Commit graph

13644 commits

Author SHA1 Message Date
Jerry Zhang
1d40154575 Add functionfs access to system_server.
UsbDeviceManager in system_server now
helps set up the endpoint files.

Bug: 72877174
Test: No selinux denials
Change-Id: I96b11ee68799ac29b756d2034e7f5e4660dbed98
2018-03-01 12:07:15 -08:00
Alan Stokes
17d008ae73 Allow hal_vibrator access to sysfs_vibrator files.
We already grant rw file access, but without dir search it's not much
use.

denied { search } for name="vibrator" dev="sysfs" ino=49606 scontext=u:r:hal_vibrator_default:s0 tcontext=u:object_r:sysfs_vibrator:s0 tclass=dir permissive=0

Bug: 72643420
Test: Builds, denial gone
Change-Id: I3513c0a14f0ac1e60517009046e2654f1fc45c66
2018-03-01 14:30:52 +00:00
huans
a6acef9a9e Add shell:fifo_file permission for cameraserver
Bug: 73952536
Test: run cts -m CtsCameraTestCases -t android.hardware.camera2.cts.IdleUidTest#testCameraAccessBecomingInactiveUid
Change-Id: I508352671367dfa106e80108c3a5c0255b5273b2
2018-02-28 16:12:40 -08:00
Treehugger Robot
609aa6b83a Merge "kernel: exempt from vendor_file restrictions" 2018-02-28 20:30:36 +00:00
Treehugger Robot
5b1c3b690d Merge "system_server: grant read access to vendor/framework" 2018-02-28 19:47:35 +00:00
Jeff Vander Stoep
1242c940ef kernel: exempt from vendor_file restrictions
The kernel is unusual in that it's both a core process and vendor
provided. Exempt it from the restriction against accessing files
on /vendor. Also, rework the neverallow rule so that it disallows
opening/modifying files, but allows reading files passed over IPC.

Bug: 68213100
Test: build (this is a build-time test)
Change-Id: I2f6b2698ec45d2e8480dc1de47bf12b9b53c4446
2018-02-28 18:06:37 +00:00
Jeff Vander Stoep
9e33565cf0 system_server: grant read access to vendor/framework
avc: denied { getattr } for path="/vendor/framework"
scontext=u:r:system_server:s0 tcontext=u:object_r:vendor_framework_file:s0
tclass=dir

Bug: 68826235
Test: boot Taimen, verify denials no longer occur.
Change-Id: Id4b311fd423342c8d6399c3b724417aff9d1cd88
2018-02-28 17:59:22 +00:00
Haynes Mathew George
ebc7b434e2 audio: Enable vndbinder use from hal_audio
Allow hal audio to use vndbinder

Change-Id: I83fc8d5b873bfc4e36f44e423d5740cb5e9739ee
2018-02-28 08:56:56 -08:00
Ajay Panicker
e32d94064f Allow audioserver to access Bluetooth Properties
Now that Bluetooth supports delay reporting, audioserver needs
access to Bluetooth Properties in order to determine whether the
feature is enabled or disabled.

Bug: 32755225
Test: Enable the property and see that there was no error accessing it
Change-Id: I519d49deb2df4efb3cc2cce9c6d497db18b50c13
2018-02-28 04:09:33 +00:00
Treehugger Robot
969d8cc4dd Merge "Silence expandtypeattribute build-time warning." 2018-02-28 00:30:19 +00:00
Treehugger Robot
a6c6c046b8 Merge changes from topic "27_mapping_test"
* changes:
  Enable treble_sepolicy_tests against 27.0 release.
  Refactor build rule for treble sepolicy tests.
2018-02-28 00:30:19 +00:00
Treehugger Robot
40a8bce69d Merge "Clean up bug_map." 2018-02-28 00:03:27 +00:00
Jaekyun Seok
b47efe346e Allow vendor-init-settable to persist.sys.zram_enabled
persist.sys.zram_enabled is set in vendor/build.prop in taimen and walleye,
which was added after the initial whitelist.
go/treble-sysprop-compatibility requires whitelisting such a property to
allow it to be overridden by vendor/{default|build}.prop.

