Commit graph

45 commits

Author SHA1 Message Date
Andrew Walbran
3b6a385137 Merge "Add crosvm domain and give virtmanager and crosvm necessary permissions." 2021-04-22 18:57:15 +00:00
Andrew Walbran
a995e84c18 Add crosvm domain and give virtmanager and crosvm necessary permissions.
Bug: 183583115
Test: make TARGET_KERNEL_USE=5.4 TARGET_VIM3L=true
Change-Id: I566436fa2d27597566014f2a63198a88d6d2dbd6
2021-04-13 09:30:20 +00:00
Jooyung Han
b62be12176 Allow apexd to access a new dev_type: virtual disk
In microdroid, apexd activates apexes which are passed as a virtual disk
to share apexes with host Android.

Bug: 184605708
Test: apexd running in microdroid can read /dev/block/vdb2
  when a disk image is passed to crosvm via --disk= option.
Change-Id: Ie27774868a0e0befb4c42cff795d1531b042654c
2021-04-13 15:46:16 +09:00
Michael Rosenfeld
3ccbebb415 Permit dropping caches from the shell through sys.drop_caches.
*   Permits setting the sys.drop_caches property from shell.
*   Permits init to read and write to the drop_caches file.
*   Can only be set to 3 (drop_caches) and 0 (unset).

Bug: 178647679
Test: flashed user build and set property; no avc denials.
Test: flashed userdebug build and dropped caches w/o root.
Change-Id: Idcedf83f14f6299fab383f042829d8d548fb4f5d
2021-03-19 10:55:51 -07:00
Inseob Kim
85acf6ef70 Fix broken neverallow rules
neverallow rules with allowlist should look like:

    neverallow { domain -allow1 -allow2 } ...

Bug: 181744894
Test: m selinux_policy
Test: pcregrep -M -r "neverallow\s+{(\s*#.*\s*)*\s+-" .
Change-Id: Ibab72ccc1fbacb99b62fe127b4122e1ac22b938a
2021-03-10 10:44:22 +09:00
Alexander Potapenko
3d52817da4 Selinux policy for bootreceiver tracing instance
Create contexts for /sys/kernel/tracing/instances/bootreceiver
Allow read access to files in this dir for system_server.

Bug: 172316664
Bug: 181778620
Test: manual runs with KFENCE enabled
Signed-off-by: Alexander Potapenko <glider@google.com>
Change-Id: I7021a9f32b1392b9afb77294a1fd0a1be232b1f2
2021-03-05 08:53:39 +01:00
Wonsik Kim
08a25e6709 Revert "Selinux policy for bootreceiver tracing instance"
Revert submission 1572240-kernel_bootreceiver

Reason for revert: DroidMonitor: Potential culprit for Bug 181778620 - verifying through Forrest before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.
Reverted Changes:
Ic1c49a695:init.rc: set up a tracing instance for BootReceive...
I828666ec3:Selinux policy for bootreceiver tracing instance

Change-Id: I9a8da7ae501a4b7c3d6cb5bf365458cfd1bef906
2021-03-03 22:47:02 +00:00
Alexander Potapenko
31251aa6ec Selinux policy for bootreceiver tracing instance
Create contexts for /sys/kernel/tracing/instances/bootreceiver
Allow read access to files in this dir for system_server.

Bug: 172316664
Test: manual runs with KFENCE enabled
Signed-off-by: Alexander Potapenko <glider@google.com>
Change-Id: I828666ec3154aadf138cfa552832a66ad8f4a201
2021-03-02 16:53:12 +01:00
Paul Crowley
28befc841c Merge "init sets keystore.boot_level, keystore reads" 2021-02-27 05:05:50 +00:00
Paul Crowley
b0c5571da6 init sets keystore.boot_level, keystore reads
Bug: 176450483
Test: init can set, and keystore2 read, keystore.boot_level
Test: `adb shell getprop -Z | grep boot_level` returns
      [keystore.boot_level]: [u:object_r:keystore_listen_prop:s0]
Change-Id: Iedb37db19e9153995800fc97de6ee8c536179caa
2021-02-23 21:08:05 -08:00
David Anderson
d84b67e1cc Fix missing domain transition for snapuserd in recovery.
System files in recovery are labelled as rootfs, so we need an explicit
transition to snapuserd. Without this, factory data resets will fail
with a VABC OTA pending, with the following denial:

        avc:  denied  { entrypoint } for  pid=522 comm="init" path="/system/bin/snapuserd"
                dev="rootfs" ino=1491 scontext=u:r:snapuserd:s0 tcontext=u:object_r:rootfs:s0
                tclass=file permissive=0

