From ce5420fdf4b9ea4cb42b82f2bb5c133d21bb92e7 Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Wed, 9 Oct 2024 13:05:12 +0800
Subject: [PATCH 1/6] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 372360090
Bug: 372359823
Bug: 372360278
Flag: EXEMPT NDK
Change-Id: I9d195d35cc58503fc7c17a8fac5fabe66026c24b
---
 tracking_denials/bug_map | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index bb50b3a8..404c8f0f 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -2,7 +2,10 @@ dump_display sysfs file b/350831939
 dump_modem sscoredump_vendor_data_coredump_file dir b/361726277
 dump_modem sscoredump_vendor_data_logcat_file dir b/361726277
 dumpstate unlabeled file b/350832009
+hal_camera_default cgroup_desc_file file b/372360090
 hal_face_default traced_producer_socket sock_file b/305600808
+hal_graphics_composer_default cgroup_desc_file file b/372359823
+hal_power_default cgroup_desc_file file b/372360278
 hal_power_default hal_power_default capability b/237492146
 hal_sensors_default sysfs file b/336451433
 hal_vibrator_default default_android_service service_manager b/360057889
From f906b69f95df284e1b261241c429e530f4340180 Mon Sep 17 00:00:00 2001
From: Eileen Lai
Date: Thu, 3 Oct 2024 05:37:41 +0000
Subject: [PATCH 2/6] modem_svc: use shared_modem_platform to replace all modem_svc_sit
Bug: 368257019
Flag: NONE local testing only
Change-Id: Icc258ce297b5e7ea51fa60aa2ffb09ce99b7ef18
---
 whitechapel_pro/file_contexts | 2 +-
 whitechapel_pro/modem_svc_sit.te | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index dc8e89b4..77fe8ccc 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -5,7 +5,7 @@
 /vendor/bin/vcd u:object_r:vcd_exec:s0
 /vendor/bin/chre u:object_r:chre_exec:s0
 /vendor/bin/cbd u:object_r:cbd_exec:s0
-/vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
+/vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0
 /vendor/bin/rfsd u:object_r:rfsd_exec:s0
 /vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
 /vendor/bin/storageproxyd u:object_r:tee_exec:s0
diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te
index 606cd520..d93789d7 100644
--- a/whitechapel_pro/modem_svc_sit.te
+++ b/whitechapel_pro/modem_svc_sit.te
@@ -1,3 +1,4 @@
+# Selinux rule for modem_svc_sit daemon
 type modem_svc_sit, domain;
 type modem_svc_sit_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(modem_svc_sit)
@@ -37,6 +38,9 @@ get_prop(modem_svc_sit, hwservicemanager_prop)
 # logging property
 get_prop(modem_svc_sit, vendor_logger_prop)
+# Modem SVC will register the default instance of the AIDL ISharedModemPlatform hal.
+hal_server_domain(modem_svc_sit, hal_shared_modem_platform)
+
 userdebug_or_eng(`
 allow modem_svc_sit radio_test_device:chr_file rw_file_perms;
 ')
From 588e82af38f5141b4e5a18fcf36ba4740dae8de4 Mon Sep 17 00:00:00 2001
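Review bot: The new entry `/vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0` keeps the old exec type and therefore the `modem_svc_sit` domain, so the binary name and its security domain no longer match, which makes future denials and bug_map entries for this daemon harder to attribute. The subject says shared_modem_platform replaces all of modem_svc_sit, yet the types are not renamed; if keeping the old names is deliberate, a comment next to the entry such as `# modem_svc_sit_exec/modem_svc_sit retained for the renamed shared_modem_platform binary` would record that. The old `/vendor/bin/modem_svc_sit` path now has no entry, so if that binary still ships it would receive the default /vendor label and init would not transition it into the daemon's domain — confirm the old binary is removed with this change.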
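Review bot: `hal_server_domain(modem_svc_sit, hal_shared_modem_platform)` depends on a `hal_shared_modem_platform` attribute that is neither declared in this patch nor covered by its diffstat (only file_contexts and modem_svc_sit.te change), and no service_contexts label for the ISharedModemPlatform default instance is added either. If both already exist elsewhere in the policy this is fine; if not, the policy will likely fail to compile, or the registration will be denied because the service falls to the default service label, and the commit message ("local testing only") does not say which case applies. It would help to extend the new comment with where those pieces live, e.g. `# hal_shared_modem_platform attribute and the service label are declared in <file> (placeholder).`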
From: Nick Kralevich
Date: Tue, 15 Oct 2024 10:14:23 -0700
Subject: [PATCH 3/6] convert-to-ext4-sh.te: use su domain instead
07af2808d5285376958664823fb1d2a5c9576958 (b/239632964) added security policy support for /system_ext/bin/convert_to_ext4.sh. This shell script converts f2fs filesystems into ext4 filesystems on debuggable builds (userdebug or eng) only. Ever since 2022, the security policy for this shell script has been in permissive mode, meaning no SELinux rules were being enforced.
# convert-to-ext4-sh.te
permissive convert-to-ext4-sh;
In the intervening 2 years, there has been no attempt to move this domain into enforcing mode. And by now, this script has likely served its purpose, by converting f2fs /persist filesystems on engineering builds to ext4, and is probably no longer needed. This change eliminates the use of the unenforced convert-to-ext4-sh security domain, preferring instead to use the "su" security domain. Like convert-to-ext4-sh, the su security domain enforces no rules on debuggable builds, and is equivalent to traditional root on desktop Linux systems, or running /system/xbin/su. This change eliminates unnecessary technical complexity, and unblocks other hardening changes, such as WIP commit https://android-review.googlesource.com/c/platform/system/sepolicy/+/3308856
Moving from one permissive domain ("convert-to-ext4-sh") to another permissive domain ("su") should be a no-op from a security and functionality perspective.
Test: compiles and builds, passes treehugger.
Bug: 239632964
Change-Id: Ifd628310a923926d1a57b568c7703cb857f0871b
---
 whitechapel_pro/convert-to-ext4-sh.te | 34 ---------------------------
 whitechapel_pro/file.te | 3 +++
 whitechapel_pro/init.te | 11 +++++++++
 3 files changed, 14 insertions(+), 34 deletions(-)
 delete mode 100644 whitechapel_pro/convert-to-ext4-sh.te
diff --git a/whitechapel_pro/convert-to-ext4-sh.te b/whitechapel_pro/convert-to-ext4-sh.te
deleted file mode 100644
index d64382df..00000000
--- a/whitechapel_pro/convert-to-ext4-sh.te
+++ /dev/null
@@ -1,34 +0,0 @@
-type convert-to-ext4-sh, domain, coredomain;
-type convert-to-ext4-sh_exec, system_file_type, exec_type, file_type;
-
-userdebug_or_eng(`
- permissive convert-to-ext4-sh;
-
- init_daemon_domain(convert-to-ext4-sh)
-
- allow convert-to-ext4-sh block_device:dir search;
- allow convert-to-ext4-sh e2fs_exec:file rx_file_perms;
- allow convert-to-ext4-sh efs_block_device:blk_file rw_file_perms;
- allow convert-to-ext4-sh kernel:process setsched;
- allow convert-to-ext4-sh kmsg_device:chr_file rw_file_perms;
- allow convert-to-ext4-sh persist_block_device:blk_file { getattr ioctl open read write };
- allow convert-to-ext4-sh shell_exec:file rx_file_perms;
- allow convert-to-ext4-sh sysfs_fs_ext4_features:dir { read search };
- allow convert-to-ext4-sh sysfs_fs_ext4_features:file read;
- allow convert-to-ext4-sh tmpfs:dir { add_name create mounton open };
- allow convert-to-ext4-sh tmpfs:dir { remove_name rmdir rw_file_perms setattr };
- allow convert-to-ext4-sh tmpfs:file { create rw_file_perms unlink };
- allow convert-to-ext4-sh toolbox_exec:file rx_file_perms;
- allow convert-to-ext4-sh vendor_persist_type:dir { rw_file_perms search };
- allow convert-to-ext4-sh vendor_persist_type:file rw_file_perms;
-
- allowxperm convert-to-ext4-sh { efs_block_device persist_block_device}:blk_file ioctl {
- BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET LOOP_CLR_FD
- };
-
- dontaudit convert-to-ext4-sh labeledfs:filesystem { mount unmount };
- dontaudit convert-to-ext4-sh self:capability { chown fowner fsetid dac_read_search sys_admin sys_rawio };
- dontaudit convert-to-ext4-sh unlabeled:dir { add_name create mounton open rw_file_perms search setattr };
- dontaudit convert-to-ext4-sh unlabeled:file { create rw_file_perms setattr };
- dontaudit convert-to-ext4-sh convert-to-ext4-sh:capability { dac_override };
-')
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index e528d458..929ea63c 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -93,3 +93,6 @@ type sysfs_usbc_throttling_stats, sysfs_type, fs_type;
 # WLC
 type sysfs_wlc, sysfs_type, fs_type;
+
+# /system_ext/bin/convert_to_ext4.sh
+type convert-to-ext4-sh_exec, system_file_type, exec_type, file_type;
diff --git a/whitechapel_pro/init.te b/whitechapel_pro/init.te
index 3175db8c..a9d3ac0e 100644
--- a/whitechapel_pro/init.te
+++ b/whitechapel_pro/init.te
@@ -19,3 +19,14 @@ allow init sysfs_scsi_devices_0000:file w_file_perms;
 # Workaround for b/193113005 that modem_img unlabeled after disable-verity
 dontaudit init overlayfs_file:file rename;
 dontaudit init overlayfs_file:chr_file unlink;
+
+# /system_ext/bin/convert_to_ext4.sh is a script to convert an f2fs
+# filesystem into an ext4 filesystem. This script is executed on
+# debuggable devices only. As it is a one-shot script which
+# has run in permissive mode since 2022, we transition to the
+# su domain to avoid unnecessarily polluting security policy
+# with rules which are never enforced.
+# This script was added in b/239632964
+userdebug_or_eng(`
+ domain_auto_trans(init, convert-to-ext4-sh_exec, su)
+')
From 5000f8a8f9ce6de7dc5c7ff6de023fd151fce5c3 Mon Sep 17 00:00:00 2001
From: Nina Chen
Date: Wed, 16 Oct 2024 11:58:28 +0800
Subject: [PATCH 4/6] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Flag: EXEMPT NDK
Bug: 373755350
Change-Id: I3b317eb87c60d150a6cd76a5218808146de5cccd
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 404c8f0f..bdafcad7 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
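Review bot: `domain_auto_trans(init, convert-to-ext4-sh_exec, su)` runs whatever carries the `convert-to-ext4-sh_exec` label as unconfined root, so the safety of this rule rests entirely on that label being assigned only to the verity-protected /system_ext script; the file_contexts entry that assigns it is not part of this patch, and the new comment block does not mention the dependency. Suggest appending to the init.te comment: `# NOTE: su is unconfined; convert-to-ext4-sh_exec must only ever be assigned to the verified /system_ext script.` The type is declared unconditionally in the file.te hunk of this patch while the transition is wrapped in userdebug_or_eng, so on user builds the label exists with no transition rule; if the init service that launches the script is not itself debuggable-only, init would attempt to execute it in its own domain, which platform restrictions on init may reject — worth confirming in the service definition, which is outside this patch.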
@@ -7,6 +7,7 @@ hal_face_default traced_producer_socket sock_file b/305600808
 hal_graphics_composer_default cgroup_desc_file file b/372359823
 hal_power_default cgroup_desc_file file b/372360278
 hal_power_default hal_power_default capability b/237492146
+hal_sensors_default property_socket sock_file b/373755350
 hal_sensors_default sysfs file b/336451433
 hal_vibrator_default default_android_service service_manager b/360057889
 incidentd debugfs_wakeup_sources file b/282626428
From 6497d42557d1976089bf4334bc447426bea225d9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?=
Date: Tue, 15 Oct 2024 06:22:24 +0000
Subject: [PATCH 5/6] Revert "Update SELinux error"
This reverts commit ce5420fdf4b9ea4cb42b82f2bb5c133d21bb92e7.
Reason for revert: Caused by b/372347927, relevant CL was reverted
Change-Id: Ifa42eb30ad3baa1b9f4b94c191bdce4901f9a135
Fix: 372360090
---
 tracking_denials/bug_map | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index bdafcad7..9572df7a 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -2,10 +2,7 @@ dump_display sysfs file b/350831939
 dump_modem sscoredump_vendor_data_coredump_file dir b/361726277
 dump_modem sscoredump_vendor_data_logcat_file dir b/361726277
 dumpstate unlabeled file b/350832009
-hal_camera_default cgroup_desc_file file b/372360090
 hal_face_default traced_producer_socket sock_file b/305600808
-hal_graphics_composer_default cgroup_desc_file file b/372359823
-hal_power_default cgroup_desc_file file b/372360278
 hal_power_default hal_power_default capability b/237492146
 hal_sensors_default property_socket sock_file b/373755350
 hal_sensors_default sysfs file b/336451433
From 1b64d05d93b7f28a1fd56b19b7e5d09d0c9f1916 Mon Sep 17 00:00:00 2001
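Review bot: The added `hal_sensors_default property_socket sock_file b/373755350` only stops SELinuxUncheckedDenialBootTest from failing on this denial; the sensors HAL's access to the property socket is still denied at runtime, so whatever property write triggers it keeps failing until b/373755350 resolves it with either a `set_prop` grant for a specific property type or removal of the call. The bug_map format has no room for that context, so the triggering code path belongs in the bug, and the same applies to the three cgroup_desc_file entries added in patch 1/6 (reverted again in 5/6). Entries in this file should be treated as temporary and retired with their bug rather than accumulated.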
From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?=
Date: Tue, 1 Oct 2024 14:46:50 +1000
Subject: [PATCH 6/6] Remove duplicate service entries
These entries are defined in the platform policy.
Flag: EXEMPT bugfix
Bug: 367832910
Test: TH
Change-Id: I9e06b0c95330afa22da324e3669121d4477baa2f
---
 whitechapel_pro/service_contexts | 2 --
 1 file changed, 2 deletions(-)
diff --git a/whitechapel_pro/service_contexts b/whitechapel_pro/service_contexts
index 0158b562..e3ae0e74 100644
--- a/whitechapel_pro/service_contexts
+++ b/whitechapel_pro/service_contexts
@@ -4,5 +2,3 @@ hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_ve
 vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0
 rlsservice u:object_r:rls_service:s0
-
-android.hardware.media.c2.IComponentStore/default1 u:object_r:hal_codec2_service:s0