Bug: 73905119
Test: succeeded building and tested with taimen
Change-Id: I931182aa05eb90c14df6e2c7cc26913f3874fa18
2018-02-27 23:22:32 +00:00
Treehugger Robot
d5996eca28 Merge "Allow vendor-init-settable for ro.radio.noril" 2018-02-27 23:18:41 +00:00
Tri Vo
9299d93942 Enable treble_sepolicy_tests against 27.0 release.
Bug: 69390067
Test: build sepolicy
Change-Id: I4fc7438e4f825281d93a2849be9d2db819bea4ca
2018-02-27 14:26:48 -08:00
Tri Vo
1406926d09 Refactor build rule for treble sepolicy tests.
Bug: 69390067
Test: policy builds
Change-Id: I9b29a88ec071a17fc429892b5a8720b15fcbcf32
2018-02-27 14:26:31 -08:00
Joel Galenson
40c112c859 Clean up bug_map.
Remove a fixed bug from bug_map.

Bug: 73068008
Test: Built policy.
Change-Id: Id0072788953cb6b939a11caace0158da7799f540
2018-02-27 14:17:48 -08:00
Treehugger Robot
6ffa76ea78 Merge "Allow init to create & write to vibrator/trigger." 2018-02-27 15:34:15 +00:00
Alan Stokes
cf71a5ae60 Suppress noisy performanced denials in permissive mode.
The sheer volume of these can cause confusion.

Sample denials (repeated for many processes):
denied { getattr } for path="/proc/1/status" dev="proc" ino=24427 scontext=u:r:performanced:s0 tcontext=u:r:init:s0 tclass=file permissive=1
denied { open } for path="/proc/1" dev="proc" ino=18608 scontext=u:r:performanced:s0 tcontext=u:r:init:s0 tclass=dir permissive=1
denied { open } for path="/proc/1/status" dev="proc" ino=24427 scontext=u:r:performanced:s0 tcontext=u:r:init:s0 tclass=file permissive=1
denied { read } for name="status" dev="proc" ino=24427 scontext=u:r:performanced:s0 tcontext=u:r:init:s0 tclass=file permissive=1

Bug: 72643420
Test: Denials no longer present in permissive mode.
Change-Id: Ic07b9b0b59ca2122c4843095b63075ab8fd2c70b
2018-02-27 10:42:12 +00:00
Alan Stokes
5a570606ec Allow init to create & write to vibrator/trigger.
The write is here: https://android.googlesource.com/platform/system/core/+/master/rootdir/init.rc#257.

Denials (on a device with the sysfs_vibrator label properly applied):
denied { write } for name="vibrator" dev="sysfs" ino=49613 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_vibrator:s0 tclass=dir
denied { write } for name="trigger" dev="sysfs" ino=49620 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_vibrator:s0 tclass=file
denied { open } for path="/sys/devices/<redacted>/vibrator/trigger" dev="sysfs" ino=49620 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_vibrator:s0 tclass=file

Bug: b/72643420
Test: Device boots, denials gone

Change-Id: Ib50d9a8533303daccb1330685e3204bea3fbd8a8
2018-02-27 10:17:52 +00:00
Treehugger Robot
f98cd4faab Merge "Statsd sepolicy for thermal hal" 2018-02-27 06:41:49 +00:00
Tej Singh
c26ac738e5 Statsd sepolicy for thermal hal
Updates statsd sepolicy so it can use the thermal hal.

Test: verified these policies solved sepolicy issues with thermal hal.
Change-Id: I36839a72494b084d5742c4d83c3ce9814102b974
2018-02-26 20:32:58 -08:00
Jaekyun Seok
4a62c060e3 Allow vendor-init-settable for ro.radio.noril
ro.radio.noril is used for modem-less products, including the emulator.

