History log of /system/sepolicy/public/app.te
Revision Date Author Comments
f2afca7cf05bcfe0547817069f33f8fed6e9e6c7 06-Jun-2018 Joel Galenson <jgalenson@google.com> Allow ephemeral_app to execute system_file.

Bug: 109653662
Test: Build policy.
Change-Id: I6c71a8bc24d7a144b801d16f1bcad31fb8f2aba5
/system/sepolicy/public/app.te
069f3cff5044a33a9ed0e6bea9b1c254f2ea9050 05-Jun-2018 Jeff Vander Stoep <jeffv@google.com> ephemeral_app: disallow access to qtaguid files

Apps targeting API version 28+ are not allowed to access:
/proc/xt_qtaguid/*
/dev/xt_qtaguid

Instant apps should also be excluded from access.

Fixes: 92796393
Test: make -j cts_instant
cts-instant-tradefed run commandAndExit cts-instant-dev \
-m CtsPermissionTestCases \
--test android.permission.cts.FileSystemPermissionTest

Change-Id: Ifa27f6a3fad9227d4df1bf50a5120a4c36422ff7
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
/system/sepolicy/public/app.te
b469c30069afd96df54e3fa18940fcfdfd9737a1 30-Mar-2018 Jeff Sharkey <jsharkey@android.com> Add exFAT support; unify behind "sdcard_type".

We're adding support for OEMs to ship exFAT, which behaves identically
to vfat. Some rules have been manually enumerating labels related
to these "public" volumes, so unify them all behind "sdcard_type".

Test: atest
Bug: 67822822
Change-Id: I09157fd1fc666ec5d98082c6e2cefce7c8d3ae56
/system/sepolicy/public/app.te
a11b16c9eed8703aad53cd5b79b0f3f85a31d68d 08-Apr-2018 Jaekyun Seok <jaekyun@google.com> Whitelist vendor-init-settable bluetooth_prop and wifi_prop

Values of the following properties are set by SoC vendors on some
devices including Pixels.
- persist.bluetooth.a2dp_offload.cap
- persist.bluetooth.a2dp_offload.enable
- persist.vendor.bluetooth.a2dp_offload.enable
- ro.bt.bdaddr_path
- wlan.driver.status

So they should be whitelisted for compatibility.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
Merged-In: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
(cherry picked from commit 224921d18a8aa83123adfbdef8e9c352795e2b6b)
/system/sepolicy/public/app.te
0fa3d2766f4d9d84dd01d2e2d75d366734cfcc5f 13-Mar-2018 Kweku Adams <kwekua@google.com> Allowing incidentd to get stack traces from processes.

Bug: 72177715
Test: flash device and check incident output
Change-Id: I16c172caec235d985a6767642134fbd5e5c23912
(cherry picked from commit 985db6d8dd2a2168a1e9ee741d89e03a0e3a76b9)
/system/sepolicy/public/app.te
4be28894772bccf5604fd36a75d07bb64e826c88 29-Mar-2018 Pawin Vongmasa <pawin@google.com> Put in sepolicies for Codec2.0 services

Test: Builds

Bug: 64121714
Bug: 31973802
Change-Id: Id37be8726a8bb297e35bca494964fdbcc48c6a73
/system/sepolicy/public/app.te
5ec8f8432be8072711b388eb0e6696945c04950f 08-Feb-2018 Chenbo Feng <fengc@google.com> Block SDK 28 app from using proc/net/xt_qtaguid

The file under /proc/net/xt_qtaguid is going away in a future release.
Apps should use the provided public API instead of directly reading the
proc file. This change will block apps that are based on SDK 28 or above
from directly reading that file, and we will delete that file after apps
move away from it.

Test: Flashed with master branch on marlin, verified phone boot, can
browse web, watch youtube video, make phone call and use google
map for navigation with wifi on and off.
run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
run cts -m CtsAppSecurityHostTestCases -t \
android.appsecurity.cts.AppSecurityTests

Change-Id: I4c4d6c9ab28b426acef23db53f171de8f20be1dc
/system/sepolicy/public/app.te
8f568afad771b38fb5eb5e92801059f38ac9bc32 06-Feb-2018 Chenbo Feng <fengc@google.com> Revert "Remove app access to qtaguid ctrl/stats file"

This reverts commit fad0b04de1f131aa64c6efa1314b3eb69f0bb9e9.

Reason for revert: This change crashed facebook App on dogfood build.

Bug: 72977484
Change-Id: I4f35b00c11afbd4914f572d3cc0378d740403ed2
/system/sepolicy/public/app.te
fad0b04de1f131aa64c6efa1314b3eb69f0bb9e9 26-Jan-2018 Chenbo Feng <fengc@google.com> Remove app access to qtaguid ctrl/stats file

Remove the untrusted apps and privileged apps from the group that can
directly access xt_qtaguid module related files. All apps that need to
access app network usage data need to use the public API provided in
the framework.

Test: Flashed with master branch on marlin, verified phone boot, can
browse web, watch youtube video, make phone call and use google
map for navigation with wifi either on or off.
run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
run cts -m CtsNativeNetTestCases
Bug: 68774956 30950746

Change-Id: I9b3db819d6622611d5b512ef821abb4c28d6c9eb
/system/sepolicy/public/app.te
dfe063c37dec77f158da06eb21ade5c490949486 19-Jan-2018 Marissa Wall <marissaw@google.com> sepolicy: restrict access to uid_cpupower files

Do not let apps read /proc/uid_cpupower/time_in_state,
/proc/uid_cpupower/concurrent_active_time,
/proc/uid_cpupower/concurrent_policy_time.

b/71718257

Test: Check that they can't be read from the shell
without root permissions and system_server was able
to read them

Change-Id: I812694adfbb4630f7b56aa7096dc2e6dfb148b15
/system/sepolicy/public/app.te
43303c8b89ac7792bfc90be4fa4aa338ea9d3be4 02-Jan-2018 Jeff Vander Stoep <jeffv@google.com> relabel files in /proc/net/xt_qtaguid/

/proc/net/xt_qtaguid is used by apps to track their network data
use. Limit access to just zygote spawned processes - apps and
system_server, omitting access to isolated_app which is not allowed
to create network sockets.
As Android moves to eBPF for apps' network data stats, access to
/proc/net/xt_qtaguid will be removed entirely. Segmenting access off
is the first step.
Bug: 68774956

This change also helps further segment and whitelist access to
files in /proc/net and is a step in the lockdown of /proc/net.
Bug: 9496886

Test: boot Taimen. Walk through setup-wizard. Make phone call and
video call. Browse web. Watch youtube. Navigate in maps.
Test: cts-tradefed run cts -m CtsAppSecurityHostTestCases -t \
android.appsecurity.cts.AppSecurityTests
Test: cts-tradefed run cts -m CtsNativeNetTestCases
Test: cts-tradefed run cts -m CtsIncidentHostTestCases -t \
com.android.server.cts.NetstatsIncidentTest
Test: cts-tradefed run cts -m CtsOsTestCases -t \
android.os.cts.StrictModeTest
Test: cts-tradefed run cts -m CtsNetTestCases -t \
android.net.cts.TrafficStatsTest
Test: cts-tradefed run cts -m CtsUsageStatsTestCases -t \
android.app.usage.cts.NetworkUsageStatsTest
Test: vts-tradefed run vts -m VtsQtaguidTest
Change-Id: Idddd318c56b84564142d37b11dcc225a2f2800ea
/system/sepolicy/public/app.te
77b290f3030d31d79617996aacf081fb25e6540d 19-Dec-2017 Jeff Vander Stoep <jeffv@google.com> app: move appdomain to public policy

Vendor-specific app domains depend on the rules in app.te so they
must reside in public policy.

Bug: 70517907
Test: build
Change-Id: If45557a5732a06f78c752779a8182e053beb25a2
Merged-In: If45557a5732a06f78c752779a8182e053beb25a2
(cherry picked from commit 1f4cab8bd460f2d7a943c5ac5f8f4c77e9d58fcd)
/system/sepolicy/public/app.te
8429a331aaa9fcb9346f3a6e5a2c4c30432f4f85 26-Jan-2017 Alex Klyubin <klyubin@google.com> Move appdomain policy to private

This leaves only the existence of appdomain attribute as public API.
All other rules are implementation details of this attribute's policy
and are thus now private.

Test: Device boot, apps (untrusted_app, system_app, platform_app,
priv_app) work fine. No new denials.
Bug: 31364497

Change-Id: Ie22e35bad3307bb9918318c3d034f1433d51677f
/system/sepolicy/public/app.te
3d348fd60c2219bfdab782c006aaf9ab9e553766 19-Jan-2017 Chad Brubaker <cbrubaker@google.com> Allow ephemeral apps to read/write external storage

Ephemeral apps cannot open files from external storage, but can be given
access to files via the file picker.

Test: ACTION_OPEN_DOCUMENTS from an ephemeral app returns a readable fd.
Change-Id: Ie21b64a9633eff258be254b9cd86f282db1509e8
/system/sepolicy/public/app.te
5c566d1a5ae344eaa849df0a3b7184c64952190d 17-Jan-2017 Chad Brubaker <cbrubaker@google.com> Move ephemeral_app to appdomain

Ephemeral apps are still apps with very similar capabilities, so it makes
more sense to have them under appdomain and benefit from the shared
state (and all the neverallow rules) than to try to duplicate them and
keep them in sync.

This is an initial move; there are parts of ephemeral_app that still
need to be locked down further and some parts of appdomain that should
be pushed down into the various app domains.

Test: Builds, ephemeral apps work without denials.
Change-Id: I1526b2c2aa783a91fbf6543ac7f6d0d9906d70af
/system/sepolicy/public/app.te
cb3eb4eef9733bbde2951a2a774392d0c8acc9fe 19-Oct-2016 Josh Gao <jmgao@google.com> Introduce crash_dump debugging helper.

Replace the global debuggerd with a per-process debugging helper that
gets exec'ed by the process that crashed.

Bug: http://b/30705528
Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>`
Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed
/system/sepolicy/public/app.te
7ae1d23745c0a9d14bfa03d776bf0884decc5c49 05-Dec-2016 Daichi Hirono <hirono@google.com> Don't open appfuse files in apps.

Previously we published appfuse mount points to apps and apps opened
appfuse files by themselves. We changed the design and we don't allow
apps to access appfuse mount points. Instead system server opens a file
on appfuse mount points and passes the FD to apps.

The change updates app and system server policies to adopt the new design.

Bug: 29970149
Test: None
Change-Id: I0b35fee9816f61565705eecb88a472754ccffdca
/system/sepolicy/public/app.te
6e4508e625e29f1a782428447de142e96498b5e4 28-Dec-2016 Alex Klyubin <klyubin@google.com> Restrict access to Bluetooth system properties

This removes access to Bluetooth system properties from arbitrary
SELinux domains. Access remains granted to init, bluetooth, and
system_app domains. neverallow rules / CTS enforce that access is not
granted to Zygote and processes spawned from Zygote except for
system_app and bluetooth.

The reason is that some of these properties may leak persistent
identifiers not resettable by the user.

Test: Bluetooth pairing and data transfer works
Bug: 33700679
Change-Id: Icdcb3927a423c4011a62942340a498cc1b302472
/system/sepolicy/public/app.te
641d5d8f9b0d3c425ec0b10da1804532c65a21d3 14-Nov-2016 Chad Brubaker <cbrubaker@google.com> Allow binder IPC between ephemeral app and appdomain

Address denial type=1400 audit(0.0:42): avc: denied { call } for
scontext=u:r:untrusted_app:s0:c512,c768
tcontext=u:r:ephemeral_app:s0:c207,c258,c512,c768 tclass=binder

Test: Above denial no longer happens
Change-Id: I351269ee4671cfd51c981d3db5d0f3944d14e702
/system/sepolicy/public/app.te
8b1d45201d65116b48beec363828af9c7ae32a23 09-Dec-2016 Jeff Sharkey <jsharkey@android.com> installd has moved on to Binder; goodbye socket!

After a series of recent commits, installd has fully migrated over
to Binder, and all socket-based communication has been removed.

Test: builds, boots, apps install fine, pre-OTA dexopt works
Bug: 13758960, 30944031
Change-Id: Ia67b6260de58240d057c99b1bbd782b44376dfb5
/system/sepolicy/public/app.te
2a0053b223cc1c90ce943fdef9653984bb5f70e2 07-Dec-2016 Daniel Rosenberg <drosen@google.com> Move sdcardfs media_rw_data_file rules to app.te

Test: No media_rw_data_file related app denials
Change-Id: I1a977db09379f9a3e5bc52c597df12f52929ad19
/system/sepolicy/public/app.te
2e00e6373faa6271d7839d33c5b9e69d998ff020 12-Oct-2016 dcashman <dcashman@google.com> sepolicy: add version_policy tool and version non-platform policy.

In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split. In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
/system/sepolicy/public/app.te
dc083f596d0dc84f1af0b7656dab982a7ffb13e4 03-Sep-2016 Daniel Micay <danielmicay@gmail.com> only permit text relocations in untrusted_app

The other domains either don't have the same backwards compatibility
issues (isolated_app) or are privileged components that are pretty much
part of the platform and can be expected to meet a higher standard.

It would be possible to expose a build option for disabling the ART JIT,
allowing conditional removal of execmem from some of these domains too
(ones not ever using the WebView, until that's always in isolated_app).

Bug: 20013628
Change-Id: Ic22513157fc8b958b2a3d60381be0c07b5252fa5
/system/sepolicy/public/app.te
c9630dc6a1bdf918ffb8ea6853327f2abf4fe11e 16-Nov-2016 Nick Kralevich <nnk@google.com> shell.te: revoke syslog(2) access to shell user

external/toybox commit a583afc812cf7be74ebab72294c8df485908ff04 started
having dmesg use /dev/kmsg, which is unreadable to the unprivileged
shell user. Revoke syslog(2) to the shell user for consistency.

The kernel dmesg log is a source of kernel pointers, which can leak
kASLR information from the kernel. Restricting access to kernel
information will make attacks against Android more difficult. Having
said that, dmesg information is still available from "adb bugreport", so
this change doesn't completely shut down kernel info leaks.

This change essentially reverts us to the state we were in between Nov 8
2011 and May 27 2014. During that almost 3 year period, the unprivileged
shell user was unable to access dmesg, and there was only one complaint
during that time.

References:
* https://android.googlesource.com/platform/system/core/+/f9557fb
* https://android.googlesource.com/platform/system/sepolicy/+/f821b5a

TODO: Further unify /dev/kmsg permissions with syslog_read permissions.

Test: policy compiles, no dmesg output
Change-Id: Icfff6f765055bdbbe85f302b781aed2568ef532f
/system/sepolicy/public/app.te
e0d5c5323dcbf0a3db90bb4b8dca603918d4449b 15-Nov-2016 Nick Kralevich <nnk@google.com> exclude su from app auditallow

su is an appdomain, and as such, any auditallow statements applicable to
appdomain also apply to su. However, su is never enforced, so generating
SELinux denials for such domains is pointless. Exclude su from
ion_device auditallow rules.

Addresses the following auditallow spam:

avc: granted { ioctl } for comm="screencap" path="/dev/ion" dev="tmpfs"
ino=10230 ioctlcmd=4906 scontext=u:r:su:s0
tcontext=u:object_r:ion_device:s0 tclass=chr_file

Test: policy compiles
Change-Id: I2e783624b9e53ad365669bd6f2d4db40da475a16
/system/sepolicy/public/app.te
4c7044e0b1f0092d3334200d3817528600be323d 09-Nov-2016 Daichi Hirono <hirono@google.com> Allow apps to search appfuse mount point and open a file on appfuse mount point.

Bug: 29970149
Test: None
Change-Id: I59f49f3bf20d93effde5e1a9a3c1ed64fbecb7a8
/system/sepolicy/public/app.te
dd958e5a21ca6a744432902c479ce827b72eedde 12-Oct-2016 Chia-I Wu <olv@google.com> Add sepolicy for gralloc-alloc HAL

Allow SurfaceFlinger to call into IAllocator, and allow everyone to access
IAllocator's fd.

Specifically,

hwbinder_use(...) for
avc: denied { call } for scontext=u:r:hal_graphics_allocator:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { transfer } for scontext=u:r:hal_graphics_allocator:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1

allow ... ion_device:chr_file r_file_perms for
avc: denied { read } for name="ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
avc: denied { open } for path="/dev/ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for path="/dev/ion" dev="tmpfs" ino=15014 ioctlcmd=4900 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1

allow ... gpu_device:chr_file rw_file_perms; for
avc: denied { read write } for name="kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { open } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 ioctlcmd=940 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1

binder_call(surfaceflinger, ...) for
avc: denied { call } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_allocator:s0 tclass=binder permissive=1

allow ... ...:fd use for
avc: denied { use } for path="anon_inode:dmabuf" dev="anon_inodefs" ino=12794 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_allocator:s0 tclass=fd permissive=1

Bug: 32021161
Test: make bootimage
Change-Id: Ie7700142313407ac438c43dd1a85544dc4c67f13
/system/sepolicy/public/app.te
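Added example, not part of the sepolicy project or of any commit above: a small parser for AVC records of the kind quoted in the ephemeral_app binder commit and in the gralloc-alloc HAL commit. It aggregates `denied` records into audit2allow-style `allow` rules (one per source/target/class), skips `granted` (auditallow) records, and reports which source domains were running permissive, since `permissive=1` means the access actually went through rather than being blocked. The sample lines are constructed by joining the records from those commit messages onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records from the commit messages above, each joined
# onto one line the way logcat/dmesg emits them.
SAMPLE_AVC_LINES = [
    'type=1400 audit(0.0:42): avc: denied { call } for '
    'scontext=u:r:untrusted_app:s0:c512,c768 '
    'tcontext=u:r:ephemeral_app:s0:c207,c258,c512,c768 tclass=binder',
    'avc: denied { read } for name="ion" dev="tmpfs" ino=15014 '
    'scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 '
    'tclass=chr_file permissive=1',
    'avc: denied { open } for path="/dev/ion" dev="tmpfs" ino=15014 '
    'scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 '
    'tclass=chr_file permissive=1',
    'avc: denied { ioctl } for path="/dev/ion" dev="tmpfs" ino=15014 ioctlcmd=4900 '
    'scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 '
    'tclass=chr_file permissive=1',
    'avc: denied { read write } for name="kgsl-3d0" dev="tmpfs" ino=14956 '
    'scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 '
    'tclass=chr_file permissive=1',
    'avc: granted { ioctl } for comm="screencap" path="/dev/ion" dev="tmpfs" '
    'ino=10230 ioctlcmd=4906 scontext=u:r:su:s0 tcontext=u:object_r:ion_device:s0 '
    'tclass=chr_file',
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
                    r"\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def _type_of(ctx):
    # A context is user:role:type:sensitivity[:categories]; the type is what policy rules name.
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def parse_avc(line):
    """Return verdict, sorted perms, source/target types, class and permissive flag,
    or None when the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {"verdict": m.group("verdict"), "perms": sorted(m.group("perms").split()),
            "source": _type_of(fields.get("scontext", "")),
            "target": _type_of(fields.get("tcontext", "")),
            "tclass": fields.get("tclass", ""), "permissive": fields.get("permissive") == "1"}

def suggest_rules(lines):
    """Aggregate denied records into audit2allow-style allow rules (sorted)."""
    perms = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        if rec["verdict"] == "denied":  # granted == auditallow, no rule needed
            perms[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(perms.items())]

def permissive_sources(lines):
    """Source domains whose denials carried permissive=1, i.e. the access was not blocked."""
    return {r["source"] for r in filter(None, map(parse_avc, lines)) if r["permissive"]}
```

Rules produced this way are a starting point for review, not a policy to paste in: a denial only says what a process tried, and the commits above show that the right fix is often to narrow the access or route it through a system service rather than to grant it.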
ce4b5eeaeed88fbaca88eac2f7fd5f7a85d7ba0e 21-Oct-2016 Jeff Vander Stoep <jeffv@google.com> isolated_app: no sdcard access

Remove and neverallow isolated_app access to external storage and
USB accessories.

Test: aosp_angler-userdebug builds
Bug: 21643067
Change-Id: Ie912706a954a38610f2afd742b1ab4b8cd4b1f36
/system/sepolicy/public/app.te
cc39f637734a8d84bc861b649bfd109290c06401 22-Jul-2016 dcashman <dcashman@google.com> Split general policy into public and private components.

Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
/system/sepolicy/public/app.te