Commit graph

186 commits

Author SHA1 Message Date
Myles Watson
671a0c3bda sepolicy: Add Bluetooth AIDL
Bug: 205758693
Test: manual - boot local image with Cuttlefish
Change-Id: Ic0c5408d83f8c352b72f79e9024212c7ff0c84c1
2022-12-02 13:08:26 -08:00
Jooyung Han
01e9b4d5d0 Merge "Allow dumpstate to read apex-info-list.xml" 2022-11-14 02:23:23 +00:00
Jooyung Han
1802a16336 Allow dumpstate to read apex-info-list.xml
Bug: 254486775
Test: sesearch --allow -s dumpstate -t apex_info_file policy
Change-Id: I52cc2ed2fcb0cf969009e323300741169d8e6d8a
2022-11-11 11:30:20 +09:00
Lakshman Annadorai
9691a41b0a Merge "Revert "Add sepolicies for CPU HAL."" 2022-11-09 20:57:15 +00:00
Lakshman Annadorai
4d277b7baa Revert "Add sepolicies for CPU HAL."
This reverts commit f4ab6c9f3c.

Reason for revert: CPU HAL is no longer required because the CPU frequency sysfs files are stable Linux Kernel interfaces and could be read directly from the framework.

Change-Id: I8e992a72e59832801fc0d8087e51efb379d0398f
2022-11-09 16:47:07 +00:00
Changyeon Jo
0dd6bc0c5e Allow dumpstate to signal evsmanagerd
This CL allows dumpstate to signal evsmanagerd, which is another
android.hardware.automotive.evs.IEvsEnumerator implementation, to dump
its stack.

Fix: 243335867
Test: atest android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: I37b4cf0ae45f8196f92088cf07a2b45c44f50ee8
2022-11-08 12:53:50 +00:00
Lakshman Annadorai
f4ab6c9f3c Add sepolicies for CPU HAL.
Change-Id: Ia091bf8f597a25351b5ee33b2c2afc982f175d51
Test: Ran `m; emulator; adb logcat -b all -d > logcat.txt;`
      and verified CPU HAL is running without any sepolicy violation.
Bug: 252883241
2022-11-04 18:13:00 +00:00
Thiébaud Weksteen
0596a47aae Grant dumpstate access to update engine prefs
aosp/2215361 added the collection of update_engine preferences by
dumpstate. Add the corresponding policy. The /data/misc/update_engine
directory only contains the prefs/ subdirectory (see
DaemonStateAndroid::Initialize in update_engine).

Bug: 255917707
Test: m selinux_policy
Change-Id: I8c80f319d97f22f29158dd67352c3429d3222a35
2022-10-28 14:36:31 +11:00
Weilin Xu
52546635b2 Applying new IBroadcastRadio AIDL
Update Sepolicy for AIDL broadcast radio HAL. Ignore
fuzzer default AIDL implementation for now.

Bug: 170336130
Test: m -j
Change-Id: Ie55c08c6a721de1f8dc40acc81de68565f99f7d7
2022-09-21 23:17:20 +00:00
Thiébaud Weksteen
33263a0869 Use dump_hal() macro for HAL services
Sort the list of services alphabetically.

Test: build & boot bramble
Change-Id: I3dae597ae3780d7ac97bb8aeeeaf964b375cdf5e
2022-07-27 13:13:47 +10:00
Siarhei Vishniakou
c982ef878d Allow dumpstate to get InputProcessor traces
When the InputProcessor HAL is getting dumped, allow the dumpstate
process to trigger the trace collection.

In the future, we will also add a 'dump' facility to this HAL.

Bug: 237347585
Bug: 237322365
Test: adb bugreport
Change-Id: Iecc525c212c1b899962a032df9643bdd8b0dcdb6
2022-07-06 08:28:50 -07:00
Thiébaud Weksteen
091943f99d Merge "Ignore access to /sys for dumpstate" 2022-06-23 13:22:45 +00:00
Thiébaud Weksteen
5e8a384f5a Ignore access to /sys for dumpstate
avc: denied { read } for name="stat" dev="sysfs" ino=26442
scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file
permissive=0

Bug: 236566714
Test: TH
Change-Id: Id4e781908573607b28782fbb2da7cd553d6826fe
2022-06-23 01:48:23 +10:00
Jaihind Yadav
fd04d1e908 Don't audit mnt_product_file in dumpstate.
CTS testcase is failing because of the AVC denials for dumpstate
trying to search mnt_product.

