Merge "Make sepolicy-analyze for ATS."
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index e58fa4e..12e5c98 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -467,6 +467,7 @@
     proc_page_cluster
     proc_pagetypeinfo
     proc_panic
+    proc_pid_max
     proc_pipe_conf
     proc_random
     proc_sched
diff --git a/private/file_contexts b/private/file_contexts
index b93168b..5471638 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -291,6 +291,7 @@
 /(vendor|system/vendor)/manifest.xml           u:object_r:vendor_configs_file:s0
 /(vendor|system/vendor)/compatibility_matrix.xml u:object_r:vendor_configs_file:s0
 /(vendor|system/vendor)/app(/.*)?              u:object_r:vendor_app_file:s0
+/(vendor|system/vendor)/priv-app(/.*)?         u:object_r:vendor_app_file:s0
 /(vendor|system/vendor)/overlay(/.*)?          u:object_r:vendor_overlay_file:s0
 /(vendor|system/vendor)/framework(/.*)?        u:object_r:vendor_framework_file:s0
 
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 4f3a96c..09da56d 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -42,6 +42,7 @@
 genfscon proc /sys/kernel/panic_on_oops u:object_r:proc_panic:s0
 genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
 genfscon proc /sys/kernel/perf_event_paranoid u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/pid_max u:object_r:proc_pid_max:s0
 genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/random u:object_r:proc_random:s0
 genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
diff --git a/private/system_server.te b/private/system_server.te
index eaa1412..1d1b92b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -720,6 +720,13 @@
   allow system_server zygote_exec:file rx_file_perms;
 ')
 
+# ART Profiles.
+# Allow system_server to open profile snapshots for read.
+# System server never reads the actual content. It passes the descriptor to
+# to privileged apps which acquire the permissions to inspect the profiles.
+allow system_server user_profile_data_file:dir { search };
+allow system_server user_profile_data_file:file { open read };
+
 ###
 ### Neverallow rules
 ###
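Review bot: The comment above the new rules says system_server "never reads the actual content", but `allow system_server user_profile_data_file:file { open read };` grants exactly that and SELinux has no "open for passing only" permission, so the guarantee rests on the implementation, not on policy. The comment should say so rather than read as an enforced property, e.g. `# Note: policy grants read; not reading the content is a system_server implementation choice.`. The same comment has a doubled word, `the descriptor to` / `# to privileged apps`. Minor style: `{ search }` can be written as plain `search` like the single-permission rules elsewhere in this file.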
@@ -787,8 +794,7 @@
 
 # CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
 # file read access. However, that is now unnecessary (b/34951864)
-# This neverallow can be removed after b/34951864 is fixed.
-neverallow system_server system_server:capability sys_resource;
+neverallow system_server system_server:global_capability_class_set sys_resource;
 
 # TODO(b/67468181): Remove following lines upon resolution of this bug
 dontaudit system_server statscompanion_service:service_manager { add find };
diff --git a/public/domain.te b/public/domain.te
index f4d5c68..0d50c38 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -238,8 +238,8 @@
 # http://www.openwall.com/lists/oss-security/2016/09/26/14
 neverallowxperm * devpts:chr_file ioctl TIOCSTI;
 
-# Do not allow any domain other than init or recovery to create unlabeled files.
-neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
+# Do not allow any domain other than init to create unlabeled files.
+neverallow { domain -init } unlabeled:dir_file_class_set create;
 
 # Limit device node creation to these whitelisted domains.
 neverallow {
@@ -269,8 +269,10 @@
 # No domain needs mac_override as it is unused by SELinux.
 neverallow * self:global_capability2_class_set mac_override;
 
-# Only recovery needs mac_admin to set contexts not defined in current policy.
-neverallow { domain -recovery } self:global_capability2_class_set mac_admin;
+# Disallow attempts to set contexts not defined in current policy
+# This helps guarantee that unknown or dangerous contents will not ever
+# be set.
+neverallow * self:global_capability2_class_set mac_admin;
 
 # Once the policy has been loaded there shall be none to modify the policy.
 # It is sealed.
@@ -376,6 +378,7 @@
     -bootanim # for oemfs
     -recovery # for /tmp/update_binary in tmpfs
 } { fs_type -rootfs }:file execute;
+
 # Files from cache should never be executed
 neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
 
@@ -399,10 +402,12 @@
 neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
 neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
 
-# Only recovery should be doing writes to /system & /vendor
+# Nobody should be doing writes to /system & /vendor
+# These partitions are intended to be read-only and must never be
+# modified. Doing so would violate important Android security guarantees
+# and invalidate dm-verity signatures.
 neverallow {
     domain
-    -recovery
     with_asan(`-asan_extract')
 } {
     system_file
@@ -410,7 +415,7 @@
     exec_type
 }:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
 
-neverallow { domain -recovery -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;
 
 # Don't allow mounting on top of /system files or directories
 neverallow * exec_type:dir_file_class_set mounton;
@@ -426,7 +431,7 @@
 # Ensure that context mount types are not writable, to ensure that
 # the write to /system restriction above is not bypassed via context=
 # mount to another type.
-neverallow { domain -recovery } contextmount_type:dir_file_class_set
+neverallow * contextmount_type:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
 
 # Do not allow service_manager add for default service labels.
@@ -462,8 +467,8 @@
   domain
   -adbd
   -dumpstate
-  -hal_drm
-  -hal_cas
+  -hal_drm_server
+  -hal_cas_server
   -init
   -mediadrmserver
   -recovery
@@ -503,7 +508,7 @@
 neverallow {
   domain
   userdebug_or_eng(`-domain') # exclude debuggable builds
-  -hal_bootctl
+  -hal_bootctl_server
   -init
   -uncrypt
   -update_engine
@@ -1091,12 +1096,9 @@
 # vendor, and boot partitions.
 neverallow * ~{ system_file vendor_file rootfs }:system module_load;
 
-# Only allow filesystem caps to be set at build time or
-# during upgrade by recovery.
-neverallow {
-  domain
-  -recovery
-} self:global_capability_class_set setfcap;
+# Only allow filesystem caps to be set at build time. Runtime changes
+# to filesystem capabilities are not permitted.
+neverallow * self:global_capability_class_set setfcap;
 
 # Enforce AT_SECURE for executing crash_dump.
 neverallow domain crash_dump:process noatsecure;
diff --git a/public/file.te b/public/file.te
index 29bf9be..6c11b81 100644
--- a/public/file.te
+++ b/public/file.te
@@ -38,6 +38,7 @@
 type proc_pagetypeinfo, fs_type;
 type proc_panic, fs_type;
 type proc_perf, fs_type;
+type proc_pid_max, fs_type;
 type proc_pipe_conf, fs_type;
 type proc_random, fs_type;
 type proc_sched, fs_type;
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 0665e26..dd7b140 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -23,11 +23,11 @@
 ###
 
 # Should never execute any executable without a domain transition
-neverallow hal_audio { file_type fs_type }:file execute_no_trans;
+neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;
 
 # Should never need network access.
 # Disallow network sockets.
-neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;
 
 # Only audio HAL may directly access the audio hardware
 neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
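Review bot: Narrowing the subject of these two neverallows from `hal_audio` to `hal_audio_server` removes client domains from the execute_no_trans and TCP/UDP/raw-socket prohibitions, so a domain that only carries hal_audio_client is no longer guaranteed by this file to be unable to execute without a transition or open network sockets; the same narrowing is made in hal_camera.te, hal_cas.te and hal_drm.te in this commit. If clients are covered elsewhere, or were never meant to be the subject, that reason belongs next to the rule, e.g. `# Only the HAL process is restricted here; client domains carry their own network/exec neverallows.`; otherwise the socket rule in particular should keep the broader attribute.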
diff --git a/public/hal_camera.te b/public/hal_camera.te
index d0824c3..4265b8a 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -23,10 +23,10 @@
 
 # hal_camera should never execute any executable without a
 # domain transition
-neverallow hal_camera { file_type fs_type }:file execute_no_trans;
+neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
 
 # hal_camera should never need network access. Disallow network sockets.
-neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;
 
 # Only camera HAL may directly access the camera hardware
 neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
diff --git a/public/hal_cas.te b/public/hal_cas.te
index b4801c5..7f65358 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -7,7 +7,7 @@
 allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
 
 # Permit reading device's serial number from system properties
-get_prop(hal_cas, serialno_prop)
+get_prop(hal_cas_server, serialno_prop)
 
 # Read files already opened under /data
 allow hal_cas system_data_file:file { getattr read };
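Review bot: `get_prop` is retargeted from the `hal_cas` attribute to `hal_cas_server`, but the adjacent context line `allow hal_cas system_data_file:file { getattr read };` still targets the umbrella attribute, so client domains keep the file access while losing the property read. If this series is binding server-side grants to `hal_cas_server`, that rule should follow: `allow hal_cas_server system_data_file:file { getattr read };`. If clients genuinely need it, a one-line comment saying so would prevent the next reader from "fixing" it.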
@@ -29,7 +29,7 @@
 
 # hal_cas should never execute any executable without a
 # domain transition
-neverallow hal_cas { file_type fs_type }:file execute_no_trans;
+neverallow hal_cas_server { file_type fs_type }:file execute_no_trans;
 
 # do not allow privileged socket ioctl commands
-neverallowxperm hal_cas domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index fbd90eb..a46dd91 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -47,7 +47,7 @@
 
 # hal_drm should never execute any executable without a
 # domain transition
-neverallow hal_drm { file_type fs_type }:file execute_no_trans;
+neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;
 
 # do not allow privileged socket ioctl commands
-neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/public/recovery.te b/public/recovery.te
index 3e3c28e..f6ad47f 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -12,10 +12,7 @@
   # Recovery can only use HALs in passthrough mode
   passthrough_hal_client_domain(recovery, hal_bootctl)
 
-  allow recovery self:global_capability_class_set { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
-
-  # Set security contexts on files that are not known to the loaded policy.
-  allow recovery self:global_capability2_class_set mac_admin;
+  allow recovery self:global_capability_class_set { dac_override fowner setuid setgid sys_admin sys_tty_config };
 
   # Run helpers from / or /system without changing domain.
   r_dir_file(recovery, rootfs)
@@ -29,26 +26,9 @@
   allow recovery unlabeled:filesystem ~relabelto;
   allow recovery contextmount_type:filesystem relabelto;
 
-  # Create and relabel files and directories under /system.
-  allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
-  allow recovery { system_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
-  allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
-
-  # We may be asked to set an SELinux label for a type not known to the
-  # currently loaded policy. Allow it.
-  allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
-  allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
   # Get file contexts
   allow recovery file_contexts_file:file r_file_perms;
 
-  # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
-  # support to OTAs. However, that code has a bug. When an update occurs,
-  # some directories are inappropriately labeled as exec_type. This is
-  # only transient, and subsequent steps in the OTA script correct this
-  # mistake. New devices are moving to block based OTAs, so this is not
-  # worth fixing. b/15575013
-  allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
-
   # Write to /proc/sys/vm/drop_caches
   allow recovery proc_drop_caches:file w_file_perms;
 
diff --git a/public/shell.te b/public/shell.te
index cac84d4..1318c35 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -115,6 +115,7 @@
   proc_interrupts
   proc_meminfo
   proc_modules
+  proc_pid_max
   proc_stat
   proc_timer
   proc_uptime
diff --git a/public/te_macros b/public/te_macros
index aad2949..18e5e61 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -213,7 +213,6 @@
 attribute hal_$1_server;
 expandattribute hal_$1_server false;
 
-neverallow { hal_$1_client -halclientdomain } domain:process fork;
 neverallow { hal_$1_server -halserverdomain } domain:process fork;
 ')
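Review bot: Dropping `neverallow { hal_$1_client -halclientdomain } domain:process fork;` leaves only the server-side fork neverallow in this macro, and nothing visible here replaces the client-side guarantee. Presumably every hal_$1_client is already a halclientdomain by construction through the client-side macro, which would make the removed rule redundant, but the macro body in this hunk does not show that. A short comment on the kept rule would make the asymmetry deliberate, e.g. `# No client-side fork neverallow: hal_*_client is only ever granted together with halclientdomain.`, adjusted to what the client macro actually does. The macro definition begins before this hunk.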
 
diff --git a/public/vold.te b/public/vold.te
index b446915..9dbf8dd 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -210,7 +210,7 @@
 neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
 neverallow vold {
   domain
-  -hal_keymaster
+  -hal_keymaster_server
   -healthd
   -hwservicemanager
   -servicemanager
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 1efbe73..d28121e 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -16,6 +16,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@1\.0-service           u:object_r:hal_gnss_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service   u:object_r:hal_graphics_allocator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@2\.1-service    u:object_r:hal_graphics_composer_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@2\.2-service    u:object_r:hal_graphics_composer_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service         u:object_r:hal_health_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service             u:object_r:hal_ir_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service      u:object_r:hal_keymaster_default_exec:s0