Commit graph

292 commits

Author SHA1 Message Date
David Anderson
6557d87b0f Add sepolicy for installing GSIs to external storage.
To install GSIs on external storage (such as sdcards), gsid needs some
additional privileges:
 - proc_cmdline and device-tree access to call ReadDefaultFstab().
   This is ultimately used to check whether system's dm-verity has
   check_at_most_once enabled, which is disallowed with sdcards.
 - vfat read/write access to write files to the sdcard. Note that
   adopted sdcards are not supported here.
 - read access to the sdcard block device. To enable this without
   providing access to vold_block_device, a new sdcard_block_device
   label was added. Devices must apply this label appropriately to
   enable gsid access.
 - FIBMAP access for VFAT filesystems, as they do not support FIEMAP.
   This only appears to work by granting SYS_RAWIO.

Bug: 126230649
Test: adb shell su root gsi_tool install --install_dir=/mnt/media_rw/...
      works without setenforce 0

Change-Id: I88d8d83e5f61d4c0490f912f226fe1fe38cd60ab
2019-03-27 17:12:51 -07:00
Tri Vo
786b973c96 Don't audit audit_access denials to /dev/binder
Without VNDK, libcutils has to probe for /dev/binder access before
reaching to ashmemd via binder. Ignore denials generated when probing
/dev/binder.

Bug: 129073672
Test: boot sailfish without denials to /dev/binder
Change-Id: I07ba2e094586df353d54507458e891a3d14c1ca6
2019-03-25 17:23:36 -07:00
Andreas Gampe
d6fdcefaa8 Sepolicy: Move otapreopt_chroot to private
Move complete domain to private/. Move referencing parts in domain
and kernel to private.

Bug: 128840749
Test: m
Change-Id: I5572c3b04e41141c8f4db62b1361e2b392a5e2da
2019-03-18 10:54:42 -07:00
Jayant Chowdhary
f7b53209a4 Allow camera hal to read serialno.
Bug: 128037879

Test: Camera HAL is able to read ro.serialno

Change-Id: I904c852a7100bc65456ee63ffb31d70681293d7d
Signed-off-by: Jayant Chowdhary <jchowdhary@google.com>
2019-03-14 14:36:41 -07:00
Tri Vo
d6c5ff5f72 Allow global read access to /sys/kernel/mm/transparent_hugepage/
If kernel is built with CONFIG_TRANSPARENT_HUGEPAGE optimization,
libjemalloc5 will attempt to read
/sys/kernel/mm/transparent_hugepage/enabled and hit an SELinux denial.

Various denials similiar to the following are seen on cuttlefish:
avc: denied { open } for comm="surfaceflinger"
path="/sys/kernel/mm/transparent_hugepage/enabled" dev="sysfs" ino=776
scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file
permissive=1

Bug: 28053261
Test: boot cuttlefish without above denials.
Change-Id: Ic33f12d31aacc42d662a8c5c297fbb5f84d4deea
2019-03-13 23:47:25 +00:00
wenquan.zhang
182d50d10b ODM updates the recovery partition through vendor's materials
This is for Non-AB ota update recovery partition on GMS Express 2.0 project.
recovery partition update via /vendor/bin/install-recovery.sh from /vendor/etc/recovery.img

Bug: 124277294
Test: builds and test GOTA.
Change-Id: I97521c03a881bd0427e5d02836220ee2c0db7650
2019-03-13 03:24:55 -07:00
Steven Moreland
981f6c2d5e Clarify comment on tombstoned exception.
The OMX comment here seems unrelated. The linker (system) uses it to
talk to tombstoned.

Fixes: 112606643
Test: N/A
Change-Id: Ib3da832f120d3cc244aa22de5d4d655b874db38b
2019-03-07 15:24:07 -08:00
Suren Baghdasaryan
6155b2fd11 sepolicy for vendor cgroups.json and task_profiles.json files
Vendors should be able to specify additional cgroups and task profiles
without changing system files. Add access rules for /vendor/etc/cgroups.json
and /vendor/etc/task_profiles.json files which will augment cgroups and
task profiles specified in /etc/cgroups.json and /etc/task_profiles.json
system files. As with system files /vendor/etc/cgroups.json is readable
only by init process. task_profiles.json is readable by any process that
uses cgroups.

Bug: 124960615
Change-Id: I12fcff0159b4e7935ce15cc19ae36230da0524fc
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-03-01 00:32:15 +00:00
Joel Galenson
a92753538f Fix CTS neverallow violation.
Fixes: 126604492
Test: Build userdebug and user.
Test: Test
android.cts.security.SELinuxNeverallowRulesTest#testNeverallowRules129
on userdebug.

