Commit graph

4947 commits

Author SHA1 Message Date
dcashman
ab228bd8a6 am 354710e4: Prevent appdomain from creating globally readable symlinks.
* commit '354710e44058e38abcf2dc0fd81e63153900da98':
  Prevent appdomain from creating globally readable symlinks.
2015-07-15 21:27:40 +00:00
dcashman
354710e440 Prevent appdomain from creating globally readable symlinks.
Change-Id: I34db8855a55426f6a590a89cc6c157e1ccd50ff9
2015-07-15 11:18:09 -07:00
Evgenii Stepanov
30fd6a018a am 8e16deb9: Add /data/vendor/lib as a library location under ASan.
* commit '8e16deb94d4e05727b89bf782c2640022746081a':
  Add /data/vendor/lib as a library location under ASan.
2015-07-14 23:41:28 +00:00
Evgenii Stepanov
8e16deb94d Add /data/vendor/lib as a library location under ASan.
This is in addition to /data/lib.
Only affects SANITIZE_TARGET=address builds.

Bug: 21785137
Change-Id: Id1983cabb9479ae2d38fb23691de3eba236fe9cb
2015-07-14 16:10:35 -07:00
Nick Kralevich
de335a36a3 am f2c4e128: neverallow service_manager / service_manager_type
* commit 'f2c4e1283e91f7a91963d1d68a27f515027d97b4':
  neverallow service_manager / service_manager_type
2015-07-14 23:07:24 +00:00
dcashman
4ff31553b9 am 10a3a36a: Merge "Allow domains to read tmpfs symlinks."
* commit '10a3a36a6e9009664ecdb9a9d98100a897912469':
  Allow domains to read tmpfs symlinks.
2015-07-14 21:52:35 +00:00
Nick Kralevich
f2c4e1283e neverallow service_manager / service_manager_type
Init never uses / add service manager services. It doesn't make
sense to allow these rules to init. Adding a rule of this type
is typically caused by a process inappropriately running in init's
SELinux domain, and the warning message:

  Warning!  Service %s needs a SELinux domain defined; please fix!

is ignored.

In addition, add neverallow rules to domain.te which prevent
nonsense SELinux service_manager rules from being added.

Change-Id: Id04a50d1826fe451a9ed216aa7ab249d0393cc57
2015-07-14 13:06:12 -07:00
dcashman
f5eb2247ca am 301555e6: Allow domains to read tmpfs symlinks.
* commit '301555e6f3445cda4ccec0240c37848a1d3b9d0e':
  Allow domains to read tmpfs symlinks.
2015-07-13 23:55:51 +00:00
dcashman
10a3a36a6e Merge "Allow domains to read tmpfs symlinks." 2015-07-13 22:50:30 +00:00
dcashman
301555e6f3 Allow domains to read tmpfs symlinks.
Domains have the ability to read normal tmpfs files but not symlinks.
Grant this ability.  In particular, allow domains to read /mnt/sdcard.

Addresses the following denial:
type=1400 audit(0.0:19):avc: denied { read } for comm=4173796E635461736B202333 name="sdcard" dev="tmpfs" ino=7475 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0

(cherry-pick of commit: 2b0b8299b2)

Bug: 20755029
Change-Id: Iaa5dc278b34faf33473d3e49f92d8766ae5563c0
2015-07-13 15:35:52 -07:00
dcashman
2b0b8299b2 Allow domains to read tmpfs symlinks.
Domains have the ability to read normal tmpfs files but not symlinks.
Grant this ability.  In particular, allow domains to read /mnt/sdcard.

Addresses the following denial:
type=1400 audit(0.0:19):avc: denied { read } for comm=4173796E635461736B202333 name="sdcard" dev="tmpfs" ino=7475 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0

Bug: 20755029
Change-Id: I0268eb00e0eb43feb2d5bca1723b87b7a44f31a9
2015-07-13 15:31:01 -07:00
dcashman
aae2acd252 am 26cd912e: Give /proc/iomem a more specific label.
* commit '26cd912e6c4d6a125a646216fc22c2904407e295':
  Give /proc/iomem a more specific label.
2015-07-13 19:46:56 +00:00
dcashman
26cd912e6c Give /proc/iomem a more specific label.
/proc/iomem is currently given the proc label but contains system information
which should not be available to all processes.

