Commit graph

18864 commits

Author SHA1 Message Date
Treehugger Robot
5dda7f70db Merge "fix memory leaks in sepolicy-analyze tool" 2019-05-17 17:14:20 +00:00
Jinguang Dong
ee62756a7c fix memory leaks in sepolicy-analyze tool
Test: check sepolicy-analyze tool can work well
 sepolicy-analyze out/target/product/<board>/root/sepolicy typecmp -e
 sepolicy-analyze out/target/product/<board>/root/sepolicy typecmp -d
 sepolicy-analyze out/target/product/<board>/root/sepolicy dups
 sepolicy-analyze out/target/product/<board>/root/sepolicy permissive
 sepolicy-analyze out/target/product/<board>/root/sepolicy booleans
 sepolicy-analyze out/target/product/<board>/root/sepolicy attribute <name>

Change-Id: I09d30967f00062c6a807ae4711ccc87b0fd6064c
2019-05-17 09:57:43 +08:00
Xin Li
3c5d416369 Merge "DO NOT MERGE - Merge pie-platform-release (PPRL.190505.001) into master." 2019-05-17 00:58:10 +00:00
Treehugger Robot
22cade09bf Merge "Ensure avrule is initialized." 2019-05-16 18:50:34 +00:00
Xin Li
d7d639dbdd DO NOT MERGE - Merge pie-platform-release (PPRL.190505.001) into master.
Bug: 132622481
Change-Id: Ia7e5491f115cd49ea5aab7d1add93c73292e326f
2019-05-15 16:55:43 -07:00
TreeHugger Robot
466f763017 Merge "DO NOT MERGE - Merge pi-platform-release (PPRL.190505.001) into stage-aosp-master" into stage-aosp-master 2019-05-15 23:02:15 +00:00
Ryan Savitski
76eabb8c7b atrace.te: allow notifying cameraserver of a change in sysprops
am: 232295e8db

Change-Id: I3cb6bf2fa220cfe97e0810178d452e4e6b7a35a4
2019-05-15 08:47:51 -07:00
Ryan Savitski
232295e8db atrace.te: allow notifying cameraserver of a change in sysprops
This allows the atrace cmd to notify cameraserver (the host of
media.camera service) that the set of tracing-related system properties
have changed. This allows the cameraserver to notice that it might need
to enable its trace events.

The atrace cmd has the necessary permission when running as shell, but
not when it is running as the "atrace" domain (notably when exec'd by
perfetto's traced_probes).

We're adding cameraserver to the whitelist as it contains important
events for investigating the camera stack.

Example denial:
05-14 22:29:43.501  8648  8648 W atrace  : type=1400 audit(0.0:389): avc: denied { call } for scontext=u:r:atrace:s0 tcontext=u:r:cameraserver:s0 tclass=binder permissive=0

Tested: flashed blueline-userdebug, captured a perfetto trace with "camera" atrace category, confirmed that userspace atrace events are included in the trace.
Bug: 130543265
Change-Id: Ifd3fd5fd3a737c7618960343b9f89d3bf7141c94
2019-05-15 00:54:08 +01:00
Nick Kralevich
3396740eb6 Delete ineffective netd neverallow assertion
am: 9fd6a90a4c

Change-Id: Ia126badac9b7f459ab5e23f631ee2bb28460b510
2019-05-14 16:05:07 -07:00
Xin Li
64a0fe3eee DO NOT MERGE - Merge pi-platform-release (PPRL.190505.001) into stage-aosp-master
Bug: 132622481
Change-Id: Iaee0bd41f640b57a58560c01708ba6ce327b46bb
2019-05-14 12:16:13 -07:00
Nick Kralevich
9fd6a90a4c Delete ineffective netd neverallow assertion
It doesn't make sense to write neverallow assertions where an attribute
negation exists allowing the operation. When such a negation exists,
domains can "opt-out" of the neverallow assertion by declaring their
use of the attribute. Such trivially bypassable assertions provide
no security nor architectural guarantees.

"netdomain" is such an attribute. This attribute is used by processes to
indicate that they communicate with the network, for example, using
TCP/UDP sockets. Vendor code is freely allowed to use network
communication by declaring their use of the attribute.

Because the attribute is usable to any vendor domain, the "no socket
connections to netd" restriction is pointless and provides a false sense
of security. Any process can opt-out of these restrictions by just
declaring their use of networking functionality. This also results in
ineffective policy bloat, making it difficult to reason about the policy
and make changes.

Delete the ineffective, misleading neverallow assertion.

