Commit graph

7883 commits

Author SHA1 Message Date
Treehugger Robot
b916c4d1ea Merge "Move bluetooth policy to private" 2017-02-07 17:48:47 +00:00
Alex Klyubin
485ba85fe4 Merge "Move bluetoothdomain policy to private" 2017-02-07 17:48:37 +00:00
Todd Poynor
41b1e94c89 Merge "Add /data/misc/reboot and reboot_data_file context" 2017-02-07 08:25:54 +00:00
Treehugger Robot
4a8b123634 Merge "Move mdnsd policy to private" 2017-02-07 02:36:33 +00:00
Treehugger Robot
81d1fa3c73 Merge "Move netdomain policy to private" 2017-02-07 01:46:08 +00:00
Todd Poynor
ca051f6d07 Add /data/misc/reboot and reboot_data_file context
Add a file context for keeping track of last reboot reason and label
directory /data/misc/reboot/ for this purpose.

Bug: 30994946
Test: manual: reboot ocmmand, setprop sys.powerctl, SoC thermal mgr
Change-Id: I9569420626b4029a62448b3f729ecbbeafbc3e66
2017-02-06 15:55:54 -08:00
Treehugger Robot
43916281b7 Merge "Allow HWC to be binderized" 2017-02-06 23:45:27 +00:00
Alex Klyubin
661430e061 Move bluetoothdomain policy to private
This leaves only the existence of bluetoothdomain attribute as public
API. All other rules are implementation details of this attribute's
policy and are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow bluetoothdomain bluetooth_current
      rule (as expected).
Bug: 31364497

Change-Id: I0edfc30d98e1cd9fb4f41a2900954d9cdbb4db14
2017-02-06 15:32:08 -08:00
Alex Klyubin
801b5ec472 Move bluetooth policy to private
This leaves only the existence of bluetooth domain as public API.
All other rules are implementation details of this domain's policy
and are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules to do with bluetooth_current
      except those created by other domains' allow rules referencing
      bluetooth domain from public and vendor policy.
Bug: 31364497

Change-Id: I3521b74a1a9f6c5a5766b358e944dc5444e3c536
2017-02-06 15:29:10 -08:00
Alex Klyubin
d833f6ba95 Move mdnsd policy to private
This leaves only the existence of mdnsd domain as public API. All
other rules are implementation details of this domains's policy and
are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules to do with mdnsd_current (as
      expected).
Bug: 31364497

Change-Id: Ia4f01d91e7d593401e8cde2d796a0f1023f6dae4
2017-02-06 15:02:32 -08:00
Alex Klyubin
372dc67fcc Move netdomain policy to private
This leaves only the existence of netdomain attribute as public API.
All other rules are implementation details of this attribute's policy
and are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules to do with netdomain_current
      and *_current attributes targeted when netdomain rules reference
      public types.
Bug: 31364497
Change-Id: I102e649374681ce1dd9e1e5ccbaaa5cb754e00a0
2017-02-06 15:02:00 -08:00
Chia-I Wu
1b95d88c6d Allow HWC to be binderized
Test: manual
Bug: 32021609
Change-Id: I6793794f3b1fb95b8dd9336f75362447de618274
2017-02-06 12:50:03 -08:00
Stephen Smalley
4921085d9c Remove obsolete netlink_firewall_socket and netlink_ip6fw_socket classes.
The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols
was removed from the kernel in commit
d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue
support") circa Linux 3.5.  Unless we need to retain compatibility
for kernels < 3.5, we can drop these classes from the policy altogether.

Possibly the neverallow rule in app.te should be augmented to include
the newer netlink security classes, similar to webview_zygote, but
that can be a separate change.

Test: policy builds

Change-Id: Iab9389eb59c96772e5fa87c71d0afc86fe99bb6b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-02-06 14:24:41 -05:00
Jin Qian
61670b8623 storaged: allow register and callback from batteryproperties
Test: adb shell dumpsys storaged
Bug: 33086174
Bug: 34198239
Change-Id: I85d6bd05192a205662f69466d7d6208e8b834eff
2017-02-06 11:06:05 -08:00
Stephen Smalley
431bdd9f2f Define extended_socket_class policy capability and socket classes
Add a definition for the extended_socket_class policy capability used
to enable the use of separate socket security classes for all network
address families rather than the generic socket class.  The capability
also enables the use of separate security classes for ICMP and SCTP
sockets, which were previously mapped to rawip_socket class.  Add
definitions for the new socket classes and access vectors enabled by
this capability.  Add the new socket classes to the socket_class_set
macro, and exclude them from webview_zygote domain as with other socket
classes.

Allowing access by specific domains to the new socket security
classes is left to future commits.  Domains previously allowed
permissions to the 'socket' class will require permission to the
more specific socket class when running on kernels with this support.

The kernel support will be included upstream in Linux 4.11.  The
relevant kernel commits are da69a5306ab92e07224da54aafee8b1dccf024f6
("selinux: support distinctions among all network address families"),
ef37979a2cfa3905adbf0c2a681ce16c0aaea92d ("selinux: handle ICMPv6
consistently with ICMP"), and b4ba35c75a0671a06b978b6386b54148efddf39f
("selinux: drop unused socket security classes").

This change requires selinux userspace commit
d479baa82d67c9ac56c1a6fa041abfb9168aa4b3 ("libsepol: Define
extended_socket_class policy capability") in order to build the
policy with this capability enabled.  This commit is already in
AOSP master.

Test: policy builds

Change-Id: I788b4be9f0ec0bf2356c0bbef101cd42a1af49bb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-02-06 13:53:11 -05:00
Stephen Smalley
8a00360706 Define the user namespace capability classes and access vectors.
Kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f
(selinux: distinguish non-init user namespace capability checks)
introduced support for distinguishing capability
checks against a target associated with the init user namespace
versus capability checks against a target associated with a non-init
user namespace by defining and using separate security classes for the
latter.  This support is needed on Linux to support e.g. Chrome usage of
user namespaces for the Chrome sandbox without needing to allow Chrome to
also exercise capabilities on targets in the init user namespace.

Define the new security classes and access vectors for the Android policy.
Refactor the original capability and capability2 access vector definitions
as common declarations to allow reuse by the new cap_userns and cap2_userns
classes.

This change does not allow use of the new classes by any domain; that
is deferred to future changes as needed if/when Android enables user
namespaces and the Android version of Chrome starts using them.

The kernel support went upstream in Linux 4.7.

Based on the corresponding refpolicy patch by Chris PeBenito, but
reworked for the Android policy.

Test: policy builds

Change-Id: I71103d39e93ee0e8c24816fca762944d047c2235
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-02-06 13:53:11 -05:00
Abodunrinwa Toki
5470aefbe8 Merge "Declare new textclassification system service." 2017-02-06 18:52:28 +00:00
Chad Brubaker
46e5a060f6 Move neverallows from untrusted_app.te to app_neverallows.te
The neverallows in untrusted_app will all apply equally to ephemeral app
and any other untrusted app domains we may add, so this moves them to a
dedicated separate file.

This also removes the duplicate rules from isolated_app.te and ensures
that all the untrusted_app neverallows also apply to isolated_app.

Test: builds
Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-02-06 10:16:50 -08:00
Chad Brubaker
4c40d7344c Merge ephemeral data and apk files into app
The rules for the two types were the same and /data/app-ephemeral is
being removed. Remove these types.

Test: Builds
Change-Id: I520c026395551ad1362dd2ced53c601d9e6f9b28
2017-02-06 10:16:50 -08:00
Abodunrinwa Toki
387367df19 Declare new textclassification system service.
Bug: 34781862
Test: none
Change-Id: Ie628dca592a68ed67a68dda2f3d3e0516e995c80
2017-02-04 04:11:51 +00:00
Jiyong Park
9eff8526b7 Merge "configstore: add selinux policy for configstore@1.0 hal" 2017-02-02 23:07:18 +00:00
Eugene Susla
e81736d2d3 Merge "SELinux permissions for companion device system service" am: b598b47f1a am: 9fb3601b5b am: 5715f8e0a2
am: 360be64852

Change-Id: Id04953e695795a5660c42021eafa8629d4daa55e
2017-02-02 21:54:54 +00:00
Eugene Susla
b598b47f1a Merge "SELinux permissions for companion device system service" 2017-02-02 21:11:34 +00:00
Jiyong Park
ebec1aa2b7 configstore: add selinux policy for configstore@1.0 hal
This change adds selinux policy for configstore@1.0 hal. Currently, only
surfaceflinger has access to the HAL, but need to be widen.

