Addresses the following denial:
avc: denied { read } for name="cache" dev="dm-0" ino=2755
scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_file:s0
tclass=lnk_file permissive=0
which occurs when a priv-app attempts to follow the /cache symlink. This
symlink occurs on devices which don't have a /cache partition, but
rather symlink /cache to /data/cache.
Bug: 34644911
Test: Policy compiles.
Change-Id: I9e052aeb0c98bac74fa9225b9253b1537ffa5adc
This neverallow addition addresses the renaming of files in exploits in
order to bypass denied permissions. An example of a similar use case of
using mv to bypass permission denials appeared in a recent project zero
ChromeOS exploit as one of the steps in the exploit chain.
https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
Additionally, vold and init both had permission sets that allowed them
to rename, but neither of them seem to need it. Therefore the rename
permission has also been removed from these two .te files.
Test: The device boots successfully
Change-Id: I07bbb58f058bf050f269b083e836c2c9a5bbad80
auditallow this until we track down where the file is opened without
O_APPEND.
01-23 08:02:12.272 555 555 W tombstoned: type=1400 audit(0.0:11480): avc: denied { write } for path="/data/anr/traces.txt" dev="sda35" ino=4669445 scontext=u:r:tombstoned:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file permissive=0
Bug: http://b/34193533
Test: mma
Change-Id: I77b854dce06231232004432839ebd5aa963ef035
Delete rule for permission_service since we use packages.list instead.
Test: adb shell storaged -u
Bug: 34198239
Change-Id: Ic69d0fe185e627a932bbf8e85fc13163077bbe6b
In order to dump hardware services using dumpsys, dumpsys needs to be
able to talk to the hwservicemanager.
Bug: 33382892
Test: dumpsys --hw works from unrooted shell
Change-Id: I31f0982193991428da465507f93d50646cb38726
Test: Device boots
Can take photos
Run "adb shell atrace -c -b 16000 -t 5 gfx" without root and check produces
output
Run "python systrace.py view gfx freq sched am wm dalvik
binder_driver" from external/chromium-trace after adb root and
check populated
Bug: 31856701
Change-Id: Ic319f8a0a3e395efa7ee8ba33a868ac55cb44fe4
In my commit f41d89eb24 I forgot to
switch rild and gatekeeperd rules from explicitly associating these
domains with the hal_telephony and hal_gatekeeper to using the
hal_impl_domain macro. As a result, the recent commit
a25192262b inadvertently revoked
HwBinder access from rild and gatekeeperd.
This commit fixes the issue by switching rild and gatekeeperd to the
hal_impl_domain macro.
Test: "sepolicy-analyze out/target/product/bullhead/root/sepolicy attribute haldomain"
now lists rild and gatekeeperd
Test: "sepolicy-analyze out/target/product/bullhead/root/sepolicy attribute hal_telephony"
still lists rild
Test: "sepolicy-analyze out/target/product/bullhead/root/sepolicy attribute hal_gatekeeper"
still lists gatekeeperd
Bug: 34180936
Bug: 34470443
Change-Id: I7949556f58c36811205d5ea3ee78ea5708e95b45
wificond_service is not a system_server service, so drop the
typeattribute.
Provide find permission for system_server so it can still call
wificond.
Test: compile and run on emulator. Also check built policy to verify
the permissions changes are as expected. system_server should have lost
the add permissions on wificond_service. Most importantly this needs
to be tested on a device with wificond.
Change-Id: I6dd655a5ac1dbfef809b8759a86429557a7c1207
Signed-off-by: William Roberts <william.c.roberts@intel.com>
As of https://android-review.googlesource.com/324092, ephemeral_app is
now an appdomain, so places where both appdomain and ephemeral_app are
granted the same set of rules can be deleted.
Test: policy compiles.
Change-Id: Ideee710ea47af7303e5eb3af1331653afa698415
This fixes the following issues introduced in commit
d225b6979d:
* plat_file_contexts was empty because the target was referencing
system/sepolicy/private/file_contexts via a misspelled variable
name.
* plat_file_contexts wasn't marked as dirty and thus wasn't rebuilt
when system/sepolicy/private/file_contexts changed. This is because
the file_contexts dependency was referenced via a misspelled
variable name.
