Commit graph

16948 commits

Author SHA1 Message Date
Nick Kralevich
9d8f7eac8a sgdisk: allow BLKRRPART
Allow sgdisk to force the kernel to re-read the partition table.

Addresses the following denial:

avc: denied { ioctl } for path=/dev/block/vold/disk:7,0 dev=tmpfs ino=710640 ioctlcmd=125f scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0

Bug: 118890056
Test: policy compiles
Test:
  1) adb shell sm set-force-adoptable on
  2) adb shell sm set-virtual-disk true
  3) On device, pick the drop-down notification and
     choose "use as phone/internal storage" to adopt the virtual SD card.
Change-Id: I6825cf526cc48aa2a17afab14eadb6134bfc56f9
2018-11-02 14:26:23 -07:00
Treehugger Robot
5c48444346 Merge "Update access_vectors" 2018-11-02 19:46:37 +00:00
Nick Kralevich
ced51ddd7c Merge "tun_device: enforce ioctl restrictions" 2018-11-02 12:21:04 +00:00
Jiyong Park
b3b94614f7 apexd exports its status via sysprop
A sysprop apexd.status is set by apexd, to that other components (i.e.
init) can determine whether APEXs are all successfully mounted or no
(i.e., being mounted).

The sysprop is only writable by apexd.

Bug: 117403679
Test: adb shell getprop apexd.status returns 'ready'.
Change-Id: I81bcb96e6c5cb9d899f29ffa84f91eab3820be25
2018-11-02 12:23:42 +09:00
Nick Kralevich
ea1775dcb5 Update access_vectors
Update access_vectors to support newer kernel functionality.
This change does not grant any new access.

Inspired by the following refpolicy commits:
* 25a5b24274
* 109ab3296b
* 437e48ac53

Bug: 118843234
Test: policy compiles
Change-Id: I7c5a8dcf288dc2321adcf368bd0c0573c5257202
2018-11-01 19:53:50 -07:00
Treehugger Robot
5152fc884f Merge "Don't check PRODUCT_SHIPPING_API_LEVEL to determine fake treble." 2018-11-01 22:24:43 +00:00
Treehugger Robot
f0dc5eae56 Merge "sgdisk: add blk_file ioctls" 2018-11-01 20:12:58 +00:00
Nick Kralevich
619c1ef2ac tun_device: enforce ioctl restrictions
Require all SELinux domains which have permission to perform ioctls on
/dev/tun explicitly specify what ioctls they perform. Only allow the
safe defaults FIOCLEX and FIONCLEX, which are alternate, uncommon ways
to set and unset the O_CLOEXEC flag.

Remove app's ability to issue *any* ioctls on /dev/tun, period. Add
neverallow assertions (compile time assertion + CTS test) to prevent
regressions.

Limit system_server's ability to perform ioctls on /dev/tun to FIOCLEX,
FIONCLEX, TUNGETIFF, and TUNSETIFF. Testing and source code examination
shows that only TUNGETIFF and TUNSETIFF are used by system_server.

The goal of this change is to put SELinux ioctl controls in place for
/dev/tun, so we don't have to maintain the custom kernel patch at
11cee2be0c%5E%21

Delete the neverallow assertion in isolated_app.te. This is already
covered by the assertion present in app_neverallows.te.

Test: cts-tradefed run cts -m CtsHostsideNetworkTests -t com.android.cts.net.HostsideVpnTests
Test: cts-tradefed run cts -m CtsHostsideNetworkTests
Test: cts-tradefed run cts -m CtsNetTestCases
Bug: 111560739
Bug: 111560570
Change-Id: Ibe1c3a9e880db0bee438535554abdbc6d84eec45
2018-11-01 12:13:27 -07:00
Treehugger Robot
691ee93921 Merge "sepolicy for server configurable flags" 2018-11-01 18:46:52 +00:00
Tri Vo
0d23383759 Don't check PRODUCT_SHIPPING_API_LEVEL to determine fake treble.
Emulator device can not be considered a full treble device even though
it has PRODUCT_SHIPPING_API_LEVEL = 28. This is prevents us from merging
neverallow rules that implement Treble requirements (aosp/798433). As a
temporary workaround, disable the checks on that variable.

Bug: 112933807
Bug: 113124961
Bug: 111243627
Test: m selinux_policy
Change-Id: I9a29c01dfcbc70e4ba1e4eef233355bc18ec2108
2018-11-01 10:04:32 -07:00
Nick Kralevich
79d36513cc sgdisk: add blk_file ioctls
Add support for the HDIO_GETGEO and BLKGETSIZE ioctls when operating on
/dev/block/vold/ block devices.

