Commit graph

126 commits

Author SHA1 Message Date
Haoxiang Li
741b9cd5ac Sepolicy update for Automotive Display Service
Bug: 140395359
Test: make sepolicy -j
Change-Id: Ib6ddf55210d8a8ee4868359c88e3d177edce9610
Signed-off-by: Changyeon Jo <changyeon@google.com>
2020-01-21 18:43:27 +00:00
David Zeuthen
b8b5da4305 Add SELinux policy for Identity Credential HAL
Bug: 111446262
Test: VtsHalIdentityCredentialTargetTest
Change-Id: Icb5a0d8b24d463a2f1533f8dd3bfa84bf90acc6f
2020-01-14 20:13:39 -05:00
Kenny Root
76ea325a3d Support Resume on Reboot
When an OTA is downloaded, the RecoverySystem can be triggered to store
the user's lock screen knowledge factor in a secure way using the
IRebootEscrow HAL. This will allow the credential encrypted (CE)
storage, keymaster credentials, and possibly others to be unlocked when
the device reboots after an OTA.

Bug: 63928581
Test: make
Test: boot emulator with default implementation
Test: boot Pixel 4 with default implementation
Change-Id: I1f02e7a502478715fd642049da01eb0c01d112f6
2019-12-09 14:25:04 -08:00
Tri Vo
bfcddbe25e sepolicy: remove ashmemd
Bug: 139855428
Test: m selinux_policy
Change-Id: I8d7f66b16be025f7cb9c5269fae6fd7540c2fdc9
2019-09-27 17:43:53 +00:00
Inseob Kim
19b99f18c8 Add attributes for exported properties
This introduces some attributes that can be used to restrict access to
exported properties so that one can easily check from which the
properties can be accessed, and that OEMs can extend their own exported
properties.

Bug: 71814576
Bug: 131162102
Test: boot aosp_cf_x86_phone-userdebug
Test: logcat | grep "avc: "
Change-Id: I6f988ec1cb94fa64563ca6cb91b7702da5d604e3
2019-09-19 05:07:50 +00:00
Jiyong Park
e95c704b6f Access to HALs from untrusted apps is blacklist-based
Before this change, access to HALs from untrusted apps was prohibited
except for the whitelisted ones like the gralloc HAL, the renderscript
HAL, etc. As a result, any HAL that is added by partners can't be
accessed from apps. This sometimes is a big restriction for them when
they want to access their own HALs in the same-process HALs running in
apps. Although this is a vendor-to-vendor communication and thus is not
a Treble violation, that was not allowed because their HALs are not in
the whitelist in AOSP.

This change fixes the problem by doing the access control in the
opposite way; access to HALs are restricted only for the blacklisted
ones.

All the hwservice context that were not in the whitelist are now put
to blacklist.

This change also removes the neverallow rule for the binder access to
the halserverdomain types. This is not needed as the protected
hwservices living in the HAL processes are already not accessible; we
have a neverallow rule for preventing hwservice_manager from finding
those protected hwservices from untrusted apps.

Bug: 139645938
Test: m

Merged-In: I1e63c11143f56217eeec05e2288ae7c91e5fe585
(cherry picked from commit 580375c923)

Change-Id: I4e611091a315ca90e3c181f77dd6a5f61d3a6468
2019-09-06 14:10:38 +09:00
Steven Moreland
b27a746f50 Merge "Remove vintf_service."
am: cacefc6a78

Change-Id: Id30138a0955dc7883d83daa2b655a06efebcaaf7
2019-08-28 19:15:40 -07:00
Steven Moreland
ebc39c37ab Merge "Clarify vendor_service/vintf_service."
am: 961bf003d6

Change-Id: Ibe65d802dff7d54ed1886800568840e0434dd696
2019-08-28 13:27:44 -07:00
Steven Moreland
4bb0a9802a Remove vintf_service.
The only distinction that matters for security is if a service is
served by vendor or not AND which process is allowed to talk to which.

coredomain is allowed to talk to vintf_service OR vendor_service, it's
just that for a non-@VintfStability service user-defined APIs (as
opposed to pingBinder/dump) are restricted.

