Commit graph

3643 commits

Author SHA1 Message Date
Neda Topoljanac
bffe163b13 SELinux policy for new managed system update APIs
We introduced a new API to allow Device Owner to install an OTA file on disk.
This in turn requires system_server to be able to copy the OTA file to a known
OTA file location, call into update_engine to start the installation and let
update_engine to call back to the system_server to deliver any error conditions
asynchronously. This CL modifies the SELinux policy to allow these interaction.

Test: manual in TestDPC, CTS tests for negative cases: atest com.android.cts.devicepolicy.DeviceOwnerTest#testInstallUpdate
Change-Id: Id1fbea9111f753c5c80f270c269ecb9ef141cd79
Bug: 111173669
2018-11-22 17:46:31 +00:00
Hongyi Zhang
6f324ffd22 Merge "grant permissions of dir /data/server_configurable_flags" 2018-11-20 23:51:10 +00:00
Hongyi Zhang
4aecb3f2eb grant permissions of dir /data/server_configurable_flags
grant rw_dir_perms of dir
/data/server_configurable_flags to flags_health_check.te, in order to
enable flags_health_check to record reset flags data as file under this
dir for later use. See function:
server_configurable_flags::ServerConfigurableFlagsReset for how the
permission is used.

Test: manual on device
Change-Id: I1df7b8cadfbe279f26bf828e9e725ce170a376f7
2018-11-20 12:40:01 -08:00
Dario Freni
5a6d94bc03 Merge "Allow PackageManager to communicate to apexd." 2018-11-20 13:32:32 +00:00
David Brazdil
95c8372b6d Merge "Remove 'dex2oat_exec' from untrusted_app" 2018-11-20 10:04:08 +00:00
David Brazdil
535c5d2be0 Remove 'dex2oat_exec' from untrusted_app
Remove the permission to execute dex2oat from apps targetSdkVersion>28.
This has been historically used by ART to compile secondary dex files
but that functionality has been removed in Q and the permission is
therefore not needed.

Some legacy apps do invoke dex2oat directly. Hence allow (with audit) for
targetSdkVersion<= 28.

Test: atest CtsSelinuxTargetSdk25TestCases
Test: atest CtsSelinuxTargetSdk27TestCases
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Bug: 117606664
Change-Id: I2ea9cd56861fcf280cab388a251aa53e618160e5
2018-11-19 23:47:39 +00:00
Nick Kralevich
83f25e26f9 Revert "Add placeholder iris and face policy for vold data directory"
This reverts commit 92bde4b941.

Reason for revert: Rebooting after OTA fails due to the
filesystem still seeing the old label on the device.

Bug: 116528212
Bug: 119747564
Change-Id: Ib5f920f85c7e305e89c377369dca038d2c6c738c
Test: rollback change
2018-11-19 15:00:19 -08:00
Dario Freni
7ad743b7ed Allow PackageManager to communicate to apexd.
This is used for querying the installed packages, as well as
coordinating the installations of packages.

Test: ran an app that queries PM, that queries apexd.
Bug: 117589375
Change-Id: I38203ffe6d0d312d6cc38e131a29c14ace0ba10c
2018-11-19 22:05:21 +00:00
Florian Mayer
0f3decf2f5 Property to enable heap profile from process startup.
This is world-readable so it can be checked in libc's process init.

Test: m
Test: flash sailfish

Bug: 117821125

Change-Id: Iac7317ceb75b5ad9cfb9adabdf16929263fa8a9d
2018-11-19 21:52:43 +00:00
Haibo Huang
544a0d5480 Add new cpu variant related rules to SELinux
I added ro.bionic.(2nd_)?_(arch|cpu_variant) to vendor system
properties. And have init to write them to files under dev/.

This change set SELinux rules for these properties and files.

For the system properties: vendor/default.prop will set them. init will
read them.
For the files /dev/cpu_variant:.*: init will write them. bionic libc
will read them. (Basically world readable).

