Commit graph

17253 commits

Author SHA1 Message Date
Nikita Ioffe
1ab6affc5c Allow dumpstate to write into privileged apps private files
Bug: 123006652
Bug: 111441001
Fix: 123006652
Test: Wrote a test app using BugreportManager, checked denials in logcat
Change-Id: Id1c4b1d166bc70aec833c3d644e8aea6ae94c35a
2019-01-23 23:13:23 +00:00
Treehugger Robot
b1f34ddaf7 Merge "Permissions for input_native_boot flags" 2019-01-23 23:08:07 +00:00
Ryan Savitski
283761cfca Merge "Allow heap profiling of certain app domains on user builds" 2019-01-23 03:23:12 +00:00
Treehugger Robot
1e6055f172 Merge "Add selinux policy for Sensors HAL 2.0" 2019-01-23 03:15:05 +00:00
Treehugger Robot
d99018cfd5 Merge "Add ro.surface_flinger.* to property_contexts" 2019-01-23 02:03:00 +00:00
Siarhei Vishniakou
c0c9155589 Permissions for input_native_boot flags
For input experiments that are enabled at boot time, allow system_server
to read and write the device config flags.

Bug: 120794829
Test: presubmit
Change-Id: I0f075a7579c593d4e07c3e31be529e34554068a6
2019-01-22 16:18:47 -08:00
Remi NGUYEN VAN
050936239c Merge "Fix permissions for bluetooth tethering." 2019-01-22 22:27:12 +00:00
Brian Stack
b8baed8fa7 Add selinux policy for Sensors HAL 2.0
Bug: 122267378
Test: Builds, no dmesg errors when starting Sensors HAL 2.0
Change-Id: Ieb52449579f72421bf8f36fb6af0cb110d04bd1c
2019-01-22 21:02:21 +00:00
Tri Vo
1b02031d18 Merge changes from topic "product_mapping_file"
* changes:
  Split mapping file into system and product parts
  Rename plat_pub_policy -> pub_policy
  Remove obsolete mapping build rules.
2019-01-22 18:49:21 +00:00
Hongyi Zhang
d71144a922 Merge "Clean up server_configurable_flags test prop" 2019-01-22 18:27:29 +00:00
Sundong Ahn
b9796da741 Add ro.surface_flinger.* to property_contexts
The ro.surface_flinger.* properties are added to property_contexts,
because these properties are located in the vendor partition, but the
surfaceflinger service which uses these properties is in the system
partition.

Bug: 112386364
Test: m -j & boot test
Change-Id: I98d71d4c03297a2a3fe92ba17bfdcb428f763753
2019-01-22 11:00:14 +09:00
Hongyi Zhang
f3db0085f0 Clean up server_configurable_flags test prop
Test: m -j & manually on device
Change-Id: I3f5ddeb26ddf1bf280ef5e7b3e62b4b892b83a3c
2019-01-22 01:42:36 +00:00
Leo Liou
51373ec7a3 Add selinux policy for ext4 fs-verity feature
avc: denied { read } for comm="init" name="verity" dev="sysfs" ino=44746
scontext=u:r:init:s0 tcontext=u:object_r:sysfs_fs_ext4_features:s0 tclass=file
permissive=0

Bug: 117437571
Test: bootable for phone projects
Change-Id: I4c53e03ec55c2064f1b23c0cbd0302de3f8aa38e
2019-01-22 08:12:54 +08:00
Ryan Savitski
ca0690e8eb Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.

These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.

For more context, see go/heapprofd-security & go/heapprofd-design.

Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.

Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-21 14:30:57 +00:00
Martijn Coenen
1bbda7e662 Initial sepolicy for app_zygote.
The application zygote is a new sort of zygote process that is a
child of the regular zygote. Each application zygote is tied to the
application for which it's launched. Once it's started, it will
pre-load some of the code for that specific application, much like
the regular zygote does for framework code.

Once the application zygote is up and running, it can spawn
isolated service processes that run in the isolated_app domain. These
services can then benefit from already having the relevant
application code and data pre-loaded.

The policy is largely the same as the webview_zygote domain,
however there are a few crucial points where the policy is different.

1) The app_zygote runs under the UID of the application that spawned
   it.
2) During app_zygote launch, it will call a callback that is
   controlled by the application, that allows the application to
   pre-load code and data that it thinks is relevant.

Especially point 2 is important: it means that untrusted code can run
in the app_zygote context. This context is severely limited, and the
main concern is around the setgid/setuid capabilities. Those concerns
are mitigated by installing a seccomp filter that only allows
setgid/setuid to be called in a safe range.

Bug: 111434506
Test: app_zygote can start and fork children without denials.
Change-Id: I1cc49ee0042d41e5ac6eb81d8f8a10ba448d4832
2019-01-21 08:24:41 +00:00
Remi NGUYEN VAN
44fd885246 Fix permissions for bluetooth tethering.
Allow bluetooth to find the NetworkStack service so tethering can be
started.

