Commit graph

13417 commits

Author SHA1 Message Date
Jaekyun Seok
4a62c060e3 Allow vendor-init-settable for ro.radio.noril
ro.radio.noril is used for modem-less products including emulator.

Bug: 73871799
Test: succeeded building and tested with taimen
Change-Id: I2270374a2523889aa4874840594d8267614f93ad
2018-02-26 23:10:10 +00:00
Treehugger Robot
821c44421e Merge "Thank you" 2018-02-24 14:57:47 +00:00
Treehugger Robot
518648e5d4 Merge "Allow traced_probes to list the system partition" 2018-02-23 23:52:12 +00:00
Bookatz
c9f205b56a Fix benign statsd selinux violations
These two selinux policy violations keep showing up from statsd's CTS
tests, although statsd and the CTS test seemed to function fine despite
them. Nonetheless, they seem reasonable to add to the list.

Bug: 73548694
Test: N/A. It didn't seem to be causing any issues in the first place.
Change-Id: Id36c5229c0d7de83675166caeb07c87b719dc374
2018-02-23 13:06:32 -08:00
Nick Kralevich
46eaa82e35 Thank you
After 9 amazing years with Android, it's time to try something new.
I've moved over to Fuchsia (https://en.wikipedia.org/wiki/Google_Fuchsia)
where I'll be helping define security for a new, experimental operating
system.

My time in Android has been the most rewarding of my life. I couldn't
be more proud of our work in creating a trustworthy operating system
used by billions(!) of people, from rich to poor. It's quotes like this
which give me the warm fuzzies:

  https://threatpost.com/whats-new-in-android-8-0-oreo-security/128061/

  "Android O is a big step forward," said Duo Security’s Lady.
  He said with O, Google closes the security gap on the iPhone.
  "It used to be if you cared about security you had to pay a
  premium and buy an iPhone. Soon, even a $50 Android device
  running O will be on par with a $1,000 iPhone X when it comes
  to security."

The platform team is in good hands, with Rene Mayrhofer now leading the
charge to make Android the most secure, privacy preserving operating
system in existence. And thank you to the rest of the team for making
my time in Android so wonderful.

And a special thank you to Stephen Smalley of the Trusted Systems
Research Group for his leadership and guidance. Android Security would
not be where it is today without you.

=====

Keeping with the principle of least privilege, this change removes
myself from the OWNERS file for system/sepolicy. Let us always strive to
build systems so strong that we ourselves cannot even break into them,
and so private that people can trust us with their most sensitive data.

=====

Test: Tested every day by billions of users. ;-)
Change-Id: Ia7d0f3f75fdbd69cc720d02fd5a9b9e92ae607ae
2018-02-23 10:33:00 -08:00
Florian Mayer
ef6358bb77 Allow traced_probes to list the system partition
Relevant denies:

[    2.560660] type=1400 audit(1519404055.529:9): avc: denied { read }
for pid=896 comm=traced_probes name=system dev=sda22 ino=17
scontext=u:r:traced_probes:s0 tcontext=u:object_r:system_file:s0
tclass=dir permissive=0

Allowing only read then gives:
[    2.554718] type=1400 audit(1519404863.506:9): avc: denied { open }
for pid=890 comm="traced_probes" path="/system" dev="sda22" ino=17
scontext=u:r:traced_probes:s0 tcontext=u:object_r:system_file:s0
tclass=dir permissive=0

Test: flashed and ran directory listing code.
Bug: 73625480
2018-02-23 17:35:42 +00:00
Robert Sesek
869562e9e3 Remove rules for starting the webview_zygote as a child of init.
The webview_zygote is now launched as a child-zygote process from the
main zygote process.

Bug: 63749735
Test: m
Test: Launch "Third-party licenses" activity from Settings, and it
      renders correctly via the WebView.
Merged-In: I9c948b58a969d35d5a5add4b6ab62b8f990645d1
Change-Id: I153476642cf14883b0dfea0d9f5b3b5e30ac1c08
2018-02-23 10:55:22 -05:00
Jeff Vander Stoep
7636d6071a Useful neverallow errors
Neverallow errors include the file name and line number of the
violated rule. However, if multiple neverallow rules are included
within a single macro, then the line number is for the entire macro,
not the individual neverallow rule that is violated. To fix this,
only include one neverallow rule per macro.

This changes nothing on device, nor does it change the results of
compilation, it only makes the printed errors more useful.

Bug: 69139821
Test: build aosp_taimen-userdebug (neverallow rules are build time
    tests)

Change-Id: Id0fc5906431db20e71265c7e9d55fbee4bdf53db
2018-02-23 07:55:14 +00:00
Sandeep Patil
34e35e9e95 Add label for kernel test files and executables
This required for kernel to do loopback mounts on filesystem
images created by the kernel system call tests in LTP.

