Commit graph

3323 commits

Author SHA1 Message Date
Martijn Coenen
5fbbf2613c Add policy for /metadata/apex.
This is an area that apexd can use to store session metadata, which
won't be rolled back with filesystem checkpointing.

Bug: 126740531
Test: builds
Change-Id: I5abbc500dc1b92aa46830829be76e7a4381eef91
2019-03-12 18:31:07 +01:00
Tri Vo
131fa73add Restrict access to suspend control
Test: m selinux_policy
Change-Id: Ieccfd2aa059da065ace4f2db1b9634c52dd2cb24
2019-03-07 18:31:58 +00:00
David Anderson
d99b7fd3f9 Add sepolicy for /metadata/password_slots.
The device OS and an installed GSI will both attempt to write
authentication data to the same weaver slots. To prevent this, we can
use the /metadata partition (required for GSI support) to communicate
which slots are in use between OS images.

To do this we define a new /metadata/password_slots directory and define
sepolicy to allow system_server (see PasswordSlotManager) to access it.

Bug: 123716647
Test: no denials on crosshatch
Change-Id: I8e3679d332503b5fb8a8eb6455de068c22eba30b
2019-03-07 16:19:15 +00:00
Luke Huang
a116e1afe5 Merge "Add sepolicy for resolver service" 2019-03-07 05:35:12 +00:00
Treehugger Robot
c67985a067 Merge "Sepolicy: Allow crash_dump to ptrace apexd in userdebug" 2019-03-06 22:12:11 +00:00
Andreas Gampe
efece54e06 Sepolicy: Allow crash_dump to ptrace apexd in userdebug
In userdebug, for better diagnostics, allow crash_dump to "connect
to" apexd.

Considering apexd is quite powerful, user devices remain restricted.

Bug: 118771487
Test: m
Change-Id: Id42bd2ad7505cd5578138bfccd8840acba9a334d
2019-03-05 09:59:50 -08:00
Luke Huang
524f25ebb0 Add sepolicy for resolver service
Bug: 126141549
Test: built, flashed, booted
Change-Id: I34260e1e5cc238fbe92574f928252680c1e6b417
2019-03-05 15:49:33 +00:00
Joel Galenson
19c90604ad Fix denials during bugreport.
Bug: 124465994
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t
android.security.cts.SELinuxHostTest#testNoBugreportDenials
Test: Build all policies.

Change-Id: Ic20b1e0fd3a8bdea408d66f33351b1f5ebc5d84c
(cherry picked from commit f24854f8e8)
2019-03-04 14:01:12 -08:00
Treehugger Robot
e146c216cc Merge "Fix typo." 2019-03-04 21:52:58 +00:00
Jayant Chowdhary
bfb9f7caa5 Merge changes from topic "fwk-cameraservice-sepolicy"
* changes:
  Abstract use of cameraserver behind an attribute
  Add selinux rules for HIDL ICameraServer.
2019-03-04 19:43:07 +00:00
Florian Mayer
3b601a5e59 Fix typo.
Change-Id: I03d31ea03d7a1e3e230a97ac1f0ead82d5962f34
2019-03-04 16:43:37 +00:00
Florian Mayer
315d8bfa15 Allow profilable domains to use heapprofd fd and tmpfs.
This is needed to allow to communicate over shared memory.

Bug: 126724929

Change-Id: I73e69ae3679cd50124ab48121e259fd164176ed3
2019-03-04 12:05:35 +00:00
Nicolas Geoffray
d4536b0814 Merge "Allow ota_preopt to read runtime properties." 2019-03-04 10:15:28 +00:00
Dario Freni
5ed5072e06 Use label staging_data_file for installed APEX.
This is needed in cases SELinux labels are restored under /data/apex by
an external process calling restorecon. In normal condition files under
/data/apex/active retain the label staging_data_file used at their
original creation by StagingManager. However, we observed that the label
might be changed to apex_data_file, which we were able to reproduce by
running restorecon.

Explicitly mark files under /data/apex/active and /data/apex/backup as
staging_data_file.

This CL also remove some stale rules being addressed since.

