Commit graph

16321 commits

Author SHA1 Message Date
Treehugger Robot
6a14368c16 Merge "Change priv-apps /data/data labels to privapp_data_file" 2018-09-12 23:55:30 +00:00
Nick Kralevich
6cf9160e82 add links to docs explaining motivations behind neverallow assertions.
Test: comments only. Policy compiles.
Change-Id: Ic51533d37fff6c553950a122f33a48e3c119c67c
2018-09-12 15:53:48 -07:00
Treehugger Robot
e64414ef81 Merge "Apply '--fake-treble' flag to the intended devices" 2018-09-12 21:04:23 +00:00
Nick Kralevich
4b26c91ae6 Link to documentation for different block device types
The number of block devices used in an Android device is too damn high
(insert meme here). Let's at least add some links to documentation to
help describe the partition layout expected on a typical Android device.

This builds on top of the work in making the bootloader information
accessible (b/28905584).

Test: only adding comments. Policy compiles.
Change-Id: I8976b855e46255f7e18fa2b807ba83e0db92a82d
2018-09-12 13:58:53 -07:00
Nick Kralevich
5d1755194a Change priv-apps /data/data labels to privapp_data_file
Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.

Commit 23c9d91b46 introduced a new type
called privapp_data_file and added rules necessary to preserve
compatibility. However, that change did not relabel any existing files,
so effectively the change was a no-op.

This change performs the switch, relabeling priv-app's /data/data files
from app_data_file to privapp_data_file. Due to the compatibility rules
added in 23c9d91b46, there should be no
noticeable effect from this change.

This change was originally submitted as
4df57822fc. However, it was reverted in
cdc6649acc due to a different labeling
bug. That bug has been fixed, and we can reapply this change.

Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
      filesystem upgrade.
Bug: 112357170
2018-09-12 12:30:32 -07:00
Chong Zhang
8248d9b262 add a property to allow thumbnailer to use hw codecs
bug: 113609172
Change-Id: Ifff91630c3622661139ff27f25932258802cb082
2018-09-12 10:13:56 -07:00
Hector Dearman
9e6c78f73f Merge "Make system_server atrace category work with traced_probes" 2018-09-12 14:07:07 +00:00
Martijn Coenen
b115341dff Merge "Allow init to use binder." 2018-09-12 08:39:50 +00:00
Treehugger Robot
cb09ff080d Merge "Allow shared_relro to access PackageManager." 2018-09-11 23:09:56 +00:00
Tao Bao
703acc6acd Whitelist minui properties to be overridden by /vendor/default.prop.
These values will be read by platform module (/sbin/charger), and need
to be configurable by vendor init.

Bug: 113567255
Test: Build along with other CLs in the topic (for Makefile and
      libminui changes). Boot into charger mode.
Test: Boot into recovery. Run graphics test.
Change-Id: I5b272f345e2a5a255c2f660c59c1da3245aa1e03
2018-09-11 21:12:20 +00:00
Torne (Richard Coles)
0f326f3c47 Allow shared_relro to access PackageManager.
Allow the shared_relro creation process to make calls to PackageManager,
so that it can create a classloader corresponding to the current WebView
implementation. This avoids needing to pass an absolute path to the
native library to the process, which required that the calling code
duplicate existing logic in the framework to find the library and
resulted in bugs and inconsistencies.

Bug: 110790153
Test: WebView-related CTS and GTS tests
Change-Id: I9902bb0400e2a800021dac06278151c8541d458f
2018-09-11 16:26:56 -04:00
Treehugger Robot
dc60253988 Merge "Ensure taking a bugreport generates no denials." 2018-09-11 16:12:21 +00:00
Martijn Coenen
a720d3d00a Allow init to use binder.
But in a very restricted form:
1) Nobody can initiate calls into init
2) Nobody can transfer binder objects into init, except servicemanager

Bug: 112684055
Test: device boots
Change-Id: Icfb218f2871e234284c74e096eccd7a2e786cf94
2018-09-11 07:28:59 +00:00
Treehugger Robot
7706f51fd3 Merge "Recovery does not need permission to start adbd anymore" 2018-09-11 01:49:57 +00:00
Joel Galenson
e9ee9d86d0 Ensure taking a bugreport generates no denials.
Allow dumpstate to get information about sockets and dontaudit
accessing vendor files when running df.

