Commit graph

242 commits

Author SHA1 Message Date
Treehugger Robot
34ab219f3f Merge "Bluetooth hal: move to vendor partition." 2017-02-28 04:00:58 +00:00
Steven Moreland
ba1c5831fd Bluetooth hal: move to vendor partition.
Bug: 35328775
Test: works in both binderized and passthrough modes
Merged-In: I1f827b4983e5e67c516e4488ad3497dd62db7e20
Change-Id: I1f827b4983e5e67c516e4488ad3497dd62db7e20
2017-02-28 01:35:11 +00:00
Jin Qian
d3a11613c3 storaged: remove rules no longer necessary
Test: adb shell dumpsys storaged --force
Bug: 35323867
Change-Id: I6944ca357875a24465054d3891a00dbcd67495cf
2017-02-27 22:40:34 +00:00
Chia-I Wu
8585788d9f Allow adbd to use graphics fds
Bug: 35708449
Test: AS screen capture
Change-Id: I53f1604e1ee9c9b32c6932f1b8944708f5012e5f
2017-02-24 09:07:27 -08:00
Treehugger Robot
d1f579d5d6 Merge "Restrict /proc/sys/vm/mmap_rnd_bits" 2017-02-24 01:51:55 +00:00
Treehugger Robot
066bc07e4d Merge "Move rild to vendor partition." 2017-02-24 01:47:15 +00:00
mukesh agrawal
723364f136 allow WifiService to use tracing on user builds
Previously, we'd restricted WifiService's use of
the kernel's tracing feature to just userdebug_or_eng
builds.

This restriction was in place because the feature
had not yet been reviewed from a privacy perspective.
Now that the feature has passed privacy review, enable
the feature on all builds.

Note that other safeguards remain in place (on all
builds):
- The set of events to be monitored is configured by
  init, rather than WifiService (part of system_server).
  This privilege separation prevents a compromised
  system_server from tracing additional information.
- The trace events are kept only in RAM, until/unless
  WifiService receives a dump request. (This would happen,
  for example, in the case of adb dumpsys, or generating
  a bugreport.)

Bug: 35679234
Test: manual (see below)

Manual test details:
- flash device
- connect device to a wifi network
$ adb shell dumpsys wifi | grep rdev_connect
  [should see at least one matching line]

Change-Id: I85070054857d75177d0bcdeb9b2c95bfd7e3b6bc
2017-02-23 17:42:48 -08:00
Amit Mahajan
f7bed71a21 Move rild to vendor partition.
Test: Basic telephony sanity
Bug: 35672432
Change-Id: I7d17cc7efda9902013c21d508cefc77baccc06a8
2017-02-23 16:20:07 -08:00
Luis Hector Chavez
64a0503831 Restrict /proc/sys/vm/mmap_rnd_bits
Label /proc/sys/vm/mmap_rnd_bits so it is only readable and writable by
init. This also tightens the neverallow restrictions for proc_security.

Bug: 33563834
Test: run cts -m CtsPermissionTestCases -t \
      android.permission.cts.FileSystemPermissionTest#testProcfsMmapRndBitsExistsAndSane

Change-Id: Ie7af39ddbf23806d4ffa35e7b19d30fec7b6d410
2017-02-23 15:22:06 -08:00
Jeff Vander Stoep
ebbbe6dd36 app: remove logspam on ion ioctls
Apps definitely need access to ion ioctls. Remove audit statement.

Test: build marlin
Bug: 35715385
Change-Id: I777d3e9a88065a5f711315a7da6d63587744b408
2017-02-23 15:08:13 -08:00
Alex Klyubin
0aca0241dd Merge "Switch Wi-Fi HAL policy to _client/_server" 2017-02-23 00:55:10 +00:00
Alex Klyubin
1d2a1476ae Switch Wi-Fi HAL policy to _client/_server
This switches Wi-Fi HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Wi-Fi HAL.

Domains which are clients of Wi-Fi HAL, such as system_server domain,
are granted rules targeting hal_wifi only when the Wi-Fi HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with clients
talking to the HAL over HwBinder IPC), rules targeting hal_wifi are
not granted to client domains.

Domains which offer a binderized implementation of Wi-Fi HAL, such as
hal_wifi_default domain, are always granted rules targeting hal_wifi.