Test: ran restorecon on files in /data/apex/active, attempted installing
a new apex which triggered the violation when files are linked to
/data/apex/backup. With this CL, the operation succeeds.
Bug: 112669193
Change-Id: Ib4136e9b9f4993a5b7e02aade8f5c5e300a7793c
2019-03-03 20:53:42 +00:00
Jayant Chowdhary
fe0af517db Abstract use of cameraserver behind an attribute
Bug: 124128212

Test: Builds

Change-Id: Ia0df765e15a72b3bdd1cba07ff1cf16128da5ae2
Signed-off-by: Jayant Chowdhary <jchowdhary@google.com>
2019-03-01 14:02:59 -08:00
Jayant Chowdhary
ca41deb378 Add selinux rules for HIDL ICameraServer.
Bug: 110364143

Test: lshal->android.frameworks.cameraservice.service@2.0::ICameraService/default
      is registered.

Merged-In: I689ca5a570c169581b2bfb9d117fcdafced0a7e0
Change-Id: I689ca5a570c169581b2bfb9d117fcdafced0a7e0
Signed-off-by: Jayant Chowdhary <jchowdhary@google.com>
(cherry picked from commit 039d4151da)
2019-03-01 14:01:07 -08:00
Treehugger Robot
f669b1393d Merge "Update fence event path for kernel 4.10+" 2019-03-01 20:56:05 +00:00
Suren Baghdasaryan
e3f15e2abc Merge "sepolicy for vendor cgroups.json and task_profiles.json files" 2019-03-01 18:01:39 +00:00
Jesse Hall
17b29bd523 Update fence event path for kernel 4.10+
The sysfs path for controlling dma fence events changed yet again in
Linux 4.10, see kernel commit f54d1867005c3.

Test: adb shell atrace --list_categories | grep sync
Change-Id: Id6332f794ee4e350c936e1e777e9d94fc7cd6d11
2019-03-01 09:55:11 -08:00
Sudheer Shanka
45d73adc62 Merge "Remove priv_app SELinux denial tracking." 2019-03-01 17:01:06 +00:00
Nicolas Geoffray
400147579a Allow ota_preopt to read runtime properties.
Test: m
Bug: 126646365
Change-Id: I20770fd73b8ccc876c3d9042074a754d89e324a2
2019-03-01 10:05:35 +00:00
Andreas Gampe
67e14adba6 Sepolicy: Add runtime APEX postinstall fsverity permissions
Add rights to check and enable fsverity data.

Bug: 125474642
Test: m
Change-Id: I35ce4d6ac3db5b00d35860033a5751de26acf17c
2019-02-28 16:51:12 -08:00
Suren Baghdasaryan
6155b2fd11 sepolicy for vendor cgroups.json and task_profiles.json files
Vendors should be able to specify additional cgroups and task profiles
without changing system files. Add access rules for /vendor/etc/cgroups.json
and /vendor/etc/task_profiles.json files which will augment cgroups and
task profiles specified in /etc/cgroups.json and /etc/task_profiles.json
system files. As with system files /vendor/etc/cgroups.json is readable
only by init process. task_profiles.json is readable by any process that
uses cgroups.

Bug: 124960615
Change-Id: I12fcff0159b4e7935ce15cc19ae36230da0524fc
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-03-01 00:32:15 +00:00
Sudheer Shanka
a32080bcc2 Remove priv_app SELinux denial tracking.
The underlying issue has been fixed, so this
SELinux denial shouldn't occur anymore.

Bug: 118185801
Test: manual
Change-Id: I5656e341bcb7b554bcd29e00315648eb75ec0a3d
2019-02-28 14:15:47 -08:00
David Anderson
753225ce9c Merge "Allow system_server and shell to start gsid on-demand." 2019-02-28 22:08:10 +00:00
Tri Vo
e8cb09db42 Merge "ashmem: expand app access" 2019-02-28 22:00:50 +00:00
Tri Vo
9fbc87c89f ashmem: expand app access
We are only interested in removing "open" access from apps, so leave
apps with (rw_file_perms - open) permissions to /dev/ashmem

Bug: 126627315
Test: emulator boots without denials to /dev/ashmem
Change-Id: I7f03fad5e4e82aebd1b6272e4956b16f86043637
2019-02-28 10:47:35 -08:00
Andreas Gampe
4c2d06c458 Sepolicy: Add base runtime APEX postinstall policies
Add art_apex_postinstall domain that is allowed to move
precreated AoT artifacts from /data/ota.

