Commit graph

24 commits

Author SHA1 Message Date
Eric Biggers
448bd57181 Remove all module_request rules
Starting in Android 11, Android unconditionally disables kernel module
autoloading (https://r.android.com/1254748) in such a way that even the
SELinux permission does not get checked.  Therefore, all the SELinux
rules that allow or dontaudit the module_request permission are no
longer necessary.  Their presence or absence makes no difference.

Bug: 130424539
Test: Booted Cuttlefish, no SELinux denials.
Change-Id: Ib80e3c8af83478ba2c38d3e8a8ae4e1192786b57
2023-08-22 16:56:04 +00:00
Gabriel Biren
3d0529483b Add supplicant service to the dumpstate
exceptions and dontaudit lists.

wpa_supplicant does not have a dump() method, so
dumpstate shouldn't need to access this HAL.

Bug: 213616004
Test: Treehugger tests
Change-Id: I5a0d80725434b56c9663948c3727faea9fb38db6
2022-01-14 17:17:31 +00:00
Gabriel Biren
4a0673e369 Add SeLinux policy for supplicant AIDL service.
Bug: 196235436
Test: Manual - connect to WiFi
Change-Id: I613a2e7eac620543872a1af7ed477b8d36713b45
2021-11-02 22:24:39 +00:00
Thiébaud Weksteen
9ec532752d Add fusefs_type for FUSE filesystems
Any FUSE filesystem will receive the 'fuse' type when mounted. It is
possible to change this behaviour by specifying the "context=" or
"fscontext=" option in mount().

Because 'fuse' has historically been used only for the emulated storage,
it also received the 'sdcard_type' attribute. Replace the 'sdcard_type'
attribute from 'fuse' with the new 'fusefs_type'. This attribute can be
attached on derived types (such as app_fusefs).

This change:
- Remove the neverallow restriction on this new type. This means any
  custom FUSE implementation can be mounted/unmounted (if the correct
  allow rule is added). See domain.te.
- Change the attribute of 'fuse' from 'sdcard_type' to 'fusefs_type'.
  See file.te.
- Modify all references to 'sdcard_type' to explicitly include 'fuse'
  for compatibility reason.

Bug: 177481425
Bug: 190804537
Test: Build and boot aosp_cf_x86_64_phone-userdebug
Change-Id: Id4e410a049f72647accd4c3cf43eaa55e94c318f
2021-06-28 13:18:46 +02:00
Pavel Grafov
ae69347dbe Merge "Allow wpa_supplicant to access KeyStore2" 2021-03-05 07:03:57 +00:00
Pavel Grafov
b99c1924af Allow wpa_supplicant to access KeyStore2
Bug: 171305388
Test: manual
Change-Id: I98134c41a4923bccf06c14858603fe888ec84633
2021-03-05 00:27:23 +00:00
Marco Ballesio
aa4ce95c6f sepolicy: rules for uid/pid cgroups v2 hierarchy
Bug: 168907513
Test: verified the correct working of the v2 uid/pid hierarchy in normal
and recovery modes

This reverts commit aa8bb3a29b.

Change-Id: Ib344d500ea49b86e862e223ab58a16601eebef47
2021-02-11 23:40:38 +00:00
Janis Danisevskis
df31f20dfe Keystore 2.0: Add wifi namespace to sepolicy.
Add the wifi namespace to sepolicy and allow system_app (Settings) and
wifi_supplicant to manage/use the keys in that namespace

Test: N/A
Bug: 171305388
Change-Id: Ib6af8656b18288a1116c241c2e76d9aea421a889
2021-02-09 08:28:45 -08:00
Marco Ballesio
aa8bb3a29b Revert^3 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
a54bed6907

Bug: 151660495
Test: verified proper boot in regular mode and proper working of adb in
recovery

Change-Id: Id70d27a6162af6ede94661005d80a2a780057089
2021-02-04 22:33:14 +00:00
Marco Ballesio
a54bed6907 Revert^2 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
51c04ac27b

Change-Id: Idc35a84b5faabfb9bdd7a7693f51b11938eb0489
2021-01-27 06:07:48 +00:00
Jonglin Lee
51c04ac27b Revert "sepolicy: rules for uid/pid cgroups v2 hierarchy"
Revert submission 1511692-cgroup v2 uid/pid hierarchy

Reason for revert: Causing intermittent cgroup kernel panics
Reverted Changes:
I80c2a069b:sepolicy: rules for uid/pid cgroups v2 hierarchy
I73f3e767d:libprocessgroup: uid/pid hierarchy for cgroup v2

Bug: 174776875
Change-Id: I63a03bb43d87c9aa564b1436a45fd5ec023aac87
Test: Locally reverted and booted 100 times without kernel panic
2020-12-04 03:12:59 +00:00
Marco Ballesio
f46d7a26c1 sepolicy: rules for uid/pid cgroups v2 hierarchy
the cgroups v2 uid/gid hierarchy will replace cgroup for all sepolicy
rules. For this reason, old rules have to be duplicated to cgroup_v2,
plus some rules must be added to allow the ownership change for cgroup
files created by init and zygote.