Bug: 179336104
Test: factory data reset with VABC OTA pending
Change-Id: Ia839d84a48f2ac8ccb37d6ae3b1f8a8f7e619931
2021-02-23 00:10:43 -08:00
David Anderson
0c0c13a59f init: Allow interacting with snapuserd and libsnapshot.
During first-stage init we spawn a daemon (snapuserd) to interact with
the dm-user kernel module. Immediately after sepolicy is loaded, we
launch the daemon again with the correct privileges, and kill the
original one.

In order for init to do this, it needs to be able to open and write to
the snapuserd socket (which is corrected to the "correct" daemon), as
well as call flock() on /metadata/ota which is how libsnapshot ensures
exclusive access to Virtual A/B snapshots.

Bug: 168259959
Test: no denials with Virtual A/B Compression enabled
Change-Id: Ic7fc78ca1a17673b878766e0f4dfe0265c1be768
2020-10-30 00:17:37 -07:00
Inseob Kim
40c67b20f6 Remove exported2_default_prop
This cleans up remaining exported2_default_prop. Three properties are
changed.

- ro.arch
It becomes build_prop.

- hal.instrumentation.enable
It becomes hal_instrumentation_prop.

- ro.property_service.version
It becomes property_service_version_prop.

Bug: 155844385
Test: selinux denial test on Pixel devices
Change-Id: I7ee0bd8c522cc09ee82ef89e6a13bbbf65291291
2020-07-25 01:06:13 +09:00
Inseob Kim
8c34247c7f Add bootloader_prop for ro.boot. properties
ro.boot. properties assigned as "exported2_default_prop" are now
"bootloader_prop", to remove bad context name "exported2_default_prop".

Two things to clarify:

1) We have both the prefix entry and the exact entries. Although the
exact entries may be redundant, we may want to keep them. Vendors are
still allowed to have properties starting with "ro.boot." on
vendor_property_contexts file. The exact entries can prevent vendors
from modifying them to random contexts.

2) ro.boot. is special as it is originally for kernel command line
"androidboot.". But some ro.boot. properties are being used as if they
were normal. To avoid regression, ro.boot. properties having contexts
other than "exported2_default_prop" are not changed here. They will be
tracked later.

Bug: 155844385
Test: m selinux_policy
Change-Id: Ic0f4117ae68a828787304187457b5e1e105a52c7
Merged-In: Ic0f4117ae68a828787304187457b5e1e105a52c7
2020-07-24 00:15:23 +00:00
Inseob Kim
212e2b621a Add property contexts for vts props
vts_config_prop and vts_status_prop are added to remove exported*_prop.
ro.vts.coverage becomes vts_config_prop, and vts.native_server.on
becomes vts_status_prop.

Bug: 155844385
Test: Run some vts and then getprop, e.g. atest \
      VtsHalAudioEffectV4_0TargetTest && adb shell getprop
Test: ro.vts.coverage is read without denials
Change-Id: Ic3532ef0ae7083db8d619d80e2b73249f87981ce
2020-07-16 16:26:17 +09:00
Alistair Delva
178f0ac675 Add new perfmon capability2 and use it
There are probably more cases but this one blocks presubmit
for cuttlefish with mainline kernels.

Bug: 158304247
Change-Id: I6d769b16a230a113a804df61f8de4dcbce2193b6
2020-06-05 10:15:31 -07:00
Nikita Ioffe
44f5ffca15 Add userspace_reboot_log_prop
This properties are used to compute UserspaceRebootAtom and are going to
be written by system_server. Also removed now unused
userspace_reboot_prop.

Test: builds
Bug: 148767783
Change-Id: Iee44b4ca9f5d3913ac71b2ac6959c232f060f0ed
2020-02-07 01:57:55 +00:00
Ryan Savitski
52b3d315a2 Add sysprop for init's perf_event_open LSM hook check
Written exclusively by init. Made it readable by shell for CTS, and for
easier platform debugging.

