Commit graph

29 commits

Author SHA1 Message Date
Gavin Corkery
cd3bb575ab Add sepolicy for scheduling module data directories
Test: Manually test writing and reading files
Bug: 161353402
Change-Id: Ifbc0e4db0ec51f6565a0f52df06b1d148577b788
2021-02-15 22:31:27 +00:00
Orion Hodson
8f75f76fbd Permissions for odrefresh and /data/misc/apexdata/com.android.art
odrefresh is the process responsible for checking and creating ART
compilation artifacts that live in the ART APEX data
directory (/data/misc/apexdata/com.android.art).

There are two types of change here:

1) enabling odrefresh to run dex2oat and write updated boot class path
   and system server AOT artifacts into the ART APEX data directory.

2) enabling the zygote and assorted diagnostic tools to use the
   updated AOT artifacts.

odrefresh uses two file contexts: apex_art_data_file and
apex_art_staging_data_file. When odrefresh invokes dex2oat, the
generated files have the apex_art_staging_data_file label (which allows
writing). odrefresh then moves these files from the staging area to
their installation area and gives them the apex_art_data_file label.

Bug: 160683548
Test: adb root && adb shell /apex/com.android.art/bin/odrefresh
Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
2021-01-13 10:38:22 +00:00
Alan Stokes
7aa40413ae Split user_profile_data_file label.
user_profile_data_file is mlstrustedobject. And it needs to be,
because we want untrusted apps to be able to write to their profile
files, but they do not have levels.

But now we want to apply levels in the parent directories that have
the same label, and we want them to work so they need to not be
MLS-exempt. To resolve that we introduce a new label,
user_profile_root_file, which is applied to those directories (but no
files). We grant mostly the same access to the new label as
directories with the existing label.

Apart from appdomain, almost every domain which accesses
user_profile_data_file, and now user_profile_root_file, is already
mlstrustedsubject and so can't be affected by this change. The
exception is postinstall_dexopt which we now make mlstrustedobject.

Bug: 141677108
Bug: 175311045
Test: Manual: flash with wipe
Test: Manual: flash on top of older version
Test: Manual: install & uninstall apps
Test: Manual: create & remove user
Test: Presubmits.
Change-Id: I4e0def3d513b129d6c292f7edb076db341b4a2b3
2020-12-11 17:35:06 +00:00
Alan Stokes
fc0cab8d28 Allow vold to set MLS level on per-user directories.
We want to extend vold_prepare_subdirs to set the MLS level to the
correct per-user value for selected user-specific directories.

Grant vold_prepare_subdirs the access it needs to do this, and allow
vold to access the temporary property controlling this.

Bug: 141677108
Test: Manual, with and without property set.
Change-Id: I572462cfd9b8869381f2af5faa29165bb8373d4b
2020-10-02 13:39:59 +01:00
Roshan Pius
8f84cc32a8 sepolicy(wifi): Allow wifi service access to wifi apex directories
Bug: 148660313
Test: Compiles
Change-Id: I4a973c4516fda5f96f17f82cd3a424b0ca89004b
2020-02-21 10:40:32 -08:00
Hai Zhang
f301cd299b Add policies for permission APEX data directory.
Bug: 136503238
Test: presubmit
Change-Id: I636ab95070df4c58cf2c98b395d99cb807a7f243
2020-01-16 16:08:55 -08:00
Oli Lan
91ce5b9c22 Add type for directories containing snapshots of apex data.
This adds a new apex_rollback_data_file type for the snapshots (backups)
of APEX data directories that can be restored in the event of a rollback.

Permission is given for apexd to create files and dirs in those directories
and for vold_prepare_subdirs to create the directories.

See go/apex-data-directories for details.

Bug: 141148175
Test: Built and flashed, checked directory was created with the correct
type.

Change-Id: I94b448dfc096e5702d3e33ace6f9df69f58340fd
2019-12-09 11:16:24 +00:00
Oli Lan
79b4e1af4a Add type for APEX data directories.
This adds a new apex_module_data_file type for the APEX data directories
under /data/misc/apexdata and /data/misc_[de|ce]/<u>/apexdata.

Permission is given for vold to identify which APEXes are present and
create the corresponding directories under apexdata in the ce/de user
directories.

See go/apex-data-directories.

Bug: 141148175
Test: Built & flashed, checked directories were created.
Change-Id: I95591e5fe85fc34f7ed21e2f4a75900ec2cfacfa
2019-12-09 11:14:38 +00:00
Roshan Pius
d804a76d03 Revert "sepolicy: Permission changes for new wifi mainline module"
This reverts commit 3aa1c1725e.

Reason for revert: Wifi services no longer plan to be a separate
APK/process for mainline. Will instead become a jar loaded from Apex.

