Commit graph

3266 commits

Author SHA1 Message Date
Jerry Zhang
1d85efa9f4 Add sepolicy for fastbootd
Also allow adb and fastboot to talk to recovery
through recovery_socket. This enables changing
between modes with usb commands.

Test: No selinux denials
Bug: 78793464
Change-Id: I80c54d4eaf3b94a1fe26d2280af4e57cb1593790
2018-08-15 08:45:22 -07:00
Florian Mayer
c2ab15b798 Revert "Add sepolicy for fastbootd"
This reverts commit 0fd3ed3b8b.

Reason for revert: Broke user builds.

Change-Id: If95f1a25d22425a5a2b68a02d1561352fb5a52f0
2018-08-15 09:38:40 +00:00
Steven Moreland
fa3c138a9c Remove old incidentd socket allow.
Forgotten cleanup item.

Bug: 35870313
Test: making sepolicy (neverallows resolved at compile time)
Change-Id: If9a583c4508db63356869502ec374727afa84b0b
2018-08-14 23:47:00 +00:00
Nick Kralevich
855084960f Fix m4 warnings
Quotes and backticks are sensitive characters and should never show up
in a comment. Fix comment to avoid the use of a single quote. Also fixes
a bug where certain rules were not getting included in the compiled
policy.

Fixes the following build warnings:

[  3% 3564/114975] build out/target/product/taimen/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.conf
m4:system/sepolicy/public/te_macros:404: Warning: excess arguments to builtin `define' ignored
[  3% 3578/114975] build out/target/product/taimen/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy.conf
m4:system/sepolicy/public/te_macros:404: Warning: excess arguments to builtin `define' ignored
[  3% 3579/114975] build out/target/product/taimen/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_policy.conf
m4:system/sepolicy/public/te_macros:404: Warning: excess arguments to builtin `define' ignored
[  3% 3607/114975] build out/target/product/taimen/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
m4:system/sepolicy/public/te_macros:404: Warning: excess arguments to builtin `define' ignored
[  3% 3677/114975] build out/target/product/taimen/obj/ETC/built_plat_sepolicy_intermediates/base_plat_policy.conf
m4:system/sepolicy/public/te_macros:404: Warning: excess arguments to builtin `define' ignored

Test: policy compiles and no warnings.
Change-Id: Ie32d8b536955b40888b79e3a93851d2ae297f8ee
2018-08-14 14:42:54 -07:00
Jerry Zhang
0fd3ed3b8b Add sepolicy for fastbootd
Also allow adb and fastboot to talk to recovery
through recovery_socket. This enables changing
between modes with usb commands.

Test: No selinux denials
Bug: 78793464
Change-Id: I1f97659736429fe961319c642f458c80f199ffb4
2018-08-14 20:21:36 +00:00
Tri Vo
dac2a4a3a4 Sepolicy for system suspend HAL.
Bug: 78888165
Test: device can boot with HAL running.
Change-Id: I3bf7c8203e038b892176c97ec006152a2904c7be
2018-08-13 17:26:34 -07:00
Tri Vo
fdbd851934 Merge "neverallow fwk access to /vendor" 2018-08-14 00:21:04 +00:00
Yifan Hong
29940d7a28 Merge "vold uses health filesystem HAL" 2018-08-13 21:43:02 +00:00
Treehugger Robot
ad3eb4e212 Merge "suppress some su related denials" 2018-08-13 19:18:24 +00:00
Nick Kralevich
690be8e80d suppress some su related denials
The su domain is always permissive. Operations which occur in this
domain should never be logged.

Addresses the following denials:

  type=1400 audit(0.0:864): avc: denied { module_load } for comm="insmod" path="/data/lcd.ko.gz" dev="sda21" ino=143150 scontext=u:r:su:s0 tcontext=u:object_r:system_data_file:s0 tclass=system permissive=1
  type=1400 audit(0.0:858): avc: denied { module_load } for comm="insmod" path="/vendor/lib/modules/lcd.ko" dev="sda9" ino=880 scontext=u:r:su:s0 tcontext=u:object_r:vendor_file:s0 tclass=system permissive=1
  type=1400 audit(0.0:37495): avc: denied { prog_run } for comm="ip6tables" scontext=u:r:su:s0 tcontext=u:r:bpfloader:s0 tclass=bpf permissive=1
  type=1400 audit(0.0:31): avc: denied { map_create } for comm="netd_unit_test" scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=bpf permissive=1
  type=1400 audit(0.0:32): avc: denied { map_read map_write } for comm="netd_unit_test" scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=bpf permissive=1

Test: policy compiles
Change-Id: I490c8566577fde64bdd0201bb8f9112ff6ac96d4
2018-08-13 10:56:49 -07:00
Nick Kralevich
bedfb22ab9 more mmaps
Linux kernel 4.14+ SELinux starts explicit map
permission check for file mmap operations. For backwards
compat, add mmap in more places where we explicitly
list out individual file permissions.

