Commit graph

8145 commits

Author SHA1 Message Date
Alex Klyubin
e392020b34 Clarify what determines precedence rules in seapp_contexts
Test: It's a comment -- no impact on build
Change-Id: Ibd7ff0dcd9d4c3d526ca20ab35dd4bac70d14f0a
2016-12-19 11:07:53 -08:00
Allen Hair
2328fec710 Add coverage service.
Bug: 31077138
Test: Device boots, coverage service works when tested manually.
Change-Id: Ia855cfefd5c25be5d1d8db48908c04b3616b5504
2016-12-19 11:04:33 -08:00
Nick Kralevich
92ade7480f init.te: fixup stale comment
init switch from a setcon() based transition to an exec() based
transition in bug 19702273. Fixup stale comment.

Test: comment only change. Policy compiles.
Bug: 19702273
Change-Id: I6e1b4b3680193453adafa8952a7ea343d2977505
2016-12-17 09:18:18 -08:00
Sandeep Patil
c82cf89f5f hal_health: express the sepolicy as attribute
Bug: http://b/32905206

Test: Boot sailfish and no new selinux failures observed in logs

Change-Id: Id9a46180074a61f8cf8d176a7b2ebc995a13b9f9
Signed-off-by: Sandeep Patil <sspatil@google.com>
2016-12-17 16:17:36 +00:00
Jeff Sharkey
1157e733af Merge "Allow installd to measure size of dexopt links." 2016-12-17 04:38:22 +00:00
Daniel Cashman
c81c44a8e5 Merge "Revert "Move sepolicy and recovery from on-device tree and add dependency."" 2016-12-17 00:59:43 +00:00
Daniel Cashman
65d01349a0 Revert "Move sepolicy and recovery from on-device tree and add dependency."
This reverts commit cf5c6ecb93.

Change-Id: Ie86a6ac20ab5a1611efc0e167c0430eb9df9482e
2016-12-17 00:53:26 +00:00
Treehugger Robot
2d4d8842e7 Merge "Move sepolicy and recovery from on-device tree and add dependency." 2016-12-17 00:17:13 +00:00
Treehugger Robot
16df99bdf6 Merge "Remove 'net_admin' capability from healthd" 2016-12-16 22:49:19 +00:00
Dan Cashman
cf5c6ecb93 Move sepolicy and recovery from on-device tree and add dependency.
Prevent sepolicy and sepolicy.recover from showing up in the root
filesystem when they will not be created as part of it.  Also make
sure both are added as dependencies to version_policy to ensure the
neverallow checks are run.

Bug: 31363362
Test: Builds and boots, including recovery, without additional
  denials.  Neverallow violations still caught at build time.

Change-Id: I39e3cbc150551c9316952523927d057538cd00a7
2016-12-16 14:29:59 -08:00
Jeff Sharkey
86c76890de Allow installd to measure size of dexopt links.
avc: denied { getattr } for path="/data/dalvik-cache/arm64/system@framework@boot-core-libart.oat" dev="sda35" ino=1581062 scontext=u:r:installd:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=lnk_file permissive=0

Test: builds, boots, quota stats match manual stats
Bug: 27948817
Change-Id: I65fb581a4732e03c46ac705f6693080c5f3be184
2016-12-16 15:05:03 -07:00
Treehugger Robot
d1499e3254 Merge "Switch recovery to versioned policy and split into components." 2016-12-16 19:55:37 +00:00
Sandeep Patil
18410d1a32 Remove 'net_admin' capability from healthd
Bug: https://b/32733887

Change-Id: Ie22756509b53b6e78a95c5a7763b48773cd52fd7
Signed-off-by: Sandeep Patil <sspatil@google.com>
2016-12-16 11:45:22 -08:00
Steven Moreland
d86a30a273 Add hal_dumpstate attribute.
- Also allow dumpstate to talk to hal_dumpstate.

Bug: 31982882
Test: compiles
Change-Id: Ib9cf0027ee7e71fa40b9ccc29fc8dccea6977e5c
2016-12-16 10:48:32 -08:00
Dan Cashman
1c04027795 Switch recovery to versioned policy and split into components.
And do some clean up:
Replace LOCAL_TARGET_ARCH with global arch specifier that won't get
clobbered, clean up sepolicy.recovery's eng specification, ensure that
build macros are applied across all policy generation, not just
plat_policy, and make sure that all private variables are cleared and
alphabetized at the end.

