Move wifi services out of system_server into a separate APK/process.
Changes:
a) Created sepolicy for the new wifi apk.
b) The new APK will run with network_stack uid (eventually will be moved
to the same process).
Used 'audit2allow' tool to gather list of permissions required.
Note: The existing wifi related permissions in system_server is left
behind to allow the module to be loaded into system_server or
network_stack process depending on device configuration.
Bug: 113174748
Test: Device boots up and able to make wifi connection.
Test: Tested hotspot functionality.
Test: Ran WifiManagerTest & WifiSoftApTest ACTS tests locally.
Test: Will send for wifi regression tests.
Change-Id: Id19643a235bf0c28238f2729926b893ac2025b97
(cherry-picked from c7aa90091e6bec70a31a643cc4519a9a86fb0b38)
Clatd is effectively an internal implementation detail of netd.
It exists as a separate daemon only because this gives us a better
security boundary. Netd is it's only launcher (via fork/exec) and
killer.
Generated via:
{ echo; cat public/clatd.te; echo; } >> private/clatd.te
rm -f public/clatd.te
plus a minor edit to put coredomain after clatd type declaration
and required changes to move netd's clatd use out of public into private.
Test: build and install on non-aosp test device, atest, check for selinux clat denials
Change-Id: I80f110b75828f3657986e64650ef9e0f9877a07c
bpf programs/maps are now loaded by the bpfloader, not netd
Test: built/installed on crosshatch which uses eBPF - no avc denials
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1ebd82e6730d62d1966da3c4634ecd78ce703543
Allow netd to send network events to the NetworkStack, and allow the
NetworkStack to interact with netlink_route_socket for neighbor
monitoring.
Test: built, booted, WiFi works, no more violations
Bug: 112869080
Change-Id: If212b2897e37e9d249f81ba8139461bce461528e
For experiment flag testing, we add a flag netd and have
SEPolicy updates.
Test: add sepolicy, m -j, check GetServerConfigurableFlag function in netd
Bug:122050512
Change-Id: I21c844c277afc358085d80447f16e4c0d4eba5b3
Recent change in netd and bpfloader switched the creater of bpf maps
from netd to bpfloader. Change the rules related to it to make sure it
doesn't fail.
Test: dumpsys netd trafficcontroller
Bug: 112334572
Change-Id: I016ff68b58ef7b12bdfdebc2fd178be1d0206a62
The networking stack app hosts services that used to be in the system
server (IpClient, NetworkMonitor for now), but in a different process to
be packaged as a mainline module.
Test: booted, verified networking stack working when in app
Change-Id: I300a556f51b35c17378af961cea1ec937444e597
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.
Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.
Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order
of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of
dac_override and dac_read_search checks. Domains that have dac_override
will now generate spurious denials for dac_read_search unless they also
have that permission. Since dac_override is a strict superset of
dac_read_search, grant dac_read_search to all domains that already have
dac_override to get rid of the denials.
Bug: 114280985
Bug: crbug.com/877588
Test: Booted on a device running 4.14.
Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.
This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.
This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:
-user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
For now, this newly introduced label has no usage, so this change
is essentially a no-op.
Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
filesystem upgrade.
Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.
To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.
Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
navigate maps, send text message, make voice call, make video call.
Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest
Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f)
dumpstate needs to read all the system properties for debugging.
Bug: 77277669
Test: succeeded building and tested with taimen
Change-Id: I3603854b3be67d4fc55d74f7925a21bfa59c81ee
Add a new set of sepolicy for the process that only netd use to load
and run ebpf programs. It is the only process that can load eBPF
programs into the kernel and is only used to do that. Add some
neverallow rules regarding which processes have access to bpf objects.
Test: program successfully loaded and pinned at sys/fs/bpf after device
boot. No selinux violation for bpfloader
Bug: 30950746
Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f
This reverts commit 640e595a68. The
corresponding code in libcutils was removed, so this is now unneeded.
