Commit graph

13714 commits

Author SHA1 Message Date
Pavel Maltsev
43e172af66 Move automotive HALs sepolicy to system/
Bug: 70637118
Test: build, flash and boot automotive builds

Change-Id: I6db23258de30174d6db09d241e91b08aa5afedef
Merged-In: I6db23258de30174d6db09d241e91b08aa5afedef
(cherry picked from commit 394dbe34a0)
2018-05-04 21:36:48 +00:00
Pawin Vongmasa
19a74ec88a Put in sepolicies for Codec2.0 services
Test: Builds

Bug: 64121714
Bug: 31973802
Change-Id: Id37be8726a8bb297e35bca494964fdbcc48c6a73
(cherry picked from commit 4be2889477)
2018-05-04 21:36:41 +00:00
Jeff Vander Stoep
7a4af30b38 Start the process of locking down proc/net
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.

To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.

Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
    navigate maps, send text message, make voice call, make video call.
    Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest

Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f)
2018-05-04 21:36:33 +00:00
Roshan Pius
d7b34a48ff sepolicy(hostapd): Add a HIDL interface for hostapd
* Note on cherry-pick: Some of the dependent changes are not in AOSP.
In order to keep hostapd running correctly in AOSP, I've modified this
change to only include policy additions.

Change sepolicy permissions to now classify hostapd as a HAL exposing
HIDL interface.

Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd:
12-27 23:40:55.913  4952  4952 W hostapd : type=1400 audit(0.0:19): avc:
denied { write } for name="hostapd" dev="sda13" ino=4587601
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

01-02 19:07:16.938  5791  5791 W hostapd : type=1400 audit(0.0:31): avc:
denied { search } for name="net" dev="sysfs" ino=30521
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0

Bug: 36646171
Test: Device boots up and able to turn on SoftAp.
Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947
Merged-In: Ibacfcc938deab40096b54b8d0e608d53ca91b947
(cherry picked from commit 5bca3e860d)
2018-05-04 21:36:24 +00:00
android-build-prod (mdb)
8c139df845 Merge "FrameworksServicesTests: allow access to test.sys.boot.reason property" 2018-05-04 21:19:46 +00:00
android-build-prod (mdb)
5d34bbcb5e Merge "Allow lmkd to log to statsd" 2018-05-04 20:11:27 +00:00
Jeffrey Vander Stoep
54f61fe53c Merge "Never expand proc_type attribute" 2018-05-04 20:10:28 +00:00
Dan Cashman
9e4aa226ad Remove dcashman@google.com from OWNERS.
Buh-bye!
Test: none

Change-Id: Ib1917adf03f9e777c7fc4bcb749c34c051176860
2018-05-04 09:42:26 -07:00
Calin Juravle
6ff840033c Merge "Allow system server to record its own profile" 2018-05-04 15:06:24 +00:00
Mark Salyzyn
3443cafa98 FrameworksServicesTests: allow access to test.sys.boot.reason property
com.android.server.power.PowerManagerServiceTest#testGetLastShutdownReasonInternal due to "RuntimeException: failed to set system property"

W/roidJUnitRunner: type=1400 audit(0.0:6): avc: denied { write } for name="property_service" dev="tmpfs" ino=13178 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
W/libc    : Unable to set property "test.sys.boot.reason" to "shutdown,thermal": connection failed; errno=13 (Permission denied)

Had to use precise property definition as com.android.phone accesses
test properties as well.

Test: compile
Bug: 78245377
Change-Id: I2cc810846f8615f2a2fae8e0d4f41de585b7abd7
2018-05-04 07:33:56 -07:00
Jeffrey Vander Stoep
bba94f80bb Merge "Revert "FrameworksServicesTests: allow access to test.sys.boot.reason property"" 2018-05-04 14:25:31 +00:00
Jeff Vander Stoep
a6295412b4 Never expand proc_type attribute
It's used in build-time tests and in CTS.

Bug: 78898770
Test: build user-build
Change-Id: I254bf4d7ed0c0cb029b55110ceec982b84e4a91b
Merged-In: I254bf4d7ed0c0cb029b55110ceec982b84e4a91b
2018-05-04 06:44:58 +00:00
Jeffrey Vander Stoep
9c6749d772 Revert "FrameworksServicesTests: allow access to test.sys.boot.reason property"
This reverts commit 0ab13a8dff.

