PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1a3ee382ec
android_system_sepolicy/private/system_app.te

169 lines
4.9 KiB
Plaintext
Raw Normal View History

Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
2017-01-05 17:18:32 -08:00
###
### Apps that run with the system UID, e.g. com.android.system.ui,
### com.android.settings. These are not as privileged as the system
### server.
###
Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-23 14:27:32 -07:00
typeattribute system_app coredomain;
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
2017-01-05 17:18:32 -08:00
Restore app_domain macro and move to private use. app_domain was split up in commit: 2e00e6373faa6271d7839d33c5b9e69d998ff020 to enable compilation by hiding type_transition rules from public policy. These rules need to be hidden from public policy because they describe how objects are labeled, of which non-platform should be unaware. Instead of cutting apart the app_domain macro, which non-platform policy may rely on for implementing new app types, move all app_domain calls to private policy. (cherry-pick of commit: 76035ea01971156895cf0d8efc1876bfa2025bd6) Bug: 33428593 Test: bullhead and sailfish both boot. sediff shows no policy change. Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
2016-12-08 11:23:34 -08:00
app_domain(system_app)
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
2017-01-05 17:18:32 -08:00
net_domain(system_app)
binder_service(system_app)
domain_deprecated: remove rootfs access Grant audited permissions collected in logs. tcontext=platform_app avc: granted { getattr } for comm=496E666C6174657254687265616420 path="/" dev="dm-0" ino=2 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir tcontext=system_app avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0" scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0" scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir tcontext=update_engine avc: granted { getattr } for comm="update_engine" path="/" dev="dm-0" ino=2 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0 tclass=dir avc: granted { getattr } for comm="update_engine" path="/fstab.foo" dev="dm-0" ino=25 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0 tclass=file avc: granted { read open } for comm="update_engine" path="/fstab.foo" dev="dm-0" ino=25 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0 tclass=file Bug: 28760354 Test: build Change-Id: I6135eea1d10b903a4a7e69da468097f495484665
2017-07-10 20:39:50 -07:00
# android.ui and system.ui
allow system_app rootfs:dir getattr;
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
2017-01-05 17:18:32 -08:00
# Read and write /data/data subdirectory.
allow system_app system_app_data_file:dir create_dir_perms;
allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
# Read and write to /data/misc/user.
allow system_app misc_user_data_file:dir create_dir_perms;
allow system_app misc_user_data_file:file create_file_perms;
# Access to vold-mounted storage for measuring free space
allow system_app mnt_media_rw_file:dir search;
Revert "Revert "Allow rule to let settings access apex files"" This reverts commit e47d2365a8955901e29a1b571f78f315f089ec38. Reason for revert: Original CL was not the cause of the breakage. It went green before this revert landed. https://android-build.googleplex.com/builds/branches/aosp-master/grid? Original CL went in 5695273. Went green in 5695399. Revert went in 5695588. Change-Id: Ie4d7065fe7d3c58cdff99c2b7d76b50b941895bb
2019-06-28 08:28:28 -07:00
# Access to apex files stored on /data (b/136063500)
# Needed so that Settings can access NOTICE files inside apex
# files located in the assets/ directory.
allow system_app apex_data_file:dir search;
allow system_app staging_data_file:file r_file_perms;
