Commit graph

30 commits

Author SHA1 Message Date
Rubin Xu
0c8286fe74 SELinux rule for ro.device_owner and persist.logd.security
They are introduced for the device owner process logging feature.
That is, for enterprise-owned devices with device owner app provisioned,
the device owner may choose to turn on additional device-wide logging for
auditing and intrusion detection purposes. Logging includes histories of
app process startup, commands issued over ADB and lockscreen unlocking
attempts. These logs will available to the device owner for analysis,
potentially shipped to a remote server if it chooses to.

ro.device_owner will be a master switch to turn off logging, if the device
has no device owner provisioned. persist.logd.security is a switch that
device owner can toggle (via DevicePoliyManager) to enable/disable logging.
Writing to both properties should be only allowed by the system server.

Bug: 22860162
Change-Id: Iabfe2347b094914813b9d6e0c808877c25ccd038
2016-01-19 15:27:03 +00:00
Nick Kralevich
f01453ad45 Remove core_property_type from ctl_* properties
Per https://android-review.googlesource.com/185392 , ctl.* properties
are not represented as files in the filesystem. So there's no need
to grant read access to them, since it's pointless.

Remove core_property_type from these properties, which has the net
effect of removing read access to these non-existent files.

Change-Id: Ic1ca574668a3511c335a7036a2bb7993ff02c1e3
2015-12-09 08:47:02 -08:00
Nick Kralevich
5a570a4b6b Remove property read access for non-core properties
Instead of allowing global read access to all properties,
only allow read access to the properties which are part of
core SELinux policy. Device-specific policies are no longer
readable by default and need to be granted in device-specific
policy.

Grant read-access to any property where the person has write
access. In most cases, anyone who wants to write a property
needs read access to that property.

Change-Id: I2bd24583067b79f31b3bb0940b4c07fc33d09918
2015-12-08 14:47:04 -08:00
Felipe Leme
83fd8a54f5 Increase communication surface between dumpstate and Shell:
- Add a new 'dumpstate' context for system properties. This context
  will be used to share state between dumpstate and Shell. For example,
  as dumpstate progresses, it will update a system property, which Shell
  will use to display the progress in the UI as a system
  notification. The user could also rename the bugreport file, in which
  case Shell would use another system property to communicate such
  change to dumpstate.
- Allow Shell to call 'ctl.bugreport stop' so the same system
  notification can be used to stop dumpstate.

BUG: 25794470

Change-Id: I74b80bda07292a91358f2eea9eb8444caabc5895
2015-12-04 14:08:28 -08:00
Tom Cherry
949d7cbc29 Support fine grain read access control for properties
Properties are now broken up from a single /dev/__properties__ file into
multiple files, one per property label.  This commit provides the
mechanism to control read access to each of these files and therefore
sets of properties.

This allows full access for all domains to each of these new property
files to match the current permissions of /dev/__properties__.  Future
commits will restrict the access.

Bug: 21852512

Change-Id: Ie9e43968acc7ac3b88e354a0bdfac75b8a710094
2015-12-03 14:06:10 -08:00
Yasuhiro Matsuda
436be43107 am 3d328179: Add SELinux settings to support tracing during boot.
* commit '3d328179a17364e7bde6c496b6e99fb6601176f6':
  Add SELinux settings to support tracing during boot.
2015-07-30 08:05:41 +00:00
Yasuhiro Matsuda
3d328179a1 Add SELinux settings to support tracing during boot.
This CL adds the SELinux settings required to support tracing
during boot.
https://android-review.googlesource.com/#/c/157163/

BUG: 21739901
Change-Id: Ib3a7107776141ac8cf4f1ca06674f47a0d4b6ae0
2015-07-30 14:34:41 +09:00
Jeff Sharkey
7617cd48b7 New "selinux.restorecon" control property.
This new property is used as a control verb for running a recursive
restorecon at the path contained in the property value.

Defines a new label and grants access to vold, which invokes it when
mounting private adopted volumes.

Bug: 21121357
Change-Id: I8ff12a146e54a505aa5b43a542578891563d647a
2015-06-09 13:39:04 -07:00
Jeff Vander Stoep
8b015f9df4 Create context for ctl.console
(cherry picked from commit c2e31a7782)

Change-Id: I92218709fa8cdb71c0369aca8fdd7922df45f7d0
2015-04-24 14:47:31 -07:00
Jeff Vander Stoep
c2e31a7782 Create context for ctl.console
Change-Id: I1c9fa4da442aa47ae4b7341eab6f788f0329d2d2
2015-04-24 14:39:16 -07:00
Jeffrey Vander Stoep
eb9536488c Revert "Create context for ctl.console"
This reverts commit bbd56b71ce.

