This leaves only the existence of binderservicedomain attribute as
public API. All other rules are implementation details of this
attribute's policy and are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with *_current targets
referenced in binderservicedomain.te.
Bug: 31364497
Change-Id: Ic830bcc5ffb6d624e0b3aec831071061cccc513c
This leaves only the existence of blkid and blkid_untrusted domains as
public API. All other rules are implementation details of these
domains' policy and are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with blkid_current and
blkid_untrusted_current (as expected).
Bug: 31364497
Change-Id: I0dda2feeb64608b204006eecd8a7c9b9c7bb2b81
This leaves only the existence of system_server domain as public API.
All other rules are implementation details of this domain's policy
and are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with
system_server_current except those created by other domains'
allow rules referencing system_server domain from public and
vendor policies.
Bug: 31364497
Change-Id: Ifd76fa83c046b9327883eb6f0bbcd2113f2dd1a4
atrace and its atrace_exec now exist only in private policy.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with atrace_current
which is expected now that atrace cannot be referenced from
public or vendor policy.
Bug: 31364497
Change-Id: Ib726bcf73073083420c7c065cbd39dcddd7cabe3
This leaves only the existence of audioserver domain as public API.
All other rules are implementation details of this domain's policy
and are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with audioserver_current
except those created by other domains' allow rules referencing
audioserver domain from public and vendor policies.
Bug: 31364497
Change-Id: I6662394d8318781de6e3b0c125435b66581363af
This leaves only the existence of surfaceflinger domain as public API.
All other rules are implementation details of this domain's policy
and are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with
surfaceflinger_current except those created by other domains'
allow rules referencing surfaceflinger domain from public and
vendor policies.
Bug: 31364497
Change-Id: I177751afad82ec27a5b6d2440cf0672cb5b9dfb8
This leaves only the existence of adbd domain as public API. All other
rules are implementation details of this domain's policy and are thus
now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with adbd_current except
those created by other domains' allow rules referencing adbd
domain from public and vendor policies.
Bug: 31364497
Change-Id: Icdce8b89f67c70c6c4c116471aaa412e55028cd8
This leaves only the existence of bluetoothdomain attribute as public
API. All other rules are implementation details of this attribute's
policy and are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow bluetoothdomain bluetooth_current
rule (as expected).
Bug: 31364497
Change-Id: I0edfc30d98e1cd9fb4f41a2900954d9cdbb4db14
This leaves only the existence of bluetooth domain as public API.
All other rules are implementation details of this domain's policy
and are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with bluetooth_current
except those created by other domains' allow rules referencing
bluetooth domain from public and vendor policy.
Bug: 31364497
Change-Id: I3521b74a1a9f6c5a5766b358e944dc5444e3c536
This leaves only the existence of mdnsd domain as public API. All
other rules are implementation details of this domains's policy and
are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with mdnsd_current (as
expected).
Bug: 31364497
Change-Id: Ia4f01d91e7d593401e8cde2d796a0f1023f6dae4
This leaves only the existence of netdomain attribute as public API.
All other rules are implementation details of this attribute's policy
and are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with netdomain_current
and *_current attributes targeted when netdomain rules reference
public types.
Bug: 31364497
Change-Id: I102e649374681ce1dd9e1e5ccbaaa5cb754e00a0
The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols
was removed from the kernel in commit
d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue
support") circa Linux 3.5. Unless we need to retain compatibility
for kernels < 3.5, we can drop these classes from the policy altogether.
Possibly the neverallow rule in app.te should be augmented to include
the newer netlink security classes, similar to webview_zygote, but
that can be a separate change.
Test: policy builds
Change-Id: Iab9389eb59c96772e5fa87c71d0afc86fe99bb6b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Add a definition for the extended_socket_class policy capability used
to enable the use of separate socket security classes for all network
address families rather than the generic socket class. The capability
also enables the use of separate security classes for ICMP and SCTP
sockets, which were previously mapped to rawip_socket class. Add
definitions for the new socket classes and access vectors enabled by
this capability. Add the new socket classes to the socket_class_set
macro, and exclude them from webview_zygote domain as with other socket
classes.
Allowing access by specific domains to the new socket security
classes is left to future commits. Domains previously allowed
permissions to the 'socket' class will require permission to the
more specific socket class when running on kernels with this support.
The kernel support will be included upstream in Linux 4.11. The
relevant kernel commits are da69a5306ab92e07224da54aafee8b1dccf024f6
("selinux: support distinctions among all network address families"),
ef37979a2cfa3905adbf0c2a681ce16c0aaea92d ("selinux: handle ICMPv6
consistently with ICMP"), and b4ba35c75a0671a06b978b6386b54148efddf39f
("selinux: drop unused socket security classes").
This change requires selinux userspace commit
d479baa82d67c9ac56c1a6fa041abfb9168aa4b3 ("libsepol: Define
extended_socket_class policy capability") in order to build the
policy with this capability enabled. This commit is already in
AOSP master.
Test: policy builds
Change-Id: I788b4be9f0ec0bf2356c0bbef101cd42a1af49bb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f
(selinux: distinguish non-init user namespace capability checks)
introduced support for distinguishing capability
checks against a target associated with the init user namespace
versus capability checks against a target associated with a non-init
user namespace by defining and using separate security classes for the
latter. This support is needed on Linux to support e.g. Chrome usage of
user namespaces for the Chrome sandbox without needing to allow Chrome to
also exercise capabilities on targets in the init user namespace.
Define the new security classes and access vectors for the Android policy.
Refactor the original capability and capability2 access vector definitions
as common declarations to allow reuse by the new cap_userns and cap2_userns
classes.
This change does not allow use of the new classes by any domain; that
is deferred to future changes as needed if/when Android enables user
namespaces and the Android version of Chrome starts using them.