Change-Id: I0716e566570114878842644339401331513bae22
2019-02-27 19:33:11 -08:00
Tri Vo
8b12ff5f21 Neverallow app open access to /dev/ashmem
Apps are no longer allowed open access to /dev/ashmem, unless they
target API level < Q.

Bug: 113362644
Test: device boots, Chrome, instant apps work
Change-Id: I1cff08f26159fbf48a42afa7cfa08eafa1936f42
2019-02-27 21:17:25 +00:00
Andreas Gampe
f77bcdcf57 Sepolicy: Move dac_override checks to private
In preparation for moving other components to private, so that
private-only components can stay private.

Bug: 125474642
Test: m
Change-Id: Iff1ecabc4f45051d06e062b3338a117c09b39ff9
2019-02-26 13:12:05 -08:00
Andreas Gampe
63c7b0fa18 Sepolicy: Move dalvik cache neverallow to private
In preparation for additions that should be private-only, move
the neverallows to domain's private part.

Bug: 125474642
Test: m
Change-Id: I7def500221701500956fc0b6948afc58aba5234e
2019-02-22 05:11:08 -08:00
Mark Salyzyn
bd80e63e03 fs_mgr: overlayfs support legacy devices (marlin) Part Deux
On legacy devices system_<other> partition is blocked from
becoming the backing store under certain circumstances.

Test: system/core/fs_mgr/tests/adb-remount-test.sh
Bug: 120448575
Bug: 123079041
Change-Id: I1803f072ca21bc116554eee1d01a1dbd2c9ed0c9
2019-02-15 15:56:16 +00:00
Pierre Lee
30c77c1695 add hal_bootctl to white-list of sys_rawio
VtsHalBootV1_0Target test cases fail on a platform when executing boot control operation.
The cases fail because of hal_bootctl has no sys_rawio permission to do storage IOCTL to
switch boot slot.

Bug: 118011561
Test: VtsHalBootV1_0Target can pass
Change-Id: Idbbb9ea8b76fe62b2d4b71356cef7a07ad4de890
2019-02-13 12:38:22 +00:00
Tri Vo
1ded205bd2 Restore ephemeral app access to /dev/ashmem
Bug: 124061057
Test: m selinux_policy
Test: vimeo aia launches
Change-Id: I8b49675c35a227737418c1b85c410bfac0e7e584
2019-02-08 17:20:40 -08:00
Tri Vo
73d0a67b06 sepolicy for ashmemd
all_untrusted_apps apart from untrusted_app_{25, 27} and mediaprovider
are now expected to go to ashmemd for /dev/ashmem fds.

Give coredomain access to ashmemd, because ashmemd is the default way
for coredomain to get a /dev/ashmem fd.

Bug: 113362644
Test: device boots, ashmemd running
Test: Chrome app works
Test: "lsof /system/lib64/libashmemd_client.so" shows
libashmemd_client.so being loaded into apps.
Change-Id: I279448c3104c5d08a1fefe31730488924ce1b37a
2019-02-05 21:38:14 +00:00
Jeff Vander Stoep
0ac2eece90 Neverallow executable files and symlink following
Test: build
Change-Id: Iec30d8a7642c34f12571c5654914ddbdc3d8355e
2019-02-04 18:38:05 +00:00
Suren Baghdasaryan
561ce801b0 sepolicy changes to configure cgroup.rc and task_profiles.json access
cgroups.json file contains cgroup information required to mount
cgroup controllers and is readable only by init process.
cgroup.rc contains cgroup map information consisting of the list of
cgroups available in the system and their mounting locations. It is
created by init process and should be readable by any processes that
uses cgroups and should be writable only by init process.
task_profiles.json file contains task profiles used to operate on
cgroups. This information should be readable by any process that uses
cgroups and should be writable only by init process.

Bug: 111307099
Test: builds, boots

Change-Id: Ib2c87c0fc3663c7fc69628f05c846519b65948b5
Merged-In: Ib2c87c0fc3663c7fc69628f05c846519b65948b5
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-02-02 16:56:08 +00:00
Jiyong Park
4b3f2c6245 Label the bootstrap linker and bionic mount points
Bootstap linker has been moved from /system/bin/linker[64] to
/system/bin/bootstrap/linker[64]. Reflect the change in file_contexts.
Existing paths are not removed since the bootstrap linker (or the
linker from the rumtime APEX) will be bind-mounted to the old path by
init.

