Commit graph

108 commits

Author SHA1 Message Date
Nikita Ioffe
89d43a51ba Allow priv_app to search apex_data_file and read staging_data_file
This changes are necessary to make files under /data/apex/active
be readable by Phonesky.

Test: builds
Bug: 154635217
Change-Id: I14116f02f3d3f0a8390f1d968a3971f15bd4b3f2
2020-04-22 00:05:07 +01:00
Florian Mayer
856391e9eb Refactor sepolicy to support central mode on user.
Functionally this is a no-op change.

This is a cherry-pick of 356b98d552.

Bug: 152976928
Change-Id: If4c0c6c74e60cc84f4adedfd430b385795cd15eb
Merged-In: If4c0c6c74e60cc84f4adedfd430b385795cd15eb
2020-04-06 19:40:55 +01:00
Nikita Ioffe
3bd53a9cee Add userspace_reboot_test_prop
This property type represents properties used in CTS tests of userspace
reboot. For example, test.userspace_reboot.requested property which is
used to check that userspace reboot was successful and didn't result in
full reboot, e.g.:
* before test setprop test.userspace_reboot.requested 1
* adb reboot userspace
* wait for boot to complete
* verify that value of test.userspace_reboot.requested is still 1

Test: adb shell setprop test.userspace_reboot.requested 1
Bug: 150901232
Change-Id: I45d187f386149cec08318ea8545ab864b5810ca8
2020-03-16 11:17:12 +00:00
Ryan Savitski
cfd767180d traced_perf sepolicy tweaks
* allow shell to enable/disable the daemon via a sysprop
* don't audit signals, as some denials are expected
* exclude zygote from the profileable set of targets on debug builds.
  I've not caught any crashes in practice, but believe there's a
  possibility that the zygote forks while holding a non-whitelisted fd
  due to the signal handler.

Bug: 144281346
Merged-In: Ib237d4edfb40b200a3bd52e6341f13c4777de3f1
Change-Id: Ib237d4edfb40b200a3bd52e6341f13c4777de3f1
(cherry picked from commit 008465e5ec)
2020-02-28 15:04:43 +00:00
Igor Murashkin
e39f8d23ed sepolicy: policies for iorap.inode2filename
binary transitions are as follows:

iorapd (fork/exec) -> iorap.cmd.compiler (fork/exec) -> iorap.inode2filename

Bug: 117840092
Test: adb shell cmd jobscheduler run -f android 28367305
Change-Id: I4249fcd37d2c8cbdd0ae1a0505983cce9c7fa7c6
2020-02-20 16:38:17 -08:00
Kiyoung Kim
dc34050e17 Remove sys.linker property
sys.linker property was defined to enable / disable generate linker
configuration, but the property has been removed. Remove sys.linker
property definition as it is no longer in use

Bug: 149335054
Test: m -j passed && cuttlefish worked without sepolicy error
Change-Id: Iacb2d561317d0920f93104717ce4f4bb424cc095
Merged-In: Iacb2d561317d0920f93104717ce4f4bb424cc095
2020-02-19 10:16:06 +09:00
David Stevens
3942fe1682 selinux policy for buffer queue config
Test: boot and check for no policy violations

Change-Id: I1ea2a79b9a45b503dcb061c196c5af1d0ddab653
2020-02-13 20:11:47 +09:00
Nikita Ioffe
44f5ffca15 Add userspace_reboot_log_prop
This properties are used to compute UserspaceRebootAtom and are going to
be written by system_server. Also removed now unused
userspace_reboot_prop.

Test: builds
Bug: 148767783
Change-Id: Iee44b4ca9f5d3913ac71b2ac6959c232f060f0ed
2020-02-07 01:57:55 +00:00
Jeffrey Vander Stoep
9788ca1738 Merge "net_dns_prop: neverallow most access" 2020-02-06 12:16:22 +00:00
Jeff Vander Stoep
5afd6d788c net_dns_prop: neverallow most access
Prepare for these properties to be completely removed.

Bug: 33308258
Test: build
Change-Id: Ie22918247db1d6e85a36e0df958916b6752629d0
2020-02-05 09:55:30 +01:00
Oli Lan
335d704c77 Add sepolicy rules to allow apexd to perform snapshot and restore.
This adds rules required for apexd to perform snapshot and restore
of the new apex data directories.

See go/apex-data-directories for more information on the feature.

See the chain of CLs up to ag/10169468 for the implementation of
snapshot and restore.

