Commit graph

212 commits

Author SHA1 Message Date
Suren Baghdasaryan
ee57f177d8 allow init to communicate with lmkd and lmkd to kill native processes
init should register native services with lmkd so that they can be killed
when necessary. Allow init to communicate with lmkd over dedicated socket
the same way AMS does. Allow lmkd to kill and manipulate native processes
that were registered with lmkd.

Bug: 129011369
Test: boot and verify native service registration
Test: verify lmkd can kill registered native processes using lmkd_unit_test
Change-Id: Idfc814bd08115c548e97f11a6bdb006790cbb4ed
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-11-07 18:19:44 +00:00
Tri Vo
b554a950f4 Reland "sepolicy: rework ashmem_device permissions"
Only allow apps targetting < Q and ephemeral apps to open /dev/ashmem.
Ephemeral apps are not distinguishable based on target API. So allow
ephemeral_app to open /dev/ashmem for compatibility reasons.

For sake of simplicity, allow all domains /dev/ashmem permissions other
than "open". Reason being that once we can remove "open" access
everywhere, we can remove the device altogether along with  other
permission.

Bug: 134434505
Test: boot crosshatch; browse internet, take picture;
no ashmem_device denials

Change-Id: Ie2464c23d799550722580a21b4f6f344983b43ba
2019-10-15 22:27:28 +00:00
Orion Hodson
5527d706c7 Revert "sepolicy: rework ashmem_device permissions"
This reverts commit d9dcea570c.

Reason for revert: http://b/142742451

Change-Id: If46d6dcbb5df21bad8b6a8215d8c21c6b6733476
2019-10-15 21:16:06 +00:00
Tri Vo
d9dcea570c sepolicy: rework ashmem_device permissions
Only allow apps targetting < Q and ephemeral apps to open /dev/ashmem.
Ephemeral apps are not distinguishable based on target API. So allow
ephemeral_app to open /dev/ashmem for compatibility reasons.

For sake of simplicity, allow all domains /dev/ashmem permissions other
than "open". Reason being that once we can remove "open" access
everywhere, we can remove the device altogether along with  other
permission.

Bug: 134434505
Test: boot crosshatch; browse internet, take picture;
no ashmem_device denials
Change-Id: Ib4dddc47fcafb2697795538cdf055f305fa77799
2019-10-07 14:13:35 -07:00
Tom Cherry
7108a21d59 allow init to open kmsg_debug
The 'stdio_to_kmsg' option will print stdout and stderr to
kmsg_debug.  This requires init to be able to open kmsg_debug.

Test: services with stdio_to_kmsg can print to kmsg_debug
Change-Id: I63f0af8f079f7327c1224aa9e46f19d6549d875b
2019-09-24 12:45:57 -07:00
Treehugger Robot
4db20c6922 Merge "neverallow init *:process noatsecure" 2019-09-17 06:08:18 +00:00
Paul Crowley
2367ba358f Allow toolbox to rm -rf /data/per_boot
Bug: 140882488
Test: create files and dirs in /data/per_boot, check they're removed.
Change-Id: Idf0ba09cbe51cbff6a7b2a464c4651a1f7fcf343
2019-09-16 10:18:57 -07:00
Nick Kralevich
a1458c64d3 neverallow init *:process noatsecure
The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
when init is executing other binaries. The use of LD_PRELOAD for init spawned
services is generally considered a no-no, as it injects libraries which the
binary was not expecting. This is especially problematic for APEXes. The use
of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
code into a process which wasn't expecting that code, with potentially
unexpected side effects.

Test: compiles
Bug: 140789528
Change-Id: Ia781ec7318e700cddfd52df97c504b771f413504
2019-09-16 09:50:32 -07:00
Treehugger Robot
535d297a5f Merge "Root of /data belongs to init (re-landing)" 2019-09-10 04:14:17 +00:00
Paul Crowley
aed0f76ee9 Root of /data belongs to init (re-landing)
Give /data itself a different label to its contents, to ensure that
only init creates files and directories there.

This change originally landed as aosp/1106014 and was reverted in
aosp/1116238 to fix b/140402208. aosp/1116298 fixes the underlying
problem, and with that we can re-land this change.

