Commit graph

16979 commits

Author SHA1 Message Date
Hongyi Zhang
b61ac077dd grant system_server read permission of server_configurable_flags_data
server_configurable_flags_data_file is used for storing server
configurable flags which have been reset during current booting.
system_server needs to read the data to perform related disaster
recovery actions.
For how the data is read, see SettingsToPropertiesMapper.java.

Test: build succeeds & manual on device
Change-Id: Ifa22aecc13af2c574579299d28433622abbe6b85
2018-11-27 13:29:08 -08:00
Mikhail Naganov
d81a36ad47 Merge "Allow audioserver to access persist.log.tag" 2018-11-27 19:16:26 +00:00
Nick Kralevich
f56b5d9792 Merge "use hal_bootctl_server in neverallow rule" 2018-11-27 17:27:48 +00:00
Nick Kralevich
536d3413b8 use hal_bootctl_server in neverallow rule
Hals have 3 attributes associated with them, the attribute itself, the
_client attribute, and the _server attribute. Only the server attribute
isn't expanded using the expandattribute keyword, and as a result, is
the only attribute which can be used in neverallow rules.

Fix neverallow rule to use hal_bootctl_server, which is not expanded,
instead of hal_bootctl.

Introduced in: https://android-review.googlesource.com/c/platform/system/sepolicy/+/777178

Test: policy compiles
Bug: 119500144
Change-Id: I8cff9cc03f4c30704175afb203c68f237fbd61ca
2018-11-26 23:17:28 -08:00
Nick Kralevich
6b2a4aeacf use tmpfile during build
During the build process, use a temporary file until we've determined
that every step of the build process has completed. Failure to do this
may cause subsequent invocations of the make command to improperly
assume that this step ran to completion when it didn't.

Test: code compiles.
Change-Id: I9a28e653e33b61446a87278975789376769bcc6a
2018-11-26 14:29:06 -08:00
Treehugger Robot
c3b3fdf8d6 Merge "Remove permission for APEX manifest." 2018-11-24 21:04:17 +00:00
Dario Freni
4df603a038 Remove permission for APEX manifest.
There is no real need to access the manifest.json (which is being
renamed in other CLs anyway). So remove the access to it.

Bug: 119672727
Test: m, installed on device, boots.
Change-Id: I2d82062031da36f871b2a64d97a50a6f1e6fc3dd
2018-11-24 17:19:05 +00:00
Treehugger Robot
017c1ac1ed Merge "SELinux policy for new managed system update APIs" 2018-11-23 11:33:00 +00:00
Neda Topoljanac
bffe163b13 SELinux policy for new managed system update APIs
We introduced a new API to allow Device Owner to install an OTA file on disk.
This in turn requires system_server to be able to copy the OTA file to a known
OTA file location, call into update_engine to start the installation and let
update_engine to call back to the system_server to deliver any error conditions
asynchronously. This CL modifies the SELinux policy to allow these interaction.

Test: manual in TestDPC, CTS tests for negative cases: atest com.android.cts.devicepolicy.DeviceOwnerTest#testInstallUpdate
Change-Id: Id1fbea9111f753c5c80f270c269ecb9ef141cd79
Bug: 111173669
2018-11-22 17:46:31 +00:00
Treehugger Robot
d1b18a797e Merge "Allow to execute postinstall in adb sideload" 2018-11-22 05:05:00 +00:00
Yifan Hong
1817cbde14 Allow to execute postinstall in adb sideload
In recovery, everything is labeled rootfs, including
/system/bin/*. Allow postinstall to execute them in recovery.

Test: sideload
Bug: 116608795
Fixes: 119877813
Change-Id: I5682bdecd0df1cb9ff3bc968ea29449b0b8588f4
2018-11-21 16:23:45 -08:00
Nick Kralevich
ddd43bfcc9 allow recovery FUNCTIONFS_ENDPOINT_DESC
Commit ebc3a1a34c ("Move to ioctl
whitelisting for plain files / directories", Oct 10th), enabled ioctl
filtering on all files, including functionfs files. However, recovery
performs the ioctl FUNCTIONFS_ENDPOINT_DESC on functionfs files, so
allow it.

Addresses the following denial:

  audit: type=1400 audit(673009.476:507811): avc:  denied  { ioctl } for  pid=731 comm="recovery" path="/dev/usb-ffs/adb/ep1" dev="functionfs" ino=473 ioctlcmd=0x6782 scontext=u:r:recovery:s0 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1

Test: policy compiles.
Bug: 119877813
Change-Id: I09715acc16ab319b8d8b1f233cefaec23a358962
2018-11-21 12:42:42 -08:00
Treehugger Robot
ac317b915e Merge "Add com.android.resolv-file_contexts to /system/sepolicy/apex" 2018-11-21 13:10:13 +00:00
chenbruce
a5121f64a6 Add com.android.resolv-file_contexts to /system/sepolicy/apex
Gathering file contexts for all APEXes there for easier auditing.