Bug: 31363362
Bug: 31369363
Test: Boot into recovery and observe no selinux denials.
Change-Id: Ibc15b097f6d19acf01f6b22bee0e083b15f4ef75
2016-12-16 10:19:17 -08:00
Sandeep Patil
137a13d5f5 healthd: restore healthd sepolicy for charger mode
Test: Boot charge-only and android on sailfish

Bug: https://b/33672744

Change-Id: I6a25e90a716ec0ca46b5ba5edad860aa0eebafef
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 3b25e38410)
2016-12-15 18:17:13 -08:00
Sandeep Patil
60e8886c1f health: add sepolicy for health hal service
Test: tested with default health HAL on angler running as service.
Bug: b/32754732

Change-Id: Ie0b70d43cb23cd0878e1b7b99b9bebdbd70d17c7
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit ef62fd9159)
2016-12-15 18:17:13 -08:00
Sandeep Patil
82467a9561 health: allow rules for passthrough health HAL
- allows binder calls to hwservicemanager
- allows healthd to read system_file for passthrough HAL

Test: Tested healthd with and without a board specific health HAL on
Angler.

Bug: b/32724915

Change-Id: Icf621859f715cb44bce5d8d3b60320ef495d1543
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 32cacb42b9)
2016-12-15 18:17:13 -08:00
Sandeep Patil
dc08245c3f healthd: create SEPolicy for 'charger' and reduce healthd's scope
healthd is being split into 'charger' and 'healthd' processes, that
will never run together. 'charger' is to be run only in charge-only
and recovery, while healthd runs with Android.

While they both share much of battery monitoring code, they both now
have reduced scope. E.g. 'charger', doesn't need to use binder anymore
and healthd doesn't need to do charging ui animation. So, amend the
SEPolicy for healthd to reduce it's scope and add a new one for charger.

Test: Tested all modes {recovery, charger-only, android} with new policy

Change-Id: If7f81875c605f7f07da4d23a313f308b9dde9ce8
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit c73d0022ad)
2016-12-15 18:17:13 -08:00
Jeff Sharkey
59cd88e262 Merge "Allow installd to get/set filesystem quotas." 2016-12-15 22:32:44 +00:00
Glen Kuhne
9147a23835 hwbinder_use: allow for hwservicemanager callbacks.
In order for hal clients to use IServiceManager::registerForNotifications,
the hwservicemanager needs to be able to call into client processes.

Test: WIP
Bug: 33383725
Change-Id: I59470e9cd5cbeafda010fedc0b91eeb41280e0a1
2016-12-15 14:17:27 -08:00
Jeff Sharkey
fe1de04626 Allow installd to get/set filesystem quotas.
To support upcoming disk usage calculation optimizations, this change
grants installd access to work with filesystem quotas.

avc: denied { search } for name="block" dev="tmpfs" ino=15279 scontext=u:r:installd:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0
avc: denied { sys_admin } for capability=21 scontext=u:r:installd:s0 tcontext=u:r:installd:s0 tclass=capability permissive=1
avc: denied { quotaget } for scontext=u:r:installd:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=1

Test: builds
Bug: 27948817
Change-Id: Ic166e8ced30e15ce84223576729888a824037691
2016-12-15 13:50:49 -07:00
Treehugger Robot
a24fae4f87 Merge "Split mac_permissions.xml into plat and non-plat components." 2016-12-15 20:13:28 +00:00
dcashman
90b3b94897 Split mac_permissions.xml into plat and non-plat components.
Bug: 31363362
Test: Bullhead and Sailfish both build and boot w/out new denials.
Change-Id: If6a451ddaab8c9b78a618c49b116a7ed766d0710
2016-12-15 10:20:35 -08:00
Treehugger Robot
62f0b8ea0e Merge "Enforce assumptions around metadata_block_device" 2016-12-15 18:14:12 +00:00
Steven Moreland
5b8d87b239 Merge "All hal policies expressed as attributes." 2016-12-15 17:10:26 +00:00
Nick Kralevich
5207ca6af4 Enforce assumptions around metadata_block_device
Add a compile time assertion that only authorized SELinux domains are
allowed to touch the metadata_block_device. This domain may be wiped at
will, and we want to ensure that we're not inadvertently destroying
other people's data.

