Commit graph

17327 commits

Author SHA1 Message Date
Treehugger Robot
055286fc94 Merge "Update sepolicy with new native boot flag for activity_manager" 2019-01-24 22:00:53 +00:00
Andreas Gampe
a1198e58c3 Merge "Sepolicy: Allow apexd to log to kmsg" 2019-01-24 21:45:20 +00:00
Nick Kralevich
87e91237a4 disallow priv-apps from following untrusted app symlinks.
Untrustworthy symlinks dereferenced by priv-apps could cause those apps
to access files they weren't intending to access. Trusted components
such as priv-apps should never trust untrustworthy symlinks from
untrusted apps.

Modify the rules and add a neverallow assertion to prevent regressions.

Bug: 123350324
Test: device boots and no obvious problems.
Change-Id: I8c4a5c9c8571fd29b2844b20b4fd1126db4128c0
2019-01-24 13:08:10 -08:00
Martijn Coenen
e0bbb9f85a Add more neverallows to app_zygote policy.
The app_zygote should never use any unix sockets, except the
logd socket and some sockets only available on userdebug/eng.

Prevent it from using ptrace.

Bug: 111434506
Test: builds
Change-Id: Ic47cfca51fba0b150a136194ba0e4a8a488c9996
2019-01-24 20:27:54 +00:00
Ng Zhi An
c5bf4a3994 Update sepolicy with new native boot flag for activity_manager
Whitelist the persistent system properties that will be used as
flags in activity manager experiments.

Bug: 120794810
Test: m, flash, test getting flag value in ActivityManagerService.java
Change-Id: I90a10bc87d6db3a64347b62fd02e6f0b12ac9fa8
2019-01-24 11:07:17 -08:00
Yabin Cui
31bd80439f Merge "Add sepolicy for simpleperf_app_runner." 2019-01-24 18:39:13 +00:00
Chenbo Feng
b761636b9d Merge "Allow system_server to write to bpf maps" 2019-01-24 18:16:25 +00:00
Andreas Gampe
aada5013aa Sepolicy: Allow apexd to log to kmsg
Allow apexd to log to the kernel log. This aids in low-level
diagnostics, when adb is not available.

Test: m
Change-Id: Ib8f286bd917b34f5e8992b37ab230313a4820bf9
2019-01-24 09:21:27 -08:00
Torne (Richard Coles)
0375302f41 Track SELinux denial caused by webview zygote.
The new codepath for creating the classloader in the webview zygote
triggers an selinux denial; track this until it is fixed.

Bug: 123246126
Test: DeviceBootTest.SELinuxUncheckedDenialBootTest
Merged-In: I6835947e81364b5dd43898199108af7b14d31088
Change-Id: I6835947e81364b5dd43898199108af7b14d31088
2019-01-24 11:38:05 -05:00
Peter Kalauskas
b6388fe753 Merge "Allow lazy HAL to run" 2019-01-24 15:11:02 +00:00
Treehugger Robot
74ea1f29eb Merge "Allow dumpstate to write into privileged apps private files" 2019-01-24 12:48:21 +00:00
Treehugger Robot
26d79ed694 Merge "gpuservice: allow cmd gpu vkjson in interactive shell" 2019-01-24 09:53:26 +00:00
Treehugger Robot
551eeaf5d5 Merge "Make Android Studio Instant Run work again" 2019-01-24 05:49:02 +00:00
Chenbo Feng
3c3d52e460 Allow system_server to write to bpf maps
The bpf maps for per uid stats need to be regularly cleaned now to
optimize the memory usage and performance. It can only done by
system_server since it is the process that scrapes and read the stats.
So allow it to write to maps to clean the stats. This change also
allows the system server to create PF_KEY sockets since we need a
reliable way to force synchronize the rcu on devices with 4.9 kernel.

Test: CtsUsageStatsTestCases
Bug: 79171384
Change-Id: I6564a56a5906a958f7d8e1d290b85de3f6fa121d
2019-01-24 03:44:25 +00:00
Peter Kalauskas
b1bdbb58cf Allow lazy HAL to run
Test: Manual
Change-Id: Ic4c3fd5b2d8d709573f8cc6332a6340d28d3ba26
2019-01-23 15:29:05 -08:00
Yabin Cui
e5fc21c787 Add sepolicy for simpleperf_app_runner.
Bug: 118835348
Test: build and boot pixel 3.
Test: run simpleperf_app_runner manually.

