Commit graph

96 commits

Author SHA1 Message Date
Tianjie
b729aa6c5e Add context for checkin directory
Checkin apps use /data/misc_ce/<id>/checkin to backup the checkin
metadata. So users won't lose the checkin tokens when they clear
the app's storage.

One example is when GMScore is used for checkin, users may clear
GMScore data via "settings". If the device accidentally loses the
token without backup, it won't be able to checkin again until
factory reset.

The contents in checkin dir will be cleaned up when a user is removed
from the device. We also plan to add Gmscore test to ensure the dir
is cleaned up at checkin time, thus prevent other Gmscore modules
from using this storage by mistake.

Bug: 197636740
Test: boot device, check selinux label, check gmscore writes to the new dir
Change-Id: If3ff5e0fb75b4d49ce80d91b0086b58db002e4fb
2021-10-14 16:21:10 -07:00
Alan Stokes
39f497013c SEPolicy for compos_verify_key.
Remove some allow rules for odsign, since it no longer directly
modifies CompOs files. Instead allow it to run compos_verify_key in
its own domain.

Grant compos_verify_key what it needs to access the CompOs files and
start up the VM.

Currently we directly connect to the CompOs VM; that will change once
some in-flight CLs have landed.

As part of this I moved the virtualizationservice_use macro to
te_macros so I can use it here. I also expanded it to include
additional grants needed by any VM client that were previously done
for individual domains (and then deleted those rules as now
redundant).

I also removed the grant of VM access to all apps; instead we allow it
for untrusted apps, on userdebug or eng builds only. (Temporarily at
least.)

Bug: 193603140
Test: Manual - odsign successfully runs the VM at boot when needed.
Change-Id: I62f9ad8c7ea2fb9ef2d468331e26822d08e3c828
2021-09-03 16:31:02 +01:00
Jiyong Park
5e20d83cfb Add rules for virtualizationservice and crosvm
The test for the services has been running with selinux disabled. To
turn selinux on, required rules are allowed.

Below is the summary of the added rules.

* crosvm can read the composite disk files and other files (APKs,
APEXes) that serve as backing store of the composite disks.
* virtualizationservice has access to several binder services
  - permission_service: to check Android permission
  - apexd: to get apex files list (this will be removed eventually)
* Both have read access to shell_data_file (/data/local/tmp/...) for
testing purpose. This is not allowed for the user build.
* virtualizationservice has access to the pseudo terminal opened by adbd
so that it can write output to the terminal when the 'vm' tool is
invoked in shell.

Bug: 168588769
Test: /apex/com.android.virt/bin/vm run-app --log /dev/null
/data/local/tmp/virt/MicrodroidDemoApp.apk
/data/local/tmp/virt/MicrodroidDemoApp.apk.idsig
/data/local/tmp/virt/instance.img
assets/vm_config.json

without disabling selinux.

Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-26 10:45:08 +09:00
Calin Juravle
0b2ca6c22c Enable ART properties modularization
ART is becoming a module and we need to be able to add new properties
without modifying the non updatable part of the platform:

- convert ART properties to use prefix in the namespace of
[ro].dalvik.vm.
- enable appdomain and coredomain to read device_config properties
that configure ART

Test: boot
Bug: 181748174
Change-Id: Id23ff78474dba947301e1b6243a112b0f5b4a832
2021-06-01 16:14:55 -07:00
liuyg
04c85dcfc4 Revert "Allow the MediaProvider app to set FUSE passthrough property"
This reverts commit c1e2918fd9.

Reason for revert: Build broke

Change-Id: I4b95e977cf66c586b0d0b465f1b3654c01074152
2021-05-13 18:18:28 +00:00
Alessio Balsini
c1e2918fd9 Allow the MediaProvider app to set FUSE passthrough property
Allow the MediaProvider app to write the system property
fuse.passthrough.enabled in case FUSE passthrough is enabled.
The need for this additional system property is due to the ScopedStorage
CTS tests that are assuming FUSE passtrhough is always on for devices
supporting it, but there may be some cases (e.g., GSI mixed builds)
where this is not possible true and the feature is disabled at runtime,
thus causing the tests to fail.
This additional system property is only set when FUSE passthrough is
actually being used by the system.