Bug: 112440280
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: Ide3cb2f3ce3f079bf30b3bd46810f9b55e105b2b
2018-09-10 15:48:34 -07:00
Treehugger Robot
f434377515 Merge "sepolicy: Allow apps to read ashmem fds from system_server" 2018-09-10 17:33:20 +00:00
Benjamin Gordon
360559e7bb sepolicy: Allow apps to read ashmem fds from system_server
Kernel commit 8a2af06415ef0fc922162503dd18da0d9be7771f (ashmem: switch
to ->read_iter) switched ashmem from using __vfs_read to vfs_iter_read
to read the backing shmem file.  Prior to this, reading from an ashmem
fd that was passed between processes didn't hit any permission checks;
now SELinux checks that the receiver can read from the creator's file
context.

Some apps receive buffers through ashmem from system_server, e.g., the
settings app reads battery stats from system_server through ashmem when
an app details page is opened.  Restore this ability by giving apps read
access to system_server_tmpfs.  system_server is still responsible for
creating and passing across the ashmem buffers, so this doesn't give
apps the ability to read anything system_server isn't willing to give
them.

Bug: 112987536
Bug: 111381531
Test: atest android.appsecurity.cts.PermissionsHostTest on kernel 4.14
Change-Id: Ice5e25f55bc409e91ad7e8c7ea8b28ae213191a3
2018-09-10 17:04:09 +00:00
Hector Dearman
244bc7cf97 Make system_server atrace category work with traced_probes
Historically most uses of atrace happen via the shell domain.

There are two exceptions:
- boot tracing
- traced_probes

We need to get feature parity, so atrace has the same behavior
when is invoked either via shell or from its own domain (e.g.
via traced_probes that has an auto_trans rule into atrace on exec).
Atrace works by setting system properties to enable tracing from userspace
then poking all the binder services to read the system properties (see [1]) so
enabling the system_server category requires the ability to call binder
methods on the system_server.

For more use cases see b/113127224

[1]: 9ead54bed6/cmds/atrace/atrace.cpp (545)

Bug: 113127224
Test: Add an atrace category to the Perfetto config and confirm the data
shows up.

Change-Id: Id077eff960ffb1cdd7b0ce84b21ac9ef70444a4a
2018-09-10 14:03:27 +01:00
Tri Vo
34e98082ff Merge "ro.crypto.{allow_encrypt_override filenames_mode} vendor-init-settable." 2018-09-09 20:37:09 +00:00
Tri Vo
fe72cb70d7 ro.crypto.{allow_encrypt_override filenames_mode} vendor-init-settable.
Bug: 114017832
Test: m selinux_policy
Change-Id: I1dcb09c76b3e49888d278a154d79add6c6a6c977
2018-09-08 14:42:51 -07:00
Steven Moreland
c7670e5c55 Apply '--fake-treble' flag to the intended devices
(for the build-time tests)

treble_sepolicy_tests applies tests to the SEPolicy for devices which
implement the SEPolicy split introduced in Android O. For devices which
turn this on and also implement all of the other requirements which
together compose PRODUCT_FULL_TREBLE, these tests help ensure that the
backwards compatibility which this feature adds is possible.

When this test was originally written, devices which specified
PRODUCT_FULL_TREBLE_OVERRIDE were only those devices with a
PRODUCT_SHIPPING_API_LEVEL of < 26. This allowed them to update to use
these features but maintain some legacy behaviors. For these devices,
to achieve the same backwards compatibility guarantees, much
other/extra work would have to be done (if it is possible at all).

Since that time, a new category of devices take advantage of
PRODUCT_FULL_TREBLE_OVERRIDE. These devices must either not define a
PRODUCT_SHIPPING_API_LEVEL or they apply this flag even though it is
not required to be applied. For these cases, the full test suite not
being run has caused problems because these failures aren't discoverred
until later (when compliance tests are run).

Fixes: 112933807
Test: treble_sepolicy_tests on marlin, walleye, and 'some other device'
    (mma here runs this with the correct parameters)

Change-Id: I04c42d3cb86cda3c82f285919b40ba94e1332daa
2018-09-07 16:29:26 -07:00
Hridya Valsaraju
187d6e2280 Recovery does not need permission to start adbd anymore
adbd is started by an init trigger now when sys.usb.config is set
to adb.

