Allow init the ability to relabel recovery block devices. In the case
where we have recovery as a chain partition, due to its presence in
early mount node, init, in first stage itself would require relabel
permissions for the restorecon operation on recovery block device.
Bug: 73642793
Test: On bootup, recovery partition gets the appropriate se-label.
Perform OTA on non-A/B device with recovery as chain partition,
now the recovery partition gets upgraded successfully, now that
it has the correct se-label.
Change-Id: I370c510320e78ab78c9c55573073415b4983d0f6
This required for kernel to do loopback mounts on filesystem
images created by the kernel system call tests in LTP.
Add a corresponding neverallow to stop all domains from accessing
the location at /data/local/tmp/ltp.
Bug: 73220071
Test: Boot sailfish successfully
Test: run vts-kernel -m VtsKernelLtp -t syscalls.fchown04
Change-Id: I73f5f14017e22971fc246a05751ba67be4653bca
Signed-off-by: Sandeep Patil <sspatil@google.com>
This changes tracefs files to be default-enabled in debug mode, but
default-disabled with specific files enabled in user mode.
Bug: 64762598
Test: Successfully took traces in user mode.
Change-Id: I572ea22253e0c1e42065fbd1d2fd7845de06fceb
Init tries to write /proc/sys/vm/min_free_order_shift but fails due to
a SELinux denial. This gives the file a new label and gives init the
ability to write it.
Test: Build and booted Sailfish (a couple of days ago).
Change-Id: Ic93862b85c468afccff2019d84b927af9ed2a84d
This reverts commit 640e595a68. The
corresponding code in libcutils was removed, so this is now unneeded.
Bug: 71632076
Test: aosp_sailfish still works
Change-Id: I615bab83e9a83bc14439b8ab90c00d3156b0a7c4
Some necessary sepolicy rule changes for init process to create directory,
mount cgroupv2 module and mount bpf filesystem. Also allow netd to create
and pin bpf object as files and read it back from file under the
directory where bpf filesystem is mounted.
Test: bpf maps show up under /sys/fs/bpf/
Change-Id: I579d04f60d7e20bd800d970cd28cd39fda9d20a0
Allow init to create a serialized property_info file and allow all
processes to read it.
Bug: 36001741
Test: boot bullhead, walleye using property_info
Change-Id: Ie51d4c0f0221b128dd087029c811fda15b4d7093
Now that creating a symlink automatically sets its context,
init needs permission to create this file.
Bug: 69965807
Test: Booted device and tested wifi and camera.
Change-Id: I41f5ca8f4d877312c9b2a909001fe9cd80c3d458
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.
This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.
This is essentially:
1. New global_capability_class_set and global_capability2_class_set
that match capability+cap_userns and capability2+cap2_userns,
respectively.
2. s/self:capability/self:global_capability_class_set/g
3. s/self:capability2/self:global_capability2_class_set/g
4. Add cap_userns and cap2_userns to the existing capability_class_set
so that it covers all capabilities. This set was used by several
neverallow and dontaudit rules, and I confirmed that the new
classes are still appropriate.
Test: diff new policy against old and confirm that all new rules add
only cap_userns or cap2_userns;
Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831
Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
Bug: 62378620
Test: Android in Chrome OS can call uevent_kernel_recv() and not fail
with EIO.
Test: bullhead networking still works
Change-Id: I4dd5d2148ee1704c4fa23d7fd82d1ade19b58cbd
avc: denied { relabelto } for pid=1 comm="init" name="misc" dev="tmpfs" ino=3855 scontext=u:r:init:s0 tcontext=u:object_r:misc_block_device:s0 tclass=lnk_file
If misc partition is used during early mount, it will carry a label of
tmpfs (instead of block_device), which will fail restorecon with the
above denial.
Bug: 65378733
Test: Build and flash a target that uses misc in early mount. No longer
observe the above denial.
