In the next Android release, there will be devices that have no
xt_qtaguid module at all and framework and netd will decide which code
path it takes for trafficStats depending on the device setup. So all
apps and services should not depend on this device specific
implementation anymore and use public API for the data they need.
Bug: 114475331
Bug: 79938294
Test: QtaguidPermissionTest
Change-Id: I0d37b2df23782eefa2e8977c6cdbf9210db3e0d2
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.
Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.
Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
/system/usr/share/zoneinfo is currently labeled zoneinfo_data_file,
a label shared with /data/misc/zoneinfo. However, each of these
directory locations has different security characteristics. In
particular, the files in /system/usr/share/zoneinfo must never be
writable, whereas /data/misc/zoneinfo may be written to by system_server.
Reusing the same label hides these different security characteristics.
Create a separate label for /system/usr/share/zoneinfo.
Test: Device boots and no obvious problems.
Change-Id: I8cf16ff038b06b38f77388e546d9b7a6865f7879
Create a new service type buffer_hub_binder_service for
BufferHubBinderService and allow bufferhubd to publish the service.
Add the service to 26.0, 27.0 and 28.0 compat ignore files since the
service is not available in past versions.
Fixes: 116022258
Test: build passed
Change-Id: I5a21f00329ed474433d96c8d1ce32377f20cada3
Assert that only apps and installd may open private app files.
Remove "open" permission for mediaserver/vold and remove their
neverallow exemption.
Test: verify no related audit messages in the logs.
Test: build
Fixes: 80300620
Fixes: 80418809
Bug: 80190017
Change-Id: If0c1862a273af1fedd8898f334c9b0aa6b9be728
...to reflect that the HAL operates on storage devices,
not filesystem.
Bug: 111655771
Test: compiles
Change-Id: Ibb0572cb1878359e5944aa6711331f0c7993ba6e
Merged-In: Ibb0572cb1878359e5944aa6711331f0c7993ba6e
This change limits global access to /system files down to:
/system/bin/linker*
/system/lib[64]/*
/system/etc/ld.config*
/system/etc/seccomp_policy/*
/system/etc/security/cacerts/*
/system/usr/share/zoneinfo/*
Bug: 111243627
Test: boot device, browse internet without denials to system_* types.
Test: VtsHalDrmV1_{1, 0}TargetTest without denials
Change-Id: I69894b29733979c2bc944ac80229e84de5d519f4
kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order
of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of
dac_override and dac_read_search checks. Domains that have dac_override
will now generate spurious denials for dac_read_search unless they also
have that permission. Since dac_override is a strict superset of
dac_read_search, grant dac_read_search to all domains that already have
dac_override to get rid of the denials.
Bug: 114280985
Bug: crbug.com/877588
Test: Booted on a device running 4.14.
Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
This allows the trace producer daemon to snapshot counters at
high frequency in the trace. As usual for Perfetto, this data is
NOT made available to arbitrary apps but only to an extremely
limited subset of processes governed by selinux rules (currently
shell and statsd).
Bug: 115956288
Change-Id: I7e1bfda4b568b9bac9012b198ecbb998da4f773d
Add additional compile time constraints on the ability to ptrace various
sensitive domains.
llkd: remove some domains which llkd should never ptrace, even on
debuggable builds, such as kernel threads and init.
crash_dump neverallows: Remove the ptrace neverallow checks because
it duplicates other neverallow assertions spread throughout the policy.
Test: policy compiles and device boots
Change-Id: Ia4240d1ce7143b983bb048e046bb4729d0af5a6e
Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.
Commit 23c9d91b46 introduced a new type
called privapp_data_file and added rules necessary to preserve
compatibility. However, that change did not relabel any existing files,
so effectively the change was a no-op.
This change performs the switch, relabeling priv-app's /data/data files
from app_data_file to privapp_data_file. Due to the compatibility rules
added in 23c9d91b46, there should be no
noticeable effect from this change.
This change was originally submitted as
4df57822fc. However, it was reverted in
cdc6649acc due to a different labeling
bug. That bug has been fixed, and we can reapply this change.
Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
filesystem upgrade.
Bug: 112357170
