Commit graph

115 commits

Author SHA1 Message Date
Martijn Coenen
e3f1d5a314 Create new mediaprovider_app domain.
This is a domain for the MediaProvider mainline module. The
MediaProvider process is responsible for managing external storage, and
as such should be able to have full read/write access to it. It also
hosts a FUSE filesystem that allows other apps to access said storage in
a safe way. Finally, it needs to call some ioctl's to set project quota
on the lower filesystem correctly.

Bug: 141595441
Test: builds, mediaprovider module gets the correct domain
Change-Id: I0d705148774a1bbb59c927e267a484cb5c44f548
2020-02-04 16:53:18 +01:00
Jeff Vander Stoep
b38a1d8804 untrusted_app: disallow bind RTM_ROUTE socket
Bug: 141455849
Change-Id: I27a8735626a5c3c8aad49e8a68de166f3a10cfde
Test: CtsSelinuxTargetSdkCurrentTestCases
Test: atest bionic-unit-tests-static
Test: atest NetworkInterfaceTest
2020-01-28 10:49:50 +01:00
Jeff Vander Stoep
1f7ae8ee3f reland: untrusted_app_29: add new targetSdk domain
Enforce new requirements on app with targetSdkVersion=30 including:
- No RTM_GETLINK on netlink route sockets.

Remove some of the repetitive descriptions in each untrusted_app_N.te
file, and instead refer to the description in
public/untrusted_app.te.

Bug: 141455849
Test: CtsSelinuxTargetSdkCurrentTestCases
Test: libcore.java.net.NetworkInterfaceTest#testGetNetworkInterfaces
Change-Id: I89553e48db3bc71f229c71fafeee9005703e5c0b
2020-01-22 09:47:53 +00:00
Santiago Seifert
1d241db7e5 Revert "untrusted_app_29: add new targetSdk domain"
This reverts commit a1aa2210a9.

Reason for revert: Potential culprit for Bug b/148049462 - verifying through Forrest before revert submission

Change-Id: Ibe4fa1dee84defde324deca87d9de24a1cc2911a
2020-01-21 11:35:24 +00:00
Jeff Vander Stoep
a1aa2210a9 untrusted_app_29: add new targetSdk domain
Enforce new requirements on app with targetSdkVersion=30 including:
- No bind() on netlink route sockets.
- No RTM_GETLINK on netlink route sockets.

Remove some of the repetitive descriptions in each untrusted_app_N.te
file, and instead refer to the description in
public/untrusted_app.te.

Bug: 141455849
Test: CtsSelinuxTargetSdkCurrentTestCases
Change-Id: Iad4d142c0c13615b4710d378bc1feca4d125b6cc
2020-01-20 15:31:52 +01:00
Zimuzo Ezeozue
34a19b76ce Merge "Revert "Allow MediaProvider to host FUSE devices."" 2020-01-10 21:17:15 +00:00
Zimuzo Ezeozue
74a6730767 Revert "Allow MediaProvider to host FUSE devices."
This reverts commit b56cc6fb1f.

Reason for revert: Not necessary

Change-Id: I99d7df2435294e78b753149e20377e78c1c60d36
2020-01-08 20:54:28 +00:00
Orion Hodson
b4d7815fe4 Merge "Reland "sepolicy: rework ashmem_device permissions"" 2019-10-16 12:56:59 +00:00
Tri Vo
b554a950f4 Reland "sepolicy: rework ashmem_device permissions"
Only allow apps targetting < Q and ephemeral apps to open /dev/ashmem.
Ephemeral apps are not distinguishable based on target API. So allow
ephemeral_app to open /dev/ashmem for compatibility reasons.

For sake of simplicity, allow all domains /dev/ashmem permissions other
than "open". Reason being that once we can remove "open" access
everywhere, we can remove the device altogether along with  other
permission.

Bug: 134434505
Test: boot crosshatch; browse internet, take picture;
no ashmem_device denials

Change-Id: Ie2464c23d799550722580a21b4f6f344983b43ba
2019-10-15 22:27:28 +00:00
Orion Hodson
5527d706c7 Revert "sepolicy: rework ashmem_device permissions"
This reverts commit d9dcea570c.