Change-Id: I44cd43dbd2a8a4f9f423ebc8ac0dd046b167ef72
Add /dev/kmsg_debug on userdebug devices, to allow crash_dump to log
crashes to dmesg when logd isn't up yet (or is the one crashing).
Bug: http://b/36574794
Test: stop tombstoned; crasher; dmesg
Change-Id: I6ffe11bc613e88198893e82712719522b74fe1be
Test: I solemnly swear I tested this conflict resolution.
Merged-In: Ia28707ec565a0792bc882fbffe9e8ab9968535f5
Change-Id: I1f087fe5e7a71761a16673331619f52998473b44
This should improve performance, as file_contexts is slower than
genfs_contexts.
Bug: 62413700
Test: Built, flashed, and booted Sailfish. Verified that the
files have the correct context and that wifi, web, and atrace work.
Merged-In: Ia28707ec565a0792bc882fbffe9e8ab9968535f5
Change-Id: I9546f3af3c95e3443684ae4764881b69987611ef
In libprocessgroup, we want to only send signals once to processes,
particularly for SIGTERM. We must send the signal both to all
processes within a POSIX process group and a cgroup. To ensure that
we do not duplicate the signals being sent, we check the processes in
the cgroup to see if they're in the POSIX process groups that we're
killing. If they are, we skip sending a second signal. This requires
getpgid permissions, hence this SELinux change.
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1
Bug: 37853905
Bug: 62418791
Test: Boot, kill zygote, reboot
Change-Id: Ib6c265dbaac8833c47145ae28fb6594ca8545570
In the init scripts for socket, the type can have a suffix of
"+cred" to request that the socket be bound to report SO_PASSCRED
credentials on socket transactions. Here we add socket setopt
to selinux rules.
Test: gTest logd-unit-tests --gtest_filter=logd.statistics right after boot
(fails without logd.rc change)
Bug: 37985222
Change-Id: I37cdf7eea93c3e8fa52964e765eaf3007e431b1f
This adds neverallow rules which enforce the prohibition on
communication between framework and vendor components over VendorBinder.
This prohibition is similar in spirit to the one for Binder
communications.
Most changes consist of adding neverallow rules, which do not affect
runtime behavior. The only change which does affect runtime behavior
is the change which takes away the right of servicemanager domain to
transfer Binder tokens to hwservicemanager and vndservicemanager. This
grant was there by accident (because it was overly broad) and is not
expected to be needed: servicemanager, hwservicemanager, and
vndservicemanager are not supposed to be communicating with each
other.
P. S. The new neverallow rules in app_neverallows.te are covered by
the new rules in domain.te. The rules were nevertheless added to
app_neverallows.te for consistency with other *Binder rules there.
Test: mmm system/sepolicy
Bug: 37663632
Change-Id: I7c2ae23924bf0f2fed3f1e3a8d4d603129286329
Bug: 36463595
Test: Boot sailfish and make sure all vendor services that are shell scripts
work. (Checke exited status)
Change-Id: I3d1d564114a914dec8179fb93a9e94493c2808da
Signed-off-by: Sandeep Patil <sspatil@google.com>
These were previously in device specific sepolicies.
They should be in core sepolicy to reflect their
use by a core init file, init.usb.configfs.rc.
Addresses denial:
init : type=1400 audit(0.0:135): avc: denied { unlink } for name="f1"
dev="configfs" ino=10923 scontext=u:r:init:s0
tcontext=u:object_r:configfs:s0 tclass=lnk_file permissive=0
Test: denial addressed
Change-Id: I869892f9d0c311b727462fb380f4160feb986215
Add /dev/kmsg_debug on userdebug devices, to allow crash_dump to log
crashes to dmesg when logd isn't up yet (or is the one crashing).
Bug: http://b/36574794
Test: stop tombstoned; crasher; dmesg
Change-Id: I249e11291c58fee77098dec3fd3271ea23363ac9
The CL splits /vendor labeling from /system. Which was allowing all
processes read, execute access to /vendor.
