This is a domain for the MediaProvider mainline module. The
MediaProvider process is responsible for managing external storage, and
as such should be able to have full read/write access to it. It also
hosts a FUSE filesystem that allows other apps to access said storage in
a safe way. Finally, it needs to call some ioctl's to set project quota
on the lower filesystem correctly.
Bug: 141595441
Test: builds, mediaprovider module gets the correct domain
Change-Id: I0d705148774a1bbb59c927e267a484cb5c44f548
/mnt/pass_through was introduced to allow the FUSE daemon unrestricted
access to the lower filesystem (or sdcardfs).
At zygote fork time, the FUSE daemon will have /mnt/pass_through/0
bind mounted to /storage instead of /mnt/user/0. To keep /sdcard
(symlink to /storage/self/primary) paths working, we create a
'self' directory with an additional 'primary' symlink to
/mnt/pass_through/0/emulated/0 which is a FUSE mount point.
The following components need varying sepolicy privileges:
Vold: Creates the self/primary symlink and mounts the lower filesystem
on /mnt/pass_through/0/emulated. So needs create_dir and mount access
+ create_file access for the symlink
zygote: In case zygote starts an app before vold sets up the paths.
This is unlikely but can happen if the FUSE daemon (a zygote forked app)
is started before system_server completes vold mounts.
Same sepolicy requirements as vold
installd: Needs to clear/destroy app data using lower filesystem
mounted on /mnt/pass_through so needs read_dir access to walk
/mnt/pass_through
priv_app (FUSE daemon): Needs to server content from the lower
filesystem mounted on /mnt/pass_through so needs read_dir access to
walk /mnt/pass_through
Bug: 135341433
Test: adb shell ls /mnt/pass_through/0/self/primary
Change-Id: I16e35b9007c2143282600c56adbc9468a1b7f240
Looking at go/sedenials, we see this permission being used by
MediaProvider once like so:
type=1400 audit(0.0:569759): avc: granted { getattr } for comm=4173796E635461736B202331 path="/proc/config.gz" dev="proc" ino=4026532157 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:config_gz:s0 tclass=file app=com.google.android.providers.media.module
This permission should not be granted to all priv-apps now that GMS core
has been split out into its own domain. This change removes the
permission for the priv_app domain and the corresponding auditallow.
Bug: 147833123
Test: TH
Change-Id: I4f60daefcbdd4991c5d2c32330e907a03bfe6fe5
The steps involved in setting up profiling and stack unwinding are
described in detail at go/perfetto-perf-android.
To summarize the interesting case: the daemon uses cpu-wide
perf_event_open, with userspace stack and register sampling on. For each
sample, it identifies whether the process is profileable, and obtains
the FDs for /proc/[pid]/{maps,mem} using a dedicated RT signal (with the
bionic signal handler handing over the FDs over a dedicated socket). It
then uses libunwindstack to unwind & symbolize the stacks, sending the
results to the central tracing daemon (traced).
This patch covers the app profiling use-cases. Splitting out the
"profile most things on debug builds" into a separate patch for easier
review.
Most of the exceptions in domain.te & coredomain.te come from the
"vendor_file_type" allow-rule. We want a subset of that (effectively all
libraries/executables), but I believe that in practice it's hard to use
just the specific subtypes, and we're better off allowing access to all
vendor_file_type files.
Bug: 137092007
Change-Id: I4aa482cfb3f9fb2fabf02e1dff92e2b5ce121a47
Looking at go/sedenials, we see this permission being used by
MediaProvider like so:
type=1400 audit(0.0:3651): avc: granted { getattr } for comm=4173796E635461736B202331 path="/sys/fs/selinux/class/tipc_socket/perms/recvfrom" dev="selinuxfs" ino=67111391 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:selinuxfs:s0 tclass=file app=com.google.android.providers.media.module
... and numerous other directories, apparently from a filesystem walk.
It appears that this permission should not be granted to all priv-apps
now that GMS core has been split out into its own domain. This change
removes the permission for the priv_app domain and the corresponding
auditallow.
Bug: 147833123
Test: TH
Change-Id: I88146785c7ac3a8c15fe9b5f34f05d936f08ea48
We added an auditallow for this permission on 12/17/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.
Bug: 147833123
Test: TH
Change-Id: I96f810a55e0eb8f3778aea9598f6437de0f65c7f
We added auditallows for these permissions on 12/16/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.
Bug: 147833123
Test: TH
Change-Id: I4789b29462ef561288aeaabbdb1e57271d5fcd2a
We added an auditallow for these permissions on 11/26/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.
Bug: 142672293
Test: TH
Change-Id: Ic2f68b3af861e0c00e2dea731c4d6b3255ab5175
We added an auditallow for these permissions on 12/11/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.
Bug: 142672293
Test: TH
Change-Id: Iaeaef560883b61644625b21e5c7095d4d9c68da9
We added an auditallow for these permissions on 11/26/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.
