This change limits global access to /system files down to:
/system/bin/linker*
/system/lib[64]/*
/system/etc/ld.config*
/system/etc/seccomp_policy/*
/system/etc/security/cacerts/*
/system/usr/share/zoneinfo/*
Bug: 111243627
Test: boot device, browse internet without denials to system_* types.
Test: VtsHalDrmV1_{1, 0}TargetTest without denials
Change-Id: I69894b29733979c2bc944ac80229e84de5d519f4
...to reflect that the HAL operates on storage devices,
not filesystem.
Bug: 111655771
Test: compiles
Change-Id: Ibb0572cb1878359e5944aa6711331f0c7993ba6e
This is done so that /dev/input/event* nodes can be read by
dynamic sensors framework.
Bug: 38511270
Change-Id: Ib017c5621a8b7e08ddfa088453d061a6537a2a1c
(breaks vendor blobs, will have to be regenerated
after this CL)
This moves mediacodec to vendor so it is replaced with
hal_omx_server. The main benefit of this is that someone
can create their own implementation of mediacodec without
having to alter the one in the tree. mediacodec is still
seccomp enforced by CTS tests.
Fixes: 36375899
Test: (sanity) YouTube
Test: (sanity) camera pics + video
Test: check for denials
Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e
Keymaster hal needs to be able to read the vendor SPL for purposes of
rollback protection.
Bug: 76428542
Test: Keymaster can access the hal_keymaster_default property
Change-Id: Ifa53adb23f6ab79346e9dd9616b34d8b24395a0a
Keymaster hal needs to be able to read the vendor SPL for purposes of
rollback protection.
Test: Keymaster can access the hal_keymaster_default property
Change-Id: Ifa53adb23f6ab79346e9dd9616b34d8b24395a0a
* Note on cherry-pick: Some of the dependent changes are not in AOSP.
In order to keep hostapd running correctly in AOSP, I've modified this
change to only include policy additions.
Change sepolicy permissions to now classify hostapd as a HAL exposing
HIDL interface.
Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd:
12-27 23:40:55.913 4952 4952 W hostapd : type=1400 audit(0.0:19): avc:
denied { write } for name="hostapd" dev="sda13" ino=4587601
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
01-02 19:07:16.938 5791 5791 W hostapd : type=1400 audit(0.0:31): avc:
denied { search } for name="net" dev="sysfs" ino=30521
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0
Bug: 36646171
Test: Device boots up and able to turn on SoftAp.
Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947
Merged-In: Ibacfcc938deab40096b54b8d0e608d53ca91b947
(cherry picked from commit 5bca3e860d)
This restores the change made in ag/3883322, which was inadvertently
reverted with the combination of ag/3998755 and the merge of
aosp/666885.
Bug: 9496886
Bug: 68016944
Test: Builds, device boots, no denial seen.
Change-Id: I6af83c5bf982283d69ac31c0495471079555c894
This is needed for interface configuration - see e.g. nl80211_configure_data_frame_filters.
Bug: 77903086
Test: Device boots, denial not seen, wifi works
(cherry picked from commit 72ed615228)
Change-Id: Ia781e7c56f6e8e77e654cd28ca34de09180e2213
Merged-In: Ia55c4af1fcee75ada0e67a162fdb92ecc0089312
This is needed for interface configuration - see e.g. nl80211_configure_data_frame_filters.
Bug: 77903086
Test: WiFi still working
Change-Id: I4b5e2b59eeeb6d0ac19dbcbcf0e7e80942247893
Bug: 74114758
Test: Checked radio-service and sap-service is on the lshal after running the service
Change-Id: I1b18711286e000a7d17664e7d3a2045aeeb8c285
Merged-In: I1b18711286e000a7d17664e7d3a2045aeeb8c285
(cherry picked from commit 64839e874b)
Bug: 74114758
Test: Checked radio-service and sap-service is on the lshal after running the service
Change-Id: I1b18711286e000a7d17664e7d3a2045aeeb8c285
It should instead write to /data/vendor/wifi.
Bug: 36645291
Test: Built policy.
Change-Id: Ib7ba3477fbc03ebf07b886c60bcf4a64b954934a
(cherry picked from commit cc9b30a1cd)
This reverts commit 016f0a58a9.
Reason for revert: Was temporarily reverted, merging back in with fix.
Test: Basic telephony sanity, treehugger
Bug: 74486619
Bug: 36427227
Merged-in: Ide68726a90d5485c2758673079427407aee1e4f2
Change-Id: Ide68726a90d5485c2758673079427407aee1e4f2
(cherry picked from commit 312248ff72)
This reverts commit aed57d4e4d.
Reason for revert: This CL is expected to break pre-submit tests (b/74486619)
Merged-in: I103c3faa1604fddc27b3b4602b587f2d733827b1
Change-Id: I0eb7a744e0d43ab15fc490e7e7c870d0f44e1401
This reverts commit 016f0a58a9.
