PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
336b68d68e
android_system_sepolicy/public/uncrypt.te

43 lines
1.2 KiB
Plaintext
Raw Normal View History

initial policy for uncrypt. Add initial support for uncrypt, started via the pre-recovery service in init.rc. On an encrypted device, uncrypt reads an OTA zip file on /data, opens the underlying block device, and writes the unencrypted blocks on top of the encrypted blocks. This allows recovery, which can't normally read encrypted partitions, to reconstruct the OTA image and apply the update as normal. Add an exception to the neverallow rule for sys_rawio. This is needed to support writing to the raw block device. Add an exception to the neverallow rule for unlabeled block devices. The underlying block device for /data varies between devices within the same family (for example, "flo" vs "deb"), and the existing per-device file_context labeling isn't sufficient to cover these differences. Until I can resolve this problem, allow access to any block devices. Bug: 13083922 Change-Id: I7cd4c3493c151e682866fe4645c488b464322379
2014-02-19 13:33:32 -08:00
# uncrypt
Move domain_deprecated into private policy This attribute is being actively removed from policy. Since attributes are not being versioned, partners must not be able to access and use this attribute. Move it from private and verify in the logs that rild and tee are not using these permissions. Bug: 38316109 Test: build and boot Marlin Test: Verify that rild and tee are not being granted any of these permissions. Merged-In: I31beeb5bdf3885195310b086c1af3432dc6a349b Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b (cherry picked from commit 76aab82cb3a7560d3d78f93c7f2d00ed381192c4)
2017-05-15 13:19:03 -07:00
type uncrypt, domain, mlstrustedsubject;
Introduce system_file_type system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 10:21:37 -07:00
type uncrypt_exec, system_file_type, exec_type, file_type;
initial policy for uncrypt. Add initial support for uncrypt, started via the pre-recovery service in init.rc. On an encrypted device, uncrypt reads an OTA zip file on /data, opens the underlying block device, and writes the unencrypted blocks on top of the encrypted blocks. This allows recovery, which can't normally read encrypted partitions, to reconstruct the OTA image and apply the update as normal. Add an exception to the neverallow rule for sys_rawio. This is needed to support writing to the raw block device. Add an exception to the neverallow rule for unlabeled block devices. The underlying block device for /data varies between devices within the same family (for example, "flo" vs "deb"), and the existing per-device file_context labeling isn't sufficient to cover these differences. Until I can resolve this problem, allow access to any block devices. Bug: 13083922 Change-Id: I7cd4c3493c151e682866fe4645c488b464322379
2014-02-19 13:33:32 -08:00
sepolicy: grant dac_read_search to domains with dac_override kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of dac_override and dac_read_search checks. Domains that have dac_override will now generate spurious denials for dac_read_search unless they also have that permission. Since dac_override is a strict superset of dac_read_search, grant dac_read_search to all domains that already have dac_override to get rid of the denials. Bug: 114280985 Bug: crbug.com/877588 Test: Booted on a device running 4.14. Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
2018-09-06 15:19:40 -07:00
allow uncrypt self:global_capability_class_set { dac_override dac_read_search };
initial policy for uncrypt. Add initial support for uncrypt, started via the pre-recovery service in init.rc. On an encrypted device, uncrypt reads an OTA zip file on /data, opens the underlying block device, and writes the unencrypted blocks on top of the encrypted blocks. This allows recovery, which can't normally read encrypted partitions, to reconstruct the OTA image and apply the update as normal. Add an exception to the neverallow rule for sys_rawio. This is needed to support writing to the raw block device. Add an exception to the neverallow rule for unlabeled block devices. The underlying block device for /data varies between devices within the same family (for example, "flo" vs "deb"), and the existing per-device file_context labeling isn't sufficient to cover these differences. Until I can resolve this problem, allow access to any block devices. Bug: 13083922 Change-Id: I7cd4c3493c151e682866fe4645c488b464322379
2014-02-19 13:33:32 -08:00