Bug: 186635810
Test: CtsScopedStorageDeviceOnlyTest
Signed-off-by: Alessio Balsini <balsini@google.com>
Change-Id: I623042d67399253a9167188c3748d93eb0f2d41f
2021-05-13 17:38:16 +00:00
Orion Hodson
13ee65392e app.te: enable mapping ART apexdata cache executable
Some jars, such com.android.location.provider.jar, are both on the
system_server classpath and loaded as libraries. If the .oat files are
in the ART apexdata cache (due to being system_server classpath), they
need to be execute permission to be usable as AOT compiled libraries.

Bug: 184881321
Test: install an updated ART apex, open apps, see no more denials
Change-Id: I89b74dfa047699c568575d99a29c5e74abdef076
2021-04-27 16:41:23 +01:00
Zim
b61bcc87ed Allow appdomain sepolicy search access to /mnt/media_rw
untrusted apps were already granted this policy and we now extend it
to all apps. This allows FileManager apps with the
MANAGE_EXTERNAL_STORAGE permisssion to access USB OTG volumes mounted
on /mnt/media_rw/<vol>.

This permission access in the framework is implemented by granting
those apps the external_storage gid. And at the same time USB volumes
will be mounted on /mnt/media_rw/<vol> with the external_storage gid.
There is no concern of interferring with FUSE on USB volumes because
they are not FUSE mounted.

For sdcards (non-USB) volumes mounted on /mnt/media_rw/<vol>, those
volumes are mounted with the media_rw gid, so even though they are
FUSE mounted on /storage/<vol>, arbitrary apps cannot access the
/mnt/media_rw path since only the FUSE daemon is granted the media_rw
gid.

Test: Manual
Bug: 182732333
Change-Id: I70a3eb1f60f32d051f44253b0db2c7b852d79ba1
2021-04-13 14:56:44 +00:00
Martijn Coenen
4825e8662d Allow apps to read apex_art_data_file:dir
This should be ok since apps are already allowed to read the contained
files; the dir is iterated by tests to ensure that all files are signed
correctly.

Bug: 165630556
Test: new test passes

Change-Id: Ib6c298f2b267839a802c17288230a8151a1eec86
2021-03-29 13:51:47 +02:00
Yifan Hong
4f3a86d1e9 Revert "Allow CTS DeviceInfo to read VAB prop."
This reverts commit 809eb75553.

Reason for revert: should allow shell to do it instead

Change-Id: Ie07b86d1308cb41885957d2214ed7ce190f5ae18
Test: pass
Bug: 179427873
2021-02-18 12:46:42 -08:00
Josh Gao
ce1c4a54ae Let apps read tombstones given to them.
Bug: http://b/159164105
Test: atest CtsNativeTombstoneTestCases
Change-Id: I278c7ab815bb044b939afeb1f8a5ae37ec2f4c91
2021-02-08 17:19:43 -08:00
Yifan Hong
809eb75553 Allow CTS DeviceInfo to read VAB prop.
Test: adb shell am instrument -w \
  com.android.compatibility.common.deviceinfo/androidx.test.runner.AndroidJUnitRunner
Fixes: 179427873
Change-Id: I1dd2c480408b7695ab0285645de5b06b8b6137c5
2021-02-04 19:56:07 -08:00
Seigo Nonaka
9c3707f76a Add /data/fonts/files directory
The updated font files will be stored to /data/fonts/files and
all application will read it for drawing text.
Thus, /data/fonts/files needs to be readable by apps and only writable
by system_server (and init).

Bug: 173517579
Test: atest CtsGraphicsTestCases
Test: Manually done
Change-Id: Ia76b109704f6214eb3f1798e8d21260343eda231
2021-01-22 11:58:55 -08:00
Orion Hodson
8f75f76fbd Permissions for odrefresh and /data/misc/apexdata/com.android.art
odrefresh is the process responsible for checking and creating ART
compilation artifacts that live in the ART APEX data
directory (/data/misc/apexdata/com.android.art).

There are two types of change here:

1) enabling odrefresh to run dex2oat and write updated boot class path
   and system server AOT artifacts into the ART APEX data directory.

2) enabling the zygote and assorted diagnostic tools to use the
   updated AOT artifacts.

odrefresh uses two file contexts: apex_art_data_file and
apex_art_staging_data_file. When odrefresh invokes dex2oat, the
generated files have the apex_art_staging_data_file label (which allows
writing). odrefresh then moves these files from the staging area to
their installation area and gives them the apex_art_data_file label.