Bug: 137092007
Change-Id: Ia5b056117502c272bc7169661069d0c8020695e2
2020-01-21 19:03:33 +00:00
Kiyoung Kim
b8f4e9280c Merge "Allow linkerconfig to be executed from recovery" 2019-12-13 01:09:58 +00:00
Kiyoung Kim
2c271aab42 Allow linkerconfig to be executed from recovery
Add extra policy to enable linkerconfig to be executed from recovery.

Bug: 139638519
Test: Tested from crosshatch recovery
Change-Id: I40cdea4c45e8a649f933ba6ee73afaa7ab3f5348
2019-12-11 15:50:35 +09:00
Nikita Ioffe
23ba976f34 Allow init to read /sys/block/dm-XX/dm/name
In order to remount ext4 userdata into checkpointing mode, init will
need to delete all devices from dm-stack it is mounted onto (e.g.
dm-bow, dm-crypto). For that it needs to get name of a dm-device by
reading /sys/block/dm-XX/dm/name file.

Test: adb shell setprop sys.init.userdata_remount.force_umount_f2fs 1
Test: adb shell /system/bin/vdc checkpoint startCheckpoint 1
Test: adb reboot userspace
Test: adb shell dumpsys activity
Bug: 135984674
Bug: 143970043
Change-Id: I919a4afdce8a4f88322f636fdf796a2f1a955d04
2019-12-09 21:21:55 +00:00
Nikita Ioffe
7065e46b5d Add selinux rules for userspace reboot related properties
By default sys.init.userspace_reboot.* properties are internal to
/system partition. Only exception is
sys.init.userspace_reboot.in_progress which signals to all native
services (including vendor ones) that userspace reboot is happening,
hence it should be a system_public_prop.

Only init should be allowed to set userspace reboot related properties.

Bug: 135984674
Test: builds
Test: adb reboot userspace
Change-Id: Ibb04965be2d5bf6e81b34569aaaa1014ff61e0d3
2019-11-19 17:41:28 +00:00
Tao Bao
ecc7e8cacb Move /sbin/charger to /system/bin/charger.
With the CLs in the same topic, it's being built as a dynamically linked
executable. And this applies to normal boot (including charger mode) and
recovery mode both.

/system/bin/charger under normal boot will be labeled as charger_exec,
which has the attribute of system_file_type.

The file in recovery image will still be labeled as rootfs. So we keep
the domain_trans rule for rootfs file, but allowing for recovery mode
only.

Bug: 73660730
Test: Boot into charger mode on taimen. Check that charger UI works.
Test: Boot into recovery mode. Check that charger process works.
Change-Id: I062d81c346578cdfce1cc2dce18c829387a1fdbc
2019-03-14 09:44:03 -07:00
Joel Fernandes
147cf6482e Allow executing bpfloader from init and modify rules
init needs to execute bpfloader as a one-shot service. Add sepolicy for
the same. Also update old rules allowing init to fork/exec bpfloader and
remove rules allowing netd to do so.

Bug: 112334572
Change-Id: Ic242cd507731ed8af3f8e94d4fccc95819831d37
Signed-off-by: Joel Fernandes <joelaf@google.com>
2019-01-14 10:59:10 -05:00
Branden Archer
d36b1d5f62 Allow init to set powerctl property
NIAP certification requires that all cryptographic functions
undergo a self-test during startup to demonstrate correct
operation. init now performs this check during startup.

The self-test is forked from init. For the child process
to be able to request a reboot it needs permissions to
set the sys.powerctl property.

Bug: 119826244
Test: Built for walleye. When the BoringSSL self test was forced
      to fail the device rebooted into the bootloader, as
      expected.

Change-Id: I4171b1dd0a5e393252ae5c002171ac51c9cbb3e6
2018-11-27 15:47:12 -08:00
Jerry Zhang
1d85efa9f4 Add sepolicy for fastbootd
Also allow adb and fastboot to talk to recovery
through recovery_socket. This enables changing
between modes with usb commands.

Test: No selinux denials
Bug: 78793464
Change-Id: I80c54d4eaf3b94a1fe26d2280af4e57cb1593790
2018-08-15 08:45:22 -07:00
Florian Mayer
c2ab15b798 Revert "Add sepolicy for fastbootd"
This reverts commit 0fd3ed3b8b.

