Commit graph

85 commits

Author SHA1 Message Date
Jeff Vander Stoep
7dc46564d0 Fix CTS regressions
am: 6a28b68d54

Change-Id: I774787b48c0b5f6f20313ee6f9c8062db4072e84
2017-11-22 04:58:48 +00:00
Jeff Vander Stoep
6a28b68d54 Fix CTS regressions
Commit 7688161 "hal_*_(client|server) => hal(client|server)domain"
added neverallow rules on hal_*_client attributes while simultaneously
expanding these attribute which causes them to fail CTS neverallow
tests. Remove these neverallow rules as they do not impose specific
security properties that we want to enforce.

Modify Other neverallow failures which were imposed on hal_foo
attributes and should have been enforced on hal_foo_server attributes
instead.

Bug: 69566734
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed
    remaining failure appears to be caused by b/68133473
Test: build taimen-user/userdebug

Change-Id: I619e71529e078235ed30dc06c60e6e448310fdbc
2017-11-22 04:54:41 +00:00
Jeffrey Vander Stoep
51aba79e3a Revert "Fix CTS regressions"
am: cd69bebf76

Change-Id: I6f3c20144c971d5040ee325e8bc0e9cff70085a0
2017-11-21 20:39:58 +00:00
Jeffrey Vander Stoep
cd69bebf76 Revert "Fix CTS regressions"
This reverts commit ed876a5e96.

Fixes user builds.
libsepol.report_failure: neverallow on line 513 of system/sepolicy/public/domain.te (or line 9149 of policy.conf) violated by allow update_verifier misc_block_device:blk_file { ioctl read write lock append open }; 
libsepol.check_assertions: 1 neverallow failures occurred 
Error while expanding policy
Bug: 69566734
Test: build taimen-user
Change-Id: I969b7539dce547f020918ddc3e17208fc98385c4
2017-11-21 20:27:47 +00:00
Jeff Vander Stoep
c76a25c106 Fix CTS regressions
am: ed876a5e96

Change-Id: Ic41e1b997968acfd68ade6e9b9901a4dd9b8d2d2
2017-11-21 19:04:54 +00:00
Jeff Vander Stoep
ed876a5e96 Fix CTS regressions
Commit 7688161 "hal_*_(client|server) => hal(client|server)domain"
added neverallow rules on hal_*_client attributes while simultaneously
expanding these attribute which causes them to fail CTS neverallow
tests. Remove these neverallow rules as they do not impose specific
security properties that we want to enforce.

Modify Other neverallow failures which were imposed on hal_foo
attributes and should have been enforced on hal_foo_server attributes
instead.

Bug: 69566734
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed
    remaining failure appears to be caused by b/68133473
Change-Id: I83dcb33c3a057f126428f88a90b95f3f129d9f0e
2017-11-21 18:06:20 +00:00
Benjamin Gordon
d41e616199 Merge "sepolicy: Add rules for non-init namespaces"
am: b9ea282c65

Change-Id: I77676d7adb39747b9195489ef83d72e57cdb3b59
2017-11-21 17:43:02 +00:00
Benjamin Gordon
9b2e0cbeea sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-21 08:34:32 -07:00
Xin Li
c667a0ed64 Merge commit 'd9664064dd09ae254aa3e6ce28fec5fde68c1fb6' into HEAD
Change-Id: Icec8dfff5cff17cf1b557882db62b148a7218b98
2017-11-14 11:46:58 -08:00
William Roberts
87cba6e883 te_macros: add map to tpmfs_domain
domain based tmpfs file access has getattr, read and write.

However newer kernels support map. Add this map permission so they
can use mmap based access.

Test: build test.

Change-Id: I2e128967e10a1332b3c1c908550360a52fbceaf8
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-11-06 22:36:29 +00:00
Dan Cashman
df5469d864 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-27 18:55:47 -07:00
Jeff Vander Stoep
6395a91b0f Merge "Add userbuild() macro for user-build-only policy" into oc-mr1-dev
am: 8c8994f50b

Change-Id: I5327bcea18feabc38427948fcfa0e505846629e4
2017-09-27 19:39:44 +00:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Jeff Vander Stoep
994cbf4d39 Add userbuild() macro for user-build-only policy
Particularly useful for suppressing selinux logspam for debug-only
permissions.

