Commit graph

34 commits

Author SHA1 Message Date
Max Bires
89bbb2581b Allow GMSCore to read RKP properties.
GMSCore requires access to read RKP properties in order for test suites
to validate the hostname is properly set.

Test: N/A
Change-Id: If537e58d4df74516435bec8955c83bb5494a80f0
2023-02-08 17:14:47 -08:00
Treehugger Robot
dbd0da73ba Merge "Revert system app/process profileability on user builds" am: 829acbee3a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2142152

Change-Id: Idf3f36723d703f55141b97aaa0605194283d723e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-04 15:56:18 +00:00
Ryan Savitski
babba5e83b Revert system app/process profileability on user builds
Please see bug for context.

This reverts commits:
* 6111f0cfc8
* bb197bba02
* 20d0aca7e6

And updates prebuilts/api/33.0 accordingly.

Bug: 217368496
Tested: builds successfully (barbet-userdebug)
Change-Id: If7fcf3d5a2fdb1a48dcaf8ef8f97e8375d461e61
2022-07-01 12:41:01 +00:00
Treehugger Robot
b21531f2b0 Merge "Fix gmscore selinux denial on rmdir/setattr" am: 6d0b6a3011 am: 5c29a6830f am: fa37029c9f
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2058447

Change-Id: I235677935d609e680ee60cd7cab1f447568ba197
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-04-08 04:06:28 +00:00
Kelvin Zhang
4d59166d11 Fix gmscore selinux denial on rmdir/setattr
Partners reported an OTA failure caused by selinux denial. GMSCore is
trying to call setattr()/rmdir() on /data/ota_package. Give GMSCore
proper permissions to do so.

Test: th
Bug: 227422503
Change-Id: Ic64ce88e137976149813888a0d6d2910fda359e7
2022-04-07 09:23:19 -07:00
Lalit Maganti
08324f2ad1 Merge "sepolicy: Allow system domains to be profiled" am: fb9d097d03 am: 139cce7cc7 am: 170b791250 am: 3590d71207
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1966610

Change-Id: I84b31c4867bf1819a7f2de346500b2000c913dad
2022-02-02 13:00:51 +00:00
Lalit Maganti
bb197bba02 sepolicy: Allow system domains to be profiled
Bug: 217368496
Doc: go/field-tracing-t
Change-Id: Ie95c0cc2b1f9e8fa03f6112818936af692edf584
2022-02-01 16:27:26 +00:00
Lalit Maganti
4835071b17 Merge "sepolicy: add permissions for trace reporting" am: 34fb0d8933 am: dc933135a0 am: 6f8a4fc5d7 am: 5c159064bd
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1918625

Change-Id: Icf628f758f4590026e8a7bc2f98bae4a756c9108
2022-01-28 13:21:32 +00:00
Lalit Maganti
b549e2d837 sepolicy: add permissions for trace reporting
Bug: 205892741
Change-Id: I1b6b2ebeae99ca6a9725f24564386cea78403c6d
2022-01-04 14:02:20 +00:00
TreeHugger Robot
dc445113c4 Merge "priv_app: remove sysfs_net permissions bypass" 2021-10-20 19:24:33 +00:00
Jeff Vander Stoep
7f23ef4829 priv_app: remove sysfs_net permissions bypass
Access to files in sysfs_net allows bypassing permissions gated
information. Also remove permission for priv_app
to call SIOCGIFHWADDR, which is also a permissions bypass.

Examples:
 - Information in /sys/class/net/wlan0/statistics/rx_packets should
be gated by PACKAGE_USAGE_STATS.
 - Information in /sys/class/net/wlan0/address should be gated by
LOCAL_MAC_ADDRESS or READ_PRIVILEGED_PHONE_STATE.

Bug: 166269532
Test: build, boot, verify no denials in the log
Ignore-AOSP-First: Security patches are not allowed to go into AOSP
first.

Change-Id: I1eaf6351e50450b80cd7035b61add2e832d7ddb0
2021-10-18 16:23:47 +02:00
Tianjie
b729aa6c5e Add context for checkin directory
Checkin apps use /data/misc_ce/<id>/checkin to backup the checkin
metadata. So users won't lose the checkin tokens when they clear
the app's storage.

One example is when GMScore is used for checkin, users may clear
GMScore data via "settings". If the device accidentally loses the
token without backup, it won't be able to checkin again until
factory reset.

The contents in checkin dir will be cleaned up when a user is removed
from the device. We also plan to add Gmscore test to ensure the dir
is cleaned up at checkin time, thus prevent other Gmscore modules
from using this storage by mistake.

