Commit graph

24 commits

Author SHA1 Message Date
Hridya Valsaraju
faa29331cd Add permission required by libdm_test
This CL fixes the following denials during libdm_test
that is part of VTS.

avc: denied { read } for comm="loop1" path=2F6D656D66643A66696C655F32202864656C6574656429
dev="tmpfs" ino=97742 scontext=u:r:kernel:s0 tcontext=u:object_r:appdomain_tmpfs:s0
tclass=file permissive=0
W loop1   : type=1400 audit(0.0:371): avc: denied { read } for
path=2F6D656D66643A66696C655F32202864656C6574656429 dev="tmpfs" ino=97742 scontext=u:r:kernel:s0
tcontext=u:object_r:appdomain_tmpfs:s0 tclass=file permissive=0

Bug: 135004816
Test: adb shell libdm_test
Change-Id: Ifb6d58ee6f032cdf3952a05667aa8696d6e2a2fa
Merged-Id: Ifb6d58ee6f032cdf3952a05667aa8696d6e2a2fa
2019-06-18 03:47:58 +00:00
Jooyung Han
ea61d198f2 Adding vendor_apex_file for /vendor/apex
apexd needs to read /vendor/apex dir and files in it.

Bug: 131190070
Bug: 123378252
Test: 1. Add apex to /vendor/apex
      -> see if boot succeeds with new policy
      2. Add flattened apex to /vendor/apex
      -> see if only root files are labelled as vendor_apex_file

Change-Id: I37795ab6d659ac82639ba5e34d628fe1b5cdb350
2019-04-25 02:54:14 +09:00
Andreas Gampe
d6fdcefaa8 Sepolicy: Move otapreopt_chroot to private
Move complete domain to private/. Move referencing parts in domain
and kernel to private.

Bug: 128840749
Test: m
Change-Id: I5572c3b04e41141c8f4db62b1361e2b392a5e2da
2019-03-18 10:54:42 -07:00
Roland Levillain
0a6c2d013a Allow otapreopt_chroot to mount APEX packages using apexd logic.
Allow `otapreopt_chroot` to:
- read SELinux policy files;
- open and read the contents of `/postinstall/system/apex`;
- read the `persist.apexd.verity_on_system` system property;
- create loop devices with `/dev/loop-control`;
- access loop devices;
- configure read-ahead of loop devices;
- mount a tmpfs filesystem in `/postinstall/apex`;
- manipulate the tmpfs filesystem mounted in `/postinstall/apex`;
- mount APEX packages in `/postinstall/apex`.

Allow the kernel to:
- read `otapreopt_chroot`'s file descriptors;
- read files under `/postinstall`.

Allow `otapreopt` (running as "postinstall_dexopt") to:
- read data from `/postinstall/apex`.

Allow `dex2oat` to:
- access `/postinstall/apex`.

Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 113373927
Bug: 120796514
Change-Id: I204df92611dc710fdc97b22cd67d088ffd991210
2019-01-17 21:42:46 +00:00
Martijn Coenen
b85acbb889 Allow the kernel to read staging_data_file.
These are APEX files in /data/staging, and will be accessed by the loop
driver in the kernel.

Bug: 118865310
Test: no denials on emulator
Change-Id: I5c849b6677566cb00d28011352b9dc6b787a0bc4
2019-01-16 21:05:26 +01:00
Martijn Coenen
ac2b2d44b3 Allow the kernel to access apexd file descriptors.
In earlier kernel versions (<4.0), the loopback driver issues
requests from a kernel thread. Therefore, the kernel needs access
to APEX file descriptors and data files (which are loopback
mounted).

