Commit graph

104 commits

Author SHA1 Message Date
Nikita Ioffe
269e7cfc51 Move allow rules from public/app.te to private/app.te
Allow rules in public/*.te can only reference types defined in
public/*.te files. This can be quite cumbersome in cases a rule needs to
be updated to reference a type that is only defined in private/*.te.

This change moves all the allow rules from public/app.te to
private/app.te to make it possible to reference private types in the
allow rules.

Bug: 211761016
Test: m
Test: presubmit
Change-Id: I0c4a3f1ef568bbfdfb2176869fcd92ee648617fa
Merged-In: I0c4a3f1ef568bbfdfb2176869fcd92ee648617fa
2022-01-13 22:56:14 +00:00
Treehugger Robot
cb83d70584 Merge "Add persist.nfc property" 2021-07-06 08:05:46 +00:00
Thiébaud Weksteen
9ec532752d Add fusefs_type for FUSE filesystems
Any FUSE filesystem will receive the 'fuse' type when mounted. It is
possible to change this behaviour by specifying the "context=" or
"fscontext=" option in mount().

Because 'fuse' has historically been used only for the emulated storage,
it also received the 'sdcard_type' attribute. Replace the 'sdcard_type'
attribute from 'fuse' with the new 'fusefs_type'. This attribute can be
attached on derived types (such as app_fusefs).

This change:
- Remove the neverallow restriction on this new type. This means any
  custom FUSE implementation can be mounted/unmounted (if the correct
  allow rule is added). See domain.te.
- Change the attribute of 'fuse' from 'sdcard_type' to 'fusefs_type'.
  See file.te.
- Modify all references to 'sdcard_type' to explicitly include 'fuse'
  for compatibility reason.

Bug: 177481425
Bug: 190804537
Test: Build and boot aosp_cf_x86_64_phone-userdebug
Change-Id: Id4e410a049f72647accd4c3cf43eaa55e94c318f
2021-06-28 13:18:46 +02:00
Treehugger Robot
79f1fc195c Merge "sepolicy: Allow to receive FDs from app_zygote" 2021-06-21 10:58:13 +00:00
Diego Wilson
5908c353e3 Add camera2 extension property policies
These properties allow to vendors to provide their
own camera2 extensions service. The properties
must be accesible to any android app that wishes
to use camera2 extensions.

Change-Id: I94c7ac336b3103355124830320787472f0d2a8b6
2021-06-18 23:59:41 +00:00
Egor Pasko
c45bcd3cab sepolicy: Allow to receive FDs from app_zygote
The primary goal is to have an ashmem region shared between the main app
process in Chrome (=Browser Process) and the app zygote. It can only be
passed from the App Zygote, since there is no communication in the other
direction. Passing of the file descriptor should happen by:
(A) inheriting via fork(2)
(B) using binder IPC

Currently ashmem FDs are sufficiently allowed to be mmap(2)-ed in all
Chrome processes. The mode of mapping (read-only, read-write etc.) is
controlled by the settings of the region itself, not by sepolicy.

This change additionally allows an FD created in the app zygote to be
passed to the 'untrusted_app' domain.

Note: This change allows *any* FD, not just an ashmem one to be passed.
This is on purpose: in the future we will likely want to return to the
memfd story.  Other usecases (pipes, sockets) might appear.

The app zygote preload takes the responsibility not to share
capabilities in the form of FDs unintentionally with other app
processes.

Historical note: we tried to enable this for memfd (using additional
rules), but it required a 'write' permission when sending an FD. Reasons
for that are still puzzling, and there seems to be no easy workaround
for it. Decision: use ashmem.

Bug: 184808875
Test: Manual: Build and install Chrome (trichrome_chrome_google_bundle)
      from [1]. Make sure FileDescriptorAllowlist allows the FD, like
      [2]. Reach a NewTabPage, click on a suggested page, observe no
      errors related to binder transactions and selinux violations.