Reason for revert: Was temporarily reverted, merging back in with fix.
Bug: 74486619
Bug: 36427227
Change-Id: Ide68726a90d5485c2758673079427407aee1e4f2
Also change the neverallow exceptions to be for hal_telephony_server
instead of rild.
Test: Basic telephony sanity, treehugger
Bug: 36427227
Merged-in: If892b28416d98ca1f9c241c5fcec70fbae35c82e
Change-Id: If892b28416d98ca1f9c241c5fcec70fbae35c82e
Also change the neverallow exceptions to be for hal_telephony_server
instead of rild.
Test: Basic telephony sanity, treehugger
Bug: 36427227
Change-Id: If892b28416d98ca1f9c241c5fcec70fbae35c82e
This commit adds new SELinux permissions and neverallow rules so that
taking a bugreport does not produce any denials.
Bug: 73256908
Test: Captured bugreports on Sailfish and Walleye and verified
that there were no denials.
Merged-In: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9
Change-Id: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9
(cherry picked from commit daf1cdfa5a)
This commit adds new SELinux permissions and neverallow rules so that
taking a bugreport does not produce any denials.
Bug: 73256908
Test: Captured bugreports on Sailfish and Walleye and verified
that there were no denials.
Merged-In: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9
Change-Id: I10882e7adda0bb51bf373e0e62fda0acc8ad34eb
These denials seem to be caused by a race with the process that labels
the files. While we work on fixing them, hide the denials.
Bug: 68864350
Bug: 70180742
Test: Built policy.
Change-Id: I58a32e38e6384ca55e865e9575dcfe7c46b2ed3c
This is needed to allow it to log audit events, e.g. cert
validation failure.
Bug: 70886042
Test: manual, attempt connecting to EAP-TLS wifi with bad cert.
Merged-In: Ia1b0f3c6e02697fdb5018082d5c851f116013fb1
Change-Id: Ia1b0f3c6e02697fdb5018082d5c851f116013fb1
This is needed to allow it to log audit events, e.g. cert
validation failure.
Bug: 70886042
Test: manual, attempt connecting to EAP-TLS wifi with bad cert.
Change-Id: Ia1b0f3c6e02697fdb5018082d5c851f116013fb1
Remove bugs that have been fixed, re-map duped bugs, and alphabetize
the list.
Test: Booted Walleye and Sailfish, tested wifi and camera, and
observed no new denials.
Change-Id: I94627d532ea13f623fe29cf259dd404bfd850c13
Data outside /data/vendor must have the core_data_file_type
attribute.
Test: build (this is a build time test)
Bug: 34980020
Change-Id: Ia727fcad813d5fcfbe8f714246364bae0bda43bd
Merged-In: Ibacfcc938deab40096b54b8d0e608d53ca91b947
Bug: 64131518
Test: Compile and flash the device, check whether service vendor.radio-config-hal-1-0 starts
Change-Id: Id728658b4acdda87748259b74e6b7438f6283ea5
Treble compliance.
Bug: 70228425
Bug: 70393317
Test: complete wifi test in b/70393317
Test: Test wifi on Taimen and Sailfish
Test: verify sockets exist in /data/vendor/wifi/wpa/sockets
Change-Id: I217c0eda0e5af50bb603cfcc35d60bf0d9cad72e
Sharing data folders by path will be disallowed because it violates
the approved API between platform and vendor components tested by
VTS. Move all violating permissions from core selinux policy to
device specific policy so that we can exempt existing devices from
the ban and enforce it on new devices.
Bug: 34980020
Test: Move permissions. Build and test wifi, wifi AP, nfc, fingerprint
and Play movies on Marlin and Taimen.
Test: build on Angler, Bullhead, Dragon, Fugu, Marlin, Walleye
(cherry picked from commit ba2130a882)
Change-Id: Iaedbbe31237822cf3348209028bba45ad85465f8
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.
This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.
This is essentially:
1. New global_capability_class_set and global_capability2_class_set
that match capability+cap_userns and capability2+cap2_userns,
respectively.
2. s/self:capability/self:global_capability_class_set/g
3. s/self:capability2/self:global_capability2_class_set/g
4. Add cap_userns and cap2_userns to the existing capability_class_set
so that it covers all capabilities. This set was used by several
neverallow and dontaudit rules, and I confirmed that the new
classes are still appropriate.
Test: diff new policy against old and confirm that all new rules add
only cap_userns or cap2_userns;
Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831
Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
Sharing data folders by path will be disallowed because it violates
the approved API between platform and vendor components tested by
VTS. Move all violating permissions from core selinux policy to
device specific policy so that we can exempt existing devices from
the ban and enforce it on new devices.
Bug: 34980020
Test: Move permissions. Build and test wifi, wifi AP, nfc, fingerprint
and Play movies on Marlin and Taimen.
