This exception is needed for overriding gated changes in tests.
Bug: 140367850
Test: http://aosp/1113771
Change-Id: I2a76f92fe06c1c759a537dea7539a8899f02b15e
This reverts commit a9b718a1ed.
Reason for revert: No longer be necessary after
http://r.android.com/1120246 lands as this causes BoringSSL to only write
flag files if a particular environment variable is set, and this variable
will only be set for the self test binaries which have permission to
write to /dev/boringssl.
Bug: 140918050
Test: Manually observed audit log after change
Change-Id: I851f4aea991d91c67b64535829eea5b9594a3e2c
Binaries other than boringssl_self_test_exec are not allowed
to create marker files /dev/boringssl/selftest/[hash].
Right now, some processes still attempt to because:
- Some binaries run so early during early-init that
boringssl_self_test{32,64} hasn't had a chance to
run yet, so the marker file doesn't exist yet, so
the unprivileged process attempts to create it.
- Some binaries statically link libcrypto so their
[hash] is different from that used by
boringssl_self_test{32,64}.
There's some ongoing work to stop those binaries even
attempting to create the marker files but it's not a
big deal if they do. Similarly, there is ongoing work
to minimize or eliminate static linking of this library.
For now, this CL turns off audit logs for this behavior
since it is harmless (a cosmetic issue) and in order to
not hold up the bulk of the logic being submitted.
Bug: 137267623
Test: Treehugger
Change-Id: I3de664c5959efd130f761764fe63515795ea9b98
app_zygote used by for example Google Chrome needs access
to at least search /oem partition.
Google chrome version: 76.0.3809.132 is running in app_zygote
and the following access is blocked by selinux causing Chrome
to hang.
avc: denied { search } for pid=813 comm="d.chrome_zygote"
name="/" dev="sda42" ino=2 scontext=u:r:app_zygote:s0:c214,c256,c512,c768
tcontext=u:object_r:oemfs:s0 tclass=dir permissive=0 ppid=798
pcomm="d.chrome_zygote" pgid=798 pgcomm="d.chrome_zygote"
Change-Id: Idcce1a5ad1a8be3d7bd057c12ec477baa9669235
Give /data itself a different label to its contents, to ensure that
only init creates files and directories there.
This change originally landed as aosp/1106014 and was reverted in
aosp/1116238 to fix b/140402208. aosp/1116298 fixes the underlying
problem, and with that we can re-land this change.
Bug: 139190159
Bug: 140402208
Test: aosp boots, logs look good
Change-Id: I1a366c577a0fff307ca366a6844231bcf8afe3bf
Include coredomain in initial definition of boringssl_self_test
rather than adding it later. This addresses an outstanding review
comment from http://r.android.com/1110523
Test: Treehugger
Bug: 137267623
Change-Id: I4e8d4e2e76b1c3a9b5a1f806e43e885b51cb7a60
Before this change, access to HALs from untrusted apps was prohibited
except for the whitelisted ones like the gralloc HAL, the renderscript
HAL, etc. As a result, any HAL that is added by partners can't be
accessed from apps. This sometimes is a big restriction for them when
they want to access their own HALs in the same-process HALs running in
apps. Although this is a vendor-to-vendor communication and thus is not
a Treble violation, that was not allowed because their HALs are not in
the whitelist in AOSP.
This change fixes the problem by doing the access control in the
opposite way; access to HALs are restricted only for the blacklisted
ones.
All the hwservice context that were not in the whitelist are now put
to blacklist.
This change also removes the neverallow rule for the binder access to
the halserverdomain types. This is not needed as the protected
hwservices living in the HAL processes are already not accessible; we
have a neverallow rule for preventing hwservice_manager from finding
those protected hwservices from untrusted apps.
Bug: 139645938
Test: m
Merged-In: I1e63c11143f56217eeec05e2288ae7c91e5fe585
(cherry picked from commit 580375c923)
Change-Id: I4e611091a315ca90e3c181f77dd6a5f61d3a6468
/data/local/tmp is an attacker controlled location which system_apps
should not be depending on. system_apps should only depend on files in
their home directory and files passed to them by file descriptor. To
support this best practice, neverallow access to /data/local/tmp. This
adds a compile time assertion and CTS test to assert that this rule is
never present.