Bug: 73871799
Test: succeeded building and tested with taimen
Change-Id: I2270374a2523889aa4874840594d8267614f93ad
2018-02-26 23:10:10 +00:00
Yin-Chia Yeh
77c7d6fa8a hal_camera: Allow writing dump info into pipes
So dumpsys media.camera can do hal dump without root.

Bug: 72261676
Change-Id: Ic7325418bc2ee5dbb005430135f1ccc88b418e8c
2018-02-26 14:53:39 -08:00
Treehugger Robot
e091dc9051 Merge "Add removed webview_zygote_socket to 27 mapping file." 2018-02-26 19:34:29 +00:00
Tri Vo
adf11f4caa Add removed webview_zygote_socket to 27 mapping file.
Bug: 69390067
Test: manual run of treble_sepolicy_tests
Change-Id: I19252eb743e6527cbe262b1e066a3f67f7186994
2018-02-26 09:09:24 -08:00
Treehugger Robot
821c44421e Merge "Thank you" 2018-02-24 14:57:47 +00:00
Treehugger Robot
518648e5d4 Merge "Allow traced_probes to list the system partition" 2018-02-23 23:52:12 +00:00
Bookatz
c9f205b56a Fix benign statsd selinux violations
These two selinux policy violations keep showing up from statsd's CTS
tests, although statsd and the CTS test seemed to function fine despite
them. Nonetheless, they seem reasonable to add to the list.

Bug: 73548694
Test: N/A. It didn't seem to be causing any issues in the first place.
Change-Id: Id36c5229c0d7de83675166caeb07c87b719dc374
2018-02-23 13:06:32 -08:00
Nick Kralevich
46eaa82e35 Thank you
After 9 amazing years with Android, it's time to try something new.
I've moved over to Fuchsia (https://en.wikipedia.org/wiki/Google_Fuchsia)
where I'll be helping define security for a new, experimental operating
system.

My time in Android has been the most rewarding of my life. I couldn't
be more proud of our work in creating a trustworthy operating system
used by billions(!) of people, from rich to poor. It's quotes like this
which give me the warm fuzzies:

  https://threatpost.com/whats-new-in-android-8-0-oreo-security/128061/

  "Android O is a big step forward," said Duo Security’s Lady.
  He said with O, Google closes the security gap on the iPhone.
  "It used to be if you cared about security you had to pay a
  premium and buy an iPhone. Soon, even a $50 Android device
  running O will be on par with a $1,000 iPhone X when it comes
  to security."

The platform team is in good hands, with Rene Mayrhofer now leading the
charge to make Android the most secure, privacy preserving operating
system in existence. And thank you to the rest of the team for making
my time in Android so wonderful.

And a special thank you to Stephen Smalley of the Trusted Systems
Research Group for his leadership and guidance. Android Security would
not be where it is today without you.

=====

Keeping with the principle of least privilege, this change removes
myself from the OWNERS file for system/sepolicy. Let us always strive to
build systems so strong that we ourselves cannot even break into them,
and so private that people can trust us with their most sensitive data.

=====

Test: Tested every day by billions of users. ;-)
Change-Id: Ia7d0f3f75fdbd69cc720d02fd5a9b9e92ae607ae
2018-02-23 10:33:00 -08:00
Florian Mayer
ef6358bb77 Allow traced_probes to list the system partition
Relevant denies:

[    2.560660] type=1400 audit(1519404055.529:9): avc: denied { read }
for pid=896 comm=traced_probes name=system dev=sda22 ino=17
scontext=u:r:traced_probes:s0 tcontext=u:object_r:system_file:s0
tclass=dir permissive=0

Allowing only read then gives:
[    2.554718] type=1400 audit(1519404863.506:9): avc: denied { open }
for pid=890 comm="traced_probes" path="/system" dev="sda22" ino=17
scontext=u:r:traced_probes:s0 tcontext=u:object_r:system_file:s0
tclass=dir permissive=0

Test: flashed and ran directory listing code.
Bug: 73625480
2018-02-23 17:35:42 +00:00
Robert Sesek
869562e9e3 Remove rules for starting the webview_zygote as a child of init.
The webview_zygote is now launched as a child-zygote process from the
main zygote process.