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
2017-01-05 17:18:32 -08:00
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
# Read icon file.
allow system_app icon_file:file r_file_perms;
# Write to properties
Whitelist vendor-init-settable bluetooth_prop and wifi_prop Values of the following properties are set by SoC vendors on some devices including Pixels. - persist.bluetooth.a2dp_offload.cap - persist.bluetooth.a2dp_offload.enable - persist.vendor.bluetooth.a2dp_offload.enable - ro.bt.bdaddr_path - wlan.driver.status So they should be whitelisted for compatibility. Bug: 77633703 Test: succeeded building and tested with Pixels Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
2018-04-08 20:07:32 -07:00
set_prop(system_app, bluetooth_a2dp_offload_prop)
Add rules for accessing the related bluetooth_audio_hal_prop This change allows those daemons of the audio and Bluetooth which include HALs to access the bluetooth_audio_hal_prop. This property is used to force disable the new BluetoothAudio HAL. - persist.bluetooth.bluetooth_audio_hal.disabled Bug: 128825244 Test: audio HAL can access the property Change-Id: I87a8ba57cfbcd7d3e4548aa96bc915d0cc6b2b74
2019-03-17 20:07:32 -07:00
set_prop(system_app, bluetooth_audio_hal_prop)
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
2017-01-05 17:18:32 -08:00
set_prop(system_app, bluetooth_prop)
set_prop(system_app, debug_prop)
set_prop(system_app, system_prop)
Whitelist vendor-init-settable bluetooth_prop and wifi_prop Values of the following properties are set by SoC vendors on some devices including Pixels. - persist.bluetooth.a2dp_offload.cap - persist.bluetooth.a2dp_offload.enable - persist.vendor.bluetooth.a2dp_offload.enable - ro.bt.bdaddr_path - wlan.driver.status So they should be whitelisted for compatibility. Bug: 77633703 Test: succeeded building and tested with Pixels Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
2018-04-08 20:07:32 -07:00
set_prop(system_app, exported_bluetooth_prop)
Whitelist exported platform properties This CL lists all the exported platform properties in private/exported_property_contexts. Additionally accessing core_property_type from vendor components is restricted. Instead public_readable_property_type is used to allow vendor components to read exported platform properties, and accessibility from vendor_init is also specified explicitly. Note that whitelisting would be applied only if PRODUCT_COMPATIBLE_PROPERTY is set on. Bug: 38146102 Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e
2017-10-19 00:54:49 -07:00
set_prop(system_app, exported_system_prop)
set_prop(system_app, exported2_system_prop)
set_prop(system_app, exported3_system_prop)
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
2017-01-05 17:18:32 -08:00
set_prop(system_app, logd_prop)
set_prop(system_app, net_radio_prop)
set_prop(system_app, system_radio_prop)
Whitelist exported platform properties This CL lists all the exported platform properties in private/exported_property_contexts. Additionally accessing core_property_type from vendor components is restricted. Instead public_readable_property_type is used to allow vendor components to read exported platform properties, and accessibility from vendor_init is also specified explicitly. Note that whitelisting would be applied only if PRODUCT_COMPATIBLE_PROPERTY is set on. Bug: 38146102 Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e
2017-10-19 00:54:49 -07:00
set_prop(system_app, exported_system_radio_prop)
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
2017-01-05 17:18:32 -08:00
set_prop(system_app, log_tag_prop)
userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
auditallow system_app net_radio_prop:property_service set;
auditallow system_app system_radio_prop:property_service set;
Whitelist exported platform properties This CL lists all the exported platform properties in private/exported_property_contexts. Additionally accessing core_property_type from vendor components is restricted. Instead public_readable_property_type is used to allow vendor components to read exported platform properties, and accessibility from vendor_init is also specified explicitly. Note that whitelisting would be applied only if PRODUCT_COMPATIBLE_PROPERTY is set on. Bug: 38146102 Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e
2017-10-19 00:54:49 -07:00
auditallow system_app exported_system_radio_prop:property_service set;
Sepolicy: add dynamic_system_prop and allow shell and system_app (Settings) to set it to enable Dynamic System Update. Also allow priv_app (user of the API) to read it. Bug: 119647479 Bug: 129060539 Test: run the following command on crosshatch-user: adb shell setprop persist.sys.fflag.override.settings_dynamic_system 1 Change-Id: I24a5382649c64d36fd05a59bc87faca87e6f0eb8 Merged-In: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
2019-04-26 01:14:52 -07:00
# Allow Settings to enable Dynamic System Update
set_prop(system_app, dynamic_system_prop)
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
2017-01-05 17:18:32 -08:00
# ctl interface
set_prop(system_app, ctl_default_prop)
set_prop(system_app, ctl_bugreport_prop)