The kernel support went upstream in Linux 4.7.
Based on the corresponding refpolicy patch by Chris PeBenito, but
reworked for the Android policy.
Test: policy builds
Change-Id: I71103d39e93ee0e8c24816fca762944d047c2235
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The neverallows in untrusted_app will all apply equally to ephemeral app
and any other untrusted app domains we may add, so this moves them to a
dedicated separate file.
This also removes the duplicate rules from isolated_app.te and ensures
that all the untrusted_app neverallows also apply to isolated_app.
Test: builds
Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
The rules for the two types were the same and /data/app-ephemeral is
being removed. Remove these types.
Test: Builds
Change-Id: I520c026395551ad1362dd2ced53c601d9e6f9b28
This change adds selinux policy for configstore@1.0 hal. Currently, only
surfaceflinger has access to the HAL, but need to be widen.
Bug: 34314793
Test: build & run
Merged-In: I40e65032e9898ab5f412bfdb7745b43136d8e964
Change-Id: I40e65032e9898ab5f412bfdb7745b43136d8e964
(cherry picked from commit 5ff0f178ba)
Required for I0aeb653afd65e4adead13ea9c7248ec20971b04a
Test: Together with I0aeb653afd65e4adead13ea9c7248ec20971b04a, ensure that the
system service works
Bug: b/30932767
Change-Id: I994b1c74763c073e95d84222e29bfff5483c6a07
Since it was introduced it caused quite a few issues and it spams the
SElinux logs unnecessary.
The end goal of the audit was to whitelist the access to the
interpreter. However that's unfeasible for now given the complexity.
Test: devices boots and everything works as expected
no more auditallow logs
Bug: 29795519
Bug: 32871170
Change-Id: I9a7a65835e1e1d3f81be635bed2a3acf75a264f6
The event log tag service uses /dev/event-log-tags, pstore and
/data/misc/logd/event-log-tags as sticky storage for the invented
log tags.
Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests
Bug: 31456426
Change-Id: Iacc8f36f4a716d4da8dca78a4a54600ad2a288dd
Create an event_log_tags_file label and use it for
/dev/event-log-tags. Only trusted system log readers are allowed
direct read access to this file, no write access. Untrusted domain
requests lack direct access, and are thus checked for credentials via
the "plan b" long path socket to the event log tag service.
Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests
Bug: 31456426
Bug: 30566487
Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
Bug: 33746484
Test: Successfully boot with original service and property contexts.
Successfully boot with split serivce and property contexts.
Change-Id: I87f95292b5860283efb2081b2223e607a52fed04
Signed-off-by: Sandeep Patil <sspatil@google.com>
This adds the premissions required for
android.hardware.keymaster@2.0-service to access the keymaster TA
as well as for keystore and vold to lookup and use
android.hardware.keymaster@2.0-service.
IT DOES NOT remove the privileges from keystore and vold to access
the keymaster TA directly.
Test: Run keystore CTS tests
Bug: 32020919
(cherry picked from commit 5090d6f324)
Change-Id: Ib02682da26e2dbcabd81bc23169f9bd0e832eb19
This leaves only the existence of webview_zygote domain and its
executable's webview_zygote_exec file label as public API. All other
rules are implementation details of this domain's policy and are thus
now private.
Test: Device boots, with Multiproces WebView developer setting
enabled, apps with WebView work fine. No new denials.
Bug: 31364497
Change-Id: I179476c43a50863ee3b327fc5155847d992a040d
Bug: 31015010
cherry-pick from b6e4d4bdf1
Test: checked for selinux denial msgs in the dmesg logs.
Change-Id: I8285ea05162ea0d75459e873e5c2bad2dbc7e5ba
This leaves only the existence of zygote domain and its
executable's zygote_exec file label as public API. All other rules are
implementation details of this domain's policy and are thus now
private.
Test: Device boot, apps (untrusted_app, system_app, platform_app,
priv_app) work fine. No new denials.
Bug: 31364497
Change-Id: Ie37128531be841b89ecd602992d83d77e26533bc
This leaves only the existence of appdomain attribute as public API.
All other rules are implementation details of this attribute's policy
and are thus now private.
Test: Device boot, apps (untrusted_app, system_app, platform_app,
priv_app) work fine. No new denials.
Bug: 31364497
Change-Id: Ie22e35bad3307bb9918318c3d034f1433d51677f
- Added set_prop to shell so that you can set it from shell.
- Added set_prop to sytem_app so that it can be updated in settings.
Bug: 34256441
Test: can update prop from Settings and shell. nfc and lights work with
ag/1833821 with persist.hal.binderization set to on and off. There are
no additional selinux denials.
Change-Id: I883ca489093c1d56b2efa725c58e6e3f3b81c3aa
Introduce the add_service() macro which wraps up add/find
permissions for the source domain with a neverallow preventing
others from adding it. Only a particular domain should
add a particular service.
Use the add_service() macro to automatically add a neverallow
that prevents other domains from adding the service.
mediadrmserver was adding services labeled mediaserver_service.
Drop the add permission as it should just need the find
permission.
Additionally, the macro adds the { add find } permission which
causes some existing neverallow's to assert. Adjust those
neverallow's so "self" can always find.
Test: compile and run on hikey and emulator. No new denials were
found, and all services, where applicable, seem to be running OK.
Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
reflect the change from "mediaanalytics" to "mediametrics"
Also incorporates a broader access to the service -- e.g. anyone.
This reflects that a number of metrics submissions come from application
space and not only from our controlled, trusted media related processes.
The metrics service (in another commit) checks on the source of any
incoming metrics data and limits what is allowed from unprivileged
clients.
Bug: 34615027
Test: clean build, service running and accessible
Change-Id: I657c343ea1faed536c3ee1940f1e7a178e813a42
