Commit graph

455 commits

Author SHA1 Message Date
Yabin Cui
bd4c9e8530 Add permissions in profcollectd to parse kernel etm data.
To parse etm data for kernel and kernel modules, add below permissions
to profcollectd:
1. Get kernel start address and module addresses from /proc/kallsyms
and /proc/modules.
2. Get kernel build id from /sys/kernel/notes.
3. Read kernel module files in vendor dir.

Bug: 166559473
Test: run profcollectd.

Change-Id: I2e0b346379271fadc20e720722f7c9a687335ee2
2021-04-08 16:03:59 -07:00
Josh Gao
d6d8a0fa5e Merge "Add neverallow to prevent reading heap dumps." 2021-04-05 23:55:11 +00:00
Treehugger Robot
da7889276f Merge "Use postinstall file_contexts" 2021-03-30 18:01:34 +00:00
Alex Light
16dfb432b3 Use postinstall file_contexts
Previously we would mount OTA images with a 'context=...' mount
option. This meant that all selinux contexts were ignored in the ota
image, limiting the usefulness of selinux in this situation. To fix
this the mount has been changed to not overwrite the declared contexts
and the policies have been updated to accurately describe the actions
being performed by an OTA.

Bug: 181182967
Test: Manual OTA of blueline
Merged-In: I5eb53625202479ea7e75c27273531257d041e69d
Change-Id: I5eb53625202479ea7e75c27273531257d041e69d
2021-03-24 17:00:35 -07:00
Thiébaud Weksteen
6620b476a8 Merge "Add SELinux lockdown policy" 2021-03-23 17:49:53 +00:00
Peter Collingbourne
228c1c396c Merge "Add support for a hw_timeout_multiplier system property." 2021-03-17 18:18:51 +00:00
Thiébaud Weksteen
bcfca1a686 Add SELinux lockdown policy
The lockdown hook defines 2 modes: integrity and confidentiality [1].
The integrity mode ensures that the kernel integrity cannot be corrupted
by directly modifying memory (i.e. using /dev/mem), accessing PCI
devices, interacting with debugfs, etc. While some of these methods
overlap with the current policy definition, there is value in enforcing
this mode for Android to ensure that no permission has been overly
granted. Some of these detection methods use arbitrary heuristic to
characterize the access [2]. Adapt part of the policy to match this
constraint.

The confidentiality mode further restricts the use of other kernel
facilities such as tracefs. Android already defines a fine-grained
policy for these. Furthermore, access to part of tracefs is required in
all domains (see debugfs_trace_marker). Allow any access related to this
mode.

[1] https://lore.kernel.org/linux-api/20190820001805.241928-4-matthewgarrett@google.com/
[2] https://lore.kernel.org/linux-api/20190820001805.241928-27-matthewgarrett@google.com/

Bug: 148822198
Test: boot cuttlefish with patched kernel; check logcat for denials.
Test: run simpleperf monitor to exercise tracefs; check logcat for denials.
Change-Id: Ib826a0c153771a61aae963678394b75faa6ca1fe
2021-03-17 15:26:01 +01:00
Janis Danisevskis
ac4a6e75fc Keystore 2.0: Allow apps to get the Keystore state.
Bug: 171305684
Test: atest com.android.server.locksettings
Change-Id: I348e02704a0ddacb7859821149dc97df1d298758
2021-03-15 19:04:03 -07:00
Peter Collingbourne
01e58e0fe3 Add support for a hw_timeout_multiplier system property.
In order to test the platform in emulators that are orders of magnitude
slower than real hardware we need to be able to avoid hitting timeouts
that prevent it from coming up properly. For this purpose introduce
a system property, ro.hw_timeout_multiplier, which may be set to
an integer value that acts as a multiplier for various timeouts on
the system.

Bug: 178231152
Change-Id: I6d7710beed0c4c5b1720e74e7abe3a586778c678
Merged-In: I6d7710beed0c4c5b1720e74e7abe3a586778c678
2021-03-11 14:04:18 -08:00
Janis Danisevskis
291bc98a36 Keystore 2.0: Add policy for vpnprofilestore
Test: N/A
Change-Id: Iba6ca7be95dfcead8ce8ee17d6a6d78a5441d58f
2021-02-23 13:24:52 -08:00
Elliott Hughes
adaf4fe7a9 Merge "init/ueventd and system_server no longer need access to /dev/hw_random." 2021-02-16 20:08:39 +00:00
Elliott Hughes
5aaf7f3461 init/ueventd and system_server no longer need access to /dev/hw_random.
We let the kernel worry about that now.

