Commit graph

75 commits

Author SHA1 Message Date
YH_Lin
a5ff1bae61 sepolicy: add sepolicy rules for vold to write sysfs gc_urgent
03-22 02:01:02.656   561   561 W Binder:561_4: type=1400 audit(0.0:1895354): avc: denied { write } for name="gc_urgent" dev="sysfs" ino=76829 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_fs_f2fs:s0 tclass=file permissive=0

Test: adb shell sm idle-maint run
Bug: 128935241

Change-Id: I2ae5477c9e605e6d1060565cacc520d696469af2
Signed-off-by: YH_Lin <yhli@google.com>
2019-03-24 13:19:46 +08:00
Martijn Coenen
1f1c4c3fa5 Allow apexd to talk to vold.
To query filesystem checkpointing state.

Bug: 126740531
Test: no denials
Change-Id: I28a68b9899d7cb42d7e557fb904a2bf8fa4ecf66
2019-03-14 07:23:40 +00:00
Tri Vo
5b60eb6397 vold: write permission to sysfs_devices_block
vold needs write permissions for /sys/block/*/uevent to perform a
coldboot.
https://android.googlesource.com/platform/system/vold/+/refs/heads/master/main.cpp#139

This denial is seen on cuttlefish:
avc: denied { write } for name=uevent dev=sysfs ino=11649
scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_devices_block:s0
tclass=file permissive=1

Pixel devices resolve this denial in device policy, but since coldboot
is performed from platform code, the corresponding permission should be
in /system/sepolicy

Bug: 28053261
Test: boot cuttlefish without above denial
Change-Id: I2de08db603e2d287e8021af70ee8e69266d7736f
2019-03-11 13:36:56 -07:00
Tri Vo
a532088e7f Decouple system_suspend from hal attributes.
System suspend service is not a HAL, so avoid using HAL-specific macros
and attributes.

Use system_suspend_server attribute for ISystemSuspend.hal permissions.
Use system_suspend type directly for internal .aidl interface
permissions.

Bug: 126259100
Test: m selinux_policy
Test: blueline boots; wakelocks can still be acquired; device suspends
if left alone.
Change-Id: Ie811e7da46023705c93ff4d76d15709a56706714
2019-02-26 18:10:28 -08:00
Paul Lawrence
84e87b8753 Allow restorecon to work on vold_data_files
Bug: 119769411
Test: Compiles with rule needed to fix Wahoo
Change-Id: Ifad4c285815682a107013479850f2a63c894c855
2019-02-12 14:43:08 -08:00
David Anderson
db90b91ea0 Full sepolicy for gsid.
Bug: 122556707
Test: manual test
Change-Id: I2536deefb3aa75deee4aeae7df074349b705b0f0
2019-02-08 05:56:58 +00:00
Daniel Rosenberg
650981d2a8 Allow update_verifier to call checkpointing
This lets update_verifier call supportsCheckpoint to defer marking the
boot as successful when we may end up failing before we would commit
the checkpoint. In this case, we will mark the boot as successful just
before committing the checkpoint.

Test: Check that marking the boot as succesful was deferred in
      update_verifier, and done later on.
Change-Id: I9b4f3dd607ff5301860e78f4604b600b4ee416b7
2019-02-08 00:19:28 +00:00
Joel Galenson
fb0ab2e14e Hide denial seen during boot.
Test: Build.
Change-Id: Iae56f10eb4257bb0970906cb77b19d0b00c9d2be
2019-02-06 15:32:58 -08:00
Tri Vo
73d0a67b06 sepolicy for ashmemd
all_untrusted_apps apart from untrusted_app_{25, 27} and mediaprovider
are now expected to go to ashmemd for /dev/ashmem fds.

Give coredomain access to ashmemd, because ashmemd is the default way
for coredomain to get a /dev/ashmem fd.

