Commit graph

102 commits

Author SHA1 Message Date
Kweku Adams
49733255fb Allowing incidentd to get stack traces from processes. am: 985db6d8dd
am: 5f98693a77

Change-Id: Iaeaaeb8195e2ffcbf148b1764d57d4e1c7da6f4f
2018-04-04 09:13:58 -07:00
Kweku Adams
985db6d8dd Allowing incidentd to get stack traces from processes.
Bug: 72177715
Test: flash device and check incident output
Change-Id: I16c172caec235d985a6767642134fbd5e5c23912
2018-04-04 16:00:23 +00:00
Janis Danisevskis
3de9cd9515 Keystore needs to be able to call apps
The ConfirmationUI API has a callback interface by which confirmation
results are presented to the calling app. This requires keystore to call
into apps.

Test: Device boots and no more denials when call back is delivered to
      apps.
Bug: 63928580
Change-Id: Ie23211aeb74c39956c3c3b8b32843d35afa1315a
2018-03-27 14:24:57 -07:00
Janis Danisevskis
a290f5760e Keystore needs to be able to call apps
The ConfirmationUI API has a callback interface by which confirmation
results are presented to the calling app. This requires keystore to call
into apps.

Test: Device boots and no more denials when call back is delivered to
      apps.
Bug: 63928580
Change-Id: Ie23211aeb74c39956c3c3b8b32843d35afa1315a
2018-03-27 14:23:20 -07:00
Jeff Vander Stoep
9eb53c1c40 Merge "te_macros: remove print macro" am: 4ca98248ca am: 3f5dd22418
am: eca4e2d48f

Change-Id: Ie67323b905f4240b2c0b4571051bfd15951b3081
2018-02-02 21:09:51 +00:00
Jeff Vander Stoep
d28c0569ee te_macros: remove print macro
aosp/605217 adds the following lines:
genfscon tracefs /options/print-tgid u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/print-tgid u:object_r:debugfs_tracing:s0

However, the m4 pre-processing step of selinux policy compilation outputs:
genfscon tracefs /options/-tgid u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/-tgid u:object_r:debugfs_tracing:s0

And as a result of the "print" it prints:
m4: system/sepolicy/private/genfs_contexts: 177:
m4: system/sepolicy/private/genfs_contexts: 203:

Due to the following macro:
https://android.googlesource.com/platform/system/sepolicy/+/oreo-mr1-dev/public/te_macros#580

This change removes the now-deprecated print macro to unblock
aosp/605217.

Bug: 72862003
Test: verify that the m4 output for aosp/605217 is correct.
Change-Id: Ia4ec96e16b98e8df241cceb64e3f3b7bea9a7f3d
2018-02-02 09:21:24 -08:00
Jaekyun Seok
e0909f482c Merge "Whitelist exported platform properties" am: 70d2bb432a am: 42f8d7b27a
am: f00d05634b

Change-Id: Id6276f733fb5d52b2437927e13343d40c7d53007
2018-01-10 23:53:09 +00:00
Jaekyun Seok
e49714542e Whitelist exported platform properties
This CL lists all the exported platform properties in
private/exported_property_contexts.

Additionally accessing core_property_type from vendor components is
restricted.
Instead public_readable_property_type is used to allow vendor components
to read exported platform properties, and accessibility from
vendor_init is also specified explicitly.

Note that whitelisting would be applied only if
PRODUCT_COMPATIBLE_PROPERTY is set on.

Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e
2018-01-10 16:15:25 +00:00
Jeff Vander Stoep
6828bb1db4 Fix CTS regressions am: 6a28b68d54 am: 7dc46564d0
am: d5931d9773

Change-Id: Ic4eb8ed411864915d479c8a520a14119c818f196
2017-11-22 05:04:04 +00:00
Jeff Vander Stoep
7dc46564d0 Fix CTS regressions
am: 6a28b68d54

Change-Id: I774787b48c0b5f6f20313ee6f9c8062db4072e84
2017-11-22 04:58:48 +00:00
Jeff Vander Stoep
6a28b68d54 Fix CTS regressions
Commit 7688161 "hal_*_(client|server) => hal(client|server)domain"
added neverallow rules on hal_*_client attributes while simultaneously
expanding these attribute which causes them to fail CTS neverallow
tests. Remove these neverallow rules as they do not impose specific
security properties that we want to enforce.

