Commit graph

16067 commits

Author SHA1 Message Date
Nick Kralevich
d90d001a78 Revert "Remove legacy execmod access."
This reverts commit 0f11ffccf9.

Reason for revert: libmono crashes

Bug: 112292089
Bug: 111544476
Test: policy compiles, device boots
Change-Id: I064090aa9337cf17b80cd2c9af9342df851a3b27
2018-08-07 17:03:07 +00:00
Xin Li
c05fa1a5cf Merge Android Pie into master
Bug: 112104996
Change-Id: Icf411d8b04e12dd33dd82a26328b4156585cb5ff
2018-08-07 09:46:55 -07:00
Treehugger Robot
0860253239 Merge "fs_use: Enabled loading security xattrs for erofs" 2018-08-07 16:09:53 +00:00
Tom Cherry
07dfaec076 Merge "Second stage init is on system" 2018-08-07 16:08:55 +00:00
Gao Xiang
910cd95354 fs_use: Enabled loading security xattrs for erofs
Bug: 112292714
Change-Id: I0026c13fd4335e0365496bc00c26021d83f3c39d
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
2018-08-07 22:13:12 +08:00
Nick Kralevich
ca8749a0b3 auditallow app_data_file execute
am: 4738b93db2

Change-Id: I4278bd3d4e7786be716324d1817a81b6c19eec2e
2018-08-06 18:59:55 -07:00
Nick Kralevich
fed2c09cfa Delete untrusted_v2_app
am: 41b21ee96a

Change-Id: I85087c37b7c575e9b50d7090d155281d4f7c4f74
2018-08-06 15:35:16 -07:00
Nick Kralevich
4738b93db2 auditallow app_data_file execute
Executing files from an application home directory violates
W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code
from a writable file) and is an unsafe application behavior. Test to see if we
can get rid of it and establish some baseline metrics.

Test: device boots and no obvious problems.
Change-Id: I756c281fcbf750821307327642cc0d06605951b0
2018-08-06 14:49:45 -07:00
Nick Kralevich
41b21ee96a Delete untrusted_v2_app
As of https://android-review.googlesource.com/c/platform/system/sepolicy/+/536356 ,
the untrusted_v2_app domain is no longer used.

Bug: 112233317
Test: policy compiles, device boots, and no problems
Change-Id: I5a47c8305bef374b7fea06cd789e06cd48b847e6
2018-08-06 12:52:37 -07:00
Joel Galenson
1588241555 [automerger skipped] Allow ephemeral_app to execute system_file.
am: 8b2c858053  -s ours

Change-Id: If21fba6ab5506a8ba74a55d4cd816c218b4078b1
2018-08-06 12:41:26 -07:00
Joel Galenson
8b2c858053 Allow ephemeral_app to execute system_file.
(cherrypicked from commit f2afca7cf0)

Bug: 109653662
Test: Build policy.
Change-Id: I6c71a8bc24d7a144b801d16f1bcad31fb8f2aba5
Merged-In: I6c71a8bc24d7a144b801d16f1bcad31fb8f2aba5
2018-08-06 10:42:17 -07:00
Nick Kralevich
bd39081ea3 resolve merge conflicts of 601b4422ae to stage-aosp-master
Bug: None
Test: I solemnly swear I tested this conflict resolution.
Change-Id: Ic6dd370d6549c9dd1eb1e690c1c2f2fa441624b9
2018-08-03 17:37:32 -07:00
Treehugger Robot
601b4422ae Merge "Change priv-apps /home/home labels to privapp_data_file" 2018-08-04 00:07:44 +00:00
Sudheer Shanka
19e85dfb68 Merge "Allow vold to mount at /mnt/user/.*"
am: c5601de4cd

Change-Id: Ie61645bd9b276f67e96ac7f823c1a1048a35ef8e
2018-08-03 16:10:04 -07:00
Tom Cherry
5f49b6a2d6 Allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
am: 938ab05d72

Change-Id: If632608a9e7acc6e59b468674207bc80a4833a26
2018-08-03 16:07:11 -07:00
Tom Cherry
2faf4854d6 Second stage init is on system
Test: boot hikey
Change-Id: I8f26f858af8ccde1d7f4b346966bbb6bbeab5a92
2018-08-03 22:45:01 +00:00
Sudheer Shanka
c5601de4cd Merge "Allow vold to mount at /mnt/user/.*" 2018-08-03 22:25:58 +00:00
Nick Kralevich
4df57822fc Change priv-apps /home/home labels to privapp_data_file
Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.