Also label the files under /bionic which serve as mount points for
either of the bootstrap bionic or the bionic from the runtime APEX.

In addition, read access for the symlinks in /system/lib/*.so and
/system/bin/linker is granted. This is because Bionic files in the paths
are now symlinks to the corresponding mountpoints at /bionic.

Bug: 120266448
Test: device boots to the UI

Change-Id: Iea4d76eb46754b435b6c5428481cd177da8d2ee1
2019-01-31 13:44:21 +09:00
Yabin Cui
84c70929be Fix running simpleperf_app_runner on user device.
Bug: 118835348
Test: build and boot blueline user device.
Test: test simpleperf_app_runner manually.
Change-Id: I022d7f10f6164e6980f55badd4edcdc76a73c004
2019-01-30 11:09:43 -08:00
Jeff Vander Stoep
41a2abfc0d Properly Treble-ize tmpfs access
This is being done in preparation for the migration from ashmem to
memfd. In order for tmpfs objects to be usable across the Treble
boundary, they need to be declared in public policy whereas, they're
currently all declared in private policy as part of the
tmpfs_domain() macro. Remove the type declaration from the
macro, and remove tmpfs_domain() from the init_daemon_domain() macro
to avoid having to declare the *_tmpfs types for all init launched
domains. tmpfs is mostly used by apps and the media frameworks.

Bug: 122854450
Test: Boot Taimen and blueline. Watch videos, make phone calls, browse
internet, send text, install angry birds...play angry birds, keep
playing angry birds...

Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358
Merged-In: I20a47d2bb22e61b16187015c7bc7ca10accf6358
(cherry picked from commit e16fb9109c)
2019-01-26 17:30:41 +00:00
Jiyong Park
4372bfb5cd Don't audit access for postinstall_mnt_dir
The dynamic linker always calls access(2) on the path. Don't generate SElinux
denials since the linker does not actually access the path in case the path
does not exist or isn't accessible for the process.

Bug: 120996057
Test: copy ping to /data/local/tmp, run it, no selinux denials
Test: bionic unit tests

Change-Id: Idf33ba7bc6c0d657b6ab0abde6bd078e4bb024e5
2019-01-25 20:48:58 +09:00
Yabin Cui
e5fc21c787 Add sepolicy for simpleperf_app_runner.
Bug: 118835348
Test: build and boot pixel 3.
Test: run simpleperf_app_runner manually.

Change-Id: Ifb6c2ab78e075684bc197d06f761becced8281d1
2019-01-23 23:23:09 +00:00
Martijn Coenen
1bbda7e662 Initial sepolicy for app_zygote.
The application zygote is a new sort of zygote process that is a
child of the regular zygote. Each application zygote is tied to the
application for which it's launched. Once it's started, it will
pre-load some of the code for that specific application, much like
the regular zygote does for framework code.

Once the application zygote is up and running, it can spawn
isolated service processes that run in the isolated_app domain. These
services can then benefit from already having the relevant
application code and data pre-loaded.

The policy is largely the same as the webview_zygote domain,
however there are a few crucial points where the policy is different.

1) The app_zygote runs under the UID of the application that spawned
   it.
2) During app_zygote launch, it will call a callback that is
   controlled by the application, that allows the application to
   pre-load code and data that it thinks is relevant.

Especially point 2 is imporant: it means that untrusted code can run
in the app_zygote context. This context is severely limited, and the
main concern is around the setgid/setuid capabilities. Those conerns
are mitigated by installing a seccomp filter that only allows
setgid/setuid to be called in a safe range.

Bug: 111434506
Test: app_zygote can start and fork children without denials.
Change-Id: I1cc49ee0042d41e5ac6eb81d8f8a10ba448d4832
2019-01-21 08:24:41 +00:00
Steven Moreland
b7246ac0b6 system/etc/event-log-tags available to all
This was a regression in Q, and the file is an implementation of
liblog.

Bug: 113083310
Test: use tags from vendor and see no denials

Change-Id: I726cc1fcfad39afc197b21e431a687a3e4c8ee4a
2019-01-11 18:42:02 +00:00
Rafal Slawik
4e1c5764b5 SELinux policy for rss_hwm_reset
rss_hwm_reset is binary that reset RSS high-water mark counters for all
currently running processes. It runs in a separate process because it
needs dac_override capability.

