Commit graph

81 commits

Author SHA1 Message Date
Suren Baghdasaryan
c8ed855ede Selinux: Allow lmkd write access to sys.lmk. properties
Allow lmkd write access to sys.lmk. properties to be able to set
sys.lmk.minfree_levels.

Bug: 111521182
Test: getprop sys.lmk.minfree_levels returns value set by lmkd
Change-Id: I86ff11d75917966857d3a76876a56799bb92a5ad
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2018-08-10 20:05:46 +00:00
Samuel Ha
eda0f3f372 Revert "Revert "Reduce the number of processes that can start adbd""
am: 22f98197b2

Change-Id: Ie2678a964788b3a064ec12b06cb7b129ccc9b4b5
2018-06-26 13:06:04 -07:00
Samuel Ha
22f98197b2 Revert "Revert "Reduce the number of processes that can start adbd""
This reverts commit b5dc6137ad.

Reason for revert: Reverted incorrect change

Change-Id: Ieafa3338e28ffeed40bcceb73486cffbfbd08b9d
2018-06-26 19:52:21 +00:00
Samuel Ha
d2bc137aed Revert "Reduce the number of processes that can start adbd"
am: b5dc6137ad

Change-Id: I27e69743664613630765598869203b71437182b2
2018-06-26 12:49:35 -07:00
Samuel Ha
b5dc6137ad Revert "Reduce the number of processes that can start adbd"
This reverts commit faebeacaa0.

Reason for revert: broke the build

Change-Id: I3d61ce011ad42c6ff0e9f122de3daa37e846407a
2018-06-26 19:36:38 +00:00
Luis Hector Chavez
72bebcec37 Reduce the number of processes that can start adbd
am: faebeacaa0

Change-Id: I263f10cc06e23a01f1928d3c8dae3ab4e6357788
2018-06-26 07:17:06 -07:00
Luis Hector Chavez
faebeacaa0 Reduce the number of processes that can start adbd
This change makes it such that only init can start adbd directly. It
also introduces new rules for ctl.{start,stop,restart} properties such
that only usbd and recovery (and su, since it's permissive) can directly
ask init to start adbd.

Bug: 64720460
Test: adbd still runs
Test: /data/nativetest64/adbd_test/adbd_test
Test: python system/core/adb/test_adb.py
Test: "USB debugging" in System Settings still start/stop adbd
Test: Recovery menu still make the device show as "recovery" in adb
      devices
Test: "Apply update from ADB" in recovery menu still works
Change-Id: Iafcda8aa44e85129afcc958036b472d856fa1192
2018-06-26 14:10:26 +00:00
Eino-Ville Talvala
67bd625c19 Make system property audio.camerasound.force a vendor-writable property,
am: 3ac71f8d82

Change-Id: Ia0db4d6a305d7f815f38a119475ebb346e873249
2018-06-25 22:00:50 -07:00
Eino-Ville Talvala
3ac71f8d82 Make system property audio.camerasound.force a vendor-writable property,
This property is read by the audio service in system server to toggle
camera shutter sound enforcement on a device-specific basis.

Test: Camera shutter sound enforcement works when audio.camerasound.force is set
Bug: 110126976
Change-Id: I2720d3c699c4712d1a328f59dde0b16bbf1016f3
2018-06-25 22:50:14 +00:00
Neil Fuller
43d2c3d0b5 Add label for time (zone) system properties
am: b794ad0f8d

Change-Id: I46c7aa4b511da69d7f852023cff23871b6c8468e
2018-06-25 13:31:29 -07:00
Neil Fuller
b794ad0f8d Add label for time (zone) system properties
This adds a label for system properties that will affect system-wide
time / time detection logic.

The first example will be something like:
persist.time.detection_impl_version

Bug: 78217059
Test: build
Change-Id: I46044f1e28170760001da9acf2496a1e3037e48a
2018-06-25 17:59:56 +01:00
Tri Vo
ba79e154e5 Revert "Remove neverallow coredomain to set vendor prop."
Bug: 80466516
Bug: 78598545
This reverts commit 6f6fbebcef.

Change-Id: I3c0f374b846241571b5db6f061503f0ea2d6396a
2018-06-01 16:37:38 +00:00
Jiyong Park
d8ae007189 add extended_core_property_type
The attribute is used to capture system properties added from outside of
AOSP (e.g. by OEM), but are not device-specific and thus are used only
inside the system partition.

Access to the the system properties from outside of the system partition
is prevented by the neverallow rule.

