Commit graph

18065 commits

Author SHA1 Message Date
Roshan Pius
d8790b66e1 wifi: Add a new property to indicate active wifi iface
Denial:
libc    : Unable to set property "wifi.active_interface" to "wlan0":
error code: 0x18

Bug: 129506593
Test: Verified that the denial is no longer seen in the logs
Change-Id: Ia345f5df1446e7ba3a44d6e8299bdc1f5f6ad9c8
2019-04-02 11:47:23 -07:00
Treehugger Robot
6273b696eb Merge "sepolicy: allow init to tune f2fs" 2019-04-01 16:10:28 +00:00
Treehugger Robot
2c6a0eb2d9 Merge "netutils_wrapper: suppress sysfs denials" 2019-03-30 04:38:39 +00:00
Treehugger Robot
aed7273584 Merge " Allow radio server to client binder callback" 2019-03-30 04:28:09 +00:00
Dan Harms
c3b573598b Allow radio server to client binder callback
Test: Built, flashed, test radio
Change-Id: Idb6f50386508119694afc54d52eb32df381df4b7
2019-03-29 15:22:16 -07:00
Jaegeuk Kim
4439b5785e sepolicy: allow init to tune f2fs
This allows init to tune some f2fs knobs like cp_interval.

Bug: 127511432
Change-Id: I9353444578cb47bc7965cd7b068954a8270c5391
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
2019-03-29 22:15:08 +00:00
Jeff Vander Stoep
c510da9918 netutils_wrapper: suppress sysfs denials
Addresses spurious denials caused by users of netutils_wrapper which
open files in /sys without O_CLOEXEC.
avc: denied { read } for comm="iptables-wrappe"
dev="sysfs" ino=47786 scontext=u:r:netutils_wrapper:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file

Test: build
Change-Id: I1c1f82428555be6a9798a189420dd85a9db107f7
2019-03-29 14:29:42 -07:00
Peiyong Lin
d50d36242c [sepolicy] Add sysprop for SurfaceFlinger GPU protected contents.
Not every device can support GPU protected contents, add a sysprop to allow
configuration.

BUG: 35315015
Test: N/A
Change-Id: I59f1b3ea81db742bc4d0b5a22e82de7385a726b7
2019-03-29 14:12:51 -07:00
Tim Murray
251591fa04 sepolicy: Grant system_server and init access to /proc/pressure/memory
Need ability for system components to access psi memory pressure file.
Add required permissions for system_server and init to access
/proc/pressure/memory file.

Bug: 129476847
Test: system_server can read /proc/pressure/memory
Change-Id: I10ce4f4fe0e3618fa77539e93246d0aae933082c
Signed-off-by: Tim Murray <timmurray@google.com>
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-03-28 22:11:25 +00:00
Yifan Hong
93b81f30ae Merge "super_block_device -> super_block_device_type" 2019-03-28 19:55:44 +00:00
Florian Mayer
eda65027c7 Merge "Allow heapprofd to read test files." 2019-03-28 18:21:10 +00:00
Yifan Hong
ab85caaa56 super_block_device -> super_block_device_type
Domains that access super_block_device should instead
access super_block_device_type, which includes appropriate
block devices for retrofit DAP devices.

Test: boots (sanity)
Test: manual OTA
Bug: 128991918
Change-Id: Ie025b1e3c17e82330042aaa4a3e2e4a02ec1265b
2019-03-28 18:08:19 +00:00
Florian Mayer
7145b25226 Merge "Relabel /data/system/packages.list to new type." 2019-03-28 17:36:36 +00:00
Treehugger Robot
a2186d08ca Merge "sepolicy: add sepolicy rules for vold to write sysfs gc_urgent" 2019-03-28 14:19:20 +00:00
Hector Dearman
2d4894323c Merge "Fix typos in genfs_contexts" 2019-03-28 10:51:03 +00:00
Florian Mayer
4ab64c940f Relabel /data/system/packages.list to new type.
Conservatively grant access to packages_list_file to everything that had
access to system_data_file:file even if the comment in the SELinux
policy suggests it was for another use.