Test: Setup Wizard (incl. adding a Google Account) completes fine with
      Wi-Fi connectivity only
Test: Toggle Wi-Fi off, on, off, on
Test: Use System UI to see list of WLANs and connect to one which does
      not require a password, and to one which requries a PSK
Test: ip6.me loads fine in Chrome over Wi-Fi
Bug: 34170079

Change-Id: I7a216a06727c88b7f2c23d529f67307e83bed17f
2017-02-22 15:12:19 -08:00
Treehugger Robot
5a2de627c9 Merge "Add service 'overlay' to service_contexts" 2017-02-22 23:08:51 +00:00
Myles Watson
20b8d6b9a6 Allow the Bluetooth HAL to toggle rfkill
Bug: 35657600
Test: user build of Marlin starts with BT
Change-Id: Ic2380da66467b9b1c385da7d7fa10fddf4c7fae1
2017-02-22 20:12:16 +00:00
Mårten Kongstad
e096e5f54a Add service 'overlay' to service_contexts
The 'overlay' service is the Overlay Manager Service, which tracks
packages and their Runtime Resource Overlay overlay packages.

Change-Id: I897dea6a32c653d31be88a7b3fc56ee4538cf178
Co-authored-by: Martin Wallgren <martin.wallgren@sonymobile.com>
Signed-off-by: Zoran Jovanovic <zoran.jovanovic@sonymobile.com>
Bug: 31052947
Test: boot the Android framework
2017-02-22 11:28:15 -08:00
Treehugger Robot
2f34839207 Merge "Allow all untrusted_apps to create ptys" 2017-02-22 19:15:46 +00:00
Jeff Vander Stoep
d152425133 Allow all untrusted_apps to create ptys
Bug: 35632346
Test: build and boot aosp_marlin
Change-Id: Ia2d019b0160e9b512f3e3a70ded70504fe4fea0c
2017-02-21 22:17:16 -08:00
Treehugger Robot
313dfe7dcf Merge "Switch Fingerprint HAL policy to _client/_server" 2017-02-22 04:08:31 +00:00
Chad Brubaker
0b1e965f88 Merge "Add new untrusted_v2_app domain" 2017-02-22 00:12:53 +00:00
Alex Klyubin
f98650e4ab Switch Fingerprint HAL policy to _client/_server
This switches Fingerprint HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Bluetooth HAL.

Domains which are clients of Fingerprint HAL, such as system_server
domain, are granted rules targeting hal_fingerprint only when the
Fingerprint HAL runs in passthrough mode (i.e., inside the client's
process). When the HAL runs in binderized mode (i.e., in another
process/domain, with clients talking to the HAL over HwBinder IPC),
rules targeting hal_fingerprint are not granted to client domains.

Domains which offer a binderized implementation of Fingerprint HAL,
such as hal_fingerprint_default domain, are always granted rules
targeting hal_fingerprint.

NOTE: This commit also removes unnecessary allow rules from
Fingerprint HAL, such access to servicemanager (not hwservicemanager)
and access to keystore daemon over Binder IPC. Fingerprint HAL does
not use this functionality anyway and shouldn't use it either.

Test: Enable fingerprint + PIN secure lock screen, confirm it unlocks
      with fingerprint or PIN
Test: Disable PIN (and thus fingerprint) secure lock screen
Test: make FingerprintDialog, install, make a fake purchase
Test: Add fingerprint_hidl_hal_test to device.mk, build & add to device,
      adb shell stop,
      adb shell /data/nativetest64/fingerprint_hidl_hal_test/fingerprint_hidl_hal_test -- all tests pass
Bug: 34170079

Change-Id: I6951c0f0640194c743ff7049357c77f5f21b71a1
2017-02-21 16:11:25 -08:00
Chad Brubaker
a782a81627 Add new untrusted_v2_app domain
untrusted_v2_app is basically a refinement of untrusted_app with legacy
capabilities removed and potentially backwards incompatible changes.

This is not currently hooked up to anything.

Bug: 33350220
Test: builds
Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-21 12:39:55 -08:00
Alex Klyubin
6b28742a49 Merge "Switch DRM HAL policy to _client/_server" 2017-02-21 16:36:17 +00:00
Treehugger Robot
eebb73b517 Merge "android.hidl.memory -> android.hidl.allocator" 2017-02-18 01:49:07 +00:00
Alex Klyubin
9b718c409f Switch DRM HAL policy to _client/_server
This switches DRM HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of DRM HAL.