Reason for revert: broken presubmit tests
https://sponge.corp.google.com/target?show=FAILED&sortBy=STATUS&id=83e847b2-8e30-4417-9b15-8e66af4b2bc3&target=DeviceBootTest

Change-Id: Id173c8e7fa28ba04070f507098f301f076e4aae7
2018-05-04 06:23:42 +00:00
Calin Juravle
71d8467b75 Allow system server to record its own profile
On userdebug builds we can now profile system server without disabling
selinux. This is the final piece, and allows the system server to save its
own profile.

Test: manual, on a device with system server profiling enabled
Bug: 73313191
Change-Id: Iaf9575d3cda19ae4c38f1e20a8e1b9288b7abc83
2018-05-03 20:15:18 -07:00
yro
db2e6085bb Allow lmkd to log to statsd
Bug: 78603347
Test: build and locally tested
Change-Id: Ib9b041af63d1fac7a689b932e7a2b202fa8d0f83
2018-05-03 16:43:03 -07:00
android-build-prod (mdb)
0e055173b1 Merge "FrameworksServicesTests: allow access to test.sys.boot.reason property" 2018-05-03 23:21:58 +00:00
android-build-prod (mdb)
fc9afc4d2b Merge "Sepolicy: Fix system server calling perfprofd" 2018-05-03 20:12:40 +00:00
Tri Vo
59e9d2d8c9 Merge "SELinux type for vendor public libs." 2018-05-03 19:52:58 +00:00
Andreas Gampe
986b9af4fa Sepolicy: Fix system server calling perfprofd
Give all the right permissions to find and send a message to
perfprofd from the system server.

Bug: 73175642
Test: m
Test: manual
Change-Id: I82b63ec097dcd445d9e8169fe0df4398d62ac184
2018-05-03 10:57:30 -07:00
Mark Salyzyn
0ab13a8dff FrameworksServicesTests: allow access to test.sys.boot.reason property
com.android.server.power.PowerManagerServiceTest#testGetLastShutdownReasonInternal due to "RuntimeException: failed to set system property"

W/roidJUnitRunner: type=1400 audit(0.0:6): avc: denied { write } for name="property_service" dev="tmpfs" ino=13178 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
W/libc    : Unable to set property "test.sys.boot.reason" to "shutdown,thermal": connection failed; errno=13 (Permission denied)

Test: compile
Bug: 78245377
Change-Id: Id21436d281bab27823969a9f7e92318d70b5a2d6
2018-05-03 16:45:36 +00:00
Tri Vo
29497b623e SELinux type for vendor public libs.
Vendor public libs are exposed to apps (not system), and their ABI
stability is guaranteed by vendor. Introducing new selinux type so that
we don't conflate concepts of same-process HAL and vendor public lib.
The former is exposed to all domains, while the latter should only be
acessible by apps.

Bug: 76413554
Test: build-only change, policy builds
Change-Id: I89dad351374f46c7fe2726991eb4c05064c37ed5
2018-05-02 14:51:05 -07:00
android-build-prod (mdb)
c4ec97ab1f Merge "tombstoned: allow linking tombstones." 2018-05-02 21:43:03 +00:00
Tri Vo
4bb33bc38f Merge "init: restrict setattr perms to /proc." 2018-05-02 18:18:49 +00:00
android-build-prod (mdb)
65352c904a Merge "Audit generic debugfs access for removal" 2018-05-02 06:00:04 +00:00
Jeff Vander Stoep
621668568a adbd: dontaudit sys_resource denials
avc: denied { sys_resource } for comm="adbd" capability=24
scontext=u:r:adbd:s0 tcontext=u:r:adbd:s0 tclass=capability

