Grant access to icmp_socket to netdomain. This was previously
labeled as rawip_socket which apps are allowed to use. Neverallow
all other new socket types for apps.
Kernels versions > 4.9 redefine ICMP sockets from rawip_socket
to icmp_socket. To pass neverallow tests, we need to define
which IOCTLs are allowed (and disallowed).
Note that this does not change behavior on devices with
kernel versions <=4.9. However, it is necessary (although not
sufficient) to pass CTS on kernel version 4.14.
Bug: 110520616
Test: Grant icmp_socket in net.te and build.
Change-Id: I5c7cb6867d1a4cd1554a8da0d55daa8e06daf803
For 4.14+ kernels, we need map permissions for vendor_config_files,
for things like kernel loaded firmware blobs, etc.
Change-Id: I8144c50b0239aedf4124569003187cc50c963080
Signed-off-by: John Stultz <john.stultz@linaro.org>
Legacy hardware and code still depends on the ueventd helpers to
locate the firmware supported files which are on new mount path
labeled with mnt_vendot_file. For ueventd helper to work we need dir search
and read permission on this new label so moving ueventd to exempted list.
Already ueventd has the vendor_file_type read access.
Bug:110083808
Change-Id: Ia15cc39ecef9e29b4f1f684efdddbeb78b427988
(breaks vendor blobs, will have to be regenerated
after this CL)
This moves mediacodec to vendor so it is replaced with
hal_omx_server. The main benefit of this is that someone
can create their own implementation of mediacodec without
having to alter the one in the tree. mediacodec is still
seccomp enforced by CTS tests.
Fixes: 36375899
Test: (sanity) YouTube
Test: (sanity) camera pics + video
Test: check for denials
Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e
In particular, add assertions limiting which processes may
directly open files owned by apps. Reduce this to just apps, init,
and installd. App data is protected by a combination of selinux
permissions and Unix permissions, so limiting the open permission to
just apps (which are not allowed to have CAP_DAC_OVERRIDE or
CAP_DAC_READ_SEARCH) ensures that only installd and init have
complete access an app's private directory.
In addition to apps/init/installd, other processes currently granted
open are mediaserver, uncrypt, and vold. Uncrypt's access appears to
be deprecated (b/80299612). Uncrypt now uses /data/ota_package
instead. b/80418809 and b/80300620 track removal for vold and
mediaserver.
Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit
messages in the logs.
Bug: 80190017
Bug: 80300620
Bug: 80418809
Fixes: 80299612
Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
shipping API version:
For devices shipped on O-MR1 nothing changes, data is stored
under /data/system/users/<user-id>/fpdata/...
Devices shipped from now on will instead store fingerprint data under
/data/vendor_de/<user-id>/fpdata.
Support for /data/vendor_de and /data/vendor_ce has been added to vold.
Bug: 36997597
Change-Id: Ibc7cc33b756f64abe68a749c0ada0ca4f6d92514
Merged-In: Ibc7cc33b756f64abe68a749c0ada0ca4f6d92514
Test: manually
(cherry picked from commit 6116daa71a)
to workaround some VTS VtsKernelLtp failures introduced by
change on vfs_iter_write here:
abbb65899a%5E%21/#F3
for discussion please check threads here:
https://www.mail-archive.com/seandroid-list@tycho.nsa.gov/msg03348.html
Sandeep suggest to re-order the events in that thread,
that should be the right solution,
this change is only a tempory workaround before that change.
Test: manually with -m VtsKernelLtp -t VtsKernelLtp#fs.fs_fill_64bit
Change-Id: I3f46ff874d3dbcc556cfbeb27be21878574877d1
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.
To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.
Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
navigate maps, send text message, make voice call, make video call.
Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest
Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f)
Vendor public libs are exposed to apps (not system), and their ABI
stability is guaranteed by vendor. Introducing new selinux type so that
we don't conflate concepts of same-process HAL and vendor public lib.
The former is exposed to all domains, while the latter should only be
acessible by apps.
Bug: 76413554
Test: build-only change, policy builds
Change-Id: I89dad351374f46c7fe2726991eb4c05064c37ed5
Currently, when vendor APK try to use MediaPlayer to play its audio
resource, it would fail due to this neverallow rules.
avc: denied { read } for path="/vendor/app/TicFitness/TicFitness.apk" dev="dm-1" ino=183 scontext=u:r:mediaserver:s0 tcontext=u:object_r:vendor_app_file:s0 tclass=file permissive=0
Bug: 78436043
Change-Id: Id910184c16955f9e4e4c8d3bb6eca2253ab59063
FBE needs to access these files to set up or verify encryption for
directories during mkdir.
