Ephemeral apps are still apps with very similar capabilities, it makes
more sense to have them under appdomain and benefit from the shared
state (and all the neverallow rules) than to try and dupplicate them and
keep them in sync.
This is an initial move, there are parts of ephemeral_app that still
need to be locked down further and some parts of appdomain that should
be pushed down into the various app domains.
Test: Builds, ephemeral apps work without denials.
Change-Id: I1526b2c2aa783a91fbf6543ac7f6d0d9906d70af
After checking the auditallow logs for the rule being monitored, it's
clear that the rule is not in use and can be removed. All unused rules
should be removed, as they present needless additional attack vectors.
Test: The device boots.
Change-Id: Ie9e060c4d134212e01309a536ac052851e408320
There were some auditallow rules left around in rild.te that had logs
showing nothing was triggering them. Thus the rules they were auditing
could be removed, as that's clear indication there's no use for them.
Having rules around that aren't being used does nothing except increase
attack surface and bloat sepolicy, and so should always be removed if
possible.
Test: The device boots
Change-Id: I906ffc493807fbae90593548d478643cda4864eb
Revise policy, to allow init and system_server to configure,
clear, and read kernel trace events. This will enable us to
debug certain WiFi failures.
Note that system_server is restricted to only accessing
a wifi-specific trace instance. (Hence, system_server is
not allowed to interfere with atrace.) Moreover, even for
the wifi trace instance, system_server is granted limited
permissions. (system_server can not, e.g., change which
events are traced.)
Note also that init and system_server are only granted these
powers on userdebug or eng builds.
The init.te and system_server.te changes resolve the
following denials:
// Denials when wifi-events.rc configures tracing
{ write } for pid=1 comm="init" name="instances" dev="debugfs" ino=755 scontext=u:r:init:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1
{ add_name } for pid=1 comm="init" name="wifi" scontext=u:r:init:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1
{ create } for pid=1 comm="init" name="wifi" scontext=u:r:init:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1
{ write } for pid=1 comm="init" name="tracing_on" dev="debugfs" ino=18067 scontext=u:r:init:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ write } for pid=1 comm="init" name="buffer_size_kb" dev="debugfs" ino=18061 scontext=u:r:init:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=file permissive=1
// Denials when system_server sets up fail-safe
// (auto-terminate tracing if system_server dies)
{ search } for pid=882 comm="system_server" name="instances" dev="debugfs" ino=755 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1
{ read } for pid=882 comm="system_server" name="free_buffer" dev="debugfs" ino=18063 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ open } for pid=882 comm="system_server" path="/sys/kernel/debug/tracing/instances/wifi/free_buffer" dev="debugfs" ino=18063 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ getattr } for pid=882 comm="system_server" path="/sys/kernel/debug/tracing/instances/wifi/free_buffer" dev="debugfs" ino=18063 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
// Denials when system_server toggles tracing on or off
// (WifiStateMachine is a thread in system_server)
{ search } for pid=989 comm="WifiStateMachin" name="instances" dev="debugfs" ino=755 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1
{ write } for pid=989 comm="WifiStateMachin" name="tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ open } for pid=989 comm="WifiStateMachin" path="/sys/kernel/debug/tracing/instances/wifi/tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ getattr } for pid=989 comm="WifiStateMachin" path="/sys/kernel/debug/tracing/instances/wifi/tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ write } for pid=989 comm="WifiStateMachin" name="tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ open } for pid=989 comm="WifiStateMachin" path="/sys/kernel/debug/tracing/instances/wifi/tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ getattr } for pid=989 comm="WifiStateMachin" path="/sys/kernel/debug/tracing/instances/wifi/tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
// Denials when system_server reads the event trace
// (This happens in response to a dumpsys request)
{ search } for pid=3537 comm="Binder:882_B" name="instances" dev="debugfs" ino=755 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1
{ read } for pid=3537 comm="Binder:882_B" name="trace" dev="debugfs" ino=18059 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ open } for pid=3537 comm="Binder:882_B" path="/sys/kernel/debug/tracing/instances/wifi/trace" dev="debugfs" ino=18059 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ getattr } for pid=3537 comm="Binder:882_B" path="/sys/kernel/debug/tracing/instances/wifi/trace" dev="debugfs" ino=18059 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ write } for pid=3537 comm="Binder:882_B" name="trace" dev="debugfs" ino=18059 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
Bug: 27254565
Test: manual
Manual test:
- Build this CL along with CL:322337
- Verify that system boots, and that we can connect to GoogleGuest.
(Testing of actual trace functionality with require some more
patches in frameworks/opt/net/wifi.)
$ adb root && adb shell dmesg | egrep 'avc: denied.+debugfs'
Change-Id: Ib6eb4116549277f85bd510d25fb30200f1752f4d
Replace the global debuggerd with a per-process debugging helper that
gets exec'ed by the process that crashed.
