Commit graph

4664 commits

Author SHA1 Message Date
Wei Wang
fbe4afa7aa Merge "stable aidl Power HAL policy" 2020-01-16 22:35:42 +00:00
Joshua Duong
bda9c33ab1 Merge "Allow adbd to set/get persist.adb props, system_server to get." 2020-01-16 17:43:39 +00:00
Treehugger Robot
834c964d66 Merge "system_server: TelephonyManager reads /proc/cmdline" 2020-01-16 15:52:02 +00:00
Treehugger Robot
8943f24f02 Merge "llkd: requires sys_admin permissions" 2020-01-16 12:57:26 +00:00
Howard Chen
8b5a90a5e4 Merge "Allow gsid to create subdirectories under /metadata/gsi/dsu" 2020-01-16 05:33:09 +00:00
Wei Wang
32b24c0f0b stable aidl Power HAL policy
Test: boot and dumpsys -l
Change-Id: I58022c9e0c24ba4e2d695acf63375c9f74c51b22
2020-01-15 16:53:40 -08:00
Treehugger Robot
a5527b4e46 Merge "Add SELinux policy for Identity Credential HAL" 2020-01-15 23:19:03 +00:00
Treehugger Robot
f644c547ad Merge "perf_event: rules for system and simpleperf domain" 2020-01-15 22:07:24 +00:00
Joshua Duong
4bec0691d8 Allow adbd to set/get persist.adb props, system_server to get.
Bug: b/111434128

Test: getprop persist.adb.wifi.guid
Change-Id: If211c2d00724f62a201dd9c19afc9e894001069f
2020-01-15 10:38:11 -08:00
Treehugger Robot
41a1b4af9c Merge "[SfStats] sepolicy for SfStats' global puller" 2020-01-15 17:25:54 +00:00
Ryan Savitski
ffa0dd93f3 perf_event: rules for system and simpleperf domain
This patch adds the necessary rules to support the existing usage of
perf_event_open by the system partition, which almost exclusively
concerns the simpleperf profiler. A new domain is introduced for some
(but not all) executions of the system image simpleperf. The following
configurations are supported:
* shell -> shell process (no domain transition)
* shell -> debuggable app (through shell -> runas -> runas_app)
* shell -> profileable app (through shell -> simpleperf_app_runner ->
                            untrusted_app -> simpleperf)
* debuggable/profile app -> self (through untrusted_app -> simpleperf)

simpleperf_app_runner still enters the untrusted_app domain immediately
before exec to properly inherit the categories related to MLS. My
understanding is that a direct transition would require modifying
external/selinux and seapp_contexts as with "fromRunAs", which seems
unnecessarily complex for this case.

runas_app can still run side-loaded binaries and use perf_event_open,
but it checks that the target app is exactly "debuggable"
(profileability is insufficient).

system-wide profiling is effectively constrained to "su" on debug
builds.

See go/perf-event-open-security for a more detailed explanation of the
scenarios covered here.

Tested: "atest CtsSimpleperfTestCases" on crosshatch-user/userdebug
Tested: manual simpleperf invocations on crosshatch-userdebug
Bug: 137092007
Change-Id: I2100929bae6d81f336f72eff4235fd5a78b94066
2020-01-15 16:56:41 +00:00
Treehugger Robot
679b417ccd Merge "access_vectors: re-organize common file perms" 2020-01-15 16:49:04 +00:00
Mark Salyzyn
37daf9f48e llkd: requires sys_admin permissions
As a result of commit f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7
("proc: restrict kernel stack dumps to root")
the userdebug feature where llkd can monitor for live lock
signatures in the stack traces broke.

So now userdebug variant of llkd requires sys_admin permissions.

Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Test: llkd_unit_test
Bug: 147486902
Change-Id: I31572afa08daa490a69783855bce55313eaed96c
2020-01-15 08:08:59 -08:00
Nikita Ioffe
edc513c8c1 Merge "Allow apps to read ro.init.userspace_reboot.is_supported" 2020-01-15 14:14:08 +00:00
Treehugger Robot
4d33dc28e7 Merge "Allow init to configure dm_verity kernel driver." 2020-01-15 13:13:01 +00:00
Treehugger Robot
f9d45fc447 Merge "Allow zygote to bind mount /data/misc/profiles/cur" 2020-01-15 05:18:44 +00:00
David Zeuthen
b8b5da4305 Add SELinux policy for Identity Credential HAL
Bug: 111446262
Test: VtsHalIdentityCredentialTargetTest
Change-Id: Icb5a0d8b24d463a2f1533f8dd3bfa84bf90acc6f
2020-01-14 20:13:39 -05:00
Stephen Smalley
cd62a4a56a access_vectors: re-organize common file perms
The open, audit_access, execmod, and watch* permissions
are all defined in the COMMON_FILE_PERMS in the kernel
classmap and inherited by all the file-related classes;
we can do the same in the policy by putting them into the
common file declaration.

refpolicy recently similarly reorganized its definitions and added the
watch* permissions to common file, see:
e5dbe75276
c656b97a28
3952ecb4dd

Adding new permissions to the end of the existing classes was only
required for kernels that predate the dynamic class/perm mapping
support (< v2.6.33).

