Commit graph

36146 commits

Author SHA1 Message Date
Treehugger Robot
e6bd93d6b6 Merge "selinux: allow bpfloader bpffs_type:file getattr" 2022-07-04 07:51:45 +00:00
Maciej Żenczykowski
1fcf7c8e7e selinux: allow bpfloader bpffs_type:file getattr
(to be able to stat() nodes in /sys/fs/bpf)

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ic71ebea683844a8d5ac0b542da815bae2816973a
2022-07-02 02:02:51 -07:00
David Brazdil
28b34f1bca crash_dump: Remove permission to dump crosvm
A crosvm instance running a protected VM contains a memory mapping of
the VM's protected memory. crash_dump can trigger a kernel panic if it
attaches to such crosvm instance and tries to dump this memory region.

Until we have a means of excluding only the protected memory from
crash_dump, prevent crash_dump from dumping crosvm completely by taking
away its SELinux permission to ptrace crosvm.

Bug: 236672526
Test: run 'killall -s SIGSEGV crosvm' while running crosvm
Change-Id: I6672746c479183cc2bbe3dce625e5b5ebcf6d822
2022-07-01 17:30:54 +01:00
Mitch Phillips
038018e113 Merge "Add persistent gwp-asan sysprops" 2022-06-29 20:56:56 +00:00
David Anderson
af348da192 Merge "Allow fastbootd to execute dmesg in userdebug builds." 2022-06-24 21:10:55 +00:00
Kelvin Zhang
f70d708544 Merge "Add proper permission for AIDL bootcontrol server" 2022-06-23 23:44:39 +00:00
Mitch Phillips
add13f0783 Add persistent gwp-asan sysprops
Like the non-persistent variants, these should be settable by shell without
root to allow external developer use on locked bootloaders.

Bug: 236738714
Test: atest bionic-unit-tests
Change-Id: Id9fc4abe491f560134267b06dd53c2dacca9422d
2022-06-23 11:11:35 -07:00
Thiébaud Weksteen
091943f99d Merge "Ignore access to /sys for dumpstate" 2022-06-23 13:22:45 +00:00
Maciej Żenczykowski
afa8ca689f Merge "much more finegrained bpf selinux privs for networking mainline" 2022-06-23 11:05:03 +00:00
Almaz Mingaleev
0e70ea793f Merge "Remove TZUvA feature." 2022-06-23 07:47:26 +00:00
Treehugger Robot
0235cbf4b9 Merge changes I036e4853,I55e03a3c,Ic98c6fc6
* changes:
  sepolicy: allow TUNSETLINK and TUNSETCARRIER
  Add xfrm netlink permissions for system server
  Fix system server and network stack netlink permissions
2022-06-23 01:43:56 +00:00
Maciej Żenczykowski
b13921c3f0 much more finegrained bpf selinux privs for networking mainline
Goal is to gain a better handle on who has access to which maps
and to allow (with bpfloader changes to create in one directory
and move into the target directory) per-map selection of
selinux context, while still having reasonable defaults for stuff
pinned directly into the target location.

BPFFS (i.e. /sys/fs/bpf) labelling is as follows:
  subdirectory   selinux context      mainline  usecase / usable by
  /              fs_bpf               no (*)    core operating system (i.e. platform)
  /net_private   fs_bpf_net_private   yes, T+   network_stack
  /net_shared    fs_bpf_net_shared    yes, T+   network_stack & system_server
  /netd_readonly fs_bpf_netd_readonly yes, T+   network_stack & system_server & r/o to netd
  /netd_shared   fs_bpf_netd_shared   yes, T+   network_stack & system_server & netd [**]
  /tethering     fs_bpf_tethering     yes, S+   network_stack
  /vendor        fs_bpf_vendor        no, T+    vendor

* initial support for bpf was added back in P,
  but things worked differently back then with no bpfloader,
  and instead netd doing stuff by hand,
  bpfloader with pinning into /sys/fs/bpf was (I believe) added in Q
  (and was definitely there in R)

** additionally bpf programs are accessible to netutils_wrapper
   for use by iptables xt_bpf extensions

'mainline yes' currently means shipped by the com.android.tethering apex,
but this is really another case of bad naming, as it's really
the 'networking/connectivity/tethering' apex / mainline module.
Long term the plan is to merge a few other networking mainline modules
into it (and maybe give it a saner name...).