Domains which are clients of DRM HAL, such as mediadrmserver domain,
are granted rules targeting hal_drm only when the DRM HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting hal_drm
are not granted to client domains.

Domains which offer a binderized implementation of DRM HAL, such as
hal_drm_default domain, are always granted rules targeting hal_drm.

Test: Play movie using Google Play Movies
Test: Play movie using Netflix
Bug: 34170079
Change-Id: I3ab0e84818ccd61e54b90f7ade3509b7dbf86fb9
2017-02-17 15:36:41 -08:00
Alex Klyubin
bd86739682 Merge "Switch Bluetooth HAL policy to _client/_server" 2017-02-17 22:44:47 +00:00
Nick Kralevich
38c12828da Add documentation on neverallow rules
Better document the reasons behind the neverallow for tcp/udp sockets.

Test: policy compiles.
Change-Id: Iee386af3be6fc7495addc9300b5628d0fe61c8e9
2017-02-17 22:37:23 +00:00
Steven Moreland
33fb0a989b android.hidl.memory -> android.hidl.allocator
Test: hidl_test, device boots with allocator
Bug: 35327976

Merged-In: I6232a2823ff16058c70f173ec2332772048563f4
Change-Id: I6232a2823ff16058c70f173ec2332772048563f4
2017-02-17 20:48:09 +00:00
Alex Klyubin
168435fe03 Switch Bluetooth HAL policy to _client/_server
This switches Bluetooth HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Bluetooth HAL.

Domains which are clients of Bluetooth HAL, such as bluetooth domain,
are granted rules targeting hal_bluetooth only when the Bluetooth HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bluetooth are not granted to client domains.

Domains which offer a binderized implementation of Bluetooth HAL, such
as hal_bluetooth_default domain, are always granted rules targeting
hal_bluetooth.

Test: Toggle Bluetooth off and on
Test: Pair with another Android, and transfer a file to that Android
      over Bluetooth
Test: Pair with a Bluetooth speaker, play music through that
      speaker over Bluetooth
Test: Add bluetooth_hidl_hal_test to device.mk, build & add to device,
      adb shell stop,
      adb shell /data/nativetest64/bluetooth_hidl_hal_test/bluetooth_hidl_hal_test
Bug: 34170079
Change-Id: I05c3ccf1e98cbbc1450a81bb1000c4fb75eb8a83
2017-02-17 11:32:00 -08:00
Josh Gao
cce8513c40 Merge changes from topic 'crash_dump_append'
* changes:
  crash_dump: allow appending to pipes.
  Revert "crash_dump: temporarily make permissive."
2017-02-16 22:43:59 +00:00
Nick Kralevich
929da014e6 Label /proc/config.gz
Add a label to /proc/config.gz, so we can distinguish this file from
other /proc files in security policy.

For now, only init is allowed read access. All others are denied.
TODO: clarify exactly who needs access. Further access will be granted
in a future commit.

Bug: 35126415
Test: policy compiles and no device boot problems.
Change-Id: I8b480890495ce5b8aa3f8c7eb00e14159f177860
2017-02-16 12:07:01 -08:00
Nick Kralevich
d419ed8fb7 Remove crash_dump from sys_ptrace neverallow exception
CAP_SYS_PTRACE is no longer used by crash_dump. There's no reason to
exclude it from the neverallow compile time assertion.

Test: policy compiles.
Change-Id: Ib2dced19091406553c16e6ce538cfb68bbc1e5aa
2017-02-16 09:17:35 -08:00
Treehugger Robot
ca5b535119 Merge "Use _client and _server for Audio HAL policy" 2017-02-16 03:28:05 +00:00
Eino-Ville Talvala
6d9be83119 System server: Allow get/setsched to hal_camera domain.
Much like audio, the camera HAL may need to have key threads running
in SCHED_FIFO or similar priority.  Allow system_server to raise
thread priority for camera HALs to make this possible.

Test: Video recording works, with EIS. No logspam about EIS failure.
Bug: 35389145
Change-Id: I1d92f9f10dc3aff22ce56b8b9cc57db043631919
2017-02-15 14:13:13 -08:00
Alex Klyubin
ac2b4cd2cb Use _client and _server for Audio HAL policy
This starts the switch for HAL policy to the approach where:
* domains which are clients of Foo HAL are associated with
  hal_foo_client attribute,
* domains which offer the Foo HAL service over HwBinder are
  associated with hal_foo_server attribute,
* policy needed by the implementation of Foo HAL service is written
  against the hal_foo attribute. This policy is granted to domains
  which offer the Foo HAL service over HwBinder and, if Foo HAL runs
  in the so-called passthrough mode (inside the process of each
  client), also granted to all domains which are clients of Foo HAL.
  hal_foo is there to avoid duplicating the rules for hal_foo_client
  and hal_foo_server to cover the passthrough/in-process Foo HAL and
  binderized/out-of-process Foo HAL cases.

