Commit graph

68 commits

Author SHA1 Message Date
Jeff Vander Stoep
607bc67cc9 Prevent apps from causing presubmit failures
Apps can cause selinux denials by accessing CE storage
and/or external storage. In either case, the selinux denial is
not the cause of the failure, but just a symptom that
storage isn't ready. Many apps handle the failure appropriately.

These denials are not helpful, are not the cause of a problem,
spam the logs, and cause presubmit flakes. Suppress them.

Bug: 145267097
Test: build
Change-Id: If87b9683e5694fced96a81747b1baf85ef6b2124
2019-12-16 11:19:05 +01:00
Florian Mayer
5e52281372 Allow Java domains to be Perfetto producers.
This is needed to get Java heap graphs.

Test: flash aosp; profile system_server with setenforce 1

Bug: 136210868

Change-Id: I87dffdf28d09e6ce5f706782422510c615521ab3
2019-10-10 10:40:26 +01:00
Xiao Ma
e2876a3d11 revert ipmemorystore selinux policy.
Since ipmemorystore service has been moved to network stack from
system service, also should revert the relevant sepolicy which is
corresponding to the previous configuration.

Bug: 128392280
Test: atest FrameworksNetTests NetworkStackTests
Change-Id: I1ae09696e620b246f817db71e7b71c32aae9be05
2019-04-01 16:37:25 +09:00
Jeff Vander Stoep
9f5d0d90a3 Initial selinux policy support for memfd
Move all app tmpfs types to appdomain_tmpfs. These are still protected
by mls categories and DAC. TODO clean up other app tmpfs types in a
separate change.

Treble-ize tmpfs passing between graphics composer HAL and
surfaceflinger.

Bug: 122854450
Test: boot Blueline with memfd enabled.
Change-Id: Ib98aaba062f10972af6ae80fb85b7a0f60a32eee
2019-01-30 19:11:49 +00:00
William Hester
5f486c74bf Add the testharness service to sepolicy rules
The testharness service will manage Test Harness Mode and provide a
command-line interface for users to enable Test Harness Mode; however it
does not directly provide a public API.

Bug: 80137798
Test: make
Test: flash crosshatch
Change-Id: Ie396e40fcea8914b4dd2247f2314e029b66ad84e
2019-01-17 13:10:37 -08:00
Chalard Jean
fb15c9f12f Add sepolicy for IpMemoryStoreService
Bug: 116512211
Test: Builds, boots, including upcoming changes needing this
Change-Id: I6f119368c5a4f7ac6c0325915dff60124c5a6399
2019-01-10 18:06:56 +09:00
Nick Kralevich
0eb0a16fbd bless app created renderscript files
When an app uses renderscript to compile a Script instance,
renderscript compiles and links the script using /system/bin/bcc and
/system/bin/ld.mc, then places the resulting shared library into the
application's code_cache directory. The application then dlopen()s the
resulting shared library.

Currently, this executable code is writable to the application. This
violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which
requires any executable code be immutable.

This change introduces a new label "rs_data_file". Files created by
/system/bin/bcc and /system/bin/ld.mc in the application's home
directory assume this label. This allows us to differentiate in
security policy between app created files, and files created by
renderscript on behalf of the application.

Apps are allowed to delete these files, but cannot create or write these
files. This is enforced through a neverallow compile time assertion.

Several exceptions are added to Treble neverallow assertions to support
this functionality. However, because renderscript was previously invoked
from an application context, this is not a Treble separation regression.

This change is needed to support blocking dlopen() for non-renderscript
/data/data files, which will be submitted in a followup change.

Bug: 112357170
Test: cts-tradefed run cts -m CtsRenderscriptTestCases
Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
2018-12-12 13:20:22 -08:00
Nick Kralevich
1e5021c450 Move some rules around
Move rules / neverallow assertions from public to private policy. This
change, by itself, is a no-op, but will make future patches easier to
read. The only downside of this change is that it will make git blame
less effective.

Motivation: When rules are placed into the public directory, they cannot
reference a private type. A future change will modify these rules to
reference a private type.

