Commit graph

38 commits

Author SHA1 Message Date
Tri Vo
bfe51254ee shell: remove from system_executes_vendor_violators.
And grant explicit exemption from system_executes_vendor_violators
neverallow rules.

This does not change the policy, but is needed to test the violator
attribute for emptiness.

Bug: 72662597
Test: build sepolicy
Change-Id: Iba79bb42e1381b221fe0dc53470f62f8267a4791
2018-02-07 17:48:28 +00:00
Max Bires
35c363897d Adding write permissions to traceur
Fixing denials that stopped traceur from being able to write to
debugfs_tracing. Also cleaning up general find denials for services that
traceur doesn't have permission to access.

Additionally, labeling /data/local/trace as a trace_data_file in order
to give traceur a UX friendly area to write its traces to now that it
will no longer be a shell user. It will be write/readable by traceur,
and deletable/readable by shell.

Test: Traceur functionality is not being blocked by selinux policy
Bug: 68126425
Change-Id: I201c82975a31094102e90bc81454d3c2a48fae36
2018-01-22 21:06:36 +00:00
Tri Vo
30a3157003 Mark shell as system_executes_vendor_violators.
Bug: 62041836
Test: sailfish sepolicy builds

Change-Id: Iad865fea852ab134dd848688e8870bc71f99788d
2018-01-17 09:39:22 -08:00
Yifan Hong
00ab5d86be Allow shell to start vendor shell
Test: adb shell /vendor/bin/sh
Fixes: 65448858
Change-Id: Ic2c9fa9b7e5bed3e1532f4e545f54a857ea99fc6
2018-01-16 18:28:51 +00:00
Jaekyun Seok
e49714542e Whitelist exported platform properties
This CL lists all the exported platform properties in
private/exported_property_contexts.

Additionally accessing core_property_type from vendor components is
restricted.
Instead public_readable_property_type is used to allow vendor components
to read exported platform properties, and accessibility from
vendor_init is also specified explicitly.

Note that whitelisting would be applied only if
PRODUCT_COMPATIBLE_PROPERTY is set on.

Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e
2018-01-10 16:15:25 +00:00
Tri Vo
f34e592984 shell: directory access to sysfs_net
This will allow bionic cts test to list network interfaces in
/sys/class/net.

Bug: 70537905
Test: adb shell /data/nativetest/bionic-unit-tests/bionic-unit-tests
--gtest_filter=ifaddrs.getifaddrs_interfaces
Change-Id: Ie07425fc54f9101e911962142824697e64d2bc45
2017-12-12 09:41:13 -08:00
Tri Vo
4081fd3993 Label /proc/sys/kernel/pid_max as proc_pid_max.
And give shell domain read access to /proc/sys/kernel/pic_max.

Bug: 69569397
Test: adb shell /data/nativetest/bionic-unit-tests/bionic-unit-tests
--gtest_filter=pthread.pthread_mutex_owner_tid_limit
Change-Id: Ib56c18ed553ad2c2113e6913788a4c00965483cc
2017-11-28 08:42:46 -08:00
Tri Vo
c4ef363006 shell: neverallow access to 'proc' label.
Added access to proc_uptime and proc_asound to address these denials:

avc: denied { read } for name="uptime" dev="proc" ino=4026532080
scontext=u:r:shell:s0 tcontext=u:object_r:proc_uptime:s0 tclass=file
permissive=1

avc: denied { getattr } for path="/proc/asound/version" dev="proc"
ino=4026532017 scontext=u:r:shell:s0 tcontext=u:object_r:proc_asound:s0
tclass=file permissive=1

Bug: 65643247
Test: device boots with no denial from 'shell' domain.
Test: lsmod, ps, top, netstat
Test: No denials triggered from CtsSecurityHostTestCases
Test: external/toybox/run-tests-on-android.sh does not pass, but triggers
no denials from 'shell' domain to 'proc' type.