uncrypt: allow /data/local/tmp on userdebug/eng Per https://android-review.googlesource.com/82814 , uncrypt needs to be able to read shell_data_files on userdebug / eng builds. Allow it. Bug: 13083922 Change-Id: I72299673bb5e36be79413227105b5cad006d504f
2014-02-20 11:47:00 -08:00
userdebug_or_eng(`
# For debugging, allow /data/local/tmp access
r_dir_file(uncrypt, shell_data_file)
')
initial policy for uncrypt. Add initial support for uncrypt, started via the pre-recovery service in init.rc. On an encrypted device, uncrypt reads an OTA zip file on /data, opens the underlying block device, and writes the unencrypted blocks on top of the encrypted blocks. This allows recovery, which can't normally read encrypted partitions, to reconstruct the OTA image and apply the update as normal. Add an exception to the neverallow rule for sys_rawio. This is needed to support writing to the raw block device. Add an exception to the neverallow rule for unlabeled block devices. The underlying block device for /data varies between devices within the same family (for example, "flo" vs "deb"), and the existing per-device file_context labeling isn't sufficient to cover these differences. Until I can resolve this problem, allow access to any block devices. Bug: 13083922 Change-Id: I7cd4c3493c151e682866fe4645c488b464322379
2014-02-19 13:33:32 -08:00
# Read /cache/recovery/command
Allow system server and uncrypt to operate pipe file System server and uncrypt need to communicate with a named pipe on the /cache partition. It will be created and deleted by system server. Bug: 20012567 Bug: 20949086 Change-Id: I9494a67016c23294e803ca39d377ec321537bca0
2015-05-20 16:29:42 -07:00
# Read /cache/recovery/uncrypt_file
domain_deprecated: remove cache access Address the "granted" permissions observed in the logs including: tcontext=uncrypt avc: granted { search } for comm="uncrypt" name="/" dev="mmcblk0p40" ino=2 scontext=u:r:uncrypt:s0 tcontext=u:object_r:cache_file:s0 tclass=dir tcontext=install_recovery avc: granted { search } for comm="applypatch" name="saved.file" scontext=u:r:install_recovery:s0 tcontext=u:object_r:cache_file:s0 tclass=dir avc: granted { read } for comm="applypatch" name="saved.file" dev="mmcblk0p6" ino=14 scontext=u:r:install_recovery:s0 tcontext=u:object_r:cache_file:s0 tclass=file avc: granted { getattr } for comm="applypatch" path="/cache/saved.file" dev="mmcblk0p6" ino=14 scontext=u:r:install_recovery:s0 tcontext=u:object_r:cache_file:s0 tclass=file tcontext=update_engine avc: granted { search } for comm="update_engine" name="cache" dev="sda35" ino=1409025 scontext=u:r:update_engine:s0 tcontext=u:object_r:cache_file:s0 tclass=dir" avc: granted { read } for comm="update_engine" name="update.zip" dev="sda35" ino=1409037 scontext=u:r:update_engine:s0 tcontext=u:object_r:cache_file:s0:c512,c768 tclass=file avc: granted { read } for comm="update_engine" name="cache" dev="dm-0" ino=16 scontext=u:r:update_engine:s0 tcontext=u:object_r:cache_file:s0 tclass=lnk_file Bug: 28760354 Test: build policy. Merged-In: Ia13fe47268df904bd4f815c429a0acac961aed1e Change-Id: Ia13fe47268df904bd4f815c429a0acac961aed1e
2017-07-09 16:43:55 -07:00
allow uncrypt cache_file:dir search;
Creates a new permission for /cache/recovery This permission was created mostly for dumpstate (so it can include recovery files on bugreports when an OTA fails), but it was applied to uncrypt and recovery as well (since it had a wider access before). Grant access to cache_recovery_file where we previously granted access to cache_file. Add auditallow rules to determine if this is really needed. BUG: 25351711 Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
2015-12-22 12:37:17 -08:00
allow uncrypt cache_recovery_file:dir rw_dir_perms;
allow uncrypt cache_recovery_file:file create_file_perms;
Add /dev/socket/uncrypt. system_server used to communicate with uncrypt via files (e.g. /cache/recovery/command and /cache/recovery/uncrypt_status). Since A/B devices may not have /cache partitions anymore, we switch to communicate via /dev/socket/uncrypt to allow things like factory reset to keep working. Bug: 27176738 Change-Id: I73b6d6f1ecdf16fd4f3600b5e524da06f35b5bca
2016-02-26 10:30:12 -08:00
Add ota_package_file label for OTA packages. (cherry picked from commit 6c3f2831aca571ec3b01f60996965a432aa8164d) Allow priv_app, uncrypt, update_engine to access the OTA packages at /data/ota_package (both A/B and non-A/B). GMSCore (priv_app) checks the existence of the folder, and downloads the package there if present. Bug: 28944800 Change-Id: I3c0717861fce7f93b33874a99f6a4a55567612a5