Bug: 34314793
Test: build & run

Merged-In: I40e65032e9898ab5f412bfdb7745b43136d8e964
Change-Id: I40e65032e9898ab5f412bfdb7745b43136d8e964
(cherry picked from commit 5ff0f178ba)
2017-02-02 17:46:41 +09:00
Mark Salyzyn
1c8ad93f53 Merge "logd: add getEventTag command and service" am: 542a46267f am: 2cf8777fe5 am: c480ee7d45
am: adce24c352

Change-Id: Iff0acc735158464b12b9011b69da55fb0ca8eccb
2017-02-01 21:39:47 +00:00
Mark Salyzyn
542a46267f Merge "logd: add getEventTag command and service" 2017-02-01 21:24:06 +00:00
Eugene Susla
3411dfb6b0 SELinux permissions for companion device system service
Required for I0aeb653afd65e4adead13ea9c7248ec20971b04a

Test: Together with I0aeb653afd65e4adead13ea9c7248ec20971b04a, ensure that the
system service works
Bug: b/30932767
Change-Id: I994b1c74763c073e95d84222e29bfff5483c6a07
2017-02-01 13:07:17 -08:00
Jiyong Park
e2d0e74147 Merge "configstore: add selinux policy for configstore@1.0 hal" 2017-02-01 04:23:12 +00:00
Calin Juravle
01ee59a7b4 Remove SElinux audit to libart_file
Since it was introduced it caused quite a few issues and it spams the
SElinux logs unnecessary.

The end goal of the audit was to whitelist the access to the
interpreter. However that's unfeasible for now given the complexity.

Test: devices boots and everything works as expected
      no more auditallow logs

Bug: 29795519
Bug: 32871170
Change-Id: I9a7a65835e1e1d3f81be635bed2a3acf75a264f6
2017-01-31 23:43:14 +00:00
Mark Salyzyn
384ce66246 logd: add getEventTag command and service
The event log tag service uses /dev/event-log-tags, pstore and
/data/misc/logd/event-log-tags as sticky storage for the invented
log tags.

Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests
Bug: 31456426
Change-Id: Iacc8f36f4a716d4da8dca78a4a54600ad2a288dd
2017-01-31 15:50:42 +00:00
Mark Salyzyn
d33a9a194b logd: restrict access to /dev/event-log-tags
Create an event_log_tags_file label and use it for
/dev/event-log-tags.  Only trusted system log readers are allowed
direct read access to this file, no write access.  Untrusted domain
requests lack direct access, and are thus checked for credentials via
the "plan b" long path socket to the event log tag service.

Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests
Bug: 31456426
Bug: 30566487
Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
2017-01-31 15:50:15 +00:00
Sandeep Patil
a86316e852 property_context: split into platform and non-platform components.
Bug: 33746484
Test: Successfully boot with original service and property contexts.
      Successfully boot with split serivce and property contexts.

Change-Id: I87f95292b5860283efb2081b2223e607a52fed04
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-01-29 21:09:11 +00:00
Janis Danisevskis
e8acd7695b Preliminary policy for hal_keymaster (TREBLE)
This adds the premissions required for
android.hardware.keymaster@2.0-service to access the keymaster TA
as well as for keystore and vold to lookup and use
android.hardware.keymaster@2.0-service.

IT DOES NOT remove the privileges from keystore and vold to access
the keymaster TA directly.

Test: Run keystore CTS tests
Bug: 32020919

(cherry picked from commit 5090d6f324)

Change-Id: Ib02682da26e2dbcabd81bc23169f9bd0e832eb19
2017-01-27 15:02:57 -08:00
Alex Klyubin
a7653ee2ed Move webview_zygote policy to private
This leaves only the existence of webview_zygote domain and its
executable's webview_zygote_exec file label as public API. All other
rules are implementation details of this domain's policy and are thus
now private.

Test: Device boots, with Multiproces WebView developer setting
      enabled, apps with WebView work fine. No new denials.
Bug: 31364497

Change-Id: I179476c43a50863ee3b327fc5155847d992a040d
2017-01-27 17:01:43 +00:00
Badhri Jagan Sridharan
ae206f1623 sepolicy for usb hal
Bug: 31015010

cherry-pick from b6e4d4bdf1

Test: checked for selinux denial msgs in the dmesg logs.
Change-Id: I8285ea05162ea0d75459e873e5c2bad2dbc7e5ba
2017-01-27 00:05:19 +00:00
Alex Klyubin
966efedec8 Move zygote policy to private
This leaves only the existence of zygote domain and its
executable's zygote_exec file label as public API. All other rules are
implementation details of this domain's policy and are thus now
private.

Test: Device boot, apps (untrusted_app, system_app, platform_app,
      priv_app) work fine. No new denials.
Bug: 31364497
Change-Id: Ie37128531be841b89ecd602992d83d77e26533bc
2017-01-26 13:31:16 -08:00
Alex Klyubin
8429a331aa Move appdomain policy to private
This leaves only the existence of appdomain attribute as public API.
All other rules are implementation details of this attribute's policy
and are thus now private.

Test: Device boot, apps (untrusted_app, system_app, platform_app,
      priv_app) work fine. No new denials.
Bug: 31364497

Change-Id: Ie22e35bad3307bb9918318c3d034f1433d51677f
2017-01-26 11:26:49 -08:00
Steven Moreland
cd597cd52a property: add persist.hal.binderization
- Added set_prop to shell so that you can set it from shell.
- Added set_prop to sytem_app so that it can be updated in settings.

Bug: 34256441
Test: can update prop from Settings and shell. nfc and lights work with
ag/1833821 with persist.hal.binderization set to on and off. There are
no additional selinux denials.
Change-Id: I883ca489093c1d56b2efa725c58e6e3f3b81c3aa
2017-01-26 06:06:24 +00:00
William Roberts
606d2fd665 te_macros: introduce add_service() macro
Introduce the add_service() macro which wraps up add/find
permissions for the source domain with a neverallow preventing
others from adding it. Only a particular domain should
add a particular service.

Use the add_service() macro to automatically add a neverallow
that prevents other domains from adding the service.

mediadrmserver was adding services labeled mediaserver_service.
Drop the add permission as it should just need the find
permission.

Additionally, the macro adds the { add find } permission which
causes some existing neverallow's to assert. Adjust those
neverallow's so "self" can always find.

Test: compile and run on hikey and emulator. No new denials were
found, and all services, where applicable, seem to be running OK.

Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-01-26 04:43:16 +00:00
Jiyong Park
5ff0f178ba configstore: add selinux policy for configstore@1.0 hal
This change adds selinux policy for configstore@1.0 hal. Currently, only
surfaceflinger has access to the HAL, but need to be widen.

Bug: 34314793
Test: build & run

Change-Id: I40e65032e9898ab5f412bfdb7745b43136d8e964
2017-01-26 11:19:23 +09:00
Jeff Tinker
c86f42b9a7 Add sepolicy for drm HALs
bug:32815560
Change-Id: I494141b47fcd2e7e0cc02aa58d8df9a222060b3f
2017-01-25 11:21:03 -08:00
Treehugger Robot
727e543f77 Merge "haldomain: search for passthrough hals" 2017-01-25 02:47:41 +00:00
Ray Essick
391854000a rename mediaanalytics->mediametrics, wider access
reflect the change from "mediaanalytics" to "mediametrics"

Also incorporates a broader access to the service -- e.g. anyone.
This reflects that a number of metrics submissions come from application
space and not only from our controlled, trusted media related processes.
The metrics service (in another commit) checks on the source of any
incoming metrics data and limits what is allowed from unprivileged
clients.

Bug: 34615027
Test: clean build, service running and accessible
Change-Id: I657c343ea1faed536c3ee1940f1e7a178e813a42
2017-01-24 16:57:19 -08:00
Steven Moreland
18d7f8c1b8 haldomain: search for passthrough hals
Bug: 34366227
Test: passthrough services successfully found
Change-Id: If2cad09edc42f01cc5a444229758ecdfe2017cf2
2017-01-24 16:41:00 -08:00
Calin Juravle
9559550791 Merge "SElinux policies for compiling secondary dex files" 2017-01-25 00:33:03 +00:00
Calin Juravle
e5a1f64a2e SElinux policies for compiling secondary dex files
This CLs adds SElinux policies necessary to compile secondary dex files.

When an app loads secondary dex files via the base class loader the
files will get reported to PM. During maintance mode PM will compile the
secondary dex files which were used via the standard installd model
(fork, exec, change uid and lower capabilities).

What is needed:
dexoptanalyzer - needs to read the dex file and the boot image in order
to decide if we need to actually comppile.
dex2oat - needs to be able to create *.oat files next to the secondary
dex files.