Bug: 77850279
Test: walleye + more restrictions continues to have FBE work
Change-Id: I84e201436ce4531d36d1257d932c3e2e772ea05e
(cherry picked from commit 18a284405f)
The out-of-tree keychord driver is only intended for use by init.
Test: build
Bug: 64114943
Bug: 78174219
Change-Id: I96a7fbcd9a54a38625063606f5c4ab6d40d701f6
After adding a new user, deleting it, and rebooting, some of the user's data still remained. This adds the SELinux permissions necessary to remove all of the data. It fixes the followign denials:
avc: denied { rmdir } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
avc: denied { unlink } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
Bug: 74866238
Test: Create user, delete user, reboot user, see no denials or
leftover data.
Change-Id: Ibc43bd2552b388a9708bf781b5ad206f21df62dc
dumpstate needs to read all the system properties for debugging.
Bug: 77277669
Test: succeeded building and tested with taimen
Change-Id: I3603854b3be67d4fc55d74f7925a21bfa59c81ee
Vendors may use this to write custom messages to their bootloader, and
as the bootloader is under vendor control, this makes sense to allow.
Bug: 77881566
Test: build
Change-Id: I78f80400e5f386cad1327a9209ee1afc8e334e56
cgroupfs doesn't allow files to be created, so this can't be needed.
Also remove redundant neverallow and dontaudit rules. These are now
more broadly handled by domain.te.
Bug: 74182216
Test: Denials remain silenced.
Change-Id: If7eb0e59f567695d987272a2fd36dbc251516e9f
(cherry picked from commit 8e8c109350)
See also go/perfetto-io-tracing-security.
* Grant CAP_DAC_READ_SEARCH to traced_probes.
* Allow traced_probes to list selected labels.
* Change ext4 and f2fs events to be available on user builds.
Bug: 74584014
Change-Id: I891a0209be981d760a828a69e4831e238248ebad
The kernel generates file creation audits when O_CREAT is passed even
if the file already exists - which it always does in the cgroup cases.
We add neverallow rules to prevent mistakenly allowing unnecessary
create access. We also suppress these denials, which just add noise to
the log, for the more common culprits.
Bug: 72643420
Bug: 74182216
Test: Ran build_policies.sh and checked failures were unrelated.
Test: Device still boots, denials gone.
Change-Id: I034b41ca70da1e73b81fe90090e656f4a3b542dc
(cherry picked from commit 92c149d077)
In permissive mode we get more spurious denials when O_CREAT is used
with an already-existing file. They're harmless so we don't need to
audit them.
Example denials:
denied { add_name } for name="trigger" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1
denied { create } for name="trigger" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file permissive=1
Bug: 72643420
Bug: 74182216
Test: Device boots, denials gone.
Change-Id: I54b1a0c138ff5167f1d1d12c4b0b9e9afaa5bca0
(cherry picked from commit 7d4294cb4f)
A default value of persist.radio.multisim.config can be set by SoC
vendors, and so vendor-init-settable should be allowed to it.
Bug: 73871799
Test: succeeded building and tested with taimen
Change-Id: Ie62b91e7e3d7e05425b742838417f1cab7b3fed4
This reverts commit 016f0a58a9.
Reason for revert: Was temporarily reverted, merging back in with fix.
Test: Basic telephony sanity, treehugger
Bug: 74486619
Bug: 36427227
Merged-in: Ide68726a90d5485c2758673079427407aee1e4f2
Change-Id: Ide68726a90d5485c2758673079427407aee1e4f2
(cherry picked from commit 312248ff72)
/odm partition isn't mandatory and the following symlinks will exist on
a device without /odm partition.
/odm/app ->/vendor/odm/app
/odm/bin ->/vendor/odm/bin
/odm/etc ->/vendor/odm/etc
/odm/firmware ->/vendor/odm/firmware
/odm/framework ->/vendor/odm/framework
/odm/lib -> /vendor/odm/lib
/odm/lib64 -> /vendor/odm/lib64
/odm/overlay -> /vendor/odm/overlay
/odm/priv-app -> /vendor/odm/priv-app
This CL allows all domains to access the symlinks, also removes the
Treble compliance neverallows on them because the actual restrictions
should apply to the real path directly.
Bug: 70678783
Test: boot a device
Change-Id: If1522780a13710d8a592272dc688685cbae29f52
The kernel is unusual in that it's both a core process, but vendor
provided. Exempt it from the restriction against accessing files from
on /vendor. Also, rework the neverallow rule so that it disallows
opening/modifying files, but allows reading files passed over IPC.
