Commit graph

38 commits

Author SHA1 Message Date
Ryan Savitski
ffa0dd93f3 perf_event: rules for system and simpleperf domain
This patch adds the necessary rules to support the existing usage of
perf_event_open by the system partition, which almost exclusively
concerns the simpleperf profiler. A new domain is introduced for some
(but not all) executions of the system image simpleperf. The following
configurations are supported:
* shell -> shell process (no domain transition)
* shell -> debuggable app (through shell -> runas -> runas_app)
* shell -> profileable app (through shell -> simpleperf_app_runner ->
                            untrusted_app -> simpleperf)
* debuggable/profile app -> self (through untrusted_app -> simpleperf)

simpleperf_app_runner still enters the untrusted_app domain immediately
before exec to properly inherit the categories related to MLS. My
understanding is that a direct transition would require modifying
external/selinux and seapp_contexts as with "fromRunAs", which seems
unnecessarily complex for this case.

runas_app can still run side-loaded binaries and use perf_event_open,
but it checks that the target app is exactly "debuggable"
(profileability is insufficient).

system-wide profiling is effectively constrained to "su" on debug
builds.

See go/perf-event-open-security for a more detailed explanation of the
scenarios covered here.

Tested: "atest CtsSimpleperfTestCases" on crosshatch-user/userdebug
Tested: manual simpleperf invocations on crosshatch-userdebug
Bug: 137092007
Change-Id: I2100929bae6d81f336f72eff4235fd5a78b94066
2020-01-15 16:56:41 +00:00
Florian Mayer
5e52281372 Allow Java domains to be Perfetto producers.
This is needed to get Java heap graphs.

Test: flash aosp; profile system_server with setenforce 1

Bug: 136210868

Change-Id: I87dffdf28d09e6ce5f706782422510c615521ab3
2019-10-10 10:40:26 +01:00
Florian Mayer
d54f4487bc Merge "Allow shell to unlink perfetto_traces_data_file." 2019-09-30 17:40:01 +00:00
Florian Mayer
c069bc134e Allow shell to unlink perfetto_traces_data_file.
Bug: 141704436
Test:
blueline:/ $ ls -lZa /data/misc/perfetto-traces
total 186
drwxrwx-wx  2 root   shell u:object_r:perfetto_traces_data_file:s0    3488 2019-09-30 14:12 .
drwxrwx--t 46 system misc  u:object_r:system_data_file:s0             3488 2019-09-30 14:08 ..
-rw-------  1 shell  shell u:object_r:perfetto_traces_data_file:s0  180467 2019-09-30 14:12 profile-shell
blueline:/ $ rm /data/misc/perfetto-traces/profile-shell
rm ro /data/misc/perfetto-traces/profile-shell (y/N):y
blueline:/ $ ls -lZa /data/misc/perfetto-traces
total 6
drwxrwx-wx  2 root   shell u:object_r:perfetto_traces_data_file:s0  3488 2019-09-30 14:13 .
drwxrwx--t 46 system misc  u:object_r:system_data_file:s0           3488 2019-09-30 14:08 ..
blueline:/ $


Change-Id: Ia710068c3cca53a415347fb0a7064740e500d15d
2019-09-30 13:13:14 +00:00
Eric Biggers
b57af5d0e6 Allow shell to get encryption policy for CTS
Allow the shell domain to use the FS_IOC_GET_ENCRYPTION_POLICY and
FS_IOC_GET_ENCRYPTION_POLICY_EX ioctls so that we can write a CTS test
which checks that the device complies with the CDD requirements to use
appropriate algorithms for file-based encryption.

The information returned by these ioctls is already available in logcat,
but scraping the log for a CTS test seems fragile; I assume that people
would prefer a more robust solution.

For more details see change I9082241066cba82b531e51f9a5aec14526467162

Bug: 111311698
Test: the CTS test works after this change.
Change-Id: Ib9ce6b42fcfb6b546eb80a93ae8d17ac5a433984
2019-09-27 15:24:27 -07:00
Kiyoung Kim
82c87ede24 Define sepolicy with property for linker
To support linker-specific property, sys.linker.* has been defined as
linker_prop. This will have get_prop access from domain so all binaries
can start with linker using proper property access level.

