android/system-sepolicy.git
2 years agoRemove some priv_app logspam. master
Joel Galenson [Fri, 20 Apr 2018 22:27:21 +0000 (15:27 -0700)]
Remove some priv_app logspam.

avc: denied { search } for name="/" scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:fs_bpf:s0 tclass=dir permissive=0

Bug: 72749888
Test: Boot without seeing the denial.
Change-Id: Iaf3559928473c68066e6a42ba71655a683861901

2 years agoMerge "Allow dumpstate to read the update_engine logs"
Tianjie Xu [Fri, 20 Apr 2018 19:52:45 +0000 (19:52 +0000)]
Merge "Allow dumpstate to read the update_engine logs"

2 years agoMerge "Remove fixed bug from bug_map."
Alan Stokes [Fri, 20 Apr 2018 08:28:02 +0000 (08:28 +0000)]
Merge "Remove fixed bug from bug_map."

2 years agoA2DP offload: switch to new properties
Petri Gynther [Wed, 18 Apr 2018 05:13:27 +0000 (22:13 -0700)]
A2DP offload: switch to new properties

Bug: 63932139
Bug: 76201991
Test: Manual A2DP testing (A2DP offload enabled and disabled)
Change-Id: Icebb4a84cf241b3b6bc52e4826fdedd5a73d796a

2 years agoNeverallow unexpected domains to access bluetooth_prop and wifi_prop
Jaekyun Seok [Wed, 18 Apr 2018 02:24:15 +0000 (11:24 +0900)]
Neverallow unexpected domains to access bluetooth_prop and wifi_prop

And this CL will remove unnecessary vendor-init exceptions for nfc_prop
and radio_prop as well.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: I468b8fd907c6408f51419cfb58eb2b8da29118ae

2 years agoMerge "Allow vendor_init to access unencrypted_data_file"
Tom Cherry [Wed, 18 Apr 2018 22:08:57 +0000 (22:08 +0000)]
Merge "Allow vendor_init to access unencrypted_data_file"

2 years agoProtect dropbox service data with selinux
Jeff Vander Stoep [Mon, 16 Apr 2018 14:49:49 +0000 (07:49 -0700)]
Protect dropbox service data with selinux

Create a new label for /data/system/dropbox, and neverallow direct
access to anything other than init and system_server.

While all apps may write to the dropbox service, only apps with
android.permission.READ_LOGS, a signature|privileged|development
permission, may read them. Grant access to priv_app, system_app,
and platform_app, and neverallow access to all untrusted_apps.

Bug: 31681871
Test: atest CtsStatsdHostTestCases
Test: atest DropBoxTest
Test: atest ErrorsTests
Change-Id: Ice302b74b13c4d66e07b069c1cdac55954d9f5df

2 years agoAllow vendor_init to access unencrypted_data_file
Tom Cherry [Fri, 13 Apr 2018 00:30:56 +0000 (17:30 -0700)]
Allow vendor_init to access unencrypted_data_file

FBE needs to access these files to set up or verify encryption for
directories during mkdir.

Bug: 77850279
Test: walleye + more restrictions continues to have FBE work
Change-Id: I84e201436ce4531d36d1257d932c3e2e772ea05e
(cherry picked from commit 18a284405f519ae49898031a4bea70e5e2d2fdac)

2 years agoMerge "Sepolicy for rw mount point for vendors."
Tri Vo [Wed, 18 Apr 2018 19:32:32 +0000 (19:32 +0000)]
Merge "Sepolicy for rw mount point for vendors."

2 years agoRemove fixed bug from bug_map.
Alan Stokes [Wed, 18 Apr 2018 15:23:09 +0000 (16:23 +0100)]
Remove fixed bug from bug_map.

Bug: 77816522
Bug: 73947096

Test: Flashed device, no denial seen
Change-Id: Ib2f1fc670c9a76abbb9ff6747fec00fa5bcde5af

2 years agoMerge "Revert "Revert "Add /sys/kernel/memory_state_time to sysfs_power."""
Alan Stokes [Wed, 18 Apr 2018 09:32:18 +0000 (09:32 +0000)]
Merge "Revert "Revert "Add /sys/kernel/memory_state_time to sysfs_power."""

2 years agoAllow dumpstate to read the update_engine logs
Tianjie Xu [Wed, 11 Apr 2018 23:44:00 +0000 (16:44 -0700)]
Allow dumpstate to read the update_engine logs

Denial message:
avc: denied { read } for pid=2775 comm="dumpstate" name="update_engine_log"
dev="sda35" ino=3850274 scontext=u:r:dumpstate:s0
tcontext=u:object_r:update_engine_log_data_file:s0 tclass=dir permissive=0

Bug: 78201703
Test: take a bugreport
Change-Id: I2c788c1211812aa0fcf58cee37a6e8f955424849

2 years agoSepolicy for rw mount point for vendors.
Tri Vo [Wed, 11 Apr 2018 03:49:45 +0000 (20:49 -0700)]
Sepolicy for rw mount point for vendors.

Bug: 64905218
Test: device boots with /mnt/vendor present and selinux label
mnt_vendor_file applied correctly.
Change-Id: Ib34e2859948019d237cf2fe8f71845ef2533ae27
Merged-In: Ib34e2859948019d237cf2fe8f71845ef2533ae27
(cherry picked from commit 210a805b46782a2a49bf5338732cf8c6abaf95de)

2 years agoMerge "init: lock down access to keychord_device"
Treehugger Robot [Tue, 17 Apr 2018 19:59:58 +0000 (19:59 +0000)]
Merge "init: lock down access to keychord_device"

2 years agoMerge "Make traced_probes mlstrustedsubject."
Treehugger Robot [Tue, 17 Apr 2018 19:47:58 +0000 (19:47 +0000)]
Merge "Make traced_probes mlstrustedsubject."