Bug: 136027762
Test: N/A
Change-Id: If3b047d65ed65e9ee7f9dc69a21b7e23813a7789
2019-08-28 11:32:25 -07:00
Steven Moreland
df0a65785c Clarify vendor_service/vintf_service.
These attributes are intended to be used w/ services using the system
copy of libbinder (for vendor, this is libbinder_ndk).

Switching vndservicemanager users using the libbinder copy of vendor to
be able to use the system copy of libbinder for registration is an open
problem.

Bug: 136027762
Test: N/A
Change-Id: I1d70380edcb39ca8ef2cb98c25617701b67ba7e1
2019-08-27 15:37:11 -07:00
Steven Moreland
88fedc2159 Merge "Reland "Re-open /dev/binder access to all.""
am: aa6793febd

Change-Id: I34360631751c98aab0c34fff9bdcdbae02c52297
2019-08-22 16:15:59 -07:00
Steven Moreland
b75b047f44 Reland "Re-open /dev/binder access to all."
This reverts commit 6b2eaade82.

Reason for revert: reland original CL

Separate runtime infrastructure now makes sure that only Stable AIDL
interfaces are used system<->vendor.

Bug: 136027762
Change-Id: Id5ba44c36a724e2721617de721f7cffbd3b1d7b6
Test: boot device, use /dev/binder from vendor
2019-08-20 16:03:37 -07:00
Steven Moreland
db28fe2381 Revert "Re-open /dev/binder access to all."
am: 6b2eaade82

Change-Id: Ic2d53641d0cebee31be81307d7a31809fa326f2d
2019-08-20 15:55:40 -07:00
Steven Moreland
6b2eaade82 Revert "Re-open /dev/binder access to all."
This reverts commit 94ff361501.

Fix: 139759536
Test: marlin build fixed

Change-Id: I3ea2e29896722a80b22f09c405be205ffb7de6b2
2019-08-20 22:39:43 +00:00
Steven Moreland
169bfcfe88 Merge changes Icdf207c5,I20aa48ef
am: 30a06d278f

Change-Id: Ia505b1539cfd64bb93c2f5fe0dbd0603df5e9f5f
2019-08-20 13:41:45 -07:00
Steven Moreland
94ff361501 Re-open /dev/binder access to all.
Separate runtime infrastructure now makes sure that only Stable AIDL
interfaces are used system<->vendor.

Bug: 136027762
Test: boot device, use /dev/binder from vendor
Change-Id: Icdf207c5d5a4ef769c0ca6582dc58306f65be67e
2019-08-20 00:03:34 +00:00
Amy Zhang
3b62596f4f Merge "Tuner Hal 1.0 Enable ITuner service"
am: 3e7429359f

Change-Id: Ic4442460d60d51e97c84ea430830cd12c205e5f6
2019-08-15 13:23:33 -07:00
Amy
89b4bbd4d8 Tuner Hal 1.0 Enable ITuner service
Test: cuttlefish
Bug: 135708935
Change-Id: Ica063458860df45f0e2ab640a2ab35cd4da3da8e
2019-08-14 11:22:09 -07:00
Tomasz Wasilczyk
0540154021 SEPolicy rules for CAN bus HAL
am: 602b30302a

Change-Id: I5ae916b8f4c3d6038c48a522df1efc2ce8fc3d39
2019-08-01 19:34:47 -07:00
Tomasz Wasilczyk
602b30302a SEPolicy rules for CAN bus HAL
Bug: 135918744
Test: VTS (separate new change)
Change-Id: Idd3ca882e3bd36b95a5412bdfbf6fe9d6e911ba9
2019-08-01 10:24:00 -07:00
Kalesh Singh
533363bb54 Merge "Sepolicy for IAshmem HIDL interface" am: b374835ffb
am: 99a5e65385