Bug: 113362644
Test: device boots, ashmemd running
Test: Chrome app works
Test: "lsof /system/lib64/libashmemd_client.so" shows
libashmemd_client.so being loaded into apps.
Change-Id: I279448c3104c5d08a1fefe31730488924ce1b37a
2019-02-05 21:38:14 +00:00
Sudheer Shanka
f0abbf9798 Allow vold to create files at /mnt/user/.*
Bug: 121099965
Test: manual
Change-Id: I940868eb984399763d7346a201e37cb07fb12333
2018-12-20 12:01:54 -08:00
Martijn Coenen
d7bf9218a0 Allow apexd to write to sysfs loop device parameters.
To configure read-ahead on loop devices, eg.
/sys/devices/virtual/block/loop0/queue/read_ahead_kb

Bug: 120776455
Test: configuring read-ahead on loop devices works from apexd
Change-Id: Ib25372358e8ca62fa634daf286e4b64e635fac58
2018-12-20 03:05:50 +01:00
Paul Crowley
90e68e929c Remove overpermissive neverallow exceptions.
Test: Compiles - neverallow rules are compile time checks
Change-Id: I2e1177897d2697cde8a190228ba83381d9a1877a
2018-12-12 14:55:18 -08:00
Paul Crowley
f9f7539430 Abolish calls to shell in vold
Never use popen, just execvp directly

Test: Two tests
- Ensure Marlin device boots and vold_prepare_subdirs is called
successfully
- Try adb shell sm set-virtual-disk true, see that eg sgdisk output is
logged.
Bug: 26735063
Bug: 113796163

Change-Id: Icb34140429db85098a0118a2b833772e3620e7ac
2018-11-30 16:02:04 -08:00
Daniel Rosenberg
478ca55bfe Allow vold to remount
remount is needed for commiting checkpoints under f2fs

Test: vdc checkpoint commitChanges
Bug: 111020314
Change-Id: If7d4ab641b59d3e942d9d8a72bd91be08680227b
2018-11-27 21:17:59 +00:00
Nick Kralevich
536d3413b8 use hal_bootctl_server in neverallow rule
Hals have 3 attributes associated with them, the attribute itself, the
_client attribute, and the _server attribute. Only the server attribute
isn't expanded using the expandattribute keyword, and as a result, is
the only attribute which can be used in neverallow rules.

Fix neverallow rule to use hal_bootctl_server, which is not expanded,
instead of hal_bootctl.

Introduced in: https://android-review.googlesource.com/c/platform/system/sepolicy/+/777178

Test: policy compiles
Bug: 119500144
Change-Id: I8cff9cc03f4c30704175afb203c68f237fbd61ca
2018-11-26 23:17:28 -08:00
Nick Kralevich
1c5d223b16 vold: remove access to /proc/net files
The auditallow added in commit
7a4af30b38 ("Start the process of locking
down proc/net", May 04 2018), has not been triggered. This is safe to
delete.

Test: Policy compiles
Test: no collected SELinux denials
Bug: 68016944
Change-Id: Ib45519b91742d09e7b93bbaf972e558848691a80
2018-11-16 17:46:56 -08:00
Nick Kralevich
fefc887eda vold: allow ioctls BLKDISCARD and BLKGETSIZE
BLKDISCARD is used by vold while wiping block devices
b2455747a9/Utils.cpp (619)

BLKGETSIZE is used to determine the size of the block device. Ideally
code should not be using this ioctl, as it fails for devices >= 2T in
size. Vold indirectly uses this when executing /system/bin/newfs_msdos.
Arguably this is a bug in newfs_msdos, as BLKGETSIZE64 should be used
instead.
Code: 0c7e133c7f/mkfs_msdos.c (845)

Addresses the following denials:

audit(0.0:24): avc: denied { ioctl } for comm="Binder:588_2" path="/dev/block/vold/public:7,9" dev="tmpfs" ino=106407 ioctlcmd=1277 scontext=u:r:vold:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0
audit(0.0:25): avc: denied { ioctl } for comm="newfs_msdos" path="/dev/block/vold/public:7,9" dev="tmpfs" ino=106407 ioctlcmd=1260 scontext=u:r:vold:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0