This is to allow libc select the right optimized routine at runtime.
Like memcpy / strcmp etc.

Test: getprop to make sure the properties are set.
Test: ls -laZ to make sure /dev/cpu_variant:.* are correctly labeled.

Change-Id: I41662493dce30eae6d41bf0985709045c44247d3
2018-11-19 18:29:36 +00:00
Hongyi Zhang
745d3839e4 Merge "sepolicies for sys prop enabling flag health check" 2018-11-19 17:48:55 +00:00
Treehugger Robot
b1f6942c79 Merge "vold: remove access to /proc/net files" 2018-11-19 16:01:28 +00:00
Bruno Martins
7bff13f9e8 sepolicy: Grant mediaextractor access to files over all types of sdcard fs
* Account for all possible sdcard-related filesystem types and not only
   sdcardfs:

   public/file.te:108:type fuse, sdcard_type, fs_type, mlstrustedobject;
   public/file.te:109:type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
   public/file.te:111:type vfat, sdcard_type, fs_type, mlstrustedobject;
   public/file.te:112:type exfat, sdcard_type, fs_type, mlstrustedobject;

Change-Id: Ic508397bf4ca66a002ada33ac3f600c17b8a1a10
2018-11-17 19:05:53 +00:00
Jiyong Park
b1feedc2b1 Allow domain to getattr on apex_mnt_dir
The dynamic linker calls realpath(3) on paths found in the linker config
script. Since realpath() calls lstat() on the parent paths, not allowing
getattr on /apex and its subdirectories will cause selinux denial spam
whenever something is executed from APEXes.

Silence the spam by allowing getattr on apex_mnt_dir.

Bug: 117403679
Bug: 115787633
Test: m apex.test; m; device is bootable

Change-Id: Ic659582760a3ae146e73770266bc64332b36a97c
2018-11-17 04:05:49 +00:00
Nick Kralevich
1c5d223b16 vold: remove access to /proc/net files
The auditallow added in commit
7a4af30b38 ("Start the process of locking
down proc/net", May 04 2018), has not been triggered. This is safe to
delete.

Test: Policy compiles
Test: no collected SELinux denials
Bug: 68016944
Change-Id: Ib45519b91742d09e7b93bbaf972e558848691a80
2018-11-16 17:46:56 -08:00
Tri Vo
d918c8df78 Remove redundant cgroup type/labelings.
cgroup is labeled from genfs_contexts. Also, cgroup filesystems can't be
context mounted, i.e. it's not possible to mount them with a label other
than "cgroup".

Bug: 110962171
Test: m selinux_policy
Test: boot aosp_walleye
Change-Id: I8319b10136c42a42d1edaee47b77ad1698e87f2c
2018-11-17 01:24:49 +00:00
Treehugger Robot
c2f8f67bbf Merge "SEPolicy for InputFlinger Service." 2018-11-17 00:40:21 +00:00
Hongyi Zhang
da492f4fca sepolicies for sys prop enabling flag health check
device_config_flags_health_check_prop is used for enabling/disabling
program flags_health_check which is executed during device booting.
"1" means enabling health check actions in flags_health_check, other
values mean flags_health_check will not perform any action.

Test: build succeeded & manual test
Change-Id: I93739dc5d155e057d72d08fd13097eb63c1193b5
2018-11-17 00:09:36 +00:00
Treehugger Robot
02ce98eab4 Merge "remove system_server debugfs:file r_file_perms" 2018-11-16 22:52:38 +00:00
Robert Carr
a49b27af44 SEPolicy for InputFlinger Service.
Add an InputFlinger service in system_server and allow SurfaceFlinger to
exchange sockets with it.

Test: None
Bug: 80101428
Bug: 113136004
Bug: 111440400
Change-Id: I1533ab7a1da0ca61d8a28037fffbc189d796f737
2018-11-16 21:52:01 +00:00
Nick Kralevich
fe4061da83 remove system_server debugfs:file r_file_perms
Auditallow added in commit 72edbb3e83 ("Audit generic debugfs access for
removal", May 01 2018) has not triggered. Remove allow rule and tighten
up neverallow rule.

