Commit graph

49 commits

Author SHA1 Message Date
Florian Mayer
6c689e8438 Allow shell and adb to read tombstones
tombstones are now openable by these domains:

allow adbd tombstone_data_file:dir { getattr ioctl lock open read search watch watch_reads };
allow adbd tombstone_data_file:file { getattr ioctl lock map open read watch watch_reads };
allow dumpstate tombstone_data_file:dir { getattr ioctl lock open read search watch watch_reads };
allow dumpstate tombstone_data_file:file { getattr ioctl lock map open read watch watch_reads };
allow init tombstone_data_file:dir { add_name create getattr ioctl open read relabelfrom relabelto remove_name rmdir search setattr write };
allow init tombstone_data_file:fifo_file { create getattr open read relabelfrom relabelto setattr unlink };
allow init tombstone_data_file:file { create getattr map open read relabelfrom relabelto setattr unlink write };
allow init tombstone_data_file:sock_file { create getattr open read relabelfrom relabelto setattr unlink };
allow shell tombstone_data_file:dir { getattr ioctl lock open read search watch watch_reads };
allow shell tombstone_data_file:file { getattr ioctl lock map open read watch watch_reads };
allow system_server tombstone_data_file:dir { add_name getattr ioctl lock open read remove_name search watch watch_reads write };
allow system_server tombstone_data_file:file { append create getattr ioctl lock map open read rename setattr unlink watch watch_reads write };
allow tombstoned tombstone_data_file:dir { add_name getattr ioctl lock open read remove_name search watch watch_reads write };
allow tombstoned tombstone_data_file:file { append create getattr ioctl link lock map open read rename setattr unlink watch watch_reads write };

Test: adb unroot, ls, cat, adb pull
Bug: 312740614
Change-Id: I4a1af4fbdc48c5c5f4b0b33f124cea31af74dd87
2024-02-23 15:44:20 -08:00
Yuyang Huang
cfdea5f4f3 Blocks untrusted apps to access /dev/socket/mdnsd from U
The untrusted apps should not directly access /dev/socket/mdnsd since
API level 34 (U). Only adbd and netd should remain to have access to
/dev/socket/mdnsd. For untrusted apps running with API level 33-, they
still have access to /dev/socket/mdnsd for backward compatibility.

Bug: 265364111
Test: Manual test
Change-Id: Id37998fcb9379fda6917782b0eaee29cd3c51525
2023-01-20 15:25:46 +09:00
Jason Macnak
a93398051c Adds GPU sepolicy to support devices with DRM gralloc/rendering
... such as Cuttlefish (Cloud Android virtual device) which has a
DRM virtio-gpu based gralloc and (sometimes) DRM virtio-gpu based
rendering (when forwarding rendering commands to the host machine
with Mesa3D in the guest and virglrenderer on the host).

After this change is submitted, changes such as aosp/1997572 can
be submitted to removed sepolicy that is currently duplicated
across device/google/cuttlefish and device/linaro/dragonboard as
well.

Adds a sysfs_gpu type (existing replicated sysfs_gpu definitions
across several devices are removed in the attached topic). The
uses of `sysfs_gpu:file` comes from Mesa using libdrm's
`drmGetDevices2()` which calls into `drmParsePciDeviceInfo()` to
get vendor id, device id, version etc.

Bug: b/161819018
Test: launch_cvd
Test: launch_cvd --gpu_mode=gfxstream
Change-Id: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
Merged-In: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
2022-04-18 17:30:56 -07:00
Gregory Montoir
0e1044ae8f Allow adbd to access /proc/net/{tcp,tcp6,udp,udp6}
File accesses go through com.android.ddmlib.SyncService for CTS
ListeningPortsTest.

Bug: 193151739
Change-Id: I0c66fb5e35cda3b1799cf003402e454d7a951e96
2021-09-09 14:31:15 +08:00
Thiébaud Weksteen
9ec532752d Add fusefs_type for FUSE filesystems
Any FUSE filesystem will receive the 'fuse' type when mounted. It is
possible to change this behaviour by specifying the "context=" or
"fscontext=" option in mount().

Because 'fuse' has historically been used only for the emulated storage,
it also received the 'sdcard_type' attribute. Replace the 'sdcard_type'
attribute from 'fuse' with the new 'fusefs_type'. This attribute can be
attached on derived types (such as app_fusefs).

