These APIs expose sensitive information via timing side channels. This
leaves access via the adb shell intact along with the current uses by
dumpstate, init and system_server.
The /proc/interrupts and /proc/stat files were covered in this paper:
https://www.lightbluetouchpaper.org/2016/07/29/yet-another-android-side-channel/
The /proc/softirqs, /proc/timer_list and /proc/timer_stats files are
also relevant.
Access to /proc has been greatly restricted since then, with untrusted
apps no longer having direct access to these, but stricter restrictions
beyond that would be quite useful.
Change-Id: Ibed16674856569d26517e5729f0f194b830cfedd
Some legitimate functionality currently requires direct sysfs access
that is not otherwise possible via the android APIs. Specifically,
isochronous USB transfers require this direct access, without which USB
audio applications would noticeably suffer.
Grant read access to the usb files under /sys/devices to prevent this
regression.
Bug: 28417852
Change-Id: I3424bf3498ffa0eb647a54cc962ab8c54f291728
A new directory is created in user data partition that contains preloaded
content such as a retail mode demo video and pre-loaded APKs.
The new directory is writable/deletable by system server. It is only
readable (including directory listing) by privileged or platform apps.
Bug: 28855287
Change-Id: I3816cd3a1ed5b9a030965698a66265057214f037
Since kernel 4.1 ftrace is supported as a new separate filesystem. It
gets automatically mounted by the kernel under the old path
/sys/kernel/debug/tracing. Because it lives now on a separate device
some sepolicy rules need to be updated. This patch is doing that. Most
of the rules are created based on a conversation that happened on the
SELinux Android mailing list:
http://comments.gmane.org/gmane.comp.security.seandroid/2799
Note that this also needs 3a343a1 from the 4.4 branch in kernel/common.
Also note that when tracefs is auto-mounted by the kernel, the kernel
does not use the "mode" parameter specified to mount debugfs for
tracefs. So an extra line like
chmod 0755 /sys/kernel/debug/tracing
is necessary in init.${ro.hardware}.rc after debugfs was mounted.
Signed-off-by: Christian Poetzsch <christian.potzsch@imgtec.com>
(cherry picked from commit 4dafa72ac9)
Change-Id: I75738c756b49da4ac109ae442ee37c1e2844ff0a
am: 0b26e99b68
* commit '0b26e99b6870dc6ae5b9bc146b83c9537f9a5dc1':
sepolicy: add support for new tracefs
Change-Id: I9189f98cb7cff87c412c7b3e09030c723b70abd7
Since kernel 4.1 ftrace is supported as a new separate filesystem. It
gets automatically mounted by the kernel under the old path
/sys/kernel/debug/tracing. Because it lives now on a separate device
some sepolicy rules need to be updated. This patch is doing that. Most
of the rules are created based on a conversation that happened on the
SELinux Android mailing list:
http://comments.gmane.org/gmane.comp.security.seandroid/2799
Note that this also needs 3a343a1 from the 4.4 branch in kernel/common.
Also note that when tracefs is auto-mounted by the kernel, the kernel
does not use the "mode" parameter specified to mount debugfs for
tracefs. So an extra line like
chmod 0755 /sys/kernel/debug/tracing
is necessary in init.${ro.hardware}.rc after debugfs was mounted.
Change-Id: I60fb7a90e24628e0370c3bca57644451fce5646d
Signed-off-by: Christian Poetzsch <christian.potzsch@imgtec.com>
In order to allow set_prop() to function with platform_apps,
the property_socket file requires mlstrustedobject since
platform apps use category sets.
This does not allow untrusted_app access, as the following
neverallows still prevent type access:
untrusted_app.te:118:neverallow untrusted_app property_socket:sock_file write;
untrusted_app.te:120:neverallow untrusted_app property_type:property_service set;
Lastly, the internal socket to property_service is labeled with init
which is mlstrustedsubject, so no changes are required there.
Change-Id: I47296a2dc24b16785fd296deea7a54ae9966226a
Signed-off-by: William Roberts <william.c.roberts@intel.com>
It's only used by the emulators, never by core policy.
Move the definition to the emulators.
Bug: 28221393
Change-Id: I7ca56e04d611cfccde507313ba9c2a0a71d54d06
postinstall_file was an exec_type so it could be an entrypoint for the
domain_auto_trans from update_engine domain to postinstall domain. This
patch removes the exec_type from postinstall_file and exempts it from
the neverallow rule to become an entrypoint.
Bug: 28008031
TEST=postinstall_example still runs as the "postinstall" domain on edison-eng.
(cherry picked from commit a9671c6b9e)
Change-Id: I2e1f61ed42f8549e959edbe047c56513903e8e9c
am: 786926a
* commit '786926a9a52491945862d1bf123ffb07b9146a23':
Allow postinstall_file to be an entrypoint.
Change-Id: I88c40cec600f7c573ca623059322e64f61b6951c
postinstall_file was an exec_type so it could be an entrypoint for the
domain_auto_trans from update_engine domain to postinstall domain. This
patch removes the exec_type from postinstall_file and exempts it from
the neverallow rule to become an entrypoint.
Bug: 28008031
TEST=postinstall_example still runs as the "postinstall" domain on edison-eng.
Change-Id: Icbf5b262c6f971ce054f1b4896c611b32a6d66b5
We decided on a different approach for these policies in the
meeting today.
This reverts commit 5507fa6672.
Bug: 28008031
Change-Id: Id86520660bdbc3fc36ac4acf51082547d6a559eb
update_engine had an automatic transition to the "postinstall" domain
when executing a "postinstall_file" which required it to be an
entrypoint. This patch removes this automatic transition and the
associated rules in update_engine.te, removing as well the need to
add exec_type to postinstall_file. Instead, update_engine now makes
this transition explicit by calling setexeccon(3).
Bug: 28008031
TEST=make dist; Deployed an update to edison-eng: postinstall runs as "postinstall" domain.
Change-Id: I2b799ac4808c90b010a9e776aaa7015020a94b49
To write bytes to an appfuse file from priv_app, we need to specify
mlstrustedobject.
The CL fixes the following denial.
type=1400 audit(0.0:77): avc: denied { write } for name="10" dev="fuse" ino=10 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:app_fuse_file:s0 tclass=file permissive=0
BUG=23093747
(cherry picked from commit 4d19f98c72)
Change-Id: I9901033bb3349d5def0bd7128db45a1169856dc1
To write bytes to an appfuse file from priv_app, we need to specify
mlstrustedobject.
The CL fixes the following denial.
type=1400 audit(0.0:77): avc: denied { write } for name="10" dev="fuse" ino=10 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:app_fuse_file:s0 tclass=file permissive=0
BUG=23093747
Change-Id: I9901033bb3349d5def0bd7128db45a1169856dc1
(cherry picked from commit f2d07904f7)
/dev/uio uio_device is already declared. Accessing uio through /sys
is also common.
Bug: 26990688
Change-Id: I3db941161dae31d3b87f265708abbcd9171a2c1f
sysfs_thermal nodes are common enough to warrant an entry in global
policy and the new HardwarePropertiesManagerService exists explicitly to
expose some of this information.
Address the following denials:
avc: denied { search } for name="thermal" dev="sysfs" ino=17509 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=1
avc: denied { read } for name="temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { getattr } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
(cherry-pick of internal commit: 98eff7c3d4)
Bug: 27809332
Change-Id: I6f812a7e281e348aa24c76b119e71ed95e1a1d9f
(cherry pick from commit 16fe52c90c)
One-time executables. recovery_refresh can be used at any time to
ensure recovery logs in pmsg are re-placed at the end of the FIFO.
recovery_persist takes the recovery logs in pmsg and drops them
into /data/misc/recovery/ directory.
Bug: 27176738
Change-Id: Ife3cf323930fb7a6a5d1704667961f9d42bfc5ac
One-time executables. recovery_refresh can be used at any time to
ensure recovery logs in pmsg are re-placed at the end of the FIFO.
recovery_persist takes the recovery logs in pmsg and drops them
into /data/misc/recovery/ directory.
Bug: 27176738
Change-Id: Ife3cf323930fb7a6a5d1704667961f9d42bfc5ac
sysfs_thermal nodes are common enough to warrant an entry in global
policy and the new HardwarePropertiesManagerService exists explicitly to
expose some of this information.
Address the following denials:
avc: denied { search } for name="thermal" dev="sysfs" ino=17509 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=1
avc: denied { read } for name="temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { getattr } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
Bug: 27809332
Change-Id: I2dbc737971bf37d197adf0d5ff07cb611199300d
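The AVC denial lines quoted in the sysfs_thermal and appfuse commits above are the raw input from which allow rules like these get written. As an added example (not part of any commit on this page), the following Python parser turns such lines into audit2allow-style allow rules, reports whether each denial was actually enforced (permissive=0) or only logged (permissive=1), and flags subjects that carry MLS categories, which is why the appfuse and property_socket commits had to add mlstrustedobject on the target type. The sample input is constructed from the denials quoted above; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC denial lines quoted in the thermal and appfuse commits above.
SAMPLE_DENIALS = """\
avc: denied { search } for name="thermal" dev="sysfs" ino=17509 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=1
avc: denied { read } for name="temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
type=1400 audit(0.0:77): avc: denied { write } for name="10" dev="fuse" ino=10 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:app_fuse_file:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+)\} for .*?scontext=(?P<scon>\S+) "
    r"tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?"
)

def parse_denial(line):
    """Parse one AVC denial line into its fields; returns None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    scon = m.group("scon").split(":")  # user:role:type:sensitivity[:categories]
    return {
        "perms": m.group("perms").split(),
        "source": scon[2],
        "target": m.group("tcon").split(":")[2],
        # categories on the subject (c512,c768 for an app) mean MLS constraints apply
        "source_categories": scon[4].split(",") if len(scon) > 4 else [],
        "tclass": m.group("tclass"),
        # permissive=0: the kernel actually blocked the access; permissive=1: logged only
        "enforced": m.group("permissive") == "0",
    }

def aggregate(text):
    # merge denials per (source, target, class); track MLS-sensitive keys and enforced count
    perms_by_key, mls_keys, enforced = defaultdict(set), set(), 0
    for d in filter(None, map(parse_denial, text.splitlines())):
        key = (d["source"], d["target"], d["tclass"])
        perms_by_key[key].update(d["perms"])
        if d["source_categories"]:
            mls_keys.add(key)
        enforced += d["enforced"]
    return dict(perms_by_key), mls_keys, enforced

def format_rules(perms_by_key, mls_keys):
    # render audit2allow-style allow rules, flagging those that also need mlstrustedobject
    rules = []
    for (src, tgt, cls), perms in sorted(perms_by_key.items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        if (src, tgt, cls) in mls_keys:
            rule += "  # categorised subject: target type also needs mlstrustedobject"
        rules.append(rule)
    return rules
```

A generated rule is a starting point for review, not something to paste into policy: the thermal commit, for instance, first gave the nodes their own sysfs_thermal label rather than opening up sysfs as a whole.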
HwRngTest needs access to the hwrandom sysfs files, but untrusted_app
does not have access to sysfs. Give these files their own label and
allow the needed read access.
(cherry-pick from internal commit: 85c0f8affa)
Bug: 27263241
Change-Id: If572ad0931a534d76e148b688b76687460e99af9
HwRngTest needs access to the hwrandom sysfs files, but untrusted_app
does not have access to sysfs. Give these files their own label and
allow the needed read access.
Bug: 27263241
Change-Id: I718ba485e9e6627bac6e579f746658d85134b24b