Commit graph

16197 commits

Author SHA1 Message Date
Tom Cherry
09386d41a8 Move watchdogd out of init and into its own domain
am: d840374e65

Change-Id: I93264ded0479ab0e101d0449c2ff52b9a92e3d6e
2018-08-03 12:39:53 -07:00
Tom Cherry
d840374e65 Move watchdogd out of init and into its own domain
Bug: 73660730
Test: watchdogd still runs
Change-Id: I31697c7c6fa2f7009731ff48c659af051838e42f
2018-08-03 19:28:05 +00:00
Nick Kralevich
930614c7e6 Start partitioning off privapp_data_file from app_data_file
am: 23c9d91b46

Change-Id: Id99688b1e9b4d8d43eb1833904ac47c2796166ab
2018-08-02 21:27:57 -07:00
Nick Kralevich
23c9d91b46 Start partitioning off privapp_data_file from app_data_file
Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.

This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.

This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:

  -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
  +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user

For now, this newly introduced label has no usage, so this change
is essentially a no-op.

Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
      filesystem upgrade.

Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-02 16:29:02 -07:00
Tom Cherry
dada008159 Merge "Allow ueventd to insert modules"
am: b520169832

Change-Id: I03af3fbdecde072ab326ee47fd614f7340aeb908
2018-08-02 12:40:54 -07:00
Tom Cherry
b520169832 Merge "Allow ueventd to insert modules" 2018-08-02 19:22:35 +00:00
Alan Stokes
a8898820d6 Remove legacy execmod access.
am: 0f11ffccf9

Change-Id: I0f85ecb4a1dc6464becce64fb8539cd2f8e1a779
2018-08-02 06:59:12 -07:00
Alan Stokes
0f11ffccf9 Remove legacy execmod access.
Remove the exemptions for untrusted apps and broaden the neverallow so
they can't be reinstated. Modifying executable pages is unsafe. Text
relocations are not supported.

Bug: 111544476
Test: Builds.
Change-Id: Ibff4f34d916e000203e38574bb063513e4428bb7
2018-08-02 11:57:16 +01:00
Tom Cherry
13f118314c Merge "allow init to run fsck for early mount partitions"
am: 9c8d054639

Change-Id: I8976234923363b2d05f1369753a453b6077c06fb
2018-08-01 14:11:43 -07:00
Tom Cherry
9c8d054639 Merge "allow init to run fsck for early mount partitions" 2018-08-01 21:02:35 +00:00
Tom Cherry
52a80ac1f1 Allow ueventd to insert modules
avc:  denied  { sys_module } for comm="ueventd" capability=16 scontext=u:r:ueventd:s0 tcontext=u:r:ueventd:s0 tclass=capability
avc:  denied  { module_load } for  pid=581 comm="ueventd" path="/vendor/lib/modules/module.ko" dev="dm-2" ino=1381 scontext=u:r:ueventd:s0 tcontext=u:object_r:vendor_file:s0 tclass=system
avc:  denied  { search } for  pid=556 comm="ueventd" scontext=u:r:ueventd:s0 tcontext=u:r:kernel:s0 tclass=key

Bug: 111916071
Test: ueventd can insert modules
Change-Id: I2906495796c3655b5add19af8cf64458f753b891
2018-08-01 13:21:20 -07:00
Bowgo Tsai
7f16c35ed7 Merge "Allowing vold to search /mnt/vendor/*"
am: 209c9066f4

Change-Id: Ic09209f75efba3d76963411666df8bfbe9d7965f
2018-07-31 23:40:03 -07:00
Treehugger Robot
209c9066f4 Merge "Allowing vold to search /mnt/vendor/*" 2018-08-01 06:31:39 +00:00
Tom Cherry
47157353af allow init to run fsck for early mount partitions
Bug: 111883560
Test: fsck runs successfully during early mount
Change-Id: I697d0ab8ba51824d5c5062b48370a73438311566
2018-07-31 13:58:54 -07:00
Nick Kralevich
a343844dee Allow mmap for vendor_init
am: 99ceb07ec1

Change-Id: Idf1d381cee6ba9946b9185a7d5f4475303ad8062
2018-07-30 21:05:44 -07:00
Nick Kralevich
99ceb07ec1 Allow mmap for vendor_init
vendor_init needs to touch a bunch of files. Forgotten within this set
of permissions is the ability to mmap files.