Test: policy compiles
Change-Id: Idc4ca53769f2e7aa12ed93ab27191ed92da37a3e
2018-08-13 10:37:56 -07:00
Tri Vo
44b7d5b80c neverallow fwk access to /vendor
This rule prevents adding further fwk->vendor access.
Left a TODO to clean up already existing access.

Bug: 37168747
Test: build sailfish, walleye policies
Change-Id: I5e61d0b94b81df228628dba5746e084f291a7904
2018-08-11 16:04:49 -07:00
Yifan Hong
fa5afa2afd vold uses health filesystem HAL
Bug: 111655771
Test: builds
Change-Id: I67850d910770109005b2243c628282ad638c88fb
2018-08-10 14:10:00 -07:00
Suren Baghdasaryan
c8ed855ede Selinux: Allow lmkd write access to sys.lmk. properties
Allow lmkd write access to sys.lmk. properties to be able to set
sys.lmk.minfree_levels.

Bug: 111521182
Test: getprop sys.lmk.minfree_levels returns value set by lmkd
Change-Id: I86ff11d75917966857d3a76876a56799bb92a5ad
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2018-08-10 20:05:46 +00:00
Yifan Hong
0814795c79 Add sepolicy for health filesystem HAL
Test: builds
Test: vts
Bug: 111655771
Change-Id: Iabad3d124bf476cb624addf7d7898e0c2894d550
2018-08-10 11:02:21 -07:00
Mathieu Chartier
291531ef46 Merge "Add missing pm.* properties in property_contexts" 2018-08-08 20:21:42 +00:00
Shibin George
d27b8612df Add missing pm.* properties in property_contexts
Certain pm.* properties, which are especially needed for
Go-targets, are not listed in property_contexts.
Init will not be able to set these properties on bootup
without the correct selinux contexts assigned to the
properties.

BUG: 111738816

Test: In selinux-enforcing mode, on bootup, these
      properties are now correctly set by init.

Change-Id: I6ea0fb229c93725e2987b1e021d5804a132d093d
2018-08-08 17:07:56 +00:00
Tri Vo
d98b728e9f Update comment on same_process_hal_file type.
Test: n/a
Change-Id: I929772fa36da6b96494d14cfa48b47dcc76cccd4
2018-08-08 17:03:03 +00:00
Treehugger Robot
ccfffe6e0d Merge "fs_mgr: add overlayfs handling for squashfs system filesystems" 2018-08-08 16:45:18 +00:00
Steven Moreland
75ba5a42f3 Merge "Fix type of ro.kernel.qemu: int -> bool" 2018-08-08 16:24:55 +00:00
Mark Salyzyn
9b398f3fb7 fs_mgr: add overlayfs handling for squashfs system filesystems
/cache/overlay directory in support of overlayfs mounts on userdebug
and eng devices.  Overlayfs in turn can be capable of supporting
adb remount for read-only or restricted-storage filesystems like
squashfs or right-sized (zero free space) system partitions
respectively.

Test: compile
Bug: 109821005
Bug: 110985612
Change-Id: I3ece03886db7cc97f864497cf93ec6c6c39bccd1
2018-08-08 07:33:10 -07:00
Nick Kralevich
f3eb985447 Remove legacy execmod access from API >= 26.
Text relocation support was removed from the linker for apps targeting
API >= 23. See
https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23

However, the security policy was not updated to remove the execmod
permission at that time, since we didn't have support for targeting
SELinux policies to API versions.

Remove execmod permissions for apps targeting API 26 or greater. The
linker support was removed, so it's pointless to keep around the SELinux
permissions.

Retain execmod support for apps targeting API 25 or lower. While in
theory we could remove support for API 23-25, that would involve the
introduction of a new SELinux domain (and the associated rule
explosion), which I would prefer to avoid.

This change helps protect application executable code from modification,
enforcing W^X properties on executable code pages loaded from files.
https://en.wikipedia.org/wiki/W%5EX

Test: auditallow rules were added and nothing triggered for apps
      targeting API >= 26. Code compiles and device boots.
Bug: 111544476

Change-Id: Iab9a0bd297411e99699e3651c110e57eb02a3a41
2018-08-08 01:39:09 +00:00
Tri Vo
dd253e9019 Add support for RS vendor executables.
/vendor/bin/bcc being a dependency of renderscript should be labeled as
same_process_hal_file. To facilitate that we relax neverallow rules for
executing same_process_hal_file from coredomain.

