Change fb889f23d "Force expand all hal_* attributes" annotated all
hal_* attributes to be expanded to their associated types. However
some of these attributes are used in CTS for neverallow checking.
Mark these attributes to be preserved.
In addition, remove the hacky workaround introduced in oc-dev
for b/62658302 where extraneous neverallow rules were introduced
to prevent unused or negated attributes from being auto-expanded
from policy.
Bug: 62658302
Bug: 63135903
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
android.cts.security.SELinuxNeverallowRulesTest
armeabi-v7a CtsSecurityHostTestCases completed in 4s.
501 passed, 0 failed, 0 not executed
Merged-In: I989def70a16f66e7a18bef1191510793fbe9cb8c
Change-Id: I989def70a16f66e7a18bef1191510793fbe9cb8c
A legitimate call to access(2) is generating a denial. Use the
audit_access permission to suppress the denial on just the access()
call.
avc: denied { write } for name="verified_jars"
scontext=u:r:dexoptanalyzer:s0
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
Bug: 62597207
Test: build policy
Test: The following cmd succeeds but no longer generates a denial
adb shell cmd package compile -r bg-dexopt --secondary-dex \
com.google.android.googlequicksearchbox
Change-Id: I7d03df2754c24c039bce11426bf8f317232f5e5f
Due to the massively increased number of attributes in SELinux policy
as part of the treble changes, we have had to remove attributes from
policy for performance reasons. Unfortunately, some attributes are
required to be in policy to ensure that our neverallow rules are being
properly enforced. Usually this is not a problem, since neverallow rules
indicate that an attribute should be kept, but this is not currently the
case when the attribute is part of a negation in a group.
This is particularly problematic with treble since some attributes may
exist for HALs that have no implementation, and thus no types. In
particular, this has caused an issue with the neverallows added in our
macros. Add an extraneous neverallow rule to each of those auto-generated
neverallow rules to make sure that they are not removed from policy, until
the policy compiler is fixed to avoid this. Also add corresponding rules
for other types which have been removed due to no corresponding rules.
Bug: 62658302
Bug: 62999603
Test: Build Marlin policy.
Test: verify attribute exists in policy using sepolicy-analyze.
sepolicy-analyze $OUT/vendor/etc/selinux/precompiled_sepolicy \
attribute hal_tetheroffload_server
Test: CTS neverallow tests pass.
cts-tradefed run cts -m CtsSecurityHostTestCases -t \
android.cts.security.SELinuxNeverallowRulesTest
Change-Id: I62596ba8198ffdcbb4315df639a834e4becaf249
NOTE: This change is marked dnma because we don't want it on
oc-dr1-dev-plus-aosp or any other downstream branch. Moreover,
oc-dr1-dev-plus-aosp is the only outgoing merger from oc-dr1-dev for
this project.
This reverts commit 11bfcc1e96.
Bug: 62908344
Test: make
Change-Id: Ide61829cf99f15777c46f657a0e140d594f88243
This reverts commit 57e9946fb7.
Bug: 62616897
Test: choosecombo 1 aosp_arm64_ab userdebug; m -j 80 The build should
not break.
Signed-off-by: Sandeep Patil <sspatil@google.com>
The tetheroffload hal must be able to use network sockets as part of
its job.
Bug: 62870833
Test: neverallow-only change builds.
Change-Id: I630b36340796a5ecb5db08e732b0978dd82835c7
Same-process HALs are forbidden except for very specific HALs that have
been provided and whitelisted by AOSP. As a result, a vendor extension
HAL may have a need to be accessed by untrusted_app. This is still
discouraged, and the existing AOSP hwservices are still forbidden, but
remove the blanket prohibition. Also indicate that this is temporary,
and that partners should expect to get exceptions to the rule into AOSP
in the future.
Bug: 62806062
Test: neverallow-only change builds. Verify new attribute is in policy.
Change-Id: I6d3e659147d509a3503c2c9e0b6bb9016cc75832
This is to Allow commands like `adb shell run-as ...`.
Bug: http://b/62358246
Test: run commands manually.
Change-Id: I7bb6c79a6e27ff1224a80c6ddeffb7f27f492bb2
(cherry picked from commit 1847a38b4a)
In libprocessgroup, we want to only send signals once to processes,
particularly for SIGTERM. We must send the signal both to all
processes within a POSIX process group and a cgroup. To ensure that
we do not duplicate the signals being sent, we check the processes in
the cgroup to see if they're in the POSIX process groups that we're
killing. If they are, we skip sending a second signal. This requires
getpgid permissions, hence this SELinux change.
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1
Bug: 37853905
Bug: 62418791
Test: Boot, kill zygote, reboot
Change-Id: Ib6c265dbaac8833c47145ae28fb6594ca8545570
(cherry picked from commit c59eb4d853)
This adds parellel rules to the ones added for media_rw_data_file
to allow apps to access vfat under sdcardfs. This should be reverted
if sdcardfs is modified to alter the secontext it used for access to
the lower filesystem
Change-Id: Idb123206ed2fac3ead88b0c1ed0b66952597ac65
Bug: 62584229
Test: Run android.appsecurity.cts.ExternalStorageHostTest with
an external card formated as vfat
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Due to the massively increased number of attributes in SELinux policy
as part of the treble changes, we have had to remove attributes from
policy for performance reasons. Unfortunately, some attributes are
required to be in policy to ensure that our neverallow rules are being
properly enforced. Usually this is not a problem, since neverallow rules
indicate that an attribute should be kept, but this is not currently the
case when the attribute is part of a negation in a group.