Bug: 138920271
Test: m -j && Confirmed from cuttlefish that get_prop errors are no longer found
Change-Id: Iaf584e0cbdd5bca3d5667e93cf9a6401e757a314
2019-08-14 12:35:15 +09:00
Yifan Hong
18ade868ff Add rules for lpdump and lpdumpd
- lpdump is a binary on the device that talks to lpdumpd
  via binder.

- lpdumpd is a daemon on the device that actually reads
  dynamic partition metadata. Only lpdump can talk to it.

Bug: 126233777
Test: boots (sanity)
Test: lpdump

Change-Id: I0e21f35ac136bcbb0603940364e8117f2d6ac438
2019-03-25 10:14:20 -07:00
Nick Kralevich
68e27caeb6 allow shell rs_exec:file rx_file_perms
Hostside tests depend on being able to execute /system/bin/bcc. Allow
it.

From bug:

In the NDK:

  $ ./checkbuild.py
  $ virtualenv -p ../out/bootstrap/bin/python3 env
  $ source env/bin/activate
  $ ./run_tests.py --filter rs-cpp-basic
  FAIL rs-cpp-basic.rstest-compute [armeabi-v7a-19]: android-28 marlin HT67L0200247 QPP1.190205.017
  New RS 0xee70f000
  Segmentation fault

  FAIL rs-cpp-basic.rstest-compute [arm64-v8a-21]: android-28 marlin HT67L0200247 QPP1.190205.017
  New RS 0x7a91e13000
  Segmentation fault

  02-23 23:00:45.635  9516  9518 V RenderScript: Successfully loaded runtime: libRSDriver_adreno.so
  02-23 23:00:45.650  9518  9518 W rstest-compute: type=1400 audit(0.0:15): avc: denied { read } for name="bcc" dev="dm-0" ino=390 scontext=u:r:shell:s0 tcontext=u:object_r:rs_exec:s0 tclass=file permissive=0
  02-23 23:00:45.651  9516  9518 E RenderScript: Cannot open file '/system/bin/bcc' to compute checksum
  02-23 23:00:45.652  9516  9516 E rsC++   : Internal error: Object id 0.

Test: compiles
Fixes: 126388046
Change-Id: I28e591d660c4ba9a33135e940d298d35474ef0b6
2019-02-26 13:09:28 -08:00
Nick Kralevich
905b4000cb Fix dl.exec_linker* tests
The dl.exec_linker* tests verify that the linker can invoked on an
executable. That feature still works, but not with the default
shell user, which is required for the CTS bionic tests.

Addresses the following denial:

audit(0.0:5493): avc: denied { execute_no_trans } for path="/bionic/bin/linker64" dev="loop3" ino=25 scontext=u:r:shell:s0 tcontext=u:object_r:system_linker_exec:s0 tclass=file permissive=0

Bug: 124789393
Test: compiles
Change-Id: I77772b2136fae97174eeba6542906c0802fce990
2019-02-25 15:11:40 -08:00
Florian Mayer
aeca04b967 Allow to signal perfetto from shell.
When daemonizing perfetto, SIGINT should be sent to ensure clean
shutdown.

Denial:
12-06 11:12:16.566  3099  3099 I sh      : type=1400 audit(0.0:462): avc: denied { signal } for scontext=u:r:shell:s0 tcontext=u:r:perfetto:s0 tclass=process permissive=1

Test: m
Test: flash walleye
Test: SIGINT perfetto from shell

Change-Id: I8d34b447ea90c315faf88f020f1dfc49e4abbcce
2018-12-13 10:46:42 +00:00
Fan Xu
ffffed28fa Remove unused bufferhub sepolicy
These selinux policy rules were added for bufferhub to run a binder
service. But later we decided to use a hwbinder service instead, and the
original binder service was removed in git/master. Now we can safely
remove these rules.