Bug: 234086759

Test: android.security.cts.SELinuxHostTest#testNoBugreportDenials

Change-Id: I794de8c296992b1d3cdafdb802376870a0eecce7
2022-06-01 12:13:13 +00:00
Jeff Vander Stoep
b07c12c39d Iorapd and friends have been removed
Remove references in sepolicy. Leave a few of the types defined since
they're public and may be used in device-specific policy.

Bug: 211461392
Test: build/boot cuttlefish
Change-Id: I615137b92b82b744628ab9b7959ae5ff28001169
2022-05-18 12:07:39 +02:00
Jason Macnak
a93398051c Adds GPU sepolicy to support devices with DRM gralloc/rendering
... such as Cuttlefish (Cloud Android virtual device) which has a
DRM virtio-gpu based gralloc and (sometimes) DRM virtio-gpu based
rendering (when forwarding rendering commands to the host machine
with Mesa3D in the guest and virglrenderer on the host).

After this change is submitted, changes such as aosp/1997572 can
be submitted to remove sepolicy that is currently duplicated
across device/google/cuttlefish and device/linaro/dragonboard as
well.

Adds a sysfs_gpu type (existing replicated sysfs_gpu definitions
across several devices are removed in the attached topic). The
uses of `sysfs_gpu:file` come from Mesa using libdrm's
`drmGetDevices2()`, which calls into `drmParsePciDeviceInfo()` to
get vendor id, device id, version etc.

Bug: b/161819018
Test: launch_cvd
Test: launch_cvd --gpu_mode=gfxstream
Change-Id: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
Merged-In: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
2022-04-18 17:30:56 -07:00
Robert Shih
bf4d7522d7 Allow dumpstate to call dump() on drm hals
Bug: 220996660
Test: adb bugreport
Change-Id: I222c5e845d481dd9f3dcf796d50ca91c6174a023
2022-02-25 06:07:53 +00:00
Thiébaud Weksteen
373cf3ba8e Associate hal_service_type with all HAL services
By default, HAL's services are not accessible by dumpstate. HIDL
implementations were silenced via a dontaudit on hwservice_manager. But
AIDL implementations will trigger a denial, unless authorized via
`dump_hal`. Mark all HAL services with a new attribute
`hal_service_type` so they can be ignored by dumpstate.

Test: m selinux_policy
Bug: 219172252
Change-Id: Ib484368fdeff814d4799792d57a238d6d6e965fd
2022-02-16 10:49:21 +11:00
George Chang
0ddfebb4e1 Add hal_nfc_service
Bug: 204868826
Test: atest VtsAidlHalNfcTargetTest
Change-Id: If01d1d0a74f5c787805d3744772d40a7aa7db9cb
2022-01-20 03:48:57 +00:00
Gabriel Biren
3d0529483b Add supplicant service to the dumpstate
exceptions and dontaudit lists.

wpa_supplicant does not have a dump() method, so
dumpstate shouldn't need to access this HAL.

Bug: 213616004
Test: Treehugger tests
Change-Id: I5a0d80725434b56c9663948c3727faea9fb38db6
2022-01-14 17:17:31 +00:00
Ady Abraham
df28371462 Remove vrflinger
Not used anymore.

Test: build + presubmit
Bug: 170681929
Change-Id: I3ac9b842f89acf620e9f08516e44977d83064f2f
2021-10-20 02:02:57 +00:00
Arthur Ishiguro
876ded0bf8 Allow dumpstate to dump Context Hub HAL
Bug: 194285834
Test: adb bugreport
Change-Id: I6cd7efddf207b896303278539ddb824ad2e4c454
2021-09-22 18:44:49 +00:00
Hridya Valsaraju
23f9f51fcd Revert "Revert "Add neverallows for debugfs access""
This reverts commit e95e0ec0a5.

Now that b/186727553 is fixed, it should be safe to revert this revert.

