Commit graph

172 commits

Author SHA1 Message Date
Inseob Kim
3bd63cc206 Move mtectrl to private
Because mtectrl is a system internal domain, and we don't need to expose
the type to vendor.

Test: build and boot
Change-Id: Idb5c4a4c6f175e338722971944bf08ba99835476
2022-01-26 08:59:55 +09:00
Yabin Cui
f17fb4270c Add sepolicy for simpleperf_boot.
simpleperf_boot is the secontext used to run simpleperf from init,
to generate boot-time profiles.

Bug: 214731005
Test: run simpleperf manually
Change-Id: I6f37515681f4963faf84cb1059a8d5845c2fe5a5
2022-01-15 16:12:51 -08:00
Yabin Cui
927d7a752b Restrict write access to etm sysfs interface.
Bug: 213519191
Test: boot device
Change-Id: I40d110baea5593a597efa3c14fd0adecee23fc0f
2022-01-11 14:12:52 -08:00
Alan Stokes
2914610f17 Allow composd to delete odrefresh target files
We need to remove any existing files (and the directory) to allow
odrefresh in the VM to re-create them via authfs.

But we don't need, and shouldn't have, any other access to them.

Bug: 210460516
Test: composd_cmd async-odrefresh
Change-Id: Iaafe33934146a6b8dda7c28cc1239c2eed167379
2021-12-16 16:24:56 +00:00
Alan Stokes
8dc7800578 Allow compos_fd_server to create artifacts
Previously this was always done by odrefresh. But now we are running
odrefresh in the VM we need to allow FD server to do it as its proxy.

Bug: 209572241
Bug: 209572296
Test: composd_cmd forced-oderefresh
Change-Id: I4bc10d6a3ec73789721a0541f04dd7e3865fe826
2021-12-14 16:06:31 +00:00
Victor Hsieh
33aa1a3c52 Allow composd to create odrefresh staging directory
composd in responsible to prepare the staging directory for odrefresh
(in the VM) to write the output to. Temporary output should be put in a
staged directory with a temporary apex_art_staging_data_file context.
When a compilation is finished, the files can then be moved to the final
directory with the final context.

Bug: 205750213
Test: No denials

Change-Id: I9444470b31518242c1bb84fc755819d459d21d68
2021-12-06 08:41:31 -08:00
Rajesh Nyamagoud
ce542660c9 Added sepolicy rule for vendor uuid mapping config
New type added in sepolicy to restrict Vendor defined uuid mapping
config file access to SecureElement.

Bug: b/180639372
Test: Run OMAPI CTS and VTS tests
Change-Id: I81d715fa5d5a72c893c529eb542ce62747afcd03
2021-11-20 01:08:11 +00:00
Yifan Hong
aabea20d89 Remove healthd.
Test: pass
Bug: 203245871
Change-Id: I4eb0b4333d7fde2096c4c75b7655baf897900005
2021-10-20 18:47:41 -07:00
Jooyung Han
970166fb4a virtualizationservice to use "staged" apexes
Virtualizationservice queries "package_native" service to get staged
apex info and then reads staged apexes to VM.

Bug: 199146189
Test: MicrodroidHostTestCases
Change-Id: Icbfe5b9a05abc08d3e0270d15969f632b3f57c66
2021-10-05 19:57:20 +09:00
Jiyong Park
3fee5a43c1 Don't prevent crosvm from accessing vendor-owned VM disk images
There can be VM disk images that are specific to the underlying SoC.
e.g. in case where SoC-specific hardware is dedicated to a VM and the VM
needs drivers (or HALs) for the hardware.

Don't prevent crosvm from reading such a SoC-specific VM disk images.

Note that this doesn't actually allow crosvm to do that in AOSP. Such an
allow rule could be added in downstreams where such use cases exist.

Bug: 193605879
Test: m
Change-Id: If19c0b6adae4c91676b142324c2903879548a135
2021-08-09 11:13:54 +09:00
Jiyong Park
5e20d83cfb Add rules for virtualizationservice and crosvm
The test for the services has been running with selinux disabled. To
turn selinux on, required rules are allowed.

