Commit graph

2531 commits

Author SHA1 Message Date
Chenbo Feng
16dbe82eaf Block access to xt_qtaguid proc files
In the next Android release, there will be devices that have no
xt_qtaguid module at all and framework and netd will decide which code
path it takes for trafficStats depending on the device setup. So all
apps and services should not depend on this device specific
implementation anymore and use public API for the data they need.

Bug: 114475331
Bug: 79938294
Test: QtaguidPermissionTest

Change-Id: I0d37b2df23782eefa2e8977c6cdbf9210db3e0d2
2018-09-28 01:33:02 +00:00
Wei Wang
bc71a6109e Add atrace HAL 1.0 sepolicy
Bug: 111098596
Test: atrace/systrace

(cherry picked from commit 9ed5cf6e43)

Change-Id: I97772ff21754d03a0aea0d53b39e8da5312a17c0
2018-09-27 23:18:29 +00:00
Nick Kralevich
5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00
Nick Kralevich
ff1c765ff2 Label /system/usr/share/zoneinfo differently
/system/usr/share/zoneinfo is currently labeled zoneinfo_data_file,
a label shared with /data/misc/zoneinfo. However, each of these
directory locations has different security characteristics. In
particular, the files in /system/usr/share/zoneinfo must never be
writable, whereas /data/misc/zoneinfo may be written to by system_server.
Reusing the same label hides these different security characteristics.

Create a separate label for /system/usr/share/zoneinfo.

Test: Device boots and no obvious problems.
Change-Id: I8cf16ff038b06b38f77388e546d9b7a6865f7879
2018-09-27 10:18:40 -07:00
Tri Vo
6cd9bd078a Label /system/bin/linker* symlinks as system_file.
Fixes:
avc: denied { read } for comm="init" name="linker_asan64" dev="sda22" ino=1833
scontext=u:r:init:s0 tcontext=u:object_r:system_linker_exec:s0 tclass=lnk_file
permissive=0

Bug: 116486312
Test: adb unroot && adb shell ls -l /system/bin/linker_asan
Change-Id: I754daaf3576e83d516cc9189b8be04dcc41bbc5c
2018-09-24 16:22:38 -07:00
Fan Xu
26fa914cb2 Update SELinux Policy for bufferhubd
Create a new service type buffer_hub_binder_service for
BufferHubBinderService and allow bufferhubd to publish the service.

Add the service to 26.0, 27.0 and 28.0 compat ignore files since the
service is not available in past versions.

Fixes: 116022258
Test: build passed

Change-Id: I5a21f00329ed474433d96c8d1ce32377f20cada3
2018-09-24 12:29:43 -07:00
Treehugger Robot
06ddf4b44e Merge "Add label for /system/bin/fsck.exfat" 2018-09-24 18:38:45 +00:00
Oleksiy Avramchenko
65a0b50763 Add label for /system/bin/fsck.exfat
Allow vold to run exFAT filesystem check.

Test: build, mount exFAT volume
Bug: 80202067
Change-Id: I68f3438de89246e806cebe483f37e31c68aaa3d7
2018-09-24 14:04:05 +02:00
Jeff Vander Stoep
0b67bb88e5 Further lock down app data
Assert that only apps and installd may open private app files.

Remove "open" permission for mediaserver/vold and remove their
neverallow exemption.

Test: verify no related audit messages in the logs.
Test: build
Fixes: 80300620
Fixes: 80418809
Bug: 80190017
Change-Id: If0c1862a273af1fedd8898f334c9b0aa6b9be728
2018-09-22 22:38:42 -07:00
Kevin Chyn
7087bf1256 Merge "Rename biometric_prompt_service to biometric_service" 2018-09-22 03:47:00 +00:00
Tri Vo
6816044271 Merge "More granular vendor access to /system files." 2018-09-22 01:30:25 +00:00
Jeffrey Vander Stoep
7776cc3bc5 Merge "system_server: add policy for getConnectionOwnerUid API" 2018-09-21 21:04:20 +00:00
Kevin Chyn
75ded482df Rename biometric_prompt_service to biometric_service
Bug: 111461540
Bug: 112570477

Test: builds
Change-Id: Icc68720ebe931c2d917703b2d34aa0f4eec3f549
Merged-In: Icc68720ebe931c2d917703b2d34aa0f4eec3f549
2018-09-20 23:09:54 -07:00
Yifan Hong
1cef6a94eb health.filesystem HAL renamed to health.storage
...to reflect that the HAL operates on storage devices,
not filesystem.

