Commit graph

131 commits

Author SHA1 Message Date
Dan Cashman
2f2fd36539 Merge "Add extraneous neverallow rule to enforce attribute inclusion." into oc-dev
am: b5aeaf6dfa

Change-Id: Ib0ac9cf10c7cb9fd2462e0036307e2552d19b93b
2017-06-16 20:46:00 +00:00
Dan Cashman
939b50ff61 Add extraneous neverallow rule to enforce attribute inclusion.
Due to the massively increased number of attributes in SELinux policy
as part of the treble changes, we have had to remove attributes from
policy for performance reasons.  Unfortunately, some attributes are
required to be in policy to ensure that our neverallow rules are being
properly enforced.  Usually this is not a problem, since neverallow rules
indicate that an attribute should be kept, but this is not currently the
case when the attribute is part of a negation in a group.

This is particularly problematic with treble since some attributes may
exist for HALs that have no implementation, and thus no types.  In
particular, this has caused an issue with the neverallows added in our
macros.  Add an extraneous neverallow rule to each of those auto-generated
neverallow rules to make sure that they are not removed from policy, until
the policy compiler is fixed to avoid this.  Also add corresponding rules
for other types which have been removed due to no corresponding rules.

Bug: 62591065
Bug: 62658302
Test: Attributes present in policy and CTS passes.  sepolicy-analyze also
works on platform-only policy.
Change-Id: Ic3fc034cdbd04a94167f8240cf562297e8d7c762
2017-06-16 11:19:53 -07:00
Andrew Scull
b17b763711 Allow bootctl HAL to access misc block device. am: b0d59450ae
am: 7c4f46b5c1

Change-Id: I88aa64b8847456f66310d632ee86929a76dfaf7b
2017-06-01 18:59:29 +00:00
Andrew Scull
7c4f46b5c1 Allow bootctl HAL to access misc block device.
am: b0d59450ae

Change-Id: If85613b84aecf43b0519bb933d925eb1829e3d5e
2017-06-01 18:39:31 +00:00
Andrew Scull
b0d59450ae Allow bootctl HAL to access misc block device.
This is sometimes used for communication with the bootloader.

Bug: 62052545
Test: Build
Change-Id: I3ae37793407719e55ab0830129aa569c9018f7da
2017-05-31 16:00:28 +01:00
Narayan Kamath
f194aad208 SEPolicy: Changes for new stack dumping scheme.
Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.

Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.

Bug: 32064548
Test: Manual

(cherry picked from commit a8832dabc7f3b7b2381760d2b95f81abf78db709)

(cherry picked from commit 11bfcc1e96)

Change-Id: Icc60d227331c8eee70a9389ff1e7e78772f37e6f
2017-05-31 10:01:48 +00:00
Narayan Kamath
11bfcc1e96 SEPolicy: Changes for new stack dumping scheme.
Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.

Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.

Bug: 32064548
Test: Manual

(cherry picked from commit a8832dabc7f3b7b2381760d2b95f81abf78db709)

Change-Id: I70a3e6e230268d12b454e849fa88418082269c4f
2017-05-30 18:16:38 +01:00
Alex Vakulenko
251b15a601 Merge "SELinux policies for PDX services" into oc-dev am: 7e6176400b
am: 14847b075b

Change-Id: I2e467b433481631148ad5a761ebeff76459a4a54
2017-05-11 19:07:39 +00:00
Alex Vakulenko
14847b075b Merge "SELinux policies for PDX services" into oc-dev
am: 7e6176400b

Change-Id: Idefee5498a277bd5b507e648ff41bdc02aa0d752
2017-05-11 18:33:26 +00:00
Alex Vakulenko
41daa7f859 SELinux policies for PDX services
Specify per-service rules for PDX transport. It is now possible to
grant permissions to individual services provided by processes,
not to all services of a process.

Also tighter control over which permissions are required for
client and server for individual components of IPC (endpoints,
channels, etc).

Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
2017-05-10 16:39:19 -07:00
Nick Kralevich
aa365288ef system_server: drop dalvikcache_data_file execute.
With build/core eaa9d88cf, system_server should not be loading code
from /data.

https://bugs.chromium.org/p/project-zero/issues/detail?id=955

Bug: 37214733
Bug: 31780877
Test: Device boots and no obvious problems.
Test: No collected SELinux denials for build-server generated builds.
Change-Id: I37b1e9e6c4555c937730ab491b6c38801b38ad38
2017-05-04 08:54:58 -07:00
Jeff Vander Stoep
ea9d1b1f68 Merge "Add default label and mapping for vendor services" into oc-dev
am: 74a96734a9

Change-Id: Id1a20ebb9c2bd1dfa6edcb11354bcb3e525e3f04
2017-04-29 18:09:52 +00:00
TreeHugger Robot
74a96734a9 Merge "Add default label and mapping for vendor services" into oc-dev
2017-04-29 18:05:30 +00:00
TreeHugger Robot
02bbb402e0 Merge "Add default label and mapping for vendor services"
2017-04-28 22:30:52 +00:00
Jeff Vander Stoep
082eae4e51 Add default label and mapping for vendor services
Adding the default label/mapping is important because:
1.  Lookups of services without an selinux label should generate
    a denial.
2.  In permissive mode, lookups of a service without a label should be
    allowed; without the default label, service manager disallows
    access.
3.  We can neverallow use of the default label.

Bug: 37762790
Test: Build and flash policy onto Marlin with unlabeled vendor services.
    Add/find of unlabeled vendor services generate a denial.

Change-Id: I66531deedc3f9b79616f5d0681c87ed66aca5b80
(cherry picked from commit 639a2b842c)
2017-04-28 14:56:57 -07:00
Jeff Vander Stoep
639a2b842c Add default label and mapping for vendor services
Adding the default label/mapping is important because:
1.  Lookups of services without an selinux label should generate
    a denial.
2.  In permissive mode, lookups of a service without a label should be
    allowed; without the default label, service manager disallows
    access.
3.  We can neverallow use of the default label.

Bug: 37762790
Test: Build and flash policy onto Marlin with unlabeled vendor services.
    Add/find of unlabeled vendor services generate a denial.

Change-Id: I66531deedc3f9b79616f5d0681c87ed66aca5b80
2017-04-28 14:00:10 -07:00
Jaekyun Seok
a8c23ee1ee Merge "Allow installd to read vendor_overlay_file" into oc-dev am: 9829506c25
am: 59be4ad535

Change-Id: I67c7b07a91f117870b104bc917206fda9423715f
2017-04-26 22:16:29 +00:00
Jaekyun Seok
59be4ad535 Merge "Allow installd to read vendor_overlay_file" into oc-dev
am: 9829506c25

Change-Id: I7a05cbb58ebbe4d23c9fc13ef429b444301a912e
2017-04-26 22:04:31 +00:00
TreeHugger Robot
9829506c25 Merge "Allow installd to read vendor_overlay_file" into oc-dev
2017-04-26 21:50:16 +00:00
Nick Kralevich
0671abc35f Merge "relax fuse_device neverallow rules" into oc-dev am: c78db706d4
am: 7acd15174a

Change-Id: Ib7b56576f037048614998e655b0b6a9ca5f71a02
2017-04-26 21:44:09 +00:00
Nick Kralevich
7acd15174a Merge "relax fuse_device neverallow rules" into oc-dev
am: c78db706d4

Change-Id: I7b866f588980ebb068629e326155976629bf2223
2017-04-26 21:23:03 +00:00
TreeHugger Robot
c78db706d4 Merge "relax fuse_device neverallow rules" into oc-dev
2017-04-26 21:12:56 +00:00
Nick Kralevich
45766d4178 relax fuse_device neverallow rules
The fuse_device neverallow rules are too aggressive and are inhibiting
certain vendor customizations. Relax the /dev/fuse neverallow rules so
that they better reflect the security invariants we want to uphold.