Test: build aosp_sailfish-userdebug
Bug: 78935353
Change-Id: I094e54cbd61245d368f3164e30222dfdff902ffa
2018-05-01 23:38:13 +00:00
android-build-prod (mdb)
577b7a5d7b Merge "Only installd and init may relabel app_data_file." 2018-05-01 23:35:16 +00:00
android-build-prod (mdb)
b87d8c0551 Merge "Allow vendor-init-settable for properties used in Android TV" 2018-05-01 22:17:49 +00:00
Maddie Stone
0afa024c28 Only installd and init may relabel app_data_file.
Bug: 78517829
Test: build aosp_sailfish-userdebug
Change-Id: I5e1a97b9fb6fa9ff9fd49e1e664769ae70aeda37
2018-05-01 22:01:57 +00:00
Calin Juravle
922070d82f Merge "Allow profman to resolve symlinks on dirs" 2018-05-01 17:43:20 +00:00
Tri Vo
d0fe17cae4 init: restrict setattr perms to /proc.
Bug: 65643247
Test: device boots without denials from init to proc_*
Change-Id: I44729e791366cdedec27603558b2e929fa414168
2018-04-30 20:45:37 -07:00
android-build-prod (mdb)
92b6793d11 Merge "Setting up sepolicies for statsd planB of listening to its own socket" 2018-05-01 02:20:46 +00:00
Calin Juravle
73d8d12cac Allow profman to resolve symlinks on dirs
When opening the dex files we sometime need to check for the real location
of the file (even if it was open via an fd).

Denial example:

avc: denied { getattr } for comm="profman" path="/data/app" dev="sda13"
ino=1048577 scontext=u:r:profman:s0 tcontext=u:object_r:apk_data_file:s0
tclass=dir permissive=0

Test: verify we get no denials when taking a profile snapshot.
Bug: 77922323

(cherry picked from commit 9e80bfc880)

Change-Id: I934170a67640bb8534c123848468c0861b245eeb
2018-04-30 17:38:15 -07:00
android-build-prod (mdb)
4f433a040a Merge "Enforce parent hal attribute hierarchy." 2018-04-30 19:40:12 +00:00
Andreas Gampe
006e160b1a Sepolicy: Modify postinstall_dexopt
Grant fsetid as it was done for installd. Suppress write to
profile files.

Bug: 77958490
Test: m
Test: manual
Change-Id: I33f47db7c16f0eda41ffdb526cf43f8fa9484c62
2018-04-30 09:52:54 -07:00
Jaekyun Seok
18aaaad937 Allow vendor-init-settable for properties used in Android TV
The following properties will be whitelisted.
- ro.hdmi.device_type, ro.hdmi.wake_on_hotplug and
persist.sys.hdmi.keep_awake for hdmi
- ro.sf.disable_triple_buffer for SurfaceFlinger
- media.stagefright.cache-params and persist.sys.media.avsync for
nuplayer

Bug: 78205669
Bug: 78430613
Test: succeeded building
Change-Id: I5ee1a1de72c265bca87aa041c6acd9554f5f8c07
2018-04-30 08:49:57 +09:00
Jeff Vander Stoep
72edbb3e83 Audit generic debugfs access for removal
Bug: 78784387
Test: adb bugreport with no "granted" messages.
Change-Id: Iaea67f356a47a9fbf6b8649fc8e8dad772996ba7
2018-04-27 13:46:34 -07:00
Paul Crowley
8096639792 Allow vold_prepare_subdirs to delete more files.
Bug: 78591623
Test: Create a new user with a fingerprint. Reboot. Delete that user.
    Check for denials, files left over in /data/*_{c,d}e/10
Merged-In: Ib818e112a98c5b954ee829e93ebd69c3b12940cf
Change-Id: Ib818e112a98c5b954ee829e93ebd69c3b12940cf
2018-04-26 15:26:11 -07:00
android-build-prod (mdb)
c58f3de7e5 Merge "app: removed unused /dev/ion write permissions" 2018-04-26 21:18:46 +00:00
Steven Moreland
8a52c98455 Enforce parent hal attribute hierarchy.
In order to support passthrough + binderized implementations
with a simple switch, there is a hierarchy of attributes for
different hal servers.

           /------- hal_X --------\
           |               **     |
           v                      v
      hal_X_client           hal_X_server
           |                      |
           |                      |
           v                      v
    halclientdomain        halserverdomain

** - hal_X -> hal_X_server is only on non-Treble devices. This
  is because on these devices, certain HALs are allowed to be
  loaded directly into the client process in "passthrough" mode
  as was the case in Android before Android O. This is a legacy
  compatibility mode. On Treble devices, any client can also be
  hal_X just by virtue of a server being able to also be a hal
  client.