[1] A change in Chrome to create an ashmem region during app zygote
    preload and pass it to the browser process:
    https://crrev.com/c/2752872/29

[2] Allowlist change in review:
     https://android-review.googlesource.com/c/platform/frameworks/base/+/1739393
    (Alternatively: Remove gOpenFdTable checks in ForkCommon() in
    com_android_internal_os_Zygote.cpp)

Change-Id: Ide085f472c8fb6ae76ab0b094319d6924552fc02
2021-06-17 17:20:41 +02:00
Adam Shih
ff7ba7e301 make system_app_data_file shareable over binder
Apps should be able to share their private files over binder,
including system_app.

Bug: 188869889
Test: go to setting ==> system ==> multi-users ==> tap icon to change
profile photo with camera

Change-Id: I3dc732f727b9b697c9a73f6089392690109ae035
2021-06-16 00:49:53 +00:00
Jack Yu
4412ba4942 Add persist.nfc property
Allow system_app to set and get system property persist.nfc..

Bug: 187083201
Test: access persist.nfc.debug_enabled
Change-Id: Ia952f83d6206be458bcb56a9c4d44bc3e6db5e73
2021-06-11 00:28:31 +08:00
Emilian Peev
a974640390 Define vendor side property "ro.camerax.extensions.enabled"
Add "ro.camerax.extensions.enabled" vendor-specific property.
Allow public apps to read this property.

Bug: 171572972
Test: Camera CTS
Change-Id: Id5fadedff6baaaebe5306100c2a054e537aa61ed
2021-04-13 16:42:10 -07:00
Janis Danisevskis
ac4a6e75fc Keystore 2.0: Allow apps to get the Keystore state.
Bug: 171305684
Test: atest com.android.server.locksettings
Change-Id: I348e02704a0ddacb7859821149dc97df1d298758
2021-03-15 19:04:03 -07:00
Treehugger Robot
01a9e4de24 Merge "Allow third-party apps to access tuner hal fd" 2021-02-16 22:25:18 +00:00
Amy Zhang
db13ae741e Allow third-party apps to access tuner hal fd
The fd shared here is the fast message queue descriptor of the Tuner
Filter MQ or DVR MQ, sent from the Tuner HAL HIDL interface to Tuner Service.

Tuner service would convert the hidl mq descriptor into an aidl one then
passed to the Tuner JNI. Tuner JNI would read/write data into fmq
through the shared fd when the third-party app calls corresponding APIs.
The fd won't be exposed through SDK APIs.

The same fd won't be shared among apps. Each app only has access to
their own Tuner java instance through Tuner SDK, and read/write their
own Filter/Dvr.

Test: atest TunerDvrTest#testDvrPlayback
Bug: 159067322
Bug: 174500129
Bug: 171378420
Bug: 158868205
Change-Id: I34c113a092673f8ea9bcb7428b5562101c4d35ec
2021-02-16 11:17:49 -08:00
Dorin Drimus
84cd7087d5 Add vendor_public_framework_file type to SEPolicy
And allow access from system apps to vendor libs public only for system.
These files should be marked individually by OEMs. Maintainance
ownership for these libraries is also OEM's responsability.
Similar with vendor_public_libs_file type, this allows for an explicit
labeling of OEM system apps that can access libs from vendor.

Bug: 172526961
Test: build-only change, policy builds
Change-Id: I7d4c8232e0b52e73f373d3347170c87ab2dcce52
2021-01-26 15:59:37 +01:00
Orion Hodson
74b129b77c Merge "Permissions for odrefresh and /data/misc/apexdata/com.android.art" 2021-01-19 09:37:36 +00:00
Orion Hodson
8f75f76fbd Permissions for odrefresh and /data/misc/apexdata/com.android.art
odrefresh is the process responsible for checking and creating ART
compilation artifacts that live in the ART APEX data
directory (/data/misc/apexdata/com.android.art).

