Commit graph

8304 commits

Author SHA1 Message Date
Alex Klyubin
6d931af86d Merge "Move split sepolicy to correct locations" 2017-03-03 21:43:24 +00:00
Nick Kralevich
50bb7b5a67 Label /proc/misc
Label /proc/misc and allow access to untrusted_apps targeting older API
versions, as well as update_engine_common.

/proc/misc is used by some banking apps to try to detect if they are
running in an emulated environment.

TODO: Remove access to proc:file from update_engine_common after more
testing.

Bug: 35917228
Test: Device boots and no new denials.
Change-Id: If1b97a9c55a74cb74d1bb15137201ffb95b5bd75
2017-03-03 12:20:38 -08:00
Treehugger Robot
afb082e352 Merge "domain: Allow stat on symlinks in vendor" 2017-03-03 20:09:40 +00:00
Roshan Pius
32cc614866 Merge "sepolicy: Allow hal_wifi to set wlan driver status prop" 2017-03-03 19:17:31 +00:00
Jeff Vander Stoep
05d83dd407 domain: Allow stat on symlinks in vendor
Addresses:
denied { getattr } for pid=155 comm="keystore" path="/vendor"
dev="mmcblk0p6" ino=1527 scontext=u:r:keystore:s0
tcontext=u:object_r:system_file:s0 tclass=lnk_file

On devices without an actual vendor image, /vendor is a symlink to
/system/vendor. When loading a library from this symlinked vendor,
the linker uses resolve_paths() resulting in an lstat(). This
generates an selinux denial. Allow this lstat() so that paths can
be resolved on devices without a real vendor image.

Bug: 35946056
Test: sailfish builds
Change-Id: Ifae11bc7039047e2ac2b7eb4fbcce8ac4580799f
2017-03-03 09:57:44 -08:00
Alex Klyubin
052b0bbb26 Move split sepolicy to correct locations
This moves the CIL files comprising the split sepolicy to the
directories/partitions based on whether the file is part of
platform/system or non-platform/vendor. In particular:
* plat_sepolicy.cil is moved to /system/etc/selinux,
* nonplat_sepolicy.cil is moved to /vendor/etc/selinux, and
* mapping_sepolicy.cil is moved to /vendor/etc/selinux.

Test: Device boots, no additional denials. The test is performed both
      for a device without the CIL files and with the three CIL files.
Bug: 31363362

Change-Id: Ia760d7eb32c80ba72f6409da75d99eb5aae71cd9
2017-03-03 09:44:55 -08:00
Roshan Pius
e62805d7cc sepolicy: Allow hal_wifi to set wlan driver status prop
The new wifi HAL manages the wlan driver and hence needs to be able to
load/unload the driver. The "wlan.driver.status" is used to indicate the
state of the driver to the rest of the system. There are .rc scripts for
example which wait for the state of this property.

Denials:
03-01 13:31:43.394   476   476 W android.hardwar: type=1400
audit(0.0:7243): avc: denied { read } for name="u:object_r:wifi_prop:s0"
dev="tmpfs" ino=10578 scontext=u:r:hal_wifi_default:s0
tcontext=u:object_r:wifi_prop:s0 tclass=file permissive=0
03-01 13:31:43.399   476   476 E libc    : Access denied finding
property "wlan.driver.status"

Bug: 35765841
Test: Denials no longer seen
Change-Id: I502494af7140864934038ef51cb0326ba3902c63
2017-03-03 09:32:03 -08:00
Keun-young Park
24f1752d64 Merge "make ro.persistent_properties.ready accessible for hidl client" 2017-03-02 22:41:30 +00:00
Treehugger Robot
35f93189bb Merge "Use levelFrom=user for v2 apps" 2017-03-02 21:59:14 +00:00
Treehugger Robot
06a7a56229 Merge "Define selinux context for econtroller." 2017-03-02 20:23:11 +00:00
Jeff Davidson
a203d37fbe Define selinux context for econtroller.
Bug: 33075886
Test: N/A
Change-Id: I1654ee20fa6125cf3ed5c0796e85f289db5a9745
2017-03-02 10:36:17 -08:00
Alex Klyubin
6237d8b787 Start locking down access to services from ephemeral apps
This starts with the reduction in the number of services that
ephemeral apps can access. Prior to this commit, ephemeral apps were
permitted to access most of the service_manager services accessible
by conventional apps. This commit reduces this set by removing access
from ephemeral apps to:
* gatekeeper_service,
* sec_key_att_app_id_provider_service,
* wallpaper_service,
* wifiaware_service,
* wifip2p_service,
* wifi_service.