Change-Id: Ia4c26fd616e33e5962c6707a855dc24e338ec153
2017-11-17 18:39:07 +00:00
Tri Vo
4b829da526 shell: grant access to /proc/version
Addresses this denial during CtsBionicTestCases:
avc: denied { getattr } for path="/proc/version" dev="proc"
ino=4026532359 scontext=u:r:shell:s0 tcontext=u:object_r:proc_version:s0
tclass=file permissive=0

Bug: 68067856
Test: cts-tradefed run commandAndExit cts -m CtsBionicTestCases
--skip-all-system-status-check --primary-abi-only --skip-preconditions
No more denials to /proc/version
Change-Id: I7e927fbaf1a8ce3637e09452cbd50f475176838e
2017-10-23 11:33:43 -07:00
Jeff Vander Stoep
f5ea6145e7 Shell: grant permission to run lsmod
lsmod needs access to /proc/modules

Test: build, run lsmod
Change-Id: Icb6ea6ce791cc6a22c89aa8e90c44749497c8468
2017-10-20 12:38:17 -07:00
Jeff Vander Stoep
a80416e380 shell: grant access to read /proc/filesystems
Addresses the following test failure:
system/extras/tests/kernel.config/nfs_test.cpp:24: Failure
Value of: android::base::ReadFileToString("/proc/filesystems", &fs)
Actual: false
Expected: true

Denial:
avc: denied { read } for name="filesystems" dev="proc"
scontext=u:r:shell:s0 tcontext=u:object_r:proc_filesystems:s0
tclass=file

Bug: 67862327
Test: build
Change-Id: I9ada5404987cb474968afc8cb8d96137ee36c68d
2017-10-17 14:37:56 -07:00
Jeff Vander Stoep
b4c639730b shell: allow reading battery info dirs in /sys
Addresses:
avc: denied { search } for comm="sh" name="bms" dev="sysfs" ino=47908
scontext=u:r:shell:s0 tcontext=u:object_r:sysfs_batteryinfo:s0
tclass=dir

Test: build
Change-Id: I8a0197417c47feefba084e9c75933d28c5f6e5f1
2017-10-13 10:26:44 -07:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Mark Salyzyn
006c2e9934 Switch /data/misc/reboot/last_reboot_reason to persistent property
Switch from /data/misc/reboot/last_reboot_reason to persistent
Android property persist.sys.boot.reason for indicating why the
device is rebooted or shutdown.

Introduce protection for all boot reason properties

Protect the following properties with these labels

ro.boot.bootreason      u:object_r:bootloader_boot_reason_prop:s0
sys.boot.reason         u:object_r:sys_boot_reason_prop:s0
persist.sys.boot.reason u:object_r:last_boot_reason_prop:s0

Setup the current as-need access rules for each.

ToDo: Remove u:object_r:reboot_data_file after internal fixes.

Test: system/core/bootstat/boot_reason_test.sh
Bug: 64687998
Change-Id: I3771c73933e8ae2d94aee936c7a38b6282611b80
2017-08-24 15:19:30 -07:00
Pavel Grafov
6357101acc Merge "Let shell and bugreport read logging related properties." into oc-dev
am: 97903c0567

Change-Id: Ida88d74292875a7f218e84d623d17b6e1286278d
2017-04-21 18:20:36 +00:00
Pavel Grafov
a283ac713c Let shell and bugreport read logging related properties.
Currently ro.device_owner and persist.logd.security aren't accessible
without root, so "adb shell getprop" returns empty reply which is
confusing. Also these properties aren't seen from bugreport unless
their change happened recently.

Bug: 37053313
Test: manual, took bugreport and ran getprop after "adb unroot".
Change-Id: Id41cdabc282f2ebcdfc0ac7fe9df756322a0863d
2017-04-21 16:24:45 +01:00
Neil Fuller
4e941ebbb0 Allow the shell user to run tzdatacheck am: 5684f61fe2 am: 072f386528
am: 162319d0c0

Change-Id: Ifc803d7d645be1ec7bd1d34f05e821a522f797e2
2017-04-20 11:16:47 +00:00
Neil Fuller
5684f61fe2 Allow the shell user to run tzdatacheck
Allow the shell user to run tzdatacheck, which is required
to enable a new host side test.