Bug: http://b/179086242
Test: treehugger
Change-Id: I51bdfaf7488717cc4e4c642261e31d1801cfba68
2021-02-12 09:33:22 -08:00
Marco Ballesio
aa4ce95c6f sepolicy: rules for uid/pid cgroups v2 hierarchy
Bug: 168907513
Test: verified the correct working of the v2 uid/pid hierarchy in normal
and recovery modes

This reverts commit aa8bb3a29b.

Change-Id: Ib344d500ea49b86e862e223ab58a16601eebef47
2021-02-11 23:40:38 +00:00
Florian Mayer
ea00b68ee5 Allow shell to create shell_[test_]_data_file sockets.
This makes it easier to write some tests without requiring root for
creating a temporary socket.

Test: m
Test: atest perfetto_integrationtests with https://r.android.com/1575345
      passed with this CL
      failed without with
        avc: denied { create } for name="traced_consumer"
        scontext=u:r:shell:s0 tcontext=u:object_r:shell_data_file:s0
        tclass=sock_file permissive=0

Change-Id: I281778259a55973cda9d6e7af6dea5637591502c
2021-02-09 13:29:05 +00:00
Florian Mayer
5cefb23c4f Allow heapprofd to read shell_test_data_file.
This is so we can run integrationtests on user.

Change-Id: Ie6afad9758968e6cdeb030fbf4d3b75a61813269
2021-02-09 13:28:49 +00:00
Treehugger Robot
96acdc0b22 Merge "Revert^3 "sepolicy: rules for uid/pid cgroups v2 hierarchy"" 2021-02-05 01:59:16 +00:00
Marco Ballesio
aa8bb3a29b Revert^3 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
a54bed6907

Bug: 151660495
Test: verified proper boot in regular mode and proper working of adb in
recovery

Change-Id: Id70d27a6162af6ede94661005d80a2a780057089
2021-02-04 22:33:14 +00:00
Treehugger Robot
883de3cd2e Merge "Add vendor_public_framework_file type to SEPolicy" 2021-01-28 11:41:00 +00:00
Oliver Woodman
bc41c14ffd Merge "Define SOC sysprop policy" 2021-01-28 09:12:52 +00:00
Oliver Woodman
164ba2bd39 Define SOC sysprop policy
BUG: 158284209
Test: atest android.os.cts.BuildTest
Change-Id: I7df7e575072c37ca379b97f60cc6c0850a02bcd1
2021-01-27 13:49:00 +00:00
Marco Ballesio
a54bed6907 Revert^2 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
51c04ac27b

Change-Id: Idc35a84b5faabfb9bdd7a7693f51b11938eb0489
2021-01-27 06:07:48 +00:00
Dorin Drimus
84cd7087d5 Add vendor_public_framework_file type to SEPolicy
And allow access from system apps to vendor libs public only for system.
These files should be marked individually by OEMs. Maintainance
ownership for these libraries is also OEM's responsability.
Similar with vendor_public_libs_file type, this allows for an explicit
labeling of OEM system apps that can access libs from vendor.

Bug: 172526961
Test: build-only change, policy builds
Change-Id: I7d4c8232e0b52e73f373d3347170c87ab2dcce52
2021-01-26 15:59:37 +01:00
Orion Hodson
74b129b77c Merge "Permissions for odrefresh and /data/misc/apexdata/com.android.art" 2021-01-19 09:37:36 +00:00
Inseob Kim
150355b1c3 Merge "Revert^2 "Make default_prop only readable from coredomain"" 2021-01-14 09:42:25 +00:00
Inseob Kim
5c011e57a5 Revert^2 "Make default_prop only readable from coredomain"
This reverts commit 32fbfbc016.

