Commit graph

1508 commits

Author SHA1 Message Date
Treehugger Robot
356772e491 Merge "Update sepolicy of statsd to be able to find incident_service" 2018-01-24 19:37:02 +00:00
Treehugger Robot
24e8eff35d Merge "sepolicy: restrict access to uid_cpupower files" 2018-01-24 19:05:40 +00:00
yro
cf38ca5ed0 Update sepolicy of statsd to be able to find incident_service
Test: manual testing
Change-Id: Ia97c956c08d2062af6b33622c6b61ca3810b0cb1
2018-01-24 18:25:04 +00:00
Janis Danisevskis
97c56bdd78 Added default policy for Confirmation UI HAL
Bug: 63928580
Test: Manually tested.

Change-Id: If6bb10cb7c009883d853e46dcdeb92cd33877d53
2018-01-24 10:22:40 -08:00
Marissa Wall
dfe063c37d sepolicy: restrict access to uid_cpupower files
Do not let apps read /proc/uid_cpupower/time_in_state,
/proc/uid_cpupower/concurrent_active_time,
/proc/uid_cpupower/concurrent_policy_time.

b/71718257

Test: Check that they can't be read from the shell
    without root permissions and system_server was able
    to read them

Change-Id: I812694adfbb4630f7b56aa7096dc2e6dfb148b15
2018-01-24 08:39:09 -08:00
Joel Galenson
cf391269ac Fix init error trying to access file.
Init tries to write /proc/sys/vm/min_free_order_shift but fails due to
a SELinux denial.  This gives the file a new label and gives init the
ability to write it.

Test: Build and booted Sailfish (a couple of days ago).
Change-Id: Ic93862b85c468afccff2019d84b927af9ed2a84d
2018-01-23 17:32:16 -08:00
Tom Cherry
869a4c2e19 Merge "Label /vendor_file_contexts as file_contexts_file" 2018-01-24 00:58:40 +00:00
Tom Cherry
ecc4868f71 Label /vendor_file_contexts as file_contexts_file
vendor_init doesn't have permissions to read rootfs labeled files, but
needs to read /vendor_file_contexts to do restorecon correctly.  This
file is a file_contexts file, so labeling it as such seems appropriate.

Test: bullhead + vendor_init doesn't hit this audit
Change-Id: I1f2cf7dd7de17806ac0f1dfe2483fb6d6659939b
2018-01-23 20:34:57 +00:00
Dongwon Kang
1134bd001e Allow mediaextractor to load libraries from apk_data_file
This is an experimental feature only on userdebug and eng build.

Test: play MP4 file. install & uninstall media update apk.
Bug: 67908547
Change-Id: I513cdbfda962f00079e886b7a42f9928e81f6474
2018-01-23 11:21:11 -08:00
Yi Jin
bc24ba7283 Selinux permissions for incidentd project
Bug: 64222712
Test: manual
Change-Id: Ica77ae3c9e535eddac9fccf11710b0bcb3254ab3
2018-01-23 19:08:49 +00:00
Tri Vo
0a2f862715 Merge "dumpstate: remove access to 'proc' and 'sysfs' types." 2018-01-23 19:08:33 +00:00
Max Bires
842cc26816 Fixing traceur selinux permission error
getattr for trace_data_file:dir permissions was missing, impacting
functionality.

Bug:68126425
Test: Traceur functionality is properly working
Change-Id: I2c8ae5cf3463a8e5309b8402713744e036a64171
2018-01-22 19:59:35 -08:00
Treehugger Robot
7724907ff4 Merge "Allow dumpstate to call statsd. This is needed for bugreport." 2018-01-23 03:27:43 +00:00
Tri Vo
218d87c01c dumpstate: remove access to 'proc' and 'sysfs' types.
And grant appropriate permissions to more granular types.

Bug: 29319732
Bug: 65643247
Test: adb bugreport; no new denials to /proc or /sys files.

Change-Id: Ied99546164e79bfa6148822858c165177d3720a5
2018-01-23 03:24:37 +00:00
Treehugger Robot
e58fa54803 Merge "Clarify sysfs_leds neverallow." 2018-01-23 02:37:24 +00:00
Steven Moreland
623d9f0683 Clarify sysfs_leds neverallow.
Now that init no longer uses it.

Fixes: 70846424
Test: no neverallows tripped
Change-Id: I5c22dd272b66fd32b4758c1dce659ccd98b8a7ba
2018-01-22 22:03:51 +00:00
Max Bires
35c363897d Adding write permissions to traceur
Fixing denials that stopped traceur from being able to write to
debugfs_tracing. Also cleaning up general find denials for services that
traceur doesn't have permission to access.

Additionally, labeling /data/local/trace as a trace_data_file in order
to give traceur a UX friendly area to write its traces to now that it
will no longer be a shell user. It will be write/readable by traceur,
and deletable/readable by shell.

