/proc/net/xt_qtaguid is used by apps to track their network data
use. Limit access to just zygote spawned processes - apps and
system_server, omitting access to isolated_app which is not allowed
to create network sockets.
As Android moves to eBPF for app's network data stats, access to
/proc/net/xt_qtaguid will be removed entirely. Segmenting access off
is the first step.
Bug: 68774956
This change also helps further segment and whitelist access to
files in /proc/net and is a step in the lockdown of /proc/net.
Bug: 9496886
Test: boot Taimen. Walk through setup-wizard. Make phone call and
video call. Browse web. Watch youtube. Navigate in maps.
Test: cts-tradefed run cts -m CtsAppSecurityHostTestCases -t \
android.appsecurity.cts.AppSecurityTests
Test: cts-tradefed run cts -m CtsNativeNetTestCases
Test: cts-tradefed run cts -m CtsIncidentHostTestCases -t \
com.android.server.cts.NetstatsIncidentTest
Test: cts-tradefed run cts -m CtsOsTestCases -t \
android.os.cts.StrictModeTest
Test: cts-tradefed run cts -m CtsNetTestCases -t \
android.net.cts.TrafficStatsTest
Test: cts-tradefed run cts -m CtsUsageStatsTestCases -t \
android.app.usage.cts.NetworkUsageStatsTest
Test: vts-tradefed run vts -m VtsQtaguidTest
Change-Id: Idddd318c56b84564142d37b11dcc225a2f2800ea
Vendor-specific app domains depend on the rules in app.te so they
must reside in public policy.
Bug: 70517907
Test: build
Change-Id: If45557a5732a06f78c752779a8182e053beb25a2
Merged-In: If45557a5732a06f78c752779a8182e053beb25a2
(cherry picked from commit 1f4cab8bd4)
This leaves only the existence of appdomain attribute as public API.
All other rules are implementation details of this attribute's policy
and are thus now private.
Test: Device boot, apps (untrusted_app, system_app, platform_app,
priv_app) work fine. No new denials.
Bug: 31364497
Change-Id: Ie22e35bad3307bb9918318c3d034f1433d51677f
Ephemeral apps cannot open files from external storage, but can be given
access to files via the file picker.
Test: ACTION_OPEN_DOCUMENTS from an ephemeral app returns a readable fd.
Change-Id: Ie21b64a9633eff258be254b9cd86f282db1509e8
Ephemeral apps are still apps with very similar capabilities, it makes
more sense to have them under appdomain and benefit from the shared
state (and all the neverallow rules) than to try and dupplicate them and
keep them in sync.
This is an initial move, there are parts of ephemeral_app that still
need to be locked down further and some parts of appdomain that should
be pushed down into the various app domains.
Test: Builds, ephemeral apps work without denials.
Change-Id: I1526b2c2aa783a91fbf6543ac7f6d0d9906d70af
Replace the global debuggerd with a per-process debugging helper that
gets exec'ed by the process that crashed.
Bug: http://b/30705528
Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>`
Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed
Previously we published appfuse mount points to apps and apps open
appfuse file by themselves. We changed the design and we don't allow
apps to access appfuse mount point. Instead system server opens a file
on appfuse mount points and passes FD to apps.
The change updates apps and system server policies to adopt new design.
Bug: 29970149
Test: None
Change-Id: I0b35fee9816f61565705eecb88a472754ccffdca
This removes access to Bluetooth system properties from arbitrary
SELinux domains. Access remains granted to init, bluetooth, and
system_app domains. neverallow rules / CTS enforce that access is not
granted to Zygote and processes spawned from Zygote expcept for
system_app and bluetooth.
The reason is that some of these properties may leak persistent
identifiers not resettable by the user.
Test: Bluetooth pairing and data transfer works
Bug: 33700679
Change-Id: Icdcb3927a423c4011a62942340a498cc1b302472
After a series of recent commits, installd has fully migrated over
to Binder, and all socket-based communication has been removed.
Test: builds, boots, apps install fine, pre-OTA dexopt works
Bug: 13758960, 30944031
Change-Id: Ia67b6260de58240d057c99b1bbd782b44376dfb5
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split. In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.
This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.
Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
The other domains either don't have the same backwards compatibility
issues (isolated_app) or are privileged components that are pretty much
part of the platform and can be expected to meet a higher standard.
It would be possible to expose a build option for disabling the ART JIT,
allowing conditional removal of execmem from some of these domains too
(ones not ever using the WebView, until that's always in isolated_app).
Bug: 20013628
Change-Id: Ic22513157fc8b958b2a3d60381be0c07b5252fa5
external/toybox commit a583afc812cf7be74ebab72294c8df485908ff04 started
having dmesg use /dev/kmsg, which is unreadable to the unprivileged
shell user. Revoke syslog(2) to the shell user for consistency.
The kernel dmesg log is a source of kernel pointers, which can leak
kASLR information from the kernel. Restricting access to kernel
information will make attacks against Android more difficult. Having
said that, dmesg information is still available from "adb bugreport", so
this change doesn't completely shutdown kernel info leaks.
This change essentially reverts us to the state we were in between Nov 8
2011 and May 27 2014. During that almost 3 year period, the unprivileged
shell user was unable to access dmesg, and there was only one complaint
during that time.
References:
* https://android.googlesource.com/platform/system/core/+/f9557fb
* https://android.googlesource.com/platform/system/sepolicy/+/f821b5a
TODO: Further unify /dev/kmsg permissions with syslog_read permissions.
Test: policy compiles, no dmesg output
Change-Id: Icfff6f765055bdbbe85f302b781aed2568ef532f
su is an appdomain, and as such, any auditallow statements applicable to
appdomain also apply to su. However, su is never enforced, so generating
SELinux denials for such domains is pointless. Exclude su from
ion_device auditallow rules.
Addresses the following auditallow spam:
avc: granted { ioctl } for comm="screencap" path="/dev/ion" dev="tmpfs"
ino=10230 ioctlcmd=4906 scontext=u:r:su:s0
tcontext=u:object_r:ion_device:s0 tclass=chr_file
Test: policy compiles
Change-Id: I2e783624b9e53ad365669bd6f2d4db40da475a16
Remove and neverallow isolated_app access to external storage and
USB accessories.
Test: aosp_angler-userdebug builds
Bug: 21643067
Change-Id: Ie912706a954a38610f2afd742b1ab4b8cd4b1f36
Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.
Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.
Test: Tested by building policy and running on device.
Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
