Apps can cause selinux denials by accessing CE storage
and/or external storage. In either case, the selinux denial is
not the cause of the failure, but just a symptom that
storage isn't ready. Many apps handle the failure appropriately.
These denials are not helpful, are not the cause of a problem,
spam the logs, and cause presubmit flakes. Suppress them.
Bug: 145267097
Test: build
Change-Id: If87b9683e5694fced96a81747b1baf85ef6b2124
This is needed to get Java heap graphs.
Test: flash aosp; profile system_server with setenforce 1
Bug: 136210868
Change-Id: I87dffdf28d09e6ce5f706782422510c615521ab3
Since ipmemorystore service has been moved to network stack from
system service, also should revert the relevant sepolicy which is
corresponding to the previous configuration.
Bug: 128392280
Test: atest FrameworksNetTests NetworkStackTests
Change-Id: I1ae09696e620b246f817db71e7b71c32aae9be05
Move all app tmpfs types to appdomain_tmpfs. These are still protected
by mls categories and DAC. TODO clean up other app tmpfs types in a
separate change.
Treble-ize tmpfs passing between graphics composer HAL and
surfaceflinger.
Bug: 122854450
Test: boot Blueline with memfd enabled.
Change-Id: Ib98aaba062f10972af6ae80fb85b7a0f60a32eee
The testharness service will manage Test Harness Mode and provide a
command-line interface for users to enable Test Harness Mode; however it
does not directly provide a public API.
Bug: 80137798
Test: make
Test: flash crosshatch
Change-Id: Ie396e40fcea8914b4dd2247f2314e029b66ad84e
When an app uses renderscript to compile a Script instance,
renderscript compiles and links the script using /system/bin/bcc and
/system/bin/ld.mc, then places the resulting shared library into the
application's code_cache directory. The application then dlopen()s the
resulting shared library.
Currently, this executable code is writable to the application. This
violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which
requires any executable code be immutable.
This change introduces a new label "rs_data_file". Files created by
/system/bin/bcc and /system/bin/ld.mc in the application's home
directory assume this label. This allows us to differentiate in
security policy between app created files, and files created by
renderscript on behalf of the application.
Apps are allowed to delete these files, but cannot create or write these
files. This is enforced through a neverallow compile time assertion.
Several exceptions are added to Treble neverallow assertions to support
this functionality. However, because renderscript was previously invoked
from an application context, this is not a Treble separation regression.
This change is needed to support blocking dlopen() for non-renderscript
/data/data files, which will be submitted in a followup change.
Bug: 112357170
Test: cts-tradefed run cts -m CtsRenderscriptTestCases
Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
Move rules / neverallow assertions from public to private policy. This
change, by itself, is a no-op, but will make future patches easier to
read. The only downside of this change is that it will make git blame
less effective.
Motivation: When rules are placed into the public directory, they cannot
reference a private type. A future change will modify these rules to
reference a private type.
Test: compiles
Bug: 112357170
Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
This is used to address a CTS testcase failure. This CTS
testcase need to access the content of Contact, some data
from ContactProvider is transfered through ashmem.
Currently ashmem is backed by the tmpfs filesystem, ContactProvider
in android run as a priv_app, so the file context of the ashmem
created by ContactProvider is priv_app_tmpfs. CTS runs as an
untrusted_app, need to be granted the read permission to the
priv_app_tmpfs files.
Bug: 117961216
[Android Version]:
android_p_mr0_r0
[Kernel Version]:
4.19.0-rc8
[CTS Version]:
cts-9.0_r1
[Failed Testcase]:
com.android.cts.devicepolicy.ManagedProfileTest#testManagedContactsPolicies
[Error Log]:
11-11 11:15:50.479 12611 12611 W AndroidTestSuit: type=1400 audit(0.0:811):
avc: denied { read } for path=2F6465762F6173686D656D202864656C6574656429
dev="tmpfs" ino=174636 scontext=u:r:untrusted_app:s0:c113,c256,c522,c768
tcontext=u:object_r:priv_app_tmpfs:s0:c522,c768 tclass=file permissive=0
[Test Result With This Patch]:
PASS
Change-Id: I45efacabe64af36912a53df60ac059889fde1629
Kernel commit 8a2af06415ef0fc922162503dd18da0d9be7771f (ashmem: switch
to ->read_iter) switched ashmem from using __vfs_read to vfs_iter_read
to read the backing shmem file. Prior to this, reading from an ashmem
fd that was passed between processes didn't hit any permission checks;
now SELinux checks that the receiver can read from the creator's file
context.
