Commit graph

34 commits

Author SHA1 Message Date
Kweku Adams
985db6d8dd Allowing incidentd to get stack traces from processes.
Bug: 72177715
Test: flash device and check incident output
Change-Id: I16c172caec235d985a6767642134fbd5e5c23912
2018-04-04 16:00:23 +00:00
Yi Jin
76238cd4ef Allow incidentd to read LAST_KMSG only for userdebug builds
Bug: 73354384
Test: manual
Change-Id: Iaaeded69c287eae757aaf68dc18bc5a0c53b94e6
2018-03-30 10:15:24 -07:00
Primiano Tucci
feaf22b130 Reland: perfetto: allow traced_probes to execute atrace
This CL adds the SELinux permissions required to execute
atrace and get userspace tracing events from system services.
This is to enable tracing of events coming from surfaceflinger,
audio HAL, etc.
atrace, when executed, sets a bunch of debug.atrace. properties
and sends an IPC via binder/hwbinder to tell the services to
reload that property.

This CL does NOT affect systrace. In that case (i.e. when
atrace is executed from adb/shell) atrace still runs in
the shell domain and none of those changes apply.

Change-Id: I11b096d5c5c5593f18bce87f06c1a7b1ffa7910e
Bug: b/73340039
2018-03-22 01:51:39 +00:00
Jerry Zhang
1d40154575 Add functionfs access to system_server.
UsbDeviceManager in system_server now
helps set up the endpoint files.

Bug: 72877174
Test: No selinux denials
Change-Id: I96b11ee68799ac29b756d2034e7f5e4660dbed98
2018-03-01 12:07:15 -08:00
Primiano Tucci
b4b31f9d72 Allow perfetto traced_probes to access tracefs on user
Allows the traced_probes daemon to access the core ftrace
functionalities on user builds. Specifically this involves:
- Whitelisting the per_cpu/ subdirectory to access:
  1) trace_pipe_raw file to allow perfetto to read the raw
     ftrace buffer (rather than the text-based /trace endpoint)
  2) cpuX/stats and cpuX/buffer_size_kb that allow to
     tune the buffer size per-cpu pipe and to get basic
     statistics about the ftrace buffer (#events, overruns)
- Whitelistiing the full event directories rather than the
  /enable files. This gives also access to the /format files
  for the events that are already enabled on user builds.
  /format files simply describe the memory layout
  of the binary logs. Example: https://ghostbin.com/paste/f8m4k

This still does NOT allow enabling the events labeled as
"_debug" (mostly events that return activity on inodes).
We'll deal with that separately as soon as we get a POC
of inode resolution and a sensible blacklist/whitelist model.

Bug: 70942310
Change-Id: Ic15cca0a9d7bc0e45aa48097a94eadef44c333f8
2018-02-13 15:54:11 +00:00
Carmen Jackson
2c8ca45d2d Use a whitelisting strategy for tracefs.
This changes tracefs files to be default-enabled in debug mode, but
default-disabled with specific files enabled in user mode.

Bug: 64762598
Test: Successfully took traces in user mode.

Change-Id: I572ea22253e0c1e42065fbd1d2fd7845de06fceb
2018-02-05 10:03:06 -08:00
Jeff Vander Stoep
de04528c3b Enable Traceur on user builds.
Test: Standard Traceur workflow works successfully with no
selinux denials on a user build.
Bug: 64762598
Change-Id: I0dfe506d463b63d70c5bda03f8706041ea7ab448
2018-02-02 12:46:36 -08:00
Tom Cherry
9c778045b2 Remove vendor_init from coredomain
vendor_init exists on the system partition, but it is meant to be an
extention of init that runs with vendor permissions for executing
vendor scripts, therefore it is not meant to be in coredomain.

Bug: 62875318
Test: boot walleye
Merged-In: I01af5c9f8b198674b15b90620d02725a6e7c1da6
Change-Id: I01af5c9f8b198674b15b90620d02725a6e7c1da6
2018-01-29 18:07:41 +00:00
Tri Vo
218d87c01c dumpstate: remove access to 'proc' and 'sysfs' types.
And grant appropriate permissions to more granular types.