Change-Id: Ifb6c2ab78e075684bc197d06f761becced8281d1
2019-01-23 23:23:09 +00:00
Nikita Ioffe
1ab6affc5c Allow dumpstate to write into privileged apps private files
Bug: 123006652
Bug: 111441001
Fix: 123006652
Test: Wrote a test app using BugreportManager, checked denials in logcat
Change-Id: Id1c4b1d166bc70aec833c3d644e8aea6ae94c35a
2019-01-23 23:13:23 +00:00
Treehugger Robot
b1f34ddaf7 Merge "Permissions for input_native_boot flags" 2019-01-23 23:08:07 +00:00
Nick Kralevich
3e5668f173 Make Android Studio Instant Run work again
system/sepolicy commit ffa2b61330 made
run-as spawned processes run in the runas_app SELinux domain, instead of
the untrusted_app domain.

https://android-review.googlesource.com/q/topic:%22runas_exec%22+(status:open%20OR%20status:merged)

This broke unix socket connections from untrusted_app* to runas_app.
This functionality is used by Android Studio for the Instant Run
feature. See https://developer.android.com/studio/run/

Allow untrusted_apps to connect to listening abstract sockets hosted by
runas_app.

Addresses the following denial:

01-23 11:11:56.084 16272 16272 W e.myapplication: type=1400 audit(0.0:68): avc: denied { connectto } for path=006972736F636B6574000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=u:r:untrusted_app_27:s0:c169,c256,c512,c768 tcontext=u:r:runas_app:s0:c169,c256,c512,c768 tclass=unix_stream_socket permissive=0 app=com.example.myapplication
01-23 11:11:56.086 16272 16272 V SwapperAgent: Prior agent invocations in this VM: 1
01-23 11:11:56.088 16272 16272 E SwapperAgent: Could not connect to socket

Change-Id: Ia1203f44aebcbec0ff858b8316e147cba7a048a2
Fixes: 123297648
Test: acleung manual testing
2019-01-23 14:58:12 -08:00
Primiano Tucci
79d1dbbc05 Allow iorapd to access perfetto
This requires moving the type declaration of
perfetto traced to public, because iorapd
needs to refer to it.

Denials without this CL:
https://pastebin.com/raw/sxHMeLEU

Bug: 72170747
Test: 1. runcon u:r:iorapd:s0 iorap.cmd.perfetto \
          -v --output-proto /data/misc/iorapd/test
      2. Check that no selinux denials other than
         avc: denied { entrypoint } for path="/system/bin/iorap.cmd.perfetto" dev="sda6" ino=21 scontext=u:r:iorapd:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
         show up (this is a side-effect of runcon).

Change-Id: Iacd1ab201fe9fb2a6302dbd528f42f709cbca054
2019-01-23 22:43:47 +00:00
Yiwei Zhang
6e8191ead0 gpuservice: allow cmd gpu vkjson in interactive shell
Bug: 122860343
Test: adb shell, then 'cmd gpu vkjson'
Change-Id: I2720d1bbc27152f416cd7e61f4dcccb4a13c7b82
2019-01-23 14:28:56 -08:00
Tri Vo
1824e25b1c Split system and product sepolicy hashes.
We need to be able to tell if /system was updated independently
/product, and vice versa.  Otherwise, the device might accidentally load
the precompiled_policy after a /product sepolicy update.

Also change the name of the hash file to more closely reflect how its
generated.

Bug: 119305624
Test: boot aosp_taimen, precompiled policy is loaded
Test: If either of these hashes
/system/etc/selinux/plat_sepolicy_and_mapping.sha256
/product/etc/selinux/product_sepolicy_and_mapping.sha256
are removed, then init falls back to compiling sepolicy at boot time.
Change-Id: I14af81c8d3c5cb85c01592518e22077a8c8c3e5e
2019-01-23 09:19:35 -08:00
Roland Levillain
7094d4f505 Allow oatpreopt_chroot to deactivate APEX packages in /postinstall/apex.
Allow `otapreopt_chroot` to:
- unmount APEX packages (ext4 images) mounted in `/postinstall/apex`;
- access `/dev/block`.

Deactivating APEX packages (unmounting them from `/postinstall/apex`
and detaching the corresponding loop devices) is part of the tear-down
phase run at the end of `oatpreopt_chroot`.

Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 113373927
Bug: 120796514
Change-Id: Ida07d2ceda31c7296228d973b26ff642f6533274
2019-01-23 16:19:28 +00:00
Roland Levillain
ab9c053078 Allow oatpreopt to run dex2oat from the Runtime APEX.
- Allow `postinstall_dexopt` to transition to domain `dex2oat` when
  executing `dex2oat` from the Runtime APEX
  (`/postinstall/apex/com.android.com/bin/dex2oat`).
- Allow `dex2oat` (from the Runtime APEX) to read files under
  `/postinstall` (e.g. APKs under `/system`, `/system/bin/linker`);

- Also allow `dex2oat` (from the Runtime APEX) to use libraries under
  `/postinstall/system` (e.g. `/system/lib/libc.so`). This is
  temporary change until Bionic libraries are part of the Runtime
  APEX.

Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 113373927
Bug: 120796514
Change-Id: I0a8a6ac485f725753ee909b1561becd3bd908ce4
2019-01-23 16:18:35 +00:00
Ryan Savitski
283761cfca Merge "Allow heap profiling of certain app domains on user builds" 2019-01-23 03:23:12 +00:00
Treehugger Robot
1e6055f172 Merge "Add selinux policy for Sensors HAL 2.0" 2019-01-23 03:15:05 +00:00
Treehugger Robot
d99018cfd5 Merge "Add ro.surface_flinger.* to property_contexts" 2019-01-23 02:03:00 +00:00
Siarhei Vishniakou
c0c9155589 Permissions for input_native_boot flags
For input experiments that are enabled at boot time, allow system_server
to read and write the device config flags.

Bug: 120794829
Test: presubmit
Change-Id: I0f075a7579c593d4e07c3e31be529e34554068a6
2019-01-22 16:18:47 -08:00
Remi NGUYEN VAN
050936239c Merge "Fix permissions for bluetooth tethering." 2019-01-22 22:27:12 +00:00
Brian Stack
b8baed8fa7 Add selinux policy for Sensors HAL 2.0
Bug: 122267378
Test: Builds, no dmesg errors when starting Sensors HAL 2.0
Change-Id: Ieb52449579f72421bf8f36fb6af0cb110d04bd1c
2019-01-22 21:02:21 +00:00
Tri Vo
1b02031d18 Merge changes from topic "product_mapping_file"
* changes:
  Split mapping file into system and product parts
  Rename plat_pub_policy -> pub_policy
  Remove obsolete mapping build rules.
2019-01-22 18:49:21 +00:00
Hongyi Zhang
d71144a922 Merge "Clean up server_configurable_flags test prop" 2019-01-22 18:27:29 +00:00
Sundong Ahn
b9796da741 Add ro.surface_flinger.* to property_contexts
The ro.surface_flinger.* properties are added to property_contexts.
Because these properties are located in vendor partition, but
surfaceflinger service which use these properties is in the system
partition.

Bug: 112386364
Test: m -j & boot test
Change-Id: I98d71d4c03297a2a3fe92ba17bfdcb428f763753
2019-01-22 11:00:14 +09:00
Hongyi Zhang
f3db0085f0 Clean up server_configurable_flags test prop
Test: m -j & manually on device
Change-Id: I3f5ddeb26ddf1bf280ef5e7b3e62b4b892b83a3c
2019-01-22 01:42:36 +00:00
Leo Liou
51373ec7a3 Add selinux policy for ext4 fs-verity feature
avc: denied { read } for comm="init" name="verity" dev="sysfs" ino=44746
scontext=u:r:init:s0 tcontext=u:object_r:sysfs_fs_ext4_features:s0 tclass=file
permissive=0

Bug: 117437571
Test: bootable for phone projects
Change-Id: I4c53e03ec55c2064f1b23c0cbd0302de3f8aa38e
2019-01-22 08:12:54 +08:00
Ryan Savitski
ca0690e8eb Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.

These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.

For more context, see go/heapprofd-security & go/heapprofd-design.

Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.

Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-21 14:30:57 +00:00
Martijn Coenen
1bbda7e662 Initial sepolicy for app_zygote.
The application zygote is a new sort of zygote process that is a
child of the regular zygote. Each application zygote is tied to the
application for which it's launched. Once it's started, it will
pre-load some of the code for that specific application, much like
the regular zygote does for framework code.

Once the application zygote is up and running, it can spawn
isolated service processes that run in the isolated_app domain. These
services can then benefit from already having the relevant
application code and data pre-loaded.

The policy is largely the same as the webview_zygote domain,
however there are a few crucial points where the policy is different.

