Commit graph

8396 commits

Author SHA1 Message Date
Treehugger Robot
45afc7a68a Merge "Allow bugreport to dump some HAL processes." 2017-03-23 20:51:04 +00:00
Steven Moreland
f20b04efdb Allow bugreport to dump some HAL processes.
Whitelist several hals which can be dumped by bugreports. Don't want to
dump more because of the time it takes and also certain hals have
sensitive data which shouldn't be dumped (i.e. keymaster).

Test: dumps work for given hals
Bug: 36414311
Change-Id: Ic0eddfa95fa33abbc983d3b5161e42c240663f22
2017-03-23 12:19:17 -07:00
Martijn Coenen
4dd14f69cb Merge "Initial sepolicy for vndservicemanager." 2017-03-23 16:22:27 +00:00
Steven Moreland
d3ce5dc38c Allow hals to read hwservicemanager prop.
Test: no relevant denials on marlin while booting
Test: no relevant denials on angler while booting
Bug: 36278706
Change-Id: Ieba79e1c8fca4f74c63bc63e6dd0bdcf59204ca2
2017-03-23 01:50:50 +00:00
Martijn Coenen
e7d8f4c3c8 Initial sepolicy for vndservicemanager.
vndservicemanager is the context manager for binder services
that are solely registered and accessed from vendor processes.

Bug: 36052864
Test: vendorservicemanager runs
Merged-In: Ifbf536932678d0ff13d019635fe6347e185ef387
Change-Id: I430f1762eb83825f6cd4be939a69d46a8ddc80ff
2017-03-23 00:20:43 +00:00
Treehugger Robot
63211f8da2 Merge "Grant additional permissions for ASAN builds" 2017-03-22 22:46:58 +00:00
Treehugger Robot
871e44c456 Merge "dumpstate: allow HALs to read /proc/interrupts" 2017-03-22 22:09:39 +00:00
Treehugger Robot
6456542f3e Merge "hwservicemanager: halserverdomain" 2017-03-22 21:28:46 +00:00
Jeff Vander Stoep
7443484831 Grant additional permissions for ASAN builds
ASAN builds may require additional permissions to launch processes
with ASAN wrappers. In this case, system_server needs permission to
execute /system/bin/sh.

Create with_asan() macro which can be used exclusively on debug
builds. Note this means that ASAN builds with these additional
permission will not pass the security portion of CTS - like any
other debug build.

Addresses:
avc: denied { execute } for name="sh" dev="dm-0" ino=571
scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0
tclass=file

Test: lunch aosp_marlin-userdebug;
      cd system/sepolicy; mm SANITIZE_TARGET=address;
      Verify permissions granted using with_asan() are granted.
Test: lunch aosp_marlin-userdebug;
      cd system/sepolicy; mm;
      Verify permissions granted using with_asan() are not granted.
Test: lunch aosp_marlin-user;
      cd system/sepolicy; mm SANITIZE_TARGET=address;
      Verify permissions granted using with_asan() are not granted.
Bug: 36138508
Change-Id: I6e39ada4bacd71687a593023f16b45bc16cd7ef8
2017-03-22 14:03:07 -07:00
Sandeep Patil
a866a416e9 dumpstate: allow HALs to read /proc/interrupts
/proc/interrupts may be dumped by dumpstate HAL if required.

Bug: 36486169
Test: 'adb shell bugreport' on sailfish

Change-Id: Ifc41a516aeea846bc56b86b064bda555b43c58ed
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-03-22 13:26:03 -07:00
Treehugger Robot
e1a350a035 Merge "wpa_supplicant: Remove unnecessary permissions from system_server" 2017-03-22 20:17:09 +00:00
Treehugger Robot
cc45b87cfa Merge "app.te: prevent locks of files on /system" 2017-03-22 19:14:27 +00:00
Treehugger Robot
bbe7213fa1 Merge "Remove unnecessary binder_call from cameraserver" 2017-03-22 18:16:37 +00:00
Roshan Pius
f27e8f09c2 wpa_supplicant: Remove unnecessary permissions from system_server
Now that the android wifi framework has fully switched over to HIDL,
remove the sepolicy permissions for accessing wpa_supplicant using
socket control interface.