This change:
- Remove the neverallow restriction on this new type. This means any
  custom FUSE implementation can be mounted/unmounted (if the correct
  allow rule is added). See domain.te.
- Change the attribute of 'fuse' from 'sdcard_type' to 'fusefs_type'.
  See file.te.
- Modify all references to 'sdcard_type' to explicitly include 'fuse'
  for compatibility reason.

Bug: 177481425
Bug: 190804537
Test: Build and boot aosp_cf_x86_64_phone-userdebug
Change-Id: Id4e410a049f72647accd4c3cf43eaa55e94c318f
2021-06-28 13:18:46 +02:00
Nikita Ioffe
681ad260b4 Give adbd and shell read access to /apex/apex-info-list.xml
/apex/apex-info-list.xml is used by ART mainline module, hence it needs
to have CTS test for it. Giving adbd and shell read-only permission
allows us to write host-driven CTS test that pull
/apex/apex-info-list.xml from the device and inspects it's content.

Similar (albeit not exactly the same information) is already available
via PackageManager APIs/PackageManager shell command.

Bug: 190185664
Test: m
Test: adb shell cat /apex/apex-info-list.xml
Change-Id: Ib7f2ca79a7493f8cd40d0c419569e85135f6bbda
2021-06-10 19:57:17 +01:00
satayev
e3571ab94d Allow adb to pull jar files from /vendor/framework/.
Bug: 187823488
Bug: 189417875
Test: atest GtsEdiHostTestCases in sc-dev
Change-Id: I8e1fa1682fb042d995585b4841cff97f32c4a09f
2021-06-02 14:18:56 +01:00
Nikita Ioffe
17bd4dda4a Allow adbd to pull apexes from /data/apex/active
Test: adb pull /data/apex/active/com.android.apex.cts.shim@v2.apex
Bug: 184886365
Change-Id: Ibaac390a99e65a8b388d3c62761d96ec8f8e0846
2021-04-12 23:34:31 +00:00
Inseob Kim
1ed26880cb Allow adbd to use vsock_socket
To allow microdroid's adbd connection to be forwarded, adbd should be
able to use vsock.

Bug: 181747352
Test: try to connect adb to microdroid after turning on selinux
Change-Id: Ia6662d5a028a82c8bbafa6c21da821e9a1144bdc
2021-03-29 14:04:21 +09:00
Josh Gao
0cac6fd17a Let adbd set service.adb.tcp.port.
Commit 67c36884 changed the label of service.adb.tcp.port to allow
vendor init to set it, but accidentally prevented adbd from setting it,
which broke `adb tcpip`.

Bug: http://b/171280882
Test: `adb tcpip`
Change-Id: I154e2f43a4d3b72b27508ce02d66298673939738
2020-11-06 13:08:04 -08:00
Jooyung Han
966d0445d9 Allow adbd to pull /vendor/apex files
These files are required by CTS tests.

Bug: 168540056
Bug: 170202980
Test: ApexSignatureVerificationTest
Change-Id: Ia88517d55003b67efaa94f500e3619bcacc91d80
2020-10-29 22:09:44 +09:00
Primiano Tucci
512bdb9c1b Create directory for shell<>perfetto interaction
Users are unable to pass config files directly to
perfetto via `perfetto -c /path/to/config` and have to
resort to awkward quirks like `cat config | perfetto -c -'.
This is because /system/bin/perfetto runs in its own SELinux
domain for reasons explained in the bug.
This causes problem to test infrastructures authors. Instead
of allowing the use of /data/local/tmp which is too ill-scoped
we create a dedicated folder and allow only shell and perfetto
to operate on it.

Bug: 170404111
Test: manual, see aosp/1459023
Change-Id: I6fefe066f93f1f389c6f45bd18214f8e8b07079e
2020-10-13 21:27:27 +00:00
Hongguang Chen
67c3688497 Allow vendor_init to set service.adb.tcp.port
adbd and apps (SystemUI and CTS test apps) need to read it.

BUG: 162205386
Test: Connect to device which sets service.adb.tcp.port in vendor
      partition through TCP adb.

