Commit graph

41 commits

Author SHA1 Message Date
Todd Poynor
c3e9ff90d3 remove thermalcallback_hwservice
This hwservice isn't registered with hwservicemanager but rather passed
to the thermal hal, so it doesn't need sepolicy associated with it to
do so.

Test: manual: boot, inspect logs
Test: VtsHalThermalV1_1TargetTest
Bug: 109802374
Change-Id: Ifb727572bf8eebddc58deba6c0ce513008e01861
Merged-In: Ifb727572bf8eebddc58deba6c0ce513008e01861
(cherry picked from commit c6afcb7fc0)
2018-07-18 16:18:50 -07:00
Jeff Vander Stoep
0597ade15c Update socket ioctl restrictions
Grant access to icmp_socket to netdomain. This was previously
labeled as rawip_socket which apps are allowed to use. Neverallow
all other new socket types for apps.

Kernels versions > 4.9 redefine ICMP sockets from rawip_socket
to icmp_socket. To pass neverallow tests, we need to define
which IOCTLs are allowed (and disallowed).

Note that this does not change behavior on devices with
kernel versions <=4.9. However, it is necessary (although not
sufficient) to pass CTS on kernel version 4.14.

Bug: 110520616
Test: Grant icmp_socket in net.te and build.
Change-Id: I5c7cb6867d1a4cd1554a8da0d55daa8e06daf803
2018-06-22 05:35:07 +00:00
Mark Salyzyn
d6eaed854d access to /proc/slabinfo
init, dumpstate and shell

Test: check avc for init is now gone
Bug: 7232205
Bug: 109821005
Change-Id: I299a0ba29bcc97a97047f12a5c48f6056f5e6de5
2018-06-14 10:18:45 -07:00
Steven Moreland
7baf725ea6 mediacodec->mediacodec+hal_omx{,_server,_client}
(breaks vendor blobs, will have to be regenerated
after this CL)

This moves mediacodec to vendor so it is replaced with
hal_omx_server. The main benefit of this is that someone
can create their own implementation of mediacodec without
having to alter the one in the tree. mediacodec is still
seccomp enforced by CTS tests.

Fixes: 36375899
Test: (sanity) YouTube
Test: (sanity) camera pics + video
Test: check for denials
Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e
2018-05-30 18:12:32 +00:00
Pawin Vongmasa
19a74ec88a Put in sepolicies for Codec2.0 services
Test: Builds

Bug: 64121714
Bug: 31973802
Change-Id: Id37be8726a8bb297e35bca494964fdbcc48c6a73
(cherry picked from commit 4be2889477)
2018-05-04 21:36:41 +00:00
Jeff Vander Stoep
4d3ee1a5b6 Protect dropbox service data with selinux
Create a new label for /data/system/dropbox, and neverallow direct
access to anything other than init and system_server.

While all apps may write to the dropbox service, only apps with
android.permission.READ_LOGS, a signature|privileged|development
permission, may read them. Grant access to priv_app, system_app,
and platform_app, and neverallow access to all untrusted_apps.

Bug: 31681871
Test: atest CtsStatsdHostTestCases
Test: atest DropBoxTest
Test: atest ErrorsTests
Change-Id: Ice302b74b13c4d66e07b069c1cdac55954d9f5df
2018-04-18 19:53:03 +00:00
Jeff Sharkey
000cafc701 Add exFAT support; unify behind "sdcard_type".
We're adding support for OEMs to ship exFAT, which behaves identical
to vfat.  Some rules have been manually enumerating labels related
to these "public" volumes, so unify them all behind "sdcard_type".

Test: atest
Bug: 67822822
Change-Id: I09157fd1fc666ec5d98082c6e2cefce7c8d3ae56
2018-04-13 14:08:10 -06:00
Jeff Vander Stoep
3aa7ca56fd Add untrusted_app_27
This is a partial cherry pick of commit 6231b4d9
'Enforce per-app data protections for targetSdk 28+'.

Untrusted_app_27 remains unreachable, but it's existence
prevents future merge conflicts.

Bug: 63897054
Test: build/boot aosp_walleye-userdebug
Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
Merged-In: I64b013874fe87b55f47e817a1279e76ecf86b7c0
(cherry picked from commit 6231b4d9fc)
2018-04-03 12:25:51 -07:00
Jeff Vander Stoep
886aa54bab Improve neverallows on /proc and /sys
Access to these files was removed in Oreo. Enforce that access is not
granted by partners via neverallow rule.

Also disallow most untrusted app access to net.dns.* properties.

