tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
22803 commits 1 branch 0 tags 50 MiB
Commit graph

4784 commits

Author SHA1 Message Date
Mike Ma
ab61935ac2 Fix selinux denials for incidentd 
This is to fix selinux denials on incident-helper-cmd.
incident-helper-cmd is a Java program spawn from app_process. There are
currently some selinux denials because app_process tries to read boot
flags, read dalvik cache, run JIT and exec from JIT cache.

This change:
- allows incidentd to read the runtime feature flag properties. This is
a normal behavior during app_process startup
- allows incidentd to lock a few java libraries under
/apex/com.android.art. Again, this is normal when ART starts
- mutes denial of writing to and exec from dalvik cache / JIT cache

Fixes: 149011438
Test: Run $ incident 1116, and verify there's no selinux denial
Change-Id: I95a6b93e6a5510c749bebe7ecbcab9a803be0801
 2020-02-18 21:51:40 -08:00
Songchun Fan
ff40f150e8 Merge changes Ie973be6b,Ie090e085 
* changes:
  permissions for incremental control file
  new label for incremental control files
 2020-02-14 18:00:02 +00:00
George Chang
9cc657e43e Merge "Add sepolicy for persist.nfc_cfg." 2020-02-14 11:37:33 +00:00
Treehugger Robot
98d0a95753 Merge "access_vectors: add lockdown class" 2020-02-14 10:18:17 +00:00
stevensd
e3e16a313b Merge "selinux policy for buffer queue config" 2020-02-14 02:54:20 +00:00
Nick Kralevich
e4686b4d8e access_vectors: add lockdown class 
Needed to support upstream patch
59438b4647

Bug: 148822198
Test: compiles
Change-Id: I304c1a97c12067dd08d4ceef93702101908012ed
 2020-02-13 13:05:54 -08:00
Songchun Fan
3922253de9 permissions for incremental control file 
=== for mounting and create file ===

02-12 21:09:41.828   593   593 I Binder:593_2: type=1400 audit(0.0:832): avc: denied { relabelto } for name=".pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.838   593   593 I Binder:593_2: type=1400 audit(0.0:833): avc: denied { read } for name=".pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.838   593   593 I Binder:593_2: type=1400 audit(0.0:834): avc: denied { open } for path="/data/incremental/MT_data_incremental_tmp_1485189518/mount/.pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.838   593   593 I Binder:593_2: type=1400 audit(0.0:835): avc: denied { getattr } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.838   593   593 I Binder:593_2: type=1400 audit(0.0:836): avc: denied { read } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.841  1429  1429 I PackageInstalle: type=1400 audit(0.0:837): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x671e scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1

=== for reading signature from file ===
02-12 21:09:47.931  8972  8972 I android.vending: type=1400 audit(0.0:848): avc: denied { ioctl } for path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending
02-12 21:09:47.994  1429  1429 I AppIntegrityMan: type=1400 audit(0.0:849): avc: denied { ioctl } for path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
02-12 21:09:50.034  8972  8972 I com.android.vending: type=1400 audit(0.0:850): avc: denied { ioctl } for comm=62674578656375746F72202332 path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending
02-12 21:09:52.914  1429  1429 I PackageManager: type=1400 audit(0.0:851): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x671e scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1

=== data loader app reading from log file ===
02-12 22:09:19.741  1417  1417 I Binder:1417_3: type=1400 audit(0.0:654): avc: denied { read } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3131393237303339342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_app:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 22:09:19.741 15903 15903 I Binder:15903_4: type=1400 audit(0.0:655): avc: denied { getattr } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3131393237303339342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_app:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1