Test: policy compiles.
Bug: 119562530
Change-Id: Ib7198daf150d6f2578545a6a402e0313069ea2b4
2018-11-14 13:01:00 -08:00
Risan
0c1848b170 SELinux changes for AppFuse
We are moving AppFuse mount from system_server's mount namespace to
vold. Hence, we could reduce the SELinux permissions given to
system_server, in the expense of adding allow rules to vold and
letting appdomain have access to vold's fd.

Bug: 110379912
Test: testOpenProxyFileDescriptor passes (after vold and
system_server code changes)

Change-Id: I827a108bd118090542354360a8c90b295e6a0fef
2018-11-13 22:45:51 +00:00
Nick Kralevich
c4cf98605d Revert "SELinux changes for AppFuse"
This reverts commit 67ed4328eb.

Reason for revert: Broken CTS test. See b/118642091

Bug: 118642091
Bug: 110379912
Change-Id: I5afd16bf23149c74f2740720cdd248a255ff1497
2018-10-30 03:30:55 +00:00
Jeff Sharkey
f2cad2d92b vold does more than LOOP_GET_STATUS64.
Update the "allowxperm" to reflect the various ioctl() performed in
the vold source code.

Bug: 118437832
Test: atest android.os.storage.cts.StorageManagerTest
Change-Id: Ide3a09104d8b4ce7fa2b7e23e9b215139186f595
2018-10-27 16:56:55 -06:00
Risan
67ed4328eb SELinux changes for AppFuse
We are moving AppFuse mount from system_server's mount namespace to
vold. Hence, we could reduce the SELinux permissions given to
system_server, in the expense of adding allow rules to vold and
letting appdomain have access to vold's fd.

Bug: 110379912
Test: testOpenProxyFileDescriptor passes (after vold and
system_server code changes)

Change-Id: I4731a8ec846c5cb84ec4b680d51938494e8ddd75
2018-10-26 19:45:50 +00:00
Nick Kralevich
787fc8d0e6 vold.te: allow BLKSECDISCARD
vold needs to securely delete content from various block devices. Allow
it.

Addresses the following denials:

type=1400 audit(0.0:66): avc: denied { ioctl } for comm="secdiscard" path="/dev/block/dm-3" dev="tmpfs" ino=17945 ioctlcmd=0x127d scontext=u:r:vold:s0 tcontext=u:object_r:dm_device:s0 tclass=blk_file permissive=0
type=1400 audit(0.0:43): avc: denied { ioctl } for comm="secdiscard" path="/dev/block/sda45" dev="tmpfs" ino=17485 ioctlcmd=127d scontext=u:r:vold:s0 tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file permissive=0

Test: policy compiles.
Change-Id: Ie7b4b8ac4698d9002a4e8d142d4e463f8d42899a
2018-10-23 03:35:08 -07:00
Nick Kralevich
4c8eaba75a start enforcing ioctl restrictions on blk_file
Start enforcing the use of ioctl restrictions on all Android block
devices. Domains which perform ioctls on block devices must be explicit
about what ioctls they issue. The only ioctls allowed by default are
BLKGETSIZE64, BLKSSZGET, FIOCLEX, and FIONCLEX.

Test: device boots and no problems.
Change-Id: I1195756b20cf2b50bede1eb04a48145a97a35867
2018-10-18 15:24:32 -07:00
Nick Kralevich
877b086097 vold: allow FS_IOC_FIEMAP
This is needed to find the file on the raw block device, so it can be
securely deleted.

