Commit graph

16609 commits

Author SHA1 Message Date
Nick Kralevich
787fc8d0e6 vold.te: allow BLKSECDISCARD
vold needs to securely delete content from various block devices. Allow
it.

Addresses the following denials:

type=1400 audit(0.0:66): avc: denied { ioctl } for comm="secdiscard" path="/dev/block/dm-3" dev="tmpfs" ino=17945 ioctlcmd=0x127d scontext=u:r:vold:s0 tcontext=u:object_r:dm_device:s0 tclass=blk_file permissive=0
type=1400 audit(0.0:43): avc: denied { ioctl } for comm="secdiscard" path="/dev/block/sda45" dev="tmpfs" ino=17485 ioctlcmd=127d scontext=u:r:vold:s0 tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file permissive=0

Test: policy compiles.
Change-Id: Ie7b4b8ac4698d9002a4e8d142d4e463f8d42899a
2018-10-23 03:35:08 -07:00
Treehugger Robot
962ad6fecb Merge "Allow dumpstate to call mediaswcodec over binder" 2018-10-22 22:21:23 +00:00
Treehugger Robot
a90ab78e97 Merge "asan: restore global access to system_asan_options_file." 2018-10-22 22:21:21 +00:00
Tri Vo
3d2e200b69 asan: restore global access to system_asan_options_file.
Bug: 118161817
Test: SANITIZE_TARGET=address m selinux_policy
Change-Id: I4dabcb3692c59b810a06567e272bca9f0e9c3ecd
2018-10-22 13:05:05 -07:00
Joel Galenson
33ded4a69b Allow dumpstate to call mediaswcodec over binder
This prevents denials while taking a bugreport.

Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t
android.security.cts.SELinuxHostTest#testNoBugreportDenials

Change-Id: I381b39fa127f82fcef5d820a04209fd1ba4f63cd
2018-10-22 12:39:28 -07:00
Nick Kralevich
eacbcc980f update_engine_common: allow BLKROGET and BLKROSET
Allow BLKROGET and BLKROSET on the block devices underlying the /system
and rootfs partitions. As part of the Android boot process, the system
sets the block devices read-only to prevent accidental modification to
these partitions. Update engine needs the ability to adjust the block
device read-only flag in order to apply updates.

Addresses the following denials:

update_engine: type=1400 audit(0.0:96): avc: denied { ioctl } for path="/dev/block/sda33" dev="tmpfs" ino=15369 ioctlcmd=125e scontext=u:r:update_engine:s0 tcontext=u:object_r:system_block_device:s0 tclass=blk_file permissive=0
update_engine: type=1400 audit(0.0:97): avc: denied { ioctl } for path="/dev/block/sda33" dev="tmpfs" ino=15369 ioctlcmd=125d scontext=u:r:update_engine:s0 tcontext=u:object_r:system_block_device:s0 tclass=blk_file permissive=0

Test: policy compiles
Bug: 118150702
Change-Id: I65a3d041b6d6b7955bcd901637a543524fc34a06
2018-10-22 12:20:41 -07:00
Treehugger Robot
2779f92caf Merge "fastbootd.te: Delete allowxperm statement" 2018-10-22 18:52:23 +00:00
Treehugger Robot
faba431221 Merge "priv_app: remove /proc/net access" 2018-10-22 17:33:48 +00:00
Nick Kralevich
392ac0fd53 fastbootd.te: Delete allowxperm statement
system/sepolicy commit 4c8eaba75a, reviewed in
https://android-review.googlesource.com/c/platform/system/sepolicy/+/793958
started enforcing explicit ioctl permission checks for all block device
files. As part of that commit, the following lines were added to
domain.te:

  # If a domain has access to perform an ioctl on a block device, allow these
  # very common, benign ioctls
  allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };

In essence, if a domain is granted ioctl access to any device in
policy (for example, via adding "ioctl" to the allow rule, or by using
the macro "r_file_perms" which includes the ioctl permission), then the
two ioctls BLKGETSIZE64 and BLKSSZGET will be automatically allowed. As
such, it is redundent for a domain to explicitly request these two
ioctls.