Test: policy compiles
Test: no collected SELinux denials.
Change-Id: I9a90463575f9eab4711b72d6f444fa9d526b80e1
2018-11-16 11:29:44 -08:00
Joel Galenson
3d533078ab Allow vendor_init to relabelfrom unlabeled.
This will be needed if vendors remove a label, as vendor_init would
need to relabel from it (which would be unlabeled) to the new label.

Test: Build policy.
Change-Id: Ieea0fcd7379da26b2864b971f7773ed61f413bb9
2018-11-16 10:30:21 -08:00
Treehugger Robot
6567cc2653 Merge "Further protect app private data files" 2018-11-16 15:50:59 +00:00
Nick Kralevich
a194d3757a Tighten up handling of new classes
1b1d133be5 added the process2 class but
forgot to suppress SELinux denials associated with these permissions
for the su domain. Suppress them.

Ensure xdp_socket is in socket_class_set, so the existing dontaudit rule
in su.te is relevant. Inspired by
66a337eec6

Add xdp_socket to various other neverallow rules.

Test: policy compiles.
Change-Id: If5422ecfa0cc864a51dd69559a51d759e078c8e7
2018-11-16 03:10:14 -08:00
Nick Kralevich
598a75c11d Further protect app private data files
Remove the special case that allowed init to relabel app_data_file and
privapp_data_file. The auditallow added in
ab82125fc8 has never triggered.

Bug: 80190017
Test: policy compiles
Test: no SELinux denials collected for the auditallow rule
Change-Id: Ide7c31e1a0628464ec2fcf041e8975087c39166d
2018-11-16 01:03:11 -08:00
Treehugger Robot
e00ca14cbb Merge "Delete get_prop(su, ...) rules" 2018-11-16 06:16:30 +00:00
Nick Kralevich
40d4b0b6cc Delete get_prop(su, ...) rules
It is unnecessary to use get_prop() rules for the su domain. The
su domain is always in permissive mode [1] and not subject to SELinux
enforcement. It's also possible these rules were added to avoid SELinux
denial log spam from showing up, however, there are already dontaudit
rules in place [2] to prevent this.

Delete the unnecessary rules.

[1] 96b62a60c2/private/su.te (19)
[2] 96b62a60c2/public/su.te (42)

Test: policy compiles
Change-Id: I5913f360738725bf915f0606d381029b9ba4318f
2018-11-15 19:01:19 -08:00
Kevin Chyn
92bde4b941 Add placeholder iris and face policy for vold data directory
Test: vold is able to create directories, ag/5534962

Bug: 116528212

Change-Id: I61dd8802c13b1c42d334a80b678ca6a877848fc2
2018-11-15 17:32:03 -08:00
Treehugger Robot
cf7f20cfb4 Merge "racoon: allow ioctl TUNSETIFF" 2018-11-15 21:48:22 +00:00
Tri Vo
c7f56cdc83 Remove kmem_device selinux type.
kmem_device was used to label /dev/mem and /dev/kmem. We already have
multiple layers of protection against those /dev nodes being present on
devices.

CTS checks that /dev/mem and /dev/kmem don't exist:
https://android.googlesource.com/platform/cts/+/master/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java#233

VTS enforces our base kernel configs, which have CONFIG_DEVKMEM and
CONFIG_DEVMEM disabled:
https://android.googlesource.com/kernel/configs/+/master/android-4.9/android-base.config#2

