Commit graph

47 commits

Author SHA1 Message Date
Igor Murashkin
f48951a939 am 0ae33a8d: Merge "zygote/dex2oat: Grant additional symlink permissions"
* commit '0ae33a8d1439800439db1c22da0d9a2073fb3a42':
  zygote/dex2oat: Grant additional symlink permissions
2014-10-29 12:32:35 +00:00
Igor Murashkin
83c5612e69 zygote/dex2oat: Grant additional symlink permissions
* zygote needs to be able to symlink from dalvik cache to system
  to avoid having to copy boot.oat
  (when the boot.oat file was built with --compile-pic)
* dex2oat needs to be able to read the symlink in the dalvik cache
  (the one that zygote creates)

Bug: 18035729
Change-Id: Ie1acad81a0fd8b2f24e1f3f07a06e6fdb548be62
2014-10-27 17:22:40 -07:00
Robin Lee
51bfecf49d Pull keychain-data policy out of system-data
Migrators should be allowed to write to /data/misc/keychain in order
to remove it. Similarly /data/misc/user should be writable by system
apps.

TODO: Revoke zygote's rights to read from /data/misc/keychain on
behalf of some preloaded security classes.

Bug: 17811821
Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547
2014-10-15 18:02:03 +00:00
Nick Kralevich
f2c011892d zygote: allow replacing /proc/cpuinfo
Android's native bridge functionality allows an Android native
app written on one CPU architecture to run on a different architecture.
For example, Android ARM apps may run on an x86 CPU.

To support this, the native bridge functionality needs to replace
/proc/cpuinfo with the version from /system/lib/<ISA>/cpuinfo
using a bind mount. See commit ab0da5a9a6860046619629b8e6b83692d35dff86
in system/core.

This change:

1) Creates a new label proc_cpuinfo, and assigns /proc/cpuinfo
that label.
2) Grants read-only access to all SELinux domains, to avoid
breaking pre-existing apps.
3) Grants zygote mounton capabilities for that file, so zygote
can replace the file as necessary.

Addresses the following denial:

  avc: denied { mounton } for path="/proc/cpuinfo" dev="proc" ino=4026532012 scontext=u:r:zygote:s0 tcontext=u:object_r:proc:s0 tclass=file

Bug: 17671501

(cherry picked from commit 2de02877a3)

Change-Id: I2c2366bee4fe365288d14bca9778d23a43c368cb
2014-09-26 13:06:22 -07:00
Nick Kralevich
2de02877a3 zygote: allow replacing /proc/cpuinfo
Android's native bridge functionality allows an Android native
app written on one CPU architecture to run on a different architecture.
For example, Android ARM apps may run on an x86 CPU.

To support this, the native bridge functionality needs to replace
/proc/cpuinfo with the version from /system/lib/<ISA>/cpuinfo
using a bind mount. See commit ab0da5a9a6860046619629b8e6b83692d35dff86
in system/core.

This change:

1) Creates a new label proc_cpuinfo, and assigns /proc/cpuinfo
that label.
2) Grants read-only access to all SELinux domains, to avoid
breaking pre-existing apps.
3) Grants zygote mounton capabilities for that file, so zygote
can replace the file as necessary.

Addresses the following denial:

  avc: denied { mounton } for path="/proc/cpuinfo" dev="proc" ino=4026532012 scontext=u:r:zygote:s0 tcontext=u:object_r:proc:s0 tclass=file

Bug: 17671501
Change-Id: Ib70624fba2baeccafbc0a41369833f76b976ee20
2014-09-26 18:35:26 +00:00
Ed Heyl
8ee37b4f1c reconcile aosp (c103da877b) after branching. Please do not merge.
Change-Id: Ic9dde806a30d3e7b9c4a066f247a9207fe9b94b4
2014-07-14 23:32:08 -07:00
Nick Kralevich
75d63fcfd2 Put dex2oat in it's own sandbox
Currently, dex2oat runs in the installd sandbox, and has
all the SELinux capabilities that installd does. That's too
excessive.

dex2oat handles untrusted user data, so we want to put it in
it's own tighter sandbox.

