Commit graph

126 commits

Author SHA1 Message Date
Josh Yang
9aeba4f661 Allow private apps to report offbody events.
Bug: b/183564407
Test: selinux error is gone.
Ignore-AOSP-First: AOSP change aosp/1973028 has merge conflict. This
change manually merges it to internal gerrit.

Change-Id: If40c2883edd39bee8e49e8e958eb12e9b29a0fe0
2022-02-07 11:55:37 -08:00
Lalit Maganti
4835071b17 Merge "sepolicy: add permissions for trace reporting" am: 34fb0d8933 am: dc933135a0 am: 6f8a4fc5d7 am: 5c159064bd
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1918625

Change-Id: Icf628f758f4590026e8a7bc2f98bae4a756c9108
2022-01-28 13:21:32 +00:00
Lalit Maganti
b549e2d837 sepolicy: add permissions for trace reporting
Bug: 205892741
Change-Id: I1b6b2ebeae99ca6a9725f24564386cea78403c6d
2022-01-04 14:02:20 +00:00
Treehugger Robot
d5d189ed00 Merge "Grant BetterBug access ot WM traces attributes" am: 53b6de0642 am: 2c95edf2af am: af4b21ef5b am: fea7cd0639
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1903230

Change-Id: I7c13e61bf009b2c6ce07aaf678dace4693c48323
2021-11-29 19:49:46 +00:00
Nataniel Borges
6b624a5a0c Grant BetterBug access ot WM traces attributes
Currently BetterBug (privileged app) cannot access the details form
/data/misc/wmtrace.

Test: access a trace from /data/misc/wmtrace/ in betterbug
Change-Id: I4cf864ab4729e85f05df8f9e601a75ff8b92bdc8
2021-11-29 18:22:58 +01:00
Jeff Vander Stoep
7f23ef4829 priv_app: remove sysfs_net permissions bypass
Access to files in sysfs_net allows bypassing permissions gated
information. Also remove permission for priv_app
to call SIOCGIFHWADDR, which is also a permissions bypass.

Examples:
 - Information in /sys/class/net/wlan0/statistics/rx_packets should
be gated by PACKAGE_USAGE_STATS.
 - Information in /sys/class/net/wlan0/address should be gated by
LOCAL_MAC_ADDRESS or READ_PRIVILEGED_PHONE_STATE.

Bug: 166269532
Test: build, boot, verify no denials in the log
Ignore-AOSP-First: Security patches are not allowed to go into AOSP
first.

Change-Id: I1eaf6351e50450b80cd7035b61add2e832d7ddb0
2021-10-18 16:23:47 +02:00
Hongguang
737b098a71 Allow priv_app to run the renderscript compiler.
Bug: 157478854
Test: manual test and check selinux log in logcat.
Change-Id: I0bebcc6b8e4ad7dfeeb0d1c20b3d093fd48891de
2021-06-15 09:51:05 -07:00
Yurii Zubrytskyi
b382f02bf4 [incfs] Allow everyone read the IncFS sysfs features
Every process needs to be able to determine the IncFS features
to choose the most efficient APIs to call

Bug: 184357957
Test: build + atest PackageManagerShellCommandTest
Change-Id: Ia84e3fecfd7be1209af076452cc27cc68aefd80d
2021-04-21 15:15:40 -07:00
Yi Kong
ae9645ecb5 Allow betterbug to read profile reports generated by profcollect
Test: presubmit
Change-Id: I833c0ebaa27a0c8feddf23e4b648ee067c41ae2b
2021-03-22 22:57:57 +08:00
Marco Ballesio
aa4ce95c6f sepolicy: rules for uid/pid cgroups v2 hierarchy
Bug: 168907513
Test: verified the correct working of the v2 uid/pid hierarchy in normal
and recovery modes

This reverts commit aa8bb3a29b.

Change-Id: Ib344d500ea49b86e862e223ab58a16601eebef47
2021-02-11 23:40:38 +00:00
Elliott Hughes
e92be7b6a6 Merge "Allow priv_app system_linker_exec:file execute_no_trans" 2021-02-10 20:45:23 +00:00
Elliott Hughes
25cb9046ef Allow priv_app system_linker_exec:file execute_no_trans
Chrome Crashpad uses the the dynamic linker to load native executables
from an APK (b/112050209, crbug.com/928422)

We made the equivalent change to untrusted_app_all in
9ea8c0701d but webview also runs in
priv_app contexts.

