Commit graph

8145 commits

Author SHA1 Message Date
Nick Kralevich
4394b2c0a6 Move hci_attach to hikey
This is unused by core policy and by any device policy except for hikey.

Test: device boots
Test: no denials ever collected
Change-Id: I36a6790499e4aeedd808457b43fd72370fa48e53
2016-12-09 22:17:18 -08:00
Nick Kralevich
b56e6ef894 Whitespace fix
Because I'm nitpicky.

Test: policy compiles
Change-Id: I4d886d0d6182d29d7b260cf1f142c47cd32eda29
2016-12-09 20:14:31 -08:00
Nick Kralevich
6a259ccd9d remove more domain_deprecated
Test: no denials showing up in log collection
Test: device boots
Bug: 28760354
Change-Id: I089cfcf486464952fcbb52cce9f6152caf662c23
2016-12-09 19:57:43 -08:00
Nick Kralevich
30603f1ed9 debuggerd.te: remove domain_deprecated
Remove domain_deprecated and add denials picked up by log collection.

Addresses the following auditallow messages:

  avc: granted { search } for comm="debuggerd" name="arm" dev="sda35"
  ino=57521 scontext=u:r:debuggerd:s0
  tcontext=u:object_r:apk_data_file:s0 tclass=dir

  avc: granted { read } for comm="debuggerd"
  path="/data/app/dji.pilot-Z6Q2X6YjYNN2Ag8otZTCdg==/lib/arm/libtpnsWatchdog.so"
  dev="sda35" ino=57854 scontext=u:r:debuggerd:s0
  tcontext=u:object_r:apk_data_file:s0 tclass=file

  avc: granted { getattr } for comm="debuggerd64"
  path="/data/app/com.google.android.youtube-2/lib/arm64/libcronet.so"
  dev="sda35" ino=1384657 scontext=u:r:debuggerd:s0
  tcontext=u:object_r:apk_data_file:s0 tclass=file

  avc: granted { read open } for comm="debuggerd"
  path="/data/app/dji.pilot-We9wJivxEqhzfdtQrNFvaA==/lib/arm/libtpnsWatchdog.so"
  dev="sda35" ino=57575 scontext=u:r:debuggerd:s0
  tcontext=u:object_r:apk_data_file:s0 tclass=file

Bug: 28760354
Test: Device boots
Test: No unexpected denials in denial collection logs.
Change-Id: I1ae6203e37ddd4a19551d8063d26071ac20f2f3e
2016-12-09 19:17:16 -08:00
Jeff Sharkey
8b1d45201d installd has moved on to Binder; goodbye socket!
After a series of recent commits, installd has fully migrated over
to Binder, and all socket-based communication has been removed.

Test: builds, boots, apps install fine, pre-OTA dexopt works
Bug: 13758960, 30944031
Change-Id: Ia67b6260de58240d057c99b1bbd782b44376dfb5
2016-12-09 15:39:37 -07:00
dcashman
3e8dbf01ef Restore app_domain macro and move to private use.
app_domain was split up in commit: 2e00e6373f to
enable compilation by hiding type_transition rules from public policy.  These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware.  Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.

(cherry-pick of commit: 76035ea019)

Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
2016-12-08 14:42:43 -08:00
Treehugger Robot
f016fc1109 Merge "Add TCSETS to unpriv_tty_ioctls" 2016-12-08 01:59:36 +00:00
Treehugger Robot
0f80443103 Merge "priv_app.te: Drop auditallow app_data_file:file execute" 2016-12-08 00:04:18 +00:00
Nick Kralevich
240f50e8b3 Add TCSETS to unpriv_tty_ioctls
Addresses the following denial:

avc: denied { ioctl } for comm="top" path="/dev/pts/0" dev="devpts"
ino=3 ioctlcmd=5402 scontext=u:r:shell:s0 tcontext=u:object_r:devpts:s0
tclass=chr_file permissive=0

Bug: 33073072
Bug: 7530569
Test: policy compiles.
Change-Id: If9178d29f2295be46bb118df00ebf73a6ebc9f81
2016-12-07 15:59:34 -08:00
Treehugger Robot
a040aa129d Merge "Restore checkfc and neverallow checks." 2016-12-07 23:02:59 +00:00
Nick Kralevich
57475e5e93 priv_app.te: Drop auditallow app_data_file:file execute
This functionality is being used by priv_apps shipped as part of
Android. Don't drop execute_no_trans as we haven't seen any denials here
yet.