Bug: 111655771
Test: compiles
Change-Id: Ibb0572cb1878359e5944aa6711331f0c7993ba6e
Merged-In: Ibb0572cb1878359e5944aa6711331f0c7993ba6e
2018-09-20 04:12:45 +00:00
Tri Vo
5c1fe61eaa More granular vendor access to /system files.
This change limits global access to /system files down to:
/system/bin/linker*
/system/lib[64]/*
/system/etc/ld.config*
/system/etc/seccomp_policy/*
/system/etc/security/cacerts/*
/system/usr/share/zoneinfo/*

Bug: 111243627
Test: boot device, browse internet without denials to system_* types.
Test: VtsHalDrmV1_{1, 0}TargetTest without denials
Change-Id: I69894b29733979c2bc944ac80229e84de5d519f4
2018-09-20 03:07:50 +00:00
Benjamin Gordon
342362ae3e sepolicy: grant dac_read_search to domains with dac_override
kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order
of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of
dac_override and dac_read_search checks.  Domains that have dac_override
will now generate spurious denials for dac_read_search unless they also
have that permission.  Since dac_override is a strict superset of
dac_read_search, grant dac_read_search to all domains that already have
dac_override to get rid of the denials.

Bug: 114280985
Bug: crbug.com/877588
Test: Booted on a device running 4.14.
Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
2018-09-19 15:54:37 -06:00
Primiano Tucci
51dc7cb1d4 Allow perfetto traced_probes to poll /proc/{meminfo,stat,vmstat,...}
This allows the trace producer daemon to snapshot counters at
high frequency in the trace. As usual for Perfetto, this data is
NOT made available to arbitrary apps but only to an extremely
limited subset of processes governed by selinux rules (currently
shell and statsd).

Bug: 115956288
Change-Id: I7e1bfda4b568b9bac9012b198ecbb998da4f773d
2018-09-19 11:29:17 +00:00
Joel Galenson
732e92b6fe Remove fixed bugs from bug_map.
Test: Build.
Change-Id: I5c02916dfa3b2e8d5ba2bc586d05a69bd1f1254f
Merged-In: I150bc74b13a77f00a7e8b31a6c2edf9654bdbe59
2018-09-17 08:42:55 -07:00
Nick Kralevich
095fbea563 Strengthen ptrace neverallow rules
Add additional compile time constraints on the ability to ptrace various
sensitive domains.

llkd: remove some domains which llkd should never ptrace, even on
debuggable builds, such as kernel threads and init.

crash_dump neverallows: Remove the ptrace neverallow checks because
it duplicates other neverallow assertions spread throughout the policy.

Test: policy compiles and device boots
Change-Id: Ia4240d1ce7143b983bb048e046bb4729d0af5a6e
2018-09-14 18:32:20 +00:00
Jeff Vander Stoep
d1b14ab732 system_server: add policy for getConnectionOwnerUid API
Bug: 9496886
Bug: 109758967
Test: atest HostsideVpnTests
Change-Id: I1716d9c740b374b861e691b31ab271c681cf6bff
2018-09-13 21:29:12 -07:00
Yangster
f8c2c14a07 Allow stats_companion to register thermal throttling event listener.
Test: manual test

BUG: b/112432890
Change-Id: If703cd25a2c0864ffd49bfdc83821fae291974b5
2018-09-13 09:18:33 -07:00
Treehugger Robot
7826a7879c Merge "add links to docs explaining motivations behind neverallow assertions." 2018-09-13 02:13:24 +00:00
Nick Kralevich
6cf9160e82 add links to docs explaining motivations behind neverallow assertions.
Test: comments only. Policy compiles.
Change-Id: Ic51533d37fff6c553950a122f33a48e3c119c67c
2018-09-12 15:53:48 -07:00
Nick Kralevich
5d1755194a Change priv-apps /data/data labels to privapp_data_file
Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.

Commit 23c9d91b46 introduced a new type
called privapp_data_file and added rules necessary to preserve
compatibility. However, that change did not relabel any existing files,
so effectively the change was a no-op.

This change performs the switch, relabeling priv-app's /data/data files
from app_data_file to privapp_data_file. Due to the compatibility rules
added in 23c9d91b46, there should be no
noticeable effect from this change.

This change was originally submitted as
4df57822fc. However, it was reverted in
cdc6649acc due to a different labeling
bug. That bug has been fixed, and we can reapply this change.

Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
      filesystem upgrade.
Bug: 112357170
2018-09-12 12:30:32 -07:00
Hector Dearman
9e6c78f73f Merge "Make system_server atrace category work with traced_probes" 2018-09-12 14:07:07 +00:00
Treehugger Robot
f434377515 Merge "sepolicy: Allow apps to read ashmem fds from system_server" 2018-09-10 17:33:20 +00:00
Benjamin Gordon
360559e7bb sepolicy: Allow apps to read ashmem fds from system_server
Kernel commit 8a2af06415ef0fc922162503dd18da0d9be7771f (ashmem: switch
to ->read_iter) switched ashmem from using __vfs_read to vfs_iter_read
to read the backing shmem file.  Prior to this, reading from an ashmem
fd that was passed between processes didn't hit any permission checks;
now SELinux checks that the receiver can read from the creator's file
context.

Some apps receive buffers through ashmem from system_server, e.g., the
settings app reads battery stats from system_server through ashmem when
an app details page is opened.  Restore this ability by giving apps read
access to system_server_tmpfs.  system_server is still responsible for
creating and passing across the ashmem buffers, so this doesn't give
apps the ability to read anything system_server isn't willing to give
them.

Bug: 112987536
Bug: 111381531
Test: atest android.appsecurity.cts.PermissionsHostTest on kernel 4.14
Change-Id: Ice5e25f55bc409e91ad7e8c7ea8b28ae213191a3
2018-09-10 17:04:09 +00:00
Hector Dearman
244bc7cf97 Make system_server atrace category work with traced_probes
Historically most uses of atrace happen via the shell domain.

There are two exceptions:
- boot tracing
- traced_probes

We need to get feature parity, so atrace has the same behavior
when is invoked either via shell or from its own domain (e.g.
via traced_probes that has an auto_trans rule into atrace on exec).
Atrace works by setting system properties to enable tracing from userspace
then poking all the binder services to read the system properties (see [1]) so
enabling the system_server category requires the ability to call binder
methods on the system_server.

For more use cases see b/113127224

[1]: 9ead54bed6/cmds/atrace/atrace.cpp (545)

Bug: 113127224
Test: Add an atrace category to the Perfetto config and confirm the data
shows up.

Change-Id: Id077eff960ffb1cdd7b0ce84b21ac9ef70444a4a
2018-09-10 14:03:27 +01:00
Nick Kralevich
1b1d133be5 Add nnp_nosuid_transition policycap and related class/perm definitions.
af63f4193f
allows a security policy writer to determine whether transitions under
nosuid / NO_NEW_PRIVS should be allowed or not.

Define these permissions, so that they're usable to policy writers.

This change is modeled after refpolicy
1637a8b407

Test: policy compiles and device boots
Test Note: Because this requires a newer kernel, full testing on such
   kernels could not be done.
Change-Id: I9866724b3b97adfc0cdef5aaba6de0ebbfbda72f
2018-09-07 10:52:31 -07:00
Treehugger Robot
f82c66f240 Merge "Disallow new untrusted_app access to /proc/tty/drivers" 2018-09-07 16:15:57 +00:00
Jeff Vander Stoep
ff511cb5db Disallow new untrusted_app access to /proc/tty/drivers
Access is deprecated for apps with targetSdkVersion=26+.

Test: build (neverallow rules are build time assertions)
Change-Id: I36480c38d45cf6bfb75f4988ffcefefc6b62d4b1
2018-09-07 07:39:28 -07:00
Marcin Oczeretko
fb947d0c36 Merge "Add looper_stats_service to SE policy." 2018-09-07 09:51:33 +00:00
Marcin Oczeretko
56ab6be0d4 Add looper_stats_service to SE policy.
Test: Built and flashed an image.
Bug: 113651685
Change-Id: Ide239432ea8a5701d91c00edd06ad3e52560a3f7
2018-09-06 21:07:13 +00:00
Nick Kralevich
eef72d34b4 dumpstate: remove JIT and /data execute
Not needed for modern Android versions. These rules are really, really
old.

Test: "adb bugreport" continues to work
Test: Generating a bugreport via key combo continues to work.
Change-Id: Ibc1157fb36abd7fc701db3819474f25210a3cb5f
2018-09-06 13:28:34 -07:00
Makoto Onuki
ac4b6478c1 Merge "Add app_binding system service" 2018-09-06 17:20:45 +00:00
Nick Kralevich
e6f33f53bf exclude su from transitioning to crash_dump domain
When /system/bin/crash_dump is executed from the su domain, do not
perform a domain transition. This allows processes run from that domain
to crash normally without SELinux interfering.

