Give dex2oat/patchoat link rights in /data/ota to produce a patched
image.
Give zygote rights to relabel links. Also give the zygote rights to
unlink, which is required when relabeling fails (to clean up the
dalvik-cache).
Bug: 25612095
Change-Id: I28bfb9cbeabe93b1f68ada9bcaf29f4f60028c2f

The zygote is responsible for moving ART A/B OTA artifacts over to
the regular dalvik-cache.
Bug: 25612095
Change-Id: I838d9ec6ee5a0f0af5f379a4696abda69cea51ca

f063f461a9 marked several zygote.te
rules as "deprecated in M". Now that M is out the door, delete
the obsolete rules.
Change-Id: I7ff8abe8659bbcf7aa0b5c612ce3822a238df8ca

The directory is to be used in eng/userdebug build to store method
traces (previously stored in /data/dalvik-cache/profiles).
Bug: 25612377
Change-Id: Ia4365a8d1f13d33ee54115dc5e3bf62786503993

Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.
Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c

To help reduce code injection paths, a neverallow is placed
to prevent domain, sans untrusted_app and shell, from executing
data_file_type. A few data_file_type's are also exempt
from this rule as they label files that should be executable.
Additional constraints, on top of the above, are placed on domains
system_server and zygote. They can only execute data_file_type's
of type dalvikcache_data_file.
Change-Id: I15dafbce80ba2c85a03c23128eae4725703d5f02
Signed-off-by: William Roberts <william.c.roberts@intel.com>

For example, when launching into an isolated process, we need to drop
all mounts inherited from the root namespace.
avc: denied { unmount } for scontext=u:r:zygote:s0 tcontext=u:object_r:fuse:s0 tclass=filesystem permissive=1
Bug: 22192518
Change-Id: Iafbea2c365c1080bdf20d7fa066c304901e582ba

Now that we're treating storage as a runtime permission, we need to
grant read/write access without killing the app. This is really
tricky, since we had been using GIDs for access control, and they're
set in stone once Zygote drops privileges.
The only thing left that can change dynamically is the filesystem
itself, so let's do that. This means changing the FUSE daemon to
present itself as three different views:
/mnt/runtime_default/foo - view for apps with no access
/mnt/runtime_read/foo - view for apps with read access
/mnt/runtime_write/foo - view for apps with write access
There is still a single location for all the backing files, and
filesystem permissions are derived the same way for each view, but
the file modes are masked off differently for each mountpoint.
During Zygote fork, it wires up the appropriate storage access into
an isolated mount namespace based on the current app permissions. When
the app is granted permissions dynamically at runtime, the system
asks vold to jump into the existing mount namespace and bind mount
the newly granted access model into place.
avc: denied { sys_chroot } for capability=18 scontext=u:r:vold:s0 tcontext=u:r:vold:s0 tclass=capability permissive=1
avc: denied { mounton } for path="/storage" dev="tmpfs" ino=4155 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir permissive=1
avc: denied { unmount } for scontext=u:r:zygote:s0 tcontext=u:object_r:tmpfs:s0 tclass=filesystem permissive=0
Bug: 21858077
Change-Id: Ie481d190c5e7a774fbf80fee6e39a980f382967e
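
Several of the commit messages on this page quote `avc: denied` audit lines and then describe the rule (or, more often, the new type) that resolved them. The following added example, which is not part of the Android sepolicy project, is a simplified stand-in for what the standard audit2allow tool does: it parses the denial lines quoted above (the zygote/fuse unmount, the vold sys_chroot and mounton denials, the tmpfs unmount, and the zygote_exec getattr line further down the page), aggregates them into candidate allow rules keyed by source type, target type and object class, and separates the denials that were actually enforced (`permissive=0`) from those that were merely logged (`permissive=1`). The regular expressions and the `self` substitution are assumptions of this illustration, not the project's code.

```python
"""Parse SELinux avc denial lines and summarise the allow rule each needs.

Added illustration, not part of Android sepolicy; a simplified version of
what audit2allow does. The sample lines are copied from the commit messages
on this page.
"""
import re
from collections import defaultdict

# Denial lines as quoted in the commit messages above. The last one keeps
# its "type=1400 audit(...)" prefix to show the parser tolerates it.
SAMPLE_DENIALS = [
    'avc: denied { unmount } for scontext=u:r:zygote:s0 tcontext=u:object_r:fuse:s0 tclass=filesystem permissive=1',
    'avc: denied { sys_chroot } for capability=18 scontext=u:r:vold:s0 tcontext=u:r:vold:s0 tclass=capability permissive=1',
    'avc: denied { mounton } for path="/storage" dev="tmpfs" ino=4155 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir permissive=1',
    'avc: denied { unmount } for scontext=u:r:zygote:s0 tcontext=u:object_r:tmpfs:s0 tclass=filesystem permissive=0',
    'type=1400 audit(7803852.559:251): avc: denied { getattr } for pid=5702 comm="main" path="/system/bin/app_process" dev="mmcblk0p25" ino=60 scontext=u:r:zygote:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file',
]

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
DENIAL_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line):
    """Return a dict describing one denial, or None if the line is not one."""
    m = DENIAL_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        # permissive=1: logged but allowed; permissive=0: actually blocked;
        # older kernels omit the field, so it may be None.
        'permissive': fields.get('permissive'),
        'path': fields.get('path'),
    }


def context_type(ctx):
    """Extract the type field from a context such as u:r:zygote:s0."""
    return ctx.split(':')[2]


def suggest_rules(lines):
    """Aggregate denials into allow rules, one per (source, target, class).

    These are starting points for review, not rules to paste in: the commits
    on this page repeatedly prefer a new, narrower type over a blanket allow.
    """
    perms_by_key = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d is None or not (d['scontext'] and d['tcontext'] and d['tclass']):
            continue
        src = context_type(d['scontext'])
        tgt = context_type(d['tcontext'])
        if tgt == src:
            tgt = 'self'  # policy idiom for a domain acting on itself
        perms_by_key[(src, tgt, d['tclass'])].update(d['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(perms_by_key.items()):
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ ' + perm_str + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules


def enforced_denials(lines):
    """Return only the denials that were actually blocked (permissive=0)."""
    return [d for d in map(parse_denial, lines) if d and d['permissive'] == '0']


if __name__ == '__main__':
    for rule in suggest_rules(SAMPLE_DENIALS):
        print(rule)
    print(len(enforced_denials(SAMPLE_DENIALS)), 'denial(s) were enforced')
```

Running the block prints five candidate rules and reports that only the tmpfs unmount denial was enforced; the others were collected while the domain was permissive, which is why a policy author still has to decide, per rule, whether the access should be granted, relabelled onto a dedicated type, or left denied.
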
Run idmap in its own domain rather than leaving it in installd's domain.
This prevents misuse of installd's permissions by idmap.
zygote also needs to run idmap. For now, just run it in zygote's
domain as it was previously since that is what is done for dex2oat
invocation by zygote. zygote appears to run idmap with system uid
while installd runs it with app UIDs, so using different domains
seems appropriate.
Remove system_file execute_no_trans from both installd and zygote;
this should no longer be needed with explicit labels for dex2oat and
idmap.
Change-Id: If47e2c1326b84c20e94a20f5e699300dce12bdfe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Prevent defining any process types without the domain attribute
so that all allow and neverallow rules written on domain are
applied to all processes.
Prevent defining any app process types without the appdomain
attribute so that all allow and neverallow rules written on
appdomain are applied to all app processes.
Change-Id: I4cb565314fd40e1e82c4360efb671b175a1ee389
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* zygote needs to be able to symlink from dalvik cache to system
to avoid having to copy boot.oat
(when the boot.oat file was built with --compile-pic)
* dex2oat needs to be able to read the symlink in the dalvik cache
(the one that zygote creates)
Bug: 18035729
Change-Id: Ie1acad81a0fd8b2f24e1f3f07a06e6fdb548be62

Migrators should be allowed to write to /data/misc/keychain in order
to remove it. Similarly /data/misc/user should be writable by system
apps.
TODO: Revoke zygote's rights to read from /data/misc/keychain on
behalf of some preloaded security classes.
Bug: 17811821
Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547

Android's native bridge functionality allows an Android native
app written on one CPU architecture to run on a different architecture.
For example, Android ARM apps may run on an x86 CPU.
To support this, the native bridge functionality needs to replace
/proc/cpuinfo with the version from /system/lib/<ISA>/cpuinfo
using a bind mount. See commit ab0da5a9a6860046619629b8e6b83692d35dff86
in system/core.
This change:
1) Creates a new label proc_cpuinfo, and assigns /proc/cpuinfo
that label.
2) Grants read-only access to all SELinux domains, to avoid
breaking pre-existing apps.
3) Grants zygote mounton capabilities for that file, so zygote
can replace the file as necessary.
Addresses the following denial:
avc: denied { mounton } for path="/proc/cpuinfo" dev="proc" ino=4026532012 scontext=u:r:zygote:s0 tcontext=u:object_r:proc:s0 tclass=file
Bug: 17671501
(cherry picked from commit 2de02877a3)
Change-Id: I2c2366bee4fe365288d14bca9778d23a43c368cb

Android's native bridge functionality allows an Android native
app written on one CPU architecture to run on a different architecture.
For example, Android ARM apps may run on an x86 CPU.
To support this, the native bridge functionality needs to replace
/proc/cpuinfo with the version from /system/lib/<ISA>/cpuinfo
using a bind mount. See commit ab0da5a9a6860046619629b8e6b83692d35dff86
in system/core.
This change:
1) Creates a new label proc_cpuinfo, and assigns /proc/cpuinfo
that label.
2) Grants read-only access to all SELinux domains, to avoid
breaking pre-existing apps.
3) Grants zygote mounton capabilities for that file, so zygote
can replace the file as necessary.
Addresses the following denial:
avc: denied { mounton } for path="/proc/cpuinfo" dev="proc" ino=4026532012 scontext=u:r:zygote:s0 tcontext=u:object_r:proc:s0 tclass=file
Bug: 17671501
Change-Id: Ib70624fba2baeccafbc0a41369833f76b976ee20

Currently, dex2oat runs in the installd sandbox, and has
all the SELinux capabilities that installd does. That's too
excessive.
dex2oat handles untrusted user data, so we want to put it in
its own tighter sandbox.
Bug: 15358102
Change-Id: I08083b84b9769e24d6dad6dbd12401987cb006be

The following commits added support for runtime resource overlays.
New command line tool 'idmap'
* 65a05fd56dbc9fd9c2511a97f49c445a748fb3c5
Runtime resource overlay, iteration 2
* 48d22323ce39f9aab003dce74456889b6414af55
Runtime resource overlay, iteration 2, test cases
* ad6ed950dbfa152c193dd7e49c369d9e831f1591
During SELinux tightening, support for these runtime resource
overlays was unknowingly broken. Fix it.
This change has been tested by hackbod and she reports that
everything is working after this change. I haven't independently
verified the functionality.
Test cases are available for this by running:
* python frameworks/base/core/tests/overlaytests/testrunner.py
Change-Id: I1c70484011fd9041bec4ef34f93f7a5509906f40

Writing to the /proc/self/attr files (encapsulated by the libselinux
set*con functions) enables a program to request a specific security
context for various operations instead of the policy-defined defaults.
The security context specified using these calls is checked by an
operation-specific permission, e.g. dyntransition for setcon,
transition for setexeccon, create for setfscreatecon or
setsockcreatecon, but the ability to request a context at all
is controlled by a process permission. Omit these permissions from
domain.te and only add them back where required so that only specific
domains can even request a context other than the default defined by
the policy.
Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

These rules seem to be a legacy of old Android or perhaps old policy
before we began splitting types on /data. I have not been able to
trigger the auditallow rules on AOSP master. Reduce the rules to
only read access to system data. If we need write access to some
specific directory under /data, we should introduce a type for it.
Change-Id: I780835950cc366c97b7d0901fc73527d9ea479b1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Report any attempts by zygote to create/write files in system_data_file
so that we can ultimately move any such cases to their own type
and reduce this to read-only access.
Change-Id: I310b8da5ba5b462ef2cfdaab289628498f4d2cec
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Allow the zygote to create instruction set specific
directories under /data/dalvik-cache and to change their owner
to the system UID.
These subdirectories are required in order to support
instruction set specific dex caches on devices that support
multiple instruction sets. We can't ask init to create these
directories for us, because init doesn't have any knowledge
about the list of runtime instruction sets the device supports.
The owner needs to be system because the package manager (running
in the system_server) is allowed to manipulate files under this
directory.
(cherry picked from commit 032e5b0ae1)
Change-Id: I3a85e8a6b4eed003a93490e7b93a4fd68c41a361

In 66f25cb1af, auditallow entries
were added for some old zygote rules. They've never been triggered,
so they're not needed. Delete them.
Change-Id: Idb544c71410e263714f29cdbec0424a46f32898f

The environment has changed since b/10498304 and it may be the case
that some of the changes introduced thereby are no longer necessary.
Adding an auditallow will allow us to monitor the effects of
removing these changes, without blocking other development.
Change-Id: Id4ece1644877c4ba36df3050ac9073ea6320779c

This resolves denials such as:
type=1400 audit(7803852.559:251): avc: denied { getattr } for pid=5702 comm="main" path="/system/bin/app_process" dev="mmcblk0p25" ino=60 scontext=u:r:zygote:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file
(triggered on an art crash seen in recent AOSP master)
Rather than just adding this permission individually, just rewrite
the existing rule to use the rx_file_perms macro.
We already allowed most of these permissions by way of the
domain_auto_trans() rule via init_daemon_domain() and the rule
for the --invoke-with support. Using macros helps reduce
policy fragility/brittleness.
Change-Id: Ib7edc17469c47bde9edd89f0e6cf5cd7f90fdb76
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Now that all of /data outside of /data/data should be labeled
even on legacy devices as a result of
Ib8d9751a47c8e0238cf499fcec61898937945d9d, there
should be no reason to permit the system_server or zygote
execute access to unlabeled files.
This is the only remaining case where a type writable by
app domains can be executed by system services, so eliminating
it is desirable.
That said, I have not specifically tested the non-SE to SE
upgrade path to confirm that this causes no problems.
Change-Id: Ie488bd6e347d4a210806a3308ab25b00952aadb4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

x_file_perms and friends allow execve; we only want to permit
mmap/mprotect PROT_EXEC here.
Change-Id: I780f202c357f4611225cec25fda5cb9d207e085f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Otherwise all domains can create/write files that are executable
by all other domains. If I understand correctly, this should
only be necessary for app domains executing content from legacy
unlabeled userdata partitions on existing devices and zygote
and system_server mappings of dalvikcache files, so only allow
it for those domains.
If required for others, add it to the individual
domain .te file, not for all domains.
Change-Id: I6f5715eb1ecf2911e70772b9ab4e531feea18819
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

init can't handle binder calls. It's always incorrect
to allow init:binder call, and represents a binder call
to a service without an SELinux domain. Adding this
allow rule was a mistake; the dumpstate SELinux domain didn't
exist at the time this rule was written, and dumpstate was
running under init's domain.
Add a neverallow rule to prevent the reintroduction of
this bug.
Change-Id: I78d35e675fd142d880f15329471778c18972bf50