Commit graph

90 commits

Author SHA1 Message Date
Orion Hodson
13ee65392e app.te: enable mapping ART apexdata cache executable
Some jars, such as com.android.location.provider.jar, are both on the
system_server classpath and loaded as libraries. If the .oat files are
in the ART apexdata cache (due to being system_server classpath), they
need execute permission to be usable as AOT compiled libraries.

Bug: 184881321
Test: install an updated ART apex, open apps, see no more denials
Change-Id: I89b74dfa047699c568575d99a29c5e74abdef076
2021-04-27 16:41:23 +01:00
Zim
b61bcc87ed Allow appdomain sepolicy search access to /mnt/media_rw
untrusted apps were already granted this policy and we now extend it
to all apps. This allows FileManager apps with the
MANAGE_EXTERNAL_STORAGE permission to access USB OTG volumes mounted
on /mnt/media_rw/<vol>.

This permission access in the framework is implemented by granting
those apps the external_storage gid. And at the same time USB volumes
will be mounted on /mnt/media_rw/<vol> with the external_storage gid.
There is no concern of interfering with FUSE on USB volumes because
they are not FUSE mounted.

For sdcards (non-USB) volumes mounted on /mnt/media_rw/<vol>, those
volumes are mounted with the media_rw gid, so even though they are
FUSE mounted on /storage/<vol>, arbitrary apps cannot access the
/mnt/media_rw path since only the FUSE daemon is granted the media_rw
gid.

Test: Manual
Bug: 182732333
Change-Id: I70a3eb1f60f32d051f44253b0db2c7b852d79ba1
2021-04-13 14:56:44 +00:00
Martijn Coenen
4825e8662d Allow apps to read apex_art_data_file:dir
This should be ok since apps are already allowed to read the contained
files; the dir is iterated by tests to ensure that all files are signed
correctly.

Bug: 165630556
Test: new test passes

Change-Id: Ib6c298f2b267839a802c17288230a8151a1eec86
2021-03-29 13:51:47 +02:00
Yifan Hong
4f3a86d1e9 Revert "Allow CTS DeviceInfo to read VAB prop."
This reverts commit 809eb75553.

Reason for revert: should allow shell to do it instead

Change-Id: Ie07b86d1308cb41885957d2214ed7ce190f5ae18
Test: pass
Bug: 179427873
2021-02-18 12:46:42 -08:00
Josh Gao
ce1c4a54ae Let apps read tombstones given to them.
Bug: http://b/159164105
Test: atest CtsNativeTombstoneTestCases
Change-Id: I278c7ab815bb044b939afeb1f8a5ae37ec2f4c91
2021-02-08 17:19:43 -08:00
Yifan Hong
809eb75553 Allow CTS DeviceInfo to read VAB prop.
Test: adb shell am instrument -w \
  com.android.compatibility.common.deviceinfo/androidx.test.runner.AndroidJUnitRunner
Fixes: 179427873
Change-Id: I1dd2c480408b7695ab0285645de5b06b8b6137c5
2021-02-04 19:56:07 -08:00
Seigo Nonaka
9c3707f76a Add /data/fonts/files directory
The updated font files will be stored to /data/fonts/files and
all applications will read it for drawing text.
Thus, /data/fonts/files needs to be readable by apps and only writable
by system_server (and init).

Bug: 173517579
Test: atest CtsGraphicsTestCases
Test: Manually done
Change-Id: Ia76b109704f6214eb3f1798e8d21260343eda231
2021-01-22 11:58:55 -08:00
Orion Hodson
8f75f76fbd Permissions for odrefresh and /data/misc/apexdata/com.android.art
odrefresh is the process responsible for checking and creating ART
compilation artifacts that live in the ART APEX data
directory (/data/misc/apexdata/com.android.art).

There are two types of change here:

1) enabling odrefresh to run dex2oat and write updated boot class path
   and system server AOT artifacts into the ART APEX data directory.

2) enabling the zygote and assorted diagnostic tools to use the
   updated AOT artifacts.

odrefresh uses two file contexts: apex_art_data_file and
apex_art_staging_data_file. When odrefresh invokes dex2oat, the
generated files have the apex_art_staging_data_file label (which allows
writing). odrefresh then moves these files from the staging area to
their installation area and gives them the apex_art_data_file label.

