Commit graph

254 commits

Author SHA1 Message Date
Nick Kralevich
caf42d615d Transient SELinux domain for system_server JIT
Create a transient SELinux domain where system_server can perform
certain JIT setup. The idea is that system_server will start in the
system_server_startup domain, setup certain JIT pages, then perform a
one-way transition into the system_server domain. From that point,
further JITing operations are disallowed.

Bug: 62356545
Test: device boots, no permission errors
Change-Id: Ic55b2cc5aba420ebcf62736622e08881a4779004
2018-10-31 12:32:01 +00:00
Tri Vo
90cf5a7fb3 same_process_hal_file: access to individual coredomains
Remove blanket coredomain access to same_process_hal_file in favor of
granular access. This change takes into account audits from go/sedenials
(our internal dogfood program)

Bug: 37211678
Test: m selinux_policy
Change-Id: I5634fb65c72d13007e40c131a600585a05b8c4b5
2018-10-26 18:03:01 +00:00
Tri Vo
3d2e200b69 asan: restore global access to system_asan_options_file.
Bug: 118161817
Test: SANITIZE_TARGET=address m selinux_policy
Change-Id: I4dabcb3692c59b810a06567e272bca9f0e9c3ecd
2018-10-22 13:05:05 -07:00
Tri Vo
e6b1a4caf9 Reland "Neverallow vendor code access to files on /system."
What changed:
- Tightening neverallow forbidding vendor execution access in /system.
In it's current form the neverallow is loose because not all executables
have exec_type attribute, e.g. almost everything in /system/bin/. This
change tightens up the neverallow by instead targeting system_file_type
attribute, which must be applied to all files in /system.
- Adding a general neverallow forbidding all access to files in /system
(bar exceptions)

TODOs:
- Remove loopholes once Treble violations are fixed across all internal
build targets.

Bug: 111243627
Test: m selinux_policy; build-only change
Change-Id: I150195756c0c3258904c3da0812bbd942ea2f229
2018-10-19 13:26:50 -07:00
Pavel Grafov
10b250df24 Revert "Neverallow vendor code access to files on /system."
This reverts commit c855629ebd.

Reason for revert: breaks builds for some devices in master

Change-Id: I02c0967d6607ef0173b4188c06d2e781c3c93f4b
2018-10-19 11:10:55 +00:00
Nick Kralevich
4c8eaba75a start enforcing ioctl restrictions on blk_file
Start enforcing the use of ioctl restrictions on all Android block
devices. Domains which perform ioctls on block devices must be explicit
about what ioctls they issue. The only ioctls allowed by default are
BLKGETSIZE64, BLKSSZGET, FIOCLEX, and FIONCLEX.

Test: device boots and no problems.
Change-Id: I1195756b20cf2b50bede1eb04a48145a97a35867
2018-10-18 15:24:32 -07:00
Nick Kralevich
6790008920 Allow TCGETS on pipes (fifo_file)
Allow a process to determine if a fifo_file (aka pipe, created from the
pipe() or pipe2() syscall) is a tty.

Addresses the following denials:

type=1400 audit(0.0:1307): avc: denied { ioctl } for comm="ls" path="pipe:[213117]" dev="pipefs" ino=213117 ioctlcmd=5401 scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:r:hal_dumpstate_impl:s0 tclass=fifo_file permissive=0
type=1400 audit(0.0:22): avc: denied { ioctl } for comm="sh" path="pipe:[54971]" dev="pipefs" ino=54971 ioctlcmd=5401 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:r:untrusted_app_27:s0:c512,c768 tclass=fifo_file permissive=0 app=com.zhihu.android
type=1400 audit(0.0:237): avc: denied { ioctl } for comm="sh" path="pipe:[56997]" dev="pipefs" ino=56997 ioctlcmd=5401 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=fifo_file permissive=0 app=fm.qingting.qtradio

Test: policy compiles and device builds.
Change-Id: Ic4c6441d0ec33de8cda3f13ff529e98374897364
2018-10-18 09:10:54 -07:00
Tri Vo
c855629ebd Neverallow vendor code access to files on /system.
What changed:
- Tightening neverallow forbidding vendor execution access in /system.
In it's current form the neverallow is loose because not all executables
have exec_type attribute, e.g. almost everything in /system/bin/. This
change tightens up the neverallow by instead targeting system_file_type
attribute, which must be applied to all files in /system.
- Adding a general neverallow forbidding all access to files in /system
(bar exceptions)

TODOs:
- Remove loopholes once Treble violations are fixed across all internal
build targets.