This is particularly problematic with treble since some attributes may
exist for HALs that have no implementation, and thus no types. In
particular, this has caused an issue with the neverallows added in our
macros. Add an extraneous neverallow rule to each of those auto-generated
neverallow rules to make sure that they are not removed from policy, until
the policy compiler is fixed to avoid this. Also add corresponding rules
for other types which have been removed due to no corresponding rules.
Bug: 62591065
Bug: 62658302
Test: Attributes present in policy and CTS passes. sepolicy-analyze also
works on platform-only policy.
Change-Id: Ic3fc034cdbd04a94167f8240cf562297e8d7c762
CTS checks to make sure that the _contexts files on a device have
a superset of the AOSP entries. This was removed due to concurrent
master and DR development. Restore the entry to allow CTS to pass.
Bug: 38241921
Bug: 62348859
Test: Policy builds and is identical to oc-dev for prop ctxts.
Change-Id: I87ccbee7aadee57b8e46ede73280810362b618c0
Now that we're expected to use this when taking traces, we need to add
this permission so that Traceur can also access this file.
Test: Used Traceur and saw the traces appear in the bugreports
directory, as expected.
Bug: 62493544
Change-Id: Ib4304176abbb51e2e3b45c566ff14574e1cfaa82
Merged-In: I464b0df30fabfc5f1c7cd7430e53e8d04bfacb53
(this merged-in is not the same change; it's a conflicting change in
master)
This will prevent us from breaking our own neverallow rules
in the platform sepolicy regardless of vendor policy adding
exceptions to the neverallow rules using "*_violators" attributes
Bug: 62616897
Bug: 62343727
Test: Build policy for sailfish
Test: Build policy with radio to rild socket rule enabled for all
and ensure the build fails
Change-Id: Ic66ec3e10c76a7c9a17669e0d3deb3a1c7b00809
Signed-off-by: Sandeep Patil <sspatil@google.com>
This violates the socket comms ban between coredomain (radio) and
non coredomain (rild) in the platform policy.
Bug: 62616897
Bug: 62343727
Test: Build and boot sailfish
Change-Id: I48303bbd8b6eb62c120a551d0f584b9733fc2d43
Signed-off-by: Sandeep Patil <sspatil@google.com>
[ 7.674739] selinux: selinux_android_file_context: Error getting
file context handle (No such file or directory)
Bug: 62564629
Test: build and flash marlin. Successfully switch between regular
and recovery modes
Change-Id: I0f871f8842d95322c844fb7b13ad1b4b42578e35
This change is primarily to fix CTS which checks file ordering of
file_contexts. Having two separate means of loading file_contexts
has resulted in ordering variations.
Previously the binary file_contexts was preferred since it
loaded faster. However with the move to libpcre2, there is no
difference in loading time between text and binary file_contexts.
This leaves us with build system complexity with no benefit.
Thus removing this unnecessary difference between devices.
Bug: 38502071
Test: build and boot non-Treble Bullhead, run CTS tests below
Test: build and boot Treble Marlin, run CTS tests below
Test: cts-tradefed run singleCommand cts --skip-device-info \
--skip-preconditions --skip-connectivity-check --abi arm64-v8a \
--module CtsSecurityHostTestCases \
-t android.security.cts.SELinuxHostTest#testAospFileContexts
Test: cts-tradefed run singleCommand cts --skip-device-info \
--skip-preconditions --skip-connectivity-check --abi arm64-v8a \
--module CtsSecurityHostTestCases \
-t android.security.cts.SELinuxHostTest#testValidFileContexts
Change-Id: I088b3aeafaaab320f6658feb058a1fb89cbb65e1
This change is primarily to fix CTS which checks file ordering of
file_contexts. Having two separate means of loading file_contexts
has resulted in ordering variations.
Previously the binary file_contexts was preferred since it
loaded faster. However with the move to libpcre2, there is no
difference in loading time between text and binary file_contexts.
This leaves us with build system complexity with no benefit.
Thus removing this unnecessary difference between devices.
Bug: 38502071
Test: build and boot non-Treble Bullhead, run CTS tests below
Test: build and boot Treble Marlin, run CTS tests below
Test: cts-tradefed run singleCommand cts --skip-device-info \
--skip-preconditions --skip-connectivity-check --abi arm64-v8a \
--module CtsSecurityHostTestCases \
-t android.security.cts.SELinuxHostTest#testAospFileContexts
Test: cts-tradefed run singleCommand cts --skip-device-info \
--skip-preconditions --skip-connectivity-check --abi arm64-v8a \
--module CtsSecurityHostTestCases \
-t android.security.cts.SELinuxHostTest#testValidFileContexts
Change-Id: I088b3aeafaaab320f6658feb058a1fb89cbb65e1
This reverts commit c147b592b8.
The new domain changed neverallows, breaking CTS compatability.
Revert the domain now, with the intention to re-add for the next
release.
Bug: 62102757
Test: domain is set to priv_app
Change-Id: I907ff7c513cd642a306e3eaed3937352ced90005
