Commit graph

75 commits

Author SHA1 Message Date
Marco Ballesio
aa4ce95c6f sepolicy: rules for uid/pid cgroups v2 hierarchy
Bug: 168907513
Test: verified the correct working of the v2 uid/pid hierarchy in normal
and recovery modes

This reverts commit aa8bb3a29b.

Change-Id: Ib344d500ea49b86e862e223ab58a16601eebef47
2021-02-11 23:40:38 +00:00
Pavel Grafov
20bc79bb3f Keystore 2.0: Allow system_server to manage wifi keys
This is needed because Wifi module needs to import and
generate keys and it runs in system_server.

Also, remove "grant" from system_app and system_server
since there is no need to grant any keys.

Test: Create an enterprise wifi config with EAP-TLS
Bug: 171305388
Change-Id: I50c25f2fe52e968c8cdf1ea20d110f9f052699db
2021-02-09 20:36:51 +00:00
Janis Danisevskis
df31f20dfe Keystore 2.0: Add wifi namespace to sepolicy.
Add the wifi namespace to sepolicy and allow system_app (Settings) and
wifi_supplicant to manage/use the keys in that namespace

Test: N/A
Bug: 171305388
Change-Id: Ib6af8656b18288a1116c241c2e76d9aea421a889
2021-02-09 08:28:45 -08:00
Marco Ballesio
aa8bb3a29b Revert^3 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
a54bed6907

Bug: 151660495
Test: verified proper boot in regular mode and proper working of adb in
recovery

Change-Id: Id70d27a6162af6ede94661005d80a2a780057089
2021-02-04 22:33:14 +00:00
Marco Ballesio
a54bed6907 Revert^2 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
51c04ac27b

Change-Id: Idc35a84b5faabfb9bdd7a7693f51b11938eb0489
2021-01-27 06:07:48 +00:00
Jeff Vander Stoep
07aee66679 system_app: remove adb data loader permissions
Per schfan@ these are no longer needed.

Test: build
Change-Id: Idda1d9775fdd38cbd53c3652b567ddfc5beca0a6
2020-12-09 08:58:23 +01:00
Adam Shih
2543715187 never allow untrusted apps accessing debugfs_tracing
debugfs_tracing can only be accessed by tracing tools provided by the
platform.

Bug: 172028429
Test: boot with no relevant log showing up
Change-Id: I412dd51a1b268061c5a972488b8bc4a0ee456601
2020-12-07 16:33:59 +08:00
Jonglin Lee
51c04ac27b Revert "sepolicy: rules for uid/pid cgroups v2 hierarchy"
Revert submission 1511692-cgroup v2 uid/pid hierarchy

Reason for revert: Causing intermittent cgroup kernel panics
Reverted Changes:
I80c2a069b:sepolicy: rules for uid/pid cgroups v2 hierarchy
I73f3e767d:libprocessgroup: uid/pid hierarchy for cgroup v2

Bug: 174776875
Change-Id: I63a03bb43d87c9aa564b1436a45fd5ec023aac87
Test: Locally reverted and booted 100 times without kernel panic
2020-12-04 03:12:59 +00:00
Marco Ballesio
f46d7a26c1 sepolicy: rules for uid/pid cgroups v2 hierarchy
the cgroups v2 uid/gid hierarchy will replace cgroup for all sepolicy
rules. For this reason, old rules have to be duplicated to cgroup_v2,
plus some rules must be added to allow the ownership change for cgroup
files created by init and zygote.

Test: booted device, verified correct access from init, system_server
and zygote to the uid/pid cgroup files

Change-Id: I80c2a069b0fb409b442e1160148ddc48e31d6809
2020-11-30 11:46:14 -08:00
Michael Sun
6445f190e8 Update to support splitted SystemSuspend AIDL interfaces
The suspend_control_aidl_interface is updated, renamed, and splitted
into android.system.suspend.control and
android.system.suspend.control.internal. This resulted in two suspend
services, update sepolicy to support this change.

Test: m
Bug: 171598743
Change-Id: I695bde405672af834fe662242347e62079f2e25f
2020-11-02 23:54:21 +00:00
Janis Danisevskis
202e8636ac Add policy for property ro.android.security.keystore2.enable
Bug: 171563717
Bug: 171305684
Test: N/A
Change-Id: I323081fd2ce2fee80951c3d1e19b9935e4596705
2020-10-27 09:49:18 -07:00
Janis Danisevskis
144c822018 Move list permission from keystore2_key to keystore class.
The list permission protects the ability to list arbitrary namespaces.
This is not a namespace specific permission but a Keystore specific
permission. Listing the entries of a given namsepace is covered by the
get_info permission already.

