Commit graph

13764 commits

Author SHA1 Message Date
Treehugger Robot
6cdc9a820d Merge "Hide sys_rawio SELinux denials." 2018-04-10 23:41:21 +00:00
Jeff Vander Stoep
9dc1d5381f priv_app: remove more logspam
avc: denied { read } for name="ext4" dev="sysfs" ino=32709
scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0
tclass=dir permissive=0 b/72749888
avc: denied { read } for name="state" dev="sysfs" ino=51318
scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:sysfs_android_usb:s0 tclass=file permissive=0
b/72749888

Bug: 72749888
Test: build/boot taimen-userdebug. No more logspam
Change-Id: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e
Merged-In: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e
(cherry picked from commit 558cdf1e99)
2018-04-11 08:20:36 +09:00
Treehugger Robot
354a253077 Merge "Widen crash_dump dontaudit." 2018-04-10 23:14:42 +00:00
Tri Vo
fad493bff9 Add internal types to 27.0[.ignore].cil.
Bug: 69390067
Test: manual run of treble_sepolicy_tests
Change-Id: I1b772a3f7c96875765c75bfc1031f249411c3338
Merged-In: I1b772a3f7c96875765c75bfc1031f249411c3338
(cherry picked from commit 9fbd65200d)
2018-04-11 08:02:06 +09:00
Joel Galenson
bf4afae140 Hide sys_rawio SELinux denials.
We often see the following denials:

avc: denied { sys_rawio } for comm="update_engine" capability=17 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0
avc: denied { sys_rawio } for comm="boot@1.0-servic" capability=17 scontext=u:r:hal_bootctl_default:s0 tcontext=u:r:hal_bootctl_default:s0 tclass=capability permissive=0

These are benign, so we are hiding them.

Bug: 37778617
Test: Boot device.
Change-Id: Iac196653933d79aa9cdeef7670076f0efc97b44a
2018-04-10 14:23:25 -07:00
Florian Mayer
589226dff9 Merge "Expose filesystem read events in SELinux policy." 2018-04-10 21:04:50 +00:00
Florian Mayer
7ad383f181 Expose filesystem read events in SELinux policy.
Without this, we only have visibility into writes.

Looking at traces, we realised for many of the files we care about (.dex, .apk)
most filesystem events are actually reads.

See aosp/661782 for matching filesystem permission change.

Bug: 73625480

Change-Id: I6ec71d82fad8f4679c7b7d38e3cb90aff0b9e298
2018-04-10 18:44:20 +01:00
Joel Galenson
a3b3bdbb2f Widen crash_dump dontaudit.
We have seen crash_dump denials for radio_data_file,
shared_relro_file, shell_data_file, and vendor_app_file.  This commit
widens an existing dontaudit to include them as well as others that we
might see.

Test: Boot device.
Change-Id: I9ad2a2dafa8e73b13c08d0cc6886274a7c0e3bac
2018-04-10 09:55:11 -07:00
Max Bires
5cac1aa99c Adding labeling for vendor security patch prop
This will allow adb shell getprop ro.vendor.build.security_patch to
properly return the correct build property, whereas previously it was
offlimits due to lack of label.

Test: adb shell getprop ro.vendor.build.security_patch successfully
returns whatever VENDOR_SECURITY_PATCH is defined to be in the Android
.mk files

Change-Id: Ie8427738125fc7f909ad8d51e4b76558f5544d49
2018-04-09 15:34:42 -07:00
Treehugger Robot
d4dd2f5710 Merge "hal_health: allow to write kernel logs." 2018-04-09 20:33:12 +00:00
Alan Stokes
12e73685b7 Revert "Add /sys/kernel/memory_state_time to sysfs_power."
This reverts commit db83323a03.

Reason for revert: breaks some builds due to duplicate genfs entries

Change-Id: I47813bd84ff10074a32cf483501a9337f556e92a
2018-04-09 18:02:53 +00:00
Treehugger Robot
dceea5023c Merge "Add shell:fifo_file permission for audioserver" 2018-04-09 17:54:42 +00:00
Alan Stokes
cd61bc19ec Merge "Add /sys/kernel/memory_state_time to sysfs_power." 2018-04-09 16:29:30 +00:00
Alan Stokes
06bac37f51 Installd doesn't need to create cgroup files.
cgroupfs doesn't allow files to be created, so this can't be needed.