Test: policy compiles.
Change-Id: I9854b527c3d83e17f717d6cc8a1c6b50e0e373b6
2016-12-15 08:28:38 -08:00
Chad Brubaker
0046853f66 Merge "Allow binder IPC between ephemeral app and appdomain" 2016-12-15 00:04:44 +00:00
Nick Kralevich
bb9a388840 Assign a label to the ro.boottime.* properties
system/core commit 331cf2fb7c16b5b25064f8d2f00284105a9b413f created a
number of new properties of the form:

  [ro.boottime.init]: [5294587604]
  [ro.boottime.InputEventFind]: [10278767840]
  [ro.boottime.adbd]: [8359267180]
  ...

These properties were assigned the default_prop SELinux label because a
better label did not exist. Properties labeled with the default_prop
label are readable to any SELinux domain, which is overly broad.

  bullhead:/ $ getprop -Z ro.boottime.adbd
  u:object_r:default_prop:s0

Instead, create a new label for the ro.boottime.* properties so we can
apply more fine grain read access control to these properties.

  bullhead:/ $ getprop -Z ro.boottime.adbd
  u:object_r:boottime_prop:s0

New SELinux property labels have minimal permissions by default. As a
result, after this change, ro.boottime.* properties will only be
readable to system_server, bootstat, init (because it manages the property
space), and "adb root" (because no SELinux permissions are enforced there).

Additional read access can be granted as-needed.

This is part of a larger effort to implement fine-grain access control
on the properties managed by init.

Test: Device boots and no SELinux denials on boot.
Change-Id: Ibf981cb81898f4356fdc5c1b6f15dd93c0d6d84d
2016-12-14 13:45:01 -08:00
Chad Brubaker
641d5d8f9b Allow binder IPC between ephemeral app and appdomain
Address denial type=1400 audit(0.0:42): avc: denied { call } for
scontext=u:r:untrusted_app:s0:c512,c768
tcontext=u:r:ephemeral_app:s0:c207,c258,c512,c768 tclass=binder

Test: Above denial no longer happens
Change-Id: I351269ee4671cfd51c981d3db5d0f3944d14e702
2016-12-14 21:06:57 +00:00
Treehugger Robot
d57dd813a2 Merge "Do not allow new additions to core_property_type" 2016-12-14 02:22:40 +00:00
Steven Moreland
29eed9faea All hal policies expressed as attributes.
Bug: 32123421
Bug: 32905206

Test: compiles, nfc works
Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d
2016-12-13 17:18:27 -08:00
Nick Kralevich
d310df20bd Do not allow new additions to core_property_type
core_property_type is an attribute which was given to all existing
properties known to core SELinux policy. Any property with this label is
readable to all SELinux domains, which is overly broad. The long term
goal is to remove the core_property_type attribute entirely.

Add a neverallow rule prohibiting the introduction of new properties
with the core_property_type attribute. Device specific properties, or
new properties in core SELinux policy, should not have this attribute.

Test: policy compiles
Change-Id: Ie89a9f0d81c8561616001ff8451496ce2278dbb2
2016-12-13 16:02:39 -08:00
Max
16c889c51f Removing file system remount permission from vold
There is no reason for vold to have this permission, and a proper
auditallow rule has been used and monitored to ensure that nothing on
android uses this permission.

Bug: 26901147

Test: Phone boots
Change-Id: Id36ed2722348f433fe3d046a3429066338230fec
2016-12-13 15:37:33 -08:00
Connor O'Brien
a95c52e347 Add sepolicy for consumerir HIDL HAL
Test: logging confirms service runs on boot
Change-Id: If86fa7daf4a626b3e04fa0d2677d4cb590eb71ce
Signed-off-by: Connor O'Brien <connoro@google.com>
2016-12-13 15:23:13 -08:00
Treehugger Robot
1282df7c7a Merge "Split policy for on-device compilation." 2016-12-13 23:03:50 +00:00
dcashman
1faa644c81 Split policy for on-device compilation.
Simulate platform and non-platform split by sending the split files to the
device to be compiled by init.

Bug: 31363362
Test: Policy builds on-device and boots.  sediff shows no difference.
Change-Id: I9627d1c66ca37786d97a049666278a4992ad7579
2016-12-13 10:06:12 -08:00
Jeff Sharkey
52da39d9a4 Partially revert "mediaprovider" SELinux domain.
The new domain wasn't fully tested, and it caused many regressions
on the daily build.  Revert back to using "priv_app" domain until we
can fully test and re-land the new domain.