Bug: http://b/112050209
Test: treehugger
Change-Id: I19bbadc7f9c9e668e2c6d932c7da24f18e7731bd
2021-02-10 10:32:44 -08:00
Songchun Fan
b4c9491aed [selinux] allow priv_app to get incremental progress
This allows phonesky to get incremental install progress.

Addresses denial message like below:

W/BlockingExecuto: type=1400 audit(0.0:5582): avc: denied { ioctl } for path="/data/incremental/MT_data_app_vmdl133/mount/.index/04abf89d12c3fe8f6fe9b381a670255c" dev="incremental-fs" ino=52957 ioctlcmd=0x6722 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0 app=com.android.vending

Test: builds
BUG: 172965880
Change-Id: Ibecd4e07746e7bb3ca6bdf762382744b38f677cb
2021-02-09 22:46:27 +00:00
Alex Buynytskyy
0f01076482 Allow dataloaders (priv_app) access to IncFs enabled property.
Bug: 179395351
Test: install an app incrementally using dev phonesky
Change-Id: I47496622ecef3f5552126a96d88cc0732cdf5dce
2021-02-04 20:11:04 -08:00
Marco Ballesio
aa8bb3a29b Revert^3 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
a54bed6907

Bug: 151660495
Test: verified proper boot in regular mode and proper working of adb in
recovery

Change-Id: Id70d27a6162af6ede94661005d80a2a780057089
2021-02-04 22:33:14 +00:00
Marco Ballesio
a54bed6907 Revert^2 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
51c04ac27b

Change-Id: Idc35a84b5faabfb9bdd7a7693f51b11938eb0489
2021-01-27 06:07:48 +00:00
Yurii Zubrytskyi
80dfa06984 IncFS: update SE policies for the new API
IncFS in S adds a bunch of new ioctls, and requires the users
to read its features in sysfs directory. This change adds
all the features, maps them into the processes that need to
call into them, and allows any incfs user to query the features

Bug: 170231230
Test: incremental unit tests
Change-Id: Ieea6dca38ae9829230bc17d0c73f50c93c407d35
2021-01-19 12:57:15 -08:00
Primiano Tucci
2bb8587933 Allow shell + priv_app to traverse /data/misc/perfetto-traces
This is a follow-up to r.android.com/1542764.
1. In order to allow priv_app to
   stat(/data/misc/perfetto-traces/bugreport/*) we need
   also the `search` permission to traverse the parent
   directory /data/misc/perfetto-traces.
2. Allow shell to read the new bugreport/ directory.
   shell can read bugreports anyways and this is needed
   for CTS tests.

Bug: 177761174
Bug: 177684571
Test: manual (changpa@)
Change-Id: I39d6a1c7941bcdcdc314a7538c0accfd37c52ca2
2021-01-18 14:16:03 +00:00
Primiano Tucci
2f99809c43 Allow dumpstate to snapshot traces and attach them to bug reports
Feature description: if a background trace is happening at the
time dumpstate is invoked, the tracing daemon will snapshot
the trace into a fixed path (/data/misc/perfetto-traces/bugreport/).
Dumpstate will attach the trace, if present, to the bugreport.
From a SELinux viewpoint this involves the following permissions:
- Allow dumpstate to exec+trans perfetto --save-for-bugreport
  (this will just send an IPC to traced, which will save the trace).
- Allow dumpstate to list, read and unlink the trace file.
- Create a dedicated label for bugreport traces, to prevent that
  dumpstate gets access to other traces not meant for bug reporting.

Note that this does NOT allow dumpstate to serialze arbitary traces.
Traces must be marked as "eligible for bugreport" upfront in the
trace config (which is not under dumpstate control), by
setting bugreport_score > 0.