Bug: 139190159
Bug: 140402208
Test: aosp boots, logs look good
Change-Id: I1a366c577a0fff307ca366a6844231bcf8afe3bf
2019-09-09 14:42:01 -07:00
Nick Kralevich
003e858205 domain.te: remove /proc/sys/vm/overcommit_memory read access
Remove everyone's ability to read /proc/sys/vm/overcommit_memory.
Android's jemalloc implementation no longer uses this file.

init.te had multiple rules which allowed writing to this file. Get rid of
the duplicate rule.

Bug: 140736217
Test: compiles and boots
Test: bypass setup wizard and start the browser, browse the web
Change-Id: I5a2d5f450f5dde5dd55a0cedd7fbd55a6ac0beed
2019-09-09 13:39:28 -07:00
Treehugger Robot
9aa263055b Merge "Revert "Root of /data belongs to init"" 2019-09-06 23:13:48 +00:00
Paul Crowley
d98e311952 Revert "Root of /data belongs to init"
This reverts commit 206b6535f1.

Reason for revert: Droidfood is blocked
Bug: 140402208
Change-Id: I1d1eb014747ba5c5bb656342e53b8c4e434878d1
2019-09-06 19:59:17 +00:00
Martin Stjernholm
d7951d2647 Rename the context for the ART APEX.
Test: Boot (with default flattened APEXes)
Bug: 135753770
Change-Id: I551e88a250d3bd891f63a6bccee0682d0d0de7cf
2019-09-05 19:49:05 +01:00
Paul Crowley
e9465fceb6 Merge "Root of /data belongs to init"
am: b935b6c664

Change-Id: I39a36ec663c98ac55be886e886da4afbf34e9cf2
2019-08-29 23:10:42 -07:00
Paul Crowley
206b6535f1 Root of /data belongs to init
Give /data itself a different label to its contents, to ensure that
only init creates files and directories there.

Bug: 139190159
Test: aosp boots, logs look good
Change-Id: I3ee654a928bdab3f5d435ab6ac24040d9bdd9abe
2019-08-29 15:08:21 -07:00
Zim
7cfc15c68c Merge "Allow remounting /mnt/user/0 as slave mount"
am: 83b28e267e

Change-Id: Ibf8c5c37b8c56fa6c2775b4a591c31ebef6e4dd2
2019-08-27 15:34:10 -07:00
Zim
4e100f2704 Allow remounting /mnt/user/0 as slave mount
This is required for Idf851b3a42910e0ce8fdd75daea1cce91dd1aa98
And is part of enabling upcoming platform changes that are
described in the bug linked below.

Bug: 135341433
Test: m
Change-Id: I1d842fcfae3740d51e7cb2050decf1f83543af7e
2019-08-13 10:45:10 +01:00
Steven Moreland
003b8e9c40 Merge "Remove unused permissions in init."
am: 3f063ca932

Change-Id: I7af3e66d6de3c01b978a6fcb1f51b478b7582b07
2019-07-11 13:54:52 -07:00
Steven Moreland
587008a40b Remove unused permissions in init.
There was some plan to use binder from init, but it was abandoned. As
ServiceManager was recently re-written in C++, and as part of a
continued effort to reduce large dependencies in init and make sure it
is reliable, I'm removing these here.

Bug: 135768100
Test: N/A
Change-Id: I12b57709399c87ee25f689b601572b19abf7fb00
2019-07-10 10:23:52 -07:00
Jiyong Park
6ece872622 Merge "Don't use apexd when TARGET_FLATTEN_APEX == true" am: 825b11ef6f
am: f902b4eb7d

Change-Id: I122aba3ce61085e123b40eda4a02361dd7c50138
2019-05-29 09:33:37 -07:00
Jiyong Park
04d2392c35 Don't use apexd when TARGET_FLATTEN_APEX == true
/system/apex/com.android.runtime is labeled as runtime_apex_dir
and init is allowed to mount on it.

When TARGET_FLATTEN_APEX is true (= ro.apex.updatable is unset or set to
false), apexd is not used to activate the built-in flattened APEXes.
Init simply bind-mounts /system/apex to /apex.

