The Android security model guarantees the confidentiality and integrity
of application data and execution state. Ptrace bypasses those
confidentiality guarantees. Disallow ptrace access from system components
to apps. Crash_dump is excluded, as it needs ptrace access to
produce stack traces.
Bug: 111317528
Test: code compiles
Change-Id: I883df49d3e9bca62952c3b33d1c691786dd7df4d
build_test_only is used to denote rules that should not verified
as part of compliance testing.
Use this macro to exclude neverallow rules which we want to check as
part of build, but not CTS.
Bug: 80499271
Test: SELinuxNeverallowRulesTest on walleye has no more failure of type
"Type or attribute * used in neverallow undefined in policy being checked."
Number of failing test cases is reduced by 142.
Test: policy.conf used to check neverallows at build-time still retains
all neverallow rules.
Change-Id: I5f1b383d9096bb5a7b8c0f1bc008b5dd07419580
Since this attribute just associates a hal_attribute
with a given hwservice in the standard way.
Bug: 80319537
Test: boot + sanity + test for denials
Change-Id: I545de165515387317e6920ce8f5e8c491f9ab24e
For sanity, this makes 'hal_attribute_hwservice_client'
be associated with a specific hwservice thus making things
consistent.
After this change, only configstore, hal_allocator, and the
fwk_* services are inconsistent with all other HALs.
Bug: 80319537
Test: boot device, sanity tests, check for denials
Change-Id: Ibffc65c9567a429e07a3dc4dd41117738459dc2a
Before, it was possible to access a hwservice without declaring
that you were a client.
This introduces the following macro:
hal_attribute_hwservice_client(hal_foo, hal_foo_hwservice)
which makes sure the above implication holds using a neverallow rule.
Bug: 80319537
Test: boot + sanity
Change-Id: Iededae68f14f0f3bd412c1205aa3b650a54d55c6
In order to support passthrough + binderized implementations
with a simple switch, there is a hierarchy of attributes for
different hal servers.
/------- hal_X --------\
| ** |
v v
hal_X_client hal_X_server
| |
| |
v v
halclientdomain halserverdomain
** - hal_X -> hal_X_server is only on non-Treble devices. This
is because on these devices, certain HALs are allowed to be
loaded directly into the client process in "passthrough" mode
as was the case in Android before Android O. This is a legacy
compatibility mode. On Treble devices, any client can also be
hal_X just by virtue of a server being able to also be a hal
client.
There is also one exception to this rule. su is not given every
hal_* permission. If it is given all of these permissions on
non-Treble devices, it must be added as an exemption to many
other neverallow rules. As a sideeffect (which existed before
this patch), su is not allowed to talk directly to all hardware
on non-Treble devices as with Treble devices.
Fixes: 34180936
Test: compile only (neverallow rules are resolved at compile time)
Change-Id: I47122daf95acd49cadaf8b7664e56268dac78945
The ConfirmationUI API has a callback interface by which confirmation
results are presented to the calling app. This requires keystore to call
into apps.
Test: Device boots and no more denials when call back is delivered to
apps.
Bug: 63928580
Change-Id: Ie23211aeb74c39956c3c3b8b32843d35afa1315a
aosp/605217 adds the following lines:
genfscon tracefs /options/print-tgid u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/print-tgid u:object_r:debugfs_tracing:s0
However, the m4 pre-processing step of selinux policy compilation outputs:
genfscon tracefs /options/-tgid u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/-tgid u:object_r:debugfs_tracing:s0
And as a result of the "print" it prints:
m4: system/sepolicy/private/genfs_contexts: 177:
m4: system/sepolicy/private/genfs_contexts: 203:
Due to the following macro:
https://android.googlesource.com/platform/system/sepolicy/+/oreo-mr1-dev/public/te_macros#580
This change removes the now-deprecated print macro to unblock
aosp/605217.
Bug: 72862003
Test: verify that the m4 output for aosp/605217 is correct.
Change-Id: Ia4ec96e16b98e8df241cceb64e3f3b7bea9a7f3d
This CL lists all the exported platform properties in
private/exported_property_contexts.
Additionally accessing core_property_type from vendor components is
restricted.
Instead public_readable_property_type is used to allow vendor components
to read exported platform properties, and accessibility from
vendor_init is also specified explicitly.
Note that whitelisting would be applied only if
PRODUCT_COMPATIBLE_PROPERTY is set on.
Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e
Commit 7688161 "hal_*_(client|server) => hal(client|server)domain"
added neverallow rules on hal_*_client attributes while simultaneously
expanding these attribute which causes them to fail CTS neverallow
tests. Remove these neverallow rules as they do not impose specific
security properties that we want to enforce.
Modify Other neverallow failures which were imposed on hal_foo
attributes and should have been enforced on hal_foo_server attributes
instead.
Bug: 69566734
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
android.cts.security.SELinuxNeverallowRulesTest
CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed
remaining failure appears to be caused by b/68133473
Test: build taimen-user/userdebug
Change-Id: I619e71529e078235ed30dc06c60e6e448310fdbc
This reverts commit ed876a5e96.
Fixes user builds.
libsepol.report_failure: neverallow on line 513 of system/sepolicy/public/domain.te (or line 9149 of policy.conf) violated by allow update_verifier misc_block_device:blk_file { ioctl read write lock append open };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
Bug: 69566734
Test: build taimen-user
Change-Id: I969b7539dce547f020918ddc3e17208fc98385c4
Commit 7688161 "hal_*_(client|server) => hal(client|server)domain"
added neverallow rules on hal_*_client attributes while simultaneously
expanding these attribute which causes them to fail CTS neverallow
tests. Remove these neverallow rules as they do not impose specific
security properties that we want to enforce.
Modify Other neverallow failures which were imposed on hal_foo
attributes and should have been enforced on hal_foo_server attributes
instead.
Bug: 69566734
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
android.cts.security.SELinuxNeverallowRulesTest
CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed
remaining failure appears to be caused by b/68133473
Change-Id: I83dcb33c3a057f126428f88a90b95f3f129d9f0e
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.
This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.
This is essentially:
1. New global_capability_class_set and global_capability2_class_set
that match capability+cap_userns and capability2+cap2_userns,
respectively.
2. s/self:capability/self:global_capability_class_set/g
3. s/self:capability2/self:global_capability2_class_set/g
4. Add cap_userns and cap2_userns to the existing capability_class_set
so that it covers all capabilities. This set was used by several
neverallow and dontaudit rules, and I confirmed that the new
classes are still appropriate.
Test: diff new policy against old and confirm that all new rules add
only cap_userns or cap2_userns;
Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831
Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
domain based tmpfs file access has getattr, read and write.
However newer kernels support map. Add this map permission so they
can use mmap based access.
Test: build test.
Change-Id: I2e128967e10a1332b3c1c908550360a52fbceaf8
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Particularly useful for suppressing selinux logspam for debug-only
permissions.
Bug: 65843095
Test: build, boot, and run tests on user and userdebug builds.
Change-Id: I18ce0b2cf1e96ca037e93309dddb476a150b677f
This patch tries to provide similar functionality as the previous
change made here:
https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/432339/
Only, making sure we add the same map permissions for the vendor
directory.
Signed-off-by: John Stultz <john.stultz@linaro.org>
(cherry picked from commit 24537b2e96)
Bug: 65011018
Test: policy compiles.
Change-Id: I4d0319011ef4ef043134bf299dc4823a6c418717
This patch tries to provide similar functionality as the previous
change made here:
https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/432339/
Only, making sure we add the same map permissions for the vendor
directory.
Change-Id: Ia965df2881cdee8bb5d81278a1eb740def582871
Signed-off-by: John Stultz <john.stultz@linaro.org>
Android uses hidepid=2 to restrict visibility to other /proc entries on
the system. This helps preserve user, application, and system
confidentiality by preventing unauthorized access to application metadata,
and addresses attacks such as
http://www.cs.ucr.edu/~zhiyunq/pub/sec14_android_activity_inference.pdf
Ensure the SELinux (weaker) equivalent is being enforced by adding
neverallow compile time assertions.
TODO: The "shell" user runs as both an Android application, as well as
spawned via adb shell. This was a mistake. We should separate out the
"shell" Android app into it's own SELinux domain. For now, exclude the
shell from this assertion. (The shell Android app is covered by
hidepid=2, so there's no leaking of data, but still, it's over
privileged today and should be cleaned up.
Bug: 23310674
Test: policy compiles. Compile time assertion only.
Change-Id: I0e1a6506b2719aabf7eb8127f046c4ada947ba90
Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap")
added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation). The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific files
for which we need to ensure that every access is revalidated, particularly
useful for scenarios where we expect the file to be relabeled at runtime
in order to reflect state changes (e.g. cross-domain solution, assured
pipeline without data copying). The kernel commit is anticipated to
be included in Linux 4.13.