Bug: 37496487
Test: policy compiles.
Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d
2017-04-26 11:43:40 -07:00
Daniel Nicoara
3818e4f528 Merge "Remove rules blocking vrcore_app to connect to VR HWC and VirtualTouchpad" into oc-dev am: a5647da327
am: 8784e1e738

Change-Id: Ie065c69ad1c0b97265d9cb1f520902fc19d27f6c
2017-04-26 18:24:21 +00:00
Daniel Nicoara
8784e1e738 Merge "Remove rules blocking vrcore_app to connect to VR HWC and VirtualTouchpad" into oc-dev
am: a5647da327

Change-Id: I502e43626fd430da68f2a149704dafac024b3cc9
2017-04-26 18:05:11 +00:00
TreeHugger Robot
a5647da327 Merge "Remove rules blocking vrcore_app to connect to VR HWC and VirtualTouchpad" into oc-dev
2017-04-26 17:53:36 +00:00
Alex Klyubin
95c431d425 Merge "Assert ban on framework <-> vendor comms over VndBinder" into oc-dev am: a9d7b895da
am: cdcfb552ee

Change-Id: Ifdcd2bb2bb5bc8168951dcb0039ee7e543984015
2017-04-26 04:54:52 +00:00
Alex Klyubin
cdcfb552ee Merge "Assert ban on framework <-> vendor comms over VndBinder" into oc-dev
am: a9d7b895da

Change-Id: I040a1874e3a08510d9b7c9a107a149845dd1976c
2017-04-26 04:51:44 +00:00
Alex Klyubin
00657834b8 Assert ban on framework <-> vendor comms over VndBinder
This adds neverallow rules which enforce the prohibition on
communication between framework and vendor components over VendorBinder.
This prohibition is similar in spirit to the one for Binder
communications.

Most changes consist of adding neverallow rules, which do not affect
runtime behavior. The only change which does affect runtime behavior
is the change which takes away the right of servicemanager domain to
transfer Binder tokens to hwservicemanager and vndservicemanager. This
grant was there by accident (because it was overly broad) and is not
expected to be needed: servicemanager, hwservicemanager, and
vndservicemanager are not supposed to be communicating with each
other.

P.S. The new neverallow rules in app_neverallows.te are covered by
the new rules in domain.te. The rules were nevertheless added to
app_neverallows.te for consistency with other *Binder rules there.

Test: mmm system/sepolicy
Bug: 37663632
Change-Id: I7c2ae23924bf0f2fed3f1e3a8d4d603129286329
2017-04-25 14:15:52 -07:00
Alex Klyubin
18152ddc4f Assert apps can access only approved HwBinder services am: 2a7f4fb069
am: 7b021be44b

Change-Id: I0e93aecc3b40a3d00bfdea354fe9a4987b28fabb
2017-04-24 22:57:22 +00:00
Alex Klyubin
7b021be44b Assert apps can access only approved HwBinder services
am: 2a7f4fb069

Change-Id: Ia77557e2ef5aa124cb0d4a9e5f05300005a97bfd
2017-04-24 21:06:22 +00:00
Alex Klyubin
2a7f4fb069 Assert apps can access only approved HwBinder services
App domains which host arbitrary code must not have access to
arbitrary HwBinder services. Such access unnecessarily increases the
attack surface. The reason is twofold:
1. HwBinder servers do not perform client authentication because HIDL
   currently does not expose caller UID information and, even if it
   did, many HwBinder services either operate at a layer below that of
   apps (e.g., HALs) or must not rely on app identity for
   authorization. Thus, to be safe, the default assumption is that
   a HwBinder service treats all its clients as equally authorized to
   perform operations offered by the service.
2. HAL servers (a subset of HwBinder services) contain code with
   higher incidence rate of security issues than system/core
   components and have access to lower layers of the stack (all the way
   down to hardware) thus increasing opportunities for bypassing the
   Android security model.