Ran a diff on the resulting SEPolicy, the only difference of domains
being granted is those that had system_data_file:dir permissiosn which
is clearly not applicable for packages.list

diff -u0 <(sesearch --allow -t system_data_file ~/sepolicy | sed 's/system_data_file/packages_list_file/') <(sesearch --allow -t packages_list_file ~/sepolicy_new)
--- /proc/self/fd/16	2019-03-19 20:01:44.378409146 +0000
+++ /proc/self/fd/18	2019-03-19 20:01:44.378409146 +0000
@@ -3 +2,0 @@
-allow appdomain packages_list_file:dir getattr;
@@ -6 +4,0 @@
-allow coredomain packages_list_file:dir getattr;
@@ -8 +5,0 @@
-allow domain packages_list_file:dir search;
@@ -35 +31,0 @@
-allow system_server packages_list_file:dir { rename search setattr read lock create reparent getattr write relabelfrom ioctl rmdir remove_name open add_name };
@@ -40 +35,0 @@
-allow tee packages_list_file:dir { search read lock getattr ioctl open };
@@ -43,3 +37,0 @@
-allow traced_probes packages_list_file:dir { read getattr open search };
-allow vendor_init packages_list_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name open add_name };
-allow vold packages_list_file:dir { search setattr read lock create getattr mounton write ioctl rmdir remove_name open add_name };
@@ -48 +39,0 @@
-allow vold_prepare_subdirs packages_list_file:dir { read write relabelfrom rmdir remove_name open add_name };
@@ -50 +40,0 @@
-allow zygote packages_list_file:dir { search read lock getattr ioctl open };

Bug: 123186697

Change-Id: Ieabf313653deb5314872b63cd47dadd535af7b07
2019-03-28 10:27:43 +00:00
David Anderson
6557d87b0f Add sepolicy for installing GSIs to external storage.
To install GSIs on external storage (such as sdcards), gsid needs some
additional privileges:
 - proc_cmdline and device-tree access to call ReadDefaultFstab().
   This is ultimately used to check whether system's dm-verity has
   check_at_most_once enabled, which is disallowed with sdcards.
 - vfat read/write access to write files to the sdcard. Note that
   adopted sdcards are not supported here.
 - read access to the sdcard block device. To enable this without
   providing access to vold_block_device, a new sdcard_block_device
   label was added. Devices must apply this label appropriately to
   enable gsid access.
 - FIBMAP access for VFAT filesystems, as they do not support FIEMAP.
   This only appears to work by granting SYS_RAWIO.

Bug: 126230649
Test: adb shell su root gsi_tool install --install_dir=/mnt/media_rw/...
      works without setenforce 0

Change-Id: I88d8d83e5f61d4c0490f912f226fe1fe38cd60ab
2019-03-27 17:12:51 -07:00
Steven Moreland
180ffccc8f Merge "private: allow zygote mnt_expand_file:dir getattr;" 2019-03-27 22:59:49 +00:00
Treehugger Robot
3337a33609 Merge "Move fs-verity key loading into fsverity_init domain" 2019-03-27 20:31:19 +00:00
Hector Dearman
714b917411 Fix typos in genfs_contexts
Each tracing event is listed twice in this file, once in
debugfs and once in tracefs:

genfscon debugfs /tracing/events/sched/sched_switch/
genfscon tracefs /events/sched/sched_switch/

Some of the debugfs entries are missing the required leading
/tracing/ prefix, probably a copy paste error from when they were
added.

Test: make
Change-Id: I6e64eac0c2b95b38c4648b92765c748c631348b7
2019-03-27 17:06:39 +00:00
Treehugger Robot
76a1a76b35 Merge "Revert "Temporarily hide denial to fix tests."" 2019-03-27 16:54:12 +00:00
Victor Hsieh
3d4ee1dba5 Move fs-verity key loading into fsverity_init domain
fsverity_init is a new shell script that uses mini-keyctl for the actual
key loading.  Given the plan to implement keyctl in toybox, we label
mini-keyctl as u:object_r:toolbox_exec:s0.

This gives us two benefits:
 - Better compatibility to keyctl(1), which doesn't have "dadd"
 - Pave the way to specify key's security labels, since keyctl(1)
   doesn't support, and we want to avoid adding incompatible option.

Test: Boot without SELinux denial
Test: After boot, see the key in /product loaded
Bug: 128607724
Change-Id: Iebd7c9b3c7aa99ad56f74f557700fd85ec58e9d0
2019-03-27 16:31:01 +00:00
Nick Kralevich
9097360049 Revert "Temporarily hide denial to fix tests."
This reverts commit 94b5fe4af5.

Reason for revert: Obsoleted by https://android-review.googlesource.com/933916

Bug: 129298168
Change-Id: I6b34cfdf76b5094db17ee06831d8a662ea360956
Test: Build.
2019-03-27 13:56:20 +00:00
Florian Mayer
12f7e0e658 Allow heapprofd to read test files.
This is needed to test the unwinding of test binaries.

