Commit graph

153 commits

Author SHA1 Message Date
Roshan Pius
37ee61f663 sepolicy: Rename hal_uwb -> hal_uwb_vendor
Since we are now creating an AOSP HAL for uwb. Rename Pixel specific
internal UWB HAL from Android S to hal_uwb_vendor to avoid conflicts
with the AOSP HAL sepolicy rules that are going to be added in
Android T.

Android S Architecture:
|Apps | AOSP API | Vendor Service | Vendor HAL Interface | Vendor HAL
Implementation | Vendor driver/firmware

Android T Architecture:
|Apps | AOSP API | AOSP Service | AOSP HAL Interface | Vendor HAL
Implementation | Vendor driver/firmware

Ignore-AOSP-First: Dependent changes in internal-only projects.

Bug: 195308730
Test: Compiles
Change-Id: I7bf4794232604372134ea299c8e2a6ba14a801d3
Merged-In: I7bf4794232604372134ea299c8e2a6ba14a801d3
(cherry picked from commit 40465250e4)
(cherry picked from commit 27ab309fad)
2021-08-26 05:20:39 +00:00
Bart Van Assche
ec50aa5180 Allow the init and apexd processes to read all block device properties
Addressing b/194450129 requires configuring the I/O scheduler and the
queue depth of loop devices. Doing this in a generic way requires
iterating over the block devices under /sys/class/block and also to
examine the properties of the boot device (/dev/sda). Hence this patch
that allows 'init' and 'apexd' to read the properties of all block
devices. The patch that configures the queue depth is available at
https://android-review.googlesource.com/c/platform/system/core/+/1783847.

Test: Built Android images, installed these on an Android device and verified that modified init and apexd processes do not trigger any SELinux complaints.
Change-Id: Icb62449fe0d21b3790198768a2bb8e808c7b968e
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-08-09 13:46:41 -07:00
Alan Stokes
fa10a14fac Refactor apex data file types.
We ended up with 4 labels for specific APEX files that were all
identical; I've replaced them with a single one
(apex_system_server_data_file).

Additionally I created an attribute to be applied to a "standard" APEX
module data file type that establishes the basics (it can be managed
by vold_prepare_subdirs and apexd), to make it easier to add new such
types - which I'm about to do.

Fix: 189415223
Test: Presubmits
Change-Id: I4406f6680aa8aa0e38afddb2f3ba75f8bfbb8c3c
2021-07-12 14:41:04 +01:00
Thiébaud Weksteen
9ec532752d Add fusefs_type for FUSE filesystems
Any FUSE filesystem will receive the 'fuse' type when mounted. It is
possible to change this behaviour by specifying the "context=" or
"fscontext=" option in mount().

Because 'fuse' has historically been used only for the emulated storage,
it also received the 'sdcard_type' attribute. Replace the 'sdcard_type'
attribute from 'fuse' with the new 'fusefs_type'. This attribute can be
attached on derived types (such as app_fusefs).

This change:
- Remove the neverallow restriction on this new type. This means any
  custom FUSE implementation can be mounted/unmounted (if the correct
  allow rule is added). See domain.te.
- Change the attribute of 'fuse' from 'sdcard_type' to 'fusefs_type'.
  See file.te.
- Modify all references to 'sdcard_type' to explicitly include 'fuse'
  for compatibility reason.

Bug: 177481425
Bug: 190804537
Test: Build and boot aosp_cf_x86_64_phone-userdebug
Change-Id: Id4e410a049f72647accd4c3cf43eaa55e94c318f
2021-06-28 13:18:46 +02:00
Michael Ayoubi
0be7c67da0 Add support for hal_uwb
Bug: 187386527
Test: Boot and confirm HAL is up
Signed-off-by: Michael Ayoubi <mayoubi@google.com>
Change-Id: Ia866a9a72b6f2ea5b31de25baefd13c2fd0b9c22
2021-06-10 17:46:23 +00:00
Hridya Valsaraju
23f9f51fcd Revert "Revert "Add neverallows for debugfs access""
This reverts commit e95e0ec0a5.

