Commit graph

13332 commits

Author SHA1 Message Date
Paul Crowley
d9a4e06ec5 Allow vendor_init and e2fs to enable metadata encryption
Bug: 63927601
Test: Enable metadata encryption in fstab on Taimen, check boot success.

Change-Id: Iddbcd05501d360d2adc4edf8ea7ed89816642d26
2018-02-01 13:25:34 -08:00
Treehugger Robot
a4b7a7cc14 Merge "Add this rule allows incidentd CTS tests be able to use incident command to fetch data from shell." 2018-02-01 19:01:31 +00:00
Bowgo Tsai
37d474f0e9 Fix boot failure on angler/bullhead
Need use 'nonplat_service_contexts_file' as the file context for
/vendor_service_context on non full-treble device.
Otherwise, servicemanager can't read the file.

Bug: 72787689
Test: build
Change-Id: Ib54e4f2501c7bbf8b397eacf4afadfae344ddd03
2018-02-01 22:25:21 +08:00
Treehugger Robot
310e8a559b Merge "Add neverallow rules to restrict reading radio_prop" 2018-02-01 04:35:49 +00:00
Treehugger Robot
829a88b7ee Merge "Remove app access to qtaguid ctrl/stats file" 2018-02-01 02:00:15 +00:00
Yin-Chia Yeh
15238f7cc9 Merge "Camera: sepolicy for external camera" 2018-01-31 22:35:24 +00:00
Treehugger Robot
c219fac94e Merge "Track priv_app SELinux denial." 2018-01-31 22:24:43 +00:00
Yi Jin
1002de4b24 Add this rule allows incidentd CTS tests be able to use incident
command to fetch data from shell.

Bug: 72502621
Test: N/A
Change-Id: I5b581f647c2f2932f0e3711965b98351ef7e6063
2018-01-31 12:33:57 -08:00
Joel Galenson
2218696a3d Track priv_app SELinux denial.
This should fix presubmit tests.

Bug: 72749888
Test: Built policy.
Change-Id: I588bba52d26bcc7d93ebb16e28458d9125f73108
2018-01-31 12:22:30 -08:00
Ruchi Kandoi
0be3fbf5b2 Add sepolicy for NFC 1.1 HAL service
Bug: 72746517
Test: Boot a device and check NFC 1.1 service loads
Change-Id: Ia281af8add0371525971f076bf513c694e7ea912
2018-01-31 11:18:35 -08:00
Treehugger Robot
31f2ec19e8 Merge "Clean up bug_map." 2018-01-31 17:32:27 +00:00
Joel Galenson
60575233bc Disallow most domains from getting dac_override and dac_read_search.
Instead of getting these permissions, it is better to add the process
to a group or change the permissions of the files it tries to access.

Test: Built the policy for many devices.
Change-Id: If023d98bcc479bebbedeedf525965ffb17a0e331
2018-01-31 08:45:03 -08:00
Bowgo Tsai
3506ad3f31 Using a python script to build sepolicy
Current sepolicy CIL files are built by several command-line tools
in Android.mk. This change extracts some of the build logic into a
python script to relief the effort in Android.mk.

The first command is `build_sepolicy build_cil`. It's possible to add
more sub-commands under the build_sepolicy script in the future.

Bug: 64240127
Test: build and boot a device
Test: checks the content of $OUT/vendor/etc/selinux/vendor_sepolicy.cil
      is the same as before
Change-Id: I0b64f1088f413172e97b579b4f7799fa392762df
2018-01-31 14:37:47 +08:00
Bowgo Tsai
9aa8496fc9 Renames nonplat_* to vendor_*
This change renames the non-platform sepolicy files on a DUT from
nonplat_* to vendor_*.

It also splits the versioned platform sepolicy from vendor_sepolicy.cil
to a new file /vendor/etc/selinux/plat_pub_versioned.cil. And only keeps
vendor customizations in vendor_sepolicy.cil.

Build variable BOARD_SEPOLICY_DIRS is also renamed to
BOARD_VENDOR_SEPOLICY_DIRS.

Bug: 64240127
Test: boot an existing device
Change-Id: Iea87a502bc6191cfaf8a2201f29e4a2add4ba7bf
2018-01-31 14:37:39 +08:00
Treehugger Robot
6a12458fe4 Merge "Allow input system access to /dev/v4l-touchX" 2018-01-31 05:14:24 +00:00
Jaekyun Seok
5205905568 Add neverallow rules to restrict reading radio_prop
This CL will allow only specific components to read radio_prop.

Bug: 72459527
Test: tested with walleye
Change-Id: I6b6c90870987de976187ff675005c5d964b48cda
2018-01-31 13:23:08 +09:00
Treehugger Robot
fd6709c0ab Merge changes from topic "label_core_data"
* changes:
  Correctly label data types
  Test that /data is properly labeled
2018-01-31 03:56:04 +00:00
Siarhei Vishniakou
36a3df44ec Allow input system access to /dev/v4l-touchX
Bug: 62940136
Test: read /dev/v4l-touchX from inputflinger

Change-Id: Ifcece4192c567e0cbaba1b7ad40d25c8f34f8e40
2018-01-31 02:10:32 +00:00
Yin-Chia Yeh
746c61f015 Camera: sepolicy for external camera
Allow external camera HAL to monitor video device add/removal.