Bug: 65843095
Test: build, boot, and run tests on user and userdebug builds.
Change-Id: I18ce0b2cf1e96ca037e93309dddb476a150b677f
2017-09-26 12:31:50 -07:00
John Stultz
9f3f378450 sepolicy: Define and allow map permission for vendor dir
This patch tries to provide similar functionality as the previous
change made here:
https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/432339/

Only, making sure we add the same map permissions for the vendor
directory.

Signed-off-by: John Stultz <john.stultz@linaro.org>

(cherry picked from commit 24537b2e96)

Bug: 65011018
Test: policy compiles.
Change-Id: I4d0319011ef4ef043134bf299dc4823a6c418717
2017-08-24 09:01:56 -07:00
John Stultz
d15ac5ba36 sepolicy: Define and allow map permission for vendor dir am: 24537b2e96 am: e63f7f32ac
am: 01cd12a0d6

Change-Id: I4318fedbee9c45b7a3b738743dfac59a76329336
2017-08-23 15:07:56 +00:00
John Stultz
24537b2e96 sepolicy: Define and allow map permission for vendor dir
This patch tries to provide similar functionality as the previous
change made here:
https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/432339/

Only, making sure we add the same map permissions for the vendor
directory.

Change-Id: Ia965df2881cdee8bb5d81278a1eb740def582871
Signed-off-by: John Stultz <john.stultz@linaro.org>
2017-08-23 05:41:36 +00:00
Nick Kralevich
457c08cc0b Validate no-cross-domain /proc/PID access am: 7a46380969 am: 881fe06f34
am: 25d4a090ed

Change-Id: I4e9bd171ca88b955d3ae2a7217336a9fa2b103fe
2017-08-11 19:22:00 +00:00
Nick Kralevich
881fe06f34 Validate no-cross-domain /proc/PID access
am: 7a46380969

Change-Id: Iba80938afccd21f0c3b69626223b35c672358e77
2017-08-11 19:17:29 +00:00
Nick Kralevich
7a46380969 Validate no-cross-domain /proc/PID access
Android uses hidepid=2 to restrict visibility to other /proc entries on
the system. This helps preserve user, application, and system
confidentiality by preventing unauthorized access to application metadata,
and addresses attacks such as
http://www.cs.ucr.edu/~zhiyunq/pub/sec14_android_activity_inference.pdf

Ensure the SELinux (weaker) equivalent is being enforced by adding
neverallow compile time assertions.

TODO: The "shell" user runs as both an Android application, as well as
spawned via adb shell. This was a mistake. We should separate out the
"shell" Android app into it's own SELinux domain. For now, exclude the
shell from this assertion. (The shell Android app is covered by
hidepid=2, so there's no leaking of data, but still, it's over
privileged today and should be cleaned up.

Bug: 23310674
Test: policy compiles. Compile time assertion only.
Change-Id: I0e1a6506b2719aabf7eb8127f046c4ada947ba90
2017-08-11 10:05:22 -07:00
Josh Gao
fde0e02a2c crash_dump_fallback: allow writing to system_server pipes.
Allow mediacodec/mediaextractor to write to system_server pipes during
ANR dumps.

Addresses the following denials:
avc: denied { write } for comm="mediaextractor" path="pipe:[1177610]" dev="pipefs" ino=1177610 scontext=u:r:mediaextractor:s0 tcontext=u:r:system_server:s0 tclass=fifo_file permissive=0
avc: denied { write } for comm="omx@1.0-service" path="pipe:[1175808]" dev="pipefs" ino=1175808 scontext=u:r:mediacodec:s0 tcontext=u:r:system_server:s0 tclass=fifo_file permissive=0

Bug: http://b/63801592
Test: treehugger
Change-Id: I944b1fa76c70402607ccd903be17dbddeaa73201
(cherry picked from commit 3c9b91977d)
2017-07-20 20:14:05 +00:00
Josh Gao
326ea2216a crash_dump_fallback: allow writing to system_server pipes. am: 3c9b91977d am: 762a2b85ab
am: ba10fd49f6

Change-Id: I095d29e9319e65c988aeed6a4e916b055857b511
2017-07-20 18:54:53 +00:00
Josh Gao
762a2b85ab crash_dump_fallback: allow writing to system_server pipes.
am: 3c9b91977d

Change-Id: If292e297a21af84c35131ed42c2a65658bec2ed9
2017-07-20 18:30:39 +00:00
Josh Gao
3c9b91977d crash_dump_fallback: allow writing to system_server pipes.
Allow mediacodec/mediaextractor to write to system_server pipes during
ANR dumps.