Addresses the following denials:

  type=1400 audit(0.0:492): avc: denied { ioctl } for comm="secdiscard" path="/data/misc/vold/user_keys/ce/10/current/encrypted_key" dev="dm-3" ino=9984 ioctlcmd=0x660b scontext=u:r:vold:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0
  type=1400 audit(0.0:517): avc: denied { ioctl } for comm="secdiscard" path="/data/misc/vold/user_keys/ce/11/current/secdiscardable" dev="dm-3" ino=9581 ioctlcmd=0x660b scontext=u:r:vold:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0
  type=1400 audit(0.0:694): avc: denied { ioctl } for comm="secdiscard" path="/data/misc/vold/user_keys/ce/0/current/keymaster_key_blob" dev="dm-3" ino=9903 ioctlcmd=0x660b scontext=u:r:vold:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0

Test: policy compiles and device boots
Change-Id: I1adf21b7fa92b1f92ce76532f4d9337a4d58a2e5
2018-10-15 06:14:08 -07:00
Nick Kralevich
ebc3a1a34c Move to ioctl whitelisting for plain files / directories
Remove kernel attack surface associated with ioctls on plain files. In
particular, we want to ensure that the ioctls FS_IOC_ENABLE_VERITY and
FS_IOC_MEASURE_VERITY are not exposed outside a whitelisted set of
entities. However, it's straight forward enough to turn on ioctl
whitelisting for everything, so we choose to do so.

Test: policy compiles and device boots
Test: device boots with data wipe
Test: device boots without data wipe
Change-Id: I545ae76dddaa2193890eeb1d404db79d1ffa13c2
2018-10-10 13:02:57 +00:00
Igor Murashkin
72a88b194c iorapd: Add new binder service iorapd.
This daemon is very locked down. Only system_server can access it.

Bug: 72170747
Change-Id: I7b72b9191cb192be96001d84d067c28292c9688f
2018-10-08 15:00:34 -07:00
Joel Galenson
2d123fce3c Ensure vold is a client of hal_bootctl only in Treble mode.
This fixes a build breakage.

Test: Build policy.
Change-Id: Id5209a2bd6446ac6dd744b7426f540bc1a8641ed
2018-10-05 12:37:05 -07:00
Daniel Rosenberg
ac5293b4fb Add bootctl for vold
Allows checkpoint commands to check A/B update status

Test: vdc checkpoint startCheckpoint -1
Bug: 111020314
Change-Id: I086db548d55176bf88211001c7c1eecb8c50689e
2018-10-03 15:51:45 -07:00
Nick Kralevich
5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00
Jeff Vander Stoep
0b67bb88e5 Further lock down app data
Assert that only apps and installd may open private app files.

Remove "open" permission for mediaserver/vold and remove their
neverallow exemption.

Test: verify no related audit messages in the logs.
Test: build
Fixes: 80300620
Fixes: 80418809
Bug: 80190017
Change-Id: If0c1862a273af1fedd8898f334c9b0aa6b9be728
2018-09-22 22:38:42 -07:00
Yifan Hong
1cef6a94eb health.filesystem HAL renamed to health.storage
...to reflect that the HAL operates on storage devices,
not filesystem.

Bug: 111655771
Test: compiles
Change-Id: Ibb0572cb1878359e5944aa6711331f0c7993ba6e
Merged-In: Ibb0572cb1878359e5944aa6711331f0c7993ba6e
2018-09-20 04:12:45 +00:00
Benjamin Gordon
342362ae3e sepolicy: grant dac_read_search to domains with dac_override
kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order
of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of
dac_override and dac_read_search checks.  Domains that have dac_override
will now generate spurious denials for dac_read_search unless they also
have that permission.  Since dac_override is a strict superset of
dac_read_search, grant dac_read_search to all domains that already have
dac_override to get rid of the denials.