Test: compiles
Bug: 112357170
Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
2018-11-28 17:55:21 -08:00
ji, zhenlong z
fdfa42bf29 sepolicy: Allow apps to get info from priv_app by ashmem
This is used to address a CTS testcase failure. This CTS
testcase need to access the content of Contact, some data
from ContactProvider is transfered through ashmem.

Currently ashmem is backed by the tmpfs filesystem, ContactProvider
in android run as a priv_app, so the file context of the ashmem
created by ContactProvider is priv_app_tmpfs. CTS runs as an
untrusted_app, need to be granted the read permission to the
priv_app_tmpfs files.

Bug: 117961216

[Android Version]:
android_p_mr0_r0

[Kernel Version]:
4.19.0-rc8

[CTS Version]:
cts-9.0_r1

[Failed Testcase]:
com.android.cts.devicepolicy.ManagedProfileTest#testManagedContactsPolicies

[Error Log]:
11-11 11:15:50.479 12611 12611 W AndroidTestSuit: type=1400 audit(0.0:811):
avc: denied { read } for path=2F6465762F6173686D656D202864656C6574656429
dev="tmpfs" ino=174636 scontext=u:r:untrusted_app:s0:c113,c256,c522,c768
tcontext=u:object_r:priv_app_tmpfs:s0:c522,c768 tclass=file permissive=0

[Test Result With This Patch]:
PASS

Change-Id: I45efacabe64af36912a53df60ac059889fde1629
2018-10-23 12:37:03 +08:00
Benjamin Gordon
360559e7bb sepolicy: Allow apps to read ashmem fds from system_server
Kernel commit 8a2af06415ef0fc922162503dd18da0d9be7771f (ashmem: switch
to ->read_iter) switched ashmem from using __vfs_read to vfs_iter_read
to read the backing shmem file.  Prior to this, reading from an ashmem
fd that was passed between processes didn't hit any permission checks;
now SELinux checks that the receiver can read from the creator's file
context.

Some apps receive buffers through ashmem from system_server, e.g., the
settings app reads battery stats from system_server through ashmem when
an app details page is opened.  Restore this ability by giving apps read
access to system_server_tmpfs.  system_server is still responsible for
creating and passing across the ashmem buffers, so this doesn't give
apps the ability to read anything system_server isn't willing to give
them.

Bug: 112987536
Bug: 111381531
Test: atest android.appsecurity.cts.PermissionsHostTest on kernel 4.14
Change-Id: Ice5e25f55bc409e91ad7e8c7ea8b28ae213191a3
2018-09-10 17:04:09 +00:00
Nathan Harold
252b015365 Allow getsockopt and setsockopt for Encap Sockets
Because applications should be able to set the receive
timeout on UDP encapsulation sockets, we need to allow
setsockopt(). getsockopt() is an obvious allowance as
well.

Bug: 68689438
Test: compilation
Merged-In: I2eaf72bcce5695f1aee7a95ec03111eca577651c
Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c
2018-04-03 21:52:14 +00:00
Nathan Harold
ee268643c1 Allow More Apps to Recv UDP Sockets from SystemServer
This gives the privilege to system apps, platform apps,
ephemeral apps, and privileged apps to receive a
UDP socket from the system server. This is being added
for supporting UDP Encapsulation sockets for IPsec, which
must be provided by the system.

This is an analogous change to a previous change that
permitted these sockets for untrusted_apps:
0f75a62e2c

Bug: 70389346
Test: IpSecManagerTest, System app verified with SL4A
Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31
2018-01-15 23:10:42 +00:00
Jeff Vander Stoep
77b290f303 app: move appdomain to public policy
Vendor-specific app domains depend on the rules in app.te so they
must reside in public policy.

