Commit graph

67 commits

Author SHA1 Message Date
Treehugger Robot
9e2f8aa7a1 Merge "Update SELinux policy for app compilation CUJ." 2022-07-29 17:22:44 +00:00
Jiakai Zhang
c871c1cc75 Update SELinux policy for app compilation CUJ.
- Adapt installd rules for app compilation.

- Add profman rules for checking the profile before compilation. This is new behavior compared to installd.

Bug: 229268202
Test: -
  1. adb shell pm art optimize-package -m speed-profile -f \
       com.google.android.youtube
  2. See no SELinux denial.
Change-Id: Idfe1ccdb1b27fd275fdf912bc8d005551f89d4fc
2022-07-29 14:07:52 +00:00
Jooyung Han
ccfb0ef146 Added properties for rebootless apex install
When apexd installs an apex without reboot, init also need to do some
work around the installation (e.g. terminating services from the apex
and remove data read from the apex and updating linker configuration
etc)

Apexd sets control properties to unload and load apex and init notifies
the completion with state properties.

These new properties are supposed to be used by apexd/init interaction.

Bug: 232114573
Bug: 232173613
Test: CtsStagedInstallHostTestCases
Test: CtsInitTestCases
Change-Id: I5af6b36310f3c81f1cd55537473e54756541d347
2022-07-08 12:12:45 +09:00
Jiakai Zhang
76bfb7ecbf Allow artd to check optimization status.
Bug: 233383589
Test: -
  1. adb shell pm art get-optimization-status com.google.android.youtube
  2. See no SELinux denials.
Test: -
  1. adb shell pm compile -m speed com.google.android.youtube
  2. adb shell pm art get-optimization-status com.google.android.youtube
  3. See no SELinux denials.
Test: -
  1. adb shell pm install /product/app/YouTube/YouTube.apk
  2. adb shell pm art get-optimization-status com.google.android.youtube
  3. See no SELinux denials.
Change-Id: I943ebca4ec02c356fa0399b13f6154e7623f228b
2022-05-31 14:05:04 +01:00
Jeff Vander Stoep
b07c12c39d Iorapd and friends have been removed
Remove references in sepolicy. Leave a few of the types defined since
they're public and may be used in device-specific policy.

Bug: 211461392
Test: build/boot cuttlefish
Change-Id: I615137b92b82b744628ab9b7959ae5ff28001169
2022-05-18 12:07:39 +02:00
Yabin Cui
f17fb4270c Add sepolicy for simpleperf_boot.
simpleperf_boot is the secontext used to run simpleperf from init,
to generate boot-time profiles.

Bug: 214731005
Test: run simpleperf manually
Change-Id: I6f37515681f4963faf84cb1059a8d5845c2fe5a5
2022-01-15 16:12:51 -08:00
Yifan Hong
aabea20d89 Remove healthd.
Test: pass
Bug: 203245871
Change-Id: I4eb0b4333d7fde2096c4c75b7655baf897900005
2021-10-20 18:47:41 -07:00
Bart Van Assche
6b53d731fd Stop using the bdev_type and sysfs_block_type SELinux attributes
Stop using these attributes since these will be removed soon.

Bug: 202520796
Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd
Change-Id: I61dffb482f4e952299156f34be642ae52fcbfeb3
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-10-12 09:45:11 -07:00
Hridya Valsaraju
23f9f51fcd Revert "Revert "Add neverallows for debugfs access""
This reverts commit e95e0ec0a5.

Now that b/186727553 is fixed, it should be safe to revert this revert.

