Corresponds to commit 410cdebaf966746d6667d6d0dd4cee62262905e1 in
system/extras.
Bug: 32286026
Test: m
Change-Id: I1e0934aa5bf4649d598ec460128de6f02711597f
This is needed in order to get the stat-size of the files.
Bug: 30934496
Test: gts-tradefed -m GtsAndroidRuntimeManagerHostTestCases
Change-Id: I1df0ba941e8f9ff13a23df4063acc3c4f1555c1b
/proc/uid/ provides the same per-uid time_in_state data as
/proc/uid_time_in_state, so apply the same type and let system_server
read directories of this type.
Bug: 66953705
Test: system_server can read /proc/uid/*/time_in_state files without
denials on sailfish
Change-Id: Iab7fd018c5296e8c0140be81c14e5bae9e0acb0b
Signed-off-by: Connor O'Brien <connoro@google.com>
Allow system_server to open profile snapshots for read.
System server never reads the actual content. It passes the descriptor to
to privileged apps which acquire the permissions to inspect the profiles.
Test: installd_dexopt_test
Bug: 30934496
Change-Id: I1d1f07a05261af25f6640040af1500c9a4d5b8d5
9b2e0cbeea changed all uses of capability
to global_capability_class_set but accidentally omitted one entry.
Fix the one entry.
Test: policy compiles.
Change-Id: I1bb8c494a2660d9f02783c93b07d4238a2575106
In P, we will be supporting privileged apps in vendor partition, thus
need to label /vendor/priv-app as vendor_app_file so that apps can exist
under the dir.
Bug: 35301609
Test: N/A since there is no /vendor/priv-app yet. Framework change
which is currently in the internal is required.
Change-Id: I86a765ef9da5267113e64a7cbb38ba0abf5c2835
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.
This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.
This is essentially:
1. New global_capability_class_set and global_capability2_class_set
that match capability+cap_userns and capability2+cap2_userns,
respectively.
2. s/self:capability/self:global_capability_class_set/g
3. s/self:capability2/self:global_capability2_class_set/g
4. Add cap_userns and cap2_userns to the existing capability_class_set
so that it covers all capabilities. This set was used by several
neverallow and dontaudit rules, and I confirmed that the new
classes are still appropriate.
Test: diff new policy against old and confirm that all new rules add
only cap_userns or cap2_userns;
Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831
Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
Added access to proc_uptime and proc_asound to address these denials:
avc: denied { read } for name="uptime" dev="proc" ino=4026532080
scontext=u:r:shell:s0 tcontext=u:object_r:proc_uptime:s0 tclass=file
permissive=1
avc: denied { getattr } for path="/proc/asound/version" dev="proc"
ino=4026532017 scontext=u:r:shell:s0 tcontext=u:object_r:proc_asound:s0
tclass=file permissive=1
Bug: 65643247
Test: device boots with no denial from 'shell' domain.
Test: lsmod, ps, top, netstat
Test: No denials triggered from CtsSecurityHostTestCases
Test: external/toybox/run-tests-on-android.sh does not pass, but triggers
no denials from 'shell' domain to 'proc' type.
Change-Id: Ia4c26fd616e33e5962c6707a855dc24e338ec153
Bug: 65643247
Test: cts-tradefed run cts-dev -m \
CtsMediaTestCases --compatibility:module-arg \
CtsMediaTestCases:include-annotation:\
android.platform.test.annotations.RequiresDevice
No denials from mediaserver domain to sysfs type are observed.
Change-Id: Icb5c12f04af213452d82e226993fe13085c5c33f
Label /proc/sys/fs/pipe-max-size with new type proc_pipe_conf and give
system_server access to it.
Addresses this denial:
avc: denied { read } for name="pipe-max-size" dev="proc" ino=93817
scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file
permissive=0
Bug: 69175449
Bug: 69324398
Test: sailfish boots
Test: adb bugreport
Test: craft an unresponsive app, trigger ANR, make sure traces are dumped
into /data/anr
Above denial from system_server not observed, no denials to proc_pipe_conf
observed.
