Commit graph

215 commits

Author SHA1 Message Date
Ajay Panicker
a45672614d Allow bluetooth service to access bluetooth directory and add /logs (6/6)
Bug: 31466840
Change-Id: I3984754034349e6c41de6ae9cccbaab95ca5a918
2016-09-16 20:20:31 +00:00
Tao Bao
e06ed7d09a Add ota_package_file label for OTA packages.
(cherry picked from commit 6c3f2831ac)

Allow priv_app, uncrypt, update_engine to access the OTA packages at
/data/ota_package (both A/B and non-A/B). GMSCore (priv_app) checks
the existence of the folder, and downloads the package there if present.

Bug: 28944800
Change-Id: I3c0717861fce7f93b33874a99f6a4a55567612a5
2016-09-13 03:29:37 +00:00
Christopher Wiley
d29c1a0af2 SEPolicy to start hostapd via init
While here, remove a lot of extra permissions that we apparently
had because hostapd was inheriting fds from netd.

Bug: 30041118
Test: netd can request init to start/stop hostapd without denials.

Change-Id: Ia777497443a4226a201030eccb9dfc5a40f015dd
(cherry picked from commit 8a6c5f8553)
2016-08-26 13:18:05 -07:00
Christopher Wiley
97db27d8c5 Define explicit label for wlan sysfs fwpath
avc: denied { write } for name="fwpath" dev="sysfs" ino=6863
scontext=u:r:wificond:s0 tcontext=u:object_r:sysfs_wlan_fwpath:s0
tclass=file permissive=0

Test: wificond and netd can write to this path, wifi works
Test: `runtest frameworks-wifi` passes

Bug: 29579539

Change-Id: Ia21c654b00b09b9fe3e50d564b82966c9c8e6994
(cherry picked from commit 7d13dd806f)
2016-08-26 13:15:41 -07:00
Nick Kralevich
9cb9c4bdfa Merge "fine-grained policy for access to /proc/zoneinfo"
am: 89a8ed4e9a

Change-Id: I3733a74a23b3ece3a38fa2d7a2b3ea996f95c87f
2016-08-14 18:28:49 +00:00
Daniel Micay
7078e8b67a fine-grained policy for access to /proc/zoneinfo
Change-Id: Ica9a16311075f5cc3744d0e0833ed876e201029f
2016-08-08 13:48:01 -04:00
dcashman
5e6aa65f62 resolve merge conflicts of 5423db6 to stage-aosp-master
Change-Id: I16706423534069f69bd0305ac500a9cd74db55a6
2016-08-05 15:01:15 -07:00
Daniel Micay
5423db6eb3 restrict access to timing information in /proc
These APIs expose sensitive information via timing side channels. This
leaves access via the adb shell intact along with the current uses by
dumpstate, init and system_server.

The /proc/interrupts and /proc/stat files were covered in this paper:

https://www.lightbluetouchpaper.org/2016/07/29/yet-another-android-side-channel/

The /proc/softirqs, /proc/timer_list and /proc/timer_stats files are
also relevant.

Access to /proc has been greatly restricted since then, with untrusted
apps no longer having direct access to these, but stricter restrictions
beyond that would be quite useful.

Change-Id: Ibed16674856569d26517e5729f0f194b830cfedd
2016-08-05 13:57:25 -04:00
Daniel Rosenberg
c15090b315 sepolicy: Add policy for sdcardfs and configfs
Change-Id: I4c318efba76e61b6ab0be9491c352f281b1c2bff
Bug: 19160983
2016-07-22 13:34:23 -07:00
Jeff Vander Stoep
17d3d23d89 domain: allow reading /proc/sys/vm/overcommit_memory
am: bc1986fbff

Change-Id: I7707dfb170b31df7e344bf695c124e84a5049b11
2016-06-28 15:27:17 +00:00
Jeff Vander Stoep
bc1986fbff domain: allow reading /proc/sys/vm/overcommit_memory
Needed for jemalloc commit:

2f970c32b527660a33fa513a76d913c812dcf7c
Modify pages_map() to support mapping uncommitted virtual memory.

avc: denied { read } for name="overcommit_memory" dev="proc" ino=10544
scontext=u:r:wificond:s0 tcontext=u:object_r:proc:s0 tclass=file