Bug: 110962171
Test: m selinux_policy
Change-Id: I246740684218dee0cddf81dabf84d4763a753cde
2018-11-15 21:31:56 +00:00
Treehugger Robot
fb79404e3a Merge "allow apps tun_device ioctl TUNGETIFF;" 2018-11-15 21:06:26 +00:00
Yifan Hong
77fd9dbda4 Merge "Allow BLKIOMIN and BLKALIGNOFF to super device in update_engine." 2018-11-15 18:56:10 +00:00
Nick Kralevich
3ddaa63bde racoon: allow ioctl TUNSETIFF
Used by
bf16586a33/main.c (116)

Addresses the following denial:

audit(0.0:8126): avc: denied { ioctl } for comm="racoon" path="/dev/tun" dev="tmpfs" ino=25329 ioctlcmd=0x54ca scontext=u:r:racoon:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=0

Test: policy compiles.
Change-Id: Ia26077d4a9e810c7006d4b979d6b7e9ca154b485
2018-11-15 10:32:45 -08:00
Mårten Kongstad
f62362da52 Add idmap2 and idmap2d
Bug: 78815803
Test: builds, boots
Test: manual: adb shell idmap2 create ...
Test: manual: adb shell ps | grep -e idmap2d
Change-Id: I60852e15d99329896ff9de6559d1e7cd1c67e33d
2018-11-15 14:42:10 +00:00
Nick Kralevich
3b2df198d1 allow apps tun_device ioctl TUNGETIFF;
Commit 619c1ef2ac ("tun_device: enforce
ioctl restrictions") completely removed the ability of untrusted apps to
issue ioctl calls to tun_device. It turns out that this was too
aggressive. Wireshark apparently uses the TUNGETIFF ioctl.

Fixes the following denial:

audit(0.0:384744): avc: denied { ioctl } for comm=4173796E635461736B202332 path="/dev/tun" dev="tmpfs" ino=19560 ioctlcmd=54d2 scontext=u:r:untrusted_app:s0:c51,c257,c512,c768 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=1 app=com.wireguard.android

Test: policy compiles.
Change-Id: I71bb494036ea692781c00af37580748ab39d1332
2018-11-15 06:14:07 -08:00
Yifan Hong
8d32223bdc Allow BLKIOMIN and BLKALIGNOFF to super device in update_engine.
These ioctls are similar to BLKGETSIZE64; they return benign information
about the partition's alignment, and are used by liblp to optimally
align dynamic partition extents.

The system_block_device is included here because on retrofit devices,
the "super" partition is mapped to the system partition.

Test: manual OTA on retrofit device
Bug: 118506262
Change-Id: I3dd3c99d86d63f97bcd393cff374e27f5ed2da2e
2018-11-14 16:16:11 -08:00
Nick Kralevich
fefc887eda vold: allow ioctls BLKDISCARD and BLKGETSIZE
BLKDISCARD is used by vold while wiping block devices
b2455747a9/Utils.cpp (619)

BLKGETSIZE is used to determine the size of the block device. Ideally
code should not be using this ioctl, as it fails for devices >= 2T in
size. Vold indirectly uses this when executing /system/bin/newfs_msdos.
Arguably this is a bug in newfs_msdos, as BLKGETSIZE64 should be used
instead.
Code: 0c7e133c7f/mkfs_msdos.c (845)

Addresses the following denials:

audit(0.0:24): avc: denied { ioctl } for comm="Binder:588_2" path="/dev/block/vold/public:7,9" dev="tmpfs" ino=106407 ioctlcmd=1277 scontext=u:r:vold:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0
audit(0.0:25): avc: denied { ioctl } for comm="newfs_msdos" path="/dev/block/vold/public:7,9" dev="tmpfs" ino=106407 ioctlcmd=1260 scontext=u:r:vold:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0

Test: policy compiles.
Bug: 119562530
Change-Id: Ib7198daf150d6f2578545a6a402e0313069ea2b4
2018-11-14 13:01:00 -08:00
Florian Mayer
a8dd89f80f Merge "Add userdebug selinux config for heapprofd." 2018-11-14 10:14:46 +00:00
Treehugger Robot
b32113e106 Merge "Added system property (dumpstate.unroot) to run dumpstate as shell." 2018-11-14 09:50:08 +00:00
Florian Mayer
45f4847c21 Add userdebug selinux config for heapprofd.
Test: m
Test: flash sailfish
Test: profile system_server