Ignore-AOSP-First: This needs to land in googleplex first to updated
                   prebuilt vendor images. Otherwise it breaks
                   aosp-with-phone builds.
Test: N/A
Change-Id: If6e79fd863a79acf8d8ab10c6362a4eeaa88a5b8
2020-10-01 05:33:31 +00:00
Inseob Kim
96b9d86a0e Remove exported2_system_prop
It's not used anymore.

Bug: 161659925
Test: boot
Change-Id: I5b08bdace28a509d464759a66025c951178225c6
Merged-In: I5b08bdace28a509d464759a66025c951178225c6
(cherry picked from commit 7d96ddbfb0)
2020-08-06 12:52:32 +09:00
Janis Danisevskis
abb93f24c0 Make Keystore equivalent policy for Keystore2
Bug: 158500146
Bug: 159466840
Test: keystore2_test tests part of this policy
Change-Id: Id3dcb2ba4423d93170b9ba7ecf8aed0580ce83bc
Merged-In: Id3dcb2ba4423d93170b9ba7ecf8aed0580ce83bc
2020-08-05 16:11:48 +00:00
Alan Stokes
bd397a14b4 Merge "Make cross-user apps mlstrustedsubject." 2020-07-23 08:35:43 +00:00
Alan Stokes
81e4e877f3 Make cross-user apps mlstrustedsubject.
We have various apps which inherently work across all users,
configured in seapp_contexts with levelFrom=None (usually implicitly).

This change marks those apps, where they have private data files, as
mlstrustedsubject, to allow us to increase restrictions on cross-user
access without breaking them.

Currently these apps are granted full access to [priv_]app__data_file
via TE rules, but are blocked from calling open (etc) by mls rules
(they don't have a matching level).

This CL changes things round so they are granted access by mls, but
blocked from calling open by TE rules; the overall effect is thus the
same - they do not have access.

A neverallow rule is added to ensure this remains true.

Note that there are various vendor apps which are appdomain,
levelFrom=None; they will also need modified policy.

Test: builds, boots, no new denials.
Bug: 141677108

Change-Id: Ic14f24ec6e8cbfda7a775adf0c350b406d3a197e
2020-07-22 14:41:31 +01:00
Inseob Kim
c80b024241 Relabel various exported3_default_prop
This removes bad context names "exported*_prop". Property contexts of
following properties are changed. All properties are settable only by
vendor-init.

- ro.config.per_app_memcg
This becomes lmkd_config_prop.

- ro.zygote
This becomes dalvik_config_prop.

- ro.oem_unlock_supported
This becomes oem_unlock_prop. It's readable by system_app which includes
Settings apps.

- ro.storage_manager.enabled
This becomes storagemanagr_config_prop. It's readable by coredomain.
Various domains in coredomain seem to read it.

- sendbug.preferred.domain
This bcomes sendbug_config_prop. It's readable by appdomain.

There are still 3 more exported3_default_prop, which are going to be
tracked individually.

Bug: 155844385
Test: selinux denial check on Pixel devices
Change-Id: I340c903ca7bda98a92d0f157c65f6833ed00df05
2020-07-20 16:11:58 +09:00
Inseob Kim
dc1e5019d6 Rename system_radio_prop
For whatever reason sys.usb.config* has been labeled as
system_radio_prop, which doesn't make sense. Changing context name as
usb_prop. For the same reason exported_system_radio_prop is also
renamed to usb-related names.

Bug: 71814576
Bug: 154885206
Test: m selinux_policy
Change-Id: If30bc620dbeac926a8b9bcde908357fda739a6c1
Merged-In: If30bc620dbeac926a8b9bcde908357fda739a6c1
(cherry picked from commit 44fbcdb677)
2020-05-15 15:06:10 +09:00
Yiwei Zhang
3db5a3140f sepolicy: clean up redundant rules around gpuservice
Test: m selinux_policy
Change-Id: I67389253aa3c6071a553e123fa9883cbdb331614
2020-04-15 09:24:16 -07:00
Howard Chen
7833aa4751 Allow developer settings to query gsid status
When the device is running DSU, the DSULoader button should
be disabled.

