Age | Commit message | Author |
|
These files have been moved to system/sepolicy.
Bug: 27875478
Change-Id: I057784af0e9f6e43cd9a22ffce26fd63acccf98b
|
|
Followup to 121f5bfd80298266d293fa5c0a30fed66f4facfa.
Move misc_logd_file neverallow rule from domain.te to logd.te,
since the goal of the neverallow rule is to protect logd / logpersist
files from other processes.
Switch the misc_logd_file neverallow rule from using "rw_file_perms"
to "no_rw_file_perms". The latter covers more cases of file
modifications.
Add more neverallow rules covering misc_logd_file directories.
Instead of using not_userdebug_nor_eng(), modify the rules to be
consistent with other highly constrained file types such as
keystore_data_file or vold_data_file. See, for example,
https://android-review.googlesource.com/144768
To see the net effect of this change, you can use the following
command line:
sesearch --allow -t misc_logd_file -c file,dir,lnk_file \
out/target/product/bullhead/root/sepolicy
Before this change:
# userdebug builds
allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
allow init misc_logd_file:file { setattr read create write relabelfrom getattr relabelto unlink open };
allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };
allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
allow shell misc_logd_file:dir { search read lock getattr ioctl open };
allow shell misc_logd_file:file { read lock ioctl open getattr };
# user builds
allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
allow init misc_logd_file:file relabelto;
allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };
After this change:
# userdebug builds
allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
allow init misc_logd_file:file { relabelto getattr };
allow init misc_logd_file:lnk_file relabelto;
allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
allow shell misc_logd_file:dir { search read lock getattr ioctl open };
allow shell misc_logd_file:file { read lock ioctl open getattr };
# user builds
allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
allow init misc_logd_file:file { relabelto getattr };
allow init misc_logd_file:lnk_file relabelto;
Change-Id: I0b00215049ad83182f458b4b9e258289c5144479
|
|
To write bytes to an appfuse file from priv_app, we need to specify
mlstrustedobject.
The CL fixes the following denial.
type=1400 audit(0.0:77): avc: denied { write } for name="10" dev="fuse" ino=10 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:app_fuse_file:s0 tclass=file permissive=0
BUG=23093747
Change-Id: I9901033bb3349d5def0bd7128db45a1169856dc1
|
|
Bug: 27176738
Change-Id: I70e4b7b54044dd541076eddd39a8e9f5d881badf
|
|
03-25 09:31:22.996 1 1 W init : type=1400 audit(0.0:8): \
avc: denied { getattr } for path="/data/misc/logd/logcat.052" \
dev="dm-2" ino=124778 scontext=u:r:init:s0 \
tcontext=u:object_r:misc_logd_file:s0 tclass=file permissive=0
. . .
Introduced a new macro not_userdebug_nor_eng()
Change-Id: I9c3a952c265cac096342493598fff7d41604ca45
|
|
Add a neverallow rule (compile time assertion + CTS test) that
isolated_apps and untrusted_apps can't do anything else but append
to /data/anr/traces.txt. In particular, assert that they can't
read from the file, or overwrite other data which may already be
in the file.
Bug: 18340553
Bug: 27853304
Change-Id: I249fe2a46401b660efaa3f1102924a448ed750d5
|
|
/dev/uio uio_device is already declared. Accessing uio through /sys
is also common.
Bug: 26990688
Change-Id: I3db941161dae31d3b87f265708abbcd9171a2c1f
|
|
sysfs_thermal nodes are common enough to warrant an entry in global
policy and the new HardwarePropertiesManagerService exists explicitly to
expose some of this information.
Address the following denials:
avc: denied { search } for name="thermal" dev="sysfs" ino=17509 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=1
avc: denied { read } for name="temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { getattr } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
(cherry-pick of internal commit: 98eff7c3d46abe2db996c0718b7386a3e368f344)
Bug: 27809332
Change-Id: I6f812a7e281e348aa24c76b119e71ed95e1a1d9f
|
|
One-time executables. recovery_refresh can be used at any time to
ensure recovery logs in pmsg are re-placed at the end of the FIFO.
recovery_persist takes the recovery logs in pmsg and drops them
into /data/misc/recovery/ directory.
Bug: 27176738
Change-Id: Ife3cf323930fb7a6a5d1704667961f9d42bfc5ac
|
|
See https://groups.google.com/d/msg/android-ndk/BbEOA9pnR-I/HgLkGy5qAgAJ
Addresses the following denial:
avc: denied { lock } for path="/data/data/com.mypackage/files/somefilename" dev="mmcblk0p28" ino=114736 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
While I'm here, also add lock to w_file_perms.
(cherrypicked from commit 4ee494cce1670e6883fb56cea96aa6bab10a4523)
Change-Id: I2568a228099c4e112e4a8b80da3bfcf2e35eb0ea
|
|
Block other operations which involve non-file descriptor
operations.
