Move rules / neverallow assertions from public to private policy. This
change, by itself, is a no-op, but will make future patches easier to
read. The only downside of this change is that it will make git blame
less effective.
Motivation: When rules are placed into the public directory, they cannot
reference a private type. A future change will modify these rules to
reference a private type.
Test: compiles
Bug: 112357170
Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
Hals have 3 attributes associated with them, the attribute itself, the
_client attribute, and the _server attribute. Only the server attribute
isn't expanded using the expandattribute keyword, and as a result, is
the only attribute which can be used in neverallow rules.
Fix neverallow rule to use hal_bootctl_server, which is not expanded,
instead of hal_bootctl.
Introduced in: https://android-review.googlesource.com/c/platform/system/sepolicy/+/777178
Test: policy compiles
Bug: 119500144
Change-Id: I8cff9cc03f4c30704175afb203c68f237fbd61ca
We introduced a new API to allow Device Owner to install an OTA file on disk.
This in turn requires system_server to be able to copy the OTA file to a known
OTA file location, call into update_engine to start the installation and let
update_engine to call back to the system_server to deliver any error conditions
asynchronously. This CL modifies the SELinux policy to allow these interaction.
Test: manual in TestDPC, CTS tests for negative cases: atest com.android.cts.devicepolicy.DeviceOwnerTest#testInstallUpdate
Change-Id: Id1fbea9111f753c5c80f270c269ecb9ef141cd79
Bug: 111173669
In recovery, everything is labeled rootfs, including
/system/bin/*. Allow postinstall to execute them in recovery.
Test: sideload
Bug: 116608795
Fixes: 119877813
Change-Id: I5682bdecd0df1cb9ff3bc968ea29449b0b8588f4
Commit ebc3a1a34c ("Move to ioctl
whitelisting for plain files / directories", Oct 10th), enabled ioctl
filtering on all files, including functionfs files. However, recovery
performs the ioctl FUNCTIONFS_ENDPOINT_DESC on functionfs files, so
allow it.
Addresses the following denial:
audit: type=1400 audit(673009.476:507811): avc: denied { ioctl } for pid=731 comm="recovery" path="/dev/usb-ffs/adb/ep1" dev="functionfs" ino=473 ioctlcmd=0x6782 scontext=u:r:recovery:s0 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1
Test: policy compiles.
Bug: 119877813
Change-Id: I09715acc16ab319b8d8b1f233cefaec23a358962
grant rw_dir_perms of dir
/data/server_configurable_flags to flags_health_check.te, in order to
enable flags_health_check to record reset flags data as file under this
dir for later use. See function:
server_configurable_flags::ServerConfigurableFlagsReset for how the
permission is used.
Test: manual on device
Change-Id: I1df7b8cadfbe279f26bf828e9e725ce170a376f7
Remove the permission to execute dex2oat from apps targetSdkVersion>28.
This has been historically used by ART to compile secondary dex files
but that functionality has been removed in Q and the permission is
therefore not needed.
Some legacy apps do invoke dex2oat directly. Hence allow (with audit) for
targetSdkVersion<= 28.
Test: atest CtsSelinuxTargetSdk25TestCases
Test: atest CtsSelinuxTargetSdk27TestCases
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Bug: 117606664
Change-Id: I2ea9cd56861fcf280cab388a251aa53e618160e5
This reverts commit 92bde4b941.
Reason for revert: Rebooting after OTA fails due to the
filesystem still seeing the old label on the device.
Bug: 116528212
Bug: 119747564
Change-Id: Ib5f920f85c7e305e89c377369dca038d2c6c738c
Test: rollback change
This is used for querying the installed packages, as well as
coordinating the installations of packages.
Test: ran an app that queries PM, that queries apexd.
Bug: 117589375
Change-Id: I38203ffe6d0d312d6cc38e131a29c14ace0ba10c
This is world-readable so it can be checked in libc's process init.
Test: m
Test: flash sailfish
Bug: 117821125
Change-Id: Iac7317ceb75b5ad9cfb9adabdf16929263fa8a9d
I added ro.bionic.(2nd_)?_(arch|cpu_variant) to vendor system
properties. And have init to write them to files under dev/.
This change set SELinux rules for these properties and files.
For the system properties: vendor/default.prop will set them. init will
read them.
For the files /dev/cpu_variant:.*: init will write them. bionic libc
will read them. (Basically world readable).
This is to allow libc select the right optimized routine at runtime.
Like memcpy / strcmp etc.
Test: getprop to make sure the properties are set.
Test: ls -laZ to make sure /dev/cpu_variant:.* are correctly labeled.
Change-Id: I41662493dce30eae6d41bf0985709045c44247d3
The dynamic linker calls realpath(3) on paths found in the linker config
script. Since realpath() calls lstat() on the parent paths, not allowing
getattr on /apex and its subdirectories will cause selinux denial spam
whenever something is executed from APEXes.
Silence the spam by allowing getattr on apex_mnt_dir.
Bug: 117403679
Bug: 115787633
Test: m apex.test; m; device is bootable
Change-Id: Ic659582760a3ae146e73770266bc64332b36a97c
The auditallow added in commit
7a4af30b38 ("Start the process of locking
down proc/net", May 04 2018), has not been triggered. This is safe to
delete.