Bug: 63749735
Test: m
Test: Launch "Third-party licenses" activity from Settings, and it
      renders correctly via the WebView.
Merged-In: I9c948b58a969d35d5a5add4b6ab62b8f990645d1
Change-Id: I153476642cf14883b0dfea0d9f5b3b5e30ac1c08
2018-02-23 10:55:22 -05:00
Jeff Vander Stoep
7636d6071a Useful neverallow errors
Neverallow errors include the file name and line number of the
violated rule. However, if multiple neverallow rules are included
within a single macro, then the line number is for the entire macro,
not the individual neverallow rule that is violated. To fix this,
only include one neverallow rule per macro.

This changes nothing on device, nor does it change the results of
compilation, it only makes the printed errors more useful.

Bug: 69139821
Test: build aosp_taimen-userdebug (neverallow rules are build time
    tests)

Change-Id: Id0fc5906431db20e71265c7e9d55fbee4bdf53db
2018-02-23 07:55:14 +00:00
Sandeep Patil
34e35e9e95 Add label for kernel test files and executables
This is required for the kernel to do loopback mounts on filesystem
images created by the kernel system call tests in LTP.

Add a corresponding neverallow to stop all domains from accessing
the location at /data/local/tmp/ltp.

Bug: 73220071
Test: Boot sailfish successfully
Test: run vts-kernel -m VtsKernelLtp -t syscalls.fchown04

Change-Id: I73f5f14017e22971fc246a05751ba67be4653bca
Signed-off-by: Sandeep Patil <sspatil@google.com>
2018-02-22 12:55:30 -08:00
Robert Sesek
63bcf4debb Allow zygote to setpgid on webview_zygote.
Bug: 73720684
Bug: 73720684
Test: m
Test: BootTest on taimen
Change-Id: I5a58fd1cce568cc50ba791f445f5c148eb87b474
2018-02-21 16:34:10 -05:00
Treehugger Robot
ba0310adcc Merge "Allow Traceur app to remove trace files." 2018-02-21 20:55:35 +00:00
Primiano Tucci
5ef6669b04 perfetto: Make producer socket MLS-aware
The previous selinux rules obtained via audit2allow didn't really
work with the case of apps connecting to the producer socket,
despite all the allow rules being correctly in place.
This was failing our CTS tests.

The reason for the failure (see denials pasted below) is due to
Multi Level Security (for multi-user), which was still preventing
apps from a different level to connect to the traced producer
socket and write to the shmem buffers they get passed back.
This CL tags the objects being accessed as mlstrusted.
CTS tests pass with this CL.

Denials:
avc: denied { write } for pid=8545 comm="traced_probes" name="traced_producer" dev="tmpfs" ino=23629 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=1
avc: denied { write } for pid=8545 comm="traced_probes" name="traced_producer" dev="tmpfs" ino=23629 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=1
avc: denied { connectto } for pid=8545 comm="traced_probes" path="/dev/socket/traced_producer" scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:traced:s0 tclass=unix_stream_socket permissive=1
avc: denied { connectto } for pid=8545 comm="traced_probes" path="/dev/socket/traced_producer" scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:traced:s0 tclass=unix_stream_socket permissive=1
avc: denied { write } for pid=8545 comm="traced_probes" path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=104483 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_tmpfs:s0 tclass=file permissive=1

Change-Id: I1598bc0b07bf39b8d0420b66caf06a4ca884f383
Bug: 73340039
Test: CtsPerfettoTestCases
2018-02-21 14:37:58 +00:00
Carmen Jackson
fa0bf19bd1 Allow Traceur app to remove trace files.
Bug: 73660835
Test: With the other commit on this topic, clearing all trace files via
the app works properly.