Bug: 119603799
Test: no errors in logcat
Change-Id: I6221a5eca3427bf532830575d8fba98eb3e65c29
2018-12-15 10:13:03 +00:00
Tri Vo
02c4c3fa7b Remove sepolicy for /dev/alarm.
After b/28357356 /dev/alarm is no longer used by android platform.
Also, Pixel devices don't have /dev/alarm.

Bug: 110962171
Test: boot aosp_walleye
Change-Id: Id9723996104a2548ddf366489890c098d1ea87be
2018-12-06 04:23:22 +00:00
Nick Kralevich
1e5021c450 Move some rules around
Move rules / neverallow assertions from public to private policy. This
change, by itself, is a no-op, but will make future patches easier to
read. The only downside of this change is that it will make git blame
less effective.

Motivation: When rules are placed into the public directory, they cannot
reference a private type. A future change will modify these rules to
reference a private type.

Test: compiles
Bug: 112357170
Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
2018-11-28 17:55:21 -08:00
Florian Mayer
b1dad09679 Allow heap profiling everything except TCB on userdebug.
Bug: 117762471
Test: m
Test: flash sailfish
Test: profile all running processes with setenforce 1

Change-Id: I71d41d06d2a62190e33b7e3e425a1f7b8039196e
2018-11-28 22:01:58 +00:00
Haibo Huang
544a0d5480 Add new cpu variant related rules to SELinux
I added ro.bionic.(2nd_)?_(arch|cpu_variant) to vendor system
properties. And have init to write them to files under dev/.

This change set SELinux rules for these properties and files.

For the system properties: vendor/default.prop will set them. init will
read them.
For the files /dev/cpu_variant:.*: init will write them. bionic libc
will read them. (Basically world readable).

This is to allow libc select the right optimized routine at runtime.
Like memcpy / strcmp etc.

Test: getprop to make sure the properties are set.
Test: ls -laZ to make sure /dev/cpu_variant:.* are correctly labeled.

Change-Id: I41662493dce30eae6d41bf0985709045c44247d3
2018-11-19 18:29:36 +00:00
Jiyong Park
b1feedc2b1 Allow domain to getattr on apex_mnt_dir
The dynamic linker calls realpath(3) on paths found in the linker config
script. Since realpath() calls lstat() on the parent paths, not allowing
getattr on /apex and its subdirectories will cause selinux denial spam
whenever something is executed from APEXes.

Silence the spam by allowing getattr on apex_mnt_dir.

Bug: 117403679
Bug: 115787633
Test: m apex.test; m; device is bootable

Change-Id: Ic659582760a3ae146e73770266bc64332b36a97c
2018-11-17 04:05:49 +00:00
Nick Kralevich
fe4061da83 remove system_server debugfs:file r_file_perms
Auditallow added in commit 72edbb3e83 ("Audit generic debugfs access for
removal", May 01 2018) has not triggered. Remove allow rule and tighten
up neverallow rule.

Test: policy compiles
Test: no collected SELinux denials.
Change-Id: I9a90463575f9eab4711b72d6f444fa9d526b80e1
2018-11-16 11:29:44 -08:00
Nick Kralevich
40d4b0b6cc Delete get_prop(su, ...) rules
It is unnecessary to use get_prop() rules for the su domain. The
su domain is always in permissive mode [1] and not subject to SELinux
enforcement. It's also possible these rules were added to avoid SELinux
denial log spam from showing up, however, there are already dontaudit
rules in place [2] to prevent this.

Delete the unnecessary rules.

[1] 96b62a60c2/private/su.te (19)
[2] 96b62a60c2/public/su.te (42)

Test: policy compiles
Change-Id: I5913f360738725bf915f0606d381029b9ba4318f
2018-11-15 19:01:19 -08:00
Tri Vo
c7f56cdc83 Remove kmem_device selinux type.
kmem_device was used to label /dev/mem and /dev/kmem. We already have
multiple layers of protection against those /dev nodes being present on
devices.