Addresses the following auditallow messages:

avc: granted { execute } for comm="GELServices-0"
path="/data/data/com.google.android.googlequicksearchbox/files/velour/dex_cache/Ji1opKyKASKEOKNQUu1QyWw_1.jar/Ji1opKyKASKEOKNQUu1QyWw_1.dex"
dev="dm-2" ino=1196939 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

avc: granted { execute } for comm="CTION_IDLE_MODE"
path="/data/data/com.google.android.gms/snet/dalvik-cache/snet.dex"
dev="dm-2" ino=1114262 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

avc: granted { execute } for comm="lowpool[3]"
path="/data/data/com.google.android.gms/files/libAppDataSearchExt_arm64_v8a.so"
dev="dm-2" ino=1688320 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

avc: granted { execute } for comm="Binder:9196_2"
path="/data/data/com.google.android.gms/app_dg_cache/1FECE961A655634046D6AB5E18FE6F74212FBEA6/lib/libdC14BB7282EA1.so"
dev="dm-2" ino=1893474 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

avc: granted { execute } for comm="Binder:13170_1"
path="/data/data/com.google.android.gms/app_fb/f.dex" dev="dm-2"
ino=1810720 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

Test: policy compiles.
Change-Id: I63358697b07c8f620b999e666791f4f385bab776
2016-12-07 13:41:11 -08:00
dcashman
0779155805 Restore checkfc and neverallow checks.
Bug: 33388095
Test: Builds and boots.
Change-Id: Ief9064a16fc733bed54eb76f509ff5aaf5db4baf
2016-12-07 11:27:47 -08:00
Treehugger Robot
23fdf03cf2 Merge "Allow webview_zygote to read/execute installed APKs." 2016-12-07 16:56:08 +00:00
Daniel Rosenberg
2a0053b223 Move sdcardfs media_rw_data_file rules to app.te
Test: No media_rw_data_file related app denials
Change-Id: I1a977db09379f9a3e5bc52c597df12f52929ad19
2016-12-06 19:50:21 -08:00
dcashman
0c8ad1dc94 Fix build.
Make all platform tyeps public to start to prevent build breakage in any devices
that may have device-specific policy using these types.  Future changes will
need to be carefully made to ensure we properly limit types for use by
non-platform policy.

Test: Builds
Change-Id: I7349940d5b5a57357bc7c16f66925dee1d030eb6
2016-12-06 16:49:25 -08:00
Bill Yi
e082cdb559 Merge remote-tracking branch 'goog/stage-aosp-master' into HEAD 2016-12-06 15:07:48 -08:00
Torne (Richard Coles)
7256f369e9 Allow webview_zygote to read/execute installed APKs.
webview_zygote needs to preload the WebView implementation, which may be
an installed APK, so must be able to read and execute code from inside
the APK.

Also add additional neverallow assertions to strengthen some
restrictions on this domain.

