It appears that selinux requires the write permission to receive
a writable pipe from dumpstate, for unclear reasons. Add the permission
for now.
Bug: http://b/62297059
Test: dumpstate
Change-Id: I0f25682177115aacd5c2203ddc0008228b0380ad
Specify per-service rules for PDX transport. It is now possible to
grant permissions to individual services provided by a process,
rather than to all services of that process.
Also adds tighter control over which permissions are required of the
client and the server for individual components of IPC (endpoints,
channels, etc.).
Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
Merged-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
Specify per-service rules for PDX transport. It is now possible to
grant permissions to individual services provided by a process,
rather than to all services of that process.
Also adds tighter control over which permissions are required of the
client and the server for individual components of IPC (endpoints,
channels, etc.).
Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
This is needed by the linker to be able to load libraries from memfd,
which currently generates the following denial:
avc: denied { getattr } for path=2F6D656D66643A666F6F626172202864656C6574656429 dev="tmpfs" ino=902079 scontext=u:r:shell:s0 tcontext=u:object_r:shell_tmpfs:s0 tclass=file permissive=0
Bug: http://b/37245203
Bug: http://b/37916741
Test: builds
Change-Id: I5b57b6cada50a62657c8daaaaaa56f1ee9cdb376
(cherry picked from commit a0d3ff8edd)
This is needed by the linker to be able to load libraries from memfd,
which currently generates the following denial:
avc: denied { getattr } for path=2F6D656D66643A666F6F626172202864656C6574656429 dev="tmpfs" ino=902079 scontext=u:r:shell:s0 tcontext=u:object_r:shell_tmpfs:s0 tclass=file permissive=0
Bug: http://b/37245203
Bug: http://b/37916741
Test: builds
Change-Id: I5b57b6cada50a62657c8daaaaaa56f1ee9cdb376
This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.
Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
record video (slow motion and normal), and check that photos
look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
and that disconnecting the call from either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
make and install CtsMediaTestCases.apk
adb shell am instrument -e size small \
-w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
fingerprint
Test: Apply OTA update:
Make some visible change, e.g., rename Settings app.
make otatools && \
make dist
Ensure device has network connectivity
ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494f1)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
This unbreaks user builds broken by recently landed changes to secilc
which is now aggressively removing attributes which aren't used in
allow rules, even when they are used in other places, such as being
referenced from *_contexts files.
User builds are broken by vndservice_manager_type not being found when
checkfc is run for *vndservice_contexts targets.
Test: On a clean user build: mmma system/sepolicy
Bug: 37319524
Bug: 36508258
Change-Id: I4a1727a74122ecd9020c3831462d56a65ee6d304
This adds restrictions on which domains can register this HwBinder
service with hwservicemanager and which domains can obtain tokens for
this service from hwservicemanager.
Test: Use Google Camera app to take HDR+ photo, conventional photo,
record video with sound, record slow motion video with sound.
Check that the photos display correctly and that videos play
back fine and with sound. Check that there are no SELinux
denials to do with camera.
Bug: 34454312
Change-Id: Icfaeed917423510d9f97d18b013775596883ff64
All HALs which are represented by hal_* attributes in SELinux policy
are required to run in binderized mode on Treble devices. This commit
thus makes the SELinux policy for Treble devices no longer associate
domains in hal_x_client with hal_x attribute, which is what was
granting domains hosting clients of hal_x the rules needed to run this
HAL in-process. The result is that core components now have less
access.
This commit has no effect on non-Treble devices.
Test: Device boots -- no new denials
Test: Play movie using Google Play Movies and Netflix
Test: Play YouTube clip in YouTube app and in Chrome
Test: Unlock lock screen using fingerprint
Test: Using Google Camera, take a photo, an HDR+ photo, record a
video with sound, a slow motion video with sound. Photos and
videos display/play back fine (incl. sound).
Test: adb screencap
Test: $ monitor
take screenshot
Test: In all tests, no denials to do with hal_*, except pre-existing
denials to do with hal_gnss.
Bug: 37160141
Bug: 34274385
Bug: 34170079
Change-Id: I1ca91d43592b466114af13898f5909f41e59b521
CTS includes general_sepolicy.conf built from this project. CTS then
tests this file's neverallow rules against the policy of the device
under test. Prior to this commit, neverallow rules which must be
enforced only for Treble devices were not included in
general_sepolicy.conf. As a result, these rules were not enforced for
Treble devices.
This commit fixes the issue as follows. Because CTS includes only one
policy, the policy now contains also the rules which are only for
Treble devices. To enable CTS to distinguish rules needed for all
devices from rules needed only on Treble devices, the latter rules are
contained in sections delimited with BEGIN_TREBLE_ONLY and
END_TREBLE_ONLY comments.
This commit also removes the unnecessary sepolicy.general target. This
target is not used anywhere and is causing trouble because it is
verifying neverallows of the policy meant to be used by CTS. This
policy can no longer be verified with checkpolicy without
conditionally including or excluding Treble-only neverallows.
Test: mmm system/sepolicy
Test: Device boots -- no new denials
Bug: 37082262
Change-Id: I15172a7efd9374543ba521e17aead1bdda7451bf
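The BEGIN_TREBLE_ONLY / END_TREBLE_ONLY convention described in this commit can be consumed by a small splitter, shown here as an added example (not code from the sepolicy project or from CTS). It takes a policy source where the Treble-only neverallow rules sit between those two comment markers and returns the set of statements a given device must satisfy. The sample policy text is constructed for this example; the rule about a marker appearing inside a multi-line statement and the error handling for nested or unterminated sections are this example's own choices.

```python
"""Split an SELinux policy source into general rules and Treble-only rules."""
from typing import List, Tuple

BEGIN_MARK = 'BEGIN_TREBLE_ONLY'
END_MARK = 'END_TREBLE_ONLY'

# Constructed sample, not a real general_sepolicy.conf. Statements may span
# several lines; a statement ends at ';'.
SAMPLE_POLICY = """\
# Rules every device must satisfy.
neverallow { domain -init } kernel:process setcurrent;
# BEGIN_TREBLE_ONLY
neverallow {
  coredomain
  -binder_in_vendor_violators
} vendor_file:file execute;
neverallow hal_audio_client hal_audio_server:process ptrace;
# END_TREBLE_ONLY
neverallow domain init:process ptrace;
"""


def split_policy(text: str) -> Tuple[List[str], List[str]]:
    """Return (general, treble_only) lists of statements.

    A nested BEGIN, a stray END, a marker inside a statement or an unterminated
    section raises ValueError: a misplaced marker would silently move
    neverallows between the two sets and change what CTS enforces."""
    general: List[str] = []
    treble: List[str] = []
    in_treble = False
    pending: List[str] = []      # lines of the statement being accumulated
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith('#'):
            is_marker = BEGIN_MARK in line or END_MARK in line
            if is_marker and pending:
                raise ValueError(f'line {lineno}: marker inside a statement')
            if BEGIN_MARK in line:
                if in_treble:
                    raise ValueError(f'line {lineno}: nested {BEGIN_MARK}')
                in_treble = True
            elif END_MARK in line:
                if not in_treble:
                    raise ValueError(f'line {lineno}: {END_MARK} without {BEGIN_MARK}')
                in_treble = False
            continue                 # ordinary comments are ignored
        pending.append(line)
        if line.endswith(';'):
            (treble if in_treble else general).append(' '.join(pending))
            pending = []
    if in_treble:
        raise ValueError(f'unterminated {BEGIN_MARK} section')
    if pending:
        raise ValueError('policy ends inside a statement')
    return general, treble


def policy_for_device(text: str, full_treble: bool) -> List[str]:
    """Statements a device must satisfy: all of them on a Treble device,
    only the general ones otherwise."""
    general, treble = split_policy(text)
    return general + treble if full_treble else general


def is_well_formed(text: str) -> bool:
    """True when the marker structure of `text` is consistent."""
    try:
        split_policy(text)
        return True
    except ValueError:
        return False


if __name__ == '__main__':
    for treble in (False, True):
        print(f'full_treble={treble}:')
        for stmt in policy_for_device(SAMPLE_POLICY, treble):
            print('  ', stmt)
```

Running the block prints two statements for a non-Treble device and four for a Treble device; the strict marker checks are the point, since a missing END_TREBLE_ONLY would otherwise drag every later neverallow into the Treble-only set.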
The CL splits /vendor labeling from /system, which was allowing all
processes read and execute access to /vendor.
The following directories will remain world readable:
/vendor/etc
/vendor/lib(64)/hw/
The following are currently world readable, but their scope
will be minimized to platform processes that require access:
/vendor/app
/vendor/framework/
/vendor/overlay
Files labelled with 'same_process_hal_file' are allowed to be
read and executed by the world. This is for same-process HALs and
their dependencies.
Bug: 36527360
Bug: 36832490
Bug: 36681210
Bug: 36680116
Bug: 36690845
Bug: 36697328
Bug: 36696623
Bug: 36806861
Bug: 36656392
Bug: 36696623
Bug: 36792803
All of the tests were done on sailfish, angler, bullhead, dragon
Test: Boot and connect to wifi
Test: Run chrome and load websites, play video in youtube, load maps w/
current location, take pictures and record video in camera,
playback recorded video.
Test: Connect to BT headset and ensure BT audio playback works.
Test: OTA sideload using recovery
Test: CTS SELinuxHostTest pass
Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029
Signed-off-by: Sandeep Patil <sspatil@google.com>
This change associates all domains which are clients of Allocator HAL
with hal_allocator_client and with halclientdomain, which is required
for all HAL client domains.
This enables this commit to remove the now unnecessary hwallocator_use
macro because its binder_call(..., hal_allocator_server) is covered by
binder_call(hal_allocator_client, hal_allocator_server) added in this
commit.
Unfortunately apps, except isolated app, are clients of Allocator HAL
as well. This makes it hard to use the hal_client_domain(...,
hal_allocator) macro because it translates into "typeattribute" which
currently does not support being provided with a set of types, such as
{ appdomain -isolated_app }. As a workaround, hopefully until
typeattribute is improved, this commit expresses the necessary
association operation in CIL. private/technical_debt.cil introduced by
this commit is appended into the platform policy CIL file, thus
ensuring that the hack has effect on the final monolithic policy.
P. S. This change also removes Allocator HAL access from isolated_app.
Isolated app shouldn't have access to this HAL anyway.
Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: Id00bba6fde83e7cf04fb58bc1c353c2f66333f92
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
appdomain only, and
* temporarily exempts the domains which are currently violating this
rule from this restriction. These domains are grouped using the new
"binder_in_vendor_violators" attribute. The attribute is needed
because the types corresponding to violators are not exposed to the
public policy where the neverallow rules are.
Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
sound, record slow motion video with sound. Confirm videos play
back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
vndservicemanager is the context manager for binder services
that are solely registered and accessed from vendor processes.
Bug: 36052864
Test: vendorservicemanager runs
Merged-In: Ifbf536932678d0ff13d019635fe6347e185ef387
Change-Id: I430f1762eb83825f6cd4be939a69d46a8ddc80ff
ASAN builds may require additional permissions to launch processes
with ASAN wrappers. In this case, system_server needs permission to
execute /system/bin/sh.
Create with_asan() macro which can be used exclusively on debug
builds. Note this means that ASAN builds with these additional
permissions will not pass the security portion of CTS - like any
other debug build.
Addresses:
avc: denied { execute } for name="sh" dev="dm-0" ino=571
scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0
tclass=file
Test: lunch aosp_marlin-userdebug;
cd system/sepolicy; mm SANITIZE_TARGET=address;
Verify permissions granted using with_asan() are granted.
Test: lunch aosp_marlin-userdebug;
cd system/sepolicy; mm;
Verify permissions granted using with_asan() are not granted.
Test: lunch aosp_marlin-user;
cd system/sepolicy; mm SANITIZE_TARGET=address;
Verify permissions granted using with_asan() are not granted.
Bug: 36138508
Change-Id: I6e39ada4bacd71687a593023f16b45bc16cd7ef8
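The memfd denial quoted earlier on this page (with its path logged as a run of hex digits) and the system_server execute denial in this commit are both plain "avc: denied" audit records. Below is an added parser for that format, written for this page and not taken from the sepolicy project or from audit2allow. It assumes the kernel audit convention that untrusted string fields (path, name, comm) are emitted unquoted as hex whenever they contain a space, quote or control character, which is why "/memfd:foobar (deleted)" appears as 2F6D65...; quoted values are taken as-is. The sample lines are the two denials from this page, the second re-joined onto one line.

```python
"""Parse SELinux 'avc: denied' audit lines into structured records."""
import re
from typing import Any, Dict, Optional

# Sample input taken from the commit messages on this page; the second denial
# is re-joined onto one line as the kernel emits it.
SAMPLE_DENIALS = [
    'avc: denied { getattr } for path=2F6D656D66643A666F6F626172202864656C6574656429 '
    'dev="tmpfs" ino=902079 scontext=u:r:shell:s0 tcontext=u:object_r:shell_tmpfs:s0 '
    'tclass=file permissive=0',
    'avc: denied { execute } for name="sh" dev="dm-0" ino=571 '
    'scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0 tclass=file',
]

_AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
# key=value pairs; quoted values are literal, bare values may be hex-encoded
_FIELD_RE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')
_HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')
# Fields the audit subsystem logs as "untrusted strings" (assumption of this
# example: path, name and comm). A value containing a space, a quote or a
# control character is written unquoted as hex.
_UNTRUSTED_STRING_FIELDS = {'path', 'name', 'comm'}


def _decode_field(key: str, value: str) -> str:
    """Decode a hex-encoded untrusted string; other values pass through."""
    if key in _UNTRUSTED_STRING_FIELDS and _HEX_RE.match(value):
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    return value


def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """Return {'verdict', 'perms', <field>...} for an AVC line, or None when the
    line is not an AVC message (other audit record types, unrelated log lines)."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    record: Dict[str, Any] = {
        'verdict': m.group('verdict'),
        'perms': set(m.group('perms').split()),
    }
    for f in _FIELD_RE.finditer(m.group('rest')):
        key = f.group('key')
        if f.group('quoted') is not None:
            record[key] = f.group('quoted')           # quoted: never hex-encoded
        else:
            record[key] = _decode_field(key, f.group('bare'))
    return record


def context_type(ctx: str) -> str:
    """Type component of a security context: 'u:r:shell:s0' -> 'shell'."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def to_allow_rule(record: Dict[str, Any]) -> str:
    """The TE allow rule that would silence the denial, i.e. what audit2allow
    would print. Whether that access should be granted is a policy decision
    made from the decoded record, not something derived from the log itself."""
    perms = ' '.join(sorted(record['perms']))
    return 'allow {} {}:{} {{ {} }};'.format(
        context_type(record['scontext']), context_type(record['tcontext']),
        record['tclass'], perms)


if __name__ == '__main__':
    for line in SAMPLE_DENIALS:
        rec = parse_avc(line)
        print(rec.get('path') or rec.get('name'), '->', to_allow_rule(rec))
```

The decoder only touches bare values: a quoted `name="sh"` is left alone even though "sh" happens not to be hex, and a quoted two-letter name that does look like hex (for example "ab") is still returned literally, because the kernel never quotes a hex-encoded field.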
All previous users of this macro have been switched to
hal_server_domain macro.
Test: no hal_impl_domain in system/sepolicy/ and device/**/sepolicy
Test: mmm system/sepolicy
Bug: 34170079
Change-Id: I4a71b3fd5046c0d215b056f1cae25fe6bda0fb45
This switches Allocator HAL policy to the design which enables us to
identify all SELinux domains which host HALs and all domains which are
clients of HALs.
Allocator HAL is special in the sense that it's assumed to be always
binderized. As a result, rules in Camera HAL target hal_allocator_server
rather than hal_allocator (which would be the server and any client, if
the Allocator HAL runs in passthrough mode).
Test: Device boots up, no new denials
Test: YouTube video plays back
Test: Take photo using Google Camera app, record a video, record a slow
motion video
Bug: 34170079
Change-Id: Ifbbca554ec221712361ee6cda94c82f254d84936
This adjusts the grants for recovery to make it explicit that recovery
can use the Boot Control HAL only in passthrough mode.
Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
1. make dist
2. Ensure device has network connectivity
3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079
Change-Id: I0888816eca4d77939a55a7816e6cae9176713ee5
- compared to ro.boottime, this one does not pass time info
bug: 35178781
bug: 34274385
Test: reboot
Change-Id: I6a7bf636a3f201653e2890751d5fa210274c9ede
- hal clients checking hal_binderization prop also need to check
ro.boottime.persistent_properties.
bug: 35178781
Test: reboot
Change-Id: I413c663537dc118e0492416e3e5a2af721b18107
This removes the compile-time deprecation warning about
hal_impl_domain macro. The warning was introduced in
86e87806f5777a7fc09ea962e694442297e4f8d6. We don't want to spam all
Android platform developers about something internal to the ongoing
SELinux policy restructuring.
Test: Policy compiles without any warnings
Test: Google Play Movies plays back movies (i.e., DRM HAL works)
Bug: 34170079
Change-Id: Icbd4d1283196f7ccc84c2a041c5601113d3c9f21
This starts the switch for HAL policy to the approach where:
* domains which are clients of Foo HAL are associated with
hal_foo_client attribute,
* domains which offer the Foo HAL service over HwBinder are
associated with hal_foo_server attribute,
* policy needed by the implementation of Foo HAL service is written
against the hal_foo attribute. This policy is granted to domains
which offer the Foo HAL service over HwBinder and, if Foo HAL runs
in the so-called passthrough mode (inside the process of each
client), also granted to all domains which are clients of Foo HAL.
hal_foo is there to avoid duplicating the rules for hal_foo_client
and hal_foo_server to cover the passthrough/in-process Foo HAL and
binderized/out-of-process Foo HAL cases.
A benefit of associating all domains which are clients of Foo HAL with
hal_foo (when Foo HAL is in passthrough mode) is that this removes the
need for device-specific policy to be able to reference these domains
directly (in order to add device-specific allow rules). Instead,
device-specific policy only needs to reference hal_foo and should no
longer need to care which particular domains on the device are clients
of Foo HAL. This can be seen in simplification of the rules for
audioserver domain which is a client of Audio HAL whose policy is
being restructured in this commit.
This commit uses Audio HAL as an example to illustrate the approach.
Once this commit lands, other HALs will also be switched to this
approach.
Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20
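To see what the hal_foo_client / hal_foo_server / hal_foo split described in this commit means in terms of concrete domains, here is an added example (not AOSP code) that expands attributes in a constructed policy fragment using the Audio HAL names from the commit: it reads a small subset of TE syntax (type, attribute, typeattribute, allow with one source, target and class) and reports which domains end up holding a permission. The audio_device type, the chr_file rule and the single-implementation domain hal_audio_default are assumptions of this example. It also covers the point made in the Treble commit earlier on this page, where client domains are no longer associated with hal_x: the passthrough variant adds that association back and the helper `clients_inside_hal` flags it.

```python
"""Expand attribute-based HAL policy to see which domains hold which rules."""
import re
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed policy fragment in a subset of TE syntax. The rules written
# against hal_audio are the ones the HAL implementation itself needs.
BASE_POLICY = """
type audioserver;
type hal_audio_default;
type audio_device;
attribute hal_audio;
attribute hal_audio_client;
attribute hal_audio_server;
typeattribute audioserver hal_audio_client;
typeattribute hal_audio_default hal_audio_server, hal_audio;
allow hal_audio audio_device:chr_file { read write ioctl };
allow hal_audio_client hal_audio_server:binder call;
"""

# Passthrough mode: the HAL runs inside each client process, so the client
# domain is additionally associated with hal_audio (the non-Treble arrangement).
PASSTHROUGH_EXTRA = "typeattribute audioserver hal_audio;\n"

_STMT = re.compile(r'^(typeattribute|attribute|type|allow)\s+(.*?)\s*;$')


class Policy:
    def __init__(self, text: str) -> None:
        self.types: Set[str] = set()
        self.attrs: Dict[str, Set[str]] = {}        # attribute -> member types
        self.rules: List[Tuple[str, str, str, FrozenSet[str]]] = []
        for raw in text.splitlines():
            line = raw.split('#', 1)[0].strip()
            if not line:
                continue
            m = _STMT.match(line)
            if not m:
                raise ValueError(f'unsupported statement: {line}')
            kind, body = m.groups()
            if kind == 'type':
                self.types.add(body)
            elif kind == 'attribute':
                self.attrs.setdefault(body, set())
            elif kind == 'typeattribute':
                # TE only lets concrete types join an attribute, never attributes
                # (the limitation the Allocator HAL commit works around in CIL).
                t, *attrs = body.replace(',', ' ').split()
                if t not in self.types:
                    raise ValueError(f'unknown type {t}')
                for a in attrs:
                    if a not in self.attrs:
                        raise ValueError(f'unknown attribute {a}')
                    self.attrs[a].add(t)
            else:
                src, rest = body.split(None, 1)
                tgt, rest = rest.split(':', 1)
                cls, perms = rest.split(None, 1)
                self.rules.append(
                    (src, tgt, cls, frozenset(perms.strip('{} ').split())))

    def expand(self, name: str) -> Set[str]:
        """Concrete types named by a type or an attribute."""
        if name in self.attrs:
            return set(self.attrs[name])
        if name in self.types:
            return {name}
        raise KeyError(name)

    def who_can(self, tgt: str, cls: str, perm: str) -> Set[str]:
        """Every domain that holds `perm` on concrete type `tgt` of class `cls`."""
        holders: Set[str] = set()
        for src, rtgt, rcls, perms in self.rules:
            if rcls == cls and perm in perms and tgt in self.expand(rtgt):
                holders |= self.expand(src)
        return holders


def clients_inside_hal(policy: Policy, hal: str) -> Set[str]:
    """Client domains that also carry the hal_foo implementation rules.
    Empty when the HAL is binderized; non-empty in passthrough mode."""
    return policy.expand(f'{hal}_client') & policy.expand(hal)


if __name__ == '__main__':
    for label, text in (('binderized', BASE_POLICY),
                        ('passthrough', BASE_POLICY + PASSTHROUGH_EXTRA)):
        p = Policy(text)
        print(label, 'audio_device writers:', sorted(p.who_can('audio_device', 'chr_file', 'write')),
              'clients inside HAL:', sorted(clients_inside_hal(p, 'hal_audio')))
```

In the binderized layout only hal_audio_default can write the device node while audioserver keeps just its binder call to the server; adding the single passthrough typeattribute line is what pulls every hal_audio rule into audioserver, which is the extra access the Treble commit removes from core domains.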
Motivation:
Provide the ability to phase in new security policies by
applying them to apps with a minimum targetSdkVersion.
Place untrusted apps with targetSdkVersion<=25 into the
untrusted_app_25 domain. Apps with targetSdkVersion>=26 are placed
into the untrusted_app domain. Common rules are included in the
untrusted_app_all attribute. Apps with a more recent targetSdkVersion
are granted fewer permissions.
Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25
run in untrusted_app_25 domain. Apps targeting the current development
build >=26 run in the untrusted_app domain with fewer permissions. No
new denials observed during testing.
Bug: 34115651
Bug: 35323421
Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083
Create an event_log_tags_file label and use it for
/dev/event-log-tags. Only trusted system log readers are allowed
direct read access to this file, no write access. Untrusted domain
requests lack direct access, and are thus checked for credentials via
the "plan b" long path socket to the event log tag service.
Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests
Bug: 31456426
Bug: 30566487
Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
- Added set_prop to shell so that you can set it from shell.
- Added set_prop to system_app so that it can be updated in settings.
Bug: 34256441
Test: can update prop from Settings and shell. nfc and lights work with
ag/1833821 with persist.hal.binderization set to on and off. There are
no additional selinux denials.
Change-Id: I883ca489093c1d56b2efa725c58e6e3f3b81c3aa
Introduce the add_service() macro which wraps up add/find
permissions for the source domain with a neverallow preventing
others from adding it. Only a particular domain should
add a particular service.
Use the add_service() macro to automatically add a neverallow
that prevents other domains from adding the service.
mediadrmserver was adding services labeled mediaserver_service.
Drop the add permission as it should just need the find
permission.
Additionally, the macro adds the { add find } permission which
causes some existing neverallows to assert. Adjust those
neverallows so "self" can always find.
Test: compile and run on hikey and emulator. No new denials were
found, and all services, where applicable, seem to be running OK.
Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
This improves readability and consistency for HAL implementation
domains which have only one implementation.
Test: No change to policy according to sesearch
Test: No change to which types are associated with haldomain according to "sepolicy-analyze <sepolicy file> attribute haldomain"
Bug: 34180936
Change-Id: Ice599ea4971cdfbd8b835b1fd02ad1e14c7a0386
This marks all HAL domain implementations with the haldomain attribute
so that rules can be written which apply to all HAL implementations.
This follows the pattern used for appdomain, netdomain and
bluetoothdomain.
Test: No change to policy according to sesearch.
Bug: 34180936
Change-Id: I0cfe599b0d49feed36538503c226dfce41eb65f6
Enabling/disabling sepolicy based on ENABLE_TREBLE is not granular
enough (ref: b/32978887 #4).
Bug: 32978887
Test: compiles, doesn't cause any additional denials on device. Nothing
depends on these things I'm removing.
Change-Id: I10acbde16e5e2093f2c9205ed79cd20caed7f44d
In order for hal clients to use IServiceManager::registerForNotifications,
the hwservicemanager needs to be able to call into client processes.
Test: WIP
Bug: 33383725
Change-Id: I59470e9cd5cbeafda010fedc0b91eeb41280e0a1
app_domain was split up in commit: 2e00e6373f to
enable compilation by hiding type_transition rules from public policy. These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware. Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.
(cherry-pick of commit: 76035ea019)
Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split. In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.
This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.
Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
Description stolen from
42a9699a9f
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0. Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.
Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }
Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
Test: policy compiles and no boot errors (marlin)
Change-Id: Idaef2567666f80db39c3e3cee70e760e1dac73ec