See details on /vendor/bin/bcc:
https://source.android.com/devices/architecture/vndk/renderscript

Bug: n/a
Test: build-time change
Change-Id: Ie996fb863090bf08b3d3ef653da827d0b22937d7
2018-08-07 23:05:08 +00:00
Steven Moreland
c8ba909117 Fix type of ro.kernel.qemu: int -> bool
Bug: N/A
Test: boot
Change-Id: I67e3554383977c3fb5e89f236838a9cb39fb257e
2018-08-07 14:03:56 -07:00
Nick Kralevich
bd3e300a13 Relax some neverallow rules
Kernels above 4.14 have a new mmap permission. However, neverallow rules
exclude the use of mmap, even when file FDs are passable across the
vendor/non-vendor boundary. Since we allow reading / writing of passed
file descriptors, also allow the use of mmap for passed file
descriptors.

Bug: 112171217
Test: policy compiles
Change-Id: I8176f86960bdff0cf5de770809510e9df5d62db9
2018-08-07 13:47:36 -07:00
Nick Kralevich
d90d001a78 Revert "Remove legacy execmod access."
This reverts commit 0f11ffccf9.

Reason for revert: libmono crashes

Bug: 112292089
Bug: 111544476
Test: policy compiles, device boots
Change-Id: I064090aa9337cf17b80cd2c9af9342df851a3b27
2018-08-07 17:03:07 +00:00
Nick Kralevich
fed2c09cfa Delete untrusted_v2_app
am: 41b21ee96a

Change-Id: I85087c37b7c575e9b50d7090d155281d4f7c4f74
2018-08-06 15:35:16 -07:00
Nick Kralevich
41b21ee96a Delete untrusted_v2_app
As of https://android-review.googlesource.com/c/platform/system/sepolicy/+/536356 ,
the untrusted_v2_app domain is no longer used.

Bug: 112233317
Test: policy compiles, device boots, and no problems
Change-Id: I5a47c8305bef374b7fea06cd789e06cd48b847e6
2018-08-06 12:52:37 -07:00
Joel Galenson
8b2c858053 Allow ephemeral_app to execute system_file.
(cherrypicked from commit f2afca7cf0)

Bug: 109653662
Test: Build policy.
Change-Id: I6c71a8bc24d7a144b801d16f1bcad31fb8f2aba5
Merged-In: I6c71a8bc24d7a144b801d16f1bcad31fb8f2aba5
2018-08-06 10:42:17 -07:00
Sudheer Shanka
19e85dfb68 Merge "Allow vold to mount at /mnt/user/.*"
am: c5601de4cd

Change-Id: Ie61645bd9b276f67e96ac7f823c1a1048a35ef8e
2018-08-03 16:10:04 -07:00
Sudheer Shanka
a2bacea876 Allow vold to mount at /mnt/user/.*
Bug: 111890351
Test: Device boots and no selinux denials when vold mounts
      at /mnt/user/.*

Change-Id: Id962a85af9f99c54421f0820a22880be36c2e478
2018-08-03 12:55:09 -07:00
Tom Cherry
09386d41a8 Move watchdogd out of init and into its own domain
am: d840374e65

Change-Id: I93264ded0479ab0e101d0449c2ff52b9a92e3d6e
2018-08-03 12:39:53 -07:00
Tom Cherry
d840374e65 Move watchdogd out of init and into its own domain
Bug: 73660730
Test: watchdogd still runs
Change-Id: I31697c7c6fa2f7009731ff48c659af051838e42f
2018-08-03 19:28:05 +00:00
Nick Kralevich
930614c7e6 Start partitioning off privapp_data_file from app_data_file
am: 23c9d91b46

Change-Id: Id99688b1e9b4d8d43eb1833904ac47c2796166ab
2018-08-02 21:27:57 -07:00
Nick Kralevich
23c9d91b46 Start partitioning off privapp_data_file from app_data_file
Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.

This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access to privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.

This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:

  -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
  +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user

For now, this newly introduced label has no usage, so this change
is essentially a no-op.

Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
      filesystem upgrade.

Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-02 16:29:02 -07:00
Tom Cherry
dada008159 Merge "Allow ueventd to insert modules"
am: b520169832

Change-Id: I03af3fbdecde072ab326ee47fd614f7340aeb908
2018-08-02 12:40:54 -07:00
Tom Cherry
b520169832 Merge "Allow ueventd to insert modules" 2018-08-02 19:22:35 +00:00
Alan Stokes
a8898820d6 Remove legacy execmod access.
am: 0f11ffccf9

Change-Id: I0f85ecb4a1dc6464becce64fb8539cd2f8e1a779
2018-08-02 06:59:12 -07:00
Alan Stokes
0f11ffccf9 Remove legacy execmod access.
Remove the exemptions for untrusted apps and broaden the neverallow so
they can't be reinstated. Modifying executable pages is unsafe. Text
relocations are not supported.