Change-Id: I7c71f05820a4945ba982e29f76e9d9f4458b2b59
This reverts commit 248b6dc644.
Reason for revert: The dashboard complains that devices don't boot after this revert.
Change-Id: I6a4648b64b096cbaa97c67aae6bc38b76d54cb48
This reverts commit d1cf3a4056.
Reason for revert: It breaks CTS b/69309298 and other platform tests which read pm.dexopt properties.
Change-Id: I5c7cde041113e9c19bb23218edd99f699fcf4a06
This restriction causes issues with dynamite.
Since untrusted_v2_app was about enforcing this constraint put installed
v2 applications back into the normal untrusted_app domain.
Bug: 64806320
Test: Manual test with app using dynamite module
(cherrypicked from commit fe83681794)
Change-Id: I3abf3ade64aaf689039a515de642759dd39ae6f7
These denials should not be allowed. Adding a bug number to the
denial properly attributes them to a bug.
Bug: 69197466
avc: denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability
Bug: 62140539
avc: denied { open }
path="/data/system_de/0/spblob/17a358cf8dff62ea.weaver"
scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0
tclass=file
avc: denied { unlink } for name="17a358cf8dff62ea.weaver"
scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0
tclass=file
Bug: 69175449
avc: denied { read } for name="pipe-max-size" dev="proc"
scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file
Test: build
Change-Id: I62dc26a9076ab90ea4d4ce1f22e9b195f33ade16
Add label update_engine_log_data_file for log files created by
update engine in directory /data/misc/update_engine_log.
Bug: 65568605
Test: manual
Change-Id: I379db82a0ea540e41cb3b8e03f93d9ce64fac7c9
Vendor apps may only use servicemanager provided services
marked as app_api_service. surfaceflinger_service should be
available to vendor apps, so add this attribute and clean up
duplicate grants.
Addresses:
avc: denied { find } scontext=u:r:qtelephony:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
avc: denied { find } scontext=u:r:ssr_detector:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
avc: denied { find } scontext=u:r:qcneservice:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
Bug: 69064190
Test: build
Change-Id: I00fcf43b0a8bde232709aac1040a5d7f4792fa0f
Bug: 62378620
Test: Android in Chrome OS can call uevent_kernel_recv() and not fail
with EIO.
Test: bullhead networking still works
Change-Id: I4dd5d2148ee1704c4fa23d7fd82d1ade19b58cbd
Bug: 65643247
Test: build aosp_sailfish-userdebug
Test: build walleye-userdebug from internal
This CL does not change runtime behavior.
Change-Id: I82c520579b986ea2a4a6f030ec60d5345c00b54f
Core domains should not be allowed access to kernel interfaces,
which are not explicitly labeled. These interfaces include
(but are not limited to):
1. /proc
2. /sys
3. /dev
4. debugfs
5. tracefs
6. inotifyfs
7. pstorefs
8. configfs
9. functionfs
10. usbfs
11. binfmt_miscfs
We keep a lists of exceptions to the rule, which we will be gradually shrinking.
This will help us prevent accidental regressions in our efforts to label
kernel interfaces.
Bug: 68159582
Bug: 68792382
Test: build aosp_sailfish-user
Test: build aosp_sailfish-userdebug
Test: CP to internal and build walleye-user
Change-Id: I1b2890ce1efb02a08709a6132cf2f12f9d88fde7
This reverts commit 502e43f7d9.
Reason for revert: Suspected to have broken a build, see b/68792382
Bug: 68792382
Change-Id: Ib5d465b7a50a73e3d8d8edd4e6b3426a7bde4249
Core domains should not be allowed access to kernel interfaces,
which are not explicitly labeled. These interfaces include
(but are not limited to):
1. /proc
2. /sys
3. /dev
4. debugfs
5. tracefs
6. inotifyfs
7. pstorefs
8. configfs
9. functionfs
10. usbfs
11. binfmt_miscfs
We keep a lists of exceptions to the rule, which we will be gradually shrinking.
This will help us prevent accidental regressions in our efforts to label
kernel interfaces.
