/proc/net/xt_qtaguid is used by apps to track their network data
use. Limit access to just zygote spawned processes - apps and
system_server, omitting access to isolated_app which is not allowed
to create network sockets.
As Android moves to eBPF for app's network data stats, access to
/proc/net/xt_qtaguid will be removed entirely. Segmenting access off
is the first step.
Bug: 68774956
This change also helps further segment and whitelist access to
files in /proc/net and is a step in the lockdown of /proc/net.
Bug: 9496886
Test: boot Taimen. Walk through setup-wizard. Make phone call and
video call. Browse web. Watch youtube. Navigate in maps.
Test: cts-tradefed run cts -m CtsAppSecurityHostTestCases -t \
android.appsecurity.cts.AppSecurityTests
Test: cts-tradefed run cts -m CtsNativeNetTestCases
Test: cts-tradefed run cts -m CtsIncidentHostTestCases -t \
com.android.server.cts.NetstatsIncidentTest
Test: cts-tradefed run cts -m CtsOsTestCases -t \
android.os.cts.StrictModeTest
Test: cts-tradefed run cts -m CtsNetTestCases -t \
android.net.cts.TrafficStatsTest
Test: cts-tradefed run cts -m CtsUsageStatsTestCases -t \
android.app.usage.cts.NetworkUsageStatsTest
Test: vts-tradefed run vts -m VtsQtaguidTest
Change-Id: Idddd318c56b84564142d37b11dcc225a2f2800ea
Perfetto is a performance instrumentation and logging framework,
living in AOSP's /external/pefetto.
Perfetto introduces in the system one binary and two daemons
(the binary can specialize in either depending on the cmdline).
1) traced: unprivileged daemon. This is architecturally similar to logd.
It exposes two UNIX sockets:
- /dev/socket/traced_producer : world-accessible, allows to stream
tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS
from traced to each client process, which needs to be able to
mmap it R/W (but not X)
- /dev/socket/traced_consumer : privilege-accessible (only from:
shell, statsd). It allows to configure tracing and read the trace
buffer.
2) traced_probes: privileged daemon. This needs to:
- access tracingfs (/d/tracing) to turn tracing on and off.
- exec atrace
- connect to traced_producer to stream data to traced.
init.rc file:
https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc
Bug: 70942310
Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
This reverts commit 640e595a68. The
corresponding code in libcutils was removed, so this is now unneeded.
Bug: 71632076
Test: aosp_sailfish still works
Change-Id: I615bab83e9a83bc14439b8ab90c00d3156b0a7c4
Some necessary sepolicy rule changes for init process to create directory,
mount cgroupv2 module and mount bpf filesystem. Also allow netd to create
and pin bpf object as files and read it back from file under the
directory where bpf filesystem is mounted.
Test: bpf maps show up under /sys/fs/bpf/
Change-Id: I579d04f60d7e20bd800d970cd28cd39fda9d20a0
we are aiming to improve logging performance by having wifi hal
directly write to the flash.
Wifi hal need to be able to create, write, and delete files in
a directory. This will be restricted to userdebug and eng builds only.
Bug: 70170285
Test: compile, run on device
Change-Id: Id0cd317411f4c393d7529aa31b501046d7350edb
Many processes including third party apps are expected to
access /proc/net/xt_qtaguid/stats. Give this file a new label
to avoid spamming the logs and temporarily grant read access to
all processes.
Read-only permission is adequate for all processes based on unix
permissions.
sailfish:/ # ls -laZ /proc/net/xt_qtaguid/stats
-r--r--r-- 1 root net_bw_stats u:object_r:proc_net_xt_qtaguid_stats:s0 stats
Bug: 9496886
Bug: 68016944
Bug: 70722355
Test: Build/flash Sailfish. Browse in Chrome and watch videos in youtube.
No "denied" or "granted" selinux messages observed in the logs.
Change-Id: I29f1ee806c8149988b9b93a950790d14754927ef
Do not let apps read uid_concurrent_active_time and
uid_concurrent_policy_time.
b/68399339
Test: Check that they can't be read from the shell
without root permissions and system_server was able
to read them
Change-Id: I6f09ef608607cb9f4084ba403a1e7254b8c49a06
Label /proc/sys/fs/pipe-max-size with new type proc_pipe_conf and give
system_server access to it.
Addresses this denial:
avc: denied { read } for name="pipe-max-size" dev="proc" ino=93817
scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file
permissive=0
Bug: 69175449
Bug: 69324398
Test: sailfish boots
Test: adb bugreport
Test: craft an unresponsive app, trigger ANR, make sure traces are dumped
into /data/anr
Above denial from system_server not observed, no denials to proc_pipe_conf
observed.