Commit 23c9d91b46 introduced a new type
called privapp_data_file and added rules necessary to preserve
compatibility. However, that change did not relabel any existing files,
so effectively the change was a no-op.

This change performs the switch, relabeling priv-app's /data/data files
from app_data_file to privapp_data_file. Due to the compatibility rules
added in 23c9d91b46, there should be no
noticeable effect from this change.

Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
      filesystem upgrade.

Merged-In: I9a476726bf01f4bcc7952d11fd57dba803a9fd8d
Change-Id: I23a26cd3906fc43cbd225c05c3a2abd3cab8bd06
2018-08-03 13:50:21 -07:00
Sudheer Shanka
a2bacea876 Allow vold to mount at /mnt/user/.*
Bug: 111890351
Test: Device boots and no selinux denials when vold mounts
      at /mnt/user/.*

Change-Id: Id962a85af9f99c54421f0820a22880be36c2e478
2018-08-03 12:55:09 -07:00
Tom Cherry
938ab05d72 Allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
This is do aid developers pushing debug services to not need to modify
the underlying SEPolicy

avc: denied { transition } for comm="init" path="/system/bin/awk"
dev="dm-0" ino=1934 scontext=u:r:init:s0 tcontext=u:r:su:s0
tclass=process
avc: denied { rlimitinh } for comm="awk" scontext=u:r:init:s0
tcontext=u:r:su:s0 tclass=process
avc: denied { siginh } for comm="awk" scontext=u:r:init:s0
tcontext=u:r:su:s0 tclass=process
avc: denied { noatsecure } for comm="awk" scontext=u:r:init:s0
tcontext=u:r:su:s0 tclass=process

Test: init can execute a system_file marked with seclabel u:r:su:s0
Change-Id: I85d9528341fe08dbb2fb9a91e34a41f41aa093be
2018-08-03 19:41:03 +00:00
Tom Cherry
09386d41a8 Move watchdogd out of init and into its own domain
am: d840374e65

Change-Id: I93264ded0479ab0e101d0449c2ff52b9a92e3d6e
2018-08-03 12:39:53 -07:00
Tom Cherry
d840374e65 Move watchdogd out of init and into its own domain
Bug: 73660730
Test: watchdogd still runs
Change-Id: I31697c7c6fa2f7009731ff48c659af051838e42f
2018-08-03 19:28:05 +00:00
Nick Kralevich
930614c7e6 Start partitioning off privapp_data_file from app_data_file
am: 23c9d91b46

Change-Id: Id99688b1e9b4d8d43eb1833904ac47c2796166ab
2018-08-02 21:27:57 -07:00
Nick Kralevich
23c9d91b46 Start partitioning off privapp_data_file from app_data_file
Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.

This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.

This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:

  -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
  +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user

For now, this newly introduced label has no usage, so this change
is essentially a no-op.

Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
      filesystem upgrade.

Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-02 16:29:02 -07:00
Tom Cherry
dada008159 Merge "Allow ueventd to insert modules"
am: b520169832

Change-Id: I03af3fbdecde072ab326ee47fd614f7340aeb908
2018-08-02 12:40:54 -07:00
Tom Cherry
b520169832 Merge "Allow ueventd to insert modules" 2018-08-02 19:22:35 +00:00
Alan Stokes
a8898820d6 Remove legacy execmod access.
am: 0f11ffccf9

Change-Id: I0f85ecb4a1dc6464becce64fb8539cd2f8e1a779
2018-08-02 06:59:12 -07:00
Alan Stokes
0f11ffccf9 Remove legacy execmod access.
Remove the exemptions for untrusted apps and broaden the neverallow so
they can't be reinstated. Modifying executable pages is unsafe. Text
relocations are not supported.