Bug: 160683548
Test: adb root && adb shell /apex/com.android.art/bin/odrefresh
Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
2021-01-13 10:38:22 +00:00
Inseob Kim
0cef0fe5ac Add contexts for sqlite debug properties
These are read by some apps, but don't have any corresponding property
contexts. This adds a new context as we're going to remove default_prop
access.

Bug: 173360450
Test: no sepolicy denials
Change-Id: I9be28d8e641eb6380d080150bee785a3cc304ef4
2020-11-18 12:14:20 +09:00
Inseob Kim
4ae7ec1915 Remove exported3_radio_prop
It's renamed to radio_control_prop

Bug: 162214733
Test: boot
Change-Id: Idede1a1ab471a354a6f5df12b6889abc7c1ad869
2020-08-03 09:23:39 +00:00
Hongguang Chen
67c3688497 Allow vendor_init to set service.adb.tcp.port
adbd and apps (SystemUI and CTS test apps) need to read it.

BUG: 162205386
Test: Connect to device which sets service.adb.tcp.port in vendor
      partition through TCP adb.

Change-Id: Ia37dd0dd3239381feb2a4484179a0c7847166b29
2020-07-28 02:13:03 +00:00
Inseob Kim
c97a97cd3f Move more properties out of exported3_default_prop
This is to remove exported3_default_prop. Contexts of these properties
are changed.

- ro.boot.wificountrycode
This becomes wifi_config_prop

- ro.opengles.version
This becomes graphics_config_prop. Also it's read by various domains, so
graphics_config_prop is now readable from coredomain.

- persist.config.calibration_fac
This becomes camera_calibration_prop. It's only readable by appdomain.

Bug: 155844385
Test: no denials on Pixel devices
Test: connect wifi
Change-Id: If2b6c10fa124e29d1612a8f94ae18b223849e2a9
2020-07-21 13:11:57 +09:00
Inseob Kim
c80b024241 Relabel various exported3_default_prop
This removes bad context names "exported*_prop". Property contexts of
following properties are changed. All properties are settable only by
vendor-init.

- ro.config.per_app_memcg
This becomes lmkd_config_prop.

- ro.zygote
This becomes dalvik_config_prop.

- ro.oem_unlock_supported
This becomes oem_unlock_prop. It's readable by system_app which includes
Settings apps.

- ro.storage_manager.enabled
This becomes storagemanagr_config_prop. It's readable by coredomain.
Various domains in coredomain seem to read it.

- sendbug.preferred.domain
This becomes sendbug_config_prop. It's readable by appdomain.

There are still 3 more exported3_default_prop, which are going to be
tracked individually.

Bug: 155844385
Test: selinux denial check on Pixel devices
Change-Id: I340c903ca7bda98a92d0f157c65f6833ed00df05
2020-07-20 16:11:58 +09:00
Inseob Kim
d2c0b7bf9e Remove redundant get_prop rule
The rule "get_prop(coredomain, vts_status_prop)" is duplicated by
mistake. It's already in coredomain.te, and it should be deleted from
app.te

Bug: N/A
Test: m selinux_policy
Change-Id: I816c8da74940fc6ccdd50fe377aa54eae36237b4
2020-07-16 16:10:57 +00:00
Inseob Kim
212e2b621a Add property contexts for vts props
vts_config_prop and vts_status_prop are added to remove exported*_prop.
ro.vts.coverage becomes vts_config_prop, and vts.native_server.on
becomes vts_status_prop.