Bug: 29319732
Bug: 65643247
Test: adb bugreport; no new denials to /proc or /sys files.

Change-Id: Ied99546164e79bfa6148822858c165177d3720a5
2018-01-23 03:24:37 +00:00
Tri Vo
f92cfb9e4f priv_app: remove access to 'proc' and 'sysfs' types.
Bug: 65643247
Test: walleye boots with no denials from priv_app.

Change-Id: I9a7faf1253bdd79d780c2398c740109e2d84bc63
2018-01-20 01:05:56 +00:00
Tri Vo
06d7dca4a1 Remove proc and sysfs access from system_app and platform_app.
Bug: 65643247
Test: manual
Test: browse internet
Test: take a picture
Change-Id: I9faff44b7a025c7422404d777113e40842ea26dd
2018-01-20 01:05:21 +00:00
Tri Vo
5dab913441 neverallow shell access to 'device' type
Bug: 65643247
Test: builds, the change doesn't affect runtime behavior.

Change-Id: I621a8006db7074f124cb16a12662c768bb31e465
2018-01-18 21:56:00 +00:00
Tri Vo
48027a0067 storaged: remove access to sysfs_type
Bug: 68388678
Test: storaged-unit-tests
Change-Id: Iea1ba0131a389dc4396ff3ebe2cdf68dbd688c8a
2018-01-16 18:39:29 -08:00
Primiano Tucci
c80f9e037b Perfetto SELinux policies
Perfetto is a performance instrumentation and logging framework,
living in AOSP's /external/pefetto.
Perfetto introduces in the system one binary and two daemons
(the binary can specialize in either depending on the cmdline).

1) traced: unprivileged daemon. This is architecturally similar to logd.
   It exposes two UNIX sockets:
   - /dev/socket/traced_producer : world-accessible, allows to stream
     tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS
     from traced to each client process, which needs to be able to
     mmap it R/W (but not X)
   - /dev/socket/traced_consumer : privilege-accessible (only from:
     shell, statsd). It allows to configure tracing and read the trace
     buffer.
2) traced_probes: privileged daemon. This needs to:
   - access tracingfs (/d/tracing) to turn tracing on and off.
   - exec atrace
   - connect to traced_producer to stream data to traced.

init.rc file:
https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc

Bug: 70942310
Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2018-01-10 00:18:46 +00:00
Max Bires
4ea5569f53 Adding a traceur_app domain to remove it from shell
This CL creates a traceur_app domain with userdebug privileges akin to
what shell has with regards to being able to find most services on
device. Previously, traceur was running as shell which was an
unintentional abuse of selinux architecture.

Bug: 68126425
Test: Traceur functions outside of shell user privilege
Change-Id: Ib5090e7e8225ad201b3ec24b506fe2717101d0f1
2018-01-02 15:29:03 -08:00
Tri Vo
d276b4349d Remove access to 'sysfs' files from healtd and charger.
We rely on vendors to label all dependencies of healthd/charger under
/sys/class/power_supply with sysfs_batteryinfo type.

Bug: 65643247
Bug: 32659667
Test: boots without denials from healthd, to sysfs_batteryinfo or to
sysfs_msm_subsys.
Test: charging with device turned off works without /sys denials.

Change-Id: I893f309ecad8a0caf7d0b81f5f945725907255c2
2017-12-11 16:31:24 +00:00
Andreas Gampe
e40d676058 Sepolicy: Update rules for perfprofd
Follow along with updates in the selinux policy.

Test: m
Test: manual
Change-Id: I0dfc6af8fbfc9c8b6860490ab16f02a220d41915
2017-12-08 15:21:09 -08:00
Benjamin Gordon
9b2e0cbeea sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-21 08:34:32 -07:00
Tri Vo
c4ef363006 shell: neverallow access to 'proc' label.
Added access to proc_uptime and proc_asound to address these denials:

avc: denied { read } for name="uptime" dev="proc" ino=4026532080
scontext=u:r:shell:s0 tcontext=u:object_r:proc_uptime:s0 tclass=file
permissive=1

avc: denied { getattr } for path="/proc/asound/version" dev="proc"
ino=4026532017 scontext=u:r:shell:s0 tcontext=u:object_r:proc_asound:s0
tclass=file permissive=1

Bug: 65643247
Test: device boots with no denial from 'shell' domain.
Test: lsmod, ps, top, netstat
Test: No denials triggered from CtsSecurityHostTestCases
Test: external/toybox/run-tests-on-android.sh does not pass, but triggers
no denials from 'shell' domain to 'proc' type.