Bug: 142672293
Test: TH
Change-Id: I18f99f54385b7c4e7c2ae923eff4c76800323a73
We added an auditallow for these permissions on 11/26/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.
Bug: 142672293
Test: TH
Change-Id: I2a59cac8041646b548ba1a73fcd5fddabb4d1429
We added an auditallow for these permissions on 11/26/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.
Bug: 142672293
Test: TH
Change-Id: I554ace42852023521e94017b1e782b6a09129fdf
Looking at go/sedenials, we have learnt that other priv-apps rely on
this permission. The auditallow has served its purpose and can now be
removed.
Bug: 142672293
Test: TH
Change-Id: I9ba1cbfa9ae90ae64e78276e5c1a699aa2a7f864
More historical context in http://b/18504118
This also adds an auditallow to the same rule for priv_app, so we can
delete it once no logs show up in go/sedenials for this rule
triggering.
Bug: 142672293
Test: TH
Change-Id: I5729b89af83090e6e31c012c8acb0f0114c87d3d
This also adds an auditallow to the same rule for priv_app, so we can
delete it once no logs show up in go/sedenials for this rule
triggerring.
Bug: 142672293
Test: TH
Change-Id: I554e0cb00a53fd254c450c20e6c632e58472c3c8
This also adds an auditallow to the same rule for priv_app, so we can
delete it once no logs show up in go/sedenials for this rule
triggerring.
Bug: 142672293
Test: TH
Change-Id: I57f887e96d721ca69a7228df0a75515596776778
Mark tethering_service as app_api_service to allow applications to find
tethering service. Apps should able to use tethering service to
know tethering state if they have ACCESS_NETWORK_STATE permission, but
they may need privileged permission if they want to change tethering.
Bug: 144320246
Test: -build, flash, boot
-ON/OFF hotspot
Change-Id: Ie414618766144c4a4ad89c5cf03398a472638e71
Apps can cause selinux denials by accessing CE storage
and/or external storage. In either case, the selinux denial is
not the cause of the failure, but just a symptom that
storage isn't ready. Many apps handle the failure appropriately.
These denials are not helpful, are not the cause of a problem,
spam the logs, and cause presubmit flakes. Suppress them.
Bug: 145267097
Test: build
Change-Id: If87b9683e5694fced96a81747b1baf85ef6b2124
Looking at go/sedenials, we have learnt a lot of other priv-apps rely on
this permission. The auditallow has served its purpose and can now be
removed.
Bug: 142672293
Test: Treehugger
Change-Id: Iba81773b223d2bddbd32a0594c5aa01829252847
From go/sedenials, we see that com.android.vending needs this
permission. The auditallow was in place to see if any priv-apps other
than GMS core need this, and now we know.
Bug: 142672293
Test: Treehugger
Change-Id: Iad6caeb648bc23e85571b758a35649924cdeec69
This is needed to debug native crashes within the gmscore app.
Now that GMS core is running in gmscore_app and not in the priv_app
domain, we need this rule for the new domain. This also adds an
auditallow to the same rule for priv_app, so we can delete it once no
logs show up in go/sedenials for this rule triggerring.
Bug: 142672293
Test: TH
Change-Id: I7d28bb5df1a876d0092758aff321e62fa2979694
We've moved GMS core to its own domain, and these permissions should be
removed from the priv_app domain. This change adds auditallow to these
permissions so we know if it's safe to check if any other privapps are
relying on these.
Bug: 142672293
Test: Green builds
Change-Id: I35402f1166a0edf8e001d894413f470c090c7b57
This is needed to get Java heap graphs.
Test: flash aosp; profile system_server with setenforce 1
Bug: 136210868
Change-Id: I87dffdf28d09e6ce5f706782422510c615521ab3
Since this service no longer exists.
Fix: 80317992
Test: TH, codesearch.
Merged-In: I257c8cc3dba657d98f19eb61b36aae147afea393
Change-Id: I257c8cc3dba657d98f19eb61b36aae147afea393
and allow shell and system_app (Settings) to set it to enable Dynamic System Update.
Also allow priv_app (user of the API) to read it.
Bug: 119647479
Bug: 129060539
Test: run the following command on crosshatch-user:
adb shell setprop persist.sys.fflag.override.settings_dynamic_system 1
Change-Id: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
Merged-In: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
Previously we dumped the data into dropbox. This improves a couple
things:
- We write into dropbox via the fd, so dropbox doesn't pull from the
incidentd directory anymore.
- There is a new API to for priv apps to explicitly read incident
reports. That gives incidentd finer grained control over who can
read it (specifically, it only allows apps to access the incident
reports they requested, or were requested for them via statsd,
instead of getting DUMP and reading whatever they want from
dropbox).
Test: bit incident_test:* GtsIncidentManagerTestCases:*
Bug: 123543706
Change-Id: I9a323e372c4ff95d91419a61e8a20ea5a3a860a5
No semantic changes. Just trying to make this easier to understand:
- Separate out common bundles of services from individual services
(the naming doesn't make this obvious).