Bug: 111243627
Test: m selinux_policy; build-only change
Change-Id: Ic8d71c8d139cad687ad7d7c9db7111240475f175
2018-10-17 22:31:02 +00:00
Nick Kralevich
8ee8e26355 more ioctl work
Add a neverallow rule requiring fine-grain ioctl filtering for most file
and socket object classes. Only chr_file and blk_file are excluded. The
goal is to ensure that any file descriptor which supports ioctl commands
uses a whitelist.

Further refine the list of file / socket objects which require ioctl
filtering. The previous ioctl filtering did not cover the following:

1) ioctls on /proc/PID files
2) ioctls on directories in /dev
3) PDX unix domain sockets

Add FIONCLEX to the list of globally safe ioctls. FIOCLEX and FIONCLEX
are alternate, uncommon ways to set the O_CLOEXEC flag on a file
descriptor, which is a harmless operation.

Test: device boots and no problems.
Change-Id: I6ba31fbe2f21935243a344d33d67238d72a8e618
2018-10-17 11:12:18 -07:00
Dario Freni
bab267a88f Allow apexd to create symlink in /apex.
Bug: 115710947
Test: on device
Change-Id: Ie712689d80fb829f16de70e865cac4f0ff4e9b35
2018-10-17 11:25:02 +01:00
Tri Vo
888b92135c Reland "Treat input files as public API."
Input files are public API:
https://source.android.com/devices/input/input-device-configuration-files
Now that they have labels from core policy (aosp/782082), we can tighten
up our neverallows.

Bug: 37168747
Test: m selinux_policy
Change-Id: Ifaf9547993eb8c701fb63b7ee41971ea4e3f7cf9
2018-10-16 18:02:00 +00:00
Chong Zhang
52fb3edbb6 add media.codec.update service
Add a service in mediaswcodec to load updated codecs,
and restrict it to userdebug/eng. Reuse existing
mediaextractor_update_service since the codec update
service is identical, this avoids adding a new one
for now as we may not need the service anymore
after switching to APEX.

Bug: 111407413
Bug: 117290290

Change-Id: Ia75256f47433bd13ed819c70c1fb34ecd5d507b4
2018-10-15 21:06:53 +00:00
Tri Vo
3a3a77d4e1 tcpdump: allow vendor access on userdebug builds.
Bug: 111243627
Test: m selinux_policy
Change-Id: I0bab79d1a3b7a8b5bf5d12ba2dc5ce46abea5332
2018-10-15 21:00:21 +00:00
David Anderson
c5b504da6b Revert "Treat input files as public API."
This reverts commit 7a560eb4d7.

Reason for revert: build bustage

Change-Id: Iba0ba7a899dca865129a9c715c5f60f8a6edcc2f
2018-10-15 20:51:06 +00:00
Tri Vo
235d48600b Finalize cgroup permissions.
Policy w.r.t to apps:
- cgroup access from untrusted apps and priv app is neverallow'ed.
- other apps (e.g. vendor apps) need to explicitly declare appropriate
access rules to cgroups.

Policy w.r.t native domains:
- libcutils exports API to /dev/{cpuset, stune}/*. This API is used
abundantly in native vendor code. So we are not going to limit non-app
access to cgroup.

Bug: 110043362
Bug: 117666318
Test: m selinux_policy, boot device
Change-Id: I83aee21ca3e8941725c70706769ea9dbdc76b9c5
2018-10-15 19:34:10 +00:00
Tri Vo
7a560eb4d7 Treat input files as public API.
Input files are public API:
https://source.android.com/devices/input/input-device-configuration-files
Now that they have labels from core policy (aosp/782082), we can tighten
up our neverallows.

Bug: 37168747
Test: m selinux_policy
Change-Id: I7545b190f35b6b2c86c5dc42c0814f7bccbf1281
2018-10-13 21:22:19 +00:00
Tri Vo
81ade3dd1d Audit access to same_process_hal_file.
same_process_hal_file is exempted from many Treble neverallows. We want
to know which processes access this type to eventually constrain access
to it.