Test: Device boots up fine, Chrome, Play Movies, YouTube, Netflix, work fine.
Bug: 33349998
Change-Id: Ie4ff0a77eaca8c8c91efda198686c93c3a2bc4b3
2017-03-02 10:23:01 -08:00
Chad Brubaker
6dc13ffc82 Use levelFrom=user for v2 apps
This is needed, at least short term

Bug:34231507
Test: Builds
Change-Id: Id313c4f3e40c17b0eead50facf474a890cda5c85
2017-03-02 09:50:33 -08:00
Hugo Benichi
ee0b8cd9fb removing obsolete entries for connectivity_metrics_logger
Test: build, flashed, booted.
Bug: 32648597
Change-Id: Ife3d99293c3274ad3a62fb71ae3f799c74e853f4
2017-03-02 09:43:06 +09:00
Keun-young Park
f67c346af4 make ro.persistent_properties.ready accessible for hidl client
- compared to ro.boottime, this one does not pass time info

bug: 35178781
bug: 34274385
Test: reboot

Change-Id: I6a7bf636a3f201653e2890751d5fa210274c9ede
2017-03-01 12:31:04 -08:00
ashutoshj
1366b03717 Merge "Allow sensor HALs to access ashmem memory regions." 2017-03-01 19:41:15 +00:00
Jeffrey Vander Stoep
fbaf8262d1 Merge "Add /data/misc/reboot and reboot_data_file context" 2017-03-01 04:08:11 +00:00
Keun-young Park
60198b744a Merge "make ro.boottime. properties accessible to hal clients" 2017-02-28 22:39:41 +00:00
Todd Poynor
7290f63354 Add /data/misc/reboot and reboot_data_file context
Add a file context for keeping track of last reboot reason and label
directory /data/misc/reboot/ for this purpose.

(Cherry picked from commit ca051f6d07)

Bug: 30994946
Test: manual: reboot ocmmand, setprop sys.powerctl, SoC thermal mgr
Change-Id: I9569420626b4029a62448b3f729ecbbeafbc3e66
2017-02-28 13:34:01 -08:00
Chong Zhang
7291641803 MediaCAS: adding media.cas to service
Also allow media.extractor to use media.cas for descrambling.

bug: 22804304

Change-Id: Id283b31badecb11011211a776ba9ff5167a9019d
2017-02-28 12:31:45 -08:00
Treehugger Robot
34ab219f3f Merge "Bluetooth hal: move to vendor partition." 2017-02-28 04:00:58 +00:00
Keun-young Park
16b9de124e make ro.boottime. properties accessible to hal clients
- hal clients checking hal_binderization prop also need to check
  ro.boottime.persistent_properties.

bug: 35178781
Test: reboot
Change-Id: I413c663537dc118e0492416e3e5a2af721b18107
2017-02-27 19:15:50 -08:00
Steven Moreland
ba1c5831fd Bluetooth hal: move to vendor partition.
Bug: 35328775
Test: works in both binderized and passthrough modes
Merged-In: I1f827b4983e5e67c516e4488ad3497dd62db7e20
Change-Id: I1f827b4983e5e67c516e4488ad3497dd62db7e20
2017-02-28 01:35:11 +00:00
Treehugger Robot
85eda805e6 Merge "storaged: remove rules no longer necessary" 2017-02-28 01:27:45 +00:00
Treehugger Robot
a3e83d0a45 Merge "init: enable init to relabel symlinks for system_block_devices" 2017-02-28 00:01:44 +00:00
Jin Qian
d3a11613c3 storaged: remove rules no longer necessary
Test: adb shell dumpsys storaged --force
Bug: 35323867
Change-Id: I6944ca357875a24465054d3891a00dbcd67495cf
2017-02-27 22:40:34 +00:00
Sandeep Patil
df32f3e82b init: enable init to relabel symlinks for system_block_devices
early mounted block device are created by 'init' in its first stage, so
the following restorecon() now finds device nodes and their corresponding
symlinks. The CL adds rule to make sure the block and
system_block_devices can be relabeled by init in this case.

