Commit graph

13233 commits

Author SHA1 Message Date
Badhri Jagan Sridharan
4f6eb37f6c usbd sepolicy
Sepolicy for the usb daemon. (ag/3373886/)

Bug: 63669128
Test: Checked for avc denial messages.
Change-Id: I6e2a4ccf597750c47e1ea90c4d43581de4afa4af
2018-01-20 03:41:21 +00:00
Tri Vo
06d7dca4a1 Remove proc and sysfs access from system_app and platform_app.
Bug: 65643247
Test: manual
Test: browse internet
Test: take a picture
Change-Id: I9faff44b7a025c7422404d777113e40842ea26dd
2018-01-20 01:05:21 +00:00
Treehugger Robot
04b70519cf Merge "Label esdfs as sdcardfs" 2018-01-20 00:40:38 +00:00
Tao Bao
d7d9cfcad2 Add rules for system_update service.
system_update service manages system update information: system updater
(priv_app) publishes the pending system update info through the service,
while other apps can read the info accordingly (design doc in
go/pi-ota-platform-api).

This CL adds the service type, and grants priv_app to access the service.

Bug: 67437079
Test: Build and flash marlin image. The system_update service works.
Change-Id: I7a3eaee3ecd3e2e16b410413e917ec603566b375
2018-01-19 15:03:21 -08:00
Yifan Hong
829c6fef14 Merge "move /vendor VINTF data to /vendor/etc/vintf" 2018-01-19 22:01:28 +00:00
Daniel Rosenberg
9d0d6856c1 Label esdfs as sdcardfs
Test: esdfs should be mountable and usable with selinux on
Bug: 63876697
Change-Id: I7a1d96d3f0d0a6dbc1c98f0c4a96264938011b5e
2018-01-19 13:50:02 -08:00
Treehugger Robot
38adc92797 Merge "hal_usb_gadget sepolicy" 2018-01-19 21:41:00 +00:00
Treehugger Robot
2b38971ed1 Merge "Allow system apps to read log props." 2018-01-19 19:32:13 +00:00
Treehugger Robot
1572cbaffa Merge "Don't record audio if UID is idle - sepolicy" 2018-01-19 19:31:42 +00:00
Treehugger Robot
43ef5f21f1 Merge "No camera for idle uids - selinux" 2018-01-19 19:01:22 +00:00
Yifan Hong
8d8da6a2e2 move /vendor VINTF data to /vendor/etc/vintf
Test: boots
Test: hwservicemanager can read these files
Bug: 36790901
Change-Id: I0431a7f166face993c1d14b6209c9b502a506e09
2018-01-19 10:57:13 -08:00
Badhri Jagan Sridharan
7bee33e665 hal_usb_gadget sepolicy
Bug: 63669128
Test: Checked for avc denail messages.
Change-Id: I057b3cf9ccc945cb943b9cf60fc9cd6c023eddda
Merged-In: I057b3cf9ccc945cb943b9cf60fc9cd6c023eddda
2018-01-19 18:56:16 +00:00
Tri Vo
0338f7db2d Merge "Coredomain can't execute vendor code." 2018-01-19 17:47:33 +00:00
Treehugger Robot
536d195469 Merge "neverallow shell access to 'device' type" 2018-01-19 05:20:30 +00:00
Treehugger Robot
5d5284ad93 Merge "Disallow sysfs_leds to coredomains." 2018-01-19 04:56:36 +00:00
Jaekyun Seok
5971d678e6 Merge "Add rcs.publish.status to the whitelist" 2018-01-19 03:22:34 +00:00
Treehugger Robot
1dafee26ee Merge "charger: allow to read /sys/class/power_supply" 2018-01-19 03:18:43 +00:00
Steven Moreland
09fddac1d7 Disallow sysfs_leds to coredomains.
Bug: 70846424
Test: neverallow not tripped
Change-Id: I9e351ee906162a594930b5ab300facb5fe807f13
2018-01-18 18:10:06 -08:00
Yifan Hong
2d64886d08 charger: allow to read /sys/class/power_supply
Test: charger mode correctly shuts off when unplugged

Change-Id: I06a7ffad67beb9f6d9642c4f53c35067b0dc2b3d
Fixes: 71328882
2018-01-18 16:46:17 -08:00
Treehugger Robot
74828e65d5 Merge "Add default namespaces of odm properties" 2018-01-18 23:11:09 +00:00
Jaekyun Seok
34aad97ea9 Add rcs.publish.status to the whitelist
Bug: 72154054
Test: tested with walleye
Change-Id: I35271c6044946c4ec639409c914d54247cfb9f79
2018-01-19 07:35:44 +09:00
Tri Vo
5dab913441 neverallow shell access to 'device' type
Bug: 65643247
Test: builds, the change doesn't affect runtime behavior.

