Commit graph

7955 commits

Author SHA1 Message Date
Treehugger Robot
ac3bfd1d28 Merge "Remove ENABLE_TREBLE from sepolicy." 2016-12-21 22:04:01 +00:00
Steven Moreland
52b759777b Remove ENABLE_TREBLE from sepolicy.
Enabling/disabling sepolicy based on ENABLE_TREBLE is not granular
enough (ref: b/32978887 #4).

Bug: 32978887
Test: compiles, doesn't cause any additional denials on device. Nothing
depends on these things I'm removing.
Change-Id: I10acbde16e5e2093f2c9205ed79cd20caed7f44d
2016-12-21 12:29:02 -08:00
Treehugger Robot
7f46347a47 Merge "init: only allowed to transition to logpersist or logd" 2016-12-21 19:16:32 +00:00
Steven Moreland
4613628b04 Merge "hwbinder_use: allow for hwservicemanager callbacks." 2016-12-21 18:06:32 +00:00
Mark Salyzyn
df125b90b4 init: only allowed to transition to logpersist or logd
Generate a compile time error if someone unexpectedly tries to
transition into logpersist or logd domain.

Test: compile
Bug: 30566487
Change-Id: Ib55f301f104ad63de5ac513cdc9dc9937e3ba48d
2016-12-21 07:40:30 -08:00
Mark Salyzyn
da62cb4dda logcat: introduce split to logd and logpersist domains
- transition to logpersist from init
- sort some overlapping negative references
- intention is to allow logpersist to be used by vendor
  userdebug logging

Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests
Bug: 30566487
Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
2016-12-20 20:31:03 +00:00
Treehugger Robot
e8a292ce77 Merge "init.te: fixup stale comment" 2016-12-20 20:01:24 +00:00
Treehugger Robot
4134a4c171 Merge "Add coverage service." 2016-12-20 19:51:59 +00:00
Alex Klyubin
dfa42e59d3 Merge "Clarify what determines precedence rules in seapp_contexts" 2016-12-20 17:25:47 +00:00
Nick Kralevich
8fb4cb8bc2 priv_app.te: drop app_data_file:file execute_no_trans;
auditallow (added in commit 758e6b3678)
has been in place for about 2 weeks now, and no hits. Remove
execute_no_trans.

The net effect of this change is that priv_apps won't be able to exec()
a file from their home directory, but dlopen() and friends will still
work.

Test: Compiles and boots successfully.
Test: No auditallow messages received via SELinux denial collection.
Change-Id: I60fcdc260d12e1bcc2355ca4dd912de7e6d0a145
2016-12-19 13:48:50 -08:00
Alex Klyubin
e392020b34 Clarify what determines precedence rules in seapp_contexts
Test: It's a comment -- no impact on build
Change-Id: Ibd7ff0dcd9d4c3d526ca20ab35dd4bac70d14f0a
2016-12-19 11:07:53 -08:00
Allen Hair
2328fec710 Add coverage service.
Bug: 31077138
Test: Device boots, coverage service works when tested manually.
Change-Id: Ia855cfefd5c25be5d1d8db48908c04b3616b5504
2016-12-19 11:04:33 -08:00
Nick Kralevich
92ade7480f init.te: fixup stale comment
init switch from a setcon() based transition to an exec() based
transition in bug 19702273. Fixup stale comment.

Test: comment only change. Policy compiles.
Bug: 19702273
Change-Id: I6e1b4b3680193453adafa8952a7ea343d2977505
2016-12-17 09:18:18 -08:00
Sandeep Patil
c82cf89f5f hal_health: express the sepolicy as attribute
Bug: http://b/32905206

Test: Boot sailfish and no new selinux failures observed in logs

Change-Id: Id9a46180074a61f8cf8d176a7b2ebc995a13b9f9
Signed-off-by: Sandeep Patil <sspatil@google.com>
2016-12-17 16:17:36 +00:00
Jeff Sharkey
1157e733af Merge "Allow installd to measure size of dexopt links." 2016-12-17 04:38:22 +00:00
Daniel Cashman
c81c44a8e5 Merge "Revert "Move sepolicy and recovery from on-device tree and add dependency."" 2016-12-17 00:59:43 +00:00
Daniel Cashman
65d01349a0 Revert "Move sepolicy and recovery from on-device tree and add dependency."
This reverts commit cf5c6ecb93.