CTS checks that /dev/mem and /dev/kmem don't exist:
https://android.googlesource.com/platform/cts/+/master/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java#233

VTS enforces our base kernel configs, which have CONFIG_DEVKMEM and
CONFIG_DEVMEM disabled:
https://android.googlesource.com/kernel/configs/+/master/android-4.9/android-base.config#2

Bug: 110962171
Test: m selinux_policy
Change-Id: I246740684218dee0cddf81dabf84d4763a753cde
2018-11-15 21:31:56 +00:00
Florian Mayer
45f4847c21 Add userdebug selinux config for heapprofd.
Test: m
Test: flash sailfish
Test: profile system_server

Change-Id: I577793af655146ee91be86bb286fcf9d6e6d081d
2018-11-14 09:22:07 +00:00
Tri Vo
9410105cc7 Neverallow vendor access to system_file.
Bug: 111243627
Test: m selinux_policy
Change-Id: I37d03906b93c8810f1d33af736f19fd6ab241c35
2018-11-05 17:21:44 +00:00
Nick Kralevich
619c1ef2ac tun_device: enforce ioctl restrictions
Require all SELinux domains which have permission to perform ioctls on
/dev/tun explicitly specify what ioctls they perform. Only allow the
safe defaults FIOCLEX and FIONCLEX, which are alternate, uncommon ways
to set and unset the O_CLOEXEC flag.

Remove app's ability to issue *any* ioctls on /dev/tun, period. Add
neverallow assertions (compile time assertion + CTS test) to prevent
regressions.

Limit system_server's ability to perform ioctls on /dev/tun to FIOCLEX,
FIONCLEX, TUNGETIFF, and TUNSETIFF. Testing and source code examination
shows that only TUNGETIFF and TUNSETIFF are used by system_server.

The goal of this change is to put SELinux ioctl controls in place for
/dev/tun, so we don't have to maintain the custom kernel patch at
11cee2be0c%5E%21

Delete the neverallow assertion in isolated_app.te. This is already
covered by the assertion present in app_neverallows.te.

Test: cts-tradefed run cts -m CtsHostsideNetworkTests -t com.android.cts.net.HostsideVpnTests
Test: cts-tradefed run cts -m CtsHostsideNetworkTests
Test: cts-tradefed run cts -m CtsNetTestCases
Bug: 111560739
Bug: 111560570
Change-Id: Ibe1c3a9e880db0bee438535554abdbc6d84eec45
2018-11-01 12:13:27 -07:00
Mark Salyzyn
33442f57e7 fastboot: /mnt/scratch refined access on userdebug
Already has permissions to remove the scratch partition, but to allow
more refined cleansing (eg: just remove vendor override), need the
ability to mount and scrub overlay directories.

Test: manual
Bug: 117605276
Change-Id: Ibc272c0aa7ce207280023912f5f119ccf5079a7f
2018-11-01 14:57:01 +00:00
Nick Kralevich
caf42d615d Transient SELinux domain for system_server JIT
Create a transient SELinux domain where system_server can perform
certain JIT setup. The idea is that system_server will start in the
system_server_startup domain, setup certain JIT pages, then perform a
one-way transition into the system_server domain. From that point,
further JITing operations are disallowed.

Bug: 62356545
Test: device boots, no permission errors
Change-Id: Ic55b2cc5aba420ebcf62736622e08881a4779004
2018-10-31 12:32:01 +00:00
Tri Vo
90cf5a7fb3 same_process_hal_file: access to individual coredomains
Remove blanket coredomain access to same_process_hal_file in favor of
granular access. This change takes into account audits from go/sedenials
(our internal dogfood program)

Bug: 37211678
Test: m selinux_policy
Change-Id: I5634fb65c72d13007e40c131a600585a05b8c4b5
2018-10-26 18:03:01 +00:00
Tri Vo
3d2e200b69 asan: restore global access to system_asan_options_file.
Bug: 118161817
Test: SANITIZE_TARGET=address m selinux_policy
Change-Id: I4dabcb3692c59b810a06567e272bca9f0e9c3ecd
2018-10-22 13:05:05 -07:00
Tri Vo
e6b1a4caf9 Reland "Neverallow vendor code access to files on /system."
What changed:
- Tightening neverallow forbidding vendor execution access in /system.
In it's current form the neverallow is loose because not all executables
have exec_type attribute, e.g. almost everything in /system/bin/. This
change tightens up the neverallow by instead targeting system_file_type
attribute, which must be applied to all files in /system.
- Adding a general neverallow forbidding all access to files in /system
(bar exceptions)

TODOs:
- Remove loopholes once Treble violations are fixed across all internal
build targets.

Bug: 111243627
Test: m selinux_policy; build-only change
Change-Id: I150195756c0c3258904c3da0812bbd942ea2f229
2018-10-19 13:26:50 -07:00
Pavel Grafov
10b250df24 Revert "Neverallow vendor code access to files on /system."
This reverts commit c855629ebd.

