Commit graph

22567 commits

Author SHA1 Message Date
Lee Shombert
bafd0c762a SELinux changes for the hasSystemFeature() binder cache property.
The binder_cache_system_server_prop context allows any user to read the
property but only the system_server to write it.  The only property with
this context is currently binder.cache_key.has_system_feature but users
will be added.

Bug: 140788621

Test: this was tested on an image with a binder cache implementation.  No
permission issues were found.  The implementation is not part of the current
commit.

Change-Id: I4c7c3ddf809ed947944408ffbbfc469d761a6043
2020-01-13 10:21:54 -08:00
Ashwini Oruganti
65d6fd48c8 Merge "priv_app: Remove rules for system_update_service" 2020-01-11 00:49:14 +00:00
Zimuzo Ezeozue
34a19b76ce Merge "Revert "Allow MediaProvider to host FUSE devices."" 2020-01-10 21:17:15 +00:00
Treehugger Robot
623fb38952 Merge "priv_app: Remove rules allowing a priv-app to ptrace itself" 2020-01-10 20:23:06 +00:00
Ashwini Oruganti
a40840daa8 priv_app: Remove rules for system_update_service
We added an auditallow for these permissions on 11/26/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.

Bug: 142672293
Test: TH
Change-Id: Ic2f68b3af861e0c00e2dea731c4d6b3255ab5175
2020-01-10 11:17:00 -08:00
Treehugger Robot
1f9ecdc894 Merge "Allow zygote to relabel CE and DE dirs from tmpfs to system_data_file" 2020-01-10 19:11:33 +00:00
Treehugger Robot
6df27928dd Merge "priv_app: Remove rules for storaged" 2020-01-10 14:49:32 +00:00
Ricky Wai
b2b7c02e7d Allow zygote to relabel CE and DE dirs from tmpfs to system_data_file
Also, allow zygote to scan dirs in /mnt/expand and relabel.

Test: No denials at boot
Test: No denials seen when creating mounts
Bug: 143937733
Change-Id: I86e77d27f5e9fb2f5852f787c7e5d9179c7404aa
2020-01-10 14:26:40 +00:00
Luke Huang
ddbfce2080 Merge "Make cronet file_contexts as "android:path" property" 2020-01-10 13:43:57 +00:00
Luke Huang
a63ba2a0a1 Make cronet file_contexts as "android:path" property
It follows examples of other APEX to make file_contexts of cronet
module as "android:path" property

Bug: 146416755
Test: atest cronet_e2e_tests
Test: atest CronetApiTest
Change-Id: I0608eb4bb43cee50f49217f19fb53f297fbf5ead
Merged-In: I0608eb4bb43cee50f49217f19fb53f297fbf5ead
2020-01-10 13:15:07 +00:00
Treehugger Robot
1fbac29eba Merge "Using macro "rx_file_perms" instead of "execute_no_trans"." 2020-01-10 09:23:21 +00:00
Treehugger Robot
88f2ed8186 Merge "Add Selinux rule to allow iorapd to execute compiler." 2020-01-10 08:27:26 +00:00
Ashwini Oruganti
2ba18e99d8 priv_app: Remove rules allowing a priv-app to ptrace itself
We added an auditallow for these permissions on 12/11/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.

Bug: 142672293
Test: TH
Change-Id: Iaeaef560883b61644625b21e5c7095d4d9c68da9
2020-01-09 13:37:30 -08:00
Ashwini Oruganti
75ccb46de7 priv_app: Remove rules for keystore
We added an auditallow for these permissions on 11/26/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.

Bug: 142672293
Test: TH
Change-Id: I18f99f54385b7c4e7c2ae923eff4c76800323a73
2020-01-09 13:23:40 -08:00
Yan Wang
67e8fcc902 Using macro "rx_file_perms" instead of "execute_no_trans".
Bug: 147320338
Test: Run the maintenance and check if the compiled is executed.
2020-01-09 13:23:01 -08:00
Ashwini Oruganti
d1a8f0dcb4 priv_app: Remove rules for storaged
We added an auditallow for these permissions on 11/26/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.