Change-Id: I3e295f785aa62de3a04b2f201be97dd7ef0c207f
2015-04-24 21:05:46 +00:00
Jeff Vander Stoep
bbd56b71ce Create context for ctl.console
Change-Id: I9ba4952230ec1b811b8ec6cd19c0286ee791bf08
2015-04-24 20:32:46 +00:00
Nick Kralevich
caefbd71c5 allow adbd to set sys.usb.ffs.ready
Needed for https://android-review.googlesource.com/147730

Change-Id: Iceb87f210e4c5d0f39426cc6c96a216a4644eaa9
2015-04-23 19:45:21 -07:00
Sami Tolvanen
9f0682dc50 Revert "Allow ueventd to set verity.* properties"
Updating properties from ueventd may lead to deadlocks with init in rare
cases, which makes these changes unnecessary after all.

This reverts commit 47cd53a558.

Change-Id: I87bdd66f0ec025eb3a9ea17574a67e908f3de6da
2015-02-27 22:18:01 +00:00
Sami Tolvanen
47cd53a558 Allow ueventd to set verity.* properties
On dm-verity errors, we catch uevents in ueventd and set the value
for a matching verity.* property. Allow ueventd to actually change
property values.

Needed by changes from
  Ibb82953594d234f81ad21c40f524190b88e4ac8f

Change-Id: I79bc90733edf8a45b27e64795f4adfbb3bc028dc
2015-02-18 13:56:06 +00:00
Nick Kralevich
c48971f69f allow system_server to set ro.build.fingerprint
Some devices leave "ro.build.fingerprint" undefined at build time,
since they need to build it from the components at runtime.
See 5568772e81
for details.

Allow system_server to set ro.build.fingerprint

Addresses the following denial/error:

  avc:  denied  { set } for property=build.fingerprint scontext=u:r:system_server:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
  init: sys_prop: permission denied uid:1000  name:ro.build.fingerprint

Bug: 18188956
Change-Id: I98b25773904a7be3e3d2926daa82c1d08f9bcc29
2014-11-18 22:44:31 +00:00
Stephen Smalley
54e9bc4514 Dependencies for new goldfish service domains.
In order to support the new goldfish service domains in
a change with the same Change-Id for the build project, we need
the following changes in external/sepolicy:
- /system/bin/logcat needs its own type so that it can be used as an
entrypoint for the goldfish-logcat service.  A neverallow rule prevents
us from allowing entrypoint to any type not in exec_type.
- The config. and dalvik. property namespaces need to be labeled
with something other than default_prop so that the qemu-props
service can set them.  A neverallow rule prevents us from allowing
qemu-props to set default_prop.

We allow rx_file_perms to logcat_exec for any domain that
was previously allowed read_logd() as many programs will read
the logs by running logcat.  We do not do this for all domains
as it would violate a neverallow rule on the kernel domain executing
any file without transitioning to another domain, and as we ultimately
want to apply the same restriction to the init domain (and possibly others).

Change-Id: Idce1fb5ed9680af84788ae69a5ace684c6663974
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-27 17:19:39 -07:00
Martijn Coenen
9ac7df2280 Allow NFC to read/write nfc. system properties.
(cherry pick of commit 05383ebfb4)

Bug: 17298769
Change-Id: I1994ff9f9da9b13249099f6c9bcec88dcdc2bb97
2014-09-26 13:57:02 -07:00
Stephen Smalley
fee49159e7 Align SELinux property policy with init property_perms.
Introduce a net_radio_prop type for net. properties that can be
set by radio or system.
Introduce a system_radio_prop type for sys. properties that can be
set by radio or system.
Introduce a dhcp_prop type for properties that can be set by dhcp or system.
Drop the rild_prop vs radio_prop distinction; this was an early
experiment to see if we could separate properties settable by rild
versus other radio UID processes but it did not pan out.

Remove the ability to set properties from unconfineddomain.
Allow init to set any property.  Allow recovery to set ctl_default_prop
to restart adbd.

Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-23 15:45:55 -04:00
Paul Jensen
97a2cfdf66 Allow Bluetooth app to initiate DHCP service on bt-pan interface.
bug:15407087
Change-Id: I3dea9c1110583f11f093d048455a1cc739d05658
2014-06-19 02:49:37 +00:00
Mark Salyzyn
9e7bbf61de selinux: logd Development settings
- logd Development Settings failed to access persist.logd.size

Change-Id: I0732b44fcbffbf3c187bcb23df2db807fa3e8fde
2014-06-12 13:08:13 -07:00
Robert Craig
4b3893f90b Replace ctl_default_prop access with explicit service property keys.
The ctl_default_prop label is a bit too generic for some
of the priveleged domains when describing access rights.
Instead, be explicit about which services are being started
and stopped by introducing new ctl property keys.