Test: Build passed. Device boot successfully without selinux denial.
Bug: 118891412
Change-Id: I349b5f0f2fa8fb6a7cfe7869d936791355c20753
2018-12-10 13:36:11 -08:00
Yiwei Zhang
ff0f79c195 [gpuservice] allow "adb shell cmd gpu vkjson"
Also allow adb shell dumpsys gpu to not return error.

Bug: 120095213
Test: flash non-eng build and adb shell cmd gpu vkjson
Change-Id: Ia4a50a475ce76ec35e082dd52d4a6c80dde7f571
2018-11-27 15:58:20 -08:00
Jeff Vander Stoep
424517721c Remove access to /proc/net/{tcp,udp}
Remove these files from proc_net_type. Domains that need access must
have permission explicitly granted. Neverallow app access except the
shell domain.

Bug: 114475727
Test: atest CtsLibcoreOjTestCases
Test: netstat, lsof
Test: adb bugreport
Change-Id: I2304e3e98c0d637af78a361569466aa2fbe79fa0
2018-09-30 21:33:47 -07:00
Wei Wang
bc71a6109e Add atrace HAL 1.0 sepolicy
Bug: 111098596
Test: atrace/systrace

(cherry picked from commit 9ed5cf6e43)

Change-Id: I97772ff21754d03a0aea0d53b39e8da5312a17c0
2018-09-27 23:18:29 +00:00
Fan Xu
26fa914cb2 Update SELinux Policy for bufferhubd
Create a new service type buffer_hub_binder_service for
BufferHubBinderService and allow bufferhubd to publish the service.

Add the service to 26.0, 27.0 and 28.0 compat ignore files since the
service is not available in past versions.

Fixes: 116022258
Test: build passed

Change-Id: I5a21f00329ed474433d96c8d1ce32377f20cada3
2018-09-24 12:29:43 -07:00
Bookatz
022ab0e738 Statsd allow shell in selinux policy
CTS tests need to be able to call, from hostside:
adb shell cmd stats dump-report (and others)
On a user build, this will fail because of an selinux policy violation
from shell. This cl fixes this by granting shell permission.

Similarly, Settings needs to communicate with statsd, so
system_app-statsd binder calls are given permission.

Bug: 72961153
Bug: 73255014
Test: run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.atom.HostAtomTests
Test: manual confirmation
Change-Id: I6589ab4ef5c91a4a7f78eb97b63d9bb43e3d8f02
2018-02-13 09:34:55 -08:00
Carmen Jackson
2c8ca45d2d Use a whitelisting strategy for tracefs.
This changes tracefs files to be default-enabled in debug mode, but
default-disabled with specific files enabled in user mode.

Bug: 64762598
Test: Successfully took traces in user mode.

Change-Id: I572ea22253e0c1e42065fbd1d2fd7845de06fceb
2018-02-05 10:03:06 -08:00
Primiano Tucci
1a9f4f7a7a SELinux policies for Perfetto cmdline client (/system/bin/perfetto)
Instead of having statsd linking the perfetto client library
and talk directly to its socket, we let just statsd exec()
the /system/bin/perfetto cmdline client.

There are two reasons for this:
1) Simplify the interaction between statsd and perfetto, reduce
  dependencies, binary size bloat and isolate faults.
2) The cmdline client also takes care of handing the trace to
  Dropbox. This allows to expose the binder interaction surface
  to the short-lived cmdline client and avoid to grant binder
  access to the perfetto traced daemon.

This cmdline client will be used by:
 - statsd
 - the shell user (for our UI and Studio)

Bug: 70942310
Change-Id: I8cdde181481ad0a1a5cae5937ac446cedac54a1f
2018-01-29 11:06:00 +00:00
Yifan Hong
00ab5d86be Allow shell to start vendor shell
Test: adb shell /vendor/bin/sh
Fixes: 65448858
Change-Id: Ic2c9fa9b7e5bed3e1532f4e545f54a857ea99fc6
2018-01-16 18:28:51 +00:00
Primiano Tucci
c80f9e037b Perfetto SELinux policies
Perfetto is a performance instrumentation and logging framework,
living in AOSP's /external/pefetto.
Perfetto introduces in the system one binary and two daemons
(the binary can specialize in either depending on the cmdline).