Bug: 142672293
Test: TH
Change-Id: I2a59cac8041646b548ba1a73fcd5fddabb4d1429
2020-01-09 13:02:38 -08:00
Yan Wang
7d844ee436 Add Selinux rule to allow iorapd to execute compiler.
Bug: 147320338
Test: Run the maintenance and check if the compiled is executed.
Change-Id: Idbd193483a106969a8a421150101efa00aee460d
2020-01-09 12:43:18 -08:00
Nikita Ioffe
0b099c801d Merge "Add userspace_reboot_config_prop property type" 2020-01-09 10:05:18 +00:00
Anton Hansson
7130e677ed Merge "Rename sdkext sepolicy to sdkextensions" 2020-01-09 08:46:08 +00:00
Treehugger Robot
4f362b1c68 Merge "priv_app: Remove rules for update_engine" 2020-01-08 23:21:27 +00:00
Nikita Ioffe
f596cc859b Add userspace_reboot_config_prop property type
This property type will be used for read-only userspace reboot related
properties that are used to configure userspace reboot behaviour, e.g.:
* timeout for userspace reboot watchdog;
* timeout for services to terminate;
* timeout for services to shutdown;
* etc.

Since all this configuration is device specific, vendor_init should be
able to set these properties.

Test: build/soong/soong_ui.bash \
  --make-mode \
  TARGET_PRODUCT=full \
  TARGET_BUILD_VARIANT=eng \
  droid \
  dist DIST_DIR=/tmp/buildbot/dist_dirs/aosp-master-linux-full-eng/funwithprops \
  checkbuild
Bug: 135984674
Bug: 147374477

Change-Id: I1f69980aea6020e788d5d2acaf24c0231939907c
2020-01-08 22:43:57 +00:00
Treehugger Robot
c66a329a48 Merge "priv_app.te: Remove auditallows for shell_data_file" 2020-01-08 22:26:38 +00:00
Jon Spivack
c8c6c0060e Merge "Add aidl_lazy_test_server" 2020-01-08 22:26:31 +00:00
Ashwini Oruganti
5d395b253c priv_app: Remove rules for update_engine
We added an auditallow for these permissions on 11/26/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.

Bug: 142672293
Test: TH
Change-Id: I554ace42852023521e94017b1e782b6a09129fdf
2020-01-08 13:54:38 -08:00
Ashwini Oruganti
977fdd98fe priv_app.te: Remove auditallows for shell_data_file
Looking at go/sedenials, we have learnt that other priv-apps rely on
this permission. The auditallow has served its purpose and can now be
removed.

Bug: 142672293
Test: TH
Change-Id: I9ba1cbfa9ae90ae64e78276e5c1a699aa2a7f864
2020-01-08 13:29:59 -08:00
Zimuzo Ezeozue
74a6730767 Revert "Allow MediaProvider to host FUSE devices."
This reverts commit b56cc6fb1f.

Reason for revert: Not necessary

Change-Id: I99d7df2435294e78b753149e20377e78c1c60d36
2020-01-08 20:54:28 +00:00
Tri Vo
0c687508d6 Merge "sepolicy: don't construct mappings for ignored types" 2020-01-08 20:53:22 +00:00
Andrei-Valentin Onea
5e4a45f403 Merge "Make platform_compat accessible on release builds." 2020-01-08 18:42:44 +00:00
Tri Vo
8c31ddf22e sepolicy: don't construct mappings for ignored types
Say, foo_type was introduced in 29.0 sepolicy and is in 29.0.ignore.cil.
Also assume (typeattributeset foo_type_29_0 (foo_type bar_type))

Make sure that above mapping is not expanded into 28.0.cil, 27.0.cil, etc.

