08f92f9c01fc5b86d620024573c46ff9e6ec173b |
|
23-Aug-2017 |
Chenbo Feng <fengc@google.com> |
sepolicy: New sepolicy classes and rules about bpf object Add the new classes for eBPF map and program to limit the access to eBPF object. Add corresponding rules to allow netd module initialize bpf programs and maps, use the program and read/wirte to eBPF maps. Test: no bpf sepolicy violations when device boot Change-Id: I63c35cd60f1972d4fb36ef2408da8d5f2246f7fd
/system/sepolicy/private/access_vectors
|
9fbc408f93e9070686cca71402e99c35745eb675 |
|
13-Jul-2017 |
Stephen Smalley <sds@tycho.nsa.gov> |
sepolicy: Define validate_trans permission am: 509923116f Change-Id: Ia24ef33e8cdbee7c3336fda2a5c0ec0e4ca751f0
|
90f46dd922baee16678bcdee34d11d898d2a759e |
|
13-Jul-2017 |
Stephen Smalley <sds@tycho.nsa.gov> |
Merge "sepolicy: Define and allow map permission" am: 770214abda Change-Id: I253dad49662831625a17162b18f013e0b4a87af4
|
509923116f103c8938efe992ab4b4b42fe4c90aa |
|
10-Jul-2017 |
Stephen Smalley <sds@tycho.nsa.gov> |
sepolicy: Define validate_trans permission Kernel commit f9df6458218f4fe ("selinux: export validatetrans decisions") introduced a /sys/fs/selinux/validatetrans pseudo file for use by userspace file system servers and defined a new validatetrans permission to control its use. Define the new permission in the Android SELinux policy. This change only defines the new permission; it does not allow it to any domains by default. This avoids a kernel message warning about the undefined permission on the policy load, ala: SELinux: Permission validate_trans in class security not defined in policy. Test: Policy builds Change-Id: Ib922a83b7d8f94905207663a72f7a1bc3db8d2c2 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/private/access_vectors
|
4397f08288890ef397697b4d6dbff596bdca14c8 |
|
10-Jul-2017 |
Stephen Smalley <sds@tycho.nsa.gov> |
sepolicy: Define and allow map permission Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). The kernel commit is anticipated to be included in Linux 4.13. This change defines map permission for the Android policy. It mirrors the definition in the kernel classmap by adding it to the common definitions for files and sockets. This will break compatibility for kernels that predate the dynamic class/perm mapping support (< 2.6.33); on such kernels, one would instead need to add map permission to the end of each file and socket access vector. This change also adds map permission to the global macro definitions for file permissions, thereby allowing it in any allow rule that uses these macros, and to specific rules allowing mapping of files from /system and executable types. This should cover most cases where it is needed, although it may still need to be added to specific allow rules when the global macros are not used. Test: Policy builds Change-Id: Iab3ccd2b6587618e68ecab58218838749fe5e7f5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/private/access_vectors
|
52909aca4422c2759d8e498e61df9c96a4584aad |
|
27-Jun-2017 |
Stephen Smalley <sds@tycho.nsa.gov> |
Define smc_socket security class. am: 2be9799bcc Change-Id: If42bc0d3fc50db8294c8a9fd083d915b8e47a95e
|
a77096b02af4f72311a013afafc69c0a55c5ab47 |
|
27-Jun-2017 |
Stephen Smalley <sds@tycho.nsa.gov> |
Merge "Define getrlimit permission for class process" am: e02e0ad1cc Change-Id: I67eea67d667005d5ac357e1131a319ed57b33894
|
2be9799bcc21863de48925b1eff55185be168696 |
|
17-May-2017 |
Stephen Smalley <sds@tycho.nsa.gov> |
Define smc_socket security class. Linux kernel commit da69a5306ab9 ("selinux: support distinctions among all network address families") triggers a build error if a new address family is added without defining a corresponding SELinux security class. As a result, the smc_socket class was added to the kernel to resolve a build failure as part of merge commit 3051bf36c25d that introduced AF_SMC circa Linux 4.11. Define this security class and its access vector, add it to the socket_class_set macro, and exclude it from webview_zygote like other socket classes. Test: Policy builds Change-Id: Idbb8139bb09c6d1c47f1a76bd10f4ce1e9d939cb Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/private/access_vectors
