Commit graph

192 commits

Author SHA1 Message Date
Tri Vo
bfe1e42143 Merge "SELinux type for vendor public libs." am: 59e9d2d8c9
am: 9d99ee2316

Change-Id: I50978971a2cf6221024d91edde0cb85b9415f7be
2018-05-03 13:11:21 -07:00
Tri Vo
29497b623e SELinux type for vendor public libs.
Vendor public libs are exposed to apps (not system), and their ABI
stability is guaranteed by vendor. Introducing new selinux type so that
we don't conflate concepts of same-process HAL and vendor public lib.
The former is exposed to all domains, while the latter should only be
accessible by apps.

Bug: 76413554
Test: build-only change, policy builds
Change-Id: I89dad351374f46c7fe2726991eb4c05064c37ed5
2018-05-02 14:51:05 -07:00
Paul Crowley
67861bcc03 Add metadata_file class for root of metadata folder. am: 42bd1638bf
am: b494ab07fb

Change-Id: I25139c13561468d585814daa2f79b35a390730ee
2018-04-24 10:41:23 -07:00
Paul Crowley
42bd1638bf Add metadata_file class for root of metadata folder.
Bug: 77335096
Test: booted device with metadata encryption and without
Change-Id: I5bc5d46deb4e91912725c4887fde0c3a41c9fc91
2018-04-23 14:14:49 -07:00
Jeff Vander Stoep
df6d77cd45 Protect dropbox service data with selinux am: 4d3ee1a5b6
am: 1874950d21

Change-Id: Id2e5359054ae6d1882b0c99011ee09d1b75fa604
2018-04-18 15:05:34 -07:00
Jeff Vander Stoep
4d3ee1a5b6 Protect dropbox service data with selinux
Create a new label for /data/system/dropbox, and neverallow direct
access to anything other than init and system_server.

While all apps may write to the dropbox service, only apps with
android.permission.READ_LOGS, a signature|privileged|development
permission, may read them. Grant access to priv_app, system_app,
and platform_app, and neverallow access to all untrusted_apps.

Bug: 31681871
Test: atest CtsStatsdHostTestCases
Test: atest DropBoxTest
Test: atest ErrorsTests
Change-Id: Ice302b74b13c4d66e07b069c1cdac55954d9f5df
2018-04-18 19:53:03 +00:00
Tri Vo
8c1a1b2472 Sepolicy for rw mount point for vendors.
Bug: 64905218
Test: device boots with /mnt/vendor present and selinux label
mnt_vendor_file applied correctly.
Change-Id: Ib34e2859948019d237cf2fe8f71845ef2533ae27
Merged-In: Ib34e2859948019d237cf2fe8f71845ef2533ae27
(cherry picked from commit 210a805b46)
2018-04-17 21:04:15 +00:00
Tri Vo
5fd38baf04 Merge "Sepolicy for rw mount point for vendors." into pi-dev
am: ae0b835c58

Change-Id: I72eb24a252571974b8732facf500a6f23eb9ccf1
2018-04-17 13:42:27 -07:00
TreeHugger Robot
ae0b835c58 Merge "Sepolicy for rw mount point for vendors." into pi-dev 2018-04-17 19:16:56 +00:00
Jeff Sharkey
b469c30069 Add exFAT support; unify behind "sdcard_type".
We're adding support for OEMs to ship exFAT, which behaves identically
to vfat.  Some rules have been manually enumerating labels related
to these "public" volumes, so unify them all behind "sdcard_type".

Test: atest
Bug: 67822822
Change-Id: I09157fd1fc666ec5d98082c6e2cefce7c8d3ae56
2018-04-16 12:49:10 -06:00
Tri Vo
210a805b46 Sepolicy for rw mount point for vendors.
Bug: 64905218
Test: device boots with /mnt/vendor present and selinux label
mnt_vendor_file applied correctly.
Change-Id: Ib34e2859948019d237cf2fe8f71845ef2533ae27
2018-04-16 11:07:40 -07:00
Jeff Sharkey
ea3997beab Merge "Add exFAT support; unify behind "sdcard_type"." am: ba89007178
am: ff0369ad4c

Change-Id: I3d323c85ff019824be74fa6887b0578f308e6251
2018-04-14 16:28:52 -07:00
Jeff Sharkey
000cafc701 Add exFAT support; unify behind "sdcard_type".
We're adding support for OEMs to ship exFAT, which behaves identically
to vfat.  Some rules have been manually enumerating labels related
to these "public" volumes, so unify them all behind "sdcard_type".