Test: m selinux_policy
Test: build aosp/1199739
Change-Id: Ib564431ab67f555ea1ae650dc31a68121e9c6d84
2020-01-08 08:53:27 -08:00
Anton Hansson
b84133555a Rename sdkext sepolicy to sdkextensions
The module is getting renamed, so rename all the policy
relating to it at the same time.

Bug: 137191822
Test: presubmit
Change-Id: Ia9d966ca9884ce068bd96cf5734e4a459158c85b
Merged-In: Ia9d966ca9884ce068bd96cf5734e4a459158c85b
(cherry picked from commit 6505573c36)
2020-01-08 11:41:18 +00:00
Treehugger Robot
3e93ffb62f Merge "vendor_init can set config.disable_cameraservice" 2020-01-08 06:59:48 +00:00
Jon Spivack
ae2df6b5de Add aidl_lazy_test_server
This is a test service for testing dynamic start/stop of AIDL services. In order to test realistic use cases with SELinux enabled, it requires the same permissions as a regular service.

Bug: 147153962
Test: aidl_lazy_test aidl_lazy_test_1 aidl_lazy_test_2
Change-Id: Ifc3b2eaefba9c06c94f9cf24b4474107d4e26563
2020-01-07 15:11:03 -08:00
Ashwini Oruganti
86e110e688 gmscore_app: Enforce all rules for the domain
This change flips the switch and stops running gmscore_app in permissive
mode. Looking at the data in go/sedenials, we don't see any untracked
denial that isn't occurring for the priv_app domain as well. gmscore
should have all the necessary permissions it had was running in the
priv_app domain.

Bug: 142672293
Test: Build, flash, boot.
Change-Id: I0db56671cdfccbd79cd303bc2a819260ef7677fe
2020-01-07 10:53:49 -08:00
Robin Lee
cbfe879fe6 vendor_init can set config.disable_cameraservice
This had been settable by vendors up to and including Q release by
making config_prop avendor_init writeable. We don't allow this any
more. This should be a real vendor settable property now.

Bug: 143755062
Test: adb logcat -b all | grep cameraservice
Test: atest CtsCameraTestCases
Change-Id: Id583e899a906da8a8e8d71391ff2159a9510a630
2020-01-07 06:57:42 +00:00
Adam Shih
d5a0edd75e Grant appdomain access to app_api_service
The original idea was to compartmentalize services for apps to access.
ex. an app that manage display brightness should not have access to
audio service.

However, identifying all services is hard and we often end up granting
app_api_service in practice to avoid unexpected crashes.

Bug: 147198856
Test: Remove device app_api_service related sepolicy and related process
remain functional

Change-Id: I3aafcf1a91847a97c86f1d7992653b806a713bd4
2020-01-07 09:59:34 +08:00
Treehugger Robot
4c37de9b44 Merge "Don't run permissioncontroller_app in permissive mode" 2020-01-06 19:12:46 +00:00
Ashwini Oruganti
7d54f0367f Don't run permissioncontroller_app in permissive mode
Looking at go/sedenials, we're fairly confident that this domain has all
the necessary permissions. This change enforces all the defined rules
for the permissioncontroller_app domain and unsets the permissive mode.
Bug: 142672293
Test: Green builds, no new selinux denials.
Change-Id: Idaaf2f7aa88b2981f9fab2f74350a934fe415d71
2020-01-06 09:41:22 -08:00
Treehugger Robot
50c5d731e0 Merge "Add sepolicy for binderfs" 2020-01-06 16:09:45 +00:00
Jeff Vander Stoep
5357e7672a Temporarily whitelist system_server->storage denials
Make presubmit less flaky.

Bug: 145267097
Test: build
Change-Id: I45dd2f03a5db98fa70c950378538d32eb97a44df
2020-01-06 14:28:31 +01:00
Justin Yun
ed0a8ebe50 Revert "Revert "Define sepolicy for ro.product.vndk.version""
This reverts commit f536a60407.