HDIO_GETGEO is needed by the sgdisk code to get the number of heads on
the disk drive, likely a side effect of the age of this code.
646af625ce/diskio-unix.cc (193)

Addresses the following denial:
  audit(0.0:1775): avc: denied { ioctl } for comm="sgdisk" path="/dev/block/vold/disk:8,96" dev="tmpfs" ino=10740855 ioctlcmd=0x301 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0

BLKGETSIZE is used to determine the size of the block device. Ideally
code should not be using this ioctl, as it fails for devices >= 2T in
size. Technically we don't need to grant this, as the sgdisk code will
fall back to using BLKGETSIZE64 if BLKGETSIZE fails.
646af625ce/diskio-unix.cc (430)

Addresses the following denial:
  audit(0.0:1778): avc: denied { ioctl } for comm="sgdisk" path="/dev/block/vold/disk:8,96" dev="tmpfs" ino=10740855 ioctlcmd=0x1260 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0

Test: policy compiles.
Change-Id: Iaa5274721e8a7d1741591570e9e5305723aad640
2018-11-01 08:23:00 -07:00
Mark Salyzyn
33442f57e7 fastboot: /mnt/scratch refined access on userdebug
Already has permissions to remove the scratch partition, but to allow
more refined cleansing (eg: just remove vendor override), need the
ability to mount and scrub overlay directories.

Test: manual
Bug: 117605276
Change-Id: Ibc272c0aa7ce207280023912f5f119ccf5079a7f
2018-11-01 14:57:01 +00:00
Minchan Kim
96c6d14c85 Merge "export init.svc.bugreport" 2018-11-01 04:35:27 +00:00
Hongyi Zhang
a6f989241b sepolicy for server configurable flags
Test: manual on device
Change-Id: Ibafe1b345489c88a49a7ed3e2e61e5cc5e1880a1
2018-11-01 03:28:56 +00:00
Treehugger Robot
f1a856e63d Merge "Reland "Default undefined PRODUCT_SHIPPING_API_LEVEL to fake treble"" 2018-11-01 00:55:55 +00:00
Minchan Kim
fac9bc0a62 export init.svc.bugreport
Vendor need to hook bugreport propery as well as dumpstatez.
This CL exports it.

Test: Confirmed verndor can get property trigger hook manually
Bug: 118718191
Change-Id: I64a0e38716fb863ccd8923c6c41a776ea341f2d1
Signed-off-by: Minchan Kim <minchan@google.com>
2018-11-01 09:32:33 +09:00
Treehugger Robot
b4afdea892 Merge "isolated_app: add mmaps" 2018-10-31 22:55:33 +00:00
David Anderson
16572cca61 Merge "Allow BLKIOMIN and BLKALIGNOFF ioctls to the super device in fastbootd." 2018-10-31 21:33:26 +00:00
Nick Kralevich
00252207f8 isolated_app: add mmaps
Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap")
added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation). system/sepolicy commit
4397f08288 introduced the permission to
Android and updated common macros. Since then, we've been adding more
mmap support where it was accidentally omitted.

Add the ability for isolated_apps to mmap() app data files. There's no
reason why this should be blocked. Also fixup sdcard access which has
similar problems.

Bug: 118760652
Bug: https://crbug.com/892014
Test: policy compiles.
Change-Id: I3823f313103c9dcedf3b21d081a22f8fbb271c02
2018-10-31 12:55:01 -07:00
Nick Kralevich
caf42d615d Transient SELinux domain for system_server JIT
Create a transient SELinux domain where system_server can perform
certain JIT setup. The idea is that system_server will start in the
system_server_startup domain, setup certain JIT pages, then perform a
one-way transition into the system_server domain. From that point,
further JITing operations are disallowed.

Bug: 62356545
Test: device boots, no permission errors
Change-Id: Ic55b2cc5aba420ebcf62736622e08881a4779004
2018-10-31 12:32:01 +00:00
Treehugger Robot
29db0ebf3d Merge "Revert "Enforce execve() restrictions for API > 28"" 2018-10-31 09:31:02 +00:00
Nick Kralevich
15d1a12f7f Revert "Enforce execve() restrictions for API > 28"
This reverts commit 0dd738d810.

Reason for revert: CtsSimpleperfTestCases CTS test case failures.
See b/118704604 for details.

Bug: 112357170
Bug: 118704604
Change-Id: Ibe921f3bbc3404694542ef695883c1a30777d68b
2018-10-31 03:40:13 +00:00
David Anderson
bf0bf05a0c Allow BLKIOMIN and BLKALIGNOFF ioctls to the super device in fastbootd.
These ioctls are similar to BLKGETSIZE64; they return benign information
about the partition's alignment, and are used by liblp to optimally
align dynamic partition extents.

The system_block_device is included here because on retrofit devices,
the "super" partition is mapped to the system partition.