# Create /data/anr/traces.txt.
allow system_app anr_data_file:dir ra_dir_perms;
allow system_app anr_data_file:file create_file_perms;
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;
selinux rules for apk files installed with Incremental Apk files installed with Incremental are actually stored under the /data/incremental directory. Since files under /data/incremental are labeled as apk_file_data, we need additional permissions to enable an apk installation. Denial messages: === vold === 02-04 14:22:45.756 599 599 I Binder:599_3: type=1400 audit(0.0:607): avc: denied { read } for name="mount" dev="dm-5" ino=894 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1 02-04 14:22:45.756 599 599 I Binder:599_3: type=1400 audit(0.0:608): avc: denied { open } for path="/data/incremental/data_incremental_tmp_792314038/mount" dev="dm-5" ino=894 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1 02-04 14:22:45.760 599 599 I Binder:599_3: type=1400 audit(0.0:609): avc: denied { mounton } for path="/data/incremental/data_incremental_tmp_792314038/mount" dev="dm-5" ino=894 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1 02-04 14:22:45.766 1431 1431 I PackageInstalle: type=1400 audit(0.0:620): avc: denied { read write open } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/.index/f5c14952f6dde3b4a77a94e45388c012" dev="dm-5" ino=897 scontext=u:r:vold:s0 02-04 14:22:45.923 1431 1431 I PackageManager: type=1400 audit(0.0:637): avc: denied { write } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/st_5_0" dev="dm-5" ino=896 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1 02-04 14:22:47.326 8839 8839 I android.vending: type=1400 audit(0.0:658): avc: denied { read write open } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/st_6_1/flipboard.app-KPIT2MBSpQYWG-USITOftw==/base.apk" dev="dm-5" ino=899 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending 02-04 14:22:45.780 599 599 I Binder:599_3: type=1400 audit(0.0:623): avc: denied { getattr } for path="/data/app/vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1 02-04 14:22:45.780 599 599 I Binder:599_3: type=1400 audit(0.0:624): avc: denied { read } for name="vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1 02-04 14:22:45.780 599 599 I Binder:599_3: type=1400 audit(0.0:625): avc: denied { open } for path="/data/app/vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1 02-04 14:22:45.780 599 599 I Binder:599_3: type=1400 audit(0.0:627): avc: denied { mounton } for path="/data/app/vmdl1155417082.tmp" dev="dm-5" ino=888 scontext=u:r:vold:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=1 02-04 15:32:02.386 591 591 I Binder:591_4: type=1400 audit(0.0:537): avc: denied { search } for name="incremental" dev="dm-5" ino=120 scontext=u:r:vold:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=1 === system_app === 02-04 14:22:45.793 5064 5064 I Binder:5064_1: type=1400 audit(0.0:633): avc: denied { write } for path="/data/incremental/data_incremental_tmp_792314038/backing_store/st_5_0/base.apk" dev="dm-5" ino=899 scontext=u:r:system_app:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 Test: manual BUG: 133435829 Change-Id: I70f25a6e63dd2be87ccbe9fb9e9d50fa64d88c36
2020-02-04 12:39:45 -08:00
# Allow system_app (adb data loader) to write data to /data/incremental
allow system_app apk_data_file:file write;
permissions for incremental control file === for mounting and create file === 02-12 21:09:41.828 593 593 I Binder:593_2: type=1400 audit(0.0:832): avc: denied { relabelto } for name=".pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.838 593 593 I Binder:593_2: type=1400 audit(0.0:833): avc: denied { read } for name=".pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.838 593 593 I Binder:593_2: type=1400 audit(0.0:834): avc: denied { open } for path="/data/incremental/MT_data_incremental_tmp_1485189518/mount/.pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.838 593 593 I Binder:593_2: type=1400 audit(0.0:835): avc: denied { getattr } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.838 