1) traced: unprivileged daemon. This is architecturally similar to logd.
   It exposes two UNIX sockets:
   - /dev/socket/traced_producer : world-accessible, allows to stream
     tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS
     from traced to each client process, which needs to be able to
     mmap it R/W (but not X)
   - /dev/socket/traced_consumer : privilege-accessible (only from:
     shell, statsd). It allows to configure tracing and read the trace
     buffer.
2) traced_probes: privileged daemon. This needs to:
   - access tracingfs (/d/tracing) to turn tracing on and off.
   - exec atrace
   - connect to traced_producer to stream data to traced.

init.rc file:
https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc

Bug: 70942310
Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2018-01-10 00:18:46 +00:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Steven Moreland
5b2ebd3b25 Revert "Add screencap domain."
This reverts commit 9216a6adc9.

Bug: 65206688

Merged-In: I8e61b77a1abe9543e4fba77defb8062407676fcf
Change-Id: I8e61b77a1abe9543e4fba77defb8062407676fcf
2017-09-05 10:08:09 -07:00
Steven Moreland
9216a6adc9 Add screencap domain.
Only seeing this denial in permissive:
allow shell screencap_exec:file getattr;

Bug: 37565047
Test: adb shell screencap w/o root
Test: cts-tradefed run cts-dev --module CtsAadbHostTestCases
Merged-In: I9f31d2067e002e7042646ee38dbfc06687481ac7
Change-Id: I9f31d2067e002e7042646ee38dbfc06687481ac7
2017-08-14 11:46:08 -07:00
Joel Galenson
47966cecbb resolve merge conflicts of 27c0aa7a to stage-aosp-master
Test: I solemnly swear I tested this conflict resolution.

Merged-In: Ia28707ec565a0792bc882fbffe9e8ab9968535f5
Change-Id: I1f087fe5e7a71761a16673331619f52998473b44
2017-07-27 17:18:04 +00:00
Joel Galenson
27c0aa7a42 Move file labeling to genfs_contexts.
This should improve performance, as file_contexts is slower than
genfs_contexts.

Bug: 62413700
Test: Built, flashed, and booted Sailfish.  Verified that the
files have the correct context and that wifi, web, and atrace work.

Merged-In: Ia28707ec565a0792bc882fbffe9e8ab9968535f5
Change-Id: I9546f3af3c95e3443684ae4764881b69987611ef
2017-07-27 13:19:55 +00:00
Siarhei Vishniakou
295a27a31c Merge "Allow shell access on /dev/uhid node" am: 216b377d78 am: c1e8f82545
am: 45c4b14245

Change-Id: I6cb948d50f22f162d4b647259d12143cff7b61de
2017-05-12 01:00:52 +00:00
Siarhei Vishniakou
2a7f571028 Allow shell access on /dev/uhid node
Node for /dev/uhid driver needs to be accessible
by shell for the 'hid' command in frameworks/base/cmds.
This CL is in support of another CL c/2048848, topic
'Refactor hid command in /frameworks/base/cmds'
in internal master.

Bug: 34052337
Test: CTS test for GamepadTestCase#testButtonA; Checked that
cat /dev/uhid does not raise permission error.

Change-Id: I861c1226b4a67272af7c2a93d7811bf87a083478
2017-05-10 19:37:06 -07:00
Yifan Hong
d868e839a2 Merge "Allow adbd and shell to read /proc/config.gz" into oc-dev
am: e1074f8bfc

Change-Id: I4854065d0fd85782076ef96aeed137170e2e7a32
2017-05-09 02:42:44 +00:00
Yifan Hong
19a87733c5 Allow adbd and shell to read /proc/config.gz
for CTS device info collection purposes.