Bug: 197636740
Test: boot device, check selinux label, check gmscore writes to the new dir
Change-Id: If3ff5e0fb75b4d49ce80d91b0086b58db002e4fb
2021-10-14 16:21:10 -07:00
Michael Ayoubi
77c10eff1e Add DCK eligibility properties
Bug: 186488185
Test: Confirm GMSCore access
Change-Id: I20baf5c9ae9fbebc9e43d2798401ad49776fb74a
2021-05-21 23:31:09 +00:00
Kalesh Singh
7de79540fb Revert "gmscore_app: Don't audit memtrack hal denials"
This reverts commit cdf7b0f374.

Reason for revert: libmemtrack now uses a memtrackproxy_service, which allows app access

Change-Id: Id3858a0b813b822fc17f77e14d46525942048066
2021-04-09 00:04:53 +00:00
Kalesh Singh
cdf7b0f374 gmscore_app: Don't audit memtrack hal denials
Bug: b/177664629
Test: Check logcat for no memtrack denial on boot
Change-Id: I3b6644d2374c97e7f4a0f90aa2c596e0a870d00f
2021-02-26 16:12:47 -05:00
Elliott Hughes
25cb9046ef Allow priv_app system_linker_exec:file execute_no_trans
Chrome Crashpad uses the the dynamic linker to load native executables
from an APK (b/112050209, crbug.com/928422)

We made the equivalent change to untrusted_app_all in
9ea8c0701d but webview also runs in
priv_app contexts.

Bug: http://b/112050209
Test: treehugger
Change-Id: I19bbadc7f9c9e668e2c6d932c7da24f18e7731bd
2021-02-10 10:32:44 -08:00
Kelvin Zhang
84105de0ef Grant gmscore permission to read virtual ab properties
Bug: 168059475
Test: Serve an update over gmscore
Change-Id: Iefd88f4189b50ee68ee09bcb5a20556ba4ea3e1a
2020-09-21 10:27:20 -04:00
Xin Li
11da9e6792 Merge Android R (rvc-dev-plus-aosp-without-vendor@6692709)
Bug: 166295507
Merged-In: I6d0b1be1a46288fff42c3689dbef2f7443efebcc
Change-Id: I133180d20457b9f805f3da0915e2cf6e48229132
2020-08-29 01:45:24 -07:00
Janis Danisevskis
abb93f24c0 Make Keystore equivalent policy for Keystore2
Bug: 158500146
Bug: 159466840
Test: keystore2_test tests part of this policy
Change-Id: Id3dcb2ba4423d93170b9ba7ecf8aed0580ce83bc
Merged-In: Id3dcb2ba4423d93170b9ba7ecf8aed0580ce83bc
2020-08-05 16:11:48 +00:00
Inseob Kim
3dbf3d8ac8 Add wifi_hal_prop and remove exported_wifi_prop
To remove bad context names "exported*_prop"

Bug: 155844385
Test: boot and see no denials
Change-Id: Icd30be64355699618735d4012461835eca8cd651
Merged-In: Icd30be64355699618735d4012461835eca8cd651
(cherry picked from commit 37c2d4d0c9)
(cherry picked from commit 3b66e9b9f8)
2020-07-17 17:38:13 +09:00
Inseob Kim
3b66e9b9f8 Add wifi_hal_prop and remove exported_wifi_prop
To remove bad context names "exported*_prop"

Bug: 155844385
Test: boot and see no denials
Change-Id: Icd30be64355699618735d4012461835eca8cd651
Merged-In: Icd30be64355699618735d4012461835eca8cd651
(cherry picked from commit 37c2d4d0c9)
2020-07-17 14:01:17 +09:00
Adam Shih
0058302270 gmscore_app: suppress denials on /mnt
Bug: 149543390
Bug: 149062700
Bug: 151195371
Test: boot with no gmscore_app avc error
Change-Id: I70f20b88ce5b9e017e644cdbb5dc81f798c61640
2020-03-11 16:20:07 +08:00
Ashwini Oruganti
22a8c14971 Allow gmscore to read tcp sockets passed by priv-apps
In the GTS test NetStatsHostTest#testASetThreadStatsUid,
com.android.vending appears to be passing a tcp socket by file
descriptor to gmscore. This change updates the gmscore_app permissions
to allow this.

Bug: 148974132
Test: TH
Change-Id: Ia9e7869dda231329ae56c05d430631710779bf30
2020-02-18 08:38:44 -08:00
Ashwini Oruganti
86e110e688 gmscore_app: Enforce all rules for the domain
This change flips the switch and stops running gmscore_app in permissive
mode. Looking at the data in go/sedenials, we don't see any untracked
denial that isn't occurring for the priv_app domain as well. gmscore
should have all the necessary permissions it had was running in the
priv_app domain.

