Commit graph

2732 commits

Author SHA1 Message Date
Yabin Cui
ffa2b61330 Add runas_app domain to allow running app data file via run-as.
Calling execve() on files in an app's home directory isn't allowed
for targetApi >=29. But this is needed by simpleperf to profile
a debuggable app via run-as.
So workaround it by adding runas_app domain, which allows running
app data file. And add a rule in seapp_contexts to use runas_app
domain for setcontext requests from run-as.

Bug: 118737210
Test: boot marlin and run CtsSimpleperfTestCases.
Change-Id: I5c3b54c95337d6d8192861757b858708174ebfd5
2018-11-07 18:11:40 +00:00
Yabin Cui
5dc2c8c740 Revert "Revert "Enforce execve() restrictions for API > 28""
This reverts commit 15d1a12f7f.

Bug: 118737210
Bug: 112357170
Test: boot marlin
Change-Id: Idcfab04b48f843eead4efa9f58a1337c6685c6ca
2018-11-07 18:07:18 +00:00
Tri Vo
2bb0085dbd Merge "Don't label /dev/{ akm8973.* accelerometer } from system sepolicy" 2018-11-06 22:43:49 +00:00
Tri Vo
fe39ed33dc Don't label /dev/{ akm8973.* accelerometer } from system sepolicy
These /dev nodes are device-specific and should be labeled from device
policy. Moreover, pixels don't have these /dev nodes.

Bug: 110962171
Test: boot pixel 3
Change-Id: I37ca9a956130eb4763c75f5e8a0decbd4f7b97a7
2018-11-06 10:20:50 -08:00
Felipe Leme
5bf0c6369b New service: intelligence_service
Bug: 111276913
Test: manual verification

Change-Id: Icb309bb07e4e4b39cdc912b1d3dc1ece9cb55f5f
2018-11-05 09:18:03 -08:00
Treehugger Robot
5c48444346 Merge "Update access_vectors" 2018-11-02 19:46:37 +00:00
Nick Kralevich
ced51ddd7c Merge "tun_device: enforce ioctl restrictions" 2018-11-02 12:21:04 +00:00
Jiyong Park
b3b94614f7 apexd exports its status via sysprop
A sysprop apexd.status is set by apexd, to that other components (i.e.
init) can determine whether APEXs are all successfully mounted or no
(i.e., being mounted).

The sysprop is only writable by apexd.

Bug: 117403679
Test: adb shell getprop apexd.status returns 'ready'.
Change-Id: I81bcb96e6c5cb9d899f29ffa84f91eab3820be25
2018-11-02 12:23:42 +09:00
Nick Kralevich
ea1775dcb5 Update access_vectors
Update access_vectors to support newer kernel functionality.
This change does not grant any new access.

Inspired by the following refpolicy commits:
* 25a5b24274
* 109ab3296b
* 437e48ac53

Bug: 118843234
Test: policy compiles
Change-Id: I7c5a8dcf288dc2321adcf368bd0c0573c5257202
2018-11-01 19:53:50 -07:00
Nick Kralevich
619c1ef2ac tun_device: enforce ioctl restrictions
Require all SELinux domains which have permission to perform ioctls on
/dev/tun explicitly specify what ioctls they perform. Only allow the
safe defaults FIOCLEX and FIONCLEX, which are alternate, uncommon ways
to set and unset the O_CLOEXEC flag.

Remove app's ability to issue *any* ioctls on /dev/tun, period. Add
neverallow assertions (compile time assertion + CTS test) to prevent
regressions.

Limit system_server's ability to perform ioctls on /dev/tun to FIOCLEX,
FIONCLEX, TUNGETIFF, and TUNSETIFF. Testing and source code examination
shows that only TUNGETIFF and TUNSETIFF are used by system_server.

The goal of this change is to put SELinux ioctl controls in place for
/dev/tun, so we don't have to maintain the custom kernel patch at
11cee2be0c%5E%21

Delete the neverallow assertion in isolated_app.te. This is already
covered by the assertion present in app_neverallows.te.