Reason for revert: http://b/142742451

Change-Id: If46d6dcbb5df21bad8b6a8215d8c21c6b6733476
2019-10-15 21:16:06 +00:00
Jeff Vander Stoep
28903d9829 untrusted_app_25: remove access to net.dns properties
Bug: 33308258
Test: build
Test: atest CtsSelinuxTargetSdk25TestCases
Change-Id: I0bd3dc60dd95e9fb621933f45115a42bbcbc2ccc
2019-10-15 21:17:29 +02:00
Tri Vo
d9dcea570c sepolicy: rework ashmem_device permissions
Only allow apps targetting < Q and ephemeral apps to open /dev/ashmem.
Ephemeral apps are not distinguishable based on target API. So allow
ephemeral_app to open /dev/ashmem for compatibility reasons.

For sake of simplicity, allow all domains /dev/ashmem permissions other
than "open". Reason being that once we can remove "open" access
everywhere, we can remove the device altogether along with  other
permission.

Bug: 134434505
Test: boot crosshatch; browse internet, take picture;
no ashmem_device denials
Change-Id: Ib4dddc47fcafb2697795538cdf055f305fa77799
2019-10-07 14:13:35 -07:00
Jiyong Park
e95c704b6f Access to HALs from untrusted apps is blacklist-based
Before this change, access to HALs from untrusted apps was prohibited
except for the whitelisted ones like the gralloc HAL, the renderscript
HAL, etc. As a result, any HAL that is added by partners can't be
accessed from apps. This sometimes is a big restriction for them when
they want to access their own HALs in the same-process HALs running in
apps. Although this is a vendor-to-vendor communication and thus is not
a Treble violation, that was not allowed because their HALs are not in
the whitelist in AOSP.

This change fixes the problem by doing the access control in the
opposite way; access to HALs are restricted only for the blacklisted
ones.

All the hwservice context that were not in the whitelist are now put
to blacklist.

This change also removes the neverallow rule for the binder access to
the halserverdomain types. This is not needed as the protected
hwservices living in the HAL processes are already not accessible; we
have a neverallow rule for preventing hwservice_manager from finding
those protected hwservices from untrusted apps.

Bug: 139645938
Test: m

Merged-In: I1e63c11143f56217eeec05e2288ae7c91e5fe585
(cherry picked from commit 580375c923)

Change-Id: I4e611091a315ca90e3c181f77dd6a5f61d3a6468
2019-09-06 14:10:38 +09:00
Steven Moreland
b27a746f50 Merge "Remove vintf_service."
am: cacefc6a78

Change-Id: Id30138a0955dc7883d83daa2b655a06efebcaaf7
2019-08-28 19:15:40 -07:00
Steven Moreland
4bb0a9802a Remove vintf_service.
The only distinction that matters for security is if a service is
served by vendor or not AND which process is allowed to talk to which.

coredomain is allowed to talk to vintf_service OR vendor_service, it's
just that for a non-@VintfStability service user-defined APIs (as
opposed to pingBinder/dump) are restricted.

Bug: 136027762
Test: N/A
Change-Id: If3b047d65ed65e9ee7f9dc69a21b7e23813a7789
2019-08-28 11:32:25 -07:00
Steven Moreland
88fedc2159 Merge "Reland "Re-open /dev/binder access to all.""
am: aa6793febd

Change-Id: I34360631751c98aab0c34fff9bdcdbae02c52297
2019-08-22 16:15:59 -07:00
Steven Moreland
aa6793febd Merge "Reland "Re-open /dev/binder access to all."" 2019-08-22 22:55:04 +00:00
Tri Vo
b5a4640f65 selinux: remove sysfs_mac_address
am: f1e71dc75c

Change-Id: I0bed37692eed895d8bad9af9ea4e507a6dc4f50f
2019-08-22 03:14:30 -07:00
Tri Vo
f1e71dc75c selinux: remove sysfs_mac_address
Nothing is actually labeled as 'sysfs_mac_address'.