Bug: 160683548
Test: adb root && adb shell /apex/com.android.art/bin/odrefresh
Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
2021-01-13 10:38:22 +00:00
Inseob Kim
0cef0fe5ac Add contexts for sqlite debug properties
These are read by some apps, but don't have any corresponding property
contexts. This adds a new context as we're going to remove default_prop
access.

Bug: 173360450
Test: no sepolicy denials
Change-Id: I9be28d8e641eb6380d080150bee785a3cc304ef4
2020-11-18 12:14:20 +09:00
Inseob Kim
4ae7ec1915 Remove exported3_radio_prop
It's renamed to radio_control_prop

Bug: 162214733
Test: boot
Change-Id: Idede1a1ab471a354a6f5df12b6889abc7c1ad869
2020-08-03 09:23:39 +00:00
Hongguang Chen
67c3688497 Allow vendor_init to set service.adb.tcp.port
adbd and apps (SystemUI and CTS test apps) need to read it.

BUG: 162205386
Test: Connect to device which sets service.adb.tcp.port in vendor
      partition through TCP adb.

Change-Id: Ia37dd0dd3239381feb2a4484179a0c7847166b29
2020-07-28 02:13:03 +00:00
Inseob Kim
c97a97cd3f Move more properties out of exported3_default_prop
This is to remove exported3_default_prop. Contexts of these properties
are changed.

- ro.boot.wificountrycode
This becomes wifi_config_prop

- ro.opengles.version
This becomes graphics_config_prop. Also it's read by various domains, so
graphics_config_prop is now readable from coredomain.

- persist.config.calibration_fac
This becomes camera_calibration_prop. It's only readable by appdomain.

Bug: 155844385
Test: no denials on Pixel devices
Test: connect wifi
Change-Id: If2b6c10fa124e29d1612a8f94ae18b223849e2a9
2020-07-21 13:11:57 +09:00
Inseob Kim
c80b024241 Relabel various exported3_default_prop
This removes bad context names "exported*_prop". Property contexts of
following properties are changed. All properties are settable only by
vendor-init.

- ro.config.per_app_memcg
This becomes lmkd_config_prop.

- ro.zygote
This becomes dalvik_config_prop.

- ro.oem_unlock_supported
This becomes oem_unlock_prop. It's readable by system_app which includes
Settings apps.

- ro.storage_manager.enabled
This becomes storagemanagr_config_prop. It's readable by coredomain.
Various domains in coredomain seem to read it.

- sendbug.preferred.domain
This bcomes sendbug_config_prop. It's readable by appdomain.

There are still 3 more exported3_default_prop, which are going to be
tracked individually.

Bug: 155844385
Test: selinux denial check on Pixel devices
Change-Id: I340c903ca7bda98a92d0f157c65f6833ed00df05
2020-07-20 16:11:58 +09:00
Inseob Kim
d2c0b7bf9e Remove redundant get_prop rule
The rule "get_prop(coredomain, vts_status_prop)" is duplicated by
mistake. It's already in coredomain.te, and it should be deleted from
app.te

Bug: N/A
Test: m selinux_policy
Change-Id: I816c8da74940fc6ccdd50fe377aa54eae36237b4
2020-07-16 16:10:57 +00:00
Inseob Kim
212e2b621a Add property contexts for vts props
vts_config_prop and vts_status_prop are added to remove exported*_prop.
ro.vts.coverage becomes vts_config_prop, and vts.native_server.on
becomes vts_status_prop.

Bug: 155844385
Test: Run some vts and then getprop, e.g. atest \
      VtsHalAudioEffectV4_0TargetTest && adb shell getprop
Test: ro.vts.coverage is read without denials
Change-Id: Ic3532ef0ae7083db8d619d80e2b73249f87981ce
2020-07-16 16:26:17 +09:00
Inseob Kim
dddf6f561f Relabel media.recorder.show_manufacturer_and_model
To remove exported*_default_prop

Bug: 155844385
Test: capture video
Test: atest writerTest
Change-Id: I74223c8daa44acf0aba33bff31cfe21f6242f941
2020-07-08 15:32:57 +09:00
Inseob Kim
5eacf72460 Allow apps to read packagemanager_config_prop
To fix regression of CTS privappPermissionsMustBeEnforced

Bug: 159647344
Test: atest PrivappPermissionsTest#privappPermissionsMustBeEnforced
Change-Id: I88af05305f9aef6e813d0a72adad63b6b8f99487
Merged-In: I88af05305f9aef6e813d0a72adad63b6b8f99487
2020-07-01 02:29:53 +00:00
Peiyong Lin
37dea070ce Update sepolicy for GPU profiling properties.
A device must indicate whether GPU profiling is supported or not through
setting these two properties properly. CTS needs to read these two
properties in order to run corresponding compliance tests. Hence need to
update sepolicy for these two properties.