Change-Id: Ie86a6ac20ab5a1611efc0e167c0430eb9df9482e
2016-12-17 00:53:26 +00:00
Treehugger Robot
2d4d8842e7 Merge "Move sepolicy and recovery from on-device tree and add dependency." 2016-12-17 00:17:13 +00:00
Treehugger Robot
16df99bdf6 Merge "Remove 'net_admin' capability from healthd" 2016-12-16 22:49:19 +00:00
Dan Cashman
cf5c6ecb93 Move sepolicy and recovery from on-device tree and add dependency.
Prevent sepolicy and sepolicy.recover from showing up in the root
filesystem when they will not be created as part of it.  Also make
sure both are added as dependencies to version_policy to ensure the
neverallow checks are run.

Bug: 31363362
Test: Builds and boots, including recovery, without additional
  denials.  Neverallow violations still caught at build time.

Change-Id: I39e3cbc150551c9316952523927d057538cd00a7
2016-12-16 14:29:59 -08:00
Jeff Sharkey
86c76890de Allow installd to measure size of dexopt links.
avc: denied { getattr } for path="/data/dalvik-cache/arm64/system@framework@boot-core-libart.oat" dev="sda35" ino=1581062 scontext=u:r:installd:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=lnk_file permissive=0

Test: builds, boots, quota stats match manual stats
Bug: 27948817
Change-Id: I65fb581a4732e03c46ac705f6693080c5f3be184
2016-12-16 15:05:03 -07:00
Treehugger Robot
d1499e3254 Merge "Switch recovery to versioned policy and split into components." 2016-12-16 19:55:37 +00:00
Sandeep Patil
18410d1a32 Remove 'net_admin' capability from healthd
Bug: https://b/32733887

Change-Id: Ie22756509b53b6e78a95c5a7763b48773cd52fd7
Signed-off-by: Sandeep Patil <sspatil@google.com>
2016-12-16 11:45:22 -08:00
Steven Moreland
d86a30a273 Add hal_dumpstate attribute.
- Also allow dumpstate to talk to hal_dumpstate.

Bug: 31982882
Test: compiles
Change-Id: Ib9cf0027ee7e71fa40b9ccc29fc8dccea6977e5c
2016-12-16 10:48:32 -08:00
Dan Cashman
1c04027795 Switch recovery to versioned policy and split into components.
And do some clean up:
Replace LOCAL_TARGET_ARCH with global arch specifier that won't get
clobbered, clean up sepolicy.recovery's eng specification, ensure that
build macros are applied across all policy generation, not just
plat_policy, and make sure that all private variables are cleared and
alphabetized at the end.

Bug: 31363362
Bug: 31369363
Test: Boot into recovery and observe no selinux denials.
Change-Id: Ibc15b097f6d19acf01f6b22bee0e083b15f4ef75
2016-12-16 10:19:17 -08:00
Sandeep Patil
137a13d5f5 healthd: restore healthd sepolicy for charger mode
Test: Boot charge-only and android on sailfish

Bug: https://b/33672744

Change-Id: I6a25e90a716ec0ca46b5ba5edad860aa0eebafef
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 3b25e38410)
2016-12-15 18:17:13 -08:00
Sandeep Patil
60e8886c1f health: add sepolicy for health hal service
Test: tested with default health HAL on angler running as service.
Bug: b/32754732

Change-Id: Ie0b70d43cb23cd0878e1b7b99b9bebdbd70d17c7
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit ef62fd9159)
2016-12-15 18:17:13 -08:00
Sandeep Patil
82467a9561 health: allow rules for passthrough health HAL
- allows binder calls to hwservicemanager
- allows healthd to read system_file for passthrough HAL

Test: Tested healthd with and without a board specific health HAL on
Angler.