Bug: 125474642
Test: m
Change-Id: Id674e202737155a4ee31187f096d1dd655001fdd
2019-02-28 09:24:17 -08:00
David Anderson
64bbf05150 Allow system_server and shell to start gsid on-demand.
gsid is started lazily to reduce memory pressure. It can be started
either via gsi_tool (invoked by adb shell), or by DynamicAndroidService
via system_server.

Bug: 126622385
Test: no denials running "gsi_tool status"
Change-Id: I90a5f3f28fe4f294fb60e7c87a62e76716fbd5c0
2019-02-28 07:54:25 -08:00
Andreas Gampe
57346a0566 Sepolicy: Add runtime APEX preinstall fsverity permissions
Add rights to create and install fsverity data.

Bug: 125474642
Test: m
Change-Id: I752c40c7b396b2da082cb17641702a2c5c11b9c3
2019-02-28 05:12:56 -08:00
Andreas Gampe
ae127d8340 Sepolicy: Add base runtime APEX preinstall policies
Add art_apex_preinstall domain that is allowed to create AoT
artifacts in /data/ota.

Bug: 125474642
Test: m
Change-Id: Ia091d8df34c4be4f84c2052d3c333a0e36bcb036
2019-02-28 05:12:56 -08:00
Kevin Rocard
83f65ebbb2 Allow audioserver to access the package manager
This can not be done from the system server as there are native API that
do not go through it (aaudio, opensles).

Test: adb shell dumpsys media.audio_policy | grep -i 'Package manager'
Bug: 111453086
Signed-off-by: Kevin Rocard <krocard@google.com>
Change-Id: I0a4021f76b5937c6191859892fefaaf47b77967f
2019-02-28 01:50:22 +00:00
Tri Vo
7eb9143e46 Merge "Neverallow app open access to /dev/ashmem" 2019-02-28 00:02:14 +00:00
Tri Vo
c67a1ff8d9 Merge "Decouple system_suspend from hal attributes." 2019-02-27 21:25:27 +00:00
Tri Vo
8b12ff5f21 Neverallow app open access to /dev/ashmem
Apps are no longer allowed open access to /dev/ashmem, unless they
target API level < Q.

Bug: 113362644
Test: device boots, Chrome, instant apps work
Change-Id: I1cff08f26159fbf48a42afa7cfa08eafa1936f42
2019-02-27 21:17:25 +00:00
Alan Stokes
1c8b376f81 Merge "Audit execution of app_data_file by untrusted_app." 2019-02-27 21:07:19 +00:00
Alan Stokes
931623e5b9 Audit execution of app_data_file by untrusted_app.
Test: Builds
Bug: 126536482
Change-Id: I9fe7623353cbb980db3853a8979f03ba033c7f45
2019-02-27 18:07:09 +00:00
Andreas Gampe
025cab88ab Merge changes I6a76eba4,Iff1ecabc
* changes:
  Sepolicy: Move dex2oat and postinstall_dexopt to private
  Sepolicy: Move dac_override checks to private
2019-02-27 16:56:52 +00:00
Nikita Ioffe
53c0743d79 Merge "Allow apexd to reboot device" 2019-02-27 08:49:32 +00:00
Tri Vo
a532088e7f Decouple system_suspend from hal attributes.
System suspend service is not a HAL, so avoid using HAL-specific macros
and attributes.

Use system_suspend_server attribute for ISystemSuspend.hal permissions.
Use system_suspend type directly for internal .aidl interface
permissions.

Bug: 126259100
Test: m selinux_policy
Test: blueline boots; wakelocks can still be acquired; device suspends
if left alone.
Change-Id: Ie811e7da46023705c93ff4d76d15709a56706714
2019-02-26 18:10:28 -08:00
Andreas Gampe
6d5baca452 Sepolicy: Move dex2oat and postinstall_dexopt to private
In preparation for additions that should be private-only, move the
types to private. Both have to be moved as they are dependent.