Bug: 111544476
Test: Builds.
Change-Id: Ibff4f34d916e000203e38574bb063513e4428bb7
2018-08-02 11:57:16 +01:00
Tom Cherry
13f118314c Merge "allow init to run fsck for early mount partitions"
am: 9c8d054639

Change-Id: I8976234923363b2d05f1369753a453b6077c06fb
2018-08-01 14:11:43 -07:00
Tom Cherry
9c8d054639 Merge "allow init to run fsck for early mount partitions" 2018-08-01 21:02:35 +00:00
Tom Cherry
52a80ac1f1 Allow ueventd to insert modules
avc:  denied  { sys_module } for comm="ueventd" capability=16 scontext=u:r:ueventd:s0 tcontext=u:r:ueventd:s0 tclass=capability
avc:  denied  { module_load } for  pid=581 comm="ueventd" path="/vendor/lib/modules/module.ko" dev="dm-2" ino=1381 scontext=u:r:ueventd:s0 tcontext=u:object_r:vendor_file:s0 tclass=system
avc:  denied  { search } for  pid=556 comm="ueventd" scontext=u:r:ueventd:s0 tcontext=u:r:kernel:s0 tclass=key

Bug: 111916071
Test: ueventd can insert modules
Change-Id: I2906495796c3655b5add19af8cf64458f753b891
2018-08-01 13:21:20 -07:00
Bowgo Tsai
7f16c35ed7 Merge "Allowing vold to search /mnt/vendor/*"
am: 209c9066f4

Change-Id: Ic09209f75efba3d76963411666df8bfbe9d7965f
2018-07-31 23:40:03 -07:00
Treehugger Robot
209c9066f4 Merge "Allowing vold to search /mnt/vendor/*" 2018-08-01 06:31:39 +00:00
Tom Cherry
47157353af allow init to run fsck for early mount partitions
Bug: 111883560
Test: fsck runs successfully during early mount
Change-Id: I697d0ab8ba51824d5c5062b48370a73438311566
2018-07-31 13:58:54 -07:00
Nick Kralevich
a343844dee Allow mmap for vendor_init
am: 99ceb07ec1

Change-Id: Idf1d381cee6ba9946b9185a7d5f4475303ad8062
2018-07-30 21:05:44 -07:00
Nick Kralevich
99ceb07ec1 Allow mmap for vendor_init
vendor_init needs to touch a bunch of files. Forgotten within this set
of permissions is the ability to mmap files.

Addresses the following denial:

  avc:  denied  { map } for  pid=1167 comm="init" path="/system/etc/selinux/plat_file_contexts" dev="vda1" ino=1845 scontext=u:r:vendor_init:s0 tcontext=u:object_r:file_contexts_file:s0 tclass=file permissive=0

While I'm here, add mmap() support to other areas where it's likely
needed.

Bug: 111742629
Test: make -j80, ran emulator
Change-Id: Icab00e45ae88f0d86be66d85a22e018af6ffcd75
2018-07-30 18:57:53 -07:00
Nick Kralevich
315f2fb260 Protect apps from ptrace by other system components
am: 84a42eadb2

Change-Id: Ib4e55bd3a56639c993314d3732b5dc406fbed0bd
2018-07-27 08:47:19 -07:00
Nick Kralevich
84a42eadb2 Protect apps from ptrace by other system components
The Android security model guarantees the confidentiality and integrity
of application data and execution state. Ptrace bypasses those
confidentiality guarantees. Disallow ptrace access from system components
to apps. Crash_dump is excluded, as it needs ptrace access to
produce stack traces.

Bug: 111317528
Test: code compiles
Change-Id: I883df49d3e9bca62952c3b33d1c691786dd7df4d
2018-07-25 23:49:30 -07:00
Bowgo Tsai
7b67a617dd Allowing vold to search /mnt/vendor/*
vold will trim rw mount points about daily, but it is denied by SELinux:

root   603   603 W Binder:603_2: type=1400 audit(0.0:11): avc: denied {
search } for name="vendor" dev="tmpfs" ino=23935 scontext=u:r:vold:s0
tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=0

Allowing vold to search /mnt/vendor/* to fix the denials.

Note that device-specific sepolicy needs to be extended to allow vold
to send FITRIM ioctl. e.g., for /mnt/vendor/persist, it needs:

    allow vold persist_file:dir { ioctl open read };

Bug: 111409607
Test: boot a device, check the above denial is gone
Change-Id: Ia9f22d973e5a2e295678781de49a0f61fccd9dad
2018-07-25 10:18:42 +08:00