03-26 19:55:44.311   939   939 W heapprofd: type=1400 audit(0.0:13): avc: denied { search } for name="nativetest" dev="sda45" ino=6815745 scontext=u:r:heapprofd:s0 tcontext=u:object_r:nativetest_data_file:s0 tclass=dir permissive=0

Change-Id: Icfbc6060a8755934f1c3935aac55ce7792dc7d85
2019-03-27 11:07:05 +00:00
Yifan Hong
40f1682ba6 Merge changes from topic "lpdumpd"
* changes:
  Add rules for lpdump and lpdumpd
  Allow to getattr kmsg_device
2019-03-26 20:35:36 +00:00
Nick Kralevich
a2b90b5efc Merge "Temporarily hide denial to fix tests." 2019-03-26 20:06:49 +00:00
Nick Kralevich
f3e8dce5d4 Merge "Don't audit audit_access denials to /dev/binder" 2019-03-26 19:51:01 +00:00
Yifan Hong
b9be03d63a Merge "Add super_block_device_type" 2019-03-26 19:30:12 +00:00
Joel Galenson
94b5fe4af5 Temporarily hide denial to fix tests.
This shoud be removed once the offending code is fixed.

Bug: 129298168
Test: Build.
Change-Id: Ie94a626be777a094fb587f72b3987994e085a23e
2019-03-25 17:37:51 -07:00
Tri Vo
786b973c96 Don't audit audit_access denials to /dev/binder
Without VNDK, libcutils has to probe for /dev/binder access before
reaching to ashmemd via binder. Ignore denials generated when probing
/dev/binder.

Bug: 129073672
Test: boot sailfish without denials to /dev/binder
Change-Id: I07ba2e094586df353d54507458e891a3d14c1ca6
2019-03-25 17:23:36 -07:00
Tri Vo
a109fa645c Merge "Allow system_suspend access to /sys/power/wake_[un]lock." 2019-03-25 23:38:09 +00:00
Yifan Hong
e3ee390c6b Add super_block_device_type
This is the type used on super partition block devices.
- On devices launch with DAP, super is already marked
as super_block_device_type.
- On retrofit devices, appropriate block devices must
be marked as super_block_device_type, for example:

    typeattribute system_block_device super_block_device_type;

Bug: 128991918
Test: builds
Change-Id: I7e26d85b577ce08d8dc1574ddc43146d65843d9c
2019-03-25 17:58:10 +00:00
Yifan Hong
18ade868ff Add rules for lpdump and lpdumpd
- lpdump is a binary on the device that talks to lpdumpd
  via binder.

- lpdumpd is a daemon on the device that actually reads
  dynamic partition metadata. Only lpdump can talk to it.

Bug: 126233777
Test: boots (sanity)
Test: lpdump

Change-Id: I0e21f35ac136bcbb0603940364e8117f2d6ac438
2019-03-25 10:14:20 -07:00
Yifan Hong
5d89abde99 Allow to getattr kmsg_device
These denials occur on boot when android_get_control_file also
changes from readlink() to realpath(), because realpath() will
lstat() the given path.

Some other domains (fastbootd, update_engine, etc.) also uses
libcutils to write to kernel log, where android_get_control_file()
is invoked, hence getattr is added to them as well.

04-28 06:15:22.290   618   618 I auditd  : type=1400 audit(0.0:4): avc: denied { getattr } for comm="logd" path="/dev/kmsg" dev="tmpfs" ino=20917 scontext=u:r:logd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
03-20 19:52:23.431   900   900 I auditd  : type=1400 audit(0.0:7): avc: denied { getattr } for comm="android.hardwar" path="/dev/kmsg" dev="tmpfs" ino=20917 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
...
03-20 22:40:42.316     1     1 W init    : type=1400 audit(0.0:33): avc: denied { getattr } for path="/dev/kmsg" dev="tmpfs" ino=21999 scontext=u:r:init:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0

Test: no denials related to these
Change-Id: I5263dd6b64c06fb092f3461858f57a1a09107429
2019-03-25 10:14:20 -07:00
Przemyslaw Szczepaniak
37f5cb2db0 Merge "Make package_native_serice an (ephemeral_)?app_api_service." 2019-03-25 15:49:57 +00:00
Treehugger Robot
db4ac6f02c Merge "Fix mediaserver meets the void fd use denied" 2019-03-24 23:25:19 +00:00
Joe Onorato
d7148b99cb Merge "Allow incidentd to communicate with clients over pipes." 2019-03-24 22:41:01 +00:00
YH_Lin
a5ff1bae61 sepolicy: add sepolicy rules for vold to write sysfs gc_urgent
03-22 02:01:02.656   561   561 W Binder:561_4: type=1400 audit(0.0:1895354): avc: denied { write } for name="gc_urgent" dev="sysfs" ino=76829 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_fs_f2fs:s0 tclass=file permissive=0