Bug: 119220815
Test: mounting works on sailfish
Change-Id: I75b2bade41c64cf6fa6040d9c2f5489a206e04c6
2018-11-08 11:22:48 +01:00
Nick Kralevich
fb13ddda26 kernel: allow write access to /data/misc/vold/virtual_disk
The kernel thread which manages this file really needs read/write access
to this file, not read-only. This was suspected in b/36626310 but
apparently something must have changed in the kernel surrounding
permission checking for kernel threads (still unknown)

Bug: 36626310
Bug: 117148019
Bug: 116841589
Test: policy compiles
Change-Id: I9c42541e2567a79b2d741eebf3ddf219f59478a9
2018-10-09 19:50:48 -07:00
Nick Kralevich
095fbea563 Strengthen ptrace neverallow rules
Add additional compile time constraints on the ability to ptrace various
sensitive domains.

llkd: remove some domains which llkd should never ptrace, even on
debuggable builds, such as kernel threads and init.

crash_dump neverallows: Remove the ptrace neverallow checks because
it duplicates other neverallow assertions spread throughout the policy.

Test: policy compiles and device boots
Change-Id: Ia4240d1ce7143b983bb048e046bb4729d0af5a6e
2018-09-14 18:32:20 +00:00
Nick Kralevich
23c9d91b46 Start partitioning off privapp_data_file from app_data_file
Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.

This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.

This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:

  -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
  +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user

For now, this newly introduced label has no usage, so this change
is essentially a no-op.

Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
      filesystem upgrade.

Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-02 16:29:02 -07:00
Jiyong Park
90b21ee4b4 init is a dynamic executable
init is now a dynamic executable. So it has to be able to execute the
dynamic linker (/system/bin/linker) and shared libraries (e.g.,
/system/lib/libc.so). Furthermore, when in recovery mode, the files are
all labeled as rootfs - because the recovery ramdisk does not support
xattr, so files of type rootfs is allowed to be executed.

Do the same for kernel and ueventd because they are executing the init
executable.

Bug: 63673171
Test: `adb reboot recovery; adb devices` shows the device ID
Change-Id: Ic6225bb8e129a00771e1455e259ff28241b70396
2018-06-14 01:56:36 +09:00
Yongqin Liu
64ff9e9523 domain.te & kernel.te: allow kernel to write nativetest_data_file
to workaround some VTS VtsKernelLtp failures introduced by
change on vfs_iter_write here:
abbb65899a%5E%21/#F3

for discussion please check threads here:
https://www.mail-archive.com/seandroid-list@tycho.nsa.gov/msg03348.html

Sandeep suggest to re-order the events in that thread,
that should be the right solution,
this change is only a tempory workaround before that change.

Test: manually with -m VtsKernelLtp -t VtsKernelLtp#fs.fs_fill_64bit

Change-Id: I3f46ff874d3dbcc556cfbeb27be21878574877d1
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
2018-05-15 19:19:05 +00:00
Sandeep Patil
34e35e9e95 Add label for kernel test files and executables
This required for kernel to do loopback mounts on filesystem
images created by the kernel system call tests in LTP.

Add a corresponding neverallow to stop all domains from accessing
the location at /data/local/tmp/ltp.

Bug: 73220071
Test: Boot sailfish successfully
Test: run vts-kernel -m VtsKernelLtp -t syscalls.fchown04

Change-Id: I73f5f14017e22971fc246a05751ba67be4653bca
Signed-off-by: Sandeep Patil <sspatil@google.com>
2018-02-22 12:55:30 -08:00
Benjamin Gordon
9b2e0cbeea sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-21 08:34:32 -07:00
Tri Vo
bc1c5453be Remove proc label access from kernel domain.
Bug: 65643247
Test: sailfish boots, can take pictures, use browser without denials
form kernel domain.
Change-Id: I4fc0555f0b65fc5537e0b2765142b384ed0560c8
2017-10-09 13:19:31 -07:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Jerry Zhang
1c5ea06a04 Merge "Add drm and kernel permissions to mediaprovider" am: 224b4eace9 am: 34b7684401
am: b0e13e8103

Change-Id: If711595a894ad6c70f8d4df1ad5f76ad4a9ab50c
2017-04-26 21:27:39 +00:00
Jerry Zhang
6f9ac6e4cc Add drm and kernel permissions to mediaprovider
These were missing when the sepolicy was migrated.