Bug: 35792677
Bug: 27805372

Test: tested ota using 'adb sideload' on sailfish

Change-Id: I7d9d89878919c1267bf3c74f0cdbb4367b5ad458
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-02-27 14:30:05 -08:00
Nick Kralevich
5251ad1aa6 netd.te: drop dccp_socket support
No SELinux domains can create dccp_socket instances, so it doesn't make
any sense to allow netd to minipulate already-open dccp sockets.

Bug: 35784697
Test: policy compiles.
Change-Id: I189844462cbab58ed58c24fbad6a392f6b035815
2017-02-27 09:23:31 -08:00
Alex Klyubin
8f7173b016 Test CIL policy when building it
Prior to this commit, there was a bug in generated CIL where it
wouldn't compile using secilc. The reason was that the build script
was stripping out all lines containing "neverallow" from CIL files,
accidentally removing lines which were not neverallow statements,
such as lmx lines referencing app_neverallows.te.

The commit fixes the build script's CIL neverallow filter to filter
out only neverallow* statements, as originally intended. Moreover, to
catch non-compiling CIL policy earlier in the future, this commit runs
secilc on the policy at build time. In particular, it tests that
platform policy compiles on its own and that nonplatform + platform +
mappig policy compiles as well.

Test: CIL policy builds and compiles on-device using secilc
Bug: 31363362
Change-Id: I769aeb3d8c913a5599f1a2195c69460ece7f6465
2017-02-25 15:08:31 -08:00
Treehugger Robot
6f94c1d584 Merge "Allow adbd to use graphics fds" 2017-02-24 18:46:00 +00:00
Alex Deymo
8d48aa7988 Merge "update_engine: Allow to tag sockets." 2017-02-24 18:02:50 +00:00
Treehugger Robot
eb036bd0ee Merge "kernel: neverallow dac_{override,read_search} perms" 2017-02-24 17:42:15 +00:00
Chia-I Wu
8585788d9f Allow adbd to use graphics fds
Bug: 35708449
Test: AS screen capture
Change-Id: I53f1604e1ee9c9b32c6932f1b8944708f5012e5f
2017-02-24 09:07:27 -08:00
Treehugger Robot
3355de1398 Merge "Camera: allow various FD usage for hal_camera" 2017-02-24 07:42:09 +00:00
Alex Deymo
57b1e913b6 update_engine: Allow to tag sockets.
Bug: 35721166
Test: Run update_engine_unittest as system user in enforcing mode.
Change-Id: I9cd63b19e6eed3e1291d36d4c342ecf725407232
2017-02-23 18:37:45 -08:00
Yin-Chia Yeh
2dc4d1cc1c Camera: allow various FD usage for hal_camera
The camera HAL1 will need to pass/receive FD from various
related processes (app/surfaceflinger/medaiserver)

Change-Id: Ia6a6efdddc6e3e92c71211bd28a83eaf2ebd1948
2017-02-23 18:14:31 -08:00
Treehugger Robot
d1f579d5d6 Merge "Restrict /proc/sys/vm/mmap_rnd_bits" 2017-02-24 01:51:55 +00:00
Treehugger Robot
066bc07e4d Merge "Move rild to vendor partition." 2017-02-24 01:47:15 +00:00
mukesh agrawal
723364f136 allow WifiService to use tracing on user builds
Previously, we'd restricted WifiService's use of
the kernel's tracing feature to just userdebug_or_eng
builds.

This restriction was in place because the feature
had not yet been reviewed from a privacy perspective.
Now that the feature has passed privacy review, enable
the feature on all builds.

Note that other safeguards remain in place (on all
builds):
- The set of events to be monitored is configured by
  init, rather than WifiService (part of system_server).
  This privilege separation prevents a compromised
  system_server from tracing additional information.
- The trace events are kept only in RAM, until/unless
  WifiService receives a dump request. (This would happen,
  for example, in the case of adb dumpsys, or generating
  a bugreport.)

Bug: 35679234
Test: manual (see below)

Manual test details:
- flash device
- connect device to a wifi network
$ adb shell dumpsys wifi | grep rdev_connect
  [should see at least one matching line]

Change-Id: I85070054857d75177d0bcdeb9b2c95bfd7e3b6bc
2017-02-23 17:42:48 -08:00
Amit Mahajan
f7bed71a21 Move rild to vendor partition.
Test: Basic telephony sanity
Bug: 35672432
Change-Id: I7d17cc7efda9902013c21d508cefc77baccc06a8
2017-02-23 16:20:07 -08:00
Luis Hector Chavez
64a0503831 Restrict /proc/sys/vm/mmap_rnd_bits
Label /proc/sys/vm/mmap_rnd_bits so it is only readable and writable by
init. This also tightens the neverallow restrictions for proc_security.