Design doc: go/perfetto-betterbug

Bug: 170334305
Test: manual:
      1. start a perfetto trace with bugreport_score > 0
      2. adb shell dumpstate
      3. check that the bugreport zip contains the trace

Change-Id: I259c3ee9d5be08d6b22c796b32875d7de703a230
2021-01-12 14:06:24 +00:00
Mohammad Samiul Islam
a45cddae5e Allow priv_app read access to /data/app-staging directory
During staged installation, we no longer create duplicate sessions for
verification purpose. Instead, we send the original files in
/data/app-staging folder to package verifiers for verification. That
means, Phonesky needs access to /data/app-staging folder to be able to
verify the apks inside it.

Bug: 175163376
Test: atest StagedInstallTest#testPlayStoreCanReadAppStagingDir
Test: atest StagedInstallTest#testAppStagingFolderCannotBeReadByNonPrivApps
Change-Id: I5cbb4c8b7dceb63954c747180b39b4a21d2463af
2020-12-10 23:46:15 +00:00
Jonglin Lee
51c04ac27b Revert "sepolicy: rules for uid/pid cgroups v2 hierarchy"
Revert submission 1511692-cgroup v2 uid/pid hierarchy

Reason for revert: Causing intermittent cgroup kernel panics
Reverted Changes:
I80c2a069b:sepolicy: rules for uid/pid cgroups v2 hierarchy
I73f3e767d:libprocessgroup: uid/pid hierarchy for cgroup v2

Bug: 174776875
Change-Id: I63a03bb43d87c9aa564b1436a45fd5ec023aac87
Test: Locally reverted and booted 100 times without kernel panic
2020-12-04 03:12:59 +00:00
Marco Ballesio
f46d7a26c1 sepolicy: rules for uid/pid cgroups v2 hierarchy
the cgroups v2 uid/gid hierarchy will replace cgroup for all sepolicy
rules. For this reason, old rules have to be duplicated to cgroup_v2,
plus some rules must be added to allow the ownership change for cgroup
files created by init and zygote.

Test: booted device, verified correct access from init, system_server
and zygote to the uid/pid cgroup files

Change-Id: I80c2a069b0fb409b442e1160148ddc48e31d6809
2020-11-30 11:46:14 -08:00
Alan Stokes
a0518b7fdb Make kmsg_device mlstrustedobject.
Few domains are granted access to this, but they should have access
from any user.

Also add some neverallows to prevent misuse.

Bug: 170622707
Test: presubmits
Change-Id: Iacbe7b0525604f2339f8bf31c105af738bc3cd75
2020-10-28 09:41:07 +00:00
Nick Moukhine
affe2399b5 Add sepolicy for music recognition service.
Denial when not listed in priv_app.te:
E SELinux : avc:  denied  { find } for pid=3213 uid=10170 name=music_recognition scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:music_recognition_service:s0 tclass=service_manager permissive=0


Bug: 158194857
Test: patched and tested on internal master
Change-Id: I30e9ea79a57d9c353b732b629bd5a829c89bbcb0
2020-09-23 10:57:19 +00:00
Inseob Kim
3dbf3d8ac8 Add wifi_hal_prop and remove exported_wifi_prop
To remove bad context names "exported*_prop"

Bug: 155844385
Test: boot and see no denials
Change-Id: Icd30be64355699618735d4012461835eca8cd651
Merged-In: Icd30be64355699618735d4012461835eca8cd651
(cherry picked from commit 37c2d4d0c9)
(cherry picked from commit 3b66e9b9f8)
2020-07-17 17:38:13 +09:00
tianli
0709fbca5f Allow private app to access system app data file for ContentProvider
For ContentProvider case, private app can not access system app data. So we added this rule to solve this issue.
Bug: 157448040
Test: <Before modifying the rules, when the private app accesses files in the app-specific directory shared by the system app through the ContentProvider, the system will report selinux permission issue.
After modifying the rules and compiling the new version, the private app can access the files in the app-specific directory shared by the system app through the ContentProvider without any permission issues.>

Change-Id: I2433a6808d899c3729c6aa37c6c2d955e91e54a3
2020-06-17 18:29:11 +08:00
Nikita Ioffe
01d4c99175 Allow priv_app to search apex_data_file and read staging_data_file
This changes are necessary to make files under /data/apex/active
be readable by Phonesky.