Bug: 111544476
Test: Builds.
Change-Id: Ibff4f34d916e000203e38574bb063513e4428bb7
2018-08-02 11:57:16 +01:00
Tom Cherry
13f118314c Merge "allow init to run fsck for early mount partitions"
am: 9c8d054639

Change-Id: I8976234923363b2d05f1369753a453b6077c06fb
2018-08-01 14:11:43 -07:00
Tom Cherry
9c8d054639 Merge "allow init to run fsck for early mount partitions" 2018-08-01 21:02:35 +00:00
Tom Cherry
52a80ac1f1 Allow ueventd to insert modules
avc:  denied  { sys_module } for comm="ueventd" capability=16 scontext=u:r:ueventd:s0 tcontext=u:r:ueventd:s0 tclass=capability
avc:  denied  { module_load } for  pid=581 comm="ueventd" path="/vendor/lib/modules/module.ko" dev="dm-2" ino=1381 scontext=u:r:ueventd:s0 tcontext=u:object_r:vendor_file:s0 tclass=system
avc:  denied  { search } for  pid=556 comm="ueventd" scontext=u:r:ueventd:s0 tcontext=u:r:kernel:s0 tclass=key

Bug: 111916071
Test: ueventd can insert modules
Change-Id: I2906495796c3655b5add19af8cf64458f753b891
2018-08-01 13:21:20 -07:00
Bowgo Tsai
7f16c35ed7 Merge "Allowing vold to search /mnt/vendor/*"
am: 209c9066f4

Change-Id: Ic09209f75efba3d76963411666df8bfbe9d7965f
2018-07-31 23:40:03 -07:00
Treehugger Robot
209c9066f4 Merge "Allowing vold to search /mnt/vendor/*" 2018-08-01 06:31:39 +00:00
Tom Cherry
47157353af allow init to run fsck for early mount partitions
Bug: 111883560
Test: fsck runs successfully during early mount
Change-Id: I697d0ab8ba51824d5c5062b48370a73438311566
2018-07-31 13:58:54 -07:00
Nick Kralevich
a343844dee Allow mmap for vendor_init
am: 99ceb07ec1

Change-Id: Idf1d381cee6ba9946b9185a7d5f4475303ad8062
2018-07-30 21:05:44 -07:00
Nick Kralevich
99ceb07ec1 Allow mmap for vendor_init
vendor_init needs to touch a bunch of files. Forgotten within this set
of permissions is the ability to mmap files.

Addresses the following denial:

  avc:  denied  { map } for  pid=1167 comm="init" path="/system/etc/selinux/plat_file_contexts" dev="vda1" ino=1845 scontext=u:r:vendor_init:s0 tcontext=u:object_r:file_contexts_file:s0 tclass=file permissive=0

While I'm here, add mmap() support to other areas where it's likely
needed.

Bug: 111742629
Test: make -j80, ran emulator
Change-Id: Icab00e45ae88f0d86be66d85a22e018af6ffcd75
2018-07-30 18:57:53 -07:00
Nick Kralevich
315f2fb260 Protect apps from ptrace by other system components
am: 84a42eadb2

Change-Id: Ib4e55bd3a56639c993314d3732b5dc406fbed0bd
2018-07-27 08:47:19 -07:00
Nick Kralevich
84a42eadb2 Protect apps from ptrace by other system components
The Android security model guarantees the confidentiality and integrity
of application data and execution state. Ptrace bypasses those
confidentiality guarantees. Disallow ptrace access from system components
to apps. Crash_dump is excluded, as it needs ptrace access to
produce stack traces.