Bug: 33563834
Test: run cts -m CtsPermissionTestCases -t \
      android.permission.cts.FileSystemPermissionTest#testProcfsMmapRndBitsExistsAndSane

Change-Id: Ie7af39ddbf23806d4ffa35e7b19d30fec7b6d410
2017-02-23 15:22:06 -08:00
Jeff Vander Stoep
ebbbe6dd36 app: remove logspam on ion ioctls
Apps definitely need access to ion ioctls. Remove audit statement.

Test: build marlin
Bug: 35715385
Change-Id: I777d3e9a88065a5f711315a7da6d63587744b408
2017-02-23 15:08:13 -08:00
Fyodor Kupolov
a64b685013 Allow installd to delete from preloads/file_cache
When clearing cache, installd should be able to search for and delete
files in /data/preloads/file_cache

Test: Manually trigger installd freeCache
Bug: 31008665
Change-Id: I4c345cc8b0f7a6a8702a55f4720d21283c9d502a
2017-02-23 20:40:19 +00:00
Alex Klyubin
38dc1e2230 Merge "Switch Keymaster HAL policy to _client/_server" 2017-02-23 17:15:18 +00:00
Treehugger Robot
2e934f7fc5 Merge "init: allow init to restorecon on block devices and their symlinks" 2017-02-23 07:16:18 +00:00
Alex Klyubin
f7543d27b8 Switch Keymaster HAL policy to _client/_server
This switches Keymaster HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Keymaster HAL.

Domains which are clients of Keymaster HAL, such as keystore and vold
domains, are granted rules targeting hal_keymaster only when the
Keymaster HAL runs in passthrough mode (i.e., inside the client's
process). When the HAL runs in binderized mode (i.e., in another
process/domain, with clients talking to the HAL over HwBinder IPC),
rules targeting hal_keymaster are not granted to client domains.

Domains which offer a binderized implementation of Keymaster HAL, such
as hal_keymaster_default domain, are always granted rules targeting
hal_keymaster.

Test: Password-protected sailfish boots up and lock screen unlocks --
      this exercises vold -> Keymaster HAL interaction
Test: All Android Keystore CTS tests pass -- this exercises keystore ->
      Keymaster HAL interaction:
      make cts cts-tradefed
      cts-tradefed run singleCommand cts --skip-device-info \
      --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
      --module CtsKeystoreTestCases
Bug: 34170079

Change-Id: I2254d0fdee72145721654d6c9e6e8d3331920ec7
2017-02-22 20:18:28 -08:00
Alex Klyubin
0aca0241dd Merge "Switch Wi-Fi HAL policy to _client/_server" 2017-02-23 00:55:10 +00:00
Alex Klyubin
1d2a1476ae Switch Wi-Fi HAL policy to _client/_server
This switches Wi-Fi HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Wi-Fi HAL.

Domains which are clients of Wi-Fi HAL, such as system_server domain,
are granted rules targeting hal_wifi only when the Wi-Fi HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with clients
talking to the HAL over HwBinder IPC), rules targeting hal_wifi are
not granted to client domains.

Domains which offer a binderized implementation of Wi-Fi HAL, such as
hal_wifi_default domain, are always granted rules targeting hal_wifi.

Test: Setup Wizard (incl. adding a Google Account) completes fine with
      Wi-Fi connectivity only
Test: Toggle Wi-Fi off, on, off, on
Test: Use System UI to see list of WLANs and connect to one which does
      not require a password, and to one which requries a PSK
Test: ip6.me loads fine in Chrome over Wi-Fi
Bug: 34170079

Change-Id: I7a216a06727c88b7f2c23d529f67307e83bed17f
2017-02-22 15:12:19 -08:00
Treehugger Robot
5a2de627c9 Merge "Add service 'overlay' to service_contexts" 2017-02-22 23:08:51 +00:00
Jeff Vander Stoep
3927086dba kernel: neverallow dac_{override,read_search} perms
The kernel should never be accessing files owned by other users.

Disallow this access.

Test: Marlin builds. Neverallow are build time assertions,
they do not policy on the device.

Change-Id: I6ba2eb27c0e2ecf46974059588508cd3223baceb
2017-02-22 14:33:08 -08:00