Bug: b/32724915

Change-Id: Icf621859f715cb44bce5d8d3b60320ef495d1543
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 32cacb42b9)
2016-12-15 18:17:13 -08:00
Sandeep Patil
dc08245c3f healthd: create SEPolicy for 'charger' and reduce healthd's scope
healthd is being split into 'charger' and 'healthd' processes, that
will never run together. 'charger' is to be run only in charge-only
and recovery, while healthd runs with Android.

While they both share much of battery monitoring code, they both now
have reduced scope. E.g. 'charger', doesn't need to use binder anymore
and healthd doesn't need to do charging ui animation. So, amend the
SEPolicy for healthd to reduce it's scope and add a new one for charger.

Test: Tested all modes {recovery, charger-only, android} with new policy

Change-Id: If7f81875c605f7f07da4d23a313f308b9dde9ce8
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit c73d0022ad)
2016-12-15 18:17:13 -08:00
Jeff Sharkey
59cd88e262 Merge "Allow installd to get/set filesystem quotas." 2016-12-15 22:32:44 +00:00
Glen Kuhne
9147a23835 hwbinder_use: allow for hwservicemanager callbacks.
In order for hal clients to use IServiceManager::registerForNotifications,
the hwservicemanager needs to be able to call into client processes.

Test: WIP
Bug: 33383725
Change-Id: I59470e9cd5cbeafda010fedc0b91eeb41280e0a1
2016-12-15 14:17:27 -08:00
Jeff Sharkey
fe1de04626 Allow installd to get/set filesystem quotas.
To support upcoming disk usage calculation optimizations, this change
grants installd access to work with filesystem quotas.

avc: denied { search } for name="block" dev="tmpfs" ino=15279 scontext=u:r:installd:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0
avc: denied { sys_admin } for capability=21 scontext=u:r:installd:s0 tcontext=u:r:installd:s0 tclass=capability permissive=1
avc: denied { quotaget } for scontext=u:r:installd:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=1

Test: builds
Bug: 27948817
Change-Id: Ic166e8ced30e15ce84223576729888a824037691
2016-12-15 13:50:49 -07:00
Treehugger Robot
a24fae4f87 Merge "Split mac_permissions.xml into plat and non-plat components." 2016-12-15 20:13:28 +00:00
dcashman
90b3b94897 Split mac_permissions.xml into plat and non-plat components.
Bug: 31363362
Test: Bullhead and Sailfish both build and boot w/out new denials.
Change-Id: If6a451ddaab8c9b78a618c49b116a7ed766d0710
2016-12-15 10:20:35 -08:00
Treehugger Robot
62f0b8ea0e Merge "Enforce assumptions around metadata_block_device" 2016-12-15 18:14:12 +00:00
Steven Moreland
5b8d87b239 Merge "All hal policies expressed as attributes." 2016-12-15 17:10:26 +00:00
Nick Kralevich
5207ca6af4 Enforce assumptions around metadata_block_device
Add a compile time assertion that only authorized SELinux domains are
allowed to touch the metadata_block_device. This domain may be wiped at
will, and we want to ensure that we're not inadvertently destroying
other people's data.

Test: policy compiles.
Change-Id: I9854b527c3d83e17f717d6cc8a1c6b50e0e373b6
2016-12-15 08:28:38 -08:00
Chad Brubaker
0046853f66 Merge "Allow binder IPC between ephemeral app and appdomain" 2016-12-15 00:04:44 +00:00
Nick Kralevich
bb9a388840 Assign a label to the ro.boottime.* properties
system/core commit 331cf2fb7c16b5b25064f8d2f00284105a9b413f created a
number of new properties of the form:

  [ro.boottime.init]: [5294587604]
  [ro.boottime.InputEventFind]: [10278767840]
  [ro.boottime.adbd]: [8359267180]
  ...

These properties were assigned the default_prop SELinux label because a
better label did not exist. Properties labeled with the default_prop
label are readable to any SELinux domain, which is overly broad.

  bullhead:/ $ getprop -Z ro.boottime.adbd
  u:object_r:default_prop:s0

Instead, create a new label for the ro.boottime.* properties so we can
apply more fine grain read access control to these properties.

  bullhead:/ $ getprop -Z ro.boottime.adbd
  u:object_r:boottime_prop:s0

New SELinux property labels have minimal permissions by default. As a
result, after this change, ro.boottime.* properties will only be
readable to system_server, bootstat, init (because it manages the property
space), and "adb root" (because no SELinux permissions are enforced there).