Bug: 144722612
Test: Device boots up & connects to wifi networks
Change-Id: Ifa33dae971dccfd5d14991727e2f27d2398fdc74
2019-11-22 09:49:32 -08:00
Roshan Pius
3aa1c1725e sepolicy: Permission changes for new wifi mainline module
Move wifi services out of system_server into a separate APK/process.

Changes:
a) Created sepolicy for the new wifi apk.
b) The new APK will run with network_stack uid (eventually will be moved
to the same process).

Used 'audit2allow' tool to gather list of permissions required.

Note: The existing wifi related permissions in system_server is left
behind to allow the module to be loaded into system_server or
network_stack process depending on device configuration.

Bug: 113174748
Test: Device boots up and able to make wifi connection.
Test: Tested hotspot functionality.
Test: Ran WifiManagerTest & WifiSoftApTest ACTS tests locally.
Test: Will send for wifi regression tests.
Change-Id: Id19643a235bf0c28238f2729926b893ac2025b97
(cherry-picked from c7aa90091e6bec70a31a643cc4519a9a86fb0b38)
2019-07-16 13:30:15 -07:00
Joel Galenson
5d5ac9ad6e Dontaudit unneeded denials.
These denials are intermittent and unnecessary.  Hide them while we
investigate how to properly fix the issue.

Bug: 131096543
Bug: 132093726
Test: Build
Change-Id: I1950c10a93d183c19c510f869419fcfccd5006d2
(cherry picked from commit 654ceeb93f)
2019-05-10 08:14:54 -07:00
Nick Kralevich
9097360049 Revert "Temporarily hide denial to fix tests."
This reverts commit 94b5fe4af5.

Reason for revert: Obsoleted by https://android-review.googlesource.com/933916

Bug: 129298168
Change-Id: I6b34cfdf76b5094db17ee06831d8a662ea360956
Test: Build.
2019-03-27 13:56:20 +00:00
Joel Galenson
94b5fe4af5 Temporarily hide denial to fix tests.
This shoud be removed once the offending code is fixed.

Bug: 129298168
Test: Build.
Change-Id: Ie94a626be777a094fb587f72b3987994e085a23e
2019-03-25 17:37:51 -07:00
Annie Meng
4c3d11c018 Add rules for multi-user backup/restore
The backup system service will move its storage location to per-user CE
directories to support multiple users. Add additional iterations on the
existing rules to support the new location.

/data/backup -> /data/system_ce/[user id]/backup
Previously covered by rule backup_data_file

/cache/backup -> /data/system_ce/[user id]/backup_stage
Previously covered by rule cache_backup_file

Also add support for vold to create and perform restorecon on the new
locations.

Example denials and detailed proposal in the doc on the linked bug.

Bug: 121197420
Test: 1) Boot device; check dirs created with correct label; run backup
successfully on system user
2) Create secondary user; check dirs created with correct label; run
backup successfully

Change-Id: I47faa69cd2a6ac55fb762edbf366a86d3b06ca77
2019-01-17 12:53:08 +00:00
Narayan Kamath
2ad229c788 Add initial sepolicy for app data snapshots.
Define a rollback_data_file label and apply it to the snapshots
directory. This change contains just enough detail to allow
vold_prepare_subdirs to prepare these directories correctly.

A follow up change will flesh out the access policy on these
directories in more detail.

Test: make, manual
Bug: 112431924

Change-Id: I4fa7187d9558697016af4918df6e34aac1957176
2019-01-16 15:22:51 +00:00
Kevin Chyn
91c2580bce Add placeholder iris and face policy for vold data directory
This is PS1 of aosp/828283 which was reverted. Using PS1 shouldn't cause
the same issue.

Test: vold is able to create directories, ag/5534962

Bug: 116528212
Change-Id: I84aca49a8dae0a087498120780dea0962aca04b3
2018-11-30 11:37:19 -08:00
Nick Kralevich
83f25e26f9 Revert "Add placeholder iris and face policy for vold data directory"
This reverts commit 92bde4b941.

Reason for revert: Rebooting after OTA fails due to the
filesystem still seeing the old label on the device.

Bug: 116528212
Bug: 119747564
Change-Id: Ib5f920f85c7e305e89c377369dca038d2c6c738c
Test: rollback change
2018-11-19 15:00:19 -08:00
Kevin Chyn
92bde4b941 Add placeholder iris and face policy for vold data directory
Test: vold is able to create directories, ag/5534962

Bug: 116528212

Change-Id: I61dd8802c13b1c42d334a80b678ca6a877848fc2
2018-11-15 17:32:03 -08:00
Benjamin Gordon
342362ae3e sepolicy: grant dac_read_search to domains with dac_override
kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order
of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of
dac_override and dac_read_search checks.  Domains that have dac_override
will now generate spurious denials for dac_read_search unless they also
have that permission.  Since dac_override is a strict superset of
dac_read_search, grant dac_read_search to all domains that already have
dac_override to get rid of the denials.