Addresses the following denials:
avc: denied { write } for comm="mediaextractor" path="pipe:[1177610]" dev="pipefs" ino=1177610 scontext=u:r:mediaextractor:s0 tcontext=u:r:system_server:s0 tclass=fifo_file permissive=0
avc: denied { write } for comm="omx@1.0-service" path="pipe:[1175808]" dev="pipefs" ino=1175808 scontext=u:r:mediacodec:s0 tcontext=u:r:system_server:s0 tclass=fifo_file permissive=0

Bug: http://b/63801592
Test: treehugger
Change-Id: I944b1fa76c70402607ccd903be17dbddeaa73201
2017-07-20 01:14:16 +00:00
Stephen Smalley
090a64a5d5 Merge "sepolicy: Define and allow map permission" am: 770214abda am: 90f46dd922
am: 5724715380

Change-Id: Iadf138fc64bad940308cb01b3a3b8159b8b33704
2017-07-13 17:09:30 +00:00
Stephen Smalley
90f46dd922 Merge "sepolicy: Define and allow map permission"
am: 770214abda

Change-Id: I253dad49662831625a17162b18f013e0b4a87af4
2017-07-13 17:04:02 +00:00
Stephen Smalley
4397f08288 sepolicy: Define and allow map permission
Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap")
added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation).  The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific files
for which we need to ensure that every access is revalidated, particularly
useful for scenarios where we expect the file to be relabeled at runtime
in order to reflect state changes (e.g. cross-domain solution, assured
pipeline without data copying).  The kernel commit is anticipated to
be included in Linux 4.13.

This change defines map permission for the Android policy.  It mirrors
the definition in the kernel classmap by adding it to the common
definitions for files and sockets.  This will break compatibility for
kernels that predate the dynamic class/perm mapping support (< 2.6.33);
on such kernels, one would instead need to add map permission
to the end of each file and socket access vector.

This change also adds map permission to the global macro definitions for
file permissions, thereby allowing it in any allow rule that uses these
macros, and to specific rules allowing mapping of files from /system
and executable types. This should cover most cases where it is needed,
although it may still need to be added to specific allow rules when the
global macros are not used.

Test: Policy builds

Change-Id: Iab3ccd2b6587618e68ecab58218838749fe5e7f5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-10 16:31:23 -04:00
Jeff Vander Stoep
5f5aa96286 Preserve attributes needed for CTS
Change fb889f23d "Force expand all hal_* attributes" annotated all
hal_* attributes to be expanded to their associated types. However
some of these attributes are used in CTS for neverallow checking.
Mark these attributes to be preserved.

In addition, remove the hacky workaround introduced in oc-dev
for b/62658302 where extraneous neverallow rules were introduced
to prevent unused or negated attributes from being auto-expanded
from policy.

Bug: 62658302
Bug: 63135903
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    armeabi-v7a CtsSecurityHostTestCases completed in 4s.
    501 passed, 0 failed, 0 not executed
Merged-In: I989def70a16f66e7a18bef1191510793fbe9cb8c
Change-Id: I989def70a16f66e7a18bef1191510793fbe9cb8c
2017-07-05 23:06:35 +00:00
Jeff Vander Stoep
4b7cf4fba1 Suppress su access to pdx sockets
Su runs in permissive mode and denials should be suppressed.