Test: WebView apps work after installing a WebView APK.
Bug: 21643067
Change-Id: I58aedc5e0a25259e2e20c70d4260579a354b6789
2016-12-06 18:14:46 +00:00
dcashman
2e00e6373f sepolicy: add version_policy tool and version non-platform policy.
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-12-06 08:56:02 -08:00
Jeff Sharkey
0fd68b7736 Merge "Rules for new installd Binder interface."
am: fed665edca

Change-Id: I0d6037fb73845cc012609d769b8a0bb009536848
2016-12-06 00:24:14 +00:00
Jeff Sharkey
fed665edca Merge "Rules for new installd Binder interface." 2016-12-06 00:14:54 +00:00
Nick Kralevich
38cd0764df Prevent ptrace of logd on user builds
am: cb5f4a3dd8

Change-Id: I5b019efd007c4037757ea9940a629876733186bd
2016-12-06 00:14:17 +00:00
Jeff Sharkey
e160d14ed1 Rules for new installd Binder interface.
Most of this CL mirrors what we've already done for the "netd" Binder
interface, while sorting a few lists alphabetically.

Migrating installd to Binder will allow us to get rid of one of
the few lingering text-based command protocols, improving system
maintainability and security.

Test: builds, boots
Bug: 13758960, 30944031
Change-Id: I59b89f916fd12e22f9813ace6673be38314c97b7
2016-12-05 15:15:42 -07:00
Nick Kralevich
cb5f4a3dd8 Prevent ptrace of logd on user builds
system/core commit 6a70ded7bfa8914aaa3dc25630ff2713ae893f80 (later
amended by 107e29ac1b1c297a0d4ee35c4978e79f47013e2c indicated that logd
doesn't want it's memory accessible by anyone else. Unfortunately,
setting DUMPABLE isn't sufficient against a root level process such with
ptrace. Only one such process exists, "debuggerd".

Block debuggerd from accessing logd's memory on user builds. Userdebug
and eng builds are unaffected.  Add a neverallow rule (compile time
assertion + CTS test) to prevent regressions.

Bug: 32450474
Test: Policy compiles.
Change-Id: Ie90850cd91846a43adaa0871d239f894a0c94d38
2016-12-05 14:07:32 -08:00
Nick Kralevich
7fb7102b40 Merge "Revert "ueventd.te: auditallow device:chr_file""
am: 8ee06cc44f

Change-Id: I870f2084bd6f483c8e1537a73259e0d0a45f3a07
2016-12-05 17:35:23 +00:00
Nick Kralevich
8ee06cc44f Merge "Revert "ueventd.te: auditallow device:chr_file"" 2016-12-05 17:30:23 +00:00
Nick Kralevich
e78fa1bf37 Revert "ueventd.te: auditallow device:chr_file"
Broke the dragon build:

libsepol.report_failure: neverallow on line 304 of system/sepolicy/public/domain.te (or line 8638 of policy.conf) violated by allow kernel device:chr_file { create setattr };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy

This reverts commit ed0b4eb366.

Change-Id: I5d55ab59ed72ce7c19a10ddbb374f9f3b3fae4fd
2016-12-05 17:29:25 +00:00
Nick Kralevich
887f026beb Merge "ueventd.te: auditallow device:chr_file"
am: 4868f377fa

Change-Id: I3c57e833dd736ac87718d9e95e0a02e3048de979
2016-12-05 16:46:21 +00:00
Treehugger Robot
4868f377fa Merge "ueventd.te: auditallow device:chr_file" 2016-12-05 16:41:25 +00:00
Robert Sesek
6774088baa Merge "Allow webview_zygote to stat /sys/kernel/debug/tracing/trace_marker."
am: 2c222c1e3f

Change-Id: I89d6c56ce6d29dfb184f9eb95aaaa49909e25b44
2016-12-05 16:34:20 +00:00
Treehugger Robot
2c222c1e3f Merge "Allow webview_zygote to stat /sys/kernel/debug/tracing/trace_marker." 2016-12-05 16:30:25 +00:00
Nick Kralevich
ed0b4eb366 ueventd.te: auditallow device:chr_file
By default, files created in /dev are labeled with the "device" label
unless a different label has been assigned. The direct use of this
generic label is discouraged (and in many cases neverallowed) because
rules involving this label tend to be overly broad and permissive.

Today, generically labeled character devices can only be opened, read,
or written to by init and ueventd.

