Merge "Add sepolicy for hal_wifi to access /proc/modules"

commit: 6acd70b91845e752227244f20a4eb921077dc16a [log] [tgz]
author: Treehugger Robot <treehugger-gerrit@google.com> Thu Jun 22 15:35:12 2017 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Thu Jun 22 15:35:14 2017 +0000
tree: 05d7bcbb7f047a1c1ea9e6e891cb937a6becb352
parent: 3b7d9e49df9d4b4803b0b727cf980ae5f7926a20 [diff]
parent: 403efef2aff7269433b1b4a56822528c531a2b84 [diff]
diff --git a/OWNERS b/OWNERS
new file mode 100644
index 0000000..4bd7e34
--- /dev/null
+++ b/OWNERS

@@ -0,0 +1,6 @@
+nnk@google.com
+jeffv@google.com
+klyubin@google.com
+dcashman@google.com
+jbires@google.com
+sspatil@google.com

diff --git a/private/app.te b/private/app.te
index 359c354..c87bd84 100644
--- a/private/app.te
+++ b/private/app.te

@@ -109,10 +109,26 @@
 # Read icon file (opened by system).
 allow appdomain icon_file:file { getattr read };
 
-# Write to /data/anr/traces.txt.
+# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
+#
+# TODO: All of these permissions except for anr_data_file:file append can be
+# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
+# and the rules below.
 allow appdomain anr_data_file:dir search;
 allow appdomain anr_data_file:file { open append };
 
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow apps to connect and write to the tombstoned java trace socket in
+# order to dump their traces. Also allow them to append traces to pipes
+# created by dumptrace. (Also see the rules below where they are given
+# additional permissions to dumpstate pipes for other aspects of bug report
+# creation).
+unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
+allow appdomain tombstoned:fd use;
+allow appdomain dumpstate:fifo_file append;
+
 # Allow apps to send dump information to dumpstate
 allow appdomain dumpstate:fd use;
 allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };

diff --git a/private/file_contexts b/private/file_contexts
index 5433ea8..fa27bd1 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -146,6 +146,7 @@
 /dev/socket/rild	u:object_r:rild_socket:s0
 /dev/socket/rild-debug	u:object_r:rild_debug_socket:s0
 /dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
+/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
 /dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
 /dev/socket/uncrypt	u:object_r:uncrypt_socket:s0
 /dev/socket/vold	u:object_r:vold_socket:s0

diff --git a/private/platform_app.te b/private/platform_app.te
index 984bb7b..42534bd 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te

@@ -50,6 +50,7 @@
 allow platform_app persistent_data_block_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app surfaceflinger_service:service_manager find;
+allow platform_app timezone_service:service_manager find;
 allow platform_app app_api_service:service_manager find;
 allow platform_app system_api_service:service_manager find;
 allow platform_app vr_manager_service:service_manager find;

diff --git a/private/property_contexts b/private/property_contexts
index 2315034..8eb2f28 100644
--- a/private/property_contexts
+++ b/private/property_contexts

@@ -50,6 +50,7 @@
 logd.logpersistd        u:object_r:logpersistd_logging_prop:s0
 persist.log.tag         u:object_r:log_tag_prop:s0
 persist.mmc.            u:object_r:mmc_prop:s0
+persist.netd.stable_secret      u:object_r:netd_stable_secret_prop:s0
 persist.sys.            u:object_r:system_prop:s0
 persist.sys.safemode    u:object_r:safemode_prop:s0
 ro.sys.safemode         u:object_r:safemode_prop:s0

diff --git a/private/service_contexts b/private/service_contexts
index 8be98e9..8a4650e 100644
--- a/private/service_contexts
+++ b/private/service_contexts