Bug: 116802789
Test: fastboot flashall
Change-Id: I38282904828105cf5f16ce9d4b5884d2b0e89d38
2018-10-30 15:44:03 -07:00
Tri Vo
9087b77517 Reland "Default undefined PRODUCT_SHIPPING_API_LEVEL to fake treble"
This is a temporary measure to disable treble sepolicy tests for
non-compliant targets.

Bug: 113124961
Bug: 111243627
Change-Id: I83d6efad0ff5c7d87a4b990560c390b66aeb3653
Test: m selinux_policy
2018-10-30 21:09:41 +00:00
Wei Wang
18f5431223 Merge "Revert "Default undefined PRODUCT_SHIPPING_API_LEVEL to fake treble"" 2018-10-30 21:08:02 +00:00
Wei Wang
9c91bbaa45 Revert "Default undefined PRODUCT_SHIPPING_API_LEVEL to fake treble"
This reverts commit 8844f28a75.

Reason for revert: break build

Change-Id: I853d31465ac7953d2f9c3ee2b0d2ea85a0db621d
2018-10-30 20:27:30 +00:00
Tri Vo
3ce25d1acc Merge "Default undefined PRODUCT_SHIPPING_API_LEVEL to fake treble" 2018-10-30 18:27:47 +00:00
Nick Kralevich
c4cf98605d Revert "SELinux changes for AppFuse"
This reverts commit 67ed4328eb.

Reason for revert: Broken CTS test. See b/118642091

Bug: 118642091
Bug: 110379912
Change-Id: I5afd16bf23149c74f2740720cdd248a255ff1497
2018-10-30 03:30:55 +00:00
Treehugger Robot
581e6c471c Merge "Enforce execve() restrictions for API > 28" 2018-10-29 21:07:36 +00:00
Treehugger Robot
a94e6e5109 Merge "drop priv_app app_data_file:file execute;" 2018-10-29 18:18:47 +00:00
Nick Kralevich
0dd738d810 Enforce execve() restrictions for API > 28
untrusted_app: Remove the ability to run execve() on files within an
application's home directory. Executing code from a writable /home
directory is a W^X violation (https://en.wikipedia.org/wiki/W%5EX).
Additionally, loading code from application home directories violates a
security requirement that all executable code mapped into memory must
come from signed sources, or be derived from signed sources.

Note: this change does *not* remove the ability to load executable code
through other mechanisms, such as mmap(PROT_EXEC) of a file descriptor
from the app's home directory. In particular, functionality like
dlopen() on files in an app's home directory continues to work even
after this change.

untrusted_app_25 and untrusted_app_27: For backwards compatibility,
continue to allow these domains to execve() files from the
application's home directory.

seapp_contexts: Bump the minimum API level required to enter the
untrusted_app domain. This will run API level 27-28 processes in
the API level 27 sandbox. API level 28 will continue to run with
levelFrom=all, and API level 27 will continue to run with
levelFrom=user.

Bug: 112357170
Test: Device boots and no obvious problems.
Test: See CTS test at https://android-review.googlesource.com/c/platform/cts/+/804228
Change-Id: Ief9ae3a227d16ab5792f43bacbb577c1e70185a0
2018-10-29 09:24:09 -07:00
Jeff Sharkey
f2cad2d92b vold does more than LOOP_GET_STATUS64.
Update the "allowxperm" to reflect the various ioctl() performed in
the vold source code.

Bug: 118437832
Test: atest android.os.storage.cts.StorageManagerTest
Change-Id: Ide3a09104d8b4ce7fa2b7e23e9b215139186f595
2018-10-27 16:56:55 -06:00
Nick Kralevich
e1ddd741de drop priv_app app_data_file:file execute;
system/sepolicy commit 23c9d91b46
introduced a new type called privapp_data_file. This type is used to
label priv-app's /home files. For backwards compatibility, priv-app
rules involving normal app_data_files were preserved. Subsequently,
system/sepolicy commit 5d1755194a
assigned the file label privapp_data_file to /home files owned
by priv-apps.

Because of the previous labeling of priv-app data files, priv-apps were
granted the ability to mmap(PROT_EXEC) any other app's /home files,
regardless of how trustworthy or untrustworthy those files were. Commit
23c9d91b46 preserved the status quo.
However, now that we have a more refined label for priv-app /home files,
we no longer need to be as permissive.

Drop the ability for priv-apps to map executable code from
untrusted_apps home directories. "execute" is removed in this change,
and "execute_no_trans" was previously removed in commit
8fb4cb8bc2. Add a neverallow assertion
(compile time assertion + CTS test) to prevent regressions.

Further clarify why we need to support priv-apps loading executable code
from their own home directories, at least for now. b/112037137 covers
further tightening we can do in this area.