Now that b/186727553 is fixed, it should be safe to revert this revert.

Test: build
Bug: 184381659
Change-Id: Ibea3882296db880f5cafe4f9efa36d79a183c8a1
2021-05-04 22:06:46 -07:00
Hridya Valsaraju
e95e0ec0a5 Revert "Add neverallows for debugfs access"
Revert submission 1668411

Reason for revert: Suspect for b/186173384
Reverted Changes:
Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t...
I743a81489:Exclude vendor_modprobe from debugfs neverallow re...
I63a22402c:Add neverallows for debugfs access
I289f2d256:Add a neverallow for debugfs mounting

Change-Id: I9b7d43ac7e2ead2d175b265e97c749570c95e075
2021-04-23 16:38:20 +00:00
Hridya Valsaraju
a0b504a484 Add neverallows for debugfs access
Android R launching devices and newer must not ship with debugfs
mounted. For Android S launching devices and newer, debugfs must only be
mounted in userdebug/eng builds by init(for boot time initializations)
and dumpstate(for grabbing debug information from debugfs using the
dumpstate HAL).

This patch adds neverallow statements to prevent othe processes
being provided access to debugfs when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS
is set to true.

Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Bug: 184381659
Change-Id: I63a22402cf6b1f57af7ace50000acff3f06a49be
2021-04-21 14:13:22 -07:00
Yi-Yo Chiang
806898db48 Split gsi_metadata_file and add gsi_metadata_file_type attribute
Split gsi_metadata_file into gsi_metadata_file plus
gsi_public_metadata_file, and add gsi_metadata_file_type attribute.
Files that are okay to be publicly readable are labeled with
gsi_public_metadata_file. Right now only files needed to infer the
device fstab belong to this label.
The difference between gsi_metadata_file and gsi_public_metadata_file is
that gsi_public_metadata_file has relaxed neverallow rules, so processes
who wish to read the fstab can add the respective allow rules to their
policy files.
Allow gsid to restorecon on gsi_metadata_file to fix the file context of
gsi_public_metadata_file.

Bug: 181110285
Test: Build pass
Test: Issue a DSU installation then verify no DSU related denials and
  files under /metadata/gsi/ are labeled correctly.
Change-Id: I54a5fe734dd345e28fd8c0874d5fceaf80ab8c11
2021-03-29 03:09:35 +00:00
Darren Hsu
70ae5f4c34 sepolicy: Create new attribute to serve ISuspendControlServiceInternal
Bug: 178417023
Test: Verified manually
Change-Id: Ie058ecf6b31c260e7788cbf0e74fa4182129d3e1
Signed-off-by: Darren Hsu <darrenhsu@google.com>
2021-02-25 18:04:04 +08:00
Hridya Valsaraju
eab2858649 sepolicy: set expandattribute false for dmabuf_heap_device_type
This is needed to avoid build failure in target bertha_arm64.

Test: make
Bug: 176124106
Change-Id: Id24eaa00dc5d601deb7533ac1d484a76535c8df0
2020-12-23 05:14:31 +00:00
Hridya Valsaraju
8c9cf62edb Allow coredomain access to only approved categories of vendor heaps
One of the advantages of the DMA-BUF heaps framework over
ION is that each heap is a separate char device and hence
it is possible to create separate sepolicy permissions to restrict
access to each heap.
In the case of ION, allocation in every heap had to be done through
/dev/ion which meant that there was no away to restrict allocations in
a specific heap.

This patch intends to restrict coredomain access to only approved
categories of vendor heaps. Currently, the only identified category
as per partner feedback is the system-secure heap which is defined
as a heap that allocates from protected memory.