Change-Id: I5d813781c201a732aa1ee6ff6fd3d82f2af32ec7
|
|
BUG: 27419521
Change-Id: I63108468d75be3ef7f9761107a3df8997f207d07
|
|
This policy takes effect only when building with
SANITIZE_TARGET=address and allows the Zygote to load libraries from
/data. That's where ASan-instrumented copies of system libraries are
located. 32-bit library directories have been added a while back;
this CL extends the same policy to 64-bit directories.
Bug: 25751174
Change-Id: Ieb4701b78db9649ec8563f2962a69db537ae61b3
|
|
Applications do not explicitly request handles to the batteryproperties
service, but the BatteryManager obtains a reference to it and uses it
for its underlying property queries. Mark it as an app_api_service so
that all applications may use this API. Also remove the batterypropreg
service label, as this does not appear to be used and may have been a
duplication of batteryproperties. As a result, remove the
healthd_service type and replace it with a more specific
batteryproperties_service type.
Bug: 27442760
Change-Id: I5c0f9d7992ff2ec64adaeef22356e88fd0e8169c
|
|
HwRngTest needs access to the hwrandom sysfs files, but untrusted_app
does not have access to sysfs. Give these files their own label and
allow the needed read access.
(cherry-pick from internal commit: 85c0f8affa4d3aa3c50331e272327e360eb8bed9)
Bug: 27263241
Change-Id: If572ad0931a534d76e148b688b76687460e99af9
|
|
Remove references to /data/security and the corresponding
type security_file.
Bug: 26544104
Change-Id: Iac00c293daa6b781a24c2bd4c12168dfb1cceac6
|
|
Many permissions were removed from untrusted_app by the removal of
domain_deprecated, including procfs access. procfs file access was
restored, but not completely. Add the ability to getattr to all domains,
so that other domains which lost domain_deprecated may benefit, as they
will likely need it.
Bug: 27249037
Change-Id: Id3f5e6121548b29d739d5e0fa6ccdbc9f0fc29be
|
|
Bug: http://b/27367422
Change-Id: I936c16281e06214b35f8d245da8f619dc92ff15f
|
|
Bug: 26813932
Change-Id: I155087d28d9284d8c96554cc6739bb676272a00f
|
|
am: edd86a6367
* commit 'edd86a63672b718448ad115b079aeb8f11d6bb90':
New postinstall domain and rules to run post-install program.
|
|
|
|
am: 01d95c23ab
* commit '01d95c23ab8c14d72e4ce98b3dda64ce81ab6306':
Update netlink socket classes.
|
|
Define new netlink socket security classes introduced by upstream kernel commit
6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 ("selinux: update netlink socket
classes"). This was merged in Linux 4.2 and is therefore only required
for Android kernels based on 4.2 or newer (e.g. the android-4.4 branch
of the kernel/common tree).
Add the new socket classes to socket_class_set.
Add an initial set of allow rules although further refinement
will likely be necessary. Any allow rule previously written
on :netlink_socket may need to be rewritten or duplicated for
one or more of the more specific classes. For now, we retain
the existing :netlink_socket rules for compatibility on older kernels.
Change-Id: I5040b30edd2d374538490a080feda96dd4bae5bf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
|
When using the A/B updater, a device specific hook is sometimes needed
to run after the new partitions are updated but before rebooting into
the new image. This hook is referred to throughout the code as the
"postinstall" step.
This patch creates a new execution domain "postinstall" which
update_engine will use to run said hook. Since the hook needs to run
from the new image (namely, slot "B"), update_engine needs to
temporarily mount this B partition into /postinstall and then run a
program from there.
Since the new program in B runs from the old execution context in A, we
can't rely on the labels set in the xattr in the new filesystem to
enforce the policies baked into the old running image. Instead, when
temporarily mounting the new filesystem in update_engine, we override
all the new file attributes with the new postinstall_file type by
passing "context=u:object_r:postinstall_file:s0" to the mount syscall.
This allows us to set new rules specific to the postinstall environment
that are consistent with the rules in the old system.
Bug: 27177071
TEST=Deployed a payload with a trivial postinstall script to edison-eng.
Change-Id: Ib06fab92afb45edaec3c9c9872304dc9386151b4
|
|
am: 6ef10bd48b
* commit '6ef10bd48b09ae0cb371c9d9f161c3b3b8f003fc':
suppress unnecessary makefile output
|
|
checkpolicy spits out a bunch of unnecessary lines during normal
operation, which bloat the logs and hide other more important
warnings. Suppress the normal output.
SELinux compile time errors are printed to stderr, and are
unaffected by this change.
Change-Id: I07f2cbe8afcd14abf1c025355a169b5214ed5c6e
|
|
am: 9a1347eee6
* commit '9a1347eee668990a8fb357d0d088beb430a61c27':
Allow bluetooth access to the tun device.
|
|
Bluetooth uses the tun device for tethering. Allow access.