Some apps receive buffers through ashmem from system_server, e.g., the
settings app reads battery stats from system_server through ashmem when
an app details page is opened. Restore this ability by giving apps read
access to system_server_tmpfs. system_server is still responsible for
creating and passing across the ashmem buffers, so this doesn't give
apps the ability to read anything system_server isn't willing to give
them.
Bug: 112987536
Bug: 111381531
Test: atest android.appsecurity.cts.PermissionsHostTest on kernel 4.14
Change-Id: Ice5e25f55bc409e91ad7e8c7ea8b28ae213191a3
Because applications should be able to set the receive
timeout on UDP encapsulation sockets, we need to allow
setsockopt(). getsockopt() is an obvious allowance as
well.
Bug: 68689438
Test: compilation
Merged-In: I2eaf72bcce5695f1aee7a95ec03111eca577651c
Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c
This gives the privilege to system apps, platform apps,
ephemeral apps, and privileged apps to receive a
UDP socket from the system server. This is being added
for supporting UDP Encapsulation sockets for IPsec, which
must be provided by the system.
This is an analogous change to a previous change that
permitted these sockets for untrusted_apps:
0f75a62e2c
Bug: 70389346
Test: IpSecManagerTest, System app verified with SL4A
Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31
Vendor-specific app domains depend on the rules in app.te so they
must reside in public policy.
Bug: 70517907
Test: build
Change-Id: If45557a5732a06f78c752779a8182e053beb25a2
Merged-In: If45557a5732a06f78c752779a8182e053beb25a2
(cherry picked from commit 1f4cab8bd4)
Do not let apps read uid_concurrent_active_time and
uid_concurrent_policy_time.
b/68399339
Test: Check that they can't be read from the shell
without root permissions and system_server was able
to read them
Change-Id: I6f09ef608607cb9f4084ba403a1e7254b8c49a06
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.
This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.
This is essentially:
1. New global_capability_class_set and global_capability2_class_set
that match capability+cap_userns and capability2+cap2_userns,
respectively.
2. s/self:capability/self:global_capability_class_set/g
3. s/self:capability2/self:global_capability2_class_set/g
4. Add cap_userns and cap2_userns to the existing capability_class_set
so that it covers all capabilities. This set was used by several
neverallow and dontaudit rules, and I confirmed that the new
classes are still appropriate.
Test: diff new policy against old and confirm that all new rules add
only cap_userns or cap2_userns;
Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831
Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
Android uses hidepid=2 to restrict visibility to other /proc entries on
the system. This helps preserve user, application, and system
confidentiality by preventing unauthorized access to application metadata,
and addresses attacks such as
http://www.cs.ucr.edu/~zhiyunq/pub/sec14_android_activity_inference.pdf
Ensure the SELinux (weaker) equivalent is being enforced by adding
neverallow compile time assertions.
TODO: The "shell" user runs as both an Android application, as well as
spawned via adb shell. This was a mistake. We should separate out the
"shell" Android app into it's own SELinux domain. For now, exclude the
shell from this assertion. (The shell Android app is covered by
hidepid=2, so there's no leaking of data, but still, it's over
privileged today and should be cleaned up.
Bug: 23310674
Test: policy compiles. Compile time assertion only.