Bug: 22008387
Change-Id: I4f1821f40113a743ad986d13d8d130ed8b8abf2f
2015-07-13 10:55:04 -07:00
Jeff Vander Stoep
6b88d624b1 am 099d6329: allow procrank to write to bug report
* commit '099d63290bc03dd5b98041bc93f105f1342b3596':
  allow procrank to write to bug report
2015-07-13 07:18:50 +00:00
Jeff Vander Stoep
099d63290b allow procrank to write to bug report
avc: denied { write } for pid=14742 comm="procrank" path="/data/data/com.android.shell/files/bugreports/bugreport-2015-07-02-22-17-43.txt.tmp" dev="dm-2" ino=44479 scontext=u:r:procrank:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0

(cherry picked from af16c40ce6)

Bug: 22400298
Change-Id: Ibf5dcf9f7edf416e977577afc32bbbef62e50974
2015-07-10 15:12:07 -07:00
William Roberts
b2420cf4ec am ffc86bea: Correct local variables for file_contexts_asan
* commit 'ffc86bea0e38147a9330177708aedbccd603627a':
  Correct local variables for file_contexts_asan
2015-07-10 20:34:46 +00:00
William Roberts
ffc86bea0e Correct local variables for file_contexts_asan
Lowercase local variables and clear them to be
consistent with other recipes and prevent polluting
Make's global name space with set variables.

Change-Id: If455cd4f33d5babbea985867a711e8a10c21a00f
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-07-10 19:55:35 +00:00
Jeff Vander Stoep
0cc4b90f2c am 75268b04: Merge "allow procrank to write to bug report"
* commit '75268b04034848589abb352483d99255bf9a6bd1':
  allow procrank to write to bug report
2015-07-10 19:26:16 +00:00
Jeff Vander Stoep
75268b0403 Merge "allow procrank to write to bug report" 2015-07-10 19:04:46 +00:00
Jeff Vander Stoep
af16c40ce6 allow procrank to write to bug report
avc: denied { write } for pid=14742 comm="procrank" path="/data/data/com.android.shell/files/bugreports/bugreport-2015-07-02-22-17-43.txt.tmp" dev="dm-2" ino=44479 scontext=u:r:procrank:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0

Bug: 22400298
Change-Id: Ibf5dcf9f7edf416e977577afc32bbbef62e50974
2015-07-10 11:13:16 -07:00
William Roberts
75d095a214 am 7028bdcc: neverallow: domain execute data_file_type
* commit '7028bdccd5b3e91928d345990587738212973f1d':
  neverallow: domain execute data_file_type
2015-07-09 19:00:21 +00:00
William Roberts
7028bdccd5 neverallow: domain execute data_file_type
To help reduce code injection paths, a neverallow is placed
to prevent domain, sans untrusted_app and shell, execute
on data_file_type. A few data_file_type's are also exempt
from this rule as they label files that should be executable.

Additional constraints, on top of the above, are placed on domains
system_server and zygote. They can only execute data_file_type's
of type dalvikcache_data_file.

Change-Id: I15dafbce80ba2c85a03c23128eae4725703d5f02
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-07-08 00:45:24 +00:00
William Roberts
e1a2001fc5 am 99fe8df2: hide checkseapp command invocation
* commit '99fe8df245f4346c14a3dfaf856006c7ebf51ad2':
  hide checkseapp command invocation
2015-07-07 19:13:59 +00:00
William Roberts
0046404b2c am b876993f: use a general sepolicy when building general targets
* commit 'b876993f4ee25fb299b7521b0dc565248d3db2a6':
  use a general sepolicy when building general targets
2015-07-07 19:13:58 +00:00
William Roberts
99fe8df245 hide checkseapp command invocation
Change-Id: I040904b69b98c49d60546f024f5ace5b7c6f7d5e
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-07-07 17:45:51 +00:00
William Roberts
807b8a6f9d am 3a74555c: Drop unused variable in Android.mk
* commit '3a74555c4e6c3b87c43b1eb311a2e418f6d88453':
  Drop unused variable in Android.mk
2015-07-07 15:49:25 +00:00
Jeff Sharkey
5577127c2a am 24f3bcdb: Let Zygote unmount inherited storage devices.
* commit '24f3bcdb8fc6e6490438f496c1bf1d45b9caeec9':
  Let Zygote unmount inherited storage devices.
2015-07-01 00:30:41 +00:00
Jeff Sharkey
24f3bcdb8f Let Zygote unmount inherited storage devices.
For example, when launching into an isolated process, we need to drop
all mounts inherited from the root namespace.

