Commit graph

57 commits

Author SHA1 Message Date
John Wu
e5010a22a6 Remove key migration related changes
Migrating keys across UIDs is no longer required

Test: m
Bug: 228999189
Change-Id: I33e85635a4fe82bf1f98a9bfcf505a1067b4ed91
2022-07-20 15:19:37 +10:00
Thiébaud Weksteen
f412c13a02 Revert "Remove key migration related changes"
This reverts commit 65dcdf2921.

Reason for revert: broken internal target 

Change-Id: Idf57285d95f5466dfa3af08230af4c8f9d76326c
2022-07-07 08:40:23 +00:00
John Wu
65dcdf2921 Remove key migration related changes
Migrating keys across UIDs is no longer required

Test: m
Bug: 228999189
Change-Id: Icdecbdb3997f9c5b3d470578b1d61e580a1c3537
2022-06-26 01:04:02 +10:00
John Wu
3da8416b5d Revert "Revert "Revert "Remove key migration related changes"""
This reverts commit 82c4d9b474.

Reason for revert: b/235140708

Change-Id: Ifd14bcf4480c74b81602c16723efebef7aad10bd
2022-06-06 22:24:24 +00:00
John Wu
82c4d9b474 Revert "Revert "Remove key migration related changes""
This reverts commit e27f954836.

Reason for revert: this needs to land in AOSP

Change-Id: Ief92bf04eaff4235b0e33d427263bbff312837aa
2022-06-03 18:23:15 +00:00
John Wu
e27f954836 Revert "Remove key migration related changes"
This reverts commit cabed18a47.

Reason for revert: b/233922399

Change-Id: Ib371184de3c1bc4e3e0ca951e98d6b5e66952dcc
2022-05-25 23:36:42 +00:00
John Wu
cabed18a47 Remove key migration related changes
Migrating keys across UIDs is no longer required

Test: m
Bug: 228999189
Change-Id: Ic58a77285e105328a1f56ad9a8ca5d80bb559d83
2022-05-18 21:49:28 +00:00
Seth Moore
7e95d22296 Add keystore2 permission to get attestation keys
Contexts must have this permission to fetch remotely provisioned
attestation key blobs. It is expected that only credstore will have
this permission.

Test: manual, build and run cuttlefish
Bug: 194696876
Change-Id: Ieebd552129bc8be6b8831ec2e38eb6bda522b216
2022-01-18 16:17:45 -08:00
Treehugger Robot
1b0415fcb0 Merge changes I74797b13,I5d0b06e3
* changes:
  Dice HAL: Add policy for dice HAL.
  Diced: Add policy for diced the DICE daemon.
2021-11-17 23:56:14 +00:00
Janis Danisevskis
2b6c6063ae Diced: Add policy for diced the DICE daemon.
Bug: 198197213
Test: N/A
Change-Id: I5d0b06e3cd0c594cff6120856ca3bb4f7c1dd98d
2021-11-17 13:36:18 -08:00
Ashwini Oruganti
41843731cc Define and add the migrate_any_key permission to system_server
This change adds a permission migrate_any_key that will help the system
server in migrating keys for an app that wants to leave a sharedUserId.

Bug: 179284822
Test: compiles
Change-Id: I2f35a1335092e69f5b3e346e2e27284e1ec595ec
2021-11-16 10:18:19 -08:00
Paul Crowley
bf29c3a2dc Allow vold to deleteAllKeys in Keystore
Add deleteAllKeys to IKeystoreMaintenance and allow vold to call it.
Allow vold to read the property
`ro.crypto.metadata_init_delete_all_keys.enabled`

Bug: 187105270
Test: booted twice on Cuttlefish
Change-Id: I2fb0e94db9d35c1f19ca7acb2f541cfb13c23524
2021-08-10 21:51:09 -07:00
Bram Bonné
ea5460ab6e untrusted_app_30: add new targetSdk domain
Enforce new requirements on app with targetSdkVersion=32 including:
- No RTM_GETNEIGH on netlink route sockets.
- No RTM_GETNEIGHTBL on netlink route sockets.

