Commit graph

47514 commits

Author SHA1 Message Date
Ellen Arteca
27b515e70a Add SELinux policy for storage areas
We are adding the ability for apps to create "storage areas", which are
transparently encrypted directories that can only be opened when the
device is unlocked.
This CL makes the required SELinux policy changes.

First, assign the type "system_userdir_file" to the new top-level
directory /data/storage_area (non-recursively).  This is the same type
used by the other top-level directories containing app data, such as
/data/user, and it restricts access to the directory in the desired way.

Second, add new types to represent an app's directory of storage areas,
the storage areas themselves, and their contents:
`storage_area_app_dir`, `storage_area_dir`, and
`storage_area_content_file` respectively.
All are `app_data_file_type`s.
The directory structure and their associated labels is as follows (note
 that they also all get the categories of the user+package):
/data/storage_area/userId/pkgName
		storage_area_app_dir
/data/storage_area/userId/pkgName/storageAreaName
		storage_area_dir
/data/storage_area/userId/pkgName/storageAreaName/myFile.txt
		storage_area_content_file
/data/storage_area/userId/pkgName/storageAreaName/mySubDir
		storage_area_content_file

These new types allow us to restrict how and which processes interact
with storage areas.
The new type for the contents of storage areas allows us to add new,
desirable restrictions that we cannot add to the more general
`app_data_file` type in order to maintain backwards-compatibility,
e.g., we block apps from executing any files in their storage areas.

Third, allow:
-- vold_prepare_subdirs to create and delete
storage areas on behalf of apps, and assign them the SElinux type
`storage_area_dir`
i.e. create directories
/data/storage_area/$userId/$pkgName/$storageAreaName
-- vold to assign encryption policies to storage area directories
-- installd to create an app's directory of storage areas on app
install, and delete them on app uninstall, and assign them the SElinux
type `storage_area_app_dir`,
i.e. directories /data/storage_area/$userId/$pkgName

We also add a new SELinux type to represent the storage area encryption
keys: `storage_area_key_file`.
The keys are created by vold on storage area creation, and deleted
either by vold if an app calls
the `deleteStorageArea` API function explicitly, or by installd on
app uninstall.
These keys are stored in `/data/misc_ce/$userId/storage_area_keys`,
and only installd and vold have access to them.

Bug: 325121608
Test: atest StorageAreaTest
Change-Id: I74805d249f59226fc6963693f682c70949bfad93
2024-04-30 20:26:55 +00:00
Victor Hsieh
6543cf9843 Allow priv_app to measure fs-verity on tmp apk files
An APK installing with .idsig gets fs-verity enabled during the package
install. As a step of package install, a package verifier may inspect
the APK. A v4 signature check requires calling FS_IOC_MEASURE_VERITY.
This change gives priv_app the permission (which appdomain already has).

Bug: 337307333
Test: no longer seeing the verifier error
Change-Id: I49b721f229c30677f633dc1e425022ac54801668
2024-04-26 13:04:00 -07:00
William Loh
96a0742dce Merge "Add policy for /data/app-metadata" into main 2024-04-26 16:57:39 +00:00
Ellen Arteca
1c90737732 Merge "Fix the neverallow parser so it can parse comments" into main 2024-04-25 17:11:37 +00:00
William Loh
38b57bcc47 Add policy for /data/app-metadata
Bug: 336618214
Test: manual
Change-Id: If2da435f6622c6bc28a867c9a70e8efafe6524b0
2024-04-25 04:06:45 +00:00
Inseob Kim
ec218a7678 Guard proc_compaction_proactiveness
Bug: 330670954
Test: TH
Change-Id: I92c5f5d08fbe16a7c185e430799c98b6a9b38ecf
2024-04-25 09:58:55 +09:00
Ellen Arteca
7cf8c71868 Fix the neverallow parser so it can parse comments
The neverallow parser has a bug where it cannot parse multiline neverallow
rules that have inline comments. For example (taken from the bug description):
```
    neverallow appdomain
            system_server:udp_socket
          {accept append bind create ioctl listen lock name_bind  relabelfrom relabelto setattr shutdown };
```

Initially, the plan to fix this was to use the existing `avrule_read` function the
libsepol parser, however this function expects a compiled `policy` file that represents
the policies to be read in, while the neverallow parser reads from a `.te` file or a string.

