Commit graph

14 commits

Author SHA1 Message Date
Orion Hodson
8f75f76fbd Permissions for odrefresh and /data/misc/apexdata/com.android.art
odrefresh is the process responsible for checking and creating ART
compilation artifacts that live in the ART APEX data
directory (/data/misc/apexdata/com.android.art).

There are two types of change here:

1) enabling odrefresh to run dex2oat and write updated boot class path
   and system server AOT artifacts into the ART APEX data directory.

2) enabling the zygote and assorted diagnostic tools to use the
   updated AOT artifacts.

odrefresh uses two file contexts: apex_art_data_file and
apex_art_staging_data_file. When odrefresh invokes dex2oat, the
generated files have the apex_art_staging_data_file label (which allows
writing). odrefresh then moves these files from the staging area to
their installation area and gives them the apex_art_data_file label.

Bug: 160683548
Test: adb root && adb shell /apex/com.android.art/bin/odrefresh
Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
2021-01-13 10:38:22 +00:00
Jeff Vander Stoep
60bb29fcdf crash_dump: suppress devpts denials
The following denial caused a presubmit failure:
06-15 15:16:24.176   956   956 I auditd  : type=1400 audit(0.0:4): avc:
denied { read write } for comm="crash_dump64" path="/dev/pts/3"
dev="devpts" ino=6 scontext=u:r:crash_dump:s0
tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0

Suppress these denials. They are not needed by crash_dump and are only
caused by the default behavior of sharing FDs across exec.

Test: build
Change-Id: I183f7a54e6b807fdf46b04d67dd4b819d4f0e507
2019-03-19 04:05:51 +00:00
Jeff Vander Stoep
1795d0bcfd crash_dump: dontaudit devices passed by exec()
avc: denied { read } for comm="crash_dump64" name="v4l-touch22"
dev="tmpfs" ino=18821 scontext=u:r:crash_dump:s0
tcontext=u:object_r:input_device:s0 tclass=chr_file

Test: build
Change-Id: Iac66b77ad255c950b21fd267c88fdbc382be2877
2019-03-13 20:50:25 -07:00
Andreas Gampe
efece54e06 Sepolicy: Allow crash_dump to ptrace apexd in userdebug
In userdebug, for better diagnostics, allow crash_dump to "connect
to" apexd.

Considering apexd is quite powerful, user devices remain restricted.

Bug: 118771487
Test: m
Change-Id: Id42bd2ad7505cd5578138bfccd8840acba9a334d
2019-03-05 09:59:50 -08:00
Jeff Vander Stoep
504a654983 crash_dump: dontaudit gpu_device access
And add neverallow so that it's removed from partner policy if
it was added there due to denials.

Fixes: 124476401
Test: build
Change-Id: I16903ba43f34011a0753b5267c35425dc7145f05
2019-02-18 21:06:42 +00:00
Jeff Sharkey
d101896ec8 Allow system watchdog to collect traces from vold.
We're investigating a bug where vold gets wedged, and we need to
collect ANR stack traces from it to debug further.

avc: denied { signal } for comm="watchdog" scontext=u:r:system_server:s0 tcontext=u:r:vold:s0 tclass=process permissive=0
avc: denied { ptrace } for scontext=u:r:crash_dump:s0 tcontext=u:r:vold:s0 tclass=process permissive=0

Bug: 122090837
Test: manual
Change-Id: I738e63717715189b9ae2317472f671e3563afaa9
2019-02-06 09:25:00 -07:00
Martijn Coenen
ac097ac4c7 Add policy for apexd.
apexd is a new daemon for managing APEX packages installed
on the device. It hosts a single binder service, "apexservice".

Bug: 112455435
Test: builds, binder service can be registered,
      apexes can be accessed, verified and mounted
Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
2018-10-04 07:06:45 +00:00
Nick Kralevich
095fbea563 Strengthen ptrace neverallow rules
Add additional compile time constraints on the ability to ptrace various
sensitive domains.

llkd: remove some domains which llkd should never ptrace, even on
debuggable builds, such as kernel threads and init.

crash_dump neverallows: Remove the ptrace neverallow checks because
it duplicates other neverallow assertions spread throughout the policy.

Test: policy compiles and device boots
Change-Id: Ia4240d1ce7143b983bb048e046bb4729d0af5a6e
2018-09-14 18:32:20 +00:00
Mark Salyzyn
275ea12d84 llkd: Add stack symbol checking
llkd needs the ptrace capabilities and dac override to monitor for
live lock conditions on the stack dumps.

Test: compile
Bug: 33808187
Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126
2018-09-04 17:02:30 +00:00
Alan Stokes
b9cb73ad4e Ensure crash_dump cannot be allowed to ptrace itself.
This is not needed and could conceivably be abused.

Test: Builds.
Bug: 110107376
Change-Id: I73f301439af435fe40b3902409964cdf6e2c7dd5
2018-09-03 17:27:54 +01:00
Jeff Vander Stoep
08aa715966 crash_dump: disallow ptrace of TCB components
Remove permissions and add neverallow assertion.

(cherry picked from commit f1554f1588)

Bug: 110107376
Test: kill -6 <components excluded from ptrace>
Change-Id: I2dc872f5c02749fbaf8ca6bc7e3e38404151442c
2018-08-28 08:28:25 -07:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
Josh Gao
3067af1436 Revert "crash_dump: temporarily make permissive."
This reverts commit 9cfe34b5ee.

Bug: http://b/34978531
Change-Id: I0702641c48fad273f16fa1a5f0e4483dfe408c05
2017-02-14 16:13:30 -08:00
Josh Gao
9cfe34b5ee crash_dump: temporarily make permissive.
Test: policy compiles.
Bug: http://b/34450704
Change-Id: I1381f9de8e4c8cdde4920be423ab32adc2f7a8a2
2017-01-19 10:28:43 -08:00