Bug: 155844385
Test: Run some vts and then getprop, e.g. atest \
      VtsHalAudioEffectV4_0TargetTest && adb shell getprop
Test: ro.vts.coverage is read without denials
Change-Id: Ic3532ef0ae7083db8d619d80e2b73249f87981ce
2020-07-16 16:26:17 +09:00
Inseob Kim
dddf6f561f Relabel media.recorder.show_manufacturer_and_model
To remove exported*_default_prop

Bug: 155844385
Test: capture video
Test: atest writerTest
Change-Id: I74223c8daa44acf0aba33bff31cfe21f6242f941
2020-07-08 15:32:57 +09:00
Inseob Kim
5eacf72460 Allow apps to read packagemanager_config_prop
To fix regression of CTS privappPermissionsMustBeEnforced

Bug: 159647344
Test: atest PrivappPermissionsTest#privappPermissionsMustBeEnforced
Change-Id: I88af05305f9aef6e813d0a72adad63b6b8f99487
Merged-In: I88af05305f9aef6e813d0a72adad63b6b8f99487
2020-07-01 02:29:53 +00:00
Peiyong Lin
37dea070ce Update sepolicy for GPU profiling properties.
A device must indicate whether GPU profiling is supported or not through
setting these two properties properly. CTS needs to read these two
properties in order to run corresponding compliance tests. Hence need to
update sepolicy for these two properties.

Bug: b/157832445
Test: Test on Pixel 4
Change-Id: I6f400ecbbd5e78b645bb620fa24747e9367c2ff3
Merged-In: I6f400ecbbd5e78b645bb620fa24747e9367c2ff3
2020-06-05 12:03:29 -07:00
Inseob Kim
641cffeb0e Grant app and hal access to telephony_config_prop
To resolve regression.

Bug: 158254452
Test: m selinux_policy
Change-Id: If0db9b9a4af6c34a007d0549aa7a5dd465e4ed63
2020-06-05 10:40:16 +09:00
Inseob Kim
dbcc459b90 Take new types out of compatible_property_only
compatible_property_only is meaningless to new types introduced after
Android P because the macro is for types which should have different
accessibilities depending on the device's launching API level.

Bug: N/A
Test: system/sepolicy/tools/build_policies.sh
Change-Id: If6b1cf5e4203c74ee65f170bd18c3a354dca2fd4
2020-05-25 17:31:26 +09:00
Daniel Rosenberg
afede84ad5 Add sdcardfs variable to storage_config_props
This property allows us to disable sdcardfs if it is present. The old
property ended up getting repurposed, so a new one was needed.
Mediaprovider will also need to access this to determine what actions it
needs to take.

Test: builds
Bug: 155222498
Change-Id: I66ac106613cbb374f54659601e4ba3f61eaecd2f
2020-05-19 00:30:52 -07:00
Jeff Vander Stoep
67896eef07 Reduce graphics logspam
There is no change in behavior. These denials were already
being blocked.

Bug: 79617173
Test: build
Change-Id: Iffd1e5ba42854615eeea9490fe9150678ac98796
2020-04-02 13:43:26 +02:00
Jeff Vander Stoep
607bc67cc9 Prevent apps from causing presubmit failures
Apps can cause selinux denials by accessing CE storage
and/or external storage. In either case, the selinux denial is
not the cause of the failure, but just a symptom that
storage isn't ready. Many apps handle the failure appropriately.

These denials are not helpful, are not the cause of a problem,
spam the logs, and cause presubmit flakes. Suppress them.

Bug: 145267097
Test: build
Change-Id: If87b9683e5694fced96a81747b1baf85ef6b2124
2019-12-16 11:19:05 +01:00
Florian Mayer
5e52281372 Allow Java domains to be Perfetto producers.
This is needed to get Java heap graphs.

Test: flash aosp; profile system_server with setenforce 1

Bug: 136210868

Change-Id: I87dffdf28d09e6ce5f706782422510c615521ab3
2019-10-10 10:40:26 +01:00
Xiao Ma
e2876a3d11 revert ipmemorystore selinux policy.
Since ipmemorystore service has been moved to network stack from
system service, also should revert the relevant sepolicy which is
corresponding to the previous configuration.

Bug: 128392280
Test: atest FrameworksNetTests NetworkStackTests
Change-Id: I1ae09696e620b246f817db71e7b71c32aae9be05
2019-04-01 16:37:25 +09:00
Jeff Vander Stoep
9f5d0d90a3 Initial selinux policy support for memfd
Move all app tmpfs types to appdomain_tmpfs. These are still protected
by mls categories and DAC. TODO clean up other app tmpfs types in a
separate change.

Treble-ize tmpfs passing between graphics composer HAL and
surfaceflinger.