|
91a3eeac8fac333af4997f9fe5e5c7f454c7f336 |
|
17-May-2017 |
Stephen Smalley <sds@tycho.nsa.gov> |
Define getrlimit permission for class process This permission was added to the kernel in commit 791ec491c372 ("prlimit,security,selinux: add a security hook for prlimit") circa Linux 4.12 in order to control the ability to get the resource limits of another process. It is only checked when acting on another process, so it is not required for getrlimit(2), only for prlimit(2) on another process. Test: Policy builds Change-Id: Ic0079a341e959f1c5a3d045974df4b756fd4ab67 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/private/access_vectors
|
2f1c7ba75e823b1cdcd6115c5504dcad6c2eab0f |
|
14-Apr-2017 |
Dan Cashman <dcashman@google.com> |
Remove vndservice_manager object classes. vndservicemanager is a copy of servicemanager, and so has the exact same properties. This should be reflected in the sharing of an object manager in SELinux policy, rather than creating a second one, which is effectively an attempt at namespacing based on object rather than type labels. hwservicemanager, however, provides different and additional functionality that may be reflected in changed permissions, though they currently map to the existing servicemanager permissions. Keep the new hwservice_manager object manager but remove the vndservice_manager one. Bug: 34454312 Bug: 36052864 Test: policy builds and device boots. Change-Id: I9e0c2757be4026101e32ba780f1fa67130cfa14e
/system/sepolicy/private/access_vectors
|
a0c7f01299c41157d123da0792fbf9ce2a26f9d3 |
|
11-Apr-2017 |
Shawn Willden <swillden@google.com> |
Add keystore_key:attest_unique_id to priv_app. Only privileged apps are supposed to be able to get unique IDs from attestation. Test: CTS test verifies the negative condition, manual the positive Bug: 34671471 Change-Id: I9ab3f71b1e11ed1d7866ff933feece73152d2578
/system/sepolicy/private/access_vectors
|
bc6d88d2da12aa9cf43442d928f296c573a345b3 |
|
06-Apr-2017 |
Martijn Coenen <maco@google.com> |
Add new classes and types for (hw|vnd)servicemanager. Bug: 34454312 Bug: 36052864 Test: device boots, works Change-Id: If61d9b736a74c5944cef4449de4dfbaf78d9ccfa
/system/sepolicy/private/access_vectors
|
4921085d9c7a188596914de415b3d2346ac44fda |
|
06-Feb-2017 |
Stephen Smalley <sds@tycho.nsa.gov> |
Remove obsolete netlink_firewall_socket and netlink_ip6fw_socket classes. The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols was removed from the kernel in commit d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue support") circa Linux 3.5. Unless we need to retain compatibility for kernels < 3.5, we can drop these classes from the policy altogether. Possibly the neverallow rule in app.te should be augmented to include the newer netlink security classes, similar to webview_zygote, but that can be a separate change. Test: policy builds Change-Id: Iab9389eb59c96772e5fa87c71d0afc86fe99bb6b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/private/access_vectors
|
431bdd9f2f344ecde4cd3fe0109bd70eab0a394c |
|
08-Dec-2016 |
Stephen Smalley <sds@tycho.nsa.gov> |
Define extended_socket_class policy capability and socket classes Add a definition for the extended_socket_class policy capability used to enable the use of separate socket security classes for all network address families rather than the generic socket class. The capability also enables the use of separate security classes for ICMP and SCTP sockets, which were previously mapped to rawip_socket class. Add definitions for the new socket classes and access vectors enabled by this capability. Add the new socket classes to the socket_class_set macro, and exclude them from webview_zygote domain as with other socket classes. Allowing access by specific domains to the new socket security classes is left to future commits. Domains previously allowed permissions to the 'socket' class will