Commit graph

23 commits

Author SHA1 Message Date
Joel Galenson
ba0c279de4 Ensure taking a bugreport generates no denials.
This commit adds new SELinux permissions and neverallow rules so that
taking a bugreport does not produce any denials.

Bug: 73256908
Test: Captured bugreports on Sailfish and Walleye and verified
that there were no denials.

Merged-In: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9
Change-Id: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9
(cherry picked from commit daf1cdfa5a)
2018-03-08 02:25:18 +00:00
Tri Vo
c936223c51 Merge "storaged: remove access to sysfs_type" am: e3b05cf614 am: 2a415167a4
am: 38b224666f

Change-Id: Ifc0122974741000970b19e3053b380087291cdc4
2018-01-18 02:36:46 +00:00
Tri Vo
48027a0067 storaged: remove access to sysfs_type
Bug: 68388678
Test: storaged-unit-tests
Change-Id: Iea1ba0131a389dc4396ff3ebe2cdf68dbd688c8a
2018-01-16 18:39:29 -08:00
Benjamin Gordon
65214c688a Merge "sepolicy: Add rules for non-init namespaces" am: b9ea282c65 am: d41e616199
am: 44957a90f3

Change-Id: I363639d2cdf70b1772da3d6c7f7c814554063dfc
2017-11-21 17:47:23 +00:00
Benjamin Gordon
9b2e0cbeea sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-21 08:34:32 -07:00
Yifan Hong
b9aa010089 healthd provides health@2.0 service.
* remove binder calls to healthd (storaged, system_server)
* Allow healthd to serve health HAL

Bug: 62229583
Test: no health related denials
Test: VTS health test
Test: BatteryManagerTest

Change-Id: I0cf1872c0ba69e7de7c3f529d548f9ffe39812ac
2017-10-17 13:48:42 -07:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Jin Qian
4b6e673a2a storaged: allow storaged to access /data/misc/storaged directory
storaged will use this directory to store internal data files.

Bug: 63740245
Change-Id: Ie77961c2b398cc464b7199d3acbcc6287312d3b4
2017-08-15 11:19:12 -07:00
Todd Kennedy
8bb80471b9 Allow PackageManager to create a new service
A new API [getNamesForUids] was recently added to the PackageManager
and this API needs to be accessible to native code. However, there
were two constraints:
1) Instead of hand-rolling the binder, we wanted to auto generate
the bindings directly from the AIDL compiler.
2) We didn't want to expose/annotate all 180+ PackageManager APIs
when only a single API is needed.
So, we chose to create a parallel API that can be used explicitly
for native bindings without exposing the entirety of the
PackageManager.

Bug: 62805090
Test: Manual
Test: Create a native application that calls into the new service
Test: See the call works and data and returned
Change-Id: I0d469854eeddfa1a4fd04b5c53b7a71ba3ab1f41
2017-08-04 13:33:42 -07:00
William Roberts
c4a732877d Merge "storaged: add permissions for dumpstate" am: 611202ef53 am: 702605c62f
am: fbb96d8a62

Change-Id: I258cec0012787532b7bdcdbac6fecacd5a2cd33b
2017-05-09 15:37:27 +00:00
William Roberts
fd8f305bd3 storaged: add permissions for dumpstate
The service "storaged" implememnts a dump() interface for
dumpsys, and thus it needs to write its state to the fd
provided by dumpstate.

To correct this, and fix dumpstate, allow the permission.