Bug: b/157832445
Test: Test on Pixel 4
Change-Id: I6f400ecbbd5e78b645bb620fa24747e9367c2ff3
Merged-In: I6f400ecbbd5e78b645bb620fa24747e9367c2ff3
2020-06-05 12:03:29 -07:00
Inseob Kim
641cffeb0e Grant app and hal access to telephony_config_prop
To resolve regression.

Bug: 158254452
Test: m selinux_policy
Change-Id: If0db9b9a4af6c34a007d0549aa7a5dd465e4ed63
2020-06-05 10:40:16 +09:00
Inseob Kim
dbcc459b90 Take new types out of compatible_property_only
compatible_property_only is meaningless to new types introduced after
Android P because the macro is for types which should have different
accessibilities depending on the device's launching API level.

Bug: N/A
Test: system/sepolicy/tools/build_policies.sh
Change-Id: If6b1cf5e4203c74ee65f170bd18c3a354dca2fd4
2020-05-25 17:31:26 +09:00
Daniel Rosenberg
afede84ad5 Add sdcardfs variable to storage_config_props
This property allows us to disable sdcardfs if it is present. The old
property ended up getting repurposed, so a new one was needed.
Mediaprovider will also need to access this to determine what actions it
needs to take.

Test: builds
Bug: 155222498
Change-Id: I66ac106613cbb374f54659601e4ba3f61eaecd2f
2020-05-19 00:30:52 -07:00
Jeff Vander Stoep
67896eef07 Reduce graphics logspam
There is no change in behavior. These denials were already
being blocked.

Bug: 79617173
Test: build
Change-Id: Iffd1e5ba42854615eeea9490fe9150678ac98796
2020-04-02 13:43:26 +02:00
Jeff Vander Stoep
607bc67cc9 Prevent apps from causing presubmit failures
Apps can cause selinux denials by accessing CE storage
and/or external storage. In either case, the selinux denial is
not the cause of the failure, but just a symptom that
storage isn't ready. Many apps handle the failure appropriately.

These denials are not helpful, are not the cause of a problem,
spam the logs, and cause presubmit flakes. Suppress them.

Bug: 145267097
Test: build
Change-Id: If87b9683e5694fced96a81747b1baf85ef6b2124
2019-12-16 11:19:05 +01:00
Florian Mayer
5e52281372 Allow Java domains to be Perfetto producers.
This is needed to get Java heap graphs.

Test: flash aosp; profile system_server with setenforce 1

Bug: 136210868

Change-Id: I87dffdf28d09e6ce5f706782422510c615521ab3
2019-10-10 10:40:26 +01:00
Xiao Ma
e2876a3d11 revert ipmemorystore selinux policy.
Since ipmemorystore service has been moved to network stack from
system service, also should revert the relevant sepolicy which is
corresponding to the previous configuration.

Bug: 128392280
Test: atest FrameworksNetTests NetworkStackTests
Change-Id: I1ae09696e620b246f817db71e7b71c32aae9be05
2019-04-01 16:37:25 +09:00
Jeff Vander Stoep
9f5d0d90a3 Initial selinux policy support for memfd
Move all app tmpfs types to appdomain_tmpfs. These are still protected
by mls categories and DAC. TODO clean up other app tmpfs types in a
separate change.

Treble-ize tmpfs passing between graphics composer HAL and
surfaceflinger.

Bug: 122854450
Test: boot Blueline with memfd enabled.
Change-Id: Ib98aaba062f10972af6ae80fb85b7a0f60a32eee
2019-01-30 19:11:49 +00:00
William Hester
5f486c74bf Add the testharness service to sepolicy rules
The testharness service will manage Test Harness Mode and provide a
command-line interface for users to enable Test Harness Mode; however it
does not directly provide a public API.

Bug: 80137798
Test: make
Test: flash crosshatch
Change-Id: Ie396e40fcea8914b4dd2247f2314e029b66ad84e
2019-01-17 13:10:37 -08:00
Chalard Jean
fb15c9f12f Add sepolicy for IpMemoryStoreService
Bug: 116512211
Test: Builds, boots, including upcoming changes needing this
Change-Id: I6f119368c5a4f7ac6c0325915dff60124c5a6399
2019-01-10 18:06:56 +09:00
Nick Kralevich
0eb0a16fbd bless app created renderscript files
When an app uses renderscript to compile a Script instance,
renderscript compiles and links the script using /system/bin/bcc and
/system/bin/ld.mc, then places the resulting shared library into the
application's code_cache directory. The application then dlopen()s the
resulting shared library.