Bug: 68159582
Test: bullhead, sailfish can build
Change-Id: I8e466843e1856720f30964546c5c2c32989fa3a5
AIUI permissions should be in private unless they need to be public.
Bug: 25861755
Test: Boot device, create and remove a user, observe logs
Change-Id: I6c3521d50dab2d508fce4b614d51e163e7c8f3da
New types:
1. proc_random
2. sysfs_dt_firmware_android
Labeled:
1. /proc/sys/kernel/random as proc_random.
2. /sys/firmware/devicetree/base/firmware/android/{compatible, fstab,
vbmeta} as sysfs_dt_firmware_android.
Changed access:
1. uncrypt, update_engine, postinstall_dexopt have access to generic proc
and sysfs labels removed.
2. appropriate permissions were added to uncrypt, update_engine,
update_engine_common, postinstall_dexopt.
Bug: 67416435
Bug: 67416336
Test: fake ota go/manual-ab-ota runs without denials
Test: adb sideload runs without denials to new types
Change-Id: Id31310ceb151a18652fcbb58037a0b90c1f6505a
Instead of removing the denial generating code, a dontaudit and a
service label will be provided so that the team working on this new
feature doesn't have to get slowed up with local revision patches.
The dontaudit should be removed upon resolution of the linked bug.
Bug: 67468181
Test: statscompanion denials aren't audited
Change-Id: Ib4554a7b6c714e7409ea504f5d0b82d5e1283cf7
Remove netd access to sysfs_type attribute.
These were moved from vendor to fwk policy:
1. sysfs_net type declaration
2. labeling of /sys/devices/virtual/net with sysfs_net
3. netd access to sysfs_net
Bug: 65643247
Test: can browse internet without netd denials
Test: netd_unit_test, netd_integration_test without netd denials
Merged-In: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
Change-Id: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
(cherry picked from commit e62a56b717)
When we removed /data/dalvik-cache execute permission for system_server
(b/37214733, b/31780877), I forgot to fixup this neverallow rule.
Fix rule.
Test: policy compiles.
Change-Id: I38b821a662e0d8304b8390a69a6d9e923211c31e
Don't allow apps to run with uid=shell or selinux domain=shell unless
the package is com.android.shell.
Add a neverallow assertion (compile time assertion + CTS test) to ensure
no regressions.
Bug: 68032516
Test: policy compiles, device boots, and no obvious problems.
Change-Id: Ic6600fa5608bfbdd41ff53840d904f97d17d6731
This is to simplify access for hal_audio
Test: ls -Z in /proc/asound correctly shows everything with proc_asound
selinux label
Change-Id: I66ed8babf2363bee27a748147eb358d57a4594c4
Now hwservicemanager can send ctl.interface_start messages
to init.
Note that 'set_prop(ctl.*, "foo")' maps to property context
for ctl.foo.
Bug: 64678982
Test: hwservicemanager can start interfaces
Change-Id: I9ab0bacd0c33edb0dcc4186fa0b7cc28fd8d2f30
rw access to sysfs_power file is not enough; in some cases search access
is also needed
Bug: 67895406
Test: system_server can access memory power statistics
Change-Id: I471e8e60626e6eed35e74e25a0f4be470885a459
Allow PowerUI / platform_app to use thermalservice for receiving
notifications of thermal events.
Bug: 66698613
Test: PowerNotificationWarningsTest, PowerUITest,
manual: marlin and <redacted> with artificially low temperature
threshold and logcat debugging messages
Change-Id: I5428bd5f99424f83ef72d981afaf769bdcd03629
Merged-In: I5428bd5f99424f83ef72d981afaf769bdcd03629
Dontaudit denials for services that system_app may not use due
to neverallow assertions.
Bug: 67779088
Test: build
Change-Id: I822a7909c86bee5c2fdeec6e13af1a9791883f72
This denial should not be allowed. Add bug information to the denial
to give context.
