Commit graph

65 commits

Author SHA1 Message Date
Florian Mayer
e922aa38bf Give heapprofd dac_read_search on userdebug.
This is needed because some oat dex files are generated without world
readable permissions. See the bug for details.

We are still constrained by the SELinux rules above.

Bug: 129048073

Change-Id: I84e34f83ceb299ff16b29a78f16c620fc0aa5d68
2019-03-21 17:22:09 +00:00
Andreas Gampe
d6fdcefaa8 Sepolicy: Move otapreopt_chroot to private
Move complete domain to private/. Move referencing parts in domain
and kernel to private.

Bug: 128840749
Test: m
Change-Id: I5572c3b04e41141c8f4db62b1361e2b392a5e2da
2019-03-18 10:54:42 -07:00
Andreas Gampe
59d5d90da8 Sepolicy: Allow everyone to search keyrings
Allow everyone to look for keys in the fsverity keyring. This is
required to access fsverity-protected files, at all.

This set of permissions is analogous to allowances for the fscrypt
keyring and keys.

Bug: 125474642
Test: m
Test: manual
Change-Id: I6e8c13272cdd76d9940d950e9dabecdb210691b1
2019-03-14 13:21:07 -07:00
Andreas Gampe
1845b406fc Sepolicy: ART APEX boot integrity
Add ART boot integrity check domain. Give it rights to run
fsverity and delete boot classpath artifacts.

Bug 125474642
Test: m
Test: boot
Change-Id: I933add9b1895ed85c43ec712ced6ffe8f820c7ec
2019-03-12 22:26:17 -07:00
Florian Mayer
315d8bfa15 Allow profilable domains to use heapprofd fd and tmpfs.
This is needed to allow to communicate over shared memory.

Bug: 126724929

Change-Id: I73e69ae3679cd50124ab48121e259fd164176ed3
2019-03-04 12:05:35 +00:00
Suren Baghdasaryan
6155b2fd11 sepolicy for vendor cgroups.json and task_profiles.json files
Vendors should be able to specify additional cgroups and task profiles
without changing system files. Add access rules for /vendor/etc/cgroups.json
and /vendor/etc/task_profiles.json files which will augment cgroups and
task profiles specified in /etc/cgroups.json and /etc/task_profiles.json
system files. As with system files /vendor/etc/cgroups.json is readable
only by init process. task_profiles.json is readable by any process that
uses cgroups.

Bug: 124960615
Change-Id: I12fcff0159b4e7935ce15cc19ae36230da0524fc
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-03-01 00:32:15 +00:00
Andreas Gampe
4c2d06c458 Sepolicy: Add base runtime APEX postinstall policies
Add art_apex_postinstall domain that is allowed to move
precreated AoT artifacts from /data/ota.

Bug: 125474642
Test: m
Change-Id: Id674e202737155a4ee31187f096d1dd655001fdd
2019-02-28 09:24:17 -08:00
Andreas Gampe
f77bcdcf57 Sepolicy: Move dac_override checks to private
In preparation for moving other components to private, so that
private-only components can stay private.

Bug: 125474642
Test: m
Change-Id: Iff1ecabc4f45051d06e062b3338a117c09b39ff9
2019-02-26 13:12:05 -08:00
shafik
9f8ff76e35 Allow installd to delete directories in staging dir
In order to support deleting session files after a staged session reaches
a final state, installd will need to delete the session directories from
/data/staging.

Bug: 123624108
Test: triggered 2 flows in which a staged session reaches a final state
and made sure installd can delete the session files

Change-Id: I76a7d4252d1e033791f67f268cf941672c5e6a3a
2019-02-25 12:02:20 +00:00
Andreas Gampe
63c7b0fa18 Sepolicy: Move dalvik cache neverallow to private
In preparation for additions that should be private-only, move
the neverallows to domain's private part.

Bug: 125474642
Test: m
Change-Id: I7def500221701500956fc0b6948afc58aba5234e
2019-02-22 05:11:08 -08:00
Joel Fernandes
deef7f0afd Add permissions for sys.use_memfd property
Will be used to forcefully turn on memfd if device supports it.
Currently used only for debugging.