Test: builds
Bug: 154635217
Merged-In: I14116f02f3d3f0a8390f1d968a3971f15bd4b3f2
Change-Id: I14116f02f3d3f0a8390f1d968a3971f15bd4b3f2
(cherry picked from commit 89d43a51ba)
2020-04-24 23:41:13 +01:00
Yiwei Zhang
3db5a3140f sepolicy: clean up redundant rules around gpuservice
Test: m selinux_policy
Change-Id: I67389253aa3c6071a553e123fa9883cbdb331614
2020-04-15 09:24:16 -07:00
Songchun Fan
2679d8e3a3 [selinux] permissions on new ioctls for filling blocks
(Cherry-picking)

Denial messages:

03-17 20:30:54.274  1445  1445 I PackageInstalle: type=1400 audit(0.0:6): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313134353234353836342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x6721 scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1

03-17 20:30:54.274  1445  1445 I PackageInstalle: type=1400 audit(0.0:7): avc: denied { ioctl } for path="/data/incremental/MT_data_incremental_tmp_1145245864/mount/.index/2b300000000000000000000000000000" dev="incremental-fs" ino=6794 ioctlcmd=0x6720 scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1

03-17 20:49:11.797 16182 16182 I Binder:16182_6: type=1400 audit(0.0:13): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3537383539353635322F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x6721 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 app=com.android.vending

03-17 20:49:11.797 16182 16182 I Binder:16182_6: type=1400 audit(0.0:14): avc: denied { ioctl } for path="/data/incremental/MT_data_incremental_tmp_578595652/mount/.index/626173652e61706b0000000000000000" dev="incremental-fs" ino=5810 ioctlcmd=0x6720 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending

Test: manual
BUG: 150809360
Merged-In: If43fa9edad0848a59c0712b124adfcdbbd0c99a4
Change-Id: I10e95caba43e1e1c272b59b7191b36b1cff4ff67
2020-03-19 16:31:52 -07:00
Songchun Fan
82ea55def0 allow priv_apps to read from incremental_control_file
Denial messages:

02-21 20:19:41.817  1439  1439 I Binder:1439_3: type=1400 audit(0.0:1851): avc: denied { read } for path=2F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-21 20:19:41.817 20337 20337 I Binder:20337_2: type=1400 audit(0.0:1852): avc: denied { getattr } for path=2F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 app=com.android.vending

Test: manual
Change-Id: Ie188f294ea2a6aff71a49a6f17679c3cf810b69d
2020-02-24 18:26:47 +00:00
Songchun Fan
3922253de9 permissions for incremental control file
=== for mounting and create file ===

02-12 21:09:41.828   593   593 I Binder:593_2: type=1400 audit(0.0:832): avc: denied { relabelto } for name=".pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.838   593   593 I Binder:593_2: type=1400 audit(0.0:833): avc: denied { read } for name=".pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.838   593   593 I Binder:593_2: type=1400 audit(0.0:834): avc: denied { open } for path="/data/incremental/MT_data_incremental_tmp_1485189518/mount/.pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.838   593   593 I Binder:593_2: type=1400 audit(0.0:835): avc: denied { getattr } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.838   593   593 I Binder:593_2: type=1400 audit(0.0:836): avc: denied { read } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 21:09:41.841  1429  1429 I PackageInstalle: type=1400 audit(0.0:837): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x671e scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1

=== for reading signature from file ===
02-12 21:09:47.931  8972  8972 I android.vending: type=1400 audit(0.0:848): avc: denied { ioctl } for path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending
02-12 21:09:47.994  1429  1429 I AppIntegrityMan: type=1400 audit(0.0:849): avc: denied { ioctl } for path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
02-12 21:09:50.034  8972  8972 I com.android.vending: type=1400 audit(0.0:850): avc: denied { ioctl } for comm=62674578656375746F72202332 path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending
02-12 21:09:52.914  1429  1429 I PackageManager: type=1400 audit(0.0:851): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x671e scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1

=== data loader app reading from log file ===
02-12 22:09:19.741  1417  1417 I Binder:1417_3: type=1400 audit(0.0:654): avc: denied { read } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3131393237303339342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_app:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1
02-12 22:09:19.741 15903 15903 I Binder:15903_4: type=1400 audit(0.0:655): avc: denied { getattr } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3131393237303339342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_app:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1

Test: manual with incremental installation
BUG: 133435829
Change-Id: Ie973be6bc63faf8fe98c9e684060e9c81d124e6e
2020-02-13 12:53:36 -08:00
Martijn Coenen
e3f1d5a314 Create new mediaprovider_app domain.
This is a domain for the MediaProvider mainline module. The
MediaProvider process is responsible for managing external storage, and
as such should be able to have full read/write access to it. It also
hosts a FUSE filesystem that allows other apps to access said storage in
a safe way. Finally, it needs to call some ioctl's to set project quota
on the lower filesystem correctly.