Reason for revert: Broke user builds.

Change-Id: If95f1a25d22425a5a2b68a02d1561352fb5a52f0
2018-08-15 09:38:40 +00:00
Jerry Zhang
0fd3ed3b8b Add sepolicy for fastbootd
Also allow adb and fastboot to talk to recovery
through recovery_socket. This enables changing
between modes with usb commands.

Test: No selinux denials
Bug: 78793464
Change-Id: I1f97659736429fe961319c642f458c80f199ffb4
2018-08-14 20:21:36 +00:00
Tom Cherry
938ab05d72 Allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
This is do aid developers pushing debug services to not need to modify
the underlying SEPolicy

avc: denied { transition } for comm="init" path="/system/bin/awk"
dev="dm-0" ino=1934 scontext=u:r:init:s0 tcontext=u:r:su:s0
tclass=process
avc: denied { rlimitinh } for comm="awk" scontext=u:r:init:s0
tcontext=u:r:su:s0 tclass=process
avc: denied { siginh } for comm="awk" scontext=u:r:init:s0
tcontext=u:r:su:s0 tclass=process
avc: denied { noatsecure } for comm="awk" scontext=u:r:init:s0
tcontext=u:r:su:s0 tclass=process

Test: init can execute a system_file marked with seclabel u:r:su:s0
Change-Id: I85d9528341fe08dbb2fb9a91e34a41f41aa093be
2018-08-03 19:41:03 +00:00
Tom Cherry
d840374e65 Move watchdogd out of init and into its own domain
Bug: 73660730
Test: watchdogd still runs
Change-Id: I31697c7c6fa2f7009731ff48c659af051838e42f
2018-08-03 19:28:05 +00:00
Alan Stokes
06bac37f51 Installd doesn't need to create cgroup files.
cgroupfs doesn't allow files to be created, so this can't be needed.

Also remove redundant neverallow and dontaudit rules. These are now
more broadly handled by domain.te.

Bug: 74182216

Test: Denials remain silenced.

Change-Id: If7eb0e59f567695d987272a2fd36dbc251516e9f

(cherry picked from commit 8e8c109350)
2018-04-09 13:49:13 +01:00
Alan Stokes
832a7042b0 Suppress harmless denials for file creation in cgroupfs.
The kernel generates file creation audits when O_CREAT is passed even
if the file already exists - which it always does in the cgroup cases.

We add neverallow rules to prevent mistakenly allowing unnecessary
create access. We also suppress these denials, which just add noise to
the log, for the more common culprits.

Bug: 72643420
Bug: 74182216

Test: Ran build_policies.sh and checked failures were unrelated.
Test: Device still boots, denials gone.
Change-Id: I034b41ca70da1e73b81fe90090e656f4a3b542dc
(cherry picked from commit 92c149d077)
2018-03-29 10:18:54 -07:00
Tom Cherry
621c24cbab add vendor_init.te
First pass at adding vendor_init.te

Bug: 62875318
Test: boot sailfish with vendor_init
Change-Id: I35cc9be324075d8baae866d6de4166c37fddac68
2017-10-25 09:21:30 -07:00
Jin Qian
4de505b6fb allow init to run mke2fs tools to format partitions
Test: let fs_mgr format a damaged /data partition
Bug: 35219933
Change-Id: If92352ea7a70780e9d81ab10963d63e16b793792
(cherry picked from commit 5f573ab2aa)
2017-09-11 18:34:10 +00:00
Bowgo Tsai
5846c79e80 Moving adbd from rootdir to system/bin
Bug: 63910933
Test: boot sailfish in normal mode, checks adbd is started
Test: boot sailfish in recovery mode, checks adbd is started
Test: boot bullhead in normal mode, checks adbd is started
Test: boot bullhead in recovery mode, checks adbd is started

Change-Id: I35ed78a15a34626fbd3c21d030e2bf51033f7b79
Merged-In: I35ed78a15a34626fbd3c21d030e2bf51033f7b79
(cherry picked from commit e2423d149b)
2017-08-28 17:38:13 +08:00
Sandeep Patil
e41af20397 Fix coredomain violation for modprobe
modprobe domain was allowed to launch vendor toolbox even if its a
coredomain. That violates the treble separation. Fix that by creating a
separate 'vendor_modprobe' domain that init is allowed to transition to
through vendor_toolbox.