avc: denied { unmount } for scontext=u:r:zygote:s0 tcontext=u:object_r:fuse:s0 tclass=filesystem permissive=1

Bug: 22192518
Change-Id: Iafbea2c365c1080bdf20d7fa066c304901e582ba
2015-06-30 15:56:46 -07:00
William Roberts
b876993f4e use a general sepolicy when building general targets
Change-Id: Ie800ebf9d8e68680ec377e8c51f7cd7717f3c755
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-30 14:02:17 -07:00
William Roberts
3a74555c4e Drop unused variable in Android.mk
Change-Id: Ibd22582deb24fde49cdb71b8754446f3948db36c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-29 16:14:15 -07:00
William Roberts
bf4568d1cd am 4ee7131a: Introduce seapp_neverallow test
* commit '4ee7131ade43a046ad784a91bdded7c3c77206cd':
  Introduce seapp_neverallow test
2015-06-29 20:36:17 +00:00
William Roberts
4ee7131ade Introduce seapp_neverallow test
Produce a list of neverallow assertions from seapp_contexts into
a separate file, general_seapp_context_neverallows, to be used
during CTS neverallow checking.

Change-Id: I171ed43cf4ae4961f66d5d8f56695345493f1261
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-29 10:57:06 -07:00
William Roberts
8f519b3f0f am da52e859: correct colon usage on make targets
* commit 'da52e85906289d5b691404ffed1fb830065140f9':
  correct colon usage on make targets
2015-06-29 17:53:41 +00:00
William Roberts
da52e85906 correct colon usage on make targets
Change-Id: If944d8bd1e324f6500920ee3c5d44611ec7f8af9
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-27 07:22:34 -07:00
William Roberts
942c0ea901 am 81e1f90c: check_seapp: add support for "neverallow" checks
* commit '81e1f90cd13b262f9e3021f64ae3574b8f5cd5d0':
  check_seapp: add support for "neverallow" checks
2015-06-26 21:02:10 +00:00
Jeff Sharkey
025ca795d2 am 6b75d099: Let\'s reinvent storage, yet again!
* commit '6b75d099e17dad2cf691e0a31a084d4d15d5b5ab':
  Let's reinvent storage, yet again!
2015-06-26 16:05:28 +00:00
Jeff Sharkey
6b75d099e1 Let's reinvent storage, yet again!
Now that we're treating storage as a runtime permission, we need to
grant read/write access without killing the app.  This is really
tricky, since we had been using GIDs for access control, and they're
set in stone once Zygote drops privileges.

The only thing left that can change dynamically is the filesystem
itself, so let's do that.  This means changing the FUSE daemon to
present itself as three different views:

/mnt/runtime_default/foo - view for apps with no access
/mnt/runtime_read/foo - view for apps with read access
/mnt/runtime_write/foo - view for apps with write access

There is still a single location for all the backing files, and
filesystem permissions are derived the same way for each view, but
the file modes are masked off differently for each mountpoint.

During Zygote fork, it wires up the appropriate storage access into
an isolated mount namespace based on the current app permissions.  When
the app is granted permissions dynamically at runtime, the system
asks vold to jump into the existing mount namespace and bind mount
the newly granted access model into place.

avc: denied { sys_chroot } for capability=18 scontext=u:r:vold:s0 tcontext=u:r:vold:s0 tclass=capability permissive=1
avc: denied { mounton } for path="/storage" dev="tmpfs" ino=4155 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir permissive=1
avc: denied { unmount } for scontext=u:r:zygote:s0 tcontext=u:object_r:tmpfs:s0 tclass=filesystem permissive=0

Bug: 21858077
Change-Id: Ie481d190c5e7a774fbf80fee6e39a980f382967e
2015-06-25 22:26:30 -07:00
William Roberts
81e1f90cd1 check_seapp: add support for "neverallow" checks
Introduce "neverallow" rules for seapp_contexts. A neverallow rule is
similar to the existing key-value-pair entries but the line begins
with "neverallow". A neverallow violation is detected when all keys,
both inputs and outputs are matched. The neverallow rules value
parameter (not the key) can contain regular expressions to assist in
matching. Neverallow rules are never output to the generated
seapp_contexts file.