2016-05-24 21:07:48 -07:00
# Read OTA zip file at /data/ota_package/.
allow uncrypt ota_package_file:dir r_dir_perms;
allow uncrypt ota_package_file:file r_file_perms;
Add /dev/socket/uncrypt. system_server used to communicate with uncrypt via files (e.g. /cache/recovery/command and /cache/recovery/uncrypt_status). Since A/B devices may not have /cache partitions anymore, we switch to communicate via /dev/socket/uncrypt to allow things like factory reset to keep working. Bug: 27176738 Change-Id: I73b6d6f1ecdf16fd4f3600b5e524da06f35b5bca
2016-02-26 10:30:12 -08:00
# Write to /dev/socket/uncrypt
unix_socket_connect(uncrypt, uncrypt, uncrypt)
initial policy for uncrypt. Add initial support for uncrypt, started via the pre-recovery service in init.rc. On an encrypted device, uncrypt reads an OTA zip file on /data, opens the underlying block device, and writes the unencrypted blocks on top of the encrypted blocks. This allows recovery, which can't normally read encrypted partitions, to reconstruct the OTA image and apply the update as normal. Add an exception to the neverallow rule for sys_rawio. This is needed to support writing to the raw block device. Add an exception to the neverallow rule for unlabeled block devices. The underlying block device for /data varies between devices within the same family (for example, "flo" vs "deb"), and the existing per-device file_context labeling isn't sufficient to cover these differences. Until I can resolve this problem, allow access to any block devices. Bug: 13083922 Change-Id: I7cd4c3493c151e682866fe4645c488b464322379
2014-02-19 13:33:32 -08:00
# Set a property to reboot the device.
Replace unix_socket_connect() and explicit property sets with macro A common source of mistakes when authoring sepolicy is properly setting up property sets. This is a 3 part step of: 1. Allowing the unix domain connection to the init/property service 2. Allowing write on the property_socket file 3. Allowing the set on class property_service The macro unix_socket_connect() handled 1 and 2, but could be confusing for first time policy authors. 3 had to be explicitly added. To correct this, we introduce a new macros: set_prop(sourcedomain, targetprop) This macro handles steps 1, 2 and 3. No difference in sediff is expected. (cherrypicked from commit 625a3526f1ebaaa014bb563239cc33829f616232) Change-Id: I630ba0178439c935d08062892990d43a3cc1239e Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-04 18:22:45 -07:00
set_prop(uncrypt, powerctl_prop)
initial policy for uncrypt. Add initial support for uncrypt, started via the pre-recovery service in init.rc. On an encrypted device, uncrypt reads an OTA zip file on /data, opens the underlying block device, and writes the unencrypted blocks on top of the encrypted blocks. This allows recovery, which can't normally read encrypted partitions, to reconstruct the OTA image and apply the update as normal. Add an exception to the neverallow rule for sys_rawio. This is needed to support writing to the raw block device. Add an exception to the neverallow rule for unlabeled block devices. The underlying block device for /data varies between devices within the same family (for example, "flo" vs "deb"), and the existing per-device file_context labeling isn't sufficient to cover these differences. Until I can resolve this problem, allow access to any block devices. Bug: 13083922 Change-Id: I7cd4c3493c151e682866fe4645c488b464322379
2014-02-19 13:33:32 -08:00
# Raw writes to block device
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 14:51:26 -08:00
allow uncrypt self:global_capability_class_set sys_rawio;