This CL implements a fix to this parsing issue by pre-parsing the string
(either read in from a file or passed in as a string directly) and removing
the comments, before proceeding with the parsing as before.

Bug: 334697757
Test: atest android.security.cts.SELinuxNeverallowRulesTest
Change-Id: Ica67dedc23ca9c8b5ba8566198b6bfa785780921
2024-04-25 00:56:49 +00:00
Inseob Kim
81bf7bd5a7 Merge "Allow vendor init to access compaction_proactiveness" into main 2024-04-23 15:45:46 +00:00
Inseob Kim
221da46b16 Merge changes Ib43d8e17,Ibb124fbb into main
* changes:
  Reland "Check added types/attributes on freeze test too"
  Guard new types with starting_at_board_api macro
2024-04-23 14:44:05 +00:00
Martin Liu
13f4811f5e Allow vendor init to access compaction_proactiveness
Bug: 330670954
Test: boot
Change-Id: Id274910e84d36cb662cea45d3b701c5fecada327
Merged-In: Id274910e84d36cb662cea45d3b701c5fecada327
Signed-off-by: Martin Liu <liumartin@google.com>
2024-04-23 11:18:28 +00:00
Inseob Kim
68b071e4b9 Reland "Check added types/attributes on freeze test too"
Without this check, a release build may accidentally include additional
public types and attributes after "freeze".

Also this adds a detailed error message for how to fix.

Bug: 296875906
Bug: 330670954
Test: m selinux_policy
Change-Id: Ib43d8e1759ee7426f523042f44e7120e97ae0dd9
2024-04-23 02:07:11 +00:00
Inseob Kim
3458c57e5a Guard new types with starting_at_board_api macro
To prevent these types from being released in 24Q3, which must be same
as 202404 release.

Bug: 330670954
Test: build
Change-Id: Ibb124fbb069f2025a572bc09c73c241f808676c3
2024-04-23 02:05:24 +00:00
Treehugger Robot
150b800c90 Merge "Add selinux_policy_system_soong phony module" into main 2024-04-23 01:14:44 +00:00
Inseob Kim
f8079faaa5 Fix BOARD_API_FROZEN conditions
Bug: 330670954
Test: m selinux_policy on frozen release
Change-Id: I494cd5afcd2f6014d19e2cd4061b4cc812a7dbc5
2024-04-22 15:40:29 +09:00
Treehugger Robot
7ea1dd6dd1 Merge "c2: add default1 and default2" into main 2024-04-20 00:07:33 +00:00
Steven Moreland
f877f5dbec c2: add default1 and default2
This is causing some targets to fail.

Bug: 335897540
Test: N/A
Change-Id: Ia077fc6bee952ff06ed13a555b96a00d6b5216e4
2024-04-19 22:02:34 +00:00
Song Chun Fan
38f029ee7b Merge "Remove the usage of the pm.archiving.enabled system property" into main 2024-04-19 16:55:52 +00:00
Inseob Kim
151562f645 Add selinux_policy_system_soong phony module
selinux_policy_system is in Android.mk. selinux_policy_system_soong is a
phony module in Android.bp for Soong built system images.

Bug: 329208946
Test: m aosp_cf_system_x86_64
Change-Id: If101155c5a706925d52593bab648b878b075f7f2
2024-04-19 10:36:36 +09:00
Inseob Kim
8697fc80fd Add macro for board API level guard
'starting_at_board_api' macro is added to guard system/sepolicy/public
types and attributes. The macro will work only when compiling vendor/odm
sepolicy. When compiling platform sepolicy (system / system_ext /
product), rules will always be included, regardless of board API level.