Test: compiles
Change-Id: Ia72d9660a337ef811e56c9227af29b17d043b99f
2019-05-14 01:33:55 -07:00
Joel Galenson
44dbfc9c31 Merge "Dontaudit unneeded denials."
am: 62f0e4f9d0

Change-Id: I30893cf5b64ed90d38c84827b47c30f68e75b436
2019-05-13 09:20:13 -07:00
Treehugger Robot
62f0e4f9d0 Merge "Dontaudit unneeded denials." 2019-05-13 15:35:46 +00:00
Maciej enczykowski
765845c7d9 sepolicy - move public clatd to private
am: 44328c061d

Change-Id: Ib6156c7047dee7f20c91654d3efdd3a51a27b46e
2019-05-11 23:56:46 -07:00
Maciej Żenczykowski
44328c061d sepolicy - move public clatd to private
Clatd is effectively an internal implementation detail of netd.
It exists as a separate daemon only because this gives us a better
security boundary.  Netd is it's only launcher (via fork/exec) and
killer.

Generated via:
  { echo; cat public/clatd.te; echo; } >> private/clatd.te
  rm -f public/clatd.te

  plus a minor edit to put coredomain after clatd type declaration
  and required changes to move netd's clatd use out of public into private.

Test: build and install on non-aosp test device, atest, check for selinux clat denials
Change-Id: I80f110b75828f3657986e64650ef9e0f9877a07c
2019-05-11 17:47:25 -07:00
Nicolas Geoffray
37b90c0d14 Merge "Allow system server to lock system files."
am: 8f5436a19a

Change-Id: I4025adb1799fa7c96d06aca0db1c572f64fab136
2019-05-10 09:50:55 -07:00
Nicolas Geoffray
8f5436a19a Merge "Allow system server to lock system files." 2019-05-10 16:34:08 +00:00
Joel Galenson
5d5ac9ad6e Dontaudit unneeded denials.
These denials are intermittent and unnecessary.  Hide them while we
investigate how to properly fix the issue.

Bug: 131096543
Bug: 132093726
Test: Build
Change-Id: I1950c10a93d183c19c510f869419fcfccd5006d2
(cherry picked from commit 654ceeb93f)
2019-05-10 08:14:54 -07:00
Yiwei Zhang
93257b0d61 Allow dumpstate to dumpsys gpu
am: 0051c93e0b

Change-Id: I97926d32185082e1607448e773f83136b014fbfa
2019-05-10 07:40:31 -07:00
Tri Vo
a61c720e15 Merge "priv_app: suppress denials to proc_net"
am: 6c4f6d0f5a

Change-Id: I1fcffa1ed22fd02bf03f1a847da14ba3310dd967
2019-05-10 00:58:22 -07:00
Yiwei Zhang
0051c93e0b Allow dumpstate to dumpsys gpu
Bug: 132402890
Test: adb bugreport and verify dumpsys gpu is included.
Change-Id: Ib145937889f9616a0dcdabb7b58839fb715bf6c3
2019-05-09 23:15:49 -07:00
Tri Vo
6c4f6d0f5a Merge "priv_app: suppress denials to proc_net" 2019-05-10 05:35:19 +00:00
Xin Li
20b1e98c3c [automerger skipped] Merge "DO NOT MERGE - Merge Pie Bonito/Sargo into master."
am: f4c31d3f14 -s ours
am skip reason: subject contains skip directive

Change-Id: I161d19915c84f455eb50137cb962fecfd00e1277
2019-05-09 19:53:59 -07:00
Nicolas Geoffray
db3fde05b5 Allow system server to lock system files.
ART generically locks profile files, and this avoids
special casing the ART code for read-only partitions.

An example on how ART does it:
https://android-review.googlesource.com/c/platform/art/+/958222/3/runtime/jit/jit.cc#731

Bug: 119800099
Test: system server locking a system file, no denial
Change-Id: I4339f19af999d43e07995ddb77478a2384bbe209
2019-05-10 03:00:18 +01:00
Xin Li
1691a7b80e [automerger skipped] DO NOT MERGE - Merge Pie Bonito/Sargo into master.
am: 199072d2be -s ours
am skip reason: subject contains skip directive

Change-Id: Ic2613a41f0bdd2ec1865668ac22bde12fa5ad83f
2019-05-09 16:16:13 -07:00
Tri Vo
e319c03673 priv_app: suppress denials to proc_net
avc: denied { read } for comm="UserFacing3" name="arp" dev="proc"
ino=4026532043 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
app=com.google.android.googlequicksearchbox

