Commit graph

35 commits

Author SHA1 Message Date
Chenbo Feng
566411edf2 Add sepolicy to lock down bpf access
Add a new set of sepolicy for the process that only netd use to load
and run ebpf programs. It is the only process that can load eBPF
programs into the kernel and is only used to do that. Add some
neverallow rules regarding which processes have access to bpf objects.

Test: program successfully loaded and pinned at sys/fs/bpf after device
boot. No selinux violation for bpfloader
Bug: 30950746

Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f
2018-01-17 23:19:30 +00:00
Luis Hector Chavez
7ae939e84b Revert "Allow callers of uevent_kernel_*() access to /proc/sys/kernel/overflowuid"
This reverts commit 640e595a68. The
corresponding code in libcutils was removed, so this is now unneeded.

Bug: 71632076
Test: aosp_sailfish still works

Change-Id: I615bab83e9a83bc14439b8ab90c00d3156b0a7c4
2018-01-08 13:09:34 -08:00
Chenbo Feng
08f92f9c01 sepolicy: New sepolicy classes and rules about bpf object
Add the new classes for eBPF map and program to limit the access to eBPF
object. Add corresponding rules to allow netd module initialize bpf
programs and maps, use the program and read/write to eBPF maps.

Test: no bpf sepolicy violations when device boot
Change-Id: I63c35cd60f1972d4fb36ef2408da8d5f2246f7fd
2018-01-02 11:52:33 -08:00
Chenbo Feng
254ad0da3a sepolicy: Allow mount cgroupv2 and bpf fs
Some necessary sepolicy rule changes for the init process to create a directory,
mount the cgroupv2 module and mount the bpf filesystem. Also allow netd to create
and pin bpf objects as files and read them back from files under the
directory where the bpf filesystem is mounted.

Test: bpf maps show up under /sys/fs/bpf/
Change-Id: I579d04f60d7e20bd800d970cd28cd39fda9d20a0
2018-01-02 11:52:33 -08:00
Benjamin Gordon
9b2e0cbeea sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-21 08:34:32 -07:00
Chenbo Feng
cc781f76c9 Allow netd to read the /dev/xt_qtaguid
After moving the qtaguid control interface into netd, netd needs to open the
xt_qtaguid resource tracking misc dev to make sure the xt_qtaguid module is
successfully initialized before taking action. This selinux rule change
allows netd to do so and it is the same privilege normal apps currently
have.

Test: No more selinux denials on netd access qtaguid_device
Bug: 30950746
Change-Id: I79a98bbda3f3fdb85140a06a7532cdcc4354c518
2017-11-15 13:36:00 -08:00
Chenbo Feng
185941aaff sepolicy: allow netd to write to qtaguid file
Since all qtaguid related userspace implementation is moved into netd
and will use netd to choose which module to run at run time, the netd module
should be the only process that can directly read/write to the ctrl file of
qtaguid located at /proc/net/xt_qtaguid/ctrl. This sepolicy change grants
netd the privilege to access qtaguid proc files. It also grants netd the
permission to control the trigger to turn the qtaguid module on and off by writing
parameters to files under sys_fs. The related files and directories are
properly labeled.

Bug: 68774956
Bug: 30950746
Test: qtaguid function still working after the native function is
redirected.

Change-Id: Ia6db6f16ecbf8c58f631c79c9b4893ecf2cc607b
2017-11-09 14:35:23 -08:00
Luis Hector Chavez
640e595a68 Allow callers of uevent_kernel_*() access to /proc/sys/kernel/overflowuid
Bug: 62378620
Test: Android in Chrome OS can call uevent_kernel_recv() and not fail
      with EIO.
Test: bullhead networking still works

Change-Id: I4dd5d2148ee1704c4fa23d7fd82d1ade19b58cbd
2017-11-08 01:39:28 +00:00
Tri Vo
8dabc2ce74 Restrict netd fwk policy.
Remove netd access to sysfs_type attribute.

These were moved from vendor to fwk policy:
1. sysfs_net type declaration
2. labeling of /sys/devices/virtual/net with sysfs_net
3. netd access to sysfs_net

Bug: 65643247
Test: can browse internet without netd denials
Test: netd_unit_test, netd_integration_test without netd denials
Merged-In: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
Change-Id: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
(cherry picked from commit e62a56b717)
2017-10-20 22:07:01 +00:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Jeffrey Vander Stoep
d7989e8bd2 Merge "netd: relax binder neverallow rules for hwservices"
am: 4fc64f2fc3

Change-Id: I7dd6ea7bb5d767afb98a39e56214dd05d4585c93
2017-07-27 19:38:15 +00:00
Jeff Vander Stoep
07c650ebf2 netd: relax binder neverallow rules for hwservices
Relax neverallow rule restricting binder access to/from netd so that
netd can export hwbinder services to vendor components.

Continue to disallow app access to netd via binder.

