Commit graph

160 commits

Author SHA1 Message Date
Marco Ballesio
aa4ce95c6f sepolicy: rules for uid/pid cgroups v2 hierarchy
Bug: 168907513
Test: verified the correct working of the v2 uid/pid hierarchy in normal
and recovery modes

This reverts commit aa8bb3a29b.

Change-Id: Ib344d500ea49b86e862e223ab58a16601eebef47
2021-02-11 23:40:38 +00:00
Treehugger Robot
96acdc0b22 Merge "Revert^3 "sepolicy: rules for uid/pid cgroups v2 hierarchy"" 2021-02-05 01:59:16 +00:00
Marco Ballesio
aa8bb3a29b Revert^3 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
a54bed6907

Bug: 151660495
Test: verified proper boot in regular mode and proper working of adb in
recovery

Change-Id: Id70d27a6162af6ede94661005d80a2a780057089
2021-02-04 22:33:14 +00:00
Kalesh Singh
5bf6faaf94 Fix dumpstate hal_*_server denials
Bug: 178566350
Test: atest CtsSecurityHostTestCases:android.security.cts.SELinuxHostTest#testNoBugreportDenials -- --abi x86_64
Change-Id: I58e050f2e6f978ea5c7e1a89221178f5374d1731
2021-02-01 22:20:44 -05:00
Marco Ballesio
a54bed6907 Revert^2 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
51c04ac27b

Change-Id: Idc35a84b5faabfb9bdd7a7693f51b11938eb0489
2021-01-27 06:07:48 +00:00
Hunter Knepshield
18312f49b8 SEPolicy changes for public BugreportManager API.
Allow non-system apps to get an instance through
Context#getSystemService, and then dumpstate also needs permissions to
append to public apps' files.

Most carrier apps are not pre-installed, but we still want to allow them
to request connectivity bug reports, which are well-scoped to contain
limited PII and all info should directly relate to connectivity
(cellular/wifi/networking) debugging.

BugreportManager underneath validates that the calling app has carrier
privileges before actually starting the bug report routine. User consent
is requested for every bugreport requested by carrier apps.

Without the dumpstate.te change, the following error will occur:
01-14 20:08:52.394  1755  1755 I auditd  : type=1400 audit(0.0:10): avc: denied { append } for comm="Binder:1755_16" path="/data/user/0/com.carrier.bugreportapp.public/files/bugreports/bugreport-2021-01-14-20-08-51.zip" dev="dm-8" ino=25218 scontext=u:r:dumpstate:s0 tcontext=u:object_r:app_data_file:s0:c7,c257,c512,c768 tclass=file permissive=0
[ 1167.128552] type=1400 audit(1610654932.394:10): avc: denied { append } for comm="Binder:1755_16" path="/data/user/0/com.carrier.bugreportapp.public/files/bugreports/bugreport-2021-01-14-20-08-51.zip" dev="dm-8" ino=25218 scontext=u:r:dumpstate:s0 tcontext=u:object_r:app_data_file:s0:c7,c257,c512,c768 tclass=file permissive=0

Bug: 161393541
Test: atest CtsCarrierApiTestCases:BugreportManagerTest
Change-Id: I443b1f6cd96223ed600c4006bc344c2a8663fdc7
2021-01-14 20:15:34 +00:00
Alan Stokes
7aa40413ae Split user_profile_data_file label.
user_profile_data_file is mlstrustedobject. And it needs to be,
because we want untrusted apps to be able to write to their profile
files, but they do not have levels.

But now we want to apply levels in the parent directories that have
the same label, and we want them to work so they need to not be
MLS-exempt. To resolve that we introduce a new label,
user_profile_root_file, which is applied to those directories (but no
files). We grant mostly the same access to the new label as
directories with the existing label.

Apart from appdomain, almost every domain which accesses
user_profile_data_file, and now user_profile_root_file, is already
mlstrustedsubject and so can't be affected by this change. The
exception is postinstall_dexopt which we now make mlstrustedobject.