There are two types of change here:

1) enabling odrefresh to run dex2oat and write updated boot class path
   and system server AOT artifacts into the ART APEX data directory.

2) enabling the zygote and assorted diagnostic tools to use the
   updated AOT artifacts.

odrefresh uses two file contexts: apex_art_data_file and
apex_art_staging_data_file. When odrefresh invokes dex2oat, the
generated files have the apex_art_staging_data_file label (which allows
writing). odrefresh then moves these files from the staging area to
their installation area and gives them the apex_art_data_file label.

Bug: 160683548
Test: adb root && adb shell /apex/com.android.art/bin/odrefresh
Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
2021-01-13 10:38:22 +00:00
Hridya Valsaraju
c68de664f9 Allow codec2 to allocate from system-secure heap
Codec2 clients should have the permission to allocate from the
system-secure DMA-BUF heap for secure playback.

avc: denied { ioctl } for path="/dev/dma_heap/system-secure" dev="tmpfs" ino=649
ioctlcmd=0x4800 scontext=u:r:mediaswcodec:s0
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { read } for comm=4E444B204D65646961436F6465635F
name="system-secure" dev="tmpfs" ino=649 scontext=u:r:system_server:s0
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1
 avc: denied { open } for comm=4E444B204D65646961436F6465635F
path="/dev/dma_heap/system-secure" dev="tmpfs" ino=649
scontext=u:r:system_server:s0
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1
 avc: denied { ioctl } for comm=4E444B204D65646961436F6465635F
path="/dev/dma_heap/system-secure" dev="tmpfs" ino=649 ioctlcmd=0x4800
scontext=u:r:system_server:s0
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { read } for name="system-secure" dev="tmpfs" ino=649
scontext=u:r:mediaswcodec:s0
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { open } for path="/dev/dma_heap/system-secure"
dev="tmpfs" ino=649 scontext=u:r:mediaswcodec:s0
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { read } for
comm=4E444B204D65646961436F6465635F name="system-secure" dev="tmpfs" ino=649
scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1 app=com.android.systemui 0:145):
 avc: denied { open } for
comm=4E444B204D65646961436F6465635F path="/dev/dma_heap/system-secure"
dev="tmpfs" ino=649 scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { ioctl } for
comm=4E444B204D65646961436F6465635F path="/dev/dma_heap/system-secure"
dev="tmpfs" ino=649 ioctlcmd=0x4800 scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1

Bug: 172527615
Test: manual
Change-Id: I465e5fcd660bb548e93d683e9d20cace7421ed2d
2021-01-12 12:45:01 -08:00
Alan Stokes
7aa40413ae Split user_profile_data_file label.
user_profile_data_file is mlstrustedobject. And it needs to be,
because we want untrusted apps to be able to write to their profile
files, but they do not have levels.

But now we want to apply levels in the parent directories that have
the same label, and we want them to work so they need to not be
MLS-exempt. To resolve that we introduce a new label,
user_profile_root_file, which is applied to those directories (but no
files). We grant mostly the same access to the new label as
directories with the existing label.

Apart from appdomain, almost every domain which accesses
user_profile_data_file, and now user_profile_root_file, is already
mlstrustedsubject and so can't be affected by this change. The
exception is postinstall_dexopt which we now make mlstrustedobject.

Bug: 141677108
Bug: 175311045
Test: Manual: flash with wipe
Test: Manual: flash on top of older version
Test: Manual: install & uninstall apps
Test: Manual: create & remove user
Test: Presubmits.
Change-Id: I4e0def3d513b129d6c292f7edb076db341b4a2b3
2020-12-11 17:35:06 +00:00
Songchun Fan
a3c0b3f447 system_app: remove unnecessary changes to neverallow
Follow-up for aosp/1520729. These are no longer needed.