Test: manual with incremental installation
BUG: 133435829
Change-Id: Ie973be6bc63faf8fe98c9e684060e9c81d124e6e
 2020-02-13 12:53:36 -08:00
Songchun Fan
b1512f3ab7 new label for incremental control files 
Test: manual with incremental installation
Test: coral:/data/incremental/MT_data_incremental_tmp_1658593565/mount # ls -lZ .pending_reads
Test: -rw-rw-rw- 1 root root u:object_r:incremental_control_file:s0  0 1969-12-31 19:00 .pending_reads
BUG: 133435829
Change-Id: Ie090e085d94c5121bf61237974effecef2dcb180
 2020-02-13 12:52:51 -08:00
Songchun Fan
d9b78b4c84 remove incfs genfscon label 
Test: manual with incremental installation
BUG: 133435829
Change-Id: I8b38db18851a5b3baf925be621de3eb0e83efbb4
 2020-02-13 08:44:48 -08:00
David Stevens
3942fe1682 selinux policy for buffer queue config 
Test: boot and check for no policy violations

Change-Id: I1ea2a79b9a45b503dcb061c196c5af1d0ddab653
 2020-02-13 20:11:47 +09:00
George Chang
db1dbd94a1 Add sepolicy for persist.nfc_cfg. 
Add a new nfc_cfg persist property for nfc features

Bug: 142626304
Test: set property and load target files.
Change-Id: I853c97e8113dbcf729cf59ad45895402b0c82b3e
 2020-02-12 16:20:52 +00:00
Songchun Fan
2ddfad3709 Merge "Use setxattr for incremental-fs" 2020-02-11 23:56:51 +00:00
Songchun Fan
ecafc55b70 Use setxattr for incremental-fs 
BUG: b/133435829
Test: manual
Change-Id: I782f2041da5824fe28917789208e00d6ed10de79
 2020-02-11 14:33:08 -08:00
Songchun Fan
fcbfe3155f Merge "selinux rules for apk files installed with Incremental" 2020-02-11 21:24:04 +00:00
Jerry Chang
e8b7cecad3 Merge "sepolicy: new prereboot_data_file type" 2020-02-11 02:49:29 +00:00
Alec Mouri
c95ae9044d Merge "Update sepolicy to allow pushing atoms from surfaceflinger to statsd" 2020-02-11 01:01:20 +00:00
Jon Spivack
a85454834d Merge "Revert "Add sepolicy for persist.nfc"" 2020-02-10 23:42:41 +00:00
Jon Spivack
c7bc7ee309 Revert "Add sepolicy for persist.nfc" 
This reverts commit 34240604aa.

Reason for revert: Droidcop: Potential culprit for Bug149218822- verifying through Forrest before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.

Change-Id: Iaba9f6e9125ac456a5787b1fcbb67d68c91c5f42
 2020-02-10 19:08:31 +00:00
Alec Mouri
b254ff2d5b Update sepolicy to allow pushing atoms from surfaceflinger to statsd 
Bug: 148543048
Test: builds
Test: statsd_testdrive
Change-Id: I8ea6659d575fa2e7e5961dc1fea3219c238c9e41
 2020-02-10 09:50:53 -08:00
Nikita Ioffe
4119b07d1b Merge "Add userspace_reboot_log_prop" 2020-02-10 17:22:03 +00:00
Treehugger Robot
036eb2518d Merge "Add sepolicy for persist.nfc" 2020-02-10 11:15:36 +00:00
Songchun Fan
3cf7d1b5ee Merge "selinux rules for loading incremental module" 2020-02-07 19:33:08 +00:00
Jeffrey Huang
53114d6184 Merge "GpuService binder call StatsManagerService" 2020-02-07 18:03:26 +00:00
Jeffrey Huang
aac4b2f8c0 Merge "Allow system server to add StatsHal" 2020-02-07 18:03:04 +00:00
Songchun Fan
99d9374760 selinux rules for loading incremental module 
Defining incremental file system driver module, allowing vold to load
and read it.

