This reverts commit 6b2eaade82.
Reason for revert: reland original CL
Separate runtime infrastructure now makes sure that only Stable AIDL
interfaces are used system<->vendor.
Bug: 136027762
Change-Id: Id5ba44c36a724e2721617de721f7cffbd3b1d7b6
Test: boot device, use /dev/binder from vendor
Separate runtime infrastructure now makes sure that only Stable AIDL
interfaces are used system<->vendor.
Bug: 136027762
Test: boot device, use /dev/binder from vendor
Change-Id: Icdf207c5d5a4ef769c0ca6582dc58306f65be67e
In b/73062966, we add new AID ranges for each partition that doesn't
yet have them (system, system_ext, odm, product). We also add group
and passwd files to these partitions to be able to map these AIDs into
human readable user and group names, and vice versa.
All processes should be able to read all users and groups. We divide
the ranges into non-overlapping regions for each partition and we
namespace the names with the partition name as a prefix.
Allow domain r_file_perms to
/(system|product|system_ext)/etc/(group|passwd).
Vendor and odm passwd and group files already have this access, since
/(vendor|odm)/etc/* is already domain readable.
Example contents:
blueline:/ $ cat /system/etc/passwd
system_tom::6050:6050::/:/bin/sh
blueline:/ $ cat /product/etc/passwd
product_tom::7013:7013::/:/bin/sh
Bug: 73062966
Test: tree-hugger selinux denial during boot test
Change-Id: Ib4dc31778e95e952174e1365497feaf93dca7156
There was some plan to use binder from init, but it was abandoned. As
ServiceManager was recently re-written in C++, and as part of a
continued effort to reduce large dependencies in init and make sure it
is reliable, I'm removing these here.
Bug: 135768100
Test: N/A
Change-Id: I12b57709399c87ee25f689b601572b19abf7fb00
Bug: http://b/135139675
Coverage files are written to /data/misc/trace (governed by the
method_trace_data_file selinux type). Allow all domains to access
(create directories, access files) this directory when native coverage
is enabled (by setting NATIVE_COVERAGE to true) in an userdebug or eng
build.
Also relax neverallow constraints to allow access to
method_trace_data_file for native coverage builds.
Test: Build 32-bit cuttlefish with coverage:
m NATIVE_COVERAGE=true COVERAGE_PATHS="*"
and verify that there are no selinux denials in kernel log and
logcat.
Change-Id: I3fe7c77612854b9de7de7a0ddd5cbf44a2f5c21e
Although this may appear very permissive, it ok since the current allow
rule already gives every domain access to /dev/ashmem.
Change-Id: I1f121a3c6a911819b2c3e0605a0544a039cb5503
Bug: 134161662
Test: Check logcat for Sepolicy denials (logcat -d | grep shmem)
The space between 2K and 16K in /misc is currently reserved for vendor's
use (as claimed in bootloader_message.h), but we don't allow vendor
module to access misc_block_device other than vendor_init.
The change in the topic adds a `misc_writer` tool as a vendor module,
which allows writing data to the vendor space to bridge the gap in the
short term. This CL adds matching labels to grant access.
Long term goal is to move /misc as vendor owned, then to provide HAL
access from core domain (b/132906936).
Bug: 132906936
Test: Build crosshatch that includes misc_writer module. Invoke
/vendor/bin/misc_writer to write data to /misc.
Change-Id: I4c18d78171a839ae5497b3a61800193ef9e51b3b
Merged-In: I4c18d78171a839ae5497b3a61800193ef9e51b3b
(cherry picked from commit 42c05cfcc1)
The space between 2K and 16K in /misc is currently reserved for vendor's
use (as claimed in bootloader_message.h), but we don't allow vendor
module to access misc_block_device other than vendor_init.
The change in the topic adds a `misc_writer` tool as a vendor module,
which allows writing data to the vendor space to bridge the gap in the
short term. This CL adds matching labels to grant access.
Long term goal is to move /misc as vendor owned, then to provide HAL
access from core domain (b/132906936).
Bug: 132906936
Test: Build crosshatch that includes misc_writer module. Invoke
/vendor/bin/misc_writer to write data to /misc.