Delete the now redundant allowxperm rule.

Test: policy compiles
Change-Id: I1964ed93a7c7601393cc9e2416f3640ea22db51b
2018-10-22 10:01:10 -07:00
Tri Vo
93d34842de Merge "Reland "Neverallow vendor code access to files on /system."" 2018-10-20 21:55:43 +00:00
Treehugger Robot
24e2b82446 Merge "Add input_device permission to hal_sensors_default" 2018-10-19 22:24:54 +00:00
Tri Vo
e6b1a4caf9 Reland "Neverallow vendor code access to files on /system."
What changed:
- Tightening neverallow forbidding vendor execution access in /system.
In it's current form the neverallow is loose because not all executables
have exec_type attribute, e.g. almost everything in /system/bin/. This
change tightens up the neverallow by instead targeting system_file_type
attribute, which must be applied to all files in /system.
- Adding a general neverallow forbidding all access to files in /system
(bar exceptions)

TODOs:
- Remove loopholes once Treble violations are fixed across all internal
build targets.

Bug: 111243627
Test: m selinux_policy; build-only change
Change-Id: I150195756c0c3258904c3da0812bbd942ea2f229
2018-10-19 13:26:50 -07:00
Bill Yi
cdef1dbc6e Merge pi-dr1-dev to aosp-master
Change-Id: I19a9051a0ff3863db1be9ff706a8b31b1c151419
2018-10-19 12:20:56 -07:00
Tri Vo
da394462ab Merge "init: access to /dev based on audit results"
am: 368c7c08f5

Change-Id: Iad5faaaffc92f669a1eb6887ecb1d2ecaa246ee6
2018-10-19 10:29:03 -07:00
Tri Vo
368c7c08f5 Merge "init: access to /dev based on audit results" 2018-10-19 17:11:44 +00:00
Pavel Grafov
c996ce76c8 Revert "Neverallow vendor code access to files on /system."
am: 10b250df24

Change-Id: I1bbfc88a988bb5519cbd91fb5dd0e6d212e42b39
2018-10-19 07:03:46 -07:00
Pavel Grafov
10b250df24 Revert "Neverallow vendor code access to files on /system."
This reverts commit c855629ebd.

Reason for revert: breaks builds for some devices in master

Change-Id: I02c0967d6607ef0173b4188c06d2e781c3c93f4b
2018-10-19 11:10:55 +00:00
Nick Kralevich
674b168480 start enforcing ioctl restrictions on blk_file
am: 4c8eaba75a

Change-Id: Ic97b8aafa7f6edcf54e08230905b34500fbe677e
2018-10-19 00:00:42 -07:00
Nick Kralevich
e7298b0f77 Merge "Allow TCGETS on pipes (fifo_file)"
am: 2581761e68

Change-Id: I42e8156eddf6315ff13fe16ad8ed7bc550f31c40
2018-10-18 23:59:50 -07:00
Nick Kralevich
acb41aca25 Move class bpf definition
am: f5a1b1bfa9

Change-Id: Idd4890670d766d71d4b2f6feb0066993ca079b90
2018-10-18 23:58:19 -07:00
Tri Vo
c8723e8fe2 Merge "Neverallow vendor code access to files on /system."
am: a813114831

Change-Id: Idf41a715fd959069be989a2d2000c21afad6290b
2018-10-18 23:55:59 -07:00
Jiyong Park
6d474849e8 Allow apexd to realpath(3) on apex_key_files
am: ecc09871ba

Change-Id: I43f3d98669537d24879f3a734e2684968813e148
2018-10-18 23:46:29 -07:00
Zheng Zhang
b9c0ab6f88 Allow mediaserver domain have getatrr perm on vendor_app_file
am: a26763ecb6

Change-Id: I7f4be177f11ec0211b492b74f2c342df50d2617f
2018-10-18 23:32:33 -07:00
Tri Vo
887ef16336 init: access to /dev based on audit results
This change assumes that init need access to types, access to which
was not audited.

go/sedenials reports additional types needed by init: pmsg_device and
tty_device.

