It doesn't ever make sense to attempt to load executable code
from these files. Add a neverallow rule (compile time assertion and
CTS test).
Bug: 27882507
Change-Id: Iaa83e3ac543b2221e1178c563e18298305de6da2
(cherrypicked from commit 45737b9f58)
There are now individual property files to control access to
properties. Don't allow processes other than init to write
to these property files.
Change-Id: I184b9df4555ae5051f9a2ba946613c6c5d9d4403
The misc_block_device partition is intended for the exclusive
use of the OTA system, and components related to the OTA system.
Disallow it's use by anyone else on user builds. On userdebug/eng
builds, allow any domain to use this, since this appears to be used
for testing purposes.
Bug: 26470876
Change-Id: I05d4ee025bb8a5e6a1a9237fefaa2b1c646e332c
postinstall_file was an exec_type so it could be an entrypoint for the
domain_auto_trans from update_engine domain to postinstall domain. This
patch removes the exec_type from postinstall_file and exempts it from
the neverallow rule to become an entrypoint.
Bug: 28008031
TEST=postinstall_example still runs as the "postinstall" domain on edison-eng.
Change-Id: Icbf5b262c6f971ce054f1b4896c611b32a6d66b5
Prevent direct opens into the system_app sandbox.
Change-Id: I04c22076939a9a09a6c861ae73da839c879c4ba7
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Do not allow other domains to create or unlink files under
the system app sandbox.
Change-Id: I7c3037210c6849c3b0fc205fa71fa5ed4dcac1c2
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Many permissions were removed from untrusted_app by the removal of
domain_deprecated, including procfs access. procfs file access was restored,
however, but not completely. Add the ability to getattr to all domains,
so that other domains which lost domain_deprecated may benefit, as they
will likely need it.
Bug: 27249037
Change-Id: Id3f5e6121548b29d739d5e0fa6ccdbc9f0fc29be
When using the A/B updater, a device specific hook is sometimes needed
to run after the new partitions are updated but before rebooting into
the new image. This hook is referred to throughout the code as the
"postinstall" step.
This patch creates a new execution domain "postinstall" which
update_engine will use to run said hook. Since the hook needs to run
from the new image (namelly, slot "B"), update_engine needs to
temporarly mount this B partition into /postinstall and then run a
program from there.
Since the new program in B runs from the old execution context in A, we
can't rely on the labels set in the xattr in the new filesystem to
enforce the policies baked into the old running image. Instead, when
temporarily mounting the new filesystem in update_engine, we override
all the new file attributes with the new postinstall_file type by
passing "context=u:object_r:postinstall_file:s0" to the mount syscall.
This allows us to set new rules specific to the postinstall environment
that are consistent with the rules in the old system.
Bug: 27177071
TEST=Deployed a payload with a trivial postinstall script to edison-eng.
Change-Id: Ib06fab92afb45edaec3c9c9872304dc9386151b4
Currently, uncrypt has write access to "block_device". This is
the generic label used for a file in /dev/block which doesn't
have a more specific label assigned to it.
This is an overly broad grant. Commit a10f789d28
started the process of deprecating "block_device" access in favor
of "misc_block_device".
This change completes the deprecation and removes the overly
broad grant. Also update the neverallow rules so that
this overly broad rule cannot be reintroduced into uncrypt.
Bug: 25091603
Change-Id: Ifc5fa412db2f95726ae89c32c577a6659885ae55
Ability to read all of proc was placed in domain_deprecated with the
intention of reducing information leaking from proc. Many processes try
to read proc dirs, though. Allow this with the belief that information
leakage is from the proc files themselves rather than dir structure.
Address the following denial:
avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=dir permissive=0
Bug: 26833472
Change-Id: I975ae022c093e1cf80de21487dc11e49f938e5a3
Modify many "neverallow domain" rules to be "neverallow *" rules
instead. This will catch more SELinux policy bugs where a label
is assigned an irrelevant rule, as well as catch situations where
a domain attribute is not assigned to a process.
