Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap")
added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation). system/sepolicy commit
4397f08288 introduced the permission to
Android and updated common macros. Since then, we've been adding more
mmap support where it was accidentally omitted.
Add the ability for isolated_apps to mmap() app data files. There's no
reason why this should be blocked. Also fixup sdcard access which has
similar problems.
Bug: 118760652
Bug: https://crbug.com/892014
Test: policy compiles.
Change-Id: I3823f313103c9dcedf3b21d081a22f8fbb271c02
Create a transient SELinux domain where system_server can perform
certain JIT setup. The idea is that system_server will start in the
system_server_startup domain, setup certain JIT pages, then perform a
one-way transition into the system_server domain. From that point,
further JITing operations are disallowed.
Bug: 62356545
Test: device boots, no permission errors
Change-Id: Ic55b2cc5aba420ebcf62736622e08881a4779004
This reverts commit 0dd738d810.
Reason for revert: CtsSimpleperfTestCases CTS test case failures.
See b/118704604 for details.
Bug: 112357170
Bug: 118704604
Change-Id: Ibe921f3bbc3404694542ef695883c1a30777d68b
These ioctls are similar to BLKGETSIZE64; they return benign information
about the partition's alignment, and are used by liblp to optimally
align dynamic partition extents.
The system_block_device is included here because on retrofit devices,
the "super" partition is mapped to the system partition.
Bug: 116802789
Test: fastboot flashall
Change-Id: I38282904828105cf5f16ce9d4b5884d2b0e89d38
This is a temporary measure to disable treble sepolicy tests for
non-compliant targets.
Bug: 113124961
Bug: 111243627
Change-Id: I83d6efad0ff5c7d87a4b990560c390b66aeb3653
Test: m selinux_policy
untrusted_app: Remove the ability to run execve() on files within an
application's home directory. Executing code from a writable /home
directory is a W^X violation (https://en.wikipedia.org/wiki/W%5EX).
Additionally, loading code from application home directories violates a
security requirement that all executable code mapped into memory must
come from signed sources, or be derived from signed sources.
Note: this change does *not* remove the ability to load executable code
through other mechanisms, such as mmap(PROT_EXEC) of a file descriptor
from the app's home directory. In particular, functionality like
dlopen() on files in an app's home directory continues to work even
after this change.
untrusted_app_25 and untrusted_app_27: For backwards compatibility,
continue to allow these domains to execve() files from the
application's home directory.
seapp_contexts: Bump the minimum API level required to enter the
untrusted_app domain. This will run API level 27-28 processes in
the API level 27 sandbox. API level 28 will continue to run with
levelFrom=all, and API level 27 will continue to run with
levelFrom=user.
Bug: 112357170
Test: Device boots and no obvious problems.
Test: See CTS test at https://android-review.googlesource.com/c/platform/cts/+/804228
Change-Id: Ief9ae3a227d16ab5792f43bacbb577c1e70185a0
Update the "allowxperm" to reflect the various ioctl() performed in
the vold source code.
Bug: 118437832
Test: atest android.os.storage.cts.StorageManagerTest
Change-Id: Ide3a09104d8b4ce7fa2b7e23e9b215139186f595
system/sepolicy commit 23c9d91b46
introduced a new type called privapp_data_file. This type is used to
label priv-app's /home files. For backwards compatibility, priv-app
rules involving normal app_data_files were preserved. Subsequently,
system/sepolicy commit 5d1755194a
assigned the file label privapp_data_file to /home files owned
by priv-apps.
Because of the previous labeling of priv-app data files, priv-apps were
granted the ability to mmap(PROT_EXEC) any other app's /home files,
regardless of how trustworthy or untrustworthy those files were. Commit
23c9d91b46 preserved the status quo.
However, now that we have a more refined label for priv-app /home files,
we no longer need to be as permissive.
Drop the ability for priv-apps to map executable code from
untrusted_apps home directories. "execute" is removed in this change,
and "execute_no_trans" was previously removed in commit
8fb4cb8bc2. Add a neverallow assertion
(compile time assertion + CTS test) to prevent regressions.
Further clarify why we need to support priv-apps loading executable code
from their own home directories, at least for now. b/112037137 covers
further tightening we can do in this area.
Bug: 112357170
Test: Device boots and no problems.
Change-Id: Ia6a9eb4c2ed8a02ad45644d025181ba3c8424cda
The current rule is missing mmap. r_file_perm implicitly adds mmap, so
we should just use that instead.
Test: policy compiles.
Change-Id: I4051d1eb4c36a2b6ff2b5f26ce53355287cbe2b4
We are moving AppFuse mount from system_server's mount namespace to
vold. Hence, we could reduce the SELinux permissions given to
system_server, in the expense of adding allow rules to vold and
letting appdomain have access to vold's fd.
Bug: 110379912
Test: testOpenProxyFileDescriptor passes (after vold and
system_server code changes)
Change-Id: I4731a8ec846c5cb84ec4b680d51938494e8ddd75
Remove blanket coredomain access to same_process_hal_file in favor of
granular access. This change takes into account audits from go/sedenials
(our internal dogfood program)
Bug: 37211678
Test: m selinux_policy
Change-Id: I5634fb65c72d13007e40c131a600585a05b8c4b5
apexd is using following additional ioctl cmds to mount the mini
filesystem inside APEXs:
LOOP_SET_STATUS64
LOOP_SET_FD
LOOP_SET_BLOCK_SIZE
LOOP_SET_DIRECT_IO
LOOP_CLR_FD
Test: m; m apex.test; adb push <the_built_apex> /data/apex; adb reboot
/apex/com.android.example.apex exists
Change-Id: I68388cc4f323e4fcff370c8cdc0958cbd827e9cc
/dev/tegra.* is not used in android platform and is device-specific
Bug: 110962171
Test: boot walleye
Change-Id: I4cc790d28457b429a3ed9829de223dae357eb498
This is a temporary measure to disable treble sepolicy tests for
non-compliant targets.