2 years agoinit: lock down access to keychord_device
Mark Salyzyn [Tue, 17 Apr 2018 17:55:41 +0000 (10:55 -0700)]
init: lock down access to keychord_device

The out-of-tree keychord driver is only intended for use by init.

Test: build
Bug: 64114943
Bug: 78174219
Change-Id: I96a7fbcd9a54a38625063606f5c4ab6d40d701f6

2 years agoMake traced_probes mlstrustedsubject.
Florian Mayer [Thu, 12 Apr 2018 12:54:15 +0000 (13:54 +0100)]
Make traced_probes mlstrustedsubject.

Denials:
04-12 12:42:47.795   903   903 W traced_probes: type=1400 audit(0.0:5684): avc: denied { search } for name="1376" dev="proc" ino=204553 scontext=u:r:traced_probes:s0 tcontext=u:r:untrusted_app_27:s0:c512,c768 tclass=dir permissive=0
04-12 12:42:47.795   903   903 W traced_probes: type=1400 audit(0.0:5685): avc: denied { search } for name="1402" dev="proc" ino=204554 scontext=u:r:traced_probes:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=dir permissive=0
04-12 12:42:47.801   903   903 W traced_probes: type=1400 audit(0.0:5686): avc: denied { search } for name="1496" dev="proc" ino=204557 scontext=u:r:traced_probes:s0 tcontext=u:r:untrusted_app:s0:c85,c256,c512,c768 tclass=dir permissive=0
04-12 12:42:47.805   903   903 W traced_probes: type=1400 audit(0.0:5687): avc: denied { search } for name="1758" dev="proc" ino=204563 scontext=u:r:traced_probes:s0 tcontext=u:r:priv_app:s0:c512,c768 tclass=dir permissive=0

Bug: 77955286

Change-Id: If0985d3ddd7d14c2b139be1c842c9c8df99b90db
Merged-In: If0985d3ddd7d14c2b139be1c842c9c8df99b90db

2 years agoRevert "Revert "Add /sys/kernel/memory_state_time to sysfs_power.""
Alan Stokes [Tue, 17 Apr 2018 15:59:45 +0000 (15:59 +0000)]
Revert "Revert "Add /sys/kernel/memory_state_time to sysfs_power.""

This reverts commit 12e73685b75905fa5afa62cd1fb3631f9f2af818.

Reason for revert: Rolling original change forward again, more carefully.

Change-Id: I266b181915c829d743c6d8d0b8c0d70b6bf3d620

2 years agoMerge "Statsd sepolicy hal_health"
Treehugger Robot [Mon, 16 Apr 2018 23:51:12 +0000 (23:51 +0000)]
Merge "Statsd sepolicy hal_health"

2 years agoLet vold_prepare_subdirs completely clean deleted user data.
Joel Galenson [Mon, 16 Apr 2018 21:50:38 +0000 (14:50 -0700)]
Let vold_prepare_subdirs completely clean deleted user data.

After adding a new user, deleting it, and rebooting, some of the user's data still remained.  This adds the SELinux permissions necessary to remove all of the data.  It fixes the followign denials:

avc: denied { rmdir } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
avc: denied { unlink } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Bug: 74866238
Test: Create user, delete user, reboot user, see no denials or
leftover data.

Change-Id: Ibc43bd2552b388a9708bf781b5ad206f21df62dc

2 years agoMerge "Add sepolicy for radio sap 1.2"
Treehugger Robot [Mon, 16 Apr 2018 23:08:50 +0000 (23:08 +0000)]
Merge "Add sepolicy for radio sap 1.2"

2 years agoMerge "Add bug_map entries for bugs we've seen."
Treehugger Robot [Mon, 16 Apr 2018 22:52:49 +0000 (22:52 +0000)]
Merge "Add bug_map entries for bugs we've seen."

2 years agoAdd sepolicy for radio sap 1.2
sqian [Thu, 29 Mar 2018 20:59:00 +0000 (13:59 -0700)]
Add sepolicy for radio sap 1.2

Bug: 74114758
Test: Checked radio-service and sap-service is on the lshal after running the service
Change-Id: I1b18711286e000a7d17664e7d3a2045aeeb8c285
Merged-In: I1b18711286e000a7d17664e7d3a2045aeeb8c285
(cherry picked from commit 64839e874b1ab4c94f2287827b9ac6bb351c27e2)

2 years agoAdd bug_map entries for bugs we've seen.
Joel Galenson [Mon, 16 Apr 2018 17:31:38 +0000 (10:31 -0700)]
Add bug_map entries for bugs we've seen.

This adds numerous bug_map entries to try to annotate all denials
we've seen.

Bug: 78117980
Test: Build
Change-Id: I1da0690e0b4b0a44d673a54123a0b49a0d115a49

2 years agoAllow dumpstate to read property_type
Jaekyun Seok [Thu, 5 Apr 2018 18:32:58 +0000 (03:32 +0900)]
Allow dumpstate to read property_type

dumpstate needs to read all the system properties for debugging.

Bug: 77277669
Test: succeeded building and tested with taimen
Change-Id: I3603854b3be67d4fc55d74f7925a21bfa59c81ee

3 years agoMerge "Add exFAT support; unify behind "sdcard_type"."
Jeff Sharkey [Fri, 13 Apr 2018 23:47:54 +0000 (23:47 +0000)]
Merge "Add exFAT support; unify behind "sdcard_type"."