The reason for splitting net_private vs tethering is that:
  S+ must support 4.9+ kernels and S era bpfloader v0.2+
  T+ must support 4.14+ kernels and T beta3 era bpfloader v0.13+

The kernel affects the intelligence of the in-kernel bpf verifier
and the available bpf helper functions.  Older kernels have
a tendency to reject programs that newer kernels allow.

/ && /vendor are not shipped via mainline, so only need to work
with the bpfloader that's part of the core os.

Bug: 218408035
Test: TreeHugger, manually on cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I674866ebe32aca4fc851818c1ffcbec12ac4f7d4
(cherry picked from commit 15715aea32)
2022-06-22 16:07:42 -07:00
Patrick Rohr
f1c63a4e91 sepolicy: allow TUNSETLINK and TUNSETCARRIER
This is required for testing new ethernet APIs in T.

This change is not identical to the corresponding AOSP change
because it also needs to update the T prebuilts.

Test: TH
Bug: 171872016
(cherry picked from commit 02b55354bd)
(cherry picked from commit 69fa8ca6f2)
Change-Id: I036e48530e37f7213a21b250b858a37fba3e663b
2022-06-22 16:07:28 -07:00
Benedict Wong
a6471611cc Add xfrm netlink permissions for system server
This change enables xfrm netlink socket use for the system server,
and the network_stack process. This will be used by IpSecService
to configure SAs, and network stack to monitor counters & replay
bitmaps for monitoring of IPsec tunnels.

This patch updates the prebuilts, in addition to the changes to the
master source.

Bug: 233392908
Test: Compiled
(cherry picked from commit b25b4bf53f)
(cherry picked from commit 8b7c1cbd5e)
Change-Id: I55e03a3ca7793b09688f603c973c38bd2f6e7c7f
2022-06-22 16:07:16 -07:00
Patrick Rohr
7e3e7e4a41 Fix system server and network stack netlink permissions
Give system_server and network_stack the same permissions as netd.
This is needed as we are continuously moving code out of netd into
network_stack and system_server.

This change is not identical to the corresponding AOSP change
because it also needs to update the T prebuilts.

Test: TH
Bug: 233300834
(cherry picked from commit ab02397814)
(cherry picked from commit d0478822ce)
Change-Id: Ic98c6fc631ee98bef4b5451b6b52d94e673b4f3c
2022-06-22 16:06:55 -07:00
Treehugger Robot
612f706737 [automerger skipped] Merge "RESTRICT AUTOMERGE Revert "Add policy for command line tool to control MTE boot state. am: 949e1d0a76"" into android12L-tests-dev am: 50e1cfc192 -s ours
am skip reason: subject contains skip directive

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2133982

Change-Id: I7e3dfa585643361ef08073fb7895fde555a8a417
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-06-22 22:31:32 +00:00
Florian Mayer
1b2b7649ca [automerger skipped] RESTRICT AUTOMERGE Revert "Add policy for command line tool to control MTE boot state. am: 949e1d0a76" am: fdee5eddfa -s ours
am skip reason: subject contains skip directive

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2133982

Change-Id: Id9dd5cb89701923cca7f0376361efe6b44bf09df
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-06-22 22:31:08 +00:00
Treehugger Robot
50e1cfc192 Merge "RESTRICT AUTOMERGE Revert "Add policy for command line tool to control MTE boot state. am: 949e1d0a76"" into android12L-tests-dev 2022-06-22 22:15:55 +00:00
Kelvin Zhang
65d6bf5391 Add proper permission for AIDL bootcontrol server
Bug: 227536004
Test: th
Change-Id: I6aff2742fb23bf7e7ce8d09493f02c4be9262fd3
2022-06-22 13:38:01 -07:00
Thiébaud Weksteen
5e8a384f5a Ignore access to /sys for dumpstate
avc: denied { read } for name="stat" dev="sysfs" ino=26442
scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file
permissive=0

Bug: 236566714
Test: TH
Change-Id: Id4e781908573607b28782fbb2da7cd553d6826fe
2022-06-23 01:48:23 +10:00
Treehugger Robot
11a9ff428d Merge "Allow remote_prov_app to find mediametrics." 2022-06-22 06:14:28 +00:00
David Anderson
9a33615580 Allow fastbootd to execute dmesg in userdebug builds.
This enables users to run "fastboot getvar dmesg" which is important to
debugging flashing failures in automation. The command is only allowed on
unlocked devices running userdebug builds.

