Commit graph

13 commits

Inseob Kim
09b27c7109 Add "DO NOT ADD statements" comments to public
For visibility

Bug: 232023812
Test: N/A
Change-Id: I0bc6dc568210b81ba1f52acb18afd4bcc454ea1c
2024-03-28 11:27:43 +09:00
Inseob Kim
75806ef3c5 Minimize public policy
Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.

Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
           <(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
      to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
2024-03-28 00:33:46 +00:00
Mårten Kongstad
0547fb5ab2 Remove the last traces of idmap (replaced by idmap2)
Remove mention of the /system/bin/idmap binary: the file no longer
exists.

Remove the interaction between the domains installd and idmap:
installd used to fork and exec the idmap binary, but the idmap2 binary
has its own binder service.

Bug: 118711077
Bug: 119264713
Test: atest FrameworksServicesTests:com.android.server.om OverlayDeviceTests OverlayHostTests CtsAppSecurityHostTestCases:OverlayHostTest
Change-Id: I06d22057308984e43cb84ff365dbdd1864c7064b
2022-06-10 12:58:21 +02:00
Jeff Vander Stoep
0f00cd283e idmap: add binderservice permissions
Allow dumpsys to dump process information for bug reports.

Test: build
Test: adb bugreport
Bug: 140541614
Change-Id: Ia361e8c8de2cc5f798e746dffcf067393fd6bcae
2019-09-18 13:47:09 +02:00
Winson Chiu
7e7291a763 Allow idmap1 to read vmdl*.tmp APK install files
When upgrading a package, PackageParser acts on the temporary
APK file copied from the install location. This is passed to
idmap, which doesn't have read access because it's missing an
SELinux rule.

This is needed to fix a bug with manifest overlaying on updating
an app, a feature kept alive for Q.

Relevant logs when updating a target:
[  550.068083] type=1400 audit(1556124408.583:3812): avc: denied { read } for comm="idmap" name="base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[  550.090115] type=1400 audit(1556124408.583:3812): avc: denied { read } for comm="idmap" name="base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[  550.092064] type=1400 audit(1556124408.603:3813): avc: denied { open } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[  550.096202] type=1400 audit(1556124408.603:3813): avc: denied { open } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[  550.098459] type=1400 audit(1556124408.613:3814): avc: denied { map } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[  550.101640] type=1400 audit(1556124408.613:3814): avc: denied { map } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[  550.104239] type=1400 audit(1556124408.613:3815): avc: denied { getattr } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1

Bug: 130559507

Test: manual adb push /system/product/app/TestApp.apk with
/system/product/overlay/TestOverlay.apk enabling disabled launcher
Activity in TestApp; adb install -r TestApp.apk keeps enabled state
with changes

Change-Id: Ieeb7fb4f79ae091d0febf42ca358e7ffdfa6c3ff
2019-04-24 16:48:06 +00:00
Mårten Kongstad
f62362da52 Add idmap2 and idmap2d
Bug: 78815803
Test: builds, boots
Test: manual: adb shell idmap2 create ...
Test: manual: adb shell ps | grep -e idmap2d
Change-Id: I60852e15d99329896ff9de6559d1e7cd1c67e33d
2018-11-15 14:42:10 +00:00
Nick Kralevich
5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00
Joel Galenson
b050dccdd8 Suppress denials from idmap reading installd's files.
We are occasionally seeing the following SELinux denial:

avc: denied { read } for comm="idmap" path="/proc/947/mounts" scontext=u:r:idmap:s0 tcontext=u:r:installd:s0 tclass=file

This commit suppresses that exact denial.

We believe this is occurring when idmap is forked from installd, which is reading its mounts file in another thread.

Bug: 72444813
Test: Boot Walleye and test wifi and camera.
Change-Id: I3440e4b00c7e5a708b562a93b304aa726b6a3ab9
2018-01-25 10:07:19 -08:00
Sandeep Patil
9075699a28 sepolicy: restrict /vendor/overlay from most coredomains
The change makes 'vendor_overlay_file' accessible only to a few platform
domains like idmap, system_server, zygote and appdomain.

The overlay files contain RROs (runtime resource overlays).

Bug: 36681210
Test: Boot sailfish (treble device) from wiped flashall
Test: Connect to wifi and launch chrome to load a few websites.
Test: Launch camera and record + playback video

Change-Id: I3596ca89ad51d0e7d78c75121f22ea71209ee332
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-06 13:28:16 -07:00
Sandeep Patil
1b5f81a2d2 sepolicy: restrict /vendor/app from most coredomains
The change makes 'vendor_app_file' accessible only to a few platform
domains like dex2oat, idmap, installd, system_server and appdomain.

Bug: 36681210
Test: Boot sailfish (treble device) from wiped flashall
Test: Connect to wifi and launch chrome to load a few websites.
Test: Launch camera and record + playback video

Change-Id: Ib8757fedbf2e19c8381c8cd0f8f2693b2345534b
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-06 13:28:12 -07:00
Mårten Kongstad
e096e5f54a Add service 'overlay' to service_contexts
The 'overlay' service is the Overlay Manager Service, which tracks
packages and their Runtime Resource Overlay overlay packages.

Change-Id: I897dea6a32c653d31be88a7b3fc56ee4538cf178
Co-authored-by: Martin Wallgren <martin.wallgren@sonymobile.com>
Signed-off-by: Zoran Jovanovic <zoran.jovanovic@sonymobile.com>
Bug: 31052947
Test: boot the Android framework
2017-02-22 11:28:15 -08:00
Nick Kralevich
6a259ccd9d remove more domain_deprecated
Test: no denials showing up in log collection
Test: device boots
Bug: 28760354
Change-Id: I089cfcf486464952fcbb52cce9f6152caf662c23
2016-12-09 19:57:43 -08:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00
Renamed from idmap.te