3 years agoMerge "tombstoned: allow unlinking anr files"
Treehugger Robot [Fri, 13 Apr 2018 23:31:27 +0000 (23:31 +0000)]
Merge "tombstoned: allow unlinking anr files"

3 years agoMerge "whitelist test failure that bypassed presubmit"
Treehugger Robot [Fri, 13 Apr 2018 23:06:19 +0000 (23:06 +0000)]
Merge "whitelist test failure that bypassed presubmit"

3 years agowhitelist test failure that bypassed presubmit
Jeff Vander Stoep [Mon, 9 Apr 2018 21:15:28 +0000 (14:15 -0700)]
whitelist test failure that bypassed presubmit

avc: denied { read } for comm="batterystats-wo" name="show_stat" dev="sysfs"
scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file

Bug: 77816522
Test: build
Change-Id: I50a9bfe1a9e4df9c84cf4b2b4aedbb8f82ac94cd
(cherry picked from commit 2ccd99a53a2efd0a62c0b2f2e2f8944cfd98891f)

3 years agoSelinux: Give lmkd read access to /proc/meminfo
Suren Baghdasaryan [Thu, 29 Mar 2018 19:30:58 +0000 (12:30 -0700)]
Selinux: Give lmkd read access to /proc/meminfo

Allow lmkd read access to /proc/meminfo for retrieving information
on memory state.

Change-Id: I7cf685813a5a49893c8f9a6ac4b5f6619f3c18aa
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
3 years agotombstoned: allow unlinking anr files
Jeff Vander Stoep [Fri, 13 Apr 2018 21:33:32 +0000 (14:33 -0700)]
tombstoned: allow unlinking anr files

Tombstoned unlinks "trace_XX" files if there are too many of them.

avc: denied { unlink } for comm="tombstoned" name="trace_12"
scontext=u:r:tombstoned:s0 tcontext=u:object_r:anr_data_file:s0
tclass=file

Bug: 77970585
Test: Build/boot taimen. adb root; sigquit an app.
Change-Id: I2c7cf81a837d82c4960c4c666b38cd910885d78d

3 years agoMerge "Allow some vold_prepare_subdirs denials."
Treehugger Robot [Fri, 13 Apr 2018 20:44:44 +0000 (20:44 +0000)]
Merge "Allow some vold_prepare_subdirs denials."

3 years agoAdd exFAT support; unify behind "sdcard_type".
Jeff Sharkey [Fri, 30 Mar 2018 18:22:54 +0000 (12:22 -0600)]
Add exFAT support; unify behind "sdcard_type".

We're adding support for OEMs to ship exFAT, which behaves identical
to vfat.  Some rules have been manually enumerating labels related
to these "public" volumes, so unify them all behind "sdcard_type".

Test: atest
Bug: 67822822
Change-Id: I09157fd1fc666ec5d98082c6e2cefce7c8d3ae56

3 years agoMake persist.sys.sf.native_mode an integer
Chia-I Wu [Fri, 13 Apr 2018 17:19:20 +0000 (10:19 -0700)]
Make persist.sys.sf.native_mode an integer

This allows for more native modes.

Bug: 73824924
Test: adb shell setprop persist.sys.sf.native_mode 2
Change-Id: Iffdeadc8dc260de4b0c7f2b46aab08d64d25e3b1

3 years agoAllow some vold_prepare_subdirs denials.
Joel Galenson [Wed, 11 Apr 2018 19:13:25 +0000 (12:13 -0700)]
Allow some vold_prepare_subdirs denials.

This addresses the following denials:

avc: denied { fowner } for comm="rm" scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:r:vold_prepare_subdirs:s0 tclass=capability
avc: denied { getattr } for comm="rm" scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:storaged_data_file:s0 tclass=file
avc: denied { relabelfrom } for comm="vold_prepare_su" name="storaged" scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
avc: denied { getattr } for comm="rm" scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Bug: 77875245
Test: Boot device.
Test: Mislabel directories used by vold_prepare_subdirs, reboot, and
ensure it can relabel them without denials.
Test: Add user, reboot, delete user, reboot, observe no denials.

(cherry picked from commit 855dd5a8562494f78f99e5bd5096f617ac70438f)

Merged-In: Id67bc99f151a6ccb9619bbfb7080452956405121
Change-Id: I2f6b5abfaf81570d03a30f2edf7296b5afd10c9b

3 years agoAllow vendor_init to write to misc_block_device
Tom Cherry [Wed, 11 Apr 2018 21:56:47 +0000 (14:56 -0700)]
Allow vendor_init to write to misc_block_device

Vendors may use this to write custom messages to their bootloader, and
as the bootloader is under vendor control, this makes sense to allow.

Bug: 77881566
Test: build
Change-Id: I78f80400e5f386cad1327a9209ee1afc8e334e56

3 years agoWhitelist vendor-init-settable bluetooth_prop and wifi_prop
Jaekyun Seok [Mon, 9 Apr 2018 03:07:32 +0000 (12:07 +0900)]
Whitelist vendor-init-settable bluetooth_prop and wifi_prop

Values of the following properties are set by SoC vendors on some
devices including Pixels.
- persist.bluetooth.a2dp_offload.cap
- persist.bluetooth.a2dp_offload.enable
- persist.vendor.bluetooth.a2dp_offload.enable
- ro.bt.bdaddr_path
- wlan.driver.status

So they should be whitelisted for compatibility.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5

3 years agoMerge "Allow vendor-init-readable for sys.boot_completed and dev.bootcomplete"
Treehugger Robot [Thu, 12 Apr 2018 22:34:40 +0000 (22:34 +0000)]
Merge "Allow vendor-init-readable for sys.boot_completed and dev.bootcomplete"

3 years agoStatsd sepolicy hal_health
Bookatz [Thu, 12 Apr 2018 16:14:27 +0000 (09:14 -0700)]
Statsd sepolicy hal_health

Statsd monitors battery capacity, which requires calls to the health
hal.