Bug: 110962171
Test: m selinux_policy
Change-Id: I227956b2c12efeef68cbfa041b9604d4e4f9b967
2018-10-19 01:08:54 +00:00
Nick Kralevich
4c8eaba75a start enforcing ioctl restrictions on blk_file
Start enforcing the use of ioctl restrictions on all Android block
devices. Domains which perform ioctls on block devices must be explicit
about what ioctls they issue. The only ioctls allowed by default are
BLKGETSIZE64, BLKSSZGET, FIOCLEX, and FIONCLEX.

Test: device boots and no problems.
Change-Id: I1195756b20cf2b50bede1eb04a48145a97a35867
2018-10-18 15:24:32 -07:00
Treehugger Robot
2581761e68 Merge "Allow TCGETS on pipes (fifo_file)" 2018-10-18 19:04:56 +00:00
Nick Kralevich
dfc3c33689 priv_app: remove /proc/net access
Remove most of /proc/net access for priv_apps. Files in /proc/net leak
unique device identifiers and side channel information about other app's
network connections.

Access for most third party applications was removed in commit
d78e07cbb7. This change applies the same
constraints to priv-apps that we apply to normal apps.

Bug: 114475727
Bug: 9496886
Bug: 68016944
Test: policy compiles and device boots
Change-Id: I5c41ba57fcd6b81d72c4f3a40b310d2188fc79c3
2018-10-18 09:44:50 -07:00
Nick Kralevich
6790008920 Allow TCGETS on pipes (fifo_file)
Allow a process to determine if a fifo_file (aka pipe, created from the
pipe() or pipe2() syscall) is a tty.

Addresses the following denials:

type=1400 audit(0.0:1307): avc: denied { ioctl } for comm="ls" path="pipe:[213117]" dev="pipefs" ino=213117 ioctlcmd=5401 scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:r:hal_dumpstate_impl:s0 tclass=fifo_file permissive=0
type=1400 audit(0.0:22): avc: denied { ioctl } for comm="sh" path="pipe:[54971]" dev="pipefs" ino=54971 ioctlcmd=5401 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:r:untrusted_app_27:s0:c512,c768 tclass=fifo_file permissive=0 app=com.zhihu.android
type=1400 audit(0.0:237): avc: denied { ioctl } for comm="sh" path="pipe:[56997]" dev="pipefs" ino=56997 ioctlcmd=5401 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=fifo_file permissive=0 app=fm.qingting.qtradio

Test: policy compiles and device builds.
Change-Id: Ic4c6441d0ec33de8cda3f13ff529e98374897364
2018-10-18 09:10:54 -07:00
Nick Kralevich
f5a1b1bfa9 Move class bpf definition
No functional change. This reorg just makes it easier to perform diffs
against https://github.com/SELinuxProject/refpolicy/blob/master/policy/flask/access_vectors

Test: policy builds.
Change-Id: I10cf9547d57981c76ee7e76daa382bb504e36d0b
2018-10-18 09:08:26 -07:00
Tri Vo
a813114831 Merge "Neverallow vendor code access to files on /system." 2018-10-18 15:37:45 +00:00
Jiyong Park
ecc09871ba Allow apexd to realpath(3) on apex_key_files
apexd uses realpath(3) to ensure that the public key file that will use
is under /system/etc/security/apex directory. In order to support it,
allow apexd to getattr on apex_key_files.

The canonicalization is required because the key name from APEX might be
wrong. For example, if the key name from an APEX is '../../some/path'
then apexd will use '/system/etc/security/apex/../../some/path' as the
public key file, which is incorrect.