Change-Id: Ia4c26fd616e33e5962c6707a855dc24e338ec153
2017-11-17 18:39:07 +00:00
Tri Vo
2ea12cd345 mediaserver: remove access to 'sysfs' type.
Bug: 65643247
Test: cts-tradefed run cts-dev -m \
CtsMediaTestCases --compatibility:module-arg \
CtsMediaTestCases:include-annotation:\
android.platform.test.annotations.RequiresDevice
No denials from mediaserver domain to sysfs type are observed.
Change-Id: Icb5c12f04af213452d82e226993fe13085c5c33f
2017-11-16 17:34:14 -08:00
Tri Vo
7dd4d90628 update_verifier: neverallow access to 'sysfs' label.
Bug: 65643247
Test: aosp_walleye-userdebug builds
Test: aosp_sailfish-userdebug builds
Change-Id: Iaebd368b84259783fbdc4778988bdb7ba0df300b
2017-11-14 19:27:55 -08:00
Tri Vo
23e58d1970 Revert "update_verifier: neverallow access to 'sysfs' label."
This reverts commit a61b99bba3.

Reason for revert: breaks aosp_walleye-userdebug

Change-Id: I3246b8cac862b53fc76609df60b90149fbc8098d
2017-11-13 21:24:53 +00:00
Tri Vo
a61b99bba3 update_verifier: neverallow access to 'sysfs' label.
Bug: 65643247
Test: walleye-userdebug builds
Change-Id: I12d8239ca85bb68eab76a2d0001a722fea3045c5
2017-11-13 10:29:21 -08:00
Tri Vo
84e181bcd7 init: label /proc dependencies and remove access to proc
New types and files labeled with them:
1. proc_abi:
  /proc/sys/abi/swp

2. proc_dirty:
  /proc/sys/vm/dirty_background_ratio
  /proc/sys/vm/dirty_expire_centisecs

3. proc_diskstats:
  /proc/diskstats

4. proc_extra_free_kbytes:
  /proc/sys/vm/extra_free_kbytes

5. proc_hostname:
  /proc/sys/kernel/domainname
  /proc/sys/kernel/hostname

6. proc_hung_task:
  /proc/sys/kernel/hung_task_timeout_secs

7. proc_max_map_count:
  /proc/sys/vm/max_map_count

8. proc_panic:
  /proc/sys/kernel/panic_on_oops

9. proc_sched:
  /proc/sys/kernel/sched_child_runs_first
  /proc/sys/kernel/sched_latency_ns
  /proc/sys/kernel/sched_rt_period_us
  /proc/sys/kernel/sched_rt_runtime_us
  /proc/sys/kernel/sched_tunable_scaling
  /proc/sys/kernel/sched_wakeup_granularity_ns

10. proc_uptime:
  /proc/uptime

Files labeled with already existing types:
1. proc_perf:
  /proc/sys/kernel/perf_event_paranoid

2. proc_sysrq:
  /proc/sys/kernel/sysrq

3. usermodehelper:
  /proc/sys/kernel/core_pipe_limit

Changes to init domain:
1. Removed access to files with 'proc' label.
2. Added access to newly introduced types + proc_kmsg.