Change-Id: Ia37dd0dd3239381feb2a4484179a0c7847166b29
2020-07-28 02:13:03 +00:00
Inseob Kim
bfb3708234 Rename contexts of ffs props
Bug: 71814576
Bug: 154885206
Test: m sepolicy_test
Change-Id: Idacc3635851b14b833bccca177d784f4bb92c763
2020-05-11 21:23:37 +09:00
Ryan Savitski
5f1f1b6a7a perfetto: minor quality of life tweaks
Change 1: when running the "perfetto" binary via "adb shell
perfetto...", ctrl-Cing the host process doesn't propagate the teardown
to the on-device process (which normally should stop the tracing session
immediately). Allow signals adbd->perfetto to resolve.

Change 2: don't print audit logs for a harmless isatty() check on adb
sockets when they're the stderr of a "perfetto" process.

Example denials from the isatty() check (ioctl is TCGETS):

avc: denied { getattr } for path="socket:[244990]" dev="sockfs"
ino=244990 scontext=u:r:perfetto:s0 tcontext=u:r:adbd:s0
tclass=unix_stream_socket permissive=0
avc: denied { ioctl } for path="socket:[244992]" dev="sockfs" ino=244992
ioctlcmd=0x5401 scontext=u:r:perfetto:s0 tcontext=u:r:adbd:s0
tclass=unix_stream_socket permissive=0

Example denial from ctrl-c'ing "adb shell perfetto ...":

avc: denied { signal } for comm=7368656C6C20737663203134343537
scontext=u:r:adbd:s0 tcontext=u:r:perfetto:s0 tclass=process
permissive=0

Tested: patched onto an internal branch, then verified that denials are
        gone on a flashed crosshatch-userdebug.
Change-Id: I1dbe00ea91e3c3377d6e5eab05ad99620e02b965
2020-03-24 21:39:41 +00:00
Inseob Kim
55e5c9b513 Move system property rules to private
public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.

Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
2020-03-18 16:46:04 +00:00
Joshua Duong
18988fcce3 Add adbd_prop, system_adbd_prop property types.
service.adb.tls.port contains the adbd tcp port running the TLS server.
persist.sys.adb.wifi tells adbd when to enable the TLS server.

Bug: 149348431
Bug: 111434128

Test: Enable wireless debugging, check if TLS port information is
displayed in the Developer options > Wireless debuggging.
Change-Id: I5b5c5a3d064bc003f41386ede9051609fefec53e
2020-02-20 07:52:34 -08:00
Josh Gao
b9c7001837 adbd should be able to shutdown shell:unix_stream_socket
adbd started calling shutdown and waiting for EOF before closing
sockets in commit 74b7ec72, because closing a TCP socket while you have
pending data to read is specified to send a TCP RST to the other end,
which can result in data that we've written into the socket to be
prematurely thrown away on the other end. Not being able to do so on a
Unix domain socket is benign, aside from the denial showing up in the
log.

Fixes the following selinux denial when installing a package:

  avc: denied { shutdown } for scontext=u:r:adbd:s0 tcontext=u:r:shell:s0 tclass=unix_stream_socket permissive=0

Test: manual
Change-Id: I266092a8323ac02bfe96738a8f4a8021f3a10387
2020-02-05 17:24:46 -08:00
Hector Dearman
b56a49d979 Allow adb forward to traced consumer socket
Currently shell can connect to the traced_consumer_socket allowing it to
configure/start/stop and collect traces. This allows a host tool (e.g. Android Studio or
https://ui.perfetto.dev) to connect to the device via adb and collect traces. It would
be better if rather than executing shell commands the host tool could directly communicate
with the consumer socket. This is possible using adb forward:

adb forward tcp:9903 localfilesystem:/dev/socket/traced_consumer

However in this case adbd is connecting to the socket - not shell.

This CL allows adbd to connect to the socket which allows host tools to collect
traces without having to do everything though shell commands.

Denial:
08-30 11:28:05.809 10254 10254 W adbd    : type=1400 audit(0.0:1129): avc: denied { write } for name="traced_consumer" dev="tmpfs" ino=6719 scontext=u:r:adbd:s0 tcontext=u:object_r:traced_consumer_socket:s0 tclass=sock_file permissive=0

Test: Cherry pick CL to master, make, flash
adb logcat | grep denied
adb forward tcp:9903 localfilesystem:/dev/socket/traced_consumer

Bug: b/139536756
Change-Id: Ie08e687c0b06d0e1121009e8cd70319a8f907ae2
2019-09-05 10:12:47 +00:00
bohu
7c84772382 adbd: do not audit vsock_socket create
BUG: 123569840
Change-Id: I8f2b1dc05a0aef07ea5662b4febcbc3bc6f6a882
2019-02-25 14:55:27 -08:00
William Hester
5f486c74bf Add the testharness service to sepolicy rules
The testharness service will manage Test Harness Mode and provide a
command-line interface for users to enable Test Harness Mode; however it
does not directly provide a public API.