Bug: 77225170
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I85b634af509203393dd2d9311ab5d30c65f157c1
2018-03-28 15:56:36 -07:00
Andrew Scull
64f35fa01e authsecret HAL policies.
Bug: 71527305
Test: compile and boot
Change-Id: I91097bd62d99b8dd9eb6f53060badbaf0f4b8b4a
(cherry picked from commit 1aedf4b5f8)
2018-02-05 11:19:46 +00:00
Ruchi Kandoi
8a2b4a783e SE Policy for Secure Element app and Secure Element HAL
Test: App startup on boot
Change-Id: I7740aafc088aadf676328e3f1bb8db5175d97102
2018-01-29 21:31:42 +00:00
Janis Danisevskis
97c56bdd78 Added default policy for Confirmation UI HAL
Bug: 63928580
Test: Manually tested.

Change-Id: If6bb10cb7c009883d853e46dcdeb92cd33877d53
2018-01-24 10:22:40 -08:00
Dongwon Kang
1134bd001e Allow mediaextractor to load libraries from apk_data_file
This is an experimental feature only on userdebug and eng build.

Test: play MP4 file. install & uninstall media update apk.
Bug: 67908547
Change-Id: I513cdbfda962f00079e886b7a42f9928e81f6474
2018-01-23 11:21:11 -08:00
Michael Butler
ea331aa7b8 Allow applications to use NN API HAL services
The NeuralNetworks runtime is a library that communicates with
NeuralNetworks HIDL services and is linked by applications. To enable
the NN runtime to use these services, applications must have explicit
sepolicy permissions to find the NN services and communicate across
binder.

This CL relaxes neverallow rules for hal_neuralnetworks_*.

Because it is affecting pre-existing neverallow rules, this CL requires
a CTS rebuild.

Bug: 70340780
Test: mm
Test: ran neuralnetworks vts and cts binaries
Change-Id: I84f73ac77486681f91d1f8687268c0fa22a7ba0b
(cherry picked from commit 598870bebc4bb34542df81799b46f3cdcfb6723b)
2018-01-16 13:50:37 -08:00
Marissa Wall
80ee23f74a Restrict access to uid_concurrent_*_time
Do not let apps read uid_concurrent_active_time and
uid_concurrent_policy_time.

b/68399339

Test: Check that they can't be read from the shell
    without root permissions and system_server was able
    to read them

Change-Id: I6f09ef608607cb9f4084ba403a1e7254b8c49a06
2017-12-12 19:19:04 +00:00
Jeff Vander Stoep
06cef4ff15 Neverallow write access to /sys files for untrusted apps
Test: build aosp_sailfish
Change-Id: Iaefe1df66885d3e78feb600c3d9845bd9fe671a2
2017-10-12 05:04:59 +00:00
Tri Vo
464f59ae10 Extend access to proc/asound/*
Renamed this type:
proc_asound_cards -> proc_asound

Labeled /proc/asound/devices as proc_asound.

We now use proc_asound type to label files under /proc/asound which we
want to expose to system components.

Bug: 66988327
Test: Pixel 2 boots, can play sound with or without headphones, and
selinux denials to proc_asound are not seen.

Change-Id: I453d9bfdd70eb80931ec9e80f17c8fd0629db3d0
2017-10-06 10:29:03 -07:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Dan Cashman
317c4171d2 Remove neverallow preventing hwservice access for apps.
am: 3e307a4de5

Change-Id: I90e567c8138fa75bf792af181890d0af627b6f48
2017-06-21 21:37:32 +00:00
Dan Cashman
3e307a4de5 Remove neverallow preventing hwservice access for apps.
Same-process HALs are forbidden except for very specific HALs that have
been provided and whitelisted by AOSP.  As a result, a vendor extension
HAL may have a need to be accessed by untrusted_app.  This is still
discouraged, and the existing AOSP hwservices are still forbidden, but
remove the blanket prohibition.  Also indicate that this is temporary,
and that partners should expect to get exceptions to the rule into AOSP
in the future.

Bug: 62806062
Test: neverallow-only change builds.  Verify new attribute is in policy.
Change-Id: I6d3e659147d509a3503c2c9e0b6bb9016cc75832
2017-06-21 12:30:36 -07:00
Nick Kralevich
bd64d7fba8 Add untrusted_v2_app to all_untrusted_apps am: db5962cef5 am: eb710332cf
am: 16eb632a7f

Change-Id: Ifb5f7fd54973cf1de256404344bd8690a4f13c02
2017-04-27 01:08:25 +00:00
Nick Kralevich
db5962cef5 Add untrusted_v2_app to all_untrusted_apps
This was accidentally omitted from all_untrusted_app

While I'm here, split across mutiple lines and alphabetize.