1) The app_zygote runs under the UID of the application that spawned
   it.
2) During app_zygote launch, it will call a callback that is
   controlled by the application, that allows the application to
   pre-load code and data that it thinks is relevant.

Especially point 2 is imporant: it means that untrusted code can run
in the app_zygote context. This context is severely limited, and the
main concern is around the setgid/setuid capabilities. Those conerns
are mitigated by installing a seccomp filter that only allows
setgid/setuid to be called in a safe range.

Bug: 111434506
Test: app_zygote can start and fork children without denials.
Change-Id: I1cc49ee0042d41e5ac6eb81d8f8a10ba448d4832
2019-01-21 08:24:41 +00:00
Remi NGUYEN VAN
44fd885246 Fix permissions for bluetooth tethering.
Allow bluetooth to find the NetworkStack service so tethering can be
started.

Test: booted, BT tethering obtains IP address and denials not shown
Bug: b/112869080
Change-Id: I726d818f4f9a9adcd98c834726ed22376076ac7b
2019-01-19 11:52:32 +09:00
Tri Vo
937e66496d Split mapping file into system and product parts
Both mapping files need to be included when building sepolicy at boot
time.

Bug: 119305624
Test: boot taimen
Test: "cnd" type is declared in /vendor; "dataservice_app" type is
declared in /product. This permission is preserved
"allow cnd dataservice_app:binder { transfer call };"
Change-Id: I138f34208ea05e170defd2b4ef4700ffa81f9573
2019-01-18 16:07:33 -08:00
Tri Vo
e68ba59fb3 Rename plat_pub_policy -> pub_policy
Public policy that is available to vendor (and odm) sepolicy is a
combination of system and product public sepolicy. Since "plat_" prefix
implies a pure system sepolicy component, drop "plat_" prefix from
"plat_pub_policy" to be consistent with naming in this file.

Bug: 119305624
Test: m selinux_policy
Change-Id: Iaf094702556ce97371fa1c58c01d707103d7f7d6
2019-01-18 16:07:33 -08:00
Tri Vo
8a2b65244f Remove obsolete mapping build rules.
Mapping files for previous releases are unconditionally packaged on the
device. No need to account for case when BOARD_SEPOLICY_VERS and
PLATFORM_SEPOLICY_VERSION are different.

Bug: 119305624
Test: m selinux_policy
Change-Id: I36c3c43f96870d9a71adf91c8fb8926587c5a50e
2019-01-18 16:07:33 -08:00
Eric Holk
f8dfb5f83b [layout compilation] Modify sepolicy to allow installd to run viewcompiler
We will generate precompiled layouts as part of the package install or upgrade
process. This means installd needs to be able to invoke viewcompiler. This
change gives installd and viewcompiler the minimal set of permissions needed for
this to work.

Bug: 111895153
Test: manual
Change-Id: Ic1fe60bd264c497b5f79d9e1d77c2da4e092377b
2019-01-18 23:29:47 +00:00
Treehugger Robot
d25f1303de Merge "Android.mk: remove some build-log spam" 2019-01-18 21:42:19 +00:00
Christian Wailes
0f466d76d9 Merge "Add SELinux policies for blastula pool sockets." 2019-01-18 20:24:46 +00:00
Jeff Vander Stoep
e71f4e0c50 Android.mk: remove some build-log spam
This line always prints when building master branch, it's not
particularly useful.

system/sepolicy/Android.mk:77: warning: BOARD_SEPOLICY_VERS not
specified, assuming current platform version

Test: build
Change-Id: I52f8dc2a77966bc0c21168b1339f3029185e5339
2019-01-18 11:33:57 -08:00
Narayan Kamath
ea8b87fd36 Merge "Allow installd sufficient permissions to rollback_data_file." 2019-01-18 08:27:15 +00:00
Jeffrey Vander Stoep
3a7f33b44d Merge "rs: add tests to ensure rs cannot abuse app data" 2019-01-18 03:10:50 +00:00
Treehugger Robot
a0fb112a8a Merge "Revoke ftrace selinux access from dumpstate" 2019-01-18 01:39:21 +00:00
William Hester
1fefa6c0e8 Merge "Add the testharness service to sepolicy rules" 2019-01-18 01:07:22 +00:00
Jeff Vander Stoep
561aa01ccb rs: add tests to ensure rs cannot abuse app data
Test: build
Change-Id: I2ea39c767264339e300fceeb23c506883d23a14c
2019-01-17 15:24:34 -08:00