Bug: 151792130
Test: open developer settings and check the DSULoader

Change-Id: Iae2d3dcc9d2b6de1fa5f6a0931465b355fe74ddf
2020-03-20 07:57:09 +00:00
Rambo Wang
e2fb8aa108 Merge "Allow system_app to interact with Dumpstate HAL" 2020-02-20 04:07:09 +00:00
Rambo Wang
8950e7a25b Allow system_app to interact with Dumpstate HAL
To let end user enable/disable the verbose vender logging,
a developer option is added into Settings app which need
directly interact with Dumpstate HAL. In the future, the
same function may be added into SystemUI, eg. as a
QuickSettings tile.

To allow both Settings app and system.ui, system_app is
the best candidate for the sepolicy change.

Bug: 148822215
Test: make && make RunSettingsRoboTests
Change-Id: Ic6ef497505719e07cc37518b78c9dc146cda2d2c
2020-02-19 06:03:32 +00:00
Songchun Fan
3922253de9 permissions for incremental control file
=== for mounting and create file ===

02-12 21:09:41.828   593   593 I Binder:593_2: type=1400 audit(0.0:832): avc: denied { relabelto } for name=".pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.838   593   593 I Binder:593_2: type=1400 audit(0.0:833): avc: denied { read } for name=".pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.838   593   593 I Binder:593_2: type=1400 audit(0.0:834): avc: denied { open } for path="/data/incremental/MT_data_incremental_tmp_1485189518/mount/.pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.838   593   593 I Binder:593_2: type=1400 audit(0.0:835): avc: denied { getattr } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.838   593   593 I Binder:593_2: type=1400 audit(0.0:836): avc: denied { read } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.841  1429  1429 I PackageInstalle: type=1400 audit(0.0:837): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x671e scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1

=== for reading signature from file ===
02-12 21:09:47.931  8972  8972 I android.vending: type=1400 audit(0.0:848): avc: denied { ioctl } for path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending
02-12 21:09:47.994  1429  1429 I AppIntegrityMan: type=1400 audit(0.0:849): avc: denied { ioctl } for path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
02-12 21:09:50.034  8972  8972 I com.android.vending: type=1400 audit(0.0:850): avc: denied { ioctl } for comm=62674578656375746F72202332 path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending
02-12 21:09:52.914  1429  1429 I PackageManager: type=1400 audit(0.0:851): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x671e scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1

=== data loader app reading from log file ===
02-12 22:09:19.741  1417  1417 I Binder:1417_3: type=1400 audit(0.0:654): avc: denied { read } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3131393237303339342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_app:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 22:09:19.741 15903 15903 I Binder:15903_4: type=1400 audit(0.0:655): avc: denied { getattr } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3131393237303339342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_app:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1

Test: manual with incremental installation
BUG: 133435829
Change-Id: Ie973be6bc63faf8fe98c9e684060e9c81d124e6e
2020-02-13 12:53:36 -08:00
Songchun Fan
020e3ab035 selinux rules for apk files installed with Incremental
Apk files installed with Incremental are actually stored under the
/data/incremental directory.

Since files under /data/incremental are labeled as apk_file_data, we
need additional permissions to enable an apk installation.

Denial messages:

=== vold ===
02-04 14:22:45.756   599   599 I Binder:599_3: type=1400 audit(0.0:607): avc: denied { read } for name="mount" dev="dm-5" ino=894 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
02-04 14:22:45.756   599   599 I Binder:599_3: type=1400 audit(0.0:608): avc: denied { open } for path="/data/incremental/data_incremental_tmp_792314038/mount" dev="dm-5" ino=894 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
02-04 14:22:45.760   599   599 I Binder:599_3: type=1400 audit(0.0:609): avc: denied { mounton } for path="/data/incremental/data_incremental_tmp_792314038/mount" dev="dm-5" ino=894 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
02-04 14:22:45.766  1431  1431 I PackageInstalle: type=1400 audit(0.0:620): avc: denied { read write open } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/.index/f5c14952f6dde3b4a77a94e45388c012" dev="dm-5" ino=897 scontext=u:r:vold:s0
02-04 14:22:45.923  1431  1431 I PackageManager: type=1400 audit(0.0:637): avc: denied { write } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/st_5_0" dev="dm-5" ino=896 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
02-04 14:22:47.326  8839  8839 I android.vending: type=1400 audit(0.0:658): avc: denied { read write open } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/st_6_1/flipboard.app-KPIT2MBSpQYWG-USITOftw==/base.apk" dev="dm-5" ino=899 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending
02-04 14:22:45.780   599   599 I Binder:599_3: type=1400 audit(0.0:623): avc: denied { getattr } for path="/data/app/vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1
02-04 14:22:45.780   599   599 I Binder:599_3: type=1400 audit(0.0:624): avc: denied { read } for name="vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1
02-04 14:22:45.780   599   599 I Binder:599_3: type=1400 audit(0.0:625): avc: denied { open } for path="/data/app/vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1
02-04 14:22:45.780   599   599 I Binder:599_3: type=1400 audit(0.0:627): avc: denied { mounton } for path="/data/app/vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1