Test: m com.android.resolv
Bug: 119527674
Change-Id: I0f06c21c77f4b537e7c7d590204569f4531b5302
2018-11-21 14:39:33 +08:00
Nick Kralevich
bacf448bdb allow system_server BLKSECDISCARD BLKDISCARD
Used at:
7271c452a9/services/core/jni/com_android_server_PersistentDataBlockService.cpp (60)

Addresses the following denials:
  audit(0.0:413): avc: denied { ioctl } for comm="Binder:1365_1C" path="/dev/block/sdg1" dev="tmpfs" ino=20555 ioctlcmd=127d scontext=u:r:system_server:s0 tcontext=u:object_r:frp_block_device:s0 tclass=blk_file permissive=0
  audit(0.0:410): avc: denied { ioctl } for comm="Binder:1365_3" path="/dev/block/sdg1" dev="tmpfs" ino=20555 ioctlcmd=1277 scontext=u:r:system_server:s0 tcontext=u:object_r:frp_block_device:s0 tclass=blk_file permissive=0

Test: policy compiles.
Change-Id: I7614b6269031b7912a7b93dc5307f5687458fba8
2018-11-20 17:57:04 -08:00
Hongyi Zhang
6f324ffd22 Merge "grant permissions of dir /data/server_configurable_flags" 2018-11-20 23:51:10 +00:00
Treehugger Robot
7e44292ed2 Merge "place dex2oat auditallow statements in userdebug_or_eng blocks" 2018-11-20 21:53:20 +00:00
Hongyi Zhang
4aecb3f2eb grant permissions of dir /data/server_configurable_flags
grant rw_dir_perms of dir
/data/server_configurable_flags to flags_health_check.te, in order to
enable flags_health_check to record reset flags data as file under this
dir for later use. See function:
server_configurable_flags::ServerConfigurableFlagsReset for how the
permission is used.

Test: manual on device
Change-Id: I1df7b8cadfbe279f26bf828e9e725ce170a376f7
2018-11-20 12:40:01 -08:00
Nick Kralevich
cfe1baea25 place dex2oat auditallow statements in userdebug_or_eng blocks
By convention, auditallow statements are always placed in
userdebug_or_eng() blocks. This ensures that we don't inadvertently ship
audit rules on production devices, which could result in device logspam,
and in pathological situations, impact device performance (generating
audit messages is much more expensive than a standard SELinux check).

Bug: 117606664
Test: policy compiles.
Change-Id: I681ed73c83683e8fdbef9cf662488115f6e7a490
2018-11-20 10:50:22 -08:00
Nick Kralevich
d9047e66c7 Remove obsolete BOARD_SEPOLICY_REPLACE / BOARD_SEPOLICY_IGNORE
Commit b4f17069b3 ("sepolicy:  Drop
BOARD_SEPOLICY_IGNORE/REPLACE support.", Mar 2015) made it a compile
time failure to use BOARD_SEPOLICY_REPLACE or BOARD_SEPOLICY_IGNORE.
As these restrictions have been in place since 2015, we can safely
assume all usages of this have been cleaned up, and there is no further
need to check for this.

8 lines deleted from Android.mk, 1720 lines to go.

Test: compiles.
Change-Id: I23249e4b2e9ec83cb6356a6c5a6e187ae1fc9744
2018-11-20 09:35:26 -08:00
Nicolas Geoffray
c7be91d58b Merge "Allow webview_zygote to JIT." 2018-11-20 16:38:52 +00:00
Hector Dearman
b78af6cdb4 Merge "Allow adb root to send config to perfetto" 2018-11-20 15:08:30 +00:00
Dario Freni
5a6d94bc03 Merge "Allow PackageManager to communicate to apexd." 2018-11-20 13:32:32 +00:00
Nicolas Geoffray
cf4d5265c2 Allow webview_zygote to JIT.
bug: 119800099
Test: device boots, no selinux denials
Change-Id: I737afbb4e826014fc91a68ac955199bb1d1a04c7
2018-11-20 13:31:49 +00:00
Roland Levillain
04dcdeacee Merge "Add file_contexts for Release Runtime APEX module." 2018-11-20 11:54:17 +00:00
Hector Dearman
3fa4ac55aa Allow adb root to send config to perfetto
The perfetto binary (the frontend to traced) reads an input config
from stdin. This CL adds allows perfetto to read the config
from adb shell when the user is rooted