Bug: 125474642
Test: m
Change-Id: I6a76eba41b036bc6fb83588adbe9d63767d3e159
2019-02-26 13:13:45 -08:00
Andreas Gampe
f77bcdcf57 Sepolicy: Move dac_override checks to private
In preparation for moving other components to private, so that
private-only components can stay private.

Bug: 125474642
Test: m
Change-Id: Iff1ecabc4f45051d06e062b3338a117c09b39ff9
2019-02-26 13:12:05 -08:00
Nick Kralevich
68e27caeb6 allow shell rs_exec:file rx_file_perms
Hostside tests depend on being able to execute /system/bin/bcc. Allow
it.

From bug:

In the NDK:

  $ ./checkbuild.py
  $ virtualenv -p ../out/bootstrap/bin/python3 env
  $ source env/bin/activate
  $ ./run_tests.py --filter rs-cpp-basic
  FAIL rs-cpp-basic.rstest-compute [armeabi-v7a-19]: android-28 marlin HT67L0200247 QPP1.190205.017
  New RS 0xee70f000
  Segmentation fault

  FAIL rs-cpp-basic.rstest-compute [arm64-v8a-21]: android-28 marlin HT67L0200247 QPP1.190205.017
  New RS 0x7a91e13000
  Segmentation fault

  02-23 23:00:45.635  9516  9518 V RenderScript: Successfully loaded runtime: libRSDriver_adreno.so
  02-23 23:00:45.650  9518  9518 W rstest-compute: type=1400 audit(0.0:15): avc: denied { read } for name="bcc" dev="dm-0" ino=390 scontext=u:r:shell:s0 tcontext=u:object_r:rs_exec:s0 tclass=file permissive=0
  02-23 23:00:45.651  9516  9518 E RenderScript: Cannot open file '/system/bin/bcc' to compute checksum
  02-23 23:00:45.652  9516  9516 E rsC++   : Internal error: Object id 0.

Test: compiles
Fixes: 126388046
Change-Id: I28e591d660c4ba9a33135e940d298d35474ef0b6
2019-02-26 13:09:28 -08:00
Bo Hu
67bce94bd4 Merge "adbd: do not audit vsock_socket create" 2019-02-26 17:10:11 +00:00
Nikita Ioffe
cfe7f7b2ab Allow apexd to reboot device
In some scenarios (native watchdog finding a regression, apexd failing
to mount apexes), a rollback of apexd will be triggered which requires
device reboot.

Bug: 123622800
Test: manually triggered apexd rollback and verified it reboots phone
Change-Id: I4c5d785a69dd56a63348c75c1897601749db9bc5
2019-02-26 13:29:22 +00:00
Nicolas Geoffray
c8cb42e27d Allow installd to access device_config_runtime_native_boot_prop.
Test: m && boot
Bug: 119800099
Change-Id: I3d9c48b9474ed68c98cf65110ed9375a2c4c8aa1
2019-02-26 08:56:57 +00:00
Treehugger Robot
5946759331 Merge "Fix dl.exec_linker* tests" 2019-02-26 03:08:38 +00:00
Treehugger Robot
9ad7758c2e Merge "bug_map: remove tracking for b/79414024" 2019-02-26 00:08:18 +00:00
Nick Kralevich
905b4000cb Fix dl.exec_linker* tests
The dl.exec_linker* tests verify that the linker can invoked on an
executable. That feature still works, but not with the default
shell user, which is required for the CTS bionic tests.

Addresses the following denial:

audit(0.0:5493): avc: denied { execute_no_trans } for path="/bionic/bin/linker64" dev="loop3" ino=25 scontext=u:r:shell:s0 tcontext=u:object_r:system_linker_exec:s0 tclass=file permissive=0

Bug: 124789393
Test: compiles
Change-Id: I77772b2136fae97174eeba6542906c0802fce990
2019-02-25 15:11:40 -08:00
bohu
7c84772382 adbd: do not audit vsock_socket create
BUG: 123569840
Change-Id: I8f2b1dc05a0aef07ea5662b4febcbc3bc6f6a882
2019-02-25 14:55:27 -08:00