Change-Id: I5b83a2504c13b384f9dff616a70ca733b648ccdf
Was moved to domain_deprecated. Move back to domain.
Files in /acct/uid/*/tasks are well protected by unix permissions.
No information is leaked with write perms.
Change-Id: I8017e906950cba41ce350bc0892a36269ade8d53
Domain is already allowed to stat selinuxfs, it also needs
dir search.
Addresses:
avc: denied { search } for name="/" dev="selinuxfs" ino=1 scontext=u:r:watchdogd:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir
Change-Id: I3e5bb96e905db480a2727038f80315d9544e9c07
This permission was created mostly for dumpstate (so it can include
recovery files on bugreports when an OTA fails), but it was applied to
uncrypt and recovery as well (since it had a wider access before).
Grant access to cache_recovery_file where we previously granted access
to cache_file. Add auditallow rules to determine if this is really
needed.
BUG: 25351711
Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
Access to /proc/cpuinfo was moved to domain_deprecated in commit
6e3506e1ba. Restore access to everyone.
Allow the shell user to stat() /dev, and vfsstat() /proc and other
labeled filesystems such as /system and /data.
Access to /proc/cpuinfo was explicitly granted to bootanim, but is no
longer required after moving it back to domain.te. Delete the redundant
entry.
Commit 4e2d22451f restored access to
/sys/devices/system/cpu for all domains, but forgot to remove the
redundant entry from bootanim.te. Cleanup the redundant entry.
Addresses the following denials:
avc: denied { getattr } for pid=23648 comm="bionic-unit-tes" name="/" dev="proc" ino=1 scontext=u:r:shell:s0 tcontext=u:object_r:proc:s0 tclass=filesystem permissive=0
avc: denied { read } for name="cpuinfo" dev="proc" ino=4026533615 scontext=u:r:shell:s0 tcontext=u:object_r:proc_cpuinfo:s0 tclass=file permissive=0
avc: denied { getattr } for pid=23713 comm="bionic-unit-tes" path="/dev" dev="tmpfs" ino=11405 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=0
avc: denied { getattr } for name="/" dev="mmcblk0p30" ino=2 scontext=u:r:shell:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0
Bug: 26295417
Change-Id: Ia85ac91cbd43235c0f8fe0aebafffb8046cc77ec
Don't allow access to the generic debugfs label. Instead, force
relabeling to a more specific type. system_server and dumpstate
are excluded from this until I have time to fix them.
Tighten up the neverallow rules for untrusted_app. It should never
be reading any file on /sys/kernel/debug, regardless of the label.
Change-Id: Ic7feff9ba3aca450f1e0b6f253f0b56c7918d0fa
Start labeling the directory /sys/kernel/debug/tracing. The files
in this directory need to be writable to the shell user.
Remove global debugfs:file write access. This was added in the days
before we could label individual debugfs files.
Change-Id: I79c1fcb63b4b9b903dcabd99b6b25e201fe540a3
Instead of allowing global read access to all properties,
only allow read access to the properties which are part of
core SELinux policy. Device-specific policies are no longer
readable by default and need to be granted in device-specific
policy.
Grant read-access to any property where the person has write
access. In most cases, anyone who wants to write a property
needs read access to that property.
Change-Id: I2bd24583067b79f31b3bb0940b4c07fc33d09918
Add initial support for labeling files on /sys/kernel/debug.
The kernel support was added in https://android-review.googlesource.com/122130
but the userspace portion of the change was never completed until now.
Start labeling the file /sys/kernel/debug/tracing/trace_marker . This
is the trace_marker file, which is written to by almost all processes
in Android. Allow global write access to this file.
This change should be submitted at the same time as the system/core
commit with the same Change-Id as this patch.
Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d
Properties are now broken up from a single /dev/__properties__ file into
multiple files, one per property label. This commit provides the
mechanism to control read access to each of these files and therefore
sets of properties.