- Comment the common ones.
- Put related binder_call and service_manager:find rules together.
Test: Builds
Change-Id: Iba4a85a464da032e35450abff0febcdcf433df48
Allow all the app process with GUI to send GPU health metrics stats to
GpuService during the GraphicsEnvironment setup stage for the process.
Bug: 123529932
Test: Build, flash and boot. No selinux denials.
Change-Id: Ic7687dac3c8a3ea43fa744a6ae8a45716951c4df
Untrustworthy symlinks dereferenced by priv-apps could cause those apps
to access files they weren't intending to access. Trusted components
such as priv-apps should never trust untrustworthy symlinks from
untrusted apps.
Modify the rules and add a neverallow assertion to prevent regressions.
Bug: 123350324
Test: device boots and no obvious problems.
Change-Id: I8c4a5c9c8571fd29b2844b20b4fd1126db4128c0
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
system/sepolicy commit 23c9d91b46
introduced a new type called privapp_data_file. This type is used to
label priv-app's /home files. For backwards compatibility, priv-app
rules involving normal app_data_files were preserved. Subsequently,
system/sepolicy commit 5d1755194a
assigned the file label privapp_data_file to /home files owned
by priv-apps.
Because of the previous labeling of priv-app data files, priv-apps were
granted the ability to mmap(PROT_EXEC) any other app's /home files,
regardless of how trustworthy or untrustworthy those files were. Commit
23c9d91b46 preserved the status quo.
However, now that we have a more refined label for priv-app /home files,
we no longer need to be as permissive.
Drop the ability for priv-apps to map executable code from
untrusted_apps home directories. "execute" is removed in this change,
and "execute_no_trans" was previously removed in commit
8fb4cb8bc2. Add a neverallow assertion
(compile time assertion + CTS test) to prevent regressions.
Further clarify why we need to support priv-apps loading executable code
from their own home directories, at least for now. b/112037137 covers
further tightening we can do in this area.
Bug: 112357170
Test: Device boots and no problems.
Change-Id: Ia6a9eb4c2ed8a02ad45644d025181ba3c8424cda
Remove most of /proc/net access for priv_apps. Files in /proc/net leak
unique device identifiers and side channel information about other app's
network connections.
Access for most third party applications was removed in commit
d78e07cbb7. This change applies the same
constraints to priv-apps that we apply to normal apps.
Bug: 114475727
Bug: 9496886
Bug: 68016944
Test: policy compiles and device boots
Change-Id: I5c41ba57fcd6b81d72c4f3a40b310d2188fc79c3
What changed:
- Removed cgroup access from untrusted and priv apps.
- Settings app writes to /dev/stune/foreground/tasks, so system_app domain
retains access to cgroup.
- libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used
abundantly in native code. So added a blanket allow rule for (coredomain - apps)
to access cgroups.
- For now, only audit cgroup access from vendor domains. Ultimately, we want to
either constrain vendor access to individual domains or, even better, remove
vendor access and have platform manage cgroups exclusively.
Changes from original aosp/692189 which was reverted:
- There seem to be spurious denials from vendor-specific apps. So added
back access from { appdomain -all_untrusted_apps -priv_app } to cgroup.
Audit this access with intent to write explicit per-domain rules for it.
Bug: 110043362
Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates
/dev/memcg on a per app basis on a device that supports that.
Test: aosp_sailfish, wahoo boot without cgroup denials
This reverts commit cacea25ed0.
Change-Id: I05ab404f348a864e8409d811346c8a0bf49bc47a
This reverts commit 9899568f6c.
Reason for revert: Reports of high numbers of SELinux denials
showing up on the SELinux dashboard.
Bug: 110043362
Change-Id: Id8fc260c47ffd269ac2f15ff7dab668c959e3ab0
What changed:
- Removed cgroup access from untrusted and priv apps.
- Settings app writes to /dev/stune/foreground/tasks, so system_app domain
retains access to cgroup.
- libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used
abundantly in native code. So added a blanket allow rule for (coredomain - apps)
to access cgroups.
- For now, only audit cgroup access from vendor domains. Ultimately, we want to
either constrain vendor access to individual domains or, even better, remove
vendor access and have platform manage cgroups exclusively.
Bug: 110043362
Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates
/dev/memcg on a per app basis on a device that supports that.
Test: aosp_sailfish, wahoo boot without cgroup denials
Change-Id: I9e441b26792f1edb1663c660bcff422ec7a6332b
In the next Android release, there will be devices that have no
xt_qtaguid module at all and framework and netd will decide which code
path it takes for trafficStats depending on the device setup. So all
apps and services should not depend on this device specific
implementation anymore and use public API for the data they need.
Bug: 114475331
Bug: 79938294
Test: QtaguidPermissionTest
Change-Id: I0d37b2df23782eefa2e8977c6cdbf9210db3e0d2