Bug: 37008075
Test: Build and boot sailfish

Change-Id: Ic3331797691bb5d1fdc05a674aa4aa313e1f86b2
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 9e366a0e49)
2017-06-05 08:09:18 -07:00
Sandeep Patil
d46b5d3519 Allow init to run vendor toybox for modprobe
vendor implementations need to be able to run modprobe as part of
init.rc scripts.  They cannot do so because of the strict neverallow
currently in place that disallows all coredomains (including init)
to execute vendor toybox.

Fix this by adding init to the exception list for the neverallow so
vendors can then run modprobe from .rc scripts and also add the rule to
allow init to transition to modprobe domain using vendor_toolbox.

Bug: b/38212864
Test: Boot sailfish

Change-Id: Ib839246954e9002859f3ba986094f206bfead137
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-05-24 15:01:20 -07:00
Howard Chen
f69311300f SELinux changes for Treble Loadable Kernel Module
This change extends the recovery mode modprobe sepolicy
to support loadable kernel module in normal mode by using
statement below in init.rc:

exec u:r:modprobe:s0 -- /system/bin/modprobe \
    -d /vendor/lib/modules mod

Bug: b/35653245
Test: sailfish  with local built kernel and LKM enabled
Change-Id: I827e2ce387c899db3e0e179da92e79c75d61f5ae
(cherry picked from commit b638d9493f)
2017-04-10 20:15:51 +09:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
Jaesoo Lee
d363b0f9eb enabled /sbin/modprobe for recovery mode
This change defines new policy for modprobe (/sbin/modprobe) that should
be used in both recovery and android mode.

Denials:
[   16.986440] c0    437 audit: type=1400 audit(6138546.943:5): avc:
denied  { read } for  pid=437 comm="modprobe" name="modules" dev="proc"
ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1
[   16.986521] c0    437 audit: type=1400 audit(6138546.943:6): avc:
denied  { open } for  pid=437 comm="modprobe" path="/proc/modules"
dev="proc" ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1
[   16.986544] c0    437 audit: type=1400 audit(6138546.943:7): avc:
denied  { getattr } for  pid=437 comm="modprobe" path="/proc/modules"
dev="proc" ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1

Bug: 35633646
Test: Build and tested it works in sailfish recovery. The modprobe is
invoked in init.rc (at the end of 'on init') with following command line

    exec u:r:modprobe:s0 -- /sbin/modprobe -a nilfs2 ftl

Change-Id: Ie70be6f918bea6059f806e2eb38cd48229facafa
2017-03-16 01:19:58 +00:00
Paul Lawrence
e9cb76381c Remove selinux denial
Don't audit directory writes to sysfs since they cannot succees
and therefore cannot be a security issue

Bug: 35303861
Test: Make sure denial is no longer shown
Change-Id: I1f31d35aa01e28e3eb7371b1a75fc4090ea40464
2017-02-13 08:51:33 -08:00
Mark Salyzyn
da62cb4dda logcat: introduce split to logd and logpersist domains
- transition to logpersist from init
- sort some overlapping negative references
- intention is to allow logpersist to be used by vendor
  userdebug logging

Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests
Bug: 30566487
Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
2016-12-20 20:31:03 +00:00
Sandeep Patil
137a13d5f5 healthd: restore healthd sepolicy for charger mode
Test: Boot charge-only and android on sailfish

Bug: https://b/33672744

Change-Id: I6a25e90a716ec0ca46b5ba5edad860aa0eebafef
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 3b25e38410)
2016-12-15 18:17:13 -08:00
Sandeep Patil
dc08245c3f healthd: create SEPolicy for 'charger' and reduce healthd's scope
healthd is being split into 'charger' and 'healthd' processes, that
will never run together. 'charger' is to be run only in charge-only
and recovery, while healthd runs with Android.

While they both share much of battery monitoring code, they both now
have reduced scope. E.g. 'charger', doesn't need to use binder anymore
and healthd doesn't need to do charging ui animation. So, amend the
SEPolicy for healthd to reduce it's scope and add a new one for charger.

Test: Tested all modes {recovery, charger-only, android} with new policy

Change-Id: If7f81875c605f7f07da4d23a313f308b9dde9ce8
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit c73d0022ad)
2016-12-15 18:17:13 -08:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00