Commit graph

16235 commits

Author SHA1 Message Date
Tri Vo
d115b8ed24 Merge "Only maintain maps between current and previous selinux versions." 2018-10-04 01:04:57 +00:00
Nick Kralevich
8f08456a94 isolated_apps: no socket create
Isolated apps provide a very strict security guarantee, including the
inability to create networking sockets like TCP / UDP sockets. Add an
SELinux neverallow assertion to test for this and prevent regressions.

Test: policy compiles.
Change-Id: I2618abb17375707eb1048e89faa46f57d33e1df4
2018-10-02 21:43:20 -07:00
Treehugger Robot
7b785a9f5b Merge "Sepolicy for migrating storaged to statsd" 2018-10-03 01:13:37 +00:00
Tri Vo
438684b39f Only maintain maps between current and previous selinux versions.
New maintenance scheme for mapping files:
Say, V is the current SELinux platform version, then at any point in time we
only maintain (V->V-1) mapping. (V->V-n) map is constructed from top (V->V-n+1)
and bottom (V-n+1->V-n) without changes to previously maintained mapping files.

Caveats:
- 26.0.cil doesn't technically represent 27.0->26.0 map, but rather
current->26.0. We'll fully migrate to the scheme with future releases.

Bug: 67510052
Test: adding new public type only requires changing the latest compat map
Change-Id: Iab5564e887ef2c8004cb493505dd56c6220c61f8
2018-10-02 15:10:13 -07:00
Howard Ro
aabee5fe5f Merge "Update sepolicies for stats hal" 2018-10-02 20:17:18 +00:00
Treehugger Robot
0dd4167e2d Merge "Address TODOs in 28.0.cil mapping." 2018-10-01 23:46:45 +00:00
Tri Vo
4438339417 Address TODOs in 28.0.cil mapping.
Test: m selinux_policy
Change-Id: I6a8ff2200c82b6ecdc1404bc7cf186f439950a30
2018-10-01 14:32:05 -07:00
Tri Vo
f509e02ddb Fix incorrect 27.0 mappings.
Map proc_qtaguid_ctrl to qtaguid_proc, not qtaguid_device.
Map proc_slabinfo to proc in the correct place.

Test: m selinux_policy
Change-Id: I37c9dfe40bd20924215856b5d4ff7d9b3cbd0417
2018-10-01 13:46:50 -07:00
Jeff Vander Stoep
424517721c Remove access to /proc/net/{tcp,udp}
Remove these files from proc_net_type. Domains that need access must
have permission explicitly granted. Neverallow app access except the
shell domain.

Bug: 114475727
Test: atest CtsLibcoreOjTestCases
Test: netstat, lsof
Test: adb bugreport
Change-Id: I2304e3e98c0d637af78a361569466aa2fbe79fa0
2018-09-30 21:33:47 -07:00
Treehugger Robot
c62bdd0ec1 Merge "Remove untrusted app access to /proc/net" 2018-10-01 03:58:50 +00:00
Treehugger Robot
f505d74410 Merge "Don't require private types in mapping file." 2018-09-29 02:57:20 +00:00
Tri Vo
e3f4f77d39 Don't require private types in mapping file.
Private types are not visible to vendor/odm policy, so we don't need mapping
entries for them.

We build platform-only public policy .cil file and give it as input to
treble_sepolicy_tests. Using this public policy the test can now figure out if
the newly added type in public or private.

Bug: 116344577
Test: adding public type triggers mapping test failure, adding private type does
not.
Change-Id: I421f335e37274b24aa73109e260653d7b73788b5
2018-09-28 17:22:25 -07:00
Sudheer Shanka
ea44744f94 Merge "Allow zygote to mount on sdcardfs dirs." 2018-09-28 23:19:24 +00:00
Yifan Hong
289132e355 Merge "update_engine: allow to r/w super partition metadata" 2018-09-28 23:03:47 +00:00
Howard Ro
578a189178 Update sepolicies for stats hal
Bug: 116732452
Test: No sepolicy violations observed with this change
(cherry picked from commit I1958182dd8ecc496625da2a2a834f71f5d43e7bb)

