Commit graph

18 commits

Author SHA1 Message Date
Nick Kralevich
bedfb22ab9 more mmaps
Linux kernel 4.14+ SELinux starts explicit map
permission check for file mmap operations. For backards
compat, add mmap in more places where we explicitly
list out individual file permissions.

Test: policy compiles
Change-Id: Idc4ca53769f2e7aa12ed93ab27191ed92da37a3e
2018-08-13 10:37:56 -07:00
Nick Kralevich
23c9d91b46 Start partitioning off privapp_data_file from app_data_file
Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.

This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.

This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:

  -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
  +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user

For now, this newly introduced label has no usage, so this change
is essentially a no-op.

Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
      filesystem upgrade.

Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-02 16:29:02 -07:00
Jiyong Park
a6d9d6b68a Reland "Allow dexopt to follow /odm/lib(64) symlinks.""
This reverts commit 942500b910.

Bug: 75287236
Test: boot a device
Change-Id: If81a2d2a46979ffbd536bb95528c3b4ebe3483df
2018-04-02 10:43:22 +09:00
Bowgo Tsai
942500b910 Revert "Allow dexopt to follow /odm/lib(64) symlinks."
This reverts commit 88cd813fe2.

Bug: 75287236
Test: boot a device
Change-Id: Id1bc324e7bd0722065d8a410af31fd6b7aaa9d1c
2018-03-20 09:03:57 +08:00
Bowgo Tsai
88cd813fe2 Allow dexopt to follow /odm/lib(64) symlinks.
Several /odm/* symlinks are added in the following change, to fallback
to /vendor/odm/* when there is no /odm partition on the device.

  https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/638159/

This change allows dexopt operations to 'getattr' those symlinks during
OTA.

Bug: 75287236
Test: boot a device
Change-Id: I2710ce5e2c47eb1a3432123ab49f1b6f3dcb4ffe
2018-03-19 13:29:06 +08:00
Jeff Vander Stoep
76aab82cb3 Move domain_deprecated into private policy
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
2017-05-15 13:37:59 -07:00
Andreas Gampe
bddd189394 Sepolicy: Fix new access from the linker for postinstall
The linker now requires getattr rights for the filesystem. Otherwise
linking otapreopt and patchoat/dex2oat will fail.

Bug: 37776530
Test: m
Test: manual OTA
Change-Id: I1351fbfa101beca4ba80f84b0dd9dbcabe2c9d39
2017-04-28 17:34:41 -07:00
Jeff Hao
37f5c2d9eb Add dex2oat permissions to open and read the tmp apk.
The PackageManager now passes previous code paths to dex2oat as shared
libraries. dex2oat needs extra permissions in order to access and open
the oat files of these libraries (if they were compiled).

Part of a multi-project change.

Bug: 34169257
Test: cts-tradefed run singleCommand cts -d --module
CtsAppSecurityHostTestCases -t android.appsecurity.cts.SplitTests

(cherry-picked from commit 1103f963a7)

Change-Id: I3cf810ef5f4f4462f6082dc30d3a7b144dcce0d9
2017-04-19 11:00:34 -07:00
Sandeep Patil
df679fdbd9 sepolicy: restrict access for /vendor/framework.
/vendor/framework is now designated location for vendor's platform
libraries. The directory is thus only made available for 'dex2oat'
coredomain.

Bug: 36680116
Test: Boot sailfish & angler and launch gApps, dialer w/ no denials for
      'vendor_framework_file'

Change-Id: I24c2ec30f836330005a972ae20d839bef9dcb8aa
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-06 13:28:16 -07:00
Sandeep Patil
1b5f81a2d2 sepolicy: restrict /vendor/app from most coredomains
The change makes 'vendor_app_file' accessible only to few platform
domains like dex2oat, idmap, installd, system_server and appdomain.

Bug: 36681210
Test: Boot sailfish (treble device) from wiped flashall
Test: Connect to wifi and launch chrome to load few websites.
Test: Launch camera and record + playback video

Change-Id: Ib8757fedbf2e19c8381c8cd0f8f2693b2345534b
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-06 13:28:12 -07:00
Nick Kralevich
4a580ccabb Fix lock logspam and remove domain_deprecated rule
Remove system_file:file { lock ioctl } from domain_deprecated. The only
domains triggering this were dex2oat and netd, which are fixed in this
change.