Reason for revert: Fixed breakages

Change-Id: I474ee7dd7b82b4f2e02353e8a3fb55e3c410941f
2021-01-14 04:08:16 +00:00
Mitch Phillips
e0bab54ba6 Merge "[MTE] Add memtag sysprop sepolicy." 2021-01-13 18:07:36 +00:00
Orion Hodson
8f75f76fbd Permissions for odrefresh and /data/misc/apexdata/com.android.art
odrefresh is the process responsible for checking and creating ART
compilation artifacts that live in the ART APEX data
directory (/data/misc/apexdata/com.android.art).

There are two types of change here:

1) enabling odrefresh to run dex2oat and write updated boot class path
   and system server AOT artifacts into the ART APEX data directory.

2) enabling the zygote and assorted diagnostic tools to use the
   updated AOT artifacts.

odrefresh uses two file contexts: apex_art_data_file and
apex_art_staging_data_file. When odrefresh invokes dex2oat, the
generated files have the apex_art_staging_data_file label (which allows
writing). odrefresh then moves these files from the staging area to
their installation area and gives them the apex_art_data_file label.

Bug: 160683548
Test: adb root && adb shell /apex/com.android.art/bin/odrefresh
Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
2021-01-13 10:38:22 +00:00
Florian Mayer
a8a3d8b1bf Allow heapprofd central mode on user builds.
This simplifies operation by removing a special case for user builds.

Test: atest CtsPerfettoTestCases on user
Test: atest CtsPerfettoTestCases on userdebug
Test: atest perfetto_integrationtests on userdebug
Bug: 153139002
Change-Id: Ibbf3dd5e4f75c2a02d931f73b96fabb8157e0ebf
2021-01-11 17:19:02 +00:00
Mitch Phillips
eaf1404d8a [MTE] Add memtag sysprop sepolicy.
These flags should be writeable to the shell for both root and non-root
users. They should be readable everywhere, as they're read in libc
during initialization (and there's nothing secret to hide). We just
don't want to allow apps to set these properties.

These properties are non-persistent, are for local developer debugging
only.

Bug: 135772972
Bug: 172365548
Test: `adb shell setprop memtag.123 0` in non-root shell succeeds.
Change-Id: If9ad7123829b0be27c29050f10081d2aecdef670
2021-01-11 08:35:58 -08:00
Inseob Kim
726dc022db Merge "Revert "Make default_prop only readable from coredomain"" 2021-01-05 08:56:07 +00:00
Jackal Guo
32fbfbc016 Revert "Make default_prop only readable from coredomain"
This reverts commit 082ced1951.

Reason for revert: b/176784961

Change-Id: Ia85667216d63084e9e23aefe1d3bfd7942d51a2a
2021-01-05 08:47:57 +00:00
Treehugger Robot
3acee7da98 Merge "Make default_prop only readable from coredomain" 2021-01-05 05:25:14 +00:00
Josh Gao
0f48b76e72 Add neverallow to prevent reading heap dumps.
Bug: http://b/172518739
Test: mma
Change-Id: I12342015ddd1d8666f62317e027dae6816f53c7e
2020-12-17 16:51:50 -08:00
Hridya Valsaraju
8c9cf62edb Allow coredomain access to only approved categories of vendor heaps
One of the advantages of the DMA-BUF heaps framework over
ION is that each heap is a separate char device and hence
it is possible to create separate sepolicy permissions to restrict
access to each heap.
In the case of ION, allocation in every heap had to be done through
/dev/ion which meant that there was no away to restrict allocations in
a specific heap.

This patch intends to restrict coredomain access to only approved
categories of vendor heaps. Currently, the only identified category
as per partner feedback is the system-secure heap which is defined
as a heap that allocates from protected memory.

Test: Build, video playback works on CF with ION disabled and
without sepolicy denials
Bug: 175697666

Change-Id: I923d2931c631d05d569e97f6e49145ef71324f3b
2020-12-16 10:08:54 -08:00
Inseob Kim
082ced1951 Make default_prop only readable from coredomain
default_prop has been readable from coredomain and appdomain. It's too
broad, because default_prop is a context for properties which don't have
matching property_contexts entries.

From now on, only coredomain can read default_prop. It's still broad,
but at least random apps can't read default_prop anymore.