Bug: 70517907
Test: build
Change-Id: If45557a5732a06f78c752779a8182e053beb25a2
Merged-In: If45557a5732a06f78c752779a8182e053beb25a2
(cherry picked from commit 1f4cab8bd4)
2017-12-19 21:31:01 -08:00
Marissa Wall
80ee23f74a Restrict access to uid_concurrent_*_time
Do not let apps read uid_concurrent_active_time and
uid_concurrent_policy_time.

b/68399339

Test: Check that they can't be read from the shell
    without root permissions and system_server was able
    to read them

Change-Id: I6f09ef608607cb9f4084ba403a1e7254b8c49a06
2017-12-12 19:19:04 +00:00
Benjamin Gordon
9b2e0cbeea sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-21 08:34:32 -07:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Steven Moreland
5b2ebd3b25 Revert "Add screencap domain."
This reverts commit 9216a6adc9.

Bug: 65206688

Merged-In: I8e61b77a1abe9543e4fba77defb8062407676fcf
Change-Id: I8e61b77a1abe9543e4fba77defb8062407676fcf
2017-09-05 10:08:09 -07:00
Steven Moreland
9216a6adc9 Add screencap domain.
Only seeing this denial in permissive:
allow shell screencap_exec:file getattr;

Bug: 37565047
Test: adb shell screencap w/o root
Test: cts-tradefed run cts-dev --module CtsAadbHostTestCases
Merged-In: I9f31d2067e002e7042646ee38dbfc06687481ac7
Change-Id: I9f31d2067e002e7042646ee38dbfc06687481ac7
2017-08-14 11:46:08 -07:00
Nick Kralevich
881fe06f34 Validate no-cross-domain /proc/PID access
am: 7a46380969

Change-Id: Iba80938afccd21f0c3b69626223b35c672358e77
2017-08-11 19:17:29 +00:00
Nick Kralevich
7a46380969 Validate no-cross-domain /proc/PID access
Android uses hidepid=2 to restrict visibility to other /proc entries on
the system. This helps preserve user, application, and system
confidentiality by preventing unauthorized access to application metadata,
and addresses attacks such as
http://www.cs.ucr.edu/~zhiyunq/pub/sec14_android_activity_inference.pdf

Ensure the SELinux (weaker) equivalent is being enforced by adding
neverallow compile time assertions.

TODO: The "shell" user runs as both an Android application, as well as
spawned via adb shell. This was a mistake. We should separate out the
"shell" Android app into it's own SELinux domain. For now, exclude the
shell from this assertion. (The shell Android app is covered by
hidepid=2, so there's no leaking of data, but still, it's over
privileged today and should be cleaned up.

Bug: 23310674
Test: policy compiles. Compile time assertion only.
Change-Id: I0e1a6506b2719aabf7eb8127f046c4ada947ba90
2017-08-11 10:05:22 -07:00
Andreas Gampe
22a8918b2b App: Allow wrapped app to send pid
am: ee694980d0

Change-Id: Ic572585b380405f135646731f9fc749fcee86a3b
2017-07-13 05:28:51 +00:00
Andreas Gampe
ee694980d0 App: Allow wrapped app to send pid
Allow wrapped app to send pid back to zygote.

Bug: 63566721
Bug: 63635227
Test: lunch angler-userdebug && m
Test: lunch angler-user && m
Test: lunch angler-user && m && fastboot flashall && m cts && cts-tradefed run commandAndExit cts-dev -m CtsWrapWrapDebugTestCases
Change-Id: Ie1b41c3eb124aa5ee321c124d0121a0e965f0f0e
2017-07-12 18:24:58 -07:00
Daniel Rosenberg
8a65aeca0e Add rules for vfat for sdcardfs
This adds parellel rules to the ones added for media_rw_data_file
to allow apps to access vfat under sdcardfs. This should be reverted
if sdcardfs is modified to alter the secontext it used for access to
the lower filesystem

Change-Id: Idb123206ed2fac3ead88b0c1ed0b66952597ac65
Bug: 62584229
Test: Run android.appsecurity.cts.ExternalStorageHostTest with
      an external card formated as vfat
Signed-off-by: Daniel Rosenberg <drosen@google.com>
2017-06-22 00:20:59 +00:00
Daniel Rosenberg
29713c8da6 Merge "Add rules for vfat for sdcardfs" into oc-dev
am: 58d0d1e4af