require permission to the more specific socket class when running on kernels with this support. The kernel support will be included upstream in Linux 4.11. The relevant kernel commits are da69a5306ab92e07224da54aafee8b1dccf024f6 ("selinux: support distinctions among all network address families"), ef37979a2cfa3905adbf0c2a681ce16c0aaea92d ("selinux: handle ICMPv6 consistently with ICMP"), and b4ba35c75a0671a06b978b6386b54148efddf39f ("selinux: drop unused socket security classes"). This change requires selinux userspace commit d479baa82d67c9ac56c1a6fa041abfb9168aa4b3 ("libsepol: Define extended_socket_class policy capability") in order to build the policy with this capability enabled. This commit is already in AOSP master. Test: policy builds Change-Id: I788b4be9f0ec0bf2356c0bbef101cd42a1af49bb Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/private/access_vectors
|
8a003607064804307201d0738e1e284442f9826b |
|
27-Apr-2016 |
Stephen Smalley <sds@tycho.nsa.gov> |
Define the user namespace capability classes and access vectors. Kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f (selinux: distinguish non-init user namespace capability checks) introduced support for distinguishing capability checks against a target associated with the init user namespace versus capability checks against a target associated with a non-init user namespace by defining and using separate security classes for the latter. This support is needed on Linux to support e.g. Chrome usage of user namespaces for the Chrome sandbox without needing to allow Chrome to also exercise capabilities on targets in the init user namespace. Define the new security classes and access vectors for the Android policy. Refactor the original capability and capability2 access vector definitions as common declarations to allow reuse by the new cap_userns and cap2_userns classes. This change does not allow use of the new classes by any domain; that is deferred to future changes as needed if/when Android enables user namespaces and the Android version of Chrome starts using them. The kernel support went upstream in Linux 4.7. Based on the corresponding refpolicy patch by Chris PeBenito, but reworked for the Android policy. Test: policy builds Change-Id: I71103d39e93ee0e8c24816fca762944d047c2235 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/private/access_vectors
|
cb3eb4eef9733bbde2951a2a774392d0c8acc9fe |
|
19-Oct-2016 |
Josh Gao <jmgao@google.com> |
Introduce crash_dump debugging helper. Replace the global debuggerd with a per-process debugging helper that gets exec'ed by the process that crashed. Bug: http://b/30705528 Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>` Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed
/system/sepolicy/private/access_vectors
|
11dc03e5a2c65c4f3ca9a5b6fd0eb688447433bd |
|
21-Nov-2016 |
Nick Kralevich <nnk@google.com> |
access_vectors: Remove unused permission definitions Description stolen from https://github.com/torvalds/linux/commit/42a9699a9fa179c0054ea3cf5ad3cc67104a6162 Remove unused permission definitions from SELinux. Many of these were only ever used in pre-mainline versions of SELinux, prior to Linux 2.6.0. Some of them were used in the legacy network or compat_net=1 checks that were disabled by default in Linux 2.6.18 and fully removed in Linux 2.6.30. Permissions never used in mainline Linux: file swapon filesystem transition tcp_socket { connectto newconn acceptfrom } node enforce_dest unix_stream_socket { newconn acceptfrom } Legacy network checks, removed in 2.6.30: socket { recv_msg send_msg } node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send } netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send } Test: policy compiles and no boot errors (marlin) Change-Id: Idaef2567666f80db39c3e3cee70e760e1dac73ec
/system/sepolicy/private/access_vectors
|
cc39f637734a8d84bc861b649bfd109290c06401 |
|
22-Jul-2016 |
dcashman <dcashman@google.com> |
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
/system/sepolicy/private/access_vectors
|