However, there is a special case here. The runtime APEX is installed as
either /system/apex/com.android.runtime.debug or
/system/apex/com.android.runtime.release, whereas it should be activated
on /apex/com.android.runtime - without the .debug or .release suffix.
To handle that case, the build system creates an empty directory
/system/apex/com.android.runtime and the .debug or .release directory
is bind-mounted to the empty directory by init at runtime.

Bug: 132413565
Test: marlin is bootable
Merged-In: I3fde5ff831429723fecd1fa5c10e44f636a63f09
Change-Id: I3fde5ff831429723fecd1fa5c10e44f636a63f09
(cherry picked from commit 99902a175b)
2019-05-29 07:06:28 +09:00
David Anderson
e79bc46748 Merge "Allow init to mkdir inside /data/gsi." am: e93049f9f1
am: 36b2737cd0

Change-Id: I19d53e2cc0910749bdb95968a03a074a8cc092d7
2019-05-28 08:18:19 -07:00
David Anderson
0b1094cc23 Allow init to mkdir inside /data/gsi.
Bug: 133435561
Test: adb shell gsi_tool install
Change-Id: Iaa610c72d8098e157bb89e321624369f86f4ea19
2019-05-23 13:45:00 -07:00
Hridya Valsaraju
075a477735 Merge "Allow init to set context for super_block_device" am: 21770a1603
am: d54aba532c

Change-Id: I3aeacb4ee6a35f2ac4f3384018e34055a76a3d51
2019-05-17 17:24:48 -07:00
Treehugger Robot
21770a1603 Merge "Allow init to set context for super_block_device" 2019-05-17 23:16:33 +00:00
Hridya Valsaraju
217e977107 Allow init to set context for super_block_device
Fixes the following denial during boot:

[    1.358156] selinux: SELinux: Could not set context for
/dev/block/platform/soc/1d84000.ufshc/by-name/super:  Permission denied\x0a
[    1.358275] audit: type=1400 audit(951562.676:7):
avc:  denied  { relabelto } for  pid=1 comm="init" name="super"
dev="tmpfs" ino=17657 scontext=u:r:init:s0 tcontext=u:object_r:super_block_device:s0
tclass=lnk_file permissive=0

Bug: 124410201
Test: make
Change-Id: Ib6752b8a6ae4211ba8c0a7417295b8144a2fed67
2019-05-17 09:35:51 -07:00
Nick Kralevich
e80b3ea8bc Merge "Add TODOs" am: 3db3b1148b
am: a0d0c96fc0

Change-Id: I54c5fb7ae2079cc3b1c73249d79548487948ffc1
2019-05-02 12:03:45 -07:00
Nick Kralevich
44b0efb332 Add TODOs
Bug: 131761776
Test: compiles
Change-Id: Iba3ad475ce25a1ece96717ceecb7c4df8e358d48
2019-05-02 08:29:21 -07:00
Wei Wang
d2aa8da5de Merge "Allow psi monitor users to setched kernel threads" am: 1415c2da7d
am: b8aa92f212

Change-Id: Ifd4f3a350c275da0f26b120cdee287f104e51f6a
2019-05-02 08:12:00 -07:00
Wei Wang
e95d8e9550 Allow psi monitor users to setched kernel threads
psi monitor sched_setscheduler(kworker->task, SCHED_FIFO, &param) was added into pa/1282597

Bug: 131252752
Bug: 129476847
Test: build
Change-Id: I69fdd90e4a39da8d33b417efc7ea7a0da9d9290b
2019-05-01 10:23:02 -07:00
Bowgo Tsai
d7959076b9 Merge "Fix denial of /debug_ramdisk/adb_debug.prop" am: 98fcefb276
am: 65c01163ba

Change-Id: Ie7b5536f2cfa997e8fb34ccb407393da56f959d3
2019-04-23 10:13:58 -07:00
Bowgo Tsai
5a234338c1 Fix denial of /debug_ramdisk/adb_debug.prop
This CL fix the following SELinux denial, by allowing init to getatter
for tmpfs:file.

audit: type=1400 audit(15464939.926:4): avc:  denied  { getattr } for
pid=1 comm="init" path="/debug_ramdisk/adb_debug.prop" dev="tmpfs"
ino=25480 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=file
permissive=0

