Commit graph

662 commits

Author SHA1 Message Date
Songchun Fan
19a5cc2bab [sepolicy] remove vendor_incremental_module from global sepolicy rules
(Cherry-picking)

Moving to coral-sepolicy

BUG: 150882666
Test: atest PackageManagerShellCommandIncrementalTest
Merged-Id: I55f5d53ee32d0557e06c070961526631e1bb1fc5
Change-Id: Ia9c4d8240787b0d2b349764cac9d61b9d8731fa2
2020-03-19 16:31:44 -07:00
Jeffrey Huang
94452b2a50 Merge "Allow statsd to access a new metadata directory" 2020-03-18 22:22:24 +00:00
Jeffrey Huang
687aa037f6 Allow statsd to access a new metadata directory
Test: m -j
Bug: 149838525
Change-Id: I8633d21feb827c67288eb2894bafae166b103f92
2020-03-04 15:09:54 -08:00
Keun-young Park
aa6dba2770 Merge "Add resize2fs to fsck_exec file context" 2020-02-27 03:02:02 +00:00
Keun young Park
e6e5f32ea0 Add resize2fs to fsck_exec file context
- This allows init to access it.

Bug: 149039306
Test: Flash and confirm that file system can run resize2fs when metadata_csum is enabled.
Change-Id: Id91d8fb6800b254b12eaf93a0e8cb019b55d2702
2020-02-25 08:37:35 -08:00
Changyeon Jo
17b38d526d Update automotive display service rules
This change updates sepolicies for automotive display service to make it
available to the vendor processes.

Bug: 149017572
Test: m -j selinux_policy
Change-Id: I48708fe25e260f9302e02749c3777c0ca0d84e4b
Signed-off-by: Changyeon Jo <changyeon@google.com>
2020-02-25 02:02:54 +00:00
Roshan Pius
0f6852b342 Merge "sepolicy(wifi): Allow wifi service access to wifi apex directories" 2020-02-22 03:56:55 +00:00
Roshan Pius
8f84cc32a8 sepolicy(wifi): Allow wifi service access to wifi apex directories
Bug: 148660313
Test: Compiles
Change-Id: I4a973c4516fda5f96f17f82cd3a424b0ca89004b
2020-02-21 10:40:32 -08:00
Igor Murashkin
e39f8d23ed sepolicy: policies for iorap.inode2filename
binary transitions are as follows:

iorapd (fork/exec) -> iorap.cmd.compiler (fork/exec) -> iorap.inode2filename

Bug: 117840092
Test: adb shell cmd jobscheduler run -f android 28367305
Change-Id: I4249fcd37d2c8cbdd0ae1a0505983cce9c7fa7c6
2020-02-20 16:38:17 -08:00
David Zeuthen
1948c11d13 Merge "Add SELinux policy for credstore and update for IC HAL port from HIDL to AIDL." 2020-02-19 21:14:40 +00:00
David Zeuthen
02bf814aa2 Add SELinux policy for credstore and update for IC HAL port from HIDL to AIDL.
The credstore service is a system service which backs the
android.security.identity.* Framework APIs. It essentially calls into
the Identity Credential HAL while providing persistent storage for
credentials.

Bug: 111446262
Test: atest android.security.identity.cts
Test: VtsHalIdentityTargetTest
Test: android.hardware.identity-support-lib-test
Change-Id: I5cd9a6ae810e764326355c0842e88c490f214c60
2020-02-19 13:46:45 -05:00
Treehugger Robot
281afd81fa Merge "Fixup dalvikcache_data_file on external storage." 2020-02-17 14:34:33 +00:00
Martijn Coenen
4c43eeac63 Fixup dalvikcache_data_file on external storage.
The label also needs to be applied in case of the new 2-level deep
app-data directories.

Bug: 149396179
Bug: 148844589
Test: atest AdoptableHostTest

Change-Id: I0f6f41df54e6f74696039b41b4a0c7e5aae1fd84
2020-02-17 13:56:23 +01:00
Mark Salyzyn
79f9ca6789 bootstat: enhance last reboot reason property with file backing
Helps with support of recovery and rollback boot reason history, by
also using /metadata/bootstat/persist.sys.boot.reason to file the
reboot reason.  For now, label this file metadata_bootstat_file.

