Commit graph

22 commits

Author SHA1 Message Date
Nicolas Geoffray
cf4d5265c2 Allow webview_zygote to JIT.
bug: 119800099
Test: device boots, no selinux denials
Change-Id: I737afbb4e826014fc91a68ac955199bb1d1a04c7
2018-11-20 13:31:49 +00:00
Nick Kralevich
a194d3757a Tighten up handling of new classes
1b1d133be5 added the process2 class but
forgot to suppress SELinux denials associated with these permissions
for the su domain. Suppress them.

Ensure xdp_socket is in socket_class_set, so the existing dontaudit rule
in su.te is relevant. Inspired by
66a337eec6

Add xdp_socket to various other neverallow rules.

Test: policy compiles.
Change-Id: If5422ecfa0cc864a51dd69559a51d759e078c8e7
2018-11-16 03:10:14 -08:00
Tri Vo
90cf5a7fb3 same_process_hal_file: access to individual coredomains
Remove blanket coredomain access to same_process_hal_file in favor of
granular access. This change takes into account audits from go/sedenials
(our internal dogfood program)

Bug: 37211678
Test: m selinux_policy
Change-Id: I5634fb65c72d13007e40c131a600585a05b8c4b5
2018-10-26 18:03:01 +00:00
Nick Kralevich
23c9d91b46 Start partitioning off privapp_data_file from app_data_file
Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.

This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.

This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:

  -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
  +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user

For now, this newly introduced label has no usage, so this change
is essentially a no-op.

Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
      filesystem upgrade.

Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-02 16:29:02 -07:00
Jeff Vander Stoep
141b00fb1e Fix diff in cherry-pick
Changes 2d626fd84ea0246c963ce2c87ae62461a60f8826 and
869562e9e3 are the same
commit, but with a different comment. Fix them up to be
the same.

Test: build
Change-Id: I6311413357f457d6ba95886b729ffa53ab80e016
2018-05-16 14:38:51 -07:00
Jaekyun Seok
224921d18a Whitelist vendor-init-settable bluetooth_prop and wifi_prop
Values of the following properties are set by SoC vendors on some
devices including Pixels.
- persist.bluetooth.a2dp_offload.cap
- persist.bluetooth.a2dp_offload.enable
- persist.vendor.bluetooth.a2dp_offload.enable
- ro.bt.bdaddr_path
- wlan.driver.status

So they should be whitelisted for compatibility.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
2018-04-13 09:25:06 +09:00
Robert Sesek
869562e9e3 Remove rules for starting the webview_zygote as a child of init.
The webview_zygote is now launched as a child-zygote process from the
main zygote process.

Bug: 63749735
Test: m
Test: Launch "Third-party licenses" activity from Settings, and it
      renders correctly via the WebView.
Merged-In: I9c948b58a969d35d5a5add4b6ab62b8f990645d1
Change-Id: I153476642cf14883b0dfea0d9f5b3b5e30ac1c08
2018-02-23 10:55:22 -05:00
Robert Sesek
febdfa4edf SELinux changes to accomodate starting the webview_zygote as a child of the zygote.
In this architecture, the system_server instructs the zygote to fork a
child-zygote to be the webview_zygote. The system_server tells this new
zygote to listen for fork requests on a random abstract unix socket of
its choosing.

A follow-up CL will remove the rules for starting webview_zygote via
init.

Bug: 63749735
Test: m
Test: Launch "Third-party licenses" activity from Settings, and it
      renders correctly via the WebView.
Merged-In: I864743943c11c18de386010ecd4b616721cb9954
Change-Id: I1c352e47b66eca3a3fa641daa6ecc3e7a889b54e
2018-02-14 19:00:48 -05:00
Chris Morin
9644df47a3 prevent benign dex2oat selinux denial temporarily
Since we now call patchoat --verify in zygote art loading code, we have
the unintended effect of webview zygote calling patchoat --verify. This
is undesireable since webview zygote doesn't need to verify the .art
files after the app_process zygote has already done so. The exec of
patchoat fails for webview zygote, and this change hides that. This
change should be reverted when b/72957399 is resolved.

Bug: 66697305
Test: Ensure no new selinux denials were introduced.
Change-Id: I4152edc920e5c436516b958b8c861dcc1c4751d8
2018-02-05 14:26:04 -08:00
Jeff Vander Stoep
42d82b42ff Fix permission typo
zygote->webview_zygote.

Forgot to ammend local change.

Test: webview_zygote denials are gone.
Change-Id: I02869812feafd127b39e567c28e7278133770e97
2018-01-03 08:46:05 -08:00
Jeff Vander Stoep
3588ddd06d webview_zygote: allow listing dirs in /system
For consistency with zygote, allow webview_zygote to list directories
in /system.