Test: atest
Bug: 67822822
Change-Id: I09157fd1fc666ec5d98082c6e2cefce7c8d3ae56
2018-04-13 14:08:10 -06:00
Jeff Vander Stoep
e8db0b37ad Merge "Rename qtaguid_proc to conform to name conventions" am: 38a84cf8da
am: d093691cda

Change-Id: Ie6ffba47ea2164260d60115a738c57f0e47f04be
2018-04-03 21:53:11 -07:00
Jeff Vander Stoep
bdf2a9c417 Rename qtaguid_proc to conform to name conventions
Test: build
Bug: 68774956
Change-Id: I0f9fd87eb41e67e14f35e49eba13e3d1de745250
2018-04-03 14:47:38 -07:00
Tri Vo
f350c884e0 silence innocuous denials to /proc and /sys am: 422fb98e2e
am: fc5fa22fa0

Change-Id: I2ebe936d736a8dfcd3abf969c4116bad52b4ae3c
2018-03-21 20:25:24 +00:00
Tri Vo
422fb98e2e silence innocuous denials to /proc and /sys
Bug: 74182216
Test: build bullhead, sailfish sepolicy
Change-Id: I6d0635a49c025870c9ecb46147e6c9a1c407fe16
2018-03-21 10:48:22 -07:00
Tri Vo
c8f2d0d476 Merge "Revert "silence innocuous denials to /proc and /sys"" am: 341d34b582
am: fc33d6eff1

Change-Id: I487eca7219014ebc257167e5af301f80a082d317
2018-03-21 17:12:21 +00:00
Tri Vo
cee3f687eb Revert "silence innocuous denials to /proc and /sys"
This reverts commit 09b1d962ef.

Reason for revert: bullhead broken

Change-Id: Ib4562f944cdc2618cc3ed3beb4f612f0ef8b3223
2018-03-21 16:37:23 +00:00
Tri Vo
59a1b52538 Merge changes from topic "dontaudit_proc_sys" am: 795eae3a41
am: 36f82363e4

Change-Id: I0ab2bc44fb7f788a188b00a5baa8dafb0f1da027
2018-03-20 23:18:48 +00:00
Tri Vo
f170dfb789 silence innocuous denials to /proc and /sys
Bug: 74182216
Test: build policy
Change-Id: Idf90c1a96943266d52508ce72b8554d8b5c594c9
(cherry picked from commit 09b1d962ef)
2018-03-20 14:22:16 -07:00
Tri Vo
62e6850a2b proc_type attribute for files under /proc.
With this attribute it will be easier to reference /proc files.

Bug: 74182216
Test: policy builds
Change-Id: I5b7da508d821e45f122832261a742a201e8fdf2c
(cherry picked from commit 41bf08e592)
2018-03-20 14:21:36 -07:00
Tri Vo
09b1d962ef silence innocuous denials to /proc and /sys
Bug: 74182216
Test: build policy
Change-Id: Idf90c1a96943266d52508ce72b8554d8b5c594c9
2018-03-19 14:58:25 -07:00
Tri Vo
41bf08e592 proc_type attribute for files under /proc.
With this attribute it will be easier to reference /proc files.

Bug: 74182216
Test: policy builds
Change-Id: I5b7da508d821e45f122832261a742a201e8fdf2c
2018-03-19 14:58:25 -07:00
Robert Sesek
869562e9e3 Remove rules for starting the webview_zygote as a child of init.
The webview_zygote is now launched as a child-zygote process from the
main zygote process.

Bug: 63749735
Test: m
Test: Launch "Third-party licenses" activity from Settings, and it
      renders correctly via the WebView.
Merged-In: I9c948b58a969d35d5a5add4b6ab62b8f990645d1
Change-Id: I153476642cf14883b0dfea0d9f5b3b5e30ac1c08
2018-02-23 10:55:22 -05:00
TreeHugger Robot
d580a23ec1 Merge "Remove rules for starting the webview_zygote as a child of init." 2018-02-23 15:54:32 +00:00
Primiano Tucci
4120c8c94d perfetto: Make producer socket MLS-aware am: 5ef6669b04 am: 2337f2950c
am: 8bf6ccb78a

Change-Id: I40e25bbdec238c250308f8a09571e4c4a1bea363
2018-02-21 20:17:09 +00:00
Primiano Tucci
5ef6669b04 perfetto: Make producer socket MLS-aware
The previous selinux rules obtained via audit2allow didn't really
work with the case of apps connecting to the producer socket,
despite all the allow rules being correctly in place.
This was failing our CTS tests.