Test: build
Bug: 184381659
Change-Id: Ibea3882296db880f5cafe4f9efa36d79a183c8a1
2021-05-04 22:06:46 -07:00
Hridya Valsaraju
e95e0ec0a5 Revert "Add neverallows for debugfs access"
Revert submission 1668411

Reason for revert: Suspect for b/186173384
Reverted Changes:
Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t...
I743a81489:Exclude vendor_modprobe from debugfs neverallow re...
I63a22402c:Add neverallows for debugfs access
I289f2d256:Add a neverallow for debugfs mounting

Change-Id: I9b7d43ac7e2ead2d175b265e97c749570c95e075
2021-04-23 16:38:20 +00:00
Hridya Valsaraju
a0b504a484 Add neverallows for debugfs access
Android R launching devices and newer must not ship with debugfs
mounted. For Android S launching devices and newer, debugfs must only be
mounted in userdebug/eng builds by init(for boot time initializations)
and dumpstate(for grabbing debug information from debugfs using the
dumpstate HAL).

This patch adds neverallow statements to prevent other processes
being provided access to debugfs when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS
is set to true.

Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Bug: 184381659
Change-Id: I63a22402cf6b1f57af7ace50000acff3f06a49be
2021-04-21 14:13:22 -07:00
Hridya Valsaraju
a758a5cc3b Allow dumpstate to read /dev/binderfs/binder_logs/proc
This patch fixes the following denial:
avc: denied { read } for name="1194" dev="binder" ino=1048790
 scontext=u:r:dumpstate:s0 tcontext=u:object_r:binderfs_logs_proc:s0 tclass=file permissive=0

Test: build
Bug: 182334323
Change-Id: I739f09f56763e3e7ac01dced6feda7a5a5fd2210
2021-03-17 22:47:43 -07:00
Marco Ballesio
aa4ce95c6f sepolicy: rules for uid/pid cgroups v2 hierarchy
Bug: 168907513
Test: verified the correct working of the v2 uid/pid hierarchy in normal
and recovery modes

This reverts commit aa8bb3a29b.

Change-Id: Ib344d500ea49b86e862e223ab58a16601eebef47
2021-02-11 23:40:38 +00:00
Treehugger Robot
96acdc0b22 Merge "Revert^3 "sepolicy: rules for uid/pid cgroups v2 hierarchy"" 2021-02-05 01:59:16 +00:00
Marco Ballesio
aa8bb3a29b Revert^3 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
a54bed6907

Bug: 151660495
Test: verified proper boot in regular mode and proper working of adb in
recovery

Change-Id: Id70d27a6162af6ede94661005d80a2a780057089
2021-02-04 22:33:14 +00:00
Kalesh Singh
5bf6faaf94 Fix dumpstate hal_*_server denials
Bug: 178566350
Test: atest CtsSecurityHostTestCases:android.security.cts.SELinuxHostTest#testNoBugreportDenials -- --abi x86_64
Change-Id: I58e050f2e6f978ea5c7e1a89221178f5374d1731
2021-02-01 22:20:44 -05:00
Marco Ballesio
a54bed6907 Revert^2 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
51c04ac27b

Change-Id: Idc35a84b5faabfb9bdd7a7693f51b11938eb0489
2021-01-27 06:07:48 +00:00
Hunter Knepshield
18312f49b8 SEPolicy changes for public BugreportManager API.
Allow non-system apps to get an instance through
Context#getSystemService, and then dumpstate also needs permissions to
append to public apps' files.

Most carrier apps are not pre-installed, but we still want to allow them
to request connectivity bug reports, which are well-scoped to contain
limited PII and all info should directly relate to connectivity
(cellular/wifi/networking) debugging.

BugreportManager underneath validates that the calling app has carrier
privileges before actually starting the bug report routine. User consent
is requested for every bugreport requested by carrier apps.