Below is the summary of the added rules.

* crosvm can read the composite disk files and other files (APKs,
APEXes) that serve as backing store of the composite disks.
* virtualizationservice has access to several binder services
  - permission_service: to check Android permission
  - apexd: to get apex files list (this will be removed eventually)
* Both have read access to shell_data_file (/data/local/tmp/...) for
testing purpose. This is not allowed for the user build.
* virtualizationservice has access to the pseudo terminal opened by adbd
so that it can write output to the terminal when the 'vm' tool is
invoked in shell.

Bug: 168588769
Test: /apex/com.android.virt/bin/vm run-app --log /dev/null
/data/local/tmp/virt/MicrodroidDemoApp.apk
/data/local/tmp/virt/MicrodroidDemoApp.apk.idsig
/data/local/tmp/virt/instance.img
assets/vm_config.json

without disabling selinux.

Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-26 10:45:08 +09:00
Jooyung Han
6d4179a66e Fix virtualizationservice rules
Virtualizationservice should be able to read
* /apex/apex-info-list.xml: apex_info_file
* /data/apex/{active, uncompressed}: staging_data_file,
apex_data_file

and pass them to guest OS.

Bug: n/a
Test: atest MicrodroidHostTestCases
  (see logcat for denials)
Change-Id: Ia9dab957a6f912aa193d58e2817a00d4a39b4536
2021-07-16 13:58:03 +09:00
David Anderson
8a525d768f Fix e2fsck denials introduced by latest e2fsprogs merge.
This resulted from changes in e2fsprogs logic which traverses
/proc/mounts to warn about fixing a mounted filesystem.

Denials:

        07-08 15:08:21.207   853   853 I auditd  : type=1400 audit(0.0:88): avc: denied { getattr } for comm="e2fsck" path="/metadata" dev="vda12" ino=2 scontext=u:r:fsck:s0 tcontext=u:object_r:metadata_file:s0 tclass=dir permissive=0
        07-08 15:08:21.207   853   853 I auditd  : type=1400 audit(0.0:89): avc: denied { search } for comm="e2fsck" name="/" dev="tmpfs" ino=1 scontext=u:r:fsck:s0 tcontext=u:object_r:mirror_data_file:s0 tclass=dir permissive=0

Bug: 193137337
Test: treehugger
Change-Id: Ib050463f7fa6ea453795c933ff388d3594bb7c23
2021-07-13 10:17:30 -07:00
Thiébaud Weksteen
9ec532752d Add fusefs_type for FUSE filesystems
Any FUSE filesystem will receive the 'fuse' type when mounted. It is
possible to change this behaviour by specifying the "context=" or
"fscontext=" option in mount().

Because 'fuse' has historically been used only for the emulated storage,
it also received the 'sdcard_type' attribute. Replace the 'sdcard_type'
attribute from 'fuse' with the new 'fusefs_type'. This attribute can be
attached on derived types (such as app_fusefs).

This change:
- Remove the neverallow restriction on this new type. This means any
  custom FUSE implementation can be mounted/unmounted (if the correct
  allow rule is added). See domain.te.
- Change the attribute of 'fuse' from 'sdcard_type' to 'fusefs_type'.
  See file.te.
- Modify all references to 'sdcard_type' to explicitly include 'fuse'
  for compatibility reason.

Bug: 177481425
Bug: 190804537
Test: Build and boot aosp_cf_x86_64_phone-userdebug
Change-Id: Id4e410a049f72647accd4c3cf43eaa55e94c318f
2021-06-28 13:18:46 +02:00
Inseob Kim
5d269aaa55 Remove microdroid specific rules and files
These are moved to packages/modules/Virtualization.

Bug: 189165759
Test: boot device and microdroid
Test: atest MicrodroidHostTestCases
Change-Id: I050add7fef56ced4787117f338e7b5d1fda1c193
2021-06-07 19:22:18 +09:00
Jooyung Han
55393cc42b Allow microdroid_manager to execute shell, etc.
Microdroid_manager should execute a command passed via a VM payload
config. Ideally, the spawned process should be in a dedicated domain
which has the right set of permissions.