Change-Id: I27a4a5a14d9afe817683f1b046a644648a84badc
2018-02-20 17:03:08 -08:00
Treehugger Robot
fcd48fd593 Merge "Statsd selinux allow shell to interact with statsd" 2018-02-16 23:36:52 +00:00
Treehugger Robot
01624c82c8 Merge "Revert "Revert "Ensure only com.android.shell can run in the shell domain.""" 2018-02-16 22:06:47 +00:00
Primiano Tucci
daeea37e21 Merge "selinux: allow Perfetto traced_probes to write into kmesg" 2018-02-16 21:56:35 +00:00
Bookatz
18b8b8fc46 Statsd selinux allow shell to interact with statsd
To upload configs and download output, this line
is needed.

Bug: 72961153
Test: The statsd cts test passes
Change-Id: I0943cc841881dd5d15e24ba444b146087a81bf96
2018-02-16 13:28:04 -08:00
Max Bires
1a703fedc7 Revert "Revert "Ensure only com.android.shell can run in the shell domain.""
This reverts commit bf0c2a59f8.

Bug: 68126425
Test: No apps affected by not being able to run in shell domain
Change-Id: I8b93eecd023fbb392a98253d721dad75f79b61f4
Merged-In: I8b93eecd023fbb392a98253d721dad75f79b61f4
2018-02-16 10:46:09 -08:00
Treehugger Robot
50fa7be796 Merge "SELinux changes to accommodate starting the webview_zygote as a child of the zygote." 2018-02-16 16:38:52 +00:00
Primiano Tucci
d807d58825 selinux: allow Perfetto traced_probes to write into kmesg
This is to allow to leave audit trails in dmesg to cross-correlate
kernel panics with perfetto ftrace activity.

Bug: 73340039
Change-Id: I575a537553adc75378783c37c84350581250614d
2018-02-16 16:38:29 +00:00
Joel Galenson
f7ec413844 Dontaudit denials caused by race with labeling.
These denials seem to be caused by a race with the process that labels
the files.  While we work on fixing them, hide the denials.

Bug: 68864350
Bug: 70180742
Test: Built policy.
Change-Id: I58a32e38e6384ca55e865e9575dcfe7c46b2ed3c
2018-02-14 17:07:13 -08:00
Robert Sesek
febdfa4edf SELinux changes to accommodate starting the webview_zygote as a child of the zygote.
In this architecture, the system_server instructs the zygote to fork a
child-zygote to be the webview_zygote. The system_server tells this new
zygote to listen for fork requests on a random abstract unix socket of
its choosing.

A follow-up CL will remove the rules for starting webview_zygote via
init.

Bug: 63749735
Test: m
Test: Launch "Third-party licenses" activity from Settings, and it
      renders correctly via the WebView.
Merged-In: I864743943c11c18de386010ecd4b616721cb9954
Change-Id: I1c352e47b66eca3a3fa641daa6ecc3e7a889b54e
2018-02-14 19:00:48 -05:00
Treehugger Robot
946b4b76f0 Merge "Allow wpa_supplicant to read security logging property." 2018-02-14 18:47:26 +00:00
Treehugger Robot
5791086651 Merge "Track crash_dump selinux denial." 2018-02-14 17:53:00 +00:00
Pavel Grafov
54c9dafb5e Allow wpa_supplicant to read security logging property.
This is needed to allow it to log audit events, e.g. cert
validation failure.

Bug: 70886042
Test: manual, attempt connecting to EAP-TLS wifi with bad cert.
Merged-In: Ia1b0f3c6e02697fdb5018082d5c851f116013fb1
Change-Id: Ia1b0f3c6e02697fdb5018082d5c851f116013fb1
2018-02-14 17:07:35 +00:00