* plat_file_contexts wasn't sorted (as opposed to other similar
targets, such as nonplat_file_contexts and file_contexts.bin). This
may lead to unnecessary non-determinism.
* nonplat_file_contexts wasn't marked dirty and thus wasn't rebuilt
when device-specific file_contexts file(s) changed. This is because
the file_contexts files were referenced via a misspelled variable
name.
Test: "make plat_file_contexts" produces a non-empty file containing
mappings from system/sepolicy/private/file_contexts
Test: "make plat_file_contexts" updates output when
system/sepolicy/private/file_contexts changes
Test: "make plat_file_contexts" produces output which is sorted
accroding to rules in fc_sort
Test: "make nonplat_file_contexts" updates output when
device/lge/bullhead/sepolicy/file_contexts changes (tested on
aosp_bullhead-eng)
Bug: 31363362
Change-Id: I540555651103f02c96cf958bb93618f600e47a75
wificond is a system_server service used by wifi, wifi doesnt start now
This reverts commit b68a0149c3.
Change-Id: If958c852e5d8adf8e8d82346554d2d6b3e8306c9
/sys/class/leds is the standard location for linux files dealing with
leds, however the exact contents of this directory is non-standard
(hence the need for a hal).
Bug: 32022100
Test: compiles and works for the subset of common files
Change-Id: I7571d7267d5ed531c4cf95599d5f2acc22287ef4
wificond_service is not a system_server service, so drop the
typeattribute.
Test: compile
Change-Id: Ic212dd2c8bc897fbdc13ca33a9864ac8d4e68732
Signed-off-by: William Roberts <william.c.roberts@intel.com>
This fixes a bug introduced in the HIDL port where fingerprint no
longer notifies keystore of authentications.
Test: keyguard, FingerprintDialog
Fixes bug 34200870
Change-Id: I8b1aef9469ff4f4218573a6cde4c3a151512c226
Ephemeral apps cannot open files from external storage, but can be given
access to files via the file picker.
Test: ACTION_OPEN_DOCUMENTS from an ephemeral app returns a readable fd.
Change-Id: Ie21b64a9633eff258be254b9cd86f282db1509e8
Ephemeral apps are still apps with very similar capabilities, it makes
more sense to have them under appdomain and benefit from the shared
state (and all the neverallow rules) than to try and dupplicate them and
keep them in sync.
This is an initial move, there are parts of ephemeral_app that still
need to be locked down further and some parts of appdomain that should
be pushed down into the various app domains.
Test: Builds, ephemeral apps work without denials.
Change-Id: I1526b2c2aa783a91fbf6543ac7f6d0d9906d70af
After checking the auditallow logs for the rule being monitored, it's
clear that the rule is not in use and can be removed. All unused rules
should be removed, as they present needless additional attack vectors.
Test: The device boots.
Change-Id: Ie9e060c4d134212e01309a536ac052851e408320
There were some auditallow rules left around in rild.te that had logs
showing nothing was triggering them. Thus the rules they were auditing
could be removed, as that's clear indication there's no use for them.
Having rules around that aren't being used does nothing except increase
attack surface and bloat sepolicy, and so should always be removed if
possible.
Test: The device boots
Change-Id: I906ffc493807fbae90593548d478643cda4864eb
Revise policy, to allow init and system_server to configure,
clear, and read kernel trace events. This will enable us to
debug certain WiFi failures.
Note that system_server is restricted to only accessing
a wifi-specific trace instance. (Hence, system_server is
not allowed to interfere with atrace.) Moreover, even for
the wifi trace instance, system_server is granted limited
permissions. (system_server can not, e.g., change which
events are traced.)
Note also that init and system_server are only granted these
powers on userdebug or eng builds.
