Commit graph

135 commits

Author SHA1 Message Date
Marco Ballesio
aa4ce95c6f sepolicy: rules for uid/pid cgroups v2 hierarchy
Bug: 168907513
Test: verified the correct working of the v2 uid/pid hierarchy in normal
and recovery modes

This reverts commit aa8bb3a29b.

Change-Id: Ib344d500ea49b86e862e223ab58a16601eebef47
2021-02-11 23:40:38 +00:00
Marco Ballesio
aa8bb3a29b Revert^3 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
a54bed6907

Bug: 151660495
Test: verified proper boot in regular mode and proper working of adb in
recovery

Change-Id: Id70d27a6162af6ede94661005d80a2a780057089
2021-02-04 22:33:14 +00:00
Marco Ballesio
a54bed6907 Revert^2 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
51c04ac27b

Change-Id: Idc35a84b5faabfb9bdd7a7693f51b11938eb0489
2021-01-27 06:07:48 +00:00
Jonglin Lee
7ce5e714e5 Merge "Revert "sepolicy: rules for uid/pid cgroups v2 hierarchy"" 2020-12-04 04:47:39 +00:00
Jonglin Lee
51c04ac27b Revert "sepolicy: rules for uid/pid cgroups v2 hierarchy"
Revert submission 1511692-cgroup v2 uid/pid hierarchy

Reason for revert: Causing intermittent cgroup kernel panics
Reverted Changes:
I80c2a069b:sepolicy: rules for uid/pid cgroups v2 hierarchy
I73f3e767d:libprocessgroup: uid/pid hierarchy for cgroup v2

Bug: 174776875
Change-Id: I63a03bb43d87c9aa564b1436a45fd5ec023aac87
Test: Locally reverted and booted 100 times without kernel panic
2020-12-04 03:12:59 +00:00
Treehugger Robot
b18b39486f Merge "sepolicy: rules for uid/pid cgroups v2 hierarchy" 2020-12-02 19:50:11 +00:00
Elliott Hughes
ab5e7d3671 Merge "Revert^3 "Enforce RTM_GETLINK restrictions on all 3p apps"" 2020-12-01 18:30:28 +00:00
Bram Bonné
80b8e3cba3 Revert^3 "Enforce RTM_GETLINK restrictions on all 3p apps"
18ccf9725e

Revert submission 1498525-revert-1499099-revert-1450615-mac-address-restrictions-MNRMVNXRJM-OSETMCLBXY

Reason for revert: b/173384499#comment21
Reverted Changes:
I320d3bcf8:Revert^2 "Enforce RTM_GETLINK restrictions on all ...
I51c83733c:Revert^2 "Return anonymized MAC for apps targeting...
I0e8280c74:Revert "Revert "Updates tests for untrusted app MA...
Ia9f61819f:Revert^2 "Soft-enables new MAC address restriction...

Change-Id: I35a00e187f1b39f6aaa777709fb948f840565a82
2020-12-01 10:04:23 +00:00
Marco Ballesio
f46d7a26c1 sepolicy: rules for uid/pid cgroups v2 hierarchy
the cgroups v2 uid/gid hierarchy will replace cgroup for all sepolicy
rules. For this reason, old rules have to be duplicated to cgroup_v2,
plus some rules must be added to allow the ownership change for cgroup
files created by init and zygote.

Test: booted device, verified correct access from init, system_server
and zygote to the uid/pid cgroup files

Change-Id: I80c2a069b0fb409b442e1160148ddc48e31d6809
2020-11-30 11:46:14 -08:00
Bram Bonné
aff923a469 Merge "Revert^2 "Enforce RTM_GETLINK restrictions on all 3p apps"" 2020-11-25 09:59:25 +00:00
Bram Bonné
18ccf9725e Revert^2 "Enforce RTM_GETLINK restrictions on all 3p apps"
f48d1f8e46

The original change was reverted due to InterfaceParamsTest failing.
This test has now been fixed in r.android.com/1498525.
The original change message is below.

