Merge "Fix TH build error because of file.te"
diff --git a/apex/Android.bp b/apex/Android.bp
index 78e1be9..2347bc2 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -35,16 +35,16 @@
}
filegroup {
- name: "com.android.art.debug-file_contexts",
+ name: "com.android.art-file_contexts",
srcs: [
- "com.android.art.debug-file_contexts",
+ "com.android.art-file_contexts",
],
}
filegroup {
- name: "com.android.art.release-file_contexts",
+ name: "com.android.art.debug-file_contexts",
srcs: [
- "com.android.art.release-file_contexts",
+ "com.android.art.debug-file_contexts",
],
}
diff --git a/apex/com.android.art.release-file_contexts b/apex/com.android.art-file_contexts
similarity index 100%
rename from apex/com.android.art.release-file_contexts
rename to apex/com.android.art-file_contexts
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 12357c7..3586fff 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -196,24 +196,21 @@
# other than find actions for services listed below
neverallow all_untrusted_apps *:hwservice_manager ~find;
-# Do not permit access from apps which host arbitrary code to the protected HwBinder
-# services.
+# Do not permit access from apps which host arbitrary code to the protected services
# The two main reasons for this are:
-# 1. Protected HwBinder servers do not perform client authentication because HIDL
-# currently does not expose caller UID information and, even if it did, those
-# HwBinder services either operate at a level below that of apps (e.g., HALs)
-# or must not rely on app identity for authorization. Thus, to be safe, the
-# default assumption is that every HwBinder service treats all its clients as
-# equally authorized to perform operations offered by the service.
-# 2. HAL servers (a subset of HwBinder services) contain code with higher
-# incidence rate of security issues than system/core components and have
-# access to lower layes of the stack (all the way down to hardware) thus
-# increasing opportunities for bypassing the Android security model.
+# 1. Protected HwBinder servers do not perform client authentication because
+# vendor code does not have a way to understand apps or their relation to
+# caller UID information and, even if it did, those services either operate
+# at a level below that of apps (e.g., HALs) or must not rely on app identity
+# for authorization. Thus, to be safe, the default assumption for all added
+# vendor services is that they treat all their clients as equally authorized
+# to perform operations offered by the service.
+# 2. HAL servers contain code with higher incidence rate of security issues
+# than system/core components and have access to lower layes of the stack
+# (all the way down to hardware) thus increasing opportunities for bypassing
+# the Android security model.
neverallow all_untrusted_apps protected_hwservice:hwservice_manager find;
-
-neverallow all_untrusted_apps {
- vendor_service
-}:service_manager find;
+neverallow all_untrusted_apps protected_service:service_manager find;
# SELinux is not an API for untrusted apps to use
neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
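Review bot: The replacement rule `neverallow all_untrusted_apps protected_service:service_manager find;` narrows the previous blanket deny on every `vendor_service` to only types that carry `protected_service`, so a vendor service type declared without that attribute (the public/service.te hunk tags only the nine HAL services visible there) becomes findable by untrusted apps with no neverallow catching it. The comment above should state that the protection is now opt-in, e.g. `# vendor_service types must also be tagged protected_service unless exposure to untrusted apps is intended.`, and the same sentence belongs next to `attribute protected_service;` in the public/attributes hunk. The rewritten comment also carries over the typo `layes` (should be `layers`).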
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 5c83c7e..4527066 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -29,6 +29,7 @@
people_service
power_debug_prop
power_stats_service
+ proc_kallsyms
profcollectd
profcollectd_data_file
profcollectd_exec
diff --git a/private/file_contexts b/private/file_contexts
index c228b37..1448f5a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -300,10 +300,7 @@
/system/bin/cppreopts\.sh u:object_r:cppreopts_exec:s0
/system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
-/system/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
-/system/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
-/system/bin/profman(d)? u:object_r:profman_exec:s0
/system/bin/iorapd u:object_r:iorapd_exec:s0
/system/bin/iorap\.inode2filename u:object_r:iorap_inode2filename_exec:s0
/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 136da2b..1b22725 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -10,6 +10,7 @@
genfscon proc /filesystems u:object_r:proc_filesystems:s0
genfscon proc /interrupts u:object_r:proc_interrupts:s0
genfscon proc /iomem u:object_r:proc_iomem:s0
+genfscon proc /kallsyms u:object_r:proc_kallsyms:s0
genfscon proc /keys u:object_r:proc_keys:s0
genfscon proc /kmsg u:object_r:proc_kmsg:s0
genfscon proc /loadavg u:object_r:proc_loadavg:s0
diff --git a/private/gsid.te b/private/gsid.te
index 3d91eb8..fe1d08e 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -9,6 +9,11 @@
binder_use(gsid)
binder_service(gsid)
add_service(gsid, gsi_service)
+
+# Manage DSU metadata encryption key through vold.
+allow gsid vold_service:service_manager find;
+binder_call(gsid, vold)
+
set_prop(gsid, gsid_prop)
# Needed to create/delete device-mapper nodes, and read/write to them.
diff --git a/private/property.te b/private/property.te
index 09e93e9..18d94d2 100644
--- a/private/property.te
+++ b/private/property.te
@@ -11,6 +11,7 @@
system_internal_prop(init_svc_debug_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(localization_prop)
+system_internal_prop(lower_kptr_restrict_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(pm_prop)
system_internal_prop(system_adbd_prop)
@@ -461,3 +462,10 @@
-hal_dumpstate_server
not_compatible_property(`-vendor_init')
} hal_dumpstate_config_prop:file no_rw_file_perms;
+
+neverallow {
+ -init
+ userdebug_or_eng(`-traced_probes')
+} {
+ lower_kptr_restrict_prop
+}:property_service set;
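Review bot: The new neverallow ending in `}:property_service set;` has no comment explaining why init is always exempt while traced_probes is exempt only under `userdebug_or_eng`, which is the first thing a reader hitting this rule on a user build will ask. Suggest `# Only init may lower kptr_restrict on user builds; traced_probes may also do so on debuggable builds for kernel symbolization (see traced_probes.te).` above the rule.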
diff --git a/private/property_contexts b/private/property_contexts
index 361db3e..ac680a4 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -44,6 +44,7 @@
log.tag u:object_r:log_tag_prop:s0
log.tag.WifiHAL u:object_r:wifi_log_prop:s0
security.perf_harden u:object_r:shell_prop:s0
+security.lower_kptr_restrict u:object_r:lower_kptr_restrict_prop:s0
service.adb.root u:object_r:shell_prop:s0
service.adb.tls.port u:object_r:adbd_prop:s0
persist.adb.wifi. u:object_r:adbd_prop:s0
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 36f9c51..f010a77 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -29,6 +29,11 @@
# Allow procfs access
r_dir_file(traced_probes, domain)
+# Allow to temporarily lift the kptr_restrict setting and build a symbolization
+# map reading /proc/kallsyms.
+userdebug_or_eng(`set_prop(traced_probes, lower_kptr_restrict_prop)')
+allow traced_probes proc_kallsyms:file r_file_perms;
+
# Allow to read packages.list file.
allow traced_probes packages_list_file:file r_file_perms;
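Review bot: The comment `# Allow to temporarily lift the kptr_restrict setting ...` describes only the userdebug/eng path, but `allow traced_probes proc_kallsyms:file r_file_perms;` directly below it is unconditional, so on user builds traced_probes reads /proc/kallsyms with kptr_restrict still in force (presumably symbol names without usable addresses). Make the two cases explicit, e.g. `# On user builds kptr_restrict is never lowered; the read then yields only what the kernel exposes under the current kptr_restrict value.`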
diff --git a/private/vold.te b/private/vold.te
index 0f464a9..09388f1 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -44,3 +44,12 @@
use
};
+neverallow {
+ domain
+ -system_server
+ -vdc
+ -vold
+ -update_verifier
+ -apexd
+ -gsid
+} vold_service:service_manager find;
diff --git a/public/attributes b/public/attributes
index 45900a9..2ebcd6f 100644
--- a/public/attributes
+++ b/public/attributes
@@ -144,6 +144,9 @@
# services which export only system_api
attribute system_api_service;
+# services which are explicitly disallowed for untrusted apps to access
+attribute protected_service;
+
# services which served by vendor and also using the copy of libbinder on
# system (for instance via libbinder_ndk). services using a different copy
# of libbinder currently need their own context manager (e.g.
diff --git a/public/domain.te b/public/domain.te
index fb93e8f..4b245c6 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -436,6 +436,10 @@
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
neverallow { domain -init -vendor_init } proc_security:file { append open read write };
+# Allow the tracing daemon to use kallsyms to symbolize kernel traces. Addresses are not disclosed,
+# they are repalced with symbol names (if available). Traces don't disclose KASLR.
+neverallow { domain -init -vendor_init -traced_probes } proc_kallsyms:file { open read };
+
# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow * init:binder *;
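Review bot: The comment on the new `proc_kallsyms` neverallow has the typo `repalced` (should be `replaced`), and its statement `Traces don't disclose KASLR` appears to depend on traced_probes restoring kptr_restrict after building its map, which is runtime behaviour this policy line cannot enforce; it should not read as a guarantee. Suggest `# Addresses are replaced with symbol names when available; keeping KASLR hidden relies on traced_probes restoring kptr_restrict afterwards.`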
diff --git a/public/file.te b/public/file.te
index e9213b0..73a2f58 100644
--- a/public/file.te
+++ b/public/file.te
@@ -33,6 +33,7 @@
type proc_hung_task, fs_type, proc_type;
type proc_interrupts, fs_type, proc_type;
type proc_iomem, fs_type, proc_type;
+type proc_kallsyms, fs_type, proc_type;
type proc_keys, fs_type, proc_type;
type proc_kmsg, fs_type, proc_type;
type proc_loadavg, fs_type, proc_type;
diff --git a/public/init.te b/public/init.te
index f84bacb..805d9c2 100644
--- a/public/init.te
+++ b/public/init.te
@@ -412,6 +412,7 @@
LOOP_CTL_GET_FREE
LOOP_SET_BLOCK_SIZE
LOOP_SET_DIRECT_IO
+ LOOP_GET_STATUS
};
# Allow init to write to vibrator/trigger
diff --git a/public/service.te b/public/service.te
index 85d0fc5..cf268f8 100644
--- a/public/service.te
+++ b/public/service.te
@@ -218,15 +218,15 @@
### HAL Services
###
-type hal_face_service, vendor_service, service_manager_type;
-type hal_fingerprint_service, vendor_service, service_manager_type;
-type hal_gnss_service, vendor_service, service_manager_type;
-type hal_identity_service, vendor_service, service_manager_type;
-type hal_light_service, vendor_service, service_manager_type;
-type hal_power_service, vendor_service, service_manager_type;
-type hal_power_stats_service, vendor_service, service_manager_type;
-type hal_rebootescrow_service, vendor_service, service_manager_type;
-type hal_vibrator_service, vendor_service, service_manager_type;
+type hal_face_service, vendor_service, protected_service, service_manager_type;
+type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
+type hal_gnss_service, vendor_service, protected_service, service_manager_type;
+type hal_identity_service, vendor_service, protected_service, service_manager_type;
+type hal_light_service, vendor_service, protected_service, service_manager_type;
+type hal_power_service, vendor_service, protected_service, service_manager_type;
+type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
+type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
+type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
###
### Neverallow rules
diff --git a/public/vold.te b/public/vold.te
index 33fc620..737d215 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -69,7 +69,10 @@
# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
# location of the file's blocks on the raw block device to erase.
-allowxperm vold vold_data_file:file ioctl {
+allowxperm vold {
+ vold_data_file
+ vold_metadata_file
+}:file ioctl {
F2FS_IOC_SEC_TRIM_FILE
FS_IOC_FIEMAP
};
@@ -237,6 +240,7 @@
# Access metadata block device used for encryption meta-data.
allow vold metadata_block_device:blk_file rw_file_perms;
+allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;
# Allow vold to manipulate /data/unencrypted
allow vold unencrypted_data_file:{ file } create_file_perms;
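Review bot: `allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;` is added without a why-comment, whereas the neighbouring `F2FS_IOC_SEC_TRIM_FILE` / `FS_IOC_FIEMAP` allowxperm in the first hunk explains its purpose. Suggest a one-line comment above it naming the operation that needs it, e.g. `# Needed to securely discard blocks on the metadata block device.`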
@@ -333,15 +337,6 @@
neverallow { domain -vold -init } restorecon_prop:property_service set;
-neverallow {
- domain
- -system_server
- -vdc
- -vold
- -update_verifier
- -apexd
-} vold_service:service_manager find;
-
neverallow vold {
domain
-hal_health_storage_server
diff --git a/tests/policy.py b/tests/policy.py
index 0f51e2f..24466e9 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -103,6 +103,17 @@
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
return ret
+ def AssertPropertyOwnersAreExclusive(self):
+ systemProps = self.QueryTypeAttribute('system_property_type', True)
+ vendorProps = self.QueryTypeAttribute('vendor_property_type', True)
+ violators = systemProps.intersection(vendorProps)
+ ret = ""
+ if len(violators) > 0:
+ ret += "The following types have both system_property_type "
+ ret += "and vendor_property_type: "
+ ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ return ret
+
# Return all file_contexts entries that map to the input Type.
def QueryFc(self, Type):
if Type in self.__FcDict:
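Review bot: In `AssertPropertyOwnersAreExclusive`, `if len(violators) > 0:` can be the idiomatic `if violators:`, and the method has no docstring saying what it checks; a one-line `"""Return a message listing types that carry both system_property_type and vendor_property_type, or "" if none."""` under the def would do. The sibling method whose tail (`ret += " ".join(...)` / `return ret`) opens this hunk is defined outside the hunk and uses the same pattern, so the style point applies there as well.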
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index f8dc466..c92be7a 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -37,6 +37,10 @@
return pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor",
"/data/vendor_ce", "/data/vendor_de"], "core_data_file_type")
+def TestPropertyTypeViolations(pol):
+ return pol.AssertPropertyOwnersAreExclusive()
+
+
###
# extend OptionParser to allow the same option flag to be used multiple times.
# This is used to allow multiple file_contexts files and tests to be
@@ -62,6 +66,7 @@
"TestDebugfsTypeViolations",
"TestVendorTypeViolations",
"TestCoreDataTypeViolations",
+ "TestPropertyTypeViolations"
]
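Review bot: `"TestPropertyTypeViolations"` is appended to the Tests list without a trailing comma, unlike the entries above it, so the next addition has to edit this line too; use `"TestPropertyTypeViolations",`. The new test is also wired in three separate places (the function, this list and the `if options.test is None or ...` chain in the last hunk), which follows the existing pattern but is easy to leave out of sync when a test is added or renamed.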
if __name__ == '__main__':
@@ -115,6 +120,8 @@
results += TestVendorTypeViolations(pol)
if options.test is None or "TestCoreDataTypeViolations" in options.test:
results += TestCoreDataTypeViolations(pol)
+ if options.test is None or "TestPropertyTypeViolations" in options.test:
+ results += TestPropertyTypeViolations(pol)
if len(results) > 0:
sys.exit(results)