While there, also removed the redundant |hwbinder_use|.

Bug: 35707797
Test: Device boots up and able to connect to wifi networks.
Test: Wifi integration tests passed.
Change-Id: I55e24b852558d1a905b189116879179d62bdc76c
2017-03-22 17:43:38 +00:00
Nick Kralevich
92c44a578c app.te: prevent locks of files on /system
Prevent app domains (processes spawned by zygote) from acquiring
locks on files in /system. In particular, /system/etc/xtables.lock
must never be lockable by applications, as it will block future
iptables commands from running.

Test: device boots and no obvious problems.
Change-Id: Ifd8dc7b117cf4a622b30fd4fffbcab1b76c4421b
2017-03-22 10:35:24 -07:00
Steven Moreland
e91cbcba4e hwservicemanager: halserverdomain
Test: no neverallows triggered
Bug: 36494354
Change-Id: I52e21a9be5400027d4e96a8befdd4faaffb06a93
2017-03-22 08:43:43 -07:00
Treehugger Robot
9d5f97b381 Merge "Fix sepolicy for Gatekeeper HAL" 2017-03-22 00:10:21 +00:00
Alex Klyubin
6de0d9a756 Merge "Remove unused hal_impl_domain macro" 2017-03-21 23:57:55 +00:00
Chad Brubaker
2e7fa9d82f Merge "Disallow access to proc_net for ephemeral_app" 2017-03-21 22:24:31 +00:00
Treehugger Robot
d32665584b Merge "Enforce one HAL per domain." 2017-03-21 21:23:06 +00:00
Alex Klyubin
57ab001530 Remove unnecessary binder_call from cameraserver
This is a follow-up to 9339168688
which added both
hal_client_domain(cameraserver, hal_graphics_allocator) and
binder_call(cameraserver, hal_graphics_allocator). The latter
binder_call rule is no longer needed because it is automatically
granted by virtue of cameraserver being marked as a client of
Graphics Allocator HAL --
see 49274721b3.

Test: Take a photo (both HDR and conventional) using Google Camera
Test: Record video using Google Camera
Test: Record slow motion video using Google Camera
Test: No denials to do with cameraserver and hal_graphics_allocator*
Bug: 34170079
Change-Id: If93fe310fa62923b5107a7e78d158f6e4b4d0b3a
2017-03-21 12:39:13 -07:00
Chad Brubaker
c4a938e75b Disallow access to proc_net for ephemeral_app
Test: Boots, runs
Bug: 32713782
Change-Id: Ia58db3c4c0159482f08e72ef638f3e1736095918
2017-03-21 12:28:49 -07:00
Jeff Vander Stoep
84b96a6b68 Enforce one HAL per domain.
HALs are intended to be limited responsibility and thus limited
permission. In order to enforce this, place limitations on:
1. What processes may transition into a HAL - currently only init
2. What methods may be used to transition into a HAL - no using
   seclabel
3. When HALs exec - only allow exec with a domain transition.

Bug: 36376258
Test: Build aosp_marlin, aosp_bullhead, aosp_dragon. Neverallow rules
      are compile time assertions, so building is a sufficient test.

Change-Id: If4df19ced730324cf1079f7a86ceba7c71374131
2017-03-21 12:16:31 -07:00
Yin-Chia Yeh
1222ece97a Merge "Camera: allow cameraserver access hal_graphics_allocator" 2017-03-21 17:18:38 +00:00
Alex Klyubin
cb839c64db Remove unused hal_impl_domain macro
All previous users of this macro have been switched to
hal_server_domain macro.