Bug: 141677108
Bug: 175311045
Test: Manual: flash with wipe
Test: Manual: flash on top of older version
Test: Manual: install & uninstall apps
Test: Manual: create & remove user
Test: Presubmits.
Change-Id: I4e0def3d513b129d6c292f7edb076db341b4a2b3
2020-12-11 17:35:06 +00:00
Jonglin Lee
51c04ac27b Revert "sepolicy: rules for uid/pid cgroups v2 hierarchy"
Revert submission 1511692-cgroup v2 uid/pid hierarchy

Reason for revert: Causing intermittent cgroup kernel panics
Reverted Changes:
I80c2a069b:sepolicy: rules for uid/pid cgroups v2 hierarchy
I73f3e767d:libprocessgroup: uid/pid hierarchy for cgroup v2

Bug: 174776875
Change-Id: I63a03bb43d87c9aa564b1436a45fd5ec023aac87
Test: Locally reverted and booted 100 times without kernel panic
2020-12-04 03:12:59 +00:00
Marco Ballesio
f46d7a26c1 sepolicy: rules for uid/pid cgroups v2 hierarchy
the cgroups v2 uid/gid hierarchy will replace cgroup for all sepolicy
rules. For this reason, old rules have to be duplicated to cgroup_v2,
plus some rules must be added to allow the ownership change for cgroup
files created by init and zygote.

Test: booted device, verified correct access from init, system_server
and zygote to the uid/pid cgroup files

Change-Id: I80c2a069b0fb409b442e1160148ddc48e31d6809
2020-11-30 11:46:14 -08:00
Alistair Delva
98825d35cb Allow dumpstate to dump face/fingerprint/gnss HALs
Seen with "adb bugreport" on cuttlefish:

avc: denied { call } for scontext=u:r:dumpstate:s0
  tcontext=u:r:hal_face_default:s0 tclass=binder permissive=0
avc: denied { call } for scontext=u:r:dumpstate:s0
  tcontext=u:r:hal_fingerprint_default:s0 tclass=binder permissive=0
avc: denied { call } for scontext=u:r:dumpstate:s0
  tcontext=u:r:hal_gnss_default:s0 tclass=binder permissive=0

Fix it like aosp/1313514

Bug: 170070222
Change-Id: I1c2d6fc0130ef3ee87662d23de0ee031fb60cbec
2020-11-16 13:52:05 -08:00
Alex Hong
906c724514 Allow dumpstate to read proc_pid_max and access profcollectd via binder
Now running ps requires the read permission for /proc/sys/kernel/pid_max.
Also, grant the binder_call permission for recently added profcollectd.

Bug: 170070222
Change-Id: I5bc0f89a0538091de40647777ff6bf47f47dc066
2020-11-10 09:53:41 +00:00
Jack Yu
dd64813204 Add sepolicy to allow read/write nfc snoop log data
Bug: 153704838
Test: nfc snoop log could be accessed
Change-Id: I694426ddb776114e5028b9e33455dd98fb502f0a
2020-09-24 17:36:07 +08:00
Treehugger Robot
142d16a964 Merge "Allow dumpstate to dump auto hal servers" 2020-08-04 17:28:41 +00:00
Roman Kiryanov
b76d0b3060 Allow dumpstate to getattr apex_info_file:file
required by the CTS test.

Bug: 162594434
Test: atest android.security.cts.SELinuxHostTest#testNoBugreportDenials
Signed-off-by: Roman Kiryanov <rkir@google.com>
Change-Id: Ic9962415d740e300ceb418b3265c24433a9e4f4c
2020-07-31 13:39:11 -07:00
Roman Kiryanov
83b88d5d61 Allow dumpstate to dump hal_light
Bug: 162594434
Test: atest android.security.cts.SELinuxHostTest#testNoBugreportDenials
Signed-off-by: Roman Kiryanov <rkir@google.com>
Change-Id: I440b5627abe0127324679fcb54bc52a68c44bea4
2020-07-31 13:37:59 -07:00
Yiming Jing
2fd322f630 Allow dumpstate to dump auto hal servers
audiocontrol_hal, vehicle_hal and evs_hal were added to dump_util.cpp in
b/148098383. But the coresponding dumpstate.te is not updated to relfect
the changes, causing denials when dumpstate attempts to dump auto hal servers.