Bug: 37211678
Test: m selinux_policy
Change-Id: I61c0df21250eb1b1ae2d9c5fa9c801a828539813
2018-10-13 05:27:03 +00:00
Nick Kralevich
6586fe3110 Allow more file ioctls
The shell script interpreter checks if file descriptors are ttys, which
causes a bunch of denials. Allow the benign ioctl TCGETS. Addresses the
following denials:

  type=1400 audit(0.0:321): avc: denied { ioctl } for comm="sh"
  path="/data/misc/perfprofd/perferr.txt" dev="sda13" ino=6817306
  ioctlcmd=5401 scontext=u:r:perfprofd:s0
  tcontext=u:object_r:perfprofd_data_file:s0 tclass=file permissive=0

  type=1400 audit(0.0:3189): avc: denied { ioctl } for comm="ps"
  path="/data/user_de/0/com.android.shell/files/bugreports/bugreport-XXXXXXXXX-MASTER-2018-10-11-16-52-40.tmp"
  dev="dm-2" ino=25546 ioctlcmd=0x5401 scontext=u:r:dumpstate:s0
  tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0

  type=1400 audit(0.0:3004): avc: denied { ioctl } for comm="top"
  path="/data/user_de/0/com.android.shell/files/bugreports/bugreport-XXXXXXXXX-MASTER-2018-10-11-16-52-40.tmp"
  dev="dm-2" ino=25546 ioctlcmd=0x5401 scontext=u:r:dumpstate:s0
  tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0

Include the virtual sdcard when allowing F2FS specific sqlite ioctls,
since apps write sqlite files to the virtual sdcard. Addresses the
following denials:

  type=1400 audit(0.0:324): avc: denied { ioctl } for comm="amapLocManagerT"
  path="/storage/emulated/0/amap/openamaplocationsdk/alsn20170807.db"
  dev="sdcardfs" ino=3546650 ioctlcmd=f50c
  scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:sdcardfs:s0
  tclass=file permissive=0 app=com.xiaomi.hm.health

Test: policy compiles.
Change-Id: I7fc570f2bbf69485b1ee6e6b2d9a421639d29123
2018-10-12 22:07:25 +00:00
Nick Kralevich
186466e955 move cgroup auditallow into userdebug_or_eng block
By convention, auditallow statements are typically put into
userdebug_or_eng blocks, to ensure we don't accidentally ship
unnecessary audit rules. Let's do the same here.

Test: policy compiles.
Change-Id: Ib3eac94284eea3c1ae2f3dacddcb2eaeca95230e
2018-10-12 13:26:40 -07:00
Chong Zhang
bdbfff1b00 add mediaswcodec service
Set up a new service for sw media codec services.

Bug: 111407413

Test: cts-tradefed run cts-dev --module CtsMediaTestCases --compatibility:module-arg CtsMediaTestCases:include-annotation:android.platform.test.annotations.RequiresDevice
Change-Id: Ia1c6a9ef3f0c1d84b2be8756eb1853ffa0597f8e
2018-10-11 15:10:17 -07:00
Tri Vo
f55c989d18 Constrain cgroups access.
What changed:
- Removed cgroup access from untrusted and priv apps.
- Settings app writes to /dev/stune/foreground/tasks, so system_app domain
retains access to cgroup.
- libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used
abundantly in native code. So added a blanket allow rule for (coredomain - apps)
to access cgroups.
- For now, only audit cgroup access from vendor domains. Ultimately, we want to
either constrain vendor access to individual domains or, even better, remove
vendor access and have platform manage cgroups exclusively.

Changes from original aosp/692189 which was reverted:
- There seem to be spurious denials from vendor-specific apps. So added
back access from { appdomain -all_untrusted_apps -priv_app } to cgroup.
Audit this access with intent to write explicit per-domain rules for it.

Bug: 110043362
Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates
/dev/memcg on a per app basis on a device that supports that.
Test: aosp_sailfish, wahoo boot without cgroup denials
This reverts commit cacea25ed0.
Change-Id: I05ab404f348a864e8409d811346c8a0bf49bc47a
2018-10-10 17:41:09 -07:00
Nick Kralevich
6695c50dee enable ioctl filtering on other filesystem types
ebc3a1a34c enabled ioctl filtering on
normal files and directories. However, no per-ioctl permissions were
enforced for symbolic links, named pipes ("mkfifo"), or
named sockets.