Test: no hal_impl_domain in system/sepolicy/ and device/**/sepolicy
Test: mmm system/sepolicy
Bug: 34170079
Change-Id: I4a71b3fd5046c0d215b056f1cae25fe6bda0fb45
2017-03-21 09:50:53 -07:00
Treehugger Robot
cc87732443 Merge "Allow app to access configstore HAL" 2017-03-21 06:16:32 +00:00
Jiyong Park
ed4625f353 Allow app to access configstore HAL
Apps should be able to access the configstore HAL since framework
libraries which are loaded into app process can call configstore.

Letting apps have direct access to this HAL is OK because: 

(1) the API of this HAL does not make clients provide any sensitive 
information to the HAL, which makes it impossible for the HAL to 
disclose sensitive information of its clients when the HAL is 
compromised, 

(2) we will require that this HAL is binderized (i.e., does not run 
inside the process of its clients), 

(3) we will require that this HAL runs in a tight seccomp sandbox 
(this HAL doesn't need much access, if at all) and,

(4) we'll restrict the HALs powers via neverallows.

Test: apps can use configstore hal.

Change-Id: I04836b7318fbc6ef78deff770a22c68ce7745fa9
2017-03-21 06:10:23 +00:00
Alex Klyubin
10184efa95 Merge "Move Graphics Allocator HAL IPC rules to proper location" 2017-03-21 02:15:46 +00:00
Yin-Chia Yeh
9339168688 Camera: allow cameraserver access hal_graphics_allocator
Test: Google camera app snapshot/record/
      slow motion recording
Bug: 36383997
Change-Id: I565fb441aec529464474e0dd0e01dbfe0b167c82
2017-03-20 15:51:08 -07:00
Alex Klyubin
08d6f56649 Switch Allocator HAL policy to _client/_server
This switches Allocator HAL policy to the design which enables us to
identify all SELinux domains which host HALs and all domains which are
clients of HALs.

Allocator HAL is special in the sense that it's assumed to be always
binderized. As a result, rules in Camera HAL target hal_allocator_server
rather than hal_allocator (which would be the server and any client, if
the Allocator HAL runs in passthrough mode).

Test: Device boots up, no new denials
Test: YouTube video plays back
Test: Take photo using Google Camera app, recover a video, record a slow
      motion video
Bug: 34170079
Change-Id: Ifbbca554ec221712361ee6cda94c82f254d84936
2017-03-20 22:18:12 +00:00
Alex Klyubin
49274721b3 Move Graphics Allocator HAL IPC rules to proper location
Every client of Graphics Allocator HAL needs permission to (Hw)Binder
IPC into the HAL.

Test: Device boots, no denials to do with hal_graphics_allocator
      (also, removing the binder_call(hal_graphics_allocator_client,
      hal_graphics_allocator_server) leads to denials)
Test: GUI works, YouTube works
Bug: 34170079

Change-Id: I5c64d966862a125994dab903c2eda5815e336a94
2017-03-20 15:02:20 -07:00
Alex Klyubin
00a03d424f Recovery can use HALs only in passthrough mode
This adjusts the grants for recovery to make it explicit that recovery
can use the Boot Control HAL only in passthrough mode.

Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
      1. make dist
      2. Ensure device has network connectivity
      3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079

Change-Id: I0888816eca4d77939a55a7816e6cae9176713ee5
2017-03-20 13:11:33 -07:00
Treehugger Robot
51a2238c9e Merge "Switch Boot Control HAL policy to _client/_server" 2017-03-20 19:33:55 +00:00
Janis Danisevskis
12e960e6c9 Fix sepolicy for Gatekeeper HAL
This patch fixes Gatekeeper HAL rules.

Bug: 34260418
Test: Device boots with gatekeeper_hal using hwbinder and
      gatekeeperd does not fall back to software.
Change-Id: I6aaacb08faaa7a90506ab569425dc525334c8171
2017-03-20 07:39:33 -07:00
Alex Klyubin
09d13e734d Switch Boot Control HAL policy to _client/_server
This switches Boot Control HAL policy to the design which enables us
to conditionally remove unnecessary rules from domains which are
clients of Boot Control HAL.

Domains which are clients of Boot Control HAL, such as update_server,
are granted rules targeting hal_bootctl only when the Boot Control HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bootctl are not granted to client domains.