Bug: 68949041
Test: walleye boots without denials from u:r:init:s0.
Test: system/core/init/grab-bootchart.sh does not trigger denials from
u:r:init:s0
Change-Id: If1715c3821e277679c320956df33dd273e750ea2
2017-11-08 14:46:09 -08:00
Tri Vo
19f8b868f0 system_server: neverallow sysfs file access.
Bug: 65643247
Test: build aosp_sailfish-userdebug
Test: build walleye-userdebug from internal
Change-Id: Ic7a212ce226dcfa4b363ed1acd3b2a249cee576b
2017-11-07 04:05:38 +00:00
Tri Vo
5aac163bb7 radio: neverallow access to proc and sysfs types.
Bug: 65643247
Test: build aosp_sailfish-userdebug
Test: build walleye-userdebug from internal
This CL does not change runtime behavior.
Change-Id: I82c520579b986ea2a4a6f030ec60d5345c00b54f
2017-11-03 12:18:47 -07:00
Tri Vo
233c7a6b40 Neverallow coredomain to kernel interface files.
Core domains should not be allowed access to kernel interfaces,
which are not explicitly labeled. These interfaces include
(but are not limited to):

1. /proc
2. /sys
3. /dev
4. debugfs
5. tracefs
6. inotifyfs
7. pstorefs
8. configfs
9. functionfs
10. usbfs
11. binfmt_miscfs

We keep a lists of exceptions to the rule, which we will be gradually shrinking.
This will help us prevent accidental regressions in our efforts to label
kernel interfaces.

Bug: 68159582
Bug: 68792382
Test: build aosp_sailfish-user
Test: build aosp_sailfish-userdebug
Test: CP to internal and build walleye-user
Change-Id: I1b2890ce1efb02a08709a6132cf2f12f9d88fde7
2017-11-02 10:12:27 -07:00
Tobias Thierer
83a06805f0 Revert "Neverallow coredomain to kernel interface files."
This reverts commit 502e43f7d9.

Reason for revert: Suspected to have broken a build, see b/68792382

Bug: 68792382
Change-Id: Ib5d465b7a50a73e3d8d8edd4e6b3426a7bde4249
2017-11-02 16:03:36 +00:00
Tri Vo
502e43f7d9 Neverallow coredomain to kernel interface files.
Core domains should not be allowed access to kernel interfaces,
which are not explicitly labeled. These interfaces include
(but are not limited to):

1. /proc
2. /sys
3. /dev
4. debugfs
5. tracefs
6. inotifyfs
7. pstorefs
8. configfs
9. functionfs
10. usbfs
11. binfmt_miscfs

We keep a lists of exceptions to the rule, which we will be gradually shrinking.
This will help us prevent accidental regressions in our efforts to label
kernel interfaces.

Bug: 68159582
Test: bullhead, sailfish can build
Change-Id: I8e466843e1856720f30964546c5c2c32989fa3a5
2017-10-31 16:20:58 -07:00
Shawn Willden
a0c7f01299 Add keystore_key:attest_unique_id to priv_app.
Only privileged apps are supposed to be able to get unique IDs from
attestation.

Test: CTS test verifies the negative condition, manual the positive
Bug: 34671471
Change-Id: I9ab3f71b1e11ed1d7866ff933feece73152d2578
2017-04-12 06:39:14 -06:00
Nick Kralevich
d419ed8fb7 Remove crash_dump from sys_ptrace neverallow exception
CAP_SYS_PTRACE is no longer used by crash_dump. There's no reason to
exclude it from the neverallow compile time assertion.

Test: policy compiles.
Change-Id: Ib2dced19091406553c16e6ce538cfb68bbc1e5aa
2017-02-16 09:17:35 -08:00
Josh Gao
cb3eb4eef9 Introduce crash_dump debugging helper.
Replace the global debuggerd with a per-process debugging helper that
gets exec'ed by the process that crashed.

Bug: http://b/30705528
Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>`
Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed
2017-01-18 15:03:24 -08:00
ynwang
e68d2d2c72 Storaged permissions for task I/O
Allow storaged to read /proc/[pid]/io
Grant binder access to storaged
Add storaged service
Grant storaged_exec access to dumpstate
Grant storaged binder_call to dumpstate

Bug: 32221677

Change-Id: Iecc9dba266c5566817a99ac6251eb943a0bac630
2017-01-07 01:12:51 +00:00
dcashman
2e00e6373f sepolicy: add version_policy tool and version non-platform policy.
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-12-06 08:56:02 -08:00