Commit graph

8335 commits

Author SHA1 Message Date
Jiyong Park
9eff8526b7 Merge "configstore: add selinux policy for configstore@1.0 hal" 2017-02-02 23:07:18 +00:00
Eugene Susla
b598b47f1a Merge "SELinux permissions for companion device system service" 2017-02-02 21:11:34 +00:00
Jiyong Park
ebec1aa2b7 configstore: add selinux policy for configstore@1.0 hal
This change adds selinux policy for configstore@1.0 hal. Currently, only
surfaceflinger has access to the HAL, but need to be widen.

Bug: 34314793
Test: build & run

Merged-In: I40e65032e9898ab5f412bfdb7745b43136d8e964
Change-Id: I40e65032e9898ab5f412bfdb7745b43136d8e964
(cherry picked from commit 5ff0f178ba)
2017-02-02 17:46:41 +09:00
Josh Gao
943d7ed51e crash_dump: dontaudit CAP_SYS_PTRACE denial.
Bug: http://b/34853272
Test: debuggerd -b `pidof zygote`
Change-Id: I0b18117754e77cfa94cf0b95aff32edb578b1a95
2017-02-01 17:56:07 -08:00
Josh Gao
4d140237b5 crash_dump: don't allow CAP_SYS_PTRACE or CAP_KILL.
Bug: http://b/34853272
Test: debuggerd -b `pidof system_server`
Change-Id: I4c08efb9dfcc8610143f722ae0674578a2ed6869
2017-02-01 17:56:07 -08:00
Max Bires
3171829af3 Removing init and ueventd access to generic char files
There are many character files that are unreachable to all processes
under selinux policies. Ueventd and init were the only two domains that
had access to these generic character files, but auditing proved there
was no use for that access. In light of this, access is being completely
revoked so that the device nodes can be removed, and a neverallow is
being audited to prevent future regressions.

Test: The device boots
Bug: 33347297
Change-Id: If050693e5e5a65533f3d909382e40f9c6b85f61c
2017-02-01 21:35:08 +00:00
Mark Salyzyn
542a46267f Merge "logd: add getEventTag command and service" 2017-02-01 21:24:06 +00:00
Eugene Susla
3411dfb6b0 SELinux permissions for companion device system service
Required for I0aeb653afd65e4adead13ea9c7248ec20971b04a

Test: Together with I0aeb653afd65e4adead13ea9c7248ec20971b04a, ensure that the
system service works
Bug: b/30932767
Change-Id: I994b1c74763c073e95d84222e29bfff5483c6a07
2017-02-01 13:07:17 -08:00
Calin Juravle
01ee59a7b4 Remove SElinux audit to libart_file
Since it was introduced it caused quite a few issues and it spams the
SElinux logs unnecessary.

The end goal of the audit was to whitelist the access to the
interpreter. However that's unfeasible for now given the complexity.

Test: devices boots and everything works as expected
      no more auditallow logs

Bug: 29795519
Bug: 32871170
Change-Id: I9a7a65835e1e1d3f81be635bed2a3acf75a264f6
2017-01-31 23:43:14 +00:00
Alex Klyubin
9e90f83e7b Merge "Device-agnostic policy for vendor image" 2017-01-31 21:29:10 +00:00
Mark Salyzyn
384ce66246 logd: add getEventTag command and service
The event log tag service uses /dev/event-log-tags, pstore and
/data/misc/logd/event-log-tags as sticky storage for the invented
log tags.

Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests
Bug: 31456426
Change-Id: Iacc8f36f4a716d4da8dca78a4a54600ad2a288dd
2017-01-31 15:50:42 +00:00
Mark Salyzyn
d33a9a194b logd: restrict access to /dev/event-log-tags
Create an event_log_tags_file label and use it for
/dev/event-log-tags.  Only trusted system log readers are allowed
direct read access to this file, no write access.  Untrusted domain
requests lack direct access, and are thus checked for credentials via
the "plan b" long path socket to the event log tag service.

Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests
Bug: 31456426
Bug: 30566487
Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
2017-01-31 15:50:15 +00:00
Alex Klyubin
5596172d23 Device-agnostic policy for vendor image
Default HAL implementations are built from the platform tree and get
placed into the vendor image. The SELinux rules needed for these HAL
implementations to operate thus need to reside on the vendor
partition.

