Commit graph

13060 commits

Author SHA1 Message Date
Joel Galenson
54d044c12e Merge "Allow init to create /dev/event-log-tags."
am: cea60d7eb5

Change-Id: I9c0195571c616525fe8daaefc76661d111a57917
2017-12-01 16:52:07 +00:00
Treehugger Robot
cea60d7eb5 Merge "Allow init to create /dev/event-log-tags." 2017-12-01 16:47:10 +00:00
Joel Galenson
0975d73010 Allow init to create /dev/event-log-tags.
Now that creating a symlink automatically sets its context,
init needs permission to create this file.

Bug: 69965807
Test: Booted device and tested wifi and camera.
Change-Id: I41f5ca8f4d877312c9b2a909001fe9cd80c3d458
2017-11-30 15:38:19 -08:00
Calin Juravle
2b20a162fe Allow system server to getattr profile_data_files
am: acbda50484

Change-Id: I9575610aeae0464661ad23d0eac696915cb0064e
2017-11-30 23:25:13 +00:00
Calin Juravle
acbda50484 Allow system server to getattr profile_data_files
This is needed in order to get the stat-size of the files.

Bug: 30934496
Test: gts-tradefed -m GtsAndroidRuntimeManagerHostTestCases
Change-Id: I1df0ba941e8f9ff13a23df4063acc3c4f1555c1b
2017-11-29 18:35:35 -08:00
Connor O'Brien
f410c694c6 Merge "selinux: set proc_uid_time_in_state type for /proc/uid"
am: 33ba9c54d1

Change-Id: I09d49857f0bffc37090c4429879fb5288cbc9b90
2017-11-30 01:57:33 +00:00
Connor O'Brien
33ba9c54d1 Merge "selinux: set proc_uid_time_in_state type for /proc/uid" 2017-11-30 01:44:02 +00:00
Jeff Vander Stoep
08c68e1a26 Merge "Fix bug map entry"
am: f838a3bc46

Change-Id: Ia2c73bd7b5524da7df7aa96c14dd60e30feecce2
2017-11-30 01:02:38 +00:00
Treehugger Robot
f838a3bc46 Merge "Fix bug map entry" 2017-11-30 00:52:21 +00:00
Jeff Vander Stoep
53950b6595 Fix bug map entry
Tclass was omitted for two entries.

Bug: 69928154
Bug: 69366875
Test: build
Change-Id: Ie12c240b84e365110516bcd786b98dc37295fdb9
2017-11-29 14:48:41 -08:00
Connor O'Brien
ac3c61eb40 selinux: set proc_uid_time_in_state type for /proc/uid
/proc/uid/ provides the same per-uid time_in_state data as
/proc/uid_time_in_state, so apply the same type and let system_server
read directories of this type.

Bug: 66953705
Test: system_server can read /proc/uid/*/time_in_state files without
denials on sailfish
Change-Id: Iab7fd018c5296e8c0140be81c14e5bae9e0acb0b
Signed-off-by: Connor O'Brien <connoro@google.com>
2017-11-29 12:54:13 -08:00
Nicholas Sauer
bfdb55bec2 Merge "Make sepolicy-analyze for ATS."
am: 4ebbe461aa  -s ours

Change-Id: I72f7b323551fc2151668203db725710231c836c5
2017-11-29 04:28:41 +00:00
Nicholas Sauer
4ebbe461aa Merge "Make sepolicy-analyze for ATS." 2017-11-29 04:01:40 +00:00
Calin Juravle
8e4bedd40d Allow system server to open profiles
am: 15da30b6ff

Change-Id: I6a06b84d6319680d73d38ec16ca6e142d79290d1
2017-11-28 23:24:33 +00:00
Nicholas Sauer
b6d6db2706 Make sepolicy-analyze for ATS.
bug: 69430536
Test: make ats-tradefed && ats-tradefed run ats -m
GtsSecurityHostTestCases

Merged-In: I617a7d08b1bf480f970bc8b4339fa6bbdc347311
Change-Id: I1d4af47662de5db4e5f7bba244e42930b6de164b
2017-11-28 21:48:43 +00:00
Calin Juravle
15da30b6ff Allow system server to open profiles
Allow system_server to open profile snapshots for read.
System server never reads the actual content. It passes the descriptor to
privileged apps which acquire the permissions to inspect the profiles.

Test: installd_dexopt_test
Bug: 30934496
Change-Id: I1d1f07a05261af25f6640040af1500c9a4d5b8d5
2017-11-28 20:18:35 +00:00
Tri Vo
ab35e4343b Label /proc/sys/kernel/pid_max as proc_pid_max.
am: 4081fd3993

Change-Id: Iffd1f51451929b92898fd65da600b6259f85a50e
2017-11-28 18:49:56 +00:00
Tri Vo
4081fd3993 Label /proc/sys/kernel/pid_max as proc_pid_max.
And give shell domain read access to /proc/sys/kernel/pid_max.