Bug: 68213100
Test: build (this is a build-time test)
Change-Id: I2f6b2698ec45d2e8480dc1de47bf12b9b53c4446
The webview_zygote is now launched as a child-zygote process from the
main zygote process.
Bug: 63749735
Test: m
Test: Launch "Third-party licenses" activity from Settings, and it
renders correctly via the WebView.
Merged-In: I9c948b58a969d35d5a5add4b6ab62b8f990645d1
Change-Id: I153476642cf14883b0dfea0d9f5b3b5e30ac1c08
Neverallow errors include the file name and line number of the
violated rule. However, if multiple neverallow rules are included
within a single macro, then the line number is for the entire macro,
not the individual neverallow rule that is violated. To fix this,
only include one neverallow rule per macro.
This changes nothing on device, nor does it change the results of
compilation, it only makes the printed errors more useful.
Bug: 69139821
Test: build aosp_taimen-userdebug (neverallow rules are build time
tests)
Change-Id: Id0fc5906431db20e71265c7e9d55fbee4bdf53db
This required for kernel to do loopback mounts on filesystem
images created by the kernel system call tests in LTP.
Add a corresponding neverallow to stop all domains from accessing
the location at /data/local/tmp/ltp.
Bug: 73220071
Test: Boot sailfish successfully
Test: run vts-kernel -m VtsKernelLtp -t syscalls.fchown04
Change-Id: I73f5f14017e22971fc246a05751ba67be4653bca
Signed-off-by: Sandeep Patil <sspatil@google.com>
In this architecture, the system_server instructs the zygote to fork a
child-zygote to be the webview_zygote. The system_server tells this new
zygote to listen for fork requests on a random abstract unix socket of
its choosing.
A follow-up CL will remove the rules for starting webview_zygote via
init.
Bug: 63749735
Test: m
Test: Launch "Third-party licenses" activity from Settings, and it
renders correctly via the WebView.
Merged-In: I864743943c11c18de386010ecd4b616721cb9954
Change-Id: I1c352e47b66eca3a3fa641daa6ecc3e7a889b54e
Restrictions introduced in vendor init mean that new devices
may not no longer exempt vendor init from writing to system_data_file.
This means we must introduce a new label for /data/vendor which
vendor_init may write to.
Bug: 73087047
Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint
No new denials.
Change-Id: I65f904bb28952d4776aab947515947e14befbe34
And grant explicit exemption from system_executes_vendor_violators
neverallow rules.
This does not change the policy, but is needed to test the violator
attribute for emptiness.
Bug: 72662597
Test: build sepolicy
Change-Id: Iba79bb42e1381b221fe0dc53470f62f8267a4791
This changes tracefs files to be default-enabled in debug mode, but
default-disabled with specific files enabled in user mode.
Bug: 64762598
Test: Successfully took traces in user mode.
Change-Id: I572ea22253e0c1e42065fbd1d2fd7845de06fceb
Instead of getting these permissions, it is better to add the process
to a group or change the permissions of the files it tries to access.
Test: Built the policy for many devices.
Change-Id: If023d98bcc479bebbedeedf525965ffb17a0e331
Data outside of /data/vendor should have the core_data_file_type.
Exempt data_between_core_and_vendor for some types.
Ensure core_data_file_type and coredomain_socket do not get expanded
to their underlying types.
Test: build sepolicy for all targets in master (this is a build time
test)
Bug: 34980020
Change-Id: I59387a87875f4603a001fb03f22fa31cae84bf5a
(cherry picked from commit bdd454792d)
vendor_init exists on the system partition, but it is meant to be an
extention of init that runs with vendor permissions for executing
vendor scripts, therefore it is not meant to be in coredomain.
Bug: 62875318
Test: boot walleye
Merged-In: I01af5c9f8b198674b15b90620d02725a6e7c1da6
Change-Id: I01af5c9f8b198674b15b90620d02725a6e7c1da6
This is an experimental feature only on userdebug and eng build.
Test: play MP4 file. install & uninstall media update apk.
Bug: 67908547
Change-Id: I513cdbfda962f00079e886b7a42f9928e81f6474
These property sets will be long term restricted with
compatible_property but allowing them now eases the transition.
Bug: 62875318
Test: boot marlin without audits for setprop in vendor_init
Change-Id: I25ab565bbf137e382c1dfc3b905b38403645f1d2
