The number of block devices used in an Android device is too damn high
(insert meme here). Let's at least add some links to documentation to
help describe the partition layout expected on a typical Android device.
This builds on top of the work in making the bootloader information
accessible (b/28905584).
Test: only adding comments. Policy compiles.
Change-Id: I8976b855e46255f7e18fa2b807ba83e0db92a82d
Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.
Commit 23c9d91b46 introduced a new type
called privapp_data_file and added rules necessary to preserve
compatibility. However, that change did not relabel any existing files,
so effectively the change was a no-op.
This change performs the switch, relabeling priv-app's /data/data files
from app_data_file to privapp_data_file. Due to the compatibility rules
added in 23c9d91b46, there should be no
noticeable effect from this change.
This change was originally submitted as
4df57822fc. However, it was reverted in
cdc6649acc due to a different labeling
bug. That bug has been fixed, and we can reapply this change.
Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
filesystem upgrade.
Bug: 112357170
These values will be read by platform module (/sbin/charger), and need
to be configurable by vendor init.
Bug: 113567255
Test: Build along with other CLs in the topic (for Makefile and
libminui changes). Boot into charger mode.
Test: Boot into recovery. Run graphics test.
Change-Id: I5b272f345e2a5a255c2f660c59c1da3245aa1e03
Allow the shared_relro creation process to make calls to PackageManager,
so that it can create a classloader corresponding to the current WebView
implementation. This avoids needing to pass an absolute path to the
native library to the process, which required that the calling code
duplicate existing logic in the framework to find the library and
resulted in bugs and inconsistencies.
Bug: 110790153
Test: WebView-related CTS and GTS tests
Change-Id: I9902bb0400e2a800021dac06278151c8541d458f
But in a very restricted form:
1) Nobody can initiate calls into init
2) Nobody can transfer binder objects into init, except servicemanager
Bug: 112684055
Test: device boots
Change-Id: Icfb218f2871e234284c74e096eccd7a2e786cf94
Allow dumpstate to get information about sockets and dontaudit
accessing vendor files when running df.
Bug: 112440280
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: Ide3cb2f3ce3f079bf30b3bd46810f9b55e105b2b
Kernel commit 8a2af06415ef0fc922162503dd18da0d9be7771f (ashmem: switch
to ->read_iter) switched ashmem from using __vfs_read to vfs_iter_read
to read the backing shmem file. Prior to this, reading from an ashmem
fd that was passed between processes didn't hit any permission checks;
now SELinux checks that the receiver can read from the creator's file
context.
Some apps receive buffers through ashmem from system_server, e.g., the
settings app reads battery stats from system_server through ashmem when
an app details page is opened. Restore this ability by giving apps read
access to system_server_tmpfs. system_server is still responsible for
creating and passing across the ashmem buffers, so this doesn't give
apps the ability to read anything system_server isn't willing to give
them.
Bug: 112987536
Bug: 111381531
Test: atest android.appsecurity.cts.PermissionsHostTest on kernel 4.14
Change-Id: Ice5e25f55bc409e91ad7e8c7ea8b28ae213191a3
Historically most uses of atrace happen via the shell domain.
There are two exceptions:
- boot tracing
- traced_probes
We need to get feature parity, so atrace has the same behavior
when is invoked either via shell or from its own domain (e.g.
via traced_probes that has an auto_trans rule into atrace on exec).
Atrace works by setting system properties to enable tracing from userspace
then poking all the binder services to read the system properties (see [1]) so
enabling the system_server category requires the ability to call binder
methods on the system_server.
For more use cases see b/113127224
[1]: 9ead54bed6/cmds/atrace/atrace.cpp (545)
Bug: 113127224
Test: Add an atrace category to the Perfetto config and confirm the data
shows up.
Change-Id: Id077eff960ffb1cdd7b0ce84b21ac9ef70444a4a
(for the build-time tests)
treble_sepolicy_tests applies tests to the SEPolicy for devices which
implement the SEPolicy split introduced in Android O. For devices which
turn this on and also implement all of the other requirements which
together compose PRODUCT_FULL_TREBLE, these tests help ensure that the
backwards compatibility which this feature adds is possible.
When this test was originally written, devices which specified
PRODUCT_FULL_TREBLE_OVERRIDE were only those devices with a
PRODUCT_SHIPPING_API_LEVEL of < 26. This allowed them to update to use
these features but maintain some legacy behaviors. For these devices,
to achieve the same backwards compatibility guarantees, much
other/extra work would have to be done (if it is possible at all).