This is conceptually a tightening of already defined neverallow rules in
domain.te. The existing neverallow assertions exclude appdomain, which
is too broad:
neverallow {
domain
-adbd
-appdomain
-dumpstate
-init
-installd
-simpleperf_app_runner
-system_server # why?
userdebug_or_eng(`-uncrypt')
} shell_data_file:dir { open search };
# Same as above for /data/local/tmp files. We allow shell files
# to be passed around by file descriptor, but not directly opened.
neverallow {
domain
-adbd
-appdomain
-dumpstate
-installd
userdebug_or_eng(`-uncrypt')
} shell_data_file:file open;
Test: compiles
Change-Id: Ib7178e2b9d5a41c03837a535f7db5eaf10319aac
Currently shell can connect to the traced_consumer_socket allowing it to
configure/start/stop and collect traces. This allows a host tool (e.g. Android Studio or
https://ui.perfetto.dev) to connect to the device via adb and collect traces. It would
be better if rather than executing shell commands the host tool could directly communicate
with the consumer socket. This is possible using adb forward:
adb forward tcp:9903 localfilesystem:/dev/socket/traced_consumer
However in this case adbd is connecting to the socket - not shell.
This CL allows adbd to connect to the socket which allows host tools to collect
traces without having to do everything though shell commands.
Denial:
08-30 11:28:05.809 10254 10254 W adbd : type=1400 audit(0.0:1129): avc: denied { write } for name="traced_consumer" dev="tmpfs" ino=6719 scontext=u:r:adbd:s0 tcontext=u:object_r:traced_consumer_socket:s0 tclass=sock_file permissive=0
Test: Cherry pick CL to master, make, flash
adb logcat | grep denied
adb forward tcp:9903 localfilesystem:/dev/socket/traced_consumer
Bug: b/139536756
Change-Id: Ie08e687c0b06d0e1121009e8cd70319a8f907ae2
This CL adds hand-written SELinux rules to:
- define the boringssl_self_test security domain
- label the corresponding files at type boringssl_self_test_marker
and boringssl_self_test_exec.
- define an automatic transition from init to boringssl_self_test
domains, plus appropriate access permissions.
Bug: 137267623
Test: When run together with the other changes from draft CL topic
http://aosp/q/topic:bug137267623_bsslselftest, check that:
- both /dev/boringssl/selftest/* marker files are
present after the device boots.
- Test: after the boringssl_self_test{32,64} binaries have
run, no further SELinux denials occur for processes
trying to write the marker file.
Change-Id: I77de0bccdd8c1e22c354d8ea146e363f4af7e36f
Give /data itself a different label to its contents, to ensure that
only init creates files and directories there.
Bug: 139190159
Test: aosp boots, logs look good
Change-Id: I3ee654a928bdab3f5d435ab6ac24040d9bdd9abe
When fsverity_init tries to access files in /system or /product
partition AFTER adb remount, SELinux denial is generated:
avc: denied { sys_admin } for capability=21
scontext=u:r:fsverity_init:s0 tcontext=u:r:fsverity_init:s0
tclass=capability permissive=0
This is due to some internal access to an xattr inside overlayfs, but it
should not report this.
Before the message can be surpressed, dontaudit it to keep the log clean.
Test: no more error log
Bug: 132323675
Change-Id: I323c9330ee6e6b897d1a4e1e74f6e7e0ef1eaa89
The only distinction that matters for security is if a service is
served by vendor or not AND which process is allowed to talk to which.
coredomain is allowed to talk to vintf_service OR vendor_service, it's
just that for a non-@VintfStability service user-defined APIs (as
opposed to pingBinder/dump) are restricted.
Bug: 136027762
Test: N/A
Change-Id: If3b047d65ed65e9ee7f9dc69a21b7e23813a7789
Commit I35d35016680379e3a9363408704ee890a78a9748 is not yet in AOSP
and is causing a merge conflict with my change aosp/1105757.
Move the lines causing the conflict elsewhere.
Bug: 1105489
Test: treehugger
Cherrypicked-From: 1da93c9f32
Merged-In: I35dca026e40c9e2f89b831395db3958e399bfbb7
Change-Id: I35dca026e40c9e2f89b831395db3958e399bfbb7
On cuttlefish devices, the resource loading code apparently maps the file rather
than just reading it.
Denial log:
viewcompiler: type=1400 audit(0.0:308): avc: denied { map } for
path="/data/app/android.startop.test-Z2JxVhtKPw2wx4o-nmo5NA==/base.apk"
dev="vdb" ino=139269 scontext=u:r:viewcompiler:s0
tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0
app=android.startop.test
Bug: 139018973
Change-Id: I4bbbc44abc3c4315137f76a0be737236cf10f4ef
Instead of relying on the regular iteration through the system
services inside dumpstate, dumpstate now uses a dedicated incident CLI
to capture incident report. This patch makes required SELinux changes
to make it happen.
Bug: 137493082
Test: Manually takes a bugreport from command line, power button, and
BetterBug. Verifies /proto/incident_report.proto exists in the
zip file, and no unintended avc denial.
Change-Id: I0d93b015b7a9d32db4f3bf10d1c25e5a3ca04e48
Since this service no longer exists.
Fix: 80317992
Test: TH, codesearch.