Currently, this executable code is writable to the application. This
violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which
requires any executable code be immutable.

This change introduces a new label "rs_data_file". Files created by
/system/bin/bcc and /system/bin/ld.mc in the application's home
directory assume this label. This allows us to differentiate in
security policy between app created files, and files created by
renderscript on behalf of the application.

Apps are allowed to delete these files, but cannot create or write these
files. This is enforced through a neverallow compile time assertion.

Several exceptions are added to Treble neverallow assertions to support
this functionality. However, because renderscript was previously invoked
from an application context, this is not a Treble separation regression.

This change is needed to support blocking dlopen() for non-renderscript
/data/data files, which will be submitted in a followup change.

Bug: 112357170
Test: cts-tradefed run cts -m CtsRenderscriptTestCases
Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
2018-12-12 13:20:22 -08:00
Nick Kralevich
1e5021c450 Move some rules around
Move rules / neverallow assertions from public to private policy. This
change, by itself, is a no-op, but will make future patches easier to
read. The only downside of this change is that it will make git blame
less effective.

Motivation: When rules are placed into the public directory, they cannot
reference a private type. A future change will modify these rules to
reference a private type.

Test: compiles
Bug: 112357170
Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
2018-11-28 17:55:21 -08:00
ji, zhenlong z
fdfa42bf29 sepolicy: Allow apps to get info from priv_app by ashmem
This is used to address a CTS testcase failure. This CTS
testcase need to access the content of Contact, some data
from ContactProvider is transfered through ashmem.

Currently ashmem is backed by the tmpfs filesystem, ContactProvider
in android run as a priv_app, so the file context of the ashmem
created by ContactProvider is priv_app_tmpfs. CTS runs as an
untrusted_app, need to be granted the read permission to the
priv_app_tmpfs files.

Bug: 117961216

[Android Version]:
android_p_mr0_r0

[Kernel Version]:
4.19.0-rc8

[CTS Version]:
cts-9.0_r1

[Failed Testcase]:
com.android.cts.devicepolicy.ManagedProfileTest#testManagedContactsPolicies

[Error Log]:
11-11 11:15:50.479 12611 12611 W AndroidTestSuit: type=1400 audit(0.0:811):
avc: denied { read } for path=2F6465762F6173686D656D202864656C6574656429
dev="tmpfs" ino=174636 scontext=u:r:untrusted_app:s0:c113,c256,c522,c768
tcontext=u:object_r:priv_app_tmpfs:s0:c522,c768 tclass=file permissive=0

[Test Result With This Patch]:
PASS

Change-Id: I45efacabe64af36912a53df60ac059889fde1629
2018-10-23 12:37:03 +08:00
Benjamin Gordon
360559e7bb sepolicy: Allow apps to read ashmem fds from system_server
Kernel commit 8a2af06415ef0fc922162503dd18da0d9be7771f (ashmem: switch
to ->read_iter) switched ashmem from using __vfs_read to vfs_iter_read
to read the backing shmem file.  Prior to this, reading from an ashmem
fd that was passed between processes didn't hit any permission checks;
now SELinux checks that the receiver can read from the creator's file
context.

Some apps receive buffers through ashmem from system_server, e.g., the
settings app reads battery stats from system_server through ashmem when
an app details page is opened.  Restore this ability by giving apps read
access to system_server_tmpfs.  system_server is still responsible for
creating and passing across the ashmem buffers, so this doesn't give
apps the ability to read anything system_server isn't willing to give
them.

Bug: 112987536
Bug: 111381531
Test: atest android.appsecurity.cts.PermissionsHostTest on kernel 4.14
Change-Id: Ice5e25f55bc409e91ad7e8c7ea8b28ae213191a3
2018-09-10 17:04:09 +00:00
Nathan Harold
252b015365 Allow getsockopt and setsockopt for Encap Sockets
Because applications should be able to set the receive
timeout on UDP encapsulation sockets, we need to allow
setsockopt(). getsockopt() is an obvious allowance as
well.