Change-Id: I0e1a6506b2719aabf7eb8127f046c4ada947ba90
This adds parellel rules to the ones added for media_rw_data_file
to allow apps to access vfat under sdcardfs. This should be reverted
if sdcardfs is modified to alter the secontext it used for access to
the lower filesystem
Change-Id: Idb123206ed2fac3ead88b0c1ed0b66952597ac65
Bug: 62584229
Test: Run android.appsecurity.cts.ExternalStorageHostTest with
an external card formated as vfat
Signed-off-by: Daniel Rosenberg <drosen@google.com>
This adds parellel rules to the ones added for media_rw_data_file
to allow apps to access vfat under sdcardfs. This should be reverted
if sdcardfs is modified to alter the secontext it used for access to
the lower filesystem
Change-Id: Idb123206ed2fac3ead88b0c1ed0b66952597ac65
Bug: 62584229
Test: Run android.appsecurity.cts.ExternalStorageHostTest with
an external card formated as vfat
Signed-off-by: Daniel Rosenberg <drosen@google.com>
tombstoned allows dumpstate to install "intercepts" to java trace
requests for a given process. When an "intercept" is installed, all
trace output is redirected to a pipe provided by dumpstate instead
of the default location (usually in /data/anr or /data/tombstone).
Note that these processes are already granted "write" and "getattr"
on dumpstate:fifo_file in order to communicate with dumpstate; this
change adds "append" to the existing set of permissions.
Bug: 32064548
Test: manual
Change-Id: Iccbd78c59071252fef318589f3e55ece51a3c64c
Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.
Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.
Bug: 32064548
Test: Manual
(cherry picked from commit a8832dabc7f3b7b2381760d2b95f81abf78db709)
(cherry picked from commit 11bfcc1e96)
Change-Id: Icc60d227331c8eee70a9389ff1e7e78772f37e6f
Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.
Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.
Bug: 32064548
Test: Manual
Merged-In: I70a3e6e230268d12b454e849fa88418082269c4f
Change-Id: Ib4b73fc130f4993c44d96c8d68f61b6d9bb2c7d5
Currently, some jni libs in /vendor/lib are allowed to be executed
in java process by labelling them as same_process_hal_file. This is
wrong because those jni libs are not in fact same process HALs.
After b/37481404, those jni libs for vendor apks are embedded inside the
apk just like downloaded apks.
In order to make this possible, appdomain is allowed to execute
vendor_app_file. Note that allowing this is not a Treble violation because
vendor_app_file is Java and JNI code only. Native libraries in
/vendor/lib are still prevented from being loaded in apps except for
those are labeled as same_process_hal_file AND are loaded via the
'sphal' namespace.
Bug: 37481404
Test: Phone application does not crash.
Change-Id: Ifaece2f05d0b20e28c4b1c0847f5ea0bb28ade02
Specify per-service rules for PDX transport. Now being able to
grant permissions to individual services provided by processes,
not all services of a process.
Also tighter control over which permissions are required for
client and server for individual components of IPC (endpoints,
channels, etc).
Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
Merged-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
Sensord move in ag/2106763 should be accompanied by corresponding
sepolicy move of sensord-related files/declarations.
Bug: 36996994
Test: Sailfish build shows no related permission errors
Change-Id: Ibe41b363f7ca2752b5d3e0961298985cf784663d
Specify per-service rules for PDX transport. Now being able to
grant permissions to individual services provided by processes,
not all services of a process.
Also tighter control over which permissions are required for
client and server for individual components of IPC (endpoints,
channels, etc).
Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
Remove SELinux access from domain_deprecated. Access to SELinux APIs can
be granted on a per-domain basis.
Remove appdomain access to SELinux APIs. SELinux APIs are not public and
are not intended for application use. In particular, some exploits poll
on /sys/fs/selinux/enforce to determine if the attack was successful,
and we want to ensure that the behavior isn't allowed. This access was
only granted in the past for CTS purposes, but all the relevant CTS
tests have been moved to the shell domain.
Bug: 27756382
Bug: 28760354
Test: Device boots and no obvious problems. No collected denials.
Change-Id: Ide68311bd0542671c8ebf9df0326e512a1cf325b
The API does not expose the FD directly. But they are
used by libaaudio.so linked with the app.
Needed for low latency audio.
