Commit graph

471 commits

Author SHA1 Message Date
Ramji Jiyani
ba8615a186 Merge "system_dlkm: sepolicy: add system_dlkm_file_type" 2022-02-11 18:36:04 +00:00
Daniel Norman
ea98866236 Merge "Expose the APEX multi-install props to non-root getprop." 2022-02-11 18:25:27 +00:00
Ramji Jiyani
4a556890f9 system_dlkm: sepolicy: add system_dlkm_file_type
Add new attribute system_dlkm_file_type for
/system_dlkm partition files.

Bug: 218392646
Bug: 200082547
Test: TH
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
Change-Id: I193c3f1270f7a1b1259bc241def3fe51d77396f3
2022-02-11 04:19:33 +00:00
Daniel Norman
2d1c5129d9 Expose the APEX multi-install props to non-root getprop.
Used for *TS testing to ensure that user devices do not multi-install
APEXes.

Bug: 216852347
Test: (non root) getprop | grep ro.boot.vendor.apex
Change-Id: Ibc670fefbf89c4a4c1fa5d2ab9d7784c04946690
2022-01-28 16:16:12 -08:00
Treehugger Robot
6003019fa8 Merge "Move mtectrl to private" 2022-01-26 09:30:59 +00:00
Inseob Kim
3bd63cc206 Move mtectrl to private
Because mtectrl is a system internal domain, and we don't need to expose
the type to vendor.

Test: build and boot
Change-Id: Idb5c4a4c6f175e338722971944bf08ba99835476
2022-01-26 08:59:55 +09:00
Etienne Ruffieux
bde2fc6c48 Added new context declaration for Bluetooth configs
As we need to create new sysprops for Bluetooth mainline
configs, we need to have a property context available to
vendors and be able to access configs from other packages.

Tag: #feature
Bug: 211570675
Test: Added overlays and logs
Change-Id: If9c61f251578b61c070619069519e0aa563a9573
2022-01-25 01:18:05 +00:00
Florian Mayer
23173455ab Add policy for command line tool to control MTE boot state.
Bug: 206895651

Change-Id: I2e84193668dcdf24bde1c7e12b3cfd8a03954a16
2022-01-20 17:30:09 +00:00
Yifan Hong
aabea20d89 Remove healthd.
Test: pass
Bug: 203245871
Change-Id: I4eb0b4333d7fde2096c4c75b7655baf897900005
2021-10-20 18:47:41 -07:00
Ady Abraham
df28371462 Remove vrflinger
Not used anymore.

Test: build + presubmit
Bug: 170681929
Change-Id: I3ac9b842f89acf620e9f08516e44977d83064f2f
2021-10-20 02:02:57 +00:00
Bart Van Assche
398b0af20f Stop using the bdev_type and sysfs_block_type SELinux attributes
Stop using these attributes since these will be removed soon.

Bug: 202520796
Test: (AOSP) source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd && adb -e shell dmesg | grep avc
Test: (sc-v2-dev) source build/envsetup.sh && lunch ...-userdebug && m && install-images-on-phone && adb root && adb dmesg | grep 'avc.*comm=.init'
Change-Id: I9f5a4c5c4d6c44fefa8e66c69fec62c99f9a728d
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-10-14 09:13:58 -07:00
Bart Van Assche
6b53d731fd Stop using the bdev_type and sysfs_block_type SELinux attributes
Stop using these attributes since these will be removed soon.

Bug: 202520796
Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd
Change-Id: I61dffb482f4e952299156f34be642ae52fcbfeb3
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-10-12 09:45:11 -07:00
Christopher Ferris
f2acb20e1b Allow crash_dump to read from /data/local/tests.
Without this change, any crash from an executable in /data/local/tests
is incomplete. Specifically, function names are missing which makes
the crash nearly useless for debugging.

Bug: 197229540

Test: Used the crasher executable and copied it to /data/local/tests
Test: and verified that running it as root and shell results in
Test: tombstones that have full unwinds with function names.
Change-Id: Ic4862ca6ee9b02132a593ccd5fe26508ed5c8510
2021-09-09 14:49:36 -07:00
Jiyong Park
5e20d83cfb Add rules for virtualizationservice and crosvm
The test for the services has been running with selinux disabled. To
turn selinux on, required rules are allowed.

Below is the summary of the added rules.

* crosvm can read the composite disk files and other files (APKs,
APEXes) that serve as backing store of the composite disks.
* virtualizationservice has access to several binder services
  - permission_service: to check Android permission
  - apexd: to get apex files list (this will be removed eventually)
* Both have read access to shell_data_file (/data/local/tmp/...) for
testing purpose. This is not allowed for the user build.
* virtualizationservice has access to the pseudo terminal opened by adbd
so that it can write output to the terminal when the 'vm' tool is
invoked in shell.