Bug: 122854450
Test: boot Blueline with memfd enabled.
Change-Id: Ib98aaba062f10972af6ae80fb85b7a0f60a32eee
2019-01-30 19:11:49 +00:00
William Hester
5f486c74bf Add the testharness service to sepolicy rules
The testharness service will manage Test Harness Mode and provide a
command-line interface for users to enable Test Harness Mode; however it
does not directly provide a public API.

Bug: 80137798
Test: make
Test: flash crosshatch
Change-Id: Ie396e40fcea8914b4dd2247f2314e029b66ad84e
2019-01-17 13:10:37 -08:00
Chalard Jean
fb15c9f12f Add sepolicy for IpMemoryStoreService
Bug: 116512211
Test: Builds, boots, including upcoming changes needing this
Change-Id: I6f119368c5a4f7ac6c0325915dff60124c5a6399
2019-01-10 18:06:56 +09:00
Nick Kralevich
0eb0a16fbd bless app created renderscript files
When an app uses renderscript to compile a Script instance,
renderscript compiles and links the script using /system/bin/bcc and
/system/bin/ld.mc, then places the resulting shared library into the
application's code_cache directory. The application then dlopen()s the
resulting shared library.

Currently, this executable code is writable to the application. This
violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which
requires any executable code be immutable.

This change introduces a new label "rs_data_file". Files created by
/system/bin/bcc and /system/bin/ld.mc in the application's home
directory assume this label. This allows us to differentiate in
security policy between app created files, and files created by
renderscript on behalf of the application.

Apps are allowed to delete these files, but cannot create or write these
files. This is enforced through a neverallow compile time assertion.

Several exceptions are added to Treble neverallow assertions to support
this functionality. However, because renderscript was previously invoked
from an application context, this is not a Treble separation regression.

This change is needed to support blocking dlopen() for non-renderscript
/data/data files, which will be submitted in a followup change.

Bug: 112357170
Test: cts-tradefed run cts -m CtsRenderscriptTestCases
Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
2018-12-12 13:20:22 -08:00
Nick Kralevich
1e5021c450 Move some rules around
Move rules / neverallow assertions from public to private policy. This
change, by itself, is a no-op, but will make future patches easier to
read. The only downside of this change is that it will make git blame
less effective.

Motivation: When rules are placed into the public directory, they cannot
reference a private type. A future change will modify these rules to
reference a private type.

Test: compiles
Bug: 112357170
Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
2018-11-28 17:55:21 -08:00
ji, zhenlong z
fdfa42bf29 sepolicy: Allow apps to get info from priv_app by ashmem
This is used to address a CTS testcase failure. This CTS
testcase needs to access the content of Contact, some data
from ContactProvider is transferred through ashmem.

Currently ashmem is backed by the tmpfs filesystem, ContactProvider
in android runs as a priv_app, so the file context of the ashmem
created by ContactProvider is priv_app_tmpfs. CTS runs as an
untrusted_app and needs to be granted the read permission to the
priv_app_tmpfs files.

Bug: 117961216

[Android Version]:
android_p_mr0_r0

[Kernel Version]:
4.19.0-rc8

[CTS Version]:
cts-9.0_r1

[Failed Testcase]:
com.android.cts.devicepolicy.ManagedProfileTest#testManagedContactsPolicies

[Error Log]:
11-11 11:15:50.479 12611 12611 W AndroidTestSuit: type=1400 audit(0.0:811):
avc: denied { read } for path=2F6465762F6173686D656D202864656C6574656429
dev="tmpfs" ino=174636 scontext=u:r:untrusted_app:s0:c113,c256,c522,c768
tcontext=u:object_r:priv_app_tmpfs:s0:c522,c768 tclass=file permissive=0

[Test Result With This Patch]:
PASS

Change-Id: I45efacabe64af36912a53df60ac059889fde1629
2018-10-23 12:37:03 +08:00
Benjamin Gordon
360559e7bb sepolicy: Allow apps to read ashmem fds from system_server
Kernel commit 8a2af06415ef0fc922162503dd18da0d9be7771f (ashmem: switch
to ->read_iter) switched ashmem from using __vfs_read to vfs_iter_read
to read the backing shmem file.  Prior to this, reading from an ashmem
fd that was passed between processes didn't hit any permission checks;
now SELinux checks that the receiver can read from the creator's file
context.