Test: booted, BT tethering obtains IP address and denials not shown
Bug: b/112869080
Change-Id: I726d818f4f9a9adcd98c834726ed22376076ac7b
2019-01-19 11:52:32 +09:00
Tri Vo
937e66496d Split mapping file into system and product parts
Both mapping files need to be included when building sepolicy at boot
time.

Bug: 119305624
Test: boot taimen
Test: "cnd" type is declared in /vendor; "dataservice_app" type is
declared in /product. This permission is preserved
"allow cnd dataservice_app:binder { transfer call };"
Change-Id: I138f34208ea05e170defd2b4ef4700ffa81f9573
2019-01-18 16:07:33 -08:00
Tri Vo
e68ba59fb3 Rename plat_pub_policy -> pub_policy
Public policy that is available to vendor (and odm) sepolicy is a
combination of system and product public sepolicy. Since "plat_" prefix
implies a pure system sepolicy component, drop "plat_" prefix from
"plat_pub_policy" to be consistent with naming in this file.

Bug: 119305624
Test: m selinux_policy
Change-Id: Iaf094702556ce97371fa1c58c01d707103d7f7d6
2019-01-18 16:07:33 -08:00
Tri Vo
8a2b65244f Remove obsolete mapping build rules.
Mapping files for previous releases are unconditionally packaged on the
device. No need to account for case when BOARD_SEPOLICY_VERS and
PLATFORM_SEPOLICY_VERSION are different.

Bug: 119305624
Test: m selinux_policy
Change-Id: I36c3c43f96870d9a71adf91c8fb8926587c5a50e
2019-01-18 16:07:33 -08:00
Eric Holk
f8dfb5f83b [layout compilation] Modify sepolicy to allow installd to run viewcompiler
We will generate precompiled layouts as part of the package install or upgrade
process. This means installd needs to be able to invoke viewcompiler. This
change gives installd and viewcompiler the minimal set of permissions needed for
this to work.

Bug: 111895153
Test: manual
Change-Id: Ic1fe60bd264c497b5f79d9e1d77c2da4e092377b
2019-01-18 23:29:47 +00:00
Treehugger Robot
d25f1303de Merge "Android.mk: remove some build-log spam" 2019-01-18 21:42:19 +00:00
Christian Wailes
0f466d76d9 Merge "Add SELinux policies for blastula pool sockets." 2019-01-18 20:24:46 +00:00
Jeff Vander Stoep
e71f4e0c50 Android.mk: remove some build-log spam
This line always prints when building master branch, it's not
particularly useful.

system/sepolicy/Android.mk:77: warning: BOARD_SEPOLICY_VERS not
specified, assuming current platform version

Test: build
Change-Id: I52f8dc2a77966bc0c21168b1339f3029185e5339
2019-01-18 11:33:57 -08:00
Narayan Kamath
ea8b87fd36 Merge "Allow installd sufficient permissions to rollback_data_file." 2019-01-18 08:27:15 +00:00
Jeffrey Vander Stoep
3a7f33b44d Merge "rs: add tests to ensure rs cannot abuse app data" 2019-01-18 03:10:50 +00:00
Treehugger Robot
a0fb112a8a Merge "Revoke ftrace selinux access from dumpstate" 2019-01-18 01:39:21 +00:00
William Hester
1fefa6c0e8 Merge "Add the testharness service to sepolicy rules" 2019-01-18 01:07:22 +00:00
Jeff Vander Stoep
561aa01ccb rs: add tests to ensure rs cannot abuse app data
Test: build
Change-Id: I2ea39c767264339e300fceeb23c506883d23a14c
2019-01-17 15:24:34 -08:00
Chris Wailes
232f395548 Add SELinux policies for blastula pool sockets.
This patch adds the necessary SELinux contexts for the blastula pool
sockets.

Topic: zygote-prefork
Test: make & flash & check log for message
Bug: 68253328
Change-Id: I46d62e5ab8c573cb7704feec2b1d42d91a990fd9
2019-01-17 23:23:34 +00:00
Treehugger Robot
7f22034591 Merge "gralloc3: add sepolicy for allocator/mapper 3.0" 2019-01-17 22:56:36 +00:00
Treehugger Robot
945f6bd1c6 Merge "recovery: Address the ioctl denials during wiping." 2019-01-17 22:50:56 +00:00
William Hester
5f486c74bf Add the testharness service to sepolicy rules
The testharness service will manage Test Harness Mode and provide a
command-line interface for users to enable Test Harness Mode; however it
does not directly provide a public API.

Bug: 80137798
Test: make
Test: flash crosshatch
Change-Id: Ie396e40fcea8914b4dd2247f2314e029b66ad84e
2019-01-17 13:10:37 -08:00
Treehugger Robot
43f0fcf753 Merge "Add filemap events for iorapd" 2019-01-17 21:06:33 +00:00
Jaegeuk Kim
b9114af8aa Merge "zram: allow zram writeback" 2019-01-17 21:03:15 +00:00
Nandana Dutt
5a974a0eae Merge "Add sepolicy for BugreportManagerService" 2019-01-17 20:30:19 +00:00
Marissa Wall
97f5383895 gralloc3: add sepolicy for allocator/mapper 3.0
IAllocator and IMapper are being rev'd to 3.0. Update sepolicy to
allow them to be used.