Bug: 113124961
Bug: 111243627
Test: m selinux_policy
Change-Id: I291b7cc3c8c07b838f1ea22e55550c42c5083d8f
Added a new flag to specify the IWLAN operation mode. Also
allowed this system properties for vendor native service to
access.
Test: Manual
Bug: 73659459
Change-Id: I23197e451557fae36a0cc5da4b50b3a00f9233dc
Historically, vendor-init-actionable was created since the various
property_contexts files were not yet available when init parses its
scripts. Since then, the property_contexts files are now always
available when init parses its scripts, so we can collapse these two
categories.
Specifically, this change ensures that all of the properties in the
previous 'stable_properties.h' file in init, which contained the
vendor-init-actionable properties, are able to be read by init
according to SEPolicy.
Bug: 71814576
Test: vendor_init fails to use non-readable properties as a trigger
Test: vendor_init successfully uses readable properties as a trigger
Change-Id: Ic6d9919b6047f3076a1a19fc26295c6a77aca627
Update engine is responsible for updating various partitions, which
includes enabling or disabling the read-only bit on the underlying block
device.
Rather than try to list out each block device separately, generalize the
ioctl rules to apply to all block device nodes. If the ioctl permission
is granted via a normal allow rule, then the allowxperm statement will
allow BLKROGET and BLKROSET by default on those block devices.
Test: policy compiles
Bug: 118150702
Change-Id: I7bca52e0f442df7320748f6d6371e5016aa6dd0b
Copied from device/google/crosshatch-sepolicy.
Test: diff files in system/etc/selinux before and after for aosp_marlin
Change-Id: I518c43af9c217483bdab02424e4aef0270aad366
This is used to address a CTS testcase failure. This CTS
testcase need to access the content of Contact, some data
from ContactProvider is transfered through ashmem.
Currently ashmem is backed by the tmpfs filesystem, ContactProvider
in android run as a priv_app, so the file context of the ashmem
created by ContactProvider is priv_app_tmpfs. CTS runs as an
untrusted_app, need to be granted the read permission to the
priv_app_tmpfs files.
Bug: 117961216
[Android Version]:
android_p_mr0_r0
[Kernel Version]:
4.19.0-rc8
[CTS Version]:
cts-9.0_r1
[Failed Testcase]:
com.android.cts.devicepolicy.ManagedProfileTest#testManagedContactsPolicies
[Error Log]:
11-11 11:15:50.479 12611 12611 W AndroidTestSuit: type=1400 audit(0.0:811):
avc: denied { read } for path=2F6465762F6173686D656D202864656C6574656429
dev="tmpfs" ino=174636 scontext=u:r:untrusted_app:s0:c113,c256,c522,c768
tcontext=u:object_r:priv_app_tmpfs:s0:c522,c768 tclass=file permissive=0
[Test Result With This Patch]:
PASS
Change-Id: I45efacabe64af36912a53df60ac059889fde1629
This prevents denials while taking a bugreport.
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t
android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: I381b39fa127f82fcef5d820a04209fd1ba4f63cd
Allow BLKROGET and BLKROSET on the block devices underlying the /system
and rootfs partitions. As part of the Android boot process, the system
sets the block devices read-only to prevent accidental modification to
these partitions. Update engine needs the ability to adjust the block
device read-only flag in order to apply updates.
Addresses the following denials:
update_engine: type=1400 audit(0.0:96): avc: denied { ioctl } for path="/dev/block/sda33" dev="tmpfs" ino=15369 ioctlcmd=125e scontext=u:r:update_engine:s0 tcontext=u:object_r:system_block_device:s0 tclass=blk_file permissive=0
update_engine: type=1400 audit(0.0:97): avc: denied { ioctl } for path="/dev/block/sda33" dev="tmpfs" ino=15369 ioctlcmd=125d scontext=u:r:update_engine:s0 tcontext=u:object_r:system_block_device:s0 tclass=blk_file permissive=0
Test: policy compiles
Bug: 118150702
Change-Id: I65a3d041b6d6b7955bcd901637a543524fc34a06
system/sepolicy commit 4c8eaba75a, reviewed in
https://android-review.googlesource.com/c/platform/system/sepolicy/+/793958
started enforcing explicit ioctl permission checks for all block device
files. As part of that commit, the following lines were added to
domain.te:
# If a domain has access to perform an ioctl on a block device, allow these
# very common, benign ioctls
allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
In essence, if a domain is granted ioctl access to any device in
policy (for example, via adding "ioctl" to the allow rule, or by using
the macro "r_file_perms" which includes the ioctl permission), then the
two ioctls BLKGETSIZE64 and BLKSSZGET will be automatically allowed. As
such, it is redundent for a domain to explicitly request these two
ioctls.
Delete the now redundant allowxperm rule.
Test: policy compiles
Change-Id: I1964ed93a7c7601393cc9e2416f3640ea22db51b