For now, it is allowed to execute shell/toybox for testing/debuging. And
also it is allowed to access fusefs to load a library or a config file.

Bug: 189301496
Test: MicrodroidHostTestCases
Change-Id: I7872514b40a9e23bbbed2b3e1ccd322f4e9cf832
2021-06-02 09:54:12 +09:00
Jiyong Park
6645ad3b1f Add rules for microdroid_launcher
Microdroid_launcher is an executable in microdroid. It's role is to load
a shared library in an APK that is shared from the host Android and
execute it by calling an entry point (android_native_main) in it.

For now, it is executed from shell, but will eventually be executed from
a binder service (which also is running in microdroid) called
microdroid_manager.

Bug: 188513012
Test: atest MicrodroidHostTestCases
Change-Id: I150a958c1ed0e3e960f4b4b577e808e54e898644
2021-05-25 17:22:01 +09:00
Jiyong Park
cf1eb370d8 Allow zipfuse to mount /dev/vd* on /mnt/apk
zipfuse is a FUSE implementation that runs in microdroid. In the virtual
machine, it reads a block device (/dev/vd* via the symlink
/dev/block/by-name/microdroid-apk) whose content is read from an apk
in the host side. Then the makes the entries in the zip file (apk is
also a zip) as regular files in the virtual machine.

Note that the filesystem is mounted as default 'fuse:filesystem' because
it's mounted without the `fcontext` option, which is due to the libfuse
library we are importing from crosvm (b/188400186).

Bug: 188388851
Test: atest MicrodroidHostTestCases
Change-Id: Ide9bac88088535f4f335f2725fa929d23015e6e1
2021-05-25 14:10:55 +09:00
David Anderson
018004d9d1 Allow fastbootd to mount /metadata in recovery.
It is important that fastbootd is able to mount /metadata in recovery, in
order to check whether Virtual A/B snapshots are present. This is
enabled on userdebug builds, but currently fails on user builds.

Fixes:

        audit: type=1400 audit(7258310.023:24): avc:  denied  { mount } for pid=511 comm="fastbootd" name="/" dev="sda15" ino=2 scontext=u:r:fastbootd:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0

Bug: 181097763
Test: fastboot flash on user build
Change-Id: I1abeeaa3109e08755a1ba44623a46b12d9bfdedc
2021-05-05 16:37:56 -07:00
Hridya Valsaraju
498318cc65 Revert "Revert "Exclude vendor_modprobe from debugfs neverallow restrictions""
This reverts commit 231c04b2b9.

Now that b/186727553 is fixed, it should be safe to revert this revert.

Test: build
Bug: 184381659
Change-Id: If26ba23df19e9854a121bbcf10a027c738006515
2021-05-04 22:07:08 -07:00
Hridya Valsaraju
23f9f51fcd Revert "Revert "Add neverallows for debugfs access""
This reverts commit e95e0ec0a5.

Now that b/186727553 is fixed, it should be safe to revert this revert.

Test: build
Bug: 184381659
Change-Id: Ibea3882296db880f5cafe4f9efa36d79a183c8a1
2021-05-04 22:06:46 -07:00
Hridya Valsaraju
a885dd84c7 Revert "Revert "Add a neverallow for debugfs mounting""
This reverts commit f9dbb72654.
Issues with GSI testing fixed with
https://android-review.googlesource.com/c/platform/build/+/1686425/

Bug: 184381659
Test: manual
Change-Id: Icd07430c606e294dfaad2fc9b37d34e3dae8cbfc
2021-05-02 21:41:53 -07:00
Yurii Zubrytskyi
b382f02bf4 [incfs] Allow everyone read the IncFS sysfs features
Every process needs to be able to determine the IncFS features
to choose the most efficient APIs to call

