Commit graph

21 commits

Author SHA1 Message Date
Jeff Vander Stoep
44f06601e8 crash_dump: suppress denials on properties
Addresses:
avc: denied { read } for comm="crash_dump64"
name="u:object_r:bluetooth_prop:s0" dev="tmpfs" ino=17280
scontext=u:r:crash_dump:s0 tcontext=u:object_r:bluetooth_prop:s0
tclass=file

Test: build
Change-Id: I176038ea6add34b5277305073a20f9c1a930e74b
2019-02-07 08:45:15 -08:00
Nick Kralevich
5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00
Nick Kralevich
702fd0afac crash_dump: remove /system/bin/logcat execute permissions
Currently, crash_dump has the following line:

  read_logd(crash_dump)

which is a macro defined as:

  #####################################
  # read_logd(domain)
  # Ability to run logcat and read from android
  # log daemon via sockets
  define(`read_logd', `
  allow $1 logcat_exec:file rx_file_perms;
  unix_socket_connect($1, logdr, logd)
  ')

which grants both the ability to talk directly to a logd socket, as well
as the ability to execute the /system/bin/logcat command line tool.

This is unneeded (and problematic) for crash_dump. Crash_dump uses
standard, vndk approved libraries to talk directly to logd. It never
exec()s the (non-vndk approved) logcat command.

As crash_dump is a vndk approved component and executed by vendor code,
allowing this transitively makes /system/bin/logcat a vndk component
too, which we want to avoid.

Instead of using the read_logd() macro, just directly add the
unix_socket_connect() call. This allows talking directly to logd, but
blocks the use of the (unneeded) /system/bin/logcat executable.

Test: crasher binary still works when executed from adb shell
Change-Id: I1fe9d0f5f0234c96454a0d91338fa2656f083345
2018-09-13 14:26:14 -07:00
Jeff Vander Stoep
08aa715966 crash_dump: disallow ptrace of TCB components
Remove permissions and add neverallow assertion.

(cherry picked from commit f1554f1588)

Bug: 110107376
Test: kill -6 <components excluded from ptrace>
Change-Id: I2dc872f5c02749fbaf8ca6bc7e3e38404151442c
2018-08-28 08:28:25 -07:00
Joel Galenson
a3b3bdbb2f Widen crash_dump dontaudit.
We have seen crash_dump denials for radio_data_file,
shared_relro_file, shell_data_file, and vendor_app_file.  This commit
widens an existing dontaudit to include them as well as others that we
might see.

Test: Boot device.
Change-Id: I9ad2a2dafa8e73b13c08d0cc6886274a7c0e3bac
2018-04-10 09:55:11 -07:00
Jeff Vander Stoep
627ba82bc3 crashdump: cleanup logs
Suppress WAI denials from crashdump.

Test: build/flash Taimen. Verify no new denials.
Bug: 68319037
Change-Id: If39d057cb020def7afe89fd95e049e45cce2ae16
(cherry picked from commit cc0304cfc2)
2018-03-26 15:45:04 -07:00
Josh Gao
914a7fb95a crash_dump: allow reading from pipes.
Bug: http://b/63989615
Test: mma
Change-Id: I41506ecb0400867230502181c1aad7e51ce16d70
2017-12-06 11:05:54 -08:00
Benjamin Gordon
9b2e0cbeea sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-21 08:34:32 -07:00
Josh Gao
530e168c67 Add /dev/kmsg_debug.
am: 94e2a921cb

Change-Id: I3cb9bd4305fe3f6d720f757a232d4bb38de98895
2017-08-11 22:54:15 +00:00
Josh Gao
94e2a921cb Add /dev/kmsg_debug.
Add /dev/kmsg_debug on userdebug devices, to allow crash_dump to log
crashes to dmesg when logd isn't up yet (or is the one crashing).

Bug: http://b/36574794
Test: stop tombstoned; crasher; dmesg
Change-Id: I6ffe11bc613e88198893e82712719522b74fe1be
2017-08-11 13:25:43 -07:00
Josh Gao
e589330ebd Revert "Add /dev/kmsg_debug." am: 9ac5d01faa am: 032c6d61a3
am: 75b9963252

Change-Id: I272e173f63c6f30bfe5994e15fc4b0bf558535da
2017-05-26 15:26:49 +00:00
Josh Gao
9ac5d01faa Revert "Add /dev/kmsg_debug."
This reverts commit a015186fab.

