Linux kernel 4.14+ SELinux starts explicit map
permission check for file mmap operations. For backards
compat, add mmap in more places where we explicitly
list out individual file permissions.
Test: policy compiles
Change-Id: Idc4ca53769f2e7aa12ed93ab27191ed92da37a3e
Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.
This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.
This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:
-user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
For now, this newly introduced label has no usage, so this change
is essentially a no-op.
Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
filesystem upgrade.
Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
Several /odm/* symlinks are added in the following change, to fallback
to /vendor/odm/* when there is no /odm partition on the device.
https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/638159/
This change allows dexopt operations to 'getattr' those symlinks during
OTA.
Bug: 75287236
Test: boot a device
Change-Id: I2710ce5e2c47eb1a3432123ab49f1b6f3dcb4ffe
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.
Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
permissions.
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
The linker now requires getattr rights for the filesystem. Otherwise
linking otapreopt and patchoat/dex2oat will fail.
Bug: 37776530
Test: m
Test: manual OTA
Change-Id: I1351fbfa101beca4ba80f84b0dd9dbcabe2c9d39
The PackageManager now passes previous code paths to dex2oat as shared
libraries. dex2oat needs extra permissions in order to access and open
the oat files of these libraries (if they were compiled).
Part of a multi-project change.
Bug: 34169257
Test: cts-tradefed run singleCommand cts -d --module
CtsAppSecurityHostTestCases -t android.appsecurity.cts.SplitTests
(cherry-picked from commit 1103f963a7)
Change-Id: I3cf810ef5f4f4462f6082dc30d3a7b144dcce0d9
/vendor/framework is now designated location for vendor's platform
libraries. The directory is thus only made available for 'dex2oat'
coredomain.
Bug: 36680116
Test: Boot sailfish & angler and launch gApps, dialer w/ no denials for
'vendor_framework_file'
Change-Id: I24c2ec30f836330005a972ae20d839bef9dcb8aa
Signed-off-by: Sandeep Patil <sspatil@google.com>
The change makes 'vendor_app_file' accessible only to few platform
domains like dex2oat, idmap, installd, system_server and appdomain.
Bug: 36681210
Test: Boot sailfish (treble device) from wiped flashall
Test: Connect to wifi and launch chrome to load few websites.
Test: Launch camera and record + playback video
Change-Id: Ib8757fedbf2e19c8381c8cd0f8f2693b2345534b
Signed-off-by: Sandeep Patil <sspatil@google.com>
Remove system_file:file { lock ioctl } from domain_deprecated. The only
domains triggering this were dex2oat and netd, which are fixed in this
change.
Addresses the following logspam similar to:
avc: granted { lock } for comm="iptables"
path="/system/etc/xtables.lock" dev="sda22" ino=3745
scontext=u:r:netd:s0 tcontext=u:object_r:system_file:s0 tclass=file
avc: granted { lock } for comm="dex2oat"
path="/system/framework/arm/boot-okhttp.art" dev="dm-0" ino=1295
scontext=u:r:dex2oat:s0 tcontext=u:object_r:system_file:s0 tclass=file
Test: device boots and no obvious problems.
Bug: 28760354
Bug: 36879751
Change-Id: Iac851c0e49a52ce4000fdfe16e68c17ff819693f
Certain libraries may actually be links. Allow OTA dexopt to read
those links.
Bug: 25612095
Test: m
Change-Id: Iafdb899a750bd8d1ab56e5f6dbc09d836d5440ed
The secondary dex files are application dex files which gets reported
back to the framework when using BaseDexClassLoader.
Also, give dex2oat lock permissions as it needs to lock the profile
during compilation.
Example of SElinux denial:
03-15 12:38:46.967 7529 7529 I profman : type=1400 audit(0.0:225):
avc: denied { read } for
path="/data/data/com.google.android.googlequicksearchbox/files/velour/verified_jars/JDM5LaUbYP1JPOLzJ81GLzg_1.jar.prof"
dev="sda35" ino=877915 scontext=u:r:profman:s0
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1
Test: adb shell cmd package bg-dexopt-job works for sercondary dex files
Bug: 26719109
Change-Id: Ie1890d8e36c062450bd6c54f4399fc0730767dbf
The rules for the two types were the same and /data/app-ephemeral is
being removed. Remove these types.
Test: Builds
Change-Id: I520c026395551ad1362dd2ced53c601d9e6f9b28
Since it was introduced it caused quite a few issues and it spams the
SElinux logs unnecessary.
The end goal of the audit was to whitelist the access to the
interpreter. However that's unfeasible for now given the complexity.
Test: devices boots and everything works as expected
no more auditallow logs
Bug: 29795519
Bug: 32871170
Change-Id: I9a7a65835e1e1d3f81be635bed2a3acf75a264f6
This CLs adds SElinux policies necessary to compile secondary dex files.
When an app loads secondary dex files via the base class loader the
files will get reported to PM. During maintance mode PM will compile the
secondary dex files which were used via the standard installd model
(fork, exec, change uid and lower capabilities).
What is needed:
dexoptanalyzer - needs to read the dex file and the boot image in order
to decide if we need to actually comppile.
dex2oat - needs to be able to create *.oat files next to the secondary
dex files.
Test: devices boots
compilation of secondary dex files works without selinux denials
cmd package compile --secondary-dex -f -m speed
com.google.android.gms
Bug: 32871170
Change-Id: I038955b5bc9a72d49f6c24c1cb76276e0f53dc45
Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.
Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.
Test: Tested by building policy and running on device.
Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c