Change-Id: I621a8006db7074f124cb16a12662c768bb31e465
2018-01-18 21:56:00 +00:00
Tri Vo
3ac8456fed Merge "system_server: remove access sysfs_devices_system_cpu" 2018-01-18 20:26:30 +00:00
Treehugger Robot
ec4d4a5ed3 Merge "Suppress denials for non-API access" 2018-01-18 20:03:15 +00:00
Pavel Grafov
118e4969d2 Allow system apps to read log props.
This is needed to allow system apps to know whether security
logging is enabled, so that they can in this case log additional
audit events.

Test: logged a security event from locally modified KeyChain app.
Bug: 70886042
Change-Id: I9e18d59d72f40510f81d1840e4ac76a654cf6cbd
2018-01-18 17:22:28 +00:00
Jeff Vander Stoep
6d8a876a4c Suppress denials for non-API access
avc: denied { read } scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:proc_version:s0 tclass=file
avc: denied { read } scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:wifi_prop:s0 tclass=file
avc: denied { read } scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:net_dns_prop:s0 tclass=file

Bug: 72151306
Test: build
Change-Id: I4b658ccd128746356f635ca7955385a89609eea1
2018-01-18 08:55:02 -08:00
Jaekyun Seok
afca82a3bb Add default namespaces of odm properties
Since /odm is an extension of /vendor, its default property contexts
should be consistent with ones of /vendor.

Bug: 36796459
Test: tested on wahoo devices
Change-Id: Ia67ebe81e9c7102aab35a34f14738ed9a24811d3
2018-01-18 13:31:37 +09:00
Treehugger Robot
e3b05cf614 Merge "storaged: remove access to sysfs_type" 2018-01-18 01:25:42 +00:00
Tri Vo
e26da71344 Coredomain can't execute vendor code.
Bug: 62041836
Test: policies for internal devices build successfully

Change-Id: I6856c0ab9975210efd5b4bed17c103ba3364d1ab
2018-01-17 16:18:11 -08:00
Tri Vo
65565c1cfd Merge "Mark shell as system_executes_vendor_violators." 2018-01-17 23:46:22 +00:00
Chenbo Feng
566411edf2 Add sepolicy to lock down bpf access
Add a new set of sepolicy for the process that only netd use to load
and run ebpf programs. It is the only process that can load eBPF
programs into the kernel and is only used to do that. Add some
neverallow rules regarding which processes have access to bpf objects.

Test: program successfully loaded and pinned at sys/fs/bpf after device
boot. No selinux violation for bpfloader
Bug: 30950746

Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f
2018-01-17 23:19:30 +00:00
Tri Vo
35c65c1e01 system_server: remove access sysfs_devices_system_cpu
CpuFrequency.java seems to be the only thing that depends on
/sys/devices/system/cpu in system_server. And according to
b/68988722#comment15, that dependency is not exercised.

Bug: 68988722
Test: walleye boots without denials to sysfs_devices_system_cpu
Change-Id: If777b716bf74188581327b7f5aa709f5d88aad2d
2018-01-17 21:02:06 +00:00
Tri Vo
30a3157003 Mark shell as system_executes_vendor_violators.
Bug: 62041836
Test: sailfish sepolicy builds

Change-Id: Iad865fea852ab134dd848688e8870bc71f99788d
2018-01-17 09:39:22 -08:00
Andy Hung
8b049d5b6f dumpstate: add media.metrics
Test: adb bugreport
Bug: 71483452
Change-Id: Ibd98702c1f757f17ada61a906ae4e0ec750aac79
2018-01-17 09:36:20 -08:00
Yang Ni
1642d4059a Merge "Allow applications to use NN API HAL services" 2018-01-17 16:34:16 +00:00
Jeffrey Vander Stoep
66024968e9 Merge "Annotate denials" 2018-01-17 06:23:27 +00:00
Treehugger Robot
1757417211 Merge "Fix TODOs of duplicate property names for prefix and exact matching" 2018-01-17 05:35:55 +00:00
Svet Ganov
b9a1e7ba84 Don't record audio if UID is idle - sepolicy
If a UID is in an idle state we don't allow recording to protect
user's privacy. If the UID is in an idle state we allow recording
but report empty data (all zeros in the byte array) and once
the process goes in an active state we report the real mic data.
This avoids the race between the app being notified aboout its
lifecycle and the audio system being notified about the state
of a UID.

