Commit graph

17142 commits

Author SHA1 Message Date
Tri Vo
35650d50a1 Separate product_mac_permissions.xml out of system sepolicy.
Bug: 119305624
Test: normal/recovery boot aosp_taimen

Change-Id: I46da995886ce421bb87e741d577f659426ff79c4
2019-01-08 09:49:30 -08:00
Tri Vo
6ac0896b90 Separate product_service_contexts out of system sepolicy.
Bug: 119305624
Test: normal/recovery boot aosp_taimen
Change-Id: I15aa275fa658b58f5a5d3e651d164f9fcd87c0af
2019-01-08 09:49:30 -08:00
Tri Vo
3507678d2e Separate product_seapp_contexts out of system sepolicy.
Bug: 119305624
Test: normal/recovery boot aosp_taimen
Change-Id: Ia8d69be16011db8dd63fa41672449a4ade7302c2
2019-01-08 09:49:30 -08:00
Tri Vo
5da7200510 Separate product_property_contexts out of system sepolicy.
Bug: 119305624
Test: normal/recovery boot aosp_taimen
Change-Id: Ib7a29a9f8f23dd917cc25c23c7612f9e4ae36ea0
2019-01-08 09:49:30 -08:00
Tri Vo
ade741635f Separate product_hwservice_contexts out of system sepolicy.
Bug: 119305624
Test: normal/recovery boot aosp_taimen
Change-Id: I1009745686acd51563378dac56e857be0d60e794
2019-01-08 09:49:30 -08:00
Treehugger Robot
edbe51215e Merge "Allow dumpstate to read some directories." 2019-01-08 15:21:06 +00:00
Narayan Kamath
9f343b32be Allow system_server to read apex_data_file.
For consistency with APKs, signature verification is performed
in the system_server. This includes checking that the signature of
an updated install matches the signature of the active package that
it updates. For this, it requires search access to /data/apex and
read access to the files under that directory.

Test: m
Change-Id: Ia073adb8892886e4767fa5529e95c110b9cbff1b
2019-01-08 11:55:01 +00:00
Dario Freni
4d399f606f Merge "SEPolicy for Staged Installs." 2019-01-08 09:55:18 +00:00
Treehugger Robot
58b2f2b86d Merge "Add Adam to OWNERS." 2019-01-08 04:41:12 +00:00
Treehugger Robot
ec5a6ce810 Merge "Label the dynamic linker in the runtime APEX correctly" 2019-01-08 00:20:29 +00:00
Dario Freni
274c1ded4d SEPolicy for Staged Installs.
Test: basic workflow between apexd and PackageManager tested with
changes being developed.
Bug: 118865310
Change-Id: I1ae866f33e9b22493585e108c4fd45400493c7ac
2019-01-07 22:36:28 +00:00
Joel Galenson
886ba9c9ff Allow dumpstate to read some directories.
This prevents denials while taking a bugreport.

Bug: 116711254
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t
android.security.cts.SELinuxHostTest#testNoBugreportDenials

Change-Id: I64f441eb66c355d03eaf7755f2e9d3e970305ecd
2019-01-07 12:45:56 -08:00
Treehugger Robot
34bd20fbdd Merge "Un-revert "Audit execution of app_data_file native code."" 2019-01-07 20:24:43 +00:00
Tri Vo
f1f1b4f063 Merge "sepolicy: Improve treble test error message." 2019-01-07 19:36:55 +00:00
Alex Buynytskyy
007586d92d Allow adbd to use a socket transferred from shell.
Used for e.g. abb.

Test: Build, flash and boot, use `adb abb` to verify

Change-Id: I4ad75498819edbcc0303f66420a58d06788ab5fb
2019-01-07 15:45:50 +00:00
Alan Stokes
c6cbeadb21 Un-revert "Audit execution of app_data_file native code."
This was originally implemented in commit
890414725f and reverted in commit
fa3eb773ce. This effectively reverts the
revert, with minimal changes to cope with the subsequent reversion of
commit b362474374.

Auditing is only enabled for apps targeting API <= 28.