Change-Id: I15778c78f997acdc3422ea941301f0ea61dabff4
2019-05-30 00:52:03 -07:00
Kalesh Singh
46303aa1f7 Sepolicy for IAshmem HIDL interface
Change-Id: Id78f995661120f136d671ea0084db358e7662122
Bug: 133443879
Test: Manually check logcat for sepolicy denials (logcat | grep IAshmem)
2019-05-29 14:44:47 -07:00
Pawin Vongmasa
609c243dd0 Properly define hal_codec2 and related policies
Test: make cts -j123 && cts-tradefed run cts-dev -m \
CtsMediaTestCases --compatibility:module-arg \
CtsMediaTestCases:include-annotation:\
android.platform.test.annotations.RequiresDevice

Bug: 131677974
Change-Id: I59c3d225499a8c53c2ed9f3bd677ff3d7423990b
2019-05-23 03:53:47 -07:00
Tri Vo
1bbbf810c9 Treble-ize sepolicy for fwk HIDL services.
Bug: 130734497
Test: m selinux_policy; system_server and statds still have permission
to export HIDL services.
Change-Id: I6e87b236bdbdd939fca51fb7255e97635118ed2d
Merged-In: I6e87b236bdbdd939fca51fb7255e97635118ed2d
(cherry picked from commit 1d34b8cc31)
2019-04-22 17:07:06 -07:00
Tri Vo
1d34b8cc31 Treble-ize sepolicy for fwk HIDL services.
Bug: 130734497
Test: m selinux_policy; system_server and statds still have permission
to export HIDL services.
Change-Id: I6e87b236bdbdd939fca51fb7255e97635118ed2d
2019-04-22 12:47:53 -07:00
Yifan Hong
e3ee390c6b Add super_block_device_type
This is the type used on super partition block devices.
- On devices launch with DAP, super is already marked
as super_block_device_type.
- On retrofit devices, appropriate block devices must
be marked as super_block_device_type, for example:

    typeattribute system_block_device super_block_device_type;

Bug: 128991918
Test: builds
Change-Id: I7e26d85b577ce08d8dc1574ddc43146d65843d9c
2019-03-25 17:58:10 +00:00
Jayant Chowdhary
fe0af517db Abstract use of cameraserver behind an attribute
Bug: 124128212

Test: Builds

Change-Id: Ia0df765e15a72b3bdd1cba07ff1cf16128da5ae2
Signed-off-by: Jayant Chowdhary <jchowdhary@google.com>
2019-03-01 14:02:59 -08:00
Tri Vo
a532088e7f Decouple system_suspend from hal attributes.
System suspend service is not a HAL, so avoid using HAL-specific macros
and attributes.

Use system_suspend_server attribute for ISystemSuspend.hal permissions.
Use system_suspend type directly for internal .aidl interface
permissions.

Bug: 126259100
Test: m selinux_policy
Test: blueline boots; wakelocks can still be acquired; device suspends
if left alone.
Change-Id: Ie811e7da46023705c93ff4d76d15709a56706714
2019-02-26 18:10:28 -08:00
Siarhei Vishniakou
41a871ba84 Permissions for InputClassifier HAL
Add the required permissions for the InputClassifier HAL.

Bug: 62940136
Test: no selinux denials in logcat when HAL is used inside input flinger.
Change-Id: Ibc9b115a83719421d56ecb4bca2fd196ec71fd76
2019-01-11 02:08:19 +00:00
Zachary Iqbal
893272d883 Added placeholder SELinux policy for the biometric face HAL.
Notes:
- Added face hal domain, context and file types for the default
  SELinux policy.
- Please see aosp/q/topic:"Face+Authentication"

Bug: 80155388
Test: Built successfully.
Change-Id: I2e02cf6df009c5ca476dfd842b493c6b76b7712a
2018-12-28 12:23:56 -08:00
Benjamin Schwartz
e7040eada0 Add power.stats HAL 1.0 sepolicy
Also giving statsd permission to access it. This change copies the internal sepolicy to AOSP.

