Commit graph

30 commits

Author SHA1 Message Date
Felka Chang
1eb2669218 Fix mediaserver meets the void fd use denied
scenario: droid.apps.docs: type=1400 audit(0.0:77): avc: denied {
use } for path="/mnt/appfuse/10028_6/9" dev="fuse" ino=9
scontext=u:r:mediaserver:s0 tcontext=u:r:vold:s0 tclass=fd permissive=0

root cause: DocumentsUI provides ArchiveProvider to browse the entries
in archive files by using StorageManager.openProxyFileDescriptor.
i.e. the file descriptor comes from the archive entries is belong to
the void fd.  The file descriptor is used by mediaserver but
mediaserver doesn't have the permission to use the file descriptor.

Fixes: 120491318
Test: build, flash, manual test
Change-Id: Ibaf9a625c7b68c3f1977fcaddd6c7d5419352f93
2019-03-22 22:41:49 +08:00
Jeff Vander Stoep
41a2abfc0d Properly Treble-ize tmpfs access
This is being done in preparation for the migration from ashmem to
memfd. In order for tmpfs objects to be usable across the Treble
boundary, they need to be declared in public policy whereas, they're
currently all declared in private policy as part of the
tmpfs_domain() macro. Remove the type declaration from the
macro, and remove tmpfs_domain() from the init_daemon_domain() macro
to avoid having to declare the *_tmpfs types for all init launched
domains. tmpfs is mostly used by apps and the media frameworks.

Bug: 122854450
Test: Boot Taimen and blueline. Watch videos, make phone calls, browse
internet, send text, install angry birds...play angry birds, keep
playing angry birds...

Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358
Merged-In: I20a47d2bb22e61b16187015c7bc7ca10accf6358
(cherry picked from commit e16fb9109c)
2019-01-26 17:30:41 +00:00
Zheng Zhang
a26763ecb6 Allow mediaserver domain have getatrr perm on vendor_app_file
When running some apps in vendor partition, it report denials like:

avc: denied { getattr } for comm="Binder:901_2" path="/vendor/operator/app/Wechat/Wechat.apk" dev="sde14" ino=1707 scontext=u:r:mediaserver:s0 tcontext=u:object_r:vendor_app_file:s0 tclass=file permissive=0
2018-10-18 03:10:52 +00:00
Nick Kralevich
5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00
Jeff Vander Stoep
0b67bb88e5 Further lock down app data
Assert that only apps and installd may open private app files.

Remove "open" permission for mediaserver/vold and remove their
neverallow exemption.

Test: verify no related audit messages in the logs.
Test: build
Fixes: 80300620
Fixes: 80418809
Bug: 80190017
Change-Id: If0c1862a273af1fedd8898f334c9b0aa6b9be728
2018-09-22 22:38:42 -07:00
Zheng Zhang
cc82d194bd Limit mediaserver access to vendor_app_file
mediaserver is receiving a file passed as a file descriptor. Just read
and map is enough, and open should not be allowed for mediaserver.

Bug: 78436043
2018-08-17 16:15:09 -07:00
Nick Kralevich
23c9d91b46 Start partitioning off privapp_data_file from app_data_file
Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.

This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.

This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:

  -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
  +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user

For now, this newly introduced label has no usage, so this change
is essentially a no-op.

Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
      filesystem upgrade.

Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-02 16:29:02 -07:00
Steven Moreland
7baf725ea6 mediacodec->mediacodec+hal_omx{,_server,_client}
(breaks vendor blobs, will have to be regenerated
after this CL)

This moves mediacodec to vendor so it is replaced with
hal_omx_server. The main benefit of this is that someone
can create their own implementation of mediacodec without
having to alter the one in the tree. mediacodec is still
seccomp enforced by CTS tests.

Fixes: 36375899
Test: (sanity) YouTube
Test: (sanity) camera pics + video
Test: check for denials
Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e
2018-05-30 18:12:32 +00:00
Jeff Vander Stoep
ab82125fc8 Improve tests protecting private app data
In particular, add assertions limiting which processes may
directly open files owned by apps. Reduce this to just apps, init,
and installd. App data is protected by a combination of selinux
permissions and Unix permissions, so limiting the open permission to
just apps (which are not allowed to have CAP_DAC_OVERRIDE or
CAP_DAC_READ_SEARCH) ensures that only installd and init have
complete access an app's private directory.

In addition to apps/init/installd, other processes currently granted
open are mediaserver, uncrypt, and vold. Uncrypt's access appears to
be deprecated (b/80299612). Uncrypt now uses /data/ota_package
instead. b/80418809 and b/80300620 track removal for vold and
mediaserver.

Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit
messages in the logs.
Bug: 80190017
Bug: 80300620
Bug: 80418809
Fixes: 80299612
Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 13:47:49 -07:00
Zheng Zhang
3623c2b6c0 Allow mediaserver to access vendor_app_file
Currently, when vendor APK try to use MediaPlayer to play its audio
resource, it would fail due to this neverallow rules.

avc: denied { read } for path="/vendor/app/TicFitness/TicFitness.apk" dev="dm-1" ino=183 scontext=u:r:mediaserver:s0 tcontext=u:object_r:vendor_app_file:s0 tclass=file permissive=0

Bug: 78436043
Change-Id: Id910184c16955f9e4e4c8d3bb6eca2253ab59063
2018-04-25 06:00:59 +00:00
Jeff Vander Stoep
0d1e52a50f Remove deprecated tagSocket() permissions
tagSocket() now results in netd performing these actions on behalf
of the calling process.

Remove direct access to:
/dev/xt_qtaguid
/proc/net/xt_qtaguid/ctrl

Bug: 68774956
Test: -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AppSecurityTests
    -m CtsNativeNetTestCases
Test: stream youtube, browse chrome
Test: go/manual-ab-ota
Change-Id: I6a044f304c3ec4e7c6043aebeb1ae63c9c5a0beb
2018-04-03 13:56:58 +00:00
Tri Vo
2ea12cd345 mediaserver: remove access to 'sysfs' type.
Bug: 65643247
Test: cts-tradefed run cts-dev -m \
CtsMediaTestCases --compatibility:module-arg \
CtsMediaTestCases:include-annotation:\
android.platform.test.annotations.RequiresDevice
No denials from mediaserver domain to sysfs type are observed.
Change-Id: Icb5c12f04af213452d82e226993fe13085c5c33f
2017-11-16 17:34:14 -08:00
Hassan Shojania
a91e3e8294 Allow mediaserver to access fd allocated by hal_graphics_composer
Bug:  37713584
Test: With GtsMediaTestCases.apk installed, try:
      adb shell am instrument -w
      -e class 'com.google.android.media.gts.MediaPlayerTest#testLLAMA_H264_BASELINE_240P_800_DOWNLOADED_V0_SYNC'
      'com.google.android.media.gts/android.support.test.runner.AndroidJUnitRunner'

Change-Id: Icc2066e9d9bbc5c020b6d694e9627487771ef35e
2017-04-28 17:55:20 -07:00
Alex Klyubin
53656c1742 Restrict access to hwservicemanager
This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494f1)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-21 09:54:53 -07:00
Martijn Coenen
fc80f48082 Remove mediacodec from binder violators.
The new binder_call() lines had to be added
because this change removes mediacodec from
binderservicedomain (on full-treble), hence
domains that could previously reach mediacodec
with binder_call(domain, binderservicedomain)
now need explicit calls instead.

Test: Youtube, Netflix, Maps, Chrome, Music
Change-Id: I3325ce20d9304bc07659fd435554cbcbacbc9829
2017-04-15 21:48:56 -07:00
Amit Mahajan
8b080ee260 rild does not communicate with BT/system_server/mediaserver over sockets
Test: manual (verified no denials in basic telephony operations)
Bug: 36613472
Change-Id: I31274adee2cb6293102446cd2d6d547c50616836
2017-04-04 14:04:49 -07:00
Alex Klyubin
f86d54f0d1 No access to tee domain over Unix domain sockets
The tee domain is a vendor domain. Thus it cannot be accessed by
non-vendor components over Unix domain sockets.

It appears that the rules granting this access are not needed.

Test: Flash a clean build with this change. Confirm that bullhead,
      angler, sailfish, ryu, boot without new denials.
      Confirm that YouTube, Netflix, Google Play Movies play back
      videos without new denials.
Bug: 36714625
Bug: 36715266

Change-Id: I639cecd07c9a3cfb257e62622b51b7823613472a
2017-04-03 11:26:01 -07:00
Alex Klyubin
7cda44f49f Mark all clients of Allocator HAL
This change associates all domains which are clients of Allocator HAL
with hal_allocator_client and the, required for all HAL client
domains, halclientdomain.

This enables this commit to remove the now unnecessary hwallocator_use
macro because its binder_call(..., hal_allocator_server) is covered by
binder_call(hal_allocator_client, hal_allocator_server) added in this
commit.

Unfortunately apps, except isolated app, are clients of Allocator HAL
as well. This makes it hard to use the hal_client_domain(...,
hal_allocator) macro because it translates into "typeattribute" which
currently does not support being provided with a set of types, such as
{ appdomain -isolated_app }. As a workaround, hopefully until
typeattribute is improved, this commit expresses the necessary
association operation in CIL. private/technical_debt.cil introduced by
this commit is appended into the platform policy CIL file, thus
ensuring that the hack has effect on the final monolithic policy.

P. S. This change also removes Allocator HAL access from isolated_app.
Isolated app shouldn't have access to this HAL anyway.

Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
      successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: Id00bba6fde83e7cf04fb58bc1c353c2f66333f92
2017-03-24 13:54:43 -07:00
Steven Moreland
d3ce5dc38c Allow hals to read hwservicemanager prop.
Test: no relevant denials on marlin while booting
Test: no relevant denials on angler while booting
Bug: 36278706
Change-Id: Ieba79e1c8fca4f74c63bc63e6dd0bdcf59204ca2
2017-03-23 01:50:50 +00:00
Fyodor Kupolov
b238fe6662 Split preloads into media_file and data_file
Untrusted apps should only access /data/preloads/media and demo directory.