Change-Id: I7c71f05820a4945ba982e29f76e9d9f4458b2b59
Add label update_engine_log_data_file for log files created by
update engine in directory /data/misc/update_engine_log.
Bug: 65568605
Test: manual
Change-Id: I379db82a0ea540e41cb3b8e03f93d9ce64fac7c9
Bug: 62378620
Test: Android in Chrome OS can call uevent_kernel_recv() and not fail
with EIO.
Test: bullhead networking still works
Change-Id: I4dd5d2148ee1704c4fa23d7fd82d1ade19b58cbd
This will be used to enforce data separation between platform and
vendor.
Test: build
Bug: 34980020
Change-Id: Ia312f00068d3982c7aae7e35bd0c96a6eb9ea3be
New types:
1. proc_random
2. sysfs_dt_firmware_android
Labeled:
1. /proc/sys/kernel/random as proc_random.
2. /sys/firmware/devicetree/base/firmware/android/{compatible, fstab,
vbmeta} as sysfs_dt_firmware_android.
Changed access:
1. uncrypt, update_engine, postinstall_dexopt have access to generic proc
and sysfs labels removed.
2. appropriate permissions were added to uncrypt, update_engine,
update_engine_common, postinstall_dexopt.
Bug: 67416435
Bug: 67416336
Test: fake ota go/manual-ab-ota runs without denials
Test: adb sideload runs without denials to new types
Change-Id: Id31310ceb151a18652fcbb58037a0b90c1f6505a
This is no longer used and violates Treble data separation.
Bug: 68057930
Test: verify on Sailfish that /data/misc/audiohal doesn't exist
This dir appears to be Qualcomm specific and should not have
been defined in core policy.
Change-Id: I55fba7564203a7f8a1d8612abd36ec1f89dc869d
Remove netd access to sysfs_type attribute.
These were moved from vendor to fwk policy:
1. sysfs_net type declaration
2. labeling of /sys/devices/virtual/net with sysfs_net
3. netd access to sysfs_net
Bug: 65643247
Test: can browse internet without netd denials
Test: netd_unit_test, netd_integration_test without netd denials
Merged-In: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
Change-Id: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
(cherry picked from commit e62a56b717)
Remove netd access to sysfs_type attribute.
These were moved from vendor to fwk policy:
1. sysfs_net type declaration
2. labeling of /sys/devices/virtual/net with sysfs_net
3. netd access to sysfs_net
Bug: 65643247
Test: can browse internet without netd denials
Test: netd_unit_test, netd_integration_test without netd denials
Change-Id: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
New types:
sysfs_android_usb
sysfs_ipv4
sysfs_power
sysfs_rtc
sysfs_switch
sysfs_wakeup_reasons
Labeled:
/sys/class/android_usb, /sys/devices/virtual/android_usb ->sysfs_android_usb
/sys/class/rtc -> sysfs_rtc
/sys/class/switch, /sys/devices/virtual/switch -> sysfs_switch
/sys/power/state, /sys/power/wakeup_count -> sysfs_power
/sys/kernel/ipv4 -> sysfs_ipv4
/sys/kernel/wakeup_reasons -> sysfs_wakeup_reasons
Removed access to sysfs and sysfs_type from system_server and added
appropriate access to new types.
Bug: 65643247
Test: sailfish boots without violation from system_server or to new labels.
Change-Id: I27250fd537d76c8226defa138d84fe2a4ce2d5d5
Prior to this CL, /sys/devices/virtual/block/dm-X was using the generic
sysfs label. This CL creates sysfs_dm label and grants the following
accesses:
- update_verifier to read sysfs_dm dir and file at
/sys/devices/virtual/block/dm-X.
- vold to write sysfs_dm.
Bug: 63440407
Test: update_verifier successfully triggers blocks verification and
marks a sucessful boot;
Test: No sysfs_dm related denials on sailfish.
Change-Id: I6349412707800f1bd3a2fb94d4fe505558400c95
Renamed this type:
proc_asound_cards -> proc_asound
Labeled /proc/asound/devices as proc_asound.
We now use proc_asound type to label files under /proc/asound which we
want to expose to system components.
Bug: 66988327
Test: Pixel 2 boots, can play sound with or without headphones, and
selinux denials to proc_asound are not seen.
Change-Id: I453d9bfdd70eb80931ec9e80f17c8fd0629db3d0