Add a corresponding neverallow to stop all domains from accessing
the location at /data/local/tmp/ltp.

Bug: 73220071
Test: Boot sailfish successfully
Test: run vts-kernel -m VtsKernelLtp -t syscalls.fchown04

Change-Id: I73f5f14017e22971fc246a05751ba67be4653bca
Signed-off-by: Sandeep Patil <sspatil@google.com>
2018-02-22 12:55:30 -08:00
Robert Sesek
63bcf4debb Allow zygote to setpgid on webview_zygote.
Bug: 73720684
Bug: 73720684
Test: m
Test: BootTest on taimen
Change-Id: I5a58fd1cce568cc50ba791f445f5c148eb87b474
2018-02-21 16:34:10 -05:00
Treehugger Robot
ba0310adcc Merge "Allow Traceur app to remove trace files." 2018-02-21 20:55:35 +00:00
Primiano Tucci
5ef6669b04 perfetto: Make producer socket MLS-aware
The previous selinux rules obtained via audit2allow didn't really
work with the case of apps connecting to the producer socket,
despite all the allow rules being correctly in place.
This was failing our CTS tests.

The reason for the failure (see denials pasted below) is due to
Multi Level Security (for multi-user), which was still preventing
apps form a different level to connect to the traced producer
socket and write to the shmem buffers they get passed back.
This CL tags the objects being accessed as mlstrusted.
CTS tests pass with this CL.

Denials:
avc: denied { write } for pid=8545 comm="traced_probes" name="traced_producer" dev="tmpfs" ino=23629 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=1
avc: denied { write } for pid=8545 comm="traced_probes" name="traced_producer" dev="tmpfs" ino=23629 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=1
avc: denied { connectto } for pid=8545 comm="traced_probes" path="/dev/socket/traced_producer" scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:traced:s0 tclass=unix_stream_socket permissive=1
avc: denied { connectto } for pid=8545 comm="traced_probes" path="/dev/socket/traced_producer" scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:traced:s0 tclass=unix_stream_socket permissive=1
avc: denied { write } for pid=8545 comm="traced_probes" path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=104483 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_tmpfs:s0 tclass=file permissive=1

Change-Id: I1598bc0b07bf39b8d0420b66caf06a4ca884f383
Bug: 73340039
Test: CtsPerfettoTestCases
2018-02-21 14:37:58 +00:00
Carmen Jackson
fa0bf19bd1 Allow Traceur app to remove trace files.
Bug: 73660835
Test: With the other commit on this topic, clearing all trace files via
the app works properly.

Change-Id: I27a4a5a14d9afe817683f1b046a644648a84badc
2018-02-20 17:03:08 -08:00
Treehugger Robot
fcd48fd593 Merge "Statsd selinux allow shell to interact with statsd" 2018-02-16 23:36:52 +00:00
Treehugger Robot
01624c82c8 Merge "Revert "Revert "Ensure only com.android.shell can run in the shell domain.""" 2018-02-16 22:06:47 +00:00
Primiano Tucci
daeea37e21 Merge "selinux: allow Perfetto traced_probes to write into kmesg" 2018-02-16 21:56:35 +00:00
Bookatz
18b8b8fc46 Statsd selinux allow shell to interact with statsd
To upload configs and download output, this line
is needed.

Bug: 72961153
Test: The statsd cts test passes
Change-Id: I0943cc841881dd5d15e24ba444b146087a81bf96
2018-02-16 13:28:04 -08:00
Max Bires
1a703fedc7 Revert "Revert "Ensure only com.android.shell can run in the shell domain.""
This reverts commit bf0c2a59f8.

Bug:68126425
Test: No apps affected by not being able to run in shell domain
Change-Id: I8b93eecd023fbb392a98253d721dad75f79b61f4
Merged-In: I8b93eecd023fbb392a98253d721dad75f79b61f4
2018-02-16 10:46:09 -08:00
Treehugger Robot
50fa7be796 Merge "SELinux changes to accomodate starting the webview_zygote as a child of the zygote." 2018-02-16 16:38:52 +00:00
Primiano Tucci
d807d58825 selinux: allow Perfetto traced_probes to write into kmesg
This is to allow to leave audit trails in dmesg to cross-correlate
kernel panics with perfetto ftrace activity.

Bug: 73340039
Change-Id: I575a537553adc75378783c37c84350581250614d
2018-02-16 16:38:29 +00:00
Joel Galenson
f7ec413844 Dontaudit denials caused by race with labeling.
These denials seem to be caused by a race with the process that labels
the files.  While we work on fixing them, hide the denials.