Bug: 80382020
Bug: 78598545
Test: m -j selinux_policy
Merged-In: I22c083dc195dab84c9c21a79fbe3ad823a3bbb46
Change-Id: I22c083dc195dab84c9c21a79fbe3ad823a3bbb46
(cherry picked from commit c0f8f2f82a)
2018-06-01 13:27:54 +09:00
Tom Cherry
5897e23ea1 neverallow coredomain from writing vendor properties
System properties can be abused to get around Treble requirements of
having a clean system/vendor split.  This CL seeks to prevent that by
neverallowing coredomain from writing vendor properties.

Bug: 78598545
Test: build 2017 Pixels
Test: build aosp_arm64
Change-Id: I5e06894150ba121624d753228e550ba9b81f7677
(cherry picked from commit cdb1624c27)
2018-06-01 13:26:49 +09:00
Tri Vo
6f6fbebcef Remove neverallow coredomain to set vendor prop.
We are not forbidding system_writes_vendor_properties_violators in P,
i.e. this neverallow rule is not strictly enforced.

Bug: 80466516
Bug: 78598545
Test: build policy
Change-Id: Iaf0ebbd2b27adf8c48082caa874e53f32bf999fc
2018-05-31 23:46:02 +00:00
TreeHugger Robot
d009682c2e Merge "add extended_core_property_type" into pi-dev 2018-05-31 22:45:21 +00:00
Jiyong Park
c0f8f2f82a add extended_core_property_type
The attribute is used to capture system properties added from outside of
AOSP (e.g. by OEM), but are not device-specific and thus are used only
inside the system partition.

Access to the the system properties from outside of the system partition
is prevented by the neverallow rule.

Bug: 80382020
Bug: 78598545
Test: m -j selinux_policy
Change-Id: I22c083dc195dab84c9c21a79fbe3ad823a3bbb46
2018-05-30 17:38:09 +09:00
TreeHugger Robot
b5e493d821 Merge "Use non-expanded types in prop neverallows" into pi-dev 2018-05-23 19:08:01 +00:00
Jeff Vander Stoep
7745770bca Use non-expanded types in prop neverallows
Using hal_foo attributes in neverallow rules does not work because
they are auto-expanded to types. Use hal_foo_server types instead.

Fixes the following error:
unit.framework.AssertionFailedError: The following errors were
encountered when validating the SELinuxneverallow rule: neverallow
{ domain -coredomain -bluetooth -hal_bluetooth } { bluetooth_prop }:
property_service set; Warning! Type or attribute hal_bluetooth used
in neverallow undefined in policy being checked.

Test: CtsSecurityHostTestCases
Bug: 80153368
Change-Id: I2baf9f66d2ff110a4f181423790a1160a6e138da
2018-05-23 10:03:15 -07:00
Tom Cherry
7b8be35ddf Finer grained permissions for ctl. properties
Currently, permissions for ctl. property apply to each action verb, so
if a domain has permissions for controlling service 'foo', then it can
start, stop, and restart foo.

This change implements finer grainer permissions such that permission
can be given to strictly start a given service, but not stop or
restart it.  This new permission scheme is mandatory for the new
control functions, sigstop_on, sigstop_off, interface_start,
interface_stop, interface_restart.

Bug: 78511553
Test: see appropriate successes and failures based on permissions
Merged-In: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
Change-Id: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
(cherry picked from commit 2208f96e9e)
2018-05-22 13:47:16 -07:00
Tom Cherry
2208f96e9e Finer grained permissions for ctl. properties
Currently, permissions for ctl. property apply to each action verb, so
if a domain has permissions for controlling service 'foo', then it can
start, stop, and restart foo.

This change implements finer grainer permissions such that permission
can be given to strictly start a given service, but not stop or
restart it.  This new permission scheme is mandatory for the new
control functions, sigstop_on, sigstop_off, interface_start,
interface_stop, interface_restart.

Bug: 78511553
Test: see appropriate successes and failures based on permissions

Change-Id: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
2018-05-22 09:13:16 -07:00
Tom Cherry
cdb1624c27 neverallow coredomain from writing vendor properties
System properties can be abused to get around Treble requirements of
having a clean system/vendor split.  This CL seeks to prevent that by
neverallowing coredomain from writing vendor properties.