Test: cts-tradefed run cts -m CtsHostsideNetworkTests -t com.android.cts.net.HostsideVpnTests
Test: cts-tradefed run cts -m CtsHostsideNetworkTests
Test: cts-tradefed run cts -m CtsNetTestCases
Bug: 111560739
Bug: 111560570
Change-Id: Ibe1c3a9e880db0bee438535554abdbc6d84eec45
2018-11-01 12:13:27 -07:00
Hongyi Zhang
a6f989241b sepolicy for server configurable flags
Test: manual on device
Change-Id: Ibafe1b345489c88a49a7ed3e2e61e5cc5e1880a1
2018-11-01 03:28:56 +00:00
Nick Kralevich
00252207f8 isolated_app: add mmaps
Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap")
added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation). system/sepolicy commit
4397f08288 introduced the permission to
Android and updated common macros. Since then, we've been adding more
mmap support where it was accidentally omitted.

Add the ability for isolated_apps to mmap() app data files. There's no
reason why this should be blocked. Also fixup sdcard access which has
similar problems.

Bug: 118760652
Bug: https://crbug.com/892014
Test: policy compiles.
Change-Id: I3823f313103c9dcedf3b21d081a22f8fbb271c02
2018-10-31 12:55:01 -07:00
Nick Kralevich
caf42d615d Transient SELinux domain for system_server JIT
Create a transient SELinux domain where system_server can perform
certain JIT setup. The idea is that system_server will start in the
system_server_startup domain, setup certain JIT pages, then perform a
one-way transition into the system_server domain. From that point,
further JITing operations are disallowed.

Bug: 62356545
Test: device boots, no permission errors
Change-Id: Ic55b2cc5aba420ebcf62736622e08881a4779004
2018-10-31 12:32:01 +00:00
Treehugger Robot
29db0ebf3d Merge "Revert "Enforce execve() restrictions for API > 28"" 2018-10-31 09:31:02 +00:00
Nick Kralevich
15d1a12f7f Revert "Enforce execve() restrictions for API > 28"
This reverts commit 0dd738d810.

Reason for revert: CtsSimpleperfTestCases CTS test case failures.
See b/118704604 for details.

Bug: 112357170
Bug: 118704604
Change-Id: Ibe921f3bbc3404694542ef695883c1a30777d68b
2018-10-31 03:40:13 +00:00
Nick Kralevich
c4cf98605d Revert "SELinux changes for AppFuse"
This reverts commit 67ed4328eb.

Reason for revert: Broken CTS test. See b/118642091

Bug: 118642091
Bug: 110379912
Change-Id: I5afd16bf23149c74f2740720cdd248a255ff1497
2018-10-30 03:30:55 +00:00
Treehugger Robot
581e6c471c Merge "Enforce execve() restrictions for API > 28" 2018-10-29 21:07:36 +00:00
Nick Kralevich
0dd738d810 Enforce execve() restrictions for API > 28
untrusted_app: Remove the ability to run execve() on files within an
application's home directory. Executing code from a writable /home
directory is a W^X violation (https://en.wikipedia.org/wiki/W%5EX).
Additionally, loading code from application home directories violates a
security requirement that all executable code mapped into memory must
come from signed sources, or be derived from signed sources.

Note: this change does *not* remove the ability to load executable code
through other mechanisms, such as mmap(PROT_EXEC) of a file descriptor
from the app's home directory. In particular, functionality like
dlopen() on files in an app's home directory continues to work even
after this change.

untrusted_app_25 and untrusted_app_27: For backwards compatibility,
continue to allow these domains to execve() files from the
application's home directory.

seapp_contexts: Bump the minimum API level required to enter the
untrusted_app domain. This will run API level 27-28 processes in
the API level 27 sandbox. API level 28 will continue to run with
levelFrom=all, and API level 27 will continue to run with
levelFrom=user.

Bug: 112357170
Test: Device boots and no obvious problems.
Test: See CTS test at https://android-review.googlesource.com/c/platform/cts/+/804228
Change-Id: Ief9ae3a227d16ab5792f43bacbb577c1e70185a0
2018-10-29 09:24:09 -07:00
Nick Kralevich
e1ddd741de drop priv_app app_data_file:file execute;
system/sepolicy commit 23c9d91b46
introduced a new type called privapp_data_file. This type is used to
label priv-app's /home files. For backwards compatibility, priv-app
rules involving normal app_data_files were preserved. Subsequently,
system/sepolicy commit 5d1755194a
assigned the file label privapp_data_file to /home files owned
by priv-apps.