Change-Id: I577793af655146ee91be86bb286fcf9d6e6d081d
2018-11-14 09:22:07 +00:00
Risan
0c1848b170 SELinux changes for AppFuse
We are moving AppFuse mount from system_server's mount namespace to
vold. Hence, we could reduce the SELinux permissions given to
system_server, in the expense of adding allow rules to vold and
letting appdomain have access to vold's fd.

Bug: 110379912
Test: testOpenProxyFileDescriptor passes (after vold and
system_server code changes)

Change-Id: I827a108bd118090542354360a8c90b295e6a0fef
2018-11-13 22:45:51 +00:00
Tri Vo
ced1751e45 Remove mtd_device type.
mtd_device does not label any /dev node present on walleye, and the only
permission to that type is:
allow hal_telephony_server mtd_device:dir search;
I suspect there is no need to keep mtd_device around.

Bug: 110962171
Test: boot aosp_walleye
Change-Id: If74b1258b21edeca38c8b7dc07a3a10b751a7e85
2018-11-12 23:11:03 +00:00
Treehugger Robot
ca5b01b0a6 Merge "Remove dead *_device types from system sepolicy." 2018-11-12 22:29:32 +00:00
Eugene Susla
c496db327e Add SELinux service for RoleManagerService
Test: ensure no build failures;
add RoleManagerService as a boot phase
ensure no SecurityException in logcat on boot
Change-Id: Ia0803c0fb084fe2b12f5c20f5e46354d0dd1aedf
2018-11-12 17:10:59 +00:00
Tri Vo
b805adaa16 Remove dead *_device types from system sepolicy.
No coredomain domain has access to these types and corresponding /dev
nodes don't exist on the device:

audio_seq_device
audio_timer_device
full_device
i2c_device
vcs_device

Bug: 110962171
Test: m selinux_policy
Test: boot walleye
Change-Id: I89ad4755e6760aa166cb22e2655567e5905dc672
2018-11-09 15:45:59 -08:00
Hongyi Zhang
b965e3c5f9 Sepolicies for server configural flags reset
Test: m -j succeeded and manual tested on device

Change-Id: I3415c58335361a9da4ef2368e61bc4e0250a91bb
2018-11-09 18:55:55 +00:00
Felipe Leme
da54e5f2dd Added system property (dumpstate.unroot) to run dumpstate as shell.
This is useful to test how it would behave on devices with user builds.

Bug: 117980186
Test: adb shell setprop dumpstate.unroot true && \
      adb shell cmd activity bug-report --progress

Change-Id: If9094bbe0c29e8180f1b35d2b4ac95343a1bd0eb
2018-11-08 08:25:32 -08:00
Martijn Coenen
6a62606115 Merge changes Ie0396d59,I75b2bade
* changes:
  Allow apexd to configure /sys/block/dm-
  Allow the kernel to access apexd file descriptors.
2018-11-08 15:28:53 +00:00
Martijn Coenen
ac2b2d44b3 Allow the kernel to access apexd file descriptors.
In earlier kernel versions (<4.0), the loopback driver issues
requests from a kernel thread. Therefore, the kernel needs access
to APEX file descriptors and data files (which are loopback
mounted).

Bug: 119220815
Test: mounting works on sailfish
Change-Id: I75b2bade41c64cf6fa6040d9c2f5489a206e04c6
2018-11-08 11:22:48 +01:00
Kevin Chyn
52261e78c0 Add placeholder sepolicy for iris and face
See aosp/660242 and aosp/608396

Fixes: 116530289

Test: builds
Change-Id: I220ece0d6751839fe764ff91fd7bd20c50104f8f
2018-11-07 14:11:56 -08:00