Test: Build, video playback works on CF with ION disabled and
without sepolicy denials
Bug: 175697666

Change-Id: I923d2931c631d05d569e97f6e49145ef71324f3b
2020-12-16 10:08:54 -08:00
Shawn Willden
b41f4985a9 Revert^2 "Move keymint to android.hardware.security."
16d61d0383


Bug: 175345910
Bug: 171429297
Exempt-From-Owner-Approval: re-landing topic with no changes in this CL.
Change-Id: I1352c6b46b007dba3448b3c9cbdf454d7862a176
2020-12-11 20:36:53 +00:00
Orion Hodson
16d61d0383 Revert "Move keymint to android.hardware.security."
Revert submission 1522123-move_keymint

Reason for revert: Build breakage
Bug: 175345910
Bug: 171429297
Reverted Changes:
Ief0e9884a:Keystore 2.0: Move keymint spec to security namesp...
Idb54e8846:Keystore 2.0: Move keymint spec to security namesp...
I9f70db0e4:Remove references to keymint1
I2b4ce3349:Keystore 2.0 SPI: Move keymint spec to security na...
I2498073aa:Move keymint to android.hardware.security.
I098711e7d:Move keymint to android.hardware.security.
I3ec8d70fe:Configure CF to start KeyMint service by default.
Icbb373c50:Move keymint to android.hardware.security.
I86bccf40e:Move keymint to android.hardware.security.

Change-Id: Ib5591c2379bbd2fd6dde0558ba0e68f39d27fbaf
2020-12-11 10:45:43 +00:00
Selene Huang
2c3bdb28de Move keymint to android.hardware.security.
Test: VtsAidlKeyMintTargetTest
Change-Id: I098711e7ddbcac0fc761801a1bf582a71a8f9baa
2020-12-10 19:12:29 +00:00
Alan Stokes
668e74f6f4 Exempt app_data_file_type from neverallow rules.
We need to be able to access app data files from core domains such as
installd even for vendor apps. Those file types should not be
core_data_file_type, so we explicitly exempty app_data_file_type as
well as core_data_file_type from the relevant neverallows.

To prevent misuse of the attribute, add a test to check it is not
applied to anything in file_contexts. Exempt the existing violators in
system policy for now.

Test: Builds
Test: Adding a type with just "file_type, data_file_type, app_data_file_type" works
Test: New test successfully catches  violators.
Bug: 171795911
Change-Id: I07bf3ec3db615f8b7a33d8235da5e6d8e2508975
2020-11-12 18:08:18 +00:00
Alan Stokes
f8ad33985d Introduce app_data_file_type attribute.
This gives us an easy way for the policy to refer to all existing or
future types used for app private data files in type= assignments in
seapp_contexts.

Apply the label to all the existing types, then refactor rules to use
the new attribute.

This is intended as a pure refactoring, except that:
- Some neverallow rules are extended to cover types they previous
omitted;
- We allow iorap_inode2filename limited access to shell_data_file and
  nfc_data_file;
- We allow zygote limited access to system_app_data_file.

This mostly reverts the revert in commit
b01e1d97bf, restoring commit
27e0c740f1. Changes to check_seapp to
enforce use of app_data_file_type is omitted, to be included in a
following CL.

Test: Presubmits
Bug: 171795911
Change-Id: I02b31e7b3d5634c94763387284b5a154fe5b71b4
2020-11-11 14:43:36 +00:00
Alan Stokes
b01e1d97bf Revert "Introduce app_data_file_type attribute."
This reverts commit 27e0c740f1.

Reason for revert: b/172926597

Change-Id: Id2443446cbdf51dc05b303028377895b9cf2a09e
2020-11-10 18:02:14 +00:00
Alan Stokes
27e0c740f1 Introduce app_data_file_type attribute.
This gives us an easy way for the policy to refer to all existing or
future types used for app private data files in type= assignments in
seapp_contexts.

Apply the label to all the existing types, then refactor rules to use
the new attribute.

This is intended as a pure refactoring, except that:
- Some neverallow rules are extended to cover types they previous
omitted;
- We allow iorap_inode2filename limited access to shell_data_file and
  nfc_data_file;
- We allow zygote limited access to system_app_data_file.

Also extend check_seapp to check that all types specified in
seapp_contexts files have the attribute, to ensure that the neverallow
rules apply to them. As a small bonus, also verify that domain and
type values are actually types not attributes.

