Commit graph

16541 commits

Author SHA1 Message Date
Tri Vo
3026dc738f Audit access to same_process_hal_file.
am: 81ade3dd1d

Change-Id: Ie3437cd699d16cbf72fca61c5646800d90feaa2a
2018-10-12 22:43:35 -07:00
Tri Vo
7151273060 Merge "Add type for /system/bin/tcpdump."
am: af9251539a

Change-Id: Ie51d95317f6613e086b2b80a5ca967779ab9eb32
2018-10-12 22:43:20 -07:00
Tri Vo
81ade3dd1d Audit access to same_process_hal_file.
same_process_hal_file is exempted from many Treble neverallows. We want
to know which processes access this type to eventually constrain access
to it.

Bug: 37211678
Test: m selinux_policy
Change-Id: I61c0df21250eb1b1ae2d9c5fa9c801a828539813
2018-10-13 05:27:03 +00:00
Tri Vo
af9251539a Merge "Add type for /system/bin/tcpdump." 2018-10-13 05:26:33 +00:00
Nick Kralevich
2116488095 Merge "Allow more file ioctls"
am: 03453d0a95

Change-Id: I1aca888b640da537e22cdc1400349308e3c46552
2018-10-12 22:12:32 -07:00
Treehugger Robot
03453d0a95 Merge "Allow more file ioctls" 2018-10-13 04:59:21 +00:00
Hridya Valsaraju
d65b124af5 Merge "Allow fastbootd to read endpoint descriptor for fastboot usb device"
am: a5b14e89db

Change-Id: I30c25680447d3849be7c59fc5695765150f44fb7
2018-10-12 16:43:05 -07:00
Treehugger Robot
a5b14e89db Merge "Allow fastbootd to read endpoint descriptor for fastboot usb device" 2018-10-12 23:31:46 +00:00
Nick Kralevich
3dae261101 move cgroup auditallow into userdebug_or_eng block
am: 186466e955

Change-Id: I1fdfaf3d86511ced2f1c56b2bfbe42261a332ceb
2018-10-12 15:16:20 -07:00
Nick Kralevich
6586fe3110 Allow more file ioctls
The shell script interpreter checks if file descriptors are ttys, which
causes a bunch of denials. Allow the benign ioctl TCGETS. Addresses the
following denials:

  type=1400 audit(0.0:321): avc: denied { ioctl } for comm="sh"
  path="/data/misc/perfprofd/perferr.txt" dev="sda13" ino=6817306
  ioctlcmd=5401 scontext=u:r:perfprofd:s0
  tcontext=u:object_r:perfprofd_data_file:s0 tclass=file permissive=0

  type=1400 audit(0.0:3189): avc: denied { ioctl } for comm="ps"
  path="/data/user_de/0/com.android.shell/files/bugreports/bugreport-XXXXXXXXX-MASTER-2018-10-11-16-52-40.tmp"
  dev="dm-2" ino=25546 ioctlcmd=0x5401 scontext=u:r:dumpstate:s0
  tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0

  type=1400 audit(0.0:3004): avc: denied { ioctl } for comm="top"
  path="/data/user_de/0/com.android.shell/files/bugreports/bugreport-XXXXXXXXX-MASTER-2018-10-11-16-52-40.tmp"
  dev="dm-2" ino=25546 ioctlcmd=0x5401 scontext=u:r:dumpstate:s0
  tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0

Include the virtual sdcard when allowing F2FS specific sqlite ioctls,
since apps write sqlite files to the virtual sdcard. Addresses the
following denials:

  type=1400 audit(0.0:324): avc: denied { ioctl } for comm="amapLocManagerT"
  path="/storage/emulated/0/amap/openamaplocationsdk/alsn20170807.db"
  dev="sdcardfs" ino=3546650 ioctlcmd=f50c
  scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:sdcardfs:s0
  tclass=file permissive=0 app=com.xiaomi.hm.health

Test: policy compiles.
Change-Id: I7fc570f2bbf69485b1ee6e6b2d9a421639d29123
2018-10-12 22:07:25 +00:00
Tri Vo
e8b33c3139 Add type for /system/bin/tcpdump.
We add this type with the intent to expose /system/bin/tcpdump to
vendor on userdebug devices only.