Test: Traceur functionality is not being blocked by selinux policy
Bug: 68126425
Change-Id: I201c82975a31094102e90bc81454d3c2a48fae36
2018-01-22 21:06:36 +00:00
Steven Moreland
8bda3dfaa1 Add policy for 'blank_screen'.
This util allows init to turn off the screen
without any binder dependencies.

Bug: 70846424
Test: manual + init use
Change-Id: I4f41a966d6398e959ea6baf36c2cfe6fcebc00de
2018-01-22 20:27:01 +00:00
Paul Crowley
68e31786f0 Merge "Allow access to the metadata partition for metadata encryption." 2018-01-22 18:30:08 +00:00
Tri Vo
a3e8572875 Merge "priv_app: remove access to 'proc' and 'sysfs' types." 2018-01-20 05:01:25 +00:00
Badhri Jagan Sridharan
4f6eb37f6c usbd sepolicy
Sepolicy for the usb daemon. (ag/3373886/)

Bug: 63669128
Test: Checked for avc denial messages.
Change-Id: I6e2a4ccf597750c47e1ea90c4d43581de4afa4af
2018-01-20 03:41:21 +00:00
Tri Vo
f92cfb9e4f priv_app: remove access to 'proc' and 'sysfs' types.
Bug: 65643247
Test: walleye boots with no denials from priv_app.

Change-Id: I9a7faf1253bdd79d780c2398c740109e2d84bc63
2018-01-20 01:05:56 +00:00
Tri Vo
06d7dca4a1 Remove proc and sysfs access from system_app and platform_app.
Bug: 65643247
Test: manual
Test: browse internet
Test: take a picture
Change-Id: I9faff44b7a025c7422404d777113e40842ea26dd
2018-01-20 01:05:21 +00:00
Treehugger Robot
04b70519cf Merge "Label esdfs as sdcardfs" 2018-01-20 00:40:38 +00:00
Tao Bao
d7d9cfcad2 Add rules for system_update service.
system_update service manages system update information: system updater
(priv_app) publishes the pending system update info through the service,
while other apps can read the info accordingly (design doc in
go/pi-ota-platform-api).

This CL adds the service type, and grants priv_app to access the service.

Bug: 67437079
Test: Build and flash marlin image. The system_update service works.
Change-Id: I7a3eaee3ecd3e2e16b410413e917ec603566b375
2018-01-19 15:03:21 -08:00
Paul Crowley
ab318e30d3 Allow access to the metadata partition for metadata encryption.
Bug: 63927601
Test: Enable metadata encryption in fstab on Taimen, check boot success.
Change-Id: Id425c47d48f413d6ea44ed170835a52d0af39f9f
2018-01-19 14:45:08 -08:00
Yifan Hong
829c6fef14 Merge "move /vendor VINTF data to /vendor/etc/vintf" 2018-01-19 22:01:28 +00:00
Daniel Rosenberg
9d0d6856c1 Label esdfs as sdcardfs
Test: esdfs should be mountable and usable with selinux on
Bug: 63876697
Change-Id: I7a1d96d3f0d0a6dbc1c98f0c4a96264938011b5e
2018-01-19 13:50:02 -08:00
Treehugger Robot
38adc92797 Merge "hal_usb_gadget sepolicy" 2018-01-19 21:41:00 +00:00
Treehugger Robot
2b38971ed1 Merge "Allow system apps to read log props." 2018-01-19 19:32:13 +00:00
Treehugger Robot
1572cbaffa Merge "Don't record audio if UID is idle - sepolicy" 2018-01-19 19:31:42 +00:00
Yifan Hong
8d8da6a2e2 move /vendor VINTF data to /vendor/etc/vintf
Test: boots
Test: hwservicemanager can read these files
Bug: 36790901
Change-Id: I0431a7f166face993c1d14b6209c9b502a506e09
2018-01-19 10:57:13 -08:00
Badhri Jagan Sridharan
7bee33e665 hal_usb_gadget sepolicy
Bug: 63669128
Test: Checked for avc denail messages.
Change-Id: I057b3cf9ccc945cb943b9cf60fc9cd6c023eddda
Merged-In: I057b3cf9ccc945cb943b9cf60fc9cd6c023eddda
2018-01-19 18:56:16 +00:00
Yao Chen
b10ff337bf Allow dumpstate to call statsd. This is needed for bugreport.
Selinux violations while calling dump() on statsd by bugreport.

avc: denied { call } for scontext=u:r:dumpstate:s0 tcontext=u:r:statsd:s0 tclass=binder permissive=1
denied { use } for path="pipe:[411602]" dev="pipefs" ino=411602 scontext=u:r:statsd:s0 tcontext=u:r:dumpstate:s0 tclass=fd permissive=1
avc: denied { write } for path="pipe:[411602]" dev="pipefs" ino=411602 scontext=u:r:statsd:s0 tcontext=u:r:dumpstate:s0 tclass=fifo_file permissive=1
avc: denied { getattr } for path="pipe:[411602]" dev="pipefs" ino=411602 scontext=u:r:statsd:s0 tcontext=u:r:dumpstate:s0 tclass=fifo_file permissive=1