Bug: 15358102
Change-Id: I08083b84b9769e24d6dad6dbd12401987cb006be
2014-07-10 15:33:11 -07:00
Nick Kralevich
fad4d5fb00 Fix SELinux policies to allow resource overlays.
The following commits added support for runtime resource overlays.

  New command line tool 'idmap'
  * 65a05fd56dbc9fd9c2511a97f49c445a748fb3c5
  Runtime resource overlay, iteration 2
  * 48d22323ce39f9aab003dce74456889b6414af55
  Runtime resource overlay, iteration 2, test cases
  * ad6ed950dbfa152c193dd7e49c369d9e831f1591

During SELinux tightening, support for these runtime resource
overlays was unknowingly broken. Fix it.

This change has been tested by hackbod and she reports that
everything is working after this change. I haven't independently
verified the functionality.

Test cases are available for this by running:
  * python frameworks/base/core/tests/overlaytests/testrunner.py

Change-Id: I1c70484011fd9041bec4ef34f93f7a5509906f40
2014-06-16 14:20:08 -07:00
Stephen Smalley
356f4be679 Restrict requesting contexts other than policy-defined defaults.
Writing to the /proc/self/attr files (encapsulated by the libselinux
set*con functions) enables a program to request a specific security
context for various operations instead of the policy-defined defaults.
The security context specified using these calls is checked by an
operation-specific permission, e.g. dyntransition for setcon,
transition for setexeccon, create for setfscreatecon or
setsockcreatecon, but the ability to request a context at all
is controlled by a process permission.  Omit these permissions from
domain.te and only add them back where required so that only specific
domains can even request a context other than the default defined by
the policy.

Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-23 13:14:22 -04:00
Stephen Smalley
df48bd2ca8 Remove zygote write access to system_data_file.
These rules seem to be a legacy of old Android or perhaps old policy
before we began splitting types on /data.  I have not been able to
trigger the auditallow rules on AOSP master.  Reduce the rules to
only read access to system data.  If we need write access to some
specific directory under /data, we should introduce a type for it.

Change-Id: I780835950cc366c97b7d0901fc73527d9ea479b1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-14 08:58:06 -04:00
Stephen Smalley
0099148ee4 Audit zygote create/write access to system_data_file.
Report any attempts by zygote to create/write files in system_data_file
so that we can ultimately move any such cases to their own type
and reduce this to read-only access.

Change-Id: I310b8da5ba5b462ef2cfdaab289628498f4d2cec
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-12 11:55:20 -04:00
Narayan Kamath
3a06a72c16 Change zygote sepolicy whitelist.
Allow the zygote to create instruction set specific
directories under /data/dalvik-cache and to change their owner
to the system UID.

These subdirectories are required in order to support
instruction set specific dex caches on devices that support
multiple instruction sets. We can't ask init to create these
directories for us, because init doesn't have any knowledge
about the list of runtime instruction sets the device supports.

The owner needs to be system because the package manager (running
in the system_server) is allowed to manipulate files under this
directory.

(cherry picked from commit 032e5b0ae1)

Change-Id: I3a85e8a6b4eed003a93490e7b93a4fd68c41a361
2014-05-01 11:19:00 +01:00
Nick Kralevich
a268f48a1f zygote: clean up unnecessary rules.
In 66f25cb1af, auditallow entries
were added for some old zygote rules. They've never been triggered,
so they're not needed. Delete them.

Change-Id: Idb544c71410e263714f29cdbec0424a46f32898f
2014-04-08 16:04:04 -07:00
dcashman
66f25cb1af Add auditallow to revaluate b/10498304
The environment has changed since b/10498304 and it may be the case
that some of the changes introduced thereby are no longer necessary.
Adding an auditallow will allow us to monitor the effects of
removing these changes, without blocking other development.