The init.te and system_server.te changes resolve the
following denials:
// Denials when wifi-events.rc configures tracing
{ write } for pid=1 comm="init" name="instances" dev="debugfs" ino=755 scontext=u:r:init:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1
{ add_name } for pid=1 comm="init" name="wifi" scontext=u:r:init:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1
{ create } for pid=1 comm="init" name="wifi" scontext=u:r:init:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1
{ write } for pid=1 comm="init" name="tracing_on" dev="debugfs" ino=18067 scontext=u:r:init:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ write } for pid=1 comm="init" name="buffer_size_kb" dev="debugfs" ino=18061 scontext=u:r:init:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=file permissive=1
// Denials when system_server sets up fail-safe
// (auto-terminate tracing if system_server dies)
{ search } for pid=882 comm="system_server" name="instances" dev="debugfs" ino=755 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1
{ read } for pid=882 comm="system_server" name="free_buffer" dev="debugfs" ino=18063 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ open } for pid=882 comm="system_server" path="/sys/kernel/debug/tracing/instances/wifi/free_buffer" dev="debugfs" ino=18063 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ getattr } for pid=882 comm="system_server" path="/sys/kernel/debug/tracing/instances/wifi/free_buffer" dev="debugfs" ino=18063 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
// Denials when system_server toggles tracing on or off
// (WifiStateMachine is a thread in system_server)
{ search } for pid=989 comm="WifiStateMachin" name="instances" dev="debugfs" ino=755 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1
{ write } for pid=989 comm="WifiStateMachin" name="tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ open } for pid=989 comm="WifiStateMachin" path="/sys/kernel/debug/tracing/instances/wifi/tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ getattr } for pid=989 comm="WifiStateMachin" path="/sys/kernel/debug/tracing/instances/wifi/tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ write } for pid=989 comm="WifiStateMachin" name="tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ open } for pid=989 comm="WifiStateMachin" path="/sys/kernel/debug/tracing/instances/wifi/tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ getattr } for pid=989 comm="WifiStateMachin" path="/sys/kernel/debug/tracing/instances/wifi/tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
// Denials when system_server reads the event trace
// (This happens in response to a dumpsys request)
{ search } for pid=3537 comm="Binder:882_B" name="instances" dev="debugfs" ino=755 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1
{ read } for pid=3537 comm="Binder:882_B" name="trace" dev="debugfs" ino=18059 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ open } for pid=3537 comm="Binder:882_B" path="/sys/kernel/debug/tracing/instances/wifi/trace" dev="debugfs" ino=18059 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ getattr } for pid=3537 comm="Binder:882_B" path="/sys/kernel/debug/tracing/instances/wifi/trace" dev="debugfs" ino=18059 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ write } for pid=3537 comm="Binder:882_B" name="trace" dev="debugfs" ino=18059 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
Bug: 27254565
Test: manual
Manual test:
- Build this CL along with CL:322337
- Verify that system boots, and that we can connect to GoogleGuest.
(Testing of actual trace functionality with require some more
patches in frameworks/opt/net/wifi.)
$ adb root && adb shell dmesg | egrep 'avc: denied.+debugfs'
Change-Id: Ib6eb4116549277f85bd510d25fb30200f1752f4d
Replace the global debuggerd with a per-process debugging helper that
gets exec'ed by the process that crashed.
Bug: http://b/30705528
Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>`
Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed
- Allow cameraservice to talk to hwbinder, hwservicemanager
- Allow hal_camera to talk to the same interfaces as cameraservice
Test: Compiles, confirmed that cameraservice can call hwservicemanager
Bug: 32991422
Change-Id: Ied0a3f5f7149e29c468a13887510c78d555dcb2a
New procfs file read by storaged to dump fg/bg IO usage.
Remove kmsg rule since it's no longer used by storaged.
Allow storaged to find permission_service to translate UID
to package name.
Test: adb shell storaged -u
Bug: 34198239
Change-Id: I74654662c75571cbe166cf2b8cbab84828218cbd
Some recent CLs changed the list of files that are installed in the
root directory. Incremental builds have no way to uninstall files
that were previously installed, which results in old stray files lying
around. If the root directory is contained in system.img, this causes
an error while building system.img:
error: build_directory_structure: cannot lookup security context for /service_contexts
Update CleanSpec.mk to remove files obsoleted by:
Ide67d37d85273c60b9e387e72fbeb87be6da306a
I7881af8922834dc69b37dae3b06d921e05206564
Ide67d37d85273c60b9e387e72fbeb87be6da306a
This is not seen on the incremental build servers because they run
make installclean between builds.
Test: incremental build passes
Change-Id: I22ecd1d3698404df352263fa99b56cb65247a23b