Modify Other neverallow failures which were imposed on hal_foo
attributes and should have been enforced on hal_foo_server attributes
instead.

Bug: 69566734
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed
    remaining failure appears to be caused by b/68133473
Test: build taimen-user/userdebug

Change-Id: I619e71529e078235ed30dc06c60e6e448310fdbc
2017-11-22 04:54:41 +00:00
Jeffrey Vander Stoep
45f7f00ccc Revert "Fix CTS regressions" am: cd69bebf76 am: 51aba79e3a
am: 7a1af95822

Change-Id: I19c63133e7ecf5dbbb9feeac9efc72d627448af2
2017-11-21 20:44:33 +00:00
Jeffrey Vander Stoep
51aba79e3a Revert "Fix CTS regressions"
am: cd69bebf76

Change-Id: I6f3c20144c971d5040ee325e8bc0e9cff70085a0
2017-11-21 20:39:58 +00:00
Jeffrey Vander Stoep
cd69bebf76 Revert "Fix CTS regressions"
This reverts commit ed876a5e96.

Fixes user builds.
libsepol.report_failure: neverallow on line 513 of system/sepolicy/public/domain.te (or line 9149 of policy.conf) violated by allow update_verifier misc_block_device:blk_file { ioctl read write lock append open }; 
libsepol.check_assertions: 1 neverallow failures occurred 
Error while expanding policy
Bug: 69566734
Test: build taimen-user
Change-Id: I969b7539dce547f020918ddc3e17208fc98385c4
2017-11-21 20:27:47 +00:00
Jeff Vander Stoep
989f6b0e04 Fix CTS regressions am: ed876a5e96 am: c76a25c106
am: 32663d46d1

Change-Id: I17de5133481362dc5d8d102745c31fc8b0e797cd
2017-11-21 19:10:03 +00:00
Jeff Vander Stoep
c76a25c106 Fix CTS regressions
am: ed876a5e96

Change-Id: Ic41e1b997968acfd68ade6e9b9901a4dd9b8d2d2
2017-11-21 19:04:54 +00:00
Jeff Vander Stoep
ed876a5e96 Fix CTS regressions
Commit 7688161 "hal_*_(client|server) => hal(client|server)domain"
added neverallow rules on hal_*_client attributes while simultaneously
expanding these attribute which causes them to fail CTS neverallow
tests. Remove these neverallow rules as they do not impose specific
security properties that we want to enforce.

Modify Other neverallow failures which were imposed on hal_foo
attributes and should have been enforced on hal_foo_server attributes
instead.

Bug: 69566734
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed
    remaining failure appears to be caused by b/68133473
Change-Id: I83dcb33c3a057f126428f88a90b95f3f129d9f0e
2017-11-21 18:06:20 +00:00
Benjamin Gordon
65214c688a Merge "sepolicy: Add rules for non-init namespaces" am: b9ea282c65 am: d41e616199
am: 44957a90f3

Change-Id: I363639d2cdf70b1772da3d6c7f7c814554063dfc
2017-11-21 17:47:23 +00:00
Benjamin Gordon
d41e616199 Merge "sepolicy: Add rules for non-init namespaces"
am: b9ea282c65

Change-Id: I77676d7adb39747b9195489ef83d72e57cdb3b59
2017-11-21 17:43:02 +00:00
Benjamin Gordon
9b2e0cbeea sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-21 08:34:32 -07:00
Xin Li
c667a0ed64 Merge commit 'd9664064dd09ae254aa3e6ce28fec5fde68c1fb6' into HEAD
Change-Id: Icec8dfff5cff17cf1b557882db62b148a7218b98
2017-11-14 11:46:58 -08:00
TreeHugger Robot
29c7ef84c3 Merge "Remove userbuild macro" 2017-11-07 01:32:16 +00:00
William Roberts
6d7a5ae0f8 Merge "te_macros: add map to tpmfs_domain" am: e39e948390
am: 2001a8f3d1

Change-Id: I484086841ef21651f76b0689cf711e38224cd97d
2017-11-07 00:49:00 +00:00
Jeff Vander Stoep
31f158fdbe Remove userbuild macro
It's unnecessary.

Test: build Marlin
Change-Id: Ice80c51fb319de033b788bc3e5e6d4a2c2e07462
2017-11-06 15:46:16 -08:00
William Roberts
87cba6e883 te_macros: add map to tpmfs_domain
domain based tmpfs file access has getattr, read and write.