Bug: 63801215
Test: build
Change-Id: I3dc5ce6a5aa1c6bf74c6fd13cab082c7f263c4e8
New types:
sysfs_android_usb
sysfs_ipv4
sysfs_power
sysfs_rtc
sysfs_switch
sysfs_wakeup_reasons
Labeled:
/sys/class/android_usb, /sys/devices/virtual/android_usb ->sysfs_android_usb
/sys/class/rtc -> sysfs_rtc
/sys/class/switch, /sys/devices/virtual/switch -> sysfs_switch
/sys/power/state, /sys/power/wakeup_count -> sysfs_power
/sys/kernel/ipv4 -> sysfs_ipv4
/sys/kernel/wakeup_reasons -> sysfs_wakeup_reasons
Removed access to sysfs and sysfs_type from system_server and added
appropriate access to new types.
Bug: 65643247
Test: sailfish boots without violation from system_server or to new labels.
Change-Id: I27250fd537d76c8226defa138d84fe2a4ce2d5d5
Prior to this CL, /sys/devices/virtual/block/dm-X was using the generic
sysfs label. This CL creates sysfs_dm label and grants the following
accesses:
- update_verifier to read sysfs_dm dir and file at
/sys/devices/virtual/block/dm-X.
- vold to write sysfs_dm.
Bug: 63440407
Test: update_verifier successfully triggers blocks verification and
marks a sucessful boot;
Test: No sysfs_dm related denials on sailfish.
Change-Id: I6349412707800f1bd3a2fb94d4fe505558400c95
isolated_apps are intended to be strictly limited in the /sys files
which can be read. Add a neverallow assertion to guarantee this on all
Android compatible devices.
Test: policy compiles.
Change-Id: I2980291dcf4e74bb12c81199d61c5eb8a182036c
Bullhead and dragon are broken. Revert until I can fix
those builds.
Dragon:
libsepol.report_failure: neverallow on line 113 of system/sepolicy/private/isolated_app.te (or line 26264 of policy.conf) violated by allow isolated_app sysfs_socinfo:file { ioctl read lock open };
Bullhead:
libsepol.report_failure: neverallow on line 113 of system/sepolicy/private/isolated_app.te (or line 26283 of policy.conf) violated by allow isolated_app sysfs_power_management:file { ioctl read lock open };
libsepol.report_failure: neverallow on line 113 of system/sepolicy/private/isolated_app.te (or line 26283 of policy.conf) violated by allow isolated_app sysfs_socinfo:file { ioctl read lock open };
libsepol.report_failure: neverallow on line 113 of system/sepolicy/private/isolated_app.te (or line 26283 of policy.conf) violated by allow isolated_app sysfs_thermal:file { ioctl read lock open };
libsepol.check_assertions: 3 neverallow failures occurred
This reverts commit 579366a0ba.
Change-Id: I1ea4824e226c06628769898299f2e322060d0d06
Test: policy compiles.
Renamed this type:
proc_asound_cards -> proc_asound
Labeled /proc/asound/devices as proc_asound.
We now use proc_asound type to label files under /proc/asound which we
want to expose to system components.
Bug: 66988327
Test: Pixel 2 boots, can play sound with or without headphones, and
selinux denials to proc_asound are not seen.
Change-Id: I453d9bfdd70eb80931ec9e80f17c8fd0629db3d0
isolated_apps are intended to be strictly limited in the /sys files
which can be read. Add a neverallow assertion to guarantee this on all
Android compatible devices.
Test: policy compiles.
Change-Id: I47aceefa3f43a7ea9e526f6f0ef377d0b4efbe3a
A parallel Wi-Fi RTT service is being added in parallel. Switch-over
will occur once the new service is ready.
Bug: 65014552
Test: integration tests
Change-Id: Ie4b15592140462af70c7092511aee3f603aaa411
Used to display kernel version in settings app.
avc: denied { read } for name="version" dev="proc"
scontext=u:r:system_app:s0 tcontext=u:object_r:proc_version:s0
tclass=file permissive=0
Bug: 66985744
Test: kernel version now displayed in settings app.
Change-Id: I53f92f63362b900347fd393a40d70ccf5d220d30
This CL was accidentally reverted a second time by commit:
cb5129f9de. Submit it for the third,
and final, time.