Bug: 170590987
Test: SELinux denial boot test for internal devices
Change-Id: Ieed7e60d7e4448705c70e4f1725b2290e4fbcb4a
2020-12-14 16:58:23 +09:00
Janis Danisevskis
d5ad76b0c4 Add policy for the android protected confirmation service.
This is the service offered by Keystore 2.0 to provide APC service to
application. It was formerly part of the IKeystoreService interface.
Not it is an interface in ints own right.

Test: Keystore 2.0 can register the apc service interface.
      Apps can lookup and call this interface.
Bug: 159341464
Change-Id: I058adf0021d9b89f4eac7534e366c29071f0f98b
2020-12-10 10:58:11 -08:00
Jonglin Lee
51c04ac27b Revert "sepolicy: rules for uid/pid cgroups v2 hierarchy"
Revert submission 1511692-cgroup v2 uid/pid hierarchy

Reason for revert: Causing intermittent cgroup kernel panics
Reverted Changes:
I80c2a069b:sepolicy: rules for uid/pid cgroups v2 hierarchy
I73f3e767d:libprocessgroup: uid/pid hierarchy for cgroup v2

Bug: 174776875
Change-Id: I63a03bb43d87c9aa564b1436a45fd5ec023aac87
Test: Locally reverted and booted 100 times without kernel panic
2020-12-04 03:12:59 +00:00
Marco Ballesio
f46d7a26c1 sepolicy: rules for uid/pid cgroups v2 hierarchy
the cgroups v2 uid/gid hierarchy will replace cgroup for all sepolicy
rules. For this reason, old rules have to be duplicated to cgroup_v2,
plus some rules must be added to allow the ownership change for cgroup
files created by init and zygote.

Test: booted device, verified correct access from init, system_server
and zygote to the uid/pid cgroup files

Change-Id: I80c2a069b0fb409b442e1160148ddc48e31d6809
2020-11-30 11:46:14 -08:00
Suren Baghdasaryan
37f1a137b6 Add rules for per-API level task profiles and cgroup description files
Define access rights to new per-API level task profiles and cgroup
description files under /etc/task_profiles/.

Bug: 172066799
Test: boot with per-API task profiles
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I04c9929fdffe33a9fc82d431a53f47630f9dcfc3
2020-11-23 09:30:26 -08:00
Florian Mayer
b23d38c7a0 Merge "userdebug_or_eng: allow traced_perf to read kallsyms." 2020-11-13 10:02:27 +00:00
Florian Mayer
167407dc47 userdebug_or_eng: allow traced_perf to read kallsyms.
This tracing daemon interfaces with perf_events, and is used for
callstack sampling. Currently, we only handle userspace stacks. We
have the ability to collect kernel frame addresses (as unwound
by the kernel itself), but need /proc/kallsyms to symbolize them.

This patch mirrors what was done for traced_probes (ftrace event
kptr symbolization) in aosp/1455337 - the daemon can set a sysprop
that causes "init" to temporarily relax kptr_restrict, then the daemon
can open and read /proc/kallsyms. After the file is parsed, the
kptr_restrict value is restored.

To reiterate, this is confined to userdebug_or_eng due to the reasons
outlined in go/perfetto-kallsyms.

Bug: 173124818
Change-Id: I9077bbfe6fea3318f4c37947a5c455061ca43d8d
2020-11-12 20:04:40 +00:00
Alan Stokes
668e74f6f4 Exempt app_data_file_type from neverallow rules.
We need to be able to access app data files from core domains such as
installd even for vendor apps. Those file types should not be
core_data_file_type, so we explicitly exempty app_data_file_type as
well as core_data_file_type from the relevant neverallows.

To prevent misuse of the attribute, add a test to check it is not
applied to anything in file_contexts. Exempt the existing violators in
system policy for now.

Test: Builds
Test: Adding a type with just "file_type, data_file_type, app_data_file_type" works
Test: New test successfully catches  violators.
Bug: 171795911
Change-Id: I07bf3ec3db615f8b7a33d8235da5e6d8e2508975
2020-11-12 18:08:18 +00:00
Alan Stokes
f8ad33985d Introduce app_data_file_type attribute.
This gives us an easy way for the policy to refer to all existing or
future types used for app private data files in type= assignments in
seapp_contexts.

