Commit graph

25 commits

Author SHA1 Message Date
Devin Moore
49a4a06264 Allow crash_dump to read misctrl properties
This is used to determine if the device has been in 16k page size mode
to help debug issues with that.

Test: debuggerd_test with ro.misctl.16kb_before="1"
Bug: 335247092
Change-Id: I7b5fcd39cc5b3247d866814fbcf53299d68846c2
2024-05-06 15:40:12 +00:00
Inseob Kim
75806ef3c5 Minimize public policy
Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.

Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
           <(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
      to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
2024-03-28 00:33:46 +00:00
Steven Moreland
91497cc9db crash_dump: read bootstrap libs
Required for nicer stacks for crashes
and ANRs, etc..

Bug: N/A
Test: adb shell am hang, check servicemanager
  section no longer displays warnings now that
  that it is dumped by watchdog
Change-Id: I49a93c1fec9c3219c11dc1a82440c7c2a1944010
2023-12-06 01:43:46 +00:00
Jooyung Han
18a42afb49 Allow crash_dump to read vendor apex dir.
Bug: 298699169
Test: crash dumps from a binary in vendor apex
Change-Id: I4eb2c4162ae2e78ef126987e7de0f838b6db205c
2023-09-05 17:51:38 +09:00
Alice Wang
5e94b1698c [dice] Remove all the sepolicy relating the hal service dice
As the service is not used anywhere for now and in the near future.

Bug: 268322533
Test: m
Change-Id: I0350f5e7e0d025de8069a9116662fee5ce1d5150
2023-02-24 08:34:26 +00:00
Frederick Mayle
4f5390d640 Allow crash_dump on crosvm
Protected guest memory maps are now unmapped when crash_dump forks off
of crosvm, so we don't need or want this exception anymore.

Bug: 238324526
Test: ran debuggerd on protected vm
Change-Id: Iccff5dcc441dcf769fcdaa89e7b8e686341821fd
2023-02-17 19:36:51 +00:00
Ryan Savitski
941ba723ba sepolicy: rework perfetto producer/profiler rules for "user" builds
This patch:
* allows for heap and perf profiling of all processes on the system
  (minus undumpable and otherwise incompatible domains). For apps, the
  rest of the platform will still perform checks based on
  profileable/debuggable manifest flags. For native processes, the
  profilers will check that the process runs as an allowlisted UID.
* allows for all apps (=appdomain) to act as perfetto tracing data
  writers (=perfetto_producer) for the ART java heap graph plugin
  (perfetto_hprof).
* allows for system_server to act a perfetto_producer for java heap
  graphs.

Bug: 247858731
Change-Id: I792ec1812d94b4fa9a8688ed74f2f62f6a7f33a6
2023-02-03 15:05:14 +00:00
Max Bires
da19b45a14 Remove inapplicable comment.
There don't seem to be any security issues raised by allowing crash dump
to access keystore. More specifically, all key material is encrypted by
KeyMint anyways in the absolute worst case, so even if key exposure
occurred, there would be no harm.

Fixes: 186868271
Test: The comment is gone.
Change-Id: Ib09fc8e1eaa3f1a0876139e175dc28be9e0d4a4a
2022-08-02 11:01:25 -07:00
David Brazdil
28b34f1bca crash_dump: Remove permission to dump crosvm
A crosvm instance running a protected VM contains a memory mapping of
the VM's protected memory. crash_dump can trigger a kernel panic if it
attaches to such crosvm instance and tries to dump this memory region.

Until we have a means of excluding only the protected memory from
crash_dump, prevent crash_dump from dumping crosvm completely by taking
away its SELinux permission to ptrace crosvm.

Bug: 236672526
Test: run 'killall -s SIGSEGV crosvm' while running crosvm
Change-Id: I6672746c479183cc2bbe3dce625e5b5ebcf6d822
2022-07-01 17:30:54 +01:00
Janis Danisevskis
2b6c6063ae Diced: Add policy for diced the DICE daemon.
Bug: 198197213
Test: N/A
Change-Id: I5d0b06e3cd0c594cff6120856ca3bb4f7c1dd98d
2021-11-17 13:36:18 -08:00
Max Bires
f09391624a Allowing userdebug/eng builds crash dump access to ks
This will make debugging of keystore issues in dogfood populations much
easier than it previously was, as developers will have detailed crash
dump reporting on any issues that do occur.

Bug: 186868271
Bug: 184006658
Test: crash dumps appear if keystore2 explodes
Change-Id: Ifb36cbf96eb063c9290905178b2fdc5934050b99
2021-04-30 18:50:54 +00:00
Orion Hodson
8f75f76fbd Permissions for odrefresh and /data/misc/apexdata/com.android.art
odrefresh is the process responsible for checking and creating ART
compilation artifacts that live in the ART APEX data
directory (/data/misc/apexdata/com.android.art).

There are two types of change here:

1) enabling odrefresh to run dex2oat and write updated boot class path
   and system server AOT artifacts into the ART APEX data directory.

2) enabling the zygote and assorted diagnostic tools to use the
   updated AOT artifacts.

odrefresh uses two file contexts: apex_art_data_file and
apex_art_staging_data_file. When odrefresh invokes dex2oat, the
generated files have the apex_art_staging_data_file label (which allows
writing). odrefresh then moves these files from the staging area to
their installation area and gives them the apex_art_data_file label.