The reason for the failure (see denials pasted below) is due to
Multi Level Security (for multi-user), which was still preventing
apps from a different level to connect to the traced producer
socket and write to the shmem buffers they get passed back.
This CL tags the objects being accessed as mlstrusted.
CTS tests pass with this CL.

Denials:
avc: denied { write } for pid=8545 comm="traced_probes" name="traced_producer" dev="tmpfs" ino=23629 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=1
avc: denied { write } for pid=8545 comm="traced_probes" name="traced_producer" dev="tmpfs" ino=23629 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=1
avc: denied { connectto } for pid=8545 comm="traced_probes" path="/dev/socket/traced_producer" scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:traced:s0 tclass=unix_stream_socket permissive=1
avc: denied { connectto } for pid=8545 comm="traced_probes" path="/dev/socket/traced_producer" scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:traced:s0 tclass=unix_stream_socket permissive=1
avc: denied { write } for pid=8545 comm="traced_probes" path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=104483 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_tmpfs:s0 tclass=file permissive=1

Change-Id: I1598bc0b07bf39b8d0420b66caf06a4ca884f383
Bug: 73340039
Test: CtsPerfettoTestCases
2018-02-21 14:37:58 +00:00
Robert Sesek
ca4c4e57b2 Remove rules for starting the webview_zygote as a child of init.
The webview_zygote is now launched as a child-zygote process from the
main zygote process.

Bug: 63749735
Test: m
Test: Launch "Third-party licenses" activity from Settings, and it
      renders correctly via the WebView.
Change-Id: I9c948b58a969d35d5a5add4b6ab62b8f990645d1
2018-02-16 16:26:42 -05:00
Jeff Vander Stoep
dc54573b81 Merge "label /data/vendor{_ce,_de}" am: 3721b0513d am: 7fd715ea82
am: 037f20b9c0

Change-Id: Ie7bcebebf47c7e0ea879ffb84c6dc3ce2e5b7259
2018-02-09 06:09:45 +00:00
Jeff Vander Stoep
d25ccabd24 label /data/vendor{_ce,_de}
Restrictions introduced in vendor init mean that new devices
may no longer exempt vendor init from writing to system_data_file.
This means we must introduce a new label for /data/vendor which
vendor_init may write to.

Bug: 73087047
Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint
    No new denials.

Change-Id: I65f904bb28952d4776aab947515947e14befbe34
2018-02-08 17:21:25 +00:00
Carmen Jackson
e3817434ae Merge changes from topic "user-build-traceur" am: 0fe4586bb1 am: 5f15d4edc7
am: a94aaeb0ff

Change-Id: I7c3006caae89234c1f9e77e93f870800f3552bac
2018-02-05 20:53:04 +00:00
Carmen Jackson
2c8ca45d2d Use a whitelisting strategy for tracefs.
This changes tracefs files to be default-enabled in debug mode, but
default-disabled with specific files enabled in user mode.

Bug: 64762598
Test: Successfully took traces in user mode.

Change-Id: I572ea22253e0c1e42065fbd1d2fd7845de06fceb
2018-02-05 10:03:06 -08:00
Paul Crowley
60676fd89d Merge "Allow vendor_init and e2fs to enable metadata encryption" am: 5d422a305d am: 55b3a9d21e
am: 72750a917f

Change-Id: I3a830a8622c14579b41e4182fcba8db46020e746
2018-02-02 16:56:27 +00:00
Paul Crowley
d9a4e06ec5 Allow vendor_init and e2fs to enable metadata encryption
Bug: 63927601
Test: Enable metadata encryption in fstab on Taimen, check boot success.

Change-Id: Iddbcd05501d360d2adc4edf8ea7ed89816642d26
2018-02-01 13:25:34 -08:00
Jeff Vander Stoep
ccf965e9ca Test that /data is properly labeled
Data outside of /data/vendor should have the core_data_file_type.
Exempt data_between_core_and_vendor for some types.

Ensure core_data_file_type and coredomain_socket do not get expanded
to their underlying types.