Sample denials:
avc: denied { read } for comm="perfetto" path="pipe:[92340]"
dev="pipefs" ino=92340 scontext=u:r:perfetto:s0 tcontext=u:r:su:s0
tclass=fifo_file permissive=0
avc: denied { read } for comm="perfetto" path="pipe:[92491]"
dev="pipefs" ino=92491 scontext=u:r:perfetto:s0 tcontext=u:r:su:s0
tclass=fifo_file permissive=0

Test: adb root
adb shell
echo 'duration_ms: 1000;' > /sdcard/config
cat /sdcard/config | perfetto --txt -c - -d

Change-Id: I12042dfa9a2c262cec907f0231ce2184f46d1be8
2018-11-20 10:05:45 +00:00
David Brazdil
95c8372b6d Merge "Remove 'dex2oat_exec' from untrusted_app" 2018-11-20 10:04:08 +00:00
David Brazdil
535c5d2be0 Remove 'dex2oat_exec' from untrusted_app
Remove the permission to execute dex2oat from apps targetSdkVersion>28.
This has been historically used by ART to compile secondary dex files
but that functionality has been removed in Q and the permission is
therefore not needed.

Some legacy apps do invoke dex2oat directly. Hence allow (with audit) for
targetSdkVersion<= 28.

Test: atest CtsSelinuxTargetSdk25TestCases
Test: atest CtsSelinuxTargetSdk27TestCases
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Bug: 117606664
Change-Id: I2ea9cd56861fcf280cab388a251aa53e618160e5
2018-11-19 23:47:39 +00:00
Nick Kralevich
83f25e26f9 Revert "Add placeholder iris and face policy for vold data directory"
This reverts commit 92bde4b941.

Reason for revert: Rebooting after OTA fails due to the
filesystem still seeing the old label on the device.

Bug: 116528212
Bug: 119747564
Change-Id: Ib5f920f85c7e305e89c377369dca038d2c6c738c
Test: rollback change
2018-11-19 15:00:19 -08:00
Dario Freni
7ad743b7ed Allow PackageManager to communicate to apexd.
This is used for querying the installed packages, as well as
coordinating the installations of packages.

Test: ran an app that queries PM, that queries apexd.
Bug: 117589375
Change-Id: I38203ffe6d0d312d6cc38e131a29c14ace0ba10c
2018-11-19 22:05:21 +00:00
Lalit Maganti
41ddb80cd8 Merge "sepolicy: add rules for traced_probes to capture stderr and kill atrace on timeout" 2018-11-19 21:54:28 +00:00
Florian Mayer
0f3decf2f5 Property to enable heap profile from process startup.
This is world-readable so it can be checked in libc's process init.

Test: m
Test: flash sailfish

Bug: 117821125

Change-Id: Iac7317ceb75b5ad9cfb9adabdf16929263fa8a9d
2018-11-19 21:52:43 +00:00
Treehugger Robot
e80631ff53 Merge "Add new cpu variant related rules to SELinux" 2018-11-19 21:37:32 +00:00
Hongyi Zhang
d600c0c380 allow system_server to read device_config_reset_performed_prop
system server reads this property to keep track of whether server
configurable flags have been reset during current boot.
system server needs this information to decide whether to perform
following disaster recovery actions on framework level.

the get_prop added in this cl in system_server.te is not grouped
in the same place as the set_prop in system_server.te in another
cl (https://android-review.googlesource.com/c/platform/system/sepolicy/+/828284).
This is because these 2 properties are serving for different purposes:
device_config_flags_health_check_prop is used to control features(so will be
all the future set_prop added by other feature teams under "# server configurable flags properties"),
while device_config_reset_performed_prop is used by our API's internal implementation.
So I feel like it might be clearer if I put this get_prop in a different place rather than
appending to "# server configurable flags properties".

Test: build suceeded.

Change-Id: I64379aa8f0bbe093969b98d62093696a32aabe59
2018-11-19 18:52:14 +00:00
Haibo Huang
544a0d5480 Add new cpu variant related rules to SELinux
I added ro.bionic.(2nd_)?_(arch|cpu_variant) to vendor system
properties. And have init to write them to files under dev/.

This change set SELinux rules for these properties and files.

For the system properties: vendor/default.prop will set them. init will
read them.
For the files /dev/cpu_variant:.*: init will write them. bionic libc
will read them. (Basically world readable).