Bug: 141148175
Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeSys
Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeUser
Test: atest StagedRollbackTest#testRollbackApexDataDirectories_Ce
Change-Id: I1756bbc1d80cad7cf9c2cebcee9bee6bc261728c
2020-01-27 18:21:29 +00:00
Ryan Savitski
845569e2e5 debug builds: allow perf profiling of most domains
As with heapprofd, it's useful to profile the platform itself on debug
builds (compared to just apps on "user" builds).

Bug: 137092007
Change-Id: I8630c20e0da9c67e4927496802a4cd9cacbeb81a
2020-01-22 22:04:02 +00:00
Ryan Savitski
67a82481f8 initial policy for traced_perf daemon (perf profiler)
The steps involved in setting up profiling and stack unwinding are
described in detail at go/perfetto-perf-android.

To summarize the interesting case: the daemon uses cpu-wide
perf_event_open, with userspace stack and register sampling on. For each
sample, it identifies whether the process is profileable, and obtains
the FDs for /proc/[pid]/{maps,mem} using a dedicated RT signal (with the
bionic signal handler handing over the FDs over a dedicated socket). It
then uses libunwindstack to unwind & symbolize the stacks, sending the
results to the central tracing daemon (traced).

This patch covers the app profiling use-cases. Splitting out the
"profile most things on debug builds" into a separate patch for easier
review.

Most of the exceptions in domain.te & coredomain.te come from the
"vendor_file_type" allow-rule. We want a subset of that (effectively all
libraries/executables), but I believe that in practice it's hard to use
just the specific subtypes, and we're better off allowing access to all
vendor_file_type files.

Bug: 137092007
Change-Id: I4aa482cfb3f9fb2fabf02e1dff92e2b5ce121a47
2020-01-22 22:04:01 +00:00
Nikita Ioffe
32e7ea0096 Allow apps to read ro.init.userspace_reboot.is_supported
This property essentially implements
PowerManager.isRebootingUserspaceSupported[0] public API, hence apps
should be able to read it.

[0]: 73cab34d9f:core/java/android/os/PowerManager.java;l=1397

Test: m checkbuild
Test: atest CtsUserspaceRebootHostSideTestCases
Test: adb shell getprop ro.init.userspace_reboot.is_supported
Bug: 135984674
Change-Id: I09cab09735760529de81eb6d5306f052ee408a6e
2020-01-14 12:39:23 +00:00
Anton Hansson
b84133555a Rename sdkext sepolicy to sdkextensions
The module is getting renamed, so rename all the policy
relating to it at the same time.

Bug: 137191822
Test: presubmit
Change-Id: Ia9d966ca9884ce068bd96cf5734e4a459158c85b
Merged-In: Ia9d966ca9884ce068bd96cf5734e4a459158c85b
(cherry picked from commit 6505573c36)
2020-01-08 11:41:18 +00:00
Robin Lee
cbfe879fe6 vendor_init can set config.disable_cameraservice
This had been settable by vendors up to and including Q release by
making config_prop avendor_init writeable. We don't allow this any
more. This should be a real vendor settable property now.

Bug: 143755062
Test: adb logcat -b all | grep cameraservice
Test: atest CtsCameraTestCases
Change-Id: Id583e899a906da8a8e8d71391ff2159a9510a630
2020-01-07 06:57:42 +00:00
Ricky Wai
5b1b423039 Allow Zygote and Installd to remount directories in /data/data
Zygote/Installd now can do the following operations in app data directory:
- Mount on it
- Create directories in it
- Mount directory for each app data, and get/set attributes

Bug: 143937733
Test: No denials at boot
Test: No denials seen when creating mounts
Change-Id: I6e852a5f5182f1abcb3136a3b23ccea69c3328db
2019-12-13 12:30:26 +00:00
Anton Hansson
e822545909 Add sepolicy for sdkext module prop
Add a domain for derive_sdk which is allowed to set
persist.com.android.sdkext.sdk_info, readable by all
apps (but should only be read by the BCP).

Bug: 137191822
Test: run derive_sdk, getprop persist.com.android.sdkext.sdk_info
Change-Id: I389116f45faad11fa5baa8d617dda30fb9acec7a
2019-12-05 14:11:50 +00:00
Ashwini Oruganti
8f079fb0e2 Merge "Create a separate SELinux domain for gmscore" 2019-11-25 16:59:10 +00:00
Ashwini Oruganti
c46a7bc759 Create a separate SELinux domain for gmscore
This change creates a gmscore_app domain for gmscore. The domain is
currently in permissive mode (for userdebug and eng builds), while we
observe the SELinux denials generated and update the gmscore_app rules
accordingly.

