Commit graph

23 commits

Author SHA1 Message Date
Steven Moreland
82f7900341 Make AIDL HAL client attribute an exclusive client.
Like HIDL HALs, if we have a service which is allowed to access
hal_<foo>_service, we want that service to have the attribute
hal_<foo>_client.

Unlike HIDL HALs, some AIDL services are allowed to get ahold of all
HALs, so these have to be exempted from this check.

Fixes: 168152053
Test: neverallows pass
Change-Id: I4bce6d9441c2921c3ea40f2b01fef4030c02a28a
2020-09-11 00:02:00 +00:00
Jeff Sharkey
a0e7a6da28 Update language to comply with Android's inclusive language guidance
See https://source.android.com/setup/contribute/respectful-code for reference

Bug: 161896447
Change-Id: I0caf39b349c48e44123775d98c52a773b0b504ff
2020-07-31 12:28:11 -06:00
Steven Moreland
a30464c06e More neverallows for default_android_service.
We don't want to accidentally allow this, and a neverallow also means
that the issue will be found during development, instead of review.

Fixes: 148081219
Test: compile policy only
Change-Id: I57990a2a4ab9e5988b09dae2dd6a710ce8f53800
2020-01-21 11:13:22 -08:00
Harpreet "Eli" Sangha
1b62e7fd9d atrace: allow tracing of vibrator hal
Test: On-Device Systrace
Change-Id: I4172c83cf50106d28eb7b9330c5bb559fabc504b
Signed-off-by: Harpreet "Eli" Sangha <eliptus@google.com>
2019-06-17 12:25:05 +09:00
Ryan Savitski
19459a3802 atrace: debug: allow notifying camera HAL of a change in sysprops
Similar to aosp/961857, but enables the logging of atrace events from
the camera HAL (primarily HIDL interactions, but also a couple of ION
events).

Keeping it confined to userdebug_or_eng. Longer-term planning belongs on
b/78136428.

Not adding fwk_camera_hwservice, as it is a HIDL interface to
cameraserver (which is already covered above).

Plus slight reorganization of existing atrace.te contents, and donaudits
to reduce logspam from denials (including pre-existing ones that were
hitting the rate limiter).

Specific denials addressed (listing HALs, finding camera HAL, notifying it):
05-15 18:07:19.684   618   618 E SELinux : avc:  denied  { list } for  scontext=u:r:atrace:s0 tcontext=u:r:hwservicemanager:s0 tclass=hwservice_manager permissive=1
05-15 18:07:19.701   618   618 E SELinux : avc:  denied  { find } for interface=android.hardware.camera.provider::ICameraProvider sid=u:r:atrace:s0 pid=10137 scontext=u:r:atrace:s0 tcontext=u:object_r:hal_camera_hwservice:s0 tclass=hwservice_manager permissive=1
05-15 18:07:19.698 10137 10137 I atrace  : type=1400 audit(0.0:273): avc: denied { call } for scontext=u:r:atrace:s0 tcontext=u:r:hal_camera_default:s0 tclass=binder permissive=1

Bug: 130543265
Tested: flashed blueline-userdebug, took a trace with perfetto, confirmed HIDL atrace slices present in camera hal trace.
Change-Id: I0f8ce989355603e41d6c05c3de07e7dd615555eb
2019-05-17 12:20:06 +01:00
Ryan Savitski
232295e8db atrace.te: allow notifying cameraserver of a change in sysprops
This allows the atrace cmd to notify cameraserver (the host of
media.camera service) that the set of tracing-related system properties
have changed. This allows the cameraserver to notice that it might need
to enable its trace events.

The atrace cmd has the necessary permission when running as shell, but
not when it is running as the "atrace" domain (notably when exec'd by
perfetto's traced_probes).

We're adding cameraserver to the whitelist as it contains important
events for investigating the camera stack.

Example denial:
05-14 22:29:43.501  8648  8648 W atrace  : type=1400 audit(0.0:389): avc: denied { call } for scontext=u:r:atrace:s0 tcontext=u:r:cameraserver:s0 tclass=binder permissive=0

Tested: flashed blueline-userdebug, captured a perfetto trace with "camera" atrace category, confirmed that userspace atrace events are included in the trace.
Bug: 130543265
Change-Id: Ifd3fd5fd3a737c7618960343b9f89d3bf7141c94
2019-05-15 00:54:08 +01:00
Yifan Hong
18ade868ff Add rules for lpdump and lpdumpd
- lpdump is a binary on the device that talks to lpdumpd
  via binder.

- lpdumpd is a daemon on the device that actually reads
  dynamic partition metadata. Only lpdump can talk to it.