Domains which offer a binderized implementation of Boot Control HAL,
such as hal_bootctl_default domain, are always granted rules targeting
hal_bootctl.

P. S. This commit removes direct access to Boot Control HAL from
system_server because system_server is not a client of this HAL. This
commit also removes bootctrl_block_device type which is no longer
used. Finally, boot_control_hal attribute is removed because it is now
covered by the hal_bootctl attribute.

Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
      1. make dist
      2. Ensure device has network connectivity
      3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079
Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf
2017-03-17 17:22:06 -07:00
Treehugger Robot
11ce09bc14 Merge "ppp: Allow specific ioctls on mtp:socket." 2017-03-17 22:53:03 +00:00
Jorge Lucangeli Obes
fd21dc0e1f ppp: Allow specific ioctls on mtp:socket.
The fix for b/35100237 surfaced this error. This SELinux policy
fragment was included only on Marlin, but needs to be included in core
policy.

Bug: 35100237
Test: With https://android-review.googlesource.com/#/c/354292/
Test: Set up PPTP VPN using http://www.vpnbook.com/ on Marlin.
Test: Connect:
03-17 15:41:22.602  3809  3809 I mtpd    : Starting pppd (pppox = 9)
03-17 15:41:22.628  3811  3811 I pppd    : Using PPPoX (socket = 9)
03-17 15:41:22.637  3811  3811 I pppd    : pppd 2.4.7 started by vpn, uid 1016
03-17 15:41:22.639  3811  3811 I pppd    : Using interface ppp0
03-17 15:41:22.639  3811  3811 I pppd    : Connect: ppp0 <-->
03-17 15:41:22.770  3811  3811 I pppd    : CHAP authentication succeeded
03-17 15:41:22.909  3811  3811 I pppd    : MPPE 128-bit stateless compression enabled
03-17 15:41:23.065  3811  3811 I pppd    : local  IP address 172.16.36.113
03-17 15:41:23.065  3811  3811 I pppd    : remote IP address 172.16.36.1
03-17 15:41:23.065  3811  3811 I pppd    : primary   DNS address 8.8.8.8
03-17 15:41:23.065  3811  3811 I pppd    : secondary DNS address 91.239.100.100

Change-Id: I192b4dfc9613d1000f804b9c4ca2727d502a1927
2017-03-17 17:09:19 -04:00
Andreas Gampe
3cc71b09d6 Sepolicy: Allow postinstall to read links
Certain libraries may actually be links. Allow OTA dexopt to read
those links.

Bug: 25612095
Test: m
Change-Id: Iafdb899a750bd8d1ab56e5f6dbc09d836d5440ed
2017-03-17 10:08:52 -07:00
Andreas Gampe
f7c2613eb1 Sepolicy: Allow getattr for otapreopt_slot
Allow getattr on links for otapreopt_slot. It reads links (to the
boot image oat files) when collecting the size of the artifacts
for logging purposes.

Bug: 30832951
Test: m
Change-Id: If97f7a77fc9bf334a4ce8a613c212ec2cfc4c581
2017-03-17 10:05:31 -07:00
Treehugger Robot
37f7ffa388 Merge "Annotate most remaining HALs with _client/_server" 2017-03-17 05:07:15 +00:00
Alex Klyubin
9e6b24c6a5 Annotate most remaining HALs with _client/_server
This switches most remaining HALs to the _client/_server approach.
To unblock efforts blocked on majority of HALs having to use this
model, this change does not remove unnecessary rules from clients of
these HALs. That work will be performed in follow-up commits. This
commit only adds allow rules and thus does not break existing
functionality.