Test: Policy compiles
Test: no collected SELinux denials
Bug: 68016944
Change-Id: Ib45519b91742d09e7b93bbaf972e558848691a80
cgroup is labeled from genfs_contexts. Also, cgroup filesystems can't be
context mounted, i.e. it's not possible to mount them with a label other
than "cgroup".
Bug: 110962171
Test: m selinux_policy
Test: boot aosp_walleye
Change-Id: I8319b10136c42a42d1edaee47b77ad1698e87f2c
device_config_flags_health_check_prop is used for enabling/disabling
program flags_health_check which is executed during device booting.
"1" means enabling health check actions in flags_health_check, other
values mean flags_health_check will not perform any action.
Test: build succeeded & manual test
Change-Id: I93739dc5d155e057d72d08fd13097eb63c1193b5
Add an InputFlinger service in system_server and allow SurfaceFlinger to
exchange sockets with it.
Test: None
Bug: 80101428
Bug: 113136004
Bug: 111440400
Change-Id: I1533ab7a1da0ca61d8a28037fffbc189d796f737
Auditallow added in commit 72edbb3e83 ("Audit generic debugfs access for
removal", May 01 2018) has not triggered. Remove allow rule and tighten
up neverallow rule.
Test: policy compiles
Test: no collected SELinux denials.
Change-Id: I9a90463575f9eab4711b72d6f444fa9d526b80e1
This will be needed if vendors remove a label, as vendor_init would
need to relabel from it (which would be unlabeled) to the new label.
Test: Build policy.
Change-Id: Ieea0fcd7379da26b2864b971f7773ed61f413bb9
1b1d133be5 added the process2 class but
forgot to suppress SELinux denials associated with these permissions
for the su domain. Suppress them.
Ensure xdp_socket is in socket_class_set, so the existing dontaudit rule
in su.te is relevant. Inspired by
66a337eec6
Add xdp_socket to various other neverallow rules.
Test: policy compiles.
Change-Id: If5422ecfa0cc864a51dd69559a51d759e078c8e7
Remove the special case that allowed init to relabel app_data_file and
privapp_data_file. The auditallow added in
ab82125fc8 has never triggered.
Bug: 80190017
Test: policy compiles
Test: no SELinux denials collected for the auditallow rule
Change-Id: Ide7c31e1a0628464ec2fcf041e8975087c39166d
It is unnecessary to use get_prop() rules for the su domain. The
su domain is always in permissive mode [1] and not subject to SELinux
enforcement. It's also possible these rules were added to avoid SELinux
denial log spam from showing up, however, there are already dontaudit
rules in place [2] to prevent this.
Delete the unnecessary rules.
[1] 96b62a60c2/private/su.te (19)
[2] 96b62a60c2/public/su.te (42)
Test: policy compiles
Change-Id: I5913f360738725bf915f0606d381029b9ba4318f
Commit 619c1ef2ac ("tun_device: enforce
ioctl restrictions") completely removed the ability of untrusted apps to
issue ioctl calls to tun_device. It turns out that this was too
aggressive. Wireshark apparently uses the TUNGETIFF ioctl.
Fixes the following denial:
audit(0.0:384744): avc: denied { ioctl } for comm=4173796E635461736B202332 path="/dev/tun" dev="tmpfs" ino=19560 ioctlcmd=54d2 scontext=u:r:untrusted_app:s0:c51,c257,c512,c768 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=1 app=com.wireguard.android
Test: policy compiles.
Change-Id: I71bb494036ea692781c00af37580748ab39d1332
These ioctls are similar to BLKGETSIZE64; they return benign information
about the partition's alignment, and are used by liblp to optimally
align dynamic partition extents.
The system_block_device is included here because on retrofit devices,
the "super" partition is mapped to the system partition.
Test: manual OTA on retrofit device
Bug: 118506262
Change-Id: I3dd3c99d86d63f97bcd393cff374e27f5ed2da2e
BLKDISCARD is used by vold while wiping block devices
b2455747a9/Utils.cpp (619)
BLKGETSIZE is used to determine the size of the block device. Ideally
code should not be using this ioctl, as it fails for devices >= 2T in
size. Vold indirectly uses this when executing /system/bin/newfs_msdos.
Arguably this is a bug in newfs_msdos, as BLKGETSIZE64 should be used
instead.
Code: 0c7e133c7f/mkfs_msdos.c (845)
Addresses the following denials:
audit(0.0:24): avc: denied { ioctl } for comm="Binder:588_2" path="/dev/block/vold/public:7,9" dev="tmpfs" ino=106407 ioctlcmd=1277 scontext=u:r:vold:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0
audit(0.0:25): avc: denied { ioctl } for comm="newfs_msdos" path="/dev/block/vold/public:7,9" dev="tmpfs" ino=106407 ioctlcmd=1260 scontext=u:r:vold:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0
Test: policy compiles.
Bug: 119562530
Change-Id: Ib7198daf150d6f2578545a6a402e0313069ea2b4
We are moving AppFuse mount from system_server's mount namespace to
vold. Hence, we could reduce the SELinux permissions given to
system_server, in the expense of adding allow rules to vold and
letting appdomain have access to vold's fd.
Bug: 110379912
Test: testOpenProxyFileDescriptor passes (after vold and
system_server code changes)
Change-Id: I827a108bd118090542354360a8c90b295e6a0fef