Some apps receive buffers through ashmem from system_server, e.g., the
settings app reads battery stats from system_server through ashmem when
an app details page is opened.  Restore this ability by giving apps read
access to system_server_tmpfs.  system_server is still responsible for
creating and passing across the ashmem buffers, so this doesn't give
apps the ability to read anything system_server isn't willing to give
them.

Bug: 112987536
Bug: 111381531
Test: atest android.appsecurity.cts.PermissionsHostTest on kernel 4.14
Change-Id: Ice5e25f55bc409e91ad7e8c7ea8b28ae213191a3
2018-09-10 17:04:09 +00:00
Nathan Harold
252b015365 Allow getsockopt and setsockopt for Encap Sockets
Because applications should be able to set the receive
timeout on UDP encapsulation sockets, we need to allow
setsockopt(). getsockopt() is an obvious allowance as
well.

Bug: 68689438
Test: compilation
Merged-In: I2eaf72bcce5695f1aee7a95ec03111eca577651c
Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c
2018-04-03 21:52:14 +00:00
Nathan Harold
ee268643c1 Allow More Apps to Recv UDP Sockets from SystemServer
This gives the privilege to system apps, platform apps,
ephemeral apps, and privileged apps to receive a
UDP socket from the system server. This is being added
for supporting UDP Encapsulation sockets for IPsec, which
must be provided by the system.

This is an analogous change to a previous change that
permitted these sockets for untrusted_apps:
0f75a62e2c

Bug: 70389346
Test: IpSecManagerTest, System app verified with SL4A
Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31
2018-01-15 23:10:42 +00:00
Jeff Vander Stoep
77b290f303 app: move appdomain to public policy
Vendor-specific app domains depend on the rules in app.te so they
must reside in public policy.

Bug: 70517907
Test: build
Change-Id: If45557a5732a06f78c752779a8182e053beb25a2
Merged-In: If45557a5732a06f78c752779a8182e053beb25a2
(cherry picked from commit 1f4cab8bd4)
2017-12-19 21:31:01 -08:00
Marissa Wall
80ee23f74a Restrict access to uid_concurrent_*_time
Do not let apps read uid_concurrent_active_time and
uid_concurrent_policy_time.

b/68399339

Test: Check that they can't be read from the shell
    without root permissions and system_server was able
    to read them

Change-Id: I6f09ef608607cb9f4084ba403a1e7254b8c49a06
2017-12-12 19:19:04 +00:00
Benjamin Gordon
9b2e0cbeea sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-21 08:34:32 -07:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Steven Moreland
5b2ebd3b25 Revert "Add screencap domain."
This reverts commit 9216a6adc9.

Bug: 65206688

Merged-In: I8e61b77a1abe9543e4fba77defb8062407676fcf
Change-Id: I8e61b77a1abe9543e4fba77defb8062407676fcf
2017-09-05 10:08:09 -07:00
Steven Moreland
9216a6adc9 Add screencap domain.
Only seeing this denial in permissive:
allow shell screencap_exec:file getattr;

Bug: 37565047
Test: adb shell screencap w/o root
Test: cts-tradefed run cts-dev --module CtsAadbHostTestCases
Merged-In: I9f31d2067e002e7042646ee38dbfc06687481ac7
Change-Id: I9f31d2067e002e7042646ee38dbfc06687481ac7
2017-08-14 11:46:08 -07:00
Nick Kralevich
881fe06f34 Validate no-cross-domain /proc/PID access
am: 7a46380969

Change-Id: Iba80938afccd21f0c3b69626223b35c672358e77
2017-08-11 19:17:29 +00:00
Nick Kralevich
7a46380969 Validate no-cross-domain /proc/PID access
Android uses hidepid=2 to restrict visibility to other /proc entries on
the system. This helps preserve user, application, and system
confidentiality by preventing unauthorized access to application metadata,
and addresses attacks such as
http://www.cs.ucr.edu/~zhiyunq/pub/sec14_android_activity_inference.pdf

Ensure the SELinux (weaker) equivalent is being enforced by adding
neverallow compile time assertions.

