Commit graph

32 commits

Author SHA1 Message Date
Inseob Kim
09b27c7109 Add "DO NOT ADD statements" comments to public
For visibility

Bug: 232023812
Test: N/A
Change-Id: I0bc6dc568210b81ba1f52acb18afd4bcc454ea1c
2024-03-28 11:27:43 +09:00
Inseob Kim
75806ef3c5 Minimize public policy
Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.

Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
           <(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
      to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
2024-03-28 00:33:46 +00:00
Suchang Woo
6b4c45393b Allow ueventd to read apexd property
To run external firmware handler, ueventd should wait for apexd activation
by reading 'apexd.status' property.

Test: loading firmware from vendor apex using external firmware handler
Signed-off-by: Suchang Woo <suchang.woo@samsung.com>
Change-Id: Ic2057ab2d014540ce5eeb26bcac35d39294b5dc9
2023-05-23 14:12:40 +09:00
David Anderson
e09c0eee36 Allow ueventd to access device-mapper.
ueventd needs access to device-mapper to fix a race condition in symlink
creation. When device-mapper uevents are received, we historically read
the uuid and name from sysfs. However it turns out sysfs may not be
fully populated at that time. It is more reliable to read this
information directly from device-mapper.

Bug: 270183812
Test: libdm_test, treehugger
Change-Id: I36b9b460a0fa76a37950d3672bd21b1c885a5069
2023-05-17 11:07:19 -07:00
Jiyong Park
16c1ae3a3d Add use_bionic_libs macro
... to dedupe rules for allowing access to bootstrap bionic libraries.

Bug: N/A
Test: m
Change-Id: I575487416a356c22f5f06f1713032f11d979d7d4
2022-01-25 09:47:56 +09:00
Devin Moore
74ed0f622f Give ueventd permissions to read /proc/bootconfig
It needs to read parameters that have been moved from /proc/cmdline
to /proc/bootconfig

Test: boot Cuttlefish with 5.10 and 4.19 kernels
Bug: 173815685
Change-Id: I437b76634b7c8e779e32b68cd3043d02f4228be5
2021-03-05 09:21:19 -08:00
Jooyung Han
68c1986c21 Allow ueventd to read apex mount directories.
ueventd now scans /apex/*/firmware/ directories to find firmwares.

Bug: 167942098
Test: loading firmware from vibrator apex (sunfish)
Change-Id: I76e32e3c290fa07307377bc6fbea41c1783e40a6
2020-09-18 15:21:37 +09:00
Inseob Kim
55e5c9b513 Move system property rules to private
public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.

Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
2020-03-18 16:46:04 +00:00
Harpreet \"Eli\" Sangha
0487fe0252 ueventd: allow using external firmware handlers
Userspace may want to load a different firmware than the one that the
kernel requests in some cases, therefore this change adds the ability
to ueventd to run an external handler that will determine the name of
the file that should actually be loaded.

Bug: 138352500
Test: Manually via custom handlers (compiled binary + shell script).
Change-Id: Ib1330cd3b049e23ef066c6e08d3785b344d1feed
2019-08-15 11:34:07 +09:00
Tom Cherry
2a67e947c6 Use a property instead of file to communicate cold boot done
Ueventd can't set properties currently, but this is an artificial
limitation, since ueventd communicates to init that it has finished
cold boot via a file, and init polls this file instead of returning to
the epoll loop, where properties are handled.

A related change replaces that file with a property and thus frees
ueventd to be able to set properties.  This change creates the
cold_boot_done property type for this property and gives only ueventd
permissions to set it.

Bug: 62301678
Test: boot, check that properties are set
Change-Id: I40843b423b192ea841db6a82f648e5bab9738e0e
2019-06-20 08:37:46 -07:00
Jiyong Park
a0f998e6de Allow bootstrap bionic only to init, ueventd, and apexd
The bootstrap bionic (/system/lib/bootstrap/*) are only to the early
processes that are executed before the bionic libraries become available
via the runtime APEX. Allowing them to other processes is not needed and
sometimes causes a problem like b/123183824.