Test: adb sideload works in user/userdebug builds
Bug: 113563995
Change-Id: I23db4074cd49cf0ba6c4eb27510e3a5caad5681b
2018-09-07 14:57:36 -07:00
Nick Kralevich
1b1d133be5 Add nnp_nosuid_transition policycap and related class/perm definitions.
af63f4193f
allows a security policy writer to determine whether transitions under
nosuid / NO_NEW_PRIVS should be allowed or not.

Define these permissions, so that they're usable to policy writers.

This change is modeled after refpolicy
1637a8b407

Test: policy compiles and device boots
Test Note: Because this requires a newer kernel, full testing on such
   kernels could not be done.
Change-Id: I9866724b3b97adfc0cdef5aaba6de0ebbfbda72f
2018-09-07 10:52:31 -07:00
Treehugger Robot
8d7d5b42b5 Merge "Fastbootd does not require read access to system and boot partitions" 2018-09-07 17:04:38 +00:00
Treehugger Robot
f82c66f240 Merge "Disallow new untrusted_app access to /proc/tty/drivers" 2018-09-07 16:15:57 +00:00
Jeff Vander Stoep
ff511cb5db Disallow new untrusted_app access to /proc/tty/drivers
Access is deprecated for apps with targetSdkVersion=26+.

Test: build (neverallow rules are build time assertions)
Change-Id: I36480c38d45cf6bfb75f4988ffcefefc6b62d4b1
2018-09-07 07:39:28 -07:00
Marcin Oczeretko
fb947d0c36 Merge "Add looper_stats_service to SE policy." 2018-09-07 09:51:33 +00:00
Hridya Valsaraju
e9fcce5642 Fastbootd does not require read access to system and boot partitions
Bug: 78793464
Test: fastboot flashall

Change-Id: I5b65b818dc43a01f90a38202e3a1b810fef70ca8
2018-09-07 00:09:34 +00:00
Treehugger Robot
bedc4f170c Merge "tombstoned: clean up TODO on anr writes" 2018-09-06 22:45:45 +00:00
Treehugger Robot
ac45700478 Merge "dumpstate: remove JIT and /data execute" 2018-09-06 22:41:19 +00:00
Treehugger Robot
36c7f741c1 Merge "Allow fastbootd to wipe userdata." 2018-09-06 21:12:07 +00:00
Marcin Oczeretko
56ab6be0d4 Add looper_stats_service to SE policy.
Test: Built and flashed an image.
Bug: 113651685
Change-Id: Ide239432ea8a5701d91c00edd06ad3e52560a3f7
2018-09-06 21:07:13 +00:00
Jeff Vander Stoep
93727ae6d7 tombstoned: clean up TODO on anr writes
audit logs indicate that "append" is still used, but not write.

From ToT master:
avc: granted { append } for comm="tombstoned" scontext=u:r:tombstoned:s0
tcontext=u:object_r:anr_data_file:s0 tclass=file

Bug: 32064548
Test: build
Change-Id: Id05853a8ae38b84deed4d8bcca5a72c64ce7fd7e
2018-09-06 14:01:25 -07:00
Nick Kralevich
eef72d34b4 dumpstate: remove JIT and /data execute
Not needed for modern Android versions. These rules are really, really
old.

Test: "adb bugreport" continues to work
Test: Generating a bugreport via key combo continues to work.
Change-Id: Ibc1157fb36abd7fc701db3819474f25210a3cb5f
2018-09-06 13:28:34 -07:00
Makoto Onuki
ac4b6478c1 Merge "Add app_binding system service" 2018-09-06 17:20:45 +00:00
Nick Kralevich
e6f33f53bf exclude su from transitioning to crash_dump domain
When /system/bin/crash_dump is executed from the su domain, do not
perform a domain transition. This allows processes run from that domain
to crash normally without SELinux interfering.

Bug: 114136122
Test: cferris: "This change works for me. I ran the crasher executable on
  /data, /data/nativetest, /data/nativetest64 (and even /data/local/tmp).
  All of them show that crash_dump can read the executables."
Change-Id: Ic135d61b11774acff37ebfb35831497cddbefdef
2018-09-05 19:49:59 -07:00
Makoto Onuki
6af1181320 Add app_binding system service
Bug: 109809543
Test: Build and boot with the new service in the internal branch.

