Commit graph

106 commits

Author SHA1 Message Date
Chong Zhang
785521e211 add mediaswcodec to watchdog and dumpstate
bug: 130887807
test: adb bugreport and check mediaswcodec stack is there
Change-Id: I4a37e4e06c4905f435e96d8b1497e3617e688478
(cherry-picked from https://android-review.googlesource.com/c/platform/system/sepolicy/+/947830)
2019-04-19 12:16:40 -07:00
Joel Galenson
99149c9fbf Fix denial during bugreport.
Bug: 116711254
Test: Build.
Change-Id: Iafad9228a171796ce7ab18d60697eea396be4efa
Merged-In: I060b0d929a9d147f6327432844106d8270222d18
2019-04-11 09:41:50 -07:00
Benjamin Schwartz
b3ecb4e5b9 Allow signals to hal_power_stats_server from dumpstate
This is needed for bugreport to include ANR trace for the process.

Bug: 128878895
Test: adb bugreport
Change-Id: I92e6952b03ffb047e9fb75b0e44024f2623debb3
2019-04-09 10:25:58 -07:00
Roger Wang
49f2954275 Allow dumpstate to dump wlan hal log on userbuild
To check issue on userbuild, wlan hal log
is helpful.

Bug: 122265104
Test: Manully, log collected on user build
Change-Id: I5aa96aa796ca7dfb92e97df3e7be054ff79f6e3d
2019-03-21 12:27:44 +08:00
Joel Galenson
19c90604ad Fix denials during bugreport.
Bug: 124465994
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t
android.security.cts.SELinuxHostTest#testNoBugreportDenials
Test: Build all policies.

Change-Id: Ic20b1e0fd3a8bdea408d66f33351b1f5ebc5d84c
(cherry picked from commit f24854f8e8)
2019-03-04 14:01:12 -08:00
Joel Galenson
06e63d2aff Hide denials seen during bugreports.
While taking bugreports we sometimes see dumpstate try to find
hwservices.  These are mostly neverallowed by macros, so hide them.

Bug: 116711254
Bug: 123540375
Test: Build.
Change-Id: Ic73a354bdae3d124eccc9477b7862bcad66fa076
2019-02-04 09:04:05 -08:00
Nikita Ioffe
1ab6affc5c Allow dumpstate to write into privileged apps private files
Bug: 123006652
Bug: 111441001
Fix: 123006652
Test: Wrote a test app using BugreportManager, checked denials in logcat
Change-Id: Id1c4b1d166bc70aec833c3d644e8aea6ae94c35a
2019-01-23 23:13:23 +00:00
Joel Galenson
886ba9c9ff Allow dumpstate to read some directories.
This prevents denials while taking a bugreport.

Bug: 116711254
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t
android.security.cts.SELinuxHostTest#testNoBugreportDenials

Change-Id: I64f441eb66c355d03eaf7755f2e9d3e970305ecd
2019-01-07 12:45:56 -08:00
Joel Galenson
f0264fe2e9 Allow dumpstate to read sysfs_loop files.
This prevents denials while taking a bugreport.

Bug: 116711254
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t
android.security.cts.SELinuxHostTest#testNoBugreportDenials

Change-Id: Ie190bfa62cf5aa172ebfff8bfd82dea2a7d1a016
2019-01-02 09:23:45 -08:00
Mike Ma
de3a3e4156 Allow dumpstate to dump incidentd
An incident.proto section has been added to the bugreport. Need
appropriate sepolicy changes to allow binder calls and fd access.

Bug: 119417232
Test: adb bugreport. Verify incident.proto is in the proto folder,
      and there are no sepolicy violations.

Change-Id: Iac27cbf283a2e1cb41862c76343c2b639f6c0e1e
2018-12-04 15:42:56 -08:00
Yifan Hong
0d53ef2c91 Add rules to dump health traces
Test: bugreport
Bug: 119809588
Change-Id: Ia688d68120daebc0a4feb51c4745535e1b371594
2018-11-27 17:36:07 -08:00
Joel Galenson
33ded4a69b Allow dumpstate to call mediaswcodec over binder
This prevents denials while taking a bugreport.

Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t
android.security.cts.SELinuxHostTest#testNoBugreportDenials

Change-Id: I381b39fa127f82fcef5d820a04209fd1ba4f63cd
2018-10-22 12:39:28 -07:00
Joel Galenson
49531c81c5 Handle denials caused by taking a bugreport.
apex_service is already in the list of services dumpstate cannot find;
this ensures that the dontaudit list is the same.  We hide the denial
caused by df reading one of its directories.

dumpstate can already call all binder services, so we enable it to
call bufferhubd.

Bug: 116711254
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: Ie5acc84326fa504199221df825549479f3cf50e1
2018-10-10 18:17:50 -07:00
Igor Murashkin
72a88b194c iorapd: Add new binder service iorapd.
This daemon is very locked down. Only system_server can access it.

Bug: 72170747
Change-Id: I7b72b9191cb192be96001d84d067c28292c9688f
2018-10-08 15:00:34 -07:00
Martijn Coenen
ac097ac4c7 Add policy for apexd.
apexd is a new daemon for managing APEX packages installed
on the device. It hosts a single binder service, "apexservice".

Bug: 112455435
Test: builds, binder service can be registered,
      apexes can be accessed, verified and mounted
Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
2018-10-04 07:06:45 +00:00
Nick Kralevich
5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00
Benjamin Gordon
342362ae3e sepolicy: grant dac_read_search to domains with dac_override
kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order
of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of
dac_override and dac_read_search checks.  Domains that have dac_override
will now generate spurious denials for dac_read_search unless they also
have that permission.  Since dac_override is a strict superset of
dac_read_search, grant dac_read_search to all domains that already have
dac_override to get rid of the denials.

Bug: 114280985
Bug: crbug.com/877588
Test: Booted on a device running 4.14.
Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
2018-09-19 15:54:37 -06:00
Joel Galenson
e9ee9d86d0 Ensure taking a bugreport generates no denials.
Allow dumpstate to get information about sockets and dontaudit
accessing vendor files when running df.

Bug: 112440280
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: Ide3cb2f3ce3f079bf30b3bd46810f9b55e105b2b
2018-09-10 15:48:34 -07:00
Nick Kralevich
eef72d34b4 dumpstate: remove JIT and /data execute
Not needed for modern Android versions. These rules are really, really
old.

Test: "adb bugreport" continues to work
Test: Generating a bugreport via key combo continues to work.
Change-Id: Ibc1157fb36abd7fc701db3819474f25210a3cb5f
2018-09-06 13:28:34 -07:00
Chia-I Wu
7c5e18c494 Allow signals to hal_graphics_allocator_server from dumpstate
This is needed for bugreport to include ANR trace for the process.

Bug: 111604912
Test: adb bugreport
Change-Id: I3f09e17523ccf9b637fd9590e53a13e03e80ccaa
2018-08-13 10:41:48 -07:00
Mark Salyzyn
8bc025a5f7 Merge "access to /proc/slabinfo"
am: e0637cfc8e

Change-Id: Ie5f10c93d27607879db52177cd498eec0d61f782
2018-06-15 08:04:18 -07:00
Mark Salyzyn
d6eaed854d access to /proc/slabinfo
init, dumpstate and shell

Test: check avc for init is now gone
Bug: 7232205
Bug: 109821005
Change-Id: I299a0ba29bcc97a97047f12a5c48f6056f5e6de5
2018-06-14 10:18:45 -07:00
Steven Moreland
d0c4d4e7db mediacodec->mediacodec+hal_omx{,_server,_client} am: 7baf725ea6
am: 6ad7e65447

Change-Id: I9b60e71be957d43f66605958915d3cfb45d42573
2018-05-30 13:51:23 -07:00
Steven Moreland
7baf725ea6 mediacodec->mediacodec+hal_omx{,_server,_client}
(breaks vendor blobs, will have to be regenerated
after this CL)

This moves mediacodec to vendor so it is replaced with
hal_omx_server. The main benefit of this is that someone
can create their own implementation of mediacodec without
having to alter the one in the tree. mediacodec is still
seccomp enforced by CTS tests.