This change also adds some additional checks to
tzdatacheck.te to ensure that OEMs opening up permissions
further don't accidentally create a security hole.

Bug: 31008728
Test: Ran CTS
Change-Id: I6ebfb467526b6b2ea08f891420eea24c81ed1e36
2017-04-20 09:31:36 +00:00
Martijn Coenen
3ea47b9249 Add hwservice_contexts and support for querying it.
hwservicemanager can check hwservice_contexts files
both from the framework and vendor partitions.

Initially, have a wildcard '*' in hwservice_contexts
that maps to a label that can be added/found from
domain. This needs to be removed when the proper policy
is in place.

Also, grant su/shell access to hwservicemanager list
operations, so tools like 'lshal' continue to work.

Bug: 34454312
Test: Marlin boots
Change-Id: I3a02d97a82458692b528d85c1b8e78b6f82ea1bc
2017-04-12 18:07:12 -07:00
Steven Moreland
f20c6ee7ab Remove hal_binderization_prop
Test: works on internal marlin
Bug: 34274385
Change-Id: Idd35e5cdccb595b4e5994eb1d78fdeece0aec0a6
2017-04-04 10:24:36 -07:00
Steven Moreland
d40474ec55 Remove hal_binderization_prop
Test: works on internal marlin
Bug: 34274385
Change-Id: Idd35e5cdccb595b4e5994eb1d78fdeece0aec0a6
2017-04-04 09:46:45 -07:00
Jeff Vander Stoep
892d1e40ce adbd/shell: grant access to sepolicy for cts
Test: Test: make cts && \
      cts-tradefed run singleCommand cts --skip-device-info \
      --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
      --module CtsSecurityHostTestCases \
      -t android.security.cts.SELinuxHostTest#testNoExemptionsForBinderInVendorBan
      Fails as expected.
Bug: 36002573

Change-Id: I298c526789b25734d5f18666c64497e5d1e181d0
2017-04-03 16:31:09 -07:00
Daniel Nicoara
6907e39aa4 VR: Add sepolicy for VR HWC service
VR HWC is being split out of VR Window Manager. It creates a HW binder
interface used by SurfaceFlinger which implements the HWComposer HAL and
a regular binder interface which will be used by a system app to receive
the SurfaceFlinger output.

Bug: b/36051907
Test: Ran in permissive mode and ensured no permission errors show in
logcat.

Change-Id: If1360bc8fa339a80100124c4e89e69c64b29d2ae
2017-03-31 10:25:53 -04:00
Steven Moreland
867aa27fdf shell.te: hwbinder for lshal
Update shell.te to reflect the fact that hwbinder_user permission is for
lshal, not dumpsys.

Bug: 33382892
Test: pass
Change-Id: I1d298261cea82177436a662afbaa767f00117b16
2017-02-13 15:42:42 -08:00
Nick Bray
084faf0259 Add policies for new services.
Bug: 30989383
Bug: 34731101
Test: manual
Change-Id: Icf9d48568b505c6b788f2f5f456f2d709969fbeb
2017-02-09 15:15:11 -08:00
Joe Onorato
41f93db9de Add incident command and incidentd daemon se policy.
Test: adb shell incident
Bug: 31122534
Change-Id: I4ac9c9ab86867f09b63550707673149fe60f1906
2017-02-07 15:52:07 -08:00
Steven Moreland
cd597cd52a property: add persist.hal.binderization
- Added set_prop to shell so that you can set it from shell.
- Added set_prop to sytem_app so that it can be updated in settings.

Bug: 34256441
Test: can update prop from Settings and shell. nfc and lights work with
ag/1833821 with persist.hal.binderization set to on and off. There are
no additional selinux denials.
Change-Id: I883ca489093c1d56b2efa725c58e6e3f3b81c3aa
2017-01-26 06:06:24 +00:00
Steven Moreland
5fd3626795 shell: hwbinder_use
In order to dump hardware services using dumpsys, dumpsys needs to be
able to talk to the hwservicemanager.