Change-Id: I46a1b7169677ea552d4b092e7501da587c42ba1a
Signed-off-by: Joel Fernandes <joelaf@google.com>
2019-02-06 15:16:16 -05:00
Nikita Ioffe
6d73cea5b4 apexd: allow apexd to unlink staging_data_file files
In order to support rollback for apex files, apexd will need to unlink
previously active apex files in /data/apex/active folder. Those files
are hardlinked from /data/staging/session_XXXX which means that they
have staging_data_file:file SELinux fields.

I double checked that this change won't allow apexd to unlink files in
/data/staging/session_XXXX folders, because it will lack write access,
logcat contains following entries:
avc: denied { write } for name="session_305119585" dev="sda13" ino=5496838 scontext=u:r:apexd:s0 tcontext=u:object_r:staging_data_file:s0 tclass=dir permissive=0

Bug: 122339211
Test: verified that apexd can't unlink files in /data/staging/session_XXXX
Change-Id: Iddef724c3d73269c97d9fa12a05a276fad189ea9
2019-02-05 22:57:29 +00:00
Suren Baghdasaryan
561ce801b0 sepolicy changes to configure cgroup.rc and task_profiles.json access
cgroups.json file contains cgroup information required to mount
cgroup controllers and is readable only by init process.
cgroup.rc contains cgroup map information consisting of the list of
cgroups available in the system and their mounting locations. It is
created by init process and should be readable by any processes that
uses cgroups and should be writable only by init process.
task_profiles.json file contains task profiles used to operate on
cgroups. This information should be readable by any process that uses
cgroups and should be writable only by init process.

Bug: 111307099
Test: builds, boots

Change-Id: Ib2c87c0fc3663c7fc69628f05c846519b65948b5
Merged-In: Ib2c87c0fc3663c7fc69628f05c846519b65948b5
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-02-02 16:56:08 +00:00
Ryan Savitski
ca0690e8eb Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.

These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.

For more context, see go/heapprofd-security & go/heapprofd-design.

Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.

Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-21 14:30:57 +00:00
Martijn Coenen
1bbda7e662 Initial sepolicy for app_zygote.
The application zygote is a new sort of zygote process that is a
child of the regular zygote. Each application zygote is tied to the
application for which it's launched. Once it's started, it will
pre-load some of the code for that specific application, much like
the regular zygote does for framework code.

Once the application zygote is up and running, it can spawn
isolated service processes that run in the isolated_app domain. These
services can then benefit from already having the relevant
application code and data pre-loaded.

The policy is largely the same as the webview_zygote domain,
however there are a few crucial points where the policy is different.

1) The app_zygote runs under the UID of the application that spawned
   it.
2) During app_zygote launch, it will call a callback that is
   controlled by the application, that allows the application to
   pre-load code and data that it thinks is relevant.

Especially point 2 is imporant: it means that untrusted code can run
in the app_zygote context. This context is severely limited, and the
main concern is around the setgid/setuid capabilities. Those conerns
are mitigated by installing a seccomp filter that only allows
setgid/setuid to be called in a safe range.

Bug: 111434506
Test: app_zygote can start and fork children without denials.
Change-Id: I1cc49ee0042d41e5ac6eb81d8f8a10ba448d4832
2019-01-21 08:24:41 +00:00
Eric Holk
f8dfb5f83b [layout compilation] Modify sepolicy to allow installd to run viewcompiler
We will generate precompiled layouts as part of the package install or upgrade
process. This means installd needs to be able to invoke viewcompiler. This
change gives installd and viewcompiler the minimal set of permissions needed for
this to work.

Bug: 111895153
Test: manual
Change-Id: Ic1fe60bd264c497b5f79d9e1d77c2da4e092377b
2019-01-18 23:29:47 +00:00
Martijn Coenen
b85acbb889 Allow the kernel to read staging_data_file.
These are APEX files in /data/staging, and will be accessed by the loop
driver in the kernel.

