To install GSIs on external storage (such as sdcards), gsid needs some
additional privileges:
- proc_cmdline and device-tree access to call ReadDefaultFstab().
This is ultimately used to check whether system's dm-verity has
check_at_most_once enabled, which is disallowed with sdcards.
- vfat read/write access to write files to the sdcard. Note that
adopted sdcards are not supported here.
- read access to the sdcard block device. To enable this without
providing access to vold_block_device, a new sdcard_block_device
label was added. Devices must apply this label appropriately to
enable gsid access.
- FIBMAP access for VFAT filesystems, as they do not support FIEMAP.
This only appears to work by granting SYS_RAWIO.
Bug: 126230649
Test: adb shell su root gsi_tool install --install_dir=/mnt/media_rw/...
works without setenforce 0
Change-Id: I88d8d83e5f61d4c0490f912f226fe1fe38cd60ab
Without VNDK, libcutils has to probe for /dev/binder access before
reaching to ashmemd via binder. Ignore denials generated when probing
/dev/binder.
Bug: 129073672
Test: boot sailfish without denials to /dev/binder
Change-Id: I07ba2e094586df353d54507458e891a3d14c1ca6
Move complete domain to private/. Move referencing parts in domain
and kernel to private.
Bug: 128840749
Test: m
Change-Id: I5572c3b04e41141c8f4db62b1361e2b392a5e2da
Bug: 128037879
Test: Camera HAL is able to read ro.serialno
Change-Id: I904c852a7100bc65456ee63ffb31d70681293d7d
Signed-off-by: Jayant Chowdhary <jchowdhary@google.com>
If kernel is built with CONFIG_TRANSPARENT_HUGEPAGE optimization,
libjemalloc5 will attempt to read
/sys/kernel/mm/transparent_hugepage/enabled and hit an SELinux denial.
Various denials similiar to the following are seen on cuttlefish:
avc: denied { open } for comm="surfaceflinger"
path="/sys/kernel/mm/transparent_hugepage/enabled" dev="sysfs" ino=776
scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file
permissive=1
Bug: 28053261
Test: boot cuttlefish without above denials.
Change-Id: Ic33f12d31aacc42d662a8c5c297fbb5f84d4deea
This is for Non-AB ota update recovery partition on GMS Express 2.0 project.
recovery partition update via /vendor/bin/install-recovery.sh from /vendor/etc/recovery.img
Bug: 124277294
Test: builds and test GOTA.
Change-Id: I97521c03a881bd0427e5d02836220ee2c0db7650
The OMX comment here seems unrelated. The linker (system) uses it to
talk to tombstoned.
Fixes: 112606643
Test: N/A
Change-Id: Ib3da832f120d3cc244aa22de5d4d655b874db38b
Vendors should be able to specify additional cgroups and task profiles
without changing system files. Add access rules for /vendor/etc/cgroups.json
and /vendor/etc/task_profiles.json files which will augment cgroups and
task profiles specified in /etc/cgroups.json and /etc/task_profiles.json
system files. As with system files /vendor/etc/cgroups.json is readable
only by init process. task_profiles.json is readable by any process that
uses cgroups.
Bug: 124960615
Change-Id: I12fcff0159b4e7935ce15cc19ae36230da0524fc
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Fixes: 126604492
Test: Build userdebug and user.
Test: Test
android.cts.security.SELinuxNeverallowRulesTest#testNeverallowRules129
on userdebug.
Change-Id: I0716e566570114878842644339401331513bae22
Apps are no longer allowed open access to /dev/ashmem, unless they
target API level < Q.
Bug: 113362644
Test: device boots, Chrome, instant apps work
Change-Id: I1cff08f26159fbf48a42afa7cfa08eafa1936f42
In preparation for moving other components to private, so that
private-only components can stay private.
Bug: 125474642
Test: m
Change-Id: Iff1ecabc4f45051d06e062b3338a117c09b39ff9
In preparation for additions that should be private-only, move
the neverallows to domain's private part.
Bug: 125474642
Test: m
Change-Id: I7def500221701500956fc0b6948afc58aba5234e
On legacy devices system_<other> partition is blocked from
becoming the backing store under certain circumstances.
Test: system/core/fs_mgr/tests/adb-remount-test.sh
Bug: 120448575
Bug: 123079041
Change-Id: I1803f072ca21bc116554eee1d01a1dbd2c9ed0c9
VtsHalBootV1_0Target test cases fail on a platform when executing boot control operation.