Note: the current sepolicy (before this change) has the following rules
for tmpfs:file:

$ sesearch --allow -t tmpfs -c file $OUT/vendor/etc/selinux/precompiled_sepolicy
  allow dex2oat tmpfs:file { read map getattr };
  allow init tmpfs:file { read unlink open setattr };
  allow postinstall_dexopt tmpfs:file read;
  allow profman tmpfs:file { read map };
  allow vendor_init tmpfs:file { read map open setattr };

Bug: 126493225
Test: boot a device with debug ramdisk, checks related files are loaded
Change-Id: I6dd356de989d597828a6e04846b793d611c477fa
2019-04-23 06:40:10 +00:00
Tri Vo
c0b2e059f2 Merge "Deprecate /mnt/sdcard -> /storage/self/primary symlink." am: bf7ae04865
am: de8d7a0da4

Change-Id: I86207a187cea992a18e971b239861ee21c97ffb9
2019-04-12 09:45:14 -07:00
Jiyong Park
3ccbb08f74 Allow bootstrap bionic only to init, ueventd, and apexd am: a0f998e6de
am: e2236b3158

Change-Id: I91c1cb98e140a93b61693612a62c17c41cf8ef2d
2019-04-12 05:08:31 -07:00
Tri Vo
8eff3e23d8 Deprecate /mnt/sdcard -> /storage/self/primary symlink.
"This symlink was suppose to have been removed in the Gingerbread
time frame, but lives on."
https://android.googlesource.com/platform/system/core/+/d2f0a2c%5E!/

Apps targeting R+ must NOT use that symlink.

For older apps we allow core init.rc to create
/mnt/sdcard -> /storage/self/primary symlink.

Bug: 129497117
Test: boot device, /mnt/sdcard still around.
Change-Id: I6ecd1928c0f598792d9badbf6616e3acc0450b0d
2019-04-12 03:15:52 +00:00
Jiyong Park
a0f998e6de Allow bootstrap bionic only to init, ueventd, and apexd
The bootstrap bionic (/system/lib/bootstrap/*) are only to the early
processes that are executed before the bionic libraries become available
via the runtime APEX. Allowing them to other processes is not needed and
sometimes causes a problem like b/123183824.

Bug: 123183824
Test: device boots to the UI
Test: atest CtsJniTestCases:android.jni.cts.JniStaticTest#test_linker_namespaces
Change-Id: Id7bba2e8ed1c9faf6aa85dbbdd89add04826b160
2019-04-11 09:51:38 +09:00
Jaegeuk Kim
b9ac23f198 Merge "sepolicy: allow init to tune f2fs" am: 6273b696eb am: a3602ee5ec
am: f88544580f

Change-Id: I88e76f29fb45e42e1f8d51860a30fdde9a277939
2019-04-01 09:34:42 -07:00
Jaegeuk Kim
4439b5785e sepolicy: allow init to tune f2fs
This allows init to tune some f2fs knobs like cp_interval.

Bug: 127511432
Change-Id: I9353444578cb47bc7965cd7b068954a8270c5391
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
2019-03-29 22:15:08 +00:00
Tim Murray
af3639d08a sepolicy: Grant system_server and init access to /proc/pressure/memory am: 251591fa04 am: efd9d3fdb1
am: 50cd647f85

Change-Id: Iab4b3442c6e34595e660a8a4bbd01700eaedcec3
2019-03-29 13:37:17 -07:00
Tim Murray
251591fa04 sepolicy: Grant system_server and init access to /proc/pressure/memory
Need ability for system components to access psi memory pressure file.
Add required permissions for system_server and init to access
/proc/pressure/memory file.

Bug: 129476847
Test: system_server can read /proc/pressure/memory
Change-Id: I10ce4f4fe0e3618fa77539e93246d0aae933082c
Signed-off-by: Tim Murray <timmurray@google.com>
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-03-28 22:11:25 +00:00
Victor Hsieh
05db7d5400 Merge "Move fs-verity key loading into fsverity_init domain" am: 3337a33609 am: db2334d3aa
am: 0f94ee2784

Change-Id: I1350caf6c1ab61c14b69dbb31cfa132d0c7b7b76
2019-03-27 13:51:36 -07:00
Victor Hsieh
3d4ee1dba5 Move fs-verity key loading into fsverity_init domain
fsverity_init is a new shell script that uses mini-keyctl for the actual
key loading.  Given the plan to implement keyctl in toybox, we label
mini-keyctl as u:object_r:toolbox_exec:s0.