Bug: 168588769
Test: /apex/com.android.virt/bin/vm run-app --log /dev/null
/data/local/tmp/virt/MicrodroidDemoApp.apk
/data/local/tmp/virt/MicrodroidDemoApp.apk.idsig
/data/local/tmp/virt/instance.img
assets/vm_config.json

without disabling selinux.

Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-26 10:45:08 +09:00
Janis Danisevskis
4678660d83 Rename vpnprofilestore to legacykeystore.
Bug: 191373871
Test: N/A
Merged-In: I3f11827909bd37a2127069de82670776a8e192b3
Change-Id: I3f11827909bd37a2127069de82670776a8e192b3
2021-06-30 12:40:39 -07:00
Hridya Valsaraju
920939df71 Allow /dev/dma_heap directory to be readable
Allow everyone to read /dev/dma_heap so that they can query the set of
available heaps with the GetDmabufHeapList() API in libdmabufheap.
This patch fixes the following denials that happen when clients use the
API:

avc: denied { read } for name="dma_heap" dev="tmpfs" ino=369
scontext=u:r:mediaswcodec:s0 tcontext=u:object_r:dmabuf_heap_device:s0
tclass=dir permissive=0
9507:05-12 17:19:59.567  1647  1647 W com.android.systemui: type=1400
audit(0.0:93): avc: denied { read } for
comm=4E444B204D65646961436F6465635F name="dma_heap" dev="tmpfs" ino=369
scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:dmabuf_heap_device:s0 tclass=dir permissive=0
app=com.android.systemui

Test: manual
Bug: 184397788
Change-Id: I84672bc0be5b409cd49080501d0bf3c269ca610c
2021-05-14 05:09:30 +00:00
Yabin Cui
bd4c9e8530 Add permissions in profcollectd to parse kernel etm data.
To parse etm data for kernel and kernel modules, add below permissions
to profcollectd:
1. Get kernel start address and module addresses from /proc/kallsyms
and /proc/modules.
2. Get kernel build id from /sys/kernel/notes.
3. Read kernel module files in vendor dir.

Bug: 166559473
Test: run profcollectd.

Change-Id: I2e0b346379271fadc20e720722f7c9a687335ee2
2021-04-08 16:03:59 -07:00
Josh Gao
d6d8a0fa5e Merge "Add neverallow to prevent reading heap dumps." 2021-04-05 23:55:11 +00:00
Treehugger Robot
da7889276f Merge "Use postinstall file_contexts" 2021-03-30 18:01:34 +00:00
Alex Light
16dfb432b3 Use postinstall file_contexts
Previously we would mount OTA images with a 'context=...' mount
option. This meant that all selinux contexts were ignored in the ota
image, limiting the usefulness of selinux in this situation. To fix
this the mount has been changed to not overwrite the declared contexts
and the policies have been updated to accurately describe the actions
being performed by an OTA.

Bug: 181182967
Test: Manual OTA of blueline
Merged-In: I5eb53625202479ea7e75c27273531257d041e69d
Change-Id: I5eb53625202479ea7e75c27273531257d041e69d
2021-03-24 17:00:35 -07:00
Thiébaud Weksteen
6620b476a8 Merge "Add SELinux lockdown policy" 2021-03-23 17:49:53 +00:00
Peter Collingbourne
228c1c396c Merge "Add support for a hw_timeout_multiplier system property." 2021-03-17 18:18:51 +00:00
Thiébaud Weksteen
bcfca1a686 Add SELinux lockdown policy
The lockdown hook defines 2 modes: integrity and confidentiality [1].
The integrity mode ensures that the kernel integrity cannot be corrupted
by directly modifying memory (i.e. using /dev/mem), accessing PCI
devices, interacting with debugfs, etc. While some of these methods
overlap with the current policy definition, there is value in enforcing
this mode for Android to ensure that no permission has been overly
granted. Some of these detection methods use arbitrary heuristic to
characterize the access [2]. Adapt part of the policy to match this
constraint.

The confidentiality mode further restricts the use of other kernel
facilities such as tracefs. Android already defines a fine-grained
policy for these. Furthermore, access to part of tracefs is required in
all domains (see debugfs_trace_marker). Allow any access related to this
mode.