Bug: 33382892
Test: dumpsys --hw works from unrooted shell
Change-Id: I31f0982193991428da465507f93d50646cb38726
2017-01-20 15:40:13 -08:00
Alex Klyubin
cba41e5a06 Enable ADB shell access to ro.serialno
6e4508e625 inadvertently removed access
to ro.serialno and ro.boot.serialno from ADB shell. This is needed for
CTS. This commit thus reinstates the access.

Test: adb shell getprop ro.serialno
Bug: 33700679
Change-Id: I62de44b1631c03fcd64ceabaf33bbaeb869c2851
2016-12-28 17:44:33 -08:00
Mark Salyzyn
da62cb4dda logcat: introduce split to logd and logpersist domains
- transition to logpersist from init
- sort some overlapping negative references
- intention is to allow logpersist to be used by vendor
  userdebug logging

Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests
Bug: 30566487
Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
2016-12-20 20:31:03 +00:00
dcashman
3e8dbf01ef Restore app_domain macro and move to private use.
app_domain was split up in commit: 2e00e6373f to
enable compilation by hiding type_transition rules from public policy.  These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware.  Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.

(cherry-pick of commit: 76035ea019)

Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
2016-12-08 14:42:43 -08:00
Daniel Rosenberg
2a0053b223 Move sdcardfs media_rw_data_file rules to app.te
Test: No media_rw_data_file related app denials
Change-Id: I1a977db09379f9a3e5bc52c597df12f52929ad19
2016-12-06 19:50:21 -08:00
dcashman
2e00e6373f sepolicy: add version_policy tool and version non-platform policy.
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-12-06 08:56:02 -08:00
Jeff Sharkey
e160d14ed1 Rules for new installd Binder interface.
Most of this CL mirrors what we've already done for the "netd" Binder
interface, while sorting a few lists alphabetically.

Migrating installd to Binder will allow us to get rid of one of
the few lingering text-based command protocols, improving system
maintainability and security.

Test: builds, boots
Bug: 13758960, 30944031
Change-Id: I59b89f916fd12e22f9813ace6673be38314c97b7
2016-12-05 15:15:42 -07:00
Max
c27c23fbdb /dev/port does not seem to be used, adding in rules to confirm.
Only init and ueventd have any access to /dev/port, and neither should
have any use for it. As it stands, leaving port in just represents
additional attack surface with no useful functionality, so it should be
removed if possible, not only from Pixel devices, but from all Android
devices.

Test: The phone boots successfully

Bug:33301618
Change-Id: Iedc51590f1ffda02444587d647889ead9bdece3f
2016-12-04 16:46:11 -08:00
Nick Kralevich
c9630dc6a1 shell.te: revoke syslog(2) access to shell user
external/toybox commit a583afc812cf7be74ebab72294c8df485908ff04 started
having dmesg use /dev/kmsg, which is unreadable to the unprivileged
shell user. Revoke syslog(2) to the shell user for consistency.

The kernel dmesg log is a source of kernel pointers, which can leak
kASLR information from the kernel. Restricting access to kernel
information will make attacks against Android more difficult. Having
said that, dmesg information is still available from "adb bugreport", so
this change doesn't completely shutdown kernel info leaks.

This change essentially reverts us to the state we were in between Nov 8
2011 and May 27 2014. During that almost 3 year period, the unprivileged
shell user was unable to access dmesg, and there was only one complaint
during that time.

References:
* https://android.googlesource.com/platform/system/core/+/f9557fb
* https://android.googlesource.com/platform/system/sepolicy/+/f821b5a

TODO: Further unify /dev/kmsg permissions with syslog_read permissions.

Test: policy compiles, no dmesg output
Change-Id: Icfff6f765055bdbbe85f302b781aed2568ef532f
2016-11-16 10:22:51 -08:00
Felipe Leme
b5f5931e8c Added permissions for the dumpstate service.
- Allow dumpstate to create the dumpservice service.
- Allow System Server and Shell to find that service.
- Don't allow anyone else to create that service.
- Don't allow anyone else to find that service.

BUG: 31636879
Test: manual verification
Change-Id: I642fe873560a2b123e6bafde645467d45a5f5711
2016-11-01 10:43:25 -07:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00
Renamed from shell.te (Browse further)