This restriction was previously targetSdk gated for apps
with targetSdkVersion>=30.

This change is being posted for app-compat analysis and testing.

Bug: 170188668
Test: build

Change-Id: I320d3bcf8bb64badc39688b19902d532c802dc75
2020-11-16 12:55:39 +00:00
Tej Singh
d083d24c0d Merge "Revert "Enforce RTM_GETLINK restrictions on all 3p apps"" 2020-11-14 01:59:33 +00:00
Tej Singh
f48d1f8e46 Revert "Enforce RTM_GETLINK restrictions on all 3p apps"
Revert "Updates tests for untrusted app MAC address restrictions"

Revert submission 1450615-mac-address-restrictions

Reason for revert: DroidMonitor: Potential culprit for Bug 173243616 - verifying through Forrest before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted

Reverted Changes:
I08c709b2b:Enforce RTM_GETLINK restrictions on all 3p apps
I95d124ae8:Soft-enables new MAC address restrictions.
I5392f8339:Updates tests for untrusted app MAC address restri...
I9d214c5d0:Return anonymized MAC for apps targeting SDK < 30

Change-Id: I987dfc86dfba56a2d2a45075dc19885ca6f0a4ad
2020-11-13 22:27:15 +00:00
Bram Bonné
593c3b5c2f Merge "Enforce RTM_GETLINK restrictions on all 3p apps" 2020-11-12 17:07:11 +00:00
Alan Stokes
a0518b7fdb Make kmsg_device mlstrustedobject.
Few domains are granted access to this, but they should have access
from any user.

Also add some neverallows to prevent misuse.

Bug: 170622707
Test: presubmits
Change-Id: Iacbe7b0525604f2339f8bf31c105af738bc3cd75
2020-10-28 09:41:07 +00:00
Steven Moreland
a43e26e3f2 untrusted_apps: AIDL vendor service parity w/ HIDL
Before, we completely dissallowed any untrusted app to access a service
operated by vendor. However, sometimes this is needed in order to
implement platform APIs. So now, vendor services which aren't explicitly
marked as 'protected_service' (like protected_hwservice in HIDL) are
blocked from being used by apps. This gives everyone a mechanism for
apps to directly access vendor services, when appropriate.

For instance:

                        VINTF
                          |
        vendor.img/etc    |   system.img/etc
                          |
 (vendor HAL) <----AIDL---|--> (public lib   <-- loaded by app
                          |     or platform
                          |     component)
                          |
                          |

Fixes: 163478173
Test: neverallow compiles
Change-Id: Ie2ccbff4691eafdd226e66bd9f1544be1091ae11
2020-10-21 22:33:42 +00:00
Jeff Vander Stoep
03fb6ee903 Enforce RTM_GETLINK restrictions on all 3p apps
This restriction was previously targetSdk gated for apps
with targetSdkVersion>=30.

This change is being posted for app-compat analysis and testing.

Bug: 170188668
Test: build
Change-Id: I08c709b2bb9a67157d0daf921e8ac7717a3bdf6f
2020-10-16 11:04:42 +02:00
Maciej Żenczykowski
e346fbc044 simplify neverallowxperm for tun_device
Test: builds, atest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ia92fc0b9a805763779a13cad6ad3137c9327ca61
2020-07-07 18:41:56 -07:00
Jeff Vander Stoep
2aa8042f9d incident_service: only disallow untrusted access
Allow device-specific domains to access the incident_service.

Test: build
Bug: 156479626
Change-Id: I3b368c09087e2d3542b70be5aa22f8ef47392221
2020-05-13 15:06:17 +00:00
Martijn Coenen
fd54803f0b Allow mediaprovider_app access to /proc/filesystems.
It needs to be able to see supported filesystems to handle external
storage correctly.