Change-Id: Ib386767d8acfacf9fedafd9a79dd555ce233f41c
2018-09-28 13:34:37 -07:00
Sudheer Shanka
4fc64db5c1 Allow zygote to mount on sdcardfs dirs.
Bug: 111890351
Test: manual
Change-Id: I37d632c9877c6d6f929937d8e25098763807630c
2018-09-28 13:28:46 -07:00
Treehugger Robot
21eed51185 Merge "Block access to xt_qtaguid proc files" 2018-09-28 18:35:47 +00:00
Jeff Vander Stoep
d78e07cbb7 Remove untrusted app access to /proc/net
This change is for testing potential app-compat issues when removing
access to file in /proc/net. See: b/114475727#comment11.

Bug: 114475727
Test: build/boot taimen.
Test: atest CtsLibcoreOjTestCases
Test: FileSystemPermissionTest
Test: ListeningPortsTest b/114772424
Change-Id: I1db1c2b41308e47c9ec9db57ea8597a650c8906d
(cherry picked from commit 6784f80bad)
2018-09-28 10:46:19 -07:00
Chenbo Feng
16dbe82eaf Block access to xt_qtaguid proc files
In the next Android release, there will be devices that have no
xt_qtaguid module at all and framework and netd will decide which code
path it takes for trafficStats depending on the device setup. So all
apps and services should not depend on this device specific
implementation anymore and use public API for the data they need.

Bug: 114475331
Bug: 79938294
Test: QtaguidPermissionTest

Change-Id: I0d37b2df23782eefa2e8977c6cdbf9210db3e0d2
2018-09-28 01:33:02 +00:00
Wei Wang
da427a33c9 Allow traceur to call atrace HAL
Bug: 116783882
Bug: 111098596
Test: turn on/off system_tracing
Change-Id: I089851924bdb1a5cd71598a7014d17fedc87625a
2018-09-27 23:18:49 +00:00
Wei Wang
bc71a6109e Add atrace HAL 1.0 sepolicy
Bug: 111098596
Test: atrace/systrace

(cherry picked from commit 9ed5cf6e43)

Change-Id: I97772ff21754d03a0aea0d53b39e8da5312a17c0
2018-09-27 23:18:29 +00:00
Yifan Hong
37427dbce1 update_engine: allow to r/w super partition metadata
and (un)map on dev mapper.

Test: resize partitions during OTA
Bug: 110717529

Change-Id: Ia0b66a188232795cf7c649b48af985a583f3471d
2018-09-27 15:39:12 -07:00
Nick Kralevich
5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00
Nick Kralevich
ff1c765ff2 Label /system/usr/share/zoneinfo differently
/system/usr/share/zoneinfo is currently labeled zoneinfo_data_file,
a label shared with /data/misc/zoneinfo. However, each of these
directory locations has different security characteristics. In
particular, the files in /system/usr/share/zoneinfo must never be
writable, whereas /data/misc/zoneinfo may be written to by system_server.
Reusing the same label hides these different security characteristics.

Create a separate label for /system/usr/share/zoneinfo.

Test: Device boots and no obvious problems.
Change-Id: I8cf16ff038b06b38f77388e546d9b7a6865f7879
2018-09-27 10:18:40 -07:00
Treehugger Robot
0e0feac01b Merge "Fix building error for multi-line dontaudit statement" 2018-09-27 16:29:39 +00:00
Treehugger Robot
91bde1d771 Merge "gracefully handle hashtab_search failures" 2018-09-27 02:21:11 +00:00
Nick Kralevich
bb880a2826 gracefully handle hashtab_search failures
Otherwise we crash on a null pointer exception.

Test: Reference a non-existent type in test code and make sure
    the test doesn't crash.

Change-Id: I5839d2740d51c0df7a8909a3f8430850ae1b2675
2018-09-26 14:28:44 -07:00
Nick Kralevich
dbddbe42d2 system_linker_exec: Remove exec_type
system/sepolicy/public/attributes defines exec_type as:

  # All types used for domain entry points.
  attribute exec_type;

The linker is not a standalone executable, but rather, used by other
executables to resolve shared libraries. It isn't, and must never be, an
allowed entrypoint for a domain.