  $ sesearch --allow -t device -c chr_file -p open,read,write out/target/product/marlin/root/sepolicy
  allow init device:chr_file { setattr read lock getattr write ioctl open append };
  allow ueventd device:chr_file { read lock getattr write ioctl open append };

this is enforced by the following SELinux neverallow rule (compile time
assertion + CTS test):

  neverallow { domain -init -ueventd } device:chr_file { open read write };

Start auditallowing ueventd access to /dev character device files with the
default SELinux label. This doesn't appear to be used, but let's prove it.
While ueventd is expected to create files in /dev, it has no need to open
most of the files it creates.

Note, however, that because ueventd has mknod + setfscreate permissions,
a malicious or compromised ueventd can always create a device node under
an incorrect label, and gain access that way.

The goal of this change is to prove that no process other than init are
accessing generically labeled files in /dev.

While I'm here, tighten up the compile time assertion for
device:chr_file to include more permissions.

Test: policy compiles + device boots with no granted messages.
Change-Id: Ic98b0ddc631b49b09e58698d9f40738ccedd1fd0
2016-12-05 14:22:18 +00:00
Daniel Micay
5fa3dd0608 Merge "auditallow priv_app app_data_file execution"
am: a24d7f5392

Change-Id: Ia27cb54e53bbd755adaf588fb4bb2f948ba3d255
2016-12-05 05:58:44 +00:00
Treehugger Robot
a24d7f5392 Merge "auditallow priv_app app_data_file execution" 2016-12-05 05:53:36 +00:00
Max
45c41f35ad /dev/port does not seem to be used, adding in rules to confirm.
am: c27c23fbdb

Change-Id: I28f0ec1eac5fa78ca1268089954c190c0e38b188
2016-12-05 02:30:31 +00:00
Max
c27c23fbdb /dev/port does not seem to be used, adding in rules to confirm.
Only init and ueventd have any access to /dev/port, and neither should
have any use for it. As it stands, leaving port in just represents
additional attack surface with no useful functionality, so it should be
removed if possible, not only from Pixel devices, but from all Android
devices.

Test: The phone boots successfully

Bug:33301618
Change-Id: Iedc51590f1ffda02444587d647889ead9bdece3f
2016-12-04 16:46:11 -08:00
Daniel Micay
758e6b3678 auditallow priv_app app_data_file execution
In general, apps shouldn't be executing data from their writable data
directories. Allowing this is a security risk and use cases for this are
almost always anti-patterns where saner alternatives are available such
as using one of the standard systems for shipping libraries (extracted
by the package manager or aligned/uncompressed in the apk) or using the
existing package system to handle plugins. It's reasonable for the
untrusted_app domain to have this (not just for backwards compatibility)
for priv_app should be held to a higher standard.

Ideally, untrusted apps would be able to opt-in to disabling this and
then the default could then be switched at a new API level. It could do
more than just hardening apps not requiring it by having documentation
explain the risks and offer alternatives to reduce 'legitimate' use. The
base system could disable it for all of the bundled untrusted apps.

Change-Id: I4efcfaf01c6b6c33c39e98c22a1934e8892e2147
2016-12-04 19:33:54 -05:00
Amit Mahajan
2643c6f7b8 Merge "SEPolicy changes for radio hal."
am: 65ad9bc1c3

Change-Id: I46623679450cd1fd1302698c1ea8a1f290bc6d16
2016-12-04 22:54:20 +00:00
Treehugger Robot
65ad9bc1c3 Merge "SEPolicy changes for radio hal." 2016-12-04 22:50:51 +00:00
Amit Mahajan
b435584603 SEPolicy changes for radio hal.
Test: none
Bug: 32020264
Change-Id: If5f22dad672895b3684b8e44209c5a1eae16ba47
2016-12-04 22:50:15 +00:00
Ray Essick
2932497ae0 Allow access to mediaanalytics service
am: 090f4a4d9f

Change-Id: Ib9481c4abc8cd9b5b58f87067e9d5803651d73c1
2016-12-03 15:28:29 +00:00
Jeff Sharkey
954fc0acf2 Allow system_server to measure emulated stats.
am: 17c675b327

Change-Id: I9b04ff4503a197e25538f0f77dc6b24888240a2c
2016-12-03 04:24:17 +00:00
Ray Essick
090f4a4d9f Allow access to mediaanalytics service
media framework analytics are gathered in a separate service.
define a context for this new service, allow various
media-related services and libraries to access this new service.