Bug: 68689438
Test: compilation
Merged-In: I2eaf72bcce5695f1aee7a95ec03111eca577651c
Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c
2018-04-03 21:52:14 +00:00
Nathan Harold
ee268643c1 Allow More Apps to Recv UDP Sockets from SystemServer
This gives the privilege to system apps, platform apps,
ephemeral apps, and privileged apps to receive a
UDP socket from the system server. This is being added
for supporting UDP Encapsulation sockets for IPsec, which
must be provided by the system.

This is an analogous change to a previous change that
permitted these sockets for untrusted_apps:
0f75a62e2c

Bug: 70389346
Test: IpSecManagerTest, System app verified with SL4A
Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31
2018-01-15 23:10:42 +00:00
Jeff Vander Stoep
77b290f303 app: move appdomain to public policy
Vendor-specific app domains depend on the rules in app.te so they
must reside in public policy.

Bug: 70517907
Test: build
Change-Id: If45557a5732a06f78c752779a8182e053beb25a2
Merged-In: If45557a5732a06f78c752779a8182e053beb25a2
(cherry picked from commit 1f4cab8bd4)
2017-12-19 21:31:01 -08:00
Marissa Wall
80ee23f74a Restrict access to uid_concurrent_*_time
Do not let apps read uid_concurrent_active_time and
uid_concurrent_policy_time.

b/68399339

Test: Check that they can't be read from the shell
    without root permissions and system_server was able
    to read them

Change-Id: I6f09ef608607cb9f4084ba403a1e7254b8c49a06
2017-12-12 19:19:04 +00:00
Benjamin Gordon
9b2e0cbeea sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-21 08:34:32 -07:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Steven Moreland
5b2ebd3b25 Revert "Add screencap domain."
This reverts commit 9216a6adc9.

Bug: 65206688

Merged-In: I8e61b77a1abe9543e4fba77defb8062407676fcf
Change-Id: I8e61b77a1abe9543e4fba77defb8062407676fcf
2017-09-05 10:08:09 -07:00
Steven Moreland
9216a6adc9 Add screencap domain.
Only seeing this denial in permissive:
allow shell screencap_exec:file getattr;

Bug: 37565047
Test: adb shell screencap w/o root
Test: cts-tradefed run cts-dev --module CtsAadbHostTestCases
Merged-In: I9f31d2067e002e7042646ee38dbfc06687481ac7
Change-Id: I9f31d2067e002e7042646ee38dbfc06687481ac7
2017-08-14 11:46:08 -07:00
Nick Kralevich
881fe06f34 Validate no-cross-domain /proc/PID access
am: 7a46380969

Change-Id: Iba80938afccd21f0c3b69626223b35c672358e77
2017-08-11 19:17:29 +00:00
Nick Kralevich
7a46380969 Validate no-cross-domain /proc/PID access
Android uses hidepid=2 to restrict visibility to other /proc entries on
the system. This helps preserve user, application, and system
confidentiality by preventing unauthorized access to application metadata,
and addresses attacks such as
http://www.cs.ucr.edu/~zhiyunq/pub/sec14_android_activity_inference.pdf

Ensure the SELinux (weaker) equivalent is being enforced by adding
neverallow compile time assertions.

TODO: The "shell" user runs as both an Android application, as well as
spawned via adb shell. This was a mistake. We should separate out the
"shell" Android app into it's own SELinux domain. For now, exclude the
shell from this assertion. (The shell Android app is covered by
hidepid=2, so there's no leaking of data, but still, it's over
privileged today and should be cleaned up.

Bug: 23310674
Test: policy compiles. Compile time assertion only.
Change-Id: I0e1a6506b2719aabf7eb8127f046c4ada947ba90
2017-08-11 10:05:22 -07:00
Andreas Gampe
22a8918b2b App: Allow wrapped app to send pid
am: ee694980d0

Change-Id: Ic572585b380405f135646731f9fc749fcee86a3b
2017-07-13 05:28:51 +00:00
Andreas Gampe
ee694980d0 App: Allow wrapped app to send pid
Allow wrapped app to send pid back to zygote.

Bug: 63566721
Bug: 63635227
Test: lunch angler-userdebug && m
Test: lunch angler-user && m
Test: lunch angler-user && m && fastboot flashall && m cts && cts-tradefed run commandAndExit cts-dev -m CtsWrapWrapDebugTestCases
Change-Id: Ie1b41c3eb124aa5ee321c124d0121a0e965f0f0e
2017-07-12 18:24:58 -07:00