Bug: 114280985
Bug: crbug.com/877588
Test: Booted on a device running 4.14.
Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
2018-09-19 15:54:37 -06:00
Tri Vo
dac2a4a3a4 Sepolicy for system suspend HAL.
Bug: 78888165
Test: device can boot with HAL running.
Change-Id: I3bf7c8203e038b892176c97ec006152a2904c7be
2018-08-13 17:26:34 -07:00
Yifan Hong
fa5afa2afd vold uses health filesystem HAL
Bug: 111655771
Test: builds
Change-Id: I67850d910770109005b2243c628282ad638c88fb
2018-08-10 14:10:00 -07:00
Sudheer Shanka
a2bacea876 Allow vold to mount at /mnt/user/.*
Bug: 111890351
Test: Device boots and no selinux denials when vold mounts
      at /mnt/user/.*

Change-Id: Id962a85af9f99c54421f0820a22880be36c2e478
2018-08-03 12:55:09 -07:00
Nick Kralevich
23c9d91b46 Start partitioning off privapp_data_file from app_data_file
Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.

This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.

This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:

  -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
  +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user

For now, this newly introduced label has no usage, so this change
is essentially a no-op.

Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
      filesystem upgrade.

Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-02 16:29:02 -07:00
Bowgo Tsai
7b67a617dd Allowing vold to search /mnt/vendor/*
vold will trim rw mount points about daily, but it is denied by SELinux:

root   603   603 W Binder:603_2: type=1400 audit(0.0:11): avc: denied {
search } for name="vendor" dev="tmpfs" ino=23935 scontext=u:r:vold:s0
tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=0

Allowing vold to search /mnt/vendor/* to fix the denials.

Note that device-specific sepolicy needs to be extended to allow vold
to send FITRIM ioctl. e.g., for /mnt/vendor/persist, it needs:

    allow vold persist_file:dir { ioctl open read };

Bug: 111409607
Test: boot a device, checks the above denial is gone
Change-Id: Ia9f22d973e5a2e295678781de49a0f61fccd9dad
2018-07-25 10:18:42 +08:00
Yifan Hong
711908e60b vold: not allowed to read sysfs_batteryinfo
It doesn't need to read batteryinfo to function properly.
Bug: 110891415
Test: builds and boots

Change-Id: I7f388180a25101bfd0c088291ef03a9bf8ba2b2c
2018-07-12 11:45:28 -07:00
Jeff Vander Stoep
ab82125fc8 Improve tests protecting private app data
In particular, add assertions limiting which processes may
directly open files owned by apps. Reduce this to just apps, init,
and installd. App data is protected by a combination of selinux
permissions and Unix permissions, so limiting the open permission to
just apps (which are not allowed to have CAP_DAC_OVERRIDE or
CAP_DAC_READ_SEARCH) ensures that only installd and init have
complete access an app's private directory.

In addition to apps/init/installd, other processes currently granted
open are mediaserver, uncrypt, and vold. Uncrypt's access appears to
be deprecated (b/80299612). Uncrypt now uses /data/ota_package
instead. b/80418809 and b/80300620 track removal for vold and
mediaserver.

Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit
messages in the logs.
Bug: 80190017
Bug: 80300620
Bug: 80418809
Fixes: 80299612
Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 13:47:49 -07:00
Joel Galenson
be31a68e92 Allow vendor_init to getattr vold_metadata_file.
This relaxes the neverallow rule blocking vendor_init from doing
anything to vold_metadata_file.  The rules above it still prevent it
from doing anything other than relabelto and getattr.

Bug: 79681561
Test: Boot device and see no denials.
Change-Id: I1beb25bb9f8d69323c9fee53a140c2a084b12124
(cherry picked from commit 597be44e96)
2018-05-15 08:03:41 -07:00
Jeff Vander Stoep
7a4af30b38 Start the process of locking down proc/net
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.

To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.

Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
    navigate maps, send text message, make voice call, make video call.
    Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest

Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f)
2018-05-04 21:36:33 +00:00
Paul Crowley
42bd1638bf Add metadata_file class for root of metadata folder.
Bug: 77335096
Test: booted device with metadata encryption and without
Change-Id: I5bc5d46deb4e91912725c4887fde0c3a41c9fc91
2018-04-23 14:14:49 -07:00
Jeff Vander Stoep
d25ccabd24 label /data/vendor{_ce,_de}
Restrictions introduced in vendor init mean that new devices
may not no longer exempt vendor init from writing to system_data_file.
This means we must introduce a new label for /data/vendor which
vendor_init may write to.