Bug: 171572148
Test: atest NetworkInterfaceTest
Test: atest bionic-unit-tests-static
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Test: atest CtsSelinuxTargetSdk30TestCases
Test: atest CtsSelinuxTargetSdk29TestCases
Test: atest CtsSelinuxTargetSdk28TestCases
Test: atest CtsSelinuxTargetSdk27TestCases
Test: atest CompatChangesSelinuxTest
Test: atest NetlinkSocketTest
Change-Id: I2167e6cd564854c2656ee06c2202cfff2b727af5
2021-07-05 11:42:31 +02:00
Hasini Gunasinghe
4334d35f01 Add keystore permission for metrics re-routing.
Keystore2 atoms need to be rounted to statsd via a proxy.
The proxy needs to have this permission in order to pull metrics from
keystore.

Ignore-AOSP-First: No mergepath to AOSP.
Bug: 188590587
Test: Statsd Testdrive script
Change-Id: Ic94f4bb19a08b6300cfd2d3ed09b31d5b7081bfd
Merged-In: Ic94f4bb19a08b6300cfd2d3ed09b31d5b7081bfd
(cherry picked from commit 61d07e7ce0)
2021-06-30 17:02:14 -07:00
Paul Hobbs
f6fc9377ad Revert "untrusted_app_30: add new targetSdk domain"
Revert "Ignore SELinux denials for all untrusted_app domains"

Revert "Update tests to check RTM_GETNEIGH{TBL} restrictions"

Revert submission 1748045-getneigh-enable-restrictions

Reason for revert: Breaks android.net.netlink.NetlinkSocketTest#testBasicWorkingGetNeighborsQuery with permissions error.

Bug: 192406650

Reverted Changes:
Iea29a1b36:Ignore SELinux denials for all untrusted_app domai...
I14b755020:Update tests to check RTM_GETNEIGH{TBL} restrictio...
I32ebb407b:untrusted_app_30: add new targetSdk domain
I8598662b7:libsepol: trigger new RTM_GETNEIGH{TBL} behavior

Change-Id: I525544191520607fdd238b5ac55aa5132f679253
2021-06-30 07:41:39 +00:00
Bram Bonné
55badc22c1 untrusted_app_30: add new targetSdk domain
Enforce new requirements on app with targetSdkVersion=32 including:
- No RTM_GETNEIGH on netlink route sockets.
- No RTM_GETNEIGHTBL on netlink route sockets.

Bug: 171572148
Test: atest NetworkInterfaceTest
Test: atest bionic-unit-tests-static
Test: atest CtsSelinuxTargetSdkCurrentTestCases

Change-Id: I32ebb407b8dde1c872f53a1bc3c1ec20b9a5cb49
2021-06-29 17:50:22 +02:00
Satya Tangirala
45ed18d96a Merge "Keystore 2.0: Add early_boot_ended permission" 2021-03-24 19:47:47 +00:00
Janis Danisevskis
23d9de7915 Merge "Keystore 2.0: Add report_off_body access vector." 2021-03-24 16:04:54 +00:00
Satya Tangirala
5ef8686428 Keystore 2.0: Add early_boot_ended permission
Add early_boot_ended permission to the keystore2 access vector. This
permission must be checked before allowing calls to earlyBootEnded() on
Keymint devices.

Bug: 181821046
Bug: 181910578
Change-Id: I8860a4424a249455ab540b6c2896e7d836ceb8a3
2021-03-24 05:20:58 -07:00
Janis Danisevskis
7ca6b48848 Keystore 2.0: Add report_off_body access vector.
This permission is required to call
IKeystoreMaintenance::onDeviceOffBody.

Test: N/A
Bug: 171305684
Change-Id: Idf2e496dce607d63497b55858652869d85529238
2021-03-23 19:01:06 -07:00
Satya Tangirala
0653374e71 Add convert_storage_key_to_ephemeral to keystore2_key access vector
Introduce the convert_storage_key_to_ephemeral permission to the
keystore2_key access vector and give vold permission to use it. This
permission must be checked when a caller wants to get a per-boot
ephemeral key from a long lived wrapped storage key.

Bug: 181806377
Bug: 181910578
Change-Id: I542c084a8fab5153bc98212af64234e62e9ad032
2021-03-21 14:14:28 -07:00
Treehugger Robot
baf84ee461 Merge "Add SELinux policy for using userfaultfd" 2021-03-17 15:04:51 +00:00
Lokesh Gidra
06edcd8250 Add SELinux policy for using userfaultfd
ART runtime will be using userfaultfd for a new heap compaction
algorithm. After enabling userfaultfd in android kernels (with SELinux
support), the feature needs policy that allows { create ioctl read }
operations on userfaultfd file descriptors.