Fixes: 77923174
Bug: 77916472
Test: run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.atom.HostAtomTests#testFullBatteryCapacity
Change-Id: I2d6685d4b91d8fbc7422dfdd0b6ed96bbddc0886

3 years agoMerge "priv_app: remove more logspam"
Treehugger Robot [Thu, 12 Apr 2018 16:23:20 +0000 (16:23 +0000)]
Merge "priv_app: remove more logspam"

3 years agoAllow vendor-init-readable for sys.boot_completed and dev.bootcomplete
Jaekyun Seok [Wed, 11 Apr 2018 23:12:25 +0000 (08:12 +0900)]
Allow vendor-init-readable for sys.boot_completed and dev.bootcomplete

Bug: 75987246
Test: succeeded builing and tested with taimen
Change-Id: I2d8bc91c305e665ed9c69459e51204117afb3eee
Merged-In: I2d8bc91c305e665ed9c69459e51204117afb3eee
(cherry picked from commit ac2e4cce71fd9b379bced6c4aae5308c55c66367)

3 years agoMerge "hal_tetheroffload: move hwservice mapping to core policy"
Treehugger Robot [Thu, 12 Apr 2018 00:34:22 +0000 (00:34 +0000)]
Merge "hal_tetheroffload: move hwservice mapping to core policy"

3 years agohal_tetheroffload: move hwservice mapping to core policy
Jeff Vander Stoep [Wed, 11 Apr 2018 21:52:48 +0000 (14:52 -0700)]
hal_tetheroffload: move hwservice mapping to core policy

Addresses:
avc: denied { find } for
interface=android.hardware.tetheroffload.config::IOffloadConfig
scontext=u:r:system_server:s0
tcontext=u:object_r:default_android_hwservice:s0
tclass=hwservice_manager

Bug: 77855688
Test: build/boot Sailfish, turn on tethering, no selinux denial
Change-Id: I97cae0928b5311a4da41d19cbd5c863c3137a49f
(cherry picked from commit 3a346ea73208dcb38adc9b33fac5527926166e3b)

3 years agoMerge changes If2413c30,Ic5d7c961
Treehugger Robot [Wed, 11 Apr 2018 21:51:37 +0000 (21:51 +0000)]
Merge changes If2413c30,Ic5d7c961

* changes:
  Suppress spurious denial
  Suppress spurious denial

3 years agoSuppress spurious denial
Jeff Vander Stoep [Wed, 11 Apr 2018 19:06:01 +0000 (12:06 -0700)]
Suppress spurious denial

Addresses:
avc: denied { sys_resource } scontext=u:r:zygote:s0
tcontext=u:r:zygote:s0 tclass=capability

Bug: 77905989
Test: build and flash taimen-userdebug
Change-Id: If2413c3005df02a70661464d695211acbcda4094
(cherry picked from commit 816e744d998cb327fbd20f3124b22398bea2b8e4)

3 years agoSuppress spurious denial
Jeff Vander Stoep [Wed, 11 Apr 2018 17:46:30 +0000 (10:46 -0700)]
Suppress spurious denial

Addresses:
avc: denied { sys_resource } for comm="ip6tables" capability=24
scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netutils_wrapper:s0
tclass=capability

Bug: 77905989
Test: build and flash taimen-userdebug
Change-Id: Ic5d7c96152b96b55255eeec00b19948f38c1923c
(cherry picked from commit 443a43c98121363929f268b1f77bd229a3247d3a)

3 years agoMerge "Add internal types to 27.0[.ignore].cil."
Treehugger Robot [Wed, 11 Apr 2018 00:44:44 +0000 (00:44 +0000)]
Merge "Add internal types to 27.0[.ignore].cil."

3 years agoMerge "Hide sys_rawio SELinux denials."
Treehugger Robot [Tue, 10 Apr 2018 23:41:21 +0000 (23:41 +0000)]
Merge "Hide sys_rawio SELinux denials."

3 years agopriv_app: remove more logspam
Jeff Vander Stoep [Wed, 4 Apr 2018 21:36:13 +0000 (14:36 -0700)]
priv_app: remove more logspam

avc: denied { read } for name="ext4" dev="sysfs" ino=32709
scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0
tclass=dir permissive=0 b/72749888
avc: denied { read } for name="state" dev="sysfs" ino=51318
scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:sysfs_android_usb:s0 tclass=file permissive=0
b/72749888

Bug: 72749888
Test: build/boot taimen-userdebug. No more logspam
Change-Id: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e
Merged-In: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e
(cherry picked from commit 558cdf1e9925ca7b1420569abab677090d3d9528)

3 years agoMerge "Widen crash_dump dontaudit."
Treehugger Robot [Tue, 10 Apr 2018 23:14:42 +0000 (23:14 +0000)]
Merge "Widen crash_dump dontaudit."

3 years agoAdd internal types to 27.0[.ignore].cil.
Tri Vo [Wed, 7 Feb 2018 17:45:39 +0000 (09:45 -0800)]
Add internal types to 27.0[.ignore].cil.

