From 607bc67cc97b4059a57c978fb6be39665f5a58ff Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep
Date: Mon, 16 Dec 2019 10:59:03 +0100
Subject: [PATCH] Prevent apps from causing presubmit failures

Apps can cause selinux denials by accessing CE storage and/or external storage. In either case, the selinux denial is not the cause of the failure, but just a symptom that storage isn't ready. Many apps handle the failure appropriately. These denials are not helpful, are not the cause of a problem, spam the logs, and cause presubmit flakes. Suppress them.
Bug: 145267097
Test: build
Change-Id: If87b9683e5694fced96a81747b1baf85ef6b2124
---
 private/app.te | 16 ++++++++++++++++
 private/bug_map | 8 --------
 private/gmscore_app.te | 9 ---------
 private/priv_app.te | 6 ------
 private/untrusted_app_all.te | 6 ------
 5 files changed, 16 insertions(+), 29 deletions(-)
diff --git a/private/app.te b/private/app.te
index e8397efc1..5590ca57b 100644
--- a/private/app.te
+++ b/private/app.te
@@ -4,6 +4,22 @@ get_prop(appdomain, test_harness_prop)
 userdebug_or_eng(`perfetto_producer({ appdomain })')
+# Prevent apps from causing presubmit failures.
+# Apps can cause selinux denials by accessing CE storage
+# and/or external storage. In either case, the selinux denial is
+# not the cause of the failure, but just a symptom that
+# storage isn't ready. Many apps handle the failure appropriately.
+#
+# Apps cannot access external storage before it becomes available.
+dontaudit appdomain storage_stub_file:dir getattr;
+# Attempts to write to system_data_file is generally a sign
+# that apps are attempting to access encrypted storage before
+# the ACTION_USER_UNLOCKED intent is delivered. Apps are not
+# allowed to write to CE storage before it's available.
+# Attempting to do so will be blocked by both selinux and unix
+# permissions.
+dontaudit appdomain system_data_file:dir write;
+
 neverallow appdomain system_server:udp_socket { accept append bind create ioctl listen lock name_bind relabelfrom relabelto setattr shutdown };
diff --git a/private/bug_map b/private/bug_map
index 076aeba4d..c6c8278db 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,7 +1,5 @@
-bluetooth storage_stub_file dir b/145267097
 dnsmasq netd fifo_file b/77868789
 dnsmasq netd unix_stream_socket b/77868789
-gmscore_app storage_stub_file dir b/145267097
 gmscore_app system_data_file dir b/146166941
 init app_data_file file b/77873135
 init cache_file blk_file b/77873135
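Review bot: The two `dontaudit appdomain ...` rules added in private/app.te apply to every app domain and to every directory labelled `system_data_file`, so a denied write by any app now leaves no audit record whether or not CE storage was locked at the time; the removed per-domain rules covered only gmscore_app, priv_app and untrusted_app_all. The access is still denied, but the log signal that would show an app probing system data directories is gone, and the comment should state that scope next to the rule, e.g. `# NOTE: this hides write denials on every system_data_file dir for all of appdomain, not only pre-unlock CE access.` Separately, the private/bug_map hunks drop `system_server storage_stub_file dir b/145267097`, and if system_server is not part of `appdomain` (not visible in this patch) that denial is neither suppressed nor tracked after this change.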
@@ -26,15 +24,9 @@ netd untrusted_app unix_stream_socket b/77870037
 netd untrusted_app_25 unix_stream_socket b/77870037
 netd untrusted_app_27 unix_stream_socket b/77870037
 platform_app nfc_data_file dir b/74331887
-platform_app storage_stub_file dir b/145267097
-priv_app storage_stub_file dir b/145267097
 system_server crash_dump process b/73128755
 system_server overlayfs_file file b/142390309
 system_server sdcardfs file b/77856826
-system_server storage_stub_file dir b/145267097
 system_server zygote process b/77856826
-untrusted_app storage_stub_file dir b/145267097
-untrusted_app_25 storage_stub_file dir b/145267097
-untrusted_app_27 storage_stub_file dir b/145267097
 vold system_data_file file b/124108085
 zygote untrusted_app_25 process b/77925912
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 5c01eab31..a5555ac20 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -63,15 +63,6 @@ dontaudit gmscore_app sysfs_dm:file r_file_perms;
 dontaudit gmscore_app sysfs_loop:file r_file_perms;
 dontaudit gmscore_app wifi_prop:file r_file_perms;
 dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms;
-
-
-# Attempts to write to system_data_file is generally a sign
-# that apps are attempting to access encrypted storage before
-# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
-# denial to prevent apps from spamming the logs.
-dontaudit gmscore_app system_data_file:dir write;
-
-# suppress denials for scanning /data_mirror
 dontaudit gmscore_app mirror_data_file:dir search;
 # Access the network
@@ -213,12 +213,6 @@ dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;
 allow priv_app system_server:udp_socket { connect getattr read recvfrom sendto write getopt setopt };
-# Attempts to write to system_data_file is generally a sign
-# that apps are attempting to access encrypted storage before
-# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
-# denial to prevent apps from spamming the logs.
-dontaudit priv_app system_data_file:dir write;
-
 ###
 ### neverallow rules
 ###
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index f37cadc6e..d8e0b1455 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -162,12 +162,6 @@ dontaudit untrusted_app_all proc_uptime:file read;
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
 create_pty(untrusted_app_all)
-# Attempts to write to system_data_file is generally a sign
-# that apps are attempting to access encrypted storage before
-# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
-# denial to prevent third party apps from spamming the logs.
-dontaudit untrusted_app_all system_data_file:dir write;
-
 # Allow access to kcov via its ioctl interface for coverage
 # guided kernel fuzzing.
 userdebug_or_eng(`