Bug: 118865310
Test: no denials on emulator
Change-Id: I5c849b6677566cb00d28011352b9dc6b787a0bc4
2019-01-16 21:05:26 +01:00
Dario Freni
274c1ded4d SEPolicy for Staged Installs.
Test: basic workflow between apexd and PackageManager tested with
changes being developed.
Bug: 118865310
Change-Id: I1ae866f33e9b22493585e108c4fd45400493c7ac
2019-01-07 22:36:28 +00:00
Nick Kralevich
0eb0a16fbd bless app created renderscript files
When an app uses renderscript to compile a Script instance,
renderscript compiles and links the script using /system/bin/bcc and
/system/bin/ld.mc, then places the resulting shared library into the
application's code_cache directory. The application then dlopen()s the
resulting shared library.

Currently, this executable code is writable to the application. This
violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which
requires any executable code be immutable.

This change introduces a new label "rs_data_file". Files created by
/system/bin/bcc and /system/bin/ld.mc in the application's home
directory assume this label. This allows us to differentiate in
security policy between app created files, and files created by
renderscript on behalf of the application.

Apps are allowed to delete these files, but cannot create or write these
files. This is enforced through a neverallow compile time assertion.

Several exceptions are added to Treble neverallow assertions to support
this functionality. However, because renderscript was previously invoked
from an application context, this is not a Treble separation regression.

This change is needed to support blocking dlopen() for non-renderscript
/data/data files, which will be submitted in a followup change.

Bug: 112357170
Test: cts-tradefed run cts -m CtsRenderscriptTestCases
Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
2018-12-12 13:20:22 -08:00
Nick Kralevich
1e5021c450 Move some rules around
Move rules / neverallow assertions from public to private policy. This
change, by itself, is a no-op, but will make future patches easier to
read. The only downside of this change is that it will make git blame
less effective.

Motivation: When rules are placed into the public directory, they cannot
reference a private type. A future change will modify these rules to
reference a private type.

Test: compiles
Bug: 112357170
Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
2018-11-28 17:55:21 -08:00
Florian Mayer
b1dad09679 Allow heap profiling everything except TCB on userdebug.
Bug: 117762471
Test: m
Test: flash sailfish
Test: profile all running processes with setenforce 1

Change-Id: I71d41d06d2a62190e33b7e3e425a1f7b8039196e
2018-11-28 22:01:58 +00:00
Florian Mayer
0f3decf2f5 Property to enable heap profile from process startup.
This is world-readable so it can be checked in libc's process init.

Test: m
Test: flash sailfish

Bug: 117821125

Change-Id: Iac7317ceb75b5ad9cfb9adabdf16929263fa8a9d
2018-11-19 21:52:43 +00:00
Nick Kralevich
598a75c11d Further protect app private data files
Remove the special case that allowed init to relabel app_data_file and
privapp_data_file. The auditallow added in
ab82125fc8 has never triggered.

Bug: 80190017
Test: policy compiles
Test: no SELinux denials collected for the auditallow rule
Change-Id: Ide7c31e1a0628464ec2fcf041e8975087c39166d
2018-11-16 01:03:11 -08:00
Tri Vo
a289d523ea Move coredomains rules from private/domain.te to private/coredomain.te
We lose git history with this, but imo the rules being moved don't have
much reference material. Also, as we write more neverallow rules for
CKI, I'd like to consolidate them in private/coredomain.te

Test: m selinux_policy
Change-Id: I6d0c3d2af0c4dfe7dd3cb1d8836b4b5e00db37a4
2018-11-15 15:15:53 -08:00
Nick Kralevich
caf42d615d Transient SELinux domain for system_server JIT
Create a transient SELinux domain where system_server can perform
certain JIT setup. The idea is that system_server will start in the
system_server_startup domain, setup certain JIT pages, then perform a
one-way transition into the system_server domain. From that point,
further JITing operations are disallowed.