Test: policy compiles.
Change-Id: I7fe1d1d0a4ef2ed3ab010931ee2ba15637c2be51
2017-04-26 16:19:47 -07:00
Nick Kralevich
7acd15174a Merge "relax fuse_device neverallow rules" into oc-dev
am: c78db706d4

Change-Id: I7b866f588980ebb068629e326155976629bf2223
2017-04-26 21:23:03 +00:00
TreeHugger Robot
c78db706d4 Merge "relax fuse_device neverallow rules" into oc-dev 2017-04-26 21:12:56 +00:00
Nick Kralevich
45766d4178 relax fuse_device neverallow rules
The fuse_device neverallow rules are too aggressive and are inhibiting
certain vendor customizations. Relax the /dev/fuse neverallow rules so
that they better reflect the security invariants we want to uphold.

Bug: 37496487
Test: policy compiles.
Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d
2017-04-26 11:43:40 -07:00
Alex Klyubin
cdcfb552ee Merge "Assert ban on framework <-> vendor comms over VndBinder" into oc-dev
am: a9d7b895da

Change-Id: I040a1874e3a08510d9b7c9a107a149845dd1976c
2017-04-26 04:51:44 +00:00
Alex Klyubin
00657834b8 Assert ban on framework <-> vendor comms over VndBinder
This adds neverallow rules which enforce the prohibition on
communication between framework and vendor components over VendorBinder.
This prohibition is similar in spirit to the one for Binder
communications.

Most changes consist of adding neverallow rules, which do not affect
runtime behavior. The only change which does affect runtime behavior
is the change which takes away the right of servicemanager domain to
transfer Binder tokens to hwservicemanager and vndservicemanager. This
grant was there by accident (because it was overly broad) and is not
expected to be needed: servicemanager, hwservicemanager, and
vndservicemanager are not supposed to be communicating with each
other.

P. S. The new neverallow rules in app_neverallows.te are covered by
the new rules in domain.te. The rules were nevertheless added to
app_neverallows.te for consistency with other *Binder rules there.

Test: mmm system/sepolicy
Bug: 37663632
Change-Id: I7c2ae23924bf0f2fed3f1e3a8d4d603129286329
2017-04-25 14:15:52 -07:00
Alex Klyubin
3b1307672c Merge "Assert untrusted apps can't add or list hwservicemanager" into oc-dev
am: f84989e519

Change-Id: I4391c7b44d495efadf39b8f14cfccfe2d966b419
2017-04-25 00:32:50 +00:00
Alex Klyubin
5c5b626358 Assert untrusted apps can't add or list hwservicemanager
This adds a neverallow rules which checks that SELinux app domains
which host arbitrary code are not allowed to access hwservicemanager
operations other than "find" operation for which there already are
strict neverallow rules in the policy.

Test: mmm system/sepolicy -- neverallow-only change
Bug: 34454312
Change-Id: I3b80c6ae2c254495704e0409e0c5c88f6ce3a6a7
2017-04-24 15:11:13 -07:00
Alex Klyubin
7b021be44b Assert apps can access only approved HwBinder services
am: 2a7f4fb069

Change-Id: Ia77557e2ef5aa124cb0d4a9e5f05300005a97bfd
2017-04-24 21:06:22 +00:00
Alex Klyubin
2a7f4fb069 Assert apps can access only approved HwBinder services
App domains which host arbitrary code must not have access to
arbitrary HwBinder services. Such access unnecessarily increases the
attack surface. The reason is twofold:
1. HwBinder servers do not perform client authentication because HIDL
   currently does not expose caller UID information and, even if it
   did, many HwBinder services either operate at a layer below that of
   apps (e.g., HALs) or must not rely on app identity for
   authorization. Thus, to be safe, the default assumption is that
   a HwBinder service treats all its clients as equally authorized to
   perform operations offered by the service.
2. HAL servers (a subset of HwBinder services) contain code with
   higher incidence rate of security issues than system/core
   components and have access to lower layes of the stack (all the way
   down to hardware) thus increasing opportunities for bypassing the
   Android security model.

HwBinder services offered by core components (as opposed to vendor
components) are considered safer because of point #2 above.

Always same-process aka always-passthrough HwBinder services are
considered safe for access by these apps. This is because these HALs
by definition do not offer any additional access beyond what its
client already as, because these services run in the process of the
client.