Bug: 141595441
Test: builds, mediaprovider module gets the correct domain
Change-Id: I0d705148774a1bbb59c927e267a484cb5c44f548
2020-02-04 16:53:18 +01:00
Zimuzo Ezeozue
5119becf5d Merge "Grant vold, installd, zygote and apps access to /mnt/pass_through" 2020-01-28 22:26:58 +00:00
Zim
fcf599c89c Grant vold, installd, zygote and apps access to /mnt/pass_through
/mnt/pass_through was introduced to allow the FUSE daemon unrestricted
 access to the lower filesystem (or sdcardfs).

At zygote fork time, the FUSE daemon will have /mnt/pass_through/0
bind mounted to /storage instead of /mnt/user/0. To keep /sdcard
(symlink to /storage/self/primary) paths working, we create a
'self' directory  with an additional 'primary' symlink to
/mnt/pass_through/0/emulated/0 which is a FUSE mount point.

The following components need varying sepolicy privileges:

Vold: Creates the self/primary symlink and mounts the lower filesystem
on /mnt/pass_through/0/emulated. So needs create_dir and mount access
+ create_file access for the symlink

zygote: In case zygote starts an app before vold sets up the paths.
This is unlikely but can happen if the FUSE daemon (a zygote forked app)
is started before system_server completes vold mounts.
Same sepolicy requirements as vold

installd: Needs to clear/destroy app data using lower filesystem
mounted on /mnt/pass_through so needs read_dir access to walk
/mnt/pass_through

priv_app (FUSE daemon): Needs to server content from the lower
filesystem mounted on /mnt/pass_through so needs read_dir access to
walk /mnt/pass_through

Bug: 135341433
Test: adb shell ls /mnt/pass_through/0/self/primary
Change-Id: I16e35b9007c2143282600c56adbc9468a1b7f240
2020-01-28 20:56:36 +00:00
Treehugger Robot
9baf6d6609 Merge "priv_app: Remove permissions for config_gz" 2020-01-27 22:44:13 +00:00
Ashwini Oruganti
5ab5e8ad20 priv_app: Remove permissions for config_gz
Looking at go/sedenials, we see this permission being used by
MediaProvider once like so:

type=1400 audit(0.0:569759): avc: granted { getattr } for comm=4173796E635461736B202331 path="/proc/config.gz" dev="proc" ino=4026532157 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:config_gz:s0 tclass=file app=com.google.android.providers.media.module

This permission should not be granted to all priv-apps now that GMS core
has been split out into its own domain. This change removes the
permission for the priv_app domain and the corresponding auditallow.

Bug: 147833123
Test: TH
Change-Id: I4f60daefcbdd4991c5d2c32330e907a03bfe6fe5
2020-01-27 10:03:22 -08:00
Ryan Savitski
67a82481f8 initial policy for traced_perf daemon (perf profiler)
The steps involved in setting up profiling and stack unwinding are
described in detail at go/perfetto-perf-android.

To summarize the interesting case: the daemon uses cpu-wide
perf_event_open, with userspace stack and register sampling on. For each
sample, it identifies whether the process is profileable, and obtains
the FDs for /proc/[pid]/{maps,mem} using a dedicated RT signal (with the
bionic signal handler handing over the FDs over a dedicated socket). It
then uses libunwindstack to unwind & symbolize the stacks, sending the
results to the central tracing daemon (traced).

This patch covers the app profiling use-cases. Splitting out the
"profile most things on debug builds" into a separate patch for easier
review.

Most of the exceptions in domain.te & coredomain.te come from the
"vendor_file_type" allow-rule. We want a subset of that (effectively all
libraries/executables), but I believe that in practice it's hard to use
just the specific subtypes, and we're better off allowing access to all
vendor_file_type files.