Bug: 80137798
Test: make
Test: flash crosshatch
Change-Id: Ie396e40fcea8914b4dd2247f2314e029b66ad84e
2019-01-17 13:10:37 -08:00
Alex Buynytskyy
007586d92d Allow adbd to use a socket transferred from shell.
Used for e.g. abb.

Test: Build, flash and boot, use `adb abb` to verify

Change-Id: I4ad75498819edbcc0303f66420a58d06788ab5fb
2019-01-07 15:45:50 +00:00
Peiyong Lin
7924dc6054 [SEPolicy] Configure policy for gpu service.
Historically GPU service lives in SurfaceFlinger as a convenient hack.
Howerver, SurfaceFlinger doesn't need to know about anything specific about GPU
capability, and shouldn't know about anything about GPU. This patch moves GPU
service out of SurfaceFlinger.

GPU service is a service that accesses to GPU driver, queries GPU capabilities
and reports back. Currently we use this information in CTS and some benchmarks.

BUG: 118347356
Test: Build, flash and boot, use `adb shell cmd gpu vkjson` to verify
Change-Id: I007989e0f3f73b5caf80277979986820dd127c32
2018-11-08 12:31:11 -08:00
Florian Mayer
f270aea66a Allow adbd to read perfetto_traces_data_file.
This allows to use adb pull on Perfetto traces on user.

Bug: 118747482

Change-Id: Ie4deed90597b412ccb0e9e6512ffed2acead82d8
2018-11-08 16:13:55 +00:00
Nick Kralevich
ebc3a1a34c Move to ioctl whitelisting for plain files / directories
Remove kernel attack surface associated with ioctls on plain files. In
particular, we want to ensure that the ioctls FS_IOC_ENABLE_VERITY and
FS_IOC_MEASURE_VERITY are not exposed outside a whitelisted set of
entities. However, it's straight forward enough to turn on ioctl
whitelisting for everything, so we choose to do so.

Test: policy compiles and device boots
Test: device boots with data wipe
Test: device boots without data wipe
Change-Id: I545ae76dddaa2193890eeb1d404db79d1ffa13c2
2018-10-10 13:02:57 +00:00
Jerry Zhang
1d85efa9f4 Add sepolicy for fastbootd
Also allow adb and fastboot to talk to recovery
through recovery_socket. This enables changing
between modes with usb commands.

Test: No selinux denials
Bug: 78793464
Change-Id: I80c54d4eaf3b94a1fe26d2280af4e57cb1593790
2018-08-15 08:45:22 -07:00
Florian Mayer
c2ab15b798 Revert "Add sepolicy for fastbootd"
This reverts commit 0fd3ed3b8b.

Reason for revert: Broke user builds.

Change-Id: If95f1a25d22425a5a2b68a02d1561352fb5a52f0
2018-08-15 09:38:40 +00:00
Jerry Zhang
0fd3ed3b8b Add sepolicy for fastbootd
Also allow adb and fastboot to talk to recovery
through recovery_socket. This enables changing
between modes with usb commands.

Test: No selinux denials
Bug: 78793464
Change-Id: I1f97659736429fe961319c642f458c80f199ffb4
2018-08-14 20:21:36 +00:00
Mark Salyzyn
7ab1450d8c fs_mgr: use ro.persistent_properties.ready
Replace more complicated logic that determines that persistent
properties are now valid with a simple check of
ro.persistent_properties.ready.

Test: manual
Bug: 109821005
Change-Id: I8c63beb294377ea9ce6eb6336b83f529deedd830
2018-08-14 07:51:49 -07:00
Jiyong Park
bacf36480d adbd is allowed to execute shell in recovery mode
The shell is now available directly in the recovery ramdisk. We no
longer need to mount system.img to /system as the recovery ramdisk is
self-contained. However, there is a problem that every file in the
ramdisk is labeled as rootfs because the ramdisk does not support xattr.

