f2afca7cf05bcfe0547817069f33f8fed6e9e6c7 |
|
06-Jun-2018 |
Joel Galenson <jgalenson@google.com> |
Allow ephemeral_app to execute system_file. Bug: 109653662 Test: Build policy. Change-Id: I6c71a8bc24d7a144b801d16f1bcad31fb8f2aba5
/system/sepolicy/public/app.te
|
069f3cff5044a33a9ed0e6bea9b1c254f2ea9050 |
|
05-Jun-2018 |
Jeff Vander Stoep <jeffv@google.com> |
ephemeral_app: disallow access to qtaguid files Apps targeting API version 28+ are not allowed to access: /proc/xt_qtaguid/* /dev/xt_qtaguid Instant apps should also be excluded from access. Fixes: 92796393 Test: make -j cts_instant cts-instant-tradefed run commandAndExit cts-instant-dev \ -m CtsPermissionTestCases \ --test android.permission.cts.FileSystemPermissionTest Change-Id: Ifa27f6a3fad9227d4df1bf50a5120a4c36422ff7 Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
/system/sepolicy/public/app.te
|
b469c30069afd96df54e3fa18940fcfdfd9737a1 |
|
30-Mar-2018 |
Jeff Sharkey <jsharkey@android.com> |
Add exFAT support; unify behind "sdcard_type". We're adding support for OEMs to ship exFAT, which behaves identically to vfat. Some rules have been manually enumerating labels related to these "public" volumes, so unify them all behind "sdcard_type". Test: atest Bug: 67822822 Change-Id: I09157fd1fc666ec5d98082c6e2cefce7c8d3ae56
/system/sepolicy/public/app.te
|
a11b16c9eed8703aad53cd5b79b0f3f85a31d68d |
|
08-Apr-2018 |
Jaekyun Seok <jaekyun@google.com> |
Whitelist vendor-init-settable bluetooth_prop and wifi_prop Values of the following properties are set by SoC vendors on some devices including Pixels. - persist.bluetooth.a2dp_offload.cap - persist.bluetooth.a2dp_offload.enable - persist.vendor.bluetooth.a2dp_offload.enable - ro.bt.bdaddr_path - wlan.driver.status So they should be whitelisted for compatibility. Bug: 77633703 Test: succeeded building and tested with Pixels Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5 Merged-In: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5 (cherry picked from commit 224921d18a8aa83123adfbdef8e9c352795e2b6b)
/system/sepolicy/public/app.te
|
0fa3d2766f4d9d84dd01d2e2d75d366734cfcc5f |
|
13-Mar-2018 |
Kweku Adams <kwekua@google.com> |
Allowing incidentd to get stack traces from processes. Bug: 72177715 Test: flash device and check incident output Change-Id: I16c172caec235d985a6767642134fbd5e5c23912 (cherry picked from commit 985db6d8dd2a2168a1e9ee741d89e03a0e3a76b9)
/system/sepolicy/public/app.te
|
4be28894772bccf5604fd36a75d07bb64e826c88 |
|
29-Mar-2018 |
Pawin Vongmasa <pawin@google.com> |
Put in sepolicies for Codec2.0 services Test: Builds Bug: 64121714 Bug: 31973802 Change-Id: Id37be8726a8bb297e35bca494964fdbcc48c6a73
/system/sepolicy/public/app.te
|
5ec8f8432be8072711b388eb0e6696945c04950f |
|
08-Feb-2018 |
Chenbo Feng <fengc@google.com> |
Block SDK 28 app from using proc/net/xt_qtaguid The file under /proc/net/xt_qtaguid is going away in future release. Apps should use the provided public api instead of directly reading the proc file. This change will block apps that are based on SDK 28 or above from directly reading that file, and we will delete that file after apps move away from it. Test: Flashed with master branch on marlin, verified phone boot, can browse web, watch youtube video, make phone call and use google map for navigation with wifi on and off. run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest run cts -m CtsAppSecurityHostTestCases -t \ android.appsecurity.cts.AppSecurityTests Change-Id: I4c4d6c9ab28b426acef23db53f171de8f20be1dc
/system/sepolicy/public/app.te
|
8f568afad771b38fb5eb5e92801059f38ac9bc32 |
|
06-Feb-2018 |
Chenbo Feng <fengc@google.com> |
Revert "Remove app access to qtaguid ctrl/stats file" This reverts commit fad0b04de1f131aa64c6efa1314b3eb69f0bb9e9. Reason for revert: This change crashed facebook App on dogfood build. Bug: 72977484 Change-Id: I4f35b00c11afbd4914f572d3cc0378d740403ed2
/system/sepolicy/public/app.te
|
fad0b04de1f131aa64c6efa1314b3eb69f0bb9e9 |
|
26-Jan-2018 |
Chenbo Feng <fengc@google.com> |
Remove app access to qtaguid ctrl/stats file Remove the untrusted apps and privileged apps from the group that can directly access xt_qtaguid module related file. All apps that need to access app network usage data need to use the public API provided in framework. Test: Flashed with master branch on marlin, verified phone boot, can browse web, watch youtube video, make phone call and use google map for navigation with wifi either on or off. run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest run cts -m CtsNativeNetTestCases Bug: 68774956 30950746 Change-Id: I9b3db819d6622611d5b512ef821abb4c28d6c9eb
/system/sepolicy/public/app.te
|
dfe063c37dec77f158da06eb21ade5c490949486 |
|
19-Jan-2018 |
Marissa Wall <marissaw@google.com> |
sepolicy: restrict access to uid_cpupower files Do not let apps read /proc/uid_cpupower/time_in_state, /proc/uid_cpupower/concurrent_active_time, /proc/uid_cpupower/concurrent_policy_time. b/71718257 Test: Check that they can't be read from the shell without root permissions and system_server was able to read them Change-Id: I812694adfbb4630f7b56aa7096dc2e6dfb148b15
/system/sepolicy/public/app.te
|
43303c8b89ac7792bfc90be4fa4aa338ea9d3be4 |
|
02-Jan-2018 |
Jeff Vander Stoep <jeffv@google.com> |
relabel files in /proc/net/xt_qtaguid/ /proc/net/xt_qtaguid is used by apps to track their network data use. Limit access to just zygote spawned processes - apps and system_server, omitting access to isolated_app which is not allowed to create network sockets. As Android moves to eBPF for app's network data stats, access to /proc/net/xt_qtaguid will be removed entirely. Segmenting access off is the first step. Bug: 68774956 This change also helps further segment and whitelist access to files in /proc/net and is a step in the lockdown of /proc/net. Bug: 9496886 Test: boot Taimen. Walk through setup-wizard. Make phone call and video call. Browse web. Watch youtube. Navigate in maps. Test: cts-tradefed run cts -m CtsAppSecurityHostTestCases -t \ android.appsecurity.cts.AppSecurityTests Test: cts-tradefed run cts -m CtsNativeNetTestCases Test: cts-tradefed run cts -m CtsIncidentHostTestCases -t \ com.android.server.cts.NetstatsIncidentTest Test: cts-tradefed run cts -m CtsOsTestCases -t \ android.os.cts.StrictModeTest Test: cts-tradefed run cts -m CtsNetTestCases -t \ android.net.cts.TrafficStatsTest Test: cts-tradefed run cts -m CtsUsageStatsTestCases -t \ android.app.usage.cts.NetworkUsageStatsTest Test: vts-tradefed run vts -m VtsQtaguidTest Change-Id: Idddd318c56b84564142d37b11dcc225a2f2800ea
/system/sepolicy/public/app.te
|
77b290f3030d31d79617996aacf081fb25e6540d |
|
19-Dec-2017 |
Jeff Vander Stoep <jeffv@google.com> |
app: move appdomain to public policy Vendor-specific app domains depend on the rules in app.te so they must reside in public policy. Bug: 70517907 Test: build Change-Id: If45557a5732a06f78c752779a8182e053beb25a2 Merged-In: If45557a5732a06f78c752779a8182e053beb25a2 (cherry picked from commit 1f4cab8bd460f2d7a943c5ac5f8f4c77e9d58fcd)
/system/sepolicy/public/app.te
|
8429a331aaa9fcb9346f3a6e5a2c4c30432f4f85 |
|
26-Jan-2017 |
Alex Klyubin <klyubin@google.com> |
Move appdomain policy to private This leaves only the existence of appdomain attribute as public API. All other rules are implementation details of this attribute's policy and are thus now private. Test: Device boot, apps (untrusted_app, system_app, platform_app, priv_app) work fine. No new denials. Bug: 31364497 Change-Id: Ie22e35bad3307bb9918318c3d034f1433d51677f
/system/sepolicy/public/app.te
|
3d348fd60c2219bfdab782c006aaf9ab9e553766 |
|
19-Jan-2017 |
Chad Brubaker <cbrubaker@google.com> |
Allow ephemeral apps to read/write external storage Ephemeral apps cannot open files from external storage, but can be given access to files via the file picker. Test: ACTION_OPEN_DOCUMENTS from an ephemeral app returns a readable fd. Change-Id: Ie21b64a9633eff258be254b9cd86f282db1509e8
/system/sepolicy/public/app.te
|
5c566d1a5ae344eaa849df0a3b7184c64952190d |
|
17-Jan-2017 |
Chad Brubaker <cbrubaker@google.com> |
Move ephemeral_app to appdomain Ephemeral apps are still apps with very similar capabilities; it makes more sense to have them under appdomain and benefit from the shared state (and all the neverallow rules) than to try and duplicate them and keep them in sync. This is an initial move, there are parts of ephemeral_app that still need to be locked down further and some parts of appdomain that should be pushed down into the various app domains. Test: Builds, ephemeral apps work without denials. Change-Id: I1526b2c2aa783a91fbf6543ac7f6d0d9906d70af
/system/sepolicy/public/app.te
|
cb3eb4eef9733bbde2951a2a774392d0c8acc9fe |
|
19-Oct-2016 |
Josh Gao <jmgao@google.com> |
Introduce crash_dump debugging helper. Replace the global debuggerd with a per-process debugging helper that gets exec'ed by the process that crashed. Bug: http://b/30705528 Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>` Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed
/system/sepolicy/public/app.te
|
7ae1d23745c0a9d14bfa03d776bf0884decc5c49 |
|
05-Dec-2016 |
Daichi Hirono <hirono@google.com> |
Don't open appfuse files in apps. Previously we published appfuse mount points to apps and apps opened appfuse files by themselves. We changed the design and we don't allow apps to access the appfuse mount point. Instead, system server opens a file on appfuse mount points and passes the FD to apps. The change updates apps and system server policies to adopt the new design. Bug: 29970149 Test: None Change-Id: I0b35fee9816f61565705eecb88a472754ccffdca
/system/sepolicy/public/app.te
|
6e4508e625e29f1a782428447de142e96498b5e4 |
|
28-Dec-2016 |
Alex Klyubin <klyubin@google.com> |
Restrict access to Bluetooth system properties This removes access to Bluetooth system properties from arbitrary SELinux domains. Access remains granted to init, bluetooth, and system_app domains. neverallow rules / CTS enforce that access is not granted to Zygote and processes spawned from Zygote except for system_app and bluetooth. The reason is that some of these properties may leak persistent identifiers not resettable by the user. Test: Bluetooth pairing and data transfer works Bug: 33700679 Change-Id: Icdcb3927a423c4011a62942340a498cc1b302472
/system/sepolicy/public/app.te
|
641d5d8f9b0d3c425ec0b10da1804532c65a21d3 |
|
14-Nov-2016 |
Chad Brubaker <cbrubaker@google.com> |
Allow binder IPC between ephemeral app and appdomain Address denial type=1400 audit(0.0:42): avc: denied { call } for scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:ephemeral_app:s0:c207,c258,c512,c768 tclass=binder Test: Above denial no longer happens Change-Id: I351269ee4671cfd51c981d3db5d0f3944d14e702
/system/sepolicy/public/app.te
|
8b1d45201d65116b48beec363828af9c7ae32a23 |
|
09-Dec-2016 |
Jeff Sharkey <jsharkey@android.com> |
installd has moved on to Binder; goodbye socket! After a series of recent commits, installd has fully migrated over to Binder, and all socket-based communication has been removed. Test: builds, boots, apps install fine, pre-OTA dexopt works Bug: 13758960, 30944031 Change-Id: Ia67b6260de58240d057c99b1bbd782b44376dfb5
/system/sepolicy/public/app.te
|
2a0053b223cc1c90ce943fdef9653984bb5f70e2 |
|
07-Dec-2016 |
Daniel Rosenberg <drosen@google.com> |
Move sdcardfs media_rw_data_file rules to app.te Test: No media_rw_data_file related app denials Change-Id: I1a977db09379f9a3e5bc52c597df12f52929ad19
/system/sepolicy/public/app.te
|
2e00e6373faa6271d7839d33c5b9e69d998ff020 |
|
12-Oct-2016 |
dcashman <dcashman@google.com> |
sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
/system/sepolicy/public/app.te
|
dc083f596d0dc84f1af0b7656dab982a7ffb13e4 |
|
03-Sep-2016 |
Daniel Micay <danielmicay@gmail.com> |
only permit text relocations in untrusted_app The other domains either don't have the same backwards compatibility issues (isolated_app) or are privileged components that are pretty much part of the platform and can be expected to meet a higher standard. It would be possible to expose a build option for disabling the ART JIT, allowing conditional removal of execmem from some of these domains too (ones not ever using the WebView, until that's always in isolated_app). Bug: 20013628 Change-Id: Ic22513157fc8b958b2a3d60381be0c07b5252fa5
/system/sepolicy/public/app.te
|
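Text relocations are a property of the shared object itself, declared in its dynamic section, so the practical follow-up to the untrusted_app entry above is to find which of an app's native libraries still declare them. The checker below is an added example for this history page, not code from the Android project: it locates the PT_DYNAMIC segment and reports a DT_TEXTREL entry or the DF_TEXTREL bit in DT_FLAGS, for ELF32 and ELF64 in either byte order (the general case, not only the 64-bit one). The object it inspects is a constructed minimal ELF, not a real library; `build_sample_so` and its `mode` argument are names invented for the example.

```python
"""Detect text relocations in an ELF shared object (DT_TEXTREL / DF_TEXTREL).

Added example, not code from the Android project. A library that needs text
relocations says so through a DT_TEXTREL dynamic entry (legacy form) or the
DF_TEXTREL bit of DT_FLAGS. Supports ELF32/ELF64, little and big endian.
The sample object is a constructed minimal ELF64 with one PT_DYNAMIC segment.
"""
import struct

PT_DYNAMIC = 2
DT_NULL, DT_NEEDED, DT_TEXTREL, DT_FLAGS = 0, 1, 16, 30
DF_TEXTREL, DF_BIND_NOW = 0x4, 0x8


def _header(blob):
    """Return (endian, is64, e_phoff, e_phentsize, e_phnum) from the ELF header."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = blob[4], blob[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or data encoding")
    endian, is64 = ("<" if ei_data == 1 else ">"), ei_class == 2
    if is64:  # ELF64: e_phoff at 32 (8 bytes), e_phentsize/e_phnum at 54/56
        (e_phoff,) = struct.unpack_from(endian + "Q", blob, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", blob, 54)
    else:     # ELF32: e_phoff at 28 (4 bytes), e_phentsize/e_phnum at 42/44
        (e_phoff,) = struct.unpack_from(endian + "I", blob, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", blob, 42)
    return endian, is64, e_phoff, e_phentsize, e_phnum


def dynamic_entries(blob):
    """Yield (d_tag, d_val) pairs from the PT_DYNAMIC segment, stopping at DT_NULL."""
    endian, is64, e_phoff, e_phentsize, e_phnum = _header(blob)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + e_phentsize > len(blob):
            raise ValueError("program header table extends past end of file")
        if is64:  # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(endian + "IIQQQQ", blob, off)
        else:     # p_type, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, p_offset, _, _, p_filesz = struct.unpack_from(endian + "IIIII", blob, off)
        if p_type != PT_DYNAMIC:
            continue
        end = p_offset + p_filesz
        if end > len(blob):
            raise ValueError("PT_DYNAMIC segment extends past end of file")
        fmt, size = (endian + "qQ", 16) if is64 else (endian + "iI", 8)
        for pos in range(p_offset, end - size + 1, size):
            d_tag, d_val = struct.unpack_from(fmt, blob, pos)
            if d_tag == DT_NULL:
                return
            yield d_tag, d_val
        return


def has_text_relocations(blob):
    """True if the object declares text relocations (DT_TEXTREL, or DF_TEXTREL in DT_FLAGS)."""
    for d_tag, d_val in dynamic_entries(blob):
        if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
            return True
    return False


def build_sample_so(mode="none"):
    """Constructed ELF64 LE ET_DYN (AArch64) holding only a PT_DYNAMIC segment; not a real library.

    mode: "none" (clean), "textrel" (legacy DT_TEXTREL tag) or "flags" (DF_TEXTREL in DT_FLAGS).
    """
    dyn = [(DT_NEEDED, 1)]
    if mode == "textrel":
        dyn.append((DT_TEXTREL, 0))
    elif mode == "flags":
        dyn.append((DT_FLAGS, DF_TEXTREL | DF_BIND_NOW))
    elif mode != "none":
        raise ValueError(f"unknown mode {mode!r}")
    dyn.append((DT_NULL, 0))
    dynamic = b"".join(struct.pack("<qQ", tag, val) for tag, val in dyn)
    ehdr_size, phdr_size = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, EV_CURRENT, System V ABI
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               3, 0xB7, 1, 0,            # ET_DYN, EM_AARCH64, e_version, e_entry
                               ehdr_size, 0, 0,          # e_phoff, e_shoff, e_flags
                               ehdr_size, phdr_size, 1,  # e_ehsize, e_phentsize, e_phnum
                               64, 0, 0)                 # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, ehdr_size + phdr_size, 0, 0,
                       len(dynamic), len(dynamic), 8)   # PF_R|PF_W, offset, vaddr, paddr, filesz, memsz, align
    return ehdr + phdr + dynamic


if __name__ == "__main__":
    for m in ("none", "textrel", "flags"):
        print(f"{m:8s} text relocations: {has_text_relocations(build_sample_so(m))}")
```

On a real device the same function can be pointed at the bytes of each `lib/<abi>/*.so` extracted from an APK; a library that reports True is the one that still depends on the execmod grant the entry above keeps for untrusted_app.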
c9630dc6a1bdf918ffb8ea6853327f2abf4fe11e |
|
16-Nov-2016 |
Nick Kralevich <nnk@google.com> |
shell.te: revoke syslog(2) access to shell user external/toybox commit a583afc812cf7be74ebab72294c8df485908ff04 started having dmesg use /dev/kmsg, which is unreadable to the unprivileged shell user. Revoke syslog(2) to the shell user for consistency. The kernel dmesg log is a source of kernel pointers, which can leak kASLR information from the kernel. Restricting access to kernel information will make attacks against Android more difficult. Having said that, dmesg information is still available from "adb bugreport", so this change doesn't completely shut down kernel info leaks. This change essentially reverts us to the state we were in between Nov 8 2011 and May 27 2014. During that almost 3 year period, the unprivileged shell user was unable to access dmesg, and there was only one complaint during that time. References: * https://android.googlesource.com/platform/system/core/+/f9557fb * https://android.googlesource.com/platform/system/sepolicy/+/f821b5a TODO: Further unify /dev/kmsg permissions with syslog_read permissions. Test: policy compiles, no dmesg output Change-Id: Icfff6f765055bdbbe85f302b781aed2568ef532f
/system/sepolicy/public/app.te
|
e0d5c5323dcbf0a3db90bb4b8dca603918d4449b |
|
15-Nov-2016 |
Nick Kralevich <nnk@google.com> |
exclude su from app auditallow su is an appdomain, and as such, any auditallow statements applicable to appdomain also apply to su. However, su is never enforced, so generating SELinux denials for such domains is pointless. Exclude su from ion_device auditallow rules. Addresses the following auditallow spam: avc: granted { ioctl } for comm="screencap" path="/dev/ion" dev="tmpfs" ino=10230 ioctlcmd=4906 scontext=u:r:su:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file Test: policy compiles Change-Id: I2e783624b9e53ad365669bd6f2d4db40da475a16
/system/sepolicy/public/app.te
|
4c7044e0b1f0092d3334200d3817528600be323d |
|
09-Nov-2016 |
Daichi Hirono <hirono@google.com> |
Allow apps to search the appfuse mount point and open a file on the appfuse mount point. Bug: 29970149 Test: None Change-Id: I59f49f3bf20d93effde5e1a9a3c1ed64fbecb7a8
/system/sepolicy/public/app.te
|
dd958e5a21ca6a744432902c479ce827b72eedde |
|
12-Oct-2016 |
Chia-I Wu <olv@google.com> |
Add sepolicy for gralloc-alloc HAL Allow SurfaceFlinger to call into IAllocator, and allow everyone to access IAllocator's fd. Specifically, hwbinder_use(...) for avc: denied { call } for scontext=u:r:hal_graphics_allocator:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1 avc: denied { transfer } for scontext=u:r:hal_graphics_allocator:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1 allow ... ion_device:chr_file r_file_perms for avc: denied { read } for name="ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1 avc: denied { open } for path="/dev/ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1 avc: denied { ioctl } for path="/dev/ion" dev="tmpfs" ino=15014 ioctlcmd=4900 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1 allow ... gpu_device:chr_file rw_file_perms; for avc: denied { read write } for name="kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1 avc: denied { open } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1 avc: denied { ioctl } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 ioctlcmd=940 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1 binder_call(surfaceflinger, ...) for avc: denied { call } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_allocator:s0 tclass=binder permissive=1 allow ... ...:fd use for avc: denied { use } for path="anon_inode:dmabuf" dev="anon_inodefs" ino=12794 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_allocator:s0 tclass=fd permissive=1 Bug: 32021161 Test: make bootimage Change-Id: Ie7700142313407ac438c43dd1a85544dc4c67f13
/system/sepolicy/public/app.te
|
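The avc records quoted in the commit messages above (the untrusted_app to ephemeral_app binder denial, the su "granted" record produced by an auditallow, and the hal_graphics_allocator denials collected in permissive mode) are the raw material these policy changes were derived from. As an added example for this history page, not code from the Android sepolicy project, the Python below does the simple part of what audit2allow does: it parses such lines, reduces each security context to its type (the per-app MLS categories such as c512,c768 never belong in a rule), merges permissions per (source, target, class) and prints candidate allow rules. The sample log is constructed from the records on this page plus one non-avc line; `suggest_rules` and the other names are the example's own.

```python
"""Turn SELinux avc audit records into candidate allow rules.

Added example, not code from the Android sepolicy project. Parses
'avc: denied' / 'avc: granted' lines, strips contexts to their type
(u:r:untrusted_app:s0:c512,c768 -> untrusted_app) and merges permissions
per (source, target, class). Sample records are constructed from the
denials quoted in the commit messages above.
"""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
    r"(?:.*?\bpermissive=(?P<permissive>[01]))?"
)


def context_type(ctx):
    """user:role:type[:mls] -> type. Categories are per-app and never go into a rule."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return parts[2]


def parse_avc(line):
    """Return the fields of one avc record, or None if the line is not an avc record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "verdict": m.group("verdict"),
        "perms": frozenset(m.group("perms").split()),
        "source": context_type(m.group("scontext")),
        "target": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1: the access went ahead, but enforcing mode would have denied it
        "permissive": m.group("permissive") == "1",
    }


def suggest_rules(lines):
    """Return (denied_rules, granted_rules), each a sorted list of 'allow ...;' strings.

    Denied records become candidate allow rules. Granted records come from
    auditallow statements (see the su / ion_device entry above): the policy
    already permits them and only asked to be told when they fire, so they
    are reported separately and must not be turned into new allow rules.
    """
    denied, granted = defaultdict(set), defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        table = denied if rec["verdict"] == "denied" else granted
        table[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]

    def fmt(table):
        return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                for (s, t, c), p in sorted(table.items())]

    return fmt(denied), fmt(granted)


# Constructed sample: the records quoted in the commit messages above, plus one non-avc line.
SAMPLE_LOG = [
    'type=1400 audit(0.0:42): avc: denied { call } for scontext=u:r:untrusted_app:s0:c512,c768 '
    'tcontext=u:r:ephemeral_app:s0:c207,c258,c512,c768 tclass=binder',
    'avc: granted { ioctl } for comm="screencap" path="/dev/ion" dev="tmpfs" ino=10230 ioctlcmd=4906 '
    'scontext=u:r:su:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file',
    'avc: denied { read } for name="ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 '
    'tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1',
    'avc: denied { open } for path="/dev/ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 '
    'tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1',
    'avc: denied { ioctl } for path="/dev/ion" dev="tmpfs" ino=15014 ioctlcmd=4900 '
    'scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1',
    'avc: denied { read write } for name="kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 '
    'tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1',
    'type=1300 audit(0.0:42): arch=c00000b7 syscall=56 success=no exit=-13',
]

if __name__ == "__main__":
    denied_rules, granted_rules = suggest_rules(SAMPLE_LOG)
    print("# candidate rules (check against neverallows before adding):")
    print("\n".join(denied_rules))
    print("# already allowed, reported by auditallow:")
    print("\n".join(granted_rules))
```

The output is a starting point, not a patch: several entries on this page (the qtaguid and uid_cpupower restrictions, the Bluetooth property lockdown) show the other valid response to a denial, which is to leave it denied and move the caller to a public API, and any rule that does get added has to clear the neverallow rules that appdomain inherits.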
ce4b5eeaeed88fbaca88eac2f7fd5f7a85d7ba0e |
|
21-Oct-2016 |
Jeff Vander Stoep <jeffv@google.com> |
isolated_app: no sdcard access Remove and neverallow isolated_app access to external storage and USB accessories. Test: aosp_angler-userdebug builds Bug: 21643067 Change-Id: Ie912706a954a38610f2afd742b1ab4b8cd4b1f36
/system/sepolicy/public/app.te
|
cc39f637734a8d84bc861b649bfd109290c06401 |
|
22-Jul-2016 |
dcashman <dcashman@google.com> |
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
/system/sepolicy/public/app.te
|