These APIs expose sensitive information via timing side channels. This
leaves access via the adb shell intact along with the current uses by
dumpstate, init and system_server.
The /proc/interrupts and /proc/stat files were covered in this paper:
https://www.lightbluetouchpaper.org/2016/07/29/yet-another-android-side-channel/
The /proc/softirqs, /proc/timer_list and /proc/timer_stats files are
also relevant.
Access to /proc has been greatly restricted since then, with untrusted
apps no longer having direct access to these, but stricter restrictions
beyond that would be quite useful.
Change-Id: Ibed16674856569d26517e5729f0f194b830cfedd
Since there is "write /proc/sys/vm/overcommit_memory 1" line in init.rc
Change-Id: I5899d2802e7fa56b438a06d4cadb4eb6827bfe16
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
am: 0b26e99b68
* commit '0b26e99b6870dc6ae5b9bc146b83c9537f9a5dc1':
sepolicy: add support for new tracefs
Change-Id: I9189f98cb7cff87c412c7b3e09030c723b70abd7
Since kernel 4.1 ftrace is supported as a new separate filesystem. It
gets automatically mounted by the kernel under the old path
/sys/kernel/debug/tracing. Because it lives now on a separate device
some sepolicy rules need to be updated. This patch is doing that. Most
of the rules are created based on a conversation happened on the SELinux
Android mailing list:
http://comments.gmane.org/gmane.comp.security.seandroid/2799
Note, that this also needs 3a343a1 from the 4.4 branch in kernel/common.
Also note that when tracefs is auto mounted by the kernel, the kernel
does not use the "mode" parameter specified to mount debugfs for
tracefs. So an extra line like
chmod 0755 /sys/kernel/debug/tracing
is necessary in init.${ro.hardware}.rc after debugfs was mounted.
Change-Id: I60fb7a90e24628e0370c3bca57644451fce5646d
Signed-off-by: Christian Poetzsch <christian.potzsch@imgtec.com>
avc: denied { read } for name="device" dev="sysfs" ino=36099 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_rmtfs:s0 tclass=lnk_file
init is already allowed to read directories, this is an obvious omission.
Change-Id: I5131a84bb67e73aaed235c3cbab95c365eaaa2f0
Some of the init allow rules were well passed 100 characters and
were difficult to read. Format them to use the one-per-line
set subtraction format as seen in other locations within sepolicy.
Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When using the A/B updater, a device specific hook is sometimes needed
to run after the new partitions are updated but before rebooting into
the new image. This hook is referred to throughout the code as the
"postinstall" step.
This patch creates a new execution domain "postinstall" which
update_engine will use to run said hook. Since the hook needs to run
from the new image (namelly, slot "B"), update_engine needs to
temporarly mount this B partition into /postinstall and then run a
program from there.
Since the new program in B runs from the old execution context in A, we
can't rely on the labels set in the xattr in the new filesystem to
enforce the policies baked into the old running image. Instead, when
temporarily mounting the new filesystem in update_engine, we override
all the new file attributes with the new postinstall_file type by
passing "context=u:object_r:postinstall_file:s0" to the mount syscall.
This allows us to set new rules specific to the postinstall environment
that are consistent with the rules in the old system.
Bug: 27177071
TEST=Deployed a payload with a trivial postinstall script to edison-eng.
(cherry picked from commit 6cb2c893b1)
Change-Id: I49a529eecf1ef0524819470876ef7c8c2659c7ef
When using the A/B updater, a device specific hook is sometimes needed
to run after the new partitions are updated but before rebooting into
the new image. This hook is referred to throughout the code as the
"postinstall" step.
This patch creates a new execution domain "postinstall" which
update_engine will use to run said hook. Since the hook needs to run
from the new image (namelly, slot "B"), update_engine needs to
temporarly mount this B partition into /postinstall and then run a
program from there.
Since the new program in B runs from the old execution context in A, we
can't rely on the labels set in the xattr in the new filesystem to
enforce the policies baked into the old running image. Instead, when
temporarily mounting the new filesystem in update_engine, we override
all the new file attributes with the new postinstall_file type by
passing "context=u:object_r:postinstall_file:s0" to the mount syscall.
This allows us to set new rules specific to the postinstall environment
that are consistent with the rules in the old system.
Bug: 27177071
TEST=Deployed a payload with a trivial postinstall script to edison-eng.