Reason for revert: Resubmit the CL with the fix in vendor_init.te

Bug: 144534640
Test: lunch sdk-userdebug; m sepolicy_tests
Change-Id: I47c589c071324d8f031a0f7ebdfa8188869681e9
2020-01-06 15:12:14 +09:00
Justin Yun
f536a60407 Revert "Define sepolicy for ro.product.vndk.version"
This reverts commit 59e3983d1f.

Reason for revert: postsubmit fails in aosp/master

Change-Id: Icb10402ccdb6cff942a91adef341fe8f867f308a
2020-01-06 05:28:37 +00:00
Justin Yun
59e3983d1f Define sepolicy for ro.product.vndk.version
Define a new property_context vndk_prop for ro.product.vndk.version.
It is set by init process but public to all modules.

Bug: 144534640
Test: check if ro.product.vndk.version is set correctly.
Change-Id: If739d4e25de93d9ed2ee2520408e07a8c87d46fe
2020-01-06 11:08:23 +09:00
Ashwini Oruganti
6570d6d3c7 permissioncontroller_app: add a rule for IProxyService_service
Noticed denials in go/sedenials. This permission is currently granted to
priv_app via app_api_service.

Bug: 142672293
Test: TH
Change-Id: I9834044b2ba13b12694e88ae5cec8eb5c38c658c
2019-12-26 15:34:00 -08:00
Nikita Ioffe
2848fa4d8b Revert "Reland: "Add userspace_reboot_config_prop property type""
This reverts commit 7b53803b53.

Reason for revert: breaks build
Exempt-From-Owner-Approval: revert to fix broken build
Change-Id: Ic26ee0a8b0a54b86034970e2b18edf0b5f4ec46f
2019-12-26 16:14:45 +00:00
Nikita Ioffe
7b53803b53 Reland: "Add userspace_reboot_config_prop property type"
Only difference with
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1198254
is userspace_reboot_config_prop is now system_restricted_prop.

Marking it as system_internal_prop breaks build:
neverallow check failed at out/target/product/generic/obj/ETC/built_plat_sepolicy_intermediates/built_plat_sepolicy:11968 from system/sepolicy/public/property.te:230
(neverallow base_typeattr_210 base_typeattr_467 (file (ioctl read write create setattr lock relabelfrom append unlink link rename open watch watch_mount watch_sb watch_with_perm watch_reads)))
<root>
allow at out/target/product/generic/obj/ETC/built_plat_sepolicy_intermediates/built_plat_sepolicy:13021
(allow vendor_init base_typeattr_502 (file (read getattr map open)))

Test: flash && adb shell getprop ro.init.userspace_reboot.is_supported
Test: m checkbuild
Bug: 135984674
Change-Id: I6f54dcff8d9b62224f315452e9c320648422b5db
2019-12-24 12:44:36 +00:00
Jon Spivack
a2f0fdfddd Merge "binder_use: Allow servicemanager callbacks" 2019-12-23 20:04:33 +00:00
Jayachandran Chinnakkannu
3bd8767540 Revert "Add userspace_reboot_config_prop property type"
This reverts commit 8b570f0c60.

Reason for revert: b/146792618 multiple build breaks

Change-Id: Ieab05ce56826d2fc84d46940935705abd2e1a55f
2019-12-23 19:01:13 +00:00
Nikita Ioffe
8b570f0c60 Add userspace_reboot_config_prop property type
This type will be used for read-only properties used to configure
userspace reboot behaviour (e.g. whenever device supports it, watchdog
timeout, etc.).

Test: adb shell getprop ro.init.userspace_reboot.is_supported
Bug: 135984674
Change-Id: I387b2f2f6e3ca96c66c8fa3e6719d013d71f76c7
2019-12-23 15:10:40 +00:00
Treehugger Robot
8a40d6e70d Merge "sepolicy: new file_integrity_service" 2019-12-20 22:36:21 +00:00
Alan Stokes
c639fb6607 Merge "Don't audit data_mirror in dumpstate" 2019-12-20 10:16:16 +00:00