Bug: 69390067
Test: manual run of treble_sepolicy_tests
Change-Id: I1b772a3f7c96875765c75bfc1031f249411c3338
Merged-In: I1b772a3f7c96875765c75bfc1031f249411c3338
(cherry picked from commit 9fbd65200d5da704e8eff1fdd5a4e7ab46eb3a45)

3 years agoHide sys_rawio SELinux denials.
Joel Galenson [Tue, 10 Apr 2018 17:46:45 +0000 (10:46 -0700)]
Hide sys_rawio SELinux denials.

We often see the following denials:

avc: denied { sys_rawio } for comm="update_engine" capability=17 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0
avc: denied { sys_rawio } for comm="boot@1.0-servic" capability=17 scontext=u:r:hal_bootctl_default:s0 tcontext=u:r:hal_bootctl_default:s0 tclass=capability permissive=0

These are benign, so we are hiding them.

Bug: 37778617
Test: Boot device.
Change-Id: Iac196653933d79aa9cdeef7670076f0efc97b44a

3 years agoMerge "Expose filesystem read events in SELinux policy."
Florian Mayer [Tue, 10 Apr 2018 21:04:50 +0000 (21:04 +0000)]
Merge "Expose filesystem read events in SELinux policy."

3 years agoExpose filesystem read events in SELinux policy.
Florian Mayer [Tue, 10 Apr 2018 15:12:54 +0000 (16:12 +0100)]
Expose filesystem read events in SELinux policy.

Without this, we only have visibility into writes.

Looking at traces, we realised for many of the files we care about (.dex, .apk)
most filesystem events are actually reads.

See aosp/661782 for matching filesystem permission change.

Bug: 73625480

Change-Id: I6ec71d82fad8f4679c7b7d38e3cb90aff0b9e298

3 years agoWiden crash_dump dontaudit.
Joel Galenson [Tue, 10 Apr 2018 16:55:11 +0000 (09:55 -0700)]
Widen crash_dump dontaudit.

We have seen crash_dump denials for radio_data_file,
shared_relro_file, shell_data_file, and vendor_app_file.  This commit
widens an existing dontaudit to include them as well as others that we
might see.

Test: Boot device.
Change-Id: I9ad2a2dafa8e73b13c08d0cc6886274a7c0e3bac

3 years agoAdding labeling for vendor security patch prop
Max Bires [Fri, 30 Mar 2018 01:21:31 +0000 (18:21 -0700)]
Adding labeling for vendor security patch prop

This will allow adb shell getprop ro.vendor.build.security_patch to
properly return the correct build property, whereas previously it was
offlimits due to lack of label.

Test: adb shell getprop ro.vendor.build.security_patch successfully
returns whatever VENDOR_SECURITY_PATCH is defined to be in the Android
.mk files

Change-Id: Ie8427738125fc7f909ad8d51e4b76558f5544d49

3 years agoMerge "hal_health: allow to write kernel logs."
Treehugger Robot [Mon, 9 Apr 2018 20:33:12 +0000 (20:33 +0000)]
Merge "hal_health: allow to write kernel logs."

3 years agoRevert "Add /sys/kernel/memory_state_time to sysfs_power."
Alan Stokes [Mon, 9 Apr 2018 18:01:21 +0000 (18:01 +0000)]
Revert "Add /sys/kernel/memory_state_time to sysfs_power."

This reverts commit db83323a0336cb000e2d708d8b840019e1dedfda.

Reason for revert: breaks some builds due to duplicate genfs entries

Change-Id: I47813bd84ff10074a32cf483501a9337f556e92a

3 years agoMerge "Add shell:fifo_file permission for audioserver"
Treehugger Robot [Mon, 9 Apr 2018 17:54:42 +0000 (17:54 +0000)]
Merge "Add shell:fifo_file permission for audioserver"

3 years agoMerge "Add /sys/kernel/memory_state_time to sysfs_power."
Alan Stokes [Mon, 9 Apr 2018 16:29:30 +0000 (16:29 +0000)]
Merge "Add /sys/kernel/memory_state_time to sysfs_power."

3 years agoInstalld doesn't need to create cgroup files.
Alan Stokes [Fri, 6 Apr 2018 10:59:38 +0000 (11:59 +0100)]
Installd doesn't need to create cgroup files.

cgroupfs doesn't allow files to be created, so this can't be needed.

Also remove redundant neverallow and dontaudit rules. These are now
more broadly handled by domain.te.

Bug: 74182216

Test: Denials remain silenced.

Change-Id: If7eb0e59f567695d987272a2fd36dbc251516e9f

(cherry picked from commit 8e8c109350f4cd636a7bc9dee154e8a295538681)

3 years agoAdd /sys/kernel/memory_state_time to sysfs_power.
Alan Stokes [Tue, 6 Mar 2018 09:15:19 +0000 (09:15 +0000)]
Add /sys/kernel/memory_state_time to sysfs_power.