Bug: 62356545
Test: device boots, no permission errors
Change-Id: Ic55b2cc5aba420ebcf62736622e08881a4779004
2018-10-31 12:32:01 +00:00
Jeff Vander Stoep
0b67bb88e5 Further lock down app data
Assert that only apps and installd may open private app files.

Remove "open" permission for mediaserver/vold and remove their
neverallow exemption.

Test: verify no related audit messages in the logs.
Test: build
Fixes: 80300620
Fixes: 80418809
Bug: 80190017
Change-Id: If0c1862a273af1fedd8898f334c9b0aa6b9be728
2018-09-22 22:38:42 -07:00
Nick Kralevich
e6f33f53bf exclude su from transitioning to crash_dump domain
When /system/bin/crash_dump is executed from the su domain, do not
perform a domain transition. This allows processes run from that domain
to crash normally without SELinux interfering.

Bug: 114136122
Test: cferris: "This change works for me. I ran the crasher executable on
  /data, /data/nativetest, /data/nativetest64 (and even /data/local/tmp).
  All of them show that crash_dump can read the executables."
Change-Id: Ic135d61b11774acff37ebfb35831497cddbefdef
2018-09-05 19:49:59 -07:00
Mark Salyzyn
275ea12d84 llkd: Add stack symbol checking
llkd needs the ptrace capabilities and dac override to monitor for
live lock conditions on the stack dumps.

Test: compile
Bug: 33808187
Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126
2018-09-04 17:02:30 +00:00
Nick Kralevich
23c9d91b46 Start partitioning off privapp_data_file from app_data_file
Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.

This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.

This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:

  -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
  +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user

For now, this newly introduced label has no usage, so this change
is essentially a no-op.

Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
      filesystem upgrade.

Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-02 16:29:02 -07:00
Jeff Vander Stoep
ab82125fc8 Improve tests protecting private app data
In particular, add assertions limiting which processes may
directly open files owned by apps. Reduce this to just apps, init,
and installd. App data is protected by a combination of selinux
permissions and Unix permissions, so limiting the open permission to
just apps (which are not allowed to have CAP_DAC_OVERRIDE or
CAP_DAC_READ_SEARCH) ensures that only installd and init have
complete access an app's private directory.

In addition to apps/init/installd, other processes currently granted
open are mediaserver, uncrypt, and vold. Uncrypt's access appears to
be deprecated (b/80299612). Uncrypt now uses /data/ota_package
instead. b/80418809 and b/80300620 track removal for vold and
mediaserver.

Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit
messages in the logs.
Bug: 80190017
Bug: 80300620
Bug: 80418809
Fixes: 80299612
Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 13:47:49 -07:00
Jeff Vander Stoep
4d3ee1a5b6 Protect dropbox service data with selinux
Create a new label for /data/system/dropbox, and neverallow direct
access to anything other than init and system_server.

While all apps may write to the dropbox service, only apps with
android.permission.READ_LOGS, a signature|privileged|development
permission, may read them. Grant access to priv_app, system_app,
and platform_app, and neverallow access to all untrusted_apps.

Bug: 31681871
Test: atest CtsStatsdHostTestCases
Test: atest DropBoxTest
Test: atest ErrorsTests
Change-Id: Ice302b74b13c4d66e07b069c1cdac55954d9f5df
2018-04-18 19:53:03 +00:00
Kweku Adams
985db6d8dd Allowing incidentd to get stack traces from processes.
Bug: 72177715
Test: flash device and check incident output
Change-Id: I16c172caec235d985a6767642134fbd5e5c23912
2018-04-04 16:00:23 +00:00
Yi Jin
76238cd4ef Allow incidentd to read LAST_KMSG only for userdebug builds
Bug: 73354384
Test: manual
Change-Id: Iaaeded69c287eae757aaf68dc18bc5a0c53b94e6
2018-03-30 10:15:24 -07:00
Primiano Tucci
feaf22b130 Reland: perfetto: allow traced_probes to execute atrace
This CL adds the SELinux permissions required to execute
atrace and get userspace tracing events from system services.
This is to enable tracing of events coming from surfaceflinger,
audio HAL, etc.
atrace, when executed, sets a bunch of debug.atrace. properties
and sends an IPC via binder/hwbinder to tell the services to
reload that property.