Bug: 78598545
Test: build 2017/2018 Pixels
Test: build aosp_arm64
Change-Id: I5e06894150ba121624d753228e550ba9b81f7677
2018-05-18 20:15:19 +09:00
Mark Salyzyn
1b748766e3 FrameworksServicesTests: allow access to test.sys.boot.reason property
com.android.server.power.PowerManagerServiceTest#testGetLastShutdownReasonInternal due to "RuntimeException: failed to set system property"

W/roidJUnitRunner: type=1400 audit(0.0:6): avc: denied { write } for name="property_service" dev="tmpfs" ino=13178 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
W/libc    : Unable to set property "test.sys.boot.reason" to "shutdown,thermal": connection failed; errno=13 (Permission denied)

Had to use precise property definition as com.android.phone accesses
test properties as well.

Test: compile
Bug: 78245377
Change-Id: I2cc810846f8615f2a2fae8e0d4f41de585b7abd7
2018-05-09 11:01:39 -07:00
Mark Salyzyn
3443cafa98 FrameworksServicesTests: allow access to test.sys.boot.reason property
com.android.server.power.PowerManagerServiceTest#testGetLastShutdownReasonInternal due to "RuntimeException: failed to set system property"

W/roidJUnitRunner: type=1400 audit(0.0:6): avc: denied { write } for name="property_service" dev="tmpfs" ino=13178 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
W/libc    : Unable to set property "test.sys.boot.reason" to "shutdown,thermal": connection failed; errno=13 (Permission denied)

Had to use precise property definition as com.android.phone accesses
test properties as well.

Test: compile
Bug: 78245377
Change-Id: I2cc810846f8615f2a2fae8e0d4f41de585b7abd7
2018-05-04 07:33:56 -07:00
Jeffrey Vander Stoep
9c6749d772 Revert "FrameworksServicesTests: allow access to test.sys.boot.reason property"
This reverts commit 0ab13a8dff.

Reason for revert: broken presubmit tests
https://sponge.corp.google.com/target?show=FAILED&sortBy=STATUS&id=83e847b2-8e30-4417-9b15-8e66af4b2bc3&target=DeviceBootTest

Change-Id: Id173c8e7fa28ba04070f507098f301f076e4aae7
2018-05-04 06:23:42 +00:00
Mark Salyzyn
0ab13a8dff FrameworksServicesTests: allow access to test.sys.boot.reason property
com.android.server.power.PowerManagerServiceTest#testGetLastShutdownReasonInternal due to "RuntimeException: failed to set system property"

W/roidJUnitRunner: type=1400 audit(0.0:6): avc: denied { write } for name="property_service" dev="tmpfs" ino=13178 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
W/libc    : Unable to set property "test.sys.boot.reason" to "shutdown,thermal": connection failed; errno=13 (Permission denied)

Test: compile
Bug: 78245377
Change-Id: Id21436d281bab27823969a9f7e92318d70b5a2d6
2018-05-03 16:45:36 +00:00
Max Bires
30d80f0c1c Adding labeling for vendor security patch prop am: 5cac1aa99c
am: ad3602d262

Test: Vendor security patch prop is properly labeled
Bug: 76428542
Change-Id: I034f2f2c9eab3667cfa92ea41b4b5f4afa1c7df7
Merged-In: I034f2f2c9eab3667cfa92ea41b4b5f4afa1c7df7
(cherry picked from commit 15a9fbc277)
2018-04-26 01:36:23 +00:00
Lalit Maganti
00c8e3d95a sepolicy: allow shell to read/write traced prop
This is to fix the CTS failures given by the bugs below where devices
where traced is not enabled by default causes test failures.

(cherry picked from commit 673b4db777)

Bug: 78215159
Bug: 78347829
Change-Id: Ib0f6a1cdb770528dbbeb857368534ff5040e464e
2018-04-23 16:18:34 +00:00
Lalit Maganti
673b4db777 sepolicy: allow shell to read/write traced prop
This is to fix the CTS failures given by the bugs below where devices
where traced is not enabled by default causes test failures.

Bug: 78215159
Bug: 78347829
Change-Id: Ib0f6a1cdb770528dbbeb857368534ff5040e464e
2018-04-23 09:55:04 +00:00
Jaekyun Seok
dce86b3cc6 Neverallow unexpected domains to access bluetooth_prop and wifi_prop
And this CL will remove unnecessary vendor-init exceptions for nfc_prop
and radio_prop as well.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: I468b8fd907c6408f51419cfb58eb2b8da29118ae
Merged-In: I468b8fd907c6408f51419cfb58eb2b8da29118ae
(cherry picked from commit 41e42d63fe)
2018-04-19 09:51:02 +09:00
Jaekyun Seok
41e42d63fe Neverallow unexpected domains to access bluetooth_prop and wifi_prop
And this CL will remove unnecessary vendor-init exceptions for nfc_prop
and radio_prop as well.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: I468b8fd907c6408f51419cfb58eb2b8da29118ae
2018-04-19 08:22:26 +09:00
Jaekyun Seok
a11b16c9ee Whitelist vendor-init-settable bluetooth_prop and wifi_prop
Values of the following properties are set by SoC vendors on some
devices including Pixels.
- persist.bluetooth.a2dp_offload.cap
- persist.bluetooth.a2dp_offload.enable
- persist.vendor.bluetooth.a2dp_offload.enable
- ro.bt.bdaddr_path
- wlan.driver.status