Bug: 126233777
Test: boots (sanity)
Test: lpdump

Change-Id: I0e21f35ac136bcbb0603940364e8117f2d6ac438
2019-03-25 10:14:20 -07:00
Luke Huang
524f25ebb0 Add sepolicy for resolver service
Bug: 126141549
Test: built, flashed, booted
Change-Id: I34260e1e5cc238fbe92574f928252680c1e6b417
2019-03-05 15:49:33 +00:00
Lalit Maganti
d6ae1a5e42 sepolicy: add rules for traced_probes to capture stderr and kill atrace on timeout
This CL adds rules to allow traced_probes to dup a pipe as the stderr
for atrace and also send a sigkill to atrace after a timeout.

This fixes b/119656920

Change-Id: Ie66aaba47c11ef7c733b442f35fee042b7c546fb
2018-11-16 14:47:19 +00:00
Igor Murashkin
72a88b194c iorapd: Add new binder service iorapd.
This daemon is very locked down. Only system_server can access it.

Bug: 72170747
Change-Id: I7b72b9191cb192be96001d84d067c28292c9688f
2018-10-08 15:00:34 -07:00
Martijn Coenen
ac097ac4c7 Add policy for apexd.
apexd is a new daemon for managing APEX packages installed
on the device. It hosts a single binder service, "apexservice".

Bug: 112455435
Test: builds, binder service can be registered,
      apexes can be accessed, verified and mounted
Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
2018-10-04 07:06:45 +00:00
Wei Wang
bc71a6109e Add atrace HAL 1.0 sepolicy
Bug: 111098596
Test: atrace/systrace

(cherry picked from commit 9ed5cf6e43)

Change-Id: I97772ff21754d03a0aea0d53b39e8da5312a17c0
2018-09-27 23:18:29 +00:00
Nick Kralevich
5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00
Hector Dearman
244bc7cf97 Make system_server atrace category work with traced_probes
Historically most uses of atrace happen via the shell domain.

There are two exceptions:
- boot tracing
- traced_probes

We need to get feature parity, so atrace has the same behavior
when is invoked either via shell or from its own domain (e.g.
via traced_probes that has an auto_trans rule into atrace on exec).
Atrace works by setting system properties to enable tracing from userspace
then poking all the binder services to read the system properties (see [1]) so
enabling the system_server category requires the ability to call binder
methods on the system_server.

For more use cases see b/113127224

[1]: 9ead54bed6/cmds/atrace/atrace.cpp (545)

Bug: 113127224
Test: Add an atrace category to the Perfetto config and confirm the data
shows up.

Change-Id: Id077eff960ffb1cdd7b0ce84b21ac9ef70444a4a
2018-09-10 14:03:27 +01:00
Primiano Tucci
feaf22b130 Reland: perfetto: allow traced_probes to execute atrace
This CL adds the SELinux permissions required to execute
atrace and get userspace tracing events from system services.
This is to enable tracing of events coming from surfaceflinger,
audio HAL, etc.
atrace, when executed, sets a bunch of debug.atrace. properties
and sends an IPC via binder/hwbinder to tell the services to
reload that property.

This CL does NOT affect systrace. In that case (i.e. when
atrace is executed from adb/shell) atrace still runs in
the shell domain and none of those changes apply.

Change-Id: I11b096d5c5c5593f18bce87f06c1a7b1ffa7910e
Bug: b/73340039
2018-03-22 01:51:39 +00:00
Carmen Jackson
2c8ca45d2d Use a whitelisting strategy for tracefs.
This changes tracefs files to be default-enabled in debug mode, but
default-disabled with specific files enabled in user mode.

Bug: 64762598
Test: Successfully took traces in user mode.

Change-Id: I572ea22253e0c1e42065fbd1d2fd7845de06fceb
2018-02-05 10:03:06 -08:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Jeff Vander Stoep
b5da252e45 domain_deprecated is dead
long live domain.te!

Remove all references.

Bug: 28760354
Test: build
Merged-In: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
Change-Id: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
2017-07-28 22:01:46 +00:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
Alex Klyubin
357c1617f7 Move atrace policy to private
atrace and its atrace_exec now exist only in private policy.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules to do with atrace_current
      which is expected now that atrace cannot be referenced from
      public or vendor policy.
Bug: 31364497

Change-Id: Ib726bcf73073083420c7c065cbd39dcddd7cabe3
2017-02-07 10:54:20 -08:00
Nick Kralevich
b56e6ef894 Whitespace fix
Because I'm nitpicky.

Test: policy compiles
Change-Id: I4d886d0d6182d29d7b260cf1f142c47cd32eda29
2016-12-09 20:14:31 -08:00
dcashman
0c8ad1dc94 Fix build.
Make all platform tyeps public to start to prevent build breakage in any devices
that may have device-specific policy using these types.  Future changes will
need to be carefully made to ensure we properly limit types for use by
non-platform policy.

Test: Builds
Change-Id: I7349940d5b5a57357bc7c16f66925dee1d030eb6
2016-12-06 16:49:25 -08:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00
Renamed from atrace.te (Browse further)