Fixes: 36375899
Test: (sanity) YouTube
Test: (sanity) camera pics + video
Test: check for denials
Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e
2018-05-30 18:12:32 +00:00
Jaegeuk Kim
5580a18255 Merge "dumpstate: allow /metadata for df" into pi-dev
am: e2f70ebc07

Change-Id: Ic56b485f0297178d45061c0b6b7fb44fbb0b0fa5
2018-05-17 18:14:01 -07:00
Jeff Tinker
226ad93b81 Allow dumpstate to trace drm hals
Change-Id: Id7823a3130443107beb4d97426807a6395cf6930
related-to-bug:74607984
Test: adb bugreport and check for drm trace dumps
(cherry picked from commit 4f2739bd95)
2018-05-17 17:22:45 +00:00
Wei Wang
a1db36e1c0 Allow dumpstate to kill dumpstate vendor HAL in timeout case
Bug: 77489941
Test: simulate delay in dumpstate HAL and get BR, see below from dumpstate_log.txt
    dumpstateBoard timed out after 10s, killing dumpstate vendor HAL
    dumpstateBoard failed: Status(EX_TRANSACTION_FAILED): 'DEAD_OBJECT: '
Change-Id: I90ed5cb8fe8da8ad21ae77676433936cb12d9d04
(cherry picked from commit 60d1767459)
2018-05-16 15:19:36 -07:00
Jaegeuk Kim
18096f9c64 dumpstate: allow /metadata for df
[  196.680228] type=1400 audit(1526230655.786:26): avc: denied { getattr } for
 pid=7159 comm="df" path="/metadata" dev="sda20" ino=2 scontext=u:r:dumpstate:s0
 tcontext=u:object_r:metadata_file:s0 tclass=dir permissive=0

Bug: 66967195
Bug: 79552162
Test: adb bugreport
Change-Id: Ib2abbc35e04a69992fa09a596694f428d3adc7c1
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
2018-05-13 10:13:59 -07:00
Jeff Vander Stoep
1279a7ae85 resolve merge conflicts of bc34fa26ac to pi-dev-plus-aosp
Bug: None
Test: None
Change-Id: Ie9d2f35efd5bf39d0282ccc41fdd3f974d7c01bf
2018-05-04 19:03:03 -07:00
Jeff Vander Stoep
7a4af30b38 Start the process of locking down proc/net
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.

To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.

Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
    navigate maps, send text message, make voice call, make video call.
    Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest

Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f)
2018-05-04 21:36:33 +00:00
android-build-prod (mdb)
5afce15046 Merge "Audit generic debugfs access for removal" am: 65352c904a
am: 810ad5f27b

Change-Id: I8e5cf7eaf9eb290090adfb5c2821a7efdd9e1acf
2018-05-01 23:11:36 -07:00
Jeff Vander Stoep
72edbb3e83 Audit generic debugfs access for removal
Bug: 78784387
Test: adb bugreport with no "granted" messages.
Change-Id: Iaea67f356a47a9fbf6b8649fc8e8dad772996ba7
2018-04-27 13:46:34 -07:00
Wei Wang
5154fc1fb2 Merge "Allow dumpstate to kill dumpstate vendor HAL in timeout case" into pi-dev
am: d45dfbff95

Change-Id: I90a0270b7820073bcee257f5a11c1d2407f8d841
2018-04-23 21:27:17 -07:00
Wei Wang
d45dfbff95 Merge "Allow dumpstate to kill dumpstate vendor HAL in timeout case" into pi-dev 2018-04-24 04:24:04 +00:00
Wei Wang
60d1767459 Allow dumpstate to kill dumpstate vendor HAL in timeout case
Bug: 77489941
Test: simulate delay in dumpstate HAL and get BR, see below from dumpstate_log.txt
    dumpstateBoard timed out after 10s, killing dumpstate vendor HAL
    dumpstateBoard failed: Status(EX_TRANSACTION_FAILED): 'DEAD_OBJECT: '
Change-Id: I90ed5cb8fe8da8ad21ae77676433936cb12d9d04
2018-04-23 14:41:25 -07:00
Tianjie Xu
1affab2200 Merge "Allow dumpstate to read the update_engine logs" into pi-dev 2018-04-20 20:09:00 +00:00
Tianjie Xu
c9962ca2b3 Merge "Allow dumpstate to read the update_engine logs" am: ebddc5993f
am: 6210924b1a

Change-Id: Ia8429966d4e6d9980b2a4d3a29a92b46c8e85635
2018-04-20 13:05:54 -07:00
Tianjie Xu
4af699ae3e Allow dumpstate to read the update_engine logs
Denial message:
avc: denied { read } for pid=2775 comm="dumpstate" name="update_engine_log"
dev="sda35" ino=3850274 scontext=u:r:dumpstate:s0
tcontext=u:object_r:update_engine_log_data_file:s0 tclass=dir permissive=0