Bug: 142672293
Test: Flashed a device with this build and verified
com.google.android.gms runs in the gmscore_app domain. Tested different
flows on the Play Store app, e.g., create a new account, log in, update
an app, etc. and verified no new denials were generated.
Change-Id: Ie5cb2026f1427a21f25fde7e5bd00d82e859f9f3
2019-11-22 10:39:19 -08:00
Nikita Ioffe
7065e46b5d Add selinux rules for userspace reboot related properties
By default sys.init.userspace_reboot.* properties are internal to
/system partition. Only exception is
sys.init.userspace_reboot.in_progress which signals to all native
services (including vendor ones) that userspace reboot is happening,
hence it should be a system_public_prop.

Only init should be allowed to set userspace reboot related properties.

Bug: 135984674
Test: builds
Test: adb reboot userspace
Change-Id: Ibb04965be2d5bf6e81b34569aaaa1014ff61e0d3
2019-11-19 17:41:28 +00:00
David Anderson
74affd1403 Add fastbootd to the sys_rawio whitelist.
A similar problem was previously encountered with the boot control HAL
in bug 118011561. The HAL may need access to emmc to implement
set_active commands.

fastbootd uses the boot control HAL in passthru mode when in recovery,
so by extension, it needs this exception as well.

Bug: 140367894
Test: fastbootd can use sys_rawio
Change-Id: I1040e314a58eae8a516a2e999e9d4e2aa51786e7
2019-10-25 22:32:32 +00:00
Igor Murashkin
9f74a428c4 sepolicy: Add iorap_prefetcherd rules
/system/bin/iorapd fork+execs into /system/bin/iorap_prefetcherd during
startup

See also go/android-iorap-security for the design doc

Bug: 137403231
Change-Id: Ie8949c7927a98e0ab757bc46230c589b5a496360
2019-10-22 12:45:46 -07:00
Tao Bao
987aa96d30 install_recovery no longer needs to access /cache.
applypatch (called by install_recovery) used to back up the source
partition to /cache when installing the recovery image on non-A/B
devices. The change from the same topic drops the backup behavior.

The access to /cache was also the reason for having dac_override_allowed
(applypatch runs as root:root, while /cache is owned by system:cache
with 0770).

Bug: 68319577
Test: Invoke the code that installs recovery image; check that recovery
      is installed successfully without denials.
Change-Id: I0533ba82260d0adb23b328e6eef8bd6dda3d0439
2019-09-23 11:35:47 -07:00
Tobias Thierer
02924043e3 Merge "SEPolicy for boringssl_self_test." 2019-09-07 23:46:00 +00:00
Tobias Thierer
353ad0fd47 SEPolicy for boringssl_self_test.
This CL adds hand-written SELinux rules to:
 - define the boringssl_self_test security domain
 - label the corresponding files at type boringssl_self_test_marker
   and boringssl_self_test_exec.
 - define an automatic transition from init to boringssl_self_test
   domains, plus appropriate access permissions.

Bug: 137267623
Test: When run together with the other changes from draft CL topic
      http://aosp/q/topic:bug137267623_bsslselftest, check that:
      - both /dev/boringssl/selftest/* marker files are
        present after the device boots.
      - Test: after the boringssl_self_test{32,64} binaries have
        run, no further SELinux denials occur for processes
        trying to write the marker file.

Change-Id: I77de0bccdd8c1e22c354d8ea146e363f4af7e36f
2019-09-05 02:40:57 +01:00
Kiyoung Kim
039549102c Merge changes from topic "use_generated_linkerconfig"
am: aff00188eb

Change-Id: I82225595e27aee8677c94d6a713d6ef5a195e2d7
2019-08-14 02:47:24 -07:00
Kiyoung Kim
98d2042b00 Add more permission for linkerconfig
am: 70e931caba

Change-Id: I734adf5a17214c895a3799cf04bdabb8dbf53039
2019-08-14 02:47:20 -07:00
Kiyoung Kim
82c87ede24 Define sepolicy with property for linker
To support linker-specific property, sys.linker.* has been defined as
linker_prop. This will have get_prop access from domain so all binaries
can start with linker using proper property access level.