Change-Id: Id4ece1644877c4ba36df3050ac9073ea6320779c
2014-03-10 14:35:59 -07:00
Stephen Smalley
3bfdc6b420 Allow stat of /system/bin/app_process by zygote.
This resolves denials such as:
type=1400 audit(7803852.559:251): avc:  denied  { getattr } for  pid=5702 comm="main" path="/system/bin/app_process" dev="mmcblk0p25" ino=60 scontext=u:r:zygote:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file

(triggered on an art crash seen in recent AOSP master)

Rather than just adding this permission individually, just rewrite
the existing rule to use the rx_file_perms macro.
We already allowed most of these permissions by way of the
domain_auto_trans() rule via init_daemon_domain() and the rule
for the --invoke-with support.  Using macros helps reduce
policy fragility/brittleness.

Change-Id: Ib7edc17469c47bde9edd89f0e6cf5cd7f90fdb76
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-10 10:40:44 -04:00
Stephen Smalley
37afd3f6c3 Remove system_server and zygote unlabeled execute access.
Now that all of /data outside of /data/data should be labeled
even on legacy devices as a result of
Ib8d9751a47c8e0238cf499fcec61898937945d9d, there
should be no reason to permit the system_server or zygote
execute access to unlabeled files.

This is the only remaining case where a type writable by
app domains can be executed by system services, so eliminating
it is desirable.

That said, I have not specifically tested the non-SE to SE
upgrade path to confirm that this causes no problems.

Change-Id: Ie488bd6e347d4a210806a3308ab25b00952aadb4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-27 08:55:48 -05:00
Stephen Smalley
49c995d1c8 Do not allow zygote to execve dalvikcache files.
x_file_perms and friends allow execve; we only want to permit
mmap/mprotect PROT_EXEC here.

Change-Id: I780f202c357f4611225cec25fda5cb9d207e085f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-09 14:05:49 -08:00
Stephen Smalley
959fdaaa25 Remove unlabeled execute access from domain, add to appdomain.
Otherwise all domains can create/write files that are executable
by all other domains.  If I understand correctly, this should
only be necessary for app domains executing content from legacy
unlabeled userdata partitions on existing devices and zygote
and system_server mappings of dalvikcache files, so only allow
it for those domains.

If required for others, add it to the individual
domain .te file, not for all domains.

Change-Id: I6f5715eb1ecf2911e70772b9ab4e531feea18819
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-09 18:30:16 +00:00
Nick Kralevich
a730e50bd9 Don't allow zygote init:binder call
init can't handle binder calls. It's always incorrect
to allow init:binder call, and represents a binder call
to a service without an SELinux domain. Adding this
allow rule was a mistake; the dumpstate SELinux domain didn't
exist at the time this rule was written, and dumpstate was
running under init's domain.

Add a neverallow rule to prevent the reintroduction of
this bug.

Change-Id: I78d35e675fd142d880f15329471778c18972bf50
2014-01-03 20:45:42 -08:00
Nick Kralevich
268a612e20 am d1083bf2: am e9c4181b: zygote.te: fix comment.
* commit 'd1083bf2103290df376ef67d3108d4cbfb59e392':
  zygote.te: fix comment.
2013-09-23 11:42:26 -07:00
Nick Kralevich
cccfa17336 am 882d09db: am 199fc73f: Revert "Give Zygote the ability to write app data files."
* commit '882d09db04c4d4e13b45822c6d97b4cb03233af9':
  Revert "Give Zygote the ability to write app data files."
2013-09-23 11:37:53 -07:00
Nick Kralevich
e9c4181b1c zygote.te: fix comment.
per the discussion in https://android-review.googlesource.com/#/c/65063/1/zygote.te
adjust the comment in this file.