Bug: 184357957
Test: build + atest PackageManagerShellCommandTest
Change-Id: Ia84e3fecfd7be1209af076452cc27cc68aefd80d
2021-04-21 15:15:40 -07:00
Nikita Ioffe
17bd4dda4a Allow adbd to pull apexes from /data/apex/active
Test: adb pull /data/apex/active/com.android.apex.cts.shim@v2.apex
Bug: 184886365
Change-Id: Ibaac390a99e65a8b388d3c62761d96ec8f8e0846
2021-04-12 23:34:31 +00:00
Yabin Cui
bd4c9e8530 Add permissions in profcollectd to parse kernel etm data.
To parse etm data for kernel and kernel modules, add below permissions
to profcollectd:
1. Get kernel start address and module addresses from /proc/kallsyms
and /proc/modules.
2. Get kernel build id from /sys/kernel/notes.
3. Read kernel module files in vendor dir.

Bug: 166559473
Test: run profcollectd.

Change-Id: I2e0b346379271fadc20e720722f7c9a687335ee2
2021-04-08 16:03:59 -07:00
Kalesh Singh
326fc27064 Sepolicy for mm_events
Allow mm_events to periodically arm the mm_events
perfetto trace config if mm_events is enabled.

Bug: 183037386
Test: boot; setprop persist.mm_events.enabled true; No avc denials
Change-Id: Ia9760001e7fb591f18e3e816a63281167a658c74
2021-04-06 22:46:32 -04:00
Alex Light
16dfb432b3 Use postinstall file_contexts
Previously we would mount OTA images with a 'context=...' mount
option. This meant that all selinux contexts were ignored in the ota
image, limiting the usefulness of selinux in this situation. To fix
this the mount has been changed to not overwrite the declared contexts
and the policies have been updated to accurately describe the actions
being performed by an OTA.

Bug: 181182967
Test: Manual OTA of blueline
Merged-In: I5eb53625202479ea7e75c27273531257d041e69d
Change-Id: I5eb53625202479ea7e75c27273531257d041e69d
2021-03-24 17:00:35 -07:00
Marco Ballesio
aa4ce95c6f sepolicy: rules for uid/pid cgroups v2 hierarchy
Bug: 168907513
Test: verified the correct working of the v2 uid/pid hierarchy in normal
and recovery modes

This reverts commit aa8bb3a29b.

Change-Id: Ib344d500ea49b86e862e223ab58a16601eebef47
2021-02-11 23:40:38 +00:00
Martijn Coenen
9e794114b2 Merge "SELinux policy for on-device signing binary." 2021-02-05 11:22:37 +00:00
Treehugger Robot
96acdc0b22 Merge "Revert^3 "sepolicy: rules for uid/pid cgroups v2 hierarchy"" 2021-02-05 01:59:16 +00:00
Marco Ballesio
aa8bb3a29b Revert^3 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
a54bed6907

Bug: 151660495
Test: verified proper boot in regular mode and proper working of adb in
recovery

Change-Id: Id70d27a6162af6ede94661005d80a2a780057089
2021-02-04 22:33:14 +00:00
Martijn Coenen
6afdb72cbb SELinux policy for on-device signing binary.
Bug: 165630556
Test: no denials on boot
Change-Id: I9d75659fb1eaea562c626ff54521f6dfb02da6b3
2021-02-03 16:15:48 +01:00
Treehugger Robot
883de3cd2e Merge "Add vendor_public_framework_file type to SEPolicy" 2021-01-28 11:41:00 +00:00
Marco Ballesio
a54bed6907 Revert^2 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
51c04ac27b

Change-Id: Idc35a84b5faabfb9bdd7a7693f51b11938eb0489
2021-01-27 06:07:48 +00:00
Dorin Drimus
84cd7087d5 Add vendor_public_framework_file type to SEPolicy
And allow access from system apps to vendor libs public only for system.
These files should be marked individually by OEMs. Maintainance
ownership for these libraries is also OEM's responsability.
Similar with vendor_public_libs_file type, this allows for an explicit
labeling of OEM system apps that can access libs from vendor.