So they should be whitelisted for compatibility.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
Merged-In: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
(cherry picked from commit 224921d18a)
2018-04-13 11:08:48 +09:00
Jaekyun Seok
224921d18a Whitelist vendor-init-settable bluetooth_prop and wifi_prop
Values of the following properties are set by SoC vendors on some
devices including Pixels.
- persist.bluetooth.a2dp_offload.cap
- persist.bluetooth.a2dp_offload.enable
- persist.vendor.bluetooth.a2dp_offload.enable
- ro.bt.bdaddr_path
- wlan.driver.status

So they should be whitelisted for compatibility.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
2018-04-13 09:25:06 +09:00
Max Bires
5cac1aa99c Adding labeling for vendor security patch prop
This will allow adb shell getprop ro.vendor.build.security_patch to
properly return the correct build property, whereas previously it was
offlimits due to lack of label.

Test: adb shell getprop ro.vendor.build.security_patch successfully
returns whatever VENDOR_SECURITY_PATCH is defined to be in the Android
.mk files

Change-Id: Ie8427738125fc7f909ad8d51e4b76558f5544d49
2018-04-09 15:34:42 -07:00
Jaekyun Seok
7d3bd8dbc3 Allow vendor-init-settable to persist.radio.multisim.config
A default value of persist.radio.multisim.config can be set by SoC
vendors, and so vendor-init-settable should be allowed to it.

Bug: 73871799
Test: succeeded building and tested with taimen
Change-Id: Ie62b91e7e3d7e05425b742838417f1cab7b3fed4
Merged-In: Ie62b91e7e3d7e05425b742838417f1cab7b3fed4
(cherry picked from commit ac8c6e3d44)
2018-03-28 12:55:30 +09:00
Jaekyun Seok
ac8c6e3d44 Allow vendor-init-settable to persist.radio.multisim.config
A default value of persist.radio.multisim.config can be set by SoC
vendors, and so vendor-init-settable should be allowed to it.

Bug: 73871799
Test: succeeded building and tested with taimen
Change-Id: Ie62b91e7e3d7e05425b742838417f1cab7b3fed4
2018-03-27 13:41:47 +09:00
Primiano Tucci
4f673cf4a9 Revert "Allow system server to set persist.traced.enable"
This reverts commit 6f2040f873.

Reason for revert: not needed anymore after ag/3773705
This was meant to allow system_server toggling the property on/off.
Later we realized that we needed a separate property for that 
(see discussion in b/76077784) and system server happens to
have already permissions to write to sys.* properties even without
this CL.
Reverting because at this point this creates just unnecessary clutter.

Change-Id: Ia73d000aad3c4288a5652047dfe10896e231b0b1
Test: perfetto_integrationtests
Bug: 76077784
2018-03-26 17:48:11 +00:00
Hector Dearman
6f2040f873 Allow system server to set persist.traced.enable
To enable/disable the traced and traced_probes deamons remotely we would
like system server to be able to set persist.traced.enable.
See also ag/3736001.

Denial:
selinux: avc: denied { set } for
property=persist.traced.enable
pid=1606 uid=1000 gid=1000
scontext=u:r:system_server:s0
tcontext=u:object_r:default_prop:s0 tclass=property_service
permissive=0\x0a

Run:
$ adb shell 'ps -A | grep traced'
Should see traced.
$ adb shell 'settings put global sys_traced 0'
$ adb shell 'ps -A | grep traced'
Should no longer see traced.

Test: See above.
Change-Id: I245b7df3853cabeb0e75db41fb4facaa178ab8f1
2018-03-19 15:48:50 +00:00
Jaekyun Seok
6f3e73db05 Allow only public-readable to ro.secure and ro.adb.secure
Bug: 74866333
Test: succeeded building and tested with taimen
Change-Id: Id19fec168ab266e386ea4c710a4c5cedfc4df33c
Merged-In: Id19fec168ab266e386ea4c710a4c5cedfc4df33c
(cherry picked from commit 62acbce4a2)
2018-03-19 08:35:39 +09:00
Jaekyun Seok
62acbce4a2 Allow only public-readable to ro.secure and ro.adb.secure
Bug: 74866333
Test: succeeded building and tested with taimen
Change-Id: Id19fec168ab266e386ea4c710a4c5cedfc4df33c
2018-03-16 04:49:45 +00:00
Amit Mahajan
3007344dcd Revert "Revert "Move rild from public to vendor.""
This reverts commit 016f0a58a9.