Bug: http://b/30705528
Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>`
Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed
- Allow cameraservice to talk to hwbinder, hwservicemanager
- Allow hal_camera to talk to the same interfaces as cameraservice
Test: Compiles, confirmed that cameraservice can call hwservicemanager
Bug: 32991422
Change-Id: Ied0a3f5f7149e29c468a13887510c78d555dcb2a
New procfs file read by storaged to dump fg/bg IO usage.
Remove kmsg rule since it's no longer used by storaged.
Allow storaged to find permission_service to translate UID
to package name.
Test: adb shell storaged -u
Bug: 34198239
Change-Id: I74654662c75571cbe166cf2b8cbab84828218cbd
Previously we published appfuse mount points to apps and apps open
appfuse file by themselves. We changed the design and we don't allow
apps to access appfuse mount point. Instead system server opens a file
on appfuse mount points and passes FD to apps.
The change updates apps and system server policies to adopt new design.
Bug: 29970149
Test: None
Change-Id: I0b35fee9816f61565705eecb88a472754ccffdca
New procfs file written by the system_server to communicate fg/bg
state of UIDs to switch the statistics counter sets used.
avc: denied { write } for name="set" dev="proc" ino=4026531862 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
Test: builds, boots, counter sets updated
Bug: 34360629
Change-Id: I2efbfbba9e73f50ce50a80a3dffd3b14fa55c048
This improves readability and consistency for HAL implementation
domains which have only one implementation.
Test: No change to policy according to sesearch
Test: No change to which types are associated with haldomain according to "sepolicy-analyze <sepolicy file> attribute haldomain"
Bug: 34180936
Change-Id: Ice599ea4971cdfbd8b835b1fd02ad1e14c7a0386
This marks all HAL domain implementations with the haldomain attribute
so that rules can be written which apply to all HAL implementations.
This follows the pattern used for appdomain, netdomain and
bluetoothdomain.
Test: No change to policy according to sesearch.
Bug: 34180936
Change-Id: I0cfe599b0d49feed36538503c226dfce41eb65f6
Move from fingerprintd to new fingerprint_hal and update SeLinux policy.
Test: Boot with no errors related to fingerprint sepolicy
Bug: 33199080
Change-Id: Idfde0cb0530e75e705033042f64f3040f6df22d6
The following are the avc denials that are addressed:
avc: denied { call } for pid=889 comm="system_server"
scontext=u:r:system_server:s0 tcontext=u:r:hal_gnss_default:s0
tclass=binder permissive=0
avc: denied { call } for scontext=u:r:hal_gnss_default:s0
tcontext=u:r:system_server:s0 tclass=binder permissive=0
avc: denied { read } for name="hw" dev="mmcblk0p43" ino=1837
scontext=u:r:hal_gnss_default:s0 tcontext=u:object_r:system_file:s0
tclass=dir permissive=0
avc: denied { open } for path="/system/lib64/hw" dev="mmcblk0p43"
ino=1837 scontext=u:r:hal_gnss_default:s0
tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
Bug:31974439
Test: Checked that there no more related avc denial messages related to
the GNSS HAL in dmesg.
Change-Id: I5b43dc088017a5568dd8e442726d2bf52e95b1d5
It seems likely that there is no reason to keep around a number of
devices that are configured to be included into the pixel kernels. Init
and ueventd should be the only processes with r/w access to these
devices, so auditallow rules have been added to ensure that they aren't
actually used.
/dev/keychord was given its own type since it's one of the few character
devices that's actually legitimately used and would cause log spam in
the auditallow otherwise.
Bug: 33347297
Test: The phone boots without any apparent log spam.
Change-Id: I3dd9557df8a9218b8c802e33ff549d15849216fb
This leaves only the existence of ephemeral_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private. There are a few rules, defined by other domains'
files remaining in the public policy until the rules from these
domains also move to the private policy:
allow ephemeral_app_current appdomain:binder transfer;
allow ephemeral_app_current audioserver_current:binder transfer;
allow ephemeral_app_current drmserver_current:binder transfer;
allow ephemeral_app_current dumpstate_current:binder transfer;
allow ephemeral_app_current mediaserver_current:binder transfer;
allow ephemeral_app_current surfaceflinger_current:binder transfer;
allow ephemeral_app_current system_server_current:binder transfer;
Test: No change to policy according to sesearch, except for
disappearance of all allow rules from platform_app_current
attribute (as expected).
Bug: 31364497
Change-Id: I98687181434a98a141469ef676c461fcd1db2d4e
This leaves only the existence of platform_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules from platform_app_current
attribute (as expected).
Bug: 31364497
Change-Id: I47bb59fdfc07878c91fd5e207735cd0c07a128da
No relevant collected denials.
Test: device boots and no obvious problems.
Test: no collected denials.
Bug: 28760354
Change-Id: Idcf939b3cbdb1dec835d59150181047d062e6c48
Allow storaged to read /proc/[pid]/io
Grant binder access to storaged
Add storaged service
Grant storaged_exec access to dumpstate
Grant storaged binder_call to dumpstate
Bug: 32221677
Change-Id: Iecc9dba266c5566817a99ac6251eb943a0bac630
No denials collected.