Bug: 230269532
Test: fastboot getvar dmesg
Change-Id: Ia27268fd984f903ca73e69b5717f4206a3cf1ae9
2022-06-21 18:01:52 -07:00
Florian Mayer
fdee5eddfa RESTRICT AUTOMERGE Revert "Add policy for command line tool to control MTE boot state. am: 949e1d0a76"
This reverts commit 069435505e.

Reason for revert: b/236099211

Change-Id: Ia3538caebdf7ccea943a16c594a3ff6a645014a2
2022-06-22 00:51:24 +00:00
Jiyong Park
6fb4511df4 Label ro.build.version.known_codenames in Microdroid
Bug: 236602028
Test: atest ComposHostTestCases
Change-Id: I7a479f32f58964b60468b7d19c9cd9f47a334741
2022-06-21 10:59:03 +09:00
Alan Stokes
1035ba1023 Allow compos_verify to write VM logs
Previously I've resisted granting write access to these files, since
it allows the instance image to be altered. But that doesn't allow an
attacker to do anything other than render it invalid, since it's
protected by the VM key.

Note that logs are only written when the VM is debuggable, which is
currently only when non-protected VMs are available.

Bug: 235350758
Test: Force debug on, stage APEX, compile, reboot -> see vm logs
Test: Presubmit
Change-Id: I17c9a17db83d15adfab97b8cfe4ccd67393a08c1
2022-06-17 13:41:51 +01:00
Xin Li
5a7531590f Merge "Merge Android 12 QPR 3" 2022-06-16 18:51:57 +00:00
Treehugger Robot
13b939a91a Merge "SELinux configuration for memory safety device configs." 2022-06-16 06:27:04 +00:00
Max Bires
d1cd55f660 Allow remote_prov_app to find mediametrics.
This change allows remote_prov_app to find mediametrics. This is a
permission that all apps have. It is now needed for remote_prov_app due
to a new feature related to provisioning Widevine through the MediaDrm
framework.

Bug: 235491155
Test: no selinux denials related to remote_prov_app
Change-Id: Id3057b036486288358a9a84100fe808eb56df5fe
Merged-In: Id3057b036486288358a9a84100fe808eb56df5fe
2022-06-15 13:42:32 -07:00
Avichal Rakesh
fb2097c1fd Merge "Allow camera provider services following AIDL naming conventions" 2022-06-15 19:46:16 +00:00
Treehugger Robot
558915461b Merge "Dontaudit chmod of virtualizationsevice_data_file" 2022-06-15 18:04:46 +00:00
Florian Mayer
5b3a8333af SELinux configuration for memory safety device configs.
These will get read by system libraries in arbitrary processes, so it's
a public property with read access by `domain`.

Bug: 235129567
Change-Id: I1ab880626e4efa2affe90165ce94a404b918849d
2022-06-15 10:34:54 -07:00
Florian Mayer
981f5581f6 Merge "Add property for MTE permissive mode." 2022-06-15 16:58:25 +00:00
Alan Stokes
40f33c1da1 Dontaudit chmod of virtualizationsevice_data_file
Init attempts to rm -rf these files, to ensure any that are owned by
the old virtualizationservice UID get deleted. This fails for newer
directories, now that we use the system UID, which is harmless. But rm
attempts to chmod the directories since it can't read them, which also
fails and generates a spurious audit. So here we suppress that.

Bug: 235338094
Test: No denials seen even when there are stale directories present
Change-Id: If55fbe151174ee08a12b64b301e4aa86ffc1a5bf
2022-06-15 17:25:20 +01:00
Treehugger Robot
f31b1f45d5 Merge "Don't audit mnt_produt_file in dumpstate." 2022-06-15 09:42:49 +00:00
Xin Li
1be8100d8f Merge Android 12 QPR 3
Bug: 236045730
Merged-In: Id7ae2a2160eeea687a3a6876ce43baf05bb3bb8b
Change-Id: I342b75ca067e813bbd9092efd33dc078b2d6312e
2022-06-14 16:48:21 -07:00
Avichal Rakesh
3baabb9157 Allow camera provider services following AIDL naming conventions
Android 13 moved to using AIDL for HALs, which have different version
and naming conventions as compared to the now deprecated HIDL. This CL
updates the regex to include camera provider implementations that follow
AIDL naming conventions in the allowlist.