Addresses the following logspam similar to:

  avc: granted { lock } for comm="iptables"
  path="/system/etc/xtables.lock" dev="sda22" ino=3745
  scontext=u:r:netd:s0 tcontext=u:object_r:system_file:s0 tclass=file

  avc: granted { lock } for comm="dex2oat"
  path="/system/framework/arm/boot-okhttp.art" dev="dm-0" ino=1295
  scontext=u:r:dex2oat:s0 tcontext=u:object_r:system_file:s0 tclass=file

Test: device boots and no obvious problems.
Bug: 28760354
Bug: 36879751
Change-Id: Iac851c0e49a52ce4000fdfe16e68c17ff819693f
2017-04-04 18:37:28 -07:00
Andreas Gampe
3cc71b09d6 Sepolicy: Allow postinstall to read links
Certain libraries may actually be links. Allow OTA dexopt to read
those links.

Bug: 25612095
Test: m
Change-Id: Iafdb899a750bd8d1ab56e5f6dbc09d836d5440ed
2017-03-17 10:08:52 -07:00
Calin Juravle
ebcec9b8bb Allow profman to analyze profiles for the secondary dex files
The secondary dex files are application dex files which gets reported
back to the framework when using BaseDexClassLoader.

Also, give dex2oat lock permissions as it needs to lock the profile
during compilation.

Example of SElinux denial:
03-15 12:38:46.967  7529  7529 I profman : type=1400 audit(0.0:225):
avc: denied { read } for
path="/data/data/com.google.android.googlequicksearchbox/files/velour/verified_jars/JDM5LaUbYP1JPOLzJ81GLzg_1.jar.prof"
dev="sda35" ino=877915 scontext=u:r:profman:s0
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1

Test: adb shell cmd package bg-dexopt-job works for sercondary dex files
Bug: 26719109
Change-Id: Ie1890d8e36c062450bd6c54f4399fc0730767dbf
2017-03-15 18:47:13 -07:00
Chad Brubaker
4c40d7344c Merge ephemeral data and apk files into app
The rules for the two types were the same and /data/app-ephemeral is
being removed. Remove these types.

Test: Builds
Change-Id: I520c026395551ad1362dd2ced53c601d9e6f9b28
2017-02-06 10:16:50 -08:00
Calin Juravle
01ee59a7b4 Remove SElinux audit to libart_file
Since it was introduced it caused quite a few issues and it spams the
SElinux logs unnecessary.

The end goal of the audit was to whitelist the access to the
interpreter. However that's unfeasible for now given the complexity.

Test: devices boots and everything works as expected
      no more auditallow logs

Bug: 29795519
Bug: 32871170
Change-Id: I9a7a65835e1e1d3f81be635bed2a3acf75a264f6
2017-01-31 23:43:14 +00:00
Calin Juravle
e5a1f64a2e SElinux policies for compiling secondary dex files
This CLs adds SElinux policies necessary to compile secondary dex files.

When an app loads secondary dex files via the base class loader the
files will get reported to PM. During maintance mode PM will compile the
secondary dex files which were used via the standard installd model
(fork, exec, change uid and lower capabilities).

What is needed:
dexoptanalyzer - needs to read the dex file and the boot image in order
to decide if we need to actually comppile.
dex2oat - needs to be able to create *.oat files next to the secondary
dex files.

Test: devices boots
      compilation of secondary dex files works without selinux denials
      cmd package compile --secondary-dex -f -m speed
com.google.android.gms

Bug: 32871170
Change-Id: I038955b5bc9a72d49f6c24c1cb76276e0f53dc45
2017-01-24 14:28:07 -08:00
Chad Brubaker
6f090f6911 Label ephemeral APKs and handle their install/uninstall
Fixes: 32061937
Test: install/uninstall and verified no denials
Change-Id: I487727b6b32b1a0fb06ce66ed6dd69db43c8d536
2016-11-12 00:27:28 +00:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00
Renamed from dex2oat.te (Browse further)