This allows system_server to access it for determining battery stats
(see KernelMemoryBandwidthStats.java).

batterystats-wo: type=1400 audit(0.0:429): avc: denied { read } for name="show_stat" dev="sysfs" ino=48071 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0

Bug: 72643420
Bug: 73947096

Test: Denial is no longer present.
Change-Id: Ibe46aee48eb3f78fa5a9d1f36602c082c33036f7

(cherry picked from commit a8b3634d3e4ded11036a529b561aa25682308d34)

3 years agoAdd shell:fifo_file permission for audioserver
Mikhail Naganov [Fri, 6 Apr 2018 21:52:15 +0000 (14:52 -0700)]
Add shell:fifo_file permission for audioserver

Bug: 73405145
Test: cts-tradefed run cts -m CtsMediaTestCases -t android.media.cts.AudioRecordTest#testRecordNoDataForIdleUids
Change-Id: I09bdb74c9ecc317ea090643635ca26165efa423a
(cherry picked from commit c5815891f87eee9fd4d1442aecfa6fb60bdf3ad6)
Merged-In: I09bdb74c9ecc317ea090643635ca26165efa423a

3 years agohal_health: allow to write kernel logs.
Yifan Hong [Fri, 6 Apr 2018 01:27:49 +0000 (18:27 -0700)]
hal_health: allow to write kernel logs.

This is originally allowed in healthd but the permission
was not transfered to health HAL. A typical health HAL
implementation is likely to write battery info to kernel
logs.

Test: device has battery kernel logs with health HAL
      but without healthd

Bug: 77661605

Change-Id: Ib3b5d3fe6bdb3df2a240c85f9d27b863153805d2

3 years agoGrant traced_probes search on directories.
Florian Mayer [Fri, 6 Apr 2018 11:55:22 +0000 (12:55 +0100)]
Grant traced_probes search on directories.

This is needed to be able to scan the labels we have
permission on.

Denial:

04-06 12:52:22.674   874   874 W traced_probes: type=1400 audit(0.0:10314): avc: denied { search } for name="backup" dev="sda45" ino=6422529 scontext=u:r:traced_probes:s0 tcontext=u:object_r:backup_data_file:s0 tclass=dir permissive=0

Bug: 73625480

3 years agoMerge "Track storaged SELinux denial."
Treehugger Robot [Thu, 5 Apr 2018 23:12:04 +0000 (23:12 +0000)]
Merge "Track storaged SELinux denial."

3 years agoTrack storaged SELinux denial.
Joel Galenson [Thu, 5 Apr 2018 17:39:03 +0000 (10:39 -0700)]
Track storaged SELinux denial.

This should help fix presubmit tests.

Bug: 77634061
Test: Built policy.
Change-Id: Ib9f15c93b71c2b67f25d4c9f949a5e2b3ce93b9c

3 years agoMerge "Wifi HAL SIOCSIFHWADDR sepolicy"
Jong Wook Kim [Thu, 5 Apr 2018 10:05:29 +0000 (10:05 +0000)]
Merge "Wifi HAL SIOCSIFHWADDR sepolicy"

3 years agoRemove direct qtaguid access from platform/system apps
Jeff Vander Stoep [Wed, 4 Apr 2018 20:21:37 +0000 (13:21 -0700)]
Remove direct qtaguid access from platform/system apps

System components should use the public tagSocket() API, not direct
file access to /proc/net/xt_qtaguid/* and /dev/xt_qtaguid.

Test: build/boot taimen-userdebug. Use youtube, browse chrome,
    navigate maps on both cellular and wifi.
Bug: 68774956

Change-Id: Id895395de100d8f9a09886aceb0d6061fef832ef

3 years agoshell: move shell qtaguid perms to shell.te
Jeff Vander Stoep [Wed, 4 Apr 2018 19:59:11 +0000 (12:59 -0700)]
shell: move shell qtaguid perms to shell.te

Remove unecessary access to /proc/net/xt_qtaguid/ctrl and
/dev/xt_qtaguid.

Bug: 68774956
Test: atest CtsNativeNetTestCases
Test: adb root; atest tagSocket
Change-Id: If3a1e823be0e342faefff28ecd878189c68a8e92

3 years agoAllowing incidentd to get stack traces from processes.
Kweku Adams [Mon, 12 Mar 2018 23:21:40 +0000 (16:21 -0700)]
Allowing incidentd to get stack traces from processes.

Bug: 72177715
Test: flash device and check incident output
Change-Id: I16c172caec235d985a6767642134fbd5e5c23912

3 years agoMerge "Rename qtaguid_proc to conform to name conventions"
Treehugger Robot [Wed, 4 Apr 2018 02:26:56 +0000 (02:26 +0000)]
Merge "Rename qtaguid_proc to conform to name conventions"

3 years agoMerge "Block SDK 28 app from using proc/net/xt_qtaguid"
Treehugger Robot [Tue, 3 Apr 2018 23:46:24 +0000 (23:46 +0000)]
Merge "Block SDK 28 app from using proc/net/xt_qtaguid"

3 years agoAllow getsockopt and setsockopt for Encap Sockets
Nathan Harold [Tue, 27 Mar 2018 13:34:54 +0000 (06:34 -0700)]
Allow getsockopt and setsockopt for Encap Sockets

Because applications should be able to set the receive
timeout on UDP encapsulation sockets, we need to allow
setsockopt(). getsockopt() is an obvious allowance as
well.

Bug: 68689438
Test: compilation
Merged-In: I2eaf72bcce5695f1aee7a95ec03111eca577651c
Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c

3 years agoRename qtaguid_proc to conform to name conventions
Jeff Vander Stoep [Tue, 3 Apr 2018 16:53:23 +0000 (09:53 -0700)]
Rename qtaguid_proc to conform to name conventions

Test: build
Bug: 68774956
Change-Id: I0f9fd87eb41e67e14f35e49eba13e3d1de745250

3 years agoBlock SDK 28 app from using proc/net/xt_qtaguid
Chenbo Feng [Thu, 8 Feb 2018 20:52:13 +0000 (12:52 -0800)]
Block SDK 28 app from using proc/net/xt_qtaguid

The file under /proc/net/xt_qtaguid is going away in future release.
Apps should use the provided public api instead of directly reading the
proc file. This change will block apps that based on SDK 28 or above to
directly read that file and we will delete that file after apps move
away from it.