Test: Compiles, audit messages are seen.
Bug: 121333210
Bug: 111338677
Change-Id: Ie38498a2b61f4b567902117f9ef293faa0e689dd
2019-01-07 14:08:11 +00:00
Tri Vo
1451938da0 sepolicy: Improve treble test error message.
Bug: 120080521
Test: removing a mapped type in the mapping file triggers new error
message
Change-Id: I04b21da7206777af8c281a843bd39ea5c4f0863a
2019-01-06 18:18:32 -08:00
Jiyong Park
048e136653 Label the dynamic linker in the runtime APEX correctly
e2bc9fe9d5ac82457bc6050bf705ff43a1b05cbf in platform/art project added
the dynamic linker to the runtime APEX. Since the dynamic linker has
been labeled as 'system_linker_exec', so is the linker in the APEX.

Bug: 120266448
Test: ls -Z /apex/com.android.runtime/bin/linker
u:object_r:system_linker_exec:s0 /apex/com.android.runtime/bin/linker

Change-Id: I243b86a74d94058b3283830c32232c6584639ff3
2019-01-04 01:19:44 +09:00
Joel Galenson
f0264fe2e9 Allow dumpstate to read sysfs_loop files.
This prevents denials while taking a bugreport.

Bug: 116711254
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t
android.security.cts.SELinuxHostTest#testNoBugreportDenials

Change-Id: Ie190bfa62cf5aa172ebfff8bfd82dea2a7d1a016
2019-01-02 09:23:45 -08:00
Justin Yun
df9d783276 sepolicy for vendor overlay
Make /(product|system/product)/vendor_overlay/<ver> have the vendor
file context.

If vendor_overlay requires to mount on the vendor directories other
than 'vendor_file', the contexts must be defined in the device
specific sepolicy files.

Bug: 119076200
Test: build and check if the files are overridden and have the required
sepolicy contexts.

Change-Id: I69ed38d4ea8e7d89f56865b1ca1e26f290e9892d
2018-12-30 00:48:25 +00:00
Zachary Iqbal
893272d883 Added placeholder SELinux policy for the biometric face HAL.
Notes:
- Added face hal domain, context and file types for the default
  SELinux policy.
- Please see aosp/q/topic:"Face+Authentication"

Bug: 80155388
Test: Built successfully.
Change-Id: I2e02cf6df009c5ca476dfd842b493c6b76b7712a
2018-12-28 12:23:56 -08:00
Dario Freni
ca86169422 Revert "Add StagingManager service."
This reverts commit 9eb3b8ffdf.

Reason for revert: We are deciding for now not to make StagingManager a fully-fledged binder service, as it will only be accessed by PackageInstaller. We might re-evaluate this decision later if needed.

Bug: 122072686
Change-Id: Ic2a53fc92ddd7d7eeccc6a4a0117f28724346ec7
2018-12-28 12:50:49 +00:00
Dario Freni
9eb3b8ffdf Add StagingManager service.
Adding a new high-level service which will handle staged installs, i.e.
installs that require a reboot.

Bug: 118865310
Test: An initial implementation of StagingManager can be reached
successfully by PackageManagerService and PackageInstallerService.
Change-Id: I8859b463575f8ee85caae43570958347b82f967e
2018-12-27 16:13:24 +00:00
Michael Groover
09c86730b5 Merge "Add selinux policy for new SensorPrivacyService"
Test: manually verified SensorPrivacyService is accessible
Bug: 110842805
Merged-In: Idd215f338f2da0dab4898ea06fa08d9b4a1bcb5f
Change-Id: Idd215f338f2da0dab4898ea06fa08d9b4a1bcb5f
(cherry picked from commit 0ac3dea71b)
2018-12-27 08:53:15 +00:00
Peiyong Lin
e4fdac5ac9 Merge "[SEPolicy] Add composer 2.3" 2018-12-22 07:05:46 +00:00
Peiyong Lin
3a4b920de6 [SEPolicy] Add composer 2.3
Use regular expression for all composer service versions.