TODO: The "shell" user runs as both an Android application, as well as
spawned via adb shell. This was a mistake. We should separate out the
"shell" Android app into its own SELinux domain. For now, exclude the
shell from this assertion. (The shell Android app is covered by
hidepid=2, so there's no leaking of data, but still, it's over
privileged today and should be cleaned up.)

Bug: 23310674
Test: policy compiles. Compile time assertion only.
Change-Id: I0e1a6506b2719aabf7eb8127f046c4ada947ba90
2017-08-11 10:05:22 -07:00
Andreas Gampe
22a8918b2b App: Allow wrapped app to send pid
am: ee694980d0

Change-Id: Ic572585b380405f135646731f9fc749fcee86a3b
2017-07-13 05:28:51 +00:00
Andreas Gampe
ee694980d0 App: Allow wrapped app to send pid
Allow wrapped app to send pid back to zygote.

Bug: 63566721
Bug: 63635227
Test: lunch angler-userdebug && m
Test: lunch angler-user && m
Test: lunch angler-user && m && fastboot flashall && m cts && cts-tradefed run commandAndExit cts-dev -m CtsWrapWrapDebugTestCases
Change-Id: Ie1b41c3eb124aa5ee321c124d0121a0e965f0f0e
2017-07-12 18:24:58 -07:00
Daniel Rosenberg
8a65aeca0e Add rules for vfat for sdcardfs
This adds parallel rules to the ones added for media_rw_data_file
to allow apps to access vfat under sdcardfs. This should be reverted
if sdcardfs is modified to alter the secontext it used for access to
the lower filesystem

Change-Id: Idb123206ed2fac3ead88b0c1ed0b66952597ac65
Bug: 62584229
Test: Run android.appsecurity.cts.ExternalStorageHostTest with
      an external card formatted as vfat
Signed-off-by: Daniel Rosenberg <drosen@google.com>
2017-06-22 00:20:59 +00:00
Daniel Rosenberg
29713c8da6 Merge "Add rules for vfat for sdcardfs" into oc-dev
am: 58d0d1e4af

Change-Id: Ia53beb365c39d501c9d6cd53a4cb72dec14b610b
2017-06-16 22:04:05 +00:00
Daniel Rosenberg
260a4485f3 Add rules for vfat for sdcardfs
This adds parallel rules to the ones added for media_rw_data_file
to allow apps to access vfat under sdcardfs. This should be reverted
if sdcardfs is modified to alter the secontext it used for access to
the lower filesystem

Change-Id: Idb123206ed2fac3ead88b0c1ed0b66952597ac65
Bug: 62584229
Test: Run android.appsecurity.cts.ExternalStorageHostTest with
      an external card formatted as vfat
Signed-off-by: Daniel Rosenberg <drosen@google.com>
2017-06-16 19:47:33 +00:00
Narayan Kamath
bf7a5bd68b SEPolicy: Allow app / system_server to write to dumpstate pipes. am: a34781ae15 am: 32c7000e6e
am: b25e882338

Change-Id: I778011a48800ace4d865813b148efcdd88d166bb
2017-05-31 13:37:59 +00:00
Narayan Kamath
a34781ae15 SEPolicy: Allow app / system_server to write to dumpstate pipes.
tombstoned allows dumpstate to install "intercepts" to java trace
requests for a given process. When an "intercept" is installed, all
trace output is redirected to a pipe provided by dumpstate instead
of the default location (usually in /data/anr or /data/tombstone).

Note that these processes are already granted "write" and "getattr"
on dumpstate:fifo_file in order to communicate with dumpstate; this
change adds "append" to the existing set of permissions.

Bug: 32064548
Test: manual
Change-Id: Iccbd78c59071252fef318589f3e55ece51a3c64c
2017-05-31 11:45:39 +00:00
Narayan Kamath
f194aad208 SEPolicy: Changes for new stack dumping scheme.
Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.

Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.

Bug: 32064548
Test: Manual

(cherry picked from commit a8832dabc7f3b7b2381760d2b95f81abf78db709)

(cherry picked from commit 11bfcc1e96)

Change-Id: Icc60d227331c8eee70a9389ff1e7e78772f37e6f
2017-05-31 10:01:48 +00:00