Also remove redundant neverallow and dontaudit rules. These are now
more broadly handled by domain.te.

Bug: 74182216

Test: Denials remain silenced.

Change-Id: If7eb0e59f567695d987272a2fd36dbc251516e9f

(cherry picked from commit 8e8c109350)
2018-04-09 13:49:13 +01:00
Alan Stokes
db83323a03 Add /sys/kernel/memory_state_time to sysfs_power.
This allows system_server to access it for determining battery stats
(see KernelMemoryBandwidthStats.java).

batterystats-wo: type=1400 audit(0.0:429): avc: denied { read } for name="show_stat" dev="sysfs" ino=48071 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0

Bug: 72643420
Bug: 73947096

Test: Denial is no longer present.
Change-Id: Ibe46aee48eb3f78fa5a9d1f36602c082c33036f7

(cherry picked from commit a8b3634d3e)
2018-04-09 10:28:56 +01:00
Mikhail Naganov
05e12dba34 Add shell:fifo_file permission for audioserver
Bug: 73405145
Test: cts-tradefed run cts -m CtsMediaTestCases -t android.media.cts.AudioRecordTest#testRecordNoDataForIdleUids
Change-Id: I09bdb74c9ecc317ea090643635ca26165efa423a
(cherry picked from commit c5815891f8)
Merged-In: I09bdb74c9ecc317ea090643635ca26165efa423a
2018-04-06 15:18:22 -07:00
Yifan Hong
5ef48cf831 hal_health: allow to write kernel logs.
This is originally allowed in healthd but the permission
was not transfered to health HAL. A typical health HAL
implementation is likely to write battery info to kernel
logs.

Test: device has battery kernel logs with health HAL
      but without healthd

Bug: 77661605

Change-Id: Ib3b5d3fe6bdb3df2a240c85f9d27b863153805d2
2018-04-06 10:24:48 -07:00
Florian Mayer
ff146962b2 Grant traced_probes search on directories.
This is needed to be able to scan the labels we have
permission on.

Denial:

04-06 12:52:22.674   874   874 W traced_probes: type=1400 audit(0.0:10314): avc: denied { search } for name="backup" dev="sda45" ino=6422529 scontext=u:r:traced_probes:s0 tcontext=u:object_r:backup_data_file:s0 tclass=dir permissive=0

Bug: 73625480
2018-04-06 12:51:41 +00:00
Treehugger Robot
04529dc669 Merge "Track storaged SELinux denial." 2018-04-05 23:12:04 +00:00
Joel Galenson
c6b5a96bb6 Track storaged SELinux denial.
This should help fix presubmit tests.

Bug: 77634061
Test: Built policy.
Change-Id: Ib9f15c93b71c2b67f25d4c9f949a5e2b3ce93b9c
2018-04-05 10:39:03 -07:00
Jong Wook Kim
c9dd7149a2 Merge "Wifi HAL SIOCSIFHWADDR sepolicy" 2018-04-05 10:05:29 +00:00
Jeff Vander Stoep
f3220aa6b9 Remove direct qtaguid access from platform/system apps
System components should use the public tagSocket() API, not direct
file access to /proc/net/xt_qtaguid/* and /dev/xt_qtaguid.

Test: build/boot taimen-userdebug. Use youtube, browse chrome,
    navigate maps on both cellular and wifi.
Bug: 68774956

Change-Id: Id895395de100d8f9a09886aceb0d6061fef832ef
2018-04-04 20:26:56 +00:00
Jeff Vander Stoep
9d28625fc4 shell: move shell qtaguid perms to shell.te
Remove unecessary access to /proc/net/xt_qtaguid/ctrl and
/dev/xt_qtaguid.

Bug: 68774956
Test: atest CtsNativeNetTestCases
Test: adb root; atest tagSocket
Change-Id: If3a1e823be0e342faefff28ecd878189c68a8e92
2018-04-04 20:26:18 +00:00
Kweku Adams
985db6d8dd Allowing incidentd to get stack traces from processes.
Bug: 72177715
Test: flash device and check incident output
Change-Id: I16c172caec235d985a6767642134fbd5e5c23912
2018-04-04 16:00:23 +00:00
Treehugger Robot
38a84cf8da Merge "Rename qtaguid_proc to conform to name conventions" 2018-04-04 02:26:56 +00:00
Treehugger Robot
c69cbe5590 Merge "Block SDK 28 app from using proc/net/xt_qtaguid" 2018-04-03 23:46:24 +00:00
Nathan Harold
252b015365 Allow getsockopt and setsockopt for Encap Sockets
Because applications should be able to set the receive
timeout on UDP encapsulation sockets, we need to allow
setsockopt(). getsockopt() is an obvious allowance as
well.