Bug: http://b/62101480
Change-Id: I8e889e3d50cf1749168acc526f8a8901717feb46
2017-05-26 00:32:07 +00:00
Josh Gao
0f0cc480d7 Merge "Add /dev/kmsg_debug." am: b7cb45f0d2 am: 84a1cd0d87
am: 22e19a5c7f

Change-Id: I08ccaf6b7367b94c9dfb723b4756c803e9bfa56e
2017-04-10 21:13:11 +00:00
Josh Gao
a015186fab Add /dev/kmsg_debug.
Add /dev/kmsg_debug on userdebug devices, to allow crash_dump to log
crashes to dmesg when logd isn't up yet (or is the one crashing).

Bug: http://b/36574794
Test: stop tombstoned; crasher; dmesg
Change-Id: I249e11291c58fee77098dec3fd3271ea23363ac9
2017-04-06 14:07:02 -07:00
Sandeep Patil
277a20ebec sepolicy: relabel /vendor
The CL splits /vendor labeling from /system. Which was allowing all
processes read, execute access to /vendor.

Following directories will remain world readable
 /vendor/etc
 /vendor/lib(64)/hw/

Following are currently world readable but their scope
will be minimized to platform processes that require access
 /vendor/app
 /vendor/framework/
 /vendor/overlay

Files labelled with 'same_process_hal_file' are allowed to be
read + executed from by the world. This is for Same process HALs and
their dependencies.

Bug: 36527360
Bug: 36832490
Bug: 36681210
Bug: 36680116
Bug: 36690845
Bug: 36697328
Bug: 36696623
Bug: 36806861
Bug: 36656392
Bug: 36696623
Bug: 36792803

All of the tests were done on sailfish, angler, bullhead, dragon
Test: Boot and connect to wifi
Test: Run chrome and load websites, play video in youtube, load maps w/
      current location, take pictures and record video in camera,
      playback recorded video.
Test: Connect to BT headset and ensure BT audio playback works.
Test: OTA sideload using recovery
Test: CTS SELinuxHostTest pass

Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-05 13:58:32 -07:00
Josh Gao
5cbed955d3 crash_dump: allow appending to pipes.
Bug: http://b/34978531
Bug: http://b/35209835
Test: debuggerd -b `pidof zygote`
Change-Id: I0611cd4f8d4893740ef8787df09d296b2f7ed97f
2017-02-15 17:29:50 -08:00
Josh Gao
437d1c0534 crash_dump: allow read of APK files.
Fixes type=1400 audit(0.0:3901): avc: denied { open } for comm="crash_dump32" path="/data/app/com.chrome.canary-H8gGiCrQUqTZha2IybgrlA==/base.apk" dev="sda35" ino=1384523 scontext=u:r:crash_dump:s0:c522,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1

Bug: http://b/34978531
Change-Id: I0374145f71059c3f104055bf4e8dcf08b1101f2a
2017-02-14 16:13:10 -08:00
Josh Gao
943d7ed51e crash_dump: dontaudit CAP_SYS_PTRACE denial.
Bug: http://b/34853272
Test: debuggerd -b `pidof zygote`
Change-Id: I0b18117754e77cfa94cf0b95aff32edb578b1a95
2017-02-01 17:56:07 -08:00
Josh Gao
4d140237b5 crash_dump: don't allow CAP_SYS_PTRACE or CAP_KILL.
Bug: http://b/34853272
Test: debuggerd -b `pidof system_server`
Change-Id: I4c08efb9dfcc8610143f722ae0674578a2ed6869
2017-02-01 17:56:07 -08:00
Calin Juravle
01ee59a7b4 Remove SElinux audit to libart_file
Since it was introduced it caused quite a few issues and it spams the
SElinux logs unnecessary.

The end goal of the audit was to whitelist the access to the
interpreter. However that's unfeasible for now given the complexity.

Test: devices boots and everything works as expected
      no more auditallow logs

Bug: 29795519
Bug: 32871170
Change-Id: I9a7a65835e1e1d3f81be635bed2a3acf75a264f6
2017-01-31 23:43:14 +00:00
Josh Gao
cb3eb4eef9 Introduce crash_dump debugging helper.
Replace the global debuggerd with a per-process debugging helper that
gets exec'ed by the process that crashed.

Bug: http://b/30705528
Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>`
Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed
2017-01-18 15:03:24 -08:00