Addresses the following denial:

  avc:  denied  { map } for  pid=1167 comm="init" path="/system/etc/selinux/plat_file_contexts" dev="vda1" ino=1845 scontext=u:r:vendor_init:s0 tcontext=u:object_r:file_contexts_file:s0 tclass=file permissive=0

While I'm here, add mmap() support to other areas where it's likely
needed.

Bug: 111742629
Test: make -j80, ran emulator
Change-Id: Icab00e45ae88f0d86be66d85a22e018af6ffcd75
2018-07-30 18:57:53 -07:00
Nick Kralevich
315f2fb260 Protect apps from ptrace by other system components
am: 84a42eadb2

Change-Id: Ib4e55bd3a56639c993314d3732b5dc406fbed0bd
2018-07-27 08:47:19 -07:00
Nick Kralevich
84a42eadb2 Protect apps from ptrace by other system components
The Android security model guarantees the confidentiality and integrity
of application data and execution state. Ptrace bypasses those
confidentiality guarantees. Disallow ptrace access from system components
to apps. Crash_dump is excluded, as it needs ptrace access to
produce stack traces.

Bug: 111317528
Test: code compiles
Change-Id: I883df49d3e9bca62952c3b33d1c691786dd7df4d
2018-07-25 23:49:30 -07:00
Jeff Vander Stoep
b1f4302819 Merge "OWNERS: add nnk and smoreland"
am: 719fa6db00

Change-Id: Iecca10575cadd8cd8e155f18eadbca4f93f37a2e
2018-07-25 13:12:12 -07:00
Treehugger Robot
719fa6db00 Merge "OWNERS: add nnk and smoreland" 2018-07-25 19:57:23 +00:00
Jeff Vander Stoep
904416562c OWNERS: add nnk and smoreland
Test: none
Change-Id: I5023f3f3f9362d456f30c81ec67580509101e81e
2018-07-25 10:10:40 -07:00
Bowgo Tsai
7b67a617dd Allowing vold to search /mnt/vendor/*
vold will trim rw mount points about daily, but it is denied by SELinux:

root   603   603 W Binder:603_2: type=1400 audit(0.0:11): avc: denied {
search } for name="vendor" dev="tmpfs" ino=23935 scontext=u:r:vold:s0
tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=0

Allowing vold to search /mnt/vendor/* to fix the denials.

Note that device-specific sepolicy needs to be extended to allow vold
to send FITRIM ioctl. e.g., for /mnt/vendor/persist, it needs:

    allow vold persist_file:dir { ioctl open read };

Bug: 111409607
Test: boot a device, checks the above denial is gone
Change-Id: Ia9f22d973e5a2e295678781de49a0f61fccd9dad
2018-07-25 10:18:42 +08:00
Yi Kong
59b5de0b43 Modernize codebase by replacing NULL with nullptr
am: 16544eb94f

Change-Id: I0790ed88b45665c9087562144a73cd0294cb4c31
2018-07-24 16:54:14 -07:00
Yi Kong
16544eb94f Modernize codebase by replacing NULL with nullptr
Fixes -Wzero-as-null-pointer-constant warning.

Test: m
Bug: 68236239
Change-Id: Ib3f0a25a5129c34d94ebebff818feb5e6fd349dd
2018-07-24 14:54:56 -07:00
Wale Ogunwale
c1ebd93528 Added sepolicy for uri_grants service
am: 3280985971

Change-Id: I17244cba89aa30d1fa560648f618e21d320ed87c
2018-07-23 17:36:57 -07:00
Wale Ogunwale
3280985971 Added sepolicy for uri_grants service
Bug: 80414790
Test: boots
Change-Id: I15233721fa138e0fdf1a30f66d52b64cbab18b81
2018-07-23 15:31:40 -07:00
Tri Vo
f832f2149d 28 mapping workaround for devices upgrading to P.
am: 0cc68ea0b2