Change-Id: I1d0c6f6b3e8bd63da30bd6c7b084da44f063246a
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-03-25 13:36:50 -04:00
Stephen Smalley
1c0c010261 Allow system_app to start bugreport and to create /data/anr/traces.txt.
Resolves denials such as:

avc:  denied  { set } for property =ctl.bugreport scontext=u:r:system_app:s0 tcontext=u:object_r:ctl_default_prop:s0 tclass=property_service

avc:  denied  { write } for  pid=4415 comm=5369676E616C2043617463686572 name="anr" dev="dm-0" ino=358337 scontext=u:r:system_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=dir

avc:  denied  { add_name } for  pid=4415 comm=5369676E616C2043617463686572 name="traces.txt" scontext=u:r:system_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=dir

avc:  denied  { create } for  pid=4415 comm=5369676E616C2043617463686572 name="traces.txt" scontext=u:r:system_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file

Change-Id: I71d0ede049136d72f28bdc85d52fcefa2f7d128f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-11 12:12:14 +00:00
Nick Kralevich
116a20fdb6 debuggerd: Allow "debug.db.uid" usage
Allow the use of debug.db.uid on userdebug / eng builds.
Setting this property allows debuggerd to suspend a process
if it detects a crash.

Make debug.db.uid only accessible to the su domain. This should
not be used on a user build.

Only support reading user input on userdebug / eng builds.

Steps to reproduce with the "crasher" program:

  adb root
  adb shell setprop debug.db.uid 20000
  mmm system/core/debuggerd
  adb sync
  adb shell crasher

Addresses the following denials:

<5>[  580.637442] type=1400 audit(1392412124.612:149): avc:  denied  { read } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[  580.637589] type=1400 audit(1392412124.612:150): avc:  denied  { open } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[  580.637706] type=1400 audit(1392412124.612:151): avc:  denied  { read write } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[  580.637823] type=1400 audit(1392412124.612:152): avc:  denied  { open } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[  580.637958] type=1400 audit(1392412124.612:153): avc:  denied  { ioctl } for  pid=182 comm="debuggerd" path="/dev/input/event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file

Bug: 12532622
Change-Id: I63486edb73efb1ca12e9eb1994ac9e389251a3f1
2014-02-18 15:00:40 -08:00
Nick Kralevich
dd1ec6d557 Give system_server / system_app ability to write some properties
Allow writing to persist.sys and debug.

This addresses the following denials (which are actually being enforced):

<4>[  131.700473] avc:  denied  { set } for property=debug.force_rtl scontext=u:r:system_server:s0 tcontext=u:object_r:shell_prop:s0 tclass=property_service
<3>[  131.700625] init: sys_prop: permission denied uid:1000  name:debug.force_rtl
<4>[  132.630062] avc:  denied  { set } for property=persist.sys.dalvik.vm.lib scontext=u:r:system_app:s0 tcontext=u:object_r:system_prop:s0 tclass=property_service
<3>[  132.630184] init: sys_prop: permission denied uid:1000  name:persist.sys.dalvik.vm.lib

Change-Id: I5d114c0d963bf393f49f1bf13d1ed84137fbcca6
2013-11-01 10:45:03 -07:00
Nick Kralevich
7914a47f05 Enable SELinux on vold
This change enables SELinux security enforcement on vold.

For the vold.te file ONLY, this change is conceptually a revert of
77d4731e9d and
50e37b93ac, with the following
additional changes:

1) Removal of "allow vold proc:file write;" and
"allow vold self:capability { sys_boot };". As of system/vold
change adfba3626e76c1931649634275d241b226cd1b9a, vold no longer
performs it's own reboots, so these capabilities are no longer
needed.

2) Addition of the powerctl property, which vold contacts to
tell init to reboot.

3) Removal of "allow vold kernel:system module_request;". As of
CTS commit f2cfdf5c057140d9442fcfeb4e4a648e8258b659, Android
devices no longer ship with loadable modules, hence we don't
require this rule.

4) Removal of "fsetid" from "self:capability". Any setuid / setgid
bits SHOULD be cleared if vold is able to change the permissions
of files. IMHO, it was a mistake to ever include this capability in
the first place.

Testing: As much as possible, I've tested filesystem related
functionality, including factory reset and device encryption.
I wasn't able to test fstrim functionality, which is a fairly
new feature.  I didn't see any policy denials in dmesg. It's quite
possible I've missed something. If we experience problems, I
happy to roll back this change.

Bug: 9629920
Change-Id: I683afa0dffe9f28952287bfdb7ee4e0423c2e97a
2013-06-28 20:41:16 -07:00
Alex Klyubin
3123b1eef7 SELinux policy for Bluetooth properties.
Properties under bluetooth. and persist.service.bdroid. are
considered Bluetooth-related properties.

Change-Id: Iee937d9a1184c2494deec46f9ed7090c643acda7
2013-05-06 10:18:27 -07:00
William Roberts
9e70c8bf68 Move policy files
Update the file_contexts for the new location of
the policy files, as well as update the policy
for the management of these types.

Change-Id: Idc475901ed437efb325807897e620904f4ff03e9
2013-03-22 10:42:10 -07:00
William Roberts
e2ad318e45 Label persist audio properties
label all persist.audio.* properties
and allow mediaserver access to them.

Change-Id: If5755d9783dce298e66a25bcb7f17ff17bd83ea7
2012-11-28 12:15:02 -08:00
Stephen Smalley
124720a697 Add policy for property service.
New property_contexts file for property selabel backend.
New property.te file with property type declarations.
New property_service security class and set permission.
Allow rules for setting properties.
2012-04-04 10:11:16 -04:00