Test: manual
Change-Id: I46c5b119548378cc80c6e4498d00edad5959d188
2018-01-19 09:21:49 -08:00
Treehugger Robot
536d195469 Merge "neverallow shell access to 'device' type" 2018-01-19 05:20:30 +00:00
Treehugger Robot
5d5284ad93 Merge "Disallow sysfs_leds to coredomains." 2018-01-19 04:56:36 +00:00
Steven Moreland
09fddac1d7 Disallow sysfs_leds to coredomains.
Bug: 70846424
Test: neverallow not tripped
Change-Id: I9e351ee906162a594930b5ab300facb5fe807f13
2018-01-18 18:10:06 -08:00
Treehugger Robot
74828e65d5 Merge "Add default namespaces of odm properties" 2018-01-18 23:11:09 +00:00
Tri Vo
5dab913441 neverallow shell access to 'device' type
Bug: 65643247
Test: builds, the change doesn't affect runtime behavior.

Change-Id: I621a8006db7074f124cb16a12662c768bb31e465
2018-01-18 21:56:00 +00:00
Tri Vo
3ac8456fed Merge "system_server: remove access sysfs_devices_system_cpu" 2018-01-18 20:26:30 +00:00
Treehugger Robot
ec4d4a5ed3 Merge "Suppress denials for non-API access" 2018-01-18 20:03:15 +00:00
Pavel Grafov
118e4969d2 Allow system apps to read log props.
This is needed to allow system apps to know whether security
logging is enabled, so that they can in this case log additional
audit events.

Test: logged a security event from locally modified KeyChain app.
Bug: 70886042
Change-Id: I9e18d59d72f40510f81d1840e4ac76a654cf6cbd
2018-01-18 17:22:28 +00:00
Jeff Vander Stoep
6d8a876a4c Suppress denials for non-API access
avc: denied { read } scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:proc_version:s0 tclass=file
avc: denied { read } scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:wifi_prop:s0 tclass=file
avc: denied { read } scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:net_dns_prop:s0 tclass=file

Bug: 72151306
Test: build
Change-Id: I4b658ccd128746356f635ca7955385a89609eea1
2018-01-18 08:55:02 -08:00
Jaekyun Seok
afca82a3bb Add default namespaces of odm properties
Since /odm is an extension of /vendor, its default property contexts
should be consistent with ones of /vendor.

Bug: 36796459
Test: tested on wahoo devices
Change-Id: Ia67ebe81e9c7102aab35a34f14738ed9a24811d3
2018-01-18 13:31:37 +09:00
Treehugger Robot
e3b05cf614 Merge "storaged: remove access to sysfs_type" 2018-01-18 01:25:42 +00:00
Chenbo Feng
566411edf2 Add sepolicy to lock down bpf access
Add a new set of sepolicy for the process that only netd use to load
and run ebpf programs. It is the only process that can load eBPF
programs into the kernel and is only used to do that. Add some
neverallow rules regarding which processes have access to bpf objects.

Test: program successfully loaded and pinned at sys/fs/bpf after device
boot. No selinux violation for bpfloader
Bug: 30950746

Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f
2018-01-17 23:19:30 +00:00
Tri Vo
35c65c1e01 system_server: remove access sysfs_devices_system_cpu
CpuFrequency.java seems to be the only thing that depends on
/sys/devices/system/cpu in system_server. And according to
b/68988722#comment15, that dependency is not exercised.

Bug: 68988722
Test: walleye boots without denials to sysfs_devices_system_cpu
Change-Id: If777b716bf74188581327b7f5aa709f5d88aad2d
2018-01-17 21:02:06 +00:00
Yang Ni
1642d4059a Merge "Allow applications to use NN API HAL services" 2018-01-17 16:34:16 +00:00
Jeffrey Vander Stoep
66024968e9 Merge "Annotate denials" 2018-01-17 06:23:27 +00:00
Svet Ganov
b9a1e7ba84 Don't record audio if UID is idle - sepolicy
If a UID is in an idle state we don't allow recording to protect
user's privacy. If the UID is in an idle state we allow recording
but report empty data (all zeros in the byte array) and once
the process goes in an active state we report the real mic data.
This avoids the race between the app being notified aboout its
lifecycle and the audio system being notified about the state
of a UID.

Test: Added - AudioRecordTest#testRecordNoDataForIdleUids
      Passing - cts-tradefed run cts-dev -m CtsMediaTestCases
              -t android.media.cts.AudioRecordTest

bug:63938985

Change-Id: I8c044e588bac4182efcdc08197925fddf593a717
2018-01-16 21:22:18 -08:00