test: No selinux error in boot
Change-Id: Id01377e6b8c7be9103bd1dec3283cf720e6f6af9
2020-03-23 17:13:00 +00:00
Pawin Vongmasa
76d7cf961e Allow XML file paths to be customized with sysprop
Three properties are declared as vendor-init-settable:
ro.media.xml_variant.codecs
ro.media.xml_variant.codecs_performance
ro.media.xml_variant.profiles

media_codecs.xml can now be named
media_codecs${ro.media.xml_variant.codecs}.xml

media_codecs_performance.xml can now be named
media_codecs_performance${ro.media.xml_variant.codecs_performance}.xml

media_profiles_V1_0 can now be named
media_profiles${ro.media.xml_variant.profiles}.xml

Test: Rename "media_codecs.xml" to "media_codecs_test.xml",
set ro.media.xml_variant.codecs to "_test", then
call "stagefright -i".

Test: Rename "media_codecs_performance.xml" to
"media_codecs_performance_test.xml",
set ro.media.xml_variant.codecs_performance to "_test", then
run android.media.cts.VideoDecoderPerfTest.

Test: Rename "media_profiles_V1_0.xml" to "media_profiles_test.xml",
set ro.media.xml_variant.profiles to "_test", then
run vts_mediaProfiles_validate_test.

Bug: 142102953
Change-Id: I407a0a327fcc8e799bb4079b11048a497565be48
2020-03-18 06:02:55 -07:00
Ricky Wai
ad538514a7 Allow zygote to go into media directory to bind mount obb dir
Bug: 148049767
Change-Id: I2134de4df0db3268340fcfec6ad1cb8a94e3e8f9
2020-02-19 14:24:27 +00:00
Zimuzo Ezeozue
5119becf5d Merge "Grant vold, installd, zygote and apps access to /mnt/pass_through" 2020-01-28 22:26:58 +00:00
Zim
fcf599c89c Grant vold, installd, zygote and apps access to /mnt/pass_through
/mnt/pass_through was introduced to allow the FUSE daemon unrestricted
 access to the lower filesystem (or sdcardfs).

At zygote fork time, the FUSE daemon will have /mnt/pass_through/0
bind mounted to /storage instead of /mnt/user/0. To keep /sdcard
(symlink to /storage/self/primary) paths working, we create a
'self' directory  with an additional 'primary' symlink to
/mnt/pass_through/0/emulated/0 which is a FUSE mount point.

The following components need varying sepolicy privileges:

Vold: Creates the self/primary symlink and mounts the lower filesystem
on /mnt/pass_through/0/emulated. So needs create_dir and mount access
+ create_file access for the symlink

zygote: In case zygote starts an app before vold sets up the paths.
This is unlikely but can happen if the FUSE daemon (a zygote forked app)
is started before system_server completes vold mounts.
Same sepolicy requirements as vold

installd: Needs to clear/destroy app data using lower filesystem
mounted on /mnt/pass_through so needs read_dir access to walk
/mnt/pass_through

priv_app (FUSE daemon): Needs to server content from the lower
filesystem mounted on /mnt/pass_through so needs read_dir access to
walk /mnt/pass_through

Bug: 135341433
Test: adb shell ls /mnt/pass_through/0/self/primary
Change-Id: I16e35b9007c2143282600c56adbc9468a1b7f240
2020-01-28 20:56:36 +00:00
Treehugger Robot
b9b2acff99 Merge "Whitelisting window_manager_native_boot system property" 2020-01-24 19:52:07 +00:00
Valerie Hau
7b2a2dff0c Whitelisting window_manager_native_boot system property
Bug: 147096935
Test: build, boot

Change-Id: Iadeefa3cfc9bb17eb19b60dbd18de047fa01b673
2020-01-21 22:54:49 +00:00
Jing Ji
2b12440ff7 Add rules for an unix domain socket for system_server
System_server will listen on incoming packets from zygotes.

Bug: 136036078
Test: atest CtsAppExitTestCases:ActivityManagerAppExitInfoTest
Change-Id: I42feaa317615b90c5277cd82191e677548888a71
2020-01-16 16:09:48 -08:00
Ricky Wai
ca6e01aa53 Allow zygote to bind mount /data/misc/profiles/cur
Bug: 143937733
Test: No denials at boot
Test: No denials seen when creating moun
Change-Id: Ia6b196dde6ed511ebff53b03891122b1120fec07
2020-01-14 11:34:15 +00:00
Ricky Wai
b2b7c02e7d Allow zygote to relabel CE and DE dirs from tmpfs to system_data_file
Also, allow zygote to scan dirs in /mnt/expand and relabel.

Test: No denials at boot
Test: No denials seen when creating mounts
Bug: 143937733
Change-Id: I86e77d27f5e9fb2f5852f787c7e5d9179c7404aa
2020-01-10 14:26:40 +00:00
Ricky Wai
5b1b423039 Allow Zygote and Installd to remount directories in /data/data
Zygote/Installd now can do the following operations in app data directory:
- Mount on it
- Create directories in it
- Mount directory for each app data, and get/set attributes

Bug: 143937733
Test: No denials at boot
Test: No denials seen when creating mounts
Change-Id: I6e852a5f5182f1abcb3136a3b23ccea69c3328db
2019-12-13 12:30:26 +00:00
Martijn Coenen
357eb193e9 Revert "Temporarily relax Zygote storage mounting rules."
This reverts commit 9f02b30a72.

