tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/kernel.te

80 lines
3 KiB
Text
Raw Normal View History

SE Android policy.
2012-01-04 18:33:27 +01:00
# Life begins with the kernel.
kernel: make kernel an mlstrustedsubject Addresses post-review comment in https://android-review.googlesource.com/130620 Change-Id: I427ba99d63724eb526d41da47b95cc0ae038acdd
2015-02-25 03:45:46 +01:00
type kernel, domain, mlstrustedsubject;
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 21:56:15 +02:00
allow kernel self:capability sys_nice;
Remove transition / dyntransition from unconfined Require all domain transitions or dyntransitions to be explicitly specified in SELinux policy. healthd: Remove healthd_exec / init_daemon_domain(). Healthd lives on the rootfs and has no unique file type. It should be treated consistent with other similar domains. Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29
2014-01-25 05:43:07 +01:00
Remove execute_no_trans from unconfineddomain. execute_no_trans controls whether a domain can execve a program without switching to another domain. Exclude this permission from unconfineddomain, add it back to init, init_shell, and recovery for files in / and /system, and to kernel for files in / (to permit execution of init prior to setcon). Prohibit it otherwise for the kernel domain via neverallow. This ensures that if a kernel task attempts to execute a kernel usermodehelper for which no domain transition is defined, the exec will fail. Change-Id: Ie7b2349923672dd4f5faf7c068a6e5994fd0e4e3 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 15:07:17 +02:00
# Run /init before we have switched domains.
allow kernel rootfs:file execute_no_trans;
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 21:56:15 +02:00
# /dev/__null__ node created by init prior to policy load.
allow kernel tmpfs:chr_file rw_file_perms;
Restrict requesting contexts other than policy-defined defaults. Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-23 17:26:19 +02:00
# setcon to init domain.
allow kernel self:process setcurrent;
Remove transition / dyntransition from unconfined Require all domain transitions or dyntransitions to be explicitly specified in SELinux policy. healthd: Remove healthd_exec / init_daemon_domain(). Healthd lives on the rootfs and has no unique file type. It should be treated consistent with other similar domains. Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29
2014-01-25 05:43:07 +01:00
allow kernel init:process dyntransition;
Explictly allow init and kernel unlabeled access. These permissions are already allowed indirectly via unconfineddomain and via domain, but ultimately we plan to remove them from those two attributes. Explicitly allow the ones we expect to be required, matching the complement of the auditallow rules in domain.te. Change-Id: I43edca89d59c159b97d49932239f8952a848031c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-30 15:53:00 +02:00
# cgroup filesystem initialization prior to setting the cgroup root directory label.
allow kernel unlabeled:dir search;
Allow mounting of usbfs. Addresses denials such as: avc: denied { mount } for pid=5 comm="kworker/u:0" name="/" dev=usbfs ino=3234 scontext=u:r:kernel:s0 tcontext=u:object_r:usbfs:s0 tclass=filesystem Change-Id: I1db52193e6a2548c37a7809ef44cf7fd3357326d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-18 16:31:27 +02:00
# Mount usbfs.
allow kernel usbfs:filesystem mount;
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 20:35:55 +02:00
# init direct restorecon calls prior to switching to init domain
# /dev and /dev/socket
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 21:56:15 +02:00
allow kernel tmpfs:dir relabelfrom;
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 20:35:55 +02:00
allow kernel { device socket_device }:dir relabelto;
# /dev/__properties__
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 21:56:15 +02:00
allow kernel tmpfs:file relabelfrom;
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 20:35:55 +02:00
allow kernel properties_device:file relabelto;
# /sys
allow kernel sysfs:{ dir file lnk_file } relabelfrom;
allow kernel sysfs_type:{ dir file lnk_file } relabelto;
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 21:56:15 +02:00
allow kernel sysfs_type:dir r_dir_perms;
Allow kernel domain, not init domain, to set SELinux enforcing mode. As per the discussion in: https://android-review.googlesource.com/#/c/71184/ init sets the enforcing mode in its code prior to switching to the init domain via a setcon command in the init.rc file. Hence, the setenforce permission is checked while still running in the kernel domain. Further, as init has no reason to ever set the enforcing mode again, we do not need to allow setenforce to the init domain and this prevents reverting to permissive mode via an errant write by init later. We could technically dontaudit the kernel setenforce access instead since the first call to setenforce happens while still permissive (and thus we never need to allow it in policy) but we allow it to more accurately represent what is possible. Change-Id: I70b5e6d8c99e0566145b9c8df863cc8a34019284 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 14:05:53 +01:00