This CL updates dumpstate.te to allow dumpstate to access auto hal servers.

Bug: 162537916
Test: sesearch -A -s dumpstate -t hal_audiocontrol_server -p signal sepolicy
Test: sesearch -A -s dumpstate -t hal_vehicle_server -p signal sepolicy
Test: sesearch -A -s dumpstate -t hal_evs_server -p signal sepolicy
Change-Id: If6d6e4d9c547da17817f2668dc4f2a093bddd632
2020-07-31 10:19:22 -07:00
Adam Shih
8cc3f8d9ee Let dumpstate access hal_identity
Bug: 158614313
Test: CtsSecurityHostTestCases:android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: Ic07e64b0bb18f948764e7bde5985eab91747b882
2020-06-24 10:40:44 +08:00
TeYuan Wang
900c723e1d Allow dumpstate to get thermal and power hal debug info
Bug: 156710131
Test: tested in userdebug with dumpstate.unroot set to true
Change-Id: Iabd636f109e719753fdd650f05e1a7af835c49d7
Signed-off-by: TeYuan Wang <kamewang@google.com>
2020-05-18 10:30:28 +08:00
Igor Murashkin
e67fad5deb iorapd: Allow dumpstate (bugreport) to dump iorapd
Bug: 152616197
Test: adb bugreport
Change-Id: I36e3b6d847341ddd84792ccc3f2c2c620e1c3f7b
Merged-In: I36e3b6d847341ddd84792ccc3f2c2c620e1c3f7b
2020-03-31 13:48:47 -07:00
Inseob Kim
55e5c9b513 Move system property rules to private
public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.

Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
2020-03-18 16:46:04 +00:00
Kris Chen
258442b3d4 Add rules to dump fingerprint hal traces
Bug: 150008549
Test: adb shell am hang
Test: adb bugreport
Change-Id: I0440bb8fd3cc1205a43eca6c7ef5f8d0afc92396
2020-03-03 16:58:58 +08:00
Stefano Galarraga
fb9ff8d5b6 Merge "Allow dumpstate to dump NNAPI HAL log on userbuild" 2020-02-25 10:47:38 +00:00
Kenny Root
4def25f171 Merge "rebootescrow: allow dumpstate to call via binder" 2020-02-11 21:25:29 +00:00
Kenny Root
7ae220742c rebootescrow: allow dumpstate to call via binder
Allow dumpstate to call into rebootescrow to request debug information.

Bug: 148763226
Test: adb bugreport
Change-Id: Ib336cab755998b1ddcd7848b3e544c2e0f09c1aa
2020-02-10 21:28:32 -08:00
Jerry Chang
e8b7cecad3 Merge "sepolicy: new prereboot_data_file type" 2020-02-11 02:49:29 +00:00
Hridya Valsaraju
4ea5709bc4 Allow dumpstate access to /dev/binderfs/binder_logs
These permissions allow dumpstate to access binder logs
from /dev/binderfs.
avc: denied { read } for name="binder_logs" dev="binder" ino=1048580
scontext=u:r:dumpstate:s0 tcontext=u:object_r:binderfs_logs:s0 tclass=dir permissive=0
avc: denied { read } for comm="dumpstate" name="failed_transaction_log"
dev="binder" ino=1048585 scontext=u:r:dumpstate:s0
tcontext=u:object_r:binderfs_logs:s0 tclass=file permissive=1
avc: denied { open } for comm="dumpstate"
path="/dev/binderfs/binder_logs/failed_transaction_log"
dev="binder" ino=1048585 scontext=u:r:dumpstate:s0
tcontext=u:object_r:binderfs_logs:s0 tclass=file permissive=1
avc: denied { getattr } for comm="dumpstate"
path="/dev/binderfs/binder_logs/failed_transaction_log"
dev="binder" ino=1048585 scontext=u:r:dumpstate:s0
tcontext=u:object_r:binderfs_logs:s0 tclass=file permissive=1

Test: adb shell dumpstate
Bug: 136497735
Change-Id: I5ff7223e431aab9baa3527570fff2da71ab6feb0
2020-02-10 12:47:35 -08:00
Jerry Chang
5594f307c8 sepolicy: new prereboot_data_file type
This adds the type and permissions for dumping and appending prereboot
information.