Bug: 172526961
Test: build-only change, policy builds
Change-Id: I7d4c8232e0b52e73f373d3347170c87ab2dcce52
2021-01-26 15:59:37 +01:00
Orion Hodson
8f75f76fbd Permissions for odrefresh and /data/misc/apexdata/com.android.art
odrefresh is the process responsible for checking and creating ART
compilation artifacts that live in the ART APEX data
directory (/data/misc/apexdata/com.android.art).

There are two types of change here:

1) enabling odrefresh to run dex2oat and write updated boot class path
   and system server AOT artifacts into the ART APEX data directory.

2) enabling the zygote and assorted diagnostic tools to use the
   updated AOT artifacts.

odrefresh uses two file contexts: apex_art_data_file and
apex_art_staging_data_file. When odrefresh invokes dex2oat, the
generated files have the apex_art_staging_data_file label (which allows
writing). odrefresh then moves these files from the staging area to
their installation area and gives them the apex_art_data_file label.

Bug: 160683548
Test: adb root && adb shell /apex/com.android.art/bin/odrefresh
Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
2021-01-13 10:38:22 +00:00
Florian Mayer
a8a3d8b1bf Allow heapprofd central mode on user builds.
This simplifies operation by removing a special case for user builds.

Test: atest CtsPerfettoTestCases on user
Test: atest CtsPerfettoTestCases on userdebug
Test: atest perfetto_integrationtests on userdebug
Bug: 153139002
Change-Id: Ibbf3dd5e4f75c2a02d931f73b96fabb8157e0ebf
2021-01-11 17:19:02 +00:00
Mohammad Samiul Islam
a45cddae5e Allow priv_app read access to /data/app-staging directory
During staged installation, we no longer create duplicate sessions for
verification purpose. Instead, we send the original files in
/data/app-staging folder to package verifiers for verification. That
means, Phonesky needs access to /data/app-staging folder to be able to
verify the apks inside it.

Bug: 175163376
Test: atest StagedInstallTest#testPlayStoreCanReadAppStagingDir
Test: atest StagedInstallTest#testAppStagingFolderCannotBeReadByNonPrivApps
Change-Id: I5cbb4c8b7dceb63954c747180b39b4a21d2463af
2020-12-10 23:46:15 +00:00
Jonglin Lee
51c04ac27b Revert "sepolicy: rules for uid/pid cgroups v2 hierarchy"
Revert submission 1511692-cgroup v2 uid/pid hierarchy

Reason for revert: Causing intermittent cgroup kernel panics
Reverted Changes:
I80c2a069b:sepolicy: rules for uid/pid cgroups v2 hierarchy
I73f3e767d:libprocessgroup: uid/pid hierarchy for cgroup v2

Bug: 174776875
Change-Id: I63a03bb43d87c9aa564b1436a45fd5ec023aac87
Test: Locally reverted and booted 100 times without kernel panic
2020-12-04 03:12:59 +00:00
Marco Ballesio
f46d7a26c1 sepolicy: rules for uid/pid cgroups v2 hierarchy
the cgroups v2 uid/gid hierarchy will replace cgroup for all sepolicy
rules. For this reason, old rules have to be duplicated to cgroup_v2,
plus some rules must be added to allow the ownership change for cgroup
files created by init and zygote.

Test: booted device, verified correct access from init, system_server
and zygote to the uid/pid cgroup files

Change-Id: I80c2a069b0fb409b442e1160148ddc48e31d6809
2020-11-30 11:46:14 -08:00
Suren Baghdasaryan
37f1a137b6 Add rules for per-API level task profiles and cgroup description files
Define access rights to new per-API level task profiles and cgroup
description files under /etc/task_profiles/.

Bug: 172066799
Test: boot with per-API task profiles
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I04c9929fdffe33a9fc82d431a53f47630f9dcfc3
2020-11-23 09:30:26 -08:00
Alan Stokes
8bf8a262e5 Exempt older vendor images from recent mls changes.
We no longer allow apps with mlstrustedsubject access to app_data_file
or privapp_data_file. For compatibility we grant access to all apps on
vendor images for SDK <= 30, whether mlstrustedsubject or not. (The
ones that are not already have access, but that is harmless.)