Bug: 73087047
Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint
    No new denials.

Change-Id: I65f904bb28952d4776aab947515947e14befbe34
2018-02-08 17:21:25 +00:00
Paul Crowley
d9a4e06ec5 Allow vendor_init and e2fs to enable metadata encryption
Bug: 63927601
Test: Enable metadata encryption in fstab on Taimen, check boot success.

Change-Id: Iddbcd05501d360d2adc4edf8ea7ed89816642d26
2018-02-01 13:25:34 -08:00
Tri Vo
dcad0f04cf vold: clarify sysfs access
And remove a redundant rule.

Test: sesearch shows no changes to vold's sepolicy.
Change-Id: Icccc18696e98b999968ecbe0fb7862c35575a9b3
2018-01-23 13:43:51 -08:00
Jaekyun Seok
e49714542e Whitelist exported platform properties
This CL lists all the exported platform properties in
private/exported_property_contexts.

Additionally accessing core_property_type from vendor components is
restricted.
Instead public_readable_property_type is used to allow vendor components
to read exported platform properties, and accessibility from
vendor_init is also specified explicitly.

Note that whitelisting would be applied only if
PRODUCT_COMPATIBLE_PROPERTY is set on.

Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e
2018-01-10 16:15:25 +00:00
Luis Hector Chavez
7ae939e84b Revert "Allow callers of uevent_kernel_*() access to /proc/sys/kernel/overflowuid"
This reverts commit 640e595a68. The
corresponding code in libcutils was removed, so this is now unneeded.

Bug: 71632076
Test: aosp_sailfish still works

Change-Id: I615bab83e9a83bc14439b8ab90c00d3156b0a7c4
2018-01-08 13:09:34 -08:00
Jeff Vander Stoep
6a28b68d54 Fix CTS regressions
Commit 7688161 "hal_*_(client|server) => hal(client|server)domain"
added neverallow rules on hal_*_client attributes while simultaneously
expanding these attribute which causes them to fail CTS neverallow
tests. Remove these neverallow rules as they do not impose specific
security properties that we want to enforce.

Modify Other neverallow failures which were imposed on hal_foo
attributes and should have been enforced on hal_foo_server attributes
instead.

Bug: 69566734
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed
    remaining failure appears to be caused by b/68133473
Test: build taimen-user/userdebug

Change-Id: I619e71529e078235ed30dc06c60e6e448310fdbc
2017-11-22 04:54:41 +00:00
Jeffrey Vander Stoep
cd69bebf76 Revert "Fix CTS regressions"
This reverts commit ed876a5e96.

Fixes user builds.
libsepol.report_failure: neverallow on line 513 of system/sepolicy/public/domain.te (or line 9149 of policy.conf) violated by allow update_verifier misc_block_device:blk_file { ioctl read write lock append open }; 
libsepol.check_assertions: 1 neverallow failures occurred 
Error while expanding policy
Bug: 69566734
Test: build taimen-user
Change-Id: I969b7539dce547f020918ddc3e17208fc98385c4
2017-11-21 20:27:47 +00:00
Jeff Vander Stoep
ed876a5e96 Fix CTS regressions
Commit 7688161 "hal_*_(client|server) => hal(client|server)domain"
added neverallow rules on hal_*_client attributes while simultaneously
expanding these attribute which causes them to fail CTS neverallow
tests. Remove these neverallow rules as they do not impose specific
security properties that we want to enforce.

Modify Other neverallow failures which were imposed on hal_foo
attributes and should have been enforced on hal_foo_server attributes
instead.

Bug: 69566734
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed
    remaining failure appears to be caused by b/68133473
Change-Id: I83dcb33c3a057f126428f88a90b95f3f129d9f0e
2017-11-21 18:06:20 +00:00