This is to allow libc select the right optimized routine at runtime.
Like memcpy / strcmp etc.

Test: getprop to make sure the properties are set.
Test: ls -laZ to make sure /dev/cpu_variant:.* are correctly labeled.

Change-Id: I41662493dce30eae6d41bf0985709045c44247d3
2018-11-19 18:29:36 +00:00
Hongyi Zhang
745d3839e4 Merge "sepolicies for sys prop enabling flag health check" 2018-11-19 17:48:55 +00:00
Treehugger Robot
b1f6942c79 Merge "vold: remove access to /proc/net files" 2018-11-19 16:01:28 +00:00
Nicolas Geoffray
99ce20e52e Merge "Allow zygote to JIT." 2018-11-18 19:14:15 +00:00
Treehugger Robot
39a39054fb Merge "Audit /dev access that might no longer be needed after Treble" 2018-11-18 15:17:51 +00:00
Nicolas Geoffray
6949a392b3 Allow zygote to JIT.
bug: 110870380
Test: device boots, artificially creating a rwx mapping in zygote works.

Change-Id: I81a32b616a68f186867af25528a0348d1ad73a50
2018-11-17 19:46:11 +00:00
Bruno Martins
7bff13f9e8 sepolicy: Grant mediaextractor access to files over all types of sdcard fs
* Account for all possible sdcard-related filesystem types and not only
   sdcardfs:

   public/file.te:108:type fuse, sdcard_type, fs_type, mlstrustedobject;
   public/file.te:109:type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
   public/file.te:111:type vfat, sdcard_type, fs_type, mlstrustedobject;
   public/file.te:112:type exfat, sdcard_type, fs_type, mlstrustedobject;

Change-Id: Ic508397bf4ca66a002ada33ac3f600c17b8a1a10
2018-11-17 19:05:53 +00:00
Jiyong Park
b1feedc2b1 Allow domain to getattr on apex_mnt_dir
The dynamic linker calls realpath(3) on paths found in the linker config
script. Since realpath() calls lstat() on the parent paths, not allowing
getattr on /apex and its subdirectories will cause selinux denial spam
whenever something is executed from APEXes.

Silence the spam by allowing getattr on apex_mnt_dir.

Bug: 117403679
Bug: 115787633
Test: m apex.test; m; device is bootable

Change-Id: Ic659582760a3ae146e73770266bc64332b36a97c
2018-11-17 04:05:49 +00:00
Treehugger Robot
b16dcf5f87 Merge "Set filecontext for the test apex" 2018-11-17 03:52:26 +00:00
Nick Kralevich
1c5d223b16 vold: remove access to /proc/net files
The auditallow added in commit
7a4af30b38 ("Start the process of locking
down proc/net", May 04 2018), has not been triggered. This is safe to
delete.

Test: Policy compiles
Test: no collected SELinux denials
Bug: 68016944
Change-Id: Ib45519b91742d09e7b93bbaf972e558848691a80
2018-11-16 17:46:56 -08:00
Tri Vo
d918c8df78 Remove redundant cgroup type/labelings.
cgroup is labeled from genfs_contexts. Also, cgroup filesystems can't be
context mounted, i.e. it's not possible to mount them with a label other
than "cgroup".

Bug: 110962171
Test: m selinux_policy
Test: boot aosp_walleye
Change-Id: I8319b10136c42a42d1edaee47b77ad1698e87f2c
2018-11-17 01:24:49 +00:00
Tri Vo
fe14d483da Merge "Don't label /dev/cam from system sepolicy" 2018-11-17 01:12:02 +00:00
Tri Vo
3e09808915 Audit /dev access that might no longer be needed after Treble
Bug: 110962171
Test: boot aosp_walleye, aosp_blueline, no log spam from new audit
Change-Id: Ibeeb317e2cf15584395e3dbb73eb01b827e19a09
2018-11-16 17:05:16 -08:00
Treehugger Robot
c2f8f67bbf Merge "SEPolicy for InputFlinger Service." 2018-11-17 00:40:21 +00:00
Hongyi Zhang
da492f4fca sepolicies for sys prop enabling flag health check
device_config_flags_health_check_prop is used for enabling/disabling
program flags_health_check which is executed during device booting.
"1" means enabling health check actions in flags_health_check, other
values mean flags_health_check will not perform any action.

Test: build succeeded & manual test
Change-Id: I93739dc5d155e057d72d08fd13097eb63c1193b5
2018-11-17 00:09:36 +00:00
Treehugger Robot
6e92480d6c Merge "[SEPolicy] Name GPU service back to "gpu"" 2018-11-16 23:44:30 +00:00