Bug: 160737021
Test: Manually tested by exercising userfaultfd ops in ART
Change-Id: I9ccb7fa9c25f91915639302715f6197d42ef988e
2021-03-17 04:57:22 -07:00
Hasini Gunasinghe
db88d1555f Add get_auth_token permission to allow credstore to call keystore2.
This CL adds a new keystore2 permission "get_auth_token"and grants this
permission to credstore which needs to call keystore2 to obtain
authtokens.

Bug: 159475191
Test: CtsVerifier
Change-Id: I1c02ea73afa6fe0b12a2d74e51fb4a8a94fd4baf
2021-03-12 20:32:06 +00:00
Hasini Gunasinghe
685ca0c888 Keystore 2.0: Add permissions and policy for user manager AIDL.
Bug: 176123105
Test: User can set a password and unlock the phone.
Change-Id: I96c033328eb360413e82e82c0c69210dea2ddac9
2021-02-17 08:55:31 -08:00
Janis Danisevskis
144c822018 Move list permission from keystore2_key to keystore class.
The list permission protects the ability to list arbitrary namespaces.
This is not a namespace specific permission but a Keystore specific
permission. Listing the entries of a given namsepace is covered by the
get_info permission already.

Ignore-AOSP-First: This needs to land in googleplex first to updated
                   prebuilt vendor images. Otherwise it breaks
                   aosp-with-phone builds.
Test: N/A
Change-Id: If6e79fd863a79acf8d8ab10c6362a4eeaa88a5b8
2020-10-01 05:33:31 +00:00
Janis Danisevskis
24f3dce0ca Add security class keystore2_key.
Keystore 2.0 has a different set of permission that it enforces.
We introduce keystore2_key so that we can set up policy for both
Keystore 1.0 and Keystore 2.0 for a gradual transition from one to
the other.

Bug: 158500146
Test: None
Change-Id: I3dcab06d73d242d63d21883659c304dfab8bf74f
Merged-In: I3dcab06d73d242d63d21883659c304dfab8bf74f
2020-08-05 16:11:48 +00:00
Alistair Delva
178f0ac675 Add new perfmon capability2 and use it
There are probably more cases but this one blocks presubmit
for cuttlefish with mainline kernels.

Bug: 158304247
Change-Id: I6d769b16a230a113a804df61f8de4dcbce2193b6
2020-06-05 10:15:31 -07:00
Nick Kralevich
e4686b4d8e access_vectors: add lockdown class
Needed to support upstream patch
59438b4647

Bug: 148822198
Test: compiles
Change-Id: I304c1a97c12067dd08d4ceef93702101908012ed
2020-02-13 13:05:54 -08:00
Treehugger Robot
73ed785807 Merge "access_vectors: remove flow_in and flow_out permissions from packet class" 2020-01-19 14:17:58 +00:00
Stephen Smalley
871546058d access_vectors: remove incorrect comment about mac_admin
CAP_MAC_ADMIN was originally introduced into the kernel for use
by Smack and not used by SELinux. However, SELinux later appropriated
CAP_MAC_ADMIN as a way to control setting/getting security contexts
unknown to the currently loaded policy for use in labeling filesystems
while running a policy that differs from the one being applied to
the filesystem, in
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=12b29f34558b9b45a2c6eabd4f3c6be939a3980f
circa v2.6.27.

Hence, the comment about mac_admin being unused by SELinux is inaccurate.
Remove it.

The corresponding change to refpolicy is:
5fda529636

Test: policy builds

Change-Id: Ie3637882200732e498c53a834a27284da838dfb8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-16 10:29:15 -05:00
Stephen Smalley
51ed2f918d access_vectors: remove flow_in and flow_out permissions from packet class
These permissions were never checked upstream; they were only added to the
kernel definitions when the peer class was added for consistency with
Fedora SELinux policies by:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f67f4f315f31e7907779adb3296fb6682e755342
and were removed from the kernel's classmap in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=47ac19ea429aee561f66e9cd05b908e8ffbc498a
circa v2.6.39.

NB These permissions do not appear to have ever been used in any Android
policy, but the declarations do exist in the
prebuilts/api/*/private/access_vectors files.
This change does not update those files.