Change-Id: Ib06fab92afb45edaec3c9c9872304dc9386151b4
Since linux 3.18, commit 68c4a4f8abc60c9440ede9cd123d48b78325f7a3 has
been integrated and requires syslog_read capability a process accessing
console-ramoops file.
sepolicy must be adapted to this new requirement.
Change-Id: Ib4032a6bd96b1828a0154edc8fb510e3c1d3bdc2
Signed-off-by: Sylvain Chouleur <sylvain.chouleur@intel.com>
This will allow init to terminate services cleanly (SIGTERM, wait,
SIGKILL) when needed.
Bug: 26216447
Test: manual: init is able to send a SIGTERM signal without denials.
Change-Id: Id2471ca08c0b011be64a36956628e965bc999bc6
Needed to disable tracing. See frameworks/native/cmds/atrace/atrace.rc
Also allow shell getattr access to the tracing file. That way
"ls -la" returns something meaningful.
Bug: 26217098
Change-Id: I4eee1aff1127db8945612133c8ae16c34cfbb786
Add initial support for labeling files on /sys/kernel/debug.
The kernel support was added in https://android-review.googlesource.com/122130
but the userspace portion of the change was never completed until now.
Start labeling the file /sys/kernel/debug/tracing/trace_marker . This
is the trace_marker file, which is written to by almost all processes
in Android. Allow global write access to this file.
This change should be submitted at the same time as the system/core
commit with the same Change-Id as this patch.
Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d
Properties are now broken up from a single /dev/__properties__ file into
multiple files, one per property label. This commit provides the
mechanism to control read access to each of these files and therefore
sets of properties.
This allows full access for all domains to each of these new property
files to match the current permissions of /dev/__properties__. Future
commits will restrict the access.
Bug: 21852512
Change-Id: Ie9e43968acc7ac3b88e354a0bdfac75b8a710094
Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.
Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
For userdebug and eng builds enforce that:
- only logd and shell domains may access logd files
- logd is only allowed to write to /data/misc/logd
Change-Id: Ie909cf701fc57109257aa13bbf05236d1777669a
Revert the neverallow change portion of
356df32778, in case others need to
do dynamic policy updates.
(cherrypicked from commit e827a8ab27)
Bug: 22885422
Bug: 8949824
Change-Id: If0745e7f83523377fd19082cfc6b33ef47ca0647
Remove the ability to dynamically update SELinux policy on the
device.
1) This functionality has never been used, so we have no idea if
it works or not.
2) If system_server is compromised, this functionality allows a
complete bypass of the SELinux policy on the device. In particular,
an attacker can force a regression of the following patch
* https://android-review.googlesource.com/138510
see also https://code.google.com/p/android/issues/detail?id=181826
3) Dynamic policy update can be used to bypass neverallow protections
enforced in CTS, by pushing a policy to the device after certification.
Such an updated policy could bring the device out of compliance or
deliberately introduce security weaknesses.
(cherrypicked from commit e827a8ab27)
Bug: 22885422
Bug: 8949824
Change-Id: I802cb61fd18a452a2bb71c02fe57cfce5b7e9dc8
Add a neverallow rule (compile time assertion) for /data/local/tmp
access. /data/local/tmp is intended entirely for the shell user, and
it's dangerous for other SELinux domains to access it. See, for example,
this commit from 2012:
f3ef1271f2
Change-Id: I5a7928ae2b51a574fad4e572b09e60e05b121cfe
Init never uses / add service manager services. It doesn't make
sense to allow these rules to init. Adding a rule of this type
is typically caused by a process inappropriately running in init's
SELinux domain, and the warning message:
Warning! Service %s needs a SELinux domain defined; please fix!
is ignored.
In addition, add neverallow rules to domain.te which prevent
nonsense SELinux service_manager rules from being added.
Change-Id: Id04a50d1826fe451a9ed216aa7ab249d0393cc57
- Enable logpersistd to write to /data/misc/logd
- Enable logpersistd to read from pstore to help complete any content
lost by reboot disruption
- Enable shell readonly ability logpersistd files in /data/misc/logd
- Enable logcat -f when placed into logd context to act as a
logpersistd (nee logcatd) agent, restrict access to run only in
userdebug or eng
Bug: 19608716
Change-Id: I3209582bc796a1093c325c90068a48bf268e5ab5
This reverts commit c450759e8e.
There was nothing wrong with this change originally --- the companion
change in init was broken.
Bug: http://b/19702273
Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387