Commit graph

170 commits

Author SHA1 Message Date
Mark Salyzyn
d33a9a194b logd: restrict access to /dev/event-log-tags
Create an event_log_tags_file label and use it for
/dev/event-log-tags.  Only trusted system log readers are allowed
direct read access to this file, no write access.  Untrusted domain
requests lack direct access, and are thus checked for credentials via
the "plan b" long path socket to the event log tag service.

Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests
Bug: 31456426
Bug: 30566487
Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
2017-01-31 15:50:15 +00:00
Steven Moreland
cd597cd52a property: add persist.hal.binderization
- Added set_prop to shell so that you can set it from shell.
- Added set_prop to system_app so that it can be updated in settings.

Bug: 34256441
Test: can update prop from Settings and shell. nfc and lights work with
ag/1833821 with persist.hal.binderization set to on and off. There are
no additional selinux denials.
Change-Id: I883ca489093c1d56b2efa725c58e6e3f3b81c3aa
2017-01-26 06:06:24 +00:00
William Roberts
606d2fd665 te_macros: introduce add_service() macro
Introduce the add_service() macro which wraps up add/find
permissions for the source domain with a neverallow preventing
others from adding it. Only a particular domain should
add a particular service.

Use the add_service() macro to automatically add a neverallow
that prevents other domains from adding the service.

mediadrmserver was adding services labeled mediaserver_service.
Drop the add permission as it should just need the find
permission.

Additionally, the macro adds the { add find } permission which
causes some existing neverallow's to assert. Adjust those
neverallow's so "self" can always find.

Test: compile and run on hikey and emulator. No new denials were
found, and all services, where applicable, seem to be running OK.

Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-01-26 04:43:16 +00:00
Alex Klyubin
b68cee2576 1-arg variant of hal_impl_domain
This improves readability and consistency for HAL implementation
domains which have only one implementation.

Test: No change to policy according to sesearch
Test: No change to which types are associated with haldomain according to "sepolicy-analyze <sepolicy file> attribute haldomain"
Bug: 34180936
Change-Id: Ice599ea4971cdfbd8b835b1fd02ad1e14c7a0386
2017-01-17 16:34:02 -08:00
Alex Klyubin
f41d89eb24 Group all HAL impls using haldomain attribute
This marks all HAL domain implementations with the haldomain attribute
so that rules can be written which apply to all HAL implementations.

This follows the pattern used for appdomain, netdomain and
bluetoothdomain.

Test: No change to policy according to sesearch.
Bug: 34180936
Change-Id: I0cfe599b0d49feed36538503c226dfce41eb65f6
2017-01-17 11:20:49 -08:00
Mikhail Naganov
dd70dfbecf Allow audioserver to use IAllocator
Bug: 30222631
Change-Id: I30ad019872881e21f61a53e4397112ea0e99688b
2017-01-09 18:23:12 -08:00
Richard Uhler
c5c3abc6bc Remove option for non-pic dex preopt.
Test: make checkbuild, aosp_bullhead-userdebug boots.
Bug: 33192586

Change-Id: I386df8b6c04fb162f79a4409801ce3e882026ea8
2016-12-28 08:49:55 +00:00
Steven Moreland
72d18125c1 Sepolicy for allocator hal.
Bug: 32123421
Test: full build/test of allocator hal using hidl_test
Change-Id: I253b4599b6fe6e7f4a2f5f55b34cdeed9e5d769b
2016-12-22 11:39:23 -08:00
Steven Moreland
52b759777b Remove ENABLE_TREBLE from sepolicy.
Enabling/disabling sepolicy based on ENABLE_TREBLE is not granular
enough (ref: b/32978887 #4).

Bug: 32978887
Test: compiles, doesn't cause any additional denials on device. Nothing
depends on these things I'm removing.
Change-Id: I10acbde16e5e2093f2c9205ed79cd20caed7f44d
2016-12-21 12:29:02 -08:00
Glen Kuhne
9147a23835 hwbinder_use: allow for hwservicemanager callbacks.
In order for hal clients to use IServiceManager::registerForNotifications,
the hwservicemanager needs to be able to call into client processes.

Test: WIP
Bug: 33383725
Change-Id: I59470e9cd5cbeafda010fedc0b91eeb41280e0a1
2016-12-15 14:17:27 -08:00
dcashman
3e8dbf01ef Restore app_domain macro and move to private use.
app_domain was split up in commit: 2e00e6373f to
enable compilation by hiding type_transition rules from public policy.  These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware.  Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.

(cherry-pick of commit: 76035ea019)

Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
2016-12-08 14:42:43 -08:00
dcashman
2e00e6373f sepolicy: add version_policy tool and version non-platform policy.
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-12-06 08:56:02 -08:00
Nick Kralevich
d070b67190 Remove "eng" macro
Never used.

Test: policy compiles.
Change-Id: I0ce6c46bb05925a4b3eda83531b28f873b0c9b99
2016-11-27 16:03:26 -08:00
Nick Kralevich
07c3a5a522 Move to ioctl whitelisting for /dev/pts/* files
In particular, get rid of TIOCSTI, which is only ever used for exploits.

http://www.openwall.com/lists/oss-security/2016/09/26/14

Bug: 33073072
Bug: 7530569
Test: "adb shell" works
Test: "adb install package" works
Test: jackpal terminal emulator from
      https://play.google.com/store/apps/details?id=jackpal.androidterm&hl=en
      works
Change-Id: I96b5e7059d106ce57ff55ca6e458edf5a4c393bf
2016-11-22 18:59:38 -08:00
Nick Kralevich
11dc03e5a2 access_vectors: Remove unused permission definitions
Description stolen from
42a9699a9f

Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0.  Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.

Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }

Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }

Test: policy compiles and no boot errors (marlin)
Change-Id: Idaef2567666f80db39c3e3cee70e760e1dac73ec
2016-11-21 23:41:18 +00:00
Jorge Lucangeli Obes
2899434716 Add WITH_DEXPREOPT_PIC to 'with_dexpreopt' SELinux macro.
|WITH_DEXPREOPT_PIC = false| will still cause code to be loaded from
/data.

Bug: 32970029
Test: On HiKey and Marlin:
Test: Add |WITH_DEXPREOPT_PIC = false|, see SELinux denial.
Test: Apply this CL, no SELinux denials.
Change-Id: I0a1d39eeb4d7f75d84c1908b879d9ea1ccffba74
2016-11-21 11:57:08 -05:00
Jorge Lucangeli Obes
84db84e6cd Use with_dexpreopt macro for zygote execute permissions.
When WITH_DEXPREOPT is set, the zygote does not need to execute
dalvikcache_data_file objects.

Bug: 32970029
Test: Add policy line inside macro, build with and without WITH_DEXPREOPT.
Test: HiKey builds, boots, no zygote denials.
Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
2016-11-18 14:22:37 -05:00
Jeff Vander Stoep
f579ef15a8 Rename macros for (non)binderized HALs
Test: builds
Bug: 32243668
Change-Id: I1ad4b53003462e932cf80b6972db1520dc66d735
2016-10-26 10:04:18 -07:00
Jeff Vander Stoep
d733d161cf Add macros for treble and non-treble only policy
Test: builds
Change-Id: Idd1d90a89a9ecbb2738d6b483af0e8479e87aa15
2016-10-19 15:05:05 -07:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00
Renamed from te_macros