Remove the exec_type attribute from system_linker_exec.

Test: Device compiles and boots, no obvious problems running the system.
Change-Id: I8f2f608bc1a642193524396f46b22933faac5468
2018-09-26 12:22:59 -07:00
huangyanjun
250957202f Fix building error for multi-line dontaudit statement
All the *.conf.dontaudit files are generated from *.conf
with the command of 'sed '/dontaudit/d' $@ > $@.dontaudit',
but this command can not be applied to multi-line dontaudit statement.

Test: Set plat_policy.conf.dontaudit as the input_file parameter of
checkpolicy tool, then selinux syntax error will occur during building.

Change-Id: I281de923d8a5f0b46256ec7de4df12a1c1d7e061
2018-09-26 20:42:27 +08:00
Nick Kralevich
1b2ea497aa Android.mk: conditional compilation of odm_sepolicy.cil
Do not attempt to build odm_sepolicy.cil if BOARD_ODM_SEPOLICY_DIRS is
not defined. Attempting to do so will create an empty file, which causes
build problems when
0c6ea1e812
is applied.

Test: "cd system/sepolicy && mma -j55" succeeds
Test: "make checkbuild" succeeds
Change-Id: Iefc458bddff3d08e5fcb86f8be3cad16d7e36e73
2018-09-25 11:03:48 -07:00
Tri Vo
6cd9bd078a Label /system/bin/linker* symlinks as system_file.
Fixes:
avc: denied { read } for comm="init" name="linker_asan64" dev="sda22" ino=1833
scontext=u:r:init:s0 tcontext=u:object_r:system_linker_exec:s0 tclass=lnk_file
permissive=0

Bug: 116486312
Test: adb unroot && adb shell ls -l /system/bin/linker_asan
Change-Id: I754daaf3576e83d516cc9189b8be04dcc41bbc5c
2018-09-24 16:22:38 -07:00
Fan Xu
26fa914cb2 Update SELinux Policy for bufferhubd
Create a new service type buffer_hub_binder_service for
BufferHubBinderService and allow bufferhubd to publish the service.

Add the service to 26.0, 27.0 and 28.0 compat ignore files since the
service is not available in past versions.

Fixes: 116022258
Test: build passed

Change-Id: I5a21f00329ed474433d96c8d1ce32377f20cada3
2018-09-24 12:29:43 -07:00
Treehugger Robot
06ddf4b44e Merge "Add label for /system/bin/fsck.exfat" 2018-09-24 18:38:45 +00:00
Tej Singh
44d47c035e Sepolicy for migrating storaged to statsd
This adds /proc/uid_io/stats to the files that system server is able to
read.

Test: Manual test on master produces no selinux violations.
Change-Id: I2c7afec149f893b000094739d91531dec559de6f
2018-09-24 10:42:03 -07:00
Oleksiy Avramchenko
65a0b50763 Add label for /system/bin/fsck.exfat
Allow vold to run exFAT filesystem check.

Test: build, mount exFAT volume
Bug: 80202067
Change-Id: I68f3438de89246e806cebe483f37e31c68aaa3d7
2018-09-24 14:04:05 +02:00
Jeff Vander Stoep
0b67bb88e5 Further lock down app data
Assert that only apps and installd may open private app files.

Remove "open" permission for mediaserver/vold and remove their
neverallow exemption.

Test: verify no related audit messages in the logs.
Test: build
Fixes: 80300620
Fixes: 80418809
Bug: 80190017
Change-Id: If0c1862a273af1fedd8898f334c9b0aa6b9be728
2018-09-22 22:38:42 -07:00
Kevin Chyn
7087bf1256 Merge "Rename biometric_prompt_service to biometric_service" 2018-09-22 03:47:00 +00:00
Tri Vo
6816044271 Merge "More granular vendor access to /system files." 2018-09-22 01:30:25 +00:00
Nick Kralevich
0d690d34a9 Merge "version_policy.c: be less verbose at build time" 2018-09-21 21:32:32 +00:00
Jeffrey Vander Stoep
7776cc3bc5 Merge "system_server: add policy for getConnectionOwnerUid API" 2018-09-21 21:04:20 +00:00
Nick Kralevich
5fe07c724b version_policy.c: be less verbose at build time
Avoid generating build time noise so that real errors stand out.

https://en.wikipedia.org/wiki/Unix_philosophy

  Rule of Silence
  Developers should design programs so that they do not print
  unnecessary output. This rule aims to allow other programs
  and developers to pick out the information they need from a
  program's output without having to parse verbosity.