Change-Id: Ie3d39420403eaba08ccfd2c3f3fb42a9594f07e6
2018-07-22 19:27:05 -07:00
Tri Vo
0cc68ea0b2 28 mapping workaround for devices upgrading to P.
Bug: 72458734
Test: Compile current system sepolicy with P vendor sepolicy
Test: Plug in a P device then do:
m selinux_policy
cp $OUT/system/etc/selinux/plat_sepolicy.cil  plat_sepolicy.cil
cp $ANDROID_BUILD_TOP/system/sepolicy/private/compat/28.0/28.0.cil 28.0.cil
adb pull /vendor/etc/selinux/plat_pub_versioned.cil
adb pull /vendor/etc/selinux/vendor_sepolicy.cil
secilc plat_sepolicy.cil -m -M true -G -N -c 30 28.0.cil \
plat_pub_versioned.cil vendor_sepolicy.cil
Change-Id: I399b3a204eb94bee0ba1b5024b1c3463219c678e
2018-07-20 15:19:36 -07:00
Alan Stokes
95b223b46f Merge "Re-order rules to match AOSP." into stage-aosp-master 2018-07-20 14:37:53 +00:00
Alan Stokes
a55f637a3d Temporarily add auditing of execmod by apps.
am: 708aa90dd2

Change-Id: I4a0fdea7adead3baceb089644ed37a0c479d2e62
2018-07-20 06:52:41 -07:00
Alan Stokes
c2aad29d05 Re-order rules to match AOSP.
This is to avoid merge problems if we make any further changes in AOSP.

Test: Builds.
Change-Id: Ib4193d31c02dda300513f82f6c7426a2e81d8111
2018-07-20 13:32:30 +00:00
Alan Stokes
708aa90dd2 Temporarily add auditing of execmod by apps.
This is so we can get data on which apps are actually doing this.

Bug: 111544476
Test: Device boots. No audits seen on test device.
Change-Id: I5f72200ed8606775904d353c4d3d790373fe7dea
2018-07-20 12:40:29 +01:00
Tri Vo
6c32e0624f Merge "Add mapping files for 28.0.[ignore.]cil"
am: 13e60ed1fa

Change-Id: I5b19874975830ddcb2765851544eebc9848d3df4
2018-07-19 18:03:05 -07:00
Tri Vo
13e60ed1fa Merge "Add mapping files for 28.0.[ignore.]cil" 2018-07-20 00:56:27 +00:00
Jae Shin
1fa9634896 Add mapping files for 28.0.[ignore.]cil
Steps taken to produce the mapping files:

1. Add prebuilts/api/28.0/[plat_pub_versioned.cil|vendor_sepolicy.cil]
from the /vendor/etc/selinux/[plat_pub_versioned.cil|vendor_sepolicy.cil]
files built on pi-dev with lunch target aosp_arm64-eng

2. Add new file private/compat/28.0/28.0.cil by doing the following:
- copy /system/etc/selinux/mapping/28.0.cil from pi-dev aosp_arm64-eng
device to private/compat/28.0/28.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 28 sepolicy.
Find all such types using treble_sepolicy_tests_28.0 test.
- for all these types figure out where to map them by looking at
27.0.[ignore.]cil files and add approprite entries to 28.0.[ignore.]cil.

This change also enables treble_sepolicy_tests_28.0 and install 28.0.cil
mapping onto the device.

Bug: 72458734
Test: m selinux_policy
Change-Id: I90e17c0b43af436da4b62c16179c198b5c74002c
2018-07-18 20:08:38 -07:00
TreeHugger Robot
39f114d79d Merge changes from topic "selinux_cherry_picks" into stage-aosp-master
* changes:
  remove thermalcallback_hwservice
  reorder api 27 compat entries for removed types to match AOSP
2018-07-19 00:21:31 +00:00
Jeff Vander Stoep
7f6087c972 app: exempt su from auditallow statement
am: f95bf194c1

Change-Id: Idcdcb03b7764a6f0f3a7dd2d3110ed5f7166b772
2018-07-18 16:21:00 -07:00
Todd Poynor
c3e9ff90d3 remove thermalcallback_hwservice
This hwservice isn't registered with hwservicemanager but rather passed
to the thermal hal, so it doesn't need sepolicy associated with it to
do so.