A benefit of associating all domains which are clients of Foo HAL with
hal_foo (when Foo HAL is in passthrough mode) is that this removes the
need for device-specific policy to be able to reference these domains
directly (in order to add device-specific allow rules). Instead,
device-specific policy only needs to reference hal_foo and should no
longer need to care which particular domains on the device are clients
of Foo HAL. This can be seen in simplification of the rules for
audioserver domain which is a client of Audio HAL whose policy is
being restructured in this commit.

This commit uses Audio HAL as an example to illustrate the approach.
Once this commit lands, other HALs will also be switched to this
approach.

Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
      successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20
2017-02-15 13:32:14 -08:00
Alex Klyubin
ac1a6d440c Move hal_*_default policy to vendor image
hal_*_default daemons whose policy is in common/device-agnostic policy
are provided by the vendor image (see vendor/file_contexts). Thus,
their policy should also reside in the vendor image, rather than in
the system image. This means their policy should live in the vendor
subdirectory of this project.

Test: Device boots and appears to work
Bug: 34135607
Bug: 34170079
Change-Id: I6613e43733e03d4a3d4726f849732d903e024016
2017-02-14 18:35:50 -08:00
Josh Gao
3067af1436 Revert "crash_dump: temporarily make permissive."
This reverts commit 9cfe34b5ee.

Bug: http://b/34978531
Change-Id: I0702641c48fad273f16fa1a5f0e4483dfe408c05
2017-02-14 16:13:30 -08:00
Treehugger Robot
fb6783391e Merge changes from topic 'selinux-targetSdkVersion'
* changes:
  untrusted_app: policy versioning based on targetSdkVersion
  Add minTargetSdkVersion input selector to seapp_contexts
2017-02-14 23:42:59 +00:00
Jeff Vander Stoep
bacb6d7936 untrusted_app: policy versioning based on targetSdkVersion
Motivation:
Provide the ability to phase in new security policies by
applying them to apps with a minimum targetSdkVersion.

Place untrusted apps with targetSdkVersion<=25 into the
untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed
into the untrusted_app domain. Common rules are included in the
untrusted_app_all attribute. Apps with a more recent targetSdkVersion
are granted fewer permissions.

Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25
run in untrusted_app_25 domain. Apps targeting the current development
build >=26 run in the untrusted_app domain with fewer permissions. No
new denials observed during testing.
Bug: 34115651
Bug: 35323421
Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083
2017-02-14 13:30:12 -08:00
Michael Peck
f54b3622c7 Add minTargetSdkVersion input selector to seapp_contexts
This new input selector allows phasing in new security policies by
giving app developers an opportunity to make any needed compatibility
changes before updating each app's targetSdkVersion.

When all else is equal, matching entries with higher
minTargetSdkVersion= values are preferred over entries with lower
minTargetSdkVersion= values.

Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25
run in untrusted_app_25 domain. Apps targeting the current development
build >=26 run in the untrusted_app domain with fewer permissions. No
new denials observed during testing.
Bug: 34115651
Change-Id: I14bf4f51dbe26cb9bd3f62ad0b281085441d9806
2017-02-14 13:03:12 -08:00
Steven Moreland
d734f151a7 Merge "Move hals to vendor partition." 2017-02-14 01:10:14 +00:00
Treehugger Robot
ff5784f3c8 Merge "Remove selinux denial" 2017-02-14 00:30:02 +00:00
Pawin Vongmasa
5b4f15e1de Merge "Sepolicy for OMX hal." 2017-02-14 00:28:23 +00:00
Steven Moreland
aa11b6a9c7 Move hals to vendor partition.
Bug: 34135607
Test: hals work

Merged-In: I6a1f87438bb5b540fce900e9ec5df07d3f4f6bd4
Change-Id: I6a1f87438bb5b540fce900e9ec5df07d3f4f6bd4
2017-02-13 23:14:13 +00:00
Paul Lawrence
e9cb76381c Remove selinux denial
Don't audit directory writes to sysfs since they cannot succees
and therefore cannot be a security issue

Bug: 35303861
Test: Make sure denial is no longer shown
Change-Id: I1f31d35aa01e28e3eb7371b1a75fc4090ea40464
2017-02-13 08:51:33 -08:00
Nick Kralevich
4cae28d43c tracefs: avoid overly generic regexes
On boot, Android runs restorecon on a number of virtual directories,
such as /sys and /sys/kernel/debug, to ensure that the SELinux labels
are correct. To avoid causing excessive boot time delays, the restorecon
code aggressively prunes directories, to avoid recursing down directory
trees which will never have a matching SELinux label.