593 593 I Binder:593_2: type=1400 audit(0.0:836): avc: denied { read } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.841 1429 1429 I PackageInstalle: type=1400 audit(0.0:837): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x671e scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 === for reading signature from file === 02-12 21:09:47.931 8972 8972 I android.vending: type=1400 audit(0.0:848): avc: denied { ioctl } for path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending 02-12 21:09:47.994 1429 1429 I AppIntegrityMan: type=1400 audit(0.0:849): avc: denied { ioctl } for path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 02-12 21:09:50.034 8972 8972 I com.android.vending: type=1400 audit(0.0:850): avc: denied { ioctl } for comm=62674578656375746F72202332 path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending 02-12 21:09:52.914 1429 1429 I PackageManager: type=1400 audit(0.0:851): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x671e scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 === data loader app reading from log file === 02-12 22:09:19.741  1417  1417 I Binder:1417_3: type=1400 audit(0.0:654): avc: denied { read } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3131393237303339342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_app:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 22:09:19.741 15903 15903 I Binder:15903_4: type=1400 audit(0.0:655): avc: denied { getattr } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3131393237303339342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_app:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 Test: manual with incremental installation BUG: 133435829 Change-Id: Ie973be6bc63faf8fe98c9e684060e9c81d124e6e
2020-02-13 08:38:36 -08:00
# Allow system app (adb data loader) to read logs
allow system_app incremental_control_file:file r_file_perms;
Statsd allow shell in selinux policy CTS tests need to be able to call, from hostside: adb shell cmd stats dump-report (and others) On a user build, this will fail because of an selinux policy violation from shell. This cl fixes this by granting shell permission. Similarly, Settings needs to communicate with statsd, so system_app-statsd binder calls are given permission. Bug: 72961153 Bug: 73255014 Test: run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.atom.HostAtomTests Test: manual confirmation Change-Id: I6589ab4ef5c91a4a7f78eb97b63d9bb43e3d8f02
2018-02-13 09:33:36 -08:00
# Allow system apps (like Settings) to interact with statsd
binder_call(system_app, statsd)
Add incident command and incidentd daemon se policy. Test: adb shell incident Bug: 31122534 Change-Id: I4ac9c9ab86867f09b63550707673149fe60f1906
2016-11-20 23:23:04 -08:00
# Allow system apps to interact with incidentd
binder_call(system_app, incidentd)
Game Driver: sepolicy update for plumbing GpuStats into GpuService Allow all the app process with GUI to send GPU health metrics stats to GpuService during the GraphicsEnvironment setup stage for the process. Bug: 123529932 Test: Build, flash and boot. No selinux denials. Change-Id: Ic7687dac3c8a3ea43fa744a6ae8a45716951c4df
2019-02-07 15:00:55 -08:00
# Allow system apps to interact with gpuservice
binder_call(system_app, gpuservice)
Allow system_app to interact with Dumpstate HAL To let end user enable/disable the verbose vender logging, a developer option is added into Settings app which need directly interact with Dumpstate HAL. In the future, the same function may be added into SystemUI, eg. as a QuickSettings tile. To allow both Settings app and system.ui, system_app is the best candidate for the sepolicy change. Bug: 148822215 Test: make && make RunSettingsRoboTests Change-Id: Ic6ef497505719e07cc37518b78c9dc146cda2d2c
2020-02-12 19:06:04 -08:00
# Allow system app to interact with Dumpstate HAL
hal_client_domain(system_app, hal_dumpstate)
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
2017-01-05 17:18:32 -08:00
allow system_app servicemanager:service_manager list;