BUG: 115554640
Test: Build, flash and boot

Merged-In: Ie84ebb0a43c9eaad66829b15deaa8b3046bd7fe4
Change-Id: Ie84ebb0a43c9eaad66829b15deaa8b3046bd7fe4
2018-12-22 03:00:03 +00:00
Treehugger Robot
9c9eb2dfca Merge "sepolicy: Add "rs" and "rs_exec" to public policy" 2018-12-22 00:34:18 +00:00
Nick Kralevich
65a89c1b2b Revert "remove app_data_file execute"
This reverts commit b362474374.

Reason for revert:

android.jvmti.cts.JvmtiHostTest1906#testJvmti unittest failures.

Bug: 121333210
Bug: 112357170
Change-Id: I6e68855abaaaa1e9248265a468712fa8d70ffa74
Test: compiles and boots
2018-12-21 10:03:50 -08:00
Nick Kralevich
fa3eb773ce Revert "Audit execution of app_data_file native code."
This reverts commit 890414725f.

Unittest failures of JvmtiHostTest1906#testJvmti. To do a clean revert
of b362474374, we need to also revert this
change.

Test: compiles
Bug: 121333210
Bug: 111338677
2018-12-21 09:59:53 -08:00
Emilian Peev
a34cfe7b56 sepolicy: Add "rs" and "rs_exec" to public policy
Add "rs" and "rs_exec" types to public policy. Access
to these types might be needed for device specific
customization.

Bug: 121306110
Test: Manual using application
Change-Id: Ief35d3353625adfbf468447de74aa80651dd9451
2018-12-21 17:47:54 +00:00
Florian Mayer
49ff99ff79 Merge "Make heapprofd work with MLS." 2018-12-21 17:27:51 +00:00
Florian Mayer
23e1f4c7d3 Make heapprofd work with MLS.
Arbitrary apps need to connect to heapprofd in order to send samples.

Relevant denial trying to profile com.google.android.inputmethod.latin
on userdebug:

12-20 14:50:20.420 25219 25219 I heapprofd: type=1400 audit(0.0:1006): avc: denied { read } for path="/proc/24819/mem" dev="proc" ino=244219 scontext=u:r:heapprofd:s0 tcontext=u:r:untrusted_app_27:s0:c133,c256,c512,c768 tclass=file permissive=1

Bug: 121370989

Test: m
Test: flash walleye
Test: profile com.google.android.inputmethod.latin

Change-Id: Iee82c8c49951e5a5726cd5ab0b9e8fa71226c802
2018-12-21 15:25:01 +00:00
Remi NGUYEN VAN
47c2dee5c2 Add selinux policies for network stack service
The policies allow the system server to register a network_stack_service
used to communicate with the network stack process.

Test: atest FrameworksNetTests
Bug: b/112869080
Change-Id: Ib9b7d9150fe4afcce03c8b3dbb36b81c67e39366
2018-12-21 00:09:50 +00:00
Remi NGUYEN VAN
41b6263007 Merge "sepolicy changes for network stack app" 2018-12-21 00:06:39 +00:00
Joel Galenson
0e25fb85b0 Add Adam to OWNERS.
Test: None.
Change-Id: Ie317dbdf96de32d8129da15fa0d771caa4ebca9d
2018-12-20 15:42:17 -08:00
Treehugger Robot
7e06c56154 Merge "Open permission manager service to the world" 2018-12-20 21:36:13 +00:00
Sudheer Shanka
f0abbf9798 Allow vold to create files at /mnt/user/.*
Bug: 121099965
Test: manual
Change-Id: I940868eb984399763d7346a201e37cb07fb12333
2018-12-20 12:01:54 -08:00
Todd Kennedy
2ec0388564 Open permission manager service to the world
There are many permission related APIs currently handled by the
package manager service. These are simply pass throughs from the
package manager service to an internal API defined by the
permission manager service. Instead of this multi-hop, we want
to open the permission manager service directly to apps. For
legacy, we won't be able to remove the APIs from PackageManager,
but the implementation should go directly to the Permission
Manager Service.