Bug: 219974678
Test: Manually tested that AIDL implementation is allowed to run
Change-Id: Ic005703bdaaa6376ca4714f22f89271b2a8878f2
2022-06-14 22:39:54 +00:00
Florian Mayer
56af9a268a Add property for MTE permissive mode.
Bug: 202037138
Change-Id: I272996f124ca8391f9312150d1d8757751fe6acb
2022-06-14 10:21:25 -07:00
Inseob Kim
4e71f7d8c8 Merge "Allow microdroid_manager to write serial device" am: ff418d6499
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2121197

Change-Id: Id7ae2a2160eeea687a3a6876ce43baf05bb3bb8b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-06-14 03:17:46 +00:00
Inseob Kim
ff418d6499 Merge "Allow microdroid_manager to write serial device" 2022-06-14 02:51:12 +00:00
Neil Fuller
37888b33ba Remove TZUvA feature.
The feature was superseded by tzdata mainline module(s).

Bug: 148144561
Test: see system/timezone
Test: m selinux_policy
Change-Id: I48d445ac723ae310b8a134371342fc4c0d202300
Merged-In: I48d445ac723ae310b8a134371342fc4c0d202300
2022-06-13 11:45:50 +00:00
Inseob Kim
44f68942fa Allow microdroid_manager to write serial device
A serial device is used to pass the failure reason to the host.

Bug: 220071963
Test: atest MicrodroidTests
Change-Id: I085e902b4f0a79d3c8d2cd5c737ad169caac3659
2022-06-13 18:00:11 +09:00
Treehugger Robot
4ed1cb5a1e Merge "Remove the last traces of idmap (replaced by idmap2)" am: 850045ae07
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2122593

Change-Id: I3a13d0387b86db5744d15775699f2192b6804e2e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-06-13 07:40:54 +00:00
Treehugger Robot
850045ae07 Merge "Remove the last traces of idmap (replaced by idmap2)" 2022-06-13 07:19:11 +00:00
Yi-yo Chiang
fcbd51b544 Merge "Label ro.force.debuggable as build_prop" am: c85ac2ea3a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2122376

Change-Id: Ibbe3afff89ca75284e9d4705b03095d0c3fc36f9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-06-13 06:41:14 +00:00
Yi-yo Chiang
c85ac2ea3a Merge "Label ro.force.debuggable as build_prop" 2022-06-13 06:17:47 +00:00
Devin Moore
ff958713a2 Merge "Add permissions for new netd AIDL HAL" am: e47782171a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2095165

Change-Id: I28a8dea121386f90f48850326a8d1c1a41984d6d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-06-10 19:41:26 +00:00
Devin Moore
e47782171a Merge "Add permissions for new netd AIDL HAL" 2022-06-10 18:04:28 +00:00
Mårten Kongstad
0547fb5ab2 Remove the last traces of idmap (replaced by idmap2)
Remove mention of the /system/bin/idmap binary: the file no longer
exists.

Remove the interaction between the installd and idmap domains:
installd used to fork and exec the idmap binary, but the idmap2 binary
has its own binder service.

Bug: 118711077
Bug: 119264713
Test: atest FrameworksServicesTests:com.android.server.om OverlayDeviceTests OverlayHostTests CtsAppSecurityHostTestCases:OverlayHostTest
Change-Id: I06d22057308984e43cb84ff365dbdd1864c7064b
2022-06-10 12:58:21 +02:00
Inseob Kim
cf9c59241d Merge "Fix policy file order for hal_attributes" am: b2984a49bd
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2121272

Change-Id: I5613be959f16d63d21cab13eda4343f2055e7b70
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-06-10 09:29:27 +00:00
Inseob Kim
b2984a49bd Merge "Fix policy file order for hal_attributes" 2022-06-10 09:07:02 +00:00