Test: devices boots
      compilation of secondary dex files works without selinux denials
      cmd package compile --secondary-dex -f -m speed
com.google.android.gms

Bug: 32871170
Change-Id: I038955b5bc9a72d49f6c24c1cb76276e0f53dc45
2017-01-24 14:28:07 -08:00
Treehugger Robot
200d436b39 Merge "Declare new Fonts service" 2017-01-24 12:17:30 +00:00
Nick Kralevich
21cb045bd5 priv_app: allow reading /cache symlink
Addresses the following denial:

  avc: denied { read } for name="cache" dev="dm-0" ino=2755
  scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_file:s0
  tclass=lnk_file permissive=0

which occurs when a priv-app attempts to follow the /cache symlink. This
symlink occurs on devices which don't have a /cache partition, but
rather symlink /cache to /data/cache.

Bug: 34644911
Test: Policy compiles.
Change-Id: I9e052aeb0c98bac74fa9225b9253b1537ffa5adc
2017-01-23 22:24:01 -08:00
Clara Bayarri
b69af83b68 Declare new Fonts service
Merged-In: Id2b849d7fa22989225066ebe487fc98d319743ea
Bug: 34190490
Test: CTS in internal master
Change-Id: I27ab62469f3a405c59eda1a2a249899e845bed56
2017-01-23 15:14:33 +00:00
Paul Lawrence
fa2bc1b18f Merge "tracefs not debugfs" am: e5912986e6 am: c08b9c7847 am: 68dc3de844
am: 59b1081e9c

Change-Id: Ic16d8a8d4a80a3ab05441608cbf1cefac13b43af
2017-01-21 16:29:22 +00:00
Treehugger Robot
e5912986e6 Merge "tracefs not debugfs" 2017-01-21 16:11:24 +00:00
TreeHugger Robot
18d428bb1b Merge "Preliminary policy for hal_keymaster (TREBLE)" 2017-01-21 15:38:32 +00:00
Jin Qian
8ad57ef664 storaged: allow reading packages.list
Delete rule for permission_service since we use packages.list instead.

Test: adb shell storaged -u
Bug: 34198239
Change-Id: Ic69d0fe185e627a932bbf8e85fc13163077bbe6b
2017-01-20 20:34:59 -08:00
Paul Lawrence
ef2a17092c tracefs not debugfs
Test:   Device boots
        Can take photos
        Run "adb shell atrace -c -b 16000 -t 5 gfx" without root and check produces
        output
        Run "python systrace.py view gfx freq sched am wm dalvik
        binder_driver" from external/chromium-trace after adb root and
        check populated
Bug: 31856701
Change-Id: Ic319f8a0a3e395efa7ee8ba33a868ac55cb44fe4
2017-01-20 23:13:59 +00:00
Alex Klyubin
e1ff7e8859 Sort hal_* declarations alphabetically
Test: No change to SELinux policy
Change-Id: I45d6d6ab0538b9d4768b922cfdc2c972272d0b18
2017-01-20 10:41:19 -08:00
Treehugger Robot
7b8c00204b Merge "hal_light: add permission to sys/class/leds." 2017-01-20 00:47:47 +00:00
Steven Moreland
62aee3b41b hal_light: add permission to sys/class/leds.
/sys/class/leds is the standard location for linux files dealing with
leds, however the exact contents of this directory is non-standard
(hence the need for a hal).

Bug: 32022100
Test: compiles and works for the subset of common files
Change-Id: I7571d7267d5ed531c4cf95599d5f2acc22287ef4
2017-01-20 00:17:11 +00:00
Treehugger Robot
b7f86a7257 Merge "Allow ephemeral apps to read/write external storage" 2017-01-19 23:25:55 +00:00
Treehugger Robot
51c00faf3d Merge "haldomain: add hwbinder_use" 2017-01-19 21:35:10 +00:00
Chad Brubaker
3d348fd60c Allow ephemeral apps to read/write external storage
Ephemeral apps cannot open files from external storage, but can be given
access to files via the file picker.

Test: ACTION_OPEN_DOCUMENTS from an ephemeral app returns a readable fd.
Change-Id: Ie21b64a9633eff258be254b9cd86f282db1509e8
2017-01-19 13:26:26 -08:00
Treehugger Robot
cde575d238 Merge "crash_dump: temporarily make permissive." 2017-01-19 20:22:27 +00:00
Chad Brubaker
5c566d1a5a Move ephemeral_app to appdomain
Ephemeral apps are still apps with very similar capabilities, it makes
more sense to have them under appdomain and benefit from the shared
state (and all the neverallow rules) than to try and dupplicate them and
keep them in sync.

This is an initial move, there are parts of ephemeral_app that still
need to be locked down further and some parts of appdomain that should
be pushed down into the various app domains.

Test: Builds, ephemeral apps work without denials.
Change-Id: I1526b2c2aa783a91fbf6543ac7f6d0d9906d70af
2017-01-19 10:55:51 -08:00
Josh Gao
9cfe34b5ee crash_dump: temporarily make permissive.
Test: policy compiles.
Bug: http://b/34450704
Change-Id: I1381f9de8e4c8cdde4920be423ab32adc2f7a8a2
2017-01-19 10:28:43 -08:00
Treehugger Robot
414bfe1a40 Merge "Allow the Bluetooth HAL to log firmware versions" 2017-01-19 17:28:59 +00:00
mukesh agrawal
3a6bc68e64 allow init and system_server access to tracing
Revise policy, to allow init and system_server to configure,
clear, and read kernel trace events. This will enable us to
debug certain WiFi failures.

Note that system_server is restricted to only accessing
a wifi-specific trace instance. (Hence, system_server is
not allowed to interfere with atrace.) Moreover, even for
the wifi trace instance, system_server is granted limited
permissions. (system_server can not, e.g., change which
events are traced.)

Note also that init and system_server are only granted these
powers on userdebug or eng builds.

The init.te and system_server.te changes resolve the
following denials:

// Denials when wifi-events.rc configures tracing
{ write } for pid=1 comm="init" name="instances" dev="debugfs" ino=755 scontext=u:r:init:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1
{ add_name } for pid=1 comm="init" name="wifi" scontext=u:r:init:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1
{ create } for pid=1 comm="init" name="wifi" scontext=u:r:init:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1
{ write } for pid=1 comm="init" name="tracing_on" dev="debugfs" ino=18067 scontext=u:r:init:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ write } for pid=1 comm="init" name="buffer_size_kb" dev="debugfs" ino=18061 scontext=u:r:init:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=file permissive=1

// Denials when system_server sets up fail-safe
// (auto-terminate tracing if system_server dies)
{ search } for pid=882 comm="system_server" name="instances" dev="debugfs" ino=755 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1
{ read } for pid=882 comm="system_server" name="free_buffer" dev="debugfs" ino=18063 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ open } for pid=882 comm="system_server" path="/sys/kernel/debug/tracing/instances/wifi/free_buffer" dev="debugfs" ino=18063 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ getattr } for pid=882 comm="system_server" path="/sys/kernel/debug/tracing/instances/wifi/free_buffer" dev="debugfs" ino=18063 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1

// Denials when system_server toggles tracing on or off
// (WifiStateMachine is a thread in system_server)
{ search } for pid=989 comm="WifiStateMachin" name="instances" dev="debugfs" ino=755 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1
{ write } for pid=989 comm="WifiStateMachin" name="tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ open } for pid=989 comm="WifiStateMachin" path="/sys/kernel/debug/tracing/instances/wifi/tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ getattr } for pid=989 comm="WifiStateMachin" path="/sys/kernel/debug/tracing/instances/wifi/tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ write } for pid=989 comm="WifiStateMachin" name="tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ open } for pid=989 comm="WifiStateMachin" path="/sys/kernel/debug/tracing/instances/wifi/tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ getattr } for pid=989 comm="WifiStateMachin" path="/sys/kernel/debug/tracing/instances/wifi/tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1

// Denials when system_server reads the event trace
// (This happens in response to a dumpsys request)
{ search } for pid=3537 comm="Binder:882_B" name="instances" dev="debugfs" ino=755 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1
{ read } for pid=3537 comm="Binder:882_B" name="trace" dev="debugfs" ino=18059 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ open } for pid=3537 comm="Binder:882_B" path="/sys/kernel/debug/tracing/instances/wifi/trace" dev="debugfs" ino=18059 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ getattr } for pid=3537 comm="Binder:882_B" path="/sys/kernel/debug/tracing/instances/wifi/trace" dev="debugfs" ino=18059 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ write } for pid=3537 comm="Binder:882_B" name="trace" dev="debugfs" ino=18059 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1

Bug: 27254565
Test: manual
Manual test:
- Build this CL along with CL:322337
- Verify that system boots, and that we can connect to GoogleGuest.
  (Testing of actual trace functionality with require some more
  patches in frameworks/opt/net/wifi.)
$ adb root && adb shell dmesg | egrep 'avc: denied.+debugfs'

Change-Id: Ib6eb4116549277f85bd510d25fb30200f1752f4d
2017-01-18 15:17:16 -08:00
Josh Gao
cb3eb4eef9 Introduce crash_dump debugging helper.
Replace the global debuggerd with a per-process debugging helper that
gets exec'ed by the process that crashed.