Change-Id: I4c18d78171a839ae5497b3a61800193ef9e51b3b
It doesn't make sense to write neverallow assertions where an attribute
negation exists allowing the operation. When such a negation exists,
domains can "opt-out" of the neverallow assertion by declaring their
use of the attribute. Such trivially bypassable assertions provide
no security nor architectural guarantees.
"netdomain" is such an attribute. This attribute is used by processes to
indicate that they communicate with the network, for example, using
TCP/UDP sockets. Vendor code is freely allowed to use network
communication by declaring their use of the attribute.
Because the attribute is usable to any vendor domain, the "no socket
connections to netd" restriction is pointless and provides a false sense
of security. Any process can opt-out of these restrictions by just
declaring their use of networking functionality. This also results in
ineffective policy bloat, making it difficult to reason about the policy
and make changes.
Delete the ineffective, misleading neverallow assertion.
Test: compiles
Change-Id: Ia72d9660a337ef811e56c9227af29b17d043b99f
Media component update service is removed, so selinux
permissions for it are no longer needed.
Bug: 123250010
Test: boot, play video
Change-Id: I0fec6839f5caf53d16399cb72dcdd6df327efc95
apexd needs to read /vendor/apex dir and files in it.
Bug: 131190070
Bug: 123378252
Test: 1. Add apex to /vendor/apex
-> see if boot succeeds with new policy
2. Add flattened apex to /vendor/apex
-> see if only root files are labelled as vendor_apex_file
Change-Id: I37795ab6d659ac82639ba5e34d628fe1b5cdb350
To install GSIs on external storage (such as sdcards), gsid needs some
additional privileges:
- proc_cmdline and device-tree access to call ReadDefaultFstab().
This is ultimately used to check whether system's dm-verity has
check_at_most_once enabled, which is disallowed with sdcards.
- vfat read/write access to write files to the sdcard. Note that
adopted sdcards are not supported here.
- read access to the sdcard block device. To enable this without
providing access to vold_block_device, a new sdcard_block_device
label was added. Devices must apply this label appropriately to
enable gsid access.
- FIBMAP access for VFAT filesystems, as they do not support FIEMAP.
This only appears to work by granting SYS_RAWIO.
Bug: 126230649
Test: adb shell su root gsi_tool install --install_dir=/mnt/media_rw/...
works without setenforce 0
Change-Id: I88d8d83e5f61d4c0490f912f226fe1fe38cd60ab
Without VNDK, libcutils has to probe for /dev/binder access before
reaching to ashmemd via binder. Ignore denials generated when probing
/dev/binder.
Bug: 129073672
Test: boot sailfish without denials to /dev/binder
Change-Id: I07ba2e094586df353d54507458e891a3d14c1ca6
Move complete domain to private/. Move referencing parts in domain
and kernel to private.
Bug: 128840749
Test: m
Change-Id: I5572c3b04e41141c8f4db62b1361e2b392a5e2da
Bug: 128037879
Test: Camera HAL is able to read ro.serialno
Change-Id: I904c852a7100bc65456ee63ffb31d70681293d7d
Signed-off-by: Jayant Chowdhary <jchowdhary@google.com>
If kernel is built with CONFIG_TRANSPARENT_HUGEPAGE optimization,
libjemalloc5 will attempt to read
/sys/kernel/mm/transparent_hugepage/enabled and hit an SELinux denial.
Various denials similiar to the following are seen on cuttlefish:
avc: denied { open } for comm="surfaceflinger"
path="/sys/kernel/mm/transparent_hugepage/enabled" dev="sysfs" ino=776
scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file
permissive=1
Bug: 28053261
Test: boot cuttlefish without above denials.
Change-Id: Ic33f12d31aacc42d662a8c5c297fbb5f84d4deea
This is for Non-AB ota update recovery partition on GMS Express 2.0 project.
recovery partition update via /vendor/bin/install-recovery.sh from /vendor/etc/recovery.img
Bug: 124277294
Test: builds and test GOTA.