Move update_engine policy to AOSP. The update_engine daemon from Brillo is expected to be used also in Android so move its selinux policy to AOSP. Put update_engine in the whitelist (currently only has the recovery there) allowing it to bypass the notallow for writing to partititions labeled as system_block_device. Also introduce the misc_block_device dev_type as update_engine in some configurations may need to read/write the misc partition. Start migrating uncrypt to use this instead of overly broad block_device:blk_file access. Bug: 23186405 Test: Manually tested with Brillo build. Change-Id: Icf8cdb4133d4bbdf14bacc6c0fa7418810ac307a
2015-10-05 14:04:39 -07:00
allow uncrypt misc_block_device:blk_file w_file_perms;
uncrypt: allow /dev/block directory access. Uncrypt needs search in /dev/block to open block devices. Allow it. Addresses the following denial: [11105.601711] type=1400 audit(1393550350.528:30): avc: denied { search } for pid=14597 comm="uncrypt" name="block" dev="tmpfs" ino=7200 scontext=u:r:uncrypt:s0 tcontext=u:object_r:block_device:s0 tclass=dir Change-Id: I4592784135a04ff5bff2715e1250661744f12aa1
2014-02-27 17:24:43 -08:00
allow uncrypt block_device:dir r_dir_perms;
Define types for userdata and cache block devices. Introduce separate types for the userdata and cache block devices so that we can assign them and allow access to them in device-specific policy without allowing access to any other block device (e.g. system). These types will only be used if assigned to device node paths in the device-specific file_contexts configuration. Otherwise, this change will have no impact - the userdata and cache block devices will continue to default to block_device type. To avoid breakage when these new types are assigned to the userdata block device, allow access by vold and uncrypt, but auditallow these accesses to confirm that these are required. Change-Id: I99d24f06506f51ebf1d186d9c393b3cad60e98d7 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-11 05:50:04 -07:00
# Access userdata block device.
uncrypt: fix OTAs uncrypt needs to be able to read OTA files in GMS core's home directory, which is protected with MLS. Mark uncrypt as an mlstrustedsubject so that it can read the files. Addresses the following denial (and probably others): uncrypt : type=1400 audit(0.0:27): avc: denied { getattr } for path="/data/data/com.google.android.gms" dev="mmcblk0p30" ino=81970 scontext=u:r:uncrypt:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir Remove the auditallow line for uncrypt. Per dd053a9b891195439b1c0848cb0e8a6e17b4b9bc, the auditallow line was added to confirm that uncrypt was actually accessing the userdata block device. The access to the userdata block device is definitely occurring, and auditing it doesn't add any value. Remove the auditing. Eliminates the following unnecessary audit lines: avc: granted { write } for pid=2449 comm="uncrypt" name="mmcblk0p31" dev="tmpfs" ino=10404 scontext=u:r:uncrypt:s0 tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file avc: granted { write open } for pid=2449 comm="uncrypt" path="/dev/block/mmcblk0p31" dev="tmpfs" ino=10404 scontext=u:r:uncrypt:s0 tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file Tighten up userdata block access to write-only. uncrypt never reads directly from the block device. Testing: 1) Create the file /cache/recovery/command with a line like: --update_package=/data/data/com.google.android.gms/foo.zip 2) Create the file /data/data/com.google.android.gms/foo.zip (contents not important) 3) Run "setprop ctl.start pre-recovery" Expected: No SELinux denials. Actual: SELinux denials Bug: 18875451 Change-Id: I62c7f06313afb2535b0de8be3c16d9d33879dd5d
2015-01-05 15:03:43 -08:00
allow uncrypt userdata_block_device:blk_file w_file_perms;
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-09 16:27:17 -07:00
r_dir_file(uncrypt, rootfs)