Test: Flashed with master branch on marlin, verified phone boot, can
      browse web, watch youtube video, make phone call and use google
      map for navigation with wifi on and off.
      run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
      run cts -m CtsAppSecurityHostTestCases -t \
       android.appsecurity.cts.AppSecurityTests

Change-Id: I4c4d6c9ab28b426acef23db53f171de8f20be1dc
(cherry picked from commit 5ec8f8432be8072711b388eb0e6696945c04950f)

3 years agoAdd untrusted_app_27
Jeff Vander Stoep [Tue, 3 Apr 2018 18:22:38 +0000 (11:22 -0700)]
Add untrusted_app_27

This is a partial cherry pick of commit 6231b4d9
'Enforce per-app data protections for targetSdk 28+'.

Untrusted_app_27 remains unreachable, but it's existence
prevents future merge conflicts.

Bug: 63897054
Test: build/boot aosp_walleye-userdebug
Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
Merged-In: I64b013874fe87b55f47e817a1279e76ecf86b7c0
(cherry picked from commit 6231b4d9fc98bb42956198e9f54cabde69464339)

3 years agoRemove deprecated tagSocket() permissions
Jeff Vander Stoep [Mon, 2 Apr 2018 21:17:59 +0000 (14:17 -0700)]
Remove deprecated tagSocket() permissions

tagSocket() now results in netd performing these actions on behalf
of the calling process.

Remove direct access to:
/dev/xt_qtaguid
/proc/net/xt_qtaguid/ctrl

Bug: 68774956
Test: -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AppSecurityTests
    -m CtsNativeNetTestCases
Test: stream youtube, browse chrome
Test: go/manual-ab-ota
Change-Id: I6a044f304c3ec4e7c6043aebeb1ae63c9c5a0beb

3 years agoMerge "Allow vendor_init_settable for persist.sys.sf.native_mode"
Treehugger Robot [Mon, 2 Apr 2018 22:15:02 +0000 (22:15 +0000)]
Merge "Allow vendor_init_settable for persist.sys.sf.native_mode"

3 years agoSelinux: Fix perfprofd policy
Andreas Gampe [Fri, 30 Mar 2018 20:10:35 +0000 (13:10 -0700)]
Selinux: Fix perfprofd policy

Update for debugfs labeling changes.

Update for simpleperf behavior with stack traces (temp file).

Bug: 73175642
Test: m
Test: manual - run profiling, look for logs
Change-Id: Ie000a00ef56cc603f498d48d89001f566c03b661

3 years agoAllow vendor_init_settable for persist.sys.sf.native_mode
Jaekyun Seok [Mon, 2 Apr 2018 07:13:36 +0000 (16:13 +0900)]
Allow vendor_init_settable for persist.sys.sf.native_mode

A default value of persist.sys.sf.native_mode could be set by SoC
partners in some devices including some pixels.
So it should have vendor_init_settable accessibility.

Bug: 74266614
Test: succeeded building and tested with a pixel device with
PRODUCT_COMPATIBLE_PROPERTY_OVERRIDE=true.

Change-Id: I5d7a029f82505983d21dc722541fb55761a8714d

3 years agoReland "Allow dexopt to follow /odm/lib(64) symlinks.""
Jiyong Park [Mon, 2 Apr 2018 01:42:25 +0000 (10:42 +0900)]
Reland "Allow dexopt to follow /odm/lib(64) symlinks.""

This reverts commit 942500b910bedc9c778b330333bb7cc87d717da9.

Bug: 75287236
Test: boot a device
Change-Id: If81a2d2a46979ffbd536bb95528c3b4ebe3483df

3 years agoMerge "Update sepolicy to have system_server access stats_data"
Treehugger Robot [Sat, 31 Mar 2018 01:19:49 +0000 (01:19 +0000)]
Merge "Update sepolicy to have system_server access stats_data"

3 years agoMerge "Allow incidentd to read LAST_KMSG only for userdebug builds"
Treehugger Robot [Fri, 30 Mar 2018 23:24:24 +0000 (23:24 +0000)]
Merge "Allow incidentd to read LAST_KMSG only for userdebug builds"

3 years agoUpdate sepolicy to have system_server access stats_data
yro [Thu, 29 Mar 2018 18:07:13 +0000 (11:07 -0700)]
Update sepolicy to have system_server access stats_data

Test: manually tested to prevent sepolicy violation
Change-Id: I9ebcc86464a9fc61a49d5c9be40f19f3523b6785

3 years agoMerge "Allow netutils_wrapper to use pinned bpf program"
Treehugger Robot [Fri, 30 Mar 2018 20:03:19 +0000 (20:03 +0000)]
Merge "Allow netutils_wrapper to use pinned bpf program"

3 years agoAllow incidentd to read LAST_KMSG only for userdebug builds
Yi Jin [Fri, 30 Mar 2018 17:14:08 +0000 (10:14 -0700)]
Allow incidentd to read LAST_KMSG only for userdebug builds

Bug: 73354384
Test: manual
Change-Id: Iaaeded69c287eae757aaf68dc18bc5a0c53b94e6

3 years agoMerge "Test frozen sepolicy has not diverged from prebuilts."
Treehugger Robot [Fri, 30 Mar 2018 17:11:36 +0000 (17:11 +0000)]
Merge "Test frozen sepolicy has not diverged from prebuilts."