Bug: 137816564
Test: m selinux_policy
Change-Id: I2d7e71ecb3a2b4ed76c13eb05ecac3064c1bc469
2019-08-21 13:07:09 -07:00
Maciej enczykowski
8f5e8e5b82 Do not allow untrusted apps to read sysfs_net files
am: 804d99ac76

Change-Id: I9be056dbdc7146857737bb6847fe51b90702a874
2019-08-20 23:25:28 -07:00
Maciej Żenczykowski
804d99ac76 Do not allow untrusted apps to read sysfs_net files
(this includes /sys/class/net/*/address device mac addresses)

Test: builds
Bug: 137816564
Change-Id: I84268b2e0207559ed00baafb8a3f231c676f8df1
Signed-off-by: Maciej Żenczykowski <maze@google.com>
2019-08-20 16:09:46 -07:00
Steven Moreland
b75b047f44 Reland "Re-open /dev/binder access to all."
This reverts commit 6b2eaade82.

Reason for revert: reland original CL

Separate runtime infrastructure now makes sure that only Stable AIDL
interfaces are used system<->vendor.

Bug: 136027762
Change-Id: Id5ba44c36a724e2721617de721f7cffbd3b1d7b6
Test: boot device, use /dev/binder from vendor
2019-08-20 16:03:37 -07:00
Steven Moreland
db28fe2381 Revert "Re-open /dev/binder access to all."
am: 6b2eaade82

Change-Id: Ic2d53641d0cebee31be81307d7a31809fa326f2d
2019-08-20 15:55:40 -07:00
Steven Moreland
6b2eaade82 Revert "Re-open /dev/binder access to all."
This reverts commit 94ff361501.

Fix: 139759536
Test: marlin build fixed

Change-Id: I3ea2e29896722a80b22f09c405be205ffb7de6b2
2019-08-20 22:39:43 +00:00
Steven Moreland
169bfcfe88 Merge changes Icdf207c5,I20aa48ef
am: 30a06d278f

Change-Id: Ia505b1539cfd64bb93c2f5fe0dbd0603df5e9f5f
2019-08-20 13:41:45 -07:00
Steven Moreland
94ff361501 Re-open /dev/binder access to all.
Separate runtime infrastructure now makes sure that only Stable AIDL
interfaces are used system<->vendor.

Bug: 136027762
Test: boot device, use /dev/binder from vendor
Change-Id: Icdf207c5d5a4ef769c0ca6582dc58306f65be67e
2019-08-20 00:03:34 +00:00
Zim
cf289bc411 Allow MediaProvider to host FUSE devices.
am: b56cc6fb1f

Change-Id: Id6909432f50669e4450e6c9fa9de8cc1a8164b08
2019-08-07 19:28:53 -07:00
Zim
b56cc6fb1f Allow MediaProvider to host FUSE devices.
This change is part of enabling upcoming platform changes that are
described in the bug linked below.

Bug: 135341433
Test: m
Change-Id: I6ef499b0d5aa403f8eb6699649a201d8cc004bc5
2019-08-07 19:00:15 +01:00
Pawin Vongmasa
e7e6fffb86 Merge "Properly define hal_codec2 and related policies" into qt-dev
am: cf48bfd082

Change-Id: I974ad8ddfa1c1ec9bacc120e6f892ed0e760df57
2019-05-24 00:33:45 -07:00
Pawin Vongmasa
609c243dd0 Properly define hal_codec2 and related policies
Test: make cts -j123 && cts-tradefed run cts-dev -m \
CtsMediaTestCases --compatibility:module-arg \
CtsMediaTestCases:include-annotation:\
android.platform.test.annotations.RequiresDevice

Bug: 131677974
Change-Id: I59c3d225499a8c53c2ed9f3bd677ff3d7423990b
2019-05-23 03:53:47 -07:00
Marco Nelissen
52bcfdf5a0 Merge "Remove unneeded permissions" into qt-dev
am: 2b34e6ad9f

Change-Id: I74362a13fe68a37f30fafe53e606b8eb99e812e9
2019-05-09 23:10:28 -07:00
Marco Nelissen
ba258f0ec0 Remove unneeded permissions
Media component update service is removed, so selinux
permissions for it are no longer needed.

Bug: 123250010
Test: boot, play video
Change-Id: I0fec6839f5caf53d16399cb72dcdd6df327efc95
2019-05-09 22:19:33 +00:00
Steven Moreland
68b6f805c9 Use explicit whitelist for HIDL app neverallows.
There were three separate neverallows here. Simplifying it to one
with only a small number of exceptions.