[1] https://lore.kernel.org/linux-api/20190820001805.241928-4-matthewgarrett@google.com/
[2] https://lore.kernel.org/linux-api/20190820001805.241928-27-matthewgarrett@google.com/

Bug: 148822198
Test: boot cuttlefish with patched kernel; check logcat for denials.
Test: run simpleperf monitor to exercise tracefs; check logcat for denials.
Change-Id: Ib826a0c153771a61aae963678394b75faa6ca1fe
2021-03-17 15:26:01 +01:00
Janis Danisevskis
ac4a6e75fc Keystore 2.0: Allow apps to get the Keystore state.
Bug: 171305684
Test: atest com.android.server.locksettings
Change-Id: I348e02704a0ddacb7859821149dc97df1d298758
2021-03-15 19:04:03 -07:00
Peter Collingbourne
01e58e0fe3 Add support for a hw_timeout_multiplier system property.
In order to test the platform in emulators that are orders of magnitude
slower than real hardware we need to be able to avoid hitting timeouts
that prevent it from coming up properly. For this purpose introduce
a system property, ro.hw_timeout_multiplier, which may be set to
an integer value that acts as a multiplier for various timeouts on
the system.

Bug: 178231152
Change-Id: I6d7710beed0c4c5b1720e74e7abe3a586778c678
Merged-In: I6d7710beed0c4c5b1720e74e7abe3a586778c678
2021-03-11 14:04:18 -08:00
Janis Danisevskis
291bc98a36 Keystore 2.0: Add policy for vpnprofilestore
Test: N/A
Change-Id: Iba6ca7be95dfcead8ce8ee17d6a6d78a5441d58f
2021-02-23 13:24:52 -08:00
Elliott Hughes
adaf4fe7a9 Merge "init/ueventd and system_server no longer need access to /dev/hw_random." 2021-02-16 20:08:39 +00:00
Elliott Hughes
5aaf7f3461 init/ueventd and system_server no longer need access to /dev/hw_random.
We let the kernel worry about that now.

Bug: http://b/179086242
Test: treehugger
Change-Id: I51bdfaf7488717cc4e4c642261e31d1801cfba68
2021-02-12 09:33:22 -08:00
Marco Ballesio
aa4ce95c6f sepolicy: rules for uid/pid cgroups v2 hierarchy
Bug: 168907513
Test: verified the correct working of the v2 uid/pid hierarchy in normal
and recovery modes

This reverts commit aa8bb3a29b.

Change-Id: Ib344d500ea49b86e862e223ab58a16601eebef47
2021-02-11 23:40:38 +00:00
Florian Mayer
ea00b68ee5 Allow shell to create shell_[test_]_data_file sockets.
This makes it easier to write some tests without requiring root for
creating a temporary socket.

Test: m
Test: atest perfetto_integrationtests with https://r.android.com/1575345
      passed with this CL
      failed without with
        avc: denied { create } for name="traced_consumer"
        scontext=u:r:shell:s0 tcontext=u:object_r:shell_data_file:s0
        tclass=sock_file permissive=0

Change-Id: I281778259a55973cda9d6e7af6dea5637591502c
2021-02-09 13:29:05 +00:00
Florian Mayer
5cefb23c4f Allow heapprofd to read shell_test_data_file.
This is so we can run integrationtests on user.

Change-Id: Ie6afad9758968e6cdeb030fbf4d3b75a61813269
2021-02-09 13:28:49 +00:00
Treehugger Robot
96acdc0b22 Merge "Revert^3 "sepolicy: rules for uid/pid cgroups v2 hierarchy"" 2021-02-05 01:59:16 +00:00
Marco Ballesio
aa8bb3a29b Revert^3 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
a54bed6907

Bug: 151660495
Test: verified proper boot in regular mode and proper working of adb in
recovery

Change-Id: Id70d27a6162af6ede94661005d80a2a780057089
2021-02-04 22:33:14 +00:00
Treehugger Robot
883de3cd2e Merge "Add vendor_public_framework_file type to SEPolicy" 2021-01-28 11:41:00 +00:00
Oliver Woodman
bc41c14ffd Merge "Define SOC sysprop policy" 2021-01-28 09:12:52 +00:00
Oliver Woodman
164ba2bd39 Define SOC sysprop policy
BUG: 158284209
Test: atest android.os.cts.BuildTest
Change-Id: I7df7e575072c37ca379b97f60cc6c0850a02bcd1
2021-01-27 13:49:00 +00:00
Marco Ballesio
a54bed6907 Revert^2 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
51c04ac27b

Change-Id: Idc35a84b5faabfb9bdd7a7693f51b11938eb0489
2021-01-27 06:07:48 +00:00
Dorin Drimus
84cd7087d5 Add vendor_public_framework_file type to SEPolicy
And allow access from system apps to vendor libs public only for system.
These files should be marked individually by OEMs. Maintainance
ownership for these libraries is also OEM's responsability.
Similar with vendor_public_libs_file type, this allows for an explicit
labeling of OEM system apps that can access libs from vendor.