avc: denied { getattr } for scontext=u:r:su:s0
tcontext=u:object_r:pdx_display_client_endpoint_socket:s0
tclass=unix_stream_socket permissive=1
avc: denied { getattr } for scontext=u:r:su:s0
tcontext=u:object_r:pdx_display_manager_endpoint_socket:s0
tclass=unix_stream_socket permissive=1
avc: denied { getattr } for scontext=u:r:su:s0
tcontext=u:object_r:pdx_display_vsync_endpoint_socket:s0
tclass=unix_stream_socket permissive=1
avc: denied { getattr } for scontext=u:r:su:s0
tcontext=u:object_r:pdx_bufferhub_client_endpoint_socket:s0
tclass=unix_stream_socket permissive=1
avc: denied { getattr } for scontext=u:r:su:s0
tcontext=u:object_r:pdx_performance_client_endpoint_socket:s0
tclass=unix_stream_socket permissive=1

Bug: 35197529
Test: policy builds
Change-Id: Ia643c6e776e5e5bd473d857d523c3be91d32c40a
2017-06-26 16:33:14 -07:00
Dan Cashman
939b50ff61 Add extraneous neverallow rule to enforce attribute inclusion.
Due to the massively increased number of attributes in SELinux policy
as part of the treble changes, we have had to remove attributes from
policy for performance reasons.  Unfortunately, some attributes are
required to be in policy to ensure that our neverallow rules are being
properly enforced.  Usually this is not a problem, since neverallow rules
indicate that an attribute should be kept, but this is not currently the
case when the attribute is part of a negation in a group.

This is particularly problematic with treble since some attributes may
exist for HALs that have no implementation, and thus no types.  In
particular, this has caused an issue with the neverallows added in our
macros.  Add an extraneous neverallow rule to each of those auto-generated
neverallow rules to make sure that they are not removed from policy, until
the policy compiler is fixed to avoid this.  Also add corresponding rules
for other types which have been removed due to no corresponding rules.

Bug: 62591065
Bug: 62658302
Test: Attributes present in policy and CTS passes.  sepolicy-analyze also
works on platform-only policy.
Change-Id: Ic3fc034cdbd04a94167f8240cf562297e8d7c762
2017-06-16 11:19:53 -07:00
Josh Gao
715955b78a crash_dump_fallback: allow dumpstate:pipe_file write.
It appears that selinux requires the write permission to receive
a writable pipe from dumpstate, for unclear reasons. Add the permission
for now.

Bug: http://b/62297059
Test: dumpstate
Merged-In: I0f25682177115aacd5c2203ddc0008228b0380ad
Change-Id: I0f25682177115aacd5c2203ddc0008228b0380ad
(cherry picked from commit 7aa085233a)
2017-06-05 17:26:29 -07:00
Josh Gao
7aa085233a crash_dump_fallback: allow dumpstate:pipe_file write.
It appears that selinux requires the write permission to receive
a writable pipe from dumpstate, for unclear reasons. Add the permission
for now.

Bug: http://b/62297059
Test: dumpstate
Change-Id: I0f25682177115aacd5c2203ddc0008228b0380ad
2017-06-05 14:50:31 -07:00
Josh Gao
2a00056a95 crash_dump_fallback: allow dumpstate:fd use.
Bug: http://b/62297059
Test: mma
Merged-In: Ibcd93e5554a9c2dd75fbfb42294fbc9b96ebc8cc
Change-Id: Ibcd93e5554a9c2dd75fbfb42294fbc9b96ebc8cc
(cherry picked from commit 17885f148d)
2017-06-02 15:04:29 -07:00
Josh Gao
17885f148d crash_dump_fallback: allow dumpstate:fd use.
Bug: http://b/62297059
Test: mma
Change-Id: Ibcd93e5554a9c2dd75fbfb42294fbc9b96ebc8cc
2017-06-02 14:43:27 -07:00
Josh Gao
8ba3138adb Let fallback crash dumping write to dumpstate pipes.
Fix the following denial:
    avc: denied { append } for pid=1093 comm="mediaextractor" path="pipe:[68438]" dev="pipefs" ino=68438 scontext=u:r:mediaextractor:s0 tcontext=u:r:dumpstate:s0 tclass=fifo_file permissive=1 ppid=1 pcomm="init" pgid=1 pgcomm="init"