Test: manual
Bug: 129007837
Change-Id: Id1d21c404067414847bef14a0c43f70cafe1a3e2
2020-02-14 13:30:21 -08:00
Songchun Fan
b1512f3ab7 new label for incremental control files
Test: manual with incremental installation
Test: coral:/data/incremental/MT_data_incremental_tmp_1658593565/mount # ls -lZ .pending_reads
Test: -rw-rw-rw- 1 root root u:object_r:incremental_control_file:s0  0 1969-12-31 19:00 .pending_reads
BUG: 133435829
Change-Id: Ie090e085d94c5121bf61237974effecef2dcb180
2020-02-13 12:52:51 -08:00
Jerry Chang
e8b7cecad3 Merge "sepolicy: new prereboot_data_file type" 2020-02-11 02:49:29 +00:00
Songchun Fan
99d9374760 selinux rules for loading incremental module
Defining incremental file system driver module, allowing vold to load
and read it.

=== Denial messages ===
02-04 16:48:29.193   595   595 I Binder:595_4: type=1400 audit(0.0:507): avc: denied { read } for name="incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=file permissive=1
02-04 16:48:29.193   595   595 I Binder:595_4: type=1400 audit(0.0:508): avc: denied { open } for path="/vendor/lib/modules/incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=file permissive=1
02-04 16:48:29.193   595   595 I Binder:595_4: type=1400 audit(0.0:509): avc: denied { sys_module } for capability=16 scontext=u:r:vold:s0 tcontext=u:r:vold:s0 tclass=capability permissive=1
02-04 16:48:29.193   595   595 I Binder:595_4: type=1400 audit(0.0:510): avc: denied { module_load } for path="/vendor/lib/modules/incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=system permissive=1

Test: manual
BUG: 147371381
Change-Id: I5bf4e28c28736b4332e7a81c344ce97ac7278ffb
2020-02-07 09:52:34 -08:00
Jerry Chang
5594f307c8 sepolicy: new prereboot_data_file type
This adds the type and permissions for dumping and appending prereboot
information.

Bug: 145203410
Test: Didn't see denials while dumping and appending prereboot info.
Change-Id: Ic08408b9bebc3648a7668ed8475f96a5302635fa
2020-02-07 10:22:47 +08:00
Yifan Hong
28d5e87d39 Merge "snapshotctl better logging" 2020-02-04 22:18:33 +00:00
Yifan Hong
589bb6f369 snapshotctl better logging
Test: snapshotctl merge --log-to-file
Bug: 148818798
Change-Id: I0e9c8ebb6632a56670a566f7a541e52e0bd24b08
2020-02-04 10:09:24 -08:00
Songchun Fan
f09db16c56 [selinux] properly labeling dirs under /data/incremental
Setting files and dirs under /data/incremental as apk_data_file, so that
they will have the same permissions as the ones under /data/app.

Current layout of the dirs:
1. /data/incremental/[random]/mount -> holds data files (such as base.apk) and
control files (such as .cmd). Its subdirectory is first bind-mounted to
/data/incremental/tmp/[random], eventually bind-mounted to
/data/app/~~[randomA]/[packageName]-[randomB].

2. /data/incremental/[random]/backing_mount -> hold incfs backing image.

3. /data/incremental/tmp/[random] -> holds temporary mountpoints (bind-mount targets)
during app installation.

Test: manual
Change-Id: Ia5016db2fa2c7bad1e6611d59625731795eb9efc
2020-02-03 14:28:37 -08:00
Jon Spivack
499e0173b5 Merge "Revert^2 "Move aidl_lazy_test_server to system_ext"" 2020-01-31 00:04:08 +00:00
Jon Spivack
988e381b6b Revert^2 "Move aidl_lazy_test_server to system_ext"
4eae75c9d4

Reason for revert: This undoes the previous reversion, which was made to fix b/148282665.