Bug: 131177459
Bug: 37226359
Test: m sepolicy (checks neverallows)

Change-Id: I93045c9f698f28675c634643a827a1cd513f215e
2019-04-29 13:11:38 -07:00
Tri Vo
8eff3e23d8 Deprecate /mnt/sdcard -> /storage/self/primary symlink.
"This symlink was suppose to have been removed in the Gingerbread
time frame, but lives on."
https://android.googlesource.com/platform/system/core/+/d2f0a2c%5E!/

Apps targeting R+ must NOT use that symlink.

For older apps we allow core init.rc to create
/mnt/sdcard -> /storage/self/primary symlink.

Bug: 129497117
Test: boot device, /mnt/sdcard still around.
Change-Id: I6ecd1928c0f598792d9badbf6616e3acc0450b0d
2019-04-12 03:15:52 +00:00
Tri Vo
19200ae354 ephemeral_app: restore /dev/ashmem open permissions
ephemeral_app domain doesn't distinguish between apps that target Q vs
ones target pre-Q. Restore ashmem permissions for older apps.

Bug: 130054503
Test: start com.nextlatam.augmentedfaces instant app
Change-Id: I490323cce96d69e561fc808426a9dfba2aeac30f
Merged-In: I490323cce96d69e561fc808426a9dfba2aeac30f
(cherry picked from commit 0da2ecda62)
2019-04-09 14:18:18 -07:00
Tri Vo
0da2ecda62 ephemeral_app: restore /dev/ashmem open permissions
ephemeral_app domain doesn't distinguish between apps that target Q vs
ones target pre-Q. Restore ashmem permissions for older apps.

Bug: 130054503
Test: start com.nextlatam.augmentedfaces instant app
Change-Id: I490323cce96d69e561fc808426a9dfba2aeac30f
2019-04-09 11:53:53 -07:00
Tri Vo
8b12ff5f21 Neverallow app open access to /dev/ashmem
Apps are no longer allowed open access to /dev/ashmem, unless they
target API level < Q.

Bug: 113362644
Test: device boots, Chrome, instant apps work
Change-Id: I1cff08f26159fbf48a42afa7cfa08eafa1936f42
2019-02-27 21:17:25 +00:00
Tri Vo
877fe9dea6 audit apps opening /dev/ashmem
Bug: 113362644
Test: boot device
Test: use Chrome app, no audit logs
Change-Id: I6c78c7ac258a4ea90d501a152b5c9e7851afcf08
2019-02-21 11:43:20 -08:00
Tri Vo
73d0a67b06 sepolicy for ashmemd
all_untrusted_apps apart from untrusted_app_{25, 27} and mediaprovider
are now expected to go to ashmemd for /dev/ashmem fds.

Give coredomain access to ashmemd, because ashmemd is the default way
for coredomain to get a /dev/ashmem fd.

Bug: 113362644
Test: device boots, ashmemd running
Test: Chrome app works
Test: "lsof /system/lib64/libashmemd_client.so" shows
libashmemd_client.so being loaded into apps.
Change-Id: I279448c3104c5d08a1fefe31730488924ce1b37a
2019-02-05 21:38:14 +00:00
Jeff Vander Stoep
0ac2eece90 Neverallow executable files and symlink following
Test: build
Change-Id: Iec30d8a7642c34f12571c5654914ddbdc3d8355e
2019-02-04 18:38:05 +00:00
Jiwen 'Steve' Cai
e17b293528 Allow app to conntect to BufferHub service
Bug: 112940221
Test: AHardwareBufferTest
Change-Id: I1fd065844e03c7e079dc40b7f7dbb8968f1b00bc
2019-01-14 10:49:35 -08:00
Nick Kralevich
fb66c6f81b rename rs_data_file to app_exec_data_file
There are multiple trusted system components which may be responsible
for creating executable code within an application's home directory.
Renderscript is just one of those trusted components.

Generalize rs_data_file to app_exec_data_file. This label is intended to
be used for any executable code created by trusted components placed
into an application's home directory.

Introduce a typealias statement to ensure files with the previous label
continue to be understood by policy.

This change is effectively a no-op, as it just renames a type, but
neither adds or removes any rules.

Bug: 121375718
Bug: 112357170
Test: cts-tradefed run cts-dev -m CtsRenderscriptTestCases
Change-Id: I17dca5e3e8a1237eb236761862174744fb2196c0
2019-01-11 20:07:20 +00:00
Siarhei Vishniakou
41a871ba84 Permissions for InputClassifier HAL
Add the required permissions for the InputClassifier HAL.