Start enforcing fine-grain ioctl restrictions for symbolic links, named
pipes, and named sockets.

Motivation: Prevent FS_IOC_ENABLE_VERIFY and FS_IOC_MEASURE_VERITY from
being usable on nonsensical filesystem objects and provide a layer of
defense for kernel bugs.

Test: Device boots and no obvious problem.
Change-Id: Id81b496ab64f37a0918f3dfd8fa9aaa3227009cc
2018-10-10 10:07:32 -07:00
Nick Kralevich
ebc3a1a34c Move to ioctl whitelisting for plain files / directories
Remove kernel attack surface associated with ioctls on plain files. In
particular, we want to ensure that the ioctls FS_IOC_ENABLE_VERITY and
FS_IOC_MEASURE_VERITY are not exposed outside a whitelisted set of
entities. However, it's straight forward enough to turn on ioctl
whitelisting for everything, so we choose to do so.

Test: policy compiles and device boots
Test: device boots with data wipe
Test: device boots without data wipe
Change-Id: I545ae76dddaa2193890eeb1d404db79d1ffa13c2
2018-10-10 13:02:57 +00:00
Nick Kralevich
cacea25ed0 Revert "Constrain cgroups access."
This reverts commit 9899568f6c.

Reason for revert: Reports of high numbers of SELinux denials
showing up on the SELinux dashboard.

Bug: 110043362
Change-Id: Id8fc260c47ffd269ac2f15ff7dab668c959e3ab0
2018-10-10 04:25:17 +00:00
Tri Vo
9899568f6c Constrain cgroups access.
What changed:
- Removed cgroup access from untrusted and priv apps.
- Settings app writes to /dev/stune/foreground/tasks, so system_app domain
retains access to cgroup.
- libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used
abundantly in native code. So added a blanket allow rule for (coredomain - apps)
to access cgroups.
- For now, only audit cgroup access from vendor domains. Ultimately, we want to
either constrain vendor access to individual domains or, even better, remove
vendor access and have platform manage cgroups exclusively.

Bug: 110043362
Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates
/dev/memcg on a per app basis on a device that supports that.
Test: aosp_sailfish, wahoo boot without cgroup denials
Change-Id: I9e441b26792f1edb1663c660bcff422ec7a6332b
2018-10-09 23:42:06 +00:00
Tri Vo
93318192a0 asan: global read access to /system/asan.options
Bug: 117178352
Test: no denials to /system/asan.options on asan walleye
Change-Id: I6042693afb926a22a3e2be79bd2a7ba062806143
2018-10-08 17:27:06 +00:00
Martijn Coenen
ac097ac4c7 Add policy for apexd.
apexd is a new daemon for managing APEX packages installed
on the device. It hosts a single binder service, "apexservice".

Bug: 112455435
Test: builds, binder service can be registered,
      apexes can be accessed, verified and mounted
Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
2018-10-04 07:06:45 +00:00
Nick Kralevich
5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00
Nick Kralevich
ff1c765ff2 Label /system/usr/share/zoneinfo differently
/system/usr/share/zoneinfo is currently labeled zoneinfo_data_file,
a label shared with /data/misc/zoneinfo. However, each of these
directory locations has different security characteristics. In
particular, the files in /system/usr/share/zoneinfo must never be
writable, whereas /data/misc/zoneinfo may be written to by system_server.
Reusing the same label hides these different security characteristics.

Create a separate label for /system/usr/share/zoneinfo.

Test: Device boots and no obvious problems.
Change-Id: I8cf16ff038b06b38f77388e546d9b7a6865f7879
2018-09-27 10:18:40 -07:00
Jeff Vander Stoep
0b67bb88e5 Further lock down app data
Assert that only apps and installd may open private app files.

Remove "open" permission for mediaserver/vold and remove their
neverallow exemption.