Test: build
Bug: 184381659
Change-Id: Ibea3882296db880f5cafe4f9efa36d79a183c8a1
2021-05-04 22:06:46 -07:00
Hridya Valsaraju
e95e0ec0a5 Revert "Add neverallows for debugfs access"
Revert submission 1668411

Reason for revert: Suspect for b/186173384
Reverted Changes:
Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t...
I743a81489:Exclude vendor_modprobe from debugfs neverallow re...
I63a22402c:Add neverallows for debugfs access
I289f2d256:Add a neverallow for debugfs mounting

Change-Id: I9b7d43ac7e2ead2d175b265e97c749570c95e075
2021-04-23 16:38:20 +00:00
Hridya Valsaraju
a0b504a484 Add neverallows for debugfs access
Android R launching devices and newer must not ship with debugfs
mounted. For Android S launching devices and newer, debugfs must only be
mounted in userdebug/eng builds by init(for boot time initializations)
and dumpstate(for grabbing debug information from debugfs using the
dumpstate HAL).

This patch adds neverallow statements to prevent othe processes
being provided access to debugfs when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS
is set to true.

Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Bug: 184381659
Change-Id: I63a22402cf6b1f57af7ace50000acff3f06a49be
2021-04-21 14:13:22 -07:00
JW Wang
0f8cf04965 Add persist.rollback.is_test (6/n)
This property is set to true in rollback tests to prevent
fallback-to-copy when enabling rollbacks by hard linking.

This gives us insights into how hard linking fails where
it shouldn't.

Bug: 168562373
Test: m
Change-Id: Iab22954e9b9da21f0c3c26487cda60b8a1293b47
2021-03-03 10:34:06 +08:00
Ryan Savitski
8b26472177 traced_perf: allow RO tracefs access + fix neverallow
We're adding support for counting and/or sampling on the static kernel
tracepoints in traced_perf (via perf_event_open). This requires traslating
a human-readable tracepoint name to its id for the running kernel.
For that, we need to read the "id" files like:
  /sys/kernel/tracing/events/sched/sched_switch/id

While the current implementation should only need "file r_file_perms",
as it constructs the full path to the id file, I've also added the
directory-level rule to allow for a possible change in implementation,
as we might want to enumerate all available events ahead of time, which
would require listing the tracefs events/ dir.

The changed neverallow macro was a copypaste mistake.

Example denials without the change:
  avc: denied { read } for name="id" dev="tracefs" ino=5721
  scontext=u:r:traced_perf:s0 tcontext=u:object_r:debugfs_tracing:s0
  tclass=file permissive=1

  avc: denied { open } for
  path="/sys/kernel/tracing/events/sched/sched_switch/id" dev="tracefs"
  ino=5721 scontext=u:r:traced_perf:s0
  tcontext=u:object_r:debugfs_tracing:s0 tclass=file permissive=1

  avc: denied { getattr } for
  path="/sys/kernel/tracing/events/sched/sched_switch/id" dev="tracefs"
  ino=5721 scontext=u:r:traced_perf:s0
  tcontext=u:object_r:debugfs_tracing:s0 tclass=file permissive=1

Tested: collected a profile sampled on "sched/sched_switch" on
        crosshatch-userdebug.
Bug: 170284829
Bug: 178961752
Change-Id: I75427e848ccfdc200c5f9b679ea18fc78e1669d6
2021-01-31 16:44:00 +00:00
Inseob Kim
e0ebc571bd Add ro.zygote.disable_gl_preload to policy
It's used by ZygoteInit, and vendor_init should be able to set it.

Bug: 176210699
Test: boot
Change-Id: I27bb59c145f3257281fb8d6007be60eb2bcc93ca
2021-01-18 02:11:57 +00:00
Inseob Kim
150355b1c3 Merge "Revert^2 "Make default_prop only readable from coredomain"" 2021-01-14 09:42:25 +00:00
Inseob Kim
5c011e57a5 Revert^2 "Make default_prop only readable from coredomain"
This reverts commit 32fbfbc016.

Reason for revert: Fixed breakages

Change-Id: I474ee7dd7b82b4f2e02353e8a3fb55e3c410941f
2021-01-14 04:08:16 +00:00
Florian Mayer
a8a3d8b1bf Allow heapprofd central mode on user builds.
This simplifies operation by removing a special case for user builds.