This CL does NOT affect systrace. In that case (i.e. when
atrace is executed from adb/shell) atrace still runs in
the shell domain and none of those changes apply.

Change-Id: I11b096d5c5c5593f18bce87f06c1a7b1ffa7910e
Bug: b/73340039
2018-03-22 01:51:39 +00:00
Jerry Zhang
1d40154575 Add functionfs access to system_server.
UsbDeviceManager in system_server now
helps set up the endpoint files.

Bug: 72877174
Test: No selinux denials
Change-Id: I96b11ee68799ac29b756d2034e7f5e4660dbed98
2018-03-01 12:07:15 -08:00
Primiano Tucci
b4b31f9d72 Allow perfetto traced_probes to access tracefs on user
Allows the traced_probes daemon to access the core ftrace
functionalities on user builds. Specifically this involves:
- Whitelisting the per_cpu/ subdirectory to access:
  1) trace_pipe_raw file to allow perfetto to read the raw
     ftrace buffer (rather than the text-based /trace endpoint)
  2) cpuX/stats and cpuX/buffer_size_kb that allow to
     tune the buffer size per-cpu pipe and to get basic
     statistics about the ftrace buffer (#events, overruns)
- Whitelistiing the full event directories rather than the
  /enable files. This gives also access to the /format files
  for the events that are already enabled on user builds.
  /format files simply describe the memory layout
  of the binary logs. Example: https://ghostbin.com/paste/f8m4k

This still does NOT allow enabling the events labeled as
"_debug" (mostly events that return activity on inodes).
We'll deal with that separately as soon as we get a POC
of inode resolution and a sensible blacklist/whitelist model.

Bug: 70942310
Change-Id: Ic15cca0a9d7bc0e45aa48097a94eadef44c333f8
2018-02-13 15:54:11 +00:00
Carmen Jackson
2c8ca45d2d Use a whitelisting strategy for tracefs.
This changes tracefs files to be default-enabled in debug mode, but
default-disabled with specific files enabled in user mode.

Bug: 64762598
Test: Successfully took traces in user mode.

Change-Id: I572ea22253e0c1e42065fbd1d2fd7845de06fceb
2018-02-05 10:03:06 -08:00
Jeff Vander Stoep
de04528c3b Enable Traceur on user builds.
Test: Standard Traceur workflow works successfully with no
selinux denials on a user build.
Bug: 64762598
Change-Id: I0dfe506d463b63d70c5bda03f8706041ea7ab448
2018-02-02 12:46:36 -08:00
Tom Cherry
9c778045b2 Remove vendor_init from coredomain
vendor_init exists on the system partition, but it is meant to be an
extention of init that runs with vendor permissions for executing
vendor scripts, therefore it is not meant to be in coredomain.

Bug: 62875318
Test: boot walleye
Merged-In: I01af5c9f8b198674b15b90620d02725a6e7c1da6
Change-Id: I01af5c9f8b198674b15b90620d02725a6e7c1da6
2018-01-29 18:07:41 +00:00
Tri Vo
218d87c01c dumpstate: remove access to 'proc' and 'sysfs' types.
And grant appropriate permissions to more granular types.

Bug: 29319732
Bug: 65643247
Test: adb bugreport; no new denials to /proc or /sys files.

Change-Id: Ied99546164e79bfa6148822858c165177d3720a5
2018-01-23 03:24:37 +00:00
Tri Vo
f92cfb9e4f priv_app: remove access to 'proc' and 'sysfs' types.
Bug: 65643247
Test: walleye boots with no denials from priv_app.