Additional read access can be granted as-needed.

This is part of a larger effort to implement fine-grain access control
on the properties managed by init.

Test: Device boots and no SELinux denials on boot.
Change-Id: Ibf981cb81898f4356fdc5c1b6f15dd93c0d6d84d
2016-12-14 13:45:01 -08:00
Chad Brubaker
641d5d8f9b Allow binder IPC between ephemeral app and appdomain
Address denial type=1400 audit(0.0:42): avc: denied { call } for
scontext=u:r:untrusted_app:s0:c512,c768
tcontext=u:r:ephemeral_app:s0:c207,c258,c512,c768 tclass=binder

Test: Above denial no longer happens
Change-Id: I351269ee4671cfd51c981d3db5d0f3944d14e702
2016-12-14 21:06:57 +00:00
Treehugger Robot
d57dd813a2 Merge "Do not allow new additions to core_property_type" 2016-12-14 02:22:40 +00:00
Steven Moreland
29eed9faea All hal policies expressed as attributes.
Bug: 32123421
Bug: 32905206

Test: compiles, nfc works
Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d
2016-12-13 17:18:27 -08:00
Nick Kralevich
d310df20bd Do not allow new additions to core_property_type
core_property_type is an attribute which was given to all existing
properties known to core SELinux policy. Any property with this label is
readable to all SELinux domains, which is overly broad. The long term
goal is to remove the core_property_type attribute entirely.

Add a neverallow rule prohibiting the introduction of new properties
with the core_property_type attribute. Device specific properties, or
new properties in core SELinux policy, should not have this attribute.

Test: policy compiles
Change-Id: Ie89a9f0d81c8561616001ff8451496ce2278dbb2
2016-12-13 16:02:39 -08:00
Max
16c889c51f Removing file system remount permission from vold
There is no reason for vold to have this permission, and a proper
auditallow rule has been used and monitored to ensure that nothing on
android uses this permission.

Bug: 26901147

Test: Phone boots
Change-Id: Id36ed2722348f433fe3d046a3429066338230fec
2016-12-13 15:37:33 -08:00
Connor O'Brien
a95c52e347 Add sepolicy for consumerir HIDL HAL
Test: logging confirms service runs on boot
Change-Id: If86fa7daf4a626b3e04fa0d2677d4cb590eb71ce
Signed-off-by: Connor O'Brien <connoro@google.com>
2016-12-13 15:23:13 -08:00
Treehugger Robot
1282df7c7a Merge "Split policy for on-device compilation." 2016-12-13 23:03:50 +00:00
dcashman
1faa644c81 Split policy for on-device compilation.
Simulate platform and non-platform split by sending the split files to the
device to be compiled by init.

Bug: 31363362
Test: Policy builds on-device and boots.  sediff shows no difference.
Change-Id: I9627d1c66ca37786d97a049666278a4992ad7579
2016-12-13 10:06:12 -08:00
Jeff Sharkey
52da39d9a4 Partially revert "mediaprovider" SELinux domain.
The new domain wasn't fully tested, and it caused many regressions
on the daily build.  Revert back to using "priv_app" domain until we
can fully test and re-land the new domain.

Temporarily add the USB functionfs capabilities to priv_app domain
to keep remainder of MtpService changes working; 33574909 is tracking
removing that from the priv_app domain.

Test: builds, boots, verified UI and downloads
Bug: 33569176, 33568261, 33574909
Change-Id: I1bd0561d52870df0fe488e59ae8307b89978a9cb
2016-12-13 09:34:03 -07:00
Treehugger Robot
0a80782877 Merge changes I1a468e7c,I4d0d8896
* changes:
  hal_wifi: Allow HAL to reload wifi firmware
  hal_wifi: Allow system_server to access wifi HIDL services
2016-12-13 00:32:42 +00:00
Jerry Zhang
35aa81ad51 Merge "Move MediaProvider to its own domain, add new MtpServer permissions" 2016-12-13 00:12:04 +00:00