Commit graph

19 commits

Author SHA1 Message Date
Pete Bentley
e6da3b80d1 Add SEPolicy for PRNG seeder daemon.
Manual testing protocol:
* Verify prng_seeder daemon is running and has the
  correct label (via ps -Z)
* Verify prng_seeder socket present and has correct
  label (via ls -Z)
* Verify no SELinux denials
* strace a libcrypto process and verify it reads seeding
  data from prng_seeder (e.g. strace bssl rand -hex 1024)
* strace seeder daemon to observe incoming connections
  (e.g. strace -f -p `pgrep prng_seeder`)
* Kill daemon, observe that init restarts it
* strace again and observe clients now seed from new instance

Bug: 243933553
Test: Manual - see above
Change-Id: I0a7e339115a2cf6b819730dcf5f8b189a339c57d
2022-09-22 15:13:20 +00:00
Lokesh Gidra
b016e51150 Add userfaultfd selinux policy for app_zygote
Like zygote, webview_zygote, add userfaultfd policy for app_zygote as
well.

Bug: 160737021
Test: manual (use userfaultfd in an app-zygote)
Change-Id: I42f558c5b646bb0bd83b81fddfb608567f95c811
2022-03-09 21:50:52 -08:00
Orion Hodson
829f582107 Merge "Allow app_zygote to read zygote_tmpfs." 2021-07-05 09:10:23 +00:00
Orion Hodson
57907a87dc Allow app_zygote to read zygote_tmpfs.
app_zygote inherits tmpfs files from zygote, and needs to be able to
stat them after fork.

Bug: 192634726
Bug: 192572973
Bug: 119800099
Test: manually configure JIT zygote and run
 atest \
   CtsExternalServiceTestCases:\
   android.externalservice.cts.ExternalServiceTest\
   #testBindExternalServiceWithZygote
Change-Id: I401808c984edd4e3e4ef335f6a75cecc5cf69eca
2021-07-02 14:36:00 +00:00
Orion Hodson
f135ce393c Allow zygotes and installd to read odsign properties
Bug: 192049377
Test: manual
Change-Id: I88cfd0b7fa63f195a1ec8f498c106cbf95f649ec
2021-07-01 14:18:51 +01:00
Calin Juravle
0b2ca6c22c Enable ART properties modularization
ART is becoming a module and we need to be able to add new properties
without modifying the non updatable part of the platform:

- convert ART properties to use prefix in the namespace of
[ro].dalvik.vm.
- enable appdomain and coredomain to read device_config properties
that configure ART

Test: boot
Bug: 181748174
Change-Id: Id23ff78474dba947301e1b6243a112b0f5b4a832
2021-06-01 16:14:55 -07:00
Orion Hodson
90d3351ad1 app_zygote.te: allow reading and searching the ART module dalvik-cache
Fix: 185637711
Test: SELinux denials gone for chrome_zygote
Change-Id: I31ba5d5b4fa8cb002814809a533bf2b2dc465c99
2021-04-29 15:29:12 +00:00
Alan Stokes
f8ad33985d Introduce app_data_file_type attribute.
This gives us an easy way for the policy to refer to all existing or
future types used for app private data files in type= assignments in
seapp_contexts.

Apply the label to all the existing types, then refactor rules to use
the new attribute.

This is intended as a pure refactoring, except that:
- Some neverallow rules are extended to cover types they previous
omitted;
- We allow iorap_inode2filename limited access to shell_data_file and
  nfc_data_file;
- We allow zygote limited access to system_app_data_file.

This mostly reverts the revert in commit
b01e1d97bf, restoring commit
27e0c740f1. Changes to check_seapp to
enforce use of app_data_file_type is omitted, to be included in a
following CL.

Test: Presubmits
Bug: 171795911
Change-Id: I02b31e7b3d5634c94763387284b5a154fe5b71b4
2020-11-11 14:43:36 +00:00
Alan Stokes
b01e1d97bf Revert "Introduce app_data_file_type attribute."
This reverts commit 27e0c740f1.

Reason for revert: b/172926597

Change-Id: Id2443446cbdf51dc05b303028377895b9cf2a09e
2020-11-10 18:02:14 +00:00
Alan Stokes
27e0c740f1 Introduce app_data_file_type attribute.
This gives us an easy way for the policy to refer to all existing or
future types used for app private data files in type= assignments in
seapp_contexts.

Apply the label to all the existing types, then refactor rules to use
the new attribute.

This is intended as a pure refactoring, except that:
- Some neverallow rules are extended to cover types they previous
omitted;
- We allow iorap_inode2filename limited access to shell_data_file and
  nfc_data_file;
- We allow zygote limited access to system_app_data_file.

Also extend check_seapp to check that all types specified in
seapp_contexts files have the attribute, to ensure that the neverallow
rules apply to them. As a small bonus, also verify that domain and
type values are actually types not attributes.

Test: Presubmits
Test: Manual: specify an invalid type, build breaks.
Bug: 171795911
Change-Id: Iab6018af449dab3b407824e635dc62e3d81e07c9
2020-11-09 11:04:02 +00:00
Martijn Coenen
d40dfdc4c0 Don't give uid-based categories to app_zygote and isolated processes.
The mapping of UIDs to categories can only take 16 bits, yet isolated
processes start at UID 90000. Additionally, the main purpose of these
categories was to isolate app-private storage, but since isolated
processes don't have access to app-private storage anyway, removing them
doesn't hurt.