Bug: 28760354
Test: no denials collected.
Test: device boots and no obvious problems
Change-Id: I7fc053ecae2db3bb2ca7c298634453e930713bec
No audits have been recorded for these rules. Remove them.
Originally added for backwards compatibility in
549ccf77e3 as part of the split
between cache_file and cache_recovery_file.
Bug: 25351711
Test: No audit records recorded
Change-Id: I5133028b5fcc99a731aabea90305171dee0edf47
Don't allow processes to list out the contents of the directory
/dev/__properties__. This is an implementation specific detail that
shouldn't be visible to processes.
Test: Device boots and no problems reading individual properties.
Test: ls -la /dev/__properties__ fails
Change-Id: I4df6a829b0d22e30fb2c38030c690fc4a356f6a3
This leaves only the existence of system_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules from system_app_current
attribute (as expected).
Bug: 31364497
Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
This leaves only the existence of isolated_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules from isolated_app_current
attribute (as expected).
Bug: 31364497
Change-Id: I499a648e515628932b7bcd188ecbfbe4a247f2f3
This leaves the existence of priv_app domain as public API. All other
rules are implementation details of this domain's policy and are thus
now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules from priv_app_current
attribute (as expected) except for
allow priv_app_current update_engine_current:binder transfer;
which is caused by public update_engine.te rules and will go
away once update_engine rules go private.
Bug: 31364497
Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
This leaves only the existence of untrusted_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules from untrusted_domain_current
attribute (as expected).
Bug: 31364497
Change-Id: Ief71fa16cfc38437cbe5c58100bba48b9a497c92
Commit fee49159e introduced the net_radio_prop and system_radio_prop
properties, and added allow rules for backwards compatibility. In
addition, auditallow rules were added to see if the allow rules were
necessary.
The auditallow rules for radio net_radio_prop are triggering, so it's
clear these properties are being set by the radio process. Drop the
auditallow statement.
Test: policy compiles.
Change-Id: I7fa6df18ed4dd4cb8e0c9098373cc28134615330
/proc/tty/drivers is read by applications to figure out if they are
running in an emulated environment. Specifically, they look for the
string "goldfish" within that file.
Arguably this is not an Android API, and really shouldn't be exposed to
applications, but:
1) A largish number of applications break if they can't read this file;
2) The information here isn't particularly sensitive
While we could spend a bunch of time trying to get applications fixed,
there are bigger fish to fry. It's not worth the battle.
Test: "ls -laZ /proc/tty/drivers" is labeled properly.
Bug: 33214085
Bug: 33814662
Bug: 33791054
Bug: 33211769
Bug: 26813932
Change-Id: Icc05bdc1c917547a6dca7d76636a1009369bde49
Allow init to send userspace generated SELinux denials to the kernel
audit subsystem.
Test: "setprop asdf asdf" from the unprivileged adb shell user
generated an SELinux denial processed by logd.
Bug: 27878170
Change-Id: I0ecd0601408bbda8227802c13689f98e507282d1
We allow domains to manually transition to logpersist for userdebug
or eng debug logging permissions that would be counter to monitoring
limits on a released user build.
Test: compile
Bug: 30566487
Change-Id: I03a81c75cbd2b44617e4b27c4c083a26a0e0fa87
6e4508e625 inadvertently removed access
to ro.serialno and ro.boot.serialno from ADB shell. This is needed for
CTS. This commit thus reinstates the access.
Test: adb shell getprop ro.serialno
Bug: 33700679
Change-Id: I62de44b1631c03fcd64ceabaf33bbaeb869c2851
This removes access to Bluetooth system properties from arbitrary
SELinux domains. Access remains granted to init, bluetooth, and
system_app domains. neverallow rules / CTS enforce that access is not
granted to Zygote and processes spawned from Zygote expcept for
system_app and bluetooth.
The reason is that some of these properties may leak persistent
identifiers not resettable by the user.
Test: Bluetooth pairing and data transfer works
Bug: 33700679
Change-Id: Icdcb3927a423c4011a62942340a498cc1b302472
ro.runtime.firstboot system property is only used internally by
system_server to distinguish between first start after boot from
consecutive starts (for example, this happens when full-disk
encryption is enabled). The value of the property is a
millisecond-precise timestamp which can help track individual
device. Thus apps should not have access to this property.
Test: Device boots fine, reading ro.runtime.firstboot from an app results in an error and SELinux denial.
Bug: 33700679
Change-Id: I4c3c26a35c5dd840bced3a3e53d071f45317f63c
SELinux policy compiler complained about a quote inside the
recovery_only section of recovery.te. This section's contents are
inside quotes and thus can't contain quotes.