Bug: 29773242
Change-Id: I78054c1ed576a7998c4ee1d1beca2f610c589c3a
2016-06-28 04:58:01 +00:00
dcashman
b271017cc7 Merge \"Allow access to sysfs usb nodes.\" into nyc-dev
am: 43151dd49b

Change-Id: Ifc7481d101a62ae204e00d16cc01713bcd3c3987
2016-06-13 23:01:34 +00:00
dcashman
b144ebab48 Allow access to sysfs usb nodes.
Some legitimate functionality currently requires direct sysfs access
that is not otherwise possible via the android APIs.  Specifically,
isochronous USB transfers require this direct access, without which USB
audio applications would noticibly suffer.

Grant read access to the usb files under /sys/devices to prevent this
regression.

Bug: 28417852
Change-Id: I3424bf3498ffa0eb647a54cc962ab8c54f291728
2016-06-10 09:04:58 -07:00
David Sehr
90b0089568 SELinux policy for /data/misc/profman
am: a5d0792508

* commit 'a5d07925080f59073b03d24d3997aecd6d4bbf2c':
  SELinux policy for /data/misc/profman

Change-Id: I1329afb3191abaa1b08ce9a706228a02a0c53a47
2016-06-01 14:01:32 +00:00
David Sehr
a5d0792508 SELinux policy for /data/misc/profman
Bug: 28748264
Change-Id: I872c25666707beb737f3ce7a4f706c0135df7ad5
2016-05-31 17:36:41 -07:00
Fyodor Kupolov
72f0fbb2f7 SELinux policies for /data/preloads directory
am: 49ac2a3d7a

* commit '49ac2a3d7a40d998e3b1be0b0172be8f651bc935':
  SELinux policies for /data/preloads directory

Change-Id: Ib928cda316ef31f361ad09ef29b264eb9df754d5
2016-05-24 22:18:41 +00:00
Fyodor Kupolov
49ac2a3d7a SELinux policies for /data/preloads directory
A new directory is created in user data partition that contains preloaded
content such as a retail mode demo video and pre-loaded APKs.

The new directory is writable/deletable by system server. It can only be
readable (including directory list) by privileged or platform apps

Bug: 28855287
Change-Id: I3816cd3a1ed5b9a030965698a66265057214f037
2016-05-24 20:17:45 +00:00
Christian Poetzsch
97573fdfaa sepolicy: add support for new tracefs
Since kernel 4.1 ftrace is supported as a new separate filesystem. It
gets automatically mounted by the kernel under the old path
/sys/kernel/debug/tracing. Because it lives now on a separate device
some sepolicy rules need to be updated. This patch is doing that. Most
of the rules are created based on a conversation happened on the SELinux
Android mailing list:

http://comments.gmane.org/gmane.comp.security.seandroid/2799

Note, that this also needs 3a343a1 from the 4.4 branch in kernel/common.
Also note that when tracefs is auto mounted by the kernel, the kernel
does not use the "mode" parameter specified to mount debugfs for
tracefs. So an extra line like

   chmod 0755 /sys/kernel/debug/tracing

is necessary in init.${ro.hardware}.rc after debugfs was mounted.

Signed-off-by: Christian Poetzsch <christian.potzsch@imgtec.com>

(cherry picked from commit 4dafa72ac9)

Change-Id: I75738c756b49da4ac109ae442ee37c1e2844ff0a
2016-05-13 08:39:03 -07:00
Christian Poetzsch
6b2d897822 sepolicy: add support for new tracefs am: 4dafa72ac9
am: 0b26e99b68

* commit '0b26e99b6870dc6ae5b9bc146b83c9537f9a5dc1':
  sepolicy: add support for new tracefs

Change-Id: I9189f98cb7cff87c412c7b3e09030c723b70abd7
2016-05-13 14:55:24 +00:00
Christian Poetzsch
4dafa72ac9 sepolicy: add support for new tracefs
Since kernel 4.1 ftrace is supported as a new separate filesystem. It
gets automatically mounted by the kernel under the old path
/sys/kernel/debug/tracing. Because it lives now on a separate device
some sepolicy rules need to be updated. This patch is doing that. Most
of the rules are created based on a conversation happened on the SELinux
Android mailing list:

http://comments.gmane.org/gmane.comp.security.seandroid/2799

Note, that this also needs 3a343a1 from the 4.4 branch in kernel/common.
Also note that when tracefs is auto mounted by the kernel, the kernel
does not use the "mode" parameter specified to mount debugfs for
tracefs. So an extra line like

   chmod 0755 /sys/kernel/debug/tracing

is necessary in init.${ro.hardware}.rc after debugfs was mounted.