Bug: 138920271
Test: m -j && Confirmed from cuttlefish that get_prop errors are no longer found
Change-Id: Iaf584e0cbdd5bca3d5667e93cf9a6401e757a314
2019-08-14 12:35:15 +09:00
Kiyoung Kim
70e931caba Add more permission for linkerconfig
Additional permission is required for linkerconfig from domain to get
access to ld.config.txt file from linker. This change allows linker to
get /dev/linkerconfig/ld.config.txt

Bug: 138920271
Test: m -j && confirmed from cuttlefish
Change-Id: Id130a072add8ae82840b0b4d9e997e146f502124
2019-08-08 17:18:21 +09:00
Elliott Hughes
509135ac69 Merge "Remove perfprofd references."
am: c807b3fd8a

Change-Id: I90501f397c29847e2e497f10515571fa10f9d992
2019-07-23 17:10:33 -07:00
Elliott Hughes
132b081ee3 Remove perfprofd references.
perfprofd was never finished, and has been removed.

Test: treehugger
Change-Id: I4fc8aa9b737360a66d89c5be39651284ee2d6ffd
2019-07-19 11:15:12 -07:00
Kiyoung Kim
fa21eb75f7 Merge "Add linker config generator and output file to sepolicy"
am: 8231ac82e5

Change-Id: I266798bc918e0bc2cf7db54d456431428eba872b
2019-07-15 17:39:47 -07:00
Kiyoung Kim
affa6f323c Add linker config generator and output file to sepolicy
Sepolicy for linkerconfig generator and ld.config.txt file from
generator

Bug: 135004088
Test: m -j & tested from device
Change-Id: I2ea7653a33996dde67a84a2e7a0efa660886434a
2019-07-12 12:32:19 +09:00
Andrew Sapperstein
41ca891c57 Merge "Revert "Revert "Allow rule to let settings access apex files""" am: 6eaf8a2d62
am: 48353bf0af

Change-Id: I91b9edc07fbc1cbefae611017c409a9bfd27bf0e
2019-06-28 09:30:18 -07:00
Cosmo Hsieh
7f1dd65024 Merge "Revert "Allow rule to let settings access apex files"" am: 71e1c36956
am: be678acc85

Change-Id: I29ea36768d5b129777eb41cd3275f25b14f8edf0
2019-06-28 09:16:02 -07:00
Andrew Sapperstein
9b6ad1d5b0 Merge "Allow rule to let settings access apex files" am: bfe6fdedba
am: f7c9b8a1fc

Change-Id: Ie8a88d458f234477d2311a6a8f0f9fde3533de5c
2019-06-28 09:03:26 -07:00
Andrew Sapperstein
544a9b1c51 Revert "Revert "Allow rule to let settings access apex files""
This reverts commit e47d2365a8.

Reason for revert: Original CL was not the cause of the breakage. It went green before this revert landed. https://android-build.googleplex.com/builds/branches/aosp-master/grid?

Original CL went in 5695273.
Went green in 5695399.
Revert went in 5695588.

Change-Id: Ie4d7065fe7d3c58cdff99c2b7d76b50b941895bb
2019-06-28 15:28:28 +00:00
Cosmo Hsieh
e47d2365a8 Revert "Allow rule to let settings access apex files"
This reverts commit 0c0ba46192.

Reason for revert: <Broken build 5695273 on aosp-master on aosp_x86_64-eng>

Change-Id: I763f19aa5b72f2e1aaebbc78bb8ab3020c3d2a7b
2019-06-28 09:51:28 +00:00
Todd Kennedy
0c0ba46192 Allow rule to let settings access apex files
In order to show licensing information, we need to read it from
an asset stored in the .apex file.

Bug: 135183006
Test: Manual; settings can access apex files stored on /data
Change-Id: I71fbde6e295d9c890c9b9b0449e5150834a6680e
2019-06-27 18:34:25 +00:00
Narayan Kamath
0574e4cdab sepolicy: Add policy for migrate_legacy_obb_data.sh
.. and let installd execute it. Required to migrate legacy obb contents

Bug: 129167772
Test: make

Change-Id: I35d35016680379e3a9363408704ee890a78a9748
2019-05-23 17:26:08 +01:00
David Anderson
6557d87b0f Add sepolicy for installing GSIs to external storage.
To install GSIs on external storage (such as sdcards), gsid needs some
additional privileges:
 - proc_cmdline and device-tree access to call ReadDefaultFstab().
   This is ultimately used to check whether system's dm-verity has
   check_at_most_once enabled, which is disallowed with sdcards.
 - vfat read/write access to write files to the sdcard. Note that
   adopted sdcards are not supported here.
 - read access to the sdcard block device. To enable this without
   providing access to vold_block_device, a new sdcard_block_device
   label was added. Devices must apply this label appropriately to
   enable gsid access.
 - FIBMAP access for VFAT filesystems, as they do not support FIEMAP.
   This only appears to work by granting SYS_RAWIO.