Test: Presubmits
Test: Manual: specify an invalid type, build breaks.
Bug: 171795911
Change-Id: Iab6018af449dab3b407824e635dc62e3d81e07c9
2020-11-09 11:04:02 +00:00
Steven Moreland
a43e26e3f2 untrusted_apps: AIDL vendor service parity w/ HIDL
Before, we completely dissallowed any untrusted app to access a service
operated by vendor. However, sometimes this is needed in order to
implement platform APIs. So now, vendor services which aren't explicitly
marked as 'protected_service' (like protected_hwservice in HIDL) are
blocked from being used by apps. This gives everyone a mechanism for
apps to directly access vendor services, when appropriate.

For instance:

                        VINTF
                          |
        vendor.img/etc    |   system.img/etc
                          |
 (vendor HAL) <----AIDL---|--> (public lib   <-- loaded by app
                          |     or platform
                          |     component)
                          |
                          |

Fixes: 163478173
Test: neverallow compiles
Change-Id: Ie2ccbff4691eafdd226e66bd9f1544be1091ae11
2020-10-21 22:33:42 +00:00
Mariia Sandrikova
44c7a7029e Add attribute for all vendor hwservice.
Bug: 159707777
Test: make
Change-Id: Ie3ab6d362b970ae8a9f0a8f1c0109bf03d521ce0
2020-09-25 22:15:33 +01:00
Steven Moreland
826b92fe34 Clarify comments on 3rd party app attributes.
Certain classes of 3rd party apps aren't untrusted_app_domain, but
some comments surrounding this are either outdated or wrong.

Bug: 168753404
Test: N/A
Change-Id: I019c16e26a3778536132f22c37fbea5ae7781af4
2020-09-17 17:15:26 +00:00
Inseob Kim
2eb0396cb4 Set expandattribute false for property attributes
To prevent these from being optimized away.

Bug: 161083890
Test: m selinux_policy
Change-Id: Ic587df21390f6ca553bf6be9ba77685f8c048ebf
2020-09-15 12:22:44 +09:00
Steven Moreland
5c0a0a8190 Remove binder_in_vendor_violators.
It's release blocking if devices specify it. Since none are used
in-tree anymore, no reason to every use this again.

Bug: 131617943
Test: grepping source/build (which validates this isn't used)
Change-Id: I6f98ab9baed93e11403a10f3a0497c855d3a8695
2020-08-27 00:00:35 +00:00
Inseob Kim
c9610def68 Fix product property type macros
Bug: N/A
Test: build with product_*_prop(...)
Change-Id: Iac906b41ec69023abd41881462f09e268944816b
2020-08-25 16:38:13 +09:00
Janis Danisevskis
c40681f1b5 Add libselinux keystore_key backend.
We add a new back end for SELinux based keystore2_key namespaces.
This patch adds the rump policy and build system infrastructure
for installing keystore2_key context files on the target devices.

Bug: 158500146
Bug: 159466840
Test: None
Change-Id: I423c9e68ad259926e4a315d052dfda97fa502106
Merged-In: I423c9e68ad259926e4a315d052dfda97fa502106
2020-08-05 16:11:48 +00:00
Roshan Pius
d42c7571aa sepolicy: Remove offload HAL sepolicy rules
This is unused currently & there are no concrete plans to use it
in the future.

Bug: 130080335
Test: Device boots up & connects to networks.
Test: Will send for regression tests
Change-Id: I785389bc2c934c8792c8f631362d6aa0298007af
Merged-In: I785389bc2c934c8792c8f631362d6aa0298007af
(cherry picked from commit 56dfc06397)
2020-05-08 11:17:12 +09:00
Haoxiang Li
741b9cd5ac Sepolicy update for Automotive Display Service
Bug: 140395359
Test: make sepolicy -j
Change-Id: Ib6ddf55210d8a8ee4868359c88e3d177edce9610
Signed-off-by: Changyeon Jo <changyeon@google.com>
2020-01-21 18:43:27 +00:00
David Zeuthen
b8b5da4305 Add SELinux policy for Identity Credential HAL
Bug: 111446262
Test: VtsHalIdentityCredentialTargetTest
Change-Id: Icb5a0d8b24d463a2f1533f8dd3bfa84bf90acc6f
2020-01-14 20:13:39 -05:00
Kenny Root
76ea325a3d Support Resume on Reboot
When an OTA is downloaded, the RecoverySystem can be triggered to store
the user's lock screen knowledge factor in a secure way using the
IRebootEscrow HAL. This will allow the credential encrypted (CE)
storage, keymaster credentials, and possibly others to be unlocked when
the device reboots after an OTA.