Bug: 111243627
Test: device boots, /system/bin/tcpdump correctly labeled as
tcpdump_exec, can browse internet, turn wifi on/off
Change-Id: Icb35e84c87120d198fbb2b44edfa5edf6021d0f0
2018-10-12 21:51:46 +00:00
Hridya Valsaraju
2e645853ce Allow fastbootd to read endpoint descriptor for fastboot usb device
Test: fastboot flashall
Bug: 78793464
Change-Id: I8e1e982e3a9e356738944df5bfa1e802794a6a25
2018-10-12 13:33:42 -07:00
Nick Kralevich
186466e955 move cgroup auditallow into userdebug_or_eng block
By convention, auditallow statements are typically put into
userdebug_or_eng blocks, to ensure we don't accidentally ship
unnecessary audit rules. Let's do the same here.

Test: policy compiles.
Change-Id: Ib3eac94284eea3c1ae2f3dacddcb2eaeca95230e
2018-10-12 13:26:40 -07:00
Siarhei Vishniakou
c38d803278 Merge "Allow system_server to read vendor_file"
am: 25b4eb217c

Change-Id: I78ecee68fdc8dadf62b0c3977f01a0571a1bdc1f
2018-10-12 13:14:55 -07:00
Nick Kralevich
dc2389bc5c installd: add fsverity ioctls
am: 0045ecb0c4

Change-Id: I18a456e47a00e58b353340cc843b8e7a6ef853ed
2018-10-12 13:14:34 -07:00
Treehugger Robot
25b4eb217c Merge "Allow system_server to read vendor_file" 2018-10-12 20:04:22 +00:00
Nick Kralevich
0045ecb0c4 installd: add fsverity ioctls
installd calls fsverity ioctls FS_IOC_ENABLE_VERITY and
FS_IOC_SET_VERITY_MEASUREMENT on APKs in /data/app. Allow it.

Addresses the following denials:

  type=1400 audit(0.0:13): avc: denied { ioctl } for comm="Binder:912_1"
  path="/data/app/com.android.vending-QZXfga9NZzHdv31lJzPTdQ==/base.apk"
  dev="dm-3" ino=43887 ioctlcmd=0x6686 scontext=u:r:installd:s0
  tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0

  type=1400 audit(0.0:40): avc: denied { ioctl } for comm="Binder:876_1"
  path="/data/app/com.android.settings-0xUwDcuYseP40L3WMUTGIw==/base.apk"
  dev="dm-0" ino=6855 ioctlcmd=0x6685 scontext=u:r:installd:s0
  tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0

Test: policy compiles and device boots
Bug: 30972906
Change-Id: Ifc88ae6909971c2f2bb24479f5e748fc7900447d
2018-10-12 08:56:48 -07:00
Siarhei Vishniakou
3639f57960 Allow system_server to read vendor_file
Input device configuration files .idc, .kl that are placed in /vendor
are currently not accessible.
Allow the read access here.

Bug: 112880217
Test: move .idc and .kl files from /system to /vendor, then observe
logcat. With this patch, avc denials disappear.

Change-Id: I72ad62b9adf415f787565adced73fd8aaff38832
2018-10-12 02:42:09 +00:00
Chong Zhang
817027b055 Merge "add mediaswcodec service"
am: 9977e25411

Change-Id: Id64de9050f14d4f782dbdf6a9b695a52201e042e
2018-10-11 19:03:25 -07:00
Treehugger Robot
9977e25411 Merge "add mediaswcodec service" 2018-10-12 01:48:47 +00:00
Sooraj Sasindran
d09ac29451 Merge "Add ians service contexts"
am: 3158efd684

Change-Id: I1c01a879a6eeeecbaa0ecbaf211c61aa7cbec72a
2018-10-11 16:15:32 -07:00
Sooraj Sasindran
3158efd684 Merge "Add ians service contexts" 2018-10-11 22:58:32 +00:00
Chong Zhang
bdbfff1b00 add mediaswcodec service
Set up a new service for sw media codec services.

Bug: 111407413

Test: cts-tradefed run cts-dev --module CtsMediaTestCases --compatibility:module-arg CtsMediaTestCases:include-annotation:android.platform.test.annotations.RequiresDevice
Change-Id: Ia1c6a9ef3f0c1d84b2be8756eb1853ffa0597f8e
2018-10-11 15:10:17 -07:00
Nick Kralevich
b8b512528c remove system_app proc_net_type access
am: 2e251461fc

Change-Id: I8bee9014a8b4debfff0b29c7178b6126a4aaa365
2018-10-11 12:59:38 -07:00
Nick Kralevich
2e251461fc remove system_app proc_net_type access
The auditallow added in 7a4af30b3 has not triggered. This is safe to
remove.