Change-Id: I8db31e22ec34493442bc8e86bcd0bc0136b7bae4
2013-09-23 11:29:41 -07:00
Nick Kralevich
199fc73f79 Revert "Give Zygote the ability to write app data files."
This was a mistaken attempt to fix bug 10498304, but it didn't
actually have any impact. Revert.

This reverts commit fc2bd01b60.

Bug: 10498304
2013-09-23 11:29:40 -07:00
Alex Klyubin
82140be931 Follow-up to rename system to system_server.
1fdee11df2 renamed domain system to
system_server in AOSP. This CL applies the rename to the rules that
weren't in AOSP at the time.

Change-Id: I0e226ddca2e01ed577204ddb4886a71f032a01ed
2013-09-17 10:07:01 -07:00
Alex Klyubin
d343fd582c am 3d94272a: am 1fdee11d: 1/2: Rename domain "system" to "system_server".
* commit '3d94272a754a4ea0727c1d4d880944d1d9efd3e7':
  1/2: Rename domain "system" to "system_server".
2013-09-17 09:57:21 -07:00
Alex Klyubin
1fdee11df2 1/2: Rename domain "system" to "system_server".
This is a follow-up CL to the extraction of "system_app" domain
from the "system" domain which left the "system" domain encompassing
just the system_server.

Since this change cannot be made atomically across different
repositories, it temporarily adds a typealias "server" pointing to
"system_server". Once all other repositories have been switched to
"system_server", this alias will be removed.

Change-Id: I90a6850603dcf60049963462c5572d36de62bc00
2013-09-17 08:40:12 -07:00
Alex Klyubin
e42aa03d18 am b9bbfeb0: Fix bug report notification not showing up.
* commit 'b9bbfeb003042b386e4025cdb3c3ee9b9f0c4432':
  Fix bug report notification not showing up.
2013-09-09 18:02:21 -07:00
Alex Klyubin
b9bbfeb003 Fix bug report notification not showing up.
Bug: 10498304
Change-Id: I74cac92368353694612dbd94f0d072b97ec9878b
2013-09-09 17:17:08 -07:00
Nick Kralevich
0e48af3d22 am d629b87e: Fix bug report notification not showing up.
* commit 'd629b87e896171023569ab207f55cfeae560c711':
  Fix bug report notification not showing up.
2013-09-09 15:49:10 -07:00
Nick Kralevich
d629b87e89 Fix bug report notification not showing up.
Bug: 10498304
Change-Id: Ic0e30bdf6cc35f9d9e2752f36940e75e7ae37d83
2013-09-09 15:40:15 -07:00
Geremy Condra
d615ef3477 Fix miscellaneous long-tail denials.
Change-Id: Ie0947f79c63f962220d3c9316c5d5d82f677821f
2013-09-04 16:09:50 -07:00
Geremy Condra
090645b36d Give Zygote the ability to write app data files.
This fixes another bug encountered while taking bugreports.

Bug: 10498304
Change-Id: Ie33e869ccd28c5461f4f3736c078b2a865aa7cdd
2013-09-04 12:49:29 -07:00
Geremy Condra
fc2bd01b60 Give Zygote the ability to write app data files.
This fixes another bug encountered while taking bugreports.

Bug: 10498304
Change-Id: Ie33e869ccd28c5461f4f3736c078b2a865aa7cdd
2013-08-30 15:48:56 -07:00
Geremy Condra
81560733a4 Fix denials encountered while getting bugreports.
Bug: 10498304
Change-Id: I312665a2cd09fa16ae3f3978aebdb0da99cf1f74
2013-08-30 15:10:17 -07:00
Geremy Condra
e03626021e Add capabilities to Zygote to fix valgrind.
Bug: 10455872
Change-Id: I98885e8cd1e4f9ab0d3e2af6d79b078a000db539
2013-08-27 18:47:08 -07:00
Geremy Condra
aee5a18a82 Give zygote the ability to execute dalvik cache files.
Change-Id: I129536c3d9f6359228165d8a5ec373780b312c86
2013-07-09 22:37:51 -07:00
Nick Kralevich
6aca515cd3 zygote: enable SELinux restrictions
This change enables SELinux security enforcement on zygote
(but not zygote spawned apps).