Bug: 145203410
Test: Didn't see denials while dumping and appending prereboot info.
Change-Id: Ic08408b9bebc3648a7668ed8475f96a5302635fa
2020-02-07 10:22:47 +08:00
Martijn Coenen
722026676b Don't audit dumpstate reading /mnt/user, /mnt/installer.
Dumpstate runs 'df', which in turn tries to get attributes on all
mounted filesystems. We don't care much for stats on /mnt/user, since
it's simply a mapping of /data. /mnt/installer is simply a bind mount of
/mnt/user, and we don't need to show that in df either.

Bug: 148761246
Test: atest
CtsSecurityHostTestCases:android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: Ie71b9cde08eb08bd3a7a3e2659ea71c61ca5ab3b
2020-02-06 09:44:24 +00:00
Stefano Galarraga
a601575307 Allow dumpstate to dump NNAPI HAL log on userbuild
This helps in the investigation of driver-related issues.

Bug: 145388549
Test: Manually, log collected on user build
Change-Id: I40631aac7878f58e399bc583898630055583fc7c
2020-02-05 09:26:23 +00:00
Kiyoung Kim
7be9b32fdb Merge "Allow dumpstate to open and read linkerconfig directory" 2020-02-05 07:58:12 +00:00
Yifan Hong
28d5e87d39 Merge "snapshotctl better logging" 2020-02-04 22:18:33 +00:00
Yifan Hong
589bb6f369 snapshotctl better logging
Test: snapshotctl merge --log-to-file
Bug: 148818798
Change-Id: I0e9c8ebb6632a56670a566f7a541e52e0bd24b08
2020-02-04 10:09:24 -08:00
Kiyoung Kim
608029fb86 Allow dumpstate to open and read linkerconfig directory
To include linkerconfig results into dumpstate, dumpstate needs extra
permission on lnkerconfig directory to search all items within the
directory. This change allows dumpstate to have extra access on
linkerconfig directory.

Bug: 148840832
Test: tested from cuttlefish
Change-Id: I955b54ec2cc3d1dcedaa34406e0e0776b6ac12f6
2020-02-04 19:45:19 +09:00
Kiyoung Kim
7e247cb035 Don't audit linkerconfig in dumpstate
dumpstate creates an error log from CTS test because dumpstate does not
have access to linkerconfig directory. As df doesn't need to scan
linkerconfig directory, do not audit this directory in dumpstate
to get attributes.

Bug: 148760417
Test: m -j passed
Test: No sepolicy error from correspoding test
Change-Id: I3c1c3a489584450bd23fbce2d7cc9b09aaf9c002
2020-02-04 15:51:00 +09:00
Steven Moreland
a30464c06e More neverallows for default_android_service.
We don't want to accidentally allow this, and a neverallow also means
that the issue will be found during development, instead of review.

Fixes: 148081219
Test: compile policy only
Change-Id: I57990a2a4ab9e5988b09dae2dd6a710ce8f53800
2020-01-21 11:13:22 -08:00
Ricky Wai
2e17c0558e Don't audit data_mirror in dumpstate
Bug: 146376151
Test: atest SELinuxHostTest#testNoBugreportDenials
Change-Id: Ia94496bcb8f60cd9a828380164ade65cab62bac2
2019-12-19 16:36:24 +00:00
Minchan Kim
8dfe383b2a Allow dumpstate to access PSI statistics
dumpstate need to access /proc/pressure/{cpu,mem,io}

Bug: 141884936
Test: adb bugreport and check bugreport file includes PSI metric
Change-Id: I01e7376206c07c1700d6ffe3690d61a1db8dfe84
Signed-off-by: Minchan Kim <minchan@google.com>
2019-10-01 14:43:55 -07:00
Tom Cherry
c72dc07de2 Merge "Allow dumpstate to read /data/misc/logd always"
am: 4c52cedf22

Change-Id: I32bce2aedcbb2adb4d566410945a98299ea21fc9
2019-07-15 16:43:00 -07:00
Tom Cherry
77f8d4f8ca Allow dumpstate to read /data/misc/logd always
There is no reason to deny dumpstate from reading /data/misc/logd on
user builds.  Logpersist is disallowed from running on those builds,
so there is no harm in copying this directory.