Since that time, a new category of devices take advantage of
PRODUCT_FULL_TREBLE_OVERRIDE. These devices must either not define a
PRODUCT_SHIPPING_API_LEVEL or they apply this flag even though it is
not required to be applied. For these cases, the full test suite not
being run has caused problems because these failures aren't discoverred
until later (when compliance tests are run).
Fixes: 112933807
Test: treble_sepolicy_tests on marlin, walleye, and 'some other device'
(mma here runs this with the correct parameters)
Change-Id: I04c42d3cb86cda3c82f285919b40ba94e1332daa
adbd is started by an init trigger now when sys.usb.config is set
to adb.
Test: adb sideload works in user/userdebug builds
Bug: 113563995
Change-Id: I23db4074cd49cf0ba6c4eb27510e3a5caad5681b
af63f4193f
allows a security policy writer to determine whether transitions under
nosuid / NO_NEW_PRIVS should be allowed or not.
Define these permissions, so that they're usable to policy writers.
This change is modeled after refpolicy
1637a8b407
Test: policy compiles and device boots
Test Note: Because this requires a newer kernel, full testing on such
kernels could not be done.
Change-Id: I9866724b3b97adfc0cdef5aaba6de0ebbfbda72f
Access is deprecated for apps with targetSdkVersion=26+.
Test: build (neverallow rules are build time assertions)
Change-Id: I36480c38d45cf6bfb75f4988ffcefefc6b62d4b1
audit logs indicate that "append" is still used, but not write.
From ToT master:
avc: granted { append } for comm="tombstoned" scontext=u:r:tombstoned:s0
tcontext=u:object_r:anr_data_file:s0 tclass=file
Bug: 32064548
Test: build
Change-Id: Id05853a8ae38b84deed4d8bcca5a72c64ce7fd7e
Not needed for modern Android versions. These rules are really, really
old.
Test: "adb bugreport" continues to work
Test: Generating a bugreport via key combo continues to work.
Change-Id: Ibc1157fb36abd7fc701db3819474f25210a3cb5f
When /system/bin/crash_dump is executed from the su domain, do not
perform a domain transition. This allows processes run from that domain
to crash normally without SELinux interfering.
Bug: 114136122
Test: cferris: "This change works for me. I ran the crasher executable on
/data, /data/nativetest, /data/nativetest64 (and even /data/local/tmp).
All of them show that crash_dump can read the executables."
Change-Id: Ic135d61b11774acff37ebfb35831497cddbefdef
SELinux has a separate file mmap permission in 4.14+ kernels. Add this
to profman in cases where it could already access files.
Bug: 112990132
Test: atest com.android.cts.dexmetadata.InstallDexMetadataHostTest
Change-Id: I4f3cd55fbd4d0052500f07aac7d286c397758abc
DropboxManager may pass FDs to any app with the READ_LOGS
permission which is available to all apps as a development
permission.
Test: atest CtsIncidentHostTestCases
Fixes: 111856304
Change-Id: I329e3125dab83de948b860061df9d232e31cb23e
llkd needs the ptrace capabilities and dac override to monitor for
live lock conditions on the stack dumps.
Test: compile
Bug: 33808187
Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126
This scripts checks for common problems with SELinux policy,
including:
- Declared types that are not assigned to any files
- Files that don't exist on a running device
- Rules defined in the wrong file
- Using the wrong version of _file_perms/_dir_perms
These are heuristics, mainly because it does not fully parse regular
expressions and because policy might still be needed even if the
relevant file does not exist on a single device. But it hopefully is
a start at helping cleanup policy.
Bug: 30003114
Bug: 70702017
Test: Run script on core and device-specific policy.
Test: Verify that most of its results are correct.
Change-Id: I1ded4e9b18816841198dcbf72da65f046441d626
Shell access to existing input devices is an abuse vector.
The shell user can inject events that look like they originate
from the touchscreen etc.
Everyone should have already moved to UiAutomation#injectInputEvent
if they are running instrumentation tests (i.e. CTS), Monkey for
their stress tests, and the input command (adb shell input ...) for
injecting swipes and things.
Remove the write ability for shell users, and add a neverallow assertion
(which is also a CTS test) to prevent regressions.
Bug: 30861057
Test: auditallow statement added in
f617a404c2 hasn't triggered.
Test: ran getevent, saw correct output, played with device
Change-Id: Ia78eeec05f6015478dd32bd59505b51fef200a99