Commit graph

15 commits

Author SHA1 Message Date
Alan Stokes
8e8c109350 Installd doesn't need to create cgroup files.
cgroupfs doesn't allow files to be created, so this can't be needed.

Also remove redundant neverallow and dontaudit rules. These are now
more broadly handled by domain.te.

Bug: 74182216

Test: Denials remain silenced.

Change-Id: If7eb0e59f567695d987272a2fd36dbc251516e9f
2018-04-06 12:12:22 +01:00
Alan Stokes
92c149d077 Suppress harmless denials for file creation in cgroupfs.
The kernel generates file creation audits when O_CREAT is passed even
if the file already exists - which it always does in the cgroup cases.

We add neverallow rules to prevent mistakenly allowing unnecessary
create access. We also suppress these denials, which just add noise to
the log, for the more common culprits.

Bug: 72643420
Bug: 74182216

Test: Ran build_policies.sh and checked failures were unrelated.
Test: Device still boots, denials gone.
Change-Id: I034b41ca70da1e73b81fe90090e656f4a3b542dc
2018-03-29 13:51:56 +01:00
Tom Cherry
621c24cbab add vendor_init.te
First pass at adding vendor_init.te

Bug: 62875318
Test: boot sailfish with vendor_init
Change-Id: I35cc9be324075d8baae866d6de4166c37fddac68
2017-10-25 09:21:30 -07:00
Jin Qian
4de505b6fb allow init to run mke2fs tools to format partitions
Test: let fs_mgr format a damaged /data partition
Bug: 35219933
Change-Id: If92352ea7a70780e9d81ab10963d63e16b793792
(cherry picked from commit 5f573ab2aa)
2017-09-11 18:34:10 +00:00
Bowgo Tsai
5846c79e80 Moving adbd from rootdir to system/bin
Bug: 63910933
Test: boot sailfish in normal mode, checks adbd is started
Test: boot sailfish in recovery mode, checks adbd is started
Test: boot bullhead in normal mode, checks adbd is started
Test: boot bullhead in recovery mode, checks adbd is started

Change-Id: I35ed78a15a34626fbd3c21d030e2bf51033f7b79
Merged-In: I35ed78a15a34626fbd3c21d030e2bf51033f7b79
(cherry picked from commit e2423d149b)
2017-08-28 17:38:13 +08:00
Sandeep Patil
e41af20397 Fix coredomain violation for modprobe
modprobe domain was allowed to launch vendor toolbox even if its a
coredomain. That violates the treble separation. Fix that by creating a
separate 'vendor_modprobe' domain that init is allowed to transition to
through vendor_toolbox.

Bug: 37008075
Test: Build and boot sailfish

Change-Id: Ic3331797691bb5d1fdc05a674aa4aa313e1f86b2
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 9e366a0e49)
2017-06-05 08:09:18 -07:00
Sandeep Patil
d46b5d3519 Allow init to run vendor toybox for modprobe
vendor implementations need to be able to run modprobe as part of
init.rc scripts.  They cannot do so because of the strict neverallow
currently in place that disallows all coredomains (including init)
to execute vendor toybox.

Fix this by adding init to the exception list for the neverallow so
vendors can then run modprobe from .rc scripts and also add the rule to
allow init to transition to modprobe domain using vendor_toolbox.

Bug: b/38212864
Test: Boot sailfish

Change-Id: Ib839246954e9002859f3ba986094f206bfead137
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-05-24 15:01:20 -07:00
Howard Chen
f69311300f SELinux changes for Treble Loadable Kernel Module
This change extends the recovery mode modprobe sepolicy
to support loadable kernel module in normal mode by using
statement below in init.rc:

exec u:r:modprobe:s0 -- /system/bin/modprobe \
    -d /vendor/lib/modules mod

Bug: b/35653245
Test: sailfish  with local built kernel and LKM enabled
Change-Id: I827e2ce387c899db3e0e179da92e79c75d61f5ae
(cherry picked from commit b638d9493f)
2017-04-10 20:15:51 +09:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
Jaesoo Lee
d363b0f9eb enabled /sbin/modprobe for recovery mode
This change defines new policy for modprobe (/sbin/modprobe) that should
be used in both recovery and android mode.

Denials:
[   16.986440] c0    437 audit: type=1400 audit(6138546.943:5): avc:
denied  { read } for  pid=437 comm="modprobe" name="modules" dev="proc"
ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1
[   16.986521] c0    437 audit: type=1400 audit(6138546.943:6): avc:
denied  { open } for  pid=437 comm="modprobe" path="/proc/modules"
dev="proc" ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1
[   16.986544] c0    437 audit: type=1400 audit(6138546.943:7): avc:
denied  { getattr } for  pid=437 comm="modprobe" path="/proc/modules"
dev="proc" ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1

Bug: 35633646
Test: Build and tested it works in sailfish recovery. The modprobe is
invoked in init.rc (at the end of 'on init') with following command line

    exec u:r:modprobe:s0 -- /sbin/modprobe -a nilfs2 ftl

Change-Id: Ie70be6f918bea6059f806e2eb38cd48229facafa
2017-03-16 01:19:58 +00:00
Paul Lawrence
e9cb76381c Remove selinux denial
Don't audit directory writes to sysfs since they cannot succees
and therefore cannot be a security issue

Bug: 35303861
Test: Make sure denial is no longer shown
Change-Id: I1f31d35aa01e28e3eb7371b1a75fc4090ea40464
2017-02-13 08:51:33 -08:00
Mark Salyzyn
da62cb4dda logcat: introduce split to logd and logpersist domains
- transition to logpersist from init
- sort some overlapping negative references
- intention is to allow logpersist to be used by vendor
  userdebug logging

Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests
Bug: 30566487
Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
2016-12-20 20:31:03 +00:00
Sandeep Patil
137a13d5f5 healthd: restore healthd sepolicy for charger mode
Test: Boot charge-only and android on sailfish

Bug: https://b/33672744

Change-Id: I6a25e90a716ec0ca46b5ba5edad860aa0eebafef
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 3b25e38410)
2016-12-15 18:17:13 -08:00
Sandeep Patil
dc08245c3f healthd: create SEPolicy for 'charger' and reduce healthd's scope
healthd is being split into 'charger' and 'healthd' processes, that
will never run together. 'charger' is to be run only in charge-only
and recovery, while healthd runs with Android.

While they both share much of battery monitoring code, they both now
have reduced scope. E.g. 'charger', doesn't need to use binder anymore
and healthd doesn't need to do charging ui animation. So, amend the
SEPolicy for healthd to reduce it's scope and add a new one for charger.

Test: Tested all modes {recovery, charger-only, android} with new policy

Change-Id: If7f81875c605f7f07da4d23a313f308b9dde9ce8
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit c73d0022ad)
2016-12-15 18:17:13 -08:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00