Test: build
BUG: 175121264
Change-Id: I7f01d4d4cee18751f4321ef8efa68f9faae06d4f
2020-12-10 19:03:25 +00:00
Janis Danisevskis
144c822018 Move list permission from keystore2_key to keystore class.
The list permission protects the ability to list arbitrary namespaces.
This is not a namespace specific permission but a Keystore specific
permission. Listing the entries of a given namsepace is covered by the
get_info permission already.

Ignore-AOSP-First: This needs to land in googleplex first to updated
                   prebuilt vendor images. Otherwise it breaks
                   aosp-with-phone builds.
Test: N/A
Change-Id: If6e79fd863a79acf8d8ab10c6362a4eeaa88a5b8
2020-10-01 05:33:31 +00:00
Hridya Valsaraju
a0e1be0fd3 Add permissions required for new DMA-BUF heap allocator
avc: denied { read } for comm=4E444B204D65646961436F6465635F name="system" dev="tmpfs" ino=379
scontext=u:r:system_server:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file
permissive=1 avc: denied { open } for comm=4E444B204D65646961436F6465635F
path="/dev/dma_heap/system" dev="tmpfs" ino=379 scontext=u:r:system_server:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 avc: denied { read }
for comm="HwBinder:413_3" name="system" dev="tmpfs" ino=379 scontext=u:r:mediaswcodec:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=0 avc: denied { ioctl }
for comm=4E444B204D65646961436F6465635F path="/dev/dma_heap/system" dev="tmpfs" ino=379
ioctlcmd=0x4800 scontext=u:r:system_server:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0
tclass=chr_file permissive=1 avc: denied { read } for comm=4E444B204D65646961436F6465635F
name="system" dev="tmpfs" ino=379 scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=0
app=com.android.systemui it(0.0:83): avc: denied { read } for comm=4E444B204D65646961436F6465635F
name="system" dev="tmpfs" ino=379 scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=0
app=com.android.systemui

Test: video playback without denials with DMA-BUF heaps enabled
Bug: 168333162
Change-Id: If936c5561ebf891e4b687a2c18760d16e0d31275
2020-09-16 13:21:50 -07:00
Janis Danisevskis
abb93f24c0 Make Keystore equivalent policy for Keystore2
Bug: 158500146
Bug: 159466840
Test: keystore2_test tests part of this policy
Change-Id: Id3dcb2ba4423d93170b9ba7ecf8aed0580ce83bc
Merged-In: Id3dcb2ba4423d93170b9ba7ecf8aed0580ce83bc
2020-08-05 16:11:48 +00:00
Joel Galenson
b0d74a1f5b Update sepolicy to use inclusive language
See https://source.android.com/setup/contribute/respectful-code for reference

#inclusivefixit

Bug: 161896447
Test: Build
Change-Id: If612f2270c8ba1d7fc2cbda3b2e8ca3818c0a1be
2020-07-27 16:52:04 +00:00
Alan Stokes
81e4e877f3 Make cross-user apps mlstrustedsubject.
We have various apps which inherently work across all users,
configured in seapp_contexts with levelFrom=None (usually implicitly).

This change marks those apps, where they have private data files, as
mlstrustedsubject, to allow us to increase restrictions on cross-user
access without breaking them.

Currently these apps are granted full access to [priv_]app__data_file
via TE rules, but are blocked from calling open (etc) by mls rules
(they don't have a matching level).

This CL changes things round so they are granted access by mls, but
blocked from calling open by TE rules; the overall effect is thus the
same - they do not have access.

A neverallow rule is added to ensure this remains true.

Note that there are various vendor apps which are appdomain,
levelFrom=None; they will also need modified policy.

Test: builds, boots, no new denials.
Bug: 141677108

Change-Id: Ic14f24ec6e8cbfda7a775adf0c350b406d3a197e
2020-07-22 14:41:31 +01:00
Daniel Rosenberg
afede84ad5 Add sdcardfs variable to storage_config_props
This property allows us to disable sdcardfs if it is present. The old
property ended up getting repurposed, so a new one was needed.
Mediaprovider will also need to access this to determine what actions it
needs to take.