Test: policy still builds

Change-Id: I44a2c3a94c21ed23410b6f807af7f1179e2c1747
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-14 14:59:08 -05:00
Nikita Ioffe
32e7ea0096 Allow apps to read ro.init.userspace_reboot.is_supported
This property essentially implements
PowerManager.isRebootingUserspaceSupported[0] public API, hence apps
should be able to read it.

[0]: 73cab34d9f:core/java/android/os/PowerManager.java;l=1397

Test: m checkbuild
Test: atest CtsUserspaceRebootHostSideTestCases
Test: adb shell getprop ro.init.userspace_reboot.is_supported
Bug: 135984674
Change-Id: I09cab09735760529de81eb6d5306f052ee408a6e
2020-01-14 12:39:23 +00:00
Ricky Wai
ca6e01aa53 Allow zygote to bind mount /data/misc/profiles/cur
Bug: 143937733
Test: No denials at boot
Test: No denials seen when creating moun
Change-Id: Ia6b196dde6ed511ebff53b03891122b1120fec07
2020-01-14 11:34:15 +00:00
Treehugger Robot
184fe45549 Merge "perf_event: define security class and access vectors" 2020-01-13 23:10:54 +00:00
Lee Shombert
bafd0c762a SELinux changes for the hasSystemFeature() binder cache property.
The binder_cache_system_server_prop context allows any user to read the
property but only the system_server to write it.  The only property with
this context is currently binder.cache_key.has_system_feature but users
will be added.

Bug: 140788621

Test: this was tested on an image with a binder cache implementation.  No
permission issues were found.  The implementation is not part of the current
commit.

Change-Id: I4c7c3ddf809ed947944408ffbbfc469d761a6043
2020-01-13 10:21:54 -08:00
Ryan Savitski
80640c536c perf_event: define security class and access vectors
This patch allows us to write SELinux policies for the
perf_event_open() syscall LSM hooks added to the kernel in the following
commit:
da97e18458

Bug: 137092007
Change-Id: I0005759eb7a487faebe94a4653e3865343eb441e
2020-01-13 14:56:54 +00:00
Ashwini Oruganti
65d6fd48c8 Merge "priv_app: Remove rules for system_update_service" 2020-01-11 00:49:14 +00:00
Alec Mouri
f5df7b4467 [SfStats] sepolicy for SfStats' global puller
Bug: 119885568
Bug: 136597024
Test: adb shell cmd stats pull-source 10062
Test: statsd_testdrive 10062
Change-Id: Ide8ecd2683b3ea29a3207f89d35d7067490dabb1
2020-01-10 16:34:48 -08:00
Zimuzo Ezeozue
34a19b76ce Merge "Revert "Allow MediaProvider to host FUSE devices."" 2020-01-10 21:17:15 +00:00
Treehugger Robot
623fb38952 Merge "priv_app: Remove rules allowing a priv-app to ptrace itself" 2020-01-10 20:23:06 +00:00
Ashwini Oruganti
a40840daa8 priv_app: Remove rules for system_update_service
We added an auditallow for these permissions on 11/26/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.

Bug: 142672293
Test: TH
Change-Id: Ic2f68b3af861e0c00e2dea731c4d6b3255ab5175
2020-01-10 11:17:00 -08:00
Treehugger Robot
1f9ecdc894 Merge "Allow zygote to relabel CE and DE dirs from tmpfs to system_data_file" 2020-01-10 19:11:33 +00:00
Treehugger Robot
6df27928dd Merge "priv_app: Remove rules for storaged" 2020-01-10 14:49:32 +00:00
Ricky Wai
b2b7c02e7d Allow zygote to relabel CE and DE dirs from tmpfs to system_data_file
Also, allow zygote to scan dirs in /mnt/expand and relabel.

Test: No denials at boot
Test: No denials seen when creating mounts
Bug: 143937733
Change-Id: I86e77d27f5e9fb2f5852f787c7e5d9179c7404aa
2020-01-10 14:26:40 +00:00
Ashwini Oruganti
2ba18e99d8 priv_app: Remove rules allowing a priv-app to ptrace itself
We added an auditallow for these permissions on 12/11/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.

Bug: 142672293
Test: TH
Change-Id: Iaeaef560883b61644625b21e5c7095d4d9c68da9
2020-01-09 13:37:30 -08:00
Ashwini Oruganti
75ccb46de7 priv_app: Remove rules for keystore
We added an auditallow for these permissions on 11/26/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.

Bug: 142672293
Test: TH
Change-Id: I18f99f54385b7c4e7c2ae923eff4c76800323a73
2020-01-09 13:23:40 -08:00
Ashwini Oruganti
d1a8f0dcb4 priv_app: Remove rules for storaged
We added an auditallow for these permissions on 11/26/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.

