Commit graph

13 commits

Author SHA1 Message Date
Jeff Vander Stoep
60bb29fcdf crash_dump: suppress devpts denials
The following denial caused a presubmit failure:
06-15 15:16:24.176   956   956 I auditd  : type=1400 audit(0.0:4): avc:
denied { read write } for comm="crash_dump64" path="/dev/pts/3"
dev="devpts" ino=6 scontext=u:r:crash_dump:s0
tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0

Suppress these denials. They are not needed by crash_dump and are only
caused by the default behavior of sharing FDs across exec.

Test: build
Change-Id: I183f7a54e6b807fdf46b04d67dd4b819d4f0e507
2019-03-19 04:05:51 +00:00
Jeff Vander Stoep
1795d0bcfd crash_dump: dontaudit devices passed by exec()
avc: denied { read } for comm="crash_dump64" name="v4l-touch22"
dev="tmpfs" ino=18821 scontext=u:r:crash_dump:s0
tcontext=u:object_r:input_device:s0 tclass=chr_file

Test: build
Change-Id: Iac66b77ad255c950b21fd267c88fdbc382be2877
2019-03-13 20:50:25 -07:00
Andreas Gampe
efece54e06 Sepolicy: Allow crash_dump to ptrace apexd in userdebug
In userdebug, for better diagnostics, allow crash_dump to "connect
to" apexd.

Considering apexd is quite powerful, user devices remain restricted.

Bug: 118771487
Test: m
Change-Id: Id42bd2ad7505cd5578138bfccd8840acba9a334d
2019-03-05 09:59:50 -08:00
Jeff Vander Stoep
504a654983 crash_dump: dontaudit gpu_device access
And add neverallow so that it's removed from partner policy if
it was added there due to denials.

Fixes: 124476401
Test: build
Change-Id: I16903ba43f34011a0753b5267c35425dc7145f05
2019-02-18 21:06:42 +00:00
Jeff Sharkey
d101896ec8 Allow system watchdog to collect traces from vold.
We're investigating a bug where vold gets wedged, and we need to
collect ANR stack traces from it to debug further.

avc: denied { signal } for comm="watchdog" scontext=u:r:system_server:s0 tcontext=u:r:vold:s0 tclass=process permissive=0
avc: denied { ptrace } for scontext=u:r:crash_dump:s0 tcontext=u:r:vold:s0 tclass=process permissive=0

Bug: 122090837
Test: manual
Change-Id: I738e63717715189b9ae2317472f671e3563afaa9
2019-02-06 09:25:00 -07:00
Martijn Coenen
ac097ac4c7 Add policy for apexd.
apexd is a new daemon for managing APEX packages installed
on the device. It hosts a single binder service, "apexservice".

Bug: 112455435
Test: builds, binder service can be registered,
      apexes can be accessed, verified and mounted
Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
2018-10-04 07:06:45 +00:00
Nick Kralevich
095fbea563 Strengthen ptrace neverallow rules
Add additional compile time constraints on the ability to ptrace various
sensitive domains.

llkd: remove some domains which llkd should never ptrace, even on
debuggable builds, such as kernel threads and init.

crash_dump neverallows: Remove the ptrace neverallow checks because
it duplicates other neverallow assertions spread throughout the policy.

Test: policy compiles and device boots
Change-Id: Ia4240d1ce7143b983bb048e046bb4729d0af5a6e
2018-09-14 18:32:20 +00:00
Mark Salyzyn
275ea12d84 llkd: Add stack symbol checking
llkd needs the ptrace capabilities and dac override to monitor for
live lock conditions on the stack dumps.

Test: compile
Bug: 33808187
Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126
2018-09-04 17:02:30 +00:00
Alan Stokes
b9cb73ad4e Ensure crash_dump cannot be allowed to ptrace itself.
This is not needed and could conceivably be abused.

Test: Builds.
Bug: 110107376
Change-Id: I73f301439af435fe40b3902409964cdf6e2c7dd5
2018-09-03 17:27:54 +01:00
Jeff Vander Stoep
08aa715966 crash_dump: disallow ptrace of TCB components
Remove permissions and add neverallow assertion.

(cherry picked from commit f1554f1588)

Bug: 110107376
Test: kill -6 <components excluded from ptrace>
Change-Id: I2dc872f5c02749fbaf8ca6bc7e3e38404151442c
2018-08-28 08:28:25 -07:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
Josh Gao
3067af1436 Revert "crash_dump: temporarily make permissive."
This reverts commit 9cfe34b5ee.

Bug: http://b/34978531
Change-Id: I0702641c48fad273f16fa1a5f0e4483dfe408c05
2017-02-14 16:13:30 -08:00
Josh Gao
9cfe34b5ee crash_dump: temporarily make permissive.
Test: policy compiles.
Bug: http://b/34450704
Change-Id: I1381f9de8e4c8cdde4920be423ab32adc2f7a8a2
2017-01-19 10:28:43 -08:00