Commit graph

5 commits

Author SHA1 Message Date
Nick Kralevich
5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00
Tianjie Xu
8b3f4c5b6a Gives recovery-persist access to /cache/recovery
Recovery-persist now parses the file /cache/recovery/last_install; and
unlinks it after reporting metrics. Sets up the permission accordingly;
also grants access to /cache if it's a symlink (useful for a/b devices.)

Denials:
recovery-persis: type=1400 audit(0.0:7): avc: denied { write } for name="recovery"
dev="sda35" ino=5275650 scontext=u:r:recovery_persist:s0
tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=0
recovery-persis: type=1400 audit(0.0:7): avc: denied { search } for name="recovery"
dev="sda35" ino=5275650 scontext=u:r:recovery_persist:s0
tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=0
recovery-persis: type=1400 audit(0.0:8): avc: denied { search } for name="recovery"
dev="sda35" ino=5275650 scontext=u:r:recovery_persist:s0
tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=0
recovery-persis: type=1400 audit(0.0:8): avc: denied { read } for name="cache"
dev="dm-0" ino=2991 scontext=u:r:recovery_persist:s0
tcontext=u:object_r:cache_file:s0 tclass=lnk_file permissive=0

Bug: 114278989
Test: checks the metrics report on devices with /cache
Change-Id: Iacb5606710e26922a9fbb2d2abacf8333d6df084
2018-09-13 22:44:00 +00:00
Nick Kralevich
23c9d91b46 Start partitioning off privapp_data_file from app_data_file
Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.

This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.

This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:

  -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
  +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user

For now, this newly introduced label has no usage, so this change
is essentially a no-op.

Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
      filesystem upgrade.

Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-02 16:29:02 -07:00
dcashman
2e00e6373f sepolicy: add version_policy tool and version non-platform policy.
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-12-06 08:56:02 -08:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00
Renamed from recovery_persist.te (Browse further)