Bug: 64874137
Change-Id: I1a3116a220df63c0aabb3c9afd7450552e6cd417
2018-01-30 16:27:47 -08:00
Joel Galenson
26ccebd74a Clean up bug_map.
Remove bugs that have been fixed, re-map duped bugs, and alphabetize
the list.

Test: Booted Walleye and Sailfish, tested wifi and camera, and
observed no new denials.

Change-Id: I94627d532ea13f623fe29cf259dd404bfd850c13
2018-01-30 15:01:54 -08:00
Chenbo Feng
fad0b04de1 Remove app access to qtaguid ctrl/stats file
Remove the untrusted apps and priviledged apps from the group that can
directly access xt_qtaguid module related file. All apps that need to
access app network usage data need to use the public API provided in
framework.

Test: Flashed with master branch on marlin, verified phone boot, can
      browse web, watch youtube video, make phone call and use google
      map for navigation with either wifi is on or off.
      run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
      run cts -m CtsNativeNetTestCases
Bug: 68774956 30950746

Change-Id: I9b3db819d6622611d5b512ef821abb4c28d6c9eb
2018-01-30 15:00:06 -08:00
Jeff Vander Stoep
8be8322b78 Correctly label data types
Data outside /data/vendor must have the core_data_file_type
attribute.

Test: build (this is a build time test)
Bug: 34980020
Change-Id: Ia727fcad813d5fcfbe8f714246364bae0bda43bd
Merged-In: Ibacfcc938deab40096b54b8d0e608d53ca91b947
2018-01-30 13:18:06 -08:00
Jeff Vander Stoep
ccf965e9ca Test that /data is properly labeled
Data outside of /data/vendor should have the core_data_file_type.
Exempt data_between_core_and_vendor for some types.

Ensure core_data_file_type and coredomain_socket do not get expanded
to their underlying types.

Test: build sepolicy for all targets in master (this is a build time
    test)
Bug: 34980020
Change-Id: I59387a87875f4603a001fb03f22fa31cae84bf5a
(cherry picked from commit bdd454792d)
2018-01-30 10:11:38 -08:00
Jeff Vander Stoep
be6489d1bf tools/build_policies.sh make tool executable
chmod +x

Test: build all sepolicy targets.
Change-Id: I9e47b78667e4a213c31ecce0e37fe7f84abd9655
2018-01-30 10:08:34 -08:00
Treehugger Robot
d0574f97d6 Merge "Allow Keystore to check security logging property." 2018-01-30 15:10:29 +00:00
Jeff Vander Stoep
e88d64944e priv_app: suppress denials for /proc/stat
Bug: 72668919
Test: build
Change-Id: Id156b40a572dc0dbfae4500865400939985949d9
2018-01-30 05:04:23 +00:00
Treehugger Robot
6b81d43537 Merge "Add a script to build multiple SELinux targets." 2018-01-30 02:49:25 +00:00
Ruchi Kandoi
6a60cb3e69 Merge "SE Policy for Secure Element app and Secure Element HAL" 2018-01-30 01:06:41 +00:00
Treehugger Robot
39ed6d6918 Merge "Track usbd SELinux denial." 2018-01-30 00:35:35 +00:00
Joel Galenson
c17c5abe22 Add a script to build multiple SELinux targets.
This script will build the SELinux policy for multiple targets in parallel.

To use it, run:
./build_policies.sh <Android root directory> <output directory> [specific targets to build]

If you do not pass any individual targets, it will build all targets it can find.

It will print out the list of failing targets.  You can open up the corresponding log file in the output directory to see the exact errors.

This script is still a work in progress.  It currently cannot discover all build targets (it misses ones "lunch" does not list).

Bug: 33463570
Test: Ran script to build multiple targets with and without failures.
Change-Id: Iee8ccf4da38e5eb7ce2034431613fe10c65696ab
2018-01-29 15:48:15 -08:00
Ruchi Kandoi
8a2b4a783e SE Policy for Secure Element app and Secure Element HAL
Test: App startup on boot
Change-Id: I7740aafc088aadf676328e3f1bb8db5175d97102
2018-01-29 21:31:42 +00:00
Primiano Tucci
426b1b468b Merge "SELinux policies for Perfetto cmdline client (/system/bin/perfetto)" 2018-01-29 19:41:06 +00:00
Joel Galenson
07efe37c5f Track usbd SELinux denial.
This should fix presubmit tests.

Bug: 72472544
Test: Built policy.
Change-Id: I01f0fe3dc759db66005e26d15395893d494c4bb7
2018-01-29 10:39:34 -08:00
Treehugger Robot
eed08f6eff Merge "Track untrusted_app SELinux denial." 2018-01-29 18:37:36 +00:00
Treehugger Robot
de8c30d1d2 Merge "Fix compatible property neverallows" 2018-01-29 18:09:33 +00:00
Tom Cherry
9c778045b2 Remove vendor_init from coredomain
vendor_init exists on the system partition, but it is meant to be an
extention of init that runs with vendor permissions for executing
vendor scripts, therefore it is not meant to be in coredomain.