Following directories will remain world readable
/vendor/etc
/vendor/lib(64)/hw/
Following are currently world readable but their scope
will be minimized to platform processes that require access
/vendor/app
/vendor/framework/
/vendor/overlay
Files labelled with 'same_process_hal_file' are allowed to be
read + executed from by the world. This is for Same process HALs and
their dependencies.
Bug: 36527360
Bug: 36832490
Bug: 36681210
Bug: 36680116
Bug: 36690845
Bug: 36697328
Bug: 36696623
Bug: 36806861
Bug: 36656392
Bug: 36696623
Bug: 36792803
All of the tests were done on sailfish, angler, bullhead, dragon
Test: Boot and connect to wifi
Test: Run chrome and load websites, play video in youtube, load maps w/
current location, take pictures and record video in camera,
playback recorded video.
Test: Connect to BT headset and ensure BT audio playback works.
Test: OTA sideload using recovery
Test: CTS SELinuxHostTest pass
Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029
Signed-off-by: Sandeep Patil <sspatil@google.com>
sepolicy files need to be explicitly labeled as they are now split
cross system and vendor and won't have the generic world readable
'system_file' or 'rootfs' label.
Bug: 36527360
Test: no new 'sepolicy_file' denials at boot complete on sailfish
Test: successfully booted into recovery without denials and sideloaded
OTA update.
Test: Launch 'chrome' and succesfully load a website.
Test: Launch Camera and take a picture.
Test: Launch Camera and record a video, succesfully playback recorded
video
Change-Id: I6fe8ba31588c2d75521c6e2b0bf7e6d6eaf80a19
Signed-off-by: Sandeep Patil <sspatil@google.com>
file_context files need to be explicitly labeled as they are now split
across system and vendor and won't have the generic world readable
'system_file' label.
Bug: 36002414
Test: no new 'file_context' denials at boot complete on sailfish
Test: successfully booted into recovery without denials and sideloaded
OTA update.
Test: ./cts-tradefed run singleCommand cts --skip-device-info \
--skip-preconditions --skip-connectivity-check --abi \
arm64-v8a --module CtsSecurityHostTestCases -t \
android.security.cts.SELinuxHostTest#testAospFileContexts
Change-Id: I603157e9fa7d1de3679d41e343de397631666273
Signed-off-by: Sandeep Patil <sspatil@google.com>
Bug: 35979722
Test: angler boot with UART on and set sys.wifitracing.started to 0 after boot
Test: no more avc errors on debugfs
Change-Id: I91d98428aaec915b3206535559a0c096e6de1603
Fix restorecon failue on second call
Bug: 35803475
Test: angler boot with UART on and set sys.wifitracing.started to 0 after boot
Change-Id: Ia5496fcba031616297fa0a4c0f45e3ece0b4d662
early mounted block device are created by 'init' in its first stage, so
the following restorecon() now finds device nodes and their corresponding
symlinks. The CL adds rule to make sure the block and
system_block_devices can be relabeled by init in this case.
Bug: 35792677
Bug: 27805372
Test: tested ota using 'adb sideload' on sailfish
Change-Id: I7d9d89878919c1267bf3c74f0cdbb4367b5ad458
Signed-off-by: Sandeep Patil <sspatil@google.com>
Previously, we'd restricted WifiService's use of
the kernel's tracing feature to just userdebug_or_eng
builds.
This restriction was in place because the feature
had not yet been reviewed from a privacy perspective.
Now that the feature has passed privacy review, enable
the feature on all builds.
Note that other safeguards remain in place (on all
builds):
- The set of events to be monitored is configured by
init, rather than WifiService (part of system_server).
This privilege separation prevents a compromised
system_server from tracing additional information.
- The trace events are kept only in RAM, until/unless
WifiService receives a dump request. (This would happen,
for example, in the case of adb dumpsys, or generating
a bugreport.)