Test: atest CtsPerfettoTestCases on user
Test: atest CtsPerfettoTestCases on userdebug
Test: atest perfetto_integrationtests on userdebug
Bug: 153139002
Change-Id: Ibbf3dd5e4f75c2a02d931f73b96fabb8157e0ebf
2021-01-11 17:19:02 +00:00
Jackal Guo
32fbfbc016 Revert "Make default_prop only readable from coredomain"
This reverts commit 082ced1951.

Reason for revert: b/176784961

Change-Id: Ia85667216d63084e9e23aefe1d3bfd7942d51a2a
2021-01-05 08:47:57 +00:00
Hridya Valsaraju
8c9cf62edb Allow coredomain access to only approved categories of vendor heaps
One of the advantages of the DMA-BUF heaps framework over
ION is that each heap is a separate char device and hence
it is possible to create separate sepolicy permissions to restrict
access to each heap.
In the case of ION, allocation in every heap had to be done through
/dev/ion which meant that there was no away to restrict allocations in
a specific heap.

This patch intends to restrict coredomain access to only approved
categories of vendor heaps. Currently, the only identified category
as per partner feedback is the system-secure heap which is defined
as a heap that allocates from protected memory.

Test: Build, video playback works on CF with ION disabled and
without sepolicy denials
Bug: 175697666

Change-Id: I923d2931c631d05d569e97f6e49145ef71324f3b
2020-12-16 10:08:54 -08:00
Inseob Kim
082ced1951 Make default_prop only readable from coredomain
default_prop has been readable from coredomain and appdomain. It's too
broad, because default_prop is a context for properties which don't have
matching property_contexts entries.

From now on, only coredomain can read default_prop. It's still broad,
but at least random apps can't read default_prop anymore.

Bug: 170590987
Test: SELinux denial boot test for internal devices
Change-Id: Ieed7e60d7e4448705c70e4f1725b2290e4fbcb4a
2020-12-14 16:58:23 +09:00
Inseob Kim
0cef0fe5ac Add contexts for sqlite debug properties
These are read by some apps, but don't have any corresponding property
contexts. This adds a new context as we're going to remove default_prop
access.

Bug: 173360450
Test: no sepolicy denials
Change-Id: I9be28d8e641eb6380d080150bee785a3cc304ef4
2020-11-18 12:14:20 +09:00
Inseob Kim
d5a0448a53 Add entries for some properties in default_prop
Currently default_prop is readable by coredomain and appdomain. That's
too broad, and we are going to restrict the access so every property
should be added to property_contexts.

This adds some missing properties to property_contexts. Newly added
property contexts are:

- wrap.*: used by zygote to give arguments. It's assigned as
zygote_wrap_prop, and will be readable from coredomain.

- partition.{mount_name}.verified: used by dm-verity. It's assigned as
vertiy_status_prop, and will only be accessible from init.

- (ro.)?setupwizard.*: used by setup wizard. It's assigned as
setupwizard_prop, and will be readable from coredomain.

Other properties, such as ro.gfx.*, media.stagefright.*,
ro.storage_manager.* are also added to existing contexts.

Bug: 170590987
Test: boot crosshatch and see no denials
Change-Id: Ife9d69a62ee8bd7395a70cd104271898c8a72540
2020-11-06 14:02:34 +09:00
Yi Kong
4555123090 Policies for profcollectd
Bug: 79161490
Test: run profcollect with enforcing
Change-Id: I19591dab7c5afb6ace066a3e2607cd290c0f43a6
2020-09-08 12:29:47 +00:00
Inseob Kim
4ae7ec1915 Remove exported3_radio_prop
It's renamed to radio_control_prop

Bug: 162214733
Test: boot
Change-Id: Idede1a1ab471a354a6f5df12b6889abc7c1ad869
2020-08-03 09:23:39 +00:00
Jeff Sharkey
a0e7a6da28 Update language to comply with Android's inclusive language guidance
See https://source.android.com/setup/contribute/respectful-code for reference

Bug: 161896447
Change-Id: I0caf39b349c48e44123775d98c52a773b0b504ff
2020-07-31 12:28:11 -06:00
Inseob Kim
c97a97cd3f Move more properties out of exported3_default_prop
This is to remove exported3_default_prop. Contexts of these properties
are changed.