There is also one exception to this rule. su is not given every
hal_* permission. If it is given all of these permissions on
non-Treble devices, it must be added as an exemption to many
other neverallow rules. As a sideeffect (which existed before
this patch), su is not allowed to talk directly to all hardware
on non-Treble devices as with Treble devices.

Fixes: 34180936
Test: compile only (neverallow rules are resolved at compile time)

Change-Id: I47122daf95acd49cadaf8b7664e56268dac78945
2018-04-26 20:52:21 +00:00
Jeff Vander Stoep
c20ba5bd68 app: removed unused /dev/ion write permissions
The /dev/ion driver's file operations structure does not specify a
write operation. Granting write is meaningless. This audit statement
has been around since Android Oreo and logs collected from dogfooders
shows that no apps are attempting to open the file with write
permissions.

Bug: 28760354
Test: build
Test: verify no "granted" messages from dogfood devices.
Change-Id: Id4f3540bba8c9f30f9d912f7a7473933be779cbb
2018-04-26 11:16:53 -07:00
android-build-prod (mdb)
aa2185bba6 Merge "searchpolicy depends on FcSort" 2018-04-26 15:27:27 +00:00
android-build-prod (mdb)
82a9051bc2 Merge "vendor_init: allow stat() of /data dir" 2018-04-26 15:12:52 +00:00
Alan Stokes
72ed615228 Allow wpa_supplicant to write to files in /proc/net.
This is needed for interface configuration - see e.g. nl80211_configure_data_frame_filters.

Bug: 77903086
Test: WiFi still working

Change-Id: I4b5e2b59eeeb6d0ac19dbcbcf0e7e80942247893
2018-04-26 16:00:49 +01:00
Jeff Vander Stoep
4cd7aa5969 vendor_init: allow stat() of /data dir
avc: denied { getattr } for path="/data" scontext=u:r:vendor_init:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1

Bug: 78345561
Test: build/boot device. Denial is gone.
Change-Id: Ie858f1fe65aeb1845b00a5143c345e81aa2ec632
(cherry picked from commit 6f8d2628b3)
2018-04-25 22:23:07 -07:00
yro
64c7a758b4 Setting up sepolicies for statsd planB of listening to its own socket
Test: manual
Bug: 78318738
Change-Id: I45c3511860fbe6a1de45c6930052a8865b38986a
2018-04-25 02:20:36 -07:00
Zheng Zhang
3623c2b6c0 Allow mediaserver to access vendor_app_file
Currently, when vendor APK try to use MediaPlayer to play its audio
resource, it would fail due to this neverallow rules.

avc: denied { read } for path="/vendor/app/TicFitness/TicFitness.apk" dev="dm-1" ino=183 scontext=u:r:mediaserver:s0 tcontext=u:object_r:vendor_app_file:s0 tclass=file permissive=0

Bug: 78436043
Change-Id: Id910184c16955f9e4e4c8d3bb6eca2253ab59063
2018-04-25 06:00:59 +00:00
Jeff Vander Stoep
3a3756feee searchpolicy depends on FcSort
Bug: 77965486
Test: run cts -m CtsSecurityHostTestCases -t
    android.cts.security.FileSystemPermissionTest#testDevHwRandomPermissions

Change-Id: Ib5965649e9b2b4bb0259383374dfac76cc0a8bd5
(cherry picked from commit cc541a80c3)
2018-04-24 14:12:50 -07:00
Treehugger Robot
fd87a92acf Merge "Track otapreopt_chroot postinstall_file SELinux denial." 2018-04-24 19:21:54 +00:00
Joel Galenson
5c87b8797b Track otapreopt_chroot postinstall_file SELinux denial.
Bug: 75287236
Test: Built policy.
Change-Id: I90301c33fd8c20e96cfbb424eaf80978e79c34f0
2018-04-24 10:25:22 -07:00
Paul Crowley
42bd1638bf Add metadata_file class for root of metadata folder.
Bug: 77335096
Test: booted device with metadata encryption and without
Change-Id: I5bc5d46deb4e91912725c4887fde0c3a41c9fc91
2018-04-23 14:14:49 -07:00