This change defines map permission for the Android policy. It mirrors
the definition in the kernel classmap by adding it to the common
definitions for files and sockets. This will break compatibility for
kernels that predate the dynamic class/perm mapping support (< 2.6.33);
on such kernels, one would instead need to add map permission
to the end of each file and socket access vector.
This change also adds map permission to the global macro definitions for
file permissions, thereby allowing it in any allow rule that uses these
macros, and to specific rules allowing mapping of files from /system
and executable types. This should cover most cases where it is needed,
although it may still need to be added to specific allow rules when the
global macros are not used.
Test: Policy builds
Change-Id: Iab3ccd2b6587618e68ecab58218838749fe5e7f5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Change fb889f23d "Force expand all hal_* attributes" annotated all
hal_* attributes to be expanded to their associated types. However
some of these attributes are used in CTS for neverallow checking.
Mark these attributes to be preserved.
In addition, remove the hacky workaround introduced in oc-dev
for b/62658302 where extraneous neverallow rules were introduced
to prevent unused or negated attributes from being auto-expanded
from policy.
Bug: 62658302
Bug: 63135903
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
android.cts.security.SELinuxNeverallowRulesTest
armeabi-v7a CtsSecurityHostTestCases completed in 4s.
501 passed, 0 failed, 0 not executed
Merged-In: I989def70a16f66e7a18bef1191510793fbe9cb8c
Change-Id: I989def70a16f66e7a18bef1191510793fbe9cb8c
Due to the massively increased number of attributes in SELinux policy
as part of the treble changes, we have had to remove attributes from
policy for performance reasons. Unfortunately, some attributes are
required to be in policy to ensure that our neverallow rules are being
properly enforced. Usually this is not a problem, since neverallow rules
indicate that an attribute should be kept, but this is not currently the
case when the attribute is part of a negation in a group.
This is particularly problematic with treble since some attributes may
exist for HALs that have no implementation, and thus no types. In
particular, this has caused an issue with the neverallows added in our
macros. Add an extraneous neverallow rule to each of those auto-generated
neverallow rules to make sure that they are not removed from policy, until
the policy compiler is fixed to avoid this. Also add corresponding rules
for other types which have been removed due to no corresponding rules.
Bug: 62591065
Bug: 62658302
Test: Attributes present in policy and CTS passes. sepolicy-analyze also
works on platform-only policy.
Change-Id: Ic3fc034cdbd04a94167f8240cf562297e8d7c762
It appears that selinux requires the write permission to receive
a writable pipe from dumpstate, for unclear reasons. Add the permission
for now.
Bug: http://b/62297059
Test: dumpstate
Merged-In: I0f25682177115aacd5c2203ddc0008228b0380ad
Change-Id: I0f25682177115aacd5c2203ddc0008228b0380ad
(cherry picked from commit 7aa085233a)
It appears that selinux requires the write permission to receive
a writable pipe from dumpstate, for unclear reasons. Add the permission
for now.
Bug: http://b/62297059
Test: dumpstate
Change-Id: I0f25682177115aacd5c2203ddc0008228b0380ad
Specify per-service rules for PDX transport. Now being able to
grant permissions to individual services provided by processes,
not all services of a process.
Also tighter control over which permissions are required for
client and server for individual components of IPC (endpoints,
channels, etc).
Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
Merged-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
Specify per-service rules for PDX transport. Now being able to
grant permissions to individual services provided by processes,
not all services of a process.
Also tighter control over which permissions are required for
client and server for individual components of IPC (endpoints,
channels, etc).
Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
This is needed by linker to be able to load libraries from memfd
which currently generated following denial:
avc: denied { getattr } for path=2F6D656D66643A666F6F626172202864656C6574656429 dev="tmpfs" ino=902079 scontext=u:r:shell:s0 tcontext=u:object_r:shell_tmpfs:s0 tclass=file permissive=0
Bug: http://b/37245203
Bug: http://b/37916741
Test: builds
Change-Id: I5b57b6cada50a62657c8daaaaaa56f1ee9cdb376
(cherry picked from commit a0d3ff8edd)
This is needed by linker to be able to load libraries from memfd
which currently generated following denial:
avc: denied { getattr } for path=2F6D656D66643A666F6F626172202864656C6574656429 dev="tmpfs" ino=902079 scontext=u:r:shell:s0 tcontext=u:object_r:shell_tmpfs:s0 tclass=file permissive=0
Bug: http://b/37245203
Bug: http://b/37916741
Test: builds
Change-Id: I5b57b6cada50a62657c8daaaaaa56f1ee9cdb376
