Broke the dragon build:
libsepol.report_failure: neverallow on line 304 of system/sepolicy/public/domain.te (or line 8638 of policy.conf) violated by allow kernel device:chr_file { create setattr };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
This reverts commit ed0b4eb366.
Change-Id: I5d55ab59ed72ce7c19a10ddbb374f9f3b3fae4fd
By default, files created in /dev are labeled with the "device" label
unless a different label has been assigned. The direct use of this
generic label is discouraged (and in many cases neverallowed) because
rules involving this label tend to be overly broad and permissive.
Today, generically labeled character devices can only be opened, read,
or written to by init and ueventd.
$ sesearch --allow -t device -c chr_file -p open,read,write out/target/product/marlin/root/sepolicy
allow init device:chr_file { setattr read lock getattr write ioctl open append };
allow ueventd device:chr_file { read lock getattr write ioctl open append };
this is enforced by the following SELinux neverallow rule (compile time
assertion + CTS test):
neverallow { domain -init -ueventd } device:chr_file { open read write };
Start auditallowing ueventd access to /dev character device files with the
default SELinux label. This doesn't appear to be used, but let's prove it.
While ueventd is expected to create files in /dev, it has no need to open
most of the files it creates.
Note, however, that because ueventd has mknod + setfscreate permissions,
a malicious or compromised ueventd can always create a device node under
an incorrect label, and gain access that way.
The goal of this change is to prove that no process other than init is
accessing generically labeled files in /dev.
While I'm here, tighten up the compile time assertion for
device:chr_file to include more permissions.
Test: policy compiles + device boots with no granted messages.
Change-Id: Ic98b0ddc631b49b09e58698d9f40738ccedd1fd0
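To make the compile-time assertion concrete, here is an added example (not code from system/sepolicy or libsepol) that models attribute expansion and neverallow checking just well enough to reproduce the build break quoted at the top of this page. The attribute membership, the three allow rules (the two from the sesearch output above plus the `allow kernel device:chr_file { create setattr }` named in the failure), and the assumption that the tightened neverallow adds create and setattr to its permission set are all constructed for the example.

```python
"""Toy model of SELinux neverallow checking (added example; not code from
system/sepolicy or libsepol).

An attribute such as `domain` expands to its member types, `-init` removes a
type from that expansion, and a neverallow fails when any allow rule grants a
listed permission from the expanded source set to the expanded target set on
the same object class."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    source: str                 # type or attribute, e.g. "kernel" or "domain"
    target: str                 # type or attribute, e.g. "device"
    tclass: str                 # object class, e.g. "chr_file"
    perms: frozenset            # permission names
    excluded_sources: frozenset = frozenset()   # the "-init -ueventd" part


@dataclass
class Policy:
    attributes: dict = field(default_factory=dict)   # attribute -> {types}
    allows: list = field(default_factory=list)
    neverallows: list = field(default_factory=list)

    def expand(self, name, excluded=frozenset()):
        """Expand a type or attribute to concrete types, minus exclusions."""
        return set(self.attributes.get(name, {name})) - set(excluded)

    def check_assertions(self):
        """Return (neverallow, allow, offending perms) for every violation,
        which is what libsepol.check_assertions reports at build time."""
        failures = []
        for na in self.neverallows:
            na_src = self.expand(na.source, na.excluded_sources)
            na_tgt = self.expand(na.target)
            for al in self.allows:
                if al.tclass != na.tclass:
                    continue
                if not self.expand(al.source, al.excluded_sources) & na_src:
                    continue
                if not self.expand(al.target) & na_tgt:
                    continue
                bad = al.perms & na.perms
                if bad:
                    failures.append((na, al, bad))
        return failures


def build_policy(tightened):
    """Constructed policy: the two allow rules from the sesearch output plus
    the vendor rule that broke the dragon build. tightened=False uses the
    original neverallow perms {open read write}; tightened=True assumes the
    tightened assertion also covers create and setattr (an assumption made
    for this example, consistent with the quoted failure)."""
    p = Policy()
    p.attributes["domain"] = {"init", "ueventd", "kernel", "untrusted_app"}
    p.allows = [
        Rule("init", "device", "chr_file",
             frozenset("setattr read lock getattr write ioctl open append".split())),
        Rule("ueventd", "device", "chr_file",
             frozenset("read lock getattr write ioctl open append".split())),
        Rule("kernel", "device", "chr_file", frozenset({"create", "setattr"})),
    ]
    perms = {"open", "read", "write"}
    if tightened:
        perms |= {"create", "setattr"}
    p.neverallows = [Rule("domain", "device", "chr_file", frozenset(perms),
                          excluded_sources=frozenset({"init", "ueventd"}))]
    return p


def report(tightened):
    """Render violations libsepol-style; an empty list means the policy is ok."""
    return ["neverallow violated by allow %s %s:%s { %s };"
            % (al.source, al.target, al.tclass, " ".join(sorted(bad)))
            for _na, al, bad in build_policy(tightened).check_assertions()]


if __name__ == "__main__":
    print(report(False))   # []
    print(report(True))    # one violation, by kernel
```

The point of running it both ways: the original assertion passes because the kernel rule grants neither open, read nor write, while the tightened assertion fails on exactly the two permissions the build log names. Real policy has many more attributes, conditional blocks and `~`/`*` permission sets, which this toy ignores.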
Only init and ueventd have any access to /dev/port, and neither should
have any use for it. As it stands, leaving port in just represents
additional attack surface with no useful functionality, so it should be
removed if possible, not only from Pixel devices, but from all Android
devices.
Test: The phone boots successfully
Bug: 33301618
Change-Id: Iedc51590f1ffda02444587d647889ead9bdece3f
In general, apps shouldn't be executing data from their writable data
directories. Allowing this is a security risk and use cases for this are
almost always anti-patterns where saner alternatives are available such
as using one of the standard systems for shipping libraries (extracted
by the package manager or aligned/uncompressed in the apk) or using the
existing package system to handle plugins. It's reasonable for the
untrusted_app domain to have this (not just for backwards compatibility)
but priv_app should be held to a higher standard.
Ideally, untrusted apps would be able to opt-in to disabling this and
and the default could then be switched at a new API level. It could do
more than just hardening apps not requiring it by having documentation
explain the risks and offer alternatives to reduce 'legitimate' use. The
base system could disable it for all of the bundled untrusted apps.
Change-Id: I4efcfaf01c6b6c33c39e98c22a1934e8892e2147
Media framework analytics are gathered in a separate service.
Define a context for this new service, allow various
media-related services and libraries to access this new service.
Bug: 30267133
Test: ran media CTS, watched for selinux denials.
Change-Id: I5aa5aaa5aa9e82465b8024f87ed32d6ba4db35ca
Historically we pushed all system_server SD card interactions through
DefaultContainerService to avoid holding open FDs, but it's safe to
measure disk usage for internal emulated storage when looking
directly at /data/media, since there is no risk of unsafe ejection.
These rule changes give us just enough access to measure statistics.
avc: denied { getattr } for path="/data/media/0/DCIM/.thumbnails" dev="sda35" ino=589892 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0:c512,c768 tclass=dir permissive=1
avc: denied { open } for path="/data/media/0/DCIM/.thumbnails" dev="sda35" ino=589892 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0:c512,c768 tclass=dir permissive=1
avc: denied { read } for name="0" dev="sda35" ino=589827 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
Test: builds, boots, and access allowed
Bug: 33298975
Change-Id: I9748608a5c1169d542e763c5a8f79c4f26f7a382
Remove /proc/net access to domain_deprecated. Add it to domains where it
was missing before.
Other than these domains, SELinux denial monitoring hasn't picked up any
denials related to /proc/net
Bug: 28760354
Test: Device boots
Test: No unexpected denials in denial collection logs.
Change-Id: Ie5bfa4bc0070793c1e8bf3b00676fd31c08d426a
Vold shouldn't have this selinux permission, so this will be left in for
a few weeks to keep track of if removing it would be an issue to any
other processes. If not, then a follow-up CL will remove both the rule
and the auditallow
Test: This CL is a test in itself, auditallow rules shouldn't change
behavior of SELinux policy by themselves
Bug: 26901147
Change-Id: Ib076448863bd54278df59a3b514c9e877eb22ee5
Sdcardfs now supports bind mounts and remounts
instead of needing several separate mounts
Bug: 30954918
Test: Enable Sdcardfs, verify mounts
Change-Id: Id94713752a08ceeb6aea7d3c29a29d3293a9b0c8
commit 221938cbee
introduces a fix that uses braces around a single item.
This is not within the normal style of no brace around
a single item. Drop the braces.
Change-Id: Ibeee1e682c0face97f18d5e5177be13834485676
Signed-off-by: William Roberts <william.c.roberts@intel.com>
As of system/core commit a742d1027784a54c535cff69b375a9f560893155, this
functionality is no longer used.
Test: device boots and no obvious problems.
Change-Id: Ia3ad8add92f1cdaaff36f4935be8b03458fed7f2
No denials showing up in collected audit logs.
Bug: 28760354
Test: Device boots
Test: No unexpected denials in denial collection logs.
Change-Id: I5a0d4f3c51d296bfa04e71fc226a01dcf5b5b508
auditallow has been in place since Apr 2016
(f84b798151) and no SELinux denials have
been generated / collected. Remove unused functionality.
Test: Device boots with no problems.
Test: no SELinux denials of this type collected.
Bug: 28035297
Change-Id: I52414832abb5780a1645a4df723c6f0c758eb5e6
recovery (update_binary) may need to set up cpufreq during an update.
avc: denied { write } for pid=335 comm="update_binary" name="scaling_max_freq" dev="sysfs" ino=7410 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0
Bug: 32463933
Test: Build a recovery image and apply an OTA package that writes to
/sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
Change-Id: Ia90af9dd15e162dd94bcd4722b66aa296e3058c5
Lock in the gains we've made so far in restricting access to generically
labeled /proc files. There's more we can do here, but let's avoid
inadvertent regressions.
Test: policy compiles. Only compile time assertions added.
Bug: 26813932
Change-Id: If354c2ddc1c59beed7f0eb4bcbd3f0d9971c3b8a
Description stolen from
42a9699a9f
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0. Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.
Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }
Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
Test: policy compiles and no boot errors (marlin)
Change-Id: Idaef2567666f80db39c3e3cee70e760e1dac73ec
The service running the boot control HAL needs the permissions
provided by the boot_control_hal attribute. update_engine and
update_verifier still also need these permissions in order
to successfully call the new HAL in pass-through mode, but also
need permission to call the new service.
Bug: 31864052
Test: Built and confirmed no permission denials.
Change-Id: I2a6fdd5cf79b9e461d7cc14bd5b7abd6481ed911
Signed-off-by: Connor O'Brien <connoro@google.com>
|WITH_DEXPREOPT_PIC = false| will still cause code to be loaded from
/data.
Bug: 32970029
Test: On HiKey and Marlin:
Test: Add |WITH_DEXPREOPT_PIC = false|, see SELinux denial.
Test: Apply this CL, no SELinux denials.
Change-Id: I0a1d39eeb4d7f75d84c1908b879d9ea1ccffba74
urandom_device and random_device have the exact same security
properties. Collapse them into one type.
Test: device boots and /dev/urandom is labeled correctly.
Change-Id: I12da30749291bc5e37d99bc9422bb86cb58cec41
auditallows have been in place for quite a while now, and nothing has
triggered. Let's do some cleanup!
Bug: 28760354
Test: device boots and no new denials
Test: SELinux denials collection has seen no instances of these
permissions
Change-Id: I9293f8d8756c9db6307e344c32cd11b9e0183e7f
The other domains either don't have the same backwards compatibility
issues (isolated_app) or are privileged components that are pretty much
part of the platform and can be expected to meet a higher standard.
It would be possible to expose a build option for disabling the ART JIT,
allowing conditional removal of execmem from some of these domains too
(ones not ever using the WebView, until that's always in isolated_app).
Bug: 20013628
Change-Id: Ic22513157fc8b958b2a3d60381be0c07b5252fa5
When WITH_DEXPREOPT is set, the zygote does not need to execute
dalvikcache_data_file objects.
Bug: 32970029
Test: Add policy line inside macro, build with and without WITH_DEXPREOPT.
Test: HiKey builds, boots, no zygote denials.
Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
HAL policy defines how the platform and a given HAL interact, but not how the
HAL is implemented. This policy should be represented as an attribute that all
processes implementing the HAL can include.
Bug: 32123421
Test: Builds.
Change-Id: I17e5612c0835773c28e14f09e2ce7bdc3f210c15
external/toybox commit a583afc812cf7be74ebab72294c8df485908ff04 started
having dmesg use /dev/kmsg, which is unreadable to the unprivileged
shell user. Revoke syslog(2) to the shell user for consistency.
The kernel dmesg log is a source of kernel pointers, which can leak
kASLR information from the kernel. Restricting access to kernel
information will make attacks against Android more difficult. Having
said that, dmesg information is still available from "adb bugreport", so
this change doesn't completely shut down kernel info leaks.
This change essentially reverts us to the state we were in between Nov 8
2011 and May 27 2014. During that almost 3-year period, the unprivileged
shell user was unable to access dmesg, and there was only one complaint
during that time.
References:
* https://android.googlesource.com/platform/system/core/+/f9557fb
* https://android.googlesource.com/platform/system/sepolicy/+/f821b5a
TODO: Further unify /dev/kmsg permissions with syslog_read permissions.
Test: policy compiles, no dmesg output
Change-Id: Icfff6f765055bdbbe85f302b781aed2568ef532f
Grant boot_control_hal permissions to the hal_boot service;
update_engine and update_verifier can call that service rather
than using those permissions themselves.
Bug: 31864052
Test: `bootctl set-active-boot-slot 1`
Change-Id: I5188bc32e7933d4a0f5135b3246df119d3523d69
su is an appdomain, and as such, any auditallow statements applicable to
appdomain also apply to su. However, su is never enforced, so generating
SELinux denials for such domains is pointless. Exclude su from
ion_device auditallow rules.
Addresses the following auditallow spam:
avc: granted { ioctl } for comm="screencap" path="/dev/ion" dev="tmpfs"
ino=10230 ioctlcmd=4906 scontext=u:r:su:s0
tcontext=u:object_r:ion_device:s0 tclass=chr_file
Test: policy compiles
Change-Id: I2e783624b9e53ad365669bd6f2d4db40da475a16
Allow isolated apps to read/write/append/lock already open sdcard
file descriptors passed to it by normal app processes. isolated_apps are
used by processes like Google Drive when handling untrusted content.
Addresses the following denial:
audit(0.0:1508): avc: denied { read } for
path="/storage/emulated/0/Download/02-corejava.pdf" dev="fuse" ino=310
scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:fuse:s0
tclass=file permissive=0
This partially reverts the tightening added in
ce4b5eeaee.
Add a TODO to consider removing isolated_apps ability to write or append
to files on the sdcard. This limits the damage that can occur should the
isolated_app process be compromised.
Bug: 32896414
Test: Policy compiles. Rule add only, so no possibility of breakage.
Change-Id: Ia128569608fc9c872c90e6c380106b7c81eb7b6f
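Several of the messages above (the system_server denials against media_rw_data_file, the recovery denial against sysfs_devices_system_cpu, the su "granted" record from the ion_device auditallow, and the isolated_app denial against fuse) quote raw AVC records. The following is an added example, not part of Android's sepolicy tooling, that parses such records and aggregates the denied ones into audit2allow-style allow rules while keeping auditallow "granted" records apart. The sample records are copied from this page; nothing else is assumed.

```python
"""Parse raw AVC audit records into audit2allow-style rules (added example;
not part of Android's sepolicy tooling).

Records wrapped across lines by log extraction are joined on whitespace
before matching, so the isolated_app record below parses as written."""

import re
from collections import defaultdict

# Fields we need from an "avc:" record. "granted" records come from
# auditallow rules; "denied" records from ordinary enforcement (or from a
# permissive domain, in which case permissive=1 is present).
_AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

# Sample records copied from the commit messages on this page.
SAMPLE_RECORDS = [
    'avc: denied { getattr } for path="/data/media/0/DCIM/.thumbnails" dev="sda35" ino=589892 '
    'scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0:c512,c768 '
    'tclass=dir permissive=1',
    'avc: denied { open } for path="/data/media/0/DCIM/.thumbnails" dev="sda35" ino=589892 '
    'scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0:c512,c768 '
    'tclass=dir permissive=1',
    'avc: denied { read } for name="0" dev="sda35" ino=589827 scontext=u:r:system_server:s0 '
    'tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1',
    'avc: denied { write } for pid=335 comm="update_binary" name="scaling_max_freq" dev="sysfs" '
    'ino=7410 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 '
    'tclass=file permissive=0',
    '''audit(0.0:1508): avc: denied { read } for
path="/storage/emulated/0/Download/02-corejava.pdf" dev="fuse" ino=310
scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:fuse:s0
tclass=file permissive=0''',
    '''avc: granted { ioctl } for comm="screencap" path="/dev/ion" dev="tmpfs"
ino=10230 ioctlcmd=4906 scontext=u:r:su:s0
tcontext=u:object_r:ion_device:s0 tclass=chr_file''',
]


def _type_of(context):
    """Third field of u:r:system_server:s0:c512,c768 is the type."""
    return context.split(":")[2]


def parse_avc(record):
    """Parse one record (possibly line-wrapped); None if it is not an AVC record."""
    m = _AVC_RE.search(" ".join(record.split()))
    if not m:
        return None
    return {
        "verdict": m["verdict"],
        "perms": frozenset(m["perms"].split()),
        "stype": _type_of(m["scontext"]),
        "ttype": _type_of(m["tcontext"]),
        "tclass": m["tclass"],
        # None when the kernel did not log the flag at all
        "permissive": None if m["permissive"] is None else m["permissive"] == "1",
    }


def suggested_rules(records):
    """Aggregate denials into one allow rule per (source, target, class) and
    return the granted records separately: they come from auditallow, so
    they prove an existing rule is used rather than asking for a new one."""
    merged = defaultdict(set)
    granted = []
    for rec in records:
        parsed = parse_avc(rec)
        if parsed is None:
            continue
        if parsed["verdict"] == "granted":
            granted.append(parsed)
            continue
        merged[(parsed["stype"], parsed["ttype"], parsed["tclass"])] |= parsed["perms"]
    rules = ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
             for (s, t, c), p in sorted(merged.items())]
    return rules, granted


if __name__ == "__main__":
    rules, granted = suggested_rules(SAMPLE_RECORDS)
    print("\n".join(rules))
    print("granted (auditallow) from:", [g["stype"] for g in granted])
```

The merged output is a starting point for review, not something to paste into policy: the messages on this page repeatedly ask whether the access is needed at all before granting it, and a `permissive=1` record only says the domain was permissive when the access happened, not that enforcing would be harmless.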
The webview_zygote is a new unprivileged zygote and has its own sockets for
listening to fork requests. However the webview_zygote does not run as root
(though it does require certain capabilities) and only allows dyntransition to
the isolated_app domain.
Test: m
Test: angler boots
Bug: 21643067
Change-Id: I89a72ffe6dcb983c4a44048518efd7efb7ed8e83
Sort the entries in property.te. This will make it slightly easier to
read, and avoids merge conflicts by discouraging the common practice of
adding entries to the bottom of this file.
Test: policy compiles.
Change-Id: I87ae96b33156dba73fb7eafc0f9a2a961b689853
Allow the system_server to change. Allow the zygote to read it as well.
Test: Have system_server set a property
Change-Id: Ie90eec8b733fa7193861026a3a6e0fb0ba5d5318
The underlying ioctl denial was fixed in device-specific policy.
It's not needed in core policy.
A search of SELinux denials shows no reported denials, other than the
ones showing up on marlin.
This reverts commit ec3285cde0.
(cherrypicked from commit 863ce3e7c7)
Test: AndroiTS GPS Test app shows GPS data, no SELinux denials.
Bug: 32290392
Change-Id: I1ba7bad43a2cdd7cdebbe1c8543a71eee765621d
Finish NAN -> Aware rename process. Removes old NAN service.
Bug: 32263750
Test: device boots and all Wi-Fi unit-tests pass
Change-Id: I2f0d9595efea2494b56074752194e7a6e66070f2
Add Aware service - new name for NAN. But do not remove NAN
yet. Enables smooth transition.
Bug: 32263750
Test: device boots and all Wi-Fi unit-tests pass
Change-Id: Ieb9f1ebf1d2f31ee27f228562b4601023da5282d
This is required for https://android-review.googlesource.com/#/c/295748
so that init can drop the capability bounding set for services.
Bug: 32438163
Test: With 295748 and a test service using ambient capabilities.
Change-Id: I57788517cfe2ef0e7a2f1dfab94d0cb967ede065
- Allow dumpstate to create the dumpservice service.
- Allow System Server and Shell to find that service.
- Don't allow anyone else to create that service.
- Don't allow anyone else to find that service.
Bug: 31636879
Test: manual verification
Change-Id: I642fe873560a2b123e6bafde645467d45a5f5711