This introduces some attributes that can be used to restrict access to
exported properties so that one can easily check from which the
properties can be accessed, and that OEMs can extend their own exported
properties.
Bug: 71814576
Bug: 131162102
Test: boot aosp_cf_x86_phone-userdebug
Test: logcat | grep "avc: "
Change-Id: I6f988ec1cb94fa64563ca6cb91b7702da5d604e3
Allow dumpsys to dump process information for bug reports.
Test: build
Test: adb bugreport
Bug: 140541614
Change-Id: Ia361e8c8de2cc5f798e746dffcf067393fd6bcae
This new apex is a VNDK APEX which is going to replace /system/lib/vndk
libraries.
Bug: 134357236
Bug: 139772411
Test: m com.android.vndk
Change-Id: I9bdda5bc7862917a196b894cc562e0351db76c52
The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
when init is executing other binaries. The use of LD_PRELOAD for init spawned
services is generally considered a no-no, as it injects libraries which the
binary was not expecting. This is especially problematic for APEXes. The use
of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
code into a process which wasn't expecting that code, with potentially
unexpected side effects.
Test: compiles
Bug: 140789528
Change-Id: Ia781ec7318e700cddfd52df97c504b771f413504
This reverts commit a9b718a1ed.
Reason for revert: No longer be necessary after
http://r.android.com/1120246 lands as this causes BoringSSL to only write
flag files if a particular environment variable is set, and this variable
will only be set for the self test binaries which have permission to
write to /dev/boringssl.
Bug: 140918050
Test: Manually observed audit log after change
Change-Id: I851f4aea991d91c67b64535829eea5b9594a3e2c
Bug: 136592946
Bug: 138261472
Test: Ran with the patch applied, confirmed surface flinger can access
the system property.
Change-Id: I259a488399c5e698de384322852ea81ea1a96e7d
Merged-In: I259a488399c5e698de384322852ea81ea1a96e7d
Binaries other than boringssl_self_test_exec are not allowed
to create marker files /dev/boringssl/selftest/[hash].
Right now, some processes still attempt to because:
- Some binaries run so early during early-init that
boringssl_self_test{32,64} hasn't had a chance to
run yet, so the marker file doesn't exist yet, so
the unprivileged process attempts to create it.
- Some binaries statically link libcrypto so their
[hash] is different from that used by
boringssl_self_test{32,64}.
There's some ongoing work to stop those binaries even
attempting to create the marker files but it's not a
big deal if they do. Similarly, there is ongoing work
to minimize or eliminate static linking of this library.
For now, this CL turns off audit logs for this behavior
since it is harmless (a cosmetic issue) and in order to
not hold up the bulk of the logic being submitted.
Bug: 137267623
Test: Treehugger
Change-Id: I3de664c5959efd130f761764fe63515795ea9b98
Give /data itself a different label to its contents, to ensure that
only init creates files and directories there.
This change originally landed as aosp/1106014 and was reverted in
aosp/1116238 to fix b/140402208. aosp/1116298 fixes the underlying
problem, and with that we can re-land this change.
Bug: 139190159
Bug: 140402208
Test: aosp boots, logs look good
Change-Id: I1a366c577a0fff307ca366a6844231bcf8afe3bf
Remove everyone's ability to read /proc/sys/vm/overcommit_memory.
Android's jemalloc implementation no longer uses this file.
init.te had multiple rules which allowed writing to this file. Get rid of
the duplicate rule.
Bug: 140736217
Test: compiles and boots
Test: bypass setup wizard and start the browser, browse the web
Change-Id: I5a2d5f450f5dde5dd55a0cedd7fbd55a6ac0beed
These properties should no longer be specified in the vendor rom.
Bug: 139883463
Test: manual
(cherry picked from commit 1f6eda4111)
Exempt-From-Owner-Approval: Cherry-pick from master
Merged-In: I510c917fa3c60dcbd3f104ebe619f34c69c821e6
Change-Id: I8b7cf03d7a2faceb03b83edcb47e831fbc8c8918
Include coredomain in initial definition of boringssl_self_test
rather than adding it later. This addresses an outstanding review
comment from http://r.android.com/1110523
Test: Treehugger
Bug: 137267623
Change-Id: I4e8d4e2e76b1c3a9b5a1f806e43e885b51cb7a60
Before this change, access to HALs from untrusted apps was prohibited
except for the whitelisted ones like the gralloc HAL, the renderscript
HAL, etc. As a result, any HAL that is added by partners can't be
accessed from apps. This sometimes is a big restriction for them when
they want to access their own HALs in the same-process HALs running in
apps. Although this is a vendor-to-vendor communication and thus is not
a Treble violation, that was not allowed because their HALs are not in
the whitelist in AOSP.