Bug: 111185513
Bug: 120551881
Test: make
Change-Id: I7e0386777e05580299caf9b97cb7804459f1a9d0
2018-12-11 00:11:08 +00:00
Jiwen 'Steve' Cai
d5c5ef900c Sepolicy for bufferhub hwservice
Bug: 118124442
Test: device can boot with android.frameworks.bufferhub@1.0-service
      running
Change-Id: I1d186d5350671b0d2dd4e831429b8fba828316e0
2018-10-25 10:08:05 -07:00
Chong Zhang
bdbfff1b00 add mediaswcodec service
Set up a new service for sw media codec services.

Bug: 111407413

Test: cts-tradefed run cts-dev --module CtsMediaTestCases --compatibility:module-arg CtsMediaTestCases:include-annotation:android.platform.test.annotations.RequiresDevice
Change-Id: Ia1c6a9ef3f0c1d84b2be8756eb1853ffa0597f8e
2018-10-11 15:10:17 -07:00
Wei Wang
bc71a6109e Add atrace HAL 1.0 sepolicy
Bug: 111098596
Test: atrace/systrace

(cherry picked from commit 9ed5cf6e43)

Change-Id: I97772ff21754d03a0aea0d53b39e8da5312a17c0
2018-09-27 23:18:29 +00:00
Nick Kralevich
5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00
Yifan Hong
1cef6a94eb health.filesystem HAL renamed to health.storage
...to reflect that the HAL operates on storage devices,
not filesystem.

Bug: 111655771
Test: compiles
Change-Id: Ibb0572cb1878359e5944aa6711331f0c7993ba6e
Merged-In: Ibb0572cb1878359e5944aa6711331f0c7993ba6e
2018-09-20 04:12:45 +00:00
Tri Vo
ca4217e211 system_writes_mnt_vendor_violators for device launched before P.
In cases when a device upgrades to system-as-root from O to P, it needs a mount
point for an already existing partition that is accessed by both system and
vendor.

Devices launching with P must not have /mnt/vendor accessible to system.

Bug: 78598545
Test: m selinx_policy
Change-Id: Ia7bcde44e2b8657a7ad9e0d9bae7a7259f40936f
2018-09-17 19:26:12 -07:00
Tri Vo
7f8b6cc66c Rename untrusted_app_visible_*' to include 'violators'.
Bug: 110887137
Test: Flash new system policy onto a device with vendor policy that uses
untrusted_app_visible_* attributes, and check that old and new attributes
are applied to exactly same types.
Change-Id: Ibee0ec645878fcc8c93cd0fbd169a8d45129d79e
Merged-In: Ibee0ec645878fcc8c93cd0fbd169a8d45129d79e
(cherry picked from commit 7abca51d19)
2018-08-21 21:32:41 +00:00
Tri Vo
dac2a4a3a4 Sepolicy for system suspend HAL.
Bug: 78888165
Test: device can boot with HAL running.
Change-Id: I3bf7c8203e038b892176c97ec006152a2904c7be
2018-08-13 17:26:34 -07:00
Yifan Hong
0814795c79 Add sepolicy for health filesystem HAL
Test: builds
Test: vts
Bug: 111655771
Change-Id: Iabad3d124bf476cb624addf7d7898e0c2894d550
2018-08-10 11:02:21 -07:00
Jiyong Park
d8ae007189 add extended_core_property_type
The attribute is used to capture system properties added from outside of
AOSP (e.g. by OEM), but are not device-specific and thus are used only
inside the system partition.

Access to the the system properties from outside of the system partition
is prevented by the neverallow rule.

Bug: 80382020
Bug: 78598545
Test: m -j selinux_policy
Merged-In: I22c083dc195dab84c9c21a79fbe3ad823a3bbb46
Change-Id: I22c083dc195dab84c9c21a79fbe3ad823a3bbb46
(cherry picked from commit c0f8f2f82a)
2018-06-01 13:27:54 +09:00
Tom Cherry
5897e23ea1 neverallow coredomain from writing vendor properties
System properties can be abused to get around Treble requirements of
having a clean system/vendor split.  This CL seeks to prevent that by
neverallowing coredomain from writing vendor properties.