Also, unless -o is specified, checkseapp runs in silent mode and
outputs nothing. Specifying - as an argument to -o outputs to stdout.

Sample Output:
Error: Rule in File "external/sepolicy/seapp_contexts" on line 87: "user=fake domain=system_app type=app_data_file" violates neverallow in File "external/sepolicy/seapp_contexts" on line 57: "user=((?!system).)* domain=system_app"

Change-Id: Ia4dcbf02feb774f2e201bb0c5d4ce385274d8b8d
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-25 23:53:46 +00:00
Daniel Cashman
115292ac1a am 33edd308: Merge "neverallow PROT_EXEC stack or heap."
* commit '33edd308bd228e7b85b9270c6ed08e469a84f337':
  neverallow PROT_EXEC stack or heap.
2015-06-25 21:46:04 +00:00
Daniel Cashman
33edd308bd Merge "neverallow PROT_EXEC stack or heap." 2015-06-25 21:17:15 +00:00
William Roberts
6ddcb84d3a am 7d65b547: check_seapp: mac build memory leak
* commit '7d65b547d3959b9f98334cf0da6afe9ab418b17a':
  check_seapp: mac build memory leak
2015-06-23 22:52:45 +00:00
William Roberts
7d65b547d3 check_seapp: mac build memory leak
rule_map_free() took as a parameter a boolean menu rule_map_switch
that was used to determine if it should free the key pointer that
is also in the table. On GLIBC variants, calls to hdestroy do not
free the key pointer, on NON-GLIBC variants, it does. The original
patch was meant to correct this, however, it always passes "destroy"
as the rule_map_switch. On GLIBC variants this is fine, however on
NON-GLIBC variants, that free was compiled out, and the free() was
handled by hdestroy. In cases of failure where the rule_map was not
in the htable, those key's were not properly free'd.

Change-Id: Ifdf616e09862bca642a4d31bf0cb266168170e50
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-23 12:25:35 -07:00
Stephen Smalley
5328d9749d neverallow PROT_EXEC stack or heap.
Despite removing these from AOSP policy they seem to still be
present in device policies.  Prohibit them via neverallow.

We would also like to minimize execmem to only app domains
and others using ART, but that will first require eliminating it
from device-specific service domains (which may only have it
due to prior incorrect handling of text relocations).

Change-Id: Id1f49566779d9877835497d8ec7537abafadadc4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-06-23 18:47:52 +00:00
Jeff Vander Stoep
bbcd055afc am 9c7570ef: Fix grouper build by allowing mknod in recovery
* commit '9c7570ef799616e683471ebdb22ee34a424a0aa0':
  Fix grouper build by allowing mknod in recovery
2015-06-23 18:34:55 +00:00
Daniel Cashman
8328eaf672 am 3cba84e2: Merge "Run idmap in its own domain."
* commit '3cba84e2638a47df8aacefb56ccc728b165e7a23':
  Run idmap in its own domain.
2015-06-23 18:06:52 +00:00
Jeff Vander Stoep
9c7570ef79 Fix grouper build by allowing mknod in recovery
Change-Id: I2aef01ba72cae028d5e05deddbdeff674f9a534d
2015-06-23 18:04:54 +00:00
Daniel Cashman
306a3c1be6 am e956b315: Merge "drop unused option -s"
* commit 'e956b31526866014f3cba6bf8f93982ecce487c7':
  drop unused option -s
2015-06-23 17:46:06 +00:00
Daniel Cashman
3cba84e263 Merge "Run idmap in its own domain." 2015-06-23 17:44:27 +00:00
Nick Kralevich
861ec73f84 am 31d88a70: Allow /dev/klog access, drop mknod and __null__ access
* commit '31d88a704ecd16d67633ee8d46370b282c67bfbc':
  Allow /dev/klog access, drop mknod and __null__ access
2015-06-23 17:34:28 +00:00
Daniel Cashman
e956b31526 Merge "drop unused option -s" 2015-06-23 17:30:56 +00:00