- ro.boot.wificountrycode
This becomes wifi_config_prop

- ro.opengles.version
This becomes graphics_config_prop. Also it's read by various domains, so
graphics_config_prop is now readable from coredomain.

- persist.config.calibration_fac
This becomes camera_calibration_prop. It's only readable by appdomain.

Bug: 155844385
Test: no denials on Pixel devices
Test: connect wifi
Change-Id: If2b6c10fa124e29d1612a8f94ae18b223849e2a9
2020-07-21 13:11:57 +09:00
Inseob Kim
c80b024241 Relabel various exported3_default_prop
This removes bad context names "exported*_prop". Property contexts of
following properties are changed. All properties are settable only by
vendor-init.

- ro.config.per_app_memcg
This becomes lmkd_config_prop.

- ro.zygote
This becomes dalvik_config_prop.

- ro.oem_unlock_supported
This becomes oem_unlock_prop. It's readable by system_app which includes
Settings apps.

- ro.storage_manager.enabled
This becomes storagemanagr_config_prop. It's readable by coredomain.
Various domains in coredomain seem to read it.

- sendbug.preferred.domain
This bcomes sendbug_config_prop. It's readable by appdomain.

There are still 3 more exported3_default_prop, which are going to be
tracked individually.

Bug: 155844385
Test: selinux denial check on Pixel devices
Change-Id: I340c903ca7bda98a92d0f157c65f6833ed00df05
2020-07-20 16:11:58 +09:00
Inseob Kim
98fe6847bd Merge "Add property contexts for vts props" 2020-07-16 10:24:08 +00:00
Inseob Kim
212e2b621a Add property contexts for vts props
vts_config_prop and vts_status_prop are added to remove exported*_prop.
ro.vts.coverage becomes vts_config_prop, and vts.native_server.on
becomes vts_status_prop.

Bug: 155844385
Test: Run some vts and then getprop, e.g. atest \
      VtsHalAudioEffectV4_0TargetTest && adb shell getprop
Test: ro.vts.coverage is read without denials
Change-Id: Ic3532ef0ae7083db8d619d80e2b73249f87981ce
2020-07-16 16:26:17 +09:00
Calin Juravle
de7244cf23 Fix sepolicy for secondary dex files
dexoptanalyzer need read access on the secondary
dex files and of the main apk files in order to successfully evaluate
and optimize them.

Example of denial:
audit(0.0:30): avc: denied { read } for
path="/data/app/~~Zux_isdY0NBkRWPp01oAVg==/com.example.secondaryrepro-wH9zezMSCzIjcKdIMtrw7A==/base.apk"
dev="vdc" ino=40966 scontext=u:r:dexoptanalyzer:s0
tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0
app=com.example.secondaryrepro

Test: adb shell cmd package compile -r bg-dexopt --secondary-dex app
Bug: 160471235
Bug: 160351055
Change-Id: Id0bda5237d3ce1620d4f6ee89595836b4e1f3abf
2020-07-15 16:43:40 +00:00
Alexander Mishkovets
f0be89be1d Define sepolicy for locale filter property
Bug: 154133013
Test: Manual
Change-Id: I28ae279e4fd47553fcf4ab9421944f552490b49f
2020-07-09 20:32:58 +02:00
Treehugger Robot
8759915731 Merge "GPU Memory: add sepolicy rules around bpf for gpuservice" 2020-06-05 17:46:55 +00:00
Inseob Kim
ad6317018c Add contexts for exported telephony props
To remove bad context names, two contexts are added.

- telephony_config_prop
- telephony_status_prop

exported_radio_prop, exported2_radio_prop are removed. Cleaning up
exported3_radio_prop will be a follow-up task.