Test: builds
Bug: 155222498
Change-Id: I66ac106613cbb374f54659601e4ba3f61eaecd2f
2020-05-19 00:30:52 -07:00
Martijn Coenen
c3917f0ea9 Merge "Add external_storage properties." 2020-04-16 08:06:53 +00:00
Martijn Coenen
01234d371e Add external_storage properties.
Since these need to be set from a vendor context.

Bug: 152170470
Bug: 153525566
Test: N/A
Change-Id: I2e90ad08fa0a5bd2b4759d92f95d35cec2b316df
2020-04-15 17:30:41 +02:00
Yiwei Zhang
f3adf2eaaf sepolicy: allow app to access gpuservice
Previously we have allowed many kinds of app processes to access
gpuservice. However, upon sharing files through bluetooth, bluetooth
process starts an activity to handle this task. At the meanwhile, any
processes with an activity launched shall access gpuservice for stats
purpose. This change amends the rules so that we don't miss anything.

Bug: 153472854
Test: use bluetooth to share a photo and check logcat
Change-Id: I3d620b703d3afe92ac1f61cfb2a2f343352ddd4d
2020-04-15 05:36:23 -07:00
Sudheer Shanka
975215578f Allow apps to use mmap on fuse fds.
This is needed for the following denial:
type=1400 audit(0.0:124): avc: denied { map } for
comm=54696D652D6C696D69746564207465 path="/mnt/appfuse/10182_2/2"
dev="fuse" ino=2 scontext=u:r:untrusted_app:s0:c182,c256,c512,c768
tcontext=u:object_r:app_fuse_file:s0 tclass=file permissive=0

Bug: 150801745
Test: atest CtsBlobStoreTestCases:com.android.cts.blob.BlobStoreManagerTest#testOpenBlob -- --abi x86
Merged-In: Ib7ca64e11b24f8835874698df15a9a0fdce67454
Change-Id: I4dc4ce91da3513a2d1f08ada401741f6d5a090c3
2020-03-04 17:21:18 -08:00
Jeff Vander Stoep
789ebf03ba app: allow PROT_EXEC on ashmem objects
This fixes a bug introduced in aosp/1143430 where the permission
should have been included for the newly introduced
ashmem_libcutils_device type.

Test: Build
Bug: 150193534
Change-Id: I5b1ed8d9548f9dab4ad9373f98e21614c07c3d38
2020-02-25 20:00:39 +01:00
David Zeuthen
02bf814aa2 Add SELinux policy for credstore and update for IC HAL port from HIDL to AIDL.
The credstore service is a system service which backs the
android.security.identity.* Framework APIs. It essentially calls into
the Identity Credential HAL while providing persistent storage for
credentials.

Bug: 111446262
Test: atest android.security.identity.cts
Test: VtsHalIdentityTargetTest
Test: android.hardware.identity-support-lib-test
Change-Id: I5cd9a6ae810e764326355c0842e88c490f214c60
2020-02-19 13:46:45 -05:00
Songchun Fan
020e3ab035 selinux rules for apk files installed with Incremental
Apk files installed with Incremental are actually stored under the
/data/incremental directory.

Since files under /data/incremental are labeled as apk_file_data, we
need additional permissions to enable an apk installation.

Denial messages:

=== vold ===
02-04 14:22:45.756   599   599 I Binder:599_3: type=1400 audit(0.0:607): avc: denied { read } for name="mount" dev="dm-5" ino=894 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
02-04 14:22:45.756   599   599 I Binder:599_3: type=1400 audit(0.0:608): avc: denied { open } for path="/data/incremental/data_incremental_tmp_792314038/mount" dev="dm-5" ino=894 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
02-04 14:22:45.760   599   599 I Binder:599_3: type=1400 audit(0.0:609): avc: denied { mounton } for path="/data/incremental/data_incremental_tmp_792314038/mount" dev="dm-5" ino=894 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
02-04 14:22:45.766  1431  1431 I PackageInstalle: type=1400 audit(0.0:620): avc: denied { read write open } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/.index/f5c14952f6dde3b4a77a94e45388c012" dev="dm-5" ino=897 scontext=u:r:vold:s0
02-04 14:22:45.923  1431  1431 I PackageManager: type=1400 audit(0.0:637): avc: denied { write } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/st_5_0" dev="dm-5" ino=896 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
02-04 14:22:47.326  8839  8839 I android.vending: type=1400 audit(0.0:658): avc: denied { read write open } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/st_6_1/flipboard.app-KPIT2MBSpQYWG-USITOftw==/base.apk" dev="dm-5" ino=899 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending
02-04 14:22:45.780   599   599 I Binder:599_3: type=1400 audit(0.0:623): avc: denied { getattr } for path="/data/app/vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1
02-04 14:22:45.780   599   599 I Binder:599_3: type=1400 audit(0.0:624): avc: denied { read } for name="vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1
02-04 14:22:45.780   599   599 I Binder:599_3: type=1400 audit(0.0:625): avc: denied { open } for path="/data/app/vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1
02-04 14:22:45.780   599   599 I Binder:599_3: type=1400 audit(0.0:627): avc: denied { mounton } for path="/data/app/vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1

02-04 15:32:02.386   591   591 I Binder:591_4: type=1400 audit(0.0:537): avc: denied { search } for name="incremental" dev="dm-5" ino=120 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1

=== system_app ===
02-04 14:22:45.793  5064  5064 I Binder:5064_1: type=1400 audit(0.0:633): avc: denied { write } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/st_5_0/base.apk" dev="dm-5" ino=899 scontext=u:r:system_app:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1

Test: manual
BUG: 133435829
Change-Id: I70f25a6e63dd2be87ccbe9fb9e9d50fa64d88c36
2020-02-07 16:34:42 +00:00
Adam Shih
5fb053eaa8 Revert "Grant appdomain access to app_api_service"
This reverts commit d5a0edd75e.

Reason for revert: CTS failure
There are apps that relies on SELinux regulations to constrain their access. We'll need to analyze them before introducing the sepolicy.

Bug: 147695658
Change-Id: Ic57fcb90371b50a978ab7b2e0d20c4cb3d2da7f6
Test: cts-tradefed run cts -m CtsPermissionTestCases
2020-02-04 02:51:38 +00:00
Adam Shih
d5a0edd75e Grant appdomain access to app_api_service
The original idea was to compartmentalize services for apps to access.
ex. an app that manage display brightness should not have access to
audio service.

However, identifying all services is hard and we often end up granting
app_api_service in practice to avoid unexpected crashes.

Bug: 147198856
Test: Remove device app_api_service related sepolicy and related process
remain functional

Change-Id: I3aafcf1a91847a97c86f1d7992653b806a713bd4
2020-01-07 09:59:34 +08:00
Roshan Pius
d804a76d03 Revert "sepolicy: Permission changes for new wifi mainline module"
This reverts commit 3aa1c1725e.

Reason for revert: Wifi services no longer plan to be a separate
APK/process for mainline. Will instead become a jar loaded from Apex.

Bug: 144722612
Test: Device boots up & connects to wifi networks
Change-Id: Ifa33dae971dccfd5d14991727e2f27d2398fdc74
2019-11-22 09:49:32 -08:00
Roshan Pius
a483b5df72 Revert "wifi_stack: Move to network_stack process"
This reverts commit 1086c7d71d.

Reason for revert: Wifi services no longer plan to be a separate
APK/process for mainline. Will instead become a jar loaded from Apex.

Bug: 144722612
Test: Device boots up & connects to wifi networks
Change-Id: I69ccc6afbe15db88f516cdc64e13d8cfdb0c743c
2019-11-22 09:48:54 -08:00
Chiachang Wang
e063585bbf Add permission for NetworkStack updatability
NetworkStack will need to use netlink_tcpdiag_socket to get tcp
info. In order to support updatability for NetworkStack as it's
a mainline module, get the information from kernel directly to
reduce the dependecy with framework.