Test: compile with allocator/mapper patches and boot the device
Bug: 120493579
Change-Id: Id241c6bd79c02ec93d8dd415539f90a18f733d03
2019-01-17 11:56:08 -08:00
Primiano Tucci
82f99dbed7 Add filemap events for iorapd
iorapd needs to access these events on-device
through perfetto.

Bug: 122606712
Bug: 72170747
Change-Id: I819dc9b79e85c3e261859d125c680a50737351da
2019-01-17 18:38:32 +00:00
Narayan Kamath
802cfe0f3d Allow installd sufficient permissions to rollback_data_file.
Used to capture and restore app data snapshots as implemented in change
I3e4d36c11e52fb885b585b1946e215cf986206fd.

Test: make, manual
Bug: 112431924

Change-Id: I1cd1ec3f9c93c4af65b662a5ada582299b595a8f
2019-01-17 16:56:42 +00:00
Primiano Tucci
33e81a9e42 Revoke ftrace selinux access from dumpstate
Getting rid of the feature in aosp/874979.
See other CL and bug for context.

Bug: 122987614
Bug: 122987614
Test: run dumpstate before and after patch,
      file sizes are comparable,
      observed no tracing-related errors.
Change-Id: Ifcde8dcbb99ce53d226b50ddd3178adaaa4322bd
2019-01-17 16:09:01 +00:00
Annie Meng
4c3d11c018 Add rules for multi-user backup/restore
The backup system service will move its storage location to per-user CE
directories to support multiple users. Add additional iterations on the
existing rules to support the new location.

/data/backup -> /data/system_ce/[user id]/backup
Previously covered by rule backup_data_file

/cache/backup -> /data/system_ce/[user id]/backup_stage
Previously covered by rule cache_backup_file

Also add support for vold to create and perform restorecon on the new
locations.

Example denials and detailed proposal in the doc on the linked bug.

Bug: 121197420
Test: 1) Boot device; check dirs created with correct label; run backup
successfully on system user
2) Create secondary user; check dirs created with correct label; run
backup successfully

Change-Id: I47faa69cd2a6ac55fb762edbf366a86d3b06ca77
2019-01-17 12:53:08 +00:00
Nandana Dutt
5cdd2f5ef8 Add sepolicy for BugreportManagerService
Bug: 111441001
Test: boots
Change-Id: I71a54e8335c5ce7f9d97af3dbbd62e663bb66d33
2019-01-17 12:23:31 +00:00
Annie Meng
9e332a59b2 Merge "Add initial sepolicy for app data snapshots." 2019-01-17 11:01:00 +00:00
Jaegeuk Kim
579271906a zram: allow zram writeback
This allows fs_mgr in init to build a loopback device and its control.

Bug: 74582279
Change-Id: I039cd57d4638870a59dd38c952d3ab9b671be545
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
2019-01-17 04:28:00 +00:00
Frank Li
2d86b6502d Merge "Allow netd to write to statsd" 2019-01-17 04:15:00 +00:00
Treehugger Robot
938d0c2bf6 Merge "Allow the kernel to read staging_data_file." 2019-01-17 01:18:47 +00:00
Martijn Coenen
b85acbb889 Allow the kernel to read staging_data_file.
These are APEX files in /data/staging, and will be accessed by the loop
driver in the kernel.

Bug: 118865310
Test: no denials on emulator
Change-Id: I5c849b6677566cb00d28011352b9dc6b787a0bc4
2019-01-16 21:05:26 +01:00
Nick Kralevich
80eec389e2 rs.te: Remove dontaudit statements
These dontaudit rules were in place to suppress SELinux denials due to
file descriptor leakage. The file descriptor leakage has been fixed, so
these rules are no longer necessary. Delete.

Fixes: 120983106
Test: cts-tradefed run cts-dev -m CtsRenderscriptTestCases
Change-Id: I5cad79c3526583bd2b65bd089fee9c490f6beb5e
2019-01-16 10:54:16 -08:00
Treehugger Robot
2b80559518 Merge "app: remove redundant neverallow rule" 2019-01-16 15:28:28 +00:00
Narayan Kamath
2ad229c788 Add initial sepolicy for app data snapshots.
Define a rollback_data_file label and apply it to the snapshots
directory. This change contains just enough detail to allow
vold_prepare_subdirs to prepare these directories correctly.

A follow up change will flesh out the access policy on these
directories in more detail.

Test: make, manual
Bug: 112431924

Change-Id: I4fa7187d9558697016af4918df6e34aac1957176
2019-01-16 15:22:51 +00:00
lifr
980c08c999 Allow netd to write to statsd
Configure sepolicy to allow netd to write to statsd.

Test: run runtests.sh, make sure no missing test and get all pass
      run /out/host/linux-x86/bin/statsd_testdrive 82
      Got following metric data dump:pass for local test
Bug: 119862317

Change-Id: Ieff5ca55de46715d54ef57c4a6d144fd7d03e4b7
2019-01-16 13:33:18 +00:00