Commit graph

13310 commits

Author SHA1 Message Date
Joel Galenson
26ccebd74a Clean up bug_map.
Remove bugs that have been fixed, re-map duped bugs, and alphabetize
the list.

Test: Booted Walleye and Sailfish, tested wifi and camera, and
observed no new denials.

Change-Id: I94627d532ea13f623fe29cf259dd404bfd850c13
2018-01-30 15:01:54 -08:00
Jeff Vander Stoep
be6489d1bf tools/build_policies.sh make tool executable
chmod +x

Test: build all sepolicy targets.
Change-Id: I9e47b78667e4a213c31ecce0e37fe7f84abd9655
2018-01-30 10:08:34 -08:00
Treehugger Robot
d0574f97d6 Merge "Allow Keystore to check security logging property." 2018-01-30 15:10:29 +00:00
Jeff Vander Stoep
e88d64944e priv_app: suppress denials for /proc/stat
Bug: 72668919
Test: build
Change-Id: Id156b40a572dc0dbfae4500865400939985949d9
2018-01-30 05:04:23 +00:00
Treehugger Robot
6b81d43537 Merge "Add a script to build multiple SELinux targets." 2018-01-30 02:49:25 +00:00
Ruchi Kandoi
6a60cb3e69 Merge "SE Policy for Secure Element app and Secure Element HAL" 2018-01-30 01:06:41 +00:00
Treehugger Robot
39ed6d6918 Merge "Track usbd SELinux denial." 2018-01-30 00:35:35 +00:00
Joel Galenson
c17c5abe22 Add a script to build multiple SELinux targets.
This script will build the SELinux policy for multiple targets in parallel.

To use it, run:
./build_policies.sh <Android root directory> <output directory> [specific targets to build]

If you do not pass any individual targets, it will build all targets it can find.

It will print out the list of failing targets.  You can open up the corresponding log file in the output directory to see the exact errors.

This script is still a work in progress.  It currently cannot discover all build targets (it misses ones "lunch" does not list).

Bug: 33463570
Test: Ran script to build multiple targets with and without failures.
Change-Id: Iee8ccf4da38e5eb7ce2034431613fe10c65696ab
2018-01-29 15:48:15 -08:00
Ruchi Kandoi
8a2b4a783e SE Policy for Secure Element app and Secure Element HAL
Test: App startup on boot
Change-Id: I7740aafc088aadf676328e3f1bb8db5175d97102
2018-01-29 21:31:42 +00:00
Primiano Tucci
426b1b468b Merge "SELinux policies for Perfetto cmdline client (/system/bin/perfetto)" 2018-01-29 19:41:06 +00:00
Joel Galenson
07efe37c5f Track usbd SELinux denial.
This should fix presubmit tests.

Bug: 72472544
Test: Built policy.
Change-Id: I01f0fe3dc759db66005e26d15395893d494c4bb7
2018-01-29 10:39:34 -08:00
Treehugger Robot
eed08f6eff Merge "Track untrusted_app SELinux denial." 2018-01-29 18:37:36 +00:00
Treehugger Robot
de8c30d1d2 Merge "Fix compatible property neverallows" 2018-01-29 18:09:33 +00:00
Tom Cherry
9c778045b2 Remove vendor_init from coredomain
vendor_init exists on the system partition, but it is meant to be an
extention of init that runs with vendor permissions for executing
vendor scripts, therefore it is not meant to be in coredomain.

Bug: 62875318
Test: boot walleye
Merged-In: I01af5c9f8b198674b15b90620d02725a6e7c1da6
Change-Id: I01af5c9f8b198674b15b90620d02725a6e7c1da6
2018-01-29 18:07:41 +00:00
Treehugger Robot
03ba445326 Merge "Neverallow vendor_init from writing system_data_file" 2018-01-29 18:05:39 +00:00
Primiano Tucci
1a9f4f7a7a SELinux policies for Perfetto cmdline client (/system/bin/perfetto)
Instead of having statsd linking the perfetto client library
and talk directly to its socket, we let just statsd exec()
the /system/bin/perfetto cmdline client.

There are two reasons for this:
1) Simplify the interaction between statsd and perfetto, reduce
  dependencies, binary size bloat and isolate faults.
2) The cmdline client also takes care of handing the trace to
  Dropbox. This allows to expose the binder interaction surface
  to the short-lived cmdline client and avoid to grant binder
  access to the perfetto traced daemon.