Bug: 142672293
Test: TH
Change-Id: I2a59cac8041646b548ba1a73fcd5fddabb4d1429
2020-01-09 13:02:38 -08:00
Nikita Ioffe
0b099c801d Merge "Add userspace_reboot_config_prop property type" 2020-01-09 10:05:18 +00:00
Anton Hansson
7130e677ed Merge "Rename sdkext sepolicy to sdkextensions" 2020-01-09 08:46:08 +00:00
Treehugger Robot
4f362b1c68 Merge "priv_app: Remove rules for update_engine" 2020-01-08 23:21:27 +00:00
Nikita Ioffe
f596cc859b Add userspace_reboot_config_prop property type
This property type will be used for read-only userspace reboot related
properties that are used to configure userspace reboot behaviour, e.g.:
* timeout for userspace reboot watchdog;
* timeout for services to terminate;
* timeout for services to shutdown;
* etc.

Since all this configuration is device specific, vendor_init should be
able to set these properties.

Test: build/soong/soong_ui.bash \
  --make-mode \
  TARGET_PRODUCT=full \
  TARGET_BUILD_VARIANT=eng \
  droid \
  dist DIST_DIR=/tmp/buildbot/dist_dirs/aosp-master-linux-full-eng/funwithprops \
  checkbuild
Bug: 135984674
Bug: 147374477

Change-Id: I1f69980aea6020e788d5d2acaf24c0231939907c
2020-01-08 22:43:57 +00:00
Treehugger Robot
c66a329a48 Merge "priv_app.te: Remove auditallows for shell_data_file" 2020-01-08 22:26:38 +00:00
Jon Spivack
c8c6c0060e Merge "Add aidl_lazy_test_server" 2020-01-08 22:26:31 +00:00
Ashwini Oruganti
5d395b253c priv_app: Remove rules for update_engine
We added an auditallow for these permissions on 11/26/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.

Bug: 142672293
Test: TH
Change-Id: I554ace42852023521e94017b1e782b6a09129fdf
2020-01-08 13:54:38 -08:00
Ashwini Oruganti
977fdd98fe priv_app.te: Remove auditallows for shell_data_file
Looking at go/sedenials, we have learnt that other priv-apps rely on
this permission. The auditallow has served its purpose and can now be
removed.

Bug: 142672293
Test: TH
Change-Id: I9ba1cbfa9ae90ae64e78276e5c1a699aa2a7f864
2020-01-08 13:29:59 -08:00
Zimuzo Ezeozue
74a6730767 Revert "Allow MediaProvider to host FUSE devices."
This reverts commit b56cc6fb1f.

Reason for revert: Not necessary

Change-Id: I99d7df2435294e78b753149e20377e78c1c60d36
2020-01-08 20:54:28 +00:00
Andrei-Valentin Onea
5e4a45f403 Merge "Make platform_compat accessible on release builds." 2020-01-08 18:42:44 +00:00
Anton Hansson
b84133555a Rename sdkext sepolicy to sdkextensions
The module is getting renamed, so rename all the policy
relating to it at the same time.

Bug: 137191822
Test: presubmit
Change-Id: Ia9d966ca9884ce068bd96cf5734e4a459158c85b
Merged-In: Ia9d966ca9884ce068bd96cf5734e4a459158c85b
(cherry picked from commit 6505573c36)
2020-01-08 11:41:18 +00:00
Treehugger Robot
3e93ffb62f Merge "vendor_init can set config.disable_cameraservice" 2020-01-08 06:59:48 +00:00
Jon Spivack
ae2df6b5de Add aidl_lazy_test_server
This is a test service for testing dynamic start/stop of AIDL services. In order to test realistic use cases with SELinux enabled, it requires the same permissions as a regular service.

Bug: 147153962
Test: aidl_lazy_test aidl_lazy_test_1 aidl_lazy_test_2
Change-Id: Ifc3b2eaefba9c06c94f9cf24b4474107d4e26563
2020-01-07 15:11:03 -08:00
Ashwini Oruganti
86e110e688 gmscore_app: Enforce all rules for the domain
This change flips the switch and stops running gmscore_app in permissive
mode. Looking at the data in go/sedenials, we don't see any untracked
denial that isn't occurring for the priv_app domain as well. gmscore
should have all the necessary permissions it had was running in the
priv_app domain.

Bug: 142672293
Test: Build, flash, boot.
Change-Id: I0db56671cdfccbd79cd303bc2a819260ef7677fe
2020-01-07 10:53:49 -08:00
Robin Lee
cbfe879fe6 vendor_init can set config.disable_cameraservice
This had been settable by vendors up to and including Q release by
making config_prop avendor_init writeable. We don't allow this any
more. This should be a real vendor settable property now.

Bug: 143755062
Test: adb logcat -b all | grep cameraservice
Test: atest CtsCameraTestCases
Change-Id: Id583e899a906da8a8e8d71391ff2159a9510a630
2020-01-07 06:57:42 +00:00
Howard Chen
a44b9cb8cc Allow gsid to create subdirectories under /metadata/gsi/dsu
Bug: 144247097
Test: adb shell gsi_tool install --gsi-size $(du -b system.raw|cut -f1) < system.raw

Change-Id: I37a2cd78fcdca32413958a306e687afe309c3bbc
2020-01-07 02:52:49 +00:00