Bug: 146419093
Test: no denials
Change-Id: Ie1e0313c73c02a73558d07ccb70de02bfe8c231e
2020-02-19 17:24:24 +01:00
Martijn Coenen
e3f1d5a314 Create new mediaprovider_app domain.
This is a domain for the MediaProvider mainline module. The
MediaProvider process is responsible for managing external storage, and
as such should be able to have full read/write access to it. It also
hosts a FUSE filesystem that allows other apps to access said storage in
a safe way. Finally, it needs to call some ioctl's to set project quota
on the lower filesystem correctly.

Bug: 141595441
Test: builds, mediaprovider module gets the correct domain
Change-Id: I0d705148774a1bbb59c927e267a484cb5c44f548
2020-02-04 16:53:18 +01:00
Jeff Vander Stoep
b38a1d8804 untrusted_app: disallow bind RTM_ROUTE socket
Bug: 141455849
Change-Id: I27a8735626a5c3c8aad49e8a68de166f3a10cfde
Test: CtsSelinuxTargetSdkCurrentTestCases
Test: atest bionic-unit-tests-static
Test: atest NetworkInterfaceTest
2020-01-28 10:49:50 +01:00
Jeff Vander Stoep
1f7ae8ee3f reland: untrusted_app_29: add new targetSdk domain
Enforce new requirements on app with targetSdkVersion=30 including:
- No RTM_GETLINK on netlink route sockets.

Remove some of the repetitive descriptions in each untrusted_app_N.te
file, and instead refer to the description in
public/untrusted_app.te.

Bug: 141455849
Test: CtsSelinuxTargetSdkCurrentTestCases
Test: libcore.java.net.NetworkInterfaceTest#testGetNetworkInterfaces
Change-Id: I89553e48db3bc71f229c71fafeee9005703e5c0b
2020-01-22 09:47:53 +00:00
Santiago Seifert
1d241db7e5 Revert "untrusted_app_29: add new targetSdk domain"
This reverts commit a1aa2210a9.

Reason for revert: Potential culprit for Bug b/148049462 - verifying through Forrest before revert submission

Change-Id: Ibe4fa1dee84defde324deca87d9de24a1cc2911a
2020-01-21 11:35:24 +00:00
Jeff Vander Stoep
a1aa2210a9 untrusted_app_29: add new targetSdk domain
Enforce new requirements on app with targetSdkVersion=30 including:
- No bind() on netlink route sockets.
- No RTM_GETLINK on netlink route sockets.

Remove some of the repetitive descriptions in each untrusted_app_N.te
file, and instead refer to the description in
public/untrusted_app.te.

Bug: 141455849
Test: CtsSelinuxTargetSdkCurrentTestCases
Change-Id: Iad4d142c0c13615b4710d378bc1feca4d125b6cc
2020-01-20 15:31:52 +01:00
Zimuzo Ezeozue
34a19b76ce Merge "Revert "Allow MediaProvider to host FUSE devices."" 2020-01-10 21:17:15 +00:00
Zimuzo Ezeozue
74a6730767 Revert "Allow MediaProvider to host FUSE devices."
This reverts commit b56cc6fb1f.

Reason for revert: Not necessary

Change-Id: I99d7df2435294e78b753149e20377e78c1c60d36
2020-01-08 20:54:28 +00:00
Orion Hodson
b4d7815fe4 Merge "Reland "sepolicy: rework ashmem_device permissions"" 2019-10-16 12:56:59 +00:00
Tri Vo
b554a950f4 Reland "sepolicy: rework ashmem_device permissions"
Only allow apps targetting < Q and ephemeral apps to open /dev/ashmem.
Ephemeral apps are not distinguishable based on target API. So allow
ephemeral_app to open /dev/ashmem for compatibility reasons.

For sake of simplicity, allow all domains /dev/ashmem permissions other
than "open". Reason being that once we can remove "open" access
everywhere, we can remove the device altogether along with  other
permission.

Bug: 134434505
Test: boot crosshatch; browse internet, take picture;
no ashmem_device denials

Change-Id: Ie2464c23d799550722580a21b4f6f344983b43ba
2019-10-15 22:27:28 +00:00
Orion Hodson
5527d706c7 Revert "sepolicy: rework ashmem_device permissions"
This reverts commit d9dcea570c.

