Commit graph

8176 commits

Author SHA1 Message Date
Nick Kralevich
4e404290e4 Move net.dns* to its own label.
Move net.dns* from net_radio_prop to the newly created label
net_dns_prop. This allows finer grain control over this specific
property.

Prior to this change, this property was readable to all SELinux domains,
and writable by the following SELinux domains:

  * system_server
  * system_app (apps which run as UID=system)
  * netmgrd
  * radio

This change:

1) Removes read access to this property for everyone EXCEPT untrusted_app
and system_server.
2) Limits write access to system_server.

In particular, this change removes read access to priv_apps. Any
priv_app which ships with the system should not be reading this
property.

Bug: 34115651
Test: Device boots, wifi turns on, no problems browsing the internet
Change-Id: I8a32e98c4f573d634485c4feac91baa35d021d38
2017-02-09 16:14:05 -08:00
Nick Kralevich
8b63356bd3 Address auditallow spam from init
Init has access to a number of character devices inherited via
domain.te. Exclude those character devices from the auditallow
logging.

In addition, init has access to a number of character devices explicitly
listed in init.te. Exclude those from auditallow logging too.

Addresses various auditallow spam, including:

avc: granted { read open } for comm="init" path="/dev/urandom"
dev="tmpfs" ino=1197 scontext=u:r:init:s0
tcontext=u:object_r:random_device:s0 tclass=chr_file

avc: granted { read open } for comm="init" path="/dev/ptmx" dev="tmpfs"
ino=1294 scontext=u:r:init:s0 tcontext=u:object_r:ptmx_device:s0
tclass=chr_file

avc: granted { read } for comm="init" name="keychord" dev="tmpfs"
ino=1326 scontext=u:r:init:s0 tcontext=u:object_r:keychord_device:s0
tclass=chr_file

avc: granted { read open } for comm="init" path="/dev/keychord"
dev="tmpfs" ino=1326 scontext=u:r:init:s0
tcontext=u:object_r:keychord_device:s0 tclass=chr_file

and others not covered above.

Bug: 35197529
Bug: 33347297
Test: policy compiles and no auditallow denials.
Change-Id: Id869404a16c81c779943e9967eb32da226b6047e
2017-02-09 12:18:05 -08:00
Jeff Tinker
fbd43f03a5 Fix selinux denial for binderized drm hal
Change-Id: I19d65a83c5c3f42296e8cd8a425bf1f64651068f
related-to-bug:32815560
2017-02-08 20:48:18 +00:00
Alex Klyubin
84aebd3c9b Move binderservicedomain policy to private
This leaves only the existence of binderservicedomain attribute as
public API. All other rules are implementation details of this
attribute's policy and are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules to do with *_current targets
      referenced in binderservicedomain.te.
Bug: 31364497
Change-Id: Ic830bcc5ffb6d624e0b3aec831071061cccc513c
2017-02-08 09:09:39 -08:00
Alex Klyubin
865a04b142 Merge "Add incident command and incidentd daemon se policy." 2017-02-08 16:54:37 +00:00
Andre Eisenbach
6e3a5d0053 Bluetooth: Enable /proc access for vendor library low power control
Bug: 35097918
Test: manual
Change-Id: I84a1eaae99ebd04f0f8a6990b2f85ed7f2e11182
2017-02-08 04:31:53 +00:00
Alex Klyubin
83ac242fb9 Move blkid policy to private
This leaves only the existence of blkid and blkid_untrusted domains as
public API. All other rules are implementation details of these
domains' policy and are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules to do with blkid_current and
      blkid_untrusted_current (as expected).
Bug: 31364497
Change-Id: I0dda2feeb64608b204006eecd8a7c9b9c7bb2b81
2017-02-07 23:57:53 +00:00
Joe Onorato
41f93db9de Add incident command and incidentd daemon se policy.
Test: adb shell incident
Bug: 31122534
Change-Id: I4ac9c9ab86867f09b63550707673149fe60f1906
2017-02-07 15:52:07 -08:00
Alex Klyubin
29dee5383e Merge "Move system_server policy to private" 2017-02-07 21:43:37 +00:00
Alex Klyubin
a2a538ee5f Merge "Move atrace policy to private" 2017-02-07 21:42:27 +00:00
Alex Klyubin
7562c0449e Merge "Move audioserver policy to private" 2017-02-07 21:41:57 +00:00
Treehugger Robot
2ba80ab006 Merge "Move surfaceflinger policy to private" 2017-02-07 21:28:01 +00:00
Alex Klyubin
432bc0e55b Merge "Move adbd policy to private" 2017-02-07 20:57:51 +00:00
Alex Klyubin
59322f1aef Move system_server policy to private
This leaves only the existence of system_server domain as public API.
All other rules are implementation details of this domain's policy
and are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules to do with
      system_server_current except those created by other domains'
      allow rules referencing system_server domain from public and
      vendor policies.
Bug: 31364497

Change-Id: Ifd76fa83c046b9327883eb6f0bbcd2113f2dd1a4
2017-02-07 20:24:05 +00:00
Alex Klyubin
357c1617f7 Move atrace policy to private
atrace and its atrace_exec now exist only in private policy.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules to do with atrace_current
      which is expected now that atrace cannot be referenced from
      public or vendor policy.
Bug: 31364497

Change-Id: Ib726bcf73073083420c7c065cbd39dcddd7cabe3
2017-02-07 10:54:20 -08:00
Alex Klyubin
238ce796a4 Move audioserver policy to private
This leaves only the existence of audioserver domain as public API.
All other rules are implementation details of this domain's policy
and are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules to do with audioserver_current
      except those created by other domains' allow rules referencing
      audioserver domain from public and vendor policies.
Bug: 31364497

Change-Id: I6662394d8318781de6e3b0c125435b66581363af
2017-02-07 10:47:18 -08:00
Dimitry Ivanov
c7125fa230 Allow getattr on rootfs:lnk_file for all domains
Bug: http://b/32123312
Test: mm && boot
Change-Id: I6550fbe2bd5f9f5a474419b483b0f786d4025e88
2017-02-07 18:08:03 +00:00
Alex Klyubin
5d30beb1b2 Move surfaceflinger policy to private
This leaves only the existence of surfaceflinger domain as public API.
All other rules are implementation details of this domain's policy
and are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules to do with
      surfaceflinger_current except those created by other domains'
      allow rules referencing surfaceflinger domain from public and
      vendor policies.
Bug: 31364497

Change-Id: I177751afad82ec27a5b6d2440cf0672cb5b9dfb8
2017-02-07 10:06:12 -08:00
Alex Klyubin
8309f0a299 Move adbd policy to private
This leaves only the existence of adbd domain as public API. All other
rules are implementation details of this domain's policy and are thus
now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules to do with adbd_current except
      those created by other domains' allow rules referencing adbd
      domain from public and vendor policies.

Bug: 31364497
Change-Id: Icdce8b89f67c70c6c4c116471aaa412e55028cd8
2017-02-07 09:55:05 -08:00
Treehugger Robot
b916c4d1ea Merge "Move bluetooth policy to private" 2017-02-07 17:48:47 +00:00
Alex Klyubin
485ba85fe4 Merge "Move bluetoothdomain policy to private" 2017-02-07 17:48:37 +00:00
Treehugger Robot
4a8b123634 Merge "Move mdnsd policy to private" 2017-02-07 02:36:33 +00:00
Treehugger Robot
81d1fa3c73 Merge "Move netdomain policy to private" 2017-02-07 01:46:08 +00:00
Treehugger Robot
43916281b7 Merge "Allow HWC to be binderized" 2017-02-06 23:45:27 +00:00
Alex Klyubin
661430e061 Move bluetoothdomain policy to private
This leaves only the existence of bluetoothdomain attribute as public
API. All other rules are implementation details of this attribute's
policy and are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow bluetoothdomain bluetooth_current
      rule (as expected).
Bug: 31364497

Change-Id: I0edfc30d98e1cd9fb4f41a2900954d9cdbb4db14
2017-02-06 15:32:08 -08:00
Alex Klyubin
801b5ec472 Move bluetooth policy to private
This leaves only the existence of bluetooth domain as public API.
All other rules are implementation details of this domain's policy
and are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules to do with bluetooth_current
      except those created by other domains' allow rules referencing
      bluetooth domain from public and vendor policy.
Bug: 31364497

Change-Id: I3521b74a1a9f6c5a5766b358e944dc5444e3c536
2017-02-06 15:29:10 -08:00
Alex Klyubin
d833f6ba95 Move mdnsd policy to private
This leaves only the existence of mdnsd domain as public API. All
other rules are implementation details of this domain's policy and
are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules to do with mdnsd_current (as
      expected).
Bug: 31364497

Change-Id: Ia4f01d91e7d593401e8cde2d796a0f1023f6dae4
2017-02-06 15:02:32 -08:00
Alex Klyubin
372dc67fcc Move netdomain policy to private
This leaves only the existence of netdomain attribute as public API.
All other rules are implementation details of this attribute's policy
and are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules to do with netdomain_current
      and *_current attributes targeted when netdomain rules reference
      public types.
Bug: 31364497
Change-Id: I102e649374681ce1dd9e1e5ccbaaa5cb754e00a0
2017-02-06 15:02:00 -08:00
Chia-I Wu
1b95d88c6d Allow HWC to be binderized
Test: manual
Bug: 32021609
Change-Id: I6793794f3b1fb95b8dd9336f75362447de618274
2017-02-06 12:50:03 -08:00
Stephen Smalley
4921085d9c Remove obsolete netlink_firewall_socket and netlink_ip6fw_socket classes.
The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols
was removed from the kernel in commit
d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue
support") circa Linux 3.5.  Unless we need to retain compatibility
for kernels < 3.5, we can drop these classes from the policy altogether.

Possibly the neverallow rule in app.te should be augmented to include
the newer netlink security classes, similar to webview_zygote, but
that can be a separate change.

Test: policy builds

Change-Id: Iab9389eb59c96772e5fa87c71d0afc86fe99bb6b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-02-06 14:24:41 -05:00
Stephen Smalley
431bdd9f2f Define extended_socket_class policy capability and socket classes
Add a definition for the extended_socket_class policy capability used
to enable the use of separate socket security classes for all network
address families rather than the generic socket class.  The capability
also enables the use of separate security classes for ICMP and SCTP
sockets, which were previously mapped to rawip_socket class.  Add
definitions for the new socket classes and access vectors enabled by
this capability.  Add the new socket classes to the socket_class_set
macro, and exclude them from webview_zygote domain as with other socket
classes.

Allowing access by specific domains to the new socket security
classes is left to future commits.  Domains previously allowed
permissions to the 'socket' class will require permission to the
more specific socket class when running on kernels with this support.

The kernel support will be included upstream in Linux 4.11.  The
relevant kernel commits are da69a5306ab92e07224da54aafee8b1dccf024f6
("selinux: support distinctions among all network address families"),
ef37979a2cfa3905adbf0c2a681ce16c0aaea92d ("selinux: handle ICMPv6
consistently with ICMP"), and b4ba35c75a0671a06b978b6386b54148efddf39f
("selinux: drop unused socket security classes").

This change requires selinux userspace commit
d479baa82d67c9ac56c1a6fa041abfb9168aa4b3 ("libsepol: Define
extended_socket_class policy capability") in order to build the
policy with this capability enabled.  This commit is already in
AOSP master.

Test: policy builds

Change-Id: I788b4be9f0ec0bf2356c0bbef101cd42a1af49bb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-02-06 13:53:11 -05:00
Stephen Smalley
8a00360706 Define the user namespace capability classes and access vectors.
Kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f
(selinux: distinguish non-init user namespace capability checks)
introduced support for distinguishing capability
checks against a target associated with the init user namespace
versus capability checks against a target associated with a non-init
user namespace by defining and using separate security classes for the
latter.  This support is needed on Linux to support e.g. Chrome usage of
user namespaces for the Chrome sandbox without needing to allow Chrome to
also exercise capabilities on targets in the init user namespace.

Define the new security classes and access vectors for the Android policy.
Refactor the original capability and capability2 access vector definitions
as common declarations to allow reuse by the new cap_userns and cap2_userns
classes.

This change does not allow use of the new classes by any domain; that
is deferred to future changes as needed if/when Android enables user
namespaces and the Android version of Chrome starts using them.

The kernel support went upstream in Linux 4.7.

Based on the corresponding refpolicy patch by Chris PeBenito, but
reworked for the Android policy.

Test: policy builds

Change-Id: I71103d39e93ee0e8c24816fca762944d047c2235
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-02-06 13:53:11 -05:00
Abodunrinwa Toki
5470aefbe8 Merge "Declare new textclassification system service." 2017-02-06 18:52:28 +00:00
Josh Gao
d765766bcb Merge changes from topic 'debuggerd_ambient'
* changes:
  crash_dump: dontaudit CAP_SYS_PTRACE denial.
  crash_dump: don't allow CAP_SYS_PTRACE or CAP_KILL.
2017-02-06 18:37:55 +00:00
Chad Brubaker
46e5a060f6 Move neverallows from untrusted_app.te to app_neverallows.te
The neverallows in untrusted_app will all apply equally to ephemeral app
and any other untrusted app domains we may add, so this moves them to a
dedicated separate file.

This also removes the duplicate rules from isolated_app.te and ensures
that all the untrusted_app neverallows also apply to isolated_app.

Test: builds
Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-02-06 10:16:50 -08:00
Chad Brubaker
4c40d7344c Merge ephemeral data and apk files into app
The rules for the two types were the same and /data/app-ephemeral is
being removed. Remove these types.

Test: Builds
Change-Id: I520c026395551ad1362dd2ced53c601d9e6f9b28
2017-02-06 10:16:50 -08:00
Abodunrinwa Toki
387367df19 Declare new textclassification system service.
Bug: 34781862
Test: none
Change-Id: Ie628dca592a68ed67a68dda2f3d3e0516e995c80
2017-02-04 04:11:51 +00:00
Treehugger Robot
a38067c770 Merge "Exclude dev/null from auditing - was producing log spam." 2017-02-03 23:04:55 +00:00
Tianjie Xu
254ce3fbe8 Merge "Allow update_verifier to read dm blocks" 2017-02-03 21:50:07 +00:00
Max Bires
f47ee7fbd2 Exclude dev/null from auditing - was producing log spam.
Test: Device boots
Change-Id: I2fb0a03c9ed84710dc2db7b170c572a2eae45412
2017-02-03 13:26:32 -08:00
Tianjie Xu
d5cdca08c7 Allow update_verifier to read dm blocks
Update_verifier will read the dm-wrapped system/vendor partition. Therefore,
change the sepolicy accordingly.

Here's the denied message:
update_verifier: type=1400 audit(0.0:131): avc: denied { read } for
name="dm-0" dev="tmpfs" ino=15493 scontext=u:r:update_verifier:s0
tcontext=u:object_r:dm_device:s0 tclass=blk_file permissive=0

Bug: 34391662
Test: Read of /dev/block/dm-0 succeeds during boot time.
Change-Id: I23325bd92f6e28e9b1d62a0f2348837cece983d1
2017-02-03 21:00:30 +00:00
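The "Address auditallow spam from init" and "Allow update_verifier to read dm blocks" commits above both start from raw AVC records and end in a policy edit. This added helper (not part of the AOSP sepolicy project) parses the AVC lines quoted in those two commit messages, collapses the per-inode noise into one row per (verdict, source type, target type, class), and renders the policy edit each row points at: an auditallow exclusion for `granted` spam, a candidate allow rule for a `denied` record. The sample log is the page's own messages re-joined one record per line; the rendering format of the suggestions is my own.

```python
import re

# Constructed sample: the AVC messages quoted in the two commit messages,
# re-joined one record per line as logcat emits them (ino values as quoted).
SAMPLE_LOG = """\
avc: granted { read open } for comm="init" path="/dev/urandom" dev="tmpfs" ino=1197 scontext=u:r:init:s0 tcontext=u:object_r:random_device:s0 tclass=chr_file
avc: granted { read open } for comm="init" path="/dev/ptmx" dev="tmpfs" ino=1294 scontext=u:r:init:s0 tcontext=u:object_r:ptmx_device:s0 tclass=chr_file
avc: granted { read } for comm="init" name="keychord" dev="tmpfs" ino=1326 scontext=u:r:init:s0 tcontext=u:object_r:keychord_device:s0 tclass=chr_file
avc: granted { read open } for comm="init" path="/dev/keychord" dev="tmpfs" ino=1326 scontext=u:r:init:s0 tcontext=u:object_r:keychord_device:s0 tclass=chr_file
update_verifier: type=1400 audit(0.0:131): avc: denied { read } for name="dm-0" dev="tmpfs" ino=15493 scontext=u:r:update_verifier:s0 tcontext=u:object_r:dm_device:s0 tclass=blk_file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>granted|denied)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (verdict, src_type, tgt_type, tclass, perms) for one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # u:r:init:s0 -> init ; u:object_r:random_device:s0 -> random_device
    src = m.group('scontext').split(':')[2]
    tgt = m.group('tcontext').split(':')[2]
    return (m.group('verdict'), src, tgt, m.group('tclass'),
            frozenset(m.group('perms').split()))

def summarize(log_text):
    """Collapse per-inode noise into {(verdict, src, tgt, tclass): (perms, count)}."""
    rows = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        verdict, src, tgt, tclass, perms = rec
        seen, n = rows.get((verdict, src, tgt, tclass), (frozenset(), 0))
        rows[(verdict, src, tgt, tclass)] = (seen | perms, n + 1)
    return rows

def suggest_rules(rows):
    """granted: access is already allowed, so exclude the target type from the
    auditallow (as the init change did); denied: a candidate allow rule to review."""
    out = []
    for (verdict, src, tgt, tclass), (perms, n) in sorted(rows.items()):
        plist = ' '.join(sorted(perms))
        if verdict == 'granted':
            out.append(f'exclude from auditallow: -{tgt}  # {src} {tclass} {{ {plist} }} x{n}')
        else:
            out.append(f'allow {src} {tgt}:{tclass} {{ {plist} }};  # review before adding, x{n}')
    return out
```

Run `suggest_rules(summarize(SAMPLE_LOG))` against a real `logcat -b events`/`dmesg` capture to get the same triage list; the keychord pair collapses into one row with the union of its permissions.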
Jiyong Park
9eff8526b7 Merge "configstore: add selinux policy for configstore@1.0 hal" 2017-02-02 23:07:18 +00:00
Eugene Susla
b598b47f1a Merge "SELinux permissions for companion device system service" 2017-02-02 21:11:34 +00:00
Jiyong Park
ebec1aa2b7 configstore: add selinux policy for configstore@1.0 hal
This change adds selinux policy for configstore@1.0 hal. Currently, only
surfaceflinger has access to the HAL, but this needs to be widened.

Bug: 34314793
Test: build & run

Merged-In: I40e65032e9898ab5f412bfdb7745b43136d8e964
Change-Id: I40e65032e9898ab5f412bfdb7745b43136d8e964
(cherry picked from commit 5ff0f178ba)
2017-02-02 17:46:41 +09:00
Josh Gao
943d7ed51e crash_dump: dontaudit CAP_SYS_PTRACE denial.
Bug: http://b/34853272
Test: debuggerd -b `pidof zygote`
Change-Id: I0b18117754e77cfa94cf0b95aff32edb578b1a95
2017-02-01 17:56:07 -08:00
Josh Gao
4d140237b5 crash_dump: don't allow CAP_SYS_PTRACE or CAP_KILL.
Bug: http://b/34853272
Test: debuggerd -b `pidof system_server`
Change-Id: I4c08efb9dfcc8610143f722ae0674578a2ed6869
2017-02-01 17:56:07 -08:00
Max Bires
3171829af3 Removing init and ueventd access to generic char files
There are many character files that are unreachable to all processes
under selinux policies. Ueventd and init were the only two domains that
had access to these generic character files, but auditing proved there
was no use for that access. In light of this, access is being completely
revoked so that the device nodes can be removed, and a neverallow is
being audited to prevent future regressions.

Test: The device boots
Bug: 33347297
Change-Id: If050693e5e5a65533f3d909382e40f9c6b85f61c
2017-02-01 21:35:08 +00:00
Mark Salyzyn
542a46267f Merge "logd: add getEventTag command and service" 2017-02-01 21:24:06 +00:00
Eugene Susla
3411dfb6b0 SELinux permissions for companion device system service
Required for I0aeb653afd65e4adead13ea9c7248ec20971b04a

Test: Together with I0aeb653afd65e4adead13ea9c7248ec20971b04a, ensure that the
system service works
Bug: b/30932767
Change-Id: I994b1c74763c073e95d84222e29bfff5483c6a07
2017-02-01 13:07:17 -08:00
Calin Juravle
01ee59a7b4 Remove SElinux audit to libart_file
Since it was introduced, it has caused quite a few issues and it spams the
SElinux logs unnecessarily.

The end goal of the audit was to whitelist the access to the
interpreter. However that's unfeasible for now given the complexity.

Test: device boots and everything works as expected
      no more auditallow logs

Bug: 29795519
Bug: 32871170
Change-Id: I9a7a65835e1e1d3f81be635bed2a3acf75a264f6
2017-01-31 23:43:14 +00:00