Bug: 36197686
Test: Verified retail mode.
      Checked non-privileged APK cannot access /data/preloads
Change-Id: I8e9c21ff6aba799aa31bf06893cdf60dafc04446
2017-03-15 00:49:37 +00:00
Yin-Chia Yeh
6824dfd773 Camera: hal_camera FD access update
Add FD accessing rules related to media,gralloc and ashmem.
Also move a few rules to where they belong.

Change-Id: I0bff6f86665a8a049bd767486275740fa369da3d
2017-03-05 14:34:25 -08:00
Pawin Vongmasa
5559d21aa5 Sepolicy for OMX hal.
Bug: 31399200
Test: Compiles
Change-Id: Ifb347a985df5deb85426a54c435c4a9c0248cb57
2017-02-11 00:12:00 -08:00
William Roberts
606d2fd665 te_macros: introduce add_service() macro
Introduce the add_service() macro which wraps up add/find
permissions for the source domain with a neverallow preventing
others from adding it. Only a particular domain should
add a particular service.

Use the add_service() macro to automatically add a neverallow
that prevents other domains from adding the service.

mediadrmserver was adding services labeled mediaserver_service.
Drop the add permission as it should just need the find
permission.

Additionally, the macro adds the { add find } permission which
causes some existing neverallow's to assert. Adjust those
neverallow's so "self" can always find.

Test: compile and run on hikey and emulator. No new denials were
found, and all services, where applicable, seem to be running OK.

Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-01-26 04:43:16 +00:00
Hassan Shojania
8101bad7f2 Modular DRM for MediaPlayer
Bug:    34559906
Test:	Manual through the test app
Change-Id: Ib69d4fe6b0e21f162f08cea061260c683e4b8c9b
2017-01-25 12:26:37 -08:00
Ray Essick
391854000a rename mediaanalytics->mediametrics, wider access
reflect the change from "mediaanalytics" to "mediametrics"

Also incorporates a broader access to the service -- e.g. anyone.
This reflects that a number of metrics submissions come from application
space and not only from our controlled, trusted media related processes.
The metrics service (in another commit) checks on the source of any
incoming metrics data and limits what is allowed from unprivileged
clients.

Bug: 34615027
Test: clean build, service running and accessible
Change-Id: I657c343ea1faed536c3ee1940f1e7a178e813a42
2017-01-24 16:57:19 -08:00
Nick Kralevich
d5b6043f51 more ephemeral_app cleanup
As of https://android-review.googlesource.com/324092, ephemeral_app is
now an appdomain, so places where both appdomain and ephemeral_app are
granted the same set of rules can be deleted.

Test: policy compiles.
Change-Id: Ideee710ea47af7303e5eb3af1331653afa698415
2017-01-20 14:35:17 +00:00
Ray Essick
090f4a4d9f Allow access to mediaanalytics service
media framework analytics are gathered in a separate service.
define a context for this new service, allow various
media-related services and libraries to access this new service.

Bug: 30267133
Test: ran media CTS, watched for selinux denials.
Change-Id: I5aa5aaa5aa9e82465b8024f87ed32d6ba4db35ca
2016-12-03 00:06:20 +00:00
Chia-I Wu
dd958e5a21 Add sepolicy for gralloc-alloc HAL
Allow SurfaceFlinger to call into IAllocator, and allow everyone to access
IAllocator's fd.

Specifically,

hwbinder_use(...) for
avc: denied { call } for scontext=u:r:hal_graphics_allocator:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { transfer } for scontext=u:r:hal_graphics_allocator:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1

allow ... ion_device:chr_file r_file_perms for
avc: denied { read } for name="ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
avc: denied { open } for path="/dev/ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for path="/dev/ion" dev="tmpfs" ino=15014 ioctlcmd=4900 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1

allow ... gpu_device:chr_file rw_file_perms; for
avc: denied { read write } for name="kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { open } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 ioctlcmd=940 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1

binder_call(surfaceflinger, ...) for
avc: denied { call } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_allocator:s0 tclass=binder permissive=1

allow ... ...:fd use for
avc: denied { use } for path="anon_inode:dmabuf" dev="anon_inodefs" ino=12794 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_allocator:s0 tclass=fd permissive=1

Bug: 32021161
Test: make bootimage
Change-Id: Ie7700142313407ac438c43dd1a85544dc4c67f13
2016-11-14 01:09:51 +00:00
Chad Brubaker
06cf31eb63 Rename autoplay_app to ephemeral_app
Test: Builds and boots
Change-Id: I3db64e12f0390c6940f5745eae83ce7efa7d65a9
2016-10-07 09:52:31 -07:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00
Renamed from mediaserver.te (Browse further)