Commit graph

19 commits

Author SHA1 Message Date
Tri Vo
90cf5a7fb3 same_process_hal_file: access to individual coredomains
Remove blanket coredomain access to same_process_hal_file in favor of
granular access. This change takes into account audits from go/sedenials
(our internal dogfood program)

Bug: 37211678
Test: m selinux_policy
Change-Id: I5634fb65c72d13007e40c131a600585a05b8c4b5
2018-10-26 18:03:01 +00:00
Nick Kralevich
5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00
Benjamin Gordon
342362ae3e sepolicy: grant dac_read_search to domains with dac_override
kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order
of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of
dac_override and dac_read_search checks.  Domains that have dac_override
will now generate spurious denials for dac_read_search unless they also
have that permission.  Since dac_override is a strict superset of
dac_read_search, grant dac_read_search to all domains that already have
dac_override to get rid of the denials.

Bug: 114280985
Bug: crbug.com/877588
Test: Booted on a device running 4.14.
Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
2018-09-19 15:54:37 -06:00
Nick Kralevich
930614c7e6 Start partitioning off privapp_data_file from app_data_file
am: 23c9d91b46

Change-Id: Id99688b1e9b4d8d43eb1833904ac47c2796166ab
2018-08-02 21:27:57 -07:00
Nick Kralevich
23c9d91b46 Start partitioning off privapp_data_file from app_data_file
Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.

This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.

This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:

  -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
  +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user

For now, this newly introduced label has no usage, so this change
is essentially a no-op.

Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
      filesystem upgrade.

Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-02 16:29:02 -07:00
Yifan Hong
65c568d0dd perfprofd: talk to health HAL.
Test: perfprofd tests
Bug: 110890430
Change-Id: I0f7476d76b8d35b6b48fe6b77544ca8ccc71534d
2018-07-17 11:37:26 -07:00
Andreas Gampe
c8fe29ff1e Selinux: Fix perfprofd policy
Update for debugfs labeling changes.

Update for simpleperf behavior with stack traces (temp file).

Bug: 73175642
Test: m
Test: manual - run profiling, look for logs
Change-Id: Ie000a00ef56cc603f498d48d89001f566c03b661
2018-04-02 08:10:09 -07:00
Andreas Gampe
488030ee6f Statsd: Allow statsd to contact perfprofd in userdebug
Give statsd rights to connect to perfprofd in userdebug.

Test: mmma system/extras/perfprofd
Change-Id: Idea0a6b757d1b16ec2e6c8719e24900f1e5518fd
2018-03-27 12:08:45 -07:00
Andreas Gampe
3fa95acb1e Sepolicy: Allow perfprofd to contact dropbox
Give rights to call dropbox via binder.

Test: m
Test: manual
Change-Id: I968c432a27bc8fbe677a2dd03671908d555f9df6
2018-01-12 09:39:20 -08:00
Andreas Gampe
aa9711f82b Sepolicy: Introduce perfprofd binder service
Add policy for the perfprofd binder service.

For now, only allow su to talk to it.

Test: m
Change-Id: I690f75460bf513cb326314cce633fa25453515d6
2017-12-28 17:31:21 -08:00
Tri Vo
ae20791517 perfprofd: allow traversing sysfs directories.
Bug: 70275668
Test: walleye builds, boots.
This change only expands the existing permissions, so shouldn't regress
runtime behavior.
Change-Id: I36e63f11d78998a88e3f8d1e6913e20762a359af
2017-12-14 00:00:17 +00:00
Andreas Gampe
e40d676058 Sepolicy: Update rules for perfprofd
Follow along with updates in the selinux policy.

Test: m
Test: manual
Change-Id: I0dfc6af8fbfc9c8b6860490ab16f02a220d41915
2017-12-08 15:21:09 -08:00
Andreas Gampe
365dd03cb1 Sepolicy: Give perfprofd access to kernel notes
Simpleperf reads kernel notes.

Bug: 70275668
Test: m
Test: manual
Change-Id: I1a2403c959464586bd52f0398ece0f02e3980fc4
2017-12-06 13:55:06 -08:00
Andreas Gampe
ec5bcd70b0 Sepolicy: Silence /data/local/tmp access of perfprofd
Until simpleperf does not optimistically try /data/local/tmp for
tmp storage, silence the denials.

Bug: 70232908
Test: m
Test: manual
Change-Id: Icbc230dbfbfa6493b4e494185c536a10e3b0ae7b
2017-12-06 10:19:39 -08:00
Benjamin Gordon
9b2e0cbeea sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-21 08:34:32 -07:00
Jeff Vander Stoep
76aab82cb3 Move domain_deprecated into private policy
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
2017-05-15 13:37:59 -07:00
Sandeep Patil
35e308cf71 Make sure all public types are defined regardless of build variants
The types need to be exported so userdebug system.img
can still build the policy with a user vendor.img at boot time.
All permissions and attributes for these types are still kept under
conditional userdebug_or_eng macro

Bug: 37433251
Test: Boot sailfish-user build with generic_arm64_ab system.img on
      sailfish and make sure sepolicy compilation succeeds

Change-Id: I98e8428c414546dfc74641700d4846edcf9355b1
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-21 12:34:12 -07:00
Jeff Vander Stoep
4a478c47f4 Ban vendor components access to core data types
Vendor and system components are only allowed to share files by
passing open FDs over HIDL. Ban all directory access and all file
accesses other than what can be applied to an open file:
stat/read/write/append.

This commit marks core data types as core_data_file_type and bans
access to non-core domains with an exemption for apps. A temporary
exemption is also granted to domains that currently rely on
access with TODOs and bug number for each exemption.

Bug: 34980020
Test: Build and boot Marlin. Make phone call, watch youtube video.
      No new denials observed.
Change-Id: I320dd30f9f0a5bf2f9bb218776b4bccdb529b197
2017-03-28 15:44:39 -07:00
dcashman
0c8ad1dc94 Fix build.
Make all platform tyeps public to start to prevent build breakage in any devices
that may have device-specific policy using these types.  Future changes will
need to be carefully made to ensure we properly limit types for use by
non-platform policy.

Test: Builds
Change-Id: I7349940d5b5a57357bc7c16f66925dee1d030eb6
2016-12-06 16:49:25 -08:00