Test: mmm system/sepolicy produces no warnings
Bug: 33700679
Change-Id: I5bf943166f4f514d04472f7e59b025a9723eb1b8
This restricts access to ro.serialno and ro.boot.serialno, the two
system properties which contain the device's serial number, to a
select few SELinux domains which need the access. In particular, this
removes access to these properties from Android apps. Apps can access
the serial number via the public android.os.Build API. System
properties are not public API for apps.
The reason for the restriction is that serial number is a globally
unique identifier which cannot be reset by the user. Thus, it can be
used as a super-cookie by apps. Apps need to wean themselves off of
identifiers not resettable by the user.
Test: Set up fresh GMS device, install some apps via Play, update some apps, use Chrome
Test: Access the device via ADB (ADBD exposes serial number)
Test: Enable MTP over USB, use mtp-detect to confirm that serial number is reported in MTP DeviceInfo
Bug: 31402365
Bug: 33700679
Change-Id: I4713133b8d78dbc63d8272503e80cd2ffd63a2a7
Audio HAL server needs to set SCHED_FIFO scheduling policy
for its threads that communicate with FastMixer threads of
AudioFlinger that use the same scheduler.
Bug: 30222631
Change-Id: I405a69d097a6bfed455e3483365b27c4004e1063
Enabling/disabling sepolicy based on ENABLE_TREBLE is not granular
enough (ref: b/32978887 #4).
Bug: 32978887
Test: compiles, doesn't cause any additional denials on device. Nothing
depends on these things I'm removing.
Change-Id: I10acbde16e5e2093f2c9205ed79cd20caed7f44d
Generate a compile time error if someone unexpectedly tries to
transition into logpersist or logd domain.
Test: compile
Bug: 30566487
Change-Id: Ib55f301f104ad63de5ac513cdc9dc9937e3ba48d
- transition to logpersist from init
- sort some overlapping negative references
- intention is to allow logpersist to be used by vendor
userdebug logging
Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests
Bug: 30566487
Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
auditallow (added in commit 758e6b3678)
has been in place for about 2 weeks now, and no hits. Remove
execute_no_trans.
The net effect of this change is that priv_apps won't be able to exec()
a file from their home directory, but dlopen() and friends will still
work.
Test: Compiles and boots successfully.
Test: No auditallow messages received via SELinux denial collection.
Change-Id: I60fcdc260d12e1bcc2355ca4dd912de7e6d0a145
init switch from a setcon() based transition to an exec() based
transition in bug 19702273. Fixup stale comment.
Test: comment only change. Policy compiles.
Bug: 19702273
Change-Id: I6e1b4b3680193453adafa8952a7ea343d2977505
Bug: http://b/32905206
Test: Boot sailfish and no new selinux failures observed in logs
Change-Id: Id9a46180074a61f8cf8d176a7b2ebc995a13b9f9
Signed-off-by: Sandeep Patil <sspatil@google.com>
Test: tested with default health HAL on angler running as service.
Bug: b/32754732
Change-Id: Ie0b70d43cb23cd0878e1b7b99b9bebdbd70d17c7
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit ef62fd9159)
- allows binder calls to hwservicemanager
- allows healthd to read system_file for passthrough HAL
Test: Tested healthd with and without a board specific health HAL on
Angler.
Bug: b/32724915
Change-Id: Icf621859f715cb44bce5d8d3b60320ef495d1543
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 32cacb42b9)
healthd is being split into 'charger' and 'healthd' processes, that
will never run together. 'charger' is to be run only in charge-only
and recovery, while healthd runs with Android.
While they both share much of battery monitoring code, they both now
have reduced scope. E.g. 'charger', doesn't need to use binder anymore
and healthd doesn't need to do charging ui animation. So, amend the
SEPolicy for healthd to reduce it's scope and add a new one for charger.
Test: Tested all modes {recovery, charger-only, android} with new policy
Change-Id: If7f81875c605f7f07da4d23a313f308b9dde9ce8
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit c73d0022ad)
In order for hal clients to use IServiceManager::registerForNotifications,
the hwservicemanager needs to be able to call into client processes.
Test: WIP
Bug: 33383725
Change-Id: I59470e9cd5cbeafda010fedc0b91eeb41280e0a1
Add a compile time assertion that only authorized SELinux domains are
allowed to touch the metadata_block_device. This domain may be wiped at
will, and we want to ensure that we're not inadvertently destroying
other people's data.
Test: policy compiles.
Change-Id: I9854b527c3d83e17f717d6cc8a1c6b50e0e373b6
system/core commit 331cf2fb7c16b5b25064f8d2f00284105a9b413f created a
number of new properties of the form:
[ro.boottime.init]: [5294587604]
[ro.boottime.InputEventFind]: [10278767840]
[ro.boottime.adbd]: [8359267180]
...
These properties were assigned the default_prop SELinux label because a
better label did not exist. Properties labeled with the default_prop
label are readable to any SELinux domain, which is overly broad.
bullhead:/ $ getprop -Z ro.boottime.adbd
u:object_r:default_prop:s0
Instead, create a new label for the ro.boottime.* properties so we can
apply more fine grain read access control to these properties.
bullhead:/ $ getprop -Z ro.boottime.adbd
u:object_r:boottime_prop:s0
New SELinux property labels have minimal permissions by default. As a
result, after this change, ro.boottime.* properties will only be
readable to system_server, bootstat, init (because it manages the property
space), and "adb root" (because no SELinux permissions are enforced there).