Bug: 78598545
Test: build 2017 Pixels
Test: build aosp_arm64
Change-Id: I5e06894150ba121624d753228e550ba9b81f7677
(cherry picked from commit cdb1624c27)
2018-06-01 13:26:49 +09:00
Tri Vo
1156d59389 Use hal_attribute for all HALs.
Bug: 72757373
Test: policy builds
Change-Id: I7cc5e28aac8ed381c9c350f540826e069941f6c4
2018-05-30 18:18:07 -07:00
Steven Moreland
7baf725ea6 mediacodec->mediacodec+hal_omx{,_server,_client}
(breaks vendor blobs, will have to be regenerated
after this CL)

This moves mediacodec to vendor so it is replaced with
hal_omx_server. The main benefit of this is that someone
can create their own implementation of mediacodec without
having to alter the one in the tree. mediacodec is still
seccomp enforced by CTS tests.

Fixes: 36375899
Test: (sanity) YouTube
Test: (sanity) camera pics + video
Test: check for denials
Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e
2018-05-30 18:12:32 +00:00
Pavel Maltsev
8d7f503336 Allow to use sockets from hal server for auto
Add an exemption to neverallow rule to use sockets from HAL servers only
for automotive build

Bug: 78901167
Test: assign this attribute to hal_vehicle_default and try to open
socket from HAL implementation
Test: verify that new CTS test will fail for non-automotive build with
this attribute buing used
Test: make cts && cts-tradefed run singleCommand cts --skip-device-info
 --skip-preconditions --abi arm64-v8a --module CtsSecurityHostTestCases
 -t android.security.cts.SELinuxHostTest

Merged-In: I27976443dad4fc5b7425c089512cac65bb54d6d9

(cherry picked from commit 4cafae77a4)

Change-Id: I58e25a0f86579073aa568379b10b6599212134c6
2018-05-15 14:38:00 -07:00
Pavel Maltsev
43e172af66 Move automotive HALs sepolicy to system/
Bug: 70637118
Test: build, flash and boot automotive builds

Change-Id: I6db23258de30174d6db09d241e91b08aa5afedef
Merged-In: I6db23258de30174d6db09d241e91b08aa5afedef
(cherry picked from commit 394dbe34a0)
2018-05-04 21:36:48 +00:00
Jeff Vander Stoep
7a4af30b38 Start the process of locking down proc/net
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.

To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.

Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
    navigate maps, send text message, make voice call, make video call.
    Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest

Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f)
2018-05-04 21:36:33 +00:00
Roshan Pius
d7b34a48ff sepolicy(hostapd): Add a HIDL interface for hostapd
* Note on cherry-pick: Some of the dependent changes are not in AOSP.
In order to keep hostapd running correctly in AOSP, I've modified this
change to only include policy additions.

Change sepolicy permissions to now classify hostapd as a HAL exposing
HIDL interface.

Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd:
12-27 23:40:55.913  4952  4952 W hostapd : type=1400 audit(0.0:19): avc:
denied { write } for name="hostapd" dev="sda13" ino=4587601
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

01-02 19:07:16.938  5791  5791 W hostapd : type=1400 audit(0.0:31): avc:
denied { search } for name="net" dev="sysfs" ino=30521
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0

Bug: 36646171
Test: Device boots up and able to turn on SoftAp.
Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947
Merged-In: Ibacfcc938deab40096b54b8d0e608d53ca91b947
(cherry picked from commit 5bca3e860d)
2018-05-04 21:36:24 +00:00
Jeff Vander Stoep
a6295412b4 Never expand proc_type attribute
It's used in build-time tests and in CTS.

Bug: 78898770
Test: build user-build
Change-Id: I254bf4d7ed0c0cb029b55110ceec982b84e4a91b
Merged-In: I254bf4d7ed0c0cb029b55110ceec982b84e4a91b
2018-05-04 06:44:58 +00:00
Tri Vo
41bf08e592 proc_type attribute for files under /proc.
With this attribute it will be easier to reference /proc files.

Bug: 74182216
Test: policy builds
Change-Id: I5b7da508d821e45f122832261a742a201e8fdf2c
2018-03-19 14:58:25 -07:00