Bug: 36682246
Test: build
Change-Id: I8e558ea1add6c36b966ec1da204062ea82df3f3f
2017-07-27 16:51:27 +00:00
Jeff Vander Stoep
7c34e83fcd Move domain_deprecated into private policy
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Merged-In: I31beeb5bdf3885195310b086c1af3432dc6a349b
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
(cherry picked from commit 76aab82cb3)
2017-07-24 07:39:54 -07:00
Lorenzo Colitti
f692d2fd91 Explicitly allow netd to take the iptables lock.
am: 9273c1bb5c

Change-Id: Ie4aec7f6b6cfe675bd69df399fa63ef1194b84ac
2017-07-16 17:20:56 +00:00
Lorenzo Colitti
9273c1bb5c Explicitly allow netd to take the iptables lock.
This was previously relying on domain_deprecated rules deleted in
change I588a1e7ea7ef984907b79a5a391efb2dcd6e6431.

Bug: 28760354
Test: unbreaks networking on AOSP bullhead
Change-Id: I873e1f08f72104dee7509e45b1db0b284ca56085
2017-07-16 17:54:01 +09:00
Lorenzo Colitti
34bc175d4f Merge "Revert "Temporarily revert the SELinux policy for persist.netd.stable_secret.""
am: 580a0f2b98

Change-Id: Ibc29f16dac70c4c44ea4b1bfff5afcf513d2dbfa
2017-07-13 12:35:18 +00:00
Lorenzo Colitti
5b3efd3b36 Revert "Temporarily revert the SELinux policy for persist.netd.stable_secret."
This change must only be submitted when device-specific policies
have been reverted.

This reverts commit 07e631d2e0.

Bug: 17613910
Test: builds
Change-Id: Ie33e293107bf1eba2498f2422d941544c76b8cad
Merged-In: I356c39a5dc955b3d7c28d8c7baf2887a17beb272
2017-07-13 12:26:32 +00:00
Lorenzo Colitti
9822937597 Merge "Temporarily revert the SELinux policy for persist.netd.stable_secret."
am: c501c34523

Change-Id: I1b62a13240b49654fe8667909d23989d4651b37a
2017-07-12 00:19:41 +00:00
Lorenzo Colitti
07e631d2e0 Temporarily revert the SELinux policy for persist.netd.stable_secret.
This change did not make it into core sepolicy in time for O.
The revert allows devices to define these selinux policies in
vendor-specific sepolicy instead of core sepolicy. It is
necessary because:

1. It is too late to change property_contexts in O.
2. Adding the netd_stable_secret prop to vendor sepolicy results
   in a duplicate definition error at compile time.
3. Defining a new vendor-specific context (such as
   net_stable_secret_vendor_prop) and applying it to
   persist.netd.stable_secret results in the device not booting
   due to attempting to apply two different contexts to the same
   property.

Lack of the sepolicy no longer breaks wifi connectivity now that
IpManager no longer considers failure to set the stable secret to
be a fatal error.

Once all interested devices have adopted the vendor sepolicy,
this policy can safely be reinstated by reverting said vendor
sepolicies in internal master.

This reverts commit abb1ba6532.

Bug: 17613910
Test: bullhead builds, boots, connects to wifi
Change-Id: Idffcf78491171c54bca9f93cb920eab9b1c47709
2017-07-11 02:46:40 +09:00
Joel Scherpelz
14a3cb2848 SELinux policy for secure persistent netd storage am: abb1ba6532
am: 5ee87b0092

Change-Id: Id2dc995f88a60fe865387453234e3630a9975381
2017-06-14 05:41:10 +00:00
Joel Scherpelz
abb1ba6532 SELinux policy for secure persistent netd storage
This is used to persist RFC 7217 stable secrets across device reboots.

First submit caused a merge conflict. This revision replaces netd_prop
with a more unique name netd_stable_secret_prop.

Test: as follows
    - Manually tested that stable_secret is generated on first use and
      persists until reset of user data partition (factory reset).
    - Tested that "adb shell getprop" was denied access to
      persist.netd.stable_secret after running "adb unroot".
Bug: 17613910

Change-Id: I0a609c724799a15b1926e62534c16810d34f2275
2017-06-12 11:00:59 +09:00
Bartosz Fabianowski
0f52004b97 Revert "SELinux policy for secure persistent netd storage" am: 06486796a4
am: edcfb2e10d

Change-Id: I86565448fa4d5ccd412772825decb5dc62cd6343
2017-06-08 18:53:36 +00:00
Bartosz Fabianowski
06486796a4 Revert "SELinux policy for secure persistent netd storage"
This broke the build on master. See b/17613910#comment17
for details.

This reverts commit ef1fd98b6a.

Change-Id: I11f7d463061a9b6340c11827135586266e26f016
2017-06-08 10:57:55 +00:00
Joel Scherpelz
36efd0c454 SELinux policy for secure persistent netd storage am: ef1fd98b6a
am: 9381cb3dce

Change-Id: I3ae9005ee76b51105ec215cefc5a81c25405c482
2017-06-08 07:51:19 +00:00
Joel Scherpelz
ef1fd98b6a SELinux policy for secure persistent netd storage
This is used to persist RFC 7217 stable secrets across device reboots.