Additional read access can be granted as-needed.
This is part of a larger effort to implement fine-grain access control
on the properties managed by init.
Test: Device boots and no SELinux denials on boot.
Change-Id: Ibf981cb81898f4356fdc5c1b6f15dd93c0d6d84d
core_property_type is an attribute which was given to all existing
properties known to core SELinux policy. Any property with this label is
readable to all SELinux domains, which is overly broad. The long term
goal is to remove the core_property_type attribute entirely.
Add a neverallow rule prohibiting the introduction of new properties
with the core_property_type attribute. Device specific properties, or
new properties in core SELinux policy, should not have this attribute.
Test: policy compiles
Change-Id: Ie89a9f0d81c8561616001ff8451496ce2278dbb2
There is no reason for vold to have this permission, and a proper
auditallow rule has been used and monitored to ensure that nothing on
android uses this permission.
Bug: 26901147
Test: Phone boots
Change-Id: Id36ed2722348f433fe3d046a3429066338230fec
The new domain wasn't fully tested, and it caused many regressions
on the daily build. Revert back to using "priv_app" domain until we
can fully test and re-land the new domain.
Temporarily add the USB functionfs capabilities to priv_app domain
to keep remainder of MtpService changes working; 33574909 is tracking
removing that from the priv_app domain.
Test: builds, boots, verified UI and downloads
Bug: 33569176, 33568261, 33574909
Change-Id: I1bd0561d52870df0fe488e59ae8307b89978a9cb
Sdcardfs does not use a userspace daemon, so the secontext
is currently the caller's when accessing files. This can be
removed if sdcardfs is modified to change the secontext before
calling into the lower filesystem.
Bug: 32735101
Test: Run any app that falls under isolated_app.
Test: See bug for example
Change-Id: I9433aa0f14ff0d5a518249079e07f57e55b09bcf
Also move necessary priv_app permissions into MediaProvider domain and
remove MediaProvider specific permissions from priv_app.
The new MtpServer permissions fix the following denials:
avc: denied { write } for comm=6D747020666673206F70656E name="ep0" dev="functionfs" ino=12326 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1
denial from setting property sys.usb.ffs.mtp.ready, context priv_app
Bug: 30976142
Test: Manual, verify permissions are allowed
Change-Id: I4e66c5a8b36be21cdb726b5d00c1ec99c54a4aa4
Need write permissions on the specified sysfs path for reloading
firmware.
Denials:
01-21 23:39:01.650 4669 4669 W android.hardwar: type=1400
audit(0.0:103): avc: denied { write } for name="fwpath" dev="sysfs"
ino=6847 scontext=u:r:hal_wifi:s0
tcontext=u:object_r:sysfs_wlan_fwpath:s0 tclass=file permissive=0
01-21 23:39:01.653 4669 4669 E android.hardware.wifi@1.0-service:
Failed to open wlan fw path param: Permission denied
Bug: 32018162
Test: Denials no longer present in the logs.
Change-Id: I1a468e7c2a2a4360a2b61f04f1940471d52d0dd6
We're going to be using Android framework directly to invoke Wifi HIDL
calls. So, change permissions appropriately.
Bug: 33398154
Test: Verfied that framework is able to make HIDL calls using
go/aog/310610.
Change-Id: I4d0d88961753ad73f3876aec58b26b89486cc02a
This is unused by core policy and by any device policy except for hikey.
Test: device boots
Test: no denials ever collected
Change-Id: I36a6790499e4aeedd808457b43fd72370fa48e53
After a series of recent commits, installd has fully migrated over
to Binder, and all socket-based communication has been removed.
Test: builds, boots, apps install fine, pre-OTA dexopt works
Bug: 13758960, 30944031
Change-Id: Ia67b6260de58240d057c99b1bbd782b44376dfb5
app_domain was split up in commit: 2e00e6373f to
enable compilation by hiding type_transition rules from public policy. These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware. Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.
(cherry-pick of commit: 76035ea019)
Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
This functionality is being used by priv_apps shipped as part of
Android. Don't drop execute_no_trans as we haven't seen any denials here
yet.