This is no longer needed, because we never shipped app storage
sandboxes.

Bug: 130812417
Test: builds
Change-Id: Ia1f51db4904742d2ef15222f2350c67af0dd4a28
2019-11-22 16:02:07 +01:00
Tri Vo
f25025f6ff Reland "sepolicy: fix zygote JIT permissions w.r.t. ashmem"
zygote now allocates JIT memory using libcutils API (aosp/1135101)
instead of going to /dev/ashmem directly, which requires execute
permissions to ashmem_libcutils_device.

Bug: 134434505
Change-Id: I3b5eeac1ec06d8d70da327743174ca83eec6b41c
Test: boot crosshatch
2019-10-15 22:26:56 +00:00
Orion Hodson
09d9076513 Revert "sepolicy: fix zygote JIT permissions w.r.t. ashmem"
This reverts commit 7120b72a9b.

Reason for revert: http://b/142742451

Change-Id: Ib857e0a56a83c0466b92f944421e3bd11c9279b4
2019-10-15 21:15:44 +00:00
Tri Vo
7120b72a9b sepolicy: fix zygote JIT permissions w.r.t. ashmem
zygote now allocates JIT memory using libcutils API (aosp/1135101)
instead of going to /dev/ashmem directly, which requires execute
permissions to ashmem_libcutils_device.

Bug: 134434505
Test: boot crosshatch
Change-Id: I0a54d64bd4656fafd2f03701d7828cfa94c08f04
2019-10-08 11:31:46 -07:00
Tri Vo
08bf97db8c sepolicy: allow zygote to use ashmem fds
Ashmem FD selinux labels have recently been changed (aosp/1127917) from
"ashmemd" to the label of the whichever process opens the fd, which
resulted in the following denial:

avc: denied { use } for
path="/dev/ashmemf5dc2dbf-d1e7-457e-b694-93c84704135e" dev="tmpfs"
ino=18972 ioctlcmd=0x7704 scontext=u:r:zygote:s0
tcontext=u:r:system_server:s0 tclass=fd permissive=1

Test: m selinux_policy
Change-Id: I4880420014bda21cd4f83e3d6190c3cfaa76822f
2019-10-02 15:25:48 -07:00
Nicolas Geoffray
f77e8c1b0c Allow zygote to create fds and map executable.
This is so that zygote can create the JIT cache with memfd_create
(or ashmem when memfd is not available).

Test: boot
Bug: 119800099
Change-Id: I88f1f6b1c930a8d22985b306a238f60b4af59f9c
2019-06-17 20:18:23 +01:00
Ryan Mitchell
ef1a64e231 Allow zygote to scan static overlays on /oem
During preloading resources, zygote scans the overlay directories of
supported partitions looking for android RROs to apply statically. Zygote
currently is allowed to read overlays in /oem/overlay, but zygote does
not have the search permission to be able to scan /oem.

Without this patch, this denial is logged:
04-04 14:57:40.136   876   876 I auditd  : type=1400 audit(0.0:9):
avc: denied { search } for comm="main" name="oem" dev="dm-3" ino=46
scontext=u:r:zygote:s0 tcontext=u:object_r:oemfs:s0 tclass=dir
permissive=0

Bug: 121033532
Test: booting without denials and stat oem succeeds
Change-Id: I661f3e0aff7ec3513870d08ddc122fc359b8f995
2019-04-17 16:06:34 +00:00
Steven Moreland
c46e31c961 private: allow zygote mnt_expand_file:dir getattr;
zygote is using this permission to preload Java libraries.

Bug: 128529256
Test: boot
Change-Id: If7e56409ae0171f5a04eadb2c297c865f9d4ffaf
2019-03-20 16:26:43 +00:00
Cheney Ni
e55a74bdff Add rules for accessing the related bluetooth_audio_hal_prop
This change allows those daemons of the audio and Bluetooth which
include HALs to access the bluetooth_audio_hal_prop. This property is
used to force disable the new BluetoothAudio HAL.
  - persist.bluetooth.bluetooth_audio_hal.disabled

Bug: 128825244
Test: audio HAL can access the property
Change-Id: I87a8ba57cfbcd7d3e4548aa96bc915d0cc6b2b74
2019-03-20 03:12:25 +00:00
Andreas Gampe
08450264ae Sepolicy: Allow zygote to pick up dalvikcache artifacts
Allow the zygote to pick up integrity-checked boot classpath
artifacts from the dalvik cache.

Bug: 125474642
Test: m
Test: manual
Merged-In: I45d760c981c55a52bd0b22c79a9cba4868a09528
Change-Id: I45d760c981c55a52bd0b22c79a9cba4868a09528
2019-03-19 10:36:12 -07:00
Sudheer Shanka
a3423bb74b Update a comment to match the latest rules.
Test: n/a
Change-Id: Ib45a25b3c9b987f56c350b91d72caca8a16fb52e
2019-02-14 11:48:49 -08:00
Sudheer Shanka
868c075e0e Allow zygote to create files under sdcardfs.
sdcardfs will automatically try to create .nomedia file
under Android/{data,obb} and this is being attributed
to whoever is trying to create Android/{data,obb} dirs.
Earlier this is used to done from app context but now
zygote handles the creation of these dirs.

Bug: 124345887
Test: manual
Change-Id: I96feada2f5edff2ece2586a532b069a58a36dd3b
2019-02-14 18:49:57 +00:00