Bug: 142672293
Test: Build, flash, boot.
Change-Id: I0db56671cdfccbd79cd303bc2a819260ef7677fe
2020-01-07 10:53:49 -08:00
Ashwini Oruganti
c9de5b531f gmscore_app: anr_data_file permissions
More historical context in http://b/18504118

This also adds an auditallow to the same rule for priv_app, so we can
delete it once no logs show up in go/sedenials for this rule
triggering.

Bug: 142672293
Test: TH
Change-Id: I5729b89af83090e6e31c012c8acb0f0114c87d3d
2019-12-18 22:15:08 +00:00
Treehugger Robot
4c78a608f9 Merge "Allow gmscore to write to /cache" 2019-12-18 17:56:34 +00:00
Ashwini Oruganti
f31e862cac gmscore_app: shell_data_file permissions
This also adds an auditallow to the same rule for priv_app, so we can
delete it once no logs show up in go/sedenials for this rule
triggerring.

Bug: 142672293
Test: TH
Change-Id: I554e0cb00a53fd254c450c20e6c632e58472c3c8
2019-12-17 15:09:30 -08:00
Ashwini Oruganti
fe746ae453 Allow gmscore to write to /cache
Bug: 142672293
Test: TH
Change-Id: If3c2a5c91ffb497330531ad8a57ac5840d602d34
2019-12-17 14:55:01 -08:00
Ashwini Oruganti
384858e0ec Allow gmscore_app to write to /data/ota_package for OTA packages
This also adds an auditallow to the same rule for priv_app, so we can
delete it once no logs show up in go/sedenials for this rule
triggerring.

Bug: 142672293
Test: TH
Change-Id: I57f887e96d721ca69a7228df0a75515596776778
2019-12-16 10:00:07 -08:00
Jeff Vander Stoep
607bc67cc9 Prevent apps from causing presubmit failures
Apps can cause selinux denials by accessing CE storage
and/or external storage. In either case, the selinux denial is
not the cause of the failure, but just a symptom that
storage isn't ready. Many apps handle the failure appropriately.

These denials are not helpful, are not the cause of a problem,
spam the logs, and cause presubmit flakes. Suppress them.

Bug: 145267097
Test: build
Change-Id: If87b9683e5694fced96a81747b1baf85ef6b2124
2019-12-16 11:19:05 +01:00
Ricky Wai
5b1b423039 Allow Zygote and Installd to remount directories in /data/data
Zygote/Installd now can do the following operations in app data directory:
- Mount on it
- Create directories in it
- Mount directory for each app data, and get/set attributes

Bug: 143937733
Test: No denials at boot
Test: No denials seen when creating mounts
Change-Id: I6e852a5f5182f1abcb3136a3b23ccea69c3328db
2019-12-13 12:30:26 +00:00
Ashwini Oruganti
e80d00ff34 gmscore_app: suppress denials for system_data_file
This denial is generally a sign that apps are attempting to access
encrypted storage before the ACTION_USER_UNLOCKED intent is delivered.
Suppress this denial to prevent logspam.

While gmscore_app is running in permissive mode, there might be other
denials for related actions (that won't show up in enforcing mode after
the first action is denied). This change adds a bug_map entry to track
those denials and prevent presubmit flakes.

Bug: 142672293
Test: Happy builds
Change-Id: Id2f8f8ff5cde40e74be24daa0b1100b91a7a4dbb
2019-12-12 14:38:40 -08:00
Ashwini Oruganti
9ba277df83 Allow gmscore to ptrace itself
This is needed to debug native crashes within the gmscore app.

Now that GMS core is running in gmscore_app and not in the priv_app
domain, we need this rule for the new domain. This also adds an
auditallow to the same rule for priv_app, so we can delete it once no
logs show up in go/sedenials for this rule triggerring.

Bug: 142672293
Test: TH
Change-Id: I7d28bb5df1a876d0092758aff321e62fa2979694
2019-12-11 17:09:05 -08:00
Ashwini Oruganti
c46a7bc759 Create a separate SELinux domain for gmscore
This change creates a gmscore_app domain for gmscore. The domain is
currently in permissive mode (for userdebug and eng builds), while we
observe the SELinux denials generated and update the gmscore_app rules
accordingly.

Bug: 142672293
Test: Flashed a device with this build and verified
com.google.android.gms runs in the gmscore_app domain. Tested different
flows on the Play Store app, e.g., create a new account, log in, update
an app, etc. and verified no new denials were generated.
Change-Id: Ie5cb2026f1427a21f25fde7e5bd00d82e859f9f3
2019-11-22 10:39:19 -08:00