Merged-In: I257c8cc3dba657d98f19eb61b36aae147afea393
Change-Id: I257c8cc3dba657d98f19eb61b36aae147afea393
This reverts commit 6b2eaade82.
Reason for revert: reland original CL
Separate runtime infrastructure now makes sure that only Stable AIDL
interfaces are used system<->vendor.
Bug: 136027762
Change-Id: Id5ba44c36a724e2721617de721f7cffbd3b1d7b6
Test: boot device, use /dev/binder from vendor
Separate runtime infrastructure now makes sure that only Stable AIDL
interfaces are used system<->vendor.
Bug: 136027762
Test: boot device, use /dev/binder from vendor
Change-Id: Icdf207c5d5a4ef769c0ca6582dc58306f65be67e
This service is requested by AOSP framework, but there is no context for
it defined.
Bug: 136023468
Test: N/A
Change-Id: Ibc5b048aaa1c9eda7b9180caca92cb876c3f6b28
Merged-In: Ibc5b048aaa1c9eda7b9180caca92cb876c3f6b28
(cherry picked from commit 67cb30fabf)
This service is requested by AOSP framework, but there is no context for
it defined.
Bug: 136023468
Test: N/A
Change-Id: Ibc5b048aaa1c9eda7b9180caca92cb876c3f6b28
Merged-In: Ibc5b048aaa1c9eda7b9180caca92cb876c3f6b28
(cherry picked from commit 67cb30fabf)
SELinux has a separate file mmap permission in 4.14+ kernels. Add this
to dexoptanalyzer(d) in cases where it could already access files (in
particular, secondary dex files).
Addresses denials of the form:
avc: denied { map } for […] path="/data/data/[…]" […]
scontext=u:r:dexoptanalyzer:s0 tcontext=u:object_r:app_data_file:s0
Test: Reproduce steps in bug 138683603 on a device with a 4.14+ kernel
and check the absence of SELinux denials
Bug: 138683603
Change-Id: Ieba53eb431c0ba3914dcb5e5abdae667bd063555
To support linker-specific property, sys.linker.* has been defined as
linker_prop. This will have get_prop access from domain so all binaries
can start with linker using proper property access level.
Bug: 138920271
Test: m -j && Confirmed from cuttlefish that get_prop errors are no longer found
Change-Id: Iaf584e0cbdd5bca3d5667e93cf9a6401e757a314
This should be available in user and userdebug builds.
Bug: 137289935
Test: Alongside atrace changes, recorded a trace using Traceur and
verified that the tracepoints were included in the recorded trace in
both user and userdebug builds.
Change-Id: I6131557bdd0a298be9e75b39759599b189b9b988
Additional permission is required for linkerconfig from domain to get
access to ld.config.txt file from linker. This change allows linker to
get /dev/linkerconfig/ld.config.txt
Bug: 138920271
Test: m -j && confirmed from cuttlefish
Change-Id: Id130a072add8ae82840b0b4d9e997e146f502124
This change is part of enabling upcoming platform changes that are
described in the bug linked below.
Bug: 135341433
Test: m
Change-Id: I6ef499b0d5aa403f8eb6699649a201d8cc004bc5
DEFAULT_SYSTEM_DEV_CERTIFICATE is not appropriate as some OEMs may need
to change only the certificates used to generate
plat_mac_permissions.xml for mainline modules.
Test: m, checked output plat_mac_permissions.xml
Bug: 138097611
Bug: 134995443
Change-Id: Ie19130a243db043f432039c54c379f06e60ab6c6
Allow dexoptanalyzer(d) to lock `system_file` files, so that it can
lock `/system/framework/$ISA/*.art` files (which is harmless as these
files live in a read-only partition, but admittedly simplifies the
corresponding logic in ART).
Addresses denials of the form:
avc: denied { lock } for path="/system/framework/arm/boot.art"
dev="dm-0" ino=1330 scontext=u:r:dexoptanalyzer:s0
tcontext=u:object_r:system_file:s0 tclass=file permissive=0 […]
Test: Reproduce steps in bug 138683603 and check the absence of SELinux denials
Bug: 138683603
Change-Id: I8a08822b4908b3b37bd0e450dd1356ed92332327
Used to restrict properties init.svc_debug_pid.*
Bug: 138114550
Test: getprop | grep init.svc_debug_pid only shows results on root
Change-Id: I0c10699deec4c548a2463a934e96b897ddee1678
Used to lazily start AIDL services.
Bug: 138756857
Test: Manual (using mediaextractor as a test service)
Change-Id: Ia1f2c10072e42d8917985c38500be0955f98b8eb
Now that our tools are routed to system_suspend, there is no reason for
system_suspend to write to /sys/power/wake_[un]lock.
Bug: 128923994
Bug: 115946999
Test: boot blueline, no denials from system_suspend
Change-Id: I1097d30c050ce7d88677e07f4aaef07ce78dc958