This commit thus introduces these two categories of HwBinder services
in neverallow rules.

Test: mmm system/sepolicy -- this does not change on-device policy
Bug: 34454312
Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d
2017-04-24 10:15:31 -07:00
Sandeep Patil
061174fb23 Merge "Do not allow untrusted apps any access to kernel configuration" into oc-dev
am: 393c8e9438

Change-Id: I82e1a41e1bd5c9195b5c4c21e7aa0848bc270ee5
2017-04-21 20:31:07 +00:00
Sandeep Patil
2da9cfdff7 Do not allow untrusted apps any access to kernel configuration
Bug: 37541374
Test: Build and boot sailfish

Change-Id: I8afe9463070cca45b3f1029cc168a3bf00ed7cdc
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-21 11:27:11 -07:00
Jerry Zhang
9f152d98ea Split mediaprovider as a separate domain from priv_app
MediaProvider requires permissions that diverge from those
of a typical priv_app. This create a new domain and removes
Mtp related permissions from priv_app.

Bug: 33574909
Test: Connect with MTP, download apps and files, select ringtones
Test: DownloadProvider instrument tests, CtsProviderTestCases

Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9
2017-04-17 15:30:35 -07:00
Nick Kralevich
92c44a578c app.te: prevent locks of files on /system
Prevent app domains (processes spawned by zygote) from acquiring
locks on files in /system. In particular, /system/etc/xtables.lock
must never be lockable by applications, as it will block future
iptables commands from running.

Test: device boots and no obvious problems.
Change-Id: Ifd8dc7b117cf4a622b30fd4fffbcab1b76c4421b
2017-03-22 10:35:24 -07:00
Fyodor Kupolov
b238fe6662 Split preloads into media_file and data_file
Untrusted apps should only access /data/preloads/media and demo directory.

Bug: 36197686
Test: Verified retail mode.
      Checked non-privileged APK cannot access /data/preloads
Change-Id: I8e9c21ff6aba799aa31bf06893cdf60dafc04446
2017-03-15 00:49:37 +00:00
Calin Juravle
2b291121b9 SElinux: Clean up code related to foreign dex use
We simplified the way we track whether or not a dex file is used by
other apps. DexManager in the framework keeps track of the data and we
no longer need file markers on disk.

Test: device boots, foreign dex markers are not created anymore

Bug: 32871170
Change-Id: I464ed6b09439cf0342020ee07596f9aa8ae53b62
2017-03-07 10:59:26 -08:00
Chad Brubaker
a782a81627 Add new untrusted_v2_app domain
untrusted_v2_app is basically a refinement of untrusted_app with legacy
capabilities removed and potentially backwards incompatible changes.

This is not currently hooked up to anything.

Bug: 33350220
Test: builds
Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-21 12:39:55 -08:00
Jeff Vander Stoep
bacb6d7936 untrusted_app: policy versioning based on targetSdkVersion
Motivation:
Provide the ability to phase in new security policies by
applying them to apps with a minimum targetSdkVersion.

Place untrusted apps with targetSdkVersion<=25 into the
untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed
into the untrusted_app domain. Common rules are included in the
untrusted_app_all attribute. Apps with a more recent targetSdkVersion
are granted fewer permissions.

Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25
run in untrusted_app_25 domain. Apps targeting the current development
build >=26 run in the untrusted_app domain with fewer permissions. No
new denials observed during testing.
Bug: 34115651
Bug: 35323421
Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083
2017-02-14 13:30:12 -08:00
Stephen Smalley
4921085d9c Remove obsolete netlink_firewall_socket and netlink_ip6fw_socket classes.
The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols
was removed from the kernel in commit
d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue
support") circa Linux 3.5.  Unless we need to retain compatibility
for kernels < 3.5, we can drop these classes from the policy altogether.

Possibly the neverallow rule in app.te should be augmented to include
the newer netlink security classes, similar to webview_zygote, but
that can be a separate change.

Test: policy builds

Change-Id: Iab9389eb59c96772e5fa87c71d0afc86fe99bb6b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-02-06 14:24:41 -05:00
Chad Brubaker
46e5a060f6 Move neverallows from untrusted_app.te to app_neverallows.te
The neverallows in untrusted_app will all apply equally to ephemeral app
and any other untrusted app domains we may add, so this moves them to a
dedicated separate file.

This also removes the duplicate rules from isolated_app.te and ensures
that all the untrusted_app neverallows also apply to isolated_app.

Test: builds
Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-02-06 10:16:50 -08:00