=== Denial messages ===
02-04 16:48:29.193   595   595 I Binder:595_4: type=1400 audit(0.0:507): avc: denied { read } for name="incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=file permissive=1
02-04 16:48:29.193   595   595 I Binder:595_4: type=1400 audit(0.0:508): avc: denied { open } for path="/vendor/lib/modules/incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=file permissive=1
02-04 16:48:29.193   595   595 I Binder:595_4: type=1400 audit(0.0:509): avc: denied { sys_module } for capability=16 scontext=u:r:vold:s0 tcontext=u:r:vold:s0 tclass=capability permissive=1
02-04 16:48:29.193   595   595 I Binder:595_4: type=1400 audit(0.0:510): avc: denied { module_load } for path="/vendor/lib/modules/incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=system permissive=1

Test: manual
BUG: 147371381
Change-Id: I5bf4e28c28736b4332e7a81c344ce97ac7278ffb
 2020-02-07 09:52:34 -08:00
Songchun Fan
020e3ab035 selinux rules for apk files installed with Incremental 
Apk files installed with Incremental are actually stored under the
/data/incremental directory.

Since files under /data/incremental are labeled as apk_file_data, we
need additional permissions to enable an apk installation.

Denial messages:

=== vold ===
02-04 14:22:45.756   599   599 I Binder:599_3: type=1400 audit(0.0:607): avc: denied { read } for name="mount" dev="dm-5" ino=894 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
02-04 14:22:45.756   599   599 I Binder:599_3: type=1400 audit(0.0:608): avc: denied { open } for path="/data/incremental/data_incremental_tmp_792314038/mount" dev="dm-5" ino=894 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
02-04 14:22:45.760   599   599 I Binder:599_3: type=1400 audit(0.0:609): avc: denied { mounton } for path="/data/incremental/data_incremental_tmp_792314038/mount" dev="dm-5" ino=894 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
02-04 14:22:45.766  1431  1431 I PackageInstalle: type=1400 audit(0.0:620): avc: denied { read write open } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/.index/f5c14952f6dde3b4a77a94e45388c012" dev="dm-5" ino=897 scontext=u:r:vold:s0
02-04 14:22:45.923  1431  1431 I PackageManager: type=1400 audit(0.0:637): avc: denied { write } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/st_5_0" dev="dm-5" ino=896 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1
02-04 14:22:47.326  8839  8839 I android.vending: type=1400 audit(0.0:658): avc: denied { read write open } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/st_6_1/flipboard.app-KPIT2MBSpQYWG-USITOftw==/base.apk" dev="dm-5" ino=899 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending
02-04 14:22:45.780   599   599 I Binder:599_3: type=1400 audit(0.0:623): avc: denied { getattr } for path="/data/app/vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1
02-04 14:22:45.780   599   599 I Binder:599_3: type=1400 audit(0.0:624): avc: denied { read } for name="vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1
02-04 14:22:45.780   599   599 I Binder:599_3: type=1400 audit(0.0:625): avc: denied { open } for path="/data/app/vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1
02-04 14:22:45.780   599   599 I Binder:599_3: type=1400 audit(0.0:627): avc: denied { mounton } for path="/data/app/vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1

02-04 15:32:02.386   591   591 I Binder:591_4: type=1400 audit(0.0:537): avc: denied { search } for name="incremental" dev="dm-5" ino=120 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1

=== system_app ===
02-04 14:22:45.793  5064  5064 I Binder:5064_1: type=1400 audit(0.0:633): avc: denied { write } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/st_5_0/base.apk" dev="dm-5" ino=899 scontext=u:r:system_app:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1

Test: manual
BUG: 133435829
Change-Id: I70f25a6e63dd2be87ccbe9fb9e9d50fa64d88c36
 2020-02-07 16:34:42 +00:00
Jerry Chang
5594f307c8 sepolicy: new prereboot_data_file type 
This adds the type and permissions for dumping and appending prereboot
information.