Change-Id: I60fb7a90e24628e0370c3bca57644451fce5646d
Signed-off-by: Christian Poetzsch <christian.potzsch@imgtec.com>
2016-05-13 12:38:15 +00:00
Jeff Vander Stoep
e806cc9699 move gpsd domain to device specific policy am: 3ba2d46616
am: 30a5ea5c72

* commit '30a5ea5c72e61ac2a2025d938e644847ea31efc7':
  move gpsd domain to device specific policy

Change-Id: If892add123561972e6008615ce055de5c6befa9c
2016-05-13 00:15:05 +00:00
Jeff Vander Stoep
3ba2d46616 move gpsd domain to device specific policy
Only used by Flounder.

Bug: 8435593
Change-Id: I06655e897ab68a1724190950e128cd390617f2bd
2016-05-12 15:46:07 -07:00
William Roberts
fa4b16736d property_socket: add mlstrustedobject attribute am: 9fca8a398d
am: 78b4370e8f

* commit '78b4370e8f92799c7372ea55c7b6844218332492':
  property_socket: add mlstrustedobject attribute

Change-Id: I430d100fd5432d0426c26f39811145b3e4578f7a
2016-05-06 17:45:44 +00:00
William Roberts
9fca8a398d property_socket: add mlstrustedobject attribute
In order to allow set_prop() to function with platform_apps,
the property_socket file requires mlstrustedobject since
platform app uses category sets.

This does not allow untrusted_app access, as the following
neverallows still prevent type access:

untrusted_app.te:118:neverallow untrusted_app property_socket:sock_file write;
untrusted_app.te:120:neverallow untrusted_app property_type:property_service set;

Lastly, the internal socket to property_service is labeled with init
which is mlstrustedsubject, so no changes are required there.

Change-Id: I47296a2dc24b16785fd296deea7a54ae9966226a
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-05-06 09:20:28 -07:00
Nick Kralevich
7be485e56f Delete sysfs_writable from core policy. am: a007594
am: 7cb08dd793

* commit '7cb08dd7931be152e914332ba94e3e5e512c3990':
  Delete sysfs_writable from core policy.

Change-Id: I1c487f0d532eafe10504c34135e9d95f071e4c5b
2016-04-19 00:29:12 +00:00
Nick Kralevich
a007594150 Delete sysfs_writable from core policy.
It's only used by the emulators, never by core policy.
Move the definition to the emulators.

Bug: 28221393
Change-Id: I7ca56e04d611cfccde507313ba9c2a0a71d54d06
2016-04-18 15:14:03 -07:00
Alex Deymo
ac52f460c0 Allow postinstall_file to be an entrypoint.
postinstall_file was an exec_type so it could be an entrypoint for the
domain_auto_trans from update_engine domain to postinstall domain. This
patch removes the exec_type from postinstall_file and exempts it from
the neverallow rule to become an entrypoint.

Bug: 28008031
TEST=postinstall_example still runs as the "postinstall" domain on edison-eng.

(cherry picked from commit a9671c6b9e)

Change-Id: I2e1f61ed42f8549e959edbe047c56513903e8e9c
2016-04-08 23:07:08 -07:00
Alex Deymo
56240c6775 Allow postinstall_file to be an entrypoint. am: a9671c6
am: 786926a

* commit '786926a9a52491945862d1bf123ffb07b9146a23':
  Allow postinstall_file to be an entrypoint.

Change-Id: I88c40cec600f7c573ca623059322e64f61b6951c
2016-04-06 21:44:17 +00:00
Alex Deymo
a9671c6b9e Allow postinstall_file to be an entrypoint.
postinstall_file was an exec_type so it could be an entrypoint for the
domain_auto_trans from update_engine domain to postinstall domain. This
patch removes the exec_type from postinstall_file and exempts it from
the neverallow rule to become an entrypoint.

