public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.
Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
Clatd is effectively an internal implementation detail of netd.
It exists as a separate daemon only because this gives us a better
security boundary. Netd is it's only launcher (via fork/exec) and
killer.
Generated via:
{ echo; cat public/clatd.te; echo; } >> private/clatd.te
rm -f public/clatd.te
plus a minor edit to put coredomain after clatd type declaration
and required changes to move netd's clatd use out of public into private.
Test: build and install on non-aosp test device, atest, check for selinux clat denials
Change-Id: I80f110b75828f3657986e64650ef9e0f9877a07c
Allow netd to trigger the kernel synchronize rcu with open and close
pf_key socket. This action was previously done by system_server but now
it need to be done by netd instead because there might be race issue
when netd is operating on a map that is cleaned up by system server.
Bug: 126620214
Test: android.app.usage.cts.NetworkUsageStatsTest
android.net.cts.TrafficStatsTest
Change-Id: Id5ca86aa4610e37a2752709ed9cfd4536ea3bfaf
Allow netd to send network events to the NetworkStack, and allow the
NetworkStack to interact with netlink_route_socket for neighbor
monitoring.
Test: built, booted, WiFi works, no more violations
Bug: 112869080
Change-Id: If212b2897e37e9d249f81ba8139461bce461528e
config sepolicy to allow netd to write to statsd.
Test: run runtests.sh, make sure no missing test and get all pass
run /out/host/linux-x86/bin/statsd_testdrive 82
Got following metric data dump:pass for local test
Bug: 119862317
Change-Id: Ieff5ca55de46715d54ef57c4a6d144fd7d03e4b7
init needs to execute bpfloader as a one-shot service. Add sepolicy for
the same. Also update old rules allowing init to fork/exec bpfloader and
remove rules allowing netd to do so.
Bug: 112334572
Change-Id: Ic242cd507731ed8af3f8e94d4fccc95819831d37
Signed-off-by: Joel Fernandes <joelaf@google.com>
Recent change in netd and bpfloader switched the creater of bpf maps
from netd to bpfloader. Change the rules related to it to make sure it
doesn't fail.
Test: dumpsys netd trafficcontroller
Bug: 112334572
Change-Id: I016ff68b58ef7b12bdfdebc2fd178be1d0206a62
To better record the network traffic stats for each network interface.
We use xt_bpf netfilter module to do the iface stats accounting instead
of the cgroup bpf filter we currently use for per uid stats accounting.
The xt_bpf module will take pinned eBPF program as iptables rule and run
the program when packet pass through the netfilter hook. To setup the
iptables rules. netd need to be able to access bpf filesystem and run the
bpf program at boot time. The program used will still be created and
pinned by the bpfloader process.
Test: With selinux enforced, run "iptables -L -t raw" should show the
xt_bpf related rule present in bw_raw_PREROUTING chain.
Bug: 72111305
Change-Id: I11efe158d6bd5499df6adf15e8123a76cd67de04
Add a new set of sepolicy for the process that only netd use to load
and run ebpf programs. It is the only process that can load eBPF
programs into the kernel and is only used to do that. Add some
neverallow rules regarding which processes have access to bpf objects.
Test: program successfully loaded and pinned at sys/fs/bpf after device
boot. No selinux violation for bpfloader
Bug: 30950746
Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f
long live domain.te!
Remove all references.
Bug: 28760354
Test: build
Merged-In: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
Change-Id: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.
Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
permissions.
Merged-In: I31beeb5bdf3885195310b086c1af3432dc6a349b
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
(cherry picked from commit 76aab82cb3)
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
appdomain only, and
* temporarily exempts the domains which are currently violating this
rule from this restriction. These domains are grouped using the new
"binder_in_vendor_violators" attribute. The attribute is needed
because the types corresponding to violators are not exposed to the
public policy where the neverallow rules are.
Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
sound, record slow motion video with sound. Confirm videos play
back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.
Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.
Test: Tested by building policy and running on device.
Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c