Bug: 114280985
Bug: crbug.com/877588
Test: Booted on a device running 4.14.
Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
2018-09-19 15:54:37 -06:00
Andreas Huber
4d6a5e8700 Fingerprint data is now stored in one of two ways depending on the
shipping API version:

For devices shipped on O-MR1 nothing changes, data is stored
under /data/system/users/<user-id>/fpdata/...

Devices shipped from now on will instead store fingerprint data under
/data/vendor_de/<user-id>/fpdata.

Support for /data/vendor_de and /data/vendor_ce has been added to vold.

Bug: 36997597
Change-Id: Ibc7cc33b756f64abe68a749c0ada0ca4f6d92514
Merged-In: Ibc7cc33b756f64abe68a749c0ada0ca4f6d92514
Test: manually
(cherry picked from commit 6116daa71a)
2018-05-16 14:22:14 -07:00
Paul Crowley
8096639792 Allow vold_prepare_subdirs to delete more files.
Bug: 78591623
Test: Create a new user with a fingerprint. Reboot. Delete that user.
    Check for denials, files left over in /data/*_{c,d}e/10
Merged-In: Ib818e112a98c5b954ee829e93ebd69c3b12940cf
Change-Id: Ib818e112a98c5b954ee829e93ebd69c3b12940cf
2018-04-26 15:26:11 -07:00
Joel Galenson
254a872cab Let vold_prepare_subdirs completely clean deleted user data.
After adding a new user, deleting it, and rebooting, some of the user's data still remained.  This adds the SELinux permissions necessary to remove all of the data.  It fixes the followign denials:

avc: denied { rmdir } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
avc: denied { unlink } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Bug: 74866238
Test: Create user, delete user, reboot user, see no denials or
leftover data.

Change-Id: Ibc43bd2552b388a9708bf781b5ad206f21df62dc
2018-04-16 16:39:43 -07:00
Joel Galenson
fc870ce954 Allow some vold_prepare_subdirs denials.
This addresses the following denials:

avc: denied { fowner } for comm="rm" scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:r:vold_prepare_subdirs:s0 tclass=capability
avc: denied { getattr } for comm="rm" scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:storaged_data_file:s0 tclass=file
avc: denied { relabelfrom } for comm="vold_prepare_su" name="storaged" scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
avc: denied { getattr } for comm="rm" scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Bug: 77875245
Test: Boot device.
Test: Mislabel directories used by vold_prepare_subdirs, reboot, and
ensure it can relabel them without denials.
Test: Add user, reboot, delete user, reboot, observe no denials.

(cherry picked from commit 855dd5a856)

Merged-In: Id67bc99f151a6ccb9619bbfb7080452956405121
Change-Id: I2f6b5abfaf81570d03a30f2edf7296b5afd10c9b
2018-04-13 09:47:58 -07:00
Jeff Vander Stoep
d25ccabd24 label /data/vendor{_ce,_de}
Restrictions introduced in vendor init mean that new devices
may not no longer exempt vendor init from writing to system_data_file.
This means we must introduce a new label for /data/vendor which
vendor_init may write to.

Bug: 73087047
Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint
    No new denials.

Change-Id: I65f904bb28952d4776aab947515947e14befbe34
2018-02-08 17:21:25 +00:00
Jeff Vander Stoep
bdbdb0f25f vold_prepare_subdirs: grant chown
Addresses:
avc: denied { chown } for comm="vold_prepare_su" capability=0
scontext=u:r:vold_prepare_subdirs:s0
tcontext=u:r:vold_prepare_subdirs:s0 tclass=capability

Bug: 71796118
Test: build
Change-Id: I64b2f1ad8d6e0748c5820b8a37a4fc4f4101d1fb
2018-01-10 08:37:42 -08:00
Benjamin Gordon
9b2e0cbeea sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-21 08:34:32 -07:00
Paul Crowley
5850a2ae6b Move most of public/vold_prepare_subdirs.te to private
AIUI permissions should be in private unless they need to be public.

Bug: 25861755
Test: Boot device, create and remove a user, observe logs
Change-Id: I6c3521d50dab2d508fce4b614d51e163e7c8f3da
2017-10-25 13:06:25 -07:00
Jin Qian
c0125335e5 allow vold_prepare_subdirs to create storaged directories
Test: Boot device, observe logs
Bug: 63740245
Change-Id: I1068304b12ea90736b7927b7368ba1a213d2fbae
2017-10-23 11:34:47 -07:00
Paul Crowley
5b962cfd7b vold_prepare_subdirs sets policy in vold-created dirs.
Bug: 25861755
Test: Boot device, observe logs
Change-Id: I6c13430d42e9794003eb48e6ca219b874112b900
Merged-In: I6c13430d42e9794003eb48e6ca219b874112b900
(cherry picked from commit 47f3ed09d2)
2017-10-17 10:17:20 -07:00