(cherry-pick of 5637587d37
which was in AOSP and internal master but not stage-aosp-master)
Bug: 62102757
Test: Builds and boots.
Change-Id: I0394907e808c737422e644aec452baa3e777cf6f
labeled /proc/kmsg as proc_kmsg, changed logd's access from proc to
proc_kmsg, and added a compat mapping.
Bug: 65643247
Test: device boots without selinux denials to the newly introduced proc_kmsg
Test: logd-unit-tests passes
Merged-In: I92c9f5694289eb6a94c4d90f14e2de4d46b5228e
Change-Id: I92c9f5694289eb6a94c4d90f14e2de4d46b5228e
(cherry picked from commit 528da6fe3a)
labeled /proc/kmsg as proc_kmsg, changed logd's access from proc to
proc_kmsg, and added a compat mapping.
Bug: 65643247
Test: device boots without selinux denials to the newly introduced proc_kmsg
Test: logd-unit-tests passes
Merged-In: I92c9f5694289eb6a94c4d90f14e2de4d46b5228e
Change-Id: I92c9f5694289eb6a94c4d90f14e2de4d46b5228e
(partial CP of commit 528da6fe3a)
Test: let fs_mgr format a damaged /data partition
Bug: 35219933
Change-Id: I379567772c73e52f532a24acf640c21f2bab5c5b
(cherry picked from commit 6d1ecdcb5a)
Test: let fs_mgr format a damaged /data partition
Bug: 35219933
Change-Id: If92352ea7a70780e9d81ab10963d63e16b793792
(cherry picked from commit 5f573ab2aa)
Bug: 63910933
Test: boot sailfish in normal mode, checks adbd is started
Test: boot sailfish in recovery mode, checks adbd is started
Test: boot bullhead in normal mode, checks adbd is started
Test: boot bullhead in recovery mode, checks adbd is started
Change-Id: I35ed78a15a34626fbd3c21d030e2bf51033f7b79
Merged-In: I35ed78a15a34626fbd3c21d030e2bf51033f7b79
(cherry picked from commit e2423d149b)
Switch from /data/misc/reboot/last_reboot_reason to persistent
Android property persist.sys.boot.reason for indicating why the
device is rebooted or shutdown.
Introduce protection for all boot reason properties
Protect the following properties with these labels
ro.boot.bootreason u:object_r:bootloader_boot_reason_prop:s0
sys.boot.reason u:object_r:sys_boot_reason_prop:s0
persist.sys.boot.reason u:object_r:last_boot_reason_prop:s0
Setup the current as-need access rules for each.
ToDo: Remove u:object_r:reboot_data_file after internal fixes.
Test: system/core/bootstat/boot_reason_test.sh
Bug: 64687998
Change-Id: I3771c73933e8ae2d94aee936c7a38b6282611b80
Commit 780a71e7 changed ueventd's selinux label lookup from /dev/input/
to /dev/input which no longer matches the regex in core policy
file_contexts. Fix the regex to match /dev/input and /dev/input/.
avc: denied { read } for name="input" dev="tmpfs" ino=14092
scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:device:s0
tclass=dir
avc: denied { open } for path="/dev/input" dev="tmpfs"
ino=14092 scontext=u:r:hal_camera_default:s0
tcontext=u:object_r:device:s0 tclass=dir
Change-Id: I8f42f5cd96fc8353bf21d3ee6c3de9e2872f229f
Fixes: 64997761
Fixes: 64954704
Test: no camera HAL denials
Vendor HAL extentsions are currently allowed to discover hardware
services that are labelled with 'untrusted_app_visible_hwservice'.
However, the policy doesn't allow these apps to talk to these services.
This CL makes sure that is now possible via the
'untrusted_app_visible_halserver' attribute for vendor domains that host
such a service.
Bug: 64382381
Test: Boot device and observe no new denials.
Change-Id: I1ffc1a62bdf7506a311f5a19acdab8c7caec902b
Signed-off-by: Sandeep Patil <sspatil@google.com>