# TODO: scope this down? Too broad?
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 12:58:29 -07:00
allow system_app {
service_manager_type
Add policy for apexd. apexd is a new daemon for managing APEX packages installed on the device. It hosts a single binder service, "apexservice". Bug: 112455435 Test: builds, binder service can be registered, apexes can be accessed, verified and mounted Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
2018-08-17 00:35:42 -07:00
-apex_service
Add sepolicy for resolver service Bug: 126141549 Test: built, flashed, booted Change-Id: I34260e1e5cc238fbe92574f928252680c1e6b417
2019-02-25 04:12:15 -08:00
-dnsresolver_service
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 12:58:29 -07:00
-dumpstate_service
-installd_service
iorapd: Add new binder service iorapd. This daemon is very locked down. Only system_server can access it. Bug: 72170747 Change-Id: I7b72b9191cb192be96001d84d067c28292c9688f
2018-10-05 14:48:29 -07:00
-iorapd_service
Add rules for lpdump and lpdumpd - lpdump is a binary on the device that talks to lpdumpd via binder. - lpdumpd is a daemon on the device that actually reads dynamic partition metadata. Only lpdump can talk to it. Bug: 126233777 Test: boots (sanity) Test: lpdump Change-Id: I0e21f35ac136bcbb0603940364e8117f2d6ac438
2019-03-14 15:45:03 -07:00
-lpdump_service
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 12:58:29 -07:00
-netd_service
Restrict access to suspend control Test: m selinux_policy Change-Id: Ieccfd2aa059da065ace4f2db1b9634c52dd2cb24
2019-02-07 13:29:39 -08:00
-system_suspend_control_service
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 12:58:29 -07:00
-virtual_touchpad_service
-vold_service
-vr_hwc_service
More neverallows for default_android_service. We don't want to accidentally allow this, and a neverallow also means that the issue will be found during development, instead of review. Fixes: 148081219 Test: compile policy only Change-Id: I57990a2a4ab9e5988b09dae2dd6a710ce8f53800
2020-01-21 10:18:57 -08:00
-default_android_service
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 12:58:29 -07:00
}:service_manager find;
system_app: suppress denials for disallowed services Dontaudit denials for services that system_app may not use due to neverallow assertions. Bug: 67779088 Test: build Change-Id: I822a7909c86bee5c2fdeec6e13af1a9791883f72
2017-10-13 13:33:46 -07:00
# suppress denials for services system_app should not be accessing.
dontaudit system_app {
Add sepolicy for resolver service Bug: 126141549 Test: built, flashed, booted Change-Id: I34260e1e5cc238fbe92574f928252680c1e6b417
2019-02-25 04:12:15 -08:00
dnsresolver_service
system_app: suppress denials for disallowed services Dontaudit denials for services that system_app may not use due to neverallow assertions. Bug: 67779088 Test: build Change-Id: I822a7909c86bee5c2fdeec6e13af1a9791883f72
2017-10-13 13:33:46 -07:00
dumpstate_service
installd_service
iorapd: Add new binder service iorapd. This daemon is very locked down. Only system_server can access it. Bug: 72170747 Change-Id: I7b72b9191cb192be96001d84d067c28292c9688f
2018-10-05 14:48:29 -07:00
iorapd_service
system_app: suppress denials for disallowed services Dontaudit denials for services that system_app may not use due to neverallow assertions. Bug: 67779088 Test: build Change-Id: I822a7909c86bee5c2fdeec6e13af1a9791883f72
2017-10-13 13:33:46 -07:00
netd_service
virtual_touchpad_service
vold_service
vr_hwc_service
}:service_manager find;
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