STEPS TO REPRODUCE:
0. Have two devices to test on, say Device A and Device B
1. On Device A, go to Settings -> Bluetooth.
2. Turn on Bluetooth.
3. Pair it with device B
4. Tap on the paired device
OBSERVED RESULTS:
- Bluetooth share crash is observed with "Bluetooth share has stopped"
  error message
- Unable to use Bluetooth tethering due to this issue
EXPECTED RESULTS:
No crash and Bluetooth devices should be able to connect for tethering
Addresses the following denial:
com.android.bluetooth: type=1400 audit(0.0:131): avc: denied { open }
for comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs"
ino=12340 scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0
tclass=chr_file permissive=0
Bug: 27372573
Change-Id: I07724d8d68ffcdda691f1179787a4f40a0ab1c73
|
|
am: bca98efa57
* commit 'bca98efa575bedab68f2d5eaee2cd1fd1741962b':
Don't allow permissive SELinux domains on user builds.
|
|
It's a CTS requirement that all SELinux domains be in
enforcing mode. Add the same assertion to the build system
when targeting user builds.
In particular, this avoids a situation where device integrity
checking is enabled on user builds, but permissive denials
are being generated, causing the device to unexpectedly reboot
into safe mode.
A developer wanting to put an SELinux domain into permissive
mode for userdebug/eng purposes can write the following
in their policy:
userdebug_or_eng(`
permissive foo;
')
Bug: 26902605
Bug: 27313768
Change-Id: Ic0971d9e96a28f2a98f9d56a547661d24fb81a21
|
|
am: f25ea5f9c0
* commit 'f25ea5f9c00dff32a2d04c7af3e76d0efac28a7c':
Label /proc/meminfo.
|
|
Address the following denial:
m.chrome.canary: type=1400 audit(0.0:15): avc: granted { read open } for path="/proc/meminfo" dev="proc" ino=4026544360 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file
(cherry-pick of internal commit: 971aeeda2138b27e3f8850f2fd7c95f60508154c)
Bug: 22032619
Chromium Bug: 586021
Change-Id: I2dcb2d4800bbc92ea47c37d4fd7a10f827a0114c
|
|
am: 7905d6819e
* commit '7905d6819efc5f3052bc4eaa6da8b40c03f3abb1':
Allow access to the daydream ("dreams") service.
|
|
Bug: 26804329
Change-Id: I7b789c6fe8411e3a4a718da86d442a0f48c5c310
|
|
am: 65b5fde912
* commit '65b5fde912285ebeeefc9c7486f4453dd86d994f':
Add recovery service.
|
|
RecoverySystemService is separated from PowerManagerService as a
dedicated system service to handle recovery related requests (such as
invoking uncrypt to uncrypt an OTA package on /data or to set up /
clear the bootloader control block (i.e. /misc) and etc).
The matching CL in frameworks/base is in:
Change-Id: Ic606fcf5b31c54ce54f0ab12c1768fef0fa64560.
Bug: 26830925
Change-Id: Iee0583c458f784bfa422d0f7af5d1f2681d9609e
|
|
am: 6b843bcff0
* commit '6b843bcff0c7560dec2aef6fd6d31e8cc9d67f0f':
Enable recovery to read batteryinfo.
|
|
Bug: 26879394
Change-Id: I09ac9027ca343e00488dedab8df1687fd32bb255
|
|
|
This is needed to kill sockets using the new SOCK_DESTROY
operation instead of using SIOCKILLADDR.
Bug: 26976388
Change-Id: I01a63a754726a0e9fb68be48b76df4dc47752edb
|
|
Bug: 26902605
Change-Id: Ica825cf2af74f5624cf4091544bd24bb5482dbe7
|
|
|
Large numbers of denials have been collected. Remove from logging until
further action is taken to address existing denials and remove sysfs
access from additional appdomains.
Change-Id: Ia7ad6264d85490824089b5074bf9c22303cc864a
|
|
* changes:
checkseapp: remove .data = NULL assignments
checkseapp: remove data types from static map
checkseapp: generalize input validation
checkseapp: update error message output
checkseapp: declare internal function as static
|
|
Currently, uncrypt has write access to "block_device". This is
the generic label used for a file in /dev/block which doesn't
have a more specific label assigned to it.
This is an overly broad grant. Commit a10f789d286d0f28c85488629cc92f5ab6ca8e00
started the process of deprecating "block_device" access in favor
of "misc_block_device".
This change completes the deprecation and removes the overly
broad grant. Also update the neverallow rules so that
this overly broad rule cannot be reintroduced into uncrypt.
Bug: 25091603
Change-Id: Ifc5fa412db2f95726ae89c32c577a6659885ae55
|