Bug: 78201703
Test: take a bugreport
Change-Id: I2c788c1211812aa0fcf58cee37a6e8f955424849
(cherry picked from commit 7d47427997)
2018-04-20 10:40:51 -07:00
Tianjie Xu
7d47427997 Allow dumpstate to read the update_engine logs
Denial message:
avc: denied { read } for pid=2775 comm="dumpstate" name="update_engine_log"
dev="sda35" ino=3850274 scontext=u:r:dumpstate:s0
tcontext=u:object_r:update_engine_log_data_file:s0 tclass=dir permissive=0

Bug: 78201703
Test: take a bugreport
Change-Id: I2c788c1211812aa0fcf58cee37a6e8f955424849
2018-04-18 06:54:39 +00:00
Jaekyun Seok
c3ef1e7b45 Allow dumpstate to read property_type am: 4de238e9b9
am: dfb48cf6fc

Change-Id: I4a5516f694a72624ce353a00b4dd0df0f14ebff6
2018-04-16 16:13:38 -07:00
Jaekyun Seok
f99c74ccf8 Allow dumpstate to read property_type
dumpstate needs to read all the system properties for debugging.

Bug: 77277669
Test: succeeded building and tested with taimen
Change-Id: I3603854b3be67d4fc55d74f7925a21bfa59c81ee
Merged-In: I3603854b3be67d4fc55d74f7925a21bfa59c81ee
(cherry picked from commit 4de238e9b9)
2018-04-17 07:44:05 +09:00
Jaekyun Seok
4de238e9b9 Allow dumpstate to read property_type
dumpstate needs to read all the system properties for debugging.

Bug: 77277669
Test: succeeded building and tested with taimen
Change-Id: I3603854b3be67d4fc55d74f7925a21bfa59c81ee
2018-04-16 06:18:24 +00:00
Kweku Adams
0fa3d2766f Allowing incidentd to get stack traces from processes.
Bug: 72177715
Test: flash device and check incident output
Change-Id: I16c172caec235d985a6767642134fbd5e5c23912
(cherry picked from commit 985db6d8dd)
2018-04-05 16:37:05 -07:00
Kweku Adams
49733255fb Allowing incidentd to get stack traces from processes. am: 985db6d8dd
am: 5f98693a77

Change-Id: Iaeaaeb8195e2ffcbf148b1764d57d4e1c7da6f4f
2018-04-04 09:13:58 -07:00
Kweku Adams
985db6d8dd Allowing incidentd to get stack traces from processes.
Bug: 72177715
Test: flash device and check incident output
Change-Id: I16c172caec235d985a6767642134fbd5e5c23912
2018-04-04 16:00:23 +00:00
Jeff Tinker
41cc2b059a Merge "Allow dumpstate to trace drm hals" into pi-dev
am: f7d4978728

Change-Id: Ia141cdcd71b7f76a566ce2f9d0cf720d90693af2
2018-04-03 22:51:48 -07:00
Jeff Vander Stoep
bdf2a9c417 Rename qtaguid_proc to conform to name conventions
Test: build
Bug: 68774956
Change-Id: I0f9fd87eb41e67e14f35e49eba13e3d1de745250
2018-04-03 14:47:38 -07:00
Jeff Tinker
4f2739bd95 Allow dumpstate to trace drm hals
Change-Id: Id7823a3130443107beb4d97426807a6395cf6930
related-to-bug:74607984
test:adb bugreport and check for drm trace dumps
2018-04-02 17:28:51 -07:00
Jeff Vander Stoep
de04528c3b Enable Traceur on user builds.
Test: Standard Traceur workflow works successfully with no
selinux denials on a user build.
Bug: 64762598
Change-Id: I0dfe506d463b63d70c5bda03f8706041ea7ab448
2018-02-02 12:46:36 -08:00
Tri Vo
218d87c01c dumpstate: remove access to 'proc' and 'sysfs' types.
And grant appropriate permissions to more granular types.

Bug: 29319732
Bug: 65643247
Test: adb bugreport; no new denials to /proc or /sys files.

Change-Id: Ied99546164e79bfa6148822858c165177d3720a5
2018-01-23 03:24:37 +00:00