Because of the previous labeling of priv-app data files, priv-apps were
granted the ability to mmap(PROT_EXEC) any other app's /home files,
regardless of how trustworthy or untrustworthy those files were. Commit
23c9d91b46 preserved the status quo.
However, now that we have a more refined label for priv-app /home files,
we no longer need to be as permissive.

Drop the ability for priv-apps to map executable code from
untrusted_apps home directories. "execute" is removed in this change,
and "execute_no_trans" was previously removed in commit
8fb4cb8bc2. Add a neverallow assertion
(compile time assertion + CTS test) to prevent regressions.

Further clarify why we need to support priv-apps loading executable code
from their own home directories, at least for now. b/112037137 covers
further tightening we can do in this area.

Bug: 112357170
Test: Device boots and no problems.
Change-Id: Ia6a9eb4c2ed8a02ad45644d025181ba3c8424cda
2018-10-27 15:20:38 -07:00
Treehugger Robot
de8dfc752c Merge "Switch to r_file_perms" 2018-10-26 22:51:47 +00:00
Nick Kralevich
0bfa7b5385 Switch to r_file_perms
The current rule is missing mmap. r_file_perm implicitly adds mmap, so
we should just use that instead.

Test: policy compiles.
Change-Id: I4051d1eb4c36a2b6ff2b5f26ce53355287cbe2b4
2018-10-26 13:25:51 -07:00
Risan
67ed4328eb SELinux changes for AppFuse
We are moving AppFuse mount from system_server's mount namespace to
vold. Hence, we could reduce the SELinux permissions given to
system_server, in the expense of adding allow rules to vold and
letting appdomain have access to vold's fd.

Bug: 110379912
Test: testOpenProxyFileDescriptor passes (after vold and
system_server code changes)

Change-Id: I4731a8ec846c5cb84ec4b680d51938494e8ddd75
2018-10-26 19:45:50 +00:00
Tri Vo
3eae9de2e8 Merge "same_process_hal_file: access to individual coredomains" 2018-10-26 18:03:13 +00:00
Tri Vo
90cf5a7fb3 same_process_hal_file: access to individual coredomains
Remove blanket coredomain access to same_process_hal_file in favor of
granular access. This change takes into account audits from go/sedenials
(our internal dogfood program)

Bug: 37211678
Test: m selinux_policy
Change-Id: I5634fb65c72d13007e40c131a600585a05b8c4b5
2018-10-26 18:03:01 +00:00
Tri Vo
5292449e3d Merge "Don't label /dev/tegra.* from core policy" 2018-10-26 18:02:30 +00:00
Jiyong Park
173a1d9add Allow apexd more ioctl cmds for loop devices
apexd is using following additional ioctl cmds to mount the mini
filesystem inside APEXs:

 LOOP_SET_STATUS64
 LOOP_SET_FD
 LOOP_SET_BLOCK_SIZE
 LOOP_SET_DIRECT_IO
 LOOP_CLR_FD

Test: m; m apex.test; adb push <the_built_apex> /data/apex; adb reboot

/apex/com.android.example.apex exists

Change-Id: I68388cc4f323e4fcff370c8cdc0958cbd827e9cc
2018-10-26 21:33:29 +09:00
Tri Vo
2ea956c03b Don't label /dev/tegra.* from core policy
/dev/tegra.* is not used in android platform and is device-specific