Test: device boots and no obvious problems.
Test: No audit messages seen since May 2018 on go/sedenials
Bug: 9496886
Bug: 68016944
Change-Id: I3861b462467e1fc31e67a263ad06716a4111dcb8
2018-10-11 10:20:19 -07:00
Tri Vo
7f5c49235f Merge "Constrain cgroups access."
am: 99f2477953

Change-Id: Ib2dd4f787fb6fb00234ee70d2a6e1569b3d96fd5
2018-10-11 09:44:01 -07:00
Tri Vo
99f2477953 Merge "Constrain cgroups access." 2018-10-11 16:30:05 +00:00
Joel Galenson
7aa5d3ebab Handle denials caused by taking a bugreport.
am: 49531c81c5

Change-Id: I116cbfb34379fef0c3003c1b1d9c30b211e63647
2018-10-11 06:48:36 -07:00
Joel Galenson
49531c81c5 Handle denials caused by taking a bugreport.
apex_service is already in the list of services dumpstate cannot find;
this ensures that the dontaudit list is the same.  We hide the denial
caused by df reading one of its directories.

dumpstate can already call all binder services, so we enable it to
call bufferhubd.

Bug: 116711254
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: Ie5acc84326fa504199221df825549479f3cf50e1
2018-10-10 18:17:50 -07:00
Tri Vo
f55c989d18 Constrain cgroups access.
What changed:
- Removed cgroup access from untrusted and priv apps.
- Settings app writes to /dev/stune/foreground/tasks, so system_app domain
retains access to cgroup.
- libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used
abundantly in native code. So added a blanket allow rule for (coredomain - apps)
to access cgroups.
- For now, only audit cgroup access from vendor domains. Ultimately, we want to
either constrain vendor access to individual domains or, even better, remove
vendor access and have platform manage cgroups exclusively.

Changes from original aosp/692189 which was reverted:
- There seem to be spurious denials from vendor-specific apps. So added
back access from { appdomain -all_untrusted_apps -priv_app } to cgroup.
Audit this access with intent to write explicit per-domain rules for it.

Bug: 110043362
Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates
/dev/memcg on a per app basis on a device that supports that.
Test: aosp_sailfish, wahoo boot without cgroup denials
This reverts commit cacea25ed0.
Change-Id: I05ab404f348a864e8409d811346c8a0bf49bc47a
2018-10-10 17:41:09 -07:00
Tri Vo
fc25373422 Merge "Label /data/asan/* libs as system_lib_file."
am: 9a06d551c6

Change-Id: Ib00c42dea5a1f89b9a45c01df80680ecf7a76381
2018-10-10 13:43:57 -07:00
Sooraj Sasindran
ffaf66d48b Add ians service contexts
Add ians service contexts

Bug: 113106744
Test: verified from service list that ianas is
      registered
Change-Id: Iea653416ffa45cba07a544826e0a2395d31cedca
Merged-In: Iea653416ffa45cba07a544826e0a2395d31cedca
2018-10-10 20:43:05 +00:00
Nick Kralevich
9ab886960d Merge "enable ioctl filtering on other filesystem types"
am: 505bc75e6d

Change-Id: I6142ee8311b586981c3214e1f234d6eae1642b4e
2018-10-10 13:34:54 -07:00
Tri Vo
9a06d551c6 Merge "Label /data/asan/* libs as system_lib_file." 2018-10-10 20:31:08 +00:00
Treehugger Robot
505bc75e6d Merge "enable ioctl filtering on other filesystem types" 2018-10-10 20:17:16 +00:00
Nick Kralevich
306758eee1 property files: remove ioctl and lock
am: 0e79107309

Change-Id: I604d6992bad2721566e9846f157196f432c21bf1
2018-10-10 12:24:52 -07:00
Tri Vo
45d521a577 Label /data/asan/* libs as system_lib_file.
This patch gives global access to asan libraries. This is not ideal since the
labeling is not symmetric with standard locations, but this approach is easy to
maintain.

Fixes: 117555408
Test: processes on asan builds load /data/asan/* libs correctly
Change-Id: If54558c1808d8b16e06073c150c9f3eb358dda67
2018-10-10 11:23:00 -07:00
Nick Kralevich
6695c50dee enable ioctl filtering on other filesystem types
ebc3a1a34c enabled ioctl filtering on
normal files and directories. However, no per-ioctl permissions were
enforced for symbolic links, named pipes ("mkfifo"), or
named sockets.

Start enforcing fine-grained ioctl restrictions for symbolic links, named
pipes, and named sockets.