Bug: http://b/30705528
Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>`
Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed
2017-01-18 15:03:24 -08:00
Treehugger Robot
ffa2957283 Merge "DO NOT MERGE: Camera: Add initial Treble camera HAL sepolicy" 2017-01-18 22:29:42 +00:00
Eino-Ville Talvala
9c43a3ff10 DO NOT MERGE: Camera: Add initial Treble camera HAL sepolicy
- Allow cameraservice to talk to hwbinder, hwservicemanager
- Allow hal_camera to talk to the same interfaces as cameraservice

Test: Compiles, confirmed that cameraservice can call hwservicemanager
Bug: 32991422
Change-Id: Ied0a3f5f7149e29c468a13887510c78d555dcb2a
2017-01-18 12:02:36 -08:00
Jin Qian
d345906b14 Define policy for /proc/uid_io/stats
New procfs file read by storaged to dump fg/bg IO usage.

Remove kmsg rule since it's no longer used by storaged.

Allow storaged to find permission_service to translate UID
to package name.

Test: adb shell storaged -u
Bug: 34198239
Change-Id: I74654662c75571cbe166cf2b8cbab84828218cbd
2017-01-18 11:00:57 -08:00
Steven Moreland
a25192262b haldomain: add hwbinder_use
All hals need to use hwbinder.

Test: no additional denials
Bug: 34180936
Change-Id: Ie92cdbd79fc75062c4afa4cda53cb57ccde7e370
2017-01-18 09:47:50 -08:00
Jorim Jaggi
615b60bd54 Merge "Revert "property_context: split into platform and non-platform components."" 2017-01-18 16:33:31 +00:00
Jorim Jaggi
aa03ef2621 Revert "property_context: split into platform and non-platform components."
This reverts commit 262edc382a.

Fixes: 34370523
Change-Id: I077d064d4031d40bc48cb39eba310e6c16b9627d
2017-01-18 15:47:11 +00:00
Janis Danisevskis
5090d6f324 Preliminary policy for hal_keymaster (TREBLE)
This adds the premissions required for
android.hardware.keymaster@2.0-service to access the keymaster TA
as well as for keystore and vold to lookup and use
android.hardware.keymaster@2.0-service.

IT DOES NOT remove the privileges from keystore and vold to access
the keymaster TA directly.

Test: Run keystore CTS tests
Bug: 32020919
Change-Id: I9467ee29232cc54b48a6dae8ae240656999f73bf
2017-01-18 13:48:52 +00:00
Sandeep Patil
af8c60fec1 property_context: split into platform and non-platform components.
am: 262edc382a

Change-Id: If843833a2fb22b92949b47a33bbd88777f4a54e5
2017-01-18 06:12:14 +00:00
Treehugger Robot
ccbf463a9a Merge "property_context: split into platform and non-platform components." 2017-01-18 06:09:02 +00:00
Jeff Sharkey
828433c892 Define policy for /proc/uid_procstat/set.
New procfs file written by the system_server to communicate fg/bg
state of UIDs to switch the statistics counter sets used.

avc: denied { write } for name="set" dev="proc" ino=4026531862 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1

Test: builds, boots, counter sets updated
Bug: 34360629
Change-Id: I2efbfbba9e73f50ce50a80a3dffd3b14fa55c048
2017-01-17 18:34:17 -07:00
Sandeep Patil
262edc382a property_context: split into platform and non-platform components.
Bug: 33746484
Test: Successfully boot with original service and property contexts.
      Successfully boot with split serivce and property contexts.

Change-Id: I7881af8922834dc69b37dae3b06d921e05206564
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-01-18 00:41:47 +00:00
Sandeep Patil
a058b569e4 service_context: split into platform and non-platform components.
Bug: 33746484
Test: Successfully boot with original service and property contexts.
      Successfully boot with split serivce and property contexts.

Change-Id: Ide67d37d85273c60b9e387e72fbeb87be6da306a
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-01-18 00:33:09 +00:00
Myles Watson
1e588b02bc Allow the Bluetooth HAL to log firmware versions
Give the default implementation access to /data/misc/blue* for
backward compatibility.

Future Bluetooth HAL implementations should use the system log.

Test: VTS tests pass, Bluetooth starts/stops
Change-Id: Ia67896b46e3e9ce3421bbb0c8a8542f290b39083
2017-01-17 15:15:07 -08:00
Alex Klyubin
f41d89eb24 Group all HAL impls using haldomain attribute
This marks all HAL domain implementations with the haldomain attribute
so that rules can be written which apply to all HAL implementations.

This follows the pattern used for appdomain, netdomain and
bluetoothdomain.

Test: No change to policy according to sesearch.
Bug: 34180936
Change-Id: I0cfe599b0d49feed36538503c226dfce41eb65f6
2017-01-17 11:20:49 -08:00
Treehugger Robot
597a8a4913 Merge "New SeLinux policy for fingerprint HIDL" 2017-01-14 03:50:05 +00:00
Treehugger Robot
14658c93e7 Merge "hal_health: move system_file permissions to public/hal_health" 2017-01-14 00:24:55 +00:00
Jim Miller
54e0e5af8f New SeLinux policy for fingerprint HIDL
Move from fingerprintd to new fingerprint_hal and update SeLinux policy.

Test: Boot with no errors related to fingerprint sepolicy
Bug: 33199080
Change-Id: Idfde0cb0530e75e705033042f64f3040f6df22d6
2017-01-13 13:28:31 -08:00
Hridya Valsaraju
953c439643 add selinux policy for GNSS hal
The following are the avc denials that are addressed:

avc: denied { call } for pid=889 comm="system_server"
scontext=u:r:system_server:s0 tcontext=u:r:hal_gnss_default:s0
tclass=binder permissive=0

avc: denied { call } for scontext=u:r:hal_gnss_default:s0
tcontext=u:r:system_server:s0 tclass=binder permissive=0

avc: denied { read } for name="hw" dev="mmcblk0p43" ino=1837
scontext=u:r:hal_gnss_default:s0 tcontext=u:object_r:system_file:s0
tclass=dir permissive=0

avc: denied { open } for path="/system/lib64/hw" dev="mmcblk0p43"
ino=1837 scontext=u:r:hal_gnss_default:s0
tcontext=u:object_r:system_file:s0 tclass=dir permissive=0

Bug:31974439

Test: Checked that there no more related avc denial messages related to
the GNSS HAL in dmesg.

Change-Id: I5b43dc088017a5568dd8e442726d2bf52e95b1d5
2017-01-13 20:54:07 +00:00
Max Bires
9e7a5b0a7c Auditing init and ueventd access to chr device files.
It seems likely that there is no reason to keep around a number of
devices that are configured to be included into the pixel kernels. Init
and ueventd should be the only processes with r/w access to these
devices, so auditallow rules have been added to ensure that they aren't
actually used.

/dev/keychord was given its own type since it's one of the few character
devices that's actually legitimately used and would cause log spam in
the auditallow otherwise.

Bug: 33347297
Test: The phone boots without any apparent log spam.

Change-Id: I3dd9557df8a9218b8c802e33ff549d15849216fb
2017-01-13 17:38:39 +00:00
Myles Watson
926dc3317d Allow debuggerd to access native tests
Test: run a gtest in /data/nativetest/ with no permission denial
Change-Id: Id644ed7dbea59becaf84b6073c9144711ad07c10
2017-01-12 14:18:50 -08:00
Josh Gao
d5db9de58d Merge "Remove support for legacy f_adb interface." 2017-01-12 21:24:34 +00:00
Treehugger Robot
1b7512a139 Merge "Move ephemeral_app policy to private" 2017-01-12 19:59:03 +00:00
Sandeep Patil
07c75b1784 hal_health: move system_file permissions to public/hal_health
Bug: 34231014
Test: Boot angler to ensure no additional denials are reported.