# Initial setenforce by init prior to switching to init domain.
Revisit kernel setenforce Kernel userspace helpers may be spawned running in the kernel SELinux domain. Those userspace helpers shouldn't be able to turn SELinux off. This change revisits the discussion in https://android-review.googlesource.com/#/c/71184/ At the time, we were debating whether or not to have an allow rule, or a dontaudit rule. Both have the same effect, as at the time we switch to enforcing mode, the kernel is in permissive and the operation will be allowed. Change-Id: If335a5cf619125806c700780fcf91f8602083824
2014-05-12 23:32:59 +02:00
# We use dontaudit instead of allow to prevent a kernel spawned userspace
# process from turning off SELinux once enabled.
dontaudit kernel self:security setenforce;
Restrict ability to set checkreqprot. Now that we set /sys/fs/selinux/checkreqprot via init.rc, restrict the ability to set it to only the kernel domain. Change-Id: I975061fd0e69c158db9bdb23e6ba77948e3fead1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-08 15:29:30 +01:00
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 21:56:15 +02:00
# Write to /proc/1/oom_adj prior to switching to init domain.
allow kernel self:capability sys_resource;
Restrict ability to set checkreqprot. Now that we set /sys/fs/selinux/checkreqprot via init.rc, restrict the ability to set it to only the kernel domain. Change-Id: I975061fd0e69c158db9bdb23e6ba77948e3fead1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-08 15:29:30 +01:00
# Set checkreqprot by init.rc prior to switching to init domain.
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 21:56:15 +02:00
allow kernel selinuxfs:file write;
Restrict ability to set checkreqprot. Now that we set /sys/fs/selinux/checkreqprot via init.rc, restrict the ability to set it to only the kernel domain. Change-Id: I975061fd0e69c158db9bdb23e6ba77948e3fead1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-08 15:29:30 +01:00
allow kernel self:security setcheckreqprot;
Prevent adding transitions to kernel or init domains. Add neverallow rules to prohibit adding any transitions into the kernel or init domains. Rewrite the domain self:process rule to use a positive permission list and omit the transition and dyntransition permissions from this list as well as other permissions only checked when changing contexts. This should be a no-op since these permissions are only checked when changing contexts but avoids needing to exclude kernel or init from the neverallow rules. Change-Id: Id114b1085cec4b51684c7bd86bd2eaad8df3d6f8 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-18 16:09:35 +02:00
support kernel writes to external SDcards The kernel, when it creates a loop block device, starts a new kernel thread "loop0" (drivers/block/loop.c). This kernel thread, which performs writes on behalf of other processes, needs read/write privileges to the sdcard. Allow it. Steps to reproduce: 0) Get device with external, removable sdcard 1) Run: "adb install -s foo.apk" Expected: APK installs successfully. Actual: APK fails to install. Error message: Vold E Failed to write superblock (I/O error) loop0 W type=1400 audit(0.0:3123): avc: denied { read } for path="/mnt/secure/asec/smdl1645334795.tmp.asec" dev="mmcblk1p1" ino=528 scontext=u:r:kernel:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0 PackageHelper E Failed to create secure container smdl1645334795.tmp DefContainer E Failed to create container smdl1645334795.tmp Bug: 17158723 (cherry picked from commit 4c6b13508d1786a3a835ba5427f37e963c2c7506) Change-Id: Iea727ac7958fc31d85a037ac79badbe9c85693bd
2014-08-27 21:13:28 +02:00
# MTP sync (b/15835289)
# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
kernel.te: fix MTP sync STEPS TO REPRODUCE: 1. Connect the device to Mac. 2. Switch to AFT. 3. Now AFT on Mac will show the device contents. 4. Now drag and drop the file to device and observe. EXPECTED RESULTS: Should able to copy. OBSERVED RESULTS: Showing can not copy file and on clicking ok, It shows device storage can not connect and close the AFT. Addresses the following denial: W kworker/u:11: type=1400 audit(0.0:729): avc: denied { use } for path="/storage/emulated/0/Download/song2.mp3" dev="fuse" ino=143 scontext=u:r:kernel:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=fd 12310 12530 E MtpRequestPacket: Malformed MTP request packet ps -Z entry: u:r:untrusted_app:s0:c512,c768 u0_a6 12310 203 android.process.media Bug: 15835289 Change-Id: I47b653507f8d4089b31254c19f44706077e2e96a
2015-02-27 05:33:40 +01:00
allow kernel untrusted_app:fd use;