Bug: 110962171
Test: boot walleye
Change-Id: I4cc790d28457b429a3ed9829de223dae357eb498
2018-10-26 02:33:51 +00:00
Jiwen 'Steve' Cai
d5c5ef900c Sepolicy for bufferhub hwservice
Bug: 118124442
Test: device can boot with android.frameworks.bufferhub@1.0-service
      running
Change-Id: I1d186d5350671b0d2dd4e831429b8fba828316e0
2018-10-25 10:08:05 -07:00
Anton Hansson
564eb9d6d6 Merge "Properly escape dots in file_contexts filenames" 2018-10-25 11:25:17 +00:00
Treehugger Robot
554f18163a Merge "sepolicy: Allow apps to get info from priv_app by ashmem" 2018-10-24 18:02:23 +00:00
Anton Hansson
854adfd6a8 Merge "Add sepolicy for preloads_copy script" 2018-10-24 17:09:11 +00:00
Tom Cherry
fc1980eb8a Merge "Combine vendor-init-actionable with vendor-init-readable" 2018-10-24 15:52:06 +00:00
Anton Hansson
c6742dbbf9 Properly escape dots in file_contexts filenames
I found these with the regex (?<!\\)\.(?!\*|\+)

Test: make
Change-Id: I1c2e817d164b1074cb359cdb6d46bcf71e220765
2018-10-24 14:50:22 +01:00
Tom Cherry
30dd711157 Combine vendor-init-actionable with vendor-init-readable
Historically, vendor-init-actionable was created since the various
property_contexts files were not yet available when init parses its
scripts.  Since then, the property_contexts files are now always
available when init parses its scripts, so we can collapse these two
categories.

Specifically, this change ensures that all of the properties in the
previous 'stable_properties.h' file in init, which contained the
vendor-init-actionable properties, are able to be read by init
according to SEPolicy.

Bug: 71814576
Test: vendor_init fails to use non-readable properties as a trigger
Test: vendor_init successfully uses readable properties as a trigger

Change-Id: Ic6d9919b6047f3076a1a19fc26295c6a77aca627
2018-10-24 01:58:32 +00:00
Sudheer Shanka
95767cce45 Track vrcore_app SELinux denial
Bug: 118185801
Test: bug no. appears in the denial logs
Change-Id: Ib1d1bbbdf25e0e63ac8a7dec98aca08cafc3f870
2018-10-23 12:19:27 -07:00
Anton Hansson
edd13bc3b2 Add sepolicy for preloads_copy script
Copied from device/google/crosshatch-sepolicy.

Test: diff files in system/etc/selinux before and after for aosp_marlin
Change-Id: I518c43af9c217483bdab02424e4aef0270aad366
2018-10-23 17:11:36 +01:00
ji, zhenlong z
fdfa42bf29 sepolicy: Allow apps to get info from priv_app by ashmem
This is used to address a CTS testcase failure. This CTS
testcase need to access the content of Contact, some data
from ContactProvider is transfered through ashmem.

Currently ashmem is backed by the tmpfs filesystem, ContactProvider
in android run as a priv_app, so the file context of the ashmem
created by ContactProvider is priv_app_tmpfs. CTS runs as an
untrusted_app, need to be granted the read permission to the
priv_app_tmpfs files.

Bug: 117961216

[Android Version]:
android_p_mr0_r0

[Kernel Version]:
4.19.0-rc8

[CTS Version]:
cts-9.0_r1

[Failed Testcase]:
com.android.cts.devicepolicy.ManagedProfileTest#testManagedContactsPolicies

[Error Log]:
11-11 11:15:50.479 12611 12611 W AndroidTestSuit: type=1400 audit(0.0:811):
avc: denied { read } for path=2F6465762F6173686D656D202864656C6574656429
dev="tmpfs" ino=174636 scontext=u:r:untrusted_app:s0:c113,c256,c522,c768
tcontext=u:object_r:priv_app_tmpfs:s0:c522,c768 tclass=file permissive=0

[Test Result With This Patch]:
PASS

Change-Id: I45efacabe64af36912a53df60ac059889fde1629
2018-10-23 12:37:03 +08:00
Treehugger Robot
faba431221 Merge "priv_app: remove /proc/net access" 2018-10-22 17:33:48 +00:00
Nick Kralevich
674b168480 start enforcing ioctl restrictions on blk_file
am: 4c8eaba75a

Change-Id: Ic97b8aafa7f6edcf54e08230905b34500fbe677e
2018-10-19 00:00:42 -07:00
Nick Kralevich
acb41aca25 Move class bpf definition
am: f5a1b1bfa9