Test: Added - AudioRecordTest#testRecordNoDataForIdleUids
      Passing - cts-tradefed run cts-dev -m CtsMediaTestCases
              -t android.media.cts.AudioRecordTest

bug:63938985

Change-Id: I8c044e588bac4182efcdc08197925fddf593a717
2018-01-16 21:22:18 -08:00
Treehugger Robot
163fc775a6 Merge "Sepolicy: Allow perfprofd to contact dropbox" 2018-01-17 03:57:07 +00:00
Jeff Vander Stoep
1e1a3f7c58 Annotate denials
There is a race condition between when /data is mounted
and when processes attempt to access it. Attempting to access
/data before it's mounted causes an selinux denial. Attribute
these denials to a bug.

07-04 23:48:53.646   503   503 I auditd  : type=1400 audit(0.0:7): avc:
denied { search } for comm="surfaceflinger" name="/" dev="sda35" ino=2
scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:unlabeled:s0
tclass=dir permissive=0
07-15 17:41:18.100   582   582 I auditd  : type=1400 audit(0.0:4): avc:
denied { search } for comm="BootAnimation" name="/" dev="sda35" ino=2
scontext=u:r:bootanim:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
permissive=0

Bug: 68864350
Test: build
Change-Id: I07f751d54b854bdc72f3e5166442a5e21b3a9bf5
2018-01-16 19:47:36 -08:00
Tri Vo
48027a0067 storaged: remove access to sysfs_type
Bug: 68388678
Test: storaged-unit-tests
Change-Id: Iea1ba0131a389dc4396ff3ebe2cdf68dbd688c8a
2018-01-16 18:39:29 -08:00
Jaekyun Seok
f9d27887eb Fix TODOs of duplicate property names for prefix and exact matching
Duplicate property names are supported now for prefix and exact
matching.

Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: Ifd9d32eaece7370d69f121e88d5541f7a2e34458
2018-01-16 22:41:04 +00:00
Treehugger Robot
97753529fd Merge "Files under /vendor must have attribute vendor_file_type." 2018-01-16 21:52:50 +00:00
Michael Butler
ea331aa7b8 Allow applications to use NN API HAL services
The NeuralNetworks runtime is a library that communicates with
NeuralNetworks HIDL services and is linked by applications. To enable
the NN runtime to use these services, applications must have explicit
sepolicy permissions to find the NN services and communicate across
binder.

This CL relaxes neverallow rules for hal_neuralnetworks_*.

Because it is affecting pre-existing neverallow rules, this CL requires
a CTS rebuild.

Bug: 70340780
Test: mm
Test: ran neuralnetworks vts and cts binaries
Change-Id: I84f73ac77486681f91d1f8687268c0fa22a7ba0b
(cherry picked from commit 598870bebc4bb34542df81799b46f3cdcfb6723b)
2018-01-16 13:50:37 -08:00
Tri Vo
ba6cd7b1fe Merge "Introduce system_executes_vendor_violators attribute." 2018-01-16 20:07:00 +00:00
Treehugger Robot
0432e19f44 Merge "Improve neverallow error messages and allow disabling them on userdebug builds." 2018-01-16 18:59:25 +00:00
Yifan Hong
00ab5d86be Allow shell to start vendor shell
Test: adb shell /vendor/bin/sh
Fixes: 65448858
Change-Id: Ic2c9fa9b7e5bed3e1532f4e545f54a857ea99fc6
2018-01-16 18:28:51 +00:00
Tri Vo
282dbf7bbb Introduce system_executes_vendor_violators attribute.
We use this attribute to annotate coredomains that execute vendor code
in a Treble-violating way.

Bug: 62041836
Test: sepolicy builds
Change-Id: Ie6052209b3901eaad8496b8fc9681421d7ee3c1c
2018-01-16 17:43:30 +00:00
Svet Ganov
9139ea1b2a No camera for idle uids - selinux
If a UID is idle (being in the background for more than
cartain amount of time) it should not be able to use the
camera. If the UID becomes idle we generate an eror and
close the cameras for this UID. If an app in an idle UID
tries to use the camera we immediately generate an error.
Since apps already should handle these errors it is safe
to apply this policy to all apps to protect user privacy.

Test: Pass - cts-tradefed run cts -m CtsCameraTestCases
      Added - CameraTest#testCameraAccessForIdleUid

Change-Id: I9ab3d6ec99764a93638746f18912ed60d299015f
2018-01-15 16:12:06 -08:00
Nathan Harold
ee268643c1 Allow More Apps to Recv UDP Sockets from SystemServer
This gives the privilege to system apps, platform apps,
ephemeral apps, and privileged apps to receive a
UDP socket from the system server. This is being added
for supporting UDP Encapsulation sockets for IPsec, which
must be provided by the system.

This is an analogous change to a previous change that
permitted these sockets for untrusted_apps:
0f75a62e2c

Bug: 70389346
Test: IpSecManagerTest, System app verified with SL4A
Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31
2018-01-15 23:10:42 +00:00