Bug: 28008031
TEST=postinstall_example still runs as the "postinstall" domain on edison-eng.

Change-Id: Icbf5b262c6f971ce054f1b4896c611b32a6d66b5
2016-04-06 11:13:37 -07:00
Alex Deymo
5c4f7a89dc Merge "Revert "Remove "exec_type" from postinstall_file."" am: 2f72269
am: 4eecbd7

* commit '4eecbd7a6f5da67067658f4c12a76b659458f936':
  Revert "Remove "exec_type" from postinstall_file."

Change-Id: I0e502214e25b025e08746b46367ac5773c3c3e8f
2016-04-05 23:20:57 +00:00
Alex Deymo
f43af3a63e Revert "Remove "exec_type" from postinstall_file."
We decided a different approach for these policies in the
meeting today.

This reverts commit 5507fa6672.

Bug: 28008031
Change-Id: Id86520660bdbc3fc36ac4acf51082547d6a559eb
2016-04-05 23:00:31 +00:00
Alex Deymo
6db54e0b5e Remove "exec_type" from postinstall_file. am: 5507fa6
am: bcf75fd

* commit 'bcf75fdf7d577035fb457de085f1f30222a44210':
  Remove "exec_type" from postinstall_file.

Change-Id: I7e56d028eafa37adea9d5dca3cff85c3fde453e5
2016-04-05 15:48:03 +00:00
Alex Deymo
5507fa6672 Remove "exec_type" from postinstall_file.
update_engine had an automatic transition to the "postinstall" domain
when executing a "postinstall_file" which required it to be an
entrypoint. This patch removes this automatic transition and the
associated rules in update_engine.te, removing as well the need to
add exec_type to postinstall_file. Instead, update_engine now makes
this transition explicit by calling setexeccon(3).

Bug: 28008031
TEST=make dist; Deployed an update to edison-eng: postinstall runs as "postinstall" domain.

Change-Id: I2b799ac4808c90b010a9e776aaa7015020a94b49
2016-04-04 18:58:07 -07:00
Daichi Hirono
f19fb0c973 Add mlstrustedobject to appfuse object type.
To write bytes to appfuse file from priv_app, we need to specify
mlstrustedobject.
The CL fixes the following denial.

type=1400 audit(0.0:77): avc: denied { write } for name="10" dev="fuse" ino=10 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:app_fuse_file:s0 tclass=file permissive=0

BUG=23093747

(cherry picked from commit 4d19f98c72)

Change-Id: I9901033bb3349d5def0bd7128db45a1169856dc1
2016-03-29 21:36:37 +09:00
Daichi Hirono
023eb98020 Add mlstrustedobject to appfuse object type.
am: 4d19f98

* commit '4d19f98c728373860c5628d46fe5f4d664c601d2':
  Add mlstrustedobject to appfuse object type.
2016-03-28 00:20:55 +00:00
Daichi Hirono
4d19f98c72 Add mlstrustedobject to appfuse object type.
To write bytes to appfuse file from priv_app, we need to specify
mlstrustedobject.
The CL fixes the following denial.

type=1400 audit(0.0:77): avc: denied { write } for name="10" dev="fuse" ino=10 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:app_fuse_file:s0 tclass=file permissive=0

BUG=23093747

Change-Id: I9901033bb3349d5def0bd7128db45a1169856dc1
2016-03-28 00:06:45 +00:00
Jeffrey Vander Stoep
6b65143f79 Merge "sysfs_uio: declare type in core policy" into nyc-dev 2016-03-25 15:42:39 +00:00
Jeff Vander Stoep
8cce41288d sysfs_uio: declare type in core policy
am: f2d0790

* commit 'f2d07904f7754a066c7e15a072cf57126ff348d3':
  sysfs_uio: declare type in core policy
2016-03-25 15:42:38 +00:00
Jeff Vander Stoep
cf37f9ea95 sysfs_uio: declare type in core policy
(cherry picked from commit f2d07904f7)

/dev/uio uio_device is already declared. Accessing uio through /sys
is also common.

Bug: 26990688
Change-Id: I3db941161dae31d3b87f265708abbcd9171a2c1f
2016-03-25 08:32:23 -07:00
Jeff Vander Stoep
f2d07904f7 sysfs_uio: declare type in core policy
/dev/uio uio_device is already declared. Accessing uio through /sys
is also common.

Bug: 26990688
Change-Id: I3db941161dae31d3b87f265708abbcd9171a2c1f
2016-03-25 08:22:24 -07:00
dcashman
df72abb3a2 Move sysfs_thermal to global policy and grant access.
sysfs_thermal nodes are common enough to warrant an entry in global
policy and the new HardwarePropertiesManagerService exists explicitly to
expose some of this information.

Address the following denials:
avc: denied { search } for name="thermal" dev="sysfs" ino=17509 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=1
avc: denied { read } for name="temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { getattr } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1

(cherry-pick of internal commit: 98eff7c3d4)

Bug: 27809332
Change-Id: I6f812a7e281e348aa24c76b119e71ed95e1a1d9f
2016-03-24 14:18:27 -07:00
Mark Salyzyn
6705526ddf Merge "Add recovery_persist & recovery_refresh" into nyc-dev 2016-03-24 19:53:14 +00:00
Mark Salyzyn
05806470b7 Add recovery_persist & recovery_refresh
(cherry pick from commit 16fe52c90c)

One time executables. recovery_refresh can be used at any time to
ensure recovery logs in pmsg are re-placed at the end of the FIFO.
recovery_persist takes the recovery logs in pmsg and drops them
into /data/misc/recovery/ directory.

Bug: 27176738
Change-Id: Ife3cf323930fb7a6a5d1704667961f9d42bfc5ac
2016-03-24 12:48:26 -07:00
Mark Salyzyn
000c03b481 Add recovery_persist & recovery_refresh
am: 16fe52c

* commit '16fe52c90caae18c0d91918d6bfc471f2e637207':
  Add recovery_persist & recovery_refresh
2016-03-24 19:37:02 +00:00
Mark Salyzyn
16fe52c90c Add recovery_persist & recovery_refresh
One time executables. recovery_refresh can be used at any time to
ensure recovery logs in pmsg are re-placed at the end of the FIFO.
recovery_persist takes the recovery logs in pmsg and drops them
into /data/misc/recovery/ directory.

Bug: 27176738
Change-Id: Ife3cf323930fb7a6a5d1704667961f9d42bfc5ac
2016-03-24 11:30:29 -07:00
dcashman
4750685464 Move sysfs_thermal to global policy and grant access.
am: 98eff7c

* commit '98eff7c3d46abe2db996c0718b7386a3e368f344':
  Move sysfs_thermal to global policy and grant access.
2016-03-24 17:12:52 +00:00
dcashman
98eff7c3d4 Move sysfs_thermal to global policy and grant access.
sysfs_thermal nodes are common enough to warrant an entry in global
policy and the new HardwarePropertiesManagerService exists explicitly to
expose some of this information.

Address the following denials:
avc: denied { search } for name="thermal" dev="sysfs" ino=17509 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=1
avc: denied { read } for name="temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { getattr } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1

Bug: 27809332
Change-Id: I2dbc737971bf37d197adf0d5ff07cb611199300d
2016-03-24 09:40:39 -07:00
Daniel Rosenberg
bc2f0e50f2 Merge "sepolicy: Add policy for sdcardfs and configfs" into nyc-dev
am: cf8719e

* commit 'cf8719e7bad53d6c38b2825b736c27c3f37dbf4e':
  sepolicy: Add policy for sdcardfs and configfs
2016-03-22 00:51:44 +00:00
Daniel Rosenberg
cf8719e7ba Merge "sepolicy: Add policy for sdcardfs and configfs" into nyc-dev 2016-03-22 00:46:48 +00:00
dcashman
f100b2c4e6 Create sysfs_hwrandom type.
HwRngTest needs access to the hwrandom sysfs files, but untrused_app
does not have access to sysfs.  Give these files their own label and
allow the needed read access.

(cherry-pick from internal commit: 85c0f8affa)

Bug: 27263241
Change-Id: If572ad0931a534d76e148b688b76687460e99af9
2016-03-14 10:27:33 -07:00