Bug: 30267133
Test: ran media CTS, watched for selinux denials.
Change-Id: I5aa5aaa5aa9e82465b8024f87ed32d6ba4db35ca
2016-12-03 00:06:20 +00:00
Robert Sesek
5af7c660cf Allow webview_zygote to stat /sys/kernel/debug/tracing/trace_marker.
Test: m
Test: angler boots

Bug: 21643067
Change-Id: I7530120385766506405a318caac8ef143e71cce7
2016-12-02 18:09:23 -05:00
Jeff Sharkey
17c675b327 Allow system_server to measure emulated stats.
Historically we pushed all system_server SD card interactions through
DefaultContainerService to avoid holding open FDs, but it's safe to
measure disk usage for internal emulated storage when looking
directly at /data/media, since there is no risk of unsafe ejection.

These rule changes give us just enough access to measure statistics.

avc: denied { getattr } for path="/data/media/0/DCIM/.thumbnails" dev="sda35" ino=589892 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0:c512,c768 tclass=dir permissive=1
avc: denied { open } for path="/data/media/0/DCIM/.thumbnails" dev="sda35" ino=589892 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0:c512,c768 tclass=dir permissive=1
avc: denied { read } for name="0" dev="sda35" ino=589827 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1

Test: builds, boots, and access allowed
Bug: 33298975
Change-Id: I9748608a5c1169d542e763c5a8f79c4f26f7a382
2016-12-02 13:16:05 -07:00
Max
2464a492b4 Merge "Added an auditallow rule to track vold remounting filesystems."
am: 685ef6b821

Change-Id: I8b1a5415261fcb6b939152ce2fe3b58b0353d1bd
2016-12-01 17:46:17 +00:00
Treehugger Robot
685ef6b821 Merge "Added an auditallow rule to track vold remounting filesystems." 2016-12-01 17:29:34 +00:00
Nick Kralevich
1780a627ae domain_deprecated.te: remove /proc/net access
am: dd649da84b

Change-Id: I648e8b2869b4b2d95255575e257f07f11153865d
2016-12-01 17:19:16 +00:00
Nick Kralevich
dd649da84b domain_deprecated.te: remove /proc/net access
Remove /proc/net access to domain_deprecated. Add it to domains where it
was missing before.

Other than these domains, SELinux denial monitoring hasn't picked up any
denials related to /proc/net

Bug: 28760354
Test: Device boots
Test: No unexpected denials in denial collection logs.
Change-Id: Ie5bfa4bc0070793c1e8bf3b00676fd31c08d426a
2016-11-30 15:23:26 -08:00
Steven Moreland
7aa5caf81c dumpstate: talk to vibrator hal
am: 839c7ded30

Change-Id: Ibbbc3e8e51cbe6a5e2f1e5be7839a1cc3341b33c
2016-11-30 05:38:13 +00:00
Max
314d8c5801 Added an auditallow rule to track vold remounting filesystems.
Vold shouldn't have this selinux permission, so this will be left in for
a few weeks to keep track of if removing it would be an issue to any
other processes. If not, then a follow-up CL will remove both the rule
and the auditallow

Test: This CL is a test in itself, auditallow rules shouldn't change
behavior of SELinux policy by themselves
Bug: 26901147
Change-Id: Ib076448863bd54278df59a3b514c9e877eb22ee5
2016-11-29 17:11:36 -08:00