Change-Id: Idd4890670d766d71d4b2f6feb0066993ca079b90
2018-10-18 23:58:19 -07:00
Jiyong Park
6d474849e8 Allow apexd to realpath(3) on apex_key_files
am: ecc09871ba

Change-Id: I43f3d98669537d24879f3a734e2684968813e148
2018-10-18 23:46:29 -07:00
Nick Kralevich
4c8eaba75a start enforcing ioctl restrictions on blk_file
Start enforcing the use of ioctl restrictions on all Android block
devices. Domains which perform ioctls on block devices must be explicit
about what ioctls they issue. The only ioctls allowed by default are
BLKGETSIZE64, BLKSSZGET, FIOCLEX, and FIONCLEX.

Test: device boots and no problems.
Change-Id: I1195756b20cf2b50bede1eb04a48145a97a35867
2018-10-18 15:24:32 -07:00
Nick Kralevich
dfc3c33689 priv_app: remove /proc/net access
Remove most of /proc/net access for priv_apps. Files in /proc/net leak
unique device identifiers and side channel information about other app's
network connections.

Access for most third party applications was removed in commit
d78e07cbb7. This change applies the same
constraints to priv-apps that we apply to normal apps.

Bug: 114475727
Bug: 9496886
Bug: 68016944
Test: policy compiles and device boots
Change-Id: I5c41ba57fcd6b81d72c4f3a40b310d2188fc79c3
2018-10-18 09:44:50 -07:00
Nick Kralevich
f5a1b1bfa9 Move class bpf definition
No functional change. This reorg just makes it easier to perform diffs
against https://github.com/SELinuxProject/refpolicy/blob/master/policy/flask/access_vectors

Test: policy builds.
Change-Id: I10cf9547d57981c76ee7e76daa382bb504e36d0b
2018-10-18 09:08:26 -07:00
Jiyong Park
ecc09871ba Allow apexd to realpath(3) on apex_key_files
apexd uses realpath(3) to ensure that the public key file that will use
is under /system/etc/security/apex directory. In order to support it,
allow apexd to getattr on apex_key_files.

The canonicalization is required because the key name from APEX might be
wrong. For example, if the key name from an APEX is '../../some/path'
then apexd will use '/system/etc/security/apex/../../some/path' as the
public key file, which is incorrect.

Bug: 115721587
Test: m apex.test; m
/apex/com.android.example.apex@1 exists

Change-Id: I6dc5efa0de369f8497e4f6526e0164e2de589c67
2018-10-18 20:39:37 +09:00
Nick Kralevich
f00935a550 mediaprovider: add functionfs ioctl
am: a73f58aee1

Change-Id: I573c72eb0795862a498772e74cb7f230876fa914
2018-10-17 14:02:36 -07:00
Nick Kralevich
a73f58aee1 mediaprovider: add functionfs ioctl
Addresses the following denial:

type=1400 audit(0.0:51894): avc: denied { ioctl } for comm="MtpServer" path="/dev/usb-ffs/mtp/ep1" dev="functionfs" ino=30291 ioctlcmd=0x6782 scontext=u:r:mediaprovider:s0:c512,c768 tcontext=u:object_r:functionfs:s0 tclass=file permissive=0 app=com.android.providers.media

Test: policy compiles.
Change-Id: I5290abb2848e5824669dae4cea829d4cbea98ab4
2018-10-17 10:14:40 -07:00
Dario Freni
84a010c48c Allow apexd to create symlink in /apex.
am: bab267a88f

Change-Id: I2ae046cd9434b983abe6366bd72e595b48ddfdf4
2018-10-17 09:32:41 -07:00
Dario Freni
bab267a88f Allow apexd to create symlink in /apex.
Bug: 115710947
Test: on device
Change-Id: Ie712689d80fb829f16de70e865cac4f0ff4e9b35
2018-10-17 11:25:02 +01:00
Bowgo Tsai
0a2efc1698 Merge "Allow input config to be under /vendor/odm"
am: 247f061a65

Change-Id: Ibec2927b80068cedc0c7ba7391e6fe53d9ae0892
2018-10-16 17:27:24 -07:00