Test: booted device, verified correct access from init, system_server
and zygote to the uid/pid cgroup files

Change-Id: I80c2a069b0fb409b442e1160148ddc48e31d6809
2020-11-30 11:46:14 -08:00
Jeff Sharkey
a0e7a6da28 Update language to comply with Android's inclusive language guidance
See https://source.android.com/setup/contribute/respectful-code for reference

Bug: 161896447
Change-Id: I0caf39b349c48e44123775d98c52a773b0b504ff
2020-07-31 12:28:11 -06:00
Steven Moreland
9234e00daf hal_attribute_hwservice_client drop '_client'
Since this attribute just associates a hal_attribute
with a given hwservice in the standard way.

Bug: 80319537
Test: boot + sanity + test for denials
Change-Id: I545de165515387317e6920ce8f5e8c491f9ab24e
2018-06-06 09:30:18 -07:00
Steven Moreland
343e24a1be hal_attribute_hwservice_client += add_hwservice
For sanity, this makes 'hal_attribute_hwservice_client'
be associated with a specific hwservice thus making things
consistent.

After this change, only configstore, hal_allocator, and the
fwk_* services are inconsistent with all other HALs.

Bug: 80319537
Test: boot device, sanity tests, check for denials
Change-Id: Ibffc65c9567a429e07a3dc4dd41117738459dc2a
2018-06-06 09:25:52 -07:00
Steven Moreland
8fc7981885 Find hal_foo_hwservice -> you are hal_foo_client.
Before, it was possible to access a hwservice without declaring
that you were a client.

This introduces the following macro:
hal_attribute_hwservice_client(hal_foo, hal_foo_hwservice)

which makes sure the above implication holds using a neverallow rule.

Bug: 80319537
Test: boot + sanity
Change-Id: Iededae68f14f0f3bd412c1205aa3b650a54d55c6
2018-05-30 16:46:57 -07:00
Jeff Vander Stoep
7a4af30b38 Start the process of locking down proc/net
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.

To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.

Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
    navigate maps, send text message, make voice call, make video call.
    Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest

Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f)
2018-05-04 21:36:33 +00:00
Benjamin Gordon
9b2e0cbeea sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-21 08:34:32 -07:00
Jeff Vander Stoep
d4785c3707 Move platform/vendor data violations to device policy
Sharing data folders by path will be disallowed because it violates
the approved API between platform and vendor components tested by
VTS. Move all violating permissions from core selinux policy to
device specific policy so that we can exempt existing devices from
the ban and enforce it on new devices.

Bug: 34980020
Test: Move permissions. Build and test wifi, wifi AP, nfc, fingerprint
    and Play movies on Marlin and Taimen.
Test: build on Angler, Bullhead, Dragon, Fugu, Marlin, Walleye

Change-Id: Ib6fc9cf1403e74058aaae5a7b0784922f3172b4e
2017-11-20 17:18:56 +00:00
Jeff Vander Stoep
f63759714c wifi_supplicant: refactor permissions
1. remove some duplicate permissions.
2. Grant permissions to su for dgram sockets in a way that is
   consistent to how we grant permissions to stream_sockets.

Bug: 34980020
Test: build
Change-Id: I50e01d51444a70ead3ef40b52eda8eb29732b46c
2017-11-08 14:34:18 -08:00
Alex Klyubin
53656c1742 Restrict access to hwservicemanager
This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494f1)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-21 09:54:53 -07:00
Roshan Pius
9af7c95f86 sepolicy: Add new wifi keystore HAL
Moving the wpa_supplicant interaction from the binder keystore service
to the new wifi keystore HAL.

Denials addressed:
03-29 00:04:52.075   734   734 E SELinux : avc:  denied  { get } for
pid=638 uid=1010 scontext=u:r:hal_wifi_keystore_default:s0
tcontext=u:r:keystore:s0 tclass=keystore_key

Bug: 34603782
Test: Able to connect to wifi passpoint networks. Denials no longer
seen.
Change-Id: I97eb9a4aa9968056a2f1fcc7ce5509ceb62fd41e
2017-03-29 14:07:36 -07:00
Roshan Pius
f27e8f09c2 wpa_supplicant: Remove unnecessary permissions from system_server
Now that the android wifi framework has fully switched over to HIDL,
remove the sepolicy permissions for accessing wpa_supplicant using
socket control interface.

While there, also removed the redundant |hwbinder_use|.

Bug: 35707797
Test: Device boots up and able to connect to wifi networks.
Test: Wifi integration tests passed.
Change-Id: I55e24b852558d1a905b189116879179d62bdc76c
2017-03-22 17:43:38 +00:00
Roshan Pius
a976e64d89 sepolicy: Make wpa_supplicant a HIDL service
Note: The existing rules allowing socket communication will be removed
once we  migrate over to HIDL completely.

(cherry-pick of 2a9595ede2) 
Bug: 34603782
Test: Able to connect to wifi networks.
Test: Will be sending for full wifi integration tests
(go/wifi-test-request)
Change-Id: I9ee238fd0017ec330f6eb67ef9049211f7bd4615
2017-03-07 01:34:28 +00:00