There are many character files that are unreachable to all processes
under selinux policies. Ueventd and init were the only two domains that
had access to these generic character files, but auditing proved there
was no use for that access. In light of this, access is being completely
revoked so that the device nodes can be removed, and a neverallow is
being audited to prevent future regressions.
Test: The device boots
Bug: 33347297
Change-Id: If050693e5e5a65533f3d909382e40f9c6b85f61c
Since it was introduced it caused quite a few issues and it spams the
SElinux logs unnecessary.
The end goal of the audit was to whitelist the access to the
interpreter. However that's unfeasible for now given the complexity.
Test: devices boots and everything works as expected
no more auditallow logs
Bug: 29795519
Bug: 32871170
Change-Id: I9a7a65835e1e1d3f81be635bed2a3acf75a264f6
The event log tag service uses /dev/event-log-tags, pstore and
/data/misc/logd/event-log-tags as sticky storage for the invented
log tags.
Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests
Bug: 31456426
Change-Id: Iacc8f36f4a716d4da8dca78a4a54600ad2a288dd
Create an event_log_tags_file label and use it for
/dev/event-log-tags. Only trusted system log readers are allowed
direct read access to this file, no write access. Untrusted domain
requests lack direct access, and are thus checked for credentials via
the "plan b" long path socket to the event log tag service.
Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests
Bug: 31456426
Bug: 30566487
Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
This adds the premissions required for
android.hardware.keymaster@2.0-service to access the keymaster TA
as well as for keystore and vold to lookup and use
android.hardware.keymaster@2.0-service.
IT DOES NOT remove the privileges from keystore and vold to access
the keymaster TA directly.
Test: Run keystore CTS tests
Bug: 32020919
(cherry picked from commit 5090d6f324)
Change-Id: Ib02682da26e2dbcabd81bc23169f9bd0e832eb19
HAL clients should not be annotated with hal_x and haldomain. This may
grant them too much access. Instead, the policy needed for using
in-process HALs should be directly embedded into the client's domain
rules.
Test: Boot sailfish, adjust screen brightness from the system UI, no
SELinux denials for system_server to do with sysfs_leds.
Bug: 34715716
Change-Id: Iccb4224d770583e3c38930e8562723d57d283077
This leaves only the existence of webview_zygote domain and its
executable's webview_zygote_exec file label as public API. All other
rules are implementation details of this domain's policy and are thus
now private.
Test: Device boots, with Multiproces WebView developer setting
enabled, apps with WebView work fine. No new denials.
Bug: 31364497
Change-Id: I179476c43a50863ee3b327fc5155847d992a040d
Bug: 31015010
cherry-pick from b6e4d4bdf1
Test: checked for selinux denial msgs in the dmesg logs.
Change-Id: I8285ea05162ea0d75459e873e5c2bad2dbc7e5ba
Dumpstate needs the hwbinder_use permission in order to talk to hardware
services.
Bug: 34709307
Test: no denials submitting bugreport
Change-Id: Ic51da5371cd346c0fa9fb3881a47adaf53c93566
This leaves only the existence of zygote domain and its
executable's zygote_exec file label as public API. All other rules are
implementation details of this domain's policy and are thus now
private.
Test: Device boot, apps (untrusted_app, system_app, platform_app,
priv_app) work fine. No new denials.
Bug: 31364497
Change-Id: Ie37128531be841b89ecd602992d83d77e26533bc
This leaves only the existence of appdomain attribute as public API.
All other rules are implementation details of this attribute's policy
and are thus now private.
Test: Device boot, apps (untrusted_app, system_app, platform_app,
priv_app) work fine. No new denials.
Bug: 31364497
Change-Id: Ie22e35bad3307bb9918318c3d034f1433d51677f
HAL clients should not be annotated with hal_x and haldomain. This may
grant them too much access. Instead, the policy needed for using
in-process HALs should be directly embedded into the client's domain
rules.
This partially reverts the moving of rules out of gatekeeperd in
commit a9ce208680.
Test: Set up PIN-protected secure lock screen, unlock screen, reboot,
unlock. No SELinux denials in gatekeeperd or hal_gatekeeper*.
Bug: 34715716
Change-Id: If87c865461580ff861e7e228a96d315d319e1765
- Added set_prop to shell so that you can set it from shell.
- Added set_prop to sytem_app so that it can be updated in settings.
Bug: 34256441
Test: can update prop from Settings and shell. nfc and lights work with
ag/1833821 with persist.hal.binderization set to on and off. There are
no additional selinux denials.
Change-Id: I883ca489093c1d56b2efa725c58e6e3f3b81c3aa
Introduce the add_service() macro which wraps up add/find
permissions for the source domain with a neverallow preventing
others from adding it. Only a particular domain should
add a particular service.