The HALs not yet on the _client/_server model after this commit are:
* Allocator HAL, because it's non-trivial to declare all apps except
  isolated apps as clients of this HAL, which they are.
* Boot HAL, because it's still on the non-attributized model and I'm
  waiting for update_engine folks to answer a couple of questions
  which will let me refactor the policy of this HAL.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: Device boots in recovery mode, no new denials
Bug: 34170079
Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
2017-03-16 19:55:16 -07:00
Calin Juravle
83011a266d Merge "Allow profman to analyze profiles for the secondary dex files" 2017-03-17 00:47:27 +00:00
Mathias Agopian
312e7eaa20 Allow apps to access the graphic allocator HAL
Test: take a screenshot
Test: run CTS ImageReaderTest
Bug: 36194109

(cherry picked from commit 49ed0cd658)

Change-Id: I331bce37b35e30084ba9f7ecd063a344a79c5232
2017-03-16 13:02:27 -07:00
Treehugger Robot
156ccbb227 Merge "Specify intermediates dir for sepolicy" 2017-03-16 17:33:04 +00:00
Treehugger Robot
bfb6a6c5e7 Merge "Allow fd access between mediacodec and bufferhubd" 2017-03-16 04:14:18 +00:00
Calin Juravle
ebcec9b8bb Allow profman to analyze profiles for the secondary dex files
The secondary dex files are application dex files which gets reported
back to the framework when using BaseDexClassLoader.

Also, give dex2oat lock permissions as it needs to lock the profile
during compilation.

Example of SElinux denial:
03-15 12:38:46.967  7529  7529 I profman : type=1400 audit(0.0:225):
avc: denied { read } for
path="/data/data/com.google.android.googlequicksearchbox/files/velour/verified_jars/JDM5LaUbYP1JPOLzJ81GLzg_1.jar.prof"
dev="sda35" ino=877915 scontext=u:r:profman:s0
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1

Test: adb shell cmd package bg-dexopt-job works for sercondary dex files
Bug: 26719109
Change-Id: Ie1890d8e36c062450bd6c54f4399fc0730767dbf
2017-03-15 18:47:13 -07:00
Treehugger Robot
08900a01d0 Merge "Allow system_server binder_call into hal_graphics_allocator" 2017-03-16 01:29:11 +00:00
Jaesoo Lee
d363b0f9eb enabled /sbin/modprobe for recovery mode
This change defines new policy for modprobe (/sbin/modprobe) that should
be used in both recovery and android mode.

Denials:
[   16.986440] c0    437 audit: type=1400 audit(6138546.943:5): avc:
denied  { read } for  pid=437 comm="modprobe" name="modules" dev="proc"
ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1
[   16.986521] c0    437 audit: type=1400 audit(6138546.943:6): avc:
denied  { open } for  pid=437 comm="modprobe" path="/proc/modules"
dev="proc" ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1
[   16.986544] c0    437 audit: type=1400 audit(6138546.943:7): avc:
denied  { getattr } for  pid=437 comm="modprobe" path="/proc/modules"
dev="proc" ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1

Bug: 35633646
Test: Build and tested it works in sailfish recovery. The modprobe is
invoked in init.rc (at the end of 'on init') with following command line

    exec u:r:modprobe:s0 -- /sbin/modprobe -a nilfs2 ftl

Change-Id: Ie70be6f918bea6059f806e2eb38cd48229facafa
2017-03-16 01:19:58 +00:00
Jiwen 'Steve' Cai
eeb0d38037 Allow fd access between mediacodec and bufferhubd
bufferhubd should be able to use sync fence fd from mediacodec; and
mediacodec should be able to use a gralloc buffer fd from the bufferhubd.

Bug: 32213311
Test: Ran exoplayer_demo and verify mediacodec can plumb buffer through
bufferhub.

Change-Id: Id175827c56c33890ecce33865b0b1167d872fc56
2017-03-15 15:56:27 -07:00
Yifan Hong
3107a6c370 Allow system_server binder_call into hal_graphics_allocator
Test: no log spam for graphics allocator
Test: dmesg | audit2allow does not show denial for
hal_graphics_allocator_default
Test: system is responsive after boot (because
      android.hardware.graphics.allocator@2.0::IAllocator getService()
      will not be blocked)

Bug: 36220026
Change-Id: I3e103f88988fe4a94888e92ee8c5b1f27845ad9e
2017-03-15 15:54:50 -07:00