Addresses denials:

E SELinux : avc:  denied  { find } for service=drm.drmManager pid=11769
uid=10018 scontext=u:r:mediaprovider:s0:c512,c768
tcontext=u:object_r:drmserver_service:s0 tclass=service_manager

W kworker/u16:2: type=1400 audit(0.0:1667): avc: denied { use } for
path="/storage/emulated/0/DCIM/Camera/IMG_20170425_124723.jpg"
dev="sdcardfs" ino=1032250 scontext=u:r:kernel:s0
tcontext=u:r:mediaprovider:s0:c512,c768 tclass=fd permissive=0

Bug: 37685394
Bug: 37686255
Test: Sync files
Test: Open downloaded file

Change-Id: Ibb02d233720b8510c3eec0463b8909fcc5bbb73d
2017-04-26 11:15:44 -07:00
Jerry Zhang
204da47188 Merge commit '24d3a1cc3fd0705d4dc8c7484e55c7107dc8b928' into manual_merge_24d3a1cc
Change-Id: Iafa4abcff36fe75e031fc6b6c2108a7617d34b97
2017-04-17 20:14:33 -07:00
Jerry Zhang
9f152d98ea Split mediaprovider as a separate domain from priv_app
MediaProvider requires permissions that diverge from those
of a typical priv_app. This create a new domain and removes
Mtp related permissions from priv_app.

Bug: 33574909
Test: Connect with MTP, download apps and files, select ringtones
Test: DownloadProvider instrument tests, CtsProviderTestCases

Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9
2017-04-17 15:30:35 -07:00
Sandeep Patil
c9cf7361c1 file_context: explicitly label all file context files
file_context files need to be explicitly labeled as they are now split
across system and vendor and won't have the generic world readable
'system_file' label.

Bug: 36002414
Test: no new 'file_context' denials at boot complete on sailfish
Test: successfully booted into recovery without denials and sideloaded
OTA update.
Test: ./cts-tradefed run singleCommand cts --skip-device-info \
       --skip-preconditions --skip-connectivity-check --abi \
       arm64-v8a --module CtsSecurityHostTestCases -t \
       android.security.cts.SELinuxHostTest#testAospFileContexts

Change-Id: I603157e9fa7d1de3679d41e343de397631666273
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-03-29 10:17:21 -07:00
Jeff Sharkey
3f724c95a8 Grant kernel access to new "virtual_disk" file.
This is a special file that can be mounted as a loopback device to
exercise adoptable storage code on devices that don't have valid
physical media.  For example, they may only support storage media
through a USB OTG port that is being used for an adb connection.

avc: denied { read } for path="/data/misc/vold/virtual_disk" dev="sda35" ino=508695 scontext=u:r:kernel:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0

Bug: 34903607
Change-Id: I84721ec0e9495189a7d850461875df1839826212
2017-03-26 16:00:56 -06:00
Jeff Vander Stoep
3927086dba kernel: neverallow dac_{override,read_search} perms
The kernel should never be accessing files owned by other users.

Disallow this access.

Test: Marlin builds. Neverallow are build time assertions,
they do not policy on the device.

Change-Id: I6ba2eb27c0e2ecf46974059588508cd3223baceb
2017-02-22 14:33:08 -08:00
Nick Kralevich
02cfce49ae kernel.te: tighten entrypoint / execute_no_trans neverallow
The kernel domain exists solely on boot, and is used by kernel threads.
Because of the way the system starts, there is never an entrypoint for
that domain, not even a file on rootfs. So tighten up the neverallow
restriction.

Remove an obsolete comment. The *.rc files no longer have a setcon
statement, and the transition from the kernel domain to init occurs
because init re-execs itself. The statement no longer applies.

Test: bullhead policy compiles.
Change-Id: Ibe75f3d25804453507dbb05c7a07bba1d37a1c7b
2016-10-30 18:46:44 -07:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00
Renamed from kernel.te (Browse further)