Change-Id: I70d6e60a0468abea19f5efd7fde10207a251cf61
2020-01-29 02:09:34 +00:00
Zimuzo Ezeozue
5119becf5d Merge "Grant vold, installd, zygote and apps access to /mnt/pass_through" 2020-01-28 22:26:58 +00:00
Zim
fcf599c89c Grant vold, installd, zygote and apps access to /mnt/pass_through
/mnt/pass_through was introduced to allow the FUSE daemon unrestricted
 access to the lower filesystem (or sdcardfs).

At zygote fork time, the FUSE daemon will have /mnt/pass_through/0
bind mounted to /storage instead of /mnt/user/0. To keep /sdcard
(symlink to /storage/self/primary) paths working, we create a
'self' directory  with an additional 'primary' symlink to
/mnt/pass_through/0/emulated/0 which is a FUSE mount point.

The following components need varying sepolicy privileges:

Vold: Creates the self/primary symlink and mounts the lower filesystem
on /mnt/pass_through/0/emulated. So needs create_dir and mount access
+ create_file access for the symlink

zygote: In case zygote starts an app before vold sets up the paths.
This is unlikely but can happen if the FUSE daemon (a zygote forked app)
is started before system_server completes vold mounts.
Same sepolicy requirements as vold

installd: Needs to clear/destroy app data using lower filesystem
mounted on /mnt/pass_through so needs read_dir access to walk
/mnt/pass_through

priv_app (FUSE daemon): Needs to server content from the lower
filesystem mounted on /mnt/pass_through so needs read_dir access to
walk /mnt/pass_through

Bug: 135341433
Test: adb shell ls /mnt/pass_through/0/self/primary
Change-Id: I16e35b9007c2143282600c56adbc9468a1b7f240
2020-01-28 20:56:36 +00:00
Songchun Fan
7de88d73b6 Change selinux path config for oat files
We are updating apps' apk path to have a two-level structure.
Default apk path of an installed app:
Before: /data/app/[packageName]-[randomString]/base.apk
After: /data/app/[randomStringA]/[packageName]-[randomStringB]/base.apk

As a result, the oat files will be two levels below /data/app.

Test: manual
BUG: 148237378
Change-Id: If8e1fed46096f2e5f4150f6eedf74af76ac9d4b4
2020-01-28 10:33:13 -08:00
Jon Spivack
5f11b2e0ed Merge "Revert "Move aidl_lazy_test_server to system_ext"" 2020-01-25 21:29:45 +00:00
Jon Spivack
4eae75c9d4 Revert "Move aidl_lazy_test_server to system_ext"
Revert submission 1209453-aidl-lazy-presubmit

Reason for revert: b/148282665. A test has begun to fail on git_stage-aosp-master, and I need to verify whether these changes are responsible.

Reverted Changes:
Ib09a2460e: Add aidl_lazy_test to general-tests
Ib08989356: Move aidl_lazy_test_server to system_ext
I694e6ad35: Add aidl_lazy_test_server to Cuttlefish
I65db12c63: Add aidl_lazy_test to presubmit
I7ec80a280: Dynamically stop services with multiple interfaces...

Change-Id: I55f6b0f7800f348259787f62c6faa19a90f8bdcc
2020-01-25 02:55:04 +00:00
Jon Spivack
65028a3609 Merge "Move aidl_lazy_test_server to system_ext" 2020-01-24 01:30:49 +00:00
Jon Spivack
eb57c756c2 Move aidl_lazy_test_server to system_ext
This allows it to be installed and run during presubmit.

Bug: 147380480
Test: aidl_lazy_test
Change-Id: Ib08989356d02f2bf041d0780ec6c5bf65899c597
2020-01-22 17:36:05 -08:00
Ryan Savitski
67a82481f8 initial policy for traced_perf daemon (perf profiler)
The steps involved in setting up profiling and stack unwinding are
described in detail at go/perfetto-perf-android.

To summarize the interesting case: the daemon uses cpu-wide
perf_event_open, with userspace stack and register sampling on. For each
sample, it identifies whether the process is profileable, and obtains
the FDs for /proc/[pid]/{maps,mem} using a dedicated RT signal (with the
bionic signal handler handing over the FDs over a dedicated socket). It
then uses libunwindstack to unwind & symbolize the stacks, sending the
results to the central tracing daemon (traced).