2017-01-05 17:18:32 -08:00
allow system_app keystore:keystore_key {
get_state
get
insert
delete
exist
list
reset
password
lock
unlock
is_empty
sign
verify
grant
duplicate
clear_uid
user_changed
};
Remove proc and sysfs access from system_app and platform_app. Bug: 65643247 Test: manual Test: browse internet Test: take a picture Change-Id: I9faff44b7a025c7422404d777113e40842ea26dd
2018-01-10 12:51:51 -08:00
# settings app reads /proc/version
Allow system settings to read /proc/version Used to display kernel version in settings app. avc: denied { read } for name="version" dev="proc" scontext=u:r:system_app:s0 tcontext=u:object_r:proc_version:s0 tclass=file permissive=0 Bug: 66985744 Test: kernel version now displayed in settings app. Change-Id: I53f92f63362b900347fd393a40d70ccf5d220d30
2017-09-27 12:27:03 -07:00
allow system_app {
proc_version
}:file r_file_perms;
domain_deprecated: remove proc access Remove "granted" logspam. Grante the observed permissions to the individual processes that need them and remove the permission from domain_deprecated. avc: granted { read open } for comm="ndroid.settings" path="/proc/version" dev="proc" ino=4026532081 scontext=u:r:system_app:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { getattr } for comm=4173796E635461736B202332 path="/proc/pagetypeinfo" dev="proc" ino=4026532129 scontext=u:r:system_app:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="uncrypt" path="/proc/cmdline" dev="proc" ino=4026532072 scontext=u:r:uncrypt:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="update_engine" path="/proc/sys/kernel/random/boot_id" dev="proc" ino=15852829 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="tiveportallogin" path="/proc/vmstat" dev="proc" ino=4026532130 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file This change is specifically not granting the following since it should not be allowed: avc: granted { read open } for comm="crash_dump64" path="/proc/filesystems" dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read } for comm="crash_dump64" name="filesystems" dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { getattr } for comm="crash_dump64" path="/proc/filesystems" dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file Bug: 64032843 Bug: 28760354 Test: build Change-Id: Ib309e97b6229bdf013468dca34f606c0e8da96d0
2017-07-25 16:43:49 -07:00
Constrain cgroups access. What changed: - Removed cgroup access from untrusted and priv apps. - Settings app writes to /dev/stune/foreground/tasks, so system_app domain retains access to cgroup. - libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used abundantly in native code. So added a blanket allow rule for (coredomain - apps) to access cgroups. - For now, only audit cgroup access from vendor domains. Ultimately, we want to either constrain vendor access to individual domains or, even better, remove vendor access and have platform manage cgroups exclusively. Changes from original aosp/692189 which was reverted: - There seem to be spurious denials from vendor-specific apps. So added back access from { appdomain -all_untrusted_apps -priv_app } to cgroup. Audit this access with intent to write explicit per-domain rules for it. Bug: 110043362 Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates /dev/memcg on a per app basis on a device that supports that. Test: aosp_sailfish, wahoo boot without cgroup denials This reverts commit cacea25ed0fe4850d50d12640c7ee47ae1e2ef7a. Change-Id: I05ab404f348a864e8409d811346c8a0bf49bc47a