Bug: 28656227
Test: m cts -j && cts-tradefed run cts -m Gesture --test
android.gesture.cts.GestureTest#testGetStrokes

Change-Id: I8caf3580fb05fb489dc5abb917c8cb78cb089fb7
2017-05-08 14:40:25 -07:00
Nick Kralevich
c4df0d71d2 Merge "Further restrict SELinux API access" am: 076677330d am: b49bc8212a
am: 1ffa6f80da

Change-Id: I4e1669df2067738858c2d7a1e79e0a153cfeef5b
2017-05-08 19:10:23 +00:00
Nick Kralevich
14e2e9261f Further restrict SELinux API access
Remove SELinux access from domain_deprecated. Access to SELinux APIs can
be granted on a per-domain basis.

Remove appdomain access to SELinux APIs. SELinux APIs are not public and
are not intended for application use. In particular, some exploits poll
on /sys/fs/selinux/enforce to determine if the attack was successful,
and we want to ensure that the behavior isn't allowed. This access was
only granted in the past for CTS purposes, but all the relevant CTS
tests have been moved to the shell domain.

Bug: 27756382
Bug: 28760354
Test: Device boots and no obvious problems. No collected denials.
Change-Id: Ide68311bd0542671c8ebf9df0326e512a1cf325b
2017-05-08 09:51:59 -07:00
Carmen Jackson
25788df115 Add selinux rules for additional file contexts in userdebug
These rules allow the additional tracepoints we need for running traceur
in userdebug builds to be writeable.

Bug: 37110010
Test: I'm testing by running atrace -l and confirming that the
tracepoints that I'm attempting to enable are available.

Change-Id: Ia352100ed67819ae5acca2aad803fa392d8b80fd
2017-04-18 14:33:41 -07:00
Jin Qian
a239f30fd6 storaged: allow shell to call dumpsys storaged
Test: adb kill-server && adb shell dumpsys storaged
Bug: 36492915
Change-Id: I3a1a2ad2f016ddd5770d585cae82c8be69001df9
2017-03-31 10:53:55 -07:00
Jin Qian
af3eaf0d20 storaged: allow shell to call dumpsys storaged
Test: adb kill-server && adb shell dumpsys storaged
Bug: 36492915
Change-Id: I3a1a2ad2f016ddd5770d585cae82c8be69001df9
2017-03-30 16:21:29 -07:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
Nick Kralevich
4cae28d43c tracefs: avoid overly generic regexes
On boot, Android runs restorecon on a number of virtual directories,
such as /sys and /sys/kernel/debug, to ensure that the SELinux labels
are correct. To avoid causing excessive boot time delays, the restorecon
code aggressively prunes directories, to avoid recursing down directory
trees which will never have a matching SELinux label.

See:
* https://android-review.googlesource.com/93401
* https://android-review.googlesource.com/109103

The key to this optimization is avoiding unnecessarily broad regular
expressions in file_contexts. If an overly broad regex exists, the tree
pruning code is ineffective, and the restorecon ends up visiting lots of
unnecessary directories.

The directory /sys/kernel/debug/tracing contains approximately 4500
files normally, and on debuggable builds, this number can jump to over
9000 files when the processing from wifi-events.rc occurs. For
comparison, the entire /sys/kernel/debug tree (excluding
/sys/kernel/debug/tracing) only contains approximately 8000 files. The
regular expression "/sys/kernel(/debug)?/tracing/(.*)?" ends up matching
a significant number of files, which impacts boot performance.

Instead of using an overly broad regex, refine the regex so only the
files needed have an entry in file_contexts. This list of files is
essentially a duplicate of the entries in
frameworks/native/cmds/atrace/atrace.rc .

This change reduces the restorecon_recursive call for /sys/kernel/debug
from approximately 260ms to 40ms, a boot time reduction of approximately
220ms.

Bug: 35248779
Test: device boots, no SELinux denials, faster boot.
Change-Id: I70f8af102762ec0180546b05fcf014c097135f3e
2017-02-12 08:40:32 -08:00
dcashman
3e8dbf01ef Restore app_domain macro and move to private use.
app_domain was split up in commit: 2e00e6373f to
enable compilation by hiding type_transition rules from public policy.  These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware.  Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.

(cherry-pick of commit: 76035ea019)

Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
2016-12-08 14:42:43 -08:00
dcashman
2e00e6373f sepolicy: add version_policy tool and version non-platform policy.
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-12-06 08:56:02 -08:00