Bug: 137092007
Change-Id: I4aa482cfb3f9fb2fabf02e1dff92e2b5ce121a47
2020-01-22 22:04:01 +00:00
Ashwini Oruganti
db553aa416 priv_app: Remove permissions for selinuxfs
Looking at go/sedenials, we see this permission being used by
MediaProvider like so:

type=1400 audit(0.0:3651): avc: granted { getattr } for comm=4173796E635461736B202331 path="/sys/fs/selinux/class/tipc_socket/perms/recvfrom" dev="selinuxfs" ino=67111391 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:selinuxfs:s0 tclass=file app=com.google.android.providers.media.module

... and numerous other directories, apparently from a filesystem walk.

It appears that this permission should not be granted to all priv-apps
now that GMS core has been split out into its own domain. This change
removes the permission for the priv_app domain and the corresponding
auditallow.

Bug: 147833123
Test: TH
Change-Id: I88146785c7ac3a8c15fe9b5f34f05d936f08ea48
2020-01-21 15:30:12 -08:00
Treehugger Robot
2e5ce26f17 Merge "priv_app: Remove permission to read from /data/anr/traces.txt" 2020-01-17 01:10:45 +00:00
Ashwini Oruganti
565c685b35 priv_app: Remove permission to read from /data/anr/traces.txt
We added an auditallow for this permission on 12/17/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.

Bug: 147833123
Test: TH
Change-Id: I96f810a55e0eb8f3778aea9598f6437de0f65c7f
2020-01-16 14:42:43 -08:00
Ashwini Oruganti
d61b0ce1bc priv_app: Remove rules for ota_package_file
We added auditallows for these permissions on 12/16/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.

Bug: 147833123
Test: TH
Change-Id: I4789b29462ef561288aeaabbdb1e57271d5fcd2a
2020-01-16 14:20:12 -08:00
Ashwini Oruganti
65d6fd48c8 Merge "priv_app: Remove rules for system_update_service" 2020-01-11 00:49:14 +00:00
Treehugger Robot
623fb38952 Merge "priv_app: Remove rules allowing a priv-app to ptrace itself" 2020-01-10 20:23:06 +00:00
Ashwini Oruganti
a40840daa8 priv_app: Remove rules for system_update_service
We added an auditallow for these permissions on 11/26/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.

Bug: 142672293
Test: TH
Change-Id: Ic2f68b3af861e0c00e2dea731c4d6b3255ab5175
2020-01-10 11:17:00 -08:00
Treehugger Robot
6df27928dd Merge "priv_app: Remove rules for storaged" 2020-01-10 14:49:32 +00:00
Ashwini Oruganti
2ba18e99d8 priv_app: Remove rules allowing a priv-app to ptrace itself
We added an auditallow for these permissions on 12/11/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.

Bug: 142672293
Test: TH
Change-Id: Iaeaef560883b61644625b21e5c7095d4d9c68da9
2020-01-09 13:37:30 -08:00
Ashwini Oruganti
75ccb46de7 priv_app: Remove rules for keystore
We added an auditallow for these permissions on 11/26/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.

Bug: 142672293
Test: TH
Change-Id: I18f99f54385b7c4e7c2ae923eff4c76800323a73
2020-01-09 13:23:40 -08:00
Ashwini Oruganti
d1a8f0dcb4 priv_app: Remove rules for storaged
We added an auditallow for these permissions on 11/26/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.

Bug: 142672293
Test: TH
Change-Id: I2a59cac8041646b548ba1a73fcd5fddabb4d1429
2020-01-09 13:02:38 -08:00
Treehugger Robot
4f362b1c68 Merge "priv_app: Remove rules for update_engine" 2020-01-08 23:21:27 +00:00
Ashwini Oruganti
5d395b253c priv_app: Remove rules for update_engine
We added an auditallow for these permissions on 11/26/2019, and have not
seen any recent logs for this in go/sedenials. No other priv-app should
rely on this now that gmscore is running in its own domain.

Bug: 142672293
Test: TH
Change-Id: I554ace42852023521e94017b1e782b6a09129fdf
2020-01-08 13:54:38 -08:00