However newer kernels support map. Add this map permission so they
can use mmap based access.

Test: build test.

Change-Id: I2e128967e10a1332b3c1c908550360a52fbceaf8
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-11-06 22:36:29 +00:00
Dan Cashman
df5469d864 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-27 18:55:47 -07:00
Jeff Vander Stoep
4bf8710a06 Merge "Add userbuild() macro for user-build-only policy" into oc-mr1-dev am: 8c8994f50b
am: 6395a91b0f

Change-Id: I95926f376ebb42c9b3109e7dec1245b19b4e438a
2017-09-27 19:41:42 +00:00
Jeff Vander Stoep
6395a91b0f Merge "Add userbuild() macro for user-build-only policy" into oc-mr1-dev
am: 8c8994f50b

Change-Id: I5327bcea18feabc38427948fcfa0e505846629e4
2017-09-27 19:39:44 +00:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Jeff Vander Stoep
994cbf4d39 Add userbuild() macro for user-build-only policy
Particularly useful for suppressing selinux logspam for debug-only
permissions.

Bug: 65843095
Test: build, boot, and run tests on user and userdebug builds.
Change-Id: I18ce0b2cf1e96ca037e93309dddb476a150b677f
2017-09-26 12:31:50 -07:00
Steven Moreland
7688161c12 hal_*_(client|server) => hal(client|server)domain
Test: only a compile-time change (adds neverallow rules), so, did
     m -j sepolicy on the following targets:
  - marlin
  - sailfish
  - 2017 devices
Bug: 36162501
Change-Id: I1092aff40da9dcf09bd044400bedd1f549eb7e38
2017-09-07 21:18:27 +00:00
John Stultz
9f3f378450 sepolicy: Define and allow map permission for vendor dir
This patch tries to provide similar functionality as the previous
change made here:
https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/432339/

Only, making sure we add the same map permissions for the vendor
directory.

Signed-off-by: John Stultz <john.stultz@linaro.org>

(cherry picked from commit 24537b2e96)

Bug: 65011018
Test: policy compiles.
Change-Id: I4d0319011ef4ef043134bf299dc4823a6c418717
2017-08-24 09:01:56 -07:00
John Stultz
d15ac5ba36 sepolicy: Define and allow map permission for vendor dir am: 24537b2e96 am: e63f7f32ac
am: 01cd12a0d6

Change-Id: I4318fedbee9c45b7a3b738743dfac59a76329336
2017-08-23 15:07:56 +00:00
John Stultz
24537b2e96 sepolicy: Define and allow map permission for vendor dir
This patch tries to provide similar functionality as the previous
change made here:
https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/432339/

Only, making sure we add the same map permissions for the vendor
directory.

Change-Id: Ia965df2881cdee8bb5d81278a1eb740def582871
Signed-off-by: John Stultz <john.stultz@linaro.org>
2017-08-23 05:41:36 +00:00
Nick Kralevich
457c08cc0b Validate no-cross-domain /proc/PID access am: 7a46380969 am: 881fe06f34
am: 25d4a090ed

Change-Id: I4e9bd171ca88b955d3ae2a7217336a9fa2b103fe
2017-08-11 19:22:00 +00:00
Nick Kralevich
881fe06f34 Validate no-cross-domain /proc/PID access
am: 7a46380969

Change-Id: Iba80938afccd21f0c3b69626223b35c672358e77
2017-08-11 19:17:29 +00:00
Nick Kralevich
7a46380969 Validate no-cross-domain /proc/PID access
Android uses hidepid=2 to restrict visibility to other /proc entries on
the system. This helps preserve user, application, and system
confidentiality by preventing unauthorized access to application metadata,
and addresses attacks such as
http://www.cs.ucr.edu/~zhiyunq/pub/sec14_android_activity_inference.pdf

Ensure the SELinux (weaker) equivalent is being enforced by adding
neverallow compile time assertions.

TODO: The "shell" user runs as both an Android application, as well as
spawned via adb shell. This was a mistake. We should separate out the
"shell" Android app into it's own SELinux domain. For now, exclude the
shell from this assertion. (The shell Android app is covered by
hidepid=2, so there's no leaking of data, but still, it's over
privileged today and should be cleaned up.