Change-Id: I97521c03a881bd0427e5d02836220ee2c0db7650
The OMX comment here seems unrelated. The linker (system) uses it to
talk to tombstoned.
Fixes: 112606643
Test: N/A
Change-Id: Ib3da832f120d3cc244aa22de5d4d655b874db38b
Vendors should be able to specify additional cgroups and task profiles
without changing system files. Add access rules for /vendor/etc/cgroups.json
and /vendor/etc/task_profiles.json files which will augment cgroups and
task profiles specified in /etc/cgroups.json and /etc/task_profiles.json
system files. As with system files /vendor/etc/cgroups.json is readable
only by init process. task_profiles.json is readable by any process that
uses cgroups.
Bug: 124960615
Change-Id: I12fcff0159b4e7935ce15cc19ae36230da0524fc
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Fixes: 126604492
Test: Build userdebug and user.
Test: Test
android.cts.security.SELinuxNeverallowRulesTest#testNeverallowRules129
on userdebug.
Change-Id: I0716e566570114878842644339401331513bae22
Apps are no longer allowed open access to /dev/ashmem, unless they
target API level < Q.
Bug: 113362644
Test: device boots, Chrome, instant apps work
Change-Id: I1cff08f26159fbf48a42afa7cfa08eafa1936f42
In preparation for moving other components to private, so that
private-only components can stay private.
Bug: 125474642
Test: m
Change-Id: Iff1ecabc4f45051d06e062b3338a117c09b39ff9
In preparation for additions that should be private-only, move
the neverallows to domain's private part.
Bug: 125474642
Test: m
Change-Id: I7def500221701500956fc0b6948afc58aba5234e
On legacy devices system_<other> partition is blocked from
becoming the backing store under certain circumstances.
Test: system/core/fs_mgr/tests/adb-remount-test.sh
Bug: 120448575
Bug: 123079041
Change-Id: I1803f072ca21bc116554eee1d01a1dbd2c9ed0c9
VtsHalBootV1_0Target test cases fail on a platform when executing boot control operation.
The cases fail because of hal_bootctl has no sys_rawio permission to do storage IOCTL to
switch boot slot.
Bug: 118011561
Test: VtsHalBootV1_0Target can pass
Change-Id: Idbbb9ea8b76fe62b2d4b71356cef7a07ad4de890
all_untrusted_apps apart from untrusted_app_{25, 27} and mediaprovider
are now expected to go to ashmemd for /dev/ashmem fds.
Give coredomain access to ashmemd, because ashmemd is the default way
for coredomain to get a /dev/ashmem fd.
Bug: 113362644
Test: device boots, ashmemd running
Test: Chrome app works
Test: "lsof /system/lib64/libashmemd_client.so" shows
libashmemd_client.so being loaded into apps.
Change-Id: I279448c3104c5d08a1fefe31730488924ce1b37a
cgroups.json file contains cgroup information required to mount
cgroup controllers and is readable only by init process.
cgroup.rc contains cgroup map information consisting of the list of
cgroups available in the system and their mounting locations. It is
created by init process and should be readable by any processes that
uses cgroups and should be writable only by init process.
task_profiles.json file contains task profiles used to operate on
cgroups. This information should be readable by any process that uses
cgroups and should be writable only by init process.
Bug: 111307099
Test: builds, boots
Change-Id: Ib2c87c0fc3663c7fc69628f05c846519b65948b5
Merged-In: Ib2c87c0fc3663c7fc69628f05c846519b65948b5
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Bootstap linker has been moved from /system/bin/linker[64] to
/system/bin/bootstrap/linker[64]. Reflect the change in file_contexts.
Existing paths are not removed since the bootstrap linker (or the
linker from the rumtime APEX) will be bind-mounted to the old path by
init.
Also label the files under /bionic which serve as mount points for
either of the bootstrap bionic or the bionic from the runtime APEX.
In addition, read access for the symlinks in /system/lib/*.so and
/system/bin/linker is granted. This is because Bionic files in the paths
are now symlinks to the corresponding mountpoints at /bionic.
Bug: 120266448
Test: device boots to the UI
Change-Id: Iea4d76eb46754b435b6c5428481cd177da8d2ee1