Test: Boot Taimen. Verify webiew_zygote denials during boot.
Bug: 70857705
Change-Id: I27eb18c377a5240d7430abf301c1c3af61704d59
2018-01-02 13:15:16 -08:00
Benjamin Gordon
9b2e0cbeea sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-21 08:34:32 -07:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Stephen Smalley
52909aca44 Define smc_socket security class.
am: 2be9799bcc

Change-Id: If42bc0d3fc50db8294c8a9fd083d915b8e47a95e
2017-06-26 22:02:28 +00:00
Stephen Smalley
2be9799bcc Define smc_socket security class.
Linux kernel commit da69a5306ab9 ("selinux: support distinctions among all
network address families") triggers a build error if a new address family
is added without defining a corresponding SELinux security class.  As a
result, the smc_socket class was added to the kernel to resolve a build
failure as part of merge commit 3051bf36c25d that introduced AF_SMC circa
Linux 4.11.  Define this security class and its access vector, add
it to the socket_class_set macro, and exclude it from webview_zygote
like other socket classes.

Test:  Policy builds

Change-Id: Idbb8139bb09c6d1c47f1a76bd10f4ce1e9d939cb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-26 21:44:58 +00:00
Sandeep Patil
1e149967a2 seapp_context: explicitly label all seapp context files
seapp_context files need to be explicitly labeled as they are now split
cross system and vendor and won't have the generic world readable
'system_file' label.

Bug: 36002414
Test: no new 'seapp_context' denials at boot complete on sailfish
Test: successfully booted into recovery without denials and sideloaded
      OTA update.
Test: ./cts-tradefed run singleCommand cts --skip-device-info \
      --skip-preconditions --skip-connectivity-check --abi \
      arm64-v8a --module CtsSecurityHostTestCases -t \
      android.security.cts.SELinuxHostTest#testAospSeappContexts
Test: Launch 'chrome' and succesfully load a website.
Test: Launch Camera and take a picture.
Test: Launch Camera and record a video, succesfully playback recorded
      video

Change-Id: I19b3e50c6a7c292713d3e56ef0448acf6e4270f7
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-03-29 10:20:11 -07:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
Stephen Smalley
4921085d9c Remove obsolete netlink_firewall_socket and netlink_ip6fw_socket classes.
The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols
was removed from the kernel in commit
d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue
support") circa Linux 3.5.  Unless we need to retain compatibility
for kernels < 3.5, we can drop these classes from the policy altogether.

Possibly the neverallow rule in app.te should be augmented to include
the newer netlink security classes, similar to webview_zygote, but
that can be a separate change.

Test: policy builds

Change-Id: Iab9389eb59c96772e5fa87c71d0afc86fe99bb6b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-02-06 14:24:41 -05:00
Stephen Smalley
431bdd9f2f Define extended_socket_class policy capability and socket classes
Add a definition for the extended_socket_class policy capability used
to enable the use of separate socket security classes for all network
address families rather than the generic socket class.  The capability
also enables the use of separate security classes for ICMP and SCTP
sockets, which were previously mapped to rawip_socket class.  Add
definitions for the new socket classes and access vectors enabled by
this capability.  Add the new socket classes to the socket_class_set
macro, and exclude them from webview_zygote domain as with other socket
classes.

Allowing access by specific domains to the new socket security
classes is left to future commits.  Domains previously allowed
permissions to the 'socket' class will require permission to the
more specific socket class when running on kernels with this support.

The kernel support will be included upstream in Linux 4.11.  The
relevant kernel commits are da69a5306ab92e07224da54aafee8b1dccf024f6
("selinux: support distinctions among all network address families"),
ef37979a2cfa3905adbf0c2a681ce16c0aaea92d ("selinux: handle ICMPv6
consistently with ICMP"), and b4ba35c75a0671a06b978b6386b54148efddf39f
("selinux: drop unused socket security classes").

This change requires selinux userspace commit
d479baa82d67c9ac56c1a6fa041abfb9168aa4b3 ("libsepol: Define
extended_socket_class policy capability") in order to build the
policy with this capability enabled.  This commit is already in
AOSP master.

Test: policy builds

Change-Id: I788b4be9f0ec0bf2356c0bbef101cd42a1af49bb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-02-06 13:53:11 -05:00
Chad Brubaker
4c40d7344c Merge ephemeral data and apk files into app
The rules for the two types were the same and /data/app-ephemeral is
being removed. Remove these types.

Test: Builds
Change-Id: I520c026395551ad1362dd2ced53c601d9e6f9b28
2017-02-06 10:16:50 -08:00
Alex Klyubin
a7653ee2ed Move webview_zygote policy to private
This leaves only the existence of webview_zygote domain and its
executable's webview_zygote_exec file label as public API. All other
rules are implementation details of this domain's policy and are thus
now private.

Test: Device boots, with Multiproces WebView developer setting
      enabled, apps with WebView work fine. No new denials.
Bug: 31364497

Change-Id: I179476c43a50863ee3b327fc5155847d992a040d
2017-01-27 17:01:43 +00:00
Robert Sesek
dc43f7cd84 Add the "webview_zygote" domain.
The webview_zygote is a new unprivileged zygote and has its own sockets for
listening to fork requests. However the webview_zygote does not run as root
(though it does require certain capabilities) and only allows dyntransition to
the isolated_app domain.

Test: m
Test: angler boots

Bug: 21643067
Change-Id: I89a72ffe6dcb983c4a44048518efd7efb7ed8e83
2016-11-11 10:13:17 -05:00