Temporarily add the USB functionfs capabilities to priv_app domain
to keep remainder of MtpService changes working; 33574909 is tracking
removing that from the priv_app domain.

Test: builds, boots, verified UI and downloads
Bug: 33569176, 33568261, 33574909
Change-Id: I1bd0561d52870df0fe488e59ae8307b89978a9cb
2016-12-13 09:34:03 -07:00
Treehugger Robot
0a80782877 Merge changes I1a468e7c,I4d0d8896
* changes:
  hal_wifi: Allow HAL to reload wifi firmware
  hal_wifi: Allow system_server to access wifi HIDL services
2016-12-13 00:32:42 +00:00
Jerry Zhang
35aa81ad51 Merge "Move MediaProvider to its own domain, add new MtpServer permissions" 2016-12-13 00:12:04 +00:00
Daniel Rosenberg
02bf4aad9f isolated_app.te: Give permissions for using sdcardfs
Sdcardfs does not use a userspace daemon, so the secontext
is currently the caller's when accessing files. This can be
removed if sdcardfs is modified to change the secontext before
calling into the lower filesystem.

Bug: 32735101
Test: Run any app that falls under isolated_app.
Test: See bug for example
Change-Id: I9433aa0f14ff0d5a518249079e07f57e55b09bcf
2016-12-12 13:16:24 -08:00
Jerry Zhang
f921dd9cad Move MediaProvider to its own domain, add new MtpServer permissions
Also move necessary priv_app permissions into MediaProvider domain and
remove MediaProvider specific permissions from priv_app.

The new MtpServer permissions fix the following denials:

avc: denied { write } for comm=6D747020666673206F70656E name="ep0" dev="functionfs" ino=12326 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1

denial from setting property sys.usb.ffs.mtp.ready, context priv_app

Bug: 30976142
Test: Manual, verify permissions are allowed
Change-Id: I4e66c5a8b36be21cdb726b5d00c1ec99c54a4aa4
2016-12-12 11:05:33 -08:00
Roshan Pius
85e3e7d6e1 hal_wifi: Allow HAL to reload wifi firmware
Need write permissions on the specified sysfs path for reloading
firmware.

Denials:
01-21 23:39:01.650  4669  4669 W android.hardwar: type=1400
audit(0.0:103): avc: denied { write } for name="fwpath" dev="sysfs"
ino=6847 scontext=u:r:hal_wifi:s0
tcontext=u:object_r:sysfs_wlan_fwpath:s0 tclass=file permissive=0
01-21 23:39:01.653  4669  4669 E android.hardware.wifi@1.0-service:
Failed to open wlan fw path param: Permission denied

Bug: 32018162
Test: Denials no longer present in the logs.
Change-Id: I1a468e7c2a2a4360a2b61f04f1940471d52d0dd6
2016-12-12 10:40:18 -08:00
Roshan Pius
02ed21e851 hal_wifi: Allow system_server to access wifi HIDL services
We're going to be using Android framework directly to invoke Wifi HIDL
calls. So, change permissions appropriately.

Bug: 33398154
Test: Verfied that framework is able to make HIDL calls using
go/aog/310610.

Change-Id: I4d0d88961753ad73f3876aec58b26b89486cc02a
2016-12-12 10:40:14 -08:00
Treehugger Robot
9f1e2b53fb Merge "Block files without trailing newlines" 2016-12-12 18:09:52 +00:00
Treehugger Robot
cd55e8ef51 Merge "debuggerd.te: remove domain_deprecated" 2016-12-12 16:40:45 +00:00
Treehugger Robot
2f38ac75fa Merge "remove more domain_deprecated" 2016-12-12 16:32:21 +00:00
Treehugger Robot
294d1db44d Merge "Move hci_attach to hikey" 2016-12-12 16:31:34 +00:00
Nick Kralevich
16b7f0a14c Block files without trailing newlines
Add a pre-submit check to ensure that files have a newline character at
the end.

Please see https://android.googlesource.com/platform/tools/repohooks/
for documentation on how PREUPLOAD hooks work.

Test: created a change and watched the presubmit check reject it.
Change-Id: Id0528cb1bd6fa9c4483ba43720839832f4fec34d
2016-12-12 08:18:01 -08:00
Jeff Sharkey
cb4f5b3c5d Merge "installd has moved on to Binder; goodbye socket!" 2016-12-10 22:54:52 +00:00