Reason for revert: http://b/142742451

Change-Id: If46d6dcbb5df21bad8b6a8215d8c21c6b6733476
2019-10-15 21:16:06 +00:00
Jeff Vander Stoep
28903d9829 untrusted_app_25: remove access to net.dns properties
Bug: 33308258
Test: build
Test: atest CtsSelinuxTargetSdk25TestCases
Change-Id: I0bd3dc60dd95e9fb621933f45115a42bbcbc2ccc
2019-10-15 21:17:29 +02:00
Tri Vo
d9dcea570c sepolicy: rework ashmem_device permissions
Only allow apps targetting < Q and ephemeral apps to open /dev/ashmem.
Ephemeral apps are not distinguishable based on target API. So allow
ephemeral_app to open /dev/ashmem for compatibility reasons.

For sake of simplicity, allow all domains /dev/ashmem permissions other
than "open". Reason being that once we can remove "open" access
everywhere, we can remove the device altogether along with  other
permission.

Bug: 134434505
Test: boot crosshatch; browse internet, take picture;
no ashmem_device denials
Change-Id: Ib4dddc47fcafb2697795538cdf055f305fa77799
2019-10-07 14:13:35 -07:00
Jiyong Park
e95c704b6f Access to HALs from untrusted apps is blacklist-based
Before this change, access to HALs from untrusted apps was prohibited
except for the whitelisted ones like the gralloc HAL, the renderscript
HAL, etc. As a result, any HAL that is added by partners can't be
accessed from apps. This sometimes is a big restriction for them when
they want to access their own HALs in the same-process HALs running in
apps. Although this is a vendor-to-vendor communication and thus is not
a Treble violation, that was not allowed because their HALs are not in
the whitelist in AOSP.

This change fixes the problem by doing the access control in the
opposite way; access to HALs are restricted only for the blacklisted
ones.

All the hwservice context that were not in the whitelist are now put
to blacklist.

This change also removes the neverallow rule for the binder access to
the halserverdomain types. This is not needed as the protected
hwservices living in the HAL processes are already not accessible; we
have a neverallow rule for preventing hwservice_manager from finding
those protected hwservices from untrusted apps.

Bug: 139645938
Test: m

Merged-In: I1e63c11143f56217eeec05e2288ae7c91e5fe585
(cherry picked from commit 580375c923)

Change-Id: I4e611091a315ca90e3c181f77dd6a5f61d3a6468
2019-09-06 14:10:38 +09:00
Steven Moreland
b27a746f50 Merge "Remove vintf_service."
am: cacefc6a78

Change-Id: Id30138a0955dc7883d83daa2b655a06efebcaaf7
2019-08-28 19:15:40 -07:00
Steven Moreland
4bb0a9802a Remove vintf_service.
The only distinction that matters for security is if a service is
served by vendor or not AND which process is allowed to talk to which.

coredomain is allowed to talk to vintf_service OR vendor_service, it's
just that for a non-@VintfStability service user-defined APIs (as
opposed to pingBinder/dump) are restricted.

Bug: 136027762
Test: N/A
Change-Id: If3b047d65ed65e9ee7f9dc69a21b7e23813a7789
2019-08-28 11:32:25 -07:00
Steven Moreland
88fedc2159 Merge "Reland "Re-open /dev/binder access to all.""
am: aa6793febd

Change-Id: I34360631751c98aab0c34fff9bdcdbae02c52297
2019-08-22 16:15:59 -07:00
Steven Moreland
aa6793febd Merge "Reland "Re-open /dev/binder access to all."" 2019-08-22 22:55:04 +00:00
Tri Vo
b5a4640f65 selinux: remove sysfs_mac_address
am: f1e71dc75c

Change-Id: I0bed37692eed895d8bad9af9ea4e507a6dc4f50f
2019-08-22 03:14:30 -07:00
Tri Vo
f1e71dc75c selinux: remove sysfs_mac_address
Nothing is actually labeled as 'sysfs_mac_address'.

