Skip to content
Snippets Groups Projects
  1. Dec 05, 2017
  2. Nov 30, 2017
  3. Jul 30, 2017
  4. Jul 27, 2017
    • Jeff Vander Stoep's avatar
      netd: relax binder neverallow rules for hwservices · faaf86bc
      Jeff Vander Stoep authored
      Relax neverallow rule restricting binder access to/from netd so that
      netd can export hwbinder services to vendor components.
      
      Continue to disallow app access to netd via binder.
      
      Bug: 36682246
      Test: build
      Merged-In: I8e558ea1add6c36b966ec1da204062ea82df3f3f
      Change-Id: I063df6dded94d8b0f5214b2c94c4f46bdafb03d7
      faaf86bc
  5. Jun 26, 2017
    • Jeff Vander Stoep's avatar
      Add another extraneous neverallow rule to force attribute inclusion · c75aa50d
      Jeff Vander Stoep authored
      Due to the massively increased number of attributes in SELinux policy
      as part of the treble changes, we have had to remove attributes from
      policy for performance reasons.  Unfortunately, some attributes are
      required to be in policy to ensure that our neverallow rules are being
      properly enforced.  Usually this is not a problem, since neverallow rules
      indicate that an attribute should be kept, but this is not currently the
      case when the attribute is part of a negation in a group.
      
      This is particularly problematic with treble since some attributes may
      exist for HALs that have no implementation, and thus no types.  In
      particular, this has caused an issue with the neverallows added in our
      macros.  Add an extraneous neverallow rule to each of those auto-generated
      neverallow rules to make sure that they are not removed from policy, until
      the policy compiler is fixed to avoid this.  Also add corresponding rules
      for other types which have been removed due to no corresponding rules.
      
      Bug: 62658302
      Bug: 62999603
      Test: Build Marlin policy.
      Test: verify attribute exists in policy using sepolicy-analyze.
          sepolicy-analyze $OUT/vendor/etc/selinux/precompiled_sepolicy \
          attribute hal_tetheroffload_server
      Test: CTS neverallow tests pass.
          cts-tradefed run cts -m CtsSecurityHostTestCases -t \
          android.cts.security.SELinuxNeverallowRulesTest
      Change-Id: I62596ba8198ffdcbb4315df639a834e4becaf249
      c75aa50d
  6. Jun 22, 2017
  7. Jun 21, 2017
  8. Jun 20, 2017
  9. Jun 16, 2017
    • TreeHugger Robot's avatar
    • TreeHugger Robot's avatar
    • Daniel Rosenberg's avatar
      Add rules for vfat for sdcardfs · 260a4485
      Daniel Rosenberg authored
      
      This adds parellel rules to the ones added for media_rw_data_file
      to allow apps to access vfat under sdcardfs. This should be reverted
      if sdcardfs is modified to alter the secontext it used for access to
      the lower filesystem
      
      Change-Id: Idb123206ed2fac3ead88b0c1ed0b66952597ac65
      Bug: 62584229
      Test: Run android.appsecurity.cts.ExternalStorageHostTest with
            an external card formated as vfat
      Signed-off-by: default avatarDaniel Rosenberg <drosen@google.com>
      260a4485
    • Dan Cashman's avatar
      Add extraneous neverallow rule to enforce attribute inclusion. · 939b50ff
      Dan Cashman authored
      Due to the massively increased number of attributes in SELinux policy
      as part of the treble changes, we have had to remove attributes from
      policy for performance reasons.  Unfortunately, some attributes are
      required to be in policy to ensure that our neverallow rules are being
      properly enforced.  Usually this is not a problem, since neverallow rules
      indicate that an attribute should be kept, but this is not currently the
      case when the attribute is part of a negation in a group.
      
      This is particularly problematic with treble since some attributes may
      exist for HALs that have no implementation, and thus no types.  In
      particular, this has caused an issue with the neverallows added in our
      macros.  Add an extraneous neverallow rule to each of those auto-generated
      neverallow rules to make sure that they are not removed from policy, until
      the policy compiler is fixed to avoid this.  Also add corresponding rules
      for other types which have been removed due to no corresponding rules.
      
      Bug: 62591065
      Bug: 62658302
      Test: Attributes present in policy and CTS passes.  sepolicy-analyze also
      works on platform-only policy.
      Change-Id: Ic3fc034cdbd04a94167f8240cf562297e8d7c762
      939b50ff
    • Sandeep Patil's avatar
      Merge changes from topic 'fix-neverallow-violation' into oc-dev · 3692b318
      Sandeep Patil authored
      * changes:
        build: run neverallow checks on platform sepolicy
        radio: disalllow radio and rild socket for treble devices
      3692b318
  10. Jun 14, 2017
    • Carmen Jackson's avatar
      Add debug selinux permission to write saved_cmdlines_size. · e9381d5e
      Carmen Jackson authored
      Now that we're expected to use this when taking traces, we need to add
      this permission so that Traceur can also access this file.
      