HwBinder services offered by core components (as opposed to vendor
components) are considered safer because of point #2 above.

Always same-process aka always-passthrough HwBinder services are
considered safe for access by these apps. This is because these HALs
by definition do not offer any additional access beyond what its
client already has, because these services run in the process of the
client.

This commit thus introduces these two categories of HwBinder services
in neverallow rules.

Test: mmm system/sepolicy -- this does not change on-device policy
Bug: 34454312
Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d
2017-04-24 10:15:31 -07:00
Alex Klyubin
fa57d41538 Tighten isolated_app -> *Binder policy
* isolated_app is no longer permitted to access /dev/hwbinder -- this
  was granted by mistake.
* There are now neverallows which enforce that isolated_app can't
  access HwBinder and VendorBinder.
* There are now neverallows which enforce that isolated_app can't add
  Binder and VendorBinder services to servicemanager and
  vndservicemanager.

Test: mmm system/sepolicy
Bug: 34454312
Change-Id: I8ba90a0dcb6a9fccd8f50c78cbd2409381376f7a
2017-04-21 18:09:01 -07:00
Alex Klyubin
f1b7fc2106 Merge "Restrict access to hwservicemanager" into oc-dev
am: 7dace9ae1d

Change-Id: I1cee56f20312833ba50a00a1a75331ce53aa2978
2017-04-21 19:18:29 +00:00
Alex Klyubin
53656c1742 Restrict access to hwservicemanager
This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call from either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494f1)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-21 09:54:53 -07:00
Jaekyun Seok
aeada24741 Allow installd to read vendor_overlay_file
installd needs to check whether idmap is outdated or not compared to
vendor overlay file.

Test: building succeeded and tested on sailfish.
Bug: 37179531
Change-Id: I934c1ae39e3f806bca1e3d68cf8190addeebb499
2017-04-21 09:39:11 +09:00
Jeff Vander Stoep
73165a3dce Merge "Only the bluetooth app may run in the bluetooth domain" am: 35fd321234 am: fad5038197 am: 20fa3aefe1
am: a990e5fc2a

Change-Id: I4fe0c1091b25d7510c2d2788eddde83609f3e1c7
2017-04-21 00:10:44 +00:00
Jeff Vander Stoep
a990e5fc2a Merge "Only the bluetooth app may run in the bluetooth domain" am: 35fd321234 am: fad5038197
am: 20fa3aefe1

Change-Id: I3f031cdd2d9f44b1154156383b13e1681aeefc2c
2017-04-20 23:56:58 +00:00
Alex Klyubin
632bc494f1 Restrict access to hwservicemanager
This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call from either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
Change-Id: Iecf74000e6c68f01299667486f3c767912c076d3
2017-04-20 14:45:21 -07:00
Daniel Nicoara
5227638394 Remove rules blocking vrcore_app to connect to VR HWC and VirtualTouchpad
Bug: 37542947
Test: Compiled and ran on device to ensure no access errors while in VR
Change-Id: Ia685676d82f1f10f2bd371a13879d00fe63a9ea6
2017-04-20 16:45:58 -04:00
Jeff Vander Stoep
67b4037879 Only the bluetooth app may run in the bluetooth domain
Remove neverallow exemption allowing other processes to run in
the bluetooth app's selinux domain.

The bluetooth domain is intended to host the zygote spawned
bluetooth app. It is not intended to host other bluetooth related
processes. Please define new domains for these processes.

Test: build Marlin
Change-Id: I1fd3dd0fe85f73457d77b63a65b4307821cbd41c
2017-04-20 07:46:47 -07:00
TreeHugger Robot
c14625042c Merge "Sepolicy: Fix asanwrapper"
2017-04-20 01:23:06 +00:00
Andreas Gampe
c848d37d5a Sepolicy: Fix asanwrapper
Add asanwrapper support for system server under sanitization.

