Commit graph

26 commits

Author SHA1 Message Date
Eric Biggers
17369bef4a Remove init's write access to /data/user and /data/media
As a follow-up to https://r.android.com/2078213, remove init's write
access to directories with type system_userdir_file or
media_userdir_file.  This has been made possible by moving the creation
of /data/user/0 and /data/media/obb to vold.

Bug: 156305599
Change-Id: Ib9f43f2b111518833efe08e8cacd727c75b80266
2022-05-12 00:19:29 +00:00
Eric Biggers
9a5992336e Restrict creating per-user encrypted directories
Creating a per-user encrypted directory such as /data/system_ce/0 and
the subdirectories in it too early has been a recurring bug.  Typically,
individual services in system_server are to blame; system_server has
permission to create these directories, and it's easy to write
"mkdirs()" instead of "mkdir()".  Such bugs are very bad, as they
prevent these directories from being encrypted, as encryption policies
can only be set on empty directories.  Due to recent changes, a factory
reset is now forced in such cases, which helps detect these bugs;
however, it would be much better to prevent them in the first place.

This CL locks down the ability to create these directories to just vold
and init, or to just vold when possible.  This is done by assigning new
types to the directories that contain these directories, and then only
allowing the needed domains to write to these parent directories.  This
is similar to what https://r.android.com/1117297 did for /data itself.

Three new types are used instead of just one, since these directories
had three different types already (system_data_file, media_rw_data_file,
vendor_data_file), and this allows the policy to be a bit more precise.

A significant limitation is that /data/user/0 is currently being created
by init during early boot.  Therefore, this CL doesn't help much for
/data/user/0, though it helps a lot for the other directories.  As the
next step, I'll try to eliminate the /data/user/0 quirk.  Anyway, this
CL is needed regardless of whether we're able to do that.

Test: Booted cuttlefish.  Ran 'sm partition disk:253,32 private', then
      created and deleted a user.  Used 'ls -lZ' to check the relevant
      SELinux labels on both internal and adoptable storage.  Also did
      similar tests on raven, with the addition of going through the
      setup wizard and using an app that creates media files.  No
      relevant SELinux denials seen during any of this.
Bug: 156305599
Change-Id: I1fbdd180f56dd2fe4703763936f5850cef8ab0ba
2022-05-05 04:12:46 +00:00
Eric Biggers
9bf0a0c141 Remove some FDE rules and update comments
Now that FDE (Full Disk Encryption) is no longer supported, the SELinux
policy doesn't need to support it.  Remove two rules that are no longer
needed.  Also update some comments that implied that other rules were
needed only because of FDE support, when actually they are still needed
for other reasons.  Finally, fix some outdated documentation links.

Bug: 208476087
Change-Id: I4e03dead91d34fcefdfcdc68d44dd97f433d6eaf
2022-04-15 21:06:51 +00:00
Howard Chen
8720492f2e Allow vold to get the DSU status
Currently, the vold detects the factory reset by checking the
metadata encryption key. This logic is only valid when the
device is not in DSU mode. This CL allows vold to get the DSU
status.

Test: run DSU installation on a Pixel device
Bug: 199222795
Change-Id: Ia6ca3b27afd52347b132d7e2d8be244fb9f15e7d
2021-09-16 09:58:43 +08:00
Paul Crowley
bf29c3a2dc Allow vold to deleteAllKeys in Keystore
Add deleteAllKeys to IKeystoreMaintenance and allow vold to call it.
Allow vold to read the property
`ro.crypto.metadata_init_delete_all_keys.enabled`

Bug: 187105270
Test: booted twice on Cuttlefish
Change-Id: I2fb0e94db9d35c1f19ca7acb2f541cfb13c23524
2021-08-10 21:51:09 -07:00
Eric Biggers
040ce199b2 Fix permissions for vold.post_fs_data_done
The system property "vold.post_fs_data_done" is used by init and vold to
communicate with each other in order to set up FDE on devices that use
FDE.  It needs to be gettable and settable by vold, and settable by init
and vendor_init.  This was the case in Android 11 and earlier; however,
the change
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1277447
("Rename exported and exported2 vold prop") broke this by giving this
property the type "vold_config_prop", which made it no longer settable
by vold.

Since none of the existing property types appear to be appropriate for
this particular property, define a new type "vold_post_fs_data_prop" and
grant the needed domains permission to get/set it.

This is one of a set of changes that is needed to get FDE working again
so that devices that launched with FDE can be upgraded to Android 12.

Bug: 186165644
Test: Tested FDE on Cuttlefish
Change-Id: I2fd8af0091f8b921ec37381ad3b85a156d074566
2021-04-26 12:43:05 -07:00
Satya Tangirala
a999004528 Keystore 2.0: sepolicy changes for vold to use keystore2
Vold needs to be able to search for keystore2 and keystore2 maintenance
services, and call methods provided by those services.

Bug: 181910578
Change-Id: I6e336c3bfaabe158b850dc175b6c9a942dd717be
2021-04-07 02:14:33 -07:00
Satya Tangirala
5ef8686428 Keystore 2.0: Add early_boot_ended permission
Add early_boot_ended permission to the keystore2 access vector. This
permission must be checked before allowing calls to earlyBootEnded() on
Keymint devices.