3 years agoSELinux changes for I/O tracing.
Florian Mayer [Fri, 2 Mar 2018 10:52:56 +0000 (10:52 +0000)]
SELinux changes for I/O tracing.

See also go/perfetto-io-tracing-security.

* Grant CAP_DAC_READ_SEARCH to traced_probes.
* Allow traced_probes to list selected labels.
* Change ext4 and f2fs events to be available on user builds.

Bug: 74584014
Change-Id: I891a0209be981d760a828a69e4831e238248ebad

3 years agoTest frozen sepolicy has not diverged from prebuilts.
Tri Vo [Thu, 15 Mar 2018 18:38:08 +0000 (11:38 -0700)]
Test frozen sepolicy has not diverged from prebuilts.

This will test that system/sepolicy/{public/, private/} are identical to
prebuilts if PLATFORM_SEPOLICY_VERSION is not 10000.0.

Bug: 74622750
Test: build policy
Test: correctly catches divergence from prebuilts for frozen policies

Change-Id: I2fa14b672544a021c2d42ad5968dfbac21b72f6a

3 years agoLabel /proc/sys/kernel/sched_schedstats.
Joel Galenson [Thu, 29 Mar 2018 19:15:48 +0000 (12:15 -0700)]
Label /proc/sys/kernel/sched_schedstats.

This allows init to write to it, which it does for atrace.

Bug: 72643420
Test: Boot two devices, observe no denials, test atrace.
Change-Id: I6810e5dcdfaff176bd944317e66d4fe612ccebed
(cherry picked from commit dce07413bc7380c45c85b26c71afe14849a96fae)

3 years agoMerge "Remove unused dalvik.vm.stack-trace-dir."
Elliott Hughes [Thu, 29 Mar 2018 21:15:16 +0000 (21:15 +0000)]
Merge "Remove unused dalvik.vm.stack-trace-dir."

3 years agoMerge "Suppress harmless denials for file creation in cgroupfs."
Treehugger Robot [Thu, 29 Mar 2018 19:54:04 +0000 (19:54 +0000)]
Merge "Suppress harmless denials for file creation in cgroupfs."

3 years agoMerge "Test that /proc files have proc_type attribute."
Treehugger Robot [Thu, 29 Mar 2018 19:04:06 +0000 (19:04 +0000)]
Merge "Test that /proc files have proc_type attribute."

3 years agoAllow netutils_wrapper to use pinned bpf program
Chenbo Feng [Wed, 28 Mar 2018 23:51:26 +0000 (16:51 -0700)]
Allow netutils_wrapper to use pinned bpf program

The netutils_wrapper is a process used by vendor code to update the
iptable rules on devices. When it update the rules for a specific chain.
The iptable module will reload the whole chain with the new rule. So
even the netutils_wrapper do not need to add any rules related to xt_bpf
module, it will still reloading the existing iptables rules about xt_bpf
module and need pass through the selinux check again when the rules are
reloading. So we have to grant it the permission to reuse the pinned
program in fs_bpf when it modifies the corresponding iptables chain so
the vendor module will not crash anymore.

Test: device boot and no more denials from netutils_wrapper
Bug: 72111305
Change-Id: I62bdfd922c8194c61b13e2855839aee3f1e349be

3 years agoSuppress harmless denials for file creation in cgroupfs.
Alan Stokes [Mon, 26 Mar 2018 16:06:23 +0000 (17:06 +0100)]
Suppress harmless denials for file creation in cgroupfs.

The kernel generates file creation audits when O_CREAT is passed even
if the file already exists - which it always does in the cgroup cases.

We add neverallow rules to prevent mistakenly allowing unnecessary
create access. We also suppress these denials, which just add noise to
the log, for the more common culprits.

Bug: 72643420
Bug: 74182216

Test: Ran build_policies.sh and checked failures were unrelated.
Test: Device still boots, denials gone.
Change-Id: I034b41ca70da1e73b81fe90090e656f4a3b542dc
(cherry picked from commit 92c149d07744ae589d47602c7971371ee7dc7ab0)

3 years agoMerge "Improve neverallows on /proc and /sys"
Treehugger Robot [Thu, 29 Mar 2018 17:08:34 +0000 (17:08 +0000)]
Merge "Improve neverallows on /proc and /sys"

3 years agoMerge "Stop O_CREAT logspam in permissive mode."
Treehugger Robot [Thu, 29 Mar 2018 16:27:11 +0000 (16:27 +0000)]
Merge "Stop O_CREAT logspam in permissive mode."

3 years agoMerge "Hide some denials."
Treehugger Robot [Thu, 29 Mar 2018 09:04:32 +0000 (09:04 +0000)]
Merge "Hide some denials."

3 years agoStop O_CREAT logspam in permissive mode.
Alan Stokes [Wed, 28 Mar 2018 14:07:59 +0000 (15:07 +0100)]
Stop O_CREAT logspam in permissive mode.

In permissive mode we get more spurious denials when O_CREAT is used
with an already-existing file. They're harmless so we don't need to
audit them.

Example denials:
denied { add_name } for name="trigger" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1
denied { create } for name="trigger" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file permissive=1

Bug: 72643420
Bug: 74182216

Test: Device boots, denials gone.
Change-Id: I54b1a0c138ff5167f1d1d12c4b0b9e9afaa5bca0
(cherry picked from commit 7d4294cb4f49057300b69fe77deca8bd0a0604a0)