Addresses the following auditallow messages:
avc: granted { execute } for comm="GELServices-0"
path="/data/data/com.google.android.googlequicksearchbox/files/velour/dex_cache/Ji1opKyKASKEOKNQUu1QyWw_1.jar/Ji1opKyKASKEOKNQUu1QyWw_1.dex"
dev="dm-2" ino=1196939 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file
avc: granted { execute } for comm="CTION_IDLE_MODE"
path="/data/data/com.google.android.gms/snet/dalvik-cache/snet.dex"
dev="dm-2" ino=1114262 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file
avc: granted { execute } for comm="lowpool[3]"
path="/data/data/com.google.android.gms/files/libAppDataSearchExt_arm64_v8a.so"
dev="dm-2" ino=1688320 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file
avc: granted { execute } for comm="Binder:9196_2"
path="/data/data/com.google.android.gms/app_dg_cache/1FECE961A655634046D6AB5E18FE6F74212FBEA6/lib/libdC14BB7282EA1.so"
dev="dm-2" ino=1893474 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file
avc: granted { execute } for comm="Binder:13170_1"
path="/data/data/com.google.android.gms/app_fb/f.dex" dev="dm-2"
ino=1810720 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file
Test: policy compiles.
Change-Id: I63358697b07c8f620b999e666791f4f385bab776
Make all platform tyeps public to start to prevent build breakage in any devices
that may have device-specific policy using these types. Future changes will
need to be carefully made to ensure we properly limit types for use by
non-platform policy.
Test: Builds
Change-Id: I7349940d5b5a57357bc7c16f66925dee1d030eb6
webview_zygote needs to preload the WebView implementation, which may be
an installed APK, so must be able to read and execute code from inside
the APK.
Also add additional neverallow assertions to strengthen some
restrictions on this domain.
Test: WebView apps work after installing a WebView APK.
Bug: 21643067
Change-Id: I58aedc5e0a25259e2e20c70d4260579a354b6789
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split. In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.
This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.
Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
Most of this CL mirrors what we've already done for the "netd" Binder
interface, while sorting a few lists alphabetically.
Migrating installd to Binder will allow us to get rid of one of
the few lingering text-based command protocols, improving system
maintainability and security.
Test: builds, boots
Bug: 13758960, 30944031
Change-Id: I59b89f916fd12e22f9813ace6673be38314c97b7
system/core commit 6a70ded7bfa8914aaa3dc25630ff2713ae893f80 (later
amended by 107e29ac1b1c297a0d4ee35c4978e79f47013e2c indicated that logd
doesn't want it's memory accessible by anyone else. Unfortunately,
setting DUMPABLE isn't sufficient against a root level process such with
ptrace. Only one such process exists, "debuggerd".
Block debuggerd from accessing logd's memory on user builds. Userdebug
and eng builds are unaffected. Add a neverallow rule (compile time
assertion + CTS test) to prevent regressions.
Bug: 32450474
Test: Policy compiles.
Change-Id: Ie90850cd91846a43adaa0871d239f894a0c94d38
Broke the dragon build:
libsepol.report_failure: neverallow on line 304 of system/sepolicy/public/domain.te (or line 8638 of policy.conf) violated by allow kernel device:chr_file { create setattr };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
This reverts commit ed0b4eb366.
Change-Id: I5d55ab59ed72ce7c19a10ddbb374f9f3b3fae4fd
By default, files created in /dev are labeled with the "device" label
unless a different label has been assigned. The direct use of this
generic label is discouraged (and in many cases neverallowed) because
rules involving this label tend to be overly broad and permissive.
Today, generically labeled character devices can only be opened, read,
or written to by init and ueventd.
$ sesearch --allow -t device -c chr_file -p open,read,write out/target/product/marlin/root/sepolicy
allow init device:chr_file { setattr read lock getattr write ioctl open append };
allow ueventd device:chr_file { read lock getattr write ioctl open append };
this is enforced by the following SELinux neverallow rule (compile time
assertion + CTS test):
neverallow { domain -init -ueventd } device:chr_file { open read write };
Start auditallowing ueventd access to /dev character device files with the
default SELinux label. This doesn't appear to be used, but let's prove it.
While ueventd is expected to create files in /dev, it has no need to open
most of the files it creates.
Note, however, that because ueventd has mknod + setfscreate permissions,
a malicious or compromised ueventd can always create a device node under
an incorrect label, and gain access that way.
The goal of this change is to prove that no process other than init are
accessing generically labeled files in /dev.
While I'm here, tighten up the compile time assertion for
device:chr_file to include more permissions.
Test: policy compiles + device boots with no granted messages.
Change-Id: Ic98b0ddc631b49b09e58698d9f40738ccedd1fd0
Only init and ueventd have any access to /dev/port, and neither should
have any use for it. As it stands, leaving port in just represents
additional attack surface with no useful functionality, so it should be
removed if possible, not only from Pixel devices, but from all Android
devices.
Test: The phone boots successfully
Bug:33301618
Change-Id: Iedc51590f1ffda02444587d647889ead9bdece3f
In general, apps shouldn't be executing data from their writable data
directories. Allowing this is a security risk and use cases for this are
almost always anti-patterns where saner alternatives are available such
as using one of the standard systems for shipping libraries (extracted
by the package manager or aligned/uncompressed in the apk) or using the
existing package system to handle plugins. It's reasonable for the
untrusted_app domain to have this (not just for backwards compatibility)
for priv_app should be held to a higher standard.