support kernel writes to external SDcards The kernel, when it creates a loop block device, starts a new kernel thread "loop0" (drivers/block/loop.c). This kernel thread, which performs writes on behalf of other processes, needs read/write privileges to the sdcard. Allow it. Steps to reproduce: 0) Get device with external, removable sdcard 1) Run: "adb install -s foo.apk" Expected: APK installs successfully. Actual: APK fails to install. Error message: Vold E Failed to write superblock (I/O error) loop0 W type=1400 audit(0.0:3123): avc: denied { read } for path="/mnt/secure/asec/smdl1645334795.tmp.asec" dev="mmcblk1p1" ino=528 scontext=u:r:kernel:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0 PackageHelper E Failed to create secure container smdl1645334795.tmp DefContainer E Failed to create container smdl1645334795.tmp Bug: 17158723 (cherry picked from commit 4c6b13508d1786a3a835ba5427f37e963c2c7506) Change-Id: Iea727ac7958fc31d85a037ac79badbe9c85693bd
2014-08-27 21:13:28 +02:00
allow kernel sdcard_type:file { read write };
Allow kernel sdcard access for MTP sync. Address denials such as: avc: denied { write } for pid=2587 comm="kworker/u:4" path="/storage/emulated/0/Download/AllFileFormatesFromTommy/Test3GP.3gp" dev="fuse" ino=3086052592 scontext=u:r:kernel:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file permissive=0 Change-Id: I351e84b48f1b5a3361bc680b2ef379961ac2e8ea Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Bug: 15835289
2014-06-24 19:18:02 +02:00
Allow kernel thread to read app data files When vold mounts an OBB on behalf of another application, the kernel spins up the "loop0" thread to perform the mount operation. Grant the kernel thread the ability to read app data files, so the mount operation can succeed. Steps to reproduce: 1) Run: runtest --path cts/tests/tests/os/src/android/os/storage/cts/StorageManagerTest.java Expected: 1) All tests pass Actual: Test failure, with the following error message: loop0 : type=1400 audit(0.0:46): avc: denied { read } for path="/data/data/com.android.cts.stub/files/test1.obb" dev="mmcblk0p16" ino=115465 scontext=u:r:kernel:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0 Vold : Image mount failed (I/O error) MountService: Couldn't mount OBB file: -1 StorageManager: Received message. path=/data/data/com.android.cts.stub/files/test1.obb, state=21 TestRunner: failed: testMountAndUnmountObbNormal(android.os.storage.cts.StorageManagerTest) TestRunner: ----- begin exception ----- TestRunner: junit.framework.AssertionFailedError: OBB should be mounted TestRunner: at junit.framework.Assert.fail(Assert.java:50) TestRunner: at junit.framework.Assert.assertTrue(Assert.java:20) TestRunner: at android.os.storage.cts.StorageManagerTest.mountObb(StorageManagerTest.java:235) Bug: 17428116 Change-Id: Id1a39a809b6c3942ff7e08884b40e3e4eec73b6a
2014-09-09 23:12:18 +02:00
# Allow the kernel to read OBB files from app directories. (b/17428116)
# Kernel thread "loop0" reads a vold supplied file descriptor.
# Fixes CTS tests:
# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
kernel.te: fix MTP sync STEPS TO REPRODUCE: 1. Connect the device to Mac. 2. Switch to AFT. 3. Now AFT on Mac will show the device contents. 4. Now drag and drop the file to device and observe. EXPECTED RESULTS: Should able to copy. OBSERVED RESULTS: Showing can not copy file and on clicking ok, It shows device storage can not connect and close the AFT. Addresses the following denial: W kworker/u:11: type=1400 audit(0.0:729): avc: denied { use } for path="/storage/emulated/0/Download/song2.mp3" dev="fuse" ino=143 scontext=u:r:kernel:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=fd 12310 12530 E MtpRequestPacket: Malformed MTP request packet ps -Z entry: u:r:untrusted_app:s0:c512,c768 u0_a6 12310 203 android.process.media Bug: 15835289 Change-Id: I47b653507f8d4089b31254c19f44706077e2e96a
2015-02-27 05:33:40 +01:00
allow kernel vold:fd use;
Allow kernel thread to read app data files When vold mounts an OBB on behalf of another application, the kernel spins up the "loop0" thread to perform the mount operation. Grant the kernel thread the ability to read app data files, so the mount operation can succeed. Steps to reproduce: 1) Run: runtest --path cts/tests/tests/os/src/android/os/storage/cts/StorageManagerTest.java Expected: 1) All tests pass Actual: Test failure, with the following error message: loop0 : type=1400 audit(0.0:46): avc: denied { read } for path="/data/data/com.android.cts.stub/files/test1.obb" dev="mmcblk0p16" ino=115465 scontext=u:r:kernel:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0 Vold : Image mount failed (I/O error) MountService: Couldn't mount OBB file: -1 StorageManager: Received message. path=/data/data/com.android.cts.stub/files/test1.obb, state=21 TestRunner: failed: testMountAndUnmountObbNormal(android.os.storage.cts.StorageManagerTest) TestRunner: ----- begin exception ----- TestRunner: junit.framework.AssertionFailedError: OBB should be mounted TestRunner: at junit.framework.Assert.fail(Assert.java:50) TestRunner: at junit.framework.Assert.assertTrue(Assert.java:20) TestRunner: at android.os.storage.cts.StorageManagerTest.mountObb(StorageManagerTest.java:235) Bug: 17428116 Change-Id: Id1a39a809b6c3942ff7e08884b40e3e4eec73b6a