Policy authors should guard new public types and attributes with this
macro, similar to LLNDK. The new types and attributes will be exposed
since next vFRC release.

Bug: 330671090
Test: manually build with various board API level, see output
Change-Id: I03c601ce8fe1f77c7608dc488317d20276fd2d47
2024-04-19 10:33:38 +09:00
Song Chun Fan
015429cc84 Remove the usage of the pm.archiving.enabled system property
This property is no long used.

BUG: 331165939
FIXES: 331165939
Change-Id: Ifaa8c14e8452a5ebf32c3fe39d7953fe7c16d543
2024-04-18 20:15:49 +00:00
Inseob Kim
ff2018fa84 Fix bpfmt
Bug: N/A
Test: N/A
Flag: NONE trivial format change
Change-Id: I8f6293dcc47a4ead347c4861ba929d4b3042c311
2024-04-17 09:55:49 +09:00
Inseob Kim
d0188d8bca Merge "Finalize prebuilt CTS artifacts" into main 2024-04-17 00:26:55 +00:00
Treehugger Robot
4b94b1f5d0 Merge "Fix selinux denial when running adb shell cmd virtual_camera commands" into main 2024-04-16 12:18:35 +00:00
Inseob Kim
4b9929e2fc Finalize prebuilt CTS artifacts
These three files, general_sepolicy.conf / mapping.cil /
plat_sepolicy.cil will be used to test vendor sepolicy's neverallow
rules.

Bug: 330671085
Test: build
Change-Id: I763c9a1e647d614b84c0f7fe3d69affbe64f6153
Merged-In: I763c9a1e647d614b84c0f7fe3d69affbe64f6153
(cherry picked from commit 6f18a17ff8)
2024-04-16 16:18:01 +09:00
Inseob Kim
edf58243dd Add debugfs permission to 29.0 and 30.0 compat cil
Since Android S, we started to enforce the debugfs restrictions. However,
GSI had it turned off (PRODUCT_SET_DEBUGFS_RESTRICTIONS := false) in order
to support pre-S vendor images.

This has an undesirable side effect that the restriction is turned off even
for S+ vendors.

This CL fixes it by

1) re-enabling the restriction for GSI and

2) manually adding the debugfs permissions only to the compat cil for the
pre-S (29 and 30) vendors, effectively turning the restriction off for
them.

Bug: 330671086
Test: build
Test: run neverallow CTS
Change-Id: I5cd554b1b9f729a540e6b0f2aa0662091b691f0c
2024-04-16 01:24:41 +00:00
Jan Sebechlebsky
7f271ce061 Fix selinux denial when running adb shell cmd virtual_camera commands
Bug: 333889277
Test: forrest
Change-Id: I195125b907f56e9a50d13e3ca4c28a1cfcc257b1
2024-04-15 08:30:53 +00:00
Inseob Kim
021596b37f Run neverallow tests on build time
sepolicy_neverallows hasn't been running on `m droid` because of
LOCAL_UNINSTALLED_MODULE := true.

Test: m selinux_policy
Change-Id: Ia7a79723a0f92e659171f50a0829baf83f311661
2024-04-15 11:08:17 +09:00
Shrinidhi Hegde
1f24c3788d Merge "Adding a new property" into main 2024-04-12 14:30:23 +00:00
Shrinidhi Hegde
24aba1e127 Adding a new property
Adding a property to store time at which reboot was triggered from
native watchdog.

Test: manual
Bug: 291137901
Change-Id: Ied48c3690d0481fd8b08c9789cbfcb205759876c
2024-04-11 15:27:52 +00:00
Treehugger Robot
949b5d7e4e Merge "Revert^2 "Add pm.archiving.enabled system property"" into main 2024-04-11 03:34:52 +00:00
Inseob Kim
e972e936da Revert^2 "Add pm.archiving.enabled system property"
This reverts commit 840041d5d2.

Reason for revert: 202404 prebuilts must not be changed since freeze.