Test: manual: boot, inspect logs
Test: VtsHalThermalV1_1TargetTest
Bug: 109802374
Change-Id: Ifb727572bf8eebddc58deba6c0ce513008e01861
Merged-In: Ifb727572bf8eebddc58deba6c0ce513008e01861
(cherry picked from commit c6afcb7fc0)
2018-07-18 16:18:50 -07:00
Todd Poynor
d1ff81c2a7 reorder api 27 compat entries for removed types to match AOSP
Avoids subsequent merge conflicts in this section of the file.

Test: manual: compile
Change-Id: I9af723dccff54039031dc4d8f3e5ee34be5960d1
Merged-In: I9af723dccff54039031dc4d8f3e5ee34be5960d1
(cherry picked from commit 6682530515)
2018-07-18 16:17:40 -07:00
Jeff Vander Stoep
f95bf194c1 app: exempt su from auditallow statement
Cut down on logspam during kernel_net_tests

Test: /data/nativetest64/kernel_net_tests/kernel_net_tests
Change-Id: Id19f50caebc09711f80b7d5f9d87be103898dd9a
2018-07-18 21:21:46 +00:00
Tri Vo
690de22d48 resolve merge conflicts of d07ab2fe93 to stage-aosp-master
BUG: None
Test: I solemnly swear I tested this conflict resolution.
Change-Id: I58fff9dc7826eb60520b087d08ecd931cba63bf0
2018-07-18 13:08:55 -07:00
Tri Vo
d07ab2fe93 Merge "Add 28.0 prebuilts" 2018-07-18 18:31:23 +00:00
Steven Thomas
4b3ec1984e Merge "Selinux changes for vr flinger vsync service"
am: 663a827b47

Change-Id: Icc345eda8c645065cc30f14fe4d3de07ba888c25
2018-07-17 16:21:34 -07:00
Treehugger Robot
663a827b47 Merge "Selinux changes for vr flinger vsync service" 2018-07-17 23:15:13 +00:00
Tri Vo
afdfeeb506 Add 28.0 prebuilts
Bug: n/a
Test: n/a
Change-Id: I11e6baaa45bcb01603fc06e8a16002727f4e5a00
2018-07-17 15:31:47 -07:00
Josh Gao
98545f075c system_server: allow appending to debuggerd -j pipe.
am: 5ca755e05e

Change-Id: I92b326f5f1c9f1db083c329ecc8eca952039dc06
2018-07-17 15:25:36 -07:00
Josh Gao
5ca755e05e system_server: allow appending to debuggerd -j pipe.
Test: debuggerd -j `pidof system_server`
Change-Id: I6cca98b20ab5a135305b91cbb7c0fe7b57872bd3
2018-07-17 12:46:01 -07:00
Yifan Hong
65c568d0dd perfprofd: talk to health HAL.
Test: perfprofd tests
Bug: 110890430
Change-Id: I0f7476d76b8d35b6b48fe6b77544ca8ccc71534d
2018-07-17 11:37:26 -07:00
Steven Thomas
7bec967402 Selinux changes for vr flinger vsync service
Add selinux policy for the new Binder-based vr flinger vsync service.

Bug: 72890037

Test: - Manually confirmed that I can't bind to the new vsync service
from a normal Android application, and system processes (other than
vr_hwc) are prevented from connecting by selinux.

- Confirmed the CTS test
  android.security.cts.SELinuxHostTest#testAospServiceContexts, when
  built from the local source tree with this CL applied, passes.

- Confirmed the CTS test
  android.cts.security.SELinuxNeverallowRulesTest#testNeverallowRules521,
  when built from the local source tree with this CL applied, passes.

Change-Id: Ib7a6bfcb1c2ebe1051f3accc18b481be1b188b06
2018-07-13 17:17:01 -07:00
Yifan Hong
c74c0fbb34 Merge changes from topic "coredomain_batteryinfo"
am: 6397d7e0cb

Change-Id: I88c793acd19ce05e275d6f2883f90540f37d52b6
2018-07-13 12:42:47 -07:00