Bug: 69569397
Test: adb shell /data/nativetest/bionic-unit-tests/bionic-unit-tests
--gtest_filter=pthread.pthread_mutex_owner_tid_limit
Change-Id: Ib56c18ed553ad2c2113e6913788a4c00965483cc
2017-11-28 08:42:46 -08:00
Nick Kralevich
6cb6dc8431 Clean up old file-based OTA SELinux rules
am: b8b4f5d649

Change-Id: I68d5ca0bf61c25e54f8d6a6aa77a326c3c0d67bf
2017-11-27 18:53:57 +00:00
Nick Kralevich
b8b4f5d649 Clean up old file-based OTA SELinux rules
Remove a number of SELinux rules which were required to support file
based OTA. After this, we can have a much stronger assertion that files
on /system are immutable. Tighten up the neverallow rules at the same
time.

Bug: 35853185
Bug: 15575013
Bug: 69664758
Test: adb reboot recovery && adb sideload [file]
Change-Id: I22aa208859b8478a2a90e1ed1c0f0d6b62a6664e
2017-11-27 09:01:36 -08:00
Nick Kralevich
33111652bc Continuation of 9b2e0cbeea
am: df642bef22

Change-Id: I63f0f9b8cfb6e7161b8b89bda377a43d1e114e21
2017-11-22 20:51:06 +00:00
Nick Kralevich
df642bef22 Continuation of 9b2e0cbeea
9b2e0cbeea changed all uses of capability
to global_capability_class_set but accidentally omitted one entry.
Fix the one entry.

Test: policy compiles.
Change-Id: I1bb8c494a2660d9f02783c93b07d4238a2575106
2017-11-22 10:03:35 -08:00
Nick Kralevich
8929a1a98f Revert "Clean up old file-based OTA SELinux rules"
am: b6a05a93c1

Change-Id: I827b6604f6eed56749e71c6e3451d8693f274bdc
2017-11-22 17:37:50 +00:00
Nick Kralevich
b6a05a93c1 Revert "Clean up old file-based OTA SELinux rules"
Self sideload OTA installation is aborted in #PPR1.171122.001.
Likely cause is the removal of the file-based OTA rules. Revert
the change while I investigate.

This reverts commit 7388575591.

Bug: 35853185
Bug: 69664758
Bug: 15575013

Change-Id: I65ca3bad7251f06df33eae8b2d4bcfada93ae9b8
2017-11-22 14:56:01 +00:00
Jiyong Park
07d9f7e0d0 Merge "Label /vendor/priv-app as vendor_app_file"
am: 5086506a99

Change-Id: Icf4ba89621620ac7c624dc1d680bf61f807e163e
2017-11-22 08:07:09 +00:00
Treehugger Robot
5086506a99 Merge "Label /vendor/priv-app as vendor_app_file" 2017-11-22 07:58:48 +00:00
Jeff Vander Stoep
7dc46564d0 Fix CTS regressions
am: 6a28b68d54

Change-Id: I774787b48c0b5f6f20313ee6f9c8062db4072e84
2017-11-22 04:58:48 +00:00
Jeff Vander Stoep
6a28b68d54 Fix CTS regressions
Commit 7688161 "hal_*_(client|server) => hal(client|server)domain"
added neverallow rules on hal_*_client attributes while simultaneously
expanding these attributes which causes them to fail CTS neverallow
tests. Remove these neverallow rules as they do not impose specific
security properties that we want to enforce.

Modify other neverallow failures which were imposed on hal_foo
attributes and should have been enforced on hal_foo_server attributes
instead.

Bug: 69566734
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed
    remaining failure appears to be caused by b/68133473
Test: build taimen-user/userdebug

Change-Id: I619e71529e078235ed30dc06c60e6e448310fdbc
2017-11-22 04:54:41 +00:00
Jiyong Park
76311578c9 Label /vendor/priv-app as vendor_app_file
In P, we will be supporting privileged apps in vendor partition, thus
need to label /vendor/priv-app as vendor_app_file so that apps can exist
under the dir.

Bug: 35301609
Test: N/A since there is no /vendor/priv-app yet. Framework change
which is currently in the internal is required.

Change-Id: I86a765ef9da5267113e64a7cbb38ba0abf5c2835
2017-11-22 12:07:08 +09:00
Nick Kralevich
5a30dc3636 Merge "Clean up old file-based OTA SELinux rules"
am: 4fbbd147c8

Change-Id: I304c54a480b150a8c910f268ccf84869dfb7e3f5
2017-11-22 00:33:13 +00:00
Treehugger Robot
4fbbd147c8 Merge "Clean up old file-based OTA SELinux rules" 2017-11-22 00:15:29 +00:00
Courtney Goeltzenleuchter
4fb7f127f7 Merge "Add support for updated HW composer interface"
am: 0629dedc41

Change-Id: I576b7b98ba147c97a992ea3c65239060c4cec51e
2017-11-21 23:48:18 +00:00
Courtney Goeltzenleuchter
0629dedc41 Merge "Add support for updated HW composer interface" 2017-11-21 23:42:05 +00:00
Nick Kralevich
7388575591 Clean up old file-based OTA SELinux rules
Remove a number of SELinux rules which were required to support file
based OTA. After this, we can have a much stronger assertion that files
on /system are immutable. Tighten up the neverallow rules at the same
time.