Bug: 111317528
Test: code compiles
Change-Id: I883df49d3e9bca62952c3b33d1c691786dd7df4d
2018-07-25 23:49:30 -07:00
Jeff Vander Stoep
b1f4302819 Merge "OWNERS: add nnk and smoreland"
am: 719fa6db00

Change-Id: Iecca10575cadd8cd8e155f18eadbca4f93f37a2e
2018-07-25 13:12:12 -07:00
Treehugger Robot
719fa6db00 Merge "OWNERS: add nnk and smoreland" 2018-07-25 19:57:23 +00:00
Jeff Vander Stoep
904416562c OWNERS: add nnk and smoreland
Test: none
Change-Id: I5023f3f3f9362d456f30c81ec67580509101e81e
2018-07-25 10:10:40 -07:00
Bowgo Tsai
7b67a617dd Allowing vold to search /mnt/vendor/*
vold will trim rw mount points about daily, but it is denied by SELinux:

root   603   603 W Binder:603_2: type=1400 audit(0.0:11): avc: denied {
search } for name="vendor" dev="tmpfs" ino=23935 scontext=u:r:vold:s0
tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=0

Allowing vold to search /mnt/vendor/* to fix the denials.

Note that device-specific sepolicy needs to be extended to allow vold
to send FITRIM ioctl. e.g., for /mnt/vendor/persist, it needs:

    allow vold persist_file:dir { ioctl open read };

Bug: 111409607
Test: boot a device, checks the above denial is gone
Change-Id: Ia9f22d973e5a2e295678781de49a0f61fccd9dad
2018-07-25 10:18:42 +08:00
Yi Kong
59b5de0b43 Modernize codebase by replacing NULL with nullptr
am: 16544eb94f

Change-Id: I0790ed88b45665c9087562144a73cd0294cb4c31
2018-07-24 16:54:14 -07:00
Yi Kong
16544eb94f Modernize codebase by replacing NULL with nullptr
Fixes -Wzero-as-null-pointer-constant warning.

Test: m
Bug: 68236239
Change-Id: Ib3f0a25a5129c34d94ebebff818feb5e6fd349dd
2018-07-24 14:54:56 -07:00
Wale Ogunwale
c1ebd93528 Added sepolicy for uri_grants service
am: 3280985971

Change-Id: I17244cba89aa30d1fa560648f618e21d320ed87c
2018-07-23 17:36:57 -07:00
Wale Ogunwale
3280985971 Added sepolicy for uri_grants service
Bug: 80414790
Test: boots
Change-Id: I15233721fa138e0fdf1a30f66d52b64cbab18b81
2018-07-23 15:31:40 -07:00
Tri Vo
f832f2149d 28 mapping workaround for devices upgrading to P.
am: 0cc68ea0b2

Change-Id: Ie3d39420403eaba08ccfd2c3f3fb42a9594f07e6
2018-07-22 19:27:05 -07:00
Tri Vo
0cc68ea0b2 28 mapping workaround for devices upgrading to P.
Bug: 72458734
Test: Compile current system sepolicy with P vendor sepolicy
Test: Plug in a P device then do:
m selinux_policy
cp $OUT/system/etc/selinux/plat_sepolicy.cil  plat_sepolicy.cil
cp $ANDROID_BUILD_TOP/system/sepolicy/private/compat/28.0/28.0.cil 28.0.cil
adb pull /vendor/etc/selinux/plat_pub_versioned.cil
adb pull /vendor/etc/selinux/vendor_sepolicy.cil
secilc plat_sepolicy.cil -m -M true -G -N -c 30 28.0.cil \
plat_pub_versioned.cil vendor_sepolicy.cil
Change-Id: I399b3a204eb94bee0ba1b5024b1c3463219c678e
2018-07-20 15:19:36 -07:00
Alan Stokes
95b223b46f Merge "Re-order rules to match AOSP." into stage-aosp-master 2018-07-20 14:37:53 +00:00
Alan Stokes
a55f637a3d Temporarily add auditing of execmod by apps.
am: 708aa90dd2

Change-Id: I4a0fdea7adead3baceb089644ed37a0c479d2e62
2018-07-20 06:52:41 -07:00