This cmdline client will be used by:
 - statsd
 - the shell user (for our UI and Studio)

Bug: 70942310
Change-Id: I8cdde181481ad0a1a5cae5937ac446cedac54a1f
2018-01-29 11:06:00 +00:00
Joel Galenson
56345fdecd Track untrusted_app SELinux denial.
This should fix presubmit tests.

Bug: 72550646
Test: Built policy.
Change-Id: I51345468b7e74771bfa2958efc45a2a839c50283
2018-01-28 08:40:55 -08:00
Treehugger Robot
2c11ff5d2f Merge "Track crash_dump selinux denial." 2018-01-28 00:00:18 +00:00
Treehugger Robot
f340d9c0ea Merge "Sepolicy: Allow stack dumps of statsd" 2018-01-26 03:52:14 +00:00
Treehugger Robot
db8f5465ac Merge "Neverallow vendor_init from accessing stats_data_file" 2018-01-25 22:59:46 +00:00
Treehugger Robot
a5ac7a1310 Merge "OWNERS: add trong, remove klyubin" 2018-01-25 22:53:48 +00:00
Joel Galenson
6e705357c3 Track crash_dump selinux denial.
This should fix presubmit tests.

Bug: 72507494
Test: Built policy.
Change-Id: I56944d92232c7a715f0c88c13e24f65316805c39
2018-01-25 14:14:24 -08:00
Tom Cherry
d1dd6fcdee Neverallow vendor_init from writing system_data_file
This neverallow exception is not needed.

Bug: 62875318
Test: build walleye, bullhead
Change-Id: Ide37ef9fe7a0e1cc4a1809589f78052007698cf5
2018-01-25 13:52:45 -08:00
Jeff Vander Stoep
83814ec368 OWNERS: add trong, remove klyubin
Test: n/a
Change-Id: I7c46d5f984955f963b668fe8d978e68e6b7b9a83
2018-01-25 12:42:23 -08:00
Tom Cherry
c2653ae86d Neverallow vendor_init from accessing stats_data_file
The exception for vendor_init in this neverallow was never needed.

Bug: 62875318
Test: Build walleye, bullhead
Change-Id: Iac2b57df30b376492851d7520994e0400a87f1e1
2018-01-25 19:42:11 +00:00
Tom Cherry
eed2e84a95 Fix compatible property neverallows
The current neverallow rules for compatible properties restrict
domains from write file permissions to the various property files.
This however is the wrong restriction, since only init actually writes
to these property files.  The correct restriction is to restrict 'set'
for 'property_service' as this change does.

Note there is already a restriction preventing {domain -init} from
writing to these files in domain.te.

Test: build
Change-Id: I19e13b0d084a240185d0f3f5195e54065dc20e09
2018-01-25 10:35:50 -08:00
Joel Galenson
b050dccdd8 Suppress denials from idmap reading installd's files.
We are occasionally seeing the following SELinux denial:

avc: denied { read } for comm="idmap" path="/proc/947/mounts" scontext=u:r:idmap:s0 tcontext=u:r:installd:s0 tclass=file

This commit suppresses that exact denial.

We believe this is occurring when idmap is forked from installd, which is reading its mounts file in another thread.

Bug: 72444813
Test: Boot Walleye and test wifi and camera.
Change-Id: I3440e4b00c7e5a708b562a93b304aa726b6a3ab9
2018-01-25 10:07:19 -08:00
Andreas Gampe
7468db67f6 Sepolicy: Allow stack dumps of statsd
Allow dumpstate & system server watchdog to dump statsd stacks.

Bug: 72461610
Test: m
Change-Id: I4c3472881da253f85d54b5e5b767b06e2618af9c
2018-01-25 09:31:19 -08:00
Treehugger Robot
715c3a78d2 Merge "Allow binder call between statsd and healthd. Also allow statsd to find health hal service for battery metrics." 2018-01-25 06:32:33 +00:00
Treehugger Robot
2638cd2c96 Merge "Add sepolicy for radio.config" 2018-01-25 04:07:24 +00:00
Jaekyun Seok
fbe91b7ee2 Merge "Add a default rule for /product files" 2018-01-25 03:53:37 +00:00
Jeffrey Vander Stoep
e0460897fe Merge "Track idmap selinux denial." 2018-01-25 01:56:30 +00:00
Joel Galenson
7b1e9a5f1c Track idmap selinux denial.
This should fix presubmit tests.

Bug: 72444813
Test: Built policy.
Change-Id: I5b8661b34c9417cd95cb0d6b688443dcbe0d1c0b
2018-01-24 17:49:20 -08:00
Jaekyun Seok
a90cae8c5f Add a default rule for /product files
Since /product is an extension of /system, its file contexts should be
consistent with ones of /system.