Test: Info messages no longer show up at build time.
Bug: 115998215
Change-Id: I33c18e2c7d77ed1bb4132debe13de2ae0907c34c
2018-09-21 10:31:54 -07:00
Kevin Chyn
75ded482df Rename biometric_prompt_service to biometric_service
Bug: 111461540
Bug: 112570477

Test: builds
Change-Id: Icc68720ebe931c2d917703b2d34aa0f4eec3f549
Merged-In: Icc68720ebe931c2d917703b2d34aa0f4eec3f549
2018-09-20 23:09:54 -07:00
Tri Vo
b4ef6e7333 Merge "Make dalvik.vm.boot-dex2oat-threads vendor-init-settable." 2018-09-21 00:23:46 +00:00
Tri Vo
260a275836 Make dalvik.vm.boot-dex2oat-threads vendor-init-settable.
Bug: 115741899
Test: m selinux_policy
Change-Id: I5d80a1d9bd5500a82ebf282fb02f0db3a0b0a4c1
2018-09-20 11:05:12 -07:00
Tianjie Xu
26605f4b20 Merge "Gives recovery-persist access to /cache/recovery" 2018-09-20 17:39:36 +00:00
Yifan Hong
1cef6a94eb health.filesystem HAL renamed to health.storage
...to reflect that the HAL operates on storage devices,
not filesystem.

Bug: 111655771
Test: compiles
Change-Id: Ibb0572cb1878359e5944aa6711331f0c7993ba6e
Merged-In: Ibb0572cb1878359e5944aa6711331f0c7993ba6e
2018-09-20 04:12:45 +00:00
Tri Vo
5c1fe61eaa More granular vendor access to /system files.
This change limits global access to /system files down to:
/system/bin/linker*
/system/lib[64]/*
/system/etc/ld.config*
/system/etc/seccomp_policy/*
/system/etc/security/cacerts/*
/system/usr/share/zoneinfo/*

Bug: 111243627
Test: boot device, browse internet without denials to system_* types.
Test: VtsHalDrmV1_{1, 0}TargetTest without denials
Change-Id: I69894b29733979c2bc944ac80229e84de5d519f4
2018-09-20 03:07:50 +00:00
Benjamin Gordon
342362ae3e sepolicy: grant dac_read_search to domains with dac_override
kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order
of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of
dac_override and dac_read_search checks.  Domains that have dac_override
will now generate spurious denials for dac_read_search unless they also
have that permission.  Since dac_override is a strict superset of
dac_read_search, grant dac_read_search to all domains that already have
dac_override to get rid of the denials.

Bug: 114280985
Bug: crbug.com/877588
Test: Booted on a device running 4.14.
Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
2018-09-19 15:54:37 -06:00
Primiano Tucci
51dc7cb1d4 Allow perfetto traced_probes to poll /proc/{meminfo,stat,vmstat,...}
This allows the trace producer daemon to snapshot counters at
high frequency in the trace. As usual for Perfetto, this data is
NOT made available to arbitrary apps but only to an extremely
limited subset of processes governed by selinux rules (currently
shell and statsd).

Bug: 115956288
Change-Id: I7e1bfda4b568b9bac9012b198ecbb998da4f773d
2018-09-19 11:29:17 +00:00
Tri Vo
ca4217e211 system_writes_mnt_vendor_violators for device launched before P.
In cases when a device upgrades to system-as-root from O to P, it needs a mount
point for an already existing partition that is accessed by both system and
vendor.

Devices launching with P must not have /mnt/vendor accessible to system.

Bug: 78598545
Test: m selinx_policy
Change-Id: Ia7bcde44e2b8657a7ad9e0d9bae7a7259f40936f
2018-09-17 19:26:12 -07:00