Bug: 71632076
Test: aosp_sailfish still works
Change-Id: I615bab83e9a83bc14439b8ab90c00d3156b0a7c4
Add the new classes for eBPF map and program to limit the access to eBPF
object. Add corresponding rules to allow netd module initialize bpf
programs and maps, use the program and read/wirte to eBPF maps.
Test: no bpf sepolicy violations when device boot
Change-Id: I63c35cd60f1972d4fb36ef2408da8d5f2246f7fd
Some necessary sepolicy rule changes for init process to create directory,
mount cgroupv2 module and mount bpf filesystem. Also allow netd to create
and pin bpf object as files and read it back from file under the
directory where bpf filesystem is mounted.
Test: bpf maps show up under /sys/fs/bpf/
Change-Id: I579d04f60d7e20bd800d970cd28cd39fda9d20a0
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.
This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.
This is essentially:
1. New global_capability_class_set and global_capability2_class_set
that match capability+cap_userns and capability2+cap2_userns,
respectively.
2. s/self:capability/self:global_capability_class_set/g
3. s/self:capability2/self:global_capability2_class_set/g
4. Add cap_userns and cap2_userns to the existing capability_class_set
so that it covers all capabilities. This set was used by several
neverallow and dontaudit rules, and I confirmed that the new
classes are still appropriate.
Test: diff new policy against old and confirm that all new rules add
only cap_userns or cap2_userns;
Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831
Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
After move qtaguid control interface into netd. Netd need to open the
xt_qtaguid resource tracking misc dev to make sure xt_qtaguid module is
successfully initialized before taking action. This selinux rule change
allows netd to do so and it is the same privilege normal apps currently
have.
Test: No more selinux denials on netd access qtaguid_device
Bug: 30950746
Change-Id: I79a98bbda3f3fdb85140a06a7532cdcc4354c518
Since all qtaguid related userspace implementation are moved into netd
and will use netd to choose which module to run at run time. Netd module
should be the only process can directly read/write to the ctrl file of
qtaguid located at /proc/net/xt_qtaguid/ctrl. This sepolicy change grant
netd the privilege to access qtaguid proc files. It also grant netd the
permission to control trigger to turn on and off qtaguid module by write
parameters to files under sys_fs. The file and directory related is
properly labled.
Bug: 68774956
Bug: 30950746
Test: qtaguid function still working after the native function is
redirected.
Change-Id: Ia6db6f16ecbf8c58f631c79c9b4893ecf2cc607b
Bug: 62378620
Test: Android in Chrome OS can call uevent_kernel_recv() and not fail
with EIO.
Test: bullhead networking still works
Change-Id: I4dd5d2148ee1704c4fa23d7fd82d1ade19b58cbd
Remove netd access to sysfs_type attribute.
These were moved from vendor to fwk policy:
1. sysfs_net type declaration
2. labeling of /sys/devices/virtual/net with sysfs_net
3. netd access to sysfs_net
Bug: 65643247
Test: can browse internet without netd denials
Test: netd_unit_test, netd_integration_test without netd denials
Merged-In: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
Change-Id: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
(cherry picked from commit e62a56b717)
Relax neverallow rule restricting binder access to/from netd so that
netd can export hwbinder services to vendor components.
Continue to disallow app access to netd via binder.
Bug: 36682246
Test: build
Change-Id: I8e558ea1add6c36b966ec1da204062ea82df3f3f
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.
Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
permissions.
Merged-In: I31beeb5bdf3885195310b086c1af3432dc6a349b
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
(cherry picked from commit 76aab82cb3)
This was previously relying on domain_deprecated rules deleted in
change I588a1e7ea7ef984907b79a5a391efb2dcd6e6431.
Bug: 28760354
Test: unbreaks networking on AOSP bullhead
Change-Id: I873e1f08f72104dee7509e45b1db0b284ca56085
This change must only be submitted when device-specific policies
have been reverted.
This reverts commit 07e631d2e0.
Bug: 17613910
Test: builds
Change-Id: Ie33e293107bf1eba2498f2422d941544c76b8cad
Merged-In: I356c39a5dc955b3d7c28d8c7baf2887a17beb272
This change did not make it into core sepolicy in time for O.