Change-Id: I9a7faf1253bdd79d780c2398c740109e2d84bc63
2018-01-20 01:05:56 +00:00
Tri Vo
06d7dca4a1 Remove proc and sysfs access from system_app and platform_app.
Bug: 65643247
Test: manual
Test: browse internet
Test: take a picture
Change-Id: I9faff44b7a025c7422404d777113e40842ea26dd
2018-01-20 01:05:21 +00:00
Tri Vo
5dab913441 neverallow shell access to 'device' type
Bug: 65643247
Test: builds, the change doesn't affect runtime behavior.

Change-Id: I621a8006db7074f124cb16a12662c768bb31e465
2018-01-18 21:56:00 +00:00
Tri Vo
48027a0067 storaged: remove access to sysfs_type
Bug: 68388678
Test: storaged-unit-tests
Change-Id: Iea1ba0131a389dc4396ff3ebe2cdf68dbd688c8a
2018-01-16 18:39:29 -08:00
Primiano Tucci
c80f9e037b Perfetto SELinux policies
Perfetto is a performance instrumentation and logging framework,
living in AOSP's /external/pefetto.
Perfetto introduces in the system one binary and two daemons
(the binary can specialize in either depending on the cmdline).

1) traced: unprivileged daemon. This is architecturally similar to logd.
   It exposes two UNIX sockets:
   - /dev/socket/traced_producer : world-accessible, allows to stream
     tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS
     from traced to each client process, which needs to be able to
     mmap it R/W (but not X)
   - /dev/socket/traced_consumer : privilege-accessible (only from:
     shell, statsd). It allows to configure tracing and read the trace
     buffer.
2) traced_probes: privileged daemon. This needs to:
   - access tracingfs (/d/tracing) to turn tracing on and off.
   - exec atrace
   - connect to traced_producer to stream data to traced.

init.rc file:
https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc

Bug: 70942310
Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2018-01-10 00:18:46 +00:00
Max Bires
4ea5569f53 Adding a traceur_app domain to remove it from shell
This CL creates a traceur_app domain with userdebug privileges akin to
what shell has with regards to being able to find most services on
device. Previously, traceur was running as shell which was an
unintentional abuse of selinux architecture.

Bug: 68126425
Test: Traceur functions outside of shell user privilege
Change-Id: Ib5090e7e8225ad201b3ec24b506fe2717101d0f1
2018-01-02 15:29:03 -08:00
Tri Vo
d276b4349d Remove access to 'sysfs' files from healtd and charger.
We rely on vendors to label all dependencies of healthd/charger under
/sys/class/power_supply with sysfs_batteryinfo type.

Bug: 65643247
Bug: 32659667
Test: boots without denials from healthd, to sysfs_batteryinfo or to
sysfs_msm_subsys.
Test: charging with device turned off works without /sys denials.

Change-Id: I893f309ecad8a0caf7d0b81f5f945725907255c2
2017-12-11 16:31:24 +00:00
Andreas Gampe
e40d676058 Sepolicy: Update rules for perfprofd
Follow along with updates in the selinux policy.

Test: m
Test: manual
Change-Id: I0dfc6af8fbfc9c8b6860490ab16f02a220d41915
2017-12-08 15:21:09 -08:00
Benjamin Gordon
9b2e0cbeea sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-21 08:34:32 -07:00
Tri Vo
c4ef363006 shell: neverallow access to 'proc' label.
Added access to proc_uptime and proc_asound to address these denials:

avc: denied { read } for name="uptime" dev="proc" ino=4026532080
scontext=u:r:shell:s0 tcontext=u:object_r:proc_uptime:s0 tclass=file
permissive=1

avc: denied { getattr } for path="/proc/asound/version" dev="proc"
ino=4026532017 scontext=u:r:shell:s0 tcontext=u:object_r:proc_asound:s0
tclass=file permissive=1

Bug: 65643247
Test: device boots with no denial from 'shell' domain.
Test: lsmod, ps, top, netstat
Test: No denials triggered from CtsSecurityHostTestCases
Test: external/toybox/run-tests-on-android.sh does not pass, but triggers
no denials from 'shell' domain to 'proc' type.

Change-Id: Ia4c26fd616e33e5962c6707a855dc24e338ec153
2017-11-17 18:39:07 +00:00