Change-Id: Ia53beb365c39d501c9d6cd53a4cb72dec14b610b
2017-06-16 22:04:05 +00:00
Daniel Rosenberg
260a4485f3 Add rules for vfat for sdcardfs
This adds parellel rules to the ones added for media_rw_data_file
to allow apps to access vfat under sdcardfs. This should be reverted
if sdcardfs is modified to alter the secontext it used for access to
the lower filesystem

Change-Id: Idb123206ed2fac3ead88b0c1ed0b66952597ac65
Bug: 62584229
Test: Run android.appsecurity.cts.ExternalStorageHostTest with
      an external card formated as vfat
Signed-off-by: Daniel Rosenberg <drosen@google.com>
2017-06-16 19:47:33 +00:00
Narayan Kamath
bf7a5bd68b SEPolicy: Allow app / system_server to write to dumpstate pipes. am: a34781ae15 am: 32c7000e6e
am: b25e882338

Change-Id: I778011a48800ace4d865813b148efcdd88d166bb
2017-05-31 13:37:59 +00:00
Narayan Kamath
a34781ae15 SEPolicy: Allow app / system_server to write to dumpstate pipes.
tombstoned allows dumpstate to install "intercepts" to java trace
requests for a given process. When an "intercept" is installed, all
trace output is redirected to a pipe provided by dumpstate instead
of the default location (usually in /data/anr or /data/tombstone).

Note that these processes are already granted "write" and "getattr"
on dumpstate:fifo_file in order to communicate with dumpstate; this
change adds "append" to the existing set of permissions.

Bug: 32064548
Test: manual
Change-Id: Iccbd78c59071252fef318589f3e55ece51a3c64c
2017-05-31 11:45:39 +00:00
Narayan Kamath
f194aad208 SEPolicy: Changes for new stack dumping scheme.
Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.

Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.

Bug: 32064548
Test: Manual

(cherry picked from commit a8832dabc7f3b7b2381760d2b95f81abf78db709)

(cherry picked from commit 11bfcc1e96)

Change-Id: Icc60d227331c8eee70a9389ff1e7e78772f37e6f
2017-05-31 10:01:48 +00:00
Narayan Kamath
e628cb5b2d SEPolicy: Changes for new stack dumping scheme.
Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.

Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.

Bug: 32064548
Test: Manual

Merged-In: I70a3e6e230268d12b454e849fa88418082269c4f
Change-Id: Ib4b73fc130f4993c44d96c8d68f61b6d9bb2c7d5
2017-05-31 08:54:37 +01:00
Jiyong Park
524b0650ce Merge "sepolicy: allow apps to execute libs embedded inside vendor apk" into oc-dev
am: a82c3d57a2

Change-Id: I332b2e50b5057016ad6b530f7660c95bd53af4b7
2017-05-17 10:40:25 +00:00
Jiyong Park
865390312d sepolicy: allow apps to execute libs embedded inside vendor apk
Currently, some jni libs in /vendor/lib are allowed to be executed
in java process by labelling them as same_process_hal_file. This is
wrong because those jni libs are not in fact same process HALs.

After b/37481404, those jni libs for vendor apks are embedded inside the
apk just like downloaded apks.

In order to make this possible, appdomain is allowed to execute
vendor_app_file. Note that allowing this is not a Treble violation because
vendor_app_file is Java and JNI code only. Native libraries in
/vendor/lib are still prevented from being loaded in apps except for
those are labeled as same_process_hal_file AND are loaded via the
'sphal' namespace.

Bug: 37481404
Test: Phone application does not crash.
Change-Id: Ifaece2f05d0b20e28c4b1c0847f5ea0bb28ade02
2017-05-17 10:18:34 +09:00
Alex Vakulenko
c4055f0d04 SELinux policies for PDX services
Specify per-service rules for PDX transport. Now being able to
grant permissions to individual services provided by processes,
not all services of a process.

Also tighter control over which permissions are required for
client and server for individual components of IPC (endpoints,
channels, etc).

Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
Merged-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
2017-05-15 10:07:05 -07:00
Luke Song
9639c5a841 Move sensord sepolicy
am: 2dd9ae33f7

Change-Id: Ia17bae012b678ba604a4f869baf9b29027879ff5
2017-05-13 01:22:51 +00:00
Luke Song
2dd9ae33f7 Move sensord sepolicy
Sensord move in ag/2106763 should be accompanied by corresponding
sepolicy move of sensord-related files/declarations.

Bug: 36996994
Test: Sailfish build shows no related permission errors
Change-Id: Ibe41b363f7ca2752b5d3e0961298985cf784663d
2017-05-11 16:25:03 -07:00
Alex Vakulenko
14847b075b Merge "SELinux policies for PDX services" into oc-dev
am: 7e6176400b

Change-Id: Idefee5498a277bd5b507e648ff41bdc02aa0d752
2017-05-11 18:33:26 +00:00
Alex Vakulenko
41daa7f859 SELinux policies for PDX services
Specify per-service rules for PDX transport. Now being able to
grant permissions to individual services provided by processes,
not all services of a process.

Also tighter control over which permissions are required for
client and server for individual components of IPC (endpoints,
channels, etc).

Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
2017-05-10 16:39:19 -07:00
Nick Kralevich
c4df0d71d2 Merge "Further restrict SELinux API access" am: 076677330d am: b49bc8212a
am: 1ffa6f80da

Change-Id: I4e1669df2067738858c2d7a1e79e0a153cfeef5b
2017-05-08 19:10:23 +00:00
Nick Kralevich
14e2e9261f Further restrict SELinux API access
Remove SELinux access from domain_deprecated. Access to SELinux APIs can
be granted on a per-domain basis.

Remove appdomain access to SELinux APIs. SELinux APIs are not public and
are not intended for application use. In particular, some exploits poll
on /sys/fs/selinux/enforce to determine if the attack was successful,
and we want to ensure that the behavior isn't allowed. This access was
only granted in the past for CTS purposes, but all the relevant CTS
tests have been moved to the shell domain.

Bug: 27756382
Bug: 28760354
Test: Device boots and no obvious problems. No collected denials.
Change-Id: Ide68311bd0542671c8ebf9df0326e512a1cf325b
2017-05-08 09:51:59 -07:00
TreeHugger Robot
b9d5d20790 Merge "sepolicy: allow AAudio apps to use FDs from the audio HAL" into oc-dev 2017-05-02 22:22:44 +00:00
Phil Burk
d6e9c94908 sepolicy: allow AAudio apps to use FDs from the audio HAL
The API does not expose the FD directly. But they are
used by libaaudio.so linked with the app.

Needed for low latency audio.

Bug: 37167970
Test: NativeOboe touch to tone latency app
Change-Id: I92372eff44d856e9aff399dc9c64fd18524fdc44
Signed-off-by: Phil Burk <philburk@google.com>
2017-04-28 15:14:13 -07:00
Abodunrinwa Toki
adfc5db008 SELinux configuration for TextClassifier model updates.
Test: bit FrameworksCoreTests:android.view.textclassifier.TextClassificationManagerTest
Bug: 34780396
Change-Id: I8b98fef913df571e55474ea2529f71750874941c
2017-04-27 18:54:00 +01:00
Alex Klyubin
53656c1742 Restrict access to hwservicemanager
This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494f1)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-21 09:54:53 -07:00
TreeHugger Robot
0b99924986 Merge "restore permissions to /vendor for non-treble devices" into oc-dev 2017-04-19 18:51:10 +00:00
Alex Klyubin
75ca483215 surfaceflinger and apps are clients of Configstore HAL
This commit marks surfaceflinger and app domain (except isolated_app)
as clients of Configstore HAL. This cleans up the policy and will make
it easier to restrict access to HwBinder services later.