Bug: 68689438
Test: compilation
Merged-In: I2eaf72bcce5695f1aee7a95ec03111eca577651c
Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c
2018-04-03 21:52:14 +00:00
Jeff Vander Stoep
bdf2a9c417 Rename qtaguid_proc to conform to name conventions
Test: build
Bug: 68774956
Change-Id: I0f9fd87eb41e67e14f35e49eba13e3d1de745250
2018-04-03 14:47:38 -07:00
Chenbo Feng
c411ff70d3 Block SDK 28 app from using proc/net/xt_qtaguid
The file under /proc/net/xt_qtaguid is going away in future release.
Apps should use the provided public api instead of directly reading the
proc file. This change will block apps that based on SDK 28 or above to
directly read that file and we will delete that file after apps move
away from it.

Test: Flashed with master branch on marlin, verified phone boot, can
      browse web, watch youtube video, make phone call and use google
      map for navigation with wifi on and off.
      run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
      run cts -m CtsAppSecurityHostTestCases -t \
      		android.appsecurity.cts.AppSecurityTests

Change-Id: I4c4d6c9ab28b426acef23db53f171de8f20be1dc
(cherry picked from commit 5ec8f8432b)
2018-04-03 14:41:41 -07:00
Jeff Vander Stoep
3aa7ca56fd Add untrusted_app_27
This is a partial cherry pick of commit 6231b4d9
'Enforce per-app data protections for targetSdk 28+'.

Untrusted_app_27 remains unreachable, but it's existence
prevents future merge conflicts.

Bug: 63897054
Test: build/boot aosp_walleye-userdebug
Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
Merged-In: I64b013874fe87b55f47e817a1279e76ecf86b7c0
(cherry picked from commit 6231b4d9fc)
2018-04-03 12:25:51 -07:00
Jeff Vander Stoep
0d1e52a50f Remove deprecated tagSocket() permissions
tagSocket() now results in netd performing these actions on behalf
of the calling process.

Remove direct access to:
/dev/xt_qtaguid
/proc/net/xt_qtaguid/ctrl

Bug: 68774956
Test: -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AppSecurityTests
    -m CtsNativeNetTestCases
Test: stream youtube, browse chrome
Test: go/manual-ab-ota
Change-Id: I6a044f304c3ec4e7c6043aebeb1ae63c9c5a0beb
2018-04-03 13:56:58 +00:00
Treehugger Robot
f22c062c16 Merge "Allow vendor_init_settable for persist.sys.sf.native_mode" 2018-04-02 22:15:02 +00:00
Andreas Gampe
c8fe29ff1e Selinux: Fix perfprofd policy
Update for debugfs labeling changes.

Update for simpleperf behavior with stack traces (temp file).

Bug: 73175642
Test: m
Test: manual - run profiling, look for logs
Change-Id: Ie000a00ef56cc603f498d48d89001f566c03b661
2018-04-02 08:10:09 -07:00
Jaekyun Seok
0dc3587393 Allow vendor_init_settable for persist.sys.sf.native_mode
A default value of persist.sys.sf.native_mode could be set by SoC
partners in some devices including some pixels.
So it should have vendor_init_settable accessibility.

Bug: 74266614
Test: succeeded building and tested with a pixel device with
PRODUCT_COMPATIBLE_PROPERTY_OVERRIDE=true.

Change-Id: I5d7a029f82505983d21dc722541fb55761a8714d
2018-04-02 16:20:51 +09:00
Jiyong Park
a6d9d6b68a Reland "Allow dexopt to follow /odm/lib(64) symlinks.""
This reverts commit 942500b910.

