Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.
This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.
This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:
-user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
For now, this newly introduced label has no usage, so this change
is essentially a no-op.
Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
filesystem upgrade.
Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
Remove the exemptions for untrusted apps and broaden the neverallow so
they can't be reinstated. Modifying executable pages is unsafe. Text
relocations are not supported.
Bug: 111544476
Test: Builds.
Change-Id: Ibff4f34d916e000203e38574bb063513e4428bb7
vendor_init needs to touch a bunch of files. Forgotten within this set
of permissions is the ability to mmap files.
Addresses the following denial:
avc: denied { map } for pid=1167 comm="init" path="/system/etc/selinux/plat_file_contexts" dev="vda1" ino=1845 scontext=u:r:vendor_init:s0 tcontext=u:object_r:file_contexts_file:s0 tclass=file permissive=0
While I'm here, add mmap() support to other areas where it's likely
needed.
Bug: 111742629
Test: make -j80, ran emulator
Change-Id: Icab00e45ae88f0d86be66d85a22e018af6ffcd75
The Android security model guarantees the confidentiality and integrity
of application data and execution state. Ptrace bypasses those
confidentiality guarantees. Disallow ptrace access from system components
to apps. Crash_dump is excluded, as it needs ptrace access to
produce stack traces.
Bug: 111317528
Test: code compiles
Change-Id: I883df49d3e9bca62952c3b33d1c691786dd7df4d
vold will trim rw mount points about daily, but it is denied by SELinux:
root 603 603 W Binder:603_2: type=1400 audit(0.0:11): avc: denied {
search } for name="vendor" dev="tmpfs" ino=23935 scontext=u:r:vold:s0
tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=0
Allowing vold to search /mnt/vendor/* to fix the denials.
Note that device-specific sepolicy needs to be extended to allow vold
to send FITRIM ioctl. e.g., for /mnt/vendor/persist, it needs:
allow vold persist_file:dir { ioctl open read };
Bug: 111409607
Test: boot a device, checks the above denial is gone
Change-Id: Ia9f22d973e5a2e295678781de49a0f61fccd9dad
This is so we can get data on which apps are actually doing this.
Bug: 111544476
Test: Device boots. No audits seen on test device.
Change-Id: I5f72200ed8606775904d353c4d3d790373fe7dea
Steps taken to produce the mapping files:
1. Add prebuilts/api/28.0/[plat_pub_versioned.cil|vendor_sepolicy.cil]
from the /vendor/etc/selinux/[plat_pub_versioned.cil|vendor_sepolicy.cil]
files built on pi-dev with lunch target aosp_arm64-eng
2. Add new file private/compat/28.0/28.0.cil by doing the following:
- copy /system/etc/selinux/mapping/28.0.cil from pi-dev aosp_arm64-eng
device to private/compat/28.0/28.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 28 sepolicy.
Find all such types using treble_sepolicy_tests_28.0 test.
- for all these types figure out where to map them by looking at
27.0.[ignore.]cil files and add approprite entries to 28.0.[ignore.]cil.
This change also enables treble_sepolicy_tests_28.0 and install 28.0.cil
mapping onto the device.
Bug: 72458734
Test: m selinux_policy
Change-Id: I90e17c0b43af436da4b62c16179c198b5c74002c
This hwservice isn't registered with hwservicemanager but rather passed
to the thermal hal, so it doesn't need sepolicy associated with it to
do so.
Test: manual: boot, inspect logs
Test: VtsHalThermalV1_1TargetTest
Bug: 109802374
Change-Id: Ifb727572bf8eebddc58deba6c0ce513008e01861
Merged-In: Ifb727572bf8eebddc58deba6c0ce513008e01861
(cherry picked from commit c6afcb7fc0)
Avoids subsequent merge conflicts in this section of the file.
Test: manual: compile
Change-Id: I9af723dccff54039031dc4d8f3e5ee34be5960d1
Merged-In: I9af723dccff54039031dc4d8f3e5ee34be5960d1
(cherry picked from commit 6682530515)
Cut down on logspam during kernel_net_tests
Test: /data/nativetest64/kernel_net_tests/kernel_net_tests
Change-Id: Id19f50caebc09711f80b7d5f9d87be103898dd9a
Add selinux policy for the new Binder-based vr flinger vsync service.
Bug: 72890037
Test: - Manually confirmed that I can't bind to the new vsync service
from a normal Android application, and system processes (other than
vr_hwc) are prevented from connecting by selinux.
- Confirmed the CTS test
android.security.cts.SELinuxHostTest#testAospServiceContexts, when
built from the local source tree with this CL applied, passes.
- Confirmed the CTS test
android.cts.security.SELinuxNeverallowRulesTest#testNeverallowRules521,
when built from the local source tree with this CL applied, passes.
Change-Id: Ib7a6bfcb1c2ebe1051f3accc18b481be1b188b06