The corresponding change was made to refpolicy in:
f4459adf32

Test: policy still builds

Change-Id: Ic76c54b10fef2d5a688e5065e9f058f74f646820
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-16 10:17:12 -05:00
Stephen Smalley
cd62a4a56a access_vectors: re-organize common file perms
The open, audit_access, execmod, and watch* permissions
are all defined in the COMMON_FILE_PERMS in the kernel
classmap and inherited by all the file-related classes;
we can do the same in the policy by putting them into the
common file declaration.

refpolicy recently similarly reorganized its definitions and added the
watch* permissions to common file, see:
e5dbe75276
c656b97a28
3952ecb4dd

Adding new permissions to the end of the existing classes was only
required for kernels that predate the dynamic class/perm mapping
support (< v2.6.33).

Test: policy still builds

Change-Id: I44a2c3a94c21ed23410b6f807af7f1179e2c1747
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-14 14:59:08 -05:00
Ryan Savitski
80640c536c perf_event: define security class and access vectors
This patch allows us to write SELinux policies for the
perf_event_open() syscall LSM hooks added to the kernel in the following
commit:
da97e18458

Bug: 137092007
Change-Id: I0005759eb7a487faebe94a4653e3865343eb441e
2020-01-13 14:56:54 +00:00
Jeff Vander Stoep
fb69c8e64f netlink_route_socket: add new nlmsg_readpriv perm
Used when mapping RTM_GETLINK messages to this new permission.

Users of netlink_route_sockets that do not use the net_domain()
macro will need to grant this permission as needed. Compatibility
with older vendor images is preserved by granting all vendor domains
access to this new permission in *.compat.cil files.

Bug: 141455849
Test: build (this change is a no-op without kernel changes)
Change-Id: I18f1c9fc958120a26b7b3bea004920d848ffb26e
2019-10-16 16:14:16 +02:00
Nick Kralevich
dddbaaf1e8 update sepolicy for fs notification hooks
Update access_vectors and global_macros to account for the changes in
kernel commit
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=ac5656d8a4cdd93cd2c74355ed12e5617817e0e7

This change is needed to allow Android to boot on linux-next

Test: compiles
Change-Id: I35c59fc50fa9c94ab94399ce74d637e49d38129d
2019-08-27 15:31:59 -07:00
Nick Kralevich
ea1775dcb5 Update access_vectors
Update access_vectors to support newer kernel functionality.
This change does not grant any new access.

Inspired by the following refpolicy commits:
* 25a5b24274
* 109ab3296b
* 437e48ac53

Bug: 118843234
Test: policy compiles
Change-Id: I7c5a8dcf288dc2321adcf368bd0c0573c5257202
2018-11-01 19:53:50 -07:00
Nick Kralevich
f5a1b1bfa9 Move class bpf definition
No functional change. This reorg just makes it easier to perform diffs
against https://github.com/SELinuxProject/refpolicy/blob/master/policy/flask/access_vectors

Test: policy builds.
Change-Id: I10cf9547d57981c76ee7e76daa382bb504e36d0b
2018-10-18 09:08:26 -07:00
Nick Kralevich
1b1d133be5 Add nnp_nosuid_transition policycap and related class/perm definitions.
af63f4193f
allows a security policy writer to determine whether transitions under
nosuid / NO_NEW_PRIVS should be allowed or not.

Define these permissions, so that they're usable to policy writers.

This change is modeled after refpolicy
1637a8b407

Test: policy compiles and device boots
Test Note: Because this requires a newer kernel, full testing on such
   kernels could not be done.
Change-Id: I9866724b3b97adfc0cdef5aaba6de0ebbfbda72f
2018-09-07 10:52:31 -07:00
Chenbo Feng
08f92f9c01 sepolicy: New sepolicy classes and rules about bpf object
Add the new classes for eBPF map and program to limit the access to eBPF
object. Add corresponding rules to allow netd module initialize bpf
programs and maps, use the program and read/wirte to eBPF maps.

Test: no bpf sepolicy violations when device boot
Change-Id: I63c35cd60f1972d4fb36ef2408da8d5f2246f7fd
2018-01-02 11:52:33 -08:00
Stephen Smalley
9fbc408f93 sepolicy: Define validate_trans permission
am: 509923116f

Change-Id: Ia24ef33e8cdbee7c3336fda2a5c0ec0e4ca751f0
2017-07-13 17:04:15 +00:00
Stephen Smalley
90f46dd922 Merge "sepolicy: Define and allow map permission"
am: 770214abda

Change-Id: I253dad49662831625a17162b18f013e0b4a87af4
2017-07-13 17:04:02 +00:00
Stephen Smalley
509923116f sepolicy: Define validate_trans permission
Kernel commit f9df6458218f4fe ("selinux: export validatetrans
decisions") introduced a /sys/fs/selinux/validatetrans pseudo file
for use by userspace file system servers and defined a new validatetrans
permission to control its use.