Bug: 37167970
Test: NativeOboe touch to tone latency app
Change-Id: I92372eff44d856e9aff399dc9c64fd18524fdc44
Signed-off-by: Phil Burk <philburk@google.com>
This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.
Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
record video (slow motion and normal), and check that photos
look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
make and install CtsMediaTestCases.apk
adb shell am instrument -e size small \
-w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
fingerprint
Test: Apply OTA update:
Make some visible change, e.g., rename Settings app.
make otatools && \
make dist
Ensure device has network connectivity
ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494f1)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
This commit marks surfaceflinger and app domain (except isolated_app)
as clients of Configstore HAL. This cleans up the policy and will make
it easier to restrict access to HwBinder services later.
Test: Play YouTube clip in YouTube app and YouTube web page in Chrome
Test: Take an HDR+ photo, a normal photo, a video, and slow motion
video in Google Camera app. Check that photos show up fine and
that videos play back with sound.
Test: Play movie using Google Play Movies
Test: Google Maps app displays the Android's correct location
Bug: 34454312
Change-Id: I0f468a4289132f4eaacfb1d13ce4e61604c2a371
This commit marks system_server and app domains (except isolated_app)
as clients of Graphics Allocator HAL. This makes the policy cleaner
and prepares ground for restricting access to HwBinder services.
Test: Play video in YouTube app and in Google Chrome YouTube web page
Test: Using Google Camera app, take an HDR+ photo, a conventional
photo, record a video with sound and a slow motion video with
sound, then check that photos look good and videos play back
fine, including sound.
Bug: 34454312
Change-Id: Iea04d38fa5520432f06af94570fa6ce16ed7979a
The new binder_call() lines had to be added
because this change removes mediacodec from
binderservicedomain (on full-treble), hence
domains that could previously reach mediacodec
with binder_call(domain, binderservicedomain)
now need explicit calls instead.
Test: Youtube, Netflix, Maps, Chrome, Music
Change-Id: I3325ce20d9304bc07659fd435554cbcbacbc9829
Since hal_graphics_composer_default is now no longer
a member of binderservicedomain, these domains would
no longer be able to use filedescriptors from it.
Bug: 36569525
Bug: 35706331
Test: marlin boots, YouTube, Maps, Camera, video
Change-Id: I4c110cf7530983470ae079e4fbc8cf11aa0fab7f
Relabeling /vendor and /system/vendor to vendor_file removed
previously granted permissions. Restore these for non-treble devices.
Addresses:
avc: denied { execute_no_trans } for pid=2944 comm="dumpstate"
path="/system/vendor/bin/wpa_cli" dev="mmcblk0p10" ino=1929
scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_file:s0
tclass=file
And potentially some other bugs that have yet to surface.
Bug: 37105075
Test: build Fugu
Change-Id: I8e7bd9c33819bf8206f7c110cbce72366afbcef8
Renderscript drivers are loaded from /vendor/lib64 by following the
/system/vendor symlink. This change fixes a couple of things.
- Allows all domains access to follow the symlink
- Restores app domain permissions for /vendor for non-treble devices
- Allow app domains to peek into /vendor/lib64, but NOT grant 'execute'
permissions for everything. Since RS drivers can be loaded into any
process, their vendor implementation and dependencies have been
marked as 'same process HALs' already.
Bug: 37169158
Test: Tested on sailfish (Treble) & Angler (non-treble)
./cts-tradefed run cts -m CtsRenderscriptTestCases \
--skip-device-info --skip-preconditions --skip-connectivity-check \
--abi arm64-v8a
Result: Tests Passed: 743 Tests Failed: 0
Change-Id: I36f5523381428629126fc196f615063fc7a50b8e
Signed-off-by: Sandeep Patil <sspatil@google.com>
We should give appdomain the access to the /vendor/framework directory
since the jar in the directory is not dexopt-ed.AFAIK, jars which are
not in the bootclasspath are not dexopt-ed by default.
Bug: b/37129319
Test: built and confirmed that embms.apk not crashed
Change-Id: Ic2b1eef472f2fba53e26403dde8ad9ede8105a03