Bug: 172526961
Test: build-only change, policy builds
Change-Id: I7d4c8232e0b52e73f373d3347170c87ab2dcce52
2021-01-26 15:59:37 +01:00
Orion Hodson
74b129b77c Merge "Permissions for odrefresh and /data/misc/apexdata/com.android.art" 2021-01-19 09:37:36 +00:00
Inseob Kim
150355b1c3 Merge "Revert^2 "Make default_prop only readable from coredomain"" 2021-01-14 09:42:25 +00:00
Inseob Kim
5c011e57a5 Revert^2 "Make default_prop only readable from coredomain"
This reverts commit 32fbfbc016.

Reason for revert: Fixed breakages

Change-Id: I474ee7dd7b82b4f2e02353e8a3fb55e3c410941f
2021-01-14 04:08:16 +00:00
Mitch Phillips
e0bab54ba6 Merge "[MTE] Add memtag sysprop sepolicy." 2021-01-13 18:07:36 +00:00
Orion Hodson
8f75f76fbd Permissions for odrefresh and /data/misc/apexdata/com.android.art
odrefresh is the process responsible for checking and creating ART
compilation artifacts that live in the ART APEX data
directory (/data/misc/apexdata/com.android.art).

There are two types of change here:

1) enabling odrefresh to run dex2oat and write updated boot class path
   and system server AOT artifacts into the ART APEX data directory.

2) enabling the zygote and assorted diagnostic tools to use the
   updated AOT artifacts.

odrefresh uses two file contexts: apex_art_data_file and
apex_art_staging_data_file. When odrefresh invokes dex2oat, the
generated files have the apex_art_staging_data_file label (which allows
writing). odrefresh then moves these files from the staging area to
their installation area and gives them the apex_art_data_file label.

Bug: 160683548
Test: adb root && adb shell /apex/com.android.art/bin/odrefresh
Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
2021-01-13 10:38:22 +00:00
Florian Mayer
a8a3d8b1bf Allow heapprofd central mode on user builds.
This simplifies operation by removing a special case for user builds.

Test: atest CtsPerfettoTestCases on user
Test: atest CtsPerfettoTestCases on userdebug
Test: atest perfetto_integrationtests on userdebug
Bug: 153139002
Change-Id: Ibbf3dd5e4f75c2a02d931f73b96fabb8157e0ebf
2021-01-11 17:19:02 +00:00
Mitch Phillips
eaf1404d8a [MTE] Add memtag sysprop sepolicy.
These flags should be writeable to the shell for both root and non-root
users. They should be readable everywhere, as they're read in libc
during initialization (and there's nothing secret to hide). We just
don't want to allow apps to set these properties.

These properties are non-persistent, are for local developer debugging
only.

Bug: 135772972
Bug: 172365548
Test: `adb shell setprop memtag.123 0` in non-root shell succeeds.
Change-Id: If9ad7123829b0be27c29050f10081d2aecdef670
2021-01-11 08:35:58 -08:00
Inseob Kim
726dc022db Merge "Revert "Make default_prop only readable from coredomain"" 2021-01-05 08:56:07 +00:00
Jackal Guo
32fbfbc016 Revert "Make default_prop only readable from coredomain"
This reverts commit 082ced1951.

Reason for revert: b/176784961

Change-Id: Ia85667216d63084e9e23aefe1d3bfd7942d51a2a
2021-01-05 08:47:57 +00:00
Treehugger Robot
3acee7da98 Merge "Make default_prop only readable from coredomain" 2021-01-05 05:25:14 +00:00
Josh Gao
0f48b76e72 Add neverallow to prevent reading heap dumps.
Bug: http://b/172518739
Test: mma
Change-Id: I12342015ddd1d8666f62317e027dae6816f53c7e
2020-12-17 16:51:50 -08:00
Hridya Valsaraju
8c9cf62edb Allow coredomain access to only approved categories of vendor heaps
One of the advantages of the DMA-BUF heaps framework over
ION is that each heap is a separate char device and hence
it is possible to create separate sepolicy permissions to restrict
access to each heap.
In the case of ION, allocation in every heap had to be done through
/dev/ion which meant that there was no away to restrict allocations in
a specific heap.

This patch intends to restrict coredomain access to only approved
categories of vendor heaps. Currently, the only identified category
as per partner feedback is the system-secure heap which is defined
as a heap that allocates from protected memory.

Test: Build, video playback works on CF with ION disabled and
without sepolicy denials
Bug: 175697666

Change-Id: I923d2931c631d05d569e97f6e49145ef71324f3b
2020-12-16 10:08:54 -08:00