Define the new permission in the Android SELinux policy.
This change only defines the new permission; it does not allow it
to any domains by default.

This avoids a kernel message warning about the undefined permission on
the policy load, ala:
SELinux:  Permission validate_trans in class security not defined in policy.

Test: Policy builds

Change-Id: Ib922a83b7d8f94905207663a72f7a1bc3db8d2c2
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-13 16:57:27 +00:00
Stephen Smalley
4397f08288 sepolicy: Define and allow map permission
Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap")
added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation).  The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific files
for which we need to ensure that every access is revalidated, particularly
useful for scenarios where we expect the file to be relabeled at runtime
in order to reflect state changes (e.g. cross-domain solution, assured
pipeline without data copying).  The kernel commit is anticipated to
be included in Linux 4.13.

This change defines map permission for the Android policy.  It mirrors
the definition in the kernel classmap by adding it to the common
definitions for files and sockets.  This will break compatibility for
kernels that predate the dynamic class/perm mapping support (< 2.6.33);
on such kernels, one would instead need to add map permission
to the end of each file and socket access vector.

This change also adds map permission to the global macro definitions for
file permissions, thereby allowing it in any allow rule that uses these
macros, and to specific rules allowing mapping of files from /system
and executable types. This should cover most cases where it is needed,
although it may still need to be added to specific allow rules when the
global macros are not used.

Test: Policy builds

Change-Id: Iab3ccd2b6587618e68ecab58218838749fe5e7f5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-10 16:31:23 -04:00
Stephen Smalley
52909aca44 Define smc_socket security class.
am: 2be9799bcc

Change-Id: If42bc0d3fc50db8294c8a9fd083d915b8e47a95e
2017-06-26 22:02:28 +00:00
Stephen Smalley
a77096b02a Merge "Define getrlimit permission for class process"
am: e02e0ad1cc

Change-Id: I67eea67d667005d5ac357e1131a319ed57b33894
2017-06-26 22:02:12 +00:00
Stephen Smalley
2be9799bcc Define smc_socket security class.
Linux kernel commit da69a5306ab9 ("selinux: support distinctions among all
network address families") triggers a build error if a new address family
is added without defining a corresponding SELinux security class.  As a
result, the smc_socket class was added to the kernel to resolve a build
failure as part of merge commit 3051bf36c25d that introduced AF_SMC circa
Linux 4.11.  Define this security class and its access vector, add
it to the socket_class_set macro, and exclude it from webview_zygote
like other socket classes.

Test:  Policy builds

Change-Id: Idbb8139bb09c6d1c47f1a76bd10f4ce1e9d939cb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-26 21:44:58 +00:00
Stephen Smalley
91a3eeac8f Define getrlimit permission for class process
This permission was added to the kernel in commit 791ec491c372
("prlimit,security,selinux: add a security hook for prlimit")
circa Linux 4.12 in order to control the ability to get the resource
limits of another process.  It is only checked when acting on another
process, so it is not required for getrlimit(2), only for prlimit(2)
on another process.

Test:  Policy builds

Change-Id: Ic0079a341e959f1c5a3d045974df4b756fd4ab67
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-17 12:13:15 -04:00
Dan Cashman
2f1c7ba75e Remove vndservice_manager object classes.
vndservicemanager is a copy of servicemanager, and so has the exact
same properties.  This should be reflected in the sharing of an object
manager in SELinux policy, rather than creating a second one, which is
effectively an attempt at namespacing based on object rather than type
labels.  hwservicemanager, however, provides different and additional
functionality that may be reflected in changed permissions, though they
currently map to the existing servicemanager permissions.  Keep the new
hwservice_manager object manager but remove the vndservice_manager one.

Bug: 34454312
Bug: 36052864
Test: policy builds and device boots.
Change-Id: I9e0c2757be4026101e32ba780f1fa67130cfa14e
2017-04-18 12:40:44 -07:00
Shawn Willden
a0c7f01299 Add keystore_key:attest_unique_id to priv_app.
Only privileged apps are supposed to be able to get unique IDs from
attestation.

Test: CTS test verifies the negative condition, manual the positive
Bug: 34671471
Change-Id: I9ab3f71b1e11ed1d7866ff933feece73152d2578
2017-04-12 06:39:14 -06:00