Change-Id: Ic2372d55f7072c65e7ea17036a8eb40dc531d60e
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-01-11 16:01:07 -08:00
Josh Gao
a3bc3cffdf Remove support for legacy f_adb interface.
Bug: http://b/34228376
Test: m
Change-Id: I1321ada1521bb3e3fd08105f1a41d519ee486683
2017-01-11 15:03:50 -08:00
Jeff Sharkey
6730ee3352 Define policy for new StorageStatsManager API.
Test: builds
Bug: 32206268
Change-Id: I236105b029178f96da519c2295c66c686dcae7cb
2017-01-10 18:10:19 -07:00
Andre Eisenbach
be27f92a3e Add selinux policy for Bluetooth HAL
Bug: 31972505
Test: VTS test passes, Bluetooth starts/stops
Change-Id: Ic068c9fca7c50e63c5b6e3d86a2ee6cc53207e08
2017-01-10 15:05:14 -08:00
Alex Klyubin
baeac1fd26 Move ephemeral_app policy to private
This leaves only the existence of ephemeral_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private. There are a few rules, defined by other domains'
files remaining in the public policy until the rules from these
domains also move to the private policy:

allow ephemeral_app_current appdomain:binder transfer;
allow ephemeral_app_current audioserver_current:binder transfer;
allow ephemeral_app_current drmserver_current:binder transfer;
allow ephemeral_app_current dumpstate_current:binder transfer;
allow ephemeral_app_current mediaserver_current:binder transfer;
allow ephemeral_app_current surfaceflinger_current:binder transfer;
allow ephemeral_app_current system_server_current:binder transfer;

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules from platform_app_current
      attribute (as expected).
Bug: 31364497

Change-Id: I98687181434a98a141469ef676c461fcd1db2d4e
2017-01-09 15:34:27 -08:00
Alex Klyubin
c42d134e07 Move platform_app policy to private
This leaves only the existence of platform_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules from platform_app_current
      attribute (as expected).
Bug: 31364497

Change-Id: I47bb59fdfc07878c91fd5e207735cd0c07a128da
2017-01-09 14:52:59 -08:00
Treehugger Robot
665b75e638 Merge "Split seapp_contexts into plat and nonplat components." 2017-01-09 20:30:22 +00:00
Dan Cashman
9c03807223 Split seapp_contexts into plat and nonplat components.
Bug: 33746381
Test: Device boots with no extra denials.
Change-Id: I2f0da92367851142e0d7df4afec8861ceaed9d3e
2017-01-09 10:10:59 -08:00
Daniel Micay
41e3ee4655 priv_app: rm redundant app_data_file r_file_perms
This is already provided in app.te via create_file_perms for
notdevfile_class_set.

Change-Id: I89ed3537fd1e167571fe259bd4804f8fcc937b95
2017-01-08 17:20:50 -05:00
Nick Kralevich
1a022cbbe7 storaged.te: Remove redundant permission.
All SELinux domains are already granted the ability to read the
filenames in /proc, so it's unnecessary to add it to storaged.te.

  $ grep "proc:dir r_dir_perms" public/domain.te
  allow domain proc:dir r_dir_perms;

Remove redundant rule.

Test: policy compiles.
Change-Id: I8779cda19176f7eb914778f131bb5b14e5b14448
2017-01-06 18:56:29 -08:00
Treehugger Robot
110588797d Merge changes from topic 'storaged'
* changes:
  Storaged permissions for task I/O
  Storaged permission setting
2017-01-07 02:42:26 +00:00
ynwang
e68d2d2c72 Storaged permissions for task I/O
Allow storaged to read /proc/[pid]/io
Grant binder access to storaged
Add storaged service
Grant storaged_exec access to dumpstate
Grant storaged binder_call to dumpstate

Bug: 32221677

Change-Id: Iecc9dba266c5566817a99ac6251eb943a0bac630
2017-01-07 01:12:51 +00:00
ynwang
9fa8823cdf Storaged permission setting
Allowing storaged for reading from pseudo filesystems and debugfs.

Bug: 32221677

Change-Id: I837cead9a68f0b399703b64d724cb9c4b205c335
2017-01-07 01:12:45 +00:00
Nick Kralevich
164af1039d priv_app.te: remove domain_deprecated
No denials collected.

Bug: 28760354
Test: no denials collected.
Test: device boots and no obvious problems
Change-Id: I7fc053ecae2db3bb2ca7c298634453e930713bec
2017-01-06 16:32:01 -08:00
Treehugger Robot
804547bcde Merge "Split file_contexts for on-device compilation." 2017-01-06 17:23:45 +00:00
Treehugger Robot
cc966d472c Merge "Move isolated_app policy to private" 2017-01-06 16:33:41 +00:00
Alex Klyubin
72950ba0fc Merge "Move system_app policy to private" 2017-01-06 05:03:40 +00:00
Treehugger Robot
15a9946d0f Merge "Move priv_app policy to private" 2017-01-06 02:08:59 +00:00
Alex Klyubin
b5853c3b95 Move system_app policy to private
This leaves only the existence of system_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules from system_app_current
      attribute (as expected).
Bug: 31364497

Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
2017-01-05 17:20:28 -08:00
Alex Klyubin
a390397407 Move isolated_app policy to private
This leaves only the existence of isolated_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules from isolated_app_current
      attribute (as expected).
Bug: 31364497

Change-Id: I499a648e515628932b7bcd188ecbfbe4a247f2f3
2017-01-05 16:06:54 -08:00
Alex Klyubin
92295ef8bd Move priv_app policy to private
This leaves the existence of priv_app domain as public API. All other
rules are implementation details of this domain's policy and are thus
now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules from priv_app_current
      attribute (as expected) except for
      allow priv_app_current update_engine_current:binder transfer;
      which is caused by public update_engine.te rules and will go
      away once update_engine rules go private.
Bug: 31364497

Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-05 15:44:32 -08:00
Alex Klyubin
fce60d3dbc Move untrusted_app policy to private
This leaves only the existence of untrusted_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules from untrusted_domain_current
      attribute (as expected).
Bug: 31364497

Change-Id: Ief71fa16cfc38437cbe5c58100bba48b9a497c92
2017-01-05 14:39:52 -08:00
dcashman
d225b6979d Split file_contexts for on-device compilation.
Simulate platform and non-platform split by compiling two different
file_contexts files and loading them together on-device.  Leave the existing
file_contexts.bin in place until we're ready to build images based on the new
files.

Bug: 31363362
Test: Builds and boots without additional denials.
Change-Id: I7248f876e2230cee3b3cbf386422063da1e3dde0

Bring back file_contexts.bin.

Change-Id: Ifec2c363579151080fdec48e8bc46bbbc8c97674
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-01-05 11:22:45 -08:00
Nick Kralevich
e427a2b2be untrusted_app: allow access to /proc/tty/drivers
/proc/tty/drivers is read by applications to figure out if they are
running in an emulated environment. Specifically, they look for the
string "goldfish" within that file.

Arguably this is not an Android API, and really shouldn't be exposed to
applications, but:

1) A largish number of applications break if they can't read this file;
2) The information here isn't particularly sensitive

While we could spend a bunch of time trying to get applications fixed,
there are bigger fish to fry. It's not worth the battle.

Test: "ls -laZ /proc/tty/drivers" is labeled properly.
Bug: 33214085
Bug: 33814662
Bug: 33791054
Bug: 33211769
Bug: 26813932
Change-Id: Icc05bdc1c917547a6dca7d76636a1009369bde49
2017-01-04 08:43:09 -08:00
Alexey Polyudov
a9ce208680 gatekeeper HAL service: add security policy
Change-Id: I79a305407c3a362d7be11f4c026f31f1e9666f1c
Signed-off-by: Alexey Polyudov <apolyudov@google.com>
2017-01-03 14:05:04 -08:00
Ashutosh Joshi
c9d46d4ff2 Add sepolicy for sensors
Adding sepoilcy for sensors.

Test: Sensors work.
Change-Id: Ibbf0c1a22654a17b1573e3761ea9ccd816150255
2016-12-29 02:20:04 +00:00
ashutoshj
90ab4dfbe7 Merge "Add sepolicy for contexthub HAL" 2016-12-29 01:30:14 +00:00
ashutoshj
9f04eeb035 Merge "Change the name advertised by the context hub service." 2016-12-29 01:29:41 +00:00
Ashutosh Joshi
e8d0bdae21 Add sepolicy for contexthub HAL
Adding sepolicty for contexthub service.

Test: GTS tests pass.
Change-Id: I2576b8028d12a31151d7b7869679b853eb16c75e
2016-12-28 14:58:44 -08:00
Alex Klyubin
6e4508e625 Restrict access to Bluetooth system properties
This removes access to Bluetooth system properties from arbitrary
SELinux domains. Access remains granted to init, bluetooth, and
system_app domains. neverallow rules / CTS enforce that access is not
granted to Zygote and processes spawned from Zygote expcept for
system_app and bluetooth.

The reason is that some of these properties may leak persistent
identifiers not resettable by the user.

Test: Bluetooth pairing and data transfer works
Bug: 33700679
Change-Id: Icdcb3927a423c4011a62942340a498cc1b302472
2016-12-27 18:08:13 -08:00
Alex Klyubin
062236a8c9 Remove access to ro.runtime.firstboot from apps
ro.runtime.firstboot system property is only used internally by
system_server to distinguish between first start after boot from
consecutive starts (for example, this happens when full-disk
encryption is enabled). The value of the property is a
millisecond-precise timestamp which can help track individual
device. Thus apps should not have access to this property.