This CL adds several recovery-only rules that are required to make the
recovery ramdisk self-contained. Most importantly, adbd is allowed to
domain_trans to shell. Also shell is allowe to execute files of type
rootfs. Finally, the recovery is allowed to mount on tmpfs since it now
mounts system.img to /mnt/system.

Bug: 63673171
Test: `adb reboot recovery; adb devices` shows the device ID
Test: `adb root && adb shell` and then
$ lsof -p `pidof adbd` shows that libm.so, libc.so, etc. are loaded from
the /lib directory.

Change-Id: If21b069aee63541344a5ca8939fb9a46ffef4d3e
2018-06-09 02:23:10 +09:00
Jeff Vander Stoep
621668568a adbd: dontaudit sys_resource denials
avc: denied { sys_resource } for comm="adbd" capability=24
scontext=u:r:adbd:s0 tcontext=u:r:adbd:s0 tclass=capability

Test: build aosp_sailfish-userdebug
Bug: 78935353
Change-Id: I094e54cbd61245d368f3164e30222dfdff902ffa
2018-05-01 23:38:13 +00:00
Max Bires
35c363897d Adding write permissions to traceur
Fixing denials that stopped traceur from being able to write to
debugfs_tracing. Also cleaning up general find denials for services that
traceur doesn't have permission to access.

Additionally, labeling /data/local/trace as a trace_data_file in order
to give traceur a UX friendly area to write its traces to now that it
will no longer be a shell user. It will be write/readable by traceur,
and deletable/readable by shell.

Test: Traceur functionality is not being blocked by selinux policy
Bug: 68126425
Change-Id: I201c82975a31094102e90bc81454d3c2a48fae36
2018-01-22 21:06:36 +00:00
Jaekyun Seok
e49714542e Whitelist exported platform properties
This CL lists all the exported platform properties in
private/exported_property_contexts.

Additionally accessing core_property_type from vendor components is
restricted.
Instead public_readable_property_type is used to allow vendor components
to read exported platform properties, and accessibility from
vendor_init is also specified explicitly.

Note that whitelisting would be applied only if
PRODUCT_COMPATIBLE_PROPERTY is set on.

Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e
2018-01-10 16:15:25 +00:00
Benjamin Gordon
9b2e0cbeea sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-21 08:34:32 -07:00
Steven Moreland
5b2ebd3b25 Revert "Add screencap domain."
This reverts commit 9216a6adc9.

Bug: 65206688

Merged-In: I8e61b77a1abe9543e4fba77defb8062407676fcf
Change-Id: I8e61b77a1abe9543e4fba77defb8062407676fcf
2017-09-05 10:08:09 -07:00
Bowgo Tsai
5846c79e80 Moving adbd from rootdir to system/bin
Bug: 63910933
Test: boot sailfish in normal mode, checks adbd is started
Test: boot sailfish in recovery mode, checks adbd is started
Test: boot bullhead in normal mode, checks adbd is started
Test: boot bullhead in recovery mode, checks adbd is started

Change-Id: I35ed78a15a34626fbd3c21d030e2bf51033f7b79
Merged-In: I35ed78a15a34626fbd3c21d030e2bf51033f7b79
(cherry picked from commit e2423d149b)
2017-08-28 17:38:13 +08:00
Steven Moreland
9216a6adc9 Add screencap domain.
Only seeing this denial in permissive:
allow shell screencap_exec:file getattr;

Bug: 37565047
Test: adb shell screencap w/o root
Test: cts-tradefed run cts-dev --module CtsAadbHostTestCases
Merged-In: I9f31d2067e002e7042646ee38dbfc06687481ac7
Change-Id: I9f31d2067e002e7042646ee38dbfc06687481ac7
2017-08-14 11:46:08 -07:00
Yifan Hong
19a87733c5 Allow adbd and shell to read /proc/config.gz
for CTS device info collection purposes.

Bug: 28656227
Test: m cts -j && cts-tradefed run cts -m Gesture --test
android.gesture.cts.GestureTest#testGetStrokes

Change-Id: I8caf3580fb05fb489dc5abb917c8cb78cb089fb7
2017-05-08 14:40:25 -07:00
Steven Moreland
26ce838838 Revert "Remove unnecessary adbd permissions."
This reverts commit 97848f0516.