Exempt-From-Owner-Approval: cherry-pick

Bug: 152471138
Bug: 155844385
Test: boot and see no denials
Test: usim works on blueline
Change-Id: Iff9a4635c709f3ebe266cd811df3a1b4d3a242c2
Merged-In: Iff9a4635c709f3ebe266cd811df3a1b4d3a242c2
(cherry picked from commit 4d36eae8af)
2020-06-04 16:10:44 +09:00
Yiwei Zhang
4b63ce9dd0 GPU Memory: add sepolicy rules around bpf for gpuservice
1. Allow gpuservice to access tracepoint id
2. Allow gpuservice to access bpf program
3. Allow gpuservice to attach bpf program to tracepoint
4. Allow gpuservice to access bpf filesystem
5. Allow gpuservice to run bpf program and read map through bpfloader
6. Allow gpuservice to check a property to ensure bpf program loaded

Bug: 136023082
Test: adb shell dumpsys gpu --gpumem
Change-Id: Ic808a7e452b71c54908cdff806f41f51ab66ffd8
2020-06-03 11:23:16 -07:00
Inseob Kim
26408bda38 Fix denial of reading init_service_status_prop
Exported properties init.svc.* were world-readable, so making them
world-readable again to fix selinux denials.

Bug: 157474281
Test: m selinux_policy
Change-Id: I6d5a28b68061896e9cd2584c47aa60f6d36ed53f
2020-05-28 09:04:36 +09:00
Inseob Kim
dbcc459b90 Take new types out of compatible_property_only
compatible_property_only is meaningless to new types introduced after
Android P because the macro is for types which should have different
accessibilities depending on the device's launching API level.

Bug: N/A
Test: system/sepolicy/tools/build_policies.sh
Change-Id: If6b1cf5e4203c74ee65f170bd18c3a354dca2fd4
2020-05-25 17:31:26 +09:00
Inseob Kim
15e5e0a470 Add contexts for init.svc.* props
To remove bad context names "exported*_prop". Other init.svc.*
properties explicitly become system internal prop.

Bug: 155844385
Test: boot and see no denials
Change-Id: I7a3b4103a4cea77035a6e831e3b6a49a45f15a35
2020-05-20 12:08:02 +09:00
Inseob Kim
dc1e5019d6 Rename system_radio_prop
For whatever reason sys.usb.config* has been labeled as
system_radio_prop, which doesn't make sense. Changing context name as
usb_prop. For the same reason exported_system_radio_prop is also
renamed to usb-related names.

Bug: 71814576
Bug: 154885206
Test: m selinux_policy
Change-Id: If30bc620dbeac926a8b9bcde908357fda739a6c1
Merged-In: If30bc620dbeac926a8b9bcde908357fda739a6c1
(cherry picked from commit 44fbcdb677)
2020-05-15 15:06:10 +09:00
Inseob Kim
1337e15717 Add new context dalvik_runtime_prop
persist.sys.dalvik.vm.lib.2 is moved to a new context
dalvik_runtime_prop from bad context name.

Bug: 154885206
Test: boot device and see logcat
Change-Id: I9dea95105c266088d5f071bf2d890048f0999b0b
2020-05-13 23:33:03 +09:00
Inseob Kim
df0008802e Add hdmi_config_prop for hdmi properties
To remove bad context names.