See:
* https://android-review.googlesource.com/93401
* https://android-review.googlesource.com/109103

The key to this optimization is avoiding unnecessarily broad regular
expressions in file_contexts. If an overly broad regex exists, the tree
pruning code is ineffective, and the restorecon ends up visiting lots of
unnecessary directories.

The directory /sys/kernel/debug/tracing contains approximately 4500
files normally, and on debuggable builds, this number can jump to over
9000 files when the processing from wifi-events.rc occurs. For
comparison, the entire /sys/kernel/debug tree (excluding
/sys/kernel/debug/tracing) only contains approximately 8000 files. The
regular expression "/sys/kernel(/debug)?/tracing/(.*)?" ends up matching
a significant number of files, which impacts boot performance.

Instead of using an overly broad regex, refine the regex so only the
files needed have an entry in file_contexts. This list of files is
essentially a duplicate of the entries in
frameworks/native/cmds/atrace/atrace.rc .

This change reduces the restorecon_recursive call for /sys/kernel/debug
from approximately 260ms to 40ms, a boot time reduction of approximately
220ms.

Bug: 35248779
Test: device boots, no SELinux denials, faster boot.
Change-Id: I70f8af102762ec0180546b05fcf014c097135f3e
2017-02-12 08:40:32 -08:00
Nick Kralevich
6ebcfe478d Don't try to relabel tracing directory
Use the default filesystem label from genfs_contexts for the directory
/sys/kernel/debug/tracing and /sys/kernel/tracing, instead of explicitly
attempting to relabel it.

There are three cases we need to consider:

1) Old-style tracing functionality is on debugfs
2) tracing functionality is on tracefs, but mounted under debugfs
3) tracefs is mounted at /sys/kernel/tracing

For #1, the label on /sys/kernel/debug/tracing will be debugfs, and all
processes are allowed debugfs:dir search, so having the label be debugfs
instead of debugfs_tracing will not result in any permission change.

For #2, the label on /sys/kernel/debug/tracing will be debugfs_tracing,
which is the same as it is today. The empty directory
/sys/kernel/tracing wlll retain the sysfs label, avoiding the denial
below.

For #3, /sys/kernel/debug/tracing won't exist, and /sys/kernel/tracing
will have the debugfs_tracing label, where processes are allowed search
access.

Addresses the following denial:

avc:  denied  { associate } for  pid=1 comm="init" name="tracing"
dev="sysfs" ino=95 scontext=u:object_r:debugfs_tracing:s0
tcontext=u:object_r:sysfs:s0 tclass=filesystem permissive=0

Bug: 31856701
Bug: 35197529
Test: no denials on boot
Change-Id: I7233ea92c6987b8edfce9c2f1d77eb25c7df820f
2017-02-11 09:44:36 -08:00
Pawin Vongmasa
5559d21aa5 Sepolicy for OMX hal.
Bug: 31399200
Test: Compiles
Change-Id: Ifb347a985df5deb85426a54c435c4a9c0248cb57
2017-02-11 00:12:00 -08:00
Treehugger Robot
3651bae67b Merge "Allow untrusted apps to access VrManager." 2017-02-11 04:30:42 +00:00
Craig Donner
9051eaf3f1 Allow untrusted apps to access VrManager.
There is only a single systemapi at the moment that is callable, and it is
protected by a signature/preinstalled permission.

(cherry picked from commit I778864afc9d02f8b2bfcf6b92a9f975ee87c4724)

Bug: 35059826,33297721
Test: manually on a marlin
Change-Id: I3789ce8238f5a52ead8f466dfa3045fbcef1958e
2017-02-10 16:30:31 -08:00
Treehugger Robot
e6ff034ae4 Merge "surfaceflinger: grant access to vr_manager_service" 2017-02-10 23:43:47 +00:00