Commit graph

26 commits

Author SHA1 Message Date
Roshan Pius
d42c7571aa sepolicy: Remove offload HAL sepolicy rules
This is unused currently & there are no concrete plans to use it
in the future.

Bug: 130080335
Test: Device boots up & connects to networks.
Test: Will send for regression tests
Change-Id: I785389bc2c934c8792c8f631362d6aa0298007af
Merged-In: I785389bc2c934c8792c8f631362d6aa0298007af
(cherry picked from commit 56dfc06397)
2020-05-08 11:17:12 +09:00
Ryan Savitski
ffa0dd93f3 perf_event: rules for system and simpleperf domain
This patch adds the necessary rules to support the existing usage of
perf_event_open by the system partition, which almost exclusively
concerns the simpleperf profiler. A new domain is introduced for some
(but not all) executions of the system image simpleperf. The following
configurations are supported:
* shell -> shell process (no domain transition)
* shell -> debuggable app (through shell -> runas -> runas_app)
* shell -> profileable app (through shell -> simpleperf_app_runner ->
                            untrusted_app -> simpleperf)
* debuggable/profile app -> self (through untrusted_app -> simpleperf)

simpleperf_app_runner still enters the untrusted_app domain immediately
before exec to properly inherit the categories related to MLS. My
understanding is that a direct transition would require modifying
external/selinux and seapp_contexts as with "fromRunAs", which seems
unnecessarily complex for this case.

runas_app can still run side-loaded binaries and use perf_event_open,
but it checks that the target app is exactly "debuggable"
(profileability is insufficient).

system-wide profiling is effectively constrained to "su" on debug
builds.

See go/perf-event-open-security for a more detailed explanation of the
scenarios covered here.

Tested: "atest CtsSimpleperfTestCases" on crosshatch-user/userdebug
Tested: manual simpleperf invocations on crosshatch-userdebug
Bug: 137092007
Change-Id: I2100929bae6d81f336f72eff4235fd5a78b94066
2020-01-15 16:56:41 +00:00
Kenny Root
76ea325a3d Support Resume on Reboot
When an OTA is downloaded, the RecoverySystem can be triggered to store
the user's lock screen knowledge factor in a secure way using the
IRebootEscrow HAL. This will allow the credential encrypted (CE)
storage, keymaster credentials, and possibly others to be unlocked when
the device reboots after an OTA.

Bug: 63928581
Test: make
Test: boot emulator with default implementation
Test: boot Pixel 4 with default implementation
Change-Id: I1f02e7a502478715fd642049da01eb0c01d112f6
2019-12-09 14:25:04 -08:00
Amy
89b4bbd4d8 Tuner Hal 1.0 Enable ITuner service
Test: cuttlefish
Bug: 135708935
Change-Id: Ica063458860df45f0e2ab640a2ab35cd4da3da8e
2019-08-14 11:22:09 -07:00
Maciej Żenczykowski
ae68bf23b6 dontaudit su unlabeled:vsock_socket *
Fix for:
  type=1400 audit(): avc: denied { getopt } for comm=73657276657220736F636B6574 scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=vsock_socket
  type=1400 audit(): avc: denied { setopt } for comm=73657276657220736F636B6574 scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=vsock_socket
  type=1400 audit(): avc: denied { read } for comm="adbd" scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=vsock_socket
  type=1400 audit(): avc: denied { write } for comm="adbd" scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=vsock_socket

Test: now less audit warnings!
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I3bd1b2262dc6dcb099403d24611db66aac9aecb0
2019-05-06 14:36:39 -07:00
Tri Vo
a532088e7f Decouple system_suspend from hal attributes.
System suspend service is not a HAL, so avoid using HAL-specific macros
and attributes.

Use system_suspend_server attribute for ISystemSuspend.hal permissions.
Use system_suspend type directly for internal .aidl interface
permissions.

Bug: 126259100
Test: m selinux_policy
Test: blueline boots; wakelocks can still be acquired; device suspends
if left alone.
Change-Id: Ie811e7da46023705c93ff4d76d15709a56706714
2019-02-26 18:10:28 -08:00
Jeff Vander Stoep
3b9fad192a Remove unused *_tmpfs types
Apps now all share the appdomain_tmpfs type.