Test: Build and test if NetworkStack can get the tcp_info without
SEPolicy exception
Bug: 136162280

Change-Id: I8f584f27d5ece5e97090fb5fafe8c70c5cbbe123
2019-10-12 21:21:10 +09:00
Roshan Pius
1086c7d71d wifi_stack: Move to network_stack process
The wifi stack APK will run inside the network_stack process. So, move
the sepolicy rules for wifi stack inside the network stack rules.

Bug: 135691051
Test: Manual tests
- manual connect to wifi networks
- Remove networks
Test: Will send for ACTS wifi regression testing
Change-Id: I9d5da80852f22fa1d12b2dbbc76b9e06c1275310
(cherry-picked from b83abf7af3df64e0d3c1b22548f2344b55aece28)
2019-10-02 11:49:43 -07:00
Tri Vo
bfcddbe25e sepolicy: remove ashmemd
Bug: 139855428
Test: m selinux_policy
Change-Id: I8d7f66b16be025f7cb9c5269fae6fd7540c2fdc9
2019-09-27 17:43:53 +00:00
Roshan Pius
3aa1c1725e sepolicy: Permission changes for new wifi mainline module
Move wifi services out of system_server into a separate APK/process.

Changes:
a) Created sepolicy for the new wifi apk.
b) The new APK will run with network_stack uid (eventually will be moved
to the same process).

Used 'audit2allow' tool to gather list of permissions required.

Note: The existing wifi related permissions in system_server is left
behind to allow the module to be loaded into system_server or
network_stack process depending on device configuration.

Bug: 113174748
Test: Device boots up and able to make wifi connection.
Test: Tested hotspot functionality.
Test: Ran WifiManagerTest & WifiSoftApTest ACTS tests locally.
Test: Will send for wifi regression tests.
Change-Id: Id19643a235bf0c28238f2729926b893ac2025b97
(cherry-picked from c7aa90091e6bec70a31a643cc4519a9a86fb0b38)
2019-07-16 13:30:15 -07:00
Kalesh Singh
46303aa1f7 Sepolicy for IAshmem HIDL interface
Change-Id: Id78f995661120f136d671ea0084db358e7662122
Bug: 133443879
Test: Manually check logcat for sepolicy denials (logcat | grep IAshmem)
2019-05-29 14:44:47 -07:00
Jiyong Park
a0f998e6de Allow bootstrap bionic only to init, ueventd, and apexd
The bootstrap bionic (/system/lib/bootstrap/*) are only to the early
processes that are executed before the bionic libraries become available
via the runtime APEX. Allowing them to other processes is not needed and
sometimes causes a problem like b/123183824.

Bug: 123183824
Test: device boots to the UI
Test: atest CtsJniTestCases:android.jni.cts.JniStaticTest#test_linker_namespaces
Change-Id: Id7bba2e8ed1c9faf6aa85dbbdd89add04826b160
2019-04-11 09:51:38 +09:00
Cheney Ni
e55a74bdff Add rules for accessing the related bluetooth_audio_hal_prop
This change allows those daemons of the audio and Bluetooth which
include HALs to access the bluetooth_audio_hal_prop. This property is
used to force disable the new BluetoothAudio HAL.
  - persist.bluetooth.bluetooth_audio_hal.disabled

Bug: 128825244
Test: audio HAL can access the property
Change-Id: I87a8ba57cfbcd7d3e4548aa96bc915d0cc6b2b74
2019-03-20 03:12:25 +00:00
Tri Vo
73d0a67b06 sepolicy for ashmemd
all_untrusted_apps apart from untrusted_app_{25, 27} and mediaprovider
are now expected to go to ashmemd for /dev/ashmem fds.