Bug: 112357170
Test: Device boots and no problems.
Change-Id: Ia6a9eb4c2ed8a02ad45644d025181ba3c8424cda
2018-10-27 15:20:38 -07:00
Treehugger Robot
de8dfc752c Merge "Switch to r_file_perms" 2018-10-26 22:51:47 +00:00
Nick Kralevich
0bfa7b5385 Switch to r_file_perms
The current rule is missing mmap. r_file_perm implicitly adds mmap, so
we should just use that instead.

Test: policy compiles.
Change-Id: I4051d1eb4c36a2b6ff2b5f26ce53355287cbe2b4
2018-10-26 13:25:51 -07:00
Risan
67ed4328eb SELinux changes for AppFuse
We are moving AppFuse mount from system_server's mount namespace to
vold. Hence, we could reduce the SELinux permissions given to
system_server, in the expense of adding allow rules to vold and
letting appdomain have access to vold's fd.

Bug: 110379912
Test: testOpenProxyFileDescriptor passes (after vold and
system_server code changes)

Change-Id: I4731a8ec846c5cb84ec4b680d51938494e8ddd75
2018-10-26 19:45:50 +00:00
Tri Vo
3eae9de2e8 Merge "same_process_hal_file: access to individual coredomains" 2018-10-26 18:03:13 +00:00
Tri Vo
90cf5a7fb3 same_process_hal_file: access to individual coredomains
Remove blanket coredomain access to same_process_hal_file in favor of
granular access. This change takes into account audits from go/sedenials
(our internal dogfood program)

Bug: 37211678
Test: m selinux_policy
Change-Id: I5634fb65c72d13007e40c131a600585a05b8c4b5
2018-10-26 18:03:01 +00:00
Tri Vo
5292449e3d Merge "Don't label /dev/tegra.* from core policy" 2018-10-26 18:02:30 +00:00
Jiyong Park
173a1d9add Allow apexd more ioctl cmds for loop devices
apexd is using following additional ioctl cmds to mount the mini
filesystem inside APEXs:

 LOOP_SET_STATUS64
 LOOP_SET_FD
 LOOP_SET_BLOCK_SIZE
 LOOP_SET_DIRECT_IO
 LOOP_CLR_FD

Test: m; m apex.test; adb push <the_built_apex> /data/apex; adb reboot

/apex/com.android.example.apex exists

Change-Id: I68388cc4f323e4fcff370c8cdc0958cbd827e9cc
2018-10-26 21:33:29 +09:00
Tri Vo
2ea956c03b Don't label /dev/tegra.* from core policy
/dev/tegra.* is not used in android platform and is device-specific

Bug: 110962171
Test: boot walleye
Change-Id: I4cc790d28457b429a3ed9829de223dae357eb498
2018-10-26 02:33:51 +00:00
Tri Vo
8844f28a75 Default undefined PRODUCT_SHIPPING_API_LEVEL to fake treble
This is a temporary measure to disable treble sepolicy tests for
non-compliant targets.

Bug: 113124961
Bug: 111243627
Test: m selinux_policy
Change-Id: I291b7cc3c8c07b838f1ea22e55550c42c5083d8f
2018-10-25 17:21:13 -07:00
Jiwen 'Steve' Cai
d5c5ef900c Sepolicy for bufferhub hwservice
Bug: 118124442
Test: device can boot with android.frameworks.bufferhub@1.0-service
      running
Change-Id: I1d186d5350671b0d2dd4e831429b8fba828316e0
2018-10-25 10:08:05 -07:00
Anton Hansson
564eb9d6d6 Merge "Properly escape dots in file_contexts filenames" 2018-10-25 11:25:17 +00:00
Bill Yi
77e061110e Merge pie-platform-release to aosp-master - DO NOT MERGE
Change-Id: I7a398025c18a7ce22c775a67328dc5504f98c04f
2018-10-24 14:48:45 -07:00
Treehugger Robot
554f18163a Merge "sepolicy: Allow apps to get info from priv_app by ashmem" 2018-10-24 18:02:23 +00:00
Jack Yu
b10f4eba61 Added a new system properties for IWLAN operation mode
Added a new flag to specify the IWLAN operation mode. Also
allowed this system properties for vendor native service to
access.

Test: Manual
Bug: 73659459
Change-Id: I23197e451557fae36a0cc5da4b50b3a00f9233dc
2018-10-24 10:48:12 -07:00
Anton Hansson
854adfd6a8 Merge "Add sepolicy for preloads_copy script" 2018-10-24 17:09:11 +00:00
Tom Cherry
fc1980eb8a Merge "Combine vendor-init-actionable with vendor-init-readable" 2018-10-24 15:52:06 +00:00
Anton Hansson
c6742dbbf9 Properly escape dots in file_contexts filenames
I found these with the regex (?<!\\)\.(?!\*|\+)

Test: make
Change-Id: I1c2e817d164b1074cb359cdb6d46bcf71e220765
2018-10-24 14:50:22 +01:00