Reason for revert: b/37218817

Change-Id: I3280be8873d60d66852b4f01f4af4eeaee6b5502
2017-04-11 00:07:04 +00:00
Steven Moreland
97848f0516 Remove unnecessary adbd permissions.
Test: adbd_test (with and without adb root)
  Note: one test fails without root with and without this change
        because of an unrelated shell selinux denial.
Test: adb screencap, pull, and verify
Test: Android Studio screenshot
Bug: 36643190
Change-Id: Ib534240bc9bb3a1f32b8865ca66db988902a0f4a
2017-04-05 16:07:00 +00:00
Jeff Vander Stoep
892d1e40ce adbd/shell: grant access to sepolicy for cts
Test: Test: make cts && \
      cts-tradefed run singleCommand cts --skip-device-info \
      --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
      --module CtsSecurityHostTestCases \
      -t android.security.cts.SELinuxHostTest#testNoExemptionsForBinderInVendorBan
      Fails as expected.
Bug: 36002573

Change-Id: I298c526789b25734d5f18666c64497e5d1e181d0
2017-04-03 16:31:09 -07:00
Sandeep Patil
1e149967a2 seapp_context: explicitly label all seapp context files
seapp_context files need to be explicitly labeled as they are now split
cross system and vendor and won't have the generic world readable
'system_file' label.

Bug: 36002414
Test: no new 'seapp_context' denials at boot complete on sailfish
Test: successfully booted into recovery without denials and sideloaded
      OTA update.
Test: ./cts-tradefed run singleCommand cts --skip-device-info \
      --skip-preconditions --skip-connectivity-check --abi \
      arm64-v8a --module CtsSecurityHostTestCases -t \
      android.security.cts.SELinuxHostTest#testAospSeappContexts
Test: Launch 'chrome' and succesfully load a website.
Test: Launch Camera and take a picture.
Test: Launch Camera and record a video, succesfully playback recorded
      video

Change-Id: I19b3e50c6a7c292713d3e56ef0448acf6e4270f7
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-03-29 10:20:11 -07:00
Sandeep Patil
c9cf7361c1 file_context: explicitly label all file context files
file_context files need to be explicitly labeled as they are now split
across system and vendor and won't have the generic world readable
'system_file' label.

Bug: 36002414
Test: no new 'file_context' denials at boot complete on sailfish
Test: successfully booted into recovery without denials and sideloaded
OTA update.
Test: ./cts-tradefed run singleCommand cts --skip-device-info \
       --skip-preconditions --skip-connectivity-check --abi \
       arm64-v8a --module CtsSecurityHostTestCases -t \
       android.security.cts.SELinuxHostTest#testAospFileContexts

Change-Id: I603157e9fa7d1de3679d41e343de397631666273
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-03-29 10:17:21 -07:00
Sandeep Patil
939d16b59f service_contexts: label service_contexts explicitly
The label applies to all service_contexts regardless of their location.
This also lets us track the service_contexts usage and limit access to
the files for the corresponding object manager alone.

Bug: 36002427
Test: Boot sailfish and observe no denials for 'serice_contexts'
Test: cts-tradefed run singleCommand cts --skip-device-info \
          --skip-preconditions --skip-connectivity-check \
          --abi arm64-v8a --module CtsSecurityHostTestCases \
          -t android.security.cts.SELinuxHostTest#testAospServiceContexts

Change-Id: I97fc8b24bc99ca5c00d010fb522cd39a35572858
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-03-29 10:13:34 -07:00
Steven Moreland
7bd7d417bf adbd: use hal_client_domain
Bug: 36546152
Bug: 36278706

Test: `adb shell screencap ...` and pull and visually verify image.
Change-Id: Iab2ddcfc145cb7f55104cd8f1ce0d58286bca282
2017-03-24 18:55:56 -07:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
Chia-I Wu
8585788d9f Allow adbd to use graphics fds
Bug: 35708449
Test: AS screen capture
Change-Id: I53f1604e1ee9c9b32c6932f1b8944708f5012e5f
2017-02-24 09:07:27 -08:00
Alex Klyubin
8309f0a299 Move adbd policy to private
This leaves only the existence of adbd domain as public API. All other
rules are implementation details of this domain's policy and are thus
now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules to do with adbd_current except
      those created by other domains' allow rules referencing adbd
      domain from public and vendor policies.

Bug: 31364497
Change-Id: Icdce8b89f67c70c6c4c116471aaa412e55028cd8
2017-02-07 09:55:05 -08:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00