Bug: 132376360
Test: m selinux_policy
Change-Id: I6ebe8b6806268f31885026a81ebea0ed15b532d2
2019-05-09 16:14:45 -07:00
Xin Li
f4c31d3f14 Merge "DO NOT MERGE - Merge Pie Bonito/Sargo into master." 2019-05-09 22:05:51 +00:00
Xin Li
199072d2be DO NOT MERGE - Merge Pie Bonito/Sargo into master.
Bug: 131756210
Change-Id: I671e7465545522755b090018c4d9941c72b15008
2019-05-09 09:27:07 -07:00
Maciej Żenczykowski
4fbd081176 Merge "selinux - remove clatd tun creation privs"
am: fbae4d9b35

Change-Id: I63513697bae391f5a4226e964f8d403822998ce9
2019-05-08 18:43:25 -07:00
Stephen Hines
5c081803fc Ensure avrule is initialized.
Bug: http://b/131390872
Test: Builds with -Wconditional-initialize
Change-Id: I14b9316ca392f299745342d61e4fd45ab8e9e307
2019-05-08 17:14:34 -07:00
Maciej Żenczykowski
fbae4d9b35 Merge "selinux - remove clatd tun creation privs" 2019-05-09 00:11:29 +00:00
Hridya Valsaraju
252fae8c15 Merge "Move ro.boot.dynamic_partitions to vendor"
am: 5a883148a0

Change-Id: I6abface2f70338c68968f3450608034687e20e5f
2019-05-08 15:10:00 -07:00
Treehugger Robot
5a883148a0 Merge "Move ro.boot.dynamic_partitions to vendor" 2019-05-08 21:39:26 +00:00
Maciej enczykowski
f1c7d23882 mtp: support using pppox_socket family
am: 8fa5ebdee7

Change-Id: Ic59e960eaf1121cafa224ef4edccd87baf76532c
2019-05-08 06:08:36 -07:00
Maciej Żenczykowski
3e41b297d2 selinux - remove clatd tun creation privs
No longer needed, since this is now done by netd.

In a separate commit so it can potentially not be backported to Q
if we so desire.

Test: build/installed on crosshatch with netd/clatd changes,
  and observed functioning ipv4 on ipv6 only network with no
  avc denials

Bug: 65674744
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id927ee73469d3e90f5111bd5e31ed760a58c8ebe
2019-05-08 10:22:48 +00:00
Maciej Żenczykowski
8fa5ebdee7 mtp: support using pppox_socket family
Kernel commit da69a5306ab92e07224da54aafee8b1dccf024f6
("selinux: support distinctions among all network address families")
modified the kernel to support fine grain differentiation of socket
families, if userspace enables it (which Android does).

Modify the mtp SELinux policy to allow the use of pppox_socket
(needed for kernels 4.14 or greater) and the generic "socket" family
(for kernels below 4.14).

Bug: 130852066
Test: compiles
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I8ac4c2f98f823120060e51438b39254898f4a27e
2019-05-08 01:16:38 -07:00
Hridya Valsaraju
761ce69a25 Move ro.boot.dynamic_partitions to vendor
VTS tests are run after flashing a GSI image on the device.
The properties ro.boot.dynamic_partitions and ro.boot.dynamic_partitions_retrofit
are currently placed in product partition and will be overwritten by the GSI image.
We need to move these properties to vendor partition so that they will be available
even after the device is flashed with GSI.

Bug: 132197773
Test: build and flash, adb getprop ro.boot.dynamic_partitions
Change-Id: Ib04896ef744d8d2daa5cb3feee2cbf45aae2ba51
2019-05-07 16:16:27 -07:00
android-build-team Robot
b8f90dd88f Snap for 5450365 from 3feb8646fe to pi-platform-release
Change-Id: Icbb75c9f25dd427831213396a6b0064cdb83e271
2019-05-07 21:49:04 +00:00
Maciej Żenczykowski
72ec9fca61 Merge "dontaudit su unlabeled:vsock_socket *"
am: 3e034a2270

Change-Id: I5b5b5e345eac439cf1724741dee7b483095d118e
2019-05-06 18:28:58 -07:00
Treehugger Robot
3e034a2270 Merge "dontaudit su unlabeled:vsock_socket *" 2019-05-07 00:36:51 +00:00
Nick Kralevich
9342f02b2f Merge "ppp: support using pppox_socket family"
am: 83dfb08842

Change-Id: Iaebffea043e41102a08817c0389da66c374acce1
2019-05-06 16:10:53 -07:00
Treehugger Robot
83dfb08842 Merge "ppp: support using pppox_socket family" 2019-05-06 22:51:50 +00:00
Jeffrey Vander Stoep
27be220863 Merge "Add mechanism for granting permissions to old vendor images"
am: 38bbf3016d