Bug: 145203410
Test: Didn't see denials while dumping and appending prereboot info.
Change-Id: Ic08408b9bebc3648a7668ed8475f96a5302635fa
 2020-02-07 10:22:47 +08:00
Nikita Ioffe
44f5ffca15 Add userspace_reboot_log_prop 
This properties are used to compute UserspaceRebootAtom and are going to
be written by system_server. Also removed now unused
userspace_reboot_prop.

Test: builds
Bug: 148767783
Change-Id: Iee44b4ca9f5d3913ac71b2ac6959c232f060f0ed
 2020-02-07 01:57:55 +00:00
Jeffrey Huang
b481e320a1 GpuService binder call StatsManagerService 
This binder call is needed because we want to migrate
libstatspull to use StatsManagerService instead of Statsd

The binder call to statsd can be removed after the migration.

Test: m -j
Bug: 148641240
Change-Id: Id1387a2cbe74ba8d84f4973c6e4d17c5e0b88009
 2020-02-06 11:54:33 -08:00
Andrei-Valentin Onea
c79be18ddd Merge "Make platform_compat discoverable everywhere" 2020-02-06 13:40:34 +00:00
Jeffrey Vander Stoep
9788ca1738 Merge "net_dns_prop: neverallow most access" 2020-02-06 12:16:22 +00:00
Andrei Onea
25b39acefe Make platform_compat discoverable everywhere 
The binder's methods are protected by signature
permissions (LOG_COMPAT_CHANGE, READ_COMPAT_CHANGE_CONFIG and
OVERRIDE_COMPAT_CHANGE_CONFIG).

This is a re-landing of https://r.android.com/1210143, which was
reverted due to http://b/142942524. The actual fix was done in
http://ag/10234812.

Bug: 142650523
Test: atest PlatformCompatGatingTest
Change-Id: Ibddac8933ea58d44457a5d80b540347e796ebe71
 2020-02-06 12:11:37 +00:00
Treehugger Robot
15d70fec33 Merge "sepolicy: Relabel wifi. properties as wifi_prop" 2020-02-06 02:53:51 +00:00
Treehugger Robot
ca3d3dfa70 Merge "adbd should be able to shutdown shell:unix_stream_socket" 2020-02-06 02:17:31 +00:00
Howard Ro
f8ddb83890 Merge "Surfaceflinger binder call StatsManagerService" 2020-02-06 01:52:40 +00:00
Jeffrey Huang
dd1ce53b27 Allow system server to add StatsHal 
Bug: 148794952
Test: m -j
Change-Id: I14cc282bb262f1ec62ab3473d9229763c1a02e21
Merged-In: I14cc282bb262f1ec62ab3473d9229763c1a02e21
 2020-02-05 17:24:48 -08:00
Josh Gao
b9c7001837 adbd should be able to shutdown shell:unix_stream_socket 
adbd started calling shutdown and waiting for EOF before closing
sockets in commit 74b7ec72, because closing a TCP socket while you have
pending data to read is specified to send a TCP RST to the other end,
which can result in data that we've written into the socket to be
prematurely thrown away on the other end. Not being able to do so on a
Unix domain socket is benign, aside from the denial showing up in the
log.

Fixes the following selinux denial when installing a package:

  avc: denied { shutdown } for scontext=u:r:adbd:s0 tcontext=u:r:shell:s0 tclass=unix_stream_socket permissive=0

Test: manual
Change-Id: I266092a8323ac02bfe96738a8f4a8021f3a10387
 2020-02-05 17:24:46 -08:00
Jeffrey Huang
225850bd0c Surfaceflinger binder call StatsManagerService 
This binder call is needed because we want to migrate
libstatspull to use StatsManagerService instead of Statsd

The binder call to statsd can be removed after the migration.

Test: m -j
Bug: 148641240
Change-Id: If6cf7eb77aa229751c44e5291d49f05177dbb8dd
 2020-02-05 14:40:40 -08:00
Treehugger Robot
231b89410f Merge "GpuStats: sepolicy change for using new statsd puller api" 2020-02-05 21:58:42 +00:00
Yifan Hong
df701f3e45 Merge "Only write snapshotctl_log when debug" 2020-02-05 21:23:11 +00:00
Jeff Vander Stoep
5afd6d788c net_dns_prop: neverallow most access 
Prepare for these properties to be completely removed.