Reason for revert: Was temporarily reverted, merging back in with fix.

Test: Basic telephony sanity, treehugger
Bug: 74486619
Bug: 36427227
Merged-in: Ide68726a90d5485c2758673079427407aee1e4f2
Change-Id: Ide68726a90d5485c2758673079427407aee1e4f2
(cherry picked from commit 312248ff72)
2018-03-12 13:13:39 -07:00
Amit Mahajan
58758dc222 Revert "Move rild from public to vendor."
This reverts commit aed57d4e4d.

Reason for revert: This CL is expected to break pre-submit tests (b/74486619)

Merged-in: I103c3faa1604fddc27b3b4602b587f2d733827b1
Change-Id: I0eb7a744e0d43ab15fc490e7e7c870d0f44e1401
2018-03-12 17:35:17 +00:00
Amit Mahajan
312248ff72 Revert "Revert "Move rild from public to vendor.""
This reverts commit 016f0a58a9.

Reason for revert: Was temporarily reverted, merging back in with fix.

Bug: 74486619
Bug: 36427227
Change-Id: Ide68726a90d5485c2758673079427407aee1e4f2
2018-03-12 17:12:53 +00:00
Jeffrey Vander Stoep
016f0a58a9 Revert "Move rild from public to vendor."
This reverts commit eeda6c6106.

Reason for revert: broken presubmit tests

Bug: 74486619
Change-Id: I103c3faa1604fddc27b3b4602b587f2d733827b1
2018-03-11 20:46:50 +00:00
Amit Mahajan
aed57d4e4d Move rild from public to vendor.
Also change the neverallow exceptions to be for hal_telephony_server
instead of rild.

Test: Basic telephony sanity, treehugger
Bug: 36427227
Merged-in: If892b28416d98ca1f9c241c5fcec70fbae35c82e
Change-Id: If892b28416d98ca1f9c241c5fcec70fbae35c82e
2018-03-10 00:10:16 +00:00
Amit Mahajan
eeda6c6106 Move rild from public to vendor.
Also change the neverallow exceptions to be for hal_telephony_server
instead of rild.

Test: Basic telephony sanity, treehugger
Bug: 36427227
Change-Id: If892b28416d98ca1f9c241c5fcec70fbae35c82e
2018-03-08 12:50:13 -08:00
Jaekyun Seok
64ade65d17 Add tests for compatible property (1/2)
The feature of compatible property has its own neverallow rules and it
is enforced on devices launchig with Android P.

This CL changes hal_nfc to hal_nfc_server in neverallow rules because
sepolicy-analyze doesn't recognize it. Additionally one more neverallow
rule is added to restrict reading nfc_prop.

Bug: 72013705
Bug: 72678352
Test: 'run cts -m CtsSecurityHostTestCases' on walleye with
ro.product.first_api_level=28

Change-Id: I753cc81f7ca0e4ad6a2434b2a047052678f57671
2018-02-06 03:06:21 +09:00
Jaekyun Seok
5205905568 Add neverallow rules to restrict reading radio_prop
This CL will allow only specific components to read radio_prop.

Bug: 72459527
Test: tested with walleye
Change-Id: I6b6c90870987de976187ff675005c5d964b48cda
2018-01-31 13:23:08 +09:00
Tom Cherry
eed2e84a95 Fix compatible property neverallows
The current neverallow rules for compatible properties restrict
domains from write file permissions to the various property files.
This however is the wrong restriction, since only init actually writes
to these property files.  The correct restriction is to restrict 'set'
for 'property_service' as this change does.

Note there is already a restriction preventing {domain -init} from
writing to these files in domain.te.

Test: build
Change-Id: I19e13b0d084a240185d0f3f5195e54065dc20e09
2018-01-25 10:35:50 -08:00
Jaekyun Seok
f9d27887eb Fix TODOs of duplicate property names for prefix and exact matching
Duplicate property names are supported now for prefix and exact
matching.

Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: Ifd9d32eaece7370d69f121e88d5541f7a2e34458
2018-01-16 22:41:04 +00:00