02-04 15:32:02.386   591   591 I Binder:591_4: type=1400 audit(0.0:537): avc: denied { search } for name="incremental" dev="dm-5" ino=120 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1

=== system_app ===
02-04 14:22:45.793  5064  5064 I Binder:5064_1: type=1400 audit(0.0:633): avc: denied { write } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/st_5_0/base.apk" dev="dm-5" ino=899 scontext=u:r:system_app:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1

Test: manual
BUG: 133435829
Change-Id: I70f25a6e63dd2be87ccbe9fb9e9d50fa64d88c36
2020-02-07 16:34:42 +00:00
Steven Moreland
a30464c06e More neverallows for default_android_service.
We don't want to accidentally allow this, and a neverallow also means
that the issue will be found during development, instead of review.

Fixes: 148081219
Test: compile policy only
Change-Id: I57990a2a4ab9e5988b09dae2dd6a710ce8f53800
2020-01-21 11:13:22 -08:00
Nick Kralevich
6e893ec1fe system_app: neverallow /data/local/tmp access
/data/local/tmp is an attacker controlled location which system_apps
should not be depending on. system_apps should only depend on files in
their home directory and files passed to them by file descriptor. To
support this best practice, neverallow access to /data/local/tmp. This
adds a compile time assertion and CTS test to assert that this rule is
never present.

This is conceptually a tightening of already defined neverallow rules in
domain.te. The existing neverallow assertions exclude appdomain, which
is too broad:

  neverallow {
    domain
    -adbd
    -appdomain
    -dumpstate
    -init
    -installd
    -simpleperf_app_runner
    -system_server # why?
    userdebug_or_eng(`-uncrypt')
  } shell_data_file:dir { open search };

  # Same as above for /data/local/tmp files. We allow shell files
  # to be passed around by file descriptor, but not directly opened.
  neverallow {
    domain
    -adbd
    -appdomain
    -dumpstate
    -installd
    userdebug_or_eng(`-uncrypt')
  } shell_data_file:file open;

Test: compiles
Change-Id: Ib7178e2b9d5a41c03837a535f7db5eaf10319aac
2019-09-05 09:24:41 -07:00
Andrew Sapperstein
544a9b1c51 Revert "Revert "Allow rule to let settings access apex files""
This reverts commit e47d2365a8.

Reason for revert: Original CL was not the cause of the breakage. It went green before this revert landed. https://android-build.googleplex.com/builds/branches/aosp-master/grid?

Original CL went in 5695273.
Went green in 5695399.
Revert went in 5695588.

Change-Id: Ie4d7065fe7d3c58cdff99c2b7d76b50b941895bb
2019-06-28 15:28:28 +00:00
Cosmo Hsieh
e47d2365a8 Revert "Allow rule to let settings access apex files"
This reverts commit 0c0ba46192.

Reason for revert: <Broken build 5695273 on aosp-master on aosp_x86_64-eng>

Change-Id: I763f19aa5b72f2e1aaebbc78bb8ab3020c3d2a7b
2019-06-28 09:51:28 +00:00
Todd Kennedy
0c0ba46192 Allow rule to let settings access apex files
In order to show licensing information, we need to read it from
an asset stored in the .apex file.

Bug: 135183006
Test: Manual; settings can access apex files stored on /data
Change-Id: I71fbde6e295d9c890c9b9b0449e5150834a6680e
2019-06-27 18:34:25 +00:00
Hung-ying Tyan
565384db61 Sepolicy: add dynamic_system_prop
and allow shell and system_app (Settings) to set it to enable Dynamic System Update.
Also allow priv_app (user of the API) to read it.

Bug: 119647479
Bug: 129060539
Test: run the following command on crosshatch-user:
      adb shell setprop persist.sys.fflag.override.settings_dynamic_system 1

Change-Id: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
Merged-In: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
2019-04-30 18:29:56 +08:00
Xiao Ma
e2876a3d11 revert ipmemorystore selinux policy.
Since ipmemorystore service has been moved to network stack from
system service, also should revert the relevant sepolicy which is
corresponding to the previous configuration.