Test: as follows
    - Manually tested that stable_secret is generated on first use and
      persists until reset of user data partition (factory reset).
    - Tested that "adb shell getprop" was denied access to
      persist.netd.stable_secret after running "adb unroot".
Bug: 17613910

Change-Id: I4dad00fb189d697aceaffae49ad63987c7e45054
2017-06-08 15:07:57 +09:00
Jeff Vander Stoep
76aab82cb3 Move domain_deprecated into private policy
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
2017-05-15 13:37:59 -07:00
Jeff Vander Stoep
f627e5581c restore permissions to /vendor for non-treble devices
Relabeling /vendor and /system/vendor to vendor_file removed
previously granted permissions. Restore these for non-treble devices.

Addresses:
avc: denied { execute_no_trans } for pid=2944 comm="dumpstate"
path="/system/vendor/bin/wpa_cli" dev="mmcblk0p10" ino=1929
scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_file:s0
tclass=file

And potentially some other bugs that have yet to surface.

Bug: 37105075
Test: build Fugu
Change-Id: I8e7bd9c33819bf8206f7c110cbce72366afbcef8
2017-04-14 10:01:14 -07:00
Nathan Harold
516c9abfcd Merge changes from topic 'ipsec-svc-pick' into oc-dev
* changes:
  Add IpSecService SEPolicy
  Update Common NetD SEPolicy to allow Netlink XFRM
2017-04-06 01:34:37 +00:00
Nick Kralevich
4a580ccabb Fix lock logspam and remove domain_deprecated rule
Remove system_file:file { lock ioctl } from domain_deprecated. The only
domains triggering this were dex2oat and netd, which are fixed in this
change.

Addresses the following logspam similar to:

  avc: granted { lock } for comm="iptables"
  path="/system/etc/xtables.lock" dev="sda22" ino=3745
  scontext=u:r:netd:s0 tcontext=u:object_r:system_file:s0 tclass=file

  avc: granted { lock } for comm="dex2oat"
  path="/system/framework/arm/boot-okhttp.art" dev="dm-0" ino=1295
  scontext=u:r:dex2oat:s0 tcontext=u:object_r:system_file:s0 tclass=file

Test: device boots and no obvious problems.
Bug: 28760354
Bug: 36879751
Change-Id: Iac851c0e49a52ce4000fdfe16e68c17ff819693f
2017-04-04 18:37:28 -07:00
Nathan Harold
63a9315601 Update Common NetD SEPolicy to allow Netlink XFRM
In order to perform XFRM operations NetD needs the
ability to both read and write Netlink XFRM messages.

Bug: 34811756
Test: 34812052

Change-Id: I26831c58b24a4c1f344b113f0b5cf47ed2c93fee
(cherry picked from commit 7eb3dd3b02)
2017-03-29 18:33:29 -07:00
Nathan Harold
7eb3dd3b02 Update Common NetD SEPolicy to allow Netlink XFRM
In order to perform XFRM operations NetD needs the
ability to both read and write Netlink XFRM messages.

Bug: 34811756
Test: 34812052

Change-Id: I26831c58b24a4c1f344b113f0b5cf47ed2c93fee
2017-03-22 18:29:43 -07:00
Nick Kralevich
5251ad1aa6 netd.te: drop dccp_socket support
No SELinux domains can create dccp_socket instances, so it doesn't make
any sense to allow netd to manipulate already-open dccp sockets.

Bug: 35784697
Test: policy compiles.
Change-Id: I189844462cbab58ed58c24fbad6a392f6b035815
2017-02-27 09:23:31 -08:00
William Roberts
606d2fd665 te_macros: introduce add_service() macro
Introduce the add_service() macro which wraps up add/find
permissions for the source domain with a neverallow preventing
others from adding it. Only a particular domain should
add a particular service.

Use the add_service() macro to automatically add a neverallow
that prevents other domains from adding the service.

mediadrmserver was adding services labeled mediaserver_service.
Drop the add permission as it should just need the find
permission.

Additionally, the macro adds the { add find } permission which
causes some existing neverallows to assert. Adjust those
neverallows so "self" can always find.

Test: compile and run on hikey and emulator. No new denials were
found, and all services, where applicable, seem to be running OK.

Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-01-26 04:43:16 +00:00
Nick Kralevich
dd649da84b domain_deprecated.te: remove /proc/net access
Remove /proc/net access to domain_deprecated. Add it to domains where it
was missing before.

Other than these domains, SELinux denial monitoring hasn't picked up any
denials related to /proc/net

Bug: 28760354
Test: Device boots
Test: No unexpected denials in denial collection logs.
Change-Id: Ie5bfa4bc0070793c1e8bf3b00676fd31c08d426a
2016-11-30 15:23:26 -08:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00
Renamed from netd.te