The cases fail because of hal_bootctl has no sys_rawio permission to do storage IOCTL to
switch boot slot.
Bug: 118011561
Test: VtsHalBootV1_0Target can pass
Change-Id: Idbbb9ea8b76fe62b2d4b71356cef7a07ad4de890
all_untrusted_apps apart from untrusted_app_{25, 27} and mediaprovider
are now expected to go to ashmemd for /dev/ashmem fds.
Give coredomain access to ashmemd, because ashmemd is the default way
for coredomain to get a /dev/ashmem fd.
Bug: 113362644
Test: device boots, ashmemd running
Test: Chrome app works
Test: "lsof /system/lib64/libashmemd_client.so" shows
libashmemd_client.so being loaded into apps.
Change-Id: I279448c3104c5d08a1fefe31730488924ce1b37a
cgroups.json file contains cgroup information required to mount
cgroup controllers and is readable only by init process.
cgroup.rc contains cgroup map information consisting of the list of
cgroups available in the system and their mounting locations. It is
created by init process and should be readable by any processes that
uses cgroups and should be writable only by init process.
task_profiles.json file contains task profiles used to operate on
cgroups. This information should be readable by any process that uses
cgroups and should be writable only by init process.
Bug: 111307099
Test: builds, boots
Change-Id: Ib2c87c0fc3663c7fc69628f05c846519b65948b5
Merged-In: Ib2c87c0fc3663c7fc69628f05c846519b65948b5
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Bootstap linker has been moved from /system/bin/linker[64] to
/system/bin/bootstrap/linker[64]. Reflect the change in file_contexts.
Existing paths are not removed since the bootstrap linker (or the
linker from the rumtime APEX) will be bind-mounted to the old path by
init.
Also label the files under /bionic which serve as mount points for
either of the bootstrap bionic or the bionic from the runtime APEX.
In addition, read access for the symlinks in /system/lib/*.so and
/system/bin/linker is granted. This is because Bionic files in the paths
are now symlinks to the corresponding mountpoints at /bionic.
Bug: 120266448
Test: device boots to the UI
Change-Id: Iea4d76eb46754b435b6c5428481cd177da8d2ee1
Bug: 118835348
Test: build and boot blueline user device.
Test: test simpleperf_app_runner manually.
Change-Id: I022d7f10f6164e6980f55badd4edcdc76a73c004
This is being done in preparation for the migration from ashmem to
memfd. In order for tmpfs objects to be usable across the Treble
boundary, they need to be declared in public policy whereas, they're
currently all declared in private policy as part of the
tmpfs_domain() macro. Remove the type declaration from the
macro, and remove tmpfs_domain() from the init_daemon_domain() macro
to avoid having to declare the *_tmpfs types for all init launched
domains. tmpfs is mostly used by apps and the media frameworks.
Bug: 122854450
Test: Boot Taimen and blueline. Watch videos, make phone calls, browse
internet, send text, install angry birds...play angry birds, keep
playing angry birds...
Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358
Merged-In: I20a47d2bb22e61b16187015c7bc7ca10accf6358
(cherry picked from commit e16fb9109c)
The dynamic linker always calls access(2) on the path. Don't generate SElinux
denials since the linker does not actually access the path in case the path
does not exist or isn't accessible for the process.
Bug: 120996057
Test: copy ping to /data/local/tmp, run it, no selinux denials
Test: bionic unit tests
Change-Id: Idf33ba7bc6c0d657b6ab0abde6bd078e4bb024e5
The application zygote is a new sort of zygote process that is a
child of the regular zygote. Each application zygote is tied to the
application for which it's launched. Once it's started, it will
pre-load some of the code for that specific application, much like
the regular zygote does for framework code.
Once the application zygote is up and running, it can spawn
isolated service processes that run in the isolated_app domain. These
services can then benefit from already having the relevant
application code and data pre-loaded.
The policy is largely the same as the webview_zygote domain,
however there are a few crucial points where the policy is different.
1) The app_zygote runs under the UID of the application that spawned
it.
2) During app_zygote launch, it will call a callback that is
controlled by the application, that allows the application to
pre-load code and data that it thinks is relevant.
Especially point 2 is imporant: it means that untrusted code can run
in the app_zygote context. This context is severely limited, and the
main concern is around the setgid/setuid capabilities. Those conerns
are mitigated by installing a seccomp filter that only allows
setgid/setuid to be called in a safe range.
Bug: 111434506
Test: app_zygote can start and fork children without denials.