Reason for revert: breaks builds for some devices in master

Change-Id: I02c0967d6607ef0173b4188c06d2e781c3c93f4b
2018-10-19 11:10:55 +00:00
Nick Kralevich
4c8eaba75a start enforcing ioctl restrictions on blk_file
Start enforcing the use of ioctl restrictions on all Android block
devices. Domains which perform ioctls on block devices must be explicit
about what ioctls they issue. The only ioctls allowed by default are
BLKGETSIZE64, BLKSSZGET, FIOCLEX, and FIONCLEX.

Test: device boots and no problems.
Change-Id: I1195756b20cf2b50bede1eb04a48145a97a35867
2018-10-18 15:24:32 -07:00
Nick Kralevich
6790008920 Allow TCGETS on pipes (fifo_file)
Allow a process to determine if a fifo_file (aka pipe, created from the
pipe() or pipe2() syscall) is a tty.

Addresses the following denials:

type=1400 audit(0.0:1307): avc: denied { ioctl } for comm="ls" path="pipe:[213117]" dev="pipefs" ino=213117 ioctlcmd=5401 scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:r:hal_dumpstate_impl:s0 tclass=fifo_file permissive=0
type=1400 audit(0.0:22): avc: denied { ioctl } for comm="sh" path="pipe:[54971]" dev="pipefs" ino=54971 ioctlcmd=5401 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:r:untrusted_app_27:s0:c512,c768 tclass=fifo_file permissive=0 app=com.zhihu.android
type=1400 audit(0.0:237): avc: denied { ioctl } for comm="sh" path="pipe:[56997]" dev="pipefs" ino=56997 ioctlcmd=5401 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=fifo_file permissive=0 app=fm.qingting.qtradio

Test: policy compiles and device builds.
Change-Id: Ic4c6441d0ec33de8cda3f13ff529e98374897364
2018-10-18 09:10:54 -07:00
Tri Vo
c855629ebd Neverallow vendor code access to files on /system.
What changed:
- Tightening neverallow forbidding vendor execution access in /system.
In it's current form the neverallow is loose because not all executables
have exec_type attribute, e.g. almost everything in /system/bin/. This
change tightens up the neverallow by instead targeting system_file_type
attribute, which must be applied to all files in /system.
- Adding a general neverallow forbidding all access to files in /system
(bar exceptions)

TODOs:
- Remove loopholes once Treble violations are fixed across all internal
build targets.

Bug: 111243627
Test: m selinux_policy; build-only change
Change-Id: Ic8d71c8d139cad687ad7d7c9db7111240475f175
2018-10-17 22:31:02 +00:00
Nick Kralevich
8ee8e26355 more ioctl work
Add a neverallow rule requiring fine-grain ioctl filtering for most file
and socket object classes. Only chr_file and blk_file are excluded. The
goal is to ensure that any file descriptor which supports ioctl commands
uses a whitelist.

Further refine the list of file / socket objects which require ioctl
filtering. The previous ioctl filtering did not cover the following:

1) ioctls on /proc/PID files
2) ioctls on directories in /dev
3) PDX unix domain sockets

Add FIONCLEX to the list of globally safe ioctls. FIOCLEX and FIONCLEX
are alternate, uncommon ways to set the O_CLOEXEC flag on a file
descriptor, which is a harmless operation.

Test: device boots and no problems.
Change-Id: I6ba31fbe2f21935243a344d33d67238d72a8e618
2018-10-17 11:12:18 -07:00
Dario Freni
bab267a88f Allow apexd to create symlink in /apex.
Bug: 115710947
Test: on device
Change-Id: Ie712689d80fb829f16de70e865cac4f0ff4e9b35
2018-10-17 11:25:02 +01:00
Tri Vo
888b92135c Reland "Treat input files as public API."
Input files are public API:
https://source.android.com/devices/input/input-device-configuration-files
Now that they have labels from core policy (aosp/782082), we can tighten
up our neverallows.

Bug: 37168747
Test: m selinux_policy
Change-Id: Ifaf9547993eb8c701fb63b7ee41971ea4e3f7cf9
2018-10-16 18:02:00 +00:00
Chong Zhang
52fb3edbb6 add media.codec.update service
Add a service in mediaswcodec to load updated codecs,
and restrict it to userdebug/eng. Reuse existing
mediaextractor_update_service since the codec update
service is identical, this avoids adding a new one
for now as we may not need the service anymore
after switching to APEX.

Bug: 111407413
Bug: 117290290

Change-Id: Ia75256f47433bd13ed819c70c1fb34ecd5d507b4
2018-10-15 21:06:53 +00:00