Bug: 23310674
Test: policy compiles. Compile time assertion only.
Change-Id: I0e1a6506b2719aabf7eb8127f046c4ada947ba90
2017-08-11 10:05:22 -07:00
Josh Gao
fde0e02a2c crash_dump_fallback: allow writing to system_server pipes.
Allow mediacodec/mediaextractor to write to system_server pipes during
ANR dumps.

Addresses the following denials:
avc: denied { write } for comm="mediaextractor" path="pipe:[1177610]" dev="pipefs" ino=1177610 scontext=u:r:mediaextractor:s0 tcontext=u:r:system_server:s0 tclass=fifo_file permissive=0
avc: denied { write } for comm="omx@1.0-service" path="pipe:[1175808]" dev="pipefs" ino=1175808 scontext=u:r:mediacodec:s0 tcontext=u:r:system_server:s0 tclass=fifo_file permissive=0

Bug: http://b/63801592
Test: treehugger
Change-Id: I944b1fa76c70402607ccd903be17dbddeaa73201
(cherry picked from commit 3c9b91977d)
2017-07-20 20:14:05 +00:00
Josh Gao
326ea2216a crash_dump_fallback: allow writing to system_server pipes. am: 3c9b91977d am: 762a2b85ab
am: ba10fd49f6

Change-Id: I095d29e9319e65c988aeed6a4e916b055857b511
2017-07-20 18:54:53 +00:00
Josh Gao
762a2b85ab crash_dump_fallback: allow writing to system_server pipes.
am: 3c9b91977d

Change-Id: If292e297a21af84c35131ed42c2a65658bec2ed9
2017-07-20 18:30:39 +00:00
Josh Gao
3c9b91977d crash_dump_fallback: allow writing to system_server pipes.
Allow mediacodec/mediaextractor to write to system_server pipes during
ANR dumps.

Addresses the following denials:
avc: denied { write } for comm="mediaextractor" path="pipe:[1177610]" dev="pipefs" ino=1177610 scontext=u:r:mediaextractor:s0 tcontext=u:r:system_server:s0 tclass=fifo_file permissive=0
avc: denied { write } for comm="omx@1.0-service" path="pipe:[1175808]" dev="pipefs" ino=1175808 scontext=u:r:mediacodec:s0 tcontext=u:r:system_server:s0 tclass=fifo_file permissive=0

Bug: http://b/63801592
Test: treehugger
Change-Id: I944b1fa76c70402607ccd903be17dbddeaa73201
2017-07-20 01:14:16 +00:00
Stephen Smalley
090a64a5d5 Merge "sepolicy: Define and allow map permission" am: 770214abda am: 90f46dd922
am: 5724715380

Change-Id: Iadf138fc64bad940308cb01b3a3b8159b8b33704
2017-07-13 17:09:30 +00:00
Stephen Smalley
90f46dd922 Merge "sepolicy: Define and allow map permission"
am: 770214abda

Change-Id: I253dad49662831625a17162b18f013e0b4a87af4
2017-07-13 17:04:02 +00:00
Stephen Smalley
4397f08288 sepolicy: Define and allow map permission
Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap")
added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation).  The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific files
for which we need to ensure that every access is revalidated, particularly
useful for scenarios where we expect the file to be relabeled at runtime
in order to reflect state changes (e.g. cross-domain solution, assured
pipeline without data copying).  The kernel commit is anticipated to
be included in Linux 4.13.

This change defines map permission for the Android policy.  It mirrors
the definition in the kernel classmap by adding it to the common
definitions for files and sockets.  This will break compatibility for
kernels that predate the dynamic class/perm mapping support (< 2.6.33);
on such kernels, one would instead need to add map permission
to the end of each file and socket access vector.

This change also adds map permission to the global macro definitions for
file permissions, thereby allowing it in any allow rule that uses these
macros, and to specific rules allowing mapping of files from /system
and executable types. This should cover most cases where it is needed,
although it may still need to be added to specific allow rules when the
global macros are not used.

Test: Policy builds

Change-Id: Iab3ccd2b6587618e68ecab58218838749fe5e7f5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-10 16:31:23 -04:00
Jeff Vander Stoep
5f5aa96286 Preserve attributes needed for CTS
Change fb889f23d "Force expand all hal_* attributes" annotated all
hal_* attributes to be expanded to their associated types. However
some of these attributes are used in CTS for neverallow checking.
Mark these attributes to be preserved.