Bug: 123183824
Test: device boots to the UI
Test: atest CtsJniTestCases:android.jni.cts.JniStaticTest#test_linker_namespaces
Change-Id: Id7bba2e8ed1c9faf6aa85dbbdd89add04826b160
2019-04-11 09:51:38 +09:00
Jeff Vander Stoep
41a2abfc0d Properly Treble-ize tmpfs access
This is being done in preparation for the migration from ashmem to
memfd. In order for tmpfs objects to be usable across the Treble
boundary, they need to be declared in public policy whereas, they're
currently all declared in private policy as part of the
tmpfs_domain() macro. Remove the type declaration from the
macro, and remove tmpfs_domain() from the init_daemon_domain() macro
to avoid having to declare the *_tmpfs types for all init launched
domains. tmpfs is mostly used by apps and the media frameworks.

Bug: 122854450
Test: Boot Taimen and blueline. Watch videos, make phone calls, browse
internet, send text, install angry birds...play angry birds, keep
playing angry birds...

Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358
Merged-In: I20a47d2bb22e61b16187015c7bc7ca10accf6358
(cherry picked from commit e16fb9109c)
2019-01-26 17:30:41 +00:00
Tri Vo
c7f56cdc83 Remove kmem_device selinux type.
kmem_device was used to label /dev/mem and /dev/kmem. We already have
multiple layers of protection against those /dev nodes being present on
devices.

CTS checks that /dev/mem and /dev/kmem don't exist:
https://android.googlesource.com/platform/cts/+/master/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java#233

VTS enforces our base kernel configs, which have CONFIG_DEVKMEM and
CONFIG_DEVMEM disabled:
https://android.googlesource.com/kernel/configs/+/master/android-4.9/android-base.config#2

Bug: 110962171
Test: m selinux_policy
Change-Id: I246740684218dee0cddf81dabf84d4763a753cde
2018-11-15 21:31:56 +00:00
Benjamin Gordon
342362ae3e sepolicy: grant dac_read_search to domains with dac_override
kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order
of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of
dac_override and dac_read_search checks.  Domains that have dac_override
will now generate spurious denials for dac_read_search unless they also
have that permission.  Since dac_override is a strict superset of
dac_read_search, grant dac_read_search to all domains that already have
dac_override to get rid of the denials.

Bug: 114280985
Bug: crbug.com/877588
Test: Booted on a device running 4.14.
Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
2018-09-19 15:54:37 -06:00
Nick Kralevich
095fbea563 Strengthen ptrace neverallow rules
Add additional compile time constraints on the ability to ptrace various
sensitive domains.

llkd: remove some domains which llkd should never ptrace, even on
debuggable builds, such as kernel threads and init.

crash_dump neverallows: Remove the ptrace neverallow checks because
it duplicates other neverallow assertions spread throughout the policy.

Test: policy compiles and device boots
Change-Id: Ia4240d1ce7143b983bb048e046bb4729d0af5a6e
2018-09-14 18:32:20 +00:00
Tom Cherry
52a80ac1f1 Allow ueventd to insert modules
avc:  denied  { sys_module } for comm="ueventd" capability=16 scontext=u:r:ueventd:s0 tcontext=u:r:ueventd:s0 tclass=capability
avc:  denied  { module_load } for  pid=581 comm="ueventd" path="/vendor/lib/modules/module.ko" dev="dm-2" ino=1381 scontext=u:r:ueventd:s0 tcontext=u:object_r:vendor_file:s0 tclass=system
avc:  denied  { search } for  pid=556 comm="ueventd" scontext=u:r:ueventd:s0 tcontext=u:r:kernel:s0 tclass=key

Bug: 111916071
Test: ueventd can insert modules
Change-Id: I2906495796c3655b5add19af8cf64458f753b891
2018-08-01 13:21:20 -07:00
Inseob Kim
d8612deee8 Suppress denial for ueventd to getattr
From now on, linker will resolve dir.${section} paths of ld.config.txt.
This is added to suppress SELinux denial during resolving /postinstall.