Bug: 63928581
Test: make
Test: boot emulator with default implementation
Test: boot Pixel 4 with default implementation
Change-Id: I1f02e7a502478715fd642049da01eb0c01d112f6
2019-12-09 14:25:04 -08:00
Tri Vo
bfcddbe25e sepolicy: remove ashmemd
Bug: 139855428
Test: m selinux_policy
Change-Id: I8d7f66b16be025f7cb9c5269fae6fd7540c2fdc9
2019-09-27 17:43:53 +00:00
Inseob Kim
19b99f18c8 Add attributes for exported properties
This introduces some attributes that can be used to restrict access to
exported properties so that one can easily check from which the
properties can be accessed, and that OEMs can extend their own exported
properties.

Bug: 71814576
Bug: 131162102
Test: boot aosp_cf_x86_phone-userdebug
Test: logcat | grep "avc: "
Change-Id: I6f988ec1cb94fa64563ca6cb91b7702da5d604e3
2019-09-19 05:07:50 +00:00
Jiyong Park
e95c704b6f Access to HALs from untrusted apps is blacklist-based
Before this change, access to HALs from untrusted apps was prohibited
except for the whitelisted ones like the gralloc HAL, the renderscript
HAL, etc. As a result, any HAL that is added by partners can't be
accessed from apps. This sometimes is a big restriction for them when
they want to access their own HALs in the same-process HALs running in
apps. Although this is a vendor-to-vendor communication and thus is not
a Treble violation, that was not allowed because their HALs are not in
the whitelist in AOSP.

This change fixes the problem by doing the access control in the
opposite way; access to HALs are restricted only for the blacklisted
ones.

All the hwservice context that were not in the whitelist are now put
to blacklist.

This change also removes the neverallow rule for the binder access to
the halserverdomain types. This is not needed as the protected
hwservices living in the HAL processes are already not accessible; we
have a neverallow rule for preventing hwservice_manager from finding
those protected hwservices from untrusted apps.

Bug: 139645938
Test: m

Merged-In: I1e63c11143f56217eeec05e2288ae7c91e5fe585
(cherry picked from commit 580375c923)

Change-Id: I4e611091a315ca90e3c181f77dd6a5f61d3a6468
2019-09-06 14:10:38 +09:00
Steven Moreland
b27a746f50 Merge "Remove vintf_service."
am: cacefc6a78

Change-Id: Id30138a0955dc7883d83daa2b655a06efebcaaf7
2019-08-28 19:15:40 -07:00
Steven Moreland
ebc39c37ab Merge "Clarify vendor_service/vintf_service."
am: 961bf003d6

Change-Id: Ibe65d802dff7d54ed1886800568840e0434dd696
2019-08-28 13:27:44 -07:00
Steven Moreland
4bb0a9802a Remove vintf_service.
The only distinction that matters for security is if a service is
served by vendor or not AND which process is allowed to talk to which.

coredomain is allowed to talk to vintf_service OR vendor_service, it's
just that for a non-@VintfStability service user-defined APIs (as
opposed to pingBinder/dump) are restricted.

Bug: 136027762
Test: N/A
Change-Id: If3b047d65ed65e9ee7f9dc69a21b7e23813a7789
2019-08-28 11:32:25 -07:00
Steven Moreland
df0a65785c Clarify vendor_service/vintf_service.
These attributes are intended to be used w/ services using the system
copy of libbinder (for vendor, this is libbinder_ndk).

Switching vndservicemanager users using the libbinder copy of vendor to
be able to use the system copy of libbinder for registration is an open
problem.