Bug: http://b/38444258
Test: none
Change-Id: I58162e3a28b744a58396e77d6b0e2becb5633d6a
(cherry picked from commit 5efadd91f3)
2017-05-24 14:23:51 -07:00
Josh Gao
5efadd91f3 Let fallback crash dumping write to dumpstate pipes.
Fix the following denial:
    avc: denied { append } for pid=1093 comm="mediaextractor" path="pipe:[68438]" dev="pipefs" ino=68438 scontext=u:r:mediaextractor:s0 tcontext=u:r:dumpstate:s0 tclass=fifo_file permissive=1 ppid=1 pcomm="init" pgid=1 pgcomm="init"

Bug: http://b/38444258
Test: none
Change-Id: I58162e3a28b744a58396e77d6b0e2becb5633d6a
2017-05-24 11:56:15 -07:00
Alex Vakulenko
c4055f0d04 SELinux policies for PDX services
Specify per-service rules for PDX transport. Now being able to
grant permissions to individual services provided by processes,
not all services of a process.

Also tighter control over which permissions are required for
client and server for individual components of IPC (endpoints,
channels, etc).

Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
Merged-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
2017-05-15 10:07:05 -07:00
Alex Vakulenko
41daa7f859 SELinux policies for PDX services
Specify per-service rules for PDX transport. Now being able to
grant permissions to individual services provided by processes,
not all services of a process.

Also tighter control over which permissions are required for
client and server for individual components of IPC (endpoints,
channels, etc).

Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
2017-05-10 16:39:19 -07:00
Dimitry Ivanov
bf030965f9 Allow getattr on tempfs files
This is needed by linker to be able to load libraries from memfd
which currently generated following denial:
avc: denied { getattr } for path=2F6D656D66643A666F6F626172202864656C6574656429 dev="tmpfs" ino=902079 scontext=u:r:shell:s0 tcontext=u:object_r:shell_tmpfs:s0 tclass=file permissive=0

Bug: http://b/37245203
Bug: http://b/37916741
Test: builds
Change-Id: I5b57b6cada50a62657c8daaaaaa56f1ee9cdb376
(cherry picked from commit a0d3ff8edd)
2017-05-04 00:35:47 -07:00
Dimitry Ivanov
a0d3ff8edd Allow getattr on tempfs files
This is needed by linker to be able to load libraries from memfd
which currently generated following denial:
avc: denied { getattr } for path=2F6D656D66643A666F6F626172202864656C6574656429 dev="tmpfs" ino=902079 scontext=u:r:shell:s0 tcontext=u:object_r:shell_tmpfs:s0 tclass=file permissive=0

Bug: http://b/37245203
Bug: http://b/37916741
Test: builds
Change-Id: I5b57b6cada50a62657c8daaaaaa56f1ee9cdb376
2017-05-03 21:52:18 -07:00
Alex Klyubin
53656c1742 Restrict access to hwservicemanager
This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494f1)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-21 09:54:53 -07:00
Alex Klyubin
d9745f3dec Unbreak user builds
This unbreaks user builds broken by recently landed changes to secilc
which is now aggressively removing attributes which aren't used in
allow rules, even when they are used in other places, such as being
referenced from *_contexts files.

User builds are broken by vndservice_manager_type not being found when
checkfc is run for *vndservice_contexts targets.

Test: On a clean user build: mmma system/sepolicy
Bug: 37319524
Bug: 36508258
Change-Id: I4a1727a74122ecd9020c3831462d56a65ee6d304
2017-04-13 14:17:32 -07:00
Alex Klyubin
4641f67215 Unbreak build
ag/2106481 negatively interfered with ag/2106263...

Test: mmm system/sepolicy
Bug: 34454312
Change-Id: If3f5ef6696341ccfdd706350ec670f8426dac9c9
2017-04-13 12:26:35 -07:00
Alex Klyubin
b866a957c0 Merge "Policy for Camera HAL HwBinder service" into oc-dev 2017-04-13 19:07:11 +00:00
Alex Klyubin
ab2c681fb1 Policy for Camera HAL HwBinder service
This adds restrictions on which domains can register this HwBinder
service with hwservicemanager and which domains can obtain tokens for
this service from hwservicemanager.