Bug: 62940136
Test: no selinux denials in logcat when HAL is used inside input flinger.
Change-Id: Ibc9b115a83719421d56ecb4bca2fd196ec71fd76
2019-01-11 02:08:19 +00:00
Nick Kralevich
65a89c1b2b Revert "remove app_data_file execute"
This reverts commit b362474374.

Reason for revert:

android.jvmti.cts.JvmtiHostTest1906#testJvmti unittest failures.

Bug: 121333210
Bug: 112357170
Change-Id: I6e68855abaaaa1e9248265a468712fa8d70ffa74
Test: compiles and boots
2018-12-21 10:03:50 -08:00
Nick Kralevich
b362474374 remove app_data_file execute
Remove the ability for applications to dlopen() executable code from
their home directory for newer API versions. API versions <= 28 are
uneffected by this change.

Bug: 112357170
Test: cts-tradefed run cts -m CtsRenderscriptTestCases
Change-Id: I1d7f3a1015d54b8610d1c561f38a1a3c2bcf79e4
2018-12-12 13:20:39 -08:00
Nick Kralevich
0eb0a16fbd bless app created renderscript files
When an app uses renderscript to compile a Script instance,
renderscript compiles and links the script using /system/bin/bcc and
/system/bin/ld.mc, then places the resulting shared library into the
application's code_cache directory. The application then dlopen()s the
resulting shared library.

Currently, this executable code is writable to the application. This
violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which
requires any executable code be immutable.

This change introduces a new label "rs_data_file". Files created by
/system/bin/bcc and /system/bin/ld.mc in the application's home
directory assume this label. This allows us to differentiate in
security policy between app created files, and files created by
renderscript on behalf of the application.

Apps are allowed to delete these files, but cannot create or write these
files. This is enforced through a neverallow compile time assertion.

Several exceptions are added to Treble neverallow assertions to support
this functionality. However, because renderscript was previously invoked
from an application context, this is not a Treble separation regression.

This change is needed to support blocking dlopen() for non-renderscript
/data/data files, which will be submitted in a followup change.

Bug: 112357170
Test: cts-tradefed run cts -m CtsRenderscriptTestCases
Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
2018-12-12 13:20:22 -08:00
Benjamin Schwartz
e7040eada0 Add power.stats HAL 1.0 sepolicy
Also giving statsd permission to access it. This change copies the internal sepolicy to AOSP.

Bug: 111185513
Bug: 120551881
Test: make
Change-Id: I7e0386777e05580299caf9b97cb7804459f1a9d0
2018-12-11 00:11:08 +00:00
Dan Austin
55d9096652 SEPolicy changes to allow kcov access in userdebug.
This includes the SELinux policy changes to allow for
kcov access in userdebug builds for coverage-guided
kernel fuzzing.

Bug: 117990869

Test: Ran syzkaller with Android untrusted_app sandbox with coverage.
Change-Id: I1fcaad447c7cdc2a3360383b5dcd76e8a0f93f09
2018-11-30 10:56:29 -08:00
David Brazdil
535c5d2be0 Remove 'dex2oat_exec' from untrusted_app
Remove the permission to execute dex2oat from apps targetSdkVersion>28.
This has been historically used by ART to compile secondary dex files
but that functionality has been removed in Q and the permission is
therefore not needed.

Some legacy apps do invoke dex2oat directly. Hence allow (with audit) for
targetSdkVersion<= 28.

Test: atest CtsSelinuxTargetSdk25TestCases
Test: atest CtsSelinuxTargetSdk27TestCases
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Bug: 117606664
Change-Id: I2ea9cd56861fcf280cab388a251aa53e618160e5
2018-11-19 23:47:39 +00:00
Nick Kralevich
a194d3757a Tighten up handling of new classes
1b1d133be5 added the process2 class but
forgot to suppress SELinux denials associated with these permissions
for the su domain. Suppress them.

Ensure xdp_socket is in socket_class_set, so the existing dontaudit rule
in su.te is relevant. Inspired by
66a337eec6

Add xdp_socket to various other neverallow rules.

Test: policy compiles.
Change-Id: If5422ecfa0cc864a51dd69559a51d759e078c8e7
2018-11-16 03:10:14 -08:00