Test: verify no related audit messages in the logs.
Test: build
Fixes: 80300620
Fixes: 80418809
Bug: 80190017
Change-Id: If0c1862a273af1fedd8898f334c9b0aa6b9be728
2018-09-22 22:38:42 -07:00
Tri Vo
5c1fe61eaa More granular vendor access to /system files.
This change limits global access to /system files down to:
/system/bin/linker*
/system/lib[64]/*
/system/etc/ld.config*
/system/etc/seccomp_policy/*
/system/etc/security/cacerts/*
/system/usr/share/zoneinfo/*

Bug: 111243627
Test: boot device, browse internet without denials to system_* types.
Test: VtsHalDrmV1_{1, 0}TargetTest without denials
Change-Id: I69894b29733979c2bc944ac80229e84de5d519f4
2018-09-20 03:07:50 +00:00
Benjamin Gordon
342362ae3e sepolicy: grant dac_read_search to domains with dac_override
kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order
of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of
dac_override and dac_read_search checks.  Domains that have dac_override
will now generate spurious denials for dac_read_search unless they also
have that permission.  Since dac_override is a strict superset of
dac_read_search, grant dac_read_search to all domains that already have
dac_override to get rid of the denials.

Bug: 114280985
Bug: crbug.com/877588
Test: Booted on a device running 4.14.
Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
2018-09-19 15:54:37 -06:00
Tri Vo
ca4217e211 system_writes_mnt_vendor_violators for device launched before P.
In cases when a device upgrades to system-as-root from O to P, it needs a mount
point for an already existing partition that is accessed by both system and
vendor.

Devices launching with P must not have /mnt/vendor accessible to system.

Bug: 78598545
Test: m selinx_policy
Change-Id: Ia7bcde44e2b8657a7ad9e0d9bae7a7259f40936f
2018-09-17 19:26:12 -07:00
Nick Kralevich
095fbea563 Strengthen ptrace neverallow rules
Add additional compile time constraints on the ability to ptrace various
sensitive domains.

llkd: remove some domains which llkd should never ptrace, even on
debuggable builds, such as kernel threads and init.

crash_dump neverallows: Remove the ptrace neverallow checks because
it duplicates other neverallow assertions spread throughout the policy.

Test: policy compiles and device boots
Change-Id: Ia4240d1ce7143b983bb048e046bb4729d0af5a6e
2018-09-14 18:32:20 +00:00
Hridya Valsaraju
073efc34e7 Allow fastbootd to wipe metadata.
Metadata needs to be erased as part of fastboot flashall -w.

Test: fastboot erase metadata
Bug: 113648914
Change-Id: I38a0debd9face16cad9d9a13a48549f3f58652fa
2018-09-13 17:55:28 +00:00
Nick Kralevich
6cf9160e82 add links to docs explaining motivations behind neverallow assertions.
Test: comments only. Policy compiles.
Change-Id: Ic51533d37fff6c553950a122f33a48e3c119c67c
2018-09-12 15:53:48 -07:00
Martijn Coenen
a720d3d00a Allow init to use binder.
But in a very restricted form:
1) Nobody can initiate calls into init
2) Nobody can transfer binder objects into init, except servicemanager

Bug: 112684055
Test: device boots
Change-Id: Icfb218f2871e234284c74e096eccd7a2e786cf94
2018-09-11 07:28:59 +00:00
Nick Kralevich
eef72d34b4 dumpstate: remove JIT and /data execute
Not needed for modern Android versions. These rules are really, really
old.

Test: "adb bugreport" continues to work
Test: Generating a bugreport via key combo continues to work.
Change-Id: Ibc1157fb36abd7fc701db3819474f25210a3cb5f
2018-09-06 13:28:34 -07:00
Mark Salyzyn
275ea12d84 llkd: Add stack symbol checking
llkd needs the ptrace capabilities and dac override to monitor for
live lock conditions on the stack dumps.

Test: compile
Bug: 33808187
Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126
2018-09-04 17:02:30 +00:00
Mark Salyzyn
0722b5aab6 init: drop /dev/keychord access
Test: compile
Bug: 64114943
Change-Id: I1d20cc027dbd1a94e2a79b6aebdd265cefe8a6a5
2018-08-28 10:33:49 -07:00
Benjamin Gordon
7ed266c678 sepolicy: Fix references to self:capability
commit 9b2e0cbeea added a new
self:global_capability_class_set macro that covers both self:capability
and self:cap_userns.  Apply the new macro to various self:capability
references that have cropped up since then.