Test: Device boots fine, reading ro.runtime.firstboot from an app results in an error and SELinux denial.
Bug: 33700679
Change-Id: I4c3c26a35c5dd840bced3a3e53d071f45317f63c
2016-12-27 14:18:47 -08:00
Ashutosh Joshi
dea4975fc7 Change the name advertised by the context hub service.
Bring the context hub service advertised name into compliance with
the other Android services. This changes the name from
"contexthub_service" to "context".

Test: GTS tests pass.

Change-Id: I8490d60f89bdb97813e328b9ddf08270470fda76
2016-12-27 09:31:01 -08:00
Treehugger Robot
b8bb1d4c6a Merge "Sepolicy for allocator hal." 2016-12-22 21:20:37 +00:00
Steven Moreland
72d18125c1 Sepolicy for allocator hal.
Bug: 32123421
Test: full build/test of allocator hal using hidl_test
Change-Id: I253b4599b6fe6e7f4a2f5f55b34cdeed9e5d769b
2016-12-22 11:39:23 -08:00
Alex Klyubin
20151072a7 Restrict access to ro.serialno and ro.boot.serialno
This restricts access to ro.serialno and ro.boot.serialno, the two
system properties which contain the device's serial number, to a
select few SELinux domains which need the access. In particular, this
removes access to these properties from Android apps. Apps can access
the serial number via the public android.os.Build API. System
properties are not public API for apps.

The reason for the restriction is that serial number is a globally
unique identifier which cannot be reset by the user. Thus, it can be
used as a super-cookie by apps. Apps need to wean themselves off of
identifiers not resettable by the user.

Test: Set up fresh GMS device, install some apps via Play, update some apps, use Chrome
Test: Access the device via ADB (ADBD exposes serial number)
Test: Enable MTP over USB, use mtp-detect to confirm that serial number is reported in MTP DeviceInfo
Bug: 31402365
Bug: 33700679
Change-Id: I4713133b8d78dbc63d8272503e80cd2ffd63a2a7
2016-12-22 11:38:29 -08:00
Mark Salyzyn
da62cb4dda logcat: introduce split to logd and logpersist domains
- transition to logpersist from init
- sort some overlapping negative references
- intention is to allow logpersist to be used by vendor
  userdebug logging

Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests
Bug: 30566487
Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
2016-12-20 20:31:03 +00:00
Treehugger Robot
4134a4c171 Merge "Add coverage service." 2016-12-20 19:51:59 +00:00
Alex Klyubin
e392020b34 Clarify what determines precedence rules in seapp_contexts
Test: It's a comment -- no impact on build
Change-Id: Ibd7ff0dcd9d4c3d526ca20ab35dd4bac70d14f0a
2016-12-19 11:07:53 -08:00
Allen Hair
2328fec710 Add coverage service.
Bug: 31077138
Test: Device boots, coverage service works when tested manually.
Change-Id: Ia855cfefd5c25be5d1d8db48908c04b3616b5504
2016-12-19 11:04:33 -08:00
Sandeep Patil
c82cf89f5f hal_health: express the sepolicy as attribute
Bug: http://b/32905206

Test: Boot sailfish and no new selinux failures observed in logs

Change-Id: Id9a46180074a61f8cf8d176a7b2ebc995a13b9f9
Signed-off-by: Sandeep Patil <sspatil@google.com>
2016-12-17 16:17:36 +00:00
Steven Moreland
d86a30a273 Add hal_dumpstate attribute.
- Also allow dumpstate to talk to hal_dumpstate.

Bug: 31982882
Test: compiles
Change-Id: Ib9cf0027ee7e71fa40b9ccc29fc8dccea6977e5c
2016-12-16 10:48:32 -08:00
Sandeep Patil
137a13d5f5 healthd: restore healthd sepolicy for charger mode
Test: Boot charge-only and android on sailfish

Bug: https://b/33672744

Change-Id: I6a25e90a716ec0ca46b5ba5edad860aa0eebafef
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 3b25e38410)
2016-12-15 18:17:13 -08:00
Sandeep Patil
60e8886c1f health: add sepolicy for health hal service
Test: tested with default health HAL on angler running as service.
Bug: b/32754732

Change-Id: Ie0b70d43cb23cd0878e1b7b99b9bebdbd70d17c7
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit ef62fd9159)
2016-12-15 18:17:13 -08:00
Sandeep Patil
dc08245c3f healthd: create SEPolicy for 'charger' and reduce healthd's scope
healthd is being split into 'charger' and 'healthd' processes, that
will never run together. 'charger' is to be run only in charge-only
and recovery, while healthd runs with Android.

While they both share much of battery monitoring code, they both now
have reduced scope. E.g. 'charger', doesn't need to use binder anymore
and healthd doesn't need to do charging ui animation. So, amend the
SEPolicy for healthd to reduce it's scope and add a new one for charger.

Test: Tested all modes {recovery, charger-only, android} with new policy

Change-Id: If7f81875c605f7f07da4d23a313f308b9dde9ce8
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit c73d0022ad)
2016-12-15 18:17:13 -08:00
Steven Moreland
5b8d87b239 Merge "All hal policies expressed as attributes." 2016-12-15 17:10:26 +00:00
Nick Kralevich
bb9a388840 Assign a label to the ro.boottime.* properties
system/core commit 331cf2fb7c16b5b25064f8d2f00284105a9b413f created a
number of new properties of the form:

  [ro.boottime.init]: [5294587604]
  [ro.boottime.InputEventFind]: [10278767840]
  [ro.boottime.adbd]: [8359267180]
  ...

These properties were assigned the default_prop SELinux label because a
better label did not exist. Properties labeled with the default_prop
label are readable to any SELinux domain, which is overly broad.

  bullhead:/ $ getprop -Z ro.boottime.adbd
  u:object_r:default_prop:s0

Instead, create a new label for the ro.boottime.* properties so we can
apply more fine grain read access control to these properties.

  bullhead:/ $ getprop -Z ro.boottime.adbd
  u:object_r:boottime_prop:s0

New SELinux property labels have minimal permissions by default. As a
result, after this change, ro.boottime.* properties will only be
readable to system_server, bootstat, init (because it manages the property
space), and "adb root" (because no SELinux permissions are enforced there).

Additional read access can be granted as-needed.

This is part of a larger effort to implement fine-grain access control
on the properties managed by init.

Test: Device boots and no SELinux denials on boot.
Change-Id: Ibf981cb81898f4356fdc5c1b6f15dd93c0d6d84d
2016-12-14 13:45:01 -08:00
Steven Moreland
29eed9faea All hal policies expressed as attributes.
Bug: 32123421
Bug: 32905206

Test: compiles, nfc works
Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d
2016-12-13 17:18:27 -08:00
Connor O'Brien
a95c52e347 Add sepolicy for consumerir HIDL HAL
Test: logging confirms service runs on boot
Change-Id: If86fa7daf4a626b3e04fa0d2677d4cb590eb71ce
Signed-off-by: Connor O'Brien <connoro@google.com>
2016-12-13 15:23:13 -08:00
Treehugger Robot
1282df7c7a Merge "Split policy for on-device compilation." 2016-12-13 23:03:50 +00:00
dcashman
1faa644c81 Split policy for on-device compilation.
Simulate platform and non-platform split by sending the split files to the
device to be compiled by init.

Bug: 31363362
Test: Policy builds on-device and boots.  sediff shows no difference.
Change-Id: I9627d1c66ca37786d97a049666278a4992ad7579
2016-12-13 10:06:12 -08:00
Jeff Sharkey
52da39d9a4 Partially revert "mediaprovider" SELinux domain.
The new domain wasn't fully tested, and it caused many regressions
on the daily build.  Revert back to using "priv_app" domain until we
can fully test and re-land the new domain.

Temporarily add the USB functionfs capabilities to priv_app domain
to keep remainder of MtpService changes working; 33574909 is tracking
removing that from the priv_app domain.

Test: builds, boots, verified UI and downloads
Bug: 33569176, 33568261, 33574909
Change-Id: I1bd0561d52870df0fe488e59ae8307b89978a9cb
2016-12-13 09:34:03 -07:00
Jerry Zhang
f921dd9cad Move MediaProvider to its own domain, add new MtpServer permissions
Also move necessary priv_app permissions into MediaProvider domain and
remove MediaProvider specific permissions from priv_app.