Bug: 68864350
Bug: 70180742
Test: Built policy.
Change-Id: I58a32e38e6384ca55e865e9575dcfe7c46b2ed3c
2018-02-14 17:07:13 -08:00
Robert Sesek
febdfa4edf SELinux changes to accomodate starting the webview_zygote as a child of the zygote.
In this architecture, the system_server instructs the zygote to fork a
child-zygote to be the webview_zygote. The system_server tells this new
zygote to listen for fork requests on a random abstract unix socket of
its choosing.

A follow-up CL will remove the rules for starting webview_zygote via
init.

Bug: 63749735
Test: m
Test: Launch "Third-party licenses" activity from Settings, and it
      renders correctly via the WebView.
Merged-In: I864743943c11c18de386010ecd4b616721cb9954
Change-Id: I1c352e47b66eca3a3fa641daa6ecc3e7a889b54e
2018-02-14 19:00:48 -05:00
Treehugger Robot
946b4b76f0 Merge "Allow wpa_supplicant to read security logging property." 2018-02-14 18:47:26 +00:00
Treehugger Robot
5791086651 Merge "Track crash_dump selinux denial." 2018-02-14 17:53:00 +00:00
Pavel Grafov
54c9dafb5e Allow wpa_supplicant to read security logging property.
This is needed to allow it to log audit events, e.g. cert
validation failure.

Bug: 70886042
Test: manual, attempt connecting to EAP-TLS wifi with bad cert.
Merged-In: Ia1b0f3c6e02697fdb5018082d5c851f116013fb1
Change-Id: Ia1b0f3c6e02697fdb5018082d5c851f116013fb1
2018-02-14 17:07:35 +00:00
Jeff Vander Stoep
3d4965b2e1 Use SELINUX_IGNORE_NEVERALLOWS flag to disable all tests
The intent of this flag is to disable tests during early device
bringup so that vendor drops can occur without build breakages.
When SELINUX_IGNORE_NEVERALLOWS=true also disable labeling tests
sepolicy_tests, and treble_sepolicy_tests.

Bug: 73322735
Test: build, verify known tests failures do not cause build breakage.
Change-Id: I3e7165938d4e34c066bfa0a20e68b7e02dae4a24
2018-02-14 05:11:59 +00:00
Christopher Ferris
72527282ef Merge "Allow read-only of new property for malloc hooks." 2018-02-14 00:49:48 +00:00
Treehugger Robot
1f4474852f Merge "OWNERS: add tomcherry and bowgotsai" 2018-02-13 23:36:59 +00:00
Treehugger Robot
5670dd1fad Merge "Statsd allow shell in selinux policy" 2018-02-13 22:07:59 +00:00
Christopher Ferris
6766543a16 Allow read-only of new property for malloc hooks.
Bug: 30561479

Test: Booted on walleye and verified that read denials of the property
Test: do not generate warnings.
Change-Id: I61a4a7d3a360a6d27d8986eb8f3f9662272233b1
(cherry picked from commit 2f35f5ca6c)
2018-02-13 13:36:51 -08:00
Jeff Vander Stoep
31e1ddd611 OWNERS: add tomcherry and bowgotsai
Test: n/a
Change-Id: I7041cc0f17ece86c01db1d9c17f68b58473cf27c
2018-02-13 21:31:49 +00:00
Treehugger Robot
2732f1497b Merge "Allow perfetto traced_probes to access tracefs on user" 2018-02-13 18:02:01 +00:00
Bookatz
022ab0e738 Statsd allow shell in selinux policy
CTS tests need to be able to call, from hostside:
adb shell cmd stats dump-report (and others)
On a user build, this will fail because of an selinux policy violation
from shell. This cl fixes this by granting shell permission.

Similarly, Settings needs to communicate with statsd, so
system_app-statsd binder calls are given permission.

Bug: 72961153
Bug: 73255014
Test: run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.atom.HostAtomTests
Test: manual confirmation
Change-Id: I6589ab4ef5c91a4a7f78eb97b63d9bb43e3d8f02
2018-02-13 09:34:55 -08:00
Primiano Tucci
b4b31f9d72 Allow perfetto traced_probes to access tracefs on user
Allows the traced_probes daemon to access the core ftrace
functionalities on user builds. Specifically this involves:
- Whitelisting the per_cpu/ subdirectory to access:
  1) trace_pipe_raw file to allow perfetto to read the raw
     ftrace buffer (rather than the text-based /trace endpoint)
  2) cpuX/stats and cpuX/buffer_size_kb that allow to
     tune the buffer size per-cpu pipe and to get basic
     statistics about the ftrace buffer (#events, overruns)
- Whitelistiing the full event directories rather than the
  /enable files. This gives also access to the /format files
  for the events that are already enabled on user builds.
  /format files simply describe the memory layout
  of the binary logs. Example: https://ghostbin.com/paste/f8m4k

This still does NOT allow enabling the events labeled as
"_debug" (mostly events that return activity on inodes).
We'll deal with that separately as soon as we get a POC
of inode resolution and a sensible blacklist/whitelist model.