Ideally, untrusted apps would be able to opt-in to disabling this and
then the default could then be switched at a new API level. It could do
more than just hardening apps not requiring it by having documentation
explain the risks and offer alternatives to reduce 'legitimate' use. The
base system could disable it for all of the bundled untrusted apps.
Change-Id: I4efcfaf01c6b6c33c39e98c22a1934e8892e2147
media framework analytics are gathered in a separate service.
define a context for this new service, allow various
media-related services and libraries to access this new service.
Bug: 30267133
Test: ran media CTS, watched for selinux denials.
Change-Id: I5aa5aaa5aa9e82465b8024f87ed32d6ba4db35ca
Historically we pushed all system_server SD card interactions through
DefaultContainerService to avoid holding open FDs, but it's safe to
measure disk usage for internal emulated storage when looking
directly at /data/media, since there is no risk of unsafe ejection.
These rule changes give us just enough access to measure statistics.
avc: denied { getattr } for path="/data/media/0/DCIM/.thumbnails" dev="sda35" ino=589892 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0:c512,c768 tclass=dir permissive=1
avc: denied { open } for path="/data/media/0/DCIM/.thumbnails" dev="sda35" ino=589892 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0:c512,c768 tclass=dir permissive=1
avc: denied { read } for name="0" dev="sda35" ino=589827 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
Test: builds, boots, and access allowed
Bug: 33298975
Change-Id: I9748608a5c1169d542e763c5a8f79c4f26f7a382
Remove /proc/net access to domain_deprecated. Add it to domains where it
was missing before.
Other than these domains, SELinux denial monitoring hasn't picked up any
denials related to /proc/net
Bug: 28760354
Test: Device boots
Test: No unexpected denials in denial collection logs.
Change-Id: Ie5bfa4bc0070793c1e8bf3b00676fd31c08d426a
Vold shouldn't have this selinux permission, so this will be left in for
a few weeks to keep track of if removing it would be an issue to any
other processes. If not, then a follow-up CL will remove both the rule
and the auditallow
Test: This CL is a test in itself, auditallow rules shouldn't change
behavior of SELinux policy by themselves
Bug: 26901147
Change-Id: Ib076448863bd54278df59a3b514c9e877eb22ee5
Sdcardfs now supports bind mounts and remounts
instead of needing several separate mounts
bug: 30954918
Test: Enable Sdcardfs, verify mounts
Change-Id: Id94713752a08ceeb6aea7d3c29a29d3293a9b0c8
commit 221938cbee
introduces a fix that uses braces around a single item.
This is not within the normal style of no brace around
a single item. Drop the braces.
Change-Id: Ibeee1e682c0face97f18d5e5177be13834485676
Signed-off-by: William Roberts <william.c.roberts@intel.com>
As of system/core commit a742d1027784a54c535cff69b375a9f560893155, this
functionality is no longer used.
Test: device boots and no obvious problems.
Change-Id: Ia3ad8add92f1cdaaff36f4935be8b03458fed7f2
No denials showing up in collected audit logs.
Bug: 28760354
Test: Device boots
Test: No unexpected denials in denial collection logs.
Change-Id: I5a0d4f3c51d296bfa04e71fc226a01dcf5b5b508
auditallow has been in place since Apr 2016
(f84b798151) and no SELinux denials have
been generated / collected. Remove unused functionality.
Test: Device boots with no problems.
Test: no SELinux denials of this type collected.
Bug: 28035297
Change-Id: I52414832abb5780a1645a4df723c6f0c758eb5e6
recovery (update_binary) may need to set up cpufreq during an update.
avc: denied { write } for pid=335 comm="update_binary" name="scaling_max_freq" dev="sysfs" ino=7410 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0
Bug: 32463933
Test: Build a recovery image and apply an OTA package that writes to
/sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
Change-Id: Ia90af9dd15e162dd94bcd4722b66aa296e3058c5
Lock in the gains we've made so far in restricting access to generically
labeled /proc files. There's more we can do here, but let's avoid
inadvertent regressions.
Test: policy compiles. Only compile time assertions added.
Bug: 26813932
Change-Id: If354c2ddc1c59beed7f0eb4bcbd3f0d9971c3b8a
Description stolen from
42a9699a9f
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0. Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.
Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }
Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
Test: policy compiles and no boot errors (marlin)
Change-Id: Idaef2567666f80db39c3e3cee70e760e1dac73ec
The service running the boot control HAL needs the permissions
provided by the boot_control_hal attribute. update_engine and
update_verifier still also need these permissions in order
to successfully call the new HAL in pass-through mode, but also
need permission to call the new service.
Bug: 31864052
Test: Built and confirmed no permission denials.
Change-Id: I2a6fdd5cf79b9e461d7cc14bd5b7abd6481ed911
Signed-off-by: Connor O'Brien <connoro@google.com>
|WITH_DEXPREOPT_PIC = false| will still cause code to be loaded from
/data.
Bug: 32970029
Test: On HiKey and Marlin:
Test: Add |WITH_DEXPREOPT_PIC = false|, see SELinux denial.