Test: adb shell sm idle-maint run
Bug: 128935241

Change-Id: I2ae5477c9e605e6d1060565cacc520d696469af2
Signed-off-by: YH_Lin <yhli@google.com>
2019-03-24 13:19:46 +08:00
Joe Onorato
9cc5c09be5 Allow incidentd to communicate with clients over pipes.
Previously we dumped the data into dropbox.  This improves a couple
things:
  - We write into dropbox via the fd, so dropbox doesn't pull from the
    incidentd directory anymore.
  - There is a new API to for priv apps to explicitly read incident
    reports. That gives incidentd finer grained control over who can
    read it (specifically, it only allows apps to access the incident
    reports they requested, or were requested for them via statsd,
    instead of getting DUMP and reading whatever they want from
    dropbox).

Test: bit incident_test:* GtsIncidentManagerTestCases:*
Bug: 123543706
Change-Id: I9a323e372c4ff95d91419a61e8a20ea5a3a860a5
2019-03-22 17:04:49 -07:00
Andreas Gampe
30186cf611 Sepolicy: Allow otapreopt access to vendor overlay files
A handful of APKs are vendor overlay files. Allow access.

Test: m
Change-Id: I791fa37a3bcb07729386047f0cda178753af9de5
2019-03-22 12:13:53 -07:00
Andreas Gampe
1a5db599ce Sepolicy: Allow otapreopt to mount logical partitions
Logical partitions are handled through libdm. Allow access to
device-mapper.

Bug: 128867786
Test: m
Change-Id: I6979487b91d24b7309c876f2bdc26a827e2fcd1e
2019-03-22 12:13:05 -07:00
Felka Chang
1eb2669218 Fix mediaserver meets the void fd use denied
scenario: droid.apps.docs: type=1400 audit(0.0:77): avc: denied {
use } for path="/mnt/appfuse/10028_6/9" dev="fuse" ino=9
scontext=u:r:mediaserver:s0 tcontext=u:r:vold:s0 tclass=fd permissive=0

root cause: DocumentsUI provides ArchiveProvider to browse the entries
in archive files by using StorageManager.openProxyFileDescriptor.
i.e. the file descriptor comes from the archive entries is belong to
the void fd.  The file descriptor is used by mediaserver but
mediaserver doesn't have the permission to use the file descriptor.

Fixes: 120491318
Test: build, flash, manual test
Change-Id: Ibaf9a625c7b68c3f1977fcaddd6c7d5419352f93
2019-03-22 22:41:49 +08:00
David Brazdil
c848dee19c Merge "dexoptanalyzer: Allow writing into installd's pipe" 2019-03-22 13:48:58 +00:00
Florian Mayer
3b641a60a2 Merge "Give heapprofd dac_read_search on userdebug." 2019-03-22 10:37:05 +00:00
Treehugger Robot
d125ab8f21 Merge "Allow dumpstate to dump wlan hal log on userbuild" 2019-03-22 07:15:13 +00:00
Alan Stokes
5c378a5374 Clarify priv_app.te.
No semantic changes. Just trying to make this easier to understand:
- Separate out common bundles of services from individual services
  (the naming doesn't make this obvious).
- Comment the common ones.
- Put related binder_call and service_manager:find rules together.

Test: Builds
Change-Id: Iba4a85a464da032e35450abff0febcdcf433df48
2019-03-21 23:52:30 +00:00
Florian Mayer
e922aa38bf Give heapprofd dac_read_search on userdebug.
This is needed because some oat dex files are generated without world
readable permissions. See the bug for details.

We are still constrained by the SELinux rules above.

Bug: 129048073

Change-Id: I84e34f83ceb299ff16b29a78f16c620fc0aa5d68
2019-03-21 17:22:09 +00:00
Treehugger Robot
75e7d2886c Merge "Allow lmkd to setched kernel threads" 2019-03-21 10:39:36 +00:00
Roger Wang
49f2954275 Allow dumpstate to dump wlan hal log on userbuild
To check issue on userbuild, wlan hal log
is helpful.

Bug: 122265104
Test: Manully, log collected on user build
Change-Id: I5aa96aa796ca7dfb92e97df3e7be054ff79f6e3d
2019-03-21 12:27:44 +08:00
Wei Wang
eff6ddf668 Allow lmkd to setched kernel threads
psi monitor sched_setscheduler(kworker->task, SCHED_FIFO, &param) was added into pa/1282597

Bug: 127637796
Test: build
Change-Id: I8f2470fc40bc8d02a7fbbbe186afe580c5f53aa4
2019-03-20 23:06:32 +00:00