Change-Id: I7ca34eccd7485316d3d73447e2e7f460fe8865dc
2019-05-06 15:50:27 -07:00
Jeffrey Vander Stoep
38bbf3016d Merge "Add mechanism for granting permissions to old vendor images" 2019-05-06 22:26:19 +00:00
Maciej Żenczykowski
ae68bf23b6 dontaudit su unlabeled:vsock_socket *
Fix for:
  type=1400 audit(): avc: denied { getopt } for comm=73657276657220736F636B6574 scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=vsock_socket
  type=1400 audit(): avc: denied { setopt } for comm=73657276657220736F636B6574 scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=vsock_socket
  type=1400 audit(): avc: denied { read } for comm="adbd" scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=vsock_socket
  type=1400 audit(): avc: denied { write } for comm="adbd" scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=vsock_socket

Test: now less audit warnings!
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I3bd1b2262dc6dcb099403d24611db66aac9aecb0
2019-05-06 14:36:39 -07:00
Nick Kralevich
e9cafb91d2 ppp: support using pppox_socket family
Kernel commit da69a5306ab92e07224da54aafee8b1dccf024f6
("selinux: support distinctions among all network address families")
modified the kernel to support fine grain differentiation of socket
families, if userspace enables it (which Android does).

Modify the ppp SELinux policy to allow the use of pppox_socket
(needed for kernels 4.14 or greater) and the generic "socket" family
(for kernels below 4.14).

Addresses the following denials:

04-19 20:25:34.059 16848 16848 I pppd    : type=1400 audit(0.0:8703): avc: denied { read write } for dsm=HS_Q path="socket:[171178]" dev="sockfs" ino=171178 scontext=u:r:ppp:s0 tcontext=u:r:mtp:s0 tclass=pppox_socket permissive=1
04-19 20:25:34.075 16848 16848 I pppd    : type=1400 audit(0.0:8704): avc: denied { ioctl } for dsm=HS_Q path="socket:[171179]" dev="sockfs" ino=171179 ioctlcmd=0x7437 scontext=u:r:ppp:s0 tcontext=u:r:mtp:s0 tclass=pppox_socket permissive=1

Bug: 130852066
Test: compiles
Change-Id: I00cc07108acaac5f2519ad0093d9db9572e325dc
2019-05-06 12:57:51 -07:00
Jeff Vander Stoep
564e292ae6 Add mechanism for granting permissions to old vendor images
This addresses Treble backwards compat issues introduced in
aosp/793958 and aosp/783669.

Bug: 122874820
Test: build/flash blueline with pi-dev vendor and generic_ab system
    images.
Test: adb pull /sys/fs/selinux/policy;
    sesearch policy --allowx -s vendordomain -t dev_type

Change-Id: Ic2b304472bb88051e03740dc387834056aba641a
2019-05-06 12:32:51 -07:00
Maciej enczykowski
7ee2d312be selinux - allow netd to create tun device and pass it in via open fd across execve to clatd cli
am: 6450e0038b

Change-Id: I9009c266bcfab37d1cd67a762ebc1f9ee9277c01
2019-05-05 17:11:43 -07:00
Maciej Żenczykowski
6450e0038b selinux - allow netd to create tun device and pass it in via open fd across execve to clatd cli
This is needed to resolve some race conditions between clatd startup and interface naming/numbering.

This resolves:
  type=1400 audit(): avc: denied { read write } for comm="Binder:820_4" name="tun" dev="tmpfs" ino=20564 scontext=u:r:netd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file
  type=1400 audit(): avc: denied { open } for comm="Binder:820_4" path="/dev/tun" dev="tmpfs" ino=20564 scontext=u:r:netd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file
  type=1400 audit(): avc: denied { ioctl } for comm="Binder:820_4" path="/dev/tun" dev="tmpfs" ino=20564 ioctlcmd=0x54ca scontext=u:r:netd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file
  type=1400 audit(): avc: denied { create } for comm="Binder:820_4" scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=tun_socket

Test: built/installed on crosshatch with netd->clatd tunfd passing and observed no selinux denials
Bug: 65674744
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ib501c755e11ec8a3a22c8aa333b5af7ec0bff306
2019-05-05 02:55:20 +00:00
Maciej Żenczykowski
59c7ccf0ca Merge "selinux - netd - tighten down bpf policy"
am: b3b12729f4

Change-Id: I85ccddd260f73cccc183ec2a5bbef8c4600add95
2019-05-03 16:24:42 -07:00