Use the add_service() macro to automatically add a neverallow
that prevents other domains from adding the service.
mediadrmserver was adding services labeled mediaserver_service.
Drop the add permission as it should just need the find
permission.
Additionally, the macro adds the { add find } permission which
causes some existing neverallow's to assert. Adjust those
neverallow's so "self" can always find.
Test: compile and run on hikey and emulator. No new denials were
found, and all services, where applicable, seem to be running OK.
Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
HAL clients should not be annotated with hal_x and haldomain. This may
grant them too much access. Instead, the policy needed for using
in-process HALs should be directly embedded into the client's domain
rules.
This reverts the moving of rules out of mediadrmserver in commit
c86f42b9a7.
Test: YouTube videos play back, no mediadrmserver denials
Bug: 34715716
Bug: 32815560
Change-Id: Ib57ef880bcc306c6e01f2c24c0f3a4298598eb9a
reflect the change from "mediaanalytics" to "mediametrics"
Also incorporates a broader access to the service -- e.g. anyone.
This reflects that a number of metrics submissions come from application
space and not only from our controlled, trusted media related processes.
The metrics service (in another commit) checks on the source of any
incoming metrics data and limits what is allowed from unprivileged
clients.
Bug: 34615027
Test: clean build, service running and accessible
Change-Id: I657c343ea1faed536c3ee1940f1e7a178e813a42
This CLs adds SElinux policies necessary to compile secondary dex files.
When an app loads secondary dex files via the base class loader the
files will get reported to PM. During maintance mode PM will compile the
secondary dex files which were used via the standard installd model
(fork, exec, change uid and lower capabilities).
What is needed:
dexoptanalyzer - needs to read the dex file and the boot image in order
to decide if we need to actually comppile.
dex2oat - needs to be able to create *.oat files next to the secondary
dex files.
Test: devices boots
compilation of secondary dex files works without selinux denials
cmd package compile --secondary-dex -f -m speed
com.google.android.gms
Bug: 32871170
Change-Id: I038955b5bc9a72d49f6c24c1cb76276e0f53dc45
Allow update_verifier to load the boot_control_hal in passthrough mode.
Test: update_verifier works, no denials
Bug: 34656553
Change-Id: I5c20ce67c8f1fd195f2429dae497221514ed95a8
system_server needs the permissions to open the lights hal in the same
process.
Bug: 34634317
Test: can change brightness on marlin (tested on internal master)
Change-Id: I11fe59b4ab32e13d6dad246f4e6c56951e051181
This neverallow addition addresses the renaming of files in exploits in
order to bypass denied permissions. An example of a similar use case of
using mv to bypass permission denials appeared in a recent project zero
ChromeOS exploit as one of the steps in the exploit chain.
https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
Additionally, vold and init both had permission sets that allowed them
to rename, but neither of them seem to need it. Therefore the rename
permission has also been removed from these two .te files.
Test: The device boots successfully
Change-Id: I07bbb58f058bf050f269b083e836c2c9a5bbad80
auditallow this until we track down where the file is opened without
O_APPEND.
01-23 08:02:12.272 555 555 W tombstoned: type=1400 audit(0.0:11480): avc: denied { write } for path="/data/anr/traces.txt" dev="sda35" ino=4669445 scontext=u:r:tombstoned:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file permissive=0
Bug: http://b/34193533
Test: mma
Change-Id: I77b854dce06231232004432839ebd5aa963ef035
In order to dump hardware services using dumpsys, dumpsys needs to be
able to talk to the hwservicemanager.
Bug: 33382892
Test: dumpsys --hw works from unrooted shell
Change-Id: I31f0982193991428da465507f93d50646cb38726
In my commit f41d89eb24 I forgot to
switch rild and gatekeeperd rules from explicitly associating these
domains with the hal_telephony and hal_gatekeeper to using the
hal_impl_domain macro. As a result, the recent commit
a25192262b inadvertently revoked
HwBinder access from rild and gatekeeperd.
This commit fixes the issue by switching rild and gatekeeperd to the
hal_impl_domain macro.
Test: "sepolicy-analyze out/target/product/bullhead/root/sepolicy attribute haldomain"
now lists rild and gatekeeperd
Test: "sepolicy-analyze out/target/product/bullhead/root/sepolicy attribute hal_telephony"
still lists rild
Test: "sepolicy-analyze out/target/product/bullhead/root/sepolicy attribute hal_gatekeeper"
still lists gatekeeperd
Bug: 34180936
Bug: 34470443
Change-Id: I7949556f58c36811205d5ea3ee78ea5708e95b45