Motivation: Prevent FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY from
being usable on nonsensical filesystem objects and provide a layer of
defense for kernel bugs.

Test: Device boots and no obvious problem.
Change-Id: Id81b496ab64f37a0918f3dfd8fa9aaa3227009cc
2018-10-10 10:07:32 -07:00
Nick Kralevich
0e79107309 property files: remove ioctl and lock
They are unneeded.

Test: device boots and no obvious problems.
Change-Id: Ib788a89645c893c8c36acbe7fb34ce93bf6a57d7
2018-10-10 09:02:12 -07:00
Nick Kralevich
d3d4fe8e8c Merge "Move to ioctl whitelisting for plain files / directories"
am: ae079b88bb

Change-Id: I334de5f9528e4b84fc656b95de2832b6e63502df
2018-10-10 08:55:52 -07:00
Treehugger Robot
ae079b88bb Merge "Move to ioctl whitelisting for plain files / directories" 2018-10-10 15:39:59 +00:00
Nick Kralevich
4a0f3fae61 Merge "kernel: allow write access to /data/misc/vold/virtual_disk"
am: 5d4a119233

Change-Id: I5b823e5b528527da800c01b3c9da8b1e2af50a05
2018-10-10 08:21:08 -07:00
Treehugger Robot
5d4a119233 Merge "kernel: allow write access to /data/misc/vold/virtual_disk" 2018-10-10 15:14:10 +00:00
Nick Kralevich
6a4f72fecc Revert "Constrain cgroups access."
am: cacea25ed0

Change-Id: I501b64576a2f059ce5c56064777cad07251d72cb
2018-10-10 06:10:40 -07:00
Nick Kralevich
ebc3a1a34c Move to ioctl whitelisting for plain files / directories
Remove kernel attack surface associated with ioctls on plain files. In
particular, we want to ensure that the ioctls FS_IOC_ENABLE_VERITY and
FS_IOC_MEASURE_VERITY are not exposed outside a whitelisted set of
entities. However, it's straightforward enough to turn on ioctl
whitelisting for everything, so we choose to do so.

Test: policy compiles and device boots
Test: device boots with data wipe
Test: device boots without data wipe
Change-Id: I545ae76dddaa2193890eeb1d404db79d1ffa13c2
2018-10-10 13:02:57 +00:00
Nick Kralevich
cacea25ed0 Revert "Constrain cgroups access."
This reverts commit 9899568f6c.

Reason for revert: Reports of high numbers of SELinux denials
showing up on the SELinux dashboard.

Bug: 110043362
Change-Id: Id8fc260c47ffd269ac2f15ff7dab668c959e3ab0
2018-10-10 04:25:17 +00:00
Nick Kralevich
fb13ddda26 kernel: allow write access to /data/misc/vold/virtual_disk
The kernel thread which manages this file really needs read/write access
to this file, not read-only. This was suspected in b/36626310, but
apparently something must have changed in the kernel surrounding
permission checking for kernel threads (still unknown).

Bug: 36626310
Bug: 117148019
Bug: 116841589
Test: policy compiles
Change-Id: I9c42541e2567a79b2d741eebf3ddf219f59478a9
2018-10-09 19:50:48 -07:00
Tri Vo
0b4e4f47f7 Constrain cgroups access.
am: 9899568f6c

Change-Id: I253a0b620daa55663eda04baecba2d2ffd925925
2018-10-09 16:52:32 -07:00
Tri Vo
9899568f6c Constrain cgroups access.
What changed:
- Removed cgroup access from untrusted and priv apps.
- Settings app writes to /dev/stune/foreground/tasks, so system_app domain
retains access to cgroup.
- libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used
abundantly in native code. So added a blanket allow rule for (coredomain - apps)
to access cgroups.
- For now, only audit cgroup access from vendor domains. Ultimately, we want to
either constrain vendor access to individual domains or, even better, remove
vendor access and have platform manage cgroups exclusively.

Bug: 110043362
Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates
/dev/memcg on a per app basis on a device that supports that.
Test: aosp_sailfish, wahoo boot without cgroup denials
Change-Id: I9e441b26792f1edb1663c660bcff422ec7a6332b
2018-10-09 23:42:06 +00:00
Igor Murashkin
9a88ef46a9 Merge "iorapd: Add new binder service iorapd."
am: 77e40fbd06

Change-Id: Ibf6517366094b6d47cc0e1551b2ed709c3b10937
2018-10-09 16:29:10 -07:00