Bug: 128392280
Test: atest FrameworksNetTests NetworkStackTests
Change-Id: I1ae09696e620b246f817db71e7b71c32aae9be05
2019-04-01 16:37:25 +09:00
Yifan Hong
18ade868ff Add rules for lpdump and lpdumpd
- lpdump is a binary on the device that talks to lpdumpd
  via binder.

- lpdumpd is a daemon on the device that actually reads
  dynamic partition metadata. Only lpdump can talk to it.

Bug: 126233777
Test: boots (sanity)
Test: lpdump

Change-Id: I0e21f35ac136bcbb0603940364e8117f2d6ac438
2019-03-25 10:14:20 -07:00
Cheney Ni
e55a74bdff Add rules for accessing the related bluetooth_audio_hal_prop
This change allows those daemons of the audio and Bluetooth which
include HALs to access the bluetooth_audio_hal_prop. This property is
used to force disable the new BluetoothAudio HAL.
  - persist.bluetooth.bluetooth_audio_hal.disabled

Bug: 128825244
Test: audio HAL can access the property
Change-Id: I87a8ba57cfbcd7d3e4548aa96bc915d0cc6b2b74
2019-03-20 03:12:25 +00:00
Tri Vo
131fa73add Restrict access to suspend control
Test: m selinux_policy
Change-Id: Ieccfd2aa059da065ace4f2db1b9634c52dd2cb24
2019-03-07 18:31:58 +00:00
Luke Huang
524f25ebb0 Add sepolicy for resolver service
Bug: 126141549
Test: built, flashed, booted
Change-Id: I34260e1e5cc238fbe92574f928252680c1e6b417
2019-03-05 15:49:33 +00:00
Yiwei Zhang
544d6b34ec Game Driver: sepolicy update for plumbing GpuStats into GpuService
Allow all the app process with GUI to send GPU health metrics stats to
GpuService during the GraphicsEnvironment setup stage for the process.

Bug: 123529932
Test: Build, flash and boot. No selinux denials.
Change-Id: Ic7687dac3c8a3ea43fa744a6ae8a45716951c4df
2019-02-08 18:15:17 -08:00
Chalard Jean
fb15c9f12f Add sepolicy for IpMemoryStoreService
Bug: 116512211
Test: Builds, boots, including upcoming changes needing this
Change-Id: I6f119368c5a4f7ac6c0325915dff60124c5a6399
2019-01-10 18:06:56 +09:00
Nick Kralevich
2e251461fc remove system_app proc_net_type access
The auditallow added in 7a4af30b3 has not triggered. This is safe to
remove.

Test: device boots and no obvious problems.
Test: No audit messages seen since May 2018 on go/sedenials
Bug: 9496886
Bug: 68016944
Change-Id: I3861b462467e1fc31e67a263ad06716a4111dcb8
2018-10-11 10:20:19 -07:00
Tri Vo
f55c989d18 Constrain cgroups access.
What changed:
- Removed cgroup access from untrusted and priv apps.
- Settings app writes to /dev/stune/foreground/tasks, so system_app domain
retains access to cgroup.
- libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used
abundantly in native code. So added a blanket allow rule for (coredomain - apps)
to access cgroups.
- For now, only audit cgroup access from vendor domains. Ultimately, we want to
either constrain vendor access to individual domains or, even better, remove
vendor access and have platform manage cgroups exclusively.

Changes from original aosp/692189 which was reverted:
- There seem to be spurious denials from vendor-specific apps. So added
back access from { appdomain -all_untrusted_apps -priv_app } to cgroup.
Audit this access with intent to write explicit per-domain rules for it.

Bug: 110043362
Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates
/dev/memcg on a per app basis on a device that supports that.
Test: aosp_sailfish, wahoo boot without cgroup denials
This reverts commit cacea25ed0.
Change-Id: I05ab404f348a864e8409d811346c8a0bf49bc47a
2018-10-10 17:41:09 -07:00
Nick Kralevich
cacea25ed0 Revert "Constrain cgroups access."
This reverts commit 9899568f6c.

Reason for revert: Reports of high numbers of SELinux denials
showing up on the SELinux dashboard.