Bug: 36138508
Test: m && m SANITIZE_TARGET=address SANITIZE_LITE=true
Test: adb root && adb shell setprop wrap.system_server asanwrapper
Change-Id: Id930690d2cfd8334c933e0ec5ac62f88850331d0
2017-04-19 16:33:45 -07:00
Dan Cashman
fe02a4ee48 Remove vndservice_manager object classes.
vndservicemanager is a copy of servicemanager, and so has the exact
same properties.  This should be reflected in the sharing of an object
manager in SELinux policy, rather than creating a second one, which is
effectively an attempt at namespacing based on object rather than type
labels.  hwservicemanager, however, provides different and additional
functionality that may be reflected in changed permissions, though they
currently map to the existing servicemanager permissions.  Keep the new
hwservice_manager object manager but remove the vndservice_manager one.

(preemptive cherry-pick of commit: 2f1c7ba75e
to avoid merge conflict)

Bug: 34454312
Bug: 36052864
Test: policy builds and device boots.
Change-Id: I9e0c2757be4026101e32ba780f1fa67130cfa14e
2017-04-19 16:49:33 +00:00
Dan Cashman
2f1c7ba75e Remove vndservice_manager object classes.
vndservicemanager is a copy of servicemanager, and so has the exact
same properties.  This should be reflected in the sharing of an object
manager in SELinux policy, rather than creating a second one, which is
effectively an attempt at namespacing based on object rather than type
labels.  hwservicemanager, however, provides different and additional
functionality that may be reflected in changed permissions, though they
currently map to the existing servicemanager permissions.  Keep the new
hwservice_manager object manager but remove the vndservice_manager one.

Bug: 34454312
Bug: 36052864
Test: policy builds and device boots.
Change-Id: I9e0c2757be4026101e32ba780f1fa67130cfa14e
2017-04-18 12:40:44 -07:00
Sandeep Patil
b99676eece Add vendor_executes_system_violators attribute
Temporary attribute (checked against in CTS) to point out vendor
processes that run /system executables. These are currently down to
only 2-3 of them, all related to telephony on sailfish.

Bug: 36463595
Test: Build succeeds for sailfish
Test: ./cts-tradefed run cts -m CtsSecurityHostTestCases -t \
          android.security.cts.SELinuxHostTest#testNoExemptionsForVendorExecutingCore \
          --skip-device-info --skip-preconditions --skip-connectivity-check \
          --abi arm64-v8a

Change-Id: I9eb40ad259aefba73869d6a1b40186d33fa475dd
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-14 22:57:30 -07:00
Sandeep Patil
c6d8902453 add netutils_wrappers
Bug: 36463595
Test: Boot sailfish, make wifi call, internet over data and wifi

Change-Id: I81259b6412d7197725afe2fe4976aa0a03b8df6e
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-14 22:57:27 -07:00
TreeHugger Robot
e9e11a795b Merge changes from topic 'add_vendor_shell_toybox' into oc-dev
* changes:
  suppress audit logs from rild's access to core domain through system()
  sepolicy: auditallow vendor components to execute files from /system
  vendor_shell: add sepolicy for vendor shell
  toolbox: add sepolicy for vendor toybox
  Do not allow priv_apps to scan all exec files
2017-04-14 20:53:51 +00:00
Alex Klyubin
20c2d4e98c Remove unnecessary attributes
Test: mmm system/sepolicy
Bug: 34980020

(cherry picked from commit 3cc6a95944)

Change-Id: I64c7275551e8e27d68072e8ec38c07b539989da0
2017-04-14 09:39:19 -07:00
Sandeep Patil
7bbf7a6ec2 suppress audit logs from rild's access to core domain through system()
Change-Id: Ic9a9026df6f36d65fa02cc7b264bc901a14546f9
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-14 09:38:53 -07:00