This gives us two benefits:
 - Better compatibility to keyctl(1), which doesn't have "dadd"
 - Pave the way to specify key's security labels, since keyctl(1)
   doesn't support, and we want to avoid adding incompatible option.

Test: Boot without SELinux denial
Test: After boot, see the key in /product loaded
Bug: 128607724
Change-Id: Iebd7c9b3c7aa99ad56f74f557700fd85ec58e9d0
2019-03-27 16:31:01 +00:00
Yifan Hong
b9182b37a5 Merge changes from topic "lpdumpd" am: 40f1682ba6 am: 7f891f414f
am: 75117c19c9

Change-Id: I43b884e08059e242830b56e7ddee62c17e6af422
2019-03-26 16:36:36 -07:00
Yifan Hong
5d89abde99 Allow to getattr kmsg_device
These denials occur on boot when android_get_control_file also
changes from readlink() to realpath(), because realpath() will
lstat() the given path.

Some other domains (fastbootd, update_engine, etc.) also uses
libcutils to write to kernel log, where android_get_control_file()
is invoked, hence getattr is added to them as well.

04-28 06:15:22.290   618   618 I auditd  : type=1400 audit(0.0:4): avc: denied { getattr } for comm="logd" path="/dev/kmsg" dev="tmpfs" ino=20917 scontext=u:r:logd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
03-20 19:52:23.431   900   900 I auditd  : type=1400 audit(0.0:7): avc: denied { getattr } for comm="android.hardwar" path="/dev/kmsg" dev="tmpfs" ino=20917 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
...
03-20 22:40:42.316     1     1 W init    : type=1400 audit(0.0:33): avc: denied { getattr } for path="/dev/kmsg" dev="tmpfs" ino=21999 scontext=u:r:init:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0

Test: no denials related to these
Change-Id: I5263dd6b64c06fb092f3461858f57a1a09107429
2019-03-25 10:14:20 -07:00
Jiyong Park
1d8e623fe5 No need to bind-mount bionic libraries am: 5a74473d1b am: 1ec1f839e2
am: 8cd372736f

Change-Id: Ie908baad42e9b2faa2b1c1149f7678b0a5607b6c
2019-03-15 02:44:50 -07:00
Jiyong Park
5a74473d1b No need to bind-mount bionic libraries
This is a partial revert of https://android-review.googlesource.com/c/platform/system/sepolicy/+/891474

The mount points at /bionic are gone. Therefore, init and
otapreopt_chroot do not need to bionic-mount bionic libraries.
Corresponding policies are removed.

Bug: 125549215
Bug: 113373927
Bug: 120266448
Test: m; device boots
Change-Id: I9d9d7ec204315fb5b66beec4e6a3c529bd827590
2019-03-15 14:28:27 +09:00
Xiaoyong Zhou
f184b1233e Merge "add label for /proc/sys/fs/verity/require_signatures" am: 3637592a2d am: b846522a7f
am: 2c77cd209d

Change-Id: I6f792869110ef5ca72215cc2d6c80fc5cb8cf9ae
2019-03-14 16:32:40 -07:00
Xiaoyong Zhou
a711d375ab add label for /proc/sys/fs/verity/require_signatures
This CL add new label for files created by fsverity.

Bug: 112038861
Test: ls -Z /proc/sys/fs/verity/require_signatures.
Change-Id: I8e49ad9a43282bc608449eb0db4ea78617c4ee9a
2019-03-14 12:44:31 -07:00
Suren Baghdasaryan
a52c22172b Merge "sepolicy for vendor cgroups.json and task_profiles.json files" am: e3f15e2abc am: b582791324
am: 14a03c82a4

Change-Id: Ibd4f155feae6b925952b90e0078a5229aa74c7bb
2019-03-01 10:29:38 -08:00