Test: build on Angler, Bullhead, Dragon, Fugu, Marlin, Walleye
Change-Id: Ifcb51a9c479955f4771586b61bccb705c552e4db
Sharing data folders by path will be disallowed because it violates
the approved API between platform and vendor components tested by
VTS. Move all violating permissions from core selinux policy to
device specific policy so that we can exempt existing devices from
the ban and enforce it on new devices.
Bug: 34980020
Test: Move permissions. Build and test wifi, wifi AP, nfc, fingerprint
and Play movies on Marlin and Taimen.
Test: build on Angler, Bullhead, Dragon, Fugu, Marlin, Walleye
Change-Id: Ib6fc9cf1403e74058aaae5a7b0784922f3172b4e
Only getattr and read are necessary for lnk_file. Open violates a new
neverallow for separating system and vendor data.
Bug: 34980020
Test: Enroll fingerprint on Taimen
Change-Id: I9434afbd5b4ecc1ead9f0ba47c7582fb5a6c6bf0
Added permission related to use of wake lock. Wakelock in sensor
HAL is used to gurantee delivery of wake up sensor events before
system go back to sleep.
Bug: 63995095
Test: QCOM and nanohub sensor hal are able to acquire wakelock
successfuly.
Change-Id: Id4ac3552e18a1cad252017e3dc9ab3d4be8d4ab9
Allow sensor hal to sue gralloc handle and access ion device
so that sensor direct report feature can function correctly when
HardwareBuffer shared memory is used.
Test: SensorDirectReportTest passes without setenforce 0
Change-Id: I2068f6f4a8ac15da40126892e1326e0b90a6576f
Merged-In: I2068f6f4a8ac15da40126892e1326e0b90a6576f
This reverts commit 57e9946fb7.
Bug: 62616897
Test: choosecombo 1 aosp_arm64_ab userdebug; m -j 80 The build should
not break.
Signed-off-by: Sandeep Patil <sspatil@google.com>
modprobe domain was allowed to launch vendor toolbox even if its a
coredomain. That violates the treble separation. Fix that by creating a
separate 'vendor_modprobe' domain that init is allowed to transition to
through vendor_toolbox.
Bug: 37008075
Test: Build and boot sailfish
Change-Id: Ic3331797691bb5d1fdc05a674aa4aa313e1f86b2
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 9e366a0e49)
modprobe domain was allowed to launch vendor toolbox even if its a
coredomain. That violates the treble separation. Fix that by creating a
separate 'vendor_modprobe' domain that init is allowed to transition to
through vendor_toolbox.
Bug: 37008075
Test: Build and boot sailfish
Change-Id: Ic3331797691bb5d1fdc05a674aa4aa313e1f86b2
Signed-off-by: Sandeep Patil <sspatil@google.com>
Update SE Policy to allow calls to and callbacks from Wifi Offload HAL
HIDL binderized service.
Combined cherry pick from d56aa1982d15acfc2408271138dac43f1e5dc987
and 66e27bf502
Bug: 32842314
Test: Unit tests, Mannual test to ensure Wifi can be brought up and
connected to an AP, ensure that Offload HAL service is running and that
that wificond can get the service handle by calling hwservicemanager.
Change-Id: I0fc51a4152f1891c8d88967e75d45ded115e766e
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.
Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
permissions.
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
Added rule:
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]-service
u:object_r:hal_configstore_default_exec:s0
Bug: 37727469
Test: Built and tested on Sailfish
Change-Id: Icf167fad1c7e601c3662f527d1e3e844ff517b58
Allow sensor hal to sue gralloc handle and access ion device
so that sensor direct report feature can function correctly when
HardwareBuffer shared memory is used.
Test: SensorDirectReportTest passes without setenforce 0
Change-Id: I2068f6f4a8ac15da40126892e1326e0b90a6576f
Adding the default label/mapping is important because:
1. Lookups of services without an selinux label should generate
a denial.
2. In permissive mode, lookups of a service without a label should be
be allowed, without the default label service manager disallows
access.
3. We can neverallow use of the default label.
Bug: 37762790
Test: Build and flash policy onto Marlin with unlabeled vendor services.
Add/find of unlabeled vendor services generate a denial.
Change-Id: I66531deedc3f9b79616f5d0681c87ed66aca5b80
(cherry picked from commit 639a2b842c)
Adding the default label/mapping is important because:
1. Lookups of services without an selinux label should generate
a denial.
2. In permissive mode, lookups of a service without a label should be
be allowed, without the default label service manager disallows
access.
3. We can neverallow use of the default label.
Bug: 37762790
Test: Build and flash policy onto Marlin with unlabeled vendor services.
Add/find of unlabeled vendor services generate a denial.
Change-Id: I66531deedc3f9b79616f5d0681c87ed66aca5b80