Test: Use Google Camera app to take HDR+ photo, conventional photo,
      record video with sound, record slow motion video with sound.
      Check that the photos display correctly and that videos play
      back fine and with sound. Check that there are no SELinux
      denials to do with camera.
Bug: 34454312
Change-Id: Icfaeed917423510d9f97d18b013775596883ff64
2017-04-13 10:31:04 -07:00
Alex Klyubin
22157e7a86 Treble devices use binderized HALs
All HALs which are represented by hal_* attributes in SELinux policy
are required to run in binderized mode on Treble devices. This commit
thus makes the SELinux policy for Treble devices no longer associate
domains in hal_x_client with hal_x attribute, which is what was
granting domains hosting clients of hal_x the rules needed to run this
HAL in-process. The result is that core components have now less
access.

This commit has no effect on non-Treble devices.

Test: Device boots -- no new denials
Test: Play movie using Google Play Movies and Netflix
Test: Play YouTube clip in YouTube app and in Chrome
Test: Unlock lock screen using fingerprint
Test: Using Google Camera, take a photo, an HDR+ photo, record a
      video with sound, a slow motion video with sound. Photos and
      videos display/play back fine (incl. sound).
Test: adb screencap
Test: $ monitor
      take screenshot
Test: In all tests, no deials to do with hal_*, except pre-existing
      denials to do with hal_gnss.
Bug: 37160141
Bug: 34274385
Bug: 34170079
Change-Id: I1ca91d43592b466114af13898f5909f41e59b521
2017-04-12 21:35:14 +00:00
Alex Klyubin
446279a6b9 Preserve treble-only flag for CTS neverallows
CTS includes general_sepolicy.conf built from this project. CTS then
tests this file's neverallow rules against the policy of the device
under test. Prior to this commit, neverallow rules which must be
enforced only for Treble devices we not included into
general_sepolicy.conf. As a result, these rules were not enforced for
Treble devices.

This commit fixes the issue as follows. Because CTS includes only one
policy, the policy now contains also the rules which are only for
Treble devices. To enable CTS to distinguish rules needed for all
devices from rules needed only on Treble devices, the latter rules are
contained in sections delimited with BEGIN_TREBLE_ONLY and
END_TREBLE_ONLY comments.

This commit also removes the unnecessary sepolicy.general target. This
target is not used anywhere and is causing trouble because it is
verifying neverallows of the policy meant to be used by CTS. This
policy can no longer be verified with checkpolicy without
conditionally including or excluding Treble-only neverallows.

Test: mmm system/sepolicy
Test: Device boots -- no new denials
Bug: 37082262
Change-Id: I15172a7efd9374543ba521e17aead1bdda7451bf
2017-04-07 12:22:10 -07:00
Sandeep Patil
277a20ebec sepolicy: relabel /vendor
The CL splits /vendor labeling from /system. Which was allowing all
processes read, execute access to /vendor.

Following directories will remain world readable
 /vendor/etc
 /vendor/lib(64)/hw/

Following are currently world readable but their scope
will be minimized to platform processes that require access
 /vendor/app
 /vendor/framework/
 /vendor/overlay

Files labelled with 'same_process_hal_file' are allowed to be
read + executed from by the world. This is for Same process HALs and
their dependencies.

Bug: 36527360
Bug: 36832490
Bug: 36681210
Bug: 36680116
Bug: 36690845
Bug: 36697328
Bug: 36696623
Bug: 36806861
Bug: 36656392
Bug: 36696623
Bug: 36792803

All of the tests were done on sailfish, angler, bullhead, dragon
Test: Boot and connect to wifi
Test: Run chrome and load websites, play video in youtube, load maps w/
      current location, take pictures and record video in camera,
      playback recorded video.
Test: Connect to BT headset and ensure BT audio playback works.
Test: OTA sideload using recovery
Test: CTS SELinuxHostTest pass

Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-05 13:58:32 -07:00
Steven Moreland
f20c6ee7ab Remove hal_binderization_prop
Test: works on internal marlin
Bug: 34274385
Change-Id: Idd35e5cdccb595b4e5994eb1d78fdeece0aec0a6
2017-04-04 10:24:36 -07:00
Steven Moreland
d40474ec55 Remove hal_binderization_prop
Test: works on internal marlin
Bug: 34274385
Change-Id: Idd35e5cdccb595b4e5994eb1d78fdeece0aec0a6
2017-04-04 09:46:45 -07:00