For the zygote.te file only, this change is equivalent to reverting
the following commits:

* 50e37b93ac
* 77d4731e9d

No other changes were required.

Testing: As much as possible, I've tested that zygote properly
starts up, and that there's no problem spawning zygote or zygote
apps. There were no denials in the kernel dmesg log, and
everything appears to work correctly. It's quite
possible I've missed something. If we experience problems, I
happy to roll back this change.

Bug: 9657732
Change-Id: Id2a7adcbeebda5d1606cb13470fad6c3fcffd558
2013-07-01 12:11:28 -07:00
repo sync
77d4731e9d Make all domains unconfined.
This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
2013-05-20 11:08:05 -07:00
repo sync
50e37b93ac Move domains into per-domain permissive mode.
Bug: 4070557
Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
2013-05-14 21:36:32 -07:00
William Roberts
7bb2a55c47 Give domains read access to security_file domain.
/data/security is another location that policy
files can reside. In fact, these policy files
take precedence over their rootfs counterparts
under certain circumstances. Give the appropriate
players the rights to read these policy files.

Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41
2013-04-05 13:11:23 -07:00
Geremy Condra
06575ee40c Add remount capability to Zygote.
This is a consequence of https://googleplex-android-review.googlesource.com/#/c/278069/

Change-Id: I9b310860534a80e7145950f6c632cf5ba0ad56a7
2013-03-29 16:29:54 -07:00
Robert Craig
65d4f44c1f Various policy updates.
Assortment of policy changes include:
 * Bluetooth domain to talk to init and procfs.
 * New device node domains.
 * Allow zygote to talk to its executable.
 * Update system domain access to new device node domains.
 * Create a post-process sepolicy with dontaudits removed.
 * Allow rild to use the tty device.

Change-Id: Ibb96b590d0035b8f6d1606cd5e4393c174d10ffb
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-03-27 06:30:25 -04:00
rpcraig
8b3b4fe756 Allow zygote to search tmpfs.
Change-Id: Ib0bdcbc1a7e45e1d1a046c9fa8aff89183ebfe0d
2013-03-22 18:03:31 -07:00
William Roberts
c195ec3148 Split internal and external sdcards
Two new types are introduced:
sdcard_internal
sdcard_external

The existing type of sdcard, is dropped and a new attribute
sdcard_type is introduced.

The boolean app_sdcard_rw has also been changed to allow for
controlling untrusted_app domain to use the internal and external
sdcards.

Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5
2013-03-22 15:26:39 -04:00
Stephen Smalley
e468016b1b zygote requires setpcap in order to drop from its bounding set.
I8560fa5ad125bf31f0d13be513431697bc7d22bb changed the zygote
to limit the bounding capability set to CAP_NET_RAW.  This triggers
a CAP_SETPCAP check by the kernel, which requires SELinux setpcap permission.

Change-Id: Ib910d97dcf708273e2806e2824f4abe9fc239d6d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-02-19 13:20:55 -05:00
Stephen Smalley
61c80d5ec8 Update policy for Android 4.2 / latest master.
Update policy for Android 4.2 / latest master.
Primarily this consists of changes around the bluetooth subsystem.
The zygote also needs further permissions to set up /storage/emulated.
adbd service now gets a socket under /dev/socket.
keystore uses the binder.

Change-Id: I8c5aeb8d100313c75169734a0fa614aa974b3bfc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2012-11-19 09:55:10 -05:00
Stephen Smalley
2dd4e51d5c SE Android policy. 2012-01-04 12:33:27 -05:00