Bug: 75287236
Test: boot a device
Change-Id: If81a2d2a46979ffbd536bb95528c3b4ebe3483df
2018-04-02 10:43:22 +09:00
Treehugger Robot
8b11302e89 Merge "Update sepolicy to have system_server access stats_data" 2018-03-31 01:19:49 +00:00
Treehugger Robot
855c6c162a Merge "Allow incidentd to read LAST_KMSG only for userdebug builds" 2018-03-30 23:24:24 +00:00
yro
36dd2a410c Update sepolicy to have system_server access stats_data
Test: manually tested to prevent sepolicy violation
Change-Id: I9ebcc86464a9fc61a49d5c9be40f19f3523b6785
2018-03-30 15:58:58 -07:00
Treehugger Robot
4fb1a145d1 Merge "Allow netutils_wrapper to use pinned bpf program" 2018-03-30 20:03:19 +00:00
Yi Jin
76238cd4ef Allow incidentd to read LAST_KMSG only for userdebug builds
Bug: 73354384
Test: manual
Change-Id: Iaaeded69c287eae757aaf68dc18bc5a0c53b94e6
2018-03-30 10:15:24 -07:00
Treehugger Robot
8cafb58a2e Merge "Test frozen sepolicy has not diverged from prebuilts." 2018-03-30 17:11:36 +00:00
Florian Mayer
9fcf22bb81 SELinux changes for I/O tracing.
See also go/perfetto-io-tracing-security.

* Grant CAP_DAC_READ_SEARCH to traced_probes.
* Allow traced_probes to list selected labels.
* Change ext4 and f2fs events to be available on user builds.

Bug: 74584014
Change-Id: I891a0209be981d760a828a69e4831e238248ebad
2018-03-30 00:32:34 +00:00
Tri Vo
81198bb8bb Test frozen sepolicy has not diverged from prebuilts.
This will test that system/sepolicy/{public/, private/} are identical to
prebuilts if PLATFORM_SEPOLICY_VERSION is not 10000.0.

Bug: 74622750
Test: build policy
Test: correctly catches divergence from prebuilts for frozen policies

Change-Id: I2fa14b672544a021c2d42ad5968dfbac21b72f6a
2018-03-29 15:42:28 -07:00
Joel Galenson
4b625e4a35 Label /proc/sys/kernel/sched_schedstats.
This allows init to write to it, which it does for atrace.

Bug: 72643420
Test: Boot two devices, observe no denials, test atrace.
Change-Id: I6810e5dcdfaff176bd944317e66d4fe612ccebed
(cherry picked from commit dce07413bc)
2018-03-29 14:57:10 -07:00
Elliott Hughes
242399a1cf Merge "Remove unused dalvik.vm.stack-trace-dir." 2018-03-29 21:15:16 +00:00
Treehugger Robot
9a76c280d6 Merge "Suppress harmless denials for file creation in cgroupfs." 2018-03-29 19:54:04 +00:00
Treehugger Robot
2c36eb6d91 Merge "Test that /proc files have proc_type attribute." 2018-03-29 19:04:06 +00:00
Chenbo Feng
2623ebcf8e Allow netutils_wrapper to use pinned bpf program
The netutils_wrapper is a process used by vendor code to update the
iptable rules on devices. When it update the rules for a specific chain.
The iptable module will reload the whole chain with the new rule. So
even the netutils_wrapper do not need to add any rules related to xt_bpf
module, it will still reloading the existing iptables rules about xt_bpf
module and need pass through the selinux check again when the rules are
reloading. So we have to grant it the permission to reuse the pinned
program in fs_bpf when it modifies the corresponding iptables chain so
the vendor module will not crash anymore.

Test: device boot and no more denials from netutils_wrapper
Bug: 72111305
Change-Id: I62bdfd922c8194c61b13e2855839aee3f1e349be
2018-03-29 10:26:29 -07:00
Alan Stokes
832a7042b0 Suppress harmless denials for file creation in cgroupfs.
The kernel generates file creation audits when O_CREAT is passed even
if the file already exists - which it always does in the cgroup cases.

We add neverallow rules to prevent mistakenly allowing unnecessary
create access. We also suppress these denials, which just add noise to
the log, for the more common culprits.

Bug: 72643420
Bug: 74182216

Test: Ran build_policies.sh and checked failures were unrelated.
Test: Device still boots, denials gone.
Change-Id: I034b41ca70da1e73b81fe90090e656f4a3b542dc
(cherry picked from commit 92c149d077)
2018-03-29 10:18:54 -07:00
Treehugger Robot
4bdefb59ca Merge "Improve neverallows on /proc and /sys" 2018-03-29 17:08:34 +00:00