Bug: 115721587
Test: m apex.test; m
/apex/com.android.example.apex@1 exists

Change-Id: I6dc5efa0de369f8497e4f6526e0164e2de589c67
2018-10-18 20:39:37 +09:00
Zheng Zhang
a26763ecb6 Allow mediaserver domain have getatrr perm on vendor_app_file
When running some apps in vendor partition, it report denials like:

avc: denied { getattr } for comm="Binder:901_2" path="/vendor/operator/app/Wechat/Wechat.apk" dev="sde14" ino=1707 scontext=u:r:mediaserver:s0 tcontext=u:object_r:vendor_app_file:s0 tclass=file permissive=0
2018-10-18 03:10:52 +00:00
Nick Kralevich
063068f8c8 Merge "FIONCLEX: fix MIPS ioctl number"
am: afdcd959d7

Change-Id: Id2fe422a32a818648e7c31f27a5a894396061627
2018-10-17 17:06:35 -07:00
Tri Vo
c855629ebd Neverallow vendor code access to files on /system.
What changed:
- Tightening neverallow forbidding vendor execution access in /system.
In it's current form the neverallow is loose because not all executables
have exec_type attribute, e.g. almost everything in /system/bin/. This
change tightens up the neverallow by instead targeting system_file_type
attribute, which must be applied to all files in /system.
- Adding a general neverallow forbidding all access to files in /system
(bar exceptions)

TODOs:
- Remove loopholes once Treble violations are fixed across all internal
build targets.

Bug: 111243627
Test: m selinux_policy; build-only change
Change-Id: Ic8d71c8d139cad687ad7d7c9db7111240475f175
2018-10-17 22:31:02 +00:00
Treehugger Robot
afdcd959d7 Merge "FIONCLEX: fix MIPS ioctl number" 2018-10-17 22:22:45 +00:00
Nick Kralevich
da8e03da6c Merge "more ioctl work"
am: 5a7b82062c

Change-Id: I753b83b0f59aa5ecec568ffb3cd11d88de99011c
2018-10-17 14:34:58 -07:00
Treehugger Robot
5a7b82062c Merge "more ioctl work" 2018-10-17 21:21:15 +00:00
Nick Kralevich
f00935a550 mediaprovider: add functionfs ioctl
am: a73f58aee1

Change-Id: I573c72eb0795862a498772e74cb7f230876fa914
2018-10-17 14:02:36 -07:00
Nick Kralevich
6bb05751ef FIONCLEX: fix MIPS ioctl number
The ioctl number varies between MIPS devices and other devices.

Test: policy compiles.
Change-Id: I107ccd2eca626148d2573f51753ec433e20d6b74
2018-10-17 12:03:17 -07:00
Nick Kralevich
8ee8e26355 more ioctl work
Add a neverallow rule requiring fine-grain ioctl filtering for most file
and socket object classes. Only chr_file and blk_file are excluded. The
goal is to ensure that any file descriptor which supports ioctl commands
uses a whitelist.

Further refine the list of file / socket objects which require ioctl
filtering. The previous ioctl filtering did not cover the following:

1) ioctls on /proc/PID files
2) ioctls on directories in /dev
3) PDX unix domain sockets

Add FIONCLEX to the list of globally safe ioctls. FIOCLEX and FIONCLEX
are alternate, uncommon ways to set the O_CLOEXEC flag on a file
descriptor, which is a harmless operation.

Test: device boots and no problems.
Change-Id: I6ba31fbe2f21935243a344d33d67238d72a8e618
2018-10-17 11:12:18 -07:00
Nick Kralevich
a73f58aee1 mediaprovider: add functionfs ioctl
Addresses the following denial:

type=1400 audit(0.0:51894): avc: denied { ioctl } for comm="MtpServer" path="/dev/usb-ffs/mtp/ep1" dev="functionfs" ino=30291 ioctlcmd=0x6782 scontext=u:r:mediaprovider:s0:c512,c768 tcontext=u:object_r:functionfs:s0 tclass=file permissive=0 app=com.android.providers.media