Change-Id: I1cc49ee0042d41e5ac6eb81d8f8a10ba448d4832
This was a regression in Q, and the file is an implementation of
liblog.
Bug: 113083310
Test: use tags from vendor and see no denials
Change-Id: I726cc1fcfad39afc197b21e431a687a3e4c8ee4a
rss_hwm_reset is binary that reset RSS high-water mark counters for all
currently running processes. It runs in a separate process because it
needs dac_override capability.
Bug: 119603799
Test: no errors in logcat
Change-Id: I6221a5eca3427bf532830575d8fba98eb3e65c29
After b/28357356 /dev/alarm is no longer used by android platform.
Also, Pixel devices don't have /dev/alarm.
Bug: 110962171
Test: boot aosp_walleye
Change-Id: Id9723996104a2548ddf366489890c098d1ea87be
Move rules / neverallow assertions from public to private policy. This
change, by itself, is a no-op, but will make future patches easier to
read. The only downside of this change is that it will make git blame
less effective.
Motivation: When rules are placed into the public directory, they cannot
reference a private type. A future change will modify these rules to
reference a private type.
Test: compiles
Bug: 112357170
Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
I added ro.bionic.(2nd_)?_(arch|cpu_variant) to vendor system
properties. And have init to write them to files under dev/.
This change set SELinux rules for these properties and files.
For the system properties: vendor/default.prop will set them. init will
read them.
For the files /dev/cpu_variant:.*: init will write them. bionic libc
will read them. (Basically world readable).
This is to allow libc select the right optimized routine at runtime.
Like memcpy / strcmp etc.
Test: getprop to make sure the properties are set.
Test: ls -laZ to make sure /dev/cpu_variant:.* are correctly labeled.
Change-Id: I41662493dce30eae6d41bf0985709045c44247d3
The dynamic linker calls realpath(3) on paths found in the linker config
script. Since realpath() calls lstat() on the parent paths, not allowing
getattr on /apex and its subdirectories will cause selinux denial spam
whenever something is executed from APEXes.
Silence the spam by allowing getattr on apex_mnt_dir.
Bug: 117403679
Bug: 115787633
Test: m apex.test; m; device is bootable
Change-Id: Ic659582760a3ae146e73770266bc64332b36a97c
Auditallow added in commit 72edbb3e83 ("Audit generic debugfs access for
removal", May 01 2018) has not triggered. Remove allow rule and tighten
up neverallow rule.
Test: policy compiles
Test: no collected SELinux denials.
Change-Id: I9a90463575f9eab4711b72d6f444fa9d526b80e1
It is unnecessary to use get_prop() rules for the su domain. The
su domain is always in permissive mode [1] and not subject to SELinux
enforcement. It's also possible these rules were added to avoid SELinux
denial log spam from showing up, however, there are already dontaudit
rules in place [2] to prevent this.
Delete the unnecessary rules.
[1] 96b62a60c2/private/su.te (19)
[2] 96b62a60c2/public/su.te (42)
Test: policy compiles
Change-Id: I5913f360738725bf915f0606d381029b9ba4318f
Require all SELinux domains which have permission to perform ioctls on
/dev/tun explicitly specify what ioctls they perform. Only allow the
safe defaults FIOCLEX and FIONCLEX, which are alternate, uncommon ways
to set and unset the O_CLOEXEC flag.
Remove app's ability to issue *any* ioctls on /dev/tun, period. Add
neverallow assertions (compile time assertion + CTS test) to prevent
regressions.
Limit system_server's ability to perform ioctls on /dev/tun to FIOCLEX,
FIONCLEX, TUNGETIFF, and TUNSETIFF. Testing and source code examination
shows that only TUNGETIFF and TUNSETIFF are used by system_server.
The goal of this change is to put SELinux ioctl controls in place for
/dev/tun, so we don't have to maintain the custom kernel patch at
11cee2be0c%5E%21
Delete the neverallow assertion in isolated_app.te. This is already
covered by the assertion present in app_neverallows.te.
Test: cts-tradefed run cts -m CtsHostsideNetworkTests -t com.android.cts.net.HostsideVpnTests
Test: cts-tradefed run cts -m CtsHostsideNetworkTests
Test: cts-tradefed run cts -m CtsNetTestCases
Bug: 111560739
Bug: 111560570
Change-Id: Ibe1c3a9e880db0bee438535554abdbc6d84eec45
Already has permissions to remove the scratch partition, but to allow
more refined cleansing (eg: just remove vendor override), need the
ability to mount and scrub overlay directories.