Bug: 112307595
Test: policy diff shows new rules are all cap_userns
Change-Id: I3eb38ef07532a8e693fd549dfdbc4a6df5329609
2018-08-21 15:55:23 +00:00
Jerry Zhang
1d85efa9f4 Add sepolicy for fastbootd
Also allow adb and fastboot to talk to recovery
through recovery_socket. This enables changing
between modes with usb commands.

Test: No selinux denials
Bug: 78793464
Change-Id: I80c54d4eaf3b94a1fe26d2280af4e57cb1593790
2018-08-15 08:45:22 -07:00
Florian Mayer
c2ab15b798 Revert "Add sepolicy for fastbootd"
This reverts commit 0fd3ed3b8b.

Reason for revert: Broke user builds.

Change-Id: If95f1a25d22425a5a2b68a02d1561352fb5a52f0
2018-08-15 09:38:40 +00:00
Steven Moreland
fa3c138a9c Remove old incidentd socket allow.
Forgotten cleanup item.

Bug: 35870313
Test: making sepolicy (neverallows resolved at compile time)
Change-Id: If9a583c4508db63356869502ec374727afa84b0b
2018-08-14 23:47:00 +00:00
Jerry Zhang
0fd3ed3b8b Add sepolicy for fastbootd
Also allow adb and fastboot to talk to recovery
through recovery_socket. This enables changing
between modes with usb commands.

Test: No selinux denials
Bug: 78793464
Change-Id: I1f97659736429fe961319c642f458c80f199ffb4
2018-08-14 20:21:36 +00:00
Tri Vo
44b7d5b80c neverallow fwk access to /vendor
This rule prevents adding further fwk->vendor access.
Left a TODO to clean up already existing access.

Bug: 37168747
Test: build sailfish, walleye policies
Change-Id: I5e61d0b94b81df228628dba5746e084f291a7904
2018-08-11 16:04:49 -07:00
Nick Kralevich
f3eb985447 Remove legacy execmod access from API >= 26.
Text relocation support was removed from the linker for apps targeting
API >= 23. See
https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23

However, the security policy was not updated to remove the execmod
permission at that time, since we didn't have support for targeting
SELinux policies to API versions.

Remove execmod permissions for apps targeting API 26 or greater. The
linker support was removed, so it's pointless to keep around the SELinux
permissions.

Retain execmod support for apps targeting API 25 or lower. While in
theory we could remove support for API 23-25, that would involve the
introduction of a new SELinux domain (and the associated rule
explosion), which I would prefer to avoid.

This change helps protect application executable code from modification,
enforcing W^X properties on executable code pages loaded from files.
https://en.wikipedia.org/wiki/W%5EX

Test: auditallow rules were added and nothing triggered for apps
      targeting API >= 26. Code compiles and device boots.
Bug: 111544476

Change-Id: Iab9a0bd297411e99699e3651c110e57eb02a3a41
2018-08-08 01:39:09 +00:00
Tri Vo
dd253e9019 Add support for RS vendor executables.
/vendor/bin/bcc being a dependency of renderscript should be labeled as
same_process_hal_file. To facilitate that we relax neverallow rules for
executing same_process_hal_file from coredomain.

See details on /vendor/bin/bcc:
https://source.android.com/devices/architecture/vndk/renderscript

Bug: n/a
Test: build-time change
Change-Id: Ie996fb863090bf08b3d3ef653da827d0b22937d7
2018-08-07 23:05:08 +00:00
Nick Kralevich
bd3e300a13 Relax some neverallow rules
Kernels above 4.14 have a new mmap permission. However, neverallow rules
exclude the use of mmap, even when file FDs are passable across the
vendor/non-vendor boundary. Since we allow reading / writing of passed
file descriptors, also allow the use of mmap for passed file
descriptors.

Bug: 112171217
Test: policy compiles
Change-Id: I8176f86960bdff0cf5de770809510e9df5d62db9
2018-08-07 13:47:36 -07:00
Nick Kralevich
d90d001a78 Revert "Remove legacy execmod access."
This reverts commit 0f11ffccf9.

Reason for revert: libmono crashes

Bug: 112292089
Bug: 111544476
Test: policy compiles, device boots
Change-Id: I064090aa9337cf17b80cd2c9af9342df851a3b27
2018-08-07 17:03:07 +00:00