The upside is that this allows us to remove mIstrustedsubject from the
app_zygote domain, which prevents app code running in that context from
assigning itself arbitrary categories.

Bug: 157598026
Test: inspect categories of app_zygote and children; verify Chrome works
Merged-In: Idfa8625d939cf30f3683436949bb4f335851622a
Change-Id: Idfa8625d939cf30f3683436949bb4f335851622a
2020-06-09 12:32:59 +00:00
Ryan Savitski
845569e2e5 debug builds: allow perf profiling of most domains
As with heapprofd, it's useful to profile the platform itself on debug
builds (compared to just apps on "user" builds).

Bug: 137092007
Change-Id: I8630c20e0da9c67e4927496802a4cd9cacbeb81a
2020-01-22 22:04:02 +00:00
Jing Ji
2b12440ff7 Add rules for an unix domain socket for system_server
System_server will listen on incoming packets from zygotes.

Bug: 136036078
Test: atest CtsAppExitTestCases:ActivityManagerAppExitInfoTest
Change-Id: I42feaa317615b90c5277cd82191e677548888a71
2020-01-16 16:09:48 -08:00
Tri Vo
bfcddbe25e sepolicy: remove ashmemd
Bug: 139855428
Test: m selinux_policy
Change-Id: I8d7f66b16be025f7cb9c5269fae6fd7540c2fdc9
2019-09-27 17:43:53 +00:00
Henrik Baard
8c94186ca5 app_zygote need access to oem partition
app_zygote used by for example Google Chrome needs access
to at least search /oem partition.

Google chrome version: 76.0.3809.132 is running in app_zygote
and the following access is blocked by selinux causing Chrome
to hang.

avc:  denied  { search } for  pid=813 comm="d.chrome_zygote"
name="/" dev="sda42" ino=2 scontext=u:r:app_zygote:s0:c214,c256,c512,c768
tcontext=u:object_r:oemfs:s0 tclass=dir permissive=0 ppid=798
pcomm="d.chrome_zygote" pgid=798 pgcomm="d.chrome_zygote"

Change-Id: Idcce1a5ad1a8be3d7bd057c12ec477baa9669235
2019-09-11 13:31:12 +02:00
Cheney Ni
e55a74bdff Add rules for accessing the related bluetooth_audio_hal_prop
This change allows those daemons of the audio and Bluetooth which
include HALs to access the bluetooth_audio_hal_prop. This property is
used to force disable the new BluetoothAudio HAL.
  - persist.bluetooth.bluetooth_audio_hal.disabled

Bug: 128825244
Test: audio HAL can access the property
Change-Id: I87a8ba57cfbcd7d3e4548aa96bc915d0cc6b2b74
2019-03-20 03:12:25 +00:00
Tri Vo
73d0a67b06 sepolicy for ashmemd
all_untrusted_apps apart from untrusted_app_{25, 27} and mediaprovider
are now expected to go to ashmemd for /dev/ashmem fds.

Give coredomain access to ashmemd, because ashmemd is the default way
for coredomain to get a /dev/ashmem fd.

Bug: 113362644
Test: device boots, ashmemd running
Test: Chrome app works
Test: "lsof /system/lib64/libashmemd_client.so" shows
libashmemd_client.so being loaded into apps.
Change-Id: I279448c3104c5d08a1fefe31730488924ce1b37a
2019-02-05 21:38:14 +00:00
Martijn Coenen
e0bbb9f85a Add more neverallows to app_zygote policy.
The app_zygote should never use any unix sockets, except the
logd socket and some sockets only available on userdebug/eng.

Prevent it from using ptrace.

Bug: 111434506
Test: builds
Change-Id: Ic47cfca51fba0b150a136194ba0e4a8a488c9996
2019-01-24 20:27:54 +00:00
Martijn Coenen
1bbda7e662 Initial sepolicy for app_zygote.
The application zygote is a new sort of zygote process that is a
child of the regular zygote. Each application zygote is tied to the
application for which it's launched. Once it's started, it will
pre-load some of the code for that specific application, much like
the regular zygote does for framework code.

Once the application zygote is up and running, it can spawn
isolated service processes that run in the isolated_app domain. These
services can then benefit from already having the relevant
application code and data pre-loaded.

The policy is largely the same as the webview_zygote domain,
however there are a few crucial points where the policy is different.

1) The app_zygote runs under the UID of the application that spawned
   it.
2) During app_zygote launch, it will call a callback that is
   controlled by the application, that allows the application to
   pre-load code and data that it thinks is relevant.

Especially point 2 is imporant: it means that untrusted code can run
in the app_zygote context. This context is severely limited, and the
main concern is around the setgid/setuid capabilities. Those conerns
are mitigated by installing a seccomp filter that only allows
setgid/setuid to be called in a safe range.

Bug: 111434506
Test: app_zygote can start and fork children without denials.
Change-Id: I1cc49ee0042d41e5ac6eb81d8f8a10ba448d4832
2019-01-21 08:24:41 +00:00