Up to now, the only place to define such rules in the source tree was
the system/sepolicy/public directory. These rules are placed into the
vendor partition. Unfortunately, they are also placed into the
system/root partition, which thus unnecessarily grants these rules to
all HAL implementations of the specified service, default/in-process
shims or not.

This commit adds a new directory, system/sepolicy/vendor, whose
rules are concatenated with the device-specific rules at build time.
These rules are thus placed into the vendor partition and are not
placed into the system/root partition.

Test: No change to SELinux policy.
Test: Rules placed into vendor directory end up in nonplat* artefacts,
      but not in plat* artefacts.
Bug: 34715716
Change-Id: Iab14aa7a3311ed6d53afff673e5d112428941f1c
2017-01-30 18:48:17 -08:00
Treehugger Robot
04641948c0 Merge "recovery: Allow accessing sysfs_leds." 2017-01-31 00:52:06 +00:00
Treehugger Robot
81a73508be Merge "Camera: grant system file perm for Treble" 2017-01-31 00:45:52 +00:00
Alex Klyubin
29f1e21d31 Merge "Remove hal_light from system_server domain" 2017-01-30 23:11:01 +00:00
Yin-Chia Yeh
8a6d397f48 Camera: grant system file perm for Treble
Test: Google Camera app working
Bug: 34786432
Change-Id: Ie14ac8a58a331f96a56fb6fc09318e2d737c4076
2017-01-30 14:52:21 -08:00
Tao Bao
f0f4db9f01 recovery: Allow accessing sysfs_leds.
Bug: 34077703
Test: recovery image can set the backlight brightness.
Change-Id: I34d72e1a0e959c2d9f48b3b9c55c4eb2d1cc41bf
2017-01-30 14:25:32 -08:00
Sandeep Patil
a86316e852 property_context: split into platform and non-platform components.
Bug: 33746484
Test: Successfully boot with original service and property contexts.
      Successfully boot with split serivce and property contexts.

Change-Id: I87f95292b5860283efb2081b2223e607a52fed04
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-01-29 21:09:11 +00:00
Janis Danisevskis
e8acd7695b Preliminary policy for hal_keymaster (TREBLE)
This adds the premissions required for
android.hardware.keymaster@2.0-service to access the keymaster TA
as well as for keystore and vold to lookup and use
android.hardware.keymaster@2.0-service.

IT DOES NOT remove the privileges from keystore and vold to access
the keymaster TA directly.

Test: Run keystore CTS tests
Bug: 32020919

(cherry picked from commit 5090d6f324)

Change-Id: Ib02682da26e2dbcabd81bc23169f9bd0e832eb19
2017-01-27 15:02:57 -08:00
Alex Klyubin
384a73deb2 Remove hal_light from system_server domain
HAL clients should not be annotated with hal_x and haldomain. This may
grant them too much access. Instead, the policy needed for using
in-process HALs should be directly embedded into the client's domain
rules.

Test: Boot sailfish, adjust screen brightness from the system UI, no
      SELinux denials for system_server to do with sysfs_leds.
Bug: 34715716

Change-Id: Iccb4224d770583e3c38930e8562723d57d283077
2017-01-27 11:09:14 -08:00
Alex Klyubin
a7653ee2ed Move webview_zygote policy to private
This leaves only the existence of webview_zygote domain and its
executable's webview_zygote_exec file label as public API. All other
rules are implementation details of this domain's policy and are thus
now private.

Test: Device boots, with Multiproces WebView developer setting
      enabled, apps with WebView work fine. No new denials.
Bug: 31364497

Change-Id: I179476c43a50863ee3b327fc5155847d992a040d
2017-01-27 17:01:43 +00:00
Treehugger Robot
deefb43328 Merge "sepolicy for usb hal" 2017-01-27 01:40:46 +00:00
Treehugger Robot
aa10429b6c Merge "Dumpstate: hwbinder_use" 2017-01-27 00:25:48 +00:00
Badhri Jagan Sridharan
ae206f1623 sepolicy for usb hal
Bug: 31015010

cherry-pick from b6e4d4bdf1

Test: checked for selinux denial msgs in the dmesg logs.
Change-Id: I8285ea05162ea0d75459e873e5c2bad2dbc7e5ba
2017-01-27 00:05:19 +00:00
Treehugger Robot
6d26506cb6 Merge "Fix cleanspec for property_contexts" 2017-01-26 23:45:00 +00:00
Steven Moreland
ba68f5547e Dumpstate: hwbinder_use
Dumpstate needs the hwbinder_use permission in order to talk to hardware
services.