domain_deprecated: remove proc access Remove "granted" logspam. Grante the observed permissions to the individual processes that need them and remove the permission from domain_deprecated. avc: granted { read open } for comm="ndroid.settings" path="/proc/version" dev="proc" ino=4026532081 scontext=u:r:system_app:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { getattr } for comm=4173796E635461736B202332 path="/proc/pagetypeinfo" dev="proc" ino=4026532129 scontext=u:r:system_app:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="uncrypt" path="/proc/cmdline" dev="proc" ino=4026532072 scontext=u:r:uncrypt:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="update_engine" path="/proc/sys/kernel/random/boot_id" dev="proc" ino=15852829 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="tiveportallogin" path="/proc/vmstat" dev="proc" ino=4026532130 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file This change is specifically not granting the following since it should not be allowed: avc: granted { read open } for comm="crash_dump64" path="/proc/filesystems" dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read } for comm="crash_dump64" name="filesystems" dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { getattr } for comm="crash_dump64" path="/proc/filesystems" dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file Bug: 64032843 Bug: 28760354 Test: build Change-Id: Ib309e97b6229bdf013468dca34f606c0e8da96d0
2017-07-25 16:43:49 -07:00
# uncrypt reads /proc/cmdline
Give uncrypt access to /proc/cmdline. Removes uncrypt access to the rest of /proc. Fixes this denial, which can be triggered from recovery_component_test: [ 142.540819] type=1400 audit(1506983074.139:23): avc: denied { read } for pid=5767 comm=uncrypt name=cmdline dev=proc ino=4026532114 scontext=u:r:uncrypt:s0 tcontext=u:object_r:proc_cmdline:s0 tclass=file permissive=0 Bug: 66497047 Test: recovery_component_test --gtest_filter=UncryptTest.* no more denials to /proc/cmdline Change-Id: If1a7630779d667d52a0cc44114ef6177982de21c
2017-10-02 15:31:46 -07:00
allow uncrypt proc_cmdline:file r_file_perms;
domain_deprecated: remove sysfs rules Clean up the remaining granted permissions in domain_deprecated. avc: granted { read open } for comm="uncrypt" path="/sys/firmware/devicetree/base/firmware/android/fstab/compatible" dev="sysfs" ino=17591 scontext=u:r:uncrypt:s0 tcontext=u:object_r:sysfs:s0 tclass=file avc: granted { getattr } for comm="uncrypt" path="/sys/firmware/devicetree/base/firmware/android/compatible" dev="sysfs" ino=17583 scontext=u:r:uncrypt:s0 tcontext=u:object_r:sysfs:s0 tclass=file vc: granted { read open } for comm="update_engine" path="/sys/firmware/devicetree/base/firmware/android/fstab" dev="sysfs" ino=17258 scontext=u:r:update_engine:s0 tcontext=u:object_r:sysfs:s0 tclass=dir avc: granted { getattr } for comm="update_engine" path="/sys/firmware/devicetree/base/firmware/android/fstab/compatible" dev="sysfs" ino=17259 scontext=u:r:update_engine:s0 tcontext=u:object_r:sysfs:s0 tclass=file Bug: 28760354 Test: build Change-Id: Id318ce84894c1001361923f5205de093a15c1e6a
2017-07-27 06:43:30 -07:00
# Read files in /sys
/proc, /sys access from uncrypt, update_engine, postinstall_dexopt New types: 1. proc_random 2. sysfs_dt_firmware_android Labeled: 1. /proc/sys/kernel/random as proc_random. 2. /sys/firmware/devicetree/base/firmware/android/{compatible, fstab, vbmeta} as sysfs_dt_firmware_android. Changed access: 1. uncrypt, update_engine, postinstall_dexopt have access to generic proc and sysfs labels removed. 2. appropriate permissions were added to uncrypt, update_engine, update_engine_common, postinstall_dexopt. Bug: 67416435 Bug: 67416336 Test: fake ota go/manual-ab-ota runs without denials Test: adb sideload runs without denials to new types Change-Id: Id31310ceb151a18652fcbb58037a0b90c1f6505a
2017-10-04 10:34:11 -07:00
r_dir_file(uncrypt, sysfs_dt_firmware_android)
Reference in New Issue Copy Permalink