Bug: 122854450
Test: boot Blueline with memfd enabled.
Change-Id: I5eac0adc7ecd10d19aa1bdf5f72efc7ed2a3a548
2019-01-30 21:54:40 +00:00
Jeff Vander Stoep
41a2abfc0d Properly Treble-ize tmpfs access
This is being done in preparation for the migration from ashmem to
memfd. In order for tmpfs objects to be usable across the Treble
boundary, they need to be declared in public policy whereas, they're
currently all declared in private policy as part of the
tmpfs_domain() macro. Remove the type declaration from the
macro, and remove tmpfs_domain() from the init_daemon_domain() macro
to avoid having to declare the *_tmpfs types for all init launched
domains. tmpfs is mostly used by apps and the media frameworks.

Bug: 122854450
Test: Boot Taimen and blueline. Watch videos, make phone calls, browse
internet, send text, install angry birds...play angry birds, keep
playing angry birds...

Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358
Merged-In: I20a47d2bb22e61b16187015c7bc7ca10accf6358
(cherry picked from commit e16fb9109c)
2019-01-26 17:30:41 +00:00
Siarhei Vishniakou
41a871ba84 Permissions for InputClassifier HAL
Add the required permissions for the InputClassifier HAL.

Bug: 62940136
Test: no selinux denials in logcat when HAL is used inside input flinger.
Change-Id: Ibc9b115a83719421d56ecb4bca2fd196ec71fd76
2019-01-11 02:08:19 +00:00
Nick Kralevich
a194d3757a Tighten up handling of new classes
1b1d133be5 added the process2 class but
forgot to suppress SELinux denials associated with these permissions
for the su domain. Suppress them.

Ensure xdp_socket is in socket_class_set, so the existing dontaudit rule
in su.te is relevant. Inspired by
66a337eec6

Add xdp_socket to various other neverallow rules.

Test: policy compiles.
Change-Id: If5422ecfa0cc864a51dd69559a51d759e078c8e7
2018-11-16 03:10:14 -08:00
Wei Wang
bc71a6109e Add atrace HAL 1.0 sepolicy
Bug: 111098596
Test: atrace/systrace

(cherry picked from commit 9ed5cf6e43)

Change-Id: I97772ff21754d03a0aea0d53b39e8da5312a17c0
2018-09-27 23:18:29 +00:00
Nick Kralevich
5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00
Tri Vo
dac2a4a3a4 Sepolicy for system suspend HAL.
Bug: 78888165
Test: device can boot with HAL running.
Change-Id: I3bf7c8203e038b892176c97ec006152a2904c7be
2018-08-13 17:26:34 -07:00
Nick Kralevich
690be8e80d suppress some su related denials
The su domain is always permissive. Operations which occur in this
domain should never be logged.

Addresses the following denials:

  type=1400 audit(0.0:864): avc: denied { module_load } for comm="insmod" path="/data/lcd.ko.gz" dev="sda21" ino=143150 scontext=u:r:su:s0 tcontext=u:object_r:system_data_file:s0 tclass=system permissive=1
  type=1400 audit(0.0:858): avc: denied { module_load } for comm="insmod" path="/vendor/lib/modules/lcd.ko" dev="sda9" ino=880 scontext=u:r:su:s0 tcontext=u:object_r:vendor_file:s0 tclass=system permissive=1
  type=1400 audit(0.0:37495): avc: denied { prog_run } for comm="ip6tables" scontext=u:r:su:s0 tcontext=u:r:bpfloader:s0 tclass=bpf permissive=1
  type=1400 audit(0.0:31): avc: denied { map_create } for comm="netd_unit_test" scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=bpf permissive=1
  type=1400 audit(0.0:32): avc: denied { map_read map_write } for comm="netd_unit_test" scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=bpf permissive=1

Test: policy compiles
Change-Id: I490c8566577fde64bdd0201bb8f9112ff6ac96d4
2018-08-13 10:56:49 -07:00
Roshan Pius
d7b34a48ff sepolicy(hostapd): Add a HIDL interface for hostapd
* Note on cherry-pick: Some of the dependent changes are not in AOSP.
In order to keep hostapd running correctly in AOSP, I've modified this
change to only include policy additions.

Change sepolicy permissions to now classify hostapd as a HAL exposing
HIDL interface.

Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd:
12-27 23:40:55.913  4952  4952 W hostapd : type=1400 audit(0.0:19): avc:
denied { write } for name="hostapd" dev="sda13" ino=4587601
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

01-02 19:07:16.938  5791  5791 W hostapd : type=1400 audit(0.0:31): avc:
denied { search } for name="net" dev="sysfs" ino=30521
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0

Bug: 36646171
Test: Device boots up and able to turn on SoftAp.
Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947
Merged-In: Ibacfcc938deab40096b54b8d0e608d53ca91b947
(cherry picked from commit 5bca3e860d)
2018-05-04 21:36:24 +00:00
Andrew Scull
64f35fa01e authsecret HAL policies.
Bug: 71527305
Test: compile and boot
Change-Id: I91097bd62d99b8dd9eb6f53060badbaf0f4b8b4a
(cherry picked from commit 1aedf4b5f8)
2018-02-05 11:19:46 +00:00
Ruchi Kandoi
8a2b4a783e SE Policy for Secure Element app and Secure Element HAL
Test: App startup on boot
Change-Id: I7740aafc088aadf676328e3f1bb8db5175d97102
2018-01-29 21:31:42 +00:00
Janis Danisevskis
97c56bdd78 Added default policy for Confirmation UI HAL
Bug: 63928580
Test: Manually tested.

Change-Id: If6bb10cb7c009883d853e46dcdeb92cd33877d53
2018-01-24 10:22:40 -08:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Sandeep Patil
35e308cf71 Make sure all public types are defined regardless of build variants
The types need to be exported so userdebug system.img
can still build the policy with a user vendor.img at boot time.
All permissions and attributes for these types are still kept under
conditional userdebug_or_eng macro

Bug: 37433251
Test: Boot sailfish-user build with generic_arm64_ab system.img on
      sailfish and make sure sepolicy compilation succeeds

Change-Id: I98e8428c414546dfc74641700d4846edcf9355b1
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-21 12:34:12 -07:00
Dan Cashman
2f1c7ba75e Remove vndservice_manager object classes.
vndservicemanager is a copy of servicemanager, and so has the exact
same properties.  This should be reflected in the sharing of an object
manager in SELinux policy, rather than creating a second one, which is
effectively an attempt at namespacing based on object rather than type
labels.  hwservicemanager, however, provides different and additional
functionality that may be reflected in changed permissions, though they
currently map to the existing servicemanager permissions.  Keep the new
hwservice_manager object manager but remove the vndservice_manager one.

Bug: 34454312
Bug: 36052864
Test: policy builds and device boots.
Change-Id: I9e0c2757be4026101e32ba780f1fa67130cfa14e
2017-04-18 12:40:44 -07:00
Martijn Coenen
3ea47b9249 Add hwservice_contexts and support for querying it.
hwservicemanager can check hwservice_contexts files
both from the framework and vendor partitions.

Initially, have a wildcard '*' in hwservice_contexts
that maps to a label that can be added/found from
domain. This needs to be removed when the proper policy
is in place.

Also, grant su/shell access to hwservicemanager list
operations, so tools like 'lshal' continue to work.

Bug: 34454312
Test: Marlin boots
Change-Id: I3a02d97a82458692b528d85c1b8e78b6f82ea1bc
2017-04-12 18:07:12 -07:00
Martijn Coenen
cf741dd7ff Allow 'su' domain access to vndbinder.
For example, for listing vndbinder services
using 'adb shell service -v list'

Test: adb shell service -v list
Bug: 36987120
Change-Id: Ibf3050710720ae4c920bc4807c9a90ba43717f3b
2017-04-06 18:14:39 -07:00
Josh Gao
cb3eb4eef9 Introduce crash_dump debugging helper.
Replace the global debuggerd with a per-process debugging helper that
gets exec'ed by the process that crashed.

Bug: http://b/30705528
Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>`
Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed
2017-01-18 15:03:24 -08:00
dcashman
3e8dbf01ef Restore app_domain macro and move to private use.
app_domain was split up in commit: 2e00e6373f to
enable compilation by hiding type_transition rules from public policy.  These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware.  Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.

(cherry-pick of commit: 76035ea019)

Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
2016-12-08 14:42:43 -08:00
dcashman
2e00e6373f sepolicy: add version_policy tool and version non-platform policy.
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-12-06 08:56:02 -08:00