In addition, remove the hacky workaround introduced in oc-dev
for b/62658302 where extraneous neverallow rules were introduced
to prevent unused or negated attributes from being auto-expanded
from policy.

Bug: 62658302
Bug: 63135903
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    armeabi-v7a CtsSecurityHostTestCases completed in 4s.
    501 passed, 0 failed, 0 not executed
Merged-In: I989def70a16f66e7a18bef1191510793fbe9cb8c
Change-Id: I989def70a16f66e7a18bef1191510793fbe9cb8c
2017-07-05 23:06:35 +00:00
Jeff Vander Stoep
4b7cf4fba1 Suppress su access to pdx sockets
Su runs in permissive mode and denials should be suppressed.

avc: denied { getattr } for scontext=u:r:su:s0
tcontext=u:object_r:pdx_display_client_endpoint_socket:s0
tclass=unix_stream_socket permissive=1
avc: denied { getattr } for scontext=u:r:su:s0
tcontext=u:object_r:pdx_display_manager_endpoint_socket:s0
tclass=unix_stream_socket permissive=1
avc: denied { getattr } for scontext=u:r:su:s0
tcontext=u:object_r:pdx_display_vsync_endpoint_socket:s0
tclass=unix_stream_socket permissive=1
avc: denied { getattr } for scontext=u:r:su:s0
tcontext=u:object_r:pdx_bufferhub_client_endpoint_socket:s0
tclass=unix_stream_socket permissive=1
avc: denied { getattr } for scontext=u:r:su:s0
tcontext=u:object_r:pdx_performance_client_endpoint_socket:s0
tclass=unix_stream_socket permissive=1

Bug: 35197529
Test: policy builds
Change-Id: Ia643c6e776e5e5bd473d857d523c3be91d32c40a
2017-06-26 16:33:14 -07:00
Dan Cashman
939b50ff61 Add extraneous neverallow rule to enforce attribute inclusion.
Due to the massively increased number of attributes in SELinux policy
as part of the treble changes, we have had to remove attributes from
policy for performance reasons.  Unfortunately, some attributes are
required to be in policy to ensure that our neverallow rules are being
properly enforced.  Usually this is not a problem, since neverallow rules
indicate that an attribute should be kept, but this is not currently the
case when the attribute is part of a negation in a group.

This is particularly problematic with treble since some attributes may
exist for HALs that have no implementation, and thus no types.  In
particular, this has caused an issue with the neverallows added in our
macros.  Add an extraneous neverallow rule to each of those auto-generated
neverallow rules to make sure that they are not removed from policy, until
the policy compiler is fixed to avoid this.  Also add corresponding rules
for other types which have been removed due to no corresponding rules.

Bug: 62591065
Bug: 62658302
Test: Attributes present in policy and CTS passes.  sepolicy-analyze also
works on platform-only policy.
Change-Id: Ic3fc034cdbd04a94167f8240cf562297e8d7c762
2017-06-16 11:19:53 -07:00
Josh Gao
715955b78a crash_dump_fallback: allow dumpstate:pipe_file write.
It appears that selinux requires the write permission to receive
a writable pipe from dumpstate, for unclear reasons. Add the permission
for now.

Bug: http://b/62297059
Test: dumpstate
Merged-In: I0f25682177115aacd5c2203ddc0008228b0380ad
Change-Id: I0f25682177115aacd5c2203ddc0008228b0380ad
(cherry picked from commit 7aa085233a)
2017-06-05 17:26:29 -07:00
Josh Gao
7aa085233a crash_dump_fallback: allow dumpstate:pipe_file write.
It appears that selinux requires the write permission to receive
a writable pipe from dumpstate, for unclear reasons. Add the permission
for now.

Bug: http://b/62297059
Test: dumpstate
Change-Id: I0f25682177115aacd5c2203ddc0008228b0380ad
2017-06-05 14:50:31 -07:00
Josh Gao
2a00056a95 crash_dump_fallback: allow dumpstate:fd use.
Bug: http://b/62297059
Test: mma
Merged-In: Ibcd93e5554a9c2dd75fbfb42294fbc9b96ebc8cc
Change-Id: Ibcd93e5554a9c2dd75fbfb42294fbc9b96ebc8cc
(cherry picked from commit 17885f148d)
2017-06-02 15:04:29 -07:00