Test: build sepolicy for all targets in master (this is a build time
    test)
Bug: 34980020
Change-Id: I59387a87875f4603a001fb03f22fa31cae84bf5a
(cherry picked from commit bdd454792d)
2018-01-30 10:11:38 -08:00
Jeffrey Vander Stoep
77a2d71fc2 Merge "Test that /data is properly labeled" 2018-01-25 00:57:23 +00:00
TreeHugger Robot
8cd8c42223 Merge "Fingerprint data is now stored in one of two ways depending on the" 2018-01-24 20:24:22 +00:00
Marissa Wall
dad1a1ee98 Merge "sepolicy: restrict access to uid_cpupower files" am: 24e8eff35d am: 6ad9b56176
am: 67d7275265

Change-Id: I2d5fe930c4cdca93f94a7b5cf1dc6ca609de05ce
2018-01-24 20:11:43 +00:00
Marissa Wall
dfe063c37d sepolicy: restrict access to uid_cpupower files
Do not let apps read /proc/uid_cpupower/time_in_state,
/proc/uid_cpupower/concurrent_active_time,
/proc/uid_cpupower/concurrent_policy_time.

b/71718257

Test: Check that they can't be read from the shell
    without root permissions and system_server was able
    to read them

Change-Id: I812694adfbb4630f7b56aa7096dc2e6dfb148b15
2018-01-24 08:39:09 -08:00
Jeff Vander Stoep
bdd454792d Test that /data is properly labeled
Data outside of /data/vendor should have the core_data_file_type.
Exempt data_between_core_and_vendor for some types.

Ensure core_data_file_type and coredomain_socket do not get expanded
to their underlying types.

Test: build sepolicy for all targets in master (this is a build time
    test)
Bug: 34980020
Change-Id: I59387a87875f4603a001fb03f22fa31cae84bf5a
2018-01-24 08:15:49 -08:00
Joel Galenson
ac3c29d8cb Fix init error trying to access file. am: cf391269ac am: ff8bf596a4
am: e032393e9b

Change-Id: I7e0cb28c9e5c16c9fb1937698daedfce2c512bf8
2018-01-24 05:27:45 +00:00
Joel Galenson
cf391269ac Fix init error trying to access file.
Init tries to write /proc/sys/vm/min_free_order_shift but fails due to
a SELinux denial.  This gives the file a new label and gives init the
ability to write it.

Test: Build and booted Sailfish (a couple of days ago).
Change-Id: Ic93862b85c468afccff2019d84b927af9ed2a84d
2018-01-23 17:32:16 -08:00
Andreas Huber
6116daa71a Fingerprint data is now stored in one of two ways depending on the
shipping API version:

For devices shipped before Android P nothing changes, data is stored
under /data/system/users/<user-id>/fpdata/...

Devices shipped from now on will instead store fingerprint data under
/data/vendor_de/<user-id>/fpdata.

Support for /data/vendor_de and /data/vendor_ce has been added to vold.

Bug: 36997597
Change-Id: Ibc7cc33b756f64abe68a749c0ada0ca4f6d92514
Test: manually
2018-01-23 14:30:38 -08:00
Yi Jin
de962429dc Selinux permissions for incidentd project am: bc24ba7283 am: 6c112fb3b2
am: cf06833c4b

Change-Id: I5835260d115aab09c5107130240e2c4988b192b7
2018-01-23 21:11:33 +00:00
Tri Vo
32d201709a Merge "dumpstate: remove access to 'proc' and 'sysfs' types." am: 0a2f862715 am: 1452e0a235
am: cf8a45eaf4

Change-Id: Ia07f01de94a598994b2e390c7c2316f1a9290aca
2018-01-23 21:11:18 +00:00
Yi Jin
bc24ba7283 Selinux permissions for incidentd project
Bug: 64222712
Test: manual
Change-Id: Ica77ae3c9e535eddac9fccf11710b0bcb3254ab3
2018-01-23 19:08:49 +00:00
Tri Vo
218d87c01c dumpstate: remove access to 'proc' and 'sysfs' types.
And grant appropriate permissions to more granular types.

Bug: 29319732
Bug: 65643247
Test: adb bugreport; no new denials to /proc or /sys files.

Change-Id: Ied99546164e79bfa6148822858c165177d3720a5
2018-01-23 03:24:37 +00:00
Max Bires
acc900f92f Adding write permissions to traceur am: 35c363897d am: ca824eb278
am: 311c3e1df1

Change-Id: Id3e056483b4726a2765869d0f4f46c093c3937ef
2018-01-23 00:29:28 +00:00
Max Bires
35c363897d Adding write permissions to traceur
Fixing denials that stopped traceur from being able to write to
debugfs_tracing. Also cleaning up general find denials for services that
traceur doesn't have permission to access.

Additionally, labeling /data/local/trace as a trace_data_file in order
to give traceur a UX friendly area to write its traces to now that it
will no longer be a shell user. It will be write/readable by traceur,
and deletable/readable by shell.

Test: Traceur functionality is not being blocked by selinux policy
Bug: 68126425
Change-Id: I201c82975a31094102e90bc81454d3c2a48fae36
2018-01-22 21:06:36 +00:00