Bug: 136027762
Test: N/A
Change-Id: I1d70380edcb39ca8ef2cb98c25617701b67ba7e1
2019-08-27 15:37:11 -07:00
Steven Moreland
88fedc2159 Merge "Reland "Re-open /dev/binder access to all.""
am: aa6793febd

Change-Id: I34360631751c98aab0c34fff9bdcdbae02c52297
2019-08-22 16:15:59 -07:00
Steven Moreland
b75b047f44 Reland "Re-open /dev/binder access to all."
This reverts commit 6b2eaade82.

Reason for revert: reland original CL

Separate runtime infrastructure now makes sure that only Stable AIDL
interfaces are used system<->vendor.

Bug: 136027762
Change-Id: Id5ba44c36a724e2721617de721f7cffbd3b1d7b6
Test: boot device, use /dev/binder from vendor
2019-08-20 16:03:37 -07:00
Steven Moreland
db28fe2381 Revert "Re-open /dev/binder access to all."
am: 6b2eaade82

Change-Id: Ic2d53641d0cebee31be81307d7a31809fa326f2d
2019-08-20 15:55:40 -07:00
Steven Moreland
6b2eaade82 Revert "Re-open /dev/binder access to all."
This reverts commit 94ff361501.

Fix: 139759536
Test: marlin build fixed

Change-Id: I3ea2e29896722a80b22f09c405be205ffb7de6b2
2019-08-20 22:39:43 +00:00
Steven Moreland
169bfcfe88 Merge changes Icdf207c5,I20aa48ef
am: 30a06d278f

Change-Id: Ia505b1539cfd64bb93c2f5fe0dbd0603df5e9f5f
2019-08-20 13:41:45 -07:00
Steven Moreland
94ff361501 Re-open /dev/binder access to all.
Separate runtime infrastructure now makes sure that only Stable AIDL
interfaces are used system<->vendor.

Bug: 136027762
Test: boot device, use /dev/binder from vendor
Change-Id: Icdf207c5d5a4ef769c0ca6582dc58306f65be67e
2019-08-20 00:03:34 +00:00
Amy Zhang
3b62596f4f Merge "Tuner Hal 1.0 Enable ITuner service"
am: 3e7429359f

Change-Id: Ic4442460d60d51e97c84ea430830cd12c205e5f6
2019-08-15 13:23:33 -07:00
Amy
89b4bbd4d8 Tuner Hal 1.0 Enable ITuner service
Test: cuttlefish
Bug: 135708935
Change-Id: Ica063458860df45f0e2ab640a2ab35cd4da3da8e
2019-08-14 11:22:09 -07:00
Tomasz Wasilczyk
0540154021 SEPolicy rules for CAN bus HAL
am: 602b30302a

Change-Id: I5ae916b8f4c3d6038c48a522df1efc2ce8fc3d39
2019-08-01 19:34:47 -07:00
Tomasz Wasilczyk
602b30302a SEPolicy rules for CAN bus HAL
Bug: 135918744
Test: VTS (separate new change)
Change-Id: Idd3ca882e3bd36b95a5412bdfbf6fe9d6e911ba9
2019-08-01 10:24:00 -07:00
Kalesh Singh
533363bb54 Merge "Sepolicy for IAshmem HIDL interface" am: b374835ffb
am: 99a5e65385

Change-Id: I15778c78f997acdc3422ea941301f0ea61dabff4
2019-05-30 00:52:03 -07:00
Kalesh Singh
46303aa1f7 Sepolicy for IAshmem HIDL interface
Change-Id: Id78f995661120f136d671ea0084db358e7662122
Bug: 133443879
Test: Manually check logcat for sepolicy denials (logcat | grep IAshmem)
2019-05-29 14:44:47 -07:00
Pawin Vongmasa
609c243dd0 Properly define hal_codec2 and related policies
Test: make cts -j123 && cts-tradefed run cts-dev -m \
CtsMediaTestCases --compatibility:module-arg \
CtsMediaTestCases:include-annotation:\
android.platform.test.annotations.RequiresDevice

Bug: 131677974
Change-Id: I59c3d225499a8c53c2ed9f3bd677ff3d7423990b
2019-05-23 03:53:47 -07:00