Test: Apply this CL, no SELinux denials.
Change-Id: I0a1d39eeb4d7f75d84c1908b879d9ea1ccffba74
urandom_device and random_device have the exact same security
properties. Collapse them into one type.
Test: device boots and /dev/urandom is labeled correctly.
Change-Id: I12da30749291bc5e37d99bc9422bb86cb58cec41
auditallows have been in place for quite a while now, and nothing has
triggered. Let's do some cleanup!
Bug: 28760354
Test: device boots and no new denials
Test: SELinux denials collection has seen no instances of these
permissions
Change-Id: I9293f8d8756c9db6307e344c32cd11b9e0183e7f
The other domains either don't have the same backwards compatibility
issues (isolated_app) or are privileged components that are pretty much
part of the platform and can be expected to meet a higher standard.
It would be possible to expose a build option for disabling the ART JIT,
allowing conditional removal of execmem from some of these domains too
(ones not ever using the WebView, until that's always in isolated_app).
Bug: 20013628
Change-Id: Ic22513157fc8b958b2a3d60381be0c07b5252fa5
When WITH_DEXPREOPT is set, the zygote does not need to execute
dalvikcache_data_file objects.
Bug: 32970029
Test: Add policy line inside macro, build with and without WITH_DEXPREOPT.
Test: HiKey builds, boots, no zygote denials.
Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
HAL policy defines how the platform and a given HAL interact, but not how the
HAL is implemented. This policy should be represented as an attribute that all
processes implementing the HAL can include.
Bug: 32123421
Test: Builds.
Change-Id: I17e5612c0835773c28e14f09e2ce7bdc3f210c15
external/toybox commit a583afc812cf7be74ebab72294c8df485908ff04 started
having dmesg use /dev/kmsg, which is unreadable to the unprivileged
shell user. Revoke syslog(2) to the shell user for consistency.
The kernel dmesg log is a source of kernel pointers, which can leak
kASLR information from the kernel. Restricting access to kernel
information will make attacks against Android more difficult. Having
said that, dmesg information is still available from "adb bugreport", so
this change doesn't completely shutdown kernel info leaks.
This change essentially reverts us to the state we were in between Nov 8
2011 and May 27 2014. During that almost 3 year period, the unprivileged
shell user was unable to access dmesg, and there was only one complaint
during that time.
References:
* https://android.googlesource.com/platform/system/core/+/f9557fb
* https://android.googlesource.com/platform/system/sepolicy/+/f821b5a
TODO: Further unify /dev/kmsg permissions with syslog_read permissions.
Test: policy compiles, no dmesg output
Change-Id: Icfff6f765055bdbbe85f302b781aed2568ef532f
Grant boot_control_hal permissions to the hal_boot service;
update_engine and update_verifier can call that service rather
than using those permissions themselves.
Bug: 31864052
Test: `bootctl set-active-boot-slot 1`
Change-Id: I5188bc32e7933d4a0f5135b3246df119d3523d69
su is an appdomain, and as such, any auditallow statements applicable to
appdomain also apply to su. However, su is never enforced, so generating
SELinux denials for such domains is pointless. Exclude su from
ion_device auditallow rules.
Addresses the following auditallow spam:
avc: granted { ioctl } for comm="screencap" path="/dev/ion" dev="tmpfs"
ino=10230 ioctlcmd=4906 scontext=u:r:su:s0
tcontext=u:object_r:ion_device:s0 tclass=chr_file
Test: policy compiles
Change-Id: I2e783624b9e53ad365669bd6f2d4db40da475a16
Allow isolated apps to read/write/append/lock already open sdcard
file descriptors passed to it by normal app processes. isolated_apps are
used by processes like Google drive when handling untrusted content.
Addresses the following denial:
audit(0.0:1508): avc: denied { read } for
path="/storage/emulated/0/Download/02-corejava.pdf" dev="fuse" ino=310
scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:fuse:s0
tclass=file permissive=0
This partially reverts the tightening added in
ce4b5eeaee.
Add a TODO to consider removing isolated_apps ability to write or append
to files on the sdcard. This limits the damage that can occur should the
isolated_app process be compromised.
Bug: 32896414
Test: Policy compiles. Rule add only, so no possibility of breakage.
Change-Id: Ia128569608fc9c872c90e6c380106b7c81eb7b6f
The webview_zygote is a new unprivileged zygote and has its own sockets for
listening to fork requests. However the webview_zygote does not run as root
(though it does require certain capabilities) and only allows dyntransition to
the isolated_app domain.
Test: m
Test: angler boots
Bug: 21643067
Change-Id: I89a72ffe6dcb983c4a44048518efd7efb7ed8e83
Sort the entries in property.te. This will make it slightly easier to
read, and avoids merge conflicts by discouraging the common practice of
adding entries to the bottom of this file.
Test: policy compiles.
Change-Id: I87ae96b33156dba73fb7eafc0f9a2a961b689853