Test: Play YouTube clip in YouTube app and YouTube web page in Chrome
Test: Take an HDR+ photo, a normal photo, a video, and slow motion
      video in Google Camera app. Check that photos show up fine and
      that videos play back with sound.
Test: Play movie using Google Play Movies
Test: Google Maps app displays the Android's correct location
Bug: 34454312
Change-Id: I0f468a4289132f4eaacfb1d13ce4e61604c2a371
2017-04-18 12:24:22 -07:00
Alex Klyubin
5007c10a51 Apps and system_server are gralloc HAL clients
This commit marks system_server and app domains (except isolated_app)
as clients of Graphics Allocator HAL. This makes the policy cleaner
and prepares ground for restricting access to HwBinder services.

Test: Play video in YouTube app and in Google Chrome YouTube web page
Test: Using Google Camera app, take an HDR+ photo, a conventional
      photo, record a video with sound and a slow motion video with
      sound, then check that photos look good and videos play back
      fine, including sound.
Bug: 34454312
Change-Id: Iea04d38fa5520432f06af94570fa6ce16ed7979a
2017-04-17 12:55:00 -07:00
Martijn Coenen
fc80f48082 Remove mediacodec from binder violators.
The new binder_call() lines had to be added
because this change removes mediacodec from
binderservicedomain (on full-treble), hence
domains that could previously reach mediacodec
with binder_call(domain, binderservicedomain)
now need explicit calls instead.

Test: Youtube, Netflix, Maps, Chrome, Music
Change-Id: I3325ce20d9304bc07659fd435554cbcbacbc9829
2017-04-15 21:48:56 -07:00
Martijn Coenen
de2e79c58f Give apps, cameraserver, and system_server access to sync fences.
Since hal_graphics_composer_default is now no longer
a member of binderservicedomain, these domains would
no longer be able to use filedescriptors from it.

Bug: 36569525
Bug: 35706331
Test: marlin boots, YouTube, Maps, Camera, video
Change-Id: I4c110cf7530983470ae079e4fbc8cf11aa0fab7f
2017-04-14 23:05:39 +00:00
Jeff Vander Stoep
f627e5581c restore permissions to /vendor for non-treble devices
Relabeling /vendor and /system/vendor to vendor_file removed
previously granted permissions. Restore these for non-treble devices.

Addresses:
avc: denied { execute_no_trans } for pid=2944 comm="dumpstate"
path="/system/vendor/bin/wpa_cli" dev="mmcblk0p10" ino=1929
scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_file:s0
tclass=file

And potentially some other bugs that have yet to surface.

Bug: 37105075
Test: build Fugu
Change-Id: I8e7bd9c33819bf8206f7c110cbce72366afbcef8
2017-04-14 10:01:14 -07:00
Sandeep Patil
3af3a13b31 sepolicy: Fix renderscript driver lookup
Renderscript drivers are loaded from /vendor/lib64 by following the
/system/vendor symlink. This change fixes a couple of things.
- Allows all domains access to follow the symlink
- Restores app domain permissions for /vendor for non-treble devices
- Allow app domains to peek into /vendor/lib64, but NOT grant 'execute'
  permissions for everything. Since RS drivers can be loaded into any
  process, their vendor implementation and dependencies have been
  marked as 'same process HALs' already.

Bug: 37169158
Test: Tested on sailfish (Treble) & Angler (non-treble)
      ./cts-tradefed run cts -m CtsRenderscriptTestCases \
      --skip-device-info --skip-preconditions --skip-connectivity-check \
      --abi arm64-v8a
      Result: Tests Passed: 743 Tests Failed: 0

Change-Id: I36f5523381428629126fc196f615063fc7a50b8e
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-10 08:45:20 -07:00
Jaesoo Lee
5377be6563 allow access to vendor_framework_file to dex2oat and appdomain
We should give appdomain the access to the /vendor/framework directory
since the jar in the directory is not dexopt-ed.AFAIK, jars which are
not in the bootclasspath are not dexopt-ed by default.

Bug: b/37129319
Test: built and confirmed that embms.apk not crashed

Change-Id: Ic2b1eef472f2fba53e26403dde8ad9ede8105a03
2017-04-07 09:16:05 -07:00