Bug: 64195575
Test: tested installing a RRO, apps, priv-apps and permissions
Change-Id: I7560aaaed852ba07ebe1eb23b303301481c897f2
2018-01-25 07:59:23 +09:00
Treehugger Robot
d312b5fdbe Merge "Adding permission for traceur to use content provider" 2018-01-24 21:09:25 +00:00
Treehugger Robot
e2d20c6ef6 Merge "vold: clarify sysfs access" 2018-01-24 21:08:03 +00:00
yinxu
612350e34f Add sepolicy for radio.config
Bug: 64131518
Test: Compile and flash the device, check whether service vendor.radio-config-hal-1-0 starts
Change-Id: Id728658b4acdda87748259b74e6b7438f6283ea5
2018-01-24 12:13:10 -08:00
yro
53164f40de Allow binder call between statsd and healthd. Also allow statsd to find
health hal service for battery metrics.

Test: cts test, manual test

Change-Id: I73a801f6970e25bee5921479f2f7078bcb1973a9
2018-01-24 19:51:17 +00:00
Pavel Grafov
c5b3330c30 Allow Keystore to check security logging property.
This is needed to allow it to log audit events.

Test: manual, import a key and see adb shell su system logcat -b security
Bug: 70886042
Change-Id: Icd3c13172d47f8eac7c2a97c306d8c654e634f88
2018-01-24 19:49:18 +00:00
Treehugger Robot
356772e491 Merge "Update sepolicy of statsd to be able to find incident_service" 2018-01-24 19:37:02 +00:00
Treehugger Robot
24e8eff35d Merge "sepolicy: restrict access to uid_cpupower files" 2018-01-24 19:05:40 +00:00
Tom Cherry
bb694aac6c Merge "Disallow vendor_init from accessing core_data_file_type" 2018-01-24 18:41:35 +00:00
yro
cf38ca5ed0 Update sepolicy of statsd to be able to find incident_service
Test: manual testing
Change-Id: Ia97c956c08d2062af6b33622c6b61ca3810b0cb1
2018-01-24 18:25:04 +00:00
Janis Danisevskis
97c56bdd78 Added default policy for Confirmation UI HAL
Bug: 63928580
Test: Manually tested.

Change-Id: If6bb10cb7c009883d853e46dcdeb92cd33877d53
2018-01-24 10:22:40 -08:00
Max Bires
278147eb8a Adding permission for traceur to use content provider
This change will allow traceur to pass a file descriptor to another app
in order to allow that app to process trace data files. E.g. in the use
case that someone would like to email the traces they collected and pass
the trace data files to gmail, this will now be permitted.

Bug:68126425
Test: Traceur can pass fd's to untrusted apps for processing
Change-Id: If0507b5d1f06fd8400e04bd60e06a44153dc59b7
2018-01-24 10:17:00 -08:00
Marissa Wall
dfe063c37d sepolicy: restrict access to uid_cpupower files
Do not let apps read /proc/uid_cpupower/time_in_state,
/proc/uid_cpupower/concurrent_active_time,
/proc/uid_cpupower/concurrent_policy_time.

b/71718257

Test: Check that they can't be read from the shell
    without root permissions and system_server was able
    to read them

Change-Id: I812694adfbb4630f7b56aa7096dc2e6dfb148b15
2018-01-24 08:39:09 -08:00
Tom Cherry
564d5e393c Disallow vendor_init from accessing core_data_file_type
Now that the vendor_init mechanism is in place, this SELinux
restriction will disallow vendor init scripts from touching core data
files as intended with Treble.

Bug: 62875318
Test: None
Change-Id: Ifa50486c48551ba095d2ed8cc6570fc5040c172d
2018-01-24 07:05:33 +00:00
Joel Galenson
cf391269ac Fix init error trying to access file.
Init tries to write /proc/sys/vm/min_free_order_shift but fails due to
a SELinux denial.  This gives the file a new label and gives init the
ability to write it.

Test: Build and booted Sailfish (a couple of days ago).
Change-Id: Ic93862b85c468afccff2019d84b927af9ed2a84d
2018-01-23 17:32:16 -08:00
Tom Cherry
869a4c2e19 Merge "Label /vendor_file_contexts as file_contexts_file" 2018-01-24 00:58:40 +00:00
Treehugger Robot
d35399ffd1 Merge changes I513cdbfd,Ia1fa1fd6
* changes:
  Allow mediaextractor to load libraries from apk_data_file
  Allow scanning extractor library directory
2018-01-23 23:51:25 +00:00