Bug: http://b/80422611
Test: on taimen m -j, logcat | grep denied, atest on bionic/linker/tests
Change-Id: I12c2bb76d71ae84055b5026933dcaa6ef2808590
2018-06-21 10:31:25 +09:00
Jiyong Park
90b21ee4b4 init is a dynamic executable
init is now a dynamic executable. So it has to be able to execute the
dynamic linker (/system/bin/linker) and shared libraries (e.g.,
/system/lib/libc.so). Furthermore, when in recovery mode, the files are
all labeled as rootfs - because the recovery ramdisk does not support
xattr, so files of type rootfs is allowed to be executed.

Do the same for kernel and ueventd because they are executing the init
executable.

Bug: 63673171
Test: `adb reboot recovery; adb devices` shows the device ID
Change-Id: Ic6225bb8e129a00771e1455e259ff28241b70396
2018-06-14 01:56:36 +09:00
Bowgo Tsai
98ef2abb12 ueventd: allow reading kernel cmdline
This is needed when ueventd needs to read device tree files
(/proc/device-tree). Prior to acccess, it tries to read
"androidboot.android_dt_dir" from kernel cmdline for a custom
Android DT path.

Bug: 78613232
Test: boot a device without unknown SELinux denials
Change-Id: Iff9c882b4fcad5e384757a1e42e4a1d1259bb574
2018-05-17 18:47:42 +08:00
Luis Hector Chavez
7ae939e84b Revert "Allow callers of uevent_kernel_*() access to /proc/sys/kernel/overflowuid"
This reverts commit 640e595a68. The
corresponding code in libcutils was removed, so this is now unneeded.

Bug: 71632076
Test: aosp_sailfish still works

Change-Id: I615bab83e9a83bc14439b8ab90c00d3156b0a7c4
2018-01-08 13:09:34 -08:00
Benjamin Gordon
9b2e0cbeea sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-21 08:34:32 -07:00
Luis Hector Chavez
640e595a68 Allow callers of uevent_kernel_*() access to /proc/sys/kernel/overflowuid
Bug: 62378620
Test: Android in Chrome OS can call uevent_kernel_recv() and not fail
      with EIO.
Test: bullhead networking still works

Change-Id: I4dd5d2148ee1704c4fa23d7fd82d1ade19b58cbd
2017-11-08 01:39:28 +00:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Jeff Vander Stoep
76aab82cb3 Move domain_deprecated into private policy
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
2017-05-15 13:37:59 -07:00
Sandeep Patil
277a20ebec sepolicy: relabel /vendor
The CL splits /vendor labeling from /system. Which was allowing all
processes read, execute access to /vendor.

Following directories will remain world readable
 /vendor/etc
 /vendor/lib(64)/hw/

Following are currently world readable but their scope
will be minimized to platform processes that require access
 /vendor/app
 /vendor/framework/
 /vendor/overlay

Files labelled with 'same_process_hal_file' are allowed to be
read + executed from by the world. This is for Same process HALs and
their dependencies.

Bug: 36527360
Bug: 36832490
Bug: 36681210
Bug: 36680116
Bug: 36690845
Bug: 36697328
Bug: 36696623
Bug: 36806861
Bug: 36656392
Bug: 36696623
Bug: 36792803

All of the tests were done on sailfish, angler, bullhead, dragon
Test: Boot and connect to wifi
Test: Run chrome and load websites, play video in youtube, load maps w/
      current location, take pictures and record video in camera,
      playback recorded video.
Test: Connect to BT headset and ensure BT audio playback works.
Test: OTA sideload using recovery
Test: CTS SELinuxHostTest pass

Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-05 13:58:32 -07:00
Sandeep Patil
c9cf7361c1 file_context: explicitly label all file context files
file_context files need to be explicitly labeled as they are now split
across system and vendor and won't have the generic world readable
'system_file' label.