This change fixes the problem by doing the access control in the
opposite way; access to HALs are restricted only for the blacklisted
ones.
All the hwservice context that were not in the whitelist are now put
to blacklist.
This change also removes the neverallow rule for the binder access to
the halserverdomain types. This is not needed as the protected
hwservices living in the HAL processes are already not accessible; we
have a neverallow rule for preventing hwservice_manager from finding
those protected hwservices from untrusted apps.
Bug: 139645938
Test: m
Merged-In: I1e63c11143f56217eeec05e2288ae7c91e5fe585
(cherry picked from commit 580375c923)
Change-Id: I4e611091a315ca90e3c181f77dd6a5f61d3a6468
/data/local/tmp is an attacker controlled location which system_apps
should not be depending on. system_apps should only depend on files in
their home directory and files passed to them by file descriptor. To
support this best practice, neverallow access to /data/local/tmp. This
adds a compile time assertion and CTS test to assert that this rule is
never present.
This is conceptually a tightening of already defined neverallow rules in
domain.te. The existing neverallow assertions exclude appdomain, which
is too broad:
neverallow {
domain
-adbd
-appdomain
-dumpstate
-init
-installd
-simpleperf_app_runner
-system_server # why?
userdebug_or_eng(`-uncrypt')
} shell_data_file:dir { open search };
# Same as above for /data/local/tmp files. We allow shell files
# to be passed around by file descriptor, but not directly opened.
neverallow {
domain
-adbd
-appdomain
-dumpstate
-installd
userdebug_or_eng(`-uncrypt')
} shell_data_file:file open;
Test: compiles
Change-Id: Ib7178e2b9d5a41c03837a535f7db5eaf10319aac
Currently shell can connect to the traced_consumer_socket allowing it to
configure/start/stop and collect traces. This allows a host tool (e.g. Android Studio or
https://ui.perfetto.dev) to connect to the device via adb and collect traces. It would
be better if rather than executing shell commands the host tool could directly communicate
with the consumer socket. This is possible using adb forward:
adb forward tcp:9903 localfilesystem:/dev/socket/traced_consumer
However in this case adbd is connecting to the socket - not shell.
This CL allows adbd to connect to the socket which allows host tools to collect
traces without having to do everything though shell commands.
Denial:
08-30 11:28:05.809 10254 10254 W adbd : type=1400 audit(0.0:1129): avc: denied { write } for name="traced_consumer" dev="tmpfs" ino=6719 scontext=u:r:adbd:s0 tcontext=u:object_r:traced_consumer_socket:s0 tclass=sock_file permissive=0
Test: Cherry pick CL to master, make, flash
adb logcat | grep denied
adb forward tcp:9903 localfilesystem:/dev/socket/traced_consumer
Bug: b/139536756
Change-Id: Ie08e687c0b06d0e1121009e8cd70319a8f907ae2
This CL adds hand-written SELinux rules to:
- define the boringssl_self_test security domain
- label the corresponding files at type boringssl_self_test_marker
and boringssl_self_test_exec.
- define an automatic transition from init to boringssl_self_test
domains, plus appropriate access permissions.
Bug: 137267623
Test: When run together with the other changes from draft CL topic
http://aosp/q/topic:bug137267623_bsslselftest, check that:
- both /dev/boringssl/selftest/* marker files are
present after the device boots.
- Test: after the boringssl_self_test{32,64} binaries have
run, no further SELinux denials occur for processes
trying to write the marker file.
Change-Id: I77de0bccdd8c1e22c354d8ea146e363f4af7e36f
Give /data itself a different label to its contents, to ensure that
only init creates files and directories there.
Bug: 139190159
Test: aosp boots, logs look good
Change-Id: I3ee654a928bdab3f5d435ab6ac24040d9bdd9abe
When fsverity_init tries to access files in /system or /product
partition AFTER adb remount, SELinux denial is generated:
avc: denied { sys_admin } for capability=21
scontext=u:r:fsverity_init:s0 tcontext=u:r:fsverity_init:s0
tclass=capability permissive=0
This is due to some internal access to an xattr inside overlayfs, but it
should not report this.
Before the message can be surpressed, dontaudit it to keep the log clean.
Test: no more error log
Bug: 132323675
Change-Id: I323c9330ee6e6b897d1a4e1e74f6e7e0ef1eaa89