Test: policy compiles.
Change-Id: I5290abb2848e5824669dae4cea829d4cbea98ab4
2018-10-17 10:14:40 -07:00
Dario Freni
84a010c48c Allow apexd to create symlink in /apex.
am: bab267a88f

Change-Id: I2ae046cd9434b983abe6366bd72e595b48ddfdf4
2018-10-17 09:32:41 -07:00
Dario Freni
bab267a88f Allow apexd to create symlink in /apex.
Bug: 115710947
Test: on device
Change-Id: Ie712689d80fb829f16de70e865cac4f0ff4e9b35
2018-10-17 11:25:02 +01:00
Bowgo Tsai
0a2efc1698 Merge "Allow input config to be under /vendor/odm"
am: 247f061a65

Change-Id: Ibec2927b80068cedc0c7ba7391e6fe53d9ae0892
2018-10-16 17:27:24 -07:00
Treehugger Robot
247f061a65 Merge "Allow input config to be under /vendor/odm" 2018-10-17 00:19:34 +00:00
Tri Vo
708be5e19e Reland "Treat input files as public API."
am: 888b92135c

Change-Id: I11b5fcd8a8ff1429b8454c87bab3c4a3b7b39372
2018-10-16 16:50:09 -07:00
Tri Vo
888b92135c Reland "Treat input files as public API."
Input files are public API:
https://source.android.com/devices/input/input-device-configuration-files
Now that they have labels from core policy (aosp/782082), we can tighten
up our neverallows.

Bug: 37168747
Test: m selinux_policy
Change-Id: Ifaf9547993eb8c701fb63b7ee41971ea4e3f7cf9
2018-10-16 18:02:00 +00:00
Nick Kralevich
2e7ac24b58 add map permission to rw_socket_perms
am: 9c22895c85

Change-Id: Icf1b28c653ed40e827ad087dec13bcd02b9ba484
2018-10-16 09:15:51 -07:00
Bowgo Tsai
591293111e Allow input config to be under /vendor/odm
Input config should be under /odm when it's "device-specific",
instead of /vendor (for "SoC-specific").

However, not all device have /odm partition so having the fallback
symlink: /odm -> /vendor/odm is important

Bug: 112880217
Test: build
Change-Id: I294e2b172d06d58a42c51c128e448c7644f854dc
2018-10-16 18:18:53 +08:00
Nick Kralevich
9c22895c85 add map permission to rw_socket_perms
Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for
mmap") added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation).  The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific
files for which we need to ensure that every access is revalidated,
particularly useful for scenarios where we expect the file to be
relabeled at runtime in order to reflect state changes (e.g.
cross-domain solution, assured pipeline without data copying).

system/sepolicy commit 4397f08288 added
the map permission to common file macros, to ensure that file access
would continue working even in the presence of a newer kernel. However,
that change did not affect socket access.

Certain socket classes, such as AF_NETLINK and AF_PACKET, also support
mmap operations. This change adds the map permission to rw_socket_perms,
to ensure continued support for newer kernels.

This technically allows mmap even in cases where the socket family
doesn't support it (such as TCP and UDP sockets), but granting it
is harmless in those cases.

In particular, this fixes a bug in clatd, where the following error
would occur:

  10-01 13:59:03.182 7129 7129 I clatd : Starting clat version 1.4 on rmnet0 netid=100 mark=0xf0064
  10-01 13:59:03.195 7129 7129 I auditd : type=1400 audit(0.0:18): avc: denied { map } for comm="clatd" path="socket:[52802]" dev="sockfs" ino=52802 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket permissive=0
  10-01 13:59:03.195 7129 7129 W clatd : type=1400 audit(0.0:18): avc: denied { map } for path="socket:[52802]" dev="sockfs" ino=52802 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket permissive=0
  10-01 13:59:03.199 7129 7129 F clatd : mmap 1048576 failed: Permission denied

Test: policy compiles
Bug: 117791876
Change-Id: I39f286d577b4a2160037ef271517ae8a3839b49b
2018-10-15 21:34:49 -07:00