Bug: 35853185
Bug: 15575013
Test: adb reboot recovery && adb sideload [file]
Change-Id: I4238d17808bed6a81f47e14eb1797496c07642e2
2017-11-21 14:20:17 -08:00
Jeffrey Vander Stoep
54242ffae1 Merge "Prepare treble_sepolicy_tests for inclusion in CTS"
am: 18cb4daed7

Change-Id: Ibbaef489e45195aa105b6df09bb7378481ab2d06
2017-11-21 21:15:41 +00:00
Jeffrey Vander Stoep
18cb4daed7 Merge "Prepare treble_sepolicy_tests for inclusion in CTS" 2017-11-21 21:07:33 +00:00
Jeffrey Vander Stoep
51aba79e3a Revert "Fix CTS regressions"
am: cd69bebf76

Change-Id: I6f3c20144c971d5040ee325e8bc0e9cff70085a0
2017-11-21 20:39:58 +00:00
Jeffrey Vander Stoep
cd69bebf76 Revert "Fix CTS regressions"
This reverts commit ed876a5e96.

Fixes user builds.
libsepol.report_failure: neverallow on line 513 of system/sepolicy/public/domain.te (or line 9149 of policy.conf) violated by allow update_verifier misc_block_device:blk_file { ioctl read write lock append open }; 
libsepol.check_assertions: 1 neverallow failures occurred 
Error while expanding policy
Bug: 69566734
Test: build taimen-user
Change-Id: I969b7539dce547f020918ddc3e17208fc98385c4
2017-11-21 20:27:47 +00:00
Jeff Vander Stoep
c76a25c106 Fix CTS regressions
am: ed876a5e96

Change-Id: Ic41e1b997968acfd68ade6e9b9901a4dd9b8d2d2
2017-11-21 19:04:54 +00:00
Jeff Vander Stoep
ed876a5e96 Fix CTS regressions
Commit 7688161 "hal_*_(client|server) => hal(client|server)domain"
added neverallow rules on hal_*_client attributes while simultaneously
expanding these attributes which causes them to fail CTS neverallow
tests. Remove these neverallow rules as they do not impose specific
security properties that we want to enforce.

Modify other neverallow failures which were imposed on hal_foo
attributes and should have been enforced on hal_foo_server attributes
instead.

Bug: 69566734
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed
    remaining failure appears to be caused by b/68133473
Change-Id: I83dcb33c3a057f126428f88a90b95f3f129d9f0e
2017-11-21 18:06:20 +00:00
Benjamin Gordon
d41e616199 Merge "sepolicy: Add rules for non-init namespaces"
am: b9ea282c65

Change-Id: I77676d7adb39747b9195489ef83d72e57cdb3b59
2017-11-21 17:43:02 +00:00
Benjamin Gordon
b9ea282c65 Merge "sepolicy: Add rules for non-init namespaces" 2017-11-21 17:34:40 +00:00
Courtney Goeltzenleuchter
68f2438870 Add support for updated HW composer interface
Test: build
Bug: 63710530
Change-Id: I85cddfaf3ec004165040935f8723e9eed0ef7900
2017-11-21 10:09:23 -07:00
Jeff Vander Stoep
246b807122 Merge "Remove tracking bugs that have been resolved"
am: 11c5700f4b

Change-Id: I10a19ad706d053e1a7a8e9f5d07d7c30aad0a053
2017-11-21 16:50:45 +00:00
Treehugger Robot
11c5700f4b Merge "Remove tracking bugs that have been resolved" 2017-11-21 16:42:19 +00:00
Benjamin Gordon
9b2e0cbeea sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-21 08:34:32 -07:00
Jeff Vander Stoep
378763f218 Remove tracking bugs that have been resolved
Bug: 69175449
Bug: 69197466
Test: build
Change-Id: I11e46b65449cb6f451ecab8d4dff9adc162fe115
2017-11-20 22:14:32 -08:00
Vishnu Nair
063ad62779 Allow system_server to remove files in /data/misc/wmtrace/*
am: df8d4b87ef

Change-Id: Ia617cd27b03de715772eb2d94205422ad8dfe745
2017-11-21 03:18:24 +00:00
Vishnu Nair
df8d4b87ef Allow system_server to remove files in /data/misc/wmtrace/*
Bug: 64831661
Test: adb shell cmd window tracing start && adb shell cmd window tracing stop
Test: adb shell su root dmesg | grep 'avc: '
Change-Id: I1578aac9e102246ec722c78a6e9efb5581259d81
2017-11-20 15:21:56 -08:00
Jeff Vander Stoep
fe0910c9ad Prepare treble_sepolicy_tests for inclusion in CTS
Unconditionally compile treble_sepolicy_tests. Make compat
files conditional on running the compat tests.

Bug: 37008075
Test: build
Change-Id: Ib3aee6e93d285ca141803a13958fbcb38b891b68
2017-11-20 22:29:38 +00:00