      Test: Used Traceur and saw the traces appear in the bugreports
      directory, as expected.
      Bug: 62493544
      
      Change-Id: Ib4304176abbb51e2e3b45c566ff14574e1cfaa82
      Merged-In: I464b0df30fabfc5f1c7cd7430e53e8d04bfacb53
      (this merged-in is not the same change; it's a conflicting change in
      master)
      e9381d5e
    • Sandeep Patil's avatar
      build: run neverallow checks on platform sepolicy · cfb6f352
      Sandeep Patil authored
      
      This will prevent us from breaking our own neverallow rules
      in the platform sepolicy regardless of vendor policy adding
      exceptions to the neverallow rules using "*_violators" attributes
      
      Bug: 62616897
      Bug: 62343727
      
      Test: Build policy for sailfish
      Test: Build policy with radio to rild socket rule enabled for all
            and ensure the build fails
      
      Change-Id: Ic66ec3e10c76a7c9a17669e0d3deb3a1c7b00809
      Signed-off-by: default avatarSandeep Patil <sspatil@google.com>
      cfb6f352
    • Sandeep Patil's avatar
      radio: disalllow radio and rild socket for treble devices · d3381cd9
      Sandeep Patil authored
      
      This violates the socket comms ban between coredomain (radio) and
      non coredomain (rild) in the platform policy.
      
      Bug: 62616897
      Bug: 62343727
      
      Test: Build and boot sailfish
      
      Change-Id: I48303bbd8b6eb62c120a551d0f584b9733fc2d43
      Signed-off-by: default avatarSandeep Patil <sspatil@google.com>
      d3381cd9
  11. Jun 13, 2017
    • Jeff Vander Stoep's avatar
      Build split file_contexts for recovery · b236eb6c
      Jeff Vander Stoep authored
      [    7.674739] selinux: selinux_android_file_context: Error getting
      file context handle (No such file or directory)
      
      Bug: 62564629
      Test: build and flash marlin. Successfully switch between regular
          and recovery modes
      
      Change-Id: I0f871f8842d95322c844fb7b13ad1b4b42578e35
      b236eb6c
  12. Jun 10, 2017
    • Jeff Vander Stoep's avatar
      Move non-treble devices to split file_contexts · 7a68c5ae
      Jeff Vander Stoep authored
      This change is primarily to fix CTS which checks file ordering of
      file_contexts. Having two separate means of loading file_contexts
      has resulted in ordering variations.
      
      Previously the binary file_contexts was preferred since it
      loaded faster. However with the move to libpcre2, there is no
      difference in loading time between text and binary file_contexts.
      This leaves us with build system complexity with no benefit.
      Thus removing this unnecessary difference between devices.
      
      Bug: 38502071
      Test: build and boot non-Treble Bullhead, run CTS tests below
      Test: build and boot Treble Marlin, run CTS tests below
      Test: cts-tradefed run singleCommand cts --skip-device-info \
          --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
          --module CtsSecurityHostTestCases \
          -t android.security.cts.SELinuxHostTest#testAospFileContexts
      Test: cts-tradefed run singleCommand cts --skip-device-info \
          --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
          --module CtsSecurityHostTestCases \
          -t android.security.cts.SELinuxHostTest#testValidFileContexts
      Change-Id: I088b3aeafaaab320f6658feb058a1fb89cbb65e1
      7a68c5ae
  13. Jun 06, 2017
  14. Jun 05, 2017
    • Jeff Vander Stoep's avatar
      Run Treble sepolicy tests at build time · 1fc0682e
      Jeff Vander Stoep authored
      Bug: 37008075
      Test: build policy on Marlin
      Change-Id: I53748f94c5df66fa17a53e7d0bed1be6b8603544
      (cherry picked from commit e1ddc6df)
      1fc0682e
    • Sandeep Patil's avatar
      Fix coredomain violation for modprobe · e41af203
      Sandeep Patil authored
      
      modprobe domain was allowed to launch vendor toolbox even if its a
      coredomain. That violates the treble separation. Fix that by creating a
      separate 'vendor_modprobe' domain that init is allowed to transition to
      through vendor_toolbox.
      
      Bug: 37008075
      Test: Build and boot sailfish
      
      Change-Id: Ic3331797691bb5d1fdc05a674aa4aa313e1f86b2
      Signed-off-by: default avatarSandeep Patil <sspatil@google.com>
      (cherry picked from commit 9e366a0e)
      e41af203
    • Jeff Vander Stoep's avatar
      Verify correct application of labels and attributes · bdfc0301
      Jeff Vander Stoep authored
      With project Treble, we're relying heavily on attributes for
      permission inheritance and enforcement of separation between
      platform and vendor components.
      
      We neead tests that verify those attributes are correctly applied.
      This change adds the framework for those tests including a wrapper
      around libsepol for loading and querying policy, and a python module
      for running tests on policy and file_contexts.
      
      Included with the testing framework is a test asserting that the
      coredomain attribute is only applied to core processes. This
      verification is done using the following rules:
      1. Domain's entrypoint is on /system - coredomain
      2. Domain's entrypoint is on /vendor - not coredomain
      3. Domain belongs to a whitelist of known coredomains - coredomain
      
      In a subsequent commit these tests will be applied at build time.
      However, I first need to fix existing Treble violations exposed by
      this test. These tests will also be applied during CTS.
      
      Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \
          treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \
          -f $OUT/vendor/etc/selinux/nonplat_file_contexts \
          -f $OUT/system/etc/selinux/plat_file_contexts
      Bug: 37008075
      Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9
      (cherry picked from commit 0366afdf)
      bdfc0301
  15. Jun 03, 2017
  16. Jun 02, 2017
  17. Jun 01, 2017
  18. May 31, 2017
  19. May 30, 2017
  20. May 26, 2017
  21. May 25, 2017
Loading