Bug: 36002414
Test: no new 'file_context' denials at boot complete on sailfish
Test: successfully booted into recovery without denials and sideloaded
OTA update.
Test: ./cts-tradefed run singleCommand cts --skip-device-info \
       --skip-preconditions --skip-connectivity-check --abi \
       arm64-v8a --module CtsSecurityHostTestCases -t \
       android.security.cts.SELinuxHostTest#testAospFileContexts

Change-Id: I603157e9fa7d1de3679d41e343de397631666273
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-03-29 10:17:21 -07:00
Max Bires
3171829af3 Removing init and ueventd access to generic char files
There are many character files that are unreachable to all processes
under selinux policies. Ueventd and init were the only two domains that
had access to these generic character files, but auditing proved there
was no use for that access. In light of this, access is being completely
revoked so that the device nodes can be removed, and a neverallow is
being audited to prevent future regressions.

Test: The device boots
Bug: 33347297
Change-Id: If050693e5e5a65533f3d909382e40f9c6b85f61c
2017-02-01 21:35:08 +00:00
Max Bires
9e7a5b0a7c Auditing init and ueventd access to chr device files.
It seems likely that there is no reason to keep around a number of
devices that are configured to be included into the pixel kernels. Init
and ueventd should be the only processes with r/w access to these
devices, so auditallow rules have been added to ensure that they aren't
actually used.

/dev/keychord was given its own type since it's one of the few character
devices that's actually legitimately used and would cause log spam in
the auditallow otherwise.

Bug: 33347297
Test: The phone boots without any apparent log spam.

Change-Id: I3dd9557df8a9218b8c802e33ff549d15849216fb
2017-01-13 17:38:39 +00:00
Nick Kralevich
e78fa1bf37 Revert "ueventd.te: auditallow device:chr_file"
Broke the dragon build:

libsepol.report_failure: neverallow on line 304 of system/sepolicy/public/domain.te (or line 8638 of policy.conf) violated by allow kernel device:chr_file { create setattr };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy

This reverts commit ed0b4eb366.

Change-Id: I5d55ab59ed72ce7c19a10ddbb374f9f3b3fae4fd
2016-12-05 17:29:25 +00:00
Nick Kralevich
ed0b4eb366 ueventd.te: auditallow device:chr_file
By default, files created in /dev are labeled with the "device" label
unless a different label has been assigned. The direct use of this
generic label is discouraged (and in many cases neverallowed) because
rules involving this label tend to be overly broad and permissive.

Today, generically labeled character devices can only be opened, read,
or written to by init and ueventd.

  $ sesearch --allow -t device -c chr_file -p open,read,write out/target/product/marlin/root/sepolicy
  allow init device:chr_file { setattr read lock getattr write ioctl open append };
  allow ueventd device:chr_file { read lock getattr write ioctl open append };

this is enforced by the following SELinux neverallow rule (compile time
assertion + CTS test):

  neverallow { domain -init -ueventd } device:chr_file { open read write };

Start auditallowing ueventd access to /dev character device files with the
default SELinux label. This doesn't appear to be used, but let's prove it.
While ueventd is expected to create files in /dev, it has no need to open
most of the files it creates.

Note, however, that because ueventd has mknod + setfscreate permissions,
a malicious or compromised ueventd can always create a device node under
an incorrect label, and gain access that way.

The goal of this change is to prove that no process other than init are
accessing generically labeled files in /dev.

While I'm here, tighten up the compile time assertion for
device:chr_file to include more permissions.

Test: policy compiles + device boots with no granted messages.
Change-Id: Ic98b0ddc631b49b09e58698d9f40738ccedd1fd0
2016-12-05 14:22:18 +00:00
Max
c27c23fbdb /dev/port does not seem to be used, adding in rules to confirm.
Only init and ueventd have any access to /dev/port, and neither should
have any use for it. As it stands, leaving port in just represents
additional attack surface with no useful functionality, so it should be
removed if possible, not only from Pixel devices, but from all Android
devices.

Test: The phone boots successfully

Bug:33301618
Change-Id: Iedc51590f1ffda02444587d647889ead9bdece3f
2016-12-04 16:46:11 -08:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00
Renamed from ueventd.te (Browse further)