Apply the label to all the existing types, then refactor rules to use
the new attribute.

This is intended as a pure refactoring, except that:
- Some neverallow rules are extended to cover types they previous
omitted;
- We allow iorap_inode2filename limited access to shell_data_file and
  nfc_data_file;
- We allow zygote limited access to system_app_data_file.

This mostly reverts the revert in commit
b01e1d97bf, restoring commit
27e0c740f1. Changes to check_seapp to
enforce use of app_data_file_type is omitted, to be included in a
following CL.

Test: Presubmits
Bug: 171795911
Change-Id: I02b31e7b3d5634c94763387284b5a154fe5b71b4
2020-11-11 14:43:36 +00:00
Alan Stokes
b01e1d97bf Revert "Introduce app_data_file_type attribute."
This reverts commit 27e0c740f1.

Reason for revert: b/172926597

Change-Id: Id2443446cbdf51dc05b303028377895b9cf2a09e
2020-11-10 18:02:14 +00:00
Alan Stokes
27e0c740f1 Introduce app_data_file_type attribute.
This gives us an easy way for the policy to refer to all existing or
future types used for app private data files in type= assignments in
seapp_contexts.

Apply the label to all the existing types, then refactor rules to use
the new attribute.

This is intended as a pure refactoring, except that:
- Some neverallow rules are extended to cover types they previous
omitted;
- We allow iorap_inode2filename limited access to shell_data_file and
  nfc_data_file;
- We allow zygote limited access to system_app_data_file.

Also extend check_seapp to check that all types specified in
seapp_contexts files have the attribute, to ensure that the neverallow
rules apply to them. As a small bonus, also verify that domain and
type values are actually types not attributes.

Test: Presubmits
Test: Manual: specify an invalid type, build breaks.
Bug: 171795911
Change-Id: Iab6018af449dab3b407824e635dc62e3d81e07c9
2020-11-09 11:04:02 +00:00
Florian Mayer
12376168b4 New type for printk_formats, allow traced_probes.
Test: ls -lZ /sys/kernel/tracing/printk_formats
      [...] u:object_r:debugfs_tracing_printk_formats:s0 [...]

Test: setenforce 0;
      runcon u:r:system_server:s0 cat /sys/kernel/tracing/printk_formats
      logcat complains about /sys/kernel/tracing/printk_formats

Test: setenforce 0;
      runcon u:r:traced_probes:s0 cat /sys/kernel/tracing/printk_formats
      logcat does not complain about /sys/kernel/tracing/printk_formats

(need to setenforce 0, because otherwise the exec of ls is denied).

Bug: 70292203
Change-Id: I15ddef686f979c59daaba5263fa99aca3cd139e5
2020-11-05 12:55:50 +00:00
Primiano Tucci
cd452300a7 Allow tracing service to access kallsyms on userdebug
This CL allows the traced_probes service to temporarily
lower kptr_restrict and read /proc/kallsyms.
This is allowed only on userdebug/eng builds.
The lowering of kptr_restrict is done via an init
property because the kernel checks that the kptr_restrict
writer is CAP_SYS_ADMIN, regardless of the /proc file ACLs [1].

[1] 4cbffc461e/kernel/sysctl.c (L2254)

Bug: 136133013
Design doc: go/perfetto-kallsyms
Test: perfetto_integrationtests --gtest_filter=PerfettoTest.KernelAddressSymbolization in r.android.com/1454882

Change-Id: Ic06e7a9a74c0f3e42fa63f7f41decc385c9fea2c
2020-10-23 14:03:08 +01:00
Treehugger Robot
766ad4462a Merge "Revert "Prevent isolated_app from searching system_data_file."" 2020-10-20 10:06:54 +00:00
Alan Stokes
0a364c35e5 Revert "Prevent isolated_app from searching system_data_file."
This reverts commit 8dea731805.

Reason for revert: b/162048565: broke access to /data/misc/shared_relro

Change-Id: Ia0f7b6bd575f1d1c95f11a356a5463b72dde9b10
2020-10-15 16:44:52 +00:00
Florian Mayer
7f663a15e1 Merge "Allow heapprofd to read shell_data_file." 2020-10-12 09:29:34 +00:00