Bug: 114136122
Test: cferris: "This change works for me. I ran the crasher executable on
  /data, /data/nativetest, /data/nativetest64 (and even /data/local/tmp).
  All of them show that crash_dump can read the executables."
Change-Id: Ic135d61b11774acff37ebfb35831497cddbefdef
2018-09-05 19:49:59 -07:00
Makoto Onuki
6af1181320 Add app_binding system service
Bug: 109809543
Test: Build and boot with the new service in the internal branch.

Change-Id: Iaee365771c3e8e5b8f5f3b6112bbf902c6bb02bd
2018-09-05 14:33:20 -07:00
Jeff Vander Stoep
6026a4adb9 app: Allow all apps to read dropbox FDs
DropboxManager may pass FDs to any app with the READ_LOGS
permission which is available to all apps as a development
permission.

Test: atest CtsIncidentHostTestCases
Fixes: 111856304
Change-Id: I329e3125dab83de948b860061df9d232e31cb23e
2018-09-04 20:23:43 +00:00
Mark Salyzyn
275ea12d84 llkd: Add stack symbol checking
llkd needs the ptrace capabilities and dac override to monitor for
live lock conditions on the stack dumps.

Test: compile
Bug: 33808187
Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126
2018-09-04 17:02:30 +00:00
Alan Stokes
b9cb73ad4e Ensure crash_dump cannot be allowed to ptrace itself.
This is not needed and could conceivably be abused.

Test: Builds.
Bug: 110107376
Change-Id: I73f301439af435fe40b3902409964cdf6e2c7dd5
2018-09-03 17:27:54 +01:00
Kevin Chyn
57887307df Add BiometricPromptService to sepolicy
Bug: 72825012

Test: manual
Change-Id: I850c869cdc0ad8735800130bb4a8d67822197ff9
2018-08-30 11:43:20 -07:00
Jeff Vander Stoep
08aa715966 crash_dump: disallow ptrace of TCB components
Remove permissions and add neverallow assertion.

(cherry picked from commit f1554f1588)

Bug: 110107376
Test: kill -6 <components excluded from ptrace>
Change-Id: I2dc872f5c02749fbaf8ca6bc7e3e38404151442c
2018-08-28 08:28:25 -07:00
Treehugger Robot
ed16534eb5 Merge "Allow signals to hal_graphics_allocator_server from dumpstate" 2018-08-27 18:46:28 +00:00
Howard Ro
00f76cb4ff Merge "Allow all app types to socket send to statsdw (statsd socket)" 2018-08-25 00:32:59 +00:00
Howard Ro
21bd2aeb08 Allow all app types to socket send to statsdw (statsd socket)
Also move statsd to /public/

Bug: 110538431
Test: manual testing
Change-Id: I58319e169eaab7d997ed3628c3c9709cf7bd0d4a
2018-08-23 16:13:30 -07:00
Tri Vo
00f28f6d09 Merge "Rename untrusted_app_visible_*' to include 'violators'." 2018-08-23 03:22:20 +00:00
Christine Franks
a11cdd2f93 Add color_service selinux policy
Bug: 111215474
Test: boots
Change-Id: I98955bcd02f643400c3eb97232467c09a2c5c1e5
2018-08-21 17:53:00 -07:00
Tri Vo
7f8b6cc66c Rename untrusted_app_visible_*' to include 'violators'.
Bug: 110887137
Test: Flash new system policy onto a device with vendor policy that uses
untrusted_app_visible_* attributes, and check that old and new attributes
are applied to exactly same types.
Change-Id: Ibee0ec645878fcc8c93cd0fbd169a8d45129d79e
Merged-In: Ibee0ec645878fcc8c93cd0fbd169a8d45129d79e
(cherry picked from commit 7abca51d19)
2018-08-21 21:32:41 +00:00
Benjamin Gordon
7ed266c678 sepolicy: Fix references to self:capability
commit 9b2e0cbeea added a new
self:global_capability_class_set macro that covers both self:capability
and self:cap_userns.  Apply the new macro to various self:capability
references that have cropped up since then.

Bug: 112307595
Test: policy diff shows new rules are all cap_userns
Change-Id: I3eb38ef07532a8e693fd549dfdbc4a6df5329609
2018-08-21 15:55:23 +00:00
Yifan Hong
3784e7fcfa Merge "s/product-services/product_services/g" 2018-08-21 01:07:56 +00:00