@@ -147,6 +147,7 @@
 telephony.registry                        u:object_r:registry_service:s0
 textclassification                        u:object_r:textclassification_service:s0
 textservices                              u:object_r:textservices_service:s0
+timezone                                  u:object_r:timezone_service:s0
 trust                                     u:object_r:trust_service:s0
 tv_input                                  u:object_r:tv_input_service:s0
 uimode                                    u:object_r:uimode_service:s0

diff --git a/private/system_server.te b/private/system_server.te
index 6a11448..7b95600 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -95,7 +95,7 @@
 allow system_server self:netlink_route_socket nlmsg_write;
 
 # Kill apps.
-allow system_server appdomain:process { sigkill signal };
+allow system_server appdomain:process { getpgid sigkill signal };
 
 # Set scheduling info for apps.
 allow system_server appdomain:process { getsched setsched };
@@ -303,9 +303,24 @@
 allow system_server asec_public_file:file create_file_perms;
 
 # Manage /data/anr.
+#
+# TODO: Some of these permissions can be withdrawn once we've switched to the
+# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
+# the system_server should never need to create a new anr_data_file:file or write
+# to one, but it will still need to read and append to existing files.
 allow system_server anr_data_file:dir create_dir_perms;
 allow system_server anr_data_file:file create_file_perms;
 
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow system_server to connect and write to the tombstoned java trace socket in
+# order to dump its traces. Also allow the system server to write its traces to
+# dumpstate during bugreport capture.
+unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
+allow system_server tombstoned:fd use;
+allow system_server dumpstate:fifo_file append;
+
 # Read /data/misc/incidents - only read. The fd will be sent over binder,
 # with no DAC access to it, for dropbox to read.
 allow system_server incident_data_file:file read;

diff --git a/public/domain.te b/public/domain.te
index 958481f..ed7403b 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -481,14 +481,19 @@
   # Processes that can't exec crash_dump
   -mediacodec
   -mediaextractor
-} tombstoned:unix_stream_socket connectto;
+} tombstoned_crash_socket:unix_stream_socket connectto;
+
 neverallow {
   domain
   -crash_dump
   -mediacodec
   -mediaextractor
 } tombstoned_crash_socket:sock_file write;
+
+# Never allow anyone except dumpstate or the system server to connect or write to
+# the tombstoned intercept socket.
 neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write;
+neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
 
 # Android does not support System V IPCs.
 #

diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index 64ad3e6..aaf516c 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te

@@ -24,7 +24,7 @@
 # This is used for e.g. adb backup/restore.
 allow domain_deprecated adbd:fd use;
 userdebug_or_eng(`
-auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
+auditallow { domain_deprecated -appdomain -system_server -runas } adbd:fd use;
 ')
 
 # Root fs.

diff --git a/public/file.te b/public/file.te
index 8a48dfe..7e11c64 100644
--- a/public/file.te
+++ b/public/file.te

@@ -243,6 +243,7 @@
 type system_wpa_socket, file_type;
 type system_ndebug_socket, file_type, mlstrustedobject;
 type tombstoned_crash_socket, file_type, mlstrustedobject;
+type tombstoned_java_trace_socket, file_type, mlstrustedobject;
 type tombstoned_intercept_socket, file_type;
 type uncrypt_socket, file_type;
 type vold_socket, file_type;

diff --git a/public/init.te b/public/init.te
index e293cef..699e641 100644
--- a/public/init.te
+++ b/public/init.te

@@ -270,7 +270,7 @@
 
 # Support "adb shell stop"
 allow init self:capability kill;
-allow init domain:process { sigkill signal };
+allow init domain:process { getpgid sigkill signal };
 
 # Init creates keystore's directory on boot, and walks through
 # the directory as part of a recursive restorecon.

diff --git a/public/netd.te b/public/netd.te
index 35d9b7c..d01d2f8 100644
--- a/public/netd.te
+++ b/public/netd.te

@@ -58,6 +58,7 @@
 allow netd clatd:process signal;
 
 set_prop(netd, ctl_mdnsd_prop)
+set_prop(netd, netd_stable_secret_prop)
 