Bug: 110043362
Change-Id: Id8fc260c47ffd269ac2f15ff7dab668c959e3ab0
2018-10-10 04:25:17 +00:00
Tri Vo
9899568f6c Constrain cgroups access.
What changed:
- Removed cgroup access from untrusted and priv apps.
- Settings app writes to /dev/stune/foreground/tasks, so system_app domain
retains access to cgroup.
- libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used
abundantly in native code. So added a blanket allow rule for (coredomain - apps)
to access cgroups.
- For now, only audit cgroup access from vendor domains. Ultimately, we want to
either constrain vendor access to individual domains or, even better, remove
vendor access and have platform manage cgroups exclusively.

Bug: 110043362
Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates
/dev/memcg on a per app basis on a device that supports that.
Test: aosp_sailfish, wahoo boot without cgroup denials
Change-Id: I9e441b26792f1edb1663c660bcff422ec7a6332b
2018-10-09 23:42:06 +00:00
Igor Murashkin
72a88b194c iorapd: Add new binder service iorapd.
This daemon is very locked down. Only system_server can access it.

Bug: 72170747
Change-Id: I7b72b9191cb192be96001d84d067c28292c9688f
2018-10-08 15:00:34 -07:00
Martijn Coenen
ac097ac4c7 Add policy for apexd.
apexd is a new daemon for managing APEX packages installed
on the device. It hosts a single binder service, "apexservice".

Bug: 112455435
Test: builds, binder service can be registered,
      apexes can be accessed, verified and mounted
Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
2018-10-04 07:06:45 +00:00
Jeff Vander Stoep
6026a4adb9 app: Allow all apps to read dropbox FDs
DropboxManager may pass FDs to any app with the READ_LOGS
permission which is available to all apps as a development
permission.

Test: atest CtsIncidentHostTestCases
Fixes: 111856304
Change-Id: I329e3125dab83de948b860061df9d232e31cb23e
2018-09-04 20:23:43 +00:00
Jeff Vander Stoep
7a4af30b38 Start the process of locking down proc/net
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.

To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.

Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
    navigate maps, send text message, make voice call, make video call.
    Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest

Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f)
2018-05-04 21:36:33 +00:00
Jeff Vander Stoep
4d3ee1a5b6 Protect dropbox service data with selinux
Create a new label for /data/system/dropbox, and neverallow direct
access to anything other than init and system_server.

While all apps may write to the dropbox service, only apps with
android.permission.READ_LOGS, a signature|privileged|development
permission, may read them. Grant access to priv_app, system_app,
and platform_app, and neverallow access to all untrusted_apps.

Bug: 31681871
Test: atest CtsStatsdHostTestCases
Test: atest DropBoxTest
Test: atest ErrorsTests
Change-Id: Ice302b74b13c4d66e07b069c1cdac55954d9f5df
2018-04-18 19:53:03 +00:00
Jaekyun Seok
224921d18a Whitelist vendor-init-settable bluetooth_prop and wifi_prop
Values of the following properties are set by SoC vendors on some
devices including Pixels.
- persist.bluetooth.a2dp_offload.cap
- persist.bluetooth.a2dp_offload.enable
- persist.vendor.bluetooth.a2dp_offload.enable
- ro.bt.bdaddr_path
- wlan.driver.status

So they should be whitelisted for compatibility.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
2018-04-13 09:25:06 +09:00
Nathan Harold
252b015365 Allow getsockopt and setsockopt for Encap Sockets
Because applications should be able to set the receive
timeout on UDP encapsulation sockets, we need to allow
setsockopt(). getsockopt() is an obvious allowance as
well.

Bug: 68689438
Test: compilation
Merged-In: I2eaf72bcce5695f1aee7a95ec03111eca577651c
Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c
2018-04-03 21:52:14 +00:00
Bookatz
022ab0e738 Statsd allow shell in selinux policy
CTS tests need to be able to call, from hostside:
adb shell cmd stats dump-report (and others)
On a user build, this will fail because of an selinux policy violation
from shell. This cl fixes this by granting shell permission.

Similarly, Settings needs to communicate with statsd, so
system_app-statsd binder calls are given permission.

Bug: 72961153
Bug: 73255014
Test: run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.atom.HostAtomTests
Test: manual confirmation
Change-Id: I6589ab4ef5c91a4a7f78eb97b63d9bb43e3d8f02
2018-02-13 09:34:55 -08:00
Tri Vo
06d7dca4a1 Remove proc and sysfs access from system_app and platform_app.
Bug: 65643247
Test: manual
Test: browse internet
Test: take a picture
Change-Id: I9faff44b7a025c7422404d777113e40842ea26dd
2018-01-20 01:05:21 +00:00