This patch covers the app profiling use-cases. Splitting out the
"profile most things on debug builds" into a separate patch for easier
review.

Most of the exceptions in domain.te & coredomain.te come from the
"vendor_file_type" allow-rule. We want a subset of that (effectively all
libraries/executables), but I believe that in practice it's hard to use
just the specific subtypes, and we're better off allowing access to all
vendor_file_type files.

Bug: 137092007
Change-Id: I4aa482cfb3f9fb2fabf02e1dff92e2b5ce121a47
2020-01-22 22:04:01 +00:00
Haoxiang Li
741b9cd5ac Sepolicy update for Automotive Display Service
Bug: 140395359
Test: make sepolicy -j
Change-Id: Ib6ddf55210d8a8ee4868359c88e3d177edce9610
Signed-off-by: Changyeon Jo <changyeon@google.com>
2020-01-21 18:43:27 +00:00
Treehugger Robot
4f0bf97b41 Merge "Add policies for permission APEX data directory." 2020-01-17 23:45:54 +00:00
Jing Ji
2b12440ff7 Add rules for an unix domain socket for system_server
System_server will listen on incoming packets from zygotes.

Bug: 136036078
Test: atest CtsAppExitTestCases:ActivityManagerAppExitInfoTest
Change-Id: I42feaa317615b90c5277cd82191e677548888a71
2020-01-16 16:09:48 -08:00
Hai Zhang
f301cd299b Add policies for permission APEX data directory.
Bug: 136503238
Test: presubmit
Change-Id: I636ab95070df4c58cf2c98b395d99cb807a7f243
2020-01-16 16:08:55 -08:00
Ryan Savitski
ffa0dd93f3 perf_event: rules for system and simpleperf domain
This patch adds the necessary rules to support the existing usage of
perf_event_open by the system partition, which almost exclusively
concerns the simpleperf profiler. A new domain is introduced for some
(but not all) executions of the system image simpleperf. The following
configurations are supported:
* shell -> shell process (no domain transition)
* shell -> debuggable app (through shell -> runas -> runas_app)
* shell -> profileable app (through shell -> simpleperf_app_runner ->
                            untrusted_app -> simpleperf)
* debuggable/profile app -> self (through untrusted_app -> simpleperf)

simpleperf_app_runner still enters the untrusted_app domain immediately
before exec to properly inherit the categories related to MLS. My
understanding is that a direct transition would require modifying
external/selinux and seapp_contexts as with "fromRunAs", which seems
unnecessarily complex for this case.

runas_app can still run side-loaded binaries and use perf_event_open,
but it checks that the target app is exactly "debuggable"
(profileability is insufficient).

system-wide profiling is effectively constrained to "su" on debug
builds.

See go/perf-event-open-security for a more detailed explanation of the
scenarios covered here.

Tested: "atest CtsSimpleperfTestCases" on crosshatch-user/userdebug
Tested: manual simpleperf invocations on crosshatch-userdebug
Bug: 137092007
Change-Id: I2100929bae6d81f336f72eff4235fd5a78b94066
2020-01-15 16:56:41 +00:00
Jon Spivack
ae2df6b5de Add aidl_lazy_test_server
This is a test service for testing dynamic start/stop of AIDL services. In order to test realistic use cases with SELinux enabled, it requires the same permissions as a regular service.

Bug: 147153962
Test: aidl_lazy_test aidl_lazy_test_1 aidl_lazy_test_2
Change-Id: Ifc3b2eaefba9c06c94f9cf24b4474107d4e26563
2020-01-07 15:11:03 -08:00
Songchun Fan
743f9eddf6 [incremental] labels for incfs and directory root
Adding two labels: "incfs" for the incremental filesystem and
"incremental_root_file" for file paths /data/incremental/*.