The new MtpServer permissions fix the following denials:

avc: denied { write } for comm=6D747020666673206F70656E name="ep0" dev="functionfs" ino=12326 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1

denial from setting property sys.usb.ffs.mtp.ready, context priv_app

Bug: 30976142
Test: Manual, verify permissions are allowed
Change-Id: I4e66c5a8b36be21cdb726b5d00c1ec99c54a4aa4
2016-12-12 11:05:33 -08:00
Treehugger Robot
294d1db44d Merge "Move hci_attach to hikey" 2016-12-12 16:31:34 +00:00
Jeff Sharkey
cb4f5b3c5d Merge "installd has moved on to Binder; goodbye socket!" 2016-12-10 22:54:52 +00:00
Nick Kralevich
4394b2c0a6 Move hci_attach to hikey
This is unused by core policy and by any device policy except for hikey.

Test: device boots
Test: no denials ever collected
Change-Id: I36a6790499e4aeedd808457b43fd72370fa48e53
2016-12-09 22:17:18 -08:00
Nick Kralevich
b56e6ef894 Whitespace fix
Because I'm nitpicky.

Test: policy compiles
Change-Id: I4d886d0d6182d29d7b260cf1f142c47cd32eda29
2016-12-09 20:14:31 -08:00
Jeff Sharkey
8b1d45201d installd has moved on to Binder; goodbye socket!
After a series of recent commits, installd has fully migrated over
to Binder, and all socket-based communication has been removed.

Test: builds, boots, apps install fine, pre-OTA dexopt works
Bug: 13758960, 30944031
Change-Id: Ia67b6260de58240d057c99b1bbd782b44376dfb5
2016-12-09 15:39:37 -07:00
dcashman
3e8dbf01ef Restore app_domain macro and move to private use.
app_domain was split up in commit: 2e00e6373f to
enable compilation by hiding type_transition rules from public policy.  These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware.  Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.

(cherry-pick of commit: 76035ea019)

Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
2016-12-08 14:42:43 -08:00
dcashman
0c8ad1dc94 Fix build.
Make all platform tyeps public to start to prevent build breakage in any devices
that may have device-specific policy using these types.  Future changes will
need to be carefully made to ensure we properly limit types for use by
non-platform policy.

Test: Builds
Change-Id: I7349940d5b5a57357bc7c16f66925dee1d030eb6
2016-12-06 16:49:25 -08:00
dcashman
2e00e6373f sepolicy: add version_policy tool and version non-platform policy.
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-12-06 08:56:02 -08:00
Jeff Sharkey
e160d14ed1 Rules for new installd Binder interface.
Most of this CL mirrors what we've already done for the "netd" Binder
interface, while sorting a few lists alphabetically.

Migrating installd to Binder will allow us to get rid of one of
the few lingering text-based command protocols, improving system
maintainability and security.

Test: builds, boots
Bug: 13758960, 30944031
Change-Id: I59b89f916fd12e22f9813ace6673be38314c97b7
2016-12-05 15:15:42 -07:00
Max
c27c23fbdb /dev/port does not seem to be used, adding in rules to confirm.
Only init and ueventd have any access to /dev/port, and neither should
have any use for it. As it stands, leaving port in just represents
additional attack surface with no useful functionality, so it should be
removed if possible, not only from Pixel devices, but from all Android
devices.

Test: The phone boots successfully

Bug:33301618
Change-Id: Iedc51590f1ffda02444587d647889ead9bdece3f
2016-12-04 16:46:11 -08:00
Ray Essick
090f4a4d9f Allow access to mediaanalytics service
media framework analytics are gathered in a separate service.
define a context for this new service, allow various
media-related services and libraries to access this new service.

Bug: 30267133
Test: ran media CTS, watched for selinux denials.
Change-Id: I5aa5aaa5aa9e82465b8024f87ed32d6ba4db35ca
2016-12-03 00:06:20 +00:00
Nick Kralevich
d314376da9 label /bugreports
/data/bugreports is moving to /bugreports

Bug: 27262109
Bug: 27204904
Bug: 32799236
Test: new symlink is in /bugreports and is labeled correctly
Change-Id: Ib6a492fba8388bf43debad28cfc851679f8c6151
2016-11-22 08:59:08 -08:00
Nick Kralevich
11dc03e5a2 access_vectors: Remove unused permission definitions
Description stolen from
42a9699a9f

Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0.  Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.

Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }

Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }

Test: policy compiles and no boot errors (marlin)
Change-Id: Idaef2567666f80db39c3e3cee70e760e1dac73ec
2016-11-21 23:41:18 +00:00
Nick Kralevich
5eadcb8cb1 Collapse urandom_device into random_device
urandom_device and random_device have the exact same security
properties. Collapse them into one type.

Test: device boots and /dev/urandom is labeled correctly.
Change-Id: I12da30749291bc5e37d99bc9422bb86cb58cec41
2016-11-21 16:37:07 +00:00
dcashman
3319d5ee16 Move hal_light to attribute.
HAL policy defines how the platform and a given HAL interact, but not how the
HAL is implemented.  This policy should be represented as an attribute that all
processes implementing the HAL can include.

Bug: 32123421
Test: Builds.
Change-Id: I17e5612c0835773c28e14f09e2ce7bdc3f210c15
2016-11-18 08:40:04 -08:00
Chia-I Wu
fb08872a40 Add sepolicy for hwcomposer HAL
Allow SurfaceFlinger to call into IComposer, and vice versa for
IComposerCallback.

Specifically,

hwbinder_use(...) for
avc: denied { call } for scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { transfer } for scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1

binder_call(..., surfaceflinger) for
avc: denied { call } for scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:surfaceflinger:s0 tclass=binder permissive=1

allow ... gpu_device:chr_file rw_file_perms for
avc: denied { read write } for name="kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { open } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 ioctlcmd=940 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1

allow ... ion_device:chr_file r_file_perms for
avc: denied { ioctl } for path="/dev/ion" dev="tmpfs" ino=15014 ioctlcmd=4900 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1

allow ... graphics_device ... for
avc: denied { ioctl } for path="/dev/graphics/fb0" dev="tmpfs" ino=15121 ioctlcmd=5380 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file permissive=1

allow ... ...:fd use for
avc: denied { use } for path="anon_inode:dmabuf" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:hal_graphics_allocator_service:s0 tclass=fd permissive=1
avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:bootanim:s0 tclass=fd permissive=1
avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:surfaceflinger:s0 tclass=fd permissive=1
avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=fd permissive=1

binder_call(surfaceflinger, ...) for
avc: denied { call } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=binder permissive=1
avc: denied { transfer } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=binder permissive=1
avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 ioctlcmd=3e02 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=fd permissive=1
avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=fd permissive=1

allow bootanim ...:fd use for
avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=11947 scontext=u:r:bootanim:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=fd permissive=1

Bug: 32021609
Test: make bootimage
Change-Id: I036cdbebf0c619fef7559f294f1865f381b17588
2016-11-14 01:10:02 +00:00
Chia-I Wu
dd958e5a21 Add sepolicy for gralloc-alloc HAL
Allow SurfaceFlinger to call into IAllocator, and allow everyone to access
IAllocator's fd.

Specifically,

hwbinder_use(...) for
avc: denied { call } for scontext=u:r:hal_graphics_allocator:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { transfer } for scontext=u:r:hal_graphics_allocator:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1

allow ... ion_device:chr_file r_file_perms for
avc: denied { read } for name="ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
avc: denied { open } for path="/dev/ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for path="/dev/ion" dev="tmpfs" ino=15014 ioctlcmd=4900 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1

allow ... gpu_device:chr_file rw_file_perms; for
avc: denied { read write } for name="kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { open } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 ioctlcmd=940 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1

binder_call(surfaceflinger, ...) for
avc: denied { call } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_allocator:s0 tclass=binder permissive=1

allow ... ...:fd use for
avc: denied { use } for path="anon_inode:dmabuf" dev="anon_inodefs" ino=12794 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_allocator:s0 tclass=fd permissive=1

Bug: 32021161
Test: make bootimage
Change-Id: Ie7700142313407ac438c43dd1a85544dc4c67f13
2016-11-14 01:09:51 +00:00
Chad Brubaker
6f090f6911 Label ephemeral APKs and handle their install/uninstall
Fixes: 32061937
Test: install/uninstall and verified no denials
Change-Id: I487727b6b32b1a0fb06ce66ed6dd69db43c8d536
2016-11-12 00:27:28 +00:00
Nick Kralevich
ee751c33c5 property.te: delete security_prop
This property is never used.

Test: policy compiles
Change-Id: I43ace92950e1221754db28548031fbbfc0437d7a
2016-11-11 12:31:19 -08:00
Robert Sesek
dc43f7cd84 Add the "webview_zygote" domain.
The webview_zygote is a new unprivileged zygote and has its own sockets for
listening to fork requests. However the webview_zygote does not run as root
(though it does require certain capabilities) and only allows dyntransition to
the isolated_app domain.

Test: m
Test: angler boots

Bug: 21643067
Change-Id: I89a72ffe6dcb983c4a44048518efd7efb7ed8e83
2016-11-11 10:13:17 -05:00
Jason Monk
0e1cbf568a Add persist.vendor.overlay. to properties
Allow the system_server to change. Allow the zygote to read it as well.