2018-10-10 15:48:15 -07:00
# Settings app writes to /dev/stune/foreground/tasks.
allow system_app cgroup:file w_file_perms;
Move system_app policy to private This leaves only the existence of system_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from system_app_current attribute (as expected). Bug: 31364497 Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
2017-01-05 17:18:32 -08:00
control_logd(system_app)
logd: restrict access to /dev/event-log-tags Create an event_log_tags_file label and use it for /dev/event-log-tags. Only trusted system log readers are allowed direct read access to this file, no write access. Untrusted domain requests lack direct access, and are thus checked for credentials via the "plan b" long path socket to the event log tag service. Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests Bug: 31456426 Bug: 30566487 Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
2016-11-07 15:11:39 -08:00
read_runtime_log_tags(system_app)
Allow system apps to read log props. This is needed to allow system apps to know whether security logging is enabled, so that they can in this case log additional audit events. Test: logged a security event from locally modified KeyChain app. Bug: 70886042 Change-Id: I9e18d59d72f40510f81d1840e4ac76a654cf6cbd
2018-01-18 09:22:28 -08:00
get_prop(system_app, device_logging_prop)
relax fuse_device neverallow rules The fuse_device neverallow rules are too aggressive and are inhibiting certain vendor customizations. Relax the /dev/fuse neverallow rules so that they better reflect the security invariants we want to uphold. Bug: 37496487 Test: policy compiles. Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d
2017-04-26 11:40:48 -07:00
Allow More Apps to Recv UDP Sockets from SystemServer This gives the privilege to system apps, platform apps, ephemeral apps, and privileged apps to receive a UDP socket from the system server. This is being added for supporting UDP Encapsulation sockets for IPsec, which must be provided by the system. This is an analogous change to a previous change that permitted these sockets for untrusted_apps: 0f75a62e2c4fb1b6ef8db6f2e5c10ff29f95322d Bug: 70389346 Test: IpSecManagerTest, System app verified with SL4A Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31
2017-12-14 18:20:30 -08:00
# allow system apps to use UDP sockets provided by the system server but not
# modify them other than to connect
Allow getsockopt and setsockopt for Encap Sockets Because applications should be able to set the receive timeout on UDP encapsulation sockets, we need to allow setsockopt(). getsockopt() is an obvious allowance as well. Bug: 68689438 Test: compilation Merged-In: I2eaf72bcce5695f1aee7a95ec03111eca577651c Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c
2018-03-27 06:34:54 -07:00
allow system_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
Allow More Apps to Recv UDP Sockets from SystemServer This gives the privilege to system apps, platform apps, ephemeral apps, and privileged apps to receive a UDP socket from the system server. This is being added for supporting UDP Encapsulation sockets for IPsec, which must be provided by the system. This is an analogous change to a previous change that permitted these sockets for untrusted_apps: 0f75a62e2c4fb1b6ef8db6f2e5c10ff29f95322d Bug: 70389346 Test: IpSecManagerTest, System app verified with SL4A Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31
2017-12-14 18:20:30 -08:00
relax fuse_device neverallow rules The fuse_device neverallow rules are too aggressive and are inhibiting certain vendor customizations. Relax the /dev/fuse neverallow rules so that they better reflect the security invariants we want to uphold. Bug: 37496487 Test: policy compiles. Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d
2017-04-26 11:40:48 -07:00
###
### Neverallow rules
###
# app domains which access /dev/fuse should not run as system_app
neverallow system_app fuse_device:chr_file *;
system_app: neverallow /data/local/tmp access /data/local/tmp is an attacker controlled location which system_apps should not be depending on. system_apps should only depend on files in their home directory and files passed to them by file descriptor. To support this best practice, neverallow access to /data/local/tmp. This adds a compile time assertion and CTS test to assert that this rule is never present. This is conceptually a tightening of already defined neverallow rules in domain.te. The existing neverallow assertions exclude appdomain, which is too broad: neverallow { domain -adbd -appdomain -dumpstate -init -installd -simpleperf_app_runner -system_server # why? userdebug_or_eng(`-uncrypt') } shell_data_file:dir { open search }; # Same as above for /data/local/tmp files. We allow shell files # to be passed around by file descriptor, but not directly opened. neverallow { domain -adbd -appdomain -dumpstate -installd userdebug_or_eng(`-uncrypt') } shell_data_file:file open; Test: compiles Change-Id: Ib7178e2b9d5a41c03837a535f7db5eaf10319aac
2019-09-05 09:24:41 -07:00
# Apps which run as UID=system should not rely on any attacker controlled
# filesystem locations, such as /data/local/tmp. For /data/local/tmp, we
# allow writes to files passed by file descriptor to support dumpstate and
# bug reports, but not reads.
neverallow system_app shell_data_file:dir { no_w_dir_perms open search read };
neverallow system_app shell_data_file:file { open read ioctl lock };
Reference in New Issue Copy Permalink