Commit graph

14 commits

Author SHA1 Message Date
Carmen Jackson
2c8ca45d2d Use a whitelisting strategy for tracefs.
This changes tracefs files to be default-enabled in debug mode, but
default-disabled with specific files enabled in user mode.

Bug: 64762598
Test: Successfully took traces in user mode.

Change-Id: I572ea22253e0c1e42065fbd1d2fd7845de06fceb
2018-02-05 10:03:06 -08:00
Andreas Gampe
7468db67f6 Sepolicy: Allow stack dumps of statsd
Allow dumpstate & system server watchdog to dump statsd stacks.

Bug: 72461610
Test: m
Change-Id: I4c3472881da253f85d54b5e5b767b06e2618af9c
2018-01-25 09:31:19 -08:00
Yao Chen
b10ff337bf Allow dumpstate to call statsd. This is needed for bugreport.
Selinux violations while calling dump() on statsd by bugreport.

avc: denied { call } for scontext=u:r:dumpstate:s0 tcontext=u:r:statsd:s0 tclass=binder permissive=1
denied { use } for path="pipe:[411602]" dev="pipefs" ino=411602 scontext=u:r:statsd:s0 tcontext=u:r:dumpstate:s0 tclass=fd permissive=1
avc: denied { write } for path="pipe:[411602]" dev="pipefs" ino=411602 scontext=u:r:statsd:s0 tcontext=u:r:dumpstate:s0 tclass=fifo_file permissive=1
avc: denied { getattr } for path="pipe:[411602]" dev="pipefs" ino=411602 scontext=u:r:statsd:s0 tcontext=u:r:dumpstate:s0 tclass=fifo_file permissive=1

Test: manual
Change-Id: I46c5b119548378cc80c6e4498d00edad5959d188
2018-01-19 09:21:49 -08:00
Vishnu Nair
2d6942d397 Add window trace files SELinux policy rules
- Allow system_server to create and write to /data/misc/wmtrace/*
- Allow surfaceflinger to create and write files from /data/misc/wmtrace/*
- Allow dumpstate to read files from /data/misc/wmtrace/*
permissions are restricted to userdebug or eng builds

Bug: 64831661

Test: adb shell cmd window tracing start && adb shell cmd window tracing stop
Test: adb shell su root service call SurfaceFlinger 1025 i32 1 >/dev/null && adb shell su root service call SurfaceFlinger 1025 i32 0 >/dev/null
Test: adb bugreport ~/tmp.zip && adb shell su root dmesg | grep 'avc: '

Change-Id: I0b15166560739d73d7749201f3ad197dbcf5791c
2017-11-17 17:17:36 +00:00
Steven Moreland
5b2ebd3b25 Revert "Add screencap domain."
This reverts commit 9216a6adc9.

Bug: 65206688

Merged-In: I8e61b77a1abe9543e4fba77defb8062407676fcf
Change-Id: I8e61b77a1abe9543e4fba77defb8062407676fcf
2017-09-05 10:08:09 -07:00
Steven Moreland
9216a6adc9 Add screencap domain.
Only seeing this denial in permissive:
allow shell screencap_exec:file getattr;

Bug: 37565047
Test: adb shell screencap w/o root
Test: cts-tradefed run cts-dev --module CtsAadbHostTestCases
Merged-In: I9f31d2067e002e7042646ee38dbfc06687481ac7
Change-Id: I9f31d2067e002e7042646ee38dbfc06687481ac7
2017-08-14 11:46:08 -07:00
Jeff Vander Stoep
b5da252e45 domain_deprecated is dead
long live domain.te!

Remove all references.

Bug: 28760354
Test: build
Merged-In: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
Change-Id: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
2017-07-28 22:01:46 +00:00
Jeff Vander Stoep
7c34e83fcd Move domain_deprecated into private policy
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Merged-In: I31beeb5bdf3885195310b086c1af3432dc6a349b
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
(cherry picked from commit 76aab82cb3)
2017-07-24 07:39:54 -07:00
Joel Scherpelz
5e901bbe89 Allow dumpstate to acquire xtables.lock
iptables recently changed its behavior to strictly require xtables.lock.
dumpstate selinux policy must be updated to allow access.

Bug: 37648320
Test: dumpstate succeeds with no avc: denied ... xtables.lock messages
Change-Id: Ic7e243739f375a60fa14fe67fac910d31d978ffd
(cherry picked from commit ca0979792f)
2017-04-25 16:22:11 +09:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
Keun-young Park
43e8fae079 allow dumpstate to collect ro.boottime.*
- necessary for analyzing early boot stage

bug: 35949319
Test: check captured bugreport for ro.boottime.* in SYSTEM PROPERTIES
Change-Id: I8826abd19ac00f169841b4a7ceeb68be3405d1b9
2017-03-03 13:13:25 -08:00
ynwang
e68d2d2c72 Storaged permissions for task I/O
Allow storaged to read /proc/[pid]/io
Grant binder access to storaged
Add storaged service
Grant storaged_exec access to dumpstate
Grant storaged binder_call to dumpstate

Bug: 32221677

Change-Id: Iecc9dba266c5566817a99ac6251eb943a0bac630
2017-01-07 01:12:51 +00:00
dcashman
2e00e6373f sepolicy: add version_policy tool and version non-platform policy.
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-12-06 08:56:02 -08:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00