2014-09-09 23:12:18 +02:00
allow kernel app_data_file:file read;
Allow kernel to read asec_image_file. Address the following denial encountered when installing a forward-locked apk. W loop0 : type=1400 audit(0.0:36): avc: denied { read } for path="/data/app-asec/smdl1061145377.tmp.asec" dev="mmcblk0p28" ino=180226 scontext=u:r:kernel:s0 tcontext=u:object_r:asec_image_file:s0 tclass=file Bug: 19936901 Change-Id: I829858564a8f89677b2bb4cbd4c8fe4250ae51de
2015-03-26 20:40:07 +01:00
allow kernel asec_image_file:file read;
Allow kernel thread to read app data files When vold mounts an OBB on behalf of another application, the kernel spins up the "loop0" thread to perform the mount operation. Grant the kernel thread the ability to read app data files, so the mount operation can succeed. Steps to reproduce: 1) Run: runtest --path cts/tests/tests/os/src/android/os/storage/cts/StorageManagerTest.java Expected: 1) All tests pass Actual: Test failure, with the following error message: loop0 : type=1400 audit(0.0:46): avc: denied { read } for path="/data/data/com.android.cts.stub/files/test1.obb" dev="mmcblk0p16" ino=115465 scontext=u:r:kernel:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0 Vold : Image mount failed (I/O error) MountService: Couldn't mount OBB file: -1 StorageManager: Received message. path=/data/data/com.android.cts.stub/files/test1.obb, state=21 TestRunner: failed: testMountAndUnmountObbNormal(android.os.storage.cts.StorageManagerTest) TestRunner: ----- begin exception ----- TestRunner: junit.framework.AssertionFailedError: OBB should be mounted TestRunner: at junit.framework.Assert.fail(Assert.java:50) TestRunner: at junit.framework.Assert.assertTrue(Assert.java:20) TestRunner: at android.os.storage.cts.StorageManagerTest.mountObb(StorageManagerTest.java:235) Bug: 17428116 Change-Id: Id1a39a809b6c3942ff7e08884b40e3e4eec73b6a
2014-09-09 23:12:18 +02:00
Prevent adding transitions to kernel or init domains. Add neverallow rules to prohibit adding any transitions into the kernel or init domains. Rewrite the domain self:process rule to use a positive permission list and omit the transition and dyntransition permissions from this list as well as other permissions only checked when changing contexts. This should be a no-op since these permissions are only checked when changing contexts but avoids needing to exclude kernel or init from the neverallow rules. Change-Id: Id114b1085cec4b51684c7bd86bd2eaad8df3d6f8 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-18 16:09:35 +02:00
###
### neverallow rules
###
# The initial task starts in the kernel domain (assigned via
# initial_sid_contexts), but nothing ever transitions to it.
neverallow domain kernel:process { transition dyntransition };
Remove execute_no_trans from unconfineddomain. execute_no_trans controls whether a domain can execve a program without switching to another domain. Exclude this permission from unconfineddomain, add it back to init, init_shell, and recovery for files in / and /system, and to kernel for files in / (to permit execution of init prior to setcon). Prohibit it otherwise for the kernel domain via neverallow. This ensures that if a kernel task attempts to execute a kernel usermodehelper for which no domain transition is defined, the exec will fail. Change-Id: Ie7b2349923672dd4f5faf7c068a6e5994fd0e4e3 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 15:07:17 +02:00
# The kernel domain is never entered via an exec, nor should it
# ever execute a program outside the rootfs without changing to another domain.
# If you encounter an execute_no_trans denial on the kernel domain, then
# possible causes include:
# - The program is a kernel usermodehelper. In this case, define a domain
# for the program and domain_auto_trans() to it.
# - You failed to setcon u:r:init:s0 in your init.rc and thus your init
# program was left in the kernel domain and is now trying to execute
# some other program. Fix your init.rc file.
# - You are running an exploit which switched to the init task credentials
# and is then trying to exec a shell or other program. You lose!
neverallow kernel { file_type fs_type -rootfs }:file { entrypoint execute_no_trans };
Reference in a new issue Copy permalink