Bug: 34709307
Test: no denials submitting bugreport
Change-Id: Ic51da5371cd346c0fa9fb3881a47adaf53c93566
2017-01-26 15:00:21 -08:00
Sandeep Patil
4ca1f427b9 Fix cleanspec for property_contexts
The CLs that split the property_contexts at
topic:prop_ctx_split status:merged broke incremental build,
which was later fixed in I22ecd1d3698404df352263fa99b56cb65247a23b.

The prop_ctx CLs were later reverted due to updater breakage as in
b/34370523. So, this change adds the property_contexts clean steps
to fix the incremental builds

Change-Id: Ic32b144dbfada3a6c34f9502099220e7e3c63682
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-01-26 13:38:30 -08:00
Alex Klyubin
966efedec8 Move zygote policy to private
This leaves only the existence of zygote domain and its
executable's zygote_exec file label as public API. All other rules are
implementation details of this domain's policy and are thus now
private.

Test: Device boot, apps (untrusted_app, system_app, platform_app,
      priv_app) work fine. No new denials.
Bug: 31364497
Change-Id: Ie37128531be841b89ecd602992d83d77e26533bc
2017-01-26 13:31:16 -08:00
Alex Klyubin
8429a331aa Move appdomain policy to private
This leaves only the existence of appdomain attribute as public API.
All other rules are implementation details of this attribute's policy
and are thus now private.

Test: Device boot, apps (untrusted_app, system_app, platform_app,
      priv_app) work fine. No new denials.
Bug: 31364497

Change-Id: Ie22e35bad3307bb9918318c3d034f1433d51677f
2017-01-26 11:26:49 -08:00
Alex Klyubin
6fe344e350 Remove hal_gatekeeper from gatekeeperd domain
HAL clients should not be annotated with hal_x and haldomain. This may
grant them too much access. Instead, the policy needed for using
in-process HALs should be directly embedded into the client's domain
rules.

This partially reverts the moving of rules out of gatekeeperd in
commit a9ce208680.

Test: Set up PIN-protected secure lock screen, unlock screen, reboot,
      unlock. No SELinux denials in gatekeeperd or hal_gatekeeper*.
Bug: 34715716
Change-Id: If87c865461580ff861e7e228a96d315d319e1765
2017-01-26 07:17:51 -08:00
Steven Moreland
cd597cd52a property: add persist.hal.binderization
- Added set_prop to shell so that you can set it from shell.
- Added set_prop to sytem_app so that it can be updated in settings.

Bug: 34256441
Test: can update prop from Settings and shell. nfc and lights work with
ag/1833821 with persist.hal.binderization set to on and off. There are
no additional selinux denials.
Change-Id: I883ca489093c1d56b2efa725c58e6e3f3b81c3aa
2017-01-26 06:06:24 +00:00
William Roberts
606d2fd665 te_macros: introduce add_service() macro
Introduce the add_service() macro which wraps up add/find
permissions for the source domain with a neverallow preventing
others from adding it. Only a particular domain should
add a particular service.

Use the add_service() macro to automatically add a neverallow
that prevents other domains from adding the service.

mediadrmserver was adding services labeled mediaserver_service.
Drop the add permission as it should just need the find
permission.

Additionally, the macro adds the { add find } permission which
causes some existing neverallow's to assert. Adjust those
neverallow's so "self" can always find.

Test: compile and run on hikey and emulator. No new denials were
found, and all services, where applicable, seem to be running OK.

Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-01-26 04:43:16 +00:00
Alex Klyubin
4106507226 Merge "Remove hal_drm from mediadrmserver domain" 2017-01-26 04:40:55 +00:00
Treehugger Robot
4118516109 Merge "Modular DRM for MediaPlayer" 2017-01-26 01:03:13 +00:00
Alex Klyubin
5bfda51eeb Remove hal_drm from mediadrmserver domain
HAL clients should not be annotated with hal_x and haldomain. This may
grant them too much access. Instead, the policy needed for using
in-process HALs should be directly embedded into the client's domain
rules.

This reverts the moving of rules out of mediadrmserver in commit
c86f42b9a7.