Test: System boots w/o selinux denials
Change-Id: I1d953077b3da18ccf44deb85b9084be68a2179bd
2018-12-20 07:54:23 -08:00
Martijn Coenen
36f93d0339 Merge "Allow apexd to write to sysfs loop device parameters." 2018-12-20 07:53:08 +00:00
Remi NGUYEN VAN
5f3ba92c61 sepolicy changes for network stack app
The networking stack app hosts services that used to be in the system
server (IpClient, NetworkMonitor for now), but in a different process to
be packaged as a mainline module.

Test: booted, verified networking stack working when in app
Change-Id: I300a556f51b35c17378af961cea1ec937444e597
2018-12-20 12:05:31 +09:00
Treehugger Robot
2ec03cb5cb Merge "Allow statsd to write stats log events to perfd(running as shell) via pipes." 2018-12-20 02:31:11 +00:00
Treehugger Robot
4fa9b85632 Merge "sepolicy: fix mac build" 2018-12-20 02:27:32 +00:00
Martijn Coenen
d7bf9218a0 Allow apexd to write to sysfs loop device parameters.
To configure read-ahead on loop devices, e.g.
/sys/devices/virtual/block/loop0/queue/read_ahead_kb

Bug: 120776455
Test: configuring read-ahead on loop devices works from apexd
Change-Id: Ib25372358e8ca62fa634daf286e4b64e635fac58
2018-12-20 03:05:50 +01:00
Treehugger Robot
f21085ca29 Merge "Ensure that hwservice_manager adds / finds make sense." 2018-12-20 01:33:44 +00:00
Treehugger Robot
c2be630c3a Merge "Ensure that service_manager adds / finds make sense." 2018-12-20 00:43:22 +00:00
Nick Kralevich
db43ee04eb Ensure that hwservice_manager adds / finds make sense.
Add a neverallow rule asserting that services registered or queried
through hwservicemanager must have the attribute hwservice_manager_type.
Attempting to add or query a service which does not have that
attribute is malformed policy.

Test: compiles
Change-Id: Ib498508694f478c396f2d9273abaccbff06975e6
2018-12-19 14:24:26 -08:00
Nick Kralevich
5f154404de Ensure that service_manager adds / finds make sense.
Add a neverallow rule asserting that services registered or queried
through servicemanager must have the attribute service_manager_type
or vndservice_manager_type. Attempting to add or query a service which
does not have one of those attributes is malformed policy.

See
https://android-review.googlesource.com/c/platform/system/sepolicy/+/826500/7/private/system_server.te#696
as an example where this occurred.

Test: compiles
Change-Id: I339bde04b80819b07832d96797fd7f477a4b676a
2018-12-19 13:44:22 -08:00
Tri Vo
ebf3eacafe sepolicy: fix mac build
sed "-i" flag on Mac has different syntax than on Linux. Replace use of
sed with grep.

A simple fix like this should suffice for this case, but ideally, we
should maintain our own utils instead of using tools on the host
machine.

Fixes: 121235932
Test: m selinux_policy
Change-Id: I46c3bdb90bf7de48d2c942b15a65ce82ae3041c5
2018-12-19 20:28:14 +00:00
Nick Kralevich
5cbe41b12f rs.te: Allow following /data/user/0 symlink
The bcc command line uses /data/user/0 paths, so renderscript needs to
be able to follow those symlinks.

Addresses the following denial:

  audit(1545249938.830:2274): avc: denied { read } for comm="bcc" name="0" dev="dm-6" ino=101 scontext=u:r:rs:s0:c184,c256,c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=lnk_file permissive=1 app=android.rscpp.cts

Test: cts-tradefed run cts -m CtsRsCppTestCases
Bug: 121266184
Bug: 112357170
Change-Id: I16210f9b95f386bdee0863cf0044c956af99586d
2018-12-19 12:09:42 -08:00
Tri Vo
3361ec4358 Separate product_file_contexts out of system sepolicy.
Bug: 119305624
Test: boot blueline
Change-Id: I3ecdeab3bb33c3cb5e80dc10ba1079c9853048f8
2018-12-18 20:01:18 -08:00