Commit graph

26 commits

Author SHA1 Message Date
Jiakai Zhang
a7774c2cba Allow installd to kill profman.
installd needs to kill profman if profman times out.

Bug: 242352919
Test: -
  1. Add an infinate loop to profman.
  2. Run `adb shell pm compile -m speed-profile com.android.chrome`
  3. See profman being killed after 1 minute.

Change-Id: I71761eaab027698de0339d855b9a436b56580ed8
2023-01-30 11:09:08 +00:00
Alex Buynytskyy
37a0dcbbbc Allow installd delete staging folders.
Apparently readdir uses getattr and skips a folder if denied.

Bug: 244638667
Test: adb root; adb shell mkdir -p
/data/app-staging/session_917335144/lib; adb reboot; adb logcat | grep
session_917335144, check if the folder was removed

Change-Id: I39de49c77d3bf3428d75f0cf4d4c603ea7e03ed5
2022-09-02 13:16:24 -07:00
Mohammad Samiul Islam
d2ffd35cc0 Create a separate label for sandbox root directory
Currently, app process can freely execute path at
`/data/misc_ce/0/sdksandbox/<package-name>` since it's labeled as system
file. They can't read or write, but use 403/404
error to figure out if an app is installed or not.

By changing the selinux label of the parent directory:
`/data/misc_ce/0/sdksandbox`, we can restrict app process from executing
inside the directory and avoid the privacy leak.

Sandbox process should only have "search" permission on the new label so
that it can pass through it to its data directory located in
`/data/misc_ce/0/sdksandbox/<package-name>/<per-sdk-dir>`.

Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Test: `adb shell cd /data/misc_ce/0/sdksandbox` gives error
Test: manual test to verify webview still works
Change-Id: Id8771b322d4eb5532eaf719f203ca94035e2a8ed
Merged-In: Id8771b322d4eb5532eaf719f203ca94035e2a8ed
2022-05-19 16:01:15 +01:00
Keun young Park
d577958598 allow installd to kill dex2oat and dexoptanalyzer
Bug: 179094324
Bug: 156537504

Test: confirm that installd killing those processes are not brininging
      selinux violation
Change-Id: Icac3f5acc3d4d398bbe1431bb02140f3fe9cdc45
2021-08-17 09:48:47 -07:00
Orion Hodson
f135ce393c Allow zygotes and installd to read odsign properties
Bug: 192049377
Test: manual
Change-Id: I88cfd0b7fa63f195a1ec8f498c106cbf95f649ec
2021-07-01 14:18:51 +01:00
Yo Chiang
a14b839cf5 Revert "Suppress avc denials due to missing kernel config on mixed version boot test"
This reverts commit f3f4985479.

Reason for revert: selinux denial should be fixed by aosp/1554151

Change-Id: I9393b45a6adbfe94b24c23542c3a424a002be573
2021-01-22 11:05:43 +00:00
Yo Chiang
f3f4985479 Suppress avc denials due to missing kernel config on mixed version boot test
auditd  : type=1400 audit(0.0:104): avc: denied
{ write } for comm="Binder:1830_4" name="tasks" dev="tmpfs" ino=16681
scontext=u:r:installd:s0 tcontext=u:object_r:device:s0 tclass=file
permissive=0

As described in aosp/1552554, these denials seems to be triggered by
timing issues thus being caught by DeviceBootTest. Add these dontaudit
lines so these errors don't block normal feature development.

Bug: 177187042
Test: SELinuxUncheckedDenialBootTest on S-on-Q device configuration
Change-Id: I5e8754aae5a58e26c98c97664eac0fd9febb9d33
2021-01-18 07:16:27 +00:00
Victor Hsieh
8b65b0b12d sepolicy: allow rules for apk verify system property
ro.apk_verity.mode was introduced in P on crosshatch. This change
changes the label from default_prop to a new property, apk_verity_prop.

ro.apk_verity.mode is set by vendor_init per build.prop, in order to
honor Treble split.  It is also read by system_server and installd
currently.

Test: verify functioning without denials in dmesg
Bug: 142494008
Bug: 144164497
Change-Id: I1f24513d79237091cf30025bb7ca63282e23c739
2019-12-03 10:09:35 -08:00
Paul Crowley
1fc44958bd Merge "Move layout_version to /data/misc/installd"
am: 7f9c607b4f

Change-Id: I05c2ba0b7f2f44c72bb6c6eba16a4ab385c15939
2019-08-28 13:35:17 -07:00
Paul Crowley
d1ff87530c Move change from ag/7565384 aside
Commit I35d35016680379e3a9363408704ee890a78a9748 is not yet in AOSP
and is causing a merge conflict with my change aosp/1105757.
Move the lines causing the conflict elsewhere.

Bug: 1105489
Test: treehugger
Cherrypicked-From: 1da93c9f32
Merged-In: I35dca026e40c9e2f89b831395db3958e399bfbb7
Change-Id: I35dca026e40c9e2f89b831395db3958e399bfbb7
2019-08-27 17:55:07 +00:00
Paul Crowley
04023ade9a Move layout_version to /data/misc/installd
Bug: 139543295
Test: Boot, ensure file is properly created
Change-Id: I577b25bcf61505970b153884d8ac3567957bb50a
2019-08-21 10:11:35 -07:00
Narayan Kamath
0574e4cdab sepolicy: Add policy for migrate_legacy_obb_data.sh
.. and let installd execute it. Required to migrate legacy obb contents

Bug: 129167772
Test: make

Change-Id: I35d35016680379e3a9363408704ee890a78a9748
2019-05-23 17:26:08 +01:00
Nicolas Geoffray
c8cb42e27d Allow installd to access device_config_runtime_native_boot_prop.
Test: m && boot
Bug: 119800099
Change-Id: I3d9c48b9474ed68c98cf65110ed9375a2c4c8aa1
2019-02-26 08:56:57 +00:00
shafik
9f8ff76e35 Allow installd to delete directories in staging dir
In order to support deleting session files after a staged session reaches
a final state, installd will need to delete the session directories from
/data/staging.