Bug: 181821046
Bug: 181910578
Change-Id: I8860a4424a249455ab540b6c2896e7d836ceb8a3
2021-03-24 05:20:58 -07:00
Satya Tangirala
0653374e71 Add convert_storage_key_to_ephemeral to keystore2_key access vector
Introduce the convert_storage_key_to_ephemeral permission to the
keystore2_key access vector and give vold permission to use it. This
permission must be checked when a caller wants to get a per-boot
ephemeral key from a long lived wrapped storage key.

Bug: 181806377
Bug: 181910578
Change-Id: I542c084a8fab5153bc98212af64234e62e9ad032
2021-03-21 14:14:28 -07:00
Yo Chiang
ffe786ebd7 Allow gsid to find and binder-call vold
Bug: 168571434
Test: 1. Install a DSU system.
  2. Boot the DSU system and reboot back to the host system.
  3. Wipe the DSU installation.
  4. DSU metadata key dir /metadata/vold/metadata_encryption/dsu/dsu is
     destroyed.
Change-Id: I229a02abb7bd1f070bb078bdaf89fb27cc4bfa47
2020-10-23 20:30:00 +08:00
Janis Danisevskis
144c822018 Move list permission from keystore2_key to keystore class.
The list permission protects the ability to list arbitrary namespaces.
This is not a namespace specific permission but a Keystore specific
permission. Listing the entries of a given namsepace is covered by the
get_info permission already.

Ignore-AOSP-First: This needs to land in googleplex first to updated
                   prebuilt vendor images. Otherwise it breaks
                   aosp-with-phone builds.
Test: N/A
Change-Id: If6e79fd863a79acf8d8ab10c6362a4eeaa88a5b8
2020-10-01 05:33:31 +00:00
Xin Li
11da9e6792 Merge Android R (rvc-dev-plus-aosp-without-vendor@6692709)
Bug: 166295507
Merged-In: I6d0b1be1a46288fff42c3689dbef2f7443efebcc
Change-Id: I133180d20457b9f805f3da0915e2cf6e48229132
2020-08-29 01:45:24 -07:00
Janis Danisevskis
32d7738224 Setup vold_key keystore2_key namespace.
Allow vold to access its namespace using raw Keymint blobs.

Test: keystore2_test runs some tests against this policy.
Bug: 160623310
Bug: 158500146
Change-Id: Iaf338f1ac48dd56ef6e1b73cb3b8634a91e8bf9f
Merged-In: Iaf338f1ac48dd56ef6e1b73cb3b8634a91e8bf9f
2020-08-05 16:11:48 +00:00
Songchun Fan
6cc8757c66 Merge "Define vendor-specific property ro.incremental.enable" am: 10230b9749 am: 08a9c932af
Change-Id: I3a0d4150776da7555d4fea667d7cc71fc922148e
2020-05-02 20:27:28 +00:00
Songchun Fan
9fdcbcd29b Define vendor-specific property ro.incremental.enable
[cherry-picking]

Make ro.incremental.enable a vendor-specific property. Allow
system_server and vold to read this property.

Test: manual
BUG: 155212902
Change-Id: I8ff8837af635fa8e7b5bb02e5f6de5ac15b5023b
Merged-In: I8ff8837af635fa8e7b5bb02e5f6de5ac15b5023b
2020-05-01 10:27:51 -07:00
Martijn Coenen
4ba95161a9 Merge "Add external_storage properties." am: c3917f0ea9 am: 6d91301b2e
Change-Id: Idf0d542cff4c81085a5372d86b36ca3edd85c5db
2020-04-16 08:35:08 +00:00
Martijn Coenen
01234d371e Add external_storage properties.
Since these need to be set from a vendor context.

Bug: 152170470
Bug: 153525566
Test: N/A
Change-Id: I2e90ad08fa0a5bd2b4759d92f95d35cec2b316df
2020-04-15 17:30:41 +02:00
Inseob Kim
ad1e34422e Rename exported and exported2 vold prop am: 3f5a7d247a am: ea1deefaf2
Change-Id: I78d1be11192c807b5dcb75d0633a327953f73e5e
2020-04-07 15:21:22 +00:00
Inseob Kim
3f5a7d247a Rename exported and exported2 vold prop
This is a subtask to clean up bad context names "exported*_prop".

Bug: 152469526
Test: m
Change-Id: Ie2d4046732e9d6562294fa664dcd7f019aa7c229
2020-04-07 12:56:23 +09:00
Inseob Kim
55e5c9b513 Move system property rules to private
public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.

Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
2020-03-18 16:46:04 +00:00
Inseob Kim
42c7d8966c Move system property rules to private
public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.

Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
2020-03-19 00:15:01 +09:00
Paul Crowley
f9f7539430 Abolish calls to shell in vold
Never use popen, just execvp directly

Test: Two tests
- Ensure Marlin device boots and vold_prepare_subdirs is called
successfully
- Try adb shell sm set-virtual-disk true, see that eg sgdisk output is
logged.
Bug: 26735063
Bug: 113796163

Change-Id: Icb34140429db85098a0118a2b833772e3620e7ac
2018-11-30 16:02:04 -08:00
Jeff Vander Stoep
b5da252e45 domain_deprecated is dead
long live domain.te!

Remove all references.

Bug: 28760354
Test: build
Merged-In: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
Change-Id: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
2017-07-28 22:01:46 +00:00
Jeff Vander Stoep
7c34e83fcd Move domain_deprecated into private policy
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Merged-In: I31beeb5bdf3885195310b086c1af3432dc6a349b
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
(cherry picked from commit 76aab82cb3)
2017-07-24 07:39:54 -07:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00