Give coredomain access to ashmemd, because ashmemd is the default way
for coredomain to get a /dev/ashmem fd.

Bug: 113362644
Test: device boots, ashmemd running
Test: Chrome app works
Test: "lsof /system/lib64/libashmemd_client.so" shows
libashmemd_client.so being loaded into apps.
Change-Id: I279448c3104c5d08a1fefe31730488924ce1b37a
2019-02-05 21:38:14 +00:00
Jeff Vander Stoep
9f5d0d90a3 Initial selinux policy support for memfd
Move all app tmpfs types to appdomain_tmpfs. These are still protected
by mls categories and DAC. TODO clean up other app tmpfs types in a
separate change.

Treble-ize tmpfs passing between graphics composer HAL and
surfaceflinger.

Bug: 122854450
Test: boot Blueline with memfd enabled.
Change-Id: Ib98aaba062f10972af6ae80fb85b7a0f60a32eee
2019-01-30 19:11:49 +00:00
Nick Kralevich
87e91237a4 disallow priv-apps from following untrusted app symlinks.
Untrustworthy symlinks dereferenced by priv-apps could cause those apps
to access files they weren't intending to access. Trusted components
such as priv-apps should never trust untrustworthy symlinks from
untrusted apps.

Modify the rules and add a neverallow assertion to prevent regressions.

Bug: 123350324
Test: device boots and no obvious problems.
Change-Id: I8c4a5c9c8571fd29b2844b20b4fd1126db4128c0
2019-01-24 13:08:10 -08:00
Jeff Vander Stoep
d8bec4ac72 app: remove redundant neverallow rule
Access to zygote_socket is already neverallowed to
{ domain -system_server }.

Test: build
Change-Id: I6353ef09f769c8d64c97b1bdef93f0ab4d5dae6a
2019-01-15 20:31:01 -08:00
Remi NGUYEN VAN
5f3ba92c61 sepolicy changes for network stack app
The networking stack app hosts services that used to be in the system
server (IpClient, NetworkMonitor for now), but in a different process to
be packaged as a mainline module.

Test: booted, verified networking stack working when in app
Change-Id: I300a556f51b35c17378af961cea1ec937444e597
2018-12-20 12:05:31 +09:00
Florian Mayer
aeca04b967 Allow to signal perfetto from shell.
When daemonizing perfetto, SIGINT should be sent to ensure clean
shutdown.

Denial:
12-06 11:12:16.566  3099  3099 I sh      : type=1400 audit(0.0:462): avc: denied { signal } for scontext=u:r:shell:s0 tcontext=u:r:perfetto:s0 tclass=process permissive=1

Test: m
Test: flash walleye
Test: SIGINT perfetto from shell

Change-Id: I8d34b447ea90c315faf88f020f1dfc49e4abbcce
2018-12-13 10:46:42 +00:00
Nick Kralevich
1e5021c450 Move some rules around
Move rules / neverallow assertions from public to private policy. This
change, by itself, is a no-op, but will make future patches easier to
read. The only downside of this change is that it will make git blame
less effective.

Motivation: When rules are placed into the public directory, they cannot
reference a private type. A future change will modify these rules to
reference a private type.

Test: compiles
Bug: 112357170
Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
2018-11-28 17:55:21 -08:00
David Brazdil
535c5d2be0 Remove 'dex2oat_exec' from untrusted_app
Remove the permission to execute dex2oat from apps targetSdkVersion>28.
This has been historically used by ART to compile secondary dex files
but that functionality has been removed in Q and the permission is
therefore not needed.

Some legacy apps do invoke dex2oat directly. Hence allow (with audit) for
targetSdkVersion<= 28.

Test: atest CtsSelinuxTargetSdk25TestCases
Test: atest CtsSelinuxTargetSdk27TestCases
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Bug: 117606664
Change-Id: I2ea9cd56861fcf280cab388a251aa53e618160e5
2018-11-19 23:47:39 +00:00