Test: Have system_server set a property
Change-Id: Ie90eec8b733fa7193861026a3a6e0fb0ba5d5318
2016-11-10 17:35:39 -05:00
Polina Bondarenko
9785f2addd sepolicy: Add policy for thermal HIDL service
Bug: 32022261
Test: manual
Change-Id: I664a3b5c37f6a3a36e4e5beb91b384a9599c83f8
2016-11-08 13:34:31 +01:00
Etan Cohen
0182a87dab Merge "[NAN-AWARE] Remove NAN service" 2016-11-06 21:56:05 +00:00
Etan Cohen
8da9cd640b Merge "[NAN-AWARE] Add Aware service" 2016-11-05 04:00:40 +00:00
Etan Cohen
43b96aaf12 [NAN-AWARE] Remove NAN service
Finish NAN -> Aware rename process. Removes old NAN service.

Bug: 32263750
Test: device boots and all Wi-Fi unit-tests pass
Change-Id: I2f0d9595efea2494b56074752194e7a6e66070f2
2016-11-04 13:38:14 -07:00
Etan Cohen
44527cb970 [NAN-AWARE] Add Aware service
Add Aware service - new name for NAN. But do not remove NAN
yet. Enables smooth transition.

Bug: 32263750
Test: device boots and all Wi-Fi unit-tests pass
Change-Id: Ieb9f1ebf1d2f31ee27f228562b4601023da5282d
2016-11-04 13:37:17 -07:00
Ruchi Kandoi
0a924a6e1a hal_memtrack: Add sepolicy for memtrack service.
Bug: 31180823
Test: reduced sepolicy errors
Change-Id: Ibfba2efa903adec340e37abec2afb3b94a262678
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
2016-11-03 13:05:48 -07:00
Ruchi Kandoi
3c30c4e2db hal_power: Add sepolicy for power service.
Bug: 31177288
Test: reduced sepolicy errors
Change-Id: I29556276ee14c341ac8f472875e6b69f903851ff
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
2016-11-03 13:01:48 -07:00
Steven Moreland
1ec710c8ff Sepolicy for light hal.
Bug: 32022100
Test: end to end
Change-Id: I5dd9b64c98a5c549fdaf9e47d5a92fa6963370c7
2016-11-01 21:30:51 +00:00
Dianne Hackborn
11877133ba Allow new settings system service.
Test: N/A
Change-Id: Ib3c85118bf752152f5ca75ec13371073fc2873cc
2016-11-01 21:16:56 +00:00
Felipe Leme
b5f5931e8c Added permissions for the dumpstate service.
- Allow dumpstate to create the dumpservice service.
- Allow System Server and Shell to find that service.
- Don't allow anyone else to create that service.
- Don't allow anyone else to find that service.

BUG: 31636879
Test: manual verification
Change-Id: I642fe873560a2b123e6bafde645467d45a5f5711
2016-11-01 10:43:25 -07:00
Roshan Pius
8224596a32 wifi_hal: Rename to 'hal_wifi'
Renaming the wifi HIDL implementation to 'hal_wifi' from 'wifi_hal_legacy'
to conform with HIDL style guide.

Denials:
01-01 21:55:23.896  2865  2865 I android.hardware.wifi@1.0-service:
wifi_hal_legacy is starting up...
01-01 21:55:23.898  2865  2865 W android.hardware.wifi@1.0-service:
/odm/lib64/hw/ does not exit.
01-01 21:55:23.899  2865  2865 F android.hardware.wifi@1.0-service:
service.cpp:59] Check failed: service->registerAsService("wifi") ==
android::NO_ERROR (service->registerAsService("wifi")=-2147483646,
android::NO_ERROR=0) Failed to register wifi HAL
01-01 21:55:23.899  2865  2865 F libc    : Fatal signal 6 (SIGABRT),
code -6 in tid 2865 (android.hardwar)
01-01 21:55:23.901   377   377 W         : debuggerd: handling request:
pid=2865 uid=2000 gid=2000 tid=2865
01-01 21:55:23.907  2867  2867 E         : debuggerd: Unable to connect
to activity manager (connect failed: Connection refused)
01-01 21:55:23.908  2867  2867 F DEBUG   : *** *** *** *** *** *** ***
*** *** *** *** *** *** *** *** ***
01-01 21:55:23.908  2867  2867 F DEBUG   : Build fingerprint:
'Android/aosp_angler/angler:7.0/NYC/rpius10031052:userdebug/test-keys'
01-01 21:55:23.908  2867  2867 F DEBUG   : Revision: '0'
01-01 21:55:23.908  2867  2867 F DEBUG   : ABI: 'arm64'
01-01 21:55:23.908  2867  2867 F DEBUG   : pid: 2865, tid: 2865, name:
android.hardwar  >>> /system/bin/hw/android.hardware.wifi@1.0-service
<<<
01-01 21:55:23.909  2867  2867 F DEBUG   : signal 6 (SIGABRT), code -6
(SI_TKILL), fault addr --------
01-01 21:55:23.910  2867  2867 F DEBUG   : Abort message:
'service.cpp:59] Check failed: service->registerAsService("wifi") ==
android::NO_ERROR (service->registerAsService("wifi")=-2147483646,
android::NO_ERROR=0) Failed to register wifi HAL'

Bug: 31821133
Test: Compiled and ensured that the selinux denials are no longer
present in logs.
Change-Id: I5bbbcad307e9bb9e59fff87e2926751b3aecc813
2016-10-28 09:00:31 -07:00
Jeff Vander Stoep
27ae545a78 clean up hal types
Bug: 32123421
Test: build Hikey
Change-Id: Iaf02626f3f3a94104c0f9d746c3cf5f20751a27d
2016-10-26 09:50:04 -07:00
Connor O'Brien
2370fc775c sepolicy for boot_control HAL service
Bug: 31864052
Test: Logging confirms service runs on boot
Merged-In: I41e9e5c45d2d42886cdf7ff6d364e9e6e3df1ff4
Change-Id: I41e9e5c45d2d42886cdf7ff6d364e9e6e3df1ff4
Signed-off-by: Connor O'Brien <connoro@google.com>
2016-10-25 13:33:48 -07:00
Mikhail Naganov
2ff6b4da73 Update SELinux policy for audiohal
Change-Id: Iaa9907ed516c947175a59bf49938c0ee03b4f6d1
2016-10-21 09:53:15 -07:00
Treehugger Robot
f5312f8e81 Merge "Creates an autofill system service." 2016-10-21 16:09:31 +00:00
Felipe Leme
8221d59711 Creates an autofill system service.
BUG: 31001899
Test: manual
Change-Id: I8d462b40d931310eab26bafa09645ac88f13fc97
2016-10-20 17:33:27 -07:00
Craig Donner
7ba0485665 sepolicy: Add policy for VR HIDL service.
Test: built and ran on device.
Bug: 31442830
Change-Id: Idd7870b4dd70eed8cd4dc55e292be39ff703edd2
2016-10-20 17:03:54 -07:00
Prashant Malani
2d9d3e6de3 Cleanup and renaming of vibrator HAL sepolicy
Renaming vibrator sepolicy to remove the version number.
Also moving the related binder_call() to maintain alphabetical order.

Bug: 32123421
Change-Id: I2bfa835085519ed10f61ddf74e7e668dd12bda04
Test: booted, and checked vibrate on keypress on bullhead
2016-10-19 09:54:20 -07:00
Prashant Malani
b32b4a112f sepolicy: Add policy for vibrator HIDL service
Fixes the following denials:
avc: denied { open } for pid=7530 comm="android.hardwar" path="/sys/devices/virtual/timed_output/vibrator/enable" dev="sysfs" ino=20519 scontext=u:r:android_hardware_vibrator_1_0_service:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
avc: denied { call } for pid=9173 comm="Binder:7735_C" scontext=u:r:system_server:s0 tcontext=u:r:android_hardware_vibrator_1_0_service:s0 tclass=binder permissive=1

Test: m
Bug: 32021191
Change-Id: I243a86b449794e3c2f0abf91ddcf405eff548d0c
2016-10-13 11:41:30 -07:00
liminghao
b1b872c362 sepolicy: add tune2fs file context.
N/A

Test: builds
Change-Id: I10a53c07f5b56c362cc599a901a2d74d7e96e917
Signed-off-by: liminghao <liminghao@xiaomi.com>
2016-10-11 17:29:37 -06:00
Chad Brubaker
06cf31eb63 Rename autoplay_app to ephemeral_app
Test: Builds and boots
Change-Id: I3db64e12f0390c6940f5745eae83ce7efa7d65a9
2016-10-07 09:52:31 -07:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00