Fixes:
avc: denied { use } for pid=3298 comm="dumpsys" path="pipe:[33470]" dev="pipefs" ino=33470 scontext=u:r:storaged:s0 tcontext=u:r:dumpstate:s0 tclass=fd permissive=0

Test:
With a device that has storaged, issue the command:
$ adb shell dumpstate

Change-Id: I515e20f0328b6edc01ea2a7c53b1d3c4ca0e72ac
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-05-03 10:40:18 -07:00
Jin Qian
00a1789c79 Allow GMSCore to call dumpsys storaged
Test: trigger dumpsys storaged from GMScore
Bug: 37284569
Change-Id: Ie734ce5487a69f8cc29dd73d470229fe81cd1176
2017-04-12 18:02:13 -07:00
Jin Qian
a239f30fd6 storaged: allow shell to call dumpsys storaged
Test: adb kill-server && adb shell dumpsys storaged
Bug: 36492915
Change-Id: I3a1a2ad2f016ddd5770d585cae82c8be69001df9
2017-03-31 10:53:55 -07:00
Jin Qian
af3eaf0d20 storaged: allow shell to call dumpsys storaged
Test: adb kill-server && adb shell dumpsys storaged
Bug: 36492915
Change-Id: I3a1a2ad2f016ddd5770d585cae82c8be69001df9
2017-03-30 16:21:29 -07:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
Jin Qian
d3a11613c3 storaged: remove rules no longer necessary
Test: adb shell dumpsys storaged --force
Bug: 35323867
Change-Id: I6944ca357875a24465054d3891a00dbcd67495cf
2017-02-27 22:40:34 +00:00
Jin Qian
61670b8623 storaged: allow register and callback from batteryproperties
Test: adb shell dumpsys storaged
Bug: 33086174
Bug: 34198239
Change-Id: I85d6bd05192a205662f69466d7d6208e8b834eff
2017-02-06 11:06:05 -08:00
William Roberts
606d2fd665 te_macros: introduce add_service() macro
Introduce the add_service() macro which wraps up add/find
permissions for the source domain with a neverallow preventing
others from adding it. Only a particular domain should
add a particular service.

Use the add_service() macro to automatically add a neverallow
that prevents other domains from adding the service.

mediadrmserver was adding services labeled mediaserver_service.
Drop the add permission as it should just need the find
permission.

Additionally, the macro adds the { add find } permission which
causes some existing neverallow's to assert. Adjust those
neverallow's so "self" can always find.

Test: compile and run on hikey and emulator. No new denials were
found, and all services, where applicable, seem to be running OK.

Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-01-26 04:43:16 +00:00
Jin Qian
8ad57ef664 storaged: allow reading packages.list
Delete rule for permission_service since we use packages.list instead.

Test: adb shell storaged -u
Bug: 34198239
Change-Id: Ic69d0fe185e627a932bbf8e85fc13163077bbe6b
2017-01-20 20:34:59 -08:00
Jin Qian
d345906b14 Define policy for /proc/uid_io/stats
New procfs file read by storaged to dump fg/bg IO usage.

Remove kmsg rule since it's no longer used by storaged.

Allow storaged to find permission_service to translate UID
to package name.

Test: adb shell storaged -u
Bug: 34198239
Change-Id: I74654662c75571cbe166cf2b8cbab84828218cbd
2017-01-18 11:00:57 -08:00
Nick Kralevich
1a022cbbe7 storaged.te: Remove redundant permission.
All SELinux domains are already granted the ability to read the
filenames in /proc, so it's unnecessary to add it to storaged.te.

  $ grep "proc:dir r_dir_perms" public/domain.te
  allow domain proc:dir r_dir_perms;

Remove redundant rule.

Test: policy compiles.
Change-Id: I8779cda19176f7eb914778f131bb5b14e5b14448
2017-01-06 18:56:29 -08:00
ynwang
e68d2d2c72 Storaged permissions for task I/O
Allow storaged to read /proc/[pid]/io
Grant binder access to storaged
Add storaged service
Grant storaged_exec access to dumpstate
Grant storaged binder_call to dumpstate

Bug: 32221677

Change-Id: Iecc9dba266c5566817a99ac6251eb943a0bac630
2017-01-07 01:12:51 +00:00
ynwang
9fa8823cdf Storaged permission setting
Allowing storaged for reading from pseudo filesystems and debugfs.

Bug: 32221677

Change-Id: I837cead9a68f0b399703b64d724cb9c4b205c335
2017-01-07 01:12:45 +00:00