Additionally we have started adding categories to system_data_file
etc. We treat these older vendor apps as trusted for those types only.

The result is that apps on older vendor images still have all the
access they used to but no new access.

We add a neverallow to prevent the compatibility attribute being
abused.

Test: builds
Change-Id: I10a885b6a122292f1163961b4a3cf3ddcf6230ad
2020-11-17 17:30:10 +00:00
Yifan Hong
f5f4c1207a Revert "Add /boot files as ramdisk_boot_file."
This reverts commit 2576a2fc30.

Reason for revert: conflict with device-specific sepolicy

Bug: 170411692
Change-Id: Ie5fde9dd91b603f155cee7a9d7ef432a05dc6827
Test: pass
2020-10-08 22:13:44 +00:00
Yifan Hong
2576a2fc30 Add /boot files as ramdisk_boot_file.
/boot/etc/build.prop is a file available at first_stage_init to
be moved into /second_stage_resources.

The file is only read by first_stage_init before SELinux is
initialized. No other domains are allowed to read it.

Test: build aosp_hawk
Test: boot and getprop
Bug: 170364317
Change-Id: I0f8e3acc3cbe6d0bae639d2372e1423acfc683c7
2020-10-08 07:55:12 -07:00
Orion Hodson
76ce7f5eaa Remove policy for deprecated ART apex update scripts
Earlier changes removed the scripts for ART APEX pre- and post-install
hooks (I39de908ebe52f06f19781dc024ede619802a3196) and the associated
boot integrity checks (I61b8f4b09a8f6695975ea1267e5f5c88f64a371f), but
did not cleanup the SELinux policy.

Bug: 7456955
Test: Successful build and boot
Test: adb install com.android.art.debug && adb reboot
Change-Id: I1580dbc1c083438bc251a09994c28107570c48c5
2020-09-30 16:14:41 +01:00
Yi Kong
4555123090 Policies for profcollectd
Bug: 79161490
Test: run profcollect with enforcing
Change-Id: I19591dab7c5afb6ace066a3e2607cd290c0f43a6
2020-09-08 12:29:47 +00:00
Yi Kong
1be8dfacfd Move a couple of treble policies to private
We need to add an exception for a private type, it can only be
recognised if these are private policies.

Bug: 79161490
Test: TreeHugger
Change-Id: Icc902389e545f1ff4c92d2ab81c0617a3439f466
2020-08-31 13:55:41 +00:00
Inseob Kim
96b9d86a0e Remove exported2_system_prop
It's not used anymore.

Bug: 161659925
Test: boot
Change-Id: I5b08bdace28a509d464759a66025c951178225c6
Merged-In: I5b08bdace28a509d464759a66025c951178225c6
(cherry picked from commit 7d96ddbfb0)
2020-08-06 12:52:32 +09:00
Janis Danisevskis
abb93f24c0 Make Keystore equivalent policy for Keystore2
Bug: 158500146
Bug: 159466840
Test: keystore2_test tests part of this policy
Change-Id: Id3dcb2ba4423d93170b9ba7ecf8aed0580ce83bc
Merged-In: Id3dcb2ba4423d93170b9ba7ecf8aed0580ce83bc
2020-08-05 16:11:48 +00:00
Inseob Kim
acd02fc5e4 Rename exported3_radio_prop to radio_control_prop
The context name exported3_radio_prop is ambiguous and does not reflect
the usage and role of the properties. This changes its name to
radio_control_prop.

Some downstream branches are still using exported3_radio_prop, so
get_prop(domain, radio_control_prop) is added to avoid regression. It's
just a workaround and to be removed soon, after all exported3_radio_prop
are cleaned up.

Bug: 162214733
Test: boot a device with a sim and see basic functions work
Change-Id: If5fe3be7c64b36435c4ad0dc9a8089077295d502
Merged-In: If5fe3be7c64b36435c4ad0dc9a8089077295d502
2020-08-03 09:23:02 +00:00