Bug: 33308258
Test: build
Change-Id: Ie22918247db1d6e85a36e0df958916b6752629d0
 2020-02-05 09:55:30 +01:00
Martijn Coenen
164359b952 Merge "Create new mediaprovider_app domain." 2020-02-05 07:58:54 +00:00
Yifan Hong
b6b35b7c46 Only write snapshotctl_log when debug 
Only write snapshotctl_log_data_file for userdebug_or_eng.

Test: boot, still see log
Bug: 148818798
Change-Id: I03e979efd65e3992bd8ef30e6408768a14aa1de2
 2020-02-04 17:15:06 -08:00
Yiwei Zhang
dbbe3bd7d8 GpuStats: sepolicy change for using new statsd puller api 
Bug: 148421389
Test: statsd_testdrive 10054
Change-Id: Icf1a4bf809b1413c0e413290bbeadd987faff710
 2020-02-04 15:55:59 -08:00
Yifan Hong
28d5e87d39 Merge "snapshotctl better logging" 2020-02-04 22:18:33 +00:00
Connor O'Brien
d90d4aa2bb Merge "Allow system_server to attach bpf programs to tracepoints" 2020-02-04 21:11:47 +00:00
Yifan Hong
589bb6f369 snapshotctl better logging 
Test: snapshotctl merge --log-to-file
Bug: 148818798
Change-Id: I0e9c8ebb6632a56670a566f7a541e52e0bd24b08
 2020-02-04 10:09:24 -08:00
Martijn Coenen
e3f1d5a314 Create new mediaprovider_app domain. 
This is a domain for the MediaProvider mainline module. The
MediaProvider process is responsible for managing external storage, and
as such should be able to have full read/write access to it. It also
hosts a FUSE filesystem that allows other apps to access said storage in
a safe way. Finally, it needs to call some ioctl's to set project quota
on the lower filesystem correctly.

Bug: 141595441
Test: builds, mediaprovider module gets the correct domain
Change-Id: I0d705148774a1bbb59c927e267a484cb5c44f548
 2020-02-04 16:53:18 +01:00
Songchun Fan
f09db16c56 [selinux] properly labeling dirs under /data/incremental 
Setting files and dirs under /data/incremental as apk_data_file, so that
they will have the same permissions as the ones under /data/app.

Current layout of the dirs:
1. /data/incremental/[random]/mount -> holds data files (such as base.apk) and
control files (such as .cmd). Its subdirectory is first bind-mounted to
/data/incremental/tmp/[random], eventually bind-mounted to
/data/app/~~[randomA]/[packageName]-[randomB].

2. /data/incremental/[random]/backing_mount -> hold incfs backing image.

3. /data/incremental/tmp/[random] -> holds temporary mountpoints (bind-mount targets)
during app installation.

Test: manual
Change-Id: Ia5016db2fa2c7bad1e6611d59625731795eb9efc
 2020-02-03 14:28:37 -08:00
Connor O'Brien
e3f0b2ca13 Allow system_server to attach bpf programs to tracepoints 
In order to track time in state data using eBPF, system_server needs
to be able to attach BPF programs to tracepoints, which involves:
- calling perf_event_open and the PERF_EVENT_IOC_SET_BPF ioctl
- running BPF programs
- reading tracepoint ids from tracefs

Grant system_server the necessary permissions for these tasks

Test: modify system_server to try to attach programs; check for
denials
Bug: 138317993
Change-Id: I07dafd325a9c57d53767a09d4ca7b0fb2dd2d328
Signed-off-by: Connor O'Brien <connoro@google.com>
 2020-01-31 19:47:24 -08:00