Bug: 35679234
Test: manual (see below)
Manual test details:
- flash device
- connect device to a wifi network
$ adb shell dumpsys wifi | grep rdev_connect
[should see at least one matching line]
Change-Id: I85070054857d75177d0bcdeb9b2c95bfd7e3b6bc
For early mount we end up creating the device nodes for partitions
under /dev/block before selinux is initialized. Which means, that
restorecon_recursive on /dev/block will have to relabel these nodes
and their symlinks.
This change adds the rule to allow init do the same.
b/27805372
Test: boot marlin / sailfish with early mount device node creation
but mount partitions using the default 'mountall' without any selinux
denials.
Change-Id: Ib9335f3f961d485d2120a175dbdbf85d6f70b160
Signed-off-by: Sandeep Patil <sspatil@google.com>
On boot, Android runs restorecon on a number of virtual directories,
such as /sys and /sys/kernel/debug, to ensure that the SELinux labels
are correct. To avoid causing excessive boot time delays, the restorecon
code aggressively prunes directories, to avoid recursing down directory
trees which will never have a matching SELinux label.
See:
* https://android-review.googlesource.com/93401
* https://android-review.googlesource.com/109103
The key to this optimization is avoiding unnecessarily broad regular
expressions in file_contexts. If an overly broad regex exists, the tree
pruning code is ineffective, and the restorecon ends up visiting lots of
unnecessary directories.
The directory /sys/kernel/debug/tracing contains approximately 4500
files normally, and on debuggable builds, this number can jump to over
9000 files when the processing from wifi-events.rc occurs. For
comparison, the entire /sys/kernel/debug tree (excluding
/sys/kernel/debug/tracing) only contains approximately 8000 files. The
regular expression "/sys/kernel(/debug)?/tracing/(.*)?" ends up matching
a significant number of files, which impacts boot performance.
Instead of using an overly broad regex, refine the regex so only the
files needed have an entry in file_contexts. This list of files is
essentially a duplicate of the entries in
frameworks/native/cmds/atrace/atrace.rc .
This change reduces the restorecon_recursive call for /sys/kernel/debug
from approximately 260ms to 40ms, a boot time reduction of approximately
220ms.
Bug: 35248779
Test: device boots, no SELinux denials, faster boot.
Change-Id: I70f8af102762ec0180546b05fcf014c097135f3e
auditallows have been in place for a while, and no obvious denials.
Remove domain_deprecated from init.te
While I'm here, clean up the formatting of the lines in
domain_deprecated.te.
Bug: 28760354
Test: policy compiles and device boots. No obvious problems.
Change-Id: Ia12e77c3e25990957abf15744e083eed9ffbb056
Init has access to a number of character devices inherited via
domain.te. Exclude those character devices from the auditallow
logging.
In addition, init has access to a number of character devices explicitly
listed in init.te. Exclude those from auditallow logging too.
Addresses various auditallow spam, including:
avc: granted { read open } for comm="init" path="/dev/urandom"
dev="tmpfs" ino=1197 scontext=u:r:init:s0
tcontext=u:object_r:random_device:s0 tclass=chr_file
avc: granted { read open } for comm="init" path="/dev/ptmx" dev="tmpfs"
ino=1294 scontext=u:r:init:s0 tcontext=u:object_r:ptmx_device:s0
tclass=chr_file
avc: granted { read } for comm="init" name="keychord" dev="tmpfs"
ino=1326 scontext=u:r:init:s0 tcontext=u:object_r:keychord_device:s0
tclass=chr_file
avc: granted { read open } for comm="init" path="/dev/keychord"
dev="tmpfs" ino=1326 scontext=u:r:init:s0
tcontext=u:object_r:keychord_device:s0 tclass=chr_file
and others not covered above.
Bug: 35197529
Bug: 33347297
Test: policy compiles and no auditallow denials.
Change-Id: Id869404a16c81c779943e9967eb32da226b6047e