Bug: 136978224
Test: build
Change-Id: Ia58bde10e1f45978975597cd2ea1951a784d3b49
2019-07-08 13:20:10 -07:00
TreeHugger Robot
f325a7db06 Merge "DO NOT MERGE - Merge qt-dev-plus-aosp-without-vendor (5699924) into stage-aosp-master" into stage-aosp-master 2019-07-02 07:41:05 +00:00
Kalesh Singh
113d10baaa Sepolicy for added SystemSuspend HAL to ANR list.
Change-Id: Ib7b647d07c5432ed4cdb674f3c9642cfcb5c9d79
Bug: 135458700
Fixes: 135458700
Test: Trigger ANR dump (adb shell am hang).
grep through logcat for sepolicy denials.
2019-06-28 10:08:22 -07:00
Kevin Chyn
a18c5bdd70 Add rules to dump hal traces
Test: manual
Bug: 126802513

Change-Id: If037483f305e161a158e30f6322d5e25b7770952
Merged-In: If037483f305e161a158e30f6322d5e25b7770952
2019-06-20 00:31:03 +00:00
Kevin Chyn
6d976f4d5d Add rules to dump hal traces
Test: manual
Bug: 126802513

Change-Id: If037483f305e161a158e30f6322d5e25b7770952
2019-06-19 19:55:14 +00:00
TreeHugger Robot
cf48bfd082 Merge "Properly define hal_codec2 and related policies" into qt-dev 2019-05-24 07:21:23 +00:00
Pawin Vongmasa
609c243dd0 Properly define hal_codec2 and related policies
Test: make cts -j123 && cts-tradefed run cts-dev -m \
CtsMediaTestCases --compatibility:module-arg \
CtsMediaTestCases:include-annotation:\
android.platform.test.annotations.RequiresDevice

Bug: 131677974
Change-Id: I59c3d225499a8c53c2ed9f3bd677ff3d7423990b
2019-05-23 03:53:47 -07:00
Nikita Ioffe
1c4a5260c1 selinux: Allow dumpstate send signals to vold
Test: adb bugreport
Test: verified vold stacktrace is present in bugreport
Bug: 132344997
Change-Id: I0ebf7f171d854b9aaf894ccb8c7a5f68f18e692b
Merged-In: I0ebf7f171d854b9aaf894ccb8c7a5f68f18e692b
(cherry picked from commit f7c3d19d29)
2019-05-21 20:39:07 +01:00
Nikita Ioffe
f7c3d19d29 selinux: Allow dumpstate send signals to vold
Test: adb bugreport
Test: verified vold stacktrace is present in bugreport
Bug: 132344997
Change-Id: I0ebf7f171d854b9aaf894ccb8c7a5f68f18e692b
2019-05-21 13:03:55 +01:00
TreeHugger Robot
5f30c238ec Merge "Allow signals to power/thermal HAL from dumpstate" into qt-dev 2019-04-24 20:18:26 +00:00
Wei Wang
addfe4679d Allow signals to power/thermal HAL from dumpstate
Bug: 129711808
Test: Take BR
Change-Id: Ibcb03698a6e2966f4913ddb6e674502bce4df235
2019-04-23 14:22:41 -07:00
Wei Wang
76d93f0ce8 Allow signals to power/thermal HAL from dumpstate
Bug: 129711808
Test: Take BR
Change-Id: Ibcb03698a6e2966f4913ddb6e674502bce4df235
2019-04-23 14:21:03 -07:00