Test: YouTube videos play back, no mediadrmserver denials
Bug: 34715716
Bug: 32815560
Change-Id: Ib57ef880bcc306c6e01f2c24c0f3a4298598eb9a
2017-01-25 15:43:33 -08:00
Hassan Shojania
8101bad7f2 Modular DRM for MediaPlayer
Bug:    34559906
Test:	Manual through the test app
Change-Id: Ib69d4fe6b0e21f162f08cea061260c683e4b8c9b
2017-01-25 12:26:37 -08:00
Jeff Tinker
c86f42b9a7 Add sepolicy for drm HALs
bug:32815560
Change-Id: I494141b47fcd2e7e0cc02aa58d8df9a222060b3f
2017-01-25 11:21:03 -08:00
Treehugger Robot
f65641e989 Merge "racoon: Add SIOCSIFNETMASK" 2017-01-25 17:08:53 +00:00
Treehugger Robot
727e543f77 Merge "haldomain: search for passthrough hals" 2017-01-25 02:47:41 +00:00
Nick Kralevich
a675ca60a4 racoon: Add SIOCSIFNETMASK
XAUTH based VPNs
1. IPSec XAUTH PSK
2. IPSec XAUTH RSA
fail with the following error from racoon

  01-24 16:46:05.583 18712 18712 W ip-up-vpn: type=1400 audit(0.0:390):
  avc: denied { ioctl } for path="socket:[954683]" dev="sockfs" ino=954683
  ioctlcmd=891c scontext=u:r:racoon:s0 tcontext=u:r:racoon:s0
  tclass=udp_socket permissive=0

"setenforce 0" on the device fixed the issue.

Bug: 34690009
Test: Policy compiles
Change-Id: Idc0d156ec32e7a9be3825c380c3cb0359fe4fabe
2017-01-24 17:12:58 -08:00
Ray Essick
391854000a rename mediaanalytics->mediametrics, wider access
reflect the change from "mediaanalytics" to "mediametrics"

Also incorporates a broader access to the service -- e.g. anyone.
This reflects that a number of metrics submissions come from application
space and not only from our controlled, trusted media related processes.
The metrics service (in another commit) checks on the source of any
incoming metrics data and limits what is allowed from unprivileged
clients.

Bug: 34615027
Test: clean build, service running and accessible
Change-Id: I657c343ea1faed536c3ee1940f1e7a178e813a42
2017-01-24 16:57:19 -08:00
Steven Moreland
18d7f8c1b8 haldomain: search for passthrough hals
Bug: 34366227
Test: passthrough services successfully found
Change-Id: If2cad09edc42f01cc5a444229758ecdfe2017cf2
2017-01-24 16:41:00 -08:00
Calin Juravle
9559550791 Merge "SElinux policies for compiling secondary dex files" 2017-01-25 00:33:03 +00:00
Calin Juravle
e5a1f64a2e SElinux policies for compiling secondary dex files
This CLs adds SElinux policies necessary to compile secondary dex files.

When an app loads secondary dex files via the base class loader the
files will get reported to PM. During maintance mode PM will compile the
secondary dex files which were used via the standard installd model
(fork, exec, change uid and lower capabilities).

What is needed:
dexoptanalyzer - needs to read the dex file and the boot image in order
to decide if we need to actually comppile.
dex2oat - needs to be able to create *.oat files next to the secondary
dex files.

Test: devices boots
      compilation of secondary dex files works without selinux denials
      cmd package compile --secondary-dex -f -m speed
com.google.android.gms

Bug: 32871170
Change-Id: I038955b5bc9a72d49f6c24c1cb76276e0f53dc45
2017-01-24 14:28:07 -08:00
Max Bires
50e7d0f597 Merge "Adding a neverallow rule to prevent renaming of device and char files" 2017-01-24 22:27:33 +00:00
Steven Moreland
2ec9184e79 Merge "update_verifier: read dir perms" 2017-01-24 21:10:44 +00:00
Steven Moreland
bafa38e0ce update_verifier: read dir perms
Allow update_verifier to load the boot_control_hal in passthrough mode.

Test: update_verifier works, no denials
Bug: 34656553
Change-Id: I5c20ce67c8f1fd195f2429dae497221514ed95a8
2017-01-24 20:45:18 +00:00
Treehugger Robot
e996d1770d Merge "system_server: add hal_lights permission" 2017-01-24 18:53:27 +00:00
Steven Moreland
0223ca51f9 system_server: add hal_lights permission
system_server needs the permissions to open the lights hal in the same
process.

Bug: 34634317
Test: can change brightness on marlin (tested on internal master)
Change-Id: I11fe59b4ab32e13d6dad246f4e6c56951e051181
2017-01-24 10:19:30 -08:00