This allows full access for all domains to each of these new property
files to match the current permissions of /dev/__properties__. Future
commits will restrict the access.
Bug: 21852512
Change-Id: Ie9e43968acc7ac3b88e354a0bdfac75b8a710094
The extra permissions are not needed. Delete them.
This change also adds read permission for /data/misc/zoneinfo
back to all domains. libc refernces this directory for timezone
related files, and it feels dangerous and of little value to
try to restrict access. In particular, this causes problems when the
shell user attempts to run "ls -la" to show file time stamps in
the correct timezone.
Bug: 25433265
Change-Id: I666bb460e440515151e3bf46fe2e0ac0e7c99f46
libselinux stats selinuxfs, as does every process that links against
libselinux such as toolbox. grant:
allow domain selinuxfs:filesystem getattr;
domain is already granted:
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:{ fifo_file file } rw_file_perms;
To make these possible, also grant:
allow domain proc:dir search;
Change-Id: Ife6cfa2124c9d61bf908ac89a8444676acdb4259
1) Don't use the generic "system_data_file" for the files in /data/nativetest.
Rather, ensure it has it's own special label. This allows us to distinguish
these files from other files in SELinux policy.
2) Allow the shell user to execute files from /data/nativetest, on
userdebug or eng builds only.
3) Add a neverallow rule (compile time assertion + CTS test) that nobody
is allowed to execute these files on user builds, and only the shell user
is allowed to execute these files on userdebug/eng builds.
Bug: 25340994
Change-Id: I3e292cdd1908f342699d6c52f8bbbe6065359413
1) Don't allow any SELinux domain to attempt to perform a text
relocation on a file from the /system partition. It's not supported
and should never be attempted.
2) Completely block any non-app SELinux domains from using text
relocations, regardless of the source.
Bug: 20013628
Change-Id: I82573398d0d5586264a717a1e400a3dbc7793fe3
Occasionally, files get labeled with the domain type rather
than the executable file type. This can work if the author
uses domain_auto_trans() versus init_daemon_domain(). This
will cause a lot of issues and is typically not what the
author intended.
Another case where exec on domain type might occur, is if
someone attempts to execute a /proc/pid file, this also
does not make sense.
To prevent this, we add a neverallow.
Change-Id: I39aff58c8f5a2f17bafcd2be33ed387199963b5f
Signed-off-by: William Roberts <william.c.roberts@intel.com>
To prevent assigning non property types to properties, introduce
a neverallow to prevent non property_type types from being set.
Change-Id: Iba9b5988fe0b6fca4a79ca1d467ec50539479fd5
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Simplify SELinux policy by deleting the procrank SELinux domain.
procrank only exists on userdebug/eng builds, and anyone wanting
to run procrank can just su to root.
Bug: 18342188
Change-Id: I71adc86a137c21f170d983e320ab55be79457c16
The update_engine daemon from Brillo is expected to be used also in
Android so move its selinux policy to AOSP.
Put update_engine in the whitelist (currently only has the recovery
there) allowing it to bypass the notallow for writing to partititions
labeled as system_block_device.
Also introduce the misc_block_device dev_type as update_engine in some
configurations may need to read/write the misc partition. Start
migrating uncrypt to use this instead of overly broad
block_device:blk_file access.
Bug: 23186405
Test: Manually tested with Brillo build.
Change-Id: Icf8cdb4133d4bbdf14bacc6c0fa7418810ac307a
vold hasn't use the generic "block_device" label since
commit 273d7ea4ca (Sept 2014), and
the auditallow statement in vold hasn't triggered since that time.
Remove the rule which allows vold access to the generic block_device
label, and remove the vold exception.
Thanks to jorgelo for reminding me about this.
Change-Id: Idd6cdc20f5be9a40c5c8f6d43bbf902a475ba1c9
For userdebug and eng builds enforce that:
- only logd and shell domains may access logd files
- logd is only allowed to write to /data/misc/logd
Change-Id: Ie909cf701fc57109257aa13bbf05236d1777669a