Bug: 137816564
Test: m selinux_policy
Change-Id: I2d7e71ecb3a2b4ed76c13eb05ecac3064c1bc469
2019-08-21 13:07:09 -07:00
Maciej enczykowski
8f5e8e5b82 Do not allow untrusted apps to read sysfs_net files
am: 804d99ac76

Change-Id: I9be056dbdc7146857737bb6847fe51b90702a874
2019-08-20 23:25:28 -07:00
Maciej Żenczykowski
804d99ac76 Do not allow untrusted apps to read sysfs_net files
(this includes /sys/class/net/*/address device mac addresses)

Test: builds
Bug: 137816564
Change-Id: I84268b2e0207559ed00baafb8a3f231c676f8df1
Signed-off-by: Maciej Żenczykowski <maze@google.com>
2019-08-20 16:09:46 -07:00
Steven Moreland
b75b047f44 Reland "Re-open /dev/binder access to all."
This reverts commit 6b2eaade82.

Reason for revert: reland original CL

Separate runtime infrastructure now makes sure that only Stable AIDL
interfaces are used system<->vendor.

Bug: 136027762
Change-Id: Id5ba44c36a724e2721617de721f7cffbd3b1d7b6
Test: boot device, use /dev/binder from vendor
2019-08-20 16:03:37 -07:00
Steven Moreland
db28fe2381 Revert "Re-open /dev/binder access to all."
am: 6b2eaade82

Change-Id: Ic2d53641d0cebee31be81307d7a31809fa326f2d
2019-08-20 15:55:40 -07:00
Steven Moreland
6b2eaade82 Revert "Re-open /dev/binder access to all."
This reverts commit 94ff361501.

Fix: 139759536
Test: marlin build fixed

Change-Id: I3ea2e29896722a80b22f09c405be205ffb7de6b2
2019-08-20 22:39:43 +00:00
Steven Moreland
169bfcfe88 Merge changes Icdf207c5,I20aa48ef
am: 30a06d278f

Change-Id: Ia505b1539cfd64bb93c2f5fe0dbd0603df5e9f5f
2019-08-20 13:41:45 -07:00
Steven Moreland
94ff361501 Re-open /dev/binder access to all.
Separate runtime infrastructure now makes sure that only Stable AIDL
interfaces are used system<->vendor.

Bug: 136027762
Test: boot device, use /dev/binder from vendor
Change-Id: Icdf207c5d5a4ef769c0ca6582dc58306f65be67e
2019-08-20 00:03:34 +00:00
Zim
cf289bc411 Allow MediaProvider to host FUSE devices.
am: b56cc6fb1f

Change-Id: Id6909432f50669e4450e6c9fa9de8cc1a8164b08
2019-08-07 19:28:53 -07:00
Zim
b56cc6fb1f Allow MediaProvider to host FUSE devices.
This change is part of enabling upcoming platform changes that are
described in the bug linked below.

Bug: 135341433
Test: m
Change-Id: I6ef499b0d5aa403f8eb6699649a201d8cc004bc5
2019-08-07 19:00:15 +01:00
Pawin Vongmasa
e7e6fffb86 Merge "Properly define hal_codec2 and related policies" into qt-dev
am: cf48bfd082

Change-Id: I974ad8ddfa1c1ec9bacc120e6f892ed0e760df57
2019-05-24 00:33:45 -07:00
Pawin Vongmasa
609c243dd0 Properly define hal_codec2 and related policies
Test: make cts -j123 && cts-tradefed run cts-dev -m \
CtsMediaTestCases --compatibility:module-arg \
CtsMediaTestCases:include-annotation:\
android.platform.test.annotations.RequiresDevice

Bug: 131677974
Change-Id: I59c3d225499a8c53c2ed9f3bd677ff3d7423990b
2019-05-23 03:53:47 -07:00