Bug: 160683548
Test: adb root && adb shell /apex/com.android.art/bin/odrefresh
Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
2021-01-13 10:38:22 +00:00
Jeff Vander Stoep
60bb29fcdf crash_dump: suppress devpts denials
The following denial caused a presubmit failure:
06-15 15:16:24.176   956   956 I auditd  : type=1400 audit(0.0:4): avc:
denied { read write } for comm="crash_dump64" path="/dev/pts/3"
dev="devpts" ino=6 scontext=u:r:crash_dump:s0
tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0

Suppress these denials. They are not needed by crash_dump and are only
caused by the default behavior of sharing FDs across exec.

Test: build
Change-Id: I183f7a54e6b807fdf46b04d67dd4b819d4f0e507
2019-03-19 04:05:51 +00:00
Jeff Vander Stoep
1795d0bcfd crash_dump: dontaudit devices passed by exec()
avc: denied { read } for comm="crash_dump64" name="v4l-touch22"
dev="tmpfs" ino=18821 scontext=u:r:crash_dump:s0
tcontext=u:object_r:input_device:s0 tclass=chr_file

Test: build
Change-Id: Iac66b77ad255c950b21fd267c88fdbc382be2877
2019-03-13 20:50:25 -07:00
Andreas Gampe
efece54e06 Sepolicy: Allow crash_dump to ptrace apexd in userdebug
In userdebug, for better diagnostics, allow crash_dump to "connect
to" apexd.

Considering apexd is quite powerful, user devices remain restricted.

Bug: 118771487
Test: m
Change-Id: Id42bd2ad7505cd5578138bfccd8840acba9a334d
2019-03-05 09:59:50 -08:00
Jeff Vander Stoep
504a654983 crash_dump: dontaudit gpu_device access
And add neverallow so that it's removed from partner policy if
it was added there due to denials.

Fixes: 124476401
Test: build
Change-Id: I16903ba43f34011a0753b5267c35425dc7145f05
2019-02-18 21:06:42 +00:00
Jeff Sharkey
d101896ec8 Allow system watchdog to collect traces from vold.
We're investigating a bug where vold gets wedged, and we need to
collect ANR stack traces from it to debug further.

avc: denied { signal } for comm="watchdog" scontext=u:r:system_server:s0 tcontext=u:r:vold:s0 tclass=process permissive=0
avc: denied { ptrace } for scontext=u:r:crash_dump:s0 tcontext=u:r:vold:s0 tclass=process permissive=0

Bug: 122090837
Test: manual
Change-Id: I738e63717715189b9ae2317472f671e3563afaa9
2019-02-06 09:25:00 -07:00
Martijn Coenen
ac097ac4c7 Add policy for apexd.
apexd is a new daemon for managing APEX packages installed
on the device. It hosts a single binder service, "apexservice".

Bug: 112455435
Test: builds, binder service can be registered,
      apexes can be accessed, verified and mounted
Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
2018-10-04 07:06:45 +00:00
Nick Kralevich
095fbea563 Strengthen ptrace neverallow rules
Add additional compile time constraints on the ability to ptrace various
sensitive domains.

llkd: remove some domains which llkd should never ptrace, even on
debuggable builds, such as kernel threads and init.

crash_dump neverallows: Remove the ptrace neverallow checks because
it duplicates other neverallow assertions spread throughout the policy.

Test: policy compiles and device boots
Change-Id: Ia4240d1ce7143b983bb048e046bb4729d0af5a6e
2018-09-14 18:32:20 +00:00
Mark Salyzyn
275ea12d84 llkd: Add stack symbol checking
llkd needs the ptrace capabilities and dac override to monitor for
live lock conditions on the stack dumps.

Test: compile
Bug: 33808187
Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126
2018-09-04 17:02:30 +00:00
Alan Stokes
b9cb73ad4e Ensure crash_dump cannot be allowed to ptrace itself.
This is not needed and could conceivably be abused.

Test: Builds.
Bug: 110107376
Change-Id: I73f301439af435fe40b3902409964cdf6e2c7dd5
2018-09-03 17:27:54 +01:00
Jeff Vander Stoep
08aa715966 crash_dump: disallow ptrace of TCB components
Remove permissions and add neverallow assertion.

(cherry picked from commit f1554f1588)

Bug: 110107376
Test: kill -6 <components excluded from ptrace>
Change-Id: I2dc872f5c02749fbaf8ca6bc7e3e38404151442c
2018-08-28 08:28:25 -07:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
Josh Gao
3067af1436 Revert "crash_dump: temporarily make permissive."
This reverts commit 9cfe34b5ee.

Bug: http://b/34978531
Change-Id: I0702641c48fad273f16fa1a5f0e4483dfe408c05
2017-02-14 16:13:30 -08:00
Josh Gao
9cfe34b5ee crash_dump: temporarily make permissive.
Test: policy compiles.
Bug: http://b/34450704
Change-Id: I1381f9de8e4c8cdde4920be423ab32adc2f7a8a2
2017-01-19 10:28:43 -08:00