Bug: 123624108
Test: triggered 2 flows in which a staged session reaches a final state
and made sure installd can delete the session files

Change-Id: I76a7d4252d1e033791f67f268cf941672c5e6a3a
2019-02-25 12:02:20 +00:00
Mathieu Chartier
26a5699773 Add runtime_native property permission to installd
Installd will read one of these properties as a feature flag.

(cherry-picked from commit e59e731dd1)

Bug: 116059983
Bug: 123524494
Test: adb shell /data/nativetest64/installd_dexopt_test/installd_dexopt_test

Change-Id: I6c5c058ba316b98f58d8d08f7cb13828cf311833
Merged-In: I6c5c058ba316b98f58d8d08f7cb13828cf311833
2019-02-01 16:54:49 +00:00
Eric Holk
f8dfb5f83b [layout compilation] Modify sepolicy to allow installd to run viewcompiler
We will generate precompiled layouts as part of the package install or upgrade
process. This means installd needs to be able to invoke viewcompiler. This
change gives installd and viewcompiler the minimal set of permissions needed for
this to work.

Bug: 111895153
Test: manual
Change-Id: Ic1fe60bd264c497b5f79d9e1d77c2da4e092377b
2019-01-18 23:29:47 +00:00
Narayan Kamath
802cfe0f3d Allow installd sufficient permissions to rollback_data_file.
Used to capture and restore app data snapshots as implemented in change
I3e4d36c11e52fb885b585b1946e215cf986206fd.

Test: make, manual
Bug: 112431924

Change-Id: I1cd1ec3f9c93c4af65b662a5ada582299b595a8f
2019-01-17 16:56:42 +00:00
Nick Kralevich
fb66c6f81b rename rs_data_file to app_exec_data_file
There are multiple trusted system components which may be responsible
for creating executable code within an application's home directory.
Renderscript is just one of those trusted components.

Generalize rs_data_file to app_exec_data_file. This label is intended to
be used for any executable code created by trusted components placed
into an application's home directory.

Introduce a typealias statement to ensure files with the previous label
continue to be understood by policy.

This change is effectively a no-op, as it just renames a type, but
neither adds or removes any rules.

Bug: 121375718
Bug: 112357170
Test: cts-tradefed run cts-dev -m CtsRenderscriptTestCases
Change-Id: I17dca5e3e8a1237eb236761862174744fb2196c0
2019-01-11 20:07:20 +00:00
Nick Kralevich
0eb0a16fbd bless app created renderscript files
When an app uses renderscript to compile a Script instance,
renderscript compiles and links the script using /system/bin/bcc and
/system/bin/ld.mc, then places the resulting shared library into the
application's code_cache directory. The application then dlopen()s the
resulting shared library.

Currently, this executable code is writable to the application. This
violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which
requires any executable code be immutable.

This change introduces a new label "rs_data_file". Files created by
/system/bin/bcc and /system/bin/ld.mc in the application's home
directory assume this label. This allows us to differentiate in
security policy between app created files, and files created by
renderscript on behalf of the application.

Apps are allowed to delete these files, but cannot create or write these
files. This is enforced through a neverallow compile time assertion.

Several exceptions are added to Treble neverallow assertions to support
this functionality. However, because renderscript was previously invoked
from an application context, this is not a Treble separation regression.

This change is needed to support blocking dlopen() for non-renderscript
/data/data files, which will be submitted in a followup change.

Bug: 112357170
Test: cts-tradefed run cts -m CtsRenderscriptTestCases
Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
2018-12-12 13:20:22 -08:00
Joel Galenson
03ff9f91c1 Ensure taking a bugreport generates no denials.
This commit adds new SELinux permissions and neverallow rules so that
taking a bugreport does not produce any denials.

Bug: 73256908
Test: Captured bugreports on Sailfish and Walleye and verified
that there were no denials.

Merged-In: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9
Change-Id: I10882e7adda0bb51bf373e0e62fda0acc8ad34eb
2018-03-05 12:23:25 -08:00
Jeff Vander Stoep
b5da252e45 domain_deprecated is dead
long live domain.te!

Remove all references.

Bug: 28760354
Test: build
Merged-In: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
Change-Id: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
2017-07-28 22:01:46 +00:00
Jeff Vander Stoep
7c34e83fcd Move domain_deprecated into private policy
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Merged-In: I31beeb5bdf3885195310b086c1af3432dc6a349b
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
(cherry picked from commit 76aab82cb3)
2017-07-24 07:39:54 -07:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
Calin Juravle
e5a1f64a2e SElinux policies for compiling secondary dex files
This CLs adds SElinux policies necessary to compile secondary dex files.

When an app loads secondary dex files via the base class loader the
files will get reported to PM. During maintance mode PM will compile the
secondary dex files which were used via the standard installd model
(fork, exec, change uid and lower capabilities).

What is needed:
dexoptanalyzer - needs to read the dex file and the boot image in order
to decide if we need to actually comppile.
dex2oat - needs to be able to create *.oat files next to the secondary
dex files.

Test: devices boots
      compilation of secondary dex files works without selinux denials
      cmd package compile --secondary-dex -f -m speed
com.google.android.gms

Bug: 32871170
Change-Id: I038955b5bc9a72d49f6c24c1cb76276e0f53dc45
2017-01-24 14:28:07 -08:00
dcashman
2e00e6373f sepolicy: add version_policy tool and version non-platform policy.
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-12-06 08:56:02 -08:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00