 # Allow netd to publish a binder service and make binder calls.
 binder_use(netd)
@@ -104,3 +105,11 @@
 neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
 neverallow { domain -system_server -dumpstate } netd:binder call;
 neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
+
+# persist.netd.stable_secret contains RFC 7217 secret key which should never be
+# leaked to other processes. Make sure it never leaks.
+neverallow { domain -netd -init } netd_stable_secret_prop:file r_file_perms;
+
+# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
+# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
+neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;

diff --git a/public/property.te b/public/property.te
index daac0fb..95efcaa 100644
--- a/public/property.te
+++ b/public/property.te

@@ -30,6 +30,7 @@
 type mmc_prop, property_type;
 type net_dns_prop, property_type;
 type net_radio_prop, property_type, core_property_type;
+type netd_stable_secret_prop, property_type;
 type nfc_prop, property_type, core_property_type;
 type overlay_prop, property_type;
 type pan_result_prop, property_type, core_property_type;

diff --git a/public/runas.te b/public/runas.te
index 19e30e8..e56a9e7 100644
--- a/public/runas.te
+++ b/public/runas.te

@@ -1,7 +1,9 @@
 type runas, domain, domain_deprecated, mlstrustedsubject;
 type runas_exec, exec_type, file_type;
 
+allow runas adbd:fd use;
 allow runas adbd:process sigchld;
+allow runas adbd:unix_stream_socket { read write };
 allow runas shell:fd use;
 allow runas shell:fifo_file { read write };
 allow runas shell:unix_stream_socket { read write };

diff --git a/public/service.te b/public/service.te
index db5aea7..157c9c0 100644
--- a/public/service.te
+++ b/public/service.te

@@ -125,6 +125,7 @@
 type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type timezone_service, system_server_service, service_manager_type;
 type trust_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;

diff --git a/public/te_macros b/public/te_macros
index c3743e5..ee19b00 100644
--- a/public/te_macros
+++ b/public/te_macros

@@ -458,7 +458,9 @@
   allow $1 su:fifo_file append;
 ')
 allow $1 anr_data_file:file append;
-allow $1 dumpstate:fifo_file append;
+allow $1 dumpstate:fd use;
+# TODO: Figure out why write is needed and remove.
+allow $1 dumpstate:fifo_file { append write };
 allow $1 tombstoned:unix_stream_socket connectto;
 allow $1 tombstoned:fd use;
 allow $1 tombstoned_crash_socket:sock_file write;

diff --git a/public/tombstoned.te b/public/tombstoned.te
index 37243bb..cf3ddcb 100644
--- a/public/tombstoned.te
+++ b/public/tombstoned.te

@@ -10,8 +10,13 @@
 allow tombstoned domain:file r_file_perms;
 allow tombstoned tombstone_data_file:dir rw_dir_perms;
 allow tombstoned tombstone_data_file:file create_file_perms;
-allow tombstoned anr_data_file:file { getattr append };
 
-# TODO: Find out why this is happening.
-allow tombstoned anr_data_file:file write;
-auditallow tombstoned anr_data_file:file write;
+# TODO: Remove append / write permissions. They were temporarily
+# granted due to a bug which appears to have been fixed.
+allow tombstoned anr_data_file:file { append write };
+auditallow tombstoned anr_data_file:file { append write };
+
+# Changes for the new stack dumping mechanism. Each trace goes into a
+# separate file, and these files are managed by tombstoned.
+allow tombstoned anr_data_file:dir rw_dir_perms;
+allow tombstoned anr_data_file:file { getattr open create };
commit	6acd70b91845e752227244f20a4eb921077dc16a	[log] [tgz]
author	Treehugger Robot <treehugger-gerrit@google.com>	Thu Jun 22 15:35:12 2017 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Thu Jun 22 15:35:14 2017 +0000
tree	05d7bcbb7f047a1c1ea9e6e891cb937a6becb352
parent	3b7d9e49df9d4b4803b0b727cf980ae5f7926a20 [diff]
parent	403efef2aff7269433b1b4a56822528c531a2b84 [diff]