Bug: 70942310
Change-Id: Ic15cca0a9d7bc0e45aa48097a94eadef44c333f8
2018-02-13 15:54:11 +00:00
Joel Galenson
116f75062f Track crash_dump selinux denial.
This should fix presubmit tests.

Bug: 68319037
Test: Built policy.
Change-Id: I0c3bc08c9b114e7a3737cdb3005fb59b2df47d55
2018-02-12 10:09:43 -08:00
Treehugger Robot
7a567e3a19 Merge "Track untrusted_app SELinux denial." 2018-02-12 17:50:57 +00:00
Joel Galenson
fc804cc179 Track untrusted_app SELinux denial.
This should fix presubmit tests.

Bug: 72550646
Test: Built policy.
Change-Id: Ib17d2a5e1635ff661d39d14169652f88b7a6e4f5
2018-02-09 15:23:30 -08:00
Tom Cherry
a099830e3d Prevent vendor_init from using binder or sockets
Bug: 72809699
Test: build
Change-Id: Ifb66ad13557af7d2dc6d3ef823e326a5fba51b24
2018-02-09 19:32:59 +00:00
Treehugger Robot
d388f370c6 Merge "Track system_server SELinux denial." 2018-02-09 07:30:31 +00:00
Treehugger Robot
3721b0513d Merge "label /data/vendor{_ce,_de}" 2018-02-09 05:50:26 +00:00
Joel Galenson
387729fed5 Track system_server SELinux denial.
This should fix presubmit tests.

Bug: 73128755
Test: Built policy.
Change-Id: Ie389de04360090594e627e629a59a60092dda6ca
2018-02-08 14:32:14 -08:00
Treehugger Robot
74e408c42b Merge "Remove /sys/devices/virtual/net labeling from core." 2018-02-08 21:37:42 +00:00
Jeff Vander Stoep
d25ccabd24 label /data/vendor{_ce,_de}
Restrictions introduced in vendor init mean that new devices
may not no longer exempt vendor init from writing to system_data_file.
This means we must introduce a new label for /data/vendor which
vendor_init may write to.

Bug: 73087047
Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint
    No new denials.

Change-Id: I65f904bb28952d4776aab947515947e14befbe34
2018-02-08 17:21:25 +00:00
Treehugger Robot
8c87c2ad65 Merge "prevent benign dex2oat selinux denial temporarily" 2018-02-07 23:46:18 +00:00
Treehugger Robot
9eb4de160d Merge changes from topic "vintf_matrix_sepolicy"
* changes:
  Use PLATFORM_SEPOLICY_COMPAT_VERSIONS
  Move PLATFORM_SEPOLICY_VERSION to make/core/config.mk
2018-02-07 22:32:44 +00:00
Treehugger Robot
8c8ed1f03d Merge "shell: remove from system_executes_vendor_violators." 2018-02-07 22:20:03 +00:00
Yifan Hong
617e853560 Use PLATFORM_SEPOLICY_COMPAT_VERSIONS
This is a list of sepolicy versions that the framework supports.

Test: builds and boots

Bug: 67920434
Change-Id: I0f408fa3967214b47a64101760dbbb2542023dcf
2018-02-07 11:15:28 -08:00
Yifan Hong
3dff9ab470 Move PLATFORM_SEPOLICY_VERSION to make/core/config.mk
Test: m framework_compatibility_matrix.xml -j
Test: device boots

Bug: 67920434
Bug: 69390067

Change-Id: I3461873c22f704b9bbaa3a4e6f7e1df34d6b61a3
2018-02-07 11:15:28 -08:00
Tri Vo
e670802f7c Remove /sys/devices/virtual/net labeling from core.
Bug: 72878750
Test: build sepolicy
Change-Id: Ifa6822e042beed0e5971c85155aa526912807c8a
2018-02-07 10:30:18 -08:00
Tri Vo
bfe51254ee shell: remove from system_executes_vendor_violators.
And grant explicit exemption from system_executes_vendor_violators
neverallow rules.

This does not change the policy, but is needed to test the violator
attribute for emptiness.

Bug: 72662597
Test: build sepolicy
Change-Id: Iba79bb42e1381b221fe0dc53470f62f8267a4791
2018-02-07 17:48:28 +00:00