Bug: 62875318
Test: boot walleye
Merged-In: I01af5c9f8b198674b15b90620d02725a6e7c1da6
Change-Id: I01af5c9f8b198674b15b90620d02725a6e7c1da6
2018-01-29 18:07:41 +00:00
Treehugger Robot
03ba445326 Merge "Neverallow vendor_init from writing system_data_file" 2018-01-29 18:05:39 +00:00
Primiano Tucci
1a9f4f7a7a SELinux policies for Perfetto cmdline client (/system/bin/perfetto)
Instead of having statsd linking the perfetto client library
and talk directly to its socket, we let just statsd exec()
the /system/bin/perfetto cmdline client.

There are two reasons for this:
1) Simplify the interaction between statsd and perfetto, reduce
  dependencies, binary size bloat and isolate faults.
2) The cmdline client also takes care of handing the trace to
  Dropbox. This allows to expose the binder interaction surface
  to the short-lived cmdline client and avoid to grant binder
  access to the perfetto traced daemon.

This cmdline client will be used by:
 - statsd
 - the shell user (for our UI and Studio)

Bug: 70942310
Change-Id: I8cdde181481ad0a1a5cae5937ac446cedac54a1f
2018-01-29 11:06:00 +00:00
Joel Galenson
56345fdecd Track untrusted_app SELinux denial.
This should fix presubmit tests.

Bug: 72550646
Test: Built policy.
Change-Id: I51345468b7e74771bfa2958efc45a2a839c50283
2018-01-28 08:40:55 -08:00
Treehugger Robot
2c11ff5d2f Merge "Track crash_dump selinux denial." 2018-01-28 00:00:18 +00:00
Treehugger Robot
f340d9c0ea Merge "Sepolicy: Allow stack dumps of statsd" 2018-01-26 03:52:14 +00:00
Treehugger Robot
db8f5465ac Merge "Neverallow vendor_init from accessing stats_data_file" 2018-01-25 22:59:46 +00:00
Treehugger Robot
a5ac7a1310 Merge "OWNERS: add trong, remove klyubin" 2018-01-25 22:53:48 +00:00
Joel Galenson
6e705357c3 Track crash_dump selinux denial.
This should fix presubmit tests.

Bug: 72507494
Test: Built policy.
Change-Id: I56944d92232c7a715f0c88c13e24f65316805c39
2018-01-25 14:14:24 -08:00
Tom Cherry
d1dd6fcdee Neverallow vendor_init from writing system_data_file
This neverallow exception is not needed.

Bug: 62875318
Test: build walleye, bullhead
Change-Id: Ide37ef9fe7a0e1cc4a1809589f78052007698cf5
2018-01-25 13:52:45 -08:00
Jeff Vander Stoep
83814ec368 OWNERS: add trong, remove klyubin
Test: n/a
Change-Id: I7c46d5f984955f963b668fe8d978e68e6b7b9a83
2018-01-25 12:42:23 -08:00
Tom Cherry
c2653ae86d Neverallow vendor_init from accessing stats_data_file
The exception for vendor_init in this neverallow was never needed.

Bug: 62875318
Test: Build walleye, bullhead
Change-Id: Iac2b57df30b376492851d7520994e0400a87f1e1
2018-01-25 19:42:11 +00:00
Tom Cherry
eed2e84a95 Fix compatible property neverallows
The current neverallow rules for compatible properties restrict
domains from write file permissions to the various property files.
This however is the wrong restriction, since only init actually writes
to these property files.  The correct restriction is to restrict 'set'
for 'property_service' as this change does.

Note there is already a restriction preventing {domain -init} from
writing to these files in domain.te.

Test: build
Change-Id: I19e13b0d084a240185d0f3f5195e54065dc20e09
2018-01-25 10:35:50 -08:00
Joel Galenson
b050dccdd8 Suppress denials from idmap reading installd's files.
We are occasionally seeing the following SELinux denial:

avc: denied { read } for comm="idmap" path="/proc/947/mounts" scontext=u:r:idmap:s0 tcontext=u:r:installd:s0 tclass=file

This commit suppresses that exact denial.

We believe this is occurring when idmap is forked from installd, which is reading its mounts file in another thread.

Bug: 72444813
Test: Boot Walleye and test wifi and camera.
Change-Id: I3440e4b00c7e5a708b562a93b304aa726b6a3ab9
2018-01-25 10:07:19 -08:00
Andreas Gampe
7468db67f6 Sepolicy: Allow stack dumps of statsd
Allow dumpstate & system server watchdog to dump statsd stacks.

Bug: 72461610
Test: m
Change-Id: I4c3472881da253f85d54b5e5b767b06e2618af9c
2018-01-25 09:31:19 -08:00