Prevent sepolicy and sepolicy.recover from showing up in the root
filesystem when they will not be created as part of it. Also make
sure both are added as dependencies to version_policy to ensure the
neverallow checks are run.
Bug: 31363362
Test: Builds and boots, including recovery, without additional
denials. Neverallow violations still caught at build time.
Change-Id: I39e3cbc150551c9316952523927d057538cd00a7
And do some clean up:
Replace LOCAL_TARGET_ARCH with global arch specifier that won't get
clobbered, clean up sepolicy.recovery's eng specification, ensure that
build macros are applied across all policy generation, not just
plat_policy, and make sure that all private variables are cleared and
alphabetized at the end.
Bug: 31363362
Bug: 31369363
Test: Boot into recovery and observe no selinux denials.
Change-Id: Ibc15b097f6d19acf01f6b22bee0e083b15f4ef75
Test: tested with default health HAL on angler running as service.
Bug: b/32754732
Change-Id: Ie0b70d43cb23cd0878e1b7b99b9bebdbd70d17c7
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit ef62fd9159)
- allows binder calls to hwservicemanager
- allows healthd to read system_file for passthrough HAL
Test: Tested healthd with and without a board specific health HAL on
Angler.
Bug: b/32724915
Change-Id: Icf621859f715cb44bce5d8d3b60320ef495d1543
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 32cacb42b9)
healthd is being split into 'charger' and 'healthd' processes, that
will never run together. 'charger' is to be run only in charge-only
and recovery, while healthd runs with Android.
While they both share much of battery monitoring code, they both now
have reduced scope. E.g. 'charger', doesn't need to use binder anymore
and healthd doesn't need to do charging ui animation. So, amend the
SEPolicy for healthd to reduce it's scope and add a new one for charger.
Test: Tested all modes {recovery, charger-only, android} with new policy
Change-Id: If7f81875c605f7f07da4d23a313f308b9dde9ce8
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit c73d0022ad)
Add a compile time assertion that only authorized SELinux domains are
allowed to touch the metadata_block_device. This domain may be wiped at
will, and we want to ensure that we're not inadvertently destroying
other people's data.
Test: policy compiles.
Change-Id: I9854b527c3d83e17f717d6cc8a1c6b50e0e373b6
system/core commit 331cf2fb7c16b5b25064f8d2f00284105a9b413f created a
number of new properties of the form:
[ro.boottime.init]: [5294587604]
[ro.boottime.InputEventFind]: [10278767840]
[ro.boottime.adbd]: [8359267180]
...
These properties were assigned the default_prop SELinux label because a
better label did not exist. Properties labeled with the default_prop
label are readable to any SELinux domain, which is overly broad.
bullhead:/ $ getprop -Z ro.boottime.adbd
u:object_r:default_prop:s0
Instead, create a new label for the ro.boottime.* properties so we can
apply more fine grain read access control to these properties.
bullhead:/ $ getprop -Z ro.boottime.adbd
u:object_r:boottime_prop:s0
New SELinux property labels have minimal permissions by default. As a
result, after this change, ro.boottime.* properties will only be
readable to system_server, bootstat, init (because it manages the property
space), and "adb root" (because no SELinux permissions are enforced there).
Additional read access can be granted as-needed.
This is part of a larger effort to implement fine-grain access control
on the properties managed by init.
Test: Device boots and no SELinux denials on boot.
Change-Id: Ibf981cb81898f4356fdc5c1b6f15dd93c0d6d84d
core_property_type is an attribute which was given to all existing
properties known to core SELinux policy. Any property with this label is
readable to all SELinux domains, which is overly broad. The long term
goal is to remove the core_property_type attribute entirely.
Add a neverallow rule prohibiting the introduction of new properties
with the core_property_type attribute. Device specific properties, or
new properties in core SELinux policy, should not have this attribute.
Test: policy compiles
Change-Id: Ie89a9f0d81c8561616001ff8451496ce2278dbb2
There is no reason for vold to have this permission, and a proper
auditallow rule has been used and monitored to ensure that nothing on
android uses this permission.
Bug: 26901147
Test: Phone boots
Change-Id: Id36ed2722348f433fe3d046a3429066338230fec
Simulate platform and non-platform split by sending the split files to the
device to be compiled by init.
Bug: 31363362
Test: Policy builds on-device and boots. sediff shows no difference.
Change-Id: I9627d1c66ca37786d97a049666278a4992ad7579
The new domain wasn't fully tested, and it caused many regressions
on the daily build. Revert back to using "priv_app" domain until we
can fully test and re-land the new domain.