Without the dumpstate.te change, the following error will occur:
01-14 20:08:52.394  1755  1755 I auditd  : type=1400 audit(0.0:10): avc: denied { append } for comm="Binder:1755_16" path="/data/user/0/com.carrier.bugreportapp.public/files/bugreports/bugreport-2021-01-14-20-08-51.zip" dev="dm-8" ino=25218 scontext=u:r:dumpstate:s0 tcontext=u:object_r:app_data_file:s0:c7,c257,c512,c768 tclass=file permissive=0
[ 1167.128552] type=1400 audit(1610654932.394:10): avc: denied { append } for comm="Binder:1755_16" path="/data/user/0/com.carrier.bugreportapp.public/files/bugreports/bugreport-2021-01-14-20-08-51.zip" dev="dm-8" ino=25218 scontext=u:r:dumpstate:s0 tcontext=u:object_r:app_data_file:s0:c7,c257,c512,c768 tclass=file permissive=0

Bug: 161393541
Test: atest CtsCarrierApiTestCases:BugreportManagerTest
Change-Id: I443b1f6cd96223ed600c4006bc344c2a8663fdc7
2021-01-14 20:15:34 +00:00
Alan Stokes
7aa40413ae Split user_profile_data_file label.
user_profile_data_file is mlstrustedobject. And it needs to be,
because we want untrusted apps to be able to write to their profile
files, but they do not have levels.

But now we want to apply levels in the parent directories that have
the same label, and we want them to work so they need to not be
MLS-exempt. To resolve that we introduce a new label,
user_profile_root_file, which is applied to those directories (but no
files). We grant mostly the same access to the new label as
directories with the existing label.

Apart from appdomain, almost every domain which accesses
user_profile_data_file, and now user_profile_root_file, is already
mlstrustedsubject and so can't be affected by this change. The
exception is postinstall_dexopt which we now make mlstrustedobject.

Bug: 141677108
Bug: 175311045
Test: Manual: flash with wipe
Test: Manual: flash on top of older version
Test: Manual: install & uninstall apps
Test: Manual: create & remove user
Test: Presubmits.
Change-Id: I4e0def3d513b129d6c292f7edb076db341b4a2b3
2020-12-11 17:35:06 +00:00
Jonglin Lee
51c04ac27b Revert "sepolicy: rules for uid/pid cgroups v2 hierarchy"
Revert submission 1511692-cgroup v2 uid/pid hierarchy

Reason for revert: Causing intermittent cgroup kernel panics
Reverted Changes:
I80c2a069b:sepolicy: rules for uid/pid cgroups v2 hierarchy
I73f3e767d:libprocessgroup: uid/pid hierarchy for cgroup v2

Bug: 174776875
Change-Id: I63a03bb43d87c9aa564b1436a45fd5ec023aac87
Test: Locally reverted and booted 100 times without kernel panic
2020-12-04 03:12:59 +00:00
Marco Ballesio
f46d7a26c1 sepolicy: rules for uid/pid cgroups v2 hierarchy
the cgroups v2 uid/gid hierarchy will replace cgroup for all sepolicy
rules. For this reason, old rules have to be duplicated to cgroup_v2,
plus some rules must be added to allow the ownership change for cgroup
files created by init and zygote.

Test: booted device, verified correct access from init, system_server
and zygote to the uid/pid cgroup files

Change-Id: I80c2a069b0fb409b442e1160148ddc48e31d6809
2020-11-30 11:46:14 -08:00
Alistair Delva
98825d35cb Allow dumpstate to dump face/fingerprint/gnss HALs
Seen with "adb bugreport" on cuttlefish:

avc: denied { call } for scontext=u:r:dumpstate:s0
  tcontext=u:r:hal_face_default:s0 tclass=binder permissive=0
avc: denied { call } for scontext=u:r:dumpstate:s0
  tcontext=u:r:hal_fingerprint_default:s0 tclass=binder permissive=0
avc: denied { call } for scontext=u:r:dumpstate:s0
  tcontext=u:r:hal_gnss_default:s0 tclass=binder permissive=0

Fix it like aosp/1313514

Bug: 170070222
Change-Id: I1c2d6fc0130ef3ee87662d23de0ee031fb60cbec
2020-11-16 13:52:05 -08:00
Alex Hong
906c724514 Allow dumpstate to read proc_pid_max and access profcollectd via binder
Now running ps requires the read permission for /proc/sys/kernel/pid_max.
Also, grant the binder_call permission for recently added profcollectd.