Change-Id: I320fde8de611ad4ae1546f4ce754871a0646dcc4
2024-04-11 00:56:13 +00:00
Treehugger Robot
808a734c09 Merge "Revert "Add pm.archiving.enabled system property"" into main 2024-04-11 00:12:11 +00:00
Treehugger Robot
64a23c81f3 Merge "add compaction_proactiveness type" into main 2024-04-10 23:24:33 +00:00
Ted Bauer
ba5998d7a2 Merge "Let system server set permissions on marker file" into main 2024-04-10 21:16:43 +00:00
Song Chun Fan
840041d5d2 Revert "Add pm.archiving.enabled system property"
This reverts commit 32ab868eac.

Reason for revert: no longer needed

Change-Id: I2ce46773503d39f843038fca3bb8527eb5bb53eb
BUG: 331165939
2024-04-10 17:39:43 +00:00
Ted Bauer
86405531d5 Let system server set permissions on marker file
System server needs to create a file in /metadata/aconfig, and set its
permissions.

Bug: 328444881
Test: m
Change-Id: I30aa576e46d8963e78ff21ad328160a99bd5d523
2024-04-10 15:26:01 +00:00
Martin Liu
f7396914b0 add compaction_proactiveness type
Bug: 332916849
Test: boot
Change-Id: I41c0da22ed5ad738c75fb00e2ac8a22c35dff2d3
Signed-off-by: Martin Liu <liumartin@google.com>
2024-04-10 13:48:15 +00:00
Vikram Gaur
d51e54db82 Merge "Add remote_provisioning.connect_timeout_millis as sysprop" into main 2024-04-09 23:55:00 +00:00
Vikram Gaur
3999879dde Add remote_provisioning.connect_timeout_millis as sysprop
Allow some services to control connection_timeout for testing purposes.

Test: atest RkpdAppUnitTests
Change-Id: Id70ed60c4f67e8f7910870a0b28a2b409fe97f62
2024-04-09 22:20:48 +00:00
Treehugger Robot
5752116370 Merge "Introduce vmlauncher_app domain" into main 2024-04-09 14:04:38 +00:00
Jeongik Cha
77a3ca6b4c Introduce vmlauncher_app domain
Bug: 333485208
Test: check display
Change-Id: I64c09f09615e89cf24398c01b8f87b0136be0a7f
2024-04-09 22:01:06 +09:00
Treehugger Robot
015384b110 Merge "Fix docs in seapp_contexts to point to right file" into main 2024-04-09 07:53:17 +00:00
Nikolay Elenkov
c9d42b5533 Merge "Allow system_server to call ISecretKeeper.deleteAll()" into main 2024-04-09 01:59:35 +00:00
Ellen Arteca
3315a90858 Fix docs in seapp_contexts to point to right file
Fixes a typo in the docs of seapp_contexts: previously they
referenced the wrong file for the order in which input selectors
are compared.

Change-Id: I5e7ca126cdc8b557d5e590eb863bdf4300ec1a18
2024-04-09 01:32:41 +00:00
Nikita Ioffe
5cc6dff1d8 Merge "Add sepolicy rules for microdroid_resources_file" into main 2024-04-08 11:20:39 +00:00
Treehugger Robot
bc71c77f94 Merge "Remove sepolicy for viewcompiler" into main 2024-04-06 00:14:25 +00:00
Treehugger Robot
1c6d3054bb Merge "Install cil_compat_map module's output" into main 2024-04-05 16:22:17 +00:00
Inseob Kim
a9d412d373 Install cil_compat_map module's output
... so it can be packaged as PackagingSpecs

Bug: 329208946
Test: m aosp_cf_system_x86_64
Change-Id: I6298a3e99e74c38befb3a3565e4c638e1558114d
2024-04-05 23:45:23 +09:00
Suren Baghdasaryan
dcd387eedb Merge "lmkd: Add ro.lmkd.swap_compression_ratio property policies" into main 2024-04-05 04:38:11 +00:00
Jeongik Cha
bc287fb76a Merge "Sepolicy for crosvm to show display" into main 2024-04-05 03:31:18 +00:00