Change-Id: Iaee365771c3e8e5b8f5f3b6112bbf902c6bb02bd
2018-09-05 14:33:20 -07:00
Hridya Valsaraju
f97026db4a Allow fastbootd to wipe userdata.
This is needed for flashall -w to wipe userdata.
Bug: 113648914
Test: fastboot erase userdata

Change-Id: I7e89cf885c9a67c78de67b79ed16af7e50104bf7
2018-09-05 13:40:30 -07:00
Treehugger Robot
7b22940511 Merge "sepolicy: Add mmap for profman" 2018-09-04 22:09:28 +00:00
Benjamin Gordon
7cab455f2d sepolicy: Add mmap for profman
SELinux has a separate file mmap permission in 4.14+ kernels.  Add this
to profman in cases where it could already access files.

Bug: 112990132
Test: atest com.android.cts.dexmetadata.InstallDexMetadataHostTest
Change-Id: I4f3cd55fbd4d0052500f07aac7d286c397758abc
2018-09-04 14:55:31 -06:00
Jeff Vander Stoep
6026a4adb9 app: Allow all apps to read dropbox FDs
DropboxManager may pass FDs to any app with the READ_LOGS
permission which is available to all apps as a development
permission.

Test: atest CtsIncidentHostTestCases
Fixes: 111856304
Change-Id: I329e3125dab83de948b860061df9d232e31cb23e
2018-09-04 20:23:43 +00:00
Mark Salyzyn
275ea12d84 llkd: Add stack symbol checking
llkd needs the ptrace capabilities and dac override to monitor for
live lock conditions on the stack dumps.

Test: compile
Bug: 33808187
Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126
2018-09-04 17:02:30 +00:00
Alan Stokes
b9cb73ad4e Ensure crash_dump cannot be allowed to ptrace itself.
This is not needed and could conceivably be abused.

Test: Builds.
Bug: 110107376
Change-Id: I73f301439af435fe40b3902409964cdf6e2c7dd5
2018-09-03 17:27:54 +01:00
Joel Galenson
c43273162f Add a script to check for ways to cleanup SELinux policy.
This scripts checks for common problems with SELinux policy,
including:
- Declared types that are not assigned to any files
- Files that don't exist on a running device
- Rules defined in the wrong file
- Using the wrong version of _file_perms/_dir_perms

These are heuristics, mainly because it does not fully parse regular
expressions and because policy might still be needed even if the
relevant file does not exist on a single device.  But it hopefully is
a start at helping cleanup policy.

Bug: 30003114
Bug: 70702017
Test: Run script on core and device-specific policy.
Test: Verify that most of its results are correct.
Change-Id: I1ded4e9b18816841198dcbf72da65f046441d626
2018-08-31 13:55:34 -07:00
Chih-Hung Hsieh
e0db1651e6 Free type_rules before return or exit.
Test: make with WITH_TIDY=1 and clang-analyzer-* checks.
Change-Id: Ide1eaf8880132c566545710e6287f66a5a2b393c
2018-08-31 10:11:09 -07:00
Kevin Chyn
57887307df Add BiometricPromptService to sepolicy
Bug: 72825012

Test: manual
Change-Id: I850c869cdc0ad8735800130bb4a8d67822197ff9
2018-08-30 11:43:20 -07:00
Treehugger Robot
b54e2b7bb3 Merge "init: drop /dev/keychord access" 2018-08-29 14:40:32 +00:00
Treehugger Robot
efb6667a2c Merge "shell: remove /dev/input write access" 2018-08-28 17:53:27 +00:00
Mark Salyzyn
0722b5aab6 init: drop /dev/keychord access
Test: compile
Bug: 64114943
Change-Id: I1d20cc027dbd1a94e2a79b6aebdd265cefe8a6a5
2018-08-28 10:33:49 -07:00
Nick Kralevich
51156264b4 shell: remove /dev/input write access
Shell access to existing input devices is an abuse vector.
The shell user can inject events that look like they originate
from the touchscreen etc.

Everyone should have already moved to UiAutomation#injectInputEvent
if they are running instrumentation tests (i.e. CTS), Monkey for
their stress tests, and the input command (adb shell input ...) for
injecting swipes and things.

Remove the write ability for shell users, and add a neverallow assertion
(which is also a CTS test) to prevent regressions.

Bug: 30861057
Test: auditallow statement added in
  f617a404c2 hasn't triggered.
Test: ran getevent, saw correct output, played with device

Change-Id: Ia78eeec05f6015478dd32bd59505b51fef200a99
2018-08-28 09:19:51 -07:00