Test: manual
Bug: 117605276
Change-Id: Ibc272c0aa7ce207280023912f5f119ccf5079a7f
Create a transient SELinux domain where system_server can perform
certain JIT setup. The idea is that system_server will start in the
system_server_startup domain, setup certain JIT pages, then perform a
one-way transition into the system_server domain. From that point,
further JITing operations are disallowed.
Bug: 62356545
Test: device boots, no permission errors
Change-Id: Ic55b2cc5aba420ebcf62736622e08881a4779004
Remove blanket coredomain access to same_process_hal_file in favor of
granular access. This change takes into account audits from go/sedenials
(our internal dogfood program)
Bug: 37211678
Test: m selinux_policy
Change-Id: I5634fb65c72d13007e40c131a600585a05b8c4b5
What changed:
- Tightening neverallow forbidding vendor execution access in /system.
In it's current form the neverallow is loose because not all executables
have exec_type attribute, e.g. almost everything in /system/bin/. This
change tightens up the neverallow by instead targeting system_file_type
attribute, which must be applied to all files in /system.
- Adding a general neverallow forbidding all access to files in /system
(bar exceptions)
TODOs:
- Remove loopholes once Treble violations are fixed across all internal
build targets.
Bug: 111243627
Test: m selinux_policy; build-only change
Change-Id: I150195756c0c3258904c3da0812bbd942ea2f229
Start enforcing the use of ioctl restrictions on all Android block
devices. Domains which perform ioctls on block devices must be explicit
about what ioctls they issue. The only ioctls allowed by default are
BLKGETSIZE64, BLKSSZGET, FIOCLEX, and FIONCLEX.
Test: device boots and no problems.
Change-Id: I1195756b20cf2b50bede1eb04a48145a97a35867
Allow a process to determine if a fifo_file (aka pipe, created from the
pipe() or pipe2() syscall) is a tty.
Addresses the following denials:
type=1400 audit(0.0:1307): avc: denied { ioctl } for comm="ls" path="pipe:[213117]" dev="pipefs" ino=213117 ioctlcmd=5401 scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:r:hal_dumpstate_impl:s0 tclass=fifo_file permissive=0
type=1400 audit(0.0:22): avc: denied { ioctl } for comm="sh" path="pipe:[54971]" dev="pipefs" ino=54971 ioctlcmd=5401 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:r:untrusted_app_27:s0:c512,c768 tclass=fifo_file permissive=0 app=com.zhihu.android
type=1400 audit(0.0:237): avc: denied { ioctl } for comm="sh" path="pipe:[56997]" dev="pipefs" ino=56997 ioctlcmd=5401 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=fifo_file permissive=0 app=fm.qingting.qtradio
Test: policy compiles and device builds.
Change-Id: Ic4c6441d0ec33de8cda3f13ff529e98374897364
What changed:
- Tightening neverallow forbidding vendor execution access in /system.
In it's current form the neverallow is loose because not all executables
have exec_type attribute, e.g. almost everything in /system/bin/. This
change tightens up the neverallow by instead targeting system_file_type
attribute, which must be applied to all files in /system.
- Adding a general neverallow forbidding all access to files in /system
(bar exceptions)
TODOs:
- Remove loopholes once Treble violations are fixed across all internal
build targets.
Bug: 111243627
Test: m selinux_policy; build-only change
Change-Id: Ic8d71c8d139cad687ad7d7c9db7111240475f175
Add a neverallow rule requiring fine-grain ioctl filtering for most file
and socket object classes. Only chr_file and blk_file are excluded. The
goal is to ensure that any file descriptor which supports ioctl commands
uses a whitelist.
Further refine the list of file / socket objects which require ioctl
filtering. The previous ioctl filtering did not cover the following:
1) ioctls on /proc/PID files
2) ioctls on directories in /dev
3) PDX unix domain sockets
Add FIONCLEX to the list of globally safe ioctls. FIOCLEX and FIONCLEX
are alternate, uncommon ways to set the O_CLOEXEC flag on a file
descriptor, which is a harmless operation.
Test: device boots and no problems.
Change-Id: I6ba31fbe2f21935243a344d33d67238d72a8e618
Add a service in mediaswcodec to load updated codecs,
and restrict it to userdebug/eng. Reuse existing
mediaextractor_update_service since the codec update
service is identical, this avoids adding a new one
for now as we may not need the service anymore
after switching to APEX.
Bug: 111407413
Bug: 117290290
Change-Id: Ia75256f47433bd13ed819c70c1fb34ecd5d507b4