Bug: 170070222
Change-Id: I5bc0f89a0538091de40647777ff6bf47f47dc066
2020-11-10 09:53:41 +00:00
Jack Yu
dd64813204 Add sepolicy to allow read/write nfc snoop log data
Bug: 153704838
Test: nfc snoop log could be accessed
Change-Id: I694426ddb776114e5028b9e33455dd98fb502f0a
2020-09-24 17:36:07 +08:00
Treehugger Robot
142d16a964 Merge "Allow dumpstate to dump auto hal servers" 2020-08-04 17:28:41 +00:00
Roman Kiryanov
b76d0b3060 Allow dumpstate to getattr apex_info_file:file
required by the CTS test.

Bug: 162594434
Test: atest android.security.cts.SELinuxHostTest#testNoBugreportDenials
Signed-off-by: Roman Kiryanov <rkir@google.com>
Change-Id: Ic9962415d740e300ceb418b3265c24433a9e4f4c
2020-07-31 13:39:11 -07:00
Roman Kiryanov
83b88d5d61 Allow dumpstate to dump hal_light
Bug: 162594434
Test: atest android.security.cts.SELinuxHostTest#testNoBugreportDenials
Signed-off-by: Roman Kiryanov <rkir@google.com>
Change-Id: I440b5627abe0127324679fcb54bc52a68c44bea4
2020-07-31 13:37:59 -07:00
Yiming Jing
2fd322f630 Allow dumpstate to dump auto hal servers
audiocontrol_hal, vehicle_hal and evs_hal were added to dump_util.cpp in
b/148098383. But the corresponding dumpstate.te is not updated to reflect
the changes, causing denials when dumpstate attempts to dump auto hal servers.

This CL updates dumpstate.te to allow dumpstate to access auto hal servers.

Bug: 162537916
Test: sesearch -A -s dumpstate -t hal_audiocontrol_server -p signal sepolicy
Test: sesearch -A -s dumpstate -t hal_vehicle_server -p signal sepolicy
Test: sesearch -A -s dumpstate -t hal_evs_server -p signal sepolicy
Change-Id: If6d6e4d9c547da17817f2668dc4f2a093bddd632
2020-07-31 10:19:22 -07:00
Adam Shih
8cc3f8d9ee Let dumpstate access hal_identity
Bug: 158614313
Test: CtsSecurityHostTestCases:android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: Ic07e64b0bb18f948764e7bde5985eab91747b882
2020-06-24 10:40:44 +08:00
TeYuan Wang
900c723e1d Allow dumpstate to get thermal and power hal debug info
Bug: 156710131
Test: tested in userdebug with dumpstate.unroot set to true
Change-Id: Iabd636f109e719753fdd650f05e1a7af835c49d7
Signed-off-by: TeYuan Wang <kamewang@google.com>
2020-05-18 10:30:28 +08:00
Igor Murashkin
e67fad5deb iorapd: Allow dumpstate (bugreport) to dump iorapd
Bug: 152616197
Test: adb bugreport
Change-Id: I36e3b6d847341ddd84792ccc3f2c2c620e1c3f7b
Merged-In: I36e3b6d847341ddd84792ccc3f2c2c620e1c3f7b
2020-03-31 13:48:47 -07:00
Inseob Kim
55e5c9b513 Move system property rules to private
public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defined properties.

Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
2020-03-18 16:46:04 +00:00
Kris Chen
258442b3d4 Add rules to dump fingerprint hal traces
Bug: 150008549
Test: adb shell am hang
Test: adb bugreport
Change-Id: I0440bb8fd3cc1205a43eca6c7ef5f8d0afc92396
2020-03-03 16:58:58 +08:00
Stefano Galarraga
fb9ff8d5b6 Merge "Allow dumpstate to dump NNAPI HAL log on userbuild" 2020-02-25 10:47:38 +00:00
Kenny Root
4def25f171 Merge "rebootescrow: allow dumpstate to call via binder" 2020-02-11 21:25:29 +00:00
Kenny Root
7ae220742c rebootescrow: allow dumpstate to call via binder
Allow dumpstate to call into rebootescrow to request debug information.

Bug: 148763226
Test: adb bugreport
Change-Id: Ib336cab755998b1ddcd7848b3e544c2e0f09c1aa
2020-02-10 21:28:32 -08:00