The space between 2K and 16K in /misc is currently reserved for vendor's
use (as claimed in bootloader_message.h), but we don't allow vendor
module to access misc_block_device other than vendor_init.
The change in the topic adds a `misc_writer` tool as a vendor module,
which allows writing data to the vendor space to bridge the gap in the
short term. This CL adds matching labels to grant access.
Long term goal is to move /misc as vendor owned, then to provide HAL
access from core domain (b/132906936).
Bug: 132906936
Test: Build crosshatch that includes misc_writer module. Invoke
/vendor/bin/misc_writer to write data to /misc.
Change-Id: I4c18d78171a839ae5497b3a61800193ef9e51b3b
`persist.sys.device_provisioned` is set (more precisely, "will be set",
via internal change in ag/7567585) by system_server based on device
privisioning state. This CL grants vendor_init to set up action triggers
based on the property value.
avc: denied { read } for property=persist.sys.device_provisioned pid=0 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:system_prop:s0 tclass=file permissive=0
Bug: 131702833
Bug: 132906936
Test: Set an init trigger that waits on `persist.sys.device_provisioned`.
Check that there's no longer a denial.
Change-Id: I64e50bd31c90db4b3bdd3bd014a90d7bef708b57
Fixes the following denial during boot:
[ 1.358156] selinux: SELinux: Could not set context for
/dev/block/platform/soc/1d84000.ufshc/by-name/super: Permission denied\x0a
[ 1.358275] audit: type=1400 audit(951562.676:7):
avc: denied { relabelto } for pid=1 comm="init" name="super"
dev="tmpfs" ino=17657 scontext=u:r:init:s0 tcontext=u:object_r:super_block_device:s0
tclass=lnk_file permissive=0
Bug: 124410201
Test: make
Change-Id: Ib6752b8a6ae4211ba8c0a7417295b8144a2fed67
installd has been deleting files on the primary (emulated) storage
device for awhile now, but it was lacking the ability to delete files
on secondary (physical) storage devices.
Even though we're always going through an sdcardfs layer, the
kernel checks our access against the label of the real underlying
files.
Instead of tediously listing each possible storage label, using
"sdcard_type" is more descriptive and future-proof as new
filesystems are added.
avc: denied { read open } for path="/mnt/media_rw/1B82-12F6/Android/data/com.android.cts.writeexternalstorageapp" dev="loop9p1" ino=1224 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1
avc: denied { write search } for name="cache" dev="loop9p1" ino=1225 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1
avc: denied { remove_name } for name="probe" dev="loop9p1" ino=1232 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1
avc: denied { unlink } for name="probe" dev="loop9p1" ino=1232 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=1
avc: denied { rmdir } for name="cache" dev="loop9p1" ino=1225 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1
Bug: 113277754
Test: atest android.appsecurity.cts.StorageHostTest
Test: atest android.appsecurity.cts.ExternalStorageHostTest
Test: atest --test-mapping frameworks/base/services/core/java/com/android/server/pm/
Change-Id: Id79d8f31627c0bfb490b4280c3b0120d0ef699bf
It doesn't make sense to write neverallow assertions where an attribute
negation exists allowing the operation. When such a negation exists,
domains can "opt-out" of the neverallow assertion by declaring their
use of the attribute. Such trivially bypassable assertions provide
no security nor architectural guarantees.
"netdomain" is such an attribute. This attribute is used by processes to
indicate that they communicate with the network, for example, using
TCP/UDP sockets. Vendor code is freely allowed to use network
communication by declaring their use of the attribute.
Because the attribute is usable to any vendor domain, the "no socket
connections to netd" restriction is pointless and provides a false sense
of security. Any process can opt-out of these restrictions by just
declaring their use of networking functionality. This also results in
ineffective policy bloat, making it difficult to reason about the policy
and make changes.
Delete the ineffective, misleading neverallow assertion.
Test: compiles
Change-Id: Ia72d9660a337ef811e56c9227af29b17d043b99f
Clatd is effectively an internal implementation detail of netd.
It exists as a separate daemon only because this gives us a better
security boundary. Netd is it's only launcher (via fork/exec) and
killer.
Generated via:
{ echo; cat public/clatd.te; echo; } >> private/clatd.te
rm -f public/clatd.te
plus a minor edit to put coredomain after clatd type declaration
and required changes to move netd's clatd use out of public into private.
Test: build and install on non-aosp test device, atest, check for selinux clat denials
Change-Id: I80f110b75828f3657986e64650ef9e0f9877a07c
bpf programs/maps are now loaded by the bpfloader, not netd
Test: built/installed on crosshatch which uses eBPF - no avc denials
Bug: 131268436
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1ebd82e6730d62d1966da3c4634ecd78ce703543
Merged-In: I1ebd82e6730d62d1966da3c4634ecd78ce703543
(cherry picked from commit 487fcb87c0)
No longer needed, since this is now done by netd.
In a separate commit so it can potentially not be backported to Q
if we so desire.
Test: build/installed on crosshatch with netd/clatd changes,
and observed functioning ipv4 on ipv6 only network with no
avc denials
Bug: 65674744
Bug: 131268436
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id927ee73469d3e90f5111bd5e31ed760a58c8ebe
Merged-In: Id927ee73469d3e90f5111bd5e31ed760a58c8ebe
(cherry picked from commit 3e41b297d2)
This is presumably libc isatty detection on stdin/out/err.
Either way - allowing it is harmless.