Temporarily add the USB functionfs capabilities to priv_app domain
to keep remainder of MtpService changes working; 33574909 is tracking
removing that from the priv_app domain.
Test: builds, boots, verified UI and downloads
Bug: 33569176, 33568261, 33574909
Change-Id: I1bd0561d52870df0fe488e59ae8307b89978a9cb
Sdcardfs does not use a userspace daemon, so the secontext
is currently the caller's when accessing files. This can be
removed if sdcardfs is modified to change the secontext before
calling into the lower filesystem.
Bug: 32735101
Test: Run any app that falls under isolated_app.
Test: See bug for example
Change-Id: I9433aa0f14ff0d5a518249079e07f57e55b09bcf
Also move necessary priv_app permissions into MediaProvider domain and
remove MediaProvider specific permissions from priv_app.
The new MtpServer permissions fix the following denials:
avc: denied { write } for comm=6D747020666673206F70656E name="ep0" dev="functionfs" ino=12326 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1
denial from setting property sys.usb.ffs.mtp.ready, context priv_app
Bug: 30976142
Test: Manual, verify permissions are allowed
Change-Id: I4e66c5a8b36be21cdb726b5d00c1ec99c54a4aa4
Need write permissions on the specified sysfs path for reloading
firmware.
Denials:
01-21 23:39:01.650 4669 4669 W android.hardwar: type=1400
audit(0.0:103): avc: denied { write } for name="fwpath" dev="sysfs"
ino=6847 scontext=u:r:hal_wifi:s0
tcontext=u:object_r:sysfs_wlan_fwpath:s0 tclass=file permissive=0
01-21 23:39:01.653 4669 4669 E android.hardware.wifi@1.0-service:
Failed to open wlan fw path param: Permission denied
Bug: 32018162
Test: Denials no longer present in the logs.
Change-Id: I1a468e7c2a2a4360a2b61f04f1940471d52d0dd6
We're going to be using Android framework directly to invoke Wifi HIDL
calls. So, change permissions appropriately.
Bug: 33398154
Test: Verfied that framework is able to make HIDL calls using
go/aog/310610.
Change-Id: I4d0d88961753ad73f3876aec58b26b89486cc02a
Add a pre-submit check to ensure that files have a newline character at
the end.
Please see https://android.googlesource.com/platform/tools/repohooks/
for documentation on how PREUPLOAD hooks work.
Test: created a change and watched the presubmit check reject it.
Change-Id: Id0528cb1bd6fa9c4483ba43720839832f4fec34d
This is unused by core policy and by any device policy except for hikey.
Test: device boots
Test: no denials ever collected
Change-Id: I36a6790499e4aeedd808457b43fd72370fa48e53
After a series of recent commits, installd has fully migrated over
to Binder, and all socket-based communication has been removed.
Test: builds, boots, apps install fine, pre-OTA dexopt works
Bug: 13758960, 30944031
Change-Id: Ia67b6260de58240d057c99b1bbd782b44376dfb5
app_domain was split up in commit: 2e00e6373f to
enable compilation by hiding type_transition rules from public policy. These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware. Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.
(cherry-pick of commit: 76035ea019)
Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
This functionality is being used by priv_apps shipped as part of
Android. Don't drop execute_no_trans as we haven't seen any denials here
yet.
Addresses the following auditallow messages:
avc: granted { execute } for comm="GELServices-0"
path="/data/data/com.google.android.googlequicksearchbox/files/velour/dex_cache/Ji1opKyKASKEOKNQUu1QyWw_1.jar/Ji1opKyKASKEOKNQUu1QyWw_1.dex"
dev="dm-2" ino=1196939 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file
avc: granted { execute } for comm="CTION_IDLE_MODE"
path="/data/data/com.google.android.gms/snet/dalvik-cache/snet.dex"
dev="dm-2" ino=1114262 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file
avc: granted { execute } for comm="lowpool[3]"
path="/data/data/com.google.android.gms/files/libAppDataSearchExt_arm64_v8a.so"
dev="dm-2" ino=1688320 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file
avc: granted { execute } for comm="Binder:9196_2"
path="/data/data/com.google.android.gms/app_dg_cache/1FECE961A655634046D6AB5E18FE6F74212FBEA6/lib/libdC14BB7282EA1.so"
dev="dm-2" ino=1893474 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file
avc: granted { execute } for comm="Binder:13170_1"
path="/data/data/com.google.android.gms/app_fb/f.dex" dev="dm-2"
ino=1810720 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file
Test: policy compiles.
Change-Id: I63358697b07c8f620b999e666791f4f385bab776