Bug: 126230649
Test: adb shell su root gsi_tool install --install_dir=/mnt/media_rw/...
      works without setenforce 0

Change-Id: I88d8d83e5f61d4c0490f912f226fe1fe38cd60ab
2019-03-27 17:12:51 -07:00
Victor Hsieh
3d4ee1dba5 Move fs-verity key loading into fsverity_init domain
fsverity_init is a new shell script that uses mini-keyctl for the actual
key loading.  Given the plan to implement keyctl in toybox, we label
mini-keyctl as u:object_r:toolbox_exec:s0.

This gives us two benefits:
 - Better compatibility to keyctl(1), which doesn't have "dadd"
 - Pave the way to specify key's security labels, since keyctl(1)
   doesn't support, and we want to avoid adding incompatible option.

Test: Boot without SELinux denial
Test: After boot, see the key in /product loaded
Bug: 128607724
Change-Id: Iebd7c9b3c7aa99ad56f74f557700fd85ec58e9d0
2019-03-27 16:31:01 +00:00
Florian Mayer
e922aa38bf Give heapprofd dac_read_search on userdebug.
This is needed because some oat dex files are generated without world
readable permissions. See the bug for details.

We are still constrained by the SELinux rules above.

Bug: 129048073

Change-Id: I84e34f83ceb299ff16b29a78f16c620fc0aa5d68
2019-03-21 17:22:09 +00:00
Andreas Gampe
d6fdcefaa8 Sepolicy: Move otapreopt_chroot to private
Move complete domain to private/. Move referencing parts in domain
and kernel to private.

Bug: 128840749
Test: m
Change-Id: I5572c3b04e41141c8f4db62b1361e2b392a5e2da
2019-03-18 10:54:42 -07:00
Andreas Gampe
59d5d90da8 Sepolicy: Allow everyone to search keyrings
Allow everyone to look for keys in the fsverity keyring. This is
required to access fsverity-protected files, at all.

This set of permissions is analogous to allowances for the fscrypt
keyring and keys.

Bug: 125474642
Test: m
Test: manual
Change-Id: I6e8c13272cdd76d9940d950e9dabecdb210691b1
2019-03-14 13:21:07 -07:00
Andreas Gampe
1845b406fc Sepolicy: ART APEX boot integrity
Add ART boot integrity check domain. Give it rights to run
fsverity and delete boot classpath artifacts.

Bug 125474642
Test: m
Test: boot
Change-Id: I933add9b1895ed85c43ec712ced6ffe8f820c7ec
2019-03-12 22:26:17 -07:00
Florian Mayer
315d8bfa15 Allow profilable domains to use heapprofd fd and tmpfs.
This is needed to allow to communicate over shared memory.

Bug: 126724929

Change-Id: I73e69ae3679cd50124ab48121e259fd164176ed3
2019-03-04 12:05:35 +00:00
Suren Baghdasaryan
6155b2fd11 sepolicy for vendor cgroups.json and task_profiles.json files
Vendors should be able to specify additional cgroups and task profiles
without changing system files. Add access rules for /vendor/etc/cgroups.json
and /vendor/etc/task_profiles.json files which will augment cgroups and
task profiles specified in /etc/cgroups.json and /etc/task_profiles.json
system files. As with system files /vendor/etc/cgroups.json is readable
only by init process. task_profiles.json is readable by any process that
uses cgroups.

Bug: 124960615
Change-Id: I12fcff0159b4e7935ce15cc19ae36230da0524fc
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-03-01 00:32:15 +00:00
Andreas Gampe
4c2d06c458 Sepolicy: Add base runtime APEX postinstall policies
Add art_apex_postinstall domain that is allowed to move
precreated AoT artifacts from /data/ota.

Bug: 125474642
Test: m
Change-Id: Id674e202737155a4ee31187f096d1dd655001fdd
2019-02-28 09:24:17 -08:00