Doc: go/incremental-selinux

Test: manual
Change-Id: I7d45ed1677e3422119b2861dfc7b541945fcb7a2
2019-12-18 16:59:31 -08:00
Ricky Wai
5b1b423039 Allow Zygote and Installd to remount directories in /data/data
Zygote/Installd now can do the following operations in app data directory:
- Mount on it
- Create directories in it
- Mount directory for each app data, and get/set attributes

Bug: 143937733
Test: No denials at boot
Test: No denials seen when creating mounts
Change-Id: I6e852a5f5182f1abcb3136a3b23ccea69c3328db
2019-12-13 12:30:26 +00:00
Chris Weir
6ad4f3207a Merge "Modify SEPolicy to support SLCAN" 2019-12-11 21:25:14 +00:00
Kiyoung Kim
cd74ef82fd Merge "Move linker config under /linkerconfig" 2019-12-11 02:55:06 +00:00
Oli Lan
91ce5b9c22 Add type for directories containing snapshots of apex data.
This adds a new apex_rollback_data_file type for the snapshots (backups)
of APEX data directories that can be restored in the event of a rollback.

Permission is given for apexd to create files and dirs in those directories
and for vold_prepare_subdirs to create the directories.

See go/apex-data-directories for details.

Bug: 141148175
Test: Built and flashed, checked directory was created with the correct
type.

Change-Id: I94b448dfc096e5702d3e33ace6f9df69f58340fd
2019-12-09 11:16:24 +00:00
Oli Lan
79b4e1af4a Add type for APEX data directories.
This adds a new apex_module_data_file type for the APEX data directories
under /data/misc/apexdata and /data/misc_[de|ce]/<u>/apexdata.

Permission is given for vold to identify which APEXes are present and
create the corresponding directories under apexdata in the ce/de user
directories.

See go/apex-data-directories.

Bug: 141148175
Test: Built & flashed, checked directories were created.
Change-Id: I95591e5fe85fc34f7ed21e2f4a75900ec2cfacfa
2019-12-09 11:14:38 +00:00
Kiyoung Kim
00cf2fbe50 Move linker config under /linkerconfig
Currently linker config locates under /dev, but this makes some problem
in case of using two system partitions using chroot. To match system
image and configuration, linker config better stays under /linkerconfig

Bug: 144966380
Test: m -j passed && tested from cuttlefish
Change-Id: Iea67663442888c410f29f8dd0c44fe49e3fcef94
2019-12-05 12:42:29 +09:00
chrisweir
cd40aa0ab7 Modify SEPolicy to support SLCAN
SLCAN setup requires certain ioctls and read/write operations to
certain tty's. This change allows the HAL to set up SLCAN devices while
complying with SEPolicy.

In addition to adding support for SLCAN, I've also included permissions
for using setsockopt. In order for the CAN HAL receive error frames from
the CAN bus controller, we need to first set the error mask and filter
via setsockopt.

Test: manual
Bug: 144458917
Bug: 144513919
Change-Id: I63a48ad6677a22f05d50d665a81868011c027898
2019-12-04 14:06:09 -08:00
Hangyu Kuang
ee3a8ea798 MediaTranscodingService: Add sepolicy for MediaTranscodingService.
Bug:145233472
Test: Build and flash the phone.
"adb shell dumpsys -l | grep media" shows media.transcoding service.

Change-Id: I48a42e7b595754989c92a8469eb91360ab6db7c6
2019-12-02 13:57:28 -08:00
Shuo Qian
584234e8b1 Merge "Setting up SELinux policy for Emergency number database" 2019-11-27 19:14:50 +00:00
Shuo Qian
9322cb088a Setting up SELinux policy for Emergency number database
Test: Manual; https://paste.googleplex.com/6222197494382592
Bug: 136027884
Change-Id: I29214de6b5b5a62bff246c1256567844f4ce55c7
2019-11-26 12:51:02 -08:00
Igor Murashkin
9f74a428c4 sepolicy: Add iorap_prefetcherd rules
/system/bin/iorapd fork+execs into /system/bin/iorap_prefetcherd during
startup

See also go/android-iorap-security for the design doc

Bug: 137403231
Change-Id: Ie8949c7927a98e0ab757bc46230c589b5a496360
2019-10-22 12:45:46 -07:00
Treehugger Robot
f0a9150deb Merge "file_contexts: Include legacy /system/vendor paths" 2019-10-16 06:53:13 +00:00