The revert allows devices to define these selinux policies in
vendor-specific sepolicy instead of core sepolicy. It is
necessary because:
1. It is too late to change property_contexts in O.
2. Adding the netd_stable_secret prop to vendor sepolicy results
in a duplicate definition error at compile time.
3. Defining a new vendor-specific context (such as
net_stable_secret_vendor_prop) and applying it to
persist.netd.stable_secret results in the device not booting
due to attempting to apply two different contexts to the same
property.
Lack of the sepolicy no longer breaks wifi connectivity now that
IpManager no longer considers failure to set the stable secret to
be a fatal error.
Once all interested devices have adopted the vendor sepolicy,
this policy can safely be reinstated by reverting said vendor
sepolicies in internal master.
This reverts commit abb1ba6532.
Bug: 17613910
Test: bullhead builds, boots, connects to wifi
Change-Id: Idffcf78491171c54bca9f93cb920eab9b1c47709
This is used to persist RFC 7217 stable secrets across device reboots.
First submit caused a merge conflict. This revision replaces netd_prop
with a more unique name netd_stable_secret_prop.
Test: as follows
- Manually tested that stable_secret is generated on first use and
persists until reset of user data partition (factory reset).
- Tested that "adb shell getprop" was denied access to
persist.netd.stable_secret after running "adb unroot".
Bug: 17613910
Change-Id: I0a609c724799a15b1926e62534c16810d34f2275
This broke the build on master. See b/17613910#comment17
for details.
This reverts commit ef1fd98b6a.
Change-Id: I11f7d463061a9b6340c11827135586266e26f016
This is used to persist RFC 7217 stable secrets across device reboots.
Test: as follows
- Manually tested that stable_secret is generated on first use and
persists until reset of user data partition (factory reset).
- Tested that "adb shell getprop" was denied access to
persist.netd.stable_secret after running "adb unroot".
Bug: 17613910
Change-Id: I4dad00fb189d697aceaffae49ad63987c7e45054
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.
Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
permissions.
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
Relabeling /vendor and /system/vendor to vendor_file removed
previously granted permissions. Restore these for non-treble devices.
Addresses:
avc: denied { execute_no_trans } for pid=2944 comm="dumpstate"
path="/system/vendor/bin/wpa_cli" dev="mmcblk0p10" ino=1929
scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_file:s0
tclass=file
And potentially some other bugs that have yet to surface.
Bug: 37105075
Test: build Fugu
Change-Id: I8e7bd9c33819bf8206f7c110cbce72366afbcef8
Remove system_file:file { lock ioctl } from domain_deprecated. The only
domains triggering this were dex2oat and netd, which are fixed in this
change.
Addresses the following logspam similar to:
avc: granted { lock } for comm="iptables"
path="/system/etc/xtables.lock" dev="sda22" ino=3745
scontext=u:r:netd:s0 tcontext=u:object_r:system_file:s0 tclass=file
avc: granted { lock } for comm="dex2oat"
path="/system/framework/arm/boot-okhttp.art" dev="dm-0" ino=1295
scontext=u:r:dex2oat:s0 tcontext=u:object_r:system_file:s0 tclass=file
Test: device boots and no obvious problems.
Bug: 28760354
Bug: 36879751
Change-Id: Iac851c0e49a52ce4000fdfe16e68c17ff819693f
In order to perform XFRM operations NetD needs the
ability to both read and write Netlink XFRM messages.
Bug: 34811756
Test: 34812052
Change-Id: I26831c58b24a4c1f344b113f0b5cf47ed2c93fee
(cherry picked from commit 7eb3dd3b02)
In order to perform XFRM operations NetD needs the
ability to both read and write Netlink XFRM messages.
Bug: 34811756
Test: 34812052
Change-Id: I26831c58b24a4c1f344b113f0b5cf47ed2c93fee
No SELinux domains can create dccp_socket instances, so it doesn't make
any sense to allow netd to minipulate already-open dccp sockets.
Bug: 35784697
Test: policy compiles.
Change-Id: I189844462cbab58ed58c24fbad6a392f6b035815