Bug: 154885206
Bug: 155844385
Test: m selinux_policy
Change-Id: I5712bf836e07b3b26a51c3433234b986843076ea
2020-05-12 23:04:51 +09:00
Inseob Kim
8880f7700a Merge "Rename contexts of ffs props" 2020-05-12 03:52:18 +00:00
Inseob Kim
a28428e7bf Move camera config props to camera_config_prop
Bug: 155844385
Test: sepolicy_tests
Change-Id: Iebe81d9af48e68e6499272bd5815e959f5945567
2020-05-11 21:55:26 +09:00
Inseob Kim
bfb3708234 Rename contexts of ffs props
Bug: 71814576
Bug: 154885206
Test: m sepolicy_test
Change-Id: Idacc3635851b14b833bccca177d784f4bb92c763
2020-05-11 21:23:37 +09:00
Inseob Kim
cc4d888f52 Move ro.lmk. properties to lmkd_config_prop
Bug: 155844385
Test: sepolicy_tests
Change-Id: I6a4412b3e7d3c46eae699bd8e7d2941f56b31773
2020-05-08 12:19:54 +09:00
Jeongik Cha
832a8a9389 mediaserver, mediaextractor, drmserver: allow vendor_overlay_file
MediaPlayer cannot load a video from RRO packages.
So, add allow rules which is necessary to play the video.

Bug: b/154795779
Test: check if MediaPlayer can load a video in RRO
Change-Id: I06eed146b6e70a548b6b4f4faf56ba2bccd68140
2020-04-29 11:52:45 +09:00
Igor Murashkin
e39f8d23ed sepolicy: policies for iorap.inode2filename
binary transitions are as follows:

iorapd (fork/exec) -> iorap.cmd.compiler (fork/exec) -> iorap.inode2filename

Bug: 117840092
Test: adb shell cmd jobscheduler run -f android 28367305
Change-Id: I4249fcd37d2c8cbdd0ae1a0505983cce9c7fa7c6
2020-02-20 16:38:17 -08:00
Connor O'Brien
e3f0b2ca13 Allow system_server to attach bpf programs to tracepoints
In order to track time in state data using eBPF, system_server needs
to be able to attach BPF programs to tracepoints, which involves:
- calling perf_event_open and the PERF_EVENT_IOC_SET_BPF ioctl
- running BPF programs
- reading tracepoint ids from tracefs

Grant system_server the necessary permissions for these tasks

Test: modify system_server to try to attach programs; check for
denials
Bug: 138317993
Change-Id: I07dafd325a9c57d53767a09d4ca7b0fb2dd2d328
Signed-off-by: Connor O'Brien <connoro@google.com>
2020-01-31 19:47:24 -08:00
Ryan Savitski
67a82481f8 initial policy for traced_perf daemon (perf profiler)
The steps involved in setting up profiling and stack unwinding are
described in detail at go/perfetto-perf-android.

To summarize the interesting case: the daemon uses cpu-wide
perf_event_open, with userspace stack and register sampling on. For each
sample, it identifies whether the process is profileable, and obtains
the FDs for /proc/[pid]/{maps,mem} using a dedicated RT signal (with the
bionic signal handler handing over the FDs over a dedicated socket). It
then uses libunwindstack to unwind & symbolize the stacks, sending the
results to the central tracing daemon (traced).

This patch covers the app profiling use-cases. Splitting out the
"profile most things on debug builds" into a separate patch for easier
review.

Most of the exceptions in domain.te & coredomain.te come from the
"vendor_file_type" allow-rule. We want a subset of that (effectively all
libraries/executables), but I believe that in practice it's hard to use
just the specific subtypes, and we're better off allowing access to all
vendor_file_type files.

Bug: 137092007
Change-Id: I4aa482cfb3f9fb2fabf02e1dff92e2b5ce121a47
2020-01-22 22:04:01 +00:00
Igor Murashkin
9f74a428c4 sepolicy: Add iorap_prefetcherd rules
/system/bin/iorapd fork+execs into /system/bin/iorap_prefetcherd during
startup

See also go/android-iorap-security for the design doc

Bug: 137403231
Change-Id: Ie8949c7927a98e0ab757bc46230c589b5a496360
2019-10-22 12:45:46 -07:00
Tri Vo
bfcddbe25e sepolicy: remove ashmemd
Bug: 139855428
Test: m selinux_policy
Change-Id: I8d7f66b16be025f7cb9c5269fae6fd7540c2fdc9
2019-09-27 17:43:53 +00:00