This fixes:
type=1400 audit(): avc: denied { getattr } for comm="dnsmasq" path="pipe:[38315]" dev="pipefs" ino=38315 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=fifo_file permissive=0
Test: built and observed no more avc denials on crosshatch
Bug: 77868789
Bug: 131268436
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ieab51aeb67ebb85b6c778410ba96963612277ae4
Merged-In: Ieab51aeb67ebb85b6c778410ba96963612277ae4
(cherry picked from commit afa10f7223)
Media component update service is removed, so selinux
permissions for it are no longer needed.
Bug: 123250010
Test: boot, play video
Change-Id: I0fec6839f5caf53d16399cb72dcdd6df327efc95
VTS tests are run after flashing a GSI image on the device.
The properties ro.boot.dynamic_partitions and ro.boot.dynamic_partitions_retrofit
are currently placed in product partition and will be overwritten by the GSI image.
We need to move these properties to vendor partition so that they will be available
even after the device is flashed with GSI.
Bug: 132197773
Test: build and flash, adb getprop ro.boot.dynamic_partitions
Change-Id: Ib04896ef744d8d2daa5cb3feee2cbf45aae2ba51
Merged-In: Ib04896ef744d8d2daa5cb3feee2cbf45aae2ba51
Kernel commit da69a5306ab92e07224da54aafee8b1dccf024f6
("selinux: support distinctions among all network address families")
modified the kernel to support fine grain differentiation of socket
families, if userspace enables it (which Android does).
Modify the mtp SELinux policy to allow the use of pppox_socket
(needed for kernels 4.14 or greater) and the generic "socket" family
(for kernels below 4.14).
Bug: 130852066
Test: compiles
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I8ac4c2f98f823120060e51438b39254898f4a27e
Merged-In: I8ac4c2f98f823120060e51438b39254898f4a27e
(cherry picked from commit 8fa5ebdee7)
No longer needed, since this is now done by netd.
In a separate commit so it can potentially not be backported to Q
if we so desire.
Test: build/installed on crosshatch with netd/clatd changes,
and observed functioning ipv4 on ipv6 only network with no
avc denials
Bug: 65674744
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id927ee73469d3e90f5111bd5e31ed760a58c8ebe
Kernel commit da69a5306ab92e07224da54aafee8b1dccf024f6
("selinux: support distinctions among all network address families")
modified the kernel to support fine grain differentiation of socket
families, if userspace enables it (which Android does).
Modify the mtp SELinux policy to allow the use of pppox_socket
(needed for kernels 4.14 or greater) and the generic "socket" family
(for kernels below 4.14).
Bug: 130852066
Test: compiles
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I8ac4c2f98f823120060e51438b39254898f4a27e
VTS tests are run after flashing a GSI image on the device.
The properties ro.boot.dynamic_partitions and ro.boot.dynamic_partitions_retrofit
are currently placed in product partition and will be overwritten by the GSI image.
We need to move these properties to vendor partition so that they will be available
even after the device is flashed with GSI.
Bug: 132197773
Test: build and flash, adb getprop ro.boot.dynamic_partitions
Change-Id: Ib04896ef744d8d2daa5cb3feee2cbf45aae2ba51
Kernel commit da69a5306ab92e07224da54aafee8b1dccf024f6
("selinux: support distinctions among all network address families")
modified the kernel to support fine grain differentiation of socket
families, if userspace enables it (which Android does).
Modify the ppp SELinux policy to allow the use of pppox_socket
(needed for kernels 4.14 or greater) and the generic "socket" family
(for kernels below 4.14).
Addresses the following denials:
04-19 20:25:34.059 16848 16848 I pppd : type=1400 audit(0.0:8703): avc: denied { read write } for dsm=HS_Q path="socket:[171178]" dev="sockfs" ino=171178 scontext=u:r:ppp:s0 tcontext=u:r:mtp:s0 tclass=pppox_socket permissive=1
04-19 20:25:34.075 16848 16848 I pppd : type=1400 audit(0.0:8704): avc: denied { ioctl } for dsm=HS_Q path="socket:[171179]" dev="sockfs" ino=171179 ioctlcmd=0x7437 scontext=u:r:ppp:s0 tcontext=u:r:mtp:s0 tclass=pppox_socket permissive=1
Bug: 130852066
Test: compiles
Change-Id: I00cc07108acaac5f2519ad0093d9db9572e325dc
Merged-In: I00cc07108acaac5f2519ad0093d9db9572e325dc
Kernel commit da69a5306ab92e07224da54aafee8b1dccf024f6
("selinux: support distinctions among all network address families")
modified the kernel to support fine grain differentiation of socket
families, if userspace enables it (which Android does).
Modify the ppp SELinux policy to allow the use of pppox_socket
(needed for kernels 4.14 or greater) and the generic "socket" family
(for kernels below 4.14).
Addresses the following denials:
04-19 20:25:34.059 16848 16848 I pppd : type=1400 audit(0.0:8703): avc: denied { read write } for dsm=HS_Q path="socket:[171178]" dev="sockfs" ino=171178 scontext=u:r:ppp:s0 tcontext=u:r:mtp:s0 tclass=pppox_socket permissive=1
04-19 20:25:34.075 16848 16848 I pppd : type=1400 audit(0.0:8704): avc: denied { ioctl } for dsm=HS_Q path="socket:[171179]" dev="sockfs" ino